idella4 13/01/30 12:12:31 |
|
Modified: xen-4-fix_dotconfig-gcc.patch |
Added: xen-4-CVE-2012-5513-XSA-29.patch |
xen-4-CVE-2012-5510-XSA-26.patch |
xen-4-CVE-2012-4537-XSA-22.patch |
xen-4-CVE-2012-4535-XSA-20.patch |
xen-4-CVE-2012-4539-XSA-24.patch |
xen-4-CVE-2012-5634-XSA-33.patch |
xen-4-CVE-2013-0151-XSA-34_35.patch |
xen-4-CVE-2012-4538-XSA-23.patch |
xen-4-CVE-2013-0151-XSA-27_34_35.patch |
xen-4-CVE-2013-0154-XSA-37.patch |
xen-4-CVE-2012-5514-XSA-30.patch |
xen-4-CVE-2012-5525-XSA-32.patch |
xen-4-CVE-2012-5515-XSA-31.patch |
Log: |
revbumps; -4.2.0-r1, eclass python-single-r1 added to enable & ensure a build by py2 fixing Bug #453930, PYTHON_COMPAT set accordingly, EAPI->5, sed statements reduced to patches, many sec. patches added addressing Bugs #445254, #431156, #454314. -4.2.1-r1, changes mirrored in those of -4.2.0-r1, addition of 3 sec. patches that pertain to 4.2.1. Dropped 4.2.0 & 4.2.1 by virtue of being prone to failure in the form of Bug #453930. Sees 4.2.0-r1 ready for testing for stable |
|
(Portage version: 2.1.11.40/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D) |
|
Revision Changes Path |
23 |
1.2 app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch |
24 |
|
25 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch?rev=1.2&view=markup |
26 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch?rev=1.2&content-type=text/plain |
27 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch?r1=1.1&r2=1.2 |
28 |
|
29 |
Index: xen-4-fix_dotconfig-gcc.patch |
30 |
=================================================================== |
31 |
RCS file: /var/cvsroot/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch,v |
32 |
retrieving revision 1.1 |
33 |
retrieving revision 1.2 |
34 |
diff -u -r1.1 -r1.2 |
35 |
--- xen-4-fix_dotconfig-gcc.patch 24 Jan 2013 09:18:34 -0000 1.1 |
36 |
+++ xen-4-fix_dotconfig-gcc.patch 30 Jan 2013 12:12:31 -0000 1.2 |
37 |
@@ -7,7 +7,7 @@ |
38 |
# Define some default flags. |
39 |
# NB. '-Wcast-qual' is nasty, so I omitted it. |
40 |
-DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls |
41 |
-+DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls |
42 |
++DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls |
43 |
DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,) |
44 |
DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline) |
45 |
DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline |
46 |
@@ -19,7 +19,7 @@ |
47 |
-include $(XEN_TARGET_ARCH)/Makefile |
48 |
|
49 |
-CFLAGS += -Werror -Wmissing-prototypes |
50 |
-+CFLAGS += -Wmissing-prototypes |
51 |
++CFLAGS += -Wmissing-prototypes |
52 |
CFLAGS += -I. $(CFLAGS_xeninclude) |
53 |
|
54 |
# Needed for posix_fadvise64() in xc_linux.c |
55 |
|
56 |
|
57 |
|
58 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch |
59 |
|
60 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch?rev=1.1&view=markup |
61 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch?rev=1.1&content-type=text/plain |
62 |
|
63 |
Index: xen-4-CVE-2012-5513-XSA-29.patch |
64 |
=================================================================== |
65 |
|
66 |
# HG changeset patch |
67 |
# User Jan Beulich <jbeulich@××××.com> |
68 |
# Date 1354644164 0 |
69 |
# Node ID 83ab3cd0f8e44ad588932aba93d3b5f92a888a08 |
70 |
# Parent 5771c761ff1bb249dc683d7ec019d76a2a03a048 |
71 |
xen: add missing guest address range checks to XENMEM_exchange handlers |
72 |
|
73 |
Ever since its existence (3.0.3 iirc) the handler for this has been |
74 |
using non address range checking guest memory accessors (i.e. |
75 |
the ones prefixed with two underscores) without first range |
76 |
checking the accessed space (via guest_handle_okay()), allowing |
77 |
a guest to access and overwrite hypervisor memory. |
78 |
|
79 |
This is XSA-29 / CVE-2012-5513. |
80 |
|
81 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
82 |
Acked-by: Ian Campbell <ian.campbell@××××××.com> |
83 |
Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
84 |
Committed-by: Ian Jackson <ian.jackson.citrix.com> |
85 |
|
86 |
diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/compat/memory.c |
87 |
--- a/xen/common/compat/memory.c Tue Dec 04 18:02:38 2012 +0000 |
88 |
+++ b/xen/common/compat/memory.c Tue Dec 04 18:02:44 2012 +0000 |
89 |
@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X |
90 |
(cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) |
91 |
return -EINVAL; |
92 |
|
93 |
+ if ( !compat_handle_okay(cmp.xchg.in.extent_start, |
94 |
+ cmp.xchg.in.nr_extents) || |
95 |
+ !compat_handle_okay(cmp.xchg.out.extent_start, |
96 |
+ cmp.xchg.out.nr_extents) ) |
97 |
+ return -EFAULT; |
98 |
+ |
99 |
start_extent = cmp.xchg.nr_exchanged; |
100 |
end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / |
101 |
(((1U << ABS(order_delta)) + 1) * |
102 |
diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/memory.c |
103 |
--- a/xen/common/memory.c Tue Dec 04 18:02:38 2012 +0000 |
104 |
+++ b/xen/common/memory.c Tue Dec 04 18:02:44 2012 +0000 |
105 |
@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA |
106 |
goto fail_early; |
107 |
} |
108 |
|
109 |
+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || |
110 |
+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) |
111 |
+ { |
112 |
+ rc = -EFAULT; |
113 |
+ goto fail_early; |
114 |
+ } |
115 |
+ |
116 |
/* Only privileged guests can allocate multi-page contiguous extents. */ |
117 |
if ( !multipage_allocation_permitted(current->domain, |
118 |
exch.in.extent_order) || |
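Review bot: The new range checks in both hunks carry no comment saying why they must sit before the exchange loop; the reason is only in the commit message, namely that the loop uses the non-range-checking double-underscore (`__copy_*`) guest accessors, so the whole `in` and `out` arrays have to be validated up front. A one-line comment above the `guest_handle_okay()` pair, `/* The loop below uses the unchecked __copy_*_guest accessors: validate both arrays in full here. */`, and the same above the `compat_handle_okay()` pair, would keep a later maintainer from reordering them. memory_exchange() and compat_memory_op() both start and end outside their hunks, so whether the in/out counts were already bounded (beyond the extent-order check visible in the compat hunk) cannot be confirmed from here.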
119 |
|
120 |
|
121 |
|
122 |
|
123 |
|
124 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch |
125 |
|
126 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch?rev=1.1&view=markup |
127 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch?rev=1.1&content-type=text/plain |
128 |
|
129 |
Index: xen-4-CVE-2012-5510-XSA-26.patch |
130 |
=================================================================== |
131 |
# HG changeset patch |
132 |
# User Jan Beulich <jbeulich@××××.com> |
133 |
# Date 1354644138 0 |
134 |
# Node ID dea7d4e5bfc1627133c0c19706fea1fbc9e5a378 |
135 |
# Parent 9e13427c023020756768c73217dab05295709fb3 |
136 |
gnttab: fix releasing of memory upon switches between versions |
137 |
|
138 |
gnttab_unpopulate_status_frames() incompletely freed the pages |
139 |
previously used as status frame in that they did not get removed from |
140 |
the domain's xenpage_list, thus causing subsequent list corruption |
141 |
when those pages did get allocated again for the same or another purpose. |
142 |
|
143 |
Similarly, grant_table_create() and gnttab_grow_table() both improperly |
144 |
clean up in the event of an error - pages already shared with the guest |
145 |
can't be freed by just passing them to free_xenheap_page(). Fix this by |
146 |
sharing the pages only after all allocations succeeded. |
147 |
|
148 |
This is CVE-2012-5510 / XSA-26. |
149 |
|
150 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
151 |
Acked-by: Ian Campbell <ian.campbell@××××××.com> |
152 |
Committed-by: Ian Jackson <ian.jackson.citrix.com> |
153 |
|
154 |
diff -r 9e13427c0230 -r dea7d4e5bfc1 xen/common/grant_table.c |
155 |
--- xen/common/grant_table.c Thu Nov 29 16:59:43 2012 +0000 |
156 |
+++ xen/common/grant_table.c Tue Dec 04 18:02:18 2012 +0000 |
157 |
@@ -1173,12 +1173,13 @@ fault: |
158 |
} |
159 |
|
160 |
static int |
161 |
-gnttab_populate_status_frames(struct domain *d, struct grant_table *gt) |
162 |
+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt, |
163 |
+ unsigned int req_nr_frames) |
164 |
{ |
165 |
unsigned i; |
166 |
unsigned req_status_frames; |
167 |
|
168 |
- req_status_frames = grant_to_status_frames(gt->nr_grant_frames); |
169 |
+ req_status_frames = grant_to_status_frames(req_nr_frames); |
170 |
for ( i = nr_status_frames(gt); i < req_status_frames; i++ ) |
171 |
{ |
172 |
if ( (gt->status[i] = alloc_xenheap_page()) == NULL ) |
173 |
@@ -1209,7 +1210,12 @@ gnttab_unpopulate_status_frames(struct d |
174 |
|
175 |
for ( i = 0; i < nr_status_frames(gt); i++ ) |
176 |
{ |
177 |
- page_set_owner(virt_to_page(gt->status[i]), dom_xen); |
178 |
+ struct page_info *pg = virt_to_page(gt->status[i]); |
179 |
+ |
180 |
+ BUG_ON(page_get_owner(pg) != d); |
181 |
+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) |
182 |
+ put_page(pg); |
183 |
+ BUG_ON(pg->count_info & ~PGC_xen_heap); |
184 |
free_xenheap_page(gt->status[i]); |
185 |
gt->status[i] = NULL; |
186 |
} |
187 |
@@ -1247,19 +1253,18 @@ gnttab_grow_table(struct domain *d, unsi |
188 |
clear_page(gt->shared_raw[i]); |
189 |
} |
190 |
|
191 |
+ /* Status pages - version 2 */ |
192 |
+ if (gt->gt_version > 1) |
193 |
+ { |
194 |
+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) |
195 |
+ goto shared_alloc_failed; |
196 |
+ } |
197 |
+ |
198 |
/* Share the new shared frames with the recipient domain */ |
199 |
for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) |
200 |
gnttab_create_shared_page(d, gt, i); |
201 |
- |
202 |
gt->nr_grant_frames = req_nr_frames; |
203 |
|
204 |
- /* Status pages - version 2 */ |
205 |
- if (gt->gt_version > 1) |
206 |
- { |
207 |
- if ( gnttab_populate_status_frames(d, gt) ) |
208 |
- goto shared_alloc_failed; |
209 |
- } |
210 |
- |
211 |
return 1; |
212 |
|
213 |
shared_alloc_failed: |
214 |
@@ -2157,7 +2162,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt |
215 |
|
216 |
if ( op.version == 2 && gt->gt_version < 2 ) |
217 |
{ |
218 |
- res = gnttab_populate_status_frames(d, gt); |
219 |
+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt)); |
220 |
if ( res < 0) |
221 |
goto out_unlock; |
222 |
} |
223 |
@@ -2600,14 +2605,15 @@ grant_table_create( |
224 |
clear_page(t->shared_raw[i]); |
225 |
} |
226 |
|
227 |
- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) |
228 |
- gnttab_create_shared_page(d, t, i); |
229 |
- |
230 |
/* Status pages for grant table - for version 2 */ |
231 |
t->status = xzalloc_array(grant_status_t *, |
232 |
grant_to_status_frames(max_nr_grant_frames)); |
233 |
if ( t->status == NULL ) |
234 |
goto no_mem_4; |
235 |
+ |
236 |
+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) |
237 |
+ gnttab_create_shared_page(d, t, i); |
238 |
+ |
239 |
t->nr_status_frames = 0; |
240 |
|
241 |
/* Okay, install the structure. */ |
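Review bot: In the gnttab_unpopulate_status_frames() hunk, `BUG_ON(pg->count_info & ~PGC_xen_heap)` fires after this code drops only the `_PGC_allocated` reference; if anything else still holds a reference to a status frame (the page was shared with the guest, so a remaining mapping seems possible — the sharing and reference-taking code is outside the hunk), a version switch requested by that guest would take the hypervisor down rather than fail the request. The defensive shape is to have gnttab_unpopulate_status_frames() return an error and leave the frame in place when references remain, propagating the failure to gnttab_set_version(); its callers are outside the hunk, so I cannot confirm they handle a failure today. Separately, the moved `if (gt->gt_version > 1)` in gnttab_grow_table() keeps its old spacing right next to the new `if ( gnttab_populate_status_frames(...) )`; `if ( gt->gt_version > 1 )` would match the file's style. `shared_alloc_failed:` is outside the hunk, so whether it also unpopulates status frames that were populated just before a later failure is not visible here.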
242 |
|
243 |
|
244 |
|
245 |
|
246 |
|
247 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch |
248 |
|
249 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch?rev=1.1&view=markup |
250 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch?rev=1.1&content-type=text/plain |
251 |
|
252 |
Index: xen-4-CVE-2012-4537-XSA-22.patch |
253 |
=================================================================== |
254 |
# HG changeset patch |
255 |
# User Ian Jackson <Ian.Jackson@×××××××××.com> |
256 |
# Date 1352893017 0 |
257 |
# Node ID 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba |
258 |
# Parent 788af5959f692ca16942937055afb09b760f2166 |
259 |
x86/physmap: Prevent incorrect updates of m2p mappings |
260 |
|
261 |
In certain conditions, such as low memory, set_p2m_entry() can fail. |
262 |
Currently, the p2m and m2p tables will get out of sync because we still |
263 |
update the m2p table after the p2m update has failed. |
264 |
|
265 |
If that happens, subsequent guest-invoked memory operations can cause |
266 |
BUG()s and ASSERT()s to kill Xen. |
267 |
|
268 |
This is fixed by only updating the m2p table iff the p2m was |
269 |
successfully updated. |
270 |
|
271 |
This is a security problem, XSA-22 / CVE-2012-4537. |
272 |
|
273 |
Signed-off-by: Andrew Cooper <andrew.cooper3@××××××.com> |
274 |
Acked-by: Ian Campbell <ian.campbell@××××××.com> |
275 |
Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
276 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
277 |
|
278 |
xen-unstable changeset: 26149:6b6a4007a609 |
279 |
Backport-requested-by: security@×××.org |
280 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
281 |
|
282 |
diff -r 788af5959f69 -r 4cffe28427e0 xen/arch/x86/mm/p2m.c |
283 |
--- xen/arch/x86/mm/p2m.c Wed Nov 14 11:33:15 2012 +0000 |
284 |
+++ xen/arch/x86/mm/p2m.c Wed Nov 14 11:36:57 2012 +0000 |
285 |
@@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d |
286 |
if ( mfn_valid(_mfn(mfn)) ) |
287 |
{ |
288 |
if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) |
289 |
+ { |
290 |
rc = -EINVAL; |
291 |
+ goto out; /* Failed to update p2m, bail without updating m2p. */ |
292 |
+ } |
293 |
if ( !p2m_is_grant(t) ) |
294 |
{ |
295 |
for ( i = 0; i < (1UL << page_order); i++ ) |
296 |
@@ -677,6 +680,7 @@ guest_physmap_add_entry(struct domain *d |
297 |
} |
298 |
} |
299 |
|
300 |
+out: |
301 |
p2m_unlock(p2m); |
302 |
|
303 |
return rc; |
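Review bot: The new `goto out` bypasses everything between the first hunk's loop and the `out:` label (old lines 661–676 lie between the two hunks and are not shown), which is the intent for the m2p updates but also skips any other bookkeeping that sits there; a comment at the label, `out: /* reached directly on set_p2m_entry() failure: m2p is left untouched */`, would record that. guest_physmap_add_entry() starts and ends outside the hunks, so I cannot confirm that nothing else in the skipped span needs to run on the failure path.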
304 |
|
305 |
|
306 |
|
307 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch |
308 |
|
309 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch?rev=1.1&view=markup |
310 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch?rev=1.1&content-type=text/plain |
311 |
|
312 |
Index: xen-4-CVE-2012-4535-XSA-20.patch |
313 |
=================================================================== |
314 |
|
315 |
# HG changeset patch |
316 |
# User Ian Jackson <Ian.Jackson@×××××××××.com> |
317 |
# Date 1352892795 0 |
318 |
# Node ID 788af5959f692ca16942937055afb09b760f2166 |
319 |
# Parent bdb5cde7f79d77f8578bcd8e24d74d09a2c7caa6 |
320 |
VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability |
321 |
|
322 |
The timer action for a vcpu periodic timer is to calculate the next |
323 |
expiry time, and to reinsert itself into the timer queue. If the |
324 |
deadline ends up in the past, Xen never leaves __do_softirq(). The |
325 |
affected PCPU will stay in an infinite loop until Xen is killed by the |
326 |
watchdog (if enabled). |
327 |
|
328 |
This is a security problem, XSA-20 / CVE-2012-4535. |
329 |
|
330 |
Signed-off-by: Andrew Cooper <andrew.cooper3@××××××.com> |
331 |
Acked-by: Ian Campbell <ian.campbell@××××××.com> |
332 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
333 |
|
334 |
xen-unstable changeset: 26148:bf58b94b3cef |
335 |
Backport-requested-by: security@×××.org |
336 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
337 |
|
338 |
diff -r bdb5cde7f79d -r 788af5959f69 xen/common/domain.c |
339 |
--- xen/common/domain.c Wed Nov 14 10:40:41 2012 +0100 |
340 |
+++ xen/common/domain.c Wed Nov 14 11:33:15 2012 +0000 |
341 |
@@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN |
342 |
if ( set.period_ns < MILLISECS(1) ) |
343 |
return -EINVAL; |
344 |
|
345 |
+ if ( set.period_ns > STIME_DELTA_MAX ) |
346 |
+ return -EINVAL; |
347 |
+ |
348 |
v->periodic_period = set.period_ns; |
349 |
vcpu_force_reschedule(v); |
350 |
|
351 |
diff -r bdb5cde7f79d -r 788af5959f69 xen/include/xen/time.h |
352 |
--- xen/include/xen/time.h Wed Nov 14 10:40:41 2012 +0100 |
353 |
+++ xen/include/xen/time.h Wed Nov 14 11:33:15 2012 +0000 |
354 |
@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); |
355 |
#define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) |
356 |
#define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) |
357 |
#define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) |
358 |
+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ |
359 |
+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) |
360 |
|
361 |
extern void update_vcpu_system_time(struct vcpu *v); |
362 |
extern void update_domain_wallclock_time(struct domain *d); |
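Review bot: The two bounds on `set.period_ns` in the do_vcpu_op() hunk are adjacent but written as separate `if` statements returning the same `-EINVAL`; folding them into `if ( set.period_ns < MILLISECS(1) || set.period_ns > STIME_DELTA_MAX ) return -EINVAL;` reads as a single range check. The comment on `STIME_DELTA_MAX` in time.h has a typo (`wont`) and its figure is loose: `~0ull>>2` is 2^62 ns, roughly 146 years, so `/* Bounded so that NOW() + delta cannot overflow s_time_t until uptime reaches ~146 years. */` states it exactly. do_vcpu_op() continues outside the hunk.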
363 |
|
364 |
|
365 |
|
366 |
|
367 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch |
368 |
|
369 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch?rev=1.1&view=markup |
370 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch?rev=1.1&content-type=text/plain |
371 |
|
372 |
Index: xen-4-CVE-2012-4539-XSA-24.patch |
373 |
=================================================================== |
374 |
# HG changeset patch |
375 |
# User Ian Jackson <Ian.Jackson@×××××××××.com> |
376 |
# Date 1352893567 0 |
377 |
# Node ID 8ca6372315f826881f9de141ac1227ef962100cf |
378 |
# Parent 159080b58dda9d19a5d3be42359e667bdb3e61ca |
379 |
compat/gnttab: Prevent infinite loop in compat code |
380 |
|
381 |
c/s 20281:95ea2052b41b, which introduces Grant Table version 2 |
382 |
hypercalls introduces a vulnerability whereby the compat hypercall |
383 |
handler can fall into an infinite loop. |
384 |
|
385 |
If the watchdog is enabled, Xen will die after the timeout. |
386 |
|
387 |
This is a security problem, XSA-24 / CVE-2012-4539. |
388 |
|
389 |
Signed-off-by: Andrew Cooper <andrew.cooper3@××××××.com> |
390 |
Acked-by: Jan Beulich <jbeulich@××××.com> |
391 |
Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
392 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
393 |
|
394 |
xen-unstable changeset: 26151:b64a7d868f06 |
395 |
Backport-requested-by: security@×××.org |
396 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
397 |
|
398 |
diff -r 159080b58dda -r 8ca6372315f8 xen/common/compat/grant_table.c |
399 |
--- xen/common/compat/grant_table.c Wed Nov 14 11:42:45 2012 +0000 |
400 |
+++ xen/common/compat/grant_table.c Wed Nov 14 11:46:07 2012 +0000 |
401 |
@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c |
402 |
#undef XLAT_gnttab_get_status_frames_HNDL_frame_list |
403 |
if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) |
404 |
rc = -EFAULT; |
405 |
+ else |
406 |
+ i = 1; |
407 |
} |
408 |
break; |
409 |
} |
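Review bot: The added `else i = 1;` carries no explanation, and a reader has to reconstruct from the commit message that this is what stops the compat handler from looping forever; a comment such as `/* One op consumed: advance so the surrounding loop terminates (XSA-24). */` would make the hunk self-contained. The loop that consumes `i` and the rest of compat_grant_table_op() are outside the hunk, so I cannot check whether the other `case` arms set `i` the same way.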
410 |
|
411 |
|
412 |
|
413 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch |
414 |
|
415 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch?rev=1.1&view=markup |
416 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch?rev=1.1&content-type=text/plain |
417 |
|
418 |
Index: xen-4-CVE-2012-5634-XSA-33.patch |
419 |
=================================================================== |
420 |
VT-d: fix interrupt remapping source validation for devices behind legacy bridges |
421 |
Using SVT_VERIFY_BUS here doesn't make sense; |
422 |
|
423 |
native Linux also uses SVT_VERIFY_SID_SQ here instead. |
424 |
This is XSA-33 / CVE-2012-5634. |
425 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
426 |
|
427 |
--- xen/drivers/passthrough/vtd/intremap.c |
428 |
+++ xen/drivers/passthrough/vtd/intremap.c |
429 |
@@ -466,7 +466,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire) |
430 |
set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, |
431 |
(bus << 8) | pdev->bus); |
432 |
else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) |
433 |
- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, |
434 |
+ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, |
435 |
PCI_BDF2(bus, devfn)); |
436 |
} |
437 |
break; |
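Review bot: The one-line change from `SVT_VERIFY_BUS` to `SVT_VERIFY_SID_SQ` in set_msi_source_id() has no in-code rationale, and because the arm just above it legitimately keeps `SVT_VERIFY_BUS` for the other bridge type, a future reader could "fix" it back. A comment on the legacy-bridge arm, `/* Legacy PCI bridge: verify the bridge's own source id, not a bus range (as Linux does). */`, carrying the commit message's reasoning would prevent that. The enclosing switch and function continue outside the hunk.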
438 |
|
439 |
|
440 |
|
441 |
1.1 app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch |
442 |
|
443 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch?rev=1.1&view=markup |
444 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch?rev=1.1&content-type=text/plain |
445 |
|
446 |
Index: xen-4-CVE-2013-0151-XSA-34_35.patch |
447 |
=================================================================== |
448 |
commit 66141b2e068fa39f28bdda6be05882e323663687 |
449 |
Author: Michael Young |
450 |
Date: Tue Jan 22 22:22:10 2013 +0000 |
451 |
|
452 |
Security fix from nested virtualization CVE-2013-0151, |
453 |
restore status option to xend which is used by libvirt |
454 |
#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch |
455 |
#new file mode 100644 |
456 |
#index 0000000..f5328ef |
457 |
#--- /dev/null |
458 |
#+++ xsa34-4.2.patch |
459 |
#@@ -0,0 +1,30 @@ |
460 |
#+x86_32: don't allow use of nested HVM |
461 |
#+ |
462 |
#+There are (indirect) uses of map_domain_page() in the nested HVM code |
463 |
#+that are unsafe when not just using the 1:1 mapping. |
464 |
#+ |
465 |
#+This is XSA-34 / CVE-2013-0151. |
466 |
#+ |
467 |
#+Signed-off-by: Jan Beulich |
468 |
#+ |
469 |
#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch |
470 |
#new file mode 100644 |
471 |
#index 0000000..28c6171 |
472 |
#--- /dev/null |
473 |
#+++ xsa35-4.2-with-xsa34.patch |
474 |
#@@ -0,0 +1,24 @@ |
475 |
#+xen: Do not allow guests to enable nested HVM on themselves |
476 |
#+ |
477 |
#+There is no reason for this and doing so exposes a memory leak to |
478 |
#+guests. Only toolstacks need write access to this HVM param. |
479 |
#+ |
480 |
#+This is XSA-35 / CVE-2013-0152. |
481 |
#+ |
482 |
#+Signed-off-by: Ian Campbell |
483 |
#+Acked-by: Jan Beulich |
484 |
#+ |
485 |
--- xen/arch/x86/hvm/hvm.c |
486 |
+++ xen/arch/x86/hvm/hvm.c |
487 |
@@ -3858,6 +3858,11 @@ |
488 |
rc = -EINVAL; |
489 |
break; |
490 |
case HVM_PARAM_NESTEDHVM: |
491 |
+ if ( !IS_PRIV(current->domain) ) |
492 |
+ { |
493 |
+ rc = -EPERM; |
494 |
+ break; |
495 |
+ } |
496 |
if ( a.value > 1 ) |
497 |
rc = -EINVAL; |
498 |
if ( !is_hvm_domain(d) ) |
499 |
@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE |
500 |
rc = -EINVAL; |
501 |
break; |
502 |
case HVM_PARAM_NESTEDHVM: |
503 |
+#ifdef __i386__ |
504 |
+ if ( a.value ) |
505 |
+ rc = -EINVAL; |
506 |
+#else |
507 |
if ( a.value > 1 ) |
508 |
rc = -EINVAL; |
509 |
if ( !is_hvm_domain(d) ) |
510 |
@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE |
511 |
for_each_vcpu(d, v) |
512 |
if ( rc == 0 ) |
513 |
rc = nestedhvm_vcpu_initialise(v); |
514 |
+#endif |
515 |
break; |
516 |
case HVM_PARAM_BUFIOREQ_EVTCHN: |
517 |
rc = -EINVAL; |
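Review bot: The three hvm.c hunks in this file (`@@ -3858`, `@@ -3926`, `@@ -3940`) are, as rendered here, identical to the first three hunks of xen-4-CVE-2013-0151-XSA-27_34_35.patch added later in this commit, so the two files cannot both be applied to one tree — the second application would fail on already-applied hunks. The log says the 27_34_35 variant is for 4.2.1 and the ebuilds are not on this page, so this is presumably a per-version choice; a one-line comment at the top of each file naming the xen version it targets would make that explicit. The `#diff --git ...` preamble lines are commented-out headers for two nested patches whose bodies are not included and read as leftover scaffolding. do_hvm_op() continues outside the hunks.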
518 |
|
519 |
|
520 |
|
521 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch |
522 |
|
523 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch?rev=1.1&view=markup |
524 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch?rev=1.1&content-type=text/plain |
525 |
|
526 |
Index: xen-4-CVE-2012-4538-XSA-23.patch |
527 |
=================================================================== |
528 |
|
529 |
# HG changeset patch |
530 |
# User Ian Jackson <Ian.Jackson@×××××××××.com> |
531 |
# Date 1352893365 0 |
532 |
# Node ID 159080b58dda9d19a5d3be42359e667bdb3e61ca |
533 |
# Parent 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba |
534 |
xen/mm/shadow: check toplevel pagetables are present before unhooking them. |
535 |
|
536 |
If the guest has not fully populated its top-level PAE entries when it calls |
537 |
HVMOP_pagetable_dying, the shadow code could try to unhook entries from |
538 |
MFN 0. Add a check to avoid that case. |
539 |
|
540 |
This issue was introduced by c/s 21239:b9d2db109cf5. |
541 |
|
542 |
This is a security problem, XSA-23 / CVE-2012-4538. |
543 |
|
544 |
Signed-off-by: Tim Deegan <tim@×××.org> |
545 |
Tested-by: Andrew Cooper <andrew.cooper3@××××××.com> |
546 |
Acked-by: Ian Campbell <ian.campbell@××××××.com> |
547 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
548 |
|
549 |
xen-unstable changeset: 26150:c7a01b6450e4 |
550 |
Backport-requested-by: security@×××.org |
551 |
Committed-by: Ian Jackson <ian.jackson@×××××××××.com> |
552 |
|
553 |
diff -r 4cffe28427e0 -r 159080b58dda xen/arch/x86/mm/shadow/multi.c |
554 |
--- xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:36:57 2012 +0000 |
555 |
+++ xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:42:45 2012 +0000 |
556 |
@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc |
557 |
unsigned long gfn; |
558 |
mfn_t smfn, gmfn; |
559 |
|
560 |
- if ( fast_path ) |
561 |
- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); |
562 |
+ if ( fast_path ) { |
563 |
+ if ( pagetable_is_null(v->arch.shadow_table[i]) ) |
564 |
+ smfn = _mfn(INVALID_MFN); |
565 |
+ else |
566 |
+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); |
567 |
+ } |
568 |
else |
569 |
{ |
570 |
/* retrieving the l2s */ |
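Review bot: The new `if ( fast_path ) {` puts the opening brace on the `if` line while the `else` arm two lines below keeps the file's brace-on-its-own-line layout; writing `if ( fast_path )` with `{` on the following line makes both arms match. Whether `_mfn(INVALID_MFN)` is then handled by the code after the hunk cannot be confirmed here (sh_pagetable_dying() continues outside it), though the commit message says that is the intent.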
571 |
|
572 |
|
573 |
|
574 |
1.1 app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch |
575 |
|
576 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch?rev=1.1&view=markup |
577 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch?rev=1.1&content-type=text/plain |
578 |
|
579 |
Index: xen-4-CVE-2013-0151-XSA-27_34_35.patch |
580 |
=================================================================== |
581 |
commit 66141b2e068fa39f28bdda6be05882e323663687 |
582 |
Author: Michael Young |
583 |
Date: Tue Jan 22 22:22:10 2013 +0000 |
584 |
|
585 |
Security fix from nested virtualization CVE-2013-0151, |
586 |
restore status option to xend which is used by libvirt |
587 |
#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch |
588 |
#new file mode 100644 |
589 |
#index 0000000..f5328ef |
590 |
#--- /dev/null |
591 |
#+++ xsa34-4.2.patch |
592 |
#@@ -0,0 +1,30 @@ |
593 |
#+x86_32: don't allow use of nested HVM |
594 |
#+ |
595 |
#+There are (indirect) uses of map_domain_page() in the nested HVM code |
596 |
#+that are unsafe when not just using the 1:1 mapping. |
597 |
#+ |
598 |
#+This is XSA-34 / CVE-2013-0151. |
599 |
#+ |
600 |
#+Signed-off-by: Jan Beulich |
601 |
#+ |
602 |
#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch |
603 |
#new file mode 100644 |
604 |
#index 0000000..28c6171 |
605 |
#--- /dev/null |
606 |
#+++ xsa35-4.2-with-xsa34.patch |
607 |
#@@ -0,0 +1,24 @@ |
608 |
#+xen: Do not allow guests to enable nested HVM on themselves |
609 |
#+ |
610 |
#+There is no reason for this and doing so exposes a memory leak to |
611 |
#+guests. Only toolstacks need write access to this HVM param. |
612 |
#+ |
613 |
#+This is XSA-35 / CVE-2013-0152. |
614 |
#+ |
615 |
#+Signed-off-by: Ian Campbell |
616 |
#+Acked-by: Jan Beulich |
617 |
#+ |
618 |
--- xen/arch/x86/hvm/hvm.c |
619 |
+++ xen/arch/x86/hvm/hvm.c |
620 |
@@ -3858,6 +3858,11 @@ |
621 |
rc = -EINVAL; |
622 |
break; |
623 |
case HVM_PARAM_NESTEDHVM: |
624 |
+ if ( !IS_PRIV(current->domain) ) |
625 |
+ { |
626 |
+ rc = -EPERM; |
627 |
+ break; |
628 |
+ } |
629 |
if ( a.value > 1 ) |
630 |
rc = -EINVAL; |
631 |
if ( !is_hvm_domain(d) ) |
632 |
@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE |
633 |
rc = -EINVAL; |
634 |
break; |
635 |
case HVM_PARAM_NESTEDHVM: |
636 |
+#ifdef __i386__ |
637 |
+ if ( a.value ) |
638 |
+ rc = -EINVAL; |
639 |
+#else |
640 |
if ( a.value > 1 ) |
641 |
rc = -EINVAL; |
642 |
if ( !is_hvm_domain(d) ) |
643 |
@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE |
644 |
for_each_vcpu(d, v) |
645 |
if ( rc == 0 ) |
646 |
rc = nestedhvm_vcpu_initialise(v); |
647 |
+#endif |
648 |
break; |
649 |
case HVM_PARAM_BUFIOREQ_EVTCHN: |
650 |
rc = -EINVAL; |
651 |
# HG changeset patch |
652 |
# User Tim Deegan <tim@×××.org> |
653 |
# Date 1354644158 0 |
654 |
# Node ID 5771c761ff1bb249dc683d7ec019d76a2a03a048 |
655 |
# Parent dea7d4e5bfc1627133c0c19706fea1fbc9e5a378 |
656 |
#hvm: Limit the size of large HVM op batches |
657 |
# |
658 |
#Doing large p2m updates for HVMOP_track_dirty_vram without preemption |
659 |
#ties up the physical processor. Integrating preemption into the p2m |
660 |
#updates is hard so simply limit to 1GB which is sufficient for a 15000 |
661 |
#* 15000 * 32bpp framebuffer. |
662 |
# |
663 |
#For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the |
664 |
#necessary machinery to handle preemption. |
665 |
# |
666 |
#This is CVE-2012-5511 / XSA-27. |
667 |
# |
668 |
#Signed-off-by: Tim Deegan <tim@×××.org> |
669 |
#Signed-off-by: Ian Campbell <ian.campbell@××××××.com> |
670 |
#Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
671 |
#Committed-by: Ian Jackson <ian.jackson.citrix.com> |
672 |
# |
673 |
#v2: Provide definition of GB to fix x86-32 compile. |
674 |
# |
675 |
#Signed-off-by: Jan Beulich <JBeulich@××××.com> |
676 |
#Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
677 |
diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/arch/x86/hvm/hvm.c |
678 |
--- xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:18 2012 +0000 |
679 |
+++ xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:38 2012 +0000 |
680 |
@@ -3969,6 +3969,9 @@ long do_hvm_op(unsigned long op, XEN_GUE |
681 |
if ( !is_hvm_domain(d) ) |
682 |
goto param_fail2; |
683 |
|
684 |
+ if ( a.nr > GB(1) >> PAGE_SHIFT ) |
685 |
+ goto param_fail2; |
686 |
+ |
687 |
rc = xsm_hvm_param(d, op); |
688 |
if ( rc ) |
689 |
goto param_fail2; |
690 |
@@ -3995,7 +3998,6 @@ long do_hvm_op(unsigned long op, XEN_GUE |
691 |
{ |
692 |
struct xen_hvm_modified_memory a; |
693 |
struct domain *d; |
694 |
- unsigned long pfn; |
695 |
|
696 |
if ( copy_from_guest(&a, arg, 1) ) |
697 |
return -EFAULT; |
698 |
@@ -4022,9 +4024,11 @@ long do_hvm_op(unsigned long op, XEN_GUE |
699 |
if ( !paging_mode_log_dirty(d) ) |
700 |
goto param_fail3; |
701 |
|
702 |
- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) |
703 |
+ while ( a.nr > 0 ) |
704 |
{ |
705 |
+ unsigned long pfn = a.first_pfn; |
706 |
struct page_info *page; |
707 |
+ |
708 |
page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE); |
709 |
if ( page ) |
710 |
{ |
711 |
@@ -4034,6 +4038,19 @@ long do_hvm_op(unsigned long op, XEN_GUE |
712 |
sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0); |
713 |
put_page(page); |
714 |
} |
715 |
+ |
716 |
+ a.first_pfn++; |
717 |
+ a.nr--; |
718 |
+ |
719 |
+ /* Check for continuation if it's not the last interation */ |
720 |
+ if ( a.nr > 0 && hypercall_preempt_check() ) |
721 |
+ { |
722 |
+ if ( copy_to_guest(arg, &a, 1) ) |
723 |
+ rc = -EFAULT; |
724 |
+ else |
725 |
+ rc = -EAGAIN; |
726 |
+ break; |
727 |
+ } |
728 |
} |
729 |
|
730 |
param_fail3: |
731 |
@@ -4089,7 +4106,6 @@ long do_hvm_op(unsigned long op, XEN_GUE |
732 |
{ |
733 |
struct xen_hvm_set_mem_type a; |
734 |
struct domain *d; |
735 |
- unsigned long pfn; |
736 |
|
737 |
/* Interface types to internal p2m types */ |
738 |
p2m_type_t memtype[] = { |
739 |
@@ -4122,8 +4138,9 @@ long do_hvm_op(unsigned long op, XEN_GUE |
740 |
if ( a.hvmmem_type >= ARRAY_SIZE(memtype) ) |
741 |
goto param_fail4; |
742 |
|
743 |
- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) |
744 |
+ while ( a.nr ) |
745 |
{ |
746 |
+ unsigned long pfn = a.first_pfn; |
747 |
p2m_type_t t; |
748 |
p2m_type_t nt; |
749 |
mfn_t mfn; |
750 |
@@ -4163,6 +4180,19 @@ long do_hvm_op(unsigned long op, XEN_GUE |
751 |
} |
752 |
} |
753 |
put_gfn(d, pfn); |
754 |
+ |
755 |
+ a.first_pfn++; |
756 |
+ a.nr--; |
757 |
+ |
758 |
+ /* Check for continuation if it's not the last interation */ |
759 |
+ if ( a.nr > 0 && hypercall_preempt_check() ) |
760 |
+ { |
761 |
+ if ( copy_to_guest(arg, &a, 1) ) |
762 |
+ rc = -EFAULT; |
763 |
+ else |
764 |
+ rc = -EAGAIN; |
765 |
+ goto param_fail4; |
766 |
+ } |
767 |
} |
768 |
|
769 |
rc = 0; |
770 |
diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/include/asm-x86/config.h |
771 |
--- xen/include/asm-x86/config.h Tue Dec 04 18:02:18 2012 +0000 |
772 |
+++ xen/include/asm-x86/config.h Tue Dec 04 18:02:38 2012 +0000 |
773 |
@@ -119,6 +119,9 @@ extern char wakeup_start[]; |
774 |
extern unsigned int video_mode, video_flags; |
775 |
extern unsigned short boot_edid_caps; |
776 |
extern unsigned char boot_edid_info[128]; |
777 |
+ |
778 |
+#define GB(_gb) (_gb ## UL << 30) |
779 |
+ |
780 |
#endif |
781 |
|
782 |
#define asmlinkage |
783 |
@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128] |
784 |
#define PML4_ADDR(_slot) \ |
785 |
((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \ |
786 |
(_slot ## UL << PML4_ENTRY_BITS)) |
787 |
-#define GB(_gb) (_gb ## UL << 30) |
788 |
#else |
789 |
#define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS) |
790 |
#define PML4_ADDR(_slot) \ |
791 |
|
792 |
|
793 |
|
794 |
|
795 |
1.1 app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch |
796 |
|
797 |
798 |
799 |
|
800 |
Index: xen-4-CVE-2013-0154-XSA-37.patch |
801 |
=================================================================== |
802 |
x86: fix assertion in get_page_type() |
803 |
|
804 |
c/s 22998:e9fab50d7b61 (and immediately following ones) made it |
805 |
possible that __get_page_type() returns other than -EINVAL, in |
806 |
particular -EBUSY. Consequently, the assertion in get_page_type() |
807 |
should check for only the return values we absolutely don't expect to |
808 |
see there. |
809 |
|
810 |
This is XSA-37 / CVE-2013-0154. |
811 |
|
812 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
813 |
|
814 |
--- xen/arch/x86/mm.c |
815 |
+++ xen/arch/x86/mm.c |
816 |
@@ -2586,7 +2586,7 @@ int get_page_type(struct page_info *page |
817 |
int rc = __get_page_type(page, type, 0); |
818 |
if ( likely(rc == 0) ) |
819 |
return 1; |
820 |
- ASSERT(rc == -EINVAL); |
821 |
+ ASSERT(rc != -EINTR && rc != -EAGAIN); |
822 |
return 0; |
823 |
} |
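Review bot: The rewritten check `ASSERT(rc != -EINTR && rc != -EAGAIN);` names the codes that must not appear rather than the ones that may, so the code alone no longer tells a reader which failures are expected; a comment would close that gap, e.g. `/* -EINVAL and -EBUSY are legitimate failures here; -EINTR/-EAGAIN must not reach us from a non-preemptible call. */`. Whether the trailing `0` passed to `__get_page_type()` is the preemption flag is not visible in this hunk, so that wording should be confirmed against its definition. It is also worth remembering that ASSERT() is compiled out in non-debug builds, where any other unexpected code silently becomes `return 0`.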
824 |
|
825 |
|
826 |
|
827 |
|
828 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch |
829 |
|
830 |
831 |
832 |
|
833 |
Index: xen-4-CVE-2012-5514-XSA-30.patch |
834 |
=================================================================== |
835 |
xen: fix error handling of guest_physmap_mark_populate_on_demand() |
836 |
|
837 |
The only user of the "out" label bypasses a necessary unlock, thus |
838 |
enabling the caller to lock up Xen. |
839 |
|
840 |
Also, the function was never meant to be called by a guest for itself, |
841 |
so rather than inspecting the code paths in depth for potential other |
842 |
problems this might cause, and adjusting e.g. the non-guest printk() |
843 |
in the above error path, just disallow the guest access to it. |
844 |
|
845 |
Finally, the printk() (considering its potential of spamming the log, |
846 |
the more that it's not using XENLOG_GUEST), is being converted to |
847 |
P2M_DEBUG(), as debugging is what it apparently was added for in the |
848 |
first place. |
849 |
|
850 |
This is XSA-30 / CVE-2012-5514. |
851 |
|
852 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
853 |
Acked-by: Ian Campbell <ian.campbell@××××××.com> |
854 |
Acked-by: George Dunlap <george.dunlap@×××××××××.com> |
855 |
Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
856 |
Committed-by: Ian Jackson <ian.jackson.citrix.com> |
857 |
|
858 |
diff -r 83ab3cd0f8e4 -r 09a48c5da636 xen/arch/x86/mm/p2m-pod.c |
859 |
--- xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:44 2012 +0000 |
860 |
+++ xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:48 2012 +0000 |
861 |
@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st |
862 |
mfn_t omfn; |
863 |
int rc = 0; |
864 |
|
865 |
+ if ( !IS_PRIV_FOR(current->domain, d) ) |
866 |
+ return -EPERM; |
867 |
+ |
868 |
if ( !paging_mode_translate(d) ) |
869 |
return -EINVAL; |
870 |
|
871 |
@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st |
872 |
omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); |
873 |
if ( p2m_is_ram(ot) ) |
874 |
{ |
875 |
- printk("%s: gfn_to_mfn returned type %d!\n", |
876 |
- __func__, ot); |
877 |
+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot); |
878 |
rc = -EBUSY; |
879 |
goto out; |
880 |
} |
881 |
@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st |
882 |
pod_unlock(p2m); |
883 |
} |
884 |
|
885 |
+out: |
886 |
gfn_unlock(p2m, gfn, order); |
887 |
|
888 |
-out: |
889 |
return rc; |
890 |
} |
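Review bot: With `out:` moved above `gfn_unlock(p2m, gfn, order);`, every early exit taken after the lock is acquired must now go through this label, and nothing in the code says so; a short comment on the label, `out: /* all exits after gfn_lock() come through here */`, would keep the next edit from reintroducing the skipped unlock. The new `if ( !IS_PRIV_FOR(current->domain, d) ) return -EPERM;` in the first hunk would likewise benefit from the reason given in the commit message, e.g. `/* Toolstack-only: a guest must not mark its own memory populate-on-demand. */`. guest_physmap_mark_populate_on_demand() begins outside the first hunk, so where gfn_lock() is taken relative to the new -EPERM return is not visible here.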
891 |
|
892 |
|
893 |
|
894 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch |
895 |
|
896 |
897 |
898 |
|
899 |
Index: xen-4-CVE-2012-5525-XSA-32.patch |
900 |
=================================================================== |
901 |
x86: get_page_from_gfn() must return NULL for invalid GFNs |
902 |
|
903 |
... also in the non-translated case. |
904 |
|
905 |
This is XSA-32 / CVE-2012-xxxx. |
906 |
|
907 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
908 |
Acked-by: Tim Deegan <tim@×××.org> |
909 |
|
910 |
diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h |
911 |
index 28be4e8..907a817 100644 |
912 |
--- xen/include/asm-x86/p2m.h |
913 |
+++ xen/include/asm-x86/p2m.h |
914 |
@@ -384,7 +384,7 @@ static inline struct page_info *get_page_from_gfn( |
915 |
if (t) |
916 |
*t = p2m_ram_rw; |
917 |
page = __mfn_to_page(gfn); |
918 |
- return get_page(page, d) ? page : NULL; |
919 |
+ return mfn_valid(gfn) && get_page(page, d) ? page : NULL; |
920 |
} |
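Review bot: `page = __mfn_to_page(gfn);` is still evaluated before the new `mfn_valid(gfn)` test, so an invalid GFN still forms an out-of-range frame-table pointer that is only discarded by the `&&` short-circuit. Testing first reads more naturally and never forms that pointer: `if ( !mfn_valid(gfn) ) return NULL;` ahead of the `page = ...` line, leaving `return get_page(page, d) ? page : NULL;` as it was. get_page_from_gfn() begins outside the hunk, so whether the translated branch above validates `gfn` separately is not visible here.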
921 |
|
922 |
|
923 |
|
924 |
|
925 |
|
926 |
|
927 |
1.1 app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch |
928 |
|
929 |
930 |
931 |
|
932 |
Index: xen-4-CVE-2012-5515-XSA-31.patch |
933 |
=================================================================== |
934 |
|
935 |
# HG changeset patch |
936 |
# User Jan Beulich <jbeulich@××××.com> |
937 |
# Date 1354644172 0 |
938 |
# Node ID 2c3f00c5189b9269f9840be93d03f058c8994f6e |
939 |
# Parent 09a48c5da6368ac61bdba5ee09253c2b20d7b577 |
940 |
memop: limit guest specified extent order |
941 |
|
942 |
Allowing unbounded order values here causes almost unbounded loops |
943 |
and/or partially incomplete requests, particularly in PoD code. |
944 |
|
945 |
The added range checks in populate_physmap(), decrease_reservation(), |
946 |
and the "in" one in memory_exchange() architecturally all could use |
947 |
PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to |
948 |
MAX_ORDER. |
949 |
|
950 |
This is XSA-31 / CVE-2012-5515. |
951 |
|
952 |
Signed-off-by: Jan Beulich <jbeulich@××××.com> |
953 |
Acked-by: Tim Deegan <tim@×××.org> |
954 |
Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
955 |
Committed-by: Ian Jackson <ian.jackson.citrix.com> |
956 |
|
957 |
diff -r 09a48c5da636 -r 2c3f00c5189b xen/common/memory.c |
958 |
--- xen/common/memory.c Tue Dec 04 18:02:48 2012 +0000 |
959 |
+++ xen/common/memory.c Tue Dec 04 18:02:52 2012 +0000 |
960 |
@@ -115,7 +115,8 @@ static void populate_physmap(struct memo |
961 |
|
962 |
if ( a->memflags & MEMF_populate_on_demand ) |
963 |
{ |
964 |
- if ( guest_physmap_mark_populate_on_demand(d, gpfn, |
965 |
+ if ( a->extent_order > MAX_ORDER || |
966 |
+ guest_physmap_mark_populate_on_demand(d, gpfn, |
967 |
a->extent_order) < 0 ) |
968 |
goto out; |
969 |
} |
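Review bot: The new MAX_ORDER checks in populate_physmap() and in the decrease_reservation() hunk below carry no comment, while the same check in the memory_exchange() hunk is introduced with `/* Extent orders are sensible? */`; mirroring that, e.g. `/* Extent order is sensible? */` above `a->extent_order > MAX_ORDER ||`, keeps the three call sites recognisably the same fix. Here the check sits inside the `MEMF_populate_on_demand` branch only, so the non-PoD path must be bounded elsewhere; that is not visible in this hunk and is worth confirming. In decrease_reservation() the rejection is a bare `return;`, which follows the style of the existing handle-range check it is merged into. Both functions start and end outside their hunks.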
970 |
@@ -235,7 +236,8 @@ static void decrease_reservation(struct |
971 |
xen_pfn_t gmfn; |
972 |
|
973 |
if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, |
974 |
- a->nr_extents-1) ) |
975 |
+ a->nr_extents-1) || |
976 |
+ a->extent_order > MAX_ORDER ) |
977 |
return; |
978 |
|
979 |
for ( i = a->nr_done; i < a->nr_extents; i++ ) |
980 |
@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA |
981 |
if ( (exch.nr_exchanged > exch.in.nr_extents) || |
982 |
/* Input and output domain identifiers match? */ |
983 |
(exch.in.domid != exch.out.domid) || |
984 |
+ /* Extent orders are sensible? */ |
985 |
+ (exch.in.extent_order > MAX_ORDER) || |
986 |
+ (exch.out.extent_order > MAX_ORDER) || |
987 |
/* Sizes of input and output lists do not overflow a long? */ |
988 |
((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || |
989 |
((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || |