[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.12] x86/ept: atomically modify entries in ept_next_level
commit 8faa45e25e8b97570b81b46a6b48bdbc8b489b4f Author: Roger Pau Monné <roger.pau@xxxxxxxxxx> AuthorDate: Tue Jul 7 15:10:14 2020 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Jul 7 15:10:14 2020 +0200 x86/ept: atomically modify entries in ept_next_level ept_next_level was passing a live PTE pointer to ept_set_middle_entry, which was then modified without taking into account that the PTE could be part of a live EPT table. This wasn't a security issue because the pages returned by p2m_alloc_ptp are zeroed, so adding such an entry before actually initializing it didn't allow a guest to access physical memory addresses it wasn't supposed to access. This is part of XSA-328. Reported-by: Jan Beulich <jbeulich@xxxxxxxx> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: bc3d9f95d661372b059a5539ae6cb1e79435bb95 master date: 2020-07-07 14:37:12 +0200 --- xen/arch/x86/mm/p2m-ept.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index eb42248d56..61fc39bac5 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -307,6 +307,8 @@ static int ept_next_level(struct p2m_domain *p2m, bool_t read_only, ept_entry_t *ept_entry, *next = NULL, e; u32 shift, index; + ASSERT(next_level); + shift = next_level * EPT_TABLE_ORDER; index = *gfn_remainder >> shift; @@ -323,16 +325,20 @@ static int ept_next_level(struct p2m_domain *p2m, bool_t read_only, if ( !is_epte_present(&e) ) { + int rc; + if ( e.sa_p2mt == p2m_populate_on_demand ) return GUEST_TABLE_POD_PAGE; if ( read_only ) return GUEST_TABLE_MAP_FAILED; - next = ept_set_middle_entry(p2m, ept_entry); + next = ept_set_middle_entry(p2m, &e); if ( !next ) return GUEST_TABLE_MAP_FAILED; - /* e is now stale and hence may not be used anymore below. */ + + rc = atomic_write_ept_entry(p2m, ept_entry, e, next_level); + ASSERT(rc == 0); } /* The only time sp would be set here is if we had hit a superpage */ else if ( is_epte_superpage(&e) ) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.12
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |