diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2015-06-30 11:51:34 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-07-01 11:46:47 +0000 |
commit | 1ef91d8e6b1d20088a2e5646544cc80c286b906e (patch) | |
tree | 0a02001dc7c3015b7d482f2e53fe524ebb547920 /main/xen | |
parent | a1e44175275f99b81751cbc64f983292dbbbd09f (diff) | |
download | aports-1ef91d8e6b1d20088a2e5646544cc80c286b906e.tar.bz2 aports-1ef91d8e6b1d20088a2e5646544cc80c286b906e.tar.xz |
main/xen: security upgrade to 4.5.1
Diffstat (limited to 'main/xen')
-rw-r--r-- | main/xen/APKBUILD | 74 | ||||
-rw-r--r-- | main/xen/xsa117.patch | 42 | ||||
-rw-r--r-- | main/xen/xsa118-4.5-unstable-1.patch | 253 | ||||
-rw-r--r-- | main/xen/xsa118-4.5-unstable-2.patch | 115 | ||||
-rw-r--r-- | main/xen/xsa119-unstable.patch | 99 | ||||
-rw-r--r-- | main/xen/xsa121.patch | 51 | ||||
-rw-r--r-- | main/xen/xsa122.patch | 40 | ||||
-rw-r--r-- | main/xen/xsa123.patch | 24 | ||||
-rw-r--r-- | main/xen/xsa125.patch | 154 | ||||
-rw-r--r-- | main/xen/xsa126-qemut.patch | 151 | ||||
-rw-r--r-- | main/xen/xsa126-qemuu.patch | 128 | ||||
-rw-r--r-- | main/xen/xsa127-4.x.patch | 50 | ||||
-rw-r--r-- | main/xen/xsa132.patch | 29 | ||||
-rw-r--r-- | main/xen/xsa133-qemut.patch | 80 | ||||
-rw-r--r-- | main/xen/xsa133-qemuu.patch | 84 | ||||
-rw-r--r-- | main/xen/xsa135-qemut-1.patch | 93 | ||||
-rw-r--r-- | main/xen/xsa135-qemut-2.patch | 46 |
17 files changed, 152 insertions, 1361 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 0d85c07262..37145b7efd 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen -pkgver=4.5.0 -pkgrel=1 +pkgver=4.5.1 +pkgrel=0 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64" @@ -17,20 +17,8 @@ makedepends="$depends_dev autoconf automake libtool" install="" subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor" source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz - xsa117.patch - xsa118-4.5-unstable-1.patch - xsa118-4.5-unstable-2.patch - xsa119-unstable.patch - xsa121.patch - xsa122.patch - xsa123.patch - xsa125.patch - xsa126-qemut.patch - xsa126-qemuu.patch - xsa127-4.x.patch - xsa132.patch - xsa133-qemut.patch - xsa133-qemuu.patch + xsa135-qemut-1.patch + xsa135-qemut-2.patch qemu-coroutine-gthread.patch qemu-xen-musl-openpty.patch @@ -199,21 +187,9 @@ hypervisor() { mv "$pkgdir"/boot "$subpkgdir"/ } -md5sums="9bac43d2419d05a647064d9253bb03fa xen-4.5.0.tar.gz -d43cf4b2da680dcf709714863c4f06ed xsa117.patch -27c7fd9e385440bed2d0f33d8f27c065 xsa118-4.5-unstable-1.patch -7816e8ea4718d79e65acd890bb9a6aed xsa118-4.5-unstable-2.patch -a96d0463ddf52699dc908908398d5960 xsa119-unstable.patch -ee80cffba0b858712d1e3eedf5df7775 xsa121.patch -8d46ed3846559a5492f686b4fe0fa4d4 xsa122.patch -4b98895abd06f41cdc2cf0e98ea05308 xsa123.patch -620fb94e090d7d735c3d96310c627972 xsa125.patch -941b4cb7f2a8ba31bf08ab5425891902 xsa126-qemut.patch -1ee5f45ecda3513e8a9708b2edf5141d xsa126-qemuu.patch -c7d2d6913945100b5048e5149d0f6af2 xsa127-4.x.patch -896d814b803427d72781cd9a1e11ebd2 xsa132.patch -c1b7aaa9c5e729b61712d27d1f9fae6a xsa133-qemut.patch -fdb8ba32313a5b8088773ffcfd865ae7 xsa133-qemuu.patch +md5sums="d12dc9e5e8bd22a68b5c7f53119221f1 xen-4.5.1.tar.gz +8035908817374d2d32aaadf942e3391d xsa135-qemut-1.patch +462f5d784493119bdfa6e7b5a628a88d xsa135-qemut-2.patch de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch 08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch @@ -236,21 +212,9 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate 6a2f777c16678d84039acf670d86fff6 xenqemu.confd e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd" -sha256sums="5bdb40e2b28d2eeb541bd71a9777f40cbe2ae444b987521d33f099541a006f3b xen-4.5.0.tar.gz -5d7c1ec3bd604ed49999a56fefeebda1206f424b1b48c0e44899f13bc1e55cd0 xsa117.patch -ee24a4c5e12b67d7539f08b644080c87797f31b4402215cd4efbbc6114bffc25 xsa118-4.5-unstable-1.patch -bd532e3cd535fcdea51f43631a519012baff068cb62d2205fc25f2c823f031eb xsa118-4.5-unstable-2.patch -ee44c8f6a7cf3ca7b2d9886047b91690aaa2b091baf8629d8ab4c298022c6c47 xsa119-unstable.patch -e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268 xsa121.patch -13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47 xsa122.patch -994cf1487ec5c455fce4877168901e03283f0002062dcff8895a17ca30e010df xsa123.patch -be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de xsa125.patch -791c288379fcd8b30ee473d42f1113c8ffa5f244dd82df9db6cc4597c81155b7 xsa126-qemut.patch -bbb8c840f3ef182508cff36803d861f15923325075ccc58801673b23dfc1a169 xsa126-qemuu.patch -e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd xsa127-4.x.patch -329d4edf1e1133795ece41f2fc8887c5f4cc06b42ced63c810c610b17bcee46d xsa132.patch -8d8c82fedf4beb6ad1a27002c1d3fb3031e43a732316e2049ec5d04939c159bc xsa133-qemut.patch -032481a153d80192112e42f704dc7180aeb995a12d3ddef0efec4eb87c044079 xsa133-qemuu.patch +sha256sums="668c11d4fca67ac44329e369f810356eacd37b28d28fb96e66aac77f3c5e1371 xen-4.5.1.tar.gz +b4b66d772e52ec35f7256b168ac68f5cf0901590112b3b4db860d1b9c2f513f6 xsa135-qemut-1.patch +0d98a8c4498390a93665872dea9b4b00781578e95e6c78a49632bacb5f70edb8 xsa135-qemut-2.patch 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch @@ -273,21 +237,9 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd" -sha512sums="31621fbaf621ad350125d03366ecff4dec5d810b0c1242ca0e28788f7556ac1443d7ee9247e1f76dec07e148e0b4ae16d08a7c10101bb78d6529375f3e40998e xen-4.5.0.tar.gz -517dfa702d6c80816d27bbc8fb55e6cd72856e157e6a18ff2d13b310f9173f8bb23940e43bb85acf41fd035e7415597f237c1d2805c87ff1e5c37c49ab4d4ed0 xsa117.patch -4074546aab41f9a9093b0bc1124e02d443402c1976484797c3ef59bc5cfa84202e22c5247eb99b0f0a7b0918a6d79ff612b1c59f0e5154bc79926c553e784f91 xsa118-4.5-unstable-1.patch -5a11cac98ee70d3bfc86a9096b2007c0bbf000b4abf6e53aaf7cb574ac59dcc39a31585bf85f58349b3c94535ef3abf0ddfced20af723dcc4a03a288dfc550a6 xsa118-4.5-unstable-2.patch -96c782934f52a1e541909270e88f38b22335ccb20562cefa068ad2b6713011cdeb0cb9d3ad9523a6ae1c52703b62f57fae53a7986b518a73a094719475a2e9db xsa119-unstable.patch -c58967af871518340745fd9023822ec4cc42c90c7f99f5e91eaec2da33476f50819ac84f70a38bafcd26cd60909ea9f54920606ec970150e3c2b5b28ee021883 xsa121.patch -723e9c2d12a5c6a9acac3c3feba06cb811e9af4949d6b5f75814fff89fef7e53bc90fe1562b70a5983f72ec623fe14fb2f83f4b23039cf83f50c9cc337ab22d3 xsa122.patch -1ebcfa74a1922656584fdd6c46563a88e7e76320e6605bdda837f8710872e5b2144c86a57c8246e7b33c7b7f344ce068807a7da5ecbc07c231ae61959e43290d xsa123.patch -cf05a33319018093003a72d3187d361c893490cd6728b9a3e3adf2d925287c838eae16554f8f5d4e2ffef3199e3da28ff7573fa5211b2246f0d3d2da30ff5130 xsa125.patch -b65565d1e8fd0a41a683c22664cc024b9193f733f7029a4421730a63c23190ff4d6d3afb7bfddcccd290c8986b866d989e6ddfa9c5d99f6aa73e0516c2d2d511 xsa126-qemut.patch -5ade1fb69e48d12b60fc867b00a59dcd94d3db264c9f3cf6937551ef142fd37285ba59b81b95883f16b21d287fda5eef5f114df155fef059ba97535168fd358a xsa126-qemuu.patch -598761b014cf17fa9ee1ac56ad7cf5c27cda208e180b471d2946a14079886c60448c6f2e7e0633bd1d85b5737af2a4e76b7377e58726f617e982c5c5395f03d9 xsa127-4.x.patch -23d4fb293c678b8b0a6c48cbd696761bd35179e56c7d9b1d8090006241e33dc5cc4d77a2598f27dd3943a9d13a38c6b21714d2a639e6f9c0d86a0a5c747becee xsa132.patch -a06bf522ab6076fbb5869e9a5f1aba37d41fba21d8a327b85ea315ca8814cb959fef2d3458c7f6d2b758eb5a4b7b54ed81b14bb80512205eb2a90d46ca432f95 xsa133-qemut.patch -fc97003d6817fa44dac7e72db1b5bdb0905a138d65caf12f8b1e3cd5855b3b8d441caf95f7c902f36b4c21c862148ab31e45b6ef1ffd22c25875a04cb29c9911 xsa133-qemuu.patch +sha512sums="9436243e26bc64bc836a179abdc3a6b1b6fa9d3f2170453092c18be71fa62e18cd4465a9154c0f28a7ac8d69d08361ba1defef240a51197f058c012c3855ba04 xen-4.5.1.tar.gz +68824ec4d8a201c9687bd2de82489730908a70914243067f9e76a2584ce73212fd55ec00d6cf1301f7d1c73e32c9e46a93d3da4a6a61781ddec4f863190fb02b xsa135-qemut-1.patch +c29683569affcef4d45ec510b0b8b6d7c4466fc3026005b0612876ce1b7dc52ead77880a3204b5df78d836bdf197b872780c67afd49a895f9f7a47aabf3d9064 xsa135-qemut-2.patch c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch diff --git a/main/xen/xsa117.patch b/main/xen/xsa117.patch deleted file mode 100644 index aa04fe45c0..0000000000 --- a/main/xen/xsa117.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001 -From: Julien Grall <julien.grall@linaro.org> -Date: Fri, 23 Jan 2015 14:15:07 +0000 -Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI - target mode is invalid - -The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter. - -Even if it's an invalid value, a malicious guest could write this value -and threfore crash the hypervisor. - -Replace the BUG() by logging the error and inject a data abort to the guest. - -This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7 -"xen/arm: split vgic driver into generic and vgic-v2 driver". - -This is CVE-2015-0268 / XSA-117. - -Signed-off-by: Julien Grall <julien.grall@linaro.org> ---- - xen/arch/arm/vgic-v2.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c -index 598bf06..9dc9a20 100644 ---- a/xen/arch/arm/vgic-v2.c -+++ b/xen/arch/arm/vgic-v2.c -@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir) - sgi_mode = SGI_TARGET_SELF; - break; - default: -- BUG(); -+ printk(XENLOG_G_DEBUG -+ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n", -+ v, sgir); -+ return 0; - } - - return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask); --- -2.1.4 - diff --git a/main/xen/xsa118-4.5-unstable-1.patch b/main/xen/xsa118-4.5-unstable-1.patch deleted file mode 100644 index a714c8306e..0000000000 --- a/main/xen/xsa118-4.5-unstable-1.patch +++ /dev/null @@ -1,253 +0,0 @@ -From e698f4ab05a710e4463317ea978d426d43107e27 Mon Sep 17 00:00:00 2001 -From: Julien Grall <julien.grall@linaro.org> -Date: Mon, 19 Jan 2015 14:01:09 +0000 -Subject: [PATCH 1/2] xen/arm: vgic-v3: message in the emulation code should be - rate-limited - -printk by default is not rate-limited by default. Therefore a malicious guest -may be able to flood the Xen console. - -If we use gdprintk, unnecessary information will be printed such as the -filename and the line. Instead use XENLOG_G_{ERR,DEBUG} combine with %pv. - -Also remove the vGICv3 prefix which is not neccessary and update some -message which were wrong. - -Signed-off-by: Julien Grall <julien.grall@linaro.org> ---- - xen/arch/arm/vgic-v3.c | 109 +++++++++++++++++++++++++++---------------------- - 1 file changed, 61 insertions(+), 48 deletions(-) - -diff --git a/xen/arch/arm/vgic-v3.c b/xen/arch/arm/vgic-v3.c -index ae4482c..bece189 100644 ---- a/xen/arch/arm/vgic-v3.c -+++ b/xen/arch/arm/vgic-v3.c -@@ -168,13 +168,14 @@ static int __vgic_v3_rdistr_rd_mmio_read(struct vcpu *v, mmio_info_t *info, - /* Reserved0 */ - goto read_as_zero; - default: -- printk("vGICv3: vGICR: read r%d offset %#08x\n not found", -- dabt.reg, gicr_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICR: read r%d offset %#08x\n not found", -+ v, dabt.reg, gicr_reg); - return 0; - } - bad_width: -- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n", -- dabt.size, dabt.reg, gicr_reg); -+ printk(XENLOG_G_ERR "%pv vGICR: bad read width %d r%d offset %#08x\n", -+ v, dabt.size, dabt.reg, gicr_reg); - domain_crash_synchronous(); - return 0; - -@@ -244,12 +245,14 @@ static int __vgic_v3_rdistr_rd_mmio_write(struct vcpu *v, mmio_info_t *info, - /* RO */ - goto write_ignore; - default: -- printk("vGICR: write r%d offset %#08x\n not found", dabt.reg, gicr_reg); -+ printk(XENLOG_G_ERR "%pv: vGICR: write r%d offset %#08x\n not found", -+ v, dabt.reg, gicr_reg); - return 0; - } - bad_width: -- printk("vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n", -- dabt.size, dabt.reg, *r, gicr_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.size, dabt.reg, *r, gicr_reg); - domain_crash_synchronous(); - return 0; - -@@ -345,15 +348,16 @@ static int __vgic_v3_distr_common_mmio_read(struct vcpu *v, mmio_info_t *info, - vgic_unlock_rank(v, rank, flags); - return 1; - default: -- printk("vGICv3: vGICD/vGICR: unhandled read r%d offset %#08x\n", -- dabt.reg, reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD/vGICR: unhandled read r%d offset %#08x\n", -+ v, dabt.reg, reg); - return 0; - } - - bad_width: -- dprintk(XENLOG_ERR, -- "vGICv3: vGICD/vGICR: bad read width %d r%d offset %#08x\n", -- dabt.size, dabt.reg, reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD/vGICR: bad read width %d r%d offset %#08x\n", -+ v, dabt.size, dabt.reg, reg); - domain_crash_synchronous(); - return 0; - -@@ -458,15 +462,16 @@ static int __vgic_v3_distr_common_mmio_write(struct vcpu *v, mmio_info_t *info, - vgic_unlock_rank(v, rank, flags); - return 1; - default: -- printk("vGICv3: vGICD/vGICR: unhandled write r%d " -- "=%"PRIregister" offset %#08x\n", dabt.reg, *r, reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD/vGICR: unhandled write r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.reg, *r, reg); - return 0; - } - - bad_width: -- dprintk(XENLOG_ERR, -- "vGICv3: vGICD/vGICR: bad write width %d r%d=%"PRIregister" " -- "offset %#08x\n", dabt.size, dabt.reg, *r, reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD/vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.size, dabt.reg, *r, reg); - domain_crash_synchronous(); - return 0; - -@@ -521,13 +526,14 @@ static int vgic_v3_rdistr_sgi_mmio_read(struct vcpu *v, mmio_info_t *info, - if ( dabt.size != DABT_WORD ) goto bad_width; - return 1; - default: -- printk("vGICv3: vGICR: read r%d offset %#08x\n not found", -- dabt.reg, gicr_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICR: SGI: read r%d offset %#08x\n not found", -+ v, dabt.reg, gicr_reg); - return 0; - } - bad_width: -- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n", -- dabt.size, dabt.reg, gicr_reg); -+ printk(XENLOG_G_ERR "%pv: vGICR: SGI: bad read width %d r%d offset %#08x\n", -+ v, dabt.size, dabt.reg, gicr_reg); - domain_crash_synchronous(); - return 0; - -@@ -585,14 +591,16 @@ static int vgic_v3_rdistr_sgi_mmio_write(struct vcpu *v, mmio_info_t *info, - /* We do not implement security extensions for guests, write ignore */ - goto write_ignore; - default: -- printk("vGICv3: vGICR SGI: write r%d offset %#08x\n not found", -- dabt.reg, gicr_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICR: SGI: write r%d offset %#08x\n not found", -+ v, dabt.reg, gicr_reg); - return 0; - } - - bad_width: -- printk("vGICR SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n", -- dabt.size, dabt.reg, *r, gicr_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICR: SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.size, dabt.reg, *r, gicr_reg); - domain_crash_synchronous(); - return 0; - -@@ -618,9 +626,9 @@ static int vgic_v3_rdistr_mmio_read(struct vcpu *v, mmio_info_t *info) - else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) ) - return vgic_v3_rdistr_sgi_mmio_read(v, info, (offset - SZ_64K)); - else -- gdprintk(XENLOG_WARNING, -- "vGICv3: vGICR: unknown gpa read address %"PRIpaddr"\n", -- info->gpa); -+ printk(XENLOG_G_WARNING -+ "%pv: vGICR: unknown gpa read address %"PRIpaddr"\n", -+ v, info->gpa); - - return 0; - } -@@ -642,9 +650,9 @@ static int vgic_v3_rdistr_mmio_write(struct vcpu *v, mmio_info_t *info) - else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) ) - return vgic_v3_rdistr_sgi_mmio_write(v, info, (offset - SZ_64K)); - else -- gdprintk(XENLOG_WARNING, -- "vGICV3: vGICR: unknown gpa write address %"PRIpaddr"\n", -- info->gpa); -+ printk(XENLOG_G_WARNING -+ "%pv: vGICR: unknown gpa write address %"PRIpaddr"\n", -+ v, info->gpa); - - return 0; - } -@@ -770,18 +778,19 @@ static int vgic_v3_distr_mmio_read(struct vcpu *v, mmio_info_t *info) - case 0xf30 ... 0x5fcc: - case 0x8000 ... 0xbfcc: - /* These are reserved register addresses */ -- printk("vGICv3: vGICD: read unknown 0x00c .. 0xfcc r%d offset %#08x\n", -- dabt.reg, gicd_reg); -+ printk(XENLOG_G_DEBUG -+ "%pv: vGICD: RAZ on reserved register offset %#08x\n", -+ v, gicd_reg); - goto read_as_zero; - default: -- printk("vGICv3: vGICD: unhandled read r%d offset %#08x\n", -- dabt.reg, gicd_reg); -+ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n", -+ v, dabt.reg, gicd_reg); - return 0; - } - - bad_width: -- dprintk(XENLOG_ERR, "vGICv3: vGICD: bad read width %d r%d offset %#08x\n", -- dabt.size, dabt.reg, gicd_reg); -+ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n", -+ v, dabt.size, dabt.reg, gicd_reg); - domain_crash_synchronous(); - return 0; - -@@ -840,8 +849,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - case 0x020 ... 0x03c: - case 0xc000 ... 0xffcc: - /* Implementation defined -- write ignored */ -- printk("vGICv3: vGICD: write unknown 0x020 - 0x03c r%d offset %#08x\n", -- dabt.reg, gicd_reg); -+ printk(XENLOG_G_DEBUG -+ "%pv: vGICD: WI on implementation defined register offset %#08x\n", -+ v, gicd_reg); - goto write_ignore; - case GICD_IGROUPR ... GICD_IGROUPRN: - case GICD_ISENABLER ... GICD_ISENABLERN: -@@ -885,8 +895,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - new_target = new_irouter & MPIDR_AFF0_MASK; - if ( new_target >= v->domain->max_vcpus ) - { -- printk("vGICv3: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x", -- gicd_reg, new_target, v->domain->max_vcpus); -+ printk(XENLOG_G_DEBUG -+ "%pv: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x", -+ v, gicd_reg, new_target, v->domain->max_vcpus); - vgic_unlock_rank(v, rank, flags); - return 0; - } -@@ -926,19 +937,21 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - case 0xf30 ... 0x5fcc: - case 0x8000 ... 0xbfcc: - /* Reserved register addresses */ -- printk("vGICv3: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n", -- dabt.reg, gicd_reg); -+ printk(XENLOG_G_DEBUG -+ "%pv: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n", -+ v, dabt.reg, gicd_reg); - goto write_ignore; - default: -- printk("vGICv3: vGICD: unhandled write r%d=%"PRIregister" " -- "offset %#08x\n", dabt.reg, *r, gicd_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.reg, *r, gicd_reg); - return 0; - } - - bad_width: -- dprintk(XENLOG_ERR, -- "VGICv3: vGICD: bad write width %d r%d=%"PRIregister" " -- "offset %#08x\n", dabt.size, dabt.reg, *r, gicd_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.size, dabt.reg, *r, gicd_reg); - domain_crash_synchronous(); - return 0; - --- -2.1.4 - diff --git a/main/xen/xsa118-4.5-unstable-2.patch b/main/xen/xsa118-4.5-unstable-2.patch deleted file mode 100644 index 621b739b4a..0000000000 --- a/main/xen/xsa118-4.5-unstable-2.patch +++ /dev/null @@ -1,115 +0,0 @@ -From e8fa469595e29b2dbe6dde3a77ee2ea2d9e93283 Mon Sep 17 00:00:00 2001 -From: Julien Grall <julien.grall@linaro.org> -Date: Mon, 19 Jan 2015 12:59:42 +0000 -Subject: [PATCH 2/2] xen/arm: vgic-v2: message in the emulation code should be - rate-limited - -printk is not rated-limited by default. Therefore a malicious guest may -be able to flood the Xen console. - -If we use gdprintk, unecessary information will be printed such as the -filename and the line. Instead use XENLOG_G_ERR combine with %pv. - -Signed-off-by: Julien Grall <julien.grall@linaro.org> ---- - xen/arch/arm/vgic-v2.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c -index 9dc9a20..3b87f54 100644 ---- a/xen/arch/arm/vgic-v2.c -+++ b/xen/arch/arm/vgic-v2.c -@@ -198,7 +198,7 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info) - - case GICD_ICPIDR2: - if ( dabt.size != DABT_WORD ) goto bad_width; -- printk("vGICD: unhandled read from ICPIDR2\n"); -+ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v); - return 0; - - /* Implementation defined -- read as zero */ -@@ -215,14 +215,14 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info) - goto read_as_zero; - - default: -- printk("vGICD: unhandled read r%d offset %#08x\n", -- dabt.reg, gicd_reg); -+ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n", -+ v, dabt.reg, gicd_reg); - return 0; - } - - bad_width: -- printk("vGICD: bad read width %d r%d offset %#08x\n", -- dabt.size, dabt.reg, gicd_reg); -+ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n", -+ v, dabt.size, dabt.reg, gicd_reg); - domain_crash_synchronous(); - return 0; - -@@ -331,14 +331,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - - case GICD_ISPENDR ... GICD_ISPENDRN: - if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n", -- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n", -+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR); - return 0; - - case GICD_ICPENDR ... GICD_ICPENDRN: - if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n", -- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n", -+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR); - return 0; - - case GICD_ISACTIVER ... GICD_ISACTIVERN: -@@ -457,14 +459,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - - case GICD_CPENDSGIR ... GICD_CPENDSGIRN: - if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n", -- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n", -+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR); - return 0; - - case GICD_SPENDSGIR ... GICD_SPENDSGIRN: - if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n", -- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n", -+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR); - return 0; - - /* Implementation defined -- write ignored */ -@@ -489,14 +493,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - goto write_ignore; - - default: -- printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", -- dabt.reg, *r, gicd_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.reg, *r, gicd_reg); - return 0; - } - - bad_width: -- printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", -- dabt.size, dabt.reg, *r, gicd_reg); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.size, dabt.reg, *r, gicd_reg); - domain_crash_synchronous(); - return 0; - --- -2.1.4 - diff --git a/main/xen/xsa119-unstable.patch b/main/xen/xsa119-unstable.patch deleted file mode 100644 index f696eb5b6e..0000000000 --- a/main/xen/xsa119-unstable.patch +++ /dev/null @@ -1,99 +0,0 @@ -From f433bfafbaf7d8a41c4c27aa3e8e78b1ab900b69 Mon Sep 17 00:00:00 2001 -From: Ian Campbell <ian.campbell@citrix.com> -Date: Fri, 20 Feb 2015 14:41:09 +0000 -Subject: [PATCH] tools: libxl: Explicitly disable graphics backends on qemu - cmdline - -By default qemu will try to create some sort of backend for the -emulated VGA device, either SDL or VNC. - -However when the user specifies sdl=0 and vnc=0 in their configuration -libxl was not explicitly disabling either backend, which could lead to -one unexpectedly running. - -If either sdl=1 or vnc=1 is configured then both before and after this -change only the backends which are explicitly enabled are configured, -i.e. this issue only occurs when all backends are supposed to have -been disabled. - -This affects qemu-xen and qemu-xen-traditional differently. - -If qemu-xen was compiled with SDL support then this would result in an -SDL window being opened if $DISPLAY is valid, or a failure to start -the guest if not. Passing "-display none" to qemu before any further --sdl options disables this default behaviour and ensures that SDL is -only started if the libxl configuration demands it. - -If qemu-xen was compiled without SDL support then qemu would instead -start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1 -(IPv4 localhost) with IPv6 preferred if available. Explicitly pass -"-vnc none" when vnc is not enabled in the libxl configuration to -remove this possibility. - -qemu-xen-traditional would never start a vnc backend unless asked. -However by default it will start an SDL backend, the way to disable -this is to pass a -vnc option. In other words passing "-vnc none" will -disable both vnc and sdl by default. sdl can then be reenabled if -configured by subsequent use of the -sdl option. - -Tested with both qemu-xen and qemu-xen-traditional built with SDL -support and: - xl cr # defaults - xl cr sdl=0 vnc=0 - xl cr sdl=1 vnc=0 - xl cr sdl=0 vnc=1 - xl cr sdl=0 vnc=0 vga=\"none\" - xl cr sdl=0 vnc=0 nographic=1 -with both valid and invalid $DISPLAY. - -This is XSA-119. - -Reported-by: Sander Eikelenboom <linux@eikelenboom.it> -Signed-off-by: Ian Campbell <ian.campbell@citrix.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> ---- - tools/libxl/libxl_dm.