x86/PoD: handle intermediate page orders in p2m_pod_cache_add()

p2m_pod_decrease_reservation() may pass pages to the function which
aren't 4k, 2M, or 1G. Handle all intermediate orders as well, to avoid
hitting the BUG() at the switch() statement's "default" case.

This is CVE-2021-28708 / part of XSA-388.

Fixes: 3c352011c0d3 ("x86/PoD: shorten certain operations on higher order ranges")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
master commit: 8ec13f68e0b026863d23e7f44f252d06478bc809
master date: 2021-11-22 12:27:30 +0000

diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
index fd5bad31f0ae874f1a3a64165e6d395713c4ce7e..d94759513205b70cee11ae35f90a9b7be3aa0072 100644 (file)
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -111,15 +111,13 @@ p2m_pod_cache_add(struct p2m_domain *p2m,
     /* Then add to the appropriate populate-on-demand list. */
     switch ( order )
     {
-    case PAGE_ORDER_1G:
-        for ( i = 0; i < (1UL << PAGE_ORDER_1G); i += 1UL << PAGE_ORDER_2M )
+    case PAGE_ORDER_2M ... PAGE_ORDER_1G:
+        for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_2M )
             page_list_add_tail(page + i, &p2m->pod.super);
         break;
-    case PAGE_ORDER_2M:
-        page_list_add_tail(page, &p2m->pod.super);
-        break;
-    case PAGE_ORDER_4K:
-        page_list_add_tail(page, &p2m->pod.single);
+    case PAGE_ORDER_4K ... PAGE_ORDER_2M - 1:
+        for ( i = 0; i < (1UL << order); i += 1UL << PAGE_ORDER_4K )
+            page_list_add_tail(page + i, &p2m->pod.single);
         break;
     default:
         BUG();