Xen 4.1.1 (maintenance release)

 *   Security fixes including CVE-2011-1583 CVE-2011-1898
 *   Enhancements to guest introspection (VM single stepping support for very
fine-grained access control)
 *   Many stability improvements, such as: PV-on-HVM stability fixes (fixing
some IRQ issues), XSAVE cpu feature support for PV guests (allows safe use of
latest multimedia instructions), RAS fixes for high availability, fixes for
offlining bad pages and changes to libxc, mainly of benefit to libvirt
 *   Compatibility fixes for newer Linux guests, newer compilers, some old
guest savefiles, newer Python, grub2, some hardware/BIOS bugs.

4 files changed, 7 insertions, 271 deletions

diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile
index 1b670e79112..6d9cc36319a 100644
--- a/sysutils/xentools41/Makefile
+++ b/sysutils/xentools41/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.9 2011/06/05 23:05:58 abs Exp $
+# $NetBSD: Makefile,v 1.10 2011/06/16 13:40:06 cegger Exp $
 #
-VERSION=		4.1.0
+VERSION=		4.1.1
 DISTNAME=		xen-${VERSION}
 PKGNAME=		xentools41-${VERSION}
-PKGREVISION=		6
+#PKGREVISION=		1
 CATEGORIES=		sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo
index 873c3814679..de64e5ae248 100644
--- a/sysutils/xentools41/distinfo
+++ b/sysutils/xentools41/distinfo
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.7 2011/05/20 17:09:21 bouyer Exp $
+$NetBSD: distinfo,v 1.8 2011/06/16 13:40:06 cegger Exp $
 
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
 Size (ipxe-git-v1.0.0.tar.gz) = 1996881 bytes
-SHA1 (xen-4.1.0.tar.gz) = 4295e67524746ce155ff991db5fd2a611be27f67
-RMD160 (xen-4.1.0.tar.gz) = e9ef987b24503d6c993bccfd203be5af9f104f48
-Size (xen-4.1.0.tar.gz) = 10348539 bytes
-SHA1 (patch-CVE-2011-1583) = adbe2e6d2bc89cfdfb44ff8011e29f1d128fd820
+SHA1 (xen-4.1.1.tar.gz) = f1b5ef4b663c339faf9c77fc895327cfbcc9776c
+RMD160 (xen-4.1.1.tar.gz) = 4b3c0641b0f098889f627662aa6b8fea00c5b636
+Size (xen-4.1.1.tar.gz) = 10355625 bytes
 SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada
 SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d
 SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb
@@ -36,4 +35,3 @@ SHA1 (patch-dc) = d860fe3725978227278d58f09e7d5157001e463e
 SHA1 (patch-dd) = b0c6253a77c09c8625bc9425742b395d1ce67010
 SHA1 (patch-de) = b118ff85070cac7cd81375d2f59ad10b719ae263
 SHA1 (patch-qemu-phy-devices) = fef90e50ef0a58db2f2b49b6c23218f371791de5
-SHA1 (patch-xm-test_ramdisk_make-release.sh) = 0844f1e022182d91dc04df552828820f4c946b5f
diff --git a/sysutils/xentools41/patches/patch-CVE-2011-1583 b/sysutils/xentools41/patches/patch-CVE-2011-1583
deleted file mode 100644
index 8baa77d9f45..00000000000
--- a/sysutils/xentools41/patches/patch-CVE-2011-1583
+++ /dev/null
@@ -1,250 +0,0 @@
-$NetBSD: patch-CVE-2011-1583,v 1.1 2011/05/12 15:57:38 bouyer Exp $
-
-from:
-http://xenbits.xensource.com/hg/staging/xen-4.1-testing.hg/rev/e2e575f8b5d9
-
-# HG changeset patch
-# User Ian Jackson <ian.jackson@eu.citrix.com>
-# Date 1304949841 -3600
-# Node ID e2e575f8b5d961db23ea8bb7b3820be8621789b3
-# Parent  bdc6dd89d83c2fcd87b069557b6f8867ab95dda1
-libxc: [CVE-2011-1583] pv kernel image validation
-
-The functions which interpret the kernel image supplied for a
-paravirtualised guest, and decompress it into memory when booting the
-domain, are incautious.  Specifically:
-
- (i) Integer overflow in the decompression loop memory allocator might
-    result in overrunning the buffer used for the decompressed image;
- (ii) Integer overflows and lack of checking of certain length fields
-    can result in the loader reading its own address space beyond the
-    size of the supplied kernel image file.
