pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/sysutils Update xen*46 to 4.6.6, including fixes up to...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/40107a3215b9
branches:  trunk
changeset: 370450:40107a3215b9
user:      bouyer <bouyer%pkgsrc.org@localhost>
date:      Tue Oct 17 10:57:34 2017 +0000

description:
Update xen*46 to 4.6.6, including fixes up to XSA244.
changes since Xen 4.6.5: mostly bug fixes, including security fixes
for XSA206, XSA211 to XSA244.
PKGREVISION set to 1 to account for the fact that it's not a stock Xen 4.6.6.

Note that, unlike upstream, pv-linear-pt defaults to true, so that
NetBSD PV guests (including dom0) will continue to boot without changes
to boot.cfg

diffstat:

 sysutils/xenkernel46/MESSAGE                |    6 +-
 sysutils/xenkernel46/Makefile               |    4 +-
 sysutils/xenkernel46/distinfo               |   26 +-
 sysutils/xenkernel46/patches/patch-XSA-212  |   89 ----
 sysutils/xenkernel46/patches/patch-XSA226   |  431 ++++++++++++++++++++
 sysutils/xenkernel46/patches/patch-XSA227   |   68 +++
 sysutils/xenkernel46/patches/patch-XSA228   |  200 +++++++++
 sysutils/xenkernel46/patches/patch-XSA230   |   40 +
 sysutils/xenkernel46/patches/patch-XSA231   |  110 +++++
 sysutils/xenkernel46/patches/patch-XSA232   |   25 +
 sysutils/xenkernel46/patches/patch-XSA234   |  187 +++++++++
 sysutils/xenkernel46/patches/patch-XSA237   |  311 +++++++++++++++
 sysutils/xenkernel46/patches/patch-XSA238   |   45 ++
 sysutils/xenkernel46/patches/patch-XSA239   |   48 ++
 sysutils/xenkernel46/patches/patch-XSA240   |  578 ++++++++++++++++++++++++++++
 sysutils/xenkernel46/patches/patch-XSA241   |  122 +++++
 sysutils/xenkernel46/patches/patch-XSA242   |   45 ++
 sysutils/xenkernel46/patches/patch-XSA243   |  132 ++++++
 sysutils/xenkernel46/patches/patch-XSA244   |   53 ++
 sysutils/xentools46/Makefile                |    4 +-
 sysutils/xentools46/distinfo                |   15 +-
 sysutils/xentools46/patches/patch-XSA-211-1 |  262 ------------
 sysutils/xentools46/patches/patch-XSA-211-2 |  227 ----------
 sysutils/xentools46/patches/patch-XSA228    |   65 +++
 sysutils/xentools46/patches/patch-XSA233    |   54 ++
 sysutils/xentools46/patches/patch-XSA240    |   56 ++
 sysutils/xentools46/version.mk              |    4 +-
 27 files changed, 2609 insertions(+), 598 deletions(-)

diffs (truncated from 3358 to 300 lines):

diff -r 6562ff775c18 -r 40107a3215b9 sysutils/xenkernel46/MESSAGE
--- a/sysutils/xenkernel46/MESSAGE      Tue Oct 17 10:50:38 2017 +0000
+++ b/sysutils/xenkernel46/MESSAGE      Tue Oct 17 10:57:34 2017 +0000
@@ -1,7 +1,11 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2016/07/04 07:25:13 jnemeth Exp $
+$NetBSD: MESSAGE,v 1.2 2017/10/17 10:57:34 bouyer Exp $
 
 The Xen hypervisor is installed under the following locations:
        ${XENKERNELDIR}/xen.gz          (standard hypervisor)
        ${XENKERNELDIR}/xen-debug.gz    (debug hypervisor)
+
+Note that unlike upstream Xen, pv-linear-pt defaults to true.
+You can disable it using pv-linear-pt=false on the Xen command line,
+but then you can't boot NetBSD in PV mode.
 ===========================================================================
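Review bot: The added MESSAGE paragraph tells the administrator how to turn pv-linear-pt off but gives no reason to do so, so the security trade-off behind this non-upstream default is not visible at install time. The commit description states that upstream defaults the option the other way, and the diffstat adds patch-XSA240, so the option presumably comes from that advisory's hardening; this should be confirmed against the patch, which is not visible in this truncated listing. Hosts whose dom0 and guests do not include a NetBSD PV domain would likely want the upstream setting. Suggest adding a line such as `Upstream disables pv-linear-pt by default as hardening (see XSA-240); set pv-linear-pt=false if no NetBSD PV domain, dom0 included, runs on this host.`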
diff -r 6562ff775c18 -r 40107a3215b9 sysutils/xenkernel46/Makefile
--- a/sysutils/xenkernel46/Makefile     Tue Oct 17 10:50:38 2017 +0000
+++ b/sysutils/xenkernel46/Makefile     Tue Oct 17 10:57:34 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.13 2017/07/24 08:53:45 maya Exp $
+# $NetBSD: Makefile,v 1.14 2017/10/17 10:57:34 bouyer Exp $
 
-VERSION=       4.6.5
+VERSION=       4.6.6
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel46-${VERSION}
 PKGREVISION=   1
diff -r 6562ff775c18 -r 40107a3215b9 sysutils/xenkernel46/distinfo
--- a/sysutils/xenkernel46/distinfo     Tue Oct 17 10:50:38 2017 +0000
+++ b/sysutils/xenkernel46/distinfo     Tue Oct 17 10:57:34 2017 +0000
@@ -1,11 +1,25 @@
-$NetBSD: distinfo,v 1.9 2017/05/07 21:21:01 joerg Exp $
+$NetBSD: distinfo,v 1.10 2017/10/17 10:57:34 bouyer Exp $
 
-SHA1 (xen-4.6.5.tar.gz) = af371af662211ee1480167b6c9e35142156f3a8d
-RMD160 (xen-4.6.5.tar.gz) = 3f2468d7d3715d14842ac57b2180118ef48e93fa
-SHA512 (xen-4.6.5.tar.gz) = d3e1b16fa9d695a5fc28ca4375b8de3dfcab480437d4d0151972d9f286528c9f667841e7a6888c918c580371d6984658a8d3b92235553c8c9c052d93154547b5
-Size (xen-4.6.5.tar.gz) = 19712756 bytes
+SHA1 (xen-4.6.6.tar.gz) = 82f39ef4bf754ffd679ab5d15709bc34a98fccb7
+RMD160 (xen-4.6.6.tar.gz) = 6412f75183647172d72597e8779235b60e1c00f3
+SHA512 (xen-4.6.6.tar.gz) = 4683fe6c44dce3a6f9ff410d026f39094ccd6937ea0052f08ef5e066172ee840548322654cc15d7ded9f5bce10d43b5e46f6a04f16ef3c03ea3ba2cc2f7724ec
+Size (xen-4.6.6.tar.gz) = 19725113 bytes
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
-SHA1 (patch-XSA-212) = 4637d51bcbb3b11fb0e22940f824ebacdaa15b4f
+SHA1 (patch-XSA226) = eda5aadeebfe09ffebf336a7c0424c0212ba370d
+SHA1 (patch-XSA227) = 8a5e7f65515a83a7d749eb3d01faea1171e2f900
+SHA1 (patch-XSA228) = 0e0cf239660cd4a6f7cabc9ebe63d4c6e1646123
+SHA1 (patch-XSA230) = 339c400d8f0edf773664a493532aacf0c2e71da0
+SHA1 (patch-XSA231) = 780118ad97f011b5eddb05dd5d4c20be427ee670
+SHA1 (patch-XSA232) = 86d633941ac3165ca4034db660a48d60384ea252
+SHA1 (patch-XSA234) = 0b5973597e3a15fb9ce93d6a735f32794983cfc7
+SHA1 (patch-XSA237) = 2a5cd048a04b8cadc67905b9001689b1221edd3e
+SHA1 (patch-XSA238) = e2059991d12f31740650136ec59c62da20c79633
+SHA1 (patch-XSA239) = 10619718e8a1536a7f52eb3838cdb490e6ba8c97
+SHA1 (patch-XSA240) = af3d204e9873fe79b23c714d60dfa91fcbe46ec5
+SHA1 (patch-XSA241) = b506425ca7382190435df6f96800cb0a24aff23e
+SHA1 (patch-XSA242) = afff314771d78ee2482aec3b7693c12bfe00e0ec
+SHA1 (patch-XSA243) = ffe83e9e443a2582047f1d17673d39d6746f4b75
+SHA1 (patch-XSA244) = 95077513502c26f8d6dae7964a0e422556be322a
 SHA1 (patch-tools_xentrace_xenalyze.c) = ab973cb7090dc90867dcddf9ab8965f8f2f36c46
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_arm_xen.lds.S) = df0e4a13b9b3ae863448172bea28b1b92296327b
diff -r 6562ff775c18 -r 40107a3215b9 sysutils/xenkernel46/patches/patch-XSA-212
--- a/sysutils/xenkernel46/patches/patch-XSA-212        Tue Oct 17 10:50:38 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,89 +0,0 @@
-$NetBSD: patch-XSA-212,v 1.1 2017/04/08 12:17:58 spz Exp $
-
-memory: properly check guest memory ranges in XENMEM_exchange handling
-
-The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
-is insufficient here, guest_handle_subrange_okay() needs to be used
-instead.
-
-Note that the uses are okay in
-- XENMEM_add_to_physmap_batch handling due to the size field being only
-  16 bits wide,
-- livepatch_list() due to the limit of 1024 enforced on the
-  number-of-entries input (leaving aside the fact that this can be
-  called by a privileged domain only anyway),
-- compat mode handling due to counts there being limited to 32 bits,
-- everywhere else due to guest arrays being accessed sequentially from
-  index zero.
-
-This is XSA-212.
-
-Reported-by: Jann Horn <jannh%google.com@localhost>
-Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
-Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
-
---- xen/common/memory.c
-+++ xen/common/memory.c
-@@ -436,8 +436,8 @@ static long memory_exchange(XEN_GUEST_HA
-         goto fail_early;
-     }
- 
--    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
--         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
-+    if ( !guest_handle_subrange_okay(exch.in.extent_start, exch.nr_exchanged,
-+                                     exch.in.nr_extents - 1) )
-     {
-         rc = -EFAULT;
-         goto fail_early;
-@@ -447,11 +447,27 @@ static long memory_exchange(XEN_GUEST_HA
-     {
-         in_chunk_order  = exch.out.extent_order - exch.in.extent_order;
-         out_chunk_order = 0;
-+
-+        if ( !guest_handle_subrange_okay(exch.out.extent_start,
-+                                         exch.nr_exchanged >> in_chunk_order,
-+                                         exch.out.nr_extents - 1) )
-+        {
-+            rc = -EFAULT;
-+            goto fail_early;
-+        }
-     }
-     else
-     {
-         in_chunk_order  = 0;
-         out_chunk_order = exch.in.extent_order - exch.out.extent_order;
-+
-+        if ( !guest_handle_subrange_okay(exch.out.extent_start,
-+                                         exch.nr_exchanged << out_chunk_order,
-+                                         exch.out.nr_extents - 1) )
-+        {
-+            rc = -EFAULT;
-+            goto fail_early;
-+        }
-     }
- 
-     d = rcu_lock_domain_by_any_id(exch.in.domid);
---- xen/include/asm-x86/x86_64/uaccess.h
-+++ xen/include/asm-x86/x86_64/uaccess.h
-@@ -29,8 +29,9 @@ extern void *xlat_malloc(unsigned long *
- /*
-  * Valid if in +ve half of 48-bit address space, or above Xen-reserved area.
-  * This is also valid for range checks (addr, addr+size). As long as the
-- * start address is outside the Xen-reserved area then we will access a
-- * non-canonical address (and thus fault) before ever reaching VIRT_START.
-+ * start address is outside the Xen-reserved area, sequential accesses
-+ * (starting at addr) will hit a non-canonical address (and thus fault)
-+ * before ever reaching VIRT_START.
-  */
- #define __addr_ok(addr) \
-     (((unsigned long)(addr) < (1UL<<47)) || \
-@@ -40,7 +41,8 @@ extern void *xlat_malloc(unsigned long *
-     (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size))
- 
- #define array_access_ok(addr, count, size) \
--    (access_ok(addr, (count)*(size)))
-+    (likely(((count) ?: 0UL) < (~0UL / (size))) && \
-+     access_ok(addr, (count) * (size)))
- 
- #define __compat_addr_ok(d, addr) \
-     ((unsigned long)(addr) < HYPERVISOR_COMPAT_VIRT_START(d))
diff -r 6562ff775c18 -r 40107a3215b9 sysutils/xenkernel46/patches/patch-XSA226
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel46/patches/patch-XSA226 Tue Oct 17 10:57:34 2017 +0000
@@ -0,0 +1,431 @@
+$NetBSD: patch-XSA226,v 1.1 2017/10/17 10:57:34 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: gnttab: don't use possibly unbounded tail calls
+
+There is no guarantee that the compiler would actually translate them
+to branches instead of calls, so only ones with a known recursion limit
+are okay:
+- __release_grant_for_copy() can call itself only once, as
+  __acquire_grant_for_copy() won't permit use of multi-level transitive
+  grants,
+- __acquire_grant_for_copy() is fine to call itself with the last
+  argument false, as that prevents further recursion,
+- __acquire_grant_for_copy() must not call itself to recover from an
+  observed change to the active entry's pin count
+
+This is part of CVE-2017-12135 / XSA-226.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- xen/common/compat/grant_table.c.orig
++++ xen/common/compat/grant_table.c
+@@ -258,9 +258,9 @@ int compat_grant_table_op(unsigned int cmd,
+                 rc = gnttab_copy(guest_handle_cast(nat.uop, gnttab_copy_t), n);
+             if ( rc > 0 )
+             {
+-                ASSERT(rc < n);
+-                i -= n - rc;
+-                n = rc;
++                ASSERT(rc <= n);
++                i -= rc;
++                n -= rc;
+             }
+             if ( rc >= 0 )
+             {
+--- xen/common/grant_table.c.orig
++++ xen/common/grant_table.c
+@@ -2089,8 +2089,10 @@ __release_grant_for_copy(
+ 
+     if ( td != rd )
+     {
+-        /* Recursive calls, but they're tail calls, so it's
+-           okay. */
++        /*
++         * Recursive calls, but they're bounded (acquire permits only a single
++         * level of transitivity), so it's okay.
++         */
+         if ( released_write )
+             __release_grant_for_copy(td, trans_gref, 0);
+         else if ( released_read )
+@@ -2241,10 +2243,11 @@ __acquire_grant_for_copy(
+                 return rc;
+             }
+ 
+-            /* We dropped the lock, so we have to check that nobody
+-               else tried to pin (or, for that matter, unpin) the
+-               reference in *this* domain.  If they did, just give up
+-               and try again. */
++            /*
++             * We dropped the lock, so we have to check that nobody else tried
++             * to pin (or, for that matter, unpin) the reference in *this*
++             * domain.  If they did, just give up and tell the caller to retry.
++             */
+             if ( act->pin != old_pin )
+             {
+                 __fixup_status_for_copy_pin(act, status);
+@@ -2252,9 +2255,8 @@ __acquire_grant_for_copy(
+                 active_entry_release(act);
+                 read_unlock(&rgt->lock);
+                 put_page(*page);
+-                return __acquire_grant_for_copy(rd, gref, ldom, readonly,
+-                                                frame, page, page_off, length,
+-                                                allow_transitive);
++                *page = NULL;
++                return ERESTART;
+             }
+ 
+             /* The actual remote remote grant may or may not be a
+@@ -2560,7 +2562,7 @@ static int gnttab_copy_one(const struct
+     {
+         gnttab_copy_release_buf(src);
+         rc = gnttab_copy_claim_buf(op, &op->source, src, GNTCOPY_source_gref);
+-        if ( rc < 0 )
++        if ( rc )
+             goto out;
+     }
+ 
+@@ -2570,7 +2572,7 @@ static int gnttab_copy_one(const struct
+     {
+         gnttab_copy_release_buf(dest);
+         rc = gnttab_copy_claim_buf(op, &op->dest, dest, GNTCOPY_dest_gref);
+-        if ( rc < 0 )
++        if ( rc )
+             goto out;
+     }
+ 
+@@ -2579,6 +2581,14 @@ static int gnttab_copy_one(const struct
+     return rc;
+ }
+ 
++/*
++ * gnttab_copy(), other than the various other helpers of
++ * do_grant_table_op(), returns (besides possible error indicators)
++ * "count - i" rather than "i" to ensure that even if no progress
++ * was made at all (perhaps due to gnttab_copy_one() returning a
++ * positive value) a non-zero value is being handed back (zero needs
++ * to be avoided, as that means "success, all done").
++ */
+ static long gnttab_copy(
+     XEN_GUEST_HANDLE_PARAM(gnttab_copy_t) uop, unsigned int count)
+ {
+@@ -2592,7 +2602,7 @@ static long gnttab_copy(
+     {
+         if ( i && hypercall_preempt_check() )
+         {
+-            rc = i;
++            rc = count - i;
+             break;
+         }
+ 
+@@ -2602,13 +2612,20 @@ static long gnttab_copy(
+             break;
+         }
+ 
+-        op.status = gnttab_copy_one(&op, &dest, &src);
+-        if ( op.status != GNTST_okay )
++        rc = gnttab_copy_one(&op, &dest, &src);
++        if ( rc > 0 )
++        {
++            rc = count - i;
++            break;
++        }
++        if ( rc != GNTST_okay )
+         {
+             gnttab_copy_release_buf(&src);
+             gnttab_copy_release_buf(&dest);
+         }
+ 
++        op.status = rc;
++        rc = 0;


