aboutsummaryrefslogtreecommitdiffstats
path: root/emulators
diff options
context:
space:
mode:
authorbapt <bapt@FreeBSD.org>2015-06-12 02:08:41 +0800
committerbapt <bapt@FreeBSD.org>2015-06-12 02:08:41 +0800
commitfa932a58bc660c742aa384010415d37260d44b96 (patch)
tree18f5812b2d56e7557585361a5df2fc8350d6ec99 /emulators
parent87edd8832e741567363a2c71c6e5f7d87c0f44c6 (diff)
downloadfreebsd-ports-gnome-fa932a58bc660c742aa384010415d37260d44b96.tar.gz
freebsd-ports-gnome-fa932a58bc660c742aa384010415d37260d44b96.tar.zst
freebsd-ports-gnome-fa932a58bc660c742aa384010415d37260d44b96.zip
Fix plenty of security issues
Security: XSA-117 / CVE-2015-0268 Security: XSA-118 / CVE-2015-1563 Security: XSA-121 / CVE-2015-2044 Security: XSA-122 / CVE-2015-2045 Security: XSA-123 / CVE-2015-2151 Security: XSA-125 / CVE-2015-2752 Security: XSA-127 / CVE-2015-2751 Security: XSA-132 / CVE-2015-3340 Security: XSA-134 / CVE-2015-4163 Security: XSA-136 / CVE-2015-4164
Diffstat (limited to 'emulators')
-rw-r--r--emulators/xen-kernel/Makefile15
-rw-r--r--emulators/xen-kernel/files/xsa117.patch42
-rw-r--r--emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch253
-rw-r--r--emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch115
-rw-r--r--emulators/xen-kernel/files/xsa121.patch51
-rw-r--r--emulators/xen-kernel/files/xsa122.patch40
-rw-r--r--emulators/xen-kernel/files/xsa123.patch24
-rw-r--r--emulators/xen-kernel/files/xsa125.patch71
-rw-r--r--emulators/xen-kernel/files/xsa127-4.x.patch50
-rw-r--r--emulators/xen-kernel/files/xsa132.patch29
-rw-r--r--emulators/xen-kernel/files/xsa134.patch23
-rw-r--r--emulators/xen-kernel/files/xsa136.patch19
12 files changed, 730 insertions, 2 deletions
diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index 6d6e39a39a06..949064b0d708 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -3,7 +3,7 @@
PORTNAME= xen
PKGNAMESUFFIX= -kernel
PORTVERSION= 4.5.0
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
@@ -25,7 +25,18 @@ ALL_TARGET= build
STRIP= #
WRKSRC_SUBDIR= xen
EXTRA_PATCHES= ${FILESDIR}/iommu_share_p2m_table.patch:-p2 \
- ${FILESDIR}/0001-x86-pvh-disable-posted-interrupts.patch:-p2
+ ${FILESDIR}/0001-x86-pvh-disable-posted-interrupts.patch:-p2 \
+ ${FILESDIR}/xsa117.patch:-p2 \
+ ${FILESDIR}/xsa118-4.5-unstable-1.patch:-p2 \
+ ${FILESDIR}/xsa118-4.5-unstable-2.patch:-p2 \
+ ${FILESDIR}/xsa121.patch:-p2 \
+ ${FILESDIR}/xsa122.patch:-p2 \
+ ${FILESDIR}/xsa123.patch:-p2 \
+ ${FILESDIR}/xsa125.patch:-p2 \
+ ${FILESDIR}/xsa127-4.x.patch:-p2 \
+ ${FILESDIR}/xsa132.patch:-p2 \
+ ${FILESDIR}/xsa134.patch:-p2 \
+ ${FILESDIR}/xsa136.patch:-p2
.include <bsd.port.options.mk>
diff --git a/emulators/xen-kernel/files/xsa117.patch b/emulators/xen-kernel/files/xsa117.patch
new file mode 100644
index 000000000000..aa04fe45c07b
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa117.patch
@@ -0,0 +1,42 @@
+From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Fri, 23 Jan 2015 14:15:07 +0000
+Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI
+ target mode is invalid
+
+The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
+
+Even if it's an invalid value, a malicious guest could write this value
+and threfore crash the hypervisor.
+
+Replace the BUG() by logging the error and inject a data abort to the guest.
+
+This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7
+"xen/arm: split vgic driver into generic and vgic-v2 driver".
