diff options
| author | drochner <drochner@pkgsrc.org> | 2012-12-05 19:16:26 +0000 |
|---|---|---|
| committer | drochner <drochner@pkgsrc.org> | 2012-12-05 19:16:26 +0000 |
| commit | 44a59ec9ad440ba10c4a8dce4d042c43d2f8ce07 (patch) | |
| tree | e28c3002e875f9d0c83c6859425ca95dce0cb0ec /sysutils/xenkernel41 | |
| parent | 2fcf42dca8435d183c15e287ef9604f8eb9f63e3 (diff) | |
| download | pkgsrc-44a59ec9ad440ba10c4a8dce4d042c43d2f8ce07.tar.gz | |
add another batch of security patches from upstream
bump PKGREV
Diffstat (limited to 'sysutils/xenkernel41')
| -rw-r--r-- | sysutils/xenkernel41/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xenkernel41/distinfo | 10 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2012-3496 | 36 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2012-5510 | 92 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2012-5511_1 | 116 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 | 29 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2012-5511_3 | 22 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2012-5513_1 | 19 | ||||
| -rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2012-5513_2 | 51 |
9 files changed, 371 insertions, 8 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index f35a2cd4f16..61be25160cb 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.15 2012/11/14 13:42:41 drochner Exp $ +# $NetBSD: Makefile,v 1.16 2012/12/05 19:16:26 drochner Exp $ # VERSION= 4.1.3 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ EXTRACT_SUFX= .tar.gz diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index 3e5cc52e31a..8d17e5b8b28 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,14 +1,20 @@ -$NetBSD: distinfo,v 1.11 2012/11/14 13:42:41 drochner Exp $ +$NetBSD: distinfo,v 1.12 2012/12/05 19:16:26 drochner Exp $ SHA1 (xen-4.1.3.tar.gz) = 0f688955262d08fba28361ca338f3ad0c0f53d74 RMD160 (xen-4.1.3.tar.gz) = a6296a16579fd628a1ff2aa64b6b800e4913eeae Size (xen-4.1.3.tar.gz) = 10382132 bytes SHA1 (patch-CVE-2012-3494) = 166121ce515aaa2f2e399431be3ca7d2496c79c6 -SHA1 (patch-CVE-2012-3496) = 926c171c265836bb79de31546b5814bf1e8b2af3 +SHA1 (patch-CVE-2012-3496) = 89843ade32b3b1478f69d0c23c2dd69daf506b37 SHA1 (patch-CVE-2012-3498) = d3d3eddcb39559381e268ea804d8b1190f0ed582 SHA1 (patch-CVE-2012-4535_1) = 862155304af023cb10ef62957c2a3dbc569bd40c SHA1 (patch-CVE-2012-4535_2) = f38d5b5286278b900e4b1892fd8a4e6da3434e47 SHA1 (patch-CVE-2012-4538) = 31d3a26556de5e0afc2a9d3c5e75d9d461b795ff SHA1 (patch-CVE-2012-4539) = 4fd6a9229aafbe3f451c3d757562bc1068628081 +SHA1 (patch-CVE-2012-5510) = 47617f3e29173a381a97c7b44c7b1cfc970c1477 +SHA1 (patch-CVE-2012-5511_1) = bdb885335d9357fc4e8df3352893d9f7c24f5c21 +SHA1 (patch-CVE-2012-5511_2) = f4ae6fd4942fea658b14d33f4bbd60ea2383dffe +SHA1 (patch-CVE-2012-5511_3) = 2e223c3ae105330f8147c79bbff5cbba37ff8372 +SHA1 (patch-CVE-2012-5513_1) = b190539b089c2623657028b7780345112c1a8f0f +SHA1 (patch-CVE-2012-5513_2) = f6beb84708b62c7317cccccf682af9bee10a43e5 SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70 diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3496 b/sysutils/xenkernel41/patches/patch-CVE-2012-3496 index 2a7374d4636..f30ea035af7 100644 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-3496 +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3496 @@ -1,23 +1,51 @@ -$NetBSD: patch-CVE-2012-3496,v 1.2 2012/11/14 13:42:41 drochner Exp $ +$NetBSD: patch-CVE-2012-3496,v 1.3 2012/12/05 19:16:26 drochner Exp $ see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html fix for CVE-2012-4537 is also here, see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00507.html +fix for CVE-2012-5514 is also here, see +http://lists.xen.org/archives/html/xen-announce/2012-12/msg00005.html + --- xen/arch/x86/mm/p2m.c.orig 2012-08-10 13:51:45.000000000 +0000 +++ xen/arch/x86/mm/p2m.c -@@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(st +@@ -2414,7 +2414,11 @@ guest_physmap_mark_populate_on_demand(st int pod_count = 0; int rc = 0; - BUG_ON(!paging_mode_translate(d)); ++ if ( !IS_PRIV_FOR(current->domain, d) ) ++ return -EPERM; ++ + if ( !paging_mode_translate(d) ) + return -EINVAL; rc = gfn_check_limit(d, gfn, order); if ( rc != 0 ) -@@ -2559,7 +2560,10 @@ guest_physmap_add_entry(struct p2m_domai +@@ -2431,8 +2435,7 @@ guest_physmap_mark_populate_on_demand(st + omfn = gfn_to_mfn_query(p2m, gfn + i, &ot); + if ( p2m_is_ram(ot) ) + { +- printk("%s: gfn_to_mfn returned type %d!