Commits on Nov 14, 2012
  1. @ijackson-citrix

    compat/gnttab: Prevent infinite loop in compat code

    ijackson-citrix committed
    c/s 20281:95ea2052b41b, which introduces Grant Table version 2
    hypercalls, introduces a vulnerability whereby the compat hypercall
    handler can fall into an infinite loop.
    
    If the watchdog is enabled, Xen will die after the timeout.
    
    This is a security problem, XSA-24 / CVE-2012-4539.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Acked-by: Jan Beulich <jbeulich@suse.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
    
    xen-unstable changeset: 26151:b64a7d868f06
    Backport-requested-by: security@xen.org
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
  2. @ijackson-citrix

    xen/mm/shadow: check toplevel pagetables are present before unhooking them.

    ijackson-citrix committed
    
    If the guest has not fully populated its top-level PAE entries when it calls
    HVMOP_pagetable_dying, the shadow code could try to unhook entries from
    MFN 0.  Add a check to avoid that case.
    
    This issue was introduced by c/s 21239:b9d2db109cf5.
    
    This is a security problem, XSA-23 / CVE-2012-4538.
    
    Signed-off-by: Tim Deegan <tim@xen.org>
    Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
    
    xen-4.1-testing changeset: 23409:61eb3d030f52
    Backport-requested-by: security@xen.org
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
  3. @ijackson-citrix

    x86/physmap: Prevent incorrect updates of m2p mappings

    ijackson-citrix committed
    In certain conditions, such as low memory, set_p2m_entry() can fail.
    Currently, the p2m and m2p tables will get out of sync because we still
    update the m2p table after the p2m update has failed.
    
    If that happens, subsequent guest-invoked memory operations can cause
    BUG()s and ASSERT()s to kill Xen.
    
    This is fixed by only updating the m2p table iff the p2m was
    successfully updated.
    
    This is a security problem, XSA-22 / CVE-2012-4537.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
  4. @ijackson-citrix

    VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability

    ijackson-citrix committed
    
    The timer action for a vcpu periodic timer is to calculate the next
    expiry time, and to reinsert itself into the timer queue.  If the
    deadline ends up in the past, Xen never leaves __do_softirq().  The
    affected PCPU will stay in an infinite loop until Xen is killed by the
    watchdog (if enabled).
    
    This is a security problem, XSA-20 / CVE-2012-4535.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
    
    xen-unstable changeset: 26148:bf58b94b3cef
    Backport-requested-by: security@xen.org
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Commits on Sep 12, 2012
  1. @ijackson-citrix
Commits on Sep 11, 2012
  1. @ijackson-citrix

    QEMU_TAG update

    ijackson-citrix committed
Commits on Sep 5, 2012
  1. @ijackson-citrix
  2. @ijackson-citrix

    xen: Don't BUG_ON() PoD operations on a non-translated guest.

    ijackson-citrix committed
    This is XSA-14 / CVE-2012-3496
    
    Signed-off-by: Tim Deegan <tim@xen.org>
    Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
    Tested-by: Ian Campbell <ian.campbell@citrix.com>
  3. @ijackson-citrix

    xen: prevent a 64 bit guest setting reserved bits in DR7

    ijackson-citrix committed
    The upper 32 bits of this register are reserved and should be written as
    zero.
    
    This is XSA-12 / CVE-2012-3494
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Commits on Aug 9, 2012
  1. Added signature for changeset 8ea28053de39

    Keir Fraser committed
  2. Added tag RELEASE-4.0.4 for changeset 8ea28053de39

    Keir Fraser committed
  3. Update Xen version to 4.0.4

    Keir Fraser committed
  4. @dvrabel

    cpufreq: P state stats aren't available if there is no cpufreq driver

    dvrabel committed
    If there is no cpufreq driver (e.g., with an AMD Opteron 8212) then
    reading the P state statistics causes a deadlock as an uninitialized
    spinlock is locked in do_get_pm_info(). The spinlock is initialized in
    cpufreq_statistic_init() which is not called if cpufreq_driver ==
    NULL.
    
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Committed-by: Jan Beulich <jbeulich@suse.com>
    xen-unstable changeset:   25706:7fd5facb6084
    xen-unstable date:        Fri Aug 03 09:50:28 2012 +0200
  5. xen: only check for shared pages while any exist on teardown

    Ian Campbell committed
    Avoids worst case behaviour when guest has a large p2m.
    
    This is XSA-11 / CVE-2012-3433
    
    Signed-off-by: Tim Deegan <tim@xen.org>
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Tested-by: Olaf Hering <olaf@aepfle.de>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Commits on Jul 30, 2012
  1. @jbeulich

    x86: fix off-by-one in nr_irqs_gsi calculation

    jbeulich committed
    highest_gsi() returns the last valid GSI, not a count.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Acked-by: Joe Jin <joe.jin@oracle.com>
    Acked-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25688:e6266fc76d08
    xen-unstable date:        Fri Jul 27 12:22:13 2012 +0200
  2. vt-d: fix wrong addr in IOTLB invalidation descriptor

    Yang Zhang committed
    According to vt-d specs, the addr in IOTLB invalidation descriptor
    should be 4K page aligned.
    
    Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
    Committed-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25617:75eb78d6cf54
    xen-unstable date:        Thu Jul 19 15:46:02 2012 +0100
  3. Update Xen version to 4.0.4-rc4-pre

    Keir Fraser committed
Commits on Jul 26, 2012
  1. @jbeulich

    x86/hvm: don't leave emulator in inconsistent state

    jbeulich committed
    The fact that handle_mmio(), and thus the instruction emulator, is
    being run through twice for emulations that require involvement of the
    device model, allows for the second run to see a different guest state
    than the first one. Since only the MMIO-specific emulation routines
    update the vCPU's io_state, if they get invoked on the second pass,
    internal state (and particularly this variable) can be left in a state
    making successful emulation of a subsequent MMIO operation impossible.
    
    Consequently, whenever the emulator invocation returns without
    requesting a retry of the guest instruction, reset io_state.
    
    [ This is a security issue.  XSA#10. -iwj ]
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Acked-by: Keir Fraser <keir@xen.org>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
    
    xen-unstable changeset: 25682:ffcb24876b4f
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Commits on Jul 22, 2012
  1. Added signature for changeset 9af8521e0411

    Keir Fraser committed
  2. Added tag 4.0.4-rc3 for changeset 9af8521e0411

    Keir Fraser committed
  3. Update Xen version to 4.0.4-rc3

    Keir Fraser committed
Commits on Jul 3, 2012
  1. @andyhhp

    xen: Fix off-by-one error when parsing command line arguments

    andyhhp committed
    As Xen currently stands, it will attempt to interpret the first few
    bytes of the initcall section as a struct kernel_param.
    
    The reason that this has not caused problems is that in the overflow
    case, param->name is actually a function pointer to the first
    initcall, and interpreting it as a string is very unlikely to match an
    ASCII command line parameter name.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Committed-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25587:2cffb7bf6e57
    xen-unstable date:        Tue Jul 03 13:38:19 2012 +0100
  2. @andyhhp

    x86/nmi: Fix deadlock in unknown_nmi_error()

    andyhhp committed
    Additionally, correct the text description to reflect what is being
    done, and make use of fatal_trap() in preference to kexec_crash() in
    case an unknown NMI occurs before a kdump kernel has been loaded.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Committed-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25478:6d1a30dc47e8
    xen-unstable date:        Mon Jun 11 15:12:50 2012 +0100
  3. @andyhhp

    x86_64: Fix off-by-one error setting up the Interrupt Stack Tables

    andyhhp committed
    The Interrupt Stack Table entries in a 64bit TSS are a 1 based data
    structure as far as hardware is concerned.  As a result, the code
    setting up stacks in subarch_percpu_traps_init() fills in the wrong
    IST entries.
    
