head 1.2; access; symbols pkgsrc-2017Q4:1.1.0.4 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2018.01.24.23.29.32; author bouyer; state dead; branches; next 1.1; commitid WktdwS8UoS8bvboA; 1.1 date 2017.10.17.08.42.30; author bouyer; state Exp; branches 1.1.2.1 1.1.4.1; next ; commitid OJpItiWkoMToMnbA; 1.1.2.1 date 2017.10.17.08.42.30; author bsiegert; state dead; branches; next 1.1.2.2; commitid fTgNkUKfFJMQdrbA; 1.1.2.2 date 2017.10.17.19.02.25; author bsiegert; state Exp; branches; next ; commitid fTgNkUKfFJMQdrbA; 1.1.4.1 date 2018.01.28.15.23.24; author bsiegert; state dead; branches; next ; commitid hLOFEOUtck6sHEoA; desc @@ 1.2 log @Update xen 4.8 packages to 4.8.3. Changes since 4.8.2: include patches from all security advisory up to and including XSA254. While there pass XEN_VENDORVERSION=nb${PKGREVISION} to make so that 'xl info' shows the NetBSD PKGREVISION. If PKGREVISION is not available, define this as 'nb0'. @ text @$NetBSD: patch-XSA243,v 1.1 2017/10/17 08:42:30 bouyer Exp $ From: Andrew Cooper Subject: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests When initially creating a monitor table for 4-level translated guests, don't install a shadow-linear mapping. This mapping is actually self-linear, and trips up the writeable heuristic logic into following Xen's mappings, not the guests' shadows it was expecting to follow. A consequence of this is that sh_guess_wrmap() needs to cope with there being no shadow-linear mapping present, which in practice occurs once each time a vcpu switches to 4-level paging from a different paging mode. An appropriate shadow-linear slot will be inserted into the monitor table either while constructing lower level monitor tables, or by sh_update_cr3(). While fixing this, clarify the safety of the other mappings. Despite appearing unsafe, it is correct to create a guest-linear mapping for translated domains; this is self-linear and doesn't point into the translated domain. Drop a dead clause for translate != external guests. This is XSA-243. Signed-off-by: Andrew Cooper Acked-by: Tim Deegan diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index d70b1c6..029e8d4 100644 --- xen/arch/x86/mm/shadow/multi.c.orig +++ xen/arch/x86/mm/shadow/multi.c @@@@ -1472,26 +1472,38 @@@@ void sh_install_xen_entries_in_l4(struct domain *d, mfn_t gl4mfn, mfn_t sl4mfn) sl4e[shadow_l4_table_offset(RO_MPT_VIRT_START)] = shadow_l4e_empty(); } - /* Shadow linear mapping for 4-level shadows. N.B. for 3-level - * shadows on 64-bit xen, this linear mapping is later replaced by the - * monitor pagetable structure, which is built in make_monitor_table - * and maintained by sh_update_linear_entries. */ - sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); - - /* Self linear mapping. */ - if ( shadow_mode_translate(d) && !shadow_mode_external(d) ) + /* + * Linear mapping slots: + * + * Calling this function with gl4mfn == sl4mfn is used to construct a + * monitor table for translated domains. In this case, gl4mfn forms the + * self-linear mapping (i.e. not pointing into the translated domain), and + * the shadow-linear slot is skipped. The shadow-linear slot is either + * filled when constructing lower level monitor tables, or via + * sh_update_cr3() for 4-level guests. + * + * Calling this function with gl4mfn != sl4mfn is used for non-translated + * guests, where the shadow-linear slot is actually self-linear, and the + * guest-linear slot points into the guests view of its pagetables. + */ + if ( shadow_mode_translate(d) ) { - // linear tables may not be used with translated PV guests - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + ASSERT(mfn_eq(gl4mfn, sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = shadow_l4e_empty(); } else { - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + ASSERT(!mfn_eq(gl4mfn, sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); } + sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + unmap_domain_page(sl4e); } #endif @@@@ -4287,6 +4299,11 @@@@ static int sh_guess_wrmap(struct vcpu *v, unsigned long vaddr, mfn_t gmfn) /* Carefully look in the shadow linear map for the l1e we expect */ #if SHADOW_PAGING_LEVELS >= 4 + /* Is a shadow linear map is installed in the first place? */ + sl4p = v->arch.paging.shadow.guest_vtable; + sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START); + if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) + return 0; sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr); if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) return 0; @ 1.1 log @Update xentools48 and xenkernel48 to 4.8.2, and apply security patches up to XSA244. Keep PKGREVISION to 1 to account for the fact that it's not a stock Xen 4.8.2. Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @d1 1 a1 1 $NetBSD: $ @ 1.1.4.1 log @Pullup ticket #5693 - requested by bouyer sysutils/xenkernel48: security fix sysutils/xentools48: security fix Revisions pulled up: - sysutils/xenkernel48/Makefile 1.12 - sysutils/xenkernel48/distinfo 1.6 - sysutils/xenkernel48/patches/patch-XSA231 deleted - sysutils/xenkernel48/patches/patch-XSA232 deleted - sysutils/xenkernel48/patches/patch-XSA234 deleted - sysutils/xenkernel48/patches/patch-XSA237 deleted - sysutils/xenkernel48/patches/patch-XSA238 deleted - sysutils/xenkernel48/patches/patch-XSA239 deleted - sysutils/xenkernel48/patches/patch-XSA240 deleted - sysutils/xenkernel48/patches/patch-XSA241 deleted - sysutils/xenkernel48/patches/patch-XSA242 deleted - sysutils/xenkernel48/patches/patch-XSA243 deleted - sysutils/xenkernel48/patches/patch-XSA244 deleted - sysutils/xenkernel48/patches/patch-XSA246 deleted - sysutils/xenkernel48/patches/patch-XSA247 deleted - sysutils/xenkernel48/patches/patch-XSA248 deleted - sysutils/xenkernel48/patches/patch-XSA249 deleted - sysutils/xenkernel48/patches/patch-XSA250 deleted - sysutils/xenkernel48/patches/patch-XSA251 deleted - sysutils/xenkernel48/patches/patch-XSA254-1 deleted - sysutils/xenkernel48/patches/patch-XSA254-2 deleted - sysutils/xenkernel48/patches/patch-XSA254-3 deleted - sysutils/xenkernel48/patches/patch-XSA254-4 deleted - sysutils/xentools48/Makefile 1.16 - sysutils/xentools48/distinfo 1.7-1.8 - sysutils/xentools48/patches/patch-XSA233 deleted - sysutils/xentools48/patches/patch-XSA240 deleted --- Module Name: pkgsrc Committed By: bouyer Date: Wed Jan 24 23:29:33 UTC 2018 Modified Files: pkgsrc/sysutils/xenkernel48: Makefile distinfo pkgsrc/sysutils/xentools48: Makefile distinfo Removed Files: pkgsrc/sysutils/xenkernel48/patches: patch-XSA231 patch-XSA232 patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240 patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244 patch-XSA246 patch-XSA247 patch-XSA248 patch-XSA249 patch-XSA250 patch-XSA251 patch-XSA254-1 patch-XSA254-2 patch-XSA254-3 patch-XSA254-4 pkgsrc/sysutils/xentools48/patches: patch-XSA233 patch-XSA240 Log Message: Update xen 4.8 packages to 4.8.3. Changes since 4.8.2: include patches from all security advisory up to and including XSA254. While there pass XEN_VENDORVERSION=nb${PKGREVISION} to make so that 'xl info' shows the NetBSD PKGREVISION. If PKGREVISION is not available, define this as 'nb0'. --- Module Name: pkgsrc Committed By: bouyer Date: Sat Jan 27 16:44:40 UTC 2018 Modified Files: pkgsrc/sysutils/xentools48: distinfo Log Message: Remove entries for patch-XSA233 and patch-XSA240 which have been deleted. @ text @d1 1 a1 1 $NetBSD: patch-XSA243,v 1.1 2017/10/17 08:42:30 bouyer Exp $ @ 1.1.2.1 log @file patch-XSA243 was added on branch pkgsrc-2017Q3 on 2017-10-17 19:02:25 +0000 @ text @d1 95 @ 1.1.2.2 log @Pullup ticket #5579 - requested by bouyer sysutils/xenkernel48, sysutils/xentools48: security fix Revisions pulled up: - sysutils/xenkernel48/MESSAGE 1.2 - sysutils/xenkernel48/Makefile 1.6 - sysutils/xenkernel48/distinfo 1.3 - sysutils/xenkernel48/patches/patch-XSA-212 deleted - sysutils/xenkernel48/patches/patch-XSA231 1.1 - sysutils/xenkernel48/patches/patch-XSA232 1.1 - sysutils/xenkernel48/patches/patch-XSA234 1.1 - sysutils/xenkernel48/patches/patch-XSA237 1.1 - sysutils/xenkernel48/patches/patch-XSA238 1.1 - sysutils/xenkernel48/patches/patch-XSA239 1.1 - sysutils/xenkernel48/patches/patch-XSA240 1.1 - sysutils/xenkernel48/patches/patch-XSA241 1.1 - sysutils/xenkernel48/patches/patch-XSA242 1.1 - sysutils/xenkernel48/patches/patch-XSA243 1.1 - sysutils/xenkernel48/patches/patch-XSA244 1.1 - sysutils/xentools48/Makefile 1.8 - sysutils/xentools48/distinfo 1.4 - sysutils/xentools48/patches/patch-XSA-211-1 deleted - sysutils/xentools48/patches/patch-XSA-211-2 deleted - sysutils/xentools48/patches/patch-XSA233 1.1 - sysutils/xentools48/patches/patch-XSA240 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Tue Oct 17 08:42:30 UTC 2017 Modified Files: pkgsrc/sysutils/xenkernel48: MESSAGE Makefile distinfo pkgsrc/sysutils/xentools48: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel48/patches: patch-XSA231 patch-XSA232 patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240 patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244 pkgsrc/sysutils/xentools48/patches: patch-XSA233 patch-XSA240 Removed Files: pkgsrc/sysutils/xenkernel48/patches: patch-XSA-212 pkgsrc/sysutils/xentools48/patches: patch-XSA-211-1 patch-XSA-211-2 Log Message: Update xentools48 and xenkernel48 to 4.8.2, and apply security patches up to XSA244. Keep PKGREVISION to 1 to account for the fact that it's not a stock Xen 4.8.2. Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @a0 95 $NetBSD: patch-XSA243,v 1.1 2017/10/17 08:42:30 bouyer Exp $ From: Andrew Cooper Subject: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests When initially creating a monitor table for 4-level translated guests, don't install a shadow-linear mapping. This mapping is actually self-linear, and trips up the writeable heuristic logic into following Xen's mappings, not the guests' shadows it was expecting to follow. A consequence of this is that sh_guess_wrmap() needs to cope with there being no shadow-linear mapping present, which in practice occurs once each time a vcpu switches to 4-level paging from a different paging mode. An appropriate shadow-linear slot will be inserted into the monitor table either while constructing lower level monitor tables, or by sh_update_cr3(). While fixing this, clarify the safety of the other mappings. Despite appearing unsafe, it is correct to create a guest-linear mapping for translated domains; this is self-linear and doesn't point into the translated domain. Drop a dead clause for translate != external guests. This is XSA-243. Signed-off-by: Andrew Cooper Acked-by: Tim Deegan diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index d70b1c6..029e8d4 100644 --- xen/arch/x86/mm/shadow/multi.c.orig +++ xen/arch/x86/mm/shadow/multi.c @@@@ -1472,26 +1472,38 @@@@ void sh_install_xen_entries_in_l4(struct domain *d, mfn_t gl4mfn, mfn_t sl4mfn) sl4e[shadow_l4_table_offset(RO_MPT_VIRT_START)] = shadow_l4e_empty(); } - /* Shadow linear mapping for 4-level shadows. N.B. for 3-level - * shadows on 64-bit xen, this linear mapping is later replaced by the - * monitor pagetable structure, which is built in make_monitor_table - * and maintained by sh_update_linear_entries. */ - sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); - - /* Self linear mapping. */ - if ( shadow_mode_translate(d) && !shadow_mode_external(d) ) + /* + * Linear mapping slots: + * + * Calling this function with gl4mfn == sl4mfn is used to construct a + * monitor table for translated domains. In this case, gl4mfn forms the + * self-linear mapping (i.e. not pointing into the translated domain), and + * the shadow-linear slot is skipped. The shadow-linear slot is either + * filled when constructing lower level monitor tables, or via + * sh_update_cr3() for 4-level guests. + * + * Calling this function with gl4mfn != sl4mfn is used for non-translated + * guests, where the shadow-linear slot is actually self-linear, and the + * guest-linear slot points into the guests view of its pagetables. + */ + if ( shadow_mode_translate(d) ) { - // linear tables may not be used with translated PV guests - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + ASSERT(mfn_eq(gl4mfn, sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = shadow_l4e_empty(); } else { - sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = - shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + ASSERT(!mfn_eq(gl4mfn, sl4mfn)); + + sl4e[shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(sl4mfn, __PAGE_HYPERVISOR); } + sl4e[shadow_l4_table_offset(LINEAR_PT_VIRT_START)] = + shadow_l4e_from_mfn(gl4mfn, __PAGE_HYPERVISOR); + unmap_domain_page(sl4e); } #endif @@@@ -4287,6 +4299,11 @@@@ static int sh_guess_wrmap(struct vcpu *v, unsigned long vaddr, mfn_t gmfn) /* Carefully look in the shadow linear map for the l1e we expect */ #if SHADOW_PAGING_LEVELS >= 4 + /* Is a shadow linear map is installed in the first place? */ + sl4p = v->arch.paging.shadow.guest_vtable; + sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START); + if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) + return 0; sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr); if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) ) return 0; @