Commit d4b5d61f authored by Henrik Riomar's avatar Henrik Riomar Committed by Milan P. Stanić

main/xen: fix XSA-359

This is CVE-2020-29571
parent 1af50114
......@@ -209,6 +209,7 @@ options="!strip"
# - CVE-2020-29486 XSA-352
# - CVE-2020-29479 XSA-353
# - CVE-2020-29570 XSA-358
# - CVE-2020-29571 XSA-359
case "$CARCH" in
x86*)
......@@ -314,6 +315,8 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xsa358-4.14.patch
xsa359.patch
xenstored.initd
xenstored.confd
xenconsoled.initd
......@@ -590,6 +593,7 @@ b1791c36e0eb0ae6bb89c0529922775e6b9c0ec66cfd99a203bc56ff0ddb071e98ae39e81d4f4d57
3fe751d9c802963ec57ffc88a69a08de63f0c45da914b9debc65fd77d5cb407080e7a6e3287a893ccf5c352a2d2786f831458cd302b99d1b3d490e9a7330fbad xsa352.patch
c458c962d9ae45c2fce049e6094923f72dfc87e0a20ef083371215cfe8345f437f556c4efadac841432db8421457eb0a6dea5d93ff148aff2466795125c759e1 xsa353.patch
0f7dcfa0115ac7e353bb0f645845b839fd628bdb553f8a5c5f03f2b5808515e255bcc6173b6b946a8901f62a80dcf9cf94f4039cd66e04315bd2ba849e585fde xsa358-4.14.patch
a842b086044a2936b71f77afb6a30aa8eb336dda467d94ab2656936434f7a1301522f2c2d6a90ebb87d39aca16d3b9d875d36b0b14492420aca1782116ecc398 xsa359.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
......
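Review bot: None of the three hunks shown touches `pkgrel`, so unless the release number was already bumped with the XSA-358 entry this one sits beside in the secfixes list, hosts already on that release will not receive the rebuilt hypervisor through a normal upgrade. If an unbumped release has already been published, this change needs a `pkgrel` increment, and the `# - CVE-2020-29571 XSA-359` line belongs under the new version heading. The secfixes heading and the `pkgrel` line are both outside the hunks shown, so which release the entry lands under cannot be confirmed from here.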
From: Jan Beulich <jbeulich@suse.com>
Subject: evtchn/FIFO: add 2nd smp_rmb() to evtchn_fifo_word_from_port()
Besides with add_page_to_event_array() the function also needs to
synchronize with evtchn_fifo_init_control() setting both d->evtchn_fifo
and (subsequently) d->evtchn_port_ops.
This is XSA-359 / CVE-2020-29571.
Reported-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -55,6 +55,13 @@ static inline event_word_t *evtchn_fifo_
{
unsigned int p, w;
+ /*
+ * Callers aren't required to hold d->event_lock, so we need to synchronize
+ * with evtchn_fifo_init_control() setting d->evtchn_port_ops /after/
+ * d->evtchn_fifo.
+ */
+ smp_rmb();
+
if ( unlikely(port >= d->evtchn_fifo->num_evtchns) )
return NULL;
@@ -606,6 +613,10 @@ int evtchn_fifo_init_control(struct evtc
if ( rc < 0 )
goto error;
+ /*
+ * This call, as a side effect, synchronizes with
+ * evtchn_fifo_word_from_port().
+ */
rc = map_control_block(v, gfn, offset);
if ( rc < 0 )
goto error;
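Review bot: The comment added above `rc = map_control_block(v, gfn, offset);` says the call synchronizes with evtchn_fifo_word_from_port() "as a side effect" but does not name what inside it provides the ordering, so the write half of the pairing with the new `smp_rmb()` cannot be checked from this file. If the ordering comes from something incidental in map_control_block() (its body is not shown, so this is an assumption), a later rework of that function could silently reopen the race this patch closes. I would extend the comment to name the primitive relied on, along the lines of `* The <barrier or lock release> in map_control_block() makes the d->evtchn_fifo store visible before d->evtchn_port_ops is set.`, with the placeholder filled in by someone who has the callee in view. Both functions start and end outside these hunks.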