diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2017-04-11 07:31:50 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-04-11 14:26:28 +0000 |
commit | da85ca277a6878be7b6a40d6904d52c522ed214d (patch) | |
tree | 57645dd6fb6c8fb77037646fb606a6d62348eeba /main/xen | |
parent | 634a18834fafb5103f5a2aaa0f430de62e073929 (diff) | |
download | aports-da85ca277a6878be7b6a40d6904d52c522ed214d.tar.bz2 aports-da85ca277a6878be7b6a40d6904d52c522ed214d.tar.xz |
main/xen: upgrade to 4.7.2 and fix xsa210 and xsa211
Diffstat (limited to 'main/xen')
28 files changed, 595 insertions, 1862 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index f57edc3e29..a56f634b7a 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen -pkgver=4.7.1 -pkgrel=5 +pkgver=4.7.2 +pkgrel=0 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64 armhf" @@ -14,6 +14,7 @@ depends_dev="libressl-dev python2-dev e2fsprogs-dev gettext zlib-dev ncurses-dev spice-dev gnutls-dev curl-dev libaio-dev lzo-dev xz-dev util-linux-dev e2fsprogs-dev linux-headers argp-standalone perl-dev" makedepends="$depends_dev autoconf automake libtool " +options="!strip" # secfixes: # 4.7.0-r0: @@ -52,6 +53,9 @@ makedepends="$depends_dev autoconf automake libtool " # - CVE-2017-2615 XSA-208 # - CVE-2017-2620 XSA-209 # - XSA-210 +# 4.7.2-r0: +# - CVE-2016-9603 XSA-211 +# - CVE-2017-7228 XSA-212 case "$CARCH" in x86*) @@ -65,9 +69,9 @@ esac install="" -if [ "$CARCH" != "armhf" ]; then - subpackages="$pkgname-dbg" -fi +#if [ "$CARCH" != "armhf" ]; then +# subpackages="$pkgname-dbg" +#fi subpackages="$subpackages $pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor" # grep _VERSION= stubdom/configure @@ -95,31 +99,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz - xsa191.patch - xsa192.patch - xsa193-4.7.patch - xsa194.patch - xsa195.patch - xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch - xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch - xsa197-qemut.patch - xsa197-qemuu.patch - xsa198.patch - xsa200-4.7.patch - xsa201-1.patch - xsa201-2.patch - xsa201-3-4.7.patch - xsa201-4.patch - xsa202.patch - xsa203-4.7.patch - xsa204-4.7.patch - xsa207.patch - xsa208-qemut.patch - xsa208-qemuu-4.7.patch - xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch - xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch - xsa209-qemut.patch - + xsa211-qemut.patch + xsa211-qemuu-4.7.patch + xsa212.patch qemu-coroutine-gthread.patch qemu-xen_paths.patch @@ -322,6 +304,14 @@ package() { "$pkgdir"/etc/xen/xen-consoles.logrotate install -m755 xen-fd-is-file "$pkgdir"/usr/lib/xen/bin/xen-fd-is-file + + # we need to exclude /usr/share when stripping + msg "Stripping binaries" + scanelf --recursive --nobanner --etype "ET_DYN,ET_EXEC" "$pkgdir"/usr/lib \ + "$pkgdir"/usr/bin \ + "$pkgdir"/usr/sbin \ + | sed -e 's:^ET_DYN ::' -e 's:^ET_EXEC ::' \ + | xargs strip } libs() { @@ -341,7 +331,7 @@ hypervisor() { mv "$pkgdir"/boot "$subpkgdir"/ } -sha512sums="eb03244f5fa7b54402fcc1d38f1e69c0ea4536d5ab2f9859b41b5e94920ad9db20fb146e3c3d3635e9ca1d12e93ce0429e57f24bf53d4a2c4b69babc76ec724e xen-4.7.1.tar.gz +sha512sums="8f447e7feffec81fea5b5a4098968b8b8cebc6989e7b6a845413317644d5d328d6f12181d09266366200878ab6a29ab34c7235c1af7b55463a3fdaea40ee1500 xen-4.7.2.tar.gz 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz @@ -351,30 +341,9 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35 tpm_emulator-0.7.4.tar.gz 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz -7484f63adc5f74d1c9cf335a6698cbfa782198aea2008ccea91a7dd9de13ca5e046497dd116bd56605fab6c59feba91b206ca5dc12d6e13f3229640aae2f7173 xsa191.patch -13670f640f36d216b276dc4fcf73745cb81e54381afbee7452d8e058166a468dc4467dbdeb3e22154f66d5ef70b796f0a0f0f0080dcb4c3587d7f15fe7b9abc6 xsa192.patch -6a20d6b192849af32e7db59f61d7686cbd4e0542741f3b6ddef2133f102212ba3ebc93901e5d74cdd54747e188a4eb8060b8843c10878e3bc9c567af678a6bd1 xsa193-4.7.patch -a5119a779e23d39524639bded6fe1d1e8dce8ef3c36798a43477f27f9631c6d2e1324708f574deb697131641d2cf86de2f4754887325f67c2961e6c7dbaae0bc xsa194.patch -2b32a360c13590f24de8ebb1cd18eb17eada444034a394739c21306be708ba5924ea1448e0d120c0f61f9472bce45e80439e3fd5779f4be72d367ce5c55b6ec0 xsa195.patch -d76d457343a1a2cd08d6a3fcaf063569638862d5491c5eb3100bc3902d3f4845c5a9a6ceed16e2be405ecfc924d786e7a0e2407c002c59da344a10e8e183e758 xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch -3f47f78f83f01af57c51eee5c6a51466c59d23ddcbbf0c107539166840faed756af113b139c73aea74534ebceb304c0b6b69a394e47c3a9a5499342cce6d5cf8 xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch -e25e8f99c129c51da735103542da332b38d54502dd4dccc824383f8e086ce969afaac7da8ad4011bea5745e160e5c2020f4e58daccc9cc69542ff3fc7157761c xsa197-qemut.patch -68b5a4f5b8dbe1a0c6a55f126839f02c13bf6ff393cee71c33a06deae61ce4cd4ebdf2cc3bf2594e71fad0e766221fdc23c2055550db63bd0662b930ab8c2acc xsa197-qemuu.patch -b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594cbaa5a47f339c3b8a5cccf11dd361b993aa76d242b825549c xsa198.patch -44274dbef002c70606c3e5cad46433868d37e7e3f79f0d3a3e19ac43892f77cc0bd48783ecf3abe270f1ebb8ee5f3bfe6d689b732483ec0ad4fcbd11a912ab2b xsa200-4.7.patch -67006c1ac5d0b01eb65b5a9b6583ef31c0df0cdb6331af983d972d9b0c4bc21416484d88445edb8ee8470becdc11bc88fad4a617aac40ae26610eb2bee40bd01 xsa201-1.patch -afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d xsa201-2.patch -ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133fe1d3334c628da784c696161768b275ed3ab64d6140293dc xsa201-3-4.7.patch -1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610 xsa201-4.patch -8f96ec62d9a159370d6c6257d45b7b9e87247ac1ca891033b8f3c9fb86f74d539b9c6d893d31289c6a0f00b967672f76ee9e6875a64d739dcda783ff2911681b xsa202.patch -b86ef48db23dacb51fbbdd55041bf08fac8aa0db76a272bb2f9d9be7195cd9a359a30fbbb61e040c66f23358f12ae102a92a30296fb18e4feb1023b58ffad4ff xsa203-4.7.patch -a2a091cd51ed54f5b5ba4131efc1c9cc0a69a647cea46415f73c29e5764efb00025e2e65bd5d24cf26f903263fce150b2b1c52ca5d61fd81dea7efe16abf57be xsa204-4.7.patch -89848dcdfaebf462765b2a32c9c57d5404930721ff92f7cb05c221a99be2b82fb23d31f91f52fbf32874a69065a2e8ad921460a3655f4b03cf827a8203137fac xsa207.patch -1ddae183299bd320a2ddb9ccb52ecab36c595e72cc87dde3308c15b4e354550372f289ef35a1ce19a180fed437abb18be83af2f39b96f93335cd3f4ae83390ec xsa208-qemut.patch -1fb853f7d428e21f13bb46f22df2cf0adc04f184a39fdfcd69fb4c14ffdaf8b13c118153544e59221c5513b2765c98b37d699a4ec1ffcea6ca455118a39cebd6 xsa208-qemuu-4.7.patch -5b5b470c174e2144a4854795a1a7c4a1c514351fac7b6cf56e634a06cfd71438fb5cd95cac3239819ceef0b4b7d2903f181ed8835bad2aa97d843dd18da76d5c xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch -ba64118f4016347b9c95df3c339f22cb9211e8604666cbc29c34c2a7e565f8b6a3ced7ea1c89cfd5211d6b26a5ba58b63e8852486c8f328b3167c2a919498548 xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch -46cd186741c22cb34ca7e98fd0d9af974610c8a7c8a38d434fa878803a9365039f8c4e6338174319b026fbdd9b36c6139c03815bdccb8287f33ff843a5167c5e xsa209-qemut.patch +a3d1975afabf344b01af992642a93088e42d7655c955d38d50f00b9388cadeedaea88b6afb1db7558703cb356024a81afaee3e5cdfd76b571df9e6604e6ee035 xsa211-qemut.patch +7b1bae43d578ee1195c509760b14d15771987d685cfa2603ae07c49e1f4c9f8aea3240ebc1c14a8a1afa6d41be4e20f540ea14ca5e07e47714000ad2c9cc9cb6 xsa211-qemuu-4.7.patch +d012556c6b439629c5e4284a0de2f5ae70cda3db4f6f42373b8719509fec3bb0bb667a50484fd1e6c1129dcd2bff550a3eb9ead0f676fb626e6263ac98023e06 xsa212.patch c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch diff --git a/main/xen/xsa191.patch b/main/xen/xsa191.patch deleted file mode 100644 index 956f1c97ad..0000000000 --- a/main/xen/xsa191.patch +++ /dev/null @@ -1,152 +0,0 @@ -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: x86/hvm: Fix the handling of non-present segments - -In 32bit, the data segments may be NULL to indicate that the segment is -ineligible for use. In both 32bit and 64bit, the LDT selector may be NULL to -indicate that the entire LDT is ineligible for use. However, nothing in Xen -actually checks for this condition when performing other segmentation -checks. (Note however that limit and writeability checks are correctly -performed). - -Neither Intel nor AMD specify the exact behaviour of loading a NULL segment. -Experimentally, AMD zeroes all attributes but leaves the base and limit -unmodified. Intel zeroes the base, sets the limit to 0xfffffff and resets the -attributes to just .G and .D/B. - -The use of the segment information in the VMCB/VMCS is equivalent to a native -pipeline interacting with the segment cache. The present bit can therefore -have a subtly different meaning, and it is now cooked to uniformly indicate -whether the segment is usable or not. - -GDTR and IDTR don't have access rights like the other segments, but for -consistency, they are treated as being present so no special casing is needed -elsewhere in the segmentation logic. - -AMD hardware does not consider the present bit for %cs and %tr, and will -function as if they were present. They are therefore unconditionally set to -present when reading information from the VMCB, to maintain the new meaning of -usability. - -Intel hardware has a separate unusable bit in the VMCS segment attributes. -This bit is inverted and stored in the present field, so the hvm code can work -with architecturally-common state. - -This is XSA-191. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- - xen/arch/x86/hvm/hvm.c | 8 ++++++++ - xen/arch/x86/hvm/svm/svm.c | 4 ++++ - xen/arch/x86/hvm/vmx/vmx.c | 20 +++++++++++--------- - xen/arch/x86/x86_emulate/x86_emulate.c | 4 ++++ - 4 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c -index 704fd64..deb1783 100644 ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -2512,6 +2512,10 @@ bool_t hvm_virtual_to_linear_addr( - */ - addr = (uint32_t)(addr + reg->base); - -+ /* Segment not valid for use (cooked meaning of .p)? */ -+ if ( !reg->attr.fields.p ) -+ goto out; -+ - switch ( access_type ) - { - case hvm_access_read: -@@ -2767,6 +2771,10 @@ static int hvm_load_segment_selector( - hvm_get_segment_register( - v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab); - -+ /* Segment not valid for use (cooked meaning of .p)? */ -+ if ( !desctab.attr.fields.p ) -+ goto fail; -+ - /* Check against descriptor table limit. */ - if ( ((sel & 0xfff8) + 7) > desctab.limit ) - goto fail; -diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c -index 16427f6..4cba406 100644 ---- a/xen/arch/x86/hvm/svm/svm.c -+++ b/xen/arch/x86/hvm/svm/svm.c -@@ -627,6 +627,7 @@ static void svm_get_segment_register(struct vcpu *v, enum x86_segment seg, - { - case x86_seg_cs: - memcpy(reg, &vmcb->cs, sizeof(*reg)); -+ reg->attr.fields.p = 1; - reg->attr.fields.g = reg->limit > 0xFFFFF; - break; - case x86_seg_ds: -@@ -660,13 +661,16 @@ static void svm_get_segment_register(struct vcpu *v, enum x86_segment seg, - case x86_seg_tr: - svm_sync_vmcb(v); - memcpy(reg, &vmcb->tr, sizeof(*reg)); -+ reg->attr.fields.p = 1; - reg->attr.fields.type |= 0x2; - break; - case x86_seg_gdtr: - memcpy(reg, &vmcb->gdtr, sizeof(*reg)); -+ reg->attr.bytes = 0x80; - break; - case x86_seg_idtr: - memcpy(reg, &vmcb->idtr, sizeof(*reg)); -+ reg->attr.bytes = 0x80; - break; - case x86_seg_ldtr: - svm_sync_vmcb(v); -diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c -index 9a8f694..a652c52 100644 ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -1035,10 +1035,12 @@ void vmx_get_segment_register(struct vcpu *v, enum x86_segment seg, - reg->sel = sel; - reg->limit = limit; - -- reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00); -- /* Unusable flag is folded into Present flag. */ -- if ( attr & (1u<<16) ) -- reg->attr.fields.p = 0; -+ /* -+ * Fold VT-x representation into Xen's representation. The Present bit is -+ * unconditionally set to the inverse of unusable. -+ */ -+ reg->attr.bytes = -+ (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00); - - /* Adjust for virtual 8086 mode */ - if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr -@@ -1118,11 +1120,11 @@ static void vmx_set_segment_register(struct vcpu *v, enum x86_segment seg, - } - } - -- attr = ((attr & 0xf00) << 4) | (attr & 0xff); -- -- /* Not-present must mean unusable. */ -- if ( !reg->attr.fields.p ) -- attr |= (1u << 16); -+ /* -+ * Unfold Xen representation into VT-x representation. The unusable bit -+ * is unconditionally set to the inverse of present. -+ */ -+ attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff); - - /* VMX has strict consistency requirement for flag G. */ - attr |= !!(limit >> 20) << 15; -diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index 7a707dc..7cb6f98 100644 ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1367,6 +1367,10 @@ protmode_load_seg( - &desctab, ctxt)) ) - return rc; - -+ /* Segment not valid for use (cooked meaning of .p)? */ -+ if ( !desctab.attr.fields.p ) -+ goto raise_exn; -+ - /* Check against descriptor table limit. */ - if ( ((sel & 0xfff8) + 7) > desctab.limit ) - goto raise_exn; diff --git a/main/xen/xsa192.patch b/main/xen/xsa192.patch deleted file mode 100644 index b573a132c9..0000000000 --- a/main/xen/xsa192.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch - -Just like TR, LDTR is purely a protected mode facility and hence needs -to be loaded accordingly. Also move its loading to where it -architecurally belongs. - -This is XSA-192. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> -Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -2728,17 +2728,16 @@ static void hvm_unmap_entry(void *p) - } - - static int hvm_load_segment_selector( -- enum x86_segment seg, uint16_t sel) -+ enum x86_segment seg, uint16_t sel, unsigned int eflags) - { - struct segment_register desctab, cs, segr; - struct desc_struct *pdesc, desc; - u8 dpl, rpl, cpl; - bool_t writable; - int fault_type = TRAP_invalid_tss; -- struct cpu_user_regs *regs = guest_cpu_user_regs(); - struct vcpu *v = current; - -- if ( regs->eflags & X86_EFLAGS_VM ) -+ if ( eflags & X86_EFLAGS_VM ) - { - segr.sel = sel; - segr.base = (uint32_t)sel << 4; -@@ -2986,6 +2985,8 @@ void hvm_task_switch( - if ( rc != HVMCOPY_okay ) - goto out; - -+ if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) ) -+ goto out; - - if ( hvm_set_cr3(tss.cr3, 1) ) - goto out; -@@ -3008,13 +3009,12 @@ void hvm_task_switch( - } - - exn_raised = 0; -- if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || -- hvm_load_segment_selector(x86_seg_es, tss.es) || -- hvm_load_segment_selector(x86_seg_cs, tss.cs) || -- hvm_load_segment_selector(x86_seg_ss, tss.ss) || -- hvm_load_segment_selector(x86_seg_ds, tss.ds) || -- hvm_load_segment_selector(x86_seg_fs, tss.fs) || -- hvm_load_segment_selector(x86_seg_gs, tss.gs) ) -+ if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) ) - exn_raised = 1; - - rc = hvm_copy_to_guest_virt( diff --git a/main/xen/xsa193-4.7.patch b/main/xen/xsa193-4.7.patch deleted file mode 100644 index c5486efa54..0000000000 --- a/main/xen/xsa193-4.7.patch +++ /dev/null @@ -1,68 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86/PV: writes of %fs and %gs base MSRs require canonical addresses - -Commit c42494acb2 ("x86: fix FS/GS base handling when using the -fsgsbase feature") replaced the use of wrmsr_safe() on these paths -without recognizing that wr{f,g}sbase() use just wrmsrl() and that the -WR{F,G}SBASE instructions also raise #GP for non-canonical input. - -Similarly arch_set_info_guest() needs to prevent non-canonical -addresses from getting stored into state later to be loaded by context -switch code. For consistency also check stack pointers and LDT base. -DR0..3, otoh, already get properly checked in set_debugreg() (albeit -we discard the error there). - -The SHADOW_GS_BASE check isn't strictly necessary, but I think we -better avoid trying the WRMSR if we know it's going to fail. - -This is XSA-193. - -Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/domain.c -+++ b/xen/arch/x86/domain.c -@@ -890,7 +890,13 @@ int arch_set_info_guest( - { - if ( !compat ) - { -- if ( !is_canonical_address(c.nat->user_regs.eip) || -+ if ( !is_canonical_address(c.nat->user_regs.rip) || -+ !is_canonical_address(c.nat->user_regs.rsp) || -+ !is_canonical_address(c.nat->kernel_sp) || -+ (c.nat->ldt_ents && !is_canonical_address(c.nat->ldt_base)) || -+ !is_canonical_address(c.nat->fs_base) || -+ !is_canonical_address(c.nat->gs_base_kernel) || -+ !is_canonical_address(c.nat->gs_base_user) || - !is_canonical_address(c.nat->event_callback_eip) || - !is_canonical_address(c.nat->syscall_callback_eip) || - !is_canonical_address(c.nat->failsafe_callback_eip) ) ---- a/xen/arch/x86/traps.c -+++ b/xen/arch/x86/traps.c -@@ -2723,19 +2723,22 @@ static int emulate_privileged_op(struct - switch ( regs->_ecx ) - { - case MSR_FS_BASE: -- if ( is_pv_32bit_domain(currd) ) -+ if ( is_pv_32bit_domain(currd) || -+ !is_canonical_address(msr_content) ) - goto fail; - wrfsbase(msr_content); - v->arch.pv_vcpu.fs_base = msr_content; - break; - case MSR_GS_BASE: -- if ( is_pv_32bit_domain(currd) ) -+ if ( is_pv_32bit_domain(currd) || -+ !is_canonical_address(msr_content) ) - goto fail; - wrgsbase(msr_content); - v->arch.pv_vcpu.gs_base_kernel = msr_content; - break; - case MSR_SHADOW_GS_BASE: -- if ( is_pv_32bit_domain(currd) ) -+ if ( is_pv_32bit_domain(currd) || -+ !is_canonical_address(msr_content) ) - goto fail; - if ( wrmsr_safe(MSR_SHADOW_GS_BASE, msr_content) ) - goto fail; diff --git a/main/xen/xsa194.patch b/main/xen/xsa194.patch deleted file mode 100644 index 946bd8783d..0000000000 --- a/main/xen/xsa194.patch +++ /dev/null @@ -1,144 +0,0 @@ -From 71096b016f7fd54a72af73576948cb25cf42ebcb Mon Sep 17 00:00:00 2001 -From: Roger Pau MonnĂ© <roger.pau@citrix.com>Date: Wed, 2 Nov 2016 15:02:00 +0000 -Subject: [PATCH] libelf: fix stack memory leak when loading 32 bit symbol - tables - -The 32 bit Elf structs are smaller than the 64 bit ones, which means that -when loading them there's some padding left uninitialized at the end of each -struct (because the size indicated in e_ehsize and e_shentsize is -smaller than the size of elf_ehdr and elf_shdr). - -Fix this by introducing a new helper that is used to set -[caller_]xdest_{base/size} and that takes care of performing the appropriate -memset of the region. This newly introduced helper is then used to set and -unset xdest_{base/size} in elf_load_bsdsyms. Now that the full struct -is zeroed, there's no need to specifically zero the undefined section. - -This is XSA-194. - -Suggested-by: Ian Jackson <ian.jackson@eu.citrix.com> - -Also remove the open coded (and redundant with the earlier -elf_memset_unchecked()) use of caller_xdest_* from elf_init(). - -Signed-off-by: Roger Pau MonnĂ© <roger.pau@citrix.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> ---- - xen/common/libelf/libelf-loader.c | 14 +++----------- - xen/common/libelf/libelf-tools.c | 11 +++++++++-- - xen/include/xen/libelf.h | 15 +++++++++------ - 3 files changed, 21 insertions(+), 19 deletions(-) - -diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c -index 4d3ae4d..bc1f87b 100644 ---- a/xen/common/libelf/libelf-loader.c -+++ b/xen/common/libelf/libelf-loader.c -@@ -43,8 +43,6 @@ elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t - elf->ehdr = ELF_MAKE_HANDLE(elf_ehdr, (elf_ptrval)image_input); - elf->class = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_CLASS]); - elf->data = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_DATA]); -- elf->caller_xdest_base = NULL; -- elf->caller_xdest_size = 0; - - /* Sanity check phdr. */ - offset = elf_uval(elf, elf->ehdr, e_phoff) + -@@ -284,9 +282,8 @@ do { \ - #define SYMTAB_INDEX 1 - #define STRTAB_INDEX 2 - -- /* Allow elf_memcpy_safe to write to symbol_header. */ -- elf->caller_xdest_base = &header; -- elf->caller_xdest_size = sizeof(header); -+ /* Allow elf_memcpy_safe to write to header. */ -+ elf_set_xdest(elf, &header, sizeof(header)); - - /* - * Calculate the position of the various elements in GUEST MEMORY SPACE. -@@ -319,11 +316,7 @@ do { \ - elf_store_field_bitness(elf, header_handle, e_phentsize, 0); - elf_store_field_bitness(elf, header_handle, e_phnum, 0); - -- /* Zero the undefined section. */ -- section_handle = ELF_MAKE_HANDLE(elf_shdr, -- ELF_REALPTR2PTRVAL(&header.elf_header.section[SHN_UNDEF])); - shdr_size = elf_uval(elf, elf->ehdr, e_shentsize); -- elf_memset_safe(elf, ELF_HANDLE_PTRVAL(section_handle), 0, shdr_size); - - /* - * The symtab section header is going to reside in section[SYMTAB_INDEX], -@@ -404,8 +397,7 @@ do { \ - } - - /* Remove permissions from elf_memcpy_safe. */ -- elf->caller_xdest_base = NULL; -- elf->caller_xdest_size = 0; -+ elf_set_xdest(elf, NULL, 0); - - #undef SYMTAB_INDEX - #undef STRTAB_INDEX -diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c -index 5a4757b..e73e729 100644 ---- a/xen/common/libelf/libelf-tools.c -+++ b/xen/common/libelf/libelf-tools.c -@@ -59,8 +59,7 @@ bool elf_access_ok(struct elf_binary * elf, - return 1; - if ( elf_ptrval_in_range(ptrval, size, elf->dest_base, elf->dest_size) ) - return 1; -- if ( elf_ptrval_in_range(ptrval, size, -- elf->caller_xdest_base, elf->caller_xdest_size) ) -+ if ( elf_ptrval_in_range(ptrval, size, elf->xdest_base, elf->xdest_size) ) - return 1; - elf_mark_broken(elf, "out of range access"); - return 0; -@@ -373,6 +372,14 @@ bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr - return ((p_type == PT_LOAD) && (p_flags & (PF_R | PF_W | PF_X)) != 0); - } - -+void elf_set_xdest(struct elf_binary *elf, void *addr, uint64_t size) -+{ -+ elf->xdest_base = addr; -+ elf->xdest_size = size; -+ if ( addr != NULL ) -+ elf_memset_safe(elf, ELF_REALPTR2PTRVAL(addr), 0, size); -+} -+ - /* - * Local variables: - * mode: C -diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h -index 95b5370..cf62bc7 100644 ---- a/xen/include/xen/libelf.h -+++ b/xen/include/xen/libelf.h -@@ -210,13 +210,11 @@ struct elf_binary { - uint64_t bsd_symtab_pend; - - /* -- * caller's other acceptable destination -- * -- * Again, these are trusted and must be valid (or 0) so long -- * as the struct elf_binary is in use. -+ * caller's other acceptable destination. -+ * Set by elf_set_xdest. Do not set these directly. - */ -- void *caller_xdest_base; -- uint64_t caller_xdest_size; -+ void *xdest_base; -+ uint64_t xdest_size; - - #ifndef __XEN__ - /* misc */ -@@ -494,5 +492,10 @@ static inline void ELF_ADVANCE_DEST(struct elf_binary *elf, uint64_t amount) - } - } - -+/* Specify a (single) additional destination, to which the image may -+ * cause writes. As with dest_base and dest_size, the values provided -+ * are trusted and must be valid so long as the struct elf_binary -+ * is in use or until elf_set_xdest(,0,0) is called. */ -+void elf_set_xdest(struct elf_binary *elf, void *addr, uint64_t size); - - #endif /* __XEN_LIBELF_H__ */ --- -2.1.4 - diff --git a/main/xen/xsa195.patch b/main/xen/xsa195.patch deleted file mode 100644 index a193a5cca0..0000000000 --- a/main/xen/xsa195.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86emul: fix huge bit offset handling - -We must never chop off the high 32 bits. - -This is XSA-195. - -Reported-by: George Dunlap <george.dunlap@citrix.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -2549,6 +2549,12 @@ x86_emulate( - else - { - /* -+ * Instructions such as bt can reference an arbitrary offset from -+ * their memory operand, but the instruction doing the actual -+ * emulation needs the appropriate op_bytes read from memory. -+ * Adjust both the source register and memory operand to make an -+ * equivalent instruction. -+ * - * EA += BitOffset DIV op_bytes*8 - * BitOffset = BitOffset MOD op_bytes*8 - * DIV truncates towards negative infinity. -@@ -2560,14 +2566,15 @@ x86_emulate( - src.val = (int32_t)src.val; - if ( (long)src.val < 0 ) - { -- unsigned long byte_offset; -- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); -+ unsigned long byte_offset = -+ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L)); -+ - ea.mem.off -= byte_offset; - src.val = (byte_offset << 3) + src.val; - } - else - { -- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); -+ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L); - src.val &= (op_bytes << 3) - 1; - } - } diff --git a/main/xen/xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch b/main/xen/xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch deleted file mode 100644 index 7193e9ad5a..0000000000 --- a/main/xen/xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: x86/emul: Correct the IDT entry calculation in inject_swint() - -The logic, as introduced in c/s 36ebf14ebe "x86/emulate: support for emulating -software event injection" is buggy. The size of an IDT entry depends on long -mode being active, not the width of the code segment currently in use. - -In particular, this means that a compatibility code segment which hits -emulation for software event injection will end up using an incorrect offset -in the IDT for DPL/Presence checking. In practice, this only occurs on old -AMD hardware lacking NRip support; all newer AMD hardware, and all Intel -hardware bypass this path in the emulator. - -While here, fix a minor issue with reading the IDT entry. The return value -from ops->read() wasn't checked, but in reality the only failure case is if a -pagefault occurs. This is not a realistic problem as the kernel will almost -certainly crash with a double fault if this setup actually occured. - -This is part of XSA-196. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- - xen/arch/x86/x86_emulate/x86_emulate.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index 7a707dc..f74aa8f 100644 ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1630,10 +1630,16 @@ static int inject_swint(enum x86_swint_type type, - { - if ( !in_realmode(ctxt, ops) ) - { -- unsigned int idte_size = (ctxt->addr_size == 64) ? 16 : 8; -- unsigned int idte_offset = vector * idte_size; -+ unsigned int idte_size, idte_offset; - struct segment_register idtr; - uint32_t idte_ctl; -+ int lm = in_longmode(ctxt, ops); -+ -+ if ( lm < 0 ) -+ return X86EMUL_UNHANDLEABLE; -+ -+ idte_size = lm ? 16 : 8; -+ idte_offset = vector * idte_size; - - /* icebp sets the External Event bit despite being an instruction. */ - error_code = (vector << 3) | ECODE_IDT | -@@ -1661,8 +1667,9 @@ static int inject_swint(enum x86_swint_type type, - * Should strictly speaking read all 8/16 bytes of an entry, - * but we currently only care about the dpl and present bits. - */ -- ops->read(x86_seg_none, idtr.base + idte_offset + 4, -- &idte_ctl, sizeof(idte_ctl), ctxt); -+ if ( (rc = ops->read(x86_seg_none, idtr.base + idte_offset + 4, -+ &idte_ctl, sizeof(idte_ctl), ctxt)) ) -+ goto done; - - /* Is this entry present? */ - if ( !(idte_ctl & (1u << 15)) ) diff --git a/main/xen/xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch b/main/xen/xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch deleted file mode 100644 index 26580ff809..0000000000 --- a/main/xen/xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch +++ /dev/null @@ -1,76 +0,0 @@ -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: x86/svm: Fix injection of software interrupts - -The non-NextRip logic in c/s 36ebf14eb "x86/emulate: support for emulating -software event injection" was based on an older version of the AMD software -manual. The manual was later corrected, following findings from that series. - -I took the original wording of "not supported without NextRIP" to mean that -X86_EVENTTYPE_SW_INTERRUPT was not eligible for use. It turns out that this -is not the case, and the new wording is clearer on the matter. - -Despite testing the original patch series on non-NRip hardware, the -swint-emulation XTF test case focuses on the debug vectors; it never ended up -executing an `int $n` instruction for a vector which wasn't also an exception. - -During a vmentry, the use of X86_EVENTTYPE_HW_EXCEPTION comes with a vector -check to ensure that it is only used with exception vectors. Xen's use of -X86_EVENTTYPE_HW_EXCEPTION for `int $n` injection has always been buggy on AMD -hardware. - -Fix this by always using X86_EVENTTYPE_SW_INTERRUPT. - -Print and decode the eventinj information in svm_vmcb_dump(), as it has -several invalid combinations which cause vmentry failures. - -This is part of XSA-196. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- - xen/arch/x86/hvm/svm/svm.c | 13 +++++-------- - xen/arch/x86/hvm/svm/svmdebug.c | 4 ++++ - 2 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c -index 4391744..76efc3e 100644 ---- a/xen/arch/x86/hvm/svm/svm.c -+++ b/xen/arch/x86/hvm/svm/svm.c -@@ -1231,17 +1231,14 @@ static void svm_inject_trap(const struct hvm_trap *trap) - { - case X86_EVENTTYPE_SW_INTERRUPT: /* int $n */ - /* -- * Injection type 4 (software interrupt) is only supported with -- * NextRIP support. Without NextRIP, the emulator will have performed -- * DPL and presence checks for us. -+ * Software interrupts (type 4) cannot be properly injected if the -+ * processor doesn't support NextRIP. Without NextRIP, the emulator -+ * will have performed DPL and presence checks for us, and will have -+ * moved eip forward if appropriate. - */ - if ( cpu_has_svm_nrips ) -- { - vmcb->nextrip = regs->eip + _trap.insn_len; -- event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; -- } -- else -- event.fields.type = X86_EVENTTYPE_HW_EXCEPTION; -+ event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; - break; - - case X86_EVENTTYPE_PRI_SW_EXCEPTION: /* icebp */ -diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c -index ded5d19..f93dfed 100644 ---- a/xen/arch/x86/hvm/svm/svmdebug.c -+++ b/xen/arch/x86/hvm/svm/svmdebug.c -@@ -48,6 +48,10 @@ void svm_vmcb_dump(const char *from, struct vmcb_struct *vmcb) - vmcb->tlb_control, - (unsigned long long)vmcb->_vintr.bytes, - (unsigned long long)vmcb->interrupt_shadow); -+ printk("eventinj %016"PRIx64", valid? %d, ec? %d, type %u, vector %#x\n", -+ vmcb->eventinj.bytes, vmcb->eventinj.fields.v, -+ vmcb->eventinj.fields.ev, vmcb->eventinj.fields.type, -+ vmcb->eventinj.fields.vector); - printk("exitcode = %#Lx exitintinfo = %#Lx\n", - (unsigned long long)vmcb->exitcode, - (unsigned long long)vmcb->exitintinfo.bytes); diff --git a/main/xen/xsa197-qemut.patch b/main/xen/xsa197-qemut.patch deleted file mode 100644 index 878c347b91..0000000000 --- a/main/xen/xsa197-qemut.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: xen: fix ioreq handling - -Avoid double fetches and bounds check size to avoid overflowing -internal variables. - -This is XSA-197. - -Reported-by: yanghongke <yanghongke@huawei.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Ian Jackson <ian.jackson@eu.citrix.com> - ---- a/i386-dm/helper2.c -+++ b/tools/qemu-xen-traditional/i386-dm/helper2.c -@@ -375,6 +375,11 @@ static void cpu_ioreq_pio(CPUState *env, - { - uint32_t i; - -+ if (req->size > sizeof(unsigned long)) { -+ fprintf(stderr, "PIO: bad size (%u)\n", req->size); -+ exit(-1); -+ } -+ - if (req->dir == IOREQ_READ) { - if (!req->data_is_ptr) { - req->data = do_inp(env, req->addr, req->size); -@@ -404,6 +409,11 @@ static void cpu_ioreq_move(CPUState *env - { - uint32_t i; - -+ if (req->size > sizeof(req->data)) { -+ fprintf(stderr, "MMIO: bad size (%u)\n", req->size); -+ exit(-1); -+ } -+ - if (!req->data_is_ptr) { - if (req->dir == IOREQ_READ) { - for (i = 0; i < req->count; i++) { -@@ -516,11 +526,13 @@ static int __handle_buffered_iopage(CPUS - req.df = 1; - req.type = buf_req->type; - req.data_is_ptr = 0; -+ xen_rmb(); - qw = (req.size == 8); - if (qw) { - buf_req = &buffered_io_page->buf_ioreq[(rdptr + 1) % - IOREQ_BUFFER_SLOT_NUM]; - req.data |= ((uint64_t)buf_req->data) << 32; -+ xen_rmb(); - } - - __handle_ioreq(env, &req); -@@ -552,7 +564,11 @@ static void cpu_handle_ioreq(void *opaqu - - __handle_buffered_iopage(env); - if (req) { -- __handle_ioreq(env, req); -+ ioreq_t copy = *req; -+ -+ xen_rmb(); -+ __handle_ioreq(env, ©); -+ req->data = copy.data; - - if (req->state != STATE_IOREQ_INPROCESS) { - fprintf(logfile, "Badness in I/O request ... not in service?!: " diff --git a/main/xen/xsa197-qemuu.patch b/main/xen/xsa197-qemuu.patch deleted file mode 100644 index 079e8093d1..0000000000 --- a/main/xen/xsa197-qemuu.patch +++ /dev/null @@ -1,63 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: xen: fix ioreq handling - -Avoid double fetches and bounds check size to avoid overflowing -internal variables. - -This is XSA-197. - -Reported-by: yanghongke <yanghongke@huawei.