1 |
dlan 14/01/24 15:25:38 |
2 |
|
3 |
Added: xen-4-XSA-83.patch xen-4.2-XSA-87.patch |
4 |
xen-4.3-XSA-87.patch |
5 |
Log: |
6 |
fix security bugs #499054, #499124 |
7 |
|
8 |
(Portage version: 2.2.8/cvs/Linux x86_64, signed Manifest commit with key 0xAABEFD55) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 app-emulation/xen/files/xen-4-XSA-83.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-XSA-83.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-XSA-83.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: xen-4-XSA-83.patch |
17 |
=================================================================== |
18 |
x86/irq: avoid use-after-free on error path in pirq_guest_bind() |
19 |
|
20 |
This is XSA-83. |
21 |
|
22 |
Coverity-ID: 1146952 |
23 |
Signed-off-by: Andrew Cooper <andrew.cooper3@××××××.com> |
24 |
Reviewed-by: Jan Beulich <jbeulich@××××.com> |
25 |
|
26 |
--- a/xen/arch/x86/irq.c |
27 |
+++ b/xen/arch/x86/irq.c |
28 |
@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru |
29 |
printk(XENLOG_G_INFO |
30 |
"Cannot bind IRQ%d to dom%d. Out of memory.\n", |
31 |
pirq->pirq, v->domain->domain_id); |
32 |
- rc = -ENOMEM; |
33 |
- goto out; |
34 |
+ return -ENOMEM; |
35 |
} |
36 |
|
37 |
action = newaction; |
38 |
|
39 |
|
40 |
|
41 |
1.1 app-emulation/xen/files/xen-4.2-XSA-87.patch |
42 |
|
43 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4.2-XSA-87.patch?rev=1.1&view=markup |
44 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4.2-XSA-87.patch?rev=1.1&content-type=text/plain |
45 |
|
46 |
Index: xen-4.2-XSA-87.patch |
47 |
=================================================================== |
48 |
x86: PHYSDEVOP_{prepare,release}_msix are privileged |
49 |
|
50 |
Yet this wasn't being enforced. |
51 |
|
52 |
This is XSA-87. |
53 |
|
54 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
55 |
|
56 |
--- a/xen/arch/x86/physdev.c |
57 |
+++ b/xen/arch/x86/physdev.c |
58 |
@@ -612,7 +612,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H |
59 |
case PHYSDEVOP_release_msix: { |
60 |
struct physdev_pci_device dev; |
61 |
|
62 |
- if ( copy_from_guest(&dev, arg, 1) ) |
63 |
+ if ( !IS_PRIV(v->domain) ) |
64 |
+ ret = -EPERM; |
65 |
+ else if ( copy_from_guest(&dev, arg, 1) ) |
66 |
ret = -EFAULT; |
67 |
else |
68 |
ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn, |
69 |
|
70 |
|
71 |
|
72 |
1.1 app-emulation/xen/files/xen-4.3-XSA-87.patch |
73 |
|
74 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4.3-XSA-87.patch?rev=1.1&view=markup |
75 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4.3-XSA-87.patch?rev=1.1&content-type=text/plain |
76 |
|
77 |
Index: xen-4.3-XSA-87.patch |
78 |
=================================================================== |
79 |
x86: PHYSDEVOP_{prepare,release}_msix are privileged |
80 |
|
81 |
Yet this wasn't being enforced. |
82 |
|
83 |
This is XSA-87. |
84 |
|
85 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
86 |
Reviewed-by: Andrew Cooper <andrew.cooper3@××××××.com> |
87 |
|
88 |
--- 2014-01-14.orig/xen/arch/x86/physdev.c 2013-11-18 11:03:37.000000000 +0100 |
89 |
+++ 2014-01-14/xen/arch/x86/physdev.c 2014-01-22 12:47:47.000000000 +0100 |
90 |
@@ -640,7 +640,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H |
91 |
if ( copy_from_guest(&dev, arg, 1) ) |
92 |
ret = -EFAULT; |
93 |
else |
94 |
- ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn, |
95 |
+ ret = xsm_resource_setup_pci(XSM_PRIV, |
96 |
+ (dev.seg << 16) | (dev.bus << 8) | |
97 |
+ dev.devfn) ?: |
98 |
+ pci_prepare_msix(dev.seg, dev.bus, dev.devfn, |
99 |
cmd != PHYSDEVOP_prepare_msix); |
100 |
break; |
101 |
} |