diff options
author | Roger Pau Monne <roger.pau@citrix.com> | 2012-11-16 17:53:16 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-11-19 12:15:52 +0000 |
commit | 22809ecb412e53ecc84ef1213fcdfc3afa124909 (patch) | |
tree | 08d0a9c4fba60b7fe0371a0ff966161139319887 /main | |
parent | 1bba205542b00512cc50c8a4807b358f0b2697c5 (diff) | |
download | aports-22809ecb412e53ecc84ef1213fcdfc3afa124909.tar.bz2 aports-22809ecb412e53ecc84ef1213fcdfc3afa124909.tar.xz |
xen: add a bunch of security fixes
This covers:
XSA-20
XSA-22
XSA-23
XSA-24
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Diffstat (limited to 'main')
-rw-r--r-- | main/xen/APKBUILD | 8 | ||||
-rw-r--r-- | main/xen/xsa20.patch | 38 | ||||
-rw-r--r-- | main/xen/xsa22-4.2-unstable.patch | 40 | ||||
-rw-r--r-- | main/xen/xsa23-4.2-unstable.patch | 32 | ||||
-rw-r--r-- | main/xen/xsa24.patch | 26 |
5 files changed, 144 insertions, 0 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 7143850112..1777d47ffe 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -19,6 +19,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g librt.patch make_stubdoms.patch qemu-xen_paths.patch + xsa20.patch + xsa22-4.2-unstable.patch + xsa23-4.2-unstable.patch + xsa24.patch xsa25-4.2.patch xenstored.initd @@ -134,6 +138,10 @@ md5sums="f4f217969afc38f09251039966d91a87 xen-4.2.0.tar.gz 2dc5ddf47c53ea168729975046c3c1f9 librt.patch 41ad48fdc269749776fa6aa04f6778c2 make_stubdoms.patch 1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch +fb7e76f00c2a4e63b408cb67df7d1a7b xsa20.patch +5a67dfac5e6f5a0836aeaefa1804c09f xsa22-4.2-unstable.patch +9151e7c648b12f518826ad0f0a67da42 xsa23-4.2-unstable.patch +9bd8b30094f8eb2408846c1b6ed0cad6 xsa24.patch 9fc7097ed2e5e756c4ae91145c143433 xsa25-4.2.patch 4ee9bf0c09269995569c9f05d4e8c779 xenstored.initd b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch new file mode 100644 index 0000000000..bedd318f65 --- /dev/null +++ b/main/xen/xsa20.patch @@ -0,0 +1,38 @@ +VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability + +The timer action for a vcpu periodic timer is to calculate the next +expiry time, and to reinsert itself into the timer queue. If the +deadline ends up in the past, Xen never leaves __do_softirq(). The +affected PCPU will stay in an infinite loop until Xen is killed by the +watchdog (if enabled). + +This is a security problem, XSA-20 / CVE-2012-4535. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> + +diff -r 478ba3f146df xen/common/domain.c +--- a/xen/common/domain.c ++++ b/xen/common/domain.c +@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN + if ( set.period_ns < MILLISECS(1) ) + return -EINVAL; + ++ if ( set.period_ns > STIME_DELTA_MAX ) ++ return -EINVAL; ++ + v->periodic_period = set.period_ns; + vcpu_force_reschedule(v); + +diff -r 478ba3f146df xen/include/xen/time.h +--- a/xen/include/xen/time.h ++++ b/xen/include/xen/time.h +@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); + #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) + #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) + #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) ++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ ++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) + + extern void update_vcpu_system_time(struct vcpu *v); + extern void update_domain_wallclock_time(struct domain *d); diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch new file mode 100644 index 0000000000..e15fd73534 --- /dev/null +++ b/main/xen/xsa22-4.2-unstable.patch @@ -0,0 +1,40 @@ +x86/physmap: Prevent incorrect updates of m2p mappings + +In certain conditions, such as low memory, set_p2m_entry() can fail. +Currently, the p2m and m2p tables will get out of sync because we still +update the m2p table after the p2m update has failed. + +If that happens, subsequent guest-invoked memory operations can cause +BUG()s and ASSERT()s to kill Xen. + +This is fixed by only updating the m2p table iff the p2m was +successfully updated. + +This is a security problem, XSA-22 / CVE-2012-4537. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> +Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> + +diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c +--- a/xen/arch/x86/mm/p2m.c ++++ b/xen/arch/x86/mm/p2m.c +@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d + if ( mfn_valid(_mfn(mfn)) ) + { + if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) ++ { + rc = -EINVAL; ++ goto out; /* Failed to update p2m, bail without updating m2p. */ ++ } + if ( !p2m_is_grant(t) ) + { + for ( i = 0; i < (1UL << page_order); i++ ) +@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d + } + } + ++out: + p2m_unlock(p2m); + + return rc; diff --git a/main/xen/xsa23-4.2-unstable.patch b/main/xen/xsa23-4.2-unstable.patch new file mode 100644 index 0000000000..be80a61680 --- /dev/null +++ b/main/xen/xsa23-4.2-unstable.patch @@ -0,0 +1,32 @@ +xen/mm/shadow: check toplevel pagetables are present before unhooking them. + +If the guest has not fully populated its top-level PAE entries when it calls +HVMOP_pagetable_dying, the shadow code could try to unhook entries from +MFN 0. Add a check to avoid that case. + +This issue was introduced by c/s 21239:b9d2db109cf5. + +This is a security problem, XSA-23 / CVE-2012-4538. + +Signed-off-by: Tim Deegan <tim@xen.org> +Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> + +diff -r cc56c0394db7 xen/arch/x86/mm/shadow/multi.c +--- a/xen/arch/x86/mm/shadow/multi.c ++++ b/xen/arch/x86/mm/shadow/multi.c +@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc + unsigned long gfn; + mfn_t smfn, gmfn; + +- if ( fast_path ) +- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); ++ if ( fast_path ) { ++ if ( pagetable_is_null(v->arch.shadow_table[i]) ) ++ smfn = _mfn(INVALID_MFN); ++ else ++ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); ++ } + else + { + /* retrieving the l2s */ diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch new file mode 100644 index 0000000000..e46f513a75 --- /dev/null +++ b/main/xen/xsa24.patch @@ -0,0 +1,26 @@ +compat/gnttab: Prevent infinite loop in compat code + +c/s 20281:95ea2052b41b, which introduces Grant Table version 2 +hypercalls introduces a vulnerability whereby the compat hypercall +handler can fall into an infinite loop. + +If the watchdog is enabled, Xen will die after the timeout. + +This is a security problem, XSA-24 / CVE-2012-4539. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> + +diff -r bac883cf805a xen/common/compat/grant_table.c +--- a/xen/common/compat/grant_table.c ++++ b/xen/common/compat/grant_table.c +@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c + #undef XLAT_gnttab_get_status_frames_HNDL_frame_list + if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) + rc = -EFAULT; ++ else ++ i = 1; + } + break; + } |