Xen project Mailing List

[Xen-devel] question: is it a CVE in relinquish_memory()[xen/arch/x86/domain.c]

To: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

From: "Xuquan (Quan Xu)" <xuquan8@xxxxxxxxxx>

Date: Wed, 9 Nov 2016 12:01:52 +0000

Accept-language: en-US

Cc: "Tian, Kevin" <kevin.tian@xxxxxxxxx>, "Liuxiaojian \(alex\)" <liuxiaojian6@xxxxxxxxxx>, "George.Dunlap@xxxxxxxxxxxxx" <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, "Xuquan \(Quan Xu\)" <xuquan8@xxxxxxxxxx>, "JBeulich@xxxxxxxx" <JBeulich@xxxxxxxx>, "dgdegra@xxxxxxxxxxxxx" <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Wed, 09 Nov 2016 12:02:56 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Thread-index: AdI6gFJ/bDEPKV4CSg+PuH+yGI+U1g==

Thread-topic: question: is it a CVE in relinquish_memory()[xen/arch/x86/domain.c]

Hi, Based on CVE-2015-7814 and commit 1ef01396fdff, ' arm: handle races between relinquish_memory and free_domheap_pages'.. relinquish_memory() [xen/arch/arm/domain.c, arm code], when couldn't get a reference -- someone is freeing this page and has already committed to doing so, so no more to do here, continue. But in relinquish_memory()[xen/arch/x86/domain.c, __x86__ code], when couldn't get a reference -- someone is freeing this page, Why adding this page to d->arch.relmem_list again. Is it a CVE to double free page, then hit the ''" alloc_heap_pages() : BUG_ON(pg[i].count_info != PGC_state_free)"" in creating guests later.. ======== [1] CVE-2015-7814 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7814 [2] commit 1ef01396fdff commit 1ef01396fdff88b1c3331a09ca5c69619b90f4ea Author: Ian Campbell <ian.campbell@xxxxxxxxxx> Date: Thu Oct 29 13:34:17 2015 +0100 arm: handle races between relinquish_memory and free_domheap_pages Primarily this means XENMEM_decrease_reservation from a toolstack domain. Unlike x86 we have no requirement right now to queue such pages onto a separate list, if we hit this race then the other code has already fully accepted responsibility for freeing this page and therefore there is no more for relinquish_memory to do. This is CVE-2015-7814 / XSA-147. Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Reviewed-by: Julien Grall <julien.grall@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index 683e769..880d0a6 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -772,8 +772,15 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) { /* Grab a reference to the page so it won't disappear from under us. */ if ( unlikely(!get_page(page, d)) ) - /* Couldn't get a reference -- someone is freeing this page. */ - BUG(); + /* + * Couldn't get a reference -- someone is freeing this page and + * has already committed to doing so, so no more to do here. + * + * Note that the page must be left on the list, a list_del + * here will clash with the list_del done by the other + * party in the race and corrupt the list head. + */ + continue; if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) put_page(page); ~ Quan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.