[xen] Disaggregated domain management security status update, IOMMU TLB flushing may be inadvertently suppressed

myoung myoung at fedoraproject.org
Wed Dec 11 13:44:56 UTC 2013


commit 62dd1f8ca5a742e7e2b3a8aeb245b610e8a07a99
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Wed Dec 11 12:43:17 2013 +0000

    Disaggregated domain management security status update,
    IOMMU TLB flushing may be inadvertently suppressed

 xen.spec             |   11 +++-
 xsa77-unstable.patch |  214 ++++++++++++++++++++++++++++++++++++++++++++++++++
 xsa80.patch          |   72 +++++++++++++++++
 3 files changed, 296 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index f23bc2a..7be70d2 100644
--- a/xen.spec
+++ b/xen.spec
@@ -46,7 +46,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.3.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -104,6 +104,8 @@ Patch24: xsa78.patch
 Patch25: xsa74-4.3-unstable.patch
 Patch26: xsa76.patch
 Patch27: xsa82.patch
+Patch28: xsa77-unstable.patch
+Patch29: xsa80.patch
 
 Patch100: xen-configure-xend.patch
 
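Review bot: Patch28 pulls the `-unstable` variant of the XSA-77 patch into a 4.3.1 package (Version: 4.3.1 above); since that patch only touches docs/misc/xsm-flask.txt, the thing to check is that it applies cleanly to 4.3.1 and that the interface lists it adds match what 4.3.1 actually exposes rather than the development tree it was written against. A one-line comment next to `Patch28: xsa77-unstable.patch` recording why the unstable version was used (no 4.3-specific version published, or identical content) would spare the next maintainer the same check.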
@@ -290,6 +292,8 @@ manage Xen virtual machines.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1
 
 %patch100 -p1
 
@@ -822,6 +826,11 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Dec 11 2013 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-6
+- Disaggregated domain management security status update [XSA-77]
+- IOMMU TLB flushing may be inadvertently suppressed [XSA-80, CVE-2013-6400]
+    (#1040024)
+
 * Mon Dec 02 2013 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-5
 - HVM guest triggerable AMD CPU erratum may cause host hang
     [XSA-82, CVE-2013-6885]
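Review bot: The XSA-77 changelog line carries neither a CVE nor a Bugzilla reference, while the XSA-80 line directly below it has both ([XSA-80, CVE-2013-6400] and (#1040024)); if XSA-77 has no CVE and no bug filed, say so inline, or at least note that it is a documentation/policy update rather than a code fix, so a reader does not take the bare [XSA-77] as an omission.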
diff --git a/xsa77-unstable.patch b/xsa77-unstable.patch
new file mode 100644
index 0000000..4ec475f
--- /dev/null
+++ b/xsa77-unstable.patch
@@ -0,0 +1,214 @@
+xen: list interfaces subject to the security process exception in XSA-77
+
+List all the sub ops of:
+  __HYPERVISOR_domctl
+  __HYPERVISOR_sysctl
+  __HYPERVISOR_memory_op
+  __HYPERVISOR_tmem_op
+which are subject to the policy given in
+http://xenbits.xen.org/xsa/advisory-77.html
+
+It is expected that these lists will be whittled away as each interface is
+audited for safety.
+
+New interfaces should be expected to be safe when introduced (IOW the list
+should never be expanded).
+
+This is XSA-77.
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+
+diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
+index ff81b01..ddd5831 100644
+--- a/docs/misc/xsm-flask.txt
++++ b/docs/misc/xsm-flask.txt
+@@ -17,6 +17,189 @@ Some examples of what FLASK can do:
+ Some of these examples require dom0 disaggregation to be useful, since the
+ domain build process requires the ability to write to the new domain's memory.
+ 
++Security Status of dom0 disaggregation
++--------------------------------------
++
++Xen supports disaggregation of various support and management
++functions into their own domains, via the XSM mechanisms described in
++this document.
++
++However the implementations of these support and management interfaces
++were originally written to be used only by the totally-privileged
++dom0, and have not been reviewed for security when exposed to
++supposedly-only-semi-privileged disaggregated management domains.  But
++such management domains are (in such a design) to be seen as
++potentially hostile, e.g. due to privilege escalation following
++exploitation of a bug in the management domain.
++
++Until the interfaces have been properly reviewed for security against
++hostile callers, the Xen.org security team intends (subject of course
++to the permission of anyone disclosing to us) to handle these and
++future vulnerabilities in these interfaces in public, as if they were
++normal non-security-related bugs.
++
++This applies only to bugs which do no more than reduce the security of
++a radically disaggregated system to the security of a
++non-disaggregated one.  Here a "radically disaggregated system" is one
++which uses the XSM mechanism to delegate the affected interfaces to
++other-than-fully-trusted domains.
++
++This policy does not apply to bugs which affect stub device models,
++driver domains, or stub xenstored - even if those bugs do no worse
++than reduce the security of such a system to one whose device models,
++backend drivers, or xenstore, run in dom0.
++
++For more information see http://xenbits.xen.org/xsa/advisory-77.html.
++
++The following interfaces are covered by this statement.  Interfaces
++not listed here are considered safe for disaggregation, security
++issues found in interfaces not listed here will be handled according
++to the normal security problem response policy
++http://www.xenproject.org/security-policy.html.
++
++__HYPERVISOR_domctl (xen/include/public/domctl.h)
++
++ The following subops are covered by this statement. subops not listed
++ here are considered safe for disaggregation.
++
++ * XEN_DOMCTL_createdomain
++ * XEN_DOMCTL_destroydomain
++ * XEN_DOMCTL_pausedomain
++ * XEN_DOMCTL_unpausedomain
++ * XEN_DOMCTL_getdomaininfo
++ * XEN_DOMCTL_getmemlist
++ * XEN_DOMCTL_getpageframeinfo
++ * XEN_DOMCTL_getpageframeinfo2
++ * XEN_DOMCTL_setvcpuaffinity
++ * XEN_DOMCTL_shadow_op
++ * XEN_DOMCTL_max_mem
++ * XEN_DOMCTL_setvcpucontext
++ * XEN_DOMCTL_getvcpucontext
++ * XEN_DOMCTL_getvcpuinfo
++ * XEN_DOMCTL_max_vcpus
++ * XEN_DOMCTL_scheduler_op
++ * XEN_DOMCTL_setdomainhandle
++ * XEN_DOMCTL_setdebugging
++ * XEN_DOMCTL_irq_permission
++ * XEN_DOMCTL_iomem_permission
++ * XEN_DOMCTL_ioport_permission
++ * XEN_DOMCTL_hypercall_init
++ * XEN_DOMCTL_arch_setup
++ * XEN_DOMCTL_settimeoffset
++ * XEN_DOMCTL_getvcpuaffinity
++ * XEN_DOMCTL_real_mode_area
++ * XEN_DOMCTL_resumedomain
++ * XEN_DOMCTL_sendtrigger
++ * XEN_DOMCTL_subscribe
++ * XEN_DOMCTL_gethvmcontext
++ * XEN_DOMCTL_sethvmcontext
++ * XEN_DOMCTL_set_address_size
++ * XEN_DOMCTL_get_address_size
++ * XEN_DOMCTL_assign_device
++ * XEN_DOMCTL_pin_mem_cacheattr
++ * XEN_DOMCTL_set_ext_vcpucontext
++ * XEN_DOMCTL_get_ext_vcpucontext
++ * XEN_DOMCTL_set_opt_feature
++ * XEN_DOMCTL_test_assign_device
++ * XEN_DOMCTL_set_target
++ * XEN_DOMCTL_deassign_device
++ * XEN_DOMCTL_set_cpuid
++ * XEN_DOMCTL_get_device_group
++ * XEN_DOMCTL_set_machine_address_size
++ * XEN_DOMCTL_get_machine_address_size
++ * XEN_DOMCTL_suppress_spurious_page_faults
++ * XEN_DOMCTL_debug_op
++ * XEN_DOMCTL_gethvmcontext_partial
++ * XEN_DOMCTL_mem_event_op
++ * XEN_DOMCTL_mem_sharing_op
++ * XEN_DOMCTL_disable_migrate
++ * XEN_DOMCTL_gettscinfo
++ * XEN_DOMCTL_settscinfo
++ * XEN_DOMCTL_getpageframeinfo3
++ * XEN_DOMCTL_setvcpuextstate
++ * XEN_DOMCTL_getvcpuextstate
++ * XEN_DOMCTL_set_access_required
++ * XEN_DOMCTL_audit_p2m
++ * XEN_DOMCTL_set_virq_handler
++ * XEN_DOMCTL_set_broken_page_p2m
++ * XEN_DOMCTL_setnodeaffinity
++ * XEN_DOMCTL_getnodeaffinity
++ * XEN_DOMCTL_set_max_evtchn
++ * XEN_DOMCTL_gdbsx_guestmemio
++ * XEN_DOMCTL_gdbsx_pausevcpu
++ * XEN_DOMCTL_gdbsx_unpausevcpu
++ * XEN_DOMCTL_gdbsx_domstatus
++
++__HYPERVISOR_sysctl (xen/include/public/sysctl.h)
++
++ The following subops are covered by this statement. subops not listed
++ here are considered safe for disaggregation.
++
++ * XEN_SYSCTL_readconsole
++ * XEN_SYSCTL_tbuf_op
++ * XEN_SYSCTL_physinfo
++ * XEN_SYSCTL_sched_id
++ * XEN_SYSCTL_perfc_op
++ * XEN_SYSCTL_getdomaininfolist
++ * XEN_SYSCTL_debug_keys
++ * XEN_SYSCTL_getcpuinfo
++ * XEN_SYSCTL_availheap
++ * XEN_SYSCTL_get_pmstat
++ * XEN_SYSCTL_cpu_hotplug
++ * XEN_SYSCTL_pm_op
++ * XEN_SYSCTL_page_offline_op
++ * XEN_SYSCTL_lockprof_op
++ * XEN_SYSCTL_topologyinfo
++ * XEN_SYSCTL_numainfo
++ * XEN_SYSCTL_cpupool_op
++ * XEN_SYSCTL_scheduler_op
++ * XEN_SYSCTL_coverage_op
++
++__HYPERVISOR_memory_op (xen/include/public/memory.h)
++
++ The following subops are covered by this statement. subops not listed
++ here are considered safe for disaggregation.
++
++ * XENMEM_set_pod_target
++ * XENMEM_get_pod_target
++ * XENMEM_claim_pages
++
++__HYPERVISOR_tmem_op (xen/include/public/tmem.h)
++
++ The following tmem control ops, that is the sub-subops of
++ TMEM_CONTROL, are covered by this statement. 
++
++ Note that TMEM is also subject to a similar policy arising from
++ XSA-15 http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html.
++ Due to this existing policy all TMEM Ops are already subject to
++ reduced security support.
++
++ * TMEMC_THAW
++ * TMEMC_FREEZE
++ * TMEMC_FLUSH
++ * TMEMC_DESTROY
++ * TMEMC_LIST
++ * TMEMC_SET_WEIGHT
++ * TMEMC_SET_CAP
++ * TMEMC_SET_COMPRESS
++ * TMEMC_QUERY_FREEABLE_MB
++ * TMEMC_SAVE_BEGIN
++ * TMEMC_SAVE_GET_VERSION
++ * TMEMC_SAVE_GET_MAXPOOLS
++ * TMEMC_SAVE_GET_CLIENT_WEIGHT
++ * TMEMC_SAVE_GET_CLIENT_CAP
++ * TMEMC_SAVE_GET_CLIENT_FLAGS
++ * TMEMC_SAVE_GET_POOL_FLAGS
++ * TMEMC_SAVE_GET_POOL_NPAGES
++ * TMEMC_SAVE_GET_POOL_UUID
++ * TMEMC_SAVE_GET_NEXT_PAGE
++ * TMEMC_SAVE_GET_NEXT_INV
++ * TMEMC_SAVE_END
++ * TMEMC_RESTORE_BEGIN
++ * TMEMC_RESTORE_PUT_PAGE
++ * TMEMC_RESTORE_FLUSH_PAGE
++
++
+ 
+ Setting up FLASK
+ ----------------
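Review bot: The lists in the added "Security Status of dom0 disaggregation" section are the unstable-tree lists, as the patch file name says, but here they are shipped in a 4.3.1 package; any subop named in the domctl or sysctl list that 4.3.1's xen/include/public/domctl.h and sysctl.h do not define should be dropped from the packaged copy (or the section should state that the list is for the development tree), because the sentence "subops not listed here are considered safe for disaggregation" is otherwise being made against the wrong header set. Two text points in the same region: "Interfaces not listed here are considered safe for disaggregation, security issues found in interfaces not listed here will be handled ..." is a comma splice that wants a full stop or semicolon, and the line "TMEM_CONTROL, are covered by this statement. " has trailing whitespace and is followed by two blank lines where the rest of the file uses one.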
diff --git a/xsa80.patch b/xsa80.patch
new file mode 100644
index 0000000..c904595
--- /dev/null
+++ b/xsa80.patch
@@ -0,0 +1,72 @@
+IOMMU: clear "don't flush" override on error paths
+
+Both xenmem_add_to_physmap() and iommu_populate_page_table() each have
+an error path that fails to clear that flag, thus suppressing further
+flushes on the respective pCPU.
+
+In iommu_populate_page_table() also slightly re-arrange code to avoid
+the false impression of the flag in question being guarded by a
+domain's page_alloc_lock.
+
+This is CVE-2013-6400 / XSA-80.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -4648,7 +4648,7 @@ static int xenmem_add_to_physmap(struct 
+         {
+             rc = xenmem_add_to_physmap_once(d, xatp);
+             if ( rc < 0 )
+-                return rc;
++                break;
+ 
+             xatp->idx++;
+             xatp->gpfn++;
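Review bot: Changing `return rc;` to `break;` only fixes the flag leak if whatever follows the loop in xenmem_add_to_physmap() (not visible in this hunk) clears this_cpu(iommu_dont_flush_iotlb) and issues the flush on every exit path, and then returns rc without overwriting it; please confirm that the post-loop code is unconditional rather than gated on success, and that a negative rc from xenmem_add_to_physmap_once() still reaches the caller. Note also that xatp->idx and xatp->gpfn are no longer advanced on the failing iteration, which matches the behaviour of the old early return.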
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -306,11 +306,11 @@ static int iommu_populate_page_table(str
+ {
+     struct hvm_iommu *hd = domain_hvm_iommu(d);
+     struct page_info *page;
+-    int rc;
++    int rc = 0;
+ 
++    this_cpu(iommu_dont_flush_iotlb) = 1;
+     spin_lock(&d->page_alloc_lock);
+ 
+-    this_cpu(iommu_dont_flush_iotlb) = 1;
+     page_list_for_each ( page, &d->page_list )
+     {
+         if ( is_hvm_domain(d) ||
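Review bot: Initialising `int rc = 0;` is required, not cosmetic: the new post-loop `if ( !rc )` in the next hunk reads rc even when the loop never reaches map_page() (empty page_list, or every page skipped by the is_hvm_domain() condition), so without the initialiser the flush/teardown decision would be made on an uninitialised value. Moving `this_cpu(iommu_dont_flush_iotlb) = 1;` ahead of spin_lock() is fine for per-pCPU state, but the window in which the flag is set now also spans the lock acquisition; a one-line comment saying the flag must be cleared on every exit from this function would document the invariant XSA-80 is about.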
+@@ -320,18 +320,20 @@ static int iommu_populate_page_table(str
+             rc = hd->platform_ops->map_page(
+                 d, mfn_to_gmfn(d, page_to_mfn(page)), page_to_mfn(page),
+                 IOMMUF_readable|IOMMUF_writable);
+-            if (rc)
+-            {
+-                spin_unlock(&d->page_alloc_lock);
+-                hd->platform_ops->teardown(d);
+-                return rc;
+-            }
++            if ( rc )
++                break;
+         }
+     }
+-    this_cpu(iommu_dont_flush_iotlb) = 0;
+-    iommu_iotlb_flush_all(d);
++
+     spin_unlock(&d->page_alloc_lock);
+-    return 0;
++    this_cpu(iommu_dont_flush_iotlb) = 0;
++
++    if ( !rc )
++        iommu_iotlb_flush_all(d);
++    else
++        hd->platform_ops->teardown(d);
++
++    return rc;
+ }
+ 
+ 
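Review bot: On the error path the flush is now skipped in favour of hd->platform_ops->teardown(d), after flushes were suppressed for every map_page() that succeeded before the failing one; unless teardown() is guaranteed to flush the IOTLB itself, the entries already installed can remain cached, so either call iommu_iotlb_flush_all(d) before teardown() on that path or add a comment stating that teardown() performs the flush. The ordering otherwise looks right: the lock is dropped before the flag is cleared, the flag is cleared before anything that might flush, and rc carries the map_page() error out unchanged; the `if (rc)` to `if ( rc )` change also brings the line in line with Xen coding style.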