Package: xen Version: 4.0.1-5.11 Severity: important Tags: security, patch, fixed-upstream
http://www.openwall.com/lists/oss-security/2013/11/21/2 Description: An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. Impact: Malicious guest administrators might be able to cause host-wide denial of service, or escalate their privilege to that of the host. Patch attached. Please patch this security vulnerability, thanks. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash
VT-d: fix TLB flushing in dma_pte_clear_one() The third parameter of __intel_iommu_iotlb_flush() is to indicate whether the to be flushed entry was a present one. A few lines before, we bailed if !dma_pte_present(*pte), so there's no need to check the flag here again - we can simply always pass TRUE here. This is CVE-2013-6375 / XSA-78. Suggested-by: Cheng Yueqiang <[email protected]> Signed-off-by: Jan Beulich <[email protected]> --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c @@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom iommu_flush_cache_entry(pte, sizeof(struct dma_pte)); if ( !this_cpu(iommu_dont_flush_iotlb) ) - __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1); + __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1); unmap_vtd_domain_page(page);
signature.asc
Description: Digital signature

