From 9f2b9403f4052a072845f2075a4e1699b4f48e53 Mon Sep 17 00:00:00 2001 From: spz Date: Thu, 28 Jul 2016 13:54:43 +0000 Subject: Pullup ticket #5071 - requested by bouyer sysutils/xenkernel42: security patch Revisions pulled up: - sysutils/xenkernel42/Makefile 1.22 - sysutils/xenkernel42/distinfo 1.20 - sysutils/xenkernel42/patches/patch-XSA-182 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bouyer Date: Tue Jul 26 15:38:00 UTC 2016 Modified Files: pkgsrc/sysutils/xenkernel42: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel42/patches: patch-XSA-182 Log Message: Apply security patch from XSA-182. Bump PKGREVISION xen 4.2 is not vulnerable to XSA-183. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 pkgsrc/sysutils/xenkernel42/Makefile cvs rdiff -u -r1.19 -r1.20 pkgsrc/sysutils/xenkernel42/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel42/patches/patch-XSA-182 --- sysutils/xenkernel42/Makefile | 4 +- sysutils/xenkernel42/distinfo | 3 +- sysutils/xenkernel42/patches/patch-XSA-182 | 91 ++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+), 3 deletions(-) create mode 100644 sysutils/xenkernel42/patches/patch-XSA-182 diff --git a/sysutils/xenkernel42/Makefile b/sysutils/xenkernel42/Makefile index 2eacc900ffc..8a575a0c316 100644 --- a/sysutils/xenkernel42/Makefile +++ b/sysutils/xenkernel42/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.20 2016/01/07 17:53:58 bouyer Exp $ +# $NetBSD: Makefile,v 1.20.4.1 2016/07/28 13:54:43 spz Exp $ VERSION= 4.2.5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel42-${VERSION} -PKGREVISION= 10 +PKGREVISION= 11 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel42/distinfo b/sysutils/xenkernel42/distinfo index d6b758c003f..2ba35a79032 100644 --- a/sysutils/xenkernel42/distinfo +++ b/sysutils/xenkernel42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.19 2016/01/07 17:53:58 bouyer Exp $ +$NetBSD: distinfo,v 1.19.4.1 2016/07/28 13:54:43 spz Exp $ SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19 @@ -26,6 +26,7 @@ SHA1 (patch-CVE-2015-8339) = 080bc4c04ee5ad832756b11a65b1598f12eae97e SHA1 (patch-CVE-2015-8555) = 594f85557efe137fb32a88c0dc589a1318184b66 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 SHA1 (patch-XSA-166) = 24fccf8e30ccf910a128e5e0365800191a90524c +SHA1 (patch-XSA-182) = f0325a6f7c7cc20c3f11367384628dbe25c90b2d SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f diff --git a/sysutils/xenkernel42/patches/patch-XSA-182 b/sysutils/xenkernel42/patches/patch-XSA-182 new file mode 100644 index 00000000000..50da8b26b11 --- /dev/null +++ b/sysutils/xenkernel42/patches/patch-XSA-182 @@ -0,0 +1,91 @@ +$NetBSD: patch-XSA-182,v 1.1.2.2 2016/07/28 13:54:43 spz Exp $ + +backported from: + +From 798c1498f764bfaa7b0b955bab40b01b0610d372 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Mon, 11 Jul 2016 14:32:03 +0100 +Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath + +All changes in writeability and cacheability must go through full +re-validation. + +Rework the logic as a whitelist, to make it clearer to follow. + +This is XSA-182 + +--- xen/arch/x86/mm.c.orig 2016-07-26 16:33:46.000000000 +0200 ++++ xen/arch/x86/mm.c 2016-07-26 16:37:14.000000000 +0200 +@@ -1860,6 +1860,14 @@ + _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \ + (_m), (_v), (_ad)) + ++/* ++ * PTE flags that a guest may change without re-validating the PTE. ++ * All other bits affect translation, caching, or Xen's safety. ++ */ ++#define FASTPATH_FLAG_WHITELIST \ ++ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \ ++ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER) ++ + /* Update the L1 entry at pl1e to new value nl1e. */ + static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e, + unsigned long gl1mfn, int preserve_ad, +@@ -1900,8 +1908,8 @@ + return -EINVAL; + } + +- /* Fast path for identical mapping, r/w and presence. */ +- if ( !l1e_has_changed(ol1e, nl1e, _PAGE_RW | _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings.*/ ++ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l1e(nl1e, pt_dom); + if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, +@@ -1982,11 +1990,8 @@ + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l2e_has_changed(ol2e, nl2e, +- unlikely(opt_allow_superpage) +- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT +- : _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l2e(nl2e, d); + if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) ) +@@ -2051,8 +2056,8 @@ + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l3e(nl3e, d); + rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad); +@@ -2121,8 +2126,8 @@ + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l4e(nl4e, d); + rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad); + +--- xen/include/asm-x86/page.h.orig 2014-09-02 08:22:57.000000000 +0200 ++++ xen/include/asm-x86/page.h 2016-07-26 16:39:51.000000000 +0200 +@@ -332,6 +332,7 @@ + #define _PAGE_AVAIL2 0x800U + #define _PAGE_AVAIL 0xE00U + #define _PAGE_PSE_PAT 0x1000U ++#define _PAGE_AVAIL_HIGH (0x7ffU << 12) + #define _PAGE_PAGED 0x2000U + #define _PAGE_SHARED 0x4000U + -- cgit v1.2.3