Apply upstream patch for XSA-199, XSA-200 and XSA-204.

Bump PKGREVISIONs

4 files changed, 133 insertions, 3 deletions

diff --git a/sysutils/xenkernel46/Makefile b/sysutils/xenkernel46/Makefile
index 9d8f9145605..90f2eae8c87 100644
--- a/sysutils/xenkernel46/Makefile
+++ b/sysutils/xenkernel46/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $
+# $NetBSD: Makefile,v 1.5 2016/12/20 10:22:28 bouyer Exp $
 
 VERSION=	4.6.3
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel46-${VERSION}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xenkernel46/distinfo b/sysutils/xenkernel46/distinfo
index 9f27eae0420..7f29e20354d 100644
--- a/sysutils/xenkernel46/distinfo
+++ b/sysutils/xenkernel46/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2016/11/22 20:59:01 bouyer Exp $
+$NetBSD: distinfo,v 1.4 2016/12/20 10:22:28 bouyer Exp $
 
 SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349
 RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
@@ -16,6 +16,8 @@ SHA1 (patch-XSA-193) = 89fdeea8af25de42bbd207df1b2f3dcd3b61778f
 SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
 SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
 SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
+SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874
+SHA1 (patch-XSA-204) = 05defb8d99976a712024d35a81f4dde5627107d9
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
diff --git a/sysutils/xenkernel46/patches/patch-XSA-200 b/sysutils/xenkernel46/patches/patch-XSA-200
new file mode 100644
index 00000000000..ac0612764bc
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-200
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+         goto fail;
+     printf("okay\n");
+ 
++    printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++    instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++    res[0]      = 0x12345678;
++    res[1]      = 0x87654321;
++    regs.eflags = 0x200;
++    regs.eip    = (unsigned long)&instr[0];
++    regs.edi    = (unsigned long)res;
++    rc = x86_emulate(&ctxt, &emulops);
++    if ( (rc != X86EMUL_OKAY) ||
++         (res[0] != 0x12345678) ||
++         (res[1] != 0x87654321) ||
++         (regs.eax != 0x12345678) ||
++         (regs.edx != 0x87654321) ||
++         ((regs.eflags&0x240) != 0x200) ||
++         (regs.eip != (unsigned long)&instr[4]) )
++        goto fail;
++    printf("okay\n");
++
+     printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+     instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+     regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4739,8 +4739,12 @@ x86_emulate(
+         generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+         generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+         if ( op_bytes == 8 )
++        {
+             vcpu_must_have_cx16();
+-        op_bytes *= 2;
++            op_bytes = 16;
++        }
++        else
++            op_bytes = 8;
+ 
+         /* Get actual old value. */
+         if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes,
diff --git a/sysutils/xenkernel46/patches/patch-XSA-204 b/sysutils/xenkernel46/patches/patch-XSA-204
new file mode 100644
index 00000000000..804423de01e
--- /dev/null
+++ b/sysutils/xenkernel46/patches/patch-XSA-204
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index bca7045..abe442e 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1582,6 +1582,7 @@ x86_emulate(
+     union vex vex = {};
+     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+     bool_t lock_prefix = 0;
++    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+     int override_seg = -1, rc = X86EMUL_OKAY;
+     struct operand src = { .reg = REG_POISON };
+     struct operand dst = { .reg = REG_POISON };
+@@ -3910,9 +3911,8 @@ x86_emulate(
+     }
+ 
+  no_writeback:
+-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+-         (ops->inject_hw_exception != NULL) )
++    /* Should a singlestep #DB be raised? */
++    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ 
+     /* Commit shadow register state. */
+@@ -4143,6 +4143,23 @@ x86_emulate(
+              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+             goto done;
+ 
++        /*
++         * SYSCALL (unlike most instructions) evaluates its singlestep action
++         * based on the resulting EFLG_TF, not the starting EFLG_TF.
++         *
++         * As the #DB is raised after the CPL change and before the OS can
++         * switch stack, it is a large risk for privilege escalation.
++         *
++         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++         * vulnerability.  Running the #DB handler on an IST stack is also a
++         * mitigation.
++         *
++         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
++         * mitigation is to use a task gate for handling #DB (or to not use
++         * enable EFER.SCE to start with).
++         */
++        tf = !!(_regs.eflags & EFLG_TF);
++
+         break;
+     }
+