3411652615b89bc2c7fa7fb72a4fee1415936eb943ce27eff700278f1f26f50c SOURCES/blktap-9960138790b9d3610b12acd153bba20235efa4f5.tar.gz
-1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e SOURCES/zlib-1.2.3.tar.gz
4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b SOURCES/grub-0.97.tar.gz
772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f SOURCES/lwip-1.3.0.tar.gz
db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07 SOURCES/newlib-1.16.0.tar.gz
f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 SOURCES/pciutils-2.2.9.tar.bz2
-fad9414898f727ddb7d14d30d89ca977375e6dddef301aa6f3df74ee766b0235 SOURCES/qemu-xen-4.2.3.tar.gz
-69b6a73701383d609ad094a38925004e8595755fb39a6fafd579ba754e8667db SOURCES/xen-4.2.3.tar.gz
+e23e6292affd7a6d82da99527e8bf3964e57eb7322144c67c2025692b1a21550 SOURCES/xen-4.2.4.tar.gz
+1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e SOURCES/zlib-1.2.3.tar.gz
+++ /dev/null
-Add -f FMT / --format FMT arg to qemu-nbd
-
-From: "Daniel P. Berrange" <berrange@redhat.com>
-
-Currently the qemu-nbd program will auto-detect the format of
-any disk it is given. This behaviour is known to be insecure.
-For example, if qemu-nbd initially exposes a 'raw' file to an
-unprivileged app, and that app runs
-
- 'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
-
-then the next time the app is started, the qemu-nbd will now
-detect it as a 'qcow2' file and expose /etc/shadow to the
-unprivileged app.
-
-The only way to avoid this is to explicitly tell qemu-nbd what
-disk format to use on the command line, completely disabling
-auto-detection. This patch adds a '-f' / '--format' arg for
-this purpose, mirroring what is already available via qemu-img
-and qemu commands.
-
- qemu-nbd --format raw -p 9000 evil.img
-
-will now always use raw, regardless of what format 'evil.img'
-looks like it contains
-
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-[Use errx, not err. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
-
-[ This is a security issue, CVE-2013-1922 / XSA-48. ]
-
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index 291cba2..8fbe2cf 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -247,6 +247,7 @@ out:
- int main(int argc, char **argv)
- {
- BlockDriverState *bs;
-+ BlockDriver *drv;
- off_t dev_offset = 0;
- off_t offset = 0;
- uint32_t nbdflags = 0;
-@@ -256,7 +257,7 @@ int main(int argc, char **argv)
- struct sockaddr_in addr;
- socklen_t addr_len = sizeof(addr);
- off_t fd_size;
-- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
-+ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t";
- struct option lopt[] = {
- { "help", 0, NULL, 'h' },
- { "version", 0, NULL, 'V' },
-@@ -271,6 +272,7 @@ int main(int argc, char **argv)
- { "snapshot", 0, NULL, 's' },
- { "nocache", 0, NULL, 'n' },
- { "shared", 1, NULL, 'e' },
-+ { "format", 1, NULL, 'f' },
- { "persistent", 0, NULL, 't' },
- { "verbose", 0, NULL, 'v' },
- { NULL, 0, NULL, 0 }
-@@ -292,6 +294,7 @@ int main(int argc, char **argv)
- int max_fd;
- int persistent = 0;
- pthread_t client_thread;
-+ const char *fmt = NULL;
-
- /* The client thread uses SIGTERM to interrupt the server. A signal
- * handler ensures that "qemu-nbd -v -c" exits with a nice status code.
-@@ -368,6 +371,9 @@ int main(int argc, char **argv)
- errx(EXIT_FAILURE, "Shared device number must be greater than 0\n");
- }
- break;
-+ case 'f':
-+ fmt = optarg;
-+ break;
- case 't':
- persistent = 1;
- break;
-@@ -478,9 +484,19 @@ int main(int argc, char **argv)
- bdrv_init();
- atexit(bdrv_close_all);
-
-+ if (fmt) {
-+ drv = bdrv_find_format(fmt);
-+ if (!drv) {
-+ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt);
-+ }
-+ } else {
-+ drv = NULL;
-+ }
-+
- bs = bdrv_new("hda");
- srcpath = argv[optind];
-- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) {
-+ ret = bdrv_open(bs, srcpath, flags, drv);
-+ if (ret < 0) {
- errno = -ret;
- err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]);
- }
-diff --git a/qemu-nbd.texi b/qemu-nbd.texi
-index 44996cc..f56c68e 100644
---- a/qemu-nbd.texi
-+++ b/qemu-nbd.texi
-@@ -36,6 +36,8 @@ Export Qemu disk image using NBD protocol.
- disconnect the specified device
- @item -e, --shared=@var{num}
- device can be shared by @var{num} clients (default @samp{1})
-+@item -f, --format=@var{fmt}
-+ force block driver for format @var{fmt} instead of auto-detecting
- @item -t, --persistent
- don't exit on the last connection
- @item -v, --verbose
+++ /dev/null
-x86/xsave: initialize extended register state when guests enable it
-
-Till now, when setting previously unset bits in XCR0 we wouldn't touch
-the active register state, thus leaving in the newly enabled registers
-whatever a prior user of it left there, i.e. potentially leaking
-information between guests.
-
-This is CVE-2013-1442 / XSA-62.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-@@ -307,6 +307,7 @@ int validate_xstate(u64 xcr0, u64 xcr0_a
- int handle_xsetbv(u32 index, u64 new_bv)
- {
- struct vcpu *curr = current;
-+ u64 mask;
-
- if ( index != XCR_XFEATURE_ENABLED_MASK )
- return -EOPNOTSUPP;
-@@ -320,9 +321,23 @@ int handle_xsetbv(u32 index, u64 new_bv)
- if ( !set_xcr0(new_bv) )
- return -EFAULT;
-
-+ mask = new_bv & ~curr->arch.xcr0_accum;
- curr->arch.xcr0 = new_bv;
- curr->arch.xcr0_accum |= new_bv;
-
-+ mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY;
-+ if ( mask )
-+ {
-+ unsigned long cr0 = read_cr0();
-+
-+ clts();
-+ if ( curr->fpu_dirtied )
-+ asm ( "stmxcsr %0" : "=m" (curr->arch.xsave_area->fpu_sse.mxcsr) );
-+ xrstor(curr, mask);
-+ if ( cr0 & X86_CR0_TS )
-+ write_cr0(cr0);
-+ }
-+
- return 0;
- }
-
+++ /dev/null
-x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
-
-Ignoring them generally implies using uninitialized data and, in all
-cases dealt with here, potentially leaking hypervisor stack contents to
-guests.
-
-This is XSA-63.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -2308,11 +2308,7 @@ void hvm_task_switch(
-
- rc = hvm_copy_from_guest_virt(
- &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
-- if ( rc == HVMCOPY_bad_gva_to_gfn )
-- goto out;
-- if ( rc == HVMCOPY_gfn_paged_out )
-- goto out;
-- if ( rc == HVMCOPY_gfn_shared )
-+ if ( rc != HVMCOPY_okay )
- goto out;
-
- eflags = regs->eflags;
-@@ -2357,13 +2353,11 @@ void hvm_task_switch(
-
- rc = hvm_copy_from_guest_virt(
- &tss, tr.base, sizeof(tss), PFEC_page_present);
-- if ( rc == HVMCOPY_bad_gva_to_gfn )
-- goto out;
-- if ( rc == HVMCOPY_gfn_paged_out )
-- goto out;
-- /* Note: this could be optimised, if the callee functions knew we want RO
-- * access */
-- if ( rc == HVMCOPY_gfn_shared )
-+ /*
-+ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
-+ * functions knew we want RO access.
-+ */
-+ if ( rc != HVMCOPY_okay )
- goto out;
-
-
---- a/xen/arch/x86/hvm/intercept.c
-+++ b/xen/arch/x86/hvm/intercept.c
-@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu *
- {
- for ( i = 0; i < p->count; i++ )
- {
-- int ret;
--
-- ret = hvm_copy_from_guest_phys(&data,
-- p->data + (sign * i * p->size),
-- p->size);
-- if ( (ret == HVMCOPY_gfn_paged_out) ||
-- (ret == HVMCOPY_gfn_shared) )
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
- {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
- rc = X86EMUL_RETRY;
- break;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ rc = X86EMUL_UNHANDLEABLE;
-+ break;
- }
-+ if ( rc != X86EMUL_OKAY )
-+ break;
- rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
- data);
- if ( rc != X86EMUL_OKAY )
-@@ -165,8 +176,28 @@ static int process_portio_intercept(port
- for ( i = 0; i < p->count; i++ )
- {
- data = 0;
-- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
-- p->size);
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
-+ {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
-+ rc = X86EMUL_RETRY;
-+ break;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ rc = X86EMUL_UNHANDLEABLE;
-+ break;
-+ }
-+ if ( rc != X86EMUL_OKAY )
-+ break;
- rc = action(IOREQ_WRITE, p->addr, p->size, &data);
- if ( rc != X86EMUL_OKAY )
- break;
---- a/xen/arch/x86/hvm/io.c
-+++ b/xen/arch/x86/hvm/io.c
-@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp
- data = p->data;
- if ( p->data_is_ptr )
- {
-- int ret;
--
-- ret = hvm_copy_from_guest_phys(&data,
-- p->data + (sign * i * p->size),
-- p->size);
-- if ( (ret == HVMCOPY_gfn_paged_out) &&
-- (ret == HVMCOPY_gfn_shared) )
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
-+ {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
- return X86EMUL_RETRY;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ return X86EMUL_UNHANDLEABLE;
-+ }
- }
-
- switch ( p->size )
---- a/xen/arch/x86/hvm/vmx/realmode.c
-+++ b/xen/arch/x86/hvm/vmx/realmode.c
-@@ -39,7 +39,9 @@ static void realmode_deliver_exception(
-
- again:
- last_byte = (vector * 4) + 3;
-- if ( idtr->limit < last_byte )
-+ if ( idtr->limit < last_byte ||
-+ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
-+ HVMCOPY_okay )
- {
- /* Software interrupt? */
- if ( insn_len != 0 )
-@@ -64,8 +66,6 @@ static void realmode_deliver_exception(
- }
- }
-
-- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
--
- frame[0] = regs->eip + insn_len;
- frame[1] = csr->sel;
- frame[2] = regs->eflags & ~X86_EFLAGS_RF;
+++ /dev/null
-commit 95a0770282ea2a03f7bc48c6656d5fc79bae0599
-Author: Tim Deegan <tim@xen.org>
-Date: Thu Sep 12 14:16:28 2013 +0100
-
- x86/mm/shadow: Fix initialization of PV shadow L4 tables.
-
- Shadowed PV L4 tables must have the same Xen mappings as their
- unshadowed equivalent. This is done by copying the Xen entries
- verbatim from the idle pagetable, and then using guest_l4_slot()
- in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
-
- adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
- changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
- the top of the address space, which causes the shadow code to
- copy Xen mappings into guest-kernel-address slots too.
-
- In the common case, all those slots are zero in the idle pagetable,
- and no harm is done. But if any slot above #271 is non-zero, Xen will
- crash when that slot is later cleared (it attempts to drop
- shadow-pagetable refcounts on its own L4 pagetables).
-
- Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
- Monitor pagetables need the full Xen mappings, so they keep using the
- old name (with its new semantics).
-
- This is XSA-64.
-
- Signed-off-by: Tim Deegan <tim@xen.org>
- Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index 4c4c2ba..3fed0b6 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct vcpu *v, mfn_t gl4mfn, mfn_t sl4mfn)
- {
- struct domain *d = v->domain;
- shadow_l4e_t *sl4e;
-+ unsigned int slots;
-
- sl4e = sh_map_domain_page(sl4mfn);
- ASSERT(sl4e != NULL);
- ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));
-
- /* Copy the common Xen mappings from the idle domain */
-+ slots = (shadow_mode_external(d)
-+ ? ROOT_PAGETABLE_XEN_SLOTS
-+ : ROOT_PAGETABLE_PV_XEN_SLOTS);
- memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],
- &idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],
-- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));
-+ slots * sizeof(l4_pgentry_t));
-
- /* Install the per-domain mappings for this domain */
- sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
+++ /dev/null
-x86: properly set up fbld emulation operand address
-
-This is CVE-2013-4361 / XSA-66.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
---- a/xen/arch/x86/x86_emulate/x86_emulate.c
-+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -3156,11 +3156,11 @@ x86_emulate(
- break;
- case 4: /* fbld m80dec */
- ea.bytes = 10;
-- dst = ea;
-+ src = ea;
- if ( (rc = ops->read(src.mem.seg, src.mem.off,
- &src.val, src.bytes, ctxt)) != 0 )
- goto done;
-- emulate_fpu_insn_memdst("fbld", src.val);
-+ emulate_fpu_insn_memsrc("fbld", src.val);
- break;
- case 5: /* fild m64i */
- ea.bytes = 8;
+++ /dev/null
-x86: check segment descriptor read result in 64-bit OUTS emulation
-
-When emulating such an operation from a 64-bit context (CS has long
-mode set), and the data segment is overridden to FS/GS, the result of
-reading the overridden segment's descriptor (read_descriptor) is not
-checked. If it fails, data_base is left uninitialized.
-
-This can lead to 8 bytes of Xen's stack being leaked to the guest
-(implicitly, i.e. via the address given in a #PF).
-
-Coverity-ID: 1055116
-
-This is CVE-2013-4368 / XSA-67.
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
-
-Fix formatting.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/traps.c
-+++ b/xen/arch/x86/traps.c
-@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct
- break;
- }
- }
-- else
-- read_descriptor(data_sel, v, regs,
-- &data_base, &data_limit, &ar,
-- 0);
-+ else if ( !read_descriptor(data_sel, v, regs,
-+ &data_base, &data_limit, &ar, 0) ||
-+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
-+ goto fail;
- data_limit = ~0UL;
- ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
- }
+++ /dev/null
-libxl: fix vif rate parsing
-
-strtok can return NULL here. We don't need to use strtok anyway, so just
-use a simple strchr method.
-
-Coverity-ID: 1055642
-
-This is CVE-2013-4369 / XSA-68
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
-
-Fix type. Add test case
-
-Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>
-
-diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse
-index 0473182..02c6dba 100755
---- a/tools/libxl/check-xl-vif-parse
-+++ b/tools/libxl/check-xl-vif-parse
-@@ -206,4 +206,8 @@ expected </dev/null
- one $e rate=4294967295GB/s@5us
- one $e rate=4296MB/s@4294s
-
-+# test include of single '@'
-+expected </dev/null
-+one $e rate=@
-+
- complete
-diff --git a/tools/libxl/libxlu_vif.c b/tools/libxl/libxlu_vif.c
-index 3b3de0f..0665e62 100644
---- a/tools/libxl/libxlu_vif.c
-+++ b/tools/libxl/libxlu_vif.c
-@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, const char *rate, libxl_device_nic *nic)
- uint64_t bytes_per_sec = 0;
- uint64_t bytes_per_interval = 0;
- uint32_t interval_usecs = 50000UL; /* Default to 50ms */
-- char *ratetok, *tmprate;
-+ char *p, *tmprate;
- int rc = 0;
-
- tmprate = strdup(rate);
-+ if (tmprate == NULL) {
-+ rc = ENOMEM;
-+ goto out;
-+ }
-+
-+ p = strchr(tmprate, '@');
-+ if (p != NULL)
-+ *p++ = 0;
-+
- if (!strcmp(tmprate,"")) {
- xlu__vif_err(cfg, "no rate specified", rate);
- rc = EINVAL;
- goto out;
- }
-
-- ratetok = strtok(tmprate, "@");
-- rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);
-+ rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);
- if (rc) goto out;
-
-- ratetok = strtok(NULL, "@");
-- if (ratetok != NULL) {
-- rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);
-+ if (p != NULL) {
-+ rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);
- if (rc) goto out;
- }
-
+++ /dev/null
-From 067c122873c67bd1d9620f8340f9c9c209135388 Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattjd@gmail.com>
-Date: Tue, 10 Sep 2013 23:12:45 +1200
-Subject: [PATCH] tools/ocaml: fix erroneous free of cpumap in
- stub_xc_vcpu_getaffinity
-
-Not sure how it got there...
-
-Coverity-ID: 1056196
-
-This is CVE-2013-4370 / XSA-69
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
----
- tools/ocaml/libs/xc/xenctrl_stubs.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
-index df756ad..f5cf0ed 100644
---- a/tools/ocaml/libs/xc/xenctrl_stubs.c
-+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
-@@ -461,8 +461,6 @@ CAMLprim value stub_xc_vcpu_getaffinity(value xch, value domid,
-
- retval = xc_vcpu_getaffinity(_H(xch), _D(domid),
- Int_val(vcpu), c_cpumap);
-- free(c_cpumap);
--
- if (retval < 0) {
- free(c_cpumap);
- failwith_xc(_H(xch));
---
-1.7.10.4
-
+++ /dev/null
-From 94db3e1cb356a0d2de1753888ceb0eb767404ec4 Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattjd@gmail.com>
-Date: Tue, 10 Sep 2013 22:18:46 +1200
-Subject: [PATCH] libxl: fix out-of-memory error handling in
- libxl_list_cpupool
-
-...otherwise it will return freed memory. All the current users of this
-function check already for a NULL return, so use that.
-
-Coverity-ID: 1056194
-
-This is CVE-2013-4371 / XSA-70
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
----
- tools/libxl/libxl.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 0879f23..17653ef 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -651,6 +651,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool_out)
- if (!tmp) {
- LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
- libxl_cpupoolinfo_list_free(ptr, i);
-+ ptr = NULL;
- goto out;
- }
- ptr = tmp;
---
-1.7.10.4
-
+++ /dev/null
-tools: xenstored: if the reply is too big then send E2BIG error
-
-This fixes the issue for both C and ocaml xenstored, however only the ocaml
-xenstored is vulnerable in its default configuration.
-
-Adding a new error appears to be safe, since bit libxenstore and the Linux
-driver at least treat an unknown error code as EINVAL.
-
-This is XSA-72
-
-Original ocaml patch by Jerome Maloberti <jerome.maloberti@citrix.com>
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Signed-off-by: Thomas Sanders <thomas.sanders@citrix.com>
-
-diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/connection.ml
-index 273fe4d..47695f8 100644
---- a/tools/ocaml/xenstored/connection.ml
-+++ b/tools/ocaml/xenstored/connection.ml
-@@ -18,6 +18,8 @@ exception End_of_file
-
- open Stdext
-
-+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
-+
- type watch = {
- con: t;
- token: string;
-@@ -112,8 +114,15 @@ let restrict con domid =
- let set_target con target_domid =
- con.perm <- Perms.Connection.set_target (get_perm con) ~perms:[Perms.READ; Perms.WRITE] target_domid
-
-+let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
-+ | Xenbus.Xb.Xenmmap _ -> true
-+ | _ -> false
-+
- let send_reply con tid rid ty data =
-- Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
-+ if (String.length data) > xenstore_payload_max && (is_backend_mmap con) then
-+ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid Xenbus.Xb.Op.Error "E2BIG\000")
-+ else
-+ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
-
- let send_error con tid rid err = send_reply con tid rid Xenbus.Xb.Op.Error (err ^ "\000")
- let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"
-diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
-index 0f8ba64..ccfdaa3 100644
---- a/tools/xenstore/xenstored_core.c
-+++ b/tools/xenstore/xenstored_core.c
-@@ -629,6 +629,11 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
- {
- struct buffered_data *bdata;
-
-+ if ( len > XENSTORE_PAYLOAD_MAX ) {
-+ send_error(conn, E2BIG);
-+ return;
-+ }
-+
- /* Message is a child of the connection context for auto-cleanup. */
- bdata = new_buffer(conn);
- bdata->buffer = talloc_array(bdata, char, len);
-diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
-index 99d24e3..585f0c8 100644
---- a/xen/include/public/io/xs_wire.h
-+++ b/xen/include/public/io/xs_wire.h
-@@ -83,7 +83,8 @@ __attribute__((unused))
- XSD_ERROR(EROFS),
- XSD_ERROR(EBUSY),
- XSD_ERROR(EAGAIN),
-- XSD_ERROR(EISCONN)
-+ XSD_ERROR(EISCONN),
-+ XSD_ERROR(E2BIG)
- };
- #endif
-
+++ /dev/null
-From 52b2c3148bdcaa46befcdca64e14d0201d7ca642 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 31 Oct 2013 20:49:00 +0000
-Subject: [PATCH] gnttab: correct locking order reversal
-
-Coverity ID 1087189
-
-Correct a lock order reversal between a domains page allocation and grant
-table locks.
-
-This is CVE-2013-4494 / XSA-73.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
-Consolidate error handling.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Keir Fraser <keir@xen.org>
-Tested-by: Matthew Daley <mattjd@gmail.com>
-
-Backported to Xen-4.2
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/common/grant_table.c | 52 +++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 44 insertions(+), 8 deletions(-)
-
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index 0e349cc..0672bad 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-@@ -1499,6 +1499,8 @@ gnttab_transfer(
-
- for ( i = 0; i < count; i++ )
- {
-+ bool_t okay;
-+
- if (i && hypercall_preempt_check())
- return i;
-
-@@ -1607,16 +1609,18 @@ gnttab_transfer(
- * pages when it is dying.
- */
- if ( unlikely(e->is_dying) ||
-- unlikely(e->tot_pages >= e->max_pages) ||
-- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
-+ unlikely(e->tot_pages >= e->max_pages) )
- {
-- if ( !e->is_dying )
-- gdprintk(XENLOG_INFO, "gnttab_transfer: "
-- "Transferee has no reservation "
-- "headroom (%d,%d) or provided a bad grant ref (%08x) "
-- "or is dying (%d)\n",
-- e->tot_pages, e->max_pages, gop.ref, e->is_dying);
- spin_unlock(&e->page_alloc_lock);
-+
-+ if ( e->is_dying )
-+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+ "Transferee (d%d) is dying\n", e->domain_id);
-+ else
-+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+ "Transferee (d%d) has no headroom (tot %u, max %u)\n",
-+ e->domain_id, e->tot_pages, e->max_pages);
-+
- rcu_unlock_domain(e);
- put_gfn(d, gop.mfn);
- page->count_info &= ~(PGC_count_mask|PGC_allocated);
-@@ -1628,6 +1632,38 @@ gnttab_transfer(
- /* Okay, add the page to 'e'. */
- if ( unlikely(e->tot_pages++ == 0) )
- get_knownalive_domain(e);
-+
-+ /*
-+ * We must drop the lock to avoid a possible deadlock in
-+ * gnttab_prepare_for_transfer. We have reserved a page in e so can
-+ * safely drop the lock and re-aquire it later to add page to the
-+ * pagelist.
-+ */
-+ spin_unlock(&e->page_alloc_lock);
-+ okay = gnttab_prepare_for_transfer(e, d, gop.ref);
-+ spin_lock(&e->page_alloc_lock);
-+
-+ if ( unlikely(!okay) || unlikely(e->is_dying) )
-+ {
-+ bool_t drop_dom_ref = (e->tot_pages-- == 1);
-+
-+ spin_unlock(&e->page_alloc_lock);
-+
-+ if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
-+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+ "Transferee (d%d) is now dying\n", e->domain_id);
-+
-+ if ( drop_dom_ref )
-+ put_domain(e);
-+ rcu_unlock_domain(e);
-+
-+ put_gfn(d, gop.mfn);
-+ page->count_info &= ~(PGC_count_mask|PGC_allocated);
-+ free_domheap_page(page);
-+ gop.status = GNTST_general_error;
-+ goto copyback;
-+ }
-+
- page_list_add_tail(page, &e->page_list);
- page_set_owner(page, e);
-
---
-1.7.10.4
-
+++ /dev/null
-x86: restrict XEN_DOMCTL_getmemlist
-
-Coverity ID 1055652
-
-(See the code comment.)
-
-This is CVE-2013-4553 / XSA-74.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-
---- a/xen/arch/x86/domctl.c
-+++ b/xen/arch/x86/domctl.c
-@@ -385,6 +385,26 @@ long arch_do_domctl(
- break;
- }
-
-+ /*
-+ * XSA-74: This sub-hypercall is broken in several ways:
-+ * - lock order inversion (p2m locks inside page_alloc_lock)
-+ * - no preemption on huge max_pfns input
-+ * - not (re-)checking d->is_dying with page_alloc_lock held
-+ * - not honoring start_pfn input (which libxc also doesn't set)
-+ * Additionally it is rather useless, as the result is stale by
-+ * the time the caller gets to look at it.
-+ * As it only has a single, non-production consumer (xen-mceinj),
-+ * rather than trying to fix it we restrict it for the time being.
-+ */
-+ if ( /* No nested locks inside copy_to_guest_offset(). */
-+ paging_mode_external(current->domain) ||
-+ /* Arbitrary limit capping processing time. */
-+ max_pfns > GB(4) / PAGE_SIZE )
-+ {
-+ ret = -EOPNOTSUPP;
-+ break;
-+ }
-+
- spin_lock(&d->page_alloc_lock);
-
- if ( unlikely(d->is_dying) ) {
+++ /dev/null
-nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing
-
-Otherwise uninitialized data may be used, leading to crashes.
-
-This is CVE-2013-4551 / XSA-75.
-
-Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/hvm/vmx/vvmx.c
-+++ b/xen/arch/x86/hvm/vmx/vvmx.c
-@@ -1075,15 +1075,10 @@ int nvmx_handle_vmxoff(struct cpu_user_r
- return X86EMUL_OKAY;
- }
-
--int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
-+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
- {
- struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
- struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-- int rc;
--
-- rc = vmx_inst_check_privilege(regs, 0);
-- if ( rc != X86EMUL_OKAY )
-- return rc;
-
- /* check VMCS is valid and IO BITMAP is set */
- if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
-@@ -1100,6 +1095,10 @@ int nvmx_handle_vmresume(struct cpu_user
- {
- int launched;
- struct vcpu *v = current;
-+ int rc = vmx_inst_check_privilege(regs, 0);
-+
-+ if ( rc != X86EMUL_OKAY )
-+ return rc;
-
- if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
- {
-@@ -1119,8 +1118,11 @@ int nvmx_handle_vmresume(struct cpu_user
- int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
- {
- int launched;
-- int rc;
- struct vcpu *v = current;
-+ int rc = vmx_inst_check_privilege(regs, 0);
-+
-+ if ( rc != X86EMUL_OKAY )
-+ return rc;
-
- if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
- {
+++ /dev/null
-x86/HVM: only allow ring 0 guest code to make hypercalls
-
-Anything else would allow for privilege escalation.
-
-This is CVE-2013-4554 / XSA-76.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
- case 4:
- case 2:
- hvm_get_segment_register(curr, x86_seg_ss, &sreg);
-- if ( unlikely(sreg.attr.fields.dpl == 3) )
-+ if ( unlikely(sreg.attr.fields.dpl) )
- {
- default:
- regs->eax = -EPERM;
+++ /dev/null
-VT-d: fix TLB flushing in dma_pte_clear_one()
-
-The third parameter of __intel_iommu_iotlb_flush() is to indicate
-whether the to be flushed entry was a present one. A few lines before,
-we bailed if !dma_pte_present(*pte), so there's no need to check the
-flag here again - we can simply always pass TRUE here.
-
-This is CVE-2013-6375 / XSA-78.
-
-Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
-
- if ( !this_cpu(iommu_dont_flush_iotlb) )
-- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
-+ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
-
- unmap_vtd_domain_page(page);
-
+++ /dev/null
-IOMMU: clear "don't flush" override on error paths
-
-Both xenmem_add_to_physmap() and iommu_populate_page_table() each have
-an error path that fails to clear that flag, thus suppressing further
-flushes on the respective pCPU.
-
-In iommu_populate_page_table() also slightly re-arrange code to avoid
-the false impression of the flag in question being guarded by a
-domain's page_alloc_lock.
-
-This is CVE-2013-6400 / XSA-80.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -4648,7 +4648,7 @@ static int xenmem_add_to_physmap(struct
- {
- rc = xenmem_add_to_physmap_once(d, xatp);
- if ( rc < 0 )
-- return rc;
-+ break;
-
- xatp->idx++;
- xatp->gpfn++;
---- a/xen/drivers/passthrough/iommu.c
-+++ b/xen/drivers/passthrough/iommu.c
-@@ -306,11 +306,11 @@ static int iommu_populate_page_table(str
- {
- struct hvm_iommu *hd = domain_hvm_iommu(d);
- struct page_info *page;
-- int rc;
-+ int rc = 0;
-
-+ this_cpu(iommu_dont_flush_iotlb) = 1;
- spin_lock(&d->page_alloc_lock);
-
-- this_cpu(iommu_dont_flush_iotlb) = 1;
- page_list_for_each ( page, &d->page_list )
- {
- if ( is_hvm_domain(d) ||
-@@ -320,18 +320,20 @@ static int iommu_populate_page_table(str
- rc = hd->platform_ops->map_page(
- d, mfn_to_gmfn(d, page_to_mfn(page)), page_to_mfn(page),
- IOMMUF_readable|IOMMUF_writable);
-- if (rc)
-- {
-- spin_unlock(&d->page_alloc_lock);
-- hd->platform_ops->teardown(d);
-- return rc;
-- }
-+ if ( rc )
-+ break;
- }
- }
-- this_cpu(iommu_dont_flush_iotlb) = 0;
-- iommu_iotlb_flush_all(d);
-+
- spin_unlock(&d->page_alloc_lock);
-- return 0;
-+ this_cpu(iommu_dont_flush_iotlb) = 0;
-+
-+ if ( !rc )
-+ iommu_iotlb_flush_all(d);
-+ else
-+ hd->platform_ops->teardown(d);
-+
-+ return rc;
- }
-
-
+++ /dev/null
-x86/AMD: work around erratum 793
-
-The recommendation is to set a bit in an MSR - do this if the firmware
-didn't, considering that otherwise we expose ourselves to a guest
-induced DoS.
-
-This is CVE-2013-6885 / XSA-82.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
-
---- a/xen/arch/x86/cpu/amd.c
-+++ b/xen/arch/x86/cpu/amd.c
-@@ -476,6 +476,20 @@ static void __devinit init_amd(struct cp
- "*** Pass \"allow_unsafe\" if you're trusting"
- " all your (PV) guest kernels. ***\n");
-
-+ if (c->x86 == 0x16 && c->x86_model <= 0xf) {
-+ rdmsrl(MSR_AMD64_LS_CFG, value);
-+ if (!(value & (1 << 15))) {
-+ static bool_t warned;
-+
-+ if (c == &boot_cpu_data || opt_cpu_info ||
-+ !test_and_set_bool(warned))
-+ printk(KERN_WARNING
-+ "CPU%u: Applying workaround for erratum 793\n",
-+ smp_processor_id());
-+ wrmsrl(MSR_AMD64_LS_CFG, value | (1 << 15));
-+ }
-+ }
-+
- /* AMD CPUs do not support SYSENTER outside of legacy mode. */
- clear_bit(X86_FEATURE_SEP, c->x86_capability);
-
---- a/xen/include/asm-x86/msr-index.h
-+++ b/xen/include/asm-x86/msr-index.h
-@@ -213,6 +213,7 @@
-
- /* AMD64 MSRs */
- #define MSR_AMD64_NB_CFG 0xc001001f
-+#define MSR_AMD64_LS_CFG 0xc0011020
- #define MSR_AMD64_IC_CFG 0xc0011021
- #define MSR_AMD64_DC_CFG 0xc0011022
- #define AMD64_NB_CFG_CF8_EXT_ENABLE_BIT 46
+++ /dev/null
-x86/irq: avoid use-after-free on error path in pirq_guest_bind()
-
-This is XSA-83.
-
-Coverity-ID: 1146952
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru
- printk(XENLOG_G_INFO
- "Cannot bind IRQ%d to dom%d. Out of memory.\n",
- pirq->pirq, v->domain->domain_id);
-- rc = -ENOMEM;
-- goto out;
-+ return -ENOMEM;
- }
-
- action = newaction;
+++ /dev/null
-flask: fix reading strings from guest memory
-
-Since the string size is being specified by the guest, we must range
-check it properly before doing allocations based on it. While for the
-two cases that are exposed only to trusted guests (via policy
-restriction) this just uses an arbitrary upper limit (PAGE_SIZE), for
-the FLASK_[GS]ETBOOL case (which any guest can use) the upper limit
-gets enforced based on the longest name across all boolean settings.
-
-This is XSA-84.
-
-Reported-by: Matthew Daley <mattd@bugfuzz.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
-
---- a/xen/xsm/flask/flask_op.c
-+++ b/xen/xsm/flask/flask_op.c
-@@ -53,6 +53,7 @@ static DEFINE_SPINLOCK(sel_sem);
- /* global data for booleans */
- static int bool_num = 0;
- static int *bool_pending_values = NULL;
-+static size_t bool_maxstr;
- static int flask_security_make_bools(void);
-
- extern int ss_initialized;
-@@ -71,9 +72,15 @@ static int domain_has_security(struct do
- perms, NULL);
- }
-
--static int flask_copyin_string(XEN_GUEST_HANDLE(char) u_buf, char **buf, uint32_t size)
-+static int flask_copyin_string(XEN_GUEST_HANDLE(char) u_buf, char **buf,
-+ size_t size, size_t max_size)
- {
-- char *tmp = xmalloc_bytes(size + 1);
-+ char *tmp;
-+
-+ if ( size > max_size )
-+ return -ENOENT;
-+
-+ tmp = xmalloc_array(char, size + 1);
- if ( !tmp )
- return -ENOMEM;
-
-@@ -99,7 +106,7 @@ static int flask_security_user(struct xe
- if ( rv )
- return rv;
-
-- rv = flask_copyin_string(arg->u.user, &user, arg->size);
-+ rv = flask_copyin_string(arg->u.user, &user, arg->size, PAGE_SIZE);
- if ( rv )
- return rv;
-
-@@ -210,7 +217,7 @@ static int flask_security_context(struct
- if ( rv )
- return rv;
-
-- rv = flask_copyin_string(arg->context, &buf, arg->size);
-+ rv = flask_copyin_string(arg->context, &buf, arg->size, PAGE_SIZE);
- if ( rv )
- return rv;
-
-@@ -303,7 +310,7 @@ static int flask_security_resolve_bool(s
- if ( arg->bool_id != -1 )
- return 0;
-
-- rv = flask_copyin_string(arg->name, &name, arg->size);
-+ rv = flask_copyin_string(arg->name, &name, arg->size, bool_maxstr);
- if ( rv )
- return rv;
-
-@@ -334,7 +341,7 @@ static int flask_security_set_bool(struc
- int num;
- int *values;
-
-- rv = security_get_bools(&num, NULL, &values);
-+ rv = security_get_bools(&num, NULL, &values, NULL);
- if ( rv != 0 )
- goto out;
-
-@@ -440,7 +447,7 @@ static int flask_security_make_bools(voi
-
- xfree(bool_pending_values);
-
-- ret = security_get_bools(&num, NULL, &values);
-+ ret = security_get_bools(&num, NULL, &values, &bool_maxstr);
- if ( ret != 0 )
- goto out;
-
---- a/xen/xsm/flask/include/conditional.h
-+++ b/xen/xsm/flask/include/conditional.h
-@@ -13,7 +13,9 @@
- #ifndef _FLASK_CONDITIONAL_H_
- #define _FLASK_CONDITIONAL_H_
-
--int security_get_bools(int *len, char ***names, int **values);
-+#include <xen/types.h>
-+
-+int security_get_bools(int *len, char ***names, int **values, size_t *maxstr);
-
- int security_set_bools(int len, int *values);
-
---- a/xen/xsm/flask/ss/services.c
-+++ b/xen/xsm/flask/ss/services.c
-@@ -1900,7 +1900,7 @@ int security_find_bool(const char *name)
- return rv;
- }
-
--int security_get_bools(int *len, char ***names, int **values)
-+int security_get_bools(int *len, char ***names, int **values, size_t *maxstr)
- {
- int i, rc = -ENOMEM;
-
-@@ -1908,6 +1908,8 @@ int security_get_bools(int *len, char **
- if ( names )
- *names = NULL;
- *values = NULL;
-+ if ( maxstr )
-+ *maxstr = 0;
-
- *len = policydb.p_bools.nprim;
- if ( !*len )
-@@ -1929,16 +1931,17 @@ int security_get_bools(int *len, char **
-
- for ( i = 0; i < *len; i++ )
- {
-- size_t name_len;
-+ size_t name_len = strlen(policydb.p_bool_val_to_name[i]);
-+
- (*values)[i] = policydb.bool_val_to_struct[i]->state;
- if ( names ) {
-- name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
-- (*names)[i] = (char*)xmalloc_array(char, name_len);
-+ (*names)[i] = xmalloc_array(char, name_len + 1);
- if ( !(*names)[i] )
- goto err;
-- strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
-- (*names)[i][name_len - 1] = 0;
-+ strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len + 1);
- }
-+ if ( maxstr && name_len > *maxstr )
-+ *maxstr = name_len;
- }
- rc = 0;
- out:
-@@ -2056,7 +2059,7 @@ static int security_preserve_bools(struc
- struct cond_bool_datum *booldatum;
- struct cond_node *cur;
-
-- rc = security_get_bools(&nbools, &bnames, &bvalues);
-+ rc = security_get_bools(&nbools, &bnames, &bvalues, NULL);
- if ( rc )
- goto out;
- for ( i = 0; i < nbools; i++ )
+++ /dev/null
-From 593bc8c63d582ec0fc2b3a35336106cf9c3a8b34 Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattd@bugfuzz.com>
-Date: Sun, 12 Jan 2014 14:29:32 +1300
-Subject: [PATCH] xsm/flask: correct off-by-one in
- flask_security_avc_cachestats cpu id check
-
-This is XSA-85
-
-Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
----
- xen/xsm/flask/flask_op.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
-index 4426ab9..22878f5 100644
---- a/xen/xsm/flask/flask_op.c
-+++ b/xen/xsm/flask/flask_op.c
-@@ -457,7 +457,7 @@ static int flask_security_avc_cachestats(struct xen_flask_cache_stats *arg)
- {
- struct avc_cache_stats *st;
-
-- if ( arg->cpu > nr_cpu_ids )
-+ if ( arg->cpu >= nr_cpu_ids )
- return -ENOENT;
- if ( !cpu_online(arg->cpu) )
- return -ENOENT;
---
-1.8.5.2
-
+++ /dev/null
-From b4c452646efd37b4cd0996256dd0ab7bf6ccb7f6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
- <marmarek@invisiblethingslab.com>
-Date: Mon, 20 Jan 2014 15:51:56 +0000
-Subject: [PATCH] libvchan: Fix handling of invalid ring buffer indices
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The remote (hostile) process can set ring buffer indices to any value
-at any time. If that happens, it is possible to get "buffer space"
-(either for writing data, or ready for reading) negative or greater
-than buffer size. This will end up with buffer overflow in the second
-memcpy inside of do_send/do_recv.
-
-Fix this by introducing new available bytes accessor functions
-raw_get_data_ready and raw_get_buffer_space which are robust against
-mad ring states, and only return sanitised values.
-
-Proof sketch of correctness:
-
-Now {rd,wr}_{cons,prod} are only ever used in the raw available bytes
-functions, and in do_send and do_recv.
-
-The raw available bytes functions do unsigned arithmetic on the
-returned values. If the result is "negative" or too big it will be
->ring_size (since we used unsigned arithmetic). Otherwise the result
-is a positive in-range value representing a reasonable ring state, in
-which case we can safely convert it to int (as the rest of the code
-expects).
-
-do_send and do_recv immediately mask the ring index value with the
-ring size. The result is always going to be plausible. If the ring
-state has become mad, the worst case is that our behaviour is
-inconsistent with the peer's ring pointer. I.e. we read or write to
-arguably-incorrect parts of the ring - but always parts of the ring.
-And of course if a peer misoperates the ring they can achieve this
-effect anyway.
-
-So the security problem is fixed.
-
-This is XSA-86.
-
-(The patch is essentially Ian Jackson's work, although parts of the
-commit message are by Marek.)
-
-Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
-Cc: Joanna Rutkowska <joanna@invisiblethingslab.com>
----
- tools/libvchan/io.c | 47 +++++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 41 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libvchan/io.c b/tools/libvchan/io.c
-index 2383364..804c63c 100644
---- a/tools/libvchan/io.c
-+++ b/tools/libvchan/io.c
-@@ -111,12 +111,26 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit)
- return 0;
- }
-
-+/*
-+ * Get the amount of buffer space available, and do nothing about
-+ * notifications.
-+ */
-+static inline int raw_get_data_ready(struct libxenvchan *ctrl)
-+{
-+ uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl);
-+ if (ready >= rd_ring_size(ctrl))
-+ /* We have no way to return errors. Locking up the ring is
-+ * better than the alternatives. */
-+ return 0;
-+ return ready;
-+}
-+
- /**
- * Get the amount of buffer space available and enable notifications if needed.
- */
- static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request)
- {
-- int ready = rd_prod(ctrl) - rd_cons(ctrl);
-+ int ready = raw_get_data_ready(ctrl);
- if (ready >= request)
- return ready;
- /* We plan to consume all data; please tell us if you send more */
-@@ -126,7 +140,7 @@ static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request)
- * will not get notified even though the actual amount of data ready is
- * above request. Reread rd_prod to cover this case.
- */
-- return rd_prod(ctrl) - rd_cons(ctrl);
-+ return raw_get_data_ready(ctrl);
- }
-
- int libxenvchan_data_ready(struct libxenvchan *ctrl)
-@@ -135,7 +149,21 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
- * when it changes
- */
- request_notify(ctrl, VCHAN_NOTIFY_WRITE);
-- return rd_prod(ctrl) - rd_cons(ctrl);
-+ return raw_get_data_ready(ctrl);
-+}
-+
-+/**
-+ * Get the amount of buffer space available, and do nothing
-+ * about notifications
-+ */
-+static inline int raw_get_buffer_space(struct libxenvchan *ctrl)
-+{
-+ uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
-+ if (ready > wr_ring_size(ctrl))
-+ /* We have no way to return errors. Locking up the ring is
-+ * better than the alternatives. */
-+ return 0;
-+ return ready;
- }
-
- /**
-@@ -143,7 +171,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
- */
- static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request)
- {
-- int ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
-+ int ready = raw_get_buffer_space(ctrl);
- if (ready >= request)
- return ready;
- /* We plan to fill the buffer; please tell us when you've read it */
-@@ -153,7 +181,7 @@ static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request
- * will not get notified even though the actual amount of buffer space
- * is above request. Reread wr_cons to cover this case.
- */
-- return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
-+ return raw_get_buffer_space(ctrl);
- }
-
- int libxenvchan_buffer_space(struct libxenvchan *ctrl)
-@@ -162,7 +190,7 @@ int libxenvchan_buffer_space(struct libxenvchan *ctrl)
- * when it changes
- */
- request_notify(ctrl, VCHAN_NOTIFY_READ);
-- return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
-+ return raw_get_buffer_space(ctrl);
- }
-
- int libxenvchan_wait(struct libxenvchan *ctrl)
-@@ -176,6 +204,8 @@ int libxenvchan_wait(struct libxenvchan *ctrl)
-
- /**
- * returns -1 on error, or size on success
-+ *
-+ * caller must have checked that enough space is available
- */
- static int do_send(struct libxenvchan *ctrl, const void *data, size_t size)
- {
-@@ -248,6 +278,11 @@ int libxenvchan_write(struct libxenvchan *ctrl, const void *data, size_t size)
- }
- }
-
-+/**
-+ * returns -1 on error, or size on success
-+ *
-+ * caller must have checked that enough data is available
-+ */
- static int do_recv(struct libxenvchan *ctrl, void *data, size_t size)
- {
- int real_idx = rd_cons(ctrl) & (rd_ring_size(ctrl) - 1);
---
-1.7.10.4
-
+++ /dev/null
-x86: PHYSDEVOP_{prepare,release}_msix are privileged
-
-Yet this wasn't being enforced.
-
-This is XSA-87.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-@@ -612,7 +612,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
- case PHYSDEVOP_release_msix: {
- struct physdev_pci_device dev;
-
-- if ( copy_from_guest(&dev, arg, 1) )
-+ if ( !IS_PRIV(v->domain) )
-+ ret = -EPERM;
-+ else if ( copy_from_guest(&dev, arg, 1) )
- ret = -EFAULT;
- else
- ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
Summary: Xen is a virtual machine monitor
Name: xen
-Version: 4.2.3
-Release: 28%{?dist}
+Version: 4.2.4
+Release: 29%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
Source48: libexec.xendomains
Source49: tmpfiles.d.xen.conf
-Source100: qemu-xen-4.2.3.tar.gz
Source101: blktap-9960138790b9d3610b12acd153bba20235efa4f5.tar.gz
Patch1: xen-initscript.patch
Patch64: xl.list.-l.format.patch
Patch65: xen.git-9c23a1d0eb7a6b5e3273d527cfd7960838fbfee6.patch
-#Patch66: xsa45-4.2-01-vcpu-destroy-pagetables-preemptible.patch
-#Patch67: xsa45-4.2-02-new-guest-cr3-preemptible.patch
-#Patch68: xsa45-4.2-03-new-user-base-preemptible.patch
-#Patch69: xsa45-4.2-04-vcpu-reset-preemptible.patch
-#Patch70: xsa45-4.2-05-set-info-guest-preemptible.patch
-#Patch71: xsa45-4.2-06-unpin-preemptible.patch
-#Patch72: xsa45-4.2-07-mm-error-paths-preemptible.patch
-#Patch73: xsa49-4.2.patch
-#Patch74: xsa56.patch
-#Patch75: xsa46-regression-xend-xm.patch
-#Patch92: xsa52-4.2-unstable.patch
-#Patch93: xsa53-4.2.patch
-#Patch94: xsa54.patch
+
Patch100: xen-configure-xend.patch
-Patch105: xsa48-4.2.patch
+
Patch106: xen-xl-autoballon-with-auto-option.patch
Patch107: xen-xl-set-autoballon-default-auto.patch
-#Patch108: xsa55-4.2-0001-libelf-abolish-libelf-relocate.c.patch
-#Patch109: xsa55-4.2-0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch
-#Patch110: xsa55-4.2-0003-libxc-Fix-range-checking-in-xc_dom_pfn_to_ptr-etc.patch
-#Patch111: xsa55-4.2-0004-libelf-add-struct-elf_binary-parameter-to-elf_load_i.patch
-#Patch112: xsa55-4.2-0005-libelf-abolish-elf_sval-and-elf_access_signed.patch
-#Patch113: xsa55-4.2-0006-libelf-move-include-of-asm-guest_access.h-to-top-of-.patch
-#Patch114: xsa55-4.2-0007-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch
-#Patch115: xsa55-4.2-0008-libelf-introduce-macros-for-memory-access-and-pointe.patch
-#Patch116: xsa55-4.2-0009-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch
-#Patch117: xsa55-4.2-0010-libelf-check-nul-terminated-strings-properly.patch
-#Patch118: xsa55-4.2-0011-libelf-check-all-pointer-accesses.patch
-#Patch119: xsa55-4.2-0012-libelf-Check-pointer-references-in-elf_is_elfbinary.patch
-#Patch120: xsa55-4.2-0013-libelf-Make-all-callers-call-elf_check_broken.patch
-#Patch121: xsa55-4.2-0014-libelf-use-C99-bool-for-booleans.patch
-#Patch122: xsa55-4.2-0015-libelf-use-only-unsigned-integers.patch
-#Patch123: xsa55-4.2-0016-libelf-check-loops-for-running-away.patch
-#Patch124: xsa55-4.2-0017-libelf-abolish-obsolete-macros.patch
-#Patch125: xsa55-4.2-0018-libxc-Add-range-checking-to-xc_dom_binloader.patch
-#Patch126: xsa55-4.2-0019-libxc-check-failure-of-xc_dom_-_to_ptr-xc_map_foreig.patch
-#Patch127: xsa55-4.2-0020-libxc-check-return-values-from-malloc.patch
-#Patch128: xsa55-4.2-0021-libxc-range-checks-in-xc_dom_p2m_host-and-_guest.patch
-#Patch129: xsa55-4.2-0022-libxc-check-blob-size-before-proceeding-in-xc_dom_ch.patch
-#Patch130: xsa55-4.2-0023-libxc-Better-range-check-in-xc_dom_alloc_segment.patch
-#Patch131: xsa57-4.2.patch
-#Patch132: xsa58-4.2.patch
-#Patch133: xsa61-4.2-unstable.patch
-Patch134: xsa62.patch
-Patch135: xsa63.patch
-Patch136: xsa64.patch
-Patch137: xsa66.patch
-Patch138: xsa67.patch
-Patch139: xsa68.patch
-Patch140: xsa69.patch
-Patch141: xsa70.patch
-#Patch142: xsa71-qemu-xen-4.2.patch
-Patch143: xsa72.patch
-Patch144: xsa73-4.2.patch
-Patch145: xsa75-4.2.patch
-Patch146: xsa78.patch
-Patch147: xsa74-4.1-4.2.patch
-Patch148: xsa76.patch
-Patch149: xsa80.patch
-Patch150: xsa82.patch
-Patch151: xsa83.patch
-Patch152: xsa87-4.2.patch
-Patch153: xsa84-4.2.patch
-Patch154: xsa85.patch
-Patch155: xsa86.patch
Patch1000: xen-centos-disable-CFLAGS-for-qemu.patch
Patch1001: xen-centos-disableWerror-blktap25.patch
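Review bot: The security patches dropped in this hunk (Patch134–Patch155, i.e. xsa62 through xsa87, plus Patch105 `xsa48-4.2.patch`, which was applied inside tools/qemu-xen) are removed on the assumption that the xen-4.2.4 tarball already carries every one of them, but nothing in the hunk or the changelog says that this was checked. Please verify each against the 4.2.4 release notes or the unpacked tree before dropping it, and record the result in the changelog entry, e.g. `- dropped xsa48/xsa62..xsa87 patches: included in upstream 4.2.4 and its bundled qemu-xen`. The qemu-xen case deserves particular care because the previous build took qemu-xen from a separate Source100 tarball and patched it explicitly, whereas the bundled copy in 4.2.4 is now used as-is. Removing the already commented-out Patch66–Patch133 declarations is fine.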
%patch106 -p1
%patch107 -p1
-%patch134 -p1
-%patch135 -p1
-#%patch136 -p1
-%patch137 -p1
-%patch138 -p1
-%patch139 -p1
-%patch140 -p1
-%patch141 -p1
-%patch143 -p1
-%patch144 -p1
-%patch145 -p1
-%patch146 -p1
-%patch147 -p1
-%patch148 -p1
-%patch149 -p1
-%patch150 -p1
-%patch151 -p1
-%patch152 -p1
-%patch153 -p1
-%patch154 -p1
-%patch155 -p1
-
%patch1000 -p1
pushd `pwd`
-rm -rf ${RPM_BUILD_DIR}/%{name}-%{version}/tools/qemu-xen
-%{__tar} -C ${RPM_BUILD_DIR}/%{name}-%{version}/tools/ -zxf %{SOURCE100}
rm -rf ${RPM_BUILD_DIR}/%{name}-%{version}/tools/blktap2
%{__tar} -C ${RPM_BUILD_DIR}/%{name}-%{version}/tools/ -zxf %{SOURCE101}
cd ${RPM_BUILD_DIR}/%{name}-%{version}/tools/blktap2
pushd `pwd`
cd ${RPM_BUILD_DIR}/%{name}-%{version}/tools/qemu-xen
-%patch105 -p1
+#%patch105 -p1
popd
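Review bot: `#%patch105 -p1` on the new side is not a clean way to retire the patch: rpmbuild still runs macro expansion on `#` comment lines, so a literal `%` in a comment should be written `%%` (`#%%patch105 -p1`), and since the `Patch105:` declaration is removed elsewhere in this change there is no reason to keep the line at all. Whether the rpm version in use actually treats `%patch105` as a macro I cannot confirm from here, but deleting the line, or replacing it with a plain comment such as `# XSA-48 (qemu-nbd format) fix no longer applied here; expected in bundled qemu-xen from 4.2.4`, avoids the question and documents why the patch went away. The enclosing prep section starts before and continues after this hunk.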
# stubdom sources
%endif
%changelog
+* Sun Feb 23 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-29.el6.centos
+- cleaned up older patches, removed qemu-xen upstream git (Source 100)
+ tarball as it is part of the xen-4.2.4.tar.gz tarball now
+
+* Sat Feb 22 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-28.el6.centos
+- upgrade to upstream version 4.2.4
+
* Tue Feb 11 2014 Johnny Hughes <johnny@centos.org> - 4.2.3-28.el6.centos
- Roll in Patches 153, 154, and 155
XSA-84 (CVE-2014-1891, CVE-2014-1892, CVE-2014-1893, CVE-2014-1894)