diff options
| author | Mario Preksavec <mario@slackware.hr> | 2017-05-09 13:41:50 +0200 |
|---|---|---|
| committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2017-05-13 07:00:05 +0700 |
| commit | 3bc8d8ddbde42ab78b117a9051c2c38b0e49b4d0 (patch) | |
| tree | 856b7d4c0c6dfc136a0839ebeca0026410e7daa1 /system/xen/xsa/xsa214.patch | |
| parent | 23fa16c0b1ca7fa938470de2fba44e224a9c0198 (diff) | |
system/xen: XSA 213 and 214 update.
Signed-off-by: Mario Preksavec <mario@slackware.hr>
Diffstat (limited to 'system/xen/xsa/xsa214.patch')
| -rw-r--r-- | system/xen/xsa/xsa214.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa214.patch b/system/xen/xsa/xsa214.patch new file mode 100644 index 0000000000000..46a3d3a4c6030 --- /dev/null +++ b/system/xen/xsa/xsa214.patch @@ -0,0 +1,41 @@ +From: Jan Beulich <jbeulich@suse.com> +Subject: x86: discard type information when stealing pages + +While a page having just a single general reference left necessarily +has a zero type reference count too, its type may still be valid (and +in validated state; at present this is only possible and relevant for +PGT_seg_desc_page, as page tables have their type forcibly zapped when +their type reference count drops to zero, and +PGT_{writable,shared}_page pages don't require any validation). In +such a case when the page is being re-used with the same type again, +validation is being skipped. As validation criteria differ between +32- and 64-bit guests, pages to be transferred between guests need to +have their validation indicator zapped (and with it we zap all other +type information at once). + +This is XSA-214. + +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -4466,6 +4466,17 @@ int steal_page( + y = cmpxchg(&page->count_info, x, x & ~PGC_count_mask); + } while ( y != x ); + ++ /* ++ * With the sole reference dropped temporarily, no-one can update type ++ * information. Type count also needs to be zero in this case, but e.g. ++ * PGT_seg_desc_page may still have PGT_validated set, which we need to ++ * clear before transferring ownership (as validation criteria vary ++ * depending on domain type). ++ */ ++ BUG_ON(page->u.inuse.type_info & (PGT_count_mask | PGT_locked | ++ PGT_pinned)); ++ page->u.inuse.type_info = 0; ++ + /* Swizzle the owner then reinstate the PGC_allocated reference. */ + page_set_owner(page, NULL); + y = page->count_info; |