db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07 SOURCES/newlib-1.16.0.tar.gz
f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 SOURCES/pciutils-2.2.9.tar.bz2
fad9414898f727ddb7d14d30d89ca977375e6dddef301aa6f3df74ee766b0235 SOURCES/qemu-xen-4.2.3.tar.gz
-1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e SOURCES/zlib-1.2.3.tar.gz
69b6a73701383d609ad094a38925004e8595755fb39a6fafd579ba754e8667db SOURCES/xen-4.2.3.tar.gz
+1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e SOURCES/zlib-1.2.3.tar.gz
--- /dev/null
+x86: restrict XEN_DOMCTL_getmemlist
+
+Coverity ID 1055652
+
+(See the code comment.)
+
+This is CVE-2013-4553 / XSA-74.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -385,6 +385,26 @@ long arch_do_domctl(
+ break;
+ }
+
++ /*
++ * XSA-74: This sub-hypercall is broken in several ways:
++ * - lock order inversion (p2m locks inside page_alloc_lock)
++ * - no preemption on huge max_pfns input
++ * - not (re-)checking d->is_dying with page_alloc_lock held
++ * - not honoring start_pfn input (which libxc also doesn't set)
++ * Additionally it is rather useless, as the result is stale by
++ * the time the caller gets to look at it.
++ * As it only has a single, non-production consumer (xen-mceinj),
++ * rather than trying to fix it we restrict it for the time being.
++ */
++ if ( /* No nested locks inside copy_to_guest_offset(). */
++ paging_mode_external(current->domain) ||
++ /* Arbitrary limit capping processing time. */
++ max_pfns > GB(4) / PAGE_SIZE )
++ {
++ ret = -EOPNOTSUPP;
++ break;
++ }
++
+ spin_lock(&d->page_alloc_lock);
+
+ if ( unlikely(d->is_dying) ) {
--- /dev/null
+x86/HVM: only allow ring 0 guest code to make hypercalls
+
+Anything else would allow for privilege escalation.
+
+This is CVE-2013-4554 / XSA-76.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+ case 4:
+ case 2:
+ hvm_get_segment_register(curr, x86_seg_ss, &sreg);
+- if ( unlikely(sreg.attr.fields.dpl == 3) )
++ if ( unlikely(sreg.attr.fields.dpl) )
+ {
+ default:
+ regs->eax = -EPERM;
--- /dev/null
+IOMMU: clear "don't flush" override on error paths
+
+Both xenmem_add_to_physmap() and iommu_populate_page_table() each have
+an error path that fails to clear that flag, thus suppressing further
+flushes on the respective pCPU.
+
+In iommu_populate_page_table() also slightly re-arrange code to avoid
+the false impression of the flag in question being guarded by a
+domain's page_alloc_lock.
+
+This is CVE-2013-6400 / XSA-80.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -4648,7 +4648,7 @@ static int xenmem_add_to_physmap(struct
+ {
+ rc = xenmem_add_to_physmap_once(d, xatp);
+ if ( rc < 0 )
+- return rc;
++ break;
+
+ xatp->idx++;
+ xatp->gpfn++;
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -306,11 +306,11 @@ static int iommu_populate_page_table(str
+ {
+ struct hvm_iommu *hd = domain_hvm_iommu(d);
+ struct page_info *page;
+- int rc;
++ int rc = 0;
+
++ this_cpu(iommu_dont_flush_iotlb) = 1;
+ spin_lock(&d->page_alloc_lock);
+
+- this_cpu(iommu_dont_flush_iotlb) = 1;
+ page_list_for_each ( page, &d->page_list )
+ {
+ if ( is_hvm_domain(d) ||
+@@ -320,18 +320,20 @@ static int iommu_populate_page_table(str
+ rc = hd->platform_ops->map_page(
+ d, mfn_to_gmfn(d, page_to_mfn(page)), page_to_mfn(page),
+ IOMMUF_readable|IOMMUF_writable);
+- if (rc)
+- {
+- spin_unlock(&d->page_alloc_lock);
+- hd->platform_ops->teardown(d);
+- return rc;
+- }
++ if ( rc )
++ break;
+ }
+ }
+- this_cpu(iommu_dont_flush_iotlb) = 0;
+- iommu_iotlb_flush_all(d);
++
+ spin_unlock(&d->page_alloc_lock);
+- return 0;
++ this_cpu(iommu_dont_flush_iotlb) = 0;
++
++ if ( !rc )
++ iommu_iotlb_flush_all(d);
++ else
++ hd->platform_ops->teardown(d);
++
++ return rc;
+ }
+
+
--- /dev/null
+x86/AMD: work around erratum 793
+
+The recommendation is to set a bit in an MSR - do this if the firmware
+didn't, considering that otherwise we expose ourselves to a guest
+induced DoS.
+
+This is CVE-2013-6885 / XSA-82.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -476,6 +476,20 @@ static void __devinit init_amd(struct cp
+ "*** Pass \"allow_unsafe\" if you're trusting"
+ " all your (PV) guest kernels. ***\n");
+
++ if (c->x86 == 0x16 && c->x86_model <= 0xf) {
++ rdmsrl(MSR_AMD64_LS_CFG, value);
++ if (!(value & (1 << 15))) {
++ static bool_t warned;
++
++ if (c == &boot_cpu_data || opt_cpu_info ||
++ !test_and_set_bool(warned))
++ printk(KERN_WARNING
++ "CPU%u: Applying workaround for erratum 793\n",
++ smp_processor_id());
++ wrmsrl(MSR_AMD64_LS_CFG, value | (1 << 15));
++ }
++ }
++
+ /* AMD CPUs do not support SYSENTER outside of legacy mode. */
+ clear_bit(X86_FEATURE_SEP, c->x86_capability);
+
+--- a/xen/include/asm-x86/msr-index.h
++++ b/xen/include/asm-x86/msr-index.h
+@@ -213,6 +213,7 @@
+
+ /* AMD64 MSRs */
+ #define MSR_AMD64_NB_CFG 0xc001001f
++#define MSR_AMD64_LS_CFG 0xc0011020
+ #define MSR_AMD64_IC_CFG 0xc0011021
+ #define MSR_AMD64_DC_CFG 0xc0011022
+ #define AMD64_NB_CFG_CF8_EXT_ENABLE_BIT 46
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.2.3
-Release: 25%{?dist}
+Release: 26%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
Patch144: xsa73-4.2.patch
Patch145: xsa75-4.2.patch
Patch146: xsa78.patch
+Patch147: xsa74-4.1-4.2.patch
+Patch148: xsa76.patch
+Patch149: xsa80.patch
+Patch150: xsa82.patch
Patch1000: xen-centos-disable-CFLAGS-for-qemu.patch
%patch144 -p1
%patch145 -p1
%patch146 -p1
+%patch147 -p1
+%patch148 -p1
+%patch149 -p1
+%patch150 -p1
%patch1000 -p1
%endif
%changelog
+* Tue Dec 10 2013 Johnny Hughes <johnny@centos.org> - 4.2.3-26.el6.centos
+- Roll in Patches 147, 148, 149, 150 for the following XSAs:
+- XSA-74 (CVE-2013-4553), XSA-76 (CVE-2013-4554), XSA-80 (CVE-2013-6400)
+- XSA-81 (CVE-2013-6885)
+
* Sat Nov 23 2013 Johnny Hughes <johnny@centos.org> - 4.2.3-25.el6.centos
- Roll in patch 145 and 146 for XSA-75 (CVE-2013-4551), XSA-78 (CVE-2013-6375)
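Review bot: The new 4.2.3-26 changelog entry attributes CVE-2013-6885 to XSA-81, but the patch it rolls in is `Patch150: xsa82.patch` and that patch's own header reads `This is CVE-2013-6885 / XSA-82.`, so the advisory number is wrong. The line `- XSA-81 (CVE-2013-6885)` should read `- XSA-82 (CVE-2013-6885)`. Security trackers and users grep package changelogs for XSA identifiers to confirm a fix is shipped, so a mismatched number makes this update look as if it covers a different advisory. The other three identifiers in the entry (XSA-74/76/80) match the headers of the added patch files.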