pkgsrc-Changes archive


CVS commit: pkgsrc/sysutils



Module Name:    pkgsrc
Committed By:   bouyer
Date:           Tue Nov 22 20:55:30 UTC 2016

Modified Files:
        pkgsrc/sysutils/xenkernel42: Makefile distinfo
        pkgsrc/sysutils/xentools42: Makefile distinfo
Added Files:
        pkgsrc/sysutils/xenkernel42/patches: patch-XSA-191 patch-XSA-192
            patch-XSA-195
        pkgsrc/sysutils/xentools42/patches: patch-XSA-197-1 patch-XSA-197-2
            patch-XSA-198

Log Message:
Backport upstream patches, fixing today's XSA 191, 192, 195, 197, 198.
Bump PKGREVISIONs


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 pkgsrc/sysutils/xenkernel42/Makefile
cvs rdiff -u -r1.22 -r1.23 pkgsrc/sysutils/xenkernel42/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel42/patches/patch-XSA-191 \
    pkgsrc/sysutils/xenkernel42/patches/patch-XSA-192 \
    pkgsrc/sysutils/xenkernel42/patches/patch-XSA-195
cvs rdiff -u -r1.50 -r1.51 pkgsrc/sysutils/xentools42/Makefile
cvs rdiff -u -r1.28 -r1.29 pkgsrc/sysutils/xentools42/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools42/patches/patch-XSA-197-1 \
    pkgsrc/sysutils/xentools42/patches/patch-XSA-197-2 \
    pkgsrc/sysutils/xentools42/patches/patch-XSA-198

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
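The distinfo changes in this commit record one SHA1 per added patch file, and pkgsrc refuses to build the package if the file under patches/ does not hash to that value. The script below is an added example, not part of this commit or of pkgsrc itself; it reproduces that check in plain POSIX sh so the new patch-XSA-* entries can be verified (or regenerated) outside a full pkgsrc tree. It assumes, mirroring what pkgsrc's makepatchsum target does, that the $NetBSD RCS-ID line is excluded before hashing, so CVS keyword expansion on commit never changes a patch checksum while any edit to a hunk does. The two patch files and the distinfo it works on are constructed inside the demo function; sha1sum is used where present, openssl otherwise.

```sh
#!/bin/sh
# Added example (not from the pkgsrc commit): verify the "SHA1 (patch-...) = ..."
# lines of a pkgsrc distinfo against the files under patches/, as this commit adds
# for patch-XSA-191/192/195 (xenkernel42) and patch-XSA-197-1/197-2/198 (xentools42).
# Assumption: like pkgsrc's makepatchsum, the $NetBSD RCS-ID line is dropped before
# hashing, so CVS keyword expansion alone never changes a checksum.

# Hex SHA1 of stdin: sha1sum on GNU userland, openssl elsewhere.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | cut -d' ' -f1
    else
        openssl dgst -sha1 | awk '{ print $NF }'
    fi
}

# pkgsrc-style checksum of one patch file ($1): RCS-ID line excluded.
patchsum() {
    sed -e '/\$NetBSD.*/d' "$1" | sha1_hex
}

# Emit distinfo lines "SHA1 (patch-xxx) = hash" for every patch-* in dir $1.
make_patchsums() {
    for f in "$1"/patch-*; do
        printf 'SHA1 (%s) = %s\n' "${f##*/}" "$(patchsum "$f")"
    done
}

# Verify every "SHA1 (patch-...) = ..." line of distinfo $1 against dir $2.
# Distfile SHA1/RMD160/Size lines and the RCS-ID line are skipped.
# Returns 0 when all recorded patches are present and match, 1 otherwise.
check_patchsums() {
    rc=0
    while IFS=' ' read -r algo name _eq want; do
        [ "$algo" = SHA1 ] || continue
        case $name in '(patch-'*')') ;; *) continue ;; esac
        name=${name#\(}; name=${name%\)}
        if [ ! -f "$2/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(patchsum "$2/$name")
        if [ "$got" = "$want" ]; then
            echo "OK      $name"
        else
            echo "BAD     $name: distinfo $want, file $got"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed demo tree: two tiny patch files with RCS-ID lines and a generated
# distinfo, then the three cases a packager meets: clean (pass), RCS-ID bumped
# by CVS (must still pass), hunk line edited (must fail). Returns 0 if all behave.
demo() {
    top=$(mktemp -d) || return 1
    mkdir "$top/patches"
    printf '%s\n' '$NetBSD: patch-XSA-aaa,v 1.1 2016/11/22 20:55:29 bouyer Exp $' \
        '--- a/x.c.orig' '+++ b/x.c' '@@ -1,1 +1,1 @@' '-int x = 0;' '+int x = 1;' \
        > "$top/patches/patch-XSA-aaa"
    printf '%s\n' '$NetBSD: patch-XSA-bbb,v 1.1 2016/11/22 20:55:29 bouyer Exp $' \
        '--- a/y.c.orig' '+++ b/y.c' '@@ -1,1 +1,1 @@' '-return 0;' '+return 1;' \
        > "$top/patches/patch-XSA-bbb"
    make_patchsums "$top/patches" > "$top/distinfo"
    f=$top/patches/patch-XSA-aaa

    check_patchsums "$top/distinfo" "$top/patches" || return 1
    # CVS keyword expansion (revision 1.1 -> 1.2): checksum must be unaffected.
    sed 's/,v 1\.1 /,v 1.2 /' "$f" > "$f.new" && mv "$f.new" "$f"
    check_patchsums "$top/distinfo" "$top/patches" || return 1
    # A modified hunk line must be caught.
    sed 's/^+int x = 1;/+int x = 2;/' "$f" > "$f.new" && mv "$f.new" "$f"
    if check_patchsums "$top/distinfo" "$top/patches"; then return 1; fi
    rm -rf "$top"
    return 0
}

demo
```

Against a real checkout the two calls of interest are make_patchsums sysutils/xenkernel42/patches (to regenerate the lines this commit adds to distinfo) and check_patchsums sysutils/xenkernel42/distinfo sysutils/xenkernel42/patches (to confirm the committed files match); pkgsrc's own make makepatchsum and make checksum do the same job inside the tree.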

Modified files:

Index: pkgsrc/sysutils/xenkernel42/Makefile
diff -u pkgsrc/sysutils/xenkernel42/Makefile:1.23 pkgsrc/sysutils/xenkernel42/Makefile:1.24
--- pkgsrc/sysutils/xenkernel42/Makefile:1.23   Thu Sep  8 15:41:01 2016
+++ pkgsrc/sysutils/xenkernel42/Makefile        Tue Nov 22 20:55:29 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.23 2016/09/08 15:41:01 bouyer Exp $
+# $NetBSD: Makefile,v 1.24 2016/11/22 20:55:29 bouyer Exp $
 
 VERSION=       4.2.5
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel42-${VERSION}
-PKGREVISION=   12
+PKGREVISION=   13
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xenkernel42/distinfo
diff -u pkgsrc/sysutils/xenkernel42/distinfo:1.22 pkgsrc/sysutils/xenkernel42/distinfo:1.23
--- pkgsrc/sysutils/xenkernel42/distinfo:1.22   Mon Sep 12 13:22:39 2016
+++ pkgsrc/sysutils/xenkernel42/distinfo        Tue Nov 22 20:55:29 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.22 2016/09/12 13:22:39 maya Exp $
+$NetBSD: distinfo,v 1.23 2016/11/22 20:55:29 bouyer Exp $
 
 SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
@@ -30,6 +30,9 @@ SHA1 (patch-XSA-182) = f0325a6f7c7cc20c3
 SHA1 (patch-XSA-185) = a2313922aa4dad734b96c80f64fe54eca3c14019
 SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56
 SHA1 (patch-XSA-187-2) = ed2d384b4cf429443560afbf71b42fb4123a279b
+SHA1 (patch-XSA-191) = 7a5e2e78c457c5922e2ccd711f2a39afba238e40
+SHA1 (patch-XSA-192) = f95757227ece59a2f320308edefcf01f1a96212c
+SHA1 (patch-XSA-195) = bb20234c4db0dc098ea47564732e87710bfcb9d8
 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f
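Review bot: only a SHA1 line is recorded for each new patch file, matching the existing patch-XSA-182/185/187 entries above, while the distfile carries both SHA1 and RMD160; that is consistent with the file, but because a stale patch checksum makes the package unbuildable, confirm these three values were regenerated with make makepatchsum from the exact files committed here rather than copied from an earlier local revision of the backports.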

Index: pkgsrc/sysutils/xentools42/Makefile
diff -u pkgsrc/sysutils/xentools42/Makefile:1.50 pkgsrc/sysutils/xentools42/Makefile:1.51
--- pkgsrc/sysutils/xentools42/Makefile:1.50    Sat Jul  9 13:04:08 2016
+++ pkgsrc/sysutils/xentools42/Makefile Tue Nov 22 20:55:29 2016
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.50 2016/07/09 13:04:08 wiz Exp $
+# $NetBSD: Makefile,v 1.51 2016/11/22 20:55:29 bouyer Exp $
 
 VERSION=       4.2.5
 VERSION_IPXE=  1.0.0
 
 DISTNAME=              xen-${VERSION}
 PKGNAME=               xentools42-${VERSION}
-PKGREVISION=           18
+PKGREVISION=           19
 CATEGORIES=            sysutils
 MASTER_SITES=          http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xentools42/distinfo
diff -u pkgsrc/sysutils/xentools42/distinfo:1.28 pkgsrc/sysutils/xentools42/distinfo:1.29
--- pkgsrc/sysutils/xentools42/distinfo:1.28    Sat Oct  1 13:07:23 2016
+++ pkgsrc/sysutils/xentools42/distinfo Tue Nov 22 20:55:29 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2016/10/01 13:07:23 joerg Exp $
+$NetBSD: distinfo,v 1.29 2016/11/22 20:55:29 bouyer Exp $
 
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -39,6 +39,9 @@ SHA1 (patch-CVE-2015-8550) = 63613ca0dd9
 SHA1 (patch-CVE-2015-8554) = 908783cf619fc130d5a107ba2c4997fca0f0da88
 SHA1 (patch-Makefile) = 3a474d28a5b838bae4a67b5ca76e23b950bf0133
 SHA1 (patch-Rules.mk) = 25a04293f6fe638ba5f3bd5e09b2b091cd201023
+SHA1 (patch-XSA-197-1) = 79b4bc63bfbe7f69ed3ba38a667f185f8cb65cc9
+SHA1 (patch-XSA-197-2) = 1734d4313b66f958a312676da489b94773524128
+SHA1 (patch-XSA-198) = 38d120b4be3e04f87e75e6838a64d44e180d708b
 SHA1 (patch-blktap_drivers_Makefile) = c6be57154a403a64e3d6bc22d6bd833fe33fc9af
 SHA1 (patch-configure) = 11df58a8e1cd6bcc319db0aff508367e59592cba
 SHA1 (patch-examples_Makefile) = ee02f973416ca4ffda5381cd7a4ddb3b43579621

Added files:

Index: pkgsrc/sysutils/xenkernel42/patches/patch-XSA-191
diff -u /dev/null pkgsrc/sysutils/xenkernel42/patches/patch-XSA-191:1.1
--- /dev/null   Tue Nov 22 20:55:30 2016
+++ pkgsrc/sysutils/xenkernel42/patches/patch-XSA-191   Tue Nov 22 20:55:29 2016
@@ -0,0 +1,142 @@
+$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:55:29 bouyer Exp $
+
+backported from:
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: x86/hvm: Fix the handling of non-present segments
+
+In 32bit, the data segments may be NULL to indicate that the segment is
+ineligible for use.  In both 32bit and 64bit, the LDT selector may be NULL to
+indicate that the entire LDT is ineligible for use.  However, nothing in Xen
+actually checks for this condition when performing other segmentation
+checks.  (Note however that limit and writeability checks are correctly
+performed).
+
+Neither Intel nor AMD specify the exact behaviour of loading a NULL segment.
+Experimentally, AMD zeroes all attributes but leaves the base and limit
+unmodified.  Intel zeroes the base, sets the limit to 0xfffffff and resets the
+attributes to just .G and .D/B.
+
+The use of the segment information in the VMCB/VMCS is equivalent to a native
+pipeline interacting with the segment cache.  The present bit can therefore
+have a subtly different meaning, and it is now cooked to uniformly indicate
+whether the segment is usable or not.
+
+GDTR and IDTR don't have access rights like the other segments, but for
+consistency, they are treated as being present so no special casing is needed
+elsewhere in the segmentation logic.
+
+AMD hardware does not consider the present bit for %cs and %tr, and will
+function as if they were present.  They are therefore unconditionally set to
+present when reading information from the VMCB, to maintain the new meaning of
+usability.
+
+Intel hardware has a separate unusable bit in the VMCS segment attributes.
+This bit is inverted and stored in the present field, so the hvm code can work
+with architecturally-common state.
+
+This is XSA-191.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- xen/arch/x86/hvm/hvm.c.orig        2016-11-22 15:03:34.000000000 +0100
++++ xen/arch/x86/hvm/hvm.c     2016-11-22 15:15:51.000000000 +0100
+@@ -1921,6 +1921,10 @@
+          * COMPATIBILITY MODE: Apply segment checks and add base.
+          */
+ 
++        /* Segment not valid for use (cooked meaning of .p)? */
++        if ( !reg->attr.fields.p )
++            return 0;
++
+         switch ( access_type )
+         {
+         case hvm_access_read:
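Review bot: the early return on !reg->attr.fields.p only gives the right answer once the svm.c and vmx.c hunks further down have redefined .p to mean "usable" (the description notes AMD ignores P for %cs and %tr, and VT-x keeps a separate unusable bit), so this backport must carry all four files together; a one-line comment here naming that contract would stop a later partial cherry-pick of just hvm.c from turning %cs accesses on AMD into failures.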
+@@ -2105,6 +2109,10 @@
+     hvm_get_segment_register(
+         v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab);
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto fail;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto fail;
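Review bot: placing the present check ahead of the limit check is the substantive part of this hunk, not a style choice: the description says AMD leaves base and limit of a NULL segment unmodified, so a limit-only check against a NULL LDT would pass with stale values. The "goto fail" raises whatever fault_type holds at this point (TRAP_invalid_tss by default, per the declaration visible in the XSA-192 hunk); confirm that is the intended fault for a non-present descriptor table for every caller, or set fault_type explicitly before the jump.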
+--- xen/arch/x86/hvm/svm/svm.c.orig    2016-11-22 15:03:33.000000000 +0100
++++ xen/arch/x86/hvm/svm/svm.c 2016-11-22 15:15:51.000000000 +0100
+@@ -517,6 +517,7 @@
+     {
+     case x86_seg_cs:
+         memcpy(reg, &vmcb->cs, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.g = reg->limit > 0xFFFFF;
+         break;
+     case x86_seg_ds:
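Review bot: the unconditional reg->attr.fields.p = 1 for %cs reads like it is papering over a bad VMCB value; carry the rationale from the description (AMD does not consult P for %cs and %tr) into a short comment at this line so the next reader does not "fix" it. Only the present bit is forced; .g is still recomputed from the limit directly below, which is fine.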
+@@ -550,13 +551,16 @@
+     case x86_seg_tr:
+         svm_sync_vmcb(v);
+         memcpy(reg, &vmcb->tr, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.type |= 0x2;
+         break;
+     case x86_seg_gdtr:
+         memcpy(reg, &vmcb->gdtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_idtr:
+         memcpy(reg, &vmcb->idtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_ldtr:
+         svm_sync_vmcb(v);
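Review bot: reg->attr.bytes = 0x80 for gdtr and idtr is a magic number; 0x80 is bit 7, the present bit, with every other attribute cleared, which is the "treated as present" rule from the description. Spell that out, either as a comment or by zeroing the byte and setting .fields.p through the accessor, so the value stays readable next to the 0x2 type fix-up for %tr above it.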
+--- xen/arch/x86/hvm/vmx/vmx.c.orig    2016-11-22 15:03:33.000000000 +0100
++++ xen/arch/x86/hvm/vmx/vmx.c 2016-11-22 15:15:51.000000000 +0100
+@@ -809,10 +809,12 @@
+ 
+     vmx_vmcs_exit(v);
+ 
+-    reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00);
+-    /* Unusable flag is folded into Present flag. */
+-    if ( attr & (1u<<16) )
+-        reg->attr.fields.p = 0;
++    /*
++     * Fold VT-x representation into Xen's representation.  The Present bit is
++     * unconditionally set to the inverse of unusable.
++     */
++    reg->attr.bytes =
++        (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00);
+ 
+     /* Adjust for virtual 8086 mode */
+     if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr 
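Review bot: the new fold masks the low byte with 0x7f where the old code used 0xff, so the hardware P bit from the VMCS is discarded and replaced by the inverse of the unusable bit (bit 16). The comment says so, but the old code only cleared P when unusable was set, so the behavioural difference for a segment hardware reports as usable yet not-present deserves one more sentence in the comment. The (!(attr & (1u << 16)) << 7) term is fine: ! yields an int 0 or 1, so the shift is well defined.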
+@@ -892,11 +894,11 @@
+         }
+     }
+ 
+-    attr = ((attr & 0xf00) << 4) | (attr & 0xff);
+-
+-    /* Not-present must mean unusable. */
+-    if ( !reg->attr.fields.p )
+-        attr |= (1u << 16);
++    /*
++     * Unfold Xen representation into VT-x representation.  The unusable bit
++     * is unconditionally set to the inverse of present.
++     */
++    attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff);
+ 
+     /* VMX has strict consistency requirement for flag G. */
+     attr |= !!(limit >> 20) << 15;
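Review bot: the removed code tested reg->attr.fields.p, the replacement tests attr & (1u << 7); these agree only if attr still holds an unmodified copy of reg->attr.bytes at this point, and that assignment lies outside the visible context. The G fix-up directly below shows attr is edited in this function, so confirm nothing between its load and this line alters bit 7.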
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig        2016-11-22 15:03:34.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c     2016-11-22 15:15:51.000000000 +0100
+@@ -1136,6 +1136,10 @@
+                                  &desctab, ctxt)) )
+         return rc;
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto raise_exn;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto raise_exn;
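Review bot: this is the same descriptor-table validity check as the hvm.c @@ -2105 hunk, with goto raise_exn in place of goto fail, so two copies of the logic now live in hvm.c and x86_emulate.c. A shared helper, or at least a cross-reference comment in each, would keep a future fix to one from being missed in the other.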
Index: pkgsrc/sysutils/xenkernel42/patches/patch-XSA-192
diff -u /dev/null pkgsrc/sysutils/xenkernel42/patches/patch-XSA-192:1.1
--- /dev/null   Tue Nov 22 20:55:30 2016
+++ pkgsrc/sysutils/xenkernel42/patches/patch-XSA-192   Tue Nov 22 20:55:29 2016
@@ -0,0 +1,65 @@
+$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:55:29 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch
+
+Just like TR, LDTR is purely a protected mode facility and hence needs
+to be loaded accordingly. Also move its loading to where it
+architecurally belongs.
+
+This is XSA-192.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Tested-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+--- xen/arch/x86/hvm/hvm.c.orig        2016-11-22 15:15:51.000000000 +0100
++++ xen/arch/x86/hvm/hvm.c     2016-11-22 15:29:02.000000000 +0100
+@@ -2072,16 +2072,15 @@
+ }
+ 
+ static int hvm_load_segment_selector(
+-    enum x86_segment seg, uint16_t sel)
++    enum x86_segment seg, uint16_t sel, unsigned int eflags)
+ {
+     struct segment_register desctab, cs, segr;
+     struct desc_struct *pdesc, desc;
+     u8 dpl, rpl, cpl;
+     int fault_type = TRAP_invalid_tss;
+-    struct cpu_user_regs *regs = guest_cpu_user_regs();
+     struct vcpu *v = current;
+ 
+-    if ( regs->eflags & X86_EFLAGS_VM )
++    if ( eflags & X86_EFLAGS_VM )
+     {
+         segr.sel = sel;
+         segr.base = (uint32_t)sel << 4;
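Review bot: the signature change drops the regs local entirely, so any other use of regs in this function, or any caller of hvm_load_segment_selector outside the task-switch path, will fail to compile against this backport; the call sites in the later hunks are updated, but grep the 4.2 tree for others before merging, since the upstream patch was written against a newer hvm.c.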
+@@ -2332,6 +2331,8 @@
+     if ( rc != HVMCOPY_okay )
+         goto out;
+ 
++    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) )
++        goto out;
+ 
+     if ( hvm_set_cr3(tss.cr3) )
+         goto out;
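Review bot: three things to confirm about the relocated LDTR load. Passing 0 for eflags forces the protected-mode descriptor path regardless of the incoming task's VM flag, which is the fix, but a comment saying so would help. A failure here jumps to out and aborts the task switch, whereas the remaining segment loads in the next hunk only set exn_raised and carry on; the asymmetry is acceptable only if hvm_load_segment_selector injects the fault itself before returning non-zero. And the load now precedes hvm_set_cr3(), so the GDT read for the LDT descriptor goes through the outgoing task's page tables; if that is the intended architectural order, say so in a comment.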
+@@ -2354,13 +2355,12 @@
+     }
+ 
+     exn_raised = 0;
+-    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) ||
+-         hvm_load_segment_selector(x86_seg_es, tss.es) ||
+-         hvm_load_segment_selector(x86_seg_cs, tss.cs) ||
+-         hvm_load_segment_selector(x86_seg_ss, tss.ss) ||
+-         hvm_load_segment_selector(x86_seg_ds, tss.ds) ||
+-         hvm_load_segment_selector(x86_seg_fs, tss.fs) ||
+-         hvm_load_segment_selector(x86_seg_gs, tss.gs) )
++    if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) )
+         exn_raised = 1;
+ 
+     rc = hvm_copy_to_guest_virt(
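Review bot: the remaining loads now take tss.eflags, the incoming task's flags copied from guest memory above, rather than the current vCPU's eflags, so a VM86 incoming task gets real-mode segment attributes while LDTR (previous hunk) never does; that split is the whole point of the fix and is worth one sentence of comment at exn_raised = 0, because the two call styles sitting a few lines apart otherwise look inconsistent.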
Index: pkgsrc/sysutils/xenkernel42/patches/patch-XSA-195
diff -u /dev/null pkgsrc/sysutils/xenkernel42/patches/patch-XSA-195:1.1
--- /dev/null   Tue Nov 22 20:55:30 2016
+++ pkgsrc/sysutils/xenkernel42/patches/patch-XSA-195   Tue Nov 22 20:55:29 2016
@@ -0,0 +1,49 @@
+$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:55:29 bouyer Exp $
+
+backported from:
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86emul: fix huge bit offset handling
+
+We must never chop off the high 32 bits.
+
+This is XSA-195.
+
+Reported-by: George Dunlap <george.dunlap%citrix.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig        2016-11-22 15:15:51.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c     2016-11-22 16:02:09.000000000 +0100
+@@ -1756,6 +1756,12 @@
+         else
+         {
+             /*
++             * Instructions such as bt can reference an arbitrary offset from
++             * their memory operand, but the instruction doing the actual
++             * emulation needs the appropriate op_bytes read from memory.
++             * Adjust both the source register and memory operand to make an
++             * equivalent instruction.
++             *
+              * EA       += BitOffset DIV op_bytes*8
+              * BitOffset = BitOffset MOD op_bytes*8
+              * DIV truncates towards negative infinity.
+@@ -1767,14 +1773,15 @@
+                 src.val = (int32_t)src.val;
+             if ( (long)src.val < 0 )
+             {
+-                unsigned long byte_offset;
+-                byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
++                unsigned long byte_offset =
++                    op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
++
+                 ea.mem.off -= byte_offset;
+                 src.val = (byte_offset << 3) + src.val;
+             }
+             else
+             {
+-                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
++                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
+                 src.val &= (op_bytes << 3) - 1;
+             }
+         }
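Review bot: the fix works because op_bytes is narrower than ea.mem.off, so the old ~(op_bytes - 1) produced a 32-bit mask that zero-extended and chopped the high bits of (src.val >> 3); writing the constant as 1L widens the subtraction to long. That intent is invisible in the expression and a later cleanup could "simplify" 1L back to 1; either add a comment or write the mask as ~(unsigned long)(op_bytes - 1). The new block comment above the arithmetic explains the bt offset transform well and should stay.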

Index: pkgsrc/sysutils/xentools42/patches/patch-XSA-197-1
diff -u /dev/null pkgsrc/sysutils/xentools42/patches/patch-XSA-197-1:1.1
--- /dev/null   Tue Nov 22 20:55:30 2016
+++ pkgsrc/sysutils/xentools42/patches/patch-XSA-197-1  Tue Nov 22 20:55:29 2016
@@ -0,0 +1,69 @@
+$NetBSD: patch-XSA-197-1,v 1.1 2016/11/22 20:55:29 bouyer Exp $
+
+backported from:
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: xen: fix ioreq handling
+
+Avoid double fetches and bounds check size to avoid overflowing
+internal variables.
+
+This is XSA-197.
+
+Reported-by: yanghongke <yanghongke%huawei.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Ian Jackson <ian.jackson%eu.citrix.com@localhost>
+
+--- qemu-xen-traditional/i386-dm/helper2.c.orig        2014-01-09 13:44:42.000000000 +0100
++++ qemu-xen-traditional/i386-dm/helper2.c     2016-11-22 16:17:44.000000000 +0100
+@@ -355,6 +355,11 @@
+ 
+     sign = req->df ? -1 : 1;
+ 
++    if (req->size > sizeof(unsigned long)) {
++        fprintf(stderr, "PIO: bad size (%u)\n", req->size);
++        exit(-1);
++    }
++
+     if (req->dir == IOREQ_READ) {
+         if (!req->data_is_ptr) {
+             req->data = do_inp(env, req->addr, req->size);
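Review bot: the PIO bound is sizeof(unsigned long), which is 8 on LP64 and 4 on a 32-bit build, so the limit is pinned to the return type of do_inp rather than to anything in the ioreq protocol; say so in a comment, otherwise it reads as an arbitrary constant. Two style points: the rest of this file reports through fprintf(logfile, ...) (see the "Badness in I/O request" message in the last hunk), so use logfile rather than stderr here; and exit(-1) yields status 255, where exit(1) is the conventional hard-failure status. Taking the device model down on a malformed request is the right fail-closed reaction.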
+@@ -390,6 +395,11 @@
+ 
+     sign = req->df ? -1 : 1;
+ 
++    if (req->size > sizeof(req->data)) {
++        fprintf(stderr, "MMIO: bad size (%u)\n", req->size);
++        exit(-1);
++    }
++
+     if (!req->data_is_ptr) {
+         if (req->dir == IOREQ_READ) {
+             for (i = 0; i < req->count; i++) {
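Review bot: the MMIO bound is sizeof(req->data), the 64-bit field itself, not the sizeof(unsigned long) used for PIO; both are correct for their own accumulators but differ on 32-bit builds, so a comment on each stating what it protects will keep them from being "harmonised" later. The loop that follows still iterates req->count times; this hunk only validates size, so make sure count is bounded elsewhere.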
+@@ -505,11 +515,13 @@
+         req.df = 1;
+         req.type = buf_req->type;
+         req.data_is_ptr = 0;
++        xen_rmb();
+         qw = (req.size == 8);
+         if (qw) {
+             buf_req = &buffered_io_page->buf_ioreq[
+                 (buffered_io_page->read_pointer+1) % IOREQ_BUFFER_SLOT_NUM];
+             req.data |= ((uint64_t)buf_req->data) << 32;
++            xen_rmb();
+         }
+ 
+         __handle_ioreq(env, &req);
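Review bot: the first xen_rmb() lands after req.size, req.type and the other fields have been copied out of buf_req, so from here the handler must use only the local req (it does) and the compiler can no longer re-read the shared slot; the second barrier after the high-word read does the same for the qw path. That qw path consumes a second ring slot at read_pointer + 1, and the loop condition that guards slot availability is outside this hunk; confirm it accounts for two slots when req.size == 8, or the high word can be read from a slot the guest has not yet written.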
+@@ -542,7 +554,11 @@
+ 
+     __handle_buffered_iopage(env);
+     if (req) {
+-        __handle_ioreq(env, req);
++        ioreq_t copy = *req;
++
++        xen_rmb();
++        __handle_ioreq(env, &copy);
++        req->data = copy.data;
+ 
+         if (req->state != STATE_IOREQ_INPROCESS) {
+             fprintf(logfile, "Badness in I/O request ... not in service?!: "
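Review bot: after handling the private copy, req->state is still read from the shared page for the "not in service" check rather than from copy.state, which leaves one fetch the guest can still race. It only feeds a diagnostic, so the consequence is a misleading log line rather than corruption, but using copy.state here and keeping shared-page reads for the state transition that follows would close the gap completely. Writing back only req->data is correct as long as data is the sole output field of __handle_ioreq.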
Index: pkgsrc/sysutils/xentools42/patches/patch-XSA-197-2
diff -u /dev/null pkgsrc/sysutils/xentools42/patches/patch-XSA-197-2:1.1
--- /dev/null   Tue Nov 22 20:55:30 2016
+++ pkgsrc/sysutils/xentools42/patches/patch-XSA-197-2  Tue Nov 22 20:55:29 2016
@@ -0,0 +1,67 @@
+$NetBSD: patch-XSA-197-2,v 1.1 2016/11/22 20:55:29 bouyer Exp $
+
+Backported from:
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: xen: fix ioreq handling
+
+Avoid double fetches and bounds check size to avoid overflowing
+internal variables.
+
+This is XSA-197.
+
+Reported-by: yanghongke <yanghongke%huawei.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Stefano Stabellini <sstabellini%kernel.org@localhost>
+
+--- qemu-xen/xen-all.c.orig    2016-11-22 15:13:15.000000000 +0100
++++ qemu-xen/xen-all.c 2016-11-22 16:19:25.000000000 +0100
+@@ -661,6 +661,10 @@
+ 
+     sign = req->df ? -1 : 1;
+ 
++    if (req->size > sizeof(uint32_t)) {
++        hw_error("PIO: bad size (%u)", req->size);
++    }
++
+     if (req->dir == IOREQ_READ) {
+         if (!req->data_is_ptr) {
+             req->data = do_inp(req->addr, req->size);
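Review bot: the PIO bound is sizeof(uint32_t) here but sizeof(unsigned long) in the qemu-xen-traditional patch (patch-XSA-197-1), so on LP64 the two device models accept different maximum PIO sizes (4 versus 8 bytes); each presumably matches its own do_inp return type, but a comment naming that type would make the divergence look intentional rather than accidental. hw_error() aborting the process is the right fail-closed choice.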
+@@ -696,6 +700,10 @@
+ 
+     sign = req->df ? -1 : 1;
+ 
++    if (req->size > sizeof(req->data)) {
++        hw_error("MMIO: bad size (%u)", req->size);
++    }
++
+     if (!req->data_is_ptr) {
+         if (req->dir == IOREQ_READ) {
+             for (i = 0; i < req->count; i++) {
+@@ -783,11 +791,13 @@
+         req.df = 1;
+         req.type = buf_req->type;
+         req.data_is_ptr = 0;
++        xen_rmb();
+         qw = (req.size == 8);
+         if (qw) {
+             buf_req = &state->buffered_io_page->buf_ioreq[
+                 (state->buffered_io_page->read_pointer + 1) % IOREQ_BUFFER_SLOT_NUM];
+             req.data |= ((uint64_t)buf_req->data) << 32;
++            xen_rmb();
+         }
+ 
+         handle_ioreq(&req);
+@@ -819,7 +829,11 @@
+ 
+     handle_buffered_iopage(state);
+     if (req) {
+-        handle_ioreq(req);
++        ioreq_t copy = *req;
++
++        xen_rmb();
++        handle_ioreq(&copy);
++        req->data = copy.data;
+ 
+         if (req->state != STATE_IOREQ_INPROCESS) {
+             fprintf(stderr, "Badness in I/O request ... not in service?!: "
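Review bot: same shape as the traditional device model hunk: handle_ioreq works on copy, only copy.data is propagated back, and the req->state comparison that follows still reads the shared ring. Check that handle_ioreq has no other out-fields in ioreq_t that the consumer of the shared page expects to see updated; if it has, they are now silently dropped, and if it has not, a comment saying data is the only output would make the single write-back line self-explanatory.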
Index: pkgsrc/sysutils/xentools42/patches/patch-XSA-198
diff -u /dev/null pkgsrc/sysutils/xentools42/patches/patch-XSA-198:1.1
--- /dev/null   Tue Nov 22 20:55:30 2016
+++ pkgsrc/sysutils/xentools42/patches/patch-XSA-198    Tue Nov 22 20:55:29 2016
@@ -0,0 +1,58 @@
+$NetBSD: patch-XSA-198,v 1.1 2016/11/22 20:55:29 bouyer Exp $
+
+Backported from:
+
+From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson%eu.citrix.com@localhost>
+Date: Thu, 3 Nov 2016 16:37:40 +0000
+Subject: [PATCH] pygrub: Properly quote results, when returning them to the
+ caller:
+
+* When the caller wants sexpr output, use `repr()'
+  This is what Xend expects.
+
+  The returned S-expressions are now escaped and quoted by Python,
+  generally using '...'.  Previously kernel and ramdisk were unquoted
+  and args was quoted with "..." but without proper escaping.  This
+  change may break toolstacks which do not properly dequote the
+  returned S-expressions.
+
+* When the caller wants "simple" output, crash if the delimiter is
+  contained in the returned value.
+
+  With --output-format=simple it does not seem like this could ever
+  happen, because the bootloader config parsers all take line-based
+  input from the various bootloader config files.
+
+  With --output-format=simple0, this can happen if the bootloader
+  config file contains nul bytes.
+
+This is XSA-198.
+
+Signed-off-by: Ian Jackson <Ian.Jackson%eu.citrix.com@localhost>
+Tested-by: Ian Jackson <Ian.Jackson%eu.citrix.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+--- pygrub/src/pygrub.orig     2014-09-02 08:22:57.000000000 +0200
++++ pygrub/src/pygrub  2016-11-22 16:30:40.000000000 +0100
+@@ -683,14 +683,17 @@
+     return cfg
+ 
+ def format_sxp(kernel, ramdisk, args):
+-    s = "linux (kernel %s)" % kernel
++    s = "linux (kernel %s)" % repr(kernel)
+     if ramdisk:
+-        s += "(ramdisk %s)" % ramdisk
++        s += "(ramdisk %s)" % repr(ramdisk)
+     if args:
+-        s += "(args \"%s\")" % args
++        s += "(args %s)" % repr(args)
+     return s
+                 
+ def format_simple(kernel, ramdisk, args, sep):
++    for check in (kernel, ramdisk, args):
++        if check is not None and sep in check:
++            raise RuntimeError, "simple format cannot represent delimiter-containing value"
+     s = ("kernel %s" % kernel) + sep
+     if ramdisk:
+         s += ("ramdisk %s" % ramdisk) + sep
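Review bot: two points on the pygrub hunk. In format_sxp, repr() on a Python 2 unicode object yields u'...', which a consumer expecting S-expression strings will not dequote; the values come from the bootloader config parsers, so confirm they are byte strings (str), or coerce with str() before repr(). In format_simple, "raise RuntimeError, msg" is Python 2-only syntax; raise RuntimeError("...") behaves identically here and also parses under Python 3. Refusing rather than escaping is the right call for the simple and simple0 formats, since the caller splits on the delimiter and the commit message describes no escaping convention.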


