author | Natanael Copa <ncopa@alpinelinux.org> | 2016-11-25 16:54:20 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-11-25 17:00:23 +0000 |
commit | 64afb5ab10d6bdced5921588f38124df06eb3783 (patch) | |
tree | 05fb0feaf82dab5ebf38b9cc6c173ea2891f55f4 /main/xen/xsa197-qemuu.patch | |
parent | 9a2f0cb09a04c388d44a68a62311b3e04c0550c8 (diff) | |
main/xen: fix various security issues
- XSA-198 CVE-2016-9379 CVE-2016-9380
delimiter injection vulnerabilities in pygrub
- XSA-197 CVE-2016-9381
qemu incautious about shared ring processing
- XSA-196 CVE-2016-9377 CVE-2016-9378
x86 software interrupt injection mis-handled
- XSA-195 CVE-2016-9383
x86 64-bit bit test instruction emulation broken
- XSA-194 CVE-2016-9384
guest 32-bit ELF symbol table load leaking host data
- XSA-193 CVE-2016-9385
x86 segment base write emulation lacking canonical address checks
- XSA-192 CVE-2016-9382
x86 task switch to VM86 mode mis-handled
- XSA-191 CVE-2016-9386
x86 null segments not always treated as unusable
fixes #6495
Diffstat (limited to 'main/xen/xsa197-qemuu.patch')
-rw-r--r-- | main/xen/xsa197-qemuu.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/main/xen/xsa197-qemuu.patch b/main/xen/xsa197-qemuu.patch
new file mode 100644
index 0000000000..079e8093d1
--- /dev/null
+++ b/main/xen/xsa197-qemuu.patch
@@ -0,0 +1,63 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: xen: fix ioreq handling
+
+Avoid double fetches and bounds check size to avoid overflowing
+internal variables.
+
+This is XSA-197.
+
+Reported-by: yanghongke <yanghongke@huawei.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+
+--- a/xen-hvm.c
++++ b/tools/qemu-xen/xen-hvm.c
+@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
+ trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
+ req->data, req->count, req->size);
+
++ if (req->size > sizeof(uint32_t)) {
++ hw_error("PIO: bad size (%u)", req->size);
++ }
++
+ if (req->dir == IOREQ_READ) {
+ if (!req->data_is_ptr) {
+ req->data = do_inp(req->addr, req->size);
+@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req)
+ trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
+ req->data, req->count, req->size);
+
++ if (req->size > sizeof(req->data)) {
++ hw_error("MMIO: bad size (%u)", req->size);
++ }
++
+ if (!req->data_is_ptr) {
+ if (req->dir == IOREQ_READ) {
+ for (i = 0; i < req->count; i++) {
+@@ -1010,11 +1018,13 @@ static int handle_buffered_iopage(XenIOS
+ req.df = 1;
+ req.type = buf_req->type;
+ req.data_is_ptr = 0;
++ xen_rmb();
+ qw = (req.size == 8);
+ if (qw) {
+ buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
+ IOREQ_BUFFER_SLOT_NUM];
+ req.data |= ((uint64_t)buf_req->data) << 32;
++ xen_rmb();
+ }
+
+ handle_ioreq(state, &req);
+@@ -1045,7 +1055,11 @@ static void cpu_handle_ioreq(void *opaqu
+
+ handle_buffered_iopage(state);
+ if (req) {
+- handle_ioreq(state, req);
++ ioreq_t copy = *req;
++
++ xen_rmb();
++ handle_ioreq(state, ©);
++ req->data = copy.data;
+
+ if (req->state != STATE_IOREQ_INPROCESS) {
+ fprintf(stderr, "Badness in I/O request ... not in service?!: " |
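Review bot: The embedded patch's two file headers disagree in depth, `--- a/xen-hvm.c` against `+++ b/tools/qemu-xen/xen-hvm.c`, so which file the four hunks land on depends on the strip level and working directory used when it is applied, not on the headers alone. The diffstat here is limited to this one file, so the build step that applies it is not visible; it is worth confirming that the hunks apply to the qemu-xen copy without fuzz or offset. On the C side, the two new bounds differ (`sizeof(uint32_t)` for PIO, `sizeof(req->data)` for MMIO) and carry no comment; something like `/* size is guest-supplied; reject values that would overflow internal variables */` above each check would record the reason the commit message gives. Likewise `ioreq_t copy = *req;` in cpu_handle_ioreq deserves `/* snapshot the shared ioreq once; handlers must only see the copy */`, so a later cleanup does not pass `req` back to handle_ioreq. All four functions begin and end outside the quoted hunks, so the handling of `req->count` and of sizes below the bound could not be reviewed from here.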