From 4d1b39dd65801d1bc5a4cfb75cfa813b73cfd32c Mon Sep 17 00:00:00 2001 From: drochner Date: Wed, 12 Sep 2012 11:04:17 +0000 Subject: update to 4.1.3 also add security patches from upstream (for CVE-2012-3497, no patches are available yet) changes: -fixes for vulnerabilities were integrated -many bug fixes and improvements, Highlights are: -Updates for the latest Intel/AMD CPU revisions -Bug fixes for IOMMU handling (device passthrough to HVM guests) approved by maintainer --- sysutils/xenkernel41/Makefile | 5 +- sysutils/xenkernel41/distinfo | 15 ++- sysutils/xenkernel41/patches/patch-CVE-2012-3432 | 15 --- sysutils/xenkernel41/patches/patch-CVE-2012-3433 | 15 --- sysutils/xenkernel41/patches/patch-CVE-2012-3494 | 15 +++ sysutils/xenkernel41/patches/patch-CVE-2012-3496 | 16 +++ sysutils/xenkernel41/patches/patch-CVE-2012-3498 | 47 ++++++++ .../xenkernel41/patches/patch-xsa7-xsa8-xen-4.1 | 124 --------------------- sysutils/xenkernel41/patches/patch-xsa9-xen-4.1 | 48 -------- 9 files changed, 87 insertions(+), 213 deletions(-) delete mode 100644 sysutils/xenkernel41/patches/patch-CVE-2012-3432 delete mode 100644 sysutils/xenkernel41/patches/patch-CVE-2012-3433 create mode 100644 sysutils/xenkernel41/patches/patch-CVE-2012-3494 create mode 100644 sysutils/xenkernel41/patches/patch-CVE-2012-3496 create mode 100644 sysutils/xenkernel41/patches/patch-CVE-2012-3498 delete mode 100644 sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1 delete mode 100644 sysutils/xenkernel41/patches/patch-xsa9-xen-4.1 (limited to 'sysutils') diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index be039f25fd6..bcccf43cf98 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile 
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.11 2012/08/10 09:59:47 drochner Exp $
+# $NetBSD: Makefile,v 1.12 2012/09/12 11:04:17 drochner Exp $
 #
-VERSION= 4.1.2
+VERSION= 4.1.3
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 4
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
 EXTRACT_SUFX= .tar.gz
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index b04ad13c858..71f0f48a2a0 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,11 +1,10 @@
-$NetBSD: distinfo,v 1.9 2012/08/10 09:59:47 drochner Exp $
+$NetBSD: distinfo,v 1.10 2012/09/12 11:04:17 drochner Exp $
-SHA1 (xen-4.1.2.tar.gz) = db584cb0a0cc614888d7df3b196d514fdb2edd6e
-RMD160 (xen-4.1.2.tar.gz) = 457797ec4be286afbbcad940a9ce04e44f3f40d6
-Size (xen-4.1.2.tar.gz) = 10365786 bytes
-SHA1 (patch-CVE-2012-3432) = e85b1adf1c683a1d086410f0c4265ed72a86d7fb
-SHA1 (patch-CVE-2012-3433) = 51ca4a6427c19dc31ba2bd05e4c09027d52a4ebc
+SHA1 (xen-4.1.3.tar.gz) = 0f688955262d08fba28361ca338f3ad0c0f53d74
+RMD160 (xen-4.1.3.tar.gz) = a6296a16579fd628a1ff2aa64b6b800e4913eeae
+Size (xen-4.1.3.tar.gz) = 10382132 bytes
+SHA1 (patch-CVE-2012-3494) = 166121ce515aaa2f2e399431be3ca7d2496c79c6
+SHA1 (patch-CVE-2012-3496) = c863d3e951d5aaa5659f9e1f38723f8326b8d8b8
+SHA1 (patch-CVE-2012-3498) = 2bb2b40675de498ae9fcc89ba5267b5be4a2c4c1
 SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70
-SHA1 (patch-xsa7-xsa8-xen-4.1) = e48cfd4ae9e7a4d48e059738b3f36074d3982515
-SHA1 (patch-xsa9-xen-4.1) = 4bbefd6426e2a7b36ccecb81cc94dc33af34e4fb
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3432 b/sysutils/xenkernel41/patches/patch-CVE-2012-3432
deleted file mode 100644
index 93740b1034c..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2012-3432
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-CVE-2012-3432,v 1.1 2012/07/27 18:50:34 drochner Exp $
-
-see http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
-
---- xen/arch/x86/hvm/io.c.orig 2012-07-27 18:34:15.000000000 +0000
-+++ xen/arch/x86/hvm/io.c
-@@ -176,6 +176,8 @@ int handle_mmio(void)
-
- rc = hvm_emulate_one(&ctxt);
-
-+ if ( rc != X86EMUL_RETRY )
-+ curr->arch.hvm_vcpu.io_state = HVMIO_none;
- if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
- curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
- else
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3433 b/sysutils/xenkernel41/patches/patch-CVE-2012-3433
deleted file mode 100644
index b43a309b338..00000000000
--- a/sysutils/xenkernel41/patches/patch-CVE-2012-3433
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-CVE-2012-3433,v 1.1 2012/08/10 09:59:47 drochner Exp $
-
-see http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html
-
---- xen/arch/x86/mm/p2m.c.orig 2011-10-20 17:05:48.000000000 +0000
-+++ xen/arch/x86/mm/p2m.c
-@@ -2043,6 +2043,8 @@ void p2m_teardown(struct p2m_domain *p2m
- #ifdef __x86_64__
- for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )
- {
-+ if ( atomic_read(&d->shr_pages) == 0 )
-+ break;
- mfn = p2m->get_entry(p2m, gfn, &t, &a, p2m_query);
- if ( mfn_valid(mfn) && (t == p2m_ram_shared) )
- BUG_ON(mem_sharing_unshare_page(p2m, gfn, MEM_SHARING_DESTROY_GFN));
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3494 b/sysutils/xenkernel41/patches/patch-CVE-2012-3494
new file mode 100644
index 00000000000..9699fd59024
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3494
@@ -0,0 +1,15 @@
+$NetBSD: patch-CVE-2012-3494,v 1.1 2012/09/12 11:04:17 drochner Exp $
+
+see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00181.html
+
+--- xen/include/asm-x86/debugreg.h.orig 2012-08-10 13:51:52.000000000 +0000
++++ xen/include/asm-x86/debugreg.h
+@@ -58,7 +58,7 @@
+ We can slow the instruction pipeline for instructions coming via the
+ gdt or the ldt if we want to. I am not sure why this is an advantage */
+
+-#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
++#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
+ #define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */
+ #define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */
+ #define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3496 b/sysutils/xenkernel41/patches/patch-CVE-2012-3496
new file mode 100644
index 00000000000..3bd7c50a1cf
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3496
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2012-3496,v 1.1 2012/09/12 11:04:17 drochner Exp $
+
+see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html
+
+--- xen/arch/x86/mm/p2m.c.orig 2012-08-10 13:51:45.000000000 +0000
++++ xen/arch/x86/mm/p2m.c
+@@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(st
+ int pod_count = 0;
+ int rc = 0;
+
+- BUG_ON(!paging_mode_translate(d));
++ if ( !paging_mode_translate(d) )
++ return -EINVAL;
+
+ rc = gfn_check_limit(d, gfn, order);
+ if ( rc != 0 )
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2012-3498 b/sysutils/xenkernel41/patches/patch-CVE-2012-3498
new file mode 100644
index 00000000000..66f1622a53c
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2012-3498
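Review bot: The new DR_CONTROL_RESERVED_ZERO value is width-dependent and the patch file records nothing but a mailing-list URL, so a later maintainer cannot tell what it is meant to do: on a 64-bit build `~0xffff27fful` sets bits 11, 12, 14, 15 and all of 32–63, while on a 32-bit build (`unsigned long` of 32 bits) it evaluates to exactly the old `0x0000d800ul`, so the patch is a no-op there. A one-line description above the `---` line would make that auditable, e.g. `CVE-2012-3494: treat DR7 bits 32-63 as reserved-zero as well (the old mask covered only bits 11,12,14,15); identical to the old value on 32-bit builds`. Which code consults the mask is not visible in this hunk, presumably the debug-register write path, so it is worth confirming that the comparison there is done on the full 64-bit value rather than on a truncated int.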
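Review bot: The added `return -EINVAL` exits guest_physmap_mark_populate_on_demand() with only the `pod_count` and `rc` locals set up, so as far as the hunk shows no lock or counter is left behind, but the function starts and ends outside the hunk and the full body should be checked for anything acquired before the check that an early return would now skip. The patch file carries only a URL; a one-line description such as `CVE-2012-3496: a domain not in translate mode reached a hypervisor BUG_ON() here; refuse the request with -EINVAL instead` would record what it closes. Whether the caller passes that -EINVAL back to the guest rather than ignoring it is not visible here.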
@@ -0,0 +1,47 @@
+$NetBSD: patch-CVE-2012-3498,v 1.1 2012/09/12 11:04:18 drochner Exp $
+
+contains patch for CVE-2012-3495
+see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00187.html
+and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html
+
+--- xen/arch/x86/physdev.c.orig 2012-09-12 09:41:55.000000000 +0000
++++ xen/arch/x86/physdev.c
+@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
+ struct hvm_girq_dpci_mapping *girq;
+ uint32_t machine_gsi = 0;
+
++ if ( map->index < 0 || map->index >= NR_HVM_IRQS )
++ {
++ ret = -EINVAL;
++ break;
++ }
++
+ /* find the machine gsi corresponding to the
+ * emulated gsi */
+ hvm_irq_dpci = domain_get_irq_dpci(d);
+ if ( hvm_irq_dpci )
+ {
++ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
+ list_for_each_entry ( girq,
+ &hvm_irq_dpci->girq[map->index],
+ list )
+@@ -587,11 +594,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+ break;
+
+ spin_lock(&d->event_lock);
+- out.pirq = get_free_pirq(d, out.type, 0);
+- d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
++ ret = get_free_pirq(d, out.type, 0);
++ if ( ret >= 0 )
++ d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
+ spin_unlock(&d->event_lock);
+
+- ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ if ( ret >= 0 )
++ {
++ out.pirq = ret;
++ ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ }
+
+ rcu_unlock_domain(d);
+ break;
diff --git a/sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1 b/sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1
deleted file mode 100644
index 63d5f482731..00000000000
--- a/sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1
+++ /dev/null
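Review bot: The file is named after CVE-2012-3498 but its second inner hunk, the `get_free_pirq` block in do_physdev_op(), is the CVE-2012-3495 fix, recorded only in a free-text header line, and distinfo will carry just the one name. Splitting it into `patch-CVE-2012-3495` (the do_physdev_op hunk) and `patch-CVE-2012-3498` (the physdev_hvm_map_pirq hunk), each with a one-line description of what it closes, keeps the package auditable against each advisory on its own. In the first inner hunk the new `ret = -EINVAL; break;` depends on an enclosing switch or loop and on `ret` being what the function finally returns, both of which lie outside the hunk, so the error actually reaching the caller should be confirmed in the full function; the `map->index < 0` test is only a real bound check if `map->index` is signed, which the hunk does not show. Both patched functions start and end outside the hunk.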
@@ -1,124 +0,0 @@ -$NetBSD: patch-xsa7-xsa8-xen-4.1,v 1.1 2012/06/19 20:17:06 bouyer Exp $ - -diff -r 35248be669e7 xen/arch/x86/x86_64/asm-offsets.c ---- xen/arch/x86/x86_64/asm-offsets.c.orig Mon May 14 16:59:12 2012 +0100 -+++ xen/arch/x86/x86_64/asm-offsets.c Thu May 24 11:12:33 2012 +0100 -@@ -90,6 +90,8 @@ void __dummy__(void) - arch.guest_context.trap_ctxt[TRAP_gp_fault].address); - OFFSET(VCPU_gp_fault_sel, struct vcpu, - arch.guest_context.trap_ctxt[TRAP_gp_fault].cs); -+ OFFSET(VCPU_gp_fault_flags, struct vcpu, -+ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags); - OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp); - OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss); - OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags); -diff -r 35248be669e7 xen/arch/x86/x86_64/compat/entry.S ---- xen/arch/x86/x86_64/compat/entry.S.orig Mon May 14 16:59:12 2012 +0100 -+++ xen/arch/x86/x86_64/compat/entry.S Thu May 24 11:12:33 2012 +0100 -@@ -214,6 +214,7 @@ 1: call compat_create_bounce_frame - ENTRY(compat_post_handle_exception) - testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx) - jz compat_test_all_events -+.Lcompat_bounce_exception: - call compat_create_bounce_frame - movb $0,TRAPBOUNCE_flags(%rdx) - jmp compat_test_all_events -@@ -226,19 +227,20 @@ ENTRY(compat_syscall) - leaq VCPU_trap_bounce(%rbx),%rdx - testl $~3,%esi - leal (,%rcx,TBF_INTERRUPT),%ecx -- jz 2f --1: movq %rax,TRAPBOUNCE_eip(%rdx) -+UNLIKELY_START(z, compat_syscall_gpf) -+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -+ subl $2,UREGS_rip(%rsp) -+ movl $0,TRAPBOUNCE_error_code(%rdx) -+ movl VCPU_gp_fault_addr(%rbx),%eax -+ movzwl VCPU_gp_fault_sel(%rbx),%esi -+ testb $4,VCPU_gp_fault_flags(%rbx) -+ setnz %cl -+ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx -+UNLIKELY_END(compat_syscall_gpf) -+ movq %rax,TRAPBOUNCE_eip(%rdx) - movw %si,TRAPBOUNCE_cs(%rdx) - movb %cl,TRAPBOUNCE_flags(%rdx) -- call compat_create_bounce_frame -- jmp 
compat_test_all_events --2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -- subl $2,UREGS_rip(%rsp) -- movq VCPU_gp_fault_addr(%rbx),%rax -- movzwl VCPU_gp_fault_sel(%rbx),%esi -- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl -- movl $0,TRAPBOUNCE_error_code(%rdx) -- jmp 1b -+ jmp .Lcompat_bounce_exception - - ENTRY(compat_sysenter) - cmpl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -diff -r 35248be669e7 xen/arch/x86/x86_64/entry.S ---- xen/arch/x86/x86_64/entry.S.orig Mon May 14 16:59:12 2012 +0100 -+++ xen/arch/x86/x86_64/entry.S Thu May 24 11:12:33 2012 +0100 -@@ -40,6 +40,13 @@ restore_all_guest: - testw $TRAP_syscall,4(%rsp) - jz iret_exit_to_guest - -+ /* Don't use SYSRET path if the return address is not canonical. */ -+ movq 8(%rsp),%rcx -+ sarq $47,%rcx -+ incl %ecx -+ cmpl $1,%ecx -+ ja .Lforce_iret -+ - addq $8,%rsp - popq %rcx # RIP - popq %r11 # CS -@@ -50,6 +57,10 @@ restore_all_guest: - sysretq - 1: sysretl - -+.Lforce_iret: -+ /* Mimic SYSRET behavior. */ -+ movq 8(%rsp),%rcx # RIP -+ movq 24(%rsp),%r11 # RFLAGS - ALIGN - /* No special register assumptions. 
*/ - iret_exit_to_guest: -@@ -278,19 +289,21 @@ sysenter_eflags_saved: - leaq VCPU_trap_bounce(%rbx),%rdx - testq %rax,%rax - leal (,%rcx,TBF_INTERRUPT),%ecx -- jz 2f --1: movq VCPU_domain(%rbx),%rdi -+UNLIKELY_START(z, sysenter_gpf) -+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -+ subq $2,UREGS_rip(%rsp) -+ movl %eax,TRAPBOUNCE_error_code(%rdx) -+ movq VCPU_gp_fault_addr(%rbx),%rax -+ testb $4,VCPU_gp_fault_flags(%rbx) -+ setnz %cl -+ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx -+UNLIKELY_END(sysenter_gpf) -+ movq VCPU_domain(%rbx),%rdi - movq %rax,TRAPBOUNCE_eip(%rdx) - movb %cl,TRAPBOUNCE_flags(%rdx) - testb $1,DOMAIN_is_32bit_pv(%rdi) - jnz compat_sysenter -- call create_bounce_frame -- jmp test_all_events --2: movl %eax,TRAPBOUNCE_error_code(%rdx) -- movq VCPU_gp_fault_addr(%rbx),%rax -- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl -- movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -- jmp 1b -+ jmp .Lbounce_exception - - ENTRY(int80_direct_trap) - pushq $0 -@@ -482,6 +495,7 @@ 1: movq %rsp,%rdi - jnz compat_post_handle_exception - testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx) - jz test_all_events -+.Lbounce_exception: - call create_bounce_frame - movb $0,TRAPBOUNCE_flags(%rdx) - jmp test_all_events diff --git a/sysutils/xenkernel41/patches/patch-xsa9-xen-4.1 b/sysutils/xenkernel41/patches/patch-xsa9-xen-4.1 deleted file mode 100644 index 87cf4fe73db..00000000000 --- a/sysutils/xenkernel41/patches/patch-xsa9-xen-4.1 +++ /dev/null 
@@ -1,48 +0,0 @@
-$NetBSD: patch-xsa9-xen-4.1,v 1.1 2012/06/19 20:17:06 bouyer Exp $
-
-x86-64: detect processors subject to AMD erratum #121 and refuse to boot
-
-Processors with this erratum are subject to a DoS attack by unprivileged
-guest users.
-
-This is XSA-9 / CVE-2006-0744.
-
-Signed-off-by: Jan Beulich
-Signed-off-by: Ian Campbell
-
---- xen/arch/x86/cpu/amd.c.orig
-+++ xen/arch/x86/cpu/amd.c
-@@ -32,6 +32,9 @@
- static char opt_famrev[14];
- string_param("cpuid_mask_cpu", opt_famrev);
-
-+static int opt_allow_unsafe;
-+boolean_param("allow_unsafe", opt_allow_unsafe);
-+
- static inline void wrmsr_amd(unsigned int index, unsigned int lo,
- unsigned int hi)
- {
-@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
- clear_bit(X86_FEATURE_MCE, c->x86_capability);
-
- #ifdef __x86_64__
-+ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
-+ panic("Xen will not boot on this CPU for security reasons.\n"
-+ "Pass \"allow_unsafe\" if you're trusting all your"
-+ " (PV) guest kernels.\n");
-+
- /* AMD CPUs do not support SYSENTER outside of legacy mode. */
- clear_bit(X86_FEATURE_SEP, c->x86_capability);
-
---- xen/include/asm-x86/amd.h.orig
-+++ xen/include/asm-x86/amd.h
-@@ -127,6 +127,9 @@
- #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
- #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
-
-+#define AMD_ERRATUM_121 \
-+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
-+
- #define AMD_ERRATUM_170 \
- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
-
-- cgit v1.2.3