From 6f6105ba29bb3f198296851162bf994c31d6b2a3 Mon Sep 17 00:00:00 2001 From: drochner Date: Sat, 23 Nov 2013 14:04:59 +0000 Subject: add patch from upstream to fix lock order inversion possibly leading to deadlock (CVE-2013-4494) bump PKGREV --- sysutils/xenkernel41/Makefile | 4 +- sysutils/xenkernel41/distinfo | 3 +- sysutils/xenkernel41/patches/patch-CVE-2013-4494 | 80 ++++++++++++++++++++++++ 3 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 sysutils/xenkernel41/patches/patch-CVE-2013-4494 (limited to 'sysutils') diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile index 41aaf8d4e15..59219cd8fa3 100644 --- a/sysutils/xenkernel41/Makefile +++ b/sysutils/xenkernel41/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.27 2013/10/22 19:41:58 drochner Exp $ +# $NetBSD: Makefile,v 1.28 2013/11/23 14:04:59 drochner Exp $ # VERSION= 4.1.6.1 DISTNAME= xen-${VERSION} PKGNAME= xenkernel41-${VERSION} -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo index f559145ebc6..c494318d881 100644 --- a/sysutils/xenkernel41/distinfo +++ b/sysutils/xenkernel41/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.21 2013/10/22 19:41:58 drochner Exp $ +$NetBSD: distinfo,v 1.22 2013/11/23 14:04:59 drochner Exp $ SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 
@@ -10,6 +10,7 @@ SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
 SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
+SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4494 b/sysutils/xenkernel41/patches/patch-CVE-2013-4494
new file mode 100644
index 00000000000..c7818907f27
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4494
@@ -0,0 +1,80 @@
+$NetBSD: patch-CVE-2013-4494,v 1.1 2013/11/23 14:04:59 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg00225.html
+
+--- xen/common/grant_table.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/common/grant_table.c 2013-11-19 16:46:13.000000000 +0000
+@@ -1459,6 +1459,8 @@ gnttab_transfer(
+
+ for ( i = 0; i < count; i++ )
+ {
++ bool_t okay;
++
+ if (i && hypercall_preempt_check())
+ return i;
+
+@@ -1555,16 +1557,18 @@ gnttab_transfer(
+ * pages when it is dying.
+ */
+ if ( unlikely(e->is_dying) ||
+- unlikely(e->tot_pages >= e->max_pages) ||
+- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
++ unlikely(e->tot_pages >= e->max_pages) )
+ {
+- if ( !e->is_dying )
+- gdprintk(XENLOG_INFO, "gnttab_transfer: "
+- "Transferee has no reservation "
+- "headroom (%d,%d) or provided a bad grant ref (%08x) "
+- "or is dying (%d)\n",
+- e->tot_pages, e->max_pages, gop.ref, e->is_dying);
+ spin_unlock(&e->page_alloc_lock);
++
++ if ( e->is_dying )
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) is dying\n", e->domain_id);
++ else
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) has no headroom (tot %u, max %u)\n",
++ e->domain_id, e->tot_pages, e->max_pages);
++
+ rcu_unlock_domain(e);
+ page->count_info &= ~(PGC_count_mask|PGC_allocated);
+ free_domheap_page(page);
+@@ -1575,6 +1579,37 @@ gnttab_transfer(
+ /* Okay, add the page to 'e'. */
+ if ( unlikely(e->tot_pages++ == 0) )
+ get_knownalive_domain(e);
++
++ /*
++ * We must drop the lock to avoid a possible deadlock in
++ * gnttab_prepare_for_transfer. We have reserved a page in e so can
++ * safely drop the lock and re-aquire it later to add page to the
++ * pagelist.
++ */
++ spin_unlock(&e->page_alloc_lock);
++ okay = gnttab_prepare_for_transfer(e, d, gop.ref);
++ spin_lock(&e->page_alloc_lock);
++
++ if ( unlikely(!okay) || unlikely(e->is_dying) )
++ {
++ bool_t drop_dom_ref = (e->tot_pages-- == 1);
++
++ spin_unlock(&e->page_alloc_lock);
++
++ if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) is now dying\n", e->domain_id);
++
++ if ( drop_dom_ref )
++ put_domain(e);
++ rcu_unlock_domain(e);
++
++ page->count_info &= ~(PGC_count_mask|PGC_allocated);
++ free_domheap_page(page);
++ gop.status = GNTST_general_error;
++ goto copyback;
++ }
++
+ page_list_add_tail(page, &e->page_list);
+ page_set_owner(page, e);
+
-- cgit v1.2.3
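Review bot: The comment added above `spin_unlock(&e->page_alloc_lock)` in the third inner hunk (`@@ -1575,6 +1579,37 @@`) explains why the lock may be dropped, but not what has to be re-validated once it is taken again, and that is the part a later edit is most likely to break. While the lock is released, state that was checked under it earlier can change, which is why the new `if` tests `e->is_dying` a second time and undoes the `tot_pages` reservation, including the `put_domain(e)` when the count returns to zero. I would add a sentence such as `* State checked under the lock above (e->is_dying) may be stale once it is re-taken and is re-checked below.` and correct the spelling `re-aquire` to `re-acquire`, preferably upstream so this pkgsrc patch stays identical to the referenced xen-devel posting. The body of gnttab_transfer starts and ends outside the hunks shown.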