[xen/f19] Vulnerabilities in HVM MSI injection

myoung myoung at fedoraproject.org
Sun Jun 15 19:22:40 UTC 2014


commit f2fe3d72bf3219cb86093dadff8b1afc7c057125
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Sun Jun 15 20:22:18 2014 +0100

    Vulnerabilities in HVM MSI injection

 xen.spec    |    8 +++++++-
 xsa96.patch |   38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 9b2da85..c7cfb17 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -84,6 +84,7 @@ Patch106: xen.setdevid.patch
 Patch107: xsa82-4.2-32bit.patch
 Patch108: xsa89.patch
 Patch109: xsa92-4.2.patch
+Patch110: xsa96.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -258,6 +259,7 @@ manage Xen virtual machines.
 %patch107 -p1
 %patch108 -p1
 %patch109 -p1
+%patch110 -p1
 
 %patch100 -p1
 
@@ -751,6 +753,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Sun Jun 15 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.4-5
+- Vulnerabilities in HVM MSI injection [XSA-96, CVE-2014-3967,CVE-2014-3968]
+	(#1104583)
+
 * Thu May 01 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.4-4
 - HVMOP_set_mem_type allows invalid P2M entries to be created
 	[XSA-92, CVE-2014-3124] (#1093315)
diff --git a/xsa96.patch b/xsa96.patch
new file mode 100644
index 0000000..ef6443f
--- /dev/null
+++ b/xsa96.patch
@@ -0,0 +1,38 @@
+x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
+
+- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
+  mustn't unconditionally de-reference it, and we need to invoke it
+  another time after having called map_domain_emuirq_pirq()
+- don't use printk(), namely without XENLOG_GUEST, for error reporting
+
+This is XSA-96.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/arch/x86/hvm/irq.c
++++ b/xen/arch/x86/hvm/irq.c
+@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
+             struct pirq *info = pirq_info(d, pirq);
+ 
+             /* if it is the first time, allocate the pirq */
+-            if (info->arch.hvm.emuirq == IRQ_UNBOUND)
++            if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
+             {
+                 spin_lock(&d->event_lock);
+                 map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
+                 spin_unlock(&d->event_lock);
++                info = pirq_info(d, pirq);
++                if ( !info )
++                    return;
+             } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
+-            {
+-                printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
+                 return;
+-            }
+             send_guest_pirq(d, info);
+             return;
+-        } else {
+-            printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
+         }
+     }
+ 
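Review bot: The result of `map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU)` is still discarded in the patched hvm_inject_msi(), so the added `if ( !info ) return;` only catches the case where no pirq structure exists after the call. The function's return convention is not visible in this hunk, but if it can fail while a `struct pirq` is already allocated, `send_guest_pirq(d, info)` would be reached for an entry that was never bound as IRQ_MSI_EMU. I would capture the result under the lock, `int rc = map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);`, and add `if ( rc ) return;` after the unlock, before the second `pirq_info()` lookup. The first `pirq_info()` call and the `emuirq` test also run outside `d->event_lock`, while the mapping runs under it, so a one-line comment saying why the unlocked check is safe would help. The body of hvm_inject_msi() starts and ends outside the hunk.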