- (iii) Lack of error checking in the decompression loop can lead to an
-    infinite loop.
-
-This patch fixes these problems.
-
-CVE-2011-1583.
-
-Signed-off-by: Ian Campbell <Ian.Campbell@eu.citrix.com>
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff -r bdc6dd89d83c -r e2e575f8b5d9 libxc/xc_dom_bzimageloader.c
---- libxc/xc_dom_bzimageloader.c	Mon May 09 12:18:50 2011 +0100
-+++ libxc/xc_dom_bzimageloader.c	Mon May 09 15:04:01 2011 +0100
-@@ -82,8 +82,29 @@
-     for ( ; ; )
-     {
-         ret = BZ2_bzDecompress(&stream);
--        if ( (stream.avail_out == 0) || (ret != BZ_OK) )
-+        if ( ret == BZ_STREAM_END )
-         {
-+            DOMPRINTF("BZIP2: Saw data stream end");
-+            retval = 0;
-+            break;
-+        }
-+        if ( ret != BZ_OK )
-+        {
-+            DOMPRINTF("BZIP2: error %d", ret);
-+            free(out_buf);
-+            goto bzip2_cleanup;
-+        }
-+
-+        if ( stream.avail_out == 0 )
-+        {
-+            /* Protect against output buffer overflow */
-+            if ( outsize > INT_MAX / 2 )
-+            {
-+                DOMPRINTF("BZIP2: output buffer overflow");
-+                free(out_buf);
-+                goto bzip2_cleanup;
-+            }
-+
-             tmp_buf = realloc(out_buf, outsize * 2);
-             if ( tmp_buf == NULL )
-             {
-@@ -97,16 +118,18 @@
-             stream.avail_out = (outsize * 2) - outsize;
-             outsize *= 2;
-         }
--
--        if ( ret != BZ_OK )
-+        else if ( stream.avail_in == 0 )
-         {
--            if ( ret == BZ_STREAM_END )
--            {
--                DOMPRINTF("BZIP2: Saw data stream end");
--                retval = 0;
--                break;
--            }
--            DOMPRINTF("BZIP2: error");
-+            /*
-+             * If there is output buffer available then this indicates
-+             * that BZ2_bzDecompress would like more input data to be
-+             * provided.  However our complete input buffer is in
-+             * memory and provided upfront so if avail_in is zero this
-+             * actually indicates a truncated input.
-+             */
-+            DOMPRINTF("BZIP2: not enough input");
-+            free(out_buf);
-+            goto bzip2_cleanup;
-         }
-     }
- 
-@@ -180,31 +203,14 @@
-     for ( ; ; )
-     {
-         ret = lzma_code(&stream, action);
--        if ( (stream.avail_out == 0) || (ret != LZMA_OK) )
-+        if ( ret == LZMA_STREAM_END )
-         {
--            tmp_buf = realloc(out_buf, outsize * 2);
--            if ( tmp_buf == NULL )
--            {
--                DOMPRINTF("LZMA: Failed to realloc memory");
--                free(out_buf);
--                goto lzma_cleanup;
--            }
--            out_buf = tmp_buf;
--
--            stream.next_out = out_buf + outsize;
--            stream.avail_out = (outsize * 2) - outsize;
--            outsize *= 2;
-+            DOMPRINTF("LZMA: Saw data stream end");
-+            retval = 0;
-+            break;
-         }
--
-         if ( ret != LZMA_OK )
-         {
--            if ( ret == LZMA_STREAM_END )
--            {
--                DOMPRINTF("LZMA: Saw data stream end");
--                retval = 0;
--                break;
--            }
--
-             switch ( ret )
-             {
-             case LZMA_MEM_ERROR:
-@@ -238,7 +244,32 @@
-             }
-             DOMPRINTF("%s: LZMA decompression error %s",
-                       __FUNCTION__, msg);
--            break;
-+            free(out_buf);
-+            goto lzma_cleanup;
-+        }
-+
-+        if ( stream.avail_out == 0 )
-+        {
-+            /* Protect against output buffer overflow */
-+            if ( outsize > INT_MAX / 2 )
-+            {
-+                DOMPRINTF("LZMA: output buffer overflow");
