authortron <tron>2014-09-28 12:07:10 +0000
committertron <tron>2014-09-28 12:07:10 +0000
commit512a20c5c1b98f36fbe5193d7b25b820cfcfedc8 (patch)
tree1bdcc183c6f1622776c44d0745ec86f243e71b79
parentd549a54207672a7cf3381685bd1d271a89d7d5a8 (diff)
downloadpkgsrc-512a20c5c1b98f36fbe5193d7b25b820cfcfedc8.tar.gz
Pullup ticket #4505 - requested by bouyer
sysutils/xenkernel41: security patch Revisions pulled up: - sysutils/xenkernel41/Makefile 1.39 - sysutils/xenkernel41/distinfo 1.30 - sysutils/xenkernel41/patches/patch-CVE-2014-7154 1.1 - sysutils/xenkernel41/patches/patch-CVE-2014-7155 1.1 - sysutils/xenkernel41/patches/patch-CVE-2014-7156 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Fri Sep 26 10:45:00 UTC 2014 Modified Files: pkgsrc/sysutils/xenkernel41: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel41/patches: patch-CVE-2014-7154 patch-CVE-2014-7155 patch-CVE-2014-7156 Log Message: Add patch for: XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts bump PKGREVISION
-rw-r--r--sysutils/xenkernel41/Makefile4
-rw-r--r--sysutils/xenkernel41/distinfo5
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2014-715434
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2014-715539
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2014-715625
5 files changed, 104 insertions, 3 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index 26ef1ad99ba..710a5fe12a4 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.38 2014/06/18 13:47:08 drochner Exp $
+# $NetBSD: Makefile,v 1.38.2.1 2014/09/28 12:07:10 tron Exp $
VERSION= 4.1.6.1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 10
+PKGREVISION= 11
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index c5b4cf1fe80..c5b52fef7f9 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2014/06/18 13:47:08 drochner Exp $
+$NetBSD: distinfo,v 1.29.2.1 2014/09/28 12:07:10 tron Exp $
SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
@@ -17,6 +17,9 @@ SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d
SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e
SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145
SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36
+SHA1 (patch-CVE-2014-7154) = 5f0541559d911778aa5267bb5c0e1e8a9a3904e2
+SHA1 (patch-CVE-2014-7155) = 0f1aa6a5d4fdb8403fc1e01b884491a63de501f8
+SHA1 (patch-CVE-2014-7156) = 85043bdcf2644227d135f725cb442aade565c9d6
SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7154 b/sysutils/xenkernel41/patches/patch-CVE-2014-7154
new file mode 100644
index 00000000000..7ffb89680ae
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2014-7154
@@ -0,0 +1,34 @@
+$NetBSD: patch-CVE-2014-7154,v 1.1.2.2 2014/09/28 12:07:10 tron Exp $
+
+x86/shadow: fix race condition sampling the dirty vram state
+
+d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
+
+If not, two concurrent hypercalls could both end up attempting to free
+dirty_vram (the second of which will free a wild pointer), or both end up
+allocating a new dirty_vram structure (the first of which will be leaked).
+
+This is XSA-104.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200
++++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200
+@@ -3640,7 +3640,7 @@
+ int flush_tlb = 0;
+ unsigned long i;
+ p2m_type_t t;
+- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
++ struct sh_dirty_vram *dirty_vram;
+ struct p2m_domain *p2m = p2m_get_hostp2m(d);
+
+ if (end_pfn < begin_pfn
+@@ -3649,6 +3649,7 @@
+ return -EINVAL;
+
+ shadow_lock(d);
++ dirty_vram = d->arch.hvm_domain.dirty_vram;
+
+ if ( dirty_vram && (!nr ||
+ ( begin_pfn != dirty_vram->begin_pfn
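Review bot: The description in this patch file says `d->arch.hvm_domain.dirty_vram` must be read with the domain's *paging* lock held, but the code the 4.1 backport actually changes samples it under `shadow_lock(d)` at +3649; the text was written for a later tree and now describes a lock this patch does not take. I would reword that line to `must be read with the shadow lock (shadow_lock(d)) held` so the next person backporting does not go looking for a paging lock that 4.1 lacks. The `@@` headers carry no function context and the enclosing function starts before and continues past the visible lines, so I cannot confirm from here that `dirty_vram` is not dereferenced again after the lock is released; the race is only closed if every later use stays inside the locked region.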
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7155 b/sysutils/xenkernel41/patches/patch-CVE-2014-7155
new file mode 100644
index 00000000000..5d60104f50f
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2014-7155
@@ -0,0 +1,39 @@
+$NetBSD: patch-CVE-2014-7155,v 1.1.2.2 2014/09/28 12:07:10 tron Exp $
+
+x86/emulate: check cpl for all privileged instructions
+
+Without this, it is possible for userspace to load its own IDT or GDT.
+
+This is XSA-105.
+
+Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Andrei LUTAS <vlutas@bitdefender.com>
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3314,6 +3314,7 @@ x86_emulate(
+ goto swint;
+
+ case 0xf4: /* hlt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ ctxt->retire.flags.hlt = 1;
+ break;
+
+@@ -3710,6 +3711,7 @@ x86_emulate(
+ break;
+ case 2: /* lgdt */
+ case 3: /* lidt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+ fail_if(ops->write_segment == NULL);
+ memset(&reg, 0, sizeof(reg));
+@@ -3738,6 +3740,7 @@ x86_emulate(
+ case 6: /* lmsw */
+ fail_if(ops->read_cr == NULL);
+ fail_if(ops->write_cr == NULL);
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
+ goto done;
+ if ( ea.type == OP_REG )
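Review bot: In the lgdt/lidt case the new ring-0 check is placed before the existing `generate_exception_if(ea.type != OP_MEM, EXC_UD, -1)`, so a user-mode register-operand encoding is reported as #GP(0) rather than the #UD the decoder-level check would give; on hardware the invalid-encoding fault appears to take priority over the privilege check, so swapping those two lines would match the architecture more closely. This mirrors the upstream XSA-105 ordering and is a fidelity nit, not a security gap, since either way the instruction is refused. The lmsw placement after the two `fail_if(ops->... == NULL)` guards is fine, as those only decide whether the emulator can handle the instruction at all. `x86_emulate()` begins and ends outside this hunk.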
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7156 b/sysutils/xenkernel41/patches/patch-CVE-2014-7156
new file mode 100644
index 00000000000..ca1b429af8f
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2014-7156
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2014-7156,v 1.1.2.2 2014/09/28 12:07:10 tron Exp $
+
+x86emul: only emulate software interrupt injection for real mode
+
+Protected mode emulation currently lacks proper privilege checking of
+the referenced IDT entry, and there's currently no legitimate way for
+any of the respective instructions to reach the emulator when the guest
+is in protected mode.
+
+This is XSA-106.
+
+Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -2634,6 +2634,7 @@ x86_emulate(
+ case 0xcd: /* int imm8 */
+ src.val = insn_fetch_type(uint8_t);
+ swint:
++ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
+ fail_if(ops->inject_sw_interrupt == NULL);
+ rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
+ ctxt) ? : X86EMUL_EXCEPTION;
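Review bot: The added guard carries only the tag `/* XSA-106 */`, which tells a reader which advisory it came from but not why protected mode is refused; I would expand it to `/* XSA-106: IDT descriptor privilege (DPL vs CPL) is not checked for protected mode below, and no legitimate path reaches the emulator for int/int3/into there, so only real mode is emulated. */`. Because the check sits after the `swint:` label, it also covers the `int3` and `into` paths that jump there (the `goto swint` is visible in the neighbouring XSA-105 hunk), which is worth stating. Note that `fail_if` makes the emulator return unhandleable rather than inject #GP, which is what the description intends; and this assumes `in_realmode()` exists in 4.1's x86_emulate.c at this point, which the build will confirm. `x86_emulate()` begins and ends outside this hunk.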