author | spz <spz> | 2016-09-11 11:38:10 +0000 |
---|---|---|
committer | spz <spz> | 2016-09-11 11:38:10 +0000 |
commit | 9aa1595aa021484297fad1465aac586494217695 (patch) | |
tree | 4a79552abfd9b083feeb295bf223de388eed97de /sysutils/xentools45 | |
parent | f5c27cb98cc0e671f4b9a2fe361b2a081241f1fd (diff) | |
add the patch for XSA-184
Diffstat (limited to 'sysutils/xentools45')
-rw-r--r-- | sysutils/xentools45/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xentools45/distinfo | 3 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-184 | 83 |
3 files changed, 87 insertions, 3 deletions
diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile
index 5c936aae639..73900f30165 100644
--- a/sysutils/xentools45/Makefile
+++ b/sysutils/xentools45/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.37 2016/08/06 12:41:36 spz Exp $
+# $NetBSD: Makefile,v 1.38 2016/09/11 11:38:10 spz Exp $
 VERSION= 4.5.3
-PKGREVISION= 3
+PKGREVISION= 4
 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
 DISTNAME= xen-${VERSION}
diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo
index 10ac19bc17f..6a24e07901f 100644
--- a/sysutils/xentools45/distinfo
+++ b/sysutils/xentools45/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/08/06 12:41:36 spz Exp $
+$NetBSD: distinfo,v 1.26 2016/09/11 11:38:10 spz Exp $
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -23,6 +23,7 @@ SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50
 SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2
 SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca
 SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3
+SHA1 (patch-XSA-184) = 08103cae34512c1a3b9eb3e5cfdf8a15a302e419
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff --git a/sysutils/xentools45/patches/patch-XSA-184 b/sysutils/xentools45/patches/patch-XSA-184
new file mode 100644
index 00000000000..a909ee748d2
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-184
@@ -0,0 +1,83 @@
+patches for XSA-184 from upstream:
+
+From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 26 Jul 2016 15:31:59 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible. Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio.c b/hw/virtio.c
+index c26feff..42897bf 100644
+--- qemu-xen-traditional/hw/virtio.c.orig 2016-01-04 15:36:03.000000000 +0000
++++ qemu-xen-traditional/hw/virtio.c 2016-09-11 11:01:37.000000000 +0000
+@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ /* When we start there are none of either input nor output. */
+ elem->out_num = elem->in_num = 0;
+
++ if (vq->inuse >= vq->vring.num) {
++ fprintf(stderr, "Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ do {
+ struct iovec *sg;
+
+From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Mon, 25 Jul 2016 17:37:18 +0530
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible. Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index d24f775..f8ac0fb 100644
+--- qemu-xen/hw/virtio/virtio.c.orig 2016-02-18 17:30:28.000000000 +0000
++++ qemu-xen/hw/virtio/virtio.c 2016-09-11 11:01:48.000000000 +0000
+@@ -459,6 +459,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+
+ max = vq->vring.num;
+
++ if (vq->inuse >= max) {
++ error_report("Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
+ vring_avail_event(vq, vring_avail_idx(vq)); |
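Review bot: In the qemu-xen-traditional hunk of patch-XSA-184, the message printed before `exit(1)` has no trailing newline and names neither the device nor the queue, so a guest-triggered device-model exit may leave only an unterminated fragment in the log. `fprintf(stderr, "Virtqueue size exceeded\n");` would at least terminate the line; the qemu-xen hunk uses `error_report`, which does that itself. Both checks trust `vq->inuse`, which is maintained outside these hunks, in the rest of virtqueue_pop and in the completion paths. It is worth confirming that every path that hands an element back or restores queue state keeps that counter accurate, since a stale count would make this check terminate a well-behaved guest. A short comment above each check, such as `/* guest-controlled: bound in-flight elements by ring size (XSA-184) */`, would record why the exit is there.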