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> - ---- a/xen-hvm.c -+++ b/tools/qemu-xen/xen-hvm.c -@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req) - trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr, - req->data, req->count, req->size); - -+ if (req->size > sizeof(uint32_t)) { -+ hw_error("PIO: bad size (%u)", req->size); -+ } -+ - if (req->dir == IOREQ_READ) { - if (!req->data_is_ptr) { - req->data = do_inp(req->addr, req->size); -@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req) - trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr, - req->data, req->count, req->size); - -+ if (req->size > sizeof(req->data)) { -+ hw_error("MMIO: bad size (%u)", req->size); -+ } -+ - if (!req->data_is_ptr) { - if (req->dir == IOREQ_READ) { - for (i = 0; i < req->count; i++) { -@@ -1010,11 +1018,13 @@ static int handle_buffered_iopage(XenIOS - req.df = 1; - req.type = buf_req->type; - req.data_is_ptr = 0; -+ xen_rmb(); - qw = (req.size == 8); - if (qw) { - buf_req = &buf_page->buf_ioreq[(rdptr + 1) % - IOREQ_BUFFER_SLOT_NUM]; - req.data |= ((uint64_t)buf_req->data) << 32; -+ xen_rmb(); - } - - handle_ioreq(state, &req); -@@ -1045,7 +1055,11 @@ static void cpu_handle_ioreq(void *opaqu - - handle_buffered_iopage(state); - if (req) { -- handle_ioreq(state, req); -+ ioreq_t copy = *req; -+ -+ xen_rmb(); -+ handle_ioreq(state, ©); -+ req->data = copy.data; - - if (req->state != STATE_IOREQ_INPROCESS) { - fprintf(stderr, "Badness in I/O request ... not in service?!: " diff --git a/main/xen/xsa198.patch b/main/xen/xsa198.patch deleted file mode 100644 index dbf708491e..0000000000 --- a/main/xen/xsa198.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001 -From: Ian Jackson <ian.jackson@eu.citrix.com> -Date: Thu, 3 Nov 2016 16:37:40 +0000 -Subject: [PATCH] pygrub: Properly quote results, when returning them to the - caller: - -* When the caller wants sexpr output, use `repr()' - This is what Xend expects. - - The returned S-expressions are now escaped and quoted by Python, - generally using '...'. Previously kernel and ramdisk were unquoted - and args was quoted with "..." but without proper escaping. This - change may break toolstacks which do not properly dequote the - returned S-expressions. - -* When the caller wants "simple" output, crash if the delimiter is - contained in the returned value. - - With --output-format=simple it does not seem like this could ever - happen, because the bootloader config parsers all take line-based - input from the various bootloader config files. - - With --output-format=simple0, this can happen if the bootloader - config file contains nul bytes. - -This is XSA-198. - -Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> -Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> ---- - tools/pygrub/src/pygrub | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub -index 40f9584..dd0c8f7 100755 ---- a/tools/pygrub/src/pygrub -+++ b/tools/pygrub/src/pygrub -@@ -721,14 +721,17 @@ def sniff_netware(fs, cfg): - return cfg - - def format_sxp(kernel, ramdisk, args): -- s = "linux (kernel %s)" % kernel -+ s = "linux (kernel %s)" % repr(kernel) - if ramdisk: -- s += "(ramdisk %s)" % ramdisk -+ s += "(ramdisk %s)" % repr(ramdisk) - if args: -- s += "(args \"%s\")" % args -+ s += "(args %s)" % repr(args) - return s - - def format_simple(kernel, ramdisk, args, sep): -+ for check in (kernel, ramdisk, args): -+ if check is not None and sep in check: -+ raise RuntimeError, "simple format cannot represent delimiter-containing value" - s = ("kernel %s" % kernel) + sep - if ramdisk: - s += ("ramdisk %s" % ramdisk) + sep --- -2.1.4 - diff --git a/main/xen/xsa200-4.7.patch b/main/xen/xsa200-4.7.patch deleted file mode 100644 index 69608f6fc3..0000000000 --- a/main/xen/xsa200-4.7.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86emul: CMPXCHG8B ignores operand size prefix - -Otherwise besides mis-handling the instruction, the comparison failure -case would result in uninitialized stack data being handed back to the -guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit -ones). - -This is XSA-200. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> - ---- a/tools/tests/x86_emulator/test_x86_emulator.c -+++ b/tools/tests/x86_emulator/test_x86_emulator.c -@@ -435,6 +435,24 @@ int main(int argc, char **argv) - goto fail; - printf("okay\n"); - -+ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]..."); -+ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f; -+ res[0] = 0x12345678; -+ res[1] = 0x87654321; -+ regs.eflags = 0x200; -+ regs.eip = (unsigned long)&instr[0]; -+ regs.edi = (unsigned long)res; -+ rc = x86_emulate(&ctxt, &emulops); -+ if ( (rc != X86EMUL_OKAY) || -+ (res[0] != 0x12345678) || -+ (res[1] != 0x87654321) || -+ (regs.eax != 0x12345678) || -+ (regs.edx != 0x87654321) || -+ ((regs.eflags&0x240) != 0x200) || -+ (regs.eip != (unsigned long)&instr[4]) ) -+ goto fail; -+ printf("okay\n"); -+ - printf("%-40s", "Testing movsxbd (%%eax),%%ecx..."); - instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08; - regs.eflags = 0x200; ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -4775,8 +4775,12 @@ x86_emulate( - generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1); - generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); - if ( op_bytes == 8 ) -+ { - host_and_vcpu_must_have(cx16); -- op_bytes *= 2; -+ op_bytes = 16; -+ } -+ else -+ op_bytes = 8; - - /* Get actual old value. */ - if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes, diff --git a/main/xen/xsa201-1.patch b/main/xen/xsa201-1.patch deleted file mode 100644 index 50983b852f..0000000000 --- a/main/xen/xsa201-1.patch +++ /dev/null @@ -1,87 +0,0 @@ -From: Wei Chen <Wei.Chen@arm.com> -Subject: arm64: handle guest-generated EL1 asynchronous abort - -In current code, when the hypervisor receives an asynchronous abort -from a guest, the hypervisor will do panic, the host will be down. -We have to prevent such security issue, so, in this patch we crash -the guest, when the hypervisor receives an asynchronous abort from -the guest. - -This is CVE-2016-9815, part of XSA-201. - -Signed-off-by: Wei Chen <Wei.Chen@arm.com> -Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> -Reviewed-by: Steve Capper <steve.capper@arm.com> -Reviewed-by: Julien Grall <Julien.Grall@arm.com> - ---- a/xen/arch/arm/arm64/entry.S -+++ b/xen/arch/arm/arm64/entry.S -@@ -204,9 +204,12 @@ guest_fiq_invalid: - entry hyp=0, compat=0 - invalid BAD_FIQ - --guest_error_invalid: -+guest_error: - entry hyp=0, compat=0 -- invalid BAD_ERROR -+ msr daifclr, #2 -+ mov x0, sp -+ bl do_trap_guest_error -+ exit hyp=0, compat=0 - - guest_sync_compat: - entry hyp=0, compat=1 -@@ -225,9 +228,12 @@ guest_fiq_invalid_compat: - entry hyp=0, compat=1 - invalid BAD_FIQ - --guest_error_invalid_compat: -+guest_error_compat: - entry hyp=0, compat=1 -- invalid BAD_ERROR -+ msr daifclr, #2 -+ mov x0, sp -+ bl do_trap_guest_error -+ exit hyp=0, compat=1 - - ENTRY(return_to_new_vcpu32) - exit hyp=0, compat=1 -@@ -286,12 +292,12 @@ ENTRY(hyp_traps_vector) - ventry guest_sync // Synchronous 64-bit EL0/EL1 - ventry guest_irq // IRQ 64-bit EL0/EL1 - ventry guest_fiq_invalid // FIQ 64-bit EL0/EL1 -- ventry guest_error_invalid // Error 64-bit EL0/EL1 -+ ventry guest_error // Error 64-bit EL0/EL1 - - ventry guest_sync_compat // Synchronous 32-bit EL0/EL1 - ventry guest_irq_compat // IRQ 32-bit EL0/EL1 - ventry guest_fiq_invalid_compat // FIQ 32-bit EL0/EL1 -- ventry guest_error_invalid_compat // Error 32-bit EL0/EL1 -+ ventry guest_error_compat // Error 32-bit EL0/EL1 - - /* - * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next) ---- a/xen/arch/arm/traps.c -+++ b/xen/arch/arm/traps.c -@@ -2723,6 +2723,21 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs) - } - } - -+asmlinkage void do_trap_guest_error(struct cpu_user_regs *regs) -+{ -+ enter_hypervisor_head(regs); -+ -+ /* -+ * Currently, to ensure hypervisor safety, when we received a -+ * guest-generated vSerror/vAbort, we just crash the guest to protect -+ * the hypervisor. In future we can better handle this by injecting -+ * a vSerror/vAbort to the guest. -+ */ -+ gdprintk(XENLOG_WARNING, "Guest(Dom-%u) will be crashed by vSError\n", -+ current->domain->domain_id); -+ domain_crash_synchronous(); -+} -+ - asmlinkage void do_trap_irq(struct cpu_user_regs *regs) - { - enter_hypervisor_head(regs); diff --git a/main/xen/xsa201-2.patch b/main/xen/xsa201-2.patch deleted file mode 100644 index 9bd1f8f89d..0000000000 --- a/main/xen/xsa201-2.patch +++ /dev/null @@ -1,199 +0,0 @@ -From: Wei Chen <Wei.Chen@arm.com> -Subject: arm64: handle async aborts delivered while at EL2 - -If EL1 generates an asynchronous abort and then traps into EL2 -(by HVC or IRQ) before the abort has been delivered, the hypervisor -could not catch it, because the PSTATE.A bit is masked all the time -in hypervisor. So this asynchronous abort may be slipped to next -running guest with PSTATE.A bit unmasked. - -In order to avoid this, it is necessary to take the abort at EL2, by -clearing the PSTATE.A bit. In this patch, we unmask the PSTATE.A bit -to open a window to catch guest-generated asynchronous abort in all -EL1 -> EL2 swich paths. If we catched such asynchronous abort in -checking window, the hyp_error exception will be triggered and the -abort source guest will be crashed. - -This is CVE-2016-9816, part of XSA-201. - -Signed-off-by: Wei Chen <Wei.Chen@arm.com> -Reviewed-by: Julien Grall <julien.grall@arm.com> - ---- a/xen/arch/arm/arm64/entry.S -+++ b/xen/arch/arm/arm64/entry.S -@@ -173,6 +173,43 @@ hyp_error_invalid: - entry hyp=1 - invalid BAD_ERROR - -+hyp_error: -+ /* -+ * Only two possibilities: -+ * 1) Either we come from the exit path, having just unmasked -+ * PSTATE.A: change the return code to an EL2 fault, and -+ * carry on, as we're already in a sane state to handle it. -+ * 2) Or we come from anywhere else, and that's a bug: we panic. -+ */ -+ entry hyp=1 -+ msr daifclr, #2 -+ -+ /* -+ * The ELR_EL2 may be modified by an interrupt, so we have to use the -+ * saved value in cpu_user_regs to check whether we come from 1) or -+ * not. -+ */ -+ ldr x0, [sp, #UREGS_PC] -+ adr x1, abort_guest_exit_start -+ cmp x0, x1 -+ adr x1, abort_guest_exit_end -+ ccmp x0, x1, #4, ne -+ mov x0, sp -+ mov x1, #BAD_ERROR -+ -+ /* -+ * Not equal, the exception come from 2). It's a bug, we have to -+ * panic the hypervisor. -+ */ -+ b.ne do_bad_mode -+ -+ /* -+ * Otherwise, the exception come from 1). It happened because of -+ * the guest. Crash this guest. -+ */ -+ bl do_trap_guest_error -+ exit hyp=1 -+ - /* Traps taken in Current EL with SP_ELx */ - hyp_sync: - entry hyp=1 -@@ -189,15 +226,29 @@ hyp_irq: - - guest_sync: - entry hyp=0, compat=0 -+ bl check_pending_vserror -+ /* -+ * If x0 is Non-zero, a vSError took place, the initial exception -+ * doesn't have any significance to be handled. Exit ASAP -+ */ -+ cbnz x0, 1f - msr daifclr, #2 - mov x0, sp - bl do_trap_hypervisor -+1: - exit hyp=0, compat=0 - - guest_irq: - entry hyp=0, compat=0 -+ bl check_pending_vserror -+ /* -+ * If x0 is Non-zero, a vSError took place, the initial exception -+ * doesn't have any significance to be handled. Exit ASAP -+ */ -+ cbnz x0, 1f - mov x0, sp - bl do_trap_irq -+1: - exit hyp=0, compat=0 - - guest_fiq_invalid: -@@ -213,15 +264,29 @@ guest_error: - - guest_sync_compat: - entry hyp=0, compat=1 -+ bl check_pending_vserror -+ /* -+ * If x0 is Non-zero, a vSError took place, the initial exception -+ * doesn't have any significance to be handled. Exit ASAP -+ */ -+ cbnz x0, 1f - msr daifclr, #2 - mov x0, sp - bl do_trap_hypervisor -+1: - exit hyp=0, compat=1 - - guest_irq_compat: - entry hyp=0, compat=1 -+ bl check_pending_vserror -+ /* -+ * If x0 is Non-zero, a vSError took place, the initial exception -+ * doesn't have any significance to be handled. Exit ASAP -+ */ -+ cbnz x0, 1f - mov x0, sp - bl do_trap_irq -+1: - exit hyp=0, compat=1 - - guest_fiq_invalid_compat: -@@ -270,6 +335,62 @@ return_from_trap: - eret - - /* -+ * This function is used to check pending virtual SError in the gap of -+ * EL1 -> EL2 world switch. -+ * The x0 register will be used to indicate the results of detection. -+ * x0 -- Non-zero indicates a pending virtual SError took place. -+ * x0 -- Zero indicates no pending virtual SError took place. -+ */ -+check_pending_vserror: -+ /* -+ * Save elr_el2 to check whether the pending SError exception takes -+ * place while we are doing this sync exception. -+ */ -+ mrs x0, elr_el2 -+ -+ /* Synchronize against in-flight ld/st */ -+ dsb sy -+ -+ /* -+ * Unmask PSTATE asynchronous abort bit. If there is a pending -+ * SError, the EL2 error exception will happen after PSTATE.A -+ * is cleared. -+ */ -+ msr daifclr, #4 -+ -+ /* -+ * This is our single instruction exception window. A pending -+ * SError is guaranteed to occur at the earliest when we unmask -+ * it, and at the latest just after the ISB. -+ * -+ * If a pending SError occurs, the program will jump to EL2 error -+ * exception handler, and the elr_el2 will be set to -+ * abort_guest_exit_start or abort_guest_exit_end. -+ */ -+abort_guest_exit_start: -+ -+ isb -+ -+abort_guest_exit_end: -+ /* Mask PSTATE asynchronous abort bit, close the checking window. */ -+ msr daifset, #4 -+ -+ /* -+ * Compare elr_el2 and the saved value to check whether we are -+ * returning from a valid exception caused by pending SError. -+ */ -+ mrs x1, elr_el2 -+ cmp x0, x1 -+ -+ /* -+ * Not equal, the pending SError exception took place, set -+ * x0 to non-zero. -+ */ -+ cset x0, ne -+ -+ ret -+ -+/* - * Exception vectors. - */ - .macro ventry label -@@ -287,7 +408,7 @@ ENTRY(hyp_traps_vector) - ventry hyp_sync // Synchronous EL2h - ventry hyp_irq // IRQ EL2h - ventry hyp_fiq_invalid // FIQ EL2h -- ventry hyp_error_invalid // Error EL2h -+ ventry hyp_error // Error EL2h - - ventry guest_sync // Synchronous 64-bit EL0/EL1 - ventry guest_irq // IRQ 64-bit EL0/EL1 diff --git a/main/xen/xsa201-3-4.7.patch b/main/xen/xsa201-3-4.7.patch deleted file mode 100644 index af7fc3703e..0000000000 --- a/main/xen/xsa201-3-4.7.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Wei Chen <Wei.Chen@arm.com> -Subject: arm: crash the guest when it traps on external abort - -If we spot a data or prefetch abort bearing the ESR_EL2.EA bit set, we -know that this is an external abort, and that should crash the guest. - -This is CVE-2016-9817, part of XSA-201. - -Signed-off-by: Wei Chen <Wei.Chen@arm.com> -Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> -Reviewed-by: Steve Capper <steve.capper@arm.com> -Reviewed-by: Julien Grall <Julien.Grall@arm.com> - ---- a/xen/arch/arm/traps.c -+++ b/xen/arch/arm/traps.c -@@ -2383,6 +2383,15 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs, - int rc; - register_t gva = READ_SYSREG(FAR_EL2); - -+ /* -+ * If this bit has been set, it means that this instruction abort is caused -+ * by a guest external abort. Currently we crash the guest to protect the -+ * hypervisor. In future one can better handle this by injecting a virtual -+ * abort to the guest. -+ */ -+ if ( hsr.iabt.eat ) -+ domain_crash_synchronous(); -+ - switch ( hsr.iabt.ifsc & 0x3f ) - { - case FSC_FLT_PERM ... FSC_FLT_PERM + 3: -@@ -2437,6 +2446,15 @@ static void do_trap_data_abort_guest(struct cpu_user_regs *regs, - return; - } - -+ /* -+ * If this bit has been set, it means that this data abort is caused -+ * by a guest external abort. Currently we crash the guest to protect the -+ * hypervisor. In future one can better handle this by injecting a virtual -+ * abort to the guest. -+ */ -+ if ( dabt.eat ) -+ domain_crash_synchronous(); -+ - info.dabt = dabt; - #ifdef CONFIG_ARM_32 - info.gva = READ_CP32(HDFAR); diff --git a/main/xen/xsa201-4.patch b/main/xen/xsa201-4.patch deleted file mode 100644 index 8060a5be13..0000000000 --- a/main/xen/xsa201-4.patch +++ /dev/null @@ -1,130 +0,0 @@ -From: Wei Chen <Wei.Chen@arm.com> -Subject: arm32: handle async aborts delivered while at HYP - -If guest generates an asynchronous abort and then traps into HYP -(by HVC or IRQ) before the abort has been delivered, the hypervisor -could not catch it, because the PSTATE.A bit is masked all the time -in hypervisor. So this asynchronous abort may be slipped to next -running guest with PSTATE.A bit unmasked. - -In order to avoid this, it is necessary to take the abort at HYP, by -clearing the PSTATE.A bit. In this patch, we unmask the PSTATE.A bit -to open a window to catch guest-generated asynchronous abort in all -Guest -> HYP switch paths. If we caught such asynchronous abort in -checking window, the HYP data abort exception will be triggered and -the abort source guest will be crashed. - -This is CVE-2016-9818, part of XSA-201. - -Signed-off-by: Wei Chen <Wei.Chen@arm.com> -Reviewed-by: Julien Grall <julien.grall@arm.com> - ---- a/xen/arch/arm/arm32/entry.S -+++ b/xen/arch/arm/arm32/entry.S -@@ -42,6 +42,61 @@ save_guest_regs: - SAVE_BANKED(fiq) - SAVE_ONE_BANKED(R8_fiq); SAVE_ONE_BANKED(R9_fiq); SAVE_ONE_BANKED(R10_fiq) - SAVE_ONE_BANKED(R11_fiq); SAVE_ONE_BANKED(R12_fiq); -+ /* -+ * Start to check pending virtual abort in the gap of Guest -> HYP -+ * world switch. -+ * -+ * Save ELR_hyp to check whether the pending virtual abort exception -+ * takes place while we are doing this trap exception. -+ */ -+ mrs r1, ELR_hyp -+ -+ /* -+ * Force loads and stores to complete before unmasking asynchronous -+ * aborts and forcing the delivery of the exception. -+ */ -+ dsb sy -+ -+ /* -+ * Unmask asynchronous abort bit. If there is a pending asynchronous -+ * abort, the data_abort exception will happen after A bit is cleared. -+ */ -+ cpsie a -+ -+ /* -+ * This is our single instruction exception window. A pending -+ * asynchronous abort is guaranteed to occur at the earliest when we -+ * unmask it, and at the latest just after the ISB. -+ * -+ * If a pending abort occurs, the program will jump to data_abort -+ * exception handler, and the ELR_hyp will be set to -+ * abort_guest_exit_start or abort_guest_exit_end. -+ */ -+ .global abort_guest_exit_start -+abort_guest_exit_start: -+ -+ isb -+ -+ .global abort_guest_exit_end -+abort_guest_exit_end: -+ /* Mask CPSR asynchronous abort bit, close the checking window. */ -+ cpsid a -+ -+ /* -+ * Compare ELR_hyp and the saved value to check whether we are -+ * returning from a valid exception caused by pending virtual -+ * abort. -+ */ -+ mrs r2, ELR_hyp -+ cmp r1, r2 -+ -+ /* -+ * Not equal, the pending virtual abort exception took place, the -+ * initial exception does not have any significance to be handled. -+ * Exit ASAP. -+ */ -+ bne return_from_trap -+ - mov pc, lr - - #define DEFINE_TRAP_ENTRY(trap) \ ---- a/xen/arch/arm/arm32/traps.c -+++ b/xen/arch/arm/arm32/traps.c -@@ -63,7 +63,10 @@ asmlinkage void do_trap_prefetch_abort(struct cpu_user_regs *regs) - - asmlinkage void do_trap_data_abort(struct cpu_user_regs *regs) - { -- do_unexpected_trap("Data Abort", regs); -+ if ( VABORT_GEN_BY_GUEST(regs) ) -+ do_trap_guest_error(regs); -+ else -+ do_unexpected_trap("Data Abort", regs); - } - - /* ---- a/xen/include/asm-arm/arm32/processor.h -+++ b/xen/include/asm-arm/arm32/processor.h -@@ -55,6 +55,17 @@ struct cpu_user_regs - - uint32_t pad1; /* Doubleword-align the user half of the frame */ - }; -+ -+/* Functions for pending virtual abort checking window. */ -+void abort_guest_exit_start(void); -+void abort_guest_exit_end(void); -+ -+#define VABORT_GEN_BY_GUEST(r) \ -+( \ -+ ( (unsigned long)abort_guest_exit_start == (r)->pc ) || \ -+ ( (unsigned long)abort_guest_exit_end == (r)->pc ) \ -+) -+ - #endif - - /* Layout as used in assembly, with src/dest registers mixed in */ ---- a/xen/include/asm-arm/processor.h -+++ b/xen/include/asm-arm/processor.h -@@ -690,6 +690,8 @@ void vcpu_regs_user_to_hyp(struct vcpu *vcpu, - int call_smc(register_t function_id, register_t arg0, register_t arg1, - register_t arg2); - -+void do_trap_guest_error(struct cpu_user_regs *regs); -+ - #endif /* __ASSEMBLY__ */ - #endif /* __ASM_ARM_PROCESSOR_H */ - /* diff --git a/main/xen/xsa202.patch b/main/xen/xsa202.patch deleted file mode 100644 index 51d38dcba5..0000000000 --- a/main/xen/xsa202.patch +++ /dev/null @@ -1,75 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86: force EFLAGS.IF on when exiting to PV guests - -Guest kernels modifying instructions in the process of being emulated -for another of their vCPU-s may effect EFLAGS.IF to be cleared upon -next exiting to guest context, by converting the being emulated -instruction to CLI (at the right point in time). Prevent any such bad -effects by always forcing EFLAGS.IF on. And to cover hypothetical other -similar issues, also force EFLAGS.{IOPL,NT,VM} to zero. - -This is XSA-202. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> ---- - ---- a/xen/arch/x86/x86_64/compat/entry.S -+++ b/xen/arch/x86/x86_64/compat/entry.S -@@ -109,6 +109,8 @@ compat_process_trap: - /* %rbx: struct vcpu, interrupts disabled */ - ENTRY(compat_restore_all_guest) - ASSERT_INTERRUPTS_DISABLED -+ mov $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d -+ and UREGS_eflags(%rsp),%r11d - .Lcr4_orig: - .skip .Lcr4_alt_end - .Lcr4_alt, 0x90 - .Lcr4_orig_end: -@@ -144,6 +146,8 @@ ENTRY(compat_restore_all_guest) - (.Lcr4_orig_end - .Lcr4_orig), \ - (.Lcr4_alt_end - .Lcr4_alt) - .popsection -+ or $X86_EFLAGS_IF,%r11 -+ mov %r11d,UREGS_eflags(%rsp) - RESTORE_ALL adj=8 compat=1 - .Lft0: iretq - _ASM_PRE_EXTABLE(.Lft0, handle_exception) ---- a/xen/arch/x86/x86_64/entry.S -+++ b/xen/arch/x86/x86_64/entry.S -@@ -40,28 +40,29 @@ restore_all_guest: - testw $TRAP_syscall,4(%rsp) - jz iret_exit_to_guest - -+ movq 24(%rsp),%r11 # RFLAGS -+ andq $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11 -+ orq $X86_EFLAGS_IF,%r11 -+ - /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx - sarq $47,%rcx - incl %ecx - cmpl $1,%ecx -- ja .Lforce_iret -+ movq 8(%rsp),%rcx # RIP -+ ja iret_exit_to_guest - - cmpw $FLAT_USER_CS32,16(%rsp)# CS -- movq 8(%rsp),%rcx # RIP -- movq 24(%rsp),%r11 # RFLAGS - movq 32(%rsp),%rsp # RSP - je 1f - sysretq - 1: sysretl - --.Lforce_iret: -- /* Mimic SYSRET behavior. */ -- movq 8(%rsp),%rcx # RIP -- movq 24(%rsp),%r11 # RFLAGS - ALIGN - /* No special register assumptions. */ - iret_exit_to_guest: -+ andl $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp) -+ orl $X86_EFLAGS_IF,24(%rsp) - addq $8,%rsp - .Lft0: iretq - _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/main/xen/xsa203-4.7.patch b/main/xen/xsa203-4.7.patch deleted file mode 100644 index d623d8468b..0000000000 --- a/main/xen/xsa203-4.7.patch +++ /dev/null @@ -1,19 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: x86/HVM: add missing NULL check before using VMFUNC hook - -This is XSA-203. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/hvm/emulate.c -+++ b/xen/arch/x86/hvm/emulate.c -@@ -1643,6 +1643,8 @@ static int hvmemul_vmfunc( - { - int rc; - -+ if ( !hvm_funcs.altp2m_vcpu_emulate_vmfunc ) -+ return X86EMUL_UNHANDLEABLE; - rc = hvm_funcs.altp2m_vcpu_emulate_vmfunc(ctxt->regs); - if ( rc != X86EMUL_OKAY ) - hvmemul_inject_hw_exception(TRAP_invalid_op, 0, ctxt); diff --git a/main/xen/xsa204-4.7.patch b/main/xen/xsa204-4.7.patch deleted file mode 100644 index ea41789a4b..0000000000 --- a/main/xen/xsa204-4.7.patch +++ /dev/null @@ -1,69 +0,0 @@ -From: Andrew Cooper <andrew.cooper3@citrix.com> -Date: Sun, 18 Dec 2016 15:42:59 +0000 -Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL - -A singlestep #DB is determined by the resulting eflags value from the -execution of SYSCALL, not the original eflags value. - -By using the original eflags value, we negate the guest kernels attempt to -protect itself from a privilege escalation by masking TF. - -Introduce a tf boolean and have the SYSCALL emulation recalculate it -after the instruction is complete. - -This is XSA-204 - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- - xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - -diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index bca7045..abe442e 100644 ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1582,6 +1582,7 @@ x86_emulate( - union vex vex = {}; - unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes; - bool_t lock_prefix = 0; -+ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF); - int override_seg = -1, rc = X86EMUL_OKAY; - struct operand src = { .reg = REG_POISON }; - struct operand dst = { .reg = REG_POISON }; -@@ -3910,9 +3911,8 @@ x86_emulate( - } - - no_writeback: -- /* Inject #DB if single-step tracing was enabled at instruction start. */ -- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && -- (ops->inject_hw_exception != NULL) ) -+ /* Should a singlestep #DB be raised? */ -+ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) - rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; - - /* Commit shadow register state. */ -@@ -4143,6 +4143,23 @@ x86_emulate( - (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) ) - goto done; - -+ /* -+ * SYSCALL (unlike most instructions) evaluates its singlestep action -+ * based on the resulting EFLG_TF, not the starting EFLG_TF. -+ * -+ * As the #DB is raised after the CPL change and before the OS can -+ * switch stack, it is a large risk for privilege escalation. -+ * -+ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any -+ * vulnerability. Running the #DB handler on an IST stack is also a -+ * mitigation. -+ * -+ * 32bit kernels have no ability to mask EFLG_TF at all. Their only -+ * mitigation is to use a task gate for handling #DB (or to not use -+ * enable EFER.SCE to start with). -+ */ -+ tf = !!(_regs.eflags & EFLG_TF); -+ - break; - } - diff --git a/main/xen/xsa207.patch b/main/xen/xsa207.patch deleted file mode 100644 index 6fb86fc9d5..0000000000 --- a/main/xen/xsa207.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Oleksandr Tyshchenko <olekstysh@gmail.com> -Subject: IOMMU: always call teardown callback - -There is a possible scenario when (d)->need_iommu remains unset -during guest domain execution. For example, when no devices -were assigned to it. Taking into account that teardown callback -is not called when (d)->need_iommu is unset we might have unreleased -resourses after destroying domain. - -So, always call teardown callback to roll back actions -that were performed in init callback. - -This is XSA-207. - -Signed-off-by: Oleksandr Tyshchenko <olekstysh@gmail.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Tested-by: Jan Beulich <jbeulich@suse.com> -Tested-by: Julien Grall <julien.grall@arm.com> - ---- a/xen/drivers/passthrough/iommu.c -+++ b/xen/drivers/passthrough/iommu.c -@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain - if ( !iommu_enabled || !dom_iommu(d)->platform_ops ) - return; - -- if ( need_iommu(d) ) -- iommu_teardown(d); -+ iommu_teardown(d); - - arch_iommu_domain_destroy(d); - } diff --git a/main/xen/xsa208-qemut.patch b/main/xen/xsa208-qemut.patch deleted file mode 100644 index 27a82da05a..0000000000 --- a/main/xen/xsa208-qemut.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Mon, 13 Feb 2017 15:22:15 +0000 -Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) - -When doing bitblt copy in backward mode, we should minus the -blt width first just like the adding in the forward mode. This -can avoid the oob access of the front of vga's vram. - -This is XSA-208. - -upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> - -{ kraxel: with backward blits (negative pitch) addr is the topmost - address, so check it as-is against vram size ] - -[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] - -Cc: qemu-stable@nongnu.org -Cc: P J P <ppandit@redhat.com> -Cc: Laszlo Ersek <lersek@redhat.com> -Cc: Paolo Bonzini <pbonzini@redhat.com> -Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> -Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com -Reviewed-by: Laszlo Ersek <lersek@redhat.com> -Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> -Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> ---- - hw/cirrus_vga.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c -index e6c3893..364e22d 100644 ---- a/hw/cirrus_vga.c -+++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c -@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - { - if (pitch < 0) { - int64_t min = addr -- + ((int64_t)s->cirrus_blt_height-1) * pitch; -- int32_t max = addr -- + s->cirrus_blt_width; -- if (min < 0 || max >= s->vram_size) { -+ + ((int64_t)s->cirrus_blt_height - 1) * pitch -+ - s->cirrus_blt_width; -+ if (min < -1 || addr >= s->vram_size) { - return true; - } - } else { --- -2.1.4 - diff --git a/main/xen/xsa208-qemuu-4.7.patch b/main/xen/xsa208-qemuu-4.7.patch deleted file mode 100644 index 705bab5020..0000000000 --- a/main/xen/xsa208-qemuu-4.7.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Mon, 13 Feb 2017 15:22:15 +0000 -Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) - -When doing bitblt copy in backward mode, we should minus the -blt width first just like the adding in the forward mode. This -can avoid the oob access of the front of vga's vram. - -This is XSA-208. - -upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> - -{ kraxel: with backward blits (negative pitch) addr is the topmost - address, so check it as-is against vram size ] - -Cc: qemu-stable@nongnu.org -Cc: P J P <ppandit@redhat.com> -Cc: Laszlo Ersek <lersek@redhat.com> -Cc: Paolo Bonzini <pbonzini@redhat.com> -Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> -Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com -Reviewed-by: Laszlo Ersek <lersek@redhat.com> -Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> ---- - hw/display/cirrus_vga.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 5198037..7bf3707 100644 ---- a/hw/display/cirrus_vga.c -+++ b/tools/qemu-xen/hw/display/cirrus_vga.c -@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - { - if (pitch < 0) { - int64_t min = addr -- + ((int64_t)s->cirrus_blt_height-1) * pitch; -- int32_t max = addr -- + s->cirrus_blt_width; -- if (min < 0 || max >= s->vga.vram_size) { -+ + ((int64_t)s->cirrus_blt_height - 1) * pitch -+ - s->cirrus_blt_width; -+ if (min < -1 || addr >= s->vga.vram_size) { - return true; - } - } else { --- -2.1.4 - diff --git a/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch deleted file mode 100644 index 787567d5a5..0000000000 --- a/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001 -From: Bruce Rogers <brogers@suse.com> -Date: Tue, 21 Feb 2017 10:54:38 -0800 -Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in - blit_is_unsafe - -Commit 4299b90 added a check which is too broad, given that the source -pitch value is not required to be initialized for solid fill operations. -This patch refines the blit_is_unsafe() check to ignore source pitch in -that case. After applying the above commit as a security patch, we -noticed the SLES 11 SP4 guest gui failed to initialize properly. - -Signed-off-by: Bruce Rogers <brogers@suse.com> -Message-id: 20170109203520.5619-1-brogers@suse.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/cirrus_vga.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 7bf3707..34a6900 100644 ---- a/hw/display/cirrus_vga.c -+++ b/tools/qemu-xen/hw/display/cirrus_vga.c -@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - return false; - } - --static bool blit_is_unsafe(struct CirrusVGAState *s) -+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) - { - /* should be the case, see cirrus_bitblt_start */ - assert(s->cirrus_blt_width > 0); -@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) - s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { - return true; - } -+ if (dst_only) { -+ return false; -+ } - if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, - s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { - return true; -@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, - - dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); - -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - (*s->cirrus_rop) (s, dst, src, -@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - { - cirrus_fill_t rop_func; - -- if (blit_is_unsafe(s)) { -+ if (blit_is_unsafe(s, true)) { - return 0; - } - rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; -@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - - static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) - { -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --- -2.1.4 - diff --git a/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch deleted file mode 100644 index afaf916237..0000000000 --- a/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Tue, 21 Feb 2017 10:54:59 -0800 -Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to - cirrus_bitblt_cputovideo - -CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination -and blit width, at all. Oops. Fix it. - -Security impact: high. - -The missing blit destination check allows to write to host memory. -Basically same as CVE-2014-8106 for the other blit variants. - -The missing blit width check allows to overflow cirrus_bltbuf, -with the attractive target cirrus_srcptr (current cirrus_bltbuf write -position) being located right after cirrus_bltbuf in CirrusVGAState. - -Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker -hasn't full control over cirrus_srcptr though, only one byte can be -changed. Once the first byte has been modified further writes land -elsewhere. - -[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] - -Reported-by: Gerd Hoffmann <ghoffman@redhat.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/cirrus_vga.