[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.4] x86/mm: fully honor PS bits in guest page table walks

commit 09f9f792b5af8023c95e445aeba94cb9bffcc45f
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue May 17 14:56:46 2016 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue May 17 14:56:46 2016 +0200

    x86/mm: fully honor PS bits in guest page table walks
    
    In L4 entries it is currently unconditionally reserved (and hence
    should, when set, always result in a reserved bit page fault), and is
    reserved on hardware not supporting 1Gb pages (and hence should, when
    set, similarly cause a reserved bit page fault on such hardware).
    
    This is CVE-2016-4480 / XSA-176.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Tested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 46699c7393bd991234b5642763c5c24b6b39a6c4
    master date: 2016-05-17 14:41:14 +0200
---
 xen/arch/x86/mm/guest_walk.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c
index 09511f0..ae742b6 100644
--- a/xen/arch/x86/mm/guest_walk.c
+++ b/xen/arch/x86/mm/guest_walk.c
@@ -186,6 +186,11 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
         rc |= _PAGE_PRESENT;
         goto out;
     }
+    if ( gflags & _PAGE_PSE )
+    {
+        rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
+        goto out;
+    }
     rc |= ((gflags & mflags) ^ mflags);
 
     /* Map the l3 table */
@@ -206,7 +211,7 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
     }
     rc |= ((gflags & mflags) ^ mflags);
     
-    pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v); 
+    pse1G = !!(gflags & _PAGE_PSE);
 
     if ( pse1G )
     {
@@ -226,6 +231,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
             /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */
             flags &= ~_PAGE_PAT;
 
+        if ( !guest_supports_1G_superpages(v) )
+            rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
         if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 )
             rc |= _PAGE_INVALID_BITS;
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.4

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.