author | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-06-15 13:28:21 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-06-15 13:28:21 +0000 |
commit | 379c5299d65499022d1f9338b6042ef5f6008b52 (patch) | |
tree | 62cbce1c92d64ecc30caa9851463ba31ecc4a2e0 | |
parent | 73c141f3470739c757e59dc00b5a6c58861f9365 (diff) | |
main/xen: security fixes #7292
-rw-r--r-- | main/xen/APKBUILD | 44 | ||||
-rw-r--r-- | main/xen/xsa213-4.5.patch | 173 | ||||
-rw-r--r-- | main/xen/xsa214.patch | 41 | ||||
-rw-r--r-- | main/xen/xsa215.patch | 37 |
4 files changed, 281 insertions, 14 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index c274db74cc..d263116b59 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.5.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -37,6 +37,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 xsa211-qemut-4.5.patch
 xsa211-qemuu-4.6.patch
 xsa212.patch
+ xsa213-4.5.patch
+ xsa214.patch
+ xsa215.patch
 qemu-coroutine-gthread.patch
 qemu-xen-musl-openpty.patch
@@ -70,22 +73,26 @@ _builddir="$srcdir"/$pkgname-$pkgver
 # security fixes:
 # 4.5.3-r0:
-# - CVE-2016-5242
-# - CVE-2016-6258
-# - CVE-2016-6259
-# - CVE-2016-5403
+# - CVE-2016-5242
+# - CVE-2016-6258
+# - CVE-2016-6259
+# - CVE-2016-5403
 # 4.5.3-r1:
-# - CVE-2016-7092
-# - CVE-2016-7093
-# - CVE-2016-7094
+# - CVE-2016-7092
+# - CVE-2016-7093
+# - CVE-2016-7094
 # 4.5.3-r3:
-# - CVE-2016-9932 XSA-200
-# - CVE-2016-9815 XSA-201
-# - CVE-2016-9816 XSA-201
-# - CVE-2016-9818 XSA-201
+# - CVE-2016-9932 XSA-200
+# - CVE-2016-9815 XSA-201
+# - CVE-2016-9816 XSA-201
+# - CVE-2016-9818 XSA-201
 # 4.5.5-r1:
-# - CVE-2016-9603
-# - CVE-2017-7228
+# - CVE-2016-9603
+# - CVE-2017-7228
+# 4.5.5-r2:
+# - CVE-2017-8903 XSA-213
+# - CVE-2017-8904 XSA-214
+# - CVE-2017-8905 XSA-215
 prepare() {
 local i
@@ -244,6 +251,9 @@ a5a39c6354c952095e1d78a582385933 xsa202-4.6.patch
 8a3dd57e9587f4696ef1719e442f7821 xsa211-qemut-4.5.patch
 a300eae67ae77cf4d2e0741dad01ee29 xsa211-qemuu-4.6.patch
 8d3c76a3954dfa359d2f9fe9b59c1828 xsa212.patch
+ba5255567a68de558bd4dbaf1d0942d4 xsa213-4.5.patch
+c4466088c7c521f6c84cdc63e8e91e60 xsa214.patch
+e5847b6c87c60de11ba7a128d7babe10 xsa215.patch
 de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
 dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch
 08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
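Review bot: The `@@ -70,22 +73,26 @@` hunk re-emits the entire "security fixes" comment block as removed/added pairs whose visible text is identical, so a whitespace-only reindent is mixed in with the one substantive addition of this hunk, the `# 4.5.5-r2:` heading and its three CVE/XSA lines. That makes it harder to audit which lines the release actually changed; a reindent is better kept as its own commit, leaving this one with just the four new comment lines. The remaining hunks are consistent with each other: the `pkgrel` bump, the three new `source=` entries, and an md5, sha256 and sha512 line for each of `xsa213-4.5.patch`, `xsa214.patch` and `xsa215.patch`.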
@@ -285,6 +295,9 @@ e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b xsa204-4.5.pat
 851b3bb0686b116d1462185a02c652de53cef7f5da2d6a6947c39885a74c79ff xsa211-qemut-4.5.patch
 be0049f39b306a3dfb703b73eb60ecf35b9cc7a3d4e9481fd8314fd7e3704573 xsa211-qemuu-4.6.patch
 be1255bcda06158cdb86eb5297e8a271e05318e88cd21035c58a67f9ada6ccba xsa212.patch
+fce9bbc9fc30769dfbab4d1830d87d220000b2742e5e70aac22f3e9d013b7614 xsa213-4.5.patch
+1c038c3927d08e6abdf3ce320bb8b0b68a106e6ac86b4e8194035dc5e4726d64 xsa214.patch
+5be4ff661dd22890b0120f86beee3ec809e2a29f833db8c48bd70ce98e9691ee xsa215.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
 fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
@@ -326,6 +339,9 @@ dee7a595324ea5de3754c9aad2422fc2021bcb53999e344dbe6e4edfd4772a5ed20e8ebfb40750b8
 d8a567dde6af0c49a939c89eaeb6127912168f180bbe32db0cf9a1af631370f0658c55129140431abb7c8c096a2784bfeb80849167c5672bdb7ed50fa7418568 xsa211-qemut-4.5.patch
 a21ae520900f31b77a50cb9956499d884d93802962e0f10503c61b8962ad76a38655a17bc9ef03057b5c23d4f4c5b6a951fd3ad6aa5bbd5ad7e939b29706b7c6 xsa211-qemuu-4.6.patch
 d012556c6b439629c5e4284a0de2f5ae70cda3db4f6f42373b8719509fec3bb0bb667a50484fd1e6c1129dcd2bff550a3eb9ead0f676fb626e6263ac98023e06 xsa212.patch
+dc1b27cf37b63755a1cf78c5f32cb7ffee91ab7001762018a7c38050520f90ab0dc7aa28c6f34c564e44ccb797c22b96e55a538480a2ed348ee33d7d6ed99e95 xsa213-4.5.patch
+ea12702e97b9417ea6c4120dbc7cf9c5e2b89f82b41cfd389069d3238891749474a5d3925d2dc571a7cc2aaf5e88af03ccc9af60046eaa39425b5af05f62fba0 xsa214.patch
+3e6a2589cc6ff4b8f15ae1aaac5d71b601bfb88e88bbc0b28047a3afd62a10a1bf5cd13bcb919fec687f155c4cd3fe50e50868601896fa34dde65e6d7a3b6e2b xsa215.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
 a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
diff --git a/main/xen/xsa213-4.5.patch b/main/xen/xsa213-4.5.patch
new file mode 100644
index 0000000000..85abe788f3
--- /dev/null
+++ b/main/xen/xsa213-4.5.patch
@@ -0,0 +1,173 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: multicall: deal with early exit conditions
+
+In particular changes to guest privilege level require the multicall
+sequence to be aborted, as hypercalls are permitted from kernel mode
+only. While likely not very useful in a multicall, also properly handle
+the return value in the HYPERVISOR_iret case (which should be the guest
+specified value).
+
+This is XSA-213.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Julien Grall <julien.grall@arm.com>
+
+--- a/xen/arch/arm/traps.c
++++ b/xen/arch/arm/traps.c
+@@ -1395,30 +1395,33 @@ static bool_t check_multicall_32bit_clea
+ return true;
+ }
+
+-void do_multicall_call(struct multicall_entry *multi)
++enum mc_disposition do_multicall_call(struct multicall_entry *multi)
+ {
+ arm_hypercall_fn_t call = NULL;
+
+ if ( multi->op >= ARRAY_SIZE(arm_hypercall_table) )
+ {
+ multi->result = -ENOSYS;
+- return;
++ return mc_continue;
+ }
+
+ call = arm_hypercall_table[multi->op].fn;
+ if ( call == NULL )
+ {
+ multi->result = -ENOSYS;
+- return;
++ return mc_continue;
+ }
+
+ if ( is_32bit_domain(current->domain) &&
+ !check_multicall_32bit_clean(multi) )
+- return;
++ return mc_continue;
+
+ multi->result = call(multi->args[0], multi->args[1],
+ multi->args[2], multi->args[3],
+ multi->args[4]);
++
++ return likely(!psr_mode_is_user(guest_cpu_user_regs()))
++ ?
mc_continue : mc_preempt;
+ }
+
+ /*
+--- a/xen/common/multicall.c
++++ b/xen/common/multicall.c
+@@ -40,6 +40,7 @@ do_multicall(
+ struct mc_state *mcs = ¤t->mc_state;
+ uint32_t i;
+ int rc = 0;
++ enum mc_disposition disp = mc_continue;
+
+ if ( unlikely(__test_and_set_bit(_MCSF_in_multicall, &mcs->flags)) )
+ {
+@@ -50,7 +51,7 @@ do_multicall(
+ if ( unlikely(!guest_handle_okay(call_list, nr_calls)) )
+ rc = -EFAULT;
+
+- for ( i = 0; !rc && i < nr_calls; i++ )
++ for ( i = 0; !rc && disp == mc_continue && i < nr_calls; i++ )
+ {
+ if ( i && hypercall_preempt_check() )
+ goto preempted;
+@@ -63,7 +64,7 @@ do_multicall(
+
+ trace_multicall_call(&mcs->call);
+
+- do_multicall_call(&mcs->call);
++ disp = do_multicall_call(&mcs->call);
+
+ #ifndef NDEBUG
+ {
+@@ -77,7 +78,14 @@ do_multicall(
+ }
+ #endif
+
+- if ( unlikely(__copy_field_to_guest(call_list, &mcs->call, result)) )
++ if ( unlikely(disp == mc_exit) )
++ {
++ if ( __copy_field_to_guest(call_list, &mcs->call, result) )
++ /* nothing, best effort only */;
++ rc = mcs->call.result;
++ }
++ else if ( unlikely(__copy_field_to_guest(call_list, &mcs->call,
++ result)) )
+ rc = -EFAULT;
+ else if ( test_bit(_MCSF_call_preempted, &mcs->flags) )
+ {
+@@ -93,6 +101,9 @@ do_multicall(
+ guest_handle_add_offset(call_list, 1);
+ }
+
++ if ( unlikely(disp == mc_preempt) && i < nr_calls )
++ goto preempted;
++
+ perfc_incr(calls_to_multicall);
+ perfc_add(calls_from_multicall, i);
+ mcs->flags = 0;
+--- a/xen/include/asm-arm/multicall.h
++++ b/xen/include/asm-arm/multicall.h
+@@ -1,7 +1,11 @@
+ #ifndef __ASM_ARM_MULTICALL_H__
+ #define __ASM_ARM_MULTICALL_H__
+
+-extern void do_multicall_call(struct multicall_entry *call);
++extern enum mc_disposition {
++ mc_continue,
++ mc_exit,
++ mc_preempt,
++} do_multicall_call(struct multicall_entry *call);
+
+ #endif /* __ASM_ARM_MULTICALL_H__ */
+ /*
+--- a/xen/include/asm-x86/multicall.h
++++ b/xen/include/asm-x86/multicall.h
+@@ -7,8 +7,21 @@
+
+ #include <xen/errno.h>
+
++enum mc_disposition {
++ mc_continue,
++ mc_exit,
++ mc_preempt,
++};
++
++#define multicall_ret(call) \
++ (unlikely((call)->op == __HYPERVISOR_iret) \
++ ? mc_exit \
++ : likely(guest_kernel_mode(current, \
++ guest_cpu_user_regs())) \
++ ? mc_continue : mc_preempt)
++
+ #define do_multicall_call(_call) \
+- do { \
++ ({ \
+ __asm__ __volatile__ ( \
+ " movq %c1(%0),%%rax; " \
+ " leaq hypercall_table(%%rip),%%rdi; " \
+@@ -36,9 +49,11 @@
+ /* all the caller-saves registers */ \
+ : "rax", "rcx", "rdx", "rsi", "rdi", \
+ "r8", "r9", "r10", "r11" ); \
+- } while ( 0 )
++ multicall_ret(_call); \
++ })
+
+ #define compat_multicall_call(_call) \
++ ({ \
+ __asm__ __volatile__ ( \
+ " movl %c1(%0),%%eax; " \
+ " leaq compat_hypercall_table(%%rip),%%rdi; "\
+@@ -65,6 +80,8 @@
+ "i" (offsetof(__typeof__(*_call), result)) \
+ /* all the caller-saves registers */ \
+ : "rax", "rcx", "rdx", "rsi", "rdi", \
+- "r8", "r9", "r10", "r11" ) \
++ "r8", "r9", "r10", "r11" ); \
++ multicall_ret(_call); \
++ })
+
+ #endif /* __ASM_X86_MULTICALL_H__ */
diff --git a/main/xen/xsa214.patch b/main/xen/xsa214.patch
new file mode 100644
index 0000000000..46a3d3a4c6
--- /dev/null
+++ b/main/xen/xsa214.patch
@@ -0,0 +1,41 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86: discard type information when stealing pages
+
+While a page having just a single general reference left necessarily
+has a zero type reference count too, its type may still be valid (and
+in validated state; at present this is only possible and relevant for
+PGT_seg_desc_page, as page tables have their type forcibly zapped when
+their type reference count drops to zero, and
+PGT_{writable,shared}_page pages don't require any validation). In
+such a case when the page is being re-used with the same type again,
+validation is being skipped. As validation criteria differ between
+32- and 64-bit guests, pages to be transferred between guests need to
+have their validation indicator zapped (and with it we zap all other
+type information at once).
+
+This is XSA-214.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -4466,6 +4466,17 @@ int steal_page(
+ y = cmpxchg(&page->count_info, x, x & ~PGC_count_mask);
+ } while ( y != x );
+
++ /*
++ * With the sole reference dropped temporarily, no-one can update type
++ * information. Type count also needs to be zero in this case, but e.g.
++ * PGT_seg_desc_page may still have PGT_validated set, which we need to
++ * clear before transferring ownership (as validation criteria vary
++ * depending on domain type).
++ */
++ BUG_ON(page->u.inuse.type_info & (PGT_count_mask | PGT_locked |
++ PGT_pinned));
++ page->u.inuse.type_info = 0;
++
+ /* Swizzle the owner then reinstate the PGC_allocated reference. */
+ page_set_owner(page, NULL);
+ y = page->count_info;
diff --git a/main/xen/xsa215.patch b/main/xen/xsa215.patch
new file mode 100644
index 0000000000..f18a1cd01f
--- /dev/null
+++ b/main/xen/xsa215.patch
@@ -0,0 +1,37 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86: correct create_bounce_frame
+
+We may push up to 96 bytes on the guest (kernel) stack, so we should
+also cover as much in the early range check. Note that this is the
+simplest possible patch, which has the theoretical potential of
+breaking a guest: We only really push 96 bytes when invoking the
+failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed
+(without / with error code respectively). There is, however, no PV OS
+known to place a kernel stack there.
+
+This is XSA-215.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -347,7 +347,7 @@ int80_slow_path:
+ jmp handle_exception_saved
+
+ /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */
+-/* { RCX, R11, [DS-GS,] [CR2,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */
++/* { RCX, R11, [DS-GS,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */
+ /* %rdx: trap_bounce, %rbx: struct vcpu */
+ /* On return only %rbx and %rdx are guaranteed non-clobbered. */
+ create_bounce_frame:
+@@ -367,7 +367,7 @@ create_bounce_frame:
+ 2: andq $~0xf,%rsi # Stack frames are 16-byte aligned.
+ movq $HYPERVISOR_VIRT_START,%rax
+ cmpq %rax,%rsi
+- movq $HYPERVISOR_VIRT_END+60,%rax
++ movq $HYPERVISOR_VIRT_END+12*8,%rax
+ sbb %ecx,%ecx # In +ve address space? Then okay.
+ cmpq %rax,%rsi
+ adc %ecx,%ecx # Above Xen private area? Then okay.
|