diff options
| author | bouyer <bouyer@pkgsrc.org> | 2016-09-21 17:03:37 +0000 |
|---|---|---|
| committer | bouyer <bouyer@pkgsrc.org> | 2016-09-21 17:03:37 +0000 |
| commit | 55046ba2e00cd25f2b6dece34400a8c067a6c26e (patch) | |
| tree | fdd22ca17dac50fbb3d1e7f134cd61662026ef05 /sysutils | |
| parent | 5c590a9bfc0cdc81a166c44581876a401c2eaa3f (diff) | |
| download | pkgsrc-55046ba2e00cd25f2b6dece34400a8c067a6c26e.tar.gz | |
Update xenkernel45 and xentools45 to 4.5.5.
Changes since 4.5.3: mostly bugfixes, including fixes for
security issues XSA-172, XSA-173, XSA-175, XSA-176, XSA-178, XSA-179, XSA-180,
XSA-181, XSA-182, XSA-183, XSA-184, XSA-185, XSA-186 and XSA-187.
All but XSA-175 were already fixed in pkgsrc.
Complete list of changes and links to the XSA advisories:
https://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-455.html
Diffstat (limited to 'sysutils')
20 files changed, 17 insertions, 2660 deletions
diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile index 29d2c4ebc29..ab1463b1b9c 100644 --- a/sysutils/xenkernel45/Makefile +++ b/sysutils/xenkernel45/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.21 2016/09/08 15:44:07 bouyer Exp $ +# $NetBSD: Makefile,v 1.22 2016/09/21 17:03:37 bouyer Exp $ -VERSION= 4.5.3 +VERSION= 4.5.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel45-${VERSION} -PKGREVISION= 3 +#PKGREVISION= 0 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo index 9df2b21caa8..da29f8ffb59 100644 --- a/sysutils/xenkernel45/distinfo +++ b/sysutils/xenkernel45/distinfo @@ -1,22 +1,10 @@ -$NetBSD: distinfo,v 1.17 2016/09/08 15:44:07 bouyer Exp $ +$NetBSD: distinfo,v 1.18 2016/09/21 17:03:37 bouyer Exp $ -SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108 -RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4 -SHA512 (xen-4.5.3.tar.gz) = 086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f -Size (xen-4.5.3.tar.gz) = 18416997 bytes +SHA1 (xen-4.5.5.tar.gz) = 4073d411c72d3298baacfc15577b92b9ae577073 +RMD160 (xen-4.5.5.tar.gz) = 34132ab04752dc594fbdc1404c95f402b7bbbe39 +SHA512 (xen-4.5.5.tar.gz) = 7e8d7e0248daa91389db0250c5f214dc1ab46c058d556a4326c801933ead05cc450cb9510108586418de029b81a80fd9f272ec1749d288a8250e69599aa2d769 +Size (xen-4.5.5.tar.gz) = 18426889 bytes SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf -SHA1 (patch-XSA-172) = ff4560534381d4d4c553170fbeb674f9361d9740 -SHA1 (patch-XSA-173) = 0f6a2c4d9467713f3d969020f8fba62aa2f5297b -SHA1 (patch-XSA-176) = 221ed0dce1a97e03c0f0cb216f5ffd13269fd162 -SHA1 (patch-XSA-180) = d50f2c7d4ae7bbc8d0ae892f7bdf4ca0ba867d1a -SHA1 (patch-XSA-181) = 3fc00b9543d6bd834359a299c288839ad69f3fbb -SHA1 (patch-XSA-182) = 77dfd369df89a51355318e26e38837482f09996e -SHA1 (patch-XSA-183) = f2a6027ff71c32c16abeb1b17e3226b714a5f1f4 -SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019 -SHA1 (patch-XSA-186-1) = 71e4a6c4c683891bac50682a3ab69a204fb681ad -SHA1 (patch-XSA-186-2) = 6094c2efe468e3f31712659be9a71af2cbe8dc1f -SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56 -SHA1 (patch-XSA-187-2) = f5308fee03a5d73c8aa283eb82cc36a6a3d3bc06 SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03 diff --git a/sysutils/xenkernel45/patches/patch-XSA-172 b/sysutils/xenkernel45/patches/patch-XSA-172 deleted file mode 100644 index 61c3ca8ec93..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-172 +++ /dev/null @@ -1,41 +0,0 @@ -$NetBSD: patch-XSA-172,v 1.1 2016/05/12 15:42:58 bouyer Exp $ - -x86: fix information leak on AMD CPUs - -The fix for XSA-52 was wrong, and so was the change synchronizing that -new behavior to the FXRSTOR logic: AMD's manuals explictly state that -writes to the ES bit are ignored, and it instead gets calculated from -the exception and mask bits (it gets set whenever there is an unmasked -exception, and cleared otherwise). Hence we need to follow that model -in our workaround. - -This is XSA-172. - -The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159. -The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- xen/arch/x86/i387.c.orig -+++ xen/arch/x86/i387.c -@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc - * sometimes new user value. Both should be ok. Use the FPU saved - * data block as a safe address because it should be in L1. - */ -- if ( !(fpu_ctxt->fsw & 0x0080) && -+ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) && - boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) - { - asm volatile ( "fnclex\n\t" ---- xen/arch/x86/xstate.c.orig -+++ xen/arch/x86/xstate.c -@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas - * data block as a safe address because it should be in L1. - */ - if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && -- !(ptr->fpu_sse.fsw & 0x0080) && -+ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) && - boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) - asm volatile ( "fnclex\n\t" /* clear exceptions */ - "ffree %%st(7)\n\t" /* clear stack tag */ diff --git a/sysutils/xenkernel45/patches/patch-XSA-173 b/sysutils/xenkernel45/patches/patch-XSA-173 deleted file mode 100644 index f2c4313b7a2..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-173 +++ /dev/null @@ -1,246 +0,0 @@ -$NetBSD: patch-XSA-173,v 1.1 2016/05/12 15:42:58 bouyer Exp $ - -commit 9d7687d60ae2e09ad2a77b05bd820e7850709375 -Author: Tim Deegan <tim@xen.org> -Date: Wed Mar 16 16:56:04 2016 +0000 - - x86: limit GFNs to 32 bits for shadowed superpages. - - Superpage shadows store the shadowed GFN in the backpointer field, - which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage - mapping of a guest-physical address above 2^44 would lead to the GFN - being truncated there, and a crash when we come to remove the shadow - from the hash table. - - Track the valid width of a GFN for each guest, including reporting it - through CPUID, and enforce it in the shadow pagetables. Set the - maximum witth to 32 for guests where this truncation could occur. - - This is XSA-173. - - Signed-off-by: Tim Deegan <tim@xen.org> - Signed-off-by: Jan Beulich <jbeulich@suse.com> - -Reported-by: Ling Liu <liuling-it@360.cn> -diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c -index 5c8d3c2..7dc8220 100644 ---- xen/arch/x86/cpu/common.c.orig -+++ xen/arch/x86/cpu/common.c -@@ -37,6 +37,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx); - struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {}; - - unsigned int paddr_bits __read_mostly = 36; -+unsigned int hap_paddr_bits __read_mostly = 36; - - /* - * Default host IA32_CR_PAT value to cover all memory types. -@@ -209,7 +210,7 @@ static void __init early_cpu_detect(void) - - static void __cpuinit generic_identify(struct cpuinfo_x86 *c) - { -- u32 tfms, capability, excap, ebx; -+ u32 tfms, capability, excap, ebx, eax; - - /* Get vendor name */ - cpuid(0x00000000, &c->cpuid_level, -@@ -246,8 +247,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c) - } - if ( c->extended_cpuid_level >= 0x80000004 ) - get_model_name(c); /* Default name */ -- if ( c->extended_cpuid_level >= 0x80000008 ) -- paddr_bits = cpuid_eax(0x80000008) & 0xff; -+ if ( c->extended_cpuid_level >= 0x80000008 ) { -+ eax = cpuid_eax(0x80000008); -+ paddr_bits = eax & 0xff; -+ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits; -+ } - } - - /* Might lift BIOS max_leaf=3 limit. */ -diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c -index 41fb10a..cac458a 100644 ---- xen/arch/x86/hvm/hvm.c.orig -+++ xen/arch/x86/hvm/hvm.c -@@ -4327,8 +4327,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx, - break; - - case 0x80000008: -- count = cpuid_eax(0x80000008); -- count = (count >> 16) & 0xff ?: count & 0xff; -+ count = d->arch.paging.gfn_bits + PAGE_SHIFT; - if ( (*eax & 0xff) > count ) - *eax = (*eax & ~0xff) | count; - -diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c -index 1b26175..50ba7d5 100644 ---- xen/arch/x86/mm/guest_walk.c.orig -+++ xen/arch/x86/mm/guest_walk.c -@@ -94,6 +94,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn, - struct page_info *page; - void *map; - -+ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits ) -+ { -+ *rc = _PAGE_INVALID_BIT; -+ return NULL; -+ } -+ - /* Translate the gfn, unsharing if shared */ - page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL, - q); -@@ -327,20 +333,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, - flags &= ~_PAGE_PAT; - - if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 ) -- { --#if GUEST_PAGING_LEVELS == 2 -- /* -- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a -- * no-op here. -- * -- * Architecturally, the walk should fail if bit 21 is set (others -- * aren't being checked at least in PSE36 mode), but we'll ignore -- * this here in order to avoid specifying a non-natural, non-zero -- * _PAGE_INVALID_BITS value just for that case. -- */ --#endif - rc |= _PAGE_INVALID_BITS; -- } -+ - /* Increment the pfn by the right number of 4k pages. - * Mask out PAT and invalid bits. */ - start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) + -@@ -423,5 +417,11 @@ set_ad: - put_page(mfn_to_page(mfn_x(gw->l1mfn))); - } - -+ /* If this guest has a restricted physical address space then the -+ * target GFN must fit within it. */ -+ if ( !(rc & _PAGE_PRESENT) -+ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits ) -+ rc |= _PAGE_INVALID_BITS; -+ - return rc; - } -diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c -index 0c80012..84531b1 100644 ---- xen/arch/x86/mm/hap/hap.c.orig -+++ xen/arch/x86/mm/hap/hap.c -@@ -429,6 +429,8 @@ void hap_domain_init(struct domain *d) - { - INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist); - -+ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT; -+ - /* Use HAP logdirty mechanism. */ - paging_log_dirty_init(d, hap_enable_log_dirty, - hap_disable_log_dirty, -diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c -index 18026fe..9028d82 100644 ---- xen/arch/x86/mm/shadow/common.c.orig -+++ xen/arch/x86/mm/shadow/common.c -@@ -48,6 +48,16 @@ void shadow_domain_init(struct domain *d, unsigned int domcr_flags) - INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist); - INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows); - -+ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT; -+#ifndef CONFIG_BIGMEM -+ /* -+ * Shadowed superpages store GFNs in 32-bit page_info fields. -+ * Note that we cannot use guest_supports_superpages() here. -+ */ -+ if ( !is_pv_domain(d) || opt_allow_superpage ) -+ d->arch.paging.gfn_bits = 32; -+#endif -+ - /* Use shadow pagetables for log-dirty support */ - paging_log_dirty_init(d, shadow_enable_log_dirty, - shadow_disable_log_dirty, shadow_clean_dirty_bitmap); -diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c -index d6802ff..7589d23 100644 ---- xen/arch/x86/mm/shadow/multi.c.orig -+++ xen/arch/x86/mm/shadow/multi.c -@@ -527,7 +527,8 @@ _sh_propagate(struct vcpu *v, - ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3); - - /* Check there's something for the shadows to map to */ -- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) ) -+ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt)) -+ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits ) - { - *sp = shadow_l1e_empty(); - goto done; -diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h -index 6a77a93..e8df4a9 100644 ---- xen/include/asm-x86/domain.h.orig -+++ xen/include/asm-x86/domain.h -@@ -188,6 +188,9 @@ struct paging_domain { - /* log dirty support */ - struct log_dirty_domain log_dirty; - -+ /* Number of valid bits in a gfn. */ -+ unsigned int gfn_bits; -+ - /* preemption handling */ - struct { - const struct domain *dom; -diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h -index d2a8250..d95f835 100644 ---- xen/include/asm-x86/guest_pt.h.orig -+++ xen/include/asm-x86/guest_pt.h -@@ -220,15 +220,17 @@ guest_supports_nx(struct vcpu *v) - } - - --/* Some bits are invalid in any pagetable entry. */ --#if GUEST_PAGING_LEVELS == 2 --#define _PAGE_INVALID_BITS (0) --#elif GUEST_PAGING_LEVELS == 3 --#define _PAGE_INVALID_BITS \ -- get_pte_flags(((1ull<<63) - 1) & ~((1ull<<paddr_bits) - 1)) --#else /* GUEST_PAGING_LEVELS == 4 */ -+/* -+ * Some bits are invalid in any pagetable entry. -+ * Normal flags values get represented in 24-bit values (see -+ * get_pte_flags() and put_pte_flags()), so set bit 24 in -+ * addition to be able to flag out of range frame numbers. -+ */ -+#if GUEST_PAGING_LEVELS == 3 - #define _PAGE_INVALID_BITS \ -- get_pte_flags(((1ull<<52) - 1) & ~((1ull<<paddr_bits) - 1)) -+ (_PAGE_INVALID_BIT | get_pte_flags(((1ull << 63) - 1) & ~(PAGE_SIZE - 1))) -+#else /* 2-level and 4-level */ -+#define _PAGE_INVALID_BITS _PAGE_INVALID_BIT - #endif - - -diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h -index b4e4731..56fc5a2 100644 ---- xen/include/asm-x86/processor.h.orig -+++ xen/include/asm-x86/processor.h -@@ -203,6 +203,8 @@ extern u32 cpuid_ext_features; - - /* Maximum width of physical addresses supported by the hardware */ - extern unsigned int paddr_bits; -+/* Max physical address width supported within HAP guests */ -+extern unsigned int hap_paddr_bits; - - extern void identify_cpu(struct cpuinfo_x86 *); - extern void setup_clear_cpu_cap(unsigned int); -diff --git a/xen/include/asm-x86/x86_64/page.h b/xen/include/asm-x86/x86_64/page.h -index 1d54587..f1d1b6c 100644 ---- xen/include/asm-x86/x86_64/page.h.orig -+++ xen/include/asm-x86/x86_64/page.h -@@ -141,6 +141,12 @@ typedef l4_pgentry_t root_pgentry_t; - #define _PAGE_GNTTAB (1U<<22) - - /* -+ * Bit 24 of a 24-bit flag mask! This is not any bit of a real pte, -+ * and is only used for signalling in variables that contain flags. -+ */ -+#define _PAGE_INVALID_BIT (1U<<24) -+ -+/* - * Bit 12 of a 24-bit flag mask. This corresponds to bit 52 of a pte. - * This is needed to distinguish between user and kernel PTEs since _PAGE_USER - * is asserted for both. diff --git a/sysutils/xenkernel45/patches/patch-XSA-176 b/sysutils/xenkernel45/patches/patch-XSA-176 deleted file mode 100644 index 97f5ec0fe40..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-176 +++ /dev/null @@ -1,31 +0,0 @@ -$NetBSD: patch-XSA-176,v 1.1 2016/08/06 10:10:10 spz Exp $ - -patch for XSA-176 from upstream - ---- xen/arch/x86/mm/guest_walk.c.orig 2016-03-23 13:57:27.000000000 +0000 -+++ xen/arch/x86/mm/guest_walk.c -@@ -231,9 +237,14 @@ guest_walk_tables(struct vcpu *v, struct - rc |= _PAGE_PRESENT; - goto out; - } -+ if ( gflags & _PAGE_PSE ) -+ { -+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT; -+ goto out; -+ } - rc |= ((gflags & mflags) ^ mflags); - -- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v); -+ pse1G = !!(gflags & _PAGE_PSE); - - if ( pse1G ) - { -@@ -253,6 +264,8 @@ guest_walk_tables(struct vcpu *v, struct - /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */ - flags &= ~_PAGE_PAT; - -+ if ( !guest_supports_1G_superpages(v) ) -+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT; - if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 ) - rc |= _PAGE_INVALID_BITS; - diff --git a/sysutils/xenkernel45/patches/patch-XSA-180 b/sysutils/xenkernel45/patches/patch-XSA-180 deleted file mode 100644 index 9a74fd3e213..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-180 +++ /dev/null @@ -1,66 +0,0 @@ -$NetBSD: patch-XSA-180,v 1.1 2016/08/06 10:10:10 spz Exp $ - -patch for XSA-180 from upstream - ---- tools/qemu-xen-traditional/vl.c.orig 2016-01-04 15:36:03.000000000 +0000 -+++ tools/qemu-xen-traditional/vl.c -@@ -3753,6 +3753,50 @@ static void host_main_loop_wait(int *tim - } - #endif - -+static void check_cve_2014_3672_xen(void) -+{ -+ static unsigned long limit = ~0UL; -+ const int fd = 2; -+ struct stat stab; -+ -+ if (limit == ~0UL) { -+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); -+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ -+ limit = s ? strtoul(s,0,0) : 1*1024*1024; -+ } -+ if (limit == 0) -+ return; -+ -+ int r = fstat(fd, &stab); -+ if (r) { -+ perror("fstat stderr (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ if (!S_ISREG(stab.st_mode)) -+ return; -+ if (stab.st_size <= limit) -+ return; -+ -+ /* oh dear */ -+ fprintf(stderr,"\r\n" -+ "Closing stderr due to CVE-2014-3672 limit. " -+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," -+ " or 0 for no limit.\n"); -+ fflush(stderr); -+ -+ int nfd = open("/dev/null", O_WRONLY); -+ if (nfd < 0) { -+ perror("open /dev/null (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ r = dup2(nfd, fd); -+ if (r != fd) { -+ perror("dup2 /dev/null (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ close(nfd); -+} -+ - void main_loop_wait(int timeout) - { - IOHandlerRecord *ioh; -@@ -3762,6 +3806,8 @@ void main_loop_wait(int timeout) - - qemu_bh_update_timeout(&timeout); - -+ check_cve_2014_3672_xen(); -+ - host_main_loop_wait(&timeout); - - /* poll any events */ diff --git a/sysutils/xenkernel45/patches/patch-XSA-181 b/sysutils/xenkernel45/patches/patch-XSA-181 deleted file mode 100644 index c6444f08c41..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-181 +++ /dev/null @@ -1,18 +0,0 @@ -$NetBSD: patch-XSA-181,v 1.1 2016/08/06 10:10:10 spz Exp $ - -patch for XSA-181 from upstream -note this patch is only for ARM, and thus not really relevant to -this x86-only package - ---- xen/arch/arm/p2m.c.orig 2016-03-23 13:57:27.000000000 +0000 -+++ xen/arch/arm/p2m.c -@@ -1084,7 +1084,8 @@ void p2m_teardown(struct domain *d) - while ( (pg = page_list_remove_head(&p2m->pages)) ) - free_domheap_page(pg); - -- free_domheap_pages(p2m->root, P2M_ROOT_ORDER); -+ if ( p2m->root ) -+ free_domheap_pages(p2m->root, P2M_ROOT_ORDER); - - p2m->root = NULL; - diff --git a/sysutils/xenkernel45/patches/patch-XSA-182 b/sysutils/xenkernel45/patches/patch-XSA-182 deleted file mode 100644 index 2bb232283ed..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-182 +++ /dev/null @@ -1,104 +0,0 @@ -$NetBSD: patch-XSA-182,v 1.1 2016/07/26 14:31:57 bouyer Exp $ - -From 798c1498f764bfaa7b0b955bab40b01b0610d372 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper <andrew.cooper3@citrix.com> -Date: Mon, 11 Jul 2016 14:32:03 +0100 -Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath - -All changes in writeability and cacheability must go through full -re-validation. - -Rework the logic as a whitelist, to make it clearer to follow. - -This is XSA-182 - -Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com> -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Tim Deegan <tim@xen.org> ---- - xen/arch/x86/mm.c | 28 ++++++++++++++++------------ - xen/include/asm-x86/page.h | 1 + - 2 files changed, 17 insertions(+), 12 deletions(-) - -diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c -index b4c4fa4..a68a1ab 100644 ---- xen/arch/x86/mm.c.orig -+++ xen/arch/x86/mm.c -@@ -1695,6 +1695,14 @@ static inline int update_intpte(intpte_t *p, - _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \ - (_m), (_v), (_ad)) - -+/* -+ * PTE flags that a guest may change without re-validating the PTE. -+ * All other bits affect translation, caching, or Xen's safety. -+ */ -+#define FASTPATH_FLAG_WHITELIST \ -+ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \ -+ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER) -+ - /* Update the L1 entry at pl1e to new value nl1e. */ - static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e, - unsigned long gl1mfn, int preserve_ad, -@@ -1735,9 +1743,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e, - return -EINVAL; - } - -- /* Fast path for identical mapping, r/w, presence, and cachability. */ -- if ( !l1e_has_changed(ol1e, nl1e, -- PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) ) -+ /* Fast path for sufficiently-similar mappings. */ -+ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) ) - { - adjust_guest_l1e(nl1e, pt_dom); - if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, -@@ -1819,11 +1826,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e, - return -EINVAL; - } - -- /* Fast path for identical mapping and presence. */ -- if ( !l2e_has_changed(ol2e, nl2e, -- unlikely(opt_allow_superpage) -- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT -- : _PAGE_PRESENT) ) -+ /* Fast path for sufficiently-similar mappings. */ -+ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) ) - { - adjust_guest_l2e(nl2e, d); - if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) ) -@@ -1888,8 +1892,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e, - return -EINVAL; - } - -- /* Fast path for identical mapping and presence. */ -- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) ) -+ /* Fast path for sufficiently-similar mappings. */ -+ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) ) - { - adjust_guest_l3e(nl3e, d); - rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad); -@@ -1952,8 +1956,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e, - return -EINVAL; - } - -- /* Fast path for identical mapping and presence. */ -- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) ) -+ /* Fast path for sufficiently-similar mappings. */ -+ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) ) - { - adjust_guest_l4e(nl4e, d); - rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad); -diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h -index 6dc9646..03c024c 100644 ---- xen/include/asm-x86/page.h.orig -+++ xen/include/asm-x86/page.h -@@ -308,6 +308,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t); - #define _PAGE_AVAIL2 _AC(0x800,U) - #define _PAGE_AVAIL _AC(0xE00,U) - #define _PAGE_PSE_PAT _AC(0x1000,U) -+#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12) - /* non-architectural flags */ - #define _PAGE_PAGED 0x2000U - #define _PAGE_SHARED 0x4000U --- -2.1.4 - diff --git a/sysutils/xenkernel45/patches/patch-XSA-183 b/sysutils/xenkernel45/patches/patch-XSA-183 deleted file mode 100644 index 5fd6669b79a..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-183 +++ /dev/null @@ -1,77 +0,0 @@ -$NetBSD: patch-XSA-183,v 1.1 2016/07/26 14:31:57 bouyer Exp $ - -From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper <andrew.cooper3@citrix.com> -Date: Wed, 15 Jun 2016 18:32:14 +0100 -Subject: [PATCH] x86/entry: Avoid SMAP violation in - compat_create_bounce_frame() - -A 32bit guest kernel might be running on user mappings. -compat_create_bounce_frame() must whitelist its guest accesses to avoid -risking a SMAP violation. - -For both variants of create_bounce_frame(), re-blacklist user accesses if -execution exits via an exception table redirection. - -This is XSA-183 / CVE-2016-6259 - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: George Dunlap <george.dunlap@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- -v2: - * Include CLAC on the exit paths from compat_create_bounce_frame which occur - from faults attempting to load %fs - * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz ---- - xen/arch/x86/x86_64/compat/entry.S | 3 +++ - xen/arch/x86/x86_64/entry.S | 2 ++ - 2 files changed, 5 insertions(+) - -diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S -index 0e3db7c..1eaf4bb 100644 ---- xen/arch/x86/x86_64/compat/entry.S.orig -+++ xen/arch/x86/x86_64/compat/entry.S -@@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap) - compat_create_bounce_frame: - ASSERT_INTERRUPTS_ENABLED - mov %fs,%edi -+ ASM_STAC - testb $2,UREGS_cs+8(%rsp) - jz 1f - /* Push new frame at registered guest-OS stack base. */ -@@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe) - movl %ds,%eax - .Lft12: movl %eax,%fs:0*4(%rsi) # DS - UNLIKELY_END(compat_bounce_failsafe) -+ ASM_CLAC - /* Rewrite our stack frame and return to guest-OS mode. */ - /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */ - andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\ -@@ -448,6 +450,7 @@ compat_crash_page_fault_4: - addl $4,%esi - compat_crash_page_fault: - .Lft14: mov %edi,%fs -+ ASM_CLAC - movl %esi,%edi - call show_page_walk - jmp dom_crash_sync_extable -diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S -index 6e27508..0c2e63a 100644 ---- xen/arch/x86/x86_64/entry.S.orig -+++ xen/arch/x86/x86_64/entry.S -@@ -462,9 +462,11 @@ domain_crash_page_fault_16: - domain_crash_page_fault_8: - addq $8,%rsi - domain_crash_page_fault: -+ ASM_CLAC - movq %rsi,%rdi - call show_page_walk - ENTRY(dom_crash_sync_extable) -+ ASM_CLAC - # Get out of the guest-save area of the stack. - GET_STACK_BASE(%rax) - leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp --- -2.1.4 - diff --git a/sysutils/xenkernel45/patches/patch-XSA-185 b/sysutils/xenkernel45/patches/patch-XSA-185 deleted file mode 100644 index 2b9b23171e7..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-185 +++ /dev/null @@ -1,37 +0,0 @@ -$NetBSD: patch-XSA-185,v 1.1 2016/09/08 15:44:07 bouyer Exp $ - -From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001 -From: Jan Beulich <jbeulich@suse.com> -Date: Mon, 8 Aug 2016 10:58:12 +0100 -Subject: x86/32on64: don't allow recursive page tables from L3 - -L3 entries are special in PAE mode, and hence can't reasonably be used -for setting up recursive (and hence linear) page table mappings. Since -abuse is possible when the guest in fact gets run on 4-level page -tables, this needs to be excluded explicitly. - -This is XSA-185. - -Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com> -Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> ---- - xen/arch/x86/mm.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c -index 109b8be..69b8b8d 100644 ---- xen/arch/x86/mm.c.orig -+++ xen/arch/x86/mm.c -@@ -1122,7 +1122,9 @@ get_page_from_l3e( - - rc = get_page_and_type_from_pagenr( - l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1); -- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) ) -+ if ( unlikely(rc == -EINVAL) && -+ !is_pv_32bit_domain(d) && -+ get_l3_linear_pagetable(l3e, pfn, d) ) - rc = 0; - - return rc; diff --git a/sysutils/xenkernel45/patches/patch-XSA-186-1 b/sysutils/xenkernel45/patches/patch-XSA-186-1 deleted file mode 100644 index 9459fadbf19..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-186-1 +++ /dev/null @@ -1,43 +0,0 @@ -$NetBSD: patch-XSA-186-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $ - -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary - -The Force Emulation Prefix is named to follow its PV counterpart for cpuid or -rdtsc, but isn't really an instruction prefix. It behaves as a break-out into -Xen, with the purpose of emulating the next instruction in the current state. - -It is important to be able to test legal situations which occur in real -hardware, including instruction which cross certain boundaries, and -instructions starting at 0. - -Reported-by: Brian Marcotte <marcotte@panix.com> -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> - ---- xen/arch/x86/hvm/svm/svm.c.orig -+++ xen/arch/x86/hvm/svm/svm.c -@@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru - { - regs->eip += sizeof(sig); - regs->eflags &= ~X86_EFLAGS_RF; -+ -+ /* Zero the upper 32 bits of %rip if not in long mode. */ -+ if ( svm_guest_x86_mode(current) != 8 ) -+ regs->eip = regs->_eip; - } - } - ---- xen/arch/x86/hvm/vmx/vmx.c.orig -+++ xen/arch/x86/hvm/vmx/vmx.c -@@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru - { - regs->eip += sizeof(sig); - regs->eflags &= ~X86_EFLAGS_RF; -+ -+ /* Zero the upper 32 bits of %rip if not in long mode. */ -+ if ( vmx_guest_x86_mode(current) != 8 ) -+ regs->eip = regs->_eip; - } - } - diff --git a/sysutils/xenkernel45/patches/patch-XSA-186-2 b/sysutils/xenkernel45/patches/patch-XSA-186-2 deleted file mode 100644 index 52ca53aa4d2..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-186-2 +++ /dev/null @@ -1,73 +0,0 @@ -From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001 -From: Andrew Cooper <andrew.cooper3@citrix.com> -Date: Fri, 22 Jul 2016 16:02:54 +0000 -Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated - instructions - -This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling". - -Experimentally, in long mode processors will execute an instruction stream -which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction -boundary is aligned on the virtual boundary, or is misaligned. - -In compatibility mode, Intel processors will execute an instruction stream -which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a -segmentation fault. Xen's segmentation behaviour matches AMD. - -For 16bit code, hardware does not ever truncated %ip. %eip is always used and -behaves normally as a 32bit register, including in 16bit protected mode -segments, as well as in Real and Unreal mode. - -This is XSA-186 - -Reported-by: Brian Marcotte <marcotte@panix.com> -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- - xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------ - 1 file changed, 4 insertions(+), 18 deletions(-) - -diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index d5a56cf..bf3529a 100644 ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig -+++ xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1570,10 +1570,6 @@ x86_emulate( - #endif - } - -- /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */ -- if ( def_ad_bytes < sizeof(_regs.eip) ) -- _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1; -- - /* Prefix bytes. */ - for ( ; ; ) - { -@@ -3906,21 +3902,11 @@ x86_emulate( - - /* Commit shadow register state. */ - _regs.eflags &= ~EFLG_RF; -- switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) ) -- { -- uint16_t ip; - -- case 2: -- ip = _regs.eip; -- _regs.eip = ctxt->regs->eip; -- *(uint16_t *)&_regs.eip = ip; -- break; --#ifdef __x86_64__ -- case 4: -- _regs.rip = _regs._eip; -- break; --#endif -- } -+ /* Zero the upper 32 bits of %rip if not in long mode. */ -+ if ( def_ad_bytes < sizeof(_regs.eip) ) -+ _regs.eip = (uint32_t)_regs.eip; -+ - *ctxt->regs = _regs; - - done: --- -2.1.4 - diff --git a/sysutils/xenkernel45/patches/patch-XSA-187-1 b/sysutils/xenkernel45/patches/patch-XSA-187-1 deleted file mode 100644 index 9cbe734120e..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-187-1 +++ /dev/null @@ -1,44 +0,0 @@ -$NetBSD: patch-XSA-187-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $ - -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] - -hvm_get_seg_reg() does not perform a range check on its input segment, calls -hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[]. - -x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG() -in {vmx,svm}_get_segment_register(). - -HVM guests running with shadow paging can end up performing a virtual to -linear translation with x86_seg_none. This is used for addresses which are -already linear. However, none of this is a legitimate pagetable update, so -fail the emulation in such a case. - -This is XSA-187 - -Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Tim Deegan <tim@xen.org> - ---- xen/arch/x86/mm/shadow/common.c.orig -+++ xen/arch/x86/mm/shadow/common.c -@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr( - struct sh_emulate_ctxt *sh_ctxt, - unsigned long *paddr) - { -- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); -+ struct segment_register *reg; - int okay; - -+ /* -+ * Can arrive here with non-user segments. However, no such cirucmstance -+ * is part of a legitimate pagetable update, so fail the emulation. -+ */ -+ if ( !is_x86_user_segment(seg) ) -+ return X86EMUL_UNHANDLEABLE; -+ -+ reg = hvm_get_seg_reg(seg, sh_ctxt); -+ - okay = hvm_virtual_to_linear_addr( - seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr); - diff --git a/sysutils/xenkernel45/patches/patch-XSA-187-2 b/sysutils/xenkernel45/patches/patch-XSA-187-2 deleted file mode 100644 index c9d59e88051..00000000000 --- a/sysutils/xenkernel45/patches/patch-XSA-187-2 +++ /dev/null @@ -1,144 +0,0 @@ -$NetBSD: patch-XSA-187-2,v 1.1 2016/09/08 15:44:07 bouyer Exp $ - -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[] - -HVM HAP codepaths have space for all segment registers in the seg_reg[] -cache (with x86_seg_none still risking an array overrun), while the shadow -codepaths only have space for the user segments. - -Range check the input segment of *_get_seg_reg() against the size of the array -used to cache the results, to avoid overruns in the case that the callers -don't filter their input suitably. - -Subsume the is_x86_user_segment(seg) checks from the shadow code, which were -an incomplete attempt at range checking, and are now superceeded. Make -hvm_get_seg_reg() static, as it is not used outside of shadow/common.c - -No functional change, but far easier to reason that no overflow is possible. - -Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Tim Deegan <tim@xen.org> -Acked-by: Jan Beulich <jbeulich@suse.com> - ---- xen/arch/x86/hvm/emulate.c.orig -+++ xen/arch/x86/hvm/emulate.c -@@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear( - ? 1 : 4096); - - reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt); -+ if ( IS_ERR(reg) ) -+ return -PTR_ERR(reg); - - if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) ) - { -@@ -1360,6 +1362,10 @@ static int hvmemul_read_segment( - struct hvm_emulate_ctxt *hvmemul_ctxt = - container_of(ctxt, struct hvm_emulate_ctxt, ctxt); - struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt); -+ -+ if ( IS_ERR(sreg) ) -+ return -PTR_ERR(sreg); -+ - memcpy(reg, sreg, sizeof(struct segment_register)); - return X86EMUL_OKAY; - } -@@ -1373,6 +1379,9 @@ static int hvmemul_write_segment( - container_of(ctxt, struct hvm_emulate_ctxt, ctxt); - struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt); - -+ if ( IS_ERR(sreg) ) -+ return -PTR_ERR(sreg); -+ - memcpy(sreg, reg, sizeof(struct segment_register)); - __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty); - -@@ -1911,10 +1920,17 @@ void hvm_emulate_writeback( - } - } - -+/* -+ * Callers which pass a known in-range x86_segment can rely on the return -+ * pointer being valid. Other callers must explicitly check for errors. -+ */ - struct segment_register *hvmemul_get_seg_reg( - enum x86_segment seg, - struct hvm_emulate_ctxt *hvmemul_ctxt) - { -+ if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) ) -+ return ERR_PTR(-X86EMUL_UNHANDLEABLE); -+ - if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) ) - hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]); - return &hvmemul_ctxt->seg_reg[seg]; ---- xen/arch/x86/mm/shadow/common.c.orig -+++ xen/arch/x86/mm/shadow/common.c -@@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init); - /* x86 emulator support for the shadow code - */ - -+/* -+ * Callers which pass a known in-range x86_segment can rely on the return -+ * pointer being valid. Other callers must explicitly check for errors. -+ */ - struct segment_register *hvm_get_seg_reg( - enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt) - { -- struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg]; -+ struct segment_register *seg_reg; -+ -+ if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) ) -+ return ERR_PTR(-X86EMUL_UNHANDLEABLE); -+ -+ seg_reg = &sh_ctxt->seg_reg[seg]; - if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) ) - hvm_get_segment_register(current, seg, seg_reg); - return seg_reg; -@@ -145,14 +154,9 @@ static int hvm_translate_linear_addr( - struct segment_register *reg; - int okay; - -- /* -- * Can arrive here with non-user segments. However, no such cirucmstance -- * is part of a legitimate pagetable update, so fail the emulation. -- */ -- if ( !is_x86_user_segment(seg) ) -- return X86EMUL_UNHANDLEABLE; -- - reg = hvm_get_seg_reg(seg, sh_ctxt); -+ if ( IS_ERR(reg) ) -+ return -PTR_ERR(reg); - - okay = hvm_virtual_to_linear_addr( - seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr); -@@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg, - unsigned long addr; - int rc; - -- if ( !is_x86_user_segment(seg) ) -- return X86EMUL_UNHANDLEABLE; -- - /* How many emulations could we save if we unshadowed on stack writes? */ - if ( seg == x86_seg_ss ) - perfc_incr(shadow_fault_emulate_stack); -@@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg - unsigned