
[alpine-devel] [PATCH 2/4] xen: add a bunch of security fixes

Roger Pau Monne <roger.pau@citrix.com>
Message ID: <1353084798-65779-3-git-send-email-roger.pau@citrix.com>
Sender timestamp: 1353084796
Patch: +144 -0
This covers:
XSA-20
XSA-22
XSA-23
XSA-24

Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
---
 main/xen/APKBUILD                 |    8 +++++++
 main/xen/xsa20.patch              |   38 +++++++++++++++++++++++++++++++++++
 main/xen/xsa22-4.2-unstable.patch |   40 +++++++++++++++++++++++++++++++++++++
 main/xen/xsa23-4.2-unstable.patch |   32 +++++++++++++++++++++++++++++
 main/xen/xsa24.patch              |   26 ++++++++++++++++++++++++
 5 files changed, 144 insertions(+), 0 deletions(-)
 create mode 100644 main/xen/xsa20.patch
 create mode 100644 main/xen/xsa22-4.2-unstable.patch
 create mode 100644 main/xen/xsa23-4.2-unstable.patch
 create mode 100644 main/xen/xsa24.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 7143850..1777d47 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -19,6 +19,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
	librt.patch
	make_stubdoms.patch
	qemu-xen_paths.patch
	xsa20.patch
	xsa22-4.2-unstable.patch
	xsa23-4.2-unstable.patch
	xsa24.patch
	xsa25-4.2.patch

	xenstored.initd
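Review bot: the `source=` list in this hunk also names `xsa25-4.2.patch`, but the commit message covers only XSA-20/22/23/24 and the diffstat creates no `xsa25-4.2.patch`; the hunk header counts four added lines for five `xsa*.patch` entries, so XSA-25 is presumably already present from an earlier patch in this series, but that is worth confirming, because a source file listed here that does not exist in the aport makes the build fail before any patch is applied.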
@@ -134,6 +138,10 @@ md5sums="f4f217969afc38f09251039966d91a87  xen-4.2.0.tar.gz
2dc5ddf47c53ea168729975046c3c1f9  librt.patch
41ad48fdc269749776fa6aa04f6778c2  make_stubdoms.patch
1ccde6b36a6f9542a16d998204dc9a22  qemu-xen_paths.patch
fb7e76f00c2a4e63b408cb67df7d1a7b  xsa20.patch
5a67dfac5e6f5a0836aeaefa1804c09f  xsa22-4.2-unstable.patch
9151e7c648b12f518826ad0f0a67da42  xsa23-4.2-unstable.patch
9bd8b30094f8eb2408846c1b6ed0cad6  xsa24.patch
9fc7097ed2e5e756c4ae91145c143433  xsa25-4.2.patch
4ee9bf0c09269995569c9f05d4e8c779  xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
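Review bot: the four new md5sums must match the patch files added later in this commit byte for byte, so regenerate them with `abuild checksum` after any edit to those files (a stale hash aborts the build). MD5 here only guards against accidental corruption, not tampering; the authoritative check for security patches is comparing the committed files against the patches published with the corresponding XSA advisories.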
diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch
new file mode 100644
index 0000000..bedd318
--- /dev/null
+++ b/main/xen/xsa20.patch
@@ -0,0 +1,38 @@
VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability

The timer action for a vcpu periodic timer is to calculate the next
expiry time, and to reinsert itself into the timer queue.  If the
deadline ends up in the past, Xen never leaves __do_softirq().  The
affected PCPU will stay in an infinite loop until Xen is killed by the
watchdog (if enabled).

This is a security problem, XSA-20 / CVE-2012-4535.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

diff -r 478ba3f146df xen/common/domain.c
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
         if ( set.period_ns < MILLISECS(1) )
             return -EINVAL;
 
+        if ( set.period_ns > STIME_DELTA_MAX )
+            return -EINVAL;
+
         v->periodic_period = set.period_ns;
         vcpu_force_reschedule(v);
 
diff -r 478ba3f146df xen/include/xen/time.h
--- a/xen/include/xen/time.h
+++ b/xen/include/xen/time.h
@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
 #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
 #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
 #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
 
 extern void update_vcpu_system_time(struct vcpu *v);
 extern void update_domain_wallclock_time(struct domain *d);
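Review bot: the new comment has a typo (`wont` should be `won't`) and its figure is loose: `STIME_DELTA_MAX` is `2^62 - 1` ns, about 146 years, so `NOW() + delta` cannot exceed `STIME_MAX` (`2^63 - 1`) until uptime itself passes roughly 146 years; suggest `/* Chosen so (NOW() + delta) won't overflow without an uptime of ~146 years */`, or "well over a century" if an exact figure is not wanted.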
diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch
new file mode 100644
index 0000000..e15fd73
--- /dev/null
+++ b/main/xen/xsa22-4.2-unstable.patch
@@ -0,0 +1,40 @@
x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d
     if ( mfn_valid(_mfn(mfn)) ) 
     {
         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
+        {
             rc = -EINVAL;
+            goto out; /* Failed to update p2m, bail without updating m2p. */
+        }
         if ( !p2m_is_grant(t) )
         {
             for ( i = 0; i < (1UL << page_order); i++ )
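Review bot: the new `goto out;` after `rc = -EINVAL;` relies on the `out:` label added in the next hunk, placed just before `p2m_unlock(p2m)`, so the lock is still released on the failure path while the m2p update loop that follows is skipped, which is the intended fix. Confirm that nothing in the elided lines between the end of this hunk and `out:` still needs to run when `set_p2m_entry()` fails, since the early exit now bypasses all of it.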
@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d
         }
     }
 
+out:
     p2m_unlock(p2m);
 
     return rc;
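Review bot: `out:` sits directly before `p2m_unlock(p2m)` and `return rc;`, which is correct for the failure path, but a bare label with no comment is easy to misread as an unconditional exit; a short note such as `/* rc already set on the failing p2m update path */` would help the next reader see that the label is reached with an error code only from the `goto` above.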
diff --git a/main/xen/xsa23-4.2-unstable.patch b/main/xen/xsa23-4.2-unstable.patch
new file mode 100644
index 0000000..be80a61
--- /dev/null
+++ b/main/xen/xsa23-4.2-unstable.patch
@@ -0,0 +1,32 @@
xen/mm/shadow: check toplevel pagetables are present before unhooking them.

If the guest has not fully populated its top-level PAE entries when it calls
HVMOP_pagetable_dying, the shadow code could try to unhook entries from
MFN 0.  Add a check to avoid that case.

This issue was introduced by c/s 21239:b9d2db109cf5.

This is a security problem, XSA-23 / CVE-2012-4538.

Signed-off-by: Tim Deegan <tim@xen.org>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

diff -r cc56c0394db7 xen/arch/x86/mm/shadow/multi.c
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
         unsigned long gfn;
         mfn_t smfn, gmfn;
 
-        if ( fast_path )
-            smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+        if ( fast_path ) {
+            if ( pagetable_is_null(v->arch.shadow_table[i]) )
+                smfn = _mfn(INVALID_MFN);
+            else
+                smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+        }
         else
         {
             /* retrieving the l2s */
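Review bot: the added `if ( fast_path ) {` puts the opening brace on the same line, whereas the `else` branch directly below keeps the brace on its own line (Xen's house style); suggest
        if ( fast_path )
        {
for consistency. Functionally the change is sound: the fast path now yields `_mfn(INVALID_MFN)` for an unpopulated top-level entry instead of reading a PFN out of a null pagetable (MFN 0, per the commit message), which means the code that consumes `smfn` after this hunk must treat `INVALID_MFN` as "nothing to unhook"; that consumer is outside the hunk, so it is worth confirming.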
diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch
new file mode 100644
index 0000000..e46f513
--- /dev/null
+++ b/main/xen/xsa24.patch
@@ -0,0 +1,26 @@
compat/gnttab: Prevent infinite loop in compat code

c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.

If the watchdog is enabled, Xen will die after the timeout.

This is a security problem, XSA-24 / CVE-2012-4539.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff -r bac883cf805a xen/common/compat/grant_table.c
--- a/xen/common/compat/grant_table.c
+++ b/xen/common/compat/grant_table.c
@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
 #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
                     rc = -EFAULT;
+                else
+                    i = 1;
             }
             break;
         }
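Review bot: the new `else i = 1;` is what breaks the infinite loop described in the commit message, but nothing in the hunk explains why the literal `1` is the right count for this case; a one-line comment, e.g. `/* the whole get_status_frames op was processed: count it so the loop advances */`, would save the next reader from re-deriving it. The placement is right in that `i` is left untouched on the `-EFAULT` path, so a failed copy to the guest is not counted as a completed operation.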
-- 
1.7.7.5 (Apple Git-26)


