Sun Sep 11 11:38:10 2016 UTC ()
add the patch for XSA-184


(spz)
diff -r1.37 -r1.38 pkgsrc/sysutils/xentools45/Makefile
diff -r1.25 -r1.26 pkgsrc/sysutils/xentools45/distinfo
diff -r0 -r1.1 pkgsrc/sysutils/xentools45/patches/patch-XSA-184
cvs diff -r1.37 -r1.38 pkgsrc/sysutils/xentools45/Attic/Makefile (expand / switch to unified diff)

--- pkgsrc/sysutils/xentools45/Attic/Makefile 2016/08/06 12:41:36 1.37
+++ pkgsrc/sysutils/xentools45/Attic/Makefile 2016/09/11 11:38:10 1.38
@@ -1,17 +1,17 @@ @@ -1,17 +1,17 @@
1# $NetBSD: Makefile,v 1.37 2016/08/06 12:41:36 spz Exp $ 1# $NetBSD: Makefile,v 1.38 2016/09/11 11:38:10 spz Exp $
2 2
3VERSION= 4.5.3 3VERSION= 4.5.3
4PKGREVISION= 3 4PKGREVISION= 4
5VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e 5VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
6 6
7DISTNAME= xen-${VERSION} 7DISTNAME= xen-${VERSION}
8PKGNAME= xentools45-${VERSION} 8PKGNAME= xentools45-${VERSION}
9CATEGORIES= sysutils 9CATEGORIES= sysutils
10MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ 10MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
11 11
12DISTFILES= ${DISTNAME}.tar.gz 12DISTFILES= ${DISTNAME}.tar.gz
13DISTFILES+= ipxe-git-${VERSION_IPXE}.tar.gz 13DISTFILES+= ipxe-git-${VERSION_IPXE}.tar.gz
14SITES.ipxe-git-${VERSION_IPXE}.tar.gz += http://xenbits.xensource.com/xen-extfiles/ 14SITES.ipxe-git-${VERSION_IPXE}.tar.gz += http://xenbits.xensource.com/xen-extfiles/
15 15
16MAINTAINER= pkgsrc-users@NetBSD.org 16MAINTAINER= pkgsrc-users@NetBSD.org
17HOMEPAGE= http://xen.org/ 17HOMEPAGE= http://xen.org/
cvs diff -r1.25 -r1.26 pkgsrc/sysutils/xentools45/Attic/distinfo (expand / switch to unified diff)

