Pullup ticket #4886 - requested by bouyer

sysutils/xenkernel42: security fix
sysutils/xentools42: security fix

Revisions pulled up:
- sysutils/xenkernel42/Makefile                                 1.20
- sysutils/xenkernel42/distinfo                                 1.19
- sysutils/xenkernel42/patches/patch-CVE-2015-5307              1.1
- sysutils/xenkernel42/patches/patch-CVE-2015-8339              1.1
- sysutils/xenkernel42/patches/patch-CVE-2015-8555              1.1
- sysutils/xenkernel42/patches/patch-XSA-166                    1.1
- sysutils/xentools42/Makefile                                  1.41
- sysutils/xentools42/distinfo                                  1.22
- sysutils/xentools42/patches/patch-CVE-2015-8550               1.1
- sysutils/xentools42/patches/patch-CVE-2015-8554               1.1

---
   Module Name:	pkgsrc
   Committed By:	bouyer
   Date:		Thu Jan  7 17:53:59 UTC 2016

   Modified Files:
   	pkgsrc/sysutils/xenkernel42: Makefile distinfo
   	pkgsrc/sysutils/xentools42: Makefile distinfo
   Added Files:
   	pkgsrc/sysutils/xenkernel42/patches: patch-CVE-2015-5307
   	    patch-CVE-2015-8339 patch-CVE-2015-8555 patch-XSA-166
   	pkgsrc/sysutils/xentools42/patches: patch-CVE-2015-8550
   	    patch-CVE-2015-8554

   Log Message:
   pply patches from Xen repository, fixing:
   CVE-2015-5307 and CVE-2015-8104 aka XSA-156
   CVE-2015-8339 and CVE-2015-8340 aka XSA-159
   CVE-2015-8555 aka XSA-165
   XSA-166
   CVE-2015-8550 aka XSA-155
   CVE-2015-8554 aka XSA-164
   Bump pkgrevision

10 files changed, 512 insertions, 6 deletions

diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile
index a7fea4cb60e..2b77801bbae 100644
--- a/sysutils/xenkernel42/Makefile
+++ b/sysutils/xenkernel42/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.19 2015/12/05 21:26:00 adam Exp $
+# $NetBSD: Makefile,v 1.19.2.1 2016/01/11 20:37:17 bsiegert Exp $
 
 VERSION=	4.2.5
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel42-${VERSION}
-PKGREVISION=	9
+PKGREVISION=	10
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo
index d2487fb4c1f..4a21365c3b8 100644
--- a/sysutils/xenkernel42/distinfo
+++ b/sysutils/xenkernel42/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2015/11/04 01:32:39 agc Exp $
+$NetBSD: distinfo,v 1.18.2.1 2016/01/11 20:37:17 bsiegert Exp $
 
 SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
@@ -18,10 +18,14 @@ SHA1 (patch-CVE-2015-3340) = 9ff5e766c9e5e3358d8a896f805babc8fb9a41c4
 SHA1 (patch-CVE-2015-3456) = 8d54d33b81ef77056aa6f58ab123912948454020
 SHA1 (patch-CVE-2015-4163) = d8c9b95026c2316bfb57f644937fdb924902a3bf
 SHA1 (patch-CVE-2015-4164) = 9f9add821c4a13308fa4bfa1becd1b0d8fda6177
+SHA1 (patch-CVE-2015-5307) = bbd6833fc27ddc5efd307bd2e53934e260458b93
 SHA1 (patch-CVE-2015-7835) = 3fa639cebc9c264df51a410d0b9f94af42231d1d
 SHA1 (patch-CVE-2015-7969) = 43f1729fa24cc628beb231839b1412479c14928e
 SHA1 (patch-CVE-2015-7971) = 0d0d36ad99f313afb96111a832eb65ddeaf8010e
+SHA1 (patch-CVE-2015-8339) = 080bc4c04ee5ad832756b11a65b1598f12eae97e
+SHA1 (patch-CVE-2015-8555) = 594f85557efe137fb32a88c0dc589a1318184b66
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
+SHA1 (patch-XSA-166) = 24fccf8e30ccf910a128e5e0365800191a90524c
 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f
diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-5307 b/sysutils/xenkernel42/patches/patch-CVE-2015-5307
