Fri Sep 26 10:45:00 2014 UTC ()

Add patch for:
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT,
  LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation
  of software interrupts

bump PKGREVISION


(bouyer)

diff -r1.38 -r1.39 pkgsrc/sysutils/xenkernel41/Makefile
diff -r1.29 -r1.30 pkgsrc/sysutils/xenkernel41/distinfo
diff -r0 -r1.1 pkgsrc/sysutils/xenkernel41/patches/patch-CVE-2014-7154
diff -r0 -r1.1 pkgsrc/sysutils/xenkernel41/patches/patch-CVE-2014-7155
diff -r0 -r1.1 pkgsrc/sysutils/xenkernel41/patches/patch-CVE-2014-7156

--- pkgsrc/sysutils/xenkernel41/Attic/Makefile 2014/06/18 13:47:08 1.38
+++ pkgsrc/sysutils/xenkernel41/Attic/Makefile 2014/09/26 10:45:00 1.39

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.38 2014/06/18 13:47:08 drochner Exp $
+# $NetBSD: Makefile,v 1.39 2014/09/26 10:45:00 bouyer Exp $
 VERSION=	4.1.6.1
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
-PKGREVISION=	10
+PKGREVISION=	11
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 MAINTAINER=	cegger@NetBSD.org
 HOMEPAGE=	http://xen.org/
 COMMENT=	Xen 4.1.x Kernel
 LICENSE=        gnu-gpl-v2
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+=	NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386
 NO_CONFIGURE=	yes

--- pkgsrc/sysutils/xenkernel41/Attic/distinfo 2014/06/18 13:47:08 1.29
+++ pkgsrc/sysutils/xenkernel41/Attic/distinfo 2014/09/26 10:45:00 1.30

 @@ -1,26 +1,29 @@
-$NetBSD: distinfo,v 1.29 2014/06/18 13:47:08 drochner Exp $
+$NetBSD: distinfo,v 1.30 2014/09/26 10:45:00 bouyer Exp $
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
 SHA1 (patch-CVE-2013-4355_1) = 99068aa658fc231fe6c6c77bf61d68405318aaa8
 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
 SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
 SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
 SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
 SHA1 (patch-CVE-2013-6885_1) = 18d155b2c76119988be32cfd43e3c4aa6a507b9d
 SHA1 (patch-CVE-2013-6885_2) = be3c99ba3e349492d45cd4f2fce0acc26ac1a96d
 SHA1 (patch-CVE-2014-1666) = acf27080799d4aae6a03b556caadb01081d5314e
 SHA1 (patch-CVE-2014-3124) = 59a48eed88abcda5de2fc7e398451a492e5d2145
 SHA1 (patch-CVE-2014-4021) = ee8ee800b35f7eaa242b06536c1ffa6568305b36
 SHA1 (patch-CVE-2014-7154) = 5f0541559d911778aa5267bb5c0e1e8a9a3904e2
 SHA1 (patch-CVE-2014-7155) = 0f1aa6a5d4fdb8403fc1e01b884491a63de501f8
 SHA1 (patch-CVE-2014-7156) = 85043bdcf2644227d135f725cb442aade565c9d6
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b
 SHA1 (patch-xen_arch_x86_time.c) = 1611959c08ad79e3f042ac70c8d9d57b60225289
 SHA1 (patch-xen_drivers_char_console_c) = 0fe186369602ccffaeec6f4bfbee8bb4298d3ff0
 SHA1 (patch-xen_include_xen_stdarg.h) = e9df974a9b783ed442ab17497198432cb9844b70

$NetBSD: patch-CVE-2014-7154,v 1.1 2014/09/26 10:45:00 bouyer Exp $

x86/shadow: fix race condition sampling the dirty vram state

d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held.

If not, two concurrent hypercalls could both end up attempting to free
dirty_vram (the second of which will free a wild pointer), or both end up
allocating a new dirty_vram structure (the first of which will be leaked).

This is XSA-104.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>

--- xen/arch/x86/mm/shadow/common.c.orig	2013-09-10 08:42:18.000000000 +0200
+++ xen/arch/x86/mm/shadow/common.c	2014-09-26 12:21:33.000000000 +0200
@@ -3640,7 +3640,7 @@
     int flush_tlb = 0;
     unsigned long i;
     p2m_type_t t;
-    struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+    struct sh_dirty_vram *dirty_vram;
     struct p2m_domain *p2m = p2m_get_hostp2m(d);
 
     if (end_pfn < begin_pfn
@@ -3649,6 +3649,7 @@
         return -EINVAL;
 
     shadow_lock(d);
+    dirty_vram = d->arch.hvm_domain.dirty_vram;
 
     if ( dirty_vram && (!nr ||
              ( begin_pfn != dirty_vram->begin_pfn

$NetBSD: patch-CVE-2014-7155,v 1.1 2014/09/26 10:45:00 bouyer Exp $

x86/emulate: check cpl for all privileged instructions

Without this, it is possible for userspace to load its own IDT or GDT.

This is XSA-105.

Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Andrei LUTAS <vlutas@bitdefender.com>

--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -3314,6 +3314,7 @@ x86_emulate(
         goto swint;
 
     case 0xf4: /* hlt */
+        generate_exception_if(!mode_ring0(), EXC_GP, 0);
         ctxt->retire.flags.hlt = 1;
         break;
 
@@ -3710,6 +3711,7 @@ x86_emulate(
             break;
         case 2: /* lgdt */
         case 3: /* lidt */
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
             generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
             fail_if(ops->write_segment == NULL);
             memset(&reg, 0, sizeof(reg));
@@ -3738,6 +3740,7 @@ x86_emulate(
         case 6: /* lmsw */
             fail_if(ops->read_cr == NULL);
             fail_if(ops->write_cr == NULL);
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
             if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
                 goto done;
             if ( ea.type == OP_REG )

$NetBSD: patch-CVE-2014-7156,v 1.1 2014/09/26 10:45:00 bouyer Exp $

x86emul: only emulate software interrupt injection for real mode

Protected mode emulation currently lacks proper privilege checking of
the referenced IDT entry, and there's currently no legitimate way for
any of the respective instructions to reach the emulator when the guest
is in protected mode.

This is XSA-106.

Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2634,6 +2634,7 @@ x86_emulate(
     case 0xcd: /* int imm8 */
         src.val = insn_fetch_type(uint8_t);
     swint:
+        fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
         fail_if(ops->inject_sw_interrupt == NULL);
         rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
                                       ctxt) ? : X86EMUL_EXCEPTION;