diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2015-05-15 11:20:29 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-05-15 11:20:29 +0000 |
commit | a824d445bbe2abb22ca2362898b7e72054639120 (patch) | |
tree | a617cd635d915c4d623e19eb4851329b62f8b8cb /main | |
parent | 0b34e934c5ee509c197b159a51b14e9424f24470 (diff) | |
download | aports-a824d445bbe2abb22ca2362898b7e72054639120.tar.bz2 aports-a824d445bbe2abb22ca2362898b7e72054639120.tar.xz |
main/xen: upgrade to 4.5
Diffstat (limited to 'main')
-rw-r--r-- | main/xen/APKBUILD | 114 | ||||
-rw-r--r-- | main/xen/musl-hvmloader-fix-stdint.patch | 8 | ||||
-rw-r--r-- | main/xen/musl-support.patch | 10 | ||||
-rw-r--r-- | main/xen/qemu-xen_paths.patch | 14 | ||||
-rw-r--r-- | main/xen/xsa117.patch | 42 | ||||
-rw-r--r-- | main/xen/xsa118-4.5-unstable-1.patch | 253 | ||||
-rw-r--r-- | main/xen/xsa118-4.5-unstable-2.patch | 115 | ||||
-rw-r--r-- | main/xen/xsa119-unstable.patch | 99 | ||||
-rw-r--r-- | main/xen/xsa121.patch | 51 | ||||
-rw-r--r-- | main/xen/xsa122.patch | 40 | ||||
-rw-r--r-- | main/xen/xsa123.patch | 24 | ||||
-rw-r--r-- | main/xen/xsa125.patch | 154 | ||||
-rw-r--r-- | main/xen/xsa126-qemut.patch | 151 | ||||
-rw-r--r-- | main/xen/xsa126-qemuu.patch | 128 | ||||
-rw-r--r-- | main/xen/xsa127-4.x.patch | 50 | ||||
-rw-r--r-- | main/xen/xsa132.patch | 29 | ||||
-rw-r--r-- | main/xen/xsa133-qemut.patch | 80 | ||||
-rw-r--r-- | main/xen/xsa133-qemuu.patch | 84 |
18 files changed, 1383 insertions, 63 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 61956cbdb8..94227bea85 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen -pkgver=4.4.2 -pkgrel=1 +pkgver=4.5.0 +pkgrel=0 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64" @@ -15,9 +15,23 @@ depends_dev="openssl-dev python-dev e2fsprogs-dev gettext zlib-dev ncurses-dev e2fsprogs-dev linux-headers" makedepends="$depends_dev autoconf automake libtool" install="" -subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor - py-$pkgname:_py" +subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor" source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz + xsa117.patch + xsa118-4.5-unstable-1.patch + xsa118-4.5-unstable-2.patch + xsa119-unstable.patch + xsa121.patch + xsa122.patch + xsa123.patch + xsa125.patch + xsa126-qemut.patch + xsa126-qemuu.patch + xsa127-4.x.patch + xsa132.patch + xsa133-qemut.patch + xsa133-qemuu.patch + qemu-coroutine-gthread.patch qemu-xen-musl-openpty.patch qemu-xen_paths.patch @@ -185,42 +199,30 @@ hypervisor() { mv "$pkgdir"/boot "$subpkgdir"/ } -_py() { - pkdesc="Python bindings and tools for Xen" - depends= - mkdir -p "$subpkgdir"/usr/lib/xen/bin \ - "$subpkgdir"/usr/bin \ - "$subpkgdir"/usr/sbin \ - || return 1 - mv "$pkgdir"/usr/lib/python* "$subpkgdir"/usr/lib/ - mv "$pkgdir"/usr/bin/xencons \ - "$pkgdir"/usr/bin/xentrace_format \ - "$subpkgdir"/usr/bin/ || return 1 - mv "$pkgdir"/usr/sbin/xenmon.py \ - "$pkgdir"/usr/sbin/xen-ringwatch \ - "$pkgdir"/usr/sbin/xen-python-path \ - "$subpkgdir"/usr/sbin/ || return 1 - mv "$pkgdir"/usr/lib/xen/bin/pygrub \ - "$pkgdir"/usr/lib/xen/bin/xenpvnetboot \ - "$subpkgdir"/usr/lib/xen/bin/ || return 1 - - # verify we dont have any python deps in main package left - if find "$pkgdir" -type f -print 0 | xargs -0 file --mime-type \ - | grep python; then - return 1 - fi -} - -md5sums="1812261459564147e6b9105115c511aa xen-4.4.2.tar.gz +md5sums="9bac43d2419d05a647064d9253bb03fa xen-4.5.0.tar.gz +d43cf4b2da680dcf709714863c4f06ed xsa117.patch +27c7fd9e385440bed2d0f33d8f27c065 xsa118-4.5-unstable-1.patch +7816e8ea4718d79e65acd890bb9a6aed xsa118-4.5-unstable-2.patch +a96d0463ddf52699dc908908398d5960 xsa119-unstable.patch +ee80cffba0b858712d1e3eedf5df7775 xsa121.patch +8d46ed3846559a5492f686b4fe0fa4d4 xsa122.patch +4b98895abd06f41cdc2cf0e98ea05308 xsa123.patch +620fb94e090d7d735c3d96310c627972 xsa125.patch +941b4cb7f2a8ba31bf08ab5425891902 xsa126-qemut.patch +1ee5f45ecda3513e8a9708b2edf5141d xsa126-qemuu.patch +c7d2d6913945100b5048e5149d0f6af2 xsa127-4.x.patch +896d814b803427d72781cd9a1e11ebd2 xsa132.patch +c1b7aaa9c5e729b61712d27d1f9fae6a xsa133-qemut.patch +fdb8ba32313a5b8088773ffcfd865ae7 xsa133-qemuu.patch de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch -c4d2d95ae3e5f538b7145becb3c6098e qemu-xen_paths.patch +08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch 229539a822e14a6a62babffd71ecfbf3 0001-ipxe-dont-clobber-ebp.patch a0a0294eccbaef77a2f8f5c2789f011c gnutls-3.4.0.patch 08a30d56902b660f5102a5c208e545c9 init-xenstore-domain.patch -f7aa282a27f270a923f229f2040cd7b5 musl-support.patch -2b1afbf120b69c5d14c846178378116b musl-hvmloader-fix-stdint.patch +0984e3000de17a6d14b8014a3ced46a4 musl-support.patch +513456607a2adfaa0baf1e3ae5124b23 musl-hvmloader-fix-stdint.patch c9313a790faa727205627a1657b9bf06 stdint_local.h c13f954d041a6fa78d0d241ad1780c0b elf_local.h 750138c31ec96d1a11fe0c665ac07e9e xen-hotplug-lockfd.patch @@ -234,16 +236,30 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate 6a2f777c16678d84039acf670d86fff6 xenqemu.confd e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd" -sha256sums="cd53592e86669e5e8c4d4a731b0199e8af17d8eadbb8f26dbb69f1b751259204 xen-4.4.2.tar.gz +sha256sums="5bdb40e2b28d2eeb541bd71a9777f40cbe2ae444b987521d33f099541a006f3b xen-4.5.0.tar.gz +5d7c1ec3bd604ed49999a56fefeebda1206f424b1b48c0e44899f13bc1e55cd0 xsa117.patch +ee24a4c5e12b67d7539f08b644080c87797f31b4402215cd4efbbc6114bffc25 xsa118-4.5-unstable-1.patch +bd532e3cd535fcdea51f43631a519012baff068cb62d2205fc25f2c823f031eb xsa118-4.5-unstable-2.patch +ee44c8f6a7cf3ca7b2d9886047b91690aaa2b091baf8629d8ab4c298022c6c47 xsa119-unstable.patch +e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268 xsa121.patch +13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47 xsa122.patch +994cf1487ec5c455fce4877168901e03283f0002062dcff8895a17ca30e010df xsa123.patch +be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de xsa125.patch +791c288379fcd8b30ee473d42f1113c8ffa5f244dd82df9db6cc4597c81155b7 xsa126-qemut.patch +bbb8c840f3ef182508cff36803d861f15923325075ccc58801673b23dfc1a169 xsa126-qemuu.patch +e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd xsa127-4.x.patch +329d4edf1e1133795ece41f2fc8887c5f4cc06b42ced63c810c610b17bcee46d xsa132.patch +8d8c82fedf4beb6ad1a27002c1d3fb3031e43a732316e2049ec5d04939c159bc xsa133-qemut.patch +032481a153d80192112e42f704dc7180aeb995a12d3ddef0efec4eb87c044079 xsa133-qemuu.patch 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch -a6ccc0ed0dab8465188f92ceb3c983f10d65cd93bb2c8bab4e4155ef13536f5d qemu-xen_paths.patch +e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch 751ef06569de66578b8713dc170976832b0671ac2696f32eb9ad69d60332d594 0001-ipxe-dont-clobber-ebp.patch e25d38376e22f6f935d2c0ce1b9d6e6b47ff261b5e6056bc3b47168739d7a992 gnutls-3.4.0.patch 