\n", +- __func__, ot); ++ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot); + rc = -EBUSY; + goto out; + } +@@ -2454,10 +2457,10 @@ guest_physmap_mark_populate_on_demand(st + BUG_ON(p2m->pod.entry_count < 0); + } + ++out: + audit_p2m(p2m, 1); + p2m_unlock(p2m); + +-out: + return rc; + } + +@@ -2559,7 +2562,10 @@ guest_physmap_add_entry(struct p2m_domai if ( mfn_valid(_mfn(mfn)) ) { if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) @@ -28,7 +56,7 @@ http://lists.xen.org/archives/html/xen-devel/2012-11/msg00507.html if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ ) -@@ -2580,6 +2584,7 @@ guest_physmap_add_entry(struct p2m_domai +@@ -2580,6 +2586,7 @@ guest_physmap_add_entry(struct p2m_domai } } diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5510 b/sysutils/xenkernel41/patches/patch-CVE-2012-5510 new file mode 100644 index 00000000000..081ce7d5737 --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5510 @@ -0,0 +1,92 @@ +$NetBSD: patch-CVE-2012-5510,v 1.1 2012/12/05 19:16:26 drochner Exp $ + +see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00000.html + +--- xen/common/grant_table.c.orig 2012-08-10 13:51:47.000000000 +0000 ++++ xen/common/grant_table.c +@@ -1102,12 +1102,13 @@ fault: + } + + static int +-gnttab_populate_status_frames(struct domain *d, struct grant_table *gt) ++gnttab_populate_status_frames(struct domain *d, struct grant_table *gt, ++ unsigned int req_nr_frames) + { + unsigned i; + unsigned req_status_frames; + +- req_status_frames = grant_to_status_frames(gt->nr_grant_frames); ++ req_status_frames = grant_to_status_frames(req_nr_frames); + for ( i = nr_status_frames(gt); i < req_status_frames; i++ ) + { + if ( (gt->status[i] = alloc_xenheap_page()) == NULL ) +@@ -1138,7 +1139,12 @@ gnttab_unpopulate_status_frames(struct d + + for ( i = 0; i < nr_status_frames(gt); i++ ) + { +- page_set_owner(virt_to_page(gt->status[i]), dom_xen); ++ struct page_info *pg = virt_to_page(gt->status[i]); ++ ++ BUG_ON(page_get_owner(pg) != d); ++ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) ++ put_page(pg); ++ BUG_ON(pg->count_info & ~PGC_xen_heap); + free_xenheap_page(gt->status[i]); + gt->status[i] = NULL; + } +@@ -1176,19 +1182,18 @@ gnttab_grow_table(struct domain *d, unsi + clear_page(gt->shared_raw[i]); + } + +- /* Share the new shared frames with the recipient domain */ +- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) +- gnttab_create_shared_page(d, gt, i); +- +- gt->nr_grant_frames = req_nr_frames; +- + /* Status pages - version 2 */ + if (gt->gt_version > 1) + { +- if ( gnttab_populate_status_frames(d, gt) ) ++ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) + goto shared_alloc_failed; + } + ++ /* Share the new shared frames with the recipient domain */ ++ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) ++ gnttab_create_shared_page(d, gt, i); ++ gt->nr_grant_frames = req_nr_frames; ++ + return 1; + + shared_alloc_failed: +@@ -2129,7 +2134,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt + + if ( op.version == 2 && gt->gt_version < 2 ) + { +- res = gnttab_populate_status_frames(d, gt); ++ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt)); + if ( res < 0) + goto out_unlock; + } +@@ -2450,9 +2455,6 @@ grant_table_create( + clear_page(t->shared_raw[i]); + } + +- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) +- gnttab_create_shared_page(d, t, i); +- + /* Status pages for grant table - for version 2 */ + t->status = xmalloc_array(grant_status_t *, + grant_to_status_frames(max_nr_grant_frames)); +@@ -2460,6 +2462,10 @@ grant_table_create( + goto no_mem_4; + memset(t->status, 0, + grant_to_status_frames(max_nr_grant_frames) * sizeof(t->status[0])); ++ ++ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) ++ gnttab_create_shared_page(d, t, i); ++ + t->nr_status_frames = 0; + + /* Okay, install the structure. */ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_1 b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_1 new file mode 100644 index 00000000000..48d1f51e9bd --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_1 @@ -0,0 +1,116 @@ +$NetBSD: patch-CVE-2012-5511_1,v 1.1 2012/12/05 19:16:27 drochner Exp $ + +see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00006.html + +fix for CVE-2012-5512 is also here, see +http://lists.xen.org/archives/html/xen-announce/2012-12/msg00003.html + +--- xen/arch/x86/hvm/hvm.c.orig 2012-08-10 13:51:44.000000000 +0000 ++++ xen/arch/x86/hvm/hvm.c +@@ -3446,6 +3446,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + if ( !is_hvm_domain(d) ) + goto param_fail2; + ++ if ( a.nr > GB(1) >> PAGE_SHIFT ) ++ goto param_fail2; ++ + rc = xsm_hvm_param(d, op); + if ( rc ) + goto param_fail2; +@@ -3473,7 +3476,6 @@ long do_hvm_op(unsigned long op, XEN_GUE + struct xen_hvm_modified_memory a; + struct domain *d; + struct p2m_domain *p2m; +- unsigned long pfn; + + if ( copy_from_guest(&a, arg, 1) ) + return -EFAULT; +@@ -3501,8 +3503,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + goto param_fail3; + + p2m = p2m_get_hostp2m(d); +- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) ++ while ( a.nr > 0 ) + { ++ unsigned long pfn = a.first_pfn; + p2m_type_t t; + mfn_t mfn = gfn_to_mfn(p2m, pfn, &t); + if ( p2m_is_paging(t) ) +@@ -3523,6 +3526,19 @@ long do_hvm_op(unsigned long op, XEN_GUE + /* don't take a long time and don't die either */ + sh_remove_shadows(d->vcpu[0], mfn, 1, 0); + } ++ ++ a.first_pfn++; ++ a.nr--; ++ ++ /* Check for continuation if it's not the last interation */ ++ if ( a.nr > 0 && hypercall_preempt_check() ) ++ { ++ if ( copy_to_guest(arg, &a, 1) ) ++ rc = -EFAULT; ++ else ++ rc = -EAGAIN; ++ break; ++ } + } + + param_fail3: +@@ -3566,7 +3582,6 @@ long do_hvm_op(unsigned long op, XEN_GUE + struct xen_hvm_set_mem_type a; + struct domain *d; + struct p2m_domain *p2m; +- unsigned long pfn; + + /* Interface types to internal p2m types */ + p2m_type_t memtype[] = { +@@ -3596,8 +3611,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + goto param_fail4; + + p2m = p2m_get_hostp2m(d); +- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) ++ while ( a.nr > 0 ) + { ++ unsigned long pfn = a.first_pfn; + p2m_type_t t; + p2m_type_t nt; + mfn_t mfn; +@@ -3633,6 +3649,19 @@ long do_hvm_op(unsigned long op, XEN_GUE + goto param_fail4; + } + } ++ ++ a.first_pfn++; ++ a.nr--; ++ ++ /* Check for continuation if it's not the last interation */ ++ if ( a.nr > 0 && hypercall_preempt_check() ) ++ { ++ if ( copy_to_guest(arg, &a, 1) ) ++ rc = -EFAULT; ++ else ++ rc = -EAGAIN; ++ goto param_fail4; ++ } + } + + rc = 0; +@@ -3670,7 +3699,7 @@ long do_hvm_op(unsigned long op, XEN_GUE + return rc; + + rc = -EINVAL; +- if ( !is_hvm_domain(d) ) ++ if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) ) + goto param_fail5; + + p2m = p2m_get_hostp2m(d); +@@ -3690,9 +3719,6 @@ long do_hvm_op(unsigned long op, XEN_GUE + ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) + goto param_fail5; + +- if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) ) +- goto param_fail5; +- + for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) + { + p2m_type_t t; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 new file mode 100644 index 00000000000..d8877e61284 --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 @@ -0,0 +1,29 @@ +$NetBSD: patch-CVE-2012-5511_2,v 1.1 2012/12/05 19:16:27 drochner Exp $ + +--- xen/arch/x86/mm/paging.c.orig 2012-08-10 13:51:45.000000000 +0000 ++++ xen/arch/x86/mm/paging.c +@@ -529,13 +529,18 @@ int paging_log_dirty_range(struct domain + + if ( !d->arch.paging.log_dirty.fault_count && + !d->arch.paging.log_dirty.dirty_count ) { +- int size = (nr + BITS_PER_LONG - 1) / BITS_PER_LONG; +- unsigned long zeroes[size]; +- memset(zeroes, 0x00, size * BYTES_PER_LONG); ++ static uint8_t zeroes[PAGE_SIZE]; ++ int off, size; ++ ++ size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long); + rv = 0; +- if ( copy_to_guest_offset(dirty_bitmap, 0, (uint8_t *) zeroes, +- size * BYTES_PER_LONG) != 0 ) +- rv = -EFAULT; ++ for ( off = 0; !rv && off < size; off += sizeof zeroes ) ++ { ++ int todo = min(size - off, (int) PAGE_SIZE); ++ if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) ) ++ rv = -EFAULT; ++ off += todo; ++ } + goto out; + } + d->arch.paging.log_dirty.fault_count = 0; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_3 b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_3 new file mode 100644 index 00000000000..e059a116624 --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_3 @@ -0,0 +1,22 @@ +$NetBSD: patch-CVE-2012-5511_3,v 1.1 2012/12/05 19:16:27 drochner Exp $ + +--- xen/include/asm-x86/config.h.orig 2012-08-10 13:51:52.000000000 +0000 ++++ xen/include/asm-x86/config.h +@@ -108,6 +108,9 @@ extern unsigned int trampoline_xen_phys_ + extern unsigned char trampoline_cpu_started; + extern char wakeup_start[]; + extern unsigned int video_mode, video_flags; ++ ++#define GB(_gb) (_gb ## UL << 30) ++ + #endif + + #define asmlinkage +@@ -123,7 +126,6 @@ extern unsigned int video_mode, video_fl + #define PML4_ADDR(_slot) \ + ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \ + (_slot ## UL << PML4_ENTRY_BITS)) +-#define GB(_gb) (_gb ## UL << 30) + #else + #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS) + #define PML4_ADDR(_slot) \ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5513_1 b/sysutils/xenkernel41/patches/patch-CVE-2012-5513_1 new file mode 100644 index 00000000000..1aa9039acdb --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5513_1 @@ -0,0 +1,19 @@ +$NetBSD: patch-CVE-2012-5513_1,v 1.1 2012/12/05 19:16:27 drochner Exp $ + +see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00004.html + +--- xen/common/compat/memory.c.orig 2012-08-10 13:51:47.000000000 +0000 ++++ xen/common/compat/memory.c +@@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, X + (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) + return -EINVAL; + ++ if ( !compat_handle_okay(cmp.xchg.in.extent_start, ++ cmp.xchg.in.nr_extents) || ++ !compat_handle_okay(cmp.xchg.out.extent_start, ++ cmp.xchg.out.nr_extents) ) ++ return -EFAULT; ++ + start_extent = cmp.xchg.nr_exchanged; + end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / + (((1U << ABS(order_delta)) + 1) * diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5513_2 b/sysutils/xenkernel41/patches/patch-CVE-2012-5513_2 new file mode 100644 index 00000000000..223ff6905ec --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5513_2 @@ -0,0 +1,51 @@ +$NetBSD: patch-CVE-2012-5513_2,v 1.1 2012/12/05 19:16:27 drochner Exp $ + +fix for CVE-2012-5515 is also here, see +http://lists.xen.org/archives/html/xen-announce/2012-12/msg00001.html + +--- xen/common/memory.c.orig 2012-08-10 13:51:48.000000000 +0000 ++++ xen/common/memory.c +@@ -117,7 +117,8 @@ static void populate_physmap(struct memo + + if ( a->memflags & MEMF_populate_on_demand ) + { +- if ( guest_physmap_mark_populate_on_demand(d, gpfn, ++ if ( a->extent_order > MAX_ORDER || ++ guest_physmap_mark_populate_on_demand(d, gpfn, + a->extent_order) < 0 ) + goto out; + } +@@ -216,7 +217,8 @@ static void decrease_reservation(struct + xen_pfn_t gmfn; + + if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, +- a->nr_extents-1) ) ++ a->nr_extents-1) || ++ a->extent_order > MAX_ORDER ) + return; + + for ( i = a->nr_done; i < a->nr_extents; i++ ) +@@ -278,6 +280,9 @@ static long memory_exchange(XEN_GUEST_HA + if ( (exch.nr_exchanged > exch.in.nr_extents) || + /* Input and output domain identifiers match? */ + (exch.in.domid != exch.out.domid) || ++ /* Extent orders are sensible? */ ++ (exch.in.extent_order > MAX_ORDER) || ++ (exch.out.extent_order > MAX_ORDER) || + /* Sizes of input and output lists do not overflow a long? */ + ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || + ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || +@@ -289,6 +294,13 @@ static long memory_exchange(XEN_GUEST_HA + goto fail_early; + } + ++ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || ++ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) ++ { ++ rc = -EFAULT; ++ goto fail_early; ++ } ++ + /* Only privileged guests can allocate multi-page contiguous extents. */ + if ( !multipage_allocation_permitted(current->domain, + exch.in.extent_order) || |