author | Ian Delaney <idella4@gentoo.org> | 2013-06-26 15:00:58 +0000 |
---|---|---|
committer | Ian Delaney <idella4@gentoo.org> | 2013-06-26 15:00:58 +0000 |
commit | 6b6a2f0ca185d3eff2ebd03d94a227277cf4d929 (patch) | |
tree | cb32fd1d4a7fe7add5ed330a4130551fba63f2ff /app-emulation | |
parent | removing vulnerable version of tpp for bug 474018 (diff) | |
drop disused patches
(Portage version: 2.1.11.63/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation')
13 files changed, 15 insertions, 802 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog index bcda3dc2ac70..f841e3c401d6 100644 --- a/app-emulation/xen/ChangeLog +++ b/app-emulation/xen/ChangeLog @@ -1,6 +1,20 @@ # ChangeLog for app-emulation/xen # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.120 2013/06/26 06:35:38 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.121 2013/06/26 15:00:58 idella4 Exp $ + + 26 Jun 2013; Ian Delaney <idella4@gentoo.org> + -files/xen-4-CVE-2012-4535-XSA-20.patch, + -files/xen-4-CVE-2012-4537-XSA-22.patch, + -files/xen-4-CVE-2012-4538-XSA-23.patch, + -files/xen-4-CVE-2012-4539-XSA-24.patch, + -files/xen-4-CVE-2012-5510-XSA-26.patch, + -files/xen-4-CVE-2012-5513-XSA-29.patch, + -files/xen-4-CVE-2012-5514-XSA-30.patch, + -files/xen-4-CVE-2012-5515-XSA-31.patch, + -files/xen-4-CVE-2012-5525-XSA-32.patch, + -files/xen-4-CVE-2013-0151-XSA-27_34_35.patch, + -files/xen-4-CVE-2013-1920-XSA-47.patch, -files/xen-4.1.1-iommu_sec_fix.patch: + drop disused patches *xen-4.2.1-r4 (26 Jun 2013) *xen-4.2.2-r1 (26 Jun 2013) diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch b/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch deleted file mode 100644 index 25b909a3ac85..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch +++ /dev/null 
@@ -1,50 +0,0 @@ - -# HG changeset patch -# User Ian Jackson <Ian.Jackson@eu.citrix.com> -# Date 1352892795 0 -# Node ID 788af5959f692ca16942937055afb09b760f2166 -# Parent bdb5cde7f79d77f8578bcd8e24d74d09a2c7caa6 -VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability - -The timer action for a vcpu periodic timer is to calculate the next -expiry time, and to reinsert itself into the timer queue. If the -deadline ends up in the past, Xen never leaves __do_softirq(). The -affected PCPU will stay in an infinite loop until Xen is killed by the -watchdog (if enabled). - -This is a security problem, XSA-20 / CVE-2012-4535. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -xen-unstable changeset: 26148:bf58b94b3cef -Backport-requested-by: security@xen.org -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -diff -r bdb5cde7f79d -r 788af5959f69 xen/common/domain.c ---- xen/common/domain.c Wed Nov 14 10:40:41 2012 +0100 -+++ xen/common/domain.c Wed Nov 14 11:33:15 2012 +0000 -@@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN - if ( set.period_ns < MILLISECS(1) ) - return -EINVAL; - -+ if ( set.period_ns > STIME_DELTA_MAX ) -+ return -EINVAL; -+ - v->periodic_period = set.period_ns; - vcpu_force_reschedule(v); - -diff -r bdb5cde7f79d -r 788af5959f69 xen/include/xen/time.h ---- xen/include/xen/time.h Wed Nov 14 10:40:41 2012 +0100 -+++ xen/include/xen/time.h Wed Nov 14 11:33:15 2012 +0000 -@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); - #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) - #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) - #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) -+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ -+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) - - extern void update_vcpu_system_time(struct vcpu *v); - extern void 
update_domain_wallclock_time(struct domain *d); - diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch b/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch deleted file mode 100644 index a6d4dc20144f..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -# HG changeset patch -# User Ian Jackson <Ian.Jackson@eu.citrix.com> -# Date 1352893017 0 -# Node ID 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba -# Parent 788af5959f692ca16942937055afb09b760f2166 -x86/physmap: Prevent incorrect updates of m2p mappings - -In certain conditions, such as low memory, set_p2m_entry() can fail. -Currently, the p2m and m2p tables will get out of sync because we still -update the m2p table after the p2m update has failed. - -If that happens, subsequent guest-invoked memory operations can cause -BUG()s and ASSERT()s to kill Xen. - -This is fixed by only updating the m2p table iff the p2m was -successfully updated. - -This is a security problem, XSA-22 / CVE-2012-4537. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -xen-unstable changeset: 26149:6b6a4007a609 -Backport-requested-by: security@xen.org -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -diff -r 788af5959f69 -r 4cffe28427e0 xen/arch/x86/mm/p2m.c ---- xen/arch/x86/mm/p2m.c Wed Nov 14 11:33:15 2012 +0000 -+++ xen/arch/x86/mm/p2m.c Wed Nov 14 11:36:57 2012 +0000 -@@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d - if ( mfn_valid(_mfn(mfn)) ) - { - if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) -+ { - rc = -EINVAL; -+ goto out; /* Failed to update p2m, bail without updating m2p. */ -+ } - if ( !p2m_is_grant(t) ) - { - for ( i = 0; i < (1UL << page_order); i++ ) -@@ -677,6 +680,7 @@ guest_physmap_add_entry(struct domain *d - } - } - -+out: - p2m_unlock(p2m); - - return rc; diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch b/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch deleted file mode 100644 index 0cf28049565f..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch +++ /dev/null 
@@ -1,43 +0,0 @@ - -# HG changeset patch -# User Ian Jackson <Ian.Jackson@eu.citrix.com> -# Date 1352893365 0 -# Node ID 159080b58dda9d19a5d3be42359e667bdb3e61ca -# Parent 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba -xen/mm/shadow: check toplevel pagetables are present before unhooking them. - -If the guest has not fully populated its top-level PAE entries when it calls -HVMOP_pagetable_dying, the shadow code could try to unhook entries from -MFN 0. Add a check to avoid that case. - -This issue was introduced by c/s 21239:b9d2db109cf5. - -This is a security problem, XSA-23 / CVE-2012-4538. - -Signed-off-by: Tim Deegan <tim@xen.org> -Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -xen-unstable changeset: 26150:c7a01b6450e4 -Backport-requested-by: security@xen.org -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -diff -r 4cffe28427e0 -r 159080b58dda xen/arch/x86/mm/shadow/multi.c ---- xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:36:57 2012 +0000 -+++ xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:42:45 2012 +0000 -@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc - unsigned long gfn; - mfn_t smfn, gmfn; - -- if ( fast_path ) -- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); -+ if ( fast_path ) { -+ if ( pagetable_is_null(v->arch.shadow_table[i]) ) -+ smfn = _mfn(INVALID_MFN); -+ else -+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); -+ } - else - { - /* retrieving the l2s */ diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch b/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch deleted file mode 100644 index 27ba9378f172..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -# HG changeset patch -# User Ian Jackson <Ian.Jackson@eu.citrix.com> -# Date 1352893567 0 -# Node ID 8ca6372315f826881f9de141ac1227ef962100cf -# Parent 159080b58dda9d19a5d3be42359e667bdb3e61ca -compat/gnttab: Prevent infinite loop in compat code - -c/s 20281:95ea2052b41b, which introduces Grant Table version 2 -hypercalls introduces a vulnerability whereby the compat hypercall -handler can fall into an infinite loop. - -If the watchdog is enabled, Xen will die after the timeout. - -This is a security problem, XSA-24 / CVE-2012-4539. - -Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -Acked-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -xen-unstable changeset: 26151:b64a7d868f06 -Backport-requested-by: security@xen.org -Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> - -diff -r 159080b58dda -r 8ca6372315f8 xen/common/compat/grant_table.c ---- xen/common/compat/grant_table.c Wed Nov 14 11:42:45 2012 +0000 -+++ xen/common/compat/grant_table.c Wed Nov 14 11:46:07 2012 +0000 -@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c - #undef XLAT_gnttab_get_status_frames_HNDL_frame_list - if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) - rc = -EFAULT; -+ else -+ i = 1; - } - break; - } diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch b/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch deleted file mode 100644 index 0046170d1341..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -# HG changeset patch -# User Jan Beulich <jbeulich@suse.com> -# Date 1354644138 0 -# Node ID dea7d4e5bfc1627133c0c19706fea1fbc9e5a378 -# Parent 9e13427c023020756768c73217dab05295709fb3 -gnttab: fix releasing of memory upon switches between versions - -gnttab_unpopulate_status_frames() incompletely freed the pages -previously used as status frame in that they did not get removed from -the domain's xenpage_list, thus causing subsequent list corruption -when those pages did get allocated again for the same or another purpose. - -Similarly, grant_table_create() and gnttab_grow_table() both improperly -clean up in the event of an error - pages already shared with the guest -can't be freed by just passing them to free_xenheap_page(). Fix this by -sharing the pages only after all allocations succeeded. - -This is CVE-2012-5510 / XSA-26. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> -Committed-by: Ian Jackson <ian.jackson.citrix.com> - -diff -r 9e13427c0230 -r dea7d4e5bfc1 xen/common/grant_table.c ---- xen/common/grant_table.c Thu Nov 29 16:59:43 2012 +0000 -+++ xen/common/grant_table.c Tue Dec 04 18:02:18 2012 +0000 -@@ -1173,12 +1173,13 @@ fault: - } - - static int --gnttab_populate_status_frames(struct domain *d, struct grant_table *gt) -+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt, -+ unsigned int req_nr_frames) - { - unsigned i; - unsigned req_status_frames; - -- req_status_frames = grant_to_status_frames(gt->nr_grant_frames); -+ req_status_frames = grant_to_status_frames(req_nr_frames); - for ( i = nr_status_frames(gt); i < req_status_frames; i++ ) - { - if ( (gt->status[i] = alloc_xenheap_page()) == NULL ) -@@ -1209,7 +1210,12 @@ gnttab_unpopulate_status_frames(struct d - - for ( i = 0; i < nr_status_frames(gt); i++ ) - { -- page_set_owner(virt_to_page(gt->status[i]), dom_xen); -+ struct page_info *pg = virt_to_page(gt->status[i]); -+ -+ BUG_ON(page_get_owner(pg) != 
d); -+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) -+ put_page(pg); -+ BUG_ON(pg->count_info & ~PGC_xen_heap); - free_xenheap_page(gt->status[i]); - gt->status[i] = NULL; - } -@@ -1247,19 +1253,18 @@ gnttab_grow_table(struct domain *d, unsi - clear_page(gt->shared_raw[i]); - } - -+ /* Status pages - version 2 */ -+ if (gt->gt_version > 1) -+ { -+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) -+ goto shared_alloc_failed; -+ } -+ - /* Share the new shared frames with the recipient domain */ - for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) - gnttab_create_shared_page(d, gt, i); -- - gt->nr_grant_frames = req_nr_frames; - -- /* Status pages - version 2 */ -- if (gt->gt_version > 1) -- { -- if ( gnttab_populate_status_frames(d, gt) ) -- goto shared_alloc_failed; -- } -- - return 1; - - shared_alloc_failed: -@@ -2157,7 +2162,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt - - if ( op.version == 2 && gt->gt_version < 2 ) - { -- res = gnttab_populate_status_frames(d, gt); -+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt)); - if ( res < 0) - goto out_unlock; - } -@@ -2600,14 +2605,15 @@ grant_table_create( - clear_page(t->shared_raw[i]); - } - -- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) -- gnttab_create_shared_page(d, t, i); -- - /* Status pages for grant table - for version 2 */ - t->status = xzalloc_array(grant_status_t *, - grant_to_status_frames(max_nr_grant_frames)); - if ( t->status == NULL ) - goto no_mem_4; -+ -+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) -+ gnttab_create_shared_page(d, t, i); -+ - t->nr_status_frames = 0; - - /* Okay, install the structure. */ - - diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch b/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch deleted file mode 100644 index 9c11a1462ee7..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch +++ /dev/null 
