[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.4] page-alloc: scrub pages used by hypervisor upon freeing



commit c3d1024d56aaf7fbb6415db1558f7eb40c854afc
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Jun 17 16:01:35 2014 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jun 17 16:01:35 2014 +0200

    page-alloc: scrub pages used by hypervisor upon freeing
    
    ... unless they're part of a fully separate pool (and hence can't ever
    be used for guest allocations).
    
    This is CVE-2014-4021 / XSA-100.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    Acked-by: Keir Fraser <keir@xxxxxxx>
    master commit: 4bd78937ec324bcef4e29ef951e0ff9815770de1
    master date: 2014-06-17 15:21:10 +0200
---
 xen/common/page_alloc.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index 601319c..5cbdeb7 100644
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -1409,7 +1409,10 @@ void free_xenheap_pages(void *v, unsigned int order)
     pg = virt_to_page(v);
 
     for ( i = 0; i < (1u << order); i++ )
+    {
+        scrub_one_page(&pg[i]);
         pg[i].count_info &= ~PGC_xen_heap;
+    }
 
     free_heap_pages(pg, order);
 }
@@ -1579,6 +1582,8 @@ void free_domheap_pages(struct page_info *pg, unsigned 
int order)
     else
     {
         /* Freeing anonymous domain-heap pages. */
+        for ( i = 0; i < (1 << order); i++ )
+            scrub_one_page(&pg[i]);
         free_heap_pages(pg, order);
         drop_dom_ref = 0;
     }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.4

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.