Gentoo Archives: gentoo-commits

From: "Ian Delaney (idella4)" <idella4@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-emulation/xen/files: xen-4-CVE-2012-5513-XSA-29.patch xen-4-CVE-2012-5510-XSA-26.patch xen-4-CVE-2012-4537-XSA-22.patch xen-4-CVE-2012-4535-XSA-20.patch xen-4-CVE-2012-4539-XSA-24.patch xen-4-CVE-2012-5634-XSA-33.patch xen-4-CVE-2013-0151-XSA-34_35.patch xen-4-CVE-2012-4538-XSA-23.patch xen-4-CVE-2013-0151-XSA-27_34_35.patch xen-4-CVE-2013-0154-XSA-37.patch xen-4-CVE-2012-5514-XSA-30.patch xen-4-fix_dotconfig-gcc.patch xen-4-CVE-2012-5525-XSA-32.patch xen-4-CVE-2012-5515-XSA-31.patch
Date: Wed, 30 Jan 2013 12:12:37
Message-Id: 20130130121231.8E7512171D@flycatcher.gentoo.org
1 idella4 13/01/30 12:12:31
2
3 Modified: xen-4-fix_dotconfig-gcc.patch
4 Added: xen-4-CVE-2012-5513-XSA-29.patch
5 xen-4-CVE-2012-5510-XSA-26.patch
6 xen-4-CVE-2012-4537-XSA-22.patch
7 xen-4-CVE-2012-4535-XSA-20.patch
8 xen-4-CVE-2012-4539-XSA-24.patch
9 xen-4-CVE-2012-5634-XSA-33.patch
10 xen-4-CVE-2013-0151-XSA-34_35.patch
11 xen-4-CVE-2012-4538-XSA-23.patch
12 xen-4-CVE-2013-0151-XSA-27_34_35.patch
13 xen-4-CVE-2013-0154-XSA-37.patch
14 xen-4-CVE-2012-5514-XSA-30.patch
15 xen-4-CVE-2012-5525-XSA-32.patch
16 xen-4-CVE-2012-5515-XSA-31.patch
17 Log:
18 revbumps; -4.2.0-r1, eclass python-single-r1 added to enable & ensure a build by py2 fixing Bug #453930, PYTHON_COMPAT set accordingly, EAPI->5, sed statements reduced to patches, many sec. patches added addressing Bugs #445254, #431156, #454314. -4.2.1-r1, changes mirrored in those of -4.2.0-r1, addition of 3 sec. patches that pertain to 4.2.1. Dropped 4.2.0 & 4.2.1 by virtue of being prone to failure in form of Bug #453930. Sees 4.2.0-r1 ready for testing for stable
19
20 (Portage version: 2.1.11.40/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
21
22 Revision Changes Path
23 1.2 app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
24
25 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch?rev=1.2&view=markup
26 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch?rev=1.2&content-type=text/plain
27 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch?r1=1.1&r2=1.2
28
29 Index: xen-4-fix_dotconfig-gcc.patch
30 ===================================================================
31 RCS file: /var/cvsroot/gentoo-x86/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch,v
32 retrieving revision 1.1
33 retrieving revision 1.2
34 diff -u -r1.1 -r1.2
35 --- xen-4-fix_dotconfig-gcc.patch 24 Jan 2013 09:18:34 -0000 1.1
36 +++ xen-4-fix_dotconfig-gcc.patch 30 Jan 2013 12:12:31 -0000 1.2
37 @@ -7,7 +7,7 @@
38 # Define some default flags.
39 # NB. '-Wcast-qual' is nasty, so I omitted it.
40 -DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls
41 -+DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls
42 ++DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls
43 DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,)
44 DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline)
45 DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline
46 @@ -19,7 +19,7 @@
47 -include $(XEN_TARGET_ARCH)/Makefile
48
49 -CFLAGS += -Werror -Wmissing-prototypes
50 -+CFLAGS += -Wmissing-prototypes
51 ++CFLAGS += -Wmissing-prototypes
52 CFLAGS += -I. $(CFLAGS_xeninclude)
53
54 # Needed for posix_fadvise64() in xc_linux.c
55
56
57
58 1.1 app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch
59
60 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch?rev=1.1&view=markup
61 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch?rev=1.1&content-type=text/plain
62
63 Index: xen-4-CVE-2012-5513-XSA-29.patch
64 ===================================================================
65
66 # HG changeset patch
67 # User Jan Beulich <jbeulich@××××.com>
68 # Date 1354644164 0
69 # Node ID 83ab3cd0f8e44ad588932aba93d3b5f92a888a08
70 # Parent 5771c761ff1bb249dc683d7ec019d76a2a03a048
71 xen: add missing guest address range checks to XENMEM_exchange handlers
72
73 Ever since its existence (3.0.3 iirc) the handler for this has been
74 using non address range checking guest memory accessors (i.e.
75 the ones prefixed with two underscores) without first range
76 checking the accessed space (via guest_handle_okay()), allowing
77 a guest to access and overwrite hypervisor memory.
78
79 This is XSA-29 / CVE-2012-5513.
80
81 Signed-off-by: Jan Beulich <jbeulich@××××.com>
82 Acked-by: Ian Campbell <ian.campbell@××××××.com>
83 Acked-by: Ian Jackson <ian.jackson@×××××××××.com>
84 Committed-by: Ian Jackson <ian.jackson.citrix.com>
85
86 diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/compat/memory.c
87 --- a/xen/common/compat/memory.c Tue Dec 04 18:02:38 2012 +0000
88 +++ b/xen/common/compat/memory.c Tue Dec 04 18:02:44 2012 +0000
89 @@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X
90 (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
91 return -EINVAL;
92
93 + if ( !compat_handle_okay(cmp.xchg.in.extent_start,
94 + cmp.xchg.in.nr_extents) ||
95 + !compat_handle_okay(cmp.xchg.out.extent_start,
96 + cmp.xchg.out.nr_extents) )
97 + return -EFAULT;
98 +
99 start_extent = cmp.xchg.nr_exchanged;
100 end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
101 (((1U << ABS(order_delta)) + 1) *
102 diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/memory.c
103 --- a/xen/common/memory.c Tue Dec 04 18:02:38 2012 +0000
104 +++ b/xen/common/memory.c Tue Dec 04 18:02:44 2012 +0000
105 @@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA
106 goto fail_early;
107 }
108
109 + if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
110 + !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
111 + {
112 + rc = -EFAULT;
113 + goto fail_early;
114 + }
115 +
116 /* Only privileged guests can allocate multi-page contiguous extents. */
117 if ( !multipage_allocation_permitted(current->domain,
118 exch.in.extent_order) ||
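Review bot: Neither added check says why it must come before the extent loops, so a later refactor could move or drop it unnoticed; the patch description explains that the handlers use the double-underscore guest accessors, which do no address range checking of their own. I would put a comment above each check, e.g. `/* The __copy_*_guest_offset() accessors used below do no range checking; validate both extent arrays here. */`. Both compat_memory_op() and memory_exchange() continue outside the hunks, so the exact accessor names should be confirmed against the full functions. Separately, this file uses `a/` and `b/` path prefixes while the other patches added in this commit do not, which is worth normalising if the ebuild applies them at a fixed strip level.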
119
120
121
122
123
124 1.1 app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch
125
126 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch?rev=1.1&view=markup
127 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch?rev=1.1&content-type=text/plain
128
129 Index: xen-4-CVE-2012-5510-XSA-26.patch
130 ===================================================================
131 # HG changeset patch
132 # User Jan Beulich <jbeulich@××××.com>
133 # Date 1354644138 0
134 # Node ID dea7d4e5bfc1627133c0c19706fea1fbc9e5a378
135 # Parent 9e13427c023020756768c73217dab05295709fb3
136 gnttab: fix releasing of memory upon switches between versions
137
138 gnttab_unpopulate_status_frames() incompletely freed the pages
139 previously used as status frame in that they did not get removed from
140 the domain's xenpage_list, thus causing subsequent list corruption
141 when those pages did get allocated again for the same or another purpose.
142
143 Similarly, grant_table_create() and gnttab_grow_table() both improperly
144 clean up in the event of an error - pages already shared with the guest
145 can't be freed by just passing them to free_xenheap_page(). Fix this by
146 sharing the pages only after all allocations succeeded.
147
148 This is CVE-2012-5510 / XSA-26.
149
150 Signed-off-by: Jan Beulich <jbeulich@××××.com>
151 Acked-by: Ian Campbell <ian.campbell@××××××.com>
152 Committed-by: Ian Jackson <ian.jackson.citrix.com>
153
154 diff -r 9e13427c0230 -r dea7d4e5bfc1 xen/common/grant_table.c
155 --- xen/common/grant_table.c Thu Nov 29 16:59:43 2012 +0000
156 +++ xen/common/grant_table.c Tue Dec 04 18:02:18 2012 +0000
157 @@ -1173,12 +1173,13 @@ fault:
158 }
159
160 static int
161 -gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
162 +gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
163 + unsigned int req_nr_frames)
164 {
165 unsigned i;
166 unsigned req_status_frames;
167
168 - req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
169 + req_status_frames = grant_to_status_frames(req_nr_frames);
170 for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
171 {
172 if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
173 @@ -1209,7 +1210,12 @@ gnttab_unpopulate_status_frames(struct d
174
175 for ( i = 0; i < nr_status_frames(gt); i++ )
176 {
177 - page_set_owner(virt_to_page(gt->status[i]), dom_xen);
178 + struct page_info *pg = virt_to_page(gt->status[i]);
179 +
180 + BUG_ON(page_get_owner(pg) != d);
181 + if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
182 + put_page(pg);
183 + BUG_ON(pg->count_info & ~PGC_xen_heap);
184 free_xenheap_page(gt->status[i]);
185 gt->status[i] = NULL;
186 }
187 @@ -1247,19 +1253,18 @@ gnttab_grow_table(struct domain *d, unsi
188 clear_page(gt->shared_raw[i]);
189 }
190
191 + /* Status pages - version 2 */
192 + if (gt->gt_version > 1)
193 + {
194 + if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
195 + goto shared_alloc_failed;
196 + }
197 +
198 /* Share the new shared frames with the recipient domain */
199 for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
200 gnttab_create_shared_page(d, gt, i);
201 -
202 gt->nr_grant_frames = req_nr_frames;
203
204 - /* Status pages - version 2 */
205 - if (gt->gt_version > 1)
206 - {
207 - if ( gnttab_populate_status_frames(d, gt) )
208 - goto shared_alloc_failed;
209 - }
210 -
211 return 1;
212
213 shared_alloc_failed:
214 @@ -2157,7 +2162,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt
215
216 if ( op.version == 2 && gt->gt_version < 2 )
217 {
218 - res = gnttab_populate_status_frames(d, gt);
219 + res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
220 if ( res < 0)
221 goto out_unlock;
222 }
223 @@ -2600,14 +2605,15 @@ grant_table_create(
224 clear_page(t->shared_raw[i]);
225 }
226
227 - for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
228 - gnttab_create_shared_page(d, t, i);
229 -
230 /* Status pages for grant table - for version 2 */
231 t->status = xzalloc_array(grant_status_t *,
232 grant_to_status_frames(max_nr_grant_frames));
233 if ( t->status == NULL )
234 goto no_mem_4;
235 +
236 + for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
237 + gnttab_create_shared_page(d, t, i);
238 +
239 t->nr_status_frames = 0;
240
241 /* Okay, install the structure. */
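Review bot: The two `BUG_ON()`s added in gnttab_unpopulate_status_frames() crash the hypervisor if a status page is not owned by `d`, or still has any count bits besides `PGC_xen_heap` after the `put_page()`; nothing in the hunk shows that a guest cannot still hold a reference to a status frame when this runs. If the callers (outside the hunk) do not guarantee that, this trades list corruption for a guest-reachable host crash. The function should either document the precondition, e.g. `/* Caller must ensure no mappings of the status frames remain. */`, or return an error instead of asserting. The moved `if (gt->gt_version > 1)` in gnttab_grow_table() also lacks the `if ( ... )` spacing used by the surrounding lines.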
242
243
244
245
246
247 1.1 app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch
248
249 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch?rev=1.1&view=markup
250 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch?rev=1.1&content-type=text/plain
251
252 Index: xen-4-CVE-2012-4537-XSA-22.patch
253 ===================================================================
254 # HG changeset patch
255 # User Ian Jackson <Ian.Jackson@×××××××××.com>
256 # Date 1352893017 0
257 # Node ID 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba
258 # Parent 788af5959f692ca16942937055afb09b760f2166
259 x86/physmap: Prevent incorrect updates of m2p mappings
260
261 In certain conditions, such as low memory, set_p2m_entry() can fail.
262 Currently, the p2m and m2p tables will get out of sync because we still
263 update the m2p table after the p2m update has failed.
264
265 If that happens, subsequent guest-invoked memory operations can cause
266 BUG()s and ASSERT()s to kill Xen.
267
268 This is fixed by only updating the m2p table iff the p2m was
269 successfully updated.
270
271 This is a security problem, XSA-22 / CVE-2012-4537.
272
273 Signed-off-by: Andrew Cooper <andrew.cooper3@××××××.com>
274 Acked-by: Ian Campbell <ian.campbell@××××××.com>
275 Acked-by: Ian Jackson <ian.jackson@×××××××××.com>
276 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
277
278 xen-unstable changeset: 26149:6b6a4007a609
279 Backport-requested-by: security@×××.org
280 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
281
282 diff -r 788af5959f69 -r 4cffe28427e0 xen/arch/x86/mm/p2m.c
283 --- xen/arch/x86/mm/p2m.c Wed Nov 14 11:33:15 2012 +0000
284 +++ xen/arch/x86/mm/p2m.c Wed Nov 14 11:36:57 2012 +0000
285 @@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d
286 if ( mfn_valid(_mfn(mfn)) )
287 {
288 if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
289 + {
290 rc = -EINVAL;
291 + goto out; /* Failed to update p2m, bail without updating m2p. */
292 + }
293 if ( !p2m_is_grant(t) )
294 {
295 for ( i = 0; i < (1UL << page_order); i++ )
296 @@ -677,6 +680,7 @@ guest_physmap_add_entry(struct domain *d
297 }
298 }
299
300 +out:
301 p2m_unlock(p2m);
302
303 return rc;
304
305
306
307 1.1 app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch
308
309 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch?rev=1.1&view=markup
310 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch?rev=1.1&content-type=text/plain
311
312 Index: xen-4-CVE-2012-4535-XSA-20.patch
313 ===================================================================
314
315 # HG changeset patch
316 # User Ian Jackson <Ian.Jackson@×××××××××.com>
317 # Date 1352892795 0
318 # Node ID 788af5959f692ca16942937055afb09b760f2166
319 # Parent bdb5cde7f79d77f8578bcd8e24d74d09a2c7caa6
320 VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
321
322 The timer action for a vcpu periodic timer is to calculate the next
323 expiry time, and to reinsert itself into the timer queue. If the
324 deadline ends up in the past, Xen never leaves __do_softirq(). The
325 affected PCPU will stay in an infinite loop until Xen is killed by the
326 watchdog (if enabled).
327
328 This is a security problem, XSA-20 / CVE-2012-4535.
329
330 Signed-off-by: Andrew Cooper <andrew.cooper3@××××××.com>
331 Acked-by: Ian Campbell <ian.campbell@××××××.com>
332 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
333
334 xen-unstable changeset: 26148:bf58b94b3cef
335 Backport-requested-by: security@×××.org
336 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
337
338 diff -r bdb5cde7f79d -r 788af5959f69 xen/common/domain.c
339 --- xen/common/domain.c Wed Nov 14 10:40:41 2012 +0100
340 +++ xen/common/domain.c Wed Nov 14 11:33:15 2012 +0000
341 @@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
342 if ( set.period_ns < MILLISECS(1) )
343 return -EINVAL;
344
345 + if ( set.period_ns > STIME_DELTA_MAX )
346 + return -EINVAL;
347 +
348 v->periodic_period = set.period_ns;
349 vcpu_force_reschedule(v);
350
351 diff -r bdb5cde7f79d -r 788af5959f69 xen/include/xen/time.h
352 --- xen/include/xen/time.h Wed Nov 14 10:40:41 2012 +0100
353 +++ xen/include/xen/time.h Wed Nov 14 11:33:15 2012 +0000
354 @@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
355 #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
356 #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
357 #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
358 +/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
359 +#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
360
361 extern void update_vcpu_system_time(struct vcpu *v);
362 extern void update_domain_wallclock_time(struct domain *d);
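Review bot: The comment on `STIME_DELTA_MAX` says 200 years, but the arithmetic gives a different figure: the macro is 2^62 ns and `STIME_MAX` is 2^63-1 ns, so `NOW() + delta` can only overflow once `NOW()` itself exceeds about 2^62 ns, roughly 146 years of uptime. I would reword it as `/* Largest delta accepted from callers: NOW() + delta cannot overflow s_time_t before ~146 years (2^62 ns) of uptime. */`, which also fixes the "wont" typo. In do_vcpu_op() the new upper bound sits directly after the existing lower bound, so the two could be one test, `if ( set.period_ns < MILLISECS(1) || set.period_ns > STIME_DELTA_MAX )`; the function body continues outside the hunk.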
363
364
365
366
367 1.1 app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch
368
369 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch?rev=1.1&view=markup
370 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch?rev=1.1&content-type=text/plain
371
372 Index: xen-4-CVE-2012-4539-XSA-24.patch
373 ===================================================================
374 # HG changeset patch
375 # User Ian Jackson <Ian.Jackson@×××××××××.com>
376 # Date 1352893567 0
377 # Node ID 8ca6372315f826881f9de141ac1227ef962100cf
378 # Parent 159080b58dda9d19a5d3be42359e667bdb3e61ca
379 compat/gnttab: Prevent infinite loop in compat code
380
381 c/s 20281:95ea2052b41b, which introduces Grant Table version 2
382 hypercalls introduces a vulnerability whereby the compat hypercall
383 handler can fall into an infinite loop.
384
385 If the watchdog is enabled, Xen will die after the timeout.
386
387 This is a security problem, XSA-24 / CVE-2012-4539.
388
389 Signed-off-by: Andrew Cooper <andrew.cooper3@××××××.com>
390 Acked-by: Jan Beulich <jbeulich@××××.com>
391 Acked-by: Ian Jackson <ian.jackson@×××××××××.com>
392 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
393
394 xen-unstable changeset: 26151:b64a7d868f06
395 Backport-requested-by: security@×××.org
396 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
397
398 diff -r 159080b58dda -r 8ca6372315f8 xen/common/compat/grant_table.c
399 --- xen/common/compat/grant_table.c Wed Nov 14 11:42:45 2012 +0000
400 +++ xen/common/compat/grant_table.c Wed Nov 14 11:46:07 2012 +0000
401 @@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
402 #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
403 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
404 rc = -EFAULT;
405 + else
406 + i = 1;
407 }
408 break;
409 }
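Review bot: The added `else i = 1;` is a bare assignment with no indication of what `i` means here. From the description it is presumably the number of ops consumed, which the enclosing loop (outside the hunk) uses to advance, and leaving it at zero is what caused the endless loop. A comment such as `/* Exactly one op is handled per pass; report it so the outer loop makes progress. */` would keep a later edit from removing it as dead code. It would also be worth checking whether the other cases in this switch set `i` on every path, since that is not visible here.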
410
411
412
413 1.1 app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch
414
415 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch?rev=1.1&view=markup
416 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch?rev=1.1&content-type=text/plain
417
418 Index: xen-4-CVE-2012-5634-XSA-33.patch
419 ===================================================================
420 VT-d: fix interrupt remapping source validation for devices behind legacy bridges
421 Using SVT_VERIFY_BUS here doesn't make sense;
422
423 native Linux also uses SVT_VERIFY_SID_SQ here instead.
424 This is XSA-33 / CVE-2012-5634.
425 Signed-off-by: Jan Beulich <jbeulich@××××.com>
426
427 --- xen/drivers/passthrough/vtd/intremap.c
428 +++ xen/drivers/passthrough/vtd/intremap.c
429 @@ -466,7 +466,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
430 set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
431 (bus << 8) | pdev->bus);
432 else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
433 - set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
434 + set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
435 PCI_BDF2(bus, devfn));
436 }
437 break;
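Review bot: The patch description only says that `SVT_VERIFY_BUS` "doesn't make sense" for the legacy-bridge branch, and the code carries no comment, so the reason for using a different verification type in two adjacent branches is lost to the next reader. Presumably requests forwarded by a legacy PCI bridge carry the bridge's own bus/devfn as source-id, which is why the full SID built by `PCI_BDF2(bus, devfn)` has to be compared rather than a bus range; that should be confirmed and recorded as `/* Legacy PCI bridge: verify the complete source-id of the bridge. */` above the call. Unlike the other patches in this commit, this file has no changeset id or acks, so its upstream origin cannot be checked from the header. set_msi_source_id() starts and ends outside the hunk.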
438
439
440
441 1.1 app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch
442
443 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch?rev=1.1&view=markup
444 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch?rev=1.1&content-type=text/plain
445
446 Index: xen-4-CVE-2013-0151-XSA-34_35.patch
447 ===================================================================
448 commit 66141b2e068fa39f28bdda6be05882e323663687
449 Author: Michael Young
450 Date: Tue Jan 22 22:22:10 2013 +0000
451
452 Security fix from nested virtualization CVE-2013-0151,
453 restore status option to xend which is used by libvirt
454 #diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch
455 #new file mode 100644
456 #index 0000000..f5328ef
457 #--- /dev/null
458 #+++ xsa34-4.2.patch
459 #@@ -0,0 +1,30 @@
460 #+x86_32: don't allow use of nested HVM
461 #+
462 #+There are (indirect) uses of map_domain_page() in the nested HVM code
463 #+that are unsafe when not just using the 1:1 mapping.
464 #+
465 #+This is XSA-34 / CVE-2013-0151.
466 #+
467 #+Signed-off-by: Jan Beulich
468 #+
469 #diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch
470 #new file mode 100644
471 #index 0000000..28c6171
472 #--- /dev/null
473 #+++ xsa35-4.2-with-xsa34.patch
474 #@@ -0,0 +1,24 @@
475 #+xen: Do not allow guests to enable nested HVM on themselves
476 #+
477 #+There is no reason for this and doing so exposes a memory leak to
478 #+guests. Only toolstacks need write access to this HVM param.
479 #+
480 #+This is XSA-35 / CVE-2013-0152.
481 #+
482 #+Signed-off-by: Ian Campbell
483 #+Acked-by: Jan Beulich
484 #+
485 --- xen/arch/x86/hvm/hvm.c
486 +++ xen/arch/x86/hvm/hvm.c
487 @@ -3858,6 +3858,11 @@
488 rc = -EINVAL;
489 break;
490 case HVM_PARAM_NESTEDHVM:
491 + if ( !IS_PRIV(current->domain) )
492 + {
493 + rc = -EPERM;
494 + break;
495 + }
496 if ( a.value > 1 )
497 rc = -EINVAL;
498 if ( !is_hvm_domain(d) )
499 @@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
500 rc = -EINVAL;
501 break;
502 case HVM_PARAM_NESTEDHVM:
503 +#ifdef __i386__
504 + if ( a.value )
505 + rc = -EINVAL;
506 +#else
507 if ( a.value > 1 )
508 rc = -EINVAL;
509 if ( !is_hvm_domain(d) )
510 @@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
511 for_each_vcpu(d, v)
512 if ( rc == 0 )
513 rc = nestedhvm_vcpu_initialise(v);
514 +#endif
515 break;
516 case HVM_PARAM_BUFIOREQ_EVTCHN:
517 rc = -EINVAL;
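Review bot: Both hunks anchor on the same `case HVM_PARAM_NESTEDHVM:` line but give different positions for it (3858 and 3926), and the second hunk's context expects `if ( a.value > 1 )` directly after the case label, where the first hunk has just inserted the `IS_PRIV` block. Whether this applies at all, and in which order the privilege check and the `#ifdef __i386__` block end up, therefore depends on patch's offset and fuzz handling; the resulting hvm.c should be inspected, or the two hunks merged into one with correct context. The file name mentions only CVE-2013-0151 although the embedded description also covers XSA-35 / CVE-2013-0152. The same two hunks are repeated at the top of xen-4-CVE-2013-0151-XSA-27_34_35.patch, so the same applies there.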
518
519
520
521 1.1 app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch
522
523 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch?rev=1.1&view=markup
524 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch?rev=1.1&content-type=text/plain
525
526 Index: xen-4-CVE-2012-4538-XSA-23.patch
527 ===================================================================
528
529 # HG changeset patch
530 # User Ian Jackson <Ian.Jackson@×××××××××.com>
531 # Date 1352893365 0
532 # Node ID 159080b58dda9d19a5d3be42359e667bdb3e61ca
533 # Parent 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba
534 xen/mm/shadow: check toplevel pagetables are present before unhooking them.
535
536 If the guest has not fully populated its top-level PAE entries when it calls
537 HVMOP_pagetable_dying, the shadow code could try to unhook entries from
538 MFN 0. Add a check to avoid that case.
539
540 This issue was introduced by c/s 21239:b9d2db109cf5.
541
542 This is a security problem, XSA-23 / CVE-2012-4538.
543
544 Signed-off-by: Tim Deegan <tim@×××.org>
545 Tested-by: Andrew Cooper <andrew.cooper3@××××××.com>
546 Acked-by: Ian Campbell <ian.campbell@××××××.com>
547 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
548
549 xen-unstable changeset: 26150:c7a01b6450e4
550 Backport-requested-by: security@×××.org
551 Committed-by: Ian Jackson <ian.jackson@×××××××××.com>
552
553 diff -r 4cffe28427e0 -r 159080b58dda xen/arch/x86/mm/shadow/multi.c
554 --- xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:36:57 2012 +0000
555 +++ xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:42:45 2012 +0000
556 @@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
557 unsigned long gfn;
558 mfn_t smfn, gmfn;
559
560 - if ( fast_path )
561 - smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
562 + if ( fast_path ) {
563 + if ( pagetable_is_null(v->arch.shadow_table[i]) )
564 + smfn = _mfn(INVALID_MFN);
565 + else
566 + smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
567 + }
568 else
569 {
570 /* retrieving the l2s */
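Review bot: On the fast path `smfn` can now be `INVALID_MFN`, but the code that consumes `smfn` lies outside the hunk, so this change is only safe if that code tests `mfn_valid(smfn)` before unhooking. That should be confirmed and stated in a comment such as `/* Top-level entry not populated: nothing to unhook. */` on the new branch. The `if ( fast_path ) {` brace placement also differs from the `else` branch right below it, which puts the brace on its own line.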
571
572
573
574 1.1 app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch
575
576 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch?rev=1.1&view=markup
577 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch?rev=1.1&content-type=text/plain
578
579 Index: xen-4-CVE-2013-0151-XSA-27_34_35.patch
580 ===================================================================
581 commit 66141b2e068fa39f28bdda6be05882e323663687
582 Author: Michael Young
583 Date: Tue Jan 22 22:22:10 2013 +0000
584
585 Security fix from nested virtualization CVE-2013-0151,
586 restore status option to xend which is used by libvirt
587 #diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch
588 #new file mode 100644
589 #index 0000000..f5328ef
590 #--- /dev/null
591 #+++ xsa34-4.2.patch
592 #@@ -0,0 +1,30 @@
593 #+x86_32: don't allow use of nested HVM
594 #+
595 #+There are (indirect) uses of map_domain_page() in the nested HVM code
596 #+that are unsafe when not just using the 1:1 mapping.
597 #+
598 #+This is XSA-34 / CVE-2013-0151.
599 #+
600 #+Signed-off-by: Jan Beulich
601 #+
602 #diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch
603 #new file mode 100644
604 #index 0000000..28c6171
605 #--- /dev/null
606 #+++ xsa35-4.2-with-xsa34.patch
607 #@@ -0,0 +1,24 @@
608 #+xen: Do not allow guests to enable nested HVM on themselves
609 #+
610 #+There is no reason for this and doing so exposes a memory leak to
611 #+guests. Only toolstacks need write access to this HVM param.
612 #+
613 #+This is XSA-35 / CVE-2013-0152.
614 #+
615 #+Signed-off-by: Ian Campbell
616 #+Acked-by: Jan Beulich
617 #+
618 --- xen/arch/x86/hvm/hvm.c
619 +++ xen/arch/x86/hvm/hvm.c
620 @@ -3858,6 +3858,11 @@
621 rc = -EINVAL;
622 break;
623 case HVM_PARAM_NESTEDHVM:
624 + if ( !IS_PRIV(current->domain) )
625 + {
626 + rc = -EPERM;
627 + break;
628 + }
629 if ( a.value > 1 )
630 rc = -EINVAL;
631 if ( !is_hvm_domain(d) )
632 @@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
633 rc = -EINVAL;
634 break;
635 case HVM_PARAM_NESTEDHVM:
636 +#ifdef __i386__
637 + if ( a.value )
638 + rc = -EINVAL;
639 +#else
640 if ( a.value > 1 )
641 rc = -EINVAL;
642 if ( !is_hvm_domain(d) )
643 @@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
644 for_each_vcpu(d, v)
645 if ( rc == 0 )
646 rc = nestedhvm_vcpu_initialise(v);
647 +#endif
648 break;
649 case HVM_PARAM_BUFIOREQ_EVTCHN:
650 rc = -EINVAL;
651 # HG changeset patch
652 # User Tim Deegan <tim@×××.org>
653 # Date 1354644158 0
654 # Node ID 5771c761ff1bb249dc683d7ec019d76a2a03a048
655 # Parent dea7d4e5bfc1627133c0c19706fea1fbc9e5a378
656 #hvm: Limit the size of large HVM op batches
657 #
658 #Doing large p2m updates for HVMOP_track_dirty_vram without preemption
659 #ties up the physical processor. Integrating preemption into the p2m
660 #updates is hard so simply limit to 1GB which is sufficient for a 15000
661 #* 15000 * 32bpp framebuffer.
662 #
663 #For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
664 #necessary machinery to handle preemption.
665 #
666 #This is CVE-2012-5511 / XSA-27.
667 #
668 #Signed-off-by: Tim Deegan <tim@×××.org>
669 #Signed-off-by: Ian Campbell <ian.campbell@××××××.com>
670 #Acked-by: Ian Jackson <ian.jackson@×××××××××.com>
671 #Committed-by: Ian Jackson <ian.jackson.citrix.com>
672 #
673 #v2: Provide definition of GB to fix x86-32 compile.
674 #
675 #Signed-off-by: Jan Beulich <JBeulich@××××.com>
676 #Acked-by: Ian Jackson <ian.jackson@×××××××××.com>
677 diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/arch/x86/hvm/hvm.c
678 --- xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:18 2012 +0000
679 +++ xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:38 2012 +0000
680 @@ -3969,6 +3969,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
681 if ( !is_hvm_domain(d) )
682 goto param_fail2;
683
684 + if ( a.nr > GB(1) >> PAGE_SHIFT )
685 + goto param_fail2;
686 +
687 rc = xsm_hvm_param(d, op);
688 if ( rc )
689 goto param_fail2;
690 @@ -3995,7 +3998,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
691 {
692 struct xen_hvm_modified_memory a;
693 struct domain *d;
694 - unsigned long pfn;
695
696 if ( copy_from_guest(&a, arg, 1) )
697 return -EFAULT;
698 @@ -4022,9 +4024,11 @@ long do_hvm_op(unsigned long op, XEN_GUE
699 if ( !paging_mode_log_dirty(d) )
700 goto param_fail3;
701
702 - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
703 + while ( a.nr > 0 )
704 {
705 + unsigned long pfn = a.first_pfn;
706 struct page_info *page;
707 +
708 page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE);
709 if ( page )
710 {
711 @@ -4034,6 +4038,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
712 sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0);
713 put_page(page);
714 }
715 +
716 + a.first_pfn++;
717 + a.nr--;
718 +
719 + /* Check for continuation if it's not the last interation */
720 + if ( a.nr > 0 && hypercall_preempt_check() )
721 + {
722 + if ( copy_to_guest(arg, &a, 1) )
723 + rc = -EFAULT;
724 + else
725 + rc = -EAGAIN;
726 + break;
727 + }
728 }
729
730 param_fail3:
731 @@ -4089,7 +4106,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
732 {
733 struct xen_hvm_set_mem_type a;
734 struct domain *d;
735 - unsigned long pfn;
736
737 /* Interface types to internal p2m types */
738 p2m_type_t memtype[] = {
739 @@ -4122,8 +4138,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
740 if ( a.hvmmem_type >= ARRAY_SIZE(memtype) )
741 goto param_fail4;
742
743 - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
744 + while ( a.nr )
745 {
746 + unsigned long pfn = a.first_pfn;
747 p2m_type_t t;
748 p2m_type_t nt;
749 mfn_t mfn;
750 @@ -4163,6 +4180,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
751 }
752 }
753 put_gfn(d, pfn);
754 +
755 + a.first_pfn++;
756 + a.nr--;
757 +
758 + /* Check for continuation if it's not the last interation */
759 + if ( a.nr > 0 && hypercall_preempt_check() )
760 + {
761 + if ( copy_to_guest(arg, &a, 1) )
762 + rc = -EFAULT;
763 + else
764 + rc = -EAGAIN;
765 + goto param_fail4;
766 + }
767 }
768
769 rc = 0;
770 diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/include/asm-x86/config.h
771 --- xen/include/asm-x86/config.h Tue Dec 04 18:02:18 2012 +0000
772 +++ xen/include/asm-x86/config.h Tue Dec 04 18:02:38 2012 +0000
773 @@ -119,6 +119,9 @@ extern char wakeup_start[];
774 extern unsigned int video_mode, video_flags;
775 extern unsigned short boot_edid_caps;
776 extern unsigned char boot_edid_info[128];
777 +
778 +#define GB(_gb) (_gb ## UL << 30)
779 +
780 #endif
781
782 #define asmlinkage
783 @@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128]
784 #define PML4_ADDR(_slot) \
785 ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \
786 (_slot ## UL << PML4_ENTRY_BITS))
787 -#define GB(_gb) (_gb ## UL << 30)
788 #else
789 #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS)
790 #define PML4_ADDR(_slot) \
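Review bot: In both rewritten loops the preemption path copies the updated `a` back to the guest and sets `rc = -EAGAIN`, so the restarted call works from `first_pfn`/`nr` values the guest could have rewritten in the meantime. That is fine only if every check between `copy_from_guest()` and the loop is repeated on re-entry, and if `-EAGAIN` is turned into a continuation after the `param_fail3`/`param_fail4` labels; neither is visible in these hunks and both should be confirmed. The two added blocks are identical apart from `break` versus `goto param_fail4`, the loop conditions differ (`a.nr > 0` versus `a.nr`), and both comments misspell "iteration". Using `/* Check for continuation if it's not the last iteration */` and one loop condition in both places would tidy that up.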
791
792
793
794
795 1.1 app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch
796
797 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch?rev=1.1&view=markup
798 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch?rev=1.1&content-type=text/plain
799
800 Index: xen-4-CVE-2013-0154-XSA-37.patch
801 ===================================================================
802 x86: fix assertion in get_page_type()
803
804 c/s 22998:e9fab50d7b61 (and immediately following ones) made it
805 possible that __get_page_type() returns other than -EINVAL, in
806 particular -EBUSY. Consequently, the assertion in get_page_type()
807 should check for only the return values we absolutely don't expect to
808 see there.
809
810 This is XSA-37 / CVE-2013-0154.
811
812 Signed-off-by: Jan Beulich <jbeulich@××××.com>
813
814 --- xen/arch/x86/mm.c
815 +++ xen/arch/x86/mm.c
816 @@ -2586,7 +2586,7 @@ int get_page_type(struct page_info *page
817 int rc = __get_page_type(page, type, 0);
818 if ( likely(rc == 0) )
819 return 1;
820 - ASSERT(rc == -EINVAL);
821 + ASSERT(rc != -EINTR && rc != -EAGAIN);
822 return 0;
823 }
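Review bot: The new assertion lists `-EINTR` and `-EAGAIN` without saying why these two are the impossible ones. Presumably they are the preemption results of `__get_page_type()`, which cannot occur because the call passes `0` as its last argument; if so, a comment like `/* Not preemptible here, so -EINTR/-EAGAIN must not be returned. */` above the `ASSERT()` would record it. Note that `ASSERT()` is normally compiled out of non-debug builds, so the function still returns 0 for those values there.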
824
825
826
827
828 1.1 app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch
829
830 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch?rev=1.1&view=markup
831 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch?rev=1.1&content-type=text/plain
832
833 Index: xen-4-CVE-2012-5514-XSA-30.patch
834 ===================================================================
835 xen: fix error handling of guest_physmap_mark_populate_on_demand()
836
837 The only user of the "out" label bypasses a necessary unlock, thus
838 enabling the caller to lock up Xen.
839
840 Also, the function was never meant to be called by a guest for itself,
841 so rather than inspecting the code paths in depth for potential other
842 problems this might cause, and adjusting e.g. the non-guest printk()
843 in the above error path, just disallow the guest access to it.
844
845 Finally, the printk() (considering its potential of spamming the log,
846 the more that it's not using XENLOG_GUEST), is being converted to
847 P2M_DEBUG(), as debugging is what it apparently was added for in the
848 first place.
849
850 This is XSA-30 / CVE-2012-5514.
851
852 Signed-off-by: Jan Beulich <jbeulich@××××.com>
853 Acked-by: Ian Campbell <ian.campbell@××××××.com>
854 Acked-by: George Dunlap <george.dunlap@×××××××××.com>
855 Acked-by: Ian Jackson <ian.jackson@×××××××××.com>
856 Committed-by: Ian Jackson <ian.jackson.citrix.com>
857
858 diff -r 83ab3cd0f8e4 -r 09a48c5da636 xen/arch/x86/mm/p2m-pod.c
859 --- xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:44 2012 +0000
860 +++ xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:48 2012 +0000
861 @@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
862 mfn_t omfn;
863 int rc = 0;
864
865 + if ( !IS_PRIV_FOR(current->domain, d) )
866 + return -EPERM;
867 +
868 if ( !paging_mode_translate(d) )
869 return -EINVAL;
870
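Review bot: The new `IS_PRIV_FOR(current->domain, d)` test carries no comment, so without the commit message a reader cannot tell why a p2m helper performs a privilege check. I would add above it `/* Never meant to be called by a guest on itself; only a domain privileged over d may mark PoD entries. */`. Both early returns appear to sit before the gfn lock is taken and so do not need the unlock path, but the lock acquisition is outside this hunk and should be confirmed there.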
871 @@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
872 omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
873 if ( p2m_is_ram(ot) )
874 {
875 - printk("%s: gfn_to_mfn returned type %d!\n",
876 - __func__, ot);
877 + P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
878 rc = -EBUSY;
879 goto out;
880 }
881 @@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
882 pod_unlock(p2m);
883 }
884
885 +out:
886 gfn_unlock(p2m, gfn, order);
887
888 -out:
889 return rc;
890 }
891
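Review bot: The label `out:` now precedes `gfn_unlock(p2m, gfn, order)`, so jumping to it is only correct once the gfn lock is held, and the name does not say that. Renaming it to `out_unlock:` (together with the `goto out` in the `p2m_is_ram(ot)` branch of the previous hunk), or adding `/* Reached only with the gfn lock held. */` above it, would keep a later early exit placed before the lock from releasing a lock it never took. The matching lock call is outside the hunk.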
892
893
894 1.1 app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch
895
896 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch?rev=1.1&view=markup
897 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch?rev=1.1&content-type=text/plain
898
899 Index: xen-4-CVE-2012-5525-XSA-32.patch
900 ===================================================================
901 x86: get_page_from_gfn() must return NULL for invalid GFNs
902
903 ... also in the non-translated case.
904
905 This is XSA-32 / CVE-2012-xxxx.
906
907 Signed-off-by: Jan Beulich <jbeulich@××××.com>
908 Acked-by: Tim Deegan <tim@×××.org>
909
910 diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
911 index 28be4e8..907a817 100644
912 --- xen/include/asm-x86/p2m.h
913 +++ xen/include/asm-x86/p2m.h
914 @@ -384,7 +384,7 @@ static inline struct page_info *get_page_from_gfn(
915 if (t)
916 *t = p2m_ram_rw;
917 page = __mfn_to_page(gfn);
918 - return get_page(page, d) ? page : NULL;
919 + return mfn_valid(gfn) && get_page(page, d) ? page : NULL;
920 }
921
922
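Review bot: `__mfn_to_page(gfn)` is still evaluated before `mfn_valid(gfn)` is consulted, so `page` is computed from an index that may be out of range; the short-circuit keeps get_page() from touching it, but the order reads backwards. The return line also relies on `&&` binding tighter than `?:`. Checking first, with `if ( !mfn_valid(gfn) ) return NULL;` ahead of `page = __mfn_to_page(gfn);`, leaves `return get_page(page, d) ? page : NULL;` as it was and makes the validity gate explicit. The start of this branch of get_page_from_gfn() is outside the hunk.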
923
924
925
926
927 1.1 app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch
928
929 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch?rev=1.1&view=markup
930 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch?rev=1.1&content-type=text/plain
931
932 Index: xen-4-CVE-2012-5515-XSA-31.patch
933 ===================================================================
934
935 # HG changeset patch
936 # User Jan Beulich <jbeulich@××××.com>
937 # Date 1354644172 0
938 # Node ID 2c3f00c5189b9269f9840be93d03f058c8994f6e
939 # Parent 09a48c5da6368ac61bdba5ee09253c2b20d7b577
940 memop: limit guest specified extent order
941
942 Allowing unbounded order values here causes almost unbounded loops
943 and/or partially incomplete requests, particularly in PoD code.
944
945 The added range checks in populate_physmap(), decrease_reservation(),
946 and the "in" one in memory_exchange() architecturally all could use
947 PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
948 MAX_ORDER.
949
950 This is XSA-31 / CVE-2012-5515.
951
952 Signed-off-by: Jan Beulich <jbeulich@××××.com>
953 Acked-by: Tim Deegan <tim@×××.org>
954 Acked-by: Ian Jackson <ian.jackson@×××××××××.com>
955 Committed-by: Ian Jackson <ian.jackson.citrix.com>
956
957 diff -r 09a48c5da636 -r 2c3f00c5189b xen/common/memory.c
958 --- xen/common/memory.c Tue Dec 04 18:02:48 2012 +0000
959 +++ xen/common/memory.c Tue Dec 04 18:02:52 2012 +0000
960 @@ -115,7 +115,8 @@ static void populate_physmap(struct memo
961
962 if ( a->memflags & MEMF_populate_on_demand )
963 {
964 - if ( guest_physmap_mark_populate_on_demand(d, gpfn,
965 + if ( a->extent_order > MAX_ORDER ||
966 + guest_physmap_mark_populate_on_demand(d, gpfn,
967 a->extent_order) < 0 )
968 goto out;
969 }
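Review bot: The added `a->extent_order > MAX_ORDER` test sits inside the `MEMF_populate_on_demand` branch, so from this hunk only the populate-on-demand path of populate_physmap() is bounded, whereas the decrease_reservation() hunk rejects the order for every request. If the other branch relies on the page allocator to refuse oversized orders, a comment should say so, for example `/* Only the PoD path needs an explicit bound; the allocation path rejects oversized orders itself. */` once that has been confirmed. populate_physmap() starts and ends outside the hunk, so the other branch is not visible here.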
970 @@ -235,7 +236,8 @@ static void decrease_reservation(struct
971 xen_pfn_t gmfn;
972
973 if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
974 - a->nr_extents-1) )
975 + a->nr_extents-1) ||
976 + a->extent_order > MAX_ORDER )
977 return;
978
979 for ( i = a->nr_done; i < a->nr_extents; i++ )
980 @@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA
981 if ( (exch.nr_exchanged > exch.in.nr_extents) ||
982 /* Input and output domain identifiers match? */
983 (exch.in.domid != exch.out.domid) ||
984 + /* Extent orders are sensible? */
985 + (exch.in.extent_order > MAX_ORDER) ||
986 + (exch.out.extent_order > MAX_ORDER) ||
987 /* Sizes of input and output lists do not overflow a long? */
988 ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
989 ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
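Review bot: The two added `extent_order > MAX_ORDER` tests must stay ahead of the `~0UL >> exch.in.extent_order` and `~0UL >> exch.out.extent_order` lines, because shifting by a guest-supplied count at or above the width of unsigned long is undefined and only the `||` short-circuit keeps those shifts from being evaluated. The comment `/* Extent orders are sensible? */` does not record this dependency; I would extend it to `/* Extent orders are sensible? Keep before the shifts below, which are undefined for oversized orders. */`. This assumes MAX_ORDER is smaller than the bit width of unsigned long, which is not visible here, and the condition continues outside the hunk.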