add patch from upstream (XSA-89) to fix: Processing of the HVMOP_set_mem_access HVM control operations does not check the size of its input and can tie up a physical CPU for extended periods of time.
bump PKGREV
diff -r1.34 -r1.35 pkgsrc/sysutils/xenkernel41/Makefile
(drochner)
@@ -1,19 +1,19 @@ | @@ -1,19 +1,19 @@ | |||
1 | # $NetBSD: Makefile,v 1.34 2014/03/06 15:45:45 joerg Exp $ | 1 | # $NetBSD: Makefile,v 1.35 2014/03/28 16:07:08 drochner Exp $ | |
2 | 2 | |||
3 | VERSION= 4.1.6.1 | 3 | VERSION= 4.1.6.1 | |
4 | DISTNAME= xen-${VERSION} | 4 | DISTNAME= xen-${VERSION} | |
5 | PKGNAME= xenkernel41-${VERSION} | 5 | PKGNAME= xenkernel41-${VERSION} | |
6 | PKGREVISION= 7 | 6 | PKGREVISION= 8 | |
7 | CATEGORIES= sysutils | 7 | CATEGORIES= sysutils | |
8 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | 8 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | |
9 | 9 | |||
10 | MAINTAINER= cegger@NetBSD.org | 10 | MAINTAINER= cegger@NetBSD.org | |
11 | HOMEPAGE= http://xen.org/ | 11 | HOMEPAGE= http://xen.org/ | |
12 | COMMENT= Xen 4.1.x Kernel | 12 | COMMENT= Xen 4.1.x Kernel | |
13 | 13 | |||
14 | LICENSE= gnu-gpl-v2 | 14 | LICENSE= gnu-gpl-v2 | |
15 | 15 | |||
16 | ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64 | 16 | ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64 | |
17 | ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386 | 17 | ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386 | |
18 | 18 | |||
19 | NO_CONFIGURE= yes | 19 | NO_CONFIGURE= yes |
@@ -1,20 +1,20 @@ | @@ -1,20 +1,20 @@ | |||
1 | $NetBSD: distinfo,v 1.26 2014/02/20 17:37:25 drochner Exp $ | 1 | $NetBSD: distinfo,v 1.27 2014/03/28 16:07:08 drochner Exp $ | |
2 | 2 | |||
3 | SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 | 3 | SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 | |
4 | RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 | 4 | RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 | |
5 | Size (xen-4.1.6.1.tar.gz) = 10428485 bytes | 5 | Size (xen-4.1.6.1.tar.gz) = 10428485 bytes | |
6 | SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 | 6 | SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 | |
7 | SHA1 (patch-CVE-2013-4355_1) = a28e4fc0cbe5409a759e689ff1af82792f560a39 | 7 | SHA1 (patch-CVE-2013-4355_1) = 91fb26907b2ac7d2435a6efce000569b71523247 | |
8 | SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 | 8 | SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 | |
9 | SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f | 9 | SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f | |
10 | SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 | 10 | SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 | |
11 | SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241 | 11 | SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241 | |
12 | SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15 | 12 | SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15 | |
13 | SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3 | 13 | SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3 | |
14 | SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1 | 14 | SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1 | |
15 | SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d | 15 | SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d | |
16 | SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d | 16 | SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d | |
17 | SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e | 17 | SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e | |
18 | SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 | 18 | SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 | |
19 | SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b | 19 | SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b | |
20 | SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 | 20 | SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 |
@@ -1,50 +1,80 @@ | @@ -1,50 +1,80 @@ | |||
1 | $NetBSD | 1 | $NetBSD: patch-CVE-2013-4355_1,v 1.3 2014/03/28 16:07:08 drochner Exp $ | |
2 | 2 | |||
3 | http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html | 3 | http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html | |
