From 54f013cbd2041ea0e6df86ab2272cfd9114f72d3 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Nov 26 2013 22:56:01 +0000
Subject: Lock order reversal between page_alloc_lock and mm_rwlock, Hypercalls exposed to privilege rings 1 and 2 of HVM guests
---
diff --git a/xen.spec b/xen.spec
index f0d7543..b8aaa6d 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.2.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -93,6 +93,8 @@ Patch115: xsa72.patch
 Patch116: xsa73-4.2.patch
 Patch117: xsa75-4.2.patch
 Patch118: xsa78.patch
+Patch119: xsa74-4.1-4.2.patch
+Patch120: xsa76.patch
 Patch100: xen-configure-xend.patch
@@ -276,6 +278,8 @@ manage Xen virtual machines.
 %patch116 -p1
 %patch117 -p1
 %patch118 -p1
+%patch119 -p1
+%patch120 -p1
 %patch100 -p1
@@ -769,6 +773,12 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Tue Nov 26 2013 Michael Young - 4.2.3-10
+- Lock order reversal between page_alloc_lock and mm_rwlock
+ [XSA-74, CVE-2013-4553] (#1034925)
+- Hypercalls exposed to privilege rings 1 and 2 of HVM guests
+ [XSA-76, CVE-2013-4554] (#1034923)
+
 * Thu Nov 21 2013 Michael Young - 4.2.3-9
 - Insufficient TLB flushing in VT-d (iommu) code [XSA-78, CVE-2013-6375] (#1033149)
diff --git a/xsa74-4.1-4.2.patch b/xsa74-4.1-4.2.patch
new file mode 100644
index 0000000..490f84e
--- /dev/null
+++ b/xsa74-4.1-4.2.patch
@@ -0,0 +1,41 @@
+x86: restrict XEN_DOMCTL_getmemlist
+
+Coverity ID 1055652
+
+(See the code comment.)
+
+This is CVE-2013-4553 / XSA-74.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+Reviewed-by: Tim Deegan
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -385,6 +385,26 @@ long arch_do_domctl(
+ break;
+ }
+
++ /*
++ * XSA-74: This sub-hypercall is broken in several ways:
++ * - lock order inversion (p2m locks inside page_alloc_lock)
++ * - no preemption on huge max_pfns input
++ * - not (re-)checking d->is_dying with page_alloc_lock held
++ * - not honoring start_pfn input (which libxc also doesn't set)
++ * Additionally it is rather useless, as the result is stale by
++ * the time the caller gets to look at it.
++ * As it only has a single, non-production consumer (xen-mceinj),
++ * rather than trying to fix it we restrict it for the time being.
++ */
++ if ( /* No nested locks inside copy_to_guest_offset(). */
++ paging_mode_external(current->domain) ||
++ /* Arbitrary limit capping processing time. */
++ max_pfns > GB(4) / PAGE_SIZE )
++ {
++ ret = -EOPNOTSUPP;
++ break;
++ }
++
+ spin_lock(&d->page_alloc_lock);
+
+ if ( unlikely(d->is_dying) ) {
diff --git a/xsa76.patch b/xsa76.patch
new file mode 100644
index 0000000..54e4325
--- /dev/null
+++ b/xsa76.patch
@@ -0,0 +1,19 @@
+x86/HVM: only allow ring 0 guest code to make hypercalls
+
+Anything else would allow for privilege escalation.
+
+This is CVE-2013-4554 / XSA-76.
+
+Signed-off-by: Jan Beulich
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+ case 4:
+ case 2:
+ hvm_get_segment_register(curr, x86_seg_ss, &sreg);
+- if ( unlikely(sreg.attr.fields.dpl == 3) )
++ if ( unlikely(sreg.attr.fields.dpl) )
+ {
+ default:
+ regs->eax = -EPERM;
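Review bot: The comment `/* No nested locks inside copy_to_guest_offset(). */` on the `paging_mode_external(current->domain)` test leaves implicit that the condition is evaluated on the calling (toolstack) domain rather than the target `d`, so a reader may assume HVM targets are what is being refused. Suggest extending it to `/* Refuse HVM (external-paging) callers: copying the list back to such a caller presumably takes p2m locks, which must not nest inside page_alloc_lock. */`, hedged because the p2m-lock path itself is not visible here. The second branch, `max_pfns > GB(4) / PAGE_SIZE`, is declared arbitrary by its own comment; a brief `gdprintk` when either branch returns `-EOPNOTSUPP` would let operators tell this deliberate restriction apart from a genuinely unsupported sub-op. The enclosing `arch_do_domctl` case starts and ends outside the hunk.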
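Review bot: The new condition `if ( unlikely(sreg.attr.fields.dpl) )` rejects rings 1 and 2 as well as 3, but nothing in the hunk records why the SS descriptor's DPL is the value being tested, which is the point a later maintainer is most likely to weaken. Suggest a comment on that line, `/* SS.DPL equals CPL; only ring 0 guest code may make hypercalls (XSA-76). */`. The `default:` label inside the rejection block (the hunk's `{ default: regs->eax = -EPERM;`) is the pre-existing fall-in for unsupported modes and is unchanged by this patch. hvm_do_hypercall and its switch begin before the hunk; only the `case 4:`/`case 2:` arms are visible, so coverage of any other arms cannot be judged from here.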