diff options
| author | bouyer <bouyer@pkgsrc.org> | 2016-01-08 13:24:29 +0000 |
|---|---|---|
| committer | bouyer <bouyer@pkgsrc.org> | 2016-01-08 13:24:29 +0000 |
| commit | e64c9f3500375eee333b5ab8cb93245812b3fcc2 (patch) | |
| tree | 1f25dff9376714ef714a22ee931abd1ea2630133 /sysutils/xentools45 | |
| parent | 4db8a23be7d15f4010e1c683ae83b3efcdaaada3 (diff) | |
| download | pkgsrc-e64c9f3500375eee333b5ab8cb93245812b3fcc2.tar.gz | |
Update xenkernel45 and xentools45 to 4.5.2.
Changes since 4.5.1 includes security fixes (most of which were already in
our local patches) and bug fixes. The complete list of changes
is there:
http://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-452.html
Diffstat (limited to 'sysutils/xentools45')
| -rw-r--r-- | sysutils/xentools45/Makefile | 6 | ||||
| -rw-r--r-- | sysutils/xentools45/distinfo | 15 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-XSA135 | 139 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-XSA137 | 175 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-XSA138 | 175 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-XSA139 | 28 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-XSA140 | 433 |
7 files changed, 8 insertions, 963 deletions
diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile index ea8a0bc3ed4..0d4d5ac777c 100644 --- a/sysutils/xentools45/Makefile +++ b/sysutils/xentools45/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.23 2016/01/07 17:48:34 bouyer Exp $ +# $NetBSD: Makefile,v 1.24 2016/01/08 13:24:29 bouyer Exp $ -VERSION= 4.5.1 +VERSION= 4.5.2 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} PKGNAME= xentools45-${VERSION} -PKGREVISION= 9 +#PKGREVISION= 0 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo index 589abbf50bf..c5c4c236b2d 100644 --- a/sysutils/xentools45/distinfo +++ b/sysutils/xentools45/distinfo @@ -1,13 +1,13 @@ -$NetBSD: distinfo,v 1.15 2016/01/07 17:48:34 bouyer Exp $ +$NetBSD: distinfo,v 1.16 2016/01/08 13:24:29 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 SHA512 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes -SHA1 (xen-4.5.1.tar.gz) = f10328ce63625a5a7bfa3af5899c4432a467c051 -RMD160 (xen-4.5.1.tar.gz) = 4c449d799e041a52a94c00ee43a8c28fd4af1b96 -SHA512 (xen-4.5.1.tar.gz) = 9436243e26bc64bc836a179abdc3a6b1b6fa9d3f2170453092c18be71fa62e18cd4465a9154c0f28a7ac8d69d08361ba1defef240a51197f058c012c3855ba04 -Size (xen-4.5.1.tar.gz) = 18410400 bytes +SHA1 (xen-4.5.2.tar.gz) = c764589afc817aee4a5df5fa5dc2c7b8ab79508b +RMD160 (xen-4.5.2.tar.gz) = 953f81cd175b3cb9f591ce21d3c838ecb8e6a780 +SHA512 (xen-4.5.2.tar.gz) = e0ce01a5356c254bfde48fae0b0e005c42c1615a7ccf4c1ba7dcf90784777b53995e9a9ae4575e3f19ef341014b34cb8c06e39d68be359f7fd69830501a144dd +Size (xen-4.5.2.tar.gz) = 18416220 bytes SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762 SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005 @@ -22,11 +22,6 @@ SHA1 (patch-CVE-2015-8550) = 27f9214b9df78e04ec30e8ca56970c5b1d5dc50d SHA1 (patch-CVE-2015-8554) = 908783cf619fc130d5a107ba2c4997fca0f0da88 SHA1 (patch-Makefile) = eb5d3211b26c5f10a24fcca658c83d5f60990d9f SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50 -SHA1 (patch-XSA135) = c27b9c495d7348864e9939f54574e3afc37a816a -SHA1 (patch-XSA137) = 3e65d46768eb3a09dd44c2d78e1760070718cb79 -SHA1 (patch-XSA138) = ef04f40621073b1e936dfeb3711c6e9ae2a896c2 -SHA1 (patch-XSA139) = 3b86a578c86f5a3ecb127dede4bccf51d6bc7687 -SHA1 (patch-XSA140) = 55ef4eb9c4d09ac327f9600ac7553e92b9cd0624 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 SHA1 (patch-configure) = d1a1b9c9e00dd79bb872190282006201510ce2c1 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f diff --git a/sysutils/xentools45/patches/patch-XSA135 b/sysutils/xentools45/patches/patch-XSA135 deleted file mode 100644 index d859e64ce14..00000000000 --- a/sysutils/xentools45/patches/patch-XSA135 +++ /dev/null @@ -1,139 +0,0 @@ -$NetBSD: patch-XSA135,v 1.1 2015/06/23 17:45:33 bouyer Exp $ - -pcnet: fix Negative array index read - -From: Gonglei <arei.gonglei@huawei.com> - -s->xmit_pos maybe assigned to a negative value (-1), -but in this branch variable s->xmit_pos as an index to -array s->buffer. Let's add a check for s->xmit_pos. - -upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b - -Signed-off-by: Gonglei <arei.gonglei@huawei.