new file mode 100644
index 00000000000..b74f5a0da91
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-CVE-2015-5307
@@ -0,0 +1,108 @@
+$NetBSD: patch-CVE-2015-5307,v 1.1.2.2 2016/01/11 20:37:17 bsiegert Exp $
+
+Patch for CVE-2015-5307 and CVE-2015-8104 aka XSA-156, based on
+http://xenbits.xenproject.org/xsa/xsa156-4.3.patch
+
+--- xen/arch/x86/hvm/svm/svm.c.orig	2014-09-02 08:22:57.000000000 +0200
++++ xen/arch/x86/hvm/svm/svm.c	2016-01-07 14:30:34.000000000 +0100
+@@ -942,10 +942,11 @@
+         unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) )
+     {
+         uint32_t intercepts = vmcb_get_exception_intercepts(vmcb);
+-        uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3);
++
+         v->arch.hvm_vcpu.debug_state_latch = debug_state;
+         vmcb_set_exception_intercepts(
+-            vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask));
++            vmcb, debug_state ? (intercepts | (1U << TRAP_int3))
++                              : (intercepts & ~(1U << TRAP_int3)));
+     }
+ 
+     if ( v->arch.hvm_svm.launch_core != smp_processor_id() )
+@@ -2232,8 +2233,9 @@
+ 
+     case VMEXIT_EXCEPTION_DB:
+         if ( !v->domain->debugger_attached )
+-            goto exit_and_crash;
+-        domain_pause_for_debugger();
++            hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE);
++        else
++            domain_pause_for_debugger();
+         break;
+ 
+     case VMEXIT_EXCEPTION_BP:
+@@ -2281,6 +2283,11 @@
+         break;
+     }
+ 
++    case VMEXIT_EXCEPTION_AC:
++        HVMTRACE_1D(TRAP, TRAP_alignment_check);
++        hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1);
++        break;
++
+     case VMEXIT_EXCEPTION_UD:
+         svm_vmexit_ud_intercept(regs);
+         break;
+--- xen/arch/x86/hvm/vmx/vmx.c.orig
++++ xen/arch/x86/hvm/vmx/vmx.c
+@@ -1122,18 +1122,12 @@ static void vmx_update_host_cr3(struct v
+ 
+ void vmx_update_debug_state(struct vcpu *v)
+ {
+-    unsigned long mask;
+-
+     ASSERT(v == current);
+ 
+-    mask = 1u << TRAP_int3;
+-    if ( !cpu_has_monitor_trap_flag )
+-        mask |= 1u << TRAP_debug;
+-
+     if ( v->arch.hvm_vcpu.debug_state_latch )
+-        v->arch.hvm_vmx.exception_bitmap |= mask;
++        v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3;
+     else
+-        v->arch.hvm_vmx.exception_bitmap &= ~mask;
++        v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3);
+     vmx_update_exception_bitmap(v);
+ }
+ 
+@@ -2616,9 +2610,10 @@ void vmx_vmexit_handler(struct cpu_user_
+             exit_qualification = __vmread(EXIT_QUALIFICATION);
+             HVMTRACE_1D(TRAP_DEBUG, exit_qualification);
+             write_debugreg(6, exit_qualification | 0xffff0ff0);
+-            if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag )
+-                goto exit_and_crash;
+-            domain_pause_for_debugger();
++            if ( !v->domain->debugger_attached )
++                hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE);
++            else
++                domain_pause_for_debugger();
+             break;
+         case TRAP_int3: 
+         {
+@@ -2679,6 +2674,11 @@ void vmx_vmexit_handler(struct cpu_user_
+ 
+             hvm_inject_page_fault(regs->error_code, exit_qualification);
+             break;
++        case TRAP_alignment_check:
++            HVMTRACE_1D(TRAP, vector);
