diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-23 09:28:52 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-23 09:48:32 +0000 |
commit | 9cba7900153b15f9070445e546fd8244cb2da8f1 (patch) | |
tree | cbccb037c3b72a9c8f240294fcc026759c8da37b /main/xen/xsa108.patch | |
parent | 256f4e7e9f920e61c9a0f213d108851dd6eee97c (diff) |
main/xen: security upgrade to 4.2.5 and patches2.5-stable
The 4.2.5 release fixes:
CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be
created
CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests
In addition we add patches for:
CVE-2014-7154 / XSA-104 Race condition in HVMOP_track_dirty_vram
CVE-2014-7155 / XSA-105 Missing privilege level checks in x86 HLT, LGDT,
LIDT, and LMSW emulation
CVE-2014-7156 / XSA-106 Missing privilege level checks in x86 emulation of
software interrupts
CVE-2014-7188 / XSA-108 Improper MSR range used for x2APIC emulation
fixes #3412
fixes #3457
Diffstat (limited to 'main/xen/xsa108.patch')
-rw-r--r-- | main/xen/xsa108.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/main/xen/xsa108.patch b/main/xen/xsa108.patch new file mode 100644 index 00000000000..e162185789f --- /dev/null +++ b/main/xen/xsa108.patch @@ -0,0 +1,36 @@ +x86/HVM: properly bound x2APIC MSR range + +While the write path change appears to be purely cosmetic (but still +gets done here for consistency), the read side mistake permitted +accesses beyond the virtual APIC page. + +Note that while this isn't fully in line with the specification +(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal +possible fix addressing the security issue and getting x2APIC related +code into a consistent shape (elsewhere a 256 rather than 1024 wide +window is being used too). This will be dealt with subsequently. + +This is XSA-108. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int + *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; + break; + +- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: ++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: + if ( hvm_x2apic_msr_read(v, msr, msr_content) ) + goto gp_fault; + break; +@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int + vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); + break; + +- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: ++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: + if ( hvm_x2apic_msr_write(v, msr, msr_content) ) + goto gp_fault; + break; |