[xen/f16] in rare circumstances an unprivileged user can crash an HVM guest [XSA-10] (#843766)

myoung myoung at fedoraproject.org
Fri Jul 27 10:42:18 UTC 2012


commit 22f816f8eb376576ae0c4d5ed469bb3fa1623702
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Jul 27 11:41:09 2012 +0100

    in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
    (#843766)

 xen-4.1-testing.23325.patch |   41 +++++++++++++++++++++++++++++++++++++++++
 xen.spec                    |    8 +++++++-
 2 files changed, 48 insertions(+), 1 deletions(-)
---
diff --git a/xen-4.1-testing.23325.patch b/xen-4.1-testing.23325.patch
new file mode 100644
index 0000000..e68897c
--- /dev/null
+++ b/xen-4.1-testing.23325.patch
@@ -0,0 +1,41 @@
+
+# HG changeset patch
+# User Jan Beulich <jbeulich at suse.com>
+# Date 1343318195 -3600
+# Node ID a43f5b4b03319117edba76ebca8f827119d4e9a8
+# Parent  e89be0dedeb4e4a9556cf3e1b9a5295ba0b59edf
+x86/hvm: don't leave emulator in inconsistent state
+
+The fact that handle_mmio(), and thus the instruction emulator, is
+being run through twice for emulations that require involvement of the
+device model, allows for the second run to see a different guest state
+than the first one. Since only the MMIO-specific emulation routines
+update the vCPU's io_state, if they get invoked on the second pass,
+internal state (and particularly this variable) can be left in a state
+making successful emulation of a subsequent MMIO operation impossible.
+
+Consequently, whenever the emulator invocation returns without
+requesting a retry of the guest instruction, reset io_state.
+
+[ This is a security issue.  XSA#10. -iwj ]
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Keir Fraser <keir at xen.org>
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+xen-unstable changeset: 25682:ffcb24876b4f
+Committed-by: Ian Jackson <ian.jackson at eu.citrix.com>
+
+diff -r e89be0dedeb4 -r a43f5b4b0331 xen/arch/x86/hvm/io.c
+--- a/xen/arch/x86/hvm/io.c	Sun Jul 22 16:39:00 2012 +0100
++++ b/xen/arch/x86/hvm/io.c	Thu Jul 26 16:56:35 2012 +0100
+@@ -176,6 +176,8 @@ int handle_mmio(void)
+ 
+     rc = hvm_emulate_one(&ctxt);
+ 
++    if ( rc != X86EMUL_RETRY )
++        curr->arch.hvm_vcpu.io_state = HVMIO_none;
+     if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
+         curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
+     else
+
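Review bot: the new reset is placed before the `HVMIO_awaiting_completion` test, so whenever hvm_emulate_one() returns anything other than `X86EMUL_RETRY` the state is forced to `HVMIO_none` and the `HVMIO_handle_mmio_awaiting_completion` branch cannot be reached; that is exactly what the description asks for (only a retry should leave an I/O pending across the second handle_mmio() pass), but a one-line comment above the new `if` would save the next reader from wondering why two adjacent checks on `io_state` are needed. Two cosmetic points on the backport file: it starts with an empty line (the lone `+` at the top of the hunk) and the upstream `Committed-by:` trailer appears twice; neither bothers `patch -p1`, which locates the `a/xen/arch/x86/hvm/io.c` header fine, but the leading blank could be dropped.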
diff --git a/xen.spec b/xen.spec
index c5d1ad3..7133faf 100644
--- a/xen.spec
+++ b/xen.spec
@@ -10,7 +10,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -62,6 +62,7 @@ Patch39: pygrub.size.limits.patch
 Patch40: CVE-2012-0217.patch
 Patch41: CVE-2012-0218.patch
 Patch42: CVE-2012-2934.patch
+Patch43: xen-4.1-testing.23325.patch
 
 Patch50: upstream-23936:cdb34816a40a-rework
 Patch51: upstream-23937:5173834e8476
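Review bot: the neighbouring entries Patch40..Patch42 are named after their CVE ids, whereas this one is named after the xen-4.1-testing changeset number, so nothing in the spec says what it fixes; a short comment such as `# XSA-10 (#843766)` above the `Patch43:` line would let someone auditing the spec map it to the advisory without opening the patch file.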
@@ -230,6 +231,7 @@ manage Xen virtual machines.
 %patch40 -p1
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1
 
 %patch50 -p1
 %patch51 -p1
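Review bot: `-p1` is the right strip level here, since the embedded diff uses `a/xen/arch/x86/hvm/io.c` and `b/xen/arch/x86/hvm/io.c` paths, and applying Patch43 directly after Patch42 keeps the security fixes together ahead of the Patch50 series, matching the declaration order in the previous hunk.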
@@ -642,6 +644,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri Jul 27 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-9
+- in rare circumstances an unprivileged user can crash an HVM guest [XSA-10]
+  (#843766)
+
 * Wed Jun 13 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-8
 - make pygrub cope better with big files from guest (#818412 CVE-2012-2625)
 - 64-bit PV guest privilege escalation vulnerability [CVE-2012-0217]
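Review bot: the new changelog entry cites the XSA number and the Bugzilla id but, unlike the 4.1.2-8 entries beneath it, no CVE id; if one has been assigned for XSA-10 it should be appended here so the fix can be found by CVE in `rpm -q --changelog xen`.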