From: Jan Beulich <jbeulich@suse.com>
Date: Tue, 17 Jun 2014 13:21:10 +0000 (+0200)
Subject: page-alloc: scrub pages used by hypervisor upon freeing
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~4853
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=4bd78937ec324bcef4e29ef951e0ff9815770de1;p=xen.git

page-alloc: scrub pages used by hypervisor upon freeing

... unless they're part of a fully separate pool (and hence can't ever
be used for guest allocations).

This is CVE-2014-4021 / XSA-100.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
---

diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index 1b2d541ef8..58677d0b15 100644
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -1587,7 +1587,10 @@ void free_xenheap_pages(void *v, unsigned int order)
     pg = virt_to_page(v);
 
     for ( i = 0; i < (1u << order); i++ )
+    {
+        scrub_one_page(&pg[i]);
         pg[i].count_info &= ~PGC_xen_heap;
+    }
 
     free_heap_pages(pg, order);
 }
@@ -1757,6 +1760,8 @@ void free_domheap_pages(struct page_info *pg, unsigned int order)
     else
     {
         /* Freeing anonymous domain-heap pages. */
+        for ( i = 0; i < (1 << order); i++ )
+            scrub_one_page(&pg[i]);
         free_heap_pages(pg, order);
         drop_dom_ref = 0;
     }