
CVS commit: pkgsrc/sysutils



Module Name:    pkgsrc
Committed By:   bouyer
Date:           Thu Sep  8 15:44:07 UTC 2016

Modified Files:
        pkgsrc/sysutils/xenkernel45: Makefile distinfo
        pkgsrc/sysutils/xenkernel46: Makefile distinfo
Added Files:
        pkgsrc/sysutils/xenkernel45/patches: patch-XSA-185 patch-XSA-186-1
            patch-XSA-186-2 patch-XSA-187-1 patch-XSA-187-2
        pkgsrc/sysutils/xenkernel46/patches: patch-XSA-185 patch-XSA-186-1
            patch-XSA-186-2 patch-XSA-187-1 patch-XSA-187-2

Log Message:
Apply upstream patches for:
XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
XSA-186: x86: Mishandling of instruction pointer truncation during emulation
XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
bump PKGREVISION


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 pkgsrc/sysutils/xenkernel45/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/sysutils/xenkernel45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-XSA-185 \
    pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-1 \
    pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-2 \
    pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-1 \
    pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-2
cvs rdiff -u -r1.2 -r1.3 pkgsrc/sysutils/xenkernel46/Makefile
cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/sysutils/xenkernel46/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel46/patches/patch-XSA-185 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-1 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-2 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-1 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/sysutils/xenkernel45/Makefile
diff -u pkgsrc/sysutils/xenkernel45/Makefile:1.20 pkgsrc/sysutils/xenkernel45/Makefile:1.21
--- pkgsrc/sysutils/xenkernel45/Makefile:1.20   Sat Aug  6 10:10:10 2016
+++ pkgsrc/sysutils/xenkernel45/Makefile        Thu Sep  8 15:44:07 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.20 2016/08/06 10:10:10 spz Exp $
+# $NetBSD: Makefile,v 1.21 2016/09/08 15:44:07 bouyer Exp $
 
 VERSION=       4.5.3
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel45-${VERSION}
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xenkernel45/distinfo
diff -u pkgsrc/sysutils/xenkernel45/distinfo:1.16 pkgsrc/sysutils/xenkernel45/distinfo:1.17
--- pkgsrc/sysutils/xenkernel45/distinfo:1.16   Sat Aug  6 10:10:10 2016
+++ pkgsrc/sysutils/xenkernel45/distinfo        Thu Sep  8 15:44:07 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2016/08/06 10:10:10 spz Exp $
+$NetBSD: distinfo,v 1.17 2016/09/08 15:44:07 bouyer Exp $
 
 SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108
 RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4
@@ -12,6 +12,11 @@ SHA1 (patch-XSA-180) = d50f2c7d4ae7bbc8d
 SHA1 (patch-XSA-181) = 3fc00b9543d6bd834359a299c288839ad69f3fbb
 SHA1 (patch-XSA-182) = 77dfd369df89a51355318e26e38837482f09996e
 SHA1 (patch-XSA-183) = f2a6027ff71c32c16abeb1b17e3226b714a5f1f4
+SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019
+SHA1 (patch-XSA-186-1) = 71e4a6c4c683891bac50682a3ab69a204fb681ad
+SHA1 (patch-XSA-186-2) = 6094c2efe468e3f31712659be9a71af2cbe8dc1f
+SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56
+SHA1 (patch-XSA-187-2) = f5308fee03a5d73c8aa283eb82cc36a6a3d3bc06
 SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03

Index: pkgsrc/sysutils/xenkernel46/Makefile
diff -u pkgsrc/sysutils/xenkernel46/Makefile:1.2 pkgsrc/sysutils/xenkernel46/Makefile:1.3
--- pkgsrc/sysutils/xenkernel46/Makefile:1.2    Sat Jul  9 13:04:08 2016
+++ pkgsrc/sysutils/xenkernel46/Makefile        Thu Sep  8 15:44:07 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.2 2016/07/09 13:04:08 wiz Exp $
+# $NetBSD: Makefile,v 1.3 2016/09/08 15:44:07 bouyer Exp $
 
 VERSION=       4.6.3
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel46-${VERSION}
-#PKGREVISION=  0
+PKGREVISION=   1
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xenkernel46/distinfo
diff -u pkgsrc/sysutils/xenkernel46/distinfo:1.1.1.1 pkgsrc/sysutils/xenkernel46/distinfo:1.2
--- pkgsrc/sysutils/xenkernel46/distinfo:1.1.1.1        Mon Jul  4 07:25:13 2016
+++ pkgsrc/sysutils/xenkernel46/distinfo        Thu Sep  8 15:44:07 2016
@@ -1,10 +1,15 @@
-$NetBSD: distinfo,v 1.1.1.1 2016/07/04 07:25:13 jnemeth Exp $
+$NetBSD: distinfo,v 1.2 2016/09/08 15:44:07 bouyer Exp $
 
 SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349
 RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
 SHA512 (xen-4.6.3.tar.gz) = 187a860b40c05139f22b8498a5fae1db173c3110d957147af29a56cb83b7111c9dc4946d65f9dffc847001fc01c5e9bf51886eaa1194bb9cfd0b6dbcd43a2c5c
 Size (xen-4.6.3.tar.gz) = 19707041 bytes
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
+SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019
+SHA1 (patch-XSA-186-1) = 71e4a6c4c683891bac50682a3ab69a204fb681ad
+SHA1 (patch-XSA-186-2) = 6094c2efe468e3f31712659be9a71af2cbe8dc1f
+SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56
+SHA1 (patch-XSA-187-2) = f5308fee03a5d73c8aa283eb82cc36a6a3d3bc06
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03

Added files:

Index: pkgsrc/sysutils/xenkernel45/patches/patch-XSA-185
diff -u /dev/null pkgsrc/sysutils/xenkernel45/patches/patch-XSA-185:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel45/patches/patch-XSA-185   Thu Sep  8 15:44:07 2016
@@ -0,0 +1,37 @@
+$NetBSD: patch-XSA-185,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Date: Mon, 8 Aug 2016 10:58:12 +0100
+Subject: x86/32on64: don't allow recursive page tables from L3
+
+L3 entries are special in PAE mode, and hence can't reasonably be used
+for setting up recursive (and hence linear) page table mappings. Since
+abuse is possible when the guest in fact gets run on 4-level page
+tables, this needs to be excluded explicitly.
+
+This is XSA-185.
+
+Reported-by: Jérémie Boutoille <jboutoille%ext.quarkslab.com@localhost>
+Reported-by: 栾尚聪(好风) <shangcong.lsc%alibaba-inc.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+---
+ xen/arch/x86/mm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 109b8be..69b8b8d 100644
+--- xen/arch/x86/mm.c.orig
++++ xen/arch/x86/mm.c
+@@ -1122,7 +1122,9 @@ get_page_from_l3e(
+ 
+     rc = get_page_and_type_from_pagenr(
+         l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
+-    if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
++    if ( unlikely(rc == -EINVAL) &&
++         !is_pv_32bit_domain(d) &&
++         get_l3_linear_pagetable(l3e, pfn, d) )
+         rc = 0;
+ 
+     return rc;
Index: pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-1
diff -u /dev/null pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-1:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-1 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,43 @@
+$NetBSD: patch-XSA-186-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
+
+The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
+rdtsc, but isn't really an instruction prefix.  It behaves as a break-out into
+Xen, with the purpose of emulating the next instruction in the current state.
+
+It is important to be able to test legal situations which occur in real
+hardware, including instruction which cross certain boundaries, and
+instructions starting at 0.
+
+Reported-by: Brian Marcotte <marcotte%panix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- xen/arch/x86/hvm/svm/svm.c.orig
++++ xen/arch/x86/hvm/svm/svm.c
+@@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru
+         {
+             regs->eip += sizeof(sig);
+             regs->eflags &= ~X86_EFLAGS_RF;
++
++            /* Zero the upper 32 bits of %rip if not in long mode. */
++            if ( svm_guest_x86_mode(current) != 8 )
++                regs->eip = regs->_eip;
+         }
+     }
+ 
+--- xen/arch/x86/hvm/vmx/vmx.c.orig
++++ xen/arch/x86/hvm/vmx/vmx.c
+@@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru
+         {
+             regs->eip += sizeof(sig);
+             regs->eflags &= ~X86_EFLAGS_RF;
++
++            /* Zero the upper 32 bits of %rip if not in long mode. */
++            if ( vmx_guest_x86_mode(current) != 8 )
++                regs->eip = regs->_eip;
+         }
+     }
+ 
Index: pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-2
diff -u /dev/null pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-2:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel45/patches/patch-XSA-186-2 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,73 @@
+From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Fri, 22 Jul 2016 16:02:54 +0000
+Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
+ instructions
+
+This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
+
+Experimentally, in long mode processors will execute an instruction stream
+which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
+boundary is aligned on the virtual boundary, or is misaligned.
+
+In compatibility mode, Intel processors will execute an instruction stream
+which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
+segmentation fault.  Xen's segmentation behaviour matches AMD.
+
+For 16bit code, hardware does not ever truncated %ip.  %eip is always used and
+behaves normally as a 32bit register, including in 16bit protected mode
+segments, as well as in Real and Unreal mode.
+
+This is XSA-186
+
+Reported-by: Brian Marcotte <marcotte%panix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index d5a56cf..bf3529a 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1570,10 +1570,6 @@ x86_emulate(
+ #endif
+     }
+ 
+-    /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
+-    if ( def_ad_bytes < sizeof(_regs.eip) )
+-        _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
+-
+     /* Prefix bytes. */
+     for ( ; ; )
+     {
+@@ -3906,21 +3902,11 @@ x86_emulate(
+ 
+     /* Commit shadow register state. */
+     _regs.eflags &= ~EFLG_RF;
+-    switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
+-    {
+-        uint16_t ip;
+ 
+-    case 2:
+-        ip = _regs.eip;
+-        _regs.eip = ctxt->regs->eip;
+-        *(uint16_t *)&_regs.eip = ip;
+-        break;
+-#ifdef __x86_64__
+-    case 4:
+-        _regs.rip = _regs._eip;
+-        break;
+-#endif
+-    }
++    /* Zero the upper 32 bits of %rip if not in long mode. */
++    if ( def_ad_bytes < sizeof(_regs.eip) )
++        _regs.eip = (uint32_t)_regs.eip;
++
+     *ctxt->regs = _regs;
+ 
+  done:
+-- 
+2.1.4
+
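Review bot: The added patch-XSA-186-2 file is missing the `$NetBSD$` RCS tag that every other patch added by this commit carries on its first line (patch-XSA-185, -186-1, -187-1 and -187-2 all start with `$NetBSD: patch-...`), so pkglint will flag it and the id will never expand on checkout; prepend `$NetBSD$` plus a blank line ahead of the `From e938be013...` header. The embedded upstream subject reads `[PATCH 1/2]` while pkgsrc names the file 186-2; harmless, but a one-line pkgsrc comment under the tag naming the XSA and which upstream patch this is would save the next person a lookup. The C change itself (dropping the def_ad_bytes switch in favour of `_regs.eip = (uint32_t)_regs.eip;` when not in long mode) matches the upstream description, and x86_emulate() extends well beyond both hunks.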
Index: pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-1
diff -u /dev/null pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-1:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-1 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,44 @@
+$NetBSD: patch-XSA-187-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
+
+hvm_get_seg_reg() does not perform a range check on its input segment, calls
+hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
+
+x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
+in {vmx,svm}_get_segment_register().
+
+HVM guests running with shadow paging can end up performing a virtual to
+linear translation with x86_seg_none.  This is used for addresses which are
+already linear.  However, none of this is a legitimate pagetable update, so
+fail the emulation in such a case.
+
+This is XSA-187
+
+Reported-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Tim Deegan <tim%xen.org@localhost>
+
+--- xen/arch/x86/mm/shadow/common.c.orig
++++ xen/arch/x86/mm/shadow/common.c
+@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
+     struct sh_emulate_ctxt *sh_ctxt,
+     unsigned long *paddr)
+ {
+-    struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
++    struct segment_register *reg;
+     int okay;
+ 
++    /*
++     * Can arrive here with non-user segments.  However, no such cirucmstance
++     * is part of a legitimate pagetable update, so fail the emulation.
++     */
++    if ( !is_x86_user_segment(seg) )
++        return X86EMUL_UNHANDLEABLE;
++
++    reg = hvm_get_seg_reg(seg, sh_ctxt);
++
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+ 
Index: pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-2
diff -u /dev/null pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-2:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel45/patches/patch-XSA-187-2 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,144 @@
+$NetBSD: patch-XSA-187-2,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
+
+HVM HAP codepaths have space for all segment registers in the seg_reg[]
+cache (with x86_seg_none still risking an array overrun), while the shadow
+codepaths only have space for the user segments.
+
+Range check the input segment of *_get_seg_reg() against the size of the array
+used to cache the results, to avoid overruns in the case that the callers
+don't filter their input suitably.
+
+Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
+an incomplete attempt at range checking, and are now superceeded.  Make
+hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
+
+No functional change, but far easier to reason that no overflow is possible.
+
+Reported-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Acked-by: Tim Deegan <tim%xen.org@localhost>
+Acked-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- xen/arch/x86/hvm/emulate.c.orig
++++ xen/arch/x86/hvm/emulate.c
+@@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear(
+                            ? 1 : 4096);
+ 
+     reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
+     {
+@@ -1360,6 +1362,10 @@ static int hvmemul_read_segment(
+     struct hvm_emulate_ctxt *hvmemul_ctxt =
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(reg, sreg, sizeof(struct segment_register));
+     return X86EMUL_OKAY;
+ }
+@@ -1373,6 +1379,9 @@ static int hvmemul_write_segment(
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
+ 
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(sreg, reg, sizeof(struct segment_register));
+     __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
+ 
+@@ -1911,10 +1920,17 @@ void hvm_emulate_writeback(
+     }
+ }
+ 
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvmemul_get_seg_reg(
+     enum x86_segment seg,
+     struct hvm_emulate_ctxt *hvmemul_ctxt)
+ {
++    if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
+     if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
+         hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
+     return &hvmemul_ctxt->seg_reg[seg];
+--- xen/arch/x86/mm/shadow/common.c.orig
++++ xen/arch/x86/mm/shadow/common.c
+@@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init);
+ /* x86 emulator support for the shadow code
+  */
+ 
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvm_get_seg_reg(
+     enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
+ {
+-    struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
++    struct segment_register *seg_reg;
++
++    if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
++    seg_reg = &sh_ctxt->seg_reg[seg];
+     if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
+         hvm_get_segment_register(current, seg, seg_reg);
+     return seg_reg;
+@@ -145,14 +154,9 @@ static int hvm_translate_linear_addr(
+     struct segment_register *reg;
+     int okay;
+ 
+-    /*
+-     * Can arrive here with non-user segments.  However, no such cirucmstance
+-     * is part of a legitimate pagetable update, so fail the emulation.
+-     */
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     reg = hvm_get_seg_reg(seg, sh_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+@@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg,
+     unsigned long addr;
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     /* How many emulations could we save if we unshadowed on stack writes? */
+     if ( seg == x86_seg_ss )
+         perfc_incr(shadow_fault_emulate_stack);
+@@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
+     unsigned long addr, old[2], new[2];
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     rc = hvm_translate_linear_addr(
+         seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
+     if ( rc )
+--- xen/include/asm-x86/hvm/emulate.h.orig
++++ xen/include/asm-x86/hvm/emulate.h
+@@ -13,6 +13,7 @@
+ #define __ASM_X86_HVM_EMULATE_H__
+ 
+ #include <xen/config.h>
++#include <xen/err.h>
+ #include <asm/hvm/hvm.h>
+ #include <asm/x86_emulate.h>
+ 
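Review bot: The patch description states hvm_get_seg_reg() is made static because it is only used inside shadow/common.c, but the hunk at `struct segment_register *hvm_get_seg_reg(` keeps external linkage, so description and code disagree. If the 4.5 tree still declares it in a shadow header this is a reasonable backport choice and the sentence should be dropped from the description; otherwise change it to `static struct segment_register *hvm_get_seg_reg(` so the only callers are the ones now checking `IS_ERR()`. Also worth a look: `seg < 0` on an `enum x86_segment` expresses the intent, but depending on the enum's underlying type the compiler may warn that the comparison is always false; comparing `(unsigned int)seg >= ARRAY_SIZE(sh_ctxt->seg_reg)` covers both the negative and the overflow case without the warning. hvmemul_virtual_to_linear(), hvm_emulate_write() and hvm_emulate_cmpxchg() all start or end outside their hunks, so the remaining callers of the now-fallible getters cannot be checked from here.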

Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-185
diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-185:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-185   Thu Sep  8 15:44:07 2016
@@ -0,0 +1,37 @@
+$NetBSD: patch-XSA-185,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Date: Mon, 8 Aug 2016 10:58:12 +0100
+Subject: x86/32on64: don't allow recursive page tables from L3
+
+L3 entries are special in PAE mode, and hence can't reasonably be used
+for setting up recursive (and hence linear) page table mappings. Since
+abuse is possible when the guest in fact gets run on 4-level page
+tables, this needs to be excluded explicitly.
+
+This is XSA-185.
+
+Reported-by: Jérémie Boutoille <jboutoille%ext.quarkslab.com@localhost>
+Reported-by: 栾尚聪(好风) <shangcong.lsc%alibaba-inc.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+---
+ xen/arch/x86/mm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
+index 109b8be..69b8b8d 100644
+--- xen/arch/x86/mm.c.orig
++++ xen/arch/x86/mm.c
+@@ -1122,7 +1122,9 @@ get_page_from_l3e(
+ 
+     rc = get_page_and_type_from_pagenr(
+         l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
+-    if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
++    if ( unlikely(rc == -EINVAL) &&
++         !is_pv_32bit_domain(d) &&
++         get_l3_linear_pagetable(l3e, pfn, d) )
+         rc = 0;
+ 
+     return rc;
Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-1
diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-1:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-1 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,43 @@
+$NetBSD: patch-XSA-186-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
+
+The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
+rdtsc, but isn't really an instruction prefix.  It behaves as a break-out into
+Xen, with the purpose of emulating the next instruction in the current state.
+
+It is important to be able to test legal situations which occur in real
+hardware, including instruction which cross certain boundaries, and
+instructions starting at 0.
+
+Reported-by: Brian Marcotte <marcotte%panix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- xen/arch/x86/hvm/svm/svm.c.orig
++++ xen/arch/x86/hvm/svm/svm.c
+@@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru
+         {
+             regs->eip += sizeof(sig);
+             regs->eflags &= ~X86_EFLAGS_RF;
++
++            /* Zero the upper 32 bits of %rip if not in long mode. */
++            if ( svm_guest_x86_mode(current) != 8 )
++                regs->eip = regs->_eip;
+         }
+     }
+ 
+--- xen/arch/x86/hvm/vmx/vmx.c.orig
++++ xen/arch/x86/hvm/vmx/vmx.c
+@@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru
+         {
+             regs->eip += sizeof(sig);
+             regs->eflags &= ~X86_EFLAGS_RF;
++
++            /* Zero the upper 32 bits of %rip if not in long mode. */
++            if ( vmx_guest_x86_mode(current) != 8 )
++                regs->eip = regs->_eip;
+         }
+     }
+ 
Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-2
diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-2:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-186-2 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,73 @@
+From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Fri, 22 Jul 2016 16:02:54 +0000
+Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
+ instructions
+
+This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
+
+Experimentally, in long mode processors will execute an instruction stream
+which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
+boundary is aligned on the virtual boundary, or is misaligned.
+
+In compatibility mode, Intel processors will execute an instruction stream
+which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
+segmentation fault.  Xen's segmentation behaviour matches AMD.
+
+For 16bit code, hardware does not ever truncated %ip.  %eip is always used and
+behaves normally as a 32bit register, including in 16bit protected mode
+segments, as well as in Real and Unreal mode.
+
+This is XSA-186
+
+Reported-by: Brian Marcotte <marcotte%panix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index d5a56cf..bf3529a 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1570,10 +1570,6 @@ x86_emulate(
+ #endif
+     }
+ 
+-    /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
+-    if ( def_ad_bytes < sizeof(_regs.eip) )
+-        _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
+-
+     /* Prefix bytes. */
+     for ( ; ; )
+     {
+@@ -3906,21 +3902,11 @@ x86_emulate(
+ 
+     /* Commit shadow register state. */
+     _regs.eflags &= ~EFLG_RF;
+-    switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
+-    {
+-        uint16_t ip;
+ 
+-    case 2:
+-        ip = _regs.eip;
+-        _regs.eip = ctxt->regs->eip;
+-        *(uint16_t *)&_regs.eip = ip;
+-        break;
+-#ifdef __x86_64__
+-    case 4:
+-        _regs.rip = _regs._eip;
+-        break;
+-#endif
+-    }
++    /* Zero the upper 32 bits of %rip if not in long mode. */
++    if ( def_ad_bytes < sizeof(_regs.eip) )
++        _regs.eip = (uint32_t)_regs.eip;
++
+     *ctxt->regs = _regs;
+ 
+  done:
+-- 
+2.1.4
+
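Review bot: The xenkernel46 copy of patch-XSA-186-2 lacks the leading `$NetBSD$` RCS tag that the sibling patches in this directory begin with, so pkglint will complain and the keyword will not expand; add `$NetBSD$` and a blank line before the `From e938be013...` line. A short pkgsrc comment noting that this is upstream XSA-186 patch 1/2 (the file name says 186-2, the embedded subject says `[PATCH 1/2]`) would also help. The emulator change replaces the def_ad_bytes switch with `_regs.eip = (uint32_t)_regs.eip;` for non-long-mode guests, consistent with the upstream description; x86_emulate() is far larger than the two hunks shown.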
Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-1
diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-1:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-1 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,44 @@
+$NetBSD: patch-XSA-187-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
+
+hvm_get_seg_reg() does not perform a range check on its input segment, calls
+hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
+
+x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
+in {vmx,svm}_get_segment_register().
+
+HVM guests running with shadow paging can end up performing a virtual to
+linear translation with x86_seg_none.  This is used for addresses which are
+already linear.  However, none of this is a legitimate pagetable update, so
+fail the emulation in such a case.
+
+This is XSA-187
+
+Reported-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Tim Deegan <tim%xen.org@localhost>
+
+--- xen/arch/x86/mm/shadow/common.c.orig
++++ xen/arch/x86/mm/shadow/common.c
+@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
+     struct sh_emulate_ctxt *sh_ctxt,
+     unsigned long *paddr)
+ {
+-    struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
++    struct segment_register *reg;
+     int okay;
+ 
++    /*
++     * Can arrive here with non-user segments.  However, no such cirucmstance
++     * is part of a legitimate pagetable update, so fail the emulation.
++     */
++    if ( !is_x86_user_segment(seg) )
++        return X86EMUL_UNHANDLEABLE;
++
++    reg = hvm_get_seg_reg(seg, sh_ctxt);
++
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+ 
Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-2
diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-2:1.1
--- /dev/null   Thu Sep  8 15:44:07 2016
+++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-187-2 Thu Sep  8 15:44:07 2016
@@ -0,0 +1,144 @@
+$NetBSD: patch-XSA-187-2,v 1.1 2016/09/08 15:44:07 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
+
+HVM HAP codepaths have space for all segment registers in the seg_reg[]
+cache (with x86_seg_none still risking an array overrun), while the shadow
+codepaths only have space for the user segments.
+
+Range check the input segment of *_get_seg_reg() against the size of the array
+used to cache the results, to avoid overruns in the case that the callers
+don't filter their input suitably.
+
+Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
+an incomplete attempt at range checking, and are now superceeded.  Make
+hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
+
+No functional change, but far easier to reason that no overflow is possible.
+
+Reported-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Acked-by: Tim Deegan <tim%xen.org@localhost>
+Acked-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- xen/arch/x86/hvm/emulate.c.orig
++++ xen/arch/x86/hvm/emulate.c
+@@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear(
+                            ? 1 : 4096);
+ 
+     reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
+     {
+@@ -1360,6 +1362,10 @@ static int hvmemul_read_segment(
+     struct hvm_emulate_ctxt *hvmemul_ctxt =
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
++
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(reg, sreg, sizeof(struct segment_register));
+     return X86EMUL_OKAY;
+ }
+@@ -1373,6 +1379,9 @@ static int hvmemul_write_segment(
+         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
+     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
+ 
++    if ( IS_ERR(sreg) )
++         return -PTR_ERR(sreg);
++
+     memcpy(sreg, reg, sizeof(struct segment_register));
+     __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
+ 
+@@ -1911,10 +1920,17 @@ void hvm_emulate_writeback(
+     }
+ }
+ 
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvmemul_get_seg_reg(
+     enum x86_segment seg,
+     struct hvm_emulate_ctxt *hvmemul_ctxt)
+ {
++    if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
+     if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
+         hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
+     return &hvmemul_ctxt->seg_reg[seg];
+--- xen/arch/x86/mm/shadow/common.c.orig
++++ xen/arch/x86/mm/shadow/common.c
+@@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init);
+ /* x86 emulator support for the shadow code
+  */
+ 
++/*
++ * Callers which pass a known in-range x86_segment can rely on the return
++ * pointer being valid.  Other callers must explicitly check for errors.
++ */
+ struct segment_register *hvm_get_seg_reg(
+     enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
+ {
+-    struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
++    struct segment_register *seg_reg;
++
++    if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
++        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
++
++    seg_reg = &sh_ctxt->seg_reg[seg];
+     if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
+         hvm_get_segment_register(current, seg, seg_reg);
+     return seg_reg;
+@@ -145,14 +154,9 @@ static int hvm_translate_linear_addr(
+     struct segment_register *reg;
+     int okay;
+ 
+-    /*
+-     * Can arrive here with non-user segments.  However, no such cirucmstance
+-     * is part of a legitimate pagetable update, so fail the emulation.
+-     */
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     reg = hvm_get_seg_reg(seg, sh_ctxt);
++    if ( IS_ERR(reg) )
++        return -PTR_ERR(reg);
+ 
+     okay = hvm_virtual_to_linear_addr(
+         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
+@@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg,
+     unsigned long addr;
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     /* How many emulations could we save if we unshadowed on stack writes? */
+     if ( seg == x86_seg_ss )
+         perfc_incr(shadow_fault_emulate_stack);
+@@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
+     unsigned long addr, old[2], new[2];
+     int rc;
+ 
+-    if ( !is_x86_user_segment(seg) )
+-        return X86EMUL_UNHANDLEABLE;
+-
+     rc = hvm_translate_linear_addr(
+         seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
+     if ( rc )
+--- xen/include/asm-x86/hvm/emulate.h.orig
++++ xen/include/asm-x86/hvm/emulate.h
+@@ -13,6 +13,7 @@
+ #define __ASM_X86_HVM_EMULATE_H__
+ 
+ #include <xen/config.h>
++#include <xen/err.h>
+ #include <asm/hvm/hvm.h>
+ #include <asm/x86_emulate.h>
+ 
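Review bot: The description in the xenkernel46 copy of patch-XSA-187-2 says hvm_get_seg_reg() becomes static, yet the hunk keeps `struct segment_register *hvm_get_seg_reg(` with external linkage; either the 4.6 tree still needs the extern declaration (then drop that sentence from the description) or the line should read `static struct segment_register *hvm_get_seg_reg(`. The new bounds check `seg < 0 || seg >= ARRAY_SIZE(...)` is correct in intent, but since `enum x86_segment` may have an unsigned underlying type the `< 0` half can trigger an always-false warning; `(unsigned int)seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg)` handles both cases in one compare. Callers hvmemul_virtual_to_linear(), hvm_emulate_write() and hvm_emulate_cmpxchg() are only partially visible, so whether every remaining caller of the getters checks `IS_ERR()` cannot be confirmed from this hunk.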


