author | bouyer <bouyer@pkgsrc.org> | 2016-05-12 15:42:58 +0000 |
---|---|---|
committer | bouyer <bouyer@pkgsrc.org> | 2016-05-12 15:42:58 +0000 |
commit | aade96c0cc864985779e1348573a45d64806d064 (patch) | |
tree | 563d7e9d94ad9a91bcaf0ee13be3bdd5ea4e9423 | |
parent | 3e8a0837f7772d8ddec900844ff1c51156a0c689 (diff) | |
download | pkgsrc-aade96c0cc864985779e1348573a45d64806d064.tar.gz |
Update xenkernel45 and xentools45 to 4.5.3.
While there also add patches for security issues XSA-172, XSA-173 and XSA-179
(others between 170 and 179 are either not yet public, or linux-only).
Upstream changes since 4.5.2:
- security issues up to XSA-170 are fixed (these were already patched
in pkgsrc).
- other minor performance and functionality fixes.
full changelog at:
http://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-453.html
-rw-r--r-- | sysutils/xenkernel45/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel45/distinfo | 16 | ||||
-rw-r--r-- | sysutils/xenkernel45/patches/patch-CVE-2015-5307 | 106 | ||||
-rw-r--r-- | sysutils/xenkernel45/patches/patch-CVE-2015-8339 | 33 | ||||
-rw-r--r-- | sysutils/xenkernel45/patches/patch-CVE-2015-8555 | 80 | ||||
-rw-r--r-- | sysutils/xenkernel45/patches/patch-XSA-166 | 39 | ||||
-rw-r--r-- | sysutils/xenkernel45/patches/patch-XSA-172 | 41 | ||||
-rw-r--r-- | sysutils/xenkernel45/patches/patch-XSA-173 | 246 | ||||
-rw-r--r-- | sysutils/xentools45/Makefile | 7 | ||||
-rw-r--r-- | sysutils/xentools45/distinfo | 14 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-CVE-2015-8341 | 29 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-CVE-2015-8550 | 213 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-CVE-2015-8554 | 21 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-179 | 266 |
14 files changed, 571 insertions, 544 deletions
diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile
index 6e06c9e907b..ff6f32cab2b 100644
--- a/sysutils/xenkernel45/Makefile
+++ b/sysutils/xenkernel45/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.13 2016/01/08 13:24:29 bouyer Exp $
+# $NetBSD: Makefile,v 1.14 2016/05/12 15:42:58 bouyer Exp $
 
-VERSION= 4.5.2
+VERSION= 4.5.3
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel45-${VERSION}
 #PKGREVISION= 0
diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo
index 3bdd3a8c080..ae01c4fd679 100644
--- a/sysutils/xenkernel45/distinfo
+++ b/sysutils/xenkernel45/distinfo
@@ -1,14 +1,12 @@
-$NetBSD: distinfo,v 1.13 2016/01/08 13:24:29 bouyer Exp $
+$NetBSD: distinfo,v 1.14 2016/05/12 15:42:58 bouyer Exp $
 
-SHA1 (xen-4.5.2.tar.gz) = c764589afc817aee4a5df5fa5dc2c7b8ab79508b
-RMD160 (xen-4.5.2.tar.gz) = 953f81cd175b3cb9f591ce21d3c838ecb8e6a780
-SHA512 (xen-4.5.2.tar.gz) = e0ce01a5356c254bfde48fae0b0e005c42c1615a7ccf4c1ba7dcf90784777b53995e9a9ae4575e3f19ef341014b34cb8c06e39d68be359f7fd69830501a144dd
-Size (xen-4.5.2.tar.gz) = 18416220 bytes
-SHA1 (patch-CVE-2015-5307) = f140ec14cbb9d5194e926d8f34777ebddf3d6836
-SHA1 (patch-CVE-2015-8339) = 080bc4c04ee5ad832756b11a65b1598f12eae97e
-SHA1 (patch-CVE-2015-8555) = 493a9229c2d5f8bd3bedc79166939d4883466645
+SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108
+RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4
+SHA512 (xen-4.5.3.tar.gz) = 086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f
+Size (xen-4.5.3.tar.gz) = 18416997 bytes
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
-SHA1 (patch-XSA-166) = 8c2b5f569a3ae5107dcb3d9eb39a9ddfc57889e0
+SHA1 (patch-XSA-172) = ff4560534381d4d4c553170fbeb674f9361d9740
+SHA1 (patch-XSA-173) = 0f6a2c4d9467713f3d969020f8fba62aa2f5297b
 SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
diff --git a/sysutils/xenkernel45/patches/patch-CVE-2015-5307 b/sysutils/xenkernel45/patches/patch-CVE-2015-5307
deleted file mode 100644
index c211f6ef5c7..00000000000
--- a/sysutils/xenkernel45/patches/patch-CVE-2015-5307
+++ /dev/null
@@ -1,106 +0,0 @@ -$NetBSD: patch-CVE-2015-5307,v 1.1 2016/01/07 17:48:34 bouyer Exp $ - -Patch for CVE-2015-5307 and CVE-2015-8104 aka XSA-156, based on -http://xenbits.xenproject.org/xsa/xsa156-4.5.patch - ---- xen/arch/x86/hvm/svm/svm.c.orig -+++ xen/arch/x86/hvm/svm/svm.c -@@ -1045,10 +1045,11 @@ static void noreturn svm_do_resume(struc - unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) ) - { - uint32_t intercepts = vmcb_get_exception_intercepts(vmcb); -- uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3); -+ - v->arch.hvm_vcpu.debug_state_latch = debug_state; - vmcb_set_exception_intercepts( -- vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask)); -+ vmcb, debug_state ? (intercepts | (1U << TRAP_int3)) -+ : (intercepts & ~(1U << TRAP_int3))); - } - - if ( v->arch.hvm_svm.launch_core != smp_processor_id() ) -@@ -2435,8 +2436,9 @@ void svm_vmexit_handler(struct cpu_user_ - - case VMEXIT_EXCEPTION_DB: - if ( !v->domain->debugger_attached ) -- goto unexpected_exit_type; -- domain_pause_for_debugger(); -+ hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE); -+ else -+ domain_pause_for_debugger(); - break; - - case VMEXIT_EXCEPTION_BP: -@@ -2484,6 +2486,11 @@ void svm_vmexit_handler(struct cpu_user_ - break; - } - -+ case VMEXIT_EXCEPTION_AC: -+ HVMTRACE_1D(TRAP, TRAP_alignment_check); -+ hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1); -+ break; -+ - case VMEXIT_EXCEPTION_UD: - svm_vmexit_ud_intercept(regs); - break; ---- xen/arch/x86/hvm/vmx/vmx.c.orig -+++ xen/arch/x86/hvm/vmx/vmx.c -@@ -1186,16 +1186,10 @@ static void vmx_update_host_cr3(struct v - - void vmx_update_debug_state(struct vcpu *v) - { -- unsigned long mask; -- -- mask = 1u << TRAP_int3; -- if ( !cpu_has_monitor_trap_flag ) -- mask |= 1u << TRAP_debug; -- - if ( v->arch.hvm_vcpu.debug_state_latch ) -- v->arch.hvm_vmx.exception_bitmap |= mask; -+ v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3; - else -- v->arch.hvm_vmx.exception_bitmap &= ~mask; 
-+ v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3); - - vmx_vmcs_enter(v); - vmx_update_exception_bitmap(v); -@@ -2801,9 +2795,10 @@ void vmx_vmexit_handler(struct cpu_user_ - __vmread(EXIT_QUALIFICATION, &exit_qualification); - HVMTRACE_1D(TRAP_DEBUG, exit_qualification); - write_debugreg(6, exit_qualification | 0xffff0ff0); -- if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag ) -- goto exit_and_crash; -- domain_pause_for_debugger(); -+ if ( !v->domain->debugger_attached ) -+ hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE); -+ else -+ domain_pause_for_debugger(); - break; - case TRAP_int3: - { -@@ -2868,6 +2863,11 @@ void vmx_vmexit_handler(struct cpu_user_ - - hvm_inject_page_fault(regs->error_code, exit_qualification); - break; -+ case TRAP_alignment_check: -+ HVMTRACE_1D(TRAP, vector); -+ __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode); -+ hvm_inject_hw_exception(vector, ecode); -+ break; - case TRAP_nmi: - if ( (intr_info & INTR_INFO_INTR_TYPE_MASK) != - (X86_EVENTTYPE_NMI << 8) ) ---- xen/include/asm-x86/hvm/hvm.h.orig -+++ xen/include/asm-x86/hvm/hvm.h -@@ -378,7 +378,10 @@ static inline int hvm_event_pending(stru - (X86_CR4_VMXE | X86_CR4_PAE | X86_CR4_MCE)) - - /* These exceptions must always be intercepted. */ --#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op)) -+#define HVM_TRAP_MASK ((1U << TRAP_debug) | \ -+ (1U << TRAP_invalid_op) | \ -+ (1U << TRAP_alignment_check) | \ -+ (1U << TRAP_machine_check)) - - /* - * x86 event types. This enumeration is valid for: diff --git a/sysutils/xenkernel45/patches/patch-CVE-2015-8339 b/sysutils/xenkernel45/patches/patch-CVE-2015-8339 deleted file mode 100644 index b89411f3af1..00000000000 --- a/sysutils/xenkernel45/patches/patch-CVE-2015-8339 +++ /dev/null 
@@ -1,33 +0,0 @@ -$NetBSD: patch-CVE-2015-8339,v 1.1 2016/01/07 17:48:34 bouyer Exp $ - -Patch for CVE-2015-8339 and CVE-2015-8340 aka XSA-159, based on -http://xenbits.xenproject.org/xsa/xsa159.patch - ---- xen/common/memory.c.orig -+++ xen/common/memory.c -@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA - PAGE_LIST_HEAD(out_chunk_list); - unsigned long in_chunk_order, out_chunk_order; - xen_pfn_t gpfn, gmfn, mfn; -- unsigned long i, j, k = 0; /* gcc ... */ -+ unsigned long i, j, k; - unsigned int memflags = 0; - long rc = 0; - struct domain *d; -@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA - fail: - /* Reassign any input pages we managed to steal. */ - while ( (page = page_list_remove_head(&in_chunk_list)) ) -- { -- put_gfn(d, gmfn + k--); - if ( assign_pages(d, page, 0, MEMF_no_refcount) ) -- BUG(); -- } -+ { -+ BUG_ON(!d->is_dying); -+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) -+ put_page(page); -+ } - - dying: - rcu_unlock_domain(d); diff --git a/sysutils/xenkernel45/patches/patch-CVE-2015-8555 b/sysutils/xenkernel45/patches/patch-CVE-2015-8555 deleted file mode 100644 index 6218fcc20f3..00000000000 --- a/sysutils/xenkernel45/patches/patch-CVE-2015-8555 +++ /dev/null 
@@ -1,80 +0,0 @@ -$NetBSD: patch-CVE-2015-8555,v 1.1 2016/01/07 17:48:34 bouyer Exp $ - -Patch for CVE-2015-8555 aka XSA-165, based on -http://xenbits.xenproject.org/xsa/xsa165-4.5.patch - ---- xen/arch/x86/domain.c.orig -+++ xen/arch/x86/domain.c -@@ -798,6 +798,17 @@ int arch_set_info_guest( - if ( v->arch.xsave_area ) - v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE; - } -+ else if ( v->arch.xsave_area ) -+ memset(&v->arch.xsave_area->xsave_hdr, 0, -+ sizeof(v->arch.xsave_area->xsave_hdr)); -+ else -+ { -+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt; -+ -+ memset(fpu_sse, 0, sizeof(*fpu_sse)); -+ fpu_sse->fcw = FCW_DEFAULT; -+ fpu_sse->mxcsr = MXCSR_DEFAULT; -+ } - - if ( !compat ) - { ---- xen/arch/x86/i387.c.orig -+++ xen/arch/x86/i387.c -@@ -17,19 +17,6 @@ - #include <asm/xstate.h> - #include <asm/asm_defns.h> - --static void fpu_init(void) --{ -- unsigned long val; -- -- asm volatile ( "fninit" ); -- if ( cpu_has_xmm ) -- { -- /* load default value into MXCSR control/status register */ -- val = MXCSR_DEFAULT; -- asm volatile ( "ldmxcsr %0" : : "m" (val) ); -- } --} -- - /*******************************/ - /* FPU Restore Functions */ - /*******************************/ -@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu * - - if ( cpu_has_xsave ) - fpu_xrstor(v, XSTATE_LAZY); -- else if ( v->fpu_initialised ) -- { -- if ( cpu_has_fxsr ) -- fpu_fxrstor(v); -- else -- fpu_frstor(v); -- } - else -- fpu_init(); -+ fpu_fxrstor(v); - - v->fpu_initialised = 1; - v->fpu_dirtied = 1; -@@ -317,7 +297,14 @@ int vcpu_init_fpu(struct vcpu *v) - else - { - v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16); -- if ( !v->arch.fpu_ctxt ) -+ if ( v->arch.fpu_ctxt ) -+ { -+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt; -+ -+ fpu_sse->fcw = FCW_DEFAULT; -+ fpu_sse->mxcsr = MXCSR_DEFAULT; -+ } -+ else - { - rc = -ENOMEM; - goto done; 
diff --git a/sysutils/xenkernel45/patches/patch-XSA-166 b/sysutils/xenkernel45/patches/patch-XSA-166 deleted file mode 100644 index a5c996cb21f..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-166 +++ /dev/null @@ -1,39 +0,0 @@ -$NetBSD: patch-XSA-166,v 1.1 2016/01/07 17:48:34 bouyer Exp $ - -Patch for XSA-166, based on -http://xenbits.xenproject.org/xsa/xsa166-4.5.patch - ---- xen/arch/x86/hvm/hvm.c.orig -+++ xen/arch/x86/hvm/hvm.c -@@ -400,23 +400,23 @@ bool_t hvm_io_pending(struct vcpu *v) - - static bool_t hvm_wait_for_io(struct hvm_ioreq_vcpu *sv, ioreq_t *p) - { -+ unsigned int state; -+ - /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */ -- while ( p->state != STATE_IOREQ_NONE ) -+ while ( (state = p->state) != STATE_IOREQ_NONE ) - { -- switch ( p->state ) -+ rmb(); -+ switch ( state ) - { - case STATE_IORESP_READY: /* IORESP_READY -> NONE */ -- rmb(); /* see IORESP_READY /then/ read contents of ioreq */ - hvm_io_assist(p); - break; - case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */ - case STATE_IOREQ_INPROCESS: -- wait_on_xen_event_channel(sv->ioreq_evtchn, -- (p->state != STATE_IOREQ_READY) && -- (p->state != STATE_IOREQ_INPROCESS)); -+ wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state); - break; - default: -- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state); -+ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state); - domain_crash(sv->vcpu->domain); - return 0; /* bail */ - } - diff --git a/sysutils/xenkernel45/patches/patch-XSA-172 b/sysutils/xenkernel45/patches/patch-XSA-172 new file mode 100644 index 00000000000..61c3ca8ec93 --- /dev/null +++ b/sysutils/xenkernel45/patches/patch-XSA-172 
@@ -0,0 +1,41 @@
+$NetBSD: patch-XSA-172,v 1.1 2016/05/12 15:42:58 bouyer Exp $
+
+x86: fix information leak on AMD CPUs
+
+The fix for XSA-52 was wrong, and so was the change synchronizing that
+new behavior to the FXRSTOR logic: AMD's manuals explictly state that
+writes to the ES bit are ignored, and it instead gets calculated from
+the exception and mask bits (it gets set whenever there is an unmasked
+exception, and cleared otherwise). Hence we need to follow that model
+in our workaround.
+
+This is XSA-172.
+
+The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159.
+The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- xen/arch/x86/i387.c.orig
++++ xen/arch/x86/i387.c
+@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc
+ * sometimes new user value. Both should be ok. Use the FPU saved
+ * data block as a safe address because it should be in L1.
+ */
+- if ( !(fpu_ctxt->fsw & 0x0080) &&
++ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+ {
+ asm volatile ( "fnclex\n\t"
+--- xen/arch/x86/xstate.c.orig
++++ xen/arch/x86/xstate.c
+@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas
+ * data block as a safe address because it should be in L1.
+ */
+ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
+- !(ptr->fpu_sse.fsw & 0x0080) &&
++ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+ asm volatile ( "fnclex\n\t" /* clear exceptions */
+ "ffree %%st(7)\n\t" /* clear stack tag */
diff --git a/sysutils/xenkernel45/patches/patch-XSA-173 b/sysutils/xenkernel45/patches/patch-XSA-173
new file mode 100644
index 00000000000..f2c4313b7a2
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-173
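Review bot: The pkgsrc header of patch-XSA-172 (the lines between the `$NetBSD` tag and the first `---` line) carries the upstream commit message but no record of where the patch was obtained, unlike the patch-CVE-2015-* files this commit deletes, which each open with `Patch for CVE-... aka XSA-..., based on http://xenbits.xenproject.org/xsa/...`. Without that provenance line a later auditor cannot tell whether this is the published xenbits advisory patch or a local rework, which matters for a security fix whose only integrity record is its SHA1 in distinfo. Suggest adding, directly after the `$NetBSD` line, `Patch for CVE-2016-3158 and CVE-2016-3159 aka XSA-172, based on http://xenbits.xenproject.org/xsa/<upstream patch file>` with the actual file name filled in. The same omission applies to patch-XSA-173 in the next file section, whose header likewise carries only the upstream commit text.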
@@ -0,0 +1,246 @@ +$NetBSD: patch-XSA-173,v 1.1 2016/05/12 15:42:58 bouyer Exp $ + +commit 9d7687d60ae2e09ad2a77b05bd820e7850709375 +Author: Tim Deegan <tim@xen.org> +Date: Wed Mar 16 16:56:04 2016 +0000 + + x86: limit GFNs to 32 bits for shadowed superpages. + + Superpage shadows store the shadowed GFN in the backpointer field, + which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage + mapping of a guest-physical address above 2^44 would lead to the GFN + being truncated there, and a crash when we come to remove the shadow + from the hash table. + + Track the valid width of a GFN for each guest, including reporting it + through CPUID, and enforce it in the shadow pagetables. Set the + maximum witth to 32 for guests where this truncation could occur. + + This is XSA-173. + + Signed-off-by: Tim Deegan <tim@xen.org> + 
Signed-off-by: Jan Beulich <jbeulich@suse.com> + +Reported-by: Ling Liu <liuling-it@360.cn> +diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c +index 5c8d3c2..7dc8220 100644 +--- xen/arch/x86/cpu/common.c.orig ++++ xen/arch/x86/cpu/common.c +@@ -37,6 +37,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx); + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {}; + + unsigned int paddr_bits __read_mostly = 36; ++unsigned int hap_paddr_bits __read_mostly = 36; + + /* + * Default host IA32_CR_PAT value to cover all memory types. +@@ -209,7 +210,7 @@ static void __init early_cpu_detect(void) + + static void __cpuinit generic_identify(struct cpuinfo_x86 *c) + { +- u32 tfms, capability, excap, ebx; ++ u32 tfms, capability, excap, ebx, eax; + + /* Get vendor name */ + cpuid(0x00000000, &c->cpuid_level, +@@ -246,8 +247,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c) + } + if ( c->extended_cpuid_level >= 0x80000004 ) + get_model_name(c); /* Default name */ +- if ( c->extended_cpuid_level >= 0x80000008 ) +- paddr_bits = cpuid_eax(0x80000008) & 0xff; ++ if ( c->extended_cpuid_level >= 0x80000008 ) { ++ eax = cpuid_eax(0x80000008); ++ paddr_bits = eax & 0xff; ++ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits; ++ } + } + + /* Might lift BIOS max_leaf=3 limit. 
*/ +diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c +index 41fb10a..cac458a 100644 +--- xen/arch/x86/hvm/hvm.c.orig ++++ xen/arch/x86/hvm/hvm.c +@@ -4327,8 +4327,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx, + break; + + case 0x80000008: +- count = cpuid_eax(0x80000008); +- count = (count >> 16) & 0xff ?: count & 0xff; ++ count = d->arch.paging.gfn_bits + PAGE_SHIFT; + if ( (*eax & 0xff) > count ) + *eax = (*eax & ~0xff) | count; + +diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c +index 1b26175..50ba7d5 100644 +--- xen/arch/x86/mm/guest_walk.c.orig ++++ xen/arch/x86/mm/guest_walk.c +@@ -94,6 +94,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn, + struct page_info *page; + void *map; + ++ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits ) ++ { ++ *rc = _PAGE_INVALID_BIT; ++ return NULL; ++ } ++ + /* Translate the gfn, unsharing if shared */ + page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL, + q); +@@ -327,20 +333,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, + flags &= ~_PAGE_PAT; + + if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 ) +- { +-#if GUEST_PAGING_LEVELS == 2 +- /* +- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a +- * no-op here. +- * +- * Architecturally, the walk should fail if bit 21 is set (others +- * aren't being checked at least in PSE36 mode), but we'll ignore +- * this here in order to avoid specifying a non-natural, non-zero +- * _PAGE_INVALID_BITS value just for that case. +- */ +-#endif + rc |= _PAGE_INVALID_BITS; +- } ++ + /* Increment the pfn by the right number of 4k pages. + * Mask out PAT and invalid bits. */ + start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) + +@@ -423,5 +417,11 @@ set_ad: + put_page(mfn_to_page(mfn_x(gw->l1mfn))); + } + ++ /* If this guest has a restricted physical address space then the ++ * target GFN must fit within it. 
*/ ++ if ( !(rc & _PAGE_PRESENT) ++ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits ) ++ rc |= _PAGE_INVALID_BITS; ++ + return rc; + } +diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c +index 0c80012..84531b1 100644 +--- xen/arch/x86/mm/hap/hap.c.orig ++++ xen/arch/x86/mm/hap/hap.c +@@ -429,6 +429,8 @@ void hap_domain_init(struct domain *d) + { + INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist); + ++ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT; ++ + /* Use HAP logdirty mechanism. */ + paging_log_dirty_init(d, hap_enable_log_dirty, + hap_disable_log_dirty, +diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c +index 18026fe..9028d82 100644 +--- xen/arch/x86/mm/shadow/common.c.orig ++++ xen/arch/x86/mm/shadow/common.c +@@ -48,6 +48,16 @@ void shadow_domain_init(struct domain *d, unsigned int domcr_flags) + INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist); + INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows); + ++ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT; ++#ifndef CONFIG_BIGMEM ++ /* ++ * Shadowed superpages store GFNs in 32-bit page_info fields. ++ * Note that we cannot use guest_supports_superpages() here. 
++ */ ++ if ( !is_pv_domain(d) || opt_allow_superpage ) ++ d->arch.paging.gfn_bits = 32; ++#endif ++ + /* Use shadow pagetables for log-dirty support */ + paging_log_dirty_init(d, shadow_enable_log_dirty, + shadow_disable_log_dirty, shadow_clean_dirty_bitmap); +diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c +index d6802ff..7589d23 100644 +--- xen/arch/x86/mm/shadow/multi.c.orig ++++ xen/arch/x86/mm/shadow/multi.c +@@ -527,7 +527,8 @@ _sh_propagate(struct vcpu *v, + ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3); + + /* Check there's something for the shadows to map to */ +- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) ) ++ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt)) ++ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits ) + { + *sp = shadow_l1e_empty(); + goto done; +diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h +index 6a77a93..e8df4a9 100644 +--- xen/include/asm-x86/domain.h.orig ++++ xen/include/asm-x86/domain.h +@@ -188,6 +188,9 @@ struct paging_domain { + /* log dirty support */ + struct log_dirty_domain log_dirty; + ++ /* Number of valid bits in a gfn. */ ++ unsigned int gfn_bits; ++ + /* preemption handling */ + struct { + const struct domain *dom; +diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h +index d2a8250..d95f835 100644 +--- xen/include/asm-x86/guest_pt.h.orig ++++ xen/include/asm-x86/guest_pt.h +@@ -220,15 +220,17 @@ guest_supports_nx(struct vcpu *v) + } + + +-/* Some bits are invalid in any pagetable entry. */ +-#if GUEST_PAGING_LEVELS == 2 +-#define _PAGE_INVALID_BITS (0) +-#elif GUEST_PAGING_LEVELS == 3 +-#define _PAGE_INVALID_BITS \ +- get_pte_flags(((1ull<<63) - 1) & ~((1ull<<paddr_bits) - 1)) +-#else /* GUEST_PAGING_LEVELS == 4 */ ++/* ++ * Some bits are invalid in any pagetable entry. 
++ * Normal flags values get represented in 24-bit values (see ++ * get_pte_flags() and put_pte_flags()), so set bit 24 in ++ * addition to be able to flag out of range frame numbers. ++ */ ++#if GUEST_PAGING_LEVELS == 3 + #define _PAGE_INVALID_BITS \ +- get_pte_flags(((1ull<<52) - 1) & ~((1ull<<paddr_bits) - 1)) ++ (_PAGE_INVALID_BIT | get_pte_flags(((1ull << 63) - 1) & ~(PAGE_SIZE - 1))) ++#else /* 2-level and 4-level */ ++#define _PAGE_INVALID_BITS _PAGE_INVALID_BIT + #endif + + +diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h +index b4e4731..56fc5a2 100644 +--- xen/include/asm-x86/processor.h.orig ++++ xen/include/asm-x86/processor.h +@@ -203,6 +203,8 @@ extern u32 cpuid_ext_features; + + /* Maximum width of physical addresses supported by the hardware */ + extern unsigned int paddr_bits; ++/* Max physical address width supported within HAP guests */ ++extern unsigned int hap_paddr_bits; + + extern void identify_cpu(struct cpuinfo_x86 *); + extern void setup_clear_cpu_cap(unsigned int); +diff --git a/xen/include/asm-x86/x86_64/page.h b/xen/include/asm-x86/x86_64/page.h +index 1d54587..f1d1b6c 100644 +--- xen/include/asm-x86/x86_64/page.h.orig ++++ xen/include/asm-x86/x86_64/page.h +@@ -141,6 +141,12 @@ typedef l4_pgentry_t root_pgentry_t; + #define _PAGE_GNTTAB (1U<<22) + + /* ++ * Bit 24 of a 24-bit flag mask! This is not any bit of a real pte, ++ * and is only used for signalling in variables that contain flags. ++ */ ++#define _PAGE_INVALID_BIT (1U<<24) ++ ++/* + * Bit 12 of a 24-bit flag mask. This corresponds to bit 52 of a pte. + * This is needed to distinguish between user and kernel PTEs since _PAGE_USER + * is asserted for both. diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile index 6a0e5939d4c..2070c8b4b11 100644 --- a/sysutils/xentools45/Makefile +++ b/sysutils/xentools45/Makefile 
@@ -1,12 +1,11 @@ -# $NetBSD: Makefile,v 1.31 2016/05/05 11:45:41 jaapb Exp $ +# $NetBSD: Makefile,v 1.32 2016/05/12 15:42:58 bouyer Exp $ -VERSION= 4.5.2 -PKGREVISION= 2 +VERSION= 4.5.3 +#PKGREVISION= 0 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} PKGNAME= xentools45-${VERSION} -PKGREVISION= 1 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo index c809e8f6501..ffea426b682 100644 --- a/sysutils/xentools45/distinfo +++ b/sysutils/xentools45/distinfo 
@@ -1,13 +1,13 @@
-$NetBSD: distinfo,v 1.21 2016/04/04 14:47:56 wiz Exp $
+$NetBSD: distinfo,v 1.22 2016/05/12 15:42:58 bouyer Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
 SHA512 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4
 Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes
-SHA1 (xen-4.5.2.tar.gz) = c764589afc817aee4a5df5fa5dc2c7b8ab79508b
-RMD160 (xen-4.5.2.tar.gz) = 953f81cd175b3cb9f591ce21d3c838ecb8e6a780
-SHA512 (xen-4.5.2.tar.gz) = e0ce01a5356c254bfde48fae0b0e005c42c1615a7ccf4c1ba7dcf90784777b53995e9a9ae4575e3f19ef341014b34cb8c06e39d68be359f7fd69830501a144dd
-Size (xen-4.5.2.tar.gz) = 18416220 bytes
+SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108
+RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4
+SHA512 (xen-4.5.3.tar.gz) = 086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f
+Size (xen-4.5.3.tar.gz) = 18416997 bytes
 SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d
 SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762
 SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005
@@ -18,11 +18,9 @@ SHA1 (patch-.._docs_man_xl.conf.pod.5) = 015da24a45388468d56f1ecfa60f6acf07bdfef
 SHA1 (patch-.._docs_man_xl.pod.1) = b194f2c5608c6f0e80a4abd8655808cf91355cd5
 SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736a4663b2
 SHA1 (patch-.._docs_misc_xl-disk-configuration.txt) = 5b59cfc2569d1a4c10d6c0fcb98ed35278723b79
-SHA1 (patch-CVE-2015-8341) = 9d4cb191f023c6d6ff9de85028a19ca13aa69e1f
-SHA1 (patch-CVE-2015-8550) = 27f9214b9df78e04ec30e8ca56970c5b1d5dc50d
-SHA1 (patch-CVE-2015-8554) = 908783cf619fc130d5a107ba2c4997fca0f0da88
 SHA1 (patch-Makefile) = eb5d3211b26c5f10a24fcca658c83d5f60990d9f
 SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50
+SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff --git a/sysutils/xentools45/patches/patch-CVE-2015-8341 b/sysutils/xentools45/patches/patch-CVE-2015-8341
deleted file mode 100644
index 02021005f66..00000000000
--- a/sysutils/xentools45/patches/patch-CVE-2015-8341
+++ /dev/null
@@ -1,29 +0,0 @@ -$NetBSD: patch-CVE-2015-8341,v 1.1 2016/01/07 17:48:34 bouyer Exp $ - -patch for CVE-2015-8341 aka XSA-160 from -http://xenbits.xenproject.org/xsa/xsa160-4.6.patch - ---- libxl/libxl_create.c.orig -+++ libxl/libxl_create.c -@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__egc *egc, - libxl_domain_config *const d_config = dcs->guest_config; - libxl_domain_config *d_config_saved = &dcs->guest_config_saved; - -+ libxl__file_reference_unmap(&dcs->build_state.pv_kernel); -+ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk); -+ - if (!rc && d_config->b_info.exec_ssidref) - rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref); - ---- libxl/libxl_dom.c.orig -+++ libxl/libxl_dom.c -@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid, - state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn); - } - -- libxl__file_reference_unmap(&state->pv_kernel); -- libxl__file_reference_unmap(&state->pv_ramdisk); -- - ret = 0; - out: - xc_dom_release(dom); diff --git a/sysutils/xentools45/patches/patch-CVE-2015-8550 b/sysutils/xentools45/patches/patch-CVE-2015-8550 deleted file mode 100644 index 13a27facf38..00000000000 --- a/sysutils/xentools45/patches/patch-CVE-2015-8550 +++ /dev/null 
@@ -1,213 +0,0 @@ -$NetBSD: patch-CVE-2015-8550,v 1.1 2016/01/07 17:48:34 bouyer Exp $ - -patch for CVE-2015-8550 aka XSA-155 from -http://xenbits.xenproject.org/xsa/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch -http://xenbits.xenproject.org/xsa/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch -http://xenbits.xenproject.org/xsa/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch -http://xenbits.xenproject.org/xsa/xsa155-qemut-qdisk-double-access.patch -http://xenbits.xenproject.org/xsa/xsa155-qemut-xenfb.patch -http://xenbits.xenproject.org/xsa/xsa155-qemu-qdisk-double-access.patch -http://xenbits.xenproject.org/xsa/xsa155-qemu-xenfb.patch - ---- ../xen/include/public/io/ring.h.orig -+++ ../xen/include/public/io/ring.h -@@ -212,6 +212,20 @@ typedef struct __name##_back_ring __name##_back_ring_t - #define RING_GET_REQUEST(_r, _idx) \ - (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) - -+/* -+ * Get a local copy of a request. -+ * -+ * Use this in preference to RING_GET_REQUEST() so all processing is -+ * done on a local copy that cannot be modified by the other end. -+ * -+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this -+ * to be ineffective where _req is a struct which consists of only bitfields. -+ */ -+#define RING_COPY_REQUEST(_r, _idx, _req) do { \ -+ /* Use volatile to force the copy into _req. */ \ -+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ -+} while (0) -+ - #define RING_GET_RESPONSE(_r, _idx) \ - (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) - ---- blktap2/drivers/block-log.c.orig -+++ blktap2/drivers/block-log.c -@@ -494,11 +494,12 @@ static int ctl_kick(struct tdlog_state* s, int fd) - reqstart = s->bring.req_cons; - reqend = s->sring->req_prod; - -+ xen_mb(); - BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend); - - while (reqstart != reqend) { - /* XXX actually submit these! 
*/ -- memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req)); -+ RING_COPY_REQUEST(&s->bring, reqstart, &req); - BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count); - s->bring.req_cons = ++reqstart; - ---- blktap2/drivers/tapdisk-vbd.c.orig -+++ blktap2/drivers/tapdisk-vbd.c -@@ -1555,7 +1555,7 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) - int idx; - RING_IDX rp, rc; - td_ring_t *ring; -- blkif_request_t *req; -+ blkif_request_t req; - td_vbd_request_t *vreq; - - ring = &vbd->ring; -@@ -1566,16 +1566,16 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) - xen_rmb(); - - for (rc = ring->fe_ring.req_cons; rc != rp; rc++) { -- req = RING_GET_REQUEST(&ring->fe_ring, rc); -+ RING_COPY_REQUEST(&ring->fe_ring, rc, &req); - ++ring->fe_ring.req_cons; - -- idx = req->id; -+ idx = req.id; - vreq = &vbd->request_list[idx]; - - ASSERT(list_empty(&vreq->next)); - ASSERT(vreq->secs_pending == 0); - -- memcpy(&vreq->req, req, sizeof(blkif_request_t)); -+ memcpy(&vreq->req, &req, sizeof(blkif_request_t)); - vbd->received++; - vreq->vbd = vbd; - ---- libvchan/io.c.orig -+++ libvchan/io.c -@@ -117,6 +117,7 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit) - static inline int raw_get_data_ready(struct libxenvchan *ctrl) - { - uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl); -+ xen_mb(); /* Ensure 'ready' is read only once. */ - if (ready > rd_ring_size(ctrl)) - /* We have no way to return errors. Locking up the ring is - * better than the alternatives. */ -@@ -158,6 +159,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl) - static inline int raw_get_buffer_space(struct libxenvchan *ctrl) - { - uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); -+ xen_mb(); /* Ensure 'ready' is read only once. */ - if (ready > wr_ring_size(ctrl)) - /* We have no way to return errors. Locking up the ring is - * better than the alternatives. 
*/ - ---- qemu-xen-traditional/hw/xen_blkif.h.orig -+++ qemu-xen-traditional/hw/xen_blkif.h -@@ -79,8 +79,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque - dst->handle = src->handle; - dst->id = src->id; - dst->sector_number = src->sector_number; -- if (n > src->nr_segments) -- n = src->nr_segments; -+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ -+ xen_mb(); -+ if (n > dst->nr_segments) -+ n = dst->nr_segments; - for (i = 0; i < n; i++) - dst->seg[i] = src->seg[i]; - } -@@ -94,8 +96,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque - dst->handle = src->handle; - dst->id = src->id; - dst->sector_number = src->sector_number; -- if (n > src->nr_segments) -- n = src->nr_segments; -+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ -+ xen_mb(); -+ if (n > dst->nr_segments) -+ n = dst->nr_segments; - for (i = 0; i < n; i++) - dst->seg[i] = src->seg[i]; - } - ---- qemu-xen-traditional/hw/xenfb.c -+++ qemu-xen-traditional/hw/xenfb.c -@@ -827,18 +827,20 @@ static void xenfb_invalidate(void *opaque) - - static void xenfb_handle_events(struct XenFB *xenfb) - { -- uint32_t prod, cons; -+ uint32_t prod, cons, out_cons; - struct xenfb_page *page = xenfb->c.page; - - prod = page->out_prod; -- if (prod == page->out_cons) -+ out_cons = page->out_cons; -+ if (prod == out_cons) - return; - xen_rmb(); /* ensure we see ring contents up to prod */ -- for (cons = page->out_cons; cons != prod; cons++) { -+ for (cons = out_cons; cons != prod; cons++) { - union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); -+ uint8_t type = event->type; - int x, y, w, h; - -- switch (event->type) { -+ switch (type) { - case XENFB_TYPE_UPDATE: - if (xenfb->up_count == UP_QUEUE) - xenfb->up_fullscreen = 1; - ---- qemu-xen/hw/block/xen_blkif.h -+++ qemu-xen/hw/block/xen_blkif.h -@@ -85,8 +85,10 @@ static inline void 
blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque - d->nr_sectors = s->nr_sectors; - return; - } -- if (n > src->nr_segments) -- n = src->nr_segments; -+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ -+ barrier(); -+ if (n > dst->nr_segments) -+ n = dst->nr_segments; - for (i = 0; i < n; i++) - dst->seg[i] = src->seg[i]; - } -@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque - d->nr_sectors = s->nr_sectors; - return; - } -- if (n > src->nr_segments) -- n = src->nr_segments; -+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ -+ barrier(); -+ if (n > dst->nr_segments) -+ n = dst->nr_segments; - for (i = 0; i < n; i++) - dst->seg[i] = src->seg[i]; - } - ---- qemu-xen/hw/display/xenfb.c.orig -+++ qemu-xen/hw/display/xenfb.c -@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque) - - static void xenfb_handle_events(struct XenFB *xenfb) - { -- uint32_t prod, cons; -+ uint32_t prod, cons, out_cons; - struct xenfb_page *page = xenfb->c.page; - - prod = page->out_prod; -- if (prod == page->out_cons) -+ out_cons = page->out_cons; -+ if (prod == out_cons) - return; - xen_rmb(); /* ensure we see ring contents up to prod */ -- for (cons = page->out_cons; cons != prod; cons++) { -+ for (cons = out_cons; cons != prod; cons++) { - union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); -+ uint8_t type = event->type; - int x, y, w, h; - -- switch (event->type) { -+ switch (type) { - case XENFB_TYPE_UPDATE: - if (xenfb->up_count == UP_QUEUE) - xenfb->up_fullscreen = 1; diff --git a/sysutils/xentools45/patches/patch-CVE-2015-8554 b/sysutils/xentools45/patches/patch-CVE-2015-8554 deleted file mode 100644 index 3ffca2347a3..00000000000 --- a/sysutils/xentools45/patches/patch-CVE-2015-8554 +++ /dev/null 
@@ -1,21 +0,0 @@ -$NetBSD: patch-CVE-2015-8554,v 1.1 2016/01/07 17:48:34 bouyer Exp $ - -patch for CVE-2015-8554 aka XSA-164 from -http://xenbits.xenproject.org/xsa/xsa164.patch - ---- qemu-xen-traditional/hw/pt-msi.c.orig -+++ qemu-xen-traditional/hw/pt-msi.c -@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque - return; - } - -+ if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 ) -+ { -+ PT_LOG("Error: Out of bounds write to MSI-X table," -+ " addr %016"PRIx64"\n", addr); -+ return; -+ } -+ - entry_nr = (addr - msix->mmio_base_addr) / 16; - entry = &msix->msix_entry[entry_nr]; - offset = ((addr - msix->mmio_base_addr) % 16) / 4; diff --git a/sysutils/xentools45/patches/patch-XSA-179 b/sysutils/xentools45/patches/patch-XSA-179 new file mode 100644 index 00000000000..8ca70838d5c --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-179 
@@ -0,0 +1,266 @@ +$NetBSD: patch-XSA-179,v 1.1 2016/05/12 15:42:58 bouyer Exp $ + +Patch for XSA-179, aka CVE-2016-3710 and CVE-2016-3712 +from http://xenbits.xenproject.org/xsa/advisory-179.html + +--- qemu-xen/hw/display/vga.c.orig 2016-05-12 16:36:58.000000000 +0200 ++++ qemu-xen/hw/display/vga.c 2016-05-12 16:37:36.000000000 +0200 +@@ -166,6 +166,13 @@ + static uint16_t expand2[256]; + static uint8_t expand4to8[16]; + ++static void vbe_update_vgaregs(VGACommonState *s); ++ ++static inline bool vbe_enabled(VGACommonState *s) ++{ ++ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; ++} ++ + static void vga_update_memory_access(VGACommonState *s) + { + MemoryRegion *region, *old_region = s->chain4_alias; +@@ -197,6 +204,7 @@ + break; + } + base += isa_mem_base; ++ assert(offset + size <= s->vram_size); + region = g_malloc(sizeof(*region)); + memory_region_init_alias(region, memory_region_owner(&s->vram), + "vga.chain4", &s->vram, offset, size); +@@ -503,6 +511,7 @@ + printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); + #endif + s->sr[s->sr_index] = val & sr_mask[s->sr_index]; ++ vbe_update_vgaregs(s); + if (s->sr_index == VGA_SEQ_CLOCK_MODE) { + s->update_retrace_info(s); + } +@@ -534,6 +543,7 @@ + printf("vga: write GR%x = 0x%02x\n", s->gr_index, val); + #endif + s->gr[s->gr_index] = val & gr_mask[s->gr_index]; ++ vbe_update_vgaregs(s); + vga_update_memory_access(s); + break; + case VGA_CRT_IM: +@@ -552,10 +562,12 @@ + if (s->cr_index == VGA_CRTC_OVERFLOW) { + s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) | + (val & 0x10); ++ vbe_update_vgaregs(s); + } + return; + } + s->cr[s->cr_index] = val; ++ vbe_update_vgaregs(s); + + switch(s->cr_index) { + case VGA_CRTC_H_TOTAL: +@@ -588,7 +600,7 @@ + uint16_t *r = s->vbe_regs; + uint32_t bits, linelength, maxy, offset; + +- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { ++ if (!vbe_enabled(s)) { + /* vbe is turned off -- nothing to do */ + return; + } +@@ -663,6 +675,49 @@ + 
s->vbe_start_addr = offset / 4; + } + ++/* we initialize the VGA graphic mode */ ++static void vbe_update_vgaregs(VGACommonState *s) ++{ ++ int h, shift_control; ++ ++ if (!vbe_enabled(s)) { ++ /* vbe is turned off -- nothing to do */ ++ return; ++ } ++ ++ /* graphic mode + memory map 1 */ ++ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | ++ VGA_GR06_GRAPHICS_MODE; ++ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ ++ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; ++ /* width */ ++ s->cr[VGA_CRTC_H_DISP] = ++ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; ++ /* height (only meaningful if < 1024) */ ++ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; ++ s->cr[VGA_CRTC_V_DISP_END] = h; ++ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | ++ ((h >> 7) & 0x02) | ((h >> 3) & 0x40); ++ /* line compare to 1023 */ ++ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; ++ s->cr[VGA_CRTC_OVERFLOW] |= 0x10; ++ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; ++ ++ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { ++ shift_control = 0; ++ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ ++ } else { ++ shift_control = 2; ++ /* set chain 4 mode */ ++ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; ++ /* activate all planes */ ++ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; ++ } ++ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | ++ (shift_control << 5); ++ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ ++} ++ + static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr) + { + VGACommonState *s = opaque; +@@ -739,13 +794,10 @@ + case VBE_DISPI_INDEX_Y_OFFSET: + s->vbe_regs[s->vbe_index] = val; + vbe_fixup_regs(s); ++ vbe_update_vgaregs(s); + break; + case VBE_DISPI_INDEX_BANK: +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- val &= (s->vbe_bank_mask >> 2); +- } else { +- val &= s->vbe_bank_mask; +- } ++ val &= s->vbe_bank_mask; + s->vbe_regs[s->vbe_index] = val; + s->bank_offset = (val << 16); + vga_update_memory_access(s); +@@ -753,53 +805,19 @@ + case 
VBE_DISPI_INDEX_ENABLE: + if ((val & VBE_DISPI_ENABLED) && + !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { +- int h, shift_control; + + s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0; + s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0; + s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0; + s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED; + vbe_fixup_regs(s); ++ vbe_update_vgaregs(s); + + /* clear the screen (should be done in BIOS) */ + if (!(val & VBE_DISPI_NOCLEARMEM)) { + memset(s->vram_ptr, 0, + s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset); + } +- +- /* we initialize the VGA graphic mode (should be done +- in BIOS) */ +- /* graphic mode + memory map 1 */ +- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | +- VGA_GR06_GRAPHICS_MODE; +- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ +- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; +- /* width */ +- s->cr[VGA_CRTC_H_DISP] = +- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; +- /* height (only meaningful if < 1024) */ +- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; +- s->cr[VGA_CRTC_V_DISP_END] = h; +- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | +- ((h >> 7) & 0x02) | ((h >> 3) & 0x40); +- /* line compare to 1023 */ +- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; +- s->cr[VGA_CRTC_OVERFLOW] |= 0x10; +- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; +- +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- shift_control = 0; +- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ +- } else { +- shift_control = 2; +- /* set chain 4 mode */ +- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; +- /* activate all planes */ +- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; +- } +- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | +- (shift_control << 5); +- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ + } else { + /* XXX: the bios should do that */ + s->bank_offset = 0; +@@ -846,13 +864,21 @@ + + if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest 
access */ ++ assert(addr < s->vram_size); + ret = s->vram_ptr[addr]; + } else if (s->gr[VGA_GFX_MODE] & 0x10) { + /* odd/even mode (aka text mode mapping) */ + plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); +- ret = s->vram_ptr[((addr & ~1) << 1) | plane]; ++ addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return 0xff; ++ } ++ ret = s->vram_ptr[addr]; + } else { + /* standard VGA latched access */ ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return 0xff; ++ } + s->latch = ((uint32_t *)s->vram_ptr)[addr]; + + if (!(s->gr[VGA_GFX_MODE] & 0x08)) { +@@ -909,6 +935,7 @@ + plane = addr & 3; + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ assert(addr < s->vram_size); + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); +@@ -922,6 +949,9 @@ + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { + addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return; ++ } + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr); +@@ -995,6 +1025,9 @@ + mask = s->sr[VGA_SEQ_PLANE_WRITE]; + s->plane_updated |= mask; /* only used to detect font change */ + write_mask = mask16[mask]; ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return; ++ } + ((uint32_t *)s->vram_ptr)[addr] = + (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | + (val & write_mask); +@@ -1158,7 +1191,7 @@ + { + uint32_t start_addr, line_offset, line_compare; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + line_offset = s->vbe_line_offset; + start_addr = s->vbe_start_addr; + line_compare = 65535; +@@ -1611,7 +1644,7 @@ + { + int ret; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + ret = s->vbe_regs[VBE_DISPI_INDEX_BPP]; + } else { + ret = 0; +@@ -1623,7 +1656,7 @@ + { + int width, height; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & 
VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + width = s->vbe_regs[VBE_DISPI_INDEX_XRES]; + height = s->vbe_regs[VBE_DISPI_INDEX_YRES]; + } else { |
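Review bot: The new patch-XSA-179 touches only `qemu-xen/hw/display/vga.c`, yet the patches this commit deletes (patch-CVE-2015-8550 edits `qemu-xen-traditional/hw/xenfb.c` and `qemu-xen-traditional/hw/xen_blkif.h`, patch-CVE-2015-8554 edits `qemu-xen-traditional/hw/pt-msi.c`) show that xentools45 also builds the traditional device model, so if its VGA emulation is built and used it presumably needs the corresponding XSA-179 fix too — worth confirming against the advisory page cited in the patch header before treating XSA-179 as closed for this package. A smaller point in the `@@ -846,13 +864,21 @@` and `@@ -909,6 +935,7 @@` hunks: the chain-4 read and write paths enforce the VRAM bound with `assert(addr < s->vram_size);`, while the odd/even and latched paths fail soft with `return 0xff;` / `return;`, so a reader cannot tell whether a guest-controlled address can reach the assert and abort the device model. Presumably chain-4 accesses are already bounded by the alias region created in `vga_update_memory_access` (hence the `assert(offset + size <= s->vram_size);` added in the `@@ -197,6 +204,7 @@` hunk), and a one-line comment at the chain-4 asserts such as `/* chain-4 accesses arrive via the vga.chain4 alias, sized against vram_size above */` would record that invariant for the next maintainer.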