xen: XSA-34 and XSA-35

Security fixes for nested virtualization. This only apply to Xen
4.2.x, only edge and 2.5.x Alpine Linux systems are affected.

3 files changed, 59 insertions, 1 deletions

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 3c3a8a781b..5e07fabdfe 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.2.1
-pkgrel=4
+pkgrel=5
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -22,6 +22,8 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa41.patch
 	xsa41b.patch
 	xsa41c.patch
+	xsa34-4.2.patch
+	xsa35-4.2-with-xsa34.patch
 
 	xenstored.initd
 	xenstored.confd
@@ -141,6 +143,8 @@ md5sums="0d48cbe1767b82aba12517898d4e0408  xen-4.2.1.tar.gz
 8ad8942000b8a4be4917599cad9209cf  xsa41.patch
 ed7d0399c6ca6aeee479da5d8f807fe0  xsa41b.patch
 2f3dd7bdc59d104370066d6582725575  xsa41c.patch
+af10e1a3f757a184a1d79904a5ef8572  xsa34-4.2.patch
+8270dbf929e26b5e95532d10a697e404  xsa35-4.2-with-xsa34.patch
 95d8af17bf844d41a015ff32aae51ba1  xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
 ed262f15fb880badb53575539468646c  xenconsoled.initd
diff --git a/main/xen/xsa34-4.2.patch b/main/xen/xsa34-4.2.patch
new file mode 100644
index 0000000000..f5328eff9f
--- /dev/null
+++ b/main/xen/xsa34-4.2.patch
@@ -0,0 +1,30 @@
+x86_32: don't allow use of nested HVM
+
+There are (indirect) uses of map_domain_page() in the nested HVM code
+that are unsafe when not just using the 1:1 mapping.
+
+This is XSA-34 / CVE-2013-0151.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                     rc = -EINVAL;
+                 break;
+             case HVM_PARAM_NESTEDHVM:
++#ifdef __i386__
++                if ( a.value )
++                    rc = -EINVAL;
++#else
+                 if ( a.value > 1 )
+                     rc = -EINVAL;
+                 if ( !is_hvm_domain(d) )
+@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                     for_each_vcpu(d, v)
+                         if ( rc == 0 )
+                             rc = nestedhvm_vcpu_initialise(v);
++#endif
+                 break;
+             case HVM_PARAM_BUFIOREQ_EVTCHN:
+                 rc = -EINVAL;
diff --git a/main/xen/xsa35-4.2-with-xsa34.patch b/main/xen/xsa35-4.2-with-xsa34.patch
new file mode 100644
index 0000000000..89230e2a46
--- /dev/null
+++ b/main/xen/xsa35-4.2-with-xsa34.patch
@@ -0,0 +1,24 @@
+xen: Do not allow guests to enable nested HVM on themselves
+
+There is no reason for this and doing so exposes a memory leak to
+guests. Only toolstacks need write access to this HVM param.
+
+This is XSA-35 / CVE-2013-0152.
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Jan Beulich <JBeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
+                     rc = -EINVAL;
+                 break;
+             case HVM_PARAM_NESTEDHVM:
++                if ( !IS_PRIV(current->domain) )
++                {
++                    rc = -EPERM;
++                    break;
++                }
+ #ifdef __i386__
+                 if ( a.value )
+                     rc = -EINVAL;