authorNatanael Copa <ncopa@alpinelinux.org>2017-02-27 19:19:21 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2017-02-28 11:26:43 +0100
commitb28bbad2dacae5dc8d285faf4179316da15ef781 (patch)
tree73892d179098734a4399c4475a87998ca42cc039
parent0fc0564f72ef78608f8a2d377d95facb4c388545 (diff)
main/xen: sec fixes fro xsa-207 - xsa-209
added perl-dev to makedepends because man2pod moved there. - XSA-207 - CVE-2017-2615 XSA-208 - CVE-2017-2620 XSA-209 - XSA-210 fixes #6916
-rw-r--r--main/xen/APKBUILD146
-rw-r--r--main/xen/xsa207.patch31
-rw-r--r--main/xen/xsa208-qemut.patch56
-rw-r--r--main/xen/xsa208-qemuu-4.7.patch53
-rw-r--r--main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch72
-rw-r--r--main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch60
-rw-r--r--main/xen/xsa209-qemut.patch54
7 files changed, 345 insertions, 127 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 62bcf65ec0..13ee20f25c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.7.1
-pkgrel=4
+pkgrel=5
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64 armhf"
@@ -47,6 +47,11 @@ makedepends="$depends_dev autoconf automake libtool "
# - CVE-2016-10024 XSA-202
# - CVE-2016-10025 XSA-203
# - CVE-2016-10013 XSA-204
+# 4.7.1-r5:
+# - XSA-207
+# - CVE-2017-2615 XSA-208
+# - CVE-2017-2620 XSA-209
+# - XSA-210
case "$CARCH" in
x86*)
@@ -108,6 +113,13 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa202.patch
xsa203-4.7.patch
xsa204-4.7.patch
+ xsa207.patch
+ xsa208-qemut.patch
+ xsa208-qemuu-4.7.patch
+ xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+ xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+ xsa209-qemut.patch
+
qemu-coroutine-gthread.patch
qemu-xen_paths.patch
@@ -329,132 +341,6 @@ hypervisor() {
mv "$pkgdir"/boot "$subpkgdir"/
}
-md5sums="8e258d87a1008a3200eec6989e164fa4 xen-4.7.1.tar.gz
-dd60683d7057917e34630b4a787932e8 gmp-4.3.2.tar.bz2
-cd3f3eb54446be6003156158d51f4884 grub-0.97.tar.gz
-36cc57650cffda9a0269493be2a169bb lwip-1.3.0.tar.gz
-bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz
-cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2
-7b72caf22b01464ee7d6165f2fd85f44 polarssl-1.1.4-gpl.tgz
-e26becb8a6a2b6695f6b3e8097593db8 tpm_emulator-0.7.4.tar.gz
-debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz
-7496268cebf47d5c9ccb0696e3b26065 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-b3ccddb149c8f9af4eb5dcbc230fc391 xsa191.patch
-002cef87f605db2cd9a6ec5230685554 xsa192.patch
-0bde9ad287f8a586fb47abc2f393287e xsa193-4.7.patch
-2a37b54c1cfdf422a680652d05683b3f xsa194.patch
-03ee88fdd719a6e2cdd53b698b14bfa0 xsa195.patch
-362e7460fa4e5db3a5e1c2a4209718cf xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch
-3f66b6bb7129867f857fe25916c32d84 xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch
-7587583e9746ee46c39d48e693c97a2e xsa197-qemut.patch
-6d42e09101a5c6f8da5ee7caea4e0cc5 xsa197-qemuu.patch
-e8d3ee1e904071920a6afbbf6a27aad2 xsa198.patch
-2000ddf0211c153b7cc420a625b7db4e xsa200-4.7.patch
-6580371b4b8db7cb6876f2b42ab3fc61 xsa201-1.patch
-76394482eaf0caeb3e0611ba70e8923c xsa201-2.patch
-136b9ad8b2bcc57d5a7ed3bf13bebe3c xsa201-3-4.7.patch
-9cb1516d783fc9c765e9a37574bb3cbd xsa201-4.patch
-c519ccfe62d245419ade09de5e8fe4fd xsa202.patch
-da401ec1a25668a2dabc666f6687409b xsa203-4.7.patch
-dc4ad05682ce371e1755817b22229601 xsa204-4.7.patch
-de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
-08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
-e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch
-5fab5487fe92fa29302db9ccb04af564 rombios-no-pie.patch
-3a04998db5cc3c5c86f3b46e97e9cd82 0001-ipxe-dont-clobber-ebp.patch
-0984e3000de17a6d14b8014a3ced46a4 musl-support.patch
-513456607a2adfaa0baf1e3ae5124b23 musl-hvmloader-fix-stdint.patch
-c9313a790faa727205627a1657b9bf06 stdint_local.h
-c13f954d041a6fa78d0d241ad1780c0b elf_local.h
-750138c31ec96d1a11fe0c665ac07e9e xen-hotplug-lockfd.patch
-649f77b90978cd2b6d506ac44ec6c393 xen-fd-is-file.c
-b05500e9fdcec5a076ab8817fc313ac3 xenstore_client_transaction_fix.patch
-ea983c48b69eea3885627b2c8da8afec patch-gcc6-etherboot-nonnull-compare.patch
-c1b73e5b708002b77b50827742c3af09 patch-gcc6-etherboot-rm-unused-string-functions.patch
-e10ec3a62e8dc47052b8d8be77520af7 patch-gcc6-etherboot-nic.c.patch
-78433fdb5ed0d9f71a1d2b8103a886c9 patch-gcc6-etherboot-ath.patch
-83b0416745dffdfedec8caab7d20b758 patch-gcc6-etherboot-sis190.patch
-24ece1158115e508e6a5db0a086f065c patch-gcc6-etherboot-skge.patch
-465ca7d4841fe34b7b4d9d99257cd092 patch-gcc6-etherboot-via-velocity.c.patch
-b136a8d31272eec48c766065bba260ca patch-gcc6-etherboot-via-rhine.c.patch
-ef2d246f23e5ca152a4057617041bac6 patch-gcc6-etherboot-e1000_phy.c.patch
-05b86753c6e6ca90af038b499fd564f0 patch-gcc6-etherboot-igb_phy.c.patch
-74a5f930491bbc4333c84fff36029a1c patch-gcc6-etherboot-ath9k-9287-array.patch
-567de70c3355c9724ebfdb02d7806435 patch-gcc6-etherboot-no-pie.patch
-4ae9e861dc0a9b1873236399ba8cff6d patch-gcc6-etherboot-link-header.patch
-ce606e447bc4884dffc59080cd10acfd patch-gcc6-etherboot-eth_broadcast.patch
-4aeda68bf5b168019762fcf6edb661d3 xenstored.initd
-d86504e12f05deca6b3eeeb90157160e xenstored.confd
-d1dd5fc9a8b00f7373d789f9b5a605b9 xenconsoled.initd
-ec2252c72050d7d5870a3a629b873ba6 xenconsoled.confd
-e155d7992ddbb5b0df6148f4cc21c7c6 xendomains.initd
-dcdd1de2c29e469e834a02ede4f47806 xendomains.confd
-9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate
-6a2f777c16678d84039acf670d86fff6 xenqemu.confd
-e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd"
-sha256sums="e87f4b0575e78657ee23d31470a15ecf1ce8c3a92a771cda46bbcd4d0d671ffe xen-4.7.1.tar.gz
-936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775 gmp-4.3.2.tar.bz2
-4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b grub-0.97.tar.gz
-772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f lwip-1.3.0.tar.gz
-db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07 newlib-1.16.0.tar.gz
-f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 pciutils-2.2.9.tar.bz2
-2d29fd04a0d0ba29dae6bd29fb418944c08d3916665dcca74afb297ef37584b6 polarssl-1.1.4-gpl.tgz
-4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459 tpm_emulator-0.7.4.tar.gz
-1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e zlib-1.2.3.tar.gz
-632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-dca534cf4d3711ea8797846a18238ca16cc9e7a24a887300db22c3ba3d95c199 xsa191.patch
-687b0216eefd5ecef8a3135cc6f542cb3d9ff35e8e9696a157703e84656c35e8 xsa192.patch
-f1b0092c585ebffe83d6ed7df94885ec5dfcb4227bdb33f421bad9febb8135a1 xsa193-4.7.patch
-4dad65417d9ff3c86e763d3c88cf8de79b58a9981d531f641ae0dd0dcedce911 xsa194.patch
-6ab5f13b81e3bbf6096020f4c3beeffaff67a075cab67e033ba27d199b41cec1 xsa195.patch
-c4122280f3786416231ae5f0660123446d29e9ac5cd3ffb92784ed36edeec8b7 xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch
-25671c44c746d4d0e8f7e2b109926c013b440e0bf225156282052ec38536e347 xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch
-effa90c9ea5e76afeee8d89359b45201826b992d616c2dc118507b4e5926c57b xsa197-qemut.patch
-ecb1fac79d7d17db993800b0b9aeb24d8cec90d4877d80ed1b1d548401acf36c xsa197-qemuu.patch
-0e4533ad2157c03ab309bd12a54f5ff325f03edbe97f23c60a16a3f378c75eae xsa198.patch
-d7113b94f6ef1c2849aedfe33eace85b0713fa83639c8a533fb289aa73e818e8 xsa200-4.7.patch
-163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda xsa201-1.patch
-0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b xsa201-2.patch
-a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76 xsa201-3-4.7.patch
-388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919 xsa201-4.patch
-057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb xsa202.patch
-7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46 xsa203-4.7.patch
-d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2 xsa204-4.7.patch
-3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
-e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
-dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch
-74cb62a4614dd042ea9169112fb677bfef751a760aae34c7e73391fa857a8429 rombios-no-pie.patch
-ac8bbd0b864c7de278fd9b68392b71863581ec21622c2e9b87e501e492e414d3 0001-ipxe-dont-clobber-ebp.patch
-2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch
-479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3 musl-hvmloader-fix-stdint.patch
-6b4ad2a9fdb3e23b06c8c1961a46b06c15a46471fe6fb13cdc269da37466f334 stdint_local.h
-7f1ed2db24d8eba87a08eea0601a9ab339209906fdfa74c8c03564a1a6e6471e elf_local.h
-b183ed028a8c42a64e6fd3fb4b2b6dad832f52ed838fceb69bf681de4e7d794f xen-hotplug-lockfd.patch
-d0b3e5f282a07878341c38f40d01041ed37623757a99d6e0a420ca64d1f4ef2a xen-fd-is-file.c
-c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1 xenstore_client_transaction_fix.patch
-17bb27d95c86af8cc5e499b1b0db9b95bba3f45910d55b420f9f1f5452355fab patch-gcc6-etherboot-nonnull-compare.patch
-5d5fe7bf52cbae9da20cfd1fc798699b2355a1af907ebf7f764e227891a759bb patch-gcc6-etherboot-rm-unused-string-functions.patch
-9f34f8ecb9a44c688275b838c83efd233bb817f5e222629eac98e116168d704c patch-gcc6-etherboot-nic.c.patch
-cdf7c4a089fe1fe493aafaf669decc3c9e071a0950da77dce526c09088d1c931 patch-gcc6-etherboot-ath.patch
-32595581467772b9fa0fbb5384c99caefeb2cee3306b94b9bd2722084454f5a2 patch-gcc6-etherboot-sis190.patch
-c73d1653b9b1d97ddce717817dc74429cd94c7b22989a08604eaa60df63f75f8 patch-gcc6-etherboot-skge.patch
-448caed900ada2c030738218f5b82f5e29d9dc2e1beef9ebd49cbeb23734df0d patch-gcc6-etherboot-via-velocity.c.patch
-61b1518c8d41792ec3b36e0fbfc265adb6c9304945a6fa18d6cc5a197e34b94f patch-gcc6-etherboot-via-rhine.c.patch
-577f06e38a9ecbd3576907f2ba1c5040f4f1573fe92912635230702ad157b2e7 patch-gcc6-etherboot-e1000_phy.c.patch
-80a24e9504d3893e83dc60550ffe364a873aaf3dafb52dcdade13f61f2ec0ee5 patch-gcc6-etherboot-igb_phy.c.patch
-a15d73e0fb51fe3c1cf8b80a5ff17d532444016d14495d90d9e642ec60f320a6 patch-gcc6-etherboot-ath9k-9287-array.patch
-2269932e8645c11e7fe60eeb6e0720841c2b5ddac2e6965ead1527d3e5924ee9 patch-gcc6-etherboot-no-pie.patch
-cace870b6629003b55d9df9ef24f3445067239b913c006b6e23da511c1a21d78 patch-gcc6-etherboot-link-header.patch
-be05ccd8975af402dcba3a3dc78c173319b2edd636bac11ac11163091453b704 patch-gcc6-etherboot-eth_broadcast.patch
-90a8fc315bfe305581b3873890b1c1c8da6f62b5d06b73b79bac7a74671bbb07 xenstored.initd
-991bb7c9da02941556e29714bd96b26e39e57e0a5b514eadd78d9bfa3fa5a9dc xenstored.confd
-d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.initd
-2a74be03eb74f6013242a4a5d721df6cb9b959b43c405de1e32813f52d749060 xenconsoled.confd
-5fb0fc4a1ac8b139bb31b03f86b5c170050b93ea11a2f5b962d383d277ee815c xendomains.initd
-046540c36328809fc351ad209d2b40300f91581d6d46da0caf79f57f2c212285 xendomains.confd
-0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate
-4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd
-c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd"
sha512sums="eb03244f5fa7b54402fcc1d38f1e69c0ea4536d5ab2f9859b41b5e94920ad9db20fb146e3c3d3635e9ca1d12e93ce0429e57f24bf53d4a2c4b69babc76ec724e xen-4.7.1.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
@@ -483,6 +369,12 @@ ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133
8f96ec62d9a159370d6c6257d45b7b9e87247ac1ca891033b8f3c9fb86f74d539b9c6d893d31289c6a0f00b967672f76ee9e6875a64d739dcda783ff2911681b xsa202.patch
b86ef48db23dacb51fbbdd55041bf08fac8aa0db76a272bb2f9d9be7195cd9a359a30fbbb61e040c66f23358f12ae102a92a30296fb18e4feb1023b58ffad4ff xsa203-4.7.patch
a2a091cd51ed54f5b5ba4131efc1c9cc0a69a647cea46415f73c29e5764efb00025e2e65bd5d24cf26f903263fce150b2b1c52ca5d61fd81dea7efe16abf57be xsa204-4.7.patch
+89848dcdfaebf462765b2a32c9c57d5404930721ff92f7cb05c221a99be2b82fb23d31f91f52fbf32874a69065a2e8ad921460a3655f4b03cf827a8203137fac xsa207.patch
+1ddae183299bd320a2ddb9ccb52ecab36c595e72cc87dde3308c15b4e354550372f289ef35a1ce19a180fed437abb18be83af2f39b96f93335cd3f4ae83390ec xsa208-qemut.patch
+1fb853f7d428e21f13bb46f22df2cf0adc04f184a39fdfcd69fb4c14ffdaf8b13c118153544e59221c5513b2765c98b37d699a4ec1ffcea6ca455118a39cebd6 xsa208-qemuu-4.7.patch
+5b5b470c174e2144a4854795a1a7c4a1c514351fac7b6cf56e634a06cfd71438fb5cd95cac3239819ceef0b4b7d2903f181ed8835bad2aa97d843dd18da76d5c xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+ba64118f4016347b9c95df3c339f22cb9211e8604666cbc29c34c2a7e565f8b6a3ced7ea1c89cfd5211d6b26a5ba58b63e8852486c8f328b3167c2a919498548 xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+46cd186741c22cb34ca7e98fd0d9af974610c8a7c8a38d434fa878803a9365039f8c4e6338174319b026fbdd9b36c6139c03815bdccb8287f33ff843a5167c5e xsa209-qemut.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
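Review bot: The changelog comment added as `# - XSA-210` records XSA-210 as fixed in 4.7.1-r5, but no xsa210 patch is added to `source=` (the new entries are xsa207, xsa208 and xsa209 only), none appears in the new sha512sums lines, and the diffstat lists no such file, so either the advisory does not apply to this release and the comment should say so, or the patch is missing. The commit message also says perl-dev was added to makedepends, yet no hunk on this page touches `makedepends=`; the 127 deletions in the diffstat are the pkgrel line plus the md5sums/sha256sums blocks and the 19 insertions are fully accounted for by the visible hunks, so that change does not seem to be in this commit. The source hunk additionally adds a stray empty `+` line after `xsa209-qemut.patch`. Changing the entry to `# - XSA-210 (no patch needed for 4.7, see advisory)` or dropping it would keep the changelog consistent with what the package actually ships.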
diff --git a/main/xen/xsa207.patch b/main/xen/xsa207.patch
new file mode 100644
index 0000000000..6fb86fc9d5
--- /dev/null
+++ b/main/xen/xsa207.patch
@@ -0,0 +1,31 @@
+From: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Subject: IOMMU: always call teardown callback
+
+There is a possible scenario when (d)->need_iommu remains unset
+during guest domain execution. For example, when no devices
+were assigned to it. Taking into account that teardown callback
+is not called when (d)->need_iommu is unset we might have unreleased
+resourses after destroying domain.
+
+So, always call teardown callback to roll back actions
+that were performed in init callback.
+
+This is XSA-207.
+
+Signed-off-by: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Julien Grall <julien.grall@arm.com>
+
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain
+ if ( !iommu_enabled || !dom_iommu(d)->platform_ops )
+ return;
+
+- if ( need_iommu(d) )
+- iommu_teardown(d);
++ iommu_teardown(d);
+
+ arch_iommu_domain_destroy(d);
+ }
diff --git a/main/xen/xsa208-qemut.patch b/main/xen/xsa208-qemut.patch
new file mode 100644
index 0000000000..27a82da05a
--- /dev/null
+++ b/main/xen/xsa208-qemut.patch
@@ -0,0 +1,56 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ hw/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..364e22d 100644
+--- a/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
diff --git a/main/xen/xsa208-qemuu-4.7.patch b/main/xen/xsa208-qemuu-4.7.patch
new file mode 100644
index 0000000000..705bab5020
--- /dev/null
+++ b/main/xen/xsa208-qemuu-4.7.patch
@@ -0,0 +1,53 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 5198037..7bf3707 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vga.vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vga.vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
diff --git a/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
new file mode 100644
index 0000000000..787567d5a5
--- /dev/null
+++ b/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
@@ -0,0 +1,72 @@
+From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@suse.com>
+Date: Tue, 21 Feb 2017 10:54:38 -0800
+Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7bf3707..34a6900 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ return false;
+ }
+
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+ /* should be the case, see cirrus_bitblt_start */
+ assert(s->cirrus_blt_width > 0);
+@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
++ if (dst_only) {
++ return false;
++ }
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ return true;
+@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+
+ dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+
+ (*s->cirrus_rop) (s, dst, src,
+@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+ cirrus_fill_t rop_func;
+
+- if (blit_is_unsafe(s)) {
++ if (blit_is_unsafe(s, true)) {
+ return 0;
+ }
+ rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+
+ cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+--
+2.1.4
+
diff --git a/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
new file mode 100644
index 0000000000..afaf916237
--- /dev/null
+++ b/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
@@ -0,0 +1,60 @@
+From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 21 Feb 2017 10:54:59 -0800
+Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
+ cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 34a6900..5901250 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+
++ if (blit_is_unsafe(s, true)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
++ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
+--
+2.1.4
+
diff --git a/main/xen/xsa209-qemut.patch b/main/xen/xsa209-qemut.patch
new file mode 100644
index 0000000000..ffc574ba86
--- /dev/null
+++ b/main/xen/xsa209-qemut.patch
@@ -0,0 +1,54 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..45facb6 100644
+--- a/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+
++ if (blit_is_unsafe(s)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
++ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
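Review bot: The guard added at the top of cirrus_bitblt_cputovideo calls `blit_is_unsafe(s)` without the `dst_only` flag that the qemu-xen variant of this fix passes, and the trailer says the extra parameter was simply dropped to make qemu-traditional compile. If the traditional blit_is_unsafe still validates the source region (its body is not on this page), a CPU-to-video blit can be refused whenever a stale cirrus_blt_srcaddr fails the VRAM bounds check even though the source is guest memory for this blit mode, which would be a functional regression of the kind xsa209-0001 fixed for solid fills on the qemu-xen side. Worth confirming against the traditional blit_is_unsafe, or porting the dst_only split to qemu-traditional as well. cirrus_bitblt_cputovideo continues outside the hunk, and the `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` added later in it will abort the device model rather than return if the guard ever lets an oversized pitch through, so the two checks need to stay in agreement.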