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c -index 8599a6a..3b918c6 100644 ---- a/tools/libxl/libxl_dm.c -+++ b/tools/libxl/libxl_dm.c -@@ -180,7 +180,14 @@ static char ** libxl__build_device_model_args_old(libxl__gc *gc, - if (libxl_defbool_val(vnc->findunused)) { - flexarray_append(dm_args, "-vncunused"); - } -- } -+ } else -+ /* -+ * VNC is not enabled by default by qemu-xen-traditional, -+ * however passing -vnc none causes SDL to not be -+ * (unexpectedly) enabled by default. This is overridden by -+ * explicitly passing -sdl below as required. -+ */ -+ flexarray_append_pair(dm_args, "-vnc", "none"); - - if (sdl) { - flexarray_append(dm_args, "-sdl"); -@@ -522,7 +529,17 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, - } - - flexarray_append(dm_args, vncarg); -- } -+ } else -+ /* -+ * Ensure that by default no vnc server is created. -+ */ -+ flexarray_append_pair(dm_args, "-vnc", "none"); -+ -+ /* -+ * Ensure that by default no display backend is created. Further -+ * options given below might then enable more. -+ */ -+ flexarray_append_pair(dm_args, "-display", "none"); - - if (sdl) { - flexarray_append(dm_args, "-sdl"); --- -2.1.4 - diff --git a/main/xen/xsa121.patch b/main/xen/xsa121.patch deleted file mode 100644 index f3d1397d6d..0000000000 --- a/main/xen/xsa121.patch +++ /dev/null @@ -1,51 +0,0 @@ -x86/HVM: return all ones on wrong-sized reads of system device I/O ports - -So far the value presented to the guest remained uninitialized. - -This is CVE-2015-2044 / XSA-121. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/arch/x86/hvm/i8254.c -+++ b/xen/arch/x86/hvm/i8254.c -@@ -486,6 +486,7 @@ static int handle_pit_io( - if ( bytes != 1 ) - { - gdprintk(XENLOG_WARNING, "PIT bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- a/xen/arch/x86/hvm/pmtimer.c -+++ b/xen/arch/x86/hvm/pmtimer.c -@@ -213,6 +213,7 @@ static int handle_pmt_io( - if ( bytes != 4 ) - { - gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- a/xen/arch/x86/hvm/rtc.c -+++ b/xen/arch/x86/hvm/rtc.c -@@ -703,7 +703,8 @@ static int handle_rtc_io( - - if ( bytes != 1 ) - { -- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n"); -+ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- a/xen/arch/x86/hvm/vpic.c -+++ b/xen/arch/x86/hvm/vpic.c -@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io( - if ( bytes != 1 ) - { - gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes); -+ *val = ~0; - return X86EMUL_OKAY; - } - diff --git a/main/xen/xsa122.patch b/main/xen/xsa122.patch deleted file mode 100644 index 1e58965b54..0000000000 --- a/main/xen/xsa122.patch +++ /dev/null @@ -1,40 +0,0 @@ -pre-fill structures for certain HYPERVISOR_xen_version sub-ops - -... avoiding to pass hypervisor stack contents back to the caller -through space unused by the respective strings. - -This is CVE-2015-2045 / XSA-122. - -Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com> -Acked-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/common/kernel.c -+++ b/xen/common/kernel.c -@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_extraversion: - { - xen_extraversion_t extraversion; -+ -+ memset(extraversion, 0, sizeof(extraversion)); - safe_strcpy(extraversion, xen_extra_version()); - if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) ) - return -EFAULT; -@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_compile_info: - { - struct xen_compile_info info; -+ -+ memset(&info, 0, sizeof(info)); - safe_strcpy(info.compiler, xen_compiler()); - safe_strcpy(info.compile_by, xen_compile_by()); - safe_strcpy(info.compile_domain, xen_compile_domain()); -@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_changeset: - { - xen_changeset_info_t chgset; -+ -+ memset(chgset, 0, sizeof(chgset)); - safe_strcpy(chgset, xen_changeset()); - if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) ) - return -EFAULT; diff --git a/main/xen/xsa123.patch b/main/xen/xsa123.patch deleted file mode 100644 index 653996d317..0000000000 --- a/main/xen/xsa123.patch +++ /dev/null @@ -1,24 +0,0 @@ -x86emul: fully ignore segment override for register-only operations - -For ModRM encoded instructions with register operands we must not -overwrite ea.mem.seg (if a - bogus in that case - segment override was -present) as it aliases with ea.reg. - -This is CVE-2015-2151 / XSA-123. - -Reported-by: Felix Wilhelm <fwilhelm@ernw.de> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tim Deegan <tim@xen.org> -Reviewed-by: Keir Fraser <keir@xen.org> - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1757,7 +1757,7 @@ x86_emulate( - } - } - -- if ( override_seg != -1 ) -+ if ( override_seg != -1 && ea.type == OP_MEM ) - ea.mem.seg = override_seg; - - /* Early operand adjustments. */ diff --git a/main/xen/xsa125.patch b/main/xen/xsa125.patch deleted file mode 100644 index ad5dbb31c2..0000000000 --- a/main/xen/xsa125.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 98670acc98cad5aee0e0714694a64d3b96675c36 Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Wed, 19 Nov 2014 12:57:11 -0500 -Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to only process up - to 64 GFNs (or less) - -Said hypercall for large BARs can take quite a while. As such -we can require that the hypercall MUST break up the request -in smaller values. - -Another approach is to add preemption to it - whether we do the -preemption using hypercall_create_continuation or returning -EAGAIN to userspace (and have it re-invocate the call) - either -way the issue we cannot easily solve is that in 'map_mmio_regions' -if we encounter an error we MUST call 'unmap_mmio_regions' for the -whole BAR region. - -Since the preemption would re-use input fields such as nr_mfns, -first_gfn, first_mfn - we would lose the original values - -and only undo what was done in the current round (i.e. ignoring -anything that was done prior to earlier preemptions). - -Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but -that puts a limit (since the return value is a long) on the amount -of nr_mfns that can provided. - -This patch sidesteps this problem by: - - Setting an hard limit of nr_mfns having to be 64 or less. - - Toolstack adjusts correspondingly to the nr_mfn limit. - - If the there is an error when adding the toolstack will call the - remove operation to remove the whole region. - -The need to break this hypercall down is for large BARs can take -more than the guest (initial domain usually) time-slice. This has -the negative result in that the guest is locked out for a long -duration and is unable to act on any pending events. - -We also augment the code to return zero if nr_mfns instead -of trying to the hypercall. - -Suggested-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Jan Beulich <jbeulich@suse.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> ---- -[v50: Simplify loop] -[v51: If max_batch_sz 1 (or less) we would return zero. Fix that] -[v52: Handle nr_mfns being zero] -[v53: Fix up return value] ---- - tools/libxc/xc_domain.c | 46 +++++++++++++++++++++++++++++++++++++++++---- - xen/common/domctl.c | 5 +++++ - xen/include/public/domctl.h | 1 + - 3 files changed, 48 insertions(+), 4 deletions(-) - -diff --git a/tools/libxc/xc_domain.c b/tools/libxc/xc_domain.c -index 845d1d7..bba7672 100644 ---- a/tools/libxc/xc_domain.c -+++ b/tools/libxc/xc_domain.c -@@ -1988,6 +1988,8 @@ int xc_domain_memory_mapping( - { - DECLARE_DOMCTL; - xc_dominfo_t info; -+ int ret = 0, err; -+ unsigned long done = 0, nr, max_batch_sz; - - if ( xc_domain_getinfo(xch, domid, 1, &info) != 1 || - info.domid != domid ) -@@ -1998,14 +2000,50 @@ int xc_domain_memory_mapping( - if ( !xc_core_arch_auto_translated_physmap(&info) ) - return 0; - -+ if ( !nr_mfns ) -+ return 0; -+ - domctl.cmd = XEN_DOMCTL_memory_mapping; - domctl.domain = domid; -- domctl.u.memory_mapping.first_gfn = first_gfn; -- domctl.u.memory_mapping.first_mfn = first_mfn; -- domctl.u.memory_mapping.nr_mfns = nr_mfns; - domctl.u.memory_mapping.add_mapping = add_mapping; -+ max_batch_sz = nr_mfns; -+ do -+ { -+ nr = min(nr_mfns - done, max_batch_sz); -+ domctl.u.memory_mapping.nr_mfns = nr; -+ domctl.u.memory_mapping.first_gfn = first_gfn + done; -+ domctl.u.memory_mapping.first_mfn = first_mfn + done; -+ err = do_domctl(xch, &domctl); -+ if ( err && errno == E2BIG ) -+ { -+ if ( max_batch_sz <= 1 ) -+ break; -+ max_batch_sz >>= 1; -+ continue; -+ } -+ /* Save the first error... */ -+ if ( !ret ) -+ ret = err; -+ /* .. and ignore the rest of them when removing. */ -+ if ( err && add_mapping != DPCI_REMOVE_MAPPING ) -+ break; - -- return do_domctl(xch, &domctl); -+ done += nr; -+ } while ( done < nr_mfns ); -+ -+ /* -+ * Undo what we have done unless unmapping, by unmapping the entire region. -+ * Errors here are ignored. -+ */ -+ if ( ret && add_mapping != DPCI_REMOVE_MAPPING ) -+ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns, -+ DPCI_REMOVE_MAPPING); -+ -+ /* We might get E2BIG so many times that we never advance. */ -+ if ( !done && !ret ) -+ ret = -1; -+ -+ return ret; - } - - int xc_domain_ioport_mapping( -diff --git a/xen/common/domctl.c b/xen/common/domctl.c -index d396cc4..c2e60a7 100644 ---- a/xen/common/domctl.c -+++ b/xen/common/domctl.c -@@ -1027,6 +1027,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -+ ret = -E2BIG; -+ /* Must break hypercall up as this could take a while. */ -+ if ( nr_mfns > 64 ) -+ break; -+ - ret = -EPERM; - if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || - !iomem_access_permitted(d, mfn, mfn_end) ) -diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h -index ca0e51e..0c9f474 100644 ---- a/xen/include/public/domctl.h -+++ b/xen/include/public/domctl.h -@@ -543,6 +543,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_pt_irq_t); - - - /* Bind machine I/O address range -> HVM address range. */ -+/* If this returns -E2BIG lower nr_mfns value. */ - /* XEN_DOMCTL_memory_mapping */ - #define DPCI_ADD_MAPPING 1 - #define DPCI_REMOVE_MAPPING 0 --- -2.1.0 - diff --git a/main/xen/xsa126-qemut.patch b/main/xen/xsa126-qemut.patch deleted file mode 100644 index 796ff9e541..0000000000 --- a/main/xen/xsa126-qemut.patch +++ /dev/null @@ -1,151 +0,0 @@ -xen: limit guest control of PCI command register - -Otherwise the guest can abuse that control to cause e.g. PCIe -Unsupported Request responses (by disabling memory and/or I/O decoding -and subsequently causing [CPU side] accesses to the respective address -ranges), which (depending on system configuration) may be fatal to the -host. - -This is CVE-2015-2756 / XSA-126. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/tools/qemu-xen-traditional/hw/pass-through.c -+++ b/tools/qemu-xen-traditional/hw/pass-through.c -@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de - static int pt_long_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask); - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); -@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg - .size = 2, - .init_val = 0x0000, - .ro_mask = 0xF880, -- .emu_mask = 0x0740, -+ .emu_mask = 0x0743, - .init = pt_common_reg_init, -- .u.w.read = pt_cmd_reg_read, -+ .u.w.read = pt_word_reg_read, - .u.w.write = pt_cmd_reg_write, - .u.w.restore = pt_cmd_reg_restore, - }, -@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d - return rc; - } - --static int pt_register_regions(struct pt_dev *assigned_device) -+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd) - { - int i = 0; - uint32_t bar_data = 0; -@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt - - /* Register current region */ - if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO, - pt_ioport_map); -+ *cmd |= PCI_COMMAND_IO; -+ } - else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - else -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - - PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n", - (uint32_t)(pci_dev->size[i]), -@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de - return 0; - } - --/* read Command register */ --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask) --{ -- struct pt_reg_info_tbl *reg = cfg_entry->reg; -- uint16_t valid_emu_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; -- -- /* emulate word register */ -- valid_emu_mask = emu_mask & valid_mask; -- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); -- -- return 0; --} -- - /* read BAR */ - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, -@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de - uint16_t writable_mask = 0; - uint16_t throughable_mask = 0; - uint16_t wr_value = *value; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; - - /* modify emulate register */ - writable_mask = ~reg->ro_mask & valid_mask; - cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask); - - /* create value for writing to I/O device register */ -- throughable_mask = ~emu_mask & valid_mask; -+ throughable_mask = ~reg->emu_mask & valid_mask; - - if (*value & PCI_COMMAND_DISABLE_INTx) - { -@@ -4211,6 +4190,7 @@ static struct pt_dev * register_real_dev - struct pt_dev *assigned_device = NULL; - struct pci_dev *pci_dev; - uint8_t e_device, e_intx; -+ uint16_t cmd = 0; - char *key, *val; - int msi_translate, power_mgmt; - -@@ -4300,7 +4280,7 @@ static struct pt_dev * register_real_dev - assigned_device->dev.config[i] = pci_read_byte(pci_dev, i); - - /* Handle real device's MMIO/PIO BARs */ -- pt_register_regions(assigned_device); -+ pt_register_regions(assigned_device, &cmd); - - /* Setup VGA bios for passthroughed gfx */ - if ( setup_vga_pt(assigned_device) < 0 ) -@@ -4378,6 +4358,10 @@ static struct pt_dev * register_real_dev - } - - out: -+ if (cmd) -+ pci_write_word(pci_dev, PCI_COMMAND, -+ *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd); -+ - PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n" - "IRQ type = %s\n", r_bus, r_dev, r_func, - assigned_device->msi_trans_en? "MSI-INTx":"INTx"); diff --git a/main/xen/xsa126-qemuu.patch b/main/xen/xsa126-qemuu.patch deleted file mode 100644 index 84fd4ae340..0000000000 --- a/main/xen/xsa126-qemuu.patch +++ /dev/null @@ -1,128 +0,0 @@ -xen: limit guest control of PCI command register - -Otherwise the guest can abuse that control to cause e.g. PCIe -Unsupported Request responses (by disabling memory and/or I/O decoding -and subsequently causing [CPU side] accesses to the respective address -ranges), which (depending on system configuration) may be fatal to the -host. - -This is CVE-2015-2756 / XSA-126. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/tools/qemu-xen/hw/xen/xen_pt.c -+++ b/tools/qemu-xen/hw/xen/xen_pt.c -@@ -388,7 +388,7 @@ static const MemoryRegionOps ops = { - .write = xen_pt_bar_write, - }; - --static int xen_pt_register_regions(XenPCIPassthroughState *s) -+static int xen_pt_register_regions(XenPCIPassthroughState *s, uint16_t *cmd) - { - int i = 0; - XenHostPCIDevice *d = &s->real_device; -@@ -406,6 +406,7 @@ static int xen_pt_register_regions(XenPC - - if (r->type & XEN_HOST_PCI_REGION_TYPE_IO) { - type = PCI_BASE_ADDRESS_SPACE_IO; -+ *cmd |= PCI_COMMAND_IO; - } else { - type = PCI_BASE_ADDRESS_SPACE_MEMORY; - if (r->type & XEN_HOST_PCI_REGION_TYPE_PREFETCH) { -@@ -414,6 +415,7 @@ static int xen_pt_register_regions(XenPC - if (r->type & XEN_HOST_PCI_REGION_TYPE_MEM_64) { - type |= PCI_BASE_ADDRESS_MEM_TYPE_64; - } -+ *cmd |= PCI_COMMAND_MEMORY; - } - - memory_region_init_io(&s->bar[i], OBJECT(s), &ops, &s->dev, -@@ -638,6 +640,7 @@ static int xen_pt_initfn(PCIDevice *d) - XenPCIPassthroughState *s = DO_UPCAST(XenPCIPassthroughState, dev, d); - int rc = 0; - uint8_t machine_irq = 0; -+ uint16_t cmd = 0; - int pirq = XEN_PT_UNASSIGNED_PIRQ; - - /* register real device */ -@@ -672,7 +675,7 @@ static int xen_pt_initfn(PCIDevice *d) - s->io_listener = xen_pt_io_listener; - - /* Handle real device's MMIO/PIO BARs */ -- xen_pt_register_regions(s); -+ xen_pt_register_regions(s, &cmd); - - /* reinitialize each config register to be emulated */ - if (xen_pt_config_init(s)) { -@@ -736,6 +739,11 @@ static int xen_pt_initfn(PCIDevice *d) - } - - out: -+ if (cmd) { -+ xen_host_pci_set_word(&s->real_device, PCI_COMMAND, -+ pci_get_word(d->config + PCI_COMMAND) | cmd); -+ } -+ - memory_listener_register(&s->memory_listener, &address_space_memory); - memory_listener_register(&s->io_listener, &address_space_io); - XEN_PT_LOG(d, ---- a/tools/qemu-xen/hw/xen/xen_pt_config_init.c -+++ b/tools/qemu-xen/hw/xen/xen_pt_config_init.c -@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI - } - - /* Command register */ --static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry, -- uint16_t *value, uint16_t valid_mask) --{ -- XenPTRegInfo *reg = cfg_entry->reg; -- uint16_t valid_emu_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if (s->is_virtfn) { -- emu_mask |= PCI_COMMAND_MEMORY; -- } -- -- /* emulate word register */ -- valid_emu_mask = emu_mask & valid_mask; -- *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); -- -- return 0; --} - static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry, - uint16_t *val, uint16_t dev_value, - uint16_t valid_mask) -@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa - XenPTRegInfo *reg = cfg_entry->reg; - uint16_t writable_mask = 0; - uint16_t throughable_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if (s->is_virtfn) { -- emu_mask |= PCI_COMMAND_MEMORY; -- } - - /* modify emulate register */ - writable_mask = ~reg->ro_mask & valid_mask; - cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask); - - /* create value for writing to I/O device register */ -- throughable_mask = ~emu_mask & valid_mask; -+ throughable_mask = ~reg->emu_mask & valid_mask; - - if (*val & PCI_COMMAND_INTX_DISABLE) { - throughable_mask |= PCI_COMMAND_INTX_DISABLE; -@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade - .size = 2, - .init_val = 0x0000, - .ro_mask = 0xF880, -- .emu_mask = 0x0740, -+ .emu_mask = 0x0743, - .init = xen_pt_common_reg_init, -- .u.w.read = xen_pt_cmd_reg_read, -+ .u.w.read = xen_pt_word_reg_read, - .u.w.write = xen_pt_cmd_reg_write, - }, - /* Capabilities Pointer reg */ diff --git a/main/xen/xsa127-4.x.patch b/main/xen/xsa127-4.x.patch deleted file mode 100644 index 463b1ddf77..0000000000 --- a/main/xen/xsa127-4.x.patch +++ /dev/null @@ -1,50 +0,0 @@ -domctl: don't allow a toolstack domain to call domain_pause() on itself - -These DOMCTL subops were accidentally declared safe for disaggregation -in the wake of XSA-77. - -This is XSA-127. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/xen/arch/x86/domctl.c -+++ b/xen/arch/x86/domctl.c -@@ -888,6 +888,10 @@ long arch_do_domctl( - { - xen_guest_tsc_info_t info; - -+ ret = -EINVAL; -+ if ( d == current->domain ) /* no domain_pause() */ -+ break; -+ - domain_pause(d); - tsc_get_info(d, &info.tsc_mode, - &info.elapsed_nsec, -@@ -903,6 +907,10 @@ long arch_do_domctl( - - case XEN_DOMCTL_settscinfo: - { -+ ret = -EINVAL; -+ if ( d == current->domain ) /* no domain_pause() */ -+ break; -+ - domain_pause(d); - tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode, - domctl->u.tsc_info.info.elapsed_nsec, ---- a/xen/common/domctl.c -+++ b/xen/common/domctl.c -@@ -522,8 +522,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe - - case XEN_DOMCTL_resumedomain: - { -- domain_resume(d); -- ret = 0; -+ if ( d == current->domain ) /* no domain_pause() */ -+ ret = -EINVAL; -+ else -+ domain_resume(d); - } - break; - diff --git a/main/xen/xsa132.patch b/main/xen/xsa132.patch deleted file mode 100644 index 321c87bf62..0000000000 --- a/main/xen/xsa132.patch +++ /dev/null @@ -1,29 +0,0 @@ -domctl/sysctl: don't leak hypervisor stack to toolstacks - -This is XSA-132. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> - ---- a/xen/arch/x86/domctl.c -+++ b/xen/arch/x86/domctl.c -@@ -884,7 +884,7 @@ long arch_do_domctl( - - case XEN_DOMCTL_gettscinfo: - { -- xen_guest_tsc_info_t info; -+ xen_guest_tsc_info_t info = { 0 }; - - ret = -EINVAL; - if ( d == current->domain ) /* no domain_pause() */ ---- a/xen/common/sysctl.c -+++ b/xen/common/sysctl.c -@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe - case XEN_SYSCTL_getdomaininfolist: - { - struct domain *d; -- struct xen_domctl_getdomaininfo info; -+ struct xen_domctl_getdomaininfo info = { 0 }; - u32 num_domains = 0; - - rcu_read_lock(&domlist_read_lock); diff --git a/main/xen/xsa133-qemut.patch b/main/xen/xsa133-qemut.patch deleted file mode 100644 index fa8a2073ab..0000000000 --- a/main/xen/xsa133-qemut.patch +++ /dev/null @@ -1,80 +0,0 @@ -From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reviewed-by: John Snow <jsnow@redhat.com> ---- - hw/fdc.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/fdc.c b/hw/fdc.c -index b00a4ec..aba02e4 100644 ---- a/tools/qemu-xen-traditional/hw/fdc.c -+++ b/tools/qemu-xen-traditional/hw/fdc.c -@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) - { - fdrive_t *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) - { - fdrive_t *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) - { - fdrive_t *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command diff --git a/main/xen/xsa133-qemuu.patch b/main/xen/xsa133-qemuu.patch deleted file mode 100644 index 75611ada3c..0000000000 --- a/main/xen/xsa133-qemuu.patch +++ /dev/null @@ -1,84 +0,0 @@ -From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reviewed-by: John Snow <jsnow@redhat.com> ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index f72a392..d8a8edd 100644 ---- a/tools/qemu-xen/hw/block/fdc.c -+++ b/tools/qemu-xen/hw/block/fdc.c -@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command --- -2.1.0 - - diff --git a/main/xen/xsa135-qemut-1.patch b/main/xen/xsa135-qemut-1.patch new file mode 100644 index 0000000000..54ac78d29f --- /dev/null +++ b/main/xen/xsa135-qemut-1.patch @@ -0,0 +1,93 @@ +pcnet: fix Negative array index read + +From: Gonglei <arei.gonglei@huawei.com> + +s->xmit_pos maybe assigned to a negative value (-1), +but in this branch variable s->xmit_pos as an index to +array s->buffer. Let's add a check for s->xmit_pos. + +upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b + +Signed-off-by: Gonglei <arei.gonglei@huawei.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Reviewed-by: Jason Wang <jasowang@redhat.com> +Reviewed-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> + +diff --git a/hw/pcnet.c b/hw/pcnet.c +index 7cc0637..9f3e1cc 100644 +--- a/tools/qemu-xen-traditional/hw/pcnet.c ++++ b/tools/qemu-xen-traditional/hw/pcnet.c +@@ -1250,7 +1250,7 @@ static void pcnet_transmit(PCNetState *s) + target_phys_addr_t xmit_cxda = 0; + int count = CSR_XMTRL(s)-1; + int add_crc = 0; +- ++ int bcnt; + s->xmit_pos = -1; + + if (!CSR_TXON(s)) { +@@ -1276,34 +1276,39 @@ static void pcnet_transmit(PCNetState *s) + if (BCR_SWSTYLE(s) != 1) + add_crc = GET_FIELD(tmd.status, TMDS, ADDFCS); + } ++ ++ if (s->xmit_pos < 0) { ++ goto txdone; ++ } ++ ++ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), ++ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); ++ s->xmit_pos += bcnt; ++ + if (!GET_FIELD(tmd.status, TMDS, ENP)) { +- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); +- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), +- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); +- s->xmit_pos += bcnt; +- } else if (s->xmit_pos >= 0) { +- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); +- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), +- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); +- s->xmit_pos += bcnt; ++ goto txdone; ++ } + #ifdef PCNET_DEBUG +- printf("pcnet_transmit size=%d\n", s->xmit_pos); ++ printf("pcnet_transmit size=%d\n", s->xmit_pos); + #endif +- if (CSR_LOOP(s)) { +- if (BCR_SWSTYLE(s) == 1) +- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); +- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; +- pcnet_receive(s, s->buffer, s->xmit_pos); +- s->looptest = 0; +- } else +- if (s->vc) +- qemu_send_packet(s->vc, s->buffer, s->xmit_pos); +- +- s->csr[0] &= ~0x0008; /* clear TDMD */ +- s->csr[4] |= 0x0004; /* set TXSTRT */ +- s->xmit_pos = -1; ++ if (CSR_LOOP(s)) { ++ if (BCR_SWSTYLE(s) == 1) ++ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); ++ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; ++ pcnet_receive(s, s->buffer, s->xmit_pos); ++ s->looptest = 0; ++ } else { ++ if (s->vc) { ++ qemu_send_packet(s->vc, s->buffer, s->xmit_pos); ++ } + } + ++ s->csr[0] &= ~0x0008; /* clear TDMD */ ++ s->csr[4] |= 0x0004; /* set TXSTRT */ ++ s->xmit_pos = -1; ++ ++ txdone: + SET_FIELD(&tmd.status, TMDS, OWN, 0); + TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s))); + if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT))) + diff --git a/main/xen/xsa135-qemut-2.patch b/main/xen/xsa135-qemut-2.patch new file mode 100644 index 0000000000..2b0631af7c --- /dev/null +++ b/main/xen/xsa135-qemut-2.patch @@ -0,0 +1,46 @@ +From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reported-by: Matt Tait <matttait@google.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +--- + hw/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/pcnet.c b/hw/pcnet.c +index bdfd38f..6d32e4c 100644 +--- a/tools/qemu-xen-traditional/hw/pcnet.c ++++ b/tools/qemu-xen-traditional/hw/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; +-- +2.1.0 + + |