summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbouyer <bouyer@pkgsrc.org>2016-12-20 10:22:28 +0000
committerbouyer <bouyer@pkgsrc.org>2016-12-20 10:22:28 +0000
commit7f26264716966bf1840525c72bf2e8746218a2c5 (patch)
tree9f6404a713979300f155f3f05fd9b6c8891130ee
parent732240f69c800cd8be6b79fd2ac54198313f12b2 (diff)
downloadpkgsrc-7f26264716966bf1840525c72bf2e8746218a2c5.tar.gz
Apply upstream patch for XSA-199, XSA-200 and XSA-204.
Bump PKGREVISIONs
-rw-r--r--sysutils/xenkernel41/Makefile4
-rw-r--r--sysutils/xenkernel41/distinfo4
-rw-r--r--sysutils/xenkernel41/patches/patch-XSA-20057
-rw-r--r--sysutils/xenkernel41/patches/patch-XSA-20471
-rw-r--r--sysutils/xenkernel42/Makefile4
-rw-r--r--sysutils/xenkernel42/distinfo4
-rw-r--r--sysutils/xenkernel42/patches/patch-XSA-20057
-rw-r--r--sysutils/xenkernel42/patches/patch-XSA-20471
-rw-r--r--sysutils/xenkernel45/Makefile4
-rw-r--r--sysutils/xenkernel45/distinfo4
-rw-r--r--sysutils/xenkernel45/patches/patch-XSA-20057
-rw-r--r--sysutils/xenkernel45/patches/patch-XSA-20471
-rw-r--r--sysutils/xenkernel46/Makefile4
-rw-r--r--sysutils/xenkernel46/distinfo4
-rw-r--r--sysutils/xenkernel46/patches/patch-XSA-20057
-rw-r--r--sysutils/xenkernel46/patches/patch-XSA-20471
-rw-r--r--sysutils/xentools41/Makefile4
-rw-r--r--sysutils/xentools41/distinfo3
-rw-r--r--sysutils/xentools41/patches/patch-XSA-19990
-rw-r--r--sysutils/xentools42/Makefile4
-rw-r--r--sysutils/xentools42/distinfo3
-rw-r--r--sysutils/xentools42/patches/patch-XSA-199121
-rw-r--r--sysutils/xentools45/Makefile4
-rw-r--r--sysutils/xentools45/distinfo3
-rw-r--r--sysutils/xentools45/patches/patch-XSA-19990
-rw-r--r--sysutils/xentools46/Makefile4
-rw-r--r--sysutils/xentools46/distinfo3
-rw-r--r--sysutils/xentools46/patches/patch-XSA-19990
28 files changed, 939 insertions, 24 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index 1d162423900..41f492e8e4d 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.52 2016/11/22 20:53:40 bouyer Exp $
+# $NetBSD: Makefile,v 1.53 2016/12/20 10:22:28 bouyer Exp $
VERSION= 4.1.6.1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 21
+PKGREVISION= 22
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 63b80f2f23f..fadc348ba56 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2016/11/22 20:53:40 bouyer Exp $
+$NetBSD: distinfo,v 1.46 2016/12/20 10:22:28 bouyer Exp $
SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
@@ -44,6 +44,8 @@ SHA1 (patch-XSA-187-2) = e21b24771fa9417f593b8f6d1550660bbad36b98
SHA1 (patch-XSA-191) = 5da559e104543b8d22ea60378d9160d2ad83b8d0
SHA1 (patch-XSA-192) = b0f2801fe6db91c2a98b82897cdee057062c6c2b
SHA1 (patch-XSA-195) = a04295b397126e1cc1f129bb3cb9fb872fcbb373
+SHA1 (patch-XSA-200) = 2e5f6e3596fa754030af29a1dc8fafb738ad1da4
+SHA1 (patch-XSA-204) = 99e2b88b551d80724fcc27f925fbf65d3fc468de
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b
diff --git a/sysutils/xenkernel41/patches/patch-XSA-200 b/sysutils/xenkernel41/patches/patch-XSA-200
new file mode 100644
index 00000000000..8ffb7246c60
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-XSA-200
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+ goto fail;
+ printf("okay\n");
+
++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++ res[0] = 0x12345678;
++ res[1] = 0x87654321;
++ regs.eflags = 0x200;
++ regs.eip = (unsigned long)&instr[0];
++ regs.edi = (unsigned long)res;
++ rc = x86_emulate(&ctxt, &emulops);
++ if ( (rc != X86EMUL_OKAY) ||
++ (res[0] != 0x12345678) ||
++ (res[1] != 0x87654321) ||
++ (regs.eax != 0x12345678) ||
++ (regs.edx != 0x87654321) ||
++ ((regs.eflags&0x240) != 0x200) ||
++ (regs.eip != (unsigned long)&instr[4]) )
++ goto fail;
++ printf("okay\n");
++
+ printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+ instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+ regs.eflags = 0x200;
+--- ./xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 21:54:25.000000000 +0100
++++ ./xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:00:32.000000000 +0100
+@@ -4183,7 +4183,12 @@