++            hvm_inject_hw_exception(vector,
++                                    __vmread(VM_EXIT_INTR_ERROR_CODE));
++            break;
+         case TRAP_nmi:
+             if ( (intr_info & INTR_INFO_INTR_TYPE_MASK) !=
+                  (X86_EVENTTYPE_NMI << 8) )
+--- xen/include/asm-x86/hvm/hvm.h.orig
++++ xen/include/asm-x86/hvm/hvm.h
+@@ -389,7 +389,10 @@ static inline bool_t hvm_vcpu_has_smep(v
+ })
+ 
+ /* These exceptions must always be intercepted. */
+-#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op))
++#define HVM_TRAP_MASK ((1U << TRAP_debug)           | \
++                       (1U << TRAP_invalid_op)      | \
++                       (1U << TRAP_alignment_check) | \
++                       (1U << TRAP_machine_check))
+ 
+ /*
+  * x86 event types. This enumeration is valid for:
diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-8339 b/sysutils/xenkernel42/patches/patch-CVE-2015-8339
new file mode 100644
index 00000000000..52cc287e465
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-CVE-2015-8339
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2015-8339,v 1.1.2.2 2016/01/11 20:37:17 bsiegert Exp $
+
+Patch for CVE-2015-8339 and CVE-2015-8340 aka XSA-159, based on
+http://xenbits.xenproject.org/xsa/xsa159.patch
+
+--- xen/common/memory.c.orig
++++ xen/common/memory.c
+@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA
+     PAGE_LIST_HEAD(out_chunk_list);
+     unsigned long in_chunk_order, out_chunk_order;
+     xen_pfn_t     gpfn, gmfn, mfn;
+-    unsigned long i, j, k = 0; /* gcc ... */
++    unsigned long i, j, k;
+     unsigned int  memflags = 0;
+     long          rc = 0;
+     struct domain *d;
+@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA
+  fail:
+     /* Reassign any input pages we managed to steal. */
+     while ( (page = page_list_remove_head(&in_chunk_list)) )
+-    {
+-        put_gfn(d, gmfn + k--);
+         if ( assign_pages(d, page, 0, MEMF_no_refcount) )
+-            BUG();
+-    }
++        {
++            BUG_ON(!d->is_dying);
++            if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++                put_page(page);
++        }
+ 
+  dying:
+     rcu_unlock_domain(d);
diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-8555 b/sysutils/xenkernel42/patches/patch-CVE-2015-8555
new file mode 100644
index 00000000000..303a781da92
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-CVE-2015-8555
@@ -0,0 +1,80 @@
+$NetBSD: patch-CVE-2015-8555,v 1.1.2.2 2016/01/11 20:37:17 bsiegert Exp $
+
+Patch for CVE-2015-8555 aka XSA-165, based on
+http://xenbits.xenproject.org/xsa/xsa165-4.3.patch
+
+--- xen/arch/x86/domain.c.orig
++++ xen/arch/x86/domain.c
+@@ -730,6 +730,17 @@ int arch_set_info_guest(
+ 
+     if ( flags & VGCF_I387_VALID )
+         memcpy(v->arch.fpu_ctxt, &c.nat->fpu_ctxt, sizeof(c.nat->fpu_ctxt));
++    else if ( v->arch.xsave_area )
++        memset(&v->arch.xsave_area->xsave_hdr, 0,
++               sizeof(v->arch.xsave_area->xsave_hdr));
++    else
++    {
++        typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++        memset(fpu_sse, 0, sizeof(*fpu_sse));
++        fpu_sse->fcw = FCW_DEFAULT;
++        fpu_sse->mxcsr = MXCSR_DEFAULT;
++    }
+ 
+     if ( !compat )
+     {
+--- xen/arch/x86/i387.c.orig
++++ xen/arch/x86/i387.c
+@@ -17,19 +17,6 @@
+ #include <asm/xstate.h>
+ #include <asm/asm_defns.h>
+ 
