Sophie

Sophie

distrib > Mageia > 5 > x86_64 > media > core-updates-src > by-pkgid > 6baf24ee0100410726269e474b93d1bc > files > 27

xen-4.5.2-1.5.mga5.src.rpm

From 642943d1614d25a035e9923b916e46e9b446ee81 Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Wed, 20 Jan 2016 14:02:17 +0100
Subject: [PATCH 28/43] x86/mm: PV superpage handling lacks sanity checks

MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
dereferencing pointers into the superpage frame table.

Reported-by: Qinghao Tang <luodalongde@gmail.com>

get_superpage() has a similar issue.

This is CVE-2016-1570 / XSA-167.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
master commit: 47abf29a9255b2e7b94e56d66b455d0a584b68b8
master date: 2016-01-20 13:49:23 +0100
---
 xen/arch/x86/mm.c | 37 ++++++++++++-------------------------
 1 file changed, 12 insertions(+), 25 deletions(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index b4d3031..9179a8f 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2550,6 +2550,9 @@ int get_superpage(unsigned long mfn, struct domain *d)
 
     ASSERT(opt_allow_superpage);
 
+    if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+        return -EINVAL;
+
     spage = mfn_to_spage(mfn);
     y = spage->type_info;
     do {
@@ -3320,42 +3323,26 @@ long do_mmuext_op(
         }
 
         case MMUEXT_MARK_SUPER:
+        case MMUEXT_UNMARK_SUPER:
         {
             unsigned long mfn = op.arg1.mfn;
 
-            if ( unlikely(d != pg_owner) )
-                rc = -EPERM;
-            else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
-            {
-                MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
-                okay = 0;
-            }
-            else if ( !opt_allow_superpage )
+            if ( !opt_allow_superpage )
             {
                 MEM_LOG("Superpages disallowed");
                 rc = -ENOSYS;
             }
-            else
-                rc = mark_superpage(mfn_to_spage(mfn), d);
-            break;
-        }
-
-        case MMUEXT_UNMARK_SUPER:
-        {
-            unsigned long mfn = op.arg1.mfn;
-
-            if ( unlikely(d != pg_owner) )
+            else if ( unlikely(d != pg_owner) )
                 rc = -EPERM;
-            else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
+            else if ( mfn & (L1_PAGETABLE_ENTRIES - 1) )
             {
                 MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
-                okay = 0;
-            }
-            else if ( !opt_allow_superpage )
-            {
-                MEM_LOG("Superpages disallowed");
-                rc = -ENOSYS;
+                rc = -EINVAL;
             }
+            else if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+                rc = -EINVAL;
+            else if ( op.cmd == MMUEXT_MARK_SUPER )
+                rc = mark_superpage(mfn_to_spage(mfn), d);
             else
                 rc = unmark_superpage(mfn_to_spage(mfn));
             break;
-- 
2.7.2

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional