1.9.1
-From fd2516d6c9a5816f17bbe3bbadce8d4ffcd3c855 Mon Sep 17 00:00:00 2001
+From 8df95318fde4be67647c8ba557c9afdb91e74009 Mon Sep 17 00:00:00 2001
+From: George Dunlap <george.dunlap@eu.citrix.com>
+Date: Mon, 1 Jun 2015 11:47:24 +0100
+Subject: [PATCH] gnttab: add missing version check to GNTTABOP_swap_grant_ref
+ handling
+
+... avoiding NULL derefs when the version to use wasn't set yet (via
+GNTTABOP_setup_table or GNTTABOP_set_version).
+
+This is XSA-134.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ xen/common/grant_table.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
+index 107b000..34e1c25 100644
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -2393,6 +2393,9 @@ __gnttab_swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b)
+
+ spin_lock(>->lock);
+
++ if ( gt->gt_version == 0 )
++ PIN_FAIL(out, GNTST_general_error, "grant table not yet set up\n");
++
+ /* Bounds check on the grant refs */
+ if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
+--
+1.9.1
+
+
+From b1d22106579832b31b496dd632ee4bf065a12d40 Mon Sep 17 00:00:00 2001
+From: George Dunlap <george.dunlap@eu.citrix.com>
+Date: Tue, 9 Jun 2015 12:07:14 +0100
+Subject: [PATCH] x86/traps: loop in the correct direction in compat_iret()
+
+This is XSA-136.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_64/compat/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/x86_64/compat/traps.c b/xen/arch/x86/x86_64/compat/traps.c
+index 5f0ea0a..0b78445 100644
+--- a/xen/arch/x86/x86_64/compat/traps.c
++++ b/xen/arch/x86/x86_64/compat/traps.c
+@@ -119,7 +119,7 @@ unsigned int compat_iret(void)
+ }
+ else if ( ksp > regs->_esp )
+ {
+- for (i = 9; i > 0; ++i)
++ for ( i = 9; i > 0; --i )
+ {
+ rc |= __get_user(x, (u32 *)regs->rsp + i);
+ rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);
+--
+1.9.1
+
+
+From 5f4c3c14e993b8ee4ffb96c10af1b835d603f7bb Mon Sep 17 00:00:00 2001
From: Wen Congyang <wency@cn.fujitsu.com>
Date: Thu, 23 Apr 2015 15:06:13 +0100
Subject: [PATCH] tools: libxl: pass correct file to qemu if we use blktap2
1.9.1
-From 0804f67899b0422ad87f2eb8cb55cd03d8607101 Mon Sep 17 00:00:00 2001
+From 462e99a97e40ffce8ac5f369331542f4fb220bfe Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Thu, 23 Apr 2015 15:06:13 +0100
Subject: [PATCH] it: George Dunlap <george.dunlap@eu.citrix.com>
1.9.1
-From 7c93e25a0a54f56a957627251c8b4728f3cb3056 Mon Sep 17 00:00:00 2001
+From 21c18afea6b2aa700d30037f046eddfe9784facd Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Thu, 23 Apr 2015 15:06:13 +0100
Subject: [PATCH] Revert "libxl: prefer qdisk over blktap when choosing disk
1.9.1
-From 39a0f30238d15c123deada9a1ab21ac3e55c4753 Mon Sep 17 00:00:00 2001
+From 0125042dc60081badc0e6dbd60bfae06e30149c0 Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Thu, 23 Apr 2015 15:06:13 +0100
Subject: [PATCH] xen-centos-disable-CFLAGS-for-qemu.patch
1.9.1
-From ed68bc247dabdee4e87abb3036155f3b962af1c8 Mon Sep 17 00:00:00 2001
+From 7a72d67cc0a3231cd173531f1e64721ff567451b Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Thu, 23 Apr 2015 15:06:13 +0100
Subject: [PATCH] Adapt libxl to use blktap 2.5 v0.9.2
--- /dev/null
+pcnet: fix Negative array index read\r
+ \r
+From: Gonglei <arei.gonglei@huawei.com>\r
+\r
+s->xmit_pos maybe assigned to a negative value (-1),\r
+but in this branch variable s->xmit_pos as an index to\r
+array s->buffer. Let's add a check for s->xmit_pos.\r
+ \r
+upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b\r
+\r
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>\r
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>\r
+Reviewed-by: Jason Wang <jasowang@redhat.com>\r
+Reviewed-by: Jason Wang <jasowang@redhat.com>\r
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>\r
+\r
+diff --git a/hw/pcnet.c b/hw/pcnet.c\r
+index 7cc0637..9f3e1cc 100644\r
+--- a/hw/pcnet.c\r
++++ b/hw/pcnet.c\r
+@@ -1250,7 +1250,7 @@ static void pcnet_transmit(PCNetState *s)\r
+ target_phys_addr_t xmit_cxda = 0;\r
+ int count = CSR_XMTRL(s)-1;\r
+ int add_crc = 0;\r
+-\r
++ int bcnt;\r
+ s->xmit_pos = -1;\r
+ \r
+ if (!CSR_TXON(s)) {\r
+@@ -1276,34 +1276,39 @@ static void pcnet_transmit(PCNetState *s)\r
+ if (BCR_SWSTYLE(s) != 1)\r
+ add_crc = GET_FIELD(tmd.status, TMDS, ADDFCS);\r
+ }\r
++\r
++ if (s->xmit_pos < 0) {\r
++ goto txdone;\r
++ }\r
++\r
++ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
++ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
++ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
++ s->xmit_pos += bcnt;\r
++\r
+ if (!GET_FIELD(tmd.status, TMDS, ENP)) {\r
+- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
+- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
+- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
+- s->xmit_pos += bcnt;\r
+- } else if (s->xmit_pos >= 0) {\r
+- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
+- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
+- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
+- s->xmit_pos += bcnt;\r
++ goto txdone;\r
++ }\r
+ #ifdef PCNET_DEBUG\r
+- printf("pcnet_transmit size=%d\n", s->xmit_pos);\r
++ printf("pcnet_transmit size=%d\n", s->xmit_pos);\r
+ #endif\r
+- if (CSR_LOOP(s)) {\r
+- if (BCR_SWSTYLE(s) == 1)\r
+- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);\r
+- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;\r
+- pcnet_receive(s, s->buffer, s->xmit_pos);\r
+- s->looptest = 0;\r
+- } else\r
+- if (s->vc)\r
+- qemu_send_packet(s->vc, s->buffer, s->xmit_pos);\r
+-\r
+- s->csr[0] &= ~0x0008; /* clear TDMD */\r
+- s->csr[4] |= 0x0004; /* set TXSTRT */\r
+- s->xmit_pos = -1;\r
++ if (CSR_LOOP(s)) {\r
++ if (BCR_SWSTYLE(s) == 1)\r
++ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);\r
++ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;\r
++ pcnet_receive(s, s->buffer, s->xmit_pos);\r
++ s->looptest = 0;\r
++ } else {\r
++ if (s->vc) {\r
++ qemu_send_packet(s->vc, s->buffer, s->xmit_pos);\r
++ }\r
+ }\r
+ \r
++ s->csr[0] &= ~0x0008; /* clear TDMD */\r
++ s->csr[4] |= 0x0004; /* set TXSTRT */\r
++ s->xmit_pos = -1;\r
++\r
++ txdone:\r
+ SET_FIELD(&tmd.status, TMDS, OWN, 0);\r
+ TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));\r
+ if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT)))\r
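Review bot: The DMA read hoisted ahead of the ENP test, `s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));`, still writes `bcnt` bytes at a guest-accumulated offset with no comparison against `sizeof(s->buffer)`, so on its own this patch only closes the negative-index case; the multi-TMD overflow is closed by the companion bound-check patch in this same import, whose hunk context (`bcnt = 4096 - ...` at the hoisted position) only exists once this patch has been applied. That ordering dependency is recorded nowhere except the spec's %patch sequence, so I would add a line to this patch's description, e.g. `Prerequisite for the CVE-2015-3209 bound check in the companion patch; apply first.` The new early exit `if (s->xmit_pos < 0) { goto txdone; }` now releases a descriptor's OWN bit without moving any data when no start-of-packet has been seen (xmit_pos is set to -1 at the top of the function and presumably raised only on STP, which is outside the hunk); that looks intentional but deserves `/* no STP seen yet: release the descriptor without transmitting */` at the check. The same points apply to the hw/net/pcnet.c variant of this patch further down the diff. pcnet_transmit begins and ends outside the hunk.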
--- /dev/null
+>From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001\r
+From: Petr Matousek <pmatouse@redhat.com>\r
+Date: Sun, 24 May 2015 10:53:44 +0200\r
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx\r
+\r
+4096 is the maximum length per TMD and it is also currently the size of\r
+the relay buffer pcnet driver uses for sending the packet data to QEMU\r
+for further processing. With packet spanning multiple TMDs it can\r
+happen that the overall packet size will be bigger than sizeof(buffer),\r
+which results in memory corruption.\r
+\r
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.\r
+\r
+This is CVE-2015-3209.\r
+\r
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>\r
+Reported-by: Matt Tait <matttait@google.com>\r
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>\r
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>\r
+---\r
+ hw/pcnet.c | 8 ++++++++\r
+ 1 file changed, 8 insertions(+)\r
+\r
+diff --git a/hw/pcnet.c b/hw/pcnet.c\r
+index bdfd38f..6d32e4c 100644\r
+--- a/hw/pcnet.c\r
++++ b/hw/pcnet.c\r
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)\r
+ }\r
+\r
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
++\r
++ /* if multi-tmd packet outsizes s->buffer then skip it silently.\r
++ Note: this is not what real hw does */\r
++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {\r
++ s->xmit_pos = -1;\r
++ goto txdone;\r
++ }\r
++\r
+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
+ s->xmit_pos += bcnt;\r
+-- \r
+2.1.0\r
+\r
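Review bot: The new guard `if (s->xmit_pos + bcnt > sizeof(s->buffer))` compares a signed sum with a `size_t`, so the test is performed unsigned; it is correct here only because `s->xmit_pos` is already non-negative at this point (the `if (s->xmit_pos < 0) goto txdone;` added by the companion patch, outside this hunk) and `bcnt` is presumably positive (1..4096 if the BCNT field is 12 bits wide, which is not visible here). A negative sum would convert to a huge value and be rejected, so the guard fails closed either way, but the reliance deserves a comment, e.g. `/* xmit_pos >= 0 here (checked above); the comparison is done as size_t */`. Separately, the `index bdfd38f..6d32e4c` line in this hw/pcnet.c backport is identical to the one in the hw/net/pcnet.c version of the patch further down although the two source files clearly differ, which suggests the header was edited by hand; `patch -p1` ignores it, but it should be dropped or regenerated so tooling that consults blob ids is not misled. If the `\r` shown at the end of every line comes from the files rather than the rendering, normalizing them to LF before adding them to the series avoids depending on the patch tool's CR tolerance. The same remarks apply to the hw/net/pcnet.c variant; pcnet_transmit begins and ends outside the hunk.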
--- /dev/null
+pcnet: fix Negative array index read\r
+ \r
+From: Gonglei <arei.gonglei@huawei.com>\r
+\r
+s->xmit_pos maybe assigned to a negative value (-1),\r
+but in this branch variable s->xmit_pos as an index to\r
+array s->buffer. Let's add a check for s->xmit_pos.\r
+ \r
+upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b\r
+\r
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>\r
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>\r
+Reviewed-by: Jason Wang <jasowang@redhat.com>\r
+Reviewed-by: Jason Wang <jasowang@redhat.com>\r
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>\r
+\r
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c\r
+index d344c15..f409b92 100644\r
+--- a/hw/net/pcnet.c\r
++++ b/hw/net/pcnet.c\r
+@@ -1212,7 +1212,7 @@ static void pcnet_transmit(PCNetState *s)\r
+ hwaddr xmit_cxda = 0;\r
+ int count = CSR_XMTRL(s)-1;\r
+ int add_crc = 0;\r
+-\r
++ int bcnt;\r
+ s->xmit_pos = -1;\r
+ \r
+ if (!CSR_TXON(s)) {\r
+@@ -1247,35 +1247,40 @@ static void pcnet_transmit(PCNetState *s)\r
+ s->xmit_pos = -1;\r
+ goto txdone;\r
+ }\r
++\r
++ if (s->xmit_pos < 0) {\r
++ goto txdone;\r
++ }\r
++\r
++ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
++ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
++ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
++ s->xmit_pos += bcnt;\r
++ \r
+ if (!GET_FIELD(tmd.status, TMDS, ENP)) {\r
+- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
+- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
+- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
+- s->xmit_pos += bcnt;\r
+- } else if (s->xmit_pos >= 0) {\r
+- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
+- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
+- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
+- s->xmit_pos += bcnt;\r
++ goto txdone;\r
++ }\r
++\r
+ #ifdef PCNET_DEBUG\r
+- printf("pcnet_transmit size=%d\n", s->xmit_pos);\r
++ printf("pcnet_transmit size=%d\n", s->xmit_pos);\r
+ #endif\r
+- if (CSR_LOOP(s)) {\r
+- if (BCR_SWSTYLE(s) == 1)\r
+- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);\r
+- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;\r
+- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);\r
+- s->looptest = 0;\r
+- } else\r
+- if (s->nic)\r
+- qemu_send_packet(qemu_get_queue(s->nic), s->buffer,\r
+- s->xmit_pos);\r
+-\r
+- s->csr[0] &= ~0x0008; /* clear TDMD */\r
+- s->csr[4] |= 0x0004; /* set TXSTRT */\r
+- s->xmit_pos = -1;\r
++ if (CSR_LOOP(s)) {\r
++ if (BCR_SWSTYLE(s) == 1)\r
++ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);\r
++ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;\r
++ pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);\r
++ s->looptest = 0;\r
++ } else {\r
++ if (s->nic) {\r
++ qemu_send_packet(qemu_get_queue(s->nic), s->buffer,\r
++ s->xmit_pos);\r
++ }\r
+ }\r
+ \r
++ s->csr[0] &= ~0x0008; /* clear TDMD */\r
++ s->csr[4] |= 0x0004; /* set TXSTRT */\r
++ s->xmit_pos = -1;\r
++\r
+ txdone:\r
+ SET_FIELD(&tmd.status, TMDS, OWN, 0);\r
+ TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));\r
--- /dev/null
+>From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001\r
+From: Petr Matousek <pmatouse@redhat.com>\r
+Date: Sun, 24 May 2015 10:53:44 +0200\r
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx\r
+\r
+4096 is the maximum length per TMD and it is also currently the size of\r
+the relay buffer pcnet driver uses for sending the packet data to QEMU\r
+for further processing. With packet spanning multiple TMDs it can\r
+happen that the overall packet size will be bigger than sizeof(buffer),\r
+which results in memory corruption.\r
+\r
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.\r
+\r
+This is CVE-2015-3209.\r
+\r
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>\r
+Reported-by: Matt Tait <matttait@google.com>\r
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>\r
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>\r
+---\r
+ hw/net/pcnet.c | 8 ++++++++\r
+ 1 file changed, 8 insertions(+)\r
+\r
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c\r
+index bdfd38f..6d32e4c 100644\r
+--- a/hw/net/pcnet.c\r
++++ b/hw/net/pcnet.c\r
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)\r
+ }\r
+\r
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);\r
++\r
++ /* if multi-tmd packet outsizes s->buffer then skip it silently.\r
++ Note: this is not what real hw does */\r
++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {\r
++ s->xmit_pos = -1;\r
++ goto txdone;\r
++ }\r
++\r
+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),\r
+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));\r
+ s->xmit_pos += bcnt;\r
+-- \r
+2.1.0\r
+\r
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.4.2
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
Patch2011: xsa131-qemuu-7.patch
Patch2012: xsa131-qemuu-8.patch
Patch2013: xsa133-qemuu.patch
+Patch2014: xsa135-qemuu-4.5-1.patch
+Patch2015: xsa135-qemuu-4.5-2.patch
Patch3001: xsa126-qemut.patch
Patch3002: xsa128-qemut.patch
Patch3011: xsa131-qemut-7.patch
Patch3012: xsa131-qemut-8.patch
Patch3013: xsa133-qemut.patch
+Patch3014: xsa135-qemut-1.patch
+Patch3015: xsa135-qemut-2.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%patch2011 -p1
%patch2012 -p1
%patch2013 -p1
+%patch2014 -p1
+%patch2015 -p1
popd
pushd tools/qemu-xen-traditional
%patch3011 -p1
%patch3012 -p1
%patch3013 -p1
+%patch3014 -p1
+%patch3015 -p1
popd
# stubdom sources
%endif
%changelog
+* Mon Jun 1 2015 George Dunlap <george.dunlap@eu.citrix.com> - 4.4.2-4.el6.centos
+ - Import XSA-134,135,136
+
* Mon Jun 1 2015 George Dunlap <george.dunlap@eu.citrix.com> - 4.4.2-3.el6.centos
- Import XSA-128,129.130,131