Fri Sep 26 10:39:32 2014 UTC ()

Update xentools42 and xenkernel42 to Xen 4.2.5, fixing:
CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be
  created
CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests

pkgsrc also includes patches from the Xen Security Advisory:
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT,
  LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation
  of software interrupts


(bouyer)

diff -r1.7 -r1.8 pkgsrc/sysutils/xenkernel42/Makefile
diff -r1.5 -r1.6 pkgsrc/sysutils/xenkernel42/distinfo
diff -r0 -r1.1 pkgsrc/sysutils/xenkernel42/patches/patch-xen_arch_x86_mm_shadow_common.c
diff -r0 -r1.1 pkgsrc/sysutils/xenkernel42/patches/patch-xen_arch_x86_x86_emulate_x86_emulate.c
diff -r1.11 -r1.12 pkgsrc/sysutils/xentools42/distinfo

--- pkgsrc/sysutils/xenkernel42/Attic/Makefile 2014/05/09 07:37:20 1.7
+++ pkgsrc/sysutils/xenkernel42/Attic/Makefile 2014/09/26 10:39:31 1.8

 @@ -1,16 +1,16 @@
-# $NetBSD: Makefile,v 1.7 2014/05/09 07:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.8 2014/09/26 10:39:31 bouyer Exp $
-VERSION=	4.2.4
+VERSION=	4.2.5
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel42-${VERSION}
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://xenproject.org/
 COMMENT=	Xen 4.2.x Kernel
 LICENSE=	gnu-gpl-v2
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+=	NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386

--- pkgsrc/sysutils/xenkernel42/Attic/distinfo 2014/02/22 01:22:49 1.5
+++ pkgsrc/sysutils/xenkernel42/Attic/distinfo 2014/09/26 10:39:31 1.6

 @@ -1,9 +1,11 @@
-$NetBSD: distinfo,v 1.5 2014/02/22 01:22:49 prlw1 Exp $
+$NetBSD: distinfo,v 1.6 2014/09/26 10:39:31 bouyer Exp $
-SHA1 (xen-4.2.4.tar.gz) = ab661bf0f64a18155f971343a9c07b7e7d1410f1
+SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
-RMD160 (xen-4.2.4.tar.gz) = b2210d3ff6a9fdf9cae1a5a38b829667dfd6fd2f
+RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
-Size (xen-4.2.4.tar.gz) = 15663999 bytes
+Size (xen-4.2.5.tar.gz) = 15671925 bytes
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_mm_shadow_common.c) = 89dce860cc6aef7d0ec31f3137616b592490e60a
 SHA1 (patch-xen_arch_x86_x86_emulate_x86_emulate.c) = 8b906e762c8f94a670398b4e033d50a2fb012f0a
 SHA1 (patch-xen_include_xen_lib.h) = 36dcaf3874a1b1214babc45d7e19fe3b556c1044

$NetBSD: patch-xen_arch_x86_mm_shadow_common.c,v 1.1 2014/09/26 10:39:31 bouyer Exp $

patch for XSA-104/CVE-2014-7154, from Xen Security Advisory

--- xen/arch/x86/mm/shadow/common.c.orig	2014-09-02 08:22:57.000000000 +0200
+++ xen/arch/x86/mm/shadow/common.c	2014-09-26 11:18:02.000000000 +0200
@@ -3601,7 +3601,7 @@
     int flush_tlb = 0;
     unsigned long i;
     p2m_type_t t;
-    struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+    struct sh_dirty_vram *dirty_vram;
     struct p2m_domain *p2m = p2m_get_hostp2m(d);
 
     if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
@@ -3611,6 +3611,8 @@
     p2m_lock(p2m_get_hostp2m(d));
     paging_lock(d);
 
+    dirty_vram = d->arch.hvm_domain.dirty_vram;
+
     if ( dirty_vram && (!nr ||
              ( begin_pfn != dirty_vram->begin_pfn
             || end_pfn   != dirty_vram->end_pfn )) )

$NetBSD: patch-xen_arch_x86_x86_emulate_x86_emulate.c,v 1.1 2014/09/26 10:39:31 bouyer Exp $

patch for XSA-105/CVE-2014-7155 and XSA-106/CVE-2014-7156,
from Xen Security Advisory

