pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/sysutils/xenkernel41 add patches from upstream to fix ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0c883e52a7f0
branches:  trunk
changeset: 624825:0c883e52a7f0
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Tue Oct 01 14:54:44 2013 +0000

description:
add patches from upstream to fix security problems:
-Information leak on AVX and/or LWP capable CPUs (CVE-2013-1442 / XSA-62)
-Information leaks through I/O instruction emulation
 (CVE-2013-4355 / XSA-63)
-Information leak through fbld instruction emulation
 (CVE-2013-4361 / XSA-66)
bump PKGREV

diffstat:

 sysutils/xenkernel41/Makefile                      |   3 +-
 sysutils/xenkernel41/distinfo                      |   8 ++-
 sysutils/xenkernel41/patches/patch-CVE-2013-1442   |  27 ++++++++
 sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 |  38 +++++++++++
 sysutils/xenkernel41/patches/patch-CVE-2013-4355_2 |  71 ++++++++++++++++++++++
 sysutils/xenkernel41/patches/patch-CVE-2013-4355_3 |  36 +++++++++++
 sysutils/xenkernel41/patches/patch-CVE-2013-4355_4 |  24 +++++++
 sysutils/xenkernel41/patches/patch-CVE-2013-4361   |  20 ++++++
 8 files changed, 225 insertions(+), 2 deletions(-)

diffs (274 lines):

diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/Makefile
--- a/sysutils/xenkernel41/Makefile     Tue Oct 01 14:50:38 2013 +0000
+++ b/sysutils/xenkernel41/Makefile     Tue Oct 01 14:54:44 2013 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.25 2013/09/27 11:35:07 joerg Exp $
+# $NetBSD: Makefile,v 1.26 2013/10/01 14:54:44 drochner Exp $
 #
 
 VERSION=       4.1.6.1
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel41-${VERSION}
+PKGREVISION=   1
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/distinfo
--- a/sysutils/xenkernel41/distinfo     Tue Oct 01 14:50:38 2013 +0000
+++ b/sysutils/xenkernel41/distinfo     Tue Oct 01 14:54:44 2013 +0000
@@ -1,8 +1,14 @@
-$NetBSD: distinfo,v 1.19 2013/09/11 18:00:33 drochner Exp $
+$NetBSD: distinfo,v 1.20 2013/10/01 14:54:44 drochner Exp $
 
