pkgsrc-Changes-HG archive

[pkgsrc/trunk]: pkgsrc/sysutils/xentools45 Apply upstream patches for securit...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/96444b344741
branches:  trunk
changeset: 360050:96444b344741
user:      bouyer <bouyer%pkgsrc.org@localhost>
date:      Mon Mar 20 18:09:21 2017 +0000

description:
Apply upstream patches for security fixes XSA-208, XSA-209 and XSA-211.
Bump PKGREVISION

diffstat:

 sysutils/xentools45/Makefile                |    4 +-
 sysutils/xentools45/distinfo                |    8 +-
 sysutils/xentools45/patches/patch-XSA-208-1 |   55 +++++
 sysutils/xentools45/patches/patch-XSA-208-2 |   58 ++++++
 sysutils/xentools45/patches/patch-XSA-209-1 |  153 ++++++++++++++++
 sysutils/xentools45/patches/patch-XSA-209-2 |   56 +++++
 sysutils/xentools45/patches/patch-XSA-211-1 |  262 ++++++++++++++++++++++++++++
 sysutils/xentools45/patches/patch-XSA-211-2 |  230 ++++++++++++++++++++++++
 8 files changed, 823 insertions(+), 3 deletions(-)

diffs (truncated from 873 to 300 lines):

diff -r 9fd85f88eb9b -r 96444b344741 sysutils/xentools45/Makefile
--- a/sysutils/xentools45/Makefile      Mon Mar 20 18:06:06 2017 +0000
+++ b/sysutils/xentools45/Makefile      Mon Mar 20 18:09:21 2017 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.46 2017/02/14 21:36:15 joerg Exp $
+# $NetBSD: Makefile,v 1.47 2017/03/20 18:09:21 bouyer Exp $
 
 VERSION=       4.5.5
-PKGREVISION=   3
+PKGREVISION=   4
 VERSION_IPXE=  9a93db3f0947484e30e753bbd61a10b17336e20e
 
 DISTNAME=              xen-${VERSION}
diff -r 9fd85f88eb9b -r 96444b344741 sysutils/xentools45/distinfo
--- a/sysutils/xentools45/distinfo      Mon Mar 20 18:06:06 2017 +0000
+++ b/sysutils/xentools45/distinfo      Mon Mar 20 18:09:21 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $
+$NetBSD: distinfo,v 1.30 2017/03/20 18:09:21 bouyer Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -25,6 +25,12 @@
 SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043
 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7
 SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1
+SHA1 (patch-XSA-208-1) = a8eac4ac701626014b54480a5c7e382a43f892bb
+SHA1 (patch-XSA-208-2) = 148df8d7fd42f9f885e4381c1073c0a7b5c71816
+SHA1 (patch-XSA-209-1) = a7cfa5bbdb3df5d76b4caa39119c2745a6ecf321
+SHA1 (patch-XSA-209-2) = 6b90313758d1f5a33936d48fc0bcb7c3f3fb84c0
+SHA1 (patch-XSA-211-1) = 432d65327e1ebe3d3317ac5f42f3912bb23d08ca
+SHA1 (patch-XSA-211-2) = a92663c2c18290f5927780d3ed55aec497c58a8c
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff -r 9fd85f88eb9b -r 96444b344741 sysutils/xentools45/patches/patch-XSA-208-1
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xentools45/patches/patch-XSA-208-1       Mon Mar 20 18:09:21 2017 +0000
@@ -0,0 +1,55 @@
+$NetBSD: patch-XSA-208-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s%360.cn@localhost>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s%360.cn@localhost>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+          address, so check it as-is against vram size ]
+
+Cc: qemu-stable%nongnu.org@localhost
+Cc: P J P <ppandit%redhat.com@localhost>
+Cc: Laszlo Ersek <lersek%redhat.com@localhost>
+Cc: Paolo Bonzini <pbonzini%redhat.com@localhost>
+Cc: Wolfgang Bumiller <w.bumiller%proxmox.com@localhost>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel%redhat.com@localhost>
+Message-id: 1485938101-26602-1-git-send-email-kraxel%redhat.com@localhost
+Reviewed-by: Laszlo Ersek <lersek%redhat.com@localhost>
+Signed-off-by: Stefano Stabellini <sstabellini%kernel.org@localhost>
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 5198037..7bf3707 100644
+--- qemu-xen/hw/display/cirrus_vga.c.orig
++++ qemu-xen/hw/display/cirrus_vga.c
+@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+     if (pitch < 0) {
+         int64_t min = addr
+-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+-        int32_t max = addr
+-            + s->cirrus_blt_width;
+-        if (min < 0 || max >= s->vga.vram_size) {
++            + ((int64_t)s->cirrus_blt_height - 1) * pitch
++            - s->cirrus_blt_width;
++        if (min < -1 || addr >= s->vga.vram_size) {
+             return true;
+         }
+     } else {
+-- 
+2.1.4
+
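
Review bot: in the `pitch < 0` branch of `blit_region_is_unsafe`, the new lower bound `min < -1` is unexplained. The commit message says only that the blit width is subtracted first, and the kraxel note covers only the `addr >= s->vga.vram_size` side. Please add a short comment stating which byte `min` designates once `s->cirrus_blt_width` has been subtracted, so that a later reader does not "correct" the bound back to `min < 0`. Minor: the kraxel note opens with `{` and closes with `]`.
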
diff -r 9fd85f88eb9b -r 96444b344741 sysutils/xentools45/patches/patch-XSA-208-2
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xentools45/patches/patch-XSA-208-2       Mon Mar 20 18:09:21 2017 +0000
@@ -0,0 +1,58 @@
+$NetBSD: patch-XSA-208-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s%360.cn@localhost>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s%360.cn@localhost>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+          address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]
+
+Cc: qemu-stable%nongnu.org@localhost
+Cc: P J P <ppandit%redhat.com@localhost>
+Cc: Laszlo Ersek <lersek%redhat.com@localhost>
+Cc: Paolo Bonzini <pbonzini%redhat.com@localhost>
+Cc: Wolfgang Bumiller <w.bumiller%proxmox.com@localhost>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel%redhat.com@localhost>
+Message-id: 1485938101-26602-1-git-send-email-kraxel%redhat.com@localhost
+Reviewed-by: Laszlo Ersek <lersek%redhat.com@localhost>
+Signed-off-by: Stefano Stabellini <sstabellini%kernel.org@localhost>
+Signed-off-by: Ian Jackson <ian.jackson%eu.citrix.com@localhost>
+---
+ hw/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..364e22d 100644
+--- qemu-xen-traditional/hw/cirrus_vga.c.orig
++++ qemu-xen-traditional/hw/cirrus_vga.c
+@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+     if (pitch < 0) {
+         int64_t min = addr
+-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+-        int32_t max = addr
+-            + s->cirrus_blt_width;
+-        if (min < 0 || max >= s->vram_size) {
++            + ((int64_t)s->cirrus_blt_height - 1) * pitch
++            - s->cirrus_blt_width;
++        if (min < -1 || addr >= s->vram_size) {
+             return true;
+         }
+     } else {
+-- 
+2.1.4
+
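
Review bot: nothing at the top of patch-XSA-208-2 says that it is the qemu-xen-traditional counterpart of patch-XSA-208-1; the code change is the same apart from the target path (`qemu-xen-traditional/hw/cirrus_vga.c`) and `s->vram_size` in place of `s->vga.vram_size`. A one-line comment under the `$NetBSD$` tag naming the tree would make it clear that the two files have to be kept in step. The undocumented `min < -1` bound is carried over here as well and deserves the same explanatory comment.
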
diff -r 9fd85f88eb9b -r 96444b344741 sysutils/xentools45/patches/patch-XSA-209-1
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xentools45/patches/patch-XSA-209-1       Mon Mar 20 18:09:21 2017 +0000
@@ -0,0 +1,153 @@
+$NetBSD: patch-XSA-209-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s%360.cn@localhost>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s%360.cn@localhost>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+          address, so check it as-is against vram size ]
+
+Cc: qemu-stable%nongnu.org@localhost
+From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers%suse.com@localhost>
+Date: Tue, 21 Feb 2017 10:54:38 -0800
+Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers%suse.com@localhost>
+Message-id: 20170109203520.5619-1-brogers%suse.com@localhost
+Signed-off-by: Gerd Hoffmann <kraxel%redhat.com@localhost>
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7bf3707..34a6900 100644
+--- qemu-xen/hw/display/cirrus_vga.c.orig
++++ qemu-xen/hw/display/cirrus_vga.c
+@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+ 
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
++    if (dst_only) {
++        return false;
++    }
+     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+ 
+     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+ 
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     (*s->cirrus_rop) (s, dst, src,
+@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+ 
+-    if (blit_is_unsafe(s)) {
++    if (blit_is_unsafe(s, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+-- 
+2.1.4
+
+From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel%redhat.com@localhost>
+Date: Tue, 21 Feb 2017 10:54:59 -0800
+Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
+ cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all.  Oops.  Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed.  Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
+
+Reported-by: Gerd Hoffmann <ghoffman%redhat.com@localhost>
+Signed-off-by: Gerd Hoffmann <kraxel%redhat.com@localhost>
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 34a6900..5901250 100644
+--- qemu-xen/hw/display/cirrus_vga.c.orig
++++ qemu-xen/hw/display/cirrus_vga.c
+@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+     int w;
+ 
++    if (blit_is_unsafe(s, true)) {
++        return 0;
++    }
++
+     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
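
Review bot: the header of patch-XSA-209-1 starts with a copy of the XSA-208 commit message (`Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)`, `This is XSA-208.`) that stops at `Cc: qemu-stable` and runs straight into the real `[PATCH 1/2]` header from Bruce Rogers. Drop that leading block so the file describes only the two XSA-209 changes. In PATCH 1/2, the new `dst_only` argument makes `blit_is_unsafe` return before the source-region check; a comment on the parameter saying it is meant for operations that do not use the source pitch and address (solid fill, and the CPU-to-video path in PATCH 2/2) would help, since passing `true` at any other call site silently drops a bounds check.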


