[xen/f19] Insufficient restrictions on certain MMU update hypercalls, Missing privilege level checks in x86 em

Wed Nov 19 20:55:18 UTC 2014

commit bf4ddc0bc7213422cf014333e211dbd5ce2ded71
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Wed Nov 19 20:54:17 2014 +0000

    Insufficient restrictions on certain MMU update hypercalls,
    Missing privilege level checks in x86 emulation of far branches,
    Add fix for CVE-2014-0150 to qemu-dm, though it probably isn't
    exploitable from xen

 CVE-2014-0150.patch      |   11 +++
 xen.spec                 |   16 +++++-
 xsa109-4.2.patch         |   25 +++++++
 xsa110-4.3-and-4.2.patch |  156 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 207 insertions(+), 1 deletions(-)
---

diff --git a/CVE-2014-0150.patch b/CVE-2014-0150.patch
new file mode 100644
index 0000000..adcbcc7
--- /dev/null
+++ b/CVE-2014-0150.patch
@@ -0,0 +1,11 @@
+--- xen-4.4.1/tools/qemu-xen-traditional/hw/virtio-net.c.orig	2014-07-02 15:54:37.000000000 +0100
++++ xen-4.4.1/tools/qemu-xen-traditional/hw/virtio-net.c	2014-11-18 20:50:13.593122915 +0000
+@@ -192,7 +192,7 @@
+         return VIRTIO_NET_ERR;
+ 
+     if (mac_data.entries) {
+-        if (n->mac_table.in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
++        if (n->mac_table.in_use <= MAC_TABLE_ENTRIES - mac_data.entries) {
+             memcpy(n->mac_table.macs + (n->mac_table.in_use * ETH_ALEN),
+                    elem->out_sg[2].iov_base + sizeof(mac_data),
+                    mac_data.entries * ETH_ALEN);
diff --git a/xen.spec b/xen.spec
index 841841a..9ed202f 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -84,6 +84,9 @@ Patch107: xsa104.patch
 Patch108: xsa105.patch
 Patch109: xsa106.patch
 Patch110: xsa108.patch
+Patch111: xsa109-4.2.patch
+Patch112: xsa110-4.3-and-4.2.patch
+Patch113: CVE-2014-0150.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -258,6 +261,9 @@ manage Xen virtual machines.
 %patch108 -p1
 %patch109 -p1
 %patch110 -p1
+%patch111 -p1
+%patch112 -p1
+%patch113 -p1
 
