author | bouyer <bouyer> | 2017-03-20 18:17:12 +0000 |
---|---|---|
committer | bouyer <bouyer> | 2017-03-20 18:17:12 +0000 |
commit | 53e714aa3413af4cebc7d06af141ec3fcc2c158c (patch) | |
tree | 24015bc2944b2d2ec84d2f8129eaf42cb918b81c /sysutils | |
parent | a5efe37b1de156904758ceddd9abf9d2450f4d3e (diff) | |
download | pkgsrc-53e714aa3413af4cebc7d06af141ec3fcc2c158c.tar.gz |
Update xenkernel46 and xentools46 to 4.6.5. Changes since 4.6.3:
various bug fixes. Includes all security patches up to and including
XSA-209
Diffstat (limited to 'sysutils')
24 files changed, 17 insertions, 1351 deletions
diff --git a/sysutils/xenkernel46/Makefile b/sysutils/xenkernel46/Makefile
index 59483f6ed58..c33dab3d35f 100644
--- a/sysutils/xenkernel46/Makefile
+++ b/sysutils/xenkernel46/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.9 2017/02/14 21:38:34 joerg Exp $
+# $NetBSD: Makefile,v 1.10 2017/03/20 18:17:12 bouyer Exp $
-VERSION= 4.6.3
+VERSION= 4.6.5
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel46-${VERSION}
-PKGREVISION= 4
+#PKGREVISION= 4
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel46/distinfo b/sysutils/xenkernel46/distinfo
index 17159dee776..5981606c70e 100644
--- a/sysutils/xenkernel46/distinfo
+++ b/sysutils/xenkernel46/distinfo
@@ -1,25 +1,10 @@
-$NetBSD: distinfo,v 1.6 2017/02/14 21:38:34 joerg Exp $
+$NetBSD: distinfo,v 1.7 2017/03/20 18:17:12 bouyer Exp $
-SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349
-RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
-SHA512 (xen-4.6.3.tar.gz) = 187a860b40c05139f22b8498a5fae1db173c3110d957147af29a56cb83b7111c9dc4946d65f9dffc847001fc01c5e9bf51886eaa1194bb9cfd0b6dbcd43a2c5c
-Size (xen-4.6.3.tar.gz) = 19707041 bytes
+SHA1 (xen-4.6.5.tar.gz) = af371af662211ee1480167b6c9e35142156f3a8d
+RMD160 (xen-4.6.5.tar.gz) = 3f2468d7d3715d14842ac57b2180118ef48e93fa
+SHA512 (xen-4.6.5.tar.gz) = d3e1b16fa9d695a5fc28ca4375b8de3dfcab480437d4d0151972d9f286528c9f667841e7a6888c918c580371d6984658a8d3b92235553c8c9c052d93154547b5
+Size (xen-4.6.5.tar.gz) = 19712756 bytes
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
-SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019
-SHA1 (patch-XSA-186-1) = 71e4a6c4c683891bac50682a3ab69a204fb681ad
-SHA1 (patch-XSA-186-2) = 6094c2efe468e3f31712659be9a71af2cbe8dc1f
-SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56
-SHA1 (patch-XSA-187-2) = f5308fee03a5d73c8aa283eb82cc36a6a3d3bc06
-SHA1 (patch-XSA-191) = adf1b0d6d8a17b6585fd0ecbe0ca77517623e0af
-SHA1 (patch-XSA-192) = b8b289f4af6b2cebeea16246398d2c473a9e90c1
-SHA1 (patch-XSA-193) = 89fdeea8af25de42bbd207df1b2f3dcd3b61778f
-SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
-SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
-SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
-SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874
-SHA1 (patch-XSA-202) = 52cb1da3bb078f6b7574f606b8c9cacdf24f6518
-SHA1 (patch-XSA-203) = 43310c4e95e0070a24e6a847502e057b9e0eefe9
-SHA1 (patch-XSA-204) = 05defb8d99976a712024d35a81f4dde5627107d9
 SHA1 (patch-tools_xentrace_xenalyze.c) = ab973cb7090dc90867dcddf9ab8965f8f2f36c46
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
diff --git a/sysutils/xenkernel46/patches/patch-XSA-185 b/sysutils/xenkernel46/patches/patch-XSA-185
deleted file mode 100644
index 2b9b23171e7..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-185
+++ /dev/null
@@ -1,37 +0,0 @@
-$NetBSD: patch-XSA-185,v 1.1 2016/09/08 15:44:07 bouyer Exp $
-
-From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Mon, 8 Aug 2016 10:58:12 +0100
-Subject: x86/32on64: don't allow recursive page tables from L3
-
-L3 entries are special in PAE mode, and hence can't reasonably be used
-for setting up recursive (and hence linear) page table mappings. Since
-abuse is possible when the guest in fact gets run on 4-level page
-tables, this needs to be excluded explicitly.
-
-This is XSA-185.
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/mm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 109b8be..69b8b8d 100644
---- xen/arch/x86/mm.c.orig
-+++ xen/arch/x86/mm.c
-@@ -1122,7 +1122,9 @@ get_page_from_l3e(
-
- rc = get_page_and_type_from_pagenr(
- l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
-- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
-+ if ( unlikely(rc == -EINVAL) &&
-+ !is_pv_32bit_domain(d) &&
-+ get_l3_linear_pagetable(l3e, pfn, d) )
- rc = 0;
-
- return rc;
diff --git a/sysutils/xenkernel46/patches/patch-XSA-186-1 b/sysutils/xenkernel46/patches/patch-XSA-186-1
deleted file mode 100644
index 9459fadbf19..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-186-1
+++ /dev/null
@@ -1,43 +0,0 @@
-$NetBSD: patch-XSA-186-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
-
-The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
-rdtsc, but isn't really an instruction prefix. It behaves as a break-out into
-Xen, with the purpose of emulating the next instruction in the current state.
-
-It is important to be able to test legal situations which occur in real
-hardware, including instruction which cross certain boundaries, and
-instructions starting at 0.
-
-Reported-by: Brian Marcotte <marcotte@panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- xen/arch/x86/hvm/svm/svm.c.orig
-+++ xen/arch/x86/hvm/svm/svm.c
-@@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru
- {
- regs->eip += sizeof(sig);
- regs->eflags &= ~X86_EFLAGS_RF;
-+
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( svm_guest_x86_mode(current) != 8 )
-+ regs->eip = regs->_eip;
- }
- }
-
---- xen/arch/x86/hvm/vmx/vmx.c.orig
-+++ xen/arch/x86/hvm/vmx/vmx.c
-@@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru
- {
- regs->eip += sizeof(sig);
- regs->eflags &= ~X86_EFLAGS_RF;
-+
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( vmx_guest_x86_mode(current) != 8 )
-+ regs->eip = regs->_eip;
- }
- }
-
diff --git a/sysutils/xenkernel46/patches/patch-XSA-186-2 b/sysutils/xenkernel46/patches/patch-XSA-186-2
deleted file mode 100644
index 52ca53aa4d2..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-186-2
+++ /dev/null
@@ -1,73 +0,0 @@
-From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 22 Jul 2016 16:02:54 +0000
-Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
- instructions
-
-This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
-
-Experimentally, in long mode processors will execute an instruction stream
-which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
-boundary is aligned on the virtual boundary, or is misaligned.