long addr, old[2], new[2]; - int rc; - -- if ( !is_x86_user_segment(seg) ) -- return X86EMUL_UNHANDLEABLE; -- - rc = hvm_translate_linear_addr( - seg, offset, bytes, hvm_access_write, sh_ctxt, &addr); - if ( rc ) ---- xen/include/asm-x86/hvm/emulate.h.orig -+++ xen/include/asm-x86/hvm/emulate.h -@@ -13,6 +13,7 @@ - #define __ASM_X86_HVM_EMULATE_H__ - - #include <xen/config.h> -+#include <xen/err.h> - #include <asm/hvm/hvm.h> - #include <asm/x86_emulate.h> - diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile index 73900f30165..c1b310e27e3 100644 --- a/sysutils/xentools45/Makefile +++ b/sysutils/xentools45/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.38 2016/09/11 11:38:10 spz Exp $ +# $NetBSD: Makefile,v 1.39 2016/09/21 17:03:38 bouyer Exp $ -VERSION= 4.5.3 -PKGREVISION= 4 +VERSION= 4.5.5 +#PKGREVISION= 0 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo index 6a24e07901f..3025135901d 100644 --- a/sysutils/xentools45/distinfo +++ b/sysutils/xentools45/distinfo @@ -1,13 +1,13 @@ -$NetBSD: distinfo,v 1.26 2016/09/11 11:38:10 spz Exp $ +$NetBSD: distinfo,v 1.27 2016/09/21 17:03:38 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 SHA512 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes -SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108 -RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4 -SHA512 (xen-4.5.3.tar.gz) = 086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f -Size (xen-4.5.3.tar.gz) = 18416997 bytes +SHA1 (xen-4.5.5.tar.gz) = 4073d411c72d3298baacfc15577b92b9ae577073 +RMD160 (xen-4.5.5.tar.gz) = 34132ab04752dc594fbdc1404c95f402b7bbbe39 +SHA512 (xen-4.5.5.tar.gz) = 7e8d7e0248daa91389db0250c5f214dc1ab46c058d556a4326c801933ead05cc450cb9510108586418de029b81a80fd9f272ec1749d288a8250e69599aa2d769 +Size (xen-4.5.5.tar.gz) = 18426889 bytes SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762 SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005 @@ -20,10 +20,7 @@ SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736 SHA1 (patch-.._docs_misc_xl-disk-configuration.txt) = 5b59cfc2569d1a4c10d6c0fcb98ed35278723b79 SHA1 (patch-Makefile) = eb5d3211b26c5f10a24fcca658c83d5f60990d9f SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50 -SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2 -SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca -SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3 -SHA1 (patch-XSA-184) = 08103cae34512c1a3b9eb3e5cfdf8a15a302e419 +SHA1 (patch-XSA-184) = b9089f29b67d1756e2c4919df30041282cebdfed SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f diff --git a/sysutils/xentools45/patches/patch-XSA-178 b/sysutils/xentools45/patches/patch-XSA-178 deleted file mode 100644 index daf9fc6907b..00000000000 --- a/sysutils/xentools45/patches/patch-XSA-178 +++ /dev/null @@ -1,1332 +0,0 @@ -$NetBSD: patch-XSA-178,v 1.1 2016/08/06 12:41:36 spz Exp $ - -patch for XSA-178 from the xenbits.xen.org git (stable-45 branch) -by updating the affected files to the versions in git from today -(20160806). - -Thus also included are: -"libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename" -"libxl: Cleanup: Have libxl__alloc_vdev use /libxl" -"libxl: Cleanup: use libxl__backendpath_parse_domid in libxl__device_disk_from_xs_be" -"libxl: keep PoD target adjustment by memory fudge after reload_domain_config()" - -which are fixes of errors introduced by XSA-178, XSA-175 and XSA-180 patches. - -This patch can be dropped when updating to 4.5.4 - ---- libxl/libxl.c.orig 2016-03-23 13:57:27.000000000 +0000 -+++ libxl/libxl.c -@@ -21,10 +21,10 @@ - #define PAGE_TO_MEMKB(pages) ((pages) * 4) - #define BACKEND_STRING_SIZE 5 - --/* Utility to read backend xenstore keys */ --#define READ_BACKEND(tgc, subpath) ({ \ -+/* Utility to read /libxl xenstore keys, from libxl_path */ -+#define READ_LIBXLDEV(tgc, subpath) ({ \ - rc = libxl__xs_read_checked(tgc, XBT_NULL, \ -- GCSPRINTF("%s/" subpath, be_path), \ -+ GCSPRINTF("%s/" subpath, libxl_path), \ - &tmp); \ - if (rc) goto out; \ - (char*)tmp; \ -@@ -1323,9 +1323,10 @@ static void disk_eject_xswatch_callback( - const char *wpath, const char *epath) { - EGC_GC; - libxl_evgen_disk_eject *evg = (void*)w; -- char *backend; -+ const char *backend; - char *value; - char backend_type[BACKEND_STRING_SIZE+1]; -+ int rc; - - value = libxl__xs_read(gc, XBT_NULL, wpath); - -@@ -1341,9 +1342,16 @@ static void disk_eject_xswatch_callback( - libxl_event *ev = NEW_EVENT(egc, DISK_EJECT, evg->domid, evg->user); - libxl_device_disk *disk = &ev->u.disk_eject.disk; - -- backend = libxl__xs_read(gc, XBT_NULL, -- libxl__sprintf(gc, "%.*s/backend", -- (int)strlen(wpath)-6, wpath)); -+ rc = libxl__xs_read_checked(gc, XBT_NULL, evg->be_ptr_path, &backend); -+ if (rc) { -+ LIBXL__EVENT_DISASTER(egc, "xs_read failed reading be_ptr_path", -+ errno, LIBXL_EVENT_TYPE_DISK_EJECT); -+ return; -+ } -+ if (!backend) { -+ /* device has been removed, not simply ejected */ -+ return; -+ } - - sscanf(backend, - "/local/domain/%d/backend/%" TOSTRING(BACKEND_STRING_SIZE) -@@ -1360,8 +1368,7 @@ static void disk_eject_xswatch_callback( - disk->pdev_path = strdup(""); /* xxx fixme malloc failure */ - disk->format = LIBXL_DISK_FORMAT_EMPTY; - /* this value is returned to the user: do not free right away */ -- disk->vdev = xs_read(CTX->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/dev", backend), NULL); -+ disk->vdev = libxl__strdup(NOGC, evg->vdev); - disk->removable = 1; - disk->readwrite = 0; - disk->is_cdrom = 1; -@@ -1384,19 +1391,30 @@ int libxl_evenable_disk_eject(libxl_ctx - evg->domid = guest_domid; - LIBXL_LIST_INSERT_HEAD(&CTX->disk_eject_evgens, evg, entry); - -- evg->vdev = strdup(vdev); -- if (!evg->vdev) { rc = ERROR_NOMEM; goto out; } -- - uint32_t domid = libxl_get_stubdom_id(ctx, guest_domid); - - if (!domid) - domid = guest_domid; - -- path = libxl__sprintf(gc, "%s/device/vbd/%d/eject", -+ int devid = libxl__device_disk_dev_number(vdev, NULL, NULL); -+ -+ path = GCSPRINTF("%s/device/vbd/%d/eject", - libxl__xs_get_dompath(gc, domid), -- libxl__device_disk_dev_number(vdev, NULL, NULL)); -+ devid); - if (!path) { rc = ERROR_NOMEM; goto out; } - -+ const char *libxl_path = GCSPRINTF("%s/device/vbd/%d", -+ libxl__xs_libxl_path(gc, domid), -+ devid); -+ evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path); -+ -+ const char *configured_vdev; -+ rc = libxl__xs_read_checked(gc, XBT_NULL, -+ GCSPRINTF("%s/dev", libxl_path), &configured_vdev); -+ if (rc) goto out; -+ -+ evg->vdev = libxl__strdup(NOGC, configured_vdev); -+ - rc = libxl__ev_xswatch_register(gc, &evg->watch, - disk_eject_xswatch_callback, path); - if (rc) goto out; -@@ -1423,6 +1441,7 @@ void libxl__evdisable_disk_eject(libxl__ - libxl__ev_xswatch_deregister(gc, &evg->watch); - - free(evg->vdev); -+ free(evg->be_ptr_path); - free(evg); - - CTX_UNLOCK; -@@ -1985,15 +2004,16 @@ out: - /* common function to get next device id */ - static int libxl__device_nextid(libxl__gc *gc, uint32_t domid, char *device) - { -- char *dompath, **l; -+ char *libxl_dom_path, **l; - unsigned int nb; - int nextid = -1; - -- if (!(dompath = libxl__xs_get_dompath(gc, domid))) -+ if (!(libxl_dom_path = libxl__xs_libxl_path(gc, domid))) - return nextid; - - l = libxl__xs_directory(gc, XBT_NULL, -- GCSPRINTF("%s/device/%s", dompath, device), &nb); -+ GCSPRINTF("%s/device/%s", libxl_dom_path, device), -+ &nb); - if (l == NULL || nb == 0) - nextid = 0; - else -@@ -2156,14 +2176,15 @@ libxl_device_vtpm *libxl_device_vtpm_lis - GC_INIT(ctx); - - libxl_device_vtpm* vtpms = NULL; -- char* fe_path = NULL; -+ char *libxl_path; - char** dir = NULL; - unsigned int ndirs = 0; -+ int rc; - - *num = 0; - -- fe_path = libxl__sprintf(gc, "%s/device/vtpm", libxl__xs_get_dompath(gc, domid)); -- dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &ndirs); -+ libxl_path = GCSPRINTF("%s/device/vtpm", libxl__xs_libxl_path(gc, domid)); -+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_path, &ndirs); - if (dir && ndirs) { - vtpms = malloc(sizeof(*vtpms) * ndirs); - libxl_device_vtpm* vtpm; -@@ -2172,18 +2193,17 @@ libxl_device_vtpm *libxl_device_vtpm_lis - char* tmp; - const char* be_path = libxl__xs_read(gc, XBT_NULL, - GCSPRINTF("%s/%s/backend", -- fe_path, *dir)); -+ libxl_path, *dir)); - - libxl_device_vtpm_init(vtpm); - - vtpm->devid = atoi(*dir); - -- tmp = libxl__xs_read(gc, XBT_NULL, -- GCSPRINTF("%s/%s/backend-id", -- fe_path, *dir)); -- vtpm->backend_domid = atoi(tmp); -+ rc = libxl__backendpath_parse_domid(gc, be_path, -+ &vtpm->backend_domid); -+ if (rc) return NULL; - -- tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path)); -+ tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", libxl_path)); - if (tmp) { - if(libxl_uuid_from_string(&(vtpm->uuid), tmp)) { - LOG(ERROR, "%s/uuid is a malformed uuid?? (%s) Probably a bug!!\n", be_path, tmp); -@@ -2205,7 +2225,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx - libxl_vtpminfo *vtpminfo) - { - GC_INIT(ctx); -- char *dompath, *vtpmpath; -+ char *libxl_path, *dompath, *vtpmpath; - char *val; - int rc = 0; - -@@ -2214,18 +2234,17 @@ int libxl_device_vtpm_getinfo(libxl_ctx - vtpminfo->devid = vtpm->devid; - - vtpmpath = GCSPRINTF("%s/device/vtpm/%d", dompath, vtpminfo->devid); -+ libxl_path = GCSPRINTF("%s/device/vtpm/%d", -+ libxl__xs_libxl_path(gc, domid), vtpminfo->devid); - vtpminfo->backend = xs_read(ctx->xsh, XBT_NULL, -- GCSPRINTF("%s/backend", vtpmpath), NULL); -+ GCSPRINTF("%s/backend", libxl_path), NULL); - if (!vtpminfo->backend) { - goto err; - } -- if(!libxl__xs_read(gc, XBT_NULL, vtpminfo->backend)) { -- goto err; -- } - -- val = libxl__xs_read(gc, XBT_NULL, -- GCSPRINTF("%s/backend-id", vtpmpath)); -- vtpminfo->backend_id = val ? strtoul(val, NULL, 10) : -1; -+ rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend, -+ &vtpminfo->backend_id); -+ if (rc) goto exit; - - val = libxl__xs_read(gc, XBT_NULL, - GCSPRINTF("%s/state", vtpmpath)); -@@ -2240,14 +2259,11 @@ int libxl_device_vtpm_getinfo(libxl_ctx - vtpminfo->rref = val ? strtoul(val, NULL, 10) : -1; - - vtpminfo->frontend = xs_read(ctx->xsh, XBT_NULL, -- GCSPRINTF("%s/frontend", vtpminfo->backend), NULL); -+ GCSPRINTF("%s/frontend", libxl_path), NULL); -+ vtpminfo->frontend_id = domid; - - val = libxl__xs_read(gc, XBT_NULL, -- GCSPRINTF("%s/frontend-id", vtpminfo->backend)); -- vtpminfo->frontend_id = val ? strtoul(val, NULL, 10) : -1; -- -- val = libxl__xs_read(gc, XBT_NULL, -- GCSPRINTF("%s/uuid", vtpminfo->backend)); -+ GCSPRINTF("%s/uuid", libxl_path)); - if(val == NULL) { - LOG(ERROR, "%s/uuid does not exist!\n", vtpminfo->backend); - goto err; -@@ -2601,8 +2617,8 @@ void libxl__device_disk_add(libxl__egc * - device_disk_add(egc, domid, disk, aodev, NULL, NULL); - } - --static int libxl__device_disk_from_xs_be(libxl__gc *gc, -- const char *be_path, -+static int libxl__device_disk_from_xenstore(libxl__gc *gc, -+ const char *libxl_path, - libxl_device_disk *disk) - { - libxl_ctx *ctx = libxl__gc_owner(gc); -@@ -2612,15 +2628,27 @@ static int libxl__device_disk_from_xs_be - - libxl_device_disk_init(disk); - -- rc = sscanf(be_path, "/local/domain/%d/", &disk->backend_domid); -- if (rc != 1) { -- LOG(ERROR, "Unable to fetch device backend domid from %s", be_path); -- goto cleanup; -+ const char *backend_path; -+ rc = libxl__xs_read_checked(gc, XBT_NULL, -+ GCSPRINTF("%s/backend", libxl_path), -+ &backend_path); -+ if (rc) goto out; -+ -+ if (!backend_path) { -+ LOG(ERROR, "disk %s does not exist (no backend path", libxl_path); -+ rc = ERROR_FAIL; -+ goto out; -+ } -+ -+ rc = libxl__backendpath_parse_domid(gc, backend_path, &disk->backend_domid); -+ if (rc) { -+ LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path); -+ goto out; - } - - /* "params" may not be present; but everything else must be. */ - tmp = xs_read(ctx->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/params", be_path), &len); -+ libxl__sprintf(gc, "%s/params", libxl_path), &len); - if (tmp && strchr(tmp, ':')) { - disk->pdev_path = strdup(strchr(tmp, ':') + 1); - free(tmp); -@@ -2630,31 +2658,31 @@ static int libxl__device_disk_from_xs_be - - - tmp = libxl__xs_read(gc, XBT_NULL, -- libxl__sprintf(gc, "%s/type", be_path)); -+ libxl__sprintf(gc, "%s/type", libxl_path)); - if (!tmp) { -- LOG(ERROR, "Missing xenstore node %s/type", be_path); -+ LOG(ERROR, "Missing xenstore node %s/type", libxl_path); - goto cleanup; - } - libxl_string_to_backend(ctx, tmp, &(disk->backend)); - - disk->vdev = xs_read(ctx->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/dev", be_path), &len); -+ libxl__sprintf(gc, "%s/dev", libxl_path), &len); - if (!disk->vdev) { -- LOG(ERROR, "Missing xenstore node %s/dev", be_path); -+ LOG(ERROR, "Missing xenstore node %s/dev", libxl_path); - goto cleanup; - } - - tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf -- (gc, "%s/removable", be_path)); -+ (gc, "%s/removable", libxl_path)); - if (!tmp) { -- LOG(ERROR, "Missing xenstore node %s/removable", be_path); -+ LOG(ERROR, "Missing xenstore node %s/removable", libxl_path); - goto cleanup; - } - disk->removable = atoi(tmp); - -- tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", be_path)); -+ tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", libxl_path)); - if (!tmp) { -- LOG(ERROR, "Missing xenstore node %s/mode", be_path); -+ LOG(ERROR, "Missing xenstore node %s/mode", libxl_path); - goto cleanup; - } - if (!strcmp(tmp, "w")) -@@ -2663,9 +2691,9 @@ static int libxl__device_disk_from_xs_be - disk->readwrite = 0; - - tmp = libxl__xs_read(gc, XBT_NULL, -- libxl__sprintf(gc, "%s/device-type", be_path)); -+ libxl__sprintf(gc, "%s/device-type", libxl_path)); - if (!tmp) { -- LOG(ERROR, "Missing xenstore node %s/device-type", be_path); -+ LOG(ERROR, "Missing xenstore node %s/device-type", libxl_path); - goto cleanup; - } - disk->is_cdrom = !strcmp(tmp, "cdrom"); -@@ -2674,15 +2702,17 @@ static int libxl__device_disk_from_xs_be - - return 0; - cleanup: -+ rc = ERROR_FAIL; -+ out: - libxl_device_disk_dispose(disk); -- return ERROR_FAIL; -+ return rc; - } - - int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid, - const char *vdev, libxl_device_disk *disk) - { - GC_INIT(ctx); -- char *dompath, *path; -+ char *dom_xl_path, *libxl_path; - int devid = libxl__device_disk_dev_number(vdev, NULL, NULL); - int rc = ERROR_FAIL; - -@@ -2691,39 +2721,34 @@ int libxl_vdev_to_device_disk(libxl_ctx - - libxl_device_disk_init(disk); - -- dompath = libxl__xs_get_dompath(gc, domid); -- if (!dompath) { -+ dom_xl_path = libxl__xs_libxl_path(gc, domid); -+ if (!dom_xl_path) { - goto out; - } -- path = libxl__xs_read(gc, XBT_NULL, -- libxl__sprintf(gc, "%s/device/vbd/%d/backend", -- dompath, devid)); -- if (!path) -- goto out; -+ libxl_path = GCSPRINTF("%s/device/vbd/%d", dom_xl_path, devid); - -- rc = libxl__device_disk_from_xs_be(gc, path, disk); -+ rc = libxl__device_disk_from_xenstore(gc, libxl_path, disk); - out: - GC_FREE; - return rc; - } - - --static int libxl__append_disk_list_of_type(libxl__gc *gc, -+static int libxl__append_disk_list(libxl__gc *gc, - uint32_t domid, -- const char *type, - libxl_device_disk **disks, - int *ndisks) - { -- char *be_path = NULL; -+ char *libxl_dir_path = NULL; - char **dir = NULL; - unsigned int n = 0; - libxl_device_disk *pdisk = NULL, *pdisk_end = NULL; - int rc=0; - int initial_disks = *ndisks; - -- be_path = libxl__sprintf(gc, "%s/backend/%s/%d", -- libxl__xs_get_dompath(gc, 0), type, domid); -- dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n); -+ libxl_dir_path = GCSPRINTF("%s/device/vbd", -+ libxl__xs_libxl_path(gc, domid)); -+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n); - if (dir && n) { - libxl_device_disk *tmp; - tmp = realloc(*disks, sizeof (libxl_device_disk) * (*ndisks + n)); -@@ -2734,10 +2759,9 @@ static int libxl__append_disk_list_of_ty - pdisk_end = *disks + initial_disks + n; - for (; pdisk < pdisk_end; pdisk++, dir++) { - const char *p; -- p = libxl__sprintf(gc, "%s/%s", be_path, *dir); -- if ((rc=libxl__device_disk_from_xs_be(gc, p, pdisk))) -+ p = libxl__sprintf(gc, "%s/%s", libxl_dir_path, *dir); -+ if ((rc=libxl__device_disk_from_xenstore(gc, p, pdisk))) - goto out; -- pdisk->backend_domid = 0; - *ndisks += 1; - } - } -@@ -2753,13 +2777,7 @@ libxl_device_disk *libxl_device_disk_lis - - *num = 0; - -- rc = libxl__append_disk_list_of_type(gc, domid, "vbd", &disks, num); -- if (rc) goto out_err; -- -- rc = libxl__append_disk_list_of_type(gc, domid, "tap", &disks, num); -- if (rc) goto out_err; -- -- rc = libxl__append_disk_list_of_type(gc, domid, "qdisk", &disks, num); -+ rc = libxl__append_disk_list(gc, domid, &disks, num); - if (rc) goto out_err; - - GC_FREE; -@@ -2779,35 +2797,45 @@ int libxl_device_disk_getinfo(libxl_ctx - libxl_device_disk *disk, libxl_diskinfo *diskinfo) - { - GC_INIT(ctx); -- char *dompath, *diskpath; -+ char *dompath, *fe_path, *libxl_path; - char *val; -+ int rc; -+ -+ diskinfo->backend = NULL; - - dompath = libxl__xs_get_dompath(gc, domid); - diskinfo->devid = libxl__device_disk_dev_number(disk->vdev, NULL, NULL); - - /* tap devices entries in xenstore are written as vbd devices. */ -- diskpath = libxl__sprintf(gc, "%s/device/vbd/%d", dompath, diskinfo->devid); -+ fe_path = GCSPRINTF("%s/device/vbd/%d", dompath, diskinfo->devid); -+ libxl_path = GCSPRINTF("%s/device/vbd/%d", -+ libxl__xs_libxl_path(gc, domid), diskinfo->devid); - diskinfo->backend = xs_read(ctx->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/backend", diskpath), NULL); -+ GCSPRINTF("%s/backend", libxl_path), NULL); - if (!diskinfo->backend) { - GC_FREE; - return ERROR_FAIL; - } -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", diskpath)); -- diskinfo->backend_id = val ? strtoul(val, NULL, 10) : -1; -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", diskpath)); -+ rc = libxl__backendpath_parse_domid(gc, diskinfo->backend, -+ &diskinfo->backend_id); -+ if (rc) goto out; -+ -+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path)); - diskinfo->state = val ? strtoul(val, NULL, 10) : -1; -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", diskpath)); -+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/event-channel", fe_path)); - diskinfo->evtch = val ? strtoul(val, NULL, 10) : -1; -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/ring-ref", diskpath)); -+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path)); - diskinfo->rref = val ? strtoul(val, NULL, 10) : -1; - diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL); -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", diskinfo->backend)); -- diskinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1; -+ GCSPRINTF("%s/frontend", libxl_path), NULL); -+ diskinfo->frontend_id = domid; - - GC_FREE; - return 0; -+ -+ out: -+ free(diskinfo->backend); -+ return rc; - } - - int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk, -@@ -2819,7 +2847,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u - libxl_domain_config d_config; - int rc, dm_ver; - libxl__device device; -- const char * path; -+ const char *be_path, *libxl_path; - char * tmp; - libxl__domain_userdata_lock *lock = NULL; - xs_transaction_t t = XBT_NULL; -@@ -2886,7 +2914,8 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u - rc = libxl__device_from_disk(gc, domid, disk, &device); - if (rc) goto out; - -- path = libxl__device_backend_path(gc, &device); -+ be_path = libxl__device_backend_path(gc, &device); -+ libxl_path = libxl__device_libxl_path(gc, &device); - - insert = flexarray_make(gc, 4, 1); - -@@ -2925,18 +2954,22 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u - for (;;) { - rc = libxl__xs_transaction_start(gc, &t); - if (rc) goto out; -- /* Sanity check: make sure the backend exists before writing here */ -- tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path)); -+ /* Sanity check: make sure the device exists before writing here */ -+ tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path)); - if (!tmp) - { - LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist", -- libxl__sprintf(gc, "%s/frontend", path)); -+ libxl__sprintf(gc, "%s/frontend", libxl_path)); - rc = ERROR_FAIL; - goto out; - } - -- rc = libxl__xs_writev(gc, t, path, -- libxl__xs_kvs_of_flexarray(gc, empty, empty->count)); -+ char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count); -+ -+ rc = libxl__xs_writev(gc, t, be_path, kvs); -+ if (rc) goto out; -+ -+ rc = libxl__xs_writev(gc, t, libxl_path, kvs); - if (rc) goto out; - - rc = libxl__xs_transaction_commit(gc, &t); -@@ -2957,12 +2990,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u - for (;;) { - rc = libxl__xs_transaction_start(gc, &t); - if (rc) goto out; -- /* Sanity check: make sure the backend exists before writing here */ -- tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path)); -+ /* Sanity check: make sure the device exists before writing here */ -+ tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path)); - if (!tmp) - { - LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist", -- libxl__sprintf(gc, "%s/frontend", path)); -+ libxl__sprintf(gc, "%s/frontend", libxl_path)); - rc = ERROR_FAIL; - goto out; - } -@@ -2970,8 +3003,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u - rc = libxl__set_domain_configuration(gc, domid, &d_config); - if (rc) goto out; - -- rc = libxl__xs_writev(gc, t, path, -- libxl__xs_kvs_of_flexarray(gc, insert, insert->count)); -+ char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count); -+ -+ rc = libxl__xs_writev(gc, t, be_path, kvs); -+ if (rc) goto out; -+ -+ rc = libxl__xs_writev(gc, t, libxl_path, kvs); - if (rc) goto out; - - rc = libxl__xs_transaction_commit(gc, &t); -@@ -3006,7 +3043,7 @@ static char * libxl__alloc_vdev(libxl__g - { - const char *blkdev_start = (const char *) get_vdev_user; - int devid = 0, disk = 0, part = 0; -- char *dompath = libxl__xs_get_dompath(gc, LIBXL_TOOLSTACK_DOMID); -+ char *libxl_dom_path = libxl__xs_libxl_path(gc, LIBXL_TOOLSTACK_DOMID); - - libxl__device_disk_dev_number(blkdev_start, &disk, &part); - if (part != 0) { -@@ -3021,7 +3058,7 @@ static char * libxl__alloc_vdev(libxl__g - return NULL; - if (libxl__xs_read(gc, t, - libxl__sprintf(gc, "%s/device/vbd/%d/backend", -- dompath, devid)) == NULL) { -+ libxl_dom_path, devid)) == NULL) { - if (errno == ENOENT) - return libxl__devid_to_localdev(gc, devid); - else -@@ -3461,8 +3498,8 @@ out: - return; - } - --static int libxl__device_nic_from_xs_be(libxl__gc *gc, -- const char *be_path, -+static int libxl__device_nic_from_xenstore(libxl__gc *gc, -+ const char *libxl_path, - libxl_device_nic *nic) - { - const char *tmp; -@@ -3470,7 +3507,7 @@ static int libxl__device_nic_from_xs_be( - - libxl_device_nic_init(nic); - -- tmp = READ_BACKEND(gc, "handle"); -+ tmp = READ_LIBXLDEV(gc, "handle"); - if (tmp) - nic->devid = atoi(tmp); - else -@@ -3478,7 +3515,7 @@ static int libxl__device_nic_from_xs_be( - - /* nic->mtu = */ - -- tmp = READ_BACKEND(gc, "mac"); -+ tmp = READ_LIBXLDEV(gc, "mac"); - if (tmp) { - rc = libxl__parse_mac(tmp, nic->mac); - if (rc) goto out; -@@ -3486,12 +3523,12 @@ static int libxl__device_nic_from_xs_be( - memset(nic->mac, 0, sizeof(nic->mac)); - } - -- nic->ip = READ_BACKEND(NOGC, "ip"); -- nic->bridge = READ_BACKEND(NOGC, "bridge"); -- nic->script = READ_BACKEND(NOGC, "script"); -+ nic->ip = READ_LIBXLDEV(NOGC, "ip"); -+ nic->bridge = READ_LIBXLDEV(NOGC, "bridge"); -+ nic->script = READ_LIBXLDEV(NOGC, "script"); - - /* vif_ioemu nics use the same xenstore entries as vif interfaces */ -- tmp = READ_BACKEND(gc, "type"); -+ tmp = READ_LIBXLDEV(gc, "type"); - if (tmp) { - rc = libxl_nic_type_from_string(tmp, &nic->nictype); - if (rc) goto out; -@@ -3510,21 +3547,17 @@ int libxl_devid_to_device_nic(libxl_ctx - int devid, libxl_device_nic *nic) - { - GC_INIT(ctx); -- char *dompath, *path; -+ char *libxl_dom_path, *libxl_path; - int rc = ERROR_FAIL; - - libxl_device_nic_init(nic); -- dompath = libxl__xs_get_dompath(gc, domid); -- if (!dompath) -+ libxl_dom_path = libxl__xs_libxl_path(gc, domid); -+ if (!libxl_dom_path) - goto out; - -- path = libxl__xs_read(gc, XBT_NULL, -- libxl__sprintf(gc, "%s/device/vif/%d/backend", -- dompath, devid)); -- if (!path) -- goto out; -+ libxl_path = GCSPRINTF("%s/device/vif/%d", libxl_dom_path, devid); - -- rc = libxl__device_nic_from_xs_be(gc, path, nic); -+ rc = libxl__device_nic_from_xenstore(gc, libxl_path, nic); - if (rc) goto out; - - rc = 0; -@@ -3533,21 +3566,20 @@ out: - return rc; - } - --static int libxl__append_nic_list_of_type(libxl__gc *gc, -+static int libxl__append_nic_list(libxl__gc *gc, - uint32_t domid, -- const char *type, - libxl_device_nic **nics, - int *nnics) - { -- char *be_path = NULL; -+ char *libxl_dir_path = NULL; - char **dir = NULL; - unsigned int n = 0; - libxl_device_nic *pnic = NULL, *pnic_end = NULL; - int rc; - -- be_path = libxl__sprintf(gc, "%s/backend/%s/%d", -- libxl__xs_get_dompath(gc, 0), type, domid); -- dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n); -+ libxl_dir_path = GCSPRINTF("%s/device/vif", -+ libxl__xs_libxl_path(gc, domid)); -+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n); - if (dir && n) { - libxl_device_nic *tmp; - tmp = realloc(*nics, sizeof (libxl_device_nic) * (*nnics + n)); -@@ -3558,10 +3590,9 @@ static int libxl__append_nic_list_of_typ - pnic_end = *nics + *nnics + n; - for (; pnic < pnic_end; pnic++, dir++) { - const char *p; -- p = libxl__sprintf(gc, "%s/%s", be_path, *dir); -- rc = libxl__device_nic_from_xs_be(gc, p, pnic); -+ p = GCSPRINTF("%s/%s", libxl_dir_path, *dir); -+ rc = libxl__device_nic_from_xenstore(gc, p, pnic); - if (rc) goto out; -- pnic->backend_domid = 0; - } - *nnics += n; - } -@@ -3579,7 +3610,7 @@ libxl_device_nic *libxl_device_nic_list( - - *num = 0; - -- rc = libxl__append_nic_list_of_type(gc, domid, "vif", &nics, num); -+ rc = libxl__append_nic_list(gc, domid, &nics, num); - if (rc) goto out_err; - - GC_FREE; -@@ -3599,22 +3630,27 @@ int libxl_device_nic_getinfo(libxl_ctx * - libxl_device_nic *nic, libxl_nicinfo *nicinfo) - { - GC_INIT(ctx); -- char *dompath, *nicpath; -+ char *dompath, *nicpath, *libxl_path; - char *val; -+ int rc; - - dompath = libxl__xs_get_dompath(gc, domid); - nicinfo->devid = nic->devid; - -- nicpath = libxl__sprintf(gc, "%s/device/vif/%d", dompath, nicinfo->devid); -+ nicpath = GCSPRINTF("%s/device/vif/%d", dompath, nicinfo->devid); -+ libxl_path = GCSPRINTF("%s/device/vif/%d", -+ libxl__xs_libxl_path(gc, domid), nicinfo->devid); - nicinfo->backend = xs_read(ctx->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/backend", nicpath), NULL); -+ GCSPRINTF("%s/backend", libxl_path), NULL); - if (!nicinfo->backend) { - GC_FREE; - return ERROR_FAIL; - } -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", nicpath)); -- nicinfo->backend_id = val ? strtoul(val, NULL, 10) : -1; -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", nicpath)); -+ rc = libxl__backendpath_parse_domid(gc, nicinfo->backend, -+ &nicinfo->backend_id); -+ if (rc) goto out; -+ -+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", nicpath)); - nicinfo->state = val ? strtoul(val, NULL, 10) : -1; - val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", nicpath)); - nicinfo->evtch = val ? strtoul(val, NULL, 10) : -1; -@@ -3622,13 +3658,13 @@ int libxl_device_nic_getinfo(libxl_ctx * - nicinfo->rref_tx = val ? strtoul(val, NULL, 10) : -1; - val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/rx-ring-ref", nicpath)); - nicinfo->rref_rx = val ? strtoul(val, NULL, 10) : -1; -- nicinfo->frontend = xs_read(ctx->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/frontend", nicinfo->backend), NULL); -- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend)); -- nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1; -+ nicinfo->frontend = libxl__strdup(NOGC, nicpath); -+ nicinfo->frontend_id = domid; - -+ rc = 0; -+ out: - GC_FREE; -- return 0; -+ return rc; - } - - const char *libxl__device_nic_devname(libxl__gc *gc, -@@ -3689,6 +3725,8 @@ int libxl__device_console_add(libxl__gc - if (console->name) { - flexarray_append(ro_front, "name"); - flexarray_append(ro_front, console->name); -+ flexarray_append(back, "name"); -+ flexarray_append(back, console->name); - } - if (console->connection) { - flexarray_append(back, "connection"); -@@ -3800,8 +3838,8 @@ int libxl__init_console_from_channel(lib - return 0; - } - --static int libxl__device_channel_from_xs_be(libxl__gc *gc, -- const char *be_path, -+static int libxl__device_channel_from_xenstore(libxl__gc *gc, -+ const char *libxl_path, - libxl_device_channel *channel) - { - const char *tmp; -@@ -3809,14 +3847,14 @@ static int libxl__device_channel_from_xs - - libxl_device_channel_init(channel); - -- /* READ_BACKEND is from libxl__device_nic_from_xs_be above */ -- channel->name = READ_BACKEND(NOGC, "name"); -- tmp = READ_BACKEND(gc, "connection"); -+ /* READ_BACKEND is from libxl__device_nic_from_xenstore above */ -+ channel->name = READ_LIBXLDEV(NOGC, "name"); -+ tmp = READ_LIBXLDEV(gc, "connection"); - if (!strcmp(tmp, "pty")) { - channel->connection = LIBXL_CHANNEL_CONNECTION_PTY; - } else if (!strcmp(tmp, "socket")) { - channel->connection = LIBXL_CHANNEL_CONNECTION_SOCKET; -- channel->u.socket.path = READ_BACKEND(NOGC, "path"); -+ channel->u.socket.path = READ_LIBXLDEV(NOGC, "path"); - } else { - rc = ERROR_INVAL; - goto out; -@@ -3827,34 +3865,32 @@ static int libxl__device_channel_from_xs - return rc; - } - --static int libxl__append_channel_list_of_type(libxl__gc *gc, -+static int libxl__append_channel_list(libxl__gc *gc, - uint32_t domid, -- const char *type, - libxl_device_channel **channels, - int *nchannels) - { -- char *fe_path = NULL, *be_path = NULL; -+ char *libxl_dir_path = NULL; - char **dir = NULL; - unsigned int n = 0, devid = 0; - libxl_device_channel *next = NULL; - int rc = 0, i; - -- fe_path = GCSPRINTF("%s/device/%s", -- libxl__xs_get_dompath(gc, domid), type); -- dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &n); -+ libxl_dir_path = GCSPRINTF("%s/device/console", -+ libxl__xs_libxl_path(gc, domid)); -+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n); - if (!dir || !n) - goto out; - - for (i = 0; i < n; i++) { -- const char *p, *name; -+ const char *libxl_path, *name; - libxl_device_channel *tmp; - -- p = libxl__sprintf(gc, "%s/%s", fe_path, dir[i]); -- name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", p)); -+ libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]); -+ name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", libxl_path)); - /* 'channels' are consoles with names, so ignore all consoles - without names */ - if (!name) continue; -- be_path = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend", p)); - tmp = realloc(*channels, - sizeof(libxl_device_channel) * (*nchannels + devid + 1)); - if (!tmp) { -@@ -3863,7 +3899,7 @@ static int libxl__append_channel_list_of - } - *channels = tmp; - next = *channels + *nchannels + devid; -- rc = libxl__device_channel_from_xs_be(gc, be_path, next); -+ rc = libxl__device_channel_from_xenstore(gc, libxl_path, next); - if (rc) goto out; - next->devid = devid; - devid++; -@@ -3885,7 +3921,7 @@ libxl_device_channel *libxl_device_chann - - *num = 0; - -- rc = libxl__append_channel_list_of_type(gc, domid, "console", &channels, num); -+ rc = libxl__append_channel_list(gc, domid, &channels, num); - if (rc) goto out_err; - - GC_FREE; -@@ -3906,31 +3942,32 @@ int libxl_device_channel_getinfo(libxl_c - libxl_channelinfo *channelinfo) - { - GC_INIT(ctx); -- char *dompath, *fe_path; -+ char *dompath, *fe_path, *libxl_path; - char *val; -+ int rc; - - dompath = libxl__xs_get_dompath(gc, domid); - channelinfo->devid = channel->devid; - -- fe_path = libxl__sprintf(gc, "%s/device/console/%d", dompath, -- channelinfo->devid + 1); -+ fe_path = GCSPRINTF("%s/device/console/%d", dompath, -+ channelinfo->devid + 1); -+ libxl_path = GCSPRINTF("%s/device/console/%d", -+ libxl__xs_libxl_path(gc, domid), -+ channelinfo->devid + 1); - channelinfo->backend = xs_read(ctx->xsh, XBT_NULL, -- libxl__sprintf(gc, "%s/backend", -- fe_path), NULL); -+ GCSPRINTF("%s/backend", libxl_path), NULL); - if (!channelinfo->backend) { - GC_FREE; - return ERROR_FAIL; - } -- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend-id", fe_path)); -- channelinfo->backend_id = val ? strtoul(val, NULL, 10) : -1; -+ rc = libxl__backendpath_parse_domid(gc, channelinfo->backend, -+ &channelinfo->backend_id); -+ if (rc) goto out; -+ - val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path)); - channelinfo->state = val ? strtoul(val, NULL, 10) : -1; -- channelinfo->frontend = xs_read(ctx->xsh, XBT_NULL, -- GCSPRINTF("%s/frontend", -- channelinfo->backend), NULL); -- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/frontend-id", -- channelinfo->backend)); -- channelinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1; -+ channelinfo->frontend = libxl__strdup(NOGC, fe_path); -+ channelinfo->frontend_id = domid; - val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path)); - channelinfo->rref = val ? strtoul(val, NULL, 10) : -1; - val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/port", fe_path)); -@@ -3940,13 +3977,36 @@ int libxl_device_channel_getinfo(libxl_c - switch (channel->connection) { - case LIBXL_CHANNEL_CONNECTION_PTY: - val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/tty", fe_path)); -+ /* -+ * It is obviously very wrong for this value to be in the -+ * frontend. But in XSA-175 we don't want to re-engineer -+ * this because other xenconsole code elsewhere (some -+ * even out of tree, perhaps) expects this node to be -+ * here. -+ * -+ * FE/pty is readonly for the guest. It always exists if -+ * FE does because libxl__device_console_add -+ * unconditionally creates it and nothing deletes it. -+ * -+ * The guest can delete the whole FE (which it has write -+ * privilege on) but the containing directories -+ * /local/GUEST[/device[/console]] are also RO for the -+ * guest. So if the guest deletes FE it cannot recreate -+ * it. -+ * -+ * Therefore the guest cannot cause FE/pty to contain bad -+ * data, although it can cause it to not exist. -+ */ -+ if (!val) val = "/NO-SUCH-PATH"; - channelinfo->u.pty.path = strdup(val); - break; - default: - break; - } -+ rc = 0; -+ out: - GC_FREE; -- return 0; -+ return rc; - } - - /******************************************************************************/ -@@ -6679,12 +6739,12 @@ int libxl_retrieve_domain_configuration( - LOG(ERROR, "fail to get memory target for domain %d", domid); - goto out; - } -- /* Target memory in xenstore is different from what user has -- * asked for. The difference is video_memkb. See -- * libxl_set_memory_target. -+ -+ /* libxl__get_targetmem_fudge() calculates the difference from -+ * what is in xenstore to what we have in the domain build info. - */ - d_config->b_info.target_memkb = target_memkb + -- d_config->b_info.video_memkb; -+ libxl__get_targetmem_fudge(gc, &d_config->b_info); - - d_config->b_info.max_memkb = max_memkb; - } - ---- libxl/libxl_device.c.orig 2016-03-23 13:57:27.000000000 +0000 -+++ libxl/libxl_device.c -@@ -40,12 +40,21 @@ char *libxl__device_backend_path(libxl__ - device->domid, device->devid); - } - -+char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device) -+{ -+ char *libxl_dom_path = libxl__xs_libxl_path(gc, device->domid); -+ -+ return GCSPRINTF("%s/device/%s/%d", libxl_dom_path, -+ libxl__device_kind_to_string(device->kind), -+ device->devid); -+} -+ - /* Returns 1 if device exists, 0 if not, ERROR_* (<0) on error. */ - int libxl__device_exists(libxl__gc *gc, xs_transaction_t t, - libxl__device *device) - { - int rc; -- char *be_path = libxl__device_backend_path(gc, device); -+ char *be_path = libxl__device_libxl_path(gc, device); - const char *dir; - - rc = libxl__xs_read_checked(gc, t, be_path, &dir); -@@ -105,14 +114,16 @@ int libxl__device_generic_add(libxl__gc - libxl__device *device, char **bents, char **fents, char **ro_fents) - { - libxl_ctx *ctx = libxl__gc_owner(gc); -- char *frontend_path, *backend_path; -+ char *frontend_path, *backend_path, *libxl_path; - struct xs_permissions frontend_perms[2]; - struct xs_permissions ro_frontend_perms[2]; - struct xs_permissions backend_perms[2]; - int create_transaction = t == XBT_NULL; -+ int rc; - - frontend_path = libxl__device_frontend_path(gc, device); - backend_path = libxl__device_backend_path(gc, device); -+ libxl_path = libxl__device_libxl_path(gc, device); - - frontend_perms[0].id = device->domid; - frontend_perms[0].perms = XS_PERM_NONE; -@@ -127,8 +138,22 @@ int libxl__device_generic_add(libxl__gc - retry_transaction: - if (create_transaction) - t = xs_transaction_start(ctx->xsh); -+ - /* FIXME: read frontend_path and check state before removing stuff */ - -+ rc = libxl__xs_rm_checked(gc, t, libxl_path); -+ if (rc) goto out; -+ -+ rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/frontend",libxl_path), -+ frontend_path); -+ if (rc) goto out; -+ -+ rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/backend",libxl_path), -+ backend_path); -+ if (rc) goto out; -+ -+ /* xxx much of this function lacks error checks! */ -+ - if (fents || ro_fents) { - xs_rm(ctx->xsh, t, frontend_path); - xs_mkdir(ctx->xsh, t, frontend_path); -@@ -160,6 +185,29 @@ retry_transaction: - xs_write(ctx->xsh, t, GCSPRINTF("%s/frontend", backend_path), - frontend_path, strlen(frontend_path)); - libxl__xs_writev(gc, t, backend_path, bents); -+ -+ /* -+ * We make a copy of everything for the backend in the libxl -+ * path as well. This means we don't need to trust the -+ * backend. Ideally this information would not be used and we -+ * would use the information from the json configuration -+ * instead. But there are still places in libxl that try to -+ * reconstruct a config from xenstore. -+ * -+ * This duplication will typically produces duplicate keys -+ * which will go out of date, but that's OK because nothing -+ * reads those. For example, there is usually -+ * /libxl/$guest/device/$kind/$devid/state -+ * which starts out containing XenbusStateInitialising ("1") -+ * just like the copy in -+ * /local/domain/$driverdom/backend/$guest/$kind/$devid/state -+ * but which won't ever be updated. -+ * -+ * This duplication is superfluous and messy but as discussed -+ * the proper fix is more intrusive than we want to do now. -+ */ -+ rc = libxl__xs_writev(gc, t, libxl_path, bents); -+ if (rc) goto out; - } - - if (!create_transaction) -@@ -174,6 +222,11 @@ retry_transaction: - } - } - return 0; -+ -+ out: -+ if (create_transaction && t) -+ libxl__xs_transaction_abort(gc, &t); -+ return rc; - } - - typedef struct { -@@ -258,6 +311,21 @@ static int disk_try_backend(disk_try_bac - return 0; - } - -+int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path, -+ libxl_domid *domid_out) { -+ int r; -+ unsigned int domid_sc; -+ char delim_sc; -+ -+ r = sscanf(be_path, "/local/domain/%u%c", &domid_sc, &delim_sc); -+ if (!(r==2 && delim_sc=='/')) { -+ LOG(ERROR, "internal error: backend path %s unparseable!", be_path); -+ return ERROR_FAIL; -+ } -+ *domid_out = domid_sc; -+ return 0; -+} -+ - int libxl__device_disk_set_backend(libxl__gc *gc, libxl_device_disk *disk) { - libxl_disk_backend ok; - disk_try_backend_args a; -@@ -570,6 +638,7 @@ int libxl__device_destroy(libxl__gc *gc, - { - const char *be_path = libxl__device_backend_path(gc, dev); - const char *fe_path = libxl__device_frontend_path(gc, dev); -+ const char *libxl_path = libxl__device_libxl_path(gc, dev); - const char *tapdisk_path = GCSPRINTF("%s/%s", be_path, "tapdisk-params"); - const char *tapdisk_params; - xs_transaction_t t = 0; -@@ -594,6 +663,7 @@ int libxl__device_destroy(libxl__gc *gc, - */ - libxl__xs_path_cleanup(gc, t, fe_path); - libxl__xs_path_cleanup(gc, t, be_path); -+ libxl__xs_path_cleanup(gc, t, libxl_path); - } else if (dev->backend_domid == domid) { - /* - * The driver domain is in charge for removing what it can -@@ -636,7 +706,7 @@ void libxl__devices_destroy(libxl__egc * - libxl__multidev_begin(ao, multidev); - multidev->callback = devices_remove_callback; - -- path = GCSPRINTF("/local/domain/%d/device", domid); -+ path = GCSPRINTF("/libxl/%d/device", domid); - kinds = libxl__xs_directory(gc, XBT_NULL, path, &num_kinds); - if (!kinds) { - if (errno != ENOENT) { -@@ -649,12 +719,12 @@ void libxl__devices_destroy(libxl__egc * - if (libxl__device_kind_from_string(kinds[i], &kind)) - continue; - -- path = GCSPRINTF("/local/domain/%d/device/%s", domid, kinds[i]); -+ path = GCSPRINTF("/libxl/%d/device/%s", domid, kinds[i]); - devs = libxl__xs_directory(gc, XBT_NULL, path, &num_dev_xsentries); - if (!devs) - continue; - for (j = 0; j < num_dev_xsentries; j++) { -- path = GCSPRINTF("/local/domain/%d/device/%s/%s/backend", -+ path = GCSPRINTF("/libxl/%d/device/%s/%s/backend", - domid, kinds[i], devs[j]); - path = libxl__xs_read(gc, XBT_NULL, path); - GCNEW(dev); -@@ -679,22 +749,6 @@ void libxl__devices_destroy(libxl__egc * - } - } - -- /* console 0 frontend directory is not under /local/domain/<domid>/device */ -- path = GCSPRINTF("/local/domain/%d/console/backend", domid); -- path = libxl__xs_read(gc, XBT_NULL, path); -- GCNEW(dev); -- if (path && strcmp(path, "") && -- libxl__parse_backend_path(gc, path, dev) == 0) { -- dev->domid = domid; -- dev->kind = LIBXL__DEVICE_KIND_CONSOLE; -- dev->devid = 0; -- -- /* Currently console devices can be destroyed synchronously by just -- * removing xenstore entries, this is what libxl__device_destroy does. -- */ -- libxl__device_destroy(gc, dev); -- } -- - out: - libxl__multidev_prepared(egc, multidev, rc); - } - ---- libxl/libxl_dm.c.orig 2016-03-23 13:57:27.000000000 +0000 -+++ libxl/libxl_dm.c -@@ -92,6 +92,20 @@ const char *libxl__domain_device_model(l - return dm; - } - -+/* XSA-180 / CVE-2014-3672 -+ * -+ * The QEMU shipped with Xen has a bodge. It checks for -+ * XEN_QEMU_CONSOLE_LIMIT to see how much data QEMU is allowed -+ * to write to stderr. We set that to 1MB if it is not set by -+ * system administrator. -+ */ -+static void libxl__set_qemu_env_for_xsa_180(libxl__gc *gc, -+ flexarray_t *dm_envs) -+{ -+ if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return; -+ flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576"); -+} -+ - const libxl_vnc_info *libxl__dm_vnc(const libxl_domain_config *guest_config) - { - const libxl_vnc_info *vnc = NULL; -@@ -1345,7 +1359,8 @@ void libxl__spawn_local_dm(libxl__egc *e - char *path; - int logfile_w, null; - int rc; -- char **args, **arg; -+ flexarray_t *dm_envs; -+ char **args, *const *envs, **arg; - xs_transaction_t t; - char *vm_path; - char **pass_stuff; -@@ -1374,6 +1389,10 @@ void libxl__spawn_local_dm(libxl__egc *e - goto out; - } - -+ dm_envs = flexarray_make(gc, 16, 1); -+ libxl__set_qemu_env_for_xsa_180(gc, dm_envs); -+ envs = (char**) flexarray_contents(dm_envs); -+ - if (b_info->type == LIBXL_DOMAIN_TYPE_HVM) { - path = xs_get_domain_path(ctx->xsh, domid); - libxl__xs_write(gc, XBT_NULL, -@@ -1452,7 +1471,7 @@ retry_transaction: - goto out_close; - if (!rc) { /* inner child */ - setsid(); -- libxl__exec(gc, null, logfile_w, logfile_w, dm, args, NULL); -+ libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs); - } - - rc = 0; -@@ -1524,8 +1543,8 @@ static void device_model_spawn_outcome(l - void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) - { - STATE_AO_GC(dmss->spawn.ao); -- flexarray_t *dm_args; -- char **args; -+ flexarray_t *dm_args, *dm_envs; -+ char **args, **envs; - const char *dm; - int logfile_w, null, rc; - uint32_t domid = dmss->guest_domid; -@@ -1534,6 +1553,8 @@ void libxl__spawn_qdisk_backend(libxl__e - dm = qemu_xen_path(gc); - - dm_args = flexarray_make(gc, 15, 1); -+ dm_envs = flexarray_make(gc, 1, 1); -+ - flexarray_vappend(dm_args, dm, "-xen-domid", - GCSPRINTF("%d", domid), NULL); - flexarray_append(dm_args, "-xen-attach"); -@@ -1547,6 +1568,9 @@ void libxl__spawn_qdisk_backend(libxl__e - flexarray_append(dm_args, NULL); - args = (char **) flexarray_contents(dm_args); - -+ libxl__set_qemu_env_for_xsa_180(gc, dm_envs); -+ envs = (char **) flexarray_contents(dm_envs); -+ - logfile_w = libxl__create_qemu_logfile(gc, GCSPRINTF("qdisk-%u", domid)); - if (logfile_w < 0) { - rc = logfile_w; -@@ -1580,7 +1604,7 @@ void libxl__spawn_qdisk_backend(libxl__e - goto error; - if (!rc) { /* inner child */ - setsid(); -- libxl__exec(gc, null, logfile_w, logfile_w, dm, args, NULL); -+ libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs); - } - - return; -@@ -1648,6 +1672,7 @@ int libxl__destroy_device_model(libxl__g - GCSPRINTF("/local/domain/%d/image/device-model-pid", domid)); - } - -+/* Return 0 if no dm needed, 1 if needed and <0 if error. */ - int libxl__need_xenpv_qemu(libxl__gc *gc, - int nr_consoles, libxl__device_console *consoles, - int nr_vfbs, libxl_device_vfb *vfbs, - ---- libxl/libxl_dom.c.orig 2016-03-23 13:57:27.000000000 +0000 -+++ libxl/libxl_dom.c -@@ -446,7 +446,6 @@ int libxl__build_post(libxl__gc *gc, uin - xs_transaction_t t; - char **ents; - int i, rc; -- int64_t mem_target_fudge; - - rc = libxl_domain_sched_params_set(CTX, domid, &info->sched_params); - if (rc) -@@ -473,17 +472,12 @@ int libxl__build_post(libxl__gc *gc, uin - } - } - -- mem_target_fudge = -- (info->type == LIBXL_DOMAIN_TYPE_HVM && -- info->max_memkb > info->target_memkb) -- ? LIBXL_MAXMEM_CONSTANT : 0; -- - ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *)); - ents[0] = "memory/static-max"; - ents[1] = GCSPRINTF("%"PRId64, info->max_memkb); - ents[2] = "memory/target"; -- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb -- - mem_target_fudge); -+ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - -+ libxl__get_targetmem_fudge(gc, info)); - ents[4] = "memory/videoram"; - ents[5] = GCSPRINTF("%"PRId64, info->video_memkb); - ents[6] = "domid"; - ---- libxl/libxl_internal.h.orig 2016-03-23 13:57:27.000000000 +0000 -+++ libxl/libxl_internal.h -@@ -271,7 +271,7 @@ struct libxl__evgen_disk_eject { - uint32_t domid; - LIBXL_LIST_ENTRY(libxl_evgen_disk_eject) entry; - libxl_ev_user user; -- char *vdev; -+ char *vdev, *be_ptr_path; - }; - _hidden void - libxl__evdisable_disk_eject(libxl__gc*, libxl_evgen_disk_eject*); -@@ -594,6 +594,8 @@ _hidden bool libxl__xs_mkdir(libxl__gc * - - _hidden char *libxl__xs_libxl_path(libxl__gc *gc, uint32_t domid); - -+_hidden int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path, -+ libxl_domid *domid_out); - - /*----- "checked" xenstore access functions -----*/ - /* Each of these functions will check that it succeeded; if it -@@ -1061,6 +1063,7 @@ _hidden int libxl__device_generic_add(li - libxl__device *device, char **bents, char **fents, char **ro_fents); - _hidden char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device); - _hidden char *libxl__device_frontend_path(libxl__gc *gc, libxl__device *device); -+_hidden char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device); - _hidden int libxl__parse_backend_path(libxl__gc *gc, const char *path, - libxl__device *dev); - _hidden int libxl__device_destroy(libxl__gc *gc, libxl__device *dev); -@@ -3578,6 +3581,21 @@ static inline void libxl__update_config_ - libxl_uuid_copy(CTX, &dst->uuid, &src->uuid); - } - -+/* Target memory in xenstore is different from what user has -+ * asked for. The difference is video_memkb + (possible) fudge. -+ * See libxl_set_memory_target. -+ */ -+static inline -+uint64_t libxl__get_targetmem_fudge(libxl__gc *gc, -+ const libxl_domain_build_info *info) -+{ -+ int64_t mem_target_fudge = (info->type == LIBXL_DOMAIN_TYPE_HVM && -+ info->max_memkb > info->target_memkb) -+ ? LIBXL_MAXMEM_CONSTANT : 0; -+ -+ return info->video_memkb + mem_target_fudge; -+} -+ - /* Macros used to compare device identifier. Returns true if the two - * devices have same identifier. */ - #define COMPARE_DEVID(a, b) ((a)->devid == (b)->devid) diff --git a/sysutils/xentools45/patches/patch-XSA-179 b/sysutils/xentools45/patches/patch-XSA-179 deleted file mode 100644 index 8ca70838d5c..00000000000 --- a/sysutils/xentools45/patches/patch-XSA-179 +++ /dev/null @@ -1,266 +0,0 @@ -$NetBSD: patch-XSA-179,v 1.1 2016/05/12 15:42:58 bouyer Exp $ - -Patch for XSA-179, aka CVE-2016-3710 and CVE-2016-3712 -from http://xenbits.xenproject.org/xsa/advisory-179.html - ---- qemu-xen/hw/display/vga.c.orig 2016-05-12 16:36:58.000000000 +0200 -+++ qemu-xen/hw/display/vga.c 2016-05-12 16:37:36.000000000 +0200 -@@ -166,6 +166,13 @@ - static uint16_t expand2[256]; - static uint8_t expand4to8[16]; - -+static void vbe_update_vgaregs(VGACommonState *s); -+ -+static inline bool vbe_enabled(VGACommonState *s) -+{ -+ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; -+} -+ - static void vga_update_memory_access(VGACommonState *s) - { - MemoryRegion *region, *old_region = s->chain4_alias; -@@ -197,6 +204,7 @@ - break; - } - base += isa_mem_base; -+ assert(offset + size <= s->vram_size); - region = g_malloc(sizeof(*region)); - memory_region_init_alias(region, memory_region_owner(&s->vram), - "vga.chain4", &s->vram, offset, size); -@@ -503,6 +511,7 @@ - printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); - #endif - s->sr[s->sr_index] = val & sr_mask[s->sr_index]; -+ vbe_update_vgaregs(s); - if (s->sr_index == VGA_SEQ_CLOCK_MODE) { - s->update_retrace_info(s); - } -@@ -534,6 +543,7 @@ - printf("vga: write GR%x = 0x%02x\n", s->gr_index, val); - #endif - s->gr[s->gr_index] = val & gr_mask[s->gr_index]; -+ vbe_update_vgaregs(s); - vga_update_memory_access(s); - break; - case VGA_CRT_IM: -@@ -552,10 +562,12 @@ - if (s->cr_index == VGA_CRTC_OVERFLOW) { - s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) | - (val & 0x10); -+ vbe_update_vgaregs(s); - } - return; - } - s->cr[s->cr_index] = val; -+ vbe_update_vgaregs(s); - - switch(s->cr_index) { - case VGA_CRTC_H_TOTAL: -@@ -588,7 +600,7 @@ - uint16_t *r = s->vbe_regs; - uint32_t bits, linelength, maxy, offset; - -- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { -+ if (!vbe_enabled(s)) { - /* vbe is turned off -- nothing to do */ - return; - } -@@ -663,6 +675,49 @@ - s->vbe_start_addr = offset / 4; - } - -+/* we initialize the VGA graphic mode */ -+static void vbe_update_vgaregs(VGACommonState *s) -+{ -+ int h, shift_control; -+ -+ if (!vbe_enabled(s)) { -+ /* vbe is turned off -- nothing to do */ -+ return; -+ } -+ -+ /* graphic mode + memory map 1 */ -+ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | -+ VGA_GR06_GRAPHICS_MODE; -+ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ -+ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; -+ /* width */ -+ s->cr[VGA_CRTC_H_DISP] = -+ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; -+ /* height (only meaningful if < 1024) */ -+ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; -+ s->cr[VGA_CRTC_V_DISP_END] = h; -+ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | -+ ((h >> 7) & 0x02) | ((h >> 3) & 0x40); -+ /* line compare to 1023 */ -+ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; -+ s->cr[VGA_CRTC_OVERFLOW] |= 0x10; -+ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; -+ -+ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { -+ shift_control = 0; -+ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ -+ } else { -+ shift_control = 2; -+ /* set chain 4 mode */ -+ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; -+ /* activate all planes */ -+ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; -+ } -+ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | -+ (shift_control << 5); -+ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ -+} -+ - static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr) - { - VGACommonState *s = opaque; -@@ -739,13 +794,10 @@ - case VBE_DISPI_INDEX_Y_OFFSET: - s->vbe_regs[s->vbe_index] = val; - vbe_fixup_regs(s); -+ vbe_update_vgaregs(s); - break; - case VBE_DISPI_INDEX_BANK: -- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { -- val &= (s->vbe_bank_mask >> 2); -- } else { -- val &= s->vbe_bank_mask; -- } -+ val &= s->vbe_bank_mask; - s->vbe_regs[s->vbe_index] = val; - s->bank_offset = (val << 16); - vga_update_memory_access(s); -@@ -753,53 +805,19 @@ - case VBE_DISPI_INDEX_ENABLE: - if ((val & VBE_DISPI_ENABLED) && - !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { -- int h, shift_control; - - s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0; - s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0; - s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0; - s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED; - vbe_fixup_regs(s); -+ vbe_update_vgaregs(s); - - /* clear the screen (should be done in BIOS) */ - if (!(val & VBE_DISPI_NOCLEARMEM)) { - memset(s->vram_ptr, 0, - s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset); - } -- -- /* we initialize the VGA graphic mode (should be done -- in BIOS) */ -- /* graphic mode + memory map 1 */ -- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | -- VGA_GR06_GRAPHICS_MODE; -- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ -- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; -- /* width */ -- s->cr[VGA_CRTC_H_DISP] = -- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; -- /* height (only meaningful if < 1024) */ -- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; -- s->cr[VGA_CRTC_V_DISP_END] = h; -- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | -- ((h >> 7) & 0x02) | ((h >> 3) & 0x40); -- /* line compare to 1023 */ -- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; -- s->cr[VGA_CRTC_OVERFLOW] |= 0x10; -- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; -- -- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { -- shift_control = 0; -- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ -- } else { -- shift_control = 2; -- /* set chain 4 mode */ -- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; -- /* activate all planes */ -- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; -- } -- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | -- (shift_control << 5); -- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ - } else { - /* XXX: the bios should do that */ - s->bank_offset = 0; -@@ -846,13 +864,21 @@ - - if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { - /* chain 4 mode : simplest access */ -+ assert(addr < s->vram_size); - ret = s->vram_ptr[addr]; - } else if (s->gr[VGA_GFX_MODE] & 0x10) { - /* odd/even mode (aka text mode mapping) */ - plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); -- ret = s->vram_ptr[((addr & ~1) << 1) | plane]; -+ addr = ((addr & ~1) << 1) | plane; -+ if (addr >= s->vram_size) { -+ return 0xff; -+ } -+ ret = s->vram_ptr[addr]; - } else { - /* standard VGA latched access */ -+ if (addr * sizeof(uint32_t) >= s->vram_size) { -+ return 0xff; -+ } - s->latch = ((uint32_t *)s->vram_ptr)[addr]; - - if (!(s->gr[VGA_GFX_MODE] & 0x08)) { -@@ -909,6 +935,7 @@ - plane = addr & 3; - mask = (1 << plane); - if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { -+ assert(addr < s->vram_size); - s->vram_ptr[addr] = val; - #ifdef DEBUG_VGA_MEM - printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); -@@ -922,6 +949,9 @@ - mask = (1 << plane); - if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { - addr = ((addr & ~1) << 1) | plane; -+ if (addr >= s->vram_size) { -+ return; -+ } - s->vram_ptr[addr] = val; - #ifdef DEBUG_VGA_MEM - printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr); -@@ -995,6 +1025,9 @@ - mask = s->sr[VGA_SEQ_PLANE_WRITE]; - s->plane_updated |= mask; /* only used to detect font change */ - write_mask = mask16[mask]; -+ if (addr * sizeof(uint32_t) >= s->vram_size) { -+ return; -+ } - ((uint32_t *)s->vram_ptr)[addr] = - (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | - (val & write_mask); -@@ -1158,7 +1191,7 @@ - { - uint32_t start_addr, line_offset, line_compare; - -- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { -+ if (vbe_enabled(s)) { - line_offset = s->vbe_line_offset; - start_addr = s->vbe_start_addr; - line_compare = 65535; -@@ -1611,7 +1644,7 @@ - { - int ret; - -- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { -+ if (vbe_enabled(s)) { - ret = s->vbe_regs[VBE_DISPI_INDEX_BPP]; - } else { - ret = 0; -@@ -1623,7 +1656,7 @@ - { - int width, height; - -- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { -+ if (vbe_enabled(s)) { - width = s->vbe_regs[VBE_DISPI_INDEX_XRES]; - height = s->vbe_regs[VBE_DISPI_INDEX_YRES]; - } else { diff --git a/sysutils/xentools45/patches/patch-XSA-180 b/sysutils/xentools45/patches/patch-XSA-180 deleted file mode 100644 index 330ddebf85b..00000000000 --- a/sysutils/xentools45/patches/patch-XSA-180 +++ /dev/null @@ -1,66 +0,0 @@ -$NetBSD: patch-XSA-180,v 1.1 2016/08/06 12:41:36 spz Exp $ - -patch for XSA-180 from upstream - ---- qemu-xen-traditional/vl.c.orig 2016-01-04 15:36:03.000000000 +0000 -+++ qemu-xen-traditional/vl.c -@@ -3753,6 +3753,50 @@ static void host_main_loop_wait(int *tim - } - #endif - -+static void check_cve_2014_3672_xen(void) -+{ -+ static unsigned long limit = ~0UL; -+ const int fd = 2; -+ struct stat stab; -+ -+ if (limit == ~0UL) { -+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); -+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ -+ limit = s ? strtoul(s,0,0) : 1*1024*1024; -+ } -+ if (limit == 0) -+ return; -+ -+ int r = fstat(fd, &stab); -+ if (r) { -+ perror("fstat stderr (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ if (!S_ISREG(stab.st_mode)) -+ return; -+ if (stab.st_size <= limit) -+ return; -+ -+ /* oh dear */ -+ fprintf(stderr,"\r\n" -+ "Closing stderr due to CVE-2014-3672 limit. " -+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," -+ " or 0 for no limit.\n"); -+ fflush(stderr); -+ -+ int nfd = open("/dev/null", O_WRONLY); -+ if (nfd < 0) { -+ perror("open /dev/null (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ r = dup2(nfd, fd); -+ if (r != fd) { -+ perror("dup2 /dev/null (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ close(nfd); -+} -+ - void main_loop_wait(int timeout) - { - IOHandlerRecord *ioh; -@@ -3762,6 +3806,8 @@ void main_loop_wait(int timeout) - - qemu_bh_update_timeout(&timeout); - -+ check_cve_2014_3672_xen(); -+ - host_main_loop_wait(&timeout); - - /* poll any events */ diff --git a/sysutils/xentools45/patches/patch-XSA-184 b/sysutils/xentools45/patches/patch-XSA-184 index a909ee748d2..471a8acc088 100644 --- a/sysutils/xentools45/patches/patch-XSA-184 +++ b/sysutils/xentools45/patches/patch-XSA-184 @@ -41,43 +41,3 @@ index c26feff..42897bf 100644 do { struct iovec *sg; -From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001 -From: P J P <ppandit@redhat.com> -Date: Mon, 25 Jul 2016 17:37:18 +0530 -Subject: [PATCH] virtio: error out if guest exceeds virtqueue size - -A broken or malicious guest can submit more requests than the virtqueue -size permits. - -The guest can submit requests without bothering to wait for completion -and is therefore not bound by virtqueue size. This requires reusing -vring descriptors in more than one request, which is incorrect but -possible. Processing a request allocates a VirtQueueElement and -therefore causes unbounded memory allocation controlled by the guest. - -Exit with an error if the guest provides more requests than the -virtqueue size permits. This bounds memory allocation and makes the -buggy guest visible to the user. - -Reported-by: Zhenhao Hong <zhenhaohong@gmail.com> -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/virtio/virtio.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index d24f775..f8ac0fb 100644 ---- qemu-xen/hw/virtio/virtio.c.orig 2016-02-18 17:30:28.000000000 +0000 -+++ qemu-xen/hw/virtio/virtio.c 2016-09-11 11:01:48.000000000 +0000 -@@ -459,6 +459,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue - - max = vq->vring.num; - -+ if (vq->inuse >= max) { -+ error_report("Virtqueue size exceeded"); -+ exit(1); -+ } -+ - i = head = virtqueue_get_head(vq, vq->last_avail_idx++); - if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) { - vring_avail_event(vq, vring_avail_idx(vq)); |