aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--emulators/xen-kernel/Makefile7
-rw-r--r--emulators/xen-kernel/files/xsa159.patch47
-rw-r--r--emulators/xen-kernel/files/xsa165-4.5.patch85
-rw-r--r--emulators/xen-kernel/files/xsa166-4.5.patch44
-rw-r--r--emulators/xen/Makefile1
-rw-r--r--sysutils/xen-tools/Makefile8
-rw-r--r--sysutils/xen-tools/files/xsa160-4.6.patch69
-rw-r--r--sysutils/xen-tools/files/xsa162-qemuu.patch42
8 files changed, 301 insertions, 2 deletions
diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index c5cf67dc3100..0beaeb325168 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -3,6 +3,7 @@
PORTNAME= xen
PKGNAMESUFFIX= -kernel
PORTVERSION= 4.5.2
+PORTREVISION= 1
CATEGORIES= emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
@@ -30,7 +31,11 @@ EXTRA_PATCHES= ${FILESDIR}/0001-introduce-a-helper-to-allocate-non-contiguous-me
${FILESDIR}/0005-x86-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p2 \
${FILESDIR}/0006-xen-pvh-enable-mmu_update-hypercall.patch:-p2 \
${FILESDIR}/0007-iommu-fix-usage-of-shared-EPT-IOMMU-page-tables-on-P.patch:-p2 \
- ${FILESDIR}/xsa156-4.5.patch:-p2
+ ${FILESDIR}/xsa156-4.5.patch:-p2 \
+ ${FILESDIR}/xsa159.patch:-p2 \
+ ${FILESDIR}/xsa165-4.5.patch:-p2 \
+ ${FILESDIR}/xsa166-4.5.patch:-p2
+
.include <bsd.port.options.mk>
diff --git a/emulators/xen-kernel/files/xsa159.patch b/emulators/xen-kernel/files/xsa159.patch
new file mode 100644
index 000000000000..5e4e20c43f16
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa159.patch
@@ -0,0 +1,47 @@
+memory: fix XENMEM_exchange error handling
+
+assign_pages() can fail due to the domain getting killed in parallel,
+which should not result in a hypervisor crash.
+
+Also delete a redundant put_gfn() - all relevant paths leading to the
+"fail" label already do this (and there are also paths where it was
+plain wrong). All of the put_gfn()-s got introduced by 51032ca058
+("Modify naming of queries into the p2m"), including the otherwise
+unneeded initializer for k (with even a kind of misleading comment -
+the compiler warning could actually have served as a hint that the use
+is wrong).
+
+This is XSA-159.
+
+Reported-by: Julien Grall <julien.grall@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA
+ PAGE_LIST_HEAD(out_chunk_list);
+ unsigned long in_chunk_order, out_chunk_order;
+ xen_pfn_t gpfn, gmfn, mfn;
+- unsigned long i, j, k = 0; /* gcc ... */
++ unsigned long i, j, k;
+ unsigned int memflags = 0;
+ long rc = 0;
+ struct domain *d;
+@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA
+ fail:
+ /* Reassign any input pages we managed to steal. */
+ while ( (page = page_list_remove_head(&in_chunk_list)) )
+- {
+- put_gfn(d, gmfn + k--);
+ if ( assign_pages(d, page, 0, MEMF_no_refcount) )
+- BUG();
+- }
++ {
++ BUG_ON(!d->is_dying);
++ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++ put_page(page);
++ }
+
+ dying:
+ rcu_unlock_domain(d);
diff --git a/emulators/xen-kernel/files/xsa165-4.5.patch b/emulators/xen-kernel/files/xsa165-4.5.patch
new file mode 100644
index 000000000000..b0909e49b890
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa165-4.5.patch
@@ -0,0 +1,85 @@
+x86: don't leak ST(n)/XMMn values to domains first using them
+
+FNINIT doesn't alter these registers, and hence using it is
+insufficient to initialize a guest's initial state.
