Add patches for XSA-121 and XSA-122 from upstream.

4 files changed, 100 insertions, 3 deletions

diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index bd484630906..13b4b2fcaf2 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.42 2014/12/11 22:15:30 joerg Exp $
+# $NetBSD: Makefile,v 1.43 2015/03/05 16:37:16 spz Exp $
 
 VERSION=	4.1.6.1
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
-PKGREVISION=	13
+PKGREVISION=	14
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index 66b7d4e2f40..67208d9c4ae 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.33 2014/12/21 17:34:24 bouyer Exp $
+$NetBSD: distinfo,v 1.34 2015/03/05 16:37:16 spz Exp $
 
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
@@ -25,6 +25,8 @@ SHA1 (patch-CVE-2014-8595) = 46bd285b7eb8f2e23984f7917b12af2191bfef80
 SHA1 (patch-CVE-2014-8866) = ee0bc3afb767b50e973d6065b84adc7e51949def
 SHA1 (patch-CVE-2014-8867) = 576433746660f62b753088a66c5315a1a2ff8f76
 SHA1 (patch-CVE-2014-9030) = f52c302585b0f4b074f7562e6b8cddacb26deee4
+SHA1 (patch-CVE-2015-2044) = 00d32273d0a9f51927ff94a13f916382c3126e60
+SHA1 (patch-CVE-2015-2045) = e1874bbde0cce7db4ee9260440f5280d404027d7
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2044 b/sysutils/xenkernel41/patches/patch-CVE-2015-2044
new file mode 100644
index 00000000000..858e491420e
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2015-2044
@@ -0,0 +1,53 @@
+$NetBSD: patch-CVE-2015-2044,v 1.1 2015/03/05 16:37:16 spz Exp $
+
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- xen/arch/x86/hvm/rtc.c.orig	2014-09-02 06:22:57.000000000 +0000
++++ xen/arch/x86/hvm/rtc.c
+@@ -408,7 +408,8 @@ static int handle_rtc_io(
+ 
+     if ( bytes != 1 )
+     {
+-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- xen/arch/x86/hvm/i8254.c.orig	2014-09-02 06:22:57.000000000 +0000
++++ xen/arch/x86/hvm/i8254.c
+@@ -475,6 +475,7 @@ static int handle_pit_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
+--- xen/arch/x86/hvm/pmtimer.c.orig	2014-09-02 06:22:57.000000000 +0000
++++ xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+     if ( bytes != 4 )
+     {
+         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- xen/arch/x86/hvm/vpic.c.orig	2014-09-02 06:22:57.000000000 +0000
++++ xen/arch/x86/hvm/vpic.c
+@@ -324,6 +324,7 @@ static int vpic_intercept_pic_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2045 b/sysutils/xenkernel41/patches/patch-CVE-2015-2045
new file mode 100644
index 00000000000..21b2e40e01d
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2015-2045
@@ -0,0 +1,42 @@
+$NetBSD: patch-CVE-2015-2045,v 1.1 2015/03/05 16:37:16 spz Exp $
+
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- xen/common/kernel.c.orig	2014-09-02 06:22:57.000000000 +0000
++++ xen/common/kernel.c
+@@ -218,6 +218,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_extraversion:
+     {
+         xen_extraversion_t extraversion;
++
++        memset(extraversion, 0, sizeof(extraversion));
+         safe_strcpy(extraversion, xen_extra_version());
+         if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+             return -EFAULT;
+@@ -227,6 +229,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_compile_info:
+     {
+         struct xen_compile_info info;
++
++        memset(&info, 0, sizeof(info));
+         safe_strcpy(info.compiler,       xen_compiler());
+         safe_strcpy(info.compile_by,     xen_compile_by());
+         safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -263,6 +267,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_changeset:
+     {
+         xen_changeset_info_t chgset;
++
++        memset(chgset, 0, sizeof(chgset));
+         safe_strcpy(chgset, xen_changeset());
+         if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+             return -EFAULT;