main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)

ref #2123
2026-02-16 05:11:59 +01:00 · 2013-07-01 14:38:45 +00:00 · 2013-07-01 14:38:45 +00:00 · 448e4822bb
commit 448e4822bb
parent 011d14498b
3 changed files with 1271 additions and 1 deletions
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.2.2
-pkgrel=5
+pkgrel=6
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa41.patch
 	xsa41b.patch
 	xsa41c.patch
+	xsa45-4.2.patch
 	xsa48-4.2.patch
 	xsa52-4.2-unstable.patch
 	xsa53-4.2.patch
@ -31,6 +32,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa55.patch
 	xsa56.patch
 	xsa57.patch
+	xsa58-4.2.patch

 	fix-pod2man-choking.patch

@ -154,6 +156,7 @@ md5sums="f7362b19401a47826f2d8fd603a1782a  xen-4.2.2.tar.gz
 8ad8942000b8a4be4917599cad9209cf  xsa41.patch
 ed7d0399c6ca6aeee479da5d8f807fe0  xsa41b.patch
 2f3dd7bdc59d104370066d6582725575  xsa41c.patch
+9265540493f41f7d40c48d0886ec5823  xsa45-4.2.patch
 b3e3a57d189a4f86c9766eaf3b5207f4  xsa48-4.2.patch
 83a9cdd035bcd18bf035434a1ba08c38  xsa52-4.2-unstable.patch
 03a1a4ebc470ee7e638e04db2701a4f7  xsa53-4.2.patch
@ -161,6 +164,7 @@ a8393d1ec6b886ea72ffe624a04ee10a  xsa54.patch
 42cd104f2a33d67938a63a6372cff573  xsa55.patch
 e70b9128ffc2175cea314a533a7d8457  xsa56.patch
 7475158130474ee062a4eb878259af61  xsa57.patch
+7de2cd11c10d6a554f3c81e0688c38b7  xsa58-4.2.patch
 c1d1a415415b0192e5dae9032962bf61  fix-pod2man-choking.patch
 95d8af17bf844d41a015ff32aae51ba1  xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
@ -181,6 +185,7 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28  docs-Fix-gener
 93452beba88a8da8e89b8bfa743074a358ba1d9052151c608e21c4d62f8c4867  xsa41.patch
 896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5  xsa41b.patch
 683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914  xsa41c.patch
+f3c8c75cc6f55409139b1928017d1e432e5e64b6fac2083395f4723353e1c775  xsa45-4.2.patch
 dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b  xsa48-4.2.patch
 5b8582185bf90386729e81db1f7780c69a891b074a87d9a619a90d6f639bea13  xsa52-4.2-unstable.patch
 785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d  xsa53-4.2.patch
@ -188,6 +193,7 @@ dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b  xsa48-4.2.patc
 ac3ebaf3ec37e28ba08e23d63626d7aaccf0a3f282dd0af9c24cc4df3fd8fae0  xsa55.patch
 a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d  xsa56.patch
 b6a5106848541972519cc529859d9ff3083c79367276c7031560fa4ce6f9f770  xsa57.patch
+194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2  xsa58-4.2.patch
 b4e7d43364a06b2cb04527db3e9567524bc489fef475709fd8493ebf1e62406d  fix-pod2man-choking.patch
 81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381  xenstored.initd
 ea9171e71ab3d33061979bcf3bb737156192aa4b0be4d1234438ced75b6fdef3  xenstored.confd
@ -208,6 +214,7 @@ sha512sums="4943b18016ed8c2b194a3b55e6655b3b734b39ffb8cb7ee0a0580f2f4460a1d0e92e
 94672a4d37db4e370370157cac9507ee1a75832f4be779fba148c1faa0b18f26ed57126eee6256ccd5d218463325a730266b53139554f4865adedb7659154c16  xsa41.patch
 bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38  xsa41b.patch
 36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9  xsa41c.patch
+a57b4c8be76a938d51e51ffb39f0781389ebef320f359b0ae9af4a93af970d37dde50a304d4864a75b7fb32861a4745b9da5fa6acce0f2a688b11b13ab43fb4e  xsa45-4.2.patch
 31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4  xsa48-4.2.patch
 b64a965fab8534958e453c493211ed3a6555aafb90d18f6d56a45b41d3086a0029aee85b6b6eb93b0d861d5fdc0ef10fc32e9b4f83593b37c43922d838085dd8  xsa52-4.2-unstable.patch
 9b08924e563e79d2b308c1521da520c0579b334b61ac99a5593eabdb96dbda2da898b542cc47bda6d663c68343216d9d29c04853b6d1b6ecdde964b0cbb3f7ab  xsa53-4.2.patch
@ -215,6 +222,7 @@ c9010be637d4f96ef03c880e1ef28228f762c5980108380a105bd190b631a882c8dff81e9421246d
 b4f43095163146a29ae258575bb03bd45f5a315d3cca7434a0b88c18eb1b6e1cf17ef13b4ac428a08797271a3dbc756d3f705a990991c8d2fc96f0f272c3665a  xsa55.patch
 26a1c2cc92ddd4c1ab6712b0e41a0135d0e76a7fe3a14b651fb0235e352e5a24077414371acccb93058b7ce4d882b667386811170ba74570c53165837bcd983d  xsa56.patch
 5ccc1654d9f0270485495f9fc913e41663ddbda602ffe049e0a9c3247c6246690b7ec4165482f96921c5253a2a5205ca384048339996e611c07ab60a6a75cf6a  xsa57.patch
+60813c01f6bb909da8748919df4d0ffa923baf4b7b55287e0bec3389fb83020158225182e112941c9e126b4df57e7b8724f2a69d0c1fa9ce3b37c0bdf1a49da4  xsa58-4.2.patch
 ffb1113fcec0853b690c177655c7d1136388efdebf0d7f625b80481b98eadd3e9ef461442ced53e11acf0e347800a2b0a41e18b05065b5d04bffdd8a4e127cec  fix-pod2man-choking.patch
 792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee  xenstored.initd
 100cf4112f401f45c1e4e885a5074698c484b40521262f6268fad286498e95f4c51e746f0e94eb43a590bb8e813a397bb53801ccacebec9541020799d8d70514  xenstored.confd
