diff options
| author | bouyer <bouyer@pkgsrc.org> | 2016-01-07 17:53:58 +0000 |
|---|---|---|
| committer | bouyer <bouyer@pkgsrc.org> | 2016-01-07 17:53:58 +0000 |
| commit | 29e4ed0480a659884433886f0a678bd99b38c5c5 (patch) | |
| tree | 2b420212cac3600a8b4e5d031acf8cac6dff01ee /sysutils | |
| parent | eb518f376aa1e76d5cb7ac123f411cc74cfa918d (diff) | |
| download | pkgsrc-29e4ed0480a659884433886f0a678bd99b38c5c5.tar.gz | |
pply patches from Xen repository, fixing:
CVE-2015-5307 and CVE-2015-8104 aka XSA-156
CVE-2015-8339 and CVE-2015-8340 aka XSA-159
CVE-2015-8555 aka XSA-165
XSA-166
CVE-2015-8550 aka XSA-155
CVE-2015-8554 aka XSA-164
Bump pkgrevision
Diffstat (limited to 'sysutils')
| -rw-r--r-- | sysutils/xenkernel42/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xenkernel42/distinfo | 6 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-CVE-2015-5307 | 108 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-CVE-2015-8339 | 33 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-CVE-2015-8555 | 80 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-XSA-166 | 42 | ||||
| -rw-r--r-- | sysutils/xentools42/Makefile | 4 | ||||
| -rw-r--r-- | sysutils/xentools42/distinfo | 7 | ||||
| -rw-r--r-- | sysutils/xentools42/patches/patch-CVE-2015-8550 | 213 | ||||
| -rw-r--r-- | sysutils/xentools42/patches/patch-CVE-2015-8554 | 21 |
10 files changed, 512 insertions, 6 deletions
diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile index a7fea4cb60e..2eacc900ffc 100644 --- a/sysutils/xenkernel42/Makefile +++ b/sysutils/xenkernel42/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.19 2015/12/05 21:26:00 adam Exp $ +# $NetBSD: Makefile,v 1.20 2016/01/07 17:53:58 bouyer Exp $ VERSION= 4.2.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel42-${VERSION} -PKGREVISION= 9 +PKGREVISION= 10 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo index d2487fb4c1f..d6b758c003f 100644 --- a/sysutils/xenkernel42/distinfo +++ b/sysutils/xenkernel42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.18 2015/11/04 01:32:39 agc Exp $ +$NetBSD: distinfo,v 1.19 2016/01/07 17:53:58 bouyer Exp $ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19 @@ -18,10 +18,14 @@ SHA1 (patch-CVE-2015-3340) = 9ff5e766c9e5e3358d8a896f805babc8fb9a41c4 SHA1 (patch-CVE-2015-3456) = 8d54d33b81ef77056aa6f58ab123912948454020 SHA1 (patch-CVE-2015-4163) = d8c9b95026c2316bfb57f644937fdb924902a3bf SHA1 (patch-CVE-2015-4164) = 9f9add821c4a13308fa4bfa1becd1b0d8fda6177 +SHA1 (patch-CVE-2015-5307) = bbd6833fc27ddc5efd307bd2e53934e260458b93 SHA1 (patch-CVE-2015-7835) = 3fa639cebc9c264df51a410d0b9f94af42231d1d SHA1 (patch-CVE-2015-7969) = 43f1729fa24cc628beb231839b1412479c14928e SHA1 (patch-CVE-2015-7971) = 0d0d36ad99f313afb96111a832eb65ddeaf8010e +SHA1 (patch-CVE-2015-8339) = 080bc4c04ee5ad832756b11a65b1598f12eae97e +SHA1 (patch-CVE-2015-8555) = 594f85557efe137fb32a88c0dc589a1318184b66 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 +SHA1 (patch-XSA-166) = 24fccf8e30ccf910a128e5e0365800191a90524c SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-5307 b/sysutils/xenkernel42/patches/patch-CVE-2015-5307 new file mode 100644 index 00000000000..ce92888cb4d --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-CVE-2015-5307 @@ -0,0 +1,108 @@ +$NetBSD: patch-CVE-2015-5307,v 1.1 2016/01/07 17:53:58 bouyer Exp $ + +Patch for CVE-2015-5307 and CVE-2015-8104 aka XSA-156, based on +http://xenbits.xenproject.org/xsa/xsa156-4.3.patch + +--- xen/arch/x86/hvm/svm/svm.c.orig 2014-09-02 08:22:57.000000000 +0200 ++++ xen/arch/x86/hvm/svm/svm.c 