
[xen stable-4.13] x86/HAP: adjust monitor table related error handling



commit 0021c269786e0442d6f922d110d957867fff421d
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Oct 11 15:48:23 2022 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 11 15:48:23 2022 +0200

    x86/HAP: adjust monitor table related error handling
    
    hap_make_monitor_table() will return INVALID_MFN if it encounters an
    error condition, but hap_update_paging_modes() wasn't handling this
    value, resulting in an inappropriate value being stored in
    monitor_table. This would subsequently misguide at least
    hap_vcpu_teardown(). Avoid this by bailing early.
    
    Further, when a domain has/was already crashed or (perhaps less
    important as there's no such path known to lead here) is already dying,
    avoid calling domain_crash() on it again - that's at best confusing.
    
    This is part of CVE-2022-33746 / XSA-410.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    master commit: 5b44a61180f4f2e4f490a28400c884dd357ff45d
    master date: 2022-10-11 14:21:56 +0200
---
 xen/arch/x86/mm/hap/hap.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index c2d425a4b1..d3931b4e49 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -39,6 +39,7 @@
 #include <asm/domain.h>
 #include <xen/numa.h>
 #include <asm/hvm/nestedhvm.h>
+#include <public/sched.h>
 
 #include "private.h"
 
@@ -405,8 +406,13 @@ static mfn_t hap_make_monitor_table(struct vcpu *v)
     return m4mfn;
 
  oom:
-    printk(XENLOG_G_ERR "out of memory building monitor pagetable\n");
-    domain_crash(d);
+    if ( !d->is_dying &&
+         (!d->is_shutting_down || d->shutdown_code != SHUTDOWN_crash) )
+    {
+        printk(XENLOG_G_ERR "%pd: out of memory building monitor pagetable\n",
+               d);
+        domain_crash(d);
+    }
     return INVALID_MFN;
 }
 
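Review bot: The new guard on the `oom:` path carries no comment, so the reason for skipping `domain_crash()` can only be recovered from the commit message. A one-line comment above the `if` would keep it with the code, e.g. `/* Don't re-crash a domain that is already dying or has already crashed. */`. The `printk()` now sits inside the guard too, so an allocation failure on an already-crashed or dying domain is silent; if that is intended, the comment could say so. `d->is_shutting_down` and `d->shutdown_code` are read here with no shutdown-state lock visible in the hunk; presumably a stale read costs at most a redundant `domain_crash()`, but that is worth confirming. The function body starts outside the hunk.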
@@ -693,6 +699,9 @@ static void hap_update_paging_modes(struct vcpu *v)
     if ( pagetable_is_null(v->arch.monitor_table) )
     {
         mfn_t mmfn = hap_make_monitor_table(v);
+
+        if ( mfn_eq(mmfn, INVALID_MFN) )
+            goto unlock;
         v->arch.monitor_table = pagetable_from_mfn(mmfn);
         make_cr3(v, mmfn);
         hvm_update_host_cr3(v);
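Review bot: The early `goto unlock` leaves `v->arch.monitor_table` null and skips `hap_update_cr3()`, and because hap_update_paging_modes() returns void the caller gets no indication of that. This appears safe only because hap_make_monitor_table() returns INVALID_MFN after either crashing the domain or finding it already dying or crashed, so the vCPU should not run again in this state. A comment at the check would record that invariant, e.g. `/* Domain is crashed or dying; leave monitor_table null and only drop the lock and gfn ref. */`. The `unlock:` label is added in the following hunk, and the function starts and ends outside this hunk.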
@@ -701,6 +710,7 @@ static void hap_update_paging_modes(struct vcpu *v)
     /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */
     hap_update_cr3(v, 0, false);
 
+ unlock:
     paging_unlock(d);
     put_gfn(d, cr3_gfn);
 }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.13



 

