[Pkg-xen-changes] [xen] 27/70: arm: handle races between relinquish_memory and free_domheap_pages

Ian James Campbell ijc at moszumanska.debian.org
Thu Dec 17 14:44:54 UTC 2015


This is an automated email from the git hooks/post-receive script.

ijc pushed a commit to branch feature/bug805508
in repository xen.

commit 81b4ce8f487078f2e5f6732b8102e25bead37166
Author: Ian Campbell <ian.campbell at citrix.com>
Date:   Thu Oct 29 13:47:38 2015 +0100

    arm: handle races between relinquish_memory and free_domheap_pages
    
    Primarily this means XENMEM_decrease_reservation from a toolstack
    domain.
    
    Unlike x86 we have no requirement right now to queue such pages onto
    a separate list, if we hit this race then the other code has already
    fully accepted responsibility for freeing this page and therefore
    there is no more for relinquish_memory to do.
    
    This is CVE-2015-7814 / XSA-147.
    
    Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
    Reviewed-by: Julien Grall <julien.grall at citrix.com>
    Reviewed-by: Jan Beulich <jbeulich at suse.com>
    master commit: 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
    master date: 2015-10-29 13:34:17 +0100
    
    (cherry picked from commit df6fa370865717ee51530c0102d1e983a70d37c3)
    
    Patch-Name: CVE-2015-7814.diff
---
 xen/arch/arm/domain.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index b9a4226..20cc772 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -768,8 +768,15 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list)
     {
         /* Grab a reference to the page so it won't disappear from under us. */
         if ( unlikely(!get_page(page, d)) )
-            /* Couldn't get a reference -- someone is freeing this page. */
-            BUG();
+            /*
+             * Couldn't get a reference -- someone is freeing this page and
+             * has already committed to doing so, so no more to do here.
+             *
+             * Note that the page must be left on the list, a list_del
+             * here will clash with the list_del done by the other
+             * party in the race and corrupt the list head.
+             */
+            continue;
 
         if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
             put_page(page);
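Review bot: the `continue;` is the body of the unbraced `if ( unlikely(!get_page(page, d)) )`, but an eight-line comment now sits between the two, so the statement is easy to misread as unconditional or to break in a later edit. Either wrap the comment and `continue;` in braces or move the comment above the `if`. Separately, because the page is deliberately left on the list, this path is only correct if the enclosing loop steps to the next entry on its own rather than re-reading the list head; the loop construct is outside the visible context, so please confirm that. Also confirm that nothing later in the loop body, after the `put_page(page)` shown here, needs to run on this path, since `continue` skips it.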

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xen/xen.git


