Sat Apr 8 12:17:58 2017 UTC ()
add patch for XSA-212 from upstream
(http://xenbits.xen.org/xsa/advisory-212.html)


(spz)
diff -r1.10 -r1.11 pkgsrc/sysutils/xenkernel46/Makefile
diff -r1.7 -r1.8 pkgsrc/sysutils/xenkernel46/distinfo
diff -r0 -r1.1 pkgsrc/sysutils/xenkernel46/patches/patch-XSA-212

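--- a/pkgsrc/sysutils/xenkernel46/Attic/Makefile
+++ b/pkgsrc/sysutils/xenkernel46/Attic/Makefile
@@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.10 2017/03/20 18:17:12 bouyer Exp $
+# $NetBSD: Makefile,v 1.11 2017/04/08 12:17:58 spz Exp $
 
 VERSION= 4.6.5
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel46-${VERSION}
-#PKGREVISION= 4
+PKGREVISION= 1
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://xenproject.org/
 COMMENT= Xen 4.6.x Kernel
 
 LICENSE= gnu-gpl-v2
 
 ONLY_FOR_PLATFORM= Linux-2.6*-x86_64
 ONLY_FOR_PLATFORM+= NetBSD-[5-9].*-x86_64
 
 NO_CONFIGURE= yes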

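--- a/pkgsrc/sysutils/xenkernel46/Attic/distinfo
+++ b/pkgsrc/sysutils/xenkernel46/Attic/distinfo
@@ -1,17 +1,18 @@
-$NetBSD: distinfo,v 1.7 2017/03/20 18:17:12 bouyer Exp $
+$NetBSD: distinfo,v 1.8 2017/04/08 12:17:58 spz Exp $
 
 SHA1 (xen-4.6.5.tar.gz) = af371af662211ee1480167b6c9e35142156f3a8d
 RMD160 (xen-4.6.5.tar.gz) = 3f2468d7d3715d14842ac57b2180118ef48e93fa
 SHA512 (xen-4.6.5.tar.gz) = d3e1b16fa9d695a5fc28ca4375b8de3dfcab480437d4d0151972d9f286528c9f667841e7a6888c918c580371d6984658a8d3b92235553c8c9c052d93154547b5
 Size (xen-4.6.5.tar.gz) = 19712756 bytes
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
+SHA1 (patch-XSA-212) = 4637d51bcbb3b11fb0e22940f824ebacdaa15b4f
 SHA1 (patch-tools_xentrace_xenalyze.c) = ab973cb7090dc90867dcddf9ab8965f8f2f36c46
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_arch_x86_mm.c) = 3c1435fa5db6a0f542e5efe726997f262fa04041
 SHA1 (patch-xen_arch_x86_xen.lds.S) = 58a890c404ca4f86ccfb58cf5a83b07e235034fc
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
 SHA1 (patch-xen_drivers_passthrough_vtd_x86_ats.c) = f72fd4bb2aeeaeb0b167031dfd5498e73666aa4e
 SHA1 (patch-xen_include_asm-x86_current.h) = 8a21577be06383c0c7f53c15ba828f77fb6314ad
 SHA1 (patch-xen_include_asm-x86_spinlock.h) = a78fe84c87632f0524af255f173676732418a75e
 SHA1 (patch-xen_include_xen_lib.h) = 82a219b7d9c5deaa2b8e0adc774f60395adc4815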

File Added: pkgsrc/sysutils/xenkernel46/patches/Attic/patch-XSA-212
$NetBSD: patch-XSA-212,v 1.1 2017/04/08 12:17:58 spz Exp $

memory: properly check guest memory ranges in XENMEM_exchange handling

The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
is insufficient here, guest_handle_subrange_okay() needs to be used
instead.

Note that the uses are okay in
- XENMEM_add_to_physmap_batch handling due to the size field being only
  16 bits wide,
- livepatch_list() due to the limit of 1024 enforced on the
  number-of-entries input (leaving aside the fact that this can be
  called by a privileged domain only anyway),
- compat mode handling due to counts there being limited to 32 bits,
- everywhere else due to guest arrays being accessed sequentially from
  index zero.

This is XSA-212.

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- xen/common/memory.c
+++ xen/common/memory.c
@@ -436,8 +436,8 @@ static long memory_exchange(XEN_GUEST_HA
         goto fail_early;
     }
 
-    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
-         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
+    if ( !guest_handle_subrange_okay(exch.in.extent_start, exch.nr_exchanged,
+                                     exch.in.nr_extents - 1) )
     {
         rc = -EFAULT;
         goto fail_early;
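Review bot: The new last-index argument `exch.in.nr_extents - 1` wraps around (assuming the field is unsigned) when the guest supplies `nr_extents == 0`, and nothing visible in this hunk rejects or short-circuits that case first; the same expression appears as `exch.out.nr_extents - 1` in both checks added by the next hunk. If the sanity checks earlier in memory_exchange() already make the wrapped value harmless, a comment above the check should record that, e.g. `/* nr_extents == 0 makes the last index wrap; harmless because <invariant from the checks above>. */`. Otherwise an explicit early exit for the "nothing left to exchange" case ahead of this check would remove the dependence on wraparound. The function starts and ends outside the hunk, so this needs confirming against the full body.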
@@ -447,11 +447,27 @@ static long memory_exchange(XEN_GUEST_HA
     {
         in_chunk_order  = exch.out.extent_order - exch.in.extent_order;
         out_chunk_order = 0;
+
+        if ( !guest_handle_subrange_okay(exch.out.extent_start,
+                                         exch.nr_exchanged >> in_chunk_order,
+                                         exch.out.nr_extents - 1) )
+        {
+            rc = -EFAULT;
+            goto fail_early;
+        }
     }
     else
     {
         in_chunk_order  = 0;
         out_chunk_order = exch.in.extent_order - exch.out.extent_order;
+
+        if ( !guest_handle_subrange_okay(exch.out.extent_start,
+                                         exch.nr_exchanged << out_chunk_order,
+                                         exch.out.nr_extents - 1) )
+        {
+            rc = -EFAULT;
+            goto fail_early;
+        }
     }
 
     d = rcu_lock_domain_by_any_id(exch.in.domid);
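Review bot: The first index checked for the output array is a shifted copy of `exch.nr_exchanged` (`>> in_chunk_order` in one branch, `<< out_chunk_order` in the other), and the left shift is only safe if earlier validation bounds `nr_exchanged` tightly enough that it cannot overflow; that validation is not visible in this hunk. A short comment on each added check would make the dependency explicit, for example `/* Output index of the first not-yet-exchanged extent; the shift cannot overflow given the size checks above. */`, once those checks are confirmed in the part of memory_exchange() outside the hunk. The two added blocks differ only in that index, so storing it in a local in each branch and validating once after the `if`/`else` would keep the two paths from drifting apart.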
--- xen/include/asm-x86/x86_64/uaccess.h
+++ xen/include/asm-x86/x86_64/uaccess.h
@@ -29,8 +29,9 @@ extern void *xlat_malloc(unsigned long *
 /*
  * Valid if in +ve half of 48-bit address space, or above Xen-reserved area.
  * This is also valid for range checks (addr, addr+size). As long as the
- * start address is outside the Xen-reserved area then we will access a
- * non-canonical address (and thus fault) before ever reaching VIRT_START.
+ * start address is outside the Xen-reserved area, sequential accesses
+ * (starting at addr) will hit a non-canonical address (and thus fault)
+ * before ever reaching VIRT_START.
  */
 #define __addr_ok(addr) \
     (((unsigned long)(addr) < (1UL<<47)) || \
@@ -40,7 +41,8 @@ extern void *xlat_malloc(unsigned long *
     (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size))
 
 #define array_access_ok(addr, count, size) \
-    (access_ok(addr, (count)*(size)))
+    (likely(((count) ?: 0UL) < (~0UL / (size))) && \
+     access_ok(addr, (count) * (size)))
 
 #define __compat_addr_ok(d, addr) \
     ((unsigned long)(addr) < HYPERVISOR_COMPAT_VIRT_START(d))
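Review bot: The overflow guard added to `array_access_ok` relies on the GNU `?:` shorthand in `(count) ?: 0UL`, apparently to convert `count` to `unsigned long` without a cast so that a negative or narrower count is compared as an unsigned value, and that intent is not documented. A comment above the macro would spare the next reader from working it out, e.g. `/* "?: 0UL" promotes count to unsigned long; reject count * size overflow before access_ok() sees the product. */`. The macro also expands `count` and `size` more than once, so callers must pass side-effect-free expressions, which is worth stating in the same comment.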