author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-08-12 14:13:10 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-08-12 14:19:48 +0000 |
commit | 39334b55a641271e04b6529e4ba75f780b232a6c (patch) | |
tree | 6c20310ff4bb78f4ceb327eea2fcb4017e91cf82 | |
parent | e2a41181980948dc15f6b20a9b6980444f9f73df (diff) | |
main/xen: security upgrade to 4.4.4. Fixes #6020
-rw-r--r-- | main/xen/APKBUILD | 104 | ||||
-rw-r--r-- | main/xen/xsa125-4.4.patch | 160 | ||||
-rw-r--r-- | main/xen/xsa126-qemut.patch | 151 | ||||
-rw-r--r-- | main/xen/xsa126-qemuu.patch | 128 | ||||
-rw-r--r-- | main/xen/xsa127-4.x.patch | 50 | ||||
-rw-r--r-- | main/xen/xsa132.patch | 29 | ||||
-rw-r--r-- | main/xen/xsa133-qemut.patch | 80 | ||||
-rw-r--r-- | main/xen/xsa133-qemuu.patch | 84 | ||||
-rw-r--r-- | main/xen/xsa134.patch | 23 | ||||
-rw-r--r-- | main/xen/xsa135-qemut-1.patch | 93 | ||||
-rw-r--r-- | main/xen/xsa135-qemut-2.patch | 46 | ||||
-rw-r--r-- | main/xen/xsa135-qemuu-4.5-1.patch | 94 | ||||
-rw-r--r-- | main/xen/xsa135-qemuu-4.5-2.patch | 45 | ||||
-rw-r--r-- | main/xen/xsa136.patch | 19 | ||||
-rw-r--r-- | main/xen/xsa154-4.4.patch | 328 | ||||
-rw-r--r-- | main/xen/xsa156-4.4.patch | 127 | ||||
-rw-r--r-- | main/xen/xsa159.patch | 47 | ||||
-rw-r--r-- | main/xen/xsa160-4.4.patch | 69 | ||||
-rw-r--r-- | main/xen/xsa165-4.5.patch | 85 | ||||
-rw-r--r-- | main/xen/xsa167-4.4.patch | 78 | ||||
-rw-r--r-- | main/xen/xsa168.patch | 27 | ||||
-rw-r--r-- | main/xen/xsa181-4.4.patch | 38 | ||||
-rw-r--r-- | main/xen/xsa184-qemut-master.patch | 43 | ||||
-rw-r--r-- | main/xen/xsa184-qemuu-master.patch | 43 |
24 files changed, 147 insertions, 1844 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 3436460ba8..f1a6612b0c 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen -pkgver=4.4.2 -pkgrel=7 +pkgver=4.4.4 +pkgrel=0 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64" @@ -18,28 +18,12 @@ install="" subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor py-$pkgname:_py" source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz - xsa125-4.4.patch - xsa126-qemuu.patch - xsa126-qemut.patch - xsa127-4.x.patch - xsa132.patch - xsa133-qemut.patch - xsa133-qemuu.patch - xsa134.patch - xsa135-qemut-1.patch - xsa135-qemut-2.patch - xsa135-qemuu-4.5-1.patch - xsa135-qemuu-4.5-2.patch - xsa136.patch - xsa156-4.4.patch - xsa159.patch - xsa160-4.4.patch - xsa165-4.5.patch - xsa167-4.4.patch - xsa168.patch xsa170-4.5.patch xsa172.patch xsa173-4.4.patch + xsa181-4.4.patch + xsa184-qemut-master.patch + xsa184-qemuu-master.patch 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch 0002-libxl-Provide-libxl__backendpath_parse_domid.patch @@ -98,6 +82,12 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g " _builddir="$srcdir"/$pkgname-$pkgver + +# security fixes: +# 4.4.4-r0: +# - CVE-2016-5242 +# - CVE-2016-5403 + prepare() { local i cd "$_builddir" 
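Review bot: The `# security fixes:` block added after `_builddir` in the third hunk names CVE-2016-5242 and CVE-2016-5403 without tying them to the patches added to `source` in the second hunk, so a later maintainer cannot tell which patch file carries which fix or which one may be dropped once upstream contains it; I would write `# - CVE-2016-5242 (xsa181-4.4.patch)` and `# - CVE-2016-5403 (xsa184-qemut-master.patch, xsa184-qemuu-master.patch)`. The retained xsa170-4.5.patch, xsa172.patch and xsa173-4.4.patch get no entry in that block, and nothing on the page says whether 4.4.4 already contains them; either list their CVEs there or drop them with a note in the commit message, which at present also does not state that the nineteen removed XSA patches are included upstream in 4.4.4. One caveat on CVE-2016-5242: this package is `arch="x86_64"` only (first hunk), and as far as I recall XSA-181 fixes an ARM-only VMID exhaustion, so that entry records a patch that is applied but does not change this build — a short remark next to it would keep the list from being read as an x86 fix.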
@@ -261,29 +251,13 @@ _py() { fi } -md5sums="1812261459564147e6b9105115c511aa xen-4.4.2.tar.gz -b7270a203701a5399c849c48867dc327 xsa125-4.4.patch -1ee5f45ecda3513e8a9708b2edf5141d xsa126-qemuu.patch -941b4cb7f2a8ba31bf08ab5425891902 xsa126-qemut.patch -c7d2d6913945100b5048e5149d0f6af2 xsa127-4.x.patch -896d814b803427d72781cd9a1e11ebd2 xsa132.patch -c1b7aaa9c5e729b61712d27d1f9fae6a xsa133-qemut.patch -fdb8ba32313a5b8088773ffcfd865ae7 xsa133-qemuu.patch -c6c0595e7824988fa21daf73d4a9f029 xsa134.patch -8035908817374d2d32aaadf942e3391d xsa135-qemut-1.patch -462f5d784493119bdfa6e7b5a628a88d xsa135-qemut-2.patch -c14ee8915f4b2207e0e59c4df8da957c xsa135-qemuu-4.5-1.patch -8326f1f53d86312cfad80cd33de1962f xsa135-qemuu-4.5-2.patch -ff35b1f11bcddbd651445406bbc88a76 xsa136.patch -784876f7bc9034a2a6184edbfa2bdec0 xsa156-4.4.patch -9dad98f18893ab696e7a26e5d2a707b2 xsa159.patch -8d5940f58564ecc37fbf8f3176884b8a xsa160-4.4.patch -73959d870f397ff4fa5091ebb62d7697 xsa165-4.5.patch -1832af4e78d994617c18bd7df58e6409 xsa167-4.4.patch -b837726ce186fa61cfe7238b225b0335 xsa168.patch +md5sums="421ab1dc50357c916d7f3e1fbe7db074 xen-4.4.4.tar.gz 2c2adc771c0ac13671bdcdd314602fcd xsa170-4.5.patch b14d9a4247ae654579cb757c9b0e949a xsa172.patch 6de4080f47887c2e28911d4dd2f05fee xsa173-4.4.patch +c7ee17c756c6801234f6095cfc056e0c xsa181-4.4.patch +95bc220677fc2bb9a3df4dc14a0b31f6 xsa184-qemut-master.patch +cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch d598b31823a2b4398fb2f9c39aec0cff 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch 761926907618592763ba75fce4c02c57 0002-libxl-Provide-libxl__backendpath_parse_domid.patch b5e297a4a111f897b403d70c25158adb 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch 
@@ -330,29 +304,13 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate 6a2f777c16678d84039acf670d86fff6 xenqemu.confd f9afbf39e2b5a7d9dde60ebbd249ea7d xenqemu.initd" -sha256sums="cd53592e86669e5e8c4d4a731b0199e8af17d8eadbb8f26dbb69f1b751259204 xen-4.4.2.tar.gz -2180e657b34d8628d4e0157adf2a36904bb6feaf55d53338e4457ef77d867a31 xsa125-4.4.patch -bbb8c840f3ef182508cff36803d861f15923325075ccc58801673b23dfc1a169 xsa126-qemuu.patch -791c288379fcd8b30ee473d42f1113c8ffa5f244dd82df9db6cc4597c81155b7 xsa126-qemut.patch -e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd xsa127-4.x.patch -329d4edf1e1133795ece41f2fc8887c5f4cc06b42ced63c810c610b17bcee46d xsa132.patch -8d8c82fedf4beb6ad1a27002c1d3fb3031e43a732316e2049ec5d04939c159bc xsa133-qemut.patch -032481a153d80192112e42f704dc7180aeb995a12d3ddef0efec4eb87c044079 xsa133-qemuu.patch -fff911a994a5031831cabd574bcba281eff438559706414a1886502eaa05ee12 xsa134.patch -b4b66d772e52ec35f7256b168ac68f5cf0901590112b3b4db860d1b9c2f513f6 xsa135-qemut-1.patch -0d98a8c4498390a93665872dea9b4b00781578e95e6c78a49632bacb5f70edb8 xsa135-qemut-2.patch -45332351182c3c2c64e1480aa1f77a2d88814e0fb3fbe03fef77f32c37cf8a5e xsa135-qemuu-4.5-1.patch -04bf6d34183278984d3098522d985d5d22a45c38381772e9670e962d00b133d0 xsa135-qemuu-4.5-2.patch -b54a71cf41d333345a9b8fd5f3f1aa644000a24e20343b54e5a41cd51d14af04 xsa136.patch -c2001aed46840b044a066b9ca79a8c53aca26fc637125016ccfebafa5ace5475 xsa156-4.4.patch -05c35871c1430e9cfdbee049411b23fca6c64c5bc9f112d7508afe5cbd289cef xsa159.patch -d0ce9e3c2b951ac3d25da4a0f6f232b13980625a249ed9c4cd6e9484721943a5 xsa160-4.4.patch -dd15e301f2757e0c7975bdccfe49ddf41c730bc124dd90166e0844d332eeedad xsa165-4.5.patch -194c1ce89292f4cbb9980baa703095bcbeb5849abf46d193e07a98a0d8301f78 xsa167-4.4.patch -c95198a66485d6e538d113ce2b84630d77c15f597113c38fadd6bf1e24e4c8ec xsa168.patch +sha256sums="86007e0f81c1c7d85009902e3ece0baf29b205ff4248b81709828c6fdc9ec253 
xen-4.4.4.tar.gz 1df068fb439c7edc1e86dfa9ea3b9ae99b58cdc3ac874b96cdf63b26ef9a6b98 xsa170-4.5.patch f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154 xsa172.patch 35e02b8d4c2841ad951dd967b4f11aa7911fe5d52be2cb605b174e8c2e9214ca xsa173-4.4.patch +97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f xsa181-4.4.patch +88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20 xsa184-qemut-master.patch +3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65 xsa184-qemuu-master.patch cefe2c82a30227b6538c6924d7d939192be3c481e48ac94c82f4c51f60388570 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch f24b26891fac4e8bf8a0939a5b64fc7ad096ef699f1882aad6e96cf81b85fc3e 0002-libxl-Provide-libxl__backendpath_parse_domid.patch 748ea9d369b1f8372d1a4c420e6a9d90f881b7142e7913ed5d72b99c07ac11a0 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch 
@@ -399,29 +357,13 @@ b5125159b4a4487e910b2f75519061204eccf7f8377e3cd395b18f0358451db9 xendomains.ini 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd bf17808a79c57a9efc38b9f14cc87f556b2bb7ecfdec5763d9cf686255a47fce xenqemu.initd" -sha512sums="7dae2a1d601d5c65c350ea9fe9870551ec53dff47b6ebe56e99285fd1112aa1cba3a2594e294b871defcf43fb7fccace9f18910e69f02dfce162d7bf453eb07b xen-4.4.2.tar.gz -3f1dbbd9ff6c7fa637ae995b2a5dcf13e37ca89e0c25deec55893f7349b1665d4f328e526eddea36ab7c820371031083d1827011308bb522b75920d217470b28 xsa125-4.4.patch -5ade1fb69e48d12b60fc867b00a59dcd94d3db264c9f3cf6937551ef142fd37285ba59b81b95883f16b21d287fda5eef5f114df155fef059ba97535168fd358a xsa126-qemuu.patch -b65565d1e8fd0a41a683c22664cc024b9193f733f7029a4421730a63c23190ff4d6d3afb7bfddcccd290c8986b866d989e6ddfa9c5d99f6aa73e0516c2d2d511 xsa126-qemut.patch -598761b014cf17fa9ee1ac56ad7cf5c27cda208e180b471d2946a14079886c60448c6f2e7e0633bd1d85b5737af2a4e76b7377e58726f617e982c5c5395f03d9 xsa127-4.x.patch -23d4fb293c678b8b0a6c48cbd696761bd35179e56c7d9b1d8090006241e33dc5cc4d77a2598f27dd3943a9d13a38c6b21714d2a639e6f9c0d86a0a5c747becee xsa132.patch -a06bf522ab6076fbb5869e9a5f1aba37d41fba21d8a327b85ea315ca8814cb959fef2d3458c7f6d2b758eb5a4b7b54ed81b14bb80512205eb2a90d46ca432f95 xsa133-qemut.patch -fc97003d6817fa44dac7e72db1b5bdb0905a138d65caf12f8b1e3cd5855b3b8d441caf95f7c902f36b4c21c862148ab31e45b6ef1ffd22c25875a04cb29c9911 xsa133-qemuu.patch -2a11aa675ce808a0b43811470ff3b24fb1a98b603982216ed756738904b3d5c7ec2b206cdbc6b4f08f062a6abc5f2496cf06a41a72ef8da683234c77d1fc6fce xsa134.patch -68824ec4d8a201c9687bd2de82489730908a70914243067f9e76a2584ce73212fd55ec00d6cf1301f7d1c73e32c9e46a93d3da4a6a61781ddec4f863190fb02b xsa135-qemut-1.patch -c29683569affcef4d45ec510b0b8b6d7c4466fc3026005b0612876ce1b7dc52ead77880a3204b5df78d836bdf197b872780c67afd49a895f9f7a47aabf3d9064 xsa135-qemut-2.patch 
-66c7c906b5d23ec9f093986f15243499d66fb38b4c68d77e6f3989a21b05ee22f8ddf6ca3c76a8b0022aa52e5ffcdb9c2374cc62a6808fbbbafc3ddf928f216d xsa135-qemuu-4.5-1.patch -6d9e93f65a5a8732c4c6a20e22c9d3252e8c6b5948db652903a2f323bc653c9ae6dc85d21c66bc93e5a4d7d09344e20e401e850a748fbc5e99c5e50671f11a00 xsa135-qemuu-4.5-2.patch -aa204c59ee5d7b61d4515648208b6217dd0bd5b4dc8934085b0c3cedc72780a21b012445c38024e33ab604e870db49b2fffd7d9f91e909b775bcd503eec30bd9 xsa136.patch -3e4a7edad774cf80c07f19823710efbaabc4c81d75e34378efed6dab4e7696eb876a0e3a955296d48443c3cc55daaddd3fea623369f1d2e76a777ef8e6f41b64 xsa156-4.4.patch -82a8cd774078b201e3ca854b2419d5c2e69d8168066dcf0cf2c7373b649a9c0325b568cb7434b0f50e10dcc965a0557e845309dd1ddb9925950f386b12249d5d xsa159.patch -f12e15fe6e67cc61ba462993f69e5c247ae58652fe84ecd5a2f48379a9734cafcb22c83c3398aeca8fa5e72f9e8e7a56ef51bc8ab780dda7177946a119c34863 xsa160-4.4.patch -1585c23d3ee8e3d40bd4fd4c74fcbe8223a6285cbe8b3d6479d77eaf9851b11e9634bf275e80f6aaf1cceeb466142e18e4f61491ada509f4c5a0aebda4b6e795 xsa165-4.5.patch -61c41491a6086a96bcdf830c7330d71561b6229cd71672075d00ef011e84e3e00b15a1ff650a8ec36a3936e970593c2ce0f986810cecca1d2f1973e1378c4e22 xsa167-4.4.patch -c55ee924b21edf54ce3c873d952a20f32f851661a13514528d42d2ef36767cfa9e31b1a42a4e0f40ff1011c692c406155fcc59be0c43fd44973cd0a5acee2ac7 xsa168.patch +sha512sums="dfb085f84ab6f160f73af9a0cccf85de597261313ca1a8139142ac1ded57e8c82c39141ef90514a39f94a4fe272a73f35dbc43b30c373cbee73048a5dce64b1b xen-4.4.4.tar.gz 1b6f700bd9239ec7fad8e9c6d3f3c83b051dd5bc374c92d131211688985f8d8389bc2c24aa784fe1647524af4bdebd50943187218e7cf842154b16b8d4fcd9db xsa170-4.5.patch 8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc xsa172.patch 0f916156724995abe68bdd66a704c2e80d5b9c7883fd406cbd67e47e626e5c309418d4117588388bdd626b0876c0f7664733815c492c29e0c9d3a46460a01124 xsa173-4.4.patch 
+c11965a710eb0ff7b3f7d4797882d6607e8091159b06267a190dc12e0292370a7682a8ec3b7036bb23b283bcacd8efb19d275efe441461fbf970b82989c8439a xsa181-4.4.patch +14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad xsa184-qemut-master.patch +862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6 xsa184-qemuu-master.patch a78d27cbd0090521854a10d83180d58b4050c1ab8d8a7eef4639240ea24df5a03d8638795589479010a5de1a4df3ce64f705afc8971786ad981a87a545778014 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch c7142a142413542e291df407621c16b7d3c0a4b8cfb4c3287f2be012ea72485cb2b8d70cffc3cf4393f664f7154e9cbe4a436ead044ef820f7ab8eee7f445625 0002-libxl-Provide-libxl__backendpath_parse_domid.patch fd9d3d113ecb74f8589a792e5461e61d2664939e601744671a064194e2c603533e01b3abd8ae42ce203916f9055b5438d481dd47236b84b20d8129b4159ee4ae 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch diff --git a/main/xen/xsa125-4.4.patch b/main/xen/xsa125-4.4.patch deleted file mode 100644 index 35208f3998..0000000000 --- a/main/xen/xsa125-4.4.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From df2922ce672cc35500e2f3ba041441021f44b41c Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Wed, 19 Nov 2014 12:57:11 -0500 -Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to only process up - to 64 GFNs (or less) - -Said hypercall for large BARs can take quite a while. As such -we can require that the hypercall MUST break up the request -in smaller values. - -Another approach is to add preemption to it - whether we do the -preemption using hypercall_create_continuation or returning -EAGAIN to userspace (and have it re-invocate the call) - either -way the issue we cannot easily solve is that in 'map_mmio_regions' -if we encounter an error we MUST call 'unmap_mmio_regions' for the -whole BAR region. - -Since the preemption would re-use input fields such as nr_mfns, -first_gfn, first_mfn - we would lose the original values - -and only undo what was done in the current round (i.e. ignoring -anything that was done prior to earlier preemptions). - -Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but -that puts a limit (since the return value is a long) on the amount -of nr_mfns that can provided. - -This patch sidesteps this problem by: - - Setting an hard limit of nr_mfns having to be 64 or less. - - Toolstack adjusts correspondingly to the nr_mfn limit. - - If the there is an error when adding the toolstack will call the - remove operation to remove the whole region. - -The need to break this hypercall down is for large BARs can take -more than the guest (initial domain usually) time-slice. This has -the negative result in that the guest is locked out for a long -duration and is unable to act on any pending events. - -We also augment the code to return zero if nr_mfns instead -of trying to the hypercall. 
- -Suggested-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Jan Beulich <jbeulich@suse.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> ---- - tools/libxc/xc_domain.c | 55 ++++++++++++++++++++++++++++++++++++++++----- - xen/arch/x86/domctl.c | 5 +++++ - xen/include/public/domctl.h | 1 + - 3 files changed, 56 insertions(+), 5 deletions(-) - -diff --git a/tools/libxc/xc_domain.c b/tools/libxc/xc_domain.c -index 369c3f3..40ca771 100644 ---- a/tools/libxc/xc_domain.c -+++ b/tools/libxc/xc_domain.c -@@ -1641,6 +1641,13 @@ failed: - return -1; - } - -+#ifndef min -+#define min(X, Y) ({ \ -+ const typeof (X) _x = (X); \ -+ const typeof (Y) _y = (Y); \ -+ (void) (&_x == &_y); \ -+ (_x < _y) ? _x : _y; }) -+#endif - int xc_domain_memory_mapping( - xc_interface *xch, - uint32_t domid, -@@ -1650,17 +1657,55 @@ int xc_domain_memory_mapping( - uint32_t add_mapping) - { - DECLARE_DOMCTL; -+ int ret = 0, err; -+ unsigned long done = 0, nr, max_batch_sz; -+ -+ if ( !nr_mfns ) -+ return 0; - - domctl.cmd = XEN_DOMCTL_memory_mapping; - domctl.domain = domid; -- domctl.u.memory_mapping.first_gfn = first_gfn; -- domctl.u.memory_mapping.first_mfn = first_mfn; -- domctl.u.memory_mapping.nr_mfns = nr_mfns; - domctl.u.memory_mapping.add_mapping = add_mapping; -+ max_batch_sz = nr_mfns; -+ do -+ { -+ nr = min(nr_mfns - done, max_batch_sz); -+ domctl.u.memory_mapping.nr_mfns = nr; -+ domctl.u.memory_mapping.first_gfn = first_gfn + done; -+ domctl.u.memory_mapping.first_mfn = first_mfn + done; -+ err = do_domctl(xch, &domctl); -+ if ( err && errno == E2BIG ) -+ { -+ if ( max_batch_sz <= 1 ) -+ break; -+ max_batch_sz >>= 1; -+ continue; -+ } -+ /* Save the first error... */ -+ if ( !ret ) -+ ret = err; -+ /* .. and ignore the rest of them when removing. 
*/ -+ if ( err && add_mapping != DPCI_REMOVE_MAPPING ) -+ break; - -- return do_domctl(xch, &domctl); --} -+ done += nr; -+ } while ( done < nr_mfns ); - -+ /* -+ * Undo what we have done unless unmapping, by unmapping the entire region. -+ * Errors here are ignored. -+ */ -+ if ( ret && add_mapping != DPCI_REMOVE_MAPPING ) -+ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns, -+ DPCI_REMOVE_MAPPING); -+ -+ /* We might get E2BIG so many times that we never advance. */ -+ if ( !done && !ret ) -+ ret = -1; -+ -+ return ret; -+} -+#undef min - int xc_domain_ioport_mapping( - xc_interface *xch, - uint32_t domid, -diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c -index a967b65..9b72c22 100644 ---- a/xen/arch/x86/domctl.c -+++ b/xen/arch/x86/domctl.c -@@ -653,6 +653,11 @@ long arch_do_domctl( - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -+ ret = -E2BIG; -+ /* Must break hypercall up as this could take a while. */ -+ if ( nr_mfns > 64 ) -+ break; -+ - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) ) - break; -diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h -index f22fe2e..c45bc59 100644 ---- a/xen/include/public/domctl.h -+++ b/xen/include/public/domctl.h -@@ -518,6 +518,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_pt_irq_t); - - - /* Bind machine I/O address range -> HVM address range. */ -+/* If this returns -E2BIG lower nr_mfns value. */ - /* XEN_DOMCTL_memory_mapping */ - #define DPCI_ADD_MAPPING 1 - #define DPCI_REMOVE_MAPPING 0 --- -2.1.0 - diff --git a/main/xen/xsa126-qemut.patch b/main/xen/xsa126-qemut.patch deleted file mode 100644 index 796ff9e541..0000000000 --- a/main/xen/xsa126-qemut.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -xen: limit guest control of PCI command register - -Otherwise the guest can abuse that control to cause e.g. PCIe -Unsupported Request responses (by disabling memory and/or I/O decoding -and subsequently causing [CPU side] accesses to the respective address -ranges), which (depending on system configuration) may be fatal to the -host. - -This is CVE-2015-2756 / XSA-126. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/tools/qemu-xen-traditional/hw/pass-through.c -+++ b/tools/qemu-xen-traditional/hw/pass-through.c -@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de - static int pt_long_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask); - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); -@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg - .size = 2, - .init_val = 0x0000, - .ro_mask = 0xF880, -- .emu_mask = 0x0740, -+ .emu_mask = 0x0743, - .init = pt_common_reg_init, -- .u.w.read = pt_cmd_reg_read, -+ .u.w.read = pt_word_reg_read, - .u.w.write = pt_cmd_reg_write, - .u.w.restore = pt_cmd_reg_restore, - }, -@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d - return rc; - } - --static int pt_register_regions(struct pt_dev *assigned_device) -+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd) - { - int i = 0; - uint32_t bar_data = 0; -@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt - - /* Register current region */ - if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO, - pt_ioport_map); -+ 
*cmd |= PCI_COMMAND_IO; -+ } - else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - else -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - - PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n", - (uint32_t)(pci_dev->size[i]), -@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de - return 0; - } - --/* read Command register */ --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask) --{ -- struct pt_reg_info_tbl *reg = cfg_entry->reg; -- uint16_t valid_emu_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; -- -- /* emulate word register */ -- valid_emu_mask = emu_mask & valid_mask; -- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); -- -- return 0; --} -- - /* read BAR */ - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, -@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de - uint16_t writable_mask = 0; - uint16_t throughable_mask = 0; - uint16_t wr_value = *value; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; - - /* modify emulate register */ - writable_mask = ~reg->ro_mask & valid_mask; - cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask); - - /* create value for writing to I/O device register */ -- throughable_mask = ~emu_mask & valid_mask; -+ throughable_mask = ~reg->emu_mask & valid_mask; - - if (*value & PCI_COMMAND_DISABLE_INTx) - { -@@ -4211,6 
+4190,7 @@ static struct pt_dev * register_real_dev - struct pt_dev *assigned_device = NULL; - struct pci_dev *pci_dev; - uint8_t e_device, e_intx; -+ uint16_t cmd = 0; - char *key, *val; - int msi_translate, power_mgmt; - -@@ -4300,7 +4280,7 @@ static struct pt_dev * register_real_dev - assigned_device->dev.config[i] = pci_read_byte(pci_dev, i); - - /* Handle real device's MMIO/PIO BARs */ -- pt_register_regions(assigned_device); -+ pt_register_regions(assigned_device, &cmd); - - /* Setup VGA bios for passthroughed gfx */ - if ( setup_vga_pt(assigned_device) < 0 ) -@@ -4378,6 +4358,10 @@ static struct pt_dev * register_real_dev - } - - out: -+ if (cmd) -+ pci_write_word(pci_dev, PCI_COMMAND, -+ *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd); -+ - PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n" - "IRQ type = %s\n", r_bus, r_dev, r_func, - assigned_device->msi_trans_en? "MSI-INTx":"INTx"); diff --git a/main/xen/xsa126-qemuu.patch b/main/xen/xsa126-qemuu.patch deleted file mode 100644 index 84fd4ae340..0000000000 --- a/main/xen/xsa126-qemuu.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -xen: limit guest control of PCI command register - -Otherwise the guest can abuse that control to cause e.g. PCIe -Unsupported Request responses (by disabling memory and/or I/O decoding -and subsequently causing [CPU side] accesses to the respective address -ranges), which (depending on system configuration) may be fatal to the -host. - -This is CVE-2015-2756 / XSA-126. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/tools/qemu-xen/hw/xen/xen_pt.c -+++ b/tools/qemu-xen/hw/xen/xen_pt.c -@@ -388,7 +388,7 @@ static const MemoryRegionOps ops = { - .write = xen_pt_bar_write, - }; - --static int xen_pt_register_regions(XenPCIPassthroughState *s) -+static int xen_pt_register_regions(XenPCIPassthroughState *s, uint16_t *cmd) - { - int i = 0; - XenHostPCIDevice *d = &s->real_device; -@@ -406,6 +406,7 @@ static int xen_pt_register_regions(XenPC - - if (r->type & XEN_HOST_PCI_REGION_TYPE_IO) { - type = PCI_BASE_ADDRESS_SPACE_IO; -+ *cmd |= PCI_COMMAND_IO; - } else { - type = PCI_BASE_ADDRESS_SPACE_MEMORY; - if (r->type & XEN_HOST_PCI_REGION_TYPE_PREFETCH) { -@@ -414,6 +415,7 @@ static int xen_pt_register_regions(XenPC - if (r->type & XEN_HOST_PCI_REGION_TYPE_MEM_64) { - type |= PCI_BASE_ADDRESS_MEM_TYPE_64; - } -+ *cmd |= PCI_COMMAND_MEMORY; - } - - memory_region_init_io(&s->bar[i], OBJECT(s), &ops, &s->dev, -@@ -638,6 +640,7 @@ static int xen_pt_initfn(PCIDevice *d) - XenPCIPassthroughState *s = DO_UPCAST(XenPCIPassthroughState, dev, d); - int rc = 0; - uint8_t machine_irq = 0; -+ uint16_t cmd = 0; - int pirq = XEN_PT_UNASSIGNED_PIRQ; - - /* register real device */ -@@ -672,7 +675,7 @@ static int xen_pt_initfn(PCIDevice *d) - s->io_listener = xen_pt_io_listener; - - /* Handle real device's MMIO/PIO BARs */ -- xen_pt_register_regions(s); -+ xen_pt_register_regions(s, &cmd); - - /* reinitialize each config register to be emulated 
*/ - if (xen_pt_config_init(s)) { -@@ -736,6 +739,11 @@ static int xen_pt_initfn(PCIDevice *d) - } - - out: -+ if (cmd) { -+ xen_host_pci_set_word(&s->real_device, PCI_COMMAND, -+ pci_get_word(d->config + PCI_COMMAND) | cmd); -+ } -+ - memory_listener_register(&s->memory_listener, &address_space_memory); - memory_listener_register(&s->io_listener, &address_space_io); - XEN_PT_LOG(d, ---- a/tools/qemu-xen/hw/xen/xen_pt_config_init.c -+++ b/tools/qemu-xen/hw/xen/xen_pt_config_init.c -@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI - } - - /* Command register */ --static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry, -- uint16_t *value, uint16_t valid_mask) --{ -- XenPTRegInfo *reg = cfg_entry->reg; -- uint16_t valid_emu_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if (s->is_virtfn) { -- emu_mask |= PCI_COMMAND_MEMORY; -- } -- -- /* emulate word register */ -- valid_emu_mask = emu_mask & valid_mask; -- *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); -- -- return 0; --} - static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry, - uint16_t *val, uint16_t dev_value, - uint16_t valid_mask) -@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa - XenPTRegInfo *reg = cfg_entry->reg; - uint16_t writable_mask = 0; - uint16_t throughable_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if (s->is_virtfn) { -- emu_mask |= PCI_COMMAND_MEMORY; -- } - - /* modify emulate register */ - writable_mask = ~reg->ro_mask & valid_mask; - cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask); - - /* create value for writing to I/O device register */ -- throughable_mask = ~emu_mask & valid_mask; -+ throughable_mask = ~reg->emu_mask & valid_mask; - - if (*val & PCI_COMMAND_INTX_DISABLE) { - throughable_mask |= PCI_COMMAND_INTX_DISABLE; -@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade - .size = 2, - .init_val = 0x0000, - .ro_mask = 0xF880, -- .emu_mask = 
0x0740, -+ .emu_mask = 0x0743, - .init = xen_pt_common_reg_init, -- .u.w.read = xen_pt_cmd_reg_read, -+ .u.w.read = xen_pt_word_reg_read, - .u.w.write = xen_pt_cmd_reg_write, - }, - /* Capabilities Pointer reg */ diff --git a/main/xen/xsa127-4.x.patch b/main/xen/xsa127-4.x.patch deleted file mode 100644 index 463b1ddf77..0000000000 --- a/main/xen/xsa127-4.x.patch +++ /dev/null @@ -1,50 +0,0 @@ -domctl: don't allow a toolstack domain to call domain_pause() on itself - -These DOMCTL subops were accidentally declared safe for disaggregation -in the wake of XSA-77. - -This is XSA-127. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/arch/x86/domctl.c -+++ b/xen/arch/x86/domctl.c -@@ -888,6 +888,10 @@ long arch_do_domctl( - { - xen_guest_tsc_info_t info; - -+ ret = -EINVAL; -+ if ( d == current->domain ) /* no domain_pause() */ -+ break; -+ - domain_pause(d); - tsc_get_info(d, &info.tsc_mode, - &info.elapsed_nsec, -@@ -903,6 +907,10 @@ long arch_do_domctl( - - case XEN_DOMCTL_settscinfo: - { -+ ret = -EINVAL; -+ if ( d == current->domain ) /* no domain_pause() */ -+ break; -+ - domain_pause(d); - tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode, - domctl->u.tsc_info.info.elapsed_nsec, ---- a/xen/common/domctl.c -+++ b/xen/common/domctl.c -@@ -522,8 +522,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe - - case XEN_DOMCTL_resumedomain: - { -- domain_resume(d); -- ret = 0; -+ if ( d == current->domain ) /* no domain_pause() */ -+ ret = -EINVAL; -+ else -+ domain_resume(d); - } - break; - diff --git a/main/xen/xsa132.patch b/main/xen/xsa132.patch deleted file mode 100644 index 321c87bf62..0000000000 --- a/main/xen/xsa132.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -domctl/sysctl: don't leak hypervisor stack to toolstacks - -This is XSA-132. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> - ---- a/xen/arch/x86/domctl.c -+++ b/xen/arch/x86/domctl.c -@@ -884,7 +884,7 @@ long arch_do_domctl( - - case XEN_DOMCTL_gettscinfo: - { -- xen_guest_tsc_info_t info; -+ xen_guest_tsc_info_t info = { 0 }; - - ret = -EINVAL; - if ( d == current->domain ) /* no domain_pause() */ ---- a/xen/common/sysctl.c -+++ b/xen/common/sysctl.c -@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe - case XEN_SYSCTL_getdomaininfolist: - { - struct domain *d; -- struct xen_domctl_getdomaininfo info; -+ struct xen_domctl_getdomaininfo info = { 0 }; - u32 num_domains = 0; - - rcu_read_lock(&domlist_read_lock); diff --git a/main/xen/xsa133-qemut.patch b/main/xen/xsa133-qemut.patch deleted file mode 100644 index fa8a2073ab..0000000000 --- a/main/xen/xsa133-qemut.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reviewed-by: John Snow <jsnow@redhat.com> ---- - hw/fdc.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/fdc.c b/hw/fdc.c -index b00a4ec..aba02e4 100644 ---- a/tools/qemu-xen-traditional/hw/fdc.c -+++ b/tools/qemu-xen-traditional/hw/fdc.c -@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) - { - fdrive_t *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) - { - fdrive_t *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - 
fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) - { - fdrive_t *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command diff --git a/main/xen/xsa133-qemuu.patch b/main/xen/xsa133-qemuu.patch deleted file mode 100644 index 75611ada3c..0000000000 --- a/main/xen/xsa133-qemuu.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reviewed-by: John Snow <jsnow@redhat.com> ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index f72a392..d8a8edd 100644 ---- a/tools/qemu-xen/hw/block/fdc.c -+++ b/tools/qemu-xen/hw/block/fdc.c -@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - 
fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command --- -2.1.0 - - diff --git a/main/xen/xsa134.patch b/main/xen/xsa134.patch deleted file mode 100644 index 16b93ac59f..0000000000 --- a/main/xen/xsa134.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling - -... avoiding NULL derefs when the version to use wasn't set yet (via -GNTTABOP_setup_table or GNTTABOP_set_version). - -This is XSA-134. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/common/grant_table.c -+++ b/xen/common/grant_table.c -@@ -2592,6 +2592,9 @@ __gnttab_swap_grant_ref(grant_ref_t ref_ - - spin_lock(>->lock); - -+ if ( gt->gt_version == 0 ) -+ PIN_FAIL(out, GNTST_general_error, "grant table not yet set up\n"); -+ - /* Bounds check on the grant refs */ - if ( unlikely(ref_a >= nr_grant_entries(d->grant_table))) - PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a); diff --git a/main/xen/xsa135-qemut-1.patch b/main/xen/xsa135-qemut-1.patch deleted file mode 100644 index 54ac78d29f..0000000000 --- a/main/xen/xsa135-qemut-1.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -pcnet: fix Negative array index read - -From: Gonglei <arei.gonglei@huawei.com> - -s->xmit_pos maybe assigned to a negative value (-1), -but in this branch variable s->xmit_pos as an index to -array s->buffer. Let's add a check for s->xmit_pos. - -upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b - -Signed-off-by: Gonglei <arei.gonglei@huawei.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Reviewed-by: Jason Wang <jasowang@redhat.com> -Reviewed-by: Jason Wang <jasowang@redhat.com> -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> - -diff --git a/hw/pcnet.c b/hw/pcnet.c -index 7cc0637..9f3e1cc 100644 ---- a/tools/qemu-xen-traditional/hw/pcnet.c -+++ b/tools/qemu-xen-traditional/hw/pcnet.c -@@ -1250,7 +1250,7 @@ static void pcnet_transmit(PCNetState *s) - target_phys_addr_t xmit_cxda = 0; - int count = CSR_XMTRL(s)-1; - int add_crc = 0; -- -+ int bcnt; - s->xmit_pos = -1; - - if (!CSR_TXON(s)) { -@@ -1276,34 +1276,39 @@ static void pcnet_transmit(PCNetState *s) - if (BCR_SWSTYLE(s) != 1) - add_crc = GET_FIELD(tmd.status, TMDS, ADDFCS); - } -+ -+ if (s->xmit_pos < 0) { -+ goto txdone; -+ } -+ -+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -+ s->xmit_pos += bcnt; -+ - if (!GET_FIELD(tmd.status, TMDS, ENP)) { -- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -- s->xmit_pos += bcnt; -- } else if (s->xmit_pos >= 0) { -- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -- s->xmit_pos += bcnt; -+ goto txdone; -+ } - #ifdef PCNET_DEBUG -- printf("pcnet_transmit size=%d\n", s->xmit_pos); -+ printf("pcnet_transmit size=%d\n", s->xmit_pos); - #endif -- if (CSR_LOOP(s)) { -- if (BCR_SWSTYLE(s) == 1) -- 
add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); -- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -- pcnet_receive(s, s->buffer, s->xmit_pos); -- s->looptest = 0; -- } else -- if (s->vc) -- qemu_send_packet(s->vc, s->buffer, s->xmit_pos); -- -- s->csr[0] &= ~0x0008; /* clear TDMD */ -- s->csr[4] |= 0x0004; /* set TXSTRT */ -- s->xmit_pos = -1; -+ if (CSR_LOOP(s)) { -+ if (BCR_SWSTYLE(s) == 1) -+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); -+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -+ pcnet_receive(s, s->buffer, s->xmit_pos); -+ s->looptest = 0; -+ } else { -+ if (s->vc) { -+ qemu_send_packet(s->vc, s->buffer, s->xmit_pos); -+ } - } - -+ s->csr[0] &= ~0x0008; /* clear TDMD */ -+ s->csr[4] |= 0x0004; /* set TXSTRT */ -+ s->xmit_pos = -1; -+ -+ txdone: - SET_FIELD(&tmd.status, TMDS, OWN, 0); - TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s))); - if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT))) - diff --git a/main/xen/xsa135-qemut-2.patch b/main/xen/xsa135-qemut-2.patch deleted file mode 100644 index 2b0631af7c..0000000000 --- a/main/xen/xsa135-qemut-2.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Sun, 24 May 2015 10:53:44 +0200 -Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx - -4096 is the maximum length per TMD and it is also currently the size of -the relay buffer pcnet driver uses for sending the packet data to QEMU -for further processing. With packet spanning multiple TMDs it can -happen that the overall packet size will be bigger than sizeof(buffer), -which results in memory corruption. - -Fix this by only allowing to queue maximum sizeof(buffer) bytes. - -This is CVE-2015-3209. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reported-by: Matt Tait <matttait@google.com> -Reviewed-by: Peter Maydell <peter.maydell@linaro.org> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/pcnet.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/pcnet.c b/hw/pcnet.c -index bdfd38f..6d32e4c 100644 ---- a/tools/qemu-xen-traditional/hw/pcnet.c -+++ b/tools/qemu-xen-traditional/hw/pcnet.c -@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) - } - - bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ -+ /* if multi-tmd packet outsizes s->buffer then skip it silently. -+ Note: this is not what real hw does */ -+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { -+ s->xmit_pos = -1; -+ goto txdone; -+ } -+ - s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), - s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); - s->xmit_pos += bcnt; --- -2.1.0 - - diff --git a/main/xen/xsa135-qemuu-4.5-1.patch b/main/xen/xsa135-qemuu-4.5-1.patch deleted file mode 100644 index bce9ca209f..0000000000 --- a/main/xen/xsa135-qemuu-4.5-1.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -pcnet: fix Negative array index read - -From: Gonglei <arei.gonglei@huawei.com> - -s->xmit_pos maybe assigned to a negative value (-1), -but in this branch variable s->xmit_pos as an index to -array s->buffer. Let's add a check for s->xmit_pos. - -upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b - -Signed-off-by: Gonglei <arei.gonglei@huawei.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Reviewed-by: Jason Wang <jasowang@redhat.com> -Reviewed-by: Jason Wang <jasowang@redhat.com> -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index d344c15..f409b92 100644 ---- a/tools/qemu-xen/hw/net/pcnet.c -+++ b/tools/qemu-xen/hw/net/pcnet.c -@@ -1212,7 +1212,7 @@ static void pcnet_transmit(PCNetState *s) - hwaddr xmit_cxda = 0; - int count = CSR_XMTRL(s)-1; - int add_crc = 0; -- -+ int bcnt; - s->xmit_pos = -1; - - if (!CSR_TXON(s)) { -@@ -1247,35 +1247,40 @@ static void pcnet_transmit(PCNetState *s) - s->xmit_pos = -1; - goto txdone; - } -+ -+ if (s->xmit_pos < 0) { -+ goto txdone; -+ } -+ -+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -+ s->xmit_pos += bcnt; -+ - if (!GET_FIELD(tmd.status, TMDS, ENP)) { -- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -- s->xmit_pos += bcnt; -- } else if (s->xmit_pos >= 0) { -- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -- s->xmit_pos += bcnt; -+ goto txdone; -+ } -+ - #ifdef PCNET_DEBUG -- printf("pcnet_transmit size=%d\n", s->xmit_pos); -+ printf("pcnet_transmit size=%d\n", s->xmit_pos); - #endif -- if (CSR_LOOP(s)) { -- if (BCR_SWSTYLE(s) == 1) -- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); -- s->looptest 
= add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); -- s->looptest = 0; -- } else -- if (s->nic) -- qemu_send_packet(qemu_get_queue(s->nic), s->buffer, -- s->xmit_pos); -- -- s->csr[0] &= ~0x0008; /* clear TDMD */ -- s->csr[4] |= 0x0004; /* set TXSTRT */ -- s->xmit_pos = -1; -+ if (CSR_LOOP(s)) { -+ if (BCR_SWSTYLE(s) == 1) -+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); -+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -+ pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); -+ s->looptest = 0; -+ } else { -+ if (s->nic) { -+ qemu_send_packet(qemu_get_queue(s->nic), s->buffer, -+ s->xmit_pos); -+ } - } - -+ s->csr[0] &= ~0x0008; /* clear TDMD */ -+ s->csr[4] |= 0x0004; /* set TXSTRT */ -+ s->xmit_pos = -1; -+ - txdone: - SET_FIELD(&tmd.status, TMDS, OWN, 0); - TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s))); diff --git a/main/xen/xsa135-qemuu-4.5-2.patch b/main/xen/xsa135-qemuu-4.5-2.patch deleted file mode 100644 index 37aa1b91ac..0000000000 --- a/main/xen/xsa135-qemuu-4.5-2.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Sun, 24 May 2015 10:53:44 +0200 -Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx - -4096 is the maximum length per TMD and it is also currently the size of -the relay buffer pcnet driver uses for sending the packet data to QEMU -for further processing. With packet spanning multiple TMDs it can -happen that the overall packet size will be bigger than sizeof(buffer), -which results in memory corruption. - -Fix this by only allowing to queue maximum sizeof(buffer) bytes. - -This is CVE-2015-3209. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reported-by: Matt Tait <matttait@google.com> -Reviewed-by: Peter Maydell <peter.maydell@linaro.org> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/pcnet.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index bdfd38f..6d32e4c 100644 ---- a/tools/qemu-xen/hw/net/pcnet.c -+++ b/tools/qemu-xen/hw/net/pcnet.c -@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) - } - - bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ -+ /* if multi-tmd packet outsizes s->buffer then skip it silently. -+ Note: this is not what real hw does */ -+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { -+ s->xmit_pos = -1; -+ goto txdone; -+ } -+ - s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), - s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); - s->xmit_pos += bcnt; --- -2.1.0 - diff --git a/main/xen/xsa136.patch b/main/xen/xsa136.patch deleted file mode 100644 index fda3fa2389..0000000000 --- a/main/xen/xsa136.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: x86/traps: loop in the correct direction in compat_iret() - -This is XSA-136. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> - ---- a/xen/arch/x86/x86_64/compat/traps.c -+++ b/xen/arch/x86/x86_64/compat/traps.c -@@ -119,7 +119,7 @@ unsigned int compat_iret(void) - } - else if ( ksp > regs->_esp ) - { -- for (i = 9; i > 0; ++i) -+ for ( i = 9; i > 0; --i ) - { - rc |= __get_user(x, (u32 *)regs->rsp + i); - rc |= __put_user(x, (u32 *)(unsigned long)ksp + i); diff --git a/main/xen/xsa154-4.4.patch b/main/xen/xsa154-4.4.patch deleted file mode 100644 index c7733cf026..0000000000 --- a/main/xen/xsa154-4.4.patch +++ /dev/null 
@@ -1,328 +0,0 @@ -x86: enforce consistent cachability of MMIO mappings - -We've been told by Intel that inconsistent cachability between -multiple mappings of the same page can affect system stability only -when the affected page is an MMIO one. Since the stale data issue is -of no relevance to the hypervisor (since all guest memory accesses go -through proper accessors and validation), handling of RAM pages -remains unchanged here. Any MMIO mapped by domains however needs to be -done consistently (all cachable mappings or all uncachable ones), in -order to avoid Machine Check exceptions. Since converting existing -cachable mappings to uncachable (at the time an uncachable mapping -gets established) would in the PV case require tracking all mappings, -allow MMIO to only get mapped uncachable (UC, UC-, or WC). - -This also implies that in the PV case we mustn't use the L1 PTE update -fast path when cachability flags get altered. - -Since in the HVM case at least for now we want to continue honoring -pinned cachability attributes for pages not mapped by the hypervisor, -special case handling of r/o MMIO pages (forcing UC) gets added there. -Arguably the counterpart change to p2m-pt.c may not be necessary, since -UC- (which already gets enforced there) is probably strict enough. - -Note that the shadow code changes include fixing the write protection -of r/o MMIO ranges: shadow_l1e_remove_flags() and its siblings, other -than l1e_remove_flags() and alike, return the new PTE (and hence -ignoring their return values makes them no-ops). - -This is CVE-2016-2270 / XSA-154. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/docs/misc/xen-command-line.markdown -+++ b/docs/misc/xen-command-line.markdown -@@ -697,6 +697,15 @@ limit is ignored by Xen. - - Specify if the MMConfig space should be enabled. 
- -+### mmio-relax -+> `= <boolean> | all` -+ -+> Default: `false` -+ -+By default, domains may not create cached mappings to MMIO regions. -+This option relaxes the check for Domain 0 (or when using `all`, all PV -+domains), to permit the use of cacheable MMIO mappings. -+ - ### msi - > `= <boolean>` - ---- a/xen/arch/x86/hvm/mtrr.c -+++ b/xen/arch/x86/hvm/mtrr.c -@@ -693,8 +693,12 @@ uint8_t epte_get_entry_emt(struct domain - if ( v->domain != d ) - v = d->vcpu ? d->vcpu[0] : NULL; - -- if ( !mfn_valid(mfn_x(mfn)) ) -+ if ( !mfn_valid(mfn_x(mfn)) || -+ rangeset_contains_singleton(mmio_ro_ranges, mfn_x(mfn)) ) -+ { -+ *ipat = 1; - return MTRR_TYPE_UNCACHABLE; -+ } - - if ( hvm_get_mem_pinned_cacheattr(d, gfn, &type) ) - return type; ---- a/xen/arch/x86/mm/p2m-pt.c -+++ b/xen/arch/x86/mm/p2m-pt.c -@@ -93,6 +93,8 @@ static unsigned long p2m_type_to_flags(p - case p2m_mmio_direct: - if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn_x(mfn)) ) - flags |= _PAGE_RW; -+ else -+ flags |= _PAGE_PWT; - return flags | P2M_BASE_FLAGS | _PAGE_PCD; - } - } ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c -@@ -521,6 +521,7 @@ _sh_propagate(struct vcpu *v, - gfn_t target_gfn = guest_l1e_get_gfn(guest_entry); - u32 pass_thru_flags; - u32 gflags, sflags; -+ bool_t mmio_mfn; - - /* We don't shadow PAE l3s */ - ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3); -@@ -561,7 +562,10 @@ _sh_propagate(struct vcpu *v, - // mfn means that we can not usefully shadow anything, and so we - // return early. 
- // -- if ( !mfn_valid(target_mfn) -+ mmio_mfn = !mfn_valid(target_mfn) -+ || (level == 1 -+ && page_get_owner(mfn_to_page(target_mfn)) == dom_io); -+ if ( mmio_mfn - && !(level == 1 && (!shadow_mode_refcounts(d) - || p2mt == p2m_mmio_direct)) ) - { -@@ -579,7 +583,7 @@ _sh_propagate(struct vcpu *v, - _PAGE_RW | _PAGE_PRESENT); - if ( guest_supports_nx(v) ) - pass_thru_flags |= _PAGE_NX_BIT; -- if ( !shadow_mode_refcounts(d) && !mfn_valid(target_mfn) ) -+ if ( level == 1 && !shadow_mode_refcounts(d) && mmio_mfn ) - pass_thru_flags |= _PAGE_PAT | _PAGE_PCD | _PAGE_PWT; - sflags = gflags & pass_thru_flags; - -@@ -676,10 +680,14 @@ _sh_propagate(struct vcpu *v, - } - - /* Read-only memory */ -- if ( p2m_is_readonly(p2mt) || -- (p2mt == p2m_mmio_direct && -- rangeset_contains_singleton(mmio_ro_ranges, mfn_x(target_mfn))) ) -+ if ( p2m_is_readonly(p2mt) ) - sflags &= ~_PAGE_RW; -+ else if ( p2mt == p2m_mmio_direct && -+ rangeset_contains_singleton(mmio_ro_ranges, mfn_x(target_mfn)) ) -+ { -+ sflags &= ~(_PAGE_RW | _PAGE_PAT); -+ sflags |= _PAGE_PCD | _PAGE_PWT; -+ } - - // protect guest page tables - // -@@ -1201,22 +1209,28 @@ static int shadow_set_l1e(struct vcpu *v - && !sh_l1e_is_magic(new_sl1e) ) - { - /* About to install a new reference */ -- if ( shadow_mode_refcounts(d) ) { -+ if ( shadow_mode_refcounts(d) ) -+ { -+#define PAGE_FLIPPABLE (_PAGE_RW | _PAGE_PWT | _PAGE_PCD | _PAGE_PAT) -+ int rc; -+ - TRACE_SHADOW_PATH_FLAG(TRCE_SFLAG_SHADOW_L1_GET_REF); -- switch ( shadow_get_page_from_l1e(new_sl1e, d, new_type) ) -+ switch ( rc = shadow_get_page_from_l1e(new_sl1e, d, new_type) ) - { - default: - /* Doesn't look like a pagetable. */ - flags |= SHADOW_SET_ERROR; - new_sl1e = shadow_l1e_empty(); - break; -- case 1: -- shadow_l1e_remove_flags(new_sl1e, _PAGE_RW); -+ case PAGE_FLIPPABLE & -PAGE_FLIPPABLE ... 
PAGE_FLIPPABLE: -+ ASSERT(!(rc & ~PAGE_FLIPPABLE)); -+ new_sl1e = shadow_l1e_flip_flags(new_sl1e, rc); - /* fall through */ - case 0: - shadow_vram_get_l1e(new_sl1e, sl1e, sl1mfn, d); - break; - } -+#undef PAGE_FLIPPABLE - } - } - ---- a/xen/arch/x86/mm/shadow/types.h -+++ b/xen/arch/x86/mm/shadow/types.h -@@ -100,6 +100,9 @@ static inline u32 shadow_l4e_get_flags(s - static inline shadow_l1e_t - shadow_l1e_remove_flags(shadow_l1e_t sl1e, u32 flags) - { l1e_remove_flags(sl1e, flags); return sl1e; } -+static inline shadow_l1e_t -+shadow_l1e_flip_flags(shadow_l1e_t sl1e, u32 flags) -+{ l1e_flip_flags(sl1e, flags); return sl1e; } - - static inline shadow_l1e_t shadow_l1e_empty(void) - { return l1e_empty(); } ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -188,6 +188,18 @@ static uint32_t base_disallow_mask; - is_pv_domain(d)) ? \ - L1_DISALLOW_MASK : (L1_DISALLOW_MASK & ~PAGE_CACHE_ATTRS)) - -+static s8 __read_mostly opt_mmio_relax; -+static void __init parse_mmio_relax(const char *s) -+{ -+ if ( !*s ) -+ opt_mmio_relax = 1; -+ else -+ opt_mmio_relax = parse_bool(s); -+ if ( opt_mmio_relax < 0 && strcmp(s, "all") ) -+ opt_mmio_relax = 0; -+} -+custom_param("mmio-relax", parse_mmio_relax); -+ - static void __init init_frametable_chunk(void *start, void *end) - { - unsigned long s = (unsigned long)start; -@@ -773,6 +785,8 @@ get_page_from_l1e( - if ( !mfn_valid(mfn) || - (real_pg_owner = page_get_owner_and_reference(page)) == dom_io ) - { -+ int flip = 0; -+ - /* Only needed the reference to confirm dom_io ownership. 
*/ - if ( mfn_valid(mfn) ) - put_page(page); -@@ -805,13 +819,41 @@ get_page_from_l1e( - return -EINVAL; - } - -- if ( !(l1f & _PAGE_RW) || -- !rangeset_contains_singleton(mmio_ro_ranges, mfn) ) -- return 0; -- dprintk(XENLOG_G_WARNING, -- "d%d: Forcing read-only access to MFN %lx\n", -- l1e_owner->domain_id, mfn); -- return 1; -+ if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn) ) -+ { -+ /* MMIO pages must not be mapped cachable unless requested so. */ -+ switch ( opt_mmio_relax ) -+ { -+ case 0: -+ break; -+ case 1: -+ if ( is_hardware_domain(l1e_owner) ) -+ case -1: -+ return 0; -+ default: -+ ASSERT_UNREACHABLE(); -+ } -+ } -+ else if ( l1f & _PAGE_RW ) -+ { -+ dprintk(XENLOG_G_WARNING, -+ "d%d: Forcing read-only access to MFN %lx\n", -+ l1e_owner->domain_id, mfn); -+ flip = _PAGE_RW; -+ } -+ -+ switch ( l1f & PAGE_CACHE_ATTRS ) -+ { -+ case 0: /* WB */ -+ flip |= _PAGE_PWT | _PAGE_PCD; -+ break; -+ case _PAGE_PWT: /* WT */ -+ case _PAGE_PWT | _PAGE_PAT: /* WP */ -+ flip |= _PAGE_PCD | (l1f & _PAGE_PAT); -+ break; -+ } -+ -+ return flip; - } - - if ( unlikely( (real_pg_owner != pg_owner) && -@@ -1210,8 +1252,9 @@ static int alloc_l1_table(struct page_in - goto fail; - case 0: - break; -- case 1: -- l1e_remove_flags(pl1e[i], _PAGE_RW); -+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS: -+ ASSERT(!(ret & ~(_PAGE_RW | PAGE_CACHE_ATTRS))); -+ l1e_flip_flags(pl1e[i], ret); - break; - } - -@@ -1706,8 +1749,9 @@ static int mod_l1_entry(l1_pgentry_t *pl - return -EINVAL; - } - -- /* Fast path for identical mapping, r/w and presence. */ -- if ( !l1e_has_changed(ol1e, nl1e, _PAGE_RW | _PAGE_PRESENT) ) -+ /* Fast path for identical mapping, r/w, presence, and cachability. 
*/ -+ if ( !l1e_has_changed(ol1e, nl1e, -+ PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) ) - { - adjust_guest_l1e(nl1e, pt_dom); - if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, -@@ -1730,8 +1774,9 @@ static int mod_l1_entry(l1_pgentry_t *pl - return rc; - case 0: - break; -- case 1: -- l1e_remove_flags(nl1e, _PAGE_RW); -+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS: -+ ASSERT(!(rc & ~(_PAGE_RW | PAGE_CACHE_ATTRS))); -+ l1e_flip_flags(nl1e, rc); - rc = 0; - break; - } -@@ -4919,6 +4964,7 @@ static int ptwr_emulated_update( - l1_pgentry_t pte, ol1e, nl1e, *pl1e; - struct vcpu *v = current; - struct domain *d = v->domain; -+ int ret; - - /* Only allow naturally-aligned stores within the original %cr2 page. */ - if ( unlikely(((addr^ptwr_ctxt->cr2) & PAGE_MASK) || (addr & (bytes-1))) ) -@@ -4966,7 +5012,7 @@ static int ptwr_emulated_update( - - /* Check the new PTE. */ - nl1e = l1e_from_intpte(val); -- switch ( get_page_from_l1e(nl1e, d, d) ) -+ switch ( ret = get_page_from_l1e(nl1e, d, d) ) - { - default: - if ( is_pv_32bit_domain(d) && (bytes == 4) && (unaligned_addr & 4) && -@@ -4990,8 +5036,9 @@ static int ptwr_emulated_update( - break; - case 0: - break; -- case 1: -- l1e_remove_flags(nl1e, _PAGE_RW); -+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS: -+ ASSERT(!(ret & ~(_PAGE_RW | PAGE_CACHE_ATTRS))); -+ l1e_flip_flags(nl1e, ret); - break; - } - ---- a/xen/include/asm-x86/page.h -+++ b/xen/include/asm-x86/page.h -@@ -157,6 +157,9 @@ static inline l4_pgentry_t l4e_from_padd - #define l3e_remove_flags(x, flags) ((x).l3 &= ~put_pte_flags(flags)) - #define l4e_remove_flags(x, flags) ((x).l4 &= ~put_pte_flags(flags)) - -+/* Flip flags in an existing L1 PTE. */ -+#define l1e_flip_flags(x, flags) ((x).l1 ^= put_pte_flags(flags)) -+ - /* Check if a pte's page mapping or significant access flags have changed. */ - #define l1e_has_changed(x,y,flags) \ - ( !!(((x).l1 ^ (y).l1) & ((PADDR_MASK&PAGE_MASK)|put_pte_flags(flags))) ) 
diff --git a/main/xen/xsa156-4.4.patch b/main/xen/xsa156-4.4.patch deleted file mode 100644 index 326989aad2..0000000000 --- a/main/xen/xsa156-4.4.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -x86/HVM: always intercept #AC and #DB - -Both being benign exceptions, and both being possible to get triggered -by exception delivery, this is required to prevent a guest from locking -up a CPU (resulting from no other VM exits occurring once getting into -such a loop). - -The specific scenarios: - -1) #AC may be raised during exception delivery if the handler is set to -be a ring-3 one by a 32-bit guest, and the stack is misaligned. - -2) #DB may be raised during exception delivery when a breakpoint got -placed on a data structure involved in delivering the exception. This -can result in an endless loop when a 64-bit guest uses a non-zero IST -for the vector 1 IDT entry, but even without use of IST the time it -takes until a contributory fault would get raised (results depending -on the handler) may be quite long. - -This is XSA-156. - -Reported-by: Benjamin Serebrin <serebrin@google.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> -Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/hvm/svm/svm.c -+++ b/xen/arch/x86/hvm/svm/svm.c -@@ -941,10 +941,11 @@ static void noreturn svm_do_resume(struc - unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) ) - { - uint32_t intercepts = vmcb_get_exception_intercepts(vmcb); -- uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3); -+ - v->arch.hvm_vcpu.debug_state_latch = debug_state; - vmcb_set_exception_intercepts( -- vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask)); -+ vmcb, debug_state ? 
(intercepts | (1U << TRAP_int3)) -+ : (intercepts & ~(1U << TRAP_int3))); - } - - if ( v->arch.hvm_svm.launch_core != smp_processor_id() ) -@@ -2225,8 +2226,9 @@ void svm_vmexit_handler(struct cpu_user_ - - case VMEXIT_EXCEPTION_DB: - if ( !v->domain->debugger_attached ) -- goto unexpected_exit_type; -- domain_pause_for_debugger(); -+ hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE); -+ else -+ domain_pause_for_debugger(); - break; - - case VMEXIT_EXCEPTION_BP: -@@ -2274,6 +2276,11 @@ void svm_vmexit_handler(struct cpu_user_ - break; - } - -+ case VMEXIT_EXCEPTION_AC: -+ HVMTRACE_1D(TRAP, TRAP_alignment_check); -+ hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1); -+ break; -+ - case VMEXIT_EXCEPTION_UD: - svm_vmexit_ud_intercept(regs); - break; ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -1132,16 +1132,10 @@ static void vmx_update_host_cr3(struct v - - void vmx_update_debug_state(struct vcpu *v) - { -- unsigned long mask; -- -- mask = 1u << TRAP_int3; -- if ( !cpu_has_monitor_trap_flag ) -- mask |= 1u << TRAP_debug; -- - if ( v->arch.hvm_vcpu.debug_state_latch ) -- v->arch.hvm_vmx.exception_bitmap |= mask; -+ v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3; - else -- v->arch.hvm_vmx.exception_bitmap &= ~mask; -+ v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3); - - vmx_vmcs_enter(v); - vmx_update_exception_bitmap(v); -@@ -2678,9 +2672,10 @@ void vmx_vmexit_handler(struct cpu_user_ - __vmread(EXIT_QUALIFICATION, &exit_qualification); - HVMTRACE_1D(TRAP_DEBUG, exit_qualification); - write_debugreg(6, exit_qualification | 0xffff0ff0); -- if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag ) -- goto exit_and_crash; -- domain_pause_for_debugger(); -+ if ( !v->domain->debugger_attached ) -+ hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE); -+ else -+ domain_pause_for_debugger(); - break; - case TRAP_int3: - { -@@ -2745,6 +2740,11 @@ void vmx_vmexit_handler(struct cpu_user_ - - 
hvm_inject_page_fault(regs->error_code, exit_qualification); - break; -+ case TRAP_alignment_check: -+ HVMTRACE_1D(TRAP, vector); -+ __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode); -+ hvm_inject_hw_exception(vector, ecode); -+ break; - case TRAP_nmi: - if ( (intr_info & INTR_INFO_INTR_TYPE_MASK) != - (X86_EVENTTYPE_NMI << 8) ) ---- a/xen/include/asm-x86/hvm/hvm.h -+++ b/xen/include/asm-x86/hvm/hvm.h -@@ -393,7 +393,10 @@ static inline int hvm_event_pending(stru - }) - - /* These exceptions must always be intercepted. */ --#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op)) -+#define HVM_TRAP_MASK ((1U << TRAP_debug) | \ -+ (1U << TRAP_invalid_op) | \ -+ (1U << TRAP_alignment_check) | \ -+ (1U << TRAP_machine_check)) - - /* - * x86 event types. This enumeration is valid for: diff --git a/main/xen/xsa159.patch b/main/xen/xsa159.patch deleted file mode 100644 index 5e4e20c43f..0000000000 --- a/main/xen/xsa159.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -memory: fix XENMEM_exchange error handling - -assign_pages() can fail due to the domain getting killed in parallel, -which should not result in a hypervisor crash. - -Also delete a redundant put_gfn() - all relevant paths leading to the -"fail" label already do this (and there are also paths where it was -plain wrong). All of the put_gfn()-s got introduced by 51032ca058 -("Modify naming of queries into the p2m"), including the otherwise -unneeded initializer for k (with even a kind of misleading comment - -the compiler warning could actually have served as a hint that the use -is wrong). - -This is XSA-159. - -Reported-by: Julien Grall <julien.grall@citrix.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/common/memory.c -+++ b/xen/common/memory.c -@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA - PAGE_LIST_HEAD(out_chunk_list); - unsigned long in_chunk_order, out_chunk_order; - xen_pfn_t gpfn, gmfn, mfn; -- unsigned long i, j, k = 0; /* gcc ... */ -+ unsigned long i, j, k; - unsigned int memflags = 0; - long rc = 0; - struct domain *d; -@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA - fail: - /* Reassign any input pages we managed to steal. */ - while ( (page = page_list_remove_head(&in_chunk_list)) ) -- { -- put_gfn(d, gmfn + k--); - if ( assign_pages(d, page, 0, MEMF_no_refcount) ) -- BUG(); -- } -+ { -+ BUG_ON(!d->is_dying); -+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) -+ put_page(page); -+ } - - dying: - rcu_unlock_domain(d); diff --git a/main/xen/xsa160-4.4.patch b/main/xen/xsa160-4.4.patch deleted file mode 100644 index 2ca540d391..0000000000 --- a/main/xen/xsa160-4.4.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 7f9fd14c80b71b4abbca36f2747d2e75dfebc289 Mon Sep 17 00:00:00 2001 -From: Ian Jackson <ian.jackson@eu.citrix.com> -Date: Wed, 18 Nov 2015 15:34:54 +0000 -Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv - build failure - -The bootloader may call libxl__file_reference_map(), which mmap's the -pv_kernel and pv_ramdisk into process memory. This was only unmapped, -however, on the success path of libxl__build_pv(). If there were a -failure anywhere between libxl_bootloader.c:parse_bootloader_result() -and the end of libxl__build_pv(), the calls to -libxl__file_reference_unmap() would be skipped, leaking the mapped -virtual memory. - -Ideally this would be fixed by adding the unmap calls to the -destruction path for libxl__domain_build_state. Unfortunately the -lifetime of the libxl__domain_build_state is opaque, and it doesn't -have a proper destruction path. But, the only thing in it that isn't -from the gc are these bootloader references, and they are only ever -set for one libxl__domain_build_state, the one which is -libxl__domain_create_state.build_state. - -So we can clean up in the exit path from libxl__domain_create_*, which -always comes through domcreate_complete. - -Remove the now-redundant unmaps in libxl__build_pv's success path. - -This is XSA-160. 
- -Signed-off-by: George Dunlap <george.dunlap@citrix.com> -Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> -Tested-by: George Dunlap <george.dunlap@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> ---- - tools/libxl/libxl_create.c | 3 +++ - tools/libxl/libxl_dom.c | 3 --- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c -index e3350d5..5292c15 100644 ---- a/tools/libxl/libxl_create.c -+++ b/tools/libxl/libxl_create.c -@@ -1295,6 +1295,9 @@ static void domcreate_complete(libxl__egc *egc, - STATE_AO_GC(dcs->ao); - libxl_domain_config *const d_config = dcs->guest_config; - -+ libxl__file_reference_unmap(&dcs->build_state.pv_kernel); -+ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk); -+ - if (!rc && d_config->b_info.exec_ssidref) - rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref); - -diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c -index 52bc01a..978a1eb 100644 ---- a/tools/libxl/libxl_dom.c -+++ b/tools/libxl/libxl_dom.c -@@ -451,9 +451,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid, - state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn); - } - -- libxl__file_reference_unmap(&state->pv_kernel); -- libxl__file_reference_unmap(&state->pv_ramdisk); -- - ret = 0; - out: - xc_dom_release(dom); --- -1.7.10.4 - diff --git a/main/xen/xsa165-4.5.patch b/main/xen/xsa165-4.5.patch deleted file mode 100644 index b0909e49b8..0000000000 --- a/main/xen/xsa165-4.5.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -x86: don't leak ST(n)/XMMn values to domains first using them - -FNINIT doesn't alter these registers, and hence using it is -insufficient to initialize a guest's initial state. - -This is XSA-165. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/domain.c -+++ b/xen/arch/x86/domain.c -@@ -798,6 +798,17 @@ int arch_set_info_guest( - if ( v->arch.xsave_area ) - v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE; - } -+ else if ( v->arch.xsave_area ) -+ memset(&v->arch.xsave_area->xsave_hdr, 0, -+ sizeof(v->arch.xsave_area->xsave_hdr)); -+ else -+ { -+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt; -+ -+ memset(fpu_sse, 0, sizeof(*fpu_sse)); -+ fpu_sse->fcw = FCW_DEFAULT; -+ fpu_sse->mxcsr = MXCSR_DEFAULT; -+ } - - if ( !compat ) - { ---- a/xen/arch/x86/i387.c -+++ b/xen/arch/x86/i387.c -@@ -17,19 +17,6 @@ - #include <asm/xstate.h> - #include <asm/asm_defns.h> - --static void fpu_init(void) --{ -- unsigned long val; -- -- asm volatile ( "fninit" ); -- if ( cpu_has_xmm ) -- { -- /* load default value into MXCSR control/status register */ -- val = MXCSR_DEFAULT; -- asm volatile ( "ldmxcsr %0" : : "m" (val) ); -- } --} -- - /*******************************/ - /* FPU Restore Functions */ - /*******************************/ -@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu * - - if ( cpu_has_xsave ) - fpu_xrstor(v, XSTATE_LAZY); -- else if ( v->fpu_initialised ) -- { -- if ( cpu_has_fxsr ) -- fpu_fxrstor(v); -- else -- fpu_frstor(v); -- } - else -- fpu_init(); -+ fpu_fxrstor(v); - - v->fpu_initialised = 1; - v->fpu_dirtied = 1; -@@ -317,7 +297,14 @@ int vcpu_init_fpu(struct vcpu *v) - else - { - v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16); -- if ( !v->arch.fpu_ctxt ) -+ if ( v->arch.fpu_ctxt ) -+ { -+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt; -+ -+ fpu_sse->fcw = FCW_DEFAULT; -+ fpu_sse->mxcsr = 
MXCSR_DEFAULT; -+ } -+ else - { - rc = -ENOMEM; - goto done; diff --git a/main/xen/xsa167-4.4.patch b/main/xen/xsa167-4.4.patch deleted file mode 100644 index d7d3677fe3..0000000000 --- a/main/xen/xsa167-4.4.patch +++ /dev/null @@ -1,78 +0,0 @@ -x86/mm: PV superpage handling lacks sanity checks - -MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before -dereferencing pointers into the superpage frame table. - -get_superpage() has a similar issue. - -This is XSA-167. - -Reported-by: Qinghao Tang <luodalongde@gmail.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -2566,6 +2566,9 @@ int get_superpage(unsigned long mfn, str - - ASSERT(opt_allow_superpage); - -+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) ) -+ return -EINVAL; -+ - spage = mfn_to_spage(mfn); - y = spage->type_info; - do { -@@ -3320,14 +3323,6 @@ long do_mmuext_op( - unsigned long mfn; - struct spage_info *spage; - -- mfn = op.arg1.mfn; -- if ( mfn & (L1_PAGETABLE_ENTRIES-1) ) -- { -- MEM_LOG("Unaligned superpage reference mfn %lx", mfn); -- okay = 0; -- break; -- } -- - if ( !opt_allow_superpage ) - { - MEM_LOG("Superpages disallowed"); -@@ -3336,16 +3331,6 @@ long do_mmuext_op( - break; - } - -- spage = mfn_to_spage(mfn); -- okay = (mark_superpage(spage, d) >= 0); -- break; -- } -- -- case MMUEXT_UNMARK_SUPER: -- { -- unsigned long mfn; -- struct spage_info *spage; -- - mfn = op.arg1.mfn; - if ( mfn & (L1_PAGETABLE_ENTRIES-1) ) - { -@@ -3354,16 +3339,16 @@ long do_mmuext_op( - break; - } - -- if ( !opt_allow_superpage ) -+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) ) - { -- MEM_LOG("Superpages disallowed"); - okay = 0; -- rc = -ENOSYS; - break; - } - - spage = mfn_to_spage(mfn); -- okay = (unmark_superpage(spage) >= 0); -+ okay = ((op.cmd == MMUEXT_MARK_SUPER -+ ? mark_superpage(spage, d) -+ : unmark_superpage(spage)) >= 0); - break; - } - 
diff --git a/main/xen/xsa168.patch b/main/xen/xsa168.patch deleted file mode 100644 index 856f02e6fc..0000000000 --- a/main/xen/xsa168.patch +++ /dev/null @@ -1,27 +0,0 @@ -x86/VMX: prevent INVVPID failure due to non-canonical guest address - -While INVLPG (and on SVM INVLPGA) don't fault on non-canonical -addresses, INVVPID fails (in the "individual address" case) when passed -such an address. - -Since such intercepted INVLPG are effectively no-ops anyway, don't fix -this in vmx_invlpg_intercept(), but instead have paging_invlpg() never -return true in such a case. - -This is XSA-168. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/include/asm-x86/paging.h -+++ b/xen/include/asm-x86/paging.h -@@ -245,7 +245,7 @@ paging_fault(unsigned long va, struct cp - * or 0 if it's safe not to do so. */ - static inline int paging_invlpg(struct vcpu *v, unsigned long va) - { -- return paging_get_hostmode(v)->invlpg(v, va); -+ return is_canonical_address(va) && paging_get_hostmode(v)->invlpg(v, va); - } - - /* Translate a guest virtual address to the frame number that the diff --git a/main/xen/xsa181-4.4.patch b/main/xen/xsa181-4.4.patch new file mode 100644 index 0000000000..a3ed2748e7 --- /dev/null +++ b/main/xen/xsa181-4.4.patch 
@@ -0,0 +1,38 @@
+From 605a2711c411247920116a5026e772815b1168cd Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 2 Jun 2016 14:19:00 +0100
+Subject: [PATCH] xen/arm: Don't free p2m->first_level in p2m_teardown() before
+ it has been allocated
+
+If p2m_init() didn't complete successfully, (e.g. due to VMID
+exhaustion), p2m_teardown() is called and unconditionally tries to free
+p2m->first_level before it has been allocated. free_domheap_pages() doesn't
+tolerate NULL pointers.
+
+This is XSA-181
+
+Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <julien.grall@arm.com>
+---
+ xen/arch/arm/p2m.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
+index aff7a2c..9cf6f91 100644
+--- a/xen/arch/arm/p2m.c
++++ b/xen/arch/arm/p2m.c
+@@ -615,7 +615,8 @@ void p2m_teardown(struct domain *d)
+ while ( (pg = page_list_remove_head(&p2m->pages)) )
+ free_domheap_page(pg);
+
+- free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
++ if ( p2m->first_level )
++ free_domheap_pages(p2m->first_level, P2M_FIRST_ORDER);
+
+ p2m->first_level = NULL;
+
+--
+2.1.4
+
diff --git a/main/xen/xsa184-qemut-master.patch b/main/xen/xsa184-qemut-master.patch
new file mode 100644
index 0000000000..b376f33a52
--- /dev/null
+++ b/main/xen/xsa184-qemut-master.patch
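Review bot: The added `if ( p2m->first_level )` guard is only sufficient if first_level is NULL, rather than merely uninitialised, on the p2m_init() failure paths the description names (e.g. VMID exhaustion); the hunk does not show where the p2m struct is zeroed, so that should be confirmed in the 4.4 arm tree this backport is applied to. The `p2m->first_level = NULL;` that follows keeps a repeated teardown safe, and a one-line comment above the guard such as `/* NULL when p2m_init() failed before allocating it. */` would record why the check is there. p2m_teardown() begins outside the hunk.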
@@ -0,0 +1,43 @@
+From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 26 Jul 2016 15:31:59 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible. Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio.c b/hw/virtio.c
+index c26feff..42897bf 100644
+--- a/tools/qemu-xen-traditional/hw/virtio.c
++++ b/tools/qemu-xen-traditional/hw/virtio.c
+@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
+ /* When we start there are none of either input nor output. */
+ elem->out_num = elem->in_num = 0;
+
++ if (vq->inuse >= vq->vring.num) {
++ fprintf(stderr, "Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ do {
+ struct iovec *sg;
+--
+2.1.4
+
diff --git a/main/xen/xsa184-qemuu-master.patch b/main/xen/xsa184-qemuu-master.patch
new file mode 100644
index 0000000000..bbe44e8fcb
--- /dev/null
+++ b/main/xen/xsa184-qemuu-master.patch
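Review bot: The diagnostic `fprintf(stderr, "Virtqueue size exceeded");` in the added block has no trailing newline, so it runs into whatever the device model prints next before `exit(1)`; `fprintf(stderr, "Virtqueue size exceeded\n");` keeps the log line intact (the qemuu variant uses error_report(), which already terminates the line). The `diff --git a/hw/virtio.c b/hw/virtio.c` and `index` lines were kept from upstream while the `---`/`+++` lines were rewritten to `tools/qemu-xen-traditional/hw/virtio.c`; GNU patch -p1 only reads the latter, but git apply checks them against the `diff --git` names and is likely to refuse the mismatch, so either drop those two header lines or rewrite them to match — the same applies to the hunk in xsa184-qemuu-master.patch. The new `vq->inuse >= vq->vring.num` check also presumes `vq->inuse` is decremented when elements are returned to the ring (virtqueue_fill()/virtqueue_push()), which is outside the hunk and worth confirming in the qemu-xen-traditional tree. virtqueue_pop() begins and ends outside the hunk.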
@@ -0,0 +1,43 @@
+From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Mon, 25 Jul 2016 17:37:18 +0530
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible. Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index d24f775..f8ac0fb 100644
+--- a/tools/qemu-xen/hw/virtio/virtio.c
++++ b/tools/qemu-xen/hw/virtio/virtio.c
+@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
+
+ max = vq->vring.num;
+
++ if (vq->inuse >= max) {
++ error_report("Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+ vring_set_avail_event(vq, vq->last_avail_idx);
+--
+2.1.4
+ |