authordrochner <drochner@pkgsrc.org>2014-05-05 13:39:10 +0000
committerdrochner <drochner@pkgsrc.org>2014-05-05 13:39:10 +0000
commitad3b985ffa0500211c526d6e4227ce99c895ef2e (patch)
treebd14f59937b1fbd33ecd587c1df2cba06fb5befa /sysutils/xenkernel41
parente3e4bdd1867e72cc86586f41c16772b93e078ddc (diff)
downloadpkgsrc-ad3b985ffa0500211c526d6e4227ce99c895ef2e.tar.gz
fix possible creation of invalid P2M entries, leading to xen crash
The vulnerability is only exposed to service domains for HVM guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm). bump PKGREV
Diffstat (limited to 'sysutils/xenkernel41')
-rw-r--r--sysutils/xenkernel41/Makefile4
-rw-r--r--sysutils/xenkernel41/distinfo5
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2013-4355_135
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2014-312424
4 files changed, 56 insertions, 12 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index 58d87f89555..5f8fa4de72b 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.35 2014/03/28 16:07:08 drochner Exp $
+# $NetBSD: Makefile,v 1.36 2014/05/05 13:39:10 drochner Exp $
VERSION= 4.1.6.1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 8
+PKGREVISION= 9
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index ff60ec1fb61..2bcf750e0ee 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.27 2014/03/28 16:07:08 drochner Exp $
+$NetBSD: distinfo,v 1.28 2014/05/05 13:39:10 drochner Exp $
SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
-SHA1 (patch-CVE-2013-4355_1) = 91fb26907b2ac7d2435a6efce000569b71523247
+SHA1 (patch-CVE-2013-4355_1) = 99068aa658fc231fe6c6c77bf61d68405318aaa8
SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
@@ -15,6 +15,7 @@ SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d
SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d
SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e
+SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145
SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
index 581eca4a1d5..42d622fed20 100644
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
@@ -1,4 +1,4 @@
-$NetBSD: patch-CVE-2013-4355_1,v 1.3 2014/03/28 16:07:08 drochner Exp $
+$NetBSD: patch-CVE-2013-4355_1,v 1.4 2014/05/05 13:39:10 drochner Exp $
http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
also fixes
@@ -7,10 +7,13 @@ http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html
also fixes
http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
(CVE-2014-2599)
+also fixes
+http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html
+(CVE-2014-3124)
---- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000
-+++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000
-@@ -1961,11 +1961,7 @@
+--- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c 2014-04-30 13:11:30.000000000 +0000
+@@ -1961,11 +1961,7 @@ void hvm_task_switch(
rc = hvm_copy_from_guest_virt(
&tss, prev_tr.base, sizeof(tss), PFEC_page_present);
@@ -23,7 +26,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
goto out;
eflags = regs->eflags;
-@@ -2010,13 +2006,11 @@
+@@ -2010,13 +2006,11 @@ void hvm_task_switch(
rc = hvm_copy_from_guest_virt(
&tss, tr.base, sizeof(tss), PFEC_page_present);
@@ -42,7 +45,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
goto out;
-@@ -2834,7 +2828,7 @@
+@@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg
case 4:
case 2:
hvm_get_segment_register(curr, x86_seg_ss, &sreg);
@@ -51,7 +54,23 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
{
default:
regs->eax = -EPERM;
-@@ -3746,7 +3740,7 @@
+@@ -3657,13 +3651,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ rc = -EINVAL;
+ goto param_fail4;
+ }
+- if ( p2m_is_grant(t) )
+- {
+- gdprintk(XENLOG_WARNING,
+- "type for pfn 0x%lx changed to grant while "
+- "we were working?\n", pfn);
++ if ( !p2m_is_ram(t) &&
++ (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) )
+ goto param_fail4;
+- }
+ else
+ {
+ nt = p2m_change_type(p2m, pfn, t, memtype[a.hvmmem_type]);
+@@ -3746,7 +3736,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
goto param_fail5;
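Review bot: The rewritten type check in the nested hunk `@@ -3657,13 +3651,9 @@` refuses a request with a bare `goto param_fail4;`, whereas the branch it replaces logged a gdprintk warning first, so a refused type change no longer leaves a trace in the hypervisor log. The condition is the whole of the fix and carries no comment; something like `/* RAM may change to the requested type, a hole only to HVMMEM_mmio_dm; everything else is refused */` above the `if` would record the intended policy. Because the `if` ends in a goto, the `else` that follows is redundant, though keeping it presumably minimises the difference from the upstream patch. rc is not assigned in the visible lines of this branch, so the error code returned on refusal depends on code outside the hunk; do_hvm_op begins and ends outside it.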
@@ -60,7 +79,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
{
p2m_type_t t;
mfn_t mfn;
-@@ -3759,6 +3753,17 @@
+@@ -3759,6 +3749,17 @@ long do_hvm_op(unsigned long op, XEN_GUE
p2m_unlock(p2m);
if ( !success )
goto param_fail5;
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-3124 b/sysutils/xenkernel41/patches/patch-CVE-2014-3124
new file mode 100644
index 00000000000..ffbb3761b2f
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2014-3124
@@ -0,0 +1,24 @@
+--- xen/include/asm-x86/p2m.h.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/include/asm-x86/p2m.h 2014-04-30 13:11:30.000000000 +0000
+@@ -134,6 +134,13 @@ typedef enum {
+ | p2m_to_mask(p2m_ram_paging_in) \
+ | p2m_to_mask(p2m_ram_shared))
+
++/* Types that represent a physmap hole. */
++#define P2M_HOLE_TYPES (p2m_to_mask(p2m_mmio_dm) \
++ | p2m_to_mask(p2m_invalid) \
++ | p2m_to_mask(p2m_ram_paging_in_start) \
++ | p2m_to_mask(p2m_ram_paging_in) \
++ | p2m_to_mask(p2m_ram_paged))
++
+ /* Grant mapping types, which map to a real machine frame in another
+ * VM */
+ #define P2M_GRANT_TYPES (p2m_to_mask(p2m_grant_map_rw) \
+@@ -170,6 +177,7 @@ typedef enum {
+
+ /* Useful predicates */
+ #define p2m_is_ram(_t) (p2m_to_mask(_t) & P2M_RAM_TYPES)
++#define p2m_is_hole(_t) (p2m_to_mask(_t) & P2M_HOLE_TYPES)
+ #define p2m_is_mmio(_t) (p2m_to_mask(_t) & P2M_MMIO_TYPES)
+ #define p2m_is_readonly(_t) (p2m_to_mask(_t) & P2M_RO_TYPES)
+ #define p2m_is_magic(_t) (p2m_to_mask(_t) & P2M_MAGIC_TYPES)
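Review bot: The new patch file begins directly at `--- xen/include/asm-x86/p2m.h.orig`, without the `$NetBSD$` line and upstream reference that patch-CVE-2013-4355_1 carries at its top, so the origin of this security fix cannot be checked from the file itself. I would add a header of `$NetBSD$` followed by `http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html` and `(CVE-2014-3124)`, matching the lines added to the other patch in this commit; the distinfo checksum would then need regenerating. Separately, P2M_HOLE_TYPES lists `p2m_ram_paging_in_start` and `p2m_ram_paging_in`, and the macro that ends just above it in the context also includes `p2m_ram_paging_in`. If that macro is P2M_RAM_TYPES, the two predicates overlap, and a sentence in the `/* Types that represent a physmap hole. */` comment saying the overlap is intended would help the next reader. The typedef and the preceding macro start outside the hunk.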