xen: apply XSA-{182/183/184}
Sponsored by: Citrix Systems R&D PR: 211482
This commit is contained in:
parent
8c56705be4
commit
27734a12cb
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=419430
@ -3,7 +3,7 @@
|
||||
PORTNAME= xen
|
||||
PKGNAMESUFFIX= -kernel
|
||||
PORTVERSION= 4.7.0
|
||||
PORTREVISION= 2
|
||||
PORTREVISION= 3
|
||||
CATEGORIES= emulators
|
||||
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
|
||||
|
||||
@ -39,7 +39,9 @@ PLIST_FILES= /boot/xen \
|
||||
/boot/xen.4th
|
||||
EXTRA_PATCHES= ${FILESDIR}/0001-xen-logdirty-prevent-preemption-if-finished.patch:-p1 \
|
||||
${FILESDIR}/0002-xen-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p1 \
|
||||
${FILESDIR}/kconf_arch.patch:-p1
|
||||
${FILESDIR}/kconf_arch.patch:-p1 \
|
||||
${FILESDIR}/xsa182-unstable.patch:-p1 \
|
||||
${FILESDIR}/xsa183-unstable.patch:-p1
|
||||
|
||||
|
||||
.include <bsd.port.options.mk>
|
||||
|
102
emulators/xen-kernel/files/xsa182-unstable.patch
Normal file
102
emulators/xen-kernel/files/xsa182-unstable.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From 00593655e231ed5ea20704120037026e33b83fbb Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
Date: Mon, 11 Jul 2016 14:32:03 +0100
|
||||
Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
|
||||
|
||||
All changes in writeability and cacheability must go through full
|
||||
re-validation.
|
||||
|
||||
Rework the logic as a whitelist, to make it clearer to follow.
|
||||
|
||||
This is XSA-182
|
||||
|
||||
Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
|
||||
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
Reviewed-by: Tim Deegan <tim@xen.org>
|
||||
---
|
||||
xen/arch/x86/mm.c | 28 ++++++++++++++++------------
|
||||
xen/include/asm-x86/page.h | 1 +
|
||||
2 files changed, 17 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
|
||||
index dbcf6cb..56ca19f 100644
|
||||
--- a/xen/arch/x86/mm.c
|
||||
+++ b/xen/arch/x86/mm.c
|
||||
@@ -1852,6 +1852,14 @@ static inline int update_intpte(intpte_t *p,
|
||||
_t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \
|
||||
(_m), (_v), (_ad))
|
||||
|
||||
+/*
|
||||
+ * PTE flags that a guest may change without re-validating the PTE.
|
||||
+ * All other bits affect translation, caching, or Xen's safety.
|
||||
+ */
|
||||
+#define FASTPATH_FLAG_WHITELIST \
|
||||
+ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \
|
||||
+ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER)
|
||||
+
|
||||
/* Update the L1 entry at pl1e to new value nl1e. */
|
||||
static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
|
||||
unsigned long gl1mfn, int preserve_ad,
|
||||
@@ -1891,9 +1899,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
|
||||
nl1e = l1e_from_pfn(page_to_mfn(page), l1e_get_flags(nl1e));
|
||||
}
|
||||
|
||||
- /* Fast path for identical mapping, r/w, presence, and cachability. */
|
||||
- if ( !l1e_has_changed(ol1e, nl1e,
|
||||
- PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) )
|
||||
+ /* Fast path for sufficiently-similar mappings. */
|
||||
+ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) )
|
||||
{
|
||||
adjust_guest_l1e(nl1e, pt_dom);
|
||||
rc = UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
|
||||
@@ -1970,11 +1977,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
- /* Fast path for identical mapping and presence. */
|
||||
- if ( !l2e_has_changed(ol2e, nl2e,
|
||||
- unlikely(opt_allow_superpage)
|
||||
- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
|
||||
- : _PAGE_PRESENT) )
|
||||
+ /* Fast path for sufficiently-similar mappings. */
|
||||
+ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) )
|
||||
{
|
||||
adjust_guest_l2e(nl2e, d);
|
||||
if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
|
||||
@@ -2039,8 +2043,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
- /* Fast path for identical mapping and presence. */
|
||||
- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) )
|
||||
+ /* Fast path for sufficiently-similar mappings. */
|
||||
+ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) )
|
||||
{
|
||||
adjust_guest_l3e(nl3e, d);
|
||||
rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad);
|
||||
@@ -2103,8 +2107,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
- /* Fast path for identical mapping and presence. */
|
||||
- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) )
|
||||
+ /* Fast path for sufficiently-similar mappings. */
|
||||
+ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) )
|
||||
{
|
||||
adjust_guest_l4e(nl4e, d);
|
||||
rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad);
|
||||
diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h
|
||||
index 224852a..4ae387f 100644
|
||||
--- a/xen/include/asm-x86/page.h
|
||||
+++ b/xen/include/asm-x86/page.h
|
||||
@@ -313,6 +313,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t);
|
||||
#define _PAGE_AVAIL2 _AC(0x800,U)
|
||||
#define _PAGE_AVAIL _AC(0xE00,U)
|
||||
#define _PAGE_PSE_PAT _AC(0x1000,U)
|
||||
+#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12)
|
||||
#define _PAGE_NX (cpu_has_nx ? _PAGE_NX_BIT : 0)
|
||||
/* non-architectural flags */
|
||||
#define _PAGE_PAGED 0x2000U
|
||||
--
|
||||
2.1.4
|
||||
|
75
emulators/xen-kernel/files/xsa183-unstable.patch
Normal file
75
emulators/xen-kernel/files/xsa183-unstable.patch
Normal file
@ -0,0 +1,75 @@
|
||||
From 2fd4f34058fb5f87fbd80978dbd2cb458aff565d Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
Date: Wed, 15 Jun 2016 18:32:14 +0100
|
||||
Subject: [PATCH] x86/entry: Avoid SMAP violation in
|
||||
compat_create_bounce_frame()
|
||||
|
||||
A 32bit guest kernel might be running on user mappings.
