diff options
| author | Christopher Clark <christopher.w.clark@gmail.com> | 2018-01-08 23:12:44 -0800 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-01-12 10:37:46 -0500 |
| commit | 3f5221471424c3da63821c60ad720d793844e89e (patch) | |
| tree | cffd5309d84c096daf8714af460922adf4011160 /recipes-extended/xen/files/xsa250.patch | |
| parent | d1969606e3540d3771a5ba4626d4e5ea42bd683a (diff) | |
| download | meta-virtualization-3f5221471424c3da63821c60ad720d793844e89e.tar.gz | |
xen: upgrade 4.9.x recipe to 4.9.1 and apply XSA/CVE fix patches
Upgrade the Xen 4.9.x series recipe to latest 4.9.1
and apply patches for:
XSA-245 / CVE-2017-17046
XSA-246 / CVE-2017-17044
XSA-247 / CVE-2017-17045
XSA-248 / CVE-2017-17566
XSA-249 / CVE-2017-17563
XSA-250 / CVE-2017-17564
XSA-251 / CVE-2017-17565
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'recipes-extended/xen/files/xsa250.patch')
| -rw-r--r-- | recipes-extended/xen/files/xsa250.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/recipes-extended/xen/files/xsa250.patch b/recipes-extended/xen/files/xsa250.patch new file mode 100644 index 00000000..26aeb33f --- /dev/null +++ b/recipes-extended/xen/files/xsa250.patch | |||
| @@ -0,0 +1,67 @@ | |||
| 1 | From: Jan Beulich <jbeulich@suse.com> | ||
| 2 | Subject: x86/shadow: fix ref-counting error handling | ||
| 3 | |||
| 4 | The old-Linux handling in shadow_set_l4e() mistakenly ORed together the | ||
| 5 | results of sh_get_ref() and sh_pin(). As the latter failing is not a | ||
| 6 | correctness problem, simply ignore its return value. | ||
| 7 | |||
| 8 | In sh_set_toplevel_shadow() a failing sh_get_ref() must not be | ||
| 9 | accompanied by installing the entry, despite the domain being crashed. | ||
| 10 | |||
| 11 | This is XSA-250. | ||
| 12 | |||
| 13 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
| 14 | Reviewed-by: Tim Deegan <tim@xen.org> | ||
| 15 | |||
| 16 | --- a/xen/arch/x86/mm/shadow/multi.c | ||
| 17 | +++ b/xen/arch/x86/mm/shadow/multi.c | ||
| 18 | @@ -923,7 +923,7 @@ static int shadow_set_l4e(struct domain | ||
| 19 | shadow_l4e_t new_sl4e, | ||
| 20 | mfn_t sl4mfn) | ||
| 21 | { | ||
| 22 | - int flags = 0, ok; | ||
| 23 | + int flags = 0; | ||
| 24 | shadow_l4e_t old_sl4e; | ||
| 25 | paddr_t paddr; | ||
| 26 | ASSERT(sl4e != NULL); | ||
| 27 | @@ -938,15 +938,16 @@ static int shadow_set_l4e(struct domain | ||
| 28 | { | ||
| 29 | /* About to install a new reference */ | ||
| 30 | mfn_t sl3mfn = shadow_l4e_get_mfn(new_sl4e); | ||
| 31 | - ok = sh_get_ref(d, sl3mfn, paddr); | ||
| 32 | - /* Are we pinning l3 shadows to handle wierd linux behaviour? */ | ||
| 33 | - if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) | ||
| 34 | - ok |= sh_pin(d, sl3mfn); | ||
| 35 | - if ( !ok ) | ||
| 36 | + | ||
| 37 | + if ( !sh_get_ref(d, sl3mfn, paddr) ) | ||
| 38 | { | ||
| 39 | domain_crash(d); | ||
| 40 | return SHADOW_SET_ERROR; | ||
| 41 | } | ||
| 42 | + | ||
| 43 | + /* Are we pinning l3 shadows to handle weird Linux behaviour? */ | ||
| 44 | + if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) | ||
| 45 | + sh_pin(d, sl3mfn); | ||
| 46 | } | ||
| 47 | |||
| 48 | /* Write the new entry */ | ||
| 49 | @@ -3965,14 +3966,15 @@ sh_set_toplevel_shadow(struct vcpu *v, | ||
| 50 | |||
| 51 | /* Take a ref to this page: it will be released in sh_detach_old_tables() | ||
| 52 | * or the next call to set_toplevel_shadow() */ | ||
| 53 | - if ( !sh_get_ref(d, smfn, 0) ) | ||
| 54 | + if ( sh_get_ref(d, smfn, 0) ) | ||
| 55 | + new_entry = pagetable_from_mfn(smfn); | ||
| 56 | + else | ||
| 57 | { | ||
| 58 | SHADOW_ERROR("can't install %#lx as toplevel shadow\n", mfn_x(smfn)); | ||
| 59 | domain_crash(d); | ||
| 60 | + new_entry = pagetable_null(); | ||
| 61 | } | ||
| 62 | |||
| 63 | - new_entry = pagetable_from_mfn(smfn); | ||
| 64 | - | ||
| 65 | install_new_entry: | ||
| 66 | /* Done. Install it */ | ||
| 67 | SHADOW_PRINTK("%u/%u [%u] gmfn %#"PRI_mfn" smfn %#"PRI_mfn"\n", | ||