[xen] Lock order reversal between page_alloc_lock and mm_rwlock, Hypercalls exposed to privilege rings 1 a
myoung
myoung at fedoraproject.org
Tue Nov 26 21:17:42 UTC 2013
commit 14cd6e1a74ae36fe7ee6edc1cd3209ae8bc2cdf8
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Tue Nov 26 21:15:20 2013 +0000
Lock order reversal between page_alloc_lock and mm_rwlock,
Hypercalls exposed to privilege rings 1 and 2 of HVM guests
xen.spec | 12 +++++++++++-
xsa74-4.3-unstable.patch | 41 +++++++++++++++++++++++++++++++++++++++++
xsa76.patch | 19 +++++++++++++++++++
3 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index dac8a31..6f87417 100644
--- a/xen.spec
+++ b/xen.spec
@@ -46,7 +46,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.3.1
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -101,6 +101,8 @@ Patch21: xen.64.bit.hyp.on.ix86.patch
Patch22: xsa73-4.3-unstable.patch
Patch23: xsa75-4.3-unstable.patch
Patch24: xsa78.patch
+Patch25: xsa74-4.3-unstable.patch
+Patch26: xsa76.patch
Patch100: xen-configure-xend.patch
@@ -284,6 +286,8 @@ manage Xen virtual machines.
%patch22 -p1
%patch23 -p1
%patch24 -p1
+%patch25 -p1
+%patch26 -p1
%patch100 -p1
@@ -816,6 +820,12 @@ rm -rf %{buildroot}
%endif
%changelog
+* Tue Nov 26 2013 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-4
+- Lock order reversal between page_alloc_lock and mm_rwlock
+ [XSA-74, CVE-2013-4553] (#1034925)
+- Hypercalls exposed to privilege rings 1 and 2 of HVM guests
+ [XSA-76, CVE-2013-4554] (#1034923)
+
* Thu Nov 21 2013 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-3
- Insufficient TLB flushing in VT-d (iommu) code
[XSA-78, CVE-2013-6375] (#1033149)
diff --git a/xsa74-4.3-unstable.patch b/xsa74-4.3-unstable.patch
new file mode 100644
index 0000000..4c9c27c
--- /dev/null
+++ b/xsa74-4.3-unstable.patch
@@ -0,0 +1,41 @@
+x86: restrict XEN_DOMCTL_getmemlist
+
+Coverity ID 1055652
+
+(See the code comment.)
+
+This is CVE-2013-4553 / XSA-74.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -329,6 +329,26 @@ long arch_do_domctl(
+ break;
+ }
+
++ /*
++ * XSA-74: This sub-hypercall is broken in several ways:
++ * - lock order inversion (p2m locks inside page_alloc_lock)
++ * - no preemption on huge max_pfns input
++ * - not (re-)checking d->is_dying with page_alloc_lock held
++ * - not honoring start_pfn input (which libxc also doesn't set)
++ * Additionally it is rather useless, as the result is stale by the
++ * time the caller gets to look at it.
++ * As it only has a single, non-production consumer (xen-mceinj),
++ * rather than trying to fix it we restrict it for the time being.
++ */
++ if ( /* No nested locks inside copy_to_guest_offset(). */
++ paging_mode_external(current->domain) ||
++ /* Arbitrary limit capping processing time. */
++ max_pfns > GB(4) / PAGE_SIZE )
++ {
++ ret = -EOPNOTSUPP;
++ break;
++ }
++
+ spin_lock(&d->page_alloc_lock);
+
+ ret = i = 0;
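Review bot: The restriction leaves two of the four problems listed in the new comment unfixed for the callers it still allows (PV callers with max_pfns at or below GB(4) / PAGE_SIZE), namely the missing re-check of d->is_dying under page_alloc_lock and the ignored start_pfn input, and the comment itself says so; it would help to note in the spec changelog that XSA-74 is a mitigation rather than a fix, so nobody later assumes the sub-hypercall is safe for production use. Two further points on the hunk: the paging_mode_external() test is deliberately on current->domain (the caller) rather than d (the target), because the nested-lock concern is the p2m lock taken inside copy_to_guest_offset() for an HVM caller, and a one-line comment saying "caller, not target" would prevent a well-meaning "correction" to d; and the GB(4) / PAGE_SIZE cap still permits roughly a million loop iterations with page_alloc_lock held and no preemption, which is bounded but not small, so the "arbitrary limit" comment should not be read as making the preemption issue go away.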
diff --git a/xsa76.patch b/xsa76.patch
new file mode 100644
index 0000000..54e4325
--- /dev/null
+++ b/xsa76.patch
@@ -0,0 +1,19 @@
+x86/HVM: only allow ring 0 guest code to make hypercalls
+
+Anything else would allow for privilege escalation.
+
+This is CVE-2013-4554 / XSA-76.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+ case 4:
+ case 2:
+ hvm_get_segment_register(curr, x86_seg_ss, &sreg);
+- if ( unlikely(sreg.attr.fields.dpl == 3) )
++ if ( unlikely(sreg.attr.fields.dpl) )
+ {
+ default:
+ regs->eax = -EPERM;
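Review bot: The one-token change from `dpl == 3` to `dpl` is correct (any non-zero DPL of SS, i.e. rings 1, 2 and 3, now takes the -EPERM path), but the condition deserves a comment because the surrounding layout is unusual: the `default:` label of the mode switch sits inside the `if` body, so the ring check and the unsupported-mode case share the same exit, and a reader seeing a bare `unlikely(sreg.attr.fields.dpl)` with no explanation may be tempted to "restore" the `== 3`. Suggest a line such as `/* XSA-76: only ring 0 may issue hypercalls; CPL is taken from SS.DPL */` above the `if` so the intent survives future edits.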