[Xen-changelog] [xen stable-4.6] memory: fix XENMEM_exchange error handling
commit 2633d57c3aa849ccb5fb541d96aa953104f824c9 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue Dec 8 14:06:02 2015 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Dec 8 14:06:02 2015 +0100 memory: fix XENMEM_exchange error handling assign_pages() can fail due to the domain getting killed in parallel, which should not result in a hypervisor crash. Reported-by: Julien Grall <julien.grall@xxxxxxxxxx> Also delete a redundant put_gfn() - all relevant paths leading to the "fail" label already do this (and there are also paths where it was plain wrong). All of the put_gfn()-s got introduced by 51032ca058 ("Modify naming of queries into the p2m"), including the otherwise unneeded initializer for k (with even a kind of misleading comment - the compiler warning could actually have served as a hint that the use is wrong). This is CVE-2015-8339 + CVE-2015-8340 / XSA-159. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> master commit: eedecb3cf0b2ce1ffc2eb08f3c73f88d42c382c9 master date: 2015-12-08 14:01:43 +0100 --- xen/common/memory.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/xen/common/memory.c b/xen/common/memory.c index 7bffc88..31d9803 100644 --- a/xen/common/memory.c +++ b/xen/common/memory.c @@ -372,7 +372,7 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg) PAGE_LIST_HEAD(out_chunk_list); unsigned long in_chunk_order, out_chunk_order; xen_pfn_t gpfn, gmfn, mfn; - unsigned long i, j, k = 0; /* gcc ... */ + unsigned long i, j, k; unsigned int memflags = 0; long rc = 0; struct domain *d; 
@@ -604,11 +604,12 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg) fail: /* Reassign any input pages we managed to steal. */ while ( (page = page_list_remove_head(&in_chunk_list)) ) - { - put_gfn(d, gmfn + k--); if ( assign_pages(d, page, 0, MEMF_no_refcount) ) - BUG(); - } + { + BUG_ON(!d->is_dying); + if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) + put_page(page); + } dying: rcu_unlock_domain(d); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.6 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
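Review bot: In the first hunk (the `unsigned long i, j, k;` declaration), dropping the `k = 0; /* gcc ... */` initializer is only safe because the sole use of `k` on the error path, `put_gfn(d, gmfn + k--)` in the `fail:` loop, is removed in the same patch; if any other read of `k` remains reachable from the `fail` label, the compiler warning the commit message refers to would return and would again indicate a real use of an unassigned value, so it is worth confirming a warning-clean build for this file rather than treating the removal as cosmetic.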
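Review bot: In the second hunk, `BUG_ON(!d->is_dying)` encodes the assumption that `assign_pages()` can only fail here because the domain is being killed concurrently, which is the scenario the commit message describes; a one-line comment above it stating that (and that the `test_and_clear_bit(_PGC_allocated, ...)` / `put_page()` pair releases the stolen page so it is not leaked when reassignment is refused) would make the intent clear to the next reader of the `fail:` path, since the code no longer crashes the hypervisor on a domain-killed race but silently frees instead. The removal of the unconditional `put_gfn(d, gmfn + k--)` matches the message's statement that the paths reaching `fail` already drop the gfn reference; reviewers should double-check that every `goto fail` in `memory_exchange()` indeed does so, as a missed one would now turn into a reference leak rather than the previous double-put.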