[Xen-changelog] [xen-4.1-testing] x86/physmap: Prevent incorrect updates of m2p mappings
# HG changeset patch # User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> # Date 1352893245 0 # Node ID f635b1447d7e35fb10cf5373ee365111f892c932 # Parent 210f16b6509b7462481da2e64e4fe20efcdb899d x86/physmap: Prevent incorrect updates of m2p mappings In certain conditions, such as low memory, set_p2m_entry() can fail. Currently, the p2m and m2p tables will get out of sync because we still update the m2p table after the p2m update has failed. If that happens, subsequent guest-invoked memory operations can cause BUG()s and ASSERT()s to kill Xen. This is fixed by only updating the m2p table iff the p2m was successfully updated. This is a security problem, XSA-22 / CVE-2012-4537. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> --- diff -r 210f16b6509b -r f635b1447d7e xen/arch/x86/mm/p2m.c --- a/xen/arch/x86/mm/p2m.c Wed Nov 14 11:35:06 2012 +0000 +++ b/xen/arch/x86/mm/p2m.c Wed Nov 14 11:40:45 2012 +0000 @@ -2558,7 +2558,10 @@ guest_physmap_add_entry(struct p2m_domai if ( mfn_valid(_mfn(mfn)) ) { if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) + { rc = -EINVAL; + goto out; /* Failed to update p2m, bail without updating m2p. */ + } if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ ) @@ -2579,6 +2582,7 @@ guest_physmap_add_entry(struct p2m_domai } } +out: audit_p2m(p2m, 1); p2m_unlock(p2m); _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
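Review bot: in the first hunk of guest_physmap_add_entry(), the failure path still reports `rc = -EINVAL`, while the commit message names low memory as one condition under which set_p2m_entry() fails. Because set_p2m_entry() is only tested as true/false here, the caller cannot tell a resource failure from a bad argument. Consider having set_p2m_entry() propagate a real error code, or document why -EINVAL is the intended return for every failure. The `goto out` placement is right: it skips the `!p2m_is_grant(t)` block and its `for` loop that follow the failed update.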
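Review bot: the `out:` label added in the second hunk starts at column 0, so `diff -p` style hunk headers for later changes below it will show the label instead of the function name. Indenting the label by one space avoids that. Its position before `audit_p2m(p2m, 1);` and `p2m_unlock(p2m);` is correct, since the failure path then still runs the audit and releases the p2m lock.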