-
-In compatibility mode, Intel processors will execute an instruction stream
-which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
-segmentation fault. Xen's segmentation behaviour matches AMD.
-
-For 16bit code, hardware does not ever truncated %ip. %eip is always used and
-behaves normally as a 32bit register, including in 16bit protected mode
-segments, as well as in Real and Unreal mode.
-
-This is XSA-186
-
-Reported-by: Brian Marcotte <marcotte@panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
- 1 file changed, 4 insertions(+), 18 deletions(-)
-
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index d5a56cf..bf3529a 100644
---- xen/arch/x86/x86_emulate/x86_emulate.c.orig
-+++ xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -1570,10 +1570,6 @@ x86_emulate(
- #endif
- }
-
-- /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
-- if ( def_ad_bytes < sizeof(_regs.eip) )
-- _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
--
- /* Prefix bytes. */
- for ( ; ; )
- {
-@@ -3906,21 +3902,11 @@ x86_emulate(
-
- /* Commit shadow register state. */
- _regs.eflags &= ~EFLG_RF;
-- switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
-- {
-- uint16_t ip;
-
-- case 2:
-- ip = _regs.eip;
-- _regs.eip = ctxt->regs->eip;
-- *(uint16_t *)&_regs.eip = ip;
-- break;
--#ifdef __x86_64__
-- case 4:
-- _regs.rip = _regs._eip;
-- break;
--#endif
-- }
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( def_ad_bytes < sizeof(_regs.eip) )
-+ _regs.eip = (uint32_t)_regs.eip;
-+
- *ctxt->regs = _regs;
-
- done:
---
-2.1.4
-
diff --git a/sysutils/xenkernel46/patches/patch-XSA-187-1 b/sysutils/xenkernel46/patches/patch-XSA-187-1
deleted file mode 100644
index 9cbe734120e..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-187-1
+++ /dev/null
@@ -1,44 +0,0 @@
-$NetBSD: patch-XSA-187-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
-
-hvm_get_seg_reg() does not perform a range check on its input segment, calls
-hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
-
-x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
-in {vmx,svm}_get_segment_register().
-
-HVM guests running with shadow paging can end up performing a virtual to
-linear translation with x86_seg_none. This is used for addresses which are
-already linear. However, none of this is a legitimate pagetable update, so
-fail the emulation in such a case.
-
-This is XSA-187
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-
---- xen/arch/x86/mm/shadow/common.c.orig
-+++ xen/arch/x86/mm/shadow/common.c
-@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
- struct sh_emulate_ctxt *sh_ctxt,
- unsigned long *paddr)
- {
-- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ struct segment_register *reg;
- int okay;
-
-+ /*
-+ * Can arrive here with non-user segments. However, no such cirucmstance
-+ * is part of a legitimate pagetable update, so fail the emulation.
-+ */
-+ if ( !is_x86_user_segment(seg) )
-+ return X86EMUL_UNHANDLEABLE;
-+
-+ reg = hvm_get_seg_reg(seg, sh_ctxt);
-+
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-
diff --git a/sysutils/xenkernel46/patches/patch-XSA-187-2 b/sysutils/xenkernel46/patches/patch-XSA-187-2
deleted file mode 100644
index c9d59e88051..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-187-2
+++ /dev/null
@@ -1,144 +0,0 @@
-$NetBSD: patch-XSA-187-2,v 1.1 2016/09/08 15:44:07 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
-
-HVM HAP codepaths have space for all segment registers in the seg_reg[]
-cache (with x86_seg_none still risking an array overrun), while the shadow
-codepaths only have space for the user segments.
-
-Range check the input segment of *_get_seg_reg() against the size of the array
-used to cache the results, to avoid overruns in the case that the callers
-don't filter their input suitably.
-
-Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
-an incomplete attempt at range checking, and are now superceeded. Make
-hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
-
-No functional change, but far easier to reason that no overflow is possible.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-
---- xen/arch/x86/hvm/emulate.c.orig
-+++ xen/arch/x86/hvm/emulate.c
-@@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear(
- ? 1 : 4096);
-
- reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
- {
-@@ -1360,6 +1362,10 @@ static int hvmemul_read_segment(
- struct hvm_emulate_ctxt *hvmemul_ctxt =
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(reg, sreg, sizeof(struct segment_register));
- return X86EMUL_OKAY;
- }
-@@ -1373,6 +1379,9 @@ static int hvmemul_write_segment(
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(sreg, reg, sizeof(struct segment_register));
- __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
-
-@@ -1911,10 +1920,17 @@ void hvm_emulate_writeback(
- }
- }
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvmemul_get_seg_reg(
- enum x86_segment seg,
- struct hvm_emulate_ctxt *hvmemul_ctxt)
- {
-+ if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
- if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
- hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
- return &hvmemul_ctxt->seg_reg[seg];
---- xen/arch/x86/mm/shadow/common.c.orig
-+++ xen/arch/x86/mm/shadow/common.c
-@@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init);
- /* x86 emulator support for the shadow code
- */
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvm_get_seg_reg(
- enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
- {
-- struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
-+ struct segment_register *seg_reg;
-+
-+ if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
-+ seg_reg = &sh_ctxt->seg_reg[seg];
- if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
- hvm_get_segment_register(current, seg, seg_reg);
- return seg_reg;
-@@ -145,14 +154,9 @@ static int hvm_translate_linear_addr(
- struct segment_register *reg;
- int okay;
-
-- /*
-- * Can arrive here with non-user segments. However, no such cirucmstance
-- * is part of a legitimate pagetable update, so fail the emulation.
-- */
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-@@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg,
- unsigned long addr;
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- /* How many emulations could we save if we unshadowed on stack writes? */
- if ( seg == x86_seg_ss )
- perfc_incr(shadow_fault_emulate_stack);
-@@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
- unsigned long addr, old[2], new[2];
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- rc = hvm_translate_linear_addr(
- seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
- if ( rc )
---- xen/include/asm-x86/hvm/emulate.h.orig
-+++ xen/include/asm-x86/hvm/emulate.h
-@@ -13,6 +13,7 @@
- #define __ASM_X86_HVM_EMULATE_H__
-
- #include <xen/config.h>
-+#include <xen/err.h>
- #include <asm/hvm/hvm.h>
- #include <asm/x86_emulate.h>
-
diff --git a/sysutils/xenkernel46/patches/patch-XSA-191 b/sysutils/xenkernel46/patches/patch-XSA-191
deleted file mode 100644
index d383b4f9b17..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-191
+++ /dev/null
@@ -1,140 +0,0 @@
-$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:59:01 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/hvm: Fix the handling of non-present segments
-
-In 32bit, the data segments may be NULL to indicate that the segment is
-ineligible for use. In both 32bit and 64bit, the LDT selector may be NULL to
-indicate that the entire LDT is ineligible for use. However, nothing in Xen
-actually checks for this condition when performing other segmentation
-checks. (Note however that limit and writeability checks are correctly
-performed).
