author | drochner <drochner@pkgsrc.org> | 2013-10-01 14:54:44 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2013-10-01 14:54:44 +0000 |
commit | 4ef1e4a61a45930ca9dae36178ad0f56cab2d85c (patch) | |
tree | 2b4be8adaa0e4a272a5ede251894f7277c8a6a04 /sysutils | |
parent | 3c531d6ea19b064aea545d7db657900f598e75b5 (diff) | |
download | pkgsrc-4ef1e4a61a45930ca9dae36178ad0f56cab2d85c.tar.gz |
add patches from upstream to fix security problems:
-Information leak on AVX and/or LWP capable CPUs (CVE-2013-1442 / XSA-62)
-Information leaks through I/O instruction emulation
(CVE-2013-4355 / XSA-63)
-Information leak through fbld instruction emulation
(CVE-2013-4361 / XSA-66)
bump PKGREV
Diffstat (limited to 'sysutils')
-rw-r--r-- | sysutils/xenkernel41/Makefile | 3 | ||||
-rw-r--r-- | sysutils/xenkernel41/distinfo | 8 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-1442 | 27 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 | 38 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 | 71 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 | 36 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 | 24 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4361 | 20 |
8 files changed, 225 insertions, 2 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index aba08ec9c11..f05f22052dc 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile @@ -1,9 +1,10 @@ -# $NetBSD: Makefile,v 1.25 2013/09/27 11:35:07 joerg Exp $ +# $NetBSD: Makefile,v 1.26 2013/10/01 14:54:44 drochner Exp $ # VERSION= 4.1.6.1 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} +PKGREVISION= 1 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index 75b76494d69..ba6e58650b6 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,8 +1,14 @@ -$NetBSD: distinfo,v 1.19 2013/09/11 18:00:33 drochner Exp $ +$NetBSD: distinfo,v 1.20 2013/10/01 14:54:44 drochner Exp $ SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes +SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 +SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a +SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 +SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f +SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 +SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1442 b/sysutils/xenkernel41/patches/patch-CVE-2013-1442 new file mode 100644 index 00000000000..fad8b9e6581 --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1442 
@@ -0,0 +1,27 @@
+$NetBSD: patch-CVE-2013-1442,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg02523.html
+
+--- xen/arch/x86/i387.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/i387.c 2013-09-30 15:23:07.000000000 +0000
+@@ -103,9 +103,9 @@ void setup_fpu(struct vcpu *v)
+ {
+ /*
+ * XCR0 normally represents what guest OS set. In case of Xen itself,
+- * we set all supported feature mask before doing save/restore.
++ * we set all supported feature mask before restoring.
+ */
+- set_xcr0(v->arch.xcr0_accum);
++ set_xcr0(xfeature_mask);
+ xrstor(v);
+ set_xcr0(v->arch.xcr0);
+ }
+@@ -149,7 +149,7 @@ void save_init_fpu(struct vcpu *v)
+ if ( xsave_enabled(v) )
+ {
+ /* XCR0 normally represents what guest OS set. In case of Xen itself,
+- * we set all accumulated feature mask before doing save/restore.
++ * we set all accumulated feature mask before saving.
+ */
+ set_xcr0(v->arch.xcr0_accum);
+ if ( cpu_has_xsaveopt )
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
new file mode 100644
index 00000000000..7d1bb208e2e
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
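Review bot: In patch-CVE-2013-1442 the setup_fpu() comment says which mask is loaded but not why the restore path now differs from save_init_fpu(), which still uses `v->arch.xcr0_accum`. That asymmetry is the fix, so it deserves a sentence in the code, for example `/* Restore with xfeature_mask so that components this vCPU never enabled are reset instead of keeping values left by another vCPU. */`; this reading is inferred from the advisory title in the commit message and should be checked against the linked upstream post. It would also help to note beside `set_xcr0(xfeature_mask)` that XCR0 is put back to `v->arch.xcr0` immediately after `xrstor(v)`, so a later edit does not leave the guest running under the full mask.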
@@ -0,0 +1,38 @@
+$NetBSD: patch-CVE-2013-4355_1,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
+
+--- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c 2013-09-30 15:23:07.000000000 +0000
+@@ -1961,11 +1961,7 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- if ( rc == HVMCOPY_gfn_shared )
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+ eflags = regs->eflags;
+@@ -2010,13 +2006,11 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- /* Note: this could be optimised, if the callee functions knew we want RO
+- * access */
+- if ( rc == HVMCOPY_gfn_shared )
++ /*
++ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
++ * functions knew we want RO access.
++ */
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2
new file mode 100644
index 00000000000..65716cd9c10
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2
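Review bot: In patch-CVE-2013-4355_1 the first `if ( rc != HVMCOPY_okay ) goto out;` (inner hunk at -1961) carries no comment, although it is the line that stops hvm_task_switch() from going on with a `tss` that a failed copy did not fill. A short comment such as `/* Any failure leaves tss unfilled; do not continue with it. */` would record why the test is a catch-all rather than a list of codes, so a later HVMCOPY_* value is not special-cased back out. What the `out:` path does for the guest is outside the hunk and is worth checking for the results that were previously let through.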
@@ -0,0 +1,71 @@
+$NetBSD: patch-CVE-2013-4355_2,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/intercept.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/intercept.c 2013-09-30 15:23:07.000000000 +0000
+@@ -93,17 +93,28 @@ static int hvm_mmio_access(struct vcpu *
+ {
+ for ( i = 0; i < p->count; i++ )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) ||
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
+ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ rc = X86EMUL_RETRY;
+ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
+ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
+ data);
+ if ( rc != X86EMUL_OKAY )
+@@ -171,8 +182,28 @@ static int process_portio_intercept(port
+ for ( i = 0; i < p->count; i++ )
+ {
+ data = 0;
+- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
+- p->size);
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
++ rc = X86EMUL_RETRY;
++ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
++ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = action(IOREQ_WRITE, p->addr, p->size, &data);
+ if ( rc != X86EMUL_OKAY )
+ break;
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3
new file mode 100644
index 00000000000..59f890afa52
--- /dev/null
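Review bot: The `case HVMCOPY_bad_gva_to_gfn: ASSERT(0);` arm added to hvm_mmio_access() and process_portio_intercept() in patch-CVE-2013-4355_2 (and again to dpci_ioport_write() in patch-CVE-2013-4355_3) has no comment saying why it is believed unreachable. The call is hvm_copy_from_guest_phys(), so presumably no virtual-address translation takes place and that result cannot occur; the code should say so, e.g. `/* physical copy: no gva walk, so this result is not expected */`, because in a build with assertions enabled a reachable ASSERT(0) on a guest-driven path would stop the hypervisor. Separately, process_portio_intercept() has `data = 0;` before the copy, but no such line is visible in the hvm_mmio_access() hunk, so for a `p->size` smaller than `sizeof(data)` it should be confirmed that the remaining bytes are initialised or ignored by write_handler(). This patch file, like -4355_3 and -4355_4, also lacks the upstream reference URL that patch-CVE-2013-1442, -4355_1 and -4361 carry, which makes the backport harder to trace.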
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3
@@ -0,0 +1,36 @@
+$NetBSD: patch-CVE-2013-4355_3,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/io.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/io.c 2013-09-30 15:23:07.000000000 +0000
+@@ -333,14 +333,24 @@ static int dpci_ioport_write(uint32_t mp
+ data = p->data;
+ if ( p->data_is_ptr )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) &&
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ return X86EMUL_RETRY;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ return X86EMUL_UNHANDLEABLE;
++ }
+ }
+
+ switch ( p->size )
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4
new file mode 100644
index 00000000000..96d956f2417
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4
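Review bot: In patch-CVE-2013-4355_3, `return X86EMUL_RETRY;` inside dpci_ioport_write() becomes reachable for the first time, because the removed test joined two different values of `ret` with `&&` and could never be true. The loop over `i` that encloses this block is outside the hunk, so it is not visible whether a retried request resumes at the failing element or starts again from the first one; in the second case the writes presumably already issued for earlier elements would be repeated on the device. The caller's retry behaviour should be confirmed and recorded above the switch, e.g. `/* RETRY: the request is re-issued from element 0 */` or the opposite, whichever holds.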
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2013-4355_4,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/vmx/realmode.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/vmx/realmode.c 2013-09-30 15:23:07.000000000 +0000
+@@ -38,7 +38,9 @@ static void realmode_deliver_exception(
+
+ again:
+ last_byte = (vector * 4) + 3;
+- if ( idtr->limit < last_byte )
++ if ( idtr->limit < last_byte ||
++ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
++ HVMCOPY_okay )
+ {
+ /* Software interrupt? */
+ if ( insn_len != 0 )
+@@ -63,8 +65,6 @@ static void realmode_deliver_exception(
+ }
+ }
+
+- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
+-
+ frame[0] = regs->eip + insn_len;
+ frame[1] = csr->sel;
+ frame[2] = regs->eflags & ~X86_EFLAGS_RF;
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4361 b/sysutils/xenkernel41/patches/patch-CVE-2013-4361
new file mode 100644
index 00000000000..b133c1e6677
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4361
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2013-4361,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03162.html
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/x86_emulate/x86_emulate.c 2013-09-30 15:23:08.000000000 +0000
+@@ -2975,11 +2975,11 @@ x86_emulate(
+ break;
+ case 4: /* fbld m80dec */
+ ea.bytes = 10;
+- dst = ea;
++ src = ea;
+ if ( (rc = ops->read(src.mem.seg, src.mem.off,
+ &src.val, src.bytes, ctxt)) != 0 )
+ goto done;
+- emulate_fpu_insn_memdst("fbld", src.val);
++ emulate_fpu_insn_memsrc("fbld", src.val);
+ break;
+ case 5: /* fild m64i */
+ ea.bytes = 8; |
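Review bot: In patch-CVE-2013-4355_4 the read of the vector entry now sits inside the `if` condition of realmode_deliver_exception(), so `cs_eip` is written only when `idtr->limit < last_byte` is false and the copy succeeds; that is easy to break when the condition is next edited. A comment above the test would make the dependency explicit, e.g. `/* cs_eip is loaded here; an unreadable entry is handled like one beyond the IDT limit */`. The body of the `if` and the `again:` loop continue outside the hunk, so it could not be checked here that every path through that body leaves before `cs_eip` is used for the frame.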
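Review bot: In patch-CVE-2013-4361 the fbld case sets `ea.bytes = 10` and then has `ops->read()` store `src.bytes` bytes at `&src.val`, but the operand structure is declared outside the hunk, so it is not visible that ten bytes of storage begin at `val`. If `val` is a single machine word the read depends on whatever member follows it, which should be stated at this case, e.g. `/* m80dec: 10 bytes are read starting at src.val */`, and ideally backed by a compile-time size check beside the structure. The same `src.val` is then handed to `emulate_fpu_insn_memsrc`, so it is worth confirming that the bytes filled by the read are exactly the ones the instruction consumes.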