From a78f618921b7bc6ab0762bdc03024c47d2226259 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Feb 16 2017 00:06:49 +0000
Subject: patch to build with gcc7 memory leak when destroying guest without PT devices [XSA-207] (#1422492) update patches for XSA-208 after upstream revision (no functional change)
---
diff --git a/xen.gcc7.fix.patch b/xen.gcc7.fix.patch
new file mode 100644
index 0000000..9f4b852
--- /dev/null
+++ b/xen.gcc7.fix.patch
@@ -0,0 +1,86 @@
+--- xen-4.8.0/xen/include/asm-x86/x86_64/uaccess.h.orig 2016-12-05 12:03:27.000000000 +0000
++++ xen-4.8.0/xen/include/asm-x86/x86_64/uaccess.h 2017-02-11 22:55:19.112487384 +0000
+@@ -46,7 +46,7 @@
+ ((unsigned long)(addr) < HYPERVISOR_COMPAT_VIRT_START(d))
+
+ #define __compat_access_ok(d, addr, size) \
+- __compat_addr_ok(d, (unsigned long)(addr) + ((size) ? (size) - 1 : 0))
++ __compat_addr_ok(d, (unsigned long)(addr) + ((size)>0 ? (size) - 1 : 0))
+
+ #define compat_access_ok(addr, size) \
+ __compat_access_ok(current->domain, addr, size)
+--- xen-4.8.0/xen/arch/arm/platforms/brcm.c.orig 2016-12-05 12:03:27.000000000 +0000
++++ xen-4.8.0/xen/arch/arm/platforms/brcm.c 2017-02-11 23:05:35.521865198 +0000
+@@ -271,7 +271,7 @@
+ return brcm_populate_plat_regs();
+ }
+
+-static const char const *brcm_dt_compat[] __initconst =
++static const char *brcm_dt_compat[] __initconst =
+ {
+ "brcm,bcm7445d0",
+ NULL
+--- xen-4.8.0/xen/arch/arm/platforms/rcar2.c.orig 2016-12-05 12:03:27.000000000 +0000
++++ xen-4.8.0/xen/arch/arm/platforms/rcar2.c 2017-02-12 15:59:23.574607734 +0000
+@@ -46,7 +46,7 @@
+ return 0;
+ }
+
+-static const char const *rcar2_dt_compat[] __initdata =
++static const char *rcar2_dt_compat[] __initdata =
+ {
+ "renesas,lager",
+ NULL
+--- xen-4.8.0/tools/misc/xenlockprof.c.orig 2016-12-05 12:03:27.000000000 +0000
++++ xen-4.8.0/tools/misc/xenlockprof.c 2017-02-12 15:53:26.585588293 +0000
+@@ -24,7 +24,7 @@
+ uint32_t i, j, n;
+ uint64_t time;
+ double l, b, sl, sb;
+- char name[60];
++ char name[90];
+ DECLARE_HYPERCALL_BUFFER(xc_lockprof_data_t, data);
+
+ if ( (argc > 2) || ((argc == 2) && (strcmp(argv[1], "-r") != 0)) )
+--- xen-4.8.0/tools/xenpmd/xenpmd.c.orig 2016-12-05 12:03:27.000000000 +0000
++++ xen-4.8.0/tools/xenpmd/xenpmd.c 2017-02-12 16:24:40.617934526 +0000
+@@ -87,12 +87,12 @@
+
+ #ifdef RUN_IN_SIMULATE_MODE
+ #define BATTERY_DIR_PATH "/tmp/battery"
+- #define BATTERY_INFO_FILE_PATH "/tmp/battery/%s/info"
+- #define BATTERY_STATE_FILE_PATH "/tmp/battery/%s/state"
++ #define BATTERY_INFO_FILE_PATH "/tmp/battery/%.13s/info"
++ #define BATTERY_STATE_FILE_PATH "/tmp/battery/%.12s/state"
+ #else
+ #define BATTERY_DIR_PATH "/proc/acpi/battery"
+- #define BATTERY_INFO_FILE_PATH "/proc/acpi/battery/%s/info"
+- #define BATTERY_STATE_FILE_PATH "/proc/acpi/battery/%s/state"
++ #define BATTERY_INFO_FILE_PATH "/proc/acpi/battery/%.7s/info"
++ #define BATTERY_STATE_FILE_PATH "/proc/acpi/battery/%.6s/state"
+ #endif
+
+ FILE *get_next_battery_file(DIR *battery_dir,
+--- xen-4.8.0/tools/ocaml/libs/xc/xenctrl_stubs.c.orig 2016-12-05 12:03:27.000000000 +0000
++++ xen-4.8.0/tools/ocaml/libs/xc/xenctrl_stubs.c 2017-02-12 17:04:37.165498277 +0000
+@@ -62,7 +62,7 @@
+ "%d: %s", errno, strerror(errno));
+ else
+ snprintf(error_str, sizeof(error_str),
+- "%d: %s: %s", error->code,
++ "%d: %s: %.200s", error->code,
+ xc_error_code_to_desc(error->code),
+ error->message);
+ } else {
+--- xen-4.8.0/extras/mini-os/Makefile.orig 2016-09-28 12:09:38.000000000 +0100
++++ xen-4.8.0/extras/mini-os/Makefile 2017-02-15 21:15:19.340197960 +0000
+@@ -142,6 +142,9 @@
+ APP_LDLIBS += -lz
+ APP_LDLIBS += -lm
+ LDLIBS += -lc
++ifeq ($(MINIOS_TARGET_ARCH),x86_32)
++LDLIBS += -L$(shell dirname `gcc -m32 -print-libgcc-file-name`) -lgcc
++endif
+ endif
+
+ ifneq ($(APP_OBJS)-$(lwip),-y)
diff --git a/xen.spec b/xen.spec
index e7660ae..f4630d5 100644
--- a/xen.spec
+++ b/xen.spec
@@ -114,6 +114,8 @@ Patch54: qemu.git-12351a91da97b414eec8cdb09f1d9f41e535a401.patch Patch55: qemu.git-069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da.patch Patch56: xsa208-qemut.patch Patch57: xsa208-qemuu.patch +Patch58: xen.gcc7.fix.patch +Patch59: xsa207.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
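Review bot: The xenpmd.c part of this patch changes runtime behaviour rather than only silencing gcc 7's format-truncation warning: the `%.13s`/`%.12s` and `%.7s`/`%.6s` precisions in BATTERY_INFO_FILE_PATH and BATTERY_STATE_FILE_PATH silently shorten a battery directory name longer than the precision, so the daemon opens a path under a different name than the one readdir() returned, where the old format presumably either overflowed or produced a path that would not open. The snprintf() call and its buffer are outside the hunk; the more robust fix is to keep `%s`, check the snprintf() return value against the buffer size, and skip an entry that does not fit. In brcm.c the duplicate-const error would be better resolved as `static const char *const brcm_dt_compat[] __initconst =`, since dropping the second `const` leaves a modifiable pointer array in what is presumably a read-only init section; rcar2.c is `__initdata` so either spelling works there, but the same form keeps the two consistent. The uaccess.h rewrite `((size)>0 ? (size) - 1 : 0)` is equivalent to the old `((size) ? ...)` only when `size` is unsigned, which is worth a one-line comment at the macro because it guards compat guest address ranges and every caller is outside this hunk.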
@@ -316,6 +318,8 @@ manage Xen virtual machines. %patch49 -p1 %patch50 -p1 %patch51 -p1 +%patch58 -p1 +%patch59 -p1 # qemu-xen-traditional patches pushd tools/qemu-xen-traditional
@@ -851,6 +855,11 @@ rm -rf %{buildroot} %endif %changelog +* Wed Feb 15 2017 Michael Young +- patch to build with gcc7 +- memory leak when destroying guest without PT devices [XSA-207] (#1422492) +- update patches for XSA-208 after upstream revision (no functional change) + * Fri Feb 10 2017 Michael Young - 4.8.0-3 - Qemu: net: mcf_fec: infinite loop while receiving data in mcf_fec_receive [CVE-2016-9776]
diff --git a/xsa207.patch b/xsa207.patch
new file mode 100644
index 0000000..6fb86fc
--- /dev/null
+++ b/xsa207.patch
@@ -0,0 +1,31 @@
+From: Oleksandr Tyshchenko
+Subject: IOMMU: always call teardown callback
+
+There is a possible scenario when (d)->need_iommu remains unset
+during guest domain execution. For example, when no devices
+were assigned to it. Taking into account that teardown callback
+is not called when (d)->need_iommu is unset we might have unreleased
+resourses after destroying domain.
+
+So, always call teardown callback to roll back actions
+that were performed in init callback.
+
+This is XSA-207.
+
+Signed-off-by: Oleksandr Tyshchenko
+Reviewed-by: Jan Beulich
+Tested-by: Jan Beulich
+Tested-by: Julien Grall
+
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain
+ if ( !iommu_enabled || !dom_iommu(d)->platform_ops )
+ return;
+
+- if ( need_iommu(d) )
+- iommu_teardown(d);
++ iommu_teardown(d);
+
+ arch_iommu_domain_destroy(d);
+ }
diff --git a/xsa208-qemut.patch b/xsa208-qemut.patch
index fa3bae0..5ea73c5 100644
--- a/xsa208-qemut.patch
+++ b/xsa208-qemut.patch
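Review bot: The new %changelog entry in the last xen.spec hunk has no version-release suffix, unlike the preceding `* Fri Feb 10 2017 Michael Young - 4.8.0-3` line, and no `Release:` change appears anywhere in this diff; if Release is not bumped elsewhere, the rebuilt package carries the same NEVR as the one already installed and the XSA-207 fix will not reach existing systems as an update. Suggested: `* Wed Feb 15 2017 Michael Young - 4.8.0-4` together with the matching Release change. The Release tag itself is outside the hunks shown, so this may already be handled there.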
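Review bot: xsa207.patch records no upstream commit id or advisory reference, whereas the reworked xsa208 patches in this same commit carry an `upstream-commit-id:` line; adding `upstream-commit-id: <upstream commit id placeholder>` or a pointer to the XSA-207 advisory in the patch header would let the next maintainer check that this file matches what was eventually committed upstream. With `iommu_teardown(d)` now called for every domain that passes the `platform_ops` check, the change presumably relies on each vendor teardown callback tolerating a domain whose `need_iommu` was never set, which is the stated intent of the description but is worth a short comment at the call site, e.g. `/* teardown must undo init even if need_iommu was never set */`. The opening lines of iommu_domain_destroy are outside the hunk.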
@@ -1,34 +1,43 @@ -From: Li Qiang +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram. -Signed-off-by: Li Qiang -Message-id: address@hidden +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] [ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] -Cc: address@hidden -Cc: P J P -Cc: Laszlo Ersek -Cc: Paolo Bonzini -Cc: Wolfgang Bumiller +Cc: qemu-stable@nongnu.org +Cc: P J P +Cc: Laszlo Ersek +Cc: Paolo Bonzini +Cc: Wolfgang Bumiller Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann +Signed-off-by: Gerd Hoffmann +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek +Signed-off-by: Stefano Stabellini Signed-off-by: Ian Jackson --- - hw/display/cirrus_vga.c | 7 +++---- + hw/cirrus_vga.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c -index bdb092e..3bbe3d5 100644 +index e6c3893..364e22d 100644 --- a/hw/cirrus_vga.c +++ b/hw/cirrus_vga.c -@@ -307,10 +307,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, +@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, } if (pitch < 0) { int64_t min = addr @@ -42,3 +51,6 @@ index bdb092e..3bbe3d5 100644 return true; } } else { +-- +2.1.4 + diff --git a/xsa208-qemuu.patch b/xsa208-qemuu.patch index c97f67f..8c8ad2d 100644 --- a/xsa208-qemuu.patch +++ b/xsa208-qemuu.patch 
@@ -1,24 +1,33 @@ -From: Li Qiang +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram. -Signed-off-by: Li Qiang -Message-id: address@hidden +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] [ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] -Cc: address@hidden -Cc: P J P -Cc: Laszlo Ersek -Cc: Paolo Bonzini -Cc: Wolfgang Bumiller +Cc: qemu-stable@nongnu.org +Cc: P J P +Cc: Laszlo Ersek +Cc: Paolo Bonzini +Cc: Wolfgang Bumiller Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann +Signed-off-by: Gerd Hoffmann +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek +Signed-off-by: Stefano Stabellini --- hw/display/cirrus_vga.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)