import xen-4.2.4-32.el6.centos.alt
authorKaranbir Singh <kbsingh@centos.org>
Tue, 7 Oct 2014 14:54:56 +0000 (14:54 +0000)
committerKaranbir Singh <kbsingh@centos.org>
Tue, 7 Oct 2014 14:54:56 +0000 (14:54 +0000)
SOURCES/xen-pygrub-fix-for-rhel7.patch [new file with mode: 0644]
SOURCES/xsa92-4.2.patch [new file with mode: 0644]
SOURCES/xsa96.patch [new file with mode: 0644]
SPECS/xen.spec

diff --git a/SOURCES/xen-pygrub-fix-for-rhel7.patch b/SOURCES/xen-pygrub-fix-for-rhel7.patch
new file mode 100644 (file)
index 0000000..1ad5d78
--- /dev/null
@@ -0,0 +1,25 @@
+# HG changeset patch
+# Parent df2b08554a3b5da3493e536f1dbe762cd65d61f3
+
+diff --git a/tools/pygrub/src/GrubConf.py b/tools/pygrub/src/GrubConf.py
+--- a/tools/pygrub/src/GrubConf.py
++++ b/tools/pygrub/src/GrubConf.py
+@@ -348,7 +348,9 @@
+                 
+     commands = {'set:root': 'root',
+                 'linux': 'kernel',
++                'linux16': 'kernel',
+                 'initrd': 'initrd',
++                'initrd16': 'initrd',
+                 'echo': None,
+                 'insmod': None,
+                 'search': None}
+@@ -394,7 +396,7 @@
+                 continue
+             # new image
+-            title_match = re.match('^menuentry ["\'](.*)["\'] (.*){', l)
++            title_match = re.match('^menuentry ["\'](.*?)["\'] (.*){', l)
+             if title_match:
+                 if img is not None:
+                     raise RuntimeError, "syntax error: cannot nest menuentry (%d %s)" % (len(img),img)
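Review bot: The `menuentry` pattern still lets the opening and closing quote differ, because both sides use the class `["\']`. The non-greedy `(.*?)` therefore ends the title at the first quote of either kind that is followed by a space, which can cut short a title that embeds the other quote character. Tying the closing quote to the opening one avoids that: `title_match = re.match(r'^menuentry (["\'])(.*?)\1 (.*){', l)`. This shifts the title to group 2, so the consumer of `title_match`, which lies outside this hunk, would need the matching adjustment. A short comment above the `linux16`/`initrd16` entries saying they are treated as aliases of `linux`/`initrd` would also help the next reader.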
diff --git a/SOURCES/xsa92-4.2.patch b/SOURCES/xsa92-4.2.patch
new file mode 100644 (file)
index 0000000..1ec2111
--- /dev/null
@@ -0,0 +1,36 @@
+x86/HVM: restrict HVMOP_set_mem_type
+
+Permitting arbitrary type changes here has the potential of creating
+present P2M (and hence EPT/NPT/IOMMU) entries pointing to an invalid
+MFN (INVALID_MFN truncated to the respective hardware structure field's
+width). This would become a problem the latest when something real sat
+at the end of the physical address space; I'm suspecting though that
+other things might break with such bogus entries.
+
+Along with that drop a bogus (and otherwise becoming stale) log
+message.
+
+Afaict the similar operation in p2m_set_mem_access() is safe.
+
+This is XSA-92.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4245,12 +4245,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                 rc = -EINVAL;
+                 goto param_fail4;
+             } 
+-            if ( p2m_is_grant(t) )
++            if ( !p2m_is_ram(t) &&
++                 (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) )
+             {
+                 put_gfn(d, pfn);
+-                gdprintk(XENLOG_WARNING,
+-                         "type for pfn 0x%lx changed to grant while "
+-                         "we were working?\n", pfn);
+                 goto param_fail4;
+             }
+             else
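Review bot: The new rejection test in do_hvm_op() is hard to read because of the stacked negations and should carry a comment stating the policy it enforces, for example `/* Only RAM may be retyped; a hole may only become HVMMEM_mmio_dm. */`. The branch also reaches `goto param_fail4` without assigning `rc`, whereas the branch just above sets `rc = -EINVAL` first. Presumably `rc` already holds an error from code above the hunk, but with the log message removed, an explicit `rc = -EINVAL;` before the `goto` would make the failure value verifiable from these lines alone. The enclosing loop and function begin and end outside the hunk.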
diff --git a/SOURCES/xsa96.patch b/SOURCES/xsa96.patch
new file mode 100644 (file)
index 0000000..ef6443f
--- /dev/null
@@ -0,0 +1,38 @@
+x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
+
+- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
+  mustn't unconditionally de-reference it, and we need to invoke it
+  another time after having called map_domain_emuirq_pirq()
+- don't use printk(), namely without XENLOG_GUEST, for error reporting
+
+This is XSA-96.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/irq.c
++++ b/xen/arch/x86/hvm/irq.c
+@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
+             struct pirq *info = pirq_info(d, pirq);
+             /* if it is the first time, allocate the pirq */
+-            if (info->arch.hvm.emuirq == IRQ_UNBOUND)
++            if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
+             {
+                 spin_lock(&d->event_lock);
+                 map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
+                 spin_unlock(&d->event_lock);
++                info = pirq_info(d, pirq);
++                if ( !info )
++                    return;
+             } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
+-            {
+-                printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
+                 return;
+-            }
+             send_guest_pirq(d, info);
+             return;
+-        } else {
+-            printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
+         }
+     }
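Review bot: After the re-fetch in hvm_inject_msi() only the NULL case is rejected, and the return value of `map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU)` is discarded. If `info` already existed with `emuirq == IRQ_UNBOUND` and the mapping did not take effect, control still reaches `send_guest_pirq(d, info)` with a pIRQ that is not bound as an emulated MSI. Whether the mapping can fail on this path is not visible in the hunk, so this is a defensive suggestion. Re-checking the state after the re-fetch would cover it: `if ( !info || info->arch.hvm.emuirq != IRQ_MSI_EMU ) return;`. The function body continues outside the hunk.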
index c23bd105a01928b58b2b01a0d2497f860a9b3eb0..c8a0c1343ef3fac7f73fb9365d51a216bd8f9ae9 100644 (file)
@@ -19,7 +19,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.4
-Release: 30%{?dist}
+Release: 32%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -80,6 +80,10 @@ Patch106: xen-xl-autoballon-with-auto-option.patch
 Patch107: xen-xl-set-autoballon-default-auto.patch
 
 Patch200: xsa89.patch
+Patch201: xen-pygrub-fix-for-rhel7.patch 
+Patch202: xsa92-4.2.patch
+Patch203: xsa96.patch 
+
 
 Patch1000: xen-centos-disable-CFLAGS-for-qemu.patch
 Patch1001: xen-centos-disableWerror-blktap25.patch
@@ -256,6 +260,8 @@ manage Xen virtual machines.
 %patch107 -p1
 
 %patch200 -p1
+%patch201 -p1
+%patch202 -p1
 
 %patch1000 -p1
 
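Review bot: `Patch203: xsa96.patch` is declared and the changelog records XSA-96 as added in 4.2.4-32, but this %prep hunk applies only `%patch201 -p1` and `%patch202 -p1`. As far as the visible lines show, the XSA-96 fix ships in the source package without ever being applied to the tree that gets built. Add `%patch203 -p1` after `%patch202 -p1`, unless it is applied elsewhere in %prep outside this hunk. The build log's list of applied patches is worth checking, because a changelog entry naming CVE-2014-3967 and CVE-2014-3968 will be read as evidence that the fix is present in the binary.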
@@ -804,8 +810,15 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Mon Jun 16 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-32.el6.centos
+- Patch203 (XSA-96, CVE-2014-3967 and CVE-2014-3968) added
+
+* Mon May  5 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-31.el6.centos
+- Roll in Patch202, XSA-92 (CVE-2014-3124)
+- Created Patch201 to allow RHEL7 Beta and RC to boot
+
 * Wed Mar 26 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-30.el6.centos
-- roll in Patch200, XSA-89
+- roll in Patch200, XSA-89 (CVE-2014-2599)
 
 * Sun Feb 23 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-29.el6.centos
 - cleaned up older patches, removed qemu-xen upstream git (Source 100)