+
+This is XSA-165.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -798,6 +798,17 @@ int arch_set_info_guest(
+ if ( v->arch.xsave_area )
+ v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE;
+ }
++ else if ( v->arch.xsave_area )
++ memset(&v->arch.xsave_area->xsave_hdr, 0,
++ sizeof(v->arch.xsave_area->xsave_hdr));
++ else
++ {
++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++ memset(fpu_sse, 0, sizeof(*fpu_sse));
++ fpu_sse->fcw = FCW_DEFAULT;
++ fpu_sse->mxcsr = MXCSR_DEFAULT;
++ }
+
+ if ( !compat )
+ {
+--- a/xen/arch/x86/i387.c
++++ b/xen/arch/x86/i387.c
+@@ -17,19 +17,6 @@
+ #include <asm/xstate.h>
+ #include <asm/asm_defns.h>
+
+-static void fpu_init(void)
+-{
+- unsigned long val;
+-
+- asm volatile ( "fninit" );
+- if ( cpu_has_xmm )
+- {
+- /* load default value into MXCSR control/status register */
+- val = MXCSR_DEFAULT;
+- asm volatile ( "ldmxcsr %0" : : "m" (val) );
+- }
+-}
+-
+ /*******************************/
+ /* FPU Restore Functions */
+ /*******************************/
+@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *
+
+ if ( cpu_has_xsave )
+ fpu_xrstor(v, XSTATE_LAZY);
+- else if ( v->fpu_initialised )
+- {
+- if ( cpu_has_fxsr )
+- fpu_fxrstor(v);
+- else
+- fpu_frstor(v);
+- }
+ else
+- fpu_init();
++ fpu_fxrstor(v);
+
+ v->fpu_initialised = 1;
+ v->fpu_dirtied = 1;
+@@ -317,7 +297,14 @@ int vcpu_init_fpu(struct vcpu *v)
+ else
+ {
+ v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
+- if ( !v->arch.fpu_ctxt )
++ if ( v->arch.fpu_ctxt )
++ {
++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++ fpu_sse->fcw = FCW_DEFAULT;
++ fpu_sse->mxcsr = MXCSR_DEFAULT;
++ }
++ else
+ {
+ rc = -ENOMEM;
+ goto done;
diff --git a/emulators/xen-kernel/files/xsa166-4.5.patch b/emulators/xen-kernel/files/xsa166-4.5.patch
new file mode 100644
index 000000000000..60bdbf428459
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa166-4.5.patch
@@ -0,0 +1,44 @@
+x86/HVM: avoid reading ioreq state more than once
+
+Otherwise, especially when the compiler chooses to translate the
+switch() to a jump table, unpredictable behavior (and in the jump table
+case arbitrary code execution) can result.
+
+This is XSA-166.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -400,23 +400,23 @@ bool_t hvm_io_pending(struct vcpu *v)
+
+ static bool_t hvm_wait_for_io(struct hvm_ioreq_vcpu *sv, ioreq_t *p)
+ {
++ unsigned int state;
++
+ /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */
+- while ( p->state != STATE_IOREQ_NONE )
++ while ( (state = p->state) != STATE_IOREQ_NONE )
+ {
+- switch ( p->state )
++ rmb();
++ switch ( state )
+ {
+ case STATE_IORESP_READY: /* IORESP_READY -> NONE */
+- rmb(); /* see IORESP_READY /then/ read contents of ioreq */
+ hvm_io_assist(p);
+ break;
+ case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
+ case STATE_IOREQ_INPROCESS:
+- wait_on_xen_event_channel(sv->ioreq_evtchn,
+- (p->state != STATE_IOREQ_READY) &&
+- (p->state != STATE_IOREQ_INPROCESS));
++ wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state);
+ break;
+ default:
+- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
++ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
+ domain_crash(sv->vcpu->domain);
+ return 0; /* bail */
+ }
diff --git a/emulators/xen/Makefile b/emulators/xen/Makefile
index f0c8f433a685..a5bea14f6c57 100644
--- a/emulators/xen/Makefile
+++ b/emulators/xen/Makefile
@@ -2,6 +2,7 @@
PORTNAME= xen
PORTVERSION= 4.5.2
+PORTREVISION= 1
CATEGORIES= emulators
MAINTAINER= royger@FreeBSD.org
diff --git a/sysutils/xen-tools/Makefile b/sysutils/xen-tools/Makefile
index 3a21eea9700c..c13390465ca5 100644
--- a/sysutils/xen-tools/Makefile
+++ b/sysutils/xen-tools/Makefile
@@ -2,6 +2,7 @@
PORTNAME= xen
PORTVERSION= 4.5.2
+PORTREVISION= 1
CATEGORIES= sysutils emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \
http://code.coreboot.org/p/seabios/downloads/get/:seabios
@@ -47,7 +48,8 @@ QEMU_ARGS= --disable-gtk \
--disable-curl \
--cxx=c++
-EXTRA_PATCHES= ${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1
+EXTRA_PATCHES= ${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1 \
+ ${FILESDIR}/xsa160-4.6.patch:-p1
CONFIGURE_ARGS+= --with-extra-qemuu-configure-args="${QEMU_ARGS}"
SHEBANG_FILES= tools/misc/xencov_split \
@@ -74,6 +76,10 @@ post-patch:
${WRKSRC}/tools/libxl/libxl_dm.c \
${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c \
${WRKSRC}/docs/man/*
+ @for p in ${FILESDIR}/*qemuu*.patch; do \
+ ${ECHO_CMD} "====> Applying $${p##*/}" ; \
+ ${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen ; \
+ done
post-install:
${MKDIR} ${STAGEDIR}/var/run/xen
diff --git a/sysutils/xen-tools/files/xsa160-4.6.patch b/sysutils/xen-tools/files/xsa160-4.6.patch
new file mode 100644
index 000000000000..36db34f2c097
--- /dev/null
+++ b/sysutils/xen-tools/files/xsa160-4.6.patch
@@ -0,0 +1,69 @@
+From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Wed, 18 Nov 2015 15:34:54 +0000
+Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
+ build failure
+
+The bootloader may call libxl__file_reference_map(), which mmap's the
+pv_kernel and pv_ramdisk into process memory. This was only unmapped,
+however, on the success path of libxl__build_pv(). If there were a
+failure anywhere between libxl_bootloader.c:parse_bootloader_result()
+and the end of libxl__build_pv(), the calls to
+libxl__file_reference_unmap() would be skipped, leaking the mapped
+virtual memory.
+
+Ideally this would be fixed by adding the unmap calls to the
+destruction path for libxl__domain_build_state. Unfortunately the
+lifetime of the libxl__domain_build_state is opaque, and it doesn't
+have a proper destruction path. But, the only thing in it that isn't
+from the gc are these bootloader references, and they are only ever
+set for one libxl__domain_build_state, the one which is
+libxl__domain_create_state.build_state.
+
+So we can clean up in the exit path from libxl__domain_create_*, which
+always comes through domcreate_complete.
+
+Remove the now-redundant unmaps in libxl__build_pv's success path.
+
+This is XSA-160.
+
+Signed-off-by: George Dunlap <george.dunlap@citrix.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Tested-by: George Dunlap <george.dunlap@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxl/libxl_create.c | 3 +++
+ tools/libxl/libxl_dom.c | 3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
+index f5771da..278b9ed 100644
+--- a/tools/libxl/libxl_create.c
++++ b/tools/libxl/libxl_create.c
+@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__egc *egc,
+ libxl_domain_config *const d_config = dcs->guest_config;
+ libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
+
++ libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
++ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
++
+ if (!rc && d_config->b_info.exec_ssidref)
+ rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
+
+diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
+index 8019f4e..2da3ac4 100644
+--- a/tools/libxl/libxl_dom.c
++++ b/tools/libxl/libxl_dom.c
+@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid,
+ state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
+ }
+
+- libxl__file_reference_unmap(&state->pv_kernel);
+- libxl__file_reference_unmap(&state->pv_ramdisk);
+-
+ ret = 0;
+ out:
+ xc_dom_release(dom);
+--
+1.7.10.4
+
diff --git a/sysutils/xen-tools/files/xsa162-qemuu.patch b/sysutils/xen-tools/files/xsa162-qemuu.patch
new file mode 100644
index 000000000000..2e3352d88b62
--- /dev/null
+++ b/sysutils/xen-tools/files/xsa162-qemuu.patch
@@ -0,0 +1,42 @@
+net: pcnet: add check to validate receive data size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/pcnet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 3437376..5f55591 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ uint32_t fcs = ~0;
+ uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+ CRC(fcs, *p++);
+ crc_err = (*(uint32_t *)p != htonl(fcs));
+ }
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s)
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+--
+2.4.3
+