authorLeonardo Arena <rnalrd@alpinelinux.org>2016-10-14 12:55:11 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-10-14 13:45:55 +0000
commit716fb7870a1867cea94cca60f29602002a6f6f21 (patch)
treed382c26bc9860918eea5566ffb83abcc7133396a
parentf63b96be2fe0f6fc14f13f208218a2b78c7d91ff (diff)
main/xen: security fixes. Fixes #6155
CVE-2016-7092, XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
CVE-2016-7094, XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
CVE-2016-7154, XSA-188: use after free in FIFO event channel code
-rw-r--r--main/xen/APKBUILD30
-rw-r--r--main/xen/xsa185.patch38
-rw-r--r--main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch142
-rw-r--r--main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch42
-rw-r--r--main/xen/xsa188.patch23
5 files changed, 270 insertions, 5 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index f1a6612b0c..b0707d711c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.4.4
-pkgrel=0
+pkgrel=1
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -21,9 +21,14 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa170-4.5.patch
xsa172.patch
xsa173-4.4.patch
+ xsa176.patch
xsa181-4.4.patch
xsa184-qemut-master.patch
xsa184-qemuu-master.patch
+ xsa185.patch
+ xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+ xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+ xsa188.patch
0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
0002-libxl-Provide-libxl__backendpath_parse_domid.patch
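Review bot: The two XSA-187 patches added to the source list are order-dependent, and nothing in the list records that: xsa187-4.7-0001 inserts an `is_x86_user_segment()` guard into hvm_translate_linear_addr() that xsa187-4.4-0002 then removes again in favour of the ARRAY_SIZE bounds check in hvm_get_seg_reg(), so 0002 will stop applying if it is ever sorted ahead of 0001. Assuming prepare() applies patches in $source order (its body is outside this hunk), the listing is correct as written, but I would pin the constraint with a comment above the pair, e.g. `# xsa187: keep 0001 before 0002 (0002 removes the guard 0001 adds)`. The same commit also moves xsa176.patch from the libxl group up to the other XSA patches; if that new position matters for application order, a one-line comment would stop the next reorder from undoing it.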
@@ -36,7 +41,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
- xsa176.patch
0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
@@ -87,6 +91,10 @@ _builddir="$srcdir"/$pkgname-$pkgver
# 4.4.4-r0:
# - CVE-2016-5242
# - CVE-2016-5403
+# 4.4.4-r1:
+# - CVE-2016-7092
+# - CVE-2016-7094
+# - CVE-2016-7154
prepare() {
local i
@@ -255,9 +263,14 @@ md5sums="421ab1dc50357c916d7f3e1fbe7db074 xen-4.4.4.tar.gz
2c2adc771c0ac13671bdcdd314602fcd xsa170-4.5.patch
b14d9a4247ae654579cb757c9b0e949a xsa172.patch
6de4080f47887c2e28911d4dd2f05fee xsa173-4.4.patch
+f5a889df9c86a2cda28da20ec7cd7adc xsa176.patch
c7ee17c756c6801234f6095cfc056e0c xsa181-4.4.patch
95bc220677fc2bb9a3df4dc14a0b31f6 xsa184-qemut-master.patch
cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch
+8ae22c70681f3daf97ee7ef8ad947e76 xsa185.patch
+c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+a7545557908b8e2580af85b7ec680e43 xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+adc72106be77107b379a62aa61294519 xsa188.patch
d598b31823a2b4398fb2f9c39aec0cff 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
761926907618592763ba75fce4c02c57 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
b5e297a4a111f897b403d70c25158adb 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -268,7 +281,6 @@ bb3fe7f6fd1850082b4cda123eeb0ea5 0004-libxl-Do-not-trust-frontend-in-libxl__dev
0ee118dcd7bd840916a0399d200d494a 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
c7d84a8620cd25244c5a04f7e9a5f77c 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
7c09155ea89d59061d5d02ce68a01d7f 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-f5a889df9c86a2cda28da20ec7cd7adc xsa176.patch
37ccd7198ec535411082a5ecc15e57e0 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
332c4d1f44dad70d503129a4702644ce 0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
8f15863d4c985db7d52bf89a82fa23f5 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
@@ -308,9 +320,14 @@ sha256sums="86007e0f81c1c7d85009902e3ece0baf29b205ff4248b81709828c6fdc9ec253 xe
1df068fb439c7edc1e86dfa9ea3b9ae99b58cdc3ac874b96cdf63b26ef9a6b98 xsa170-4.5.patch
f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154 xsa172.patch
35e02b8d4c2841ad951dd967b4f11aa7911fe5d52be2cb605b174e8c2e9214ca xsa173-4.4.patch
+e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3 xsa176.patch
97a90c7cb42466647622cb2ed98de531b7ba2e174a1bc639a32a6f1b626d503f xsa181-4.4.patch
88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20 xsa184-qemut-master.patch
3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65 xsa184-qemuu-master.patch
+3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4 xsa185.patch
+be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+727b18ae83001f7ea04613aa7199ada3e6a84939aa44516f7c426e609d383b2a xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+9f374c2e1437ad71369f41275e7b333e7b7691a783ba693ee567c899bd78c722 xsa188.patch
cefe2c82a30227b6538c6924d7d939192be3c481e48ac94c82f4c51f60388570 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
f24b26891fac4e8bf8a0939a5b64fc7ad096ef699f1882aad6e96cf81b85fc3e 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
748ea9d369b1f8372d1a4c420e6a9d90f881b7142e7913ed5d72b99c07ac11a0 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -321,7 +338,6 @@ be5665c91b0dfd79c8c4bb35d5adfb719ab23a547479a14aacac9d5f46d77a0f 0006-libxl-Do-
b57f96af3c1cac5f56a684afe223b4a977c144daf8d5f2a1e184697cd29fdbe2 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
c8941fcf41edae75fa5a1b417d9b457fdd67a5531b6cf75dc16da9d63697c61f 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
0641b38b7718d5fa84a8ce12a2bf034273caeb1e372f48b73170b3fd085f169c 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3 xsa176.patch
5d8e426eb650b35702a63df9b729836c4c7a8bfd7888da600d41e09e5d547457 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
693fe1757711ecb2631e6b922ef4514c172813a99f92a08b1d31843829b85366 0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
4baa48fbd2a93fcfae70a1162c2ebbf14324783392a49e905ad0e0d1f1dbc5c8 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
@@ -361,9 +377,14 @@ sha512sums="dfb085f84ab6f160f73af9a0cccf85de597261313ca1a8139142ac1ded57e8c82c39
1b6f700bd9239ec7fad8e9c6d3f3c83b051dd5bc374c92d131211688985f8d8389bc2c24aa784fe1647524af4bdebd50943187218e7cf842154b16b8d4fcd9db xsa170-4.5.patch
8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc xsa172.patch
0f916156724995abe68bdd66a704c2e80d5b9c7883fd406cbd67e47e626e5c309418d4117588388bdd626b0876c0f7664733815c492c29e0c9d3a46460a01124 xsa173-4.4.patch
+0f86e4e4ee94c22166174d018954f60d9700ea4d880f4ca41b6ae1b242a4e1649da305851ef4d9b3aa91d512411a3a423f1aadceb20714d160d4d97d145dc312 xsa176.patch
c11965a710eb0ff7b3f7d4797882d6607e8091159b06267a190dc12e0292370a7682a8ec3b7036bb23b283bcacd8efb19d275efe441461fbf970b82989c8439a xsa181-4.4.patch
14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad xsa184-qemut-master.patch
862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6 xsa184-qemuu-master.patch
+6b774cfef049d457d89149a973b5a5af674b995726c88ce09278f4a64cb94f5b3c2c2380a6273475a13eb9cdd972f5429f393247ecca6463f6068d606ea74886 xsa185.patch
+d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+cb3bcaa104a1e1a45f1fcb90682c1496f008d603dc9ea63e9b815628f6d1b6d439d450f67d633db34a08368b9594fb5aca70aa6c77035b24ae8f09f69d2b56db xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+171182bf8fd2d546a58bdd695729b24b6e8d121d6236dfb4c50144ee7697ae43c2d30d01af0412a7a60caabd79126b8eb94029192b4619cfefeca883d73d7991 xsa188.patch
a78d27cbd0090521854a10d83180d58b4050c1ab8d8a7eef4639240ea24df5a03d8638795589479010a5de1a4df3ce64f705afc8971786ad981a87a545778014 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
c7142a142413542e291df407621c16b7d3c0a4b8cfb4c3287f2be012ea72485cb2b8d70cffc3cf4393f664f7154e9cbe4a436ead044ef820f7ab8eee7f445625 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
fd9d3d113ecb74f8589a792e5461e61d2664939e601744671a064194e2c603533e01b3abd8ae42ce203916f9055b5438d481dd47236b84b20d8129b4159ee4ae 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -374,7 +395,6 @@ c45c06a8ddcd180044ccd49cbd108da16181b5fe64400bdd62bd54c5533b2c0102be7f180ae9f0aa
12447525b319ae8912bbade257ab38730b70b43fa2c3056f567c9a9b5f95647c7d61eb43d82f2c526700224a080baae6f991bbc683d19fba416ffaa1c667a013 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
20212bf1b0912548dd35f38166550195fad0debe46ade82979c68e0da8f30eedb87ec90ab547c4eebbcc0c56675c27037c0716da9339180412fbe5012e76ceda 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
f88337c4c89d8bd8465fb227d944f1046e9ebb00739fe731004104d073ed0713e1dc42a6c21adf420f94a268515b8f3487bb22ac39fad02691b284eadcd2d7cb 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-0f86e4e4ee94c22166174d018954f60d9700ea4d880f4ca41b6ae1b242a4e1649da305851ef4d9b3aa91d512411a3a423f1aadceb20714d160d4d97d145dc312 xsa176.patch
25ad6f183890ea6a96b99d6bb6d1c70acf1f5eddba0acf2467c4a7bb349b6bb10dcf7c8b45d45867a1ec2ba96df3a1c614cfba4c6a246f7febce8f637a62d51e 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
3b503a4a58e52366c27c999f0476471ce56d12069c97c07209f99f72d894b35c7ee40692c8d4bad376d0d458c51745ee974a653da759fc676d0f70b815097cdc 0002-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
09220bd7d5283df84d6c7451aaddd568eecea6afeb58f76cb105140732ebc6a70696e5cbd6b68ad12aaa8dc28bcb264d5f20832df43f34f927cc8b2e7dbfc7ae 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
diff --git a/main/xen/xsa185.patch b/main/xen/xsa185.patch
new file mode 100644
index 0000000000..a4c133ee19
--- /dev/null
+++ b/main/xen/xsa185.patch
@@ -0,0 +1,38 @@
+From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Mon, 8 Aug 2016 10:58:12 +0100
+Subject: x86/32on64: don't allow recursive page tables from L3
+
+L3 entries are special in PAE mode, and hence can't reasonably be used
+for setting up recursive (and hence linear) page table mappings. Since
+abuse is possible when the guest in fact gets run on 4-level page
+tables, this needs to be excluded explicitly.
+
+This is XSA-185.
+
+Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
+Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+---
+ xen/arch/x86/mm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 109b8be..69b8b8d 100644
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -1122,7 +1122,9 @@ get_page_from_l3e(
+
+ rc = get_page_and_type_from_pagenr(
+ l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
+- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
++ if ( unlikely(rc == -EINVAL) &&
++ !is_pv_32bit_domain(d) &&
++ get_l3_linear_pagetable(l3e, pfn, d) )
+ rc = 0;
+
+ return rc;
+--
+2.1.4
+
diff --git a/main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b/main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
new file mode 100644
index 0000000000..ee891eac91
--- /dev/null
+++ b/main/xen/xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
@@ -0,0 +1,142 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
+
+HVM HAP codepaths have space for all segment registers in the seg_reg[]
+cache (with x86_seg_none still risking an array overrun), while the shadow
+codepaths only have space for the user segments.
+
+Range check the input segment of *_get_seg_reg() against the size of the array
+used to cache the results, to avoid overruns in the case that the callers
+don't filter their input suitably.
+
+Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
+an incomplete attempt at range checking, and are now superceeded. Make
+hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
+
+No functional change, but far easier to reason that no overflow is possible.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -436,6 +436,8 @@ static int hvmemul_virtual_to_linear(
+ *reps = min_t(unsigned long, *reps, 4096);
+
+ reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++ if ( IS_ERR(reg) )
++ return -PTR_ERR(reg);
+
+ if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
+ {
+@@ -926,6 +928,10 @@ static int hvmemul_read_segment(
+ struct hvm_emulate_ctxt *hvmemul_ctxt =
+ container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+ struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++
++ if ( IS_ERR(sreg) )
++ return -PTR_ERR(sreg);
++
+ memcpy(reg, sreg, sizeof(struct segment_register));
+ return X86EMUL_OKAY;
+ }
+@@ -939,6 +945,9 @@ static int hvmemul_write_segment(
+ container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+ struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
+
++ if ( IS_ERR(sreg) )
++ return -PTR_ERR(sreg);
++
+ memcpy(sreg, reg, sizeof(struct segment_register));
+ __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
+
+@@ -1302,10 +1311,17 @@ void hvm_emulate_writeback(
+ }
+ }
+
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid. Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvmemul_get_seg_reg(
+ enum x86_segment seg,
+ struct hvm_emulate_ctxt *hvmemul_ctxt)
+ {
++ if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
++ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
+ if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
+ hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
+ return &hvmemul_ctxt->seg_reg[seg];
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -120,10 +120,19 @@ __initcall(shadow_audit_key_init);
+ /* x86 emulator support for the shadow code
+ */
+
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid. Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvm_get_seg_reg(
+ enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
+ {
+- struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
++ struct segment_register *seg_reg;
++
++ if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
++ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
++ seg_reg = &sh_ctxt->seg_reg[seg];
+ if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
+ hvm_get_segment_register(current, seg, seg_reg);
+ return seg_reg;
+@@ -140,14 +149,9 @@ static int hvm_translate_linear_addr(
+ struct segment_register *reg;
+ int okay;
+
+- /*
+- * Can arrive here with non-user segments. However, no such cirucmstance
+- * is part of a legitimate pagetable update, so fail the emulation.
+- */
+- if ( !is_x86_user_segment(seg) )
+- return X86EMUL_UNHANDLEABLE;
+-
+ reg = hvm_get_seg_reg(seg, sh_ctxt);
++ if ( IS_ERR(reg) )
++ return -PTR_ERR(reg);
+
+ okay = hvm_virtual_to_linear_addr(
+ seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+@@ -249,9 +253,6 @@ hvm_emulate_write(enum x86_segment seg,
+ unsigned long addr;
+ int rc;
+
+- if ( !is_x86_user_segment(seg) )
+- return X86EMUL_UNHANDLEABLE;
+-
+ /* How many emulations could we save if we unshadowed on stack writes? */
+ if ( seg == x86_seg_ss )
+ perfc_incr(shadow_fault_emulate_stack);
+@@ -279,9 +280,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
+ unsigned long addr, old[2], new[2];
+ int rc;
+
+- if ( !is_x86_user_segment(seg) )
+- return X86EMUL_UNHANDLEABLE;
+-
+ rc = hvm_translate_linear_addr(
+ seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
+ if ( rc )
+--- a/xen/include/asm-x86/hvm/emulate.h
++++ b/xen/include/asm-x86/hvm/emulate.h
+@@ -13,6 +13,7 @@
+ #define __ASM_X86_HVM_EMULATE_H__
+
+ #include <xen/config.h>
++#include <xen/err.h>
+ #include <asm/x86_emulate.h>
+
+ struct hvm_emulate_ctxt {
diff --git a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
new file mode 100644
index 0000000000..bc99596083
--- /dev/null
+++ b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
@@ -0,0 +1,42 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
+
+hvm_get_seg_reg() does not perform a range check on its input segment, calls
+hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
+
+x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
+in {vmx,svm}_get_segment_register().
+
+HVM guests running with shadow paging can end up performing a virtual to
+linear translation with x86_seg_none. This is used for addresses which are
+already linear. However, none of this is a legitimate pagetable update, so
+fail the emulation in such a case.
+
+This is XSA-187
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
+ struct sh_emulate_ctxt *sh_ctxt,
+ unsigned long *paddr)
+ {
+- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
++ struct segment_register *reg;
+ int okay;
+
++ /*
++ * Can arrive here with non-user segments. However, no such cirucmstance
++ * is part of a legitimate pagetable update, so fail the emulation.
++ */
++ if ( !is_x86_user_segment(seg) )
++ return X86EMUL_UNHANDLEABLE;
++
++ reg = hvm_get_seg_reg(seg, sh_ctxt);
++
+ okay = hvm_virtual_to_linear_addr(
+ seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+
diff --git a/main/xen/xsa188.patch b/main/xen/xsa188.patch
new file mode 100644
index 0000000000..efa60a9d90
--- /dev/null
+++ b/main/xen/xsa188.patch
@@ -0,0 +1,23 @@
+evtchn-fifo: prevent use after free
+
+evtchn_fifo_init_control() calls evtchn_fifo_destroy() on an error
+path, leading to cleanup_event_array() which frees d->evtchn_fifo
+without also clearing the pointer. Otoh the bulk of
+evtchn_fifo_init_control() is dependent on d->evtchn_fifo being NULL.
+
+This is XSA-188.
+
+Reported-by: Mikhail V Gorobets <mikhail.v.gorobets@intel.com>
+Suggested-by: Mikhail V Gorobets <mikhail.v.gorobets@intel.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/common/event_fifo.c
++++ b/xen/common/event_fifo.c
+@@ -482,6 +482,7 @@ static void cleanup_event_array(struct d
+ for ( i = 0; i < EVTCHN_FIFO_MAX_EVENT_ARRAY_PAGES; i++ )
+ unmap_guest_page(d->evtchn_fifo->event_array[i]);
+ xfree(d->evtchn_fifo);
++ d->evtchn_fifo = NULL;
+ }
+
+ static void setup_ports(struct domain *d)