authorNatanael Copa <ncopa@alpinelinux.org>2016-08-11 15:33:46 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-08-15 16:30:06 +0000
commitc79838c3a14eed1cee24731f89d7b1171751d304 (patch)
tree486c75133ee1072075d9782672c09b39b9308013 /main/xen/xsa184-qemut-master.patch
parentee4ffbb28c8a78a28e0315d7050f8837fa316dc5 (diff)
main/xen: upgrade to 4.7.0 and add secfixes
Diffstat (limited to 'main/xen/xsa184-qemut-master.patch')
-rw-r--r--main/xen/xsa184-qemut-master.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/main/xen/xsa184-qemut-master.patch b/main/xen/xsa184-qemut-master.patch
new file mode 100644
index 000000000..b376f33a5
--- /dev/null
+++ b/main/xen/xsa184-qemut-master.patch
@@ -0,0 +1,43 @@
+From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 26 Jul 2016 15:31:59 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible. Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio.c b/hw/virtio.c
+index c26feff..42897bf 100644
+--- a/tools/qemu-xen-traditional/hw/virtio.c
++++ b/tools/qemu-xen-traditional/hw/virtio.c
+@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
+ /* When we start there are none of either input nor output. */
+ elem->out_num = elem->in_num = 0;
+
++ if (vq->inuse >= vq->vring.num) {
++ fprintf(stderr, "Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ do {
+ struct iovec *sg;
+--
+2.1.4
+
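Review bot: The diagnostic in the check added to virtqueue_pop has no trailing newline, so the only message written before `exit(1)` will run into whatever reaches the device-model log next; `fprintf(stderr, "Virtqueue size exceeded\n");` keeps it on its own line for anyone triaging why the device model exited. The bound is only sound if `vq->inuse` is incremented per popped element and decremented on completion, which happens outside this hunk, so that accounting is worth confirming in the qemu-xen-traditional tree this patch is applied to. A short comment above the check, for example `/* inuse reaching vring.num means the guest reused descriptors across requests */`, would record why equality is already treated as fatal. virtqueue_pop's body starts and ends outside the hunk.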