add the patch for XSA-184

3 files changed, 87 insertions, 3 deletions

diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile
index 5c936aae639..73900f30165 100644
--- a/sysutils/xentools45/Makefile
+++ b/sysutils/xentools45/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.37 2016/08/06 12:41:36 spz Exp $
+# $NetBSD: Makefile,v 1.38 2016/09/11 11:38:10 spz Exp $
 
 VERSION=	4.5.3
-PKGREVISION=	3
+PKGREVISION=	4
 VERSION_IPXE=	9a93db3f0947484e30e753bbd61a10b17336e20e
 
 DISTNAME=		xen-${VERSION}
diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo
index 10ac19bc17f..6a24e07901f 100644
--- a/sysutils/xentools45/distinfo
+++ b/sysutils/xentools45/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/08/06 12:41:36 spz Exp $
+$NetBSD: distinfo,v 1.26 2016/09/11 11:38:10 spz Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -23,6 +23,7 @@ SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50
 SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2
 SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca
 SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3
+SHA1 (patch-XSA-184) = 08103cae34512c1a3b9eb3e5cfdf8a15a302e419
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff --git a/sysutils/xentools45/patches/patch-XSA-184 b/sysutils/xentools45/patches/patch-XSA-184
new file mode 100644
index 00000000000..a909ee748d2
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-184
@@ -0,0 +1,83 @@
+patches for XSA-184 from upstream:
+
+From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 26 Jul 2016 15:31:59 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible.  Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio.c b/hw/virtio.c
+index c26feff..42897bf 100644
+--- qemu-xen-traditional/hw/virtio.c.orig	2016-01-04 15:36:03.000000000 +0000
++++ qemu-xen-traditional/hw/virtio.c	2016-09-11 11:01:37.000000000 +0000
+@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+     /* When we start there are none of either input nor output. */
+     elem->out_num = elem->in_num = 0;
+ 
++    if (vq->inuse >= vq->vring.num) {
++        fprintf(stderr, "Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     do {
+         struct iovec *sg;
+
+From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Mon, 25 Jul 2016 17:37:18 +0530
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible.  Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index d24f775..f8ac0fb 100644
+--- qemu-xen/hw/virtio/virtio.c.orig	2016-02-18 17:30:28.000000000 +0000
++++ qemu-xen/hw/virtio/virtio.c	2016-09-11 11:01:48.000000000 +0000
+@@ -459,6 +459,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+     max = vq->vring.num;
+ 
++    if (vq->inuse >= max) {
++        error_report("Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
+         vring_avail_event(vq, vring_avail_idx(vq));