Diffstat (limited to 'app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch')
-rw-r--r-- | app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch | 113 |
1 files changed, 0 insertions, 113 deletions
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch b/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch
deleted file mode 100644
index 0046170d1341..000000000000
--- a/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-# HG changeset patch
-# User Jan Beulich <jbeulich@suse.com>
-# Date 1354644138 0
-# Node ID dea7d4e5bfc1627133c0c19706fea1fbc9e5a378
-# Parent 9e13427c023020756768c73217dab05295709fb3
-gnttab: fix releasing of memory upon switches between versions
-
-gnttab_unpopulate_status_frames() incompletely freed the pages
-previously used as status frame in that they did not get removed from
-the domain's xenpage_list, thus causing subsequent list corruption
-when those pages did get allocated again for the same or another purpose.
-
-Similarly, grant_table_create() and gnttab_grow_table() both improperly
-clean up in the event of an error - pages already shared with the guest
-can't be freed by just passing them to free_xenheap_page(). Fix this by
-sharing the pages only after all allocations succeeded.
-
-This is CVE-2012-5510 / XSA-26.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Committed-by: Ian Jackson <ian.jackson.citrix.com>
-
-diff -r 9e13427c0230 -r dea7d4e5bfc1 xen/common/grant_table.c
---- xen/common/grant_table.c Thu Nov 29 16:59:43 2012 +0000
-+++ xen/common/grant_table.c Tue Dec 04 18:02:18 2012 +0000
-@@ -1173,12 +1173,13 @@ fault:
- }
-
- static int
--gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
-+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
-+ unsigned int req_nr_frames)
- {
- unsigned i;
- unsigned req_status_frames;
-
-- req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
-+ req_status_frames = grant_to_status_frames(req_nr_frames);
- for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
- {
- if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
-@@ -1209,7 +1210,12 @@ gnttab_unpopulate_status_frames(struct d
-
- for ( i = 0; i < nr_status_frames(gt); i++ )
- {
-- page_set_owner(virt_to_page(gt->status[i]), dom_xen);
-+ struct page_info *pg = virt_to_page(gt->status[i]);
-+
-+ BUG_ON(page_get_owner(pg) != d);
-+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
-+ put_page(pg);
-+ BUG_ON(pg->count_info & ~PGC_xen_heap);
- free_xenheap_page(gt->status[i]);
- gt->status[i] = NULL;
- }
-@@ -1247,19 +1253,18 @@ gnttab_grow_table(struct domain *d, unsi
- clear_page(gt->shared_raw[i]);
- }
-
-+ /* Status pages - version 2 */
-+ if (gt->gt_version > 1)
-+ {
-+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
-+ goto shared_alloc_failed;
-+ }
-+
- /* Share the new shared frames with the recipient domain */
- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
- gnttab_create_shared_page(d, gt, i);
--
- gt->nr_grant_frames = req_nr_frames;
-
-- /* Status pages - version 2 */
-- if (gt->gt_version > 1)
-- {
-- if ( gnttab_populate_status_frames(d, gt) )
-- goto shared_alloc_failed;
-- }
--
- return 1;
-
- shared_alloc_failed:
-@@ -2157,7 +2162,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt
-
- if ( op.version == 2 && gt->gt_version < 2 )
- {
-- res = gnttab_populate_status_frames(d, gt);
-+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
- if ( res < 0)
- goto out_unlock;
- }
-@@ -2600,14 +2605,15 @@ grant_table_create(
- clear_page(t->shared_raw[i]);
- }
-
-- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-- gnttab_create_shared_page(d, t, i);
--
- /* Status pages for grant table - for version 2 */
- t->status = xzalloc_array(grant_status_t *,
- grant_to_status_frames(max_nr_grant_frames));
- if ( t->status == NULL )
- goto no_mem_4;
-+
-+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-+ gnttab_create_shared_page(d, t, i);
-+
- t->nr_status_frames = 0;
-
- /* Okay, install the structure. */
-
-
|