pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/sysutils/xenkernel41 add patches from upstream to fix ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/0c883e52a7f0
branches: trunk
changeset: 624825:0c883e52a7f0
user: drochner <drochner%pkgsrc.org@localhost>
date: Tue Oct 01 14:54:44 2013 +0000
description:
add patches from upstream to fix security problems:
-Information leak on AVX and/or LWP capable CPUs (CVE-2013-1442 / XSA-62)
-Information leaks through I/O instruction emulation
(CVE-2013-4355 / XSA-63)
-Information leak through fbld instruction emulation
(CVE-2013-4361 / XSA-66)
bump PKGREV
diffstat:
sysutils/xenkernel41/Makefile | 3 +-
sysutils/xenkernel41/distinfo | 8 ++-
sysutils/xenkernel41/patches/patch-CVE-2013-1442 | 27 ++++++++
sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 | 38 +++++++++++
sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 | 71 ++++++++++++++++++++++
sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 | 36 +++++++++++
sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 | 24 +++++++
sysutils/xenkernel41/patches/patch-CVE-2013-4361 | 20 ++++++
8 files changed, 225 insertions(+), 2 deletions(-)
diffs (274 lines):
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/Makefile
--- a/sysutils/xenkernel41/Makefile Tue Oct 01 14:50:38 2013 +0000
+++ b/sysutils/xenkernel41/Makefile Tue Oct 01 14:54:44 2013 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.25 2013/09/27 11:35:07 joerg Exp $
+# $NetBSD: Makefile,v 1.26 2013/10/01 14:54:44 drochner Exp $
#
VERSION= 4.1.6.1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
+PKGREVISION= 1
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/distinfo
--- a/sysutils/xenkernel41/distinfo Tue Oct 01 14:50:38 2013 +0000
+++ b/sysutils/xenkernel41/distinfo Tue Oct 01 14:54:44 2013 +0000
@@ -1,8 +1,14 @@
-$NetBSD: distinfo,v 1.19 2013/09/11 18:00:33 drochner Exp $
+$NetBSD: distinfo,v 1.20 2013/10/01 14:54:44 drochner Exp $
SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
+SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
+SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a
+SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
+SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
+SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
+SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-1442
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1442 Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-CVE-2013-1442,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg02523.html
+
+--- xen/arch/x86/i387.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/i387.c 2013-09-30 15:23:07.000000000 +0000
+@@ -103,9 +103,9 @@ void setup_fpu(struct vcpu *v)
+ {
+ /*
+ * XCR0 normally represents what guest OS set. In case of Xen itself,
+- * we set all supported feature mask before doing save/restore.
++ * we set all supported feature mask before restoring.
+ */
+- set_xcr0(v->arch.xcr0_accum);
++ set_xcr0(xfeature_mask);
+ xrstor(v);
+ set_xcr0(v->arch.xcr0);
+ }
+@@ -149,7 +149,7 @@ void save_init_fpu(struct vcpu *v)
+ if ( xsave_enabled(v) )
+ {
+ /* XCR0 normally represents what guest OS set. In case of Xen itself,
+- * we set all accumulated feature mask before doing save/restore.
++ * we set all accumulated feature mask before saving.
+ */
+ set_xcr0(v->arch.xcr0_accum);
+ if ( cpu_has_xsaveopt )
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,38 @@
+$NetBSD: patch-CVE-2013-4355_1,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
+
+--- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c 2013-09-30 15:23:07.000000000 +0000
+@@ -1961,11 +1961,7 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- if ( rc == HVMCOPY_gfn_shared )
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+ eflags = regs->eflags;
+@@ -2010,13 +2006,11 @@ void hvm_task_switch(
+
+ rc = hvm_copy_from_guest_virt(
+ &tss, tr.base, sizeof(tss), PFEC_page_present);
+- if ( rc == HVMCOPY_bad_gva_to_gfn )
+- goto out;
+- if ( rc == HVMCOPY_gfn_paged_out )
+- goto out;
+- /* Note: this could be optimised, if the callee functions knew we want RO
+- * access */
+- if ( rc == HVMCOPY_gfn_shared )
++ /*
++ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
++ * functions knew we want RO access.
++ */
++ if ( rc != HVMCOPY_okay )
+ goto out;
+
+
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_2
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,71 @@
+$NetBSD: patch-CVE-2013-4355_2,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/intercept.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/intercept.c 2013-09-30 15:23:07.000000000 +0000
+@@ -93,17 +93,28 @@ static int hvm_mmio_access(struct vcpu *
+ {
+ for ( i = 0; i < p->count; i++ )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) ||
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
+ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ rc = X86EMUL_RETRY;
+ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
+ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
+ data);
+ if ( rc != X86EMUL_OKAY )
+@@ -171,8 +182,28 @@ static int process_portio_intercept(port
+ for ( i = 0; i < p->count; i++ )
+ {
+ data = 0;
+- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
+- p->size);
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
++ rc = X86EMUL_RETRY;
++ break;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ rc = X86EMUL_UNHANDLEABLE;
++ break;
++ }
++ if ( rc != X86EMUL_OKAY )
++ break;
+ rc = action(IOREQ_WRITE, p->addr, p->size, &data);
+ if ( rc != X86EMUL_OKAY )
+ break;
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_3
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-CVE-2013-4355_3,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/io.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/io.c 2013-09-30 15:23:07.000000000 +0000
+@@ -333,14 +333,24 @@ static int dpci_ioport_write(uint32_t mp
+ data = p->data;
+ if ( p->data_is_ptr )
+ {
+- int ret;
+-
+- ret = hvm_copy_from_guest_phys(&data,
+- p->data + (sign * i * p->size),
+- p->size);
+- if ( (ret == HVMCOPY_gfn_paged_out) &&
+- (ret == HVMCOPY_gfn_shared) )
++ switch ( hvm_copy_from_guest_phys(&data,
++ p->data + sign * i * p->size,
++ p->size) )
++ {
++ case HVMCOPY_okay:
++ break;
++ case HVMCOPY_gfn_paged_out:
++ case HVMCOPY_gfn_shared:
+ return X86EMUL_RETRY;
++ case HVMCOPY_bad_gfn_to_mfn:
++ data = ~0;
++ break;
++ case HVMCOPY_bad_gva_to_gfn:
++ ASSERT(0);
++ /* fall through */
++ default:
++ return X86EMUL_UNHANDLEABLE;
++ }
+ }
+
+ switch ( p->size )
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_4
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2013-4355_4,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/vmx/realmode.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/vmx/realmode.c 2013-09-30 15:23:07.000000000 +0000
+@@ -38,7 +38,9 @@ static void realmode_deliver_exception(
+
+ again:
+ last_byte = (vector * 4) + 3;
+- if ( idtr->limit < last_byte )
++ if ( idtr->limit < last_byte ||
++ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
++ HVMCOPY_okay )
+ {
+ /* Software interrupt? */
+ if ( insn_len != 0 )
+@@ -63,8 +65,6 @@ static void realmode_deliver_exception(
+ }
+ }
+
+- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
+-
+ frame[0] = regs->eip + insn_len;
+ frame[1] = csr->sel;
+ frame[2] = regs->eflags & ~X86_EFLAGS_RF;
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4361
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4361 Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2013-4361,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03162.html
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/x86_emulate/x86_emulate.c 2013-09-30 15:23:08.000000000 +0000
+@@ -2975,11 +2975,11 @@ x86_emulate(
+ break;
+ case 4: /* fbld m80dec */
+ ea.bytes = 10;
+- dst = ea;
++ src = ea;
+ if ( (rc = ops->read(src.mem.seg, src.mem.off,
+ &src.val, src.bytes, ctxt)) != 0 )
+ goto done;
+- emulate_fpu_insn_memdst("fbld", src.val);
++ emulate_fpu_insn_memsrc("fbld", src.val);
+ break;
+ case 5: /* fild m64i */
+ ea.bytes = 8;
Home |
Main Index |
Thread Index |
Old Index