Fri Mar 28 16:07:08 2014 UTC ()
add patch from upstream (XSA-89) to fix:
Processing of the HVMOP_set_mem_access HVM control operations does not
check the size of its input and can tie up a physical CPU for extended
periods of time.
bump PKGREV


(drochner)
diff -r1.34 -r1.35 pkgsrc/sysutils/xenkernel41/Makefile
diff -r1.26 -r1.27 pkgsrc/sysutils/xenkernel41/distinfo
diff -r1.2 -r1.3 pkgsrc/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1

cvs diff -r1.34 -r1.35 pkgsrc/sysutils/xenkernel41/Attic/Makefile (expand / switch to unified diff)

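--- a/pkgsrc/sysutils/xenkernel41/Attic/Makefile
+++ b/pkgsrc/sysutils/xenkernel41/Attic/Makefile
@@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.34 2014/03/06 15:45:45 joerg Exp $
+# $NetBSD: Makefile,v 1.35 2014/03/28 16:07:08 drochner Exp $
 
 VERSION= 4.1.6.1
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 7
+PKGREVISION= 8
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
 
 MAINTAINER= cegger@NetBSD.org
 HOMEPAGE= http://xen.org/
 COMMENT= Xen 4.1.x Kernel
 
 LICENSE= gnu-gpl-v2
 
 ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386
 
 NO_CONFIGURE= yes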

cvs diff -r1.26 -r1.27 pkgsrc/sysutils/xenkernel41/Attic/distinfo (expand / switch to unified diff)

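--- a/pkgsrc/sysutils/xenkernel41/Attic/distinfo
+++ b/pkgsrc/sysutils/xenkernel41/Attic/distinfo
@@ -1,20 +1,20 @@
-$NetBSD: distinfo,v 1.26 2014/02/20 17:37:25 drochner Exp $
+$NetBSD: distinfo,v 1.27 2014/03/28 16:07:08 drochner Exp $
 
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
-SHA1 (patch-CVE-2013-4355_1) = a28e4fc0cbe5409a759e689ff1af82792f560a39
+SHA1 (patch-CVE-2013-4355_1) = 91fb26907b2ac7d2435a6efce000569b71523247
 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
 SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
 SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
 SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
 SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d
 SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d
 SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2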

cvs diff -r1.2 -r1.3 pkgsrc/sysutils/xenkernel41/patches/Attic/patch-CVE-2013-4355_1 (expand / switch to unified diff)

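--- a/pkgsrc/sysutils/xenkernel41/patches/Attic/patch-CVE-2013-4355_1
+++ b/pkgsrc/sysutils/xenkernel41/patches/Attic/patch-CVE-2013-4355_1
@@ -1,50 +1,80 @@
-$NetBSD
+$NetBSD: patch-CVE-2013-4355_1,v 1.3 2014/03/28 16:07:08 drochner Exp $
 
 http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
 also fixes
 http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html
 (CVE-2013-4554)
+also fixes
+http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
+(CVE-2014-2599)
 
---- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000
-+++ xen/arch/x86/hvm/hvm.c 2013-11-29 15:12:29.000000000 +0000
-@@ -1961,11 +1961,7 @@ void hvm_task_switch(
+--- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000
+@@ -1961,11 +1961,7 @@
  
  rc = hvm_copy_from_guest_virt(
  &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
 - if ( rc == HVMCOPY_bad_gva_to_gfn )
 - goto out;
 - if ( rc == HVMCOPY_gfn_paged_out )
 - goto out;
 - if ( rc == HVMCOPY_gfn_shared )
 + if ( rc != HVMCOPY_okay )
  goto out;
  
  eflags = regs->eflags;
-@@ -2010,13 +2006,11 @@ void hvm_task_switch(
+@@ -2010,13 +2006,11 @@
  
  rc = hvm_copy_from_guest_virt(
  &tss, tr.base, sizeof(tss), PFEC_page_present);
 - if ( rc == HVMCOPY_bad_gva_to_gfn )
 - goto out;
 - if ( rc == HVMCOPY_gfn_paged_out )
 - goto out;
 - /* Note: this could be optimised, if the callee functions knew we want RO
 - * access */
 - if ( rc == HVMCOPY_gfn_shared )
 + /*
 + * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
 + * functions knew we want RO access.
 + */
 + if ( rc != HVMCOPY_okay )
  goto out;
  
  
-@@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+@@ -2834,7 +2828,7 @@
  case 4:
  case 2:
  hvm_get_segment_register(curr, x86_seg_ss, &sreg);
 - if ( unlikely(sreg.attr.fields.dpl == 3) )
 + if ( unlikely(sreg.attr.fields.dpl) )
  {
  default:
  regs->eax = -EPERM;
+@@ -3746,7 +3740,7 @@
+ ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
+ goto param_fail5;
+
+- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
++ for ( pfn = a.first_pfn; a.nr; ++pfn )
+ {
+ p2m_type_t t;
+ mfn_t mfn;
+@@ -3759,6 +3753,17 @@
+ p2m_unlock(p2m);
+ if ( !success )
+ goto param_fail5;
++
++ /* Check for continuation if it's not the last interation. */
++ if ( --a.nr && hypercall_preempt_check() )
++ {
++ a.first_pfn = pfn + 1;
++ if ( copy_to_guest(arg, &a, 1) )
++ rc = -EFAULT;
++ else
++ rc = -EAGAIN;
++ goto param_fail5;
++ }
+ }
+
+ rc = 0;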
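Review bot: The preemption branch added at the end of the set_mem_access loop (new patch lines 68-77) is commented as a continuation check, but what the code visibly does is write the remaining range back with `copy_to_guest(arg, &a, 1)` and return `-EAGAIN`, so the operation only completes if the caller re-issues it. I would word the comment to say that, for example `/* Preempt: store the remaining range in the caller's buffer and return -EAGAIN so the caller re-issues the op. */`. Because the saved `first_pfn`/`nr` then sit in caller-writable memory, the range check in front of the loop has to run again on every re-entry; that looks to be the case, but the start of this case block and the `param_fail5` label are outside the hunk. It is also worth confirming that the in-tree callers retry on `-EAGAIN`, since one that treats it as a plain error leaves the access change applied to only part of the range.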