authorNatanael Copa <ncopa@alpinelinux.org>2015-03-13 13:10:06 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-03-13 13:20:12 +0000
commit14262541d1f6c9ab7dab4650d8c303fec8a918e1 (patch)
tree79ddb60b8fcc4ac5427a19afe81c948acc7d5aaf
parenta1313c7abf5d2a392138485f87a07fb57a8be1fd (diff)
main/xen: security fix for xsa118 (CVE-2015-1563)
fixes #3894
-rw-r--r--main/xen/APKBUILD6
-rw-r--r--main/xen/xsa118-4.4.patch115
2 files changed, 120 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 47d341ef5..45866d709 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.4.1
-pkgrel=7
+pkgrel=8
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -26,6 +26,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa113.patch
xsa114-4.4.patch
xsa116.patch
+ xsa118-4.4.patch
qemu-coroutine-gthread.patch
qemu-xen-musl-openpty.patch
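Review bot: The added `xsa118-4.4.patch` entry leaves no record in the APKBUILD of which advisory it resolves; the CVE appears only in the commit title. A comment above the `source=` assignment, such as `# xsa118-4.4.patch: XSA-118 / CVE-2015-1563 (ARM vGIC console log flooding)`, would let an auditor map the package release to the fix without reading git history. The patch touches only `xen/arch/arm/vgic.c` while this APKBUILD declares `arch="x86_64"`, so the built hypervisor is presumably unchanged by it, and the same comment could say so to avoid the impression that x86 hosts were exposed. The source list begins and ends outside this hunk.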
@@ -228,6 +229,7 @@ e0f14ff509c91b324e367ee35f024b85 xsa112.patch
8c802cd95e29ecb085a8c436d3539c36 xsa113.patch
7566238066a655770dfba9fe30e3a347 xsa114-4.4.patch
6f0ed43665d54dada7a8ff10ec53563c xsa116.patch
+afd7d4f04a5d1241dd1a375619a9ee8e xsa118-4.4.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch
c4d2d95ae3e5f538b7145becb3c6098e qemu-xen_paths.patch
@@ -258,6 +260,7 @@ cc39a4cdcb52929ed36ab696807d2405aa552177a6f029d8a1a52041ca1ed519 xsa112.patch
a0f2b792a6b4648151f85fe13961b0bf309a568ed03e1b1d4ea01e4eabf1b18e xsa113.patch
b35ed8710693163cc33772c36e4c17dc76e25a0b2025fff4a5aa3b46c459938a xsa114-4.4.patch
84b5a7bb2386e3d95d9d836a4a2504870723694ddaf537f1b59db75b7c63e9bd xsa116.patch
+5741cfe408273bd80e1a03c21a5650f963d7103fd022c688730f55dcf5373433 xsa118-4.4.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch
a6ccc0ed0dab8465188f92ceb3c983f10d65cd93bb2c8bab4e4155ef13536f5d qemu-xen_paths.patch
@@ -288,6 +291,7 @@ d9d08039c0127007ea0db792d2b1375ac9f94d91982324cc945afd97dd3d14049195f5dceea37969
be8223e778eb529d10a752f507c0dfaef0a607191924b400979dc5fd4c1f2806e39ec49c84fb299d5d06505ffe2d4b4268551db6e909a2520f70f70bb40bb3cb xsa113.patch
c8ed45c7a6bb9bc7cfe08aae06e36c6a88ce79c3c33ad6f707fea88b5fb70e9eb1c1ee98534b7e49ca6e52cdea56b0893d6c839874057b05ae815c2c94b7ce8f xsa114-4.4.patch
8d0d6b01e4836195f0c57c5102fdb933c742cb941e0c565adff0dfd4ad660618dfd6b5c2c7bf367e73645a560d097d2677511d52399d19100e26e55d25aaacd1 xsa116.patch
+a6c24b4bd6b7b8cc750c203b74fbe8a8dde26c2f5b06d27822353ea14778de9d6b375aaea5ee64b42a1235a1811a25119b0028234a22424747f4c6eba91b0ffa xsa118-4.4.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch
1f19cf495142dfc9f1786af6d4f7d497a482119fa2f1c10d4f9174994d38562719bc5190820dd444c32da0fb9af78fadac8dc8958437c26d6ca385f2409794e8 qemu-xen_paths.patch
diff --git a/main/xen/xsa118-4.4.patch b/main/xen/xsa118-4.4.patch
new file mode 100644
index 000000000..9a15de235
--- /dev/null
+++ b/main/xen/xsa118-4.4.patch
@@ -0,0 +1,115 @@
+From 172cf0489b504b35c7c1666fb7d015006976c4e7 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Mon, 19 Jan 2015 12:59:42 +0000
+Subject: [PATCH] xen/arm: vgic: message in the emulation code should be
+ rate-limited
+
+printk is not rated-limited by default. Therefore a malicious guest may
+be able to flood the Xen console.
+
+If we use gdprintk, unecessary information will be printed such as the
+filename and the line. Instead use XENLOG_G_ERR combine with %pv.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic.c | 40 +++++++++++++++++++++++-----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
+index 8d1b79e..b2262c6 100644
+--- a/xen/arch/arm/vgic.c
++++ b/xen/arch/arm/vgic.c
+@@ -332,7 +332,7 @@ static int vgic_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_ICPIDR2:
+ if ( dabt.size != 2 ) goto bad_width;
+- printk("vGICD: unhandled read from ICPIDR2\n");
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v);
+ return 0;
+
+ /* Implementation defined -- read as zero */
+@@ -349,14 +349,14 @@ static int vgic_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ goto read_as_zero;
+
+ default:
+- printk("vGICD: unhandled read r%d offset %#08x\n",
+- dabt.reg, offset);
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
++ v, dabt.reg, offset);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICD: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, offset);
++ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, offset);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -523,14 +523,16 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_ISPENDR ... GICD_ISPENDRN:
+ if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
+ return 0;
+
+ case GICD_ICPENDR ... GICD_ICPENDRN:
+ if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
+ return 0;
+
+ case GICD_ISACTIVER ... GICD_ISACTIVERN:
+@@ -606,14 +608,16 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_CPENDSGIR ... GICD_CPENDSGIRN:
+ if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
+ return 0;
+
+ case GICD_SPENDSGIR ... GICD_SPENDSGIRN:
+ if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
+ return 0;
+
+ /* Implementation defined -- write ignored */
+@@ -638,14 +642,16 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ goto write_ignore;
+
+ default:
+- printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
+- dabt.reg, *r, offset);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.reg, *r, offset);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+- dabt.size, dabt.reg, *r, offset);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, offset);
+ domain_crash_synchronous();
+ return 0;
+
+--
+2.1.4
+
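Review bot: The rate limiting this patch relies on comes entirely from the `XENLOG_G_ERR` prefix, and nothing in the converted `printk` calls says so, which makes it easy for a later edit to drop the prefix and reopen the console flood. A one-line comment at the top of each handler, e.g. `/* Guest-triggerable messages: keep the XENLOG_G_* prefix so they are rate-limited. */`, would document that. The throttling is also governed by the hypervisor's `guest_loglvl` boot option, so a host booted with a setting such as `guest_loglvl=all` would, as far as I know, still print these lines unthrottled. Both `vgic_distr_mmio_read` and `vgic_distr_mmio_write` start and end outside the embedded hunks, so any other plain `printk` on guest-reachable paths in them cannot be checked from here.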