diff options
| author | bouyer <bouyer@pkgsrc.org> | 2016-11-22 20:53:40 +0000 |
|---|---|---|
| committer | bouyer <bouyer@pkgsrc.org> | 2016-11-22 20:53:40 +0000 |
| commit | 1e0ccae904dac03c07d0364e1767a051a5ec9c61 (patch) | |
| tree | 2bf81be77dc659692b186236cab97bfe64dd1ce7 | |
| parent | e634e7721b6857b0ff3e899b56111a9add0ff6c8 (diff) | |
| download | pkgsrc-1e0ccae904dac03c07d0364e1767a051a5ec9c61.tar.gz | |
Backport upstream patches, fixing today's XSA 191, 192, 195, 197, 198.
Bump PKGREVISIONs
| -rw-r--r-- | sysutils/xenkernel41/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xenkernel41/distinfo | 5 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-XSA-191 | 142 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-XSA-192 | 67 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-XSA-195 | 49 | ||||
| -rw-r--r-- | sysutils/xenkernel42/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xenkernel42/distinfo | 5 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-XSA-191 | 142 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-XSA-192 | 65 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-XSA-195 | 49 | ||||
| -rw-r--r-- | sysutils/xentools41/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xentools41/distinfo | 4 | ||||
| -rw-r--r-- | sysutils/xentools41/patches/patch-XSA-197 | 69 | ||||
| -rw-r--r-- | sysutils/xentools41/patches/patch-XSA-198 | 58 | ||||
| -rw-r--r-- | sysutils/xentools42/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xentools42/distinfo | 5 | ||||
| -rw-r--r-- | sysutils/xentools42/patches/patch-XSA-197-1 | 69 | ||||
| -rw-r--r-- | sysutils/xentools42/patches/patch-XSA-197-2 | 67 | ||||
| -rw-r--r-- | sysutils/xentools42/patches/patch-XSA-198 | 58 |
19 files changed, 858 insertions, 12 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index bdc7ceaf0a2..1d162423900 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.51 2016/09/08 15:41:01 bouyer Exp $ +# $NetBSD: Makefile,v 1.52 2016/11/22 20:53:40 bouyer Exp $ VERSION= 4.1.6.1 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 20 +PKGREVISION= 21 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index f15fe62894f..63b80f2f23f 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.44 2016/09/08 15:41:01 bouyer Exp $ +$NetBSD: distinfo,v 1.45 2016/11/22 20:53:40 bouyer Exp $ SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 @@ -41,6 +41,9 @@ SHA1 (patch-XSA-182) = 70a7a6175a4b87ffaf72cbc5a3932f076efa3f9c SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019 SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56 SHA1 (patch-XSA-187-2) = e21b24771fa9417f593b8f6d1550660bbad36b98 +SHA1 (patch-XSA-191) = 5da559e104543b8d22ea60378d9160d2ad83b8d0 +SHA1 (patch-XSA-192) = b0f2801fe6db91c2a98b82897cdee057062c6c2b +SHA1 (patch-XSA-195) = a04295b397126e1cc1f129bb3cb9fb872fcbb373 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b diff --git a/sysutils/xenkernel41/patches/patch-XSA-191 b/sysutils/xenkernel41/patches/patch-XSA-191 new file mode 100644 index 00000000000..b0f9c69e23a --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-XSA-191 @@ -0,0 +1,142 @@ +$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:53:40 bouyer Exp $ + +backported from: + +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/hvm: Fix the handling of non-present segments + +In 32bit, the data segments may be NULL to indicate that the segment is +ineligible for use. In both 32bit and 64bit, the LDT selector may be NULL to +indicate that the entire LDT is ineligible for use. However, nothing in Xen +actually checks for this condition when performing other segmentation +checks. (Note however that limit and writeability checks are correctly +performed). + +Neither Intel nor AMD specify the exact behaviour of loading a NULL segment. +Experimentally, AMD zeroes all attributes but leaves the base and limit +unmodified. Intel zeroes the base, sets the limit to 0xfffffff and resets the +attributes to just .G and .D/B. + +The use of the segment information in the VMCB/VMCS is equivalent to a native +pipeline interacting with the segment cache. The present bit can therefore +have a subtly different meaning, and it is now cooked to uniformly indicate +whether the segment is usable or not. + +GDTR and IDTR don't have access rights like the other segments, but for +consistency, they are treated as being present so no special casing is needed +elsewhere in the segmentation logic. + +AMD hardware does not consider the present bit for %cs and %tr, and will +function as if they were present. They are therefore unconditionally set to +present when reading information from the VMCB, to maintain the new meaning of +usability. + +Intel hardware has a separate unusable bit in the VMCS segment attributes. +This bit is inverted and stored in the present field, so the hvm code can work +with architecturally-common state. + +This is XSA-191. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +--- xen/arch/x86/hvm/hvm.c.orig 2016-11-22 15:03:22.000000000 +0100 ++++ xen/arch/x86/hvm/hvm.c 2016-11-22 15:19:57.000000000 +0100 +@@ -1626,6 +1626,10 @@ + * COMPATIBILITY MODE: Apply segment checks and add base. + */ + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !reg->attr.fields.p ) ++ return 0; ++ + switch ( access_type ) + { + case hvm_access_read: +@@ -1800,6 +1804,10 @@ + hvm_get_segment_register( + v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab); + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !desctab.attr.fields.p ) ++ goto fail; ++ + /* Check against descriptor table limit. */ + if ( ((sel & 0xfff8) + 7) > desctab.limit ) + goto fail; +--- xen/arch/x86/hvm/svm/svm.c.orig 2013-09-10 08:42:18.000000000 +0200 ++++ xen/arch/x86/hvm/svm/svm.c 2016-11-22 15:19:57.000000000 +0100 +@@ -459,6 +459,7 @@ + { + case x86_seg_cs: + memcpy(reg, &vmcb->cs, sizeof(*reg)); ++ reg->attr.fields.p = 1; + reg->attr.fields.g = reg->limit > 0xFFFFF; + break; + case x86_seg_ds: +@@ -492,13 +493,16 @@ + case x86_seg_tr: + svm_sync_vmcb(v); + memcpy(reg, &vmcb->tr, sizeof(*reg)); ++ reg->attr.fields.p = 1; + reg->attr.fields.type |= 0x2; + break; + case x86_seg_gdtr: + memcpy(reg, &vmcb->gdtr, sizeof(*reg)); ++ reg->attr.bytes = 0x80; + break; + case x86_seg_idtr: + memcpy(reg, &vmcb->idtr, sizeof(*reg)); ++ reg->attr.bytes = 0x80; + break; + case x86_seg_ldtr: + svm_sync_vmcb(v); +--- xen/arch/x86/hvm/vmx/vmx.c.orig 2013-09-10 08:42:18.000000000 +0200 ++++ xen/arch/x86/hvm/vmx/vmx.c 2016-11-22 15:19:57.000000000 +0100 +@@ -761,10 +761,12 @@ + + vmx_vmcs_exit(v); + +- reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00); +- /* Unusable flag is folded into Present flag. */ +- if ( attr & (1u<<16) ) +- reg->attr.fields.p = 0; ++ /* ++ * Fold VT-x representation into Xen's representation. The Present bit is ++ * unconditionally set to the inverse of unusable. ++ */ ++ reg->attr.bytes = ++ (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00); + + /* Adjust for virtual 8086 mode */ + if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr +@@ -844,11 +846,11 @@ + } + } + +- attr = ((attr & 0xf00) << 4) | (attr & 0xff); +- +- /* Not-present must mean unusable. */ +- if ( !reg->attr.fields.p ) +- attr |= (1u << 16); ++ /* ++ * Unfold Xen representation into VT-x representation. The unusable bit ++ * is unconditionally set to the inverse of present. ++ */ ++ attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff); + + /* VMX has strict consistency requirement for flag G. */ + attr |= !!(limit >> 20) << 15; +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-11-22 15:03:21.000000000 +0100 ++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-11-22 15:19:57.000000000 +0100 +@@ -1020,6 +1020,10 @@ + &desctab, ctxt)) ) + return rc; + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !desctab.attr.fields.p ) ++ goto raise_exn; ++ + /* Check against descriptor table limit. */ + if ( ((sel & 0xfff8) + 7) > desctab.limit ) + goto raise_exn; diff --git a/sysutils/xenkernel41/patches/patch-XSA-192 b/sysutils/xenkernel41/patches/patch-XSA-192 new file mode 100644 index 00000000000..72ad050f01f --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-XSA-192 @@ -0,0 +1,67 @@ +$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:53:40 bouyer Exp $ + +backported from: + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch + +Just like TR, LDTR is purely a protected mode facility and hence needs +to be loaded accordingly. Also move its loading to where it +architecurally belongs. + +This is XSA-192. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> +Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- xen/arch/x86/hvm/hvm.c.orig 2016-11-22 15:19:57.000000000 +0100 ++++ xen/arch/x86/hvm/hvm.c 2016-11-22 15:31:13.000000000 +0100 +@@ -1767,16 +1767,15 @@ + } + + static int hvm_load_segment_selector( +- enum x86_segment seg, uint16_t sel) ++ enum x86_segment seg, uint16_t sel, unsigned int eflags) + { + struct segment_register desctab, cs, segr; + struct desc_struct *pdesc, desc; + u8 dpl, rpl, cpl; + int fault_type = TRAP_invalid_tss; +- struct cpu_user_regs *regs = guest_cpu_user_regs(); + struct vcpu *v = current; + +- if ( regs->eflags & X86_EFLAGS_VM ) ++ if ( eflags & X86_EFLAGS_VM ) + { + segr.sel = sel; + segr.base = (uint32_t)sel << 4; +@@ -2022,6 +2021,8 @@ + if ( rc != HVMCOPY_okay ) + goto out; + ++ if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) ) ++ goto out; + + if ( hvm_set_cr3(tss.cr3) ) + goto out; +@@ -2044,13 +2045,12 @@ + } + + exn_raised = 0; +- if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || +- hvm_load_segment_selector(x86_seg_es, tss.es) || +- hvm_load_segment_selector(x86_seg_cs, tss.cs) || +- hvm_load_segment_selector(x86_seg_ss, tss.ss) || +- hvm_load_segment_selector(x86_seg_ds, tss.ds) || +- hvm_load_segment_selector(x86_seg_fs, tss.fs) || +- hvm_load_segment_selector(x86_seg_gs, tss.gs) ) ++ if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) ) + exn_raised = 1; + + rc = hvm_copy_to_guest_virt( diff --git a/sysutils/xenkernel41/patches/patch-XSA-195 b/sysutils/xenkernel41/patches/patch-XSA-195 new file mode 100644 index 00000000000..b20d819af9a --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-XSA-195 @@ -0,0 +1,49 @@ +$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:53:40 bouyer Exp $ + +backported from: + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86emul: fix huge bit offset handling + +We must never chop off the high 32 bits. + +This is XSA-195. + +Reported-by: George Dunlap <george.dunlap@citrix.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-11-22 15:19:57.000000000 +0100 ++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-11-22 16:03:48.000000000 +0100 +@@ -1578,6 +1578,12 @@ + else + { + /* ++ * Instructions such as bt can reference an arbitrary offset from ++ * their memory operand, but the instruction doing the actual ++ * emulation needs the appropriate op_bytes read from memory. ++ * Adjust both the source register and memory operand to make an ++ * equivalent instruction. ++ * + * EA += BitOffset DIV op_bytes*8 + * BitOffset = BitOffset MOD op_bytes*8 + * DIV truncates towards negative infinity. +@@ -1589,14 +1595,15 @@ + src.val = (int32_t)src.val; + if ( (long)src.val < 0 ) + { +- unsigned long byte_offset; +- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ++ unsigned long byte_offset = ++ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L)); ++ + ea.mem.off -= byte_offset; + src.val = (byte_offset << 3) + src.val; + } + else + { +- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); ++ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L); + src.val &= (op_bytes << 3) - 1; + } + } diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile index 2cd1087dbe1..db0257f8d8e 100644 --- a/sysutils/xenkernel42/Makefile +++ b/sysutils/xenkernel42/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.23 2016/09/08 15:41:01 bouyer Exp $ +# $NetBSD: Makefile,v 1.24 2016/11/22 20:55:29 bouyer Exp $ VERSION= 4.2.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel42-${VERSION} -PKGREVISION= 12 +PKGREVISION= 13 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo index aae88fe3d5a..b88165351f0 100644 --- a/sysutils/xenkernel42/distinfo +++ b/sysutils/xenkernel42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.22 2016/09/12 13:22:39 maya Exp $ +$NetBSD: distinfo,v 1.23 2016/11/22 20:55:29 bouyer Exp $ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19 @@ -30,6 +30,9 @@ SHA1 (patch-XSA-182) = f0325a6f7c7cc20c3f11367384628dbe25c90b2d SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019 SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56 SHA1 (patch-XSA-187-2) = ed2d384b4cf429443560afbf71b42fb4123a279b +SHA1 (patch-XSA-191) = 7a5e2e78c457c5922e2ccd711f2a39afba238e40 +SHA1 (patch-XSA-192) = f95757227ece59a2f320308edefcf01f1a96212c +SHA1 (patch-XSA-195) = bb20234c4db0dc098ea47564732e87710bfcb9d8 