author | drochner <drochner@pkgsrc.org> | 2014-05-05 13:39:10 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2014-05-05 13:39:10 +0000 |
commit | ad3b985ffa0500211c526d6e4227ce99c895ef2e (patch) | |
tree | bd14f59937b1fbd33ecd587c1df2cba06fb5befa /sysutils/xenkernel41 | |
parent | e3e4bdd1867e72cc86586f41c16772b93e078ddc (diff) | |
download | pkgsrc-ad3b985ffa0500211c526d6e4227ce99c895ef2e.tar.gz |
fix possible creation of invalid P2M entries, leading to xen crash
The vulnerability is only exposed to service domains for HVM guests
which have privilege over the guest. In a usual configuration that
means only device model emulators (qemu-dm).
bump PKGREV
Diffstat (limited to 'sysutils/xenkernel41')
-rw-r--r-- | sysutils/xenkernel41/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel41/distinfo | 5 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 | 35 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2014-3124 | 24 |
4 files changed, 56 insertions, 12 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index 58d87f89555..5f8fa4de72b 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.35 2014/03/28 16:07:08 drochner Exp $ +# $NetBSD: Makefile,v 1.36 2014/05/05 13:39:10 drochner Exp $ VERSION= 4.1.6.1 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 8 +PKGREVISION= 9 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index ff60ec1fb61..2bcf750e0ee 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.27 2014/03/28 16:07:08 drochner Exp $ +$NetBSD: distinfo,v 1.28 2014/05/05 13:39:10 drochner Exp $ SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 -SHA1 (patch-CVE-2013-4355_1) = 91fb26907b2ac7d2435a6efce000569b71523247 +SHA1 (patch-CVE-2013-4355_1) = 99068aa658fc231fe6c6c77bf61d68405318aaa8 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 
@@ -15,6 +15,7 @@ SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1 SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e +SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 index 581eca4a1d5..42d622fed20 100644 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 +++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 @@ -1,4 +1,4 @@ -$NetBSD: patch-CVE-2013-4355_1,v 1.3 2014/03/28 16:07:08 drochner Exp $ +$NetBSD: patch-CVE-2013-4355_1,v 1.4 2014/05/05 13:39:10 drochner Exp $ http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html also fixes @@ -7,10 +7,13 @@ http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html also fixes http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html (CVE-2014-2599) +also fixes +http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html +(CVE-2014-3124) ---- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000 -+++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000 -@@ -1961,11 +1961,7 @@ +--- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000 ++++ xen/arch/x86/hvm/hvm.c 2014-04-30 13:11:30.000000000 +0000 +@@ -1961,11 +1961,7 @@ void hvm_task_switch( rc = hvm_copy_from_guest_virt( &tss, prev_tr.base, sizeof(tss), PFEC_page_present); 
@@ -23,7 +26,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html goto out; eflags = regs->eflags; -@@ -2010,13 +2006,11 @@ +@@ -2010,13 +2006,11 @@ void hvm_task_switch( rc = hvm_copy_from_guest_virt( &tss, tr.base, sizeof(tss), PFEC_page_present); @@ -42,7 +45,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html goto out; -@@ -2834,7 +2828,7 @@ +@@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg case 4: case 2: hvm_get_segment_register(curr, x86_seg_ss, &sreg); @@ -51,7 +54,23 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html { default: regs->eax = -EPERM; -@@ -3746,7 +3740,7 @@ +@@ -3657,13 +3651,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + rc = -EINVAL; + goto param_fail4; + } +- if ( p2m_is_grant(t) ) +- { +- gdprintk(XENLOG_WARNING, +- "type for pfn 0x%lx changed to grant while " +- "we were working?\n", pfn); ++ if ( !p2m_is_ram(t) && ++ (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) ) + goto param_fail4; +- } + else + { + nt = p2m_change_type(p2m, pfn, t, memtype[a.hvmmem_type]); +@@ -3746,7 +3736,7 @@ long do_hvm_op(unsigned long op, XEN_GUE ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) goto param_fail5; @@ -60,7 +79,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html { p2m_type_t t; mfn_t mfn; -@@ -3759,6 +3753,17 @@ +@@ -3759,6 +3749,17 @@ long do_hvm_op(unsigned long op, XEN_GUE p2m_unlock(p2m); if ( !success ) goto param_fail5; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-3124 b/sysutils/xenkernel41/patches/patch-CVE-2014-3124 new file mode 100644 index 00000000000..ffbb3761b2f --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2014-3124 
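Review bot: The new rejection branch in the `@@ -3657,13 +3651,9 @@` hunk of do_hvm_op() fails silently. The removed `gdprintk` was the only diagnostic on this path, and no `rc` assignment is visible before `goto param_fail4`, so the error returned depends on code outside the hunk. Because this check appears to be the guard against invalid P2M type changes that the commit message describes, I would set `rc = -EINVAL;` explicitly before the `goto` and keep a `gdprintk(XENLOG_WARNING, ...)` that names the pfn and the rejected type, so a misbehaving device model shows up in the hypervisor log. A short comment above the condition, such as `/* Only RAM, or a hole being retyped to mmio_dm, may change type here. */`, would make the allowed transitions readable at a glance. The body of do_hvm_op() starts and ends outside this hunk.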
@@ -0,0 +1,24 @@
+--- xen/include/asm-x86/p2m.h.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/include/asm-x86/p2m.h 2014-04-30 13:11:30.000000000 +0000
+@@ -134,6 +134,13 @@ typedef enum {
+ | p2m_to_mask(p2m_ram_paging_in) \
+ | p2m_to_mask(p2m_ram_shared))
+
++/* Types that represent a physmap hole. */
++#define P2M_HOLE_TYPES (p2m_to_mask(p2m_mmio_dm) \
++ | p2m_to_mask(p2m_invalid) \
++ | p2m_to_mask(p2m_ram_paging_in_start) \
++ | p2m_to_mask(p2m_ram_paging_in) \
++ | p2m_to_mask(p2m_ram_paged))
++
+ /* Grant mapping types, which map to a real machine frame in another
+ * VM */
+ #define P2M_GRANT_TYPES (p2m_to_mask(p2m_grant_map_rw) \
+@@ -170,6 +177,7 @@ typedef enum {
+
+ /* Useful predicates */
+ #define p2m_is_ram(_t) (p2m_to_mask(_t) & P2M_RAM_TYPES)
++#define p2m_is_hole(_t) (p2m_to_mask(_t) & P2M_HOLE_TYPES)
+ #define p2m_is_mmio(_t) (p2m_to_mask(_t) & P2M_MMIO_TYPES)
+ #define p2m_is_readonly(_t) (p2m_to_mask(_t) & P2M_RO_TYPES)
+ #define p2m_is_magic(_t) (p2m_to_mask(_t) & P2M_MAGIC_TYPES) |
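Review bot: `P2M_HOLE_TYPES` includes `p2m_ram_paging_in`, which also appears in the mask whose tail is visible as context just above the new definition, so `p2m_is_hole()` is not disjoint from that mask's predicate. If that mask is P2M_RAM_TYPES (its name is outside the hunk), a caller that tests `p2m_is_ram()` first never reaches its hole branch for that type, and a caller that tests `p2m_is_hole()` first treats a paging-in page as a hole. The one-line comment should state whether the overlap is intended, for example `/* Types that represent a physmap hole; may overlap the paging RAM types, so callers must decide which predicate takes precedence. */`.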