diff options
| author | drochner <drochner@pkgsrc.org> | 2013-01-17 19:37:54 +0000 |
|---|---|---|
| committer | drochner <drochner@pkgsrc.org> | 2013-01-17 19:37:54 +0000 |
| commit | 824f96abcd99708dc8b15b0e2d12abf6554e412e (patch) | |
| tree | 1f7bb85ea88615eb83324dce62a231b3c715ad14 /sysutils | |
| parent | e87575e5866898d0d32cb22432fd0f89c2edd674 (diff) | |
| download | pkgsrc-824f96abcd99708dc8b15b0e2d12abf6554e412e.tar.gz | |
update to 4.1.4
changes:
-fixes for many vulnerabilities (were mostly patched in pkgsrc)
-bug fixes and improvements (almost 100 since Xen 4.1.3). Highlights are:
-A fix for a long standing time management issue
-Bug fixes for S3 (suspend to RAM) handling
-Bug fixes for other low level system state handling
pkgsrc note:
fixes for CVE-2012-5634 (interrupt issue on IOMMU systems)
and CVE-2012-6075 (oversized packets from e1000 driver)
are already included
Diffstat (limited to 'sysutils')
17 files changed, 70 insertions, 551 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index 61be25160cb..ae4500e40a8 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile @@ -1,10 +1,9 @@ -# $NetBSD: Makefile,v 1.16 2012/12/05 19:16:26 drochner Exp $ +# $NetBSD: Makefile,v 1.17 2013/01/17 19:37:54 drochner Exp $ # -VERSION= 4.1.3 +VERSION= 4.1.4 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ EXTRACT_SUFX= .tar.gz diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index 8d17e5b8b28..e006cf472a9 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,20 +1,10 @@ -$NetBSD: distinfo,v 1.12 2012/12/05 19:16:26 drochner Exp $ +$NetBSD: distinfo,v 1.13 2013/01/17 19:37:54 drochner Exp $ -SHA1 (xen-4.1.3.tar.gz) = 0f688955262d08fba28361ca338f3ad0c0f53d74 -RMD160 (xen-4.1.3.tar.gz) = a6296a16579fd628a1ff2aa64b6b800e4913eeae -Size (xen-4.1.3.tar.gz) = 10382132 bytes -SHA1 (patch-CVE-2012-3494) = 166121ce515aaa2f2e399431be3ca7d2496c79c6 -SHA1 (patch-CVE-2012-3496) = 89843ade32b3b1478f69d0c23c2dd69daf506b37 -SHA1 (patch-CVE-2012-3498) = d3d3eddcb39559381e268ea804d8b1190f0ed582 -SHA1 (patch-CVE-2012-4535_1) = 862155304af023cb10ef62957c2a3dbc569bd40c -SHA1 (patch-CVE-2012-4535_2) = f38d5b5286278b900e4b1892fd8a4e6da3434e47 -SHA1 (patch-CVE-2012-4538) = 31d3a26556de5e0afc2a9d3c5e75d9d461b795ff -SHA1 (patch-CVE-2012-4539) = 4fd6a9229aafbe3f451c3d757562bc1068628081 -SHA1 (patch-CVE-2012-5510) = 47617f3e29173a381a97c7b44c7b1cfc970c1477 -SHA1 (patch-CVE-2012-5511_1) = bdb885335d9357fc4e8df3352893d9f7c24f5c21 -SHA1 (patch-CVE-2012-5511_2) = f4ae6fd4942fea658b14d33f4bbd60ea2383dffe -SHA1 (patch-CVE-2012-5511_3) = 2e223c3ae105330f8147c79bbff5cbba37ff8372 -SHA1 (patch-CVE-2012-5513_1) = b190539b089c2623657028b7780345112c1a8f0f -SHA1 (patch-CVE-2012-5513_2) = f6beb84708b62c7317cccccf682af9bee10a43e5 +SHA1 (xen-4.1.4.tar.gz) = d5f1e9c9eeb96202dd827c196750530ffc64baab +RMD160 (xen-4.1.4.tar.gz) = e3cb379954c985354dfd7dfbed15eae43e73254d +Size (xen-4.1.4.tar.gz) = 10387283 bytes +SHA1 (patch-CVE-2012-5511_2) = a345d28d4a6dcc4bf203243f49d66b5479fdbf14 +SHA1 (patch-CVE-2012-5634) = 2992ee4972ec733a80fa3841d12a70a9076625c0 +SHA1 (patch-CVE-2012-6075) = e368374468526a6ceee03fe15a5ee35aca28cc6e SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70 diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3494 b/sysutils/xenkernel41/patches/patch-CVE-2012-3494 deleted file mode 100644 index 9699fd59024..