Diffstat (limited to 'sysutils/xenkernel41')
55 files changed, 0 insertions, 2685 deletions
diff --git a/sysutils/xenkernel41/DESCR b/sysutils/xenkernel41/DESCR
deleted file mode 100644
index 543eb12f86e..00000000000
--- a/sysutils/xenkernel41/DESCR
+++ /dev/null
@@ -1,12 +0,0 @@
-Xen is a virtual machine monitor which supports running multiple
-guests operating systems on a single machine. Guest OSes (also
-called "domains") require a modified kernel which supports Xen
-hypercalls in replacement to access to the physical hardware. At
-boot, the xen kernel is loaded along with the guest kernel for the
-first domain (called domain0). domain0 has privileges to access
-the physical hardware (PCI and ISA devices), administrate other
-domains and provide virtual devices (disks and network) to other
-domains.
-
-This package contains the 4.1 Xen4 kernel itself. PCI passthrough is
-not supported. PAE is mandatory; on i386 one must use XEN3PAE_DOM0[0U].
diff --git a/sysutils/xenkernel41/MESSAGE b/sysutils/xenkernel41/MESSAGE
deleted file mode 100644
index 1339881d91c..00000000000
--- a/sysutils/xenkernel41/MESSAGE
+++ /dev/null
@@ -1,7 +0,0 @@
-===========================================================================
-$NetBSD: MESSAGE,v 1.1 2011/11/20 03:12:44 jym Exp $
-
-The Xen hypervisor is installed under the following locations:
- ${XENKERNELDIR}/xen.gz (standard hypervisor)
- ${XENKERNELDIR}/xen-debug.gz (debug hypervisor)
-===========================================================================
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
deleted file mode 100644
index 3428da24c71..00000000000
--- a/sysutils/xenkernel41/Makefile
+++ /dev/null
@@ -1,61 +0,0 @@ -# $NetBSD: Makefile,v 1.54 2016/12/21 15:35:44 bouyer Exp $ - -VERSION= 4.1.6.1 -DISTNAME= xen-${VERSION} -PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 23 -CATEGORIES= sysutils -MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ - -MAINTAINER= cegger@NetBSD.org -HOMEPAGE= http://xen.org/ -COMMENT= Xen 4.1.x Kernel - -LICENSE= gnu-gpl-v2 - -ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64 -ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386 - -NO_CONFIGURE= yes -USE_TOOLS+= gmake - -PYTHON_FOR_BUILD_ONLY= yes -PY_PATCHPLIST= NO -PYTHON_VERSIONS_INCOMPATIBLE= 34 35 # not yet ported as of 4.1.6.1 - -# XXX Why does this not work? -# See work/xen-4.1.2/Config.mk:41 why PYTHON must be set and what for -MAKE_ENV+= PYTHON=${PYTHONBIN:Q} -MAKE_ENV+= OCAML_TOOLS=no - -INSTALLATION_DIRS= xen41-kernel -XENKERNELDIR= ${PREFIX}/${INSTALLATION_DIRS} - -MESSAGE_SUBST+= XENKERNELDIR=${XENKERNELDIR:Q} - -.include "../../mk/compiler.mk" -.if !empty(PKGSRC_COMPILER:Mclang) -EXTRA_CFLAGS+= -Qunused-arguments -no-integrated-as -Wno-error=format \ - -Wno-error=parentheses-equality -Wno-error=enum-conversion \ - -Wno-error=unused-function \ - -Wno-error=tautological-pointer-compare \ - -Wno-error=pointer-bool-conversion -.endif - -MAKE_ENV+= EXTRA_CFLAGS=${EXTRA_CFLAGS:Q} - -do-build: - cd ${WRKSRC}/xen && ${BUILD_MAKE_CMD} debug=n build - ${CP} ${WRKSRC}/xen/xen.gz ${WRKDIR}/xen.gz - cd ${WRKSRC}/xen && ${MAKE_PROGRAM} clean - cd ${WRKSRC}/xen && ${BUILD_MAKE_CMD} debug=y build - ${CP} ${WRKSRC}/xen/xen.gz ${WRKDIR}/xen-debug.gz - -do-install: - ${INSTALL_DATA} ${WRKDIR}/xen.gz \ - ${DESTDIR}${XENKERNELDIR}/xen.gz - ${INSTALL_DATA} ${WRKDIR}/xen-debug.gz \ - ${DESTDIR}${XENKERNELDIR}/xen-debug.gz - -.include "../../lang/python/application.mk" -.include "../../mk/bsd.pkg.mk" diff --git a/sysutils/xenkernel41/PLIST b/sysutils/xenkernel41/PLIST deleted file mode 100644 index 886fa82240d..00000000000 
--- a/sysutils/xenkernel41/PLIST
+++ /dev/null
@@ -1,3 +0,0 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2011/04/06 09:05:53 cegger Exp $
-xen41-kernel/xen-debug.gz
-xen41-kernel/xen.gz
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
deleted file mode 100644
index 86eecde8161..00000000000
--- a/sysutils/xenkernel41/distinfo
+++ /dev/null
@@ -1,56 +0,0 @@
-$NetBSD: distinfo,v 1.47 2016/12/21 15:35:44 bouyer Exp $
-
-SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
-RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
-SHA512 (xen-4.1.6.1.tar.gz) = 5f6106514ffb57708009e3d6763824b13d9038699048d1a91fa09ad223e0391b92b6ea0f25714a0bbf8ac8373c58fc7871ca0bce9c3ff7873d41fb2eeae13ed8
-Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
-SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
-SHA1 (patch-CVE-2013-4355_1) = 56dde995d7df4f18576040007fd5532de61d9069
-SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
-SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
-SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
-SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
-SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
-SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
-SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
-SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d
-SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d
-SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e
-SHA1 (patch-CVE-2014-3124) = 0643b9b2b4bb3a976f59ec081e25f2b466e4fdba
-SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36
-SHA1 (patch-CVE-2014-7154) = 5f0541559d911778aa5267bb5c0e1e8a9a3904e2
-SHA1 (patch-CVE-2014-7155) = 0f1aa6a5d4fdb8403fc1e01b884491a63de501f8
-SHA1 (patch-CVE-2014-7156) = 85043bdcf2644227d135f725cb442aade565c9d6
-SHA1 (patch-CVE-2014-8594) = 39d9d220d89c2356fa745dad5bf8c7ef5e8f2516
-SHA1 (patch-CVE-2014-8595) = 46bd285b7eb8f2e23984f7917b12af2191bfef80
-SHA1 (patch-CVE-2014-8866) = ee0bc3afb767b50e973d6065b84adc7e51949def
-SHA1 (patch-CVE-2014-8867) = 576433746660f62b753088a66c5315a1a2ff8f76
-SHA1 (patch-CVE-2014-9030) = f52c302585b0f4b074f7562e6b8cddacb26deee4
-SHA1 (patch-CVE-2015-2044) = 00d32273d0a9f51927ff94a13f916382c3126e60
-SHA1 (patch-CVE-2015-2045) = e1874bbde0cce7db4ee9260440f5280d404027d7
-SHA1 (patch-CVE-2015-2151) = aed92f50d162febc3074f7edecaf6ca418d0b42c
-SHA1 (patch-CVE-2015-2752) = 37f44989a3b3c69dea8e9de9fc34ffd5c2e8b087
-SHA1 (patch-CVE-2015-2756) = b3b133d42229ecc8c308644b17e5317cd77f9a98
-SHA1 (patch-CVE-2015-7835) = d66fe84abfb921bf435c1ed9b077012937d0c71e
-SHA1 (patch-CVE-2015-7969) = 4eb96025afae4be547f74b9e71a7d8a3a37fc60b
-SHA1 (patch-CVE-2015-7971) = 0d0d36ad99f313afb96111a832eb65ddeaf8010e
-SHA1 (patch-CVE-2015-8339) = e5485ab9e73fa9a63c566505b8de805530ac678e
-SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
-SHA1 (patch-XSA-166) = 24fccf8e30ccf910a128e5e0365800191a90524c
-SHA1 (patch-XSA-182) = 70a7a6175a4b87ffaf72cbc5a3932f076efa3f9c
-SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019
-SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56
-SHA1 (patch-XSA-187-2) = e21b24771fa9417f593b8f6d1550660bbad36b98
-SHA1 (patch-XSA-191) = 5da559e104543b8d22ea60378d9160d2ad83b8d0
-SHA1 (patch-XSA-192) = b0f2801fe6db91c2a98b82897cdee057062c6c2b
-SHA1 (patch-XSA-195) = a04295b397126e1cc1f129bb3cb9fb872fcbb373
-SHA1 (patch-XSA-200) = 2e5f6e3596fa754030af29a1dc8fafb738ad1da4
-SHA1 (patch-XSA-202) = ceb6f02eb7f1a41243c6e47c4f1bbbc9626a8da5
-SHA1 (patch-XSA-204) = 99e2b88b551d80724fcc27f925fbf65d3fc468de
-SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
-SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
-SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b
-SHA1 (patch-xen_arch_x86_time.c) = 2c69ac1cb5e0ca06c4f70acb91d2723a32ce98a9
-SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
-SHA1 (patch-xen_drivers_passthrough_vtd_x86_ats.c) = 012ccbb27069c4f2e0361bd127397fdd22027f29
-SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-1442 b/sysutils/xenkernel41/patches/patch-CVE-2013-1442 deleted file mode 100644 index fad8b9e6581..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-1442 +++ /dev/null @@ -1,27 +0,0 @@ -$NetBSD: patch-CVE-2013-1442,v 1.1 2013/10/01 14:54:44 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg02523.html - ---- xen/arch/x86/i387.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/i387.c 2013-09-30 15:23:07.000000000 +0000 -@@ -103,9 +103,9 @@ void setup_fpu(struct vcpu *v) - { - /* - * XCR0 normally represents what guest OS set. In case of Xen itself, -- * we set all supported feature mask before doing save/restore. -+ * we set all supported feature mask before restoring. - */ -- set_xcr0(v->arch.xcr0_accum); -+ set_xcr0(xfeature_mask); - xrstor(v); - set_xcr0(v->arch.xcr0); - } -@@ -149,7 +149,7 @@ void save_init_fpu(struct vcpu *v) - if ( xsave_enabled(v) ) - { - /* XCR0 normally represents what guest OS set. In case of Xen itself, -- * we set all accumulated feature mask before doing save/restore. -+ * we set all accumulated feature mask before saving. - */ - set_xcr0(v->arch.xcr0_accum); - if ( cpu_has_xsaveopt ) diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 deleted file mode 100644 index 202e85d183e..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 +++ /dev/null 
@@ -1,120 +0,0 @@ -$NetBSD: patch-CVE-2013-4355_1,v 1.5 2014/10/01 17:18:22 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html -also fixes -http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html -(CVE-2013-4554) -also fixes -http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html -(CVE-2014-2599) -also fixes -http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html -(CVE-2014-3124) -also fixes -http://lists.xenproject.org/archives/html/xen-devel/2014-10/msg00065.html -(CVE-2014-7188) - ---- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/hvm/hvm.c 2014-10-01 16:40:48.000000000 +0000 -@@ -1961,11 +1961,7 @@ void hvm_task_switch( - - rc = hvm_copy_from_guest_virt( - &tss, prev_tr.base, sizeof(tss), PFEC_page_present); -- if ( rc == HVMCOPY_bad_gva_to_gfn ) -- goto out; -- if ( rc == HVMCOPY_gfn_paged_out ) -- goto out; -- if ( rc == HVMCOPY_gfn_shared ) -+ if ( rc != HVMCOPY_okay ) - goto out; - - eflags = regs->eflags; -@@ -2010,13 +2006,11 @@ void hvm_task_switch( - - rc = hvm_copy_from_guest_virt( - &tss, tr.base, sizeof(tss), PFEC_page_present); -- if ( rc == HVMCOPY_bad_gva_to_gfn ) -- goto out; -- if ( rc == HVMCOPY_gfn_paged_out ) -- goto out; -- /* Note: this could be optimised, if the callee functions knew we want RO -- * access */ -- if ( rc == HVMCOPY_gfn_shared ) -+ /* -+ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee -+ * functions knew we want RO access. -+ */ -+ if ( rc != HVMCOPY_okay ) - goto out; - - -@@ -2409,7 +2403,7 @@ int hvm_msr_read_intercept(unsigned int - *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; - break; - -- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: -+ case MSR_IA32_APICBASE_MSR ... 
MSR_IA32_APICBASE_MSR + 0xff: - if ( hvm_x2apic_msr_read(v, msr, msr_content) ) - goto gp_fault; - break; -@@ -2529,7 +2523,7 @@ int hvm_msr_write_intercept(unsigned int - vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); - break; - -- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: -+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: - if ( hvm_x2apic_msr_write(v, msr, msr_content) ) - goto gp_fault; - break; -@@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg - case 4: - case 2: - hvm_get_segment_register(curr, x86_seg_ss, &sreg); -- if ( unlikely(sreg.attr.fields.dpl == 3) ) -+ if ( unlikely(sreg.attr.fields.dpl) ) - { - default: - regs->eax = -EPERM; -@@ -3657,13 +3651,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - rc = -EINVAL; - goto param_fail4; - } -- if ( p2m_is_grant(t) ) -- { -- gdprintk(XENLOG_WARNING, -- "type for pfn 0x%lx changed to grant while " -- "we were working?\n", pfn); -+ if ( !p2m_is_ram(t) && -+ (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) ) - goto param_fail4; -- } - else - { - nt = p2m_change_type(p2m, pfn, t, memtype[a.hvmmem_type]); -@@ -3746,7 +3736,7 @@ long do_hvm_op(unsigned long op, XEN_GUE - ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) - goto param_fail5; - -- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) -+ for ( pfn = a.first_pfn; a.nr; ++pfn ) - { - p2m_type_t t; - mfn_t mfn; -@@ -3759,6 +3749,17 @@ long do_hvm_op(unsigned long op, XEN_GUE - p2m_unlock(p2m); - if ( !success ) - goto param_fail5; -+ -+ /* Check for continuation if it's not the last interation. */ -+ if ( --a.nr && hypercall_preempt_check() ) -+ { -+ a.first_pfn = pfn + 1; -+ if ( copy_to_guest(arg, &a, 1) ) -+ rc = -EFAULT; -+ else -+ rc = -EAGAIN; -+ goto param_fail5; -+ } - } - - rc = 0; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 deleted file mode 100644 index 65716cd9c10..00000000000 
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 +++ /dev/null @@ -1,71 +0,0 @@ -$NetBSD: patch-CVE-2013-4355_2,v 1.1 2013/10/01 14:54:44 drochner Exp $ - ---- xen/arch/x86/hvm/intercept.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/hvm/intercept.c 2013-09-30 15:23:07.000000000 +0000 -@@ -93,17 +93,28 @@ static int hvm_mmio_access(struct vcpu * - { - for ( i = 0; i < p->count; i++ ) - { -- int ret; -- -- ret = hvm_copy_from_guest_phys(&data, -- p->data + (sign * i * p->size), -- p->size); -- if ( (ret == HVMCOPY_gfn_paged_out) || -- (ret == HVMCOPY_gfn_shared) ) -+ switch ( hvm_copy_from_guest_phys(&data, -+ p->data + sign * i * p->size, -+ p->size) ) - { -+ case HVMCOPY_okay: -+ break; -+ case HVMCOPY_gfn_paged_out: -+ case HVMCOPY_gfn_shared: - rc = X86EMUL_RETRY; - break; -+ case HVMCOPY_bad_gfn_to_mfn: -+ data = ~0; -+ break; -+ case HVMCOPY_bad_gva_to_gfn: -+ ASSERT(0); -+ /* fall through */ -+ default: -+ rc = X86EMUL_UNHANDLEABLE; -+ break; - } -+ if ( rc != X86EMUL_OKAY ) -+ break; - rc = write_handler(v, p->addr + (sign * i * p->size), p->size, - data); - if ( rc != X86EMUL_OKAY ) -@@ -171,8 +182,28 @@ static int process_portio_intercept(port - for ( i = 0; i < p->count; i++ ) - { - data = 0; -- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size, -- p->size); -+ switch ( hvm_copy_from_guest_phys(&data, -+ p->data + sign * i * p->size, -+ p->size) ) -+ { -+ case HVMCOPY_okay: -+ break; -+ case HVMCOPY_gfn_paged_out: -+ case HVMCOPY_gfn_shared: -+ rc = X86EMUL_RETRY; -+ break; -+ case HVMCOPY_bad_gfn_to_mfn: -+ data = ~0; -+ break; -+ case HVMCOPY_bad_gva_to_gfn: -+ ASSERT(0); -+ /* fall through */ -+ default: -+ rc = X86EMUL_UNHANDLEABLE; -+ break; -+ } -+ if ( rc != X86EMUL_OKAY ) -+ break; - rc = action(IOREQ_WRITE, p->addr, p->size, &data); - if ( rc != X86EMUL_OKAY ) - break; 
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 deleted file mode 100644 index 59f890afa52..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 +++ /dev/null @@ -1,36 +0,0 @@ -$NetBSD: patch-CVE-2013-4355_3,v 1.1 2013/10/01 14:54:44 drochner Exp $ - ---- xen/arch/x86/hvm/io.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/hvm/io.c 2013-09-30 15:23:07.000000000 +0000 -@@ -333,14 +333,24 @@ static int dpci_ioport_write(uint32_t mp - data = p->data; - if ( p->data_is_ptr ) - { -- int ret; -- -- ret = hvm_copy_from_guest_phys(&data, -- p->data + (sign * i * p->size), -- p->size); -- if ( (ret == HVMCOPY_gfn_paged_out) && -- (ret == HVMCOPY_gfn_shared) ) -+ switch ( hvm_copy_from_guest_phys(&data, -+ p->data + sign * i * p->size, -+ p->size) ) -+ { -+ case HVMCOPY_okay: -+ break; -+ case HVMCOPY_gfn_paged_out: -+ case HVMCOPY_gfn_shared: - return X86EMUL_RETRY; -+ case HVMCOPY_bad_gfn_to_mfn: -+ data = ~0; -+ break; -+ case HVMCOPY_bad_gva_to_gfn: -+ ASSERT(0); -+ /* fall through */ -+ default: -+ return X86EMUL_UNHANDLEABLE; -+ } - } - - switch ( p->size ) diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 deleted file mode 100644 index 96d956f2417..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 +++ /dev/null 
@@ -1,24 +0,0 @@ -$NetBSD: patch-CVE-2013-4355_4,v 1.1 2013/10/01 14:54:44 drochner Exp $ - ---- xen/arch/x86/hvm/vmx/realmode.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/hvm/vmx/realmode.c 2013-09-30 15:23:07.000000000 +0000 -@@ -38,7 +38,9 @@ static void realmode_deliver_exception( - - again: - last_byte = (vector * 4) + 3; -- if ( idtr->limit < last_byte ) -+ if ( idtr->limit < last_byte || -+ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) != -+ HVMCOPY_okay ) - { - /* Software interrupt? */ - if ( insn_len != 0 ) -@@ -63,8 +65,6 @@ static void realmode_deliver_exception( - } - } - -- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4); -- - frame[0] = regs->eip + insn_len; - frame[1] = csr->sel; - frame[2] = regs->eflags & ~X86_EFLAGS_RF; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4361 b/sysutils/xenkernel41/patches/patch-CVE-2013-4361 deleted file mode 100644 index b133c1e6677..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4361 +++ /dev/null @@ -1,20 +0,0 @@ -$NetBSD: patch-CVE-2013-4361,v 1.1 2013/10/01 14:54:44 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03162.html - ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/x86_emulate/x86_emulate.c 2013-09-30 15:23:08.000000000 +0000 -@@ -2975,11 +2975,11 @@ x86_emulate( - break; - case 4: /* fbld m80dec */ - ea.bytes = 10; -- dst = ea; -+ src = ea; - if ( (rc = ops->read(src.mem.seg, src.mem.off, - &src.val, src.bytes, ctxt)) != 0 ) - goto done; -- emulate_fpu_insn_memdst("fbld", src.val); -+ emulate_fpu_insn_memsrc("fbld", src.val); - break; - case 5: /* fild m64i */ - ea.bytes = 8; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4368 b/sysutils/xenkernel41/patches/patch-CVE-2013-4368 deleted file mode 100644 index b46ec754134..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4368 +++ /dev/null 
@@ -1,21 +0,0 @@ -$NetBSD: patch-CVE-2013-4368,v 1.1 2013/10/22 19:41:58 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2013-10/msg00812.html - ---- xen/arch/x86/traps.c.orig 2013-09-10 08:42:18.000000000 +0200 -+++ xen/arch/x86/traps.c 2013-10-22 21:11:24.000000000 +0200 -@@ -1965,10 +1965,10 @@ static int emulate_privileged_op(struct - break; - } - } -- else -- read_descriptor(data_sel, v, regs, -- &data_base, &data_limit, &ar, -- 0); -+ else if ( !read_descriptor(data_sel, v, regs, -+ &data_base, &data_limit, &ar, 0) || -+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) ) -+ goto fail; - data_limit = ~0UL; - ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; - } diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4494 b/sysutils/xenkernel41/patches/patch-CVE-2013-4494 deleted file mode 100644 index c7818907f27..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4494 +++ /dev/null 
@@ -1,80 +0,0 @@ -$NetBSD: patch-CVE-2013-4494,v 1.1 2013/11/23 14:04:59 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg00225.html - ---- xen/common/grant_table.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/common/grant_table.c 2013-11-19 16:46:13.000000000 +0000 -@@ -1459,6 +1459,8 @@ gnttab_transfer( - - for ( i = 0; i < count; i++ ) - { -+ bool_t okay; -+ - if (i && hypercall_preempt_check()) - return i; - -@@ -1555,16 +1557,18 @@ gnttab_transfer( - * pages when it is dying. - */ - if ( unlikely(e->is_dying) || -- unlikely(e->tot_pages >= e->max_pages) || -- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) ) -+ unlikely(e->tot_pages >= e->max_pages) ) - { -- if ( !e->is_dying ) -- gdprintk(XENLOG_INFO, "gnttab_transfer: " -- "Transferee has no reservation " -- "headroom (%d,%d) or provided a bad grant ref (%08x) " -- "or is dying (%d)\n", -- e->tot_pages, e->max_pages, gop.ref, e->is_dying); - spin_unlock(&e->page_alloc_lock); -+ -+ if ( e->is_dying ) -+ gdprintk(XENLOG_INFO, "gnttab_transfer: " -+ "Transferee (d%d) is dying\n", e->domain_id); -+ else -+ gdprintk(XENLOG_INFO, "gnttab_transfer: " -+ "Transferee (d%d) has no headroom (tot %u, max %u)\n", -+ e->domain_id, e->tot_pages, e->max_pages); -+ - rcu_unlock_domain(e); - page->count_info &= ~(PGC_count_mask|PGC_allocated); - free_domheap_page(page); -@@ -1575,6 +1579,37 @@ gnttab_transfer( - /* Okay, add the page to 'e'. */ - if ( unlikely(e->tot_pages++ == 0) ) - get_knownalive_domain(e); -+ -+ /* -+ * We must drop the lock to avoid a possible deadlock in -+ * gnttab_prepare_for_transfer. We have reserved a page in e so can -+ * safely drop the lock and re-aquire it later to add page to the -+ * pagelist. 
-+ */ -+ spin_unlock(&e->page_alloc_lock); -+ okay = gnttab_prepare_for_transfer(e, d, gop.ref); -+ spin_lock(&e->page_alloc_lock); -+ -+ if ( unlikely(!okay) || unlikely(e->is_dying) ) -+ { -+ bool_t drop_dom_ref = (e->tot_pages-- == 1); -+ -+ spin_unlock(&e->page_alloc_lock); -+ -+ if ( okay /* i.e. e->is_dying due to the surrounding if() */ ) -+ gdprintk(XENLOG_INFO, "gnttab_transfer: " -+ "Transferee (d%d) is now dying\n", e->domain_id); -+ -+ if ( drop_dom_ref ) -+ put_domain(e); -+ rcu_unlock_domain(e); -+ -+ page->count_info &= ~(PGC_count_mask|PGC_allocated); -+ free_domheap_page(page); -+ gop.status = GNTST_general_error; -+ goto copyback; -+ } -+ - page_list_add_tail(page, &e->page_list); - page_set_owner(page, e); - diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4553 b/sysutils/xenkernel41/patches/patch-CVE-2013-4553 deleted file mode 100644 index d0bc8108ec5..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-4553 +++ /dev/null 
@@ -1,33 +0,0 @@ -$NetBSD: patch-CVE-2013-4553,v 1.1 2013/11/29 19:29:58 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03828.html - ---- xen/arch/x86/domctl.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/domctl.c 2013-11-29 15:19:13.000000000 +0000 -@@ -383,6 +383,26 @@ long arch_do_domctl( - break; - } - -+ /* -+ * XSA-74: This sub-hypercall is broken in several ways: -+ * - lock order inversion (p2m locks inside page_alloc_lock) -+ * - no preemption on huge max_pfns input -+ * - not (re-)checking d->is_dying with page_alloc_lock held -+ * - not honoring start_pfn input (which libxc also doesn't set) -+ * Additionally it is rather useless, as the result is stale by -+ * the time the caller gets to look at it. -+ * As it only has a single, non-production consumer (xen-mceinj), -+ * rather than trying to fix it we restrict it for the time being. -+ */ -+ if ( /* No nested locks inside copy_to_guest_offset(). */ -+ paging_mode_external(current->domain) || -+ /* Arbitrary limit capping processing time. */ -+ max_pfns > GB(4) / PAGE_SIZE ) -+ { -+ ret = -EOPNOTSUPP; -+ break; -+ } -+ - spin_lock(&d->page_alloc_lock); - - if ( unlikely(d->is_dying) ) { diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-6885_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-6885_1 deleted file mode 100644 index 9befecfc20f..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-6885_1 +++ /dev/null 
@@ -1,28 +0,0 @@ -$NetBSD: patch-CVE-2013-6885_1,v 1.2 2014/02/20 17:37:25 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2013-12/msg00235.html -http://lists.xenproject.org/archives/html/xen-devel/2014-02/msg01800.html - ---- xen/arch/x86/cpu/amd.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/cpu/amd.c -@@ -661,6 +661,20 @@ static void __devinit init_amd(struct cp - } - #endif - -+ if (c->x86 == 0x16 && c->x86_model <= 0xf) { -+ rdmsrl(MSR_AMD64_LS_CFG, value); -+ if (!(value & (1 << 15))) { -+ static bool_t warned; -+ -+ if (c == &boot_cpu_data || opt_cpu_info || -+ !test_and_set_bool(warned)) -+ printk(KERN_WARNING -+ "CPU%u: Applying workaround for erratum 793\n", -+ smp_processor_id()); -+ wrmsrl(MSR_AMD64_LS_CFG, value | (1 << 15)); -+ } -+ } -+ - if (c->x86 == 0x10) { - /* - * On family 10h BIOS may not have properly enabled WC+ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-6885_2 b/sysutils/xenkernel41/patches/patch-CVE-2013-6885_2 deleted file mode 100644 index 376c1bbef35..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2013-6885_2 +++ /dev/null @@ -1,12 +0,0 @@ -$NetBSD: patch-CVE-2013-6885_2,v 1.1 2013/12/04 10:35:01 drochner Exp $ - ---- xen/include/asm-x86/msr-index.h.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/include/asm-x86/msr-index.h 2013-12-03 16:55:24.000000000 +0000 -@@ -245,6 +245,7 @@ - - /* AMD64 MSRs */ - #define MSR_AMD64_NB_CFG 0xc001001f -+#define MSR_AMD64_LS_CFG 0xc0011020 - #define MSR_AMD64_IC_CFG 0xc0011021 - #define MSR_AMD64_DC_CFG 0xc0011022 - #define AMD64_NB_CFG_CF8_EXT_ENABLE_BIT 46 diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-1666 b/sysutils/xenkernel41/patches/patch-CVE-2014-1666 deleted file mode 100644 index 5606447d4cf..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-1666 +++ /dev/null 
@@ -1,17 +0,0 @@ -$NetBSD: patch-CVE-2014-1666,v 1.1 2014/01/24 17:07:36 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2014-01/msg02075.html - ---- xen/arch/x86/physdev.c.orig 2014-01-24 16:04:18.000000000 +0000 -+++ xen/arch/x86/physdev.c 2014-01-24 16:05:09.000000000 +0000 -@@ -554,7 +554,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H - case PHYSDEVOP_release_msix: { - struct physdev_pci_device dev; - -- if ( copy_from_guest(&dev, arg, 1) ) -+ if ( !IS_PRIV(v->domain) ) -+ ret = -EPERM; -+ else if ( copy_from_guest(&dev, arg, 1) ) - ret = -EFAULT; - else if ( dev.seg ) - ret = -EOPNOTSUPP; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-3124 b/sysutils/xenkernel41/patches/patch-CVE-2014-3124 deleted file mode 100644 index 1980d7b8f45..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-3124 +++ /dev/null @@ -1,26 +0,0 @@ -$NetBSD: patch-CVE-2014-3124,v 1.2 2015/12/29 04:04:32 dholland Exp $ - ---- xen/include/asm-x86/p2m.h.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/include/asm-x86/p2m.h 2014-04-30 13:11:30.000000000 +0000 -@@ -134,6 +134,13 @@ typedef enum { - | p2m_to_mask(p2m_ram_paging_in) \ - | p2m_to_mask(p2m_ram_shared)) - -+/* Types that represent a physmap hole. */ -+#define P2M_HOLE_TYPES (p2m_to_mask(p2m_mmio_dm) \ -+ | p2m_to_mask(p2m_invalid) \ -+ | p2m_to_mask(p2m_ram_paging_in_start) \ -+ | p2m_to_mask(p2m_ram_paging_in) \ -+ | p2m_to_mask(p2m_ram_paged)) -+ - /* Grant mapping types, which map to a real machine frame in another - * VM */ - #define P2M_GRANT_TYPES (p2m_to_mask(p2m_grant_map_rw) \ -@@ -170,6 +177,7 @@ typedef enum { - - /* Useful predicates */ - #define p2m_is_ram(_t) (p2m_to_mask(_t) & P2M_RAM_TYPES) -+#define p2m_is_hole(_t) (p2m_to_mask(_t) & P2M_HOLE_TYPES) - #define p2m_is_mmio(_t) (p2m_to_mask(_t) & P2M_MMIO_TYPES) - #define p2m_is_readonly(_t) (p2m_to_mask(_t) & P2M_RO_TYPES) - #define p2m_is_magic(_t) (p2m_to_mask(_t) & P2M_MAGIC_TYPES) 
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-4021 b/sysutils/xenkernel41/patches/patch-CVE-2014-4021 deleted file mode 100644 index e5c196eaf94..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-4021 +++ /dev/null @@ -1,26 +0,0 @@ -$NetBSD: patch-CVE-2014-4021,v 1.1 2014/06/18 13:47:08 drochner Exp $ - -http://lists.xenproject.org/archives/html/xen-devel/2014-06/msg02095.html - ---- xen/common/page_alloc.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/common/page_alloc.c 2014-06-18 10:36:33.000000000 +0000 -@@ -1123,7 +1123,10 @@ void free_xenheap_pages(void *v, unsigne - pg = virt_to_page(v); - - for ( i = 0; i < (1u << order); i++ ) -+ { -+ scrub_one_page(&pg[i]); - pg[i].count_info &= ~PGC_xen_heap; -+ } - - free_heap_pages(pg, order); - } -@@ -1290,6 +1293,8 @@ void free_domheap_pages(struct page_info - else - { - /* Freeing anonymous domain-heap pages. */ -+ for ( i = 0; i < (1 << order); i++ ) -+ scrub_one_page(&pg[i]); - free_heap_pages(pg, order); - drop_dom_ref = 0; - } diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7154 b/sysutils/xenkernel41/patches/patch-CVE-2014-7154 deleted file mode 100644 index 1a60d8ed127..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-7154 +++ /dev/null 
@@ -1,34 +0,0 @@ -$NetBSD: patch-CVE-2014-7154,v 1.1 2014/09/26 10:45:00 bouyer Exp $ - -x86/shadow: fix race condition sampling the dirty vram state - -d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held. - -If not, two concurrent hypercalls could both end up attempting to free -dirty_vram (the second of which will free a wild pointer), or both end up -allocating a new dirty_vram structure (the first of which will be leaked). - -This is XSA-104. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Tim Deegan <tim@xen.org> - ---- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200 -+++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200 -@@ -3640,7 +3640,7 @@ - int flush_tlb = 0; - unsigned long i; - p2m_type_t t; -- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram; -+ struct sh_dirty_vram *dirty_vram; - struct p2m_domain *p2m = p2m_get_hostp2m(d); - - if (end_pfn < begin_pfn -@@ -3649,6 +3649,7 @@ - return -EINVAL; - - shadow_lock(d); -+ dirty_vram = d->arch.hvm_domain.dirty_vram; - - if ( dirty_vram && (!nr || - ( begin_pfn != dirty_vram->begin_pfn diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7155 b/sysutils/xenkernel41/patches/patch-CVE-2014-7155 deleted file mode 100644 index 8b7388e9dbe..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-7155 +++ /dev/null 
@@ -1,39 +0,0 @@ -$NetBSD: patch-CVE-2014-7155,v 1.1 2014/09/26 10:45:00 bouyer Exp $ - -x86/emulate: check cpl for all privileged instructions - -Without this, it is possible for userspace to load its own IDT or GDT. - -This is XSA-105. - -Reported-by: Andrei LUTAS <vlutas@bitdefender.com> -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Tested-by: Andrei LUTAS <vlutas@bitdefender.com> - ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig -+++ xen/arch/x86/x86_emulate/x86_emulate.c -@@ -3314,6 +3314,7 @@ x86_emulate( - goto swint; - - case 0xf4: /* hlt */ -+ generate_exception_if(!mode_ring0(), EXC_GP, 0); - ctxt->retire.flags.hlt = 1; - break; - -@@ -3710,6 +3711,7 @@ x86_emulate( - break; - case 2: /* lgdt */ - case 3: /* lidt */ -+ generate_exception_if(!mode_ring0(), EXC_GP, 0); - generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); - fail_if(ops->write_segment == NULL); - memset(®, 0, sizeof(reg)); -@@ -3738,6 +3740,7 @@ x86_emulate( - case 6: /* lmsw */ - fail_if(ops->read_cr == NULL); - fail_if(ops->write_cr == NULL); -+ generate_exception_if(!mode_ring0(), EXC_GP, 0); - if ( (rc = ops->read_cr(0, &cr0, ctxt)) ) - goto done; - if ( ea.type == OP_REG ) diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7156 b/sysutils/xenkernel41/patches/patch-CVE-2014-7156 deleted file mode 100644 index ab28472ef3d..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-7156 +++ /dev/null 
@@ -1,25 +0,0 @@ -$NetBSD: patch-CVE-2014-7156,v 1.1 2014/09/26 10:45:00 bouyer Exp $ - -x86emul: only emulate software interrupt injection for real mode - -Protected mode emulation currently lacks proper privilege checking of -the referenced IDT entry, and there's currently no legitimate way for -any of the respective instructions to reach the emulator when the guest -is in protected mode. - -This is XSA-106. - -Reported-by: Andrei LUTAS <vlutas@bitdefender.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Keir Fraser <keir@xen.org> - ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig -+++ xen/arch/x86/x86_emulate/x86_emulate.c -@@ -2634,6 +2634,7 @@ x86_emulate( - case 0xcd: /* int imm8 */ - src.val = insn_fetch_type(uint8_t); - swint: -+ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */ - fail_if(ops->inject_sw_interrupt == NULL); - rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip, - ctxt) ? : X86EMUL_EXCEPTION; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-8594 b/sysutils/xenkernel41/patches/patch-CVE-2014-8594 deleted file mode 100644 index 3d2e8b43465..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-8594 +++ /dev/null 
@@ -1,27 +0,0 @@ -$NetBSD: patch-CVE-2014-8594,v 1.1 2014/11/27 15:36:02 bouyer Exp $ - -x86: don't allow page table updates on non-PV page tables in do_mmu_update() - -paging_write_guest_entry() and paging_cmpxchg_guest_entry() aren't -consistently supported for non-PV guests (they'd deref NULL for PVH or -non-HAP HVM ones). Don't allow respective MMU_* operations on the -page tables of such domains. - -This is XSA-109. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Tim Deegan <tim@xen.org> - ---- xen/arch/x86/mm.c.orig 2014-11-27 15:21:15.000000000 +0100 -+++ xen/arch/x86/mm.c 2014-11-27 15:26:06.000000000 +0100 -@@ -3695,6 +3695,10 @@ - { - p2m_type_t p2mt; - -+ rc = -EOPNOTSUPP; -+ if ( unlikely(paging_mode_refcounts(pt_owner)) ) -+ break; -+ - rc = xsm_mmu_normal_update(d, pg_owner, req.val); - if ( rc ) - break; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-8595 b/sysutils/xenkernel41/patches/patch-CVE-2014-8595 deleted file mode 100644 index 66954ed447c..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-8595 +++ /dev/null 
@@ -1,158 +0,0 @@ -$NetBSD: patch-CVE-2014-8595,v 1.1 2014/11/27 15:36:02 bouyer Exp $ - -x86emul: enforce privilege level restrictions when loading CS - -Privilege level checks were basically missing for the CS case, the -only check that was done (RPL == DPL for nonconforming segments) -was solely covering a single special case (return to non-conforming -segment). - -Additionally in long mode the L bit set requires the D bit to be clear, -as was recently pointed out for KVM by Nadav Amit -<namit@cs.technion.ac.il>. - -Finally we also need to force the loaded selector's RPL to CPL (at -least as long as lret/retf emulation doesn't support privilege level -changes). - -This is XSA-110. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tim Deegan <tim@xen.org> - ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig -+++ xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1107,7 +1107,7 @@ realmode_load_seg( - static int - protmode_load_seg( - enum x86_segment seg, -- uint16_t sel, -+ uint16_t sel, bool_t is_ret, - struct x86_emulate_ctxt *ctxt, - const struct x86_emulate_ops *ops) - { -@@ -1179,9 +1179,23 @@ protmode_load_seg( - /* Code segment? */ - if ( !(desc.b & (1u<<11)) ) - goto raise_exn; -- /* Non-conforming segment: check DPL against RPL. */ -- if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) ) -+ if ( is_ret -+ ? /* -+ * Really rpl < cpl, but our sole caller doesn't handle -+ * privilege level changes. -+ */ -+ rpl != cpl || (desc.b & (1 << 10) ? dpl > rpl : dpl != rpl) -+ : desc.b & (1 << 10) -+ /* Conforming segment: check DPL against CPL. */ -+ ? dpl > cpl -+ /* Non-conforming segment: check RPL and DPL against CPL. */ -+ : rpl > cpl || dpl != cpl ) - goto raise_exn; -+ /* 64-bit code segments (L bit set) must have D bit clear. */ -+ if ( in_longmode(ctxt, ops) && -+ (desc.b & (1 << 21)) && (desc.b & (1 << 22)) ) -+ goto raise_exn; -+ sel = (sel ^ rpl) | cpl; - break; - case x86_seg_ss: - /* Writable data segment? 
*/ -@@ -1246,7 +1260,7 @@ protmode_load_seg( - static int - load_seg( - enum x86_segment seg, -- uint16_t sel, -+ uint16_t sel, bool_t is_ret, - struct x86_emulate_ctxt *ctxt, - const struct x86_emulate_ops *ops) - { -@@ -1255,7 +1269,7 @@ load_seg( - return X86EMUL_UNHANDLEABLE; - - if ( in_protmode(ctxt, ops) ) -- return protmode_load_seg(seg, sel, ctxt, ops); -+ return protmode_load_seg(seg, sel, is_ret, ctxt, ops); - - return realmode_load_seg(seg, sel, ctxt, ops); - } -@@ -1852,7 +1866,7 @@ x86_emulate( - if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), - &dst.val, op_bytes, ctxt, ops)) != 0 ) - goto done; -- if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(src.val, dst.val, 0, ctxt, ops)) != 0 ) - return rc; - break; - -@@ -2222,7 +2236,7 @@ x86_emulate( - enum x86_segment seg = decode_segment(modrm_reg); - generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); - generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); -- if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(seg, src.val, 0, ctxt, ops)) != 0 ) - goto done; - if ( seg == x86_seg_ss ) - ctxt->retire.flags.mov_ss = 1; -@@ -2303,7 +2317,7 @@ x86_emulate( - &_regs.eip, op_bytes, ctxt)) ) - goto done; - -- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) - goto done; - _regs.eip = eip; - break; -@@ -2526,7 +2540,7 @@ x86_emulate( - if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, - &sel, 2, ctxt, ops)) != 0 ) - goto done; -- if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(dst.val, sel, 0, ctxt, ops)) != 0 ) - goto done; - dst.val = src.val; - break; -@@ -2600,7 +2614,7 @@ x86_emulate( - &dst.val, op_bytes, ctxt, ops)) || - (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), - &src.val, op_bytes, ctxt, ops)) || -- (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) -+ (rc = 
load_seg(x86_seg_cs, src.val, 1, ctxt, ops)) ) - goto done; - _regs.eip = dst.val; - break; -@@ -2647,7 +2661,7 @@ x86_emulate( - _regs.eflags &= mask; - _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; - _regs.eip = eip; -- if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, cs, 1, ctxt, ops)) != 0 ) - goto done; - break; - } -@@ -3277,7 +3291,7 @@ x86_emulate( - generate_exception_if(mode_64bit(), EXC_UD, -1); - eip = insn_fetch_bytes(op_bytes); - sel = insn_fetch_type(uint16_t); -- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) - goto done; - _regs.eip = eip; - break; -@@ -3590,7 +3604,7 @@ x86_emulate( - goto done; - } - -- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) - goto done; - _regs.eip = dst.val; - -@@ -3671,7 +3685,7 @@ x86_emulate( - generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); - generate_exception_if(!mode_ring0(), EXC_GP, 0); - if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, -- src.val, ctxt, ops)) != 0 ) -+ src.val, 0, ctxt, ops)) != 0 ) - goto done; - break; - diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-8866 b/sysutils/xenkernel41/patches/patch-CVE-2014-8866 deleted file mode 100644 index d65688bb667..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-8866 +++ /dev/null 
@@ -1,115 +0,0 @@ -$NetBSD: patch-CVE-2014-8866,v 1.1 2014/11/27 15:36:02 bouyer Exp $ - -x86: limit checks in hypercall_xlat_continuation() to actual arguments - -HVM/PVH guests can otherwise trigger the final BUG_ON() in that -function by entering 64-bit mode, setting the high halves of affected -registers to non-zero values, leaving 64-bit mode, and issuing a -hypercall that might get preempted and hence become subject to -continuation argument translation (HYPERVISOR_memory_op being the only -one possible for HVM, PVH also having the option of using -HYPERVISOR_mmuext_op). This issue got introduced when HVM code was -switched to use compat_memory_op() - neither that nor -hypercall_xlat_continuation() were originally intended to be used by -other than PV guests (which can't enter 64-bit mode and hence have no -way to alter the high halves of 64-bit registers). - -This is XSA-111. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tim Deegan <tim@xen.org> - ---- xen/arch/x86/domain.c.orig -+++ xen/arch/x86/domain.c -@@ -1921,7 +1921,8 @@ unsigned long hypercall_create_continuat - } - - #ifdef CONFIG_COMPAT --int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...) -+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr, -+ unsigned int mask, ...) 
- { - int rc = 0; - struct mc_state *mcs = ¤t->mc_state; -@@ -1930,7 +1931,10 @@ int hypercall_xlat_continuation(unsigned - unsigned long nval = 0; - va_list args; - -- BUG_ON(id && *id > 5); -+ ASSERT(nr <= ARRAY_SIZE(mcs->call.args)); -+ ASSERT(!(mask >> nr)); -+ -+ BUG_ON(id && *id >= nr); - BUG_ON(id && (mask & (1U << *id))); - - va_start(args, mask); -@@ -1939,7 +1943,7 @@ int hypercall_xlat_continuation(unsigned - { - if ( !test_bit(_MCSF_call_preempted, &mcs->flags) ) - return 0; -- for ( i = 0; i < 6; ++i, mask >>= 1 ) -+ for ( i = 0; i < nr; ++i, mask >>= 1 ) - { - if ( mask & 1 ) - { -@@ -1967,7 +1971,7 @@ int hypercall_xlat_continuation(unsigned - else - { - regs = guest_cpu_user_regs(); -- for ( i = 0; i < 6; ++i, mask >>= 1 ) -+ for ( i = 0; i < nr; ++i, mask >>= 1 ) - { - unsigned long *reg; - ---- xen/common/compat/memory.c.orig -+++ xen/common/compat/memory.c -@@ -208,7 +208,7 @@ int compat_memory_op(unsigned int cmd, X - break; - - cmd = 0; -- if ( hypercall_xlat_continuation(&cmd, 0x02, nat.hnd, compat) ) -+ if ( hypercall_xlat_continuation(&cmd, 2, 0x02, nat.hnd, compat) ) - { - BUG_ON(rc != __HYPERVISOR_memory_op); - BUG_ON((cmd & MEMOP_CMD_MASK) != op); ---- xen/include/xen/compat.h.orig 2013-09-10 08:42:18.000000000 +0200 -+++ xen/include/xen/compat.h 2014-11-27 15:29:34.000000000 +0100 -@@ -185,7 +185,8 @@ - CHECK_FIELD_COMMON_(k, CHECK_NAME_(k, n ## __ ## f1 ## __ ## f2 ## __ ## \ - f3, F2), n, f1.f2.f3) - --int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...); -+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr, -+ unsigned int mask, ...); - - /* In-place translation functons: */ - struct start_info; ---- xen/arch/x86/x86_64/compat/mm.c.orig 2013-09-10 08:42:18.000000000 +0200 -+++ xen/arch/x86/x86_64/compat/mm.c 2014-11-27 15:21:15.000000000 +0100 -@@ -128,7 +128,7 @@ - break; - - if ( rc == __HYPERVISOR_memory_op ) -- hypercall_xlat_continuation(NULL, 0x2, nat, arg); -+ 
hypercall_xlat_continuation(NULL, 2, 0x2, nat, arg); - - XLAT_pod_target(&cmp, nat); - -@@ -333,7 +333,7 @@ - left = 1; - if ( arg1 != MMU_UPDATE_PREEMPTED ) - { -- BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops, -+ BUG_ON(!hypercall_xlat_continuation(&left, 4, 0x01, nat_ops, - cmp_uops)); - if ( !test_bit(_MCSF_in_multicall, &mcs->flags) ) - regs->_ecx += count - i; -@@ -341,7 +341,7 @@ - mcs->compat_call.args[1] += count - i; - } - else -- BUG_ON(hypercall_xlat_continuation(&left, 0)); -+ BUG_ON(hypercall_xlat_continuation(&left, 4, 0)); - BUG_ON(left != arg1); - } - else diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-8867 b/sysutils/xenkernel41/patches/patch-CVE-2014-8867 deleted file mode 100644 index bc2007d2cd4..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-8867 +++ /dev/null 
@@ -1,90 +0,0 @@ -$NetBSD: patch-CVE-2014-8867,v 1.1 2014/11/27 15:36:02 bouyer Exp $ - -x86/HVM: confine internally handled MMIO to solitary regions - -While it is generally wrong to cross region boundaries when dealing -with MMIO accesses of repeated string instructions (currently only -MOVS) as that would do things a guest doesn't expect (leaving aside -that none of these regions would normally be accessed with repeated -string instructions in the first place), this is even more of a problem -for all virtual MSI-X page accesses (both msixtbl_{read,write}() can be -made dereference NULL "entry" pointers this way) as well as undersized -(1- or 2-byte) LAPIC writes (causing vlapic_read_aligned() to access -space beyond the one memory page set up for holding LAPIC register -values). - -Since those functions validly assume to be called only with addresses -their respective checking functions indicated to be okay, it is generic -code that needs to be fixed to clip the repetition count. - -To be on the safe side (and consistent), also do the same for buffered -I/O intercepts, even if their only client (stdvga) doesn't put the -hypervisor at risk (i.e. "only" guest misbehavior would result). - -This is CVE-2014-8867 / XSA-112. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tim Deegan <tim@xen.org> - ---- xen/arch/x86/hvm/intercept.c.orig -+++ xen/arch/x86/hvm/intercept.c -@@ -131,11 +131,24 @@ int hvm_mmio_intercept(ioreq_t *p) - int i; - - for ( i = 0; i < HVM_MMIO_HANDLER_NR; i++ ) -- if ( hvm_mmio_handlers[i]->check_handler(v, p->addr) ) -+ { -+ hvm_mmio_check_t check_handler = -+ hvm_mmio_handlers[i]->check_handler; -+ -+ if ( check_handler(v, p->addr) ) -+ { -+ if ( unlikely(p->count > 1) && -+ !check_handler(v, unlikely(p->df) -+ ? 
p->addr - (p->count - 1LL) * p->size -+ : p->addr + (p->count - 1LL) * p->size) ) -+ p->count = 1; -+ - return hvm_mmio_access( - v, p, - hvm_mmio_handlers[i]->read_handler, - hvm_mmio_handlers[i]->write_handler); -+ } -+ } - - return X86EMUL_UNHANDLEABLE; - } -@@ -243,6 +256,13 @@ int hvm_io_intercept(ioreq_t *p, int typ - if ( type == HVM_PORTIO ) - return process_portio_intercept( - handler->hdl_list[i].action.portio, p); -+ -+ if ( unlikely(p->count > 1) && -+ (unlikely(p->df) -+ ? p->addr - (p->count - 1LL) * p->size < addr -+ : p->addr + p->count * 1LL * p->size - 1 >= addr + size) ) -+ p->count = 1; -+ - return handler->hdl_list[i].action.mmio(p); - } - } ---- xen/arch/x86/hvm/vmsi.c.orig -+++ xen/arch/x86/hvm/vmsi.c -@@ -236,6 +236,8 @@ static int msixtbl_read( - rcu_read_lock(&msixtbl_rcu_lock); - - entry = msixtbl_find_entry(v, address); -+ if ( !entry ) -+ goto out; - offset = address & (PCI_MSIX_ENTRY_SIZE - 1); - - if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET ) -@@ -278,6 +280,8 @@ static int msixtbl_write(struct vcpu *v, - rcu_read_lock(&msixtbl_rcu_lock); - - entry = msixtbl_find_entry(v, address); -+ if ( !entry ) -+ goto out; - nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE; - - offset = address & (PCI_MSIX_ENTRY_SIZE - 1); diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-9030 b/sysutils/xenkernel41/patches/patch-CVE-2014-9030 deleted file mode 100644 index 9c7b44708ae..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2014-9030 +++ /dev/null 
@@ -1,46 +0,0 @@ -$NetBSD: patch-CVE-2014-9030,v 1.1 2014/11/27 15:36:02 bouyer Exp $ - -x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE - -Any domain which can pass the XSM check against a translated guest can cause a -page reference to be leaked. - -While shuffling the order of checks, drop the quite-pointless MEM_LOG(). This -brings the check in line with similar checks in the vicinity. - -Discovered while reviewing the XSA-109/110 followup series. - -This is XSA-113. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tim Deegan <tim@xen.org> - ---- xen/arch/x86/mm.c.orig 2014-11-27 15:21:15.000000000 +0100 -+++ xen/arch/x86/mm.c 2014-11-27 15:37:25.000000000 +0100 -@@ -3888,6 +3892,12 @@ - - case MMU_MACHPHYS_UPDATE: - -+ if ( unlikely(paging_mode_translate(pg_owner)) ) -+ { -+ rc = -EINVAL; -+ break; -+ } -+ - mfn = req.ptr >> PAGE_SHIFT; - gpfn = req.val; - -@@ -3901,12 +3911,6 @@ - break; - } - -- if ( unlikely(paging_mode_translate(pg_owner)) ) -- { -- MEM_LOG("Mach-phys update on auto-translate guest"); -- break; -- } -- - set_gpfn_from_mfn(mfn, gpfn); - okay = 1; - diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2044 b/sysutils/xenkernel41/patches/patch-CVE-2015-2044 deleted file mode 100644 index 858e491420e..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-2044 +++ /dev/null 
@@ -1,53 +0,0 @@ -$NetBSD: patch-CVE-2015-2044,v 1.1 2015/03/05 16:37:16 spz Exp $ - -x86/HVM: return all ones on wrong-sized reads of system device I/O ports - -So far the value presented to the guest remained uninitialized. - -This is CVE-2015-2044 / XSA-121. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- xen/arch/x86/hvm/rtc.c.orig 2014-09-02 06:22:57.000000000 +0000 -+++ xen/arch/x86/hvm/rtc.c -@@ -408,7 +408,8 @@ static int handle_rtc_io( - - if ( bytes != 1 ) - { -- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n"); -+ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- xen/arch/x86/hvm/i8254.c.orig 2014-09-02 06:22:57.000000000 +0000 -+++ xen/arch/x86/hvm/i8254.c -@@ -475,6 +475,7 @@ static int handle_pit_io( - if ( bytes != 1 ) - { - gdprintk(XENLOG_WARNING, "PIT bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- xen/arch/x86/hvm/pmtimer.c.orig 2014-09-02 06:22:57.000000000 +0000 -+++ xen/arch/x86/hvm/pmtimer.c -@@ -213,6 +213,7 @@ static int handle_pmt_io( - if ( bytes != 4 ) - { - gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- xen/arch/x86/hvm/vpic.c.orig 2014-09-02 06:22:57.000000000 +0000 -+++ xen/arch/x86/hvm/vpic.c -@@ -324,6 +324,7 @@ static int vpic_intercept_pic_io( - if ( bytes != 1 ) - { - gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes); -+ *val = ~0; - return X86EMUL_OKAY; - } - diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2045 b/sysutils/xenkernel41/patches/patch-CVE-2015-2045 deleted file mode 100644 index 21b2e40e01d..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-2045 +++ /dev/null 
@@ -1,42 +0,0 @@ -$NetBSD: patch-CVE-2015-2045,v 1.1 2015/03/05 16:37:16 spz Exp $ - -pre-fill structures for certain HYPERVISOR_xen_version sub-ops - -... avoiding to pass hypervisor stack contents back to the caller -through space unused by the respective strings. - -This is CVE-2015-2045 / XSA-122. - -Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com> -Acked-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- xen/common/kernel.c.orig 2014-09-02 06:22:57.000000000 +0000 -+++ xen/common/kernel.c -@@ -218,6 +218,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_extraversion: - { - xen_extraversion_t extraversion; -+ -+ memset(extraversion, 0, sizeof(extraversion)); - safe_strcpy(extraversion, xen_extra_version()); - if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) ) - return -EFAULT; -@@ -227,6 +229,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_compile_info: - { - struct xen_compile_info info; -+ -+ memset(&info, 0, sizeof(info)); - safe_strcpy(info.compiler, xen_compiler()); - safe_strcpy(info.compile_by, xen_compile_by()); - safe_strcpy(info.compile_domain, xen_compile_domain()); -@@ -263,6 +267,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_changeset: - { - xen_changeset_info_t chgset; -+ -+ memset(chgset, 0, sizeof(chgset)); - safe_strcpy(chgset, xen_changeset()); - if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) ) - return -EFAULT; diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2151 b/sysutils/xenkernel41/patches/patch-CVE-2015-2151 deleted file mode 100644 index 9334467e331..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-2151 +++ /dev/null 
@@ -1,22 +0,0 @@ -$NetBSD: patch-CVE-2015-2151,v 1.1 2015/03/10 20:27:16 spz Exp $ - -xsa123-4.3-4.2.patch from upstream: -x86emul: fully ignore segment override for register-only operations - -For ModRM encoded instructions with register operands we must not -overwrite ea.mem.seg (if a - bogus in that case - segment override was -present) as it aliases with ea.reg. - -This is CVE-2015-2151 / XSA-123. - ---- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2015-03-10 20:10:23.000000000 +0000 -+++ xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1462,7 +1462,7 @@ x86_emulate( - } - } - -- if ( override_seg != -1 ) -+ if ( override_seg != -1 && ea.type == OP_MEM ) - ea.mem.seg = override_seg; - - /* Decode and fetch the source operand: register, memory or immediate. */ diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2752 b/sysutils/xenkernel41/patches/patch-CVE-2015-2752 deleted file mode 100644 index b6aba0008e7..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-2752 +++ /dev/null 
@@ -1,108 +0,0 @@ -$NetBSD: patch-CVE-2015-2752,v 1.1 2015/04/19 13:13:20 spz Exp $ - -Patch for CVE-2015-2752 aka XSA-125 from -http://xenbits.xenproject.org/xsa/xsa125-4.2.patch - ---- tools/libxc/xc_domain.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ tools/libxc/xc_domain.c -@@ -1322,6 +1322,13 @@ int xc_domain_bind_pt_isa_irq( - PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq)); - } - -+#ifndef min -+#define min(X, Y) ({ \ -+ const typeof (X) _x = (X); \ -+ const typeof (Y) _y = (Y); \ -+ (void) (&_x == &_y); \ -+ (_x < _y) ? _x : _y; }) -+#endif - int xc_domain_memory_mapping( - xc_interface *xch, - uint32_t domid, -@@ -1331,17 +1338,55 @@ int xc_domain_memory_mapping( - uint32_t add_mapping) - { - DECLARE_DOMCTL; -+ int ret = 0, err; -+ unsigned long done = 0, nr, max_batch_sz; -+ -+ if ( !nr_mfns ) -+ return 0; - - domctl.cmd = XEN_DOMCTL_memory_mapping; - domctl.domain = domid; -- domctl.u.memory_mapping.first_gfn = first_gfn; -- domctl.u.memory_mapping.first_mfn = first_mfn; -- domctl.u.memory_mapping.nr_mfns = nr_mfns; - domctl.u.memory_mapping.add_mapping = add_mapping; -+ max_batch_sz = nr_mfns; -+ do -+ { -+ nr = min(nr_mfns - done, max_batch_sz); -+ domctl.u.memory_mapping.nr_mfns = nr; -+ domctl.u.memory_mapping.first_gfn = first_gfn + done; -+ domctl.u.memory_mapping.first_mfn = first_mfn + done; -+ err = do_domctl(xch, &domctl); -+ if ( err && errno == E2BIG ) -+ { -+ if ( max_batch_sz <= 1 ) -+ break; -+ max_batch_sz >>= 1; -+ continue; -+ } -+ /* Save the first error... */ -+ if ( !ret ) -+ ret = err; -+ /* .. and ignore the rest of them when removing. */ -+ if ( err && add_mapping != DPCI_REMOVE_MAPPING ) -+ break; -+ -+ done += nr; -+ } while ( done < nr_mfns ); -+ -+ /* -+ * Undo what we have done unless unmapping, by unmapping the entire region. -+ * Errors here are ignored. 
-+ */ -+ if ( ret && add_mapping != DPCI_REMOVE_MAPPING ) -+ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns, -+ DPCI_REMOVE_MAPPING); -+ -+ /* We might get E2BIG so many times that we never advance. */ -+ if ( !done && !ret ) -+ ret = -1; - -- return do_domctl(xch, &domctl); -+ return ret; - } -- -+#undef min - int xc_domain_ioport_mapping( - xc_interface *xch, - uint32_t domid, - ---- xen/arch/x86/domctl.c.orig 2015-04-19 10:54:27.000000000 +0000 -+++ xen/arch/x86/domctl.c -@@ -998,6 +998,11 @@ long arch_do_domctl( - (gfn + nr_mfns - 1) < gfn ) /* wrap? */ - break; - -+ ret = -E2BIG; -+ /* Must break hypercall up as this could take a while. */ -+ if ( nr_mfns > 64 ) -+ break; -+ - ret = -EPERM; - if ( !IS_PRIV(current->domain) && - !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) ) - ---- xen/include/public/domctl.h.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/include/public/domctl.h -@@ -505,6 +505,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_ - - - /* Bind machine I/O address range -> HVM address range. */ -+/* If this returns -E2BIG lower nr_mfns value. */ - /* XEN_DOMCTL_memory_mapping */ - #define DPCI_ADD_MAPPING 1 - #define DPCI_REMOVE_MAPPING 0 diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-2756 b/sysutils/xenkernel41/patches/patch-CVE-2015-2756 deleted file mode 100644 index cbd78298c0c..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-2756 +++ /dev/null 
@@ -1,142 +0,0 @@ -$NetBSD: patch-CVE-2015-2756,v 1.1 2015/04/19 13:13:20 spz Exp $ - -patch for CVE-2015-2756 aka XSA-126 from -http://xenbits.xenproject.org/xsa/xsa126-qemut.patch - ---- tools/ioemu-qemu-xen/hw/pass-through.c.orig 2013-07-17 10:59:40.000000000 +0000 -+++ tools/ioemu-qemu-xen/hw/pass-through.c -@@ -171,9 +171,6 @@ static int pt_word_reg_read(struct pt_de - static int pt_long_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask); - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint32_t *value, uint32_t valid_mask); -@@ -277,9 +274,9 @@ static struct pt_reg_info_tbl pt_emu_reg - .size = 2, - .init_val = 0x0000, - .ro_mask = 0xF880, -- .emu_mask = 0x0740, -+ .emu_mask = 0x0743, - .init = pt_common_reg_init, -- .u.w.read = pt_cmd_reg_read, -+ .u.w.read = pt_word_reg_read, - .u.w.write = pt_cmd_reg_write, - .u.w.restore = pt_cmd_reg_restore, - }, -@@ -1865,7 +1862,7 @@ static int pt_dev_is_virtfn(struct pci_d - return rc; - } - --static int pt_register_regions(struct pt_dev *assigned_device) -+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd) - { - int i = 0; - uint32_t bar_data = 0; -@@ -1885,17 +1882,26 @@ static int pt_register_regions(struct pt - - /* Register current region */ - if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO, - pt_ioport_map); -+ *cmd |= PCI_COMMAND_IO; -+ } - else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH ) -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - else -+ { - pci_register_io_region((PCIDevice *)assigned_device, i, - 
(uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM, - pt_iomem_map); -+ *cmd |= PCI_COMMAND_MEMORY; -+ } - - PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n", - (uint32_t)(pci_dev->size[i]), -@@ -3221,27 +3227,6 @@ static int pt_long_reg_read(struct pt_de - return 0; - } - --/* read Command register */ --static int pt_cmd_reg_read(struct pt_dev *ptdev, -- struct pt_reg_tbl *cfg_entry, -- uint16_t *value, uint16_t valid_mask) --{ -- struct pt_reg_info_tbl *reg = cfg_entry->reg; -- uint16_t valid_emu_mask = 0; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; -- -- /* emulate word register */ -- valid_emu_mask = emu_mask & valid_mask; -- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); -- -- return 0; --} -- - /* read BAR */ - static int pt_bar_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, -@@ -3376,19 +3361,13 @@ static int pt_cmd_reg_write(struct pt_de - uint16_t writable_mask = 0; - uint16_t throughable_mask = 0; - uint16_t wr_value = *value; -- uint16_t emu_mask = reg->emu_mask; -- -- if ( ptdev->is_virtfn ) -- emu_mask |= PCI_COMMAND_MEMORY; -- if ( pt_is_iomul(ptdev) ) -- emu_mask |= PCI_COMMAND_IO; - - /* modify emulate register */ - writable_mask = ~reg->ro_mask & valid_mask; - cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask); - - /* create value for writing to I/O device register */ -- throughable_mask = ~emu_mask & valid_mask; -+ throughable_mask = ~reg->emu_mask & valid_mask; - - if (*value & PCI_COMMAND_DISABLE_INTx) - { -@@ -4151,6 +4130,7 @@ static struct pt_dev * register_real_dev - struct pt_dev *assigned_device = NULL; - struct pci_dev *pci_dev; - uint8_t e_device, e_intx; -+ uint16_t cmd = 0; - char *key, *val; - int msi_translate, power_mgmt; - -@@ -4240,7 +4220,7 @@ static struct pt_dev * register_real_dev - assigned_device->dev.config[i] = pci_read_byte(pci_dev, 
i); - - /* Handle real device's MMIO/PIO BARs */ -- pt_register_regions(assigned_device); -+ pt_register_regions(assigned_device, &cmd); - - /* Setup VGA bios for passthroughed gfx */ - if ( setup_vga_pt(assigned_device) < 0 ) -@@ -4318,6 +4298,10 @@ static struct pt_dev * register_real_dev - } - - out: -+ if (cmd) -+ pci_write_word(pci_dev, PCI_COMMAND, -+ *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd); -+ - PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n" - "IRQ type = %s\n", r_bus, r_dev, r_func, - assigned_device->msi_trans_en? "MSI-INTx":"INTx"); diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-7835 b/sysutils/xenkernel41/patches/patch-CVE-2015-7835 deleted file mode 100644 index 9b38ab4435e..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-7835 +++ /dev/null 
@@ -1,45 +0,0 @@ -$NetBSD: patch-CVE-2015-7835,v 1.1 2015/10/29 20:29:56 bouyer Exp $ - -Patch for CVE-2015-7835 aka XSA-148 based on -http://xenbits.xenproject.org/xsa/xsa148-4.4.patch - ---- xen/include/asm-x86/x86_32/page.h.orig 2015-10-29 20:35:24.000000000 +0100 -+++ xen/include/asm-x86/x86_32/page.h 2015-10-29 20:38:02.000000000 +0100 -@@ -130,7 +130,9 @@ - #define BASE_DISALLOW_MASK (0xFFFFF198U & ~_PAGE_NX) - - #define L1_DISALLOW_MASK (BASE_DISALLOW_MASK | _PAGE_GNTTAB) --#define L2_DISALLOW_MASK (BASE_DISALLOW_MASK & ~_PAGE_PSE) -+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \ -+ ? BASE_DISALLOW_MASK & ~_PAGE_PSE \ -+ : BASE_DISALLOW_MASK ) - #define L3_DISALLOW_MASK 0xFFFFF1FEU /* must-be-zero */ - - #endif /* __X86_32_PAGE_H__ */ ---- xen/include/asm-x86/x86_64/page.h.orig 2015-10-29 20:35:36.000000000 +0100 -+++ xen/include/asm-x86/x86_64/page.h 2015-10-29 20:37:33.000000000 +0100 -@@ -167,7 +167,9 @@ - #define BASE_DISALLOW_MASK (0xFF800198U & ~_PAGE_NX) - - #define L1_DISALLOW_MASK (BASE_DISALLOW_MASK | _PAGE_GNTTAB) --#define L2_DISALLOW_MASK (BASE_DISALLOW_MASK & ~_PAGE_PSE) -+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \ -+ ? BASE_DISALLOW_MASK & ~_PAGE_PSE \ -+ : BASE_DISALLOW_MASK ) - #define L3_DISALLOW_MASK (BASE_DISALLOW_MASK) - #define L4_DISALLOW_MASK (BASE_DISALLOW_MASK) - ---- xen/arch/x86/mm.c.orig 2015-10-29 20:30:55.000000000 +0100 -+++ xen/arch/x86/mm.c 2015-10-29 20:32:56.000000000 +0100 -@@ -1898,7 +1898,10 @@ - } - - /* Fast path for identical mapping and presence. */ -- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) ) -+ if ( !l2e_has_changed(ol2e, nl2e, -+ unlikely(opt_allow_superpage) -+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT -+ : _PAGE_PRESENT) ) - { - adjust_guest_l2e(nl2e, d); - rc = UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad); 
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-7969 b/sysutils/xenkernel41/patches/patch-CVE-2015-7969 deleted file mode 100644 index 200c1dd57c3..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-7969 +++ /dev/null @@ -1,35 +0,0 @@ -$NetBSD: patch-CVE-2015-7969,v 1.1 2015/10/29 20:29:56 bouyer Exp $ - -Patch for CVE-2015-7869 aka XSA-149 + XSA-151 based on -http://xenbits.xenproject.org/xsa/xsa149.patch -http://xenbits.xenproject.org/xsa/xsa151.patch - ---- xen/common/domain.c.orig 2013-09-10 08:42:18.000000000 +0200 -+++ xen/common/domain.c 2015-10-29 20:44:06.000000000 +0100 -@@ -671,6 +671,7 @@ - xfree(d->pirq_to_evtchn); - - xsm_free_security_domain(d); -+ xfree(d->vcpu); - free_domain_struct(d); - - send_guest_global_virq(dom0, VIRQ_DOM_EXC); - ---- xen/common/xenoprof.c.orig -+++ xen/common/xenoprof.c -@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct( - d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0); - if ( d->xenoprof->rawbuf == NULL ) - { -+ xfree(d->xenoprof->vcpu); - xfree(d->xenoprof); - d->xenoprof = NULL; - return -ENOMEM; -@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain * - free_xenheap_pages(x->rawbuf, order); - } - -+ xfree(x->vcpu); - xfree(x); - d->xenoprof = NULL; - } diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-7971 b/sysutils/xenkernel41/patches/patch-CVE-2015-7971 deleted file mode 100644 index d104a07fd6c..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-7971 +++ /dev/null 
@@ -1,35 +0,0 @@ -$NetBSD: patch-CVE-2015-7971,v 1.1 2015/10/29 20:29:56 bouyer Exp $ - -Patch for CVE-2015-7971 aka XSA-152, based on -http://xenbits.xenproject.org/xsa/xsa152.patch - ---- xen/common/xenoprof.c.orig -+++ xen/common/xenoprof.c -@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H - - if ( (op < 0) || (op > XENOPROF_last_op) ) - { -- printk("xenoprof: invalid operation %d for domain %d\n", -- op, current->domain->domain_id); -+ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op); - return -EINVAL; - } - - if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) ) - { -- printk("xenoprof: dom %d denied privileged operation %d\n", -- current->domain->domain_id, op); -+ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op); - return -EPERM; - } - -@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H - spin_unlock(&xenoprof_lock); - - if ( ret < 0 ) -- printk("xenoprof: operation %d failed for dom %d (status : %d)\n", -- op, current->domain->domain_id, ret); -+ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret); - - return ret; - } diff --git a/sysutils/xenkernel41/patches/patch-CVE-2015-8339 b/sysutils/xenkernel41/patches/patch-CVE-2015-8339 deleted file mode 100644 index d6b2dc9e78c..00000000000 --- a/sysutils/xenkernel41/patches/patch-CVE-2015-8339 +++ /dev/null 
@@ -1,20 +0,0 @@
-$NetBSD: patch-CVE-2015-8339,v 1.1 2016/01/07 17:55:55 bouyer Exp $
-
-Patch for CVE-2015-8339 and CVE-2015-8340 aka XSA-159, based on
-http://xenbits.xenproject.org/xsa/xsa159.patch
-
---- xen/common/memory.c.orig 2013-09-10 08:42:18.000000000 +0200
-+++ xen/common/memory.c 2016-01-07 14:39:42.000000000 +0100
-@@ -487,7 +487,11 @@
- /* Reassign any input pages we managed to steal. */
- while ( (page = page_list_remove_head(&in_chunk_list)) )
- if ( assign_pages(d, page, 0, MEMF_no_refcount) )
-- BUG();
-+ {
-+ BUG_ON(!d->is_dying);
-+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-+ put_page(page);
-+ }
- dying:
- rcu_unlock_domain(d);
- /* Free any output pages we managed to allocate. */
diff --git a/sysutils/xenkernel41/patches/patch-Config.mk b/sysutils/xenkernel41/patches/patch-Config.mk
deleted file mode 100644
index 8bd5cdcb667..00000000000
--- a/sysutils/xenkernel41/patches/patch-Config.mk
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-Config.mk,v 1.1 2013/04/11 19:57:51 joerg Exp $
-
---- Config.mk.orig 2012-12-18 12:54:16.000000000 +0000
-+++ Config.mk
-@@ -16,6 +16,8 @@ SHELL ?= /bin/sh
- HOSTCC = gcc
- HOSTCFLAGS = -Wall -Werror -Wstrict-prototypes -O2 -fomit-frame-pointer
- HOSTCFLAGS += -fno-strict-aliasing
-+HOSTCFLAGS += ${EXTRA_CFLAGS}
-+CFLAGS += ${EXTRA_CFLAGS}
-
- DISTDIR ?= $(XEN_ROOT)/dist
- DESTDIR ?= /
diff --git a/sysutils/xenkernel41/patches/patch-XSA-166 b/sysutils/xenkernel41/patches/patch-XSA-166
deleted file mode 100644
index 2e3e322007a..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-166
+++ /dev/null
@@ -1,42 +0,0 @@
-$NetBSD: patch-XSA-166,v 1.1 2016/01/07 17:55:55 bouyer Exp $
-
-Patch for XSA-166, based on
-http://xenbits.xenproject.org/xsa/xsa166-4.3.patch
-
---- xen/arch/x86/hvm/hvm.c.orig
-+++ xen/arch/x86/hvm/hvm.c
-@@ -342,6 +342,7 @@ void hvm_migrate_pirqs(struct vcpu *v)
- void hvm_do_resume(struct vcpu *v)
- {
- ioreq_t *p;
-+ unsigned int state;
-
- pt_restore_timer(v);
-
-@@ -349,9 +350,10 @@ void hvm_do_resume(struct vcpu *v)
-
- /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */
- p = get_ioreq(v);
-- while ( p->state != STATE_IOREQ_NONE )
-+ while ( (state = p->state) != STATE_IOREQ_NONE )
- {
-- switch ( p->state )
-+ rmb();
-+ switch ( state )
- {
- case STATE_IORESP_READY: /* IORESP_READY -> NONE */
- hvm_io_assist();
-@@ -359,11 +361,10 @@ void hvm_do_resume(struct vcpu *v)
- case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
- case STATE_IOREQ_INPROCESS:
- wait_on_xen_event_channel(v->arch.hvm_vcpu.xen_port,
-- (p->state != STATE_IOREQ_READY) &&
-- (p->state != STATE_IOREQ_INPROCESS));
-+ p->state != state);
- break;
- default:
-- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
-+ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
- domain_crash(v->domain);
- return; /* bail */
- }
diff --git a/sysutils/xenkernel41/patches/patch-XSA-182 b/sysutils/xenkernel41/patches/patch-XSA-182
deleted file mode 100644
index 04f4a45b0c4..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-182
+++ /dev/null
@@ -1,90 +0,0 @@
-$NetBSD: patch-XSA-182,v 1.1 2016/07/26 15:59:20 bouyer Exp $
-
-backported from:
-
-From 798c1498f764bfaa7b0b955bab40b01b0610d372 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Mon, 11 Jul 2016 14:32:03 +0100
-Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
-
-All changes in writeability and cacheability must go through full
-re-validation.
-
-Rework the logic as a whitelist, to make it clearer to follow.
-
-This is XSA-182
-
---- xen/arch/x86/mm.c.orig 2016-07-26 16:51:13.000000000 +0200
-+++ xen/arch/x86/mm.c 2016-07-26 16:53:07.000000000 +0200
-@@ -1792,6 +1792,14 @@
- _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \
- (_m), (_v), (_ad))
-
-+/*
-+ * PTE flags that a guest may change without re-validating the PTE.
-+ * All other bits affect translation, caching, or Xen's safety.
-+ */
-+#define FASTPATH_FLAG_WHITELIST \
-+ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \
-+ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER)
-+
- /* Update the L1 entry at pl1e to new value nl1e. */
- static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
- unsigned long gl1mfn, int preserve_ad,
-@@ -1829,8 +1837,8 @@
- return 0;
- }
-
-- /* Fast path for identical mapping, r/w and presence. */
-- if ( !l1e_has_changed(ol1e, nl1e, _PAGE_RW | _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings.*/
-+ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l1e(nl1e, pt_dom);
- rc = UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
-@@ -1897,11 +1905,8 @@
- return 0;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l2e_has_changed(ol2e, nl2e,
-- unlikely(opt_allow_superpage)
-- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
-- : _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l2e(nl2e, d);
- rc = UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad);
-@@ -1965,8 +1970,8 @@
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l3e(nl3e, d);
- rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad);
-@@ -2035,8 +2040,8 @@
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l4e(nl4e, d);
- rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad);
---- xen/include/asm-x86/page.h.orig 2014-09-02 08:22:57.000000000 +0200
-+++ xen/include/asm-x86/page.h 2016-07-26 16:39:51.000000000 +0200
-@@ -332,6 +332,7 @@
- #define _PAGE_AVAIL2 0x800U
- #define _PAGE_AVAIL 0xE00U
- #define _PAGE_PSE_PAT 0x1000U
-+#define _PAGE_AVAIL_HIGH (0x7ffU << 12)
- #define _PAGE_PAGED 0x2000U
- #define _PAGE_SHARED 0x4000U
-
diff --git a/sysutils/xenkernel41/patches/patch-XSA-185 b/sysutils/xenkernel41/patches/patch-XSA-185
deleted file mode 100644
index b1d13bac5e7..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-185
+++ /dev/null
@@ -1,37 +0,0 @@
-$NetBSD: patch-XSA-185,v 1.1 2016/09/08 15:41:01 bouyer Exp $
-
-From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Mon, 8 Aug 2016 10:58:12 +0100
-Subject: x86/32on64: don't allow recursive page tables from L3
-
-L3 entries are special in PAE mode, and hence can't reasonably be used
-for setting up recursive (and hence linear) page table mappings. Since
-abuse is possible when the guest in fact gets run on 4-level page
-tables, this needs to be excluded explicitly.
-
-This is XSA-185.
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/mm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 109b8be..69b8b8d 100644
---- xen/arch/x86/mm.c.orig
-+++ xen/arch/x86/mm.c
-@@ -1122,7 +1122,9 @@ get_page_from_l3e(
-
- rc = get_page_and_type_from_pagenr(
- l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
-- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
-+ if ( unlikely(rc == -EINVAL) &&
-+ !is_pv_32bit_domain(d) &&
-+ get_l3_linear_pagetable(l3e, pfn, d) )
- rc = 0;
-
- return rc;
diff --git a/sysutils/xenkernel41/patches/patch-XSA-187-1 b/sysutils/xenkernel41/patches/patch-XSA-187-1
deleted file mode 100644
index 6481bcb5ace..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-187-1
+++ /dev/null
@@ -1,44 +0,0 @@
-$NetBSD: patch-XSA-187-1,v 1.1 2016/09/08 15:41:01 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
-
-hvm_get_seg_reg() does not perform a range check on its input segment, calls
-hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
-
-x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
-in {vmx,svm}_get_segment_register().
-
-HVM guests running with shadow paging can end up performing a virtual to
-linear translation with x86_seg_none. This is used for addresses which are
-already linear. However, none of this is a legitimate pagetable update, so
-fail the emulation in such a case.
-
-This is XSA-187
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-
---- xen/arch/x86/mm/shadow/common.c.orig
-+++ xen/arch/x86/mm/shadow/common.c
-@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
- struct sh_emulate_ctxt *sh_ctxt,
- unsigned long *paddr)
- {
-- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ struct segment_register *reg;
- int okay;
-
-+ /*
-+ * Can arrive here with non-user segments. However, no such cirucmstance
-+ * is part of a legitimate pagetable update, so fail the emulation.
-+ */
-+ if ( !is_x86_user_segment(seg) )
-+ return X86EMUL_UNHANDLEABLE;
-+
-+ reg = hvm_get_seg_reg(seg, sh_ctxt);
-+
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-
diff --git a/sysutils/xenkernel41/patches/patch-XSA-187-2 b/sysutils/xenkernel41/patches/patch-XSA-187-2
deleted file mode 100644
index 0fa5b0a3cc8..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-187-2
+++ /dev/null
@@ -1,152 +0,0 @@
-$NetBSD: patch-XSA-187-2,v 1.1 2016/09/08 15:41:01 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
-
-HVM HAP codepaths have space for all segment registers in the seg_reg[]
-cache (with x86_seg_none still risking an array overrun), while the shadow
-codepaths only have space for the user segments.
-
-Range check the input segment of *_get_seg_reg() against the size of the array
-used to cache the results, to avoid overruns in the case that the callers
-don't filter their input suitably.
-
-Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
-an incomplete attempt at range checking, and are now superceeded. Make
-hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
-
-No functional change, but far easier to reason that no overflow is possible.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-
---- xen/include/asm-x86/hvm/emulate.h.orig 2014-09-02 08:22:57.000000000 +0200
-+++ xen/include/asm-x86/hvm/emulate.h 2016-09-08 15:57:32.000000000 +0200
-@@ -13,6 +13,7 @@
- #define __ASM_X86_HVM_EMULATE_H__
-
- #include <xen/config.h>
-+#include <xen/err.h>
- #include <asm/x86_emulate.h>
-
- struct hvm_emulate_ctxt {
---- xen/arch/x86/hvm/emulate.c.orig 2014-09-02 08:22:57.000000000 +0200
-+++ xen/arch/x86/hvm/emulate.c 2016-09-08 16:01:31.000000000 +0200
-@@ -390,6 +390,8 @@
- *reps = min_t(unsigned long, *reps, 4096);
-
- reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
- {
-@@ -777,6 +779,10 @@
- struct hvm_emulate_ctxt *hvmemul_ctxt =
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(reg, sreg, sizeof(struct segment_register));
- return X86EMUL_OKAY;
- }
-@@ -790,6 +796,9 @@
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(sreg, reg, sizeof(struct segment_register));
- __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
-
-@@ -1130,10 +1139,17 @@
- }
- }
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvmemul_get_seg_reg(
- enum x86_segment seg,
- struct hvm_emulate_ctxt *hvmemul_ctxt)
- {
-+ if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
- if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
- hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
- return &hvmemul_ctxt->seg_reg[seg];
---- xen/arch/x86/mm/shadow/common.c.orig 2016-09-08 17:15:35.000000000 +0200
-+++ xen/arch/x86/mm/shadow/common.c 2016-09-08 17:29:23.000000000 +0200
-@@ -22,6 +22,7 @@
- */
-
- #include <xen/config.h>
-+#include <xen/err.h>
- #include <xen/types.h>
- #include <xen/mm.h>
- #include <xen/trace.h>
-@@ -116,10 +117,19 @@
- /* x86 emulator support for the shadow code
- */
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvm_get_seg_reg(
- enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
- {
-- struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
-+ struct segment_register *seg_reg;
-+
-+ if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
-+ seg_reg = &sh_ctxt->seg_reg[seg];
- if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
- hvm_get_segment_register(current, seg, seg_reg);
- return seg_reg;
-@@ -136,14 +146,9 @@
- struct segment_register *reg;
- int okay;
-
-- /*
-- * Can arrive here with non-user segments. However, no such cirucmstance
-- * is part of a legitimate pagetable update, so fail the emulation.
-- */
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-@@ -245,9 +250,6 @@
- unsigned long addr;
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- /* How many emulations could we save if we unshadowed on stack writes? */
- if ( seg == x86_seg_ss )
- perfc_incr(shadow_fault_emulate_stack);
-@@ -275,9 +277,6 @@
- unsigned long addr, old[2], new[2];
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- rc = hvm_translate_linear_addr(
- seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
- if ( rc )
diff --git a/sysutils/xenkernel41/patches/patch-XSA-191 b/sysutils/xenkernel41/patches/patch-XSA-191
deleted file mode 100644
index b0f9c69e23a..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-191
+++ /dev/null
@@ -1,142 +0,0 @@
-$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:53:40 bouyer Exp $
-
-backported from:
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/hvm: Fix the handling of non-present segments
-
-In 32bit, the data segments may be NULL to indicate that the segment is
-ineligible for use. In both 32bit and 64bit, the LDT selector may be NULL to
-indicate that the entire LDT is ineligible for use. However, nothing in Xen
-actually checks for this condition when performing other segmentation
-checks. (Note however that limit and writeability checks are correctly
-performed).
-
-Neither Intel nor AMD specify the exact behaviour of loading a NULL segment.
-Experimentally, AMD zeroes all attributes but leaves the base and limit
-unmodified. Intel zeroes the base, sets the limit to 0xfffffff and resets the
-attributes to just .G and .D/B.
-
-The use of the segment information in the VMCB/VMCS is equivalent to a native
-pipeline interacting with the segment cache. The present bit can therefore
-have a subtly different meaning, and it is now cooked to uniformly indicate
-whether the segment is usable or not.
-
-GDTR and IDTR don't have access rights like the other segments, but for
-consistency, they are treated as being present so no special casing is needed
-elsewhere in the segmentation logic.
-
-AMD hardware does not consider the present bit for %cs and %tr, and will
-function as if they were present. They are therefore unconditionally set to
-present when reading information from the VMCB, to maintain the new meaning of
-usability.
-
-Intel hardware has a separate unusable bit in the VMCS segment attributes.
-This bit is inverted and stored in the present field, so the hvm code can work
-with architecturally-common state.
-
-This is XSA-191.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- xen/arch/x86/hvm/hvm.c.orig 2016-11-22 15:03:22.000000000 +0100
-+++ xen/arch/x86/hvm/hvm.c 2016-11-22 15:19:57.000000000 +0100
-@@ -1626,6 +1626,10 @@
- * COMPATIBILITY MODE: Apply segment checks and add base.
- */
-
-+ /* Segment not valid for use (cooked meaning of .p)? */
-+ if ( !reg->attr.fields.p )
-+ return 0;
-+
- switch ( access_type )
- {
- case hvm_access_read:
-@@ -1800,6 +1804,10 @@
- hvm_get_segment_register(
- v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab);
-
-+ /* Segment not valid for use (cooked meaning of .p)? */
-+ if ( !desctab.attr.fields.p )
-+ goto fail;
-+
- /* Check against descriptor table limit. */
- if ( ((sel & 0xfff8) + 7) > desctab.limit )
- goto fail;
---- xen/arch/x86/hvm/svm/svm.c.orig 2013-09-10 08:42:18.000000000 +0200
-+++ xen/arch/x86/hvm/svm/svm.c 2016-11-22 15:19:57.000000000 +0100
-@@ -459,6 +459,7 @@
- {
- case x86_seg_cs:
- memcpy(reg, &vmcb->cs, sizeof(*reg));
-+ reg->attr.fields.p = 1;
- reg->attr.fields.g = reg->limit > 0xFFFFF;
- break;
- case x86_seg_ds:
-@@ -492,13 +493,16 @@
- case x86_seg_tr:
- svm_sync_vmcb(v);
- memcpy(reg, &vmcb->tr, sizeof(*reg));
-+ reg->attr.fields.p = 1;
- reg->attr.fields.type |= 0x2;
- break;
- case x86_seg_gdtr:
- memcpy(reg, &vmcb->gdtr, sizeof(*reg));
-+ reg->attr.bytes = 0x80;
- break;
- case x86_seg_idtr:
- memcpy(reg, &vmcb->idtr, sizeof(*reg));
-+ reg->attr.bytes = 0x80;
- break;
- case x86_seg_ldtr:
- svm_sync_vmcb(v);
---- xen/arch/x86/hvm/vmx/vmx.c.orig 2013-09-10 08:42:18.000000000 +0200
-+++ xen/arch/x86/hvm/vmx/vmx.c 2016-11-22 15:19:57.000000000 +0100
-@@ -761,10 +761,12 @@
-
- vmx_vmcs_exit(v);
-
-- reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00);
-- /* Unusable flag is folded into Present flag. */
-- if ( attr & (1u<<16) )
-- reg->attr.fields.p = 0;
-+ /*
-+ * Fold VT-x representation into Xen's representation. The Present bit is
-+ * unconditionally set to the inverse of unusable.
-+ */
-+ reg->attr.bytes =
-+ (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00);
-
- /* Adjust for virtual 8086 mode */
- if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr
-@@ -844,11 +846,11 @@
- }
- }
-
-- attr = ((attr & 0xf00) << 4) | (attr & 0xff);
--
-- /* Not-present must mean unusable. */
-- if ( !reg->attr.fields.p )
-- attr |= (1u << 16);
-+ /*
-+ * Unfold Xen representation into VT-x representation. The unusable bit
-+ * is unconditionally set to the inverse of present.
-+ */
-+ attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff);
-
- /* VMX has strict consistency requirement for flag G. */
- attr |= !!(limit >> 20) << 15;
---- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-11-22 15:03:21.000000000 +0100
-+++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-11-22 15:19:57.000000000 +0100
-@@ -1020,6 +1020,10 @@
- &desctab, ctxt)) )
- return rc;
-
-+ /* Segment not valid for use (cooked meaning of .p)? */
-+ if ( !desctab.attr.fields.p )
-+ goto raise_exn;
-+
- /* Check against descriptor table limit. */
- if ( ((sel & 0xfff8) + 7) > desctab.limit )
- goto raise_exn;
diff --git a/sysutils/xenkernel41/patches/patch-XSA-192 b/sysutils/xenkernel41/patches/patch-XSA-192
deleted file mode 100644
index 72ad050f01f..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-192
+++ /dev/null
@@ -1,67 +0,0 @@
-$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:53:40 bouyer Exp $
-
-backported from:
-
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch
-
-Just like TR, LDTR is purely a protected mode facility and hence needs
-to be loaded accordingly. Also move its loading to where it
-architecurally belongs.
-
-This is XSA-192.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- xen/arch/x86/hvm/hvm.c.orig 2016-11-22 15:19:57.000000000 +0100
-+++ xen/arch/x86/hvm/hvm.c 2016-11-22 15:31:13.000000000 +0100
-@@ -1767,16 +1767,15 @@
- }
-
- static int hvm_load_segment_selector(
-- enum x86_segment seg, uint16_t sel)
-+ enum x86_segment seg, uint16_t sel, unsigned int eflags)
- {
- struct segment_register desctab, cs, segr;
- struct desc_struct *pdesc, desc;
- u8 dpl, rpl, cpl;
- int fault_type = TRAP_invalid_tss;
-- struct cpu_user_regs *regs = guest_cpu_user_regs();
- struct vcpu *v = current;
-
-- if ( regs->eflags & X86_EFLAGS_VM )
-+ if ( eflags & X86_EFLAGS_VM )
- {
- segr.sel = sel;
- segr.base = (uint32_t)sel << 4;
-@@ -2022,6 +2021,8 @@
- if ( rc != HVMCOPY_okay )
- goto out;
-
-+ if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) )
-+ goto out;
-
- if ( hvm_set_cr3(tss.cr3) )
- goto out;
-@@ -2044,13 +2045,12 @@
- }
-
- exn_raised = 0;
-- if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) ||
-- hvm_load_segment_selector(x86_seg_es, tss.es) ||
-- hvm_load_segment_selector(x86_seg_cs, tss.cs) ||
-- hvm_load_segment_selector(x86_seg_ss, tss.ss) ||
-- hvm_load_segment_selector(x86_seg_ds, tss.ds) ||
-- hvm_load_segment_selector(x86_seg_fs, tss.fs) ||
-- hvm_load_segment_selector(x86_seg_gs, tss.gs) )
-+ if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) ||
-+ hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) )
- exn_raised = 1;
-
- rc = hvm_copy_to_guest_virt(
diff --git a/sysutils/xenkernel41/patches/patch-XSA-195 b/sysutils/xenkernel41/patches/patch-XSA-195
deleted file mode 100644
index b20d819af9a..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-195
+++ /dev/null
@@ -1,49 +0,0 @@
-$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:53:40 bouyer Exp $
-
-backported from:
-
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86emul: fix huge bit offset handling
-
-We must never chop off the high 32 bits.
-
-This is XSA-195.
-
-Reported-by: George Dunlap <george.dunlap@citrix.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-11-22 15:19:57.000000000 +0100
-+++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-11-22 16:03:48.000000000 +0100
-@@ -1578,6 +1578,12 @@
- else
- {
- /*
-+ * Instructions such as bt can reference an arbitrary offset from
-+ * their memory operand, but the instruction doing the actual
-+ * emulation needs the appropriate op_bytes read from memory.
-+ * Adjust both the source register and memory operand to make an
-+ * equivalent instruction.
-+ *
- * EA += BitOffset DIV op_bytes*8
- * BitOffset = BitOffset MOD op_bytes*8
- * DIV truncates towards negative infinity.
-@@ -1589,14 +1595,15 @@
- src.val = (int32_t)src.val;
- if ( (long)src.val < 0 )
- {
-- unsigned long byte_offset;
-- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
-+ unsigned long byte_offset =
-+ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
-+
- ea.mem.off -= byte_offset;
- src.val = (byte_offset << 3) + src.val;
- }
- else
- {
-- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
-+ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
- src.val &= (op_bytes << 3) - 1;
- }
- }
diff --git a/sysutils/xenkernel41/patches/patch-XSA-200 b/sysutils/xenkernel41/patches/patch-XSA-200
deleted file mode 100644
index 8ffb7246c60..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-200
+++ /dev/null
@@ -1,57 +0,0 @@
-$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
-
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86emul: CMPXCHG8B ignores operand size prefix
-
-Otherwise besides mis-handling the instruction, the comparison failure
-case would result in uninitialized stack data being handed back to the
-guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
-ones).
-
-This is XSA-200.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- tools/tests/x86_emulator/test_x86_emulator.c.orig
-+++ tools/tests/x86_emulator/test_x86_emulator.c
-@@ -429,6 +429,24 @@ int main(int argc, char **argv)
- goto fail;
- printf("okay\n");
-
-+ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
-+ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
-+ res[0] = 0x12345678;
-+ res[1] = 0x87654321;
-+ regs.eflags = 0x200;
-+ regs.eip = (unsigned long)&instr[0];
-+ regs.edi = (unsigned long)res;
-+ rc = x86_emulate(&ctxt, &emulops);
-+ if ( (rc != X86EMUL_OKAY) ||
-+ (res[0] != 0x12345678) ||
-+ (res[1] != 0x87654321) ||
-+ (regs.eax != 0x12345678) ||
-+ (regs.edx != 0x87654321) ||
-+ ((regs.eflags&0x240) != 0x200) ||
-+ (regs.eip != (unsigned long)&instr[4]) )
-+ goto fail;
-+ printf("okay\n");
-+
- printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
- instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
- regs.eflags = 0x200;
---- ./xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 21:54:25.000000000 +0100
-+++ ./xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:00:32.000000000 +0100
-@@ -4183,7 +4183,12 @@
-
- generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
- generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
-- op_bytes *= 2;
-+ if ( op_bytes == 8 )
-+ {
-+ /* vcpu_must_have_cx16() XXX doens't exists */
-+ op_bytes = 16;
-+ } else
-+ op_bytes = 8;
-
- /* Get actual old value. */
- for ( i = 0; i < (op_bytes/sizeof(long)); i++ )
diff --git a/sysutils/xenkernel41/patches/patch-XSA-202 b/sysutils/xenkernel41/patches/patch-XSA-202
deleted file mode 100644
index d95bcc9b8e9..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-202
+++ /dev/null
@@ -1,73 +0,0 @@
-$NetBSD: patch-XSA-202,v 1.1 2016/12/21 15:35:44 bouyer Exp $
-
-From: Jan Beulich <jbeulich@suse.com>
-Subject: x86: force EFLAGS.IF on when exiting to PV guests
-
-Guest kernels modifying instructions in the process of being emulated
-for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
-next exiting to guest context, by converting the being emulated
-instruction to CLI (at the right point in time). Prevent any such bad
-effects by always forcing EFLAGS.IF on. And to cover hypothetical other
-similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.
-
-This is XSA-202.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
-
---- xen/arch/x86/x86_64/compat/entry.S.orig 2014-09-02 08:22:57.000000000 +0200
-+++ xen/arch/x86/x86_64/compat/entry.S 2016-12-21 13:23:21.000000000 +0100
-@@ -173,6 +173,10 @@
- /* %rbx: struct vcpu, interrupts disabled */
- ENTRY(compat_restore_all_guest)
- ASSERT_INTERRUPTS_DISABLED
-+ mov $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
-+ and UREGS_eflags(%rsp),%r11d
-+ or $X86_EFLAGS_IF,%r11
-+ mov %r11d,UREGS_eflags(%rsp)
- RESTORE_ALL
- addq $8,%rsp
- .Lft0: iretq
---- xen/arch/x86/x86_64/entry.S.orig 2016-12-21 13:25:26.000000000 +0100
-+++ xen/arch/x86/x86_64/entry.S 2016-12-21 13:32:36.000000000 +0100
-@@ -41,30 +41,29 @@
- testw $TRAP_syscall,4(%rsp)
- jz iret_exit_to_guest
-
-+ movq 24(%rsp),%r11 # RFLAGS
-+ andq $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
-+ orq $X86_EFLAGS_IF,%r11
-+
- /* Don't use SYSRET path if the return address is not canonical. */
- movq 8(%rsp),%rcx
- sarq $47,%rcx
- incl %ecx
- cmpl $1,%ecx
-- ja .Lforce_iret
-+ movq 8(%rsp),%rcx # RIP
-+ ja iret_exit_to_guest
-
-- addq $8,%rsp
-- popq %rcx # RIP
-- popq %r11 # CS
-- cmpw $FLAT_USER_CS32,%r11
-- popq %r11 # RFLAGS
-- popq %rsp # RSP
-+ cmpw $FLAT_USER_CS32,%r11w
-+ movq 32(%rsp),%rsp # RSP
- je 1f
- sysretq
- 1: sysretl
-
--.Lforce_iret:
-- /* Mimic SYSRET behavior. */
-- movq 8(%rsp),%rcx # RIP
-- movq 24(%rsp),%r11 # RFLAGS
- ALIGN
- /* No special register assumptions. */
- iret_exit_to_guest:
-+ andl $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
-+ orl $X86_EFLAGS_IF,24(%rsp)
- addq $8,%rsp
- .Lft0: iretq
-
diff --git a/sysutils/xenkernel41/patches/patch-XSA-204 b/sysutils/xenkernel41/patches/patch-XSA-204
deleted file mode 100644
index 72f272056a6..00000000000
--- a/sysutils/xenkernel41/patches/patch-XSA-204
+++ /dev/null
@@ -1,71 +0,0 @@
-$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
-
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Sun, 18 Dec 2016 15:42:59 +0000
-Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
-
-A singlestep #DB is determined by the resulting eflags value from the
-execution of SYSCALL, not the original eflags value.
-
-By using the original eflags value, we negate the guest kernels attempt to
-protect itself from a privilege escalation by masking TF.
-
-Introduce a tf boolean and have the SYSCALL emulation recalculate it
-after the instruction is complete.
-
-This is XSA-204
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
- 1 file changed, 20 insertions(+), 3 deletions(-)
-
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index 0c43fe1..f675dc9 100644
---- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 22:02:25.000000000 +0100
-+++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:05:31.000000000 +0100
-@@ -1233,6 +1233,7 @@
- #define REPE_PREFIX 1
- #define REPNE_PREFIX 2
- unsigned int lock_prefix = 0, rep_prefix = 0;
-+ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
- int override_seg = -1, rc = X86EMUL_OKAY;
- struct operand src, dst;
-
-@@ -3498,9 +3499,8 @@
- break;
- }
-
-- /* Inject #DB if single-step tracing was enabled at instruction start. */
-- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
-- (ops->inject_hw_exception != NULL) )
-+ /* Should a singlestep #DB be raised? */
-+ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
- rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
-
- /* Commit shadow register state. */
-@@ -3685,6 +3685,23 @@
- (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
- goto done;
-
-+ /*
-+ * SYSCALL (unlike most instructions) evaluates its singlestep action
-+ * based on the resulting EFLG_TF, not the starting EFLG_TF.
-+ *
-+ * As the #DB is raised after the CPL change and before the OS can
-+ * switch stack, it is a large risk for privilege escalation.
-+ *
-+ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
-+ * vulnerability. Running the #DB handler on an IST stack is also a
-+ * mitigation.
-+ *
-+ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
-+ * mitigation is to use a task gate for handling #DB (or to not use
-+ * enable EFER.SCE to start with).
-+ */
-+ tf = !!(_regs.eflags & EFLG_TF);
-+
- break;
- }
-
diff --git a/sysutils/xenkernel41/patches/patch-xen_Makefile b/sysutils/xenkernel41/patches/patch-xen_Makefile
deleted file mode 100644
index c32b1cac297..00000000000
--- a/sysutils/xenkernel41/patches/patch-xen_Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-xen_Makefile,v 1.1 2013/04/11 19:57:51 joerg Exp $
-
---- xen/Makefile.orig 2013-03-25 13:23:45.000000000 +0000
-+++ xen/Makefile
-@@ -89,7 +89,7 @@ include/xen/compile.h: include/xen/compi
- -e 's/@@whoami@@/$(XEN_WHOAMI)/g' \
- -e 's/@@domain@@/$(XEN_DOMAIN)/g' \
- -e 's/@@hostname@@/$(shell hostname)/g' \
-- -e 's!@@compiler@@!$(shell $(CC) $(CFLAGS) -v 2>&1 | tail -1)!g' \
-+ -e 's!@@compiler@@!$(shell $(CC) $(EXTRA_CFLAGS) $(CFLAGS) -v 2>&1 | tail -1)!g' \
- -e 's/@@version@@/$(XEN_VERSION)/g' \
- -e 's/@@subversion@@/$(XEN_SUBVERSION)/g' \
- -e 's/@@extraversion@@/$(XEN_EXTRAVERSION)/g' \
diff --git a/sysutils/xenkernel41/patches/patch-xen_arch_x86_Rules.mk b/sysutils/xenkernel41/patches/patch-xen_arch_x86_Rules.mk
deleted file mode 100644
index e433e0ce6e7..00000000000
--- a/sysutils/xenkernel41/patches/patch-xen_arch_x86_Rules.mk
+++ /dev/null
@@ -1,12 +0,0 @@ -$NetBSD: patch-xen_arch_x86_Rules.mk,v 1.1 2013/04/11 19:57:51 joerg Exp $ - ---- xen/arch/x86/Rules.mk.orig 2013-03-25 13:28:19.000000000 +0000 -+++ xen/arch/x86/Rules.mk -@@ -21,6 +21,7 @@ CFLAGS += -iwithprefix include -Werror - - CFLAGS += -I$(BASEDIR)/include - CFLAGS += -I$(BASEDIR)/include/asm-x86/mach-generic - CFLAGS += -I$(BASEDIR)/include/asm-x86/mach-default -+CFLAGS += $(EXTRA_CFLAGS) - - # Prevent floating-point variables from creeping into Xen. - CFLAGS += -msoft-float diff --git a/sysutils/xenkernel41/patches/patch-xen_arch_x86_cpu_mcheck_vmce.c b/sysutils/xenkernel41/patches/patch-xen_arch_x86_cpu_mcheck_vmce.c deleted file mode 100644 index b29d6cfc309..00000000000 --- a/sysutils/xenkernel41/patches/patch-xen_arch_x86_cpu_mcheck_vmce.c +++ /dev/null @@ -1,31 +0,0 @@ -$NetBSD: patch-xen_arch_x86_cpu_mcheck_vmce.c,v 1.1 2013/04/11 19:57:51 joerg Exp $ - ---- xen/arch/x86/cpu/mcheck/vmce.c.orig 2013-03-25 13:46:53.000000000 +0000 -+++ xen/arch/x86/cpu/mcheck/vmce.c -@@ -39,7 +39,7 @@ int vmce_init_msr(struct domain *d) - return -ENOMEM; - } - memset(dom_vmce(d)->mci_ctl, ~0, -- sizeof(dom_vmce(d)->mci_ctl)); -+ sizeof(*dom_vmce(d)->mci_ctl)); - - dom_vmce(d)->mcg_status = 0x0; - dom_vmce(d)->mcg_cap = g_mcg_cap; -@@ -369,7 +369,7 @@ static struct bank_entry* alloc_bank_ent - return NULL; - } - -- memset(entry, 0x0, sizeof(entry)); -+ memset(entry, 0x0, sizeof(*entry)); - INIT_LIST_HEAD(&entry->list); - return entry; - } -@@ -451,7 +451,7 @@ int vmce_init(struct cpuinfo_x86 *c) - return -ENOMEM; - } - /* Don't care banks before firstbank */ -- memset(h_mci_ctrl, 0xff, sizeof(h_mci_ctrl)); -+ memset(h_mci_ctrl, 0xff, sizeof(*h_mci_ctrl)); - for (i = firstbank; i < nr_mce_banks; i++) - rdmsrl(MSR_IA32_MCx_CTL(i), h_mci_ctrl[i]); - } diff --git a/sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c b/sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c deleted file mode 100644 index 358fb2620c1..00000000000 
--- a/sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c +++ /dev/null @@ -1,26 +0,0 @@ -$NetBSD: patch-xen_arch_x86_time.c,v 1.3 2015/12/29 04:04:32 dholland Exp $ - ---- xen/arch/x86/time.c.orig 2013-09-10 06:42:18.000000000 +0000 -+++ xen/arch/x86/time.c 2013-09-11 14:30:13.000000000 +0000 -@@ -105,7 +105,7 @@ - { - u32 product_int, product_frac; - asm ( -- "mul %3" -+ "mull %3" - : "=a" (product_frac), "=d" (product_int) - : "0" (multiplicand), "r" (multiplier) ); - return product_int; -@@ -129,10 +129,10 @@ - - #ifdef CONFIG_X86_32 - asm ( -- "mul %5 ; " -+ "mull %5 ; " - "mov %4,%%eax ; " - "mov %%edx,%4 ; " -- "mul %5 ; " -+ "mull %5 ; " - "xor %5,%5 ; " - "add %4,%%eax ; " - "adc %5,%%edx ; " diff --git a/sysutils/xenkernel41/patches/patch-xen_drivers_char_console_c b/sysutils/xenkernel41/patches/patch-xen_drivers_char_console_c deleted file mode 100644 index 277428e069a..00000000000 --- a/sysutils/xenkernel41/patches/patch-xen_drivers_char_console_c +++ /dev/null @@ -1,12 +0,0 @@ -$NetBSD: patch-xen_drivers_char_console_c,v 1.1 2011/06/16 13:02:50 cegger Exp $ - ---- xen/drivers/char/console.c.orig 2011-06-14 16:03:45.000000000 +0000 -+++ xen/drivers/char/console.c -@@ -10,7 +10,6 @@ - * Ported to Xen - Steven Rostedt - Red Hat - */ - --#include <xen/stdarg.h> - #include <xen/config.h> - #include <xen/version.h> - #include <xen/init.h> diff --git a/sysutils/xenkernel41/patches/patch-xen_drivers_passthrough_vtd_x86_ats.c b/sysutils/xenkernel41/patches/patch-xen_drivers_passthrough_vtd_x86_ats.c deleted file mode 100644 index 40822684d39..00000000000 --- a/sysutils/xenkernel41/patches/patch-xen_drivers_passthrough_vtd_x86_ats.c +++ /dev/null 
@@ -1,13 +0,0 @@ -$NetBSD: patch-xen_drivers_passthrough_vtd_x86_ats.c,v 1.1 2015/09/14 13:36:29 joerg Exp $ - ---- xen/drivers/passthrough/vtd/x86/ats.c.orig 2015-09-13 15:34:59.000000000 +0000 -+++ xen/drivers/passthrough/vtd/x86/ats.c -@@ -286,7 +286,7 @@ int dev_invalidate_iotlb(struct iommu *i - case DMA_TLB_GLOBAL_FLUSH: - /* invalidate all translations: sbit=1,bit_63=0,bit[62:12]=1 */ - sbit = 1; -- addr = (~0 << PAGE_SHIFT_4K) & 0x7FFFFFFFFFFFFFFF; -+ addr = (~0ULL << PAGE_SHIFT_4K) & 0x7FFFFFFFFFFFFFFF; - ret |= qinval_device_iotlb(iommu, pdev->ats_queue_depth, - sid, sbit, addr); - break; diff --git a/sysutils/xenkernel41/patches/patch-xen_include_xen_stdarg.h b/sysutils/xenkernel41/patches/patch-xen_include_xen_stdarg.h deleted file mode 100644 index 55db181b596..00000000000 --- a/sysutils/xenkernel41/patches/patch-xen_include_xen_stdarg.h +++ /dev/null @@ -1,25 +0,0 @@ -$NetBSD: patch-xen_include_xen_stdarg.h,v 1.3 2011/08/14 20:42:41 abs Exp $ - ---- xen/include/xen/stdarg.h.orig 2011-06-14 16:03:46.000000000 +0000 -+++ xen/include/xen/stdarg.h -@@ -1,8 +1,19 @@ - #if defined(__OpenBSD__) - # include "/usr/include/stdarg.h" - #elif defined (__NetBSD__) -+ /* Why not just include stdarg.h like everyone else? should explain */ - typedef __builtin_va_list va_list; --# define va_start(ap, last) __builtin_stdarg_start((ap), (last)) -+# ifdef __GNUC__ -+# define __GNUC_PREREQ__(x, y) \ -+ ((__GNUC__ == (x) && __GNUC_MINOR__ >= (y)) || \ -+ (__GNUC__ > (x))) -+# else -+# define __GNUC_PREREQ__(x, y) 0 -+# endif -+# if !__GNUC_PREREQ__(4, 5) -+# define __builtin_va_start(ap, last) __builtin_stdarg_start((ap), (last)) -+# endif -+# define va_start(ap, last) __builtin_va_start((ap), (last)) - # define va_end(ap) __builtin_va_end(ap) - # define va_arg __builtin_va_arg - #else |