x86/mm: PV superpage handling lacks sanity checks

MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
dereferencing pointers into the superpage frame table.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
get_superpage() has a similar issue.

This is CVE-2016-1570 / XSA-167.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
master commit: 47abf29a9255b2e7b94e56d66b455d0a584b68b8
master date: 2016-01-20 13:49:23 +0100

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 1caa5550e70bbbe9937760b7e4a750f28f23f73b..222fe5f5bba8852f2195ee989cc2f238bf1df293 100644 (file)
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2566,6 +2566,9 @@ int get_superpage(unsigned long mfn, struct domain *d)
 
     ASSERT(opt_allow_superpage);
 
+    if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+        return -EINVAL;
+
     spage = mfn_to_spage(mfn);
     y = spage->type_info;
     do {
@@ -3320,14 +3323,6 @@ long do_mmuext_op(
             unsigned long mfn;
             struct spage_info *spage;
 
-            mfn = op.arg1.mfn;
-            if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
-            {
-                MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
-                okay = 0;
-                break;
-            }
-
             if ( !opt_allow_superpage )
             {
                 MEM_LOG("Superpages disallowed");
@@ -3336,16 +3331,6 @@ long do_mmuext_op(
                 break;
             }
 
-            spage = mfn_to_spage(mfn);
-            okay = (mark_superpage(spage, d) >= 0);
-            break;
-        }
-
-        case MMUEXT_UNMARK_SUPER:
-        {
-            unsigned long mfn;
-            struct spage_info *spage;
-
             mfn = op.arg1.mfn;
             if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
             {
@@ -3354,16 +3339,16 @@ long do_mmuext_op(
                 break;
             }
 
-            if ( !opt_allow_superpage )
+            if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
             {
-                MEM_LOG("Superpages disallowed");
                 okay = 0;
-                rc = -ENOSYS;
                 break;
             }
 
             spage = mfn_to_spage(mfn);
-            okay = (unmark_superpage(spage) >= 0);
+            okay = ((op.cmd == MMUEXT_MARK_SUPER
+                    ? mark_superpage(spage, d)
+                    : unmark_superpage(spage)) >= 0);
             break;
         }