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Reviewed-by: Jason Wang <jasowang@redhat.com> -Reviewed-by: Jason Wang <jasowang@redhat.com> -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> - -diff --git a/hw/pcnet.c b/hw/pcnet.c -index 7cc0637..9f3e1cc 100644 ---- qemu-xen-traditional/hw/pcnet.c.orig -+++ qemu-xen-traditional/hw/pcnet.c -@@ -1250,7 +1250,7 @@ static void pcnet_transmit(PCNetState *s) - target_phys_addr_t xmit_cxda = 0; - int count = CSR_XMTRL(s)-1; - int add_crc = 0; -- -+ int bcnt; - s->xmit_pos = -1; - - if (!CSR_TXON(s)) { -@@ -1276,34 +1276,39 @@ static void pcnet_transmit(PCNetState *s) - if (BCR_SWSTYLE(s) != 1) - add_crc = GET_FIELD(tmd.status, TMDS, ADDFCS); - } -+ -+ if (s->xmit_pos < 0) { -+ goto txdone; -+ } -+ -+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -+ s->xmit_pos += bcnt; -+ - if (!GET_FIELD(tmd.status, TMDS, ENP)) { -- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -- s->xmit_pos += bcnt; -- } else if (s->xmit_pos >= 0) { -- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), -- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); -- s->xmit_pos += bcnt; -+ goto txdone; -+ } - #ifdef PCNET_DEBUG -- printf("pcnet_transmit size=%d\n", s->xmit_pos); -+ printf("pcnet_transmit size=%d\n", s->xmit_pos); - #endif -- if (CSR_LOOP(s)) { -- if (BCR_SWSTYLE(s) == 1) -- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); -- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -- pcnet_receive(s, s->buffer, s->xmit_pos); -- s->looptest = 0; -- } else -- if (s->vc) -- qemu_send_packet(s->vc, s->buffer, s->xmit_pos); -- -- s->csr[0] &= ~0x0008; /* clear TDMD */ -- s->csr[4] |= 0x0004; /* set TXSTRT */ -- s->xmit_pos = -1; -+ if (CSR_LOOP(s)) { -+ if (BCR_SWSTYLE(s) == 1) -+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); -+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -+ pcnet_receive(s, s->buffer, s->xmit_pos); -+ s->looptest = 0; -+ } else { -+ if (s->vc) { -+ qemu_send_packet(s->vc, s->buffer, s->xmit_pos); -+ } - } - -+ s->csr[0] &= ~0x0008; /* clear TDMD */ -+ s->csr[4] |= 0x0004; /* set TXSTRT */ -+ s->xmit_pos = -1; -+ -+ txdone: - SET_FIELD(&tmd.status, TMDS, OWN, 0); - TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s))); - if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT))) -From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Sun, 24 May 2015 10:53:44 +0200 -Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx - -4096 is the maximum length per TMD and it is also currently the size of -the relay buffer pcnet driver uses for sending the packet data to QEMU -for further processing. With packet spanning multiple TMDs it can -happen that the overall packet size will be bigger than sizeof(buffer), -which results in memory corruption. - -Fix this by only allowing to queue maximum sizeof(buffer) bytes. - -This is CVE-2015-3209. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reported-by: Matt Tait <matttait@google.com> -Reviewed-by: Peter Maydell <peter.maydell@linaro.org> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/pcnet.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/pcnet.c b/hw/pcnet.c -index bdfd38f..6d32e4c 100644 ---- qemu-xen-traditional/hw/pcnet.c.orig -+++ qemu-xen-traditional/hw/pcnet.c -@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) - } - - bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ -+ /* if multi-tmd packet outsizes s->buffer then skip it silently. -+ Note: this is not what real hw does */ -+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { -+ s->xmit_pos = -1; -+ goto txdone; -+ } -+ - s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), - s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); - s->xmit_pos += bcnt; --- -2.1.0 - diff --git