xen: upgrade 4.9.x recipe to 4.9.1 and apply XSA/CVE fix patches

Upgrade the Xen 4.9.x series recipe to latest 4.9.1 and apply patches for: XSA-245 / CVE-2017-17046 XSA-246 / CVE-2017-17044 XSA-247 / CVE-2017-17045 XSA-248 / CVE-2017-17566 XSA-249 / CVE-2017-17563 XSA-250 / CVE-2017-17564 XSA-251 / CVE-2017-17565 Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Christopher Clark <christopher.w.clark@gmail.com> 2018-01-08 23:12:44 -0800
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2018-01-12 10:37:46 -0500
commit: 3f5221471424c3da63821c60ad720d793844e89e (patch)
tree: cffd5309d84c096daf8714af460922adf4011160 /recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
parent: d1969606e3540d3771a5ba4626d4e5ea42bd683a (diff)
download: meta-virtualization-3f5221471424c3da63821c60ad720d793844e89e.tar.gz
1 files changed, 109 insertions, 0 deletions
diff --git a/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch b/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
new file mode 100644
index 00000000..8c850bd7
--- /dev/null
+++ b/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
@@ -0,0 +1,109 @@
+From d4bc7833707351a5341a6bdf04c752a028d9560d Mon Sep 17 00:00:00 2001
+From: George Dunlap <george.dunlap@citrix.com>
+Date: Fri, 10 Nov 2017 16:53:55 +0000
+Subject: [PATCH 2/2] p2m: Check return value of p2m_set_entry() when
+ decreasing reservation
+If the entire range specified to p2m_pod_decrease_reservation() is marked
+populate-on-demand, then it will make a single p2m_set_entry() call,
+reducing its PoD entry count.
+Unfortunately, in the right circumstances, this p2m_set_entry() call
+may fail.  It that case, repeated calls to decrease_reservation() may
+cause p2m->pod.entry_count to fall below zero, potentially tripping
+over BUG_ON()s to the contrary.
+Instead, check to see if the entry succeeded, and return false if not.
+The caller will then call guest_remove_page() on the gfns, which will
+return -EINVAL upon finding no valid memory there to return.
+Unfortunately if the order > 0, the entry may have partially changed.
+A domain_crash() is probably the safest thing in that case.
+Other p2m_set_entry() calls in the same function should be fine,
+because they are writing the entry at its current order.  Nonetheless,
+check the return value and crash if our assumption turns otu to be
+wrong.
+This is part of XSA-247.
+Reported-by: George Dunlap <george.dunlap.com>
+Signed-off-by: George Dunlap <george.dunlap@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+v2: Crash the domain if we're not sure it's safe (or if we think it
+can't happen)
+---
+ xen/arch/x86/mm/p2m-pod.c | 42 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 33 insertions(+), 9 deletions(-)
+diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
+index f2ed751892..473d6a6dbf 100644
+--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
+@@ -555,11 +555,23 @@ p2m_pod_decrease_reservation(struct domain *d,
+ 
+     if ( !nonpod )
+     {
+-        /* All PoD: Mark the whole region invalid and tell caller
+-         * we're done. */
+-        p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
+-                      p2m->default_access);
+-        p2m->pod.entry_count-=(1<<order);
+        /*
+         * All PoD: Mark the whole region invalid and tell caller
+         * we're done.
+         */
+        if ( p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
+                           p2m->default_access) )
+        {
+            /*
+             * If this fails, we can't tell how much of the range was changed.
+             * Best to crash the domain unless we're sure a partial change is
+             * impossible.
+             */
+            if ( order != 0 )
+                domain_crash(d);
+            goto out_unlock;
+        }
+        p2m->pod.entry_count -= 1UL << order;
+         BUG_ON(p2m->pod.entry_count < 0);
+         ret = 1;
+         goto out_entry_check;
+@@ -600,8 +612,14 @@ p2m_pod_decrease_reservation(struct domain *d,
+         n = 1UL << cur_order;
+         if ( t == p2m_populate_on_demand )
+         {
+-            p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+-                          p2m_invalid, p2m->default_access);
+            /* This shouldn't be able to fail */
+            if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+                               p2m_invalid, p2m->default_access) )
+            {
+                ASSERT_UNREACHABLE();
+                domain_crash(d);
+                goto out_unlock;
+            }
+             p2m->pod.entry_count -= n;
+             BUG_ON(p2m->pod.entry_count < 0);
+             pod -= n;
+@@ -622,8 +640,14 @@ p2m_pod_decrease_reservation(struct domain *d,
+ 
+             page = mfn_to_page(mfn);
+ 
+-            p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+-                          p2m_invalid, p2m->default_access);
+            /* This shouldn't be able to fail */
+            if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+                               p2m_invalid, p2m->default_access) )
+            {
+                ASSERT_UNREACHABLE();
+                domain_crash(d);
+                goto out_unlock;
+            }
+             p2m_tlb_flush_sync(p2m);
+             for ( j = 0; j < n; ++j )
+                 set_gpfn_from_mfn(mfn_x(mfn), INVALID_M2P_ENTRY);
+-- 
+2.15.0
author	Christopher Clark <christopher.w.clark@gmail.com>	2018-01-08 23:12:44 -0800
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2018-01-12 10:37:46 -0500
commit	3f5221471424c3da63821c60ad720d793844e89e (patch)
tree	cffd5309d84c096daf8714af460922adf4011160 /recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
parent	d1969606e3540d3771a5ba4626d4e5ea42bd683a (diff)
download	meta-virtualization-3f5221471424c3da63821c60ad720d793844e89e.tar.gz

diff --git a/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch b/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch new file mode 100644 index 00000000..8c850bd7 --- /dev/null +++ b/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
@@ -0,0 +1,109 @@
	1	From d4bc7833707351a5341a6bdf04c752a028d9560d Mon Sep 17 00:00:00 2001
	2	From: George Dunlap <george.dunlap@citrix.com>
	3	Date: Fri, 10 Nov 2017 16:53:55 +0000
	4	Subject: [PATCH 2/2] p2m: Check return value of p2m_set_entry() when
	5	decreasing reservation
	6
	7	If the entire range specified to p2m_pod_decrease_reservation() is marked
	8	populate-on-demand, then it will make a single p2m_set_entry() call,
	9	reducing its PoD entry count.
