[pkgsrc/trunk]: pkgsrc/sysutils/xentools45 add the patch for XSA-184

[spz <spz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/a3d731bbd196
branches:  trunk
changeset: 352237:a3d731bbd196
user:      spz <spz%pkgsrc.org@localhost>
date:      Sun Sep 11 11:38:10 2016 +0000

description:
add the patch for XSA-184

diffstat:

 sysutils/xentools45/Makefile              |   4 +-
 sysutils/xentools45/distinfo              |   3 +-
 sysutils/xentools45/patches/patch-XSA-184 |  83 +++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+), 3 deletions(-)

diffs (117 lines):

diff -r c0c64f7b3dff -r a3d731bbd196 sysutils/xentools45/Makefile
--- a/sysutils/xentools45/Makefile      Sun Sep 11 09:52:41 2016 +0000
+++ b/sysutils/xentools45/Makefile      Sun Sep 11 11:38:10 2016 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.37 2016/08/06 12:41:36 spz Exp $
+# $NetBSD: Makefile,v 1.38 2016/09/11 11:38:10 spz Exp $
 
 VERSION=       4.5.3
-PKGREVISION=   3
+PKGREVISION=   4
 VERSION_IPXE=  9a93db3f0947484e30e753bbd61a10b17336e20e
 
 DISTNAME=              xen-${VERSION}
diff -r c0c64f7b3dff -r a3d731bbd196 sysutils/xentools45/distinfo
--- a/sysutils/xentools45/distinfo      Sun Sep 11 09:52:41 2016 +0000
+++ b/sysutils/xentools45/distinfo      Sun Sep 11 11:38:10 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/08/06 12:41:36 spz Exp $
+$NetBSD: distinfo,v 1.26 2016/09/11 11:38:10 spz Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -23,6 +23,7 @@
 SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2
 SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca
 SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3
+SHA1 (patch-XSA-184) = 08103cae34512c1a3b9eb3e5cfdf8a15a302e419
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff -r c0c64f7b3dff -r a3d731bbd196 sysutils/xentools45/patches/patch-XSA-184
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xentools45/patches/patch-XSA-184 Sun Sep 11 11:38:10 2016 +0000
@@ -0,0 +1,83 @@
+patches for XSA-184 from upstream:
+
+From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit%redhat.com@localhost>
+Date: Tue, 26 Jul 2016 15:31:59 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible.  Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong%gmail.com@localhost>
+Signed-off-by: Stefan Hajnoczi <stefanha%redhat.com@localhost>
+---
+ hw/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio.c b/hw/virtio.c
+index c26feff..42897bf 100644
+--- qemu-xen-traditional/hw/virtio.c.orig      2016-01-04 15:36:03.000000000 +0000
++++ qemu-xen-traditional/hw/virtio.c   2016-09-11 11:01:37.000000000 +0000
+@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+     /* When we start there are none of either input nor output. */
+     elem->out_num = elem->in_num = 0;
+ 
++    if (vq->inuse >= vq->vring.num) {
++        fprintf(stderr, "Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     do {
+         struct iovec *sg;
+
+From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit%redhat.com@localhost>
+Date: Mon, 25 Jul 2016 17:37:18 +0530
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible.  Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong%gmail.com@localhost>
+Signed-off-by: Stefan Hajnoczi <stefanha%redhat.com@localhost>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index d24f775..f8ac0fb 100644
+--- qemu-xen/hw/virtio/virtio.c.orig   2016-02-18 17:30:28.000000000 +0000
++++ qemu-xen/hw/virtio/virtio.c        2016-09-11 11:01:48.000000000 +0000
+@@ -459,6 +459,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+     max = vq->vring.num;
+ 
++    if (vq->inuse >= max) {
++        error_report("Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
+         vring_avail_event(vq, vring_avail_idx(vq));