[Xen-changelog] [xen stable-4.1] x86: enforce preemption in HVM_set_mem_access / p2m_set_mem_access()
commit cfe54268832a964fd873ef1364bc9556ea9d6591 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue Mar 25 17:27:40 2014 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Mar 25 17:27:40 2014 +0100 x86: enforce preemption in HVM_set_mem_access / p2m_set_mem_access() Processing up to 4G PFNs may take almost arbitrarily long, so preemption is needed here. This is CVE-2014-2599 / XSA-89. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Tim Deegan <tim@xxxxxxx> --- xen/arch/x86/hvm/hvm.c | 13 ++++++++++++- 1 files changed, 12 insertions(+), 1 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 9469499..bf0ad26 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -3755,7 +3755,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg) ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) goto param_fail5; - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) + for ( pfn = a.first_pfn; a.nr; ++pfn ) { p2m_type_t t; mfn_t mfn; @@ -3768,6 +3768,17 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg) p2m_unlock(p2m); if ( !success ) goto param_fail5; + + /* Check for continuation if it's not the last interation. */ + if ( --a.nr && hypercall_preempt_check() ) + { + a.first_pfn = pfn + 1; + if ( copy_to_guest(arg, &a, 1) ) + rc = -EFAULT; + else + rc = -EAGAIN; + goto param_fail5; + } } rc = 0; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.1 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
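Review bot: in the first hunk (@@ -3755,7), the new loop header `for ( pfn = a.first_pfn; a.nr; ++pfn )` has no step that changes a.nr, so termination depends entirely on the `--a.nr` that the second hunk places at the bottom of the body. A `continue` added to the body later would skip that decrement and the loop would no longer terminate inside the hypervisor, which is the kind of unbounded processing this change is meant to remove. A short comment at the loop header saying that a.nr is decremented in the preemption check would make the dependency visible; alternatively, decrement in the header (`++pfn, --a.nr`) and test for the last iteration separately.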
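Review bot: in the second hunk (@@ -3768,6), the preempted path writes the advanced first_pfn and the reduced nr back with copy_to_guest() and returns -EAGAIN, which turns the argument structure into an in/out parameter and leaves the restart to the caller, yet nothing in the patch documents either. The interface description for this operation should say that -EAGAIN means partial progress and that the call has to be re-issued with the updated structure. Because that structure sits in guest memory between the two calls, the comment should also note that a re-issued call passes through the range check ahead of the loop again, so the restart values are not trusted. Two smaller points: "interation" in the new comment should be "iteration", and the continuation path leaves through `param_fail5`, which reads as an error label for what is a normal exit.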