File 5632127b-x86-guard-against-undue-super-page-PTE... of Package xen.1589

Overview Repositories Revisions Requests Users Attributes Meta

File 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch of Package xen.1589

References: bsc#950367 CVE-2015-7835 XSA-148

# Commit fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
# Date 2015-10-29 13:35:07 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: guard against undue super page PTE creation

When optional super page support got added (commit bd1cd81d64 "x86: PV
support for hugepages"), two adjustments were missed: mod_l2_entry()
needs to consider the PSE and RW bits when deciding whether to use the
fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
unconditionally.

This is CVE-2015-7835 / XSA-148.

Reported-by: "栾尚聪(好风)" <shangcong.lsc@alibaba-inc.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>

--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -163,7 +163,10 @@ static void put_superpage(unsigned long
 
 static uint32_t base_disallow_mask;
 #define L1_DISALLOW_MASK (base_disallow_mask | _PAGE_GNTTAB)
-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
+
+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
+                          ? base_disallow_mask & ~_PAGE_PSE \
+                          : base_disallow_mask)
 
 #define l3_disallow_mask(d) (!is_pv_32on64_domain(d) ?  \
                              base_disallow_mask :       \
@@ -1786,7 +1789,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
         }
 
         /* Fast path for identical mapping and presence. */
-        if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
+        if ( !l2e_has_changed(ol2e, nl2e,
+                              unlikely(opt_allow_superpage)
+                              ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
+                              : _PAGE_PRESENT) )
         {
             adjust_guest_l2e(nl2e, d);
             if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )

Places

File 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch of Package xen.1589

Places