head 1.2; access; symbols pkgsrc-2020Q2:1.1.0.30 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.10 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.32 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.28 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.26 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.24 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.22 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.20 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.18 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.16 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.14 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.12 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.8 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.6 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.4 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.2 pkgsrc-2016Q3-base:1.1; locks; strict; comment @# @; 1.2 date 2020.08.19.10.39.23; author bouyer; state dead; branches; next 1.1; commitid DGAMglRf0Jde6FkC; 1.1 date 2016.09.08.15.41.01; author bouyer; state Exp; branches; next ; commitid c9X7FynnoqZn5vlz; desc @@ 1.2 log @Remove xenkernel and xentools packages older than 4.11. They're not maintained anymore upstream, and don't build on supported NetBSD releases. @ text @$NetBSD: patch-XSA-187-2,v 1.1 2016/09/08 15:41:01 bouyer Exp $ From: Andrew Cooper Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[] HVM HAP codepaths have space for all segment registers in the seg_reg[] cache (with x86_seg_none still risking an array overrun), while the shadow codepaths only have space for the user segments. Range check the input segment of *_get_seg_reg() against the size of the array used to cache the results, to avoid overruns in the case that the callers don't filter their input suitably. Subsume the is_x86_user_segment(seg) checks from the shadow code, which were an incomplete attempt at range checking, and are now superceeded. Make hvm_get_seg_reg() static, as it is not used outside of shadow/common.c No functional change, but far easier to reason that no overflow is possible. Reported-by: Andrew Cooper Signed-off-by: Andrew Cooper Acked-by: Tim Deegan Acked-by: Jan Beulich --- xen/arch/x86/mm/shadow/common.c.orig +++ xen/arch/x86/mm/shadow/common.c @@@@ -125,10 +125,19 @@@@ __initcall(shadow_audit_key_init); /* x86 emulator support for the shadow code */ +/* + * Callers which pass a known in-range x86_segment can rely on the return + * pointer being valid. Other callers must explicitly check for errors. + */ struct segment_register *hvm_get_seg_reg( enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt) { - struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg]; + struct segment_register *seg_reg; + + if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) ) + return ERR_PTR(-X86EMUL_UNHANDLEABLE); + + seg_reg = &sh_ctxt->seg_reg[seg]; if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) ) hvm_get_segment_register(current, seg, seg_reg); return seg_reg; @@@@ -145,14 +154,9 @@@@ static int hvm_translate_linear_addr( struct segment_register *reg; int okay; - /* - * Can arrive here with non-user segments. However, no such cirucmstance - * is part of a legitimate pagetable update, so fail the emulation. - */ - if ( !is_x86_user_segment(seg) ) - return X86EMUL_UNHANDLEABLE; - reg = hvm_get_seg_reg(seg, sh_ctxt); + if ( IS_ERR(reg) ) + return -PTR_ERR(reg); okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr); @@@@ -254,9 +258,6 @@@@ hvm_emulate_write(enum x86_segment seg, unsigned long addr; int rc; - if ( !is_x86_user_segment(seg) ) - return X86EMUL_UNHANDLEABLE; - /* How many emulations could we save if we unshadowed on stack writes? */ if ( seg == x86_seg_ss ) perfc_incr(shadow_fault_emulate_stack); @@@@ -284,9 +285,6 @@@@ hvm_emulate_cmpxchg(enum x86_segment seg unsigned long addr, old[2], new[2]; int rc; - if ( !is_x86_user_segment(seg) ) - return X86EMUL_UNHANDLEABLE; - rc = hvm_translate_linear_addr( seg, offset, bytes, hvm_access_write, sh_ctxt, &addr); if ( rc ) --- xen/include/asm-x86/hvm/emulate.h.orig 2014-09-02 08:22:57.000000000 +0200 +++ xen/include/asm-x86/hvm/emulate.h 2016-09-08 15:57:32.000000000 +0200 @@@@ -13,6 +13,7 @@@@ #define __ASM_X86_HVM_EMULATE_H__ #include +#include #include struct hvm_emulate_ctxt { --- xen/arch/x86/hvm/emulate.c.orig 2014-09-02 08:22:57.000000000 +0200 +++ xen/arch/x86/hvm/emulate.c 2016-09-08 16:01:31.000000000 +0200 @@@@ -390,6 +390,8 @@@@ *reps = min_t(unsigned long, *reps, 4096); reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt); + if ( IS_ERR(reg) ) + return -PTR_ERR(reg); if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) ) { @@@@ -777,6 +779,10 @@@@ struct hvm_emulate_ctxt *hvmemul_ctxt = container_of(ctxt, struct hvm_emulate_ctxt, ctxt); struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt); + + if ( IS_ERR(sreg) ) + return -PTR_ERR(sreg); + memcpy(reg, sreg, sizeof(struct segment_register)); return X86EMUL_OKAY; } @@@@ -790,6 +796,9 @@@@ container_of(ctxt, struct hvm_emulate_ctxt, ctxt); struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt); + if ( IS_ERR(sreg) ) + return -PTR_ERR(sreg); + memcpy(sreg, reg, sizeof(struct segment_register)); __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty); @@@@ -1130,10 +1139,17 @@@@ } } +/* + * Callers which pass a known in-range x86_segment can rely on the return + * pointer being valid. Other callers must explicitly check for errors. + */ struct segment_register *hvmemul_get_seg_reg( enum x86_segment seg, struct hvm_emulate_ctxt *hvmemul_ctxt) { + if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) ) + return ERR_PTR(-X86EMUL_UNHANDLEABLE); + if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) ) hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]); return &hvmemul_ctxt->seg_reg[seg]; @ 1.1 log @Backport upstream patches for security issues: XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[] bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: $ @