f432013602
CVE-2014-7188/XSA-108: x86/HVM: properly bound x2APIC MSR range, fixing: A buggy or malicious HVM guest can crash the host or read data relating to other guests or the hypervisor itself. CVE-2014-8594/XSA-109: x86: don't allow page table updates on non-PV page tables in do_mmu_update(), fixing: Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system. CVE-2014-8595/XSA-110: x86emul: enforce privilege level restrictions when loading CS, fixing: Malicious HVM guest user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest. CVE-2014-8866/XSA-111: x86: limit checks in hypercall_xlat_continuation() to actual arguments, fixing: A buggy or malicious HVM guest can crash the host. CVE-2014-8867/XSA-112: x86/HVM: confine internally handled MMIO to solitary regions, fixing: A buggy or malicious HVM guest can crash the host. CVE-2014-9030/XSA-113: x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE, fixing: Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system.
46 lines
1.3 KiB
Text
46 lines
1.3 KiB
Text
$NetBSD: patch-CVE-2014-9030,v 1.1 2014/11/27 15:36:02 bouyer Exp $
|
|
|
|
x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE
|
|
|
|
Any domain which can pass the XSM check against a translated guest can cause a
|
|
page reference to be leaked.
|
|
|
|
While shuffling the order of checks, drop the quite-pointless MEM_LOG(). This
|
|
brings the check in line with similar checks in the vicinity.
|
|
|
|
Discovered while reviewing the XSA-109/110 followup series.
|
|
|
|
This is XSA-113.
|
|
|
|
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Reviewed-by: Jan Beulich <jbeulich@suse.com>
|
|
Reviewed-by: Tim Deegan <tim@xen.org>
|
|
|
|
--- xen/arch/x86/mm.c.orig 2014-11-27 15:21:15.000000000 +0100
|
|
+++ xen/arch/x86/mm.c 2014-11-27 15:37:25.000000000 +0100
|
|
@@ -3888,6 +3892,12 @@
|
|
|
|
case MMU_MACHPHYS_UPDATE:
|
|
|
|
+ if ( unlikely(paging_mode_translate(pg_owner)) )
|
|
+ {
|
|
+ rc = -EINVAL;
|
|
+ break;
|
|
+ }
|
|
+
|
|
mfn = req.ptr >> PAGE_SHIFT;
|
|
gpfn = req.val;
|
|
|
|
@@ -3901,12 +3911,6 @@
|
|
break;
|
|
}
|
|
|
|
- if ( unlikely(paging_mode_translate(pg_owner)) )
|
|
- {
|
|
- MEM_LOG("Mach-phys update on auto-translate guest");
|
|
- break;
|
|
- }
|
|
-
|
|
set_gpfn_from_mfn(mfn, gpfn);
|
|
okay = 1;
|
|
|