pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/sysutils Apply upstream patch for XSA-199, XSA-200 and...
details: https://anonhg.NetBSD.org/pkgsrc/rev/3e16a1ddbc99
branches: trunk
changeset: 356168:3e16a1ddbc99
user: bouyer <bouyer%pkgsrc.org@localhost>
date: Tue Dec 20 10:22:28 2016 +0000
description:
Apply upstream patch for XSA-199, XSA-200 and XSA-204.
Bump PKGREVISIONs
diffstat:
sysutils/xenkernel41/Makefile | 4 +-
sysutils/xenkernel41/distinfo | 4 +-
sysutils/xenkernel41/patches/patch-XSA-200 | 57 +++++++++++++
sysutils/xenkernel41/patches/patch-XSA-204 | 71 +++++++++++++++++
sysutils/xenkernel42/Makefile | 4 +-
sysutils/xenkernel42/distinfo | 4 +-
sysutils/xenkernel42/patches/patch-XSA-200 | 57 +++++++++++++
sysutils/xenkernel42/patches/patch-XSA-204 | 71 +++++++++++++++++
sysutils/xenkernel45/Makefile | 4 +-
sysutils/xenkernel45/distinfo | 4 +-
sysutils/xenkernel45/patches/patch-XSA-200 | 57 +++++++++++++
sysutils/xenkernel45/patches/patch-XSA-204 | 71 +++++++++++++++++
sysutils/xenkernel46/Makefile | 4 +-
sysutils/xenkernel46/distinfo | 4 +-
sysutils/xenkernel46/patches/patch-XSA-200 | 57 +++++++++++++
sysutils/xenkernel46/patches/patch-XSA-204 | 71 +++++++++++++++++
sysutils/xentools41/Makefile | 4 +-
sysutils/xentools41/distinfo | 3 +-
sysutils/xentools41/patches/patch-XSA-199 | 90 +++++++++++++++++++++
sysutils/xentools42/Makefile | 4 +-
sysutils/xentools42/distinfo | 3 +-
sysutils/xentools42/patches/patch-XSA-199 | 121 +++++++++++++++++++++++++++++
sysutils/xentools45/Makefile | 4 +-
sysutils/xentools45/distinfo | 3 +-
sysutils/xentools45/patches/patch-XSA-199 | 90 +++++++++++++++++++++
sysutils/xentools46/Makefile | 4 +-
sysutils/xentools46/distinfo | 3 +-
sysutils/xentools46/patches/patch-XSA-199 | 90 +++++++++++++++++++++
28 files changed, 939 insertions(+), 24 deletions(-)
diffs (truncated from 1215 to 300 lines):
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel41/Makefile
--- a/sysutils/xenkernel41/Makefile Tue Dec 20 08:57:02 2016 +0000
+++ b/sysutils/xenkernel41/Makefile Tue Dec 20 10:22:28 2016 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.52 2016/11/22 20:53:40 bouyer Exp $
+# $NetBSD: Makefile,v 1.53 2016/12/20 10:22:28 bouyer Exp $
VERSION= 4.1.6.1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 21
+PKGREVISION= 22
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel41/distinfo
--- a/sysutils/xenkernel41/distinfo Tue Dec 20 08:57:02 2016 +0000
+++ b/sysutils/xenkernel41/distinfo Tue Dec 20 10:22:28 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2016/11/22 20:53:40 bouyer Exp $
+$NetBSD: distinfo,v 1.46 2016/12/20 10:22:28 bouyer Exp $
SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
@@ -44,6 +44,8 @@
SHA1 (patch-XSA-191) = 5da559e104543b8d22ea60378d9160d2ad83b8d0
SHA1 (patch-XSA-192) = b0f2801fe6db91c2a98b82897cdee057062c6c2b
SHA1 (patch-XSA-195) = a04295b397126e1cc1f129bb3cb9fb872fcbb373
+SHA1 (patch-XSA-200) = 2e5f6e3596fa754030af29a1dc8fafb738ad1da4
+SHA1 (patch-XSA-204) = 99e2b88b551d80724fcc27f925fbf65d3fc468de
SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel41/patches/patch-XSA-200
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-XSA-200 Tue Dec 20 10:22:28 2016 +0000
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+ goto fail;
+ printf("okay\n");
+
++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++ res[0] = 0x12345678;
++ res[1] = 0x87654321;
++ regs.eflags = 0x200;
++ regs.eip = (unsigned long)&instr[0];
++ regs.edi = (unsigned long)res;
++ rc = x86_emulate(&ctxt, &emulops);
++ if ( (rc != X86EMUL_OKAY) ||
++ (res[0] != 0x12345678) ||
++ (res[1] != 0x87654321) ||
++ (regs.eax != 0x12345678) ||
++ (regs.edx != 0x87654321) ||
++ ((regs.eflags&0x240) != 0x200) ||
++ (regs.eip != (unsigned long)&instr[4]) )
++ goto fail;
++ printf("okay\n");
++
+ printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+ instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+ regs.eflags = 0x200;
+--- ./xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 21:54:25.000000000 +0100