@@ -1,56 +0,0 @@ - -# HG changeset patch -# User Jan Beulich <jbeulich@suse.com> -# Date 1354644164 0 -# Node ID 83ab3cd0f8e44ad588932aba93d3b5f92a888a08 -# Parent 5771c761ff1bb249dc683d7ec019d76a2a03a048 -xen: add missing guest address range checks to XENMEM_exchange handlers - -Ever since its existence (3.0.3 iirc) the handler for this has been -using non address range checking guest memory accessors (i.e. -the ones prefixed with two underscores) without first range -checking the accessed space (via guest_handle_okay()), allowing -a guest to access and overwrite hypervisor memory. - -This is XSA-29 / CVE-2012-5513. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> -Committed-by: Ian Jackson <ian.jackson.citrix.com> - -diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/compat/memory.c ---- a/xen/common/compat/memory.c Tue Dec 04 18:02:38 2012 +0000 -+++ b/xen/common/compat/memory.c Tue Dec 04 18:02:44 2012 +0000 -@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X - (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) - return -EINVAL; - -+ if ( !compat_handle_okay(cmp.xchg.in.extent_start, -+ cmp.xchg.in.nr_extents) || -+ !compat_handle_okay(cmp.xchg.out.extent_start, -+ cmp.xchg.out.nr_extents) ) -+ return -EFAULT; -+ - start_extent = cmp.xchg.nr_exchanged; - end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / - (((1U << ABS(order_delta)) + 1) * -diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/memory.c ---- a/xen/common/memory.c Tue Dec 04 18:02:38 2012 +0000 -+++ b/xen/common/memory.c Tue Dec 04 18:02:44 2012 +0000 -@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA - goto fail_early; - } - -+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || -+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) -+ { -+ rc = -EFAULT; -+ goto fail_early; -+ } -+ - /* Only privileged guests can allocate multi-page 
contiguous extents. */ - if ( !multipage_allocation_permitted(current->domain, - exch.in.extent_order) || - - diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch b/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch deleted file mode 100644 index 726592550439..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -xen: fix error handling of guest_physmap_mark_populate_on_demand() - -The only user of the "out" label bypasses a necessary unlock, thus -enabling the caller to lock up Xen. - -Also, the function was never meant to be called by a guest for itself, -so rather than inspecting the code paths in depth for potential other -problems this might cause, and adjusting e.g. the non-guest printk() -in the above error path, just disallow the guest access to it. - -Finally, the printk() (considering its potential of spamming the log, -the more that it's not using XENLOG_GUEST), is being converted to -P2M_DEBUG(), as debugging is what it apparently was added for in the -first place. - -This is XSA-30 / CVE-2012-5514. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> -Acked-by: George Dunlap <george.dunlap@eu.citrix.com> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> -Committed-by: Ian Jackson <ian.jackson.citrix.com> - -diff -r 83ab3cd0f8e4 -r 09a48c5da636 xen/arch/x86/mm/p2m-pod.c ---- xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:44 2012 +0000 -+++ xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:48 2012 +0000 -@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st - mfn_t omfn; - int rc = 0; - -+ if ( !IS_PRIV_FOR(current->domain, d) ) -+ return -EPERM; -+ - if ( !paging_mode_translate(d) ) - return -EINVAL; - -@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st - omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); - if ( p2m_is_ram(ot) ) - { -- printk("%s: gfn_to_mfn returned type %d!\n", -- __func__, ot); -+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot); - rc = -EBUSY; - goto out; - } -@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st - pod_unlock(p2m); - } - -+out: - gfn_unlock(p2m, gfn, order); - --out: - return rc; - } 
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch b/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch deleted file mode 100644 index a7183230e05f..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch +++ /dev/null 
@@ -1,58 +0,0 @@ - -# HG changeset patch -# User Jan Beulich <jbeulich@suse.com> -# Date 1354644172 0 -# Node ID 2c3f00c5189b9269f9840be93d03f058c8994f6e -# Parent 09a48c5da6368ac61bdba5ee09253c2b20d7b577 -memop: limit guest specified extent order - -Allowing unbounded order values here causes almost unbounded loops -and/or partially incomplete requests, particularly in PoD code. - -The added range checks in populate_physmap(), decrease_reservation(), -and the "in" one in memory_exchange() architecturally all could use -PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to -MAX_ORDER. - -This is XSA-31 / CVE-2012-5515. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Tim Deegan <tim@xen.org> -Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> -Committed-by: Ian Jackson <ian.jackson.citrix.com> - -diff -r 09a48c5da636 -r 2c3f00c5189b xen/common/memory.c ---- xen/common/memory.c Tue Dec 04 18:02:48 2012 +0000 -+++ xen/common/memory.c Tue Dec 04 18:02:52 2012 +0000 -@@ -115,7 +115,8 @@ static void populate_physmap(struct memo - - if ( a->memflags & MEMF_populate_on_demand ) - { -- if ( guest_physmap_mark_populate_on_demand(d, gpfn, -+ if ( a->extent_order > MAX_ORDER || -+ guest_physmap_mark_populate_on_demand(d, gpfn, - a->extent_order) < 0 ) - goto out; - } -@@ -235,7 +236,8 @@ static void decrease_reservation(struct - xen_pfn_t gmfn; - - if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, -- a->nr_extents-1) ) -+ a->nr_extents-1) || -+ a->extent_order > MAX_ORDER ) - return; - - for ( i = a->nr_done; i < a->nr_extents; i++ ) -@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA - if ( (exch.nr_exchanged > exch.in.nr_extents) || - /* Input and output domain identifiers match? */ - (exch.in.domid != exch.out.domid) || -+ /* Extent orders are sensible? */ -+ (exch.in.extent_order > MAX_ORDER) || -+ (exch.out.extent_order > MAX_ORDER) || - /* Sizes of input and output lists do not overflow a long? 
*/ - ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || - ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || - - diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch b/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch deleted file mode 100644 index 776d3cd02233..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch +++ /dev/null @@ -1,23 +0,0 @@ -x86: get_page_from_gfn() must return NULL for invalid GFNs - -... also in the non-translated case. - -This is XSA-32 / CVE-2012-xxxx. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Tim Deegan <tim@xen.org> - -diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h -index 28be4e8..907a817 100644 ---- xen/include/asm-x86/p2m.h -+++ xen/include/asm-x86/p2m.h -@@ -384,7 +384,7 @@ static inline struct page_info *get_page_from_gfn( - if (t) - *t = p2m_ram_rw; - page = __mfn_to_page(gfn); -- return get_page(page, d) ? page : NULL; -+ return mfn_valid(gfn) && get_page(page, d) ? page : NULL; - } - - - diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch deleted file mode 100644 index adc26a6b8729..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -commit 66141b2e068fa39f28bdda6be05882e323663687 -Author: Michael Young -Date: Tue Jan 22 22:22:10 2013 +0000 - - Security fix from nested virtualization CVE-2013-0151, - restore status option to xend which is used by libvirt -#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch -#new file mode 100644 -#index 0000000..f5328ef -#--- /dev/null -#+++ xsa34-4.2.patch -#@@ -0,0 +1,30 @@ -#+x86_32: don't allow use of nested HVM -#+ -#+There are (indirect) uses of map_domain_page() in the nested HVM code -#+that are unsafe when not just using the 1:1 mapping. -#+ -#+This is XSA-34 / CVE-2013-0151. -#+ -#+Signed-off-by: Jan Beulich -#+ -#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch -#new file mode 100644 -#index 0000000..28c6171 -#--- /dev/null -#+++ xsa35-4.2-with-xsa34.patch -#@@ -0,0 +1,24 @@ -#+xen: Do not allow guests to enable nested HVM on themselves -#+ -#+There is no reason for this and doing so exposes a memory leak to -#+guests. Only toolstacks need write access to this HVM param. -#+ -#+This is XSA-35 / CVE-2013-0152. 
-#+ -#+Signed-off-by: Ian Campbell -#+Acked-by: Jan Beulich -#+ ---- xen/arch/x86/hvm/hvm.c -+++ xen/arch/x86/hvm/hvm.c -@@ -3858,6 +3858,11 @@ - rc = -EINVAL; - break; - case HVM_PARAM_NESTEDHVM: -+ if ( !IS_PRIV(current->domain) ) -+ { -+ rc = -EPERM; -+ break; -+ } - if ( a.value > 1 ) - rc = -EINVAL; - if ( !is_hvm_domain(d) ) -@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE - rc = -EINVAL; - break; - case HVM_PARAM_NESTEDHVM: -+#ifdef __i386__ -+ if ( a.value ) -+ rc = -EINVAL; -+#else - if ( a.value > 1 ) - rc = -EINVAL; - if ( !is_hvm_domain(d) ) -@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE - for_each_vcpu(d, v) - if ( rc == 0 ) - rc = nestedhvm_vcpu_initialise(v); -+#endif - break; - case HVM_PARAM_BUFIOREQ_EVTCHN: - rc = -EINVAL; -# HG changeset patch -# User Tim Deegan <tim@xen.org> -# Date 1354644158 0 -# Node ID 5771c761ff1bb249dc683d7ec019d76a2a03a048 -# Parent dea7d4e5bfc1627133c0c19706fea1fbc9e5a378 -#hvm: Limit the size of large HVM op batches -# -#Doing large p2m updates for HVMOP_track_dirty_vram without preemption -#ties up the physical processor. Integrating preemption into the p2m -#updates is hard so simply limit to 1GB which is sufficient for a 15000 -#* 15000 * 32bpp framebuffer. -# -#For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the -#necessary machinery to handle preemption. -# -#This is CVE-2012-5511 / XSA-27. -# -#Signed-off-by: Tim Deegan <tim@xen.org> -#Signed-off-by: Ian Campbell <ian.campbell@citrix.com> -#Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> -#Committed-by: Ian Jackson <ian.jackson.citrix.com> -# -#v2: Provide definition of GB to fix x86-32 compile. 
-# -#Signed-off-by: Jan Beulich <JBeulich@suse.com> -#Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> -diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/arch/x86/hvm/hvm.c ---- xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:18 2012 +0000 -+++ xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:38 2012 +0000 -@@ -3969,6 +3969,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - if ( !is_hvm_domain(d) ) - goto param_fail2; - -+ if ( a.nr > GB(1) >> PAGE_SHIFT ) -+ goto param_fail2; -+ - rc = xsm_hvm_param(d, op); - if ( rc ) - goto param_fail2; -@@ -3995,7 +3998,6 @@ long do_hvm_op(unsigned long op, XEN_GUE - { - struct xen_hvm_modified_memory a; - struct domain *d; -- unsigned long pfn; - - if ( copy_from_guest(&a, arg, 1) ) - return -EFAULT; -@@ -4022,9 +4024,11 @@ long do_hvm_op(unsigned long op, XEN_GUE - if ( !paging_mode_log_dirty(d) ) - goto param_fail3; - -- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) -+ while ( a.nr > 0 ) - { -+ unsigned long pfn = a.first_pfn; - struct page_info *page; -+ - page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE); - if ( page ) - { -@@ -4034,6 +4038,19 @@ long do_hvm_op(unsigned long op, XEN_GUE - sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0); - put_page(page); - } -+ -+ a.first_pfn++; -+ a.nr--; -+ -+ /* Check for continuation if it's not the last interation */ -+ if ( a.nr > 0 && hypercall_preempt_check() ) -+ { -+ if ( copy_to_guest(arg, &a, 1) ) -+ rc = -EFAULT; -+ else -+ rc = -EAGAIN; -+ break; -+ } - } - - param_fail3: -@@ -4089,7 +4106,6 @@ long do_hvm_op(unsigned long op, XEN_GUE - { - struct xen_hvm_set_mem_type a; - struct domain *d; -- unsigned long pfn; - - /* Interface types to internal p2m types */ - p2m_type_t memtype[] = { -@@ -4122,8 +4138,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - if ( a.hvmmem_type >= ARRAY_SIZE(memtype) ) - goto param_fail4; - -- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) -+ while ( a.nr ) - { -+ unsigned long pfn = a.first_pfn; - p2m_type_t t; - p2m_type_t nt; - mfn_t 
mfn; -@@ -4163,6 +4180,19 @@ long do_hvm_op(unsigned long op, XEN_GUE - } - } - put_gfn(d, pfn); -+ -+ a.first_pfn++; -+ a.nr--; -+ -+ /* Check for continuation if it's not the last interation */ -+ if ( a.nr > 0 && hypercall_preempt_check() ) -+ { -+ if ( copy_to_guest(arg, &a, 1) ) -+ rc = -EFAULT; -+ else -+ rc = -EAGAIN; -+ goto param_fail4; -+ } - } - - rc = 0; -diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/include/asm-x86/config.h ---- xen/include/asm-x86/config.h Tue Dec 04 18:02:18 2012 +0000 -+++ xen/include/asm-x86/config.h Tue Dec 04 18:02:38 2012 +0000 -@@ -119,6 +119,9 @@ extern char wakeup_start[]; - extern unsigned int video_mode, video_flags; - extern unsigned short boot_edid_caps; - extern unsigned char boot_edid_info[128]; -+ -+#define GB(_gb) (_gb ## UL << 30) -+ - #endif - - #define asmlinkage -@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128] - #define PML4_ADDR(_slot) \ - ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \ - (_slot ## UL << PML4_ENTRY_BITS)) --#define GB(_gb) (_gb ## UL << 30) - #else - #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS) - #define PML4_ADDR(_slot) \ - diff --git a/app-emulation/xen/files/xen-4-CVE-2013-1920-XSA-47.patch b/app-emulation/xen/files/xen-4-CVE-2013-1920-XSA-47.patch deleted file mode 100644 index 7ebb8c8a3178..000000000000 --- a/app-emulation/xen/files/xen-4-CVE-2013-1920-XSA-47.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -defer event channel bucket pointer store until after XSM checks - -Otherwise a dangling pointer can be left, which would cause subsequent -memory corruption as soon as the space got re-allocated for some other -purpose. - -This is CVE-2013-1920 / XSA-47. - -Reported-by: Wei Liu <wei.liu2@citrix.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Tim Deegan <tim@xen.org> - ---- a/xen/common/event_channel.c -+++ b/xen/common/event_channel.c -@@ -140,7 +140,6 @@ static int get_free_port(struct domain * - chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET); - if ( unlikely(chn == NULL) ) - return -ENOMEM; -- bucket_from_port(d, port) = chn; - - for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ ) - { -@@ -153,6 +152,8 @@ static int get_free_port(struct domain * - } - } - -+ bucket_from_port(d, port) = chn; -+ - return port; - } - diff --git a/app-emulation/xen/files/xen-4.1.1-iommu_sec_fix.patch b/app-emulation/xen/files/xen-4.1.1-iommu_sec_fix.patch deleted file mode 100644 index 737c2bd777aa..000000000000 --- a/app-emulation/xen/files/xen-4.1.1-iommu_sec_fix.patch +++ /dev/null 
@@ -1,74 +0,0 @@ - -# HG changeset patch -# User Tim Deegan <Tim.Deegan@citrix.com> -# Date 1313145221 -3600 -# Node ID 84e3706df07a1963e23cd3875d8603917657d462 -# Parent cb22fa57ff252893b6adb1481e09b1287eacd990 -Passthrough: disable bus-mastering on any card that causes an IOMMU fault. - -This stops the card from raising back-to-back faults and live-locking -the CPU that handles them. - -Signed-off-by: Tim Deegan <tim@xen.org> -Acked-by: Wei Wang2 <wei.wang2@amd.com> -Acked-by: Allen M Kay <allen.m.kay@intel.com> - -diff -r cb22fa57ff25 -r 84e3706df07a xen/drivers/passthrough/amd/iommu_init.c ---- a/xen/drivers/passthrough/amd/iommu_init.c Mon Jul 25 16:48:39 2011 +0100 -+++ b/xen/drivers/passthrough/amd/iommu_init.c Fri Aug 12 11:33:41 2011 +0100 -@@ -462,7 +462,7 @@ - - static void parse_event_log_entry(u32 entry[]) - { -- u16 domain_id, device_id; -+ u16 domain_id, device_id, bdf, cword; - u32 code; - u64 *addr; - char * event_str[] = {"ILLEGAL_DEV_TABLE_ENTRY", -@@ -497,6 +497,18 @@ - "%s: domain = %d, device id = 0x%04x, " - "fault address = 0x%"PRIx64"\n", - event_str[code-1], domain_id, device_id, *addr); -+ -+ /* Tell the device to stop DMAing; we can't rely on the guest to -+ * control it for us. 
*/ -+ for ( bdf = 0; bdf < ivrs_bdf_entries; bdf++ ) -+ if ( get_dma_requestor_id(bdf) == device_id ) -+ { -+ cword = pci_conf_read16(PCI_BUS(bdf), PCI_SLOT(bdf), -+ PCI_FUNC(bdf), PCI_COMMAND); -+ pci_conf_write16(PCI_BUS(bdf), PCI_SLOT(bdf), -+ PCI_FUNC(bdf), PCI_COMMAND, -+ cword & ~PCI_COMMAND_MASTER); -+ } - } - else - { -diff -r cb22fa57ff25 -r 84e3706df07a xen/drivers/passthrough/vtd/iommu.c ---- a/xen/drivers/passthrough/vtd/iommu.c Mon Jul 25 16:48:39 2011 +0100 -+++ b/xen/drivers/passthrough/vtd/iommu.c Fri Aug 12 11:33:41 2011 +0100 -@@ -893,7 +893,7 @@ - while (1) - { - u8 fault_reason; -- u16 source_id; -+ u16 source_id, cword; - u32 data; - u64 guest_addr; - int type; -@@ -926,6 +926,14 @@ - iommu_page_fault_do_one(iommu, type, fault_reason, - source_id, guest_addr); - -+ /* Tell the device to stop DMAing; we can't rely on the guest to -+ * control it for us. */ -+ cword = pci_conf_read16(PCI_BUS(source_id), PCI_SLOT(source_id), -+ PCI_FUNC(source_id), PCI_COMMAND); -+ pci_conf_write16(PCI_BUS(source_id), PCI_SLOT(source_id), -+ PCI_FUNC(source_id), PCI_COMMAND, -+ cword & ~PCI_COMMAND_MASTER); -+ - fault_index++; - if ( fault_index > cap_num_fault_regs(iommu->cap) ) - fault_index = 0; - |