[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Xen Security Advisory 268 v3 (CVE-2018-15469) - Use of v2 grant tables may cause cras
From: Xen.org security team <security () xen ! org>
Date: 2018-08-20 9:47:38
Message-ID: E1frgmg-0003fy-TP () xenbits ! xenproject ! org
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2018-15469 / XSA-268
version 3
Use of v2 grant tables may cause crash on ARM
UPDATES IN VERSION 3
====================
CVE assigned.
ISSUE DESCRIPTION
=================
ARM never properly implemented grant table v2, either in the
hypervisor or in Linux.
Unfortunately, an ARM guest can still request v2 grant tables; they
will simply not be properly set up, resulting in subsequent
grant-related hypercalls hitting BUG() checks.
IMPACT
======
An unprivileged guest can cause a BUG() check in the hypervisor,
resulting in a denial-of-service.
VULNERABLE SYSTEMS
==================
Only ARM systems are vulnerable. All supported versions of Xen are
vulnerable.
MITIGATION
==========
None.
CREDITS
=======
This issue was discovered by 王磊 of Samsung.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue by
preventing a guest from switching to grant v2.
xsa268.patch xen-unstable
xsa268-4.11.patch Xen 4.11.0
xsa268-4.10-?.patch Xen 4.10.x
xsa268-4.9-?.patch Xen 4.9.x, Xen 4.8.x
xsa268-4.7-?.patch Xen 4.7.x
xsa268-4.6-?.patch Xen 4.6.x
$ sha256sum xsa268*
f336b45676e73f8b102e5dddf78af2d1d288f9a254142a8a8e9949db55e1cc3b xsa268.meta
ca5f69cb8cfb74fae44a0f39f80ec9ae4d269c4895f36311b50d191be97bbcf0 xsa268.patch
93a68a5b23aedc6adf0aae23303dc8eb2c02dc40a5e1d7eb0a1b497cd66da209 xsa268-4.6-1.patch
5b74afd13d96779a72dc34ba7c63a1735cd267fb9bb643f735ac69b0e6ff54d5 xsa268-4.6-2.patch
820e1018f76ef2828b1cbb33e2966b99f6934a80ab55f11749ff847d375d1b02 xsa268-4.7-1.patch
233f7e69e5fb931d2e5cf03f4407f38ff960c039c9eced957df13d3cc37fa6b1 xsa268-4.7-2.patch
4a0c705f0266185b32daf313e686abc340e2fbb1a1644647500fc405bc180913 xsa268-4.9-1.patch
ce16eaab94cd1e64f9c9127b64da7ebb6a7758eb540fecc3bbcc2dbfbcc4d7e2 xsa268-4.9-2.patch
f413d41fadefe0e275c8bff16a2061bb325f3900b7ccf214a9e97fabf3ee1a89 xsa268-4.10-1.patch
531654f82908c1aa7b0fcea818c82c4b53d4750a697db3353cc05e9e91e5d639 xsa268-4.10-2.patch
baeb6b2c28a9cbe929c9cf34398780002fffe12b928df4d1e5951c0a5b51336a xsa268-4.11.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJbeo4HAAoJEIP+FMlX6CvZxYMH/R1pB/0Qh+eYJevI0XZCh0TX
TlzPkzvTkif3JUfYtms1rVeXdAUoOaZPrMpzZYFWthOHhHR6Y8tiBWxiRGWuEf0a
OaAYTebIQN4U69AUXGaXdA1p1Nnix5guOgljM1EHD3LGEBtadzdYdFfpKrEv1F7L
f8fwLULljcfwHKI7Yv/CwGdRAt2YrtIFqry916yc0RHk2nQpLvX8V+8YXWla8zGR
1Vkin0WoR31qkcakJGXO8jXD1Wpn4J+2lAyMpAiPpN7d8F7/cEOj7huRuTkYFQha
/sTUc5Dy3kniLptJF+2//dLOjwKQKSKd3c8LJjc8IGPCwfpNpVmLaCiB/93AcWk=
=yh+i
-----END PGP SIGNATURE-----
["xsa268.meta" (application/octet-stream)]
["xsa268.patch" (application/octet-stream)]
From: Stefano Stabellini <sstabellini@kernel.org>
Subject: ARM: disable grant table v2
It was never expected to work, the implementation is incomplete.