+-static void fpu_init(void)
+-{
+-    unsigned long val;
+-    
+-    asm volatile ( "fninit" );
+-    if ( cpu_has_xmm )
+-    {
+-        /* load default value into MXCSR control/status register */
+-        val = MXCSR_DEFAULT;
+-        asm volatile ( "ldmxcsr %0" : : "m" (val) );
+-    }
+-}
+-
+ /*******************************/
+ /*     FPU Restore Functions   */
+ /*******************************/
+@@ -254,15 +241,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *
+ 
+     if ( cpu_has_xsave )
+         fpu_xrstor(v, XSTATE_LAZY);
+-    else if ( v->fpu_initialised )
+-    {
+-        if ( cpu_has_fxsr )
+-            fpu_fxrstor(v);
+-        else
+-            fpu_frstor(v);
+-    }
+     else
+-        fpu_init();
++        fpu_fxrstor(v);
+ 
+     v->fpu_initialised = 1;
+     v->fpu_dirtied = 1;
+@@ -323,7 +303,14 @@ int vcpu_init_fpu(struct vcpu *v)
+     else
+     {
+         v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
+-        if ( !v->arch.fpu_ctxt )
++        if ( v->arch.fpu_ctxt )
++        {
++            typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++            fpu_sse->fcw = FCW_DEFAULT;
++            fpu_sse->mxcsr = MXCSR_DEFAULT;
++        }
++        else
+         {
+             rc = -ENOMEM;
+             goto done;
diff --git a/sysutils/xenkernel42/patches/patch-XSA-166 b/sysutils/xenkernel42/patches/patch-XSA-166
new file mode 100644
index 00000000000..020f9dc7ab0
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-XSA-166
@@ -0,0 +1,42 @@
+$NetBSD: patch-XSA-166,v 1.1.2.2 2016/01/11 20:37:17 bsiegert Exp $
+
+Patch for XSA-166, based on
+http://xenbits.xenproject.org/xsa/xsa166-4.3.patch
+
+--- xen/arch/x86/hvm/hvm.c.orig
++++ xen/arch/x86/hvm/hvm.c
+@@ -342,6 +342,7 @@ void hvm_migrate_pirqs(struct vcpu *v)
+ void hvm_do_resume(struct vcpu *v)
+ {
+     ioreq_t *p;
++    unsigned int state;
+ 
+     pt_restore_timer(v);
+ 
+@@ -349,9 +350,10 @@ void hvm_do_resume(struct vcpu *v)
+ 
+     /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */
+     p = get_ioreq(v);
+-    while ( p->state != STATE_IOREQ_NONE )
++    while ( (state = p->state) != STATE_IOREQ_NONE )
+     {
+-        switch ( p->state )
++        rmb();
++        switch ( state )
+         {
+         case STATE_IORESP_READY: /* IORESP_READY -> NONE */
+             hvm_io_assist();
+@@ -359,11 +361,10 @@ void hvm_do_resume(struct vcpu *v)
+         case STATE_IOREQ_READY:  /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
+         case STATE_IOREQ_INPROCESS:
+             wait_on_xen_event_channel(v->arch.hvm_vcpu.xen_port,
+-                                      (p->state != STATE_IOREQ_READY) &&
+-                                      (p->state != STATE_IOREQ_INPROCESS));
++                                      p->state != state);
+             break;
+         default:
+-            gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
++            gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
+             domain_crash(v->domain);
+             return; /* bail */
+         }
diff --git a/sysutils/xentools42/Makefile b/sysutils/xentools42/Makefile
index 91b70244262..d357ea38add 100644
--- a/sysutils/xentools42/Makefile
+++ b/sysutils/xentools42/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.40 2015/12/05 21:26:00 adam Exp $
+# $NetBSD: Makefile,v 1.40.2.1 2016/01/11 20:37:17 bsiegert Exp $
 
