aboutsummaryrefslogtreecommitdiffstats
path: root/main/xen/xsa388-4.14-2.patch
blob: 2f8cc881f0a53a3752672447881dff6a5b64f819 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/PoD: handle intermediate page orders in p2m_pod_cache_add()

p2m_pod_decrease_reservation() may pass pages to the function which
aren't 4k, 2M, or 1G. Handle all intermediate orders as well, to avoid
hitting the BUG() at the switch() statement's "default" case.

This is CVE-2021-28708 / part of XSA-388.

Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -111,15 +111,13 @@ p2m_pod_cache_add(struct p2m_domain *p2m
     /* Then add to the appropriate populate-on-demand list. */
     switch ( order )
     {
-    case PAGE_ORDER_1G:
-        for ( i = 0; i < (1UL << PAGE_ORDER_1G); i += 1UL << PAGE_ORDER_2M )
+    case PAGE_ORDER_2M ... PAGE_ORDER_1G:
+        for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_2M )
             page_list_add_tail(page + i, &p2m->pod.super);
         break;
-    case PAGE_ORDER_2M:
-        page_list_add_tail(page, &p2m->pod.super);
-        break;
-    case PAGE_ORDER_4K:
-        page_list_add_tail(page, &p2m->pod.single);
+    case PAGE_ORDER_4K ... PAGE_ORDER_2M - 1:
+        for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_4K )
+            page_list_add_tail(page + i, &p2m->pod.single);
         break;
     default:
         BUG();