CVE-2016-3960 / XSA-173

Bug #1581420 reported by Philipp Hahn
Affects         Status        Importance  Assigned to  Milestone
xen (Ubuntu)    Fix Released  Medium      Unassigned
  Precise       Fix Released  Medium      Unassigned
  Trusty        Fix Released  Medium      Unassigned
  Wily          Fix Released  Medium      Unassigned
  Xenial        Fix Released  Medium      Unassigned

Bug Description

<http://xenbits.xen.org/xsa/advisory-173.html> seems to be unfixed in xen-4.1.6.1:
 x86 shadow pagetables: address width overflow

Philipp Hahn (pmhahn) wrote :
summary: - CVE-2016-3961 / XSA-174
+ CVE-2016-3960 / XSA-173
Philipp Hahn (pmhahn) wrote :

xen-4.3 dropped support for x86-32 bit.
As such compilation fails for 4.1 on i386:
> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:66:40: error: '_PAGE_INVALID_BIT' undeclared (first use in this function)
> guest_walk.c:66:40: note: each undeclared identifier is reported only once for each function it appears in
> guest_walk.c: In function 'guest_walk_tables_2_levels':
> guest_walk.c:146:30: error: '_PAGE_INVALID_BIT' undeclared (first use in this function)
> guest_walk.c: In function 'mandatory_flags':
> guest_walk.c:67:1: error: control reaches end of non-void function [-Werror=return-type]

Define _PAGE_INVALID_BIT for x86-32 too, for which support was dropped in xen-4.3:

diff --git a/xen/include/asm-x86/x86_32/page.h b/xen/include/asm-x86/x86_32/page.h
index ca6988c..a2cd306 100644
--- a/xen/include/asm-x86/x86_32/page.h
+++ b/xen/include/asm-x86/x86_32/page.h
@@ -135,6 +135,12 @@ extern unsigned int PAGE_HYPERVISOR_NOCACHE;
                           : BASE_DISALLOW_MASK)
 #define L3_DISALLOW_MASK 0xFFFFF1FEU /* must-be-zero */

+/*
+ * Bit 24 of a 24-bit flag mask! This is not any bit of a real pte,
+ * and is only used for signalling in variables that contain flags.
+ */
+#define _PAGE_INVALID_BIT (1U<<24)
+
 #endif /* __X86_32_PAGE_H__ */

 /*
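Review bot: the new comment asserts a 24-bit flag mask, but nothing in this hunk's context (only `L3_DISALLOW_MASK 0xFFFFF1FEU` is visible) establishes that bit 24 lies above every real PTE flag bit on x86-32, so before merging confirm against the 32-bit PTE flag definitions that no flag or disallow mask uses bit 24; otherwise the sentinel could be mistaken for a real bit wherever flag variables are compared, which is exactly the xen-devel confirmation the submitter says is still outstanding. A compile-time assertion that `_PAGE_INVALID_BIT` does not overlap the header's own flag mask would make that guarantee explicit. Placement inside the include guard directly before `#endif /* __X86_32_PAGE_H__ */` is fine.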

Waiting on confirmation from xen-devel that using bit 24 on x86-32 is okay.

Seth Arnold (seth-arnold) wrote :

Philipp, have you heard back from Xen devs if this bit is free for use?

Thanks

information type: Private Security → Public Security
Philipp Hahn (pmhahn) wrote :

> Philipp, have you heard back from Xen devs if this bit is free for use?

Yes, Jan Beulich replied back and reported bit 24 being fine for i386 as well:
<http://lists.xenproject.org/archives/html/xen-devel/2016-05/msg01256.html>

Stefan Bader (smb) wrote :

Hi Philipp, I was looking over your backport today and have a few remarks to add:

xen/arch/x86/mm/guest_walk.c:

Your backport drops the first two hunks of the 4.3 patch, but I think from manually looking at the code as it is (at least what we got in Trusty) they would fit. Of course with a bit of manually ignoring context.

xen/arch/x86/hvm/hvm.c:

I agree there is no handling of the 0x80000008 case there, yet. Probably need to figure out when that got added and for what reason. Looks to be restricting values returned by the generic cpuid call. So that might be necessary to add after the other changes done.

Last, could it be that v2 is not really the right patch? From the comment I would expect a hunk modifying xen/include/asm-x86/x86_32/page.h but that does not seem to be there. No need to update it, I can make the changes in my tree.

Stefan Bader (smb)
Changed in xen (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Stefan Bader (smb)
Stefan Bader (smb) wrote :

I am tending towards squashing "x86/HVM: correct CPUID leaf 80000008 handling" into the backport for 4.1.x as that looks to be required to make HVM guests aware of any limits (via vMTRR code).

Changed in xen (Ubuntu):
importance: Undecided → Medium
status: New → Fix Committed
Changed in xen (Ubuntu Trusty):
importance: Undecided → Medium
status: New → Fix Committed
Changed in xen (Ubuntu Wily):
importance: Undecided → Medium
status: New → Fix Committed
Changed in xen (Ubuntu Xenial):
importance: Undecided → Medium
status: New → Fix Committed
Philipp Hahn (pmhahn) wrote :

v2 did not yet include the patch for 32 bit, as I only later got the confirmation that using bit 24 is okay.

Stefan Bader (smb) wrote :

Right, I think I have v3 more or less but with the two hunks in guest_walk added (which I mentioned). It is a bit hard to compare patches as I had to refresh the quilt patch. On top of this I decided to pick the change that updates hvm_cpuid and the vMTRR code.
I kept this separate in case testing would blow up. Not done yet but so far looked promising.

Stefan Bader (smb) wrote :

Released in xen-4.1.6.1-0ubuntu0.12.04.11

Changed in xen (Ubuntu Precise):
status: In Progress → Fix Released
Stefan Bader (smb) wrote :

Released in xen-4.4.2-0ubuntu0.14.04.6

Changed in xen (Ubuntu Trusty):
status: Fix Committed → Fix Released
Stefan Bader (smb) wrote :

Released in xen-4.5.1-0ubuntu1.4

Changed in xen (Ubuntu Wily):
status: Fix Committed → Fix Released
Stefan Bader (smb) wrote :

Released in xen-4.6.0-1ubuntu4.1

Changed in xen (Ubuntu Xenial):
status: Fix Committed → Fix Released
Stefan Bader (smb) wrote :

Released in xen-4.6.0-1ubuntu5

Changed in xen (Ubuntu):
status: Fix Committed → Fix Released
Changed in xen (Ubuntu Precise):
assignee: Stefan Bader (smb) → nobody