diff options
Diffstat (limited to 'main/xen')
-rw-r--r-- | main/xen/APKBUILD | 48 | ||||
-rw-r--r-- | main/xen/xsa48-4.2.patch | 114 | ||||
-rw-r--r-- | main/xen/xsa62.patch | 46 | ||||
-rw-r--r-- | main/xen/xsa63.patch | 171 | ||||
-rw-r--r-- | main/xen/xsa64.patch | 55 | ||||
-rw-r--r-- | main/xen/xsa66.patch | 23 | ||||
-rw-r--r-- | main/xen/xsa67.patch | 37 | ||||
-rw-r--r-- | main/xen/xsa68.patch | 69 | ||||
-rw-r--r-- | main/xen/xsa70.patch | 34 | ||||
-rw-r--r-- | main/xen/xsa71.patch | 43 |
10 files changed, 6 insertions, 634 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index c841c9f10a..d36413aeb6 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Maintainer: William Pitcock <nenolod@dereferenced.org> pkgname=xen -pkgver=4.3.0 -pkgrel=8 +pkgver=4.3.1 +pkgrel=0 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64" @@ -23,16 +23,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g xsa41.patch xsa41b.patch xsa41c.patch - xsa48-4.2.patch - - xsa62.patch - xsa63.patch - xsa64.patch - xsa66.patch - xsa67.patch - xsa68.patch - xsa70.patch - xsa71.patch + xsa73-4_3-unstable.patch fix-pod2man-choking.patch @@ -194,22 +185,13 @@ xend() { -exec mv '{}' "$subpkgdir"/"$sitepackages"/xen \; } -md5sums="7b18cfb58f1ac2ce39cf35a1867f0c0a xen-4.3.0.tar.gz +md5sums="7616b8704e1ab89c81f011f0e3703bc8 xen-4.3.1.tar.gz 2dc5ddf47c53ea168729975046c3c1f9 librt.patch 1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch 6dcff640268d514fa9164b4c812cc52d docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch 8ad8942000b8a4be4917599cad9209cf xsa41.patch ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch 2f3dd7bdc59d104370066d6582725575 xsa41c.patch -b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch -01fc0d30d3f5293df65976ec6a4565b2 xsa62.patch -099d02d873a36b8484572281dfa72df0 xsa63.patch -8a27a23cf83dead783b7a8f028ce436d xsa64.patch -b2345060369f7749a1737f3927c42c24 xsa66.patch -879f68ccff2e3d9ca1300cd250066465 xsa67.patch -f5ab90fba31fedc023035ae2a91e5524 xsa68.patch -8367e07fe00c3d2e7658e1eb21cf4740 xsa70.patch -29e7e593373bfc1390aa251da6bd834d xsa71.patch 5005efdb8bf44ccc2ce869611b507c83 xsa73-4_3-unstable.patch 4c5455d1adc09752a835e241097fbc39 fix-pod2man-choking.patch a4097e06a7e000ed00f4607db014d277 qemu-xen-websocket.patch @@ -230,22 +212,13 @@ fa8c72b42e0479d521a353386d8543ef xendomains.initd 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate 6a2f777c16678d84039acf670d86fff6 xenqemu.confd f9afbf39e2b5a7d9dde60ebbd249ea7d xenqemu.initd" -sha256sums="e1e9faabe4886e2227aacdbde74410653b233d66642ca1972a860cbec6439961 xen-4.3.0.tar.gz +sha256sums="3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd xen-4.3.1.tar.gz 12bf32f9937b09283f2df4955b50d6739768f66137a7d991f661f45cf77cb53b librt.patch 9440ca31a6911201f02694e93faafb5ca9b17de18b7f15b53ceac39a03411b4a qemu-xen_paths.patch a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch 93452beba88a8da8e89b8bfa743074a358ba1d9052151c608e21c4d62f8c4867 xsa41.patch 896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch 683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch -dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch -364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856 xsa62.patch -32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005 xsa63.patch -061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47 xsa64.patch -3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4 xsa66.patch -7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028 xsa67.patch -64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32 xsa68.patch -2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56 