diff options
| author | spz <spz> | 2016-07-28 13:35:31 +0000 |
|---|---|---|
| committer | spz <spz> | 2016-07-28 13:35:31 +0000 |
| commit | b63f2ebdf43384904050ebab5467df57acafc27d (patch) | |
| tree | 7d356bb6e08f109ae0212ab5e6010377c130ade9 | |
| parent | 5987c4c1d5365a7244bea703ec866c0a141339b1 (diff) | |
| download | pkgsrc-b63f2ebdf43384904050ebab5467df57acafc27d.tar.gz | |
Pullup ticket #5070 - requested by bouyer
sysutils/xenkernel45: security patch
Revisions pulled up:
- sysutils/xenkernel45/Makefile 1.19
- sysutils/xenkernel45/distinfo 1.15
- sysutils/xenkernel45/patches/patch-XSA-182 1.1
- sysutils/xenkernel45/patches/patch-XSA-183 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bouyer
Date: Tue Jul 26 14:31:57 UTC 2016
Modified Files:
pkgsrc/sysutils/xenkernel45: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel45/patches: patch-XSA-182 patch-XSA-183
Log Message:
Apply security patch from XSA-182 and XSA-183. Bump PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/sysutils/xenkernel45/Makefile
cvs rdiff -u -r1.14 -r1.15 pkgsrc/sysutils/xenkernel45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-XSA-182 \
pkgsrc/sysutils/xenkernel45/patches/patch-XSA-183
| -rw-r--r-- | sysutils/xenkernel45/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xenkernel45/distinfo | 4 | ||||
| -rw-r--r-- | sysutils/xenkernel45/patches/patch-XSA-182 | 104 | ||||
| -rw-r--r-- | sysutils/xenkernel45/patches/patch-XSA-183 | 77 |
4 files changed, 186 insertions, 3 deletions
diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile index b1cd83882ec..4531012c41a 100644 --- a/sysutils/xenkernel45/Makefile +++ b/sysutils/xenkernel45/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.17 2016/06/16 09:58:19 prlw1 Exp $ +# $NetBSD: Makefile,v 1.17.2.1 2016/07/28 13:35:31 spz Exp $ VERSION= 4.5.3 DISTNAME= xen-${VERSION} PKGNAME= xenkernel45-${VERSION} -#PKGREVISION= 0 +PKGREVISION= 1 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo index ae01c4fd679..c7fd4ad1c12 100644 --- a/sysutils/xenkernel45/distinfo +++ b/sysutils/xenkernel45/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.14 2016/05/12 15:42:58 bouyer Exp $ +$NetBSD: distinfo,v 1.14.2.1 2016/07/28 13:35:31 spz Exp $ SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108 RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4 @@ -7,6 +7,8 @@ Size (xen-4.5.3.tar.gz) = 18416997 bytes SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf SHA1 (patch-XSA-172) = ff4560534381d4d4c553170fbeb674f9361d9740 SHA1 (patch-XSA-173) = 0f6a2c4d9467713f3d969020f8fba62aa2f5297b +SHA1 (patch-XSA-182) = 77dfd369df89a51355318e26e38837482f09996e +SHA1 (patch-XSA-183) = f2a6027ff71c32c16abeb1b17e3226b714a5f1f4 SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03 diff --git a/sysutils/xenkernel45/patches/patch-XSA-182 b/sysutils/xenkernel45/patches/patch-XSA-182 new file mode 100644 index 00000000000..76902a07740 --- /dev/null +++ b/sysutils/xenkernel45/patches/patch-XSA-182 @@ -0,0 +1,104 @@ +$NetBSD: patch-XSA-182,v 1.1.2.2 2016/07/28 13:35:31 spz Exp $ + +From 798c1498f764bfaa7b0b955bab40b01b0610d372 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Mon, 11 Jul 2016 14:32:03 +0100 +Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath + +All changes in writeability and cacheability must go through full +re-validation. + +Rework the logic as a whitelist, to make it clearer to follow. + +This is XSA-182 + +Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com> +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Tim Deegan <tim@xen.org> +--- + xen/arch/x86/mm.c | 28 ++++++++++++++++------------ + xen/include/asm-x86/page.h | 1 + + 2 files changed, 17 insertions(+), 12 deletions(-) + +diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c +index b4c4fa4..a68a1ab 100644 +--- xen/arch/x86/mm.c.orig ++++ xen/arch/x86/mm.c +@@ -1695,6 +1695,14 @@ static inline int update_intpte(intpte_t *p, + _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \ + (_m), (_v), (_ad)) + ++/* ++ * PTE flags that a guest may change without re-validating the PTE. ++ * All other bits affect translation, caching, or Xen's safety. ++ */ ++#define FASTPATH_FLAG_WHITELIST \ ++ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \ ++ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER) ++ + /* Update the L1 entry at pl1e to new value nl1e. */ + static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e, + unsigned long gl1mfn, int preserve_ad, +@@ -1735,9 +1743,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e, + return -EINVAL; + } + +- /* Fast path for identical mapping, r/w, presence, and cachability. */ +- if ( !l1e_has_changed(ol1e, nl1e, +- PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l1e(nl1e, pt_dom); + if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, +@@ -1819,11 +1826,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e, + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l2e_has_changed(ol2e, nl2e, +- unlikely(opt_allow_superpage) +- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT +- : _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l2e(nl2e, d); + if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) ) +@@ -1888,8 +1892,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e, + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l3e(nl3e, d); + rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad); +@@ -1952,8 +1956,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e, + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l4e(nl4e, d); + rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad); +diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h +index 6dc9646..03c024c 100644 +--- xen/include/asm-x86/page.h.orig ++++ xen/include/asm-x86/page.h +@@ -308,6 +308,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t); + #define _PAGE_AVAIL2 _AC(0x800,U) + #define _PAGE_AVAIL _AC(0xE00,U) + #define _PAGE_PSE_PAT _AC(0x1000,U) ++#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12) + /* non-architectural flags */ + #define _PAGE_PAGED 0x2000U + #define _PAGE_SHARED 0x4000U +-- +2.1.4 + diff --git a/sysutils/xenkernel45/patches/patch-XSA-183 b/sysutils/xenkernel45/patches/patch-XSA-183 new file mode 100644 index 00000000000..b9ecb904737 --- /dev/null +++ b/sysutils/xenkernel45/patches/patch-XSA-183 @@ -0,0 +1,77 @@ +$NetBSD: patch-XSA-183,v 1.1.2.2 2016/07/28 13:35:31 spz Exp $ + +From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Wed, 15 Jun 2016 18:32:14 +0100 +Subject: [PATCH] x86/entry: Avoid SMAP violation in + compat_create_bounce_frame() + +A 32bit guest kernel might be running on user mappings. +compat_create_bounce_frame() must whitelist its guest accesses to avoid +risking a SMAP violation. + +For both variants of create_bounce_frame(), re-blacklist user accesses if +execution exits via an exception table redirection. + +This is XSA-183 / CVE-2016-6259 + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: George Dunlap <george.dunlap@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +--- +v2: + * Include CLAC on the exit paths from compat_create_bounce_frame which occur + from faults attempting to load %fs + * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz +--- + xen/arch/x86/x86_64/compat/entry.S | 3 +++ + xen/arch/x86/x86_64/entry.S | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S +index 0e3db7c..1eaf4bb 100644 +--- xen/arch/x86/x86_64/compat/entry.S.orig ++++ xen/arch/x86/x86_64/compat/entry.S +@@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap) + compat_create_bounce_frame: + ASSERT_INTERRUPTS_ENABLED + mov %fs,%edi ++ ASM_STAC + testb $2,UREGS_cs+8(%rsp) + jz 1f + /* Push new frame at registered guest-OS stack base. */ +@@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe) + movl %ds,%eax + .Lft12: movl %eax,%fs:0*4(%rsi) # DS + UNLIKELY_END(compat_bounce_failsafe) ++ ASM_CLAC + /* Rewrite our stack frame and return to guest-OS mode. */ + /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */ + andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\ +@@ -448,6 +450,7 @@ compat_crash_page_fault_4: + addl $4,%esi + compat_crash_page_fault: + .Lft14: mov %edi,%fs ++ ASM_CLAC + movl %esi,%edi + call show_page_walk + jmp dom_crash_sync_extable +diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S +index 6e27508..0c2e63a 100644 +--- xen/arch/x86/x86_64/entry.S.orig ++++ xen/arch/x86/x86_64/entry.S +@@ -462,9 +462,11 @@ domain_crash_page_fault_16: + domain_crash_page_fault_8: + addq $8,%rsi + domain_crash_page_fault: ++ ASM_CLAC + movq %rsi,%rdi + call show_page_walk + ENTRY(dom_crash_sync_extable) ++ ASM_CLAC + # Get out of the guest-save area of the stack. + GET_STACK_BASE(%rax) + leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp +-- +2.1.4 + |