--- a/main/xen/xsa45-4.2.patch
+++ b/main/xen/xsa45-4.2.patch
--- a/main/xen/xsa58-4.2.patch
+++ b/main/xen/xsa58-4.2.patch
@ -0,0 +1,129 @@
+x86: fix page refcount handling in page table pin error path
+
+In the original patch 7 of the series addressing XSA-45 I mistakenly
+took the addition of the call to get_page_light() in alloc_page_type()
+to cover two decrements that would happen: One for the PGT_partial bit
+that is getting set along with the call, and the other for the page
+reference the caller hold (and would be dropping on its error path).
+But of course the additional page reference is tied to the PGT_partial
+bit, and hence any caller of a function that may leave
+->arch.old_guest_table non-NULL for error cleanup purposes has to make
+sure a respective page reference gets retained.
+
+Similar issues were then also spotted elsewhere: In effect all callers
+of get_page_type_preemptible() need to deal with errors in similar
+ways. To make sure error handling can work this way without leaking
+page references, a respective assertion gets added to that function.
+
+This is CVE-2013-1432 / XSA-58.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
+@@ -941,6 +941,10 @@ int arch_set_info_guest(
+     if ( v->vcpu_id == 0 )
+         d->vm_assist = c(vm_assist);
+ 
+    rc = put_old_guest_table(current);
+    if ( rc )
+        return rc;
+
+     if ( !compat )
+         rc = (int)set_gdt(v, c.nat->gdt_frames, c.nat->gdt_ents);
+ #ifdef CONFIG_COMPAT
+@@ -980,18 +984,24 @@ int arch_set_info_guest(
+     }
+     else
+     {
+-        /*
+-         * Since v->arch.guest_table{,_user} are both NULL, this effectively
+-         * is just a call to put_old_guest_table().
+-         */
+         if ( !compat )
+-            rc = vcpu_destroy_pagetables(v);
+            rc = put_old_guest_table(v);
+         if ( !rc )
+             rc = get_page_type_preemptible(cr3_page,
+                                            !compat ? PGT_root_page_table
+                                                    : PGT_l3_page_table);
+-        if ( rc == -EINTR )
+        switch ( rc )
+        {
+        case -EINTR:
+             rc = -EAGAIN;
+        case -EAGAIN:
+        case 0:
+            break;
+        default:
+            if ( cr3_page == current->arch.old_guest_table )
+                cr3_page = NULL;
+            break;
+        }
+     }
+     if ( rc )
+         /* handled below */;
+@@ -1018,6 +1028,11 @@ int arch_set_info_guest(
+                         pagetable_get_page(v->arch.guest_table);
+                     v->arch.guest_table = pagetable_null();
+                     break;
+                default:
+                    if ( cr3_page == current->arch.old_guest_table )
+                        cr3_page = NULL;
+                case 0:
+                    break;
+                 }
+             }
+             if ( !rc )
+--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
+@@ -718,7 +718,8 @@ static int get_page_and_type_from_pagenr
+           get_page_type_preemptible(page, type) :
+           (get_page_type(page, type) ? 0 : -EINVAL));
+ 
+-    if ( unlikely(rc) && partial >= 0 )
+    if ( unlikely(rc) && partial >= 0 &&
+         (!preemptible || page != current->arch.old_guest_table) )
+         put_page(page);
+ 
+     return rc;
+@@ -2638,6 +2639,7 @@ int put_page_type_preemptible(struct pag
+ 
+ int get_page_type_preemptible(struct page_info *page, unsigned long type)
+ {
+    ASSERT(!current->arch.old_guest_table);
+     return __get_page_type(page, type, 1);
+ }
+ 
+@@ -2848,7 +2850,7 @@ static void put_superpage(unsigned long 
+ 
+ #endif
+ 
+-static int put_old_guest_table(struct vcpu *v)
+int put_old_guest_table(struct vcpu *v)
+ {
+     int rc;
+ 
+@@ -3253,7 +3255,8 @@ long do_mmuext_op(
+                     rc = -EAGAIN;
+                 else if ( rc != -EAGAIN )
+                     MEM_LOG("Error while pinning mfn %lx", page_to_mfn(page));
+-                put_page(page);
+                if ( page != curr->arch.old_guest_table )
+                    put_page(page);
+                 break;
+             }
+ 
+--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
+@@ -374,6 +374,7 @@ void put_page_type(struct page_info *pag
+ int  get_page_type(struct page_info *page, unsigned long type);
+ int  put_page_type_preemptible(struct page_info *page);
+ int  get_page_type_preemptible(struct page_info *page, unsigned long type);
+int  put_old_guest_table(struct vcpu *);
+ int  get_page_from_l1e(
+     l1_pgentry_t l1e, struct domain *l1e_owner, struct domain *pg_owner);
+ void put_page_from_l1e(l1_pgentry_t l1e, struct domain *l1e_owner);