Diffstat (limited to 'sysutils/xenkernel41')
-rw-r--r--sysutils/xenkernel41/Makefile5
-rw-r--r--sysutils/xenkernel41/distinfo15
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2012-343215
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2012-343315
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2012-349415
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2012-349616
-rw-r--r--sysutils/xenkernel41/patches/patch-CVE-2012-349847
-rw-r--r--sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1124
-rw-r--r--sysutils/xenkernel41/patches/patch-xsa9-xen-4.148
9 files changed, 87 insertions, 213 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index be039f25fd6..bcccf43cf98 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.11 2012/08/10 09:59:47 drochner Exp $
+# $NetBSD: Makefile,v 1.12 2012/09/12 11:04:17 drochner Exp $
#
-VERSION= 4.1.2
+VERSION= 4.1.3
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 4
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
EXTRACT_SUFX= .tar.gz
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index b04ad13c858..71f0f48a2a0 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,11 +1,10 @@
-$NetBSD: distinfo,v 1.9 2012/08/10 09:59:47 drochner Exp $
+$NetBSD: distinfo,v 1.10 2012/09/12 11:04:17 drochner Exp $
-SHA1 (xen-4.1.2.tar.gz) = db584cb0a0cc614888d7df3b196d514fdb2edd6e
-RMD160 (xen-4.1.2.tar.gz) = 457797ec4be286afbbcad940a9ce04e44f3f40d6
-Size (xen-4.1.2.tar.gz) = 10365786 bytes
-SHA1 (patch-CVE-2012-3432) = e85b1adf1c683a1d086410f0c4265ed72a86d7fb
-SHA1 (patch-CVE-2012-3433) = 51ca4a6427c19dc31ba2bd05e4c09027d52a4ebc
+SHA1 (xen-4.1.3.tar.gz) = 0f688955262d08fba28361ca338f3ad0c0f53d74
+RMD160 (xen-4.1.3.tar.gz) = a6296a16579fd628a1ff2aa64b6b800e4913eeae
+Size (xen-4.1.3.tar.gz) = 10382132 bytes
+SHA1 (patch-CVE-2012-3494) = 166121ce515aaa2f2e399431be3ca7d2496c79c6
+SHA1 (patch-CVE-2012-3496) = c863d3e951d5aaa5659f9e1f38723f8326b8d8b8
+SHA1 (patch-CVE-2012-3498) = 2bb2b40675de498ae9fcc89ba5267b5be4a2c4c1
SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70
-SHA1 (patch-xsa7-xsa8-xen-4.1) = e48cfd4ae9e7a4d48e059738b3f36074d3982515
-SHA1 (patch-xsa9-xen-4.1) = 4bbefd6426e2a7b36ccecb81cc94dc33af34e4fb
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3432 b/sysutils/xenkernel41/patches/patch-CVE-2012-3432
deleted file mode 100644
index 93740b1034c..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2012-3432
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-CVE-2012-3432,v 1.1 2012/07/27 18:50:34 drochner Exp $
-
-see http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
-
---- xen/arch/x86/hvm/io.c.orig 2012-07-27 18:34:15.000000000 +0000
-+++ xen/arch/x86/hvm/io.c
-@@ -176,6 +176,8 @@ int handle_mmio(void)
-
- rc = hvm_emulate_one(&ctxt);
-
-+ if ( rc != X86EMUL_RETRY )
-+ curr->arch.hvm_vcpu.io_state = HVMIO_none;
- if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
- curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
- else
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3433 b/sysutils/xenkernel41/patches/patch-CVE-2012-3433
deleted file mode 100644
index b43a309b338..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2012-3433
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-CVE-2012-3433,v 1.1 2012/08/10 09:59:47 drochner Exp $
-
-see http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html
-
---- xen/arch/x86/mm/p2m.c.orig 2011-10-20 17:05:48.000000000 +0000
-+++ xen/arch/x86/mm/p2m.c
-@@ -2043,6 +2043,8 @@ void p2m_teardown(struct p2m_domain *p2m
- #ifdef __x86_64__
- for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )
- {
-+ if ( atomic_read(&d->shr_pages) == 0 )
-+ break;
- mfn = p2m->get_entry(p2m, gfn, &t, &a, p2m_query);
- if ( mfn_valid(mfn) && (t == p2m_ram_shared) )
- BUG_ON(mem_sharing_unshare_page(p2m, gfn, MEM_SHARING_DESTROY_GFN));
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3494 b/sysutils/xenkernel41/patches/patch-CVE-2012-3494
new file mode 100644
index 00000000000..9699fd59024
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3494
@@ -0,0 +1,15 @@
+$NetBSD: patch-CVE-2012-3494,v 1.1 2012/09/12 11:04:17 drochner Exp $
+
+see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00181.html
+
+--- xen/include/asm-x86/debugreg.h.orig 2012-08-10 13:51:52.000000000 +0000
++++ xen/include/asm-x86/debugreg.h
+@@ -58,7 +58,7 @@
+ We can slow the instruction pipeline for instructions coming via the
+ gdt or the ldt if we want to. I am not sure why this is an advantage */
+
+-#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
++#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
+ #define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */
+ #define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */
+ #define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */
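Review bot: The new `DR_CONTROL_RESERVED_ZERO` value depends on the width of `unsigned long`, and the unchanged trailing comment does not say so. `~0xffff27fful` evaluates to 0x0000d800 where `unsigned long` is 32 bits, the same as the old constant, and only on 64-bit builds does it additionally cover bits 63:32, which appears to be the point of the fix. I would extend the comment to something like `/* Reserved, read as zero; the complement form also marks bits 63:32 reserved on 64-bit builds */` so that nobody later simplifies the expression back to the literal. The pkgsrc header of this patch file also gives only a URL; a one-line summary of what is being fixed would survive the link going stale.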
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3496 b/sysutils/xenkernel41/patches/patch-CVE-2012-3496
new file mode 100644
index 00000000000..3bd7c50a1cf
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3496
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2012-3496,v 1.1 2012/09/12 11:04:17 drochner Exp $
+
+see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html
+
+--- xen/arch/x86/mm/p2m.c.orig 2012-08-10 13:51:45.000000000 +0000
++++ xen/arch/x86/mm/p2m.c
+@@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(st
+ int pod_count = 0;
+ int rc = 0;
+
+- BUG_ON(!paging_mode_translate(d));
++ if ( !paging_mode_translate(d) )
++ return -EINVAL;
+
+ rc = gfn_check_limit(d, gfn, order);
+ if ( rc != 0 )
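Review bot: The early `return -EINVAL` that replaces `BUG_ON(!paging_mode_translate(d))` carries no comment explaining why this condition is now a soft failure rather than an assertion. Presumably the check can be reached for a domain that is not in translated paging mode through a guest- or toolstack-driven request, where an assertion would bring down the whole host; a line such as `/* Reachable for a non-translated domain: fail the request, do not assert. */` above the `if` would record that and keep the check from being turned back into a `BUG_ON`. The direct return sits before anything the hunk shows being acquired, but guest_physmap_mark_populate_on_demand() starts and ends outside the hunk, so it is worth confirming that no lock or reference is held at that point.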
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3498 b/sysutils/xenkernel41/patches/patch-CVE-2012-3498
new file mode 100644
index 00000000000..66f1622a53c
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3498
@@ -0,0 +1,47 @@
+$NetBSD: patch-CVE-2012-3498,v 1.1 2012/09/12 11:04:18 drochner Exp $
+
+contains patch for CVE-2012-3495
+see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00187.html
+and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html
+
+--- xen/arch/x86/physdev.c.orig 2012-09-12 09:41:55.000000000 +0000
++++ xen/arch/x86/physdev.c
+@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
+ struct hvm_girq_dpci_mapping *girq;
+ uint32_t machine_gsi = 0;
+
++ if ( map->index < 0 || map->index >= NR_HVM_IRQS )
++ {
++ ret = -EINVAL;
++ break;
++ }
++
+ /* find the machine gsi corresponding to the
+ * emulated gsi */
+ hvm_irq_dpci = domain_get_irq_dpci(d);
+ if ( hvm_irq_dpci )
+ {
++ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
+ list_for_each_entry ( girq,
+ &hvm_irq_dpci->girq[map->index],
+ list )
+@@ -587,11 +594,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+ break;
+
+ spin_lock(&d->event_lock);
+- out.pirq = get_free_pirq(d, out.type, 0);
+- d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
++ ret = get_free_pirq(d, out.type, 0);
++ if ( ret >= 0 )
++ d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
+ spin_unlock(&d->event_lock);
+
+- ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ if ( ret >= 0 )
++ {
++ out.pirq = ret;
++ ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ }
+
+ rcu_unlock_domain(d);
+ break;
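Review bot: In the second embedded hunk (do_physdev_op), a failing `copy_to_guest()` returns -EFAULT after `d->arch.pirq_irq[ret]` has already been set to `PIRQ_ALLOCATED`, and nothing visible releases the slot. The guest never learns the number, so unless code outside the hunk reclaims it, the entry stays consumed until the domain goes away. The removed lines behaved the same way, so this is not a regression, but since the path is being reworked it deserves at least a comment such as `/* On -EFAULT the pirq remains PIRQ_ALLOCATED; it is not handed back here. */`, or a release under `d->event_lock` on the failure branch. Both physdev_hvm_map_pirq() and do_physdev_op() continue outside the lines shown.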
diff --git a/sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1 b/sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1
deleted file mode 100644
index 63d5f482731..00000000000
--- a/sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1
+++ /dev/null
@@ -1,124 +0,0 @@
-$NetBSD: patch-xsa7-xsa8-xen-4.1,v 1.1 2012/06/19 20:17:06 bouyer Exp $
-
-diff -r 35248be669e7 xen/arch/x86/x86_64/asm-offsets.c
---- xen/arch/x86/x86_64/asm-offsets.c.orig Mon May 14 16:59:12 2012 +0100
-+++ xen/arch/x86/x86_64/asm-offsets.c Thu May 24 11:12:33 2012 +0100
-@@ -90,6 +90,8 @@ void __dummy__(void)
- arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
- OFFSET(VCPU_gp_fault_sel, struct vcpu,
- arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
-+ OFFSET(VCPU_gp_fault_flags, struct vcpu,
-+ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
- OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
- OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
- OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
-diff -r 35248be669e7 xen/arch/x86/x86_64/compat/entry.S
---- xen/arch/x86/x86_64/compat/entry.S.orig Mon May 14 16:59:12 2012 +0100
-+++ xen/arch/x86/x86_64/compat/entry.S Thu May 24 11:12:33 2012 +0100
-@@ -214,6 +214,7 @@ 1: call compat_create_bounce_frame
- ENTRY(compat_post_handle_exception)
- testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
- jz compat_test_all_events
-+.Lcompat_bounce_exception:
- call compat_create_bounce_frame
- movb $0,TRAPBOUNCE_flags(%rdx)
- jmp compat_test_all_events
-@@ -226,19 +227,20 @@ ENTRY(compat_syscall)
- leaq VCPU_trap_bounce(%rbx),%rdx
- testl $~3,%esi
- leal (,%rcx,TBF_INTERRUPT),%ecx
-- jz 2f
--1: movq %rax,TRAPBOUNCE_eip(%rdx)
-+UNLIKELY_START(z, compat_syscall_gpf)
-+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
-+ subl $2,UREGS_rip(%rsp)
-+ movl $0,TRAPBOUNCE_error_code(%rdx)
-+ movl VCPU_gp_fault_addr(%rbx),%eax
-+ movzwl VCPU_gp_fault_sel(%rbx),%esi
-+ testb $4,VCPU_gp_fault_flags(%rbx)
-+ setnz %cl
-+ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
-+UNLIKELY_END(compat_syscall_gpf)
-+ movq %rax,TRAPBOUNCE_eip(%rdx)
- movw %si,TRAPBOUNCE_cs(%rdx)
- movb %cl,TRAPBOUNCE_flags(%rdx)
-- call compat_create_bounce_frame
-- jmp compat_test_all_events
--2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
-- subl $2,UREGS_rip(%rsp)
-- movq VCPU_gp_fault_addr(%rbx),%rax
-- movzwl VCPU_gp_fault_sel(%rbx),%esi
-- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
-- movl $0,TRAPBOUNCE_error_code(%rdx)
-- jmp 1b
-+ jmp .Lcompat_bounce_exception
-
- ENTRY(compat_sysenter)
- cmpl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
-diff -r 35248be669e7 xen/arch/x86/x86_64/entry.S
---- xen/arch/x86/x86_64/entry.S.orig Mon May 14 16:59:12 2012 +0100
-+++ xen/arch/x86/x86_64/entry.S Thu May 24 11:12:33 2012 +0100
-@@ -40,6 +40,13 @@ restore_all_guest:
- testw $TRAP_syscall,4(%rsp)
- jz iret_exit_to_guest
-
-+ /* Don't use SYSRET path if the return address is not canonical. */
-+ movq 8(%rsp),%rcx
-+ sarq $47,%rcx
-+ incl %ecx
-+ cmpl $1,%ecx
-+ ja .Lforce_iret
-+
- addq $8,%rsp
- popq %rcx # RIP
- popq %r11 # CS
-@@ -50,6 +57,10 @@ restore_all_guest:
- sysretq
- 1: sysretl
-
-+.Lforce_iret:
-+ /* Mimic SYSRET behavior. */
-+ movq 8(%rsp),%rcx # RIP
-+ movq 24(%rsp),%r11 # RFLAGS
- ALIGN
- /* No special register assumptions. */
- iret_exit_to_guest:
-@@ -278,19 +289,21 @@ sysenter_eflags_saved:
- leaq VCPU_trap_bounce(%rbx),%rdx
- testq %rax,%rax
- leal (,%rcx,TBF_INTERRUPT),%ecx
-- jz 2f
--1: movq VCPU_domain(%rbx),%rdi
-+UNLIKELY_START(z, sysenter_gpf)
-+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
-+ subq $2,UREGS_rip(%rsp)
-+ movl %eax,TRAPBOUNCE_error_code(%rdx)
-+ movq VCPU_gp_fault_addr(%rbx),%rax
-+ testb $4,VCPU_gp_fault_flags(%rbx)
-+ setnz %cl
-+ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
-+UNLIKELY_END(sysenter_gpf)
-+ movq VCPU_domain(%rbx),%rdi
- movq %rax,TRAPBOUNCE_eip(%rdx)
- movb %cl,TRAPBOUNCE_flags(%rdx)
- testb $1,DOMAIN_is_32bit_pv(%rdi)
- jnz compat_sysenter
-- call create_bounce_frame
-- jmp test_all_events
--2: movl %eax,TRAPBOUNCE_error_code(%rdx)
-- movq VCPU_gp_fault_addr(%rbx),%rax
-- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
-- movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
-- jmp 1b
-+ jmp .Lbounce_exception
-
- ENTRY(int80_direct_trap)
- pushq $0
-@@ -482,6 +495,7 @@ 1: movq %rsp,%rdi
- jnz compat_post_handle_exception
- testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
- jz test_all_events
-+.Lbounce_exception:
- call create_bounce_frame
- movb $0,TRAPBOUNCE_flags(%rdx)
- jmp test_all_events
diff --git a/sysutils/xenkernel41/patches/patch-xsa9-xen-4.1 b/sysutils/xenkernel41/patches/patch-xsa9-xen-4.1
deleted file mode 100644
index 87cf4fe73db..00000000000
--- a/sysutils/xenkernel41/patches/patch-xsa9-xen-4.1
+++ /dev/null
@@ -1,48 +0,0 @@
-$NetBSD: patch-xsa9-xen-4.1,v 1.1 2012/06/19 20:17:06 bouyer Exp $
-
-x86-64: detect processors subject to AMD erratum #121 and refuse to boot
-
-Processors with this erratum are subject to a DoS attack by unprivileged
-guest users.
-
-This is XSA-9 / CVE-2006-0744.
-
-Signed-off-by: Jan Beulich <JBeulich@suse.com>
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-
---- xen/arch/x86/cpu/amd.c.orig
-+++ xen/arch/x86/cpu/amd.c
-@@ -32,6 +32,9 @@
- static char opt_famrev[14];
- string_param("cpuid_mask_cpu", opt_famrev);
-
-+static int opt_allow_unsafe;
-+boolean_param("allow_unsafe", opt_allow_unsafe);
-+
- static inline void wrmsr_amd(unsigned int index, unsigned int lo,
- unsigned int hi)
- {
-@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
- clear_bit(X86_FEATURE_MCE, c->x86_capability);
-
- #ifdef __x86_64__
-+ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
-+ panic("Xen will not boot on this CPU for security reasons.\n"
-+ "Pass \"allow_unsafe\" if you're trusting all your"
-+ " (PV) guest kernels.\n");
-+
- /* AMD CPUs do not support SYSENTER outside of legacy mode. */
- clear_bit(X86_FEATURE_SEP, c->x86_capability);
-
---- xen/include/asm-x86/amd.h.orig
-+++ xen/include/asm-x86/amd.h
-@@ -127,6 +127,9 @@
- #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
- #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
-
-+#define AMD_ERRATUM_121 \
-+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
-+
- #define AMD_ERRATUM_170 \
- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
-