Minix/pkgsrc-ng
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Import of pkgsrc-2015Q2

Browse Source
This commit is contained in:
Lionel Sambuc
2015-08-30 02:56:09 -07:00
committed by Lionel Sambuc
parent 4af1cdf7a9
commit f641581404
15409 changed files with 267784 additions and 121624 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
sysutils/xenkernel42/Makefile
View File

@@ -1,9 +1,9 @@
# $NetBSD: Makefile,v 1.14 2015/03/18 15:05:51 joerg Exp $
# $NetBSD: Makefile,v 1.16 2015/06/05 18:18:41 khorben Exp $
VERSION= 4.2.5
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel42-${VERSION}
PKGREVISION= 5
PKGREVISION= 7
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/

5
sysutils/xenkernel42/distinfo
View File

@@ -1,4 +1,4 @@
$NetBSD: distinfo,v 1.12 2015/03/18 15:05:51 joerg Exp $
$NetBSD: distinfo,v 1.14 2015/06/05 18:18:41 khorben Exp $
SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
@@ -11,6 +11,9 @@ SHA1 (patch-CVE-2014-9030) = f4646ab2b0d01ad2a3bf47839fe0ffd35479b4a6
SHA1 (patch-CVE-2015-2044) = bcb7152da8d37902540cbfbdfd7309536cffa61e
SHA1 (patch-CVE-2015-2045) = f70839fabd4ef9086c8fb808e4f3448a8e844c98
SHA1 (patch-CVE-2015-2151) = df05750b86331b88102b41f065c314c38c6bc396
SHA1 (patch-CVE-2015-2752) = 62547b55385aaf54af23270939fe086b996d5744
SHA1 (patch-CVE-2015-2756) = cb1be46c28e6f88c13fc0d26ff0606bdb877283c
SHA1 (patch-CVE-2015-3456) = 8d54d33b81ef77056aa6f58ab123912948454020
SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2

108
sysutils/xenkernel42/patches/patch-CVE-2015-2752 Normal file
View File

@@ -0,0 +1,108 @@
$NetBSD: patch-CVE-2015-2752,v 1.1 2015/04/19 13:13:20 spz Exp $
Patch for CVE-2015-2752 aka XSA-125 from
http://xenbits.xenproject.org/xsa/xsa125-4.2.patch
--- tools/libxc/xc_domain.c.orig 2014-09-02 06:22:57.000000000 +0000
+++ tools/libxc/xc_domain.c
@@ -1352,6 +1352,13 @@ int xc_domain_bind_pt_isa_irq(
PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq));
}
+#ifndef min
+#define min(X, Y) ({ \
+ const typeof (X) _x = (X); \
+ const typeof (Y) _y = (Y); \
+ (void) (&_x == &_y); \
+ (_x < _y) ? _x : _y; })
+#endif
int xc_domain_memory_mapping(
xc_interface *xch,
uint32_t domid,
@@ -1361,17 +1368,55 @@ int xc_domain_memory_mapping(
uint32_t add_mapping)
{
DECLARE_DOMCTL;
+ int ret = 0, err;
+ unsigned long done = 0, nr, max_batch_sz;
+
+ if ( !nr_mfns )
+ return 0;
domctl.cmd = XEN_DOMCTL_memory_mapping;
domctl.domain = domid;
- domctl.u.memory_mapping.first_gfn = first_gfn;
- domctl.u.memory_mapping.first_mfn = first_mfn;
- domctl.u.memory_mapping.nr_mfns = nr_mfns;
domctl.u.memory_mapping.add_mapping = add_mapping;
+ max_batch_sz = nr_mfns;
+ do
+ {
+ nr = min(nr_mfns - done, max_batch_sz);
+ domctl.u.memory_mapping.nr_mfns = nr;
+ domctl.u.memory_mapping.first_gfn = first_gfn + done;
+ domctl.u.memory_mapping.first_mfn = first_mfn + done;
+ err = do_domctl(xch, &domctl);
+ if ( err && errno == E2BIG )
+ {
+ if ( max_batch_sz <= 1 )
+ break;
+ max_batch_sz >>= 1;
+ continue;
+ }
+ /* Save the first error... */
+ if ( !ret )
+ ret = err;
+ /* .. and ignore the rest of them when removing. */
+ if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+ break;
+
+ done += nr;
+ } while ( done < nr_mfns );
+
+ /*
+ * Undo what we have done unless unmapping, by unmapping the entire region.
+ * Errors here are ignored.
+ */
+ if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+ DPCI_REMOVE_MAPPING);
+
+ /* We might get E2BIG so many times that we never advance. */
+ if ( !done && !ret )
+ ret = -1;
- return do_domctl(xch, &domctl);
+ return ret;
}
-
+#undef min
int xc_domain_ioport_mapping(
xc_interface *xch,
uint32_t domid,
--- xen/arch/x86/domctl.c.orig 2014-09-02 06:22:57.000000000 +0000
+++ xen/arch/x86/domctl.c
@@ -865,6 +865,11 @@ long arch_do_domctl(
(gfn + nr_mfns - 1) < gfn ) /* wrap? */
break;
+ ret = -E2BIG;
+ /* Must break hypercall up as this could take a while. */
+ if ( nr_mfns > 64 )
+ break;
+
ret = -EPERM;
if ( !IS_PRIV(current->domain) &&
!iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) )
--- xen/include/public/domctl.h.orig 2014-09-02 06:22:57.000000000 +0000
+++ xen/include/public/domctl.h
@@ -507,6 +507,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_
/* Bind machine I/O address range -> HVM address range. */
+/* If this returns -E2BIG lower nr_mfns value. */
/* XEN_DOMCTL_memory_mapping */
#define DPCI_ADD_MAPPING 1
#define DPCI_REMOVE_MAPPING 0