As a side effect, it also prevents guests from triggering a
"BUG_ON(page_get_owner(pg) != d)" in gnttab_unpopulate_status_frames().
This is XSA-268.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -938,6 +938,8 @@ version are 1 and 2.
use of grant table v2 without transitive grants is an ABI breakage from the
guests point of view.
+The usage of gnttab v2 is not security supported on ARM platforms.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -88,7 +88,11 @@ static unsigned int __read_mostly max_maptrack_frames =
unsigned int __read_mostly opt_max_maptrack_frames = 1024;
integer_runtime_param("gnttab_max_maptrack_frames", opt_max_maptrack_frames);
-static unsigned int __read_mostly opt_gnttab_max_version = 2;
+#ifndef GNTTAB_MAX_VERSION
+#define GNTTAB_MAX_VERSION 2
+#endif
+
+static unsigned int __read_mostly opt_gnttab_max_version = GNTTAB_MAX_VERSION;
static bool __read_mostly opt_transitive_grants = true;
static int __init parse_gnttab(const char *s)
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -7,6 +7,7 @@
#include <xen/sched.h>
#define INITIAL_NR_GRANT_FRAMES 1U
+#define GNTTAB_MAX_VERSION 1
struct grant_table_arch {
gfn_t *shared_gfn;
["xsa268-4.6-1.patch" (application/octet-stream)]
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: common/gnttab: Introduce command line feature controls
This patch was originally released as part of XSA-226. It retains the same
command line syntax (as various downstreams are mitigating XSA-226 using this
mechanism) but the defaults have been updated due to the revised XSA-226
patched, after which transitive grants are believed to functioning
properly.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -787,6 +787,19 @@ Controls EPT related features.
Specify the serial parameters for the GDB stub.
+### gnttab
+> `= List of [ max-ver:<integer>, transitive=<bool> ]`
+
+> Default: `gnttab=max-ver:2,transitive`
+
+Control various aspects of the grant table behaviour available to guests.
+
+* `max-ver` Select the maximum grant table version to offer to guests. Valid
+version are 1 and 2.
+* `transitive` Permit or disallow the use of transitive grants. Note that the
+use of grant table v2 without transitive grants is an ABI breakage from the
+guests point of view.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -62,6 +62,41 @@ integer_param("gnttab_max_frames", max_g
static unsigned int __read_mostly max_maptrack_frames;
integer_param("gnttab_max_maptrack_frames", max_maptrack_frames);
+static unsigned int __read_mostly opt_gnttab_max_version = 2;
+static bool_t __read_mostly opt_transitive_grants = 1;
+
+static int __init parse_gnttab(const char *s)
+{
+ const char *ss, *e;
+ int val, rc = 0;
+
+ do {
+ ss = strchr(s, ',');
+ if ( !ss )
+ ss = strchr(s, '\0');
+
+ if ( !strncmp(s, "max-ver:", 8) ||
+ !strncmp(s, "max_ver:", 8) ) /* Alias for original XSA-226 patch */
+ {
+ long ver = simple_strtol(s + 8, &e, 10);
+
+ if ( e == ss && ver >= 1 && ver <= 2 )
+ opt_gnttab_max_version = ver;
+ else
+ rc = -EINVAL;
+ }
+ else if ( (val = parse_boolean("transitive", s, ss)) >= 0 )
+ opt_transitive_grants = val;
+ else
+ rc = -EINVAL;
+
+ s = ss + 1;
+ } while ( *ss );
+
+ return rc;
+}
+custom_param("gnttab", parse_gnttab);
+
/*
* Note that the three values below are effectively part of the ABI, even if
* we don't need to make them a formal part of it: A guest suspended for
@@ -2532,7 +2567,8 @@ static int gnttab_copy_claim_buf(const s
current->domain->domain_id,
buf->read_only,
&buf->frame, &buf->page,
- &buf->ptr.offset, &buf->len, 1);
+ &buf->ptr.offset, &buf->len,
+ opt_transitive_grants);
if ( rc != GNTST_okay )
goto out;
buf->ptr.u.ref = ptr->u.ref;
@@ -2733,6 +2769,10 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
if ( op.version != 1 && op.version != 2 )
goto out;
+ res = -ENOSYS;
+ if ( op.version == 2 && opt_gnttab_max_version == 1 )
+ goto out; /* Behave as before set_version was introduced. */
+
res = 0;
if ( gt->gt_version == op.version )
goto out;
["xsa268-4.6-2.patch" (application/octet-stream)]
From: Stefano Stabellini <sstabellini@kernel.org>
Subject: ARM: disable grant table v2
It was never expected to work, the implementation is incomplete.
