main/xen: sec fixes fro xsa-207 - xsa-209

added perl-dev as makedepends due to man2pod moved to there.

- XSA-207
- CVE-2017-2615 XSA-208
- CVE-2017-2620 XSA-209
- XSA-210

fixes #6915

7 files changed, 346 insertions, 128 deletions

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 74dc815174..f57edc3e29 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.7.1
-pkgrel=4
+pkgrel=5
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf"
@@ -12,7 +12,7 @@ depends="bash iproute2 logrotate"
 depends_dev="libressl-dev python2-dev e2fsprogs-dev gettext zlib-dev ncurses-dev
 	dev86 texinfo perl pciutils-dev glib-dev yajl-dev libnl3-dev
 	spice-dev gnutls-dev curl-dev libaio-dev lzo-dev xz-dev util-linux-dev
-	e2fsprogs-dev linux-headers argp-standalone"
+	e2fsprogs-dev linux-headers argp-standalone perl-dev"
 makedepends="$depends_dev autoconf automake libtool "
 
 # secfixes:
@@ -47,6 +47,11 @@ makedepends="$depends_dev autoconf automake libtool "
 #     - CVE-2016-10024 XSA-202
 #     - CVE-2016-10025 XSA-203
 #     - CVE-2016-10013 XSA-204
+#   4.7.1-r5:
+#     - XSA-207
+#     - CVE-2017-2615 XSA-208
+#     - CVE-2017-2620 XSA-209
+#     - XSA-210
 
 case "$CARCH" in
 x86*)
@@ -108,6 +113,13 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa202.patch
 	xsa203-4.7.patch
 	xsa204-4.7.patch
+	xsa207.patch
+	xsa208-qemut.patch
+	xsa208-qemuu-4.7.patch
+	xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+	xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+	xsa209-qemut.patch
+
 
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
@@ -329,132 +341,6 @@ hypervisor() {
 	mv "$pkgdir"/boot "$subpkgdir"/
 }
 
