commit 53dece81a05ddefb9c1a563784dd5cceb069c1cc Author: Jacek Konieczny <jkoniec...@eggsoft.pl> Date: Fri Apr 11 13:13:06 2014 +0200
Fix CVE-2014-2599
 CVE-2014-2599.patch | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 xen.spec | 2 +
 2 files changed, 110 insertions(+)
---
diff --git a/xen.spec b/xen.spec
index d5d1b49..11de68a 100644
--- a/xen.spec
+++ b/xen.spec
@@ -116,6 +116,7 @@ Patch12: %{name}-doc.patch
 Patch13: %{name}-paths.patch
 Patch14: %{name}-no_fetcher.patch
 Patch15: odd-glib2-fix.patch
+Patch16: CVE-2014-2599.patch
 URL: http://www.xen.org/products/xenhyp.html
 %if %{with qemu_traditional}
 %{?with_opengl:BuildRequires: OpenGL-devel}
@@ -419,6 +420,7 @@ Nadzorca Xen w postaci, która może być uruchomiona wprost z firmware
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 # stubdom sources
 ln -s %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} stubdom
diff --git a/CVE-2014-2599.patch b/CVE-2014-2599.patch
new file mode 100644
index 0000000..fc407c8
--- /dev/null
+++ b/CVE-2014-2599.patch
@@ -0,0 +1,108 @@
+commit babcef372ae2ca9c4f4212398803015eb250f764
+Author: Jan Beulich <jbeul...@suse.com>
+Date: Tue Mar 25 17:20:47 2014 +0100
+
+ x86: enforce preemption in HVM_set_mem_access / p2m_set_mem_access()
+
+ Processing up to 4G PFNs may take almost arbitrarily long, so
+ preemption is needed here.
+
+ This is CVE-2014-2599 / XSA-89.
+
+ Signed-off-by: Jan Beulich <jbeul...@suse.com>
+ Reviewed-by: Tim Deegan <t...@xen.org>
+ master commit: 0fe53c4f279e1a8ef913e71ed000236d21ce96de
+ master date: 2014-03-25 15:23:57 +0100
+
+diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
+index 69f7e74..6150899 100644
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4465,6 +4465,15 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
+ goto param_fail5;
+
+ rc = p2m_set_mem_access(d, a.first_pfn, a.nr, a.hvmmem_access);
++ if ( rc > 0 )
++ {
++ a.first_pfn += a.nr - rc;
++ a.nr = rc;
++ if ( __copy_to_guest(arg, &a, 1) )
++ rc = -EFAULT;
++ else
++ rc = -EAGAIN;
++ }
+
+ param_fail5:
+ rcu_unlock_domain(d);
+diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
+index 8f380ed..e0e5840 100644
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
+@@ -1366,15 +1366,14 @@ void p2m_mem_access_resume(struct domain *d)
+
+ /* Set access type for a region of pfns.
+ * If start_pfn == -1ul, sets the default access type */
+-int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
+- uint32_t nr, hvmmem_access_t access)
++long p2m_set_mem_access(struct domain *d, unsigned long pfn, uint32_t nr,
++ hvmmem_access_t access)
+ {
+ struct p2m_domain *p2m = p2m_get_hostp2m(d);
+- unsigned long pfn;
+ p2m_access_t a, _a;
+ p2m_type_t t;
+ mfn_t mfn;
+- int rc = 0;
++ long rc;
+
+ /* N.B. _not_ static: initializer depends on p2m->default_access */
+ p2m_access_t memaccess[] = {
+@@ -1397,14 +1396,17 @@ int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
+ a = memaccess[access];
+
+ /* If request to set default access */
+- if ( start_pfn == ~0ull )
++ if ( pfn == ~0ul )
+ {
+ p2m->default_access = a;
+ return 0;
+ }
+
++ if ( !nr )
++ return 0;
++
+ p2m_lock(p2m);
+- for ( pfn = start_pfn; pfn < start_pfn + nr; pfn++ )
++ for ( ; ; ++pfn )
+ {
+ mfn = p2m->get_entry(p2m, pfn, &t, &_a, 0, NULL);
+ if ( p2m->set_entry(p2m, pfn, mfn, PAGE_ORDER_4K, t, a) == 0 )
+@@ -1412,6 +1414,13 @@ int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
+ rc = -ENOMEM;
+ break;
+ }
++
++ /* Check for continuation if it's not the last interation. */
++ if ( !--nr || hypercall_preempt_check() )
++ {
++ rc = nr;
++ break;
++ }
+ }
+ p2m_unlock(p2m);
+ return rc;
+diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
+index f4e7253..a2cb1b7 100644
+--- a/xen/include/asm-x86/p2m.h
++++ b/xen/include/asm-x86/p2m.h
+@@ -576,8 +576,8 @@ void p2m_mem_access_resume(struct domain *d);
+
+ /* Set access type for a region of pfns.
+ * If start_pfn == -1ul, sets the default access type */
+-int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
+- uint32_t nr, hvmmem_access_t access);
++long p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
++ uint32_t nr, hvmmem_access_t access);
+
+ /* Get access type for a pfn
+ * If pfn == -1ul, gets the default access type */
================================================================ ---- gitweb: http://git.pld-linux.org/gitweb.cgi/packages/xen.git/commitdiff/c970ae7a37e862f8ae886c26f76e94ab12c4f904 _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
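Review bot: The new return-value contract of p2m_set_mem_access() is undocumented at its declaration: the p2m.h hunk widens the prototype to `long` but keeps the comment `/* Set access type for a region of pfns. * If start_pfn == -1ul, sets the default access type */`, which says nothing about the positive value that the hvm.c hunk now acts on (`if ( rc > 0 )` advancing `a.first_pfn` by `a.nr - rc` and returning `-EAGAIN`). I would extend that header comment to spell out the three outcomes: `0` when the whole range was processed, a negative errno on failure, and on preemption the count of pfns still unprocessed, with the caller expected to resume at `start_pfn + (nr - rc)`; the same wording belongs above the definition in p2m.c, together with a note that `rc` is only assigned on the two `break` paths, so leaving `long rc;` uninitialised is safe only as long as the `for ( ; ; ++pfn )` loop has no other exit. Whether the `-EAGAIN` actually turns into a hypercall continuation depends on code in do_hvm_op outside this hunk, so the packaging commit should be checked against the target tree rather than assumed from the patch alone. Since the file is a verbatim backport of upstream babcef37, the comment fix (and the `interation` → `iteration` typo) should go into the carried patch or upstream rather than be hand-edited here; both do_hvm_op and p2m_set_mem_access start and end outside the hunks shown.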