 %patch100 -p1
 
@@ -751,6 +757,14 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Nov 19 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.5-4
+- Insufficient restrictions on certain MMU update hypercalls [XSA-109,
+	CVE-2014-8594] (#1165205)
+- Missing privilege level checks in x86 emulation of far branches [XSA-110,
+	CVE-2014-8595] (#1165204)
+- Add fix for CVE-2014-0150 to qemu-dm, though it probably isn't
+	exploitable from xen (#1086776)
+
 * Wed Oct 01 2014 Michael Young <m.a.young at durham.ac.uk> - 4.2.5-3
 - Improper MSR range used for x2APIC emulation [XSA-108, CVE-2014-7188]
 	(#1148465)
diff --git a/xsa109-4.2.patch b/xsa109-4.2.patch
new file mode 100644
index 0000000..8defc6a
--- /dev/null
+++ b/xsa109-4.2.patch
@@ -0,0 +1,25 @@
+x86: don't allow page table updates on non-PV page tables in do_mmu_update()
+
+paging_write_guest_entry() and paging_cmpxchg_guest_entry() aren't
+consistently supported for non-PV guests (they'd deref NULL for PVH or
+non-HAP HVM ones). Don't allow respective MMU_* operations on the
+page tables of such domains.
+
+This is XSA-109.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Acked-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -3800,6 +3800,10 @@ long do_mmu_update(
+         {
+             p2m_type_t p2mt;
+ 
++            rc = -EOPNOTSUPP;
++            if ( unlikely(paging_mode_refcounts(pt_owner)) )
++                break;
++
+             rc = xsm_mmu_normal_update(d, pt_owner, pg_owner, req.val);
+             if ( rc )
+                 break;
diff --git a/xsa110-4.3-and-4.2.patch b/xsa110-4.3-and-4.2.patch
new file mode 100644
index 0000000..443ba74
--- /dev/null
+++ b/xsa110-4.3-and-4.2.patch
@@ -0,0 +1,156 @@
+x86emul: enforce privilege level restrictions when loading CS
+
+Privilege level checks were basically missing for the CS case, the
+only check that was done (RPL == DPL for nonconforming segments)
+was solely covering a single special case (return to non-conforming
+segment).
+
+Additionally in long mode the L bit set requires the D bit to be clear,
+as was recently pointed out for KVM by Nadav Amit
+<namit at cs.technion.ac.il>.
+
+Finally we also need to force the loaded selector's RPL to CPL (at
+least as long as lret/retf emulation doesn't support privilege level
+changes).
+
+This is XSA-110.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1107,7 +1107,7 @@ realmode_load_seg(
+ static int
+ protmode_load_seg(
+     enum x86_segment seg,
+-    uint16_t sel,
++    uint16_t sel, bool_t is_ret,
+     struct x86_emulate_ctxt *ctxt,
+     const struct x86_emulate_ops *ops)
+ {
+@@ -1179,9 +1179,23 @@ protmode_load_seg(
+         /* Code segment? */
+         if ( !(desc.b & (1u<<11)) )
+             goto raise_exn;
+-        /* Non-conforming segment: check DPL against RPL. */
+-        if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) )
++        if ( is_ret
++             ? /*
++                * Really rpl < cpl, but our sole caller doesn't handle
++                * privilege level changes.
++                */
++               rpl != cpl || (desc.b & (1 << 10) ? dpl > rpl : dpl != rpl)
++             : desc.b & (1 << 10)
++               /* Conforming segment: check DPL against CPL. */
++               ? dpl > cpl
++               /* Non-conforming segment: check RPL and DPL against CPL. */
++               : rpl > cpl || dpl != cpl )
+             goto raise_exn;
++        /* 64-bit code segments (L bit set) must have D bit clear. */
++        if ( in_longmode(ctxt, ops) &&
++             (desc.b & (1 << 21)) && (desc.b & (1 << 22)) )
++            goto raise_exn;
++        sel = (sel ^ rpl) | cpl;
+         break;
+     case x86_seg_ss:
+         /* Writable data segment? */
+@@ -1246,7 +1260,7 @@ protmode_load_seg(
+ static int
+ load_seg(
+     enum x86_segment seg,
+-    uint16_t sel,
++    uint16_t sel, bool_t is_ret,
+     struct x86_emulate_ctxt *ctxt,
+     const struct x86_emulate_ops *ops)
+ {
+@@ -1255,7 +1269,7 @@ load_seg(
+         return X86EMUL_UNHANDLEABLE;
+ 
+     if ( in_protmode(ctxt, ops) )
+-        return protmode_load_seg(seg, sel, ctxt, ops);
++        return protmode_load_seg(seg, sel, is_ret, ctxt, ops);
+ 
+     return realmode_load_seg(seg, sel, ctxt, ops);
+ }
+@@ -1852,7 +1866,7 @@ x86_emulate(
+         if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
+                               &dst.val, op_bytes, ctxt, ops)) != 0 )
+             goto done;
+-        if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 )
++        if ( (rc = load_seg(src.val, dst.val, 0, ctxt, ops)) != 0 )
+             return rc;
+         break;
+ 
+@@ -2222,7 +2236,7 @@ x86_emulate(
+         enum x86_segment seg = decode_segment(modrm_reg);
+         generate_exception_if(seg == decode_segment_failed, EXC_UD, -1);
+         generate_exception_if(seg == x86_seg_cs, EXC_UD, -1);
+-        if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 )
++        if ( (rc = load_seg(seg, src.val, 0, ctxt, ops)) != 0 )
+             goto done;
+         if ( seg == x86_seg_ss )
+             ctxt->retire.flags.mov_ss = 1;
+@@ -2303,7 +2317,7 @@ x86_emulate(
+                               &_regs.eip, op_bytes, ctxt)) )
+             goto done;
+ 
+-        if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
++        if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
+             goto done;
+         _regs.eip = eip;
+         break;
+@@ -2526,7 +2540,7 @@ x86_emulate(
+         if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes,
+                               &sel, 2, ctxt, ops)) != 0 )
+             goto done;
+-        if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 )
++        if ( (rc = load_seg(dst.val, sel, 0, ctxt, ops)) != 0 )
+             goto done;
+         dst.val = src.val;
+         break;
+@@ -2600,7 +2614,7 @@ x86_emulate(
+                               &dst.val, op_bytes, ctxt, ops)) ||
+              (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset),
+                               &src.val, op_bytes, ctxt, ops)) ||
+-             (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) )
++             (rc = load_seg(x86_seg_cs, src.val, 1, ctxt, ops)) )
+             goto done;
+         _regs.eip = dst.val;
+         break;
+@@ -2647,7 +2661,7 @@ x86_emulate(
+         _regs.eflags &= mask;
+         _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02;
+         _regs.eip = eip;
+-        if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 )
++        if ( (rc = load_seg(x86_seg_cs, cs, 1, ctxt, ops)) != 0 )
+             goto done;
+         break;
+     }
+@@ -3277,7 +3291,7 @@ x86_emulate(
+         generate_exception_if(mode_64bit(), EXC_UD, -1);
+         eip = insn_fetch_bytes(op_bytes);
+         sel = insn_fetch_type(uint16_t);
+-        if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
++        if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
+             goto done;
+         _regs.eip = eip;
+         break;
+@@ -3590,7 +3604,7 @@ x86_emulate(
+                     goto done;
+             }
+ 
+-            if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
++            if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
+                 goto done;
+             _regs.eip = dst.val;
+ 
+@@ -3671,7 +3685,7 @@ x86_emulate(
+         generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1);
+         generate_exception_if(!mode_ring0(), EXC_GP, 0);
+         if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr,
+-                            src.val, ctxt, ops)) != 0 )
++                            src.val, 0, ctxt, ops)) != 0 )
+             goto done;
+         break;
+ 
