main/xen: add mitigation for XSA-384 (CVE-2021-28701)

2026-05-12 16:16:22 +02:00 · 2021-09-08 13:19:46 -06:00 · 2021-09-08 13:19:46 -06:00 · be3c16d1cb
commit be3c16d1cb
parent 43ec5dabc8
2 changed files with 87 additions and 3 deletions
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=xen
 pkgver=4.15.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Xen hypervisor"
 url="https://www.xenproject.org/"
 arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@ -254,11 +254,12 @@ options="!strip"
 #     - CVE-2021-28694 XSA-378
 #     - CVE-2021-28695 XSA-378
 #     - CVE-2021-28696 XSA-378
-#     - CVE-2021-28967 XSA-379
+#     - CVE-2021-28697 XSA-379
 #     - CVE-2021-28698 XSA-380
 #     - CVE-2021-28699 XSA-382
 #     - CVE-2021-28700 XSA-383
-
+#   4.15.0-r3:
+#     - CVE-2021-28701 XSA-384

 case "$CARCH" in
 x86*)
@ -350,6 +351,7 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz

 	xsa382.patch
 	xsa383.patch
+	xsa384.patch

 	xenstored.initd
 	xenstored.confd
@ -615,6 +617,7 @@ d2d7096037f77b52b2c6144bda3a744f6edab9f72cabbaadb1751733c398278dbaace925f393bd96
 c3aa4f37ebdbd35a59d5b889b65bcb18f5c7f15c07af335b4093a70ba84d674588eba63b18401b4f537486f437bd0495f6866bf16a527352ac6169deb70d2fa6  xsa380-3.patch
 6c5e3388fcfb0dcae30d5f315bf95d263c82519d2cbf2a8a88d280b5b0b1c1ed4cce7a1a85fabbf57c785ad9dc23e8e5e4773c631c00e036aada604ff8e7fa03  xsa382.patch
 d5106df26e6c4512d88ea6748c403117a2b61cb40f6d6c08a76f160352b79f94dd67cbb3419a33f2c6cfc7bbd644baed0498e366a6bf00d8031df728a47f36ea  xsa383.patch
+fe14ee4e28001e28ab0c3c0eca56d00d4d6e95879eec1f81f780d783d3845a4dd1dcd38449b2b7085e9aad88f0b95c59eebb52d8b5cf868012ff410fe32b9870  xsa384.patch
 a8dda349cab62febf2ef506eb26d2ba494a649b1c37206519ae23f02a36f600b19996bb8a148e5f21a240ec53ecfcf971a07686b9ddcdad417563fdf39b2215f  xenstored.initd
 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0  xenstored.confd
 1dd04f4bf1890771aa7eef0b6e46f7139487da0907d28dcdbef9fbe335dcf731ca391cfcb175dd82924f637a308de00a69ae981f67348c34f04489ec5e5dc3b7  xenconsoled.initd
--- a/main/xen/xsa384.patch
+++ b/main/xen/xsa384.patch
@ -0,0 +1,81 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: gnttab: deal with status frame mapping race
+
+Once gnttab_map_frame() drops the grant table lock, the MFN it reports
+back to its caller is free to other manipulation. In particular
+gnttab_unpopulate_status_frames() might free it, by a racing request on
+another CPU, thus resulting in a reference to a deallocated page getting
+added to a domain's P2M.
+
+Obtain a page reference in gnttab_map_frame() to prevent freeing of the
+page until xenmem_add_to_physmap_one() has actually completed its acting
+on the page. Do so uniformly, even if only strictly required for v2
+status pages, to avoid extra conditionals (which then would all need to
+be kept in sync going forward).
+
+This is CVE-2021-28701 / XSA-384.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+---
+v2: Pull get_page() earlier and fold if()s.
+
+--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
+@@ -1420,6 +1420,8 @@ int xenmem_add_to_physmap_one(
+         if ( rc )
+             return rc;
+ 
+        /* Need to take care of the reference obtained in gnttab_map_frame(). */
+        page = mfn_to_page(mfn);
+         t = p2m_ram_rw;
+ 
+         break;
+@@ -1487,9 +1489,12 @@ int xenmem_add_to_physmap_one(
+     /* Map at new location. */
+     rc = guest_physmap_add_entry(d, gfn, mfn, 0, t);
+ 
+-    /* If we fail to add the mapping, we need to drop the reference we
+-     * took earlier on foreign pages */
+-    if ( rc && space == XENMAPSPACE_gmfn_foreign )
+    /*
+     * For XENMAPSPACE_gmfn_foreign if we failed to add the mapping, we need
+     * to drop the reference we took earlier. In all other cases we need to
+     * drop any reference we took earlier (perhaps indirectly).
+     */
+    if ( space == XENMAPSPACE_gmfn_foreign ? rc : page != NULL )
+     {
+         ASSERT(page != NULL);
+         put_page(page);
+--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
+@@ -2726,6 +2726,8 @@ int xenmem_add_to_physmap_one(
+         rc = gnttab_map_frame(d, idx, gpfn, &mfn);
+         if ( rc )
+             return rc;
+        /* Need to take care of the reference obtained in gnttab_map_frame(). */
+        page = mfn_to_page(mfn);
+         break;
+ 
+     case XENMAPSPACE_gmfn:
+--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
+@@ -4097,7 +4097,16 @@ int gnttab_map_frame(struct domain *d, u
+     }
+ 
+     if ( !rc )
+-        gnttab_set_frame_gfn(gt, status, idx, gfn);
+    {
+        /*
+         * Make sure gnttab_unpopulate_status_frames() won't (successfully)
+         * free the page until our caller has completed its operation.
+         */
+        if ( get_page(mfn_to_page(*mfn), d) )
+            gnttab_set_frame_gfn(gt, status, idx, gfn);
+        else
+            rc = -EBUSY;
+    }
+ 
+     grant_write_unlock(gt);
+