diff --git a/debian/changelog b/debian/changelog index dac78e7a7..5f71305ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -811,6 +811,10 @@ linux (4.19.34-1) UNRELEASED; urgency=medium [ Bastian Blank ] * Don't longer recommend irqbalance. (closes: #926967) + [ Salvatore Bonaccorso ] + * xen/pciback: Don't disable PCI_COMMAND on PCI device reset. + (CVE-2015-8553) + -- Ben Hutchings Mon, 18 Mar 2019 22:50:08 +0000 linux (4.19.28-2) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch b/debian/patches/bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch new file mode 100644 index 000000000..e9ef64a5a --- /dev/null +++ b/debian/patches/bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch @@ -0,0 +1,56 @@ +From: Konrad Rzeszutek Wilk +Date: Wed, 13 Feb 2019 18:21:31 -0500 +Subject: xen/pciback: Don't disable PCI_COMMAND on PCI device reset. +Origin: https://git.kernel.org/linus/7681f31ec9cdacab4fd10570be924f2cef6669ba +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8553 +Bug: http://xenbits.xen.org/xsa/advisory-120.html + +There is no need for this at all. Worst it means that if +the guest tries to write to BARs it could lead (on certain +platforms) to PCI SERR errors. + +Please note that with af6fc858a35b90e89ea7a7ee58e66628c55c776b +"xen-pciback: limit guest control of command register" +a guest is still allowed to enable those control bits (safely), but +is not allowed to disable them and that therefore a well behaved +frontend which enables things before using them will still +function correctly. + +This is done via an write to the configuration register 0x4 which +triggers on the backend side: +command_write + \- pci_enable_device + \- pci_enable_device_flags + \- do_pci_enable_device + \- pcibios_enable_device + \-pci_enable_resourcess + [which enables the PCI_COMMAND_MEMORY|PCI_COMMAND_IO] + +However guests (and drivers) which don't do this could cause +problems, including the security issues which XSA-120 sought +to address. + +Reported-by: Jan Beulich +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Prarit Bhargava +Signed-off-by: Juergen Gross +--- + drivers/xen/xen-pciback/pciback_ops.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c +index ea4a08b83fa0..787966f44589 100644 +--- a/drivers/xen/xen-pciback/pciback_ops.c ++++ b/drivers/xen/xen-pciback/pciback_ops.c +@@ -127,8 +127,6 @@ void xen_pcibk_reset_device(struct pci_dev *dev) + if (pci_is_enabled(dev)) + pci_disable_device(dev); + +- pci_write_config_word(dev, PCI_COMMAND, 0); +- + dev->is_busmaster = 0; + } else { + pci_read_config_word(dev, PCI_COMMAND, &cmd); +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index 3cdb884da..bd1787f6d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -142,6 +142,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch