author | bouyer <bouyer@pkgsrc.org> | 2015-10-29 21:59:16 +0000 |
---|---|---|
committer | bouyer <bouyer@pkgsrc.org> | 2015-10-29 21:59:16 +0000 |
commit | 4b8b66b2c1ddf302d0f9435643cf4e1b3f490a6b (patch) | |
tree | 531373587d7d2e0bd8d002a2626d07c15010e837 /sysutils | |
parent | 9dfbb4ae49910d5a761bfc3dc156eb4bd7f37a94 (diff) | |
Add patches, derived from Xen security advisory, fixing:
CVE-2015-7835 aka XSA-148
CVE-2015-7869 aka XSA-149 + XSA-151
CVE-2015-7971 aka XSA-152
Bump PKGREVISION
Diffstat (limited to 'sysutils')
-rw-r--r-- | sysutils/xenkernel42/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel42/distinfo | 5 | ||||
-rw-r--r-- | sysutils/xenkernel42/patches/patch-CVE-2015-7835 | 31 | ||||
-rw-r--r-- | sysutils/xenkernel42/patches/patch-CVE-2015-7969 | 34 | ||||
-rw-r--r-- | sysutils/xenkernel42/patches/patch-CVE-2015-7971 | 35 |
5 files changed, 106 insertions, 3 deletions
diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile
index ff4a683b485..f57b7f227c7 100644
--- a/sysutils/xenkernel42/Makefile
+++ b/sysutils/xenkernel42/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.17 2015/08/23 16:17:12 spz Exp $
+# $NetBSD: Makefile,v 1.18 2015/10/29 21:59:16 bouyer Exp $
 VERSION= 4.2.5
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel42-${VERSION}
-PKGREVISION= 8
+PKGREVISION= 9
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo
index 8e5ed0faabd..16f277c95d4 100644
--- a/sysutils/xenkernel42/distinfo
+++ b/sysutils/xenkernel42/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2015/09/14 13:36:29 joerg Exp $
+$NetBSD: distinfo,v 1.17 2015/10/29 21:59:16 bouyer Exp $
 SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
@@ -17,6 +17,9 @@ SHA1 (patch-CVE-2015-3340) = 9ff5e766c9e5e3358d8a896f805babc8fb9a41c4
 SHA1 (patch-CVE-2015-3456) = 8d54d33b81ef77056aa6f58ab123912948454020
 SHA1 (patch-CVE-2015-4163) = d8c9b95026c2316bfb57f644937fdb924902a3bf
 SHA1 (patch-CVE-2015-4164) = 9f9add821c4a13308fa4bfa1becd1b0d8fda6177
+SHA1 (patch-CVE-2015-7835) = 3fa639cebc9c264df51a410d0b9f94af42231d1d
+SHA1 (patch-CVE-2015-7969) = 43f1729fa24cc628beb231839b1412479c14928e
+SHA1 (patch-CVE-2015-7971) = 0d0d36ad99f313afb96111a832eb65ddeaf8010e
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-7835 b/sysutils/xenkernel42/patches/patch-CVE-2015-7835
new file mode 100644
index 00000000000..6c774549431
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-CVE-2015-7835
@@ -0,0 +1,31 @@
+$NetBSD: patch-CVE-2015-7835,v 1.1 2015/10/29 21:59:16 bouyer Exp $
+
+Patch for CVE-2015-7835 aka XSA-148 based on
+http://xenbits.xenproject.org/xsa/xsa148-4.4.patch
+
+--- xen/arch/x86/mm.c.orig 2014-09-02 08:22:57.000000000 +0200
++++ xen/arch/x86/mm.c 2015-10-29 22:27:31.000000000 +0100
+@@ -169,7 +169,10 @@
+
+ static uint32_t base_disallow_mask;
+ #define L1_DISALLOW_MASK (base_disallow_mask | _PAGE_GNTTAB)
+-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
++
++#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
++ ? base_disallow_mask & ~_PAGE_PSE \
++ : base_disallow_mask)
+
+ #if defined(__x86_64__)
+
+@@ -1980,7 +1983,10 @@
+ }
+
+ /* Fast path for identical mapping and presence. */
+- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
++ if ( !l2e_has_changed(ol2e, nl2e,
++ unlikely(opt_allow_superpage)
++ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
++ : _PAGE_PRESENT) )
+ {
+ adjust_guest_l2e(nl2e, d);
+ if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-7969 b/sysutils/xenkernel42/patches/patch-CVE-2015-7969
new file mode 100644
index 00000000000..fe16fa3b375
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-CVE-2015-7969
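Review bot: The new `L2_DISALLOW_MASK` definition in the mm.c part of this patch has no comment saying why `_PAGE_PSE` is now exempted from the disallow mask only when `opt_allow_superpage` is set, and the widened fast-path mask in the second inner hunk (`@@ -1980`) is equally unexplained. I would add above the macro `/* Guests may set _PAGE_PSE in an L2 entry only when superpage mappings are enabled (opt_allow_superpage). */` and above the fast-path test `/* With superpages enabled, a change to PSE or RW must not take the fast path; it needs full validation. */`. The macro is now evaluated at run time at every use, so `opt_allow_superpage` must be declared before the first use of `L2_DISALLOW_MASK`; that declaration is not visible here, and because the header says the patch is based on xsa148-4.4.patch while the package is 4.2.5, this is worth confirming against the 4.2 source. The function containing the second inner hunk starts and ends outside the hunk.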
@@ -0,0 +1,34 @@
+$NetBSD: patch-CVE-2015-7969,v 1.1 2015/10/29 21:59:16 bouyer Exp $
+
+Patch for CVE-2015-7869 aka XSA-149 + XSA-151 based on
+http://xenbits.xenproject.org/xsa/xsa149.patch
+http://xenbits.xenproject.org/xsa/xsa151.patch
+
+--- xen/common/domain.c.orig 2014-09-02 08:22:57.000000000 +0200
++++ xen/common/domain.c 2015-10-29 22:29:21.000000000 +0100
+@@ -685,6 +685,7 @@
+
+ xsm_free_security_domain(d);
+ free_cpumask_var(d->domain_dirty_cpumask);
++ xfree(d->vcpu);
+ free_domain_struct(d);
+
+ send_global_virq(VIRQ_DOM_EXC);
+--- xen/common/xenoprof.c.orig 2014-09-02 08:22:57.000000000 +0200
++++ xen/common/xenoprof.c 2015-10-29 22:29:35.000000000 +0100
+@@ -239,6 +239,7 @@
+ d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
+ if ( d->xenoprof->rawbuf == NULL )
+ {
++ xfree(d->xenoprof->vcpu);
+ xfree(d->xenoprof);
+ d->xenoprof = NULL;
+ return -ENOMEM;
+@@ -286,6 +287,7 @@
+ free_xenheap_pages(x->rawbuf, order);
+ }
+
++ xfree(x->vcpu);
+ xfree(x);
+ d->xenoprof = NULL;
+ }
diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-7971 b/sysutils/xenkernel42/patches/patch-CVE-2015-7971
new file mode 100644
index 00000000000..d9efd4575e6
--- /dev/null
+++ b/sysutils/xenkernel42/patches/patch-CVE-2015-7971
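Review bot: The header comment of this patch file names CVE-2015-7869, while the file is `patch-CVE-2015-7969` and the distinfo entry added in the same commit also uses 7969, so one of the two has a transposed digit; the comment should presumably read `Patch for CVE-2015-7969 aka XSA-149 + XSA-151 based on`. A mismatched identifier makes it harder to audit which advisories a given package revision covers. On the code side, each added `xfree()` is placed directly before the free of the structure that owns the pointer, which is the correct order. A short comment such as `/* vcpu pointer array is a separate allocation */` next to `xfree(d->vcpu);` would record why the extra free is needed. The functions these inner hunks belong to start and end outside the hunk.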
@@ -0,0 +1,35 @@
+$NetBSD: patch-CVE-2015-7971,v 1.1 2015/10/29 21:59:16 bouyer Exp $
+
+Patch for CVE-2015-7971 aka XSA-152, based on
+http://xenbits.xenproject.org/xsa/xsa152.patch
+
+--- xen/common/xenoprof.c.orig
++++ xen/common/xenoprof.c
+@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
+
+ if ( (op < 0) || (op > XENOPROF_last_op) )
+ {
+- printk("xenoprof: invalid operation %d for domain %d\n",
+- op, current->domain->domain_id);
++ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
+ return -EINVAL;
+ }
+
+ if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
+ {
+- printk("xenoprof: dom %d denied privileged operation %d\n",
+- current->domain->domain_id, op);
++ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
+ return -EPERM;
+ }
+
+@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
+ spin_unlock(&xenoprof_lock);
+
+ if ( ret < 0 )
+- printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
+- op, current->domain->domain_id, ret);
++ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
+
+ return ret;
+ } |
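Review bot: The switch from `printk` to `gdprintk(XENLOG_DEBUG, ...)` in `do_xenoprof_op` is not explained in the code, and it changes what an operator can observe. The `-EPERM` branch ("denied privileged operation") is a security-relevant event that, at debug level, will normally not reach the console at default log thresholds and may be compiled out in non-debug builds; gdprintk's definition is not on this page, so confirm. I would add above the first call `/* Guest-triggerable path: log at guest debug level so a domain cannot flood the console. */`, so that a later cleanup does not restore the plain `printk`. The new messages also drop the explicit domain id, which relies on gdprintk identifying the calling domain itself; that should be checked for this 4.2 tree. The body of `do_xenoprof_op` continues outside both inner hunks.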