main/xen: security fixes (CVE-2015-5307, CVE-2015-8104)

2 files changed, 132 insertions, 1 deletions

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 6968901789..fa918b4eed 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.6.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -48,6 +48,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa151.patch
 	xsa152.patch
 	xsa153-libxl.patch
+	xsa156.patch
 
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
@@ -242,6 +243,7 @@ ebd65969e47ea94480d031481521259f  xsa150.patch
 b9c287c042317017f201a45193fdcf17  xsa151.patch
 161a985c52ca2db47c09ae3245f8bceb  xsa152.patch
 e5ddc6b5a2c7ef0437812ce39cb55034  xsa153-libxl.patch
+ea188fa0ada9e5217f166dc3f0b8102c  xsa156.patch
 de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
 08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
 e449bb3359b490804ffc7b0ae08d62a0  hotplug-vif-vtrill.patch
@@ -280,6 +282,7 @@ e01628400b81c4bb7bafba348f2ecb1fe80f16e3162cee5013e0be1d7311738b  xsa149.patch
 e247a9dbbe236ffa3c5aa5e2d41047fa67da80f2b0474eef3440b5b3da2d5617  xsa151.patch
 596f51797aa591b5abd068ead03e21215cf70997c98a4a562392499afe47b81c  xsa152.patch
 f5cbc98cba758e10da0a01d9379012ec56b98a85a92bfeb0c6b8132d4b91ce77  xsa153-libxl.patch
+d92729ca9174f7d1d8c6fd31321d1a58696c0630e87420539c32f7718b9e8ee8  xsa156.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
 dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a  hotplug-vif-vtrill.patch
@@ -318,6 +321,7 @@ f6d1753641741c6d921ec6ba4acd9ac9df511ef1a7ca7c21fb3498a2b7b8758827b9d8cb19543ffd
 d1d6f11ff4c108d57de408cd75a818eeb124b3788c480bee6eb46ffdb18ef53a5dd96588f961f3336881d38c07908fae7c4042d8ee7267704647b306180aaebf  xsa151.patch
 e442c062b6bcf54761784649d3b21df2b4e46b7e1d94ab7375e227e65d6741b5457a838e72569ab9e49fb0ca57063226652f9efd4331356b822d686829682faa  xsa152.patch
 a33a184fdb1588ee17ddaab53dd45f9e68b2523f99278de7e8a403b36ce2dd71efcccae1c94b4b196f5d83d6423766a23e48fbf0a6a2e1dd681313edb0d1c399  xsa153-libxl.patch
+a879a7c8f5a1a49d5c1dc9c80ca5a7086b68f5cfa1938819ec93f354f2ba916862e8a553822f0e8d004fe90cf389c37675fc2c523157ad8a2426f60dcc03715d  xsa156.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa156.patch b/main/xen/xsa156.patch
new file mode 100644
index 0000000000..d37dff1cd7
--- /dev/null
+++ b/main/xen/xsa156.patch
@@ -0,0 +1,127 @@
+x86/HVM: always intercept #AC and #DB
+
+Both being benign exceptions, and both being possible to get triggered
+by exception delivery, this is required to prevent a guest from locking
+up a CPU (resulting from no other VM exits occurring once getting into
+such a loop).
+
+The specific scenarios:
+
+1) #AC may be raised during exception delivery if the handler is set to
+be a ring-3 one by a 32-bit guest, and the stack is misaligned.
+
+2) #DB may be raised during exception delivery when a breakpoint got
+placed on a data structure involved in delivering the exception. This
+can result in an endless loop when a 64-bit guest uses a non-zero IST
+for the vector 1 IDT entry, but even without use of IST the time it
+takes until a contributory fault would get raised (results depending
+on the handler) may be quite long.
+
+This is XSA-156.
+
+Reported-by: Benjamin Serebrin <serebrin@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -1043,10 +1043,11 @@ static void noreturn svm_do_resume(struc
+         unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) )
+     {
+         uint32_t intercepts = vmcb_get_exception_intercepts(vmcb);
+-        uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3);
++
