[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.6] x86/32on64: don't allow recursive page tables from L3



commit f984f6e2bacccd434f142cab515c37d9f25d0c07
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Sep 8 14:24:45 2016 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Sep 8 14:24:45 2016 +0200

    x86/32on64: don't allow recursive page tables from L3
    
    L3 entries are special in PAE mode, and hence can't reasonably be used
    for setting up recursive (and hence linear) page table mappings. Since
    abuse is possible when the guest in fact gets run on 4-level page
    tables, this needs to be excluded explicitly.
    
    This is XSA-185 / CVE-2016-7092.
    
    Reported-by: Jérémie Boutoille <jboutoille@xxxxxxxxxxxxxxxxx>
    Reported-by: "栾��(好�)" <shangcong.lsc@xxxxxxxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: c844d637d92a75854ea5c8d4e5ca34302a9f623c
    master date: 2016-09-08 14:14:53 +0200
---
 xen/arch/x86/mm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 8dd22b8..64e2de3 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1051,7 +1051,9 @@ get_page_from_l3e(
 
     rc = get_page_and_type_from_pagenr(
         l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
-    if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
+    if ( unlikely(rc == -EINVAL) &&
+         !is_pv_32bit_domain(d) &&
+         get_l3_linear_pagetable(l3e, pfn, d) )
         rc = 0;
 
     return rc;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.