From fc12722ee7c5fc2e776c768e2c9fbb10586d61a1 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Thu, 29 Oct 2015 13:47:38 +0100
Subject: [PATCH] arm: handle races between relinquish_memory and free_domheap_pages

Primarily this means XENMEM_decrease_reservation from a toolstack domain.

Unlike x86 we have no requirement right now to queue such pages onto a separate list, if we hit this race then the other code has already fully accepted responsibility for freeing this page and therefore there is no more for relinquish_memory to do.

This is CVE-2015-7814 / XSA-147.

Signed-off-by: Ian Campbell
Reviewed-by: Julien Grall
Reviewed-by: Jan Beulich
master commit: 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
master date: 2015-10-29 13:34:17 +0100
(cherry picked from commit df6fa370865717ee51530c0102d1e983a70d37c3)

Patch-Name: CVE-2015-7814.diff
Gbp-Pq: Name CVE-2015-7814.diff
---
 xen/arch/arm/domain.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index b9a422656e..20cc772ac8 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -768,8 +768,15 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list)
{
/* Grab a reference to the page so it won't disappear from under us. */
if ( unlikely(!get_page(page, d)) )
- /* Couldn't get a reference -- someone is freeing this page. */
- BUG();
+ /*
+ * Couldn't get a reference -- someone is freeing this page and
+ * has already committed to doing so, so no more to do here.
+ *
+ * Note that the page must be left on the list, a list_del
+ * here will clash with the list_del done by the other
+ * party in the race and corrupt the list head.
+ */
+ continue;
if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
put_page(page);
--
2.30.2
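Review bot: The new comment above `continue;` says why the page must stay on the list, but not what keeps this loop's iteration state valid while the other party's list_del is still pending, and that is the invariant the fix actually rests on. The loop header and the start of relinquish_memory are outside the hunk, so whatever serialises the freeing path's list removal against this walk (presumably a lock on the domain's page list taken earlier in the function — to be confirmed from the full source) is not visible here and is worth naming in the comment, e.g. `* The other party removes the page from the list under the same lock we hold here, so skipping it cannot invalidate our iteration.` It would also help a future reader to state the ordering the race detection depends on: get_page() can only fail here because the freeing side has already dropped the page's reference before touching the list, which is what makes "already committed" true; if that ordering is not guaranteed by free_domheap_pages, the continue would be skipping a page nobody frees. Minor style point: the `if` now has an unbraced body that runs nine lines of comment before the single `continue;`; keeping the comment inside the `if` with braces, or moving it above the `if`, would make the controlled statement easier to spot.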