-
-Neither Intel nor AMD specify the exact behaviour of loading a NULL segment.
-Experimentally, AMD zeroes all attributes but leaves the base and limit
-unmodified. Intel zeroes the base, sets the limit to 0xfffffff and resets the
-attributes to just .G and .D/B.
-
-The use of the segment information in the VMCB/VMCS is equivalent to a native
-pipeline interacting with the segment cache. The present bit can therefore
-have a subtly different meaning, and it is now cooked to uniformly indicate
-whether the segment is usable or not.
-
-GDTR and IDTR don't have access rights like the other segments, but for
-consistency, they are treated as being present so no special casing is needed
-elsewhere in the segmentation logic.
-
-AMD hardware does not consider the present bit for %cs and %tr, and will
-function as if they were present. They are therefore unconditionally set to
-present when reading information from the VMCB, to maintain the new meaning of
-usability.
-
-Intel hardware has a separate unusable bit in the VMCS segment attributes.
-This bit is inverted and stored in the present field, so the hvm code can work
-with architecturally-common state.
-
-This is XSA-191.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- xen/arch/x86/hvm/hvm.c.orig
-+++ xen/arch/x86/hvm/hvm.c
-@@ -3666,6 +3666,10 @@ int hvm_virtual_to_linear_addr(
- * COMPATIBILITY MODE: Apply segment checks and add base.
- */
-
-+ /* Segment not valid for use (cooked meaning of .p)? */
-+ if ( !reg->attr.fields.p )
-+ return 0;
-+
- switch ( access_type )
- {
- case hvm_access_read:
-@@ -3871,6 +3875,10 @@ static int hvm_load_segment_selector(
- hvm_get_segment_register(
- v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab);
-
-+ /* Segment not valid for use (cooked meaning of .p)? */
-+ if ( !desctab.attr.fields.p )
-+ goto fail;
-+
- /* Check against descriptor table limit. */
- if ( ((sel & 0xfff8) + 7) > desctab.limit )
- goto fail;
---- xen/arch/x86/hvm/svm/svm.c.orig
-+++ xen/arch/x86/hvm/svm/svm.c
-@@ -620,6 +620,7 @@ static void svm_get_segment_register(str
- {
- case x86_seg_cs:
- memcpy(reg, &vmcb->cs, sizeof(*reg));
-+ reg->attr.fields.p = 1;
- reg->attr.fields.g = reg->limit > 0xFFFFF;
- break;
- case x86_seg_ds:
-@@ -653,13 +654,16 @@ static void svm_get_segment_register(str
- case x86_seg_tr:
- svm_sync_vmcb(v);
- memcpy(reg, &vmcb->tr, sizeof(*reg));
-+ reg->attr.fields.p = 1;
- reg->attr.fields.type |= 0x2;
- break;
- case x86_seg_gdtr:
- memcpy(reg, &vmcb->gdtr, sizeof(*reg));
-+ reg->attr.bytes = 0x80;
- break;
- case x86_seg_idtr:
- memcpy(reg, &vmcb->idtr, sizeof(*reg));
-+ reg->attr.bytes = 0x80;
- break;
- case x86_seg_ldtr:
- svm_sync_vmcb(v);
---- xen/arch/x86/hvm/vmx/vmx.c.orig
-+++ xen/arch/x86/hvm/vmx/vmx.c
-@@ -867,10 +867,12 @@ void vmx_get_segment_register(struct vcp
- reg->sel = sel;
- reg->limit = limit;
-
-- reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00);
-- /* Unusable flag is folded into Present flag. */
-- if ( attr & (1u<<16) )
-- reg->attr.fields.p = 0;
-+ /*
-+ * Fold VT-x representation into Xen's representation. The Present bit is
-+ * unconditionally set to the inverse of unusable.
-+ */
-+ reg->attr.bytes =
-+ (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00);
-
- /* Adjust for virtual 8086 mode */
- if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr
-@@ -950,11 +952,11 @@ static void vmx_set_segment_register(str
- }
- }
-
-- attr = ((attr & 0xf00) << 4) | (attr & 0xff);
--
-- /* Not-present must mean unusable. */
-- if ( !reg->attr.fields.p )
-- attr |= (1u << 16);
-+ /*
-+ * Unfold Xen representation into VT-x representation. The unusable bit
-+ * is unconditionally set to the inverse of present.
-+ */
-+ attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff);
-
- /* VMX has strict consistency requirement for flag G. */
- attr |= !!(limit >> 20) << 15;
---- xen/arch/x86/x86_emulate/x86_emulate.c.orig
-+++ xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -1209,6 +1209,10 @@ protmode_load_seg(
- &desctab, ctxt)) )
- return rc;
-
-+ /* Segment not valid for use (cooked meaning of .p)? */
-+ if ( !desctab.attr.fields.p )
-+ goto raise_exn;
-+
- /* Check against descriptor table limit. */
- if ( ((sel & 0xfff8) + 7) > desctab.limit )
- goto raise_exn;
diff --git a/sysutils/xenkernel46/patches/patch-XSA-192 b/sysutils/xenkernel46/patches/patch-XSA-192
deleted file mode 100644
index 86d55f06f5a..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-192
+++ /dev/null
@@ -1,66 +0,0 @@
-$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:59:01 bouyer Exp $
-
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch
-
-Just like TR, LDTR is purely a protected mode facility and hence needs
-to be loaded accordingly. Also move its loading to where it
-architecurally belongs.
-
-This is XSA-192.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- xen/arch/x86/hvm/hvm.c.orig
-+++ xen/arch/x86/hvm/hvm.c
-@@ -2728,17 +2728,16 @@ static void hvm_unmap_entry(void *p)
- }
-
- static int hvm_load_segment_selector(
-- enum x86_segment seg, uint16_t sel)
-+ enum x86_segment seg, uint16_t sel, unsigned int eflags)
- {
- struct segment_register desctab, cs, segr;
- struct desc_struct *pdesc, desc;
- u8 dpl, rpl, cpl;
- bool_t writable;
- int fault_type = TRAP_invalid_tss;
-- struct cpu_user_regs *regs = guest_cpu_user_regs();
- struct vcpu *v = current;
-
-- if ( regs->eflags & X86_EFLAGS_VM )
-+ if ( eflags & X86_EFLAGS_VM )
- {
- segr.sel = sel;
- segr.base = (uint32_t)sel << 4;
-@@ -2986,6 +2985,8 @@ void hvm_task_switch(
- if ( rc != HVMCOPY_okay )
- goto out;
-
-+ if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) )
-+ goto out;
-
- if ( hvm_set_cr3(tss.cr3, 1) )
- goto out;
-@@ -3008,13 +3009,12 @@ void hvm_task_switch(
- }
-
- exn_raised = 0;
-- if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) ||
-- hvm_load_segment_selector(x86_seg_es, tss.es) ||
-- hvm_load_segment_selector(x86_seg_cs, tss.cs) ||
-- hvm_load_segment_selector(x86_seg_ss, tss.ss) ||
-- hvm_load_segment_selector(x86_seg_ds, tss.ds) ||
-- hvm_load_segment_selector(x86_seg_fs, tss.fs) ||
-- hvm_load_segment_selector(x86_seg_gs, tss.gs) )
-+ if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) )
- exn_raised = 1;
-
- rc = hvm_copy_to_guest_virt(
diff --git a/sysutils/xenkernel46/patches/patch-XSA-193 b/sysutils/xenkernel46/patches/patch-XSA-193
deleted file mode 100644
index a01a16dfaea..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-193
+++ /dev/null
@@ -1,70 +0,0 @@
-$NetBSD: patch-XSA-193,v 1.1 2016/11/22 20:59:01 bouyer Exp $
-
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/PV: writes of %fs and %gs base MSRs require canonical addresses
-
-Commit c42494acb2 ("x86: fix FS/GS base handling when using the
-fsgsbase feature") replaced the use of wrmsr_safe() on these paths
-without recognizing that wr{f,g}sbase() use just wrmsrl() and that the
-WR{F,G}SBASE instructions also raise #GP for non-canonical input.