--- xen/arch/x86/x86_emulate/x86_emulate.c.orig	2014-09-26 11:53:50.000000000 +0200
+++ xen/arch/x86/x86_emulate/x86_emulate.c	2014-09-26 11:53:43.000000000 +0200
@@ -2616,6 +2616,7 @@
     case 0xcd: /* int imm8 */
         src.val = insn_fetch_type(uint8_t);
     swint:
+        fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
         fail_if(ops->inject_sw_interrupt == NULL);
         rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
                                       ctxt) ? : X86EMUL_EXCEPTION;
@@ -3296,6 +3297,7 @@
         goto swint;
 
     case 0xf4: /* hlt */
+        generate_exception_if(!mode_ring0(), EXC_GP, 0);
         ctxt->retire.flags.hlt = 1;
         break;
 
@@ -3721,6 +3723,7 @@
             break;
         case 2: /* lgdt */
         case 3: /* lidt */
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
             generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
             fail_if(ops->write_segment == NULL);
             memset(&reg, 0, sizeof(reg));
@@ -3749,6 +3752,7 @@
         case 6: /* lmsw */
             fail_if(ops->read_cr == NULL);
             fail_if(ops->write_cr == NULL);
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
             if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
                 goto done;
             if ( ea.type == OP_REG )

--- pkgsrc/sysutils/xentools42/Attic/distinfo 2014/09/17 20:32:36 1.11
+++ pkgsrc/sysutils/xentools42/Attic/distinfo 2014/09/26 10:39:31 1.12

 @@ -1,21 +1,21 @@
-$NetBSD: distinfo,v 1.11 2014/09/17 20:32:36 bouyer Exp $
+$NetBSD: distinfo,v 1.12 2014/09/26 10:39:31 bouyer Exp $
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
 Size (ipxe-git-v1.0.0.tar.gz) = 1996881 bytes
-SHA1 (xen-4.2.4.tar.gz) = ab661bf0f64a18155f971343a9c07b7e7d1410f1
+SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
-RMD160 (xen-4.2.4.tar.gz) = b2210d3ff6a9fdf9cae1a5a38b829667dfd6fd2f
+RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
-Size (xen-4.2.4.tar.gz) = 15663999 bytes
+Size (xen-4.2.5.tar.gz) = 15671925 bytes
 SHA1 (patch-.._.._ipxe_src_Makefile.housekeeping) = 5ec8020a9705b2f64096c2942473a8de4db578bb
 SHA1 (patch-.._.._ipxe_src_arch_i386_include_librm.h) = 4549ac641b112321b4731a918d85219c3fce6808
 SHA1 (patch-.._.._ipxe_src_arch_i386_scripts_i386.lds) = 4c0cbb7f535be43e1b6f53c284340a8bafc37c0b
 SHA1 (patch-.._.._ipxe_src_core_settings.c) = 240ff973757403b983f12b2cbed826584c4a8aba
 SHA1 (patch-.._.._ipxe_src_drivers_net_ath5k_ath5k_qcu.c) = eb86106d05d5cc3300b7b57b0e0c2fdd338bbf43
 SHA1 (patch-.._.._ipxe_src_drivers_net_ns83820.c) = fbdfc47949f4946174b705d41d2b6c4405a68704
 SHA1 (patch-.._.._ipxe_src_drivers_net_tulip.c) = 0d9370c64e5e6bf15a5b87944e03333a10e4a299
 SHA1 (patch-.._.._ipxe_src_net_tls.c) = 893c70515bc4cb0d4d9319fd94eddc4945f6a0b3
 SHA1 (patch-.._Config.mk) = ec5ba76be10e43cb1b2d37686e35d5fb81d8de80
 SHA1 (patch-.._config_NetBSD.mk) = 90893326dcce4e3e2ef273f22ec5ddf5af0f7cd8
 SHA1 (patch-.._config_StdGNU.mk) = 3f93999038bd9d25277803cd1d969dc5733b593f
 SHA1 (patch-.._docs_man_xend-config.sxp.pod.5) = 36afc7b063f83adfe5b927ed0be586b102684020
 SHA1 (patch-.._docs_man_xl.cfg.pod.5) = 8f580bc91f346167999d91a279855c6e2710a8cc