Commit 1af50114 authored by Henrik Riomar's avatar Henrik Riomar Committed by Milan P. Stanić

main/xen: fix XSA-358

This is CVE-2020-29570
parent 971df5ec
......@@ -208,6 +208,7 @@ options="!strip"
# - CVE-2020-29566 XSA-348
# - CVE-2020-29486 XSA-352
# - CVE-2020-29479 XSA-353
# - CVE-2020-29570 XSA-358
case "$CARCH" in
x86*)
......@@ -311,6 +312,8 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xsa353.patch
xsa358-4.14.patch
xenstored.initd
xenstored.confd
xenconsoled.initd
......@@ -586,6 +589,7 @@ d73b8a7e815601770804029175c068a4331346aa3c137a71cc105684cdded2d13b40a99f67ada614
b1791c36e0eb0ae6bb89c0529922775e6b9c0ec66cfd99a203bc56ff0ddb071e98ae39e81d4f4d5703149a6e066c0f0dd00283b2cae586429b1fc4d548993d6d xsa348-4.13-3.patch
3fe751d9c802963ec57ffc88a69a08de63f0c45da914b9debc65fd77d5cb407080e7a6e3287a893ccf5c352a2d2786f831458cd302b99d1b3d490e9a7330fbad xsa352.patch
c458c962d9ae45c2fce049e6094923f72dfc87e0a20ef083371215cfe8345f437f556c4efadac841432db8421457eb0a6dea5d93ff148aff2466795125c759e1 xsa353.patch
0f7dcfa0115ac7e353bb0f645845b839fd628bdb553f8a5c5f03f2b5808515e255bcc6173b6b946a8901f62a80dcf9cf94f4039cd66e04315bd2ba849e585fde xsa358-4.14.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
......
From: Jan Beulich <jbeulich@suse.com>
Subject: evtchn/FIFO: re-order and synchronize (with) map_control_block()
For evtchn_fifo_set_pending()'s check of the control block having been
set to be effective, ordering of respective reads and writes needs to be
ensured: The control block pointer needs to be recorded strictly after
the setting of all the queue heads, and it needs checking strictly
before any uses of them (this latter aspect was already guaranteed).
This is XSA-358 / CVE-2020-29570.
Reported-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Julien Grall <jgrall@amazon.com>
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -249,6 +249,10 @@ static void evtchn_fifo_set_pending(stru
goto unlock;
}
+ /*
+ * This also acts as the read counterpart of the smp_wmb() in
+ * map_control_block().
+ */
if ( guest_test_and_set_bit(d, EVTCHN_FIFO_LINKED, word) )
goto unlock;
@@ -474,6 +478,7 @@ static int setup_control_block(struct vc
static int map_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset)
{
void *virt;
+ struct evtchn_fifo_control_block *control_block;
unsigned int i;
int rc;
@@ -484,10 +489,15 @@ static int map_control_block(struct vcpu
if ( rc < 0 )
return rc;
- v->evtchn_fifo->control_block = virt + offset;
+ control_block = virt + offset;
for ( i = 0; i <= EVTCHN_FIFO_PRIORITY_MIN; i++ )
- v->evtchn_fifo->queue[i].head = &v->evtchn_fifo->control_block->head[i];
+ v->evtchn_fifo->queue[i].head = &control_block->head[i];
+
+ /* All queue heads must have been set before setting the control block. */
+ smp_wmb();
+
+ v->evtchn_fifo->control_block = control_block;
return 0;
}
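Review bot: The comment added above `smp_wmb()` in map_control_block() does not name the reader it pairs with, while the comment added in evtchn_fifo_set_pending() names only the writer, so the pairing is documented in one direction only. I would extend the write-side comment to `/* All queue heads must be set before the control block pointer is published; pairs with the guest_test_and_set_bit() in evtchn_fifo_set_pending(). */`. The read-side comment could also say which accesses it orders: the control_block check above it, which is outside the hunk, against the queue head uses below it. It could also say that it relies on guest_test_and_set_bit() acting as a full barrier, which presumably holds on every supported architecture but is not visible in this patch. The call in map_control_block() that sets `rc` and `virt` lies between the two hunks and is not shown.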