[xen stable-4.16] x86/HAP: adjust monitor table related error handling
commit 3422c19d85a3d23a9d798eafb739ffb8865522d2
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Oct 11 14:52:59 2022 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 11 14:52:59 2022 +0200
x86/HAP: adjust monitor table related error handling
hap_make_monitor_table() will return INVALID_MFN if it encounters an error condition, but hap_update_paging_modes() wasnâ??t handling this value, resulting in an inappropriate value being stored in monitor_table. This would subsequently misguide at least hap_vcpu_teardown(). Avoid this by bailing early. Further, when a domain has/was already crashed or (perhaps less important as there's no such path known to lead here) is already dying, avoid calling domain_crash() on it again - that's at best confusing. This is part of CVE-2022-33746 / XSA-410.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
master commit: 5b44a61180f4f2e4f490a28400c884dd357ff45d
master date: 2022-10-11 14:21:56 +0200
---
xen/arch/x86/mm/hap/hap.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index a8f5a19da9..d75dc2b9ed 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -39,6 +39,7 @@
 #include <asm/domain.h>
 #include <xen/numa.h>
 #include <asm/hvm/nestedhvm.h>
+#include <public/sched.h>
 #include "private.h"
@@ -405,8 +406,13 @@ static mfn_t hap_make_monitor_table(struct vcpu *v)
 return m4mfn;
 oom:
- printk(XENLOG_G_ERR "out of memory building monitor pagetable\n");
- domain_crash(d);
+ if ( !d->is_dying &&
+ (!d->is_shutting_down || d->shutdown_code != SHUTDOWN_crash) )
+ {
+ printk(XENLOG_G_ERR "%pd: out of memory building monitor pagetable\n",
+ d);
+ domain_crash(d);
+ }
 return INVALID_MFN;
 }
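Review bot: The new guard at `oom:` in hap_make_monitor_table() reads `d->is_dying`, `d->is_shutting_down` and `d->shutdown_code` with no lock visible in the hunk, and the reason for skipping `domain_crash()` is recorded only in the commit message. A short comment above the `if` would keep that reasoning with the code, e.g. `/* Don't log for or crash a domain that is already dying or has already crashed. */`, ideally also saying that the unlocked reads are best-effort if that is the intent. Because the function can now return INVALID_MFN without crashing the domain, every caller has to check the result; only hap_update_paging_modes() is updated in this patch, so any other callers are worth confirming. The function body starts outside the hunk.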
@@ -766,6 +772,9 @@ static void hap_update_paging_modes(struct vcpu *v)
 if ( pagetable_is_null(v->arch.hvm.monitor_table) )
 {
 mfn_t mmfn = hap_make_monitor_table(v);
+
+ if ( mfn_eq(mmfn, INVALID_MFN) )
+ goto unlock;
 v->arch.hvm.monitor_table = pagetable_from_mfn(mmfn);
 make_cr3(v, mmfn);
 hvm_update_host_cr3(v);
@@ -774,6 +783,7 @@ static void hap_update_paging_modes(struct vcpu *v)
 /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */
 hap_update_cr3(v, 0, false);
+ unlock:
 paging_unlock(d);
 put_gfn(d, cr3_gfn);
 }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16
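Review bot: The `goto unlock` after the `mfn_eq(mmfn, INVALID_MFN)` check leaves `v->arch.hvm.monitor_table` null and skips `hap_update_cr3()`, and because hap_update_paging_modes() returns void the caller is never told that the update did not happen. That is safe only if the domain is crashed or dying at this point, which hap_make_monitor_table() appears to guarantee on its `oom:` path. Stating the invariant at the bail-out would help later readers, e.g. `/* Domain is crashed or dying; leave monitor_table null. */`. The function begins outside the hunk, so whether anything set up earlier needs undoing beyond the `paging_unlock()` and `put_gfn()` at the label cannot be confirmed from here.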