-+                free(out_buf);
-+                goto lzma_cleanup;
-+            }
-+
-+            tmp_buf = realloc(out_buf, outsize * 2);
-+            if ( tmp_buf == NULL )
-+            {
-+                DOMPRINTF("LZMA: Failed to realloc memory");
-+                free(out_buf);
-+                goto lzma_cleanup;
-+            }
-+            out_buf = tmp_buf;
-+
-+            stream.next_out = out_buf + outsize;
-+            stream.avail_out = (outsize * 2) - outsize;
-+            outsize *= 2;
-         }
-     }
- 
-@@ -489,18 +520,18 @@
- 
- extern struct xc_dom_loader elf_loader;
- 
--static unsigned int payload_offset(struct setup_header *hdr)
-+static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
- {
--    unsigned int off;
-+    if (len > dom->kernel_size)
-+        return 0;
- 
--    off = (hdr->setup_sects + 1) * 512;
--    off += hdr->payload_offset;
--    return off;
-+    return (memcmp(dom->kernel_blob, magic, len) == 0);
- }
- 
- static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom)
- {
-     struct setup_header *hdr;
-+    uint64_t payload_offset, payload_length;
-     int ret;
- 
-     if ( dom->kernel_blob == NULL )
-@@ -533,10 +564,30 @@
-         return -EINVAL;
-     }
- 
--    dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
--    dom->kernel_size = hdr->payload_length;
- 
--    if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
-+    /* upcast to 64 bits to avoid overflow */
-+    /* setup_sects is u8 and so cannot overflow */
-+    payload_offset = (hdr->setup_sects + 1) * 512;
-+    payload_offset += hdr->payload_offset;
-+    payload_length = hdr->payload_length;
-+
-+    if ( payload_offset >= dom->kernel_size )
-+    {
-+        xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: payload offset overflow",
-+                     __FUNCTION__);
-+        return -EINVAL;
-+    }
-+    if ( (payload_offset + payload_length) > dom->kernel_size )
-+    {
-+        xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: payload length overflow",
-+                     __FUNCTION__);
-+        return -EINVAL;
-+    }
-+
-+    dom->kernel_blob = dom->kernel_blob + payload_offset;
-+    dom->kernel_size = payload_length;
-+
-+    if ( check_magic(dom, "\037\213", 2) )
-     {
-         ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
-         if ( ret == -1 )
-@@ -546,7 +597,7 @@
-             return -EINVAL;
-         }
-     }
--    else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
-+    else if ( check_magic(dom, "\102\132\150", 3) )
-     {
-         ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);
-         if ( ret < 0 )
-@@ -557,7 +608,7 @@
-             return -EINVAL;
-         }
-     }
--    else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 )
-+    else if ( check_magic(dom, "\135\000", 2) )
-     {
-         ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size);
-         if ( ret < 0 )
-@@ -568,7 +619,7 @@
-             return -EINVAL;
-         }
-     }
--    else if ( memcmp(dom->kernel_blob, "\x89LZO", 5) == 0 )
-+    else if ( check_magic(dom, "\x89LZO", 5) )
-     {
-         ret = xc_try_lzo1x_decode(dom, &dom->kernel_blob, &dom->kernel_size);
-         if ( ret < 0 )
-
diff --git a/sysutils/xentools41/patches/patch-xm-test_ramdisk_make-release.sh b/sysutils/xentools41/patches/patch-xm-test_ramdisk_make-release.sh
deleted file mode 100644
index 2ce4caff0ff..00000000000
--- a/sysutils/xentools41/patches/patch-xm-test_ramdisk_make-release.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-$NetBSD: patch-xm-test_ramdisk_make-release.sh,v 1.1 2011/05/02 20:32:27 abs Exp $
-
---- xm-test/ramdisk/make-release.sh.orig	2011-03-25 10:42:56.000000000 +0000
-+++ xm-test/ramdisk/make-release.sh
-@@ -1,6 +1,6 @@
- #!/bin/sh
- 
--if [ "$1" == "" ]
-+if [ "$1" = "" ]
- then
-   arch=""
- else