author | Ian Campbell <ian.campbell@citrix.com> | 2012-08-09 15:47:42 +0100 |
---|---|---|
committer | Ian Campbell <ian.campbell@citrix.com> | 2012-08-09 15:47:42 +0100 |
commit | e0b12805c5a63ba4980c006a72514f289f293bc5 (patch) | |
tree | 54e6d52758a5073591c53edf5cd3e31a2c3d3ff6 | |
parent | d88e5d451b9bcf8da3cec31f94ecaa06d62fcc5d (diff) | |
xen: only check for shared pages while any exist on teardown
Avoids worst case behaviour when guest has a large p2m.
This is XSA-11 / CVE-2012-3433
Signed-off-by: Tim Deegan <tim@xen.org>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-rw-r--r-- | xen/arch/x86/mm/p2m.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index fdbe766242..e095118d71 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2044,6 +2044,8 @@ void p2m_teardown(struct p2m_domain *p2m) #ifdef __x86_64__ for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ ) { + if ( atomic_read(&d->shr_pages) == 0 ) + break; mfn = p2m->get_entry(p2m, gfn, &t, &a, p2m_query); if ( mfn_valid(mfn) && (t == p2m_ram_shared) ) BUG_ON(mem_sharing_unshare_page(p2m, gfn, MEM_SHARING_DESTROY_GFN)); |
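Review bot: the early exit added at the top of the `for` loop in `p2m_teardown()` has no comment stating the invariant it depends on, namely that `d->shr_pages` is an exact count of the `p2m_ram_shared` entries still present in this p2m. If the counter could ever read zero while a shared entry remains, the `break` would skip the `mem_sharing_unshare_page(p2m, gfn, MEM_SHARING_DESTROY_GFN)` call for that gfn and the entry would survive teardown, so a one-line comment above `if ( atomic_read(&d->shr_pages) == 0 )` recording that assumption, and that the check exists to bound the walk over a large `max_mapped_pfn`, would help future readers. The hunk also uses `d`, which is not declared in the visible context; it is worth confirming that it is the domain owning `p2m` and not some other domain in scope.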