0204d69804e83864cd6b2122f51b9c1940588158a35c159a7ef0c3b8fb0af4cb init-xenstore-domain.patch -2513ab530c80b32bd7fe4d35a5b1ecbda14c8e093e556e040a68226796e63791 musl-support.patch -09b9feb9ea6f9c1bda5cc1672f42e8fc5186dc9dd5561f28c6f1904d80aca7fa musl-hvmloader-fix-stdint.patch +2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch +479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3 musl-hvmloader-fix-stdint.patch 6b4ad2a9fdb3e23b06c8c1961a46b06c15a46471fe6fb13cdc269da37466f334 stdint_local.h 7f1ed2db24d8eba87a08eea0601a9ab339209906fdfa74c8c03564a1a6e6471e elf_local.h b183ed028a8c42a64e6fd3fb4b2b6dad832f52ed838fceb69bf681de4e7d794f xen-hotplug-lockfd.patch @@ -257,16 +273,30 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd" -sha512sums="7dae2a1d601d5c65c350ea9fe9870551ec53dff47b6ebe56e99285fd1112aa1cba3a2594e294b871defcf43fb7fccace9f18910e69f02dfce162d7bf453eb07b xen-4.4.2.tar.gz +sha512sums="31621fbaf621ad350125d03366ecff4dec5d810b0c1242ca0e28788f7556ac1443d7ee9247e1f76dec07e148e0b4ae16d08a7c10101bb78d6529375f3e40998e xen-4.5.0.tar.gz +517dfa702d6c80816d27bbc8fb55e6cd72856e157e6a18ff2d13b310f9173f8bb23940e43bb85acf41fd035e7415597f237c1d2805c87ff1e5c37c49ab4d4ed0 xsa117.patch +4074546aab41f9a9093b0bc1124e02d443402c1976484797c3ef59bc5cfa84202e22c5247eb99b0f0a7b0918a6d79ff612b1c59f0e5154bc79926c553e784f91 xsa118-4.5-unstable-1.patch +5a11cac98ee70d3bfc86a9096b2007c0bbf000b4abf6e53aaf7cb574ac59dcc39a31585bf85f58349b3c94535ef3abf0ddfced20af723dcc4a03a288dfc550a6 xsa118-4.5-unstable-2.patch +96c782934f52a1e541909270e88f38b22335ccb20562cefa068ad2b6713011cdeb0cb9d3ad9523a6ae1c52703b62f57fae53a7986b518a73a094719475a2e9db xsa119-unstable.patch +c58967af871518340745fd9023822ec4cc42c90c7f99f5e91eaec2da33476f50819ac84f70a38bafcd26cd60909ea9f54920606ec970150e3c2b5b28ee021883 xsa121.patch +723e9c2d12a5c6a9acac3c3feba06cb811e9af4949d6b5f75814fff89fef7e53bc90fe1562b70a5983f72ec623fe14fb2f83f4b23039cf83f50c9cc337ab22d3 xsa122.patch +1ebcfa74a1922656584fdd6c46563a88e7e76320e6605bdda837f8710872e5b2144c86a57c8246e7b33c7b7f344ce068807a7da5ecbc07c231ae61959e43290d xsa123.patch +cf05a33319018093003a72d3187d361c893490cd6728b9a3e3adf2d925287c838eae16554f8f5d4e2ffef3199e3da28ff7573fa5211b2246f0d3d2da30ff5130 xsa125.patch +b65565d1e8fd0a41a683c22664cc024b9193f733f7029a4421730a63c23190ff4d6d3afb7bfddcccd290c8986b866d989e6ddfa9c5d99f6aa73e0516c2d2d511 xsa126-qemut.patch +5ade1fb69e48d12b60fc867b00a59dcd94d3db264c9f3cf6937551ef142fd37285ba59b81b95883f16b21d287fda5eef5f114df155fef059ba97535168fd358a xsa126-qemuu.patch +598761b014cf17fa9ee1ac56ad7cf5c27cda208e180b471d2946a14079886c60448c6f2e7e0633bd1d85b5737af2a4e76b7377e58726f617e982c5c5395f03d9 xsa127-4.x.patch +23d4fb293c678b8b0a6c48cbd696761bd35179e56c7d9b1d8090006241e33dc5cc4d77a2598f27dd3943a9d13a38c6b21714d2a639e6f9c0d86a0a5c747becee xsa132.patch +a06bf522ab6076fbb5869e9a5f1aba37d41fba21d8a327b85ea315ca8814cb959fef2d3458c7f6d2b758eb5a4b7b54ed81b14bb80512205eb2a90d46ca432f95 xsa133-qemut.patch +fc97003d6817fa44dac7e72db1b5bdb0905a138d65caf12f8b1e3cd5855b3b8d441caf95f7c902f36b4c21c862148ab31e45b6ef1ffd22c25875a04cb29c9911 xsa133-qemuu.patch c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch -1f19cf495142dfc9f1786af6d4f7d497a482119fa2f1c10d4f9174994d38562719bc5190820dd444c32da0fb9af78fadac8dc8958437c26d6ca385f2409794e8 qemu-xen_paths.patch +1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch c3a1b270347a99c8ce21118010ad8d817b4462a31cc5c75352faa7086969ef0646f3f4d0922d85c2e504cff091ce7e9fe79c92f983c2ba4af2fae85c52c3835a 0001-ipxe-dont-clobber-ebp.patch e9b88234bd67c2d65fcda1a56deeaf60aaa4c8b2afff128028c6a1478c89f828584dab1ac04f8d9d53cf17d26572e5505d0bbfcc4b2a6842cc749c6c018c0e51 gnutls-3.4.0.patch 475eb800660dc928914b8c15562f18f24d6e7a76f4cc7bed9249ce52d444c29aec1aef843eb37ade0c7c9616195bbbc1606a3195e25b2bd4b6a1d1af5f69256e init-xenstore-domain.patch -3d6b180d631c6d7baeff9976503cf6b16f24b0e99c25b2b2a5153db85f41600159d10d4f47eda0e33e1f41197dc9d6d935cf33f31ffbcf429d35002e0affdb2d musl-support.patch -4acf7e360ae94f7c0f7541fcd106389402f215c28bd18ed1fd4be9d4b9d12550e17152f7e19b19793e16d4ee0e131ec3e3ce6011b42bc7683fcebdb4051c6109 musl-hvmloader-fix-stdint.patch +76bd60768b296752ca11195bb03a57584686461da45255cb540977111a73c42b5b92362fd46d97bfd20487c96971dd5aed7eae7d8bf1aad7d5199adb875d4962 musl-support.patch +08cf7fac825dd3da5f33856abf6692da00d8928ab73050b3ae0a643ddb97c8ae323238a80152fd31595ac1c31678d559232264258c189e2c05ecaf33e295f13e musl-hvmloader-fix-stdint.patch 9dcb481c5b83c7df23e87be717d8a9234014f26a0f80893e125fe8110e2923562d95162d18ff64c08b5782cd7c085f90378a9e0802b3995c077c8ba32bbb669f stdint_local.h 853467a2d055c5bfbdc7bdca175a334241be44a7c5ac3c0a84a4bc5463b5c070b66d37e2a557429ef860727a6b7350683af758cc2494d85b6be4d883143a2c0d elf_local.h 79cb1b6b81b17cb87a064dfe3548949dfb80f64f203cac11ef327102b7a25794549ce2d9c019ebf05f752214da8e05065e9219d069e679c0ae5bee3d090c685e xen-hotplug-lockfd.patch diff --git a/main/xen/musl-hvmloader-fix-stdint.patch b/main/xen/musl-hvmloader-fix-stdint.patch index a343c17b6b..819746b5bb 100644 --- a/main/xen/musl-hvmloader-fix-stdint.patch +++ b/main/xen/musl-hvmloader-fix-stdint.patch @@ -45,7 +45,7 @@ index 7b22d80..413c930 100644 #include <xen/hvm/ioreq.h> diff --git a/tools/firmware/hvmloader/config.h b/tools/firmware/hvmloader/config.h -index 6641197..01e402c 100644 +index b838cf9..33d48b3 100644 --- a/tools/firmware/hvmloader/config.h +++ b/tools/firmware/hvmloader/config.h @@ -1,7 +1,7 @@ @@ -110,7 +110,7 @@ index 6e50822..6134b01 100644 #define NR_PIR_SLOTS 6 diff --git a/tools/firmware/hvmloader/smbios.c b/tools/firmware/hvmloader/smbios.c -index 9f292cc..f909354 100644 +index 4d3d692..60d144d 100644 --- a/tools/firmware/hvmloader/smbios.c +++ b/tools/firmware/hvmloader/smbios.c @@ -20,7 +20,7 @@ @@ -149,7 +149,7 @@ index 80d822f..671d8cd 100644 #include <xen/memory.h> #include <xen/sched.h> diff --git a/tools/firmware/hvmloader/util.h b/tools/firmware/hvmloader/util.h -index 9ccb905..77b416b 100644 +index a70e4aa..a8a2628 100644 --- a/tools/firmware/hvmloader/util.h +++ b/tools/firmware/hvmloader/util.h @@ -2,7 +2,7 @@ @@ -158,9 +158,9 @@ index 9ccb905..77b416b 100644 #include <stdarg.h> -#include <stdint.h> +#include <stdint_local.h> + #include <stddef.h> #include <xen/xen.h> #include <xen/hvm/hvm_info_table.h> - diff --git a/tools/firmware/rombios/32bit/pmm.c b/tools/firmware/rombios/32bit/pmm.c index 4a279ca..b90b813 100644 --- a/tools/firmware/rombios/32bit/pmm.c diff --git a/main/xen/musl-support.patch b/main/xen/musl-support.patch index 7946cb64b8..81587d2340 100644 --- a/main/xen/musl-support.patch +++ b/main/xen/musl-support.patch @@ -41,16 +41,6 @@ if (r) { LOGE(ERROR, "login_tty failed"); exit(-1); } libxl__exec(gc, -1, -1, -1, bl->args[0], (char **) bl->args, env); exit(-1); ---- xen-4.3.1.orig/tools/xenstore/xs_tdb_dump.c -+++ xen-4.3.1/tools/xenstore/xs_tdb_dump.c -@@ -5,6 +5,7 @@ - #include <stdio.h> - #include <stdarg.h> - #include <string.h> -+#include <sys/types.h> - #include "xenstore_lib.h" - #include "tdb.h" - #include "talloc.h" --- xen-4.3.1.orig/tools/firmware/hvmloader/acpi/acpi2_0.h +++ xen-4.3.1/tools/firmware/hvmloader/acpi/acpi2_0.h @@ -366,7 +366,7 @@ diff --git a/main/xen/qemu-xen_paths.patch b/main/xen/qemu-xen_paths.patch index 79d634d6e5..e558d1f37f 100644 --- a/main/xen/qemu-xen_paths.patch +++ b/main/xen/qemu-xen_paths.patch @@ -1,11 +1,11 @@ ---- ./tools.orig/Makefile +--- ./tools/Makefile.orig +++ ./tools/Makefile -@@ -198,6 +198,8 @@ - --extra-ldflags="-L$(XEN_ROOT)/tools/libxc \ - -L$(XEN_ROOT)/tools/xenstore" \ - --bindir=$(LIBEXEC) \ -+ --libexecdir=$(LIBEXEC) \ +@@ -219,6 +219,8 @@ + -L$(XEN_ROOT)/tools/xenstore \ + $(QEMU_UPSTREAM_RPATH)" \ + --bindir=$(LIBEXEC_BIN) \ ++ --libexecdir=$(LIBEXEC_BIN) \ + --sysconfdir=/etc/xen \ --datadir=$(SHAREDIR)/qemu-xen \ - --localstatedir=/var \ + --localstatedir=$(localstatedir) \ --disable-kvm \ diff --git a/main/xen/xsa117.patch b/main/xen/xsa117.patch new file mode 100644 index 0000000000..aa04fe45c0 --- /dev/null +++ b/main/xen/xsa117.patch @@ -0,0 +1,42 @@ +From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001 +From: Julien Grall <julien.grall@linaro.org> +Date: Fri, 23 Jan 2015 14:15:07 +0000 +Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI + target mode is invalid + +The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter. + +Even if it's an invalid value, a malicious guest could write this value +and threfore crash the hypervisor. + +Replace the BUG() by logging the error and inject a data abort to the guest. + +This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7 +"xen/arm: split vgic driver into generic and vgic-v2 driver". + +This is CVE-2015-0268 / XSA-117. + +Signed-off-by: Julien Grall <julien.grall@linaro.org> +--- + xen/arch/arm/vgic-v2.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c +index 598bf06..9dc9a20 100644 +--- a/xen/arch/arm/vgic-v2.c ++++ b/xen/arch/arm/vgic-v2.c +@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir) + sgi_mode = SGI_TARGET_SELF; + break; + default: +- BUG(); ++ printk(XENLOG_G_DEBUG ++ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n", ++ v, sgir); ++ return 0; + } + + return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask); +-- +2.1.4 + diff --git a/main/xen/xsa118-4.5-unstable-1.patch b/main/xen/xsa118-4.5-unstable-1.patch new file mode 100644 index 0000000000..a714c8306e --- /dev/null +++ b/main/xen/xsa118-4.5-unstable-1.patch @@ -0,0 +1,253 @@ +From e698f4ab05a710e4463317ea978d426d43107e27 Mon Sep 17 00:00:00 2001 +From: Julien Grall <julien.grall@linaro.org> +Date: Mon, 19 Jan 2015 14:01:09 +0000 +Subject: [PATCH 1/2] xen/arm: vgic-v3: message in the emulation code should be + rate-limited + +printk by default is not rate-limited by default. Therefore a malicious guest +may be able to flood the Xen console. + +If we use gdprintk, unnecessary information will be printed such as the +filename and the line. Instead use XENLOG_G_{ERR,DEBUG} combine with %pv. + +Also remove the vGICv3 prefix which is not neccessary and update some +message which were wrong. + +Signed-off-by: Julien Grall <julien.grall@linaro.org> +--- + xen/arch/arm/vgic-v3.c | 109 +++++++++++++++++++++++++++---------------------- + 1 file changed, 61 insertions(+), 48 deletions(-) + +diff --git a/xen/arch/arm/vgic-v3.c b/xen/arch/arm/vgic-v3.c +index ae4482c..bece189 100644 +--- a/xen/arch/arm/vgic-v3.c ++++ b/xen/arch/arm/vgic-v3.c +@@ -168,13 +168,14 @@ static int __vgic_v3_rdistr_rd_mmio_read(struct vcpu *v, mmio_info_t *info, + /* Reserved0 */ + goto read_as_zero; + default: +- printk("vGICv3: vGICR: read r%d offset %#08x\n not found", +- dabt.reg, gicr_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICR: read r%d offset %#08x\n not found", ++ v, dabt.reg, gicr_reg); + return 0; + } + bad_width: +- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n", +- dabt.size, dabt.reg, gicr_reg); ++ printk(XENLOG_G_ERR "%pv vGICR: bad read width %d r%d offset %#08x\n", ++ v, dabt.size, dabt.reg, gicr_reg); + domain_crash_synchronous(); + return 0; + +@@ -244,12 +245,14 @@ static int __vgic_v3_rdistr_rd_mmio_write(struct vcpu *v, mmio_info_t *info, + /* RO */ + goto write_ignore; + default: +- printk("vGICR: write r%d offset %#08x\n not found", dabt.reg, gicr_reg); ++ printk(XENLOG_G_ERR "%pv: vGICR: write r%d offset %#08x\n not found", ++ v, dabt.reg, gicr_reg); + return 0; + } + bad_width: +- printk("vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n", +- dabt.size, dabt.reg, *r, gicr_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.size, dabt.reg, *r, gicr_reg); + domain_crash_synchronous(); + return 0; + +@@ -345,15 +348,16 @@ static int __vgic_v3_distr_common_mmio_read(struct vcpu *v, mmio_info_t *info, + vgic_unlock_rank(v, rank, flags); + return 1; + default: +- printk("vGICv3: vGICD/vGICR: unhandled read r%d offset %#08x\n", +- dabt.reg, reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD/vGICR: unhandled read r%d offset %#08x\n", ++ v, dabt.reg, reg); + return 0; + } + + bad_width: +- dprintk(XENLOG_ERR, +- "vGICv3: vGICD/vGICR: bad read width %d r%d offset %#08x\n", +- dabt.size, dabt.reg, reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD/vGICR: bad read width %d r%d offset %#08x\n", ++ v, dabt.size, dabt.reg, reg); + domain_crash_synchronous(); + return 0; + +@@ -458,15 +462,16 @@ static int __vgic_v3_distr_common_mmio_write(struct vcpu *v, mmio_info_t *info, + vgic_unlock_rank(v, rank, flags); + return 1; + default: +- printk("vGICv3: vGICD/vGICR: unhandled write r%d " +- "=%"PRIregister" offset %#08x\n", dabt.reg, *r, reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD/vGICR: unhandled write r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.reg, *r, reg); + return 0; + } + + bad_width: +- dprintk(XENLOG_ERR, +- "vGICv3: vGICD/vGICR: bad write width %d r%d=%"PRIregister" " +- "offset %#08x\n", dabt.size, dabt.reg, *r, reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD/vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.size, dabt.reg, *r, reg); + domain_crash_synchronous(); + return 0; + +@@ -521,13 +526,14 @@ static int vgic_v3_rdistr_sgi_mmio_read(struct vcpu *v, mmio_info_t *info, + if ( dabt.size != DABT_WORD ) goto bad_width; + return 1; + default: +- printk("vGICv3: vGICR: read r%d offset %#08x\n not found", +- dabt.reg, gicr_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICR: SGI: read r%d offset %#08x\n not found", ++ v, dabt.reg, gicr_reg); + return 0; + } + bad_width: +- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n", +- dabt.size, dabt.reg, gicr_reg); ++ printk(XENLOG_G_ERR "%pv: vGICR: SGI: bad read width %d r%d offset %#08x\n", ++ v, dabt.size, dabt.reg, gicr_reg); + domain_crash_synchronous(); + return 0; + +@@ -585,14 +591,16 @@ static int vgic_v3_rdistr_sgi_mmio_write(struct vcpu *v, mmio_info_t *info, + /* We do not implement security extensions for guests, write ignore */ + goto write_ignore; + default: +- printk("vGICv3: vGICR SGI: write r%d offset %#08x\n not found", +- dabt.reg, gicr_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICR: SGI: write r%d offset %#08x\n not found", ++ v, dabt.reg, gicr_reg); + return 0; + } + + bad_width: +- printk("vGICR SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n", +- dabt.size, dabt.reg, *r, gicr_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICR: SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.size, dabt.reg, *r, gicr_reg); + domain_crash_synchronous(); + return 0; + +@@ -618,9 +626,9 @@ static int vgic_v3_rdistr_mmio_read(struct vcpu *v, mmio_info_t *info) + else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) ) + return vgic_v3_rdistr_sgi_mmio_read(v, info, (offset - SZ_64K)); + else +- gdprintk(XENLOG_WARNING, +- "vGICv3: vGICR: unknown gpa read address %"PRIpaddr"\n", +- info->gpa); ++ printk(XENLOG_G_WARNING ++ "%pv: vGICR: unknown gpa read address %"PRIpaddr"\n", ++ v, info->gpa); + + return 0; + } +@@ -642,9 +650,9 @@ static int vgic_v3_rdistr_mmio_write(struct vcpu *v, mmio_info_t *info) + else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) ) + return vgic_v3_rdistr_sgi_mmio_write(v, info, (offset - SZ_64K)); + else +- gdprintk(XENLOG_WARNING, +- "vGICV3: vGICR: unknown gpa write address %"PRIpaddr"\n", +- info->gpa); ++ printk(XENLOG_G_WARNING ++ "%pv: vGICR: unknown gpa write address %"PRIpaddr"\n", ++ v, info->gpa); + + return 0; + } +@@ -770,18 +778,19 @@ static int vgic_v3_distr_mmio_read(struct vcpu *v, mmio_info_t *info) + case 0xf30 ... 0x5fcc: + case 0x8000 ... 0xbfcc: + /* These are reserved register addresses */ +- printk("vGICv3: vGICD: read unknown 0x00c .. 0xfcc r%d offset %#08x\n", +- dabt.reg, gicd_reg); ++ printk(XENLOG_G_DEBUG ++ "%pv: vGICD: RAZ on reserved register offset %#08x\n", ++ v, gicd_reg); + goto read_as_zero; + default: +- printk("vGICv3: vGICD: unhandled read r%d offset %#08x\n", +- dabt.reg, gicd_reg); ++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n", ++ v, dabt.reg, gicd_reg); + return 0; + } + + bad_width: +- dprintk(XENLOG_ERR, "vGICv3: vGICD: bad read width %d r%d offset %#08x\n", +- dabt.size, dabt.reg, gicd_reg); ++ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n", ++ v, dabt.size, dabt.reg, gicd_reg); + domain_crash_synchronous(); + return 0; + +@@ -840,8 +849,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info) + case 0x020 ... 0x03c: + case 0xc000 ... 0xffcc: + /* Implementation defined -- write ignored */ +- printk("vGICv3: vGICD: write unknown 0x020 - 0x03c r%d offset %#08x\n", +- dabt.reg, gicd_reg); ++ printk(XENLOG_G_DEBUG ++ "%pv: vGICD: WI on implementation defined register offset %#08x\n", ++ v, gicd_reg); + goto write_ignore; + case GICD_IGROUPR ... GICD_IGROUPRN: + case GICD_ISENABLER ... GICD_ISENABLERN: +@@ -885,8 +895,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info) + new_target = new_irouter & MPIDR_AFF0_MASK; + if ( new_target >= v->domain->max_vcpus ) + { +- printk("vGICv3: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x", +- gicd_reg, new_target, v->domain->max_vcpus); ++ printk(XENLOG_G_DEBUG ++ "%pv: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x", ++ v, gicd_reg, new_target, v->domain->max_vcpus); + vgic_unlock_rank(v, rank, flags); + return 0; + } +@@ -926,19 +937,21 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info) + case 0xf30 ... 0x5fcc: + case 0x8000 ... 0xbfcc: + /* Reserved register addresses */ +- printk("vGICv3: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n", +- dabt.reg, gicd_reg); ++ printk(XENLOG_G_DEBUG ++ "%pv: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n", ++ v, dabt.reg, gicd_reg); + goto write_ignore; + default: +- printk("vGICv3: vGICD: unhandled write r%d=%"PRIregister" " +- "offset %#08x\n", dabt.reg, *r, gicd_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.reg, *r, gicd_reg); + return 0; + } + + bad_width: +- dprintk(XENLOG_ERR, +- "VGICv3: vGICD: bad write width %d r%d=%"PRIregister" " +- "offset %#08x\n", dabt.size, dabt.reg, *r, gicd_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.size, dabt.reg, *r, gicd_reg); + domain_crash_synchronous(); + return 0; + +-- +2.1.4 + diff --git a/main/xen/xsa118-4.5-unstable-2.patch b/main/xen/xsa118-4.5-unstable-2.patch new file mode 100644 index 0000000000..621b739b4a --- /dev/null +++ b/main/xen/xsa118-4.5-unstable-2.patch @@ -0,0 +1,115 @@ +From e8fa469595e29b2dbe6dde3a77ee2ea2d9e93283 Mon Sep 17 00:00:00 2001 +From: Julien Grall <julien.grall@linaro.org> +Date: Mon, 19 Jan 2015 12:59:42 +0000 +Subject: [PATCH 2/2] xen/arm: vgic-v2: message in the emulation code should be + rate-limited + +printk is not rated-limited by default. Therefore a malicious guest may +be able to flood the Xen console. + +If we use gdprintk, unecessary information will be printed such as the +filename and the line. Instead use XENLOG_G_ERR combine with %pv. + +Signed-off-by: Julien Grall <julien.grall@linaro.org> +--- + xen/arch/arm/vgic-v2.c | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c +index 9dc9a20..3b87f54 100644 +--- a/xen/arch/arm/vgic-v2.c ++++ b/xen/arch/arm/vgic-v2.c +@@ -198,7 +198,7 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info) + + case GICD_ICPIDR2: + if ( dabt.size != DABT_WORD ) goto bad_width; +- printk("vGICD: unhandled read from ICPIDR2\n"); ++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v); + return 0; + + /* Implementation defined -- read as zero */ +@@ -215,14 +215,14 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info) + goto read_as_zero; + + default: +- printk("vGICD: unhandled read r%d offset %#08x\n", +- dabt.reg, gicd_reg); ++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n", ++ v, dabt.reg, gicd_reg); + return 0; + } + + bad_width: +- printk("vGICD: bad read width %d r%d offset %#08x\n", +- dabt.size, dabt.reg, gicd_reg); ++ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n", ++ v, dabt.size, dabt.reg, gicd_reg); + domain_crash_synchronous(); + return 0; + +@@ -331,14 +331,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info) + + case GICD_ISPENDR ... GICD_ISPENDRN: + if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; +- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n", +- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n", ++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR); + return 0; + + case GICD_ICPENDR ... GICD_ICPENDRN: + if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; +- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n", +- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n", ++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR); + return 0; + + case GICD_ISACTIVER ... GICD_ISACTIVERN: +@@ -457,14 +459,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info) + + case GICD_CPENDSGIR ... GICD_CPENDSGIRN: + if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; +- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n", +- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n", ++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR); + return 0; + + case GICD_SPENDSGIR ... GICD_SPENDSGIRN: + if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width; +- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n", +- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n", ++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR); + return 0; + + /* Implementation defined -- write ignored */ +@@ -489,14 +493,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info) + goto write_ignore; + + default: +- printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", +- dabt.reg, *r, gicd_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.reg, *r, gicd_reg); + return 0; + } + + bad_width: +- printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", +- dabt.size, dabt.reg, *r, gicd_reg); ++ printk(XENLOG_G_ERR ++ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", ++ v, dabt.size, dabt.reg, *r, gicd_reg); + domain_crash_synchronous(); + return 0; + +-- +2.1.4 + diff --git a/main/xen/xsa119-unstable.patch b/main/xen/xsa119-unstable.patch new file mode 100644 index 0000000000..f696eb5b6e --- /dev/null +++ b/main/xen/xsa119-unstable.patch @@ -0,0 +1,99 @@ +From f433bfafbaf7d8a41c4c27aa3e8e78b1ab900b69 Mon Sep 17 00:00:00 2001 +From: Ian Campbell <ian.campbell@citrix.com> +Date: Fri, 20 Feb 2015 14:41:09 +0000 +Subject: [PATCH] tools: libxl: Explicitly disable graphics backends on qemu + cmdline + +By default qemu will try to create some sort of backend for the +emulated VGA device, either SDL or VNC. + +However when the user specifies sdl=0 and vnc=0 in their configuration +libxl was not explicitly disabling either backend, which could lead to +one unexpectedly running. + +If either sdl=1 or vnc=1 is configured then both before and after this +change only the backends which are explicitly enabled are configured, +i.e. this issue only occurs when all backends are supposed to have +been disabled. + +This affects qemu-xen and qemu-xen-traditional differently. + +If qemu-xen was compiled with SDL support then this would result in an +SDL window being opened if $DISPLAY is valid, or a failure to start +the guest if not. Passing "-display none" to qemu before any further +-sdl options disables this default behaviour and ensures that SDL is +only started if the libxl configuration demands it. + +If qemu-xen was compiled without SDL support then qemu would instead +start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1 +(IPv4 localhost) with IPv6 preferred if available. Explicitly pass +"-vnc none" when vnc is not enabled in the libxl configuration to +remove this possibility. + +qemu-xen-traditional would never start a vnc backend unless asked. +However by default it will start an SDL backend, the way to disable +this is to pass a -vnc option. In other words passing "-vnc none" will +disable both vnc and sdl by default. sdl can then be reenabled if +configured by subsequent use of the -sdl option. + +Tested with both qemu-xen and qemu-xen-traditional built with SDL +support and: + xl cr # defaults + xl cr sdl=0 vnc=0 + xl cr sdl=1 vnc=0 + xl cr sdl=0 vnc=1 + xl cr sdl=0 vnc=0 vga=\"none\" + xl cr sdl=0 vnc=0 nographic=1 +with both valid and invalid $DISPLAY. + +This is XSA-119. + +Reported-by: Sander Eikelenboom <linux@eikelenboom.it> +Signed-off-by: Ian Campbell <ian.campbell@citrix.com> +Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> +--- + tools/libxl/libxl_dm.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c +index 8599a6a..3b918c6 100644 +--- a/tools/libxl/libxl_dm.c ++++ b/tools/libxl/libxl_dm.c +@@ -180,7 +180,14 @@ static char ** libxl__build_device_model_args_old(libxl__gc *gc, + if (libxl_defbool_val(vnc->findunused)) { + flexarray_append(dm_args, "-vncunused"); + } +- } ++ } else ++ /* ++ * VNC is not enabled by default by qemu-xen-traditional, ++ * however passing -vnc none causes SDL to not be ++ * (unexpectedly) enabled by default. This is overridden by ++ * explicitly passing -sdl below as required. ++ */ ++ flexarray_append_pair(dm_args, "-vnc", "none"); + + if (sdl) { + flexarray_append(dm_args, "-sdl"); +@@ -522,7 +529,17 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, + } + + flexarray_append(dm_args, vncarg); +- } ++ } else ++ /* ++ * Ensure that by default no vnc server is created. ++ */ ++ flexarray_append_pair(dm_args, "-vnc", "none"); ++ ++ /* ++ * Ensure that by default no display backend is created. Further ++ * options given below might then enable more. ++ */ ++ flexarray_append_pair(dm_args, "-display", "none"); + + if (sdl) { + flexarray_append(dm_args, "-sdl"); +-- +2.1.4 + diff --git a/main/xen/xsa121.patch b/main/xen/xsa121.patch new file mode 100644 index 0000000000..f3d1397d6d --- /dev/null +++ b/main/xen/xsa121.patch @@ -0,0 +1,51 @@ +x86/HVM: return all ones on wrong-sized reads of system device I/O ports + +So far the value presented to the guest remained uninitialized. + +This is CVE-2015-2044 / XSA-121. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> + +--- a/xen/arch/x86/hvm/i8254.c ++++ b/xen/arch/x86/hvm/i8254.c +@@ -486,6 +486,7 @@ static int handle_pit_io( + if ( bytes != 1 ) + { + gdprintk(XENLOG_WARNING, "PIT bad access\n"); ++ *val = ~0; + return X86EMUL_OKAY; + } + +--- a/xen/arch/x86/hvm/pmtimer.c ++++ b/xen/arch/x86/hvm/pmtimer.c +@@ -213,6 +213,7 @@ static int handle_pmt_io( + if ( bytes != 4 ) + { + gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n"); ++ *val = ~0; + return X86EMUL_OKAY; + } + +--- a/xen/arch/x86/hvm/rtc.c ++++ b/xen/arch/x86/hvm/rtc.c +@@ -703,7 +703,8 @@ static int handle_rtc_io( + + if ( bytes != 1 ) + { +- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n"); ++ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n"); ++ *val = ~0; + return X86EMUL_OKAY; + } + +--- a/xen/arch/x86/hvm/vpic.c ++++ b/xen/arch/x86/hvm/vpic.c +@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io( + if ( bytes != 1 ) + { + gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes); ++ *val = ~0; + return X86EMUL_OKAY; + } + diff --git a/main/xen/xsa122.patch b/main/xen/xsa122.patch new file mode 100644 index 0000000000..1e58965b54 --- /dev/null +++ b/main/xen/xsa122.patch @@ -0,0 +1,40 @@ +pre-fill structures for certain HYPERVISOR_xen_version sub-ops + +... avoiding to pass hypervisor stack contents back to