-
-Similarly arch_set_info_guest() needs to prevent non-canonical
-addresses from getting stored into state later to be loaded by context
-switch code. For consistency also check stack pointers and LDT base.
-DR0..3, otoh, already get properly checked in set_debugreg() (albeit
-we discard the error there).
-
-The SHADOW_GS_BASE check isn't strictly necessary, but I think we
-better avoid trying the WRMSR if we know it's going to fail.
-
-This is XSA-193.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- xen/arch/x86/domain.c.orig
-+++ xen/arch/x86/domain.c
-@@ -890,7 +890,13 @@ int arch_set_info_guest(
- {
- if ( !compat )
- {
-- if ( !is_canonical_address(c.nat->user_regs.eip) ||
-+ if ( !is_canonical_address(c.nat->user_regs.rip) ||
-+ !is_canonical_address(c.nat->user_regs.rsp) ||
-+ !is_canonical_address(c.nat->kernel_sp) ||
-+ (c.nat->ldt_ents && !is_canonical_address(c.nat->ldt_base)) ||
-+ !is_canonical_address(c.nat->fs_base) ||
-+ !is_canonical_address(c.nat->gs_base_kernel) ||
-+ !is_canonical_address(c.nat->gs_base_user) ||
- !is_canonical_address(c.nat->event_callback_eip) ||
- !is_canonical_address(c.nat->syscall_callback_eip) ||
- !is_canonical_address(c.nat->failsafe_callback_eip) )
---- xen/arch/x86/traps.c.orig
-+++ xen/arch/x86/traps.c
-@@ -2723,19 +2723,22 @@ static int emulate_privileged_op(struct
- switch ( regs->_ecx )
- {
- case MSR_FS_BASE:
-- if ( is_pv_32bit_domain(currd) )
-+ if ( is_pv_32bit_domain(currd) ||
-+ !is_canonical_address(msr_content) )
- goto fail;
- wrfsbase(msr_content);
- v->arch.pv_vcpu.fs_base = msr_content;
- break;
- case MSR_GS_BASE:
-- if ( is_pv_32bit_domain(currd) )
-+ if ( is_pv_32bit_domain(currd) ||
-+ !is_canonical_address(msr_content) )
- goto fail;
- wrgsbase(msr_content);
- v->arch.pv_vcpu.gs_base_kernel = msr_content;
- break;
- case MSR_SHADOW_GS_BASE:
-- if ( is_pv_32bit_domain(currd) )
-+ if ( is_pv_32bit_domain(currd) ||
-+ !is_canonical_address(msr_content) )
- goto fail;
- if ( wrmsr_safe(MSR_SHADOW_GS_BASE, msr_content) )
- goto fail;
diff --git a/sysutils/xenkernel46/patches/patch-XSA-195 b/sysutils/xenkernel46/patches/patch-XSA-195
deleted file mode 100644
index 7a2b0f77029..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-195
+++ /dev/null
@@ -1,47 +0,0 @@
-$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:59:01 bouyer Exp $
-
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86emul: fix huge bit offset handling
-
-We must never chop off the high 32 bits.
-
-This is XSA-195.
-
-Reported-by: George Dunlap <george.dunlap@citrix.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- xen/arch/x86/x86_emulate/x86_emulate.c.orig
-+++ xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -2549,6 +2549,12 @@ x86_emulate(
- else
- {
- /*
-+ * Instructions such as bt can reference an arbitrary offset from
-+ * their memory operand, but the instruction doing the actual
-+ * emulation needs the appropriate op_bytes read from memory.
-+ * Adjust both the source register and memory operand to make an
-+ * equivalent instruction.
-+ *
- * EA += BitOffset DIV op_bytes*8
- * BitOffset = BitOffset MOD op_bytes*8
- * DIV truncates towards negative infinity.
-@@ -2560,14 +2566,15 @@ x86_emulate(
- src.val = (int32_t)src.val;
- if ( (long)src.val < 0 )
- {
-- unsigned long byte_offset;
-- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
-+ unsigned long byte_offset =
-+ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
-+
- ea.mem.off -= byte_offset;
- src.val = (byte_offset << 3) + src.val;
- }
- else
- {
-- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
-+ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
- src.val &= (op_bytes << 3) - 1;
- }
- }
diff --git a/sysutils/xenkernel46/patches/patch-XSA-196-1 b/sysutils/xenkernel46/patches/patch-XSA-196-1
deleted file mode 100644
index ef8c6118578..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-196-1
+++ /dev/null
@@ -1,63 +0,0 @@
-$NetBSD: patch-XSA-196-1,v 1.1 2016/11/22 20:59:01 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/emul: Correct the IDT entry calculation in inject_swint()
-
-The logic, as introduced in c/s 36ebf14ebe "x86/emulate: support for emulating
-software event injection" is buggy. The size of an IDT entry depends on long
-mode being active, not the width of the code segment currently in use.
-
-In particular, this means that a compatibility code segment which hits
-emulation for software event injection will end up using an incorrect offset
-in the IDT for DPL/Presence checking. In practice, this only occurs on old
-AMD hardware lacking NRip support; all newer AMD hardware, and all Intel
-hardware bypass this path in the emulator.
-
-While here, fix a minor issue with reading the IDT entry. The return value
-from ops->read() wasn't checked, but in reality the only failure case is if a
-pagefault occurs. This is not a realistic problem as the kernel will almost
-certainly crash with a double fault if this setup actually occured.
