| Brad Bishop | 316dfdd | 2018-06-25 12:45:53 -0400 | [diff] [blame] | 1 | From: Jan Beulich <jbeulich@suse.com> |
| 2 | Subject: x86/shadow: fix ref-counting error handling |
| 3 | |
| 4 | The old-Linux handling in shadow_set_l4e() mistakenly ORed together the |
| 5 | results of sh_get_ref() and sh_pin(). As the latter failing is not a |
| 6 | correctness problem, simply ignore its return value. |
| 7 | |
| 8 | In sh_set_toplevel_shadow() a failing sh_get_ref() must not be |
| 9 | accompanied by installing the entry, despite the domain being crashed. |
| 10 | |
| 11 | This is XSA-250. |
| 12 | |
| 13 | Signed-off-by: Jan Beulich <jbeulich@suse.com> |
| 14 | Reviewed-by: Tim Deegan <tim@xen.org> |
| 15 | |
| 16 | --- a/xen/arch/x86/mm/shadow/multi.c |
| 17 | +++ b/xen/arch/x86/mm/shadow/multi.c |
| 18 | @@ -923,7 +923,7 @@ static int shadow_set_l4e(struct domain |
| 19 | shadow_l4e_t new_sl4e, |
| 20 | mfn_t sl4mfn) |
| 21 | { |
| 22 | - int flags = 0, ok; |
| 23 | + int flags = 0; |
| 24 | shadow_l4e_t old_sl4e; |
| 25 | paddr_t paddr; |
| 26 | ASSERT(sl4e != NULL); |
| 27 | @@ -938,15 +938,16 @@ static int shadow_set_l4e(struct domain |
| 28 | { |
| 29 | /* About to install a new reference */ |
| 30 | mfn_t sl3mfn = shadow_l4e_get_mfn(new_sl4e); |
| 31 | - ok = sh_get_ref(d, sl3mfn, paddr); |
| 32 | - /* Are we pinning l3 shadows to handle wierd linux behaviour? */ |
| 33 | - if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) |
| 34 | - ok |= sh_pin(d, sl3mfn); |
| 35 | - if ( !ok ) |
| 36 | + |
| 37 | + if ( !sh_get_ref(d, sl3mfn, paddr) ) |
| 38 | { |
| 39 | domain_crash(d); |
| 40 | return SHADOW_SET_ERROR; |
| 41 | } |
| 42 | + |
| 43 | + /* Are we pinning l3 shadows to handle weird Linux behaviour? */ |
| 44 | + if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) ) |
| 45 | + sh_pin(d, sl3mfn); |
| 46 | } |
| 47 | |
| 48 | /* Write the new entry */ |
| 49 | @@ -3965,14 +3966,15 @@ sh_set_toplevel_shadow(struct vcpu *v, |
| 50 | |
| 51 | /* Take a ref to this page: it will be released in sh_detach_old_tables() |
| 52 | * or the next call to set_toplevel_shadow() */ |
| 53 | - if ( !sh_get_ref(d, smfn, 0) ) |
| 54 | + if ( sh_get_ref(d, smfn, 0) ) |
| 55 | + new_entry = pagetable_from_mfn(smfn); |
| 56 | + else |
| 57 | { |
| 58 | SHADOW_ERROR("can't install %#lx as toplevel shadow\n", mfn_x(smfn)); |
| 59 | domain_crash(d); |
| 60 | + new_entry = pagetable_null(); |
| 61 | } |
| 62 | |
| 63 | - new_entry = pagetable_from_mfn(smfn); |
| 64 | - |
| 65 | install_new_entry: |
| 66 | /* Done. Install it */ |
| 67 | SHADOW_PRINTK("%u/%u [%u] gmfn %#"PRI_mfn" smfn %#"PRI_mfn"\n", |