    The result is that the MCE handler executes on the stack set up for
    NMIs; the NMI handler executes on a stack set up for Double Faults,
    and Double Faults are executed with a stack pointer set to 0.
    
    Once the #DF handler starts to execute, it will usually take a page
    fault looking up the address at 0xfffffffffffffff8, which will cause a
    triple fault.  If a guest has mapped a page in that location, then it
    will have some state overwritten, but as the #DF handler always calls
    panic(), this is not a problem the guest will have time to care about.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Committed-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25271:54da0329e259
    xen-unstable date:        Thu May 10 11:04:32 2012 +0100
Commits on Jun 20, 2012
  1. x86: Make asmlinkage explicitly a no-op, and avoid usage in arch/x86

    Keir Fraser committed
    Signed-off-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   24511:a141f6d64916
    xen-unstable date:        Sun Jan 15 22:02:35 2012 +0000
  2. Update Xen version to 4.0.4-rc3-pre

    Keir Fraser committed
Commits on Jun 18, 2012
  1. Added signature for changeset fe1ae79f1a7f

    Keir Fraser committed
  2. Added tag 4.0.4-rc2 for changeset fe1ae79f1a7f

    Keir Fraser committed
  3. Update Xen version to 4.0.4-rc2

    Keir Fraser committed
Commits on Jun 12, 2012
  1. @jbeulich

    x86-64: detect processors subject to AMD erratum #121 and refuse to boot

    jbeulich committed
    Processors with this erratum are subject to a DoS attack by unprivileged
    guest users.
    
    This is XSA-9 / CVE-2012-2934.
    
    Signed-off-by: Jan Beulich <JBeulich@suse.com>
    Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
    
    xen-unstable changeset:   25481:422880dc94a4
    xen-unstable date:        Tue Jun 12 11:33:42 2012 +0100
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
  2. @jbeulich

    x86-64: fix #GP generation in assembly code

    jbeulich committed
    When guest use of sysenter (64-bit PV guest) or syscall (32-bit PV
    guest) gets converted into a GP fault (due to no callback having got
    registered), we must
    - honor the GP fault handler's request to keep enabled or mask event
      delivery
    - not allow TBF_EXCEPTION to remain set past the generation of the
      (guest) exception in the vCPU's trap_bounce.flags, as that would
      otherwise allow for the next exception occurring in guest mode,
      should it happen to get handled in Xen itself, to nevertheless get
      bounced to the guest kernel.
    
    Also, just like compat mode syscall handling already did, native mode
    sysenter handling should, when converting to #GP, subtract 2 from the
    RIP present in the frame so that the guest's GP fault handler would
    see the fault pointing to the offending instruction instead of past it.
    
    Finally, since those exception generating code blocks needed to be
    modified anyway, convert them to make use of UNLIKELY_{START,END}().
    
    [ This bug is a security vulnerability, XSA-8 / CVE-2012-0218. ]
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Acked-by: Keir Fraser <keir@xen.org>
    Committed-by: Jan Beulich <jbeulich@suse.com>
    
    xen-unstable changeset:   25200:80f4113be500 25204:569d6f05e1ef
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
  3. @jbeulich

    x86_64: Do not execute sysret with a non-canonical return address

    jbeulich committed
    Check for non-canonical guest RIP before attempting to execute sysret.
    If sysret is executed with a non-canonical value in RCX, Intel CPUs
    take the fault in ring0, but we will necessarily already have switched
    to the user's stack pointer.
    
    This is a security vulnerability, XSA-7 / CVE-2012-0217.
    
    Signed-off-by: Jan Beulich <JBeulich@suse.com>
    Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
    Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Acked-by: Keir Fraser <keir.xen@gmail.com>
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
    
    xen-unstable changeset:   25480:76eaf5966c05
    xen-unstable date:        Tue Jun 12 11:33:40 2012 +0100
    Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
Commits on May 14, 2012
  1. blktap2: Fix naked unchecked uses of read/write/chdir.