-
-This is part of XSA-196.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/x86_emulate/x86_emulate.c | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index 7a707dc..f74aa8f 100644
---- xen/arch/x86/x86_emulate/x86_emulate.c.orig
-+++ xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -1630,10 +1630,16 @@ static int inject_swint(enum x86_swint_type type,
- {
- if ( !in_realmode(ctxt, ops) )
- {
-- unsigned int idte_size = (ctxt->addr_size == 64) ? 16 : 8;
-- unsigned int idte_offset = vector * idte_size;
-+ unsigned int idte_size, idte_offset;
- struct segment_register idtr;
- uint32_t idte_ctl;
-+ int lm = in_longmode(ctxt, ops);
-+
-+ if ( lm < 0 )
-+ return X86EMUL_UNHANDLEABLE;
-+
-+ idte_size = lm ? 16 : 8;
-+ idte_offset = vector * idte_size;
-
- /* icebp sets the External Event bit despite being an instruction. */
- error_code = (vector << 3) | ECODE_IDT |
-@@ -1661,8 +1667,9 @@ static int inject_swint(enum x86_swint_type type,
- * Should strictly speaking read all 8/16 bytes of an entry,
- * but we currently only care about the dpl and present bits.
- */
-- ops->read(x86_seg_none, idtr.base + idte_offset + 4,
-- &idte_ctl, sizeof(idte_ctl), ctxt);
-+ if ( (rc = ops->read(x86_seg_none, idtr.base + idte_offset + 4,
-+ &idte_ctl, sizeof(idte_ctl), ctxt)) )
-+ goto done;
-
- /* Is this entry present? */
- if ( !(idte_ctl & (1u << 15)) )
diff --git a/sysutils/xenkernel46/patches/patch-XSA-196-2 b/sysutils/xenkernel46/patches/patch-XSA-196-2
deleted file mode 100644
index d448d695181..00000000000
--- a/sysutils/xenkernel46/patches/patch-XSA-196-2
+++ /dev/null
@@ -1,78 +0,0 @@ -$NetBSD: patch-XSA-196-2,v 1.1 2016/11/22 20:59:01 bouyer Exp $ - -From: Andrew Cooper <andrew.cooper3@citrix.com> -Subject: x86/svm: Fix injection of software interrupts - -The non-NextRip logic in c/s 36ebf14eb "x86/emulate: support for emulating -software event injection" was based on an older version of the AMD software -manual. The manual was later corrected, following findings from that series. - -I took the original wording of "not supported without NextRIP" to mean that -X86_EVENTTYPE_SW_INTERRUPT was not eligible for use. It turns out that this -is not the case, and the new wording is clearer on the matter. - -Despite testing the original patch series on non-NRip hardware, the -swint-emulation XTF test case focuses on the debug vectors; it never ended up -executing an `int $n` instruction for a vector which wasn't also an exception. - -During a vmentry, the use of X86_EVENTTYPE_HW_EXCEPTION comes with a vector -check to ensure that it is only used with exception vectors. Xen's use of -X86_EVENTTYPE_HW_EXCEPTION for `int $n` injection has always been buggy on AMD -hardware. - -Fix this by always using X86_EVENTTYPE_SW_INTERRUPT. - -Print and decode the eventinj information in svm_vmcb_dump(), as it has -several invalid combinations which cause vmentry failures. - -This is part of XSA-196. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- - xen/arch/x86/hvm/svm/svm.c | 13 +++++-------- - xen/arch/x86/hvm/svm/svmdebug.c | 4 ++++ - 2 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c -index 4391744..76efc3e 100644 ---- xen/arch/x86/hvm/svm/svm.c.orig -+++ xen/arch/x86/hvm/svm/svm.c -@@ -1231,17 +1231,14 @@ static void svm_inject_trap(const struct hvm_trap *trap) - { - case X86_EVENTTYPE_SW_INTERRUPT: /* int $n */ - /* -- * Injection type 4 (software interrupt) is only supported with -- * NextRIP support. 
Without NextRIP, the emulator will have performed -- * DPL and presence checks for us. -+ * Software interrupts (type 4) cannot be properly injected if the -+ * processor doesn't support NextRIP. Without NextRIP, the emulator -+ * will have performed DPL and presence checks for us, and will have -+ * moved eip forward if appropriate. - */ - if ( cpu_has_svm_nrips ) -- { - vmcb->nextrip = regs->eip + _trap.insn_len; -- event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; -- } -- else -- event.fields.type = X86_EVENTTYPE_HW_EXCEPTION; -+ event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; - break; - - case X86_EVENTTYPE_PRI_SW_EXCEPTION: /* icebp */ -diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c -index ded5d19..f93dfed 100644 ---- xen/arch/x86/hvm/svm/svmdebug.c.orig -+++ xen/arch/x86/hvm/svm/svmdebug.c -@@ -48,6 +48,10 @@ void svm_vmcb_dump(const char *from, struct vmcb_struct *vmcb) - vmcb->tlb_control, - (unsigned long long)vmcb->_vintr.bytes, - (unsigned long long)vmcb->interrupt_shadow); -+ printk("eventinj %016"PRIx64", valid? %d, ec? %d, type %u, vector %#x\n", -+ vmcb->eventinj.bytes, vmcb->eventinj.fields.v, -+ vmcb->eventinj.fields.ev, vmcb->eventinj.fields.type, -+ vmcb->eventinj.fields.vector); - printk("exitcode = %#Lx exitintinfo = %#Lx\n", - (unsigned long long)vmcb->exitcode, - (unsigned long long)vmcb->exitintinfo.bytes); diff --git a/sysutils/xenkernel46/patches/patch-XSA-200 b/sysutils/xenkernel46/patches/patch-XSA-200 deleted file mode 100644 index ac0612764bc..00000000000 --- a/sysutils/xenkernel46/patches/patch-XSA-200 +++ /dev/null 
@@ -1,57 +0,0 @@ -$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:29 bouyer Exp $ - -From: Jan Beulich <jbeulich@suse.com> -Subject: x86emul: CMPXCHG8B ignores operand size prefix - -Otherwise besides mis-handling the instruction, the comparison failure -case would result in uninitialized stack data being handed back to the -guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit -ones). - -This is XSA-200. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> - ---- tools/tests/x86_emulator/test_x86_emulator.c.orig -+++ tools/tests/x86_emulator/test_x86_emulator.c -@@ -429,6 +429,24 @@ int main(int argc, char **argv) - goto fail; - printf("okay\n"); - -+ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]..."); -+ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f; -+ res[0] = 0x12345678; -+ res[1] = 0x87654321; -+ regs.eflags = 0x200; -+ regs.eip = (unsigned long)&instr[0]; -+ regs.edi = (unsigned long)res; -+ rc = x86_emulate(&ctxt, &emulops); -+ if ( (rc != X86EMUL_OKAY) || -+ (res[0] != 0x12345678) || -+ (res[1] != 0x87654321) || -+ (regs.eax != 0x12345678) || -+ (regs.edx != 0x87654321) || -+ ((regs.eflags&0x240) != 0x200) || -+ (regs.eip != (unsigned long)&instr[4]) ) -+ goto fail; -+ printf("okay\n"); -+ - printf("%-40s", "Testing movsxbd (%%eax),%%ecx..."); - instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08; - regs.eflags = 0x200; ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig -+++ xen/arch/x86/x86_emulate/x86_emulate.c -@@ -4739,8 +4739,12 @@ x86_emulate( - generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1); - generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); - if ( op_bytes == 8 ) -+ { - vcpu_must_have_cx16(); -- op_bytes *= 2; -+ op_bytes = 16; -+ } -+ else -+ op_bytes = 8; - - /* Get actual old value. */ - if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes, 
