[xen] PHYSDEVOP_{prepare, release}_msix exposed to unprivileged pv guest

myoung myoung at fedoraproject.org
Fri Jan 24 19:53:36 UTC 2014


commit 0633152cb557323c15d85645e3f82e05a0a2f674
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Jan 24 19:52:59 2014 +0000

    PHYSDEVOP_{prepare,release}_msix exposed to unprivileged pv guest

 xen.spec                 |    8 +++++++-
 xsa87-unstable-4.3.patch |   23 +++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 9ea1c8d..0bc4b64 100644
--- a/xen.spec
+++ b/xen.spec
@@ -46,7 +46,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.3.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -107,6 +107,7 @@ Patch27: xsa82.patch
 Patch28: xsa77-unstable.patch
 Patch29: xsa80.patch
 Patch30: xsa83.patch
+Patch31: xsa87-unstable-4.3.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -296,6 +297,7 @@ manage Xen virtual machines.
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
+%patch31 -p1
 
 %patch100 -p1
 
@@ -828,6 +830,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri Jan 24 2014 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-8
+- PHYSDEVOP_{prepare,release}_msix exposed to unprivileged pv guests
+    [XSA-87, CVE-2014-1666]
+
 * Thu Jan 23 2014 Michael Young <m.a.young at durham.ac.uk> - 4.3.1-7
 - Out-of-memory condition yielding memory corruption during IRQ setup
     [XSA-83, CVE-2014-1642] (#1057142)
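
Review bot: The new %changelog entry for 4.3.1-8 carries no bug reference, while the 4.3.1-7 entry directly below it ends with (#1057142). If a tracking bug exists for XSA-87, append it after [XSA-87, CVE-2014-1666] so both entries can be traced the same way. The entry also reads "pv guests" where the commit subject reads "pv guest"; this is harmless, but using one form makes the advisory easier to search for.
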
diff --git a/xsa87-unstable-4.3.patch b/xsa87-unstable-4.3.patch
new file mode 100644
index 0000000..3c31ed5
--- /dev/null
+++ b/xsa87-unstable-4.3.patch
@@ -0,0 +1,23 @@
+x86: PHYSDEVOP_{prepare,release}_msix are privileged
+
+Yet this wasn't being enforced.
+
+This is XSA-87.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+
+--- 2014-01-14.orig/xen/arch/x86/physdev.c	2013-11-18 11:03:37.000000000 +0100
++++ 2014-01-14/xen/arch/x86/physdev.c	2014-01-22 12:47:47.000000000 +0100
+@@ -640,7 +640,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+         if ( copy_from_guest(&dev, arg, 1) )
+             ret = -EFAULT;
+         else
+-            ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
++            ret = xsm_resource_setup_pci(XSM_PRIV,
++                                         (dev.seg << 16) | (dev.bus << 8) |
++                                         dev.devfn) ?:
++                  pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
+                                    cmd != PHYSDEVOP_prepare_msix);
+         break;
+     }
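
Review bot: In the do_physdev_op hunk the new check packs the device identifier inline as (dev.seg << 16) | (dev.bus << 8) | dev.devfn, with no comment on the layout being passed to xsm_resource_setup_pci. A one-line comment or a named helper would make it clear that this is segment/bus/devfn and keep the encoding consistent if it is needed elsewhere. The ?: form means a non-zero XSM result is returned and pci_prepare_msix is never reached, which is the right deny-before-act ordering, and since the last argument is cmd != PHYSDEVOP_prepare_msix the same check covers both the prepare and the release operation. The embedded description ("Yet this wasn't being enforced.") does not say what an unprivileged caller could do before the fix; one sentence on the impact would help anyone auditing whether a given build needs this patch.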

