File CVE-2012-5514-xsa30.patch of Package xen.openSUSE_Evergreen_11.4

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2012-5514-xsa30.patch of Package xen.openSUSE_Evergreen_11.4

xen: fix error handling of guest_physmap_mark_populate_on_demand()

The only user of the "out" label bypasses a necessary unlock, thus
enabling the caller to lock up Xen.

Also, the function was never meant to be called by a guest for itself,
so rather than inspecting the code paths in depth for potential other
problems this might cause, and adjusting e.g. the non-guest printk()
in the above error path, just disallow the guest access to it.

Finally, the printk() (considering its potential of spamming the log,
the more that it's not using XENLOG_GUEST), is being converted to
P2M_DEBUG(), as debugging is what it apparently was added for in the
first place.

This is XSA-30 / CVE-2012-5514.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

--- xen-4.0.3-testing/xen/arch/x86/mm/p2m.c.orig	2012-12-12 12:09:17.614370326 +0100
+++ xen-4.0.3-testing/xen/arch/x86/mm/p2m.c	2012-12-12 12:14:37.940338582 +0100
@@ -2080,6 +2080,9 @@
     int pod_count = 0;
     int rc = 0;
 
+    if ( !IS_PRIV_FOR(current->domain, d) )
+        return -EPERM;
+
     if ( !paging_mode_translate(d) )
         return -EINVAL;
 
@@ -2098,8 +2101,7 @@
         omfn = gfn_to_mfn_query(d, gfn + i, &ot);
         if ( p2m_is_ram(ot) )
         {
-            printk("%s: gfn_to_mfn returned type %d!\n",
-                   __func__, ot);
+            P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
             rc = -EBUSY;
             goto out;
         }
@@ -2121,10 +2123,10 @@
         BUG_ON(p2md->pod.entry_count < 0);
     }
 
+out:
     audit_p2m(d);
     p2m_unlock(p2md);
 
-out:
     return rc;
 
 }

Places

File CVE-2012-5514-xsa30.patch of Package xen.openSUSE_Evergreen_11.4

Places