aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorRoger Pau Monne <roger.pau@citrix.com>2012-11-16 17:53:16 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2012-11-19 12:15:52 +0000
commit22809ecb412e53ecc84ef1213fcdfc3afa124909 (patch)
tree08d0a9c4fba60b7fe0371a0ff966161139319887 /main
parent1bba205542b00512cc50c8a4807b358f0b2697c5 (diff)
downloadaports-22809ecb412e53ecc84ef1213fcdfc3afa124909.tar.bz2
aports-22809ecb412e53ecc84ef1213fcdfc3afa124909.tar.xz
xen: add a bunch of security fixes
This covers: XSA-20 XSA-22 XSA-23 XSA-24 Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Diffstat (limited to 'main')
-rw-r--r--main/xen/APKBUILD8
-rw-r--r--main/xen/xsa20.patch38
-rw-r--r--main/xen/xsa22-4.2-unstable.patch40
-rw-r--r--main/xen/xsa23-4.2-unstable.patch32
-rw-r--r--main/xen/xsa24.patch26
5 files changed, 144 insertions, 0 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 7143850112..1777d47ffe 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -19,6 +19,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
librt.patch
make_stubdoms.patch
qemu-xen_paths.patch
+ xsa20.patch
+ xsa22-4.2-unstable.patch
+ xsa23-4.2-unstable.patch
+ xsa24.patch
xsa25-4.2.patch
xenstored.initd
@@ -134,6 +138,10 @@ md5sums="f4f217969afc38f09251039966d91a87 xen-4.2.0.tar.gz
2dc5ddf47c53ea168729975046c3c1f9 librt.patch
41ad48fdc269749776fa6aa04f6778c2 make_stubdoms.patch
1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch
+fb7e76f00c2a4e63b408cb67df7d1a7b xsa20.patch
+5a67dfac5e6f5a0836aeaefa1804c09f xsa22-4.2-unstable.patch
+9151e7c648b12f518826ad0f0a67da42 xsa23-4.2-unstable.patch
+9bd8b30094f8eb2408846c1b6ed0cad6 xsa24.patch
9fc7097ed2e5e756c4ae91145c143433 xsa25-4.2.patch
4ee9bf0c09269995569c9f05d4e8c779 xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch
new file mode 100644
index 0000000000..bedd318f65
--- /dev/null
+++ b/main/xen/xsa20.patch
@@ -0,0 +1,38 @@
+VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
+
+The timer action for a vcpu periodic timer is to calculate the next
+expiry time, and to reinsert itself into the timer queue. If the
+deadline ends up in the past, Xen never leaves __do_softirq(). The
+affected PCPU will stay in an infinite loop until Xen is killed by the
+watchdog (if enabled).
+
+This is a security problem, XSA-20 / CVE-2012-4535.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+diff -r 478ba3f146df xen/common/domain.c
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
+ if ( set.period_ns < MILLISECS(1) )
+ return -EINVAL;
+
++ if ( set.period_ns > STIME_DELTA_MAX )
++ return -EINVAL;
++
+ v->periodic_period = set.period_ns;
+ vcpu_force_reschedule(v);
+
+diff -r 478ba3f146df xen/include/xen/time.h
+--- a/xen/include/xen/time.h
++++ b/xen/include/xen/time.h
+@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
+ #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
+ #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
+ #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
+
+ extern void update_vcpu_system_time(struct vcpu *v);
+ extern void update_domain_wallclock_time(struct domain *d);
diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch
new file mode 100644
index 0000000000..e15fd73534
--- /dev/null
+++ b/main/xen/xsa22-4.2-unstable.patch
@@ -0,0 +1,40 @@
+x86/physmap: Prevent incorrect updates of m2p mappings
+
+In certain conditions, such as low memory, set_p2m_entry() can fail.
+Currently, the p2m and m2p tables will get out of sync because we still
+update the m2p table after the p2m update has failed.
+
+If that happens, subsequent guest-invoked memory operations can cause
+BUG()s and ASSERT()s to kill Xen.
+
+This is fixed by only updating the m2p table iff the p2m was
+successfully updated.
+
+This is a security problem, XSA-22 / CVE-2012-4537.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
+@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d
+ if ( mfn_valid(_mfn(mfn)) )
+ {
+ if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
++ {
+ rc = -EINVAL;
++ goto out; /* Failed to update p2m, bail without updating m2p. */
++ }
+ if ( !p2m_is_grant(t) )
+ {
+ for ( i = 0; i < (1UL << page_order); i++ )
+@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d
+ }
+ }
+
++out:
+ p2m_unlock(p2m);
+
+ return rc;
diff --git a/main/xen/xsa23-4.2-unstable.patch b/main/xen/xsa23-4.2-unstable.patch
new file mode 100644
index 0000000000..be80a61680
--- /dev/null
+++ b/main/xen/xsa23-4.2-unstable.patch
@@ -0,0 +1,32 @@
+xen/mm/shadow: check toplevel pagetables are present before unhooking them.
+
+If the guest has not fully populated its top-level PAE entries when it calls
+HVMOP_pagetable_dying, the shadow code could try to unhook entries from
+MFN 0. Add a check to avoid that case.
+
+This issue was introduced by c/s 21239:b9d2db109cf5.
+
+This is a security problem, XSA-23 / CVE-2012-4538.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+diff -r cc56c0394db7 xen/arch/x86/mm/shadow/multi.c
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
+ unsigned long gfn;
+ mfn_t smfn, gmfn;
+
+- if ( fast_path )
+- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++ if ( fast_path ) {
++ if ( pagetable_is_null(v->arch.shadow_table[i]) )
++ smfn = _mfn(INVALID_MFN);
++ else
++ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++ }
+ else
+ {
+ /* retrieving the l2s */
diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch
new file mode 100644
index 0000000000..e46f513a75
--- /dev/null
+++ b/main/xen/xsa24.patch
@@ -0,0 +1,26 @@
+compat/gnttab: Prevent infinite loop in compat code
+
+c/s 20281:95ea2052b41b, which introduces Grant Table version 2
+hypercalls introduces a vulnerability whereby the compat hypercall
+handler can fall into an infinite loop.
+
+If the watchdog is enabled, Xen will die after the timeout.
+
+This is a security problem, XSA-24 / CVE-2012-4539.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r bac883cf805a xen/common/compat/grant_table.c
+--- a/xen/common/compat/grant_table.c
++++ b/xen/common/compat/grant_table.c
+@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
+ #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
+ if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
+ rc = -EFAULT;
++ else
++ i = 1;
+ }
+ break;
+ }