$NetBSD: patch-CVE-2014-7154,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86/shadow: fix race condition sampling the dirty vram state
d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
If not, two concurrent hypercalls could both end up attempting to free
dirty_vram (the second of which will free a wild pointer), or both end up
allocating a new dirty_vram structure (the first of which will be leaked).
This is XSA-104.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200
|
|
+++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200
|
|
@@ -3640,7 +3640,7 @@
|
|
int flush_tlb = 0;
|
|
unsigned long i;
|
|
p2m_type_t t;
|
|
- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
|
|
+ struct sh_dirty_vram *dirty_vram;
|
|
struct p2m_domain *p2m = p2m_get_hostp2m(d);
|
|
|
|
if (end_pfn < begin_pfn
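Review bot: The new declaration `struct sh_dirty_vram *dirty_vram;` carries nothing that tells a later reader why the initializer was dropped, and the invariant the fix depends on (the field is sampled only after `shadow_lock(d)` in the second hunk) lives only in the commit message. A one-line comment on the declaration would keep that invariant next to the code: `struct sh_dirty_vram *dirty_vram; /* read only after shadow_lock(d) below, see XSA-104 */`. Note that the description speaks of the paging lock while this backport takes `shadow_lock(d)`; presumably the two are the same lock in this tree, but that is worth confirming so the comment names the right one. The enclosing function (presumably the dirty-vram tracking hypercall handler, its name is not in the hunk header) starts before this hunk and continues past the second one.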
|
|
@@ -3649,6 +3649,7 @@
|
|
return -EINVAL;
|
|
|
|
shadow_lock(d);
|
|
+ dirty_vram = d->arch.hvm_domain.dirty_vram;
|
|
|
|
if ( dirty_vram && (!nr ||
|
|
( begin_pfn != dirty_vram->begin_pfn
|