xsa70.patch -3785784d9c27c0ec1be6808e5169fe72e6873d963173901f1b287360cf8edd9d xsa71.patch 48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b xsa73-4_3-unstable.patch fcb5b9ff0bc4b4d39fed9b88891491b91628aa449914cfea321abe5da24c1da2 fix-pod2man-choking.patch e9f6c482fc449e0b540657a8988ad31f2e680b8933e50e6486687a52f6a9ed04 qemu-xen-websocket.patch @@ -266,22 +239,13 @@ a50a4485e84bcc098ad021556cd2aa7947c228f0a546ab942e880787ced57be3 xend.initd 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd bf17808a79c57a9efc38b9f14cc87f556b2bb7ecfdec5763d9cf686255a47fce xenqemu.initd" -sha512sums="e6b8f64e15e48704ea5cee5585cd6151fe6a5a62bc4670caf0b762c1aa71c9598db236c637ac34c42c92c6e8a5001acdd3d9d4b9305401a26273279358f481d6 xen-4.3.0.tar.gz +sha512sums="f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf37835528aca33a0f9e04c82d5f8c4ba79c03a1780d2b72cbb90cc26f77275 xen-4.3.1.tar.gz 74e3cfc51e367fc445cb3d8149f0c8830e94719a266daf04d2cd0889864591860c4c8842de2bc78070e4c5be7d14dfbb8b236c511d5faeddc2ad97177c1d3764 librt.patch 425149aea57a6deae9f488cea867f125983998dc6e8c63893fb3b9caf0ea34214251dd98ad74db823f5168631c44c49b988b6fe9c11b76bd493ddf51bc0baaa2 qemu-xen_paths.patch 477d3d08bd4fcdfbc54abea1a18acb6a41d298c366cd01c954f474515cb862d0dd59217c0dfca5460a725a8bc036de42132f522c3eefdffcc4fd511f016b783f docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch 94672a4d37db4e370370157cac9507ee1a75832f4be779fba148c1faa0b18f26ed57126eee6256ccd5d218463325a730266b53139554f4865adedb7659154c16 xsa41.patch bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch 36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch -31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch -4738a229a6f18d670da07b3acbaf6e227af5fb3e7b0b414dc98671be02208aefc66ebe07f7396d9158d0fa15993b9d418fd65747880c64694b1a06b8be961419 xsa62.patch -f972de0910dff2109fc18911eeaf789963ec457d2a21029abc9615088d2c8446028effec6c1c01e080ae3479e704175e19040c09053c8ad60c0b38c7d2ec3859 xsa63.patch -2e9283c56f7e336f82d26a6346af91e520375f7084a6f07ad254e52781ac7e96cbb09ee48adfbf2c6c46d5516c56343612011f939f6a40ebef41e1925a9c6ed7 xsa64.patch -5abc6cb7685a9053e67c1646c6d9e06c25da6d6c7004e63e346e7b082270e1319fcc8a194a8db4e9c9cb903fe5dc29ae17169cda6fea94913fa9e0ff5aa9b451 xsa66.patch -959e4760210ceb480da53c709fcdeed4bd9cec27eefbcdb7dfcf6d764184e5ecf4c225f817d8a46ff0bb74baa8d14d90c9ce39bb51c9a781cbc524227b02e153 xsa67.patch -bd1deab154e129fc63dcc51ce5c4d004f5fe044443755a0b8943d8b6087f2ef7cbfd76f2390d36f7b4ad1797ef28abbb23157401468e1bf33ecc7a17aff9e8a4 xsa68.patch -107335f8e4ffddb9cab9e21dfdf745dea0e4d078c71ee59671942291c189dd0e998a9d480fa91ae439e6410591c9fb06491ca8e810006e22640bf0dc9cf5da81 xsa70.patch -da71e6d60c2663d571686063cb427ba04e5d56422d945ffd3f14be1dc72df61af78f1b63dc9e248bcfb0cdaaca03a227b4145cdd2af1ec7cdf9a2655c5b006b8 xsa71.patch 8eb555bc589bc4848f640dd93bdfaf0d0a61667e26667ff2ff89ab60c8c5a777982647e8c440be7510620281bac8d9bb3281afcae36e974f09bd70184ba6ba9a xsa73-4_3-unstable.patch 2e95ad43bb66f928fe1e8caf474a3211571f75f79ea32aaa3eddb3aed9963444bd131006b67e682395af0d79118b2634bf808404693b813a94662d2a9d665ac2 fix-pod2man-choking.patch 45f1da45f3ff937d0a626e37c130d76f5b97f49a57ddeb11ef2a8e850c04c32c819a3dfcef501eb3784db5fe7b39c88230063e56aa6e5197fd9c7b7d424fff77 qemu-xen-websocket.patch diff --git a/main/xen/xsa48-4.2.patch b/main/xen/xsa48-4.2.patch deleted file mode 100644 index 998dbcb1d5..0000000000 --- a/main/xen/xsa48-4.2.patch +++ /dev/null @@ -1,114 +0,0 @@ -Add -f FMT / --format FMT arg to qemu-nbd - -From: "Daniel P. Berrange" <berrange@redhat.com> - -Currently the qemu-nbd program will auto-detect the format of -any disk it is