author | Roger Pau Monne <roger.pau@citrix.com> | 2012-11-16 17:53:16 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-11-19 12:15:52 +0000 |
commit | 22809ecb412e53ecc84ef1213fcdfc3afa124909 (patch) | |
tree | 08d0a9c4fba60b7fe0371a0ff966161139319887 /main/xen | |
parent | 1bba205542b00512cc50c8a4807b358f0b2697c5 (diff) | |
xen: add a bunch of security fixes
This covers the following Xen Security Advisories (XSAs), each applied as a separate patch file:
XSA-20
XSA-22
XSA-23
XSA-24
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Diffstat (limited to 'main/xen')
-rw-r--r-- | main/xen/APKBUILD | 8 | ||||
-rw-r--r-- | main/xen/xsa20.patch | 38 | ||||
-rw-r--r-- | main/xen/xsa22-4.2-unstable.patch | 40 | ||||
-rw-r--r-- | main/xen/xsa23-4.2-unstable.patch | 32 | ||||
-rw-r--r-- | main/xen/xsa24.patch | 26 |
5 files changed, 144 insertions, 0 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 714385011..1777d47ff 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -19,6 +19,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 librt.patch
 make_stubdoms.patch
 qemu-xen_paths.patch
+ xsa20.patch
+ xsa22-4.2-unstable.patch
+ xsa23-4.2-unstable.patch
+ xsa24.patch
 xsa25-4.2.patch
 xenstored.initd
@@ -134,6 +138,10 @@ md5sums="f4f217969afc38f09251039966d91a87 xen-4.2.0.tar.gz
 2dc5ddf47c53ea168729975046c3c1f9 librt.patch
 41ad48fdc269749776fa6aa04f6778c2 make_stubdoms.patch
 1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch
+fb7e76f00c2a4e63b408cb67df7d1a7b xsa20.patch
+5a67dfac5e6f5a0836aeaefa1804c09f xsa22-4.2-unstable.patch
+9151e7c648b12f518826ad0f0a67da42 xsa23-4.2-unstable.patch
+9bd8b30094f8eb2408846c1b6ed0cad6 xsa24.patch
 9fc7097ed2e5e756c4ae91145c143433 xsa25-4.2.patch
 4ee9bf0c09269995569c9f05d4e8c779 xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch
new file mode 100644
index 000000000..bedd318f6
--- /dev/null
+++ b/main/xen/xsa20.patch
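Review bot: The four new md5sums entries only guard against accidental corruption of files that live in the same tree as the APKBUILD, so they add no real integrity protection for these security patches; if the abuild in use supports it, a sha512sums block would be the stronger choice, and either way a comment above the source list recording which advisory each file came from (e.g. `# xsa20.patch: XSA-20 / CVE-2012-4535`) would make the provenance auditable from the APKBUILD alone. The xsa22 and xsa23 files are the `-4.2-unstable` variants while the package builds xen-4.2.0; whether they apply cleanly to that tarball is not visible from this hunk and should be confirmed by a build. The first hunk appears to have lost one trailing context line in rendering, so its `-19,6` count does not match the five context lines shown.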
@@ -0,0 +1,38 @@
+VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
+
+The timer action for a vcpu periodic timer is to calculate the next
+expiry time, and to reinsert itself into the timer queue. If the
+deadline ends up in the past, Xen never leaves __do_softirq(). The
+affected PCPU will stay in an infinite loop until Xen is killed by the
+watchdog (if enabled).
+
+This is a security problem, XSA-20 / CVE-2012-4535.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+diff -r 478ba3f146df xen/common/domain.c
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
+ if ( set.period_ns < MILLISECS(1) )
+ return -EINVAL;
+ 
++ if ( set.period_ns > STIME_DELTA_MAX )
++ return -EINVAL;
++
+ v->periodic_period = set.period_ns;
+ vcpu_force_reschedule(v);
+ 
+diff -r 478ba3f146df xen/include/xen/time.h
+--- a/xen/include/xen/time.h
++++ b/xen/include/xen/time.h
+@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
+ #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
+ #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
+ #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
+ 
+ extern void update_vcpu_system_time(struct vcpu *v);
+ extern void update_domain_wallclock_time(struct domain *d);
diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch
new file mode 100644
index 000000000..e15fd7353
--- /dev/null
+++ b/main/xen/xsa22-4.2-unstable.patch
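Review bot: The comment added above STIME_DELTA_MAX in xen/include/xen/time.h overstates the margin: the value is `~0ull>>2`, i.e. 2^62-1 ns, so NOW() + delta can only exceed STIME_MAX (2^63-1) once NOW() itself passes 2^62 ns, which is about 146 years of uptime rather than 200, and "wont" should read "won't". Suggested wording: `/* Chosen so NOW() + delta cannot overflow s_time_t until NOW() itself exceeds 2^62 ns (~146 years of uptime). */`. In do_vcpu_op the new upper bound is a second, separate test on the same guest-supplied field; folding it into the existing one, `if ( set.period_ns < MILLISECS(1) || set.period_ns > STIME_DELTA_MAX ) return -EINVAL;`, reads as a single range validation of the untrusted value. do_vcpu_op continues outside the hunk, so other callers that set periodic_period are not visible here.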
@@ -0,0 +1,40 @@
+x86/physmap: Prevent incorrect updates of m2p mappings
+
+In certain conditions, such as low memory, set_p2m_entry() can fail.
+Currently, the p2m and m2p tables will get out of sync because we still
+update the m2p table after the p2m update has failed.
+
+If that happens, subsequent guest-invoked memory operations can cause
+BUG()s and ASSERT()s to kill Xen.
+
+This is fixed by only updating the m2p table iff the p2m was
+successfully updated.
+
+This is a security problem, XSA-22 / CVE-2012-4537.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
+@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d
+ if ( mfn_valid(_mfn(mfn)) )
+ {
+ if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
++ {
+ rc = -EINVAL;
++ goto out; /* Failed to update p2m, bail without updating m2p. */
++ }
+ if ( !p2m_is_grant(t) )
+ {
+ for ( i = 0; i < (1UL << page_order); i++ )
+@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d
+ }
+ }
+ 
++out:
+ p2m_unlock(p2m);
+ 
+ return rc;
diff --git a/main/xen/xsa23-4.2-unstable.patch b/main/xen/xsa23-4.2-unstable.patch
new file mode 100644
index 000000000..be80a6168
--- /dev/null
+++ b/main/xen/xsa23-4.2-unstable.patch
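Review bot: The new bail-out path in guest_physmap_add_entry still returns -EINVAL for a set_p2m_entry() failure that the commit message attributes to low memory, so a caller cannot distinguish a bad argument from an allocation failure and may blame the guest for a host resource problem. set_p2m_entry() is tested only as a boolean here, so if it exposes no finer reason a comment on the existing line would at least document that, e.g. `rc = -EINVAL; /* also covers allocation failure inside set_p2m_entry() */`; if it does return an errno, propagating that would be better. The `goto out` lands directly before p2m_unlock(), so the lock is released on the new path. guest_physmap_add_entry begins before the hunk, and the m2p-update loop between the two hunks is not visible here.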
@@ -0,0 +1,32 @@
+xen/mm/shadow: check toplevel pagetables are present before unhooking them.
+
+If the guest has not fully populated its top-level PAE entries when it calls
+HVMOP_pagetable_dying, the shadow code could try to unhook entries from
+MFN 0. Add a check to avoid that case.
+
+This issue was introduced by c/s 21239:b9d2db109cf5.
+
+This is a security problem, XSA-23 / CVE-2012-4538.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+diff -r cc56c0394db7 xen/arch/x86/mm/shadow/multi.c
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
+ unsigned long gfn;
+ mfn_t smfn, gmfn;
+ 
+- if ( fast_path )
+- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++ if ( fast_path ) {
++ if ( pagetable_is_null(v->arch.shadow_table[i]) )
++ smfn = _mfn(INVALID_MFN);
++ else
++ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++ }
+ else
+ {
+ /* retrieving the l2s */
diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch
new file mode 100644
index 000000000..e46f513a7
--- /dev/null
+++ b/main/xen/xsa24.patch
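Review bot: The new `if ( fast_path ) {` puts the opening brace on the same line while the `else` arm immediately below keeps `{` on its own line, so the two arms of one if/else statement now use different brace placement; moving the brace onto its own line matches the surrounding code in sh_pagetable_dying. Substituting INVALID_MFN for a null top-level entry only prevents the MFN-0 unhook if the code that consumes smfn later in the function checks it (e.g. `mfn_valid(smfn)`) before unhooking; that consumer is outside the hunk and should be confirmed when applying the patch. A one-line comment on the null branch, `/* Guest has not populated this top-level entry yet; nothing to unhook. */`, would tie the check to the advisory's scenario. sh_pagetable_dying continues past the end of the hunk.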
@@ -0,0 +1,26 @@
+compat/gnttab: Prevent infinite loop in compat code
+
+c/s 20281:95ea2052b41b, which introduces Grant Table version 2
+hypercalls introduces a vulnerability whereby the compat hypercall
+handler can fall into an infinite loop.
+
+If the watchdog is enabled, Xen will die after the timeout.
+
+This is a security problem, XSA-24 / CVE-2012-4539.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r bac883cf805a xen/common/compat/grant_table.c
+--- a/xen/common/compat/grant_table.c
++++ b/xen/common/compat/grant_table.c
+@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
+ #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
+ if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
+ rc = -EFAULT;
++ else
++ i = 1;
+ }
+ break;
+ }
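Review bot: The new `i = 1;` is a bare magic assignment; nothing in the hunk explains why 1 is the value that stops the loop the commit message refers to, and both the loop and the declaration of i in compat_grant_table_op lie outside the hunk. Presumably i records how many ops this iteration consumed so the enclosing loop advances, in which case a comment on the new line would make the fix self-explaining, e.g. `i = 1; /* one get_status_frames op consumed; without this the loop never advances (XSA-24) */`, with the wording checked against the actual loop condition. It is also worth confirming that the -EFAULT path, which deliberately leaves i untouched, still exits the loop rather than spinning on the same failed copy.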