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
+SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
+SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a
+SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
+SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
+SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
+SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-1442
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-1442  Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-CVE-2013-1442,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg02523.html
+
+--- xen/arch/x86/i387.c.orig   2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/i387.c        2013-09-30 15:23:07.000000000 +0000
+@@ -103,9 +103,9 @@ void setup_fpu(struct vcpu *v)
+     {
+         /*
+          * XCR0 normally represents what guest OS set. In case of Xen itself, 
+-         * we set all supported feature mask before doing save/restore.
++         * we set all supported feature mask before restoring.
+          */
+-        set_xcr0(v->arch.xcr0_accum);
++        set_xcr0(xfeature_mask);
+         xrstor(v);
+         set_xcr0(v->arch.xcr0);
+     }
+@@ -149,7 +149,7 @@ void save_init_fpu(struct vcpu *v)
+     if ( xsave_enabled(v) )
+     {
+         /* XCR0 normally represents what guest OS set. In case of Xen itself,
+-         * we set all accumulated feature mask before doing save/restore.
++         * we set all accumulated feature mask before saving.
+          */
+         set_xcr0(v->arch.xcr0_accum);
+         if ( cpu_has_xsaveopt )
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1        Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,38 @@
+$NetBSD: patch-CVE-2013-4355_1,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
+
+--- xen/arch/x86/hvm/hvm.c.orig        2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c     2013-09-30 15:23:07.000000000 +0000
+@@ -1961,11 +1961,7 @@ void hvm_task_switch(
+ 
+     rc = hvm_copy_from_guest_virt(
+         &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
+-    if ( rc == HVMCOPY_bad_gva_to_gfn )
+-        goto out;
+-    if ( rc == HVMCOPY_gfn_paged_out )
+-        goto out;
+-    if ( rc == HVMCOPY_gfn_shared )
++    if ( rc != HVMCOPY_okay )
+         goto out;
+ 
+     eflags = regs->eflags;
+@@ -2010,13 +2006,11 @@ void hvm_task_switch(
+ 
+     rc = hvm_copy_from_guest_virt(
+         &tss, tr.base, sizeof(tss), PFEC_page_present);
+-    if ( rc == HVMCOPY_bad_gva_to_gfn )
+-        goto out;
+-    if ( rc == HVMCOPY_gfn_paged_out )
+-        goto out;
+-    /* Note: this could be optimised, if the callee functions knew we want RO
+-     * access */
+-    if ( rc == HVMCOPY_gfn_shared )
++    /*
++     * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
++     * functions knew we want RO access.
++     */
++    if ( rc != HVMCOPY_okay )
+         goto out;
+ 
+ 
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_2
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_2        Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,71 @@
+$NetBSD: patch-CVE-2013-4355_2,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/intercept.c.orig  2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/intercept.c       2013-09-30 15:23:07.000000000 +0000
+@@ -93,17 +93,28 @@ static int hvm_mmio_access(struct vcpu *
+     {
+         for ( i = 0; i < p->count; i++ )
+         {
+-            int ret;
+-
+-            ret = hvm_copy_from_guest_phys(&data,
+-                                           p->data + (sign * i * p->size),
+-                                           p->size);
+-            if ( (ret == HVMCOPY_gfn_paged_out) || 
+-                 (ret == HVMCOPY_gfn_shared) )
++            switch ( hvm_copy_from_guest_phys(&data,
++                                              p->data + sign * i * p->size,
++                                              p->size) )
+             {
++            case HVMCOPY_okay:
++                break;
++            case HVMCOPY_gfn_paged_out:
++            case HVMCOPY_gfn_shared:
+                 rc = X86EMUL_RETRY;
+                 break;
++            case HVMCOPY_bad_gfn_to_mfn:
++                data = ~0;
++                break;
++            case HVMCOPY_bad_gva_to_gfn:
++                ASSERT(0);
++                /* fall through */
++            default:
++                rc = X86EMUL_UNHANDLEABLE;
++                break;
+             }
++            if ( rc != X86EMUL_OKAY )
++                break;
+             rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
+                                data);
+             if ( rc != X86EMUL_OKAY )
+@@ -171,8 +182,28 @@ static int process_portio_intercept(port
+         for ( i = 0; i < p->count; i++ )
+         {
+             data = 0;
+-            (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
+-                                           p->size);
++            switch ( hvm_copy_from_guest_phys(&data,
++                                              p->data + sign * i * p->size,
++                                              p->size) )
++            {
++            case HVMCOPY_okay:
++                break;
++            case HVMCOPY_gfn_paged_out:
++            case HVMCOPY_gfn_shared:
++                rc = X86EMUL_RETRY;
++                break;
++            case HVMCOPY_bad_gfn_to_mfn:
++                data = ~0;
++                break;
++            case HVMCOPY_bad_gva_to_gfn:
++                ASSERT(0);
++                /* fall through */
++            default:
++                rc = X86EMUL_UNHANDLEABLE;
++                break;
++            }
++            if ( rc != X86EMUL_OKAY )
++                break;
+             rc = action(IOREQ_WRITE, p->addr, p->size, &data);
+             if ( rc != X86EMUL_OKAY )
+                 break;
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_3
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_3        Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-CVE-2013-4355_3,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/io.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/io.c      2013-09-30 15:23:07.000000000 +0000
+@@ -333,14 +333,24 @@ static int dpci_ioport_write(uint32_t mp
+         data = p->data;
+         if ( p->data_is_ptr )
+         {
+-            int ret;
+-            
+-            ret = hvm_copy_from_guest_phys(&data, 
+-                                           p->data + (sign * i * p->size),
+-                                           p->size);
+-            if ( (ret == HVMCOPY_gfn_paged_out) &&
+-                 (ret == HVMCOPY_gfn_shared) )
++            switch ( hvm_copy_from_guest_phys(&data,
++                                              p->data + sign * i * p->size,
++                                              p->size) )
++            {
++            case HVMCOPY_okay:
++                break;
++            case HVMCOPY_gfn_paged_out:
++            case HVMCOPY_gfn_shared:
+                 return X86EMUL_RETRY;
++            case HVMCOPY_bad_gfn_to_mfn:
++                data = ~0;
++                break;
++            case HVMCOPY_bad_gva_to_gfn:
++                ASSERT(0);
++                /* fall through */
++            default:
++                return X86EMUL_UNHANDLEABLE;
++            }
+         }
+ 
+         switch ( p->size )
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4355_4
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_4        Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2013-4355_4,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+--- xen/arch/x86/hvm/vmx/realmode.c.orig       2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/hvm/vmx/realmode.c    2013-09-30 15:23:07.000000000 +0000
+@@ -38,7 +38,9 @@ static void realmode_deliver_exception(
+ 
+  again:
+     last_byte = (vector * 4) + 3;
+-    if ( idtr->limit < last_byte )
++    if ( idtr->limit < last_byte ||
++         hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
++         HVMCOPY_okay )
+     {
+         /* Software interrupt? */
+         if ( insn_len != 0 )
+@@ -63,8 +65,6 @@ static void realmode_deliver_exception(
+         }
+     }
+ 
+-    (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
+-
+     frame[0] = regs->eip + insn_len;
+     frame[1] = csr->sel;
+     frame[2] = regs->eflags & ~X86_EFLAGS_RF;
diff -r 23be63791822 -r 0c883e52a7f0 sysutils/xenkernel41/patches/patch-CVE-2013-4361
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4361  Tue Oct 01 14:54:44 2013 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2013-4361,v 1.1 2013/10/01 14:54:44 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03162.html
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig        2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/x86_emulate/x86_emulate.c     2013-09-30 15:23:08.000000000 +0000
+@@ -2975,11 +2975,11 @@ x86_emulate(
+                 break;
+             case 4: /* fbld m80dec */
+                 ea.bytes = 10;
+-                dst = ea;
++                src = ea;
+                 if ( (rc = ops->read(src.mem.seg, src.mem.off,
+                                      &src.val, src.bytes, ctxt)) != 0 )
+                     goto done;
+-                emulate_fpu_insn_memdst("fbld", src.val);
++                emulate_fpu_insn_memsrc("fbld", src.val);
+                 break;
+             case 5: /* fild m64i */
+                 ea.bytes = 8;



Home | Main Index | Thread Index | Old Index