File xend-xsa153.patch of Package xen.10697

Overview Repositories Revisions Requests Users Attributes Meta

File xend-xsa153.patch of Package xen.10697

References: bsc#951845 XSA-153 - This is the xend version

From 27593ec62bdad8621df910931349d964a6dbaa8c Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 21 Oct 2015 16:18:30 +0100
Subject: [PATCH XSA-153 v3] libxl: adjust PoD target by memory fudge, too

PoD guests need to balloon at least as far as required by PoD, or risk
crashing.  Currently they don't necessarily know what the right value
is, because our memory accounting is (at the very least) confusing.

Apply the memory limit fudge factor to the in-hypervisor PoD memory
target, too.  This will increase the size of the guest's PoD cache by
the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby).  This ensures
that even with a slightly-off balloon driver, the guest will be
stable even under memory pressure.

There are two call sites of xc_domain_set_pod_target that need fixing:

The one in libxl_set_memory_target is straightforward.

The one in xc_hvm_build_x86.c:setup_guest is more awkward.  Simply
setting the PoD target differently does not work because the various
amounts of memory during domain construction no longer match up.
Instead, we adjust the guest memory target in xenstore (but only for
PoD guests).

This introduces a 1Mby discrepancy between the balloon target of a PoD
guest at boot, and the target set by an apparently-equivalent `xl
mem-set' (or similar) later.  This approach is low-risk for a security
fix but we need to fix this up properly in xen.git#staging and
probably also in stable trees.

This is XSA-153.

Index: xen-4.4.4-testing/tools/python/xen/lowlevel/xc/xc.c
===================================================================
--- xen-4.4.4-testing.orig/tools/python/xen/lowlevel/xc/xc.c
+++ xen-4.4.4-testing/tools/python/xen/lowlevel/xc/xc.c
@@ -1678,7 +1678,8 @@ static PyObject *pyxc_domain_set_target_
     if (!PyArg_ParseTuple(args, "ii", &dom, &mem_kb))
         return NULL;
 
-    mem_pages = mem_kb / 4; 
+    /* bsc#951845 - CVE-2015-7972 XSA-153 */
+    mem_pages = (mem_kb + 1024) / 4;
 
     if (xc_domain_set_pod_target(self->xc_handle, dom, mem_pages,
 				 NULL, NULL, NULL) != 0)
Index: xen-4.4.4-testing/tools/python/xen/xend/XendDomainInfo.py
===================================================================
--- xen-4.4.4-testing.orig/tools/python/xen/xend/XendDomainInfo.py
+++ xen-4.4.4-testing/tools/python/xen/xend/XendDomainInfo.py
@@ -1579,10 +1579,14 @@ class XendDomainInfo:
         self._safe_set_memory('memory_dynamic_max', target * MiB)
 
         if self.domid >= 0:
+            mem_target_fudge = 0
             if target > memory_cur:
                 balloon.free((target - memory_cur) * 1024, self)
             self.storeVm("memory", target)
-            self.storeDom("memory/target", target << 10)
+            # bsc#951845 - CVE-2015-7972 XSA-153
+            if self.pod_enabled:
+                mem_target_fudge = 1
+            self.storeDom("memory/target", (target-mem_target_fudge) << 10)
             xc.domain_set_target_mem(self.domid,
                                      (target * 1024))
         xen.xend.XendDomain.instance().managed_config_save(self)
@@ -1908,6 +1912,10 @@ class XendDomainInfo:
         if self.info.has_key('security_label'):
             f('security_label', self.info['security_label'])
 
+        # bsc#951845 - CVE-2015-7972 XSA-153
+        if self.pod_enabled:
+            f('memory/target', str((self.info['memory_dynamic_max'] - 1024) / 1024))
+
         to_store.update(self._vcpuDomDetails())
 
         log.debug("Storing domain details: %s", scrub_password(to_store))

Places

File xend-xsa153.patch of Package xen.10697

Places