diff --git a/sysutils/xenkernel46/patches/patch-XSA-202 b/sysutils/xenkernel46/patches/patch-XSA-202 deleted file mode 100644 index 2bb8bae74ee..00000000000 --- a/sysutils/xenkernel46/patches/patch-XSA-202 +++ /dev/null 
@@ -1,75 +0,0 @@ -$NetBSD: patch-XSA-202,v 1.1 2016/12/21 15:36:39 bouyer Exp $ - -From: Jan Beulich <jbeulich@suse.com> -Subject: x86: force EFLAGS.IF on when exiting to PV guests - -Guest kernels modifying instructions in the process of being emulated -for another of their vCPU-s may effect EFLAGS.IF to be cleared upon -next exiting to guest context, by converting the being emulated -instruction to CLI (at the right point in time). Prevent any such bad -effects by always forcing EFLAGS.IF on. And to cover hypothetical other -similar issues, also force EFLAGS.{IOPL,NT,VM} to zero. - -This is XSA-202. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> - ---- xen/arch/x86/x86_64/compat/entry.S.orig -+++ xen/arch/x86/x86_64/compat/entry.S -@@ -174,6 +174,8 @@ compat_bad_hypercall: - /* %rbx: struct vcpu, interrupts disabled */ - ENTRY(compat_restore_all_guest) - ASSERT_INTERRUPTS_DISABLED -+ mov $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d -+ and UREGS_eflags(%rsp),%r11d - .Lcr4_orig: - .skip .Lcr4_alt_end - .Lcr4_alt, 0x90 - .Lcr4_orig_end: -@@ -209,6 +211,8 @@ ENTRY(compat_restore_all_guest) - (.Lcr4_orig_end - .Lcr4_orig), \ - (.Lcr4_alt_end - .Lcr4_alt) - .popsection -+ or $X86_EFLAGS_IF,%r11 -+ mov %r11d,UREGS_eflags(%rsp) - RESTORE_ALL adj=8 compat=1 - .Lft0: iretq - ---- xen/arch/x86/x86_64/entry.S.orig -+++ xen/arch/x86/x86_64/entry.S -@@ -40,28 +40,29 @@ restore_all_guest: - testw $TRAP_syscall,4(%rsp) - jz iret_exit_to_guest - -+ movq 24(%rsp),%r11 # RFLAGS -+ andq $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11 -+ orq $X86_EFLAGS_IF,%r11 -+ - /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx - sarq $47,%rcx - incl %ecx - cmpl $1,%ecx -- ja .Lforce_iret -+ movq 8(%rsp),%rcx # RIP -+ ja iret_exit_to_guest - - cmpw $FLAT_USER_CS32,16(%rsp)# CS -- movq 8(%rsp),%rcx # RIP -- movq 24(%rsp),%r11 # RFLAGS - movq 32(%rsp),%rsp # RSP - je 1f - sysretq - 1: sysretl - --.Lforce_iret: -- /* Mimic SYSRET behavior. 
*/ -- movq 8(%rsp),%rcx # RIP -- movq 24(%rsp),%r11 # RFLAGS - ALIGN - /* No special register assumptions. */ - iret_exit_to_guest: -+ andl $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp) -+ orl $X86_EFLAGS_IF,24(%rsp) - addq $8,%rsp - .Lft0: iretq - diff --git a/sysutils/xenkernel46/patches/patch-XSA-203 b/sysutils/xenkernel46/patches/patch-XSA-203 deleted file mode 100644 index 5e739fbdd18..00000000000 --- a/sysutils/xenkernel46/patches/patch-XSA-203 +++ /dev/null @@ -1,21 +0,0 @@ -$NetBSD: patch-XSA-203,v 1.1 2016/12/21 15:36:39 bouyer Exp $ - -From: Jan Beulich <jbeulich@suse.com> -Subject: x86/HVM: add missing NULL check before using VMFUNC hook - -This is XSA-203. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> - ---- xen/arch/x86/hvm/emulate.c.orig -+++ xen/arch/x86/hvm/emulate.c -@@ -1643,6 +1643,8 @@ static int hvmemul_vmfunc( - { - int rc; - -+ if ( !hvm_funcs.altp2m_vcpu_emulate_vmfunc ) -+ return X86EMUL_UNHANDLEABLE; - rc = hvm_funcs.altp2m_vcpu_emulate_vmfunc(ctxt->regs); - if ( rc != X86EMUL_OKAY ) - hvmemul_inject_hw_exception(TRAP_invalid_op, 0, ctxt); diff --git a/sysutils/xenkernel46/patches/patch-XSA-204 b/sysutils/xenkernel46/patches/patch-XSA-204 deleted file mode 100644 index 804423de01e..00000000000 --- a/sysutils/xenkernel46/patches/patch-XSA-204 +++ /dev/null 
@@ -1,71 +0,0 @@ -$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:29 bouyer Exp $ - -From: Andrew Cooper <andrew.cooper3@citrix.com> -Date: Sun, 18 Dec 2016 15:42:59 +0000 -Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL - -A singlestep #DB is determined by the resulting eflags value from the -execution of SYSCALL, not the original eflags value. - -By using the original eflags value, we negate the guest kernels attempt to -protect itself from a privilege escalation by masking TF. - -Introduce a tf boolean and have the SYSCALL emulation recalculate it -after the instruction is complete. - -This is XSA-204 - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> ---- - xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - -diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index bca7045..abe442e 100644 ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig -+++ xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1582,6 +1582,7 @@ x86_emulate( - union vex vex = {}; - unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes; - bool_t lock_prefix = 0; -+ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF); - int override_seg = -1, rc = X86EMUL_OKAY; - struct operand src = { .reg = REG_POISON }; - struct operand dst = { .reg = REG_POISON }; -@@ -3910,9 +3911,8 @@ x86_emulate( - } - - no_writeback: -- /* Inject #DB if single-step tracing was enabled at instruction start. */ -- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) && -- (ops->inject_hw_exception != NULL) ) -+ /* Should a singlestep #DB be raised? */ -+ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) ) - rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION; - - /* Commit shadow register state. 
*/ -@@ -4143,6 +4143,23 @@ x86_emulate( - (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) ) - goto done; - -+ /* -+ * SYSCALL (unlike most instructions) evaluates its singlestep action -+ * based on the resulting EFLG_TF, not the starting EFLG_TF. -+ * -+ * As the #DB is raised after the CPL change and before the OS can -+ * switch stack, it is a large risk for privilege escalation. -+ * -+ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any -+ * vulnerability. Running the #DB handler on an IST stack is also a -+ * mitigation. -+ * -+ * 32bit kernels have no ability to mask EFLG_TF at all. Their only -+ * mitigation is to use a task gate for handling #DB (or to not use -+ * enable EFER.SCE to start with). -+ */ -+ tf = !!(_regs.eflags & EFLG_TF); -+ - break; - } - diff --git a/sysutils/xentools46/Makefile b/sysutils/xentools46/Makefile index 2d8d91c3430..dcd272aa54e 100644 --- a/sysutils/xentools46/Makefile +++ b/sysutils/xentools46/Makefile @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.12 2017/01/04 16:45:24 sborrill Exp $ +# $NetBSD: Makefile,v 1.13 2017/03/20 18:17:13 bouyer Exp $ # # VERSION is set in version.mk as it is shared with other packages .include "version.mk" DISTNAME= xen-${VERSION} PKGNAME= xentools46-${VERSION} -PKGREVISION= 6 +#PKGREVISION= 6 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools46/distinfo b/sysutils/xentools46/distinfo index 22fae40a404..e45c93bbf30 100644 --- a/sysutils/xentools46/distinfo +++ b/sysutils/xentools46/distinfo 
@@ -1,13 +1,13 @@ -$NetBSD: distinfo,v 1.4 2016/12/20 17:24:58 bouyer Exp $ +$NetBSD: distinfo,v 1.5 2017/03/20 18:17:13 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 SHA512 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes -SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349 -RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74 -SHA512 (xen-4.6.3.tar.gz) = 187a860b40c05139f22b8498a5fae1db173c3110d957147af29a56cb83b7111c9dc4946d65f9dffc847001fc01c5e9bf51886eaa1194bb9cfd0b6dbcd43a2c5c -Size (xen-4.6.3.tar.gz) = 19707041 bytes +SHA1 (xen-4.6.5.tar.gz) = af371af662211ee1480167b6c9e35142156f3a8d +RMD160 (xen-4.6.5.tar.gz) = 3f2468d7d3715d14842ac57b2180118ef48e93fa +SHA512 (xen-4.6.5.tar.gz) = d3e1b16fa9d695a5fc28ca4375b8de3dfcab480437d4d0151972d9f286528c9f667841e7a6888c918c580371d6984658a8d3b92235553c8c9c052d93154547b5 +Size (xen-4.6.5.tar.gz) = 19712756 bytes SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762 SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005 
@@ -20,10 +20,6 @@ SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736 SHA1 (patch-.._docs_misc_xl-disk-configuration.txt) = 5b59cfc2569d1a4c10d6c0fcb98ed35278723b79 SHA1 (patch-Makefile) = 87defa487fcc7ba36fada41a7347e2f969f59045 SHA1 (patch-Rules.mk) = ec0af52c494718204f15adac30ddd06713ff572c -SHA1 (patch-XSA-197-1) = 4d373d23cd7032cc505300d865b6eaa8e80e2290 -SHA1 (patch-XSA-197-2) = 3dc303f22d0744f64eb4552f4de10fc11f32bb01 -SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7 -SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1 SHA1 (patch-configure) = a58d149de07613fb03444234278778a6a24b9b26 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff diff --git a/sysutils/xentools46/patches/patch-XSA-197-1 b/sysutils/xentools46/patches/patch-XSA-197-1 deleted file mode 100644 index b41c894e000..00000000000 --- a/sysutils/xentools46/patches/patch-XSA-197-1 +++ /dev/null 
@@ -1,67 +0,0 @@ -$NetBSD: patch-XSA-197-1,v 1.1 2016/11/22 20:59:01 bouyer Exp $ - -From: Jan Beulich <jbeulich@suse.com> -Subject: xen: fix ioreq handling - -Avoid double fetches and bounds check size to avoid overflowing -internal variables. - -This is XSA-197. - -Reported-by: yanghongke <yanghongke@huawei.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Ian Jackson <ian.jackson@eu.citrix.com> - ---- qemu-xen-traditional/i386-dm/helper2.c.orig -+++ qemu-xen-traditional/i386-dm/helper2.c -@@ -375,6 +375,11 @@ static void cpu_ioreq_pio(CPUState *env, - { - uint32_t i; - -+ if (req->size > sizeof(unsigned long)) { -+ fprintf(stderr, "PIO: bad size (%u)\n", req->size); -+ exit(-1); -+ } -+ - if (req->dir == IOREQ_READ) { - if (!req->data_is_ptr) { - req->data = do_inp(env, req->addr, req->size); -@@ -404,6 +409,11 @@ static void cpu_ioreq_move(CPUState *env - { - uint32_t i; - -+ if (req->size > sizeof(req->data)) { -+ fprintf(stderr, "MMIO: bad size (%u)\n", req->size); -+ exit(-1); -+ } -+ - if (!req->data_is_ptr) { - if (req->dir == IOREQ_READ) { - for (i = 0; i < req->count; i++) { -@@ -516,11 +526,13 @@ static int __handle_buffered_iopage(CPUS - req.df = 1; - req.type = buf_req->type; - req.data_is_ptr = 0; -+ xen_rmb(); - qw = (req.size == 8); - if (qw) { - buf_req = &buffered_io_page->buf_ioreq[(rdptr + 1) % - IOREQ_BUFFER_SLOT_NUM]; - req.data |= ((uint64_t)buf_req->data) << 32; -+ xen_rmb(); - } - - __handle_ioreq(env, &req); -@@ -552,7 +564,11 @@ static void cpu_handle_ioreq(void *opaqu - - __handle_buffered_iopage(env); - if (req) { -- __handle_ioreq(env, req); -+ ioreq_t copy = *req; -+ -+ xen_rmb(); -+ __handle_ioreq(env, ©); -+ req->data = copy.data; - - if (req->state != STATE_IOREQ_INPROCESS) { - fprintf(logfile, "Badness in I/O request ... not in service?!: " diff --git a/sysutils/xentools46/patches/patch-XSA-197-2 b/sysutils/xentools46/patches/patch-XSA-197-2 deleted file mode 100644 index 70e65b2c6cb..00000000000 
--- a/sysutils/xentools46/patches/patch-XSA-197-2 +++ /dev/null @@ -1,65 +0,0 @@ -$NetBSD: patch-XSA-197-2,v 1.1 2016/11/22 20:59:01 bouyer Exp $ - -From: Jan Beulich <jbeulich@suse.com> -Subject: xen: fix ioreq handling - -Avoid double fetches and bounds check size to avoid overflowing -internal variables. - -This is XSA-197. - -Reported-by: yanghongke <yanghongke@huawei.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> - ---- qemu-xen/xen-hvm.c.orig -+++ qemu-xen/xen-hvm.c -@@ -817,6 +817,10 @@ static void cpu_ioreq_pio(ioreq_t *req) - { - uint32_t i; - -+ if (req->size > sizeof(uint32_t)) { -+ hw_error("PIO: bad size (%u)", req->size); -+ } -+ - if (req->dir == IOREQ_READ) { - if (!req->data_is_ptr) { - req->data = do_inp(req->addr, req->size); -@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req) - { - uint32_t i; - -+ if (req->size > sizeof(req->data)) { -+ hw_error("MMIO: bad size (%u)", req->size); -+ } -+ - if (!req->data_is_ptr) { - if (req->dir == IOREQ_READ) { - for (i = 0; i < req->count; i++) { -@@ -999,11 +1007,13 @@ static int handle_buffered_iopage(XenIOS - req.df = 1; - req.type = buf_req->type; - req.data_is_ptr = 0; -+ xen_rmb(); - qw = (req.size == 8); - if (qw) { - buf_req = &buf_page->buf_ioreq[(rdptr + 1) % - IOREQ_BUFFER_SLOT_NUM]; - req.data |= ((uint64_t)buf_req->data) << 32; -+ xen_rmb(); - } - - handle_ioreq(state, &req); -@@ -1034,7 +1044,11 @@ static void cpu_handle_ioreq(void *opaqu - - handle_buffered_iopage(state); - if (req) { -- handle_ioreq(state, req); -+ ioreq_t copy = *req; -+ -+ xen_rmb(); -+ handle_ioreq(state, ©); -+ req->data = copy.data; - - if (req->state != STATE_IOREQ_INPROCESS) { - fprintf(stderr, "Badness in I/O request ... not in service?!: " diff --git a/sysutils/xentools46/patches/patch-XSA-198 b/sysutils/xentools46/patches/patch-XSA-198 deleted file mode 100644 index 3795500b9ae..00000000000 
