pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/sysutils/xentools45 add the patch for XSA-184
details: https://anonhg.NetBSD.org/pkgsrc/rev/a3d731bbd196
branches: trunk
changeset: 352237:a3d731bbd196
user: spz <spz%pkgsrc.org@localhost>
date: Sun Sep 11 11:38:10 2016 +0000
description:
add the patch for XSA-184
diffstat:
sysutils/xentools45/Makefile | 4 +-
sysutils/xentools45/distinfo | 3 +-
sysutils/xentools45/patches/patch-XSA-184 | 83 +++++++++++++++++++++++++++++++
3 files changed, 87 insertions(+), 3 deletions(-)
diffs (117 lines):
diff -r c0c64f7b3dff -r a3d731bbd196 sysutils/xentools45/Makefile
--- a/sysutils/xentools45/Makefile Sun Sep 11 09:52:41 2016 +0000
+++ b/sysutils/xentools45/Makefile Sun Sep 11 11:38:10 2016 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.37 2016/08/06 12:41:36 spz Exp $
+# $NetBSD: Makefile,v 1.38 2016/09/11 11:38:10 spz Exp $
VERSION= 4.5.3
-PKGREVISION= 3
+PKGREVISION= 4
VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
DISTNAME= xen-${VERSION}
diff -r c0c64f7b3dff -r a3d731bbd196 sysutils/xentools45/distinfo
--- a/sysutils/xentools45/distinfo Sun Sep 11 09:52:41 2016 +0000
+++ b/sysutils/xentools45/distinfo Sun Sep 11 11:38:10 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/08/06 12:41:36 spz Exp $
+$NetBSD: distinfo,v 1.26 2016/09/11 11:38:10 spz Exp $
SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -23,6 +23,7 @@
SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2
SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca
SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3
+SHA1 (patch-XSA-184) = 08103cae34512c1a3b9eb3e5cfdf8a15a302e419
SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff -r c0c64f7b3dff -r a3d731bbd196 sysutils/xentools45/patches/patch-XSA-184
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xentools45/patches/patch-XSA-184 Sun Sep 11 11:38:10 2016 +0000
@@ -0,0 +1,83 @@
+patches for XSA-184 from upstream:
+
+From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit%redhat.com@localhost>
+Date: Tue, 26 Jul 2016 15:31:59 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible. Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong%gmail.com@localhost>
+Signed-off-by: Stefan Hajnoczi <stefanha%redhat.com@localhost>
+---
+ hw/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio.c b/hw/virtio.c
+index c26feff..42897bf 100644
+--- qemu-xen-traditional/hw/virtio.c.orig 2016-01-04 15:36:03.000000000 +0000
++++ qemu-xen-traditional/hw/virtio.c 2016-09-11 11:01:37.000000000 +0000
+@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ /* When we start there are none of either input nor output. */
+ elem->out_num = elem->in_num = 0;
+
++ if (vq->inuse >= vq->vring.num) {
++ fprintf(stderr, "Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ do {
+ struct iovec *sg;
+
+From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
+From: P J P <ppandit%redhat.com@localhost>
+Date: Mon, 25 Jul 2016 17:37:18 +0530
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is incorrect but
+possible. Processing a request allocates a VirtQueueElement and
+therefore causes unbounded memory allocation controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+Reported-by: Zhenhao Hong <zhenhaohong%gmail.com@localhost>
+Signed-off-by: Stefan Hajnoczi <stefanha%redhat.com@localhost>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index d24f775..f8ac0fb 100644
+--- qemu-xen/hw/virtio/virtio.c.orig 2016-02-18 17:30:28.000000000 +0000
++++ qemu-xen/hw/virtio/virtio.c 2016-09-11 11:01:48.000000000 +0000
+@@ -459,6 +459,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+
+ max = vq->vring.num;
+
++ if (vq->inuse >= max) {
++ error_report("Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
+ vring_avail_event(vq, vring_avail_idx(vq));
Home |
Main Index |
Thread Index |
Old Index