a/sysutils/xentools45/patches/patch-XSA137 b/sysutils/xentools45/patches/patch-XSA137 deleted file mode 100644 index d36320e12d9..00000000000 --- a/sysutils/xentools45/patches/patch-XSA137 +++ /dev/null @@ -1,175 +0,0 @@ -$NetBSD: patch-XSA137,v 1.1 2015/08/23 17:02:58 spz Exp $ - -patch for CVE-2015-3259 aka XSA-137 from: -http://xenbits.xen.org/xsa/xsa137.patch - ---- libxl/xl_cmdimpl.c.orig 2015-06-22 13:41:35.000000000 +0000 -+++ libxl/xl_cmdimpl.c -@@ -151,7 +151,7 @@ struct domain_create { - int console_autoconnect; - int checkpointed_stream; - const char *config_file; -- const char *extra_config; /* extra config string */ -+ char *extra_config; /* extra config string */ - const char *restore_file; - int migrate_fd; /* -1 means none */ - char **migration_domname_r; /* from malloc */ -@@ -4570,11 +4570,25 @@ int main_vm_list(int argc, char **argv) - return 0; - } - -+static void string_realloc_append(char **accumulate, const char *more) -+{ -+ /* Appends more to accumulate. Accumulate is either NULL, or -+ * points (always) to a malloc'd nul-terminated string. */ -+ -+ size_t oldlen = *accumulate ? strlen(*accumulate) : 0; -+ size_t morelen = strlen(more) + 1/*nul*/; -+ if (oldlen > SSIZE_MAX || morelen > SSIZE_MAX - oldlen) { -+ fprintf(stderr,"Additional config data far too large\n"); -+ exit(-ERROR_FAIL); -+ } -+ -+ *accumulate = xrealloc(*accumulate, oldlen + morelen); -+ memcpy(*accumulate + oldlen, more, morelen); -+} -+ - int main_create(int argc, char **argv) - { - const char *filename = NULL; -- char *p; -- char extra_config[1024]; - struct domain_create dom_info; - int paused = 0, debug = 0, daemonize = 1, console_autoconnect = 0, - quiet = 0, monitor = 1, vnc = 0, vncautopass = 0; -@@ -4589,6 +4603,8 @@ int main_create(int argc, char **argv) - {0, 0, 0, 0} - }; - -+ dom_info.extra_config = NULL; -+ - if (argv[1] && argv[1][0] != '-' && !strchr(argv[1], '=')) { - filename = argv[1]; - argc--; argv++; -@@ -4628,20 +4644,21 @@ int main_create(int argc, char **argv) - break; - } - -- extra_config[0] = '\0'; -- for (p = extra_config; optind < argc; optind++) { -+ memset(&dom_info, 0, sizeof(dom_info)); -+ -+ for (; optind < argc; optind++) { - if (strchr(argv[optind], '=') != NULL) { -- p += snprintf(p, sizeof(extra_config) - (p - extra_config), -- "%s\n", argv[optind]); -+ string_realloc_append(&dom_info.extra_config, argv[optind]); -+ string_realloc_append(&dom_info.extra_config, "\n"); - } else if (!filename) { - filename = argv[optind]; - } else { - help("create"); -+ free(dom_info.extra_config); - return 2; - } - } - -- memset(&dom_info, 0, sizeof(dom_info)); - dom_info.debug = debug; - dom_info.daemonize = daemonize; - dom_info.monitor = monitor; -@@ -4649,16 +4666,18 @@ int main_create(int argc, char **argv) - dom_info.dryrun = dryrun_only; - dom_info.quiet = quiet; - dom_info.config_file = filename; -- dom_info.extra_config = extra_config; - dom_info.migrate_fd = -1; - dom_info.vnc = vnc; - dom_info.vncautopass = vncautopass; - dom_info.console_autoconnect = console_autoconnect; - - rc = create_domain(&dom_info); -- if (rc < 0) -+ if (rc < 0) { -+ free(dom_info.extra_config); - return -rc; -+ } - -+ free(dom_info.extra_config); - return 0; - } - -@@ -4666,8 +4685,7 @@ int main_config_update(int argc, char ** - { - uint32_t domid; - const char *filename = NULL; -- char *p; -- char extra_config[1024]; -+ char *extra_config = NULL; - void *config_data = 0; - int config_len = 0; - libxl_domain_config d_config; -@@ -4705,15 +4723,15 @@ int main_config_update(int argc, char ** - break; - } - -- extra_config[0] = '\0'; -- for (p = extra_config; optind < argc; optind++) { -+ for (; optind < argc; optind++) { - if (strchr(argv[optind], '=') != NULL) { -- p += snprintf(p, sizeof(extra_config) - (p - extra_config), -- "%s\n", argv[optind]); -+ string_realloc_append(&extra_config, argv[optind]); -+ string_realloc_append(&extra_config, "\n"); - } else if (!filename) { - filename = argv[optind]; - } else { - help("create"); -+ free(extra_config); - return 2; - } - } -@@ -4722,7 +4740,8 @@ int main_config_update(int argc, char ** - rc = libxl_read_file_contents(ctx, filename, - &config_data, &config_len); - if (rc) { fprintf(stderr, "Failed to read config file: %s: %s\n", -- filename, strerror(errno)); return ERROR_FAIL; } -+ filename, strerror(errno)); -+ free(extra_config); return ERROR_FAIL; } - if (strlen(extra_config)) { - if (config_len > INT_MAX - (strlen(extra_config) + 2 + 1)) { - fprintf(stderr, "Failed to attach extra configration\n"); -@@ -4763,7 +4782,7 @@ int main_config_update(int argc, char ** - libxl_domain_config_dispose(&d_config); - - free(config_data); -- -+ free(extra_config); - return 0; - } - -@@ -7020,7 +7039,7 @@ int main_cpupoolcreate(int argc, char ** - { - const char *filename = NULL, *config_src=NULL; - const char *p; -- char extra_config[1024]; -+ char *extra_config = NULL; - int opt; - static struct option opts[] = { - {"defconfig", 1, 0, 'f'}, -@@ -7054,13 +7073,10 @@ int main_cpupoolcreate(int argc, char ** - break; - } - -- memset(extra_config, 0, sizeof(extra_config)); - while (optind < argc) { - if ((p = strchr(argv[optind], '='))) { -- if (strlen(extra_config) + 1 + strlen(argv[optind]) < sizeof(extra_config)) { -- strcat(extra_config, "\n"); -- strcat(extra_config, argv[optind]); -- } -+ string_realloc_append(&extra_config, "\n"); -+ string_realloc_append(&extra_config, argv[optind]); - } else if (!filename) { - filename = argv[optind]; - } else { diff --git a/sysutils/xentools45/patches/patch-XSA138 b/sysutils/xentools45/patches/patch-XSA138 deleted file mode 100644 index 196066a7bd0..00000000000 --- a/sysutils/xentools45/patches/patch-XSA138 +++ /dev/null @@ -1,175 +0,0 @@ -$NetBSD: patch-XSA138,v 1.1 2015/08/23 17:02:58 spz Exp $ - -patch for CVE-2015-5154 from XSA-138 from -http://xenbits.xen.org/xsa/xsa138-qemut-1.patch -http://xenbits.xen.org/xsa/xsa138-qemut-2.patch -http://xenbits.xen.org/xsa/xsa138-qemuu-1.patch -http://xenbits.xen.org/xsa/xsa138-qemuu-2.patch -http://xenbits.xen.org/xsa/xsa138-qemuu-3.patch - ---- qemu-xen/hw/ide/core.c.orig 2015-06-10 11:43:51.000000000 +0000 -+++ qemu-xen/hw/ide/core.c -@@ -1901,11 +1901,17 @@ void ide_data_writew(void *opaque, uint3 - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -1922,11 +1928,17 @@ uint32_t ide_data_readw(void *opaque, ui - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -1943,11 +1955,17 @@ void ide_data_writel(void *opaque, uint3 - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -1964,11 +1982,17 @@ uint32_t ide_data_readl(void *opaque, ui - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - ---- qemu-xen/hw/ide/atapi.c.orig 2015-06-10 11:43:51.000000000 +0000 -+++ qemu-xen/hw/ide/atapi.c -@@ -879,6 +879,7 @@ static void cmd_start_stop_unit(IDEState - - if (pwrcnd) { - /* eject/load only happens for power condition == 0 */ -+ ide_atapi_cmd_ok(s); - return; - } - ---- qemu-xen-traditional/hw/ide.c.orig 2015-08-23 15:08:13.000000000 +0000 -+++ qemu-xen-traditional/hw/ide.c -@@ -3006,11 +3006,17 @@ static void ide_data_writew(void *opaque - buffered_pio_write(s, addr, 2); - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - static uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -3025,11 +3031,17 @@ static uint32_t ide_data_readw(void *opa - buffered_pio_read(s, addr, 2); - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -3044,11 +3056,17 @@ static void ide_data_writel(void *opaque - buffered_pio_write(s, addr, 4); - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - static uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -3063,11 +3081,17 @@ static uint32_t ide_data_readl(void *opa - buffered_pio_read(s, addr, 4); - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - diff --git a/sysutils/xentools45/patches/patch-XSA139 b/sysutils/xentools45/patches/patch-XSA139 deleted file mode 100644 index ffff15d5cdd..00000000000 --- a/sysutils/xentools45/patches/patch-XSA139 +++ /dev/null @@ -1,28 +0,0 @@ -$NetBSD: patch-XSA139,v 1.1 2015/08/23 17:02:58 spz Exp $ - -patch for CVE-2015-5166 aka XSA-139 from -http://xenbits.xen.org/xsa/xsa139-qemuu-4.5.patch - ---- qemu-xen/hw/ide/piix.c.orig 2015-06-10 11:43:51.000000000 +0000 -+++ qemu-xen/hw/ide/piix.c -@@ -172,6 +172,7 @@ int pci_piix3_xen_ide_unplug(DeviceState - PCIIDEState *pci_ide; - DriveInfo *di; - int i = 0; -+ IDEDevice *idedev; - - pci_ide = PCI_IDE(dev); - -@@ -184,6 +185,12 @@ int pci_piix3_xen_ide_unplug(DeviceState - } - bdrv_close(di->bdrv); - pci_ide->bus[di->bus].ifs[di->unit].bs = NULL; -+ if (!