Apply upstream patch for XSA-199, XSA-200 and XSA-204.

Bump PKGREVISIONs

3 files changed, 94 insertions, 3 deletions

diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile
index 7ddad223c85..c2d878c5461 100644
--- a/sysutils/xentools45/Makefile
+++ b/sysutils/xentools45/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.40 2016/11/22 20:57:10 bouyer Exp $
+# $NetBSD: Makefile,v 1.41 2016/12/20 10:22:29 bouyer Exp $
 
 VERSION=	4.5.5
-PKGREVISION=	1
+PKGREVISION=	2
 VERSION_IPXE=	9a93db3f0947484e30e753bbd61a10b17336e20e
 
 DISTNAME=		xen-${VERSION}
diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo
index c17f882c45b..c77ad564d8f 100644
--- a/sysutils/xentools45/distinfo
+++ b/sysutils/xentools45/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2016/11/22 20:57:10 bouyer Exp $
+$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -24,6 +24,7 @@ SHA1 (patch-XSA-184) = b9089f29b67d1756e2c4919df30041282cebdfed
 SHA1 (patch-XSA-197-1) = a481196957f8942253cb18e5eef089e491d02652
 SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043
 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7
+SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff --git a/sysutils/xentools45/patches/patch-XSA-199 b/sysutils/xentools45/patches/patch-XSA-199
new file mode 100644
index 00000000000..d91d01cd430
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-199
@@ -0,0 +1,90 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit.  That these functions take 32-bit
+arguments is a mistake.  Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range.  (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values.  Xen will never write >16-bit values but the guest may
+have access to the ioreq ring.  We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke@huawei.com>
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c              | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- qemu-xen-traditional/i386-dm/helper2.c.orig
++++ qemu-xen-traditional/i386-dm/helper2.c
+@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
+ {
+     uint32_t i;
+ 
++    req->addr &= 0x0ffffU;
++
+     if (req->size > sizeof(unsigned long)) {
+         fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+         exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- qemu-xen-traditional/vl.c.orig
++++ qemu-xen-traditional/vl.c
+@@ -52,6 +52,7 @@
+ 
+ #include <xen/hvm/hvm_info_table.h>
+ 
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+ 
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+     static IOPortReadFunc *default_func[3] = {
+         default_ioport_readb,
+         default_ioport_readw,
+         default_ioport_readl
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortReadFunc *func = ioport_read_table[index][address];
+     if (!func)
+         func = default_func[index];
+     return func(ioport_opaque[address], address);
+ }
+ 
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+     static IOPortWriteFunc *default_func[3] = {
+         default_ioport_writeb,
+         default_ioport_writew,
+         default_ioport_writel
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortWriteFunc *func = ioport_write_table[index][address];
+     if (!func)
+         func = default_func[index];
+-- 
+2.1.4