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f diff --git a/sysutils/xenkernel42/patches/patch-XSA-191 b/sysutils/xenkernel42/patches/patch-XSA-191 new file mode 100644 index 00000000000..1f6ba53629f --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-XSA-191 @@ -0,0 +1,142 @@ +$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:55:29 bouyer Exp $ + +backported from: + +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/hvm: Fix the handling of non-present segments + +In 32bit, the data segments may be NULL to indicate that the segment is +ineligible for use. In both 32bit and 64bit, the LDT selector may be NULL to +indicate that the entire LDT is ineligible for use. However, nothing in Xen +actually checks for this condition when performing other segmentation +checks. (Note however that limit and writeability checks are correctly +performed). + +Neither Intel nor AMD specify the exact behaviour of loading a NULL segment. +Experimentally, AMD zeroes all attributes but leaves the base and limit +unmodified. Intel zeroes the base, sets the limit to 0xfffffff and resets the +attributes to just .G and .D/B. + +The use of the segment information in the VMCB/VMCS is equivalent to a native +pipeline interacting with the segment cache. The present bit can therefore +have a subtly different meaning, and it is now cooked to uniformly indicate +whether the segment is usable or not. + +GDTR and IDTR don't have access rights like the other segments, but for +consistency, they are treated as being present so no special casing is needed +elsewhere in the segmentation logic. + +AMD hardware does not consider the present bit for %cs and %tr, and will +function as if they were present. They are therefore unconditionally set to +present when reading information from the VMCB, to maintain the new meaning of +usability. + +Intel hardware has a separate unusable bit in the VMCS segment attributes. +This bit is inverted and stored in the present field, so the hvm code can work +with architecturally-common state. + +This is XSA-191. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +--- xen/arch/x86/hvm/hvm.c.orig 2016-11-22 15:03:34.000000000 +0100 ++++ xen/arch/x86/hvm/hvm.c 2016-11-22 15:15:51.000000000 +0100 +@@ -1921,6 +1921,10 @@ + * COMPATIBILITY MODE: Apply segment checks and add base. + */ + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !reg->attr.fields.p ) ++ return 0; ++ + switch ( access_type ) + { + case hvm_access_read: +@@ -2105,6 +2109,10 @@ + hvm_get_segment_register( + v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab); + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !desctab.attr.fields.p ) ++ goto fail; ++ + /* Check against descriptor table limit. */ + if ( ((sel & 0xfff8) + 7) > desctab.limit ) + goto fail; +--- xen/arch/x86/hvm/svm/svm.c.orig 2016-11-22 15:03:33.000000000 +0100 ++++ xen/arch/x86/hvm/svm/svm.c 2016-11-22 15:15:51.000000000 +0100 +@@ -517,6 +517,7 @@ + { + case x86_seg_cs: + memcpy(reg, &vmcb->cs, sizeof(*reg)); ++ reg->attr.fields.p = 1; + reg->attr.fields.g = reg->limit > 0xFFFFF; + break; + case x86_seg_ds: +@@ -550,13 +551,16 @@ + case x86_seg_tr: + svm_sync_vmcb(v); + memcpy(reg, &vmcb->tr, sizeof(*reg)); ++ reg->attr.fields.p = 1; + reg->attr.fields.type |= 0x2; + break; + case x86_seg_gdtr: + memcpy(reg, &vmcb->gdtr, sizeof(*reg)); ++ reg->attr.bytes = 0x80; + break; + case x86_seg_idtr: + memcpy(reg, &vmcb->idtr, sizeof(*reg)); ++ reg->attr.bytes = 0x80; + break; + case x86_seg_ldtr: + svm_sync_vmcb(v); +--- xen/arch/x86/hvm/vmx/vmx.c.orig 2016-11-22 15:03:33.000000000 +0100 ++++ xen/arch/x86/hvm/vmx/vmx.c 2016-11-22 15:15:51.000000000 +0100 +@@ -809,10 +809,12 @@ + + vmx_vmcs_exit(v); + +- reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00); +- /* Unusable flag is folded into Present flag. */ +- if ( attr & (1u<<16) ) +- reg->attr.fields.p = 0; ++ /* ++ * Fold VT-x representation into Xen's representation. The Present bit is ++ * unconditionally set to the inverse of unusable. ++ */ ++ reg->attr.bytes = ++ (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00); + + /* Adjust for virtual 8086 mode */ + if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr +@@ -892,11 +894,11 @@ + } + } + +- attr = ((attr & 0xf00) << 4) | (attr & 0xff); +- +- /* Not-present must mean unusable. */ +- if ( !reg->attr.fields.p ) +- attr |= (1u << 16); ++ /* ++ * Unfold Xen representation into VT-x representation. The unusable bit ++ * is unconditionally set to the inverse of present. ++ */ ++ attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff); + + /* VMX has strict consistency requirement for flag G. */ + attr |= !!