    Keir Fraser committed
    These cause warnings under warn_unused_result, and for read/write we
    ought to deal with partial io results.
    
    Signed-off-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25299:01d64a3dea71
    xen-unstable date:        Fri May 11 18:30:29 2012 +0100
    
    
    blktap2: Fix another uninitialised value error
    
    gcc  -O1 -fno-omit-frame-pointer -m32 -march=i686 -g
    -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes
    -Wdeclaration-after-statement   -D__XEN_TOOLS__ -MMD -MF
    .block-remus.o.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
    -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -fno-optimize-sibling-calls
    -mno-tls-direct-seg-refs -Werror -g -Wno-unused -fno-strict-aliasing
    -I../include -I../drivers
    -I/home/osstest/build.12828.build-i386/xen-unstable/tools/blktap2/drivers/../../../tools/libxc
    -I/home/osstest/build.12828.build-i386/xen-unstable/tools/blktap2/drivers/../../../tools/include
    -D_GNU_SOURCE -DUSE_NFS_LOCKS  -c -o block-remus.o block-remus.c
    
    block-remus.c: In function 'ramdisk_flush':
    block-remus.c:508: error: 'buf' may be used uninitialized in this
    function
    make[5]: *** [block-remus.o] Error 1
    
    This is because gcc can see that merge_requests doesn't always set
    *mergedbuf but gcc isn't able to prove that it always does so if
    merge_requests returns 0 and that in that case the value of
    ramdisk_flush::buf isn't used.
    
    This is too useful a warning to disable, despite the occasional false
    positive of this form.  The conventional approach is to suppress the
    warning by explicitly initialising the variable to 0.
    
    This has just come to light because 25275:27d63b9f111a reenabled
    optimisation for this area of code, and gcc's data flow analysis
    (which is required to trigger the uninitialised variable warning) only
    occurs when optimisation is turned on.
    
    Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
    xen-unstable changeset:   25281:60064411a8a9
    xen-unstable date:        Thu May 10 14:26:14 2012 +0100
    
    
    blktap2: Do not build with -O0
    
    Signed-off-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25275:27d63b9f111a
    xen-unstable date:        Thu May 10 11:22:18 2012 +0100
    
    
    blktap2: Fix uninitialised value error.
    
    Signed-off-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25274:cb82b5aa73bd
    xen-unstable date:        Thu May 10 11:21:59 2012 +0100
    
    
    tools/blktap2: fix out of bounds access in block-log.c
    
    block-log.c: In function 'ctl_close_sock':
    block-log.c:363:23: warning: array subscript is above array bounds
    [-Warray-bounds]
    
    Adjust loop condition in ctl_close_sock() to fix warning.
    Adjust array access in ctl_close() to actually access the array
    member.
    
    Signed-off-by: Olaf Hering <olaf@aepfle.de>
    Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Committed-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25273:83a02f225bde
    xen-unstable date:        Thu May 10 11:20:04 2012 +0100
    
    
    tools/blktap2: fix build errors caused by Werror in
    vhd_journal_write_entry
    
    -O2 -Wall -Werror triggers these warnings:
    
    libvhd-journal.c: In function 'vhd_journal_write_entry':
    libvhd-journal.c:335: warning: statement with no effect
    
    Really return the error from vhd_journal_write() to caller.
    
    v2:
     - simplify the patch by just adding the missing return statement
    
    Signed-off-by: Olaf Hering <olaf@aepfle.de>
    Committed-by: Keir Fraser <keir@xen.org>
    xen-unstable changeset:   25272:ca02580986d2
    xen-unstable date:        Thu May 10 11:19:05 2012 +0100
  2. Update Xen version to 4.0.4-rc2-pre

    Keir Fraser committed
Commits on May 7, 2012
  1. Added signature for changeset 94fddf2a1948

    Keir Fraser committed