From 512a20c5c1b98f36fbe5193d7b25b820cfcfedc8 Mon Sep 17 00:00:00 2001 From: tron Date: Sun, 28 Sep 2014 12:07:10 +0000 Subject: Pullup ticket #4505 - requested by bouyer sysutils/xenkernel41: security patch Revisions pulled up: - sysutils/xenkernel41/Makefile 1.39 - sysutils/xenkernel41/distinfo 1.30 - sysutils/xenkernel41/patches/patch-CVE-2014-7154 1.1 - sysutils/xenkernel41/patches/patch-CVE-2014-7155 1.1 - sysutils/xenkernel41/patches/patch-CVE-2014-7156 1.1
---
Module Name: pkgsrc Committed By: bouyer Date: Fri Sep 26 10:45:00 UTC 2014 Modified Files: pkgsrc/sysutils/xenkernel41: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel41/patches: patch-CVE-2014-7154 patch-CVE-2014-7155 patch-CVE-2014-7156 Log Message: Add patch for: XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts bump PKGREVISION
---
sysutils/xenkernel41/Makefile | 4 +-- sysutils/xenkernel41/distinfo | 5 ++- sysutils/xenkernel41/patches/patch-CVE-2014-7154 | 34 +++++++++++++++++++++ sysutils/xenkernel41/patches/patch-CVE-2014-7155 | 39 ++++++++++++++++++++++++ sysutils/xenkernel41/patches/patch-CVE-2014-7156 | 25 +++++++++++++++ 5 files changed, 104 insertions(+), 3 deletions(-) create mode 100644 sysutils/xenkernel41/patches/patch-CVE-2014-7154 create mode 100644 sysutils/xenkernel41/patches/patch-CVE-2014-7155 create mode 100644 sysutils/xenkernel41/patches/patch-CVE-2014-7156
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index 26ef1ad99ba..710a5fe12a4 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.38 2014/06/18 13:47:08 drochner Exp $ +# $NetBSD: Makefile,v 1.38.2.1 2014/09/28 12:07:10 tron Exp $ VERSION= 4.1.6.1 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 10 +PKGREVISION= 11 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index c5b4cf1fe80..c5b52fef7f9 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.29 2014/06/18 13:47:08 drochner Exp $ +$NetBSD: distinfo,v 1.29.2.1 2014/09/28 12:07:10 tron Exp $ SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 @@ -17,6 +17,9 @@ SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145 SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36 +SHA1 (patch-CVE-2014-7154) = 5f0541559d911778aa5267bb5c0e1e8a9a3904e2 +SHA1 (patch-CVE-2014-7155) = 0f1aa6a5d4fdb8403fc1e01b884491a63de501f8 +SHA1 (patch-CVE-2014-7156) = 85043bdcf2644227d135f725cb442aade565c9d6 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7154 b/sysutils/xenkernel41/patches/patch-CVE-2014-7154 new file mode 100644 index 00000000000..7ffb89680ae --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2014-7154 
@@ -0,0 +1,34 @@ +$NetBSD: patch-CVE-2014-7154,v 1.1.2.2 2014/09/28 12:07:10 tron Exp $ + +x86/shadow: fix race condition sampling the dirty vram state + +d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held. + +If not, two concurrent hypercalls could both end up attempting to free +dirty_vram (the second of which will free a wild pointer), or both end up +allocating a new dirty_vram structure (the first of which will be leaked). + +This is XSA-104. + +Signed-off-by: Andrew Cooper +Reviewed-by: Tim Deegan + +--- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200 ++++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200 +@@ -3640,7 +3640,7 @@ + int flush_tlb = 0; + unsigned long i; + p2m_type_t t; +- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram; ++ struct sh_dirty_vram *dirty_vram; + struct p2m_domain *p2m = p2m_get_hostp2m(d); + + if (end_pfn < begin_pfn +@@ -3649,6 +3649,7 @@ + return -EINVAL; + + shadow_lock(d); ++ dirty_vram = d->arch.hvm_domain.dirty_vram; + + if ( dirty_vram && (!nr || + ( begin_pfn != dirty_vram->begin_pfn diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7155 b/sysutils/xenkernel41/patches/patch-CVE-2014-7155 new file mode 100644 index 00000000000..5d60104f50f --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2014-7155 
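Review bot: The sample of `d->arch.hvm_domain.dirty_vram` is now taken right after `shadow_lock(d)`, but nothing at that line says why the read must not be hoisted back up to the declaration, which is exactly what a later cleanup or rebase is likely to do; I would write it as `dirty_vram = d->arch.hvm_domain.dirty_vram; /* XSA-104: sample only under shadow_lock(), two unlocked callers can double-free or leak it */`. The patch header speaks of the domain's "paging lock" while this 4.1 tree takes `shadow_lock(d)`; a one-line note in the pkgsrc patch comment that shadow_lock is the 4.1 equivalent would stop the backport being mistaken for an incomplete one. The commit moves only this one reader; whether other unlocked readers of `dirty_vram` exist in this tree (for instance a teardown/free path) is not visible here and is worth confirming before calling XSA-104 closed. The enclosing function starts before and continues after the hunk.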
@@ -0,0 +1,39 @@ +$NetBSD: patch-CVE-2014-7155,v 1.1.2.2 2014/09/28 12:07:10 tron Exp $ + +x86/emulate: check cpl for all privileged instructions + +Without this, it is possible for userspace to load its own IDT or GDT. + +This is XSA-105. + +Reported-by: Andrei LUTAS +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +Tested-by: Andrei LUTAS + +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -3314,6 +3314,7 @@ x86_emulate( + goto swint; + + case 0xf4: /* hlt */ ++ generate_exception_if(!mode_ring0(), EXC_GP, 0); + ctxt->retire.flags.hlt = 1; + break; + +@@ -3710,6 +3711,7 @@ x86_emulate( + break; + case 2: /* lgdt */ + case 3: /* lidt */ ++ generate_exception_if(!mode_ring0(), EXC_GP, 0); + generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); + fail_if(ops->write_segment == NULL); + memset(®, 0, sizeof(reg)); +@@ -3738,6 +3740,7 @@ x86_emulate( + case 6: /* lmsw */ + fail_if(ops->read_cr == NULL); + fail_if(ops->write_cr == NULL); ++ generate_exception_if(!mode_ring0(), EXC_GP, 0); + if ( (rc = ops->read_cr(0, &cr0, ctxt)) ) + goto done; + if ( ea.type == OP_REG ) diff --git a/sysutils/xenkernel41/patches/patch-CVE-2014-7156 b/sysutils/xenkernel41/patches/patch-CVE-2014-7156 new file mode 100644 index 00000000000..ca1b429af8f --- /dev/null +++ b/sysutils/xenkernel41/patches/patch-CVE-2014-7156 
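Review bot: In the `lgdt`/`lidt` case the new `generate_exception_if(!mode_ring0(), EXC_GP, 0);` sits before the existing `generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);`, so a ring-3 guest executing the register-encoded form would be handed #GP(0) where, as I read the SDM's exception-priority rules, hardware raises #UD (invalid-opcode faults are detected at decode, before the privilege check). Swapping the two lines keeps the privilege check and matches hardware; this appears to mirror the upstream XSA-105 patch, so it is a fidelity nit rather than a hole and is probably better raised upstream than diverged locally. The `hlt` and `lmsw` placements look right: in both the check precedes any guest-visible state change (`retire.flags.hlt`, `write_cr`). The `x86_emulate` body runs well outside these hunks.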
@@ -0,0 +1,25 @@ +$NetBSD: patch-CVE-2014-7156,v 1.1.2.2 2014/09/28 12:07:10 tron Exp $ + +x86emul: only emulate software interrupt injection for real mode + +Protected mode emulation currently lacks proper privilege checking of +the referenced IDT entry, and there's currently no legitimate way for +any of the respective instructions to reach the emulator when the guest +is in protected mode. + +This is XSA-106. + +Reported-by: Andrei LUTAS +Signed-off-by: Jan Beulich +Acked-by: Keir Fraser + +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -2634,6 +2634,7 @@ x86_emulate( + case 0xcd: /* int imm8 */ + src.val = insn_fetch_type(uint8_t); + swint: ++ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */ + fail_if(ops->inject_sw_interrupt == NULL); + rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip, + ctxt) ? : X86EMUL_EXCEPTION; -- cgit v1.2.3
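Review bot: `fail_if(!in_realmode(ctxt, ops))` turns a protected-mode software interrupt that reaches the emulator into an X86EMUL_UNHANDLEABLE result rather than a fault injected into the guest, and the caller's handling of that result is outside the hunk (in Xen's HVM paths it usually ends in a domain crash, as far as I recall). That is a reasonable fail-closed choice given the header's statement that no legitimate protected-mode path reaches here, but the bare `/* XSA-106 */` marker does not say so; I would expand it to `/* XSA-106: IDT privilege checks for protected mode are not implemented here, so refuse to emulate rather than inject */`. The `swint` label is also reached via `goto swint` from the other software-interrupt cases (one such jump is visible in the XSA-105 patch context), so the guard covers them all, which is worth a word in the same comment. `in_realmode()` itself is not in the hunk; if it tests only CR0.PE, virtual-8086 mode is correctly rejected as protected mode too, and stating that would save the next reader the lookup.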