update to 4.1.3 also add security patches from upstream (for CVE-2012-3497, no patches are available yet) changes: -fixes for vulnerabilities were integrated -many bug fixes and improvements, Highlights are: -Updates for the latest Intel/AMD CPU revisions -Bug fixes for IOMMU handling (device passthrough to HVM guests) approved by maintainer

(drochner)

 @@ -1,20 +1,19 @@
-# $NetBSD: Makefile,v 1.11 2012/08/10 09:59:47 drochner Exp $
+# $NetBSD: Makefile,v 1.12 2012/09/12 11:04:17 drochner Exp $
+#
-VERSION=	4.1.2
+VERSION=	4.1.3
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
 PKGREVISION=	4
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 EXTRACT_SUFX=	.tar.gz
 MAINTAINER=	cegger@NetBSD.org
 HOMEPAGE=	http://xen.org/
 COMMENT=	Xen 4.1.2 Kernel
 LICENSE=        gnu-gpl-v2
 PKG_DESTDIR_SUPPORT=	user-destdir
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64

 @@ -1,11 +1,10 @@
-$NetBSD: distinfo,v 1.9 2012/08/10 09:59:47 drochner Exp $
+$NetBSD: distinfo,v 1.10 2012/09/12 11:04:17 drochner Exp $
-SHA1 (xen-4.1.2.tar.gz) = db584cb0a0cc614888d7df3b196d514fdb2edd6e
+SHA1 (xen-4.1.3.tar.gz) = 0f688955262d08fba28361ca338f3ad0c0f53d74
-RMD160 (xen-4.1.2.tar.gz) = 457797ec4be286afbbcad940a9ce04e44f3f40d6
+RMD160 (xen-4.1.3.tar.gz) = a6296a16579fd628a1ff2aa64b6b800e4913eeae
-Size (xen-4.1.2.tar.gz) = 10365786 bytes
+Size (xen-4.1.3.tar.gz) = 10382132 bytes
-SHA1 (patch-CVE-2012-3432) = e85b1adf1c683a1d086410f0c4265ed72a86d7fb
+SHA1 (patch-CVE-2012-3494) = 166121ce515aaa2f2e399431be3ca7d2496c79c6
-SHA1 (patch-CVE-2012-3433) = 51ca4a6427c19dc31ba2bd05e4c09027d52a4ebc
+SHA1 (patch-CVE-2012-3496) = c863d3e951d5aaa5659f9e1f38723f8326b8d8b8
 SHA1 (patch-CVE-2012-3498) = 2bb2b40675de498ae9fcc89ba5267b5be4a2c4c1
 SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70
 SHA1 (patch-xsa7-xsa8-xen-4.1) = e48cfd4ae9e7a4d48e059738b3f36074d3982515
 SHA1 (patch-xsa9-xen-4.1) = 4bbefd6426e2a7b36ccecb81cc94dc33af34e4fb

$NetBSD: patch-CVE-2012-3494,v 1.1 2012/09/12 11:04:17 drochner Exp $ see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00181.html --- xen/include/asm-x86/debugreg.h.orig 2012-08-10 13:51:52.000000000 +0000 +++ xen/include/asm-x86/debugreg.h @@ -58,7 +58,7 @@ We can slow the instruction pipeline for instructions coming via the gdt or the ldt if we want to. I am not sure why this is an advantage */ -#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */ +#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */ #define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */ #define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */ #define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */

$NetBSD: patch-CVE-2012-3496,v 1.1 2012/09/12 11:04:17 drochner Exp $ see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html --- xen/arch/x86/mm/p2m.c.orig 2012-08-10 13:51:45.000000000 +0000 +++ xen/arch/x86/mm/p2m.c @@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(st int pod_count = 0; int rc = 0; - BUG_ON(!paging_mode_translate(d)); + if ( !paging_mode_translate(d) ) + return -EINVAL; rc = gfn_check_limit(d, gfn, order); if ( rc != 0 )

$NetBSD: patch-CVE-2012-3498,v 1.1 2012/09/12 11:04:18 drochner Exp $ contains patch for CVE-2012-3495 see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00187.html and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html --- xen/arch/x86/physdev.c.orig 2012-09-12 09:41:55.000000000 +0000 +++ xen/arch/x86/physdev.c @@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq( struct hvm_girq_dpci_mapping *girq; uint32_t machine_gsi = 0; + if ( map->index < 0 || map->index >= NR_HVM_IRQS ) + { + ret = -EINVAL; + break; + } + /* find the machine gsi corresponding to the * emulated gsi */ hvm_irq_dpci = domain_get_irq_dpci(d); if ( hvm_irq_dpci ) { + BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS); list_for_each_entry ( girq, &hvm_irq_dpci->girq[map->index], list ) @@ -587,11 +594,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H break; spin_lock(&d->event_lock); - out.pirq = get_free_pirq(d, out.type, 0); - d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED; + ret = get_free_pirq(d, out.type, 0); + if ( ret >= 0 ) + d->arch.pirq_irq[ret] = PIRQ_ALLOCATED; spin_unlock(&d->event_lock); - ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0; + if ( ret >= 0 ) + { + out.pirq = ret; + ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0; + } rcu_unlock_domain(d); break;