pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/sysutils



Module Name:    pkgsrc
Committed By:   bouyer
Date:           Tue Dec 20 10:22:29 UTC 2016

Modified Files:
        pkgsrc/sysutils/xenkernel41: Makefile distinfo
        pkgsrc/sysutils/xenkernel42: Makefile distinfo
        pkgsrc/sysutils/xenkernel45: Makefile distinfo
        pkgsrc/sysutils/xenkernel46: Makefile distinfo
        pkgsrc/sysutils/xentools41: Makefile distinfo
        pkgsrc/sysutils/xentools42: Makefile distinfo
        pkgsrc/sysutils/xentools45: Makefile distinfo
        pkgsrc/sysutils/xentools46: Makefile distinfo
Added Files:
        pkgsrc/sysutils/xenkernel41/patches: patch-XSA-200 patch-XSA-204
        pkgsrc/sysutils/xenkernel42/patches: patch-XSA-200 patch-XSA-204
        pkgsrc/sysutils/xenkernel45/patches: patch-XSA-200 patch-XSA-204
        pkgsrc/sysutils/xenkernel46/patches: patch-XSA-200 patch-XSA-204
        pkgsrc/sysutils/xentools41/patches: patch-XSA-199
        pkgsrc/sysutils/xentools42/patches: patch-XSA-199
        pkgsrc/sysutils/xentools45/patches: patch-XSA-199
        pkgsrc/sysutils/xentools46/patches: patch-XSA-199

Log Message:
Apply upstream patch for XSA-199, XSA-200 and XSA-204.
Bump PKGREVISIONs


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 pkgsrc/sysutils/xenkernel41/Makefile
cvs rdiff -u -r1.45 -r1.46 pkgsrc/sysutils/xenkernel41/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel41/patches/patch-XSA-200 \
    pkgsrc/sysutils/xenkernel41/patches/patch-XSA-204
cvs rdiff -u -r1.24 -r1.25 pkgsrc/sysutils/xenkernel42/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/sysutils/xenkernel42/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel42/patches/patch-XSA-200 \
    pkgsrc/sysutils/xenkernel42/patches/patch-XSA-204
cvs rdiff -u -r1.23 -r1.24 pkgsrc/sysutils/xenkernel45/Makefile
cvs rdiff -u -r1.19 -r1.20 pkgsrc/sysutils/xenkernel45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-XSA-200 \
    pkgsrc/sysutils/xenkernel45/patches/patch-XSA-204
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/xenkernel46/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/sysutils/xenkernel46/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel46/patches/patch-XSA-200 \
    pkgsrc/sysutils/xenkernel46/patches/patch-XSA-204
cvs rdiff -u -r1.64 -r1.65 pkgsrc/sysutils/xentools41/Makefile
cvs rdiff -u -r1.43 -r1.44 pkgsrc/sysutils/xentools41/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools41/patches/patch-XSA-199
cvs rdiff -u -r1.51 -r1.52 pkgsrc/sysutils/xentools42/Makefile
cvs rdiff -u -r1.29 -r1.30 pkgsrc/sysutils/xentools42/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools42/patches/patch-XSA-199
cvs rdiff -u -r1.40 -r1.41 pkgsrc/sysutils/xentools45/Makefile
cvs rdiff -u -r1.28 -r1.29 pkgsrc/sysutils/xentools45/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools45/patches/patch-XSA-199
cvs rdiff -u -r1.4 -r1.5 pkgsrc/sysutils/xentools46/Makefile
cvs rdiff -u -r1.2 -r1.3 pkgsrc/sysutils/xentools46/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools46/patches/patch-XSA-199

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/sysutils/xenkernel41/Makefile
diff -u pkgsrc/sysutils/xenkernel41/Makefile:1.52 pkgsrc/sysutils/xenkernel41/Makefile:1.53
--- pkgsrc/sysutils/xenkernel41/Makefile:1.52   Tue Nov 22 20:53:40 2016
+++ pkgsrc/sysutils/xenkernel41/Makefile        Tue Dec 20 10:22:28 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.52 2016/11/22 20:53:40 bouyer Exp $
+# $NetBSD: Makefile,v 1.53 2016/12/20 10:22:28 bouyer Exp $
 
 VERSION=       4.1.6.1
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel41-${VERSION}
-PKGREVISION=   21
+PKGREVISION=   22
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xenkernel41/distinfo
diff -u pkgsrc/sysutils/xenkernel41/distinfo:1.45 pkgsrc/sysutils/xenkernel41/distinfo:1.46
--- pkgsrc/sysutils/xenkernel41/distinfo:1.45   Tue Nov 22 20:53:40 2016
+++ pkgsrc/sysutils/xenkernel41/distinfo        Tue Dec 20 10:22:28 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2016/11/22 20:53:40 bouyer Exp $
+$NetBSD: distinfo,v 1.46 2016/12/20 10:22:28 bouyer Exp $
 
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
@@ -44,6 +44,8 @@ SHA1 (patch-XSA-187-2) = e21b24771fa9417
 SHA1 (patch-XSA-191) = 5da559e104543b8d22ea60378d9160d2ad83b8d0
 SHA1 (patch-XSA-192) = b0f2801fe6db91c2a98b82897cdee057062c6c2b
 SHA1 (patch-XSA-195) = a04295b397126e1cc1f129bb3cb9fb872fcbb373
+SHA1 (patch-XSA-200) = 2e5f6e3596fa754030af29a1dc8fafb738ad1da4
+SHA1 (patch-XSA-204) = 99e2b88b551d80724fcc27f925fbf65d3fc468de
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_cpu_mcheck_vmce.c) = 5afd01780a13654f1d21bf1562f6431c8370be0b

Index: pkgsrc/sysutils/xenkernel42/Makefile
diff -u pkgsrc/sysutils/xenkernel42/Makefile:1.24 pkgsrc/sysutils/xenkernel42/Makefile:1.25
--- pkgsrc/sysutils/xenkernel42/Makefile:1.24   Tue Nov 22 20:55:29 2016
+++ pkgsrc/sysutils/xenkernel42/Makefile        Tue Dec 20 10:22:28 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.24 2016/11/22 20:55:29 bouyer Exp $
+# $NetBSD: Makefile,v 1.25 2016/12/20 10:22:28 bouyer Exp $
 
 VERSION=       4.2.5
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel42-${VERSION}
-PKGREVISION=   13
+PKGREVISION=   14
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xenkernel42/distinfo
diff -u pkgsrc/sysutils/xenkernel42/distinfo:1.23 pkgsrc/sysutils/xenkernel42/distinfo:1.24
--- pkgsrc/sysutils/xenkernel42/distinfo:1.23   Tue Nov 22 20:55:29 2016
+++ pkgsrc/sysutils/xenkernel42/distinfo        Tue Dec 20 10:22:28 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2016/11/22 20:55:29 bouyer Exp $
+$NetBSD: distinfo,v 1.24 2016/12/20 10:22:28 bouyer Exp $
 
 SHA1 (xen-4.2.5.tar.gz) = f42741e4ec174495ace70c4b17a6b9b0e60e798a
 RMD160 (xen-4.2.5.tar.gz) = 7d4f7f1b32ee541d341a756b1f8da02816438d19
@@ -33,6 +33,8 @@ SHA1 (patch-XSA-187-2) = ed2d384b4cf4294
 SHA1 (patch-XSA-191) = 7a5e2e78c457c5922e2ccd711f2a39afba238e40
 SHA1 (patch-XSA-192) = f95757227ece59a2f320308edefcf01f1a96212c
 SHA1 (patch-XSA-195) = bb20234c4db0dc098ea47564732e87710bfcb9d8
+SHA1 (patch-XSA-200) = 2f615fa9c4ac43fc98f6c897acb5ee7e4651a668
+SHA1 (patch-XSA-204) = f6a59adf3cbd0aab59ccf233240a6b4e9ee2913b
 SHA1 (patch-xen_Makefile) = e0d1b74518b9675ddc64295d1523ded9a8757c0a
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
 SHA1 (patch-xen_arch_x86_hvm_hvm.c) = b6bac1d466ba5bc276bc3aea9d4c9df37f2b9b0f

Index: pkgsrc/sysutils/xenkernel45/Makefile
diff -u pkgsrc/sysutils/xenkernel45/Makefile:1.23 pkgsrc/sysutils/xenkernel45/Makefile:1.24
--- pkgsrc/sysutils/xenkernel45/Makefile:1.23   Tue Nov 22 20:57:10 2016
+++ pkgsrc/sysutils/xenkernel45/Makefile        Tue Dec 20 10:22:28 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.23 2016/11/22 20:57:10 bouyer Exp $
+# $NetBSD: Makefile,v 1.24 2016/12/20 10:22:28 bouyer Exp $
 
 VERSION=       4.5.5
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel45-${VERSION}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xenkernel45/distinfo
diff -u pkgsrc/sysutils/xenkernel45/distinfo:1.19 pkgsrc/sysutils/xenkernel45/distinfo:1.20
--- pkgsrc/sysutils/xenkernel45/distinfo:1.19   Tue Nov 22 20:57:10 2016
+++ pkgsrc/sysutils/xenkernel45/distinfo        Tue Dec 20 10:22:28 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2016/11/22 20:57:10 bouyer Exp $
+$NetBSD: distinfo,v 1.20 2016/12/20 10:22:28 bouyer Exp $
 
 SHA1 (xen-4.5.5.tar.gz) = 4073d411c72d3298baacfc15577b92b9ae577073
 RMD160 (xen-4.5.5.tar.gz) = 34132ab04752dc594fbdc1404c95f402b7bbbe39
@@ -11,6 +11,8 @@ SHA1 (patch-XSA-193) = 7088e2278da771f71
 SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
 SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
 SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
+SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874
+SHA1 (patch-XSA-204) = 4d5616f418e3ea010af4cb9e5d1ad14c8adcbf1c
 SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03

Index: pkgsrc/sysutils/xenkernel46/Makefile
diff -u pkgsrc/sysutils/xenkernel46/Makefile:1.4 pkgsrc/sysutils/xenkernel46/Makefile:1.5
--- pkgsrc/sysutils/xenkernel46/Makefile:1.4    Tue Nov 22 20:59:01 2016
+++ pkgsrc/sysutils/xenkernel46/Makefile        Tue Dec 20 10:22:28 2016
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $
+# $NetBSD: Makefile,v 1.5 2016/12/20 10:22:28 bouyer Exp $
 
 VERSION=       4.6.3
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel46-${VERSION}
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xenkernel46/distinfo
diff -u pkgsrc/sysutils/xenkernel46/distinfo:1.3 pkgsrc/sysutils/xenkernel46/distinfo:1.4
--- pkgsrc/sysutils/xenkernel46/distinfo:1.3    Tue Nov 22 20:59:01 2016
+++ pkgsrc/sysutils/xenkernel46/distinfo        Tue Dec 20 10:22:28 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2016/11/22 20:59:01 bouyer Exp $
+$NetBSD: distinfo,v 1.4 2016/12/20 10:22:28 bouyer Exp $
 