given. This behaviour is known to be insecure. -For example, if qemu-nbd initially exposes a 'raw' file to an -unprivileged app, and that app runs - - 'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0' - -then the next time the app is started, the qemu-nbd will now -detect it as a 'qcow2' file and expose /etc/shadow to the -unprivileged app. - -The only way to avoid this is to explicitly tell qemu-nbd what -disk format to use on the command line, completely disabling -auto-detection. This patch adds a '-f' / '--format' arg for -this purpose, mirroring what is already available via qemu-img -and qemu commands. - - qemu-nbd --format raw -p 9000 evil.img - -will now always use raw, regardless of what format 'evil.img' -looks like it contains - -Signed-off-by: Daniel P. Berrange <berrange@redhat.com> -[Use errx, not err. - Paolo] -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> - -[ This is a security issue, CVE-2013-1922 / XSA-48. ] - -diff --git a/qemu-nbd.c b/qemu-nbd.c -index 291cba2..8fbe2cf 100644 ---- a/tools/qemu-xen/qemu-nbd.c -+++ b/tools/qemu-xen/qemu-nbd.c -@@ -247,6 +247,7 @@ out: - int main(int argc, char **argv) - { - BlockDriverState *bs; -+ BlockDriver *drv; - off_t dev_offset = 0; - off_t offset = 0; - uint32_t nbdflags = 0; -@@ -256,7 +257,7 @@ int main(int argc, char **argv) - struct sockaddr_in addr; - socklen_t addr_len = sizeof(addr); - off_t fd_size; -- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t"; -+ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t"; - struct option lopt[] = { - { "help", 0, NULL, 'h' }, - { "version", 0, NULL, 'V' }, -@@ -271,6 +272,7 @@ int main(int argc, char **argv) - { "snapshot", 0, NULL, 's' }, - { "nocache", 0, NULL, 'n' }, - { "shared", 1, NULL, 'e' }, -+ { "format", 1, NULL, 'f' }, - { "persistent", 0, NULL, 't' }, - { "verbose", 0, NULL, 'v' }, - { NULL, 0, NULL, 0 } -@@ -292,6 +294,7 @@ int main(int argc, char **argv) - int max_fd; - int persistent = 0; - pthread_t client_thread; -+ const char *fmt = NULL; - - /* The client thread uses SIGTERM to interrupt the server. A signal - * handler ensures that "qemu-nbd -v -c" exits with a nice status code. -@@ -368,6 +371,9 @@ int main(int argc, char **argv) - errx(EXIT_FAILURE, "Shared device number must be greater than 0\n"); - } - break; -+ case 'f': -+ fmt = optarg; -+ break; - case 't': - persistent = 1; - break; -@@ -478,9 +484,19 @@ int main(int argc, char **argv) - bdrv_init(); - atexit(bdrv_close_all); - -+ if (fmt) { -+ drv = bdrv_find_format(fmt); -+ if (!drv) { -+ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt); -+ } -+ } else { -+ drv = NULL; -+ } -+ - bs = bdrv_new("hda"); - srcpath = argv[optind]; -- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) { -+ ret = bdrv_open(bs, srcpath, flags, drv); -+ if (ret < 0) { - errno = -ret; - err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]); - } -diff --git a/qemu-nbd.texi b/qemu-nbd.texi -index 44996cc..f56c68e 100644 ---- a/tools/qemu-xen/qemu-nbd.texi -+++ b/tools/qemu-xen/qemu-nbd.texi -@@ -36,6 +36,8 @@ Export Qemu disk image using NBD protocol. - disconnect the specified device - @item -e, --shared=@var{num} - device can be shared by @var{num} clients (default @samp{1}) -+@item -f, --format=@var{fmt} -+ force block driver for format @var{fmt} instead of auto-detecting - @item -t, --persistent - don't exit on the last connection - @item -v, --verbose diff --git a/main/xen/xsa62.patch b/main/xen/xsa62.patch deleted file mode 100644 index 3bb432762a..0000000000 --- a/main/xen/xsa62.patch +++ /dev/null @@ -1,46 +0,0 @@ -x86/xsave: initialize extended register state when guests enable it - -Till now, when setting previously unset bits in XCR0 we wouldn't touch -the active register state, thus leaving in the newly enabled registers -whatever a prior user of it left there, i.e. potentially leaking -information between guests. - -This is CVE-2013-1442 / XSA-62. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/xstate.c -+++ b/xen/arch/x86/xstate.c -@@ -307,6 +307,7 @@ int validate_xstate(u64 xcr0, u64 xcr0_a - int handle_xsetbv(u32 index, u64 new_bv) - { - struct vcpu *curr = current; -+ u64 mask; - - if ( index != XCR_XFEATURE_ENABLED_MASK ) - return -EOPNOTSUPP; -@@ -320,9 +321,23 @@ int handle_xsetbv(u32 index, u64 new_bv) - if ( !set_xcr0(new_bv) ) - return -EFAULT; - -+ mask = new_bv & ~curr->arch.xcr0_accum; - curr->arch.xcr0 = new_bv; - curr->arch.xcr0_accum |= new_bv; - -+ mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY; -+ if ( mask ) -+ { -+ unsigned long cr0 = read_cr0(); -+ -+ clts(); -+ if ( curr->fpu_dirtied ) -+ asm ( "stmxcsr %0" : "=m" (curr->arch.xsave_area->fpu_sse.mxcsr) ); -+ xrstor(curr, mask); -+ if ( cr0 & X86_CR0_TS ) -+ write_cr0(cr0); -+ } -+ - return 0; - } - diff --git a/main/xen/xsa63.patch b/main/xen/xsa63.patch deleted file mode 100644 index 5134650e2f..0000000000 --- a/main/xen/xsa63.patch +++ /dev/null @@ -1,171 +0,0 @@ -x86: properly handle hvm_copy_from_guest_{phys,virt}() errors - -Ignoring them generally implies using uninitialized data and, in all -cases dealt with here, potentially leaking hypervisor stack contents to -guests. - -This is XSA-63. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tim Deegan <tim@xen.org> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -2308,11 +2308,7 @@ void hvm_task_switch( - - rc = hvm_copy_from_guest_virt( - &tss, prev_tr.base, sizeof(tss), PFEC_page_present); -- if ( rc == HVMCOPY_bad_gva_to_gfn ) -- goto out; -- if ( rc == HVMCOPY_gfn_paged_out ) -- goto out; -- if ( rc == HVMCOPY_gfn_shared ) -+ if ( rc != HVMCOPY_okay ) - goto out; - - eflags = regs->eflags; -@@ -2357,13 +2353,11 @@ void hvm_task_switch( - - rc = hvm_copy_from_guest_virt( - &tss, tr.base, sizeof(tss), PFEC_page_present); -- if ( rc == HVMCOPY_bad_gva_to_gfn ) -- goto out; -- if ( rc == HVMCOPY_gfn_paged_out ) -- goto out; -- /* Note: this could be optimised, if the callee functions knew we want RO -- * access */ -- if ( rc == HVMCOPY_gfn_shared ) -+ /* -+ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee -+ * functions knew we want RO access. -+ */ -+ if ( rc != HVMCOPY_okay ) - goto out; - - ---- a/xen/arch/x86/hvm/intercept.c -+++ b/xen/arch/x86/hvm/intercept.c -@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu * - { - for ( i = 0; i < p->count; i++ ) - { -- int ret; -- -- ret = hvm_copy_from_guest_phys(&data, -- p->data + (sign * i * p->size), -- p->size); -- if ( (ret == HVMCOPY_gfn_paged_out) || -- (ret == HVMCOPY_gfn_shared) ) -+ switch ( hvm_copy_from_guest_phys(&data, -+ p->data + sign * i * p->size, -+ p->size) ) - { -+ case HVMCOPY_okay: -+ break; -+ case HVMCOPY_gfn_paged_out: -+ case HVMCOPY_gfn_shared: - rc = X86EMUL_RETRY; - break; -+ case HVMCOPY_bad_gfn_to_mfn: -+ data = ~0; -+ break; -+ case HVMCOPY_bad_gva_to_gfn: -+ ASSERT(0); -+ /* fall through */ -+ default: -+ rc = X86EMUL_UNHANDLEABLE; -+ break; - } -+ if ( rc != X86EMUL_OKAY ) -+ break; - rc = write_handler(v, p->addr + (sign * i * p->size), p->size, - data); - if ( rc != X86EMUL_OKAY ) -@@ -165,8 +176,28 @@ static int process_portio_intercept(port - for ( i = 0; i < p->count; i++ ) - { - data = 0; -- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size, -- p->size); -+ switch ( hvm_copy_from_guest_phys(&data, -+ p->data + sign * i * p->size, -+ p->size) ) -+ { -+ case HVMCOPY_okay: -+ break; -+ case HVMCOPY_gfn_paged_out: -+ case HVMCOPY_gfn_shared: -+ rc = X86EMUL_RETRY; -+ break; -+ case HVMCOPY_bad_gfn_to_mfn: -+ data = ~0; -+ break; -+ case HVMCOPY_bad_gva_to_gfn: -+ ASSERT(0); -+ /* fall through */ -+ default: -+ rc = X86EMUL_UNHANDLEABLE; -+ break; -+ } -+ if ( rc != X86EMUL_OKAY ) -+ break; - rc = action(IOREQ_WRITE, p->addr, p->size, &data); - if ( rc != X86EMUL_OKAY ) - break; ---- a/xen/arch/x86/hvm/io.c -+++ b/xen/arch/x86/hvm/io.c -@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp - data = p->data; - if ( p->data_is_ptr ) - { -- int ret; -- -- ret = hvm_copy_from_guest_phys(&data, -- p->data + (sign * i * p->size), -- p->size); -- if ( (ret == HVMCOPY_gfn_paged_out) && -- (ret == HVMCOPY_gfn_shared) ) -+ switch ( hvm_copy_from_guest_phys(&data, -+ p->data + sign * i * p->size, -+ p->size) ) -+ { -+ case HVMCOPY_okay: -+ break; -+ case HVMCOPY_gfn_paged_out: -+ case HVMCOPY_gfn_shared: - return X86EMUL_RETRY; -+ case HVMCOPY_bad_gfn_to_mfn: -+ data = ~0; -+ break; -+ case HVMCOPY_bad_gva_to_gfn: -+ ASSERT(0); -+ /* fall through */ -+ default: -+ return X86EMUL_UNHANDLEABLE; -+ } - } - - switch ( p->size ) ---- a/xen/arch/x86/hvm/vmx/realmode.c -+++ b/xen/arch/x86/hvm/vmx/realmode.c -@@ -39,7 +39,9 @@ static void realmode_deliver_exception( - - again: - last_byte = (vector * 4) + 3; -- if ( idtr->limit < last_byte ) -+ if ( idtr->limit < last_byte || -+ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) != -+ HVMCOPY_okay ) - { - /* Software interrupt? */ - if ( insn_len != 0 ) -@@ -64,8 +66,6 @@ static void realmode_deliver_exception( - } - } - -- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4); -- - frame[0] = regs->eip + insn_len; - frame[1] = csr->sel; - frame[2] = regs->eflags & ~X86_EFLAGS_RF; diff --git a/main/xen/xsa64.patch b/main/xen/xsa64.patch deleted file mode 100644 index f2c1117fdd..0000000000 --- a/main/xen/xsa64.patch +++ /dev/null @@ -1,55 +0,0 @@ -commit 95a0770282ea2a03f7bc48c6656d5fc79bae0599 -Author: Tim Deegan <tim@xen.org> -Date: Thu Sep 12 14:16:28 2013 +0100 - - x86/mm/shadow: Fix initialization of PV shadow L4 tables. - - Shadowed PV L4 tables must have the same Xen mappings as their - unshadowed equivalent. This is done by copying the Xen entries - verbatim from the idle pagetable, and then using guest_l4_slot() - in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries. - - adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb) - changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to - the top of the address space, which causes the shadow code to - copy Xen mappings into guest-kernel-address slots too. - - In the common case, all those slots are zero in the idle pagetable, - and no harm is done. But if any slot above #271 is non-zero, Xen will - crash when that slot is later cleared (it attempts to drop - shadow-pagetable refcounts on its own L4 pagetables). - - Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate. - Monitor pagetables need the full Xen mappings, so they keep using the - old name (with its new semantics). - - This is XSA-64. - - Signed-off-by: Tim Deegan <tim@xen.org> - Reviewed-by: Jan Beulich <jbeulich@suse.com> - -diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c -index 4c4c2ba..3fed0b6 100644 ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c -@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t gl4mfn, mfn_t sl4mfn) - { - struct domain *d = v->domain; - shadow_l4e_t *sl4e; -+ unsigned int slots; - - sl4e = sh_map_domain_page(sl4mfn); - ASSERT(sl4e != NULL); - ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t)); - - /* Copy the common Xen mappings from the idle domain */ -+ slots = (shadow_mode_external(d) -+ ? ROOT_PAGETABLE_XEN_SLOTS -+ : ROOT_PAGETABLE_PV_XEN_SLOTS); - memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT], - &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT], -- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t)); -+ slots * sizeof(l4_pgentry_t)); - - /* Install the per-domain mappings for this domain */ - sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] = diff --git a/main/xen/xsa66.patch b/main/xen/xsa66.patch deleted file mode 100644 index 1d9f25abae..0000000000 --- a/main/xen/xsa66.patch +++ /dev/null @@ -1,23 +0,0 @@ -x86: properly set up fbld emulation operand address - -This is CVE-2013-4361 / XSA-66. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -3156,11 +3156,11 @@ x86_emulate( - break; - case 4: /* fbld m80dec */ - ea.bytes = 10; -- dst = ea; -+ src = ea; - if ( (rc = ops->read(src.mem.seg, src.mem.off, - &src.val, src.bytes, ctxt)) != 0 ) - goto done; -- emulate_fpu_insn_memdst("fbld", src.val); -+ emulate_fpu_insn_memsrc("fbld", src.val); - break; - case 5: /* fild m64i */ - ea.bytes = 8; diff --git a/main/xen/xsa67.patch b/main/xen/xsa67.patch deleted file mode 100644 index d81a0e18a9..0000000000 --- a/main/xen/xsa67.patch +++ /dev/null @@ -1,37 +0,0 @@ -x86: check segment descriptor read result in 64-bit OUTS emulation - -When emulating such an operation from a 64-bit context (CS has long -mode set), and the data segment is overridden to FS/GS, the result of -reading the overridden segment's descriptor (read_descriptor) is not -checked. If it fails, data_base is left uninitialized. - -This can lead to 8 bytes of Xen's stack being leaked to the guest -(implicitly, i.e. via the address given in a #PF). - -Coverity-ID: 1055116 - -This is CVE-2013-4368 / XSA-67. - -Signed-off-by: Matthew Daley <mattjd@gmail.com> - -Fix formatting. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> - ---- a/xen/arch/x86/traps.c -+++ b/xen/arch/x86/traps.c -@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct - break; - } - } -- else -- read_descriptor(data_sel, v, regs, -- &data_base, &data_limit, &ar, -- 0); -+ else if ( !read_descriptor(data_sel, v, regs, -+ &data_base, &data_limit, &ar, 0) || -+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) ) -+ goto fail; - data_limit = ~0UL; - ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; - } diff --git a/main/xen/xsa68.patch b/main/xen/xsa68.patch deleted file mode 100644 index cad655be25..0000000000 --- a/main/xen/xsa68.patch +++ /dev/null @@ -1,69 +0,0 @@ -libxl: fix vif rate parsing - -strtok can return NULL here. We don't need to use strtok anyway, so just -use a simple strchr method. - -Coverity-ID: 1055642 - -This is CVE-2013-4369 / XSA-68 - -Signed-off-by: Matthew Daley <mattjd@gmail.com> - -Fix type. Add test case - -Signed-off-by: Ian Campbell <Ian.campbell@citrix.com> - -diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse -index 0473182..02c6dba 100755 ---- a/tools/libxl/check-xl-vif-parse -+++ b/tools/libxl/check-xl-vif-parse -@@ -206,4 +206,8 @@ expected </dev/null - one $e rate=4294967295GB/s@5us - one $e rate=4296MB/s@4294s - -+# test include of single '@' -+expected </dev/null -+one $e rate=@ -+ - complete -diff --git a/tools/libxl/libxlu_vif.c b/tools/libxl/libxlu_vif.c -index 3b3de0f..0665e62 100644 ---- a/tools/libxl/libxlu_vif.c -+++ b/tools/libxl/libxlu_vif.c -@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, const char *rate, libxl_device_nic *nic) - uint64_t bytes_per_sec = 0; - uint64_t bytes_per_interval = 0; - uint32_t