$NetBSD: patch-CVE-2013-4355_1,v 1.3 2014/03/28 16:07:08 drochner Exp $
http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
also fixes http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html (CVE-2013-4554)
also fixes http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html (CVE-2014-2599)
--- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000
+++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000
@@ -1961,11 +1961,7 @@
 rc = hvm_copy_from_guest_virt( &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
-if ( rc == HVMCOPY_bad_gva_to_gfn )
-goto out;
-if ( rc == HVMCOPY_gfn_paged_out )
-goto out;
-if ( rc == HVMCOPY_gfn_shared )
+if ( rc != HVMCOPY_okay )
 goto out;
 eflags = regs->eflags;
@@ -2010,13 +2006,11 @@
 rc = hvm_copy_from_guest_virt( &tss, tr.base, sizeof(tss), PFEC_page_present);
-if ( rc == HVMCOPY_bad_gva_to_gfn )
-goto out;
-if ( rc == HVMCOPY_gfn_paged_out )
-goto out;
-/* Note: this could be optimised, if the callee functions knew we want RO
-* access */
-if ( rc == HVMCOPY_gfn_shared )
+/*
+* Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
+* functions knew we want RO access.
+*/
+if ( rc != HVMCOPY_okay )
 goto out;
@@ -2834,7 +2828,7 @@
 case 4:
 case 2:
 hvm_get_segment_register(curr, x86_seg_ss, &sreg);
-if ( unlikely(sreg.attr.fields.dpl == 3) )
+if ( unlikely(sreg.attr.fields.dpl) )
 {
 default:
 regs->eax = -EPERM;
@@ -3746,7 +3740,7 @@
 ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
 goto param_fail5;
-for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
+for ( pfn = a.first_pfn; a.nr; ++pfn )
 {
 p2m_type_t t;
 mfn_t mfn;
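Review bot: The new `if ( rc != HVMCOPY_okay )` test also rejects the HVMCOPY_unhandleable result, which the three removed comparisons let fall through, but nothing in the hunk records that this widening is the point of the change, so a later reader could "simplify" it back to the enumerated form. Suggest a why-comment above the check, e.g. `/* Abort on any copy failure: tss must not be consumed unless it was fully read from the guest. */`, and the same in the second hunk (`@@ -2010`), where the rewritten RO-access note could carry that sentence. Whether the partially-filled `tss` is actually read further down is not visible here — presumably it is, given the CVE-2013-4355 reference in the preamble; confirm before wording the comment. The enclosing function (task-switch code, judging by `prev_tr`/`tr`/`tss`) starts and ends outside both hunks.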
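Review bot: The relaxed guard `if ( unlikely(sreg.attr.fields.dpl) )` now refuses the request from any non-zero SS DPL (effectively the CPL), not only ring 3, yet the line carries no comment, and the `default:` label tucked inside the braces makes the control flow easy to misread on a second pass. Suggest `/* Only ring 0 may issue this; rings 1-3 all get -EPERM, not just user mode (ring 3). */` directly above the check. The enclosing switch and its function begin and end outside the hunk, so what `case 4`/`case 2` select on cannot be confirmed here.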
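Review bot: The rewritten header `for ( pfn = a.first_pfn; a.nr; ++pfn )` makes termination depend on a `--a.nr` that lives in the body, in the next hunk (`@@ -3759`), so the loop line alone no longer says how many iterations run; suggest `/* a.nr is counted down in the body and is also what the continuation writes back. */` on the for line. Note too that the old form `pfn < a.first_pfn + a.nr` happened to run zero times if the sum wrapped, whereas the new form runs `a.nr` times regardless, so the range check two lines above (`a.first_pfn + a.nr - 1 > domain_get_maximum_gpfn(d)`) must be paired with a wrap test on `first_pfn + nr`; presumably the lines just above the hunk provide one, but they are not visible here and should be confirmed. The enclosing function starts and ends outside the hunk.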
@@ -3759,6 +3753,17 @@
 p2m_unlock(p2m);
 if ( !success )
 goto param_fail5;
+
+/* Check for continuation if it's not the last interation. */
+if ( --a.nr && hypercall_preempt_check() )
+{
+a.first_pfn = pfn + 1;
+if ( copy_to_guest(arg, &a, 1) )
+rc = -EFAULT;
+else
+rc = -EAGAIN;
+goto param_fail5;
+}
 }
 rc = 0;
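Review bot: The added comment misspells "iteration"; it should read `/* Check for continuation if it's not the last iteration. */`. Beyond the typo, the continuation path hands the updated `a` back to the guest via `copy_to_guest(arg, &a, 1)` and returns -EAGAIN, so the re-issued hypercall reads `first_pfn`/`nr` from guest memory again and correctness depends on the range check above the loop (previous hunk, `@@ -3746`) being re-run on every entry — a one-line comment at the `a.first_pfn = pfn + 1;` store saying that the guest may alter the values before re-issue and that re-entry re-validates them would make the design explicit. On the -EFAULT path the access changes already applied in earlier iterations are kept; presumably acceptable, but worth stating next to the `rc = -EFAULT;` line. The enclosing function starts and ends outside the hunk.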