--- pkgsrc/sysutils/xentools45/Attic/distinfo 2016/08/06 12:41:36 1.25
+++ pkgsrc/sysutils/xentools45/Attic/distinfo 2016/09/11 11:38:10 1.26
@@ -1,38 +1,39 @@ @@ -1,38 +1,39 @@
1$NetBSD: distinfo,v 1.25 2016/08/06 12:41:36 spz Exp $ 1$NetBSD: distinfo,v 1.26 2016/09/11 11:38:10 spz Exp $
2 2
3SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 3SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
4RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 4RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
5SHA512 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 5SHA512 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4
6Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes 6Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes
7SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108 7SHA1 (xen-4.5.3.tar.gz) = 95d56c42642adcffe55dcf82a021d49115373108
8RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4 8RMD160 (xen-4.5.3.tar.gz) = 7ba586b20404e95308007663e87868c0ccc0e6f4
9SHA512 (xen-4.5.3.tar.gz) = 086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f 9SHA512 (xen-4.5.3.tar.gz) = 086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f
10Size (xen-4.5.3.tar.gz) = 18416997 bytes 10Size (xen-4.5.3.tar.gz) = 18416997 bytes
11SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d 11SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d
12SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762 12SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762
13SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005 13SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005
14SHA1 (patch-.._.._ipxe_src_net_tls.c) = c36b812c4c9a3aa7309219dfad2f7a24ba818e59 14SHA1 (patch-.._.._ipxe_src_net_tls.c) = c36b812c4c9a3aa7309219dfad2f7a24ba818e59
15SHA1 (patch-.._Config.mk) = 36a8942a9fc0f7d601c9b5f7fd1332db99f9ac4b 15SHA1 (patch-.._Config.mk) = 36a8942a9fc0f7d601c9b5f7fd1332db99f9ac4b
16SHA1 (patch-.._docs_man_xl.cfg.pod.5) = e2058495b6fe85af338e22560d46996d36aeedab 16SHA1 (patch-.._docs_man_xl.cfg.pod.5) = e2058495b6fe85af338e22560d46996d36aeedab
17SHA1 (patch-.._docs_man_xl.conf.pod.5) = 015da24a45388468d56f1ecfa60f6acf07bdfef8 17SHA1 (patch-.._docs_man_xl.conf.pod.5) = 015da24a45388468d56f1ecfa60f6acf07bdfef8
18SHA1 (patch-.._docs_man_xl.pod.1) = b194f2c5608c6f0e80a4abd8655808cf91355cd5 18SHA1 (patch-.._docs_man_xl.pod.1) = b194f2c5608c6f0e80a4abd8655808cf91355cd5
19SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736a4663b2 19SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736a4663b2
20SHA1 (patch-.._docs_misc_xl-disk-configuration.txt) = 5b59cfc2569d1a4c10d6c0fcb98ed35278723b79 20SHA1 (patch-.._docs_misc_xl-disk-configuration.txt) = 5b59cfc2569d1a4c10d6c0fcb98ed35278723b79
21SHA1 (patch-Makefile) = eb5d3211b26c5f10a24fcca658c83d5f60990d9f 21SHA1 (patch-Makefile) = eb5d3211b26c5f10a24fcca658c83d5f60990d9f
22SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50 22SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50
23SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2 23SHA1 (patch-XSA-178) = 5cb68dd7d82f537e9a9d0417cc79e8cafeb05ac2
24SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca 24SHA1 (patch-XSA-179) = b73d44757651efe4b8df27cedd7f9827f3d6a6ca
25SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3 25SHA1 (patch-XSA-180) = 58a93dec38792a36bca74123444eb72fafe158a3
 26SHA1 (patch-XSA-184) = 08103cae34512c1a3b9eb3e5cfdf8a15a302e419
26SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 27SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
27SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88 28SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
28SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f 29SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
29SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff 30SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff
30SHA1 (patch-firmware_etherboot_Makefile) = f55e14948b7191e533a82b8fc3575f1052f23c45 31SHA1 (patch-firmware_etherboot_Makefile) = f55e14948b7191e533a82b8fc3575f1052f23c45
31SHA1 (patch-firmware_etherboot_patches_series) = 2fa1342c78094c6dd5d60a07c236c4a1c0599fc4 32SHA1 (patch-firmware_etherboot_patches_series) = 2fa1342c78094c6dd5d60a07c236c4a1c0599fc4
32SHA1 (patch-firmware_hvmloader_Makefile) = bc5e81ddfc5e95887c2af4bb32eced9c5748b3c6 33SHA1 (patch-firmware_hvmloader_Makefile) = bc5e81ddfc5e95887c2af4bb32eced9c5748b3c6
33SHA1 (patch-hotplug_NetBSD_Makefile) = 6f6ec768b595c332a8757437a64509c0370e52da 34SHA1 (patch-hotplug_NetBSD_Makefile) = 6f6ec768b595c332a8757437a64509c0370e52da
34SHA1 (patch-hotplug_NetBSD_block) = f7ef26d13578b00138f459f6d16662d53820458c 35SHA1 (patch-hotplug_NetBSD_block) = f7ef26d13578b00138f459f6d16662d53820458c
35SHA1 (patch-hotplug_NetBSD_vif-bridge) = ac4cc7446715330b504b8cce8cbd47c8035cf33c 36SHA1 (patch-hotplug_NetBSD_vif-bridge) = ac4cc7446715330b504b8cce8cbd47c8035cf33c
36SHA1 (patch-hotplug_NetBSD_vif-ip) = ed23b0c16d87bd05230399d921e28860c5857b01 37SHA1 (patch-hotplug_NetBSD_vif-ip) = ed23b0c16d87bd05230399d921e28860c5857b01
37SHA1 (patch-hotplug_common_Makefile) = 1c8af96a3d0d1d5e9c168b1eb75fabb3e2164a19 38SHA1 (patch-hotplug_common_Makefile) = 1c8af96a3d0d1d5e9c168b1eb75fabb3e2164a19
38SHA1 (patch-include_xen-sys_NetBSD_gntdev.h) = b1f60f46e606b7591d68d98655d1cb29df977c14 39SHA1 (patch-include_xen-sys_NetBSD_gntdev.h) = b1f60f46e606b7591d68d98655d1cb29df977c14
File Added: pkgsrc/sysutils/xentools45/patches/Attic/patch-XSA-184
patches for XSA-184 from upstream:

From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Tue, 26 Jul 2016 15:31:59 +0100
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size

A broken or malicious guest can submit more requests than the virtqueue
size permits.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is incorrect but
possible.  Processing a request allocates a VirtQueueElement and
therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/virtio.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/virtio.c b/hw/virtio.c
index c26feff..42897bf 100644
--- qemu-xen-traditional/hw/virtio.c.orig	2016-01-04 15:36:03.000000000 +0000
+++ qemu-xen-traditional/hw/virtio.c	2016-09-11 11:01:37.000000000 +0000
@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
     /* When we start there are none of either input nor output. */
     elem->out_num = elem->in_num = 0;
 
+    if (vq->inuse >= vq->vring.num) {
+        fprintf(stderr, "Virtqueue size exceeded");
+        exit(1);
+    }
+
     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
     do {
         struct iovec *sg;

From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Mon, 25 Jul 2016 17:37:18 +0530
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size

A broken or malicious guest can submit more requests than the virtqueue
size permits.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is incorrect but
possible.  Processing a request allocates a VirtQueueElement and
therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/virtio/virtio.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index d24f775..f8ac0fb 100644
--- qemu-xen/hw/virtio/virtio.c.orig	2016-02-18 17:30:28.000000000 +0000
+++ qemu-xen/hw/virtio/virtio.c	2016-09-11 11:01:48.000000000 +0000
@@ -459,6 +459,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
 
     max = vq->vring.num;
 
+    if (vq->inuse >= max) {
+        error_report("Virtqueue size exceeded");
+        exit(1);
+    }
+
     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
     if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
         vring_avail_event(vq, vring_avail_idx(vq));