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-3494 +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-CVE-2012-3494,v 1.1 2012/09/12 11:04:17 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00181.html - ---- xen/include/asm-x86/debugreg.h.orig 2012-08-10 13:51:52.000000000 +0000 -+++ xen/include/asm-x86/debugreg.h -@@ -58,7 +58,7 @@ - We can slow the instruction pipeline for instructions coming via the - gdt or the ldt if we want to. I am not sure why this is an advantage */ - --#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */ -+#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */ - #define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */ - #define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */ - #define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3496 b/sysutils/xenkernel41/patches/patch-CVE-2012-3496 deleted file mode 100644 index f30ea035af7..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-3496 +++ /dev/null @@ -1,66 +0,0 @@ -$NetBSD: patch-CVE-2012-3496,v 1.3 2012/12/05 19:16:26 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html - -fix for CVE-2012-4537 is also here, see -http://lists.xen.org/archives/html/xen-devel/2012-11/msg00507.html - -fix for CVE-2012-5514 is also here, see -http://lists.xen.org/archives/html/xen-announce/2012-12/msg00005.html - ---- xen/arch/x86/mm/p2m.c.orig 2012-08-10 13:51:45.000000000 +0000 -+++ xen/arch/x86/mm/p2m.c -@@ -2414,7 +2414,11 @@ guest_physmap_mark_populate_on_demand(st - int pod_count = 0; - int rc = 0; - -- BUG_ON(!paging_mode_translate(d)); -+ if ( !IS_PRIV_FOR(current->domain, d) ) -+ return -EPERM; -+ -+ if ( !paging_mode_translate(d) ) -+ return -EINVAL; - - rc = gfn_check_limit(d, gfn, order); - if ( rc != 0 ) -@@ -2431,8 +2435,7 @@ guest_physmap_mark_populate_on_demand(st - omfn = gfn_to_mfn_query(p2m, gfn + i, &ot); - if ( p2m_is_ram(ot) ) - { -- printk("%s: gfn_to_mfn returned type %d!\n", -- __func__, ot); -+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot); - rc = -EBUSY; - goto out; - } -@@ -2454,10 +2457,10 @@ guest_physmap_mark_populate_on_demand(st - BUG_ON(p2m->pod.entry_count < 0); - } - -+out: - audit_p2m(p2m, 1); - p2m_unlock(p2m); - --out: - return rc; - } - -@@ -2559,7 +2562,10 @@ guest_physmap_add_entry(struct p2m_domai - if ( mfn_valid(_mfn(mfn)) ) - { - if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) -+ { - rc = -EINVAL; -+ goto out; /* Failed to update p2m, bail without updating m2p. */ -+ } - if ( !p2m_is_grant(t) ) - { - for ( i = 0; i < (1UL << page_order); i++ ) -@@ -2580,6 +2586,7 @@ guest_physmap_add_entry(struct p2m_domai - } - } - -+out: - audit_p2m(p2m, 1); - p2m_unlock(p2m); - diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3498 b/sysutils/xenkernel41/patches/patch-CVE-2012-3498 deleted file mode 100644 index 48287b70b1f..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-3498 +++ /dev/null @@ -1,60 +0,0 @@ -$NetBSD: patch-CVE-2012-3498,v 1.2 2012/11/14 13:42:41 drochner Exp $ - -contains patch for CVE-2012-3495 -see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00187.html -and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html -and patch for CVE-2012-4536 -see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00503.html - ---- xen/arch/x86/physdev.c.orig 2012-08-10 13:51:46.000000000 +0000 -+++ xen/arch/x86/physdev.c -@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq( - struct hvm_girq_dpci_mapping *girq; - uint32_t machine_gsi = 0; - -+ if ( map->index < 0 || map->index >= NR_HVM_IRQS ) -+ { -+ ret = -EINVAL; -+ break; -+ } -+ - /* find the machine gsi corresponding to the - * emulated gsi */ - hvm_irq_dpci = domain_get_irq_dpci(d); - if ( hvm_irq_dpci ) - { -+ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS); - list_for_each_entry ( girq, - &hvm_irq_dpci->girq[map->index], - list ) -@@ -230,6 +237,10 @@ static int physdev_unmap_pirq(struct phy - if ( ret ) - return ret; - -+ ret = -EINVAL; -+ if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs ) -+ goto free_domain; -+ - if ( is_hvm_domain(d) ) - { - spin_lock(&d->event_lock); -@@ -587,11 +598,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H - break; - - spin_lock(&d->event_lock); -- out.pirq = get_free_pirq(d, out.type, 0); -- d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED; -+ ret = get_free_pirq(d, out.type, 0); -+ if ( ret >= 0 ) -+ d->arch.pirq_irq[ret] = PIRQ_ALLOCATED; - spin_unlock(&d->event_lock); - -- ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0; -+ if ( ret >= 0 ) -+ { -+ out.pirq = ret; -+ ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0; -+ } - - rcu_unlock_domain(d); - break; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4535_1 b/sysutils/xenkernel41/patches/patch-CVE-2012-4535_1 deleted file mode 100644 index fe56f8550a1..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-4535_1 +++ /dev/null @@ -1,16 +0,0 @@ -$NetBSD: patch-CVE-2012-4535_1,v 1.1 2012/11/14 13:42:41 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00502.html - ---- xen/common/domain.c.orig 2012-08-10 13:51:47.000000000 +0000 -+++ xen/common/domain.c -@@ -871,6 +871,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN - if ( set.period_ns < MILLISECS(1) ) - return -EINVAL; - -+ if ( set.period_ns > STIME_DELTA_MAX ) -+ return -EINVAL; -+ - v->periodic_period = set.period_ns; - vcpu_force_reschedule(v); - diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4535_2 b/sysutils/xenkernel41/patches/patch-CVE-2012-4535_2 deleted file mode 100644 index f39ef4ea77b..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-4535_2 +++ /dev/null @@ -1,13 +0,0 @@ -$NetBSD: patch-CVE-2012-4535_2,v 1.1 2012/11/14 13:42:41 drochner Exp $ - ---- xen/include/xen/time.h.orig 2012-08-10 13:51:55.000000000 +0000 -+++ xen/include/xen/time.h -@@ -53,6 +53,8 @@ struct tm gmtime(unsigned long t); - #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) - #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) - #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) -+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ -+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) - - extern void update_vcpu_system_time(struct vcpu *v); - extern void update_domain_wallclock_time(struct domain *d); diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4538 b/sysutils/xenkernel41/patches/patch-CVE-2012-4538 deleted file mode 100644 index 961be4326ee..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-4538 +++ /dev/null @@ -1,21 +0,0 @@ -$NetBSD: patch-CVE-2012-4538,v 1.1 2012/11/14 13:42:41 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00504.html - ---- xen/arch/x86/mm/shadow/multi.c.orig 2012-08-10 13:51:46.000000000 +0000 -+++ xen/arch/x86/mm/shadow/multi.c -@@ -4737,8 +4737,12 @@ static void sh_pagetable_dying(struct vc - } - for ( i = 0; i < 4; i++ ) - { -- if ( fast_path ) -- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); -+ if ( fast_path ) { -+ if ( pagetable_is_null(v->arch.shadow_table[i]) ) -+ smfn = _mfn(INVALID_MFN); -+ else -+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); -+ } - else - { - /* retrieving the l2s */ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-4539 b/sysutils/xenkernel41/patches/patch-CVE-2012-4539 deleted file mode 100644 index 5e809859f23..