 SHA1 (xen-4.6.3.tar.gz) = 2aa59d0a05a6c5ac7f336f2069c66a54f95c4349
 RMD160 (xen-4.6.3.tar.gz) = 2798bd888ee001a4829165e55feb705a86af4f74
@@ -16,6 +16,8 @@ SHA1 (patch-XSA-193) = 89fdeea8af25de42b
 SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
 SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
 SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
+SHA1 (patch-XSA-200) = 37254653e3f9016de0440047465fddce7e9b1874
+SHA1 (patch-XSA-204) = 05defb8d99976a712024d35a81f4dde5627107d9
 SHA1 (patch-xen_Makefile) = be3f4577a205b23187b91319f91c50720919f70b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03

Index: pkgsrc/sysutils/xentools41/Makefile
diff -u pkgsrc/sysutils/xentools41/Makefile:1.64 pkgsrc/sysutils/xentools41/Makefile:1.65
--- pkgsrc/sysutils/xentools41/Makefile:1.64    Tue Nov 22 20:53:40 2016
+++ pkgsrc/sysutils/xentools41/Makefile Tue Dec 20 10:22:29 2016
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.64 2016/11/22 20:53:40 bouyer Exp $
+# $NetBSD: Makefile,v 1.65 2016/12/20 10:22:29 bouyer Exp $
 #
 # VERSION is set in version.mk as it is shared with other packages
 .include               "version.mk"
 
 DISTNAME=              xen-${VERSION}
 PKGNAME=               xentools41-${VERSION}
-PKGREVISION=           17
+PKGREVISION=           18
 CATEGORIES=            sysutils
 MASTER_SITES=  http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xentools41/distinfo
diff -u pkgsrc/sysutils/xentools41/distinfo:1.43 pkgsrc/sysutils/xentools41/distinfo:1.44
--- pkgsrc/sysutils/xentools41/distinfo:1.43    Tue Nov 22 20:53:40 2016
+++ pkgsrc/sysutils/xentools41/distinfo Tue Dec 20 10:22:29 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.43 2016/11/22 20:53:40 bouyer Exp $
+$NetBSD: distinfo,v 1.44 2016/12/20 10:22:29 bouyer Exp $
 
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -19,6 +19,7 @@ SHA1 (patch-CVE-2015-8550) = dfd72a54d27
 SHA1 (patch-CVE-2015-8554) = 7f444009519399038c657fa3e59fd2170f99bb70
 SHA1 (patch-XSA-197) = 4980664bbb3f3d8277f888f6304a8552ec714a26
 SHA1 (patch-XSA-198) = 98a18927de1e3427cb4fbcc5675fa608d1cd5ba8
+SHA1 (patch-XSA-199) = 406f14cdb356f0d7abe3a843a5efa1dc398c77bd
 SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada
 SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d
 SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb

Index: pkgsrc/sysutils/xentools42/Makefile
diff -u pkgsrc/sysutils/xentools42/Makefile:1.51 pkgsrc/sysutils/xentools42/Makefile:1.52
--- pkgsrc/sysutils/xentools42/Makefile:1.51    Tue Nov 22 20:55:29 2016
+++ pkgsrc/sysutils/xentools42/Makefile Tue Dec 20 10:22:29 2016
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.51 2016/11/22 20:55:29 bouyer Exp $
+# $NetBSD: Makefile,v 1.52 2016/12/20 10:22:29 bouyer Exp $
 
 VERSION=       4.2.5
 VERSION_IPXE=  1.0.0
 
 DISTNAME=              xen-${VERSION}
 PKGNAME=               xentools42-${VERSION}
-PKGREVISION=           19
+PKGREVISION=           20
 CATEGORIES=            sysutils
 MASTER_SITES=          http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xentools42/distinfo
diff -u pkgsrc/sysutils/xentools42/distinfo:1.29 pkgsrc/sysutils/xentools42/distinfo:1.30
--- pkgsrc/sysutils/xentools42/distinfo:1.29    Tue Nov 22 20:55:29 2016
+++ pkgsrc/sysutils/xentools42/distinfo Tue Dec 20 10:22:29 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2016/11/22 20:55:29 bouyer Exp $
+$NetBSD: distinfo,v 1.30 2016/12/20 10:22:29 bouyer Exp $
 
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -42,6 +42,7 @@ SHA1 (patch-Rules.mk) = 25a04293f6fe638b
 SHA1 (patch-XSA-197-1) = 79b4bc63bfbe7f69ed3ba38a667f185f8cb65cc9
 SHA1 (patch-XSA-197-2) = 1734d4313b66f958a312676da489b94773524128
 SHA1 (patch-XSA-198) = 38d120b4be3e04f87e75e6838a64d44e180d708b
+SHA1 (patch-XSA-199) = e34c7557a1df7131000f5e408e89d3aaa4b10189
 SHA1 (patch-blktap_drivers_Makefile) = c6be57154a403a64e3d6bc22d6bd833fe33fc9af
 SHA1 (patch-configure) = 11df58a8e1cd6bcc319db0aff508367e59592cba
 SHA1 (patch-examples_Makefile) = ee02f973416ca4ffda5381cd7a4ddb3b43579621