+
+ generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+- op_bytes *= 2;
++ if ( op_bytes == 8 )
++ {
++ /* vcpu_must_have_cx16() XXX doens't exists */
++ op_bytes = 16;
++ } else
++ op_bytes = 8;
+
+ /* Get actual old value. */
+ for ( i = 0; i < (op_bytes/sizeof(long)); i++ )
diff --git a/sysutils/xenkernel41/patches/patch-XSA-204 b/sysutils/xenkernel41/patches/patch-XSA-204
new file mode 100644
index 00000000000..72f272056a6
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-XSA-204
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 22:02:25.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:05:31.000000000 +0100
+@@ -1233,6 +1233,7 @@
+ #define REPE_PREFIX 1
+ #define REPNE_PREFIX 2
+ unsigned int lock_prefix = 0, rep_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src, dst;
+
+@@ -3498,9 +3499,8 @@
+ break;
+ }
+
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -3685,6 +3685,23 @@
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+
diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile
index db0257f8d8e..e4f065a0812 100644
--- a/sysutils/xenkernel42/Makefile
+++ b/sysutils/xenkernel42/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.24 2016/11/22 20:55:29 bouyer Exp $
+# $NetBSD: Makefile,v 1.25 2016/12/20 10:22:28 bouyer Exp $
VERSION= 4.2.5
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel42-${VERSION}
-PKGREVISION= 13
+PKGREVISION= 14
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo
index b88165351f0..8471467ea4c 100644
--- a/sysutils/xenkernel42/distinfo
+++ b/sysutils/xenkernel42/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2016/11/22 20:55:29 bouyer Exp $
+$NetBSD: distinfo,v 1.24 2016/12/20 10:22:28 bouyer Exp $
SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
@@ -33,6 +33,8 @@ SHA1 (patch-XSA-187-2) = ed2d384b4cf429443560afbf71b42fb4123a279b
SHA1 (patch-XSA-191) = 7a5e2e78c457c5922e2ccd711f2a39afba238e40
SHA1 (patch-XSA-192) = f95757227ece59a2f320308edefcf01f1a96212c
SHA1 (patch-XSA-195) = bb20234c4db0dc098ea47564732e87710bfcb9d8
+SHA1 (patch-XSA-200) = 2f615fa9c4ac43fc98f6c897acb5ee7e4651a668
+SHA1 (patch-XSA-204) = f6a59adf3cbd0aab59ccf233240a6b4e9ee2913b
SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f
diff --git a/sysutils/xenkernel42/patches/patch-XSA-200 b/sysutils/xenkernel42/patches/patch-XSA-200
new file mode 100644
index 00000000000..ad17c28ec73
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-XSA-200
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+ goto fail;
+ printf("okay\n");
+
++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++ res[0] = 0x12345678;
++ res[1] = 0x87654321;
++ regs.eflags = 0x200;
++ regs.eip = (unsigned long)&instr[0];
++ regs.edi = (unsigned long)res;
++ rc = x86_emulate(&ctxt, &emulops);
++ if ( (rc != X86EMUL_OKAY) ||
++ (res[0] != 0x12345678) ||
++ (res[1] != 0x87654321) ||
++ (regs.eax != 0x12345678) ||
++ (regs.edx != 0x87654321) ||
++ ((regs.eflags&0x240) != 0x200) ||
++ (regs.eip != (unsigned long)&instr[4]) )
++ goto fail;
++ printf("okay\n");
++
+ printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+ instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+ regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4494,9 +4498,11 @@
+
+ generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+- if ( op_bytes == 8 )
++ if ( op_bytes == 8 ) {
+ vcpu_must_have_cx16();
+- op_bytes *= 2;
++ op_bytes = 16;
++ } else
++ op_bytes = 8;
+
+ /* Get actual old value. */
+ for ( i = 0; i < (op_bytes/sizeof(long)); i++ )
diff --git a/sysutils/xenkernel42/patches/patch-XSA-204 b/sysutils/xenkernel42/patches/patch-XSA-204
new file mode 100644
index 00000000000..68f30ab3306
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-XSA-204
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 23:22:20.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 23:22:38.000000000 +0100
+@@ -1348,6 +1348,7 @@
+ union vex vex = {};
+ unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+ bool_t lock_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src, dst;
