From 9cb167cd17104bb4b0bb6b7097ad9f924fa158f9 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Thu, 2 Oct 2014 14:37:50 +0000
Subject: main/xen: upgrade to 4.3.3 and fix CVE-2014-7188

The following critical vulnerabilities have been fixed:
- CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
- CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be created
- CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
- CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests
Also add patch for xsa108:
- CVE-2014-7188: Improper MSR range used for x2APIC emulation.
fixes #3414
---
 main/xen/APKBUILD | 14 +++++++++-----
 main/xen/xsa108.patch | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 5 deletions(-)
 create mode 100644 main/xen/xsa108.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index e9c1c8aa8..a2a058629 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Roger Pau Monne
 # Maintainer: William Pitcock
 pkgname=xen
-pkgver=4.3.2
-pkgrel=4
+pkgver=4.3.3
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -25,6 +25,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g xsa41b.patch xsa41c.patch xsa97-hap-4_3.patch + xsa108.patch fix-pod2man-choking.patch
@@ -205,7 +206,7 @@ xend() { -exec mv '{}' "$subpkgdir"/"$sitepackages"/xen \; } -md5sums="83e0e13678383e4fbcaa69ce6064b187 xen-4.3.2.tar.gz +md5sums="1b4438a50d8875700ac2c7e1ffbcd91b xen-4.3.3.tar.gz 2dc5ddf47c53ea168729975046c3c1f9 librt.patch 1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch 6dcff640268d514fa9164b4c812cc52d docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
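Review bot: The new `xen-4.3.3.tar.gz` digest in the `@@ -205,7 +206,7 @@` hunk is the only integrity control on the upgraded tarball, because the `source=` line quoted in the `@@ -25,6 +25,7 @@` header still fetches it over plain `http://` and nothing in the commit records how the digests were obtained. A comment above `source=` such as `# digests checked against the upstream release signature for $pkgver` would document that, provided the check was actually done. MD5 offers no collision resistance, so the `md5sums` list adds nothing beyond the SHA-2 lists; which list this abuild version verifies is not visible here. The same point applies to the `sha256sums` and `sha512sums` hunks further down.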
@@ -213,6 +214,7 @@ md5sums="83e0e13678383e4fbcaa69ce6064b187 xen-4.3.2.tar.gz
 ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
 2f3dd7bdc59d104370066d6582725575 xsa41c.patch
 8b0feffc89e3f34d835d60ad62688b30 xsa97-hap-4_3.patch
+1f66f6c52941309c825f60e1bf144987 xsa108.patch
 4c5455d1adc09752a835e241097fbc39 fix-pod2man-choking.patch
 a4097e06a7e000ed00f4607db014d277 qemu-xen-websocket.patch
 35bdea1d4e3ae2565edc7e40906efdd5 qemu-xen-tls-websockets.patch
@@ -237,7 +239,7 @@ ec2252c72050d7d5870a3a629b873ba6 xenconsoled.confd
 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate
 6a2f777c16678d84039acf670d86fff6 xenqemu.confd
 f9afbf39e2b5a7d9dde60ebbd249ea7d xenqemu.initd"
-sha256sums="17611d95f955302560ff72d97c08933b4e62bc2e8ffb71400fc54e388746ff69 xen-4.3.2.tar.gz
+sha256sums="59eb0e1c4a1f66965fe56dcf27cdb5872bf7e0585b7f2e60bd7967ec7f744ebf xen-4.3.3.tar.gz
 12bf32f9937b09283f2df4955b50d6739768f66137a7d991f661f45cf77cb53b librt.patch
 9440ca31a6911201f02694e93faafb5ca9b17de18b7f15b53ceac39a03411b4a qemu-xen_paths.patch
 a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
@@ -245,6 +247,7 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-gener
 896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
 683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
 cfab6521221a5058a0dfbb6d59c3c4cd0e7f4239bb6cbee2723de22c33caafda xsa97-hap-4_3.patch
+cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e xsa108.patch
 fcb5b9ff0bc4b4d39fed9b88891491b91628aa449914cfea321abe5da24c1da2 fix-pod2man-choking.patch
 e9f6c482fc449e0b540657a8988ad31f2e680b8933e50e6486687a52f6a9ed04 qemu-xen-websocket.patch
 435dd428d83acdfde58888532a1cece1e9075b2a2460fe3f6cd33c7d400f2715 qemu-xen-tls-websockets.patch
@@ -269,7 +272,7 @@ c304a6353ba1daebd0547bb57e9ffffc2c90465d6abe7469cfdacf61c5108eab xendomains.ini
 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate
 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd
 bf17808a79c57a9efc38b9f14cc87f556b2bb7ecfdec5763d9cf686255a47fce xenqemu.initd"
-sha512sums="ec94d849b56ec590b89022075ce43768d8ef44b7be9580ce032509b44c085f0f66495845607a18cd3dea6b89c69bc2a18012705556f59288cd8653c3e5eca302 xen-4.3.2.tar.gz
+sha512sums="cd9b7199d2859a856c719b75ee50a059c480f7493bbc493bcc3701d20321bd6d83c6fe1dd58e7b37695639bccf15e6420fb52f7e699586e7750ea665e99f82fc xen-4.3.3.tar.gz
 74e3cfc51e367fc445cb3d8149f0c8830e94719a266daf04d2cd0889864591860c4c8842de2bc78070e4c5be7d14dfbb8b236c511d5faeddc2ad97177c1d3764 librt.patch
 425149aea57a6deae9f488cea867f125983998dc6e8c63893fb3b9caf0ea34214251dd98ad74db823f5168631c44c49b988b6fe9c11b76bd493ddf51bc0baaa2 qemu-xen_paths.patch
 477d3d08bd4fcdfbc54abea1a18acb6a41d298c366cd01c954f474515cb862d0dd59217c0dfca5460a725a8bc036de42132f522c3eefdffcc4fd511f016b783f docs-Fix-generating-qemu-doc.html-with-texinfo-5.patch
@@ -277,6 +280,7 @@ sha512sums="ec94d849b56ec590b89022075ce43768d8ef44b7be9580ce032509b44c085f0f6649
 bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
 36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
 acfd1058632d42bef061a9586565d184c0010d74870a25bc9b0a0bf40dda8abfd882056b8340dec45355efd9326d05f92a933f5d5c1c58e97597a8e88c61c639 xsa97-hap-4_3.patch
+f511a13ee4223ea2fa9d109fea1802b462f178d3be7de630aeba6eb40ef5d17c7db9d3b99ea414c5794d92d181a60c0bd2061f51987c6deb3a9071f5626fd049 xsa108.patch
 2e95ad43bb66f928fe1e8caf474a3211571f75f79ea32aaa3eddb3aed9963444bd131006b67e682395af0d79118b2634bf808404693b813a94662d2a9d665ac2 fix-pod2man-choking.patch
 45f1da45f3ff937d0a626e37c130d76f5b97f49a57ddeb11ef2a8e850c04c32c819a3dfcef501eb3784db5fe7b39c88230063e56aa6e5197fd9c7b7d424fff77 qemu-xen-websocket.patch
 11eaccc346440ff285552f204d491e3b31bda1665c3219ecae3061b5d55db9dec885af0c031fa19c67e87bbe238002b1911bbd5bfea2f2ba0d61e6b3d0c952c9 qemu-xen-tls-websockets.patch
diff --git a/main/xen/xsa108.patch b/main/xen/xsa108.patch
new file mode 100644
index 000000000..e16218578
--- /dev/null
+++ b/main/xen/xsa108.patch
@@ -0,0 +1,36 @@
+x86/HVM: properly bound x2APIC MSR range
+
+While the write path change appears to be purely cosmetic (but still
+gets done here for consistency), the read side mistake permitted
+accesses beyond the virtual APIC page.
+
+Note that while this isn't fully in line with the specification
+(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
+possible fix addressing the security issue and getting x2APIC related
+code into a consistent shape (elsewhere a 256 rather than 1024 wide
+window is being used too). This will be dealt with subsequently.
+
+This is XSA-108.
+
+Signed-off-by: Jan Beulich
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int
+ *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+ break;
+
+- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+ if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+ goto gp_fault;
+ break;
+@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int
+ vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+ break;
+
+- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+ if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+ goto gp_fault;
+ break;
-- 
cgit v1.2.3
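Review bot: With both case ranges narrowed to `MSR_IA32_APICBASE_MSR + 0xff`, guest accesses to the rest of the window the description gives as 0x800-0xBFF no longer reach `hvm_x2apic_msr_read()` / `hvm_x2apic_msr_write()` and instead take whatever the switch's default path does, which lies outside both embedded hunks. It is worth confirming that this path refuses those reads and writes rather than forwarding them, since the description itself defers full-range handling to a later change. The `0xff` bound is a bare literal repeated in two places; a comment on each case such as `/* x2APIC MSRs handled here must stay within the virtual APIC page; see XSA-108 */` would help keep a later widening from reintroducing the out-of-page read. Both `hvm_msr_read_intercept()` and `hvm_msr_write_intercept()` start and end outside the hunks shown.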