SUSE:SLE-15-SP1:Update
File 60bf9e1a-Arm-boot-modules-scrubbing.patch of Package xen
# Commit fd5dc41ceaed9cfcfa011cdfd50f264c89277a90 # Date 2021-06-08 17:43:06 +0100 # Author Julien Grall <jgrall@amazon.com> # Committer Andrew Cooper <andrew.cooper3@citrix.com> xen/arm: Boot modules should always be scrubbed if bootscrub={on, idle} The function to initialize the pages (see init_heap_pages()) will request scrub when the admin request idle bootscrub (default) and state == SYS_STATE_active. When bootscrub=on, Xen will scrub any free pages in heap_init_late(). Currently, the boot modules (e.g. kernels, initramfs) will be discarded/ freed after heap_init_late() is called and system_state switched to SYS_STATE_active. This means the pages associated with the boot modules will not get scrubbed before getting re-purposed. If the memory is assigned to an untrusted domU, it may be able to retrieve secrets from the modules. This is part of XSA-372 / CVE-2021-28693. Fixes: 1774e9b1df27 ("xen/arm: introduce create_domUs") Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Tested-by: Stefano Stabellini <sstabellini@kernel.org> --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -73,7 +73,6 @@ static __used void init_done(void) /* Must be done past setting system_state. */ unregister_init_virtual_region(); - discard_initial_modules(); free_init_memory(); startup_cpu_idle_loop(); } @@ -904,6 +903,12 @@ void __init start_xen(unsigned long boot create_domUs(); + /* + * This needs to be called **before** heap_init_late() so modules + * will be scrubbed (unless suppressed). + */ + discard_initial_modules(); + heap_init_late(); init_trace_bufs();
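Review bot: In the init_done() hunk, free_init_memory() stays where it was, under the "Must be done past setting system_state" comment and therefore after heap_init_late(), while discard_initial_modules() is moved out of this function for exactly that ordering reason. The commit message should state why init memory does not need the same treatment, so the asymmetry between the two frees is not read as an oversight.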
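Review bot: In the start_xen() hunk, the new comment documents only the upper bound of the ordering (before heap_init_late()), but the call is placed directly after create_domUs() and the Fixes: tag points at the commit that introduced that function. If create_domUs() still needs the boot modules, the comment should say the call must stay after create_domUs() as well as before heap_init_late(), so a later reshuffle of start_xen() does not break either side. It would also help to replace "(unless suppressed)" with the bootscrub option named in the commit message, so the reader knows which setting controls the scrub.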