From ef3cea268fdff77f93368369c5998b1c975aa297 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Wed, 14 Nov 2012 11:36:02 +0000
Subject: [PATCH] x86/physmap: Prevent incorrect updates of m2p mappings

In certain conditions, such as low memory, set_p2m_entry() can fail. Currently, the p2m and m2p tables will get out of sync because we still update the m2p table after the p2m update has failed. If that happens, subsequent guest-invoked memory operations can cause BUG()s and ASSERT()s to kill Xen. This is fixed by only updating the m2p table iff the p2m was successfully updated. This is a security problem, XSA-22 / CVE-2012-4537.

Signed-off-by: Andrew Cooper
Acked-by: Ian Campbell
Acked-by: Ian Jackson
Committed-by: Ian Jackson
---
 xen/arch/x86/mm/p2m.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 9857b5b2de..e35194216c 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d, unsigned long gfn,
 if ( mfn_valid(_mfn(mfn)) )
 {
 if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
+ {
 rc = -EINVAL;
+ goto out; /* Failed to update p2m, bail without updating m2p. */
+ }
 if ( !p2m_is_grant(t) )
 {
 for ( i = 0; i < (1UL << page_order); i++ )
@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d, unsigned long gfn,
 }
 }
+out:
 p2m_unlock(p2m);
 return rc;
-- 
2.30.2
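Review bot: The early bail keeps the m2p consistent with the p2m only if set_p2m_entry() leaves the p2m untouched when it fails; for page_order > 0 it presumably installs the range in pieces, so a failure part-way through could still leave some p2m entries pointing at mfn with no m2p counterpart — worth confirming, and if so documenting on the new line, e.g. `goto out; /* p2m may be partially populated; the m2p is deliberately left untouched. */`. The error code is also worth a look: the commit describes the trigger as low memory, yet `rc = -EINVAL;` is what callers receive, so they cannot tell an allocation failure from a bad argument; `-ENOMEM` would be the conventional choice if set_p2m_entry() only fails for allocation reasons, though changing it is outside this fix. The `out:` label added in the second hunk sits directly before `p2m_unlock(p2m);`, so the p2m lock is released on the new path. guest_physmap_add_entry() begins before the first hunk and ends after the second, so any earlier teardown of the old mapping for this gfn is not visible here.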