Wed Jun 20 17:54:12 2012 UTC ()
Pullup ticket #3837 - requested by bouyer
sysutils/xenkernel41: security patch

Revisions pulled up:
- sysutils/xenkernel41/Makefile                                 1.7
- sysutils/xenkernel41/patch-xsa7-xsa8-xen-4.1                  deleted
- sysutils/xenkernel41/patch-xsa9-xen-4.1                       deleted
- sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1          1.1
- sysutils/xenkernel41/patches/patch-xsa9-xen-4.1               1.1

---
   Module Name:	pkgsrc
   Committed By:	bouyer
   Date:		Tue Jun 19 20:17:07 UTC 2012

   Modified Files:
   	pkgsrc/sysutils/xenkernel41: Makefile
   Added Files:
   	pkgsrc/sysutils/xenkernel41/patches: patch-xsa7-xsa8-xen-4.1
   	    patch-xsa9-xen-4.1
   Removed Files:
   	pkgsrc/sysutils/xenkernel41: patch-xsa7-xsa8-xen-4.1 patch-xsa9-xen-4.1

   Log Message:
   Move patches to the right place. Bump PKGREVISION


(tron)
diff -r1.5.4.1 -r1.5.4.2 pkgsrc/sysutils/xenkernel41/Makefile
diff -r1.1.2.2 -r0 pkgsrc/sysutils/xenkernel41/patch-xsa7-xsa8-xen-4.1
diff -r1.1.2.2 -r0 pkgsrc/sysutils/xenkernel41/patch-xsa9-xen-4.1
diff -r0 -r1.1.2.2 pkgsrc/sysutils/xenkernel41/patches/patch-xsa7-xsa8-xen-4.1
diff -r0 -r1.1.2.2 pkgsrc/sysutils/xenkernel41/patches/patch-xsa9-xen-4.1

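--- a/pkgsrc/sysutils/xenkernel41/Attic/Makefile
+++ b/pkgsrc/sysutils/xenkernel41/Attic/Makefile
@@ -1,20 +1,20 @@
-# $NetBSD: Makefile,v 1.5.4.1 2012/06/13 11:06:17 tron Exp $
+# $NetBSD: Makefile,v 1.5.4.2 2012/06/20 17:54:12 tron Exp $
 #
 
 VERSION= 4.1.2
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
 EXTRACT_SUFX= .tar.gz
 
 MAINTAINER= cegger@NetBSD.org
 HOMEPAGE= http://xen.org/
 COMMENT= Xen 4.1.2 Kernel
 
 LICENSE= gnu-gpl-v2
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
 ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64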

File Deleted: pkgsrc/sysutils/xenkernel41/Attic/patch-xsa7-xsa8-xen-4.1

File Deleted: pkgsrc/sysutils/xenkernel41/Attic/patch-xsa9-xen-4.1

File Added: pkgsrc/sysutils/xenkernel41/patches/Attic/patch-xsa7-xsa8-xen-4.1
$NetBSD: patch-xsa7-xsa8-xen-4.1,v 1.1.2.2 2012/06/20 17:54:12 tron Exp $

diff -r 35248be669e7 xen/arch/x86/x86_64/asm-offsets.c
--- xen/arch/x86/x86_64/asm-offsets.c.orig	Mon May 14 16:59:12 2012 +0100
+++ xen/arch/x86/x86_64/asm-offsets.c	Thu May 24 11:12:33 2012 +0100
@@ -90,6 +90,8 @@ void __dummy__(void)
            arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
     OFFSET(VCPU_gp_fault_sel, struct vcpu,
            arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
+    OFFSET(VCPU_gp_fault_flags, struct vcpu,
+           arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
     OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
     OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
     OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
diff -r 35248be669e7 xen/arch/x86/x86_64/compat/entry.S
--- xen/arch/x86/x86_64/compat/entry.S.orig	Mon May 14 16:59:12 2012 +0100
+++ xen/arch/x86/x86_64/compat/entry.S	Thu May 24 11:12:33 2012 +0100
@@ -214,6 +214,7 @@ 1:      call  compat_create_bounce_frame
 ENTRY(compat_post_handle_exception)
         testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
         jz    compat_test_all_events
+.Lcompat_bounce_exception:
         call  compat_create_bounce_frame
         movb  $0,TRAPBOUNCE_flags(%rdx)
         jmp   compat_test_all_events
@@ -226,19 +227,20 @@ ENTRY(compat_syscall)
         leaq  VCPU_trap_bounce(%rbx),%rdx
         testl $~3,%esi
         leal  (,%rcx,TBF_INTERRUPT),%ecx
-        jz    2f
-1:      movq  %rax,TRAPBOUNCE_eip(%rdx)
+UNLIKELY_START(z, compat_syscall_gpf)
+        movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+        subl  $2,UREGS_rip(%rsp)
+        movl  $0,TRAPBOUNCE_error_code(%rdx)
+        movl  VCPU_gp_fault_addr(%rbx),%eax
+        movzwl VCPU_gp_fault_sel(%rbx),%esi
+        testb $4,VCPU_gp_fault_flags(%rbx)
+        setnz %cl
+        leal  TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
+UNLIKELY_END(compat_syscall_gpf)
+        movq  %rax,TRAPBOUNCE_eip(%rdx)
         movw  %si,TRAPBOUNCE_cs(%rdx)
         movb  %cl,TRAPBOUNCE_flags(%rdx)
-        call  compat_create_bounce_frame
-        jmp   compat_test_all_events
-2:      movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
-        subl  $2,UREGS_rip(%rsp)
-        movq  VCPU_gp_fault_addr(%rbx),%rax
-        movzwl VCPU_gp_fault_sel(%rbx),%esi
-        movb  $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
-        movl  $0,TRAPBOUNCE_error_code(%rdx)
-        jmp   1b
+        jmp   .Lcompat_bounce_exception
 
 ENTRY(compat_sysenter)
         cmpl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
diff -r 35248be669e7 xen/arch/x86/x86_64/entry.S
--- xen/arch/x86/x86_64/entry.S.orig	Mon May 14 16:59:12 2012 +0100
+++ xen/arch/x86/x86_64/entry.S	Thu May 24 11:12:33 2012 +0100
@@ -40,6 +40,13 @@ restore_all_guest:
         testw $TRAP_syscall,4(%rsp)
         jz    iret_exit_to_guest
 
+        /* Don't use SYSRET path if the return address is not canonical. */
+        movq  8(%rsp),%rcx
+        sarq  $47,%rcx
+        incl  %ecx
+        cmpl  $1,%ecx
+        ja    .Lforce_iret
+
         addq  $8,%rsp
         popq  %rcx                    # RIP
         popq  %r11                    # CS
@@ -50,6 +57,10 @@ restore_all_guest:
         sysretq
 1:      sysretl
 
+.Lforce_iret:
+        /* Mimic SYSRET behavior. */
+        movq  8(%rsp),%rcx            # RIP
+        movq  24(%rsp),%r11           # RFLAGS
         ALIGN
 /* No special register assumptions. */
 iret_exit_to_guest:
@@ -278,19 +289,21 @@ sysenter_eflags_saved:
         leaq  VCPU_trap_bounce(%rbx),%rdx
         testq %rax,%rax
         leal  (,%rcx,TBF_INTERRUPT),%ecx
-        jz    2f
-1:      movq  VCPU_domain(%rbx),%rdi
+UNLIKELY_START(z, sysenter_gpf)
+        movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+        subq  $2,UREGS_rip(%rsp)
+        movl  %eax,TRAPBOUNCE_error_code(%rdx)
+        movq  VCPU_gp_fault_addr(%rbx),%rax
+        testb $4,VCPU_gp_fault_flags(%rbx)
+        setnz %cl
+        leal  TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
+UNLIKELY_END(sysenter_gpf)
+        movq  VCPU_domain(%rbx),%rdi
         movq  %rax,TRAPBOUNCE_eip(%rdx)
         movb  %cl,TRAPBOUNCE_flags(%rdx)
         testb $1,DOMAIN_is_32bit_pv(%rdi)
         jnz   compat_sysenter
-        call  create_bounce_frame
-        jmp   test_all_events
-2:      movl  %eax,TRAPBOUNCE_error_code(%rdx)
-        movq  VCPU_gp_fault_addr(%rbx),%rax
-        movb  $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
-        movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
-        jmp   1b
+        jmp   .Lbounce_exception
 
 ENTRY(int80_direct_trap)
         pushq $0
@@ -482,6 +495,7 @@ 1:      movq  %rsp,%rdi
         jnz   compat_post_handle_exception
         testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
         jz    test_all_events
+.Lbounce_exception:
         call  create_bounce_frame
         movb  $0,TRAPBOUNCE_flags(%rdx)
         jmp   test_all_events
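Review bot: The patch file carries no description between the `$NetBSD$` id and the first `diff -r 35248be669e7` header, whereas the sibling patch-xsa9 file explains what it fixes; pkgsrc expects every file under patches/ to start with such a comment, and pkglint reports its absence. A header along the lines of `XSA-7 / XSA-8: refuse the SYSRET fast path when the guest RIP is non-canonical (fall back to IRET), and make the SYSCALL/SYSENTER #GP bounce honour bit 2 of the guest's #GP trap descriptor flags instead of always setting TBF_INTERRUPT` would tell a reader which advisories this covers without opening the Xen tree. The canonical-address test in the restore_all_guest hunk also deserves a line, because `sarq $47` / `incl` / `cmpl $1` is a trick: `# RIP>>47 is 0 or -1 for a canonical address, so +1 yields 0 or 1; anything larger (unsigned) is non-canonical`. Separately, this pullup lists no distinfo revision; pkgsrc checks each patches/ file against its SHA1 record in distinfo and, as far as I recall, skips an unrecorded file with only a warning, so unless distinfo already has entries for these two files the security patches would still not be applied. restore_all_guest, compat_syscall and sysenter_eflags_saved all start outside their hunks.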

File Added: pkgsrc/sysutils/xenkernel41/patches/Attic/patch-xsa9-xen-4.1
$NetBSD: patch-xsa9-xen-4.1,v 1.1.2.2 2012/06/20 17:54:12 tron Exp $

x86-64: detect processors subject to AMD erratum #121 and refuse to boot

Processors with this erratum are subject to a DoS attack by unprivileged
guest users.

This is XSA-9 / CVE-2006-0744.

Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

--- xen/arch/x86/cpu/amd.c.orig
+++ xen/arch/x86/cpu/amd.c
@@ -32,6 +32,9 @@
 static char opt_famrev[14];
 string_param("cpuid_mask_cpu", opt_famrev);
 
+static int opt_allow_unsafe;
+boolean_param("allow_unsafe", opt_allow_unsafe);
+
 static inline void wrmsr_amd(unsigned int index, unsigned int lo, 
 		unsigned int hi)
 {
@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
 		clear_bit(X86_FEATURE_MCE, c->x86_capability);
 
 #ifdef __x86_64__
+	if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
+		panic("Xen will not boot on this CPU for security reasons.\n"
+		      "Pass \"allow_unsafe\" if you're trusting all your"
+		      " (PV) guest kernels.\n");
+
 	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
 	clear_bit(X86_FEATURE_SEP, c->x86_capability);
 
--- xen/include/asm-x86/amd.h.orig
+++ xen/include/asm-x86/amd.h
@@ -127,6 +127,9 @@
 #define AMD_MODEL_RANGE_START(range)    (((range) >> 12) & 0xfff)
 #define AMD_MODEL_RANGE_END(range)      ((range) & 0xfff)
 
+#define AMD_ERRATUM_121                                                 \
+    AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
+
 #define AMD_ERRATUM_170                                                 \
     AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
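Review bot: When `allow_unsafe` is passed on an erratum-121 CPU, the new check in init_amd boots silently, so nothing in the boot log records that the host is running with the protection waived and is exposed to the DoS the patch description names. Emitting a warning on that path keeps the waiver visible to whoever reads the log later, and folding both outcomes into one `if` keeps the erratum test in a single place. The `opt_allow_unsafe` declaration could also carry a comment saying that, as far as this patch shows, the option is consulted only by the erratum-121 check, so a later reader does not assume it disables other safety checks. init_amd's body starts outside the hunk, and the `#ifdef __x86_64__` block the check sits in continues past it.

```c
#ifdef __x86_64__
	if (cpu_has_amd_erratum(c, AMD_ERRATUM_121)) {
		if (!opt_allow_unsafe)
			panic("Xen will not boot on this CPU for security reasons.\n"
			      "Pass \"allow_unsafe\" if you're trusting all your"
			      " (PV) guest kernels.\n");
		/* Operator waived the erratum #121 check: leave a trace in the log. */
		printk(XENLOG_WARNING "AMD erratum #121 present; booting because"
		       " \"allow_unsafe\" was given (untrusted PV guests can"
		       " crash this host).\n");
	}
	/* … unchanged: SYSENTER feature clearing … */
```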