4 | also fixes | 4 | also fixes | |
5 | http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html | 5 | http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html | |
6 | (CVE-2013-4554) | 6 | (CVE-2013-4554) | |
7 | also fixes | |||
8 | http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html | |||
9 | (CVE-2014-2599) | |||
7 | 10 | |||
8 | --- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000 | 11 | --- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000 | |
9 | +++ xen/arch/x86/hvm/hvm.c 2013-11-29 15:12:29.000000000 +0000 | 12 | +++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000 | |
10 | @@ -1961,11 +1961,7 @@ void hvm_task_switch( | 13 | @@ -1961,11 +1961,7 @@ | |
11 | 14 | |||
12 | rc = hvm_copy_from_guest_virt( | 15 | rc = hvm_copy_from_guest_virt( | |
13 | &tss, prev_tr.base, sizeof(tss), PFEC_page_present); | 16 | &tss, prev_tr.base, sizeof(tss), PFEC_page_present); | |
14 | - if ( rc == HVMCOPY_bad_gva_to_gfn ) | 17 | - if ( rc == HVMCOPY_bad_gva_to_gfn ) | |
15 | - goto out; | 18 | - goto out; | |
16 | - if ( rc == HVMCOPY_gfn_paged_out ) | 19 | - if ( rc == HVMCOPY_gfn_paged_out ) | |
17 | - goto out; | 20 | - goto out; | |
18 | - if ( rc == HVMCOPY_gfn_shared ) | 21 | - if ( rc == HVMCOPY_gfn_shared ) | |
19 | + if ( rc != HVMCOPY_okay ) | 22 | + if ( rc != HVMCOPY_okay ) | |
20 | goto out; | 23 | goto out; | |
21 | 24 | |||
22 | eflags = regs->eflags; | 25 | eflags = regs->eflags; | |
23 | @@ -2010,13 +2006,11 @@ void hvm_task_switch( | 26 | @@ -2010,13 +2006,11 @@ | |
24 | 27 | |||
25 | rc = hvm_copy_from_guest_virt( | 28 | rc = hvm_copy_from_guest_virt( | |
26 | &tss, tr.base, sizeof(tss), PFEC_page_present); | 29 | &tss, tr.base, sizeof(tss), PFEC_page_present); | |
27 | - if ( rc == HVMCOPY_bad_gva_to_gfn ) | 30 | - if ( rc == HVMCOPY_bad_gva_to_gfn ) | |
28 | - goto out; | 31 | - goto out; | |
29 | - if ( rc == HVMCOPY_gfn_paged_out ) | 32 | - if ( rc == HVMCOPY_gfn_paged_out ) | |
30 | - goto out; | 33 | - goto out; | |
31 | - /* Note: this could be optimised, if the callee functions knew we want RO | 34 | - /* Note: this could be optimised, if the callee functions knew we want RO | |
32 | - * access */ | 35 | - * access */ | |
33 | - if ( rc == HVMCOPY_gfn_shared ) | 36 | - if ( rc == HVMCOPY_gfn_shared ) | |
34 | + /* | 37 | + /* | |
35 | + * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee | 38 | + * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee | |
36 | + * functions knew we want RO access. | 39 | + * functions knew we want RO access. | |
37 | + */ | 40 | + */ | |
38 | + if ( rc != HVMCOPY_okay ) | 41 | + if ( rc != HVMCOPY_okay ) | |
39 | goto out; | 42 | goto out; | |
40 | 43 | |||
41 | 44 | |||
42 | @@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg | 45 | @@ -2834,7 +2828,7 @@ | |
43 | case 4: | 46 | case 4: | |
44 | case 2: | 47 | case 2: | |
45 | hvm_get_segment_register(curr, x86_seg_ss, &sreg); | 48 | hvm_get_segment_register(curr, x86_seg_ss, &sreg); | |
46 | - if ( unlikely(sreg.attr.fields.dpl == 3) ) | 49 | - if ( unlikely(sreg.attr.fields.dpl == 3) ) | |
47 | + if ( unlikely(sreg.attr.fields.dpl) ) | 50 | + if ( unlikely(sreg.attr.fields.dpl) ) | |
48 | { | 51 | { | |
49 | default: | 52 | default: | |
50 | regs->eax = -EPERM; | 53 | regs->eax = -EPERM; | |
54 | @@ -3746,7 +3740,7 @@ | |||
55 | ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) | |||
56 | goto param_fail5; | |||
57 | ||||
58 | - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) | |||
59 | + for ( pfn = a.first_pfn; a.nr; ++pfn ) | |||
60 | { | |||
61 | p2m_type_t t; | |||
62 | mfn_t mfn; | |||
63 | @@ -3759,6 +3753,17 @@ | |||
64 | p2m_unlock(p2m); | |||
65 | if ( !success ) | |||
66 | goto param_fail5; | |||
67 | + | |||
68 | + /* Check for continuation if it's not the last interation. */ | |||
69 | + if ( --a.nr && hypercall_preempt_check() ) | |||
70 | + { | |||
71 | + a.first_pfn = pfn + 1; | |||
72 | + if ( copy_to_guest(arg, &a, 1) ) | |||
73 | + rc = -EFAULT; | |||
74 | + else | |||
75 | + rc = -EAGAIN; | |||
76 | + goto param_fail5; | |||
77 | + } | |||
78 | } | |||
79 | ||||
80 | rc = 0; |