+ DECLARE_ALIGNED(mmval_t, mmval);
+@@ -3679,9 +3680,8 @@
+ break;
+ }
+
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -3866,6 +3866,23 @@
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+
diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile
index 34cbdb133b8..2a33f683875 100644
--- a/sysutils/xenkernel45/Makefile
+++ b/sysutils/xenkernel45/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.23 2016/11/22 20:57:10 bouyer Exp $
+# $NetBSD: Makefile,v 1.24 2016/12/20 10:22:28 bouyer Exp $
VERSION= 4.5.5
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel45-${VERSION}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo
index 82a10dd7dc6..757dc13cad1 100644
--- a/sysutils/xenkernel45/distinfo
+++ b/sysutils/xenkernel45/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2016/11/22 20:57:10 bouyer Exp $
+$NetBSD: distinfo,v 1.20 2016/12/20 10:22:28 bouyer Exp $
SHA1 (xen-4.5.5.tar.gz) = 4073d411c72d3298baacfc15577b92b9ae577073
RMD160 (xen-4.5.5.tar.gz) = 34132ab04752dc594fbdc1404c95f402b7bbbe39
@@ -11,6 +11,8 @@ SHA1 (patch-XSA-193) = 7088e2278da771f7140eb0d4200dc877326cfa5a
SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
+SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874
+SHA1 (patch-XSA-204) = 4d5616f418e3ea010af4cb9e5d1ad14c8adcbf1c
SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
diff --git a/sysutils/xenkernel45/patches/patch-XSA-200 b/sysutils/xenkernel45/patches/patch-XSA-200
new file mode 100644
index 00000000000..377bb6bef9a
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-200
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+ goto fail;
+ printf("okay\n");
+
++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++ res[0] = 0x12345678;
++ res[1] = 0x87654321;
++ regs.eflags = 0x200;
++ regs.eip = (unsigned long)&instr[0];
++ regs.edi = (unsigned long)res;
++ rc = x86_emulate(&ctxt, &emulops);
++ if ( (rc != X86EMUL_OKAY) ||
++ (res[0] != 0x12345678) ||
++ (res[1] != 0x87654321) ||
++ (regs.eax != 0x12345678) ||
++ (regs.edx != 0x87654321) ||
++ ((regs.eflags&0x240) != 0x200) ||
++ (regs.eip != (unsigned long)&instr[4]) )
++ goto fail;
++ printf("okay\n");
++
+ printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+ instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+ regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4739,8 +4739,12 @@ x86_emulate(
+ generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+ if ( op_bytes == 8 )
++ {
+ vcpu_must_have_cx16();
+- op_bytes *= 2;
++ op_bytes = 16;
++ }
++ else
++ op_bytes = 8;
+
+ /* Get actual old value. */
+ if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes,
diff --git a/sysutils/xenkernel45/patches/patch-XSA-204 b/sysutils/xenkernel45/patches/patch-XSA-204
new file mode 100644
index 00000000000..30386bb2946
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-204
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1537,6 +1537,7 @@ x86_emulate(
+ union vex vex = {};
+ unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+ bool_t lock_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src = { .reg = REG_POISON };
+ struct operand dst = { .reg = REG_POISON };
+@@ -3881,9 +3882,8 @@ x86_emulate(
+ break;
+ }
+
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -4068,6 +4068,23 @@ x86_emulate(
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+
diff --git a/sysutils/xenkernel46/Makefile b/sysutils/xenkernel46/Makefile
index 9d8f9145605..90f2eae8c87 100644
--- a/sysutils/xenkernel46/Makefile
+++ b/sysutils/xenkernel46/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $
+# $NetBSD: Makefile,v 1.5 2016/12/20 10:22:28 bouyer Exp $
VERSION= 4.6.3
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel46-${VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel46/distinfo b/sysutils/xenkernel46/distinfo
index 9f27eae0420..7f29e20354d 100644
--- a/sysutils/xenkernel46/distinfo
+++ b/sysutils/xenkernel46/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2016/11/22 20:59:01 bouyer Exp $