	10
	11	Unfortunately, in the right circumstances, this p2m_set_entry() call
	12	may fail. It that case, repeated calls to decrease_reservation() may
	13	cause p2m->pod.entry_count to fall below zero, potentially tripping
	14	over BUG_ON()s to the contrary.
	15
	16	Instead, check to see if the entry succeeded, and return false if not.
	17	The caller will then call guest_remove_page() on the gfns, which will
	18	return -EINVAL upon finding no valid memory there to return.
	19
	20	Unfortunately if the order > 0, the entry may have partially changed.
	21	A domain_crash() is probably the safest thing in that case.
	22
	23	Other p2m_set_entry() calls in the same function should be fine,
	24	because they are writing the entry at its current order. Nonetheless,
	25	check the return value and crash if our assumption turns otu to be
	26	wrong.
	27
	28	This is part of XSA-247.
	29
	30	Reported-by: George Dunlap <george.dunlap.com>
	31	Signed-off-by: George Dunlap <george.dunlap@citrix.com>
	32	Reviewed-by: Jan Beulich <jbeulich@suse.com>
	33	---
	34	v2: Crash the domain if we're not sure it's safe (or if we think it
	35	can't happen)
	36	---
	37	xen/arch/x86/mm/p2m-pod.c \| 42 +++++++++++++++++++++++++++++++++---------
	38	1 file changed, 33 insertions(+), 9 deletions(-)
	39
	40	diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
	41	index f2ed751892..473d6a6dbf 100644
	42	--- a/xen/arch/x86/mm/p2m-pod.c
	43	+++ b/xen/arch/x86/mm/p2m-pod.c
	44	@@ -555,11 +555,23 @@ p2m_pod_decrease_reservation(struct domain *d,
	45
	46	if ( !nonpod )
	47	{
	48	- /* All PoD: Mark the whole region invalid and tell caller
	49	- * we're done. */
	50	- p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
	51	- p2m->default_access);
	52	- p2m->pod.entry_count-=(1<<order);
	53	+ /*
	54	+ * All PoD: Mark the whole region invalid and tell caller
	55	+ * we're done.
	56	+ */
	57	+ if ( p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
	58	+ p2m->default_access) )
	59	+ {
	60	+ /*
	61	+ * If this fails, we can't tell how much of the range was changed.
	62	+ * Best to crash the domain unless we're sure a partial change is
	63	+ * impossible.
	64	+ */
	65	+ if ( order != 0 )
	66	+ domain_crash(d);
	67	+ goto out_unlock;
	68	+ }
	69	+ p2m->pod.entry_count -= 1UL << order;
	70	BUG_ON(p2m->pod.entry_count < 0);
	71	ret = 1;
	72	goto out_entry_check;
	73	@@ -600,8 +612,14 @@ p2m_pod_decrease_reservation(struct domain *d,
	74	n = 1UL << cur_order;
	75	if ( t == p2m_populate_on_demand )
	76	{
	77	- p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
	78	- p2m_invalid, p2m->default_access);
	79	+ /* This shouldn't be able to fail */
	80	+ if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
	81	+ p2m_invalid, p2m->default_access) )
	82	+ {
	83	+ ASSERT_UNREACHABLE();
	84	+ domain_crash(d);
	85	+ goto out_unlock;
	86	+ }
	87	p2m->pod.entry_count -= n;
	88	BUG_ON(p2m->pod.entry_count < 0);
	89	pod -= n;
	90	@@ -622,8 +640,14 @@ p2m_pod_decrease_reservation(struct domain *d,
	91
	92	page = mfn_to_page(mfn);
	93
	94	- p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
	95	- p2m_invalid, p2m->default_access);
	96	+ /* This shouldn't be able to fail */
	97	+ if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
	98	+ p2m_invalid, p2m->default_access) )
	99	+ {
	100	+ ASSERT_UNREACHABLE();
	101	+ domain_crash(d);
	102	+ goto out_unlock;
	103	+ }
	104	p2m_tlb_flush_sync(p2m);
	105	for ( j = 0; j < n; ++j )
	106	set_gpfn_from_mfn(mfn_x(mfn), INVALID_M2P_ENTRY);
	107	--
	108	2.15.0
	109