As a side effect, it also prevents guests from triggering a
"BUG_ON(page_get_owner(pg) != d)" in gnttab_unpopulate_status_frames().
This is XSA-268.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -800,6 +800,8 @@ version are 1 and 2.
use of grant table v2 without transitive grants is an ABI breakage from the
guests point of view.
+The usage of gnttab v2 is not security supported on ARM platforms.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -62,7 +62,11 @@ integer_param("gnttab_max_frames", max_g
static unsigned int __read_mostly max_maptrack_frames;
integer_param("gnttab_max_maptrack_frames", max_maptrack_frames);
-static unsigned int __read_mostly opt_gnttab_max_version = 2;
+#ifndef GNTTAB_MAX_VERSION
+#define GNTTAB_MAX_VERSION 2
+#endif
+
+static unsigned int __read_mostly opt_gnttab_max_version = GNTTAB_MAX_VERSION;
static bool_t __read_mostly opt_transitive_grants = 1;
static int __init parse_gnttab(const char *s)
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -4,6 +4,7 @@
#include <xen/grant_table.h>
#define INITIAL_NR_GRANT_FRAMES 4
+#define GNTTAB_MAX_VERSION 1
void gnttab_clear_flag(unsigned long nr, uint16_t *addr);
int create_grant_host_mapping(unsigned long gpaddr,
["xsa268-4.7-1.patch" (application/octet-stream)]
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: common/gnttab: Introduce command line feature controls
This patch was originally released as part of XSA-226. It retains the same
command line syntax (as various downstreams are mitigating XSA-226 using this
mechanism) but the defaults have been updated due to the revised XSA-226
patched, after which transitive grants are believed to functioning
properly.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -812,6 +812,19 @@ Controls EPT related features.
Specify which console gdbstub should use. See **console**.
+### gnttab
+> `= List of [ max-ver:<integer>, transitive=<bool> ]`
+
+> Default: `gnttab=max-ver:2,transitive`
+
+Control various aspects of the grant table behaviour available to guests.
+
+* `max-ver` Select the maximum grant table version to offer to guests. Valid
+version are 1 and 2.
+* `transitive` Permit or disallow the use of transitive grants. Note that the
+use of grant table v2 without transitive grants is an ABI breakage from the
+guests point of view.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -62,6 +62,41 @@ integer_param("gnttab_max_frames", max_g
static unsigned int __read_mostly max_maptrack_frames;
integer_param("gnttab_max_maptrack_frames", max_maptrack_frames);
+static unsigned int __read_mostly opt_gnttab_max_version = 2;
+static bool_t __read_mostly opt_transitive_grants = 1;
+
+static int __init parse_gnttab(const char *s)
+{
+ const char *ss, *e;
+ int val, rc = 0;
+
+ do {
+ ss = strchr(s, ',');
+ if ( !ss )
+ ss = strchr(s, '\0');
+
+ if ( !strncmp(s, "max-ver:", 8) ||
+ !strncmp(s, "max_ver:", 8) ) /* Alias for original XSA-226 patch */
+ {
+ long ver = simple_strtol(s + 8, &e, 10);
+
+ if ( e == ss && ver >= 1 && ver <= 2 )
+ opt_gnttab_max_version = ver;
+ else
+ rc = -EINVAL;
+ }
+ else if ( (val = parse_boolean("transitive", s, ss)) >= 0 )
+ opt_transitive_grants = val;
+ else
+ rc = -EINVAL;
+
+ s = ss + 1;
+ } while ( *ss );
+
+ return rc;
+}
+custom_param("gnttab", parse_gnttab);
+
/*
* Note that the three values below are effectively part of the ABI, even if
* we don't need to make them a formal part of it: A guest suspended for
@@ -2537,7 +2572,8 @@ static int gnttab_copy_claim_buf(const s
current->domain->domain_id,
buf->read_only,
&buf->frame, &buf->page,
- &buf->ptr.offset, &buf->len, 1);
+ &buf->ptr.offset, &buf->len,
+ opt_transitive_grants);
if ( rc != GNTST_okay )
goto out;
buf->ptr.u.ref = ptr->u.ref;
@@ -2738,6 +2774,10 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
if ( op.version != 1 && op.version != 2 )
goto out;
+ res = -ENOSYS;
+ if ( op.version == 2 && opt_gnttab_max_version == 1 )
+ goto out; /* Behave as before set_version was introduced. */
+
res = 0;
if ( gt->gt_version == op.version )
goto out;
["xsa268-4.7-2.patch" (application/octet-stream)]
From: Stefano Stabellini <sstabellini@kernel.org>
Subject: ARM: disable grant table v2
It was never expected to work, the implementation is incomplete.
