main/xen: security fix for xsa245

3 files changed, 128 insertions, 1 deletions

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 079b1f0891..ea326cdb03 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.9.0
-pkgrel=4
+pkgrel=5
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf aarch64"
@@ -85,6 +85,8 @@ options="!strip"
 #     - CVE-2017-14318 XSA-232
 #     - CVE-2017-14317 XSA-233
 #     - CVE-2017-14319 XSA-234
+#   4.9.0-r5:
+#     - XSA-245
 
 case "$CARCH" in
 x86*)
@@ -142,6 +144,8 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
 	xsa233.patch
 	xsa234-4.9.patch
 	xsa235-4.9.patch
+	xsa245-1.patch
+	xsa245-2.patch
 
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
@@ -404,6 +408,8 @@ fb742225a4f3dbf2a574c4a6e3ef61a5da0c91aaeed77a2247023bdefcd4e0b6c08f1c9ffb42eaac
 a322ac6c5ac2f858a59096108032fd42974eaaeeebd8f4966119149665f32bed281e333e743136e79add2e6f3844d88b6a3e4d5a685c2808702fd3a9e6396cd4  xsa233.patch
 cafeef137cd82cefc3e974b42b974c6562e822c9b359efb654ac374e663d9fc123be210eec17b278f40eabb77c93d3bf0ff03e445607159ad0712808a609a906  xsa234-4.9.patch
 8bab6e59577b51f0c6b8a547c9a37a257bd0460e7219512e899d25f80a74084745d2a4c54e55ad12526663d40f218cb8f833b71350220d36e3750d002ff43d29  xsa235-4.9.patch
+b19197934e8685fc2af73f404b5c8cbed66d9241e5ff902d1a77fdc227e001a13b775a53d6e303d5f27419f5590561c84ec69409152d9773a5e6050c16e92f1b  xsa245-1.patch
+75369673232b2107b59dc0242d6fc224c016b9dcbf3299eab90a1d7c365d617fbc91f7b25075b394fee92782db37ce83c416387fa5ad4c4fcd51d0775a8a754f  xsa245-2.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa245-1.patch b/main/xen/xsa245-1.patch
new file mode 100644
index 0000000000..2047686903
--- /dev/null
+++ b/main/xen/xsa245-1.patch
@@ -0,0 +1,48 @@
+From a48d47febc1340f27d6c716545692641a09b414c Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@arm.com>
+Date: Thu, 21 Sep 2017 14:13:08 +0100
+Subject: [PATCH 1/2] xen/page_alloc: Cover memory unreserved after boot in
+ first_valid_mfn
+
+On Arm, some regions (e.g Initramfs, Dom0 Kernel...) are marked as
+reserved until the hardware domain is built and they are copied into its
+memory. Therefore, they will not be added in the boot allocator via
+init_boot_pages.
+
+Instead, init_xenheap_pages will be called once the region are not used
+anymore.
+
+Update first_valid_mfn in both init_heap_pages and init_boot_pages
+(already exist) to cover all the cases.
+
+Signed-off-by: Julien Grall <julien.grall@arm.com>
+[Adjust comment, added locking around first_valid_mfn update]
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+---
+ xen/common/page_alloc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
+index 0b9f6cc6df..fbe5a8af39 100644
+--- a/xen/common/page_alloc.c
++++ b/xen/common/page_alloc.c
+@@ -1700,6 +1700,16 @@ static void init_heap_pages(
+ {
+     unsigned long i;
+ 
++    /*
++     * Some pages may not go through the boot allocator (e.g reserved
++     * memory at boot but released just after --- kernel, initramfs,
++     * etc.).
++     * Update first_valid_mfn to ensure those regions are covered.
++     */
++    spin_lock(&heap_lock);
++    first_valid_mfn = min_t(unsigned long, page_to_mfn(pg), first_valid_mfn);
++    spin_unlock(&heap_lock);
++
+     for ( i = 0; i < nr_pages; i++ )
+     {
+         unsigned int nid = phys_to_nid(page_to_maddr(pg+i));
+-- 
+2.11.0
+
diff --git a/main/xen/xsa245-2.patch b/main/xen/xsa245-2.patch
new file mode 100644
index 0000000000..cd4d2709be
--- /dev/null
+++ b/main/xen/xsa245-2.patch
@@ -0,0 +1,73 @@
+From cbfcf039d0e0b6f4c4cb3de612f7bf788a0c47cd Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@arm.com>
+Date: Mon, 18 Sep 2017 14:24:08 +0100
+Subject: [PATCH 2/2] xen/arm: Correctly report the memory region in the dummy
+ NUMA helpers
+
+NUMA is currently not supported on Arm. Because common code is
+NUMA-aware, dummy helpers are instead provided to expose a single node.
+
+Those helpers are for instance used to know the region to scrub.
+
+However the memory region is not reported correctly. Indeed, the
+frametable may not be at the beginning of the memory and there might be
+multiple memory banks. This will lead to not scrub some part of the
+memory.
+
+The memory information can be found using:
+    * first_valid_mfn as the start of the memory
+    * max_page - first_valid_mfn as the spanned pages
+
+Note that first_valid_mfn is now been exported. The prototype has been
+added in asm-arm/numa.h and not in a common header because I would
+expect the variable to become static once NUMA is fully supported on
+Arm.
+
+Signed-off-by: Julien Grall <julien.grall@arm.com>
+---
+ xen/common/page_alloc.c    |  6 +++++-
+ xen/include/asm-arm/numa.h | 10 ++++++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
+index fbe5a8af39..472c6fe329 100644
+--- a/xen/common/page_alloc.c
++++ b/xen/common/page_alloc.c
+@@ -192,7 +192,11 @@ PAGE_LIST_HEAD(page_broken_list);
+  * BOOT-TIME ALLOCATOR
+  */
+ 
+-static unsigned long __initdata first_valid_mfn = ~0UL;
++/*
++ * first_valid_mfn is exported because it is use in ARM specific NUMA
++ * helpers. See comment in asm-arm/numa.h.
++ */
++unsigned long first_valid_mfn = ~0UL;
+ 
+ static struct bootmem_region {
+     unsigned long s, e; /* MFNs @s through @e-1 inclusive are free */
+diff --git a/xen/include/asm-arm/numa.h b/xen/include/asm-arm/numa.h
+index a2c1a3476d..3e7384da9e 100644
+--- a/xen/include/asm-arm/numa.h
++++ b/xen/include/asm-arm/numa.h
+@@ -12,9 +12,15 @@ static inline __attribute__((pure)) nodeid_t phys_to_nid(paddr_t addr)
+     return 0;
+ }
+ 
++/*
++ * TODO: make first_valid_mfn static when NUMA is supported on Arm, this
++ * is required because the dummy helpers is using it.
++ */
++extern unsigned long first_valid_mfn;
++
+ /* XXX: implement NUMA support */
+-#define node_spanned_pages(nid) (total_pages)
+-#define node_start_pfn(nid) (pdx_to_pfn(frametable_base_pdx))
++#define node_spanned_pages(nid) (max_page - first_valid_mfn)
++#define node_start_pfn(nid) (first_valid_mfn)
+ #define __node_distance(a, b) (20)
+ 
+ static inline unsigned int arch_get_dma_bitsize(void)
+-- 
+2.11.0
+