
[Xen-changelog] [xen-3.4-testing] x86/physmap: Prevent incorrect updates of m2p mappings


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-3.4-testing <patchbot@xxxxxxx>
  • Date: Wed, 14 Nov 2012 11:44:09 +0000
  • Delivery-date: Wed, 14 Nov 2012 11:44:17 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1352893271 0
# Node ID b42c35f6369af19f414f29b71159c662b3b094be
# Parent  97f0909e11ad25985dcbac49bdfba02a29ad8c63
x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.

If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.

This is fixed by only updating the m2p table iff the p2m was
successfully updated.

This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

[ Add backport of 20516:c4e620a2e65c to correct
  error return from set_p2m_entry ]

Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
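The failure mode the commit message describes, as an added illustration that is not Xen code: a toy domain with a gfn-to-mfn table (p2m) and an mfn-to-gfn table (m2p), a stand-in for set_p2m_entry() that fails once an allocation budget is exhausted (the "low memory" condition), and the pre-fix and post-fix shapes of the add-entry path side by side. The audit helper plays the role of audit_p2m() and reports whether the two tables still agree. All names, table sizes and the budget mechanism are constructed for this example.

```c
/* Added example (not Xen code): a toy model of the p2m/m2p pair described in
 * the commit message, showing how writing m2p after a failed p2m update
 * desynchronises the two tables, and how bailing out keeps them consistent.
 * All names and sizes are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_GFNS 16                         /* guest frames in the toy domain */
#define NR_MFNS 16                         /* machine frames in the toy host */
#define INVALID_FRAME ((unsigned long)-1)

struct toy_domain {
    unsigned long p2m[NR_GFNS];            /* gfn -> mfn */
    unsigned long m2p[NR_MFNS];            /* mfn -> gfn */
    int alloc_budget;                      /* page-table pages we may still allocate */
};

static void toy_init(struct toy_domain *d, int budget)
{
    for (size_t i = 0; i < NR_GFNS; i++) d->p2m[i] = INVALID_FRAME;
    for (size_t i = 0; i < NR_MFNS; i++) d->m2p[i] = INVALID_FRAME;
    d->alloc_budget = budget;
}

/* Stand-in for set_p2m_entry(): nonzero on success, 0 on failure. Failure is
 * modelled as running out of page-table allocation budget (low memory). */
static int toy_set_p2m_entry(struct toy_domain *d, unsigned long gfn, unsigned long mfn)
{
    if (gfn >= NR_GFNS || mfn >= NR_MFNS) return 0;
    if (d->alloc_budget <= 0) return 0;    /* the low-memory case */
    d->alloc_budget--;
    d->p2m[gfn] = mfn;
    return 1;
}

/* Pre-fix shape: m2p is written even though the p2m update failed. */
static int toy_physmap_add_buggy(struct toy_domain *d, unsigned long gfn, unsigned long mfn)
{
    int rc = 0;
    if (!toy_set_p2m_entry(d, gfn, mfn))
        rc = -1;
    d->m2p[mfn] = gfn;                     /* unconditional: the bug */
    return rc;
}

/* Post-fix shape: bail before touching m2p if the p2m update failed. */
static int toy_physmap_add_fixed(struct toy_domain *d, unsigned long gfn, unsigned long mfn)
{
    if (!toy_set_p2m_entry(d, gfn, mfn))
        return -1;                         /* p2m untouched, so leave m2p alone too */
    d->m2p[mfn] = gfn;
    return 0;
}

/* Audit in the spirit of audit_p2m(): every populated entry in either table
 * must be mirrored by the other. Returns true when the tables agree. */
static bool toy_audit(const struct toy_domain *d)
{
    for (unsigned long mfn = 0; mfn < NR_MFNS; mfn++) {
        unsigned long gfn = d->m2p[mfn];
        if (gfn == INVALID_FRAME) continue;
        if (gfn >= NR_GFNS || d->p2m[gfn] != mfn) return false;
    }
    for (unsigned long gfn = 0; gfn < NR_GFNS; gfn++) {
        unsigned long mfn = d->p2m[gfn];
        if (mfn == INVALID_FRAME) continue;
        if (mfn >= NR_MFNS || d->m2p[mfn] != gfn) return false;
    }
    return true;
}

/* Same sequence through either version: the first mapping succeeds, then the
 * budget is gone and the second fails. Returns true if the tables still audit
 * cleanly afterwards. */
static bool toy_scenario(bool use_fixed)
{
    struct toy_domain d;
    int (*add)(struct toy_domain *, unsigned long, unsigned long) =
        use_fixed ? toy_physmap_add_fixed : toy_physmap_add_buggy;
    toy_init(&d, 1);                       /* budget for exactly one update */
    add(&d, 3, 7);                         /* succeeds */
    add(&d, 4, 8);                         /* p2m update fails: budget is 0 */
    return toy_audit(&d);
}

int main(void)
{
    printf("buggy path audits clean: %s\n", toy_scenario(false) ? "yes" : "no");
    printf("fixed path audits clean: %s\n", toy_scenario(true) ? "yes" : "no");
    return 0;
}
```

In the buggy run the second call leaves m2p[8] pointing at gfn 4 while p2m[4] is still unmapped, which is the kind of disagreement that real audit or ASSERT() checks in the hypervisor would trip over later; in the fixed run the failed call leaves both tables untouched and the audit passes.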


diff -r 97f0909e11ad -r b42c35f6369a xen/arch/x86/mm/p2m.c
--- a/xen/arch/x86/mm/p2m.c     Wed Nov 14 11:38:25 2012 +0000
+++ b/xen/arch/x86/mm/p2m.c     Wed Nov 14 11:41:11 2012 +0000
@@ -1500,14 +1500,15 @@ int set_p2m_entry(struct domain *d, unsi
 {
     unsigned long todo = 1ul << page_order;
     unsigned int order;
-    int rc = 0;
+    int rc = 1;
 
     while ( todo )
     {
         order = ((((gfn | mfn_x(mfn) | todo) & (SUPERPAGE_PAGES - 1)) == 0) &&
                  hvm_hap_has_2mb(d)) ? 9 : 0;
 
-        rc = d->arch.p2m->set_entry(d, gfn, mfn, order, p2mt);
+        if ( !d->arch.p2m->set_entry(d, gfn, mfn, order, p2mt) )
+            rc = 0;
         gfn += 1ul << order;
         if ( mfn_x(mfn) != INVALID_MFN )
             mfn = _mfn(mfn_x(mfn) + (1ul << order));
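Review bot: with `int rc = 1;` only cleared by a failed `set_entry()` call, the loop keeps running after a failure instead of stopping, so later chunks of a multi-page order may still be written while the function returns 0; a caller seeing 0 cannot tell how much of the range was applied. Either break out on the first failed chunk, or document at the `rc = 1` line that 0 now means "at least one chunk failed, others may have been applied" rather than the raw `set_entry()` result the old code returned.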
@@ -2054,7 +2055,10 @@ guest_physmap_add_entry(struct domain *d
     if ( mfn_valid(_mfn(mfn)) ) 
     {
         if ( !set_p2m_entry(d, gfn, _mfn(mfn), page_order, t) )
+        {
             rc = -EINVAL;
+            goto out; /* Failed to update p2m, bail without updating m2p. */
+        }
         for ( i = 0; i < (1UL << page_order); i++ )
             set_gpfn_from_mfn(mfn+i, gfn+i);
     }
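Review bot: the `goto out;` after `rc = -EINVAL;` is the substance of the fix, since it stops the `set_gpfn_from_mfn(mfn+i, gfn+i)` loop from writing m2p entries for a mapping the p2m never accepted. Two things to check: that the `out:` label (added in the next hunk) sits where the p2m lock is still released, and that the inline comment's promise of "bail without updating m2p" is matched by a note that the p2m itself may hold a partially applied multi-page update, because `set_p2m_entry` in the first hunk continues past a failed chunk.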
@@ -2072,6 +2076,7 @@ guest_physmap_add_entry(struct domain *d
         }
     }
 
+out:
     audit_p2m(d);
     p2m_unlock(d->arch.p2m);
 
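Review bot: placing `out:` just before `audit_p2m(d)` means the audit also runs on the new failure path, where m2p was deliberately left alone and the p2m may be partially updated; confirm that `audit_p2m` tolerates a gfn with no matching m2p entry, otherwise the bail-out trades the original crash for an audit assertion. The label does keep `p2m_unlock(d->arch.p2m)` on the path, so the early exit does not leak the lock.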

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
