Pullup ticket #4514 - requested by bouyer sysutils/xenkernel42: security patch Revisions pulled up: - sysutils/xenkernel42/Makefile 1.9 - sysutils/xenkernel42/distinfo 1.7 - sysutils/xenkernel42/patches/patch-xen_arch_x86_hvm_hvm.c 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Wed Oct 1 17:34:55 UTC 2014 Modified Files: pkgsrc/sysutils/xenkernel42: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel42/patches: patch-xen_arch_x86_hvm_hvm.c Log Message: Add patch from upstream, fixing CVE-2014-7188 / XSA-108: Improper MSR range used for x2APIC emulation Bump PKGREVISION

(tron)

 @@ -1,18 +1,19 @@
-# $NetBSD: Makefile,v 1.8 2014/09/26 10:39:31 bouyer Exp $
+# $NetBSD: Makefile,v 1.8.2.1 2014/10/04 15:39:18 tron Exp $
 VERSION=	4.2.5
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel42-${VERSION}
 PKGREVISION=	1
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://xenproject.org/
 COMMENT=	Xen 4.2.x Kernel
 LICENSE=	gnu-gpl-v2
 ONLY_FOR_PLATFORM=	Linux-2.6*-i386 Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+=	NetBSD-[5-9].*-x86_64 NetBSD-[5-9].*-i386
 NO_CONFIGURE=	yes

 @@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.6 2014/09/26 10:39:31 bouyer Exp $
+$NetBSD: distinfo,v 1.6.2.1 2014/10/04 15:39:18 tron Exp $
 SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
 Size (xen-4.2.5.tar.gz) = 15671925 bytes
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f
 SHA1 (patch-xen_arch_x86_mm_shadow_common.c) = 89dce860cc6aef7d0ec31f3137616b592490e60a
 SHA1 (patch-xen_arch_x86_x86_emulate_x86_emulate.c) = 8b906e762c8f94a670398b4e033d50a2fb012f0a
 SHA1 (patch-xen_include_xen_lib.h) = 36dcaf3874a1b1214babc45d7e19fe3b556c1044

$NetBSD: patch-xen_arch_x86_hvm_hvm.c,v 1.1.2.2 2014/10/04 15:39:18 tron Exp $ x86/HVM: properly bound x2APIC MSR range While the write path change appears to be purely cosmetic (but still gets done here for consistency), the read side mistake permitted accesses beyond the virtual APIC page. Note that while this isn't fully in line with the specification (digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal possible fix addressing the security issue and getting x2APIC related code into a consistent shape (elsewhere a 256 rather than 1024 wide window is being used too). This will be dealt with subsequently. This is XSA-108. Signed-off-by: Jan Beulich <jbeulich@suse.com> --- xen/arch/x86/hvm/hvm.c.orig +++ xen/arch/x86/hvm/hvm.c @@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_read(v, msr, msr_content) ) goto gp_fault; break; @@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_write(v, msr, msr_content) ) goto gp_fault; break;