As a side effect, it also prevents guests from triggering a
"BUG_ON(page_get_owner(pg) != d)" in gnttab_unpopulate_status_frames().
This is XSA-268.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -825,6 +825,8 @@ version are 1 and 2.
use of grant table v2 without transitive grants is an ABI breakage from the
guests point of view.
+The usage of gnttab v2 is not security supported on ARM platforms.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -62,7 +62,11 @@ integer_param("gnttab_max_frames", max_g
static unsigned int __read_mostly max_maptrack_frames;
integer_param("gnttab_max_maptrack_frames", max_maptrack_frames);
-static unsigned int __read_mostly opt_gnttab_max_version = 2;
+#ifndef GNTTAB_MAX_VERSION
+#define GNTTAB_MAX_VERSION 2
+#endif
+
+static unsigned int __read_mostly opt_gnttab_max_version = GNTTAB_MAX_VERSION;
static bool_t __read_mostly opt_transitive_grants = 1;
static int __init parse_gnttab(const char *s)
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -4,6 +4,7 @@
#include <xen/grant_table.h>
#define INITIAL_NR_GRANT_FRAMES 4
+#define GNTTAB_MAX_VERSION 1
void gnttab_clear_flag(unsigned long nr, uint16_t *addr);
int create_grant_host_mapping(unsigned long gpaddr,
["xsa268-4.9-1.patch" (application/octet-stream)]
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: common/gnttab: Introduce command line feature controls
This patch was originally released as part of XSA-226. It retains the same
command line syntax (as various downstreams are mitigating XSA-226 using this
mechanism) but the defaults have been updated due to the revised XSA-226
patched, after which transitive grants are believed to functioning
properly.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -872,6 +872,19 @@ Controls EPT related features.
Specify which console gdbstub should use. See **console**.
+### gnttab
+> `= List of [ max-ver:<integer>, transitive=<bool> ]`
+
+> Default: `gnttab=max-ver:2,transitive`
+
+Control various aspects of the grant table behaviour available to guests.
+
+* `max-ver` Select the maximum grant table version to offer to guests. Valid
+version are 1 and 2.
+* `transitive` Permit or disallow the use of transitive grants. Note that the
+use of grant table v2 without transitive grants is an ABI breakage from the
+guests point of view.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -62,6 +62,41 @@ integer_param("gnttab_max_frames", max_g
static unsigned int __read_mostly max_maptrack_frames;
integer_param("gnttab_max_maptrack_frames", max_maptrack_frames);
+static unsigned int __read_mostly opt_gnttab_max_version = 2;
+static bool __read_mostly opt_transitive_grants = true;
+
+static int __init parse_gnttab(const char *s)
+{
+ const char *ss, *e;
+ int val, rc = 0;
+
+ do {
+ ss = strchr(s, ',');
+ if ( !ss )
+ ss = strchr(s, '\0');
+
+ if ( !strncmp(s, "max-ver:", 8) ||
+ !strncmp(s, "max_ver:", 8) ) /* Alias for original XSA-226 patch */
+ {
+ long ver = simple_strtol(s + 8, &e, 10);
+
+ if ( e == ss && ver >= 1 && ver <= 2 )
+ opt_gnttab_max_version = ver;
+ else
+ rc = -EINVAL;
+ }
+ else if ( (val = parse_boolean("transitive", s, ss)) >= 0 )
+ opt_transitive_grants = val;
+ else
+ rc = -EINVAL;
+
+ s = ss + 1;
+ } while ( *ss );
+
+ return rc;
+}
+custom_param("gnttab", parse_gnttab);
+
/*
* Note that the three values below are effectively part of the ABI, even if
* we don't need to make them a formal part of it: A guest suspended for
@@ -2538,7 +2573,8 @@ static int gnttab_copy_claim_buf(const s
current->domain->domain_id,
buf->read_only,
&buf->frame, &buf->page,
- &buf->ptr.offset, &buf->len, 1);
+ &buf->ptr.offset, &buf->len,
+ opt_transitive_grants);
if ( rc != GNTST_okay )
goto out;
buf->ptr.u.ref = ptr->u.ref;
@@ -2739,6 +2775,10 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
if ( op.version != 1 && op.version != 2 )
goto out;
+ res = -ENOSYS;
+ if ( op.version == 2 && opt_gnttab_max_version == 1 )
+ goto out; /* Behave as before set_version was introduced. */
+
res = 0;
if ( gt->gt_version == op.version )
goto out;
["xsa268-4.9-2.patch" (application/octet-stream)]
From: Stefano Stabellini <sstabellini@kernel.org>
Subject: ARM: disable grant table v2
It was never expected to work, the implementation is incomplete.