+         v->arch.hvm_vcpu.debug_state_latch = debug_state;
+         vmcb_set_exception_intercepts(
+-            vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask));
++            vmcb, debug_state ? (intercepts | (1U << TRAP_int3))
++                              : (intercepts & ~(1U << TRAP_int3)));
+     }
+ 
+     if ( v->arch.hvm_svm.launch_core != smp_processor_id() )
+@@ -2434,8 +2435,9 @@ void svm_vmexit_handler(struct cpu_user_
+ 
+     case VMEXIT_EXCEPTION_DB:
+         if ( !v->domain->debugger_attached )
+-            goto unexpected_exit_type;
+-        domain_pause_for_debugger();
++            hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE);
++        else
++            domain_pause_for_debugger();
+         break;
+ 
+     case VMEXIT_EXCEPTION_BP:
+@@ -2483,6 +2485,11 @@ void svm_vmexit_handler(struct cpu_user_
+         break;
+     }
+ 
++    case VMEXIT_EXCEPTION_AC:
++        HVMTRACE_1D(TRAP, TRAP_alignment_check);
++        hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1);
++        break;
++
+     case VMEXIT_EXCEPTION_UD:
+         svm_vmexit_ud_intercept(regs);
+         break;
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -1224,16 +1224,10 @@ static void vmx_update_host_cr3(struct v
+ 
+ void vmx_update_debug_state(struct vcpu *v)
+ {
+-    unsigned long mask;
+-
+-    mask = 1u << TRAP_int3;
+-    if ( !cpu_has_monitor_trap_flag )
+-        mask |= 1u << TRAP_debug;
+-
+     if ( v->arch.hvm_vcpu.debug_state_latch )
+-        v->arch.hvm_vmx.exception_bitmap |= mask;
++        v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3;
+     else
+-        v->arch.hvm_vmx.exception_bitmap &= ~mask;
++        v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3);
+ 
+     vmx_vmcs_enter(v);
+     vmx_update_exception_bitmap(v);
+@@ -3060,9 +3054,10 @@ void vmx_vmexit_handler(struct cpu_user_
+             __vmread(EXIT_QUALIFICATION, &exit_qualification);
+             HVMTRACE_1D(TRAP_DEBUG, exit_qualification);
+             write_debugreg(6, exit_qualification | DR_STATUS_RESERVED_ONE);
+-            if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag )
+-                goto exit_and_crash;
+-            domain_pause_for_debugger();
++            if ( !v->domain->debugger_attached )
++                hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE);
++            else
++                domain_pause_for_debugger();
+             break;
+         case TRAP_int3: 
+         {
+@@ -3127,6 +3122,11 @@ void vmx_vmexit_handler(struct cpu_user_
+ 
+             hvm_inject_page_fault(regs->error_code, exit_qualification);
+             break;
++        case TRAP_alignment_check:
++            HVMTRACE_1D(TRAP, vector);
++            __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode);
++            hvm_inject_hw_exception(vector, ecode);
++            break;
+         case TRAP_nmi:
+             if ( MASK_EXTR(intr_info, INTR_INFO_INTR_TYPE_MASK) !=
+                  X86_EVENTTYPE_NMI )
+--- a/xen/include/asm-x86/hvm/hvm.h
++++ b/xen/include/asm-x86/hvm/hvm.h
+@@ -385,7 +385,10 @@ static inline int hvm_event_pending(stru
+     (X86_CR4_VMXE | X86_CR4_PAE | X86_CR4_MCE))
+ 
+ /* These exceptions must always be intercepted. */
+-#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op))
++#define HVM_TRAP_MASK ((1U << TRAP_debug)           | \
++                       (1U << TRAP_invalid_op)      | \
++                       (1U << TRAP_alignment_check) | \
++                       (1U << TRAP_machine_check))
+ 
+ /*
+  * x86 event types. This enumeration is valid for: