-rw-r--r-- | main/xen/APKBUILD | 30 | ||||
-rw-r--r-- | main/xen/make_stubdoms.patch | 184 | ||||
-rw-r--r-- | main/xen/xsa20.patch | 38 | ||||
-rw-r--r-- | main/xen/xsa22-4.2-unstable.patch | 40 | ||||
-rw-r--r-- | main/xen/xsa23-4.2-unstable.patch | 32 | ||||
-rw-r--r-- | main/xen/xsa24.patch | 26 | ||||
-rw-r--r-- | main/xen/xsa25-4.2.patch | 365 | ||||
-rw-r--r-- | main/xen/xsa26-4.2.patch | 105 | ||||
-rw-r--r-- | main/xen/xsa27-4.2.patch | 136 | ||||
-rw-r--r-- | main/xen/xsa29-4.2-unstable.patch | 49 | ||||
-rw-r--r-- | main/xen/xsa30-4.2.patch | 56 | ||||
-rw-r--r-- | main/xen/xsa31-4.2-unstable.patch | 50 | ||||
-rw-r--r-- | main/xen/xsa32-4.2.patch | 22 |
13 files changed, 3 insertions, 1130 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index e9503e8ab1..36c11c7c3b 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
-pkgver=4.2.0
-pkgrel=7
+pkgver=4.2.1
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -17,19 +17,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor $pkgnam
 source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
  qemu_uclibc_configure.patch
  librt.patch
- make_stubdoms.patch
  qemu-xen_paths.patch
- xsa20.patch
- xsa22-4.2-unstable.patch
- xsa23-4.2-unstable.patch
- xsa24.patch
- xsa25-4.2.patch
- xsa26-4.2.patch
- xsa27-4.2.patch
- xsa29-4.2-unstable.patch
- xsa30-4.2.patch
- xsa31-4.2-unstable.patch
- xsa32-4.2.patch
  xenstored.initd
  xenstored.confd
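Review bot: The `source=` list drops the eleven xsa*.patch files and make_stubdoms.patch without any record in the APKBUILD that the corresponding fixes are carried by the 4.2.1 tarball, so a later reader cannot distinguish a deliberate upstream consolidation from an accidental loss of security patches. If the release has been checked against the Xen 4.2.1 announcement and the XSA index, add a one-line comment above `source=` such as `# 4.2.1 carries the XSA-20, XSA-22..27 and XSA-29..32 fixes previously applied as local patches`; if it has not, that check is the gate for this bump. The deleted patch headers on this page name CVE-2012-4535, -4537, -4538, -4539, -4544 and -5510, which is the minimum that comparison should cover. The `source=` assignment continues past the end of the hunk.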
@@ -139,22 +127,10 @@ xend() { -exec mv '{}' "$subpkgdir"/"$sitepackages"/xen \; } -md5sums="f4f217969afc38f09251039966d91a87 xen-4.2.0.tar.gz +md5sums="0d48cbe1767b82aba12517898d4e0408 xen-4.2.1.tar.gz 506e7ab6f9482dc95f230978d340bcd9 qemu_uclibc_configure.patch 2dc5ddf47c53ea168729975046c3c1f9 librt.patch -41ad48fdc269749776fa6aa04f6778c2 make_stubdoms.patch 1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch -fb7e76f00c2a4e63b408cb67df7d1a7b xsa20.patch -5a67dfac5e6f5a0836aeaefa1804c09f xsa22-4.2-unstable.patch -9151e7c648b12f518826ad0f0a67da42 xsa23-4.2-unstable.patch -9bd8b30094f8eb2408846c1b6ed0cad6 xsa24.patch -9fc7097ed2e5e756c4ae91145c143433 xsa25-4.2.patch -281ad5fefa8856a5b431a7830be6c370 xsa26-4.2.patch -d8cb820b85f86caa58ce1cc215aac069 xsa27-4.2.patch -405531d7e434be9bc663c601d4dc67a4 xsa29-4.2-unstable.patch -23f5ca5789f5358b8d2f8ce998db5ed6 xsa30-4.2.patch -78fa8ac0ac907dd3ae7ef02bea623bb5 xsa31-4.2-unstable.patch -2bd8f676273e644910e6a907372dfa31 xsa32-4.2.patch 95d8af17bf844d41a015ff32aae51ba1 xenstored.initd b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd ed262f15fb880badb53575539468646c xenconsoled.initd diff --git a/main/xen/make_stubdoms.patch b/main/xen/make_stubdoms.patch deleted file mode 100644 index 0587ef1a58..0000000000 --- a/main/xen/make_stubdoms.patch +++ /dev/null 
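Review bot: The only integrity anchor for the new tarball is the MD5 `0d48cbe1767b82aba12517898d4e0408` on the `md5sums=` line, while the download URL on the `source=` line is plain http, and nothing in the commit says whether that hash was taken from upstream's published checksum or simply from the fetched file. Record the provenance in the commit message (or in a comment next to `md5sums=`), and where the abuild in use supports `sha256sums=`/`sha512sums=`, prefer those over MD5 for new pins. The twelve removed md5 entries match the twelve files dropped from `source=` in the previous hunk, so no stale checksum is left behind. The hunk opens inside the `xend()` function, whose start lies outside the hunk.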
@@ -1,184 +0,0 @@ -diff --git a/stubdom/Makefile b/stubdom/Makefile -index 2da70e3..618624c 100644 ---- a/stubdom/Makefile -+++ b/stubdom/Makefile -@@ -76,8 +76,6 @@ TARGET_LDFLAGS += -nostdlib -L$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib - - TARGETS=ioemu c caml grub xenstore - --CROSS_MAKE := $(MAKE) DESTDIR= -- - .PHONY: all - all: build - ifeq ($(STUBDOM_SUPPORTED),1) -@@ -113,8 +111,8 @@ $(NEWLIB_STAMPFILE): mk-headers-$(XEN_TARGET_ARCH) newlib-$(NEWLIB_VERSION) - mkdir -p newlib-$(XEN_TARGET_ARCH) - ( cd newlib-$(XEN_TARGET_ARCH) && \ - CC_FOR_TARGET="$(CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) $(NEWLIB_CFLAGS)" AR_FOR_TARGET=$(AR) LD_FOR_TARGET=$(LD) RANLIB_FOR_TARGET=$(RANLIB) ../newlib-$(NEWLIB_VERSION)/configure --prefix=$(CROSS_PREFIX) --verbose --target=$(GNU_TARGET_ARCH)-xen-elf --enable-newlib-io-long-long --disable-multilib && \ -- $(CROSS_MAKE) && \ -- $(CROSS_MAKE) install ) -+ $(MAKE) DESTDIR= && \ -+ $(MAKE) DESTDIR= install ) - - ############ - # Cross-zlib -@@ -133,8 +131,8 @@ cross-zlib: $(ZLIB_STAMPFILE) - $(ZLIB_STAMPFILE): zlib-$(XEN_TARGET_ARCH) $(NEWLIB_STAMPFILE) - ( cd $< && \ - CFLAGS="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" CC=$(CC) ./configure --prefix=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf && \ -- $(CROSS_MAKE) libz.a && \ -- $(CROSS_MAKE) install ) -+ $(MAKE) DESTDIR= libz.a && \ -+ $(MAKE) DESTDIR= install ) - - ############## - # Cross-libpci -@@ -158,7 +156,7 @@ $(LIBPCI_STAMPFILE): pciutils-$(XEN_TARGET_ARCH) $(NEWLIB_STAMPFILE) $(ZLIB_STAM - chmod u+w lib/config.h && \ - echo '#define PCILIB_VERSION "$(LIBPCI_VERSION)"' >> lib/config.h && \ - ln -sf ../../libpci.config.mak lib/config.mk && \ -- $(CROSS_MAKE) CC="$(CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -I$(call realpath,$(MINI_OS)/include)" lib/libpci.a && \ -+ $(MAKE) DESTDIR= CC="$(CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -I$(call realpath,$(MINI_OS)/include)" lib/libpci.a && \ - $(INSTALL_DATA) lib/libpci.a $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib/ && \ - 
$(INSTALL_DIR) $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include/pci && \ - $(INSTALL_DATA) lib/config.h lib/header.h lib/pci.h lib/types.h $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include/pci/ \ -@@ -203,8 +201,8 @@ $(OCAML_STAMPFILE): ocaml-$(XEN_TARGET_ARCH)/.dirstamp - -no-pthread -no-shared-libs -no-tk -no-curses \ - -cc "$(CC) -U_FORTIFY_SOURCE -fno-stack-protector -mno-red-zone" - $(foreach i,$(MINIOS_HASNOT),sed -i 's,^\(#define HAS_$(i)\),//\1,' ocaml-$(XEN_TARGET_ARCH)/config/s.h ; ) -- $(CROSS_MAKE) -C ocaml-$(XEN_TARGET_ARCH) world -- $(CROSS_MAKE) -C ocaml-$(XEN_TARGET_ARCH) opt -+ $(MAKE) DESTDIR= -C ocaml-$(XEN_TARGET_ARCH) world -+ $(MAKE) DESTDIR= -C ocaml-$(XEN_TARGET_ARCH) opt - $(MAKE) -C ocaml-$(XEN_TARGET_ARCH) install - touch $@ - -@@ -219,7 +217,7 @@ QEMU_ROOT := $(shell if [ -d "$(CONFIG_QEMU)" ]; then echo "$(CONFIG_QEMU)"; els - - ifeq ($(QEMU_ROOT),.) - $(XEN_ROOT)/tools/qemu-xen-traditional-dir: -- $(CROSS_MAKE) -C $(XEN_ROOT)/tools qemu-xen-traditional-dir-find -+ $(MAKE) DESTDIR= -C $(XEN_ROOT)/tools qemu-xen-traditional-dir-find - - ioemu/linkfarm.stamp: $(XEN_ROOT)/tools/qemu-xen-traditional-dir - mkdir -p ioemu -@@ -250,7 +248,7 @@ mk-headers-$(XEN_TARGET_ARCH): ioemu/linkfarm.stamp - ( [ -h include/xen/libelf ] || ln -sf $(XEN_ROOT)/tools/include/xen/libelf include/xen/libelf ) && \ - mkdir -p include/xen-foreign && \ - ln -sf $(wildcard $(XEN_ROOT)/tools/include/xen-foreign/*) include/xen-foreign/ && \ -- $(CROSS_MAKE) -C include/xen-foreign/ && \ -+ $(MAKE) DESTDIR= -C include/xen-foreign/ && \ - ( [ -h include/xen/foreign ] || ln -sf ../xen-foreign include/xen/foreign ) - mkdir -p libxc-$(XEN_TARGET_ARCH) - [ -h libxc-$(XEN_TARGET_ARCH)/Makefile ] || ( cd libxc-$(XEN_TARGET_ARCH) && \ -@@ -267,7 +265,7 @@ mk-headers-$(XEN_TARGET_ARCH): ioemu/linkfarm.stamp - ln -sf $(XEN_ROOT)/tools/xenstore/*.c . && \ - ln -sf $(XEN_ROOT)/tools/xenstore/*.h . && \ - ln -sf $(XEN_ROOT)/tools/xenstore/Makefile . 
) -- $(CROSS_MAKE) -C $(MINI_OS) links -+ $(MAKE) DESTDIR= -C $(MINI_OS) links - touch mk-headers-$(XEN_TARGET_ARCH) - - TARGETS_MINIOS=$(addprefix mini-os-$(XEN_TARGET_ARCH)-,$(TARGETS)) -@@ -284,7 +282,7 @@ $(TARGETS_MINIOS): mini-os-%: - .PHONY: libxc - libxc: libxc-$(XEN_TARGET_ARCH)/libxenctrl.a libxc-$(XEN_TARGET_ARCH)/libxenguest.a - libxc-$(XEN_TARGET_ARCH)/libxenctrl.a: cross-zlib -- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C libxc-$(XEN_TARGET_ARCH) -+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C libxc-$(XEN_TARGET_ARCH) - - libxc-$(XEN_TARGET_ARCH)/libxenguest.a: libxc-$(XEN_TARGET_ARCH)/libxenctrl.a - -@@ -302,7 +300,7 @@ ioemu: cross-zlib cross-libpci libxc - TARGET_CFLAGS="$(TARGET_CFLAGS)" \ - TARGET_LDFLAGS="$(TARGET_LDFLAGS)" \ - $(QEMU_ROOT)/xen-setup-stubdom ) -- $(CROSS_MAKE) -C ioemu -f $(QEMU_ROOT)/Makefile -+ $(MAKE) DESTDIR= -C ioemu -f $(QEMU_ROOT)/Makefile - - ###### - # caml -@@ -310,7 +308,7 @@ ioemu: cross-zlib cross-libpci libxc - - .PHONY: caml - caml: $(CROSS_ROOT) -- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) OCAMLC_CROSS_PREFIX=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/bin/ -+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) OCAMLC_CROSS_PREFIX=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/bin/ - - ### - # C -@@ -318,7 +316,7 @@ caml: $(CROSS_ROOT) - - .PHONY: c - c: $(CROSS_ROOT) -- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) -+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) - - ###### - # Grub -@@ -337,7 +335,7 @@ grub-upstream: grub-$(GRUB_VERSION).tar.gz - .PHONY: grub - grub: grub-upstream $(CROSS_ROOT) - mkdir -p grub-$(XEN_TARGET_ARCH) -- CPPFLAGS="$(TARGET_CPPFLAGS)" 
CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ OBJ_DIR=$(CURDIR)/grub-$(XEN_TARGET_ARCH) -+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ OBJ_DIR=$(CURDIR)/grub-$(XEN_TARGET_ARCH) - - ########## - # xenstore -@@ -345,7 +343,7 @@ grub: grub-upstream $(CROSS_ROOT) - - .PHONY: xenstore - xenstore: $(CROSS_ROOT) -- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ xenstored.a CONFIG_STUBDOM=y -+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ xenstored.a CONFIG_STUBDOM=y - - ######## - # minios -@@ -354,23 +352,23 @@ xenstore: $(CROSS_ROOT) - .PHONY: ioemu-stubdom - ioemu-stubdom: APP_OBJS=$(CURDIR)/ioemu/i386-stubdom/qemu.a $(CURDIR)/ioemu/i386-stubdom/libqemu.a $(CURDIR)/ioemu/libqemu_common.a - ioemu-stubdom: mini-os-$(XEN_TARGET_ARCH)-ioemu lwip-$(XEN_TARGET_ARCH) libxc ioemu -- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/ioemu-minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(APP_OBJS)" -+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/ioemu-minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(APP_OBJS)" - - .PHONY: caml-stubdom - caml-stubdom: mini-os-$(XEN_TARGET_ARCH)-caml lwip-$(XEN_TARGET_ARCH) libxc cross-ocaml caml -- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/caml/minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(CURDIR)/caml/main-caml.o $(CURDIR)/caml/caml.o $(CAMLLIB)/libasmrun.a" -+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/caml/minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) 
OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(CURDIR)/caml/main-caml.o $(CURDIR)/caml/caml.o $(CAMLLIB)/libasmrun.a" - - .PHONY: c-stubdom - c-stubdom: mini-os-$(XEN_TARGET_ARCH)-c lwip-$(XEN_TARGET_ARCH) libxc c -- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/c/minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS=$(CURDIR)/c/main.a -+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/c/minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS=$(CURDIR)/c/main.a - - .PHONY: pv-grub - pv-grub: mini-os-$(XEN_TARGET_ARCH)-grub libxc grub -- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/grub/minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/grub-$(XEN_TARGET_ARCH)/main.a -+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/grub/minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/grub-$(XEN_TARGET_ARCH)/main.a - - .PHONY: xenstore-stubdom - xenstore-stubdom: mini-os-$(XEN_TARGET_ARCH)-xenstore libxc xenstore -- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/xenstore-minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/xenstore/xenstored.a -+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/xenstore-minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/xenstore/xenstored.a - - ######### - # install -@@ -412,13 +410,13 @@ clean: - rm -fr mini-os-$(XEN_TARGET_ARCH)-caml - rm -fr 
mini-os-$(XEN_TARGET_ARCH)-grub - rm -fr mini-os-$(XEN_TARGET_ARCH)-xenstore -- $(CROSS_MAKE) -C caml clean -- $(CROSS_MAKE) -C c clean -+ $(MAKE) DESTDIR= -C caml clean -+ $(MAKE) DESTDIR= -C c clean - rm -fr grub-$(XEN_TARGET_ARCH) - rm -f $(STUBDOMPATH) -- [ ! -d libxc-$(XEN_TARGET_ARCH) ] || $(CROSS_MAKE) -C libxc-$(XEN_TARGET_ARCH) clean -- -[ ! -d ioemu ] || $(CROSS_MAKE) -C ioemu clean -- -[ ! -d xenstore ] || $(CROSS_MAKE) -C xenstore clean -+ [ ! -d libxc-$(XEN_TARGET_ARCH) ] || $(MAKE) DESTDIR= -C libxc-$(XEN_TARGET_ARCH) clean -+ -[ ! -d ioemu ] || $(MAKE) DESTDIR= -C ioemu clean -+ -[ ! -d xenstore ] || $(MAKE) DESTDIR= -C xenstore clean - - # clean the cross-compilation result - .PHONY: crossclean diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch deleted file mode 100644 index bedd318f65..0000000000 --- a/main/xen/xsa20.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability - -The timer action for a vcpu periodic timer is to calculate the next -expiry time, and to reinsert itself into the timer queue. If the -deadline ends up in the past, Xen never leaves __do_softirq(). The -affected PCPU will stay in an infinite loop until Xen is killed by the -watchdog (if enabled). - -This is a security problem, XSA-20 / CVE-2012-4535. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - -diff -r 478ba3f146df xen/common/domain.c ---- a/xen/common/domain.c -+++ b/xen/common/domain.c -@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN - if ( set.period_ns < MILLISECS(1) ) - return -EINVAL; - -+ if ( set.period_ns > STIME_DELTA_MAX ) -+ return -EINVAL; -+ - v->periodic_period = set.period_ns; - vcpu_force_reschedule(v); - -diff -r 478ba3f146df xen/include/xen/time.h ---- a/xen/include/xen/time.h -+++ b/xen/include/xen/time.h -@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); - #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) - #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) - #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) -+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ -+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) - - extern void update_vcpu_system_time(struct vcpu *v); - extern void update_domain_wallclock_time(struct domain *d); diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch deleted file mode 100644 index e15fd73534..0000000000 --- a/main/xen/xsa22-4.2-unstable.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -x86/physmap: Prevent incorrect updates of m2p mappings - -In certain conditions, such as low memory, set_p2m_entry() can fail. -Currently, the p2m and m2p tables will get out of sync because we still -update the m2p table after the p2m update has failed. - -If that happens, subsequent guest-invoked memory operations can cause -BUG()s and ASSERT()s to kill Xen. - -This is fixed by only updating the m2p table iff the p2m was -successfully updated. - -This is a security problem, XSA-22 / CVE-2012-4537. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> - -diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c ---- a/xen/arch/x86/mm/p2m.c -+++ b/xen/arch/x86/mm/p2m.c -@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d - if ( mfn_valid(_mfn(mfn)) ) - { - if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) -+ { - rc = -EINVAL; -+ goto out; /* Failed to update p2m, bail without updating m2p. */ -+ } - if ( !p2m_is_grant(t) ) - { - for ( i = 0; i < (1UL << page_order); i++ ) -@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d - } - } - -+out: - p2m_unlock(p2m); - - return rc; diff --git a/main/xen/xsa23-4.2-unstable.patch b/main/xen/xsa23-4.2-unstable.patch deleted file mode 100644 index be80a61680..0000000000 --- a/main/xen/xsa23-4.2-unstable.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -xen/mm/shadow: check toplevel pagetables are present before unhooking them. - -If the guest has not fully populated its top-level PAE entries when it calls -HVMOP_pagetable_dying, the shadow code could try to unhook entries from -MFN 0. Add a check to avoid that case. - -This issue was introduced by c/s 21239:b9d2db109cf5. - -This is a security problem, XSA-23 / CVE-2012-4538. - -Signed-off-by: Tim Deegan <tim@xen.org> -Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - -diff -r cc56c0394db7 xen/arch/x86/mm/shadow/multi.c ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c -@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc - unsigned long gfn; - mfn_t smfn, gmfn; - -- if ( fast_path ) -- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); -+ if ( fast_path ) { -+ if ( pagetable_is_null(v->arch.shadow_table[i]) ) -+ smfn = _mfn(INVALID_MFN); -+ else -+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); -+ } - else - { - /* retrieving the l2s */ diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch deleted file mode 100644 index e46f513a75..0000000000 --- a/main/xen/xsa24.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -compat/gnttab: Prevent infinite loop in compat code - -c/s 20281:95ea2052b41b, which introduces Grant Table version 2 -hypercalls introduces a vulnerability whereby the compat hypercall -handler can fall into an infinite loop. - -If the watchdog is enabled, Xen will die after the timeout. - -This is a security problem, XSA-24 / CVE-2012-4539. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> - -diff -r bac883cf805a xen/common/compat/grant_table.c ---- a/xen/common/compat/grant_table.c -+++ b/xen/common/compat/grant_table.c -@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c - #undef XLAT_gnttab_get_status_frames_HNDL_frame_list - if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) - rc = -EFAULT; -+ else -+ i = 1; - } - break; - } diff --git a/main/xen/xsa25-4.2.patch b/main/xen/xsa25-4.2.patch deleted file mode 100644 index 088d787e59..0000000000 --- a/main/xen/xsa25-4.2.patch +++ /dev/null 
@@ -1,365 +0,0 @@ -libxc: builder: limit maximum size of kernel/ramdisk. - -Allowing user supplied kernels of arbitrary sizes, especially during -decompression, can swallow up dom0 memory leading to either virtual -address space exhaustion in the builder process or allocation -failures/OOM killing of both toolstack and unrelated processes. - -We disable these checks when building in a stub domain for pvgrub -since this uses the guest's own memory and is isolated. - -Decompression of gzip compressed kernels and ramdisks has been safe -since 14954:58205257517d (Xen 3.1.0 onwards). - -This is XSA-25 / CVE-2012-4544. - -Also make explicit checks for buffer overflows in various -decompression routines. These were already ruled out due to other -properties of the code but check them as a belt-and-braces measure. - -Signed-off-by: Ian Campbell <ian.campbell@citrix.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> - -diff --git a/stubdom/grub/kexec.c b/stubdom/grub/kexec.c -index 06bef52..b21c91a 100644 ---- a/stubdom/grub/kexec.c -+++ b/stubdom/grub/kexec.c -@@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_size, void *module, long module_size, char - dom = xc_dom_allocate(xc_handle, cmdline, features); - dom->allocate = kexec_allocate; - -+ /* We are using guest owned memory, therefore no limits. 
*/ -+ xc_dom_kernel_max_size(dom, 0); -+ xc_dom_ramdisk_max_size(dom, 0); -+ - dom->kernel_blob = kernel; - dom->kernel_size = kernel_size; - -diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h -index 2aef64a..6a72aa9 100644 ---- a/tools/libxc/xc_dom.h -+++ b/tools/libxc/xc_dom.h -@@ -55,6 +55,9 @@ struct xc_dom_image { - void *ramdisk_blob; - size_t ramdisk_size; - -+ size_t max_kernel_size; -+ size_t max_ramdisk_size; -+ - /* arguments and parameters */ - char *cmdline; - uint32_t f_requested[XENFEAT_NR_SUBMAPS]; -@@ -180,6 +183,23 @@ void xc_dom_release_phys(struct xc_dom_image *dom); - void xc_dom_release(struct xc_dom_image *dom); - int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb); - -+/* Set this larger if you have enormous ramdisks/kernels. Note that -+ * you should trust all kernels not to be maliciously large (e.g. to -+ * exhaust all dom0 memory) if you do this (see CVE-2012-4544 / -+ * XSA-25). You can also set the default independently for -+ * ramdisks/kernels in xc_dom_allocate() or call -+ * xc_dom_{kernel,ramdisk}_max_size. 
-+ */ -+#ifndef XC_DOM_DECOMPRESS_MAX -+#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */ -+#endif -+ -+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz); -+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz); -+ -+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz); -+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz); -+ - size_t xc_dom_check_gzip(xc_interface *xch, - void *blob, size_t ziplen); - int xc_dom_do_gunzip(xc_interface *xch, -@@ -240,7 +260,8 @@ void xc_dom_log_memory_footprint(struct xc_dom_image *dom); - void *xc_dom_malloc(struct xc_dom_image *dom, size_t size); - void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size); - void *xc_dom_malloc_filemap(struct xc_dom_image *dom, -- const char *filename, size_t * size); -+ const char *filename, size_t * size, -+ const size_t max_size); - char *xc_dom_strdup(struct xc_dom_image *dom, const char *str); - - /* --- alloc memory pool ------------------------------------------- */ -diff --git a/tools/libxc/xc_dom_bzimageloader.c b/tools/libxc/xc_dom_bzimageloader.c -index 113d40f..b1b2eb0 100644 ---- a/tools/libxc/xc_dom_bzimageloader.c -+++ b/tools/libxc/xc_dom_bzimageloader.c -@@ -47,13 +47,19 @@ static int xc_try_bzip2_decode( - char *out_buf; - char *tmp_buf; - int retval = -1; -- int outsize; -+ unsigned int outsize; - uint64_t total; - - stream.bzalloc = NULL; - stream.bzfree = NULL; - stream.opaque = NULL; - -+ if ( dom->kernel_size == 0) -+ { -+ DOMPRINTF("BZIP2: Input is 0 size"); -+ return -1; -+ } -+ - ret = BZ2_bzDecompressInit(&stream, 0, 0); - if ( ret != BZ_OK ) - { -@@ -66,6 +72,17 @@ static int xc_try_bzip2_decode( - * the input buffer to start, and we'll realloc as needed. - */ - outsize = dom->kernel_size; -+ -+ /* -+ * stream.avail_in and outsize are unsigned int, while kernel_size -+ * is a size_t. Check we aren't overflowing. 
-+ */ -+ if ( outsize != dom->kernel_size ) -+ { -+ DOMPRINTF("BZIP2: Input too large"); -+ goto bzip2_cleanup; -+ } -+ - out_buf = malloc(outsize); - if ( out_buf == NULL ) - { -@@ -98,13 +115,20 @@ static int xc_try_bzip2_decode( - if ( stream.avail_out == 0 ) - { - /* Protect against output buffer overflow */ -- if ( outsize > INT_MAX / 2 ) -+ if ( outsize > UINT_MAX / 2 ) - { - DOMPRINTF("BZIP2: output buffer overflow"); - free(out_buf); - goto bzip2_cleanup; - } - -+ if ( xc_dom_kernel_check_size(dom, outsize * 2) ) -+ { -+ DOMPRINTF("BZIP2: output too large"); -+ free(out_buf); -+ goto bzip2_cleanup; -+ } -+ - tmp_buf = realloc(out_buf, outsize * 2); - if ( tmp_buf == NULL ) - { -@@ -172,9 +196,15 @@ static int _xc_try_lzma_decode( - unsigned char *out_buf; - unsigned char *tmp_buf; - int retval = -1; -- int outsize; -+ size_t outsize; - const char *msg; - -+ if ( dom->kernel_size == 0) -+ { -+ DOMPRINTF("%s: Input is 0 size", what); -+ return -1; -+ } -+ - /* sigh. We don't know up-front how much memory we are going to need - * for the output buffer. Allocate the output buffer to be equal - * the input buffer to start, and we'll realloc as needed. -@@ -244,13 +274,20 @@ static int _xc_try_lzma_decode( - if ( stream->avail_out == 0 ) - { - /* Protect against output buffer overflow */ -- if ( outsize > INT_MAX / 2 ) -+ if ( outsize > SIZE_MAX / 2 ) - { - DOMPRINTF("%s: output buffer overflow", what); - free(out_buf); - goto lzma_cleanup; - } - -+ if ( xc_dom_kernel_check_size(dom, outsize * 2) ) -+ { -+ DOMPRINTF("%s: output too large", what); -+ free(out_buf); -+ goto lzma_cleanup; -+ } -+ - tmp_buf = realloc(out_buf, outsize * 2); - if ( tmp_buf == NULL ) - { -@@ -359,6 +396,12 @@ static int xc_try_lzo1x_decode( - 0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a - }; - -+ /* -+ * lzo_uint should match size_t. Check that this is the case to be -+ * sure we won't overflow various lzo_uint fields. 
-+ */ -+ XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t)); -+ - ret = lzo_init(); - if ( ret != LZO_E_OK ) - { -@@ -438,6 +481,14 @@ static int xc_try_lzo1x_decode( - if ( src_len <= 0 || src_len > dst_len || src_len > left ) - break; - -+ msg = "Output buffer overflow"; -+ if ( *size > SIZE_MAX - dst_len ) -+ break; -+ -+ msg = "Decompressed image too large"; -+ if ( xc_dom_kernel_check_size(dom, *size + dst_len) ) -+ break; -+ - msg = "Failed to (re)alloc memory"; - tmp_buf = realloc(out_buf, *size + dst_len); - if ( tmp_buf == NULL ) -diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c -index fea9de5..2a01d7c 100644 ---- a/tools/libxc/xc_dom_core.c -+++ b/tools/libxc/xc_dom_core.c -@@ -159,7 +159,8 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size) - } - - void *xc_dom_malloc_filemap(struct xc_dom_image *dom, -- const char *filename, size_t * size) -+ const char *filename, size_t * size, -+ const size_t max_size) - { - struct xc_dom_mem *block = NULL; - int fd = -1; -@@ -171,6 +172,13 @@ void *xc_dom_malloc_filemap(struct xc_dom_image *dom, - lseek(fd, 0, SEEK_SET); - *size = lseek(fd, 0, SEEK_END); - -+ if ( max_size && *size > max_size ) -+ { -+ xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY, -+ "tried to map file which is too large"); -+ goto err; -+ } -+ - block = malloc(sizeof(*block)); - if ( block == NULL ) - goto err; -@@ -222,6 +230,40 @@ char *xc_dom_strdup(struct xc_dom_image *dom, const char *str) - } - - /* ------------------------------------------------------------------------ */ -+/* decompression buffer sizing */ -+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz) -+{ -+ /* No limit */ -+ if ( !dom->max_kernel_size ) -+ return 0; -+ -+ if ( sz > dom->max_kernel_size ) -+ { -+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, -+ "kernel image too large"); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz) -+{ -+ /* No limit */ -+ if ( 
!dom->max_ramdisk_size ) -+ return 0; -+ -+ if ( sz > dom->max_ramdisk_size ) -+ { -+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, -+ "ramdisk image too large"); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+/* ------------------------------------------------------------------------ */ - /* read files, copy memory blocks, with transparent gunzip */ - - size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) -@@ -235,7 +277,7 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) - - gzlen = blob + ziplen - 4; - unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0]; -- if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */ -+ if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) ) - { - xc_dom_printf - (xch, -@@ -288,6 +330,9 @@ int xc_dom_try_gunzip(struct xc_dom_image *dom, void **blob, size_t * size) - if ( unziplen == 0 ) - return 0; - -+ if ( xc_dom_kernel_check_size(dom, unziplen) ) -+ return 0; -+ - unzip = xc_dom_malloc(dom, unziplen); - if ( unzip == NULL ) - return -1; -@@ -588,6 +633,9 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch, - memset(dom, 0, sizeof(*dom)); - dom->xch = xch; - -+ dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX; -+ dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX; -+ - if ( cmdline ) - dom->cmdline = xc_dom_strdup(dom, cmdline); - if ( features ) -@@ -608,10 +656,25 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch, - return NULL; - } - -+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz) -+{ -+ DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz); -+ dom->max_kernel_size = sz; -+ return 0; -+} -+ -+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz) -+{ -+ DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz); -+ dom->max_ramdisk_size = sz; -+ return 0; -+} -+ - int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename) - { - DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename); -- dom->kernel_blob = 
xc_dom_malloc_filemap(dom, filename, &dom->kernel_size); -+ dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size, -+ dom->max_kernel_size); - if ( dom->kernel_blob == NULL ) - return -1; - return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); -@@ -621,7 +684,9 @@ int xc_dom_ramdisk_file(struct xc_dom_image *dom, const char *filename) - { - DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename); - dom->ramdisk_blob = -- xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size); -+ xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size, -+ dom->max_ramdisk_size); -+ - if ( dom->ramdisk_blob == NULL ) - return -1; - // return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size); -@@ -781,7 +846,11 @@ int xc_dom_build_image(struct xc_dom_image *dom) - void *ramdiskmap; - - unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size); -+ if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 ) -+ unziplen = 0; -+ - ramdisklen = unziplen ? unziplen : dom->ramdisk_size; -+ - if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0, - ramdisklen) != 0 ) - goto err; diff --git a/main/xen/xsa26-4.2.patch b/main/xen/xsa26-4.2.patch deleted file mode 100644 index 44b8f344eb..0000000000 --- a/main/xen/xsa26-4.2.patch +++ /dev/null 
@@ -1,105 +0,0 @@
-gnttab: fix releasing of memory upon switches between versions
-
-gnttab_unpopulate_status_frames() incompletely freed the pages
-previously used as status frame in that they did not get removed from
-the domain's xenpage_list, thus causing subsequent list corruption
-when those pages did get allocated again for the same or another purpose.
-
-Similarly, grant_table_create() and gnttab_grow_table() both improperly
-clean up in the event of an error - pages already shared with the guest
-can't be freed by just passing them to free_xenheap_page(). Fix this by
-sharing the pages only after all allocations succeeded.
-
-This is CVE-2012-5510 / XSA-26.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index c01ad00..6fb2be9 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-@@ -1173,12 +1173,13 @@ fault:
- }
- 
- static int
--gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
-+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
-+ unsigned int req_nr_frames)
- {
- unsigned i;
- unsigned req_status_frames;
- 
-- req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
-+ req_status_frames = grant_to_status_frames(req_nr_frames);
- for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
- {
- if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
-@@ -1209,7 +1210,12 @@ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
- 
- for ( i = 0; i < nr_status_frames(gt); i++ )
- {
-- page_set_owner(virt_to_page(gt->status[i]), dom_xen);
-+ struct page_info *pg = virt_to_page(gt->status[i]);
-+
-+ BUG_ON(page_get_owner(pg) != d);
-+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
-+ put_page(pg);
-+ BUG_ON(pg->count_info & ~PGC_xen_heap);
- free_xenheap_page(gt->status[i]);
- gt->status[i] = NULL;
- }
-@@ -1247,19 +1253,18 @@ 
gnttab_grow_table(struct domain *d, unsigned int req_nr_frames)
- clear_page(gt->shared_raw[i]);
- }
- 
-- /* Share the new shared frames with the recipient domain */
-- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
-- gnttab_create_shared_page(d, gt, i);
--
-- gt->nr_grant_frames = req_nr_frames;
--
- /* Status pages - version 2 */
- if (gt->gt_version > 1)
- {
-- if ( gnttab_populate_status_frames(d, gt) )
-+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
- goto shared_alloc_failed;
- }
- 
-+ /* Share the new shared frames with the recipient domain */
-+ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
-+ gnttab_create_shared_page(d, gt, i);
-+ gt->nr_grant_frames = req_nr_frames;
-+
- return 1;
- 
- shared_alloc_failed:
-@@ -2157,7 +2162,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gnttab_set_version_t uop))
- 
- if ( op.version == 2 && gt->gt_version < 2 )
- {
-- res = gnttab_populate_status_frames(d, gt);
-+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
- if ( res < 0)
- goto out_unlock;
- }
-@@ -2600,14 +2605,15 @@ grant_table_create(
- clear_page(t->shared_raw[i]);
- }
- 
-- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-- gnttab_create_shared_page(d, t, i);
--
- /* Status pages for grant table - for version 2 */
- t->status = xzalloc_array(grant_status_t *,
- grant_to_status_frames(max_nr_grant_frames));
- if ( t->status == NULL )
- goto no_mem_4;
-+
-+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-+ gnttab_create_shared_page(d, t, i);
-+
- t->nr_status_frames = 0;
- 
- /* Okay, install the structure. */
diff --git a/main/xen/xsa27-4.2.patch b/main/xen/xsa27-4.2.patch
deleted file mode 100644
index 62a8d76378..0000000000
--- a/main/xen/xsa27-4.2.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-hvm: Limit the size of large HVM op batches
-
-Doing large p2m updates for HVMOP_track_dirty_vram without preemption
-ties up the physical processor. Integrating preemption into the p2m
-updates is hard so simply limit to 1GB which is sufficient for a 15000
-* 15000 * 32bpp framebuffer.
-
-For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
-necessary machinery to handle preemption.
-
-This is CVE-2012-5511 / XSA-27.
-
-Signed-off-by: Tim Deegan <tim@xen.org>
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-v2: Provide definition of GB to fix x86-32 compile.
-
-Signed-off-by: Jan Beulich <JBeulich@suse.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-
-diff -r 7c4d806b3753 xen/arch/x86/hvm/hvm.c
---- a/xen/arch/x86/hvm/hvm.c Fri Nov 16 15:56:14 2012 +0000
-+++ b/xen/arch/x86/hvm/hvm.c Mon Nov 19 14:42:10 2012 +0000
-@@ -3969,6 +3969,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
- if ( !is_hvm_domain(d) )
- goto param_fail2;
- 
-+ if ( a.nr > GB(1) >> PAGE_SHIFT )
-+ goto param_fail2;
-+
- rc = xsm_hvm_param(d, op);
- if ( rc )
- goto param_fail2;
-@@ -3995,7 +3998,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
- {
- struct xen_hvm_modified_memory a;
- struct domain *d;
-- unsigned long pfn;
- 
- if ( copy_from_guest(&a, arg, 1) )
- return -EFAULT;
-@@ -4022,9 +4024,11 @@ long do_hvm_op(unsigned long op, XEN_GUE
- if ( !paging_mode_log_dirty(d) )
- goto param_fail3;
- 
-- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+ while ( a.nr > 0 )
- {
-+ unsigned long pfn = a.first_pfn;
- struct page_info *page;
-+
- page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE);
- if ( page )
- {
-@@ -4034,6 +4038,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
- sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0);
- put_page(page);
- }
-+
-+ a.first_pfn++;
-+ a.nr--;
-+
-+ /* Check for continuation if it's not the last interation */
-+ if ( a.nr > 0 && 
hypercall_preempt_check() )
-+ {
-+ if ( copy_to_guest(arg, &a, 1) )
-+ rc = -EFAULT;
-+ else
-+ rc = -EAGAIN;
-+ break;
-+ }
- }
- 
- param_fail3:
-@@ -4089,7 +4106,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
- {
- struct xen_hvm_set_mem_type a;
- struct domain *d;
-- unsigned long pfn;
- 
- /* Interface types to internal p2m types */
- p2m_type_t memtype[] = {
-@@ -4122,8 +4138,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
- if ( a.hvmmem_type >= ARRAY_SIZE(memtype) )
- goto param_fail4;
- 
-- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+ while ( a.nr )
- {
-+ unsigned long pfn = a.first_pfn;
- p2m_type_t t;
- p2m_type_t nt;
- mfn_t mfn;
-@@ -4163,6 +4180,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
- }
- }
- put_gfn(d, pfn);
-+
-+ a.first_pfn++;
-+ a.nr--;
-+
-+ /* Check for continuation if it's not the last interation */
-+ if ( a.nr > 0 && hypercall_preempt_check() )
-+ {
-+ if ( copy_to_guest(arg, &a, 1) )
-+ rc = -EFAULT;
-+ else
-+ rc = -EAGAIN;
-+ goto param_fail4;
-+ }
- }
- 
- rc = 0;
-diff -r 7c4d806b3753 xen/include/asm-x86/config.h
---- a/xen/include/asm-x86/config.h Fri Nov 16 15:56:14 2012 +0000
-+++ b/xen/include/asm-x86/config.h Mon Nov 19 14:42:10 2012 +0000
-@@ -119,6 +119,9 @@ extern char wakeup_start[];
- extern unsigned int video_mode, video_flags;
- extern unsigned short boot_edid_caps;
- extern unsigned char boot_edid_info[128];
-+
-+#define GB(_gb) (_gb ## UL << 30)
-+
- #endif
- 
- #define asmlinkage
-@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128]
- #define PML4_ADDR(_slot) \
- ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \
- (_slot ## UL << PML4_ENTRY_BITS))
--#define GB(_gb) (_gb ## UL << 30)
- #else
- #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS)
- #define PML4_ADDR(_slot) \
diff --git a/main/xen/xsa29-4.2-unstable.patch b/main/xen/xsa29-4.2-unstable.patch
deleted file mode 100644
index ec3111fab9..0000000000
--- a/main/xen/xsa29-4.2-unstable.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-xen: add missing guest address range checks to XENMEM_exchange handlers
-
-Ever since its existence (3.0.3 iirc) the handler for this has been
-using non address range checking guest memory accessors (i.e.
-the ones prefixed with two underscores) without first range
-checking the accessed space (via guest_handle_okay()), allowing
-a guest to access and overwrite hypervisor memory.
-
-This is XSA-29 / CVE-2012-5513.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
-index 996151c..a49f51b 100644
---- a/xen/common/compat/memory.c
-+++ b/xen/common/compat/memory.c
-@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
- (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
- return -EINVAL;
- 
-+ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
-+ cmp.xchg.in.nr_extents) ||
-+ !compat_handle_okay(cmp.xchg.out.extent_start,
-+ cmp.xchg.out.nr_extents) )
-+ return -EFAULT;
-+
- start_extent = cmp.xchg.nr_exchanged;
- end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
- (((1U << ABS(order_delta)) + 1) *
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 83e2666..bdb6ed8 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
- goto fail_early;
- }
- 
-+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
-+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
-+ {
-+ rc = -EFAULT;
-+ goto fail_early;
-+ }
-+
- /* Only privileged guests can allocate multi-page contiguous extents. */
- if ( !multipage_allocation_permitted(current->domain,
- exch.in.extent_order) ||
diff --git a/main/xen/xsa30-4.2.patch b/main/xen/xsa30-4.2.patch
deleted file mode 100644
index c46571dadb..0000000000
--- a/main/xen/xsa30-4.2.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-xen: fix error handling of guest_physmap_mark_populate_on_demand()
-
-The only user of the "out" label bypasses a necessary unlock, thus
-enabling the caller to lock up Xen.
-
-Also, the function was never meant to be called by a guest for itself,
-so rather than inspecting the code paths in depth for potential other
-problems this might cause, and adjusting e.g. the non-guest printk()
-in the above error path, just disallow the guest access to it.
-
-Finally, the printk() (considering its potential of spamming the log,
-the more that it's not using XENLOG_GUEST), is being converted to
-P2M_DEBUG(), as debugging is what it apparently was added for in the
-first place.
-
-This is XSA-30 / CVE-2012-5514.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff -r 7c4d806b3753 xen/arch/x86/mm/p2m-pod.c
---- a/xen/arch/x86/mm/p2m-pod.c Fri Nov 16 15:56:14 2012 +0000
-+++ b/xen/arch/x86/mm/p2m-pod.c Thu Nov 22 17:02:32 2012 +0000
-@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
- mfn_t omfn;
- int rc = 0;
- 
-+ if ( !IS_PRIV_FOR(current->domain, d) )
-+ return -EPERM;
-+
- if ( !paging_mode_translate(d) )
- return -EINVAL;
- 
-@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
- omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
- if ( p2m_is_ram(ot) )
- {
-- printk("%s: gfn_to_mfn returned type %d!\n",
-- __func__, ot);
-+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
- rc = -EBUSY;
- goto out;
- }
-@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
- pod_unlock(p2m);
- }
- 
-+out:
- gfn_unlock(p2m, gfn, order);
- 
--out:
- return rc;
- }
- 
diff --git a/main/xen/xsa31-4.2-unstable.patch b/main/xen/xsa31-4.2-unstable.patch
deleted file mode 100644
index 2229c4c37a..0000000000
--- a/main/xen/xsa31-4.2-unstable.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-memop: limit guest specified extent order
-
-Allowing unbounded order values here causes almost unbounded loops
-and/or partially incomplete requests, particularly in PoD code.
-
-The added range checks in populate_physmap(), decrease_reservation(),
-and the "in" one in memory_exchange() architecturally all could use
-PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
-MAX_ORDER.
-
-This is XSA-31 / CVE-2012-5515.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 83e2666..2e56d46 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -115,7 +115,8 @@ static void populate_physmap(struct memop_args *a)
- 
- if ( a->memflags & MEMF_populate_on_demand )
- {
-- if ( guest_physmap_mark_populate_on_demand(d, gpfn,
-+ if ( a->extent_order > MAX_ORDER ||
-+ guest_physmap_mark_populate_on_demand(d, gpfn,
- a->extent_order) < 0 )
- goto out;
- }
-@@ -235,7 +236,8 @@ static void decrease_reservation(struct memop_args *a)
- xen_pfn_t gmfn;
- 
- if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
-- a->nr_extents-1) )
-+ a->nr_extents-1) ||
-+ a->extent_order > MAX_ORDER )
- return;
- 
- for ( i = a->nr_done; i < a->nr_extents; i++ )
-@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
- if ( (exch.nr_exchanged > exch.in.nr_extents) ||
- /* Input and output domain identifiers match? */
- (exch.in.domid != exch.out.domid) ||
-+ /* Extent orders are sensible? */
-+ (exch.in.extent_order > MAX_ORDER) ||
-+ (exch.out.extent_order > MAX_ORDER) ||
- /* Sizes of input and output lists do not overflow a long? */
- ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
- ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
diff --git a/main/xen/xsa32-4.2.patch b/main/xen/xsa32-4.2.patch
deleted file mode 100644
index 98006097b2..0000000000
--- a/main/xen/xsa32-4.2.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-x86: get_page_from_gfn() must return NULL for invalid GFNs
-
-... also in the non-translated case.
-
-This is XSA-32 / CVE-2012-xxxx.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Tim Deegan <tim@xen.org>
-
-diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
-index 7a7c7eb..d5665b8 100644
---- a/xen/include/asm-x86/p2m.h
-+++ b/xen/include/asm-x86/p2m.h
-@@ -400,7 +400,7 @@ static inline struct page_info *get_page_from_gfn(
- if (t)
- *t = p2m_ram_rw;
- page = __mfn_to_page(gfn);
-- return get_page(page, d) ? page : NULL;
-+ return mfn_valid(gfn) && get_page(page, d) ? page : NULL;
- }
- 
- |