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-4539 +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-CVE-2012-4539,v 1.1 2012/11/14 13:42:41 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00505.html - ---- xen/common/compat/grant_table.c.orig 2012-08-10 13:51:47.000000000 +0000 -+++ xen/common/compat/grant_table.c -@@ -310,6 +310,8 @@ int compat_grant_table_op(unsigned int c - #undef XLAT_gnttab_get_status_frames_HNDL_frame_list - if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) - rc = -EFAULT; -+ else -+ i = 1; - } - break; - } diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5510 b/sysutils/xenkernel41/patches/patch-CVE-2012-5510 deleted file mode 100644 index 081ce7d5737..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-5510 +++ /dev/null @@ -1,92 +0,0 @@ -$NetBSD: patch-CVE-2012-5510,v 1.1 2012/12/05 19:16:26 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00000.html - ---- xen/common/grant_table.c.orig 2012-08-10 13:51:47.000000000 +0000 -+++ xen/common/grant_table.c -@@ -1102,12 +1102,13 @@ fault: - } - - static int --gnttab_populate_status_frames(struct domain *d, struct grant_table *gt) -+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt, -+ unsigned int req_nr_frames) - { - unsigned i; - unsigned req_status_frames; - -- req_status_frames = grant_to_status_frames(gt->nr_grant_frames); -+ req_status_frames = grant_to_status_frames(req_nr_frames); - for ( i = nr_status_frames(gt); i < req_status_frames; i++ ) - { - if ( (gt->status[i] = alloc_xenheap_page()) == NULL ) -@@ -1138,7 +1139,12 @@ gnttab_unpopulate_status_frames(struct d - - for ( i = 0; i < nr_status_frames(gt); i++ ) - { -- page_set_owner(virt_to_page(gt->status[i]), dom_xen); -+ struct page_info *pg = virt_to_page(gt->status[i]); -+ -+ BUG_ON(page_get_owner(pg) != d); -+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) -+ put_page(pg); -+ BUG_ON(pg->count_info & ~PGC_xen_heap); - free_xenheap_page(gt->status[i]); - gt->status[i] = NULL; - } -@@ -1176,19 +1182,18 @@ gnttab_grow_table(struct domain *d, unsi - clear_page(gt->shared_raw[i]); - } - -- /* Share the new shared frames with the recipient domain */ -- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) -- gnttab_create_shared_page(d, gt, i); -- -- gt->nr_grant_frames = req_nr_frames; -- - /* Status pages - version 2 */ - if (gt->gt_version > 1) - { -- if ( gnttab_populate_status_frames(d, gt) ) -+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) - goto shared_alloc_failed; - } - -+ /* Share the new shared frames with the recipient domain */ -+ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) -+ gnttab_create_shared_page(d, gt, i); -+ gt->nr_grant_frames = req_nr_frames; -+ - return 1; - - shared_alloc_failed: -@@ -2129,7 +2134,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt - - if ( op.version == 2 && gt->gt_version < 2 ) - { -- res = gnttab_populate_status_frames(d, gt); -+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt)); - if ( res < 0) - goto out_unlock; - } -@@ -2450,9 +2455,6 @@ grant_table_create( - clear_page(t->shared_raw[i]); - } - -- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) -- gnttab_create_shared_page(d, t, i); -- - /* Status pages for grant table - for version 2 */ - t->status = xmalloc_array(grant_status_t *, - grant_to_status_frames(max_nr_grant_frames)); -@@ -2460,6 +2462,10 @@ grant_table_create( - goto no_mem_4; - memset(t->status, 0, - grant_to_status_frames(max_nr_grant_frames) * sizeof(t->status[0])); -+ -+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) -+ gnttab_create_shared_page(d, t, i); -+ - t->nr_status_frames = 0; - - /* Okay, install the structure. */ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_1 b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_1 deleted file mode 100644 index 48d1f51e9bd..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_1 +++ /dev/null @@ -1,116 +0,0 @@ -$NetBSD: patch-CVE-2012-5511_1,v 1.1 2012/12/05 19:16:27 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00006.html - -fix for CVE-2012-5512 is also here, see -http://lists.xen.org/archives/html/xen-announce/2012-12/msg00003.html - ---- xen/arch/x86/hvm/hvm.c.orig 2012-08-10 13:51:44.000000000 +0000 -+++ xen/arch/x86/hvm/hvm.c -@@ -3446,6 +3446,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - if ( !is_hvm_domain(d) ) - goto param_fail2; - -+ if ( a.nr > GB(1) >> PAGE_SHIFT ) -+ goto param_fail2; -+ - rc = xsm_hvm_param(d, op); - if ( rc ) - goto param_fail2; -@@ -3473,7 +3476,6 @@ long do_hvm_op(unsigned long op, XEN_GUE - struct xen_hvm_modified_memory a; - struct domain *d; - struct p2m_domain *p2m; -- unsigned long pfn; - - if ( copy_from_guest(&a, arg, 1) ) - return -EFAULT; -@@ -3501,8 +3503,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - goto param_fail3; - - p2m = p2m_get_hostp2m(d); -- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) -+ while ( a.nr > 0 ) - { -+ unsigned long pfn = a.first_pfn; - p2m_type_t t; - mfn_t mfn = gfn_to_mfn(p2m, pfn, &t); - if ( p2m_is_paging(t) ) -@@ -3523,6 +3526,19 @@ long do_hvm_op(unsigned long op, XEN_GUE - /* don't take a long time and don't die either */ - sh_remove_shadows(d->vcpu[0], mfn, 1, 0); - } -+ -+ a.first_pfn++; -+ a.nr--; -+ -+ /* Check for continuation if it's not the last interation */ -+ if ( a.nr > 0 && hypercall_preempt_check() ) -+ { -+ if ( copy_to_guest(arg, &a, 1) ) -+ rc = -EFAULT; -+ else -+ rc = -EAGAIN; -+ break; -+ } - } - - param_fail3: -@@ -3566,7 +3582,6 @@ long do_hvm_op(unsigned long op, XEN_GUE - struct xen_hvm_set_mem_type a; - struct domain *d; - struct p2m_domain *p2m; -- unsigned long pfn; - - /* Interface types to internal p2m types */ - p2m_type_t memtype[] = { -@@ -3596,8 +3611,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - goto param_fail4; - - p2m = p2m_get_hostp2m(d); -- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) -+ while ( a.nr > 0 ) - { -+ unsigned long pfn = a.first_pfn; - p2m_type_t t; - p2m_type_t nt; - mfn_t mfn; -@@ -3633,6 +3649,19 @@ long do_hvm_op(unsigned long op, XEN_GUE - goto param_fail4; - } - } -+ -+ a.first_pfn++; -+ a.nr--; -+ -+ /* Check for continuation if it's not the last interation */ -+ if ( a.nr > 0 && hypercall_preempt_check() ) -+ { -+ if ( copy_to_guest(arg, &a, 1) ) -+ rc = -EFAULT; -+ else -+ rc = -EAGAIN; -+ goto param_fail4; -+ } - } - - rc = 0; -@@ -3670,7 +3699,7 @@ long do_hvm_op(unsigned long op, XEN_GUE - return rc; - - rc = -EINVAL; -- if ( !is_hvm_domain(d) ) -+ if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) ) - goto param_fail5; - - p2m = p2m_get_hostp2m(d); -@@ -3690,9 +3719,6 @@ long do_hvm_op(unsigned long op, XEN_GUE - ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) - goto param_fail5; - -- if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) ) -- goto param_fail5; -- - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) - { - p2m_type_t t; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 index d8877e61284..211cb1f17e4 100644 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_2 @@ -1,29 +1,16 @@ -$NetBSD: patch-CVE-2012-5511_2,v 1.1 2012/12/05 19:16:27 drochner Exp $ +$NetBSD: patch-CVE-2012-5511_2,v 1.2 2013/01/17 19:37:55 drochner Exp $ ---- xen/arch/x86/mm/paging.c.orig 2012-08-10 13:51:45.000000000 +0000 +see http://lists.xen.org/archives/html/xen-devel/2013-01/msg01193.html + +--- xen/arch/x86/mm/paging.c.orig 2012-12-18 12:54:25.000000000 +0000 +++ xen/arch/x86/mm/paging.c -@@ -529,13 +529,18 @@ int paging_log_dirty_range(struct domain +@@ -534,7 +534,8 @@ int paging_log_dirty_range(struct domain - if ( !d->arch.paging.log_dirty.fault_count && - !d->arch.paging.log_dirty.dirty_count ) { -- int size = (nr + BITS_PER_LONG - 1) / BITS_PER_LONG; -- unsigned long zeroes[size]; -- memset(zeroes, 0x00, size * BYTES_PER_LONG); -+ static uint8_t zeroes[PAGE_SIZE]; -+ int off, size; -+ -+ size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long); + size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long); rv = 0; -- if ( copy_to_guest_offset(dirty_bitmap, 0, (uint8_t *) zeroes, -- size * BYTES_PER_LONG) != 0 ) -- rv = -EFAULT; -+ for ( off = 0; !rv && off < size; off += sizeof zeroes ) -+ { -+ int todo = min(size - off, (int) PAGE_SIZE); -+ if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) ) -+ rv = -EFAULT; -+ off += todo; -+ } - goto out; - } - d->arch.paging.log_dirty.fault_count = 0; +- for ( off = 0; !rv && off < size; off += sizeof zeroes ) ++ off = 0; ++ while ( !rv && off < size ) + { + int todo = min(size - off, (int) PAGE_SIZE); + if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) ) diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_3 b/sysutils/xenkernel41/patches/patch-CVE-2012-5511_3 deleted file mode 100644 index e059a116624..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-5511_3 +++ /dev/null @@ -1,22 +0,0 @@ -$NetBSD: patch-CVE-2012-5511_3,v 1.1 2012/12/05 19:16:27 drochner Exp $ - ---- xen/include/asm-x86/config.h.orig 2012-08-10 13:51:52.000000000 +0000 -+++ xen/include/asm-x86/config.h -@@ -108,6 +108,9 @@ extern unsigned int trampoline_xen_phys_ - extern unsigned char trampoline_cpu_started; - extern char wakeup_start[]; - extern unsigned int video_mode, video_flags; -+ -+#define GB(_gb) (_gb ## UL << 30) -+ - #endif - - #define asmlinkage -@@ -123,7 +126,6 @@ extern unsigned int video_mode, video_fl - #define PML4_ADDR(_slot) \ - ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \ - (_slot ## UL << PML4_ENTRY_BITS)) --#define GB(_gb) (_gb ## UL << 30) - #else - #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS) - #define PML4_ADDR(_slot) \ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5513_1 b/sysutils/xenkernel41/patches/patch-CVE-2012-5513_1 deleted file mode 100644 index 1aa9039acdb..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-5513_1 +++ /dev/null @@ -1,19 +0,0 @@ -$NetBSD: patch-CVE-2012-5513_1,v 1.1 2012/12/05 19:16:27 drochner Exp $ - -see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00004.html - ---- xen/common/compat/memory.c.orig 2012-08-10 13:51:47.000000000 +0000 -+++ xen/common/compat/memory.c -@@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, X - (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) - return -EINVAL; - -+ if ( !compat_handle_okay(cmp.xchg.in.extent_start, -+ cmp.xchg.in.nr_extents) || -+ !compat_handle_okay(cmp.xchg.out.extent_start, -+ cmp.xchg.out.nr_extents) ) -+ return -EFAULT; -+ - start_extent = cmp.xchg.nr_exchanged; - end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / - (((1U << ABS(order_delta)) + 1) * diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5513_2 b/sysutils/xenkernel41/patches/patch-CVE-2012-5513_2 deleted file mode 100644 index 223ff6905ec..