 VERSION=	4.2.5
 VERSION_IPXE=	1.0.0
 
 DISTNAME=		xen-${VERSION}
 PKGNAME=		xentools42-${VERSION}
-PKGREVISION=		13
+PKGREVISION=		14
 CATEGORIES=		sysutils
 MASTER_SITES=		http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xentools42/distinfo b/sysutils/xentools42/distinfo
index c7528c1d5dd..2c6ecbd5639 100644
--- a/sysutils/xentools42/distinfo
+++ b/sysutils/xentools42/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2015/11/04 01:32:40 agc Exp $
+$NetBSD: distinfo,v 1.21.2.1 2016/01/11 20:37:17 bsiegert Exp $
 
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -8,6 +8,9 @@ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
 SHA512 (xen-4.2.5.tar.gz) = 42c0fc241952fc55fc44480fb6752b004b54ae40e946159ec047adf229b65cbfbd810271d01b064ad8fdbddb73c640dcdcb6bc19f91e8968829889c129920dac
 Size (xen-4.2.5.tar.gz) = 15671925 bytes
+<<<<<<< distinfo
+=======
+>>>>>>> 1.21
 SHA1 (patch-.._.._ipxe_src_Makefile.housekeeping) = 5ec8020a9705b2f64096c2942473a8de4db578bb
 SHA1 (patch-.._.._ipxe_src_arch_i386_include_librm.h) = 4549ac641b112321b4731a918d85219c3fce6808
 SHA1 (patch-.._.._ipxe_src_arch_i386_scripts_i386.lds) = 4c0cbb7f535be43e1b6f53c284340a8bafc37c0b
@@ -34,6 +37,8 @@ SHA1 (patch-CVE-2015-3456) = e1600393860110c3093559f2f58273ba47478dd8
 SHA1 (patch-CVE-2015-5154) = 29e0f8ad5696b6b1f4d5dbcc8d35579fb8d67375
 SHA1 (patch-CVE-2015-5165) = c0b5324cb85ced435f869a0aa7232c5670a9995d
 SHA1 (patch-CVE-2015-5166) = 947ac0945091027d5973963765a3ab8975d2226a
+SHA1 (patch-CVE-2015-8550) = 63613ca0dd9fe06f5c88774151f72e1c540e62c5
+SHA1 (patch-CVE-2015-8554) = 908783cf619fc130d5a107ba2c4997fca0f0da88
 SHA1 (patch-Makefile) = 3a474d28a5b838bae4a67b5ca76e23b950bf0133
 SHA1 (patch-Rules.mk) = 25a04293f6fe638ba5f3bd5e09b2b091cd201023
 SHA1 (patch-blktap_drivers_Makefile) = c6be57154a403a64e3d6bc22d6bd833fe33fc9af
diff --git a/sysutils/xentools42/patches/patch-CVE-2015-8550 b/sysutils/xentools42/patches/patch-CVE-2015-8550
new file mode 100644
index 00000000000..f461d538b1b
--- /dev/null
+++ b/sysutils/xentools42/patches/patch-CVE-2015-8550
@@ -0,0 +1,213 @@
+$NetBSD: patch-CVE-2015-8550,v 1.1.2.2 2016/01/11 20:37:17 bsiegert Exp $
+
+patch for CVE-2015-8550 aka XSA-155 from
+http://xenbits.xenproject.org/xsa/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
+http://xenbits.xenproject.org/xsa/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
+http://xenbits.xenproject.org/xsa/xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch
+http://xenbits.xenproject.org/xsa/xsa155-qemut-qdisk-double-access.patch
+http://xenbits.xenproject.org/xsa/xsa155-qemut-xenfb.patch
+http://xenbits.xenproject.org/xsa/xsa155-qemu-qdisk-double-access.patch
+http://xenbits.xenproject.org/xsa/xsa155-qemu-xenfb.patch
+
+--- ../xen/include/public/io/ring.h.orig
++++ ../xen/include/public/io/ring.h
+@@ -212,6 +212,20 @@ typedef struct __name##_back_ring __name##_back_ring_t
+ #define RING_GET_REQUEST(_r, _idx)                                      \
+     (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
+ 
++/*
++ * Get a local copy of a request.
++ *
++ * Use this in preference to RING_GET_REQUEST() so all processing is
++ * done on a local copy that cannot be modified by the other end.
++ *
++ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
++ * to be ineffective where _req is a struct which consists of only bitfields.
++ */
++#define RING_COPY_REQUEST(_r, _idx, _req) do {				\
++	/* Use volatile to force the copy into _req. */			\
++	*(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx);	\
++} while (0)
++
+ #define RING_GET_RESPONSE(_r, _idx)                                     \
+     (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
+
+--- blktap2/drivers/block-log.c.orig
++++ blktap2/drivers/block-log.c
+@@ -494,11 +494,12 @@ static int ctl_kick(struct tdlog_state* s, int fd)
+   reqstart = s->bring.req_cons;
+   reqend = s->sring->req_prod;
+ 
++  xen_mb();
+   BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend);
+ 
+   while (reqstart != reqend) {
+     /* XXX actually submit these! */
+-    memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req));
++    RING_COPY_REQUEST(&s->bring, reqstart, &req);
+     BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count);
+     s->bring.req_cons = ++reqstart;
+ 
+--- blktap2/drivers/tapdisk-vbd.c.orig
++++ blktap2/drivers/tapdisk-vbd.c
+@@ -1555,7 +1555,7 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd)
+ 	int idx;
+ 	RING_IDX rp, rc;
+ 	td_ring_t *ring;
+-	blkif_request_t *req;
++	blkif_request_t req;
+ 	td_vbd_request_t *vreq;
+ 
+ 	ring = &vbd->ring;
+@@ -1566,16 +1566,16 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd)
+ 	xen_rmb();
+ 
+ 	for (rc = ring->fe_ring.req_cons; rc != rp; rc++) {
+-		req = RING_GET_REQUEST(&ring->fe_ring, rc);
++		RING_COPY_REQUEST(&ring->fe_ring, rc, &req);
+ 		++ring->fe_ring.req_cons;
+ 
+-		idx  = req->id;
++		idx  = req.id;
+ 		vreq = &vbd->request_list[idx];
+ 
+ 		ASSERT(list_empty(&vreq->next));
+ 		ASSERT(vreq->secs_pending == 0);
+ 
+-		memcpy(&vreq->req, req, sizeof(blkif_request_t));
++		memcpy(&vreq->req, &req, sizeof(blkif_request_t));
+ 		vbd->received++;
+ 		vreq->vbd = vbd;
+
+--- libvchan/io.c.orig
++++ libvchan/io.c
+@@ -118,6 +118,7 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit)
+ static inline int raw_get_data_ready(struct libxenvchan *ctrl)
+ {
+ 	uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl);
++	xen_mb(); /* Ensure 'ready' is read only once. */
+ 	if (ready >= rd_ring_size(ctrl))
+ 		/* We have no way to return errors.  Locking up the ring is
+ 		 * better than the alternatives. */
+@@ -159,6 +160,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
+ static inline int raw_get_buffer_space(struct libxenvchan *ctrl)
+ {
+ 	uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
++	xen_mb(); /* Ensure 'ready' is read only once. */
+ 	if (ready > wr_ring_size(ctrl))
+ 		/* We have no way to return errors.  Locking up the ring is
+ 		 * better than the alternatives. */
+
+--- qemu-xen-traditional/hw/xen_blkif.h.orig	2013-10-10 16:15:47.000000000 +0200
++++ qemu-xen-traditional/hw/xen_blkif.h	2016-01-07 17:35:36.000000000 +0100
+@@ -79,8 +79,10 @@
+ 	dst->handle = src->handle;
+ 	dst->id = src->id;
+ 	dst->sector_number = src->sector_number;
+-	if (n > src->nr_segments)
+-		n = src->nr_segments;
++	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
++	xen_mb();
++	if (n > dst->nr_segments)
++		n = dst->nr_segments;
+ 	for (i = 0; i < n; i++)
+ 		dst->seg[i] = src->seg[i];
+ }
+@@ -94,8 +96,10 @@
+ 	dst->handle = src->handle;
+ 	dst->id = src->id;
+ 	dst->sector_number = src->sector_number;
+-	if (n > src->nr_segments)
+-		n = src->nr_segments;
++	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
++	xen_mb();
++	if (n > dst->nr_segments)
++		n = dst->nr_segments;
+ 	for (i = 0; i < n; i++)
+ 		dst->seg[i] = src->seg[i];
+ }
+