2016-01-07 14:30:34.000000000 +0100 +@@ -942,10 +942,11 @@ + unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) ) + { + uint32_t intercepts = vmcb_get_exception_intercepts(vmcb); +- uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3); ++ + v->arch.hvm_vcpu.debug_state_latch = debug_state; + vmcb_set_exception_intercepts( +- vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask)); ++ vmcb, debug_state ? (intercepts | (1U << TRAP_int3)) ++ : (intercepts & ~(1U << TRAP_int3))); + } + + if ( v->arch.hvm_svm.launch_core != smp_processor_id() ) +@@ -2232,8 +2233,9 @@ + + case VMEXIT_EXCEPTION_DB: + if ( !v->domain->debugger_attached ) +- goto exit_and_crash; +- domain_pause_for_debugger(); ++ hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE); ++ else ++ domain_pause_for_debugger(); + break; + + case VMEXIT_EXCEPTION_BP: +@@ -2281,6 +2283,11 @@ + break; + } + ++ case VMEXIT_EXCEPTION_AC: ++ HVMTRACE_1D(TRAP, TRAP_alignment_check); ++ hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1); ++ break; ++ + case VMEXIT_EXCEPTION_UD: + svm_vmexit_ud_intercept(regs); + break; +--- xen/arch/x86/hvm/vmx/vmx.c.orig ++++ xen/arch/x86/hvm/vmx/vmx.c +@@ -1122,18 +1122,12 @@ static void vmx_update_host_cr3(struct v + + void vmx_update_debug_state(struct vcpu *v) + { +- unsigned long mask; +- + ASSERT(v == current); + +- mask = 1u << TRAP_int3; +- if ( !cpu_has_monitor_trap_flag ) +- mask |= 1u << TRAP_debug; +- + if ( v->arch.hvm_vcpu.debug_state_latch ) +- v->arch.hvm_vmx.exception_bitmap |= mask; ++ v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3; + else +- v->arch.hvm_vmx.exception_bitmap &= ~mask; ++ v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3); + vmx_update_exception_bitmap(v); + } + +@@ -2616,9 +2610,10 @@ void vmx_vmexit_handler(struct cpu_user_ + exit_qualification = __vmread(EXIT_QUALIFICATION); + HVMTRACE_1D(TRAP_DEBUG, exit_qualification); + write_debugreg(6, exit_qualification | 0xffff0ff0); +- if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag ) +- goto exit_and_crash; +- domain_pause_for_debugger(); ++ if ( !v->domain->debugger_attached ) ++ hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE); ++ else ++ domain_pause_for_debugger(); + break; + case TRAP_int3: + { +@@ -2679,6 +2674,11 @@ void vmx_vmexit_handler(struct cpu_user_ + + hvm_inject_page_fault(regs->error_code, exit_qualification); + break; ++ case TRAP_alignment_check: ++ HVMTRACE_1D(TRAP, vector); ++ hvm_inject_hw_exception(vector, ++ __vmread(VM_EXIT_INTR_ERROR_CODE)); ++ break; + case TRAP_nmi: + if ( (intr_info & INTR_INFO_INTR_TYPE_MASK) != + (X86_EVENTTYPE_NMI << 8) ) +--- xen/include/asm-x86/hvm/hvm.h.orig ++++ xen/include/asm-x86/hvm/hvm.h +@@ -389,7 +389,10 @@ static inline bool_t hvm_vcpu_has_smep(v + }) + + /* These exceptions must always be intercepted. */ +-#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op)) ++#define HVM_TRAP_MASK ((1U << TRAP_debug) | \ ++ (1U << TRAP_invalid_op) | \ ++ (1U << TRAP_alignment_check) | \ ++ (1U << TRAP_machine_check)) + + /* + * x86 event types. This enumeration is valid for: diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-8339 b/sysutils/xenkernel42/patches/patch-CVE-2015-8339 new file mode 100644 index 00000000000..d78a2f196dd --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-CVE-2015-8339 @@ -0,0 +1,33 @@ +$NetBSD: patch-CVE-2015-8339,v 1.1 2016/01/07 17:53:58 bouyer Exp $ + +Patch for CVE-2015-8339 and CVE-2015-8340 aka XSA-159, based on +http://xenbits.xenproject.org/xsa/xsa159.patch + +--- xen/common/memory.c.orig ++++ xen/common/memory.c +@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA + PAGE_LIST_HEAD(out_chunk_list); + unsigned long in_chunk_order, out_chunk_order; + xen_pfn_t gpfn, gmfn, mfn; +- unsigned long i, j, k = 0; /* gcc ... */ ++ unsigned long i, j, k; + unsigned int memflags = 0; + long rc = 0; + struct domain *d; +@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA + fail: + /* Reassign any input pages we managed to steal. */ + while ( (page = page_list_remove_head(&in_chunk_list)) ) +- { +- put_gfn(d, gmfn + k--); + if ( assign_pages(d, page, 0, MEMF_no_refcount) ) +- BUG(); +- } ++ { ++ BUG_ON(!d->is_dying); ++ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) ++ put_page(page); ++ } + + dying: + rcu_unlock_domain(d); diff --git a/sysutils/xenkernel42/patches/patch-CVE-2015-8555 b/sysutils/xenkernel42/patches/patch-CVE-2015-8555 new file mode 100644 index 00000000000..5806d91bce3 --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-CVE-2015-8555 @@ -0,0 +1,80 @@ +$NetBSD: patch-CVE-2015-8555,v 1.1 2016/01/07 17:53:58 bouyer Exp $ + +Patch for CVE-2015-8555 aka XSA-165, based on +http://xenbits.xenproject.org/xsa/xsa165-4.3.patch + +--- xen/arch/x86/domain.c.orig ++++ xen/arch/x86/domain.c +@@ -730,6 +730,17 @@ int arch_set_info_guest( + + if ( flags & VGCF_I387_VALID ) + memcpy(v->arch.fpu_ctxt, &c.nat->fpu_ctxt, sizeof(c.nat->fpu_ctxt)); ++ else if ( v->arch.xsave_area ) ++ memset(&v->arch.xsave_area->xsave_hdr, 0, ++ sizeof(v->arch.xsave_area->xsave_hdr)); ++ else ++ { ++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt; ++ ++ memset(fpu_sse, 0, sizeof(*fpu_sse)); ++ fpu_sse->fcw = FCW_DEFAULT; ++ fpu_sse->mxcsr = MXCSR_DEFAULT; ++ } + + if ( !compat ) + { +--- xen/arch/x86/i387.c.orig ++++ xen/arch/x86/i387.c +@@ -17,19 +17,6 @@ + #include <asm/xstate.h> + #include <asm/asm_defns.h> + +-static void fpu_init(void) +-{ +- unsigned long val; +- +- asm volatile ( "fninit" ); +- if ( cpu_has_xmm ) +- { +- /* load default value into MXCSR control/status register */ +- val = MXCSR_DEFAULT; +- asm volatile ( "ldmxcsr %0" : : "m" (val) ); +- } +-} +- + /*******************************/ + /* FPU Restore Functions */ + /*******************************/ +@@ -254,15 +241,8 @@ void vcpu_restore_fpu_lazy(struct vcpu * + + if ( cpu_has_xsave ) + fpu_xrstor(v, XSTATE_LAZY); +- else if ( v->fpu_initialised ) +- { +- if ( cpu_has_fxsr ) +- fpu_fxrstor(v); +- else +- fpu_frstor(v); +- } + else +- fpu_init(); ++ fpu_fxrstor(v); + + v->fpu_initialised = 1; + v->fpu_dirtied = 1; +@@ -323,7 +303,14 @@ int vcpu_init_fpu(struct vcpu *v) + else + { + v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16); +- if ( !v->arch.fpu_ctxt ) ++ if ( v->arch.fpu_ctxt ) ++ { ++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt; ++ ++ fpu_sse->fcw = FCW_DEFAULT; ++ fpu_sse->mxcsr = MXCSR_DEFAULT; ++ } ++ else + { + rc = -ENOMEM; + goto done; diff --git a/sysutils/xenkernel42/patches/patch-XSA-166 b/sysutils/xenkernel42/patches/patch-XSA-166 new file mode 100644 index 00000000000..69e87f68d3c --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-XSA-166 @@ -0,0 +1,42 @@ +$NetBSD: patch-XSA-166,v 1.1 2016/01/07 17:53:58 bouyer Exp $ + +Patch for XSA-166, based on +http://xenbits.xenproject.org/xsa/xsa166-4.3.patch + +--- xen/arch/x86/hvm/hvm.c.orig ++++ xen/arch/x86/hvm/hvm.c +@@ -342,6 +342,7 @@ void hvm_migrate_pirqs(struct vcpu *v) + void hvm_do_resume(struct vcpu *v) + { + ioreq_t *p; ++ unsigned int state; + + pt_restore_timer(v); + +@@ -349,9 +350,10 @@ void hvm_do_resume(struct