1 files changed, 73 insertions, 0 deletions

diff --git a/main/xen/xsa38.patch b/main/xen/xsa38.patch
new file mode 100644
index 0000000000..f4a5dc0881
--- /dev/null
+++ b/main/xen/xsa38.patch
@@ -0,0 +1,73 @@
+diff --git a/tools/ocaml/libs/xb/partial.ml b/tools/ocaml/libs/xb/partial.ml
+index 3558889..d4d1c7b 100644
+--- a/tools/ocaml/libs/xb/partial.ml
++++ b/tools/ocaml/libs/xb/partial.ml
+@@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size"
+ external header_of_string_internal: string -> int * int * int * int
+          = "stub_header_of_string"
+ 
++let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
++
+ let of_string s =
+ 	let tid, rid, opint, dlen = header_of_string_internal s in
++	(* A packet which is bigger than xenstore_payload_max is illegal.
++	   This will leave the guest connection is a bad state and will
++	   be hard to recover from without restarting the connection
++	   (ie rebooting the guest) *)
++	let dlen = min xenstore_payload_max dlen in
+ 	{
+ 		tid = tid;
+ 		rid = rid;
+@@ -38,6 +45,7 @@ let of_string s =
+ 	}
+ 
+ let append pkt s sz =
++	if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer";
+ 	Buffer.add_string pkt.buf (String.sub s 0 sz)
+ 
+ let to_complete pkt =
+diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
+index 00414c5..4888ac5 100644
+--- a/tools/ocaml/libs/xb/xs_ring_stubs.c
++++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
+@@ -39,21 +39,23 @@ static int xs_ring_read(struct mmap_interface *interface,
+                              char *buffer, int len)
+ {
+ 	struct xenstore_domain_interface *intf = interface->addr;
+-	XENSTORE_RING_IDX cons, prod;
++	XENSTORE_RING_IDX cons, prod; /* offsets only */
+ 	int to_read;
+ 
+-	cons = intf->req_cons;
+-	prod = intf->req_prod;
++	cons = *(volatile uint32*)&intf->req_cons;
++	prod = *(volatile uint32*)&intf->req_prod;
+ 	xen_mb();
++	cons = MASK_XENSTORE_IDX(cons);
++	prod = MASK_XENSTORE_IDX(prod);
+ 	if (prod == cons)
+ 		return 0;
+-	if (MASK_XENSTORE_IDX(prod) > MASK_XENSTORE_IDX(cons)) 
++	if (prod > cons)
+ 		to_read = prod - cons;
+ 	else
+-		to_read = XENSTORE_RING_SIZE - MASK_XENSTORE_IDX(cons);
++		to_read = XENSTORE_RING_SIZE - cons;
+ 	if (to_read < len)
+ 		len = to_read;
+-	memcpy(buffer, intf->req + MASK_XENSTORE_IDX(cons), len);
++	memcpy(buffer, intf->req + cons, len);
+ 	xen_mb();
+ 	intf->req_cons += len;
+ 	return len;
+@@ -66,8 +68,8 @@ static int xs_ring_write(struct mmap_interface *interface,
+ 	XENSTORE_RING_IDX cons, prod;
+ 	int can_write;
+ 
+-	cons = intf->rsp_cons;
+-	prod = intf->rsp_prod;
++	cons = *(volatile uint32*)&intf->rsp_cons;
++	prod = *(volatile uint32*)&intf->rsp_prod;
+ 	xen_mb();
+ 	if ( (prod - cons) >= XENSTORE_RING_SIZE )
+ 		return 0;