Index: pkgsrc/sysutils/xentools45/Makefile
diff -u pkgsrc/sysutils/xentools45/Makefile:1.40 pkgsrc/sysutils/xentools45/Makefile:1.41
--- pkgsrc/sysutils/xentools45/Makefile:1.40    Tue Nov 22 20:57:10 2016
+++ pkgsrc/sysutils/xentools45/Makefile Tue Dec 20 10:22:29 2016
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.40 2016/11/22 20:57:10 bouyer Exp $
+# $NetBSD: Makefile,v 1.41 2016/12/20 10:22:29 bouyer Exp $
 
 VERSION=       4.5.5
-PKGREVISION=   1
+PKGREVISION=   2
 VERSION_IPXE=  9a93db3f0947484e30e753bbd61a10b17336e20e
 
 DISTNAME=              xen-${VERSION}

Index: pkgsrc/sysutils/xentools45/distinfo
diff -u pkgsrc/sysutils/xentools45/distinfo:1.28 pkgsrc/sysutils/xentools45/distinfo:1.29
--- pkgsrc/sysutils/xentools45/distinfo:1.28    Tue Nov 22 20:57:10 2016
+++ pkgsrc/sysutils/xentools45/distinfo Tue Dec 20 10:22:29 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2016/11/22 20:57:10 bouyer Exp $
+$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -24,6 +24,7 @@ SHA1 (patch-XSA-184) = b9089f29b67d1756e
 SHA1 (patch-XSA-197-1) = a481196957f8942253cb18e5eef089e491d02652
 SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043
 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7
+SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1
 SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f

Index: pkgsrc/sysutils/xentools46/Makefile
diff -u pkgsrc/sysutils/xentools46/Makefile:1.4 pkgsrc/sysutils/xentools46/Makefile:1.5
--- pkgsrc/sysutils/xentools46/Makefile:1.4     Tue Nov 22 20:59:01 2016
+++ pkgsrc/sysutils/xentools46/Makefile Tue Dec 20 10:22:29 2016
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.4 2016/11/22 20:59:01 bouyer Exp $
+# $NetBSD: Makefile,v 1.5 2016/12/20 10:22:29 bouyer Exp $
 
 VERSION=       4.6.3
 VERSION_IPXE=  9a93db3f0947484e30e753bbd61a10b17336e20e
 
 DISTNAME=              xen-${VERSION}
 PKGNAME=               xentools46-${VERSION}
-PKGREVISION=           2
+PKGREVISION=           3
 CATEGORIES=            sysutils
 MASTER_SITES=          http://bits.xensource.com/oss-xen/release/${VERSION}/
 

Index: pkgsrc/sysutils/xentools46/distinfo
diff -u pkgsrc/sysutils/xentools46/distinfo:1.2 pkgsrc/sysutils/xentools46/distinfo:1.3
--- pkgsrc/sysutils/xentools46/distinfo:1.2     Tue Nov 22 20:59:01 2016
+++ pkgsrc/sysutils/xentools46/distinfo Tue Dec 20 10:22:29 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2016/11/22 20:59:01 bouyer Exp $
+$NetBSD: distinfo,v 1.3 2016/12/20 10:22:29 bouyer Exp $
 
 SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -23,6 +23,7 @@ SHA1 (patch-Rules.mk) = ec0af52c49471820
 SHA1 (patch-XSA-197-1) = 4d373d23cd7032cc505300d865b6eaa8e80e2290
 SHA1 (patch-XSA-197-2) = 3dc303f22d0744f64eb4552f4de10fc11f32bb01
 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7
+SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1
 SHA1 (patch-configure) = a58d149de07613fb03444234278778a6a24b9b26
 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
 SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff

Added files:

Index: pkgsrc/sysutils/xenkernel41/patches/patch-XSA-200
diff -u /dev/null pkgsrc/sysutils/xenkernel41/patches/patch-XSA-200:1.1
--- /dev/null   Tue Dec 20 10:22:29 2016
+++ pkgsrc/sysutils/xenkernel41/patches/patch-XSA-200   Tue Dec 20 10:22:28 2016
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+         goto fail;
+     printf("okay\n");
+ 
++    printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++    instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++    res[0]      = 0x12345678;
++    res[1]      = 0x87654321;
++    regs.eflags = 0x200;
++    regs.eip    = (unsigned long)&instr[0];
++    regs.edi    = (unsigned long)res;
++    rc = x86_emulate(&ctxt, &emulops);
++    if ( (rc != X86EMUL_OKAY) ||
++         (res[0] != 0x12345678) ||
++         (res[1] != 0x87654321) ||
++         (regs.eax != 0x12345678) ||
++         (regs.edx != 0x87654321) ||
++         ((regs.eflags&0x240) != 0x200) ||
++         (regs.eip != (unsigned long)&instr[4]) )
++        goto fail;
++    printf("okay\n");
++
+     printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+     instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+     regs.eflags = 0x200;
+--- ./xen/arch/x86/x86_emulate/x86_emulate.c.orig      2016-12-19 21:54:25.000000000 +0100
++++ ./xen/arch/x86/x86_emulate/x86_emulate.c   2016-12-19 22:00:32.000000000 +0100
+@@ -4183,7 +4183,12 @@
+ 
+         generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+         generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+-        op_bytes *= 2;
++      if ( op_bytes == 8 )
++      {
++          /* vcpu_must_have_cx16() XXX doens't exists */
++          op_bytes = 16;
++      } else
++          op_bytes = 8;
+ 
+         /* Get actual old value. */
+         for ( i = 0; i < (op_bytes/sizeof(long)); i++ )
Index: pkgsrc/sysutils/xenkernel41/patches/patch-XSA-204
diff -u /dev/null pkgsrc/sysutils/xenkernel41/patches/patch-XSA-204:1.1
--- /dev/null   Tue Dec 20 10:22:29 2016
+++ pkgsrc/sysutils/xenkernel41/patches/patch-XSA-204   Tue Dec 20 10:22:28 2016
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig        2016-12-19 22:02:25.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c     2016-12-19 22:05:31.000000000 +0100
+@@ -1233,6 +1233,7 @@
+ #define REPE_PREFIX  1
+ #define REPNE_PREFIX 2
+     unsigned int lock_prefix = 0, rep_prefix = 0;
++    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+     int override_seg = -1, rc = X86EMUL_OKAY;
+     struct operand src, dst;
+ 
+@@ -3498,9 +3499,8 @@
+         break;
+     }
+ 
+-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+-         (ops->inject_hw_exception != NULL) )
++    /* Should a singlestep #DB be raised? */
++    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ 
+     /* Commit shadow register state. */
+@@ -3685,6 +3685,23 @@
+              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+             goto done;
+ 
++        /*
++         * SYSCALL (unlike most instructions) evaluates its singlestep action
++         * based on the resulting EFLG_TF, not the starting EFLG_TF.
++         *
++         * As the #DB is raised after the CPL change and before the OS can
++         * switch stack, it is a large risk for privilege escalation.
++         *
++         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++         * vulnerability.  Running the #DB handler on an IST stack is also a
++         * mitigation.
++         *
++         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
++         * mitigation is to use a task gate for handling #DB (or to not use
++         * enable EFER.SCE to start with).
++         */
++        tf = !!(_regs.eflags & EFLG_TF);
++
+         break;
+     }
+ 

Index: pkgsrc/sysutils/xenkernel42/patches/patch-XSA-200
diff -u /dev/null pkgsrc/sysutils/xenkernel42/patches/patch-XSA-200:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xenkernel42/patches/patch-XSA-200   Tue Dec 20 10:22:28 2016
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+         goto fail;
+     printf("okay\n");
+ 
++    printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++    instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++    res[0]      = 0x12345678;
++    res[1]      = 0x87654321;
++    regs.eflags = 0x200;
++    regs.eip    = (unsigned long)&instr[0];
++    regs.edi    = (unsigned long)res;
++    rc = x86_emulate(&ctxt, &emulops);
++    if ( (rc != X86EMUL_OKAY) ||
++         (res[0] != 0x12345678) ||
++         (res[1] != 0x87654321) ||
++         (regs.eax != 0x12345678) ||
++         (regs.edx != 0x87654321) ||
++         ((regs.eflags&0x240) != 0x200) ||
++         (regs.eip != (unsigned long)&instr[4]) )
++        goto fail;
++    printf("okay\n");
++
+     printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+     instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+     regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4494,9 +4498,11 @@
+ 
+         generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+         generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+-        if ( op_bytes == 8 )
++        if ( op_bytes == 8 ) {
+             vcpu_must_have_cx16();
+-        op_bytes *= 2;
++          op_bytes = 16;
++      } else
++            op_bytes = 8;
+ 
+         /* Get actual old value. */
+         for ( i = 0; i < (op_bytes/sizeof(long)); i++ )
Index: pkgsrc/sysutils/xenkernel42/patches/patch-XSA-204
diff -u /dev/null pkgsrc/sysutils/xenkernel42/patches/patch-XSA-204:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xenkernel42/patches/patch-XSA-204   Tue Dec 20 10:22:28 2016
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig        2016-12-19 23:22:20.000000000 +0100
++++ xen/arch/x86/x86_emulate/x86_emulate.c     2016-12-19 23:22:38.000000000 +0100
+@@ -1348,6 +1348,7 @@
+     union vex vex = {};
+     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+     bool_t lock_prefix = 0;
++    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+     int override_seg = -1, rc = X86EMUL_OKAY;
+     struct operand src, dst;
+     DECLARE_ALIGNED(mmval_t, mmval);
+@@ -3679,9 +3680,8 @@
+         break;
+     }
+ 
+-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+-         (ops->inject_hw_exception != NULL) )
++    /* Should a singlestep #DB be raised? */
++    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ 
+     /* Commit shadow register state. */
+@@ -3866,6 +3866,23 @@
+              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+             goto done;
+ 
++        /*
++         * SYSCALL (unlike most instructions) evaluates its singlestep action
++         * based on the resulting EFLG_TF, not the starting EFLG_TF.
++         *
++         * As the #DB is raised after the CPL change and before the OS can
++         * switch stack, it is a large risk for privilege escalation.
++         *
++         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++         * vulnerability.  Running the #DB handler on an IST stack is also a
++         * mitigation.
++         *
++         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
++         * mitigation is to use a task gate for handling #DB (or to not use
++         * enable EFER.SCE to start with).
++         */
++        tf = !!(_regs.eflags & EFLG_TF);
++
+         break;
+     }
+ 

Index: pkgsrc/sysutils/xenkernel45/patches/patch-XSA-200
diff -u /dev/null pkgsrc/sysutils/xenkernel45/patches/patch-XSA-200:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xenkernel45/patches/patch-XSA-200   Tue Dec 20 10:22:28 2016
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+         goto fail;
+     printf("okay\n");
+ 
++    printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++    instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++    res[0]      = 0x12345678;
++    res[1]      = 0x87654321;
++    regs.eflags = 0x200;
++    regs.eip    = (unsigned long)&instr[0];
++    regs.edi    = (unsigned long)res;
++    rc = x86_emulate(&ctxt, &emulops);
++    if ( (rc != X86EMUL_OKAY) ||
++         (res[0] != 0x12345678) ||
++         (res[1] != 0x87654321) ||
++         (regs.eax != 0x12345678) ||
++         (regs.edx != 0x87654321) ||
++         ((regs.eflags&0x240) != 0x200) ||
++         (regs.eip != (unsigned long)&instr[4]) )
++        goto fail;
++    printf("okay\n");
++
+     printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+     instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+     regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4739,8 +4739,12 @@ x86_emulate(
+         generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+         generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+         if ( op_bytes == 8 )
++        {
+             vcpu_must_have_cx16();
+-        op_bytes *= 2;
++            op_bytes = 16;
++        }
++        else
++            op_bytes = 8;
+ 
+         /* Get actual old value. */
+         if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes,
Index: pkgsrc/sysutils/xenkernel45/patches/patch-XSA-204
diff -u /dev/null pkgsrc/sysutils/xenkernel45/patches/patch-XSA-204:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xenkernel45/patches/patch-XSA-204   Tue Dec 20 10:22:28 2016
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1537,6 +1537,7 @@ x86_emulate(
+     union vex vex = {};
+     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+     bool_t lock_prefix = 0;
++    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+     int override_seg = -1, rc = X86EMUL_OKAY;
+     struct operand src = { .reg = REG_POISON };
+     struct operand dst = { .reg = REG_POISON };
+@@ -3881,9 +3882,8 @@ x86_emulate(
+         break;
+     }
+ 
+-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+-         (ops->inject_hw_exception != NULL) )
++    /* Should a singlestep #DB be raised? */
++    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ 
+     /* Commit shadow register state. */
+@@ -4068,6 +4068,23 @@ x86_emulate(
+              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+             goto done;
+ 
++        /*
++         * SYSCALL (unlike most instructions) evaluates its singlestep action
++         * based on the resulting EFLG_TF, not the starting EFLG_TF.
++         *
++         * As the #DB is raised after the CPL change and before the OS can
++         * switch stack, it is a large risk for privilege escalation.
++         *
++         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++         * vulnerability.  Running the #DB handler on an IST stack is also a
++         * mitigation.
++         *
++         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
++         * mitigation is to use a task gate for handling #DB (or to not use
++         * enable EFER.SCE to start with).
++         */
++        tf = !!(_regs.eflags & EFLG_TF);
++
+         break;
+     }
+ 

Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-200
diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-200:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-200   Tue Dec 20 10:22:29 2016
@@ -0,0 +1,57 @@
+$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: x86emul: CMPXCHG8B ignores operand size prefix
+
+Otherwise besides mis-handling the instruction, the comparison failure
+case would result in uninitialized stack data being handed back to the
+guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
+ones).
+
+This is XSA-200.
+
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+--- tools/tests/x86_emulator/test_x86_emulator.c.orig
++++ tools/tests/x86_emulator/test_x86_emulator.c
+@@ -429,6 +429,24 @@ int main(int argc, char **argv)
+         goto fail;
+     printf("okay\n");
+ 
++    printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
++    instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
++    res[0]      = 0x12345678;
++    res[1]      = 0x87654321;
++    regs.eflags = 0x200;
++    regs.eip    = (unsigned long)&instr[0];
++    regs.edi    = (unsigned long)res;
++    rc = x86_emulate(&ctxt, &emulops);
++    if ( (rc != X86EMUL_OKAY) ||
++         (res[0] != 0x12345678) ||
++         (res[1] != 0x87654321) ||
++         (regs.eax != 0x12345678) ||
++         (regs.edx != 0x87654321) ||
++         ((regs.eflags&0x240) != 0x200) ||
++         (regs.eip != (unsigned long)&instr[4]) )
++        goto fail;
++    printf("okay\n");
++
+     printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
+     instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
+     regs.eflags = 0x200;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -4739,8 +4739,12 @@ x86_emulate(
+         generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
+         generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+         if ( op_bytes == 8 )
++        {
+             vcpu_must_have_cx16();
+-        op_bytes *= 2;
++            op_bytes = 16;
++        }
++        else
++            op_bytes = 8;
+ 
+         /* Get actual old value. */
+         if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes,
Index: pkgsrc/sysutils/xenkernel46/patches/patch-XSA-204
diff -u /dev/null pkgsrc/sysutils/xenkernel46/patches/patch-XSA-204:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xenkernel46/patches/patch-XSA-204   Tue Dec 20 10:22:29 2016
@@ -0,0 +1,71 @@
+$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index bca7045..abe442e 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1582,6 +1582,7 @@ x86_emulate(
+     union vex vex = {};
+     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+     bool_t lock_prefix = 0;
++    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+     int override_seg = -1, rc = X86EMUL_OKAY;
+     struct operand src = { .reg = REG_POISON };
+     struct operand dst = { .reg = REG_POISON };
+@@ -3910,9 +3911,8 @@ x86_emulate(
+     }
+ 
+  no_writeback:
+-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+-         (ops->inject_hw_exception != NULL) )
++    /* Should a singlestep #DB be raised? */
++    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ 
+     /* Commit shadow register state. */
+@@ -4143,6 +4143,23 @@ x86_emulate(
+              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+             goto done;
+ 
++        /*
++         * SYSCALL (unlike most instructions) evaluates its singlestep action
++         * based on the resulting EFLG_TF, not the starting EFLG_TF.
++         *
++         * As the #DB is raised after the CPL change and before the OS can
++         * switch stack, it is a large risk for privilege escalation.
++         *
++         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++         * vulnerability.  Running the #DB handler on an IST stack is also a
++         * mitigation.
++         *
++         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
++         * mitigation is to use a task gate for handling #DB (or to not use
++         * enable EFER.SCE to start with).
++         */
++        tf = !!(_regs.eflags & EFLG_TF);
++
+         break;
+     }
+ 

