Diffstat (limited to '0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch')
-rw-r--r-- | 0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch b/0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
new file mode 100644
index 0000000..9974108
--- /dev/null
+++ b/0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
@@ -0,0 +1,50 @@
+From 887ba097cfcd4454d4707e1bee6504322335ea79 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 21 Mar 2023 12:01:01 +0000
+Subject: [PATCH 03/13] x86/HVM: bound number of pinned cache attribute regions
+
+This is exposed via DMOP, i.e. to potentially not fully privileged
+device models. With that we may not permit registration of an (almost)
+unbounded amount of such regions.
+
+This is CVE-2022-42333 / part of XSA-428.
+
+Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+(cherry picked from commit a5e768640f786b681063f4e08af45d0c4e91debf)
+---
+ xen/arch/x86/hvm/mtrr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
+index fb051d59c3..09a51f415d 100644
+--- a/xen/arch/x86/hvm/mtrr.c
++++ b/xen/arch/x86/hvm/mtrr.c
+@@ -596,6 +596,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
+ uint64_t gfn_end, uint32_t type)
+ {
+ struct hvm_mem_pinned_cacheattr_range *range;
++ unsigned int nr = 0;
+ int rc = 1;
+
+ if ( !is_hvm_domain(d) )
+@@ -667,11 +668,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
+ rc = -EBUSY;
+ break;
+ }
++ ++nr;
+ }
+ rcu_read_unlock(&pinned_cacheattr_rcu_lock);
+ if ( rc <= 0 )
+ return rc;
+
++ if ( nr >= 64 /* The limit is arbitrary. */ )
++ return -ENOSPC;
++
+ range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
+ if ( range == NULL )
+ return -ENOMEM;
+--
+2.40.0
+ |
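Review bot: The `nr >= 64` check in the second hunk of xen/arch/x86/hvm/mtrr.c runs after `rcu_read_unlock()`, so the count it tests was sampled before the new range is allocated and linked. The insertion itself is outside the hunk, but unless it re-validates under whatever lock guards the list, concurrent DMOP requests for the same domain could each observe `nr < 64` and take the total somewhat past the limit. That overshoot would be bounded by the number of in-flight requests, so the cap on hypervisor memory still holds in practice, but it deserves a comment above the check such as `/* Count sampled under RCU only; concurrent callers may exceed the limit by the number of in-flight requests. */`. The bare `64` would also read better as a named constant declared next to the range structure, where the -ENOSPC behaviour seen by the device model can be documented once. The body of hvm_set_mem_pinned_cacheattr starts and ends outside both hunks.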