diff options
| author | Tim Deegan <tim@xen.org> | 2013-09-30 14:23:33 +0200 |
|---|---|---|
| committer | Jan Beulich <jbeulich@suse.com> | 2013-09-30 14:23:33 +0200 |
| commit | 0155524aa6bf4ea4947c865dee4b13dd3dec6427 (patch) | |
| tree | a1ee44058af6a1342da0c7f4eec3301ba7b60733 /.hgignore | |
| parent | 43aef4c11dcd40de6a91eb3483a0922d894e5eee (diff) | |
| download | xen-0155524aa6bf4ea4947c865dee4b13dd3dec6427.tar.gz xen-0155524aa6bf4ea4947c865dee4b13dd3dec6427.tar.bz2 xen-0155524aa6bf4ea4947c865dee4b13dd3dec6427.zip | |
x86/mm/shadow: Fix initialization of PV shadow L4 tables.
Shadowed PV L4 tables must have the same Xen mappings as their
unshadowed equivalent. This is done by copying the Xen entries
verbatim from the idle pagetable, and then using guest_l4_slot()
in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
the top of the address space, which causes the shadow code to
copy Xen mappings into guest-kernel-address slots too.
In the common case, all those slots are zero in the idle pagetable,
and no harm is done. But if any slot above #271 is non-zero, Xen will
crash when that slot is later cleared (it attempts to drop
shadow-pagetable refcounts on its own L4 pagetables).
Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
Monitor pagetables need the full Xen mappings, so they keep using the
old name (with its new semantics).
This is CVE-2013-4356 / XSA-64.
Signed-off-by: Tim Deegan <tim@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: f46befdd825c8a459c5eb21adb7d5b0dc6e30ad5
master date: 2013-09-30 14:18:25 +0200
Diffstat (limited to '.hgignore')
0 files changed, 0 insertions, 0 deletions