[xen/f19] IOMMU TLB flushing may be inadvertently suppressed

myoung myoung at fedoraproject.org
Wed Dec 11 17:16:05 UTC 2013


commit bb858c72728755be55a8c015c6d59f04b570f985
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Wed Dec 11 17:15:55 2013 +0000

    IOMMU TLB flushing may be inadvertently suppressed

 xen.spec    |    8 +++++-
 xsa80.patch |   72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 8c65910..d3d70a4 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.3
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -96,6 +96,7 @@ Patch118: xsa78.patch
 Patch119: xsa74-4.1-4.2.patch
 Patch120: xsa76.patch
 Patch121: xsa82.patch
+Patch122: xsa80.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -282,6 +283,7 @@ manage Xen virtual machines.
 %patch119 -p1
 %patch120 -p1
 %patch121 -p1
+%patch122 -p1
 
 %patch100 -p1
 
@@ -775,6 +777,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Dec 11 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-12
+- IOMMU TLB flushing may be inadvertently suppressed [XSA-80, CVE-2013-6400]
+    (#1040024)
+
 * Mon Dec 02 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-11
 - HVM guest triggerable AMD CPU erratum may cause host hang
     [XSA-82, CVE-2013-6885]
diff --git a/xsa80.patch b/xsa80.patch
new file mode 100644
index 0000000..c904595
--- /dev/null
+++ b/xsa80.patch
@@ -0,0 +1,72 @@
+IOMMU: clear "don't flush" override on error paths
+
+Both xenmem_add_to_physmap() and iommu_populate_page_table() each have
+an error path that fails to clear that flag, thus suppressing further
+flushes on the respective pCPU.
+
+In iommu_populate_page_table() also slightly re-arrange code to avoid
+the false impression of the flag in question being guarded by a
+domain's page_alloc_lock.
+
+This is CVE-2013-6400 / XSA-80.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -4648,7 +4648,7 @@ static int xenmem_add_to_physmap(struct 
+         {
+             rc = xenmem_add_to_physmap_once(d, xatp);
+             if ( rc < 0 )
+-                return rc;
++                break;
+ 
+             xatp->idx++;
+             xatp->gpfn++;
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -306,11 +306,11 @@ static int iommu_populate_page_table(str
+ {
+     struct hvm_iommu *hd = domain_hvm_iommu(d);
+     struct page_info *page;
+-    int rc;
++    int rc = 0;
+ 
++    this_cpu(iommu_dont_flush_iotlb) = 1;
+     spin_lock(&d->page_alloc_lock);
+ 
+-    this_cpu(iommu_dont_flush_iotlb) = 1;
+     page_list_for_each ( page, &d->page_list )
+     {
+         if ( is_hvm_domain(d) ||
+@@ -320,18 +320,20 @@ static int iommu_populate_page_table(str
+             rc = hd->platform_ops->map_page(
+                 d, mfn_to_gmfn(d, page_to_mfn(page)), page_to_mfn(page),
+                 IOMMUF_readable|IOMMUF_writable);
+-            if (rc)
+-            {
+-                spin_unlock(&d->page_alloc_lock);
+-                hd->platform_ops->teardown(d);
+-                return rc;
+-            }
++            if ( rc )
++                break;
+         }
+     }
+-    this_cpu(iommu_dont_flush_iotlb) = 0;
+-    iommu_iotlb_flush_all(d);
++
+     spin_unlock(&d->page_alloc_lock);
+-    return 0;
++    this_cpu(iommu_dont_flush_iotlb) = 0;
++
++    if ( !rc )
++        iommu_iotlb_flush_all(d);
++    else
++        hd->platform_ops->teardown(d);
++
++    return rc;
+ }
+ 
+ 
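Review bot: In the rewritten iommu_populate_page_table(), the per-CPU `iommu_dont_flush_iotlb` override is still set and cleared by hand, so a later early `return` inside the `page_list_for_each` loop would bring back the suppressed-flush condition this patch fixes. A comment at the set site would record the invariant, for example `/* Per-CPU flush override, not protected by page_alloc_lock: every exit from the loop must reach the clear below. */`. The mm.c hunk has the same dependency: replacing `return rc` with `break` only helps if the code after the loop clears the flag. That code is outside the hunk, so it should be confirmed against the full xenmem_add_to_physmap() body. On the failure path `teardown(d)` runs without `iommu_iotlb_flush_all(d)`, as it did before the patch; presumably teardown discards the mappings itself, but that is not visible here.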

