diff options
| author | bouyer <bouyer> | 2014-10-01 17:34:54 +0000 |
|---|---|---|
| committer | bouyer <bouyer> | 2014-10-01 17:34:54 +0000 |
| commit | 7aeb08c9b5f1ab00a360ccfc1495133eafb9b9aa (patch) | |
| tree | 71bb8ad1dfb7db072430255edab7727fa26ba4d3 /sysutils | |
| parent | ea7c8c5fbcfafd0f7cf01ab28c519b82add38414 (diff) | |
| download | pkgsrc-7aeb08c9b5f1ab00a360ccfc1495133eafb9b9aa.tar.gz | |
Add patch from upstream, fixing CVE-2014-7188 / XSA-108:
Improper MSR range used for x2APIC emulation
Bump PKGREVISION
Diffstat (limited to 'sysutils')
| -rw-r--r-- | sysutils/xenkernel42/Makefile | 3 | ||||
| -rw-r--r-- | sysutils/xenkernel42/distinfo | 3 | ||||
| -rw-r--r-- | sysutils/xenkernel42/patches/patch-xen_arch_x86_hvm_hvm.c | 38 |
3 files changed, 42 insertions, 2 deletions
diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile index 597cbec1561..5f002bfe2d4 100644 --- a/sysutils/xenkernel42/Makefile +++ b/sysutils/xenkernel42/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.8 2014/09/26 10:39:31 bouyer Exp $ +# $NetBSD: Makefile,v 1.9 2014/10/01 17:34:54 bouyer Exp $ VERSION= 4.2.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel42-${VERSION} +PKGREVISION= 1 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo index 13ee7a1823c..625754dcec4 100644 --- a/sysutils/xenkernel42/distinfo +++ b/sysutils/xenkernel42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.6 2014/09/26 10:39:31 bouyer Exp $ +$NetBSD: distinfo,v 1.7 2014/10/01 17:34:54 bouyer Exp $ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19 @@ -6,6 +6,7 @@ Size (xen-4.2.5.tar.gz) = 15671925 bytes SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 +SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f SHA1 (patch-xen_arch_x86_mm_shadow_common.c) = 89dce860cc6aef7d0ec31f3137616b592490e60a SHA1 (patch-xen_arch_x86_x86_emulate_x86_emulate.c) = 8b906e762c8f94a670398b4e033d50a2fb012f0a SHA1 (patch-xen_include_xen_lib.h) = 36dcaf3874a1b1214babc45d7e19fe3b556c1044 diff --git a/sysutils/xenkernel42/patches/patch-xen_arch_x86_hvm_hvm.c b/sysutils/xenkernel42/patches/patch-xen_arch_x86_hvm_hvm.c new file mode 100644 index 00000000000..fd86b066ec9 --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-xen_arch_x86_hvm_hvm.c @@ -0,0 +1,38 @@ +$NetBSD: patch-xen_arch_x86_hvm_hvm.c,v 1.1 2014/10/01 17:34:54 bouyer Exp $ + +x86/HVM: properly bound x2APIC MSR range + +While the write path change appears to be purely cosmetic (but still +gets done here for consistency), the read side mistake permitted +accesses beyond the virtual APIC page. + +Note that while this isn't fully in line with the specification +(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal +possible fix addressing the security issue and getting x2APIC related +code into a consistent shape (elsewhere a 256 rather than 1024 wide +window is being used too). This will be dealt with subsequently. + +This is XSA-108. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- xen/arch/x86/hvm/hvm.c.orig ++++ xen/arch/x86/hvm/hvm.c +@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int + *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; + break; + +- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: ++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: + if ( hvm_x2apic_msr_read(v, msr, msr_content) ) + goto gp_fault; + break; +@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int + vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); + break; + +- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: ++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: + if ( hvm_x2apic_msr_write(v, msr, msr_content) ) + goto gp_fault; + break; |