+$NetBSD: distinfo,v 1.4 2016/12/20 10:22:28 bouyer Exp $
SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349
RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
@@ -16,6 +16,8 @@ SHA1 (patch-XSA-193) = 89fdeea8af25de42bbd207df1b2f3dcd3b61778f
SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
+SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874
+SHA1 (patch-XSA-204) = 05defb8d99976a712024d35a81f4dde5627107d9
SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
diff --git a/sysutils/xenkernel46/patches/patch-XSA-200 b/sysutils/xenkernel46/patches/patch-XSA-200
new file mode 100644
index 00000000000..ac0612764bc
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-200
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+ goto fail;
+ printf("okay\n");
+
++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++ res[0] = 0x12345678;
++ res[1] = 0x87654321;
++ regs.eflags = 0x200;
++ regs.eip = (unsigned long)&instr[0];
++ regs.edi = (unsigned long)res;
++ rc = x86_emulate(&ctxt, &emulops);
++ if ( (rc != X86EMUL_OKAY) ||
++ (res[0] != 0x12345678) ||
++ (res[1] != 0x87654321) ||
++ (regs.eax != 0x12345678) ||
++ (regs.edx != 0x87654321) ||
++ ((regs.eflags&0x240) != 0x200) ||
++ (regs.eip != (unsigned long)&instr[4]) )
++ goto fail;
++ printf("okay\n");
++
+ printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+ instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+ regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4739,8 +4739,12 @@ x86_emulate(
+ generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+ if ( op_bytes == 8 )
++ {
+ vcpu_must_have_cx16();
+- op_bytes *= 2;
++ op_bytes = 16;
++ }
++ else
++ op_bytes = 8;
+
+ /* Get actual old value. */
+ if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes,
diff --git a/sysutils/xenkernel46/patches/patch-XSA-204 b/sysutils/xenkernel46/patches/patch-XSA-204
new file mode 100644
index 00000000000..804423de01e
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-204
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index bca7045..abe442e 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1582,6 +1582,7 @@ x86_emulate(
+ union vex vex = {};
+ unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+ bool_t lock_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src = { .reg = REG_POISON };
+ struct operand dst = { .reg = REG_POISON };
+@@ -3910,9 +3911,8 @@ x86_emulate(
+ }
+
+ no_writeback:
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -4143,6 +4143,23 @@ x86_emulate(
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+
diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile
index 7ea97642405..14adae51595 100644
--- a/sysutils/xentools41/Makefile
+++ b/sysutils/xentools41/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.64 2016/11/22 20:53:40 bouyer Exp $
+# $NetBSD: Makefile,v 1.65 2016/12/20 10:22:29 bouyer Exp $
#
# VERSION is set in version.mk as it is shared with other packages
.include "version.mk"
DISTNAME= xen-${VERSION}
PKGNAME= xentools41-${VERSION}
-PKGREVISION= 17
+PKGREVISION= 18
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo
index 1e06c865a9d..4c7d5aaeb4a 100644
--- a/sysutils/xentools41/distinfo
+++ b/sysutils/xentools41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.43 2016/11/22 20:53:40 bouyer Exp $
+$NetBSD: distinfo,v 1.44 2016/12/20 10:22:29 bouyer Exp $
SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -19,6 +19,7 @@ SHA1 (patch-CVE-2015-8550) = dfd72a54d27211c1059579819b9b4c702399a0fc
SHA1 (patch-CVE-2015-8554) = 7f444009519399038c657fa3e59fd2170f99bb70
SHA1 (patch-XSA-197) = 4980664bbb3f3d8277f888f6304a8552ec714a26
SHA1 (patch-XSA-198) = 98a18927de1e3427cb4fbcc5675fa608d1cd5ba8
+SHA1 (patch-XSA-199) = 406f14cdb356f0d7abe3a843a5efa1dc398c77bd
SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada
SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d
SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb
diff --git a/sysutils/xentools41/patches/patch-XSA-199 b/sysutils/xentools41/patches/patch-XSA-199
