authorWilliam Pitcock <nenolod@dereferenced.org>2013-11-01 16:05:55 +0000
committerWilliam Pitcock <nenolod@dereferenced.org>2013-11-01 16:06:38 +0000
commita853eaef495f42eeda7f09ef18b53850afd7641f (patch)
tree517eaceb054860a0a6dd1d139629bdc0f4363db4
parent7707a8977bf02fb4303a4b10bbb42aad04cdbe78 (diff)
main/xen: apply relevant XSA patches (XSA-62 through XSA-71)
-rw-r--r--main/xen/APKBUILD34
-rw-r--r--main/xen/xsa62.patch46
-rw-r--r--main/xen/xsa63.patch171
-rw-r--r--main/xen/xsa64.patch55
-rw-r--r--main/xen/xsa66.patch23
-rw-r--r--main/xen/xsa67.patch37
-rw-r--r--main/xen/xsa68.patch69
-rw-r--r--main/xen/xsa70.patch34
-rw-r--r--main/xen/xsa71.patch43
9 files changed, 511 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index a9cae4cbde..c841c9f10a 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.3.0
-pkgrel=7
+pkgrel=8
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -25,6 +25,14 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa41c.patch
xsa48-4.2.patch
+ xsa62.patch
+ xsa63.patch
+ xsa64.patch
+ xsa66.patch
+ xsa67.patch
+ xsa68.patch
+ xsa70.patch
+ xsa71.patch
xsa73-4_3-unstable.patch
fix-pod2man-choking.patch
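Review bot: The source list gains xsa62, 63, 64, 66, 67, 68, 70 and 71 but skips xsa65 and xsa69, while the commit title says "XSA-62 through XSA-71". Nothing in the hunk records whether those two advisories are not applicable to this package or were missed, so a later audit of the applied fixes cannot tell. I would add a comment above the `source=` assignment (which starts outside this hunk), along the lines of `# XSA-65 and XSA-69 intentionally not applied: <reason>`.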
@@ -194,6 +202,14 @@ md5sums="7b18cfb58f1ac2ce39cf35a1867f0c0a xen-4.3.0.tar.gz
ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
2f3dd7bdc59d104370066d6582725575 xsa41c.patch
b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch
+01fc0d30d3f5293df65976ec6a4565b2 xsa62.patch
+099d02d873a36b8484572281dfa72df0 xsa63.patch
+8a27a23cf83dead783b7a8f028ce436d xsa64.patch
+b2345060369f7749a1737f3927c42c24 xsa66.patch
+879f68ccff2e3d9ca1300cd250066465 xsa67.patch
+f5ab90fba31fedc023035ae2a91e5524 xsa68.patch
+8367e07fe00c3d2e7658e1eb21cf4740 xsa70.patch
+29e7e593373bfc1390aa251da6bd834d xsa71.patch
5005efdb8bf44ccc2ce869611b507c83 xsa73-4_3-unstable.patch
4c5455d1adc09752a835e241097fbc39 fix-pod2man-choking.patch
a4097e06a7e000ed00f4607db014d277 qemu-xen-websocket.patch
@@ -222,6 +238,14 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-gener
896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch
+364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856 xsa62.patch
+32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005 xsa63.patch
+061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47 xsa64.patch
+3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4 xsa66.patch
+7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028 xsa67.patch
+64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32 xsa68.patch
+2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56 xsa70.patch
+3785784d9c27c0ec1be6808e5169fe72e6873d963173901f1b287360cf8edd9d xsa71.patch
48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b xsa73-4_3-unstable.patch
fcb5b9ff0bc4b4d39fed9b88891491b91628aa449914cfea321abe5da24c1da2 fix-pod2man-choking.patch
e9f6c482fc449e0b540657a8988ad31f2e680b8933e50e6486687a52f6a9ed04 qemu-xen-websocket.patch
@@ -250,6 +274,14 @@ sha512sums="e6b8f64e15e48704ea5cee5585cd6151fe6a5a62bc4670caf0b762c1aa71c9598db2
bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch
+4738a229a6f18d670da07b3acbaf6e227af5fb3e7b0b414dc98671be02208aefc66ebe07f7396d9158d0fa15993b9d418fd65747880c64694b1a06b8be961419 xsa62.patch
+f972de0910dff2109fc18911eeaf789963ec457d2a21029abc9615088d2c8446028effec6c1c01e080ae3479e704175e19040c09053c8ad60c0b38c7d2ec3859 xsa63.patch
+2e9283c56f7e336f82d26a6346af91e520375f7084a6f07ad254e52781ac7e96cbb09ee48adfbf2c6c46d5516c56343612011f939f6a40ebef41e1925a9c6ed7 xsa64.patch
+5abc6cb7685a9053e67c1646c6d9e06c25da6d6c7004e63e346e7b082270e1319fcc8a194a8db4e9c9cb903fe5dc29ae17169cda6fea94913fa9e0ff5aa9b451 xsa66.patch
+959e4760210ceb480da53c709fcdeed4bd9cec27eefbcdb7dfcf6d764184e5ecf4c225f817d8a46ff0bb74baa8d14d90c9ce39bb51c9a781cbc524227b02e153 xsa67.patch
+bd1deab154e129fc63dcc51ce5c4d004f5fe044443755a0b8943d8b6087f2ef7cbfd76f2390d36f7b4ad1797ef28abbb23157401468e1bf33ecc7a17aff9e8a4 xsa68.patch
+107335f8e4ffddb9cab9e21dfdf745dea0e4d078c71ee59671942291c189dd0e998a9d480fa91ae439e6410591c9fb06491ca8e810006e22640bf0dc9cf5da81 xsa70.patch
+da71e6d60c2663d571686063cb427ba04e5d56422d945ffd3f14be1dc72df61af78f1b63dc9e248bcfb0cdaaca03a227b4145cdd2af1ec7cdf9a2655c5b006b8 xsa71.patch
8eb555bc589bc4848f640dd93bdfaf0d0a61667e26667ff2ff89ab60c8c5a777982647e8c440be7510620281bac8d9bb3281afcae36e974f09bd70184ba6ba9a xsa73-4_3-unstable.patch
2e95ad43bb66f928fe1e8caf474a3211571f75f79ea32aaa3eddb3aed9963444bd131006b67e682395af0d79118b2634bf808404693b813a94662d2a9d665ac2 fix-pod2man-choking.patch
45f1da45f3ff937d0a626e37c130d76f5b97f49a57ddeb11ef2a8e850c04c32c819a3dfcef501eb3784db5fe7b39c88230063e56aa6e5197fd9c7b7d424fff77 qemu-xen-websocket.patch
diff --git a/main/xen/xsa62.patch b/main/xen/xsa62.patch
new file mode 100644
index 0000000000..3bb432762a
--- /dev/null
+++ b/main/xen/xsa62.patch
@@ -0,0 +1,46 @@
+x86/xsave: initialize extended register state when guests enable it
+
+Till now, when setting previously unset bits in XCR0 we wouldn't touch
+the active register state, thus leaving in the newly enabled registers
+whatever a prior user of it left there, i.e. potentially leaking
+information between guests.
+
+This is CVE-2013-1442 / XSA-62.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/xstate.c
++++ b/xen/arch/x86/xstate.c
+@@ -307,6 +307,7 @@ int validate_xstate(u64 xcr0, u64 xcr0_a
+ int handle_xsetbv(u32 index, u64 new_bv)
+ {
+ struct vcpu *curr = current;
++ u64 mask;
+
+ if ( index != XCR_XFEATURE_ENABLED_MASK )
+ return -EOPNOTSUPP;
+@@ -320,9 +321,23 @@ int handle_xsetbv(u32 index, u64 new_bv)
+ if ( !set_xcr0(new_bv) )
+ return -EFAULT;
+
++ mask = new_bv & ~curr->arch.xcr0_accum;
+ curr->arch.xcr0 = new_bv;
+ curr->arch.xcr0_accum |= new_bv;
+
++ mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY;
++ if ( mask )
++ {
++ unsigned long cr0 = read_cr0();
++
++ clts();
++ if ( curr->fpu_dirtied )
++ asm ( "stmxcsr %0" : "=m" (curr->arch.xsave_area->fpu_sse.mxcsr) );
++ xrstor(curr, mask);
++ if ( cr0 & X86_CR0_TS )
++ write_cr0(cr0);
++ }
++
+ return 0;
+ }
+
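Review bot: The block added to handle_xsetbv has no comment on the mask arithmetic or on the `stmxcsr` store, and both are subtle enough that a later backport could get them wrong. `mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY;` appears to exclude the x87/SSE components while the vCPU's live FPU state is loaded, and the store into `xsave_area->fpu_sse.mxcsr` presumably keeps `xrstor(curr, mask)` from reloading a stale MXCSR from the save area. I would add `/* Load only the newly enabled components; leave live FP/SSE state and MXCSR untouched. */` above the `mask &=` line and `/* Put CR0.TS back if it was set on entry. */` before `write_cr0(cr0)`.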
diff --git a/main/xen/xsa63.patch b/main/xen/xsa63.patch
new file mode 100644
index 0000000000..5134650e2f
--- /dev/null
+++ b/main/xen/xsa63.patch
@@ -0,0 +1,171 @@
+x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
+
+Ignoring them generally implies using uninitialized data and, in all
+cases dealt with here, potentially leaking hypervisor stack contents to
+guests.
+
+This is XSA-63.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -2308,11 +2308,7 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- if ( rc == HVMCOPY_gfn_shared )
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+ eflags = regs->eflags;
+@@ -2357,13 +2353,11 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- /* Note: this could be optimised, if the callee functions knew we want RO
+- * access */
+- if ( rc == HVMCOPY_gfn_shared )
++ /*
++ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
++ * functions knew we want RO access.
++ */
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+
+--- a/xen/arch/x86/hvm/intercept.c
++++ b/xen/arch/x86/hvm/intercept.c
+@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu *
+ {
+ for ( i = 0; i < p->count; i++ )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) ||
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
+ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ rc = X86EMUL_RETRY;
+ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
+ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
+ data);
+ if ( rc != X86EMUL_OKAY )
+@@ -165,8 +176,28 @@ static int process_portio_intercept(port
+ for ( i = 0; i < p->count; i++ )
+ {
+ data = 0;
+- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
+- p->size);
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
++ rc = X86EMUL_RETRY;
++ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
++ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = action(IOREQ_WRITE, p->addr, p->size, &data);
+ if ( rc != X86EMUL_OKAY )
+ break;
+--- a/xen/arch/x86/hvm/io.c
++++ b/xen/arch/x86/hvm/io.c
+@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp
+ data = p->data;
+ if ( p->data_is_ptr )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) &&
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ return X86EMUL_RETRY;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ return X86EMUL_UNHANDLEABLE;
++ }
+ }
+
+ switch ( p->size )
+--- a/xen/arch/x86/hvm/vmx/realmode.c
++++ b/xen/arch/x86/hvm/vmx/realmode.c
+@@ -39,7 +39,9 @@ static void realmode_deliver_exception(
+
+ again:
+ last_byte = (vector * 4) + 3;
+- if ( idtr->limit < last_byte )
++ if ( idtr->limit < last_byte ||
++ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
++ HVMCOPY_okay )
+ {
+ /* Software interrupt? */
+ if ( insn_len != 0 )
+@@ -64,8 +66,6 @@ static void realmode_deliver_exception(
+ }
+ }
+
+- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
+-
+ frame[0] = regs->eip + insn_len;
+ frame[1] = csr->sel;
+ frame[2] = regs->eflags & ~X86_EFLAGS_RF;
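Review bot: The `HVMCOPY_bad_gfn_to_mfn` arm sets `data = ~0` and still performs the write, with no comment on why a source frame that cannot be mapped is treated as all-ones rather than as a failure; the same arm appears in all three new switches (hvm_mmio_access, process_portio_intercept, dpci_ioport_write). A one-line comment such as `/* No backing frame: use all-ones, as a read of unpopulated memory would return. */` would make the intent reviewable, assuming that is the intent. The three switches differ only in how they report the result, so a small static helper returning the X86EMUL_* code would keep them from drifting apart. In hvm_mmio_access the added `if ( rc != X86EMUL_OKAY ) break;` depends on `rc` being X86EMUL_OKAY on loop entry, and its initialisation is outside the hunk.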
diff --git a/main/xen/xsa64.patch b/main/xen/xsa64.patch
new file mode 100644
index 0000000000..f2c1117fdd
--- /dev/null
+++ b/main/xen/xsa64.patch
@@ -0,0 +1,55 @@
+commit 95a0770282ea2a03f7bc48c6656d5fc79bae0599
+Author: Tim Deegan <tim@xen.org>
+Date: Thu Sep 12 14:16:28 2013 +0100
+
+ x86/mm/shadow: Fix initialization of PV shadow L4 tables.
+
+ Shadowed PV L4 tables must have the same Xen mappings as their
+ unshadowed equivalent. This is done by copying the Xen entries
+ verbatim from the idle pagetable, and then using guest_l4_slot()
+ in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
+
+ adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
+ changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
+ the top of the address space, which causes the shadow code to
+ copy Xen mappings into guest-kernel-address slots too.
+
+ In the common case, all those slots are zero in the idle pagetable,
+ and no harm is done. But if any slot above #271 is non-zero, Xen will
+ crash when that slot is later cleared (it attempts to drop
+ shadow-pagetable refcounts on its own L4 pagetables).
+
+ Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
+ Monitor pagetables need the full Xen mappings, so they keep using the
+ old name (with its new semantics).
+
+ This is XSA-64.
+
+ Signed-off-by: Tim Deegan <tim@xen.org>
+ Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
+index 4c4c2ba..3fed0b6 100644
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t gl4mfn, mfn_t sl4mfn)
+ {
+ struct domain *d = v->domain;
+ shadow_l4e_t *sl4e;
++ unsigned int slots;
+
+ sl4e = sh_map_domain_page(sl4mfn);
+ ASSERT(sl4e != NULL);
+ ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));
+
+ /* Copy the common Xen mappings from the idle domain */
++ slots = (shadow_mode_external(d)
++ ? ROOT_PAGETABLE_XEN_SLOTS
++ : ROOT_PAGETABLE_PV_XEN_SLOTS);
+ memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],
+ &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],
+- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));
++ slots * sizeof(l4_pgentry_t));
+
+ /* Install the per-domain mappings for this domain */
+ sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
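Review bot: The new `slots` selection has no comment at the point of use, so the reason PV shadows copy fewer L4 entries than external-mode tables is recorded only in the commit message. I would extend the existing "Copy the common Xen mappings" comment, e.g. `/* PV shadows must not copy Xen entries into guest-kernel slots; only external mode takes the full range. */`. The body of sh_install_xen_entries_in_l4 continues past the end of the hunk.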
diff --git a/main/xen/xsa66.patch b/main/xen/xsa66.patch
new file mode 100644
index 0000000000..1d9f25abae
--- /dev/null
+++ b/main/xen/xsa66.patch
@@ -0,0 +1,23 @@
+x86: properly set up fbld emulation operand address
+
+This is CVE-2013-4361 / XSA-66.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3156,11 +3156,11 @@ x86_emulate(
+ break;
+ case 4: /* fbld m80dec */
+ ea.bytes = 10;
+- dst = ea;
++ src = ea;
+ if ( (rc = ops->read(src.mem.seg, src.mem.off,
+ &src.val, src.bytes, ctxt)) != 0 )
+ goto done;
+- emulate_fpu_insn_memdst("fbld", src.val);
++ emulate_fpu_insn_memsrc("fbld", src.val);
+ break;
+ case 5: /* fild m64i */
+ ea.bytes = 8;
diff --git a/main/xen/xsa67.patch b/main/xen/xsa67.patch
new file mode 100644
index 0000000000..d81a0e18a9
--- /dev/null
+++ b/main/xen/xsa67.patch
@@ -0,0 +1,37 @@
+x86: check segment descriptor read result in 64-bit OUTS emulation
+
+When emulating such an operation from a 64-bit context (CS has long
+mode set), and the data segment is overridden to FS/GS, the result of
+reading the overridden segment's descriptor (read_descriptor) is not
+checked. If it fails, data_base is left uninitialized.
+
+This can lead to 8 bytes of Xen's stack being leaked to the guest
+(implicitly, i.e. via the address given in a #PF).
+
+Coverity-ID: 1055116
+
+This is CVE-2013-4368 / XSA-67.
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+
+Fix formatting.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct
+ break;
+ }
+ }
+- else
+- read_descriptor(data_sel, v, regs,
+- &data_base, &data_limit, &ar,
+- 0);
++ else if ( !read_descriptor(data_sel, v, regs,
++ &data_base, &data_limit, &ar, 0) ||
++ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
++ goto fail;
+ data_limit = ~0UL;
+ ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
+ }
diff --git a/main/xen/xsa68.patch b/main/xen/xsa68.patch
new file mode 100644
index 0000000000..cad655be25
--- /dev/null
+++ b/main/xen/xsa68.patch
@@ -0,0 +1,69 @@
+libxl: fix vif rate parsing
+
+strtok can return NULL here. We don't need to use strtok anyway, so just
+use a simple strchr method.
+
+Coverity-ID: 1055642
+
+This is CVE-2013-4369 / XSA-68
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+
+Fix type. Add test case
+
+Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>
+
+diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse
+index 0473182..02c6dba 100755
+--- a/tools/libxl/check-xl-vif-parse
++++ b/tools/libxl/check-xl-vif-parse
+@@ -206,4 +206,8 @@ expected </dev/null
+ one $e rate=4294967295GB/s@5us
+ one $e rate=4296MB/s@4294s
+
++# test include of single '@'
++expected </dev/null
++one $e rate=@
++
+ complete
+diff --git a/tools/libxl/libxlu_vif.c b/tools/libxl/libxlu_vif.c
+index 3b3de0f..0665e62 100644
+--- a/tools/libxl/libxlu_vif.c
++++ b/tools/libxl/libxlu_vif.c
+@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, const char *rate, libxl_device_nic *nic)
+ uint64_t bytes_per_sec = 0;
+ uint64_t bytes_per_interval = 0;
+ uint32_t interval_usecs = 50000UL; /* Default to 50ms */
+- char *ratetok, *tmprate;
++ char *p, *tmprate;
+ int rc = 0;
+
+ tmprate = strdup(rate);
++ if (tmprate == NULL) {
++ rc = ENOMEM;
++ goto out;
++ }
++
++ p = strchr(tmprate, '@');
++ if (p != NULL)
++ *p++ = 0;
++
+ if (!strcmp(tmprate,"")) {
+ xlu__vif_err(cfg, "no rate specified", rate);
+ rc = EINVAL;
+ goto out;
+ }
+
+- ratetok = strtok(tmprate, "@");
+- rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);
++ rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);
+ if (rc) goto out;
+
+- ratetok = strtok(NULL, "@");
+- if (ratetok != NULL) {
+- rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);
++ if (p != NULL) {
++ rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);
+ if (rc) goto out;
+ }
+
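Review bot: The added test covers only `rate=@`, but the switch from strtok to strchr also changes how a trailing separator is handled in xlu_vif_parse_rate. With strtok an input such as `rate=10MB/s@` produced no second token and kept the default interval; now `p` points at an empty string and is passed to `vif_parse_rate_interval_usecs`, whose handling of empty input is not visible here. I would add a case for that input to check-xl-vif-parse so the intended result (error or default interval) is pinned. The body of xlu_vif_parse_rate, including the `out:` label that the new ENOMEM path jumps to, lies outside the hunk.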
diff --git a/main/xen/xsa70.patch b/main/xen/xsa70.patch
new file mode 100644
index 0000000000..f19dd96ed9
--- /dev/null
+++ b/main/xen/xsa70.patch
@@ -0,0 +1,34 @@
+From 94db3e1cb356a0d2de1753888ceb0eb767404ec4 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattjd@gmail.com>
+Date: Tue, 10 Sep 2013 22:18:46 +1200
+Subject: [PATCH] libxl: fix out-of-memory error handling in
+ libxl_list_cpupool
+
+...otherwise it will return freed memory. All the current users of this
+function check already for a NULL return, so use that.
+
+Coverity-ID: 1056194
+
+This is CVE-2013-4371 / XSA-70
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxl/libxl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
+index 0879f23..17653ef 100644
+--- a/tools/libxl/libxl.c
++++ b/tools/libxl/libxl.c
+@@ -651,6 +651,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool_out)
+ if (!tmp) {
+ LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
+ libxl_cpupoolinfo_list_free(ptr, i);
++ ptr = NULL;
+ goto out;
+ }
+ ptr = tmp;
+--
+1.7.10.4
+
diff --git a/main/xen/xsa71.patch b/main/xen/xsa71.patch
new file mode 100644
index 0000000000..45e52eb0f8
--- /dev/null
+++ b/main/xen/xsa71.patch
@@ -0,0 +1,43 @@
+From 23260e589e52ec83349f22198eab2331b5a1684e Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattjd@gmail.com>
+Date: Wed, 25 Sep 2013 12:28:47 +1200
+Subject: [PATCH] xen_disk: mark ioreq as mapped before unmapping in error
+ case
+
+Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
+modified the semantics of ioreq_{un,}map so that they are idempotent if
+called when they're not needed (ie., twice in a row). However, it neglected
+to handle the case where batch mapping is not being used (the default), and
+one of the grants fails to map. In this case, ioreq_unmap will be called to
+unwind and unmap any mappings already performed, but ioreq_unmap simply
+returns due to the aforementioned change (the ioreq has not already been
+marked as mapped).
+
+The frontend user can therefore force xen_disk to leak grant mappings, a
+per-backend-domain limited resource.
+
+Fix by marking the ioreq as mapped before calling ioreq_unmap in this
+situation.
+
+This is XSA-71 / CVE-2013-4375
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+---
+ hw/xen_disk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/qemu-xen/hw/xen_disk.c b/tools/qemu-xen/hw/xen_disk.c
+index a402ac8..1cdfcbc 100644
+--- a/tools/qemu-xen/hw/xen_disk.c
++++ b/tools/qemu-xen/hw/xen_disk.c
+@@ -299,6 +299,7 @@ static int ioreq_map(struct ioreq *ioreq)
+ xen_be_printf(&ioreq->blkdev->xendev, 0,
+ "can't map grant ref %d (%s, %d maps)\n",
+ refs[i], strerror(errno), ioreq->blkdev->cnt_map);
++ ioreq->mapped = 1;
+ ioreq_unmap(ioreq);
+ return -1;
+ }
+--
+1.7.10.4
+
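Review bot: The added `ioreq->mapped = 1;` on the failure path of ioreq_map reads as a contradiction without a comment, since the map has just failed. The reason (ioreq_unmap returns early unless the flag is set, which would leave the grants mapped so far in place) is given only in the commit message. I would put `/* mark as mapped so ioreq_unmap() unwinds the grants mapped so far */` directly above the assignment. The rest of ioreq_map is outside the hunk.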