From: Julien Grall Date: Sat, 17 Apr 2021 16:38:28 +0000 (+0100) Subject: xen/arm: Boot modules should always be scrubbed if bootscrub={on, idle} X-Git-Tag: archive/raspbian/4.16.0+51-g0941d6cb-1+rpi1~2^2~42^2~462 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fd5dc41ceaed9cfcfa011cdfd50f264c89277a90;p=xen.git xen/arm: Boot modules should always be scrubbed if bootscrub={on, idle} The function to initialize the pages (see init_heap_pages()) will request scrub when the admin request idle bootscrub (default) and state == SYS_STATE_active. When bootscrub=on, Xen will scrub any free pages in heap_init_late(). Currently, the boot modules (e.g. kernels, initramfs) will be discarded/ freed after heap_init_late() is called and system_state switched to SYS_STATE_active. This means the pages associated with the boot modules will not get scrubbed before getting re-purposed. If the memory is assigned to an untrusted domU, it may be able to retrieve secrets from the modules. This is part of XSA-372 / CVE-2021-28693. Fixes: 1774e9b1df27 ("xen/arm: introduce create_domUs") Signed-off-by: Julien Grall Reviewed-by: Jan Beulich Reviewed-by: Stefano Stabellini Tested-by: Stefano Stabellini --- diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index e17532c132..63a908e325 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -71,8 +71,6 @@ domid_t __read_mostly max_init_domid; static __used void init_done(void) { - discard_initial_modules(); - /* Must be done past setting system_state. */ unregister_init_virtual_region(); @@ -999,6 +997,12 @@ void __init start_xen(unsigned long boot_phys_offset, if ( acpi_disabled ) create_domUs(); + /* + * This needs to be called **before** heap_init_late() so modules + * will be scrubbed (unless suppressed). + */ + discard_initial_modules(); + heap_init_late(); init_trace_bufs();
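Review bot: the comment added above the new discard_initial_modules() call in start_xen() says the modules "will be scrubbed (unless suppressed)" without saying what suppresses it; since the commit message's reasoning is that init_heap_pages() only scrubs for bootscrub=on/idle, consider stating that directly, e.g. `* will be scrubbed unless the admin passed bootscrub=off.`, so a later reader does not have to reconstruct the XSA-372 rationale. Also worth confirming in review that discard_initial_modules() has no dependency on system_state already being SYS_STATE_active: the first hunk removes it from init_done(), where it ran after that switch, and the second hunk now runs it before heap_init_late(); the "Must be done past setting system_state." comment left in init_done() should be read as applying only to unregister_init_virtual_region() after this change.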