new file mode 100644
index 00000000000..af551486fd5
--- /dev/null
+++ b/sysutils/xentools41/patches/patch-XSA-199
@@ -0,0 +1,90 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit. That these functions take 32-bit
+arguments is a mistake. Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range. (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values. Xen will never write >16-bit values but the guest may
+have access to the ioreq ring. We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke@huawei.com>
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- ioemu-qemu-xen/i386-dm/helper2.c.orig
++++ ioemu-qemu-xen/i386-dm/helper2.c
+@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
+
+ sign = req->df ? -1 : 1;
+
++ req->addr &= 0x0ffffU;
++
+ if (req->size > sizeof(req->data)) {
+ fprintf(stderr, "MMIO: bad size (%u)\n", req->size);
+ exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- ioemu-qemu-xen/vl.c.orig
++++ ioemu-qemu-xen/vl.c
+@@ -52,6 +52,7 @@
+
+ #include <xen/hvm/hvm_info_table.h>
+
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+ static IOPortReadFunc *default_func[3] = {
+ default_ioport_readb,
+ default_ioport_readw,
+ default_ioport_readl
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortReadFunc *func = ioport_read_table[index][address];
+ if (!func)
+ func = default_func[index];
+ return func(ioport_opaque[address], address);
+ }
+
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+ static IOPortWriteFunc *default_func[3] = {
+ default_ioport_writeb,
+ default_ioport_writew,
+ default_ioport_writel
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortWriteFunc *func = ioport_write_table[index][address];
+ if (!func)
+ func = default_func[index];
+--
+2.1.4
diff --git a/sysutils/xentools42/Makefile b/sysutils/xentools42/Makefile
index 23d53d6f16b..d3f263e3778 100644
--- a/sysutils/xentools42/Makefile
+++ b/sysutils/xentools42/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.51 2016/11/22 20:55:29 bouyer Exp $
+# $NetBSD: Makefile,v 1.52 2016/12/20 10:22:29 bouyer Exp $
VERSION= 4.2.5
VERSION_IPXE= 1.0.0
DISTNAME= xen-${VERSION}
PKGNAME= xentools42-${VERSION}
-PKGREVISION= 19
+PKGREVISION= 20
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xentools42/distinfo b/sysutils/xentools42/distinfo
index 766b8ba9802..bac6d0c0e31 100644
--- a/sysutils/xentools42/distinfo
+++ b/sysutils/xentools42/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2016/11/22 20:55:29 bouyer Exp $
+$NetBSD: distinfo,v 1.30 2016/12/20 10:22:29 bouyer Exp $
SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -42,6 +42,7 @@ SHA1 (patch-Rules.mk) = 25a04293f6fe638ba5f3bd5e09b2b091cd201023
SHA1 (patch-XSA-197-1) = 79b4bc63bfbe7f69ed3ba38a667f185f8cb65cc9
SHA1 (patch-XSA-197-2) = 1734d4313b66f958a312676da489b94773524128
SHA1 (patch-XSA-198) = 38d120b4be3e04f87e75e6838a64d44e180d708b
+SHA1 (patch-XSA-199) = e34c7557a1df7131000f5e408e89d3aaa4b10189
SHA1 (patch-blktap_drivers_Makefile) = c6be57154a403a64e3d6bc22d6bd833fe33fc9af
SHA1 (patch-configure) = 11df58a8e1cd6bcc319db0aff508367e59592cba
SHA1 (patch-examples_Makefile) = ee02f973416ca4ffda5381cd7a4ddb3b43579621
diff --git a/sysutils/xentools42/patches/patch-XSA-199 b/sysutils/xentools42/patches/patch-XSA-199
new file mode 100644
index 00000000000..f5e1be72751
--- /dev/null
+++ b/sysutils/xentools42/patches/patch-XSA-199
@@ -0,0 +1,121 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit. That these functions take 32-bit
+arguments is a mistake. Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range. (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values. Xen will never write >16-bit values but the guest may
+have access to the ioreq ring. We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke@huawei.com>
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- qemu-xen-traditional/i386-dm/helper2.c.orig
++++ qemu-xen-traditional/i386-dm/helper2.c
+@@ -355,6 +355,8 @@
+
+ sign = req->df ? -1 : 1;
