authortron <tron>2012-06-13 11:06:17 +0000
committertron <tron>2012-06-13 11:06:17 +0000
commit470b6cea8d78bc3045d80c864566416439b7e1dc (patch)
tree6cbaaf6499e9e8c38fbc026ab0ca765276735015
parent9377ab5a4c9d4392ac8bcc58be6791e031fa4cab (diff)
Pullup ticket #3834 - requested by bouyer
sysutils/xenkernel41: security patch Revisions pulled up: - sysutils/xenkernel41/Makefile 1.6 - sysutils/xenkernel41/distinfo 1.7 - sysutils/xenkernel41/patch-xsa7-xsa8-xen-4.1 1.1 - sysutils/xenkernel41/patch-xsa9-xen-4.1 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Tue Jun 12 15:59:04 UTC 2012 Modified Files: pkgsrc/sysutils/xenkernel41: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel41: patch-xsa7-xsa8-xen-4.1 patch-xsa9-xen-4.1 Log Message: pull up patches from upstream, fixing XSA7, XSA8 and XSA9. PKGREVISION++
-rw-r--r--sysutils/xenkernel41/Makefile4
-rw-r--r--sysutils/xenkernel41/distinfo4
-rw-r--r--sysutils/xenkernel41/patch-xsa7-xsa8-xen-4.1124
-rw-r--r--sysutils/xenkernel41/patch-xsa9-xen-4.148
4 files changed, 177 insertions, 3 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index f9953d83994..11839569b38 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.5 2011/11/20 03:12:44 jym Exp $
+# $NetBSD: Makefile,v 1.5.4.1 2012/06/13 11:06:17 tron Exp $
#
VERSION= 4.1.2
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-#PKGREVISION= 1
+PKGREVISION= 1
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
EXTRACT_SUFX= .tar.gz
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 303c27620d7..d0ba5a9929d 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.6 2011/10/21 18:26:58 cegger Exp $
+$NetBSD: distinfo,v 1.6.4.1 2012/06/13 11:06:17 tron Exp $
SHA1 (xen-4.1.2.tar.gz) = db584cb0a0cc614888d7df3b196d514fdb2edd6e
RMD160 (xen-4.1.2.tar.gz) = 457797ec4be286afbbcad940a9ce04e44f3f40d6
Size (xen-4.1.2.tar.gz) = 10365786 bytes
SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70
+SHA1 (patch-xsa7-xsa8-xen-4.1) = e48cfd4ae9e7a4d48e059738b3f36074d3982515
+SHA1 (patch-xsa9-xen-4.1) = 4bbefd6426e2a7b36ccecb81cc94dc33af34e4fb
diff --git a/sysutils/xenkernel41/patch-xsa7-xsa8-xen-4.1 b/sysutils/xenkernel41/patch-xsa7-xsa8-xen-4.1
new file mode 100644
index 00000000000..495b2c7428d
--- /dev/null
+++ b/sysutils/xenkernel41/patch-xsa7-xsa8-xen-4.1
@@ -0,0 +1,124 @@
+$NetBSD: patch-xsa7-xsa8-xen-4.1,v 1.1.2.2 2012/06/13 11:06:17 tron Exp $
+
+diff -r 35248be669e7 xen/arch/x86/x86_64/asm-offsets.c
+--- xen/arch/x86/x86_64/asm-offsets.c.orig Mon May 14 16:59:12 2012 +0100
++++ xen/arch/x86/x86_64/asm-offsets.c Thu May 24 11:12:33 2012 +0100
+@@ -90,6 +90,8 @@ void __dummy__(void)
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
+ OFFSET(VCPU_gp_fault_sel, struct vcpu,
+ arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
++ OFFSET(VCPU_gp_fault_flags, struct vcpu,
++ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
+ OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
+ OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
+ OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
+diff -r 35248be669e7 xen/arch/x86/x86_64/compat/entry.S
+--- xen/arch/x86/x86_64/compat/entry.S.orig Mon May 14 16:59:12 2012 +0100
++++ xen/arch/x86/x86_64/compat/entry.S Thu May 24 11:12:33 2012 +0100
+@@ -214,6 +214,7 @@ 1: call compat_create_bounce_frame
+ ENTRY(compat_post_handle_exception)
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz compat_test_all_events
++.Lcompat_bounce_exception:
+ call compat_create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp compat_test_all_events
+@@ -226,19 +227,20 @@ ENTRY(compat_syscall)
+ leaq VCPU_trap_bounce(%rbx),%rdx
+ testl $~3,%esi
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+- jz 2f
+-1: movq %rax,TRAPBOUNCE_eip(%rdx)
++UNLIKELY_START(z, compat_syscall_gpf)
++ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subl $2,UREGS_rip(%rsp)
++ movl $0,TRAPBOUNCE_error_code(%rdx)
++ movl VCPU_gp_fault_addr(%rbx),%eax
++ movzwl VCPU_gp_fault_sel(%rbx),%esi
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(compat_syscall_gpf)
++ movq %rax,TRAPBOUNCE_eip(%rdx)
+ movw %si,TRAPBOUNCE_cs(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+- call compat_create_bounce_frame
+- jmp compat_test_all_events
+-2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+- subl $2,UREGS_rip(%rsp)
+- movq VCPU_gp_fault_addr(%rbx),%rax
+- movzwl VCPU_gp_fault_sel(%rbx),%esi
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+- movl $0,TRAPBOUNCE_error_code(%rdx)
+- jmp 1b
++ jmp .Lcompat_bounce_exception
+
+ ENTRY(compat_sysenter)
+ cmpl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+diff -r 35248be669e7 xen/arch/x86/x86_64/entry.S
+--- xen/arch/x86/x86_64/entry.S.orig Mon May 14 16:59:12 2012 +0100
++++ xen/arch/x86/x86_64/entry.S Thu May 24 11:12:33 2012 +0100
+@@ -40,6 +40,13 @@ restore_all_guest:
+ testw $TRAP_syscall,4(%rsp)
+ jz iret_exit_to_guest
+
++ /* Don't use SYSRET path if the return address is not canonical. */
++ movq 8(%rsp),%rcx
++ sarq $47,%rcx
++ incl %ecx
++ cmpl $1,%ecx
++ ja .Lforce_iret
++
+ addq $8,%rsp
+ popq %rcx # RIP
+ popq %r11 # CS
+@@ -50,6 +57,10 @@ restore_all_guest:
+ sysretq
+ 1: sysretl
+
++.Lforce_iret:
++ /* Mimic SYSRET behavior. */
++ movq 8(%rsp),%rcx # RIP
++ movq 24(%rsp),%r11 # RFLAGS
+ ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
+@@ -278,19 +289,21 @@ sysenter_eflags_saved:
+ leaq VCPU_trap_bounce(%rbx),%rdx
+ testq %rax,%rax
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+- jz 2f
+-1: movq VCPU_domain(%rbx),%rdi
++UNLIKELY_START(z, sysenter_gpf)
++ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++ subq $2,UREGS_rip(%rsp)
++ movl %eax,TRAPBOUNCE_error_code(%rdx)
++ movq VCPU_gp_fault_addr(%rbx),%rax
++ testb $4,VCPU_gp_fault_flags(%rbx)
++ setnz %cl
++ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(sysenter_gpf)
++ movq VCPU_domain(%rbx),%rdi
+ movq %rax,TRAPBOUNCE_eip(%rdx)
+ movb %cl,TRAPBOUNCE_flags(%rdx)
+ testb $1,DOMAIN_is_32bit_pv(%rdi)
+ jnz compat_sysenter
+- call create_bounce_frame
+- jmp test_all_events
+-2: movl %eax,TRAPBOUNCE_error_code(%rdx)
+- movq VCPU_gp_fault_addr(%rbx),%rax
+- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+- movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+- jmp 1b
++ jmp .Lbounce_exception
+
+ ENTRY(int80_direct_trap)
+ pushq $0
+@@ -482,6 +495,7 @@ 1: movq %rsp,%rdi
+ jnz compat_post_handle_exception
+ testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+ jz test_all_events
++.Lbounce_exception:
+ call create_bounce_frame
+ movb $0,TRAPBOUNCE_flags(%rdx)
+ jmp test_all_events
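Review bot: This patch file has no description after its `$NetBSD$` line, so nothing in it says which advisory each part addresses or where the diff came from; the `diff -r 35248be669e7` lines name only the base revision. patch-xsa9-xen-4.1 in the same commit keeps the upstream message, advisory id and sign-offs, and this file should do the same, for example `Upstream fix for XSA-7 and XSA-8, taken from <UPSTREAM-CHANGESET>.` If it can be confirmed against the advisories, the header could also say that the canonical-address check before `sysretq` in restore_all_guest is the XSA-7 part, and that the reworked #GP bounce in compat_syscall and sysenter_eflags_saved is the XSA-8 part. The bare `$4` in `testb $4,VCPU_gp_fault_flags(%rbx)` (both entry.S files) deserves a word there too: it appears to test the interrupt-enable bit of the guest's registered trap flags, where the removed code set TBF_INTERRUPT unconditionally.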
diff --git a/sysutils/xenkernel41/patch-xsa9-xen-4.1 b/sysutils/xenkernel41/patch-xsa9-xen-4.1
new file mode 100644
index 00000000000..bbbc2521994
--- /dev/null
+++ b/sysutils/xenkernel41/patch-xsa9-xen-4.1
@@ -0,0 +1,48 @@
+$NetBSD: patch-xsa9-xen-4.1,v 1.1.2.2 2012/06/13 11:06:17 tron Exp $
+
+x86-64: detect processors subject to AMD erratum #121 and refuse to boot
+
+Processors with this erratum are subject to a DoS attack by unprivileged
+guest users.
+
+This is XSA-9 / CVE-2006-0744.
+
+Signed-off-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- xen/arch/x86/cpu/amd.c.orig
++++ xen/arch/x86/cpu/amd.c
+@@ -32,6 +32,9 @@
+ static char opt_famrev[14];
+ string_param("cpuid_mask_cpu", opt_famrev);
+
++static int opt_allow_unsafe;
++boolean_param("allow_unsafe", opt_allow_unsafe);
++
+ static inline void wrmsr_amd(unsigned int index, unsigned int lo,
+ unsigned int hi)
+ {
+@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
+ clear_bit(X86_FEATURE_MCE, c->x86_capability);
+
+ #ifdef __x86_64__
++ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
++ panic("Xen will not boot on this CPU for security reasons.\n"
++ "Pass \"allow_unsafe\" if you're trusting all your"
++ " (PV) guest kernels.\n");
++
+ /* AMD CPUs do not support SYSENTER outside of legacy mode. */
+ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+
+--- xen/include/asm-x86/amd.h.orig
++++ xen/include/asm-x86/amd.h
+@@ -127,6 +127,9 @@
+ #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
+ #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+
++#define AMD_ERRATUM_121 \
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
++
+ #define AMD_ERRATUM_170 \
+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
+
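Review bot: When `allow_unsafe` is given on a CPU that matches AMD_ERRATUM_121, the new check in init_amd falls through without printing anything, so the boot log holds no record that the host runs with the XSA-9 exposure accepted. A warning on that path would give operators and later audits something to find, for example `else if (cpu_has_amd_erratum(c, AMD_ERRATUM_121)) printk(XENLOG_WARNING "allow_unsafe set: CPU affected by AMD erratum #121, all PV guest kernels must be trusted\n");`. On the packaging side, this pullup makes affected hosts stop at boot after a routine update, and nothing in the commit tells the administrator about the `allow_unsafe` option beforehand; a MESSAGE entry for the package would cover that. init_amd's body starts and ends outside the hunk.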