Add patch for: XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts bump PKGREVISION
diff -r1.38 -r1.39 pkgsrc/sysutils/xenkernel41/Makefile
(bouyer)
@@ -1,19 +1,19 @@ | @@ -1,19 +1,19 @@ | |||
1 | # $NetBSD: Makefile,v 1.38 2014/06/18 13:47:08 drochner Exp $ | 1 | # $NetBSD: Makefile,v 1.39 2014/09/26 10:45:00 bouyer Exp $ | |
2 | 2 | |||
3 | VERSION= 4.1.6.1 | 3 | VERSION= 4.1.6.1 | |
4 | DISTNAME= xen-${VERSION} | 4 | DISTNAME= xen-${VERSION} | |
5 | PKGNAME= xenkernel41-${VERSION} | 5 | PKGNAME= xenkernel41-${VERSION} | |
6 | PKGREVISION= 10 | 6 | PKGREVISION= 11 | |
7 | CATEGORIES= sysutils | 7 | CATEGORIES= sysutils | |
8 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | 8 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | |
9 | 9 | |||
10 | MAINTAINER= cegger@NetBSD.org | 10 | MAINTAINER= cegger@NetBSD.org | |
11 | HOMEPAGE= http://xen.org/ | 11 | HOMEPAGE= http://xen.org/ | |
12 | COMMENT= Xen 4.1.x Kernel | 12 | COMMENT= Xen 4.1.x Kernel | |
13 | 13 | |||
14 | LICENSE= gnu-gpl-v2 | 14 | LICENSE= gnu-gpl-v2 | |
15 | 15 | |||
16 | ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64 | 16 | ONLY_FOR_PLATFORM= Linux-2.6*-i386 Linux-2.6*-x86_64 | |
17 | ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386 | 17 | ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386 | |
18 | 18 | |||
19 | NO_CONFIGURE= yes | 19 | NO_CONFIGURE= yes |
@@ -1,26 +1,29 @@ | @@ -1,26 +1,29 @@ | |||
1 | $NetBSD: distinfo,v 1.29 2014/06/18 13:47:08 drochner Exp $ | 1 | $NetBSD: distinfo,v 1.30 2014/09/26 10:45:00 bouyer Exp $ | |
2 | 2 | |||
3 | SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 | 3 | SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0 | |
4 | RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 | 4 | RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19 | |
5 | Size (xen-4.1.6.1.tar.gz) = 10428485 bytes | 5 | Size (xen-4.1.6.1.tar.gz) = 10428485 bytes | |
6 | SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 | 6 | SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1 | |
7 | SHA1 (patch-CVE-2013-4355_1) = 99068aa658fc231fe6c6c77bf61d68405318aaa8 | 7 | SHA1 (patch-CVE-2013-4355_1) = 99068aa658fc231fe6c6c77bf61d68405318aaa8 | |
8 | SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 | 8 | SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509 | |
9 | SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f | 9 | SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f | |
10 | SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 | 10 | SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8 | |
11 | SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241 | 11 | SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241 | |
12 | SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15 | 12 | SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15 | |
13 | SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3 | 13 | SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3 | |
14 | SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1 | 14 | SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1 | |
15 | SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d | 15 | SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d | |
16 | SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d | 16 | SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d | |
17 | SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e | 17 | SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e | |
18 | SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145 | 18 | SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145 | |
19 | SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36 | 19 | SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36 | |
20 | SHA1 (patch-CVE-2014-7154) = 5f0541559d911778aa5267bb5c0e1e8a9a3904e2 | |||
21 | SHA1 (patch-CVE-2014-7155) = 0f1aa6a5d4fdb8403fc1e01b884491a63de501f8 | |||
22 | SHA1 (patch-CVE-2014-7156) = 85043bdcf2644227d135f725cb442aade565c9d6 | |||
20 | SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 | 23 | SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266 | |
21 | SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b | 24 | SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b | |
22 | SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 | 25 | SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2 | |
23 | SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b | 26 | SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b | |
24 | SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289 | 27 | SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289 | |
25 | SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0 | 28 | SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0 | |
26 | SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70 | 29 | SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70 |
$NetBSD: patch-CVE-2014-7154,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86/shadow: fix race condition sampling the dirty vram state
d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.
If not, two concurrent hypercalls could both end up attempting to free
dirty_vram (the second of which will free a wild pointer), or both end up
allocating a new dirty_vram structure (the first of which will be leaked).
This is XSA-104.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200
+++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200
@@ -3640,7 +3640,7 @@
int flush_tlb = 0;
unsigned long i;
p2m_type_t t;
- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+ struct sh_dirty_vram *dirty_vram;
struct p2m_domain *p2m = p2m_get_hostp2m(d);
if (end_pfn < begin_pfn
@@ -3649,6 +3649,7 @@
return -EINVAL;
shadow_lock(d);
+ dirty_vram = d->arch.hvm_domain.dirty_vram;
if ( dirty_vram && (!nr ||
( begin_pfn != dirty_vram->begin_pfn
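Review bot: The description says `dirty_vram` must be sampled with the domain's paging lock held, but the lock actually taken two lines above the new assignment is `shadow_lock(d)`; on this 4.1 tree that is presumably the lock that serialises the alloc/free of the structure, so the code should say so rather than leave the reader to reconcile the two: `dirty_vram = d->arch.hvm_domain.dirty_vram; /* must be read under shadow_lock(): XSA-104 */`. With the `@@ -3640` hunk the local is now declared uninitialised and stays so until this point; nothing in view reads it in between, but the lines between the two hunks and part of the range check preceding `shadow_lock(d)` are not visible, so confirm there is no earlier use. The later free/reallocate paths the description mentions are outside both hunks; the fix holds only if those paths keep running under the same lock until it is dropped. The enclosing function starts before the first hunk and continues past this one.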
$NetBSD: patch-CVE-2014-7155,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86/emulate: check cpl for all privileged instructions
Without this, it is possible for userspace to load its own IDT or GDT.
This is XSA-105.
Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Andrei LUTAS <vlutas@bitdefender.com>
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -3314,6 +3314,7 @@ x86_emulate(
goto swint;
case 0xf4: /* hlt */
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
ctxt->retire.flags.hlt = 1;
break;
@@ -3710,6 +3711,7 @@ x86_emulate(
break;
case 2: /* lgdt */
case 3: /* lidt */
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
fail_if(ops->write_segment == NULL);
memset(®, 0, sizeof(reg));
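Review bot: In the lgdt/lidt hunk the new `generate_exception_if(!mode_ring0(), EXC_GP, 0);` sits ahead of the existing `generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);`, so a ring-3 guest using the register-operand form is now given #GP(0) where the architectural fault-priority ordering (decode faults such as #UD before execution faults such as #GP) would report #UD first; if the emulator means to mirror hardware, swap the two lines, otherwise add a short comment that the order is intentional. The lmsw hunk (`@@ -3738`) instead inserts its privilege check after the two `fail_if(ops->... == NULL)` hook checks, while the hlt and lgdt/lidt hunks put it first in the case body; moving the lmsw check to the top of `case 6:` keeps the three consistent and settles the privilege question before any dependence on the hook table. The `®` in `memset(®, 0, sizeof(reg));` looks like `&reg` mangled by HTML-entity decoding in this view rather than a change in the patch. x86_emulate starts before and continues after all three hunks.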
@@ -3738,6 +3740,7 @@ x86_emulate(
case 6: /* lmsw */
fail_if(ops->read_cr == NULL);
fail_if(ops->write_cr == NULL);
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
goto done;
if ( ea.type == OP_REG )
$NetBSD: patch-CVE-2014-7156,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86emul: only emulate software interrupt injection for real mode
Protected mode emulation currently lacks proper privilege checking of
the referenced IDT entry, and there's currently no legitimate way for
any of the respective instructions to reach the emulator when the guest
is in protected mode.
This is XSA-106.
Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2634,6 +2634,7 @@ x86_emulate(
case 0xcd: /* int imm8 */
src.val = insn_fetch_type(uint8_t);
swint:
+ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
fail_if(ops->inject_sw_interrupt == NULL);
rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
ctxt) ? : X86EMUL_EXCEPTION;
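Review bot: The `/* XSA-106 */` tag on the new `fail_if(!in_realmode(ctxt, ops));` line names the advisory but not the reason, so a later reader cannot tell whether protected-mode software interrupts are deliberately refused or merely unimplemented; the description has the reason, so carry it into the code: `fail_if(!in_realmode(ctxt, ops)); /* XSA-106: protected-mode path lacks IDT DPL checks; refuse rather than inject */`. Placing the guard at the `swint:` label rather than inside `case 0xcd:` means every entry to the label takes it, including the `goto swint` visible in the neighbouring XSA-105 hlt hunk, which is the right choice. As I read `fail_if`, it declines emulation instead of raising an exception, so a protected-mode guest reaching this path gets an unhandleable result rather than #GP; the description argues no legitimate guest reaches it, but that assumption belongs in the comment next to the check. x86_emulate continues on both sides of the hunk.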