[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.6] x86/mm: fully honor PS bits in guest page table walks
commit 62673da8ed1ded80f30d34cdbbb82acbc7d754cb Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue May 17 14:53:55 2016 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue May 17 14:53:55 2016 +0200 x86/mm: fully honor PS bits in guest page table walks In L4 entries it is currently unconditionally reserved (and hence should, when set, always result in a reserved bit page fault), and is reserved on hardware not supporting 1Gb pages (and hence should, when set, similarly cause a reserved bit page fault on such hardware). This is CVE-2016-4480 / XSA-176. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Tested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> master commit: 46699c7393bd991234b5642763c5c24b6b39a6c4 master date: 2016-05-17 14:41:14 +0200 --- xen/arch/x86/mm/guest_walk.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c index 06543d3..f64d8ae 100644 --- a/xen/arch/x86/mm/guest_walk.c +++ b/xen/arch/x86/mm/guest_walk.c @@ -218,6 +218,11 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, rc |= _PAGE_PRESENT; goto out; } + if ( gflags & _PAGE_PSE ) + { + rc |= _PAGE_PSE | _PAGE_INVALID_BIT; + goto out; + } rc |= ((gflags & mflags) ^ mflags); /* Map the l3 table */ @@ -238,7 +243,7 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, } rc |= ((gflags & mflags) ^ mflags); - pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v); + pse1G = !!(gflags & _PAGE_PSE); if ( pse1G ) { @@ -258,6 +263,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */ flags &= ~_PAGE_PAT; + if ( !guest_supports_1G_superpages(v) ) + rc |= _PAGE_PSE | _PAGE_INVALID_BIT; if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 ) rc |= _PAGE_INVALID_BITS; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.6 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |