author | Natanael Copa <ncopa@alpinelinux.org> | 2015-10-29 13:50:28 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-10-29 15:18:02 +0000 |
commit | 1e0864dfc2222c7a623cf8eefa098700e17f304a (patch) | |
tree | 7dcb90c07506d5fd05bb677372277ad1e2791d70 /main/xen | |
parent | f3da078305d1ccc488e6948a1c1e9136edc21529 (diff) | |
main/xen: upgrade to 4.6.0 and fix sec issues
Diffstat (limited to 'main/xen')
-rw-r--r-- | main/xen/0001-ipxe-dont-clobber-ebp.patch | 6 | ||||
-rw-r--r-- | main/xen/APKBUILD | 129 | ||||
-rw-r--r-- | main/xen/init-xenstore-domain.patch | 14 | ||||
-rw-r--r-- | main/xen/xsa135-qemut-1.patch | 93 | ||||
-rw-r--r-- | main/xen/xsa135-qemut-2.patch | 46 | ||||
-rw-r--r-- | main/xen/xsa137.patch | 231 | ||||
-rw-r--r-- | main/xen/xsa138-qemut-1.patch | 77 | ||||
-rw-r--r-- | main/xen/xsa138-qemut-2.patch | 71 | ||||
-rw-r--r-- | main/xen/xsa138-qemuu-1.patch | 76 | ||||
-rw-r--r-- | main/xen/xsa138-qemuu-2.patch | 28 | ||||
-rw-r--r-- | main/xen/xsa138-qemuu-3.patch | 71 | ||||
-rw-r--r-- | main/xen/xsa148.patch | 39 | ||||
-rw-r--r-- | main/xen/xsa149.patch | 20 | ||||
-rw-r--r-- | main/xen/xsa150.patch | 201 | ||||
-rw-r--r-- | main/xen/xsa151.patch | 28 | ||||
-rw-r--r-- | main/xen/xsa152.patch | 66 | ||||
-rw-r--r-- | main/xen/xsa153-libxl.patch | 86 |
17 files changed, 514 insertions, 768 deletions
diff --git a/main/xen/0001-ipxe-dont-clobber-ebp.patch b/main/xen/0001-ipxe-dont-clobber-ebp.patch index 2d2fe2f818..f3342e6007 100644 --- a/main/xen/0001-ipxe-dont-clobber-ebp.patch +++ b/main/xen/0001-ipxe-dont-clobber-ebp.patch @@ -275,10 +275,10 @@ diff --git a/tools/firmware/etherboot/patches/series b/tools/firmware/etherboot/ index 5bd7df8..154e65b 100644 --- a/tools/firmware/etherboot/patches/series +++ b/tools/firmware/etherboot/patches/series -@@ -2,3 +2,5 @@ boot_prompt_option.patch - build_fix_1.patch - build_fix_2.patch +@@ -4,3 +4,5 @@ build_fix_3.patch + build-compare.patch + build_fix_4.patch +no-clobber-ebp.patch +no-clobber-ebp2.patch -- diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 046719f0a1..050f8b120a 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen -pkgver=4.5.1 -pkgrel=3 +pkgver=4.6.0 +pkgrel=0 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64" 
@@ -12,38 +12,49 @@ depends="syslinux bash iproute2 logrotate" depends_dev="openssl-dev python-dev e2fsprogs-dev gettext zlib-dev ncurses-dev dev86 texinfo perl iasl pciutils-dev glib-dev yajl-dev libnl3-dev spice-dev gnutls-dev curl-dev libaio-dev lzo-dev xz-dev util-linux-dev - e2fsprogs-dev linux-headers" + e2fsprogs-dev linux-headers argp-standalone" makedepends="$depends_dev autoconf automake libtool seabios-bin" install="" subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor" + +# grep _VERSION= stubdom/configure +_ZLIB_VERSION="1.2.3" +_LIBPCI_VERSION="2.2.9" +_NEWLIB_VERSION="1.16.0" +_LWIP_VERSION="1.3.0" +_GRUB_VERSION="0.97" +_OCAML_VERSION="3.11.0" +_GMP_VERSION="4.3.2" +_POLARSSL_VERSION="1.1.4" +_TPMEMU_VERSION="0.7.4" + +# grep ^IPXE_GIT_TAG tools/firmware/etherboot/Makefile +_IPXE_GIT_TAG=9a93db3f0947484e30e753bbd61a10b17336e20e + source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz - http://xenbits.xen.org/xen-extfiles/gmp-4.3.2.tar.bz2 - http://xenbits.xen.org/xen-extfiles/grub-0.97.tar.gz - http://xenbits.xen.org/xen-extfiles/ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz - http://xenbits.xen.org/xen-extfiles/lwip-1.3.0.tar.gz - http://xenbits.xen.org/xen-extfiles/newlib-1.16.0.tar.gz - http://xenbits.xen.org/xen-extfiles/pciutils-2.2.9.tar.bz2 - http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz - http://xenbits.xen.org/xen-extfiles/tpm_emulator-0.7.4.tar.gz - http://xenbits.xen.org/xen-extfiles/zlib-1.2.3.tar.gz - - xsa135-qemut-1.patch - xsa135-qemut-2.patch - xsa137.patch - xsa138-qemut-1.patch - xsa138-qemut-2.patch - xsa138-qemuu-1.patch - xsa138-qemuu-2.patch - xsa138-qemuu-3.patch + http://xenbits.xen.org/xen-extfiles/gmp-$_GMP_VERSION.tar.bz2 + http://xenbits.xen.org/xen-extfiles/grub-$_GRUB_VERSION.tar.gz + http://xenbits.xen.org/xen-extfiles/lwip-$_LWIP_VERSION.tar.gz + http://xenbits.xen.org/xen-extfiles/newlib-$_NEWLIB_VERSION.tar.gz + 
http://xenbits.xen.org/xen-extfiles/pciutils-$_LIBPCI_VERSION.tar.bz2 + http://xenbits.xen.org/xen-extfiles/polarssl-$_POLARSSL_VERSION-gpl.tgz + http://xenbits.xen.org/xen-extfiles/tpm_emulator-$_TPMEMU_VERSION.tar.gz + http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz + http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz + + xsa148.patch + xsa149.patch + xsa150.patch + xsa151.patch + xsa152.patch + xsa153-libxl.patch qemu-coroutine-gthread.patch - qemu-xen-musl-openpty.patch qemu-xen_paths.patch hotplug-vif-vtrill.patch 0001-ipxe-dont-clobber-ebp.patch gnutls-3.4.0.patch - gcc5-ipxe.patch gcc5-cflags.patch init-xenstore-domain.patch 
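Review bot: The `source` list stops referencing `qemu-xen-musl-openpty.patch` and `gcc5-ipxe.patch`, yet the diffstat for main/xen shows no deletion for either, so both files appear to stay in the tree unused; they should be removed in this commit or the reason for keeping them noted. The xsa135, xsa137 and xsa138 patches are dropped, presumably because the 4.6.0 tarball already carries those fixes, but nothing in the file records that. Once verified, a comment above the `source=` assignment such as `# XSA-135, XSA-137, XSA-138 are part of 4.6.0; xsa148..xsa153 are applied on top` would let a later reviewer confirm coverage without reading upstream history. The tarballs are still fetched over plain `http://`, so their integrity rests entirely on the checksum arrays further down the file.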
@@ -215,33 +226,29 @@ hypervisor() { mv "$pkgdir"/boot "$subpkgdir"/ } -md5sums="d12dc9e5e8bd22a68b5c7f53119221f1 xen-4.5.1.tar.gz +md5sums="48e232f90927c08326a7b52bb06f49bc xen-4.6.0.tar.gz dd60683d7057917e34630b4a787932e8 gmp-4.3.2.tar.bz2 cd3f3eb54446be6003156158d51f4884 grub-0.97.tar.gz -7496268cebf47d5c9ccb0696e3b26065 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz 36cc57650cffda9a0269493be2a169bb lwip-1.3.0.tar.gz bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2 7b72caf22b01464ee7d6165f2fd85f44 polarssl-1.1.4-gpl.tgz e26becb8a6a2b6695f6b3e8097593db8 tpm_emulator-0.7.4.tar.gz debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz -8035908817374d2d32aaadf942e3391d xsa135-qemut-1.patch -462f5d784493119bdfa6e7b5a628a88d xsa135-qemut-2.patch -b15a4247812342c2febb26e43be01dc0 xsa137.patch -80133dcbd2d2d0dcfcfc82b2172daec4 xsa138-qemut-1.patch -bbe64473d94e5e059edfaac114067cc4 xsa138-qemut-2.patch -c58f36d469d98f40eab478635b214a5d xsa138-qemuu-1.patch -d0365ffb471ba1acb7227c07d15f5e3a xsa138-qemuu-2.patch -86cc3fcc24da1b46473dae6a04f1af2e xsa138-qemuu-3.patch +7496268cebf47d5c9ccb0696e3b26065 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz +6e302a683e89f320c07a4819aa7247f1 xsa148.patch +92b0a8119ddec698291498fc4d14c5aa xsa149.patch +ebd65969e47ea94480d031481521259f xsa150.patch +b9c287c042317017f201a45193fdcf17 xsa151.patch +161a985c52ca2db47c09ae3245f8bceb xsa152.patch +e5ddc6b5a2c7ef0437812ce39cb55034 xsa153-libxl.patch de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch -dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch 08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch -229539a822e14a6a62babffd71ecfbf3 0001-ipxe-dont-clobber-ebp.patch +3a04998db5cc3c5c86f3b46e97e9cd82 0001-ipxe-dont-clobber-ebp.patch a0a0294eccbaef77a2f8f5c2789f011c gnutls-3.4.0.patch -80e3861e1a7b2f01bb051e813f9b5a98 gcc5-ipxe.patch 
a0b70cd1190345396d97170bf2d11663 gcc5-cflags.patch -08a30d56902b660f5102a5c208e545c9 init-xenstore-domain.patch +ad3ac1be33a9f61bc60fb07b48b90a1c init-xenstore-domain.patch 0984e3000de17a6d14b8014a3ced46a4 musl-support.patch 513456607a2adfaa0baf1e3ae5124b23 musl-hvmloader-fix-stdint.patch c9313a790faa727205627a1657b9bf06 stdint_local.h 
@@ -257,33 +264,29 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate 6a2f777c16678d84039acf670d86fff6 xenqemu.confd e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd" -sha256sums="668c11d4fca67ac44329e369f810356eacd37b28d28fb96e66aac77f3c5e1371 xen-4.5.1.tar.gz +sha256sums="6fa1c2431df55aa5950d248e6093b8c8c0f11c357a0adbd348a2186478e80909 xen-4.6.0.tar.gz 936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775 gmp-4.3.2.tar.bz2 4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b grub-0.97.tar.gz -632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz 772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f lwip-1.3.0.tar.gz db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07 newlib-1.16.0.tar.gz f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 pciutils-2.2.9.tar.bz2 2d29fd04a0d0ba29dae6bd29fb418944c08d3916665dcca74afb297ef37584b6 polarssl-1.1.4-gpl.tgz 4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459 tpm_emulator-0.7.4.tar.gz 1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e zlib-1.2.3.tar.gz -b4b66d772e52ec35f7256b168ac68f5cf0901590112b3b4db860d1b9c2f513f6 xsa135-qemut-1.patch -0d98a8c4498390a93665872dea9b4b00781578e95e6c78a49632bacb5f70edb8 xsa135-qemut-2.patch -0272c443575c88b53445c89ef84f0cd98a03944d3303f06c66c33ef0037d97b9 xsa137.patch -134b697539eb0c68326cdeec9672dbed93bc81b7e31301993599ac9311b7c6a4 xsa138-qemut-1.patch -53c05aee8d819507e6ca5b7ea7dd929f9afcfcd29068ae5228b2ef00828045bf xsa138-qemut-2.patch -855199d5cfd6bbc171129ef864cf8c6f7c4f6a0ac5159275154b6477f9b77727 xsa138-qemuu-1.patch -9f67687e09b6d62772c430f57db56caec061f592a24e937c6954a6a73afaed22 xsa138-qemuu-2.patch -e4d4691d4bf00d6a5175cc6c75346a7d4663bec0af54fd6b67c78a2278daa5ef xsa138-qemuu-3.patch +632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c 
ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz +f320d105a4832124910f46c50acd4803fe289bd7c4702ec15f97fb611b70944d xsa148.patch +e01628400b81c4bb7bafba348f2ecb1fe80f16e3162cee5013e0be1d7311738b xsa149.patch +9054215f08cab48d2523efb456eb3c93ca6ac580d661f6e4f1feca115c67afa8 xsa150.patch +e247a9dbbe236ffa3c5aa5e2d41047fa67da80f2b0474eef3440b5b3da2d5617 xsa151.patch +596f51797aa591b5abd068ead03e21215cf70997c98a4a562392499afe47b81c xsa152.patch +f5cbc98cba758e10da0a01d9379012ec56b98a85a92bfeb0c6b8132d4b91ce77 xsa153-libxl.patch 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch -fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch -751ef06569de66578b8713dc170976832b0671ac2696f32eb9ad69d60332d594 0001-ipxe-dont-clobber-ebp.patch +ac8bbd0b864c7de278fd9b68392b71863581ec21622c2e9b87e501e492e414d3 0001-ipxe-dont-clobber-ebp.patch e25d38376e22f6f935d2c0ce1b9d6e6b47ff261b5e6056bc3b47168739d7a992 gnutls-3.4.0.patch -dbd94ef2e8ac3ae63dc7173d3b3de51dca5fb248c55719f3be1a3c371a543f63 gcc5-ipxe.patch 8226200f17448e20784ad985ffe47aba1e8401364d9a2b6301818ca043f9ec35 gcc5-cflags.patch -0204d69804e83864cd6b2122f51b9c1940588158a35c159a7ef0c3b8fb0af4cb init-xenstore-domain.patch +13a6117a4b893fa64c1d59f2bab0b30403b10917a047a93e4a32673775b587a5 init-xenstore-domain.patch 2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch 479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3 musl-hvmloader-fix-stdint.patch 6b4ad2a9fdb3e23b06c8c1961a46b06c15a46471fe6fb13cdc269da37466f334 stdint_local.h 
@@ -299,33 +302,29 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd" -sha512sums="9436243e26bc64bc836a179abdc3a6b1b6fa9d3f2170453092c18be71fa62e18cd4465a9154c0f28a7ac8d69d08361ba1defef240a51197f058c012c3855ba04 xen-4.5.1.tar.gz +sha512sums="b4b02f306ffea360f539dd8c231b2f58c00c3638fdb665cb659c7291b475b40f1075bc59d49a6144767729e57b8bc40a1cfd9030d61de2b8fa4ac97d43655c2b xen-4.6.0.tar.gz 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz -c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz 40eb96bbc6736a16b6399e0cdb73e853d0d90b685c967e77899183446664d64570277a633fdafdefc351b46ce210a99115769a1d9f47ac749d7e82837d4d1ac3 newlib-1.16.0.tar.gz 2b3d98d027e46d8c08037366dde6f0781ca03c610ef2b380984639e4ef39899ed8d8b8e4cd9c9dc54df101279b95879bd66bfd4d04ad07fef41e847ea7ae32b5 pciutils-2.2.9.tar.bz2 88da614e4d3f4409c4fd3bb3e44c7587ba051e3fed4e33d526069a67e8180212e1ea22da984656f50e290049f60ddca65383e5983c0f8884f648d71f698303ad polarssl-1.1.4-gpl.tgz 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35 tpm_emulator-0.7.4.tar.gz 
021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz -68824ec4d8a201c9687bd2de82489730908a70914243067f9e76a2584ce73212fd55ec00d6cf1301f7d1c73e32c9e46a93d3da4a6a61781ddec4f863190fb02b xsa135-qemut-1.patch -c29683569affcef4d45ec510b0b8b6d7c4466fc3026005b0612876ce1b7dc52ead77880a3204b5df78d836bdf197b872780c67afd49a895f9f7a47aabf3d9064 xsa135-qemut-2.patch -00a45a430467b708c04d0ee9a25decbdf542eb6d8b6623bb71c87ad6c22880aa12cbf4d070a958e40c9901a99262459e6913b89f192eb31e1addecc2a4fa387d xsa137.patch -6f648cd7447e82163b9b920473a6605c4879a656886ead395130022df8f89c630c5311f6eb66d12d9fdeaead36f25c02b4b401ae6432fe6ba1e7ae91da8b0a1d xsa138-qemut-1.patch -64c3435d96b78fd677214508fb811c6de2b5df3b66e824c48010f2f7e6c644fa423a4a45a7135bf1538f3701e744ec9080922218ae73135ef52387d92e1b2468 xsa138-qemut-2.patch -68d72eb311deab03cb2816b508148169bc5fae712ca98ea5959738c056ae2440a11534d4eb455f5db0fe79c3f1c3881a2449a5c91064e35dbc84a87c2b0ac43c xsa138-qemuu-1.patch -cb307f4191c96bd61a565f248517d5905243e8888bc2999e677e4f2bdb48994153e4319021b0a9d27ef08038d4e6e8b993dfac021a8e1e4a1134604b7d8b8f4c xsa138-qemuu-2.patch -8e1dc230a6ae8a22913a68dfce67af9115859e71ac0440c0078c1bd8a0995b0abbbf1379aba60b786732c1e00af4b75e1231c520bf50cd88ea6848f4dabad013 xsa138-qemuu-3.patch +c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz +f6d1753641741c6d921ec6ba4acd9ac9df511ef1a7ca7c21fb3498a2b7b8758827b9d8cb19543ffda0125b632c7ac8004366ba47036ecb7c66c5723143e125e5 xsa148.patch +86c19dbab57c9dee5443ba10fcea38d35e0bef821a502d916684f9010b530101af4386db88f2fa90a252812fa2722da9450964747eb7204ee23a94369e58ec72 xsa149.patch +8c4a588764c5829d4722766e9766fe769e93e21b5b027578ffdfac3e85c8cdf11281cf4b3a28de4fbbb64ab102f13ed55f029d11201a7fe8ecd1b5c94b6134ec xsa150.patch 
+d1d6f11ff4c108d57de408cd75a818eeb124b3788c480bee6eb46ffdb18ef53a5dd96588f961f3336881d38c07908fae7c4042d8ee7267704647b306180aaebf xsa151.patch +e442c062b6bcf54761784649d3b21df2b4e46b7e1d94ab7375e227e65d6741b5457a838e72569ab9e49fb0ca57063226652f9efd4331356b822d686829682faa xsa152.patch +a33a184fdb1588ee17ddaab53dd45f9e68b2523f99278de7e8a403b36ce2dd71efcccae1c94b4b196f5d83d6423766a23e48fbf0a6a2e1dd681313edb0d1c399 xsa153-libxl.patch c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch -a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch -c3a1b270347a99c8ce21118010ad8d817b4462a31cc5c75352faa7086969ef0646f3f4d0922d85c2e504cff091ce7e9fe79c92f983c2ba4af2fae85c52c3835a 0001-ipxe-dont-clobber-ebp.patch +a6455988477a29d856924651db5e14f96d835413b956278d2291cbb8e5877d7bf6f462890f607ecf1c7b4003997295d0ba7852e110fc20df3a3edf1845e778ba 0001-ipxe-dont-clobber-ebp.patch e9b88234bd67c2d65fcda1a56deeaf60aaa4c8b2afff128028c6a1478c89f828584dab1ac04f8d9d53cf17d26572e5505d0bbfcc4b2a6842cc749c6c018c0e51 gnutls-3.4.0.patch -abeef8f4bf410794af63ac3fe0e8a55671111e21701029c6f9af950dd1a24d4933bcd21c8eed86f9d775195d2233996a08015884a37c38e06378110b2a3e93c8 gcc5-ipxe.patch 68ea6d4798f107fc2fd134c970cd7f7b9aeafe3efaf9501bbd5ec35e7e212f1d637c15c21c7a257c0709c2a2d441f6c6192abad39fd23b3ecba69bcefbb3e930 gcc5-cflags.patch -475eb800660dc928914b8c15562f18f24d6e7a76f4cc7bed9249ce52d444c29aec1aef843eb37ade0c7c9616195bbbc1606a3195e25b2bd4b6a1d1af5f69256e init-xenstore-domain.patch 
+5262012d4b34ef86d3bf2c6347156664db10fca7f473b9b2f2214f6de7c90c352c32b279be45a4c5c375f1369c93a7cf7689281796233c243f92474b0b70f4d7 init-xenstore-domain.patch 76bd60768b296752ca11195bb03a57584686461da45255cb540977111a73c42b5b92362fd46d97bfd20487c96971dd5aed7eae7d8bf1aad7d5199adb875d4962 musl-support.patch 08cf7fac825dd3da5f33856abf6692da00d8928ab73050b3ae0a643ddb97c8ae323238a80152fd31595ac1c31678d559232264258c189e2c05ecaf33e295f13e musl-hvmloader-fix-stdint.patch 9dcb481c5b83c7df23e87be717d8a9234014f26a0f80893e125fe8110e2923562d95162d18ff64c08b5782cd7c085f90378a9e0802b3995c077c8ba32bbb669f stdint_local.h diff --git a/main/xen/init-xenstore-domain.patch b/main/xen/init-xenstore-domain.patch index 0f529efdc2..5c170608f8 100644 --- a/main/xen/init-xenstore-domain.patch +++ b/main/xen/init-xenstore-domain.patch @@ -1,10 +1,10 @@ ---- xen-4.3.1.orig/tools/xenstore/Makefile -+++ xen-4.3.1/tools/xenstore/Makefile -@@ -118,6 +118,7 @@ - $(INSTALL_PROG) xenstored $(DESTDIR)$(SBINDIR) - $(INSTALL_PROG) xenstore-control $(DESTDIR)$(BINDIR) - $(INSTALL_PROG) xenstore $(DESTDIR)$(BINDIR) +--- ./tools/xenstore/Makefile.orig ++++ ./tools/xenstore/Makefile +@@ -139,6 +139,7 @@ + endif + $(INSTALL_PROG) xenstore-control $(DESTDIR)$(bindir) + $(INSTALL_PROG) xenstore $(DESTDIR)$(bindir) + $(INSTALL_PROG) init-xenstore-domain $(DESTDIR)$(BINDIR) set -e ; for c in $(CLIENTS) ; do \ - ln -f $(DESTDIR)$(BINDIR)/xenstore $(DESTDIR)$(BINDIR)/$${c} ; \ + ln -f $(DESTDIR)$(bindir)/xenstore $(DESTDIR)$(bindir)/$${c} ; \ done diff --git a/main/xen/xsa135-qemut-1.patch b/main/xen/xsa135-qemut-1.patch deleted file mode 100644 index 54ac78d29f..0000000000 --- a/main/xen/xsa135-qemut-1.patch +++ /dev/null 
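Review bot: The refreshed init-xenstore-domain.patch still installs the helper into `$(DESTDIR)$(BINDIR)`, while every neighbouring line in the new 4.6.0 context uses the lower-case `$(bindir)`. If the 4.6.0 build no longer defines `BINDIR` (not visible here), that expands to `$(DESTDIR)` alone and the binary would land outside the intended bin directory without failing the build. The inserted line should follow its context, `$(INSTALL_PROG) init-xenstore-domain $(DESTDIR)$(bindir)`. The Makefile rule being patched starts and ends outside this hunk.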
@@ -1,93 +0,0 @@
-pcnet: fix Negative array index read
-
-From: Gonglei <arei.gonglei@huawei.com>
-
-s->xmit_pos maybe assigned to a negative value (-1),
-but in this branch variable s->xmit_pos as an index to
-array s->buffer. Let's add a check for s->xmit_pos.
-
-upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b
-
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
-diff --git a/hw/pcnet.c b/hw/pcnet.c
-index 7cc0637..9f3e1cc 100644
---- a/tools/qemu-xen-traditional/hw/pcnet.c
-+++ b/tools/qemu-xen-traditional/hw/pcnet.c
-@@ -1250,7 +1250,7 @@ static void pcnet_transmit(PCNetState *s)
- target_phys_addr_t xmit_cxda = 0;
- int count = CSR_XMTRL(s)-1;
- int add_crc = 0;
--
-+ int bcnt;
- s->xmit_pos = -1;
-
- if (!CSR_TXON(s)) {
-@@ -1276,34 +1276,39 @@ static void pcnet_transmit(PCNetState *s)
- if (BCR_SWSTYLE(s) != 1)
- add_crc = GET_FIELD(tmd.status, TMDS, ADDFCS);
- }
-+
-+ if (s->xmit_pos < 0) {
-+ goto txdone;
-+ }
-+
-+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-+ s->xmit_pos += bcnt;
-+
- if (!GET_FIELD(tmd.status, TMDS, ENP)) {
-- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-- s->xmit_pos += bcnt;
-- } else if (s->xmit_pos >= 0) {
-- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-- s->xmit_pos += bcnt;
-+ goto txdone;
-+ }
- #ifdef PCNET_DEBUG
-- printf("pcnet_transmit size=%d\n", s->xmit_pos);
-+ printf("pcnet_transmit size=%d\n", s->xmit_pos);
- #endif
-- if (CSR_LOOP(s)) {
-- if (BCR_SWSTYLE(s) == 1)
-- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
-- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
-- pcnet_receive(s, s->buffer, s->xmit_pos);
-- s->looptest = 0;
-- } else
-- if (s->vc)
-- qemu_send_packet(s->vc, s->buffer, s->xmit_pos);
--
-- s->csr[0] &= ~0x0008; /* clear TDMD */
-- s->csr[4] |= 0x0004; /* set TXSTRT */
-- s->xmit_pos = -1;
-+ if (CSR_LOOP(s)) {
-+ if (BCR_SWSTYLE(s) == 1)
-+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
-+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
-+ pcnet_receive(s, s->buffer, s->xmit_pos);
-+ s->looptest = 0;
-+ } else {
-+ if (s->vc) {
-+ qemu_send_packet(s->vc, s->buffer, s->xmit_pos);
-+ }
- }
-
-+ s->csr[0] &= ~0x0008; /* clear TDMD */
-+ s->csr[4] |= 0x0004; /* set TXSTRT */
-+ s->xmit_pos = -1;
-+
-+ txdone:
- SET_FIELD(&tmd.status, TMDS, OWN, 0);
- TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));
- if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT)))
-
diff --git a/main/xen/xsa135-qemut-2.patch b/main/xen/xsa135-qemut-2.patch
deleted file mode 100644
index 2b0631af7c..0000000000
--- a/main/xen/xsa135-qemut-2.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Sun, 24 May 2015 10:53:44 +0200
-Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
-
-4096 is the maximum length per TMD and it is also currently the size of
-the relay buffer pcnet driver uses for sending the packet data to QEMU
-for further processing. With packet spanning multiple TMDs it can
-happen that the overall packet size will be bigger than sizeof(buffer),
-which results in memory corruption.
-
-Fix this by only allowing to queue maximum sizeof(buffer) bytes.
-
-This is CVE-2015-3209.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Matt Tait <matttait@google.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/pcnet.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/pcnet.c b/hw/pcnet.c
-index bdfd38f..6d32e4c 100644
---- a/tools/qemu-xen-traditional/hw/pcnet.c
-+++ b/tools/qemu-xen-traditional/hw/pcnet.c
-@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
- }
-
- bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-+
-+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
-+ Note: this is not what real hw does */
-+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
-+ s->xmit_pos = -1;
-+ goto txdone;
-+ }
-+
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
- s->xmit_pos += bcnt;
---
-2.1.0
-
-
diff --git a/main/xen/xsa137.patch b/main/xen/xsa137.patch
deleted file mode 100644
index ffc7fa7d49..0000000000
--- a/main/xen/xsa137.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From 593fe52faa1b85567a7ec20c69d8cfbc7368ae5b Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Mon, 15 Jun 2015 14:50:42 +0100
-Subject: [PATCH] xl: Sane handling of extra config file arguments
-
-Various xl sub-commands take additional parameters containing = as
-additional config fragments.
-
-The handling of these config fragments has a number of bugs:
-
- 1. Use of a static 1024-byte buffer. (If truncation would occur,
- with semi-trusted input, a security risk arises due to quotes
- being lost.)
-
- 2. Mishandling of the return value from snprintf, so that if
- truncation occurs, the to-write pointer is updated with the
- wanted-to-write length, resulting in stack corruption. (This is
- XSA-137.)
-
- 3. Clone-and-hack of the code for constructing the appended
- config file.
-
-These are fixed here, by introducing a new function
-`string_realloc_append' and using it everywhere. The `extra_info'
-buffers are replaced by pointers, which start off NULL and are
-explicitly freed on all return paths.
-
-The separate variable which will become dom_info.extra_config is
-abolished (which involves moving the clearing of dom_info).
-
-Additional bugs I observe, not fixed here:
-
- 4. The functions which now call string_realloc_append use ad-hoc
- error returns, with multiple calls to `return'. This currently
- necessitates multiple new calls to `free'.
-
- 5. Many of the paths in xl call exit(-rc) where rc is a libxl status
- code. This is a ridiculous exit status `convention'.
-
- 6. The loops for handling extra config data are clone-and-hacks.
-
- 7. Once the extra config buffer is accumulated, it must be combined
- with the appropriate main config file. The code to do this
- combining is clone-and-hacked too.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian,campbell@citrix.com>
----
-v2: Use SSIZE_MAX, not INT_MAX.
- Check *accumulate for NULL, not accumulate.
- Move memset of dom_info.
----
- tools/libxl/xl_cmdimpl.c | 64 +++++++++++++++++++++++++++++-----------------
- 1 file changed, 40 insertions(+), 24 deletions(-)
-
-diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
-index c858068..c01a851 100644
---- a/tools/libxl/xl_cmdimpl.c
-+++ b/tools/libxl/xl_cmdimpl.c
-@@ -151,7 +151,7 @@ struct domain_create {
- int console_autoconnect;
- int checkpointed_stream;
- const char *config_file;
-- const char *extra_config; /* extra config string */
-+ char *extra_config; /* extra config string */
- const char *restore_file;
- int migrate_fd; /* -1 means none */
- char **migration_domname_r; /* from malloc */
-@@ -4805,11 +4805,25 @@ int main_vm_list(int argc, char **argv)
- return 0;
- }
-
-+static void string_realloc_append(char **accumulate, const char *more)
-+{
-+ /* Appends more to accumulate. Accumulate is either NULL, or
-+ * points (always) to a malloc'd nul-terminated string. */
-+
-+ size_t oldlen = *accumulate ? strlen(*accumulate) : 0;
-+ size_t morelen = strlen(more) + 1/*nul*/;
-+ if (oldlen > SSIZE_MAX || morelen > SSIZE_MAX - oldlen) {
-+ fprintf(stderr,"Additional config data far too large\n");
-+ exit(-ERROR_FAIL);
-+ }
-+
-+ *accumulate = xrealloc(*accumulate, oldlen + morelen);
-+ memcpy(*accumulate + oldlen, more, morelen);
-+}
-+
- int main_create(int argc, char **argv)
- {
- const char *filename = NULL;
-- char *p;
-- char extra_config[1024];
- struct domain_create dom_info;
- int paused = 0, debug = 0, daemonize = 1, console_autoconnect = 0,
- quiet = 0, monitor = 1, vnc = 0, vncautopass = 0;
-@@ -4824,6 +4838,8 @@ int main_create(int argc, char **argv)
- {0, 0, 0, 0}
- };
-
-+ dom_info.extra_config = NULL;
-+
- if (argv[1] && argv[1][0] != '-' && !strchr(argv[1], '=')) {
- filename = argv[1];
- argc--; argv++;
-@@ -4863,20 +4879,21 @@ int main_create(int argc, char **argv)
- break;
- }
-
-- extra_config[0] = '\0';
-- for (p = extra_config; optind < argc; optind++) {
-+ memset(&dom_info, 0, sizeof(dom_info));
-+
-+ for (; optind < argc; optind++) {
- if (strchr(argv[optind], '=') != NULL) {
-- p += snprintf(p, sizeof(extra_config) - (p - extra_config),
-- "%s\n", argv[optind]);
-+ string_realloc_append(&dom_info.extra_config, argv[optind]);
-+ string_realloc_append(&dom_info.extra_config, "\n");
- } else if (!filename) {
- filename = argv[optind];
- } else {
- help("create");
-+ free(dom_info.extra_config);
- return 2;
- }
- }
-
-- memset(&dom_info, 0, sizeof(dom_info));
- dom_info.debug = debug;
- dom_info.daemonize = daemonize;
- dom_info.monitor = monitor;
-@@ -4884,16 +4901,18 @@ int main_create(int argc, char **argv)
- dom_info.dryrun = dryrun_only;
- dom_info.quiet = quiet;
- dom_info.config_file = filename;
-- dom_info.extra_config = extra_config;
- dom_info.migrate_fd = -1;
- dom_info.vnc = vnc;
- dom_info.vncautopass = vncautopass;
- dom_info.console_autoconnect = console_autoconnect;
-
- rc = create_domain(&dom_info);
-- if (rc < 0)
-+ if (rc < 0) {
-+ free(dom_info.extra_config);
- return -rc;
-+ }
-
-+ free(dom_info.extra_config);
- return 0;
- }
-
-@@ -4901,8 +4920,7 @@ int main_config_update(int argc, char **argv)
- {
- uint32_t domid;
- const char *filename = NULL;
-- char *p;
-- char extra_config[1024];
-+ char *extra_config = NULL;
- void *config_data = 0;
- int config_len = 0;
- libxl_domain_config d_config;
-@@ -4940,15 +4958,15 @@ int main_config_update(int argc, char **argv)
- break;
- }
-
-- extra_config[0] = '\0';
-- for (p = extra_config; optind < argc; optind++) {
-+ for (; optind < argc; optind++) {
- if (strchr(argv[optind], '=') != NULL) {
-- p += snprintf(p, sizeof(extra_config) - (p - extra_config),
-- "%s\n", argv[optind]);
-+ string_realloc_append(&extra_config, argv[optind]);
-+ string_realloc_append(&extra_config, "\n");
- } else if (!filename) {
- filename = argv[optind];
- } else {
- help("create");
-+ free(extra_config);
- return 2;
- }
- }
-@@ -4957,7 +4975,8 @@ int main_config_update(int argc, char **argv)
- rc = libxl_read_file_contents(ctx, filename,
- &config_data, &config_len);
- if (rc) { fprintf(stderr, "Failed to read config file: %s: %s\n",
-- filename, strerror(errno)); return ERROR_FAIL; }
-+ filename, strerror(errno));
-+ free(extra_config); return ERROR_FAIL; }
- if (strlen(extra_config)) {
- if (config_len > INT_MAX - (strlen(extra_config) + 2 + 1)) {
- fprintf(stderr, "Failed to attach extra configration\n");
-@@ -4998,7 +5017,7 @@ int main_config_update(int argc, char **argv)
- libxl_domain_config_dispose(&d_config);
-
- free(config_data);
--
-+ free(extra_config);
- return 0;
- }
-
-@@ -7255,7 +7274,7 @@ int main_cpupoolcreate(int argc, char **argv)
- {
- const char *filename = NULL, *config_src=NULL;
- const char *p;
-- char extra_config[1024];
-+ char *extra_config = NULL;
- int opt;
- static struct option opts[] = {
- {"defconfig", 1, 0, 'f'},
-@@ -7289,13 +7308,10 @@ int main_cpupoolcreate(int argc, char **argv)
- break;
- }
-
-- memset(extra_config, 0, sizeof(extra_config));
- while (optind < argc) {
- if ((p = strchr(argv[optind], '='))) {
-- if (strlen(extra_config) + 1 + strlen(argv[optind]) < sizeof(extra_config)) {
-- strcat(extra_config, "\n");
-- strcat(extra_config, argv[optind]);
-- }
-+ string_realloc_append(&extra_config, "\n");
-+ string_realloc_append(&extra_config, argv[optind]);
- } else if (!filename) {
- filename = argv[optind];
- } else {
---
-1.7.10.4
-
diff --git a/main/xen/xsa138-qemut-1.patch b/main/xen/xsa138-qemut-1.patch
deleted file mode 100644
index cfbeb1d26d..0000000000
--- a/main/xen/xsa138-qemut-1.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 510952d4c33ee69574167ce30829b21c815a165b Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:13:31 +0200
-Subject: [PATCH 1/2] ide: Check array bounds before writing to io_buffer
- (CVE-2015-5154)
-
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/hw/ide.c b/hw/ide.c
-index 791666b..211ec88 100644
---- a/tools/qemu-xen-traditional/hw/ide.c
-+++ b/tools/qemu-xen-traditional/hw/ide.c
-@@ -3002,6 +3002,10 @@ static void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- buffered_pio_write(s, addr, 2);
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return;
-+ }
-+
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-@@ -3021,6 +3025,10 @@ static uint32_t ide_data_readw(void *opaque, uint32_t addr)
- buffered_pio_read(s, addr, 2);
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-@@ -3040,6 +3048,10 @@ static void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- buffered_pio_write(s, addr, 4);
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return;
-+ }
-+
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-@@
-3059,6 +3071,10 @@ static uint32_t ide_data_readl(void *opaque, uint32_t addr)
- buffered_pio_read(s, addr, 4);
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
---
-2.1.4
-
diff --git a/main/xen/xsa138-qemut-2.patch b/main/xen/xsa138-qemut-2.patch
deleted file mode 100644
index 1389ced4c3..0000000000
--- a/main/xen/xsa138-qemut-2.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 1ac0f60d558b7fca55c69a61ab4c4538af1f02f9 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:41:27 +0200
-Subject: [PATCH 2/2] ide: Clear DRQ after handling all expected accesses
-
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/hw/ide.c b/hw/ide.c
-index 211ec88..7b84d1b 100644
---- a/tools/qemu-xen-traditional/hw/ide.c
-+++ b/tools/qemu-xen-traditional/hw/ide.c
-@@ -3009,8 +3009,10 @@ static void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- static uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -3032,8 +3034,10 @@ static uint32_t ide_data_readw(void *opaque, uint32_t addr)
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
-@@ -3055,8 +3059,10 @@ static void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- static uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -3078,8 +3084,10 @@ static uint32_t ide_data_readl(void *opaque, uint32_t addr)
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &=
~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
---
-2.1.4
-
diff --git a/main/xen/xsa138-qemuu-1.patch b/main/xen/xsa138-qemuu-1.patch
deleted file mode 100644
index 333d064750..0000000000
--- a/main/xen/xsa138-qemuu-1.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:13:31 +0200
-Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
- (CVE-2015-5154)
-
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 122e955..44fcc23 100644
---- a/tools/qemu-xen/hw/ide/core.c
-+++ b/tools/qemu-xen/hw/ide/core.c
-@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- }
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return;
-+ }
-+
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
- }
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- }
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return;
-+ }
-+
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
- }
-
- p = s->data_ptr;
-+ if (p +
4 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
---
-1.8.3.1
diff --git a/main/xen/xsa138-qemuu-2.patch b/main/xen/xsa138-qemuu-2.patch
deleted file mode 100644
index ab0ce5f323..0000000000
--- a/main/xen/xsa138-qemuu-2.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:17:46 +0200
-Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
-
-The command must be completed on all code paths. START STOP UNIT with
-pwrcnd set should succeed without doing anything.
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/atapi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 950e311..79dd167 100644
---- a/tools/qemu-xen/hw/ide/atapi.c
-+++ b/tools/qemu-xen/hw/ide/atapi.c
-@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
-
- if (pwrcnd) {
- /* eject/load only happens for power condition == 0 */
-+ ide_atapi_cmd_ok(s);
- return;
- }
-
---
-1.8.3.1
-
diff --git a/main/xen/xsa138-qemuu-3.patch b/main/xen/xsa138-qemuu-3.patch
deleted file mode 100644
index 0322866fe3..0000000000
--- a/main/xen/xsa138-qemuu-3.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:41:27 +0200
-Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
-
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 44fcc23..50449ca 100644
---- a/tools/qemu-xen/hw/ide/core.c
-+++ b/tools/qemu-xen/hw/ide/core.c
-@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
-@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+
}
- return ret;
- }
-
---
-1.8.3.1
-
diff --git a/main/xen/xsa148.patch b/main/xen/xsa148.patch
new file mode 100644
index 0000000000..3b6843a8e2
--- /dev/null
+++ b/main/xen/xsa148.patch
@@ -0,0 +1,39 @@
+x86: guard against undue super page PTE creation
+
+When optional super page support got added (commit bd1cd81d64 "x86: PV
+support for hugepages"), two adjustments were missed: mod_l2_entry()
+needs to consider the PSE and RW bits when deciding whether to use the
+fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
+unconditionally.
+
+This is XSA-148.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -160,7 +160,10 @@ static void put_superpage(unsigned long
+ static uint32_t base_disallow_mask;
+ /* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
+ #define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
+-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
++
++#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
++ ? base_disallow_mask & ~_PAGE_PSE \
++ : base_disallow_mask)
+
+ #define l3_disallow_mask(d) (!is_pv_32bit_domain(d) ? \
+ base_disallow_mask : 0xFFFFF198U)
+@@ -1841,7 +1844,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
+ }
+
+ /* Fast path for identical mapping and presence. */
+- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
++ if ( !l2e_has_changed(ol2e, nl2e,
++ unlikely(opt_allow_superpage)
++ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
++ : _PAGE_PRESENT) )
+ {
+ adjust_guest_l2e(nl2e, d);
+ if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
diff --git a/main/xen/xsa149.patch b/main/xen/xsa149.patch
new file mode 100644
index 0000000000..41103b2983
--- /dev/null
+++ b/main/xen/xsa149.patch
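Review bot: The context comment `/* Fast path for identical mapping and presence. */` above the changed `l2e_has_changed()` call in mod_l2_entry() is now stale: when `opt_allow_superpage` is set the fast path also requires `_PAGE_PSE` and `_PAGE_RW` to be unchanged, and that is the security-relevant part of the check. I would reword it to `/* Fast path: mapping and presence identical (plus PSE/RW when superpages are allowed). */`. The new `L2_DISALLOW_MASK` definition also carries no comment, unlike `L1_DISALLOW_MASK` directly above it; `/* PSE may be set on L2 entries only when superpage support is enabled. */` would record why the mask is conditional. mod_l2_entry() starts and ends outside the inner hunk.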
@@ -0,0 +1,20 @@
+xen: free domain's vcpu array
+
+This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
+guest").
+
+This is XSA-149.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -841,6 +841,7 @@ static void complete_domain_destroy(stru
+
+ xsm_free_security_domain(d);
+ free_cpumask_var(d->domain_dirty_cpumask);
++ xfree(d->vcpu);
+ free_domain_struct(d);
+
+ send_global_virq(VIRQ_DOM_EXC);
diff --git a/main/xen/xsa150.patch b/main/xen/xsa150.patch
new file mode 100644
index 0000000000..f5ef12e45b
--- /dev/null
+++ b/main/xen/xsa150.patch
@@ -0,0 +1,201 @@
+x86/PoD: Eager sweep for zeroed pages
+
+Based on the contents of a guests physical address space,
+p2m_pod_emergency_sweep() could degrade into a linear memcmp() from 0 to
+max_gfn, which runs non-preemptibly.
+
+As p2m_pod_emergency_sweep() runs behind the scenes in a number of contexts,
+making it preemptible is not feasible.
+
+Instead, a different approach is taken. Recently-populated pages are eagerly
+checked for reclaimation, which amortises the p2m_pod_emergency_sweep()
+operation across each p2m_pod_demand_populate() operation.
+
+Note that in the case that a 2M superpage can't be reclaimed as a superpage,
+it is shattered if 4K pages of zeros can be reclaimed. This is unfortunate
+but matches the previous behaviour, and is required to avoid regressions
+(domain crash from PoD exhaustion) with VMs configured close to the limit.
+
+This is CVE-2015-7970 / XSA-150.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: George Dunlap <george.dunlap@citrix.com>
+
+--- a/xen/arch/x86/mm/p2m-pod.c
++++ b/xen/arch/x86/mm/p2m-pod.c
+@@ -920,28 +920,6 @@ p2m_pod_zero_check(struct p2m_domain *p2
+ }
+
+ #define POD_SWEEP_LIMIT 1024
+-
+-/* When populating a new superpage, look at recently populated superpages
+- * hoping that they've been zeroed. This will snap up zeroed pages as soon as
+- * the guest OS is done with them.
*/
+-static void
+-p2m_pod_check_last_super(struct p2m_domain *p2m, unsigned long gfn_aligned)
+-{
+- unsigned long check_gfn;
+-
+- ASSERT(p2m->pod.last_populated_index < POD_HISTORY_MAX);
+-
+- check_gfn = p2m->pod.last_populated[p2m->pod.last_populated_index];
+-
+- p2m->pod.last_populated[p2m->pod.last_populated_index] = gfn_aligned;
+-
+- p2m->pod.last_populated_index =
+- ( p2m->pod.last_populated_index + 1 ) % POD_HISTORY_MAX;
+-
+- p2m_pod_zero_check_superpage(p2m, check_gfn);
+-}
+-
+-
+ #define POD_SWEEP_STRIDE 16
+ static void
+ p2m_pod_emergency_sweep(struct p2m_domain *p2m)
+@@ -982,7 +960,7 @@ p2m_pod_emergency_sweep(struct p2m_domai
+ * NB that this is a zero-sum game; we're increasing our cache size
+ * by re-increasing our 'debt'. Since we hold the pod lock,
+ * (entry_count - count) must remain the same. */
+- if ( p2m->pod.count > 0 && i < limit )
++ if ( i < limit && (p2m->pod.count > 0 || hypercall_preempt_check()) )
+ break;
+ }
+
+@@ -994,6 +972,58 @@ p2m_pod_emergency_sweep(struct p2m_domai
+
+ }
+
++static void pod_eager_reclaim(struct p2m_domain *p2m)
++{
++ struct pod_mrp_list *mrp = &p2m->pod.mrp;
++ unsigned int i = 0;
++
++ /*
++ * Always check one page for reclaimation.
++ *
++ * If the PoD pool is empty, keep checking some space is found, or all
++ * entries have been exhaused.
++ */
++ do
++ {
++ unsigned int idx = (mrp->idx + i++) % ARRAY_SIZE(mrp->list);
++ unsigned long gfn = mrp->list[idx];
++
++ if ( gfn != INVALID_GFN )
++ {
++ if ( gfn & POD_LAST_SUPERPAGE )
++ {
++ gfn &= ~POD_LAST_SUPERPAGE;
++
++ if ( p2m_pod_zero_check_superpage(p2m, gfn) == 0 )
++ {
++ unsigned int x;
++
++ for ( x = 0; x < SUPERPAGE_PAGES; ++x, ++gfn )
++ p2m_pod_zero_check(p2m, &gfn, 1);
++ }
++ }
++ else
++ p2m_pod_zero_check(p2m, &gfn, 1);
++
++ mrp->list[idx] = INVALID_GFN;
++ }
++
++ } while ( (p2m->pod.count == 0) && (i < ARRAY_SIZE(mrp->list)) );
++}
++
++static void pod_eager_record(struct p2m_domain *p2m,
++ unsigned long gfn, unsigned int order)
++{
++ struct pod_mrp_list *mrp = &p2m->pod.mrp;
++
++ ASSERT(mrp->list[mrp->idx] == INVALID_GFN);
++ ASSERT(gfn != INVALID_GFN);
++
++ mrp->list[mrp->idx++] =
++ gfn | (order == PAGE_ORDER_2M ? POD_LAST_SUPERPAGE : 0);
++ mrp->idx %= ARRAY_SIZE(mrp->list);
++}
++
+ int
+ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
+ unsigned int order,
+@@ -1034,6 +1064,8 @@ p2m_pod_demand_populate(struct p2m_domai
+ return 0;
+ }
+
++ pod_eager_reclaim(p2m);
++
+ /* Only sweep if we're actually out of memory. Doing anything else
+ * causes unnecessary time and fragmentation of superpages in the p2m.
*/
+ if ( p2m->pod.count == 0 )
+@@ -1070,6 +1102,8 @@ p2m_pod_demand_populate(struct p2m_domai
+ p2m->pod.entry_count -= (1 << order);
+ BUG_ON(p2m->pod.entry_count < 0);
+
++ pod_eager_record(p2m, gfn_aligned, order);
++
+ if ( tb_init_done )
+ {
+ struct {
+@@ -1085,12 +1119,6 @@ p2m_pod_demand_populate(struct p2m_domai
+ __trace_var(TRC_MEM_POD_POPULATE, 0, sizeof(t), &t);
+ }
+
+- /* Check the last guest demand-populate */
+- if ( p2m->pod.entry_count > p2m->pod.count
+- && (order == PAGE_ORDER_2M)
+- && (q & P2M_ALLOC) )
+- p2m_pod_check_last_super(p2m, gfn_aligned);
+-
+ pod_unlock(p2m);
+ return 0;
+ out_of_memory:
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
+@@ -58,6 +58,7 @@ boolean_param("hap_2mb", opt_hap_2mb);
+ /* Init the datastructures for later use by the p2m code */
+ static int p2m_initialise(struct domain *d, struct p2m_domain *p2m)
+ {
++ unsigned int i;
+ int ret = 0;
+
+ mm_rwlock_init(&p2m->lock);
+@@ -73,6 +74,9 @@ static int p2m_initialise(struct domain
+
+ p2m->np2m_base = P2M_BASE_EADDR;
+
++ for ( i = 0; i < ARRAY_SIZE(p2m->pod.mrp.list); ++i )
++ p2m->pod.mrp.list[i] = INVALID_GFN;
++
+ if ( hap_enabled(d) && cpu_has_vmx )
+ ret = ept_p2m_init(p2m);
+ else
+--- a/xen/include/asm-x86/p2m.h
++++ b/xen/include/asm-x86/p2m.h
+@@ -292,10 +292,20 @@ struct p2m_domain {
+ entry_count; /* # of pages in p2m marked pod */
+ unsigned long reclaim_single; /* Last gpfn of a scan */
+ unsigned long max_guest; /* gpfn of max guest demand-populate */
+-#define POD_HISTORY_MAX 128
+- /* gpfn of last guest superpage demand-populated */
+- unsigned long last_populated[POD_HISTORY_MAX];
+- unsigned int last_populated_index;
++
++ /*
++ * Tracking of the most recently populated PoD pages, for eager
++ * reclamation.
++ */
++ struct pod_mrp_list {
++#define NR_POD_MRP_ENTRIES 32
++
++/* Encode ORDER_2M superpage in top bit of GFN */
++#define POD_LAST_SUPERPAGE (INVALID_GFN & ~(INVALID_GFN >> 1))
++
++ unsigned long list[NR_POD_MRP_ENTRIES];
++ unsigned int idx;
++ } mrp;
+ mm_lock_t lock; /* Locking of private pod structs, *
+ * not relying on the p2m lock. */
+ } pod;
diff --git a/main/xen/xsa151.patch b/main/xen/xsa151.patch
new file mode 100644
index 0000000000..1f0277ea78
--- /dev/null
+++ b/main/xen/xsa151.patch
@@ -0,0 +1,28 @@
+xenoprof: free domain's vcpu array
+
+This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
+guest").
+
+This is XSA-151.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/xenoprof.c
++++ b/xen/common/xenoprof.c
+@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
+ d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
+ if ( d->xenoprof->rawbuf == NULL )
+ {
++ xfree(d->xenoprof->vcpu);
+ xfree(d->xenoprof);
+ d->xenoprof = NULL;
+ return -ENOMEM;
+@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *
+ free_xenheap_pages(x->rawbuf, order);
+ }
+
++ xfree(x->vcpu);
+ xfree(x);
+ d->xenoprof = NULL;
+ }
diff --git a/main/xen/xsa152.patch b/main/xen/xsa152.patch
new file mode 100644
index 0000000000..6fbc90fd1e
--- /dev/null
+++ b/main/xen/xsa152.patch
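Review bot: In xsa150.patch, `pod_eager_record()` relies on an ordering that only `ASSERT(mrp->list[mrp->idx] == INVALID_GFN)` checks: the slot at `mrp->idx` is free because `pod_eager_reclaim()` ran earlier in the same p2m_pod_demand_populate() call and clears that slot on its first loop iteration. If ASSERT is compiled out in release builds (not visible here), a caller that skipped the reclaim step would silently overwrite an entry that was never checked. A comment above the function would make the contract explicit: `/* Caller must have run pod_eager_reclaim() first; it empties mrp->list[mrp->idx]. */`. The block comment in `pod_eager_reclaim()` should also read `keep checking until some space is found, or all entries have been exhausted`. Only parts of p2m_pod_demand_populate() are visible in the inner hunks.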
@@ -0,0 +1,66 @@
+x86: rate-limit logging in do_xen{oprof,pmu}_op()
+
+Some of the sub-ops are acessible to all guests, and hence should be
+rate-limited. In the xenoprof case, just like for XSA-146, include them
+only in debug builds. Since the vPMU code is rather new, allow them to
+be always present, but downgrade them to (rate limited) guest messages.
+
+This is XSA-152.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/cpu/vpmu.c
++++ b/xen/arch/x86/cpu/vpmu.c
+@@ -682,8 +682,8 @@ long do_xenpmu_op(unsigned int op, XEN_G
+ vpmu_mode = pmu_params.val;
+ else if ( vpmu_mode != pmu_params.val )
+ {
+- printk(XENLOG_WARNING
+- "VPMU: Cannot change mode while active VPMUs exist\n");
++ gprintk(XENLOG_WARNING,
++ "VPMU: Cannot change mode while active VPMUs exist\n");
+ ret = -EBUSY;
+ }
+
+@@ -714,8 +714,8 @@ long do_xenpmu_op(unsigned int op, XEN_G
+ vpmu_features = pmu_params.val;
+ else
+ {
+- printk(XENLOG_WARNING "VPMU: Cannot change features while"
+- " active VPMUs exist\n");
++ gprintk(XENLOG_WARNING,
++ "VPMU: Cannot change features while active VPMUs exist\n");
+ ret = -EBUSY;
+ }
+
+--- a/xen/common/xenoprof.c
++++ b/xen/common/xenoprof.c
+@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
+
+ if ( (op < 0) || (op > XENOPROF_last_op) )
+ {
+- printk("xenoprof: invalid operation %d for domain %d\n",
+- op, current->domain->domain_id);
++ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
+ return -EINVAL;
+ }
+
+ if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
+ {
+- printk("xenoprof: dom %d denied privileged operation %d\n",
+- current->domain->domain_id, op);
++ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
+ return -EPERM;
+ }
+
+@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
+ spin_unlock(&xenoprof_lock);
+
+ if ( ret < 0 )
+- printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
+- op,
current->domain->domain_id, ret);
++ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
+
+ return ret;
+ }
diff --git a/main/xen/xsa153-libxl.patch b/main/xen/xsa153-libxl.patch
new file mode 100644
index 0000000000..14a50eb02e
--- /dev/null
+++ b/main/xen/xsa153-libxl.patch
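Review bot: In do_xenoprof_op() the `denied privileged operation` message becomes `gdprintk(XENLOG_DEBUG, ...)`, which per the patch description is included only in debug builds, so a release hypervisor no longer records a guest being refused a privileged xenoprof operation at all. If that refusal is a signal operators want to keep, the vpmu.c hunks of the same patch show the alternative: `gprintk(XENLOG_WARNING, "denied privileged operation %d\n", op);` stays in release builds as a rate-limited guest message. Otherwise a short comment at the `return -EPERM;` saying the silence in release builds is intentional would help the next reader. do_xenoprof_op() begins and ends outside the inner hunks.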
@@ -0,0 +1,86 @@
+From 27593ec62bdad8621df910931349d964a6dbaa8c Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Wed, 21 Oct 2015 16:18:30 +0100
+Subject: [PATCH XSA-153 v3] libxl: adjust PoD target by memory fudge, too
+
+PoD guests need to balloon at least as far as required by PoD, or risk
+crashing. Currently they don't necessarily know what the right value
+is, because our memory accounting is (at the very least) confusing.
+
+Apply the memory limit fudge factor to the in-hypervisor PoD memory
+target, too. This will increase the size of the guest's PoD cache by
+the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures
+that even with a slightly-off balloon driver, the guest will be
+stable even under memory pressure.
+
+There are two call sites of xc_domain_set_pod_target that need fixing:
+
+The one in libxl_set_memory_target is straightforward.
+
+The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply
+setting the PoD target differently does not work because the various
+amounts of memory during domain construction no longer match up.
+Instead, we adjust the guest memory target in xenstore (but only for
+PoD guests).
+
+This introduces a 1Mby discrepancy between the balloon target of a PoD
+guest at boot, and the target set by an apparently-equivalent `xl
+mem-set' (or similar) later. This approach is low-risk for a security
+fix but we need to fix this up properly in xen.git#staging and
+probably also in stable trees.
+
+This is XSA-153.
+
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+---
+ tools/libxl/libxl.c | 2 +-
+ tools/libxl/libxl_dom.c | 9 ++++++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
+index d38d0c7..1366177 100644
+--- a/tools/libxl/libxl.c
++++ b/tools/libxl/libxl.c
+@@ -4815,7 +4815,7 @@ retry_transaction:
+ }
+
+ rc = xc_domain_set_pod_target(ctx->xch, domid,
+- new_target_memkb / 4, NULL, NULL, NULL);
++ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL);
+ if (rc != 0) {
+ LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR,
+ "xc_domain_set_pod_target domid=%d, memkb=%d "
+diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
+index b514377..8019f4e 100644
+--- a/tools/libxl/libxl_dom.c
++++ b/tools/libxl/libxl_dom.c
+@@ -486,6 +486,7 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid,
+ xs_transaction_t t;
+ char **ents;
+ int i, rc;
++ int64_t mem_target_fudge;
+
+ if (info->num_vnuma_nodes && !info->num_vcpu_soft_affinity) {
+ rc = set_vnuma_affinity(gc, domid, info);
+@@ -518,11 +519,17 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid,
+ }
+ }
+
++ mem_target_fudge =
++ (info->type == LIBXL_DOMAIN_TYPE_HVM &&
++ info->max_memkb > info->target_memkb)
++ ? LIBXL_MAXMEM_CONSTANT : 0;
++
+ ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *));
+ ents[0] = "memory/static-max";
+ ents[1] = GCSPRINTF("%"PRId64, info->max_memkb);
+ ents[2] = "memory/target";
+- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb);
++ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb
++ - mem_target_fudge);
+ ents[4] = "memory/videoram";
+ ents[5] = GCSPRINTF("%"PRId64, info->video_memkb);
+ ents[6] = "domid";
+--
+1.7.10.4
+ |
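Review bot: The `xc_domain_set_pod_target()` call in libxl.c now passes `(new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4`, but the `LIBXL__LOG_ERRNO` call that follows (`"xc_domain_set_pod_target domid=%d, memkb=%d "`) has its arguments outside the hunk; if it still prints `new_target_memkb / 4`, the logged value no longer matches what was requested, which makes a failed PoD target change harder to diagnose. Computing the adjusted value once into a local and using it for both the call and the log message would keep them in step. In libxl_dom.c the `mem_target_fudge` condition is what identifies a PoD guest, and it has no comment; `/* PoD guest: HVM with target below maxmem */` above the assignment would say so. Both enclosing functions extend beyond their inner hunks.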