fix out-of-bounds memory read access in x2APIC emulation (HVM only)

(CVE-2014-7188)
bump PKGREV

3 files changed, 27 insertions, 6 deletions

diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index f406f1b46d4..6e8243051bd 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.39 2014/09/26 10:45:00 bouyer Exp $
+# $NetBSD: Makefile,v 1.40 2014/10/01 17:18:22 drochner Exp $
 
 VERSION=	4.1.6.1
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
-PKGREVISION=	11
+PKGREVISION=	12
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 9b1f54d7f8c..1870679ad96 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.30 2014/09/26 10:45:00 bouyer Exp $
+$NetBSD: distinfo,v 1.31 2014/10/01 17:18:22 drochner Exp $
 
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
-SHA1 (patch-CVE-2013-4355_1) = 99068aa658fc231fe6c6c77bf61d68405318aaa8
+SHA1 (patch-CVE-2013-4355_1) = 56dde995d7df4f18576040007fd5532de61d9069
 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
index 42d622fed20..202e85d183e 100644
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
@@ -1,4 +1,4 @@
-$NetBSD: patch-CVE-2013-4355_1,v 1.4 2014/05/05 13:39:10 drochner Exp $
+$NetBSD: patch-CVE-2013-4355_1,v 1.5 2014/10/01 17:18:22 drochner Exp $
 
 http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
 also fixes
@@ -10,9 +10,12 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
 also fixes
 http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html
 (CVE-2014-3124)
+also fixes
+http://lists.xenproject.org/archives/html/xen-devel/2014-10/msg00065.html
+(CVE-2014-7188)
 
 --- xen/arch/x86/hvm/hvm.c.orig	2013-09-10 06:42:18.000000000 +0000
-+++ xen/arch/x86/hvm/hvm.c	2014-04-30 13:11:30.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c	2014-10-01 16:40:48.000000000 +0000
 @@ -1961,11 +1961,7 @@ void hvm_task_switch(
  
      rc = hvm_copy_from_guest_virt(
@@ -45,6 +48,24 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html
          goto out;
  
  
+@@ -2409,7 +2403,7 @@ int hvm_msr_read_intercept(unsigned int 
+         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+             goto gp_fault;
+         break;
+@@ -2529,7 +2523,7 @@ int hvm_msr_write_intercept(unsigned int
+         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+             goto gp_fault;
+         break;
 @@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg
      case 4:
      case 2: