Apply upstream patches for:

XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
XSA-186: x86: Mishandling of instruction pointer truncation during emulation
XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
bump PKGREVISION

7 files changed, 349 insertions, 3 deletions

diff --git a/sysutils/xenkernel46/Makefile b/sysutils/xenkernel46/Makefile
index 7f338c29121..edc0e2f8eec 100644
--- a/sysutils/xenkernel46/Makefile
+++ b/sysutils/xenkernel46/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.2 2016/07/09 13:04:08 wiz Exp $
+# $NetBSD: Makefile,v 1.3 2016/09/08 15:44:07 bouyer Exp $
 
 VERSION=	4.6.3
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel46-${VERSION}
-#PKGREVISION=	0
+PKGREVISION=	1
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xenkernel46/distinfo b/sysutils/xenkernel46/distinfo
index 9f44bb411f4..e6ca9517145 100644
--- a/sysutils/xenkernel46/distinfo
+++ b/sysutils/xenkernel46/distinfo
@@ -1,10 +1,15 @@
-$NetBSD: distinfo,v 1.1.1.1 2016/07/04 07:25:13 jnemeth Exp $
+$NetBSD: distinfo,v 1.2 2016/09/08 15:44:07 bouyer Exp $
 
 SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349
 RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
 SHA512 (xen-4.6.3.tar.gz) = 187a860b40c05139f22b8498a5fae1db173c3110d957147af29a56cb83b7111c9dc4946d65f9dffc847001fc01c5e9bf51886eaa1194bb9cfd0b6dbcd43a2c5c
 Size (xen-4.6.3.tar.gz) = 19707041 bytes
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
+SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019
+SHA1 (patch-XSA-186-1) = 71e4a6c4c683891bac50682a3ab69a204fb681ad
+SHA1 (patch-XSA-186-2) = 6094c2efe468e3f31712659be9a71af2cbe8dc1f
+SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56
+SHA1 (patch-XSA-187-2) = f5308fee03a5d73c8aa283eb82cc36a6a3d3bc06
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
diff --git a/sysutils/xenkernel46/patches/patch-XSA-185 b/sysutils/xenkernel46/patches/patch-XSA-185
new file mode 100644
index 00000000000..2b9b23171e7
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-185
@@ -0,0 +1,37 @@
+$NetBSD: patch-XSA-185,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Mon, 8 Aug 2016 10:58:12 +0100
+Subject: x86/32on64: don't allow recursive page tables from L3
+
+L3 entries are special in PAE mode, and hence can't reasonably be used
+for setting up recursive (and hence linear) page table mappings. Since
+abuse is possible when the guest in fact gets run on 4-level page
+tables, this needs to be excluded explicitly.
+
+This is XSA-185.
+
+Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
+Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+---
+ xen/arch/x86/mm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 109b8be..69b8b8d 100644
+--- xen/arch/x86/mm.c.orig
++++ xen/arch/x86/mm.c
+@@ -1122,7 +1122,9 @@ get_page_from_l3e(
+ 
+     rc = get_page_and_type_from_pagenr(
+         l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
+-    if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
++    if ( unlikely(rc == -EINVAL) &&
++         !is_pv_32bit_domain(d) &&
++         get_l3_linear_pagetable(l3e, pfn, d) )
+         rc = 0;
+ 
+     return rc;
diff --git a/sysutils/xenkernel46/patches/patch-XSA-186-1 b/sysutils/xenkernel46/patches/patch-XSA-186-1
new file mode 100644
index 00000000000..9459fadbf19
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-186-1
@@ -0,0 +1,43 @@
+$NetBSD: patch-XSA-186-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
+
+The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
+rdtsc, but isn't really an instruction prefix.  It behaves as a break-out into
+Xen, with the purpose of emulating the next instruction in the current state.
+
+It is important to be able to test legal situations which occur in real
+hardware, including instruction which cross certain boundaries, and
+instructions starting at 0.
+
+Reported-by: Brian Marcotte <marcotte@panix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/arch/x86/hvm/svm/svm.c.orig
++++ xen/arch/x86/hvm/svm/svm.c
+@@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru
+         {
+             regs->eip += sizeof(sig);
+             regs->eflags &= ~X86_EFLAGS_RF;
++
++            /* Zero the upper 32 bits of %rip if not in long mode. */
++            if ( svm_guest_x86_mode(current) != 8 )
++                regs->eip = regs->_eip;
+         }
+     }
+ 
+--- xen/arch/x86/hvm/vmx/vmx.c.orig
++++ xen/arch/x86/hvm/vmx/vmx.c
+@@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru
+         {
+             regs->eip += sizeof(sig);
+             regs->eflags &= ~X86_EFLAGS_RF;
++
++            /* Zero the upper 32 bits of %rip if not in long mode. */
++            if ( vmx_guest_x86_mode(current) != 8 )
++                regs->eip = regs->_eip;
+         }
+     }
+ 
diff --git a/sysutils/xenkernel46/patches/patch-XSA-186-2 b/sysutils/xenkernel46/patches/patch-XSA-186-2
new file mode 100644
index 00000000000..52ca53aa4d2
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-186-2
@@ -0,0 +1,73 @@
+From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 22 Jul 2016 16:02:54 +0000
+Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
+ instructions
+
+This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
+
+Experimentally, in long mode processors will execute an instruction stream
+which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
+boundary is aligned on the virtual boundary, or is misaligned.
+
+In compatibility mode, Intel processors will execute an instruction stream
+which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
+segmentation fault.  Xen's segmentation behaviour matches AMD.
+
+For 16bit code, hardware does not ever truncated %ip.  %eip is always used and
+behaves normally as a 32bit register, including in 16bit protected mode
+segments, as well as in Real and Unreal mode.
+
+This is XSA-186
+
+Reported-by: Brian Marcotte <marcotte@panix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index d5a56cf..bf3529a 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1570,10 +1570,6 @@ x86_emulate(
+ #endif
+     }
+ 
+-    /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
+-    if ( def_ad_bytes < sizeof(_regs.eip) )
+-        _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
+-
+     /* Prefix bytes. */
+     for ( ; ; )
+     {
+@@ -3906,21 +3902,11 @@ x86_emulate(
+ 
+     /* Commit shadow register state. */
+     _regs.eflags &= ~EFLG_RF;
+-    switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
+-    {
+-        uint16_t ip;
+ 
+-    case 2:
+-        ip = _regs.eip;
+-        _regs.eip = ctxt->regs->eip;
+-        *(uint16_t *)&_regs.eip = ip;
+-        break;
+-#ifdef __x86_64__
+-    case 4:
+-        _regs.rip = _regs._eip;
+-        break;
+-#endif
+-    }
++    /* Zero the upper 32 bits of %rip if not in long mode. */
++    if ( def_ad_bytes < sizeof(_regs.eip) )
++        _regs.eip = (uint32_t)_regs.eip;
++
+     *ctxt->regs = _regs;
+ 
+  done:
+-- 
+2.1.4
+
diff --git a/sysutils/xenkernel46/patches/patch-XSA-187-1 b/sysutils/xenkernel46/patches/patch-XSA-187-1
new file mode 100644
index 00000000000..9cbe734120e
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-187-1
@@ -0,0 +1,44 @@
+$NetBSD: patch-XSA-187-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
+
+hvm_get_seg_reg() does not perform a range check on its input segment, calls
+hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
+
+x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
+in {vmx,svm}_get_segment_register().
+
+HVM guests running with shadow paging can end up performing a virtual to
+linear translation with x86_seg_none.  This is used for addresses which are
+already linear.  However, none of this is a legitimate pagetable update, so
+fail the emulation in such a case.
+
+This is XSA-187
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- xen/arch/x86/mm/shadow/common.c.orig
++++ xen/arch/x86/mm/shadow/common.c
+@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
+     struct sh_emulate_ctxt *sh_ctxt,
+     unsigned long *paddr)
+ {
+-    struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
++    struct segment_register *reg;
+     int okay;
+ 
++    /*
++     * Can arrive here with non-user segments.  However, no such cirucmstance
++     * is part of a legitimate pagetable update, so fail the emulation.
++     */
++    if ( !is_x86_user_segment(seg) )
++        return X86EMUL_UNHANDLEABLE;
++
++    reg = hvm_get_seg_reg(seg, sh_ctxt);
++
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+ 
diff --git a/sysutils/xenkernel46/patches/patch-XSA-187-2 b/sysutils/xenkernel46/patches/patch-XSA-187-2
new file mode 100644
index 00000000000..c9d59e88051
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-187-2
@@ -0,0 +1,144 @@
+$NetBSD: patch-XSA-187-2,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
+
+HVM HAP codepaths have space for all segment registers in the seg_reg[]
+cache (with x86_seg_none still risking an array overrun), while the shadow
+codepaths only have space for the user segments.
+
+Range check the input segment of *_get_seg_reg() against the size of the array
+used to cache the results, to avoid overruns in the case that the callers
+don't filter their input suitably.
+
+Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
+an incomplete attempt at range checking, and are now superceeded.  Make
+hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
+
+No functional change, but far easier to reason that no overflow is possible.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/arch/x86/hvm/emulate.c.orig
++++ xen/arch/x86/hvm/emulate.c
+@@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear(
+                            ? 1 : 4096);
+ 
+     reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
+     {
+@@ -1360,6 +1362,10 @@ static int hvmemul_read_segment(
+     struct hvm_emulate_ctxt *hvmemul_ctxt =
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(reg, sreg, sizeof(struct segment_register));
+     return X86EMUL_OKAY;
+ }
+@@ -1373,6 +1379,9 @@ static int hvmemul_write_segment(
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
+ 
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(sreg, reg, sizeof(struct segment_register));
+     __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
+ 
+@@ -1911,10 +1920,17 @@ void hvm_emulate_writeback(
+     }
+ }
+ 
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvmemul_get_seg_reg(
+     enum x86_segment seg,
+     struct hvm_emulate_ctxt *hvmemul_ctxt)
+ {
++    if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
+     if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
+         hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
+     return &hvmemul_ctxt->seg_reg[seg];
+--- xen/arch/x86/mm/shadow/common.c.orig
++++ xen/arch/x86/mm/shadow/common.c
+@@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init);
+ /* x86 emulator support for the shadow code
+  */
+ 
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvm_get_seg_reg(
+     enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
+ {
+-    struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
++    struct segment_register *seg_reg;
++
++    if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
++    seg_reg = &sh_ctxt->seg_reg[seg];
+     if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
+         hvm_get_segment_register(current, seg, seg_reg);
+     return seg_reg;
+@@ -145,14 +154,9 @@ static int hvm_translate_linear_addr(
+     struct segment_register *reg;
+     int okay;
+ 
+-    /*
+-     * Can arrive here with non-user segments.  However, no such cirucmstance
+-     * is part of a legitimate pagetable update, so fail the emulation.
+-     */
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     reg = hvm_get_seg_reg(seg, sh_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+@@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg,
+     unsigned long addr;
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     /* How many emulations could we save if we unshadowed on stack writes? */
+     if ( seg == x86_seg_ss )
+         perfc_incr(shadow_fault_emulate_stack);
+@@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
+     unsigned long addr, old[2], new[2];
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     rc = hvm_translate_linear_addr(
+         seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
+     if ( rc )
+--- xen/include/asm-x86/hvm/emulate.h.orig
++++ xen/include/asm-x86/hvm/emulate.h
+@@ -13,6 +13,7 @@
+ #define __ASM_X86_HVM_EMULATE_H__
+ 
+ #include <xen/config.h>
++#include <xen/err.h>
+ #include <asm/hvm/hvm.h>
+ #include <asm/x86_emulate.h>
+