-rw-r--r-- | pcr/xen/PKGBUILD | 13 | ||||
-rw-r--r-- | pcr/xen/xsa393.patch | 49 | ||||
-rw-r--r-- | pcr/xen/xsa394.patch | 63 | ||||
-rw-r--r-- | pcr/xen/xsa395.patch | 42 |
4 files changed, 161 insertions, 6 deletions
diff --git a/pcr/xen/PKGBUILD b/pcr/xen/PKGBUILD
index 80b0f5022..ae6e2a6c6 100644
--- a/pcr/xen/PKGBUILD
+++ b/pcr/xen/PKGBUILD
@@ -23,7 +23,7 @@ pkgbase=xen
 pkgname=("xen" "xen-docs")
 pkgver=4.16.0
 pkgrel=3
-pkgdesc='Open-source type-1 or baremetal hypervisor'
+pkgdesc='Type-1 or bare-metal hypervisor'
 arch=('x86_64')
 url='https://xenproject.org/'
 license=('GPL2')
@@ -53,10 +53,11 @@ validpgpkeys=('23E3222C145F4475FA8060A783FE14C957E82BD9') # Xen.org Xen tree cod
 # Follow the Xen securite mailing lists, and if a patch is applicable to our package
 # add the URL here.
+# Better yet, add the patch to abslibre :)
 _patches=(
- "https://xenbits.xen.org/xsa/xsa393.patch"
- "https://xenbits.xen.org/xsa/xsa394.patch"
- "https://xenbits.xen.org/xsa/xsa395.patch"
+ "xsa393.patch"
+ "xsa394.patch"
+ "xsa395.patch"
 )
@@ -210,7 +211,7 @@ build() {
 }
 package_xen() {
- pkgdesc='Open-source type-1 or baremetal hypervisor'
+ pkgdesc='Type-1 or baremetal hypervisor'
 depends=(
 'zlib' 'python' 'ncurses' 'openssl' 'libx11' 'libuuid.so' 'yajl' 'libaio' 'glib2' 'pkgconf'
@@ -320,7 +321,7 @@ package_xen() {
 package_xen-docs() {
 pkgdesc="Xen hypervisor documentation and man pages"
- arch=("any")
+ arch=("x86_64") # no reason to publish this package to 32-bit repos
 cd "${pkgbase}-${pkgver}"
 make "${_common_make_flags[@]}" DESTDIR="$pkgdir" install-docs
 }
diff --git a/pcr/xen/xsa393.patch b/pcr/xen/xsa393.patch
new file mode 100644
index 000000000..57af36bae
--- /dev/null
+++ b/pcr/xen/xsa393.patch
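Review bot: The two rewritten pkgdesc lines now disagree with each other: the first hunk sets `pkgdesc='Type-1 or bare-metal hypervisor'` while the package_xen() hunk sets `pkgdesc='Type-1 or baremetal hypervisor'`, where the old text was identical in both places, so pick one spelling for both. These description changes and the xen-docs `arch=("x86_64")` change alter the built packages, yet `pkgrel=3` in the first hunk is left as it was, so a pkgrel bump looks warranted. The comment above `_patches=(` still reads "add the URL here" although the entries are now local file names; `# add the patch file next to this PKGBUILD and list it here.` would describe the new layout. If `_patches` is spliced into `source=()`, the local copies presumably still need matching entries in the checksum array; that part of the file is outside the hunks, so it is worth confirming.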
@@ -0,0 +1,49 @@
+From 7ff58ab770157a03c92604155a0c745bcab834c2 Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Tue, 14 Dec 2021 09:53:44 +0000
+Subject: [PATCH] xen/arm: p2m: Always clear the P2M entry when the mapping is
+ removed
+
+Commit 2148a125b73b ("xen/arm: Track page accessed between batch of
+Set/Way operations") allowed an entry to be invalid from the CPU PoV
+(lpae_is_valid()) but valid for Xen (p2m_is_valid()). This is useful
+to track which page is accessed and only perform an action on them
+(e.g. clean & invalidate the cache after a set/way instruction).
+
+Unfortunately, __p2m_set_entry() is only zeroing the P2M entry when
+lpae_is_valid() returns true. This means the entry will not be zeroed
+if the entry was valid from Xen PoV but invalid from the CPU PoV for
+tracking purpose.
+
+As a consequence, this will allow a domain to continue to access the
+page after it was removed.
+
+Resolve the issue by always zeroing the entry if it the LPAE bit is
+set or the entry is about to be removed.
+
+This is CVE-2022-23033 / XSA-393.
+
+Reported-by: Dmytro Firsov <Dmytro_Firsov@epam.com>
+Fixes: 2148a125b73b ("xen/arm: Track page accessed between batch of Set/Way operations")
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+---
+ xen/arch/arm/p2m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
+index 8b20b430777e..fb71fa4c1c90 100644
+--- a/xen/arch/arm/p2m.c
++++ b/xen/arch/arm/p2m.c
+@@ -1016,7 +1016,7 @@ static int __p2m_set_entry(struct p2m_domain *p2m,
+ * sequence when updating the translation table (D4.7.1 in ARM DDI
+ * 0487A.j).
+ */
+- if ( lpae_is_valid(orig_pte) )
++ if ( lpae_is_valid(orig_pte) || removing_mapping )
+ p2m_remove_pte(entry, p2m->clean_pte);
+
+ if ( removing_mapping )
+--
+2.32.0
+
diff --git a/pcr/xen/xsa394.patch b/pcr/xen/xsa394.patch
new file mode 100644
index 000000000..1704c5b08
--- /dev/null
+++ b/pcr/xen/xsa394.patch
@@ -0,0 +1,63 @@
+From a8bdee7a30d0cd13341d2ca1753569b171daf5b8 Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Fri, 19 Nov 2021 11:27:47 +0000
+Subject: [PATCH] xen/grant-table: Only decrement the refcounter when grant is
+ fully unmapped
+
+The grant unmapping hypercall (GNTTABOP_unmap_grant_ref) is not a
+simple revert of the changes done by the grant mapping hypercall
+(GNTTABOP_map_grant_ref).
+
+Instead, it is possible to partially (or even not) clear some flags.
+This will leave the grant is mapped until a future call where all
+the flags would be cleared.
+
+XSA-380 introduced a refcounting that is meant to only be dropped
+when the grant is fully unmapped. Unfortunately, unmap_common() will
+decrement the refcount for every successful call.
+
+A consequence is a domain would be able to underflow the refcount
+and trigger a BUG().
+
+Looking at the code, it is not clear to me why a domain would
+want to partially clear some flags in the grant-table. But as
+this is part of the ABI, it is better to not change the behavior
+for now.
+
+Fix it by checking if the maptrack handle has been released before
+decrementing the refcounting.
+
+This is CVE-2022-23034 / XSA-394.
+
+Fixes: 9781b51efde2 ("gnttab: replace mapkind()")
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/common/grant_table.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
+index 0262f2c48af8..ed1e2fabcea6 100644
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -1488,8 +1488,15 @@ unmap_common(
+ if ( put_handle )
+ put_maptrack_handle(lgt, op->handle);
+
+- /* See the respective comment in map_grant_ref(). */
+- if ( rc == GNTST_okay && ld != rd && gnttab_need_iommu_mapping(ld) )
++ /*
++ * map_grant_ref() will only increment the refcount (and update the
++ * IOMMU) once per mapping. So we only want to decrement it once the
++ * maptrack handle has been put, alongside the further IOMMU update.
++ *
++ * For the second and third check, see the respective comment in
++ * map_grant_ref().
++ */
++ if ( put_handle && ld != rd && gnttab_need_iommu_mapping(ld) )
+ {
+ void **slot;
+ union maptrack_node node;
+--
+2.32.0
+
diff --git a/pcr/xen/xsa395.patch b/pcr/xen/xsa395.patch
new file mode 100644
index 000000000..13b731102
--- /dev/null
+++ b/pcr/xen/xsa395.patch
@@ -0,0 +1,42 @@
+From 4cc924c3e3a0d53306d08b04720c427d1c298ba8 Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Wed, 5 Jan 2022 18:09:20 +0000
+Subject: [PATCH] passthrough/x86: stop pirq iteration immediately in case of
+ error
+
+pt_pirq_iterate() will iterate in batch over all the PIRQs. The outer
+loop will bail out if 'rc' is non-zero but the inner loop will continue.
+
+This means 'rc' will get clobbered and we may miss any errors (such as
+-ERESTART in the case of the callback pci_clean_dpci_irq()).
+
+This is CVE-2022-23035 / XSA-395.
+
+Fixes: c24536b636f2 ("replace d->nr_pirqs sized arrays with radix tree")
+Fixes: f6dd295381f4 ("dpci: replace tasklet with softirq")
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+---
+ xen/drivers/passthrough/x86/hvm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xen/drivers/passthrough/x86/hvm.c b/xen/drivers/passthrough/x86/hvm.c
+index 351daafdc9bf..0b37cd145b60 100644
+--- a/xen/drivers/passthrough/x86/hvm.c
++++ b/xen/drivers/passthrough/x86/hvm.c
+@@ -732,7 +732,11 @@ int pt_pirq_iterate(struct domain *d,
+
+ pirq = pirqs[i]->pirq;
+ if ( (pirq_dpci->flags & HVM_IRQ_DPCI_MAPPED) )
++ {
+ rc = cb(d, pirq_dpci, arg);
++ if ( rc )
++ break;
++ }
+ }
+ } while ( !rc && ++pirq < d->nr_pirqs && n == ARRAY_SIZE(pirqs) );
+
+--
+2.32.0
+
|