++++ ./xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:00:32.000000000 +0100
+@@ -4183,7 +4183,12 @@
+
+ generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+- op_bytes *= 2;
++ if ( op_bytes == 8 )
++ {
++ /* vcpu_must_have_cx16() XXX doens't exists */
++ op_bytes = 16;
++ } else
++ op_bytes = 8;
+
+ /* Get actual old value. */
+ for ( i = 0; i < (op_bytes/sizeof(long)); i++ )
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel41/patches/patch-XSA-204
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-XSA-204 Tue Dec 20 10:22:28 2016 +0000
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 22:02:25.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 22:05:31.000000000 +0100
+@@ -1233,6 +1233,7 @@
+ #define REPE_PREFIX 1
+ #define REPNE_PREFIX 2
+ unsigned int lock_prefix = 0, rep_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src, dst;
+
+@@ -3498,9 +3499,8 @@
+ break;
+ }
+
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -3685,6 +3685,23 @@
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel42/Makefile
--- a/sysutils/xenkernel42/Makefile Tue Dec 20 08:57:02 2016 +0000
+++ b/sysutils/xenkernel42/Makefile Tue Dec 20 10:22:28 2016 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.24 2016/11/22 20:55:29 bouyer Exp $
+# $NetBSD: Makefile,v 1.25 2016/12/20 10:22:28 bouyer Exp $
VERSION= 4.2.5
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel42-${VERSION}
-PKGREVISION= 13
+PKGREVISION= 14
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel42/distinfo
--- a/sysutils/xenkernel42/distinfo Tue Dec 20 08:57:02 2016 +0000
+++ b/sysutils/xenkernel42/distinfo Tue Dec 20 10:22:28 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2016/11/22 20:55:29 bouyer Exp $
+$NetBSD: distinfo,v 1.24 2016/12/20 10:22:28 bouyer Exp $
SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
@@ -33,6 +33,8 @@
SHA1 (patch-XSA-191) = 7a5e2e78c457c5922e2ccd711f2a39afba238e40
SHA1 (patch-XSA-192) = f95757227ece59a2f320308edefcf01f1a96212c
SHA1 (patch-XSA-195) = bb20234c4db0dc098ea47564732e87710bfcb9d8
+SHA1 (patch-XSA-200) = 2f615fa9c4ac43fc98f6c897acb5ee7e4651a668
+SHA1 (patch-XSA-204) = f6a59adf3cbd0aab59ccf233240a6b4e9ee2913b
SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel42/patches/patch-XSA-200
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel42/patches/patch-XSA-200 Tue Dec 20 10:22:28 2016 +0000
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+ goto fail;
+ printf("okay\n");
+
++ printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++ instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++ res[0] = 0x12345678;
++ res[1] = 0x87654321;
++ regs.eflags = 0x200;
++ regs.eip = (unsigned long)&instr[0];
++ regs.edi = (unsigned long)res;
++ rc = x86_emulate(&ctxt, &emulops);
++ if ( (rc != X86EMUL_OKAY) ||
++ (res[0] != 0x12345678) ||
++ (res[1] != 0x87654321) ||
++ (regs.eax != 0x12345678) ||
++ (regs.edx != 0x87654321) ||
++ ((regs.eflags&0x240) != 0x200) ||
++ (regs.eip != (unsigned long)&instr[4]) )
++ goto fail;
++ printf("okay\n");
++
+ printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+ instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+ regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4494,9 +4498,11 @@
+
+ generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+- if ( op_bytes == 8 )
++ if ( op_bytes == 8 ) {
+ vcpu_must_have_cx16();
+- op_bytes *= 2;
++ op_bytes = 16;
++ } else
++ op_bytes = 8;
+
+ /* Get actual old value. */
+ for ( i = 0; i < (op_bytes/sizeof(long)); i++ )
diff -r 2a8cfab0a61f -r 3e16a1ddbc99 sysutils/xenkernel42/patches/patch-XSA-204
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel42/patches/patch-XSA-204 Tue Dec 20 10:22:28 2016 +0000
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 23:22:20.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 23:22:38.000000000 +0100
+@@ -1348,6 +1348,7 @@
+ union vex vex = {};
+ unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+ bool_t lock_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
Home |
Main Index |
Thread Index |
Old Index