pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/sysutils/xentools45



Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Sep 11 11:38:10 UTC 2016

Modified Files:
        pkgsrc/sysutils/xentools45: Makefile distinfo
Added Files:
        pkgsrc/sysutils/xentools45/patches: patch-XSA-184

Log Message:
add the patch for XSA-184


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 pkgsrc/sysutils/xentools45/Makefile
cvs rdiff -u -r1.25 -r1.26 pkgsrc/sysutils/xentools45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools45/patches/patch-XSA-184

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/sysutils/xentools45/Makefile
diff -u pkgsrc/sysutils/xentools45/Makefile:1.37 pkgsrc/sysutils/xentools45/Makefile:1.38
--- pkgsrc/sysutils/xentools45/Makefile:1.37    Sat Aug  6 12:41:36 2016
+++ pkgsrc/sysutils/xentools45/Makefile Sun Sep 11 11:38:10 2016
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.37 2016/08/06 12:41:36 spz Exp $
+# $NetBSD: Makefile,v 1.38 2016/09/11 11:38:10 spz Exp $
 
 VERSION=       4.5.3
-PKGREVISION=   3
+PKGREVISION=   4
 VERSION_IPXE=  9a93db3f0947484e30e753bbd61a10b17336e20e
 
 DISTNAME=              xen-${VERSION}

Index: pkgsrc/sysutils/xentools45/distinfo
diff -u pkgsrc/sysutils/xentools45/distinfo:1.25 pkgsrc/sysutils/xentools45/distinfo:1.26
--- pkgsrc/sysutils/xentools45/distinfo:1.25    Sat Aug  6 12:41:36 2016
+++ pkgsrc/sysutils/xentools45/distinfo Sun Sep 11 11:38:10 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/08/06 12:41:36 spz Exp $
+$NetBSD: distinfo,v 1.26 2016/09/11 11:38:10 spz Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -23,6 +23,7 @@ SHA1 (patch-Rules.mk) = e0dc4234c35dc2d7
 SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2
 SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca
 SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3
+SHA1 (patch-XSA-184) = 08103cae34512c1a3b9eb3e5cfdf8a15a302e419
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f

Added files:

Index: pkgsrc/sysutils/xentools45/patches/patch-XSA-184
diff -u /dev/null pkgsrc/sysutils/xentools45/patches/patch-XSA-184:1.1
--- /dev/null   Sun Sep 11 11:38:10 2016
+++ pkgsrc/sysutils/xentools45/patches/patch-XSA-184    Sun Sep 11 11:38:10 2016
@@ -0,0 +1,83 @@
+patches for XSA-184 from upstream:
+
+From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit%redhat.com@localhost>
+Date: Tue, 26 Jul 2016 15:31:59 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible.  Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong%gmail.com@localhost>
+Signed-off-by: Stefan Hajnoczi <stefanha%redhat.com@localhost>
+---
+ hw/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio.c b/hw/virtio.c
+index c26feff..42897bf 100644
+--- qemu-xen-traditional/hw/virtio.c.orig      2016-01-04 15:36:03.000000000 +0000
++++ qemu-xen-traditional/hw/virtio.c   2016-09-11 11:01:37.000000000 +0000
+@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+     /* When we start there are none of either input nor output. */
+     elem->out_num = elem->in_num = 0;
+ 
++    if (vq->inuse >= vq->vring.num) {
++        fprintf(stderr, "Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     do {
+         struct iovec *sg;
+
+From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit%redhat.com@localhost>
+Date: Mon, 25 Jul 2016 17:37:18 +0530
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible.  Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong%gmail.com@localhost>
+Signed-off-by: Stefan Hajnoczi <stefanha%redhat.com@localhost>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index d24f775..f8ac0fb 100644
+--- qemu-xen/hw/virtio/virtio.c.orig   2016-02-18 17:30:28.000000000 +0000
++++ qemu-xen/hw/virtio/virtio.c        2016-09-11 11:01:48.000000000 +0000
+@@ -459,6 +459,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+     max = vq->vring.num;
+ 
++    if (vq->inuse >= max) {
++        error_report("Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
+         vring_avail_event(vq, vring_avail_idx(vq));



Home | Main Index | Thread Index | Old Index