aboutsummaryrefslogtreecommitdiffstats
path: root/main/xen/xsa338.patch
diff options
context:
space:
mode:
authorDaniel NĂ©ri <dne+alpine@mayonnaise.net>2020-09-23 08:28:53 +0200
committerLeo <thinkabit.ukim@gmail.com>2020-09-23 08:13:25 +0000
commitf48590ae54ca9e0c3bf6b3fae3e6b065f14223e3 (patch)
tree7fb3d4ae4b41f290d9eeb6f65e0a4f57f839ee8f /main/xen/xsa338.patch
parent7827f2cdeff854d65e1c9f05d5a80fb7226f18f8 (diff)
main/xen: security fixes for XSA-333, XSA-334, XSA-336, XSA-337, XSA-338, XSA-339, XSA-340, XSA-342, XSA-343 and XSA-344
Diffstat (limited to 'main/xen/xsa338.patch')
-rw-r--r--main/xen/xsa338.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/main/xen/xsa338.patch b/main/xen/xsa338.patch
new file mode 100644
index 00000000000..776521990e7
--- /dev/null
+++ b/main/xen/xsa338.patch
@@ -0,0 +1,42 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn: relax port_is_valid()
+
+To avoid ports potentially becoming invalid behind the back of certain
+other functions (due to ->max_evtchn shrinking) because of
+- a guest invoking evtchn_reset() and from a 2nd vCPU opening new
+ channels in parallel (see also XSA-343),
+- alloc_unbound_xen_event_channel() produced channels living above the
+ 2-level range (see also XSA-342),
+drop the max_evtchns check from port_is_valid(). For a port for which
+the function once returned "true", the returned value may not turn into
+"false" later on. The function's result may only depend on bounds which
+can only ever grow (which is the case for d->valid_evtchns).
+
+This also eliminates a false sense of safety, utilized by some of the
+users (see again XSA-343): Without a suitable lock held, d->max_evtchns
+may change at any time, and hence deducing that certain other operations
+are safe when port_is_valid() returned true is not legitimate. The
+opportunities to abuse this may get widened by the change here
+(depending on guest and host configuration), but will be taken care of
+by the other XSA.
+
+This is XSA-338.
+
+Fixes: 48974e6ce52e ("evtchn: use a per-domain variable for the max number of event channels")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+---
+v5: New, split from larger patch.
+
+--- a/xen/include/xen/event.h
++++ b/xen/include/xen/event.h
+@@ -107,8 +107,6 @@ void notify_via_xen_event_channel(struct
+
+ static inline bool_t port_is_valid(struct domain *d, unsigned int p)
+ {
+- if ( p >= d->max_evtchns )
+- return 0;
+ return p < read_atomic(&d->valid_evtchns);
+ }
+