[xen/f19] PHYSDEVOP_{prepare,release}_msix exposed to unprivileged pv guest

myoung myoung at fedoraproject.org
Fri Jan 24 23:07:45 UTC 2014


commit 90030be36a33a1e011fca25de4a73ef9e0b57218
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Jan 24 23:07:30 2014 +0000

    PHYSDEVOP_{prepare,release}_msix exposed to unprivileged pv guest

 xen.spec        |    8 +++++++-
 xsa87-4.2.patch |   21 +++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 2b4853c..a01077c 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.3
-Release: 13%{?dist}
+Release: 14%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -98,6 +98,7 @@ Patch120: xsa76.patch
 Patch121: xsa82.patch
 Patch122: xsa80.patch
 Patch123: xsa83.patch
+Patch124: xsa87-4.2.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -286,6 +287,7 @@ manage Xen virtual machines.
 %patch121 -p1
 %patch122 -p1
 %patch123 -p1
+%patch124 -p1
 
 %patch100 -p1
 
@@ -779,6 +781,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri Jan 24 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-14
+- PHYSDEVOP_{prepare,release}_msix exposed to unprivileged pv guests
+    [XSA-87, CVE-2014-1666]
+
 * Thu Jan 23 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.3-13
 - Out-of-memory condition yielding memory corruption during IRQ setup
     [XSA-83, CVE-2014-1642] (#1057142)
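Review bot: the new 4.2.3-14 changelog entry cites [XSA-87, CVE-2014-1666] but carries no Bugzilla reference, whereas the 4.2.3-13 entry directly below it ends with (#1057142). If a tracking bug exists for this CVE, add it in the same form so the update can be tied back to it.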
diff --git a/xsa87-4.2.patch b/xsa87-4.2.patch
new file mode 100644
index 0000000..494cf5e
--- /dev/null
+++ b/xsa87-4.2.patch
@@ -0,0 +1,21 @@
+x86: PHYSDEVOP_{prepare,release}_msix are privileged
+
+Yet this wasn't being enforced.
+
+This is XSA-87.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/arch/x86/physdev.c
++++ b/xen/arch/x86/physdev.c
+@@ -612,7 +612,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+     case PHYSDEVOP_release_msix: {
+         struct physdev_pci_device dev;
+ 
+-        if ( copy_from_guest(&dev, arg, 1) )
++        if ( !IS_PRIV(v->domain) )
++            ret = -EPERM;
++        else if ( copy_from_guest(&dev, arg, 1) )
+             ret = -EFAULT;
+         else
+             ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
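Review bot: in the embedded physdev.c hunk only the `case PHYSDEVOP_release_msix:` label appears as context, while the patch title says both prepare and release are privileged and the guarded call is pci_prepare_msix(). Worth confirming against the 4.2.3 tree that the PHYSDEVOP_prepare_msix label falls through into this same block, so the single `!IS_PRIV(v->domain)` check covers both sub-ops. Putting the check ahead of copy_from_guest() is the right order: an unprivileged caller gets -EPERM before the guest-supplied argument is read. The description ("Yet this wasn't being enforced.") could also say in one line what an unprivileged guest could do before the fix, so a reader of the spec file does not have to look up XSA-87 to judge the urgency.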

