head 1.2; access; symbols pkgsrc-2020Q2:1.1.0.24 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.20 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.22 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.18 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.16 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.14 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.12 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.10 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.8 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.6 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.4 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2020.08.19.10.39.23; author bouyer; state dead; branches; next 1.1; commitid DGAMglRf0Jde6FkC; 1.1 date 2017.10.17.10.57.34; author bouyer; state Exp; branches 1.1.2.1; next ; commitid Op7VCttvsVltwobA; 1.1.2.1 date 2017.10.17.10.57.34; author bsiegert; state dead; branches; next 1.1.2.2; commitid hV2F1sd8zeL8jrbA; 1.1.2.2 date 2017.10.17.19.17.50; author bsiegert; state Exp; branches; next ; commitid hV2F1sd8zeL8jrbA; desc @@ 1.2 log @Remove xenkernel and xentools packages older than 4.11. They're not maintained anymore upstream, and don't build on supported NetBSD releases. @ text @$NetBSD: patch-XSA243,v 1.1 2017/10/17 10:57:34 bouyer Exp $ From: Andrew Cooper Subject: x86: Disable the use of auto-translated PV guests This is a minimal backport of c/s 92942fd3d469 "x86/mm: drop guest_{map,get_eff}_l1e() hooks" from Xen 4.7, which stated: Disallow the unmaintained and presumed broken translated-but-not-external paging mode combination ... It turns out that this mode is insecure to run with, as opposed to just simply broken. This is part of XSA-243. Signed-off-by: Andrew Cooper 
diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index dcff4fb..945bb61 100644 --- xen/arch/x86/mm/paging.c.orig +++ xen/arch/x86/mm/paging.c @@@@ -835,6 +835,15 @@@@ void paging_final_teardown(struct domain *d) * creation. */ int paging_enable(struct domain *d, u32 mode) { + switch ( mode & (PG_external | PG_translate) ) + { + case 0: + case PG_external | PG_translate: + break; + default: + return -EINVAL; + } + if ( hap_enabled(d) ) return hap_enable(d, mode | PG_HAP_enable); else From: Andrew Cooper Subject: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests When initially creating a monitor table for 4-level translated guests, don't install a shadow-linear mapping. This mapping is actually self-linear, and trips up the writeable heuristic logic into following Xen's mappings, not the guests' shadows it was expecting to follow. A consequence of this is that sh_guess_wrmap() needs to cope with there being no shadow-linear mapping present, which in practice occurs once each time a vcpu switches to 4-level paging from a different paging mode. An appropriate shadow-linear slot will be inserted into the monitor table either while constructing lower level monitor tables, or by sh_update_cr3(). While fixing this, clarify the safety of the other mappings. Despite appearing unsafe, it is correct to create a guest-linear mapping for translated domains; this is self-linear and doesn't point into the translated domain. Drop a dead clause for translate != external guests. This is part of XSA-243. Signed-off-by: Andrew Cooper Acked-by: Tim Deegan 
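Review bot: The new switch at the top of paging_enable() rejects both asymmetric combinations of PG_external and PG_translate, while the patch description only names translated-but-not-external; without a comment a later maintainer could plausibly "relax" the external-only case, so the intent should be stated next to the check, e.g. `/* Only untranslated or external+translated paging is supported; a mixed combination is unmaintained and insecure (XSA-243). */`. The -EINVAL path is taken before the hap_enabled() branch, so no state has been touched when it fails, which is the right ordering. The remainder of paging_enable() (the else branch) is outside the hunk. The same hunk recurs verbatim in the 1.1.2.2 revision text later in this file, so the comment applies there too.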
diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index c34ebe0..cb8ddde 100644 --- xen/arch/x86/mm/shadow/multi.c.orig +++ xen/arch/x86/mm/shadow/multi.c @@@@ -1456,26 +1456,38 @@@@ void sh_install_xen_entries_in_l4(struct domain *d, mfn_t gl4mfn, mfn_t sl4mfn) sl4e[shadow_l4_table_offset(RO_MPT_VIRT_START)] = shadow_l4e_empty(); } - /* Shadow linear mapping for 4-level shadows. N.B. for 3-level - * shadows on 64-bit xen, this linear mapping is later replaced by the - * monitor pagetable structure, which is built in make_monitor_table - * and maintained by sh_update_linear_entries. */ - sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); - - /* Self linear mapping. */ - if ( shadow_mode_translate(d) && !shadow_mode_external(d) ) - { - // linear tables may not be used with translated PV guests - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + /* + * Linear mapping slots: + * + * Calling this function with gl4mfn == sl4mfn is used to construct a + * monitor table for translated domains. In this case, gl4mfn forms the + * self-linear mapping (i.e. not pointing into the translated domain), and + * the shadow-linear slot is skipped. The shadow-linear slot is either + * filled when constructing lower level monitor tables, or via + * sh_update_cr3() for 4-level guests. + * + * Calling this function with gl4mfn != sl4mfn is used for non-translated + * guests, where the shadow-linear slot is actually self-linear, and the + * guest-linear slot points into the guests view of its pagetables. 
+ */ + if ( shadow_mode_translate(d) ) + { + ASSERT(mfn_x(gl4mfn) == mfn_x(sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = shadow_l4e_empty(); } else { - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + ASSERT(mfn_x(gl4mfn) != mfn_x(sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); } + sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + unmap_domain_page(sl4e); } #endif @@@@ -4270,6 +4282,11 @@@@ static int sh_guess_wrmap(struct vcpu *v, unsigned long vaddr, mfn_t gmfn) /* Carefully look in the shadow linear map for the l1e we expect */ #if SHADOW_PAGING_LEVELS >= 4 + /* Is a shadow linear map is installed in the first place? */ + sl4p = v->arch.paging.shadow.guest_vtable; + sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START); + if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) + return 0; sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr); if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) return 0; @ 1.1 log @Update xen*46 to 4.6.6, including fixes up to XSA244. changes since Xen 4.6.5: mostly bug fixes, including security fixes for XSA206, XSA211 to XSA244. PKGREVISION set to 1 to account for the fact that it's not a stock Xen 4.6.6. 
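Review bot: The `ASSERT(mfn_x(gl4mfn) == mfn_x(sl4mfn))` and `ASSERT(mfn_x(gl4mfn) != mfn_x(sl4mfn))` added in the two branches of sh_install_xen_entries_in_l4() express the invariant the new block comment relies on, but Xen's ASSERT() is compiled out in non-debug builds, so in a release build the guest-linear slot is still written from whatever gl4mfn the caller passed; the comment should say explicitly that callers guarantee gl4mfn == sl4mfn for translated domains, since the callers are not visible in this hunk and the function itself does not enforce it. The new comment also has a small wording slip, `the guests view of its pagetables` should read `the guest's view of its pagetables`. The start of sh_install_xen_entries_in_l4() is outside the hunk, and the identical hunk appears again in the 1.1.2.2 revision text later in the file.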
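Review bot: The comment introducing the new early-out in sh_guess_wrmap() is ungrammatical, `/* Is a shadow linear map is installed in the first place? */` should be `/* Is a shadow linear map installed in the first place? */`, and it would help to add why it can be absent, which the commit message explains but the code does not: the monitor table for a 4-level translated guest is created without a shadow-linear slot until lower-level monitor tables or sh_update_cr3() fill it. Returning 0 here mirrors the existing `!_PAGE_PRESENT` check on the following line, so the "no guess" contract is unchanged. The rest of sh_guess_wrmap() lies outside the hunk, and the same hunk recurs in the 1.1.2.2 revision text later in the file.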
Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @d1 1 a1 1 $NetBSD: $ @ 1.1.2.1 log @file patch-XSA243 was added on branch pkgsrc-2017Q3 on 2017-10-17 19:17:50 +0000 @ text @d1 132 @ 1.1.2.2 log @Pullup ticket #5580 - requested by bouyer sysutils/xenkernel46, sysutils/xentools46: security fix Revisions pulled up: - sysutils/xenkernel46/MESSAGE 1.2 - sysutils/xenkernel46/Makefile 1.14 - sysutils/xenkernel46/distinfo 1.10 - sysutils/xenkernel46/patches/patch-XSA-212 deleted - sysutils/xenkernel46/patches/patch-XSA226 1.1 - sysutils/xenkernel46/patches/patch-XSA227 1.1 - sysutils/xenkernel46/patches/patch-XSA228 1.1 - sysutils/xenkernel46/patches/patch-XSA230 1.1 - sysutils/xenkernel46/patches/patch-XSA231 1.1 - sysutils/xenkernel46/patches/patch-XSA232 1.1 - sysutils/xenkernel46/patches/patch-XSA234 1.1 - sysutils/xenkernel46/patches/patch-XSA237 1.1 - sysutils/xenkernel46/patches/patch-XSA238 1.1 - sysutils/xenkernel46/patches/patch-XSA239 1.1 - sysutils/xenkernel46/patches/patch-XSA240 1.1 - sysutils/xenkernel46/patches/patch-XSA241 1.1 - sysutils/xenkernel46/patches/patch-XSA242 1.1 - sysutils/xenkernel46/patches/patch-XSA243 1.1 - sysutils/xenkernel46/patches/patch-XSA244 1.1 - sysutils/xentools46/Makefile 1.21 - sysutils/xentools46/distinfo 1.9 - sysutils/xentools46/patches/patch-XSA-211-1 deleted - sysutils/xentools46/patches/patch-XSA-211-2 deleted - sysutils/xentools46/patches/patch-XSA228 1.1 - sysutils/xentools46/patches/patch-XSA233 1.1 - sysutils/xentools46/patches/patch-XSA240 1.1 - sysutils/xentools46/version.mk 1.3 --- Module Name: pkgsrc Committed By: bouyer Date: Tue Oct 17 10:57:35 UTC 2017 Modified Files: pkgsrc/sysutils/xenkernel46: MESSAGE Makefile distinfo pkgsrc/sysutils/xentools46: Makefile distinfo version.mk Added Files: pkgsrc/sysutils/xenkernel46/patches: patch-XSA226 patch-XSA227 patch-XSA228 patch-XSA230 patch-XSA231 patch-XSA232 
patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240 patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244 pkgsrc/sysutils/xentools46/patches: patch-XSA228 patch-XSA233 patch-XSA240 Removed Files: pkgsrc/sysutils/xenkernel46/patches: patch-XSA-212 pkgsrc/sysutils/xentools46/patches: patch-XSA-211-1 patch-XSA-211-2 Log Message: Update xen*46 to 4.6.6, including fixes up to XSA244. changes since Xen 4.6.5: mostly bug fixes, including security fixes for XSA206, XSA211 to XSA244. PKGREVISION set to 1 to account for the fact that it's not a stock Xen 4.6.6. Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @a0 132 $NetBSD: patch-XSA243,v 1.1 2017/10/17 10:57:34 bouyer Exp $ From: Andrew Cooper Subject: x86: Disable the use of auto-translated PV guests This is a minimal backport of c/s 92942fd3d469 "x86/mm: drop guest_{map,get_eff}_l1e() hooks" from Xen 4.7, which stated: Disallow the unmaintained and presumed broken translated-but-not-external paging mode combination ... It turns out that this mode is insecure to run with, as opposed to just simply broken. This is part of XSA-243. Signed-off-by: Andrew Cooper diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index dcff4fb..945bb61 100644 --- xen/arch/x86/mm/paging.c.orig +++ xen/arch/x86/mm/paging.c @@@@ -835,6 +835,15 @@@@ void paging_final_teardown(struct domain *d) * creation. */ int paging_enable(struct domain *d, u32 mode) { + switch ( mode & (PG_external | PG_translate) ) + { + case 0: + case PG_external | PG_translate: + break; + default: + return -EINVAL; + } + if ( hap_enabled(d) ) return hap_enable(d, mode | PG_HAP_enable); else 
From: Andrew Cooper Subject: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests When initially creating a monitor table for 4-level translated guests, don't install a shadow-linear mapping. This mapping is actually self-linear, and trips up the writeable heuristic logic into following Xen's mappings, not the guests' shadows it was expecting to follow. A consequence of this is that sh_guess_wrmap() needs to cope with there being no shadow-linear mapping present, which in practice occurs once each time a vcpu switches to 4-level paging from a different paging mode. An appropriate shadow-linear slot will be inserted into the monitor table either while constructing lower level monitor tables, or by sh_update_cr3(). While fixing this, clarify the safety of the other mappings. Despite appearing unsafe, it is correct to create a guest-linear mapping for translated domains; this is self-linear and doesn't point into the translated domain. Drop a dead clause for translate != external guests. This is part of XSA-243. Signed-off-by: Andrew Cooper Acked-by: Tim Deegan 
diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index c34ebe0..cb8ddde 100644 --- xen/arch/x86/mm/shadow/multi.c.orig +++ xen/arch/x86/mm/shadow/multi.c @@@@ -1456,26 +1456,38 @@@@ void sh_install_xen_entries_in_l4(struct domain *d, mfn_t gl4mfn, mfn_t sl4mfn) sl4e[shadow_l4_table_offset(RO_MPT_VIRT_START)] = shadow_l4e_empty(); } - /* Shadow linear mapping for 4-level shadows. N.B. for 3-level - * shadows on 64-bit xen, this linear mapping is later replaced by the - * monitor pagetable structure, which is built in make_monitor_table - * and maintained by sh_update_linear_entries. */ - sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); - - /* Self linear mapping. */ - if ( shadow_mode_translate(d) && !shadow_mode_external(d) ) - { - // linear tables may not be used with translated PV guests - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + /* + * Linear mapping slots: + * + * Calling this function with gl4mfn == sl4mfn is used to construct a + * monitor table for translated domains. In this case, gl4mfn forms the + * self-linear mapping (i.e. not pointing into the translated domain), and + * the shadow-linear slot is skipped. The shadow-linear slot is either + * filled when constructing lower level monitor tables, or via + * sh_update_cr3() for 4-level guests. + * + * Calling this function with gl4mfn != sl4mfn is used for non-translated + * guests, where the shadow-linear slot is actually self-linear, and the + * guest-linear slot points into the guests view of its pagetables. 
+ */ + if ( shadow_mode_translate(d) ) + { + ASSERT(mfn_x(gl4mfn) == mfn_x(sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = shadow_l4e_empty(); } else { - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + ASSERT(mfn_x(gl4mfn) != mfn_x(sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); } + sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + unmap_domain_page(sl4e); } #endif @@@@ -4270,6 +4282,11 @@@@ static int sh_guess_wrmap(struct vcpu *v, unsigned long vaddr, mfn_t gmfn) /* Carefully look in the shadow linear map for the l1e we expect */ #if SHADOW_PAGING_LEVELS >= 4 + /* Is a shadow linear map is installed in the first place? */ + sl4p = v->arch.paging.shadow.guest_vtable; + sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START); + if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) + return 0; sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr); if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) return 0; @