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2012-5513_2 +++ /dev/null @@ -1,51 +0,0 @@ -$NetBSD: patch-CVE-2012-5513_2,v 1.1 2012/12/05 19:16:27 drochner Exp $ - -fix for CVE-2012-5515 is also here, see -http://lists.xen.org/archives/html/xen-announce/2012-12/msg00001.html - ---- xen/common/memory.c.orig 2012-08-10 13:51:48.000000000 +0000 -+++ xen/common/memory.c -@@ -117,7 +117,8 @@ static void populate_physmap(struct memo - - if ( a->memflags & MEMF_populate_on_demand ) - { -- if ( guest_physmap_mark_populate_on_demand(d, gpfn, -+ if ( a->extent_order > MAX_ORDER || -+ guest_physmap_mark_populate_on_demand(d, gpfn, - a->extent_order) < 0 ) - goto out; - } -@@ -216,7 +217,8 @@ static void decrease_reservation(struct - xen_pfn_t gmfn; - - if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, -- a->nr_extents-1) ) -+ a->nr_extents-1) || -+ a->extent_order > MAX_ORDER ) - return; - - for ( i = a->nr_done; i < a->nr_extents; i++ ) -@@ -278,6 +280,9 @@ static long memory_exchange(XEN_GUEST_HA - if ( (exch.nr_exchanged > exch.in.nr_extents) || - /* Input and output domain identifiers match? */ - (exch.in.domid != exch.out.domid) || -+ /* Extent orders are sensible? */ -+ (exch.in.extent_order > MAX_ORDER) || -+ (exch.out.extent_order > MAX_ORDER) || - /* Sizes of input and output lists do not overflow a long? */ - ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || - ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || -@@ -289,6 +294,13 @@ static long memory_exchange(XEN_GUEST_HA - goto fail_early; - } - -+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || -+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) -+ { -+ rc = -EFAULT; -+ goto fail_early; -+ } -+ - /* Only privileged guests can allocate multi-page contiguous extents. */ - if ( !multipage_allocation_permitted(current->domain, - exch.in.extent_order) || diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-5634 b/sysutils/xenkernel41/patches/patch-CVE-2012-5634 new file mode 100644 index 00000000000..a51d9db9b5b --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-5634 @@ -0,0 +1,15 @@ +$NetBSD: patch-CVE-2012-5634,v 1.1 2013/01/17 19:37:55 drochner Exp $ + +see http://lists.xen.org/archives/html/xen-devel/2013-01/msg00445.html + +--- xen/drivers/passthrough/vtd/intremap.c.orig 2012-12-18 12:54:27.000000000 +0000 ++++ xen/drivers/passthrough/vtd/intremap.c +@@ -499,7 +499,7 @@ static void set_msi_source_id(struct pci + set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, + (bus << 8) | pdev->bus); + else if ( pdev_type(bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) +- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, ++ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, + PCI_BDF2(bus, devfn)); + } + break; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-6075 b/sysutils/xenkernel41/patches/patch-CVE-2012-6075 new file mode 100644 index 00000000000..e45763e5330 --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2012-6075 @@ -0,0 +1,34 @@ +$NetBSD: patch-CVE-2012-6075,v 1.1 2013/01/17 19:37:55 drochner Exp $ + +see http://lists.xen.org/archives/html/xen-devel/2013-01/msg01070.html + +--- tools/ioemu-qemu-xen/hw/e1000.c.orig 2012-11-13 18:25:17.000000000 +0000 ++++ tools/ioemu-qemu-xen/hw/e1000.c +@@ -55,6 +55,11 @@ static int debugflags = DBGBIT(TXERR) | + #define REG_IOADDR 0x0 + #define REG_IODATA 0x4 + ++/* this is the size past which hardware will drop packets when setting LPE=0 */ ++#define MAXIMUM_ETHERNET_VLAN_SIZE 1522 ++/* this is the size past which hardware will drop packets when setting LPE=1 */ ++#define MAXIMUM_ETHERNET_LPE_SIZE 16384 ++ + /* + * HW models: + * E1000_DEV_ID_82540EM works with Windows and Linux +@@ -628,6 +633,15 @@ e1000_receive(void *opaque, const uint8_ + return; + } + ++ /* Discard oversized packets if !LPE and !SBP. */ ++ if ((size > MAXIMUM_ETHERNET_LPE_SIZE || ++ (size > MAXIMUM_ETHERNET_VLAN_SIZE ++ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE))) ++ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) { ++ DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n"); ++ return; ++ } ++ + if (!receive_filter(s, buf, size)) + return; + |