add patches from Xen SA 20..24 to fix various security problems

(CVE-2012-4535..4539) bump PKGREV
author: drochner <drochner> 2012-11-14 13:42:41 +0000
committer: drochner <drochner> 2012-11-14 13:42:41 +0000
commit: db9b7b79894ea71a6c0bcdf9b141cf5de4bacdf2 (patch)
tree: eeca6c44d74c51a0a9309186daa267509fd42455 /sysutils/xenkernel41
parent: 8271ffd73562ed451c9fc6475a196c4085a9cfc8 (diff)
download: pkgsrc-db9b7b79894ea71a6c0bcdf9b141cf5de4bacdf2.tar.gz
8 files changed, 113 insertions, 8 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index e9562416968..f35a2cd4f16 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.14 2012/10/23 19:51:36 asau Exp $
+# $NetBSD: Makefile,v 1.15 2012/11/14 13:42:41 drochner Exp $
 #
 
 VERSION=	4.1.3
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
+PKGREVISION=	1
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 EXTRACT_SUFX=	.tar.gz
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 71f0f48a2a0..3e5cc52e31a 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,10 +1,14 @@
-$NetBSD: distinfo,v 1.10 2012/09/12 11:04:17 drochner Exp $
+$NetBSD: distinfo,v 1.11 2012/11/14 13:42:41 drochner Exp $
 
 SHA1 (xen-4.1.3.tar.gz) = 0f688955262d08fba28361ca338f3ad0c0f53d74
 RMD160 (xen-4.1.3.tar.gz) = a6296a16579fd628a1ff2aa64b6b800e4913eeae
 Size (xen-4.1.3.tar.gz) = 10382132 bytes
 SHA1 (patch-CVE-2012-3494) = 166121ce515aaa2f2e399431be3ca7d2496c79c6
-SHA1 (patch-CVE-2012-3496) = c863d3e951d5aaa5659f9e1f38723f8326b8d8b8
-SHA1 (patch-CVE-2012-3498) = 2bb2b40675de498ae9fcc89ba5267b5be4a2c4c1
+SHA1 (patch-CVE-2012-3496) = 926c171c265836bb79de31546b5814bf1e8b2af3
+SHA1 (patch-CVE-2012-3498) = d3d3eddcb39559381e268ea804d8b1190f0ed582
+SHA1 (patch-CVE-2012-4535_1) = 862155304af023cb10ef62957c2a3dbc569bd40c
+SHA1 (patch-CVE-2012-4535_2) = f38d5b5286278b900e4b1892fd8a4e6da3434e47
+SHA1 (patch-CVE-2012-4538) = 31d3a26556de5e0afc2a9d3c5e75d9d461b795ff
+SHA1 (patch-CVE-2012-4539) = 4fd6a9229aafbe3f451c3d757562bc1068628081
 SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3496 b/sysutils/xenkernel41/patches/patch-CVE-2012-3496
index 3bd7c50a1cf..2a7374d4636 100644
--- a/sysutils/xenkernel41/patches/patch-CVE-2012-3496
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3496
@@ -1,7 +1,10 @@
-$NetBSD: patch-CVE-2012-3496,v 1.1 2012/09/12 11:04:17 drochner Exp $
+$NetBSD: patch-CVE-2012-3496,v 1.2 2012/11/14 13:42:41 drochner Exp $
 
 see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html
 
+fix for CVE-2012-4537 is also here, see
+http://lists.xen.org/archives/html/xen-devel/2012-11/msg00507.html
+
 --- xen/arch/x86/mm/p2m.c.orig	2012-08-10 13:51:45.000000000 +0000
 +++ xen/arch/x86/mm/p2m.c
 @@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(st
@@ -14,3 +17,22 @@ see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html
  
      rc = gfn_check_limit(d, gfn, order);
      if ( rc != 0 )
+@@ -2559,7 +2560,10 @@ guest_physmap_add_entry(struct p2m_domai
+     if ( mfn_valid(_mfn(mfn)) ) 
+     {
+         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
++	{
+             rc = -EINVAL;
++	    goto out; /* Failed to update p2m, bail without updating m2p. */
++	}
+         if ( !p2m_is_grant(t) )
+         {
+             for ( i = 0; i < (1UL << page_order); i++ )
+@@ -2580,6 +2584,7 @@ guest_physmap_add_entry(struct p2m_domai
+         }
+     }
+ 
++out:
+     audit_p2m(p2m, 1);
+     p2m_unlock(p2m);
+ 
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3498 b/sysutils/xenkernel41/patches/patch-CVE-2012-3498
index 66f1622a53c..48287b70b1f 100644
--- a/sysutils/xenkernel41/patches/patch-CVE-2012-3498
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3498
@@ -1,10 +1,12 @@
-$NetBSD: patch-CVE-2012-3498,v 1.1 2012/09/12 11:04:18 drochner Exp $
+$NetBSD: patch-CVE-2012-3498,v 1.2 2012/11/14 13:42:41 drochner Exp $
 
 contains patch for CVE-2012-3495
 see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00187.html
 and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html
+and patch for CVE-2012-4536
+see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00503.html
 
---- xen/arch/x86/physdev.c.orig	2012-09-12 09:41:55.000000000 +0000
+--- xen/arch/x86/physdev.c.orig	2012-08-10 13:51:46.000000000 +0000
 +++ xen/arch/x86/physdev.c
 @@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
          struct hvm_girq_dpci_mapping *girq;
@@ -25,7 +27,18 @@ and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html
              list_for_each_entry ( girq,
                                    &hvm_irq_dpci->girq[map->index],
                                    list )
-@@ -587,11 +594,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+@@ -230,6 +237,10 @@ static int physdev_unmap_pirq(struct phy
+     if ( ret )
+         return ret;
+ 
++    ret = -EINVAL;
++    if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
++	goto free_domain;
++
+     if ( is_hvm_domain(d) )
+     {
+         spin_lock(&d->event_lock);
+@@ -587,11 +598,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
              break;
  
          spin_lock(&d->event_lock);
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4535_1 b/sysutils/xenkernel41/patches/patch-CVE-2012-4535_1
new file mode 100644
index 00000000000..fe56f8550a1
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-4535_1
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2012-4535_1,v 1.1 2012/11/14 13:42:41 drochner Exp $
+
+see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00502.html
+
+--- xen/common/domain.c.orig	2012-08-10 13:51:47.000000000 +0000
++++ xen/common/domain.c
+@@ -871,6 +871,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
+         if ( set.period_ns < MILLISECS(1) )
+             return -EINVAL;
+ 
++	if ( set.period_ns > STIME_DELTA_MAX )
++	    return -EINVAL;
++
+         v->periodic_period = set.period_ns;
+         vcpu_force_reschedule(v);
+ 
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4535_2 b/sysutils/xenkernel41/patches/patch-CVE-2012-4535_2
new file mode 100644
index 00000000000..f39ef4ea77b
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-4535_2
@@ -0,0 +1,13 @@
+$NetBSD: patch-CVE-2012-4535_2,v 1.1 2012/11/14 13:42:41 drochner Exp $
+
+--- xen/include/xen/time.h.orig	2012-08-10 13:51:55.000000000 +0000
++++ xen/include/xen/time.h
+@@ -53,6 +53,8 @@ struct tm gmtime(unsigned long t);
+ #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
+ #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
+ #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
+ 
+ extern void update_vcpu_system_time(struct vcpu *v);
+ extern void update_domain_wallclock_time(struct domain *d);
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4538 b/sysutils/xenkernel41/patches/patch-CVE-2012-4538
new file mode 100644
index 00000000000..961be4326ee
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-4538
@@ -0,0 +1,21 @@
+$NetBSD: patch-CVE-2012-4538,v 1.1 2012/11/14 13:42:41 drochner Exp $
+
+see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00504.html
+
+--- xen/arch/x86/mm/shadow/multi.c.orig	2012-08-10 13:51:46.000000000 +0000
++++ xen/arch/x86/mm/shadow/multi.c
+@@ -4737,8 +4737,12 @@ static void sh_pagetable_dying(struct vc
+     }
+     for ( i = 0; i < 4; i++ )
+     {
+-        if ( fast_path )
+-            smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++        if ( fast_path ) {
++	    if ( pagetable_is_null(v->arch.shadow_table[i]) )
++		smfn = _mfn(INVALID_MFN);
++	    else
++                smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++	}
+         else
+         {
+             /* retrieving the l2s */
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4539 b/sysutils/xenkernel41/patches/patch-CVE-2012-4539
new file mode 100644
index 00000000000..5e809859f23
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-4539
@@ -0,0 +1,15 @@
+$NetBSD: patch-CVE-2012-4539,v 1.1 2012/11/14 13:42:41 drochner Exp $
+
+see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00505.html
+
+--- xen/common/compat/grant_table.c.orig	2012-08-10 13:51:47.000000000 +0000
++++ xen/common/compat/grant_table.c
+@@ -310,6 +310,8 @@ int compat_grant_table_op(unsigned int c
+ #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
+                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
+                     rc = -EFAULT;
++		else
++		    i = 1;
+             }
+             break;
+         }
author	drochner <drochner>	2012-11-14 13:42:41 +0000
committer	drochner <drochner>	2012-11-14 13:42:41 +0000
commit	db9b7b79894ea71a6c0bcdf9b141cf5de4bacdf2 (patch)
tree	eeca6c44d74c51a0a9309186daa267509fd42455 /sysutils/xenkernel41
parent	8271ffd73562ed451c9fc6475a196c4085a9cfc8 (diff)
download	pkgsrc-db9b7b79894ea71a6c0bcdf9b141cf5de4bacdf2.tar.gz