--- a/sysutils/xentools46/patches/patch-XSA-198 +++ /dev/null 
@@ -1,64 +0,0 @@ -$NetBSD: patch-XSA-198,v 1.1 2016/11/22 20:59:01 bouyer Exp $ - -From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001 -From: Ian Jackson <ian.jackson@eu.citrix.com> -Date: Thu, 3 Nov 2016 16:37:40 +0000 -Subject: [PATCH] pygrub: Properly quote results, when returning them to the - caller: - -* When the caller wants sexpr output, use `repr()' - This is what Xend expects. - - The returned S-expressions are now escaped and quoted by Python, - generally using '...'. Previously kernel and ramdisk were unquoted - and args was quoted with "..." but without proper escaping. This - change may break toolstacks which do not properly dequote the - returned S-expressions. - -* When the caller wants "simple" output, crash if the delimiter is - contained in the returned value. - - With --output-format=simple it does not seem like this could ever - happen, because the bootloader config parsers all take line-based - input from the various bootloader config files. - - With --output-format=simple0, this can happen if the bootloader - config file contains nul bytes. - -This is XSA-198. 
- -Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> -Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> -Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> ---- - tools/pygrub/src/pygrub | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub -index 40f9584..dd0c8f7 100755 ---- pygrub/src/pygrub.orig -+++ pygrub/src/pygrub -@@ -721,14 +721,17 @@ def sniff_netware(fs, cfg): - return cfg - - def format_sxp(kernel, ramdisk, args): -- s = "linux (kernel %s)" % kernel -+ s = "linux (kernel %s)" % repr(kernel) - if ramdisk: -- s += "(ramdisk %s)" % ramdisk -+ s += "(ramdisk %s)" % repr(ramdisk) - if args: -- s += "(args \"%s\")" % args -+ s += "(args %s)" % repr(args) - return s - - def format_simple(kernel, ramdisk, args, sep): -+ for check in (kernel, ramdisk, args): -+ if check is not None and sep in check: -+ raise RuntimeError, "simple format cannot represent delimiter-containing value" - s = ("kernel %s" % kernel) + sep - if ramdisk: - s += ("ramdisk %s" % ramdisk) + sep --- -2.1.4 - diff --git a/sysutils/xentools46/patches/patch-XSA-199 b/sysutils/xentools46/patches/patch-XSA-199 deleted file mode 100644 index d91d01cd430..00000000000 --- a/sysutils/xentools46/patches/patch-XSA-199 +++ /dev/null 
@@ -1,90 +0,0 @@ -$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $ - -From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 -From: Ian Jackson <ian.jackson@eu.citrix.com> -Date: Mon, 14 Nov 2016 17:19:46 +0000 -Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit - addresses - -On x86, ioport addresses are 16-bit. That these functions take 32-bit -arguments is a mistake. Changing the argument type to 16-bit will -discard the top bits of any erroneous values from elsewhere in qemu. - -Also, check just before use that the value is in range. (This turns -an ill-advised change to MAX_IOPORTS into a possible guest crash -rather than a privilege escalation vulnerability.) - -And, in the Xen ioreq processor, clamp incoming ioport addresses to -16-bit values. Xen will never write >16-bit values but the guest may -have access to the ioreq ring. We want to defend the rest of the qemu -code from wrong values. - -This is XSA-199. - -Reported-by: yanghongke <yanghongke@huawei.com> -Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> ---- - i386-dm/helper2.c | 2 ++ - vl.c | 9 +++++++-- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c -index 2706f2e..5d276bb 100644 ---- qemu-xen-traditional/i386-dm/helper2.c.orig -+++ qemu-xen-traditional/i386-dm/helper2.c -@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req) - { - uint32_t i; - -+ req->addr &= 0x0ffffU; -+ - if (req->size > sizeof(unsigned long)) { - fprintf(stderr, "PIO: bad size (%u)\n", req->size); - exit(-1); -diff --git a/vl.c b/vl.c -index f9c4d7e..c3c5d63 100644 ---- qemu-xen-traditional/vl.c.orig -+++ qemu-xen-traditional/vl.c -@@ -52,6 +52,7 @@ - - #include <xen/hvm/hvm_info_table.h> - -+#include <assert.h> - #include <unistd.h> - #include <fcntl.h> - #include <signal.h> -@@ -290,26 +291,30 @@ PicState2 *isa_pic; - static IOPortReadFunc default_ioport_readb, default_ioport_readw, 
default_ioport_readl; - static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel; - --static uint32_t ioport_read(int index, uint32_t address) -+static uint32_t ioport_read(int index, uint16_t address) - { - static IOPortReadFunc *default_func[3] = { - default_ioport_readb, - default_ioport_readw, - default_ioport_readl - }; -+ if (address >= MAX_IOPORTS) -+ abort(); - IOPortReadFunc *func = ioport_read_table[index][address]; - if (!func) - func = default_func[index]; - return func(ioport_opaque[address], address); - } - --static void ioport_write(int index, uint32_t address, uint32_t data) -+static void ioport_write(int index, uint16_t address, uint32_t data) - { - static IOPortWriteFunc *default_func[3] = { - default_ioport_writeb, - default_ioport_writew, - default_ioport_writel - }; -+ if (address >= MAX_IOPORTS) -+ abort(); - IOPortWriteFunc *func = ioport_write_table[index][address]; - if (!func) - func = default_func[index]; --- -2.1.4 diff --git a/sysutils/xentools46/version.mk b/sysutils/xentools46/version.mk index 896f20914c1..561e84a9e72 100644 --- a/sysutils/xentools46/version.mk +++ b/sysutils/xentools46/version.mk @@ -1,6 +1,6 @@ -# $NetBSD: version.mk,v 1.1 2017/01/04 16:37:29 sborrill Exp $ +# $NetBSD: version.mk,v 1.2 2017/03/20 18:17:13 bouyer Exp $ # # Version number is used by xentools46 and xenstoretools -VERSION= 4.6.3 +VERSION= 4.6.5 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e |