Sat Nov 23 14:04:59 2013 UTC ()

add patch from upstream to fix lock order inversion possibly leading
to deadlock (CVE-2013-4494)
bump PKGREV


(drochner)

diff -r1.27 -r1.28 pkgsrc/sysutils/xenkernel41/Makefile
diff -r1.21 -r1.22 pkgsrc/sysutils/xenkernel41/distinfo
diff -r0 -r1.1 pkgsrc/sysutils/xenkernel41/patches/patch-CVE-2013-4494

--- pkgsrc/sysutils/xenkernel41/Attic/Makefile 2013/10/22 19:41:58 1.27
+++ pkgsrc/sysutils/xenkernel41/Attic/Makefile 2013/11/23 14:04:59 1.28

 @@ -1,20 +1,20 @@
-# $NetBSD: Makefile,v 1.27 2013/10/22 19:41:58 drochner Exp $
+# $NetBSD: Makefile,v 1.28 2013/11/23 14:04:59 drochner Exp $
+#
 VERSION=	4.1.6.1
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 MAINTAINER=	cegger@NetBSD.org
 HOMEPAGE=	http://xen.org/
 COMMENT=	Xen 4.1.x Kernel
 LICENSE=        gnu-gpl-v2
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+=	NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386
 NO_CONFIGURE=	yes

--- pkgsrc/sysutils/xenkernel41/Attic/distinfo 2013/10/22 19:41:58 1.21
+++ pkgsrc/sysutils/xenkernel41/Attic/distinfo 2013/11/23 14:04:59 1.22

 @@ -1,19 +1,20 @@
-$NetBSD: distinfo,v 1.21 2013/10/22 19:41:58 drochner Exp $
+$NetBSD: distinfo,v 1.22 2013/11/23 14:04:59 drochner Exp $
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
 SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a
 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
 SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
 SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b
 SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289
 SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70

$NetBSD: patch-CVE-2013-4494,v 1.1 2013/11/23 14:04:59 drochner Exp $

http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg00225.html

--- xen/common/grant_table.c.orig	2013-09-10 06:42:18.000000000 +0000
+++ xen/common/grant_table.c	2013-11-19 16:46:13.000000000 +0000
@@ -1459,6 +1459,8 @@ gnttab_transfer(
 
     for ( i = 0; i < count; i++ )
     {
+        bool_t okay;
+
         if (i && hypercall_preempt_check())
             return i;
 
@@ -1555,16 +1557,18 @@ gnttab_transfer(
          * pages when it is dying.
          */
         if ( unlikely(e->is_dying) ||
-             unlikely(e->tot_pages >= e->max_pages) ||
-             unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
+             unlikely(e->tot_pages >= e->max_pages) )
         {
-            if ( !e->is_dying )
-                gdprintk(XENLOG_INFO, "gnttab_transfer: "
-                        "Transferee has no reservation "
-                        "headroom (%d,%d) or provided a bad grant ref (%08x) "
-                        "or is dying (%d)\n",
-                        e->tot_pages, e->max_pages, gop.ref, e->is_dying);
             spin_unlock(&e->page_alloc_lock);
+
+            if ( e->is_dying )
+                gdprintk(XENLOG_INFO, "gnttab_transfer: "
+                         "Transferee (d%d) is dying\n", e->domain_id);
+            else
+                gdprintk(XENLOG_INFO, "gnttab_transfer: "
+                         "Transferee (d%d) has no headroom (tot %u, max %u)\n",
+                         e->domain_id, e->tot_pages, e->max_pages);
+
             rcu_unlock_domain(e);
             page->count_info &= ~(PGC_count_mask|PGC_allocated);
             free_domheap_page(page);
@@ -1575,6 +1579,37 @@ gnttab_transfer(
         /* Okay, add the page to 'e'. */
         if ( unlikely(e->tot_pages++ == 0) )
             get_knownalive_domain(e);
+
+        /*
+         * We must drop the lock to avoid a possible deadlock in
+         * gnttab_prepare_for_transfer.  We have reserved a page in e so can
+         * safely drop the lock and re-aquire it later to add page to the
+         * pagelist.
+         */
+        spin_unlock(&e->page_alloc_lock);
+        okay = gnttab_prepare_for_transfer(e, d, gop.ref);
+        spin_lock(&e->page_alloc_lock);
+
+        if ( unlikely(!okay) || unlikely(e->is_dying) )
+        {
+            bool_t drop_dom_ref = (e->tot_pages-- == 1);
+
+            spin_unlock(&e->page_alloc_lock);
+
+            if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
+                gdprintk(XENLOG_INFO, "gnttab_transfer: "
+                         "Transferee (d%d) is now dying\n", e->domain_id);
+
+            if ( drop_dom_ref )
+                put_domain(e);
+            rcu_unlock_domain(e);
+
+            page->count_info &= ~(PGC_count_mask|PGC_allocated);
+            free_domheap_page(page);
+            gop.status = GNTST_general_error;
+            goto copyback;
+        }
+
         page_list_add_tail(page, &e->page_list);
         page_set_owner(page, e);