vcpu *v) + + /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */ + p = get_ioreq(v); +- while ( p->state != STATE_IOREQ_NONE ) ++ while ( (state = p->state) != STATE_IOREQ_NONE ) + { +- switch ( p->state ) ++ rmb(); ++ switch ( state ) + { + case STATE_IORESP_READY: /* IORESP_READY -> NONE */ + hvm_io_assist(); +@@ -359,11 +361,10 @@ void hvm_do_resume(struct vcpu *v) + case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */ + case STATE_IOREQ_INPROCESS: + wait_on_xen_event_channel(v->arch.hvm_vcpu.xen_port, +- (p->state != STATE_IOREQ_READY) && +- (p->state != STATE_IOREQ_INPROCESS)); ++ p->state != state); + break; + default: +- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state); ++ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state); + domain_crash(v->domain); + return; /* bail */ + } diff --git a/sysutils/xentools42/Makefile b/sysutils/xentools42/Makefile index 91b70244262..6178be1ecfb 100644 --- a/sysutils/xentools42/Makefile +++ b/sysutils/xentools42/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.40 2015/12/05 21:26:00 adam Exp $ +# $NetBSD: Makefile,v 1.41 2016/01/07 17:53:58 bouyer Exp $ VERSION= 4.2.5 VERSION_IPXE= 1.0.0 DISTNAME= xen-${VERSION} PKGNAME= xentools42-${VERSION} -PKGREVISION= 13 +PKGREVISION= 14 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools42/distinfo b/sysutils/xentools42/distinfo index c7528c1d5dd..a6a4f7ffc83 100644 --- a/sysutils/xentools42/distinfo +++ b/sysutils/xentools42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.21 2015/11/04 01:32:40 agc Exp $ +$NetBSD: distinfo,v 1.22 2016/01/07 17:53:58 bouyer Exp $ SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 @@ -8,6 +8,9 @@ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19 SHA512 (xen-4.2.5.tar.gz) = 42c0fc241952fc55fc44480fb6752b004b54ae40e946159ec047adf229b65cbfbd810271d01b064ad8fdbddb73c640dcdcb6bc19f91e8968829889c129920dac Size (xen-4.2.5.tar.gz) = 15671925 bytes +<<<<<<< distinfo +======= +>>>>>>> 1.21 SHA1 (patch-.._.._ipxe_src_Makefile.housekeeping) = 5ec8020a9705b2f64096c2942473a8de4db578bb SHA1 (patch-.._.._ipxe_src_arch_i386_include_librm.h) = 4549ac641b112321b4731a918d85219c3fce6808 SHA1 (patch-.._.._ipxe_src_arch_i386_scripts_i386.lds) = 4c0cbb7f535be43e1b6f53c284340a8bafc37c0b @@ -34,6 +37,8 @@ SHA1 (patch-CVE-2015-3456) = e1600393860110c3093559f2f58273ba47478dd8 SHA1 (patch-CVE-2015-5154) = 29e0f8ad5696b6b1f4d5dbcc8d35579fb8d67375 SHA1 (patch-CVE-2015-5165) = c0b5324cb85ced435f869a0aa7232c5670a9995d SHA1 (patch-CVE-2015-5166) = 947ac0945091027d5973963765a3ab8975d2226a +SHA1 (patch-CVE-2015-8550) = 63613ca0dd9fe06f5c88774151f72e1c540e62c5 +SHA1 (patch-CVE-2015-8554) = 908783cf619fc130d5a107ba2c4997fca0f0da88 SHA1 (patch-Makefile) = 3a474d28a5b838bae4a67b5ca76e23b950bf0133 SHA1 (patch-Rules.mk) = 25a04293f6fe638ba5f3bd5e09b2b091cd201023 SHA1 (patch-blktap_drivers_Makefile) = c6be57154a403a64e3d6bc22d6bd833fe33fc9af diff --git a/sysutils/xentools42/patches/patch-CVE-2015-8550 b/sysutils/xentools42/patches/patch-CVE-2015-8550 new file mode 100644 index 00000000000..126435ca0db --- /dev/null +++ b/sysutils/xentools42/patches/patch-CVE-2015-8550 @@ -0,0 +1,213 @@ +$NetBSD: patch-CVE-2015-8550,v 1.1 2016/01/07 17:53:58 bouyer Exp $ + +patch for CVE-2015-8550 aka XSA-155 from +http://xenbits.xenproject.org/xsa/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch +http://xenbits.xenproject.org/xsa/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch +http://xenbits.xenproject.org/xsa/xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch +http://xenbits.xenproject.org/xsa/xsa155-qemut-qdisk-double-access.patch +http://xenbits.xenproject.org/xsa/xsa155-qemut-xenfb.patch +http://xenbits.xenproject.org/xsa/xsa155-qemu-qdisk-double-access.patch +http://xenbits.xenproject.org/xsa/xsa155-qemu-xenfb.patch + +--- ../xen/include/public/io/ring.h.orig ++++ ../xen/include/public/io/ring.h +@@ -212,6 +212,20 @@ typedef struct __name##_back_ring __name##_back_ring_t + #define RING_GET_REQUEST(_r, _idx) \ + (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) + ++/* ++ * Get a local copy of a request. ++ * ++ * Use this in preference to RING_GET_REQUEST() so all processing is ++ * done on a local copy that cannot be modified by the other end. ++ * ++ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this ++ * to be ineffective where _req is a struct which consists of only bitfields. ++ */ ++#define RING_COPY_REQUEST(_r, _idx, _req) do { \ ++ /* Use volatile to force the copy into _req. */ \ ++ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ ++} while (0) ++ + #define RING_GET_RESPONSE(_r, _idx) \ + (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) + +--- blktap2/drivers/block-log.c.orig ++++ blktap2/drivers/block-log.c +@@ -494,11 +494,12 @@ static int ctl_kick(struct tdlog_state* s, int fd) + reqstart = s->bring.req_cons; + reqend = s->sring->req_prod; + ++ xen_mb(); + BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend); + + while (reqstart != reqend) { + /* XXX actually submit these! */ +- memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req)); ++ RING_COPY_REQUEST(&s->bring, reqstart, &req); + BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count); + s->bring.req_cons = ++reqstart; + +--- blktap2/drivers/tapdisk-vbd.c.orig ++++ blktap2/drivers/tapdisk-vbd.c +@@ -1555,7 +1555,7 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) + int idx; + RING_IDX rp, rc; + td_ring_t *ring; +- blkif_request_t *req; ++ blkif_request_t req; + td_vbd_request_t *vreq; + + ring = &vbd->ring; +@@ -1566,16 +1566,16 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) + xen_rmb(); + + for (rc = ring->fe_ring.req_cons; rc != rp; rc++) { +- req = RING_GET_REQUEST(&ring->fe_ring, rc); ++ RING_COPY_REQUEST(&ring->fe_ring, rc, &req); + ++ring->fe_ring.req_cons; + +- idx = req->id; ++ idx = req.id; + vreq = &vbd->request_list[idx]; + + ASSERT(list_empty(&vreq->next)); + ASSERT(vreq->secs_pending == 0); + +- memcpy(&vreq->req, req, sizeof(blkif_request_t)); ++ memcpy(&vreq->req, &req, sizeof(blkif_request_t)); + vbd->received++; + vreq->vbd = vbd; + +--- libvchan/io.c.orig ++++ libvchan/io.c +@@ -118,6 +118,7 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit) + static inline int raw_get_data_ready(struct libxenvchan *ctrl) + { + uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl); ++ xen_mb(); /* Ensure 'ready' is read only once. */ + if (ready >= rd_ring_size(ctrl)) + /* We have no way to return errors. Locking up the ring is + * better than the alternatives. */ +@@ -159,6 +160,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl) + static inline int raw_get_buffer_space(struct libxenvchan *ctrl) + { + uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); ++ xen_mb(); /* Ensure 'ready' is read only once. */ + if (ready > wr_ring_size(ctrl)) + /* We have no way to return errors. Locking up the ring is + * better than the alternatives. */ + +--- qemu-xen-traditional/hw/xen_blkif.h.orig 2013-10-10 16:15:47.000000000 +0200 ++++ qemu-xen-traditional/hw/xen_blkif.h 2016-01-07 17:35:36.000000000 +0100 +@@ -79,8 +79,10 @@ + dst->handle = src->handle; + dst->id = src->id; + dst->sector_number = src->sector_number; +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ xen_mb(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } +@@ -94,8 +96,10 @@ + dst->handle = src->handle; + dst->id = src->id; + dst->sector_number = src->sector_number; +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ xen_mb(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } + +--- qemu-xen-traditional/hw/xenfb.c ++++ qemu-xen-traditional/hw/xenfb.c +@@ -827,18 +827,20 @@ static void xenfb_invalidate(void *opaque) + + static void xenfb_handle_events(struct XenFB *xenfb) + { +- uint32_t prod, cons; ++ uint32_t prod, cons, out_cons; + struct xenfb_page *page = xenfb->c.page; + + prod = page->out_prod; +- if (prod == page->out_cons) ++ out_cons = page->out_cons; ++ if (prod == out_cons) + return; + xen_rmb(); /* ensure we see ring contents up to prod */ +- for (cons = page->out_cons; cons != prod; cons++) { ++ for (cons = out_cons; cons != prod; cons++) { + union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); ++ uint8_t type = event->type; + int x, y, w, h; + +- switch (event->type) { ++ switch (type) { + case XENFB_TYPE_UPDATE: + if (xenfb->up_count == UP_QUEUE) + xenfb->up_fullscreen = 1; + +--- qemu-xen/hw/xen_blkif.h.orig 2013-10-10 16:15:47.000000000 +0200 ++++ qemu-xen/hw/xen_blkif.h 2016-01-07 17:35:36.000000000 +0100 +@@ -79,8 +79,10 @@ + dst->handle = src->handle; + dst->id = src->id; + dst->sector_number = src->sector_number; +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ xen_mb(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } +@@ -94,8 +96,10 @@ + dst->handle = src->handle; + dst->id = src->id; + dst->sector_number = src->sector_number; +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ xen_mb(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } + +--- qemu-xen/hw/xenfb.c.orig ++++ qemu-xen/hw/xenfb.c +@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque) + + static void xenfb_handle_events(struct XenFB *xenfb) + { +- uint32_t prod, cons; ++ uint32_t prod, cons, out_cons; + struct xenfb_page *page = xenfb->c.page; + + prod = page->out_prod; +- if (prod == page->out_cons) ++ out_cons = page->out_cons; ++ if (prod == out_cons) + return; + xen_rmb(); /* ensure we see ring contents up to prod */ +- for (cons = page->out_cons; cons != prod; cons++) { ++ for (cons = out_cons; cons != prod; cons++) { + union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); ++ uint8_t type = event->type; + int x, y, w, h; + +- switch (event->type) { ++ switch (type) { + case XENFB_TYPE_UPDATE: + if (xenfb->up_count == UP_QUEUE) + xenfb->up_fullscreen = 1; diff --git a/sysutils/xentools42/patches/patch-CVE-2015-8554 b/sysutils/xentools42/patches/patch-CVE-2015-8554 new file mode 100644 index 00000000000..a43d5654de8 --- /dev/null +++ b/sysutils/xentools42/patches/patch-CVE-2015-8554 @@ -0,0 +1,21 @@ +$NetBSD: patch-CVE-2015-8554,v 1.1 2016/01/07 17:53:58 bouyer Exp $ + +patch for CVE-2015-8554 aka XSA-164 from +http://xenbits.xenproject.org/xsa/xsa164.patch + +--- qemu-xen-traditional/hw/pt-msi.c.orig ++++ qemu-xen-traditional/hw/pt-msi.c +@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque + return; + } + ++ if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 ) ++ { ++ PT_LOG("Error: Out of bounds write to MSI-X table," ++ " addr %016"PRIx64"\n", addr); ++ return; ++ } ++ + entry_nr = (addr - msix->mmio_base_addr) / 16; + entry = &msix->msix_entry[entry_nr]; + offset = ((addr - msix->mmio_base_addr) % 16) / 4; |