head 1.2; access; symbols pkgsrc-2020Q2:1.1.0.8 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.4 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.6 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2020.08.24.10.35.35; author bouyer; state dead; branches; next 1.1; commitid MGsqrLPx72UHUilC; 1.1 date 2019.12.13.13.44.21; author bouyer; state Exp; branches 1.1.2.1; next ; commitid w6P0WFKdEprc9yOB; 1.1.2.1 date 2019.12.13.13.44.21; author bsiegert; state dead; branches; next 1.1.2.2; commitid TcQZmrJvhj3Y6WOB; 1.1.2.2 date 2019.12.16.13.51.58; author bsiegert; state Exp; branches; next ; commitid TcQZmrJvhj3Y6WOB; desc @@ 1.2 log @Update to 4.11.4nb1 Keep PKGREVISION at 1 to reflect that it's not a stock Xen 4.11.4 kernel, we have additional security fixes (all relevant patches from upstream to date). Changes: mostly bug fixes and improvements; better support for newer AMD CPUs. full changelog at https://xenproject.org/downloads/xen-project-archives/xen-project-4-11-series/xen-project-4-11-4/ @ text @$NetBSD: patch-XSA309,v 1.1 2019/12/13 13:44:21 bouyer Exp $ From 523e3974ed2213719a19218f5b246e382ceef18a Mon Sep 17 00:00:00 2001 
From: George Dunlap Date: Wed, 30 Oct 2019 17:05:28 +0000 Subject: [PATCH] x86/mm: Don't reset linear_pt_count on partial validation "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another page of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, dropping some "linear_pt_entry" counts. On debug builds on systems where guests used this feature, this might lead to crashes that look like this: Assertion 'oc > 0' failed at mm.c:874 Worse, if an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, leading to the denial-of-service situation outlined in XSA-240. This is XSA-309. Reported-by: Manuel Bouyer Signed-off-by: George Dunlap Reviewed-by: Jan Beulich --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 7d4dd80a85..01393fb0da 100644 --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -3059,8 +3059,8 @@@@ static int _get_page_type(struct page_info *page, unsigned long type, { page->nr_validated_ptes = 0; page->partial_flags = 0; + page->linear_pt_count = 0; } - page->linear_pt_count = 0; rc = alloc_page_type(page, type, preemptible); } -- 2.24.0 @ 1.1 log @Update xenkernel411 to 4.11.3nb1, and xentools411 to 4.11.3 (PKGREVISION not reset on xenkernel411 on purpose, to emphasize that it's not a stock Xen 4.11.3 kernel). Changes since 4.11.2: - includes all security patches up to XSA306 - other minor bug fixes, hardware support and performance improvements In addition, xenkernel411 includes all security patches released since 4.11.3, up to XSA311 @ text @d1 1 a1 1 $NetBSD: $ @ 1.1.2.1 log @file patch-XSA309 was added on branch pkgsrc-2019Q3 on 2019-12-16 13:51:58 +0000 @ text @d1 60 @ 1.1.2.2 log @Pullup ticket #6104 - requested by bouyer sysutils/xenkernel411, sysutils/xentools411: security fix Revisions pulled up: - sysutils/xenkernel411/Makefile 1.12 - sysutils/xenkernel411/distinfo 1.9 - sysutils/xenkernel411/patches/patch-XSA298 deleted - sysutils/xenkernel411/patches/patch-XSA299 deleted - sysutils/xenkernel411/patches/patch-XSA302 deleted - sysutils/xenkernel411/patches/patch-XSA304 deleted - sysutils/xenkernel411/patches/patch-XSA305 deleted - sysutils/xenkernel411/patches/patch-XSA306 deleted - sysutils/xenkernel411/patches/patch-XSA307 1.1 - sysutils/xenkernel411/patches/patch-XSA308 1.1 - sysutils/xenkernel411/patches/patch-XSA309 1.1 - sysutils/xenkernel411/patches/patch-XSA310 1.1 - sysutils/xenkernel411/patches/patch-XSA311 1.1 - sysutils/xentools411/Makefile 1.12 - sysutils/xentools411/distinfo 1.8 --- Module Name: pkgsrc Committed By: bouyer Date: Fri Dec 13 13:44:21 UTC 2019 Modified Files: pkgsrc/sysutils/xenkernel411: Makefile distinfo pkgsrc/sysutils/xentools411: Makefile distinfo Added 
Files: pkgsrc/sysutils/xenkernel411/patches: patch-XSA307 patch-XSA308 patch-XSA309 patch-XSA310 patch-XSA311 Removed Files: pkgsrc/sysutils/xenkernel411/patches: patch-XSA298 patch-XSA299 patch-XSA302 patch-XSA304 patch-XSA305 patch-XSA306 Log Message: Update xenkernel411 to 4.11.3nb1, and xentools411 to 4.11.3 (PKGREVISION not reset on xenkernel411 on purpose, to emphasize that it's not a stock Xen 4.11.3 kernel). Changes since 4.11.2: - includes all security patches up to XSA306 - other minor bug fixes, hardware support and performance improvements In addition, xenkernel411 includes all security patches released since 4.11.3, up to XSA311 @ text @a0 60 $NetBSD: patch-XSA309,v 1.1 2019/12/13 13:44:21 bouyer Exp $ From 523e3974ed2213719a19218f5b246e382ceef18a Mon Sep 17 00:00:00 2001 
From: George Dunlap Date: Wed, 30 Oct 2019 17:05:28 +0000 Subject: [PATCH] x86/mm: Don't reset linear_pt_count on partial validation "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another page of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, dropping some "linear_pt_entry" counts. On debug builds on systems where guests used this feature, this might lead to crashes that look like this: Assertion 'oc > 0' failed at mm.c:874 Worse, if an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, leading to the denial-of-service situation outlined in XSA-240. This is XSA-309. Reported-by: Manuel Bouyer Signed-off-by: George Dunlap Reviewed-by: Jan Beulich --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 7d4dd80a85..01393fb0da 100644 --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -3059,8 +3059,8 @@@@ static int _get_page_type(struct page_info *page, unsigned long type, { page->nr_validated_ptes = 0; page->partial_flags = 0; + page->linear_pt_count = 0; } - page->linear_pt_count = 0; rc = alloc_page_type(page, type, preemptible); } -- 2.24.0 @
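Review bot: in the `_get_page_type()` hunk, the moved `page->linear_pt_count = 0;` now sits beside the `nr_validated_ptes` and `partial_flags` resets, but nothing in the code records why the three belong together. A short comment above the block saying that these fields are cleared only when validation starts from scratch, and must be preserved when a partially validated page table is resumed, would keep a later cleanup from hoisting the reset back out next to `alloc_page_type()`. The condition guarding this block lies outside the hunk's context, so it is worth confirming that it is false on every resume path, since the commit message ties the 'oc > 0' assertion at mm.c:874 to exactly that case.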