Diffstat (limited to 'main/xen')
-rw-r--r--main/xen/APKBUILD48
-rw-r--r--main/xen/xsa48-4.2.patch114
-rw-r--r--main/xen/xsa62.patch46
-rw-r--r--main/xen/xsa63.patch171
-rw-r--r--main/xen/xsa64.patch55
-rw-r--r--main/xen/xsa66.patch23
-rw-r--r--main/xen/xsa67.patch37
-rw-r--r--main/xen/xsa68.patch69
-rw-r--r--main/xen/xsa70.patch34
-rw-r--r--main/xen/xsa71.patch43
10 files changed, 6 insertions, 634 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index c841c9f10a..d36413aeb6 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
-pkgver=4.3.0
-pkgrel=8
+pkgver=4.3.1
+pkgrel=0
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -23,16 +23,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa41.patch
xsa41b.patch
xsa41c.patch
- xsa48-4.2.patch
-
- xsa62.patch
- xsa63.patch
- xsa64.patch
- xsa66.patch
- xsa67.patch
- xsa68.patch
- xsa70.patch
- xsa71.patch
+
xsa73-4_3-unstable.patch
fix-pod2man-choking.patch
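Review bot: The nine security patches dropped from the `source=` list in this hunk (xsa48-4.2, xsa62, xsa63, xsa64, xsa66, xsa67, xsa68, xsa70, xsa71) are removed with no record that the 4.3.1 tarball carries the same fixes. Presumably they were merged upstream, but nothing visible here confirms it. Each one should be checked against the 4.3.1 tree before merging, in particular xsa48-4.2.patch and xsa71.patch, which patch the bundled `tools/qemu-xen` sources rather than the hypervisor itself. Because the list sits inside a quoted string, the audit trail belongs in a comment above the `source=` assignment (outside this hunk), for example `# XSA-48, 62, 63, 64, 66, 67, 68, 70, 71: fixed upstream in 4.3.1, local patches dropped`. The matching checksum removals in the md5sums, sha256sums and sha512sums hunks follow from the same decision.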
@@ -194,22 +185,13 @@ xend() {
-exec mv '{}' "$subpkgdir"/"$sitepackages"/xen \;
}
-md5sums="7b18cfb58f1ac2ce39cf35a1867f0c0a xen-4.3.0.tar.gz
+md5sums="7616b8704e1ab89c81f011f0e3703bc8 xen-4.3.1.tar.gz
2dc5ddf47c53ea168729975046c3c1f9 librt.patch
1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch
6dcff640268d514fa9164b4c812cc52d docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
8ad8942000b8a4be4917599cad9209cf xsa41.patch
ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
2f3dd7bdc59d104370066d6582725575 xsa41c.patch
-b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch
-01fc0d30d3f5293df65976ec6a4565b2 xsa62.patch
-099d02d873a36b8484572281dfa72df0 xsa63.patch
-8a27a23cf83dead783b7a8f028ce436d xsa64.patch
-b2345060369f7749a1737f3927c42c24 xsa66.patch
-879f68ccff2e3d9ca1300cd250066465 xsa67.patch
-f5ab90fba31fedc023035ae2a91e5524 xsa68.patch
-8367e07fe00c3d2e7658e1eb21cf4740 xsa70.patch
-29e7e593373bfc1390aa251da6bd834d xsa71.patch
5005efdb8bf44ccc2ce869611b507c83 xsa73-4_3-unstable.patch
4c5455d1adc09752a835e241097fbc39 fix-pod2man-choking.patch
a4097e06a7e000ed00f4607db014d277 qemu-xen-websocket.patch
@@ -230,22 +212,13 @@ fa8c72b42e0479d521a353386d8543ef xendomains.initd
9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate
6a2f777c16678d84039acf670d86fff6 xenqemu.confd
f9afbf39e2b5a7d9dde60ebbd249ea7d xenqemu.initd"
-sha256sums="e1e9faabe4886e2227aacdbde74410653b233d66642ca1972a860cbec6439961 xen-4.3.0.tar.gz
+sha256sums="3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd xen-4.3.1.tar.gz
12bf32f9937b09283f2df4955b50d6739768f66137a7d991f661f45cf77cb53b librt.patch
9440ca31a6911201f02694e93faafb5ca9b17de18b7f15b53ceac39a03411b4a qemu-xen_paths.patch
a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
93452beba88a8da8e89b8bfa743074a358ba1d9052151c608e21c4d62f8c4867 xsa41.patch
896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
-dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch
-364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856 xsa62.patch
-32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005 xsa63.patch
-061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47 xsa64.patch
-3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4 xsa66.patch
-7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028 xsa67.patch
-64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32 xsa68.patch
-2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56 xsa70.patch
-3785784d9c27c0ec1be6808e5169fe72e6873d963173901f1b287360cf8edd9d xsa71.patch
48411cd6b15e4e4fa3c4335298179a4b1094c5e1ae8dc7582bbfb9439d97037b xsa73-4_3-unstable.patch
fcb5b9ff0bc4b4d39fed9b88891491b91628aa449914cfea321abe5da24c1da2 fix-pod2man-choking.patch
e9f6c482fc449e0b540657a8988ad31f2e680b8933e50e6486687a52f6a9ed04 qemu-xen-websocket.patch
@@ -266,22 +239,13 @@ a50a4485e84bcc098ad021556cd2aa7947c228f0a546ab942e880787ced57be3 xend.initd
0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate
4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd
bf17808a79c57a9efc38b9f14cc87f556b2bb7ecfdec5763d9cf686255a47fce xenqemu.initd"
-sha512sums="e6b8f64e15e48704ea5cee5585cd6151fe6a5a62bc4670caf0b762c1aa71c9598db236c637ac34c42c92c6e8a5001acdd3d9d4b9305401a26273279358f481d6 xen-4.3.0.tar.gz
+sha512sums="f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf37835528aca33a0f9e04c82d5f8c4ba79c03a1780d2b72cbb90cc26f77275 xen-4.3.1.tar.gz
74e3cfc51e367fc445cb3d8149f0c8830e94719a266daf04d2cd0889864591860c4c8842de2bc78070e4c5be7d14dfbb8b236c511d5faeddc2ad97177c1d3764 librt.patch
425149aea57a6deae9f488cea867f125983998dc6e8c63893fb3b9caf0ea34214251dd98ad74db823f5168631c44c49b988b6fe9c11b76bd493ddf51bc0baaa2 qemu-xen_paths.patch
477d3d08bd4fcdfbc54abea1a18acb6a41d298c366cd01c954f474515cb862d0dd59217c0dfca5460a725a8bc036de42132f522c3eefdffcc4fd511f016b783f docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
94672a4d37db4e370370157cac9507ee1a75832f4be779fba148c1faa0b18f26ed57126eee6256ccd5d218463325a730266b53139554f4865adedb7659154c16 xsa41.patch
bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
-31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch
-4738a229a6f18d670da07b3acbaf6e227af5fb3e7b0b414dc98671be02208aefc66ebe07f7396d9158d0fa15993b9d418fd65747880c64694b1a06b8be961419 xsa62.patch
-f972de0910dff2109fc18911eeaf789963ec457d2a21029abc9615088d2c8446028effec6c1c01e080ae3479e704175e19040c09053c8ad60c0b38c7d2ec3859 xsa63.patch
-2e9283c56f7e336f82d26a6346af91e520375f7084a6f07ad254e52781ac7e96cbb09ee48adfbf2c6c46d5516c56343612011f939f6a40ebef41e1925a9c6ed7 xsa64.patch
-5abc6cb7685a9053e67c1646c6d9e06c25da6d6c7004e63e346e7b082270e1319fcc8a194a8db4e9c9cb903fe5dc29ae17169cda6fea94913fa9e0ff5aa9b451 xsa66.patch
-959e4760210ceb480da53c709fcdeed4bd9cec27eefbcdb7dfcf6d764184e5ecf4c225f817d8a46ff0bb74baa8d14d90c9ce39bb51c9a781cbc524227b02e153 xsa67.patch
-bd1deab154e129fc63dcc51ce5c4d004f5fe044443755a0b8943d8b6087f2ef7cbfd76f2390d36f7b4ad1797ef28abbb23157401468e1bf33ecc7a17aff9e8a4 xsa68.patch
-107335f8e4ffddb9cab9e21dfdf745dea0e4d078c71ee59671942291c189dd0e998a9d480fa91ae439e6410591c9fb06491ca8e810006e22640bf0dc9cf5da81 xsa70.patch
-da71e6d60c2663d571686063cb427ba04e5d56422d945ffd3f14be1dc72df61af78f1b63dc9e248bcfb0cdaaca03a227b4145cdd2af1ec7cdf9a2655c5b006b8 xsa71.patch
8eb555bc589bc4848f640dd93bdfaf0d0a61667e26667ff2ff89ab60c8c5a777982647e8c440be7510620281bac8d9bb3281afcae36e974f09bd70184ba6ba9a xsa73-4_3-unstable.patch
2e95ad43bb66f928fe1e8caf474a3211571f75f79ea32aaa3eddb3aed9963444bd131006b67e682395af0d79118b2634bf808404693b813a94662d2a9d665ac2 fix-pod2man-choking.patch
45f1da45f3ff937d0a626e37c130d76f5b97f49a57ddeb11ef2a8e850c04c32c819a3dfcef501eb3784db5fe7b39c88230063e56aa6e5197fd9c7b7d424fff77 qemu-xen-websocket.patch
diff --git a/main/xen/xsa48-4.2.patch b/main/xen/xsa48-4.2.patch
deleted file mode 100644
index 998dbcb1d5..0000000000
--- a/main/xen/xsa48-4.2.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-Add -f FMT / --format FMT arg to qemu-nbd
-
-From: "Daniel P. Berrange" <berrange@redhat.com>
-
-Currently the qemu-nbd program will auto-detect the format of
-any disk it is given. This behaviour is known to be insecure.
-For example, if qemu-nbd initially exposes a 'raw' file to an
-unprivileged app, and that app runs
-
- 'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
-
-then the next time the app is started, the qemu-nbd will now
-detect it as a 'qcow2' file and expose /etc/shadow to the
-unprivileged app.
-
-The only way to avoid this is to explicitly tell qemu-nbd what
-disk format to use on the command line, completely disabling
-auto-detection. This patch adds a '-f' / '--format' arg for
-this purpose, mirroring what is already available via qemu-img
-and qemu commands.
-
- qemu-nbd --format raw -p 9000 evil.img
-
-will now always use raw, regardless of what format 'evil.img'
-looks like it contains
-
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-[Use errx, not err. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
-
-[ This is a security issue, CVE-2013-1922 / XSA-48. ]
-
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 291cba2..8fbe2cf 100644
---- a/tools/qemu-xen/qemu-nbd.c
-+++ b/tools/qemu-xen/qemu-nbd.c
-@@ -247,6 +247,7 @@ out:
- int main(int argc, char **argv)
- {
- BlockDriverState *bs;
-+ BlockDriver *drv;
- off_t dev_offset = 0;
- off_t offset = 0;
- uint32_t nbdflags = 0;
-@@ -256,7 +257,7 @@ int main(int argc, char **argv)
- struct sockaddr_in addr;
- socklen_t addr_len = sizeof(addr);
- off_t fd_size;
-- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
-+ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t";
- struct option lopt[] = {
- { "help", 0, NULL, 'h' },
- { "version", 0, NULL, 'V' },
-@@ -271,6 +272,7 @@ int main(int argc, char **argv)
- { "snapshot", 0, NULL, 's' },
- { "nocache", 0, NULL, 'n' },
- { "shared", 1, NULL, 'e' },
-+ { "format", 1, NULL, 'f' },
- { "persistent", 0, NULL, 't' },
- { "verbose", 0, NULL, 'v' },
- { NULL, 0, NULL, 0 }
-@@ -292,6 +294,7 @@ int main(int argc, char **argv)
- int max_fd;
- int persistent = 0;
- pthread_t client_thread;
-+ const char *fmt = NULL;
-
- /* The client thread uses SIGTERM to interrupt the server. A signal
- * handler ensures that "qemu-nbd -v -c" exits with a nice status code.
-@@ -368,6 +371,9 @@ int main(int argc, char **argv)
- errx(EXIT_FAILURE, "Shared device number must be greater than 0\n");
- }
- break;
-+ case 'f':
-+ fmt = optarg;
-+ break;
- case 't':
- persistent = 1;
- break;
-@@ -478,9 +484,19 @@ int main(int argc, char **argv)
- bdrv_init();
- atexit(bdrv_close_all);
-
-+ if (fmt) {
-+ drv = bdrv_find_format(fmt);
-+ if (!drv) {
-+ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt);
-+ }
-+ } else {
-+ drv = NULL;
-+ }
-+
- bs = bdrv_new("hda");
- srcpath = argv[optind];
-- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) {
-+ ret = bdrv_open(bs, srcpath, flags, drv);
-+ if (ret < 0) {
- errno = -ret;
- err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]);
- }
-diff --git a/qemu-nbd.texi b/qemu-nbd.texi
-index 44996cc..f56c68e 100644
---- a/tools/qemu-xen/qemu-nbd.texi
-+++ b/tools/qemu-xen/qemu-nbd.texi
-@@ -36,6 +36,8 @@ Export Qemu disk image using NBD protocol.
- disconnect the specified device
- @item -e, --shared=@var{num}
- device can be shared by @var{num} clients (default @samp{1})
-+@item -f, --format=@var{fmt}
-+ force block driver for format @var{fmt} instead of auto-detecting
- @item -t, --persistent
- don't exit on the last connection
- @item -v, --verbose
diff --git a/main/xen/xsa62.patch b/main/xen/xsa62.patch
deleted file mode 100644
index 3bb432762a..0000000000
--- a/main/xen/xsa62.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-x86/xsave: initialize extended register state when guests enable it
-
-Till now, when setting previously unset bits in XCR0 we wouldn't touch
-the active register state, thus leaving in the newly enabled registers
-whatever a prior user of it left there, i.e. potentially leaking
-information between guests.
-
-This is CVE-2013-1442 / XSA-62.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-@@ -307,6 +307,7 @@ int validate_xstate(u64 xcr0, u64 xcr0_a
- int handle_xsetbv(u32 index, u64 new_bv)
- {
- struct vcpu *curr = current;
-+ u64 mask;
-
- if ( index != XCR_XFEATURE_ENABLED_MASK )
- return -EOPNOTSUPP;
-@@ -320,9 +321,23 @@ int handle_xsetbv(u32 index, u64 new_bv)
- if ( !set_xcr0(new_bv) )
- return -EFAULT;
-
-+ mask = new_bv & ~curr->arch.xcr0_accum;
- curr->arch.xcr0 = new_bv;
- curr->arch.xcr0_accum |= new_bv;
-
-+ mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY;
-+ if ( mask )
-+ {
-+ unsigned long cr0 = read_cr0();
-+
-+ clts();
-+ if ( curr->fpu_dirtied )
-+ asm ( "stmxcsr %0" : "=m" (curr->arch.xsave_area->fpu_sse.mxcsr) );
-+ xrstor(curr, mask);
-+ if ( cr0 & X86_CR0_TS )
-+ write_cr0(cr0);
-+ }
-+
- return 0;
- }
-
diff --git a/main/xen/xsa63.patch b/main/xen/xsa63.patch
deleted file mode 100644
index 5134650e2f..0000000000
--- a/main/xen/xsa63.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
-
-Ignoring them generally implies using uninitialized data and, in all
-cases dealt with here, potentially leaking hypervisor stack contents to
-guests.
-
-This is XSA-63.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -2308,11 +2308,7 @@ void hvm_task_switch(
-
- rc = hvm_copy_from_guest_virt(
- &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
-- if ( rc == HVMCOPY_bad_gva_to_gfn )
-- goto out;
-- if ( rc == HVMCOPY_gfn_paged_out )
-- goto out;
-- if ( rc == HVMCOPY_gfn_shared )
-+ if ( rc != HVMCOPY_okay )
- goto out;
-
- eflags = regs->eflags;
-@@ -2357,13 +2353,11 @@ void hvm_task_switch(
-
- rc = hvm_copy_from_guest_virt(
- &tss, tr.base, sizeof(tss), PFEC_page_present);
-- if ( rc == HVMCOPY_bad_gva_to_gfn )
-- goto out;
-- if ( rc == HVMCOPY_gfn_paged_out )
-- goto out;
-- /* Note: this could be optimised, if the callee functions knew we want RO
-- * access */
-- if ( rc == HVMCOPY_gfn_shared )
-+ /*
-+ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
-+ * functions knew we want RO access.
-+ */
-+ if ( rc != HVMCOPY_okay )
- goto out;
-
-
---- a/xen/arch/x86/hvm/intercept.c
-+++ b/xen/arch/x86/hvm/intercept.c
-@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu *
- {
- for ( i = 0; i < p->count; i++ )
- {
-- int ret;
--
-- ret = hvm_copy_from_guest_phys(&data,
-- p->data + (sign * i * p->size),
-- p->size);
-- if ( (ret == HVMCOPY_gfn_paged_out) ||
-- (ret == HVMCOPY_gfn_shared) )
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
- {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
- rc = X86EMUL_RETRY;
- break;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ rc = X86EMUL_UNHANDLEABLE;
-+ break;
- }
-+ if ( rc != X86EMUL_OKAY )
-+ break;
- rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
- data);
- if ( rc != X86EMUL_OKAY )
-@@ -165,8 +176,28 @@ static int process_portio_intercept(port
- for ( i = 0; i < p->count; i++ )
- {
- data = 0;
-- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
-- p->size);
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
-+ {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
-+ rc = X86EMUL_RETRY;
-+ break;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ rc = X86EMUL_UNHANDLEABLE;
-+ break;
-+ }
-+ if ( rc != X86EMUL_OKAY )
-+ break;
- rc = action(IOREQ_WRITE, p->addr, p->size, &data);
- if ( rc != X86EMUL_OKAY )
- break;
---- a/xen/arch/x86/hvm/io.c
-+++ b/xen/arch/x86/hvm/io.c
-@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp
- data = p->data;
- if ( p->data_is_ptr )
- {
-- int ret;
--
-- ret = hvm_copy_from_guest_phys(&data,
-- p->data + (sign * i * p->size),
-- p->size);
-- if ( (ret == HVMCOPY_gfn_paged_out) &&
-- (ret == HVMCOPY_gfn_shared) )
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
-+ {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
- return X86EMUL_RETRY;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ return X86EMUL_UNHANDLEABLE;
-+ }
- }
-
- switch ( p->size )
---- a/xen/arch/x86/hvm/vmx/realmode.c
-+++ b/xen/arch/x86/hvm/vmx/realmode.c
-@@ -39,7 +39,9 @@ static void realmode_deliver_exception(
-
- again:
- last_byte = (vector * 4) + 3;
-- if ( idtr->limit < last_byte )
-+ if ( idtr->limit < last_byte ||
-+ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
-+ HVMCOPY_okay )
- {
- /* Software interrupt? */
- if ( insn_len != 0 )
-@@ -64,8 +66,6 @@ static void realmode_deliver_exception(
- }
- }
-
-- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
--
- frame[0] = regs->eip + insn_len;
- frame[1] = csr->sel;
- frame[2] = regs->eflags & ~X86_EFLAGS_RF;
diff --git a/main/xen/xsa64.patch b/main/xen/xsa64.patch
deleted file mode 100644
index f2c1117fdd..0000000000
--- a/main/xen/xsa64.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-commit 95a0770282ea2a03f7bc48c6656d5fc79bae0599
-Author: Tim Deegan <tim@xen.org>
-Date: Thu Sep 12 14:16:28 2013 +0100
-
- x86/mm/shadow: Fix initialization of PV shadow L4 tables.
-
- Shadowed PV L4 tables must have the same Xen mappings as their
- unshadowed equivalent. This is done by copying the Xen entries
- verbatim from the idle pagetable, and then using guest_l4_slot()
- in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
-
- adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
- changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
- the top of the address space, which causes the shadow code to
- copy Xen mappings into guest-kernel-address slots too.
-
- In the common case, all those slots are zero in the idle pagetable,
- and no harm is done. But if any slot above #271 is non-zero, Xen will
- crash when that slot is later cleared (it attempts to drop
- shadow-pagetable refcounts on its own L4 pagetables).
-
- Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
- Monitor pagetables need the full Xen mappings, so they keep using the
- old name (with its new semantics).
-
- This is XSA-64.
-
- Signed-off-by: Tim Deegan <tim@xen.org>
- Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index 4c4c2ba..3fed0b6 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t gl4mfn, mfn_t sl4mfn)
- {
- struct domain *d = v->domain;
- shadow_l4e_t *sl4e;
-+ unsigned int slots;
-
- sl4e = sh_map_domain_page(sl4mfn);
- ASSERT(sl4e != NULL);
- ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));
-
- /* Copy the common Xen mappings from the idle domain */
-+ slots = (shadow_mode_external(d)
-+ ? ROOT_PAGETABLE_XEN_SLOTS
-+ : ROOT_PAGETABLE_PV_XEN_SLOTS);
- memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],
- &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],
-- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));
-+ slots * sizeof(l4_pgentry_t));
-
- /* Install the per-domain mappings for this domain */
- sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
diff --git a/main/xen/xsa66.patch b/main/xen/xsa66.patch
deleted file mode 100644
index 1d9f25abae..0000000000
--- a/main/xen/xsa66.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-x86: properly set up fbld emulation operand address
-
-This is CVE-2013-4361 / XSA-66.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
---- a/xen/arch/x86/x86_emulate/x86_emulate.c
-+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -3156,11 +3156,11 @@ x86_emulate(
- break;
- case 4: /* fbld m80dec */
- ea.bytes = 10;
-- dst = ea;
-+ src = ea;
- if ( (rc = ops->read(src.mem.seg, src.mem.off,
- &src.val, src.bytes, ctxt)) != 0 )
- goto done;
-- emulate_fpu_insn_memdst("fbld", src.val);
-+ emulate_fpu_insn_memsrc("fbld", src.val);
- break;
- case 5: /* fild m64i */
- ea.bytes = 8;
diff --git a/main/xen/xsa67.patch b/main/xen/xsa67.patch
deleted file mode 100644
index d81a0e18a9..0000000000
--- a/main/xen/xsa67.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-x86: check segment descriptor read result in 64-bit OUTS emulation
-
-When emulating such an operation from a 64-bit context (CS has long
-mode set), and the data segment is overridden to FS/GS, the result of
-reading the overridden segment's descriptor (read_descriptor) is not
-checked. If it fails, data_base is left uninitialized.
-
-This can lead to 8 bytes of Xen's stack being leaked to the guest
-(implicitly, i.e. via the address given in a #PF).
-
-Coverity-ID: 1055116
-
-This is CVE-2013-4368 / XSA-67.
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
-
-Fix formatting.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/traps.c
-+++ b/xen/arch/x86/traps.c
-@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct
- break;
- }
- }
-- else
-- read_descriptor(data_sel, v, regs,
-- &data_base, &data_limit, &ar,
-- 0);
-+ else if ( !read_descriptor(data_sel, v, regs,
-+ &data_base, &data_limit, &ar, 0) ||
-+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
-+ goto fail;
- data_limit = ~0UL;
- ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
- }
diff --git a/main/xen/xsa68.patch b/main/xen/xsa68.patch
deleted file mode 100644
index cad655be25..0000000000
--- a/main/xen/xsa68.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-libxl: fix vif rate parsing
-
-strtok can return NULL here. We don't need to use strtok anyway, so just
-use a simple strchr method.
-
-Coverity-ID: 1055642
-
-This is CVE-2013-4369 / XSA-68
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
-
-Fix type. Add test case
-
-Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>
-
-diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse
-index 0473182..02c6dba 100755
---- a/tools/libxl/check-xl-vif-parse
-+++ b/tools/libxl/check-xl-vif-parse
-@@ -206,4 +206,8 @@ expected </dev/null
- one $e rate=4294967295GB/s@5us
- one $e rate=4296MB/s@4294s
-
-+# test include of single '@'
-+expected </dev/null
-+one $e rate=@
-+
- complete
-diff --git a/tools/libxl/libxlu_vif.c b/tools/libxl/libxlu_vif.c
-index 3b3de0f..0665e62 100644
---- a/tools/libxl/libxlu_vif.c
-+++ b/tools/libxl/libxlu_vif.c
-@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, const char *rate, libxl_device_nic *nic)
- uint64_t bytes_per_sec = 0;
- uint64_t bytes_per_interval = 0;
- uint32_t interval_usecs = 50000UL; /* Default to 50ms */
-- char *ratetok, *tmprate;
-+ char *p, *tmprate;
- int rc = 0;
-
- tmprate = strdup(rate);
-+ if (tmprate == NULL) {
-+ rc = ENOMEM;
-+ goto out;
-+ }
-+
-+ p = strchr(tmprate, '@');
-+ if (p != NULL)
-+ *p++ = 0;
-+
- if (!strcmp(tmprate,"")) {
- xlu__vif_err(cfg, "no rate specified", rate);
- rc = EINVAL;
- goto out;
- }
-
-- ratetok = strtok(tmprate, "@");
-- rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);
-+ rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);
- if (rc) goto out;
-
-- ratetok = strtok(NULL, "@");
-- if (ratetok != NULL) {
-- rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);
-+ if (p != NULL) {
-+ rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);
- if (rc) goto out;
- }
-
diff --git a/main/xen/xsa70.patch b/main/xen/xsa70.patch
deleted file mode 100644
index f19dd96ed9..0000000000
--- a/main/xen/xsa70.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 94db3e1cb356a0d2de1753888ceb0eb767404ec4 Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattjd@gmail.com>
-Date: Tue, 10 Sep 2013 22:18:46 +1200
-Subject: [PATCH] libxl: fix out-of-memory error handling in
- libxl_list_cpupool
-
-...otherwise it will return freed memory. All the current users of this
-function check already for a NULL return, so use that.
-
-Coverity-ID: 1056194
-
-This is CVE-2013-4371 / XSA-70
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
----
- tools/libxl/libxl.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 0879f23..17653ef 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -651,6 +651,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool_out)
- if (!tmp) {
- LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
- libxl_cpupoolinfo_list_free(ptr, i);
-+ ptr = NULL;
- goto out;
- }
- ptr = tmp;
---
-1.7.10.4
-
diff --git a/main/xen/xsa71.patch b/main/xen/xsa71.patch
deleted file mode 100644
index 45e52eb0f8..0000000000
--- a/main/xen/xsa71.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 23260e589e52ec83349f22198eab2331b5a1684e Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattjd@gmail.com>
-Date: Wed, 25 Sep 2013 12:28:47 +1200
-Subject: [PATCH] xen_disk: mark ioreq as mapped before unmapping in error
- case
-
-Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
-modified the semantics of ioreq_{un,}map so that they are idempotent if
-called when they're not needed (ie., twice in a row). However, it neglected
-to handle the case where batch mapping is not being used (the default), and
-one of the grants fails to map. In this case, ioreq_unmap will be called to
-unwind and unmap any mappings already performed, but ioreq_unmap simply
-returns due to the aforementioned change (the ioreq has not already been
-marked as mapped).
-
-The frontend user can therefore force xen_disk to leak grant mappings, a
-per-backend-domain limited resource.
-
-Fix by marking the ioreq as mapped before calling ioreq_unmap in this
-situation.
-
-This is XSA-71 / CVE-2013-4375
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
----
- hw/xen_disk.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/qemu-xen/hw/xen_disk.c b/tools/qemu-xen/hw/xen_disk.c
-index a402ac8..1cdfcbc 100644
---- a/tools/qemu-xen/hw/xen_disk.c
-+++ b/tools/qemu-xen/hw/xen_disk.c
-@@ -299,6 +299,7 @@ static int ioreq_map(struct ioreq *ioreq)
- xen_be_printf(&ioreq->blkdev->xendev, 0,
- "can't map grant ref %d (%s, %d maps)\n",
- refs[i], strerror(errno), ioreq->blkdev->cnt_map);
-+ ioreq->mapped = 1;
- ioreq_unmap(ioreq);
- return -1;
- }
---
-1.7.10.4
-