author | bouyer <bouyer@pkgsrc.org> | 2016-01-07 17:55:55 +0000 |
---|---|---|
committer | bouyer <bouyer@pkgsrc.org> | 2016-01-07 17:55:55 +0000 |
commit | e43e1e7db420ae8cc672c1525e9002477b502738 (patch) | |
tree | 544c89aa4607ed75acd5815e59b169c1d42b9c2b /sysutils/xentools41 | |
parent | 29e4ed0480a659884433886f0a678bd99b38c5c5 (diff) | |
download | pkgsrc-e43e1e7db420ae8cc672c1525e9002477b502738.tar.gz |
Apply patches from Xen repository, fixing:
CVE-2015-8339 and CVE-2015-8340 aka XSA-159
XSA-166
CVE-2015-8550 aka XSA-155
CVE-2015-8554 aka XSA-164
Bump pkgrevision
Diffstat (limited to 'sysutils/xentools41')
-rw-r--r-- | sysutils/xentools41/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xentools41/distinfo | 4 | ||||
-rw-r--r-- | sysutils/xentools41/patches/patch-CVE-2015-8550 | 134 | ||||
-rw-r--r-- | sysutils/xentools41/patches/patch-CVE-2015-8554 | 21 |
4 files changed, 160 insertions, 3 deletions
diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile
index dc6674ceefd..001ee91a659 100644
--- a/sysutils/xentools41/Makefile
+++ b/sysutils/xentools41/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.58 2015/12/05 21:26:00 adam Exp $
+# $NetBSD: Makefile,v 1.59 2016/01/07 17:55:55 bouyer Exp $
 #
 # VERSION is set in version.mk as it is shared with other packages
 .include "version.mk"
 
 DISTNAME= xen-${VERSION}
 PKGNAME= xentools41-${VERSION}
-PKGREVISION= 13
+PKGREVISION= 14
 CATEGORIES= sysutils
 
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo
index 5bf0b793002..2ac3ab8dd61 100644
--- a/sysutils/xentools41/distinfo
+++ b/sysutils/xentools41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2015/11/04 01:32:40 agc Exp $
+$NetBSD: distinfo,v 1.41 2016/01/07 17:55:55 bouyer Exp $
 
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -15,6 +15,8 @@ SHA1 (patch-.._Config.mk) = 9b971a41f67bb3974d3a4459bb9d96fbbd636c96
 SHA1 (patch-CVE-2014-1950) = b0d900722fd0f59a50f1e1eda1471105d5b557e5
 SHA1 (patch-CVE-2015-2752) = f9bca0b8744233e20ff97c3e8e2e404522e87f49
 SHA1 (patch-CVE-2015-2756) = 07aaac4bcd0dfc6d708c1823288b9fc789ebd125
+SHA1 (patch-CVE-2015-8550) = dfd72a54d27211c1059579819b9b4c702399a0fc
+SHA1 (patch-CVE-2015-8554) = 7f444009519399038c657fa3e59fd2170f99bb70
 SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada
 SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d
 SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb
diff --git a/sysutils/xentools41/patches/patch-CVE-2015-8550 b/sysutils/xentools41/patches/patch-CVE-2015-8550
new file mode 100644
index 00000000000..739ffba9109
--- /dev/null
+++ b/sysutils/xentools41/patches/patch-CVE-2015-8550
@@ -0,0 +1,134 @@
+$NetBSD: patch-CVE-2015-8550,v 1.1 2016/01/07 17:55:55 bouyer Exp $
+
+patch for CVE-2015-8550 aka XSA-155 from
+http://xenbits.xenproject.org/xsa/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
+http://xenbits.xenproject.org/xsa/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
+http://xenbits.xenproject.org/xsa/xsa155-qemut-qdisk-double-access.patch
+http://xenbits.xenproject.org/xsa/xsa155-qemut-xenfb.patch
+
+--- ../xen/include/public/io/ring.h.orig
++++ ../xen/include/public/io/ring.h
+@@ -212,6 +212,20 @@ typedef struct __name##_back_ring __name##_back_ring_t
+ #define RING_GET_REQUEST(_r, _idx) \
+ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
+
++/*
++ * Get a local copy of a request.
++ *
++ * Use this in preference to RING_GET_REQUEST() so all processing is
++ * done on a local copy that cannot be modified by the other end.
++ *
++ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
++ * to be ineffective where _req is a struct which consists of only bitfields.
++ */
++#define RING_COPY_REQUEST(_r, _idx, _req) do { \
++ /* Use volatile to force the copy into _req. */ \
++ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \
++} while (0)
++
+ #define RING_GET_RESPONSE(_r, _idx) \
+ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
+
+--- blktap2/drivers/block-log.c.orig
++++ blktap2/drivers/block-log.c
+@@ -494,11 +494,12 @@ static int ctl_kick(struct tdlog_state* s, int fd)
+ reqstart = s->bring.req_cons;
+ reqend = s->sring->req_prod;
+
++ xen_mb();
+ BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend);
+
+ while (reqstart != reqend) {
+ /* XXX actually submit these! */
+- memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req));
++ RING_COPY_REQUEST(&s->bring, reqstart, &req);
+ BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count);
+ s->bring.req_cons = ++reqstart;
+
+--- blktap2/drivers/tapdisk-vbd.c.orig
++++ blktap2/drivers/tapdisk-vbd.c
+@@ -1555,7 +1555,7 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd)
+ int idx;
+ RING_IDX rp, rc;
+ td_ring_t *ring;
+- blkif_request_t *req;
++ blkif_request_t req;
+ td_vbd_request_t *vreq;
+
+ ring = &vbd->ring;
+@@ -1566,16 +1566,16 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd)
+ xen_rmb();
+
+ for (rc = ring->fe_ring.req_cons; rc != rp; rc++) {
+- req = RING_GET_REQUEST(&ring->fe_ring, rc);
++ RING_COPY_REQUEST(&ring->fe_ring, rc, &req);
+ ++ring->fe_ring.req_cons;
+
+- idx = req->id;
++ idx = req.id;
+ vreq = &vbd->request_list[idx];
+
+ ASSERT(list_empty(&vreq->next));
+ ASSERT(vreq->secs_pending == 0);
+
+- memcpy(&vreq->req, req, sizeof(blkif_request_t));
++ memcpy(&vreq->req, &req, sizeof(blkif_request_t));
+ vbd->received++;
+ vreq->vbd = vbd;
+
+--- ioemu-qemu-xen/hw/xen_blkif.h.orig
++++ ioemu-qemu-xen/hw/xen_blkif.h
+@@ -79,8 +79,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque
+ dst->handle = src->handle;
+ dst->id = src->id;
+ dst->sector_number = src->sector_number;
+- if (n > src->nr_segments)
+- n = src->nr_segments;
++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
++ xen_mb();
++ if (n > dst->nr_segments)
++ n = dst->nr_segments;
+ for (i = 0; i < n; i++)
+ dst->seg[i] = src->seg[i];
+ }
+@@ -94,8 +96,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque
+ dst->handle = src->handle;
+ dst->id = src->id;
+ dst->sector_number = src->sector_number;
+- if (n > src->nr_segments)
+- n = src->nr_segments;
++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
++ xen_mb();
++ if (n > dst->nr_segments)
++ n = dst->nr_segments;
+ for (i = 0; i < n; i++)
+ dst->seg[i] = src->seg[i];
+ }
+
+--- ioemu-qemu-xen/hw/xenfb.c
++++ ioemu-qemu-xen/hw/xenfb.c
+@@ -827,18 +827,20 @@ static void xenfb_invalidate(void *opaque)
+
+ static void xenfb_handle_events(struct XenFB *xenfb)
+ {
+- uint32_t prod, cons;
++ uint32_t prod, cons, out_cons;
+ struct xenfb_page *page = xenfb->c.page;
+
+ prod = page->out_prod;
+- if (prod == page->out_cons)
++ out_cons = page->out_cons;
++ if (prod == out_cons)
+ return;
+ xen_rmb(); /* ensure we see ring contents up to prod */
+- for (cons = page->out_cons; cons != prod; cons++) {
++ for (cons = out_cons; cons != prod; cons++) {
+ union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
++ uint8_t type = event->type;
+ int x, y, w, h;
+
+- switch (event->type) {
++ switch (type) {
+ case XENFB_TYPE_UPDATE:
+ if (xenfb->up_count == UP_QUEUE)
+ xenfb->up_fullscreen = 1;
diff --git a/sysutils/xentools41/patches/patch-CVE-2015-8554 b/sysutils/xentools41/patches/patch-CVE-2015-8554
new file mode 100644
index 00000000000..9516e638960
--- /dev/null
+++ b/sysutils/xentools41/patches/patch-CVE-2015-8554
@@ -0,0 +1,21 @@
+$NetBSD: patch-CVE-2015-8554,v 1.1 2016/01/07 17:55:55 bouyer Exp $
+
+patch for CVE-2015-8554 aka XSA-164 from
+http://xenbits.xenproject.org/xsa/xsa164.patch
+
+--- ioemu-qemu-xen/hw/pt-msi.c.orig
++++ ioemu-qemu-xen/hw/pt-msi.c
+@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque
+ return;
+ }
+
++ if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 )
++ {
++ PT_LOG("Error: Out of bounds write to MSI-X table,"
++ " addr %016"PRIx64"\n", addr);
++ return;
++ }
++
+ entry_nr = (addr - msix->mmio_base_addr) / 16;
+ entry = &msix->msix_entry[entry_nr];
+ offset = ((addr - msix->mmio_base_addr) % 16) / 4; |
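Review bot: In the tapdisk-vbd.c part of patch-CVE-2015-8550, `idx = req.id` now reads from the local copy, but `vreq = &vbd->request_list[idx]` still indexes with it and no range check is visible in the hunk; the id is supplied by the other end of the ring and `idx` is a plain `int`. A guard before the lookup, for example `if (req.id >= REQUEST_LIST_LEN) { /* reject request */ }` with REQUEST_LIST_LEN standing in as a placeholder for the array's declared length (not shown here), would bound it; the two ASSERTs that follow only help if ASSERT is active in release builds, which cannot be determined from this page. tapdisk_vbd_pull_ring_requests begins and ends outside the hunk, so an existing check elsewhere cannot be ruled out. In the xenfb.c part, `event` still points into the shared page after `type` is snapshotted, so a short comment such as `/* read type once; event still points into guest-shared memory */` would help the next reader.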
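Review bot: The new bound in pci_msix_writel (patch-CVE-2015-8554) is correct only if `addr - msix->mmio_base_addr` is evaluated in an unsigned type, so that an address below the base wraps to a large value and is rejected too; the types of `addr` and `mmio_base_addr` are declared outside the hunk, so that assumption deserves a comment such as `/* unsigned subtraction: addr below mmio_base_addr wraps and is rejected as well */`. The literal 16 now appears three times (the check and the two computations after it); a named constant for the table entry size would keep them in step. PT_LOG on this path fires on a guest-triggered condition, so it is worth confirming that the log sink cannot be flooded.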