authorbouyer <bouyer>2013-04-19 14:02:45 +0000
committerbouyer <bouyer>2013-04-19 14:02:45 +0000
commit64e3e08546219bfd2c30d076cc1a8a6b0f85e5ce (patch)
treef3aab4ba6aec4efff6a1047779ed077eaf9602b3
parentac3abf64145123cd791b2a0a80d7237a8a368a51 (diff)
Add patches from Xen security advisories:
http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html
http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html
http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html
Bump PKGREVISION.
-rw-r--r--sysutils/xenkernel41/Makefile4
-rw-r--r--sysutils/xenkernel41/distinfo8
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1917-121
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1917-219
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1917-321
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-192023
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1964-1151
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-1964-215
8 files changed, 259 insertions, 3 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index f10f1831462..8b4f072e173 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.19 2013/04/11 19:57:51 joerg Exp $
+# $NetBSD: Makefile,v 1.20 2013/04/19 14:02:45 bouyer Exp $
#
VERSION= 4.1.4
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 6cda3da2c22..a5ce1c8ec29 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.15 2013/04/11 19:57:51 joerg Exp $
+$NetBSD: distinfo,v 1.16 2013/04/19 14:02:45 bouyer Exp $
SHA1 (xen-4.1.4.tar.gz) = d5f1e9c9eeb96202dd827c196750530ffc64baab
RMD160 (xen-4.1.4.tar.gz) = e3cb379954c985354dfd7dfbed15eae43e73254d
Size (xen-4.1.4.tar.gz) = 10387283 bytes
SHA1 (patch-CVE-2012-5511_2) = a345d28d4a6dcc4bf203243f49d66b5479fdbf14
SHA1 (patch-CVE-2012-5634) = 2992ee4972ec733a80fa3841d12a70a9076625c0
+SHA1 (patch-CVE-2013-1917-1) = 3ebd5e8c30e962e1dcb0e8cae642a583a6d160e9
+SHA1 (patch-CVE-2013-1917-2) = 3b33b3430ac984cefb86617bbcf0b22e5b21427c
+SHA1 (patch-CVE-2013-1917-3) = cf188803c62eb3b2fb722edc11980bd0731ab242
+SHA1 (patch-CVE-2013-1920) = 116d04d095f1bd5296576bbb4c23b18c5ac628bf
+SHA1 (patch-CVE-2013-1964-1) = f3f17d292677b1f9a6520543cf65c61910ed65f0
+SHA1 (patch-CVE-2013-1964-2) = e8d05eb615c13608cb57c70d74cd8cdba80ba14a
SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1917-1 b/sysutils/xenkernel41/patches/patch-CVE-2013-1917-1
new file mode 100644
index 00000000000..d0de992c7d4
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1917-1
@@ -0,0 +1,21 @@
+$NetBSD: patch-CVE-2013-1917-1,v 1.1 2013/04/19 14:02:45 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html
+
+--- xen/arch/x86/acpi/suspend.c.orig
++++ xen/arch/x86/acpi/suspend.c
+@@ -81,8 +81,12 @@ void restore_rest_processor_state(void)
+ }
+
+ #else /* !defined(CONFIG_X86_64) */
+- if ( supervisor_mode_kernel && cpu_has_sep )
+- wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0);
++ if ( cpu_has_sep )
++ {
++ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);
++ if ( supervisor_mode_kernel )
++ wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0);
++ }
+ #endif
+
+ /* Maybe load the debug registers. */
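Review bot: The new `wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);` in the `!defined(CONFIG_X86_64)` branch has no comment explaining why the MSR is zeroed on every SEP-capable CPU, including when `supervisor_mode_kernel` is off. Architecturally a zero IA32_SYSENTER_CS makes SYSENTER raise #GP, which is presumably the intent here, so it should be written down, e.g. `/* Zero SYSENTER_CS so that SYSENTER faults with #GP instead of using whatever the MSR held before resume. */`. The same write is added to cpu_init() in patch-CVE-2013-1917-2 and needs the same comment. restore_rest_processor_state() starts and ends outside the hunk.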
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1917-2 b/sysutils/xenkernel41/patches/patch-CVE-2013-1917-2
new file mode 100644
index 00000000000..63e4ae3ff5d
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1917-2
@@ -0,0 +1,19 @@
+$NetBSD: patch-CVE-2013-1917-2,v 1.1 2013/04/19 14:02:45 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html
+
+--- xen/arch/x86/cpu/common.c.orig
++++ xen/arch/x86/cpu/common.c
+@@ -715,8 +715,11 @@ void __cpuinit cpu_init(void)
+ #if defined(CONFIG_X86_32)
+ t->ss0 = __HYPERVISOR_DS;
+ t->esp0 = get_stack_bottom();
+- if ( supervisor_mode_kernel && cpu_has_sep )
++ if ( cpu_has_sep ) {
++ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);
++ if ( supervisor_mode_kernel )
+ wrmsr(MSR_IA32_SYSENTER_ESP, &t->esp1, 0);
++ }
+ #elif defined(CONFIG_X86_64)
+ /* Bottom-of-stack must be 16-byte aligned! */
+ BUG_ON((get_stack_bottom() & 15) != 0);
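Review bot: `if ( cpu_has_sep ) {` puts the opening brace on the `if` line, while the same construct in patch-CVE-2013-1917-1 puts it on a line of its own; use the own-line form here as well so the two resume/init paths read alike. The `wrmsr(MSR_IA32_SYSENTER_ESP, &t->esp1, 0);` line is carried as unchanged context under the new inner `if ( supervisor_mode_kernel )`, so it appears not to have been re-indented for the extra nesting level and will read as if it belonged to the outer `if`. cpu_init() continues outside the hunk.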
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1917-3 b/sysutils/xenkernel41/patches/patch-CVE-2013-1917-3
new file mode 100644
index 00000000000..505748157a8
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1917-3
@@ -0,0 +1,21 @@
+$NetBSD: patch-CVE-2013-1917-3,v 1.1 2013/04/19 14:02:45 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html
+
+--- xen/arch/x86/x86_64/entry.S.orig
++++ xen/arch/x86/x86_64/entry.S
+@@ -287,7 +287,14 @@ sysenter_eflags_saved:
+ movl $3,UREGS_cs(%rsp) /* ring 3 null cs */
+ movq VCPU_sysenter_addr(%rbx),%rax
+ setne %cl
++ testl $X86_EFLAGS_NT,UREGS_eflags(%rsp)
+ leaq VCPU_trap_bounce(%rbx),%rdx
++UNLIKELY_START(nz, sysenter_nt_set)
++ pushfq
++ andl $~X86_EFLAGS_NT,(%rsp)
++ popfq
++ xorl %eax,%eax
++UNLIKELY_END(sysenter_nt_set)
+ testq %rax,%rax
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+ UNLIKELY_START(z, sysenter_gpf)
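Review bot: The added NT handling depends on two things the hunk leaves unstated. The flags from `testl $X86_EFLAGS_NT,UREGS_eflags(%rsp)` have to survive the intervening `leaq` until `UNLIKELY_START(nz, sysenter_nt_set)`, and `xorl %eax,%eax` appears to be there only so that the following `testq %rax,%rax` takes the `sysenter_gpf` path. A later reordering of these lines would silently undo the fix, so add a comment inside the block such as `/* NT set on SYSENTER: clear it in the live flags and zero %rax to force the #GP path below. */` and one on the `testl` noting that `leaq` leaves the flags intact. The surrounding sysenter path starts and ends outside the hunk.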
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1920 b/sysutils/xenkernel41/patches/patch-CVE-2013-1920
new file mode 100644
index 00000000000..4709590b9a9
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1920
@@ -0,0 +1,23 @@
+$NetBSD: patch-CVE-2013-1920,v 1.1 2013/04/19 14:02:45 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html
+
+--- xen/common/event_channel.c.orig
++++ xen/common/event_channel.c
+@@ -104,7 +104,6 @@ static int get_free_port(struct domain *
+ if ( unlikely(chn == NULL) )
+ return -ENOMEM;
+ memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
+- bucket_from_port(d, port) = chn;
+
+ for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
+ {
+@@ -117,6 +116,8 @@ static int get_free_port(struct domain *
+ }
+ }
+
++ bucket_from_port(d, port) = chn;
++
+ return port;
+ }
+
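Review bot: Nothing records why `bucket_from_port(d, port) = chn;` now has to come after the initialisation loop, so a later cleanup could move it back next to the `memset`. The loop body is outside the hunk, but it presumably has a failure exit that releases `chn`; with the old ordering that exit would leave the domain's bucket slot pointing at freed memory. Add a comment above the assignment, e.g. `/* Publish the bucket only after every channel in it is initialised; an error exit above must not leave it reachable. */`. get_free_port() starts outside the hunk.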
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1964-1 b/sysutils/xenkernel41/patches/patch-CVE-2013-1964-1
new file mode 100644
index 00000000000..259cd99a0c3
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1964-1
@@ -0,0 +1,151 @@
+$NetBSD: patch-CVE-2013-1964-1,v 1.1 2013/04/19 14:02:45 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html
+
+--- xen/common/grant_table.c.orig
++++ xen/common/grant_table.c
+@@ -598,7 +598,7 @@ __gnttab_map_grant_ref(
+ act->start = 0;
+ act->length = PAGE_SIZE;
+ act->is_sub_page = 0;
+- act->trans_dom = rd->domain_id;
++ act->trans_domain = rd;
+ act->trans_gref = op->ref;
+ }
+ }
+@@ -1629,11 +1629,10 @@ __release_grant_for_copy(
+ struct active_grant_entry *act;
+ unsigned long r_frame;
+ uint16_t *status;
+- domid_t trans_domid;
+ grant_ref_t trans_gref;
+ int released_read;
+ int released_write;
+- struct domain *trans_dom;
++ struct domain *td;
+
+ released_read = 0;
+ released_write = 0;
+@@ -1647,15 +1646,13 @@ __release_grant_for_copy(
+ if (rd->grant_table->gt_version == 1)
+ {
+ status = &sha->flags;
+- trans_domid = rd->domain_id;
+- /* Shut the compiler up. This'll never be used, because
+- trans_domid == rd->domain_id, but gcc doesn't know that. */
+- trans_gref = 0x1234567;
++ td = rd;
++ trans_gref = gref;
+ }
+ else
+ {
+ status = &status_entry(rd->grant_table, gref);
+- trans_domid = act->trans_dom;
++ td = act->trans_domain;
+ trans_gref = act->trans_gref;
+ }
+
+@@ -1683,21 +1680,16 @@ __release_grant_for_copy(
+
+ spin_unlock(&rd->grant_table->lock);
+
+- if ( trans_domid != rd->domain_id )
++ if ( td != rd )
+ {
+- if ( released_write || released_read )
+- {
+- trans_dom = rcu_lock_domain_by_id(trans_domid);
+- if ( trans_dom != NULL )
+- {
+- /* Recursive calls, but they're tail calls, so it's
+- okay. */
+- if ( released_write )
+- __release_grant_for_copy(trans_dom, trans_gref, 0);
+- else if ( released_read )
+- __release_grant_for_copy(trans_dom, trans_gref, 1);
+- }
+- }
++ /* Recursive calls, but they're tail calls, so it's
++ okay. */
++ if ( released_write )
++ __release_grant_for_copy(td, trans_gref, 0);
++ else if ( released_read )
++ __release_grant_for_copy(td, trans_gref, 1);
++
++ rcu_unlock_domain(td);
+ }
+ }
+
+@@ -1734,7 +1726,7 @@ __acquire_grant_for_copy(
+ uint32_t old_pin;
+ domid_t trans_domid;
+ grant_ref_t trans_gref;
+- struct domain *rrd;
++ struct domain *td;
+ unsigned long gfn;
+ unsigned long grant_frame;
+ unsigned trans_page_off;
+@@ -1788,8 +1780,8 @@ __acquire_grant_for_copy(
+ status) ) != GNTST_okay )
+ goto unlock_out;
+
+- trans_domid = ld->domain_id;
+- trans_gref = 0;
++ td = rd;
++ trans_gref = gref;
+ if ( sha2 && (shah->flags & GTF_type_mask) == GTF_transitive )
+ {
+ if ( !allow_transitive )
+@@ -1811,14 +1803,15 @@ __acquire_grant_for_copy(
+ that you don't need to go out of your way to avoid it
+ in the guest. */
+
+- rrd = rcu_lock_domain_by_id(trans_domid);
+- if ( rrd == NULL )
++ /* We need to leave the rrd locked during the grant copy */
++ td = rcu_lock_domain_by_id(trans_domid);
++ if ( td == NULL )
+ PIN_FAIL(unlock_out_clear, GNTST_general_error,
+ "transitive grant referenced bad domain %d\n",
+ trans_domid);
+ spin_unlock(&rd->grant_table->lock);
+
+- rc = __acquire_grant_for_copy(rrd, trans_gref, rd,
++ rc = __acquire_grant_for_copy(td, trans_gref, rd,
+ readonly, &grant_frame,
+ &trans_page_off, &trans_length,
+ 0, &ignore);
+@@ -1826,6 +1819,7 @@ __acquire_grant_for_copy(
+ spin_lock(&rd->grant_table->lock);
+ if ( rc != GNTST_okay ) {
+ __fixup_status_for_copy_pin(act, status);
++ rcu_unlock_domain(td);
+ spin_unlock(&rd->grant_table->lock);
+ return rc;
+ }
+@@ -1837,6 +1831,7 @@ __acquire_grant_for_copy(
+ if ( act->pin != old_pin )
+ {
+ __fixup_status_for_copy_pin(act, status);
++ rcu_unlock_domain(td);
+ spin_unlock(&rd->grant_table->lock);
+ return __acquire_grant_for_copy(rd, gref, ld, readonly,
+ frame, page_off, length,
+@@ -1848,7 +1843,7 @@ __acquire_grant_for_copy(
+ sub-page, but we always treat it as one because that
+ blocks mappings of transitive grants. */
+ is_sub_page = 1;
+- *owning_domain = rrd;
++ *owning_domain = td;
+ act->gfn = -1ul;
+ }
+ else if ( sha1 )
+@@ -1894,7 +1889,7 @@ __acquire_grant_for_copy(
+ act->is_sub_page = is_sub_page;
+ act->start = trans_page_off;
+ act->length = trans_length;
+- act->trans_dom = trans_domid;
++ act->trans_domain = td;
+ act->trans_gref = trans_gref;
+ act->frame = grant_frame;
+ }
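Review bot: The comment kept in __release_grant_for_copy, `Recursive calls, but they're tail calls, so it's okay.`, is no longer accurate, because `rcu_unlock_domain(td);` now runs after the recursive call returns. Reword it to state what actually bounds the recursion; the recursive __acquire_grant_for_copy call passes `0` in what looks like the allow_transitive position, which suggests a single level, but that should be confirmed and written down. The new comment in __acquire_grant_for_copy, `We need to leave the rrd locked during the grant copy`, still names `rrd` after the variable became `td`, and it should also say that the matching `rcu_unlock_domain(td)` is in __release_grant_for_copy. All of these functions extend beyond the hunks shown.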
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1964-2 b/sysutils/xenkernel41/patches/patch-CVE-2013-1964-2
new file mode 100644
index 00000000000..b488954fc4d
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1964-2
@@ -0,0 +1,15 @@
+$NetBSD: patch-CVE-2013-1964-2,v 1.1 2013/04/19 14:02:46 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html
+
+--- xen/include/xen/grant_table.h.orig
++++ xen/include/xen/grant_table.h
+@@ -32,7 +32,7 @@
+ struct active_grant_entry {
+ u32 pin; /* Reference count information. */
+ domid_t domid; /* Domain being granted access. */
+- domid_t trans_dom;
++ struct domain *trans_domain;
+ uint32_t trans_gref;
+ unsigned long frame; /* Frame being granted. */
+ unsigned long gfn; /* Guest's idea of the frame being granted. */
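Review bot: `struct domain *trans_domain;` is added without a comment, although the neighbouring fields have one and a raw domain pointer raises a lifetime question that the old `domid_t` did not. From patch-CVE-2013-1964-1 it appears the pointer is either the granting domain itself or a domain obtained with `rcu_lock_domain_by_id()` and released in __release_grant_for_copy. State that on the field, e.g. `/* Source domain of a transitive grant; RCU-locked while the entry is active unless it is the granter itself. */`. The struct continues past the hunk.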