diff options
Diffstat (limited to 'app-emulation/files/xen-3.4.2-fix-__addr_ok-limit.patch')
| -rw-r--r-- | app-emulation/files/xen-3.4.2-fix-__addr_ok-limit.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/app-emulation/files/xen-3.4.2-fix-__addr_ok-limit.patch b/app-emulation/files/xen-3.4.2-fix-__addr_ok-limit.patch new file mode 100644 index 0000000..8616008 --- /dev/null +++ b/app-emulation/files/xen-3.4.2-fix-__addr_ok-limit.patch @@ -0,0 +1,101 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + Xen Security Advisory CVE-2011-2901 / XSA-4 + revision no.2 + Xen <= 3.3 DoS due to incorrect virtual address validation + +ISSUE DESCRIPTION +================= + +The x86_64 __addr_ok() macro intends to ensure that the checked +address is either in the positive half of the 48-bit virtual address +space, or above the Xen-reserved area. However, the current shift +count is off-by-one, allowing full access to the "negative half" too, +via certain hypercalls which ignore virtual-address bits [63:48]. +Vulnerable hypercalls exist only in very old versions of the +hypervisor. + +VULNERABLE SYSTEMS +================== + +All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV +guests with untrusted administrators are vulnerable. + +IMPACT +====== + +A malicious guest administrator on a vulnerable system is able to +crash the host. + +There are no known further exploits but these have not been ruled out. + +RESOLUTION +========== + +The attached patch resolves the issue. + +Alternatively, users may choose to upgrade to a more recent hypervisor + +PATCHES +======= + +The following patch resolves this issue. + +Filename: fix-__addr_ok-limit.patch +SHA1: f18bde8d276110451c608a16f577865aa1226b4f +SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636 + +This patch should apply cleanly, and fix the problem, for all affected +versions of Xen. + +It is harmless when applied to later hypervisors and will be included +in the Xen unstable branch in due course. + +VERSION HISTORY +=============== + +Analysis following version 1 of this advisory (sent out to the +predisclosure list during the embargo period) indicates that the +actual DoS vulnerability only exists in very old hypervisors, Xen 3.3 +and earlier, contrary to previous reports. + +This advisory is no longer embargoed. +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (GNU/Linux) + +iQEcBAEBAgAGBQJOYLq2AAoJEIP+FMlX6CvZLegH/26/oJBkd/WM/yYhXkzlbnIP +MxF6Fgy96Omu8poQTanD7g1vEcM0TOLY+Kk3GGsfj4aDdEJ5Nq4ZOW8ooI0VnVcD +7VXQqFsXPxre+eZ6g+G0AsmzdsG45C3qujUTRfGKqzYwXqjWjt9nNsdIy1Mrz8/4 +zG1uLDkN0LXnBG2Te4q8ZckYwMq8gFXHHnH35RfQ5Besu6pvJmtK3rFXETdlP12A +JjBh7t5jsCfzvYWFQehVp8mJupuftiOBPClmVh4vrvN9gYd5rzEgB4Q9Ioiqz2qT +2bE1zegR8NeOKBOi9xriTU8F530OdFzeWAbo7D5gyEbYdc60eNwbadcgNGLbzMg= +=09T8 +-----END PGP SIGNATURE----- + +Subject: XSA-4: xen: correct limit checking in x86_64 version of __addr_ok + +The x86_64 __addr_ok() macro intends to ensure that the checked +address is either in the positive half of the 48-bit virtual address +space, or above the Xen-reserved area. However, the current shift +count is off-by-one, allowing full access to the "negative half" +too. Guests may exploit this to gain access to off-limits ranges. + +This issue has been assigned CVE-2011-2901. + +Signed-off-by: Laszlo Ersek <lersek@...hat.com> +Signed-off-by: Ian Campbell <ian.campbell@...rix.com> + +diff --git a/xen/include/asm-x86/x86_64/uaccess.h +b/xen/include/asm-x86/x86_64/uaccess.h +--- a/xen/include/asm-x86/x86_64/uaccess.h ++++ b/xen/include/asm-x86/x86_64/uaccess.h +@@ -34,7 +34,7 @@ + * non-canonical address (and thus fault) before ever reaching VIRT_START. + */ + #define __addr_ok(addr) \ +- (((unsigned long)(addr) < (1UL<<48)) || \ ++ (((unsigned long)(addr) < (1UL<<47)) || \ + ((unsigned long)(addr) >= HYPERVISOR_VIRT_END)) + + #define access_ok(addr, size) \ |