apply fixes from upstream for

XSA-125 Long latency MMIO mapping operations are not preemptible XSA-126 Unmediated PCI command register access in qemu
author: spz <spz@pkgsrc.org> 2015-04-19 13:13:20 +0000
committer: spz <spz@pkgsrc.org> 2015-04-19 13:13:20 +0000
commit: 81c1aa86a36d26cee1f27e620ade27948b3d69c3 (patch)
tree: d84cb53f00d84b881e1baf95060030f1bc0c4871 /sysutils/xenkernel41
parent: 41e65e2d201502355c945ab8875442bc9b6fe6f1 (diff)
download: pkgsrc-81c1aa86a36d26cee1f27e620ade27948b3d69c3.tar.gz
4 files changed, 255 insertions, 3 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index 6fdbef578bb..540398090cf 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.44 2015/03/10 20:27:16 spz Exp $
+# $NetBSD: Makefile,v 1.45 2015/04/19 13:13:20 spz Exp $
 
 VERSION=	4.1.6.1
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
-PKGREVISION=	15
+PKGREVISION=	16
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 84ecb8b595c..56eff5e7d1c 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.35 2015/03/10 20:27:16 spz Exp $
+$NetBSD: distinfo,v 1.36 2015/04/19 13:13:20 spz Exp $
 
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
@@ -28,6 +28,8 @@ SHA1 (patch-CVE-2014-9030) = f52c302585b0f4b074f7562e6b8cddacb26deee4
 SHA1 (patch-CVE-2015-2044) = 00d32273d0a9f51927ff94a13f916382c3126e60
 SHA1 (patch-CVE-2015-2045) = e1874bbde0cce7db4ee9260440f5280d404027d7
 SHA1 (patch-CVE-2015-2151) = aed92f50d162febc3074f7edecaf6ca418d0b42c
+SHA1 (patch-CVE-2015-2752) = 37f44989a3b3c69dea8e9de9fc34ffd5c2e8b087
+SHA1 (patch-CVE-2015-2756) = b3b133d42229ecc8c308644b17e5317cd77f9a98
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2752 b/sysutils/xenkernel41/patches/patch-CVE-2015-2752
new file mode 100644
index 00000000000..b6aba0008e7
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2015-2752
@@ -0,0 +1,108 @@
+$NetBSD: patch-CVE-2015-2752,v 1.1 2015/04/19 13:13:20 spz Exp $
+
+Patch for CVE-2015-2752 aka XSA-125 from
+http://xenbits.xenproject.org/xsa/xsa125-4.2.patch
+
+--- tools/libxc/xc_domain.c.orig	2013-09-10 06:42:18.000000000 +0000
++++ tools/libxc/xc_domain.c
+@@ -1322,6 +1322,13 @@ int xc_domain_bind_pt_isa_irq(
+                                   PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq));
+ }
+ 
++#ifndef min
++#define min(X, Y) ({                             \
++            const typeof (X) _x = (X);           \
++            const typeof (Y) _y = (Y);           \
++            (void) (&_x == &_y);                 \
++            (_x < _y) ? _x : _y; })
++#endif
+ int xc_domain_memory_mapping(
+     xc_interface *xch,
+     uint32_t domid,
+@@ -1331,17 +1338,55 @@ int xc_domain_memory_mapping(
+     uint32_t add_mapping)
+ {
+     DECLARE_DOMCTL;
++    int ret = 0, err;
++    unsigned long done = 0, nr, max_batch_sz;
++
++    if ( !nr_mfns )
++        return 0;
+ 
+     domctl.cmd = XEN_DOMCTL_memory_mapping;
+     domctl.domain = domid;
+-    domctl.u.memory_mapping.first_gfn = first_gfn;
+-    domctl.u.memory_mapping.first_mfn = first_mfn;
+-    domctl.u.memory_mapping.nr_mfns = nr_mfns;
+     domctl.u.memory_mapping.add_mapping = add_mapping;
++    max_batch_sz = nr_mfns;
++    do
++    {
++        nr = min(nr_mfns - done, max_batch_sz);
++        domctl.u.memory_mapping.nr_mfns = nr;
++        domctl.u.memory_mapping.first_gfn = first_gfn + done;
++        domctl.u.memory_mapping.first_mfn = first_mfn + done;
++        err = do_domctl(xch, &domctl);
++        if ( err && errno == E2BIG )
++        {
++            if ( max_batch_sz <= 1 )
++                break;
++            max_batch_sz >>= 1;
++            continue;
++        }
++        /* Save the first error... */
++        if ( !ret )
++            ret = err;
++        /* .. and ignore the rest of them when removing. */
++        if ( err && add_mapping != DPCI_REMOVE_MAPPING )
++            break;
++
++        done += nr;
++    } while ( done < nr_mfns );
++
++    /*
++     * Undo what we have done unless unmapping, by unmapping the entire region.