142
sysutils/xenkernel42/patches/patch-CVE-2015-2756 Normal file
View File

@@ -0,0 +1,142 @@
$NetBSD: patch-CVE-2015-2756,v 1.1 2015/04/19 13:13:21 spz Exp $
patch for CVE-2015-2756 aka XSA-126 from
http://xenbits.xenproject.org/xsa/xsa126-qemut.patch
--- tools/qemu-xen-traditional/hw/pass-through.c.orig 2014-01-09 12:44:42.000000000 +0000
+++ tools/qemu-xen-traditional/hw/pass-through.c
@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de
static int pt_long_reg_read(struct pt_dev *ptdev,
struct pt_reg_tbl *cfg_entry,
uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
- struct pt_reg_tbl *cfg_entry,
- uint16_t *value, uint16_t valid_mask);
static int pt_bar_reg_read(struct pt_dev *ptdev,
struct pt_reg_tbl *cfg_entry,
uint32_t *value, uint32_t valid_mask);
@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg
.size = 2,
.init_val = 0x0000,
.ro_mask = 0xF880,
- .emu_mask = 0x0740,
+ .emu_mask = 0x0743,
.init = pt_common_reg_init,
- .u.w.read = pt_cmd_reg_read,
+ .u.w.read = pt_word_reg_read,
.u.w.write = pt_cmd_reg_write,
.u.w.restore = pt_cmd_reg_restore,
},
@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d
return rc;
}
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
{
int i = 0;
uint32_t bar_data = 0;
@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt
/* Register current region */
if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+ {
pci_register_io_region((PCIDevice *)assigned_device, i,
(uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
pt_ioport_map);
+ *cmd |= PCI_COMMAND_IO;
+ }
else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+ {
pci_register_io_region((PCIDevice *)assigned_device, i,
(uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
pt_iomem_map);
+ *cmd |= PCI_COMMAND_MEMORY;
+ }
else
+ {
pci_register_io_region((PCIDevice *)assigned_device, i,
(uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
pt_iomem_map);
+ *cmd |= PCI_COMMAND_MEMORY;
+ }
PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
(uint32_t)(pci_dev->size[i]),
@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de
return 0;
}
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
- struct pt_reg_tbl *cfg_entry,
- uint16_t *value, uint16_t valid_mask)
-{
- struct pt_reg_info_tbl *reg = cfg_entry->reg;
- uint16_t valid_emu_mask = 0;
- uint16_t emu_mask = reg->emu_mask;
-
- if ( ptdev->is_virtfn )
- emu_mask |= PCI_COMMAND_MEMORY;
- if ( pt_is_iomul(ptdev) )
- emu_mask |= PCI_COMMAND_IO;
-
- /* emulate word register */
- valid_emu_mask = emu_mask & valid_mask;
- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
- return 0;
-}
-
/* read BAR */
static int pt_bar_reg_read(struct pt_dev *ptdev,
struct pt_reg_tbl *cfg_entry,
@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de
uint16_t writable_mask = 0;
uint16_t throughable_mask = 0;
uint16_t wr_value = *value;
- uint16_t emu_mask = reg->emu_mask;
-
- if ( ptdev->is_virtfn )
- emu_mask |= PCI_COMMAND_MEMORY;
- if ( pt_is_iomul(ptdev) )
- emu_mask |= PCI_COMMAND_IO;
/* modify emulate register */
writable_mask = ~reg->ro_mask & valid_mask;
cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
/* create value for writing to I/O device register */
- throughable_mask = ~emu_mask & valid_mask;
+ throughable_mask = ~reg->emu_mask & valid_mask;
if (*value & PCI_COMMAND_DISABLE_INTx)
{
@@ -4205,6 +4184,7 @@ static struct pt_dev * register_real_dev
struct pt_dev *assigned_device = NULL;
struct pci_dev *pci_dev;
uint8_t e_device, e_intx;
+ uint16_t cmd = 0;
char *key, *val;
int msi_translate, power_mgmt;
@@ -4294,7 +4274,7 @@ static struct pt_dev * register_real_dev
assigned_device->dev.config[i] = pci_read_byte(pci_dev, i);
/* Handle real device's MMIO/PIO BARs */
- pt_register_regions(assigned_device);
+ pt_register_regions(assigned_device, &cmd);
/* Setup VGA bios for passthroughed gfx */
if ( setup_vga_pt(assigned_device) < 0 )
@@ -4372,6 +4352,10 @@ static struct pt_dev * register_real_dev
}
out:
+ if (cmd)
+ pci_write_word(pci_dev, PCI_COMMAND,
+ *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd);
+
PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n"
"IRQ type = %s\n", r_bus, r_dev, r_func,
assigned_device->msi_trans_en? "MSI-INTx":"INTx");

131
sysutils/xenkernel42/patches/patch-CVE-2015-3456 Normal file
View File

@@ -0,0 +1,131 @@
$NetBSD: patch-CVE-2015-3456,v 1.1 2015/06/05 18:18:41 khorben Exp $
fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
--- tools/qemu-xen/hw/fdc.c.orig
+++ tools/qemu-xen/hw/fdc.c
@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
{
FDrive *cur_drv;
uint32_t retval = 0;
- int pos;
+ uint32_t pos;
cur_drv = get_cur_drv(fdctrl);
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
return 0;
}
pos = fdctrl->data_pos;
+ pos %= FD_SECTOR_LEN;
if (fdctrl->msr & FD_MSR_NONDMA) {
- pos %= FD_SECTOR_LEN;
if (pos == 0) {
if (fdctrl->data_pos != 0)
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
{
FDrive *cur_drv = get_cur_drv(fdctrl);
+ uint32_t pos;
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+ pos = fdctrl->data_pos - 1;
+ pos %= FD_SECTOR_LEN;
+ if (fdctrl->fifo[pos] & 0x80) {
/* Command parameters done */
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+ if (fdctrl->fifo[pos] & 0x40) {
fdctrl->fifo[0] = fdctrl->fifo[1];
fdctrl->fifo[2] = 0;
fdctrl->fifo[3] = 0;
@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
{
FDrive *cur_drv;
- int pos;
+ uint32_t pos;
/* Reset mode */
if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
}
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
- fdctrl->fifo[fdctrl->data_pos++] = value;
+ pos = fdctrl->data_pos++;
+ pos %= FD_SECTOR_LEN;
+ fdctrl->fifo[pos] = value;
if (fdctrl->data_pos == fdctrl->data_len) {
/* We now have all parameters
* and will be able to treat the command
--- tools/qemu-xen-traditional/hw/fdc.c.orig
+++ tools/qemu-xen-traditional/hw/fdc.c
@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
{
fdrive_t *cur_drv;
uint32_t retval = 0;
- int pos;
+ uint32_t pos;
cur_drv = get_cur_drv(fdctrl);
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl_t *fdctrl)
return 0;
}
pos = fdctrl->data_pos;
+ pos %= FD_SECTOR_LEN;
if (fdctrl->msr & FD_MSR_NONDMA) {
- pos %= FD_SECTOR_LEN;
if (pos == 0) {
if (fdctrl->data_pos != 0)
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl_t *fdctrl, int direction)
static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
{
fdrive_t *cur_drv = get_cur_drv(fdctrl);
+ uint32_t pos;
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+ pos = fdctrl->data_pos - 1;
+ pos %= FD_SECTOR_LEN;
+ if (fdctrl->fifo[pos] & 0x80) {
/* Command parameters done */
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+ if (fdctrl->fifo[pos] & 0x40) {
fdctrl->fifo[0] = fdctrl->fifo[1];
fdctrl->fifo[2] = 0;
fdctrl->fifo[3] = 0;
@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
{
fdrive_t *cur_drv;
- int pos;
+ uint32_t pos;
/* Reset mode */
if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
}
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
- fdctrl->fifo[fdctrl->data_pos++] = value;
+ pos = fdctrl->data_pos++;
+ pos %= FD_SECTOR_LEN;
+ fdctrl->fifo[pos] = value;
if (fdctrl->data_pos == fdctrl->data_len) {
/* We now have all parameters
* and will be able to treat the command