diff options
| author | bouyer <bouyer> | 2015-06-23 17:45:33 +0000 |
|---|---|---|
| committer | bouyer <bouyer> | 2015-06-23 17:45:33 +0000 |
| commit | 92f477bc00b28419b0fa4990c69e63a64172a071 (patch) | |
| tree | 08584c12a9e19bf647a9388c0f6a5cb9b0c80e3f /sysutils/xentools45 | |
| parent | 65e19b493cb30657a7220d59d310bcc381ff7dd4 (diff) | |
| download | pkgsrc-92f477bc00b28419b0fa4990c69e63a64172a071.tar.gz | |
Upgrade xenkernel45 and xentools45 to 4.5.1.
Note that the patch for XSA135 for qemu-traditional, which was
no applied to the 4.5 branch before the release due to an oversight,
is applied here (xentools45/patches/patch-XSA135).
Selected entries from the relase notes:
a246727: cpupool: fix shutdown with cpupools with different schedulers [Dario Faggioli]
5b2f480: libelf: fix elf_parse_bsdsyms call [Roger Pau Monné]
8faef24: VT-d: extend quirks to newer desktop chipsets [Jan Beulich]
24fcf17: x86/VPMU: add lost Intel processor [Alan Robinson]
131889c: x86/crash: don't use set_fixmap() in the crash path [Andrew Cooper]
8791a30: x86/apic: Disable the LAPIC later in smp_send_stop() [Andrew Cooper]
fbd26f2: x86/pvh: disable posted interrupts [Roger Pau Monné]
0d8cbca: libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap. [Konrad Rzeszutek Wilk]
bf06e40: libxl: event handling: ao_inprogress does waits while reports outstanding [Ian Jackson]
97051bd: libxl: event handling: Break out ao_work_outstanding [Ian Jackson]
0bc9f98: x86/traps: loop in the correct direction in compat_iret() [Andrew Cooper]
fcfbdb4: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling [Jan Beulich]
09f76cb: cpupools: avoid crashing if shutting down with free CPUs [Dario Faggioli]
f237ee4: cpupool: assigning a CPU to a pool can fail [Dario Faggioli]
b986072: xen: common: Use unbounded array for symbols_offset. [Ian Campbell]
5eac1be: x86/irq: limit the maximum number of domain PIRQs [Andrew Cooper]
9c3d34d: x86: don't unconditionally touch the hvm_domain union during domain construction [Andrew Cooper]
9d5b2b0: tools/xenconsoled: Increase file descriptor limit [Andrew Cooper]
cfc4c43: ocaml/xenctrl: Fix stub_xc_readconsolering() [Andrew Cooper]
032673c: ocaml/xenctrl: Make failwith_xc() thread safe [Andrew Cooper]
c91ed88: ocaml/xenctrl: Check return values from hypercalls [Andrew Cooper]
fa62913: libxl: Domain destroy: fork [Ian Jackson]
c9b13f3: libxl: Domain destroy: unlock userdata earlier [Ian Jackson]
0b19348: libxl: In domain death search, start search at first domid we want [Ian Jackson]
ddfe333: x86: don't change affinity with interrupt unmasked [Jan Beulich]
bf30232: x86: don't clear high 32 bits of RAX on sub-word guest I/O port reads [Jan Beulich]
a824bf9: x86_emulate: fix EFLAGS setting of CMPXCHG emulation [Eugene Korenevsky]
f653b7f: x86/hvm: implicitly disable an ioreq server when it is destroyed [Paul Durrant]
8dbdcc3: x86/hvm: actually release ioreq server pages [Paul Durrant]
56fe488: x86/hvm: fix the unknown nested vmexit reason 80000021 bug [Liang Li]
4a52101: VT-d: improve fault info logging [Jan Beulich]
5a7c042: x86/MSI: fix error handling [Jan Beulich]
51d8325: LZ4 : fix the data abort issue [JeHyeon Yeon]
0327c93: hvmloader: don't treat ROM BAR like other BARs [Jan Beulich]
f2e08aa: domctl/sysctl: don't leak hypervisor stack to toolstacks [Andrew Cooper]
3771b5a: arm64: fix fls() [Jan Beulich]
9246d2e: domctl: don't allow a toolstack domain to call domain_pause() on itself [Andrew Cooper]
f5bca81: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) [Konrad Rzeszutek Wilk]
7fe1c1b: x86: don't apply reboot quirks if reboot set by user [Ross Lagerwall]
969df12: Revert "cpupools: update domU's node-affinity on the cpupool_unassign_cpu() path" [Jan Beulich]
483c6cd: honor MEMF_no_refcount in alloc_heap_pages() [Jan Beulich]
6616c4d: tools: libxl: Explicitly disable graphics backends on qemu cmdline [Ian Campbell]
d0b141e: x86/tboot: invalidate FIX_TBOOT_MAP_ADDRESS mapping after use [Jan Beulich]
902998e: x86emul: fully ignore segment override for register-only operations [Jan Beulich]
25c6ee8: pre-fill structures for certain HYPERVISOR_xen_version sub-ops [Aaron Adams]
7ef0364: x86/HVM: return all ones on wrong-sized reads of system device I/O ports [Jan Beulich]
3665563: tools/libxc: Don't leave scratch_pfn uninitialised if the domain has no memory [Andrew Cooper]
75ac8cf: x86/nmi: fix shootdown of pcpus running in VMX non-root mode [Andrew Cooper]
1e44c92: x86/hvm: explicitly mark ioreq server pages dirty [Paul Durrant]
2bfef90: x86/hvm: wait for at least one ioreq server to be enabled [Paul Durrant]
d976397: x86/VPMU: disable when NMI watchdog is on [Boris Ostrovsky]
84f2484: libxc: introduce a per architecture scratch pfn for temporary grant mapping [Julien Grall]
6302c61: Install libxlutil.h [Jim Fehlig]
d8e78d6: bunzip2: off by one in get_next_block() [Dan Carpenter]
8a855b3: docs/commandline: correct information for 'x2apic_phys' parameter [Andrew Cooper]
3a777be: x86: vcpu_destroy_pagetables() must not return -EINTR [Konrad Rzeszutek Wilk]
1acb3b6: handle XENMEM_get_vnumainfo in compat_memory_op [Wei Liu]
4eec09f: x86: correctly check for sub-leaf zero of leaf 7 in pv_cpuid() [Jan Beulich]
7788cbb: x86: don't expose XSAVES capability to PV guests [Jan Beulich]
4cfc54b: xsm/evtchn: never pretend to have successfully created a Xen event channel [Andrew Cooper]
2fdd521: common/memory: fix an XSM error path [Jan Beulich]
ad83ad9: x86emul: tighten CLFLUSH emulation [Jan Beulich]
1928318: dt-uart: use ':' as separator between path and options [Ian Campbell]
9ae1853: libxl: Don't ignore error when we fail to give access to ioport/irq/iomem [Julien Grall]
In addition, this release also contains the following fixes to qemu-traditional:
afaa35b: ... by default. Add a per-device "permissive" mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). [Jan Beulich]
3cff7ad: Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. [Jan Beulich]
ec61b93: The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). [Jan Beulich]
37c77b8: xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read- only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). [Jan Beulich]
2dc4059: This is just to avoid having to adjust that calculation later in multiple places. [Jan Beulich]
29d9566: xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). [Jan Beulich]
2e19270: There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write() is being retained in order to allow later patches to be less intrusive. [Jan Beulich]
751d20d: Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). [Jan Beulich]
51f3b5b: ... to avoid allowing the guest to cause the control domain's disk to fill. [Jan Beulich]
7f99bb9: It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. [Jan Beulich]
6fc82bf: The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. [Jan Beulich]
e42b84c: fdc: force the fifo access to be in bounds of the allocated buffer [Petr Matousek]
62e4158: xen: limit guest control of PCI command register [Jan Beulich]
3499745: cirrus: fix an uninitialized variable [Jan Beulich]
This release also contains the security fixes for XSA-117 to XSA-136, with the exception of XSA-124 which documents security risks of non-standard PCI device functionality that cannot be addressed in software. It also includes an update to XSA-98 and XSA-59.