-md5sums="8e258d87a1008a3200eec6989e164fa4  xen-4.7.1.tar.gz
-dd60683d7057917e34630b4a787932e8  gmp-4.3.2.tar.bz2
-cd3f3eb54446be6003156158d51f4884  grub-0.97.tar.gz
-36cc57650cffda9a0269493be2a169bb  lwip-1.3.0.tar.gz
-bf8f1f9e3ca83d732c00a79a6ef29bc4  newlib-1.16.0.tar.gz
-cec05e7785497c5e19da2f114b934ffd  pciutils-2.2.9.tar.bz2
-7b72caf22b01464ee7d6165f2fd85f44  polarssl-1.1.4-gpl.tgz
-e26becb8a6a2b6695f6b3e8097593db8  tpm_emulator-0.7.4.tar.gz
-debc62758716a169df9f62e6ab2bc634  zlib-1.2.3.tar.gz
-7496268cebf47d5c9ccb0696e3b26065  ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-b3ccddb149c8f9af4eb5dcbc230fc391  xsa191.patch
-002cef87f605db2cd9a6ec5230685554  xsa192.patch
-0bde9ad287f8a586fb47abc2f393287e  xsa193-4.7.patch
-2a37b54c1cfdf422a680652d05683b3f  xsa194.patch
-03ee88fdd719a6e2cdd53b698b14bfa0  xsa195.patch
-362e7460fa4e5db3a5e1c2a4209718cf  xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch
-3f66b6bb7129867f857fe25916c32d84  xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch
-7587583e9746ee46c39d48e693c97a2e  xsa197-qemut.patch
-6d42e09101a5c6f8da5ee7caea4e0cc5  xsa197-qemuu.patch
-e8d3ee1e904071920a6afbbf6a27aad2  xsa198.patch
-2000ddf0211c153b7cc420a625b7db4e  xsa200-4.7.patch
-6580371b4b8db7cb6876f2b42ab3fc61  xsa201-1.patch
-76394482eaf0caeb3e0611ba70e8923c  xsa201-2.patch
-136b9ad8b2bcc57d5a7ed3bf13bebe3c  xsa201-3-4.7.patch
-9cb1516d783fc9c765e9a37574bb3cbd  xsa201-4.patch
-c519ccfe62d245419ade09de5e8fe4fd  xsa202.patch
-da401ec1a25668a2dabc666f6687409b  xsa203-4.7.patch
-dc4ad05682ce371e1755817b22229601  xsa204-4.7.patch
-de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
-08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
-e449bb3359b490804ffc7b0ae08d62a0  hotplug-vif-vtrill.patch
-5fab5487fe92fa29302db9ccb04af564  rombios-no-pie.patch
-3a04998db5cc3c5c86f3b46e97e9cd82  0001-ipxe-dont-clobber-ebp.patch
-0984e3000de17a6d14b8014a3ced46a4  musl-support.patch
-513456607a2adfaa0baf1e3ae5124b23  musl-hvmloader-fix-stdint.patch
-c9313a790faa727205627a1657b9bf06  stdint_local.h
-c13f954d041a6fa78d0d241ad1780c0b  elf_local.h
-750138c31ec96d1a11fe0c665ac07e9e  xen-hotplug-lockfd.patch
-649f77b90978cd2b6d506ac44ec6c393  xen-fd-is-file.c
-b05500e9fdcec5a076ab8817fc313ac3  xenstore_client_transaction_fix.patch
-ea983c48b69eea3885627b2c8da8afec  patch-gcc6-etherboot-nonnull-compare.patch
-c1b73e5b708002b77b50827742c3af09  patch-gcc6-etherboot-rm-unused-string-functions.patch
-e10ec3a62e8dc47052b8d8be77520af7  patch-gcc6-etherboot-nic.c.patch
-78433fdb5ed0d9f71a1d2b8103a886c9  patch-gcc6-etherboot-ath.patch
-83b0416745dffdfedec8caab7d20b758  patch-gcc6-etherboot-sis190.patch
-24ece1158115e508e6a5db0a086f065c  patch-gcc6-etherboot-skge.patch
-465ca7d4841fe34b7b4d9d99257cd092  patch-gcc6-etherboot-via-velocity.c.patch
-b136a8d31272eec48c766065bba260ca  patch-gcc6-etherboot-via-rhine.c.patch
-ef2d246f23e5ca152a4057617041bac6  patch-gcc6-etherboot-e1000_phy.c.patch
-05b86753c6e6ca90af038b499fd564f0  patch-gcc6-etherboot-igb_phy.c.patch
-74a5f930491bbc4333c84fff36029a1c  patch-gcc6-etherboot-ath9k-9287-array.patch
-567de70c3355c9724ebfdb02d7806435  patch-gcc6-etherboot-no-pie.patch
-4ae9e861dc0a9b1873236399ba8cff6d  patch-gcc6-etherboot-link-header.patch
-ce606e447bc4884dffc59080cd10acfd  patch-gcc6-etherboot-eth_broadcast.patch
-4aeda68bf5b168019762fcf6edb661d3  xenstored.initd
-d86504e12f05deca6b3eeeb90157160e  xenstored.confd
-d1dd5fc9a8b00f7373d789f9b5a605b9  xenconsoled.initd
-ec2252c72050d7d5870a3a629b873ba6  xenconsoled.confd
-e155d7992ddbb5b0df6148f4cc21c7c6  xendomains.initd
-dcdd1de2c29e469e834a02ede4f47806  xendomains.confd
-9df68ac65dc3f372f5d61183abdc83ff  xen-consoles.logrotate
-6a2f777c16678d84039acf670d86fff6  xenqemu.confd
-e1c9e1c83a5cc49224608a48060bd677  xenqemu.initd"
-sha256sums="e87f4b0575e78657ee23d31470a15ecf1ce8c3a92a771cda46bbcd4d0d671ffe  xen-4.7.1.tar.gz
-936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775  gmp-4.3.2.tar.bz2
-4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b  grub-0.97.tar.gz
-772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f  lwip-1.3.0.tar.gz
-db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07  newlib-1.16.0.tar.gz
-f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24  pciutils-2.2.9.tar.bz2
-2d29fd04a0d0ba29dae6bd29fb418944c08d3916665dcca74afb297ef37584b6  polarssl-1.1.4-gpl.tgz
-4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459  tpm_emulator-0.7.4.tar.gz
-1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e  zlib-1.2.3.tar.gz
-632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c  ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-dca534cf4d3711ea8797846a18238ca16cc9e7a24a887300db22c3ba3d95c199  xsa191.patch
-687b0216eefd5ecef8a3135cc6f542cb3d9ff35e8e9696a157703e84656c35e8  xsa192.patch
-f1b0092c585ebffe83d6ed7df94885ec5dfcb4227bdb33f421bad9febb8135a1  xsa193-4.7.patch
-4dad65417d9ff3c86e763d3c88cf8de79b58a9981d531f641ae0dd0dcedce911  xsa194.patch
-6ab5f13b81e3bbf6096020f4c3beeffaff67a075cab67e033ba27d199b41cec1  xsa195.patch
-c4122280f3786416231ae5f0660123446d29e9ac5cd3ffb92784ed36edeec8b7  xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch
-25671c44c746d4d0e8f7e2b109926c013b440e0bf225156282052ec38536e347  xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch
-effa90c9ea5e76afeee8d89359b45201826b992d616c2dc118507b4e5926c57b  xsa197-qemut.patch
-ecb1fac79d7d17db993800b0b9aeb24d8cec90d4877d80ed1b1d548401acf36c  xsa197-qemuu.patch
-0e4533ad2157c03ab309bd12a54f5ff325f03edbe97f23c60a16a3f378c75eae  xsa198.patch
-d7113b94f6ef1c2849aedfe33eace85b0713fa83639c8a533fb289aa73e818e8  xsa200-4.7.patch
-163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda  xsa201-1.patch
-0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
-a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76  xsa201-3-4.7.patch
-388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
-057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb  xsa202.patch
-7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46  xsa203-4.7.patch
-d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2  xsa204-4.7.patch
-3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
-e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
-dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a  hotplug-vif-vtrill.patch
-74cb62a4614dd042ea9169112fb677bfef751a760aae34c7e73391fa857a8429  rombios-no-pie.patch
-ac8bbd0b864c7de278fd9b68392b71863581ec21622c2e9b87e501e492e414d3  0001-ipxe-dont-clobber-ebp.patch
-2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5  musl-support.patch
-479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3  musl-hvmloader-fix-stdint.patch
-6b4ad2a9fdb3e23b06c8c1961a46b06c15a46471fe6fb13cdc269da37466f334  stdint_local.h
-7f1ed2db24d8eba87a08eea0601a9ab339209906fdfa74c8c03564a1a6e6471e  elf_local.h
-b183ed028a8c42a64e6fd3fb4b2b6dad832f52ed838fceb69bf681de4e7d794f  xen-hotplug-lockfd.patch
-d0b3e5f282a07878341c38f40d01041ed37623757a99d6e0a420ca64d1f4ef2a  xen-fd-is-file.c
-c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1  xenstore_client_transaction_fix.patch
-17bb27d95c86af8cc5e499b1b0db9b95bba3f45910d55b420f9f1f5452355fab  patch-gcc6-etherboot-nonnull-compare.patch
-5d5fe7bf52cbae9da20cfd1fc798699b2355a1af907ebf7f764e227891a759bb  patch-gcc6-etherboot-rm-unused-string-functions.patch
-9f34f8ecb9a44c688275b838c83efd233bb817f5e222629eac98e116168d704c  patch-gcc6-etherboot-nic.c.patch
-cdf7c4a089fe1fe493aafaf669decc3c9e071a0950da77dce526c09088d1c931  patch-gcc6-etherboot-ath.patch
-32595581467772b9fa0fbb5384c99caefeb2cee3306b94b9bd2722084454f5a2  patch-gcc6-etherboot-sis190.patch
-c73d1653b9b1d97ddce717817dc74429cd94c7b22989a08604eaa60df63f75f8  patch-gcc6-etherboot-skge.patch
-448caed900ada2c030738218f5b82f5e29d9dc2e1beef9ebd49cbeb23734df0d  patch-gcc6-etherboot-via-velocity.c.patch
-61b1518c8d41792ec3b36e0fbfc265adb6c9304945a6fa18d6cc5a197e34b94f  patch-gcc6-etherboot-via-rhine.c.patch
-577f06e38a9ecbd3576907f2ba1c5040f4f1573fe92912635230702ad157b2e7  patch-gcc6-etherboot-e1000_phy.c.patch
-80a24e9504d3893e83dc60550ffe364a873aaf3dafb52dcdade13f61f2ec0ee5  patch-gcc6-etherboot-igb_phy.c.patch
-a15d73e0fb51fe3c1cf8b80a5ff17d532444016d14495d90d9e642ec60f320a6  patch-gcc6-etherboot-ath9k-9287-array.patch
-2269932e8645c11e7fe60eeb6e0720841c2b5ddac2e6965ead1527d3e5924ee9  patch-gcc6-etherboot-no-pie.patch
-cace870b6629003b55d9df9ef24f3445067239b913c006b6e23da511c1a21d78  patch-gcc6-etherboot-link-header.patch
-be05ccd8975af402dcba3a3dc78c173319b2edd636bac11ac11163091453b704  patch-gcc6-etherboot-eth_broadcast.patch
-90a8fc315bfe305581b3873890b1c1c8da6f62b5d06b73b79bac7a74671bbb07  xenstored.initd
-991bb7c9da02941556e29714bd96b26e39e57e0a5b514eadd78d9bfa3fa5a9dc  xenstored.confd
-d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521  xenconsoled.initd
-2a74be03eb74f6013242a4a5d721df6cb9b959b43c405de1e32813f52d749060  xenconsoled.confd
-5fb0fc4a1ac8b139bb31b03f86b5c170050b93ea11a2f5b962d383d277ee815c  xendomains.initd
-046540c36328809fc351ad209d2b40300f91581d6d46da0caf79f57f2c212285  xendomains.confd
-0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19  xen-consoles.logrotate
-4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e  xenqemu.confd
-c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d  xenqemu.initd"
 sha512sums="eb03244f5fa7b54402fcc1d38f1e69c0ea4536d5ab2f9859b41b5e94920ad9db20fb146e3c3d3635e9ca1d12e93ce0429e57f24bf53d4a2c4b69babc76ec724e  xen-4.7.1.tar.gz
 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf  gmp-4.3.2.tar.bz2
 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb  grub-0.97.tar.gz
@@ -483,6 +369,12 @@ ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133
 8f96ec62d9a159370d6c6257d45b7b9e87247ac1ca891033b8f3c9fb86f74d539b9c6d893d31289c6a0f00b967672f76ee9e6875a64d739dcda783ff2911681b  xsa202.patch
 b86ef48db23dacb51fbbdd55041bf08fac8aa0db76a272bb2f9d9be7195cd9a359a30fbbb61e040c66f23358f12ae102a92a30296fb18e4feb1023b58ffad4ff  xsa203-4.7.patch
 a2a091cd51ed54f5b5ba4131efc1c9cc0a69a647cea46415f73c29e5764efb00025e2e65bd5d24cf26f903263fce150b2b1c52ca5d61fd81dea7efe16abf57be  xsa204-4.7.patch
+89848dcdfaebf462765b2a32c9c57d5404930721ff92f7cb05c221a99be2b82fb23d31f91f52fbf32874a69065a2e8ad921460a3655f4b03cf827a8203137fac  xsa207.patch
+1ddae183299bd320a2ddb9ccb52ecab36c595e72cc87dde3308c15b4e354550372f289ef35a1ce19a180fed437abb18be83af2f39b96f93335cd3f4ae83390ec  xsa208-qemut.patch
+1fb853f7d428e21f13bb46f22df2cf0adc04f184a39fdfcd69fb4c14ffdaf8b13c118153544e59221c5513b2765c98b37d699a4ec1ffcea6ca455118a39cebd6  xsa208-qemuu-4.7.patch
+5b5b470c174e2144a4854795a1a7c4a1c514351fac7b6cf56e634a06cfd71438fb5cd95cac3239819ceef0b4b7d2903f181ed8835bad2aa97d843dd18da76d5c  xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+ba64118f4016347b9c95df3c339f22cb9211e8604666cbc29c34c2a7e565f8b6a3ced7ea1c89cfd5211d6b26a5ba58b63e8852486c8f328b3167c2a919498548  xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+46cd186741c22cb34ca7e98fd0d9af974610c8a7c8a38d434fa878803a9365039f8c4e6338174319b026fbdd9b36c6139c03815bdccb8287f33ff843a5167c5e  xsa209-qemut.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa207.patch b/main/xen/xsa207.patch
new file mode 100644
index 0000000000..6fb86fc9d5
--- /dev/null
+++ b/main/xen/xsa207.patch
@@ -0,0 +1,31 @@
+From: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Subject: IOMMU: always call teardown callback
+
+There is a possible scenario when (d)->need_iommu remains unset
+during guest domain execution. For example, when no devices
+were assigned to it. Taking into account that teardown callback
+is not called when (d)->need_iommu is unset we might have unreleased
+resourses after destroying domain.
+
+So, always call teardown callback to roll back actions
+that were performed in init callback.
+
+This is XSA-207.
+
+Signed-off-by: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Julien Grall <julien.grall@arm.com>
+
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain
+     if ( !iommu_enabled || !dom_iommu(d)->platform_ops )
+         return;
+ 
+-    if ( need_iommu(d) )
+-        iommu_teardown(d);
++    iommu_teardown(d);
+ 
+     arch_iommu_domain_destroy(d);
+ }
diff --git a/main/xen/xsa208-qemut.patch b/main/xen/xsa208-qemut.patch
new file mode 100644
index 0000000000..27a82da05a
--- /dev/null
+++ b/main/xen/xsa208-qemut.patch
@@ -0,0 +1,56 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+          address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ hw/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..364e22d 100644
+--- a/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+     if (pitch < 0) {
+         int64_t min = addr
+-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+-        int32_t max = addr
+-            + s->cirrus_blt_width;
+-        if (min < 0 || max >= s->vram_size) {
++            + ((int64_t)s->cirrus_blt_height - 1) * pitch
++            - s->cirrus_blt_width;
++        if (min < -1 || addr >= s->vram_size) {
+             return true;
+         }
+     } else {
+-- 
+2.1.4
+
diff --git a/main/xen/xsa208-qemuu-4.7.patch b/main/xen/xsa208-qemuu-4.7.patch
new file mode 100644
index 0000000000..705bab5020
--- /dev/null
+++ b/main/xen/xsa208-qemuu-4.7.patch
@@ -0,0 +1,53 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+          address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 5198037..7bf3707 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+     if (pitch < 0) {
+         int64_t min = addr
+-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+-        int32_t max = addr
+-            + s->cirrus_blt_width;
+-        if (min < 0 || max >= s->vga.vram_size) {
++            + ((int64_t)s->cirrus_blt_height - 1) * pitch
++            - s->cirrus_blt_width;
++        if (min < -1 || addr >= s->vga.vram_size) {
+             return true;
+         }
+     } else {
+-- 
+2.1.4
+
diff --git a/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
new file mode 100644
index 0000000000..787567d5a5
--- /dev/null
+++ b/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
@@ -0,0 +1,72 @@
+From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@suse.com>
+Date: Tue, 21 Feb 2017 10:54:38 -0800
+Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7bf3707..34a6900 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+ 
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
++    if (dst_only) {
++        return false;
++    }
+     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+ 
+     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+ 
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     (*s->cirrus_rop) (s, dst, src,
+@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+ 
+-    if (blit_is_unsafe(s)) {
++    if (blit_is_unsafe(s, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+-- 
+2.1.4
+
diff --git a/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
new file mode 100644
index 0000000000..afaf916237
--- /dev/null
+++ b/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
@@ -0,0 +1,60 @@
+From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 21 Feb 2017 10:54:59 -0800
+Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
+ cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all.  Oops.  Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed.  Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 34a6900..5901250 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+     int w;
+ 
++    if (blit_is_unsafe(s, true)) {
++        return 0;
++    }
++
+     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ 	}
+         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+     }
++
++    /* the blit_is_unsafe call above should catch this */
++    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+     s->cirrus_srcptr = s->cirrus_bltbuf;
+     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+     cirrus_update_memory_access(s);
+-- 
+2.1.4
+
diff --git a/main/xen/xsa209-qemut.patch b/main/xen/xsa209-qemut.patch
new file mode 100644
index 0000000000..ffc574ba86
--- /dev/null
+++ b/main/xen/xsa209-qemut.patch
@@ -0,0 +1,54 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all.  Oops.  Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed.  Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
+
+Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..45facb6 100644
+--- a/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+     int w;
+ 
++    if (blit_is_unsafe(s)) {
++        return 0;
++    }
++
+     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ 	}
+         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+     }
++
++    /* the blit_is_unsafe call above should catch this */
++    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+     s->cirrus_srcptr = s->cirrus_bltbuf;
+     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+     cirrus_update_memory_access(s);