[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] x86/mm/shadow: Fix initialization of PV shadow L4 tables.



commit f46befdd825c8a459c5eb21adb7d5b0dc6e30ad5
Author:     Tim Deegan <tim@xxxxxxx>
AuthorDate: Mon Sep 30 14:18:25 2013 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Sep 30 14:18:25 2013 +0200

    x86/mm/shadow: Fix initialization of PV shadow L4 tables.
    
    Shadowed PV L4 tables must have the same Xen mappings as their
    unshadowed equivalent.  This is done by copying the Xen entries
    verbatim from the idle pagetable, and then using guest_l4_slot()
    in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
    
    adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
    changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
    the top of the address space, which causes the shadow code to
    copy Xen mappings into guest-kernel-address slots too.
    
    In the common case, all those slots are zero in the idle pagetable,
    and no harm is done.  But if any slot above #271 is non-zero, Xen will
    crash when that slot is later cleared (it attempts to drop
    shadow-pagetable refcounts on its own L4 pagetables).
    
    Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
    Monitor pagetables need the full Xen mappings, so they keep using the
    old name (with its new semantics).
    
    This is CVE-2013-4356 / XSA-64.
    
    Signed-off-by: Tim Deegan <tim@xxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 xen/arch/x86/mm/shadow/multi.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index 4c4c2ba..3fed0b6 100644
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t 
gl4mfn, mfn_t sl4mfn)
 {
     struct domain *d = v->domain;
     shadow_l4e_t *sl4e;
+    unsigned int slots;
 
     sl4e = sh_map_domain_page(sl4mfn);
     ASSERT(sl4e != NULL);
     ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));
     
     /* Copy the common Xen mappings from the idle domain */
+    slots = (shadow_mode_external(d)
+             ? ROOT_PAGETABLE_XEN_SLOTS
+             : ROOT_PAGETABLE_PV_XEN_SLOTS);
     memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],
            &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],
-           ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));
+           slots * sizeof(l4_pgentry_t));
 
     /* Install the per-domain mappings for this domain */
     sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.