authorNatanael Copa <ncopa@alpinelinux.org>2014-10-23 12:53:24 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-10-23 13:07:53 +0000
commitb4cec285f5436041695c718489cd39d28dfd68dd (patch)
tree4f839a388a44f691613737aa136831eaeabfbfef /main/xen
parent805a5164875cd3f789db8929be1b6c9380f98d98 (diff)
main/xen: security fixes (CVE-2014-7154, CVE-2014-7155, CVE-2014-7156)
XSA-104 CVE-2014-7154 Race condition in HVMOP_track_dirty_vram
XSA-105 CVE-2014-7155 Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
XSA-106 CVE-2014-7156 Missing privilege level checks in x86 emulation of software interrupts

fixes #3459
Diffstat (limited to 'main/xen')
-rw-r--r--main/xen/APKBUILD15
-rw-r--r--main/xen/xsa104.patch44
-rw-r--r--main/xen/xsa105.patch37
-rw-r--r--main/xen/xsa106.patch23
4 files changed, 118 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 4012d7d0bd..e0ca99e98c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.3.3
-pkgrel=0
+pkgrel=1
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -25,6 +25,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa41c.patch
xsa97-hap-4_3.patch
+
+ xsa104.patch
+ xsa105.patch
+ xsa106.patch
xsa108.patch
fix-pod2man-choking.patch
@@ -194,6 +198,9 @@ md5sums="1b4438a50d8875700ac2c7e1ffbcd91b xen-4.3.3.tar.gz
ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
2f3dd7bdc59d104370066d6582725575 xsa41c.patch
8b0feffc89e3f34d835d60ad62688b30 xsa97-hap-4_3.patch
+1cc14dc8cc1a42aa93a6ea1508931d98 xsa104.patch
+cdc40a86a58fc864ebb7b1dbf90d2352 xsa105.patch
+f58b915ad62aef72bde99f8d04f9a7a4 xsa106.patch
1f66f6c52941309c825f60e1bf144987 xsa108.patch
4c5455d1adc09752a835e241097fbc39 fix-pod2man-choking.patch
a4097e06a7e000ed00f4607db014d277 qemu-xen-websocket.patch
@@ -222,6 +229,9 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-gener
896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
cfab6521221a5058a0dfbb6d59c3c4cd0e7f4239bb6cbee2723de22c33caafda xsa97-hap-4_3.patch
+fc02f6365ca79a6ef386c882b57fab8b56aa12b54fc9b05054552f0f25e32047 xsa104.patch
+dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39 xsa105.patch
+301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270 xsa106.patch
cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e xsa108.patch
fcb5b9ff0bc4b4d39fed9b88891491b91628aa449914cfea321abe5da24c1da2 fix-pod2man-choking.patch
e9f6c482fc449e0b540657a8988ad31f2e680b8933e50e6486687a52f6a9ed04 qemu-xen-websocket.patch
@@ -250,6 +260,9 @@ sha512sums="cd9b7199d2859a856c719b75ee50a059c480f7493bbc493bcc3701d20321bd6d83c6
bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
acfd1058632d42bef061a9586565d184c0010d74870a25bc9b0a0bf40dda8abfd882056b8340dec45355efd9326d05f92a933f5d5c1c58e97597a8e88c61c639 xsa97-hap-4_3.patch
+25d6ecde45eb69877476c2c8a91eff8ffb688befeb41228fea9161e785009c64efd02b1a9119727dfecb46d2bfc7a362fdf8c618055493447bd298c9ac5d65a4 xsa104.patch
+9bc41d22a3286ff054a8daa04bd496e91a43910d9b3ab80f4cfea517d57dfdb06fb09192bf9004f07b950574cf5bfba1faebe431bc4e82a4849ff7c5468f7cc0 xsa105.patch
+9403eece50848844f5734f26877558cec705ad83496cdac5abc994264eb221830f185c1a7a1262c8834f45dc7fe544d8ea99898d471a3cea04f98c39bb87b2c3 xsa106.patch
f511a13ee4223ea2fa9d109fea1802b462f178d3be7de630aeba6eb40ef5d17c7db9d3b99ea414c5794d92d181a60c0bd2061f51987c6deb3a9071f5626fd049 xsa108.patch
2e95ad43bb66f928fe1e8caf474a3211571f75f79ea32aaa3eddb3aed9963444bd131006b67e682395af0d79118b2634bf808404693b813a94662d2a9d665ac2 fix-pod2man-choking.patch
45f1da45f3ff937d0a626e37c130d76f5b97f49a57ddeb11ef2a8e850c04c32c819a3dfcef501eb3784db5fe7b39c88230063e56aa6e5197fd9c7b7d424fff77 qemu-xen-websocket.patch
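Review bot: The second hunk (the `source=` list) adds an empty `+` line before `xsa104.patch`, leaving a blank line inside the quoted source list while every other patch entry sits directly under the previous one; dropping that blank line keeps the list one contiguous block, and abuild does not need the separator. The three checksum hunks add md5, sha256 and sha512 entries for xsa104/xsa105/xsa106 in the same order as the new source entries, which looks consistent, but nothing on the page records where the vendored patch files were obtained or that their digests were compared against the values published in the corresponding XSA advisories; a one-line mention in the commit message (e.g. `patches taken from the XSA-104/105/106 advisories, sha256 verified`) would make the provenance of the security patches auditable later. The `source=`, `md5sums=`, `sha256sums=` and `sha512sums=` assignments all open and close outside the hunks shown.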
diff --git a/main/xen/xsa104.patch b/main/xen/xsa104.patch
new file mode 100644
index 0000000000..2c5b39ee9b
--- /dev/null
+++ b/main/xen/xsa104.patch
@@ -0,0 +1,44 @@
+x86/shadow: fix race condition sampling the dirty vram state
+
+d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
+
+If not, two concurrent hypercalls could both end up attempting to free
+dirty_vram (the second of which will free a wild pointer), or both end up
+allocating a new dirty_vram structure (the first of which will be leaked).
+
+This is XSA-104.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -3485,7 +3485,7 @@ int shadow_track_dirty_vram(struct domai
+ int flush_tlb = 0;
+ unsigned long i;
+ p2m_type_t t;
+- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
++ struct sh_dirty_vram *dirty_vram;
+ struct p2m_domain *p2m = p2m_get_hostp2m(d);
+
+ if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
+@@ -3495,6 +3495,8 @@ int shadow_track_dirty_vram(struct domai
+ p2m_lock(p2m_get_hostp2m(d));
+ paging_lock(d);
+
++ dirty_vram = d->arch.hvm_domain.dirty_vram;
++
+ if ( dirty_vram && (!nr ||
+ ( begin_pfn != dirty_vram->begin_pfn
+ || end_pfn != dirty_vram->end_pfn )) )
+--- a/xen/include/asm-x86/hvm/domain.h
++++ b/xen/include/asm-x86/hvm/domain.h
+@@ -112,7 +112,7 @@ struct hvm_domain {
+ /* Memory ranges with pinned cache attributes. */
+ struct list_head pinned_cacheattr_ranges;
+
+- /* VRAM dirty support. */
++ /* VRAM dirty support. Protect with the domain paging lock. */
+ struct sh_dirty_vram *dirty_vram;
+
+ /* If one of vcpus of this domain is in no_fill_mode or
diff --git a/main/xen/xsa105.patch b/main/xen/xsa105.patch
new file mode 100644
index 0000000000..cc7cafddd6
--- /dev/null
+++ b/main/xen/xsa105.patch
@@ -0,0 +1,37 @@
+x86/emulate: check cpl for all privileged instructions
+
+Without this, it is possible for userspace to load its own IDT or GDT.
+
+This is XSA-105.
+
+Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Andrei LUTAS <vlutas@bitdefender.com>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3314,6 +3314,7 @@ x86_emulate(
+ goto swint;
+
+ case 0xf4: /* hlt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ ctxt->retire.flags.hlt = 1;
+ break;
+
+@@ -3710,6 +3711,7 @@ x86_emulate(
+ break;
+ case 2: /* lgdt */
+ case 3: /* lidt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+ fail_if(ops->write_segment == NULL);
+ memset(&reg, 0, sizeof(reg));
+@@ -3738,6 +3740,7 @@ x86_emulate(
+ case 6: /* lmsw */
+ fail_if(ops->read_cr == NULL);
+ fail_if(ops->write_cr == NULL);
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
+ goto done;
+ if ( ea.type == OP_REG )
diff --git a/main/xen/xsa106.patch b/main/xen/xsa106.patch
new file mode 100644
index 0000000000..436724dbc1
--- /dev/null
+++ b/main/xen/xsa106.patch
@@ -0,0 +1,23 @@
+x86emul: only emulate software interrupt injection for real mode
+
+Protected mode emulation currently lacks proper privilege checking of
+the referenced IDT entry, and there's currently no legitimate way for
+any of the respective instructions to reach the emulator when the guest
+is in protected mode.
+
+This is XSA-106.
+
+Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -2634,6 +2634,7 @@ x86_emulate(
+ case 0xcd: /* int imm8 */
+ src.val = insn_fetch_type(uint8_t);
+ swint:
++ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
+ fail_if(ops->inject_sw_interrupt == NULL);
+ rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
+ ctxt) ? : X86EMUL_EXCEPTION;