Diffstat (limited to '0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch')
-rw-r--r--0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch50
1 files changed, 50 insertions, 0 deletions
diff --git a/0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch b/0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
new file mode 100644
index 0000000..9974108
--- /dev/null
+++ b/0003-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
@@ -0,0 +1,50 @@
+From 887ba097cfcd4454d4707e1bee6504322335ea79 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 21 Mar 2023 12:01:01 +0000
+Subject: [PATCH 03/13] x86/HVM: bound number of pinned cache attribute regions
+
+This is exposed via DMOP, i.e. to potentially not fully privileged
+device models. With that we may not permit registration of an (almost)
+unbounded amount of such regions.
+
+This is CVE-2022-42333 / part of XSA-428.
+
+Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+(cherry picked from commit a5e768640f786b681063f4e08af45d0c4e91debf)
+---
+ xen/arch/x86/hvm/mtrr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
+index fb051d59c3..09a51f415d 100644
+--- a/xen/arch/x86/hvm/mtrr.c
++++ b/xen/arch/x86/hvm/mtrr.c
+@@ -596,6 +596,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
+ uint64_t gfn_end, uint32_t type)
+ {
+ struct hvm_mem_pinned_cacheattr_range *range;
++ unsigned int nr = 0;
+ int rc = 1;
+
+ if ( !is_hvm_domain(d) )
+@@ -667,11 +668,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
+ rc = -EBUSY;
+ break;
+ }
++ ++nr;
+ }
+ rcu_read_unlock(&pinned_cacheattr_rcu_lock);
+ if ( rc <= 0 )
+ return rc;
+
++ if ( nr >= 64 /* The limit is arbitrary. */ )
++ return -ENOSPC;
++
+ range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
+ if ( range == NULL )
+ return -ENOMEM;
+--
+2.40.0
+
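Review bot: The cap in `if ( nr >= 64 /* The limit is arbitrary. */ )` is compared against a count taken inside the list walk, but `rcu_read_unlock(&pinned_cacheattr_rcu_lock)` runs before the check and before the new `range` is allocated. The insertion of `range` into the list lies outside the visible context, so it cannot be confirmed here whether concurrent DMOP callers are serialised; if they are not, several callers could each see a count below the limit and the list could grow past 64 by the number of racing calls. That would still bound the growth the commit message is concerned with, but the approximation should be stated at the check, e.g. `/* Soft cap: nr is sampled under RCU, so racing callers may overshoot slightly. */`. The literal would also be easier to audit as a named constant next to the list definition (suggested name only: `#define PINNED_CACHEATTR_MAX_RANGES 64`). The body of hvm_set_mem_pinned_cacheattr is only partly visible in these two inner hunks.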