From: Andrew Cooper <andrew.cooper3@citrix.com>
To: AL13N <alien@rmail.be>
Cc: IAN DELANEY <della5@iinet.com.au>, xen-devel@lists.xen.org
Subject: Re: xen-CVE-2013-1442-XSA-62.patch
Date: Thu, 3 Oct 2013 10:01:29 +0100 [thread overview]
Message-ID: <524D3269.4080007@citrix.com> (raw)
In-Reply-To: <1538598.QC6NsvogIo@localhost>
On 02/10/13 20:12, AL13N wrote:
> Op woensdag 2 oktober 2013 19:53:06 schreef Andrew Cooper:
> [...]
>> You have a few options
>>
>> 1) Unconditionally force xsave off. It is at the very least buggy if
>> you are missing the patches causing your patch application problems.
> i can do this programmatorically, so that noone in Mageia 3 will be able to
> use it?
>
> does this mean xsave has been buggy on the released 4.2.1 in any case?
Xsave support in Xen has been buggy on all releases, with the final
fixes only appearing very recently. The upcoming 4.3.1 release is I
believe the first formal Xen release where xsave support is supposedly
fixed.
If you want to disable xsave, then you need to play with "use_xsave" in
xen/arch/x86/cpu/common.c
However, if anyone has VMs using xsave, this change in a security update
will break the VM on live migrate.
>
>> 2) Backport the xsave patches as well.
>> http://xenbits.xen.org/gitweb/?p=xen.git;a=history;f=xen/arch/x86/xstate.c;h
>> b=12b0ee04a16194f064d5b895a844fcdc6414bfc0 should give you a good idea of
>> the patches.
>> http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0bda88abe18029c2bbe9
>> dc5d07cc706bd775c9b7 is probably the main patch needed.
>>
>> 3) Rework the security patch yourself using
>> 0bda88abe18029c2bbe9dc5d07cc706bd775c9b7 as a reference of where and how
>> to patch in arch/x86/traps.c
>>
>>
>> I highly recommend option 2.
> thanks for the quick assistance
As I said, option 2 is the only reasonable solution to this problem
which wont cause regressions for users, and has a side effect of making
xsave actually work.
~Andrew
prev parent reply other threads:[~2013-10-03 9:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-02 16:47 xen-CVE-2013-1442-XSA-62.patch IAN DELANEY
2013-10-02 16:59 ` xen-CVE-2013-1442-XSA-62.patch Andrew Cooper
2013-10-02 18:39 ` xen-CVE-2013-1442-XSA-62.patch AL13N
2013-10-02 18:53 ` xen-CVE-2013-1442-XSA-62.patch Andrew Cooper
2013-10-02 19:12 ` xen-CVE-2013-1442-XSA-62.patch AL13N
2013-10-03 9:01 ` Andrew Cooper [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=524D3269.4080007@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=alien@rmail.be \
--cc=della5@iinet.com.au \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).