+--- qemu-xen-traditional/hw/xenfb.c
++++ qemu-xen-traditional/hw/xenfb.c
+@@ -827,18 +827,20 @@ static void xenfb_invalidate(void *opaque)
+ 
+ static void xenfb_handle_events(struct XenFB *xenfb)
+ {
+-    uint32_t prod, cons;
++    uint32_t prod, cons, out_cons;
+     struct xenfb_page *page = xenfb->c.page;
+ 
+     prod = page->out_prod;
+-    if (prod == page->out_cons)
++    out_cons = page->out_cons;
++    if (prod == out_cons)
+ 	return;
+     xen_rmb();		/* ensure we see ring contents up to prod */
+-    for (cons = page->out_cons; cons != prod; cons++) {
++    for (cons = out_cons; cons != prod; cons++) {
+ 	union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
++        uint8_t type = event->type;
+ 	int x, y, w, h;
+ 
+-	switch (event->type) {
++	switch (type) {
+ 	case XENFB_TYPE_UPDATE:
+ 	    if (xenfb->up_count == UP_QUEUE)
+ 		xenfb->up_fullscreen = 1;
+
+--- qemu-xen/hw/xen_blkif.h.orig	2013-10-10 16:15:47.000000000 +0200
++++ qemu-xen/hw/xen_blkif.h	2016-01-07 17:35:36.000000000 +0100
+@@ -79,8 +79,10 @@
+ 	dst->handle = src->handle;
+ 	dst->id = src->id;
+ 	dst->sector_number = src->sector_number;
+-	if (n > src->nr_segments)
+-		n = src->nr_segments;
++	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
++	xen_mb();
++	if (n > dst->nr_segments)
++		n = dst->nr_segments;
+ 	for (i = 0; i < n; i++)
+ 		dst->seg[i] = src->seg[i];
+ }
+@@ -94,8 +96,10 @@
+ 	dst->handle = src->handle;
+ 	dst->id = src->id;
+ 	dst->sector_number = src->sector_number;
+-	if (n > src->nr_segments)
+-		n = src->nr_segments;
++	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
++	xen_mb();
++	if (n > dst->nr_segments)
++		n = dst->nr_segments;
+ 	for (i = 0; i < n; i++)
+ 		dst->seg[i] = src->seg[i];
+ }
+
+--- qemu-xen/hw/xenfb.c.orig
++++ qemu-xen/hw/xenfb.c
+@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque)
+ 
+ static void xenfb_handle_events(struct XenFB *xenfb)
+ {
+-    uint32_t prod, cons;
++    uint32_t prod, cons, out_cons;
+     struct xenfb_page *page = xenfb->c.page;
+ 
+     prod = page->out_prod;
+-    if (prod == page->out_cons)
++    out_cons = page->out_cons;
++    if (prod == out_cons)
+ 	return;
+     xen_rmb();		/* ensure we see ring contents up to prod */
+-    for (cons = page->out_cons; cons != prod; cons++) {
++    for (cons = out_cons; cons != prod; cons++) {
+ 	union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
++        uint8_t type = event->type;
+ 	int x, y, w, h;
+ 
+-	switch (event->type) {
++	switch (type) {
+ 	case XENFB_TYPE_UPDATE:
+ 	    if (xenfb->up_count == UP_QUEUE)
+ 		xenfb->up_fullscreen = 1;
diff --git a/sysutils/xentools42/patches/patch-CVE-2015-8554 b/sysutils/xentools42/patches/patch-CVE-2015-8554
new file mode 100644
index 00000000000..f0a7d899916
--- /dev/null
+++ b/sysutils/xentools42/patches/patch-CVE-2015-8554
@@ -0,0 +1,21 @@
+$NetBSD: patch-CVE-2015-8554,v 1.1.2.2 2016/01/11 20:37:17 bsiegert Exp $
+
+patch for CVE-2015-8554 aka XSA-164 from
+http://xenbits.xenproject.org/xsa/xsa164.patch
+
+--- qemu-xen-traditional/hw/pt-msi.c.orig
++++ qemu-xen-traditional/hw/pt-msi.c
+@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque
+         return;
+     }
+ 
++    if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 )
++    {
++        PT_LOG("Error: Out of bounds write to MSI-X table,"
++               " addr %016"PRIx64"\n", addr);
++        return;
++    }
++
+     entry_nr = (addr - msix->mmio_base_addr) / 16;
+     entry = &msix->msix_entry[entry_nr];
+     offset = ((addr - msix->mmio_base_addr) % 16) / 4;