Diffstat (limited to 'sysutils/xentools45')
| -rw-r--r-- | sysutils/xentools45/Makefile | 5 | ||||
| -rw-r--r-- | sysutils/xentools45/PLIST | 3 | ||||
| -rw-r--r-- | sysutils/xentools45/distinfo | 15 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-CVE-2015-2152 | 42 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-CVE-2015-2752 | 72 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-CVE-2015-2756 | 260 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-CVE-2015-3456 | 131 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-XSA135 | 139 | ||||
| -rw-r--r-- | sysutils/xentools45/patches/patch-libxl_Makefile | 8 |
9 files changed, 153 insertions, 522 deletions
diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile index c7e90abf23f..55a52ac00bc 100644 --- a/sysutils/xentools45/Makefile +++ b/sysutils/xentools45/Makefile @@ -1,11 +1,10 @@ -# $NetBSD: Makefile,v 1.9 2015/06/12 10:51:19 wiz Exp $ +# $NetBSD: Makefile,v 1.10 2015/06/23 17:45:33 bouyer Exp $ -VERSION= 4.5.0 +VERSION= 4.5.1 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} PKGNAME= xentools45-${VERSION} -PKGREVISION= 6 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools45/PLIST b/sysutils/xentools45/PLIST index b12be33ab47..1ca47558b48 100644 --- a/sysutils/xentools45/PLIST +++ b/sysutils/xentools45/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.1 2015/01/20 16:42:13 bouyer Exp $ +@comment $NetBSD: PLIST,v 1.2 2015/06/23 17:45:33 bouyer Exp $ bin/pygrub bin/qemu-img-xen bin/xen-detect @@ -28,6 +28,7 @@ include/libxl_event.h include/libxl_json.h include/libxl_utils.h include/libxl_uuid.h +include/libxlutil.h include/xen/COPYING include/xen/arch-arm.h include/xen/arch-arm/hvm/save.h diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo index d2a4dd2d9b7..500c72ae99d 100644 --- a/sysutils/xentools45/distinfo +++ b/sysutils/xentools45/distinfo @@ -1,11 +1,11 @@ -$NetBSD: distinfo,v 1.8 2015/06/11 17:43:58 bouyer Exp $ +$NetBSD: distinfo,v 1.9 2015/06/23 17:45:33 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes -SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637 -RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45 -Size (xen-4.5.0.tar.gz) = 18404933 bytes +SHA1 (xen-4.5.1.tar.gz) = f10328ce63625a5a7bfa3af5899c4432a467c051 +RMD160 (xen-4.5.1.tar.gz) = 4c449d799e041a52a94c00ee43a8c28fd4af1b96 +Size (xen-4.5.1.tar.gz) = 18410400 bytes SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762 SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005 @@ -15,12 +15,9 @@ SHA1 (patch-.._docs_man_xl.cfg.pod.5) = e2058495b6fe85af338e22560d46996d36aeedab SHA1 (patch-.._docs_man_xl.conf.pod.5) = 015da24a45388468d56f1ecfa60f6acf07bdfef8 SHA1 (patch-.._docs_man_xl.pod.1) = b194f2c5608c6f0e80a4abd8655808cf91355cd5 SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736a4663b2 -SHA1 (patch-CVE-2015-2152) = 5a1cabf330b3a1bd902adf2b33dd5c4c32b8ab9d -SHA1 (patch-CVE-2015-2752) = 85bcb80dab938b85da3342e7001d95bacf7f49e5 -SHA1 (patch-CVE-2015-2756) = 350cfd57a77d90997b81c7186e320bb52fb62d75 -SHA1 (patch-CVE-2015-3456) = 268b4dcb47bdf760e146b81184022e46d8a9d2d7 SHA1 (patch-Makefile) = 5d5b9678ed9764275ee95f49d24e8538a0e8a01c SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50 +SHA1 (patch-XSA135) = c27b9c495d7348864e9939f54574e3afc37a816a SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 SHA1 (patch-configure) = d1a1b9c9e00dd79bb872190282006201510ce2c1 SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff @@ -35,7 +32,7 @@ SHA1 (patch-include_xen-sys_NetBSD_gntdev.h) = b1f60f46e606b7591d68d98655d1cb29d SHA1 (patch-libfsimage_common_Makefile) = 9c80a669805ba2e1f224985c71ca976fbe60e8b5 SHA1 (patch-libfsimage_ufs_ufs.h) = ce1461ab83499edb4e127e3b7af9dfc1e9c0267f SHA1 (patch-libxc_xc__netbsd.c) = 547a713bbe9ddc92ee51b57a7b58a619f01225f1 -SHA1 (patch-libxl_Makefile) = 5b5dede29e5d9c579cdd7d6497f692ecf3a3c2cb +SHA1 (patch-libxl_Makefile) = 16abc9e74855dacbeff40ad1010876dd80230977 SHA1 (patch-libxl_libxl__create.c) = d4c94e9a389e9a7601513460f31c82e4f4bf28c9 SHA1 (patch-libxl_libxl__save__helper.c) = 70e5237e28bea1aa87486e080fc25aa81300a6d8 SHA1 (patch-libxl_libxl_uuid.c) = d14286be8ccdbcb5fae544a1968e7b681b63e884 diff --git a/sysutils/xentools45/patches/patch-CVE-2015-2152 b/sysutils/xentools45/patches/patch-CVE-2015-2152 deleted file mode 100644 index 57e042091c6..00000000000 --- a/sysutils/xentools45/patches/patch-CVE-2015-2152 +++ /dev/null @@ -1,42 +0,0 @@ -$NetBSD: patch-CVE-2015-2152,v 1.1 2015/03/13 10:27:49 spz Exp $ - -xsa119-unstable.patch from upstream. -XSA-119 is "HVM qemu unexpectedly enabling emulated VGA graphics backends" - ---- libxl/libxl_dm.c.orig 2015-01-12 16:53:24.000000000 +0000 -+++ libxl/libxl_dm.c -@@ -180,7 +180,14 @@ static char ** libxl__build_device_model - if (libxl_defbool_val(vnc->findunused)) { - flexarray_append(dm_args, "-vncunused"); - } -- } -+ } else -+ /* -+ * VNC is not enabled by default by qemu-xen-traditional, -+ * however passing -vnc none causes SDL to not be -+ * (unexpectedly) enabled by default. This is overridden by -+ * explicitly passing -sdl below as required. -+ */ -+ flexarray_append_pair(dm_args, "-vnc", "none"); - - if (sdl) { - flexarray_append(dm_args, "-sdl"); -@@ -513,7 +520,17 @@ static char ** libxl__build_device_model - } - - flexarray_append(dm_args, vncarg); -- } -+ } else -+ /* -+ * Ensure that by default no vnc server is created. -+ */ -+ flexarray_append_pair(dm_args, "-vnc", "none"); -+ -+ /* -+ * Ensure that by default no display backend is created. Further -+ * options given below might then enable more. -+ */ -+ flexarray_append_pair(dm_args, "-display", "none"); - - if (sdl) { - flexarray_append(dm_args, "-sdl"); diff --git a/sysutils/xentools45/patches/patch-CVE-2015-2752 b/sysutils/xentools45/patches/patch-CVE-2015-2752 deleted file mode 100644 index 1aaa13fef77..00000000000 --- a/sysutils/xentools45/patches/patch-CVE-2015-2752 +++ /dev/null @@ -1,72 +0,0 @@ -$NetBSD: patch-CVE-2015-2752,v 1.1 2015/04/19 13:13:21 spz Exp $ - -Patch for CVE-2015-2752 aka XSA-125 from -http://xenbits.xenproject.org/xsa/xsa125-4.2.patch - ---- libxc/xc_domain.c.orig 2015-01-12 16:53:24.000000000 +0000 -+++ libxc/xc_domain.c -@@ -1992,6 +1992,8 @@ int xc_domain_memory_mapping( - { - DECLARE_DOMCTL; - xc_dominfo_t info; -+ int ret = 0, err; -+ unsigned long done = 0, nr, max_batch_sz; - - if ( xc_domain_getinfo(xch, domid, 1, &info) != 1 || - info.domid != domid ) -@@ -2002,14 +2004,50 @@ int xc_domain_memory_mapping( - if ( !xc_core_arch_auto_translated_physmap(&info) ) - return 0; - -+ if ( !nr_mfns ) -+ return 0; -+ - domctl.cmd = XEN_DOMCTL_memory_mapping; - domctl.domain = domid; -- domctl.u.memory_mapping.first_gfn = first_gfn; -- domctl.u.memory_mapping.first_mfn = first_mfn; -- domctl.u.memory_mapping.nr_mfns = nr_mfns; - domctl.u.memory_mapping.add_mapping = add_mapping; -+ max_batch_sz = nr_mfns; -+ do -+ { -+ nr = min(nr_mfns - done, max_batch_sz); -+ domctl.u.memory_mapping.nr_mfns = nr; -+ domctl.u.memory_mapping.first_gfn = first_gfn + done; -+ domctl.u.memory_mapping.first_mfn = first_mfn + done; -+ err = do_domctl(xch, &domctl); -+ if ( err && errno == E2BIG ) -+ { -+ if ( max_batch_sz <= 1 ) -+ break; -+ max_batch_sz >>= 1; -+ continue; -+ } -+ /* Save the first error... */ -+ if ( !ret ) -+ ret = err; -+ /* .. and ignore the rest of them when removing. */ -+ if ( err && add_mapping != DPCI_REMOVE_MAPPING ) -+ break; -+ -+ done += nr; -+ } while ( done < nr_mfns ); -+ -+ /* -+ * Undo what we have done unless unmapping, by unmapping the entire region. -+ * Errors here are ignored. -+ */ -+ if ( ret && add_mapping != DPCI_REMOVE_MAPPING ) -+ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns, -+ DPCI_REMOVE_MAPPING); -+ -+ /* We might get E2BIG so many times that we never advance. */ -+ if ( !done && !ret ) -+ ret = -1; - -- return do_domctl(xch, &domctl); -+ return ret; - } - - int xc_domain_ioport_mapping( - diff --git a/sysutils/xentools45/patches/patch-CVE-2015-2756 b/sysutils/xentools45/patches/patch-CVE-2015-2756 deleted file mode 100644 index 0b14653234a..00000000000 --- a/sysutils/xentools45/patches/patch-CVE-2015-2756 +++ /dev/null @@ -1,260 +0,0 @@ -$NetBSD: patch-CVE-2015-2756,v 1.1 2015/04/19 13:13:21 spz Exp $ - -patch for CVE-2015-2756 aka XSA-126 from -http://xenbits.xenproject.org/xsa/xsa126-qemuu.patch -and -http://xenbits.xenproject.org/xsa/xsa126-qemut.patch - ---- qemu-xen/hw/xen/xen_pt.c.orig 2014-12-02 10:41:02.000000000 +0000 -+++ qemu-xen/hw/xen/xen_pt.c -@@ -388,7 +388,7 @@ static const MemoryRegionOps ops = { - .write = xen_pt_bar_write, - }; - --static int xen_pt_register_regions(XenPCIPassthroughState *s) -+static int xen_pt_register_regions(XenPCIPassthroughState *s, uint16_t *cmd) - { - int i = 0; - XenHostPCIDevice *d = &s->real_device; -@@ -406,6 +406,7 @@ static int xen_pt_register_regions(XenPC - - if (r->type & XEN_HOST_PCI_REGION_TYPE_IO) { - type = PCI_BASE_ADDRESS_SPACE_IO; -+ *cmd |= PCI_COMMAND_IO; - } else { - type = PCI_BASE_ADDRESS_SPACE_MEMORY; - if (r->type & XEN_HOST_PCI_REGION_TYPE_PREFETCH) { -@@ -414,6 +415,7 @@ static int xen_pt_register_regions(XenPC - if (r->type & XEN_HOST_PCI_REGION_TYPE_MEM_64) { - type |= PCI_BASE_ADDRESS_MEM_TYPE_64; - } -+ *cmd |= PCI_COMMAND_MEMORY; - } - - memory_region_init_io(&s->bar[i], OBJECT(s), &ops, &s->dev, -@@ -657,6 +659,7 @@ static int xen_pt_initfn(PCIDevice *d) - XenPCIPassthroughState *s = DO_UPCAST(XenPCIPassthroughState, dev, d); - int rc = 0; - uint8_t machine_irq = 0; -+ uint16_t cmd = 0; - int pirq = XEN_PT_UNASSIGNED_PIRQ; - - /* register real device */ -@@ -691,7 +694,7 @@ static int xen_pt_initfn(PCIDevice *d) - s->io_listener = xen_pt_io_listener; - - /* Handle real device's MMIO/PIO BARs */ -- xen_pt_register_regions(s); -+ xen_pt_register_regions(s, &cmd); - - /* reinitialize each config register to be emulated */ - if (xen_pt_config_init(s)) { -@@ -755,6 +758,11 @@ static int xen_pt_initfn(PCIDevice *d) - } - - out: -+ if (cmd) { -+ xen_host_pci_set_word(&s->real_device, PCI_COMMAND, -+ pci_get_word(d->config + PCI_COMMAND) | cmd); -+ } -+ - memory_listener_register(&s->memory_listener, &address_space_memory); - memory_listener_register(&s->io_listener, &address_space_io); - XEN_PT_LOG(d, - ---- qemu-xen/hw/xen/xen_pt_config_init.c.orig 2014-12-02 10:41:02.000000000 +0000 -+++ qemu-xen/hw/xen/xen_pt_config_init.c -@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI - } - - /* Command register */ --static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry, -- uint16_t *value, uint16_t valid_mask) --{ -- XenPTRegInfo *reg = cfg_entry->reg; -- uint16_t valid_emu_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if (s->is_virtfn) { -- emu_mask |= PCI_COMMAND_MEMORY; -- } -- -- /* emulate word register */ -- valid_emu_mask = emu_mask & valid_mask; -- *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); -- -- return 