authorbouyer <bouyer@pkgsrc.org>2013-04-19 14:03:51 +0000
committerbouyer <bouyer@pkgsrc.org>2013-04-19 14:03:51 +0000
commit57b0d7af39c143a83d533132777f5440d9eec234 (patch)
tree3b90836edc1429cdf7cef59712632fe8ed857812 /sysutils/xentools41
parent515421134ca9f9b918b1a728be786dec2826e315 (diff)
Add patch from Xen security advisory:
http://lists.xen.org/archives/html/xen-announce/2013-02/msg00005.html
Diffstat (limited to 'sysutils/xentools41')
-rw-r--r--sysutils/xentools41/Makefile4
-rw-r--r--sysutils/xentools41/distinfo6
-rw-r--r--sysutils/xentools41/patches/patch-CVE-2013-0215-130
-rw-r--r--sysutils/xentools41/patches/patch-CVE-2013-0215-247
4 files changed, 82 insertions, 5 deletions
diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile
index 9900e45e7b7..fe971351870 100644
--- a/sysutils/xentools41/Makefile
+++ b/sysutils/xentools41/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.30 2013/04/11 19:57:53 joerg Exp $
+# $NetBSD: Makefile,v 1.31 2013/04/19 14:03:51 bouyer Exp $
#
# VERSION is set in version.mk as it is shared with other packages
.include "version.mk"
DISTNAME= xen-${VERSION}
PKGNAME= xentools41-${VERSION}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo
index 12360ba136e..cc5d8918882 100644
--- a/sysutils/xentools41/distinfo
+++ b/sysutils/xentools41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.27 2013/04/11 19:57:53 joerg Exp $
+$NetBSD: distinfo,v 1.28 2013/04/19 14:03:51 bouyer Exp $
SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -11,6 +11,8 @@ SHA1 (patch-.._.._ipxe_src_core_settings.c) = 240ff973757403b983f12b2cbed826584c
SHA1 (patch-.._.._ipxe_src_net_tls.c) = c0cfbc2ab2b92c659c146601c4f80d58c951ca62
SHA1 (patch-.._Config.mk) = 9b971a41f67bb3974d3a4459bb9d96fbbd636c96
SHA1 (patch-CVE-2012-6075) = 9de84238489875d94245d4f6ce3689629bb318ee
+SHA1 (patch-CVE-2013-0215-1) = 61149c756c6b9314980368cadb09437c64205199
+SHA1 (patch-CVE-2013-0215-2) = 44a86ef7fa85a212fda95e73ef8aefb98af1cc39
SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada
SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d
SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb
@@ -41,9 +43,7 @@ SHA1 (patch-dc) = d860fe3725978227278d58f09e7d5157001e463e
SHA1 (patch-dd) = e66d9cc0028ba922b050fc142862b4095cd018f3
SHA1 (patch-de) = fae94b61a430a1a7dd98c9a6a04e4513824c6d8d
SHA1 (patch-df) = d20bf9d3fd05f5334f77c9154bf0fb9944c1292c
-SHA1 (patch-examples_Makefile) = da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1 (patch-firmware_hvmloader_Makefile) = b2914e4988ba004d45403d67f1580b1f9725d006
-SHA1 (patch-hotplug_common_Makefile) = da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1 (patch-ioemu-qemu-xen_hw_pass-through.c) = 76185c239078f29cb42b953d6c2cd1f59e240989
SHA1 (patch-ioemu-qemu-xen_hw_pass-through.h) = 98c26798d1ad99d3eee8b33deb08f747c958c886
SHA1 (patch-ioemu-qemu-xen_hw_piix4acpi.c) = ca19457e9bde2d844a86a866960ac6de1f3d084c
diff --git a/sysutils/xentools41/patches/patch-CVE-2013-0215-1 b/sysutils/xentools41/patches/patch-CVE-2013-0215-1
new file mode 100644
index 00000000000..937b522831f
--- /dev/null
+++ b/sysutils/xentools41/patches/patch-CVE-2013-0215-1
@@ -0,0 +1,30 @@
+$NetBSD: patch-CVE-2013-0215-1,v 1.1 2013/04/19 14:03:51 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-02/msg00005.html
+
+--- ocaml/libs/xb/partial.ml.orig
++++ ocaml/libs/xb/partial.ml
+@@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size"
+ external header_of_string_internal: string -> int * int * int * int
+ = "stub_header_of_string"
+
++let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
++
+ let of_string s =
+ let tid, rid, opint, dlen = header_of_string_internal s in
++ (* A packet which is bigger than xenstore_payload_max is illegal.
++ This will leave the guest connection is a bad state and will
++ be hard to recover from without restarting the connection
++ (ie rebooting the guest) *)
++ let dlen = min xenstore_payload_max dlen in
+ {
+ tid = tid;
+ rid = rid;
+@@ -38,6 +45,7 @@ let of_string s =
+ }
+
+ let append pkt s sz =
++ if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer";
+ Buffer.add_string pkt.buf (String.sub s 0 sz)
+
+ let to_complete pkt =
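Review bot: The guard added to `append` tests `pkt.len`, the declared length that `of_string` in this same patch already clamps with `min xenstore_payload_max dlen`, so for packets built by `of_string` the condition looks like it can never hold and the amount actually buffered stays unchecked. Bounding the accumulated size would make the check effective, for example `if Buffer.length pkt.buf + sz > xenstore_payload_max then failwith "Buffer.add: cannot grow buffer";`, which also replaces the literal 4096 with the constant defined a few lines above. The record construction falls between the two inner hunks and is only partly visible, so confirm that `len` is assigned from the clamped `dlen` before relying on this reading. The new comment also has a typo: "is a bad state" should read "in a bad state".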
diff --git a/sysutils/xentools41/patches/patch-CVE-2013-0215-2 b/sysutils/xentools41/patches/patch-CVE-2013-0215-2
new file mode 100644
index 00000000000..c24c8135bb6
--- /dev/null
+++ b/sysutils/xentools41/patches/patch-CVE-2013-0215-2
@@ -0,0 +1,47 @@
+$NetBSD: patch-CVE-2013-0215-2,v 1.1 2013/04/19 14:03:52 bouyer Exp $
+
+http://lists.xen.org/archives/html/xen-announce/2013-02/msg00005.html
+
+--- ocaml/libs/xb/xs_ring_stubs.c.orig
++++ ocaml/libs/xb/xs_ring_stubs.c
+@@ -39,21 +39,23 @@ static int xs_ring_read(struct mmap_interface *interface,
+ char *buffer, int len)
+ {
+ struct xenstore_domain_interface *intf = interface->addr;
+- XENSTORE_RING_IDX cons, prod;
++ XENSTORE_RING_IDX cons, prod; /* offsets only */
+ int to_read;
+
+- cons = intf->req_cons;
+- prod = intf->req_prod;
++ cons = *(volatile uint32*)&intf->req_cons;
++ prod = *(volatile uint32*)&intf->req_prod;
+ xen_mb();
+ if (prod == cons)
+ return 0;
+- if (MASK_XENSTORE_IDX(prod) > MASK_XENSTORE_IDX(cons))
++ cons = MASK_XENSTORE_IDX(cons);
++ prod = MASK_XENSTORE_IDX(prod);
++ if (prod > cons)
+ to_read = prod - cons;
+ else
+- to_read = XENSTORE_RING_SIZE - MASK_XENSTORE_IDX(cons);
++ to_read = XENSTORE_RING_SIZE - cons;
+ if (to_read < len)
+ len = to_read;
+- memcpy(buffer, intf->req + MASK_XENSTORE_IDX(cons), len);
++ memcpy(buffer, intf->req + cons, len);
+ xen_mb();
+ intf->req_cons += len;
+ return len;
+@@ -66,8 +68,8 @@ static int xs_ring_write(struct mmap_interface *interface,
+ XENSTORE_RING_IDX cons, prod;
+ int can_write;
+
+- cons = intf->rsp_cons;
+- prod = intf->rsp_prod;
++ cons = *(volatile uint32*)&intf->rsp_cons;
++ prod = *(volatile uint32*)&intf->rsp_prod;
+ xen_mb();
+ if ( (prod - cons) >= XENSTORE_RING_SIZE )
+ return 0;
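Review bot: `xs_ring_read` now masks `cons` and `prod` before the `memcpy`, which keeps the copy inside `intf->req`, but it never rejects an index pair whose distance exceeds the ring size, so an inconsistent `req_prod` written by the peer makes the function hand back stale ring bytes as if they were request data. A check on the unmasked snapshot, placed before the two masking lines, such as `if ((prod - cons) > XENSTORE_RING_SIZE) return -1;`, would surface that as an error; how the caller treats a negative return is not visible here and needs confirming. The casts also spell the type as `uint32` while the variables are declared `XENSTORE_RING_IDX`; writing `*(volatile XENSTORE_RING_IDX *)&intf->req_cons` keeps the cast and the variable type in sync. The same applies to the `rsp_cons`/`rsp_prod` reads in `xs_ring_write`, whose body continues past the end of this hunk.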