Index: pkgsrc/sysutils/xentools41/patches/patch-XSA-199
diff -u /dev/null pkgsrc/sysutils/xentools41/patches/patch-XSA-199:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xentools41/patches/patch-XSA-199    Tue Dec 20 10:22:29 2016
@@ -0,0 +1,90 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson%eu.citrix.com@localhost>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit.  That these functions take 32-bit
+arguments is a mistake.  Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range.  (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values.  Xen will never write >16-bit values but the guest may
+have access to the ioreq ring.  We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke%huawei.com@localhost>
+Signed-off-by: Ian Jackson <Ian.Jackson%eu.citrix.com@localhost>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c              | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- ioemu-qemu-xen/i386-dm/helper2.c.orig
++++ ioemu-qemu-xen/i386-dm/helper2.c
+@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
+ 
+     sign = req->df ? -1 : 1;
+ 
++    req->addr &= 0x0ffffU;
++
+     if (req->size > sizeof(req->data)) {
+         fprintf(stderr, "MMIO: bad size (%u)\n", req->size);
+         exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- ioemu-qemu-xen/vl.c.orig
++++ ioemu-qemu-xen/vl.c
+@@ -52,6 +52,7 @@
+ 
+ #include <xen/hvm/hvm_info_table.h>
+ 
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+ 
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+     static IOPortReadFunc *default_func[3] = {
+         default_ioport_readb,
+         default_ioport_readw,
+         default_ioport_readl
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortReadFunc *func = ioport_read_table[index][address];
+     if (!func)
+         func = default_func[index];
+     return func(ioport_opaque[address], address);
+ }
+ 
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+     static IOPortWriteFunc *default_func[3] = {
+         default_ioport_writeb,
+         default_ioport_writew,
+         default_ioport_writel
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortWriteFunc *func = ioport_write_table[index][address];
+     if (!func)
+         func = default_func[index];
+-- 
+2.1.4

Index: pkgsrc/sysutils/xentools42/patches/patch-XSA-199
diff -u /dev/null pkgsrc/sysutils/xentools42/patches/patch-XSA-199:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xentools42/patches/patch-XSA-199    Tue Dec 20 10:22:29 2016
@@ -0,0 +1,121 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson%eu.citrix.com@localhost>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit.  That these functions take 32-bit
+arguments is a mistake.  Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range.  (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values.  Xen will never write >16-bit values but the guest may
+have access to the ioreq ring.  We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke%huawei.com@localhost>
+Signed-off-by: Ian Jackson <Ian.Jackson%eu.citrix.com@localhost>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c              | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- qemu-xen-traditional/i386-dm/helper2.c.orig
++++ qemu-xen-traditional/i386-dm/helper2.c
+@@ -355,6 +355,8 @@
+ 
+     sign = req->df ? -1 : 1;
+ 
++    req->addr &= 0x0ffffU;
++
+     if (req->size > sizeof(unsigned long)) {
+         fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+         exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- qemu-xen-traditional/vl.c.orig
++++ qemu-xen-traditional/vl.c
+@@ -52,6 +52,7 @@
+ 
+ #include <xen/hvm/hvm_info_table.h>
+ 
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+ 
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+     static IOPortReadFunc *default_func[3] = {
+         default_ioport_readb,
+         default_ioport_readw,
+         default_ioport_readl
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortReadFunc *func = ioport_read_table[index][address];
+     if (!func)
+         func = default_func[index];
+     return func(ioport_opaque[address], address);
+ }
+ 
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+     static IOPortWriteFunc *default_func[3] = {
+         default_ioport_writeb,
+         default_ioport_writew,
+         default_ioport_writel
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortWriteFunc *func = ioport_write_table[index][address];
+     if (!func)
+         func = default_func[index];
+-- 
+2.1.4
+--- qemu-xen/xen-all.c.orig    2016-12-20 10:53:18.000000000 +0100
++++ qemu-xen/xen-all.c 2016-12-20 10:53:46.000000000 +0100
+@@ -661,6 +661,8 @@
+ 
+     sign = req->df ? -1 : 1;
+ 
++    req->addr &= 0x0ffffU;
++
+     if (req->size > sizeof(uint32_t)) {
+         hw_error("PIO: bad size (%u)", req->size);
+     }
+--- qemu-xen/ioport.c.orig     2016-12-20 10:57:45.000000000 +0100
++++ qemu-xen/ioport.c  2016-12-20 10:58:26.000000000 +0100
+@@ -64,6 +64,8 @@
+         default_ioport_readl
+     };
+     IOPortReadFunc *func = ioport_read_table[index][address];
++    if (address >= MAX_IOPORTS)
++      abort();
+     if (!func)
+         func = default_func[index];
+     return func(ioport_opaque[address], address);
+@@ -76,6 +78,8 @@
+         default_ioport_writew,
+         default_ioport_writel
+     };
++    if (address >= MAX_IOPORTS)
++      abort();
+     IOPortWriteFunc *func = ioport_write_table[index][address];
+     if (!func)
+         func = default_func[index];