As a side effect, it also prevents guests from triggering a
"BUG_ON(page_get_owner(pg) != d)" in gnttab_unpopulate_status_frames().
This is XSA-268.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -885,6 +885,8 @@ version are 1 and 2.
use of grant table v2 without transitive grants is an ABI breakage from the
guests point of view.
+The usage of gnttab v2 is not security supported on ARM platforms.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -62,7 +62,11 @@ integer_param("gnttab_max_frames", max_g
static unsigned int __read_mostly max_maptrack_frames;
integer_param("gnttab_max_maptrack_frames", max_maptrack_frames);
-static unsigned int __read_mostly opt_gnttab_max_version = 2;
+#ifndef GNTTAB_MAX_VERSION
+#define GNTTAB_MAX_VERSION 2
+#endif
+
+static unsigned int __read_mostly opt_gnttab_max_version = GNTTAB_MAX_VERSION;
static bool __read_mostly opt_transitive_grants = true;
static int __init parse_gnttab(const char *s)
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -4,6 +4,7 @@
#include <xen/grant_table.h>
#define INITIAL_NR_GRANT_FRAMES 4
+#define GNTTAB_MAX_VERSION 1
void gnttab_clear_flag(unsigned long nr, uint16_t *addr);
int create_grant_host_mapping(unsigned long gpaddr,
["xsa268-4.10-1.patch" (application/octet-stream)]
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: common/gnttab: Introduce command line feature controls
This patch was originally released as part of XSA-226. It retains the same
command line syntax (as various downstreams are mitigating XSA-226 using this
mechanism) but the defaults have been updated due to the revised XSA-226
patched, after which transitive grants are believed to functioning
properly.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -920,6 +920,19 @@ Controls EPT related features.
Specify which console gdbstub should use. See **console**.
+### gnttab
+> `= List of [ max-ver:<integer>, transitive=<bool> ]`
+
+> Default: `gnttab=max-ver:2,transitive`
+
+Control various aspects of the grant table behaviour available to guests.
+
+* `max-ver` Select the maximum grant table version to offer to guests. Valid
+version are 1 and 2.
