diff options
author | bouyer <bouyer> | 2016-12-20 10:22:28 +0000 |
---|---|---|
committer | bouyer <bouyer> | 2016-12-20 10:22:28 +0000 |
commit | 8ee93ce6998ddec4ad0dd3852a2a12a86767c384 (patch) | |
tree | 607b1c16ac76ad8e35d84b1626fdcef45eb3d7c8 /sysutils/xentools45 | |
parent | 80c9bd6567a8bc9da68685ebf36cb61542944701 (diff) | |
download | pkgsrc-8ee93ce6998ddec4ad0dd3852a2a12a86767c384.tar.gz |
Apply upstream patch for XSA-199, XSA-200 and XSA-204.
Bump PKGREVISIONs
Diffstat (limited to 'sysutils/xentools45')
-rw-r--r-- | sysutils/xentools45/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xentools45/distinfo | 3 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-199 | 90 |
3 files changed, 94 insertions, 3 deletions
diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile index 7ddad223c85..c2d878c5461 100644 --- a/sysutils/xentools45/Makefile +++ b/sysutils/xentools45/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.40 2016/11/22 20:57:10 bouyer Exp $ +# $NetBSD: Makefile,v 1.41 2016/12/20 10:22:29 bouyer Exp $ VERSION= 4.5.5 -PKGREVISION= 1 +PKGREVISION= 2 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo index c17f882c45b..c77ad564d8f 100644 --- a/sysutils/xentools45/distinfo +++ b/sysutils/xentools45/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.28 2016/11/22 20:57:10 bouyer Exp $ +$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 @@ -24,6 +24,7 @@ SHA1 (patch-XSA-184) = b9089f29b67d1756e2c4919df30041282cebdfed SHA1 (patch-XSA-197-1) = a481196957f8942253cb18e5eef089e491d02652 SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7 +SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f diff --git a/sysutils/xentools45/patches/patch-XSA-199 b/sysutils/xentools45/patches/patch-XSA-199 new file mode 100644 index 00000000000..d91d01cd430 --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-199 @@ -0,0 +1,90 @@ +$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $ + +From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Mon, 14 Nov 2016 17:19:46 +0000 +Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit + addresses + +On x86, ioport addresses are 16-bit. That these functions take 32-bit +arguments is a mistake. Changing the argument type to 16-bit will +discard the top bits of any erroneous values from elsewhere in qemu. + +Also, check just before use that the value is in range. (This turns +an ill-advised change to MAX_IOPORTS into a possible guest crash +rather than a privilege escalation vulnerability.) + +And, in the Xen ioreq processor, clamp incoming ioport addresses to +16-bit values. Xen will never write >16-bit values but the guest may +have access to the ioreq ring. We want to defend the rest of the qemu +code from wrong values. + +This is XSA-199. + +Reported-by: yanghongke <yanghongke@huawei.com> +Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> +--- + i386-dm/helper2.c | 2 ++ + vl.c | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c +index 2706f2e..5d276bb 100644 +--- qemu-xen-traditional/i386-dm/helper2.c.orig ++++ qemu-xen-traditional/i386-dm/helper2.c +@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req) + { + uint32_t i; + ++ req->addr &= 0x0ffffU; ++ + if (req->size > sizeof(unsigned long)) { + fprintf(stderr, "PIO: bad size (%u)\n", req->size); + exit(-1); +diff --git a/vl.c b/vl.c +index f9c4d7e..c3c5d63 100644 +--- qemu-xen-traditional/vl.c.orig ++++ qemu-xen-traditional/vl.c +@@ -52,6 +52,7 @@ + + #include <xen/hvm/hvm_info_table.h> + ++#include <assert.h> + #include <unistd.h> + #include <fcntl.h> + #include <signal.h> +@@ -290,26 +291,30 @@ PicState2 *isa_pic; + static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl; + static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel; + +-static uint32_t ioport_read(int index, uint32_t address) ++static uint32_t ioport_read(int index, uint16_t address) + { + static IOPortReadFunc *default_func[3] = { + default_ioport_readb, + default_ioport_readw, + default_ioport_readl + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortReadFunc *func = ioport_read_table[index][address]; + if (!func) + func = default_func[index]; + return func(ioport_opaque[address], address); + } + +-static void ioport_write(int index, uint32_t address, uint32_t data) ++static void ioport_write(int index, uint16_t address, uint32_t data) + { + static IOPortWriteFunc *default_func[3] = { + default_ioport_writeb, + default_ioport_writew, + default_ioport_writel + }; ++ if (address >= MAX_IOPORTS) ++ abort(); + IOPortWriteFunc *func = ioport_write_table[index][address]; + if (!func) + func = default_func[index]; +-- +2.1.4 |