interval_usecs = 50000UL; /* Default to 50ms */ -- char *ratetok, *tmprate; -+ char *p, *tmprate; - int rc = 0; - - tmprate = strdup(rate); -+ if (tmprate == NULL) { -+ rc = ENOMEM; -+ goto out; -+ } -+ -+ p = strchr(tmprate, '@'); -+ if (p != NULL) -+ *p++ = 0; -+ - if (!strcmp(tmprate,"")) { - xlu__vif_err(cfg, "no rate specified", rate); - rc = EINVAL; - goto out; - } - -- ratetok = strtok(tmprate, "@"); -- rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec); -+ rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec); - if (rc) goto out; - -- ratetok = strtok(NULL, "@"); -- if (ratetok != NULL) { -- rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs); -+ if (p != NULL) { -+ rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs); - if (rc) goto out; - } - diff --git a/main/xen/xsa70.patch b/main/xen/xsa70.patch deleted file mode 100644 index f19dd96ed9..0000000000 --- a/main/xen/xsa70.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 94db3e1cb356a0d2de1753888ceb0eb767404ec4 Mon Sep 17 00:00:00 2001 -From: Matthew Daley <mattjd@gmail.com> -Date: Tue, 10 Sep 2013 22:18:46 +1200 -Subject: [PATCH] libxl: fix out-of-memory error handling in - libxl_list_cpupool - -...otherwise it will return freed memory. All the current users of this -function check already for a NULL return, so use that. - -Coverity-ID: 1056194 - -This is CVE-2013-4371 / XSA-70 - -Signed-off-by: Matthew Daley <mattjd@gmail.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> ---- - tools/libxl/libxl.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c -index 0879f23..17653ef 100644 ---- a/tools/libxl/libxl.c -+++ b/tools/libxl/libxl.c -@@ -651,6 +651,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool_out) - if (!tmp) { - LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info"); - libxl_cpupoolinfo_list_free(ptr, i); -+ ptr = NULL; - goto out; - } - ptr = tmp; --- -1.7.10.4 - diff --git a/main/xen/xsa71.patch b/main/xen/xsa71.patch deleted file mode 100644 index 45e52eb0f8..0000000000 --- a/main/xen/xsa71.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 23260e589e52ec83349f22198eab2331b5a1684e Mon Sep 17 00:00:00 2001 -From: Matthew Daley <mattjd@gmail.com> -Date: Wed, 25 Sep 2013 12:28:47 +1200 -Subject: [PATCH] xen_disk: mark ioreq as mapped before unmapping in error - case - -Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush") -modified the semantics of ioreq_{un,}map so that they are idempotent if -called when they're not needed (ie., twice in a row). However, it neglected -to handle the case where batch mapping is not being used (the default), and -one of the grants fails to map. In this case, ioreq_unmap will be called to -unwind and unmap any mappings already performed, but ioreq_unmap simply -returns due to the aforementioned change (the ioreq has not already been -marked as mapped). - -The frontend user can therefore force xen_disk to leak grant mappings, a -per-backend-domain limited resource. - -Fix by marking the ioreq as mapped before calling ioreq_unmap in this -situation. - -This is XSA-71 / CVE-2013-4375 - -Signed-off-by: Matthew Daley <mattjd@gmail.com> ---- - hw/xen_disk.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/qemu-xen/hw/xen_disk.c b/tools/qemu-xen/hw/xen_disk.c -index a402ac8..1cdfcbc 100644 ---- a/tools/qemu-xen/hw/xen_disk.c -+++ b/tools/qemu-xen/hw/xen_disk.c -@@ -299,6 +299,7 @@ static int ioreq_map(struct ioreq *ioreq) - xen_be_printf(&ioreq->blkdev->xendev, 0, - "can't map grant ref %d (%s, %d maps)\n", - refs[i], strerror(errno), ioreq->blkdev->cnt_map); -+ ioreq->mapped = 1; - ioreq_unmap(ioreq); - return -1; - } --- -1.7.10.4 - |