import xen-4.2.5-34.el6.centos.alt
authorKaranbir Singh <kbsingh@centos.org>
Tue, 7 Oct 2014 15:01:01 +0000 (15:01 +0000)
committerKaranbir Singh <kbsingh@centos.org>
Tue, 7 Oct 2014 15:01:01 +0000 (15:01 +0000)
SOURCES/xsa108.patch [new file with mode: 0644]
SPECS/xen.spec

diff --git a/SOURCES/xsa108.patch b/SOURCES/xsa108.patch
new file mode 100644 (file)
index 0000000..e162185
--- /dev/null
@@ -0,0 +1,36 @@
+x86/HVM: properly bound x2APIC MSR range
+
+While the write path change appears to be purely cosmetic (but still
+gets done here for consistency), the read side mistake permitted
+accesses beyond the virtual APIC page.
+
+Note that while this isn't fully in line with the specification
+(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
+possible fix addressing the security issue and getting x2APIC related
+code into a consistent shape (elsewhere a 256 rather than 1024 wide
+window is being used too). This will be dealt with subsequently.
+
+This is XSA-108.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int 
+         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+         break;
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+             goto gp_fault;
+         break;
+@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int
+         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+         break;
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+             goto gp_fault;
+         break;
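Review bot: The new upper bound `MSR_IA32_APICBASE_MSR + 0xff` in the `case` ranges of hvm_msr_read_intercept() and hvm_msr_write_intercept() is a bare constant, and nothing at either label records that it must stay within what the virtual APIC page backs, which per the patch description is the property whose violation allowed reads beyond that page. I would add a comment above both labels such as `/* x2APIC MSR window: 0x100 MSRs, must not exceed the vLAPIC register page (XSA-108) */`, or replace the literal with one named constant shared by the two ranges. hvm_x2apic_msr_read() and hvm_x2apic_msr_write() are not visible here, and both intercept functions start and end outside the hunks, so I cannot tell whether the handlers bound the offset themselves; if they do not, a range check inside the read handler would keep the fix from depending on each caller's case range. The description also says a 256-wide window is used elsewhere, so those sites presumably should share the same constant.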
index 858ee491fb30d3b9f494a06279a0845f954aa8c9..2b32614741691917f9a33bdc43468f08bbc917b4 100644 (file)
@@ -19,7 +19,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.5
-Release: 33%{?dist}
+Release: 34%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -84,6 +84,7 @@ Patch205: xsa97-hap-4.2.patch
 Patch206: xsa104.patch
 Patch207: xsa105.patch
 Patch208: xsa106.patch
+Patch209: xsa108.patch
 
 Patch1000: xen-centos-disable-CFLAGS-for-qemu.patch
 Patch1001: xen-centos-disableWerror-blktap25.patch
@@ -263,6 +264,7 @@ manage Xen virtual machines.
 %patch206 -p1
 %patch207 -p1
 %patch208 -p1
+%patch209 -p1
 
 %patch1000 -p1
 
@@ -811,6 +813,9 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Oct  1 2014 Johnny Hughes <johnny@centos.org> - 4.2.5-34.el6.centos
+- Roll in Patch209 (XSA-108, CVE-2014-7188)
+
 * Fri Sep 26 2014 Johnny HUghes <johnny@centos.org> -  4.2.5-33.el6.centos
 - upgrade to upstream Xen version 4.2.5
 - removed patches that are already part of 4.2.5