idella4 13/01/30 09:09:02 |
|
Modified: ipxe-nopie.patch |
Added: xen-4-CVE-2012-4544-XSA-25.patch |
xen-4-CVE-2012-6075-XSA-41.patch |
xen-tools-4-add-nopie.patch |
xen-4-fix_dotconfig-gcc.patch |
xen-tools-4-docfix.patch |
Removed: xen-tools-3.4.2-as-needed.patch |
Log: |
revbump; -4.2.0-r3: adjustments to DEPS, implementation of ocaml flag courtesy of user known as 'a.m' wrt Bug #447716, reconstitution of ipxe-nopie with subsequent addition of -4-add-nopie.patch, new USE flag ocaml added and implemented (possible to rename), sed statements reduced to patches, 2 security patches applied, build & install of docs corrected/upgraded. 4.2.1-r1: changes mirror those made to 4.2.0-r3, plus the addition of 1 valid security patch. Drop un-needed -3.4.2-as-needed.patch |
|
(Portage version: 2.1.11.40/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D) |
|
Revision Changes Path |
1.3 app-emulation/xen-tools/files/ipxe-nopie.patch |
17 |
|
18 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/ipxe-nopie.patch?rev=1.3&view=markup |
19 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/ipxe-nopie.patch?rev=1.3&content-type=text/plain |
20 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/ipxe-nopie.patch?r1=1.2&r2=1.3 |
21 |
|
22 |
Index: ipxe-nopie.patch |
23 |
=================================================================== |
24 |
RCS file: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/files/ipxe-nopie.patch,v |
25 |
retrieving revision 1.2 |
26 |
retrieving revision 1.3 |
27 |
diff -u -r1.2 -r1.3 |
28 |
--- ipxe-nopie.patch 17 Dec 2012 10:54:06 -0000 1.2 |
29 |
+++ ipxe-nopie.patch 30 Jan 2013 09:09:01 -0000 1.3 |
30 |
@@ -4,8 +4,8 @@ |
31 |
* /tools/firmware/etherboot/patches/ipxe-nopie.patche New patch |
32 |
* /tools/firmware/etherboot/patches/series Add ipxe-nopie.patch |
33 |
|
34 |
---- a/tools/firmware/etherboot/patches/ipxe-nopie.patch 1970-01-01 01:00:00.000000000 +0100 |
35 |
-+++ b/tools/firmware/etherboot/patches/ipxe-nopie.patch 2011-03-27 17:45:13.929697782 +0200 |
36 |
+#--- tools/firmware/etherboot/patches/ipxe-nopie.patch 1970-01-01 01:00:00.000000000 +0100 |
37 |
+#+++ tools/firmware/etherboot/patches/ipxe-nopie.patch 2011-03-27 17:45:13.929697782 +0200 |
38 |
@@ -0,0 +1,11 @@ |
39 |
+--- ipxe/src/Makefile~ 2011-03-27 17:41:52.000000000 +0200 |
40 |
++++ ipxe/src/Makefile 2011-03-27 17:43:20.869446433 +0200 |
41 |
@@ -18,9 +18,3 @@ |
42 |
+ ASFLAGS := |
43 |
+ LDFLAGS := |
44 |
+ MAKEDEPS := Makefile |
45 |
---- a/tools/firmware/etherboot/patches/series 2011-03-25 11:42:50.000000000 +0100 |
46 |
-+++ b/tools/firmware/etherboot/patches/series 2011-03-27 17:45:45.140446216 +0200 |
47 |
-build_fix_1.patch |
48 |
-build_fix_2.patch |
49 |
-build_fix_3.patch |
50 |
-+ipxe-nopie.patch |
51 |
|
52 |
|
53 |
|
54 |
1.1 app-emulation/xen-tools/files/xen-4-CVE-2012-4544-XSA-25.patch |
55 |
|
56 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-4-CVE-2012-4544-XSA-25.patch?rev=1.1&view=markup |
57 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-4-CVE-2012-4544-XSA-25.patch?rev=1.1&content-type=text/plain |
58 |
|
59 |
Index: xen-4-CVE-2012-4544-XSA-25.patch |
60 |
=================================================================== |
61 |
|
62 |
# HG changeset patch |
63 |
# User Ian Jackson <Ian.Jackson@×××××××××.com> |
64 |
# Date 1351264255 -3600 |
65 |
# Node ID 537776f51f79c5789d06f97b363596a197c3e71c |
66 |
# Parent 40ccbee890e1fc053de3046bbc3d13b8ff6f5d63 |
67 |
libxc: builder: limit maximum size of kernel/ramdisk. |
68 |
|
69 |
Allowing user supplied kernels of arbitrary sizes, especially during |
70 |
decompression, can swallow up dom0 memory leading to either virtual |
71 |
address space exhaustion in the builder process or allocation |
72 |
failures/OOM killing of both toolstack and unrelated processes. |
73 |
|
74 |
We disable these checks when building in a stub domain for pvgrub |
75 |
since this uses the guest's own memory and is isolated. |
76 |
|
77 |
Decompression of gzip compressed kernels and ramdisks has been safe |
78 |
since 14954:58205257517d (Xen 3.1.0 onwards). |
79 |
|
80 |
This is XSA-25 / CVE-2012-4544. |
81 |
|
82 |
Also make explicit checks for buffer overflows in various |
83 |
decompression routines. These were already ruled out due to other |
84 |
properties of the code but check them as a belt-and-braces measure. |
85 |
|
86 |
Signed-off-by: Ian Campbell <ian.campbell@××××××.com> |
87 |
Acked-by: Ian Jackson <ian.jackson@×××××××××.com> |
88 |
|
89 |
diff -r 40ccbee890e1 -r 537776f51f79 stubdom/grub/kexec.c |
90 |
--- stubdom/grub/kexec.c Thu Oct 25 15:36:32 2012 +0200 |
91 |
+++ stubdom/grub/kexec.c Fri Oct 26 16:10:55 2012 +0100 |
92 |
@@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_siz |
93 |
dom = xc_dom_allocate(xc_handle, cmdline, features); |
94 |
dom->allocate = kexec_allocate; |
95 |
|
96 |
+ /* We are using guest owned memory, therefore no limits. */ |
97 |
+ xc_dom_kernel_max_size(dom, 0); |
98 |
+ xc_dom_ramdisk_max_size(dom, 0); |
99 |
+ |
100 |
dom->kernel_blob = kernel; |
101 |
dom->kernel_size = kernel_size; |
102 |
|
103 |
diff -r 40ccbee890e1 -r 537776f51f79 tools/libxc/xc_dom.h |
104 |
--- tools/libxc/xc_dom.h Thu Oct 25 15:36:32 2012 +0200 |
105 |
+++ tools/libxc/xc_dom.h Fri Oct 26 16:10:55 2012 +0100 |
106 |
@@ -55,6 +55,9 @@ struct xc_dom_image { |
107 |
void *ramdisk_blob; |
108 |
size_t ramdisk_size; |
109 |
|
110 |
+ size_t max_kernel_size; |
111 |
+ size_t max_ramdisk_size; |
112 |
+ |
113 |
/* arguments and parameters */ |
114 |
char *cmdline; |
115 |
uint32_t f_requested[XENFEAT_NR_SUBMAPS]; |
116 |
@@ -180,6 +183,23 @@ void xc_dom_release_phys(struct xc_dom_i |
117 |
void xc_dom_release(struct xc_dom_image *dom); |
118 |
int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb); |
119 |
|
120 |
+/* Set this larger if you have enormous ramdisks/kernels. Note that |
121 |
+ * you should trust all kernels not to be maliciously large (e.g. to |
122 |
+ * exhaust all dom0 memory) if you do this (see CVE-2012-4544 / |
123 |
+ * XSA-25). You can also set the default independently for |
124 |
+ * ramdisks/kernels in xc_dom_allocate() or call |
125 |
+ * xc_dom_{kernel,ramdisk}_max_size. |
126 |
+ */ |
127 |
+#ifndef XC_DOM_DECOMPRESS_MAX |
128 |
+#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */ |
129 |
+#endif |
130 |
+ |
131 |
+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz); |
132 |
+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz); |
133 |
+ |
134 |
+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz); |
135 |
+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz); |
136 |
+ |
137 |
size_t xc_dom_check_gzip(xc_interface *xch, |
138 |
void *blob, size_t ziplen); |
139 |
int xc_dom_do_gunzip(xc_interface *xch, |
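Review bot: The comment above XC_DOM_DECOMPRESS_MAX does not say that a limit of 0 turns the check off, which is the one setting under which dom0 memory is no longer protected (the stubdom/grub/kexec.c hunk in this patch relies on it). It also leaves out that the same value bounds the size of the file mapped by xc_dom_malloc_filemap(), not only decompressed output, and what the *_check_size() functions return. I would add next to the four prototypes: `/* A max size of 0 disables the limit. The limit applies to the mapped file and to the decompressed image. xc_dom_*_check_size() return 0 if sz is acceptable, non-zero otherwise. */`.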
140 |
@@ -240,7 +260,8 @@ void xc_dom_log_memory_footprint(struct |
141 |
void *xc_dom_malloc(struct xc_dom_image *dom, size_t size); |
142 |
void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size); |
143 |
void *xc_dom_malloc_filemap(struct xc_dom_image *dom, |
144 |
- const char *filename, size_t * size); |
145 |
+ const char *filename, size_t * size, |
146 |
+ const size_t max_size); |
147 |
char *xc_dom_strdup(struct xc_dom_image *dom, const char *str); |
148 |
|
149 |
/* --- alloc memory pool ------------------------------------------- */ |
150 |
diff -r 40ccbee890e1 -r 537776f51f79 tools/libxc/xc_dom_bzimageloader.c |
151 |
--- tools/libxc/xc_dom_bzimageloader.c Thu Oct 25 15:36:32 2012 +0200 |
152 |
+++ tools/libxc/xc_dom_bzimageloader.c Fri Oct 26 16:10:55 2012 +0100 |
153 |
@@ -47,13 +47,19 @@ static int xc_try_bzip2_decode( |
154 |
char *out_buf; |
155 |
char *tmp_buf; |
156 |
int retval = -1; |
157 |
- int outsize; |
158 |
+ unsigned int outsize; |
159 |
uint64_t total; |
160 |
|
161 |
stream.bzalloc = NULL; |
162 |
stream.bzfree = NULL; |
163 |
stream.opaque = NULL; |
164 |
|
165 |
+ if ( dom->kernel_size == 0) |
166 |
+ { |
167 |
+ DOMPRINTF("BZIP2: Input is 0 size"); |
168 |
+ return -1; |
169 |
+ } |
170 |
+ |
171 |
ret = BZ2_bzDecompressInit(&stream, 0, 0); |
172 |
if ( ret != BZ_OK ) |
173 |
{ |
174 |
@@ -66,6 +72,17 @@ static int xc_try_bzip2_decode( |
175 |
* the input buffer to start, and we'll realloc as needed. |
176 |
*/ |
177 |
outsize = dom->kernel_size; |
178 |
+ |
179 |
+ /* |
180 |
+ * stream.avail_in and outsize are unsigned int, while kernel_size |
181 |
+ * is a size_t. Check we aren't overflowing. |
182 |
+ */ |
183 |
+ if ( outsize != dom->kernel_size ) |
184 |
+ { |
185 |
+ DOMPRINTF("BZIP2: Input too large"); |
186 |
+ goto bzip2_cleanup; |
187 |
+ } |
188 |
+ |
189 |
out_buf = malloc(outsize); |
190 |
if ( out_buf == NULL ) |
191 |
{ |
192 |
@@ -98,13 +115,20 @@ static int xc_try_bzip2_decode( |
193 |
if ( stream.avail_out == 0 ) |
194 |
{ |
195 |
/* Protect against output buffer overflow */ |
196 |
- if ( outsize > INT_MAX / 2 ) |
197 |
+ if ( outsize > UINT_MAX / 2 ) |
198 |
{ |
199 |
DOMPRINTF("BZIP2: output buffer overflow"); |
200 |
free(out_buf); |
201 |
goto bzip2_cleanup; |
202 |
} |
203 |
|
204 |
+ if ( xc_dom_kernel_check_size(dom, outsize * 2) ) |
205 |
+ { |
206 |
+ DOMPRINTF("BZIP2: output too large"); |
207 |
+ free(out_buf); |
208 |
+ goto bzip2_cleanup; |
209 |
+ } |
210 |
+ |
211 |
tmp_buf = realloc(out_buf, outsize * 2); |
212 |
if ( tmp_buf == NULL ) |
213 |
{ |
214 |
@@ -172,9 +196,15 @@ static int _xc_try_lzma_decode( |
215 |
unsigned char *out_buf; |
216 |
unsigned char *tmp_buf; |
217 |
int retval = -1; |
218 |
- int outsize; |
219 |
+ size_t outsize; |
220 |
const char *msg; |
221 |
|
222 |
+ if ( dom->kernel_size == 0) |
223 |
+ { |
224 |
+ DOMPRINTF("%s: Input is 0 size", what); |
225 |
+ return -1; |
226 |
+ } |
227 |
+ |
228 |
/* sigh. We don't know up-front how much memory we are going to need |
229 |
* for the output buffer. Allocate the output buffer to be equal |
230 |
* the input buffer to start, and we'll realloc as needed. |
231 |
@@ -244,13 +274,20 @@ static int _xc_try_lzma_decode( |
232 |
if ( stream->avail_out == 0 ) |
233 |
{ |
234 |
/* Protect against output buffer overflow */ |
235 |
- if ( outsize > INT_MAX / 2 ) |
236 |
+ if ( outsize > SIZE_MAX / 2 ) |
237 |
{ |
238 |
DOMPRINTF("%s: output buffer overflow", what); |
239 |
free(out_buf); |
240 |
goto lzma_cleanup; |
241 |
} |
242 |
|
243 |
+ if ( xc_dom_kernel_check_size(dom, outsize * 2) ) |
244 |
+ { |
245 |
+ DOMPRINTF("%s: output too large", what); |
246 |
+ free(out_buf); |
247 |
+ goto lzma_cleanup; |
248 |
+ } |
249 |
+ |
250 |
tmp_buf = realloc(out_buf, outsize * 2); |
251 |
if ( tmp_buf == NULL ) |
252 |
{ |
253 |
@@ -359,6 +396,12 @@ static int xc_try_lzo1x_decode( |
254 |
0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a |
255 |
}; |
256 |
|
257 |
+ /* |
258 |
+ * lzo_uint should match size_t. Check that this is the case to be |
259 |
+ * sure we won't overflow various lzo_uint fields. |
260 |
+ */ |
261 |
+ XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t)); |
262 |
+ |
263 |
ret = lzo_init(); |
264 |
if ( ret != LZO_E_OK ) |
265 |
{ |
266 |
@@ -438,6 +481,14 @@ static int xc_try_lzo1x_decode( |
267 |
if ( src_len <= 0 || src_len > dst_len || src_len > left ) |
268 |
break; |
269 |
|
270 |
+ msg = "Output buffer overflow"; |
271 |
+ if ( *size > SIZE_MAX - dst_len ) |
272 |
+ break; |
273 |
+ |
274 |
+ msg = "Decompressed image too large"; |
275 |
+ if ( xc_dom_kernel_check_size(dom, *size + dst_len) ) |
276 |
+ break; |
277 |
+ |
278 |
msg = "Failed to (re)alloc memory"; |
279 |
tmp_buf = realloc(out_buf, *size + dst_len); |
280 |
if ( tmp_buf == NULL ) |
281 |
diff -r 40ccbee890e1 -r 537776f51f79 tools/libxc/xc_dom_core.c |
282 |
--- tools/libxc/xc_dom_core.c Thu Oct 25 15:36:32 2012 +0200 |
283 |
+++ tools/libxc/xc_dom_core.c Fri Oct 26 16:10:55 2012 +0100 |
284 |
@@ -159,7 +159,8 @@ void *xc_dom_malloc_page_aligned(struct |
285 |
} |
286 |
|
287 |
void *xc_dom_malloc_filemap(struct xc_dom_image *dom, |
288 |
- const char *filename, size_t * size) |
289 |
+ const char *filename, size_t * size, |
290 |
+ const size_t max_size) |
291 |
{ |
292 |
struct xc_dom_mem *block = NULL; |
293 |
int fd = -1; |
294 |
@@ -171,6 +172,13 @@ void *xc_dom_malloc_filemap(struct xc_do |
295 |
lseek(fd, 0, SEEK_SET); |
296 |
*size = lseek(fd, 0, SEEK_END); |
297 |
|
298 |
+ if ( max_size && *size > max_size ) |
299 |
+ { |
300 |
+ xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY, |
301 |
+ "tried to map file which is too large"); |
302 |
+ goto err; |
303 |
+ } |
304 |
+ |
305 |
block = malloc(sizeof(*block)); |
306 |
if ( block == NULL ) |
307 |
goto err; |
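Review bot: The new bound is compared against `*size`, which is taken straight from `lseek(fd, 0, SEEK_END)` on the context line above without a failure check. A failed lseek() returns -1, which becomes a very large size_t: with a limit set it is rejected as "too large" under XC_OUT_OF_MEMORY, and with max_size == 0 (limit disabled) nothing in this hunk stops it from reaching the allocation code that follows. Checking the offset first would close that: `off_t end = lseek(fd, 0, SEEK_END);` `if ( end < 0 ) goto err;` `*size = end;`. The rest of xc_dom_malloc_filemap() is outside the hunk, so a later check may already cover part of this.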
308 |
@@ -222,6 +230,40 @@ char *xc_dom_strdup(struct xc_dom_image |
309 |
} |
310 |
|
311 |
/* ------------------------------------------------------------------------ */ |
312 |
+/* decompression buffer sizing */ |
313 |
+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz) |
314 |
+{ |
315 |
+ /* No limit */ |
316 |
+ if ( !dom->max_kernel_size ) |
317 |
+ return 0; |
318 |
+ |
319 |
+ if ( sz > dom->max_kernel_size ) |
320 |
+ { |
321 |
+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, |
322 |
+ "kernel image too large"); |
323 |
+ return 1; |
324 |
+ } |
325 |
+ |
326 |
+ return 0; |
327 |
+} |
328 |
+ |
329 |
+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz) |
330 |
+{ |
331 |
+ /* No limit */ |
332 |
+ if ( !dom->max_ramdisk_size ) |
333 |
+ return 0; |
334 |
+ |
335 |
+ if ( sz > dom->max_ramdisk_size ) |
336 |
+ { |
337 |
+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, |
338 |
+ "ramdisk image too large"); |
339 |
+ return 1; |
340 |
+ } |
341 |
+ |
342 |
+ return 0; |
343 |
+} |
344 |
+ |
345 |
+/* ------------------------------------------------------------------------ */ |
346 |
/* read files, copy memory blocks, with transparent gunzip */ |
347 |
|
348 |
size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) |
349 |
@@ -235,7 +277,7 @@ size_t xc_dom_check_gzip(xc_interface *x |
350 |
|
351 |
gzlen = blob + ziplen - 4; |
352 |
unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0]; |
353 |
- if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */ |
354 |
+ if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) ) |
355 |
{ |
356 |
xc_dom_printf |
357 |
(xch, |
358 |
@@ -288,6 +330,9 @@ int xc_dom_try_gunzip(struct xc_dom_imag |
359 |
if ( unziplen == 0 ) |
360 |
return 0; |
361 |
|
362 |
+ if ( xc_dom_kernel_check_size(dom, unziplen) ) |
363 |
+ return 0; |
364 |
+ |
365 |
unzip = xc_dom_malloc(dom, unziplen); |
366 |
if ( unzip == NULL ) |
367 |
return -1; |
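Review bot: When the decompressed size exceeds the limit, the added check returns 0, the same value returned just above for `unziplen == 0`, so the caller carries on with the still-compressed blob and the only trace of the rejection is the xc_dom_panic() inside xc_dom_kernel_check_size(). The xc_dom_build_image hunk does the equivalent for ramdisks: it sets `unziplen = 0` and then sizes the segment from the raw `dom->ramdisk_size`. If the intent is to refuse oversized images, failing outright is clearer: `if ( xc_dom_kernel_check_size(dom, unziplen) ) return -1;` here and `goto err;` in the ramdisk path. If the fall-through is deliberate, a one-line comment saying so would help; both function bodies extend beyond their hunks.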
368 |
@@ -588,6 +633,9 @@ struct xc_dom_image *xc_dom_allocate(xc_ |
369 |
memset(dom, 0, sizeof(*dom)); |
370 |
dom->xch = xch; |
371 |
|
372 |
+ dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX; |
373 |
+ dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX; |
374 |
+ |
375 |
if ( cmdline ) |
376 |
dom->cmdline = xc_dom_strdup(dom, cmdline); |
377 |
if ( features ) |
378 |
@@ -608,10 +656,25 @@ struct xc_dom_image *xc_dom_allocate(xc_ |
379 |
return NULL; |
380 |
} |
381 |
|
382 |
+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz) |
383 |
+{ |
384 |
+ DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz); |
385 |
+ dom->max_kernel_size = sz; |
386 |
+ return 0; |
387 |
+} |
388 |
+ |
389 |
+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz) |
390 |
+{ |
391 |
+ DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz); |
392 |
+ dom->max_ramdisk_size = sz; |
393 |
+ return 0; |
394 |
+} |
395 |
+ |
396 |
int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename) |
397 |
{ |
398 |
DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename); |
399 |
- dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size); |
400 |
+ dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size, |
401 |
+ dom->max_kernel_size); |
402 |
if ( dom->kernel_blob == NULL ) |
403 |
return -1; |
404 |
return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); |
405 |
@@ -621,7 +684,9 @@ int xc_dom_ramdisk_file(struct xc_dom_im |
406 |
{ |
407 |
DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename); |
408 |
dom->ramdisk_blob = |
409 |
- xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size); |
410 |
+ xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size, |
411 |
+ dom->max_ramdisk_size); |
412 |
+ |
413 |
if ( dom->ramdisk_blob == NULL ) |
414 |
return -1; |
415 |
// return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size); |
416 |
@@ -781,7 +846,11 @@ int xc_dom_build_image(struct xc_dom_ima |
417 |
void *ramdiskmap; |
418 |
|
419 |
unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size); |
420 |
+ if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 ) |
421 |
+ unziplen = 0; |
422 |
+ |
423 |
ramdisklen = unziplen ? unziplen : dom->ramdisk_size; |
424 |
+ |
425 |
if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0, |
426 |
ramdisklen) != 0 ) |
427 |
goto err; |
428 |
|
429 |
|
430 |
|
431 |
|
432 |
|
433 |
1.1 app-emulation/xen-tools/files/xen-4-CVE-2012-6075-XSA-41.patch |
434 |
|
435 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-4-CVE-2012-6075-XSA-41.patch?rev=1.1&view=markup |
436 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-4-CVE-2012-6075-XSA-41.patch?rev=1.1&content-type=text/plain |
437 |
|
438 |
Index: xen-4-CVE-2012-6075-XSA-41.patch |
439 |
=================================================================== |
440 |
authorMichael Contreras <michael@×××××××.com> |
441 |
Mon, 3 Dec 2012 04:11:22 +0000 (20:11 -0800) |
442 |
committerAnthony Liguori <aliguori@××××××.com> |
443 |
Mon, 3 Dec 2012 14:14:10 +0000 (08:14 -0600) |
444 |
|
445 |
The e1000_receive function for the e1000 needs to discard packets longer than |
446 |
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes |
447 |
this behavior and allocates memory based on this assumption. |
448 |
|
449 |
Signed-off-by: Michael Contreras <michael@×××××××.com> |
450 |
Signed-off-by: Anthony Liguori <aliguori@××××××.com> |
451 |
hw/e1000.c |
452 |
|
453 |
--- tools/qemu-xen/hw/e1000.c |
454 |
+++ tools/qemu-xen/hw/e1000.c |
455 |
@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL); |
456 |
#define PNPMMIO_SIZE 0x20000 |
457 |
#define MIN_BUF_SIZE 60 /* Min. octets in an ethernet frame sans FCS */ |
458 |
|
459 |
+/* this is the size past which hardware will drop packets when setting LPE=0 */ |
460 |
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522 |
461 |
+ |
462 |
/* |
463 |
* HW models: |
464 |
* E1000_DEV_ID_82540EM works with Windows and Linux |
465 |
@@ -805,6 +808,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size) |
466 |
size = sizeof(min_buf); |
467 |
} |
468 |
|
469 |
+ /* Discard oversized packets if !LPE and !SBP. */ |
470 |
+ if (size > MAXIMUM_ETHERNET_VLAN_SIZE |
471 |
+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE) |
472 |
+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) { |
473 |
+ return size; |
474 |
+ } |
475 |
+ |
476 |
if (!receive_filter(s, buf, size)) |
477 |
return size; |
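Review bot: The added check only bounds the frame when LPE is clear; with LPE set and SBP clear, a frame of any length still passes this point, so a guest driver that sizes its buffers for the long-packet maximum gets no protection here. I would add a second bound for the long-packet case (upstream QEMU later used `#define MAXIMUM_ETHERNET_LPE_SIZE 16384`; confirm the value against the datasheet) and test `(size > MAXIMUM_ETHERNET_LPE_SIZE || (size > MAXIMUM_ETHERNET_VLAN_SIZE && !(s->mac_reg[RCTL] & E1000_RCTL_LPE))) && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)`. The patch touches only tools/qemu-xen/hw/e1000.c, while the docfix patch in this commit shows tools/qemu-xen-traditional is built too; it is worth confirming whether that tree's e1000 model needs the same check. e1000_receive() continues outside the hunk.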
478 |
|
479 |
|
480 |
|
481 |
|
482 |
1.1 app-emulation/xen-tools/files/xen-tools-4-add-nopie.patch |
483 |
|
484 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-tools-4-add-nopie.patch?rev=1.1&view=markup |
485 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-tools-4-add-nopie.patch?rev=1.1&content-type=text/plain |
486 |
|
487 |
Index: xen-tools-4-add-nopie.patch |
488 |
=================================================================== |
489 |
2011-10-22 Ralf Glauberman <ralfglauberman@×××.de> |
490 |
|
491 |
#360805 Don't compile ipxe with pie on hardened. |
492 |
* /tools/firmware/etherboot/patches/ipxe-nopie.patche New patch |
493 |
Reconstituted patch; Tue Jan 29 14:35:13 WST 2013 |
494 |
|
495 |
diff -ur xen-4.2.0.orig/tools/firmware/etherboot/patches/series xen-4.2.0/tools/firmware/etherboot/patches/series |
496 |
--- tools/firmware/etherboot/patches/series 2013-01-29 14:34:10.773520921 +0800 |
497 |
+++ tools/firmware/etherboot/patches/series 2013-01-29 14:33:31.781519209 +0800 |
498 |
@@ -2,3 +2,4 @@ |
499 |
build_fix_1.patch |
500 |
build_fix_2.patch |
501 |
build_fix_3.patch |
502 |
+ipxe-nopie.patch |
503 |
|
504 |
|
505 |
|
506 |
|
507 |
1.1 app-emulation/xen-tools/files/xen-4-fix_dotconfig-gcc.patch |
508 |
|
509 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-4-fix_dotconfig-gcc.patch?rev=1.1&view=markup |
510 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-4-fix_dotconfig-gcc.patch?rev=1.1&content-type=text/plain |
511 |
|
512 |
Index: xen-4-fix_dotconfig-gcc.patch |
513 |
=================================================================== |
514 |
# Fix gcc-4.6 |
515 |
diff -ur xen-4.2.0.orig/extras/mini-os/minios.mk xen-4.2.0/extras/mini-os/minios.mk |
516 |
--- extras/mini-os/minios.mk 2012-09-17 18:21:17.000000000 +0800 |
517 |
+++ extras/mini-os/minios.mk 2012-12-05 14:01:10.653260260 +0800 |
518 |
@@ -6,7 +6,7 @@ |
519 |
|
520 |
# Define some default flags. |
521 |
# NB. '-Wcast-qual' is nasty, so I omitted it. |
522 |
-DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls |
523 |
+DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls |
524 |
DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,) |
525 |
DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline) |
526 |
DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline |
527 |
diff -ur xen-4.2.0.orig/tools/libxc/Makefile xen-4.2.0/tools/libxc/Makefile |
528 |
--- tools/libxc/Makefile 2012-09-17 18:21:18.000000000 +0800 |
529 |
+++ tools/libxc/Makefile 2012-12-05 14:01:10.653260260 +0800 |
530 |
@@ -73,7 +73,7 @@ |
531 |
|
532 |
-include $(XEN_TARGET_ARCH)/Makefile |
533 |
|
534 |
-CFLAGS += -Werror -Wmissing-prototypes |
535 |
+CFLAGS += -Wmissing-prototypes |
536 |
CFLAGS += -I. $(CFLAGS_xeninclude) |
537 |
|
538 |
# Needed for posix_fadvise64() in xc_linux.c |
539 |
# Drop .config |
540 |
diff -ur xen-4.2.0.orig/Config.mk xen-4.2.0/Config.mk |
541 |
--- Config.mk 2012-09-17 18:23:12.000000000 +0800 |
542 |
+++ Config.mk 2012-12-05 14:01:10.641260261 +0800 |
543 |
@@ -7,7 +7,6 @@ Drop .config |
544 |
# fallback for older make |
545 |
realpath = $(wildcard $(foreach file,$(1),$(shell cd -P $(dir $(file)) && echo "$$PWD/$(notdir $(file))"))) |
546 |
|
547 |
--include $(XEN_ROOT)/.config |
548 |
|
549 |
# A debug build of Xen and tools? |
550 |
debug ?= n |
551 |
@@ -24,7 +24,7 @@ |
552 |
|
553 |
# Tools to run on system hosting the build |
554 |
HOSTCC = gcc |
555 |
-HOSTCFLAGS = -Wall -Werror -Wstrict-prototypes -O2 -fomit-frame-pointer |
556 |
+HOSTCFLAGS = -Wstrict-prototypes -O2 -fomit-frame-pointer |
557 |
HOSTCFLAGS += -fno-strict-aliasing |
558 |
|
559 |
DISTDIR ?= $(XEN_ROOT)/dist |
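Review bot: This line drops `-Wall` together with `-Werror`, and the `@@ -156,7 +156,7 @@` hunk further down does the same for CFLAGS, although the patch header only says "Fix gcc-4.6". Removing -Werror is enough to stop new compiler warnings from failing the build; removing -Wall as well takes the diagnostics (format mismatches, uninitialised use and the like) out of the build log for both the host tools and the main tree. I would keep the warnings and drop only the error promotion: `HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer` and `CFLAGS += -Wall -Wstrict-prototypes`.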
560 |
@@ -156,7 +156,7 @@ |
561 |
|
562 |
CFLAGS += -std=gnu99 |
563 |
|
564 |
-CFLAGS += -Wall -Wstrict-prototypes |
565 |
+CFLAGS += -Wstrict-prototypes |
566 |
|
567 |
# Clang complains about macros that expand to 'if ( ( foo == bar ) ) ...' |
568 |
# and is over-zealous with the printf format lint |
569 |
diff -ur xen-4.2.1.orig/tools/blktap2/drivers/Makefile xen-4.2.1/tools/blktap2/drivers/Makefile |
570 |
--- tools/blktap2/drivers/Makefile 2012-12-17 23:00:11.000000000 +0800 |
571 |
+++ tools/blktap2/drivers/Makefile 2013-01-30 12:31:43.539941099 +0800 |
572 |
@@ -9,7 +9,7 @@ |
573 |
LOCK_UTIL = lock-util |
574 |
INST_DIR = $(SBINDIR) |
575 |
|
576 |
-CFLAGS += -Werror -g |
577 |
+CFLAGS += -g |
578 |
CFLAGS += -Wno-unused |
579 |
CFLAGS += -fno-strict-aliasing |
580 |
CFLAGS += -I$(BLKTAP_ROOT)/include -I$(BLKTAP_ROOT)/drivers |
581 |
diff -ur xen-4.2.1.orig/tools/debugger/gdbsx/Rules.mk xen-4.2.1/tools/debugger/gdbsx/Rules.mk |
582 |
--- tools/debugger/gdbsx/Rules.mk 2012-12-17 23:00:22.000000000 +0800 |
583 |
+++ tools/debugger/gdbsx/Rules.mk 2013-01-30 12:31:43.516941098 +0800 |
584 |
@@ -1,4 +1,4 @@ |
585 |
include $(XEN_ROOT)/tools/Rules.mk |
586 |
|
587 |
-CFLAGS += -Werror -Wmissing-prototypes |
588 |
+CFLAGS += -Wmissing-prototypes |
589 |
# (gcc 4.3x and later) -Wconversion -Wno-sign-conversion |
590 |
diff -ur xen-4.2.1.orig/tools/debugger/xenitp/Makefile xen-4.2.1/tools/debugger/xenitp/Makefile |
591 |
--- tools/debugger/xenitp/Makefile 2012-12-17 23:00:22.000000000 +0800 |
592 |
+++ tools/debugger/xenitp/Makefile 2013-01-30 12:31:43.516941098 +0800 |
593 |
@@ -1,7 +1,7 @@ |
594 |
XEN_ROOT=$(CURDIR)/../../.. |
595 |
include $(XEN_ROOT)/tools/Rules.mk |
596 |
|
597 |
-#CFLAGS += -Werror -g -O0 |
598 |
+#CFLAGS += -g -O0 |
599 |
|
600 |
CFLAGS += $(CFLAGS_libxenctrl) |
601 |
|
602 |
diff -ur xen-4.2.1.orig/tools/libaio/harness/Makefile xen-4.2.1/tools/libaio/harness/Makefile |
603 |
--- tools/libaio/harness/Makefile 2012-12-17 23:00:35.000000000 +0800 |
604 |
+++ tools/libaio/harness/Makefile 2013-01-30 12:31:43.541941099 +0800 |
605 |
@@ -4,7 +4,7 @@ |
606 |
HARNESS_SRCS:=main.c |
607 |
# io_queue.c |
608 |
|
609 |
-CFLAGS=-Wall -Werror -g -O -laio |
610 |
+CFLAGS=-Wall -g -O -laio |
611 |
#-lpthread -lrt |
612 |
|
613 |
all: $(PROGS) |
614 |
diff -ur xen-4.2.1.orig/tools/libfsimage/Rules.mk xen-4.2.1/tools/libfsimage/Rules.mk |
615 |
--- tools/libfsimage/Rules.mk 2012-12-17 23:00:36.000000000 +0800 |
616 |
+++ tools/libfsimage/Rules.mk 2013-01-30 12:31:43.515941097 +0800 |
617 |
@@ -1,7 +1,7 @@ |
618 |
include $(XEN_ROOT)/tools/Rules.mk |
619 |
|
620 |
CFLAGS += -Wno-unknown-pragmas -I$(XEN_ROOT)/tools/libfsimage/common/ -DFSIMAGE_FSDIR=\"$(FSDIR)\" |
621 |
-CFLAGS += -Werror -D_GNU_SOURCE |
622 |
+CFLAGS += -D_GNU_SOURCE |
623 |
LDFLAGS += -L../common/ |
624 |
|
625 |
PIC_OBJS := $(patsubst %.c,%.opic,$(LIB_SRCS-y)) |
626 |
diff -ur xen-4.2.1.orig/tools/libxl/Makefile xen-4.2.1/tools/libxl/Makefile |
627 |
--- tools/libxl/Makefile 2012-12-17 23:01:08.000000000 +0800 |
628 |
+++ tools/libxl/Makefile 2013-01-30 12:31:43.541941099 +0800 |
629 |
@@ -11,7 +11,7 @@ |
630 |
XLUMAJOR = 1.0 |
631 |
XLUMINOR = 1 |
632 |
|
633 |
-CFLAGS += -Werror -Wno-format-zero-length -Wmissing-declarations \ |
634 |
+CFLAGS += -Wno-format-zero-length -Wmissing-declarations \ |
635 |
-Wno-declaration-after-statement -Wformat-nonliteral |
636 |
CFLAGS += -I. -fPIC |
637 |
|
638 |
diff -ur xen-4.2.1.orig/tools/qemu-xen/pc-bios/optionrom/Makefile xen-4.2.1/tools/qemu-xen/pc-bios/optionrom/Makefile |
639 |
--- tools/qemu-xen/pc-bios/optionrom/Makefile 2012-09-11 02:10:52.000000000 +0800 |
640 |
+++ tools/qemu-xen/pc-bios/optionrom/Makefile 2013-01-30 12:31:43.528941098 +0800 |
641 |
@@ -9,7 +9,7 @@ |
642 |
|
643 |
.PHONY : all clean build-all |
644 |
|
645 |
-CFLAGS := -Wall -Wstrict-prototypes -Werror -fomit-frame-pointer -fno-builtin |
646 |
+CFLAGS := -Wall -Wstrict-prototypes -fomit-frame-pointer -fno-builtin |
647 |
CFLAGS += -I$(SRC_PATH) |
648 |
CFLAGS += $(call cc-option, $(CFLAGS), -fno-stack-protector) |
649 |
QEMU_CFLAGS = $(CFLAGS) |
650 |
diff -ur xen-4.2.1.orig/tools/vtpm/Rules.mk xen-4.2.1/tools/vtpm/Rules.mk |
651 |
--- tools/vtpm/Rules.mk 2012-12-17 23:01:35.000000000 +0800 |
652 |
+++ tools/vtpm/Rules.mk 2013-01-30 12:31:43.515941097 +0800 |
653 |
@@ -6,7 +6,7 @@ |
654 |
# |
655 |
|
656 |
# General compiler flags |
657 |
-CFLAGS = -Werror -g3 |
658 |
+CFLAGS = -g3 |
659 |
|
660 |
# Generic project files |
661 |
HDRS = $(wildcard *.h) |
662 |
diff -ur xen-4.2.1.orig/tools/vtpm_manager/Rules.mk xen-4.2.1/tools/vtpm_manager/Rules.mk |
663 |
--- tools/vtpm_manager/Rules.mk 2012-12-17 23:01:35.000000000 +0800 |
664 |
+++ tools/vtpm_manager/Rules.mk 2013-01-30 12:31:43.511941097 +0800 |
665 |
@@ -6,7 +6,7 @@ |
666 |
# |
667 |
|
668 |
# General compiler flags |
669 |
-CFLAGS = -Werror -g3 |
670 |
+CFLAGS = -g3 |
671 |
|
672 |
# Generic project files |
673 |
HDRS = $(wildcard *.h) |
674 |
diff -ur xen-4.2.1.orig/tools/xenstat/xentop/Makefile xen-4.2.1/tools/xenstat/xentop/Makefile |
675 |
--- tools/xenstat/xentop/Makefile 2012-12-17 23:01:35.000000000 +0800 |
676 |
+++ tools/xenstat/xentop/Makefile 2013-01-30 12:31:43.535941098 +0800 |
677 |
@@ -18,7 +18,7 @@ |
678 |
all install xentop: |
679 |
else |
680 |
|
681 |
-CFLAGS += -DGCC_PRINTF -Wall -Werror $(CFLAGS_libxenstat) |
682 |
+CFLAGS += -DGCC_PRINTF -Wall $(CFLAGS_libxenstat) |
683 |
LDLIBS += $(LDLIBS_libxenstat) $(CURSES_LIBS) $(SOCKET_LIBS) |
684 |
CFLAGS += -DHOST_$(XEN_OS) |
685 |
|
686 |
diff -ur xen-4.2.1.orig/xen/arch/arm/Rules.mk xen-4.2.1/xen/arch/arm/Rules.mk |
687 |
--- xen/arch/arm/Rules.mk 2012-12-17 23:01:37.000000000 +0800 |
688 |
+++ xen/arch/arm/Rules.mk 2013-01-30 12:31:43.498941097 +0800 |
689 |
@@ -9,7 +9,7 @@ |
690 |
HAS_DEVICE_TREE := y |
691 |
|
692 |
CFLAGS += -fno-builtin -fno-common -Wredundant-decls |
693 |
-CFLAGS += -iwithprefix include -Werror -Wno-pointer-arith -pipe |
694 |
+CFLAGS += -iwithprefix include -Wno-pointer-arith -pipe |
695 |
CFLAGS += -I$(BASEDIR)/include |
696 |
|
697 |
# Prevent floating-point variables from creeping into Xen. |
698 |
diff -ur xen-4.2.1.orig/xen/arch/x86/Rules.mk xen-4.2.1/xen/arch/x86/Rules.mk |
699 |
--- xen/arch/x86/Rules.mk 2012-12-17 23:01:37.000000000 +0800 |
700 |
+++ xen/arch/x86/Rules.mk 2013-01-30 12:31:43.490941096 +0800 |
701 |
@@ -24,7 +24,7 @@ |
702 |
endif |
703 |
|
704 |
CFLAGS += -fno-builtin -fno-common -Wredundant-decls |
705 |
-CFLAGS += -iwithprefix include -Werror -Wno-pointer-arith -pipe |
706 |
+CFLAGS += -iwithprefix include -Wno-pointer-arith -pipe |
707 |
CFLAGS += -I$(BASEDIR)/include |
708 |
CFLAGS += -I$(BASEDIR)/include/asm-x86/mach-generic |
709 |
CFLAGS += -I$(BASEDIR)/include/asm-x86/mach-default |
710 |
diff -ur xen-4.2.1.orig/xen/include/Makefile xen-4.2.1/xen/include/Makefile |
711 |
--- xen/include/Makefile 2012-12-17 23:01:55.000000000 +0800 |
712 |
+++ xen/include/Makefile 2013-01-30 12:31:43.502941097 +0800 |
713 |
@@ -78,7 +78,7 @@ |
714 |
all: headers.chk |
715 |
|
716 |
headers.chk: $(filter-out public/arch-% public/%ctl.h public/xsm/% public/%hvm/save.h, $(wildcard public/*.h public/*/*.h) $(public-y)) Makefile |
717 |
- for i in $(filter %.h,$^); do $(CC) -ansi -include stdint.h -Wall -W -Werror -S -o /dev/null -xc $$i || exit 1; echo $$i; done >$@.new |
718 |
+ for i in $(filter %.h,$^); do $(CC) -ansi -include stdint.h -Wall -W -S -o /dev/null -xc $$i || exit 1; echo $$i; done >$@.new |
719 |
mv $@.new $@ |
720 |
|
721 |
endif |
722 |
diff -ur xen-4.2.1.orig/tools/tests/mce-test/tools/Makefile xen-4.2.1/tools/tests/mce-test/tools/Makefile |
723 |
--- tools/tests/mce-test/tools/Makefile 2012-12-17 23:01:35.000000000 +0800 |
724 |
+++ tools/tests/mce-test/tools/Makefile 2013-01-30 13:01:44.890020152 +0800 |
725 |
@@ -1,7 +1,7 @@ |
726 |
XEN_ROOT=$(CURDIR)/../../../.. |
727 |
include $(XEN_ROOT)/tools/Rules.mk |
728 |
|
729 |
-CFLAGS += -Werror |
730 |
+CFLAGS += |
731 |
CFLAGS += $(CFLAGS_libxenctrl) |
732 |
CFLAGS += $(CFLAGS_libxenguest) |
733 |
CFLAGS += $(CFLAGS_libxenstore) |
734 |
diff -ur xen-4.2.1.orig/tools/tests/mem-sharing/Makefile xen-4.2.1/tools/tests/mem-sharing/Makefile |
735 |
--- tools/tests/mem-sharing/Makefile 2012-12-17 23:01:35.000000000 +0800 |
736 |
+++ tools/tests/mem-sharing/Makefile 2013-01-30 13:01:44.890020152 +0800 |
737 |
@@ -1,7 +1,7 @@ |
738 |
XEN_ROOT=$(CURDIR)/../../.. |
739 |
include $(XEN_ROOT)/tools/Rules.mk |
740 |
|
741 |
-CFLAGS += -Werror |
742 |
+CFLAGS += |
743 |
|
744 |
CFLAGS += $(CFLAGS_libxenctrl) |
745 |
CFLAGS += $(CFLAGS_xeninclude) |
746 |
diff -ur xen-4.2.1.orig/tools/tests/xen-access/Makefile xen-4.2.1/tools/tests/xen-access/Makefile |
747 |
--- tools/tests/xen-access/Makefile 2012-12-17 23:01:35.000000000 +0800 |
748 |
+++ tools/tests/xen-access/Makefile 2013-01-30 13:01:44.891020152 +0800 |
749 |
@@ -1,7 +1,7 @@ |
750 |
XEN_ROOT=$(CURDIR)/../../.. |
751 |
include $(XEN_ROOT)/tools/Rules.mk |
752 |
|
753 |
-CFLAGS += -Werror |
754 |
+CFLAGS += |
755 |
|
756 |
CFLAGS += $(CFLAGS_libxenctrl) |
757 |
CFLAGS += $(CFLAGS_libxenguest) |
758 |
|
759 |
|
760 |
|
761 |
|
762 |
1.1 app-emulation/xen-tools/files/xen-tools-4-docfix.patch |
763 |
|
764 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-tools-4-docfix.patch?rev=1.1&view=markup |
765 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/xen-tools/files/xen-tools-4-docfix.patch?rev=1.1&content-type=text/plain |
766 |
|
767 |
Index: xen-tools-4-docfix.patch |
768 |
=================================================================== |
769 |
diff -ur xen-4.2.0.orig/tools/qemu-xen-traditional/Makefile xen-4.2.0/tools/qemu-xen-traditional/Makefile |
770 |
--- xen-4.2.0.orig/tools/qemu-xen-traditional/Makefile 2012-09-07 00:05:30.000000000 +0800 |
771 |
+++ xen-4.2.0/tools/qemu-xen-traditional/Makefile 2013-01-29 11:12:20.502989453 +0800 |
772 |
@@ -275,7 +275,7 @@ |
773 |
|
774 |
# documentation |
775 |
%.html: %.texi |
776 |
- texi2html -monolithic -number $< |
777 |
+ texi2html -monolithic $< |
778 |
|
779 |
%.info: %.texi |
780 |
makeinfo $< -o $@ |