(i % 2)) { -+ idedev = pci_ide->bus[di->bus].master; -+ } else { -+ idedev = pci_ide->bus[di->bus].slave; -+ } -+ idedev->conf.bs = NULL; - drive_put_ref(di); - } - } diff --git a/sysutils/xentools45/patches/patch-XSA140 b/sysutils/xentools45/patches/patch-XSA140 deleted file mode 100644 index 64199e48c3e..00000000000 --- a/sysutils/xentools45/patches/patch-XSA140 +++ /dev/null @@ -1,433 +0,0 @@ -$NetBSD: patch-XSA140,v 1.1 2015/08/23 17:02:58 spz Exp $ - -patch for CVE-2015-5165 aka XSA-140 from -http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-1.patch -http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-2.patch -http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-3.patch -http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-4.patch -http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-5.patch -http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-6.patch -http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-7.patch - ---- qemu-xen/hw/net/rtl8139.c.orig 2015-06-10 11:43:51.000000000 +0000 -+++ qemu-xen/hw/net/rtl8139.c -@@ -2161,6 +2161,11 @@ static int rtl8139_cplus_transmit_one(RT - { - DPRINTF("+++ C+ mode offloaded task checksum\n"); - -+ /* Large enough for Ethernet and IP headers? */ -+ if (saved_size < ETH_HLEN + sizeof(ip_header)) { -+ goto skip_offload; -+ } -+ - /* ip packet header */ - ip_header *ip = NULL; - int hlen = 0; -@@ -2171,223 +2176,235 @@ static int rtl8139_cplus_transmit_one(RT - size_t eth_payload_len = 0; - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); -- if (proto == ETH_P_IP) -+ if (proto != ETH_P_IP) - { -- DPRINTF("+++ C+ mode has IP packet\n"); -+ goto skip_offload; -+ } - -- /* not aligned */ -- eth_payload_data = saved_buffer + ETH_HLEN; -- eth_payload_len = saved_size - ETH_HLEN; -- -- ip = (ip_header*)eth_payload_data; -- -- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -- DPRINTF("+++ C+ mode packet has bad IP version %d " -- "expected %d\n", IP_HEADER_VERSION(ip), -- IP_HEADER_VERSION_4); -- ip = NULL; -- } else { -- hlen = IP_HEADER_LENGTH(ip); -- ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -- } -+ DPRINTF("+++ C+ mode has IP packet\n"); -+ -+ /* not aligned */ -+ eth_payload_data = saved_buffer + ETH_HLEN; -+ eth_payload_len = saved_size - ETH_HLEN; -+ -+ ip = (ip_header*)eth_payload_data; -+ -+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -+ DPRINTF("+++ C+ mode packet has bad IP version %d " -+ "expected %d\n", IP_HEADER_VERSION(ip), -+ IP_HEADER_VERSION_4); -+ goto skip_offload; -+ } -+ -+ hlen = IP_HEADER_LENGTH(ip); -+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) { -+ goto skip_offload; - } - -- if (ip) -+ ip_protocol = ip->ip_p; -+ -+ ip_data_len = be16_to_cpu(ip->ip_len); -+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) { -+ goto skip_offload; -+ } -+ ip_data_len -= hlen; -+ -+ if (txdw0 & CP_TX_IPCS) - { -- if (txdw0 & CP_TX_IPCS) -- { -- DPRINTF("+++ C+ mode need IP checksum\n"); -+ DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); -+ } -+ -+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ { -+ /* Large enough for the TCP header? */ -+ if (ip_data_len < sizeof(tcp_header)) { -+ goto skip_offload; - } - -- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -- { -- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; -+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - -- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -- "frame data %d specified MSS=%d\n", ETH_MTU, -- ip_data_len, saved_size - ETH_HLEN, large_send_mss); -+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -+ "frame data %d specified MSS=%d\n", ETH_MTU, -+ ip_data_len, saved_size - ETH_HLEN, large_send_mss); - -- int tcp_send_offset = 0; -- int send_count = 0; -+ int tcp_send_offset = 0; -+ int send_count = 0; - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; - -- /* save IP header template; data area is used in tcp checksum calculation */ -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* save IP header template; data area is used in tcp checksum calculation */ -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- /* a placeholder for checksum calculation routine in tcp case */ -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ /* a placeholder for checksum calculation routine in tcp case */ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- /* pointer to TCP header */ -- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); -+ /* pointer to TCP header */ -+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - -- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); -+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -- /* ETH_MTU = ip header len + tcp header len + payload */ -- int tcp_data_len = ip_data_len - tcp_hlen; -- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; -+ /* Invalid TCP data offset? */ -+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) { -+ goto skip_offload; -+ } - -- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -- "data len %d TCP chunk size %d\n", ip_data_len, -- tcp_hlen, tcp_data_len, tcp_chunk_size); -+ /* ETH_MTU = ip header len + tcp header len + payload */ -+ int tcp_data_len = ip_data_len - tcp_hlen; -+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; - -- /* note the cycle below overwrites IP header data, -- but restores it from saved_ip_header before sending packet */ -+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -+ "data len %d TCP chunk size %d\n", ip_data_len, -+ tcp_hlen, tcp_data_len, tcp_chunk_size); - -- int is_last_frame = 0; -+ /* note the cycle below overwrites IP header data, -+ but restores it from saved_ip_header before sending packet */ - -- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) -- { -- uint16_t chunk_size = tcp_chunk_size; -+ int is_last_frame = 0; - -- /* check if this is the last frame */ -- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -- { -- is_last_frame = 1; -- chunk_size = tcp_data_len - tcp_send_offset; -- } -- -- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -- be32_to_cpu(p_tcp_hdr->th_seq)); -- -- /* add 4 TCP pseudoheader fields */ -- /* copy IP source and destination fields */ -- memcpy(data_to_checksum, saved_ip_header + 12, 8); -- -- DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -- "packet with %d bytes data\n", tcp_hlen + -- chunk_size); -- -- if (tcp_send_offset) -- { -- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -- } -- -- /* keep PUSH and FIN flags only for the last frame */ -- if (!is_last_frame) -- { -- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -- } -- -- /* recalculate TCP checksum */ -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -- -- p_tcp_hdr->th_sum = 0; -- -- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -- tcp_checksum); -- -- p_tcp_hdr->th_sum = tcp_checksum; -- -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -- -- /* set IP data length and recalculate IP checksum */ -- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); -- -- /* increment IP id for subsequent frames */ -- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); -- -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(eth_payload_data, hlen); -- DPRINTF("+++ C+ mode TSO IP header len=%d " -- "checksum=%04x\n", hlen, ip->ip_sum); -- -- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -- DPRINTF("+++ C+ mode TSO transferring packet size " -- "%d\n", tso_send_size); -- rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -- 0, (uint8_t *) dot1q_buffer); -- -- /* add transferred count to TCP sequence number */ -- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -- ++send_count; -- } -- -- /* Stop sending this frame */ -- saved_size = 0; -- } -- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) - { -- DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ uint16_t chunk_size = tcp_chunk_size; - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* check if this is the last frame */ -+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -+ { -+ is_last_frame = 1; -+ chunk_size = tcp_data_len - tcp_send_offset; -+ } - -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -+ be32_to_cpu(p_tcp_hdr->th_seq)); - - /* add 4 TCP pseudoheader fields */ - /* copy IP source and destination fields */ - memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -+ "packet with %d bytes data\n", tcp_hlen + -+ chunk_size); -+ -+ if (tcp_send_offset) -+ { -+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -+ } -+ -+ /* keep PUSH and FIN flags only for the last frame */ -+ if (!is_last_frame) - { -- DPRINTF("+++ C+ mode calculating TCP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -+ } - -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* recalculate TCP checksum */ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -+ -+ p_tcp_hdr->th_sum = 0; -+ -+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -+ tcp_checksum); - -- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ p_tcp_hdr->th_sum = tcp_checksum; - -- p_tcp_hdr->th_sum = 0; -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - -- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode TCP checksum %04x\n", -- tcp_checksum); -+ /* set IP data length and recalculate IP checksum */ -+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); - -- p_tcp_hdr->th_sum = tcp_checksum; -- } -- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -- { -- DPRINTF("+++ C+ mode calculating UDP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ /* increment IP id for subsequent frames */ -+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); - -- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_udpip_hdr->zeros = 0; -- p_udpip_hdr->ip_proto = IP_PROTO_UDP; -- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(eth_payload_data, hlen); -+ DPRINTF("+++ C+ mode TSO IP header len=%d " -+ "checksum=%04x\n", hlen, ip->ip_sum); -+ -+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -+ DPRINTF("+++ C+ mode TSO transferring packet size " -+ "%d\n", tso_send_size); -+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -+ 0, (uint8_t *) dot1q_buffer); -+ -+ /* add transferred count to TCP sequence number */ -+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -+ ++send_count; -+ } - -- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ /* Stop sending this frame */ -+ saved_size = 0; -+ } -+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ { -+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); - -- p_udp_hdr->uh_sum = 0; -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode UDP checksum %04x\n", -- udp_checksum); -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- p_udp_hdr->uh_sum = udp_checksum; -- } -+ /* add 4 TCP pseudoheader fields */ -+ /* copy IP source and destination fields */ -+ memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ { -+ DPRINTF("+++ C+ mode calculating TCP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ -+ p_tcp_hdr->th_sum = 0; -+ -+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode TCP checksum %04x\n", -+ tcp_checksum); -+ -+ p_tcp_hdr->th_sum = tcp_checksum; - } -+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -+ { -+ DPRINTF("+++ C+ mode calculating UDP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_udpip_hdr->zeros = 0; -+ p_udpip_hdr->ip_proto = IP_PROTO_UDP; -+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ -+ p_udp_hdr->uh_sum = 0; -+ -+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode UDP checksum %04x\n", -+ udp_checksum); -+ -+ p_udp_hdr->uh_sum = udp_checksum; -+ } -+ -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - } - } - -+skip_offload: - /* update tally counter */ - ++s->tally_counters.TxOk; - |