the caller +through space unused by the respective strings. + +This is CVE-2015-2045 / XSA-122. + +Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com> +Acked-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> + +--- a/xen/common/kernel.c ++++ b/xen/common/kernel.c +@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL + case XENVER_extraversion: + { + xen_extraversion_t extraversion; ++ ++ memset(extraversion, 0, sizeof(extraversion)); + safe_strcpy(extraversion, xen_extra_version()); + if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) ) + return -EFAULT; +@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL + case XENVER_compile_info: + { + struct xen_compile_info info; ++ ++ memset(&info, 0, sizeof(info)); + safe_strcpy(info.compiler, xen_compiler()); + safe_strcpy(info.compile_by, xen_compile_by()); + safe_strcpy(info.compile_domain, xen_compile_domain()); +@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL + case XENVER_changeset: + { + xen_changeset_info_t chgset; ++ ++ memset(chgset, 0, sizeof(chgset)); + safe_strcpy(chgset, xen_changeset()); + if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) ) + return -EFAULT; diff --git a/main/xen/xsa123.patch b/main/xen/xsa123.patch new file mode 100644 index 0000000000..653996d317 --- /dev/null +++ b/main/xen/xsa123.patch @@ -0,0 +1,24 @@ +x86emul: fully ignore segment override for register-only operations + +For ModRM encoded instructions with register operands we must not +overwrite ea.mem.seg (if a - bogus in that case - segment override was +present) as it aliases with ea.reg. + +This is CVE-2015-2151 / XSA-123. + +Reported-by: Felix Wilhelm <fwilhelm@ernw.de> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Tim Deegan <tim@xen.org> +Reviewed-by: Keir Fraser <keir@xen.org> + +--- a/xen/arch/x86/x86_emulate/x86_emulate.c ++++ b/xen/arch/x86/x86_emulate/x86_emulate.c +@@ -1757,7 +1757,7 @@ x86_emulate( + } + } + +- if ( override_seg != -1 ) ++ if ( override_seg != -1 && ea.type == OP_MEM ) + ea.mem.seg = override_seg; + + /* Early operand adjustments. */ diff --git a/main/xen/xsa125.patch b/main/xen/xsa125.patch new file mode 100644 index 0000000000..ad5dbb31c2 --- /dev/null +++ b/main/xen/xsa125.patch @@ -0,0 +1,154 @@ +From 98670acc98cad5aee0e0714694a64d3b96675c36 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Date: Wed, 19 Nov 2014 12:57:11 -0500 +Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to only process up + to 64 GFNs (or less) + +Said hypercall for large BARs can take quite a while. As such +we can require that the hypercall MUST break up the request +in smaller values. + +Another approach is to add preemption to it - whether we do the +preemption using hypercall_create_continuation or returning +EAGAIN to userspace (and have it re-invocate the call) - either +way the issue we cannot easily solve is that in 'map_mmio_regions' +if we encounter an error we MUST call 'unmap_mmio_regions' for the +whole BAR region. + +Since the preemption would re-use input fields such as nr_mfns, +first_gfn, first_mfn - we would lose the original values - +and only undo what was done in the current round (i.e. ignoring +anything that was done prior to earlier preemptions). + +Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but +that puts a limit (since the return value is a long) on the amount +of nr_mfns that can provided. + +This patch sidesteps this problem by: + - Setting an hard limit of nr_mfns having to be 64 or less. + - Toolstack adjusts correspondingly to the nr_mfn limit. + - If the there is an error when adding the toolstack will call the + remove operation to remove the whole region. + +The need to break this hypercall down is for large BARs can take +more than the guest (initial domain usually) time-slice. This has +the negative result in that the guest is locked out for a long +duration and is unable to act on any pending events. + +We also augment the code to return zero if nr_mfns instead +of trying to the hypercall. + +Suggested-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Jan Beulich <jbeulich@suse.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> +--- +[v50: Simplify loop] +[v51: If max_batch_sz 1 (or less) we would return zero. Fix that] +[v52: Handle nr_mfns being zero] +[v53: Fix up return value] +--- + tools/libxc/xc_domain.c | 46 +++++++++++++++++++++++++++++++++++++++++---- + xen/common/domctl.c | 5 +++++ + xen/include/public/domctl.h | 1 + + 3 files changed, 48 insertions(+), 4 deletions(-) + +diff --git a/tools/libxc/xc_domain.c b/tools/libxc/xc_domain.c +index 845d1d7..bba7672 100644 +--- a/tools/libxc/xc_domain.c ++++ b/tools/libxc/xc_domain.c +@@ -1988,6 +1988,8 @@ int xc_domain_memory_mapping( + { + DECLARE_DOMCTL; + xc_dominfo_t info; ++ int ret = 0, err; ++ unsigned long done = 0, nr, max_batch_sz; + + if ( xc_domain_getinfo(xch, domid, 1, &info) != 1 || + info.domid != domid ) +@@ -1998,14 +2000,50 @@ int xc_domain_memory_mapping( + if ( !xc_core_arch_auto_translated_physmap(&info) ) + return 0; + ++ if ( !nr_mfns ) ++ return 0; ++ + domctl.cmd = XEN_DOMCTL_memory_mapping; + domctl.domain = domid; +- domctl.u.memory_mapping.first_gfn = first_gfn; +- domctl.u.memory_mapping.first_mfn = first_mfn; +- domctl.u.memory_mapping.nr_mfns = nr_mfns; + domctl.u.memory_mapping.add_mapping = add_mapping; ++ max_batch_sz = nr_mfns; ++ do ++ { ++ nr = min(nr_mfns - done, max_batch_sz); ++ domctl.u.memory_mapping.nr_mfns = nr; ++ domctl.u.memory_mapping.first_gfn = first_gfn + done; ++ domctl.u.memory_mapping.first_mfn = first_mfn + done; ++ err = do_domctl(xch, &domctl); ++ if ( err && errno == E2BIG ) ++ { ++ if ( max_batch_sz <= 1 ) ++ break; ++ max_batch_sz >>= 1; ++ continue; ++ } ++ /* Save the first error... */ ++ if ( !ret ) ++ ret = err; ++ /* .. and ignore the rest of them when removing. */ ++ if ( err && add_mapping != DPCI_REMOVE_MAPPING ) ++ break; + +- return do_domctl(xch, &domctl); ++ done += nr; ++ } while ( done < nr_mfns ); ++ ++ /* ++ * Undo what we have done unless unmapping, by unmapping the entire region. ++ * Errors here are ignored. ++ */ ++ if ( ret && add_mapping != DPCI_REMOVE_MAPPING ) ++ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns, ++ DPCI_REMOVE_MAPPING); ++ ++ /* We might get E2BIG so many times that we never advance. */ ++ if ( !done && !ret ) ++ ret = -1; ++ ++ return ret; + } + + int xc_domain_ioport_mapping( +diff --git a/xen/common/domctl.c b/xen/common/domctl.c +index d396cc4..c2e60a7 100644 +--- a/xen/common/domctl.c ++++ b/xen/common/domctl.c +@@ -1027,6 +1027,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) + (gfn + nr_mfns - 1) < gfn ) /* wrap? */ + break; + ++ ret = -E2BIG; ++ /* Must break hypercall up as this could take a while. */ ++ if ( nr_mfns > 64 ) ++ break; ++ + ret = -EPERM; + if ( !iomem_access_permitted(current->domain, mfn, mfn_end) || + !iomem_access_permitted(d, mfn, mfn_end) ) +diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h +index ca0e51e..0c9f474 100644 +--- a/xen/include/public/domctl.h ++++ b/xen/include/public/domctl.h +@@ -543,6 +543,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_pt_irq_t); + + + /* Bind machine I/O address range -> HVM address range. */ ++/* If this returns -E2BIG lower nr_mfns value. */ + /* XEN_DOMCTL_memory_mapping */ + #define DPCI_ADD_MAPPING 1 + #define DPCI_REMOVE_MAPPING 0 +-- +2.1.0 + diff --git a/main/xen/xsa126-qemut.patch b/main/xen/xsa126-qemut.patch new file mode 100644 index 0000000000..796ff9e541 --- /dev/null +++ b/main/xen/xsa126-qemut.patch @@ -0,0 +1,151 @@ +xen: limit guest control of PCI command register + +Otherwise the guest can abuse that control to cause e.g. PCIe +Unsupported Request responses (by disabling memory and/or I/O decoding +and subsequently causing [CPU side] accesses to the respective address +ranges), which (depending on system configuration) may be fatal to the +host. + +This is CVE-2015-2756 / XSA-126. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> + +--- a/tools/qemu-xen-traditional/hw/pass-through.c ++++ b/tools/qemu-xen-traditional/hw/pass-through.c +@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de + static int pt_long_reg_read(struct pt_dev *ptdev, + struct pt_reg_tbl *cfg_entry, + uint32_t *value, uint32_t valid_mask); +-static int pt_cmd_reg_read(struct pt_dev *ptdev, +- struct pt_reg_tbl *cfg_entry, +- uint16_t *value, uint16_t valid_mask); + static int pt_bar_reg_read(struct pt_dev *ptdev, + struct pt_reg_tbl *cfg_entry, + uint32_t *value, uint32_t valid_mask); +@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg + .size = 2, + .init_val = 0x0000, + .ro_mask = 0xF880, +- .emu_mask = 0x0740, ++ .emu_mask = 0x0743, + .init = pt_common_reg_init, +- .u.w.read = pt_cmd_reg_read, ++ .u.w.read = pt_word_reg_read, + .u.w.write = pt_cmd_reg_write, + .u.w.restore = pt_cmd_reg_restore, + }, +@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d + return rc; + } + +-static int pt_register_regions(struct pt_dev *assigned_device) ++static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd) + { + int i = 0; + uint32_t bar_data = 0; +@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt + + /* Register current region */ + if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO ) ++ { + pci_register_io_region((PCIDevice *)assigned_device, i, + (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO, + pt_ioport_map); ++ *cmd |= PCI_COMMAND_IO; ++ } + else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH ) ++ { + pci_register_io_region((PCIDevice *)assigned_device, i, + (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH, + pt_iomem_map); ++ *cmd |= PCI_COMMAND_MEMORY; ++ } + else ++ { + pci_register_io_region((PCIDevice *)assigned_device, i, + (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM, + pt_iomem_map); ++ *cmd |= PCI_COMMAND_MEMORY; ++ } + + PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n", + (uint32_t)(pci_dev->size[i]), +@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de + return 0; + } + +-/* read Command register */ +-static int pt_cmd_reg_read(struct pt_dev *ptdev, +- struct pt_reg_tbl *cfg_entry, +- uint16_t *value, uint16_t valid_mask) +-{ +- struct pt_reg_info_tbl *reg = cfg_entry->reg; +- uint16_t valid_emu_mask = 0; +- uint16_t emu_mask = reg->emu_mask; +- +- if ( ptdev->is_virtfn ) +- emu_mask |= PCI_COMMAND_MEMORY; +- if ( pt_is_iomul(ptdev) ) +- emu_mask |= PCI_COMMAND_IO; +- +- /* emulate word register */ +- valid_emu_mask = emu_mask & valid_mask; +- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); +- +- return 0; +-} +- + /* read BAR */ + static int pt_bar_reg_read(struct pt_dev *ptdev, + struct pt_reg_tbl *cfg_entry, +@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de + uint16_t writable_mask = 0; + uint16_t throughable_mask = 0; + uint16_t wr_value = *value; +- uint16_t emu_mask = reg->emu_mask; +- +- if ( ptdev->is_virtfn ) +- emu_mask |= PCI_COMMAND_MEMORY; +- if ( pt_is_iomul(ptdev) ) +- emu_mask |= PCI_COMMAND_IO; + + /* modify emulate register */ + writable_mask = ~reg->ro_mask & valid_mask; + cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask); + + /* create value for writing to I/O device register */ +- throughable_mask = ~emu_mask & valid_mask; ++ throughable_mask = ~reg->emu_mask & valid_mask; + + if (*value & PCI_COMMAND_DISABLE_INTx) + { +@@ -4211,6 +4190,7 @@ static struct pt_dev * register_real_dev + struct pt_dev *assigned_device = NULL; + struct pci_dev *pci_dev; + uint8_t e_device, e_intx; ++ uint16_t cmd = 0; + char *key, *val; + int msi_translate, power_mgmt; + +@@ -4300,7 +4280,7 @@ static struct pt_dev * register_real_dev + assigned_device->dev.config[i] = pci_read_byte(pci_dev, i); + + /* Handle real device's MMIO/PIO BARs */ +- pt_register_regions(assigned_device); ++ pt_register_regions(assigned_device, &cmd); + + /* Setup VGA bios for passthroughed gfx */ + if ( setup_vga_pt(assigned_device) < 0 ) +@@ -4378,6 +4358,10 @@ static struct pt_dev * register_real_dev + } + + out: ++ if (cmd) ++ pci_write_word(pci_dev, PCI_COMMAND, ++ *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd); ++ + PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n" + "IRQ type = %s\n", r_bus, r_dev, r_func, + assigned_device->msi_trans_en? "MSI-INTx":"INTx"); diff --git a/main/xen/xsa126-qemuu.patch b/main/xen/xsa126-qemuu.patch new file mode 100644 index 0000000000..84fd4ae340 --- /dev/null +++ b/main/xen/xsa126-qemuu.patch @@ -0,0 +1,128 @@ +xen: limit guest control of PCI command register + +Otherwise the guest can abuse that control to cause e.g. PCIe +Unsupported Request responses (by disabling memory and/or I/O decoding +and subsequently causing [CPU side] accesses to the respective address +ranges), which (depending on system configuration) may be fatal to the +host. + +This is CVE-2015-2756 / XSA-126. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> + +--- a/tools/qemu-xen/hw/xen/xen_pt.c ++++ b/tools/qemu-xen/hw/xen/xen_pt.c +@@ -388,7 +388,7 @@ static const MemoryRegionOps ops = { + .write = xen_pt_bar_write, + }; + +-static int xen_pt_register_regions(XenPCIPassthroughState *s) ++static int xen_pt_register_regions(XenPCIPassthroughState *s, uint16_t *cmd) + { + int i = 0; + XenHostPCIDevice *d = &s->real_device; +@@ -406,6 +406,7 @@ static int xen_pt_register_regions(XenPC + + if (r->type & XEN_HOST_PCI_REGION_TYPE_IO) { + type = PCI_BASE_ADDRESS_SPACE_IO; ++ *cmd |= PCI_COMMAND_IO; + } else { + type = PCI_BASE_ADDRESS_SPACE_MEMORY; + if (r->type & XEN_HOST_PCI_REGION_TYPE_PREFETCH) { +@@ -414,6 +415,7 @@ static int xen_pt_register_regions(XenPC + if (r->type & XEN_HOST_PCI_REGION_TYPE_MEM_64) { + type |= PCI_BASE_ADDRESS_MEM_TYPE_64; + } ++ *cmd |= PCI_COMMAND_MEMORY; + } + + memory_region_init_io(&s->bar[i], OBJECT(s), &ops, &s->dev, +@@ -638,6 +640,7 @@ static int xen_pt_initfn(PCIDevice *d) + XenPCIPassthroughState *s = DO_UPCAST(XenPCIPassthroughState, dev, d); + int rc = 0; + uint8_t machine_irq = 0; ++ uint16_t cmd = 0; + int pirq = XEN_PT_UNASSIGNED_PIRQ; + + /* register real device */ +@@ -672,7 +675,7 @@ static int xen_pt_initfn(PCIDevice *d) + s->io_listener = xen_pt_io_listener; + + /* Handle real device's MMIO/PIO BARs */ +- xen_pt_register_regions(s); ++ xen_pt_register_regions(s, &cmd); + + /* reinitialize each config register to be emulated */ + if (xen_pt_config_init(s)) { +@@ -736,6 +739,11 @@ static int xen_pt_initfn(PCIDevice *d) + } + + out: ++ if (cmd) { ++ xen_host_pci_set_word(&s->real_device, PCI_COMMAND, ++ pci_get_word(d->config + PCI_COMMAND) | cmd); ++ } ++ + memory_listener_register(&s->memory_listener, &address_space_memory); + memory_listener_register(&s->io_listener, &address_space_io); + XEN_PT_LOG(d, +--- a/tools/qemu-xen/hw/xen/xen_pt_config_init.c ++++ b/tools/qemu-xen/hw/xen/xen_pt_config_init.c +@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI + } + + /* Command register */ +-static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry, +- uint16_t *value, uint16_t valid_mask) +-{ +- XenPTRegInfo *reg = cfg_entry->reg; +- uint16_t valid_emu_mask = 0; +- uint16_t emu_mask = reg->emu_mask; +- +- if (s->is_virtfn) { +- emu_mask |= PCI_COMMAND_MEMORY; +- } +- +- /* emulate word register */ +- valid_emu_mask = emu_mask & valid_mask; +- *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); +- +- return 0; +-} + static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry, + uint16_t *val, uint16_t dev_value, + uint16_t valid_mask) +@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa + XenPTRegInfo *reg = cfg_entry->reg; + uint16_t writable_mask = 0; + uint16_t throughable_mask = 0; +- uint16_t emu_mask = reg->emu_mask; +- +- if (s->is_virtfn) { +- emu_mask |= PCI_COMMAND_MEMORY; +- } + + /* modify emulate register */ + writable_mask = ~reg->ro_mask & valid_mask; + cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask); + + /* create value for writing to I/O device register */ +- throughable_mask = ~emu_mask & valid_mask; ++ throughable_mask = ~reg->emu_mask & valid_mask; + + if (*val & PCI_COMMAND_INTX_DISABLE) { + throughable_mask |= PCI_COMMAND_INTX_DISABLE; +@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade + .size = 2, + .init_val = 0x0000, + .ro_mask = 0xF880, +- .emu_mask = 0x0740, ++ .emu_mask = 0x0743, + .init = xen_pt_common_reg_init, +- .u.w.read = xen_pt_cmd_reg_read, ++ .u.w.read = xen_pt_word_reg_read, + .u.w.write = xen_pt_cmd_reg_write, + }, + /* Capabilities Pointer reg */ diff --git a/main/xen/xsa127-4.x.patch b/main/xen/xsa127-4.x.patch new file mode 100644 index 0000000000..463b1ddf77 --- /dev/null +++ b/main/xen/xsa127-4.x.patch @@ -0,0 +1,50 @@ +domctl: don't allow a toolstack domain to call domain_pause() on itself + +These DOMCTL subops were accidentally declared safe for disaggregation +in the wake of XSA-77. + +This is XSA-127. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Ian Campbell <ian.campbell@citrix.com> + +--- a/xen/arch/x86/domctl.c ++++ b/xen/arch/x86/domctl.c +@@ -888,6 +888,10 @@ long arch_do_domctl( + { + xen_guest_tsc_info_t info; + ++ ret = -EINVAL; ++ if ( d == current->domain ) /* no domain_pause() */ ++ break; ++ + domain_pause(d); + tsc_get_info(d, &info.tsc_mode, + &info.elapsed_nsec, +@@ -903,6 +907,10 @@ long arch_do_domctl( + + case XEN_DOMCTL_settscinfo: + { ++ ret = -EINVAL; ++ if ( d == current->domain ) /* no domain_pause() */ ++ break; ++ + domain_pause(d); + tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode, + domctl->u.tsc_info.info.elapsed_nsec, +--- a/xen/common/domctl.c ++++ b/xen/common/domctl.c +@@ -522,8 +522,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe + + case XEN_DOMCTL_resumedomain: + { +- domain_resume(d); +- ret = 0; ++ if ( d == current->domain ) /* no domain_pause() */ ++ ret = -EINVAL; ++ else ++ domain_resume(d); + } + break; + diff --git a/main/xen/xsa132.patch b/main/xen/xsa132.patch new file mode 100644 index 0000000000..321c87bf62 --- /dev/null +++ b/main/xen/xsa132.patch @@ -0,0 +1,29 @@ +domctl/sysctl: don't leak hypervisor stack to toolstacks + +This is XSA-132. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +--- a/xen/arch/x86/domctl.c ++++ b/xen/arch/x86/domctl.c +@@ -884,7 +884,7 @@ long arch_do_domctl( + + case XEN_DOMCTL_gettscinfo: + { +- xen_guest_tsc_info_t info; ++ xen_guest_tsc_info_t info = { 0 }; + + ret = -EINVAL; + if ( d == current->domain ) /* no domain_pause() */ +--- a/xen/common/sysctl.c ++++ b/xen/common/sysctl.c +@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe + case XEN_SYSCTL_getdomaininfolist: + { + struct domain *d; +- struct xen_domctl_getdomaininfo info; ++ struct xen_domctl_getdomaininfo info = { 0 }; + u32 num_domains = 0; + + rcu_read_lock(&domlist_read_lock); diff --git a/main/xen/xsa133-qemut.patch b/main/xen/xsa133-qemut.patch new file mode 100644 index 0000000000..fa8a2073ab --- /dev/null +++ b/main/xen/xsa133-qemut.patch @@ -0,0 +1,80 @@ +From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Wed, 6 May 2015 09:48:59 +0200 +Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> +--- + hw/fdc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/fdc.c b/hw/fdc.c +index b00a4ec..aba02e4 100644 +--- a/tools/qemu-xen-traditional/hw/fdc.c ++++ b/tools/qemu-xen-traditional/hw/fdc.c +@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) + { + fdrive_t *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) + { + fdrive_t *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + { + fdrive_t *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command diff --git a/main/xen/xsa133-qemuu.patch b/main/xen/xsa133-qemuu.patch new file mode 100644 index 0000000000..75611ada3c --- /dev/null +++ b/main/xen/xsa133-qemuu.patch @@ -0,0 +1,84 @@ +From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Wed, 6 May 2015 09:48:59 +0200 +Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reviewed-by: John Snow <jsnow@redhat.com> +--- + hw/block/fdc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index f72a392..d8a8edd 100644 +--- a/tools/qemu-xen/hw/block/fdc.c ++++ b/tools/qemu-xen/hw/block/fdc.c +@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + { + FDrive *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) + static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) + { + FDrive *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; + static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + { + FDrive *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command +-- +2.1.0 + + |