add patch from upstream to fix lock order inversion possibly leading to deadlock (CVE-2013-4494) bump PKGREVdiff -r1.27 -r1.28 pkgsrc/sysutils/xenkernel41/Makefile
(drochner)
@@ -1,20 +1,20 @@ | @@ -1,20 +1,20 @@ | |||
1 | # $NetBSD: Makefile,v 1.27 2013/10/22 19:41:58 drochner Exp $ | 1 | # $NetBSD: Makefile,v 1.28 2013/11/23 14:04:59 drochner Exp $ | |
2 | # | 2 | # | |
3 | 3 | |||
4 | VERSION= 4.1.6.1 | 4 | VERSION= 4.1.6.1 | |
5 | DISTNAME= xen-${VERSION} | 5 | DISTNAME= xen-${VERSION} | |
6 | PKGNAME= xenkernel41-${VERSION} | 6 | PKGNAME= xenkernel41-${VERSION} | |
7 | PKGREVISION= 2 | 7 | PKGREVISION= 3 | |
8 | CATEGORIES= sysutils | 8 | CATEGORIES= sysutils | |
9 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | 9 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | |
10 | 10 | |||
11 | MAINTAINER= cegger@NetBSD.org | 11 | MAINTAINER= cegger@NetBSD.org | |
12 | HOMEPAGE= http://xen.org/ | 12 | HOMEPAGE= http://xen.org/ | |
13 | COMMENT= Xen 4.1.x Kernel | 13 | COMMENT= Xen 4.1.x Kernel | |
14 | 14 | |||
15 | LICENSE= gnu-gpl-v2 | 15 | LICENSE= gnu-gpl-v2 | |
16 | 16 | |||
17 | ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64 | 17 | ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64 | |
18 | ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386 | 18 | ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386 | |
19 | 19 | |||
20 | NO_CONFIGURE= yes | 20 | NO_CONFIGURE= yes |
@@ -1,19 +1,20 @@ | @@ -1,19 +1,20 @@ | |||
1 | $NetBSD: distinfo,v 1.21 2013/10/22 19:41:58 drochner Exp $ | 1 | $NetBSD: distinfo,v 1.22 2013/11/23 14:04:59 drochner Exp $ | |
2 | 2 | |||
3 | SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 | 3 | SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 | |
4 | RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 | 4 | RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 | |
5 | Size (xen-4.1.6.1.tar.gz) = 10428485 bytes | 5 | Size (xen-4.1.6.1.tar.gz) = 10428485 bytes | |
6 | SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 | 6 | SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 | |
7 | SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a | 7 | SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a | |
8 | SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 | 8 | SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 | |
9 | SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f | 9 | SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f | |
10 | SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 | 10 | SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 | |
11 | SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241 | 11 | SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241 | |
12 | SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15 | 12 | SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15 | |
13 | SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3 | |||
13 | SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 | 14 | SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 | |
14 | SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b | 15 | SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b | |
15 | SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 | 16 | SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 | |
16 | SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b | 17 | SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b | |
17 | SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289 | 18 | SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289 | |
18 | SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0 | 19 | SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0 | |
19 | SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70 | 20 | SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70 |
$NetBSD: patch-CVE-2013-4494,v 1.1 2013/11/23 14:04:59 drochner Exp $
http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg00225.html
--- xen/common/grant_table.c.orig 2013-09-10 06:42:18.000000000 +0000
+++ xen/common/grant_table.c 2013-11-19 16:46:13.000000000 +0000
@@ -1459,6 +1459,8 @@ gnttab_transfer(
for ( i = 0; i < count; i++ )
{
+ bool_t okay;
+
if (i && hypercall_preempt_check())
return i;
@@ -1555,16 +1557,18 @@ gnttab_transfer(
* pages when it is dying.
*/
if ( unlikely(e->is_dying) ||
- unlikely(e->tot_pages >= e->max_pages) ||
- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
+ unlikely(e->tot_pages >= e->max_pages) )
{
- if ( !e->is_dying )
- gdprintk(XENLOG_INFO, "gnttab_transfer: "
- "Transferee has no reservation "
- "headroom (%d,%d) or provided a bad grant ref (%08x) "
- "or is dying (%d)\n",
- e->tot_pages, e->max_pages, gop.ref, e->is_dying);
spin_unlock(&e->page_alloc_lock);
+
+ if ( e->is_dying )
+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
+ "Transferee (d%d) is dying\n", e->domain_id);
+ else
+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
+ "Transferee (d%d) has no headroom (tot %u, max %u)\n",
+ e->domain_id, e->tot_pages, e->max_pages);
+
rcu_unlock_domain(e);
page->count_info &= ~(PGC_count_mask|PGC_allocated);
free_domheap_page(page);
@@ -1575,6 +1579,37 @@ gnttab_transfer(
/* Okay, add the page to 'e'. */
if ( unlikely(e->tot_pages++ == 0) )
get_knownalive_domain(e);
+
+ /*
+ * We must drop the lock to avoid a possible deadlock in
+ * gnttab_prepare_for_transfer. We have reserved a page in e so can
+ * safely drop the lock and re-aquire it later to add page to the
+ * pagelist.
+ */
+ spin_unlock(&e->page_alloc_lock);
+ okay = gnttab_prepare_for_transfer(e, d, gop.ref);
+ spin_lock(&e->page_alloc_lock);
+
+ if ( unlikely(!okay) || unlikely(e->is_dying) )
+ {
+ bool_t drop_dom_ref = (e->tot_pages-- == 1);
+
+ spin_unlock(&e->page_alloc_lock);
+
+ if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
+ "Transferee (d%d) is now dying\n", e->domain_id);
+
+ if ( drop_dom_ref )
+ put_domain(e);
+ rcu_unlock_domain(e);
+
+ page->count_info &= ~(PGC_count_mask|PGC_allocated);
+ free_domheap_page(page);
+ gop.status = GNTST_general_error;
+ goto copyback;
+ }
+
page_list_add_tail(page, &e->page_list);
page_set_owner(page, e);