++     * Errors here are ignored.
++     */
++    if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
++        xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
++                                 DPCI_REMOVE_MAPPING);
++
++    /* We might get E2BIG so many times that we never advance. */
++    if ( !done && !ret )
++        ret = -1;
+ 
+-    return do_domctl(xch, &domctl);
++    return ret;
+ }
+-
++#undef min
+ int xc_domain_ioport_mapping(
+     xc_interface *xch,
+     uint32_t domid,
+
+--- xen/arch/x86/domctl.c.orig	2015-04-19 10:54:27.000000000 +0000
++++ xen/arch/x86/domctl.c
+@@ -998,6 +998,11 @@ long arch_do_domctl(
+              (gfn + nr_mfns - 1) < gfn ) /* wrap? */
+             break;
+ 
++        ret = -E2BIG;
++        /* Must break hypercall up as this could take a while. */
++        if ( nr_mfns > 64 )
++            break;
++
+         ret = -EPERM;
+         if ( !IS_PRIV(current->domain) &&
+              !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) )
+
+--- xen/include/public/domctl.h.orig	2013-09-10 06:42:18.000000000 +0000
++++ xen/include/public/domctl.h
+@@ -505,6 +505,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_
+ 
+ 
+ /* Bind machine I/O address range -> HVM address range. */
++/* If this returns -E2BIG lower nr_mfns value. */
+ /* XEN_DOMCTL_memory_mapping */
+ #define DPCI_ADD_MAPPING         1
+ #define DPCI_REMOVE_MAPPING      0
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2756 b/sysutils/xenkernel41/patches/patch-CVE-2015-2756
new file mode 100644
index 00000000000..cbd78298c0c
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2015-2756
@@ -0,0 +1,142 @@
+$NetBSD: patch-CVE-2015-2756,v 1.1 2015/04/19 13:13:20 spz Exp $
+
+patch for CVE-2015-2756 aka XSA-126 from
+http://xenbits.xenproject.org/xsa/xsa126-qemut.patch
+
+--- tools/ioemu-qemu-xen/hw/pass-through.c.orig	2013-07-17 10:59:40.000000000 +0000
++++ tools/ioemu-qemu-xen/hw/pass-through.c
+@@ -171,9 +171,6 @@ static int pt_word_reg_read(struct pt_de
+ static int pt_long_reg_read(struct pt_dev *ptdev,
+     struct pt_reg_tbl *cfg_entry,
+     uint32_t *value, uint32_t valid_mask);
+-static int pt_cmd_reg_read(struct pt_dev *ptdev,
+-    struct pt_reg_tbl *cfg_entry,
+-    uint16_t *value, uint16_t valid_mask);
+ static int pt_bar_reg_read(struct pt_dev *ptdev,
+     struct pt_reg_tbl *cfg_entry,
+     uint32_t *value, uint32_t valid_mask);
+@@ -277,9 +274,9 @@ static struct pt_reg_info_tbl pt_emu_reg
+         .size       = 2,
+         .init_val   = 0x0000,
+         .ro_mask    = 0xF880,
+-        .emu_mask   = 0x0740,
++        .emu_mask   = 0x0743,
+         .init       = pt_common_reg_init,
+-        .u.w.read   = pt_cmd_reg_read,
++        .u.w.read   = pt_word_reg_read,
+         .u.w.write  = pt_cmd_reg_write,
+         .u.w.restore  = pt_cmd_reg_restore,
+     },
+@@ -1865,7 +1862,7 @@ static int pt_dev_is_virtfn(struct pci_d
+     return rc;
+ }
+ 
+-static int pt_register_regions(struct pt_dev *assigned_device)
++static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
+ {
+     int i = 0;
+     uint32_t bar_data = 0;
+@@ -1885,17 +1882,26 @@ static int pt_register_regions(struct pt
+ 
+             /* Register current region */
+             if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
++            {
+                 pci_register_io_region((PCIDevice *)assigned_device, i,
+                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
+                     pt_ioport_map);
++                *cmd |= PCI_COMMAND_IO;
++            }
+             else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