+
+This is CVE-2015-0268 / XSA-117.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 598bf06..9dc9a20 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
+ sgi_mode = SGI_TARGET_SELF;
+ break;
+ default:
+- BUG();
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
++ v, sgir);
++ return 0;
+ }
+
+ return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
+--
+2.1.4
+
diff --git a/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch b/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch
new file mode 100644
index 000000000000..a714c8306e21
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch
@@ -0,0 +1,253 @@
+From e698f4ab05a710e4463317ea978d426d43107e27 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Mon, 19 Jan 2015 14:01:09 +0000
+Subject: [PATCH 1/2] xen/arm: vgic-v3: message in the emulation code should be
+ rate-limited
+
+printk by default is not rate-limited by default. Therefore a malicious guest
+may be able to flood the Xen console.
+
+If we use gdprintk, unnecessary information will be printed such as the
+filename and the line. Instead use XENLOG_G_{ERR,DEBUG} combine with %pv.
+
+Also remove the vGICv3 prefix which is not neccessary and update some
+message which were wrong.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v3.c | 109 +++++++++++++++++++++++++++----------------------
+ 1 file changed, 61 insertions(+), 48 deletions(-)
+
+diff --git a/xen/arch/arm/vgic-v3.c b/xen/arch/arm/vgic-v3.c
+index ae4482c..bece189 100644
+--- a/xen/arch/arm/vgic-v3.c
++++ b/xen/arch/arm/vgic-v3.c
+@@ -168,13 +168,14 @@ static int __vgic_v3_rdistr_rd_mmio_read(struct vcpu *v, mmio_info_t *info,
+ /* Reserved0 */
+ goto read_as_zero;
+ default:
+- printk("vGICv3: vGICR: read r%d offset %#08x\n not found",
+- dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: read r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+ bad_width:
+- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR "%pv vGICR: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -244,12 +245,14 @@ static int __vgic_v3_rdistr_rd_mmio_write(struct vcpu *v, mmio_info_t *info,
+ /* RO */
+ goto write_ignore;
+ default:
+- printk("vGICR: write r%d offset %#08x\n not found", dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR "%pv: vGICR: write r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+ bad_width:
+- printk("vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+- dabt.size, dabt.reg, *r, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -345,15 +348,16 @@ static int __vgic_v3_distr_common_mmio_read(struct vcpu *v, mmio_info_t *info,
+ vgic_unlock_rank(v, rank, flags);
+ return 1;
+ default:
+- printk("vGICv3: vGICD/vGICR: unhandled read r%d offset %#08x\n",
+- dabt.reg, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: unhandled read r%d offset %#08x\n",
++ v, dabt.reg, reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR,
+- "vGICv3: vGICD/vGICR: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -458,15 +462,16 @@ static int __vgic_v3_distr_common_mmio_write(struct vcpu *v, mmio_info_t *info,
+ vgic_unlock_rank(v, rank, flags);
+ return 1;
+ default:
+- printk("vGICv3: vGICD/vGICR: unhandled write r%d "
+- "=%"PRIregister" offset %#08x\n", dabt.reg, *r, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: unhandled write r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.reg, *r, reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR,
+- "vGICv3: vGICD/vGICR: bad write width %d r%d=%"PRIregister" "
+- "offset %#08x\n", dabt.size, dabt.reg, *r, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -521,13 +526,14 @@ static int vgic_v3_rdistr_sgi_mmio_read(struct vcpu *v, mmio_info_t *info,
+ if ( dabt.size != DABT_WORD ) goto bad_width;
+ return 1;
+ default:
+- printk("vGICv3: vGICR: read r%d offset %#08x\n not found",
+- dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: SGI: read r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+ bad_width:
+- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR "%pv: vGICR: SGI: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -585,14 +591,16 @@ static int vgic_v3_rdistr_sgi_mmio_write(struct vcpu *v, mmio_info_t *info,
+ /* We do not implement security extensions for guests, write ignore */
+ goto write_ignore;
+ default:
+- printk("vGICv3: vGICR SGI: write r%d offset %#08x\n not found",
+- dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: SGI: write r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICR SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+- dabt.size, dabt.reg, *r, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -618,9 +626,9 @@ static int vgic_v3_rdistr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) )
+ return vgic_v3_rdistr_sgi_mmio_read(v, info, (offset - SZ_64K));
+ else
+- gdprintk(XENLOG_WARNING,
+- "vGICv3: vGICR: unknown gpa read address %"PRIpaddr"\n",
+- info->gpa);
++ printk(XENLOG_G_WARNING
++ "%pv: vGICR: unknown gpa read address %"PRIpaddr"\n",
++ v, info->gpa);
+
+ return 0;
+ }
+@@ -642,9 +650,9 @@ static int vgic_v3_rdistr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) )
+ return vgic_v3_rdistr_sgi_mmio_write(v, info, (offset - SZ_64K));
+ else
+- gdprintk(XENLOG_WARNING,
+- "vGICV3: vGICR: unknown gpa write address %"PRIpaddr"\n",
+- info->gpa);
++ printk(XENLOG_G_WARNING
++ "%pv: vGICR: unknown gpa write address %"PRIpaddr"\n",
++ v, info->gpa);
+
+ return 0;
+ }
+@@ -770,18 +778,19 @@ static int vgic_v3_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ case 0xf30 ... 0x5fcc:
+ case 0x8000 ... 0xbfcc:
+ /* These are reserved register addresses */
+- printk("vGICv3: vGICD: read unknown 0x00c .. 0xfcc r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: RAZ on reserved register offset %#08x\n",
++ v, gicd_reg);
+ goto read_as_zero;
+ default:
+- printk("vGICv3: vGICD: unhandled read r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
++ v, dabt.reg, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR, "vGICv3: vGICD: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -840,8 +849,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ case 0x020 ... 0x03c:
+ case 0xc000 ... 0xffcc:
+ /* Implementation defined -- write ignored */
+- printk("vGICv3: vGICD: write unknown 0x020 - 0x03c r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: WI on implementation defined register offset %#08x\n",
++ v, gicd_reg);
+ goto write_ignore;
+ case GICD_IGROUPR ... GICD_IGROUPRN:
+ case GICD_ISENABLER ... GICD_ISENABLERN:
+@@ -885,8 +895,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ new_target = new_irouter & MPIDR_AFF0_MASK;
+ if ( new_target >= v->domain->max_vcpus )
+ {
+- printk("vGICv3: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x",
+- gicd_reg, new_target, v->domain->max_vcpus);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x",
++ v, gicd_reg, new_target, v->domain->max_vcpus);
+ vgic_unlock_rank(v, rank, flags);
+ return 0;
+ }
+@@ -926,19 +937,21 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ case 0xf30 ... 0x5fcc:
+ case 0x8000 ... 0xbfcc:
+ /* Reserved register addresses */
+- printk("vGICv3: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n",
++ v, dabt.reg, gicd_reg);
+ goto write_ignore;
+ default:
+- printk("vGICv3: vGICD: unhandled write r%d=%"PRIregister" "
+- "offset %#08x\n", dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.reg, *r, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR,
+- "VGICv3: vGICD: bad write width %d r%d=%"PRIregister" "
+- "offset %#08x\n", dabt.size, dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+--
+2.1.4
+
diff --git a/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch b/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch
new file mode 100644
index 000000000000..621b739b4a55
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch
@@ -0,0 +1,115 @@
+From e8fa469595e29b2dbe6dde3a77ee2ea2d9e93283 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Mon, 19 Jan 2015 12:59:42 +0000
+Subject: [PATCH 2/2] xen/arm: vgic-v2: message in the emulation code should be
+ rate-limited
+
+printk is not rated-limited by default. Therefore a malicious guest may
+be able to flood the Xen console.
+
+If we use gdprintk, unecessary information will be printed such as the
+filename and the line. Instead use XENLOG_G_ERR combine with %pv.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 40 +++++++++++++++++++++++-----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 9dc9a20..3b87f54 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -198,7 +198,7 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_ICPIDR2:
+ if ( dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled read from ICPIDR2\n");
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v);
+ return 0;
+
+ /* Implementation defined -- read as zero */
+@@ -215,14 +215,14 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ goto read_as_zero;
+
+ default:
+- printk("vGICD: unhandled read r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
++ v, dabt.reg, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICD: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -331,14 +331,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_ISPENDR ... GICD_ISPENDRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
+ return 0;
+
+ case GICD_ICPENDR ... GICD_ICPENDRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
+ return 0;
+
+ case GICD_ISACTIVER ... GICD_ISACTIVERN:
+@@ -457,14 +459,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_CPENDSGIR ... GICD_CPENDSGIRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
+ return 0;
+
+ case GICD_SPENDSGIR ... GICD_SPENDSGIRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
+ return 0;
+
+ /* Implementation defined -- write ignored */
+@@ -489,14 +493,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ goto write_ignore;
+
+ default:
+- printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
+- dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.reg, *r, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+- dabt.size, dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+--
+2.1.4
+
diff --git a/emulators/xen-kernel/files/xsa121.patch b/emulators/xen-kernel/files/xsa121.patch
new file mode 100644
index 000000000000..f3d1397d6daf
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa121.patch
@@ -0,0 +1,51 @@
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/hvm/i8254.c
++++ b/xen/arch/x86/hvm/i8254.c
+@@ -486,6 +486,7 @@ static int handle_pit_io(
+ if ( bytes != 1 )
+ {
+ gdprintk(XENLOG_WARNING, "PIT bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/pmtimer.c
++++ b/xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+ if ( bytes != 4 )
+ {
+ gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/rtc.c
++++ b/xen/arch/x86/hvm/rtc.c
+@@ -703,7 +703,8 @@ static int handle_rtc_io(
+
+ if ( bytes != 1 )
+ {
+- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/vpic.c
++++ b/xen/arch/x86/hvm/vpic.c
+@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
+ if ( bytes != 1 )
+ {
+ gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
diff --git a/emulators/xen-kernel/files/xsa122.patch b/emulators/xen-kernel/files/xsa122.patch
new file mode 100644
index 000000000000..1e58965b54dd
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa122.patch
@@ -0,0 +1,40 @@
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_extraversion:
+ {
+ xen_extraversion_t extraversion;
++
++ memset(extraversion, 0, sizeof(extraversion));
+ safe_strcpy(extraversion, xen_extra_version());
+ if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+ return -EFAULT;
+@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_compile_info:
+ {
+ struct xen_compile_info info;
++
++ memset(&info, 0, sizeof(info));
+ safe_strcpy(info.compiler, xen_compiler());
+ safe_strcpy(info.compile_by, xen_compile_by());
+ safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_changeset:
+ {
+ xen_changeset_info_t chgset;
++
++ memset(chgset, 0, sizeof(chgset));
+ safe_strcpy(chgset, xen_changeset());
+ if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+ return -EFAULT;
diff --git a/emulators/xen-kernel/files/xsa123.patch b/emulators/xen-kernel/files/xsa123.patch
new file mode 100644
index 000000000000..653996d31788
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa123.patch
@@ -0,0 +1,24 @@
+x86emul: fully ignore segment override for register-only operations
+
+For ModRM encoded instructions with register operands we must not
+overwrite ea.mem.seg (if a - bogus in that case - segment override was
+present) as it aliases with ea.reg.
+
+This is CVE-2015-2151 / XSA-123.
+
+Reported-by: Felix Wilhelm <fwilhelm@ernw.de>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+Reviewed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1757,7 +1757,7 @@ x86_emulate(
+ }
+ }
+
+- if ( override_seg != -1 )
++ if ( override_seg != -1 && ea.type == OP_MEM )
+ ea.mem.seg = override_seg;
+
+ /* Early operand adjustments. */
diff --git a/emulators/xen-kernel/files/xsa125.patch b/emulators/xen-kernel/files/xsa125.patch
new file mode 100644
index 000000000000..ac35ca5f548e
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa125.patch
@@ -0,0 +1,71 @@
+From 98670acc98cad5aee0e0714694a64d3b96675c36 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 19 Nov 2014 12:57:11 -0500
+Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to only process up
+ to 64 GFNs (or less)
+
+Said hypercall for large BARs can take quite a while. As such
+we can require that the hypercall MUST break up the request
+in smaller values.
+
+Another approach is to add preemption to it - whether we do the
+preemption using hypercall_create_continuation or returning
+EAGAIN to userspace (and have it re-invocate the call) - either
+way the issue we cannot easily solve is that in 'map_mmio_regions'
+if we encounter an error we MUST call 'unmap_mmio_regions' for the
+whole BAR region.
+
+Since the preemption would re-use input fields such as nr_mfns,
+first_gfn, first_mfn - we would lose the original values -
+and only undo what was done in the current round (i.e. ignoring
+anything that was done prior to earlier preemptions).
+
+Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but
+that puts a limit (since the return value is a long) on the amount
+of nr_mfns that can provided.
+
+This patch sidesteps this problem by:
+ - Setting an hard limit of nr_mfns having to be 64 or less.
+ - Toolstack adjusts correspondingly to the nr_mfn limit.
+ - If the there is an error when adding the toolstack will call the
+ remove operation to remove the whole region.
+
+The need to break this hypercall down is for large BARs can take
+more than the guest (initial domain usually) time-slice. This has
+the negative result in that the guest is locked out for a long
+duration and is unable to act on any pending events.
+
+We also augment the code to return zero if nr_mfns instead
+of trying to the hypercall.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+[v50: Simplify loop]
+[v51: If max_batch_sz 1 (or less) we would return zero. Fix that]
+[v52: Handle nr_mfns being zero]
+[v53: Fix up return value]
+---
+ tools/libxc/xc_domain.c | 46 +++++++++++++++++++++++++++++++++++++++++----
+ xen/common/domctl.c | 5 +++++
+ xen/include/public/domctl.h | 1 +
+ 3 files changed, 48 insertions(+), 4 deletions(-)
+
+diff --git a/xen/common/domctl.c b/xen/common/domctl.c
+index d396cc4..c2e60a7 100644
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -1027,6 +1027,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
+ (gfn + nr_mfns - 1) < gfn ) /* wrap? */
+ break;
+
++ ret = -E2BIG;
++ /* Must break hypercall up as this could take a while. */
++ if ( nr_mfns > 64 )
++ break;
++
+ ret = -EPERM;
+ if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ||
+ !iomem_access_permitted(d, mfn, mfn_end) )
diff --git a/emulators/xen-kernel/files/xsa127-4.x.patch b/emulators/xen-kernel/files/xsa127-4.x.patch
new file mode 100644
index 000000000000..463b1ddf774a
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa127-4.x.patch
@@ -0,0 +1,50 @@
+domctl: don't allow a toolstack domain to call domain_pause() on itself
+
+These DOMCTL subops were accidentally declared safe for disaggregation
+in the wake of XSA-77.
+
+This is XSA-127.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -888,6 +888,10 @@ long arch_do_domctl(
+ {
+ xen_guest_tsc_info_t info;
+
++ ret = -EINVAL;
++ if ( d == current->domain ) /* no domain_pause() */
++ break;
++
+ domain_pause(d);
+ tsc_get_info(d, &info.tsc_mode,
+ &info.elapsed_nsec,
+@@ -903,6 +907,10 @@ long arch_do_domctl(
+
+ case XEN_DOMCTL_settscinfo:
+ {
++ ret = -EINVAL;
++ if ( d == current->domain ) /* no domain_pause() */
++ break;
++
+ domain_pause(d);
+ tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
+ domctl->u.tsc_info.info.elapsed_nsec,
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -522,8 +522,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
+
+ case XEN_DOMCTL_resumedomain:
+ {
+- domain_resume(d);
+- ret = 0;
++ if ( d == current->domain ) /* no domain_pause() */
++ ret = -EINVAL;
++ else
++ domain_resume(d);
+ }
+ break;
+
diff --git a/emulators/xen-kernel/files/xsa132.patch b/emulators/xen-kernel/files/xsa132.patch
new file mode 100644
index 000000000000..321c87bf62d5
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa132.patch
@@ -0,0 +1,29 @@
+domctl/sysctl: don't leak hypervisor stack to toolstacks
+
+This is XSA-132.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -884,7 +884,7 @@ long arch_do_domctl(
+
+ case XEN_DOMCTL_gettscinfo:
+ {
+- xen_guest_tsc_info_t info;
++ xen_guest_tsc_info_t info = { 0 };
+
+ ret = -EINVAL;
+ if ( d == current->domain ) /* no domain_pause() */
+--- a/xen/common/sysctl.c
++++ b/xen/common/sysctl.c
+@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
+ case XEN_SYSCTL_getdomaininfolist:
+ {
+ struct domain *d;
+- struct xen_domctl_getdomaininfo info;
++ struct xen_domctl_getdomaininfo info = { 0 };
+ u32 num_domains = 0;
+
+ rcu_read_lock(&domlist_read_lock);
diff --git a/emulators/xen-kernel/files/xsa134.patch b/emulators/xen-kernel/files/xsa134.patch
new file mode 100644
index 000000000000..16b93ac59f65
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa134.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
+
+... avoiding NULL derefs when the version to use wasn't set yet (via
+GNTTABOP_setup_table or GNTTABOP_set_version).
+
+This is XSA-134.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -2592,6 +2592,9 @@ __gnttab_swap_grant_ref(grant_ref_t ref_
+
+ spin_lock(&gt->lock);
+
++ if ( gt->gt_version == 0 )
++ PIN_FAIL(out, GNTST_general_error, "grant table not yet set up\n");
++
+ /* Bounds check on the grant refs */
+ if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
diff --git a/emulators/xen-kernel/files/xsa136.patch b/emulators/xen-kernel/files/xsa136.patch
new file mode 100644
index 000000000000..fda3fa238902
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa136.patch
@@ -0,0 +1,19 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/traps: loop in the correct direction in compat_iret()
+
+This is XSA-136.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/traps.c
++++ b/xen/arch/x86/x86_64/compat/traps.c
+@@ -119,7 +119,7 @@ unsigned int compat_iret(void)
+ }
+ else if ( ksp > regs->_esp )
+ {
+- for (i = 9; i > 0; ++i)
++ for ( i = 9; i > 0; --i )
+ {
+ rc |= __get_user(x, (u32 *)regs->rsp + i);
+ rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);