From aae11fec1d0a7d8e2a7826395d6cb8be2312d119 Mon Sep 17 00:00:00 2001 From: royger Date: Tue, 5 Jan 2016 10:06:07 +0000 Subject: xen: fix XSAs Add the following XSA patches: 159, 160, 162, 165, 166. Security: CVE-2015-8339 Security: CVE-2015-8340 Security: CVE-2015-8341 Security: CVE-2015-7504 Security: CVE-2015-8555 PR: 205841 MFH: 2016Q1 Sponsored by: Citrix Systems R&D Requested by: junovitch Reviewed by: junovitch Differential revision: https://reviews.freebsd.org/D4783
---
emulators/xen-kernel/Makefile | 7 ++- emulators/xen-kernel/files/xsa159.patch | 47 ++++++++++++++++ emulators/xen-kernel/files/xsa165-4.5.patch | 85 +++++++++++++++++++++++++++++ emulators/xen-kernel/files/xsa166-4.5.patch | 44 +++++++++++++++ emulators/xen/Makefile | 1 + 5 files changed, 183 insertions(+), 1 deletion(-) create mode 100644 emulators/xen-kernel/files/xsa159.patch create mode 100644 emulators/xen-kernel/files/xsa165-4.5.patch create mode 100644 emulators/xen-kernel/files/xsa166-4.5.patch (limited to 'emulators')
diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index c5cf67dc3100..0beaeb325168 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -3,6 +3,7 @@ PORTNAME= xen PKGNAMESUFFIX= -kernel PORTVERSION= 4.5.2 +PORTREVISION= 1 CATEGORIES= emulators MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
@@ -30,7 +31,11 @@ EXTRA_PATCHES= ${FILESDIR}/0001-introduce-a-helper-to-allocate-non-contiguous-me ${FILESDIR}/0005-x86-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p2 \ ${FILESDIR}/0006-xen-pvh-enable-mmu_update-hypercall.patch:-p2 \ ${FILESDIR}/0007-iommu-fix-usage-of-shared-EPT-IOMMU-page-tables-on-P.patch:-p2 \
- ${FILESDIR}/xsa156-4.5.patch:-p2
+ ${FILESDIR}/xsa156-4.5.patch:-p2 \
+ ${FILESDIR}/xsa159.patch:-p2 \
+ ${FILESDIR}/xsa165-4.5.patch:-p2 \
+ ${FILESDIR}/xsa166-4.5.patch:-p2
+ .include
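Review bot: The EXTRA_PATCHES hunk adds xsa159, xsa165 and xsa166 only, while the commit message claims XSA-160 and XSA-162 too; nothing in this listing carries those two, and since the view is limited to 'emulators' they are presumably applied in a port outside it. Someone auditing CVE coverage against this hunk cannot tell which port closes which advisory, so a comment beside the list would help, e.g. `# XSA-160 and XSA-162 are applied in <PORT-THAT-CARRIES-THEM>` with the real port name filled in. The trailing `+` before `.include` reads as an empty added line; if so it is harmless but worth dropping to keep the list tidy.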
diff --git a/emulators/xen-kernel/files/xsa159.patch b/emulators/xen-kernel/files/xsa159.patch
new file mode 100644
index 000000000000..5e4e20c43f16
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa159.patch
@@ -0,0 +1,47 @@
+memory: fix XENMEM_exchange error handling
+
+assign_pages() can fail due to the domain getting killed in parallel,
+which should not result in a hypervisor crash.
+
+Also delete a redundant put_gfn() - all relevant paths leading to the
+"fail" label already do this (and there are also paths where it was
+plain wrong). All of the put_gfn()-s got introduced by 51032ca058
+("Modify naming of queries into the p2m"), including the otherwise
+unneeded initializer for k (with even a kind of misleading comment -
+the compiler warning could actually have served as a hint that the use
+is wrong).
+
+This is XSA-159.
+
+Reported-by: Julien Grall
+Signed-off-by: Jan Beulich
+Acked-by: Ian Campbell
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA
+ PAGE_LIST_HEAD(out_chunk_list);
+ unsigned long in_chunk_order, out_chunk_order;
+ xen_pfn_t gpfn, gmfn, mfn;
+- unsigned long i, j, k = 0; /* gcc ... */
++ unsigned long i, j, k;
+ unsigned int memflags = 0;
+ long rc = 0;
+ struct domain *d;
+@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA
+ fail:
+ /* Reassign any input pages we managed to steal. */
+ while ( (page = page_list_remove_head(&in_chunk_list)) )
+- {
+- put_gfn(d, gmfn + k--);
+ if ( assign_pages(d, page, 0, MEMF_no_refcount) )
+- BUG();
+- }
++ {
++ BUG_ON(!d->is_dying);
++ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++ put_page(page);
++ }
+
+ dying:
+ rcu_unlock_domain(d);
diff --git a/emulators/xen-kernel/files/xsa165-4.5.patch b/emulators/xen-kernel/files/xsa165-4.5.patch
new file mode 100644
index 000000000000..b0909e49b890
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa165-4.5.patch
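Review bot: `BUG_ON(!d->is_dying)` in the new fail-path block encodes an invariant the code itself does not state: assign_pages() is expected to fail here only because the domain is being torn down concurrently (the patch header says so), and any other failure still crashes the hypervisor. A one-line comment above it, `/* assign_pages() only fails once the domain is dying; anything else is a bug. */`, stops the next reader from taking the BUG_ON for a leftover of the old unconditional BUG(). The first hunk drops the `k = 0` initializer while the remaining reads of `k` lie outside the hunk, so it cannot be confirmed from here that no path into the fail label still touches `k`; it follows only if the removed `put_gfn(d, gmfn + k--)` was the last such use, as the header claims. memory_exchange() starts and ends outside both hunks.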
@@ -0,0 +1,85 @@
+x86: don't leak ST(n)/XMMn values to domains first using them
+
+FNINIT doesn't alter these registers, and hence using it is
+insufficient to initialize a guest's initial state.
+
+This is XSA-165.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -798,6 +798,17 @@ int arch_set_info_guest(
+ if ( v->arch.xsave_area )
+ v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE;
+ }
++ else if ( v->arch.xsave_area )
++ memset(&v->arch.xsave_area->xsave_hdr, 0,
++ sizeof(v->arch.xsave_area->xsave_hdr));
++ else
++ {
++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++ memset(fpu_sse, 0, sizeof(*fpu_sse));
++ fpu_sse->fcw = FCW_DEFAULT;
++ fpu_sse->mxcsr = MXCSR_DEFAULT;
++ }
+
+ if ( !compat )
+ {
+--- a/xen/arch/x86/i387.c
++++ b/xen/arch/x86/i387.c
+@@ -17,19 +17,6 @@
+ #include
+ #include
+
+-static void fpu_init(void)
+-{
+- unsigned long val;
+-
+- asm volatile ( "fninit" );
+- if ( cpu_has_xmm )
+- {
+- /* load default value into MXCSR control/status register */
+- val = MXCSR_DEFAULT;
+- asm volatile ( "ldmxcsr %0" : : "m" (val) );
+- }
+-}
+-
+ /*******************************/
+ /* FPU Restore Functions */
+ /*******************************/
+@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *
+
+ if ( cpu_has_xsave )
+ fpu_xrstor(v, XSTATE_LAZY);
+- else if ( v->fpu_initialised )
+- {
+- if ( cpu_has_fxsr )
+- fpu_fxrstor(v);
+- else
+- fpu_frstor(v);
+- }
+ else
+- fpu_init();
++ fpu_fxrstor(v);
+
+ v->fpu_initialised = 1;
+ v->fpu_dirtied = 1;
+@@ -317,7 +297,14 @@ int vcpu_init_fpu(struct vcpu *v)
+ else
+ {
+ v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
+- if ( !v->arch.fpu_ctxt )
++ if ( v->arch.fpu_ctxt )
++ {
++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++ fpu_sse->fcw = FCW_DEFAULT;
++ fpu_sse->mxcsr = MXCSR_DEFAULT;
++ }
++ else
+ {
+ rc = -ENOMEM;
+ goto done;
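Review bot: In the vcpu_restore_fpu_lazy() hunk the non-xsave path now always calls fpu_fxrstor(v); the former cpu_has_fxsr / fpu_frstor distinction and the fpu_init() fallback are both gone, so the new code silently assumes FXSR is always available. That holds because Xen's x86 build at this version is 64-bit only and FXSR is architectural on x86-64, but the backport carries no comment saying so; `/* FXSR is architectural on x86-64, so fxrstor is always usable here. */` above the new `fpu_fxrstor(v)` would document it. The other half of the fix is in vcpu_init_fpu(): the _xzalloc()'d fpu_ctxt now gets fcw/mxcsr defaults up front, so the first restore loads a zeroed, well-formed state instead of whatever a previous user left in ST(n)/XMMn (which, as the header says, fninit does not touch) — that is what closes the leak. Both enclosing functions start and end outside the hunks.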
diff --git a/emulators/xen-kernel/files/xsa166-4.5.patch b/emulators/xen-kernel/files/xsa166-4.5.patch
new file mode 100644
index 000000000000..60bdbf428459
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa166-4.5.patch
@@ -0,0 +1,44 @@
+x86/HVM: avoid reading ioreq state more than once
+
+Otherwise, especially when the compiler chooses to translate the
+switch() to a jump table, unpredictable behavior (and in the jump table
+case arbitrary code execution) can result.
+
+This is XSA-166.
+
+Signed-off-by: Jan Beulich
+Acked-by: Ian Campbell
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -400,23 +400,23 @@ bool_t hvm_io_pending(struct vcpu *v)
+
+ static bool_t hvm_wait_for_io(struct hvm_ioreq_vcpu *sv, ioreq_t *p)
+ {
++ unsigned int state;
++
+ /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */
+- while ( p->state != STATE_IOREQ_NONE )
++ while ( (state = p->state) != STATE_IOREQ_NONE )
+ {
+- switch ( p->state )
++ rmb();
++ switch ( state )
+ {
+ case STATE_IORESP_READY: /* IORESP_READY -> NONE */
+- rmb(); /* see IORESP_READY /then/ read contents of ioreq */
+ hvm_io_assist(p);
+ break;
+ case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
+ case STATE_IOREQ_INPROCESS:
+- wait_on_xen_event_channel(sv->ioreq_evtchn,
+- (p->state != STATE_IOREQ_READY) &&
+- (p->state != STATE_IOREQ_INPROCESS));
++ wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state);
+ break;
+ default:
+- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
++ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
+ domain_crash(sv->vcpu->domain);
+ return 0; /* bail */
+ }
diff --git a/emulators/xen/Makefile b/emulators/xen/Makefile
index f0c8f433a685..a5bea14f6c57 100644
--- a/emulators/xen/Makefile
+++ b/emulators/xen/Makefile
@@ -2,6 +2,7 @@ PORTNAME= xen PORTVERSION= 4.5.2 +PORTREVISION= 1 CATEGORIES= emulators MAINTAINER= royger@FreeBSD.org
-- cgit
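Review bot: The new code snapshots `p->state` once into `state` and drives the switch from the copy, but `wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state)` on the new side still re-reads the shared field; that is acceptable because it is only a wake-up predicate, not a dispatch value, and a comment would keep a future cleanup from undoing the single-read discipline: `/* p->state is re-read here only as a wake-up condition; all dispatch uses the snapshot in 'state'. */`. The double-read hazard the header describes exists because the ioreq presumably sits in memory another party can rewrite between reads, so the same read-once-then-act rule applies to every other field of `*p` that hvm_io_assist(p) consumes, which lies outside this hunk. Hoisting rmb() above the switch also makes the barrier cover all cases rather than only IORESP_READY, and `%u` now matches the `unsigned int` argument. hvm_wait_for_io() continues past the end of the hunk.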