pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/sysutils Backport upstream patches, fixing today's XSA...

details:   https://anonhg.NetBSD.org/pkgsrc/rev/45194d59a012
branches:  trunk
changeset: 355138:45194d59a012
user:      bouyer <bouyer%pkgsrc.org@localhost>
date:      Tue Nov 22 20:59:01 2016 +0000

description:
Backport upstream patches, fixing today's XSA 191, 192, 193, 195, 197, 198.
Bump PKGREVISIONs

diffstat:

 sysutils/xenkernel46/Makefile                |    4 +-
 sysutils/xenkernel46/distinfo                |    8 +-
 sysutils/xenkernel46/patches/patch-XSA-191   |  140 +++++++++++++++++++++++++++
 sysutils/xenkernel46/patches/patch-XSA-192   |   66 ++++++++++++
 sysutils/xenkernel46/patches/patch-XSA-193   |   70 +++++++++++++
 sysutils/xenkernel46/patches/patch-XSA-195   |   47 +++++++++
 sysutils/xenkernel46/patches/patch-XSA-196-1 |   63 ++++++++++++
 sysutils/xenkernel46/patches/patch-XSA-196-2 |   78 +++++++++++++++
 sysutils/xentools46/Makefile                 |    4 +-
 sysutils/xentools46/distinfo                 |    5 +-
 sysutils/xentools46/patches/patch-XSA-197-1  |   67 ++++++++++++
 sysutils/xentools46/patches/patch-XSA-197-2  |   65 ++++++++++++
 sysutils/xentools46/patches/patch-XSA-198    |   64 ++++++++++++
 13 files changed, 675 insertions(+), 6 deletions(-)

diffs (truncated from 769 to 300 lines):

diff -r 4062f1e6e457 -r 45194d59a012 sysutils/xenkernel46/Makefile
--- a/sysutils/xenkernel46/Makefile     Tue Nov 22 20:57:10 2016 +0000
+++ b/sysutils/xenkernel46/Makefile     Tue Nov 22 20:59:01 2016 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.3 2016/09/08 15:44:07 bouyer Exp $
+# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $
 
 VERSION=       4.6.3
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel46-${VERSION}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff -r 4062f1e6e457 -r 45194d59a012 sysutils/xenkernel46/distinfo
--- a/sysutils/xenkernel46/distinfo     Tue Nov 22 20:57:10 2016 +0000
+++ b/sysutils/xenkernel46/distinfo     Tue Nov 22 20:59:01 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2016/09/08 15:44:07 bouyer Exp $
+$NetBSD: distinfo,v 1.3 2016/11/22 20:59:01 bouyer Exp $
 
 SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349
 RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
@@ -10,6 +10,12 @@
 SHA1 (patch-XSA-186-2) = 6094c2efe468e3f31712659be9a71af2cbe8dc1f
 SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56
 SHA1 (patch-XSA-187-2) = f5308fee03a5d73c8aa283eb82cc36a6a3d3bc06
+SHA1 (patch-XSA-191) = adf1b0d6d8a17b6585fd0ecbe0ca77517623e0af
+SHA1 (patch-XSA-192) = b8b289f4af6b2cebeea16246398d2c473a9e90c1
+SHA1 (patch-XSA-193) = 89fdeea8af25de42bbd207df1b2f3dcd3b61778f
+SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
+SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
+SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
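Review bot: the distinfo hunk adds checksums for patch-XSA-196-1 and patch-XSA-196-2, but the commit message lists only XSA 191, 192, 193, 195, 197 and 198 and never mentions XSA-196, while 197 and 198 go to xentools46 according to the diffstat; suggest amending the message so each fix is attributed to the package it lands in. Note also that these entries record only a SHA1 for each patch file, which catches accidental corruption of the patch but is not a collision-resistant binding to the upstream advisory text, so the patch contents themselves are what to verify against the published XSA patches.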
diff -r 4062f1e6e457 -r 45194d59a012 sysutils/xenkernel46/patches/patch-XSA-191
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel46/patches/patch-XSA-191        Tue Nov 22 20:59:01 2016 +0000
@@ -0,0 +1,140 @@
+$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:59:01 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: x86/hvm: Fix the handling of non-present segments
+
+In 32bit, the data segments may be NULL to indicate that the segment is
+ineligible for use.  In both 32bit and 64bit, the LDT selector may be NULL to
+indicate that the entire LDT is ineligible for use.  However, nothing in Xen
+actually checks for this condition when performing other segmentation
+checks.  (Note however that limit and writeability checks are correctly
+performed).
+
+Neither Intel nor AMD specify the exact behaviour of loading a NULL segment.
+Experimentally, AMD zeroes all attributes but leaves the base and limit
+unmodified.  Intel zeroes the base, sets the limit to 0xfffffff and resets the
+attributes to just .G and .D/B.
+
+The use of the segment information in the VMCB/VMCS is equivalent to a native
+pipeline interacting with the segment cache.  The present bit can therefore
+have a subtly different meaning, and it is now cooked to uniformly indicate
+whether the segment is usable or not.
+
+GDTR and IDTR don't have access rights like the other segments, but for
+consistency, they are treated as being present so no special casing is needed
+elsewhere in the segmentation logic.
+
+AMD hardware does not consider the present bit for %cs and %tr, and will
+function as if they were present.  They are therefore unconditionally set to
+present when reading information from the VMCB, to maintain the new meaning of
+usability.
+
+Intel hardware has a separate unusable bit in the VMCS segment attributes.
+This bit is inverted and stored in the present field, so the hvm code can work
+with architecturally-common state.
+
+This is XSA-191.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- xen/arch/x86/hvm/hvm.c.orig
++++ xen/arch/x86/hvm/hvm.c
+@@ -3666,6 +3666,10 @@ int hvm_virtual_to_linear_addr(
+          * COMPATIBILITY MODE: Apply segment checks and add base.
+          */
+ 
++        /* Segment not valid for use (cooked meaning of .p)? */
++        if ( !reg->attr.fields.p )
++            return 0;
++
+         switch ( access_type )
+         {
+         case hvm_access_read:
+@@ -3871,6 +3875,10 @@ static int hvm_load_segment_selector(
+     hvm_get_segment_register(
+         v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab);
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto fail;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto fail;
+--- xen/arch/x86/hvm/svm/svm.c.orig
++++ xen/arch/x86/hvm/svm/svm.c
+@@ -620,6 +620,7 @@ static void svm_get_segment_register(str
+     {
+     case x86_seg_cs:
+         memcpy(reg, &vmcb->cs, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.g = reg->limit > 0xFFFFF;
+         break;
+     case x86_seg_ds:
+@@ -653,13 +654,16 @@ static void svm_get_segment_register(str
+     case x86_seg_tr:
+         svm_sync_vmcb(v);
+         memcpy(reg, &vmcb->tr, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.type |= 0x2;
+         break;
+     case x86_seg_gdtr:
+         memcpy(reg, &vmcb->gdtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_idtr:
+         memcpy(reg, &vmcb->idtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_ldtr:
+         svm_sync_vmcb(v);
+--- xen/arch/x86/hvm/vmx/vmx.c.orig
++++ xen/arch/x86/hvm/vmx/vmx.c
+@@ -867,10 +867,12 @@ void vmx_get_segment_register(struct vcp
+     reg->sel = sel;
+     reg->limit = limit;
+ 
+-    reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00);
+-    /* Unusable flag is folded into Present flag. */
+-    if ( attr & (1u<<16) )
+-        reg->attr.fields.p = 0;
++    /*
++     * Fold VT-x representation into Xen's representation.  The Present bit is
++     * unconditionally set to the inverse of unusable.
++     */
++    reg->attr.bytes =
++        (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00);
+ 
+     /* Adjust for virtual 8086 mode */
+     if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr 
+@@ -950,11 +952,11 @@ static void vmx_set_segment_register(str
+         }
+     }
+ 
+-    attr = ((attr & 0xf00) << 4) | (attr & 0xff);
+-
+-    /* Not-present must mean unusable. */
+-    if ( !reg->attr.fields.p )
+-        attr |= (1u << 16);
++    /*
++     * Unfold Xen representation into VT-x representation.  The unusable bit
++     * is unconditionally set to the inverse of present.
++     */
++    attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff);
+ 
+     /* VMX has strict consistency requirement for flag G. */
+     attr |= !!(limit >> 20) << 15;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1209,6 +1209,10 @@ protmode_load_seg(
+                                  &desctab, ctxt)) )
+         return rc;
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto raise_exn;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto raise_exn;
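Review bot: the svm.c hunks for x86_seg_gdtr and x86_seg_idtr overwrite the attributes just copied from the VMCB with the bare constant `reg->attr.bytes = 0x80;` and carry no in-code explanation; the reasoning (GDTR and IDTR have no access rights, so they are cooked as present to spare the segmentation code a special case) lives only in the commit message. Suggest a one-line comment at each assignment in the style of the `/* Segment not valid for use (cooked meaning of .p)? */` comments the hvm.c and x86_emulate.c hunks add, or a named constant for the present bit in place of 0x80. Nit in the message text: "sets the limit to 0xfffffff" has seven hex digits where a 32-bit all-ones limit would have eight.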
diff -r 4062f1e6e457 -r 45194d59a012 sysutils/xenkernel46/patches/patch-XSA-192
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel46/patches/patch-XSA-192        Tue Nov 22 20:59:01 2016 +0000
@@ -0,0 +1,66 @@
+$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:59:01 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch
+
+Just like TR, LDTR is purely a protected mode facility and hence needs
+to be loaded accordingly. Also move its loading to where it
+architecurally belongs.
+
+This is XSA-192.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Tested-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+--- xen/arch/x86/hvm/hvm.c.orig
++++ xen/arch/x86/hvm/hvm.c
+@@ -2728,17 +2728,16 @@ static void hvm_unmap_entry(void *p)
+ }
+ 
+ static int hvm_load_segment_selector(
+-    enum x86_segment seg, uint16_t sel)
++    enum x86_segment seg, uint16_t sel, unsigned int eflags)
+ {
+     struct segment_register desctab, cs, segr;
+     struct desc_struct *pdesc, desc;
+     u8 dpl, rpl, cpl;
+     bool_t writable;
+     int fault_type = TRAP_invalid_tss;
+-    struct cpu_user_regs *regs = guest_cpu_user_regs();
+     struct vcpu *v = current;
+ 
+-    if ( regs->eflags & X86_EFLAGS_VM )
++    if ( eflags & X86_EFLAGS_VM )
+     {
+         segr.sel = sel;
+         segr.base = (uint32_t)sel << 4;
+@@ -2986,6 +2985,8 @@ void hvm_task_switch(
+     if ( rc != HVMCOPY_okay )
+         goto out;
+ 
++    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) )
++        goto out;
+ 
+     if ( hvm_set_cr3(tss.cr3, 1) )
+         goto out;
+@@ -3008,13 +3009,12 @@ void hvm_task_switch(
+     }
+ 
+     exn_raised = 0;
+-    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) ||
+-         hvm_load_segment_selector(x86_seg_es, tss.es) ||
+-         hvm_load_segment_selector(x86_seg_cs, tss.cs) ||
+-         hvm_load_segment_selector(x86_seg_ss, tss.ss) ||
+-         hvm_load_segment_selector(x86_seg_ds, tss.ds) ||
+-         hvm_load_segment_selector(x86_seg_fs, tss.fs) ||
+-         hvm_load_segment_selector(x86_seg_gs, tss.gs) )
++    if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) )
+         exn_raised = 1;
+ 
+     rc = hvm_copy_to_guest_virt(
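Review bot: in the hvm_task_switch hunk the relocated LDTR load, `if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) ) goto out;`, aborts the whole task switch on failure, while the six selector loads that follow only set `exn_raised = 1` and let the switch complete; the asymmetry is presumably intended (the LDT has to be in place before selectors with bit 2 set can be looked up through it), but a short comment at the new call site saying so, and noting why the literal `0` is passed for eflags (LDTR is never loaded with VM86-mode attributes, as the subject line states), would spare the next reader a trip to the advisory. The removed `regs` local and the new `eflags` parameter are otherwise used consistently across the hunk.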
diff -r 4062f1e6e457 -r 45194d59a012 sysutils/xenkernel46/patches/patch-XSA-193
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel46/patches/patch-XSA-193        Tue Nov 22 20:59:01 2016 +0000
@@ -0,0 +1,70 @@
+$NetBSD: patch-XSA-193,v 1.1 2016/11/22 20:59:01 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86/PV: writes of %fs and %gs base MSRs require canonical addresses
+
+Commit c42494acb2 ("x86: fix FS/GS base handling when using the
+fsgsbase feature") replaced the use of wrmsr_safe() on these paths
+without recognizing that wr{f,g}sbase() use just wrmsrl() and that the
+WR{F,G}SBASE instructions also raise #GP for non-canonical input.
+
+Similarly arch_set_info_guest() needs to prevent non-canonical
+addresses from getting stored into state later to be loaded by context
+switch code. For consistency also check stack pointers and LDT base.
+DR0..3, otoh, already get properly checked in set_debugreg() (albeit
+we discard the error there).
+
+The SHADOW_GS_BASE check isn't strictly necessary, but I think we
+better avoid trying the WRMSR if we know it's going to fail.
+
+This is XSA-193.
+
+Reported-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+--- xen/arch/x86/domain.c.orig
++++ xen/arch/x86/domain.c
+@@ -890,7 +890,13 @@ int arch_set_info_guest(
+     {
+         if ( !compat )
+         {
+-            if ( !is_canonical_address(c.nat->user_regs.eip) ||
++            if ( !is_canonical_address(c.nat->user_regs.rip) ||
++                 !is_canonical_address(c.nat->user_regs.rsp) ||
++                 !is_canonical_address(c.nat->kernel_sp) ||
++                 (c.nat->ldt_ents && !is_canonical_address(c.nat->ldt_base)) ||
++                 !is_canonical_address(c.nat->fs_base) ||
++                 !is_canonical_address(c.nat->gs_base_kernel) ||
++                 !is_canonical_address(c.nat->gs_base_user) ||
+                  !is_canonical_address(c.nat->event_callback_eip) ||
+                  !is_canonical_address(c.nat->syscall_callback_eip) ||
+                  !is_canonical_address(c.nat->failsafe_callback_eip) )
+--- xen/arch/x86/traps.c.orig
++++ xen/arch/x86/traps.c
+@@ -2723,19 +2723,22 @@ static int emulate_privileged_op(struct
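Review bot: the traps.c hunk header `@@ -2723,19 +2723,22 @@ static int emulate_privileged_op(struct` is the last line the archive kept (the diffs are truncated from 769 to 300 lines), so the WR{F,G}SBASE and MSR-write check the message describes cannot be reviewed from this page and has to be checked against the upstream XSA-193 patch. The domain.c hunk does match the message: rip, rsp, kernel_sp, fs_base, gs_base_kernel and gs_base_user are all passed through is_canonical_address(), and ldt_base is checked only when ldt_ents is non-zero, which avoids rejecting a guest that uses no LDT but leaves a stale base in the record; the switch from `user_regs.eip` to `user_regs.rip` is consistent with this being the non-compat (64-bit) branch.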