[xen/f19] IOMMU TLB flushing may be inadvertently suppressed
myoung
myoung at fedoraproject.org
Wed Dec 11 17:16:05 UTC 2013
commit bb858c72728755be55a8c015c6d59f04b570f985
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Wed Dec 11 17:15:55 2013 +0000
IOMMU TLB flushing may be inadvertently suppressed
xen.spec | 8 +++++-
xsa80.patch | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 79 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 8c65910..d3d70a4 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.2.3
-Release: 11%{?dist}
+Release: 12%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -96,6 +96,7 @@ Patch118: xsa78.patch
Patch119: xsa74-4.1-4.2.patch
Patch120: xsa76.patch
Patch121: xsa82.patch
+Patch122: xsa80.patch
Patch100: xen-configure-xend.patch
@@ -282,6 +283,7 @@ manage Xen virtual machines.
%patch119 -p1
%patch120 -p1
%patch121 -p1
+%patch122 -p1
%patch100 -p1
@@ -775,6 +777,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Wed Dec 11 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-12
+- IOMMU TLB flushing may be inadvertently suppressed [XSA-80, CVE-2013-6400]
+ (#1040024)
+
* Mon Dec 02 2013 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-11
- HVM guest triggerable AMD CPU erratum may cause host hang
[XSA-82, CVE-2013-6885]
diff --git a/xsa80.patch b/xsa80.patch
new file mode 100644
index 0000000..c904595
--- /dev/null
+++ b/xsa80.patch
@@ -0,0 +1,72 @@
+IOMMU: clear "don't flush" override on error paths
+
+Both xenmem_add_to_physmap() and iommu_populate_page_table() each have
+an error path that fails to clear that flag, thus suppressing further
+flushes on the respective pCPU.
+
+In iommu_populate_page_table() also slightly re-arrange code to avoid
+the false impression of the flag in question being guarded by a
+domain's page_alloc_lock.
+
+This is CVE-2013-6400 / XSA-80.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -4648,7 +4648,7 @@ static int xenmem_add_to_physmap(struct
+ {
+ rc = xenmem_add_to_physmap_once(d, xatp);
+ if ( rc < 0 )
+- return rc;
++ break;
+
+ xatp->idx++;
+ xatp->gpfn++;
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -306,11 +306,11 @@ static int iommu_populate_page_table(str
+ {
+ struct hvm_iommu *hd = domain_hvm_iommu(d);
+ struct page_info *page;
+- int rc;
++ int rc = 0;
+
++ this_cpu(iommu_dont_flush_iotlb) = 1;
+ spin_lock(&d->page_alloc_lock);
+
+- this_cpu(iommu_dont_flush_iotlb) = 1;
+ page_list_for_each ( page, &d->page_list )
+ {
+ if ( is_hvm_domain(d) ||
+@@ -320,18 +320,20 @@ static int iommu_populate_page_table(str
+ rc = hd->platform_ops->map_page(
+ d, mfn_to_gmfn(d, page_to_mfn(page)), page_to_mfn(page),
+ IOMMUF_readable|IOMMUF_writable);
+- if (rc)
+- {
+- spin_unlock(&d->page_alloc_lock);
+- hd->platform_ops->teardown(d);
+- return rc;
+- }
++ if ( rc )
++ break;
+ }
+ }
+- this_cpu(iommu_dont_flush_iotlb) = 0;
+- iommu_iotlb_flush_all(d);
++
+ spin_unlock(&d->page_alloc_lock);
+- return 0;
++ this_cpu(iommu_dont_flush_iotlb) = 0;
++
++ if ( !rc )
++ iommu_iotlb_flush_all(d);
++ else
++ hd->platform_ops->teardown(d);
++
++ return rc;
+ }
+
+
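Review bot: In the iommu.c part of the embedded patch, the new single-exit shape of iommu_populate_page_table() depends on an invariant that is not written down anywhere: the per-CPU `iommu_dont_flush_iotlb` override has to be reset on every path out, otherwise later IOTLB flushes on that pCPU are silently skipped. I would add a comment above the assignment, e.g. `/* Per-CPU override, not protected by page_alloc_lock; must be cleared on every exit path. */`, so that a future early return does not reintroduce CVE-2013-6400. On the failure branch `hd->platform_ops->teardown(d)` runs without `iommu_iotlb_flush_all(d)`, although the earlier map_page calls had their flushes suppressed; presumably teardown invalidates those mappings, but that is not visible here and should be confirmed. In the mm.c part, the `break` only helps if the code after the loop clears the flag, and that code lies outside the hunk, so it should be checked against the full xenmem_add_to_physmap().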