[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.12] xen/arm: Boot modules should always be scrubbed if bootscrub={on, idle}

commit aa8866c1e0a92342166c2786ed4ae2455eb7ce61
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Sat Apr 17 17:38:28 2021 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Jun 8 19:14:03 2021 +0100

    xen/arm: Boot modules should always be scrubbed if bootscrub={on, idle}
    
    The function to initialize the pages (see init_heap_pages()) will request
    scrub when the admin request idle bootscrub (default) and state ==
    SYS_STATE_active. When bootscrub=on, Xen will scrub any free pages in
    heap_init_late().
    
    Currently, the boot modules (e.g. kernels, initramfs) will be discarded/
    freed after heap_init_late() is called and system_state switched to
    SYS_STATE_active. This means the pages associated with the boot modules
    will not get scrubbed before getting re-purposed.
    
    If the memory is assigned to an untrusted domU, it may be able to
    retrieve secrets from the modules.
    
    This is part of XSA-372 / CVE-2021-28693.
    
    Fixes: 1774e9b1df27 ("xen/arm: introduce create_domUs")
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    Tested-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    (cherry picked from commit fd5dc41ceaed9cfcfa011cdfd50f264c89277a90)
---
 xen/arch/arm/setup.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 0e54e9c73e..ba95c06d89 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -73,7 +73,6 @@ static __used void init_done(void)
     /* Must be done past setting system_state. */
     unregister_init_virtual_region();
 
-    discard_initial_modules();
     free_init_memory();
     startup_cpu_idle_loop();
 }
@@ -904,6 +903,12 @@ void __init start_xen(unsigned long boot_phys_offset,
 
     create_domUs();
 
+    /*
+     * This needs to be called **before** heap_init_late() so modules
+     * will be scrubbed (unless suppressed).
+     */
+    discard_initial_modules();
+
     heap_init_late();
 
     init_trace_bufs();
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.12

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.