0; --} - static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry, - uint16_t *val, uint16_t dev_value, - uint16_t valid_mask) -@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa - XenPTRegInfo *reg = cfg_entry->reg; - uint16_t writable_mask = 0; - uint16_t throughable_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if (s->is_virtfn) { -- emu_mask |= PCI_COMMAND_MEMORY; -- } - - /* modify emulate register */ - writable_mask = ~reg->ro_mask & valid_mask; - cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask); - - /* create value for writing to I/O device register */ -- throughable_mask = ~emu_mask & valid_mask; -+ throughable_mask = ~reg->emu_mask & valid_mask; - - if (*val & PCI_COMMAND_INTX_DISABLE) { - throughable_mask |= PCI_COMMAND_INTX_DISABLE; -@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade - .size = 2, - .init_val = 0x0000, - .ro_mask = 0xF880, -- .emu_mask = 0x0740, -+ .emu_mask = 0x0743, - .init = xen_pt_common_reg_init, -- .u.w.read = xen_pt_cmd_reg_read, -+ .u.w.read = xen_pt_word_reg_read, - .u.w.write = xen_pt_cmd_reg_write, - }, - /* Capabilities Pointer reg */ - ---- qemu-xen-traditional/hw/pass-through.c.orig 2014-10-06 15:50:24.000000000 +0000 -+++ qemu-xen-traditional/hw/pass-through.c -@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de - static int pt_long_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask); - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); -@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg - .size = 2, - .init_val = 0x0000, - .ro_mask = 0xF880, -- .emu_mask = 0x0740, -+ .emu_mask = 0x0743, - .init = pt_common_reg_init, -- .u.w.read = pt_cmd_reg_read, -+ .u.w.read = pt_word_reg_read, - .u.w.write = pt_cmd_reg_write, - .u.w.restore = pt_cmd_reg_restore, - }, -@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d - return rc; - } - --static int pt_register_regions(struct pt_dev *assigned_device) -+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd) - { - int i = 0; - uint32_t bar_data = 0; -@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt - - /* Register current region */ - if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO, - pt_ioport_map); -+ *cmd |= PCI_COMMAND_IO; -+ } - else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - else -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - - PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n", - (uint32_t)(pci_dev->size[i]), -@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de - return 0; - } - --/* read Command register */ --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask) --{ -- struct pt_reg_info_tbl *reg = cfg_entry->reg; -- uint16_t valid_emu_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; -- -- /* emulate word register */ -- valid_emu_mask = emu_mask & valid_mask; -- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); -- -- return 0; --} -- - /* read BAR */ - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, -@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de - uint16_t writable_mask = 0; - uint16_t throughable_mask = 0; - uint16_t wr_value = *value; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; - - /* modify emulate register */ - writable_mask = ~reg->ro_mask & valid_mask; - cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask); - - /* create value for writing to I/O device register */ -- throughable_mask = ~emu_mask & valid_mask; -+ throughable_mask = ~reg->emu_mask & valid_mask; - - if (*value & PCI_COMMAND_DISABLE_INTx) - { -@@ -4211,6 +4190,7 @@ static struct pt_dev * register_real_dev - struct pt_dev *assigned_device = NULL; - struct pci_dev *pci_dev; - uint8_t e_device, e_intx; -+ uint16_t cmd = 0; - char *key, *val; - int msi_translate, power_mgmt; - -@@ -4300,7 +4280,7 @@ static struct pt_dev * register_real_dev - assigned_device->dev.config[i] = pci_read_byte(pci_dev, i); - - /* Handle real device's MMIO/PIO BARs */ -- pt_register_regions(assigned_device); -+ pt_register_regions(assigned_device, &cmd); - - /* Setup VGA bios for passthroughed gfx */ - if ( setup_vga_pt(assigned_device) < 0 ) -@@ -4378,6 +4358,10 @@ static struct pt_dev * register_real_dev - } - - out: -+ if (cmd) -+ pci_write_word(pci_dev, PCI_COMMAND, -+ *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd); -+ - PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n" - "IRQ type = %s\n", r_bus, r_dev, r_func, - assigned_device->msi_trans_en? "MSI-INTx":"INTx"); diff --git a/sysutils/xentools45/patches/patch-CVE-2015-3456 b/sysutils/xentools45/patches/patch-CVE-2015-3456 deleted file mode 100644 index a607a48fb36..00000000000 --- a/sysutils/xentools45/patches/patch-CVE-2015-3456 +++ /dev/null @@ -1,131 +0,0 @@ -$NetBSD: patch-CVE-2015-3456,v 1.1 2015/06/05 18:15:42 khorben Exp $ - -fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reviewed-by: John Snow <jsnow@redhat.com> - ---- qemu-xen/hw/block/fdc.c -+++ qemu-xen/hw/block/fdc.c -@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command ---- qemu-xen-traditional/hw/fdc.c -+++ qemu-xen-traditional/hw/fdc.c -@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) - { - fdrive_t *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) - { - fdrive_t *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) - { - fdrive_t *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command diff --git a/sysutils/xentools45/patches/patch-XSA135 b/sysutils/xentools45/patches/patch-XSA135 new file mode 100644 index 00000000000..d859e64ce14 --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA135 @@ -0,0 +1,139 @@ +$NetBSD: patch-XSA135,v 1.1 2015/06/23 17:45:33 bouyer Exp $ + +pcnet: fix Negative array index read + +From: Gonglei <arei.gonglei@huawei.com> + +s->xmit_pos maybe assigned to a negative value (-1), +but in this branch variable s->xmit_pos as an index to +array s->buffer. Let's add a check for s->xmit_pos. + +upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b + +Signed-off-by: Gonglei <arei.gonglei@huawei.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Reviewed-by: Jason Wang <jasowang@redhat.com> +Reviewed-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> + +diff --git a/hw/pcnet.c b/hw/pcnet.c +index 7cc0637..9f3e1cc 100644 +--- qemu-xen-traditional/hw/pcnet.c.orig ++++ qemu-xen-traditional/hw/pcnet.c +@@ -1250,7 +1250,7 @@ static void pcnet_transmit(PCNetState *s) + target_phys_addr_t xmit_cxda = 0; + int count = CSR_XMTRL(s)-1; + int add_crc = 0; +- ++ int bcnt; + s->xmit_pos = -1; + + if (!CSR_TXON(s)) { +@@ -1276,34 +1276,39 @@ static void pcnet_transmit(PCNetState *s) + if (BCR_SWSTYLE(s) != 1) + add_crc = GET_FIELD(tmd.status, TMDS, ADDFCS); + } ++ ++ if (s->xmit_pos < 0) { ++ goto txdone; ++ } ++ ++ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), ++ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); ++ s->xmit_pos += bcnt; ++ + if (!GET_FIELD(tmd.status, TMDS, ENP)) { +- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); +- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), +- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); +- s->xmit_pos += bcnt; +- } else if (s->xmit_pos >= 0) { +- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); +- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), +- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); +- s->xmit_pos += bcnt; ++ goto txdone; ++ } + #ifdef PCNET_DEBUG +- printf("pcnet_transmit size=%d\n", s->xmit_pos); ++ printf("pcnet_transmit size=%d\n", s->xmit_pos); + #endif +- if (CSR_LOOP(s)) { +- if (BCR_SWSTYLE(s) == 1) +- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); +- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; +- pcnet_receive(s, s->buffer, s->xmit_pos); +- s->looptest = 0; +- } else +- if (s->vc) +- qemu_send_packet(s->vc, s->buffer, s->xmit_pos); +- +- s->csr[0] &= ~0x0008; /* clear TDMD */ +- s->csr[4] |= 0x0004; /* set TXSTRT */ +- s->xmit_pos = -1; ++ if (CSR_LOOP(s)) { ++ if (BCR_SWSTYLE(s) == 1) ++ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); ++ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; ++ pcnet_receive(s, s->buffer, s->xmit_pos); ++ s->looptest = 0; ++ } else { ++ if (s->vc) { ++ qemu_send_packet(s->vc, s->buffer, s->xmit_pos); ++ } + } + ++ s->csr[0] &= ~0x0008; /* clear TDMD */ ++ s->csr[4] |= 0x0004; /* set TXSTRT */ ++ s->xmit_pos = -1; ++ ++ txdone: + SET_FIELD(&tmd.status, TMDS, OWN, 0); + TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s))); + if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT))) +From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001 +From: Petr Matousek <pmatouse@redhat.com> +Date: Sun, 24 May 2015 10:53:44 +0200 +Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx + +4096 is the maximum length per TMD and it is also currently the size of +the relay buffer pcnet driver uses for sending the packet data to QEMU +for further processing. With packet spanning multiple TMDs it can +happen that the overall packet size will be bigger than sizeof(buffer), +which results in memory corruption. + +Fix this by only allowing to queue maximum sizeof(buffer) bytes. + +This is CVE-2015-3209. + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> +Reported-by: Matt Tait <matttait@google.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +--- + hw/pcnet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/pcnet.c b/hw/pcnet.c +index bdfd38f..6d32e4c 100644 +--- qemu-xen-traditional/hw/pcnet.c.orig ++++ qemu-xen-traditional/hw/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt; +-- +2.1.0 + diff --git a/sysutils/xentools45/patches/patch-libxl_Makefile b/sysutils/xentools45/patches/patch-libxl_Makefile index 800ef3b7838..2fe394f3472 100644 --- a/sysutils/xentools45/patches/patch-libxl_Makefile +++ b/sysutils/xentools45/patches/patch-libxl_Makefile @@ -1,7 +1,7 @@ -$NetBSD: patch-libxl_Makefile,v 1.1 2015/01/20 16:42:13 bouyer Exp $ +$NetBSD: patch-libxl_Makefile,v 1.2 2015/06/23 17:45:33 bouyer Exp $ ---- libxl/Makefile.orig 2015-01-19 21:18:26.000000000 +0100 -+++ libxl/Makefile 2015-01-19 21:18:49.000000000 +0100 +--- libxl/Makefile.orig 2015-06-22 15:41:35.000000000 +0200 ++++ libxl/Makefile 2015-06-23 16:51:38.000000000 +0200 @@ -253,7 +253,7 @@ $(INSTALL_DIR) $(DESTDIR)$(SBINDIR) $(INSTALL_DIR) $(DESTDIR)$(LIBDIR) @@ -14,7 +14,7 @@ $NetBSD: patch-libxl_Makefile,v 1.1 2015/01/20 16:42:13 bouyer Exp $ @@ -267,7 +267,7 @@ $(SYMLINK_SHLIB) libxlutil.so.$(XLUMAJOR) $(DESTDIR)$(LIBDIR)/libxlutil.so $(INSTALL_DATA) libxlutil.a $(DESTDIR)$(LIBDIR) - $(INSTALL_DATA) libxl.h libxl_event.h libxl_json.h _libxl_types.h _libxl_types_json.h _libxl_list.h libxl_utils.h libxl_uuid.h $(DESTDIR)$(INCLUDEDIR) + $(INSTALL_DATA) libxl.h libxl_event.h libxl_json.h _libxl_types.h _libxl_types_json.h _libxl_list.h libxl_utils.h libxl_uuid.h libxlutil.h $(DESTDIR)$(INCLUDEDIR) - $(INSTALL_DATA) bash-completion $(DESTDIR)$(BASH_COMPLETION_DIR)/xl.sh + $(INSTALL_DATA) bash-completion $(DESTDIR)$(XEN_EXAMPLES_DIR)/xl.sh |