Index: pkgsrc/sysutils/xentools45/patches/patch-XSA-199
diff -u /dev/null pkgsrc/sysutils/xentools45/patches/patch-XSA-199:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xentools45/patches/patch-XSA-199    Tue Dec 20 10:22:29 2016
@@ -0,0 +1,90 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson%eu.citrix.com@localhost>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit.  That these functions take 32-bit
+arguments is a mistake.  Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range.  (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values.  Xen will never write >16-bit values but the guest may
+have access to the ioreq ring.  We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke%huawei.com@localhost>
+Signed-off-by: Ian Jackson <Ian.Jackson%eu.citrix.com@localhost>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c              | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- qemu-xen-traditional/i386-dm/helper2.c.orig
++++ qemu-xen-traditional/i386-dm/helper2.c
+@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
+ {
+     uint32_t i;
+ 
++    req->addr &= 0x0ffffU;
++
+     if (req->size > sizeof(unsigned long)) {
+         fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+         exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- qemu-xen-traditional/vl.c.orig
++++ qemu-xen-traditional/vl.c
+@@ -52,6 +52,7 @@
+ 
+ #include <xen/hvm/hvm_info_table.h>
+ 
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+ 
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+     static IOPortReadFunc *default_func[3] = {
+         default_ioport_readb,
+         default_ioport_readw,
+         default_ioport_readl
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortReadFunc *func = ioport_read_table[index][address];
+     if (!func)
+         func = default_func[index];
+     return func(ioport_opaque[address], address);
+ }
+ 
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+     static IOPortWriteFunc *default_func[3] = {
+         default_ioport_writeb,
+         default_ioport_writew,
+         default_ioport_writel
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortWriteFunc *func = ioport_write_table[index][address];
+     if (!func)
+         func = default_func[index];
+-- 
+2.1.4

Index: pkgsrc/sysutils/xentools46/patches/patch-XSA-199
diff -u /dev/null pkgsrc/sysutils/xentools46/patches/patch-XSA-199:1.1
--- /dev/null   Tue Dec 20 10:22:30 2016
+++ pkgsrc/sysutils/xentools46/patches/patch-XSA-199    Tue Dec 20 10:22:29 2016
@@ -0,0 +1,90 @@
+$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $
+
+From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson%eu.citrix.com@localhost>
+Date: Mon, 14 Nov 2016 17:19:46 +0000
+Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit
+ addresses
+
+On x86, ioport addresses are 16-bit.  That these functions take 32-bit
+arguments is a mistake.  Changing the argument type to 16-bit will
+discard the top bits of any erroneous values from elsewhere in qemu.
+
+Also, check just before use that the value is in range.  (This turns
+an ill-advised change to MAX_IOPORTS into a possible guest crash
+rather than a privilege escalation vulnerability.)
+
+And, in the Xen ioreq processor, clamp incoming ioport addresses to
+16-bit values.  Xen will never write >16-bit values but the guest may
+have access to the ioreq ring.  We want to defend the rest of the qemu
+code from wrong values.
+
+This is XSA-199.
+
+Reported-by: yanghongke <yanghongke%huawei.com@localhost>
+Signed-off-by: Ian Jackson <Ian.Jackson%eu.citrix.com@localhost>
+---
+ i386-dm/helper2.c | 2 ++
+ vl.c              | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
+index 2706f2e..5d276bb 100644
+--- qemu-xen-traditional/i386-dm/helper2.c.orig
++++ qemu-xen-traditional/i386-dm/helper2.c
+@@ -375,6 +375,8 @@ static void cpu_ioreq_pio(CPUState *env, ioreq_t *req)
+ {
+     uint32_t i;
+ 
++    req->addr &= 0x0ffffU;
++
+     if (req->size > sizeof(unsigned long)) {
+         fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+         exit(-1);
+diff --git a/vl.c b/vl.c
+index f9c4d7e..c3c5d63 100644
+--- qemu-xen-traditional/vl.c.orig
++++ qemu-xen-traditional/vl.c
+@@ -52,6 +52,7 @@
+ 
+ #include <xen/hvm/hvm_info_table.h>
+ 
++#include <assert.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -290,26 +291,30 @@ PicState2 *isa_pic;
+ static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
+ static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
+ 
+-static uint32_t ioport_read(int index, uint32_t address)
++static uint32_t ioport_read(int index, uint16_t address)
+ {
+     static IOPortReadFunc *default_func[3] = {
+         default_ioport_readb,
+         default_ioport_readw,
+         default_ioport_readl
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortReadFunc *func = ioport_read_table[index][address];
+     if (!func)
+         func = default_func[index];
+     return func(ioport_opaque[address], address);
+ }
+ 
+-static void ioport_write(int index, uint32_t address, uint32_t data)
++static void ioport_write(int index, uint16_t address, uint32_t data)
+ {
+     static IOPortWriteFunc *default_func[3] = {
+         default_ioport_writeb,
+         default_ioport_writew,
+         default_ioport_writel
+     };
++    if (address >= MAX_IOPORTS)
++        abort();
+     IOPortWriteFunc *func = ioport_write_table[index][address];
+     if (!func)
+         func = default_func[index];
+-- 
+2.1.4



Home | Main Index | Thread Index | Old Index