aboutsummaryrefslogtreecommitdiff
path: root/system/xen/patches/xsa176.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/xen/patches/xsa176.patch')
-rw-r--r--system/xen/patches/xsa176.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/system/xen/patches/xsa176.patch b/system/xen/patches/xsa176.patch
new file mode 100644
index 000000000000..1c15abd3e333
--- /dev/null
+++ b/system/xen/patches/xsa176.patch
@@ -0,0 +1,45 @@
+x86/mm: fully honor PS bits in guest page table walks
+
+In L4 entries it is currently unconditionally reserved (and hence
+should, when set, always result in a reserved bit page fault), and is
+reserved on hardware not supporting 1Gb pages (and hence should, when
+set, similarly cause a reserved bit page fault on such hardware).
+
+This is CVE-2016-4480 / XSA-176.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/mm/guest_walk.c
++++ b/xen/arch/x86/mm/guest_walk.c
+@@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct
+ rc |= _PAGE_PRESENT;
+ goto out;
+ }
++ if ( gflags & _PAGE_PSE )
++ {
++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
++ goto out;
++ }
+ rc |= ((gflags & mflags) ^ mflags);
+
+ /* Map the l3 table */
+@@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct
+ }
+ rc |= ((gflags & mflags) ^ mflags);
+
+- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v);
++ pse1G = !!(gflags & _PAGE_PSE);
+
+ if ( pse1G )
+ {
+@@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct
+ /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */
+ flags &= ~_PAGE_PAT;
+
++ if ( !guest_supports_1G_superpages(v) )
++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
+ if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 )
+ rc |= _PAGE_INVALID_BITS;
+