Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/03-xen-MSI-X-limit-error-messages-CVE-2015-4105.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/03-xen-MSI-X-limit-error-messages-CVE-2015-4105.patch | 90 |
1 files changed, 90 insertions, 0 deletions
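--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/03-xen-MSI-X-limit-error-messages-CVE-2015-4105.patch
@@ -0,0 +1,90 @@
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From b38ec5ee7a581776bbce0bdaecb397632c3c4791 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 2 Jun 2015 15:07:00 +0000
+Subject: xen/MSI-X: limit error messages
+Bug-Debian: http://bugs.debian.org/787547
+
+Limit error messages resulting from bad guest behavior to avoid allowing
+the guest to cause the control domain's disk to fill.
+
+The first message in pci_msix_write() can simply be deleted, as this
+is indeed bad guest behavior, but such out of bounds writes don't
+really need to be logged.
+
+The second one is more problematic, as there guest behavior may only
+appear to be wrong: For one, the old logic didn't take the mask-all bit
+into account. And then this shouldn't depend on host device state (i.e.
+the host may have masked the entry without the guest having done so).
+Plus these writes shouldn't be dropped even when an entry is unmasked.
+Instead, if they can't be made take effect right away, they should take
+effect on the next unmasking or enabling operation - the specification
+explicitly describes such caching behavior. Until we can validly drop
+the message (implementing such caching/latching behavior), issue the
+message just once per MSI-X table entry.
+
+Note that the log message in pci_msix_read() similar to the one being
+removed here is not an issue: "addr" being of unsigned type, and the
+maximum size of the MSI-X table being 32k, entry_nr simply can't be
+negative and hence the conditonal guarding issuing of the message will
+never be true.
+
+This is XSA-130.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+---
+hw/xen/xen_pt.h | 1 +
+hw/xen/xen_pt_msi.c | 12 +++++++-----
+2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h
+index 52ceb85..8c9b6c2 100644
+--- a/hw/xen/xen_pt.h
++++ b/hw/xen/xen_pt.h
+@@ -175,6 +175,7 @@ typedef struct XenPTMSIXEntry {
+uint32_t data;
+uint32_t vector_ctrl;
+bool updated; /* indicate whether MSI ADDR or DATA is updated */
++ bool warned; /* avoid issuing (bogus) warning more than once */
+} XenPTMSIXEntry;
+typedef struct XenPTMSIX {
+uint32_t ctrl_offset;
+diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
+index 9ed9321..68db623 100644
+--- a/hw/xen/xen_pt_msi.c
++++ b/hw/xen/xen_pt_msi.c
+@@ -434,11 +434,10 @@ static void pci_msix_write(void *opaque, hwaddr addr,
+XenPCIPassthroughState *s = opaque;
+XenPTMSIX *msix = s->msix;
+XenPTMSIXEntry *entry;
+- int entry_nr, offset;
++ unsigned int entry_nr, offset;
+
+entry_nr = addr / PCI_MSIX_ENTRY_SIZE;
+- if (entry_nr < 0 || entry_nr >= msix->total_entries) {
+- XEN_PT_ERR(&s->dev, "asked MSI-X entry '%i' invalid!\n", entry_nr);
++ if (entry_nr >= msix->total_entries) {
+return;
+}
+entry = &msix->msix_entry[entry_nr];
+@@ -460,8 +459,11 @@ static void pci_msix_write(void *opaque, hwaddr addr,
++ PCI_MSIX_ENTRY_VECTOR_CTRL;
+
+if (msix->enabled && !(*vec_ctrl & PCI_MSIX_ENTRY_CTRL_MASKBIT)) {
+- XEN_PT_ERR(&s->dev, "Can't update msix entry %d since MSI-X is"
+- " already enabled.\n", entry_nr);
++ if (!entry->warned) {
++ entry->warned = true;
++ XEN_PT_ERR(&s->dev, "Can't update msix entry %d since MSI-X is"
++ " already enabled.\n", entry_nr);
++ }
+return;
+}
+
+--
+2.1.4
+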
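Review bot: In the backported hw/xen/xen_pt_msi.c hunk, `entry_nr` becomes `unsigned int` but the retained message in pci_msix_write() still formats it with `%d`; it should read `"Can't update msix entry %u since MSI-X is"` so the specifier matches the new type. The once-per-entry `warned` flag is what bounds the guest-triggerable log volume for XSA-130, and nothing visible here clears it, so it is worth confirming outside these hunks that `warned` starts false when the entry table is allocated and is not reset by any guest-controllable path, which would remove the bound on logging again. pci_msix_write() starts and ends outside both hunks, so the remaining uses of the now-unsigned `offset` could not be checked from this page.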