From: Jan Beulich <jbeulich@suse.com>
Date: Wed, 27 Nov 2013 08:00:41 +0000 (+0100)
Subject: x86: restrict XEN_DOMCTL_getmemlist
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~5860
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=19f027cc5daff4a37fd0a28bca2514c721852dd0;p=xen.git

x86: restrict XEN_DOMCTL_getmemlist

Coverity ID 1055652

(See the code comment.)

This is CVE-2013-4553 / XSA-74.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
---

diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 864421864e..ef6c140e34 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -329,6 +329,26 @@ long arch_do_domctl(
             break;
         }
 
+        /*
+         * XSA-74: This sub-hypercall is broken in several ways:
+         * - lock order inversion (p2m locks inside page_alloc_lock)
+         * - no preemption on huge max_pfns input
+         * - not (re-)checking d->is_dying with page_alloc_lock held
+         * - not honoring start_pfn input (which libxc also doesn't set)
+         * Additionally it is rather useless, as the result is stale by the
+         * time the caller gets to look at it.
+         * As it only has a single, non-production consumer (xen-mceinj),
+         * rather than trying to fix it we restrict it for the time being.
+         */
+        if ( /* No nested locks inside copy_to_guest_offset(). */
+             paging_mode_external(current->domain) ||
+             /* Arbitrary limit capping processing time. */
+             max_pfns > GB(4) / PAGE_SIZE )
+        {
+            ret = -EOPNOTSUPP;
+            break;
+        }
+
         spin_lock(&d->page_alloc_lock);
 
         ret = i = 0;