[xen/f19] Lock order reversal between page_alloc_lock and mm_rwlock, Hypercalls exposed to privilege rings 1 a

myoung myoung at fedoraproject.org
Tue Nov 26 22:56:37 UTC 2013


commit 54f013cbd2041ea0e6df86ab2272cfd9114f72d3
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Tue Nov 26 22:56:01 2013 +0000

    Lock order reversal between page_alloc_lock and mm_rwlock,
    Hypercalls exposed to privilege rings 1 and 2 of HVM guests

 xen.spec            |   12 +++++++++++-
 xsa74-4.1-4.2.patch |   41 +++++++++++++++++++++++++++++++++++++++++
 xsa76.patch         |   19 +++++++++++++++++++
 3 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index f0d7543..b8aaa6d 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -93,6 +93,8 @@ Patch115: xsa72.patch
 Patch116: xsa73-4.2.patch
 Patch117: xsa75-4.2.patch
 Patch118: xsa78.patch
+Patch119: xsa74-4.1-4.2.patch
+Patch120: xsa76.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -276,6 +278,8 @@ manage Xen virtual machines.
 %patch116 -p1
 %patch117 -p1
 %patch118 -p1
+%patch119 -p1
+%patch120 -p1
 
 %patch100 -p1
 
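Review bot: application order (`%patch119` then `%patch120`) matches the declaration order added in the earlier hunk, and `-p1` is correct here because both embedded patches use `a/xen/...` and `b/xen/...` paths; a brief spec comment next to the new Patch119/Patch120 lines naming the XSA each one carries would save readers a trip to the changelog.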
@@ -769,6 +773,12 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Tue Nov 26 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-10
+- Lock order reversal between page_alloc_lock and mm_rwlock
+    [XSA-74, CVE-2013-4553] (#1034925)
+- Hypercalls exposed to privilege rings 1 and 2 of HVM guests
+    [XSA-76, CVE-2013-4554] (#1034923)
+
 * Thu Nov 21 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-9
 - Insufficient TLB flushing in VT-d (iommu) code
     [XSA-78, CVE-2013-6375] (#1033149)
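Review bot: the new entry's `4.2.3-10` agrees with the `Release: 10%{?dist}` bump, and the XSA/CVE pairs it cites (XSA-74 with CVE-2013-4553, XSA-76 with CVE-2013-4554) match the `This is CVE-... / XSA-...` lines inside the two embedded patches; continuation-line indentation follows the existing 4.2.3-9 entry, so nothing to change.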
diff --git a/xsa74-4.1-4.2.patch b/xsa74-4.1-4.2.patch
new file mode 100644
index 0000000..490f84e
--- /dev/null
+++ b/xsa74-4.1-4.2.patch
@@ -0,0 +1,41 @@
+x86: restrict XEN_DOMCTL_getmemlist
+
+Coverity ID 1055652
+
+(See the code comment.)
+
+This is CVE-2013-4553 / XSA-74.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -385,6 +385,26 @@ long arch_do_domctl(
+                 break;
+             }
+ 
++            /*
++             * XSA-74: This sub-hypercall is broken in several ways:
++             * - lock order inversion (p2m locks inside page_alloc_lock)
++             * - no preemption on huge max_pfns input
++             * - not (re-)checking d->is_dying with page_alloc_lock held
++             * - not honoring start_pfn input (which libxc also doesn't set)
++             * Additionally it is rather useless, as the result is stale by
++             * the time the caller gets to look at it.
++             * As it only has a single, non-production consumer (xen-mceinj),
++             * rather than trying to fix it we restrict it for the time being.
++             */
++            if ( /* No nested locks inside copy_to_guest_offset(). */
++                 paging_mode_external(current->domain) ||
++                 /* Arbitrary limit capping processing time. */
++                 max_pfns > GB(4) / PAGE_SIZE )
++            {
++                ret = -EOPNOTSUPP;
++                break;
++            }
++
+             spin_lock(&d->page_alloc_lock);
+ 
+             if ( unlikely(d->is_dying) ) {
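Review bot: the `ret = -EOPNOTSUPP; break;` rejection is placed before `spin_lock(&d->page_alloc_lock)`, so no unlock path is needed on that exit, which is correct. Two points on the hunk: the `max_pfns > GB(4) / PAGE_SIZE` bound is called arbitrary in the comment and would be easier to audit as a named constant, and the comment lists `start_pfn` not being honoured as a known defect that this change leaves in place, so the block should be read as containment of getmemlist rather than a repair of it (the commit text says as much). Note also that the gate tests `current->domain`, the caller, rather than the target `d`; that is intentional, since the nested-lock hazard named in the comment is inside `copy_to_guest_offset()` writing into the caller's address space.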
diff --git a/xsa76.patch b/xsa76.patch
new file mode 100644
index 0000000..54e4325
--- /dev/null
+++ b/xsa76.patch
@@ -0,0 +1,19 @@
+x86/HVM: only allow ring 0 guest code to make hypercalls
+
+Anything else would allow for privilege escalation.
+
+This is CVE-2013-4554 / XSA-76.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+     case 4:
+     case 2:
+         hvm_get_segment_register(curr, x86_seg_ss, &sreg);
+-        if ( unlikely(sreg.attr.fields.dpl == 3) )
++        if ( unlikely(sreg.attr.fields.dpl) )
+         {
+     default:
+             regs->eax = -EPERM;
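Review bot: dropping `== 3` makes the test fire for any non-zero SS DPL, so rings 1 and 2 now receive `-EPERM` alongside ring 3, which is the stated fix. The context window only shows `case 4:` and `case 2:`; please confirm no other mode case above this hunk carries its own `dpl == 3` comparison, since a second copy would leave that mode with the old gap. The `default:` label nested inside the `if` body is pre-existing style, but a one-line comment noting that the `-EPERM` exit is shared by unrecognised modes would help future readers.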