(limit >> 20) << 15; +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-11-22 15:03:34.000000000 +0100 ++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-11-22 15:15:51.000000000 +0100 +@@ -1136,6 +1136,10 @@ + &desctab, ctxt)) ) + return rc; + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !desctab.attr.fields.p ) ++ goto raise_exn; ++ + /* Check against descriptor table limit. */ + if ( ((sel & 0xfff8) + 7) > desctab.limit ) + goto raise_exn; diff --git a/sysutils/xenkernel42/patches/patch-XSA-192 b/sysutils/xenkernel42/patches/patch-XSA-192 new file mode 100644 index 00000000000..304acf2b76e --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-XSA-192 @@ -0,0 +1,65 @@ +$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:55:29 bouyer Exp $ + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch + +Just like TR, LDTR is purely a protected mode facility and hence needs +to be loaded accordingly. Also move its loading to where it +architecurally belongs. + +This is XSA-192. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> +Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- xen/arch/x86/hvm/hvm.c.orig 2016-11-22 15:15:51.000000000 +0100 ++++ xen/arch/x86/hvm/hvm.c 2016-11-22 15:29:02.000000000 +0100 +@@ -2072,16 +2072,15 @@ + } + + static int hvm_load_segment_selector( +- enum x86_segment seg, uint16_t sel) ++ enum x86_segment seg, uint16_t sel, unsigned int eflags) + { + struct segment_register desctab, cs, segr; + struct desc_struct *pdesc, desc; + u8 dpl, rpl, cpl; + int fault_type = TRAP_invalid_tss; +- struct cpu_user_regs *regs = guest_cpu_user_regs(); + struct vcpu *v = current; + +- if ( regs->eflags & X86_EFLAGS_VM ) ++ if ( eflags & X86_EFLAGS_VM ) + { + segr.sel = sel; + segr.base = (uint32_t)sel << 4; +@@ -2332,6 +2331,8 @@ + if ( rc != HVMCOPY_okay ) + goto out; + ++ if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) ) ++ goto out; + + if ( hvm_set_cr3(tss.cr3) ) + goto out; +@@ -2354,13 +2355,12 @@ + } + + exn_raised = 0; +- if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || +- hvm_load_segment_selector(x86_seg_es, tss.es) || +- hvm_load_segment_selector(x86_seg_cs, tss.cs) || +- hvm_load_segment_selector(x86_seg_ss, tss.ss) || +- hvm_load_segment_selector(x86_seg_ds, tss.ds) || +- hvm_load_segment_selector(x86_seg_fs, tss.fs) || +- hvm_load_segment_selector(x86_seg_gs, tss.gs) ) ++ if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) ) + exn_raised = 1; + + rc = hvm_copy_to_guest_virt( diff --git a/sysutils/xenkernel42/patches/patch-XSA-195 b/sysutils/xenkernel42/patches/patch-XSA-195 new file mode 100644 index 00000000000..cd557389449 --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-XSA-195 @@ -0,0 +1,49 @@ +$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:55:29 bouyer Exp $ + +backported from: + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86emul: fix huge bit offset handling + +We must never chop off the high 32 bits. + +This is XSA-195. + +Reported-by: George Dunlap <george.dunlap@citrix.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-11-22 15:15:51.000000000 +0100 ++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-11-22 16:02:09.000000000 +0100 +@@ -1756,6 +1756,12 @@ + else + { + /* ++ * Instructions such as bt can reference an arbitrary offset from ++ * their memory operand, but the instruction doing the actual ++ * emulation needs the appropriate op_bytes read from memory. ++ * Adjust both the source register and memory operand to make an ++ * equivalent instruction. ++ * + * EA += BitOffset DIV op_bytes*8 + * BitOffset = BitOffset MOD op_bytes*8 + * DIV truncates towards negative infinity. +@@ -1767,14 +1773,15 @@ + src.val = (int32_t)src.val; + if ( (long)src.val < 0 ) + { +- unsigned long byte_offset; +- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ++ unsigned long byte_offset = ++ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L)); ++ + ea.mem.off -= byte_offset; + src.val = (byte_offset << 3) + src.val; + } + else + { +- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); ++ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L); + src.val &= (op_bytes << 3) - 1; + } + } diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile index 3cecb9e72b4..7ea97642405 100644 --- a/sysutils/xentools41/Makefile +++ b/sysutils/xentools41/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.63 2016/07/09 13:04:08 wiz Exp $ +# $NetBSD: Makefile,v 1.64 2016/11/22 20:53:40 bouyer Exp $ # # VERSION is set in version.mk as it is shared with other packages .include "version.mk" DISTNAME= xen-${VERSION} PKGNAME= xentools41-${VERSION} -PKGREVISION= 16 +PKGREVISION= 17 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo index 78a00cfd409..1e06c865a9d 100644 --- a/sysutils/xentools41/distinfo +++ b/sysutils/xentools41/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.42 2016/10/01 13:07:23 joerg Exp $ +$NetBSD: distinfo,v 1.43 2016/11/22 20:53:40 bouyer Exp $ SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 @@ -17,6 +17,8 @@ SHA1 (patch-CVE-2015-2752) = f9bca0b8744233e20ff97c3e8e2e404522e87f49 SHA1 (patch-CVE-2015-2756) = 07aaac4bcd0dfc6d708c1823288b9fc789ebd125 SHA1 (patch-CVE-2015-8550) = dfd72a54d27211c1059579819b9b4c702399a0fc SHA1 (patch-CVE-2015-8554) = 7f444009519399038c657fa3e59fd2170f99bb70 +SHA1 (patch-XSA-197) = 4980664bbb3f3d8277f888f6304a8552ec714a26 +SHA1 (patch-XSA-198) = 98a18927de1e3427cb4fbcc5675fa608d1cd5ba8 SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb diff --git a/sysutils/xentools41/patches/patch-XSA-197 b/sysutils/xentools41/patches/patch-XSA-197 new file mode 100644 index 00000000000..b875273c39e --- /dev/null +++ b/sysutils/xentools41/patches/patch-XSA-197 @@ -0,0 +1,69 @@ +$NetBSD: patch-XSA-197,v 1.1 2016/11/22 20:53:40 bouyer Exp $ + +Backported from: + +From: Jan Beulich <jbeulich@suse.com> +Subject: xen: fix ioreq handling + +Avoid double fetches and bounds check size to avoid overflowing +internal variables. + +This is XSA-197. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Ian Jackson <ian.jackson@eu.citrix.com> + +--- ioemu-qemu-xen/i386-dm/helper2.c.orig 2013-07-17 12:59:40.000000000 +0200 ++++ ioemu-qemu-xen/i386-dm/helper2.c 2016-11-22 16:15:32.000000000 +0100 +@@ -333,6 +333,11 @@ + + sign = req->df ? -1 : 1; + ++ if (req->size > sizeof(unsigned long)) { ++ fprintf(stderr, "PIO: bad size (%u)\n", req->size); ++ exit(-1); ++ } ++ + if (req->dir == IOREQ_READ) { + if (!req->data_is_ptr) { + req->data = do_inp(env, req->addr, req->size); +@@ -368,6 +373,11 @@ + + sign = req->df ? -1 : 1; + ++ if (req->size > sizeof(req->data)) { ++ fprintf(stderr, "MMIO: bad size (%u)\n", req->size); ++ exit(-1); ++ } ++ + if (!req->data_is_ptr) { + if (req->dir == IOREQ_READ) { + for (i = 0; i < req->count; i++) { +@@ -481,11 +491,13 @@ + req.df = 1; + req.type = buf_req->type; + req.data_is_ptr = 0; ++ xen_rmb(); + qw = (req.size == 8); + if (qw) { + buf_req = &buffered_io_page->buf_ioreq[ + (buffered_io_page->read_pointer+1) % IOREQ_BUFFER_SLOT_NUM]; + req.data |= ((uint64_t)buf_req->data) << 32; ++ xen_rmb(); + } + + __handle_ioreq(env, &req); +@@ -512,7 +524,11 @@ + + __handle_buffered_iopage(env); + if (req) { +- __handle_ioreq(env, req); ++ ioreq_t copy = *req; ++ ++ xen_rmb(); ++ __handle_ioreq(env, ©); ++ req->data = copy.data; + + if (req->state != STATE_IOREQ_INPROCESS) { + fprintf(logfile, "Badness in I/O request ... not in service?!: " diff --git a/sysutils/xentools41/patches/patch-XSA-198 b/sysutils/xentools41/patches/patch-XSA-198 new file mode 100644 index 00000000000..29bb8cdaa79 --- /dev/null +++ b/sysutils/xentools41/patches/patch-XSA-198 @@ -0,0 +1,58 @@ +$NetBSD: patch-XSA-198,v 1.1 2016/11/22 20:53:40 bouyer Exp $ + +Backported from: + +From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Thu, 3 Nov 2016 16:37:40 +0000 +Subject: [PATCH] pygrub: Properly quote results, when returning them to the + caller: + +* When the caller wants sexpr output, use `repr()' + This is what Xend expects. + + The returned S-expressions are now escaped and quoted by Python, + generally using '...'. Previously kernel and ramdisk were unquoted + and args was quoted with "..." but without proper escaping. This + change may break toolstacks which do not properly dequote the + returned S-expressions. + +* When the caller wants "simple" output, crash if the delimiter is + contained in the returned value. + + With --output-format=simple it does not seem like this could ever + happen, because the bootloader config parsers all take line-based + input from the various bootloader config files. + + With --output-format=simple0, this can happen if the bootloader + config file contains nul bytes. + +This is XSA-198. + +Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- pygrub/src/pygrub.orig 2013-09-10 08:42:18.000000000 +0200 ++++ pygrub/src/pygrub 2016-11-22 16:26:10.000000000 +0100 +@@ -653,14 +653,17 @@ + return cfg + + def format_sxp(kernel, ramdisk, args): +- s = "linux (kernel %s)" % kernel ++ s = "linux (kernel %s)" % repr(kernel) + if ramdisk: +- s += "(ramdisk %s)" % ramdisk ++ s += "(ramdisk %s)" % repr(ramdisk) + if args: +- s += "(args \"%s\")" % args ++ s += "(args %s)" % repr(args) + return s + + def format_simple(kernel, ramdisk, args, sep): ++ for check in (kernel, ramdisk, args): ++ if check is not None and sep in check: ++ raise RuntimeError, "simple format cannot represent delimiter-containing value" + s = ("kernel %s" % kernel) + sep + if ramdisk: + s += ("ramdisk %s" % ramdisk) + sep diff --git a/sysutils/xentools42/Makefile b/sysutils/xentools42/Makefile index b915a875545..23d53d6f16b 100644 --- a/sysutils/xentools42/Makefile +++ b/sysutils/xentools42/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.50 2016/07/09 13:04:08 wiz Exp $ +# $NetBSD: Makefile,v 1.51 2016/11/22 20:55:29 bouyer Exp $ VERSION= 4.2.5 VERSION_IPXE= 1.0.0 DISTNAME= xen-${VERSION} PKGNAME= xentools42-${VERSION} -PKGREVISION= 18 +PKGREVISION= 19 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools42/distinfo b/sysutils/xentools42/distinfo index 2109757a920..766b8ba9802 100644 --- a/sysutils/xentools42/distinfo +++ b/sysutils/xentools42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.28 2016/10/01 13:07:23 joerg Exp $ +$NetBSD: distinfo,v 1.29 2016/11/22 20:55:29 bouyer Exp $ SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 @@ -39,6 +39,9 @@ SHA1 (patch-CVE-2015-8550) = 63613ca0dd9fe06f5c88774151f72e1c540e62c5 SHA1 (patch-CVE-2015-8554) = 908783cf619fc130d5a107ba2c4997fca0f0da88 SHA1 (patch-Makefile) = 3a474d28a5b838bae4a67b5ca76e23b950bf0133 SHA1 (patch-Rules.mk) = 25a04293f6fe638ba5f3bd5e09b2b091cd201023 +SHA1 (patch-XSA-197-1) = 79b4bc63bfbe7f69ed3ba38a667f185f8cb65cc9 +SHA1 (patch-XSA-197-2) = 1734d4313b66f958a312676da489b94773524128 +SHA1 (patch-XSA-198) = 38d120b4be3e04f87e75e6838a64d44e180d708b SHA1 (patch-blktap_drivers_Makefile) = c6be57154a403a64e3d6bc22d6bd833fe33fc9af SHA1 (patch-configure) = 11df58a8e1cd6bcc319db0aff508367e59592cba SHA1 (patch-examples_Makefile) = ee02f973416ca4ffda5381cd7a4ddb3b43579621 diff --git a/sysutils/xentools42/patches/patch-XSA-197-1 b/sysutils/xentools42/patches/patch-XSA-197-1 new file mode 100644 index 00000000000..d148cbe6702 --- /dev/null +++ b/sysutils/xentools42/patches/patch-XSA-197-1 @@ -0,0 +1,69 @@ +$NetBSD: patch-XSA-197-1,v 1.1 2016/11/22 20:55:29 bouyer Exp $ + +backported from: + +From: Jan Beulich <jbeulich@suse.com> +Subject: xen: fix ioreq handling + +Avoid double fetches and bounds check size to avoid overflowing +internal variables. + +This is XSA-197. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Ian Jackson <ian.jackson@eu.citrix.com> + +--- qemu-xen-traditional/i386-dm/helper2.c.orig 2014-01-09 13:44:42.000000000 +0100 ++++ qemu-xen-traditional/i386-dm/helper2.c 2016-11-22 16:17:44.000000000 +0100 +@@ -355,6 +355,11 @@ + + sign = req->df ? -1 : 1; + ++ if (req->size > sizeof(unsigned long)) { ++ fprintf(stderr, "PIO: bad size (%u)\n", req->size); ++ exit(-1); ++ } ++ + if (req->dir == IOREQ_READ) { + if (!req->data_is_ptr) { + req->data = do_inp(env, req->addr, req->size); +@@ -390,6 +395,11 @@ + + sign = req->df ? -1 : 1; + ++ if (req->size > sizeof(req->data)) { ++ fprintf(stderr, "MMIO: bad size (%u)\n", req->size); ++ exit(-1); ++ } ++ + if (!req->data_is_ptr) { + if (req->dir == IOREQ_READ) { + for (i = 0; i < req->count; i++) { +@@ -505,11 +515,13 @@ + req.df = 1; + req.type = buf_req->type; + req.data_is_ptr = 0; ++ xen_rmb(); + qw = (req.size == 8); + if (qw) { + buf_req = &buffered_io_page->buf_ioreq[ + (buffered_io_page->read_pointer+1) % IOREQ_BUFFER_SLOT_NUM]; + req.data |= ((uint64_t)buf_req->data) << 32; ++ xen_rmb(); + } + + __handle_ioreq(env, &req); +@@ -542,7 +554,11 @@ + + __handle_buffered_iopage(env); + if (req) { +- __handle_ioreq(env, req); ++ ioreq_t copy = *req; ++ ++ xen_rmb(); ++ __handle_ioreq(env, ©); ++ req->data = copy.data; + + if (req->state != STATE_IOREQ_INPROCESS) { + fprintf(logfile, "Badness in I/O request ... not in service?!: " diff --git a/sysutils/xentools42/patches/patch-XSA-197-2 b/sysutils/xentools42/patches/patch-XSA-197-2 new file mode 100644 index 00000000000..3f1ce5a701c --- /dev/null +++ b/sysutils/xentools42/patches/patch-XSA-197-2 @@ -0,0 +1,67 @@ +$NetBSD: patch-XSA-197-2,v 1.1 2016/11/22 20:55:29 bouyer Exp $ + +Backported from: + +From: Jan Beulich <jbeulich@suse.com> +Subject: xen: fix ioreq handling + +Avoid double fetches and bounds check size to avoid overflowing +internal variables. + +This is XSA-197. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> + +--- qemu-xen/xen-all.c.orig 2016-11-22 15:13:15.000000000 +0100 ++++ qemu-xen/xen-all.c 2016-11-22 16:19:25.000000000 +0100 +@@ -661,6 +661,10 @@ + + sign = req->df ? -1 : 1; + ++ if (req->size > sizeof(uint32_t)) { ++ hw_error("PIO: bad size (%u)", req->size); ++ } ++ + if (req->dir == IOREQ_READ) { + if (!req->data_is_ptr) { + req->data = do_inp(req->addr, req->size); +@@ -696,6 +700,10 @@ + + sign = req->df ? -1 : 1; + ++ if (req->size > sizeof(req->data)) { ++ hw_error("MMIO: bad size (%u)", req->size); ++ } ++ + if (!req->data_is_ptr) { + if (req->dir == IOREQ_READ) { + for (i = 0; i < req->count; i++) { +@@ -783,11 +791,13 @@ + req.df = 1; + req.type = buf_req->type; + req.data_is_ptr = 0; ++ xen_rmb(); + qw = (req.size == 8); + if (qw) { + buf_req = &state->buffered_io_page->buf_ioreq[ + (state->buffered_io_page->read_pointer + 1) % IOREQ_BUFFER_SLOT_NUM]; + req.data |= ((uint64_t)buf_req->data) << 32; ++ xen_rmb(); + } + + handle_ioreq(&req); +@@ -819,7 +829,11 @@ + + handle_buffered_iopage(state); + if (req) { +- handle_ioreq(req); ++ ioreq_t copy = *req; ++ ++ xen_rmb(); ++ handle_ioreq(©); ++ req->data = copy.data; + + if (req->state != STATE_IOREQ_INPROCESS) { + fprintf(stderr, "Badness in I/O request ... not in service?!: " diff --git a/sysutils/xentools42/patches/patch-XSA-198 b/sysutils/xentools42/patches/patch-XSA-198 new file mode 100644 index 00000000000..c2ca16dfbba --- /dev/null +++ b/sysutils/xentools42/patches/patch-XSA-198 @@ -0,0 +1,58 @@ +$NetBSD: patch-XSA-198,v 1.1 2016/11/22 20:55:29 bouyer Exp $ + +Backported from: + +From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Thu, 3 Nov 2016 16:37:40 +0000 +Subject: [PATCH] pygrub: Properly quote results, when returning them to the + caller: + +* When the caller wants sexpr output, use `repr()' + This is what Xend expects. + + The returned S-expressions are now escaped and quoted by Python, + generally using '...'. Previously kernel and ramdisk were unquoted + and args was quoted with "..." but without proper escaping. This + change may break toolstacks which do not properly dequote the + returned S-expressions. + +* When the caller wants "simple" output, crash if the delimiter is + contained in the returned value. + + With --output-format=simple it does not seem like this could ever + happen, because the bootloader config parsers all take line-based + input from the various bootloader config files. + + With --output-format=simple0, this can happen if the bootloader + config file contains nul bytes. + +This is XSA-198. + +Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> + +--- pygrub/src/pygrub.orig 2014-09-02 08:22:57.000000000 +0200 ++++ pygrub/src/pygrub 2016-11-22 16:30:40.000000000 +0100 +@@ -683,14 +683,17 @@ + return cfg + + def format_sxp(kernel, ramdisk, args): +- s = "linux (kernel %s)" % kernel ++ s = "linux (kernel %s)" % repr(kernel) + if ramdisk: +- s += "(ramdisk %s)" % ramdisk ++ s += "(ramdisk %s)" % repr(ramdisk) + if args: +- s += "(args \"%s\")" % args ++ s += "(args %s)" % repr(args) + return s + + def format_simple(kernel, ramdisk, args, sep): ++ for check in (kernel, ramdisk, args): ++ if check is not None and sep in check: ++ raise RuntimeError, "simple format cannot represent delimiter-containing value" + s = ("kernel %s" % kernel) + sep + if ramdisk: + s += ("ramdisk %s" % ramdisk) + sep |