import xen-4.2.3-27.el6.centos.alt

diff --git a/SOURCES/xsa83.patch b/SOURCES/xsa83.patch
new file mode 100644 (file)
index 0000000..209c38b
--- /dev/null
+++ b/SOURCES/xsa83.patch
@@ -0,0 +1,20 @@
+x86/irq: avoid use-after-free on error path in pirq_guest_bind()
+
+This is XSA-83.
+
+Coverity-ID: 1146952
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/irq.c
++++ b/xen/arch/x86/irq.c
+@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru
+             printk(XENLOG_G_INFO
+                    "Cannot bind IRQ%d to dom%d. Out of memory.\n",
+                    pirq->pirq, v->domain->domain_id);
+-            rc = -ENOMEM;
+-            goto out;
++            return -ENOMEM;
+         }
+ 
+         action = newaction;

diff --git a/SOURCES/xsa87-4.2.patch b/SOURCES/xsa87-4.2.patch
new file mode 100644 (file)
index 0000000..494cf5e
--- /dev/null
+++ b/SOURCES/xsa87-4.2.patch
@@ -0,0 +1,21 @@
+x86: PHYSDEVOP_{prepare,release}_msix are privileged
+
+Yet this wasn't being enforced.
+
+This is XSA-87.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/physdev.c
++++ b/xen/arch/x86/physdev.c
+@@ -612,7 +612,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+     case PHYSDEVOP_release_msix: {
+         struct physdev_pci_device dev;
+ 
+-        if ( copy_from_guest(&dev, arg, 1) )
++        if ( !IS_PRIV(v->domain) )
++            ret = -EPERM;
++        else if ( copy_from_guest(&dev, arg, 1) )
+             ret = -EFAULT;
+         else
+             ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn,

diff --git a/SPECS/xen.spec b/SPECS/xen.spec
index 17d3245e40d93bc5677a340e601f26b6b2792cb0..d4bd1a9dd0f9cec050bb234e6b68d068de42c048 100644 (file)
--- a/SPECS/xen.spec
+++ b/SPECS/xen.spec
@@ -19,7 +19,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.3
-Release: 26%{?dist}
+Release: 27%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -134,7 +134,8 @@ Patch147: xsa74-4.1-4.2.patch
 Patch148: xsa76.patch
 Patch149: xsa80.patch
 Patch150: xsa82.patch
-
+Patch151: xsa83.patch
+Patch152: xsa87-4.2.patch
 
 Patch1000: xen-centos-disable-CFLAGS-for-qemu.patch
 Patch1001: xen-centos-disableWerror-blktap25.patch
@@ -326,6 +327,8 @@ manage Xen virtual machines.
 %patch148 -p1
 %patch149 -p1
 %patch150 -p1
+%patch151 -p1
+%patch152 -p1
 
 %patch1000 -p1
 
@@ -876,6 +879,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri Jan 24 2014 Johnny Hughes <johnny@centos.org> - 4.2.3-27.el6.centos
+- Roll in patches 151 and 152 for the following XSAs:
+  XSA-83 (CVE-2104-1642) and XSA-87 (CVE-2014-1666)
+
 * Tue Dec 10 2013 Johnny Hughes <johnny@centos.org> - 4.2.3-26.el6.centos
 - Roll in Patches 147, 148, 149, 150 for the following XSAs:
 - XSA-74 (CVE-2013-4553), XSA-76 (CVE-2013-4554), XSA-80 (CVE-2013-6400)