diff options
author | bouyer <bouyer@pkgsrc.org> | 2016-12-20 10:22:28 +0000 |
---|---|---|
committer | bouyer <bouyer@pkgsrc.org> | 2016-12-20 10:22:28 +0000 |
commit | 7f26264716966bf1840525c72bf2e8746218a2c5 (patch) | |
tree | 9f6404a713979300f155f3f05fd9b6c8891130ee | |
parent | 732240f69c800cd8be6b79fd2ac54198313f12b2 (diff) | |
download | pkgsrc-7f26264716966bf1840525c72bf2e8746218a2c5.tar.gz |
Apply upstream patch for XSA-199, XSA-200 and XSA-204.
Bump PKGREVISIONs
28 files changed, 939 insertions, 24 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index 1d162423900..41f492e8e4d 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.52 2016/11/22 20:53:40 bouyer Exp $ +# $NetBSD: Makefile,v 1.53 2016/12/20 10:22:28 bouyer Exp $ VERSION= 4.1.6.1 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 21 +PKGREVISION= 22 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index 63b80f2f23f..fadc348ba56 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.45 2016/11/22 20:53:40 bouyer Exp $ +$NetBSD: distinfo,v 1.46 2016/12/20 10:22:28 bouyer Exp $ SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 @@ -44,6 +44,8 @@ SHA1 (patch-XSA-187-2) = e21b24771fa9417f593b8f6d1550660bbad36b98 SHA1 (patch-XSA-191) = 5da559e104543b8d22ea60378d9160d2ad83b8d0 SHA1 (patch-XSA-192) = b0f2801fe6db91c2a98b82897cdee057062c6c2b SHA1 (patch-XSA-195) = a04295b397126e1cc1f129bb3cb9fb872fcbb373 +SHA1 (patch-XSA-200) = 2e5f6e3596fa754030af29a1dc8fafb738ad1da4 +SHA1 (patch-XSA-204) = 99e2b88b551d80724fcc27f925fbf65d3fc468de SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b diff --git a/sysutils/xenkernel41/patches/patch-XSA-200 b/sysutils/xenkernel41/patches/patch-XSA-200 new file mode 100644 index 00000000000..8ffb7246c60 --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-XSA-200 @@ -0,0 +1,57 @@ +$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $ + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86emul: CMPXCHG8B ignores operand size prefix + +Otherwise besides mis-handling the instruction, the comparison failure +case would result in uninitialized stack data being handed back to the +guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit +ones). + +This is XSA-200. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- tools/tests/x86_emulator/test_x86_emulator.c.orig ++++ tools/tests/x86_emulator/test_x86_emulator.c +@@ -429,6 +429,24 @@ int main(int argc, char **argv) + goto fail; + printf("okay\n"); + ++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]..."); ++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f; ++ res[0] = 0x12345678; ++ res[1] = 0x87654321; ++ regs.eflags = 0x200; ++ regs.eip = (unsigned long)&instr[0]; ++ regs.edi = (unsigned long)res; ++ rc = x86_emulate(&ctxt, &emulops); ++ if ( (rc != X86EMUL_OKAY) || ++ (res[0] != 0x12345678) || ++ (res[1] != 0x87654321) || ++ (regs.eax != 0x12345678) || ++ (regs.edx != 0x87654321) || ++ ((regs.eflags&0x240) != 0x200) || ++ (regs.eip != (unsigned long)&instr[4]) ) ++ goto fail; ++ printf("okay\n"); ++ + printf("%-40s", "Testing movsxbd (%%eax),%%ecx..."); + instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08; + regs.eflags = 0x200; +--- ./xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 21:54:25.000000000 +0100 ++++ ./xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:00:32.000000000 +0100 +@@ -4183,7 +4183,12 @@ + + generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1); + generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); +- op_bytes *= 2; ++ if ( op_bytes == 8 ) ++ { ++ /* vcpu_must_have_cx16() XXX doens't exists */ ++ op_bytes = 16; ++ } else ++ op_bytes = 8; + + /* Get actual old value. */ + for ( i = 0; i < (op_bytes/sizeof(long)); i++ ) diff --git a/sysutils/xenkernel41/patches/patch-XSA-204 b/sysutils/xenkernel41/patches/patch-XSA-204 new file mode 100644 index 00000000000..72f272056a6 --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-XSA-204 @@ -0,0 +1,71 @@ +$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $ + +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Sun, 18 Dec 2016 15:42:59 +0000 +Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL + +A singlestep #DB is determined by the resulting eflags value from the +execution of SYSCALL, not the original eflags value. + +By using the original eflags value, we negate the guest kernels attempt to +protect itself from a privilege escalation by masking TF. + +Introduce a tf boolean and have the SYSCALL emulation recalculate it +after the instruction is complete. + +This is XSA-204 + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +--- + xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index 0c43fe1..f675dc9 100644 +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 22:02:25.000000000 +0100 ++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:05:31.000000000 +0100 +@@ -1233,6 +1233,7 @@ + #define REPE_PREFIX 1 + #define REPNE_PREFIX 2 + unsigned int lock_prefix = 0, rep_prefix = 0; ++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF); + int override_seg = -1, rc = X86EMUL_OKAY; + struct operand src, dst; + +@@ -3498,9 +3499,8 @@ + break; + } + +- /* Inject #DB if single-step tracing was enabled at instruction start. */ +- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && +- (ops->inject_hw_exception != NULL) ) ++ /* Should a singlestep #DB be raised? */ ++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) + rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; + + /* Commit shadow register state. */ +@@ -3685,6 +3685,23 @@ + (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) ) + goto done; + ++ /* ++ * SYSCALL (unlike most instructions) evaluates its singlestep action ++ * based on the resulting EFLG_TF, not the starting EFLG_TF. ++ * ++ * As the #DB is raised after the CPL change and before the OS can ++ * switch stack, it is a large risk for privilege escalation. ++ * ++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any ++ * vulnerability. Running the #DB handler on an IST stack is also a ++ * mitigation. ++ * ++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only ++ * mitigation is to use a task gate for handling #DB (or to not use ++ * enable EFER.SCE to start with). ++ */ ++ tf = !!(_regs.eflags & EFLG_TF); ++ + break; + } + diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile index db0257f8d8e..e4f065a0812 100644 --- a/sysutils/xenkernel42/Makefile +++ b/sysutils/xenkernel42/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.24 2016/11/22 20:55:29 bouyer Exp $ +# $NetBSD: Makefile,v 1.25 2016/12/20 10:22:28 bouyer Exp $ VERSION= 4.2.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel42-${VERSION} -PKGREVISION= 13 +PKGREVISION= 14 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo index b88165351f0..8471467ea4c 100644 --- a/sysutils/xenkernel42/distinfo +++ b/sysutils/xenkernel42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.23 2016/11/22 20:55:29 bouyer Exp $ +$NetBSD: distinfo,v 1.24 2016/12/20 10:22:28 bouyer Exp $ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19 @@ -33,6 +33,8 @@ SHA1 (patch-XSA-187-2) = ed2d384b4cf429443560afbf71b42fb4123a279b SHA1 (patch-XSA-191) = 7a5e2e78c457c5922e2ccd711f2a39afba238e40 SHA1 (patch-XSA-192) = f95757227ece59a2f320308edefcf01f1a96212c SHA1 (patch-XSA-195) = bb20234c4db0dc098ea47564732e87710bfcb9d8 +SHA1 (patch-XSA-200) = 2f615fa9c4ac43fc98f6c897acb5ee7e4651a668 +SHA1 (patch-XSA-204) = f6a59adf3cbd0aab59ccf233240a6b4e9ee2913b SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f diff --git a/sysutils/xenkernel42/patches/patch-XSA-200 b/sysutils/xenkernel42/patches/patch-XSA-200 new file mode 100644 index 00000000000..ad17c28ec73 --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-XSA-200 @@ -0,0 +1,57 @@ +$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $ + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86emul: CMPXCHG8B ignores operand size prefix + +Otherwise besides mis-handling the instruction, the comparison failure +case would result in uninitialized stack data being handed back to the +guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit +ones). + +This is XSA-200. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- tools/tests/x86_emulator/test_x86_emulator.c.orig ++++ tools/tests/x86_emulator/test_x86_emulator.c +@@ -429,6 +429,24 @@ int main(int argc, char **argv) + goto fail; + printf("okay\n"); + ++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]..."); ++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f; ++ res[0] = 0x12345678; ++ res[1] = 0x87654321; ++ regs.eflags = 0x200; ++ regs.eip = (unsigned long)&instr[0]; ++ regs.edi = (unsigned long)res; ++ rc = x86_emulate(&ctxt, &emulops); ++ if ( (rc != X86EMUL_OKAY) || ++ (res[0] != 0x12345678) || ++ (res[1] != 0x87654321) || ++ (regs.eax != 0x12345678) || ++ (regs.edx != 0x87654321) || ++ ((regs.eflags&0x240) != 0x200) || ++ (regs.eip != (unsigned long)&instr[4]) ) ++ goto fail; ++ printf("okay\n"); ++ + printf("%-40s", "Testing movsxbd (%%eax),%%ecx..."); + instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08; + regs.eflags = 0x200; +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -4494,9 +4498,11 @@ + + generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1); + generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); +- if ( op_bytes == 8 ) ++ if ( op_bytes == 8 ) { + vcpu_must_have_cx16(); +- op_bytes *= 2; ++ op_bytes = 16; ++ } else ++ op_bytes = 8; + + /* Get actual old value. */ + for ( i = 0; i < (op_bytes/sizeof(long)); i++ ) diff --git a/sysutils/xenkernel42/patches/patch-XSA-204 b/sysutils/xenkernel42/patches/patch-XSA-204 new file mode 100644 index 00000000000..68f30ab3306 --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-XSA-204 @@ -0,0 +1,71 @@ +$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $ + +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Sun, 18 Dec 2016 15:42:59 +0000 +Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL + +A singlestep #DB is determined by the resulting eflags value from the +execution of SYSCALL, not the original eflags value. + +By using the original eflags value, we negate the guest kernels attempt to +protect itself from a privilege escalation by masking TF. + +Introduce a tf boolean and have the SYSCALL emulation recalculate it +after the instruction is complete. + +This is XSA-204 + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +--- + xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index 0c43fe1..f675dc9 100644 +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 23:22:20.000000000 +0100 ++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 23:22:38.000000000 +0100 +@@ -1348,6 +1348,7 @@ + union vex vex = {}; + unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes; + bool_t lock_prefix = 0; ++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF); + int override_seg = -1, rc = X86EMUL_OKAY; + struct operand src, dst; + DECLARE_ALIGNED(mmval_t, mmval); +@@ -3679,9 +3680,8 @@ + break; + } + +- /* Inject #DB if single-step tracing was enabled at instruction start. */ +- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && +- (ops->inject_hw_exception != NULL) ) ++ /* Should a singlestep #DB be raised? */ ++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) + rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; + + /* Commit shadow register state. */ +@@ -3866,6 +3866,23 @@ + (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) ) + goto done; + ++ /* ++ * SYSCALL (unlike most instructions) evaluates its singlestep action ++ * based on the resulting EFLG_TF, not the starting EFLG_TF. ++ * ++ * As the #DB is raised after the CPL change and before the OS can ++ * switch stack, it is a large risk for privilege escalation. ++ * ++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any ++ * vulnerability. Running the #DB handler on an IST stack is also a ++ * mitigation. ++ * ++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only ++ * mitigation is to use a task gate for handling #DB (or to not use ++ * enable EFER.SCE to start with). ++ */ ++ tf = !!(_regs.eflags & EFLG_TF); ++ + break; + } + diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile index 34cbdb133b8..2a33f683875 100644 --- a/sysutils/xenkernel45/Makefile +++ b/sysutils/xenkernel45/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.23 2016/11/22 20:57:10 bouyer Exp $ +# $NetBSD: Makefile,v 1.24 2016/12/20 10:22:28 bouyer Exp $ VERSION= 4.5.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel45-${VERSION} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo index 82a10dd7dc6..757dc13cad1 100644 --- a/sysutils/xenkernel45/distinfo +++ b/sysutils/xenkernel45/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.19 2016/11/22 20:57:10 bouyer Exp $ +$NetBSD: distinfo,v 1.20 2016/12/20 10:22:28 bouyer Exp $ SHA1 (xen-4.5.5.tar.gz) = 4073d411c72d3298baacfc15577b92b9ae577073 RMD160 (xen-4.5.5.tar.gz) = 34132ab04752dc594fbdc1404c95f402b7bbbe39 @@ -11,6 +11,8 @@ SHA1 (patch-XSA-193) = 7088e2278da771f7140eb0d4200dc877326cfa5a SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7 SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0 +SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874 +SHA1 (patch-XSA-204) = 4d5616f418e3ea010af4cb9e5d1ad14c8adcbf1c SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03 diff --git a/sysutils/xenkernel45/patches/patch-XSA-200 b/sysutils/xenkernel45/patches/patch-XSA-200 new file mode 100644 index 00000000000..377bb6bef9a --- /dev/null +++ b/sysutils/xenkernel45/patches/patch-XSA-200 @@ -0,0 +1,57 @@ +$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $ + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86emul: CMPXCHG8B ignores operand size prefix + +Otherwise besides mis-handling the instruction, the comparison failure +case would result in uninitialized stack data being handed back to the +guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit +ones). + +This is XSA-200. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- tools/tests/x86_emulator/test_x86_emulator.c.orig ++++ tools/tests/x86_emulator/test_x86_emulator.c +@@ -429,6 +429,24 @@ int main(int argc, char **argv) + goto fail; + printf("okay\n"); + ++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]..."); ++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f; ++ res[0] = 0x12345678; ++ res[1] = 0x87654321; ++ regs.eflags = 0x200; ++ regs.eip = (unsigned long)&instr[0]; ++ regs.edi = (unsigned long)res; ++ rc = x86_emulate(&ctxt, &emulops); ++ if ( (rc != X86EMUL_OKAY) || ++ (res[0] != 0x12345678) || ++ (res[1] != 0x87654321) || ++ (regs.eax != 0x12345678) || ++ (regs.edx != 0x87654321) || ++ ((regs.eflags&0x240) != 0x200) || ++ (regs.eip != (unsigned long)&instr[4]) ) ++ goto fail; ++ printf("okay\n"); ++ + printf("%-40s", "Testing movsxbd (%%eax),%%ecx..."); + instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08; + regs.eflags = 0x200; +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -4739,8 +4739,12 @@ x86_emulate( + generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1); + generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); + if ( op_bytes == 8 ) ++ { + vcpu_must_have_cx16(); +- op_bytes *= 2; ++ op_bytes = 16; ++ } ++ else ++ op_bytes = 8; + + /* Get actual old value. */ + if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes, diff --git a/sysutils/xenkernel45/patches/patch-XSA-204 b/sysutils/xenkernel45/patches/patch-XSA-204 new file mode 100644 index 00000000000..30386bb2946 --- /dev/null +++ b/sysutils/xenkernel45/patches/patch-XSA-204 @@ -0,0 +1,71 @@ +$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $ + +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Sun, 18 Dec 2016 15:42:59 +0000 +Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL + +A singlestep #DB is determined by the resulting eflags value from the +execution of SYSCALL, not the original eflags value. + +By using the original eflags value, we negate the guest kernels attempt to +protect itself from a privilege escalation by masking TF. + +Introduce a tf boolean and have the SYSCALL emulation recalculate it +after the instruction is complete. + +This is XSA-204 + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +--- + xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index 0c43fe1..f675dc9 100644 +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -1537,6 +1537,7 @@ x86_emulate( + union vex vex = {}; + unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes; + bool_t lock_prefix = 0; ++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF); + int override_seg = -1, rc = X86EMUL_OKAY; + struct operand src = { .reg = REG_POISON }; + struct operand dst = { .reg = REG_POISON }; +@@ -3881,9 +3882,8 @@ x86_emulate( + break; + } + +- /* Inject #DB if single-step tracing was enabled at instruction start. */ +- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && +- (ops->inject_hw_exception != NULL) ) ++ /* Should a singlestep #DB be raised? */ ++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) + rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; + + /* Commit shadow register state. */ +@@ -4068,6 +4068,23 @@ x86_emulate( + (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) ) + goto done; + ++ /* ++ * SYSCALL (unlike most instructions) evaluates its singlestep action ++ * based on the resulting EFLG_TF, not the starting EFLG_TF. ++ * ++ * As the #DB is raised after the CPL change and before the OS can ++ * switch stack, it is a large risk for privilege escalation. ++ * ++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any ++ * vulnerability. Running the #DB handler on an IST stack is also a ++ * mitigation. ++ * ++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only ++ * mitigation is to use a task gate for handling #DB (or to not use ++ * enable EFER.SCE to start with). ++ */ ++ tf = !!(_regs.eflags & EFLG_TF); ++ + break; + } + diff --git a/sysutils/xenkernel46/Makefile b/sysutils/xenkernel46/Makefile index 9d8f9145605..90f2eae8c87 100644 --- a/sysutils/xenkernel46/Makefile +++ b/sysutils/xenkernel46/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $ +# $NetBSD: Makefile,v 1.5 2016/12/20 10:22:28 bouyer Exp $ VERSION= 4.6.3 DISTNAME= xen-${VERSION} PKGNAME= xenkernel46-${VERSION} -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel46/distinfo b/sysutils/xenkernel46/distinfo index 9f27eae0420..7f29e20354d 100644 --- a/sysutils/xenkernel46/distinfo +++ b/sysutils/xenkernel46/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.3 2016/11/22 20:59:01 bouyer Exp $ +$NetBSD: distinfo,v 1.4 2016/12/20 10:22:28 bouyer Exp $ SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349 RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74 @@ -16,6 +16,8 @@ SHA1 (patch-XSA-193) = 89fdeea8af25de42bbd207df1b2f3dcd3b61778f SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7 SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0 +SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874 +SHA1 (patch-XSA-204) = 05defb8d99976a712024d35a81f4dde5627107d9 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03 diff --git a/sysutils/xenkernel46/patches/patch-XSA-200 b/sysutils/xenkernel46/patches/patch-XSA-200 new file mode 100644 index 00000000000..ac0612764bc --- /dev/null +++ b/sysutils/xenkernel46/patches/patch-XSA-200 @@ -0,0 +1,57 @@ +$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:29 bouyer Exp $ + +From: Jan Beulich <jbeulich@suse.com> +Subject: x86emul: CMPXCHG8B ignores operand size prefix + +Otherwise besides mis-handling the instruction, the comparison failure +case would result in uninitialized stack data being handed back to the +guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit +ones). + +This is XSA-200. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- tools/tests/x86_emulator/test_x86_emulator.c.orig ++++ tools/tests/x86_emulator/test_x86_emulator.c +@@ -429,6 +429,24 @@ int main(int argc, char **argv) + goto fail; + printf("okay\n"); + ++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]..."); ++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f; ++ res[0] = 0x12345678; ++ res[1] = 0x87654321; ++ regs.eflags = 0x200; ++ regs.eip = (unsigned long)&instr[0]; ++ regs.edi = (unsigned long)res; ++ rc = x86_emulate(&ctxt, &emulops); ++ if ( (rc != X86EMUL_OKAY) || ++ (res[0] != 0x12345678) || ++ (res[1] != 0x87654321) || ++ (regs.eax != 0x12345678) || ++ (regs.edx != 0x87654321) || ++ ((regs.eflags&0x240) != 0x200) || ++ (regs.eip != (unsigned long)&instr[4]) ) ++ goto fail; ++ printf("okay\n"); ++ + printf("%-40s", "Testing movsxbd (%%eax),%%ecx..."); + instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08; + regs.eflags = 0x200; +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -4739,8 +4739,12 @@ x86_emulate( + generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1); + generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); + if ( op_bytes == 8 ) ++ { + vcpu_must_have_cx16(); +- op_bytes *= 2; ++ op_bytes = 16; ++ } ++ else ++ op_bytes = 8; + + /* Get actual old value. */ + if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes, diff --git a/sysutils/xenkernel46/patches/patch-XSA-204 b/sysutils/xenkernel46/patches/patch-XSA-204 new file mode 100644 index 00000000000..804423de01e --- /dev/null +++ b/sysutils/xenkernel46/patches/patch-XSA-204 @@ -0,0 +1,71 @@ +$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:29 bouyer Exp $ + +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Sun, 18 Dec 2016 15:42:59 +0000 +Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL + +A singlestep #DB is determined by the resulting eflags value from the +execution of SYSCALL, not the original eflags value. + +By using the original eflags value, we negate the guest kernels attempt to +protect itself from a privilege escalation by masking TF. + +Introduce a tf boolean and have the SYSCALL emulation recalculate it +after the instruction is complete. + +This is XSA-204 + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +--- + xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index bca7045..abe442e 100644 +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -1582,6 +1582,7 @@ x86_emulate( + union vex vex = {}; + unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes; + bool_t lock_prefix = 0; ++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF); + int override_seg = -1, rc = X86EMUL_OKAY; + struct operand src = { .reg = REG_POISON }; + struct operand dst = { .reg = REG_POISON }; +@@ -3910,9 +3911,8 @@ x86_emulate( + } + + no_writeback: +- /* Inject #DB if single-step tracing was enabled at instruction start. */ +- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && +- (ops->inject_hw_exception != NULL) ) ++ /* Should a singlestep #DB be raised? */ ++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) + rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; + + /* Commit shadow register state. */ +@@ -4143,6 +4143,23 @@ x86_emulate( + (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) ) + goto done; + ++ /* ++ * SYSCALL (unlike most instructions) evaluates its singlestep action ++ * based on the resulting EFLG_TF, not the starting EFLG_TF. ++ * ++ * As the #DB is raised after the CPL change and before the OS can ++ * switch stack, it is a large risk for privilege escalation. ++ * ++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any ++ * vulnerability. Running the #DB handler on an IST stack is also a ++ * mitigation. ++ * ++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only ++ * mitigation is to use a task gate for handling #DB (or to not use ++ * enable EFER.SCE to start with). ++ */ ++ tf = !!(_regs.eflags & EFLG_TF); ++ + break; + } + diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile index 7ea97642405..14adae51595 100644 --- a/sysutils/xentools41/Makefile +++ b/sysutils/xentools41/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.64 2016/11/22 20:53:40 bouyer Exp $ +# $NetBSD: Makefile,v 1.65 2016/12/20 10:22:29 bouyer Exp $ # # VERSION is set in version.mk as it is shared with other packages .include "version.mk" DISTNAME= xen-${VERSION} PKGNAME= xentools41-${VERSION} -PKGREVISION= 17 +PKGREVISION= 18 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo index 1e06c865a9d..4c7d5aaeb4a 100644 --- a/sysutils/xentools41/distinfo +++ b/sysutils/xentools41/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.43 2016/11/22 20:53:40 bouyer Exp $ +$NetBSD: distinfo,v 1.44 2016/12/20 10:22:29 bouyer Exp $ SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 @@ -19,6 +19,7 @@ SHA1 (patch-CVE-2015-8550) = dfd72a54d27211c1059579819b9b4c702399a0fc SHA1 (patch-CVE-2015-8554) = 7f444009519399038c657fa3e59fd2170f99bb70 SHA1 (patch-XSA-197) = 4980664bbb3f3d8277f888f6304a8552ec714a26 SHA1 (patch-XSA-198) = 98a18927de1e3427cb4fbcc5675fa608d1cd5ba8 +SHA1 (patch-XSA-199) = 406f14cdb356f0d7abe3a843a5efa1dc398c77bd SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb diff --git a/sysutils/xentools41/patches/patch-XSA-199 b/sysutils/xentools41/patches/patch-XSA-199 new file mode 100644 index 00000000000..af551486fd5 --- /dev/null +++ b/sysutils/xentools41/patches/patch-XSA-199 @@ -0,0 +1,90 @@ +$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $ + +From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Mon, 14 Nov 2016 17:19:46 +0000 +Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit + addresses + +On x86, ioport addresses are 16-bit. That these functions take 32-bit +arguments is a mistake. Changing the argument type to 16-bit will +discard the top bits of any erroneous values from elsewhere in qemu. + +Also, check just before use that the value is in range. (This turns +an ill-advised change to MAX_IOPORTS into a possible guest crash +rather than a privilege escalation vulnerability.) + +And, in the Xen ioreq processor, clamp incoming ioport addresses to +16-bit values. Xen will never write >16-bit values but the guest may +have access to the ioreq ring. We want to defend the rest of the qemu +code from wrong values. + +This is XSA-199. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +--- + i386-dm/helper2.c | 2 ++ + vl.c | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c +index 2706f2e..5d276bb 100644 +--- ioemu-qemu-xen/i386-dm/helper2.c.orig ++++ ioemu-qemu-xen/i386-dm/helper2.c +@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req) + + sign = req->df ? -1 : 1; + ++ req->addr &= 0x0ffffU; ++ + if (req->size > sizeof(req->data)) { + fprintf(stderr, "MMIO: bad size (%u)\n", req->size); + exit(-1); +diff --git a/vl.c b/vl.c +index f9c4d7e..c3c5d63 100644 +--- ioemu-qemu-xen/vl.c.orig ++++ ioemu-qemu-xen/vl.c +@@ -52,6 +52,7 @@ + + #include <xen/hvm/hvm_info_table.h> + ++#include <assert.h> + #include <unistd.h> + #include <fcntl.h> + #include <signal.h> +@@ -290,26 +291,30 @@ PicState2 *isa_pic; + static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl; + static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel; + +-static uint32_t ioport_read(int index, uint32_t address) ++static uint32_t ioport_read(int index, uint16_t address) + { + static IOPortReadFunc *default_func[3] = { + default_ioport_readb, + default_ioport_readw, + default_ioport_readl + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortReadFunc *func = ioport_read_table[index][address]; + if (!func) + func = default_func[index]; + return func(ioport_opaque[address], address); + } + +-static void ioport_write(int index, uint32_t address, uint32_t data) ++static void ioport_write(int index, uint16_t address, uint32_t data) + { + static IOPortWriteFunc *default_func[3] = { + default_ioport_writeb, + default_ioport_writew, + default_ioport_writel + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortWriteFunc *func = ioport_write_table[index][address]; + if (!func) + func = default_func[index]; +-- +2.1.4 diff --git a/sysutils/xentools42/Makefile b/sysutils/xentools42/Makefile index 23d53d6f16b..d3f263e3778 100644 --- a/sysutils/xentools42/Makefile +++ b/sysutils/xentools42/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.51 2016/11/22 20:55:29 bouyer Exp $ +# $NetBSD: Makefile,v 1.52 2016/12/20 10:22:29 bouyer Exp $ VERSION= 4.2.5 VERSION_IPXE= 1.0.0 DISTNAME= xen-${VERSION} PKGNAME= xentools42-${VERSION} -PKGREVISION= 19 +PKGREVISION= 20 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools42/distinfo b/sysutils/xentools42/distinfo index 766b8ba9802..bac6d0c0e31 100644 --- a/sysutils/xentools42/distinfo +++ b/sysutils/xentools42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.29 2016/11/22 20:55:29 bouyer Exp $ +$NetBSD: distinfo,v 1.30 2016/12/20 10:22:29 bouyer Exp $ SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 @@ -42,6 +42,7 @@ SHA1 (patch-Rules.mk) = 25a04293f6fe638ba5f3bd5e09b2b091cd201023 SHA1 (patch-XSA-197-1) = 79b4bc63bfbe7f69ed3ba38a667f185f8cb65cc9 SHA1 (patch-XSA-197-2) = 1734d4313b66f958a312676da489b94773524128 SHA1 (patch-XSA-198) = 38d120b4be3e04f87e75e6838a64d44e180d708b +SHA1 (patch-XSA-199) = e34c7557a1df7131000f5e408e89d3aaa4b10189 SHA1 (patch-blktap_drivers_Makefile) = c6be57154a403a64e3d6bc22d6bd833fe33fc9af SHA1 (patch-configure) = 11df58a8e1cd6bcc319db0aff508367e59592cba SHA1 (patch-examples_Makefile) = ee02f973416ca4ffda5381cd7a4ddb3b43579621 diff --git a/sysutils/xentools42/patches/patch-XSA-199 b/sysutils/xentools42/patches/patch-XSA-199 new file mode 100644 index 00000000000..f5e1be72751 --- /dev/null +++ b/sysutils/xentools42/patches/patch-XSA-199 @@ -0,0 +1,121 @@ +$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $ + +From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Mon, 14 Nov 2016 17:19:46 +0000 +Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit + addresses + +On x86, ioport addresses are 16-bit. That these functions take 32-bit +arguments is a mistake. Changing the argument type to 16-bit will +discard the top bits of any erroneous values from elsewhere in qemu. + +Also, check just before use that the value is in range. (This turns +an ill-advised change to MAX_IOPORTS into a possible guest crash +rather than a privilege escalation vulnerability.) + +And, in the Xen ioreq processor, clamp incoming ioport addresses to +16-bit values. Xen will never write >16-bit values but the guest may +have access to the ioreq ring. We want to defend the rest of the qemu +code from wrong values. + +This is XSA-199. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +--- + i386-dm/helper2.c | 2 ++ + vl.c | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c +index 2706f2e..5d276bb 100644 +--- qemu-xen-traditional/i386-dm/helper2.c.orig ++++ qemu-xen-traditional/i386-dm/helper2.c +@@ -355,6 +355,8 @@ + + sign = req->df ? -1 : 1; + ++ req->addr &= 0x0ffffU; ++ + if (req->size > sizeof(unsigned long)) { + fprintf(stderr, "PIO: bad size (%u)\n", req->size); + exit(-1); +diff --git a/vl.c b/vl.c +index f9c4d7e..c3c5d63 100644 +--- qemu-xen-traditional/vl.c.orig ++++ qemu-xen-traditional/vl.c +@@ -52,6 +52,7 @@ + + #include <xen/hvm/hvm_info_table.h> + ++#include <assert.h> + #include <unistd.h> + #include <fcntl.h> + #include <signal.h> +@@ -290,26 +291,30 @@ PicState2 *isa_pic; + static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl; + static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel; + +-static uint32_t ioport_read(int index, uint32_t address) ++static uint32_t ioport_read(int index, uint16_t address) + { + static IOPortReadFunc *default_func[3] = { + default_ioport_readb, + default_ioport_readw, + default_ioport_readl + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortReadFunc *func = ioport_read_table[index][address]; + if (!func) + func = default_func[index]; + return func(ioport_opaque[address], address); + } + +-static void ioport_write(int index, uint32_t address, uint32_t data) ++static void ioport_write(int index, uint16_t address, uint32_t data) + { + static IOPortWriteFunc *default_func[3] = { + default_ioport_writeb, + default_ioport_writew, + default_ioport_writel + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortWriteFunc *func = ioport_write_table[index][address]; + if (!func) + func = default_func[index]; +-- +2.1.4 +--- qemu-xen/xen-all.c.orig 2016-12-20 10:53:18.000000000 +0100 ++++ qemu-xen/xen-all.c 2016-12-20 10:53:46.000000000 +0100 +@@ -661,6 +661,8 @@ + + sign = req->df ? -1 : 1; + ++ req->addr &= 0x0ffffU; ++ + if (req->size > sizeof(uint32_t)) { + hw_error("PIO: bad size (%u)", req->size); + } +--- qemu-xen/ioport.c.orig 2016-12-20 10:57:45.000000000 +0100 ++++ qemu-xen/ioport.c 2016-12-20 10:58:26.000000000 +0100 +@@ -64,6 +64,8 @@ + default_ioport_readl + }; + IOPortReadFunc *func = ioport_read_table[index][address]; ++ if (address >= MAX_IOPORTS) ++ abort(); + if (!func) + func = default_func[index]; + return func(ioport_opaque[address], address); +@@ -76,6 +78,8 @@ + default_ioport_writew, + default_ioport_writel + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortWriteFunc *func = ioport_write_table[index][address]; + if (!func) + func = default_func[index]; diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile index 7ddad223c85..c2d878c5461 100644 --- a/sysutils/xentools45/Makefile +++ b/sysutils/xentools45/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.40 2016/11/22 20:57:10 bouyer Exp $ +# $NetBSD: Makefile,v 1.41 2016/12/20 10:22:29 bouyer Exp $ VERSION= 4.5.5 -PKGREVISION= 1 +PKGREVISION= 2 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo index c17f882c45b..c77ad564d8f 100644 --- a/sysutils/xentools45/distinfo +++ b/sysutils/xentools45/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.28 2016/11/22 20:57:10 bouyer Exp $ +$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 @@ -24,6 +24,7 @@ SHA1 (patch-XSA-184) = b9089f29b67d1756e2c4919df30041282cebdfed SHA1 (patch-XSA-197-1) = a481196957f8942253cb18e5eef089e491d02652 SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7 +SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f diff --git a/sysutils/xentools45/patches/patch-XSA-199 b/sysutils/xentools45/patches/patch-XSA-199 new file mode 100644 index 00000000000..d91d01cd430 --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-199 @@ -0,0 +1,90 @@ +$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $ + +From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Mon, 14 Nov 2016 17:19:46 +0000 +Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit + addresses + +On x86, ioport addresses are 16-bit. That these functions take 32-bit +arguments is a mistake. Changing the argument type to 16-bit will +discard the top bits of any erroneous values from elsewhere in qemu. + +Also, check just before use that the value is in range. (This turns +an ill-advised change to MAX_IOPORTS into a possible guest crash +rather than a privilege escalation vulnerability.) + +And, in the Xen ioreq processor, clamp incoming ioport addresses to +16-bit values. Xen will never write >16-bit values but the guest may +have access to the ioreq ring. We want to defend the rest of the qemu +code from wrong values. + +This is XSA-199. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +--- + i386-dm/helper2.c | 2 ++ + vl.c | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c +index 2706f2e..5d276bb 100644 +--- qemu-xen-traditional/i386-dm/helper2.c.orig ++++ qemu-xen-traditional/i386-dm/helper2.c +@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req) + { + uint32_t i; + ++ req->addr &= 0x0ffffU; ++ + if (req->size > sizeof(unsigned long)) { + fprintf(stderr, "PIO: bad size (%u)\n", req->size); + exit(-1); +diff --git a/vl.c b/vl.c +index f9c4d7e..c3c5d63 100644 +--- qemu-xen-traditional/vl.c.orig ++++ qemu-xen-traditional/vl.c +@@ -52,6 +52,7 @@ + + #include <xen/hvm/hvm_info_table.h> + ++#include <assert.h> + #include <unistd.h> + #include <fcntl.h> + #include <signal.h> +@@ -290,26 +291,30 @@ PicState2 *isa_pic; + static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl; + static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel; + +-static uint32_t ioport_read(int index, uint32_t address) ++static uint32_t ioport_read(int index, uint16_t address) + { + static IOPortReadFunc *default_func[3] = { + default_ioport_readb, + default_ioport_readw, + default_ioport_readl + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortReadFunc *func = ioport_read_table[index][address]; + if (!func) + func = default_func[index]; + return func(ioport_opaque[address], address); + } + +-static void ioport_write(int index, uint32_t address, uint32_t data) ++static void ioport_write(int index, uint16_t address, uint32_t data) + { + static IOPortWriteFunc *default_func[3] = { + default_ioport_writeb, + default_ioport_writew, + default_ioport_writel + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortWriteFunc *func = ioport_write_table[index][address]; + if (!func) + func = default_func[index]; +-- +2.1.4 diff --git a/sysutils/xentools46/Makefile b/sysutils/xentools46/Makefile index f583ed2b89d..5d36c9592aa 100644 --- a/sysutils/xentools46/Makefile +++ b/sysutils/xentools46/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $ +# $NetBSD: Makefile,v 1.5 2016/12/20 10:22:29 bouyer Exp $ VERSION= 4.6.3 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} PKGNAME= xentools46-${VERSION} -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools46/distinfo b/sysutils/xentools46/distinfo index 6f7e0672c8d..7faa587b60c 100644 --- a/sysutils/xentools46/distinfo +++ b/sysutils/xentools46/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.2 2016/11/22 20:59:01 bouyer Exp $ +$NetBSD: distinfo,v 1.3 2016/12/20 10:22:29 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 @@ -23,6 +23,7 @@ SHA1 (patch-Rules.mk) = ec0af52c494718204f15adac30ddd06713ff572c SHA1 (patch-XSA-197-1) = 4d373d23cd7032cc505300d865b6eaa8e80e2290 SHA1 (patch-XSA-197-2) = 3dc303f22d0744f64eb4552f4de10fc11f32bb01 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7 +SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1 SHA1 (patch-configure) = a58d149de07613fb03444234278778a6a24b9b26 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff diff --git a/sysutils/xentools46/patches/patch-XSA-199 b/sysutils/xentools46/patches/patch-XSA-199 new file mode 100644 index 00000000000..d91d01cd430 --- /dev/null +++ b/sysutils/xentools46/patches/patch-XSA-199 @@ -0,0 +1,90 @@ +$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $ + +From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Mon, 14 Nov 2016 17:19:46 +0000 +Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit + addresses + +On x86, ioport addresses are 16-bit. That these functions take 32-bit +arguments is a mistake. Changing the argument type to 16-bit will +discard the top bits of any erroneous values from elsewhere in qemu. + +Also, check just before use that the value is in range. (This turns +an ill-advised change to MAX_IOPORTS into a possible guest crash +rather than a privilege escalation vulnerability.) + +And, in the Xen ioreq processor, clamp incoming ioport addresses to +16-bit values. Xen will never write >16-bit values but the guest may +have access to the ioreq ring. We want to defend the rest of the qemu +code from wrong values. + +This is XSA-199. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +--- + i386-dm/helper2.c | 2 ++ + vl.c | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c +index 2706f2e..5d276bb 100644 +--- qemu-xen-traditional/i386-dm/helper2.c.orig ++++ qemu-xen-traditional/i386-dm/helper2.c +@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req) + { + uint32_t i; + ++ req->addr &= 0x0ffffU; ++ + if (req->size > sizeof(unsigned long)) { + fprintf(stderr, "PIO: bad size (%u)\n", req->size); + exit(-1); +diff --git a/vl.c b/vl.c +index f9c4d7e..c3c5d63 100644 +--- qemu-xen-traditional/vl.c.orig ++++ qemu-xen-traditional/vl.c +@@ -52,6 +52,7 @@ + + #include <xen/hvm/hvm_info_table.h> + ++#include <assert.h> + #include <unistd.h> + #include <fcntl.h> + #include <signal.h> +@@ -290,26 +291,30 @@ PicState2 *isa_pic; + static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl; + static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel; + +-static uint32_t ioport_read(int index, uint32_t address) ++static uint32_t ioport_read(int index, uint16_t address) + { + static IOPortReadFunc *default_func[3] = { + default_ioport_readb, + default_ioport_readw, + default_ioport_readl + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortReadFunc *func = ioport_read_table[index][address]; + if (!func) + func = default_func[index]; + return func(ioport_opaque[address], address); + } + +-static void ioport_write(int index, uint32_t address, uint32_t data) ++static void ioport_write(int index, uint16_t address, uint32_t data) + { + static IOPortWriteFunc *default_func[3] = { + default_ioport_writeb, + default_ioport_writew, + default_ioport_writel + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortWriteFunc *func = ioport_write_table[index][address]; + if (!func) + func = default_func[index]; +-- +2.1.4 |