Date: Fri, 17 Apr 2020 12:34:15 +0000
From: "Benny Siegert"
Subject: CVS commit: [pkgsrc-2020Q1] pkgsrc/sysutils/xenkernel411
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20200417123415.20DBAFB27@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Apr 17 12:34:15 UTC 2020

Modified Files:
        pkgsrc/sysutils/xenkernel411 [pkgsrc-2020Q1]: Makefile distinfo
Added Files:
        pkgsrc/sysutils/xenkernel411/patches [pkgsrc-2020Q1]: patch-XSA313
            patch-XSA316 patch-XSA318

Log Message:
Pullup ticket #6160 - requested by bouyer
sysutils/xenkernel411: security fix

Revisions pulled up:
- sysutils/xenkernel411/Makefile                        1.13
- sysutils/xenkernel411/distinfo                        1.10-1.11
- sysutils/xenkernel411/patches/patch-XSA313            1.1
- sysutils/xenkernel411/patches/patch-XSA316            1.1
- sysutils/xenkernel411/patches/patch-XSA318            1.1

---
   Module Name:    pkgsrc
   Committed By:   bouyer
   Date:           Wed Apr 15 15:37:20 UTC 2020

   Modified Files:
           pkgsrc/sysutils/xenkernel411: Makefile distinfo
   Added Files:
           pkgsrc/sysutils/xenkernel411/patches: patch-XSA313 patch-XSA318

   Log Message:
   Apply upstream patches for security issues XSA313 and XSA318.
   Bump PKGREVISION

---
   Module Name:    pkgsrc
   Committed By:   bouyer
   Date:           Wed Apr 15 15:45:05 UTC 2020

   Modified Files:
           pkgsrc/sysutils/xenkernel411: distinfo
   Added Files:
           pkgsrc/sysutils/xenkernel411/patches: patch-XSA316

   Log Message:
   Also apply patch for XSA316.
ride previous PKGREVISION bump To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.12.2.1 pkgsrc/sysutils/xenkernel411/Makefile cvs rdiff -u -r1.9 -r1.9.2.1 pkgsrc/sysutils/xenkernel411/distinfo cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/sysutils/xenkernel411/patches/patch-XSA313 \ pkgsrc/sysutils/xenkernel411/patches/patch-XSA316 \ pkgsrc/sysutils/xenkernel411/patches/patch-XSA318 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1587126855134460 Content-Disposition: inline Content-Length: 11792 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/sysutils/xenkernel411/Makefile diff -u pkgsrc/sysutils/xenkernel411/Makefile:1.12 pkgsrc/sysutils/xenkernel411/Makefile:1.12.2.1 --- pkgsrc/sysutils/xenkernel411/Makefile:1.12 Fri Dec 13 13:44:21 2019 +++ pkgsrc/sysutils/xenkernel411/Makefile Fri Apr 17 12:34:14 2020 @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.12 2019/12/13 13:44:21 bouyer Exp $ +# $NetBSD: Makefile,v 1.12.2.1 2020/04/17 12:34:14 bsiegert Exp $ VERSION= 4.11.3 -PKGREVISION= 1 +PKGREVISION= 2 DISTNAME= xen-${VERSION} PKGNAME= xenkernel411-${VERSION} CATEGORIES= sysutils Index: pkgsrc/sysutils/xenkernel411/distinfo diff -u pkgsrc/sysutils/xenkernel411/distinfo:1.9 pkgsrc/sysutils/xenkernel411/distinfo:1.9.2.1 --- pkgsrc/sysutils/xenkernel411/distinfo:1.9 Fri Dec 13 13:44:21 2019 +++ pkgsrc/sysutils/xenkernel411/distinfo Fri Apr 17 12:34:14 2020 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.9 2019/12/13 13:44:21 bouyer Exp $ +$NetBSD: distinfo,v 1.9.2.1 2020/04/17 12:34:14 bsiegert Exp $ SHA1 (xen411/xen-4.11.3.tar.gz) = 2d77152168d6f9dcea50db9cb8e3e6a0720a4a1b RMD160 (xen411/xen-4.11.3.tar.gz) = cfb2e699842867b60d25a01963c564a6c5e580da 
@@ -10,6 +10,9 @@ SHA1 (patch-XSA308) = bda9ef732e0b6578ce SHA1 (patch-XSA309) = 78cf7306e9d1efcbf2ebf425025d46948ae83019 SHA1 (patch-XSA310) = 77b711f4b75de1d473a6988eb6f2b48e37cc353a SHA1 (patch-XSA311) = 4d3e6cc39c2b95cb3339961271df2bc885667927 +SHA1 (patch-XSA313) = b2f281d6aed1207727cd454dcb5e914c7f6fb44b +SHA1 (patch-XSA316) = 9cce683315e4c1ca6d53b578e69ae71e1db2b3eb +SHA1 (patch-XSA318) = d0dcbb99ab584098aed7995a7a05d5bf4ac28d47 SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6 SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac SHA1 (patch-xen_arch_x86_Rules.mk) = 0bedfc53a128a87b6a249ae04fbdf6a053bfb70b Added files: Index: pkgsrc/sysutils/xenkernel411/patches/patch-XSA313 diff -u /dev/null pkgsrc/sysutils/xenkernel411/patches/patch-XSA313:1.1.2.2 --- /dev/null Fri Apr 17 12:34:15 2020 +++ pkgsrc/sysutils/xenkernel411/patches/patch-XSA313 Fri Apr 17 12:34:14 2020 
@@ -0,0 +1,160 @@ +$NetBSD: patch-XSA313,v 1.1.2.2 2020/04/17 12:34:14 bsiegert Exp $ + +From: Jan Beulich +Subject: xenoprof: clear buffer intended to be shared with guests + +alloc_xenheap_pages() making use of MEMF_no_scrub is fine for Xen +internally used allocations, but buffers allocated to be shared with +(unpriviliged) guests need to be zapped of their prior content. + +This is part of XSA-313. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +Reviewed-by: Wei Liu + +--- xen/common/xenoprof.c.orig ++++ xen/common/xenoprof.c +@@ -253,6 +253,9 @@ static int alloc_xenoprof_struct( + return -ENOMEM; + } + ++ for ( i = 0; i < npages; ++i ) ++ clear_page(d->xenoprof->rawbuf + i * PAGE_SIZE); ++ + d->xenoprof->npages = npages; + d->xenoprof->nbuf = nvcpu; + d->xenoprof->bufsize = bufsize; +From: Jan Beulich +Subject: xenoprof: limit consumption of shared buffer data + +Since a shared buffer can be written to by the guest, we may only read +the head and tail pointers from there (all other fields should only ever +be written to). Furthermore, for any particular operation the two values +must be read exactly once, with both checks and consumption happening +with the thus read values. (The backtrace related xenoprof_buf_space() +use in xenoprof_log_event() is an exception: The values used there get +re-checked by every subsequent xenoprof_add_sample().) + +Since that code needed touching, also fix the double increment of the +lost samples count in case the backtrace related xenoprof_add_sample() +invocation in xenoprof_log_event() fails. + +Where code is being touched anyway, add const as appropriate, but take +the opportunity to entirely drop the now unused domain parameter of +xenoprof_buf_space(). + +This is part of XSA-313. 
+ +Reported-by: Ilja Van Sprundel +Signed-off-by: Jan Beulich +Reviewed-by: George Dunlap +Reviewed-by: Wei Liu + +--- xen/common/xenoprof.c.orig ++++ xen/common/xenoprof.c +@@ -479,25 +479,22 @@ static int add_passive_list(XEN_GUEST_HA + + + /* Get space in the buffer */ +-static int xenoprof_buf_space(struct domain *d, xenoprof_buf_t * buf, int size) ++static int xenoprof_buf_space(int head, int tail, int size) + { +- int head, tail; +- +- head = xenoprof_buf(d, buf, event_head); +- tail = xenoprof_buf(d, buf, event_tail); +- + return ((tail > head) ? 0 : size) + tail - head - 1; + } + + /* Check for space and add a sample. Return 1 if successful, 0 otherwise. */ +-static int xenoprof_add_sample(struct domain *d, xenoprof_buf_t *buf, ++static int xenoprof_add_sample(const struct domain *d, ++ const struct xenoprof_vcpu *v, + uint64_t eip, int mode, int event) + { ++ xenoprof_buf_t *buf = v->buffer; + int head, tail, size; + + head = xenoprof_buf(d, buf, event_head); + tail = xenoprof_buf(d, buf, event_tail); +- size = xenoprof_buf(d, buf, event_size); ++ size = v->event_size; + + /* make sure indexes in shared buffer are sane */ + if ( (head < 0) || (head >= size) || (tail < 0) || (tail >= size) ) +@@ -506,7 +503,7 @@ static int xenoprof_add_sample(struct do + return 0; + } + +- if ( xenoprof_buf_space(d, buf, size) > 0 ) ++ if ( xenoprof_buf_space(head, tail, size) > 0 ) + { + xenoprof_buf(d, buf, event_log[head].eip) = eip; + xenoprof_buf(d, buf, event_log[head].mode) = mode; +@@ -530,7 +527,6 @@ static int xenoprof_add_sample(struct do + int xenoprof_add_trace(struct vcpu *vcpu, uint64_t pc, int mode) + { + struct domain *d = vcpu->domain; +- xenoprof_buf_t *buf = d->xenoprof->vcpu[vcpu->vcpu_id].buffer; + + /* Do not accidentally write an escape code due to a broken frame. 
*/ + if ( pc == XENOPROF_ESCAPE_CODE ) +@@ -539,7 +535,8 @@ int xenoprof_add_trace(struct vcpu *vcpu + return 0; + } + +- return xenoprof_add_sample(d, buf, pc, mode, 0); ++ return xenoprof_add_sample(d, &d->xenoprof->vcpu[vcpu->vcpu_id], ++ pc, mode, 0); + } + + void xenoprof_log_event(struct vcpu *vcpu, const struct cpu_user_regs *regs, +@@ -570,17 +567,22 @@ void xenoprof_log_event(struct vcpu *vcp + /* Provide backtrace if requested. */ + if ( backtrace_depth > 0 ) + { +- if ( (xenoprof_buf_space(d, buf, v->event_size) < 2) || +- !xenoprof_add_sample(d, buf, XENOPROF_ESCAPE_CODE, mode, +- XENOPROF_TRACE_BEGIN) ) ++ if ( xenoprof_buf_space(xenoprof_buf(d, buf, event_head), ++ xenoprof_buf(d, buf, event_tail), ++ v->event_size) < 2 ) + { + xenoprof_buf(d, buf, lost_samples)++; + lost_samples++; + return; + } ++ ++ /* xenoprof_add_sample() will increment lost_samples on failure */ ++ if ( !xenoprof_add_sample(d, v, XENOPROF_ESCAPE_CODE, mode, ++ XENOPROF_TRACE_BEGIN) ) ++ return; + } + +- if ( xenoprof_add_sample(d, buf, pc, mode, event) ) ++ if ( xenoprof_add_sample(d, v, pc, mode, event) ) + { + if ( is_active(vcpu->domain) ) + active_samples++; +--- xen/include/xen/xenoprof.h.orig ++++ xen/include/xen/xenoprof.h +@@ -61,12 +61,12 @@ struct xenoprof { + + #ifndef CONFIG_COMPAT + #define XENOPROF_COMPAT(x) 0 +-#define xenoprof_buf(d, b, field) ((b)->field) ++#define xenoprof_buf(d, b, field) ACCESS_ONCE((b)->field) + #else + #define XENOPROF_COMPAT(x) ((x)->is_compat) +-#define xenoprof_buf(d, b, field) (*(!(d)->xenoprof->is_compat ? \ +- &(b)->native.field : \ +- &(b)->compat.field)) ++#define xenoprof_buf(d, b, field) ACCESS_ONCE(*(!(d)->xenoprof->is_compat \ ++ ? &(b)->native.field \ ++ : &(b)->compat.field)) + #endif + + struct domain; Index: pkgsrc/sysutils/xenkernel411/patches/patch-XSA316 diff -u /dev/null pkgsrc/sysutils/xenkernel411/patches/patch-XSA316:1.1.2.2 
--- /dev/null Fri Apr 17 12:34:15 2020 +++ pkgsrc/sysutils/xenkernel411/patches/patch-XSA316 Fri Apr 17 12:34:14 2020 @@ -0,0 +1,32 @@ +$NetBSD: patch-XSA316,v 1.1.2.2 2020/04/17 12:34:14 bsiegert Exp $ + +From: Ross Lagerwall +Subject: xen/gnttab: Fix error path in map_grant_ref() + +Part of XSA-295 (c/s 863e74eb2cffb) inadvertently re-positioned the brackets, +changing the logic. If the _set_status() call fails, the grant_map hypercall +would fail with a status of 1 (rc != GNTST_okay) instead of the expected +negative GNTST_* error. + +This error path can be taken due to bad guest state, and causes net/blk-back +in Linux to crash. + +This is XSA-316. + +Signed-off-by: Ross Lagerwall +Reviewed-by: Andrew Cooper +Reviewed-by: Julien Grall + +diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c +index 9fd6e60416..4b5344dc21 100644 +--- xen/common/grant_table.c.orig ++++ xen/common/grant_table.c +@@ -1031,7 +1031,7 @@ map_grant_ref( + { + if ( (rc = _set_status(shah, status, rd, rgt->gt_version, act, + op->flags & GNTMAP_readonly, 1, +- ld->domain_id) != GNTST_okay) ) ++ ld->domain_id)) != GNTST_okay ) + goto act_release_out; + + if ( !act->pin ) Index: pkgsrc/sysutils/xenkernel411/patches/patch-XSA318 diff -u /dev/null pkgsrc/sysutils/xenkernel411/patches/patch-XSA318:1.1.2.2 --- /dev/null Fri Apr 17 12:34:15 2020 +++ pkgsrc/sysutils/xenkernel411/patches/patch-XSA318 Fri Apr 17 12:34:14 2020 
@@ -0,0 +1,41 @@ +$NetBSD: patch-XSA318,v 1.1.2.2 2020/04/17 12:34:14 bsiegert Exp $ + +From: Jan Beulich +Subject: gnttab: fix GNTTABOP_copy continuation handling + +The XSA-226 fix was flawed - the backwards transformation on rc was done +too early, causing a continuation to not get invoked when the need for +preemption was determined at the very first iteration of the request. +This in particular means that all of the status fields of the individual +operations would be left untouched, i.e. set to whatever the caller may +or may not have initialized them to. + +This is part of XSA-318. + +Reported-by: Pawel Wieczorkiewicz +Tested-by: Pawel Wieczorkiewicz +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross + +--- xen/common/grant_table.c.orig ++++ xen/common/grant_table.c +@@ -3576,8 +3576,7 @@ do_grant_table_op( + rc = gnttab_copy(copy, count); + if ( rc > 0 ) + { +- rc = count - rc; +- guest_handle_add_offset(copy, rc); ++ guest_handle_add_offset(copy, count - rc); + uop = guest_handle_cast(copy, void); + } + break; +@@ -3644,6 +3643,9 @@ do_grant_table_op( + out: + if ( rc > 0 || opaque_out != 0 ) + { ++ /* Adjust rc, see gnttab_copy() for why this is needed. */ ++ if ( cmd == GNTTABOP_copy ) ++ rc = count - rc; + ASSERT(rc < count); + ASSERT((opaque_out & GNTTABOP_CMD_MASK) == 0); + rc = hypercall_create_continuation(__HYPERVISOR_grant_table_op, "ihi", --_----------=_1587126855134460--
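
Review bot: The clear_page() loop in the alloc_xenoprof_struct() hunk of patch-XSA313 has no comment, so the reason for it lives only in the commit message. A one-line comment above `for ( i = 0; i < npages; ++i )` saying that rawbuf is shared with guests and was allocated without scrubbing would keep a later cleanup from dropping the loop as redundant.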
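
Review bot: The backtrace check in the xenoprof_log_event() hunk of patch-XSA313 passes event_head and event_tail straight from the shared buffer into xenoprof_buf_space(), without the range check that xenoprof_add_sample() applies (`(head < 0) || (head >= size) || (tail < 0) || (tail >= size)`). The commit message explains that this is acceptable because every subsequent xenoprof_add_sample() re-reads and re-checks the values, but nothing at the call site says so. A comment there, or one on xenoprof_buf_space() stating that callers must validate head and tail before acting on the result, would make the exception visible to the next person touching this code.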
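
Review bot: With xenoprof_buf() now expanding to ACCESS_ONCE() in the xen/include/xen/xenoprof.h hunk, the unchanged `xenoprof_buf(d, buf, lost_samples)++;` in xenoprof_log_event() is still a read followed by a write of a guest-writable field, which does not match the commit message's rule that only the head and tail pointers are read from the shared buffer. The value read is only written back, so this looks harmless, but it deserves a note next to the macro that it is used for increments and stores as well as loads, or the counter could be kept in Xen-private state and only copied out.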
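
Review bot: The one-line fix in the map_grant_ref() hunk of patch-XSA316 keeps the assignment inside the if condition, which is the construct that let the misplaced parenthesis go unnoticed in the first place. Assigning first (`rc = _set_status(...);`) and testing `if ( rc != GNTST_okay )` on the following line would remove the need to count brackets here and make a repeat of the same slip much harder.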
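
Review bot: In the `out:` hunk of patch-XSA318, `rc = count - rc;` runs for GNTTABOP_copy whenever the enclosing `if ( rc > 0 || opaque_out != 0 )` is entered, including through the opaque_out branch with rc at 0 or below, where the result would be at least count and trip `ASSERT(rc < count)`. The visible lines do not show that opaque_out is always 0 for GNTTABOP_copy. If that is the invariant, state it in the new comment; otherwise guard the adjustment with `rc > 0`.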