++            {
+                 pci_register_io_region((PCIDevice *)assigned_device, i,
+                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
+                     pt_iomem_map);
++                *cmd |= PCI_COMMAND_MEMORY;
++            }
+             else
++            {
+                 pci_register_io_region((PCIDevice *)assigned_device, i,
+                     (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
+                     pt_iomem_map);
++                *cmd |= PCI_COMMAND_MEMORY;
++            }
+ 
+             PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
+                 (uint32_t)(pci_dev->size[i]),
+@@ -3221,27 +3227,6 @@ static int pt_long_reg_read(struct pt_de
+    return 0;
+ }
+ 
+-/* read Command register */
+-static int pt_cmd_reg_read(struct pt_dev *ptdev,
+-        struct pt_reg_tbl *cfg_entry,
+-        uint16_t *value, uint16_t valid_mask)
+-{
+-    struct pt_reg_info_tbl *reg = cfg_entry->reg;
+-    uint16_t valid_emu_mask = 0;
+-    uint16_t emu_mask = reg->emu_mask;
+-
+-    if ( ptdev->is_virtfn )
+-        emu_mask |= PCI_COMMAND_MEMORY;
+-    if ( pt_is_iomul(ptdev) )
+-        emu_mask |= PCI_COMMAND_IO;
+-
+-    /* emulate word register */
+-    valid_emu_mask = emu_mask & valid_mask;
+-    *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
+-
+-    return 0;
+-}
+-
+ /* read BAR */
+ static int pt_bar_reg_read(struct pt_dev *ptdev,
+         struct pt_reg_tbl *cfg_entry,
+@@ -3376,19 +3361,13 @@ static int pt_cmd_reg_write(struct pt_de
+     uint16_t writable_mask = 0;
+     uint16_t throughable_mask = 0;
+     uint16_t wr_value = *value;
+-    uint16_t emu_mask = reg->emu_mask;
+-
+-    if ( ptdev->is_virtfn )
+-        emu_mask |= PCI_COMMAND_MEMORY;
+-    if ( pt_is_iomul(ptdev) )
+-        emu_mask |= PCI_COMMAND_IO;
+ 
+     /* modify emulate register */
+     writable_mask = ~reg->ro_mask & valid_mask;
+     cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
+ 
+     /* create value for writing to I/O device register */
+-    throughable_mask = ~emu_mask & valid_mask;
++    throughable_mask = ~reg->emu_mask & valid_mask;
+ 
+     if (*value & PCI_COMMAND_DISABLE_INTx)
+     {
+@@ -4151,6 +4130,7 @@ static struct pt_dev * register_real_dev
+     struct pt_dev *assigned_device = NULL;
+     struct pci_dev *pci_dev;
+     uint8_t e_device, e_intx;
++    uint16_t cmd = 0;
+     char *key, *val;
+     int msi_translate, power_mgmt;
+ 
+@@ -4240,7 +4220,7 @@ static struct pt_dev * register_real_dev
+         assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
+ 
+     /* Handle real device's MMIO/PIO BARs */
+-    pt_register_regions(assigned_device);
++    pt_register_regions(assigned_device, &cmd);
+ 
+     /* Setup VGA bios for passthroughed gfx */
+     if ( setup_vga_pt(assigned_device) < 0 )
+@@ -4318,6 +4298,10 @@ static struct pt_dev * register_real_dev
+     }
+ 
+ out:
++    if (cmd)
++        pci_write_word(pci_dev, PCI_COMMAND,
++            *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
++
+     PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
+            "IRQ type = %s\n", r_bus, r_dev, r_func,
+            assigned_device->msi_trans_en? "MSI-INTx":"INTx");
author	spz <spz@pkgsrc.org>	2015-04-19 13:13:20 +0000
committer	spz <spz@pkgsrc.org>	2015-04-19 13:13:20 +0000
commit	81c1aa86a36d26cee1f27e620ade27948b3d69c3 (patch)
tree	d84cb53f00d84b881e1baf95060030f1bc0c4871 /sysutils/xenkernel41
parent	41e65e2d201502355c945ab8875442bc9b6fe6f1 (diff)
download	pkgsrc-81c1aa86a36d26cee1f27e620ade27948b3d69c3.tar.gz