+
++ req->addr &= 0x0ffffU;
++
+ if (req->size > sizeof(unsigned long)) {
+ fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+ exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- qemu-xen-traditional/vl.c.orig
++++ qemu-xen-traditional/vl.c
+@@ -52,6 +52,7 @@
+
+ #include <xen/hvm/hvm_info_table.h>
+
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+ static IOPortReadFunc *default_func[3] = {
+ default_ioport_readb,
+ default_ioport_readw,
+ default_ioport_readl
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortReadFunc *func = ioport_read_table[index][address];
+ if (!func)
+ func = default_func[index];
+ return func(ioport_opaque[address], address);
+ }
+
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+ static IOPortWriteFunc *default_func[3] = {
+ default_ioport_writeb,
+ default_ioport_writew,
+ default_ioport_writel
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortWriteFunc *func = ioport_write_table[index][address];
+ if (!func)
+ func = default_func[index];
+--
+2.1.4
+--- qemu-xen/xen-all.c.orig 2016-12-20 10:53:18.000000000 +0100
++++ qemu-xen/xen-all.c 2016-12-20 10:53:46.000000000 +0100
+@@ -661,6 +661,8 @@
+
+ sign = req->df ? -1 : 1;
+
++ req->addr &= 0x0ffffU;
++
+ if (req->size > sizeof(uint32_t)) {
+ hw_error("PIO: bad size (%u)", req->size);
+ }
+--- qemu-xen/ioport.c.orig 2016-12-20 10:57:45.000000000 +0100
++++ qemu-xen/ioport.c 2016-12-20 10:58:26.000000000 +0100
+@@ -64,6 +64,8 @@
+ default_ioport_readl
+ };
+ IOPortReadFunc *func = ioport_read_table[index][address];
++ if (address >= MAX_IOPORTS)
++ abort();
+ if (!func)
+ func = default_func[index];
+ return func(ioport_opaque[address], address);
+@@ -76,6 +78,8 @@
+ default_ioport_writew,
+ default_ioport_writel
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortWriteFunc *func = ioport_write_table[index][address];
+ if (!func)
+ func = default_func[index];
diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile
index 7ddad223c85..c2d878c5461 100644
--- a/sysutils/xentools45/Makefile
+++ b/sysutils/xentools45/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.40 2016/11/22 20:57:10 bouyer Exp $
+# $NetBSD: Makefile,v 1.41 2016/12/20 10:22:29 bouyer Exp $
VERSION= 4.5.5
-PKGREVISION= 1
+PKGREVISION= 2
VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
DISTNAME= xen-${VERSION}
diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo
index c17f882c45b..c77ad564d8f 100644
--- a/sysutils/xentools45/distinfo
+++ b/sysutils/xentools45/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2016/11/22 20:57:10 bouyer Exp $
+$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $
SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -24,6 +24,7 @@ SHA1 (patch-XSA-184) = b9089f29b67d1756e2c4919df30041282cebdfed
SHA1 (patch-XSA-197-1) = a481196957f8942253cb18e5eef089e491d02652
SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043
SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7
+SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1
SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff --git a/sysutils/xentools45/patches/patch-XSA-199 b/sysutils/xentools45/patches/patch-XSA-199
new file mode 100644
index 00000000000..d91d01cd430
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-199
@@ -0,0 +1,90 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit. That these functions take 32-bit
+arguments is a mistake. Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range. (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values. Xen will never write >16-bit values but the guest may
+have access to the ioreq ring. We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke@huawei.com>
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- qemu-xen-traditional/i386-dm/helper2.c.orig
++++ qemu-xen-traditional/i386-dm/helper2.c
+@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
+ {
+ uint32_t i;
+
++ req->addr &= 0x0ffffU;
++
+ if (req->size > sizeof(unsigned long)) {
+ fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+ exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- qemu-xen-traditional/vl.c.orig
++++ qemu-xen-traditional/vl.c
+@@ -52,6 +52,7 @@
+
+ #include <xen/hvm/hvm_info_table.h>
+
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+ static IOPortReadFunc *default_func[3] = {
+ default_ioport_readb,
+ default_ioport_readw,
+ default_ioport_readl
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortReadFunc *func = ioport_read_table[index][address];
+ if (!func)
+ func = default_func[index];
+ return func(ioport_opaque[address], address);
+ }
+
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+ static IOPortWriteFunc *default_func[3] = {
+ default_ioport_writeb,
+ default_ioport_writew,
+ default_ioport_writel
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortWriteFunc *func = ioport_write_table[index][address];
+ if (!func)
+ func = default_func[index];
+--
+2.1.4
diff --git a/sysutils/xentools46/Makefile b/sysutils/xentools46/Makefile
index f583ed2b89d..5d36c9592aa 100644
--- a/sysutils/xentools46/Makefile
+++ b/sysutils/xentools46/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $
+# $NetBSD: Makefile,v 1.5 2016/12/20 10:22:29 bouyer Exp $
VERSION= 4.6.3
VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
DISTNAME= xen-${VERSION}
PKGNAME= xentools46-${VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xentools46/distinfo b/sysutils/xentools46/distinfo
index 6f7e0672c8d..7faa587b60c 100644
--- a/sysutils/xentools46/distinfo
+++ b/sysutils/xentools46/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2016/11/22 20:59:01 bouyer Exp $
+$NetBSD: distinfo,v 1.3 2016/12/20 10:22:29 bouyer Exp $
SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -23,6 +23,7 @@ SHA1 (patch-Rules.mk) = ec0af52c494718204f15adac30ddd06713ff572c
SHA1 (patch-XSA-197-1) = 4d373d23cd7032cc505300d865b6eaa8e80e2290
SHA1 (patch-XSA-197-2) = 3dc303f22d0744f64eb4552f4de10fc11f32bb01
SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7
+SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1
SHA1 (patch-configure) = a58d149de07613fb03444234278778a6a24b9b26
SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff
diff --git a/sysutils/xentools46/patches/patch-XSA-199 b/sysutils/xentools46/patches/patch-XSA-199
new file mode 100644
index 00000000000..d91d01cd430
--- /dev/null
+++ b/sysutils/xentools46/patches/patch-XSA-199
@@ -0,0 +1,90 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit. That these functions take 32-bit
+arguments is a mistake. Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range. (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values. Xen will never write >16-bit values but the guest may
+have access to the ioreq ring. We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke@huawei.com>
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- qemu-xen-traditional/i386-dm/helper2.c.orig
++++ qemu-xen-traditional/i386-dm/helper2.c
+@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
+ {
+ uint32_t i;
+
++ req->addr &= 0x0ffffU;
++
+ if (req->size > sizeof(unsigned long)) {
+ fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+ exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- qemu-xen-traditional/vl.c.orig
++++ qemu-xen-traditional/vl.c
+@@ -52,6 +52,7 @@
+
+ #include <xen/hvm/hvm_info_table.h>
+
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+ static IOPortReadFunc *default_func[3] = {
+ default_ioport_readb,
+ default_ioport_readw,
+ default_ioport_readl
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortReadFunc *func = ioport_read_table[index][address];
+ if (!func)
+ func = default_func[index];
+ return func(ioport_opaque[address], address);
+ }
+
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+ static IOPortWriteFunc *default_func[3] = {
+ default_ioport_writeb,
+ default_ioport_writew,
+ default_ioport_writel
+ };
++ if (address >= MAX_IOPORTS)
++ abort();
+ IOPortWriteFunc *func = ioport_write_table[index][address];
+ if (!func)
+ func = default_func[index];
+--
+2.1.4