File 5fd8b02d-evtchn-FIFO-reorder-and-synchronize.patch of Package xen.23271
# Commit c5e63651fdc706954d920a2d98f74f4a21b46a7e
# Date 2020-12-15 13:46:37 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
evtchn/FIFO: re-order and synchronize (with) map_control_block()
For evtchn_fifo_set_pending()'s check of the control block having been
set to be effective, ordering of respective reads and writes needs to be
ensured: The control block pointer needs to be recorded strictly after
the setting of all the queue heads, and it needs checking strictly
before any uses of them (this latter aspect was already guaranteed).
This is XSA-358 / CVE-2020-29570.
Reported-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Julien Grall <jgrall@amazon.com>
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -235,6 +235,10 @@ static void evtchn_fifo_set_pending(stru
             goto unlock;
         }
 
+        /*
+         * This also acts as the read counterpart of the smp_wmb() in
+         * map_control_block().
+         */
         if ( guest_test_and_set_bit(d, EVTCHN_FIFO_LINKED, word) )
             goto unlock;
 
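Review bot: The added comment above `guest_test_and_set_bit()` treats the call as the read-side barrier, presumably because the atomic read-modify-write implies a full barrier, but it says neither that nor which accesses are being ordered. I would state the dependency, e.g. `/* The atomic RMW is a full barrier; it pairs with the smp_wmb() in map_control_block(). */`, and add a sentence saying that it orders the control block check before the later queue head reads. Without that, a future change to a weaker bit operation could undo the XSA-358 ordering without anyone noticing. The control block check and the queue head uses in evtchn_fifo_set_pending() lie outside this hunk, so their position relative to the barrier is taken from the commit message, not from visible lines.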
@@ -460,6 +464,7 @@ static int setup_control_block(struct vc
 static int map_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset)
 {
     void *virt;
+    struct evtchn_fifo_control_block *control_block;
     unsigned int i;
     int rc;
 
@@ -470,10 +475,15 @@ static int map_control_block(struct vcpu
     if ( rc < 0 )
         return rc;
 
-    v->evtchn_fifo->control_block = virt + offset;
+    control_block = virt + offset;
 
     for ( i = 0; i <= EVTCHN_FIFO_PRIORITY_MIN; i++ )
-        v->evtchn_fifo->queue[i].head = &v->evtchn_fifo->control_block->head[i];
+        v->evtchn_fifo->queue[i].head = &control_block->head[i];
+
+    /* All queue heads must have been set before setting the control block. */
+    smp_wmb();
+
+    v->evtchn_fifo->control_block = control_block;
 
     return 0;
 }
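Review bot: The comment above `smp_wmb()` does not name the reader it pairs with, although the reader-side comment in evtchn_fifo_set_pending() does name map_control_block(); I would write `/* All queue heads must have been set before setting the control block; pairs with the check in evtchn_fifo_set_pending(). */`. The publishing store `v->evtchn_fifo->control_block = control_block;` is also a plain assignment. The barrier orders it after the head stores, but nothing marks the pointer as concurrently read, so Xen's `write_atomic(&v->evtchn_fifo->control_block, control_block);` would make the publication explicit, with a matching `read_atomic()` at the reader, which is outside this hunk. Separately, if map_control_block() can be reached for a vCPU whose control_block is already non-NULL, the head stores would race with a reader regardless of this ordering. The caller is not visible here, so it is worth confirming that it rejects that case.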