[xen/f19] Vulnerabilities in HVM MSI injection
myoung
myoung at fedoraproject.org
Sun Jun 15 19:22:40 UTC 2014
commit f2fe3d72bf3219cb86093dadff8b1afc7c057125
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Sun Jun 15 20:22:18 2014 +0100
Vulnerabilities in HVM MSI injection
xen.spec | 8 +++++++-
xsa96.patch | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 9b2da85..c7cfb17 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.2.4
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -84,6 +84,7 @@ Patch106: xen.setdevid.patch
Patch107: xsa82-4.2-32bit.patch
Patch108: xsa89.patch
Patch109: xsa92-4.2.patch
+Patch110: xsa96.patch
Patch100: xen-configure-xend.patch
@@ -258,6 +259,7 @@ manage Xen virtual machines.
%patch107 -p1
%patch108 -p1
%patch109 -p1
+%patch110 -p1
%patch100 -p1
@@ -751,6 +753,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Sun Jun 15 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.4-5
+- Vulnerabilities in HVM MSI injection [XSA-96, CVE-2014-3967,CVE-2014-3968]
+ (#1104583)
+
* Thu May 01 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.4-4
- HVMOP_set_mem_type allows invalid P2M entries to be created
[XSA-92, CVE-2014-3124] (#1093315)
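Review bot: The new changelog line `[XSA-96, CVE-2014-3967,CVE-2014-3968]` is missing the space after the second comma, unlike the separator after `XSA-96` in the same bracket. Suggest `[XSA-96, CVE-2014-3967, CVE-2014-3968]` so the entry is consistent and the CVE ids are easy to pick out when scanning or grepping the changelog.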
diff --git a/xsa96.patch b/xsa96.patch
new file mode 100644
index 0000000..ef6443f
--- /dev/null
+++ b/xsa96.patch
@@ -0,0 +1,38 @@
+x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
+
+- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
+ mustn't unconditionally de-reference it, and we need to invoke it
+ another time after having called map_domain_emuirq_pirq()
+- don't use printk(), namely without XENLOG_GUEST, for error reporting
+
+This is XSA-96.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/arch/x86/hvm/irq.c
++++ b/xen/arch/x86/hvm/irq.c
+@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
+ struct pirq *info = pirq_info(d, pirq);
+
+ /* if it is the first time, allocate the pirq */
+- if (info->arch.hvm.emuirq == IRQ_UNBOUND)
++ if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
+ {
+ spin_lock(&d->event_lock);
+ map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
+ spin_unlock(&d->event_lock);
++ info = pirq_info(d, pirq);
++ if ( !info )
++ return;
+ } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
+- {
+- printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
+ return;
+- }
+ send_guest_pirq(d, info);
+ return;
+- } else {
+- printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
+ }
+ }
+
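Review bot: In the `IRQ_UNBOUND` branch of `hvm_inject_msi()` the return value of `map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU)` is still discarded, and the only post-condition checked after the re-lookup is `if ( !info ) return;`. When `info` was already non-NULL with `emuirq == IRQ_UNBOUND`, a failed mapping would leave `info` non-NULL and execution would continue to `send_guest_pirq(d, info)` with an entry that was never bound as `IRQ_MSI_EMU`. Consider checking the call's result, or re-testing `info->arch.hvm.emuirq != IRQ_MSI_EMU` after the second `pirq_info()`. Note also that the second `pirq_info(d, pirq)` runs after `spin_unlock(&d->event_lock)`; a short comment on why the lookup is safe outside the lock would help. Finally, both `printk()` calls are removed rather than converted, so the two error paths now return silently; a message carrying `XENLOG_GUEST`, as the description itself hints, would keep a diagnostic for the operator while staying under the guest log-level controls.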