diff options
author | Christopher Clark <christopher.w.clark@gmail.com> | 2018-01-08 23:12:44 -0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-01-12 10:37:46 -0500 |
commit | 3f5221471424c3da63821c60ad720d793844e89e (patch) | |
tree | cffd5309d84c096daf8714af460922adf4011160 /recipes-extended/xen/files/xsa250.patch | |
parent | d1969606e3540d3771a5ba4626d4e5ea42bd683a (diff) | |
download | meta-virtualization-3f5221471424c3da63821c60ad720d793844e89e.tar.gz |
xen: upgrade 4.9.x recipe to 4.9.1 and apply XSA/CVE fix patches
Upgrade the Xen 4.9.x series recipe to latest 4.9.1
and apply patches for:
XSA-245 / CVE-2017-17046
XSA-246 / CVE-2017-17044
XSA-247 / CVE-2017-17045
XSA-248 / CVE-2017-17566
XSA-249 / CVE-2017-17563
XSA-250 / CVE-2017-17564
XSA-251 / CVE-2017-17565
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'recipes-extended/xen/files/xsa250.patch')
-rw-r--r-- | recipes-extended/xen/files/xsa250.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/recipes-extended/xen/files/xsa250.patch b/recipes-extended/xen/files/xsa250.patch new file mode 100644 index 00000000..26aeb33f --- /dev/null +++ b/recipes-extended/xen/files/xsa250.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: x86/shadow: fix ref-counting error handling | ||
3 | |||
4 | The old-Linux handling in shadow_set_l4e() mistakenly ORed together the | ||
5 | results of sh_get_ref() and sh_pin(). As the latter failing is not a | ||
6 | correctness problem, simply ignore its return value. | ||
7 | |||
8 | In sh_set_toplevel_shadow() a failing sh_get_ref() must not be | ||
9 | accompanied by installing the entry, despite the domain being crashed. | ||
10 | |||
11 | This is XSA-250. | ||
12 | |||
13 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
14 | Reviewed-by: Tim Deegan <tim@xen.org> | ||
15 | |||
16 | --- a/xen/arch/x86/mm/shadow/multi.c | ||
17 | +++ b/xen/arch/x86/mm/shadow/multi.c | ||
18 | @@ -923,7 +923,7 @@ static int shadow_set_l4e(struct domain | ||
19 | shadow_l4e_t new_sl4e, | ||
20 | mfn_t sl4mfn) | ||
21 | { | ||
22 | - int flags = 0, ok; | ||
23 | + int flags = 0; | ||
24 | shadow_l4e_t old_sl4e; | ||
25 | paddr_t paddr; | ||
26 | ASSERT(sl4e != NULL); | ||
27 | @@ -938,15 +938,16 @@ static int shadow_set_l4e(struct domain | ||
28 | { | ||
29 | /* About to install a new reference */ | ||
30 | mfn_t sl3mfn = shadow_l4e_get_mfn(new_sl4e); | ||
31 | - ok = sh_get_ref(d, sl3mfn, paddr); | ||
32 | - /* Are we pinning l3 shadows to handle wierd linux behaviour? */ | ||
33 | - if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) | ||
34 | - ok |= sh_pin(d, sl3mfn); | ||
35 | - if ( !ok ) | ||
36 | + | ||
37 | + if ( !sh_get_ref(d, sl3mfn, paddr) ) | ||
38 | { | ||
39 | domain_crash(d); | ||
40 | return SHADOW_SET_ERROR; | ||
41 | } | ||
42 | + | ||
43 | + /* Are we pinning l3 shadows to handle weird Linux behaviour? */ | ||
44 | + if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) | ||
45 | + sh_pin(d, sl3mfn); | ||
46 | } | ||
47 | |||
48 | /* Write the new entry */ | ||
49 | @@ -3965,14 +3966,15 @@ sh_set_toplevel_shadow(struct vcpu *v, | ||
50 | |||
51 | /* Take a ref to this page: it will be released in sh_detach_old_tables() | ||
52 | * or the next call to set_toplevel_shadow() */ | ||
53 | - if ( !sh_get_ref(d, smfn, 0) ) | ||
54 | + if ( sh_get_ref(d, smfn, 0) ) | ||
55 | + new_entry = pagetable_from_mfn(smfn); | ||
56 | + else | ||
57 | { | ||
58 | SHADOW_ERROR("can't install %#lx as toplevel shadow\n", mfn_x(smfn)); | ||
59 | domain_crash(d); | ||
60 | + new_entry = pagetable_null(); | ||
61 | } | ||
62 | |||
63 | - new_entry = pagetable_from_mfn(smfn); | ||
64 | - | ||
65 | install_new_entry: | ||
66 | /* Done. Install it */ | ||
67 | SHADOW_PRINTK("%u/%u [%u] gmfn %#"PRI_mfn" smfn %#"PRI_mfn"\n", | ||