diff options
author | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-01-08 03:41:42 +0000 |
---|---|---|
committer | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-01-08 03:41:42 +0000 |
commit | 3092fe0e20f490a5f9b8b9602ffc039a22be60c0 (patch) | |
tree | ca5296f2b482de6c3889b3d2721dda0ae342eaee /kernels/xen/xsa78.patch | |
parent | bd5b8fe0fe2355ad0df744ed310d12b8a70c51f9 (diff) |
Wed Jan 8 03:37:02 UTC 2014
Diffstat (limited to 'kernels/xen/xsa78.patch')
-rw-r--r-- | kernels/xen/xsa78.patch | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/kernels/xen/xsa78.patch b/kernels/xen/xsa78.patch new file mode 100644 index 000000000..180506cdd --- /dev/null +++ b/kernels/xen/xsa78.patch @@ -0,0 +1,23 @@ +VT-d: fix TLB flushing in dma_pte_clear_one() + +The third parameter of __intel_iommu_iotlb_flush() is to indicate +whether the to be flushed entry was a present one. A few lines before, +we bailed if !dma_pte_present(*pte), so there's no need to check the +flag here again - we can simply always pass TRUE here. + +This is CVE-2013-6375 / XSA-78. + +Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg> +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- a/xen/drivers/passthrough/vtd/iommu.c ++++ b/xen/drivers/passthrough/vtd/iommu.c +@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom + iommu_flush_cache_entry(pte, sizeof(struct dma_pte)); + + if ( !this_cpu(iommu_dont_flush_iotlb) ) +- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1); ++ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1); + + unmap_vtd_domain_page(page); + |