|
||||
compat_create_bounce_frame() must whitelist its guest accesses to avoid
|
||||
risking a SMAP violation.
|
||||
|
||||
For both variants of create_bounce_frame(), re-blacklist user accesses if
|
||||
execution exits via an exception table redirection.
|
||||
|
||||
This is XSA-183 / CVE-2016-6259
|
||||
|
||||
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
||||
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
|
||||
Reviewed-by: Jan Beulich <jbeulich@suse.com>
|
||||
---
|
||||
v2:
|
||||
* Include CLAC on the exit paths from compat_create_bounce_frame which occur
|
||||
from faults attempting to load %fs
|
||||
* Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz
|
||||
---
|
||||
xen/arch/x86/x86_64/compat/entry.S | 3 +++
|
||||
xen/arch/x86/x86_64/entry.S | 2 ++
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
|
||||
index 7f02afd..e80c53c 100644
|
||||
--- a/xen/arch/x86/x86_64/compat/entry.S
|
||||
+++ b/xen/arch/x86/x86_64/compat/entry.S
|
||||
@@ -318,6 +318,7 @@ ENTRY(compat_int80_direct_trap)
|
||||
compat_create_bounce_frame:
|
||||
ASSERT_INTERRUPTS_ENABLED
|
||||
mov %fs,%edi
|
||||
+ ASM_STAC
|
||||
testb $2,UREGS_cs+8(%rsp)
|
||||
jz 1f
|
||||
/* Push new frame at registered guest-OS stack base. */
|
||||
@@ -364,6 +365,7 @@ compat_create_bounce_frame:
|
||||
movl TRAPBOUNCE_error_code(%rdx),%eax
|
||||
.Lft8: movl %eax,%fs:(%rsi) # ERROR CODE
|
||||
1:
|
||||
+ ASM_CLAC
|
||||
/* Rewrite our stack frame and return to guest-OS mode. */
|
||||
/* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
|
||||
andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
|
||||
@@ -403,6 +405,7 @@ compat_crash_page_fault_4:
|
||||
addl $4,%esi
|
||||
compat_crash_page_fault:
|
||||
.Lft14: mov %edi,%fs
|
||||
+ ASM_CLAC
|
||||
movl %esi,%edi
|
||||
call show_page_walk
|
||||
jmp dom_crash_sync_extable
|
||||
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
|
||||
index ad8c64c..f7178cd 100644
|
||||
--- a/xen/arch/x86/x86_64/entry.S
|
||||
+++ b/xen/arch/x86/x86_64/entry.S
|
||||
@@ -420,9 +420,11 @@ domain_crash_page_fault_16:
|
||||
domain_crash_page_fault_8:
|
||||
addq $8,%rsi
|
||||
domain_crash_page_fault:
|
||||
+ ASM_CLAC
|
||||
movq %rsi,%rdi
|
||||
call show_page_walk
|
||||
ENTRY(dom_crash_sync_extable)
|
||||
+ ASM_CLAC
|
||||
# Get out of the guest-save area of the stack.
|
||||
GET_STACK_END(ax)
|
||||
leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
|
||||
--
|
||||
2.1.4
|
||||
|
@ -3,7 +3,7 @@
|
||||
PORTNAME= xen
|
||||
PKGNAMESUFFIX= -tools
|
||||
PORTVERSION= 4.7.0
|
||||
PORTREVISION= 3
|
||||
PORTREVISION= 4
|
||||
CATEGORIES= sysutils emulators
|
||||
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
|
||||
|
||||
|
43
sysutils/xen-tools/files/xsa184-qemuu-master.patch
Normal file
43
sysutils/xen-tools/files/xsa184-qemuu-master.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Mon, 25 Jul 2016 17:37:18 +0530
|
||||
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
|
||||
|
||||
A broken or malicious guest can submit more requests than the virtqueue
|
||||
size permits.
|
||||
|
||||
The guest can submit requests without bothering to wait for completion
|
||||
and is therefore not bound by virtqueue size. This requires reusing
|
||||
vring descriptors in more than one request, which is incorrect but
|
||||
possible. Processing a request allocates a VirtQueueElement and
|
||||
therefore causes unbounded memory allocation controlled by the guest.
|
||||
|
||||
Exit with an error if the guest provides more requests than the
|
||||
virtqueue size permits. This bounds memory allocation and makes the
|
||||
buggy guest visible to the user.
|
||||
|
||||
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index d24f775..f8ac0fb 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
|
||||
|
||||
max = vq->vring.num;
|
||||
|
||||
+ if (vq->inuse >= max) {
|
||||
+ error_report("Virtqueue size exceeded");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
|
||||
if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
|
||||
vring_set_avail_event(vq, vq->last_avail_idx);
|
||||
--
|
||||
2.1.4
|
||||
|
Loading…
Reference in New Issue
Block a user