Import of pkgsrc-2015Q1

This commit is contained in:
2015-04-22 14:34:26 +02:00
committed by Lionel Sambuc
parent 9a8c06dafb
commit 4af1cdf7a9
25114 changed files with 870550 additions and 795435 deletions


@@ -1,9 +1,9 @@
# $NetBSD: Makefile,v 1.35 2014/03/28 16:07:08 drochner Exp $
# $NetBSD: Makefile,v 1.44 2015/03/10 20:27:16 spz Exp $
VERSION= 4.1.6.1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
PKGREVISION= 8
PKGREVISION= 15
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
@@ -21,7 +21,7 @@ USE_TOOLS+= gmake
PYTHON_FOR_BUILD_ONLY= yes
PY_PATCHPLIST= NO
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of 4.1.6.1
PYTHON_VERSIONS_INCOMPATIBLE= 33 34 # not yet ported as of 4.1.6.1
# XXX Why does this not work?
# See work/xen-4.1.2/Config.mk:41 why PYTHON must be set and what for
@@ -38,7 +38,8 @@ MESSAGE_SUBST+= XENKERNELDIR=${XENKERNELDIR:Q}
EXTRA_CFLAGS+= -Qunused-arguments -no-integrated-as -Wno-error=format \
-Wno-error=parentheses-equality -Wno-error=enum-conversion \
-Wno-error=unused-function \
-Wno-error=tautological-pointer-compare
-Wno-error=tautological-pointer-compare \
-Wno-error=pointer-bool-conversion
.endif
MAKE_ENV+= EXTRA_CFLAGS=${EXTRA_CFLAGS:Q}
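Review bot: The newly appended `-Wno-error=pointer-bool-conversion` in EXTRA_CFLAGS demotes clang's "address of X will always evaluate to true" diagnostic for the entire hypervisor build, and that warning class frequently marks a dead NULL check rather than noise, so it should be demoted with a reason recorded next to it, e.g. `# clang: keep pointer-bool-conversion as a warning only; review the hits in the build log on each VERSION bump`. The `.if` that this `.endif` closes is outside the hunk, so which compiler the flags are scoped to is not visible here. Also visible in the hunk context: MASTER_SITES is plain http, so the integrity of the xen tarball rests entirely on the distinfo checksums.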


@@ -1,10 +1,10 @@
$NetBSD: distinfo,v 1.27 2014/03/28 16:07:08 drochner Exp $
$NetBSD: distinfo,v 1.35 2015/03/10 20:27:16 spz Exp $
SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
SHA1 (patch-CVE-2013-4355_1) = 91fb26907b2ac7d2435a6efce000569b71523247
SHA1 (patch-CVE-2013-4355_1) = 56dde995d7df4f18576040007fd5532de61d9069
SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
@@ -15,6 +15,19 @@ SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d
SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d
SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e
SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145
SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36
SHA1 (patch-CVE-2014-7154) = 5f0541559d911778aa5267bb5c0e1e8a9a3904e2
SHA1 (patch-CVE-2014-7155) = 0f1aa6a5d4fdb8403fc1e01b884491a63de501f8
SHA1 (patch-CVE-2014-7156) = 85043bdcf2644227d135f725cb442aade565c9d6
SHA1 (patch-CVE-2014-8594) = 39d9d220d89c2356fa745dad5bf8c7ef5e8f2516
SHA1 (patch-CVE-2014-8595) = 46bd285b7eb8f2e23984f7917b12af2191bfef80
SHA1 (patch-CVE-2014-8866) = ee0bc3afb767b50e973d6065b84adc7e51949def
SHA1 (patch-CVE-2014-8867) = 576433746660f62b753088a66c5315a1a2ff8f76
SHA1 (patch-CVE-2014-9030) = f52c302585b0f4b074f7562e6b8cddacb26deee4
SHA1 (patch-CVE-2015-2044) = 00d32273d0a9f51927ff94a13f916382c3126e60
SHA1 (patch-CVE-2015-2045) = e1874bbde0cce7db4ee9260440f5280d404027d7
SHA1 (patch-CVE-2015-2151) = aed92f50d162febc3074f7edecaf6ca418d0b42c
SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2


@@ -1,4 +1,4 @@
$NetBSD: patch-CVE-2013-4355_1,v 1.3 2014/03/28 16:07:08 drochner Exp $
$NetBSD: patch-CVE-2013-4355_1,v 1.5 2014/10/01 17:18:22 drochner Exp $
http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
also fixes
@@ -7,10 +7,16 @@ http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html
also fixes
http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
(CVE-2014-2599)
also fixes
http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html
(CVE-2014-3124)
also fixes
http://lists.xenproject.org/archives/html/xen-devel/2014-10/msg00065.html
(CVE-2014-7188)
--- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000
+++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000
@@ -1961,11 +1961,7 @@
--- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000
+++ xen/arch/x86/hvm/hvm.c 2014-10-01 16:40:48.000000000 +0000
@@ -1961,11 +1961,7 @@ void hvm_task_switch(
rc = hvm_copy_from_guest_virt(
&tss, prev_tr.base, sizeof(tss), PFEC_page_present);
@@ -23,7 +29,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
goto out;
eflags = regs->eflags;
@@ -2010,13 +2006,11 @@
@@ -2010,13 +2006,11 @@ void hvm_task_switch(
rc = hvm_copy_from_guest_virt(
&tss, tr.base, sizeof(tss), PFEC_page_present);
@@ -42,7 +48,25 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
goto out;
@@ -2834,7 +2828,7 @@
@@ -2409,7 +2403,7 @@ int hvm_msr_read_intercept(unsigned int
*msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
break;
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
if ( hvm_x2apic_msr_read(v, msr, msr_content) )
goto gp_fault;
break;
@@ -2529,7 +2523,7 @@ int hvm_msr_write_intercept(unsigned int
vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
break;
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
if ( hvm_x2apic_msr_write(v, msr, msr_content) )
goto gp_fault;
break;
@@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg
case 4:
case 2:
hvm_get_segment_register(curr, x86_seg_ss, &sreg);
@@ -51,7 +75,23 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
{
default:
regs->eax = -EPERM;
@@ -3746,7 +3740,7 @@
@@ -3657,13 +3651,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
rc = -EINVAL;
goto param_fail4;
}
- if ( p2m_is_grant(t) )
- {
- gdprintk(XENLOG_WARNING,
- "type for pfn 0x%lx changed to grant while "
- "we were working?\n", pfn);
+ if ( !p2m_is_ram(t) &&
+ (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) )
goto param_fail4;
- }
else
{
nt = p2m_change_type(p2m, pfn, t, memtype[a.hvmmem_type]);
@@ -3746,7 +3736,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
goto param_fail5;
@@ -60,7 +100,7 @@ http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
{
p2m_type_t t;
mfn_t mfn;
@@ -3759,6 +3753,17 @@
@@ -3759,6 +3749,17 @@ long do_hvm_op(unsigned long op, XEN_GUE
p2m_unlock(p2m);
if ( !success )
goto param_fail5;
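Review bot: The reworked do_hvm_op check now accepts a non-RAM pfn only when `p2m_is_hole(t)` holds and the requested type is HVMMEM_mmio_dm, and `p2m_is_hole()` is not defined by this patch but by the separate, unnamed p2m.h patch in this commit, so patch-CVE-2013-4355_1 no longer builds on its own; a header line such as `requires the p2m.h patch adding P2M_HOLE_TYPES/p2m_is_hole()` would record that. The rewrite also drops the old `gdprintk()` for the grant-type race, so a failing HVMOP_set_mem_type now fails silently through param_fail4 — acceptable, but worth stating in the header. The final hunk (`@@ -3759,6 +3749,17 @@`) continues past what is shown here.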


@@ -0,0 +1,24 @@
--- xen/include/asm-x86/p2m.h.orig 2013-09-10 06:42:18.000000000 +0000
+++ xen/include/asm-x86/p2m.h 2014-04-30 13:11:30.000000000 +0000
@@ -134,6 +134,13 @@ typedef enum {
| p2m_to_mask(p2m_ram_paging_in) \
| p2m_to_mask(p2m_ram_shared))
+/* Types that represent a physmap hole. */
+#define P2M_HOLE_TYPES (p2m_to_mask(p2m_mmio_dm) \
+ | p2m_to_mask(p2m_invalid) \
+ | p2m_to_mask(p2m_ram_paging_in_start) \
+ | p2m_to_mask(p2m_ram_paging_in) \
+ | p2m_to_mask(p2m_ram_paged))
+
/* Grant mapping types, which map to a real machine frame in another
* VM */
#define P2M_GRANT_TYPES (p2m_to_mask(p2m_grant_map_rw) \
@@ -170,6 +177,7 @@ typedef enum {
/* Useful predicates */
#define p2m_is_ram(_t) (p2m_to_mask(_t) & P2M_RAM_TYPES)
+#define p2m_is_hole(_t) (p2m_to_mask(_t) & P2M_HOLE_TYPES)
#define p2m_is_mmio(_t) (p2m_to_mask(_t) & P2M_MMIO_TYPES)
#define p2m_is_readonly(_t) (p2m_to_mask(_t) & P2M_RO_TYPES)
#define p2m_is_magic(_t) (p2m_to_mask(_t) & P2M_MAGIC_TYPES)
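Review bot: This patch file has no `$NetBSD$` RCS id and no upstream reference line, whereas every other patch in the directory opens with `$NetBSD: patch-CVE-… $` followed by the xen-devel URL, so its provenance and the advisory it belongs to are not recoverable from the file. It introduces `P2M_HOLE_TYPES` and `p2m_is_hole()`, on which the reworked `do_hvm_op` check in patch-CVE-2013-4355_1 depends, so the two must be applied together; given the 2014-04-30 timestamp and the distinfo entry for patch-CVE-2014-3124, this is presumably that patch — confirm. Suggest prefixing the file with `$NetBSD$` and `http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html (CVE-2014-3124)`.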


@@ -0,0 +1,26 @@
$NetBSD: patch-CVE-2014-4021,v 1.1 2014/06/18 13:47:08 drochner Exp $
http://lists.xenproject.org/archives/html/xen-devel/2014-06/msg02095.html
--- xen/common/page_alloc.c.orig 2013-09-10 06:42:18.000000000 +0000
+++ xen/common/page_alloc.c 2014-06-18 10:36:33.000000000 +0000
@@ -1123,7 +1123,10 @@ void free_xenheap_pages(void *v, unsigne
pg = virt_to_page(v);
for ( i = 0; i < (1u << order); i++ )
+ {
+ scrub_one_page(&pg[i]);
pg[i].count_info &= ~PGC_xen_heap;
+ }
free_heap_pages(pg, order);
}
@@ -1290,6 +1293,8 @@ void free_domheap_pages(struct page_info
else
{
/* Freeing anonymous domain-heap pages. */
+ for ( i = 0; i < (1 << order); i++ )
+ scrub_one_page(&pg[i]);
free_heap_pages(pg, order);
drop_dom_ref = 0;
}
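Review bot: The loop added in free_domheap_pages uses `1 << order` while the loop in free_xenheap_pages directly above uses `1u << order`; with `order` unsigned the signed form is harmless in practice, but the two should match, `for ( i = 0; i < (1u << order); i++ )`. The new loop relies on `i` already being declared in free_domheap_pages (the hunk adds no declaration) — confirm, since the function head is outside the hunk. Scrubbing every freed xenheap and anonymous domheap page is now unconditional, which is presumably the point of the fix (freed contents must not reach the next owner), so the cost is accepted.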


@@ -0,0 +1,34 @@
$NetBSD: patch-CVE-2014-7154,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86/shadow: fix race condition sampling the dirty vram state
d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
If not, two concurrent hypercalls could both end up attempting to free
dirty_vram (the second of which will free a wild pointer), or both end up
allocating a new dirty_vram structure (the first of which will be leaked).
This is XSA-104.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200
+++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200
@@ -3640,7 +3640,7 @@
int flush_tlb = 0;
unsigned long i;
p2m_type_t t;
- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+ struct sh_dirty_vram *dirty_vram;
struct p2m_domain *p2m = p2m_get_hostp2m(d);
if (end_pfn < begin_pfn
@@ -3649,6 +3649,7 @@
return -EINVAL;
shadow_lock(d);
+ dirty_vram = d->arch.hvm_domain.dirty_vram;
if ( dirty_vram && (!nr ||
( begin_pfn != dirty_vram->begin_pfn
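Review bot: The description says dirty_vram must be read with "the domain's paging lock held", but the 4.1 code in the hunk takes `shadow_lock(d)`; a line in the header, `In 4.1 the shadow lock is the equivalent of the paging lock.`, would save the next backporter from looking for a paging_lock() call. Moving the read below the early `return -EINVAL` is fine because dirty_vram is not used before it. The function continues beyond the hunk, so whether every later use of dirty_vram stays under the lock is not visible here.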


@@ -0,0 +1,39 @@
$NetBSD: patch-CVE-2014-7155,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86/emulate: check cpl for all privileged instructions
Without this, it is possible for userspace to load its own IDT or GDT.
This is XSA-105.
Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Andrei LUTAS <vlutas@bitdefender.com>
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -3314,6 +3314,7 @@ x86_emulate(
goto swint;
case 0xf4: /* hlt */
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
ctxt->retire.flags.hlt = 1;
break;
@@ -3710,6 +3711,7 @@ x86_emulate(
break;
case 2: /* lgdt */
case 3: /* lidt */
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
fail_if(ops->write_segment == NULL);
memset(&reg, 0, sizeof(reg));
@@ -3738,6 +3740,7 @@ x86_emulate(
case 6: /* lmsw */
fail_if(ops->read_cr == NULL);
fail_if(ops->write_cr == NULL);
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
goto done;
if ( ea.type == OP_REG )
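Review bot: In the lmsw case the new `generate_exception_if(!mode_ring0(), EXC_GP, 0);` sits after the two `fail_if(ops->… == NULL)` checks, so with a missing hook a ring-3 lmsw yields X86EMUL_UNHANDLEABLE instead of #GP, whereas the lgdt/lidt case checks privilege first; moving the line above the two `fail_if`s makes the three cases consistent. Whether the other ring-0-only opcodes handled by x86_emulate (mov to/from CRn/DRn, invlpg, wrmsr and the like) already carry a `mode_ring0()` check is outside the hunk — worth confirming, since the description claims "all privileged instructions".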


@@ -0,0 +1,25 @@
$NetBSD: patch-CVE-2014-7156,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86emul: only emulate software interrupt injection for real mode
Protected mode emulation currently lacks proper privilege checking of
the referenced IDT entry, and there's currently no legitimate way for
any of the respective instructions to reach the emulator when the guest
is in protected mode.
This is XSA-106.
Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2634,6 +2634,7 @@ x86_emulate(
case 0xcd: /* int imm8 */
src.val = insn_fetch_type(uint8_t);
swint:
+ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
fail_if(ops->inject_sw_interrupt == NULL);
rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
ctxt) ? : X86EMUL_EXCEPTION;
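Review bot: The added `fail_if(!in_realmode(ctxt, ops));` makes every protected-mode entry to `swint:` return X86EMUL_UNHANDLEABLE, which covers the `goto swint` from the preceding case (into/int3, presumably) as well as `int imm8`; the trailing `/* XSA-106 */` would be more useful stating why, e.g. `/* XSA-106: protected-mode IDT privilege checks are not implemented here. */`. How the HVM caller reacts to UNHANDLEABLE (inject #GP or crash the domain) is outside the hunk, and the description rests on no legitimate protected-mode path reaching this code.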


@@ -0,0 +1,27 @@
$NetBSD: patch-CVE-2014-8594,v 1.1 2014/11/27 15:36:02 bouyer Exp $
x86: don't allow page table updates on non-PV page tables in do_mmu_update()
paging_write_guest_entry() and paging_cmpxchg_guest_entry() aren't
consistently supported for non-PV guests (they'd deref NULL for PVH or
non-HAP HVM ones). Don't allow respective MMU_* operations on the
page tables of such domains.
This is XSA-109.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/mm.c.orig 2014-11-27 15:21:15.000000000 +0100
+++ xen/arch/x86/mm.c 2014-11-27 15:26:06.000000000 +0100
@@ -3695,6 +3695,10 @@
{
p2m_type_t p2mt;
+ rc = -EOPNOTSUPP;
+ if ( unlikely(paging_mode_refcounts(pt_owner)) )
+ break;
+
rc = xsm_mmu_normal_update(d, pg_owner, req.val);
if ( rc )
break;
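Review bot: The new refcounts check is made on `pt_owner` while the XSM check on the next line takes `pg_owner`; that is correct (the page-table pages being updated belong to pt_owner) but reads like a mistake without a comment, e.g. `/* paging_{write,cmpxchg}_guest_entry() only exist for PV page tables; pt_owner is who owns the PT being updated. */`. Assigning `rc = -EOPNOTSUPP` before the `break` presumes the loop's break path reports rc to the caller — the loop is outside the hunk.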


@@ -0,0 +1,158 @@
$NetBSD: patch-CVE-2014-8595,v 1.1 2014/11/27 15:36:02 bouyer Exp $
x86emul: enforce privilege level restrictions when loading CS
Privilege level checks were basically missing for the CS case, the
only check that was done (RPL == DPL for nonconforming segments)
was solely covering a single special case (return to non-conforming
segment).
Additionally in long mode the L bit set requires the D bit to be clear,
as was recently pointed out for KVM by Nadav Amit
<namit@cs.technion.ac.il>.
Finally we also need to force the loaded selector's RPL to CPL (at
least as long as lret/retf emulation doesn't support privilege level
changes).
This is XSA-110.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1107,7 +1107,7 @@ realmode_load_seg(
static int
protmode_load_seg(
enum x86_segment seg,
- uint16_t sel,
+ uint16_t sel, bool_t is_ret,
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
@@ -1179,9 +1179,23 @@ protmode_load_seg(
/* Code segment? */
if ( !(desc.b & (1u<<11)) )
goto raise_exn;
- /* Non-conforming segment: check DPL against RPL. */
- if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) )
+ if ( is_ret
+ ? /*
+ * Really rpl < cpl, but our sole caller doesn't handle
+ * privilege level changes.
+ */
+ rpl != cpl || (desc.b & (1 << 10) ? dpl > rpl : dpl != rpl)
+ : desc.b & (1 << 10)
+ /* Conforming segment: check DPL against CPL. */
+ ? dpl > cpl
+ /* Non-conforming segment: check RPL and DPL against CPL. */
+ : rpl > cpl || dpl != cpl )
goto raise_exn;
+ /* 64-bit code segments (L bit set) must have D bit clear. */
+ if ( in_longmode(ctxt, ops) &&
+ (desc.b & (1 << 21)) && (desc.b & (1 << 22)) )
+ goto raise_exn;
+ sel = (sel ^ rpl) | cpl;
break;
case x86_seg_ss:
/* Writable data segment? */
@@ -1246,7 +1260,7 @@ protmode_load_seg(
static int
load_seg(
enum x86_segment seg,
- uint16_t sel,
+ uint16_t sel, bool_t is_ret,
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
@@ -1255,7 +1269,7 @@ load_seg(
return X86EMUL_UNHANDLEABLE;
if ( in_protmode(ctxt, ops) )
- return protmode_load_seg(seg, sel, ctxt, ops);
+ return protmode_load_seg(seg, sel, is_ret, ctxt, ops);
return realmode_load_seg(seg, sel, ctxt, ops);
}
@@ -1852,7 +1866,7 @@ x86_emulate(
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
&dst.val, op_bytes, ctxt, ops)) != 0 )
goto done;
- if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(src.val, dst.val, 0, ctxt, ops)) != 0 )
return rc;
break;
@@ -2222,7 +2236,7 @@ x86_emulate(
enum x86_segment seg = decode_segment(modrm_reg);
generate_exception_if(seg == decode_segment_failed, EXC_UD, -1);
generate_exception_if(seg == x86_seg_cs, EXC_UD, -1);
- if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(seg, src.val, 0, ctxt, ops)) != 0 )
goto done;
if ( seg == x86_seg_ss )
ctxt->retire.flags.mov_ss = 1;
@@ -2303,7 +2317,7 @@ x86_emulate(
&_regs.eip, op_bytes, ctxt)) )
goto done;
- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
goto done;
_regs.eip = eip;
break;
@@ -2526,7 +2540,7 @@ x86_emulate(
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes,
&sel, 2, ctxt, ops)) != 0 )
goto done;
- if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(dst.val, sel, 0, ctxt, ops)) != 0 )
goto done;
dst.val = src.val;
break;
@@ -2600,7 +2614,7 @@ x86_emulate(
&dst.val, op_bytes, ctxt, ops)) ||
(rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset),
&src.val, op_bytes, ctxt, ops)) ||
- (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) )
+ (rc = load_seg(x86_seg_cs, src.val, 1, ctxt, ops)) )
goto done;
_regs.eip = dst.val;
break;
@@ -2647,7 +2661,7 @@ x86_emulate(
_regs.eflags &= mask;
_regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02;
_regs.eip = eip;
- if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, cs, 1, ctxt, ops)) != 0 )
goto done;
break;
}
@@ -3277,7 +3291,7 @@ x86_emulate(
generate_exception_if(mode_64bit(), EXC_UD, -1);
eip = insn_fetch_bytes(op_bytes);
sel = insn_fetch_type(uint16_t);
- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
goto done;
_regs.eip = eip;
break;
@@ -3590,7 +3604,7 @@ x86_emulate(
goto done;
}
- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
goto done;
_regs.eip = dst.val;
@@ -3671,7 +3685,7 @@ x86_emulate(
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1);
generate_exception_if(!mode_ring0(), EXC_GP, 0);
if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr,
- src.val, ctxt, ops)) != 0 )
+ src.val, 0, ctxt, ops)) != 0 )
goto done;
break;
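Review bot: The is_ret/conforming privilege test added to protmode_load_seg is a three-level nested conditional expression, which is hard to audit for exactly the kind of missing check XSA-110 fixes; splitting it into named booleans keeps the same logic and makes each rule readable on its own. The forced `sel = (sel ^ rpl) | cpl;` and the long-mode L/D check can stay as they are. The call-site hunks only drop the now-redundant `(uint16_t)` casts and pass is_ret, with 1 at the lret/iret sites only, which matches the description.

```c
            /* Code segment? */
            if ( !(desc.b & (1u<<11)) )
                goto raise_exn;
            {
                bool_t conforming = !!(desc.b & (1 << 10));
                bool_t bad;

                if ( is_ret )
                    /* Really rpl < cpl, but our sole caller doesn't handle
                     * privilege level changes. */
                    bad = rpl != cpl || (conforming ? dpl > rpl : dpl != rpl);
                else if ( conforming )
                    bad = dpl > cpl;               /* conforming: DPL <= CPL */
                else
                    bad = rpl > cpl || dpl != cpl; /* non-conforming: RPL <= CPL, DPL == CPL */
                if ( bad )
                    goto raise_exn;
            }
            /* … unchanged: 64-bit L/D check, sel = (sel ^ rpl) | cpl … */
```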


@@ -0,0 +1,115 @@
$NetBSD: patch-CVE-2014-8866,v 1.1 2014/11/27 15:36:02 bouyer Exp $
x86: limit checks in hypercall_xlat_continuation() to actual arguments
HVM/PVH guests can otherwise trigger the final BUG_ON() in that
function by entering 64-bit mode, setting the high halves of affected
registers to non-zero values, leaving 64-bit mode, and issuing a
hypercall that might get preempted and hence become subject to
continuation argument translation (HYPERVISOR_memory_op being the only
one possible for HVM, PVH also having the option of using
HYPERVISOR_mmuext_op). This issue got introduced when HVM code was
switched to use compat_memory_op() - neither that nor
hypercall_xlat_continuation() were originally intended to be used by
other than PV guests (which can't enter 64-bit mode and hence have no
way to alter the high halves of 64-bit registers).
This is XSA-111.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/domain.c.orig
+++ xen/arch/x86/domain.c
@@ -1921,7 +1921,8 @@ unsigned long hypercall_create_continuat
}
#ifdef CONFIG_COMPAT
-int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...)
+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
+ unsigned int mask, ...)
{
int rc = 0;
struct mc_state *mcs = &current->mc_state;
@@ -1930,7 +1931,10 @@ int hypercall_xlat_continuation(unsigned
unsigned long nval = 0;
va_list args;
- BUG_ON(id && *id > 5);
+ ASSERT(nr <= ARRAY_SIZE(mcs->call.args));
+ ASSERT(!(mask >> nr));
+
+ BUG_ON(id && *id >= nr);
BUG_ON(id && (mask & (1U << *id)));
va_start(args, mask);
@@ -1939,7 +1943,7 @@ int hypercall_xlat_continuation(unsigned
{
if ( !test_bit(_MCSF_call_preempted, &mcs->flags) )
return 0;
- for ( i = 0; i < 6; ++i, mask >>= 1 )
+ for ( i = 0; i < nr; ++i, mask >>= 1 )
{
if ( mask & 1 )
{
@@ -1967,7 +1971,7 @@ int hypercall_xlat_continuation(unsigned
else
{
regs = guest_cpu_user_regs();
- for ( i = 0; i < 6; ++i, mask >>= 1 )
+ for ( i = 0; i < nr; ++i, mask >>= 1 )
{
unsigned long *reg;
--- xen/common/compat/memory.c.orig
+++ xen/common/compat/memory.c
@@ -208,7 +208,7 @@ int compat_memory_op(unsigned int cmd, X
break;
cmd = 0;
- if ( hypercall_xlat_continuation(&cmd, 0x02, nat.hnd, compat) )
+ if ( hypercall_xlat_continuation(&cmd, 2, 0x02, nat.hnd, compat) )
{
BUG_ON(rc != __HYPERVISOR_memory_op);
BUG_ON((cmd & MEMOP_CMD_MASK) != op);
--- xen/include/xen/compat.h.orig 2013-09-10 08:42:18.000000000 +0200
+++ xen/include/xen/compat.h 2014-11-27 15:29:34.000000000 +0100
@@ -185,7 +185,8 @@
CHECK_FIELD_COMMON_(k, CHECK_NAME_(k, n ## __ ## f1 ## __ ## f2 ## __ ## \
f3, F2), n, f1.f2.f3)
-int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...);
+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
+ unsigned int mask, ...);
/* In-place translation functons: */
struct start_info;
--- xen/arch/x86/x86_64/compat/mm.c.orig 2013-09-10 08:42:18.000000000 +0200
+++ xen/arch/x86/x86_64/compat/mm.c 2014-11-27 15:21:15.000000000 +0100
@@ -128,7 +128,7 @@
break;
if ( rc == __HYPERVISOR_memory_op )
- hypercall_xlat_continuation(NULL, 0x2, nat, arg);
+ hypercall_xlat_continuation(NULL, 2, 0x2, nat, arg);
XLAT_pod_target(&cmp, nat);
@@ -333,7 +333,7 @@
left = 1;
if ( arg1 != MMU_UPDATE_PREEMPTED )
{
- BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops,
+ BUG_ON(!hypercall_xlat_continuation(&left, 4, 0x01, nat_ops,
cmp_uops));
if ( !test_bit(_MCSF_in_multicall, &mcs->flags) )
regs->_ecx += count - i;
@@ -341,7 +341,7 @@
mcs->compat_call.args[1] += count - i;
}
else
- BUG_ON(hypercall_xlat_continuation(&left, 0));
+ BUG_ON(hypercall_xlat_continuation(&left, 4, 0));
BUG_ON(left != arg1);
}
else
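Review bot: The two new `ASSERT()`s bounding `nr` and `mask` compile out in non-debug builds, leaving `BUG_ON(id && *id >= nr)` as the only runtime check; that is fine while every caller passes a literal (2 or 4 here), but the contract belongs at the prototype in compat.h, e.g. `/* nr: hypercall argument count; mask: bitmap over those args of handles to translate; mask >> nr must be 0. */`. `va_start(args, mask)` stays correct because mask remains the last named parameter. The `4` passed at the mmuext_op sites versus `2` for memory_op reflects the respective hypercall arities and deserves a one-word comment at each call.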


@@ -0,0 +1,90 @@
$NetBSD: patch-CVE-2014-8867,v 1.1 2014/11/27 15:36:02 bouyer Exp $
x86/HVM: confine internally handled MMIO to solitary regions
While it is generally wrong to cross region boundaries when dealing
with MMIO accesses of repeated string instructions (currently only
MOVS) as that would do things a guest doesn't expect (leaving aside
that none of these regions would normally be accessed with repeated
string instructions in the first place), this is even more of a problem
for all virtual MSI-X page accesses (both msixtbl_{read,write}() can be
made dereference NULL "entry" pointers this way) as well as undersized
(1- or 2-byte) LAPIC writes (causing vlapic_read_aligned() to access
space beyond the one memory page set up for holding LAPIC register
values).
Since those functions validly assume to be called only with addresses
their respective checking functions indicated to be okay, it is generic
code that needs to be fixed to clip the repetition count.
To be on the safe side (and consistent), also do the same for buffered
I/O intercepts, even if their only client (stdvga) doesn't put the
hypervisor at risk (i.e. "only" guest misbehavior would result).
This is CVE-2014-8867 / XSA-112.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/hvm/intercept.c.orig
+++ xen/arch/x86/hvm/intercept.c
@@ -131,11 +131,24 @@ int hvm_mmio_intercept(ioreq_t *p)
int i;
for ( i = 0; i < HVM_MMIO_HANDLER_NR; i++ )
- if ( hvm_mmio_handlers[i]->check_handler(v, p->addr) )
+ {
+ hvm_mmio_check_t check_handler =
+ hvm_mmio_handlers[i]->check_handler;
+
+ if ( check_handler(v, p->addr) )
+ {
+ if ( unlikely(p->count > 1) &&
+ !check_handler(v, unlikely(p->df)
+ ? p->addr - (p->count - 1LL) * p->size
+ : p->addr + (p->count - 1LL) * p->size) )
+ p->count = 1;
+
return hvm_mmio_access(
v, p,
hvm_mmio_handlers[i]->read_handler,
hvm_mmio_handlers[i]->write_handler);
+ }
+ }
return X86EMUL_UNHANDLEABLE;
}
@@ -243,6 +256,13 @@ int hvm_io_intercept(ioreq_t *p, int typ
if ( type == HVM_PORTIO )
return process_portio_intercept(
handler->hdl_list[i].action.portio, p);
+
+ if ( unlikely(p->count > 1) &&
+ (unlikely(p->df)
+ ? p->addr - (p->count - 1LL) * p->size < addr
+ : p->addr + p->count * 1LL * p->size - 1 >= addr + size) )
+ p->count = 1;
+
return handler->hdl_list[i].action.mmio(p);
}
}
--- xen/arch/x86/hvm/vmsi.c.orig
+++ xen/arch/x86/hvm/vmsi.c
@@ -236,6 +236,8 @@ static int msixtbl_read(
rcu_read_lock(&msixtbl_rcu_lock);
entry = msixtbl_find_entry(v, address);
+ if ( !entry )
+ goto out;
offset = address & (PCI_MSIX_ENTRY_SIZE - 1);
if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET )
@@ -278,6 +280,8 @@ static int msixtbl_write(struct vcpu *v,
rcu_read_lock(&msixtbl_rcu_lock);
entry = msixtbl_find_entry(v, address);
+ if ( !entry )
+ goto out;
nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE;
offset = address & (PCI_MSIX_ENTRY_SIZE - 1);
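Review bot: Both new `if ( !entry ) goto out;` checks in msixtbl_read/msixtbl_write are taken after `rcu_read_lock(&msixtbl_rcu_lock)`, and the `out:` label is outside the hunk — confirm it performs the matching `rcu_read_unlock()`, otherwise the defensive path leaks the read-side critical section. In hvm_mmio_intercept the clip tests only the final element of the rep, which assumes each handler's region is contiguous; that holds for a single page or MSI-X table but should be stated in a comment above the check. When the range is clipped, count is forced to 1 rather than to the largest in-region count, so the guest observes a partial rep; the description accepts that.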


@@ -0,0 +1,46 @@
$NetBSD: patch-CVE-2014-9030,v 1.1 2014/11/27 15:36:02 bouyer Exp $
x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE
Any domain which can pass the XSM check against a translated guest can cause a
page reference to be leaked.
While shuffling the order of checks, drop the quite-pointless MEM_LOG(). This
brings the check in line with similar checks in the vicinity.
Discovered while reviewing the XSA-109/110 followup series.
This is XSA-113.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/mm.c.orig 2014-11-27 15:21:15.000000000 +0100
+++ xen/arch/x86/mm.c 2014-11-27 15:37:25.000000000 +0100
@@ -3888,6 +3892,12 @@
case MMU_MACHPHYS_UPDATE:
+ if ( unlikely(paging_mode_translate(pg_owner)) )
+ {
+ rc = -EINVAL;
+ break;
+ }
+
mfn = req.ptr >> PAGE_SHIFT;
gpfn = req.val;
@@ -3901,12 +3911,6 @@
break;
}
- if ( unlikely(paging_mode_translate(pg_owner)) )
- {
- MEM_LOG("Mach-phys update on auto-translate guest");
- break;
- }
-
set_gpfn_from_mfn(mfn, gpfn);
okay = 1;
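Review bot: The hunk header `@@ -3888,6 +3892,12 @@` is relative to xen/arch/x86/mm.c after patch-CVE-2014-8594 has added its four lines, so this patch silently depends on that one being applied first; pkgsrc applies patches in lexical order, which happens to satisfy it, but a header line, `Applies on top of patch-CVE-2014-8594.`, makes the dependency explicit. Hoisting the translate check ahead of the mfn/gpfn validation and setting `rc = -EINVAL` closes the path where the old code broke out of the switch without an error, presumably after a page reference had already been taken (the acquisition is outside the hunk).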


@@ -0,0 +1,53 @@
$NetBSD: patch-CVE-2015-2044,v 1.1 2015/03/05 16:37:16 spz Exp $
x86/HVM: return all ones on wrong-sized reads of system device I/O ports
So far the value presented to the guest remained uninitialized.
This is CVE-2015-2044 / XSA-121.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- xen/arch/x86/hvm/rtc.c.orig 2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/rtc.c
@@ -408,7 +408,8 @@ static int handle_rtc_io(
if ( bytes != 1 )
{
- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
+ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
--- xen/arch/x86/hvm/i8254.c.orig 2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/i8254.c
@@ -475,6 +475,7 @@ static int handle_pit_io(
if ( bytes != 1 )
{
gdprintk(XENLOG_WARNING, "PIT bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
--- xen/arch/x86/hvm/pmtimer.c.orig 2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/pmtimer.c
@@ -213,6 +213,7 @@ static int handle_pmt_io(
if ( bytes != 4 )
{
gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
--- xen/arch/x86/hvm/vpic.c.orig 2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/hvm/vpic.c
@@ -324,6 +324,7 @@ static int vpic_intercept_pic_io(
if ( bytes != 1 )
{
gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
+ *val = ~0;
return X86EMUL_OKAY;
}
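Review bot: `*val = ~0;` is stored for every wrong-sized access, and none of the four handlers tests the direction in the hunk, so on a wrong-sized write it also overwrites the caller's value buffer; that is harmless if `val` is only consumed on reads, which is what the description implies, but worth confirming at the callers. A one-line comment above each store, `/* Reads: present all-ones rather than uninitialized stack contents. */`, records the reason the next reader would otherwise have to look up. The rtc hunk bundles the "bas"→"bad" typo fix into the security change.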


@@ -0,0 +1,42 @@
$NetBSD: patch-CVE-2015-2045,v 1.1 2015/03/05 16:37:16 spz Exp $
pre-fill structures for certain HYPERVISOR_xen_version sub-ops
... avoiding to pass hypervisor stack contents back to the caller
through space unused by the respective strings.
This is CVE-2015-2045 / XSA-122.
Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- xen/common/kernel.c.orig 2014-09-02 06:22:57.000000000 +0000
+++ xen/common/kernel.c
@@ -218,6 +218,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
case XENVER_extraversion:
{
xen_extraversion_t extraversion;
+
+ memset(extraversion, 0, sizeof(extraversion));
safe_strcpy(extraversion, xen_extra_version());
if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
return -EFAULT;
@@ -227,6 +229,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
case XENVER_compile_info:
{
struct xen_compile_info info;
+
+ memset(&info, 0, sizeof(info));
safe_strcpy(info.compiler, xen_compiler());
safe_strcpy(info.compile_by, xen_compile_by());
safe_strcpy(info.compile_domain, xen_compile_domain());
@@ -263,6 +267,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
case XENVER_changeset:
{
xen_changeset_info_t chgset;
+
+ memset(chgset, 0, sizeof(chgset));
safe_strcpy(chgset, xen_changeset());
if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
return -EFAULT;


@@ -0,0 +1,22 @@
$NetBSD: patch-CVE-2015-2151,v 1.1 2015/03/10 20:27:16 spz Exp $
xsa123-4.3-4.2.patch from upstream:
x86emul: fully ignore segment override for register-only operations
For ModRM encoded instructions with register operands we must not
overwrite ea.mem.seg (if a - bogus in that case - segment override was
present) as it aliases with ea.reg.
This is CVE-2015-2151 / XSA-123.
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2015-03-10 20:10:23.000000000 +0000
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1462,7 +1462,7 @@ x86_emulate(
}
}
- if ( override_seg != -1 )
+ if ( override_seg != -1 && ea.type == OP_MEM )
ea.mem.seg = override_seg;
/* Decode and fetch the source operand: register, memory or immediate. */