main/xen: security fixes (XSA-226 and XSA-235)

Update patch for XSA-226 (fixes a regression).
http://openwall.com/lists/oss-security/2017/08/29/2

Include fix for XSA-235.

3 files changed, 70 insertions, 2 deletions

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 1274b35f4a..f450aa810a 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.9.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf"
@@ -78,6 +78,8 @@ options="!strip"
 #     - CVE-2017-12137 XSA-227
 #     - CVE-2017-12136 XSA-228
 #     - CVE-2017-12855 XSA-230
+#   4.9.0-r2:
+#     - XSA-235
 
 case "$CARCH" in
 x86*)
@@ -127,6 +129,7 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
 	xsa227.patch
 	xsa228.patch
 	xsa230.patch
+	xsa235-4.9.patch
 
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
@@ -377,11 +380,12 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35  tpm_emulator-0.7.4.tar.gz
 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e  zlib-1.2.3.tar.gz
 82ba65e1c676d32b29c71e6395c9506cab952c8f8b03f692e2b50133be8f0c0146d0f22c223262d81a4df579986fde5abc6507869f4965be4846297ef7b4b890  ipxe-git-827dd1bfee67daa683935ce65316f7e0f057fe1c.tar.gz
-e934ba5be6a526d164cb4c8bb71a679f2fedeaddb82d8f5ebbbbe3cbfaa6dd639c4e94662c6b7a9d066195f2a59e8d14dc3ee55dc94c09b4475d455d881b2741  xsa226-1.patch
+45fed43bbdcf63fc3ded0a2629e27a5d58306a244dba2e005cf8814aa50cde962c41e5e72075a1d678eb9c18af17e1cbf078884214fd29df0ad551977c9880c2  xsa226-1.patch
 4d1e729c592efefd705233b49484991801606b2122a64ff14abbf994bb3e77ec75c4989d43753ce2043cc4fe13d34fb1cef7ee1adb291ff16625bb3b125e5508  xsa226-2.patch
 7d66494e833d46f8a213af0f2b107a12617d5e8b45c3b07daee229c75bd6aad98284bc0e19f15706d044b58273cc7f0c193ef8553faa22fadeae349689e763c8  xsa227.patch
 d406f14531af707325790909d08ce299ac2f2cb4b87f9a8ddb0fba10bd83bed84cc1633e07632cc2f841c50bc1a9af6240c89539a2e6ba6028cb127e218f86fc  xsa228.patch
 df174a1675f74b73e78bc3cb1c9f16536199dfd1922c0cc545a807e92bc24941a816891838258e118f477109548487251a7eaccb2d1dd9b6994c8c76fc5b058f  xsa230.patch
+8bab6e59577b51f0c6b8a547c9a37a257bd0460e7219512e899d25f80a74084745d2a4c54e55ad12526663d40f218cb8f833b71350220d36e3750d002ff43d29  xsa235-4.9.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa226-1.patch b/main/xen/xsa226-1.patch
index 7711d3f888..d60bbe2db1 100644
--- a/main/xen/xsa226-1.patch
+++ b/main/xen/xsa226-1.patch
@@ -16,6 +16,21 @@ This is part of CVE-2017-12135 / XSA-226.
 
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 
+--- a/xen/common/compat/grant_table.c
++++ b/xen/common/compat/grant_table.c
+@@ -258,9 +258,9 @@ int compat_grant_table_op(unsigned int cmd,
+                 rc = gnttab_copy(guest_handle_cast(nat.uop, gnttab_copy_t), n);
+             if ( rc > 0 )
+             {
+-                ASSERT(rc < n);
+-                i -= n - rc;
+-                n = rc;
++                ASSERT(rc <= n);
++                i -= rc;
++                n -= rc;
+             }
+             if ( rc >= 0 )
+             {
 --- a/xen/common/grant_table.c
 +++ b/xen/common/grant_table.c
 @@ -2103,8 +2103,10 @@ __release_grant_for_copy(
diff --git a/main/xen/xsa235-4.9.patch b/main/xen/xsa235-4.9.patch
new file mode 100644
index 0000000000..25dd650755
--- /dev/null
+++ b/main/xen/xsa235-4.9.patch
@@ -0,0 +1,49 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths
+
+Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if
+an error occurs") introduced error paths not releasing the grant table
+lock. Replace them by a suitable check after the lock was dropped.
+
+This is XSA-235.
+
+Reported-by: Wei Liu <wei.liu2@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <julien.grall@arm.com>
+
+--- a/xen/arch/arm/mm.c
++++ b/xen/arch/arm/mm.c
+@@ -1164,7 +1164,7 @@ int xenmem_add_to_physmap_one(
+             if ( idx < nr_status_frames(d->grant_table) )
+                 mfn = virt_to_mfn(d->grant_table->status[idx]);
+             else
+-                return -EINVAL;
++                mfn = mfn_x(INVALID_MFN);
+         }
+         else
+         {
+@@ -1175,14 +1175,21 @@ int xenmem_add_to_physmap_one(
+             if ( idx < nr_grant_frames(d->grant_table) )
+                 mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
+             else
+-                return -EINVAL;
++                mfn = mfn_x(INVALID_MFN);
+         }
+ 
+-        d->arch.grant_table_gfn[idx] = gfn;
++        if ( mfn != mfn_x(INVALID_MFN) )
++        {
++            d->arch.grant_table_gfn[idx] = gfn;
+ 
+-        t = p2m_ram_rw;
++            t = p2m_ram_rw;
++        }
+ 
+         grant_write_unlock(d->grant_table);
++
++        if ( mfn == mfn_x(INVALID_MFN) )
++            return -EINVAL;
++
+         break;
+     case XENMAPSPACE_shared_info:
+         if ( idx != 0 )