[xen] Race condition in HVMOP_track_dirty_vram, Missing privilege level checks in x86 HLT, LGDT, LIDT, and
myoung
myoung at fedoraproject.org
Tue Sep 23 18:34:05 UTC 2014
commit 34a955b2a502dbce1f9b8d892e4897d8d9163c36
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Tue Sep 23 19:31:51 2014 +0100
Race condition in HVMOP_track_dirty_vram,
Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation,
Missing privilege level checks in x86 emulation of software interrupts
xen.spec | 15 ++++++++++++++-
xsa104.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
xsa105.patch | 37 +++++++++++++++++++++++++++++++++++++
xsa106.patch | 23 +++++++++++++++++++++++
4 files changed, 118 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index a415897..ae184ac 100644
--- a/xen.spec
+++ b/xen.spec
@@ -53,7 +53,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.4.1
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -102,6 +102,9 @@ Patch21: xen.64.bit.hyp.on.ix86.patch
Patch22: xen.console.fix.patch
Patch23: xen.ocamlfix.patch
Patch24: xsa107-4.4.patch
+Patch25: xsa104.patch
+Patch26: xsa105.patch
+Patch27: xsa106.patch
Patch99: xen.figs.disable.patch
Patch100: xen-configure-xend.patch
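Review bot: Patch25 to Patch27 are numbered after the XSA-107 backport (Patch24, xsa107-4.4.patch), so the patch list is out of XSA order; this is harmless because the %patch lines below apply them in the same order, but note that XSA-104 to XSA-106 are carried under their generic upstream names (xsa104.patch etc.) while XSA-107 uses a 4.4-specific file, so the spec mixes the two naming conventions.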
@@ -289,6 +292,9 @@ manage Xen virtual machines.
%patch22 -p1
%patch23 -p1
%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
%patch99 -p1
%patch100 -p1
@@ -886,6 +892,13 @@ rm -rf %{buildroot}
%endif
%changelog
+* Tue Sep 23 2014 Michael Young <m.a.young at durham.ac.uk> - 4.4.1-4
+- Race condition in HVMOP_track_dirty_vram [XSA-104] (#1145736)
+- Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
+ [XSA-105] (#1145737)
+- Missing privilege level checks in x86 emulation of software interrupts
+ [XSA-106] (#1145738)
+
* Sun Sep 14 2014 Michael Young <m.a.young at durham.ac.uk> - 4.4.1-3
- disable building pngs from fig files which is currently broken in rawhide
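Review bot: the three changelog entries give only the XSA numbers and Bugzilla ids (#1145736 to #1145738); if CVE identifiers have been assigned for these advisories, they belong in the changelog as well, since that is what downstream scanners key on. The entries otherwise match the three Patch lines added above.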
diff --git a/xsa104.patch b/xsa104.patch
new file mode 100644
index 0000000..2c5b39e
--- /dev/null
+++ b/xsa104.patch
@@ -0,0 +1,44 @@
+x86/shadow: fix race condition sampling the dirty vram state
+
+d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
+
+If not, two concurrent hypercalls could both end up attempting to free
+dirty_vram (the second of which will free a wild pointer), or both end up
+allocating a new dirty_vram structure (the first of which will be leaked).
+
+This is XSA-104.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -3485,7 +3485,7 @@ int shadow_track_dirty_vram(struct domai
+ int flush_tlb = 0;
+ unsigned long i;
+ p2m_type_t t;
+- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
++ struct sh_dirty_vram *dirty_vram;
+ struct p2m_domain *p2m = p2m_get_hostp2m(d);
+
+ if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
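Review bot: dropping the initializer leaves dirty_vram uninitialized from its declaration until the locked read in the next hunk, so any reference to it on the early-exit path following the bounds check `if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )` would now be a use of an uninitialized pointer; the reviewer should confirm that path does not touch dirty_vram (a -Wmaybe-uninitialized build would catch it). If nothing uses it there, the change is the right fix for the unlocked read.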
+@@ -3495,6 +3495,8 @@ int shadow_track_dirty_vram(struct domai
+ p2m_lock(p2m_get_hostp2m(d));
+ paging_lock(d);
+
++ dirty_vram = d->arch.hvm_domain.dirty_vram;
++
+ if ( dirty_vram && (!nr ||
+ ( begin_pfn != dirty_vram->begin_pfn
+ || end_pfn != dirty_vram->end_pfn )) )
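Review bot: the read is now done after both p2m_lock() and paging_lock() are taken, which closes the window described in the commit message for this function, but it only helps if every other reader and writer of d->arch.hvm_domain.dirty_vram (the allocation and free paths this hunk feeds into, and any teardown code) also holds the paging lock; a quick audit of the other users should accompany the patch, otherwise the double-free or leak described above is still reachable from them.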
+--- a/xen/include/asm-x86/hvm/domain.h
++++ b/xen/include/asm-x86/hvm/domain.h
+@@ -112,7 +112,7 @@ struct hvm_domain {
+ /* Memory ranges with pinned cache attributes. */
+ struct list_head pinned_cacheattr_ranges;
+
+- /* VRAM dirty support. */
++ /* VRAM dirty support. Protect with the domain paging lock. */
+ struct sh_dirty_vram *dirty_vram;
+
+ /* If one of vcpus of this domain is in no_fill_mode or
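Review bot: the new comment names the lock, which is the right place to document the invariant; consider naming the accessor too ("take paging_lock(d)") so a reader of the header does not have to find the lock function elsewhere.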
diff --git a/xsa105.patch b/xsa105.patch
new file mode 100644
index 0000000..cc7cafd
--- /dev/null
+++ b/xsa105.patch
@@ -0,0 +1,37 @@
+x86/emulate: check cpl for all privileged instructions
+
+Without this, it is possible for userspace to load its own IDT or GDT.
+
+This is XSA-105.
+
+Reported-by: Andrei LUTAS <vlutas at bitdefender.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Reviewed-by: Jan Beulich <jbeulich at suse.com>
+Tested-by: Andrei LUTAS <vlutas at bitdefender.com>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3314,6 +3314,7 @@ x86_emulate(
+ goto swint;
+
+ case 0xf4: /* hlt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ ctxt->retire.flags.hlt = 1;
+ break;
+
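Review bot: the commit title promises a CPL check for all privileged instructions, but the patch touches only hlt (here), lgdt/lidt and lmsw; the reviewer should confirm that the other ring-0-only instructions the emulator handles already carry a mode_ring0() check, since none of them appear in this patch. The hlt check itself is correctly placed before `ctxt->retire.flags.hlt = 1;`, so a CPL>0 hlt injects #GP(0) instead of retiring as a halt.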
+@@ -3710,6 +3711,7 @@ x86_emulate(
+ break;
+ case 2: /* lgdt */
+ case 3: /* lidt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+ fail_if(ops->write_segment == NULL);
+ memset(®, 0, sizeof(reg));
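Review bot: the new `generate_exception_if(!mode_ring0(), EXC_GP, 0);` is placed ahead of the existing `generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);`, so a CPL>0 guest using a register-form encoding now receives #GP(0) where the emulator previously raised #UD and where hardware reports the decode fault first (invalid-opcode faults take priority over privilege checks). Swapping the two lines would match the architectural fault ordering; the security effect is the same either way, since both paths now refuse the load.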
+@@ -3738,6 +3740,7 @@ x86_emulate(
+ case 6: /* lmsw */
+ fail_if(ops->read_cr == NULL);
+ fail_if(ops->write_cr == NULL);
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
+ goto done;
+ if ( ea.type == OP_REG )
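Review bot: for lmsw the CPL check is inserted after the two `fail_if(ops->read_cr == NULL);` / `fail_if(ops->write_cr == NULL);` lines, whereas for hlt and lgdt/lidt it is the first statement of the case; moving it above the fail_if lines would be consistent and would inject #GP(0) for a CPL>0 guest even on an emulator instance without those callbacks, instead of failing the emulation. With both hooks present the behaviour is identical.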
diff --git a/xsa106.patch b/xsa106.patch
new file mode 100644
index 0000000..436724d
--- /dev/null
+++ b/xsa106.patch
@@ -0,0 +1,23 @@
+x86emul: only emulate software interrupt injection for real mode
+
+Protected mode emulation currently lacks proper privilege checking of
+the referenced IDT entry, and there's currently no legitimate way for
+any of the respective instructions to reach the emulator when the guest
+is in protected mode.
+
+This is XSA-106.
+
+Reported-by: Andrei LUTAS <vlutas at bitdefender.com>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Keir Fraser <keir at xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -2634,6 +2634,7 @@ x86_emulate(
+ case 0xcd: /* int imm8 */
+ src.val = insn_fetch_type(uint8_t);
+ swint:
++ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
+ fail_if(ops->inject_sw_interrupt == NULL);
+ rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
+ ctxt) ? : X86EMUL_EXCEPTION;
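Review bot: placing `fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */` at the swint label rather than in the `case 0xcd` body is the right choice, since it also covers the `goto swint;` entry visible as context at the top of the hlt hunk in xsa105.patch; every software-interrupt path now bails out of the emulator unless the guest is in real mode. Note that fail_if makes protected-mode emulation unhandleable rather than injecting a fault, which the commit message justifies by saying no legitimate protected-mode path reaches this code; the inline comment names only the advisory, so a few words on that reasoning ("no protected-mode path reaches the emulator; IDT privilege checks not implemented") would help the next reader understand why failing is acceptable.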