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 34a6900..5901250 100644 ---- a/hw/display/cirrus_vga.c -+++ b/tools/qemu-xen/hw/display/cirrus_vga.c -@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - { - int w; - -+ if (blit_is_unsafe(s, true)) { -+ return 0; -+ } -+ - s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; - s->cirrus_srcptr = &s->cirrus_bltbuf[0]; - s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; -@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - } - s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; - } -+ -+ /* the blit_is_unsafe call above should catch this */ -+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); -+ - s->cirrus_srcptr = s->cirrus_bltbuf; - s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; - cirrus_update_memory_access(s); --- -2.1.4 - diff --git a/main/xen/xsa209-qemut.patch b/main/xen/xsa209-qemut.patch deleted file mode 100644 index ffc574ba86..0000000000 --- a/main/xen/xsa209-qemut.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: Gerd Hoffmann <kraxel@redhat.com> -Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo - -CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination -and blit width, at all. Oops. Fix it. - -Security impact: high. - -The missing blit destination check allows to write to host memory. -Basically same as CVE-2014-8106 for the other blit variants. - -The missing blit width check allows to overflow cirrus_bltbuf, -with the attractive target cirrus_srcptr (current cirrus_bltbuf write -position) being located right after cirrus_bltbuf in CirrusVGAState. - -Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker -hasn't full control over cirrus_srcptr though, only one byte can be -changed. Once the first byte has been modified further writes land -elsewhere. - -[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] - -Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj - -Reported-by: Gerd Hoffmann <ghoffman@redhat.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> ---- -diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c -index e6c3893..45facb6 100644 ---- a/hw/cirrus_vga.c -+++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c -@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - { - int w; - -+ if (blit_is_unsafe(s)) { -+ return 0; -+ } -+ - s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; - s->cirrus_srcptr = &s->cirrus_bltbuf[0]; - s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; -@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - } - s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; - } -+ -+ /* the blit_is_unsafe call above should catch this */ -+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); -+ - s->cirrus_srcptr = s->cirrus_bltbuf; - s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; - cirrus_update_memory_access(s); diff --git a/main/xen/xsa211-qemut.patch b/main/xen/xsa211-qemut.patch new file mode 100644 index 0000000000..1d088d7d7c --- /dev/null +++ b/main/xen/xsa211-qemut.patch @@ -0,0 +1,225 @@ +From 29e67cfd46b4d06ca1bb75558e227ec34a6af35f Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Thu, 9 Mar 2017 11:14:55 +0000 +Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code. + +From: Gerd Hoffmann <kraxel@redhat.com> + +There is a special code path (dpy_gfx_copy) to allow graphic emulation +notify user interface code about bitblit operations carryed out by +guests. It is supported by cirrus and vnc server. The intended purpose +is to optimize display scrolls and just send over the scroll op instead +of a full display update. + +This is rarely used these days though because modern guests simply don't +use the cirrus blitter any more. Any linux guest using the cirrus drm +driver doesn't. Any windows guest newer than winxp doesn't ship with a +cirrus driver any more and thus uses the cirrus as simple framebuffer. + +So this code tends to bitrot and bugs can go unnoticed for a long time. +See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV" +which fixes a bug lingering in the code for almost a year, added by +commit "c7628bf vnc: only alloc server surface with clients connected". + +Also the vnc server will throttle the frame rate in case it figures the +network can't keep up (send buffers are full). This doesn't work with +dpy_gfx_copy, for any copy operation sent to the vnc client we have to +send all outstanding updates beforehand, otherwise the vnc client might +run the client side blit on outdated data and thereby corrupt the +display. So this dpy_gfx_copy "optimization" might even make things +worse on slow network links. + +Lets kill it once for all. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +These changes (dropping dpy_copy and all its references and +implementations) reimplemented for qemu-xen-traditional. + +This is XSA-211. + +Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> +--- + console.c | 8 -------- + console.h | 16 ---------------- + hw/cirrus_vga.c | 15 +++++---------- + hw/vmware_vga.c | 1 + + vnc.c | 35 ----------------------------------- + 5 files changed, 6 insertions(+), 69 deletions(-) + +diff --git a/console.c b/console.c +index d4f1ad0..e61b53b 100644 +--- a/console.c ++++ b/tools/qemu-xen-traditional/console.c +@@ -1399,14 +1399,6 @@ void qemu_console_resize(DisplayState *ds, int width, int height) + } + } + +-void qemu_console_copy(DisplayState *ds, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- if (is_graphic_console()) { +- dpy_copy(ds, src_x, src_y, dst_x, dst_y, w, h); +- } +-} +- + PixelFormat qemu_different_endianness_pixelformat(int bpp) + { + PixelFormat pf; +diff --git a/console.h b/console.h +index 14b42f3..8306cc4 100644 +--- a/console.h ++++ b/tools/qemu-xen-traditional/console.h +@@ -98,8 +98,6 @@ struct DisplayChangeListener { + void (*dpy_resize)(struct DisplayState *s); + void (*dpy_setdata)(struct DisplayState *s); + void (*dpy_refresh)(struct DisplayState *s); +- void (*dpy_copy)(struct DisplayState *s, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + void (*dpy_fill)(struct DisplayState *s, int x, int y, + int w, int h, uint32_t c); + void (*dpy_text_cursor)(struct DisplayState *s, int x, int y); +@@ -211,18 +209,6 @@ static inline void dpy_refresh(DisplayState *s) + } + } + +-static inline void dpy_copy(struct DisplayState *s, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) { +- struct DisplayChangeListener *dcl = s->listeners; +- while (dcl != NULL) { +- if (dcl->dpy_copy) +- dcl->dpy_copy(s, src_x, src_y, dst_x, dst_y, w, h); +- else /* TODO */ +- dcl->dpy_update(s, dst_x, dst_y, w, h); +- dcl = dcl->next; +- } +-} +- + static inline void dpy_fill(struct DisplayState *s, int x, int y, + int w, int h, uint32_t c) { + struct DisplayChangeListener *dcl = s->listeners; +@@ -297,8 +283,6 @@ void text_consoles_set_display(DisplayState *ds); + void console_select(unsigned int index); + void console_color_init(DisplayState *ds); + void qemu_console_resize(DisplayState *ds, int width, int height); +-void qemu_console_copy(DisplayState *ds, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + + /* sdl.c */ + void sdl_display_init(DisplayState *ds, int full_screen, int no_frame, int opengl_enabled); +diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c +index 06b4a3b..4e85b90 100644 +--- a/hw/cirrus_vga.c ++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c +@@ -793,11 +793,6 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + } + } + +- /* we have to flush all pending changes so that the copy +- is generated at the appropriate moment in time */ +- if (notify) +- vga_hw_update(); +- + (*s->cirrus_rop) (s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr + +@@ -806,13 +801,13 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + s->cirrus_blt_width, s->cirrus_blt_height); + + if (notify) +- qemu_console_copy(s->ds, +- sx, sy, dx, dy, +- s->cirrus_blt_width / depth, +- s->cirrus_blt_height); ++ dpy_update(s->ds, ++ dx, dy, ++ s->cirrus_blt_width / depth, ++ s->cirrus_blt_height); + + /* we don't have to notify the display that this portion has +- changed since qemu_console_copy implies this */ ++ changed since dpy_update implies this */ + + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, + s->cirrus_blt_dstpitch, s->cirrus_blt_width, +diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c +index d1cba28..c38e43c 100644 +--- a/hw/vmware_vga.c ++++ b/tools/qemu-xen-traditional/hw/vmware_vga.c +@@ -383,6 +383,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, + + # ifdef DIRECT_VRAM + if (s->ds->dpy_copy) ++# error This configuration is not supported. See XSA-211. + qemu_console_copy(s->ds, x0, y0, x1, y1, w, h); + else + # endif +diff --git a/vnc.c b/vnc.c +index 61d1555..0e61197 100644 +--- a/vnc.c ++++ b/tools/qemu-xen-traditional/vnc.c +@@ -572,36 +572,6 @@ static void send_framebuffer_update(VncState *vs, int x, int y, int w, int h) + send_framebuffer_update_raw(vs, x, y, w, h); + } + +-static void vnc_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h) +-{ +- VncState *vs = ds->opaque; +- int updating_client = 1; +- +- if (!vs->update_requested || +- src_x < vs->visible_x || src_y < vs->visible_y || +- dst_x < vs->visible_x || dst_y < vs->visible_y || +- (src_x + w) > (vs->visible_x + vs->visible_w) || +- (src_y + h) > (vs->visible_y + vs->visible_h) || +- (dst_x + w) > (vs->visible_x + vs->visible_w) || +- (dst_y + h) > (vs->visible_y + vs->visible_h)) +- updating_client = 0; +- +- if (updating_client) +- _vnc_update_client(vs); +- +- if (updating_client && vs->csock != -1 && !vs->has_update) { +- vnc_write_u8(vs, 0); /* msg id */ +- vnc_write_u8(vs, 0); +- vnc_write_u16(vs, 1); /* number of rects */ +- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, 1); +- vnc_write_u16(vs, src_x); +- vnc_write_u16(vs, src_y); +- vnc_flush(vs); +- vs->update_requested--; +- } else +- framebuffer_set_updated(vs, dst_x, dst_y, w, h); +-} +- + static int find_update_height(VncState *vs, int y, int maxy, int last_x, int x) + { + int h; +@@ -1543,16 +1513,12 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings) + vs->has_pointer_type_change = 0; + vs->has_WMVi = 0; + vs->absolute = -1; +- dcl->dpy_copy = NULL; + + for (i = n_encodings - 1; i >= 0; i--) { + switch (encodings[i]) { + case 0: /* Raw */ + vs->has_hextile = 0; + break; +- case 1: /* CopyRect */ +- dcl->dpy_copy = vnc_copy; +- break; + case 5: /* Hextile */ + vs->has_hextile = 1; + break; +@@ -2459,7 +2425,6 @@ static void vnc_listen_read(void *opaque) + vs->has_resize = 0; + vs->has_hextile = 0; + vs->update_requested = 0; +- dcl->dpy_copy = NULL; + vnc_timer_init(vs); + } + } +-- +2.1.4 + diff --git a/main/xen/xsa211-qemuu-4.7.patch b/main/xen/xsa211-qemuu-4.7.patch new file mode 100644 index 0000000000..c7a92ed3f1 --- /dev/null +++ b/main/xen/xsa211-qemuu-4.7.patch @@ -0,0 +1,259 @@ +From 9de536fbc2be97ae887560f08f0fd824efa3d5db Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 14 Feb 2017 19:09:59 +0100 +Subject: [PATCH] cirrus/vnc: zap bitblit support from console code. + +There is a special code path (dpy_gfx_copy) to allow graphic emulation +notify user interface code about bitblit operations carryed out by +guests. It is supported by cirrus and vnc server. The intended purpose +is to optimize display scrolls and just send over the scroll op instead +of a full display update. + +This is rarely used these days though because modern guests simply don't +use the cirrus blitter any more. Any linux guest using the cirrus drm +driver doesn't. Any windows guest newer than winxp doesn't ship with a +cirrus driver any more and thus uses the cirrus as simple framebuffer. + +So this code tends to bitrot and bugs can go unnoticed for a long time. +See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV" +which fixes a bug lingering in the code for almost a year, added by +commit "c7628bf vnc: only alloc server surface with clients connected". + +Also the vnc server will throttle the frame rate in case it figures the +network can't keep up (send buffers are full). This doesn't work with +dpy_gfx_copy, for any copy operation sent to the vnc client we have to +send all outstanding updates beforehand, otherwise the vnc client might +run the client side blit on outdated data and thereby corrupt the +display. So this dpy_gfx_copy "optimization" might even make things +worse on slow network links. + +Lets kill it once for all. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/cirrus_vga.c | 12 ++----- + include/ui/console.h | 7 ---- + ui/console.c | 28 --------------- + ui/vnc.c | 91 ------------------------------------------------- + 4 files changed, 3 insertions(+), 135 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 5901250..2841676 100644 +--- a/hw/display/cirrus_vga.c ++++ b/tools/qemu-xen/hw/display/cirrus_vga.c +@@ -758,11 +758,6 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + } + } + +- /* we have to flush all pending changes so that the copy +- is generated at the appropriate moment in time */ +- if (notify) +- graphic_hw_update(s->vga.con); +- + (*s->cirrus_rop) (s, s->vga.vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vga.vram_ptr + +@@ -771,10 +766,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + s->cirrus_blt_width, s->cirrus_blt_height); + + if (notify) { +- qemu_console_copy(s->vga.con, +- sx, sy, dx, dy, +- s->cirrus_blt_width / depth, +- s->cirrus_blt_height); ++ dpy_gfx_update(s->vga.con, dx, dy, ++ s->cirrus_blt_width / depth, ++ s->cirrus_blt_height); + } + + /* we don't have to notify the display that this portion has +diff --git a/include/ui/console.h b/include/ui/console.h +index 047a2b4..ed07065 100644 +--- a/include/ui/console.h ++++ b/tools/qemu-xen/include/ui/console.h +@@ -166,9 +166,6 @@ typedef struct DisplayChangeListenerOps { + int x, int y, int w, int h); + void (*dpy_gfx_switch)(DisplayChangeListener *dcl, + struct DisplaySurface *new_surface); +- void (*dpy_gfx_copy)(DisplayChangeListener *dcl, +- int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + bool (*dpy_gfx_check_format)(DisplayChangeListener *dcl, + pixman_format_code_t format); + +@@ -233,8 +230,6 @@ int dpy_set_ui_info(QemuConsole *con, QemuUIInfo *info); + void dpy_gfx_update(QemuConsole *con, int x, int y, int w, int h); + void dpy_gfx_replace_surface(QemuConsole *con, + DisplaySurface *surface); +-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + void dpy_text_cursor(QemuConsole *con, int x, int y); + void dpy_text_update(QemuConsole *con, int x, int y, int w, int h); + void dpy_text_resize(QemuConsole *con, int w, int h); +@@ -329,8 +324,6 @@ void text_consoles_set_display(DisplayState *ds); + void console_select(unsigned int index); + void console_color_init(DisplayState *ds); + void qemu_console_resize(QemuConsole *con, int width, int height); +-void qemu_console_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + DisplaySurface *qemu_console_surface(QemuConsole *con); + + /* console-gl.c */ +diff --git a/ui/console.c b/ui/console.c +index 75fc492..72d91cb 100644 +--- a/ui/console.c ++++ b/tools/qemu-xen/ui/console.c +@@ -1495,27 +1495,6 @@ static void dpy_refresh(DisplayState *s) + } + } + +-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- DisplayState *s = con->ds; +- DisplayChangeListener *dcl; +- +- if (!qemu_console_is_visible(con)) { +- return; +- } +- QLIST_FOREACH(dcl, &s->listeners, next) { +- if (con != (dcl->con ? dcl->con : active_console)) { +- continue; +- } +- if (dcl->ops->dpy_gfx_copy) { +- dcl->ops->dpy_gfx_copy(dcl, src_x, src_y, dst_x, dst_y, w, h); +- } else { /* TODO */ +- dcl->ops->dpy_gfx_update(dcl, dst_x, dst_y, w, h); +- } +- } +-} +- + void dpy_text_cursor(QemuConsole *con, int x, int y) + { + DisplayState *s = con->ds; +@@ -1968,13 +1947,6 @@ void qemu_console_resize(QemuConsole *s, int width, int height) + dpy_gfx_replace_surface(s, surface); + } + +-void qemu_console_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- assert(con->console_type == GRAPHIC_CONSOLE); +- dpy_gfx_copy(con, src_x, src_y, dst_x, dst_y, w, h); +-} +- + DisplaySurface *qemu_console_surface(QemuConsole *console) + { + return console->surface; +diff --git a/ui/vnc.c b/ui/vnc.c +index 52c6809..61ab611 100644 +--- a/ui/vnc.c ++++ b/tools/qemu-xen/ui/vnc.c +@@ -908,96 +908,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) + return n; + } + +-static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h) +-{ +- /* send bitblit op to the vnc client */ +- vnc_lock_output(vs); +- vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE); +- vnc_write_u8(vs, 0); +- vnc_write_u16(vs, 1); /* number of rects */ +- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT); +- vnc_write_u16(vs, src_x); +- vnc_write_u16(vs, src_y); +- vnc_unlock_output(vs); +- vnc_flush(vs); +-} +- +-static void vnc_dpy_copy(DisplayChangeListener *dcl, +- int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- VncDisplay *vd = container_of(dcl, VncDisplay, dcl); +- VncState *vs, *vn; +- uint8_t *src_row; +- uint8_t *dst_row; +- int i, x, y, pitch, inc, w_lim, s; +- int cmp_bytes; +- +- vnc_refresh_server_surface(vd); +- QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) { +- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- vs->force_update = 1; +- vnc_update_client(vs, 1, true); +- /* vs might be free()ed here */ +- } +- } +- +- /* do bitblit op on the local surface too */ +- pitch = vnc_server_fb_stride(vd); +- src_row = vnc_server_fb_ptr(vd, src_x, src_y); +- dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y); +- y = dst_y; +- inc = 1; +- if (dst_y > src_y) { +- /* copy backwards */ +- src_row += pitch * (h-1); +- dst_row += pitch * (h-1); +- pitch = -pitch; +- y = dst_y + h - 1; +- inc = -1; +- } +- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); +- if (w_lim < 0) { +- w_lim = w; +- } else { +- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT); +- } +- for (i = 0; i < h; i++) { +- for (x = 0; x <= w_lim; +- x += s, src_row += cmp_bytes, dst_row += cmp_bytes) { +- if (x == w_lim) { +- if ((s = w - w_lim) == 0) +- break; +- } else if (!x) { +- s = (VNC_DIRTY_PIXELS_PER_BIT - +- (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); +- s = MIN(s, w_lim); +- } else { +- s = VNC_DIRTY_PIXELS_PER_BIT; +- } +- cmp_bytes = s * VNC_SERVER_FB_BYTES; +- if (memcmp(src_row, dst_row, cmp_bytes) == 0) +- continue; +- memmove(dst_row, src_row, cmp_bytes); +- QTAILQ_FOREACH(vs, &vd->clients, next) { +- if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT), +- vs->dirty[y]); +- } +- } +- } +- src_row += pitch - w * VNC_SERVER_FB_BYTES; +- dst_row += pitch - w * VNC_SERVER_FB_BYTES; +- y += inc; +- } +- +- QTAILQ_FOREACH(vs, &vd->clients, next) { +- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h); +- } +- } +-} +- + static void vnc_mouse_set(DisplayChangeListener *dcl, + int x, int y, int visible) + { +@@ -3131,7 +3041,6 @@ static void vnc_listen_websocket_read(void *opaque) + static const DisplayChangeListenerOps dcl_ops = { + .dpy_name = "vnc", + .dpy_refresh = vnc_refresh, +- .dpy_gfx_copy = vnc_dpy_copy, + .dpy_gfx_update = vnc_dpy_update, + .dpy_gfx_switch = vnc_dpy_switch, + .dpy_gfx_check_format = qemu_pixman_check_format, +-- +2.1.4 + diff --git a/main/xen/xsa212.patch b/main/xen/xsa212.patch new file mode 100644 index 0000000000..2c435c4136 --- /dev/null +++ b/main/xen/xsa212.patch @@ -0,0 +1,87 @@ +memory: properly check guest memory ranges in XENMEM_exchange handling + +The use of guest_handle_okay() here (as introduced by the XSA-29 fix) +is insufficient here, guest_handle_subrange_okay() needs to be used +instead. + +Note that the uses are okay in +- XENMEM_add_to_physmap_batch handling due to the size field being only + 16 bits wide, +- livepatch_list() due to the limit of 1024 enforced on the + number-of-entries input (leaving aside the fact that this can be + called by a privileged domain only anyway), +- compat mode handling due to counts there being limited to 32 bits, +- everywhere else due to guest arrays being accessed sequentially from + index zero. + +This is XSA-212. + +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- a/xen/common/memory.c ++++ b/xen/common/memory.c +@@ -436,8 +436,8 @@ static long memory_exchange(XEN_GUEST_HA + goto fail_early; + } + +- if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || +- !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) ++ if ( !guest_handle_subrange_okay(exch.in.extent_start, exch.nr_exchanged, ++ exch.in.nr_extents - 1) ) + { + rc = -EFAULT; + goto fail_early; +@@ -447,11 +447,27 @@ static long memory_exchange(XEN_GUEST_HA + { + in_chunk_order = exch.out.extent_order - exch.in.extent_order; + out_chunk_order = 0; ++ ++ if ( !guest_handle_subrange_okay(exch.out.extent_start, ++ exch.nr_exchanged >> in_chunk_order, ++ exch.out.nr_extents - 1) ) ++ { ++ rc = -EFAULT; ++ goto fail_early; ++ } + } + else + { + in_chunk_order = 0; + out_chunk_order = exch.in.extent_order - exch.out.extent_order; ++ ++ if ( !guest_handle_subrange_okay(exch.out.extent_start, ++ exch.nr_exchanged << out_chunk_order, ++ exch.out.nr_extents - 1) ) ++ { ++ rc = -EFAULT; ++ goto fail_early; ++ } + } + + d = rcu_lock_domain_by_any_id(exch.in.domid); +--- a/xen/include/asm-x86/x86_64/uaccess.h ++++ b/xen/include/asm-x86/x86_64/uaccess.h +@@ -29,8 +29,9 @@ extern void *xlat_malloc(unsigned long * + /* + * Valid if in +ve half of 48-bit address space, or above Xen-reserved area. + * This is also valid for range checks (addr, addr+size). As long as the +- * start address is outside the Xen-reserved area then we will access a +- * non-canonical address (and thus fault) before ever reaching VIRT_START. ++ * start address is outside the Xen-reserved area, sequential accesses ++ * (starting at addr) will hit a non-canonical address (and thus fault) ++ * before ever reaching VIRT_START. + */ + #define __addr_ok(addr) \ + (((unsigned long)(addr) < (1UL<<47)) || \ +@@ -40,7 +41,8 @@ extern void *xlat_malloc(unsigned long * + (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size)) + + #define array_access_ok(addr, count, size) \ +- (access_ok(addr, (count)*(size))) ++ (likely(((count) ?: 0UL) < (~0UL / (size))) && \ ++ access_ok(addr, (count) * (size))) + + #define __compat_addr_ok(d, addr) \ + ((unsigned long)(addr) < HYPERVISOR_COMPAT_VIRT_START(d)) |