diff options
Diffstat (limited to 'system/xen/patches/xsa176.patch')
-rw-r--r-- | system/xen/patches/xsa176.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/system/xen/patches/xsa176.patch b/system/xen/patches/xsa176.patch new file mode 100644 index 000000000000..1c15abd3e333 --- /dev/null +++ b/system/xen/patches/xsa176.patch @@ -0,0 +1,45 @@ +x86/mm: fully honor PS bits in guest page table walks + +In L4 entries it is currently unconditionally reserved (and hence +should, when set, always result in a reserved bit page fault), and is +reserved on hardware not supporting 1Gb pages (and hence should, when +set, similarly cause a reserved bit page fault on such hardware). + +This is CVE-2016-4480 / XSA-176. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> +Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- a/xen/arch/x86/mm/guest_walk.c ++++ b/xen/arch/x86/mm/guest_walk.c +@@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct + rc |= _PAGE_PRESENT; + goto out; + } ++ if ( gflags & _PAGE_PSE ) ++ { ++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT; ++ goto out; ++ } + rc |= ((gflags & mflags) ^ mflags); + + /* Map the l3 table */ +@@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct + } + rc |= ((gflags & mflags) ^ mflags); + +- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v); ++ pse1G = !!(gflags & _PAGE_PSE); + + if ( pse1G ) + { +@@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct + /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */ + flags &= ~_PAGE_PAT; + ++ if ( !guest_supports_1G_superpages(v) ) ++ rc |= _PAGE_PSE | _PAGE_INVALID_BIT; + if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 ) + rc |= _PAGE_INVALID_BITS; + |