pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2020Q1]: pkgsrc/sysutils/xenkernel411 Pullup ticket #6160 - re...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2e51af7cf2a5
branches:  pkgsrc-2020Q1
changeset: 427501:2e51af7cf2a5
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Fri Apr 17 12:34:14 2020 +0000

description:
Pullup ticket #6160 - requested by bouyer
sysutils/xenkernel411: security fix

Revisions pulled up:
- sysutils/xenkernel411/Makefile                                1.13
- sysutils/xenkernel411/distinfo                                1.10-1.11
- sysutils/xenkernel411/patches/patch-XSA313                    1.1
- sysutils/xenkernel411/patches/patch-XSA316                    1.1
- sysutils/xenkernel411/patches/patch-XSA318                    1.1

---
   Module Name: pkgsrc
   Committed By:        bouyer
   Date:                Wed Apr 15 15:37:20 UTC 2020

   Modified Files:
        pkgsrc/sysutils/xenkernel411: Makefile distinfo
   Added Files:
        pkgsrc/sysutils/xenkernel411/patches: patch-XSA313 patch-XSA318

   Log Message:
   Apply upstream patches for security issues XSA313 and XSA318.
   Bump PKGREVISION

---
   Module Name: pkgsrc
   Committed By:        bouyer
   Date:                Wed Apr 15 15:45:05 UTC 2020

   Modified Files:
        pkgsrc/sysutils/xenkernel411: distinfo
   Added Files:
        pkgsrc/sysutils/xenkernel411/patches: patch-XSA316

   Log Message:
   Also apply patch for XSA316. ride previous PKGREVISION bump

diffstat:

 sysutils/xenkernel411/Makefile             |    4 +-
 sysutils/xenkernel411/distinfo             |    5 +-
 sysutils/xenkernel411/patches/patch-XSA313 |  160 +++++++++++++++++++++++++++++
 sysutils/xenkernel411/patches/patch-XSA316 |   32 +++++
 sysutils/xenkernel411/patches/patch-XSA318 |   41 +++++++
 5 files changed, 239 insertions(+), 3 deletions(-)

diffs (277 lines):

diff -r 192e9a28c11f -r 2e51af7cf2a5 sysutils/xenkernel411/Makefile
--- a/sysutils/xenkernel411/Makefile    Fri Apr 17 12:20:47 2020 +0000
+++ b/sysutils/xenkernel411/Makefile    Fri Apr 17 12:34:14 2020 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.12 2019/12/13 13:44:21 bouyer Exp $
+# $NetBSD: Makefile,v 1.12.2.1 2020/04/17 12:34:14 bsiegert Exp $
 
 VERSION=       4.11.3
-PKGREVISION=   1
+PKGREVISION=   2
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel411-${VERSION}
 CATEGORIES=    sysutils
diff -r 192e9a28c11f -r 2e51af7cf2a5 sysutils/xenkernel411/distinfo
--- a/sysutils/xenkernel411/distinfo    Fri Apr 17 12:20:47 2020 +0000
+++ b/sysutils/xenkernel411/distinfo    Fri Apr 17 12:34:14 2020 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.9 2019/12/13 13:44:21 bouyer Exp $
+$NetBSD: distinfo,v 1.9.2.1 2020/04/17 12:34:14 bsiegert Exp $
 
 SHA1 (xen411/xen-4.11.3.tar.gz) = 2d77152168d6f9dcea50db9cb8e3e6a0720a4a1b
 RMD160 (xen411/xen-4.11.3.tar.gz) = cfb2e699842867b60d25a01963c564a6c5e580da
@@ -10,6 +10,9 @@
 SHA1 (patch-XSA309) = 78cf7306e9d1efcbf2ebf425025d46948ae83019
 SHA1 (patch-XSA310) = 77b711f4b75de1d473a6988eb6f2b48e37cc353a
 SHA1 (patch-XSA311) = 4d3e6cc39c2b95cb3339961271df2bc885667927
+SHA1 (patch-XSA313) = b2f281d6aed1207727cd454dcb5e914c7f6fb44b
+SHA1 (patch-XSA316) = 9cce683315e4c1ca6d53b578e69ae71e1db2b3eb
+SHA1 (patch-XSA318) = d0dcbb99ab584098aed7995a7a05d5bf4ac28d47
 SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6
 SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac
 SHA1 (patch-xen_arch_x86_Rules.mk) = 0bedfc53a128a87b6a249ae04fbdf6a053bfb70b
diff -r 192e9a28c11f -r 2e51af7cf2a5 sysutils/xenkernel411/patches/patch-XSA313
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel411/patches/patch-XSA313        Fri Apr 17 12:34:14 2020 +0000
@@ -0,0 +1,160 @@
+$NetBSD: patch-XSA313,v 1.1.2.2 2020/04/17 12:34:14 bsiegert Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: xenoprof: clear buffer intended to be shared with guests
+
+alloc_xenheap_pages() making use of MEMF_no_scrub is fine for Xen
+internally used allocations, but buffers allocated to be shared with
+(unpriviliged) guests need to be zapped of their prior content.
+
+This is part of XSA-313.
+
+Reported-by: Ilja Van Sprundel <ivansprundel%ioactive.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Wei Liu <wl%xen.org@localhost>
+
+--- xen/common/xenoprof.c.orig
++++ xen/common/xenoprof.c
+@@ -253,6 +253,9 @@ static int alloc_xenoprof_struct(
+         return -ENOMEM;
+     }
+ 
++    for ( i = 0; i < npages; ++i )
++        clear_page(d->xenoprof->rawbuf + i * PAGE_SIZE);
++
+     d->xenoprof->npages = npages;
+     d->xenoprof->nbuf = nvcpu;
+     d->xenoprof->bufsize = bufsize;
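Review bot: The new clear_page() loop in alloc_xenoprof_struct() carries no comment saying why the buffer is scrubbed at this point, and it depends on a counter `i` whose declaration lies outside the visible lines. Add a one-line comment above the loop stating that rawbuf is shared with guests and must not carry prior content, and confirm that `i` has a type wide enough that `i * PAGE_SIZE` cannot overflow for the largest npages this function accepts.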
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: xenoprof: limit consumption of shared buffer data
+
+Since a shared buffer can be written to by the guest, we may only read
+the head and tail pointers from there (all other fields should only ever
+be written to). Furthermore, for any particular operation the two values
+must be read exactly once, with both checks and consumption happening
+with the thus read values. (The backtrace related xenoprof_buf_space()
+use in xenoprof_log_event() is an exception: The values used there get
+re-checked by every subsequent xenoprof_add_sample().)
+
+Since that code needed touching, also fix the double increment of the
+lost samples count in case the backtrace related xenoprof_add_sample()
+invocation in xenoprof_log_event() fails.
+
+Where code is being touched anyway, add const as appropriate, but take
+the opportunity to entirely drop the now unused domain parameter of
+xenoprof_buf_space().
+
+This is part of XSA-313.
+
+Reported-by: Ilja Van Sprundel <ivansprundel%ioactive.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: George Dunlap <george.dunlap%citrix.com@localhost>
+Reviewed-by: Wei Liu <wl%xen.org@localhost>
+
+--- xen/common/xenoprof.c.orig
++++ xen/common/xenoprof.c
+@@ -479,25 +479,22 @@ static int add_passive_list(XEN_GUEST_HA
+ 
+ 
+ /* Get space in the buffer */
+-static int xenoprof_buf_space(struct domain *d, xenoprof_buf_t * buf, int size)
++static int xenoprof_buf_space(int head, int tail, int size)
+ {
+-    int head, tail;
+-
+-    head = xenoprof_buf(d, buf, event_head);
+-    tail = xenoprof_buf(d, buf, event_tail);
+-
+     return ((tail > head) ? 0 : size) + tail - head - 1;
+ }
+ 
+ /* Check for space and add a sample. Return 1 if successful, 0 otherwise. */
+-static int xenoprof_add_sample(struct domain *d, xenoprof_buf_t *buf,
++static int xenoprof_add_sample(const struct domain *d,
++                               const struct xenoprof_vcpu *v,
+                                uint64_t eip, int mode, int event)
+ {
++    xenoprof_buf_t *buf = v->buffer;
+     int head, tail, size;
+ 
+     head = xenoprof_buf(d, buf, event_head);
+     tail = xenoprof_buf(d, buf, event_tail);
+-    size = xenoprof_buf(d, buf, event_size);
++    size = v->event_size;
+     
+     /* make sure indexes in shared buffer are sane */
+     if ( (head < 0) || (head >= size) || (tail < 0) || (tail >= size) )
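Review bot: xenoprof_buf_space() now takes head and tail by value, but its comment still reads only "Get space in the buffer", so nothing tells a future caller that the arguments must be the same snapshot that was range-checked. Extend the comment to say that head and tail must each be read once from the shared buffer and validated against size before the call. Taking size from `v->event_size` rather than the shared event_size field matches the commit message's rule that only head and tail are read from the shared buffer; a short comment next to `size = v->event_size;` would record that reason in the code.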
+@@ -506,7 +503,7 @@ static int xenoprof_add_sample(struct do
+         return 0;
+     }
+ 
+-    if ( xenoprof_buf_space(d, buf, size) > 0 )
++    if ( xenoprof_buf_space(head, tail, size) > 0 )
+     {
+         xenoprof_buf(d, buf, event_log[head].eip) = eip;
+         xenoprof_buf(d, buf, event_log[head].mode) = mode;
+@@ -530,7 +527,6 @@ static int xenoprof_add_sample(struct do
+ int xenoprof_add_trace(struct vcpu *vcpu, uint64_t pc, int mode)
+ {
+     struct domain *d = vcpu->domain;
+-    xenoprof_buf_t *buf = d->xenoprof->vcpu[vcpu->vcpu_id].buffer;
+ 
+     /* Do not accidentally write an escape code due to a broken frame. */
+     if ( pc == XENOPROF_ESCAPE_CODE )
+@@ -539,7 +535,8 @@ int xenoprof_add_trace(struct vcpu *vcpu
+         return 0;
+     }
+ 
+-    return xenoprof_add_sample(d, buf, pc, mode, 0);
++    return xenoprof_add_sample(d, &d->xenoprof->vcpu[vcpu->vcpu_id],
++                               pc, mode, 0);
+ }
+ 
+ void xenoprof_log_event(struct vcpu *vcpu, const struct cpu_user_regs *regs,
+@@ -570,17 +567,22 @@ void xenoprof_log_event(struct vcpu *vcp
+     /* Provide backtrace if requested. */
+     if ( backtrace_depth > 0 )
+     {
+-        if ( (xenoprof_buf_space(d, buf, v->event_size) < 2) ||
+-             !xenoprof_add_sample(d, buf, XENOPROF_ESCAPE_CODE, mode, 
+-                                  XENOPROF_TRACE_BEGIN) )
++        if ( xenoprof_buf_space(xenoprof_buf(d, buf, event_head),
++                                xenoprof_buf(d, buf, event_tail),
++                                v->event_size) < 2 )
+         {
+             xenoprof_buf(d, buf, lost_samples)++;
+             lost_samples++;
+             return;
+         }
++
++        /* xenoprof_add_sample() will increment lost_samples on failure */
++        if ( !xenoprof_add_sample(d, v, XENOPROF_ESCAPE_CODE, mode,
++                                  XENOPROF_TRACE_BEGIN) )
++            return;
+     }
+ 
+-    if ( xenoprof_add_sample(d, buf, pc, mode, event) )
++    if ( xenoprof_add_sample(d, v, pc, mode, event) )
+     {
+         if ( is_active(vcpu->domain) )
+             active_samples++;
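Review bot: In the backtrace branch of xenoprof_log_event(), the `< 2` space check reads event_head and event_tail from the shared buffer and xenoprof_add_sample() then reads them again, so the check is only a hint and does not guarantee that both samples fit. The commit message explains why this is acceptable, but the code does not; add a comment at the check saying the values are re-validated by every subsequent xenoprof_add_sample() call. The same branch keeps `xenoprof_buf(d, buf, lost_samples)++`, which is a read-modify-write of a guest-writable field, so it is worth checking whether that should become a plain store derived from a Xen-side counter.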
+--- xen/include/xen/xenoprof.h.orig
++++ xen/include/xen/xenoprof.h
+@@ -61,12 +61,12 @@ struct xenoprof {
+ 
+ #ifndef CONFIG_COMPAT
+ #define XENOPROF_COMPAT(x) 0
+-#define xenoprof_buf(d, b, field) ((b)->field)
++#define xenoprof_buf(d, b, field) ACCESS_ONCE((b)->field)
+ #else
+ #define XENOPROF_COMPAT(x) ((x)->is_compat)
+-#define xenoprof_buf(d, b, field) (*(!(d)->xenoprof->is_compat ? \
+-                                       &(b)->native.field : \
+-                                       &(b)->compat.field))
++#define xenoprof_buf(d, b, field) ACCESS_ONCE(*(!(d)->xenoprof->is_compat \
++                                                ? &(b)->native.field \
++                                                : &(b)->compat.field))
+ #endif
+ 
+ struct domain;
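Review bot: Both variants of xenoprof_buf() are now wrapped in ACCESS_ONCE, yet the macro is used as a store target as well as for reads (for example `xenoprof_buf(d, buf, event_log[head].eip) = eip;` in xenoprof.c), and no comment documents that. Add a comment above the macro stating that it yields a single volatile access to a guest-shared field and is valid on either side of an assignment, so a later edit does not reintroduce a plain dereference.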
diff -r 192e9a28c11f -r 2e51af7cf2a5 sysutils/xenkernel411/patches/patch-XSA316
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel411/patches/patch-XSA316        Fri Apr 17 12:34:14 2020 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-XSA316,v 1.1.2.2 2020/04/17 12:34:14 bsiegert Exp $
+
+From: Ross Lagerwall <ross.lagerwall%citrix.com@localhost>
+Subject: xen/gnttab: Fix error path in map_grant_ref()
+
+Part of XSA-295 (c/s 863e74eb2cffb) inadvertently re-positioned the brackets,
+changing the logic.  If the _set_status() call fails, the grant_map hypercall
+would fail with a status of 1 (rc != GNTST_okay) instead of the expected
+negative GNTST_* error.
+
+This error path can be taken due to bad guest state, and causes net/blk-back
+in Linux to crash.
+
+This is XSA-316.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall%citrix.com@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Julien Grall <jgrall%amazon.com@localhost>
+
+diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
+index 9fd6e60416..4b5344dc21 100644
+--- xen/common/grant_table.c.orig
++++ xen/common/grant_table.c
+@@ -1031,7 +1031,7 @@ map_grant_ref(
+     {
+         if ( (rc = _set_status(shah, status, rd, rgt->gt_version, act,
+                                op->flags & GNTMAP_readonly, 1,
+-                               ld->domain_id) != GNTST_okay) )
++                               ld->domain_id)) != GNTST_okay )
+             goto act_release_out;
+ 
+         if ( !act->pin )
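Review bot: The fix moves one parenthesis inside an assignment-in-condition in map_grant_ref(), and the corrected form is just as easy to break again in a later edit. Consider hoisting the assignment out of the if, that is `rc = _set_status(...);` followed by `if ( rc != GNTST_okay )`, so that rc can never receive the result of the comparison instead of the GNTST_* value.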
diff -r 192e9a28c11f -r 2e51af7cf2a5 sysutils/xenkernel411/patches/patch-XSA318
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel411/patches/patch-XSA318        Fri Apr 17 12:34:14 2020 +0000
@@ -0,0 +1,41 @@
+$NetBSD: patch-XSA318,v 1.1.2.2 2020/04/17 12:34:14 bsiegert Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: gnttab: fix GNTTABOP_copy continuation handling
+
+The XSA-226 fix was flawed - the backwards transformation on rc was done
+too early, causing a continuation to not get invoked when the need for
+preemption was determined at the very first iteration of the request.
+This in particular means that all of the status fields of the individual
+operations would be left untouched, i.e. set to whatever the caller may
+or may not have initialized them to.
+
+This is part of XSA-318.
+
+Reported-by: Pawel Wieczorkiewicz <wipawel%amazon.de@localhost>
+Tested-by: Pawel Wieczorkiewicz <wipawel%amazon.de@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Juergen Gross <jgross%suse.com@localhost>
+
+--- xen/common/grant_table.c.orig
++++ xen/common/grant_table.c
+@@ -3576,8 +3576,7 @@ do_grant_table_op(
+         rc = gnttab_copy(copy, count);
+         if ( rc > 0 )
+         {
+-            rc = count - rc;
+-            guest_handle_add_offset(copy, rc);
++            guest_handle_add_offset(copy, count - rc);
+             uop = guest_handle_cast(copy, void);
+         }
+         break;
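Review bot: With `rc = count - rc;` removed from the GNTTABOP_copy case, rc leaves this block still holding the untransformed gnttab_copy() return value, and nothing at this site says so. Add a comment here noting that the conversion is deferred to the out: path, since the only explanation is in the second hunk of this patch.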
+@@ -3644,6 +3643,9 @@ do_grant_table_op(
+   out:
+     if ( rc > 0 || opaque_out != 0 )
+     {
++        /* Adjust rc, see gnttab_copy() for why this is needed. */
++        if ( cmd == GNTTABOP_copy )
++            rc = count - rc;
+         ASSERT(rc < count);
+         ASSERT((opaque_out & GNTTABOP_CMD_MASK) == 0);
+         rc = hypercall_create_continuation(__HYPERVISOR_grant_table_op, "ihi",
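Review bot: The adjustment `rc = count - rc;` under out: runs whenever the enclosing condition `rc > 0 || opaque_out != 0` holds, so for GNTTABOP_copy it would also run with rc <= 0 if opaque_out were non-zero, and the following `ASSERT(rc < count)` would then fail. Either confirm that opaque_out cannot be set for GNTTABOP_copy and say so in the comment, or tighten the test to `if ( cmd == GNTTABOP_copy && rc > 0 )`.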


