author | Roger Pau Monne <roger.pau@citrix.com> | 2013-04-18 16:26:26 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-04-19 06:15:12 +0000 |
commit | 6665cdadf07a7dc49d8e128fc8cdd368751c2bef (patch) | |
tree | f70a68c1fb61b9040a6f9f818365cac96127b2e5 | |
parent | 9e64313ac0693f81fd4bc3c1b3a8949bdb99725a (diff) | |
CVE-2013-1917 / XSA-44
CVE-2013-1919 / XSA-46
CVE-2013-1920 / XSA-47
CVE-2013-1922 / XSA-48
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
-rw-r--r-- | main/xen/APKBUILD | 69 | ||||
-rw-r--r-- | main/xen/docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch | 55 | ||||
-rw-r--r-- | main/xen/xsa44-4.2.patch | 77 | ||||
-rw-r--r-- | main/xen/xsa46-4.2.patch | 293 | ||||
-rw-r--r-- | main/xen/xsa47-4.2-unstable.patch | 31 | ||||
-rw-r--r-- | main/xen/xsa48-4.2.patch | 114 |
6 files changed, 638 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 51ff406c45..a4190705f4 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen pkgver=4.2.1 -pkgrel=6 +pkgrel=7 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86 x86_64" @@ -18,6 +18,8 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g qemu_uclibc_configure.patch librt.patch qemu-xen_paths.patch + docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch + xsa33-4.2-unstable.patch xsa41.patch xsa41b.patch @@ -26,6 +28,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g xsa35-4.2-with-xsa34.patch xsa36-4.2.patch xsa38.patch + xsa47-4.2-unstable.patch + xsa48-4.2.patch + xsa44-4.2.patch + xsa46-4.2.patch xenstored.initd xenstored.confd @@ -141,6 +147,7 @@ md5sums="0d48cbe1767b82aba12517898d4e0408 xen-4.2.1.tar.gz 506e7ab6f9482dc95f230978d340bcd9 qemu_uclibc_configure.patch 2dc5ddf47c53ea168729975046c3c1f9 librt.patch 1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch +6dcff640268d514fa9164b4c812cc52d docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch 8aa341b27fac3f93a99113c72671c864 xsa33-4.2-unstable.patch 8ad8942000b8a4be4917599cad9209cf xsa41.patch ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch @@ -149,6 +156,10 @@ af10e1a3f757a184a1d79904a5ef8572 xsa34-4.2.patch 8270dbf929e26b5e95532d10a697e404 xsa35-4.2-with-xsa34.patch 87a54b2a1f1ea3d955017fe1fd8c0398 xsa36-4.2.patch 47589e06d077d71282ec1b87dd4d87a9 xsa38.patch +c05bb12fc5b6aa64cd23f2ad623c539a xsa47-4.2-unstable.patch +b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch +85239ba26395b05502ceee5eec968ea7 xsa44-4.2.patch +b955534323681fa461f86c69e4acec75 xsa46-4.2.patch 95d8af17bf844d41a015ff32aae51ba1 xenstored.initd b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd ed262f15fb880badb53575539468646c xenconsoled.initd 
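Review bot: The four new XSA patches are appended to `source` in the order xsa47, xsa48, xsa44, xsa46 in the `@@ -26,6 +28,10 @@` hunk, and the md5sums hunk below it and the sha256sums/sha512sums hunk on the following lines repeat that order, which reads as accidental next to the numerically ordered xsa33…xsa38 entries just above. If abuild applies the patches in listing order (not visible here), the order is load-bearing: the xsa46 and xsa47 patch files added by this commit both modify xen/common/event_channel.c, so either reorder all three lists numerically or record the intent once above the entries, e.g. `# xsa47/xsa48 are listed before xsa44/xsa46 on purpose: keep this apply order` (constructed wording). Whatever order is chosen, the checksum lists must keep matching `source` entry for entry, so a reordering has to touch all three hunks together.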
@@ -160,3 +171,59 @@ c99e24fe50ac40436040e3b012f23cdc xendomains.initd
 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate
 6a2f777c16678d84039acf670d86fff6 xenqemu.confd
 f9afbf39e2b5a7d9dde60ebbd249ea7d xenqemu.initd"
+sha256sums="fb8df5827ce3e2d2d3b078d9e5afde502beb5e7ab9442e51a94087061bd450c6 xen-4.2.1.tar.gz
+4fb92fa1ce67eb3f78a15c6c971415d4d53599904969596acc7a52edc83a5fee qemu_uclibc_configure.patch
+12bf32f9937b09283f2df4955b50d6739768f66137a7d991f661f45cf77cb53b librt.patch
+9440ca31a6911201f02694e93faafb5ca9b17de18b7f15b53ceac39a03411b4a qemu-xen_paths.patch
+a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
+ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c xsa33-4.2-unstable.patch
+93452beba88a8da8e89b8bfa743074a358ba1d9052151c608e21c4d62f8c4867 xsa41.patch
+896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
+683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
+ef75cdcf934003aaced57698a2441c4ba058b968956925eec2d5a100a28db0ae xsa34-4.2.patch
+4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5 xsa35-4.2-with-xsa34.patch
+6848712b560b522f7d3cede53e29e799624311e7dee6e450f0c02c165a590783 xsa36-4.2.patch
+7d7a5746bc76da747bf61eb87b3303a8f3abb0d96561f35a706c671317ebe4eb xsa38.patch
+c29b59492f9d7e3f74bfc41877a2c5cff70436d3738fd91066f396f969aab0a7 xsa47-4.2-unstable.patch
+dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch
+c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch
+822da2303f1fc69648d7a29eb72fdda8e64baab3edc0e1548456d31e66ed1d7c xsa46-4.2.patch
+81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381 xenstored.initd
+ea9171e71ab3d33061979bcf3bb737156192aa4b0be4d1234438ced75b6fdef3 xenstored.confd
+93bea2eb90ea1b4628854c8141dd351bbd1fbc5959b12795447ea933ad025f01 xenconsoled.initd
+2a74be03eb74f6013242a4a5d721df6cb9b959b43c405de1e32813f52d749060 xenconsoled.confd
+a50a4485e84bcc098ad021556cd2aa7947c228f0a546ab942e880787ced57be3 xend.initd
+7f7a96349084474b76af98426387fec12a0684f505d1691091ac3d2556bde2de xend.confd
+ce7c7228e5fa903b6662844386b50092bf0448820d6faa3ad71efc06b1aa0cdb xendomains.initd
+5cfb81ca252ba7a1c5b9a2ea4bc43a2f4bf16d078fcf99a6274e92c640b72594 xendomains.confd
+0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate
+4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd
+bf17808a79c57a9efc38b9f14cc87f556b2bb7ecfdec5763d9cf686255a47fce xenqemu.initd"
+sha512sums="fe27a965e2b34035bd025482eda9fc4d4e82523c929323fd30813367d5ffbe2fa1ed3d7d4479f2632e8b5625972448b7bd6a7768e8dc1dcd1b6747d281cc1a9e xen-4.2.1.tar.gz
+81a5555c123daad6a9a1835186a82d604e68d833efe3a6576a88717268e5335f809a6621846645c2e1eb1d33a51951a6306e4c393a76c677959149bc28a886be qemu_uclibc_configure.patch
+74e3cfc51e367fc445cb3d8149f0c8830e94719a266daf04d2cd0889864591860c4c8842de2bc78070e4c5be7d14dfbb8b236c511d5faeddc2ad97177c1d3764 librt.patch
+425149aea57a6deae9f488cea867f125983998dc6e8c63893fb3b9caf0ea34214251dd98ad74db823f5168631c44c49b988b6fe9c11b76bd493ddf51bc0baaa2 qemu-xen_paths.patch
+477d3d08bd4fcdfbc54abea1a18acb6a41d298c366cd01c954f474515cb862d0dd59217c0dfca5460a725a8bc036de42132f522c3eefdffcc4fd511f016b783f docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
+e29d80c58c84fad9d68cb9789c1fd9c1694f0b0c96b55c2172502d4b32db3af541c377d19cf1aa88eb1687ddf818870a8afa171a9ef17f317a51fba8991eedb4 xsa33-4.2-unstable.patch
+94672a4d37db4e370370157cac9507ee1a75832f4be779fba148c1faa0b18f26ed57126eee6256ccd5d218463325a730266b53139554f4865adedb7659154c16 xsa41.patch
+bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
+36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
+0647841dd220bfe08e6382bb19ae6cb204887e4ef58ecc616bb2ee454e6b28abac225a68ba5f7736972da899284d718ec077bf3ac0045a0a370086c225314678 xsa34-4.2.patch
+6ce446fd561d38873d27efe2a874a745381bca40a73bb2564dc0e3f4733c3382cd2cdda134d0419c53e2b97b751dd190ebeb3cf885f7ee9671f232c6a2432c27 xsa35-4.2-with-xsa34.patch
+90f7b880cb05c0214af37feb6fb4ea7475d2fa7c653c80fbcaef09d8dcdc480732564203c18e3c828ade6f247850427f8d3d368cac640003e00af9863effdd19 xsa36-4.2.patch
+2abe25c83a3ede047db380b0477ba1aaaf9d955e87244f8d2404699e011cac46ad5501a0f75b76b90b5dc276d19ae08600a2fe57a69681f97088b5d17d977066 xsa38.patch
+aac646828703eb1f4cf9a94a29eec4901c7fcc37e86e06f60530bee40259bd789d1749d844b341aeda307bc5860f72375618cc169819fef5778679789703d7cb xsa47-4.2-unstable.patch
+31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch
+cfcf8d1af07032bfd3ff9c7a76a8f7d8c6f8b3b084712a494c3ca7624d9a03cbb7cad723b5a1dbc2a99e18a7046c221fae743c8dc42ba09b463f02fd069254d9 xsa44-4.2.patch
+35ed4d580d219e977ee1085c223563f51ccd9ce3675df2660d10d99c366a2fe2446269c98ac9dbf57c37de83340f4b0868d0eb3c5d898be4c0fc80357f6ed780 xsa46-4.2.patch
+792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee xenstored.initd
+100cf4112f401f45c1e4e885a5074698c484b40521262f6268fad286498e95f4c51e746f0e94eb43a590bb8e813a397bb53801ccacebec9541020799d8d70514 xenstored.confd
+12f981b2459c65d66e67ec0b32d0d19b95a029bc54c2a79138cfe488d3524a22e51860f755abfe25ddcdaf1b27f2ded59b6e350b9d5f8791193d00e2d3673137 xenconsoled.initd
+30df69cc38d0bed26bc4d6e08a2b62cbdc654d5f663009a05cb3b83b3e3dc5e206362d3fd59abbb753ceb8d6d79eaa6e15d079bb8f4f35dc74667103faf4e85d xenconsoled.confd
+55766e22d9374b404b96fba9d30aee49bee6c95fabce9c3d2aed1faba04c1573ecd75fe49e27ce1527ecf9064f53ccc15e4c69a1aa4ea3daa44828f38d687d85 xend.initd
+39b38156f0a8498dbbe9aa58d320b85473d0999d62d2e33bb6bf53627fc41f2c67ec318dfab70d2063799f4cd9eeadc015b66fbb211ee3ef765492421a718608 xend.confd
+7f8a79424dee62f818a3fa494032c57749b8c216aec0b949417006a01bd0a41ba76e942e1ee06c501e7b09ecc23f50545d3c88e75bbcf8bb31e31c9b404ff1de xendomains.initd
+77aeaf1858f944c0c3d6f99787525b48460d33c04182762d716dde8cdb33623d050e9d349a558109788e37ef1e56934232d028e0703078bed288c8c9155a0748 xendomains.confd
+ab2105c75cfe01768aecd5bcbb56269d63666e8a44e42b6a83aee87df6c84ee2f9ab249171c21b2e09f8fec2cae8318f6e87d160989398a3e7dd68db8d52c426 xen-consoles.logrotate
+bdbe15c924071cdc2d0f23e53ba8e3f837d4b5369bfb218abd3405f9bef25d105269aaf0784baeb69c073a5786b8c82ffdfd414e86874da34293cfdc2c497928 xenqemu.confd
+2341a01a000e4badd9dbfd122e7eb3e594982921a80186c0e4174744daf31114c384b42458864d9904ed1b463746efb774efa707ad48280a25ce897ef5ac9e83 xenqemu.initd"
diff --git a/main/xen/docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch b/main/xen/docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
new file mode 100644
index 0000000000..e442e3d8c3
--- /dev/null
+++ b/main/xen/docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
@@ -0,0 +1,55 @@
+From patchwork Wed Feb 20 17:20:31 2013
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: docs: Fix generating qemu-doc.html with texinfo 5
+Date: Wed, 20 Feb 2013 07:20:31 -0000
+From: Cole Robinson <crobinso@redhat.com>
+X-Patchwork-Id: 222131
+Message-Id: <97218cb913b6b91072f7e6f21d1de39ec5a137dd.1361380831.git.crobinso@redhat.com>
+To: qemu-devel@nongnu.org
+Cc: qemu-stable@nongnu.org, Cole Robinson <crobinso@redhat.com>
+
+LC_ALL=C makeinfo --no-headers --no-split --number-sections --html qemu-doc.texi -o qemu-doc.html
+./qemu-options.texi:1521: unknown command `list'
+./qemu-options.texi:1521: table requires an argument: the formatter for @item
+./qemu-options.texi:1521: warning: @table has text but no @item
+
+CC: qemu-stable@nongnu.org
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+
+---
+qemu-options.hx | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 4bc9c85..3af60bf 100644
+--- a/tools/qemu-xen/qemu-options.hx
++++ b/tools/qemu-xen/qemu-options.hx
+@@ -2095,18 +2095,13 @@ QEMU supports using either local sheepdog devices or remote networked
+ devices.
+ 
+ Syntax for specifying a sheepdog device
+-@table @list
+-``sheepdog:<vdiname>''
+-
+-``sheepdog:<vdiname>:<snapid>''
+-
+-``sheepdog:<vdiname>:<tag>''
+-
+-``sheepdog:<host>:<port>:<vdiname>''
+-
+-``sheepdog:<host>:<port>:<vdiname>:<snapid>''
+-
+-``sheepdog:<host>:<port>:<vdiname>:<tag>''
++@table @code
++@item sheepdog:<vdiname>
++@item sheepdog:<vdiname>:<snapid>
++@item sheepdog:<vdiname>:<tag>
++@item sheepdog:<host>:<port>:<vdiname>
++@item sheepdog:<host>:<port>:<vdiname>:<snapid>
++@item sheepdog:<host>:<port>:<vdiname>:<tag>
+ @end table
+ 
+ Example
diff --git a/main/xen/xsa44-4.2.patch b/main/xen/xsa44-4.2.patch
new file mode 100644
index 0000000000..07ed9386f6
--- /dev/null
+++ b/main/xen/xsa44-4.2.patch 
@@ -0,0 +1,77 @@ +x86: clear EFLAGS.NT in SYSENTER entry path + +... as it causes problems if we happen to exit back via IRET: In the +course of trying to handle the fault, the hypervisor creates a stack +frame by hand, and uses PUSHFQ to set the respective EFLAGS field, but +expects to be able to IRET through that stack frame to the second +portion of the fixup code (which causes a #GP due to the stored EFLAGS +having NT set). + +And even if this worked (e.g if we cleared NT in that path), it would +then (through the fail safe callback) cause a #GP in the guest with the +SYSENTER handler's first instruction as the source, which in turn would +allow guest user mode code to crash the guest kernel. + +Inject a #GP on the fake (NULL) address of the SYSENTER instruction +instead, just like in the case where the guest kernel didn't register +a corresponding entry point. + +On 32-bit we also need to make sure we clear SYSENTER_CS for all CPUs +(neither #RESET nor #INIT guarantee this). + +This is CVE-2013-1917 / XSA-44. + +Reported-by: Andrew Cooper <andrew.cooper3@citirx.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- a/xen/arch/x86/acpi/suspend.c ++++ b/xen/arch/x86/acpi/suspend.c +@@ -81,8 +81,12 @@ void restore_rest_processor_state(void) + } + + #else /* !defined(CONFIG_X86_64) */ +- if ( supervisor_mode_kernel && cpu_has_sep ) +- wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0); ++ if ( cpu_has_sep ) ++ { ++ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0); ++ if ( supervisor_mode_kernel ) ++ wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0); ++ } + #endif + + /* Maybe load the debug registers. 
*/ +--- a/xen/arch/x86/cpu/common.c ++++ b/xen/arch/x86/cpu/common.c +@@ -655,8 +655,11 @@ void __cpuinit cpu_init(void) + #if defined(CONFIG_X86_32) + t->ss0 = __HYPERVISOR_DS; + t->esp0 = get_stack_bottom(); +- if ( supervisor_mode_kernel && cpu_has_sep ) ++ if ( cpu_has_sep ) { ++ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0); ++ if ( supervisor_mode_kernel ) + wrmsr(MSR_IA32_SYSENTER_ESP, &t->esp1, 0); ++ } + #elif defined(CONFIG_X86_64) + /* Bottom-of-stack must be 16-byte aligned! */ + BUG_ON((get_stack_bottom() & 15) != 0); +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -284,7 +284,14 @@ sysenter_eflags_saved: + cmpb $0,VCPU_sysenter_disables_events(%rbx) + movq VCPU_sysenter_addr(%rbx),%rax + setne %cl ++ testl $X86_EFLAGS_NT,UREGS_eflags(%rsp) + leaq VCPU_trap_bounce(%rbx),%rdx ++UNLIKELY_START(nz, sysenter_nt_set) ++ pushfq ++ andl $~X86_EFLAGS_NT,(%rsp) ++ popfq ++ xorl %eax,%eax ++UNLIKELY_END(sysenter_nt_set) + testq %rax,%rax + leal (,%rcx,TBF_INTERRUPT),%ecx + UNLIKELY_START(z, sysenter_gpf) diff --git a/main/xen/xsa46-4.2.patch b/main/xen/xsa46-4.2.patch new file mode 100644 index 0000000000..9448ea9c67 --- /dev/null +++ b/main/xen/xsa46-4.2.patch 
@@ -0,0 +1,293 @@ +x86: fix various issues with handling guest IRQs + +- properly revoke IRQ access in map_domain_pirq() error path +- don't permit replacing an in use IRQ +- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI +- track IRQ access permission in host IRQ terms, not guest IRQ ones + (and with that, also disallow Dom0 access to IRQ0) + +This is CVE-2013-1919 / XSA-46. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> + +--- a/tools/libxl/libxl_create.c ++++ b/tools/libxl/libxl_create.c +@@ -968,14 +968,16 @@ static void domcreate_launch_dm(libxl__e + } + + for (i = 0; i < d_config->b_info.num_irqs; i++) { +- uint32_t irq = d_config->b_info.irqs[i]; ++ int irq = d_config->b_info.irqs[i]; + +- LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq); ++ LOG(DEBUG, "dom%d irq %d", domid, irq); + +- ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1); ++ ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq) ++ : -EOVERFLOW; ++ if (!ret) ++ ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1); + if ( ret<0 ){ +- LOGE(ERROR, +- "failed give dom%d access to irq %"PRId32, domid, irq); ++ LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq); + ret = ERROR_FAIL; + } + } +--- a/tools/python/xen/xend/server/irqif.py ++++ b/tools/python/xen/xend/server/irqif.py +@@ -73,6 +73,12 @@ class IRQController(DevController): + + pirq = get_param('irq') + ++ rc = xc.physdev_map_pirq(domid = self.getDomid(), ++ index = pirq, ++ pirq = pirq) ++ if rc < 0: ++ raise VmError('irq: Failed to map irq %x' % (pirq)) ++ + rc = xc.domain_irq_permission(domid = self.getDomid(), + pirq = pirq, + allow_access = True) +@@ -81,12 +87,6 @@ class IRQController(DevController): + #todo non-fatal + raise VmError( + 'irq: Failed to configure irq: %d' % (pirq)) +- rc = xc.physdev_map_pirq(domid = self.getDomid(), +- index = pirq, +- pirq = pirq) +- if rc < 0: +- raise VmError( +- 'irq: Failed to map irq %x' % 
(pirq)) + back = dict([(k, config[k]) for k in self.valid_cfg if k in config]) + return (self.allocateDeviceID(), back, {}) + +--- a/xen/arch/x86/domain_build.c ++++ b/xen/arch/x86/domain_build.c +@@ -1219,7 +1219,7 @@ int __init construct_dom0( + /* DOM0 is permitted full I/O capabilities. */ + rc |= ioports_permit_access(dom0, 0, 0xFFFF); + rc |= iomem_permit_access(dom0, 0UL, ~0UL); +- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1); ++ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1); + + /* + * Modify I/O port access permissions. +--- a/xen/arch/x86/domctl.c ++++ b/xen/arch/x86/domctl.c +@@ -772,9 +772,13 @@ long arch_do_domctl( + goto bind_out; + + ret = -EPERM; +- if ( !IS_PRIV(current->domain) && +- !irq_access_permitted(current->domain, bind->machine_irq) ) +- goto bind_out; ++ if ( !IS_PRIV(current->domain) ) ++ { ++ int irq = domain_pirq_to_irq(d, bind->machine_irq); ++ ++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) ) ++ goto bind_out; ++ } + + ret = -ESRCH; + if ( iommu_enabled ) +@@ -803,9 +807,13 @@ long arch_do_domctl( + bind = &(domctl->u.bind_pt_irq); + + ret = -EPERM; +- if ( !IS_PRIV(current->domain) && +- !irq_access_permitted(current->domain, bind->machine_irq) ) +- goto unbind_out; ++ if ( !IS_PRIV(current->domain) ) ++ { ++ int irq = domain_pirq_to_irq(d, bind->machine_irq); ++ ++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) ) ++ goto unbind_out; ++ } + + if ( iommu_enabled ) + { +--- a/xen/arch/x86/irq.c ++++ b/xen/arch/x86/irq.c +@@ -184,6 +184,14 @@ int create_irq(int node) + desc->arch.used = IRQ_UNUSED; + irq = ret; + } ++ else if ( dom0 ) ++ { ++ ret = irq_permit_access(dom0, irq); ++ if ( ret ) ++ printk(XENLOG_G_ERR ++ "Could not grant Dom0 access to IRQ%d (error %d)\n", ++ irq, ret); ++ } + + return irq; + } +@@ -280,6 +288,17 @@ void clear_irq_vector(int irq) + void destroy_irq(unsigned int irq) + { + BUG_ON(!MSI_IRQ(irq)); ++ ++ if ( dom0 ) ++ { ++ int err = irq_deny_access(dom0, irq); ++ ++ if 
( err ) ++ printk(XENLOG_G_ERR ++ "Could not revoke Dom0 access to IRQ%u (error %d)\n", ++ irq, err); ++ } ++ + dynamic_irq_cleanup(irq); + clear_irq_vector(irq); + } +@@ -1858,7 +1877,7 @@ int map_domain_pirq( + + if ( !IS_PRIV(current->domain) && + !(IS_PRIV_FOR(current->domain, d) && +- irq_access_permitted(current->domain, pirq))) ++ irq_access_permitted(current->domain, irq))) + return -EPERM; + + if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs ) +@@ -1887,17 +1906,18 @@ int map_domain_pirq( + return ret; + } + +- ret = irq_permit_access(d, pirq); ++ ret = irq_permit_access(d, irq); + if ( ret ) + { +- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n", +- d->domain_id, pirq); ++ printk(XENLOG_G_ERR ++ "dom%d: could not permit access to IRQ%d (pirq %d)\n", ++ d->domain_id, irq, pirq); + return ret; + } + + ret = prepare_domain_irq_pirq(d, irq, pirq, &info); + if ( ret ) +- return ret; ++ goto revoke; + + desc = irq_to_desc(irq); + +@@ -1921,8 +1941,14 @@ int map_domain_pirq( + spin_lock_irqsave(&desc->lock, flags); + + if ( desc->handler != &no_irq_type ) ++ { ++ spin_unlock_irqrestore(&desc->lock, flags); + dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n", + d->domain_id, irq); ++ pci_disable_msi(msi_desc); ++ ret = -EBUSY; ++ goto done; ++ } + setup_msi_handler(desc, msi_desc); + + if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV +@@ -1951,7 +1977,14 @@ int map_domain_pirq( + + done: + if ( ret ) ++ { + cleanup_domain_irq_pirq(d, irq, info); ++ revoke: ++ if ( irq_deny_access(d, irq) ) ++ printk(XENLOG_G_ERR ++ "dom%d: could not revoke access to IRQ%d (pirq %d)\n", ++ d->domain_id, irq, pirq); ++ } + return ret; + } + +@@ -2017,10 +2050,11 @@ int unmap_domain_pirq(struct domain *d, + if ( !forced_unbind ) + cleanup_domain_irq_pirq(d, irq, info); + +- ret = irq_deny_access(d, pirq); ++ ret = irq_deny_access(d, irq); + if ( ret ) +- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n", +- d->domain_id, pirq); ++ 
printk(XENLOG_G_ERR ++ "dom%d: could not deny access to IRQ%d (pirq %d)\n", ++ d->domain_id, irq, pirq); + + done: + return ret; +--- a/xen/arch/x86/physdev.c ++++ b/xen/arch/x86/physdev.c +@@ -147,7 +147,7 @@ int physdev_map_pirq(domid_t domid, int + if ( irq == -1 ) + irq = create_irq(NUMA_NO_NODE); + +- if ( irq < 0 || irq >= nr_irqs ) ++ if ( irq < nr_irqs_gsi || irq >= nr_irqs ) + { + dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n", + d->domain_id); +--- a/xen/common/domctl.c ++++ b/xen/common/domctl.c +@@ -25,6 +25,7 @@ + #include <xen/paging.h> + #include <xen/hypercall.h> + #include <asm/current.h> ++#include <asm/irq.h> + #include <asm/page.h> + #include <public/domctl.h> + #include <xsm/xsm.h> +@@ -897,9 +898,9 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc + else if ( xsm_irq_permission(d, pirq, allow) ) + ret = -EPERM; + else if ( allow ) +- ret = irq_permit_access(d, pirq); ++ ret = pirq_permit_access(d, pirq); + else +- ret = irq_deny_access(d, pirq); ++ ret = pirq_deny_access(d, pirq); + + rcu_unlock_domain(d); + } +--- a/xen/common/event_channel.c ++++ b/xen/common/event_channel.c +@@ -369,7 +369,7 @@ static long evtchn_bind_pirq(evtchn_bind + if ( (pirq < 0) || (pirq >= d->nr_pirqs) ) + return -EINVAL; + +- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) ) ++ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) ) + return -EPERM; + + spin_lock(&d->event_lock); +--- a/xen/include/xen/iocap.h ++++ b/xen/include/xen/iocap.h +@@ -28,4 +28,22 @@ + #define irq_access_permitted(d, i) \ + rangeset_contains_singleton((d)->irq_caps, i) + ++#define pirq_permit_access(d, i) ({ \ ++ struct domain *d__ = (d); \ ++ int i__ = domain_pirq_to_irq(d__, i); \ ++ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\ ++ : -EINVAL; \ ++}) ++#define pirq_deny_access(d, i) ({ \ ++ struct domain *d__ = (d); \ ++ int i__ = domain_pirq_to_irq(d__, i); \ ++ i__ > 0 ? 
rangeset_remove_singleton(d__->irq_caps, i__)\ ++ : -EINVAL; \ ++}) ++#define pirq_access_permitted(d, i) ({ \ ++ struct domain *d__ = (d); \ ++ rangeset_contains_singleton(d__->irq_caps, \ ++ domain_pirq_to_irq(d__, i));\ ++}) ++ + #endif /* __XEN_IOCAP_H__ */ diff --git a/main/xen/xsa47-4.2-unstable.patch b/main/xen/xsa47-4.2-unstable.patch new file mode 100644 index 0000000000..7ebb8c8a31 --- /dev/null +++ b/main/xen/xsa47-4.2-unstable.patch @@ -0,0 +1,31 @@ +defer event channel bucket pointer store until after XSM checks + +Otherwise a dangling pointer can be left, which would cause subsequent +memory corruption as soon as the space got re-allocated for some other +purpose. + +This is CVE-2013-1920 / XSA-47. + +Reported-by: Wei Liu <wei.liu2@citrix.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Tim Deegan <tim@xen.org> + +--- a/xen/common/event_channel.c ++++ b/xen/common/event_channel.c +@@ -140,7 +140,6 @@ static int get_free_port(struct domain * + chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET); + if ( unlikely(chn == NULL) ) + return -ENOMEM; +- bucket_from_port(d, port) = chn; + + for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ ) + { +@@ -153,6 +152,8 @@ static int get_free_port(struct domain * + } + } + ++ bucket_from_port(d, port) = chn; ++ + return port; + } + diff --git a/main/xen/xsa48-4.2.patch b/main/xen/xsa48-4.2.patch new file mode 100644 index 0000000000..998dbcb1d5 --- /dev/null +++ b/main/xen/xsa48-4.2.patch 
@@ -0,0 +1,114 @@ +Add -f FMT / --format FMT arg to qemu-nbd + +From: "Daniel P. Berrange" <berrange@redhat.com> + +Currently the qemu-nbd program will auto-detect the format of +any disk it is given. This behaviour is known to be insecure. +For example, if qemu-nbd initially exposes a 'raw' file to an +unprivileged app, and that app runs + + 'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0' + +then the next time the app is started, the qemu-nbd will now +detect it as a 'qcow2' file and expose /etc/shadow to the +unprivileged app. + +The only way to avoid this is to explicitly tell qemu-nbd what +disk format to use on the command line, completely disabling +auto-detection. This patch adds a '-f' / '--format' arg for +this purpose, mirroring what is already available via qemu-img +and qemu commands. + + qemu-nbd --format raw -p 9000 evil.img + +will now always use raw, regardless of what format 'evil.img' +looks like it contains + +Signed-off-by: Daniel P. Berrange <berrange@redhat.com> +[Use errx, not err. - Paolo] +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> + +[ This is a security issue, CVE-2013-1922 / XSA-48. 
] + +diff --git a/qemu-nbd.c b/qemu-nbd.c +index 291cba2..8fbe2cf 100644 +--- a/tools/qemu-xen/qemu-nbd.c ++++ b/tools/qemu-xen/qemu-nbd.c +@@ -247,6 +247,7 @@ out: + int main(int argc, char **argv) + { + BlockDriverState *bs; ++ BlockDriver *drv; + off_t dev_offset = 0; + off_t offset = 0; + uint32_t nbdflags = 0; +@@ -256,7 +257,7 @@ int main(int argc, char **argv) + struct sockaddr_in addr; + socklen_t addr_len = sizeof(addr); + off_t fd_size; +- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t"; ++ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t"; + struct option lopt[] = { + { "help", 0, NULL, 'h' }, + { "version", 0, NULL, 'V' }, +@@ -271,6 +272,7 @@ int main(int argc, char **argv) + { "snapshot", 0, NULL, 's' }, + { "nocache", 0, NULL, 'n' }, + { "shared", 1, NULL, 'e' }, ++ { "format", 1, NULL, 'f' }, + { "persistent", 0, NULL, 't' }, + { "verbose", 0, NULL, 'v' }, + { NULL, 0, NULL, 0 } +@@ -292,6 +294,7 @@ int main(int argc, char **argv) + int max_fd; + int persistent = 0; + pthread_t client_thread; ++ const char *fmt = NULL; + + /* The client thread uses SIGTERM to interrupt the server. A signal + * handler ensures that "qemu-nbd -v -c" exits with a nice status code. 
+@@ -368,6 +371,9 @@ int main(int argc, char **argv) + errx(EXIT_FAILURE, "Shared device number must be greater than 0\n"); + } + break; ++ case 'f': ++ fmt = optarg; ++ break; + case 't': + persistent = 1; + break; +@@ -478,9 +484,19 @@ int main(int argc, char **argv) + bdrv_init(); + atexit(bdrv_close_all); + ++ if (fmt) { ++ drv = bdrv_find_format(fmt); ++ if (!drv) { ++ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt); ++ } ++ } else { ++ drv = NULL; ++ } ++ + bs = bdrv_new("hda"); + srcpath = argv[optind]; +- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) { ++ ret = bdrv_open(bs, srcpath, flags, drv); ++ if (ret < 0) { + errno = -ret; + err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]); + } +diff --git a/qemu-nbd.texi b/qemu-nbd.texi +index 44996cc..f56c68e 100644 +--- a/tools/qemu-xen/qemu-nbd.texi ++++ b/tools/qemu-xen/qemu-nbd.texi +@@ -36,6 +36,8 @@ Export Qemu disk image using NBD protocol. + disconnect the specified device + @item -e, --shared=@var{num} + device can be shared by @var{num} clients (default @samp{1}) ++@item -f, --format=@var{fmt} ++ force block driver for format @var{fmt} instead of auto-detecting + @item -t, --persistent + don't exit on the last connection + @item -v, --verbose |