[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.13] xen/arm: p2m: Always clear the P2M entry when the mapping is removed

commit 2d601a5ca15e02820d08232ad64add8b8374b81c
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Tue Jan 25 14:44:21 2022 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jan 25 14:44:21 2022 +0100

    xen/arm: p2m: Always clear the P2M entry when the mapping is removed
    
    Commit 2148a125b73b ("xen/arm: Track page accessed between batch of
    Set/Way operations") allowed an entry to be invalid from the CPU PoV
    (lpae_is_valid()) but valid for Xen (p2m_is_valid()). This is useful
    to track which page is accessed and only perform an action on them
    (e.g. clean & invalidate the cache after a set/way instruction).
    
    Unfortunately, __p2m_set_entry() is only zeroing the P2M entry when
    lpae_is_valid() returns true. This means the entry will not be zeroed
    if the entry was valid from Xen PoV but invalid from the CPU PoV for
    tracking purpose.
    
    As a consequence, this will allow a domain to continue to access the
    page after it was removed.
    
    Resolve the issue by always zeroing the entry if it the LPAE bit is
    set or the entry is about to be removed.
    
    This is CVE-2022-23033 / XSA-393.
    
    Reported-by: Dmytro Firsov <Dmytro_Firsov@xxxxxxxx>
    Fixes: 2148a125b73b ("xen/arm: Track page accessed between batch of Set/Way 
operations")
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    master commit: a428b913a002eb2b7425b48029c20a52eeee1b5a
    master date: 2022-01-25 13:25:01 +0100
---
 xen/arch/arm/p2m.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index ce59f2b503..993fe4ded2 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -1012,7 +1012,7 @@ static int __p2m_set_entry(struct p2m_domain *p2m,
      * sequence when updating the translation table (D4.7.1 in ARM DDI
      * 0487A.j).
      */
-    if ( lpae_is_valid(orig_pte) )
+    if ( lpae_is_valid(orig_pte) || removing_mapping )
         p2m_remove_pte(entry, p2m->clean_pte);
 
     if ( removing_mapping )
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.13

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.