f0e3c54177
XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
XSA-186: x86: Mishandling of instruction pointer truncation during emulation
XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
bump PKGREVISION
$NetBSD: patch-XSA-185,v 1.1 2016/09/08 15:44:07 bouyer Exp $

From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Mon, 8 Aug 2016 10:58:12 +0100
Subject: x86/32on64: don't allow recursive page tables from L3

L3 entries are special in PAE mode, and hence can't reasonably be used
for setting up recursive (and hence linear) page table mappings. Since
abuse is possible when the guest in fact gets run on 4-level page
tables, this needs to be excluded explicitly.

This is XSA-185.

Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
xen/arch/x86/mm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 109b8be..69b8b8d 100644
--- xen/arch/x86/mm.c.orig
+++ xen/arch/x86/mm.c
@@ -1122,7 +1122,9 @@ get_page_from_l3e(

rc = get_page_and_type_from_pagenr(
l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
+ if ( unlikely(rc == -EINVAL) &&
+ !is_pv_32bit_domain(d) &&
+ get_l3_linear_pagetable(l3e, pfn, d) )
rc = 0;

return rc;
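
Review bot: the new `!is_pv_32bit_domain(d)` term in the `rc == -EINVAL` condition of get_page_from_l3e() carries no code comment explaining why 32-bit PV guests are excluded from the linear page table path. The rationale (L3 entries are special in PAE mode, and the guest may in fact be run on 4-level page tables) is recorded only in the commit message, so a one-line comment above the condition would help keep a later cleanup from dropping the check as redundant. Placing the domain test ahead of get_l3_linear_pagetable(l3e, pfn, d) is the right order: the short-circuit means that function is never called for these domains, and rc stays -EINVAL for the caller.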