SUSE:SLE-12-SP2:Update
File xsa279.patch of Package xen.12882
Subject: x86/mm: Don't perform flush after failing to update a guests L1e From: Andrew Cooper andrew.cooper3@citrix.com Tue Nov 20 16:04:10 2018 +0100 Date: Tue Nov 20 16:04:10 2018 +0100: Git: 045d4f77e9214f11797f590a925652b0f943dd72 If the L1e update hasn't occured, the flush cannot do anything useful. This skips the potentially expensive vcpumask_to_pcpumask() conversion, and broadcast TLB shootdown. More importantly however, we might be in the error path due to a bad va parameter from the guest, and this should not propagate into the TLB flushing logic. The INVPCID instruction for example raises #GP for a non-canonical address. This is XSA-279. Reported-by: Matthew Daley <mattd@bugfuzz.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> master commit: 6c8d50288722672ecc8e19b0741a31b521d01706 master date: 2018-11-20 14:58:41 +0100 Index: xen-4.7.6-testing/xen/arch/x86/mm.c =================================================================== --- xen-4.7.6-testing.orig/xen/arch/x86/mm.c +++ xen-4.7.6-testing/xen/arch/x86/mm.c @@ -4837,6 +4837,14 @@ static int __do_update_va_mapping( if ( pl1e ) guest_unmap_l1e(pl1e); + /* + * Any error at this point means that we haven't change the l1e. Skip the + * flush, as it won't do anything useful. Furthermore, va is guest + * controlled and not necesserily audited by this point. + */ + if ( rc ) + return rc; + switch ( flags & UVMF_FLUSHTYPE_MASK ) { case UVMF_TLB_FLUSH:
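Review bot: The early `return rc;` added after `guest_unmap_l1e(pl1e)` leaves `__do_update_va_mapping()` directly, so on the error path it skips not only the flush but everything that follows the `switch ( flags & UVMF_FLUSHTYPE_MASK )` block. The hunk does not show the end of the function, so please confirm that no cleanup or release sits after the switch; if any does, jumping to a label past the switch would be safer than returning here. The new comment also has two typos ("haven't change" should be "haven't changed", "necesserily" should be "necessarily"), and since it says va is not necessarily audited at this point, it would help to state what guarantees va is valid on the success path, given that the commit message cites INVPCID raising #GP on a non-canonical address.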