From: "Manuel Bouyer"
Subject: CVS commit: pkgsrc/sysutils
To: pkgsrc-changes@NetBSD.org
Reply-To: bouyer@netbsd.org
Date: Tue, 22 Nov 2016 20:59:02 +0000
Message-Id: <20161122205902.31238FBA6@cvs.NetBSD.org>
List-Id: pkgsrc-changes.NetBSD.org

Module Name:	pkgsrc
Committed By:	bouyer
Date:		Tue Nov 22 20:59:02 UTC 2016

Modified Files:
	pkgsrc/sysutils/xenkernel46: Makefile distinfo
	pkgsrc/sysutils/xentools46: Makefile distinfo
Added Files:
	pkgsrc/sysutils/xenkernel46/patches: patch-XSA-191 patch-XSA-192 patch-XSA-193 patch-XSA-195 patch-XSA-196-1 patch-XSA-196-2
	pkgsrc/sysutils/xentools46/patches: patch-XSA-197-1 patch-XSA-197-2 patch-XSA-198

Log Message:
Backport upstream patches, fixing today's XSA 191, 192, 193, 195, 197, 198.
Bump PKGREVISIONs

To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/sysutils/xenkernel46/Makefile
cvs rdiff -u -r1.2 -r1.3 pkgsrc/sysutils/xenkernel46/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel46/patches/patch-XSA-191 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-192 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-193 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-195 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-1 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-2
cvs rdiff -u -r1.3 -r1.4 pkgsrc/sysutils/xentools46/Makefile
cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/sysutils/xentools46/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools46/patches/patch-XSA-197-1 \
    pkgsrc/sysutils/xentools46/patches/patch-XSA-197-2 \
    pkgsrc/sysutils/xentools46/patches/patch-XSA-198

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: pkgsrc/sysutils/xenkernel46/Makefile diff -u pkgsrc/sysutils/xenkernel46/Makefile:1.3 pkgsrc/sysutils/xenkernel46/Makefile:1.4 --- pkgsrc/sysutils/xenkernel46/Makefile:1.3 Thu Sep 8 15:44:07 2016 +++ pkgsrc/sysutils/xenkernel46/Makefile Tue Nov 22 20:59:01 2016 @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.3 2016/09/08 15:44:07 bouyer Exp $ +# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $ VERSION= 4.6.3 DISTNAME= xen-${VERSION} PKGNAME= xenkernel46-${VERSION} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ Index: pkgsrc/sysutils/xenkernel46/distinfo diff -u pkgsrc/sysutils/xenkernel46/distinfo:1.2 pkgsrc/sysutils/xenkernel46/distinfo:1.3 --- pkgsrc/sysutils/xenkernel46/distinfo:1.2 Thu Sep 8 15:44:07 2016 +++ pkgsrc/sysutils/xenkernel46/distinfo Tue Nov 22 20:59:01 2016 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.2 2016/09/08 15:44:07 bouyer Exp $ +$NetBSD: distinfo,v 1.3 2016/11/22 20:59:01 bouyer Exp $ SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349 RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
@@ -10,6 +10,12 @@ SHA1 (patch-XSA-186-1) = 71e4a6c4c683891 SHA1 (patch-XSA-186-2) = 6094c2efe468e3f31712659be9a71af2cbe8dc1f SHA1 (patch-XSA-187-1) = 55ea0c2d9c7d8d9476a5ab97342ff552be4faf56 SHA1 (patch-XSA-187-2) = f5308fee03a5d73c8aa283eb82cc36a6a3d3bc06 +SHA1 (patch-XSA-191) = adf1b0d6d8a17b6585fd0ecbe0ca77517623e0af +SHA1 (patch-XSA-192) = b8b289f4af6b2cebeea16246398d2c473a9e90c1 +SHA1 (patch-XSA-193) = 89fdeea8af25de42bbd207df1b2f3dcd3b61778f +SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7 +SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee +SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03 Index: pkgsrc/sysutils/xentools46/Makefile diff -u pkgsrc/sysutils/xentools46/Makefile:1.3 pkgsrc/sysutils/xentools46/Makefile:1.4 --- pkgsrc/sysutils/xentools46/Makefile:1.3 Sat Jul 9 13:04:08 2016 +++ pkgsrc/sysutils/xentools46/Makefile Tue Nov 22 20:59:01 2016 @@ -1,11 +1,11 @@ -# $NetBSD: Makefile,v 1.3 2016/07/09 13:04:08 wiz Exp $ +# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $ VERSION= 4.6.3 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} PKGNAME= xentools46-${VERSION} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ Index: pkgsrc/sysutils/xentools46/distinfo diff -u pkgsrc/sysutils/xentools46/distinfo:1.1.1.1 pkgsrc/sysutils/xentools46/distinfo:1.2 --- pkgsrc/sysutils/xentools46/distinfo:1.1.1.1 Mon Jul 4 07:30:49 2016 +++ pkgsrc/sysutils/xentools46/distinfo Tue Nov 22 20:59:01 2016 
@@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.1.1.1 2016/07/04 07:30:49 jnemeth Exp $ +$NetBSD: distinfo,v 1.2 2016/11/22 20:59:01 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 @@ -20,6 +20,9 @@ SHA1 (patch-.._docs_man_xlcpupool.cfg.po SHA1 (patch-.._docs_misc_xl-disk-configuration.txt) = 5b59cfc2569d1a4c10d6c0fcb98ed35278723b79 SHA1 (patch-Makefile) = 87defa487fcc7ba36fada41a7347e2f969f59045 SHA1 (patch-Rules.mk) = ec0af52c494718204f15adac30ddd06713ff572c +SHA1 (patch-XSA-197-1) = 4d373d23cd7032cc505300d865b6eaa8e80e2290 +SHA1 (patch-XSA-197-2) = 3dc303f22d0744f64eb4552f4de10fc11f32bb01 +SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7 SHA1 (patch-configure) = a58d149de07613fb03444234278778a6a24b9b26 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff Added files: Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-191 diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-191:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-191 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,140 @@ +$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Andrew Cooper +Subject: x86/hvm: Fix the handling of non-present segments + +In 32bit, the data segments may be NULL to indicate that the segment is +ineligible for use. In both 32bit and 64bit, the LDT selector may be NULL to +indicate that the entire LDT is ineligible for use. However, nothing in Xen +actually checks for this condition when performing other segmentation +checks. (Note however that limit and writeability checks are correctly +performed). + +Neither Intel nor AMD specify the exact behaviour of loading a NULL segment. +Experimentally, AMD zeroes all attributes but leaves the base and limit +unmodified. Intel zeroes the base, sets the limit to 0xfffffff and resets the +attributes to just .G and .D/B. + +The use of the segment information in the VMCB/VMCS is equivalent to a native +pipeline interacting with the segment cache. The present bit can therefore +have a subtly different meaning, and it is now cooked to uniformly indicate +whether the segment is usable or not. + +GDTR and IDTR don't have access rights like the other segments, but for +consistency, they are treated as being present so no special casing is needed +elsewhere in the segmentation logic. + +AMD hardware does not consider the present bit for %cs and %tr, and will +function as if they were present. They are therefore unconditionally set to +present when reading information from the VMCB, to maintain the new meaning of +usability. + +Intel hardware has a separate unusable bit in the VMCS segment attributes. +This bit is inverted and stored in the present field, so the hvm code can work +with architecturally-common state. + +This is XSA-191. + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich + +--- xen/arch/x86/hvm/hvm.c.orig ++++ xen/arch/x86/hvm/hvm.c +@@ -3666,6 +3666,10 @@ int hvm_virtual_to_linear_addr( + * COMPATIBILITY MODE: Apply segment checks and add base. 
+ */ + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !reg->attr.fields.p ) ++ return 0; ++ + switch ( access_type ) + { + case hvm_access_read: +@@ -3871,6 +3875,10 @@ static int hvm_load_segment_selector( + hvm_get_segment_register( + v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab); + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !desctab.attr.fields.p ) ++ goto fail; ++ + /* Check against descriptor table limit. */ + if ( ((sel & 0xfff8) + 7) > desctab.limit ) + goto fail; +--- xen/arch/x86/hvm/svm/svm.c.orig ++++ xen/arch/x86/hvm/svm/svm.c +@@ -620,6 +620,7 @@ static void svm_get_segment_register(str + { + case x86_seg_cs: + memcpy(reg, &vmcb->cs, sizeof(*reg)); ++ reg->attr.fields.p = 1; + reg->attr.fields.g = reg->limit > 0xFFFFF; + break; + case x86_seg_ds: +@@ -653,13 +654,16 @@ static void svm_get_segment_register(str + case x86_seg_tr: + svm_sync_vmcb(v); + memcpy(reg, &vmcb->tr, sizeof(*reg)); ++ reg->attr.fields.p = 1; + reg->attr.fields.type |= 0x2; + break; + case x86_seg_gdtr: + memcpy(reg, &vmcb->gdtr, sizeof(*reg)); ++ reg->attr.bytes = 0x80; + break; + case x86_seg_idtr: + memcpy(reg, &vmcb->idtr, sizeof(*reg)); ++ reg->attr.bytes = 0x80; + break; + case x86_seg_ldtr: + svm_sync_vmcb(v); +--- xen/arch/x86/hvm/vmx/vmx.c.orig ++++ xen/arch/x86/hvm/vmx/vmx.c +@@ -867,10 +867,12 @@ void vmx_get_segment_register(struct vcp + reg->sel = sel; + reg->limit = limit; + +- reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00); +- /* Unusable flag is folded into Present flag. */ +- if ( attr & (1u<<16) ) +- reg->attr.fields.p = 0; ++ /* ++ * Fold VT-x representation into Xen's representation. The Present bit is ++ * unconditionally set to the inverse of unusable. 
++ */ ++ reg->attr.bytes = ++ (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00); + + /* Adjust for virtual 8086 mode */ + if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr +@@ -950,11 +952,11 @@ static void vmx_set_segment_register(str + } + } + +- attr = ((attr & 0xf00) << 4) | (attr & 0xff); +- +- /* Not-present must mean unusable. */ +- if ( !reg->attr.fields.p ) +- attr |= (1u << 16); ++ /* ++ * Unfold Xen representation into VT-x representation. The unusable bit ++ * is unconditionally set to the inverse of present. ++ */ ++ attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff); + + /* VMX has strict consistency requirement for flag G. */ + attr |= !!(limit >> 20) << 15; +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -1209,6 +1209,10 @@ protmode_load_seg( + &desctab, ctxt)) ) + return rc; + ++ /* Segment not valid for use (cooked meaning of .p)? */ ++ if ( !desctab.attr.fields.p ) ++ goto raise_exn; ++ + /* Check against descriptor table limit. */ + if ( ((sel & 0xfff8) + 7) > desctab.limit ) + goto raise_exn; Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-192 diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-192:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-192 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,66 @@ +$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Jan Beulich +Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch + +Just like TR, LDTR is purely a protected mode facility and hence needs +to be loaded accordingly. Also move its loading to where it +architecurally belongs. + +This is XSA-192. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +Tested-by: Andrew Cooper + +--- xen/arch/x86/hvm/hvm.c.orig ++++ xen/arch/x86/hvm/hvm.c +@@ -2728,17 +2728,16 @@ static void hvm_unmap_entry(void *p) + } + + static int hvm_load_segment_selector( +- enum x86_segment seg, uint16_t sel) ++ enum x86_segment seg, uint16_t sel, unsigned int eflags) + { + struct segment_register desctab, cs, segr; + struct desc_struct *pdesc, desc; + u8 dpl, rpl, cpl; + bool_t writable; + int fault_type = TRAP_invalid_tss; +- struct cpu_user_regs *regs = guest_cpu_user_regs(); + struct vcpu *v = current; + +- if ( regs->eflags & X86_EFLAGS_VM ) ++ if ( eflags & X86_EFLAGS_VM ) + { + segr.sel = sel; + segr.base = (uint32_t)sel << 4; +@@ -2986,6 +2985,8 @@ void hvm_task_switch( + if ( rc != HVMCOPY_okay ) + goto out; + ++ if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) ) ++ goto out; + + if ( hvm_set_cr3(tss.cr3, 1) ) + goto out; +@@ -3008,13 +3009,12 @@ void hvm_task_switch( + } + + exn_raised = 0; +- if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || +- hvm_load_segment_selector(x86_seg_es, tss.es) || +- hvm_load_segment_selector(x86_seg_cs, tss.cs) || +- hvm_load_segment_selector(x86_seg_ss, tss.ss) || +- hvm_load_segment_selector(x86_seg_ds, tss.ds) || +- hvm_load_segment_selector(x86_seg_fs, tss.fs) || +- hvm_load_segment_selector(x86_seg_gs, tss.gs) ) ++ if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) || ++ 
hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) || ++ hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) ) + exn_raised = 1; + + rc = hvm_copy_to_guest_virt( Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-193 diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-193:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-193 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,70 @@ +$NetBSD: patch-XSA-193,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Jan Beulich +Subject: x86/PV: writes of %fs and %gs base MSRs require canonical addresses + +Commit c42494acb2 ("x86: fix FS/GS base handling when using the +fsgsbase feature") replaced the use of wrmsr_safe() on these paths +without recognizing that wr{f,g}sbase() use just wrmsrl() and that the +WR{F,G}SBASE instructions also raise #GP for non-canonical input. + +Similarly arch_set_info_guest() needs to prevent non-canonical +addresses from getting stored into state later to be loaded by context +switch code. For consistency also check stack pointers and LDT base. +DR0..3, otoh, already get properly checked in set_debugreg() (albeit +we discard the error there). + +The SHADOW_GS_BASE check isn't strictly necessary, but I think we +better avoid trying the WRMSR if we know it's going to fail. + +This is XSA-193. + +Reported-by: Andrew Cooper +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- xen/arch/x86/domain.c.orig ++++ xen/arch/x86/domain.c +@@ -890,7 +890,13 @@ int arch_set_info_guest( + { + if ( !compat ) + { +- if ( !is_canonical_address(c.nat->user_regs.eip) || ++ if ( !is_canonical_address(c.nat->user_regs.rip) || ++ !is_canonical_address(c.nat->user_regs.rsp) || ++ !is_canonical_address(c.nat->kernel_sp) || ++ (c.nat->ldt_ents && !is_canonical_address(c.nat->ldt_base)) || ++ !is_canonical_address(c.nat->fs_base) || ++ !is_canonical_address(c.nat->gs_base_kernel) || ++ !is_canonical_address(c.nat->gs_base_user) || + !is_canonical_address(c.nat->event_callback_eip) || + !is_canonical_address(c.nat->syscall_callback_eip) || + !is_canonical_address(c.nat->failsafe_callback_eip) ) +--- xen/arch/x86/traps.c.orig ++++ xen/arch/x86/traps.c +@@ -2723,19 +2723,22 @@ static int emulate_privileged_op(struct + switch ( regs->_ecx ) + { + case MSR_FS_BASE: +- if ( is_pv_32bit_domain(currd) ) ++ if ( is_pv_32bit_domain(currd) || ++ !is_canonical_address(msr_content) ) + 
goto fail; + wrfsbase(msr_content); + v->arch.pv_vcpu.fs_base = msr_content; + break; + case MSR_GS_BASE: +- if ( is_pv_32bit_domain(currd) ) ++ if ( is_pv_32bit_domain(currd) || ++ !is_canonical_address(msr_content) ) + goto fail; + wrgsbase(msr_content); + v->arch.pv_vcpu.gs_base_kernel = msr_content; + break; + case MSR_SHADOW_GS_BASE: +- if ( is_pv_32bit_domain(currd) ) ++ if ( is_pv_32bit_domain(currd) || ++ !is_canonical_address(msr_content) ) + goto fail; + if ( wrmsr_safe(MSR_SHADOW_GS_BASE, msr_content) ) + goto fail; Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-195 diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-195:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-195 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,47 @@ +$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Jan Beulich +Subject: x86emul: fix huge bit offset handling + +We must never chop off the high 32 bits. + +This is XSA-195. + +Reported-by: George Dunlap +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -2549,6 +2549,12 @@ x86_emulate( + else + { + /* ++ * Instructions such as bt can reference an arbitrary offset from ++ * their memory operand, but the instruction doing the actual ++ * emulation needs the appropriate op_bytes read from memory. ++ * Adjust both the source register and memory operand to make an ++ * equivalent instruction. ++ * + * EA += BitOffset DIV op_bytes*8 + * BitOffset = BitOffset MOD op_bytes*8 + * DIV truncates towards negative infinity. +@@ -2560,14 +2566,15 @@ x86_emulate( + src.val = (int32_t)src.val; + if ( (long)src.val < 0 ) + { +- unsigned long byte_offset; +- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); ++ unsigned long byte_offset = ++ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L)); ++ + ea.mem.off -= byte_offset; + src.val = (byte_offset << 3) + src.val; + } + else + { +- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); ++ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L); + src.val &= (op_bytes << 3) - 1; + } + } Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-1 diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-1:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-1 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,63 @@ +$NetBSD: patch-XSA-196-1,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Andrew Cooper +Subject: x86/emul: Correct the IDT entry calculation in inject_swint() + +The logic, as introduced in c/s 36ebf14ebe "x86/emulate: support for emulating +software event injection" is buggy. The size of an IDT entry depends on long +mode being active, not the width of the code segment currently in use. + +In particular, this means that a compatibility code segment which hits +emulation for software event injection will end up using an incorrect offset +in the IDT for DPL/Presence checking. In practice, this only occurs on old +AMD hardware lacking NRip support; all newer AMD hardware, and all Intel +hardware bypass this path in the emulator. + +While here, fix a minor issue with reading the IDT entry. The return value +from ops->read() wasn't checked, but in reality the only failure case is if a +pagefault occurs. This is not a realistic problem as the kernel will almost +certainly crash with a double fault if this setup actually occured. + +This is part of XSA-196. + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +--- + xen/arch/x86/x86_emulate/x86_emulate.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index 7a707dc..f74aa8f 100644 +--- xen/arch/x86/x86_emulate/x86_emulate.c.orig ++++ xen/arch/x86/x86_emulate/x86_emulate.c +@@ -1630,10 +1630,16 @@ static int inject_swint(enum x86_swint_type type, + { + if ( !in_realmode(ctxt, ops) ) + { +- unsigned int idte_size = (ctxt->addr_size == 64) ? 16 : 8; +- unsigned int idte_offset = vector * idte_size; ++ unsigned int idte_size, idte_offset; + struct segment_register idtr; + uint32_t idte_ctl; ++ int lm = in_longmode(ctxt, ops); ++ ++ if ( lm < 0 ) ++ return X86EMUL_UNHANDLEABLE; ++ ++ idte_size = lm ? 
16 : 8; ++ idte_offset = vector * idte_size; + + /* icebp sets the External Event bit despite being an instruction. */ + error_code = (vector << 3) | ECODE_IDT | +@@ -1661,8 +1667,9 @@ static int inject_swint(enum x86_swint_type type, + * Should strictly speaking read all 8/16 bytes of an entry, + * but we currently only care about the dpl and present bits. + */ +- ops->read(x86_seg_none, idtr.base + idte_offset + 4, +- &idte_ctl, sizeof(idte_ctl), ctxt); ++ if ( (rc = ops->read(x86_seg_none, idtr.base + idte_offset + 4, ++ &idte_ctl, sizeof(idte_ctl), ctxt)) ) ++ goto done; + + /* Is this entry present? */ + if ( !(idte_ctl & (1u << 15)) ) Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-2 diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-2:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-196-2 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,78 @@ +$NetBSD: patch-XSA-196-2,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Andrew Cooper +Subject: x86/svm: Fix injection of software interrupts + +The non-NextRip logic in c/s 36ebf14eb "x86/emulate: support for emulating +software event injection" was based on an older version of the AMD software +manual. The manual was later corrected, following findings from that series. + +I took the original wording of "not supported without NextRIP" to mean that +X86_EVENTTYPE_SW_INTERRUPT was not eligible for use. It turns out that this +is not the case, and the new wording is clearer on the matter. + +Despite testing the original patch series on non-NRip hardware, the +swint-emulation XTF test case focuses on the debug vectors; it never ended up +executing an `int $n` instruction for a vector which wasn't also an exception. + +During a vmentry, the use of X86_EVENTTYPE_HW_EXCEPTION comes with a vector +check to ensure that it is only used with exception vectors. Xen's use of +X86_EVENTTYPE_HW_EXCEPTION for `int $n` injection has always been buggy on AMD +hardware. + +Fix this by always using X86_EVENTTYPE_SW_INTERRUPT. + +Print and decode the eventinj information in svm_vmcb_dump(), as it has +several invalid combinations which cause vmentry failures. + +This is part of XSA-196. + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +--- + xen/arch/x86/hvm/svm/svm.c | 13 +++++-------- + xen/arch/x86/hvm/svm/svmdebug.c | 4 ++++ + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c +index 4391744..76efc3e 100644 +--- xen/arch/x86/hvm/svm/svm.c.orig ++++ xen/arch/x86/hvm/svm/svm.c +@@ -1231,17 +1231,14 @@ static void svm_inject_trap(const struct hvm_trap *trap) + { + case X86_EVENTTYPE_SW_INTERRUPT: /* int $n */ + /* +- * Injection type 4 (software interrupt) is only supported with +- * NextRIP support. Without NextRIP, the emulator will have performed +- * DPL and presence checks for us. 
++ * Software interrupts (type 4) cannot be properly injected if the ++ * processor doesn't support NextRIP. Without NextRIP, the emulator ++ * will have performed DPL and presence checks for us, and will have ++ * moved eip forward if appropriate. + */ + if ( cpu_has_svm_nrips ) +- { + vmcb->nextrip = regs->eip + _trap.insn_len; +- event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; +- } +- else +- event.fields.type = X86_EVENTTYPE_HW_EXCEPTION; ++ event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; + break; + + case X86_EVENTTYPE_PRI_SW_EXCEPTION: /* icebp */ +diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c +index ded5d19..f93dfed 100644 +--- xen/arch/x86/hvm/svm/svmdebug.c.orig ++++ xen/arch/x86/hvm/svm/svmdebug.c +@@ -48,6 +48,10 @@ void svm_vmcb_dump(const char *from, struct vmcb_struct *vmcb) + vmcb->tlb_control, + (unsigned long long)vmcb->_vintr.bytes, + (unsigned long long)vmcb->interrupt_shadow); ++ printk("eventinj %016"PRIx64", valid? %d, ec? %d, type %u, vector %#x\n", ++ vmcb->eventinj.bytes, vmcb->eventinj.fields.v, ++ vmcb->eventinj.fields.ev, vmcb->eventinj.fields.type, ++ vmcb->eventinj.fields.vector); + printk("exitcode = %#Lx exitintinfo = %#Lx\n", + (unsigned long long)vmcb->exitcode, + (unsigned long long)vmcb->exitintinfo.bytes); Index: pkgsrc/sysutils/xentools46/patches/patch-XSA-197-1 diff -u /dev/null pkgsrc/sysutils/xentools46/patches/patch-XSA-197-1:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xentools46/patches/patch-XSA-197-1 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,67 @@ +$NetBSD: patch-XSA-197-1,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Jan Beulich +Subject: xen: fix ioreq handling + +Avoid double fetches and bounds check size to avoid overflowing +internal variables. + +This is XSA-197. + +Reported-by: yanghongke +Signed-off-by: Jan Beulich +Reviewed-by: Ian Jackson + +--- qemu-xen-traditional/i386-dm/helper2.c.orig ++++ qemu-xen-traditional/i386-dm/helper2.c +@@ -375,6 +375,11 @@ static void cpu_ioreq_pio(CPUState *env, + { + uint32_t i; + ++ if (req->size > sizeof(unsigned long)) { ++ fprintf(stderr, "PIO: bad size (%u)\n", req->size); ++ exit(-1); ++ } ++ + if (req->dir == IOREQ_READ) { + if (!req->data_is_ptr) { + req->data = do_inp(env, req->addr, req->size); +@@ -404,6 +409,11 @@ static void cpu_ioreq_move(CPUState *env + { + uint32_t i; + ++ if (req->size > sizeof(req->data)) { ++ fprintf(stderr, "MMIO: bad size (%u)\n", req->size); ++ exit(-1); ++ } ++ + if (!req->data_is_ptr) { + if (req->dir == IOREQ_READ) { + for (i = 0; i < req->count; i++) { +@@ -516,11 +526,13 @@ static int __handle_buffered_iopage(CPUS + req.df = 1; + req.type = buf_req->type; + req.data_is_ptr = 0; ++ xen_rmb(); + qw = (req.size == 8); + if (qw) { + buf_req = &buffered_io_page->buf_ioreq[(rdptr + 1) % + IOREQ_BUFFER_SLOT_NUM]; + req.data |= ((uint64_t)buf_req->data) << 32; ++ xen_rmb(); + } + + __handle_ioreq(env, &req); +@@ -552,7 +564,11 @@ static void cpu_handle_ioreq(void *opaqu + + __handle_buffered_iopage(env); + if (req) { +- __handle_ioreq(env, req); ++ ioreq_t copy = *req; ++ ++ xen_rmb(); ++ __handle_ioreq(env, ©); ++ req->data = copy.data; + + if (req->state != STATE_IOREQ_INPROCESS) { + fprintf(logfile, "Badness in I/O request ... not in service?!: " Index: pkgsrc/sysutils/xentools46/patches/patch-XSA-197-2 diff -u /dev/null pkgsrc/sysutils/xentools46/patches/patch-XSA-197-2:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xentools46/patches/patch-XSA-197-2 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,65 @@ +$NetBSD: patch-XSA-197-2,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From: Jan Beulich +Subject: xen: fix ioreq handling + +Avoid double fetches and bounds check size to avoid overflowing +internal variables. + +This is XSA-197. + +Reported-by: yanghongke +Signed-off-by: Jan Beulich +Reviewed-by: Stefano Stabellini + +--- qemu-xen/xen-hvm.c.orig ++++ qemu-xen/xen-hvm.c +@@ -817,6 +817,10 @@ static void cpu_ioreq_pio(ioreq_t *req) + { + uint32_t i; + ++ if (req->size > sizeof(uint32_t)) { ++ hw_error("PIO: bad size (%u)", req->size); ++ } ++ + if (req->dir == IOREQ_READ) { + if (!req->data_is_ptr) { + req->data = do_inp(req->addr, req->size); +@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req) + { + uint32_t i; + ++ if (req->size > sizeof(req->data)) { ++ hw_error("MMIO: bad size (%u)", req->size); ++ } ++ + if (!req->data_is_ptr) { + if (req->dir == IOREQ_READ) { + for (i = 0; i < req->count; i++) { +@@ -999,11 +1007,13 @@ static int handle_buffered_iopage(XenIOS + req.df = 1; + req.type = buf_req->type; + req.data_is_ptr = 0; ++ xen_rmb(); + qw = (req.size == 8); + if (qw) { + buf_req = &buf_page->buf_ioreq[(rdptr + 1) % + IOREQ_BUFFER_SLOT_NUM]; + req.data |= ((uint64_t)buf_req->data) << 32; ++ xen_rmb(); + } + + handle_ioreq(state, &req); +@@ -1034,7 +1044,11 @@ static void cpu_handle_ioreq(void *opaqu + + handle_buffered_iopage(state); + if (req) { +- handle_ioreq(state, req); ++ ioreq_t copy = *req; ++ ++ xen_rmb(); ++ handle_ioreq(state, ©); ++ req->data = copy.data; + + if (req->state != STATE_IOREQ_INPROCESS) { + fprintf(stderr, "Badness in I/O request ... not in service?!: " Index: pkgsrc/sysutils/xentools46/patches/patch-XSA-198 diff -u /dev/null pkgsrc/sysutils/xentools46/patches/patch-XSA-198:1.1 --- /dev/null Tue Nov 22 20:59:02 2016 +++ pkgsrc/sysutils/xentools46/patches/patch-XSA-198 Tue Nov 22 20:59:01 2016 
@@ -0,0 +1,64 @@ +$NetBSD: patch-XSA-198,v 1.1 2016/11/22 20:59:01 bouyer Exp $ + +From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001 +From: Ian Jackson +Date: Thu, 3 Nov 2016 16:37:40 +0000 +Subject: [PATCH] pygrub: Properly quote results, when returning them to the + caller: + +* When the caller wants sexpr output, use `repr()' + This is what Xend expects. + + The returned S-expressions are now escaped and quoted by Python, + generally using '...'. Previously kernel and ramdisk were unquoted + and args was quoted with "..." but without proper escaping. This + change may break toolstacks which do not properly dequote the + returned S-expressions. + +* When the caller wants "simple" output, crash if the delimiter is + contained in the returned value. + + With --output-format=simple it does not seem like this could ever + happen, because the bootloader config parsers all take line-based + input from the various bootloader config files. + + With --output-format=simple0, this can happen if the bootloader + config file contains nul bytes. + +This is XSA-198. 
+ +Signed-off-by: Ian Jackson +Tested-by: Ian Jackson +Reviewed-by: Andrew Cooper +--- + tools/pygrub/src/pygrub | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub +index 40f9584..dd0c8f7 100755 +--- pygrub/src/pygrub.orig ++++ pygrub/src/pygrub +@@ -721,14 +721,17 @@ def sniff_netware(fs, cfg): + return cfg + + def format_sxp(kernel, ramdisk, args): +- s = "linux (kernel %s)" % kernel ++ s = "linux (kernel %s)" % repr(kernel) + if ramdisk: +- s += "(ramdisk %s)" % ramdisk ++ s += "(ramdisk %s)" % repr(ramdisk) + if args: +- s += "(args \"%s\")" % args ++ s += "(args %s)" % repr(args) + return s + + def format_simple(kernel, ramdisk, args, sep): ++ for check in (kernel, ramdisk, args): ++ if check is not None and sep in check: ++ raise RuntimeError, "simple format cannot represent delimiter-containing value" + s = ("kernel %s" % kernel) + sep + if ramdisk: + s += ("ramdisk %s" % ramdisk) + sep +-- +2.1.4 +
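Review bot: the xenkernel46/distinfo hunk (@@ -10,6 +10,12 @@) adds SHA1 lines for patch-XSA-196-1 and patch-XSA-196-2, but the commit log only names XSA 191, 192, 193, 195, 197 and 198. Please add XSA-196 to the log so that the set of advisories covered by PKGREVISION 2 can be read off the commit message alone.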
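Review bot: in the svm_get_segment_register hunk of patch-XSA-191, the gdtr and idtr cases replace the whole attribute byte with the literal `reg->attr.bytes = 0x80;` right after the memcpy, while the cs and tr cases only set `reg->attr.fields.p = 1;`. The description says GDTR/IDTR have no access rights and are treated as present for consistency, so a one-line comment next to the 0x80 (".p only, every other attribute bit cleared") would stop the next reader from taking the asymmetry for an oversight.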
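Review bot: in the vmx_get_segment_register and vmx_set_segment_register hunks of patch-XSA-191 the hardware P bit no longer participates at all: on the way in, `attr & 0x7f` masks bit 7 out and it is rebuilt as `(!(attr & (1u << 16)) << 7)`, and on the way out the unusable bit is rebuilt as `(!(attr & (1u << 7)) << 16)`. Before the change a usable entry with P clear read as not present; now it reads as present. That is the "cooked" meaning the description introduces, but the new comments only say the bit is "unconditionally set to the inverse"; adding that the raw VMCS P bit is deliberately ignored would make the precedence explicit.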
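Review bot: in the hvm_task_switch hunk of patch-XSA-192 the LDTR load moves ahead of hvm_set_cr3 and now fails with `goto out`, whereas the six selectors loaded later still feed the `exn_raised = 1` chain. Please confirm that a failing LDTR load on the new early-exit path still delivers the fault to the guest, since that path does not set exn_raised. A short comment at the new call site explaining why eflags is passed as 0 rather than tss.eflags (the description says LDTR is a protected-mode-only facility, the code does not) would also help.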
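Review bot: in the arch_set_info_guest hunk of patch-XSA-193 the first condition changes from `c.nat->user_regs.eip` to `c.nat->user_regs.rip` alongside the new rsp, kernel_sp, ldt_base, fs_base and gs_base checks. That rename is a functional change (the canonical check is now applied to the full instruction pointer field), but the description only mentions stack pointers and the LDT base; it deserves a sentence of its own. Note also that ldt_base is only validated when `ldt_ents` is non-zero, which is fine as long as nothing downstream reads ldt_base for an empty LDT.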
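Review bot: in the x86_emulate hunk of patch-XSA-195 the entire fix is the `L` suffix in `~(op_bytes - 1L)` (twice), which widens the mask to long before the complement so the high 32 bits of the shifted bit offset are no longer discarded. A suffix like that is easy to lose in a later cleanup; writing it as `~(unsigned long)(op_bytes - 1)` or adding a one-line comment about the mask width would document the intent better than the suffix alone.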
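Review bot: in the inject_swint hunk of patch-XSA-196-1 the `in_longmode()` failure returns X86EMUL_UNHANDLEABLE directly, while the new `ops->read()` failure a few lines below goes through `rc = ...; goto done;`. Both are error exits of the same function; using the rc/goto done form for the first as well keeps cleanup uniform, or, if nothing needs undoing at that point, a short comment saying so would justify the direct return.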
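Review bot: in the svm_inject_trap hunk of patch-XSA-196-2 the event type is now X86_EVENTTYPE_SW_INTERRUPT on every CPU, yet the rewritten comment opens by saying software interrupts "cannot be properly injected" without NextRIP. Since the code then relies on the emulator having already advanced eip, say so directly (without NRIP, vmentry uses the already-advanced eip as the return address, so no nextrip is needed); as written, the comment reads as if the non-NRIP case were still unsupported.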
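Review bot: the PIO size bound differs between the two XSA-197 patches: the cpu_ioreq_pio hunk in patch-XSA-197-1 (qemu-xen-traditional) rejects `req->size > sizeof(unsigned long)`, while the same hunk in patch-XSA-197-2 (qemu-xen) rejects `req->size > sizeof(uint32_t)`. A port access is at most four bytes and sizeof(unsigned long) is 8 on a 64-bit build, so the traditional variant still admits sizes 5..8; if do_inp/do_outp there cannot handle those, tighten the check to match the qemu-xen one, otherwise a comment on why the two limits differ would avoid the question being asked again.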
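Review bot: in the cpu_handle_ioreq hunks of both XSA-197 patches the call reads `__handle_ioreq(env, ©)` and `handle_ioreq(state, ©)`. Given `ioreq_t copy = *req;` two lines above, the source must be `&copy`, so the `©` is an `&copy` entity conversion introduced between the patch file and this mail. Verify that the checked-in patch files carry the literal `&copy`; the distinfo SHA1 entries for patch-XSA-197-1 and patch-XSA-197-2 in this commit will catch a mangled copy at build time.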
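Review bot: in the format_simple hunk of patch-XSA-198 the new check uses the Python 2 tuple form `raise RuntimeError, "..."`, which is a SyntaxError under Python 3; pygrub in 4.6 runs under Python 2 so it works, but `raise RuntimeError("...")` is valid in both and costs nothing. The format_sxp hunk's switch to repr() changes the quoting of every returned S-expression, and the description explicitly warns that toolstacks which do not dequote them may break, so that behaviour change is worth a line in the pkgsrc commit log for xentools46 users with their own toolstack.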