CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397)

Part deux: Fix it harder
2015-04-01 08:38:46 -04:00 · 2015-04-01 08:38:46 -04:00 · a86ca716e6
parent 571a39e572
commit a86ca716e6
2 changed files with 60 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -631,6 +631,9 @@ Patch26171: acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
 #rhbz 1203584
 Patch26174: Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch

+#CVE-2015-2150 rhbz 1196266 1200397
+Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1373,6 +1376,9 @@ ApplyPatch acpi-video-Add-force-native-backlight-quirk-for-Leno.patch
 #rhbz 1203584
 ApplyPatch Input-ALPS-fix-max-coordinates-for-v5-and-v7-protoco.patch

+#CVE-2015-2150 rhbz 1196266 1200397
+ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2223,6 +2229,9 @@ fi
 #
 # 
 %changelog
+* Wed Apr 01 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397)
+
 * Tue Mar 31 2015 Josh Boyer <jwboyer@fedoraproject.org>
 - Enable MLX4_EN_VXLAN (rhbz 1207728)

--- a/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+++ b/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
@ -0,0 +1,51 @@
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Fri, 27 Mar 2015 13:31:11 -0400
+Subject: [PATCH] xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
+
+There is no need for this at all. Worst it means that if
+the guest tries to write to BARs it could lead (on certain
+platforms) to PCI SERR errors.
+
+Please note that with af6fc858a35b90e89ea7a7ee58e66628c55c776b
+"xen-pciback: limit guest control of command register"
+a guest is still allowed to enable those control bits (safely), but
+is not allowed to disable them and that therefore a well behaved
+frontend which enables things before using them will still
+function correctly.
+
+This is done via an write to the configuration register 0x4 which
+triggers on the backend side:
+command_write
+  \- pci_enable_device
+     \- pci_enable_device_flags
+        \- do_pci_enable_device
+           \- pcibios_enable_device
+              \-pci_enable_resourcess
+                [which enables the PCI_COMMAND_MEMORY|PCI_COMMAND_IO]
+
+However guests (and drivers) which don't do this could cause
+problems, including the security issues which XSA-120 sought
+to address.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+---
+ drivers/xen/xen-pciback/pciback_ops.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
+index c4a0666de6f5..26e651336787 100644
+--- a/drivers/xen/xen-pciback/pciback_ops.c
+++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -119,8 +119,6 @@ void xen_pcibk_reset_device(struct pci_dev *dev)
+ 		if (pci_is_enabled(dev))
+ 			pci_disable_device(dev);
+ 
+-		pci_write_config_word(dev, PCI_COMMAND, 0);
+-
+ 		dev->is_busmaster = 0;
+ 	} else {
+ 		pci_read_config_word(dev, PCI_COMMAND, &cmd);
+-- 
+2.1.0
+