author | Christopher Clark <christopher.w.clark@gmail.com> | 2018-01-08 23:12:44 -0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-01-12 10:37:46 -0500 |
commit | 3f5221471424c3da63821c60ad720d793844e89e (patch) | |
tree | cffd5309d84c096daf8714af460922adf4011160 /recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch | |
parent | d1969606e3540d3771a5ba4626d4e5ea42bd683a (diff) | |
download | meta-virtualization-3f5221471424c3da63821c60ad720d793844e89e.tar.gz |
xen: upgrade 4.9.x recipe to 4.9.1 and apply XSA/CVE fix patches
Upgrade the Xen 4.9.x series recipe to latest 4.9.1
and apply patches for:
XSA-245 / CVE-2017-17046
XSA-246 / CVE-2017-17044
XSA-247 / CVE-2017-17045
XSA-248 / CVE-2017-17566
XSA-249 / CVE-2017-17563
XSA-250 / CVE-2017-17564
XSA-251 / CVE-2017-17565
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch')
-rw-r--r-- | recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch | 109 |
1 files changed, 109 insertions, 0 deletions
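diff --git a/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch b/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
new file mode 100644
index 00000000..8c850bd7
--- /dev/null
+++ b/recipes-extended/xen/files/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas.patch
@@ -0,0 +1,109 @@
+From d4bc7833707351a5341a6bdf04c752a028d9560d Mon Sep 17 00:00:00 2001
+From: George Dunlap <george.dunlap@citrix.com>
+Date: Fri, 10 Nov 2017 16:53:55 +0000
+Subject: [PATCH 2/2] p2m: Check return value of p2m_set_entry() when
+decreasing reservation
+
+If the entire range specified to p2m_pod_decrease_reservation() is marked
+populate-on-demand, then it will make a single p2m_set_entry() call,
+reducing its PoD entry count.
+
+Unfortunately, in the right circumstances, this p2m_set_entry() call
+may fail. It that case, repeated calls to decrease_reservation() may
+cause p2m->pod.entry_count to fall below zero, potentially tripping
+over BUG_ON()s to the contrary.
+
+Instead, check to see if the entry succeeded, and return false if not.
+The caller will then call guest_remove_page() on the gfns, which will
+return -EINVAL upon finding no valid memory there to return.
+
+Unfortunately if the order > 0, the entry may have partially changed.
+A domain_crash() is probably the safest thing in that case.
+
+Other p2m_set_entry() calls in the same function should be fine,
+because they are writing the entry at its current order. Nonetheless,
+check the return value and crash if our assumption turns otu to be
+wrong.
+
+This is part of XSA-247.
+
+Reported-by: George Dunlap <george.dunlap.com>
+Signed-off-by: George Dunlap <george.dunlap@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+v2: Crash the domain if we're not sure it's safe (or if we think it
+can't happen)
+---
+xen/arch/x86/mm/p2m-pod.c | 42 +++++++++++++++++++++++++++++++++--------
+1 file changed, 33 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
+index f2ed751892..473d6a6dbf 100644
+--- a/xen/arch/x86/mm/p2m-pod.c
++++ b/xen/arch/x86/mm/p2m-pod.c
+@@ -555,11 +555,23 @@ p2m_pod_decrease_reservation(struct domain *d,
+
+if ( !nonpod )
+{
+- /* All PoD: Mark the whole region invalid and tell caller
+- * we're done. */
+- p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
+- p2m->default_access);
+- p2m->pod.entry_count-=(1<<order);
++ /*
++ * All PoD: Mark the whole region invalid and tell caller
++ * we're done.
++ */
++ if ( p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
++ p2m->default_access) )
++ {
++ /*
++ * If this fails, we can't tell how much of the range was changed.
++ * Best to crash the domain unless we're sure a partial change is
++ * impossible.
++ */
++ if ( order != 0 )
++ domain_crash(d);
++ goto out_unlock;
++ }
++ p2m->pod.entry_count -= 1UL << order;
+BUG_ON(p2m->pod.entry_count < 0);
+ret = 1;
+goto out_entry_check;
+@@ -600,8 +612,14 @@ p2m_pod_decrease_reservation(struct domain *d,
+n = 1UL << cur_order;
+if ( t == p2m_populate_on_demand )
+{
+- p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+- p2m_invalid, p2m->default_access);
++ /* This shouldn't be able to fail */
++ if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
++ p2m_invalid, p2m->default_access) )
++ {
++ ASSERT_UNREACHABLE();
++ domain_crash(d);
++ goto out_unlock;
++ }
+p2m->pod.entry_count -= n;
+BUG_ON(p2m->pod.entry_count < 0);
+pod -= n;
+@@ -622,8 +640,14 @@ p2m_pod_decrease_reservation(struct domain *d,
+
+page = mfn_to_page(mfn);
+
+- p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+- p2m_invalid, p2m->default_access);
++ /* This shouldn't be able to fail */
++ if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
++ p2m_invalid, p2m->default_access) )
++ {
++ ASSERT_UNREACHABLE();
++ domain_crash(d);
++ goto out_unlock;
++ }
+p2m_tlb_flush_sync(p2m);
+for ( j = 0; j < n; ++j )
+set_gpfn_from_mfn(mfn_x(mfn), INVALID_M2P_ENTRY);
+--
+2.15.0
+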
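Review bot: The added patch file's header, from the `From`/`Subject` lines through the `Reviewed-by` trailer, carries no `Upstream-Status:` or `CVE:` tag, so the file itself does not record where the fix came from or which CVE it closes. Adding `Upstream-Status: Backport` and `CVE: CVE-2017-17045` (the identifier the commit description pairs with XSA-247) above the first `---` separator would let patch-scanning tooling such as OpenEmbedded's cve-check mark the issue as patched from the recipe metadata rather than from the commit message. The diffstat on this page is limited to this one file, so the other XSA patch files the commit adds are not visible here; they presumably need the same tags with their own CVE numbers. Separately, the `Reported-by` address `<george.dunlap.com>` looks malformed, but it is probably copied verbatim from upstream and is best left as imported.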