+* `transitive` Permit or disallow the use of transitive grants. Note that the
+use of grant table v2 without transitive grants is an ABI breakage from the
+guests point of view.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -97,6 +97,41 @@ static unsigned int __read_mostly max_ma
DEFAULT_MAX_MAPTRACK_FRAMES;
integer_runtime_param("gnttab_max_maptrack_frames", max_maptrack_frames);
+static unsigned int __read_mostly opt_gnttab_max_version = 2;
+static bool __read_mostly opt_transitive_grants = true;
+
+static int __init parse_gnttab(const char *s)
+{
+ const char *ss, *e;
+ int val, rc = 0;
+
+ do {
+ ss = strchr(s, ',');
+ if ( !ss )
+ ss = strchr(s, '\0');
+
+ if ( !strncmp(s, "max-ver:", 8) ||
+ !strncmp(s, "max_ver:", 8) ) /* Alias for original XSA-226 patch */
+ {
+ long ver = simple_strtol(s + 8, &e, 10);
+
+ if ( e == ss && ver >= 1 && ver <= 2 )
+ opt_gnttab_max_version = ver;
+ else
+ rc = -EINVAL;
+ }
+ else if ( (val = parse_boolean("transitive", s, ss)) >= 0 )
+ opt_transitive_grants = val;
+ else
+ rc = -EINVAL;
+
+ s = ss + 1;
+ } while ( *ss );
+
+ return rc;
+}
+custom_param("gnttab", parse_gnttab);
+
/*
* Note that the three values below are effectively part of the ABI, even if
* we don't need to make them a formal part of it: A guest suspended for
@@ -2725,7 +2760,8 @@ static int gnttab_copy_claim_buf(const s
current->domain->domain_id,
buf->read_only,
&buf->frame, &buf->page,
- &buf->ptr.offset, &buf->len, true);
+ &buf->ptr.offset, &buf->len,
+ opt_transitive_grants);
if ( rc != GNTST_okay )
goto out;
buf->ptr.u.ref = ptr->u.ref;
@@ -2927,6 +2963,10 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
if ( op.version != 1 && op.version != 2 )
goto out;
+ res = -ENOSYS;
+ if ( op.version == 2 && opt_gnttab_max_version == 1 )
+ goto out; /* Behave as before set_version was introduced. */
+
res = 0;
if ( gt->gt_version == op.version )
goto out;
["xsa268-4.10-2.patch" (application/octet-stream)]
From: Stefano Stabellini <sstabellini@kernel.org>
Subject: ARM: disable grant table v2
It was never expected to work, the implementation is incomplete.
As a side effect, it also prevents guests from triggering a
"BUG_ON(page_get_owner(pg) != d)" in gnttab_unpopulate_status_frames().
This is XSA-268.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -933,6 +933,8 @@ version are 1 and 2.
use of grant table v2 without transitive grants is an ABI breakage from the
guests point of view.
+The usage of gnttab v2 is not security supported on ARM platforms.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -97,7 +97,11 @@ static unsigned int __read_mostly max_ma
DEFAULT_MAX_MAPTRACK_FRAMES;
integer_runtime_param("gnttab_max_maptrack_frames", max_maptrack_frames);
-static unsigned int __read_mostly opt_gnttab_max_version = 2;
+#ifndef GNTTAB_MAX_VERSION
+#define GNTTAB_MAX_VERSION 2
+#endif
+
+static unsigned int __read_mostly opt_gnttab_max_version = GNTTAB_MAX_VERSION;
static bool __read_mostly opt_transitive_grants = true;
static int __init parse_gnttab(const char *s)
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -7,6 +7,7 @@
#include <xen/sched.h>
#define INITIAL_NR_GRANT_FRAMES 1U
+#define GNTTAB_MAX_VERSION 1
struct grant_table_arch {
gfn_t *shared_gfn;
["xsa268-4.11.patch" (application/octet-stream)]
From: Stefano Stabellini <sstabellini@kernel.org>
Subject: ARM: disable grant table v2
It was never expected to work, the implementation is incomplete.
As a side effect, it also prevents guests from triggering a
"BUG_ON(page_get_owner(pg) != d)" in gnttab_unpopulate_status_frames().
This is XSA-268.
Reported-by: 王磊 <lei19.wang@samsung.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -936,6 +936,8 @@ version are 1 and 2.
use of grant table v2 without transitive grants is an ABI breakage from the
guests point of view.
+The usage of gnttab v2 is not security supported on ARM platforms.
+
### gnttab\_max\_frames
> `= <integer>`
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -97,7 +97,11 @@ static unsigned int __read_mostly max_maptrack_frames =
DEFAULT_MAX_MAPTRACK_FRAMES;
integer_runtime_param("gnttab_max_maptrack_frames", max_maptrack_frames);
-static unsigned int __read_mostly opt_gnttab_max_version = 2;
+#ifndef GNTTAB_MAX_VERSION
+#define GNTTAB_MAX_VERSION 2
+#endif
+
+static unsigned int __read_mostly opt_gnttab_max_version = GNTTAB_MAX_VERSION;
static bool __read_mostly opt_transitive_grants = true;
static int __init parse_gnttab(const char *s)
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -7,6 +7,7 @@
#include <xen/sched.h>
#define INITIAL_NR_GRANT_FRAMES 1U
+#define GNTTAB_MAX_VERSION 1
struct grant_table_arch {
gfn_t *shared_gfn;
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic