From d30d76759d48fd3a351f869843374111c5450514 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Jun 15 2014 16:34:34 +0000
Subject: Fix two %if line typos in the spec file, Vulnerabilities in HVM MSI injection

---

diff --git a/xen.spec b/xen.spec
index c42d150..97b0c8c 100644
--- a/xen.spec
+++ b/xen.spec
@@ -53,7 +53,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.4.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -103,6 +103,7 @@ Patch21: xen.64.bit.hyp.on.ix86.patch
 Patch22: xen.console.fix.patch
 Patch23: xsa89.patch
 Patch24: xsa92.patch
+Patch25: xsa96.patch
 Patch99: localgcc490fix.patch
 Patch100: xen-configure-xend.patch
 
@@ -291,6 +292,7 @@ manage Xen virtual machines.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
 %patch99 -p1
 %patch100 -p1
 
@@ -776,7 +778,7 @@ rm -rf %{buildroot}
 %dir %{_localstatedir}/lib/xenstored
 # Xenstore runtime state
 %ghost %{_localstatedir}/run/xenstored
-%if build_xend
+%if %build_xend
 # XenD runtime state
 %ghost %attr(0700,root,root) %{_localstatedir}/run/xend
 %ghost %attr(0700,root,root) %{_localstatedir}/run/xend/boot
@@ -840,7 +842,7 @@ rm -rf %{buildroot}
 /boot/xen-syms-*
 /boot/xen-*.gz
 /boot/xen.gz
-%if build_xsm
+%if %build_xsm
 %dir %attr(0755,root,root) /boot/flask
 /boot/flask/xenpolicy.*
 %endif
@@ -888,6 +890,11 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Sun Jun 15 2014 Michael Young - 4.4.0-6
+- Fix two %if line typos in the spec file
+- Vulnerabilities in HVM MSI injection [XSA-96, CVE-2014-3967,CVE-2014-3968]
+  (#1104583)
+
 * Sun Jun 08 2014 Fedora Release Engineering - 4.4.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 
diff --git a/xsa96.patch b/xsa96.patch
new file mode 100644
index 0000000..ef6443f
--- /dev/null
+++ b/xsa96.patch
@@ -0,0 +1,38 @@
+x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
+
+- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
+ mustn't unconditionally de-reference it, and we need to invoke it
+ another time after having called map_domain_emuirq_pirq()
+- don't use printk(), namely without XENLOG_GUEST, for error reporting
+
+This is XSA-96.
+
+Signed-off-by: Jan Beulich
+
+--- a/xen/arch/x86/hvm/irq.c
++++ b/xen/arch/x86/hvm/irq.c
+@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
+ struct pirq *info = pirq_info(d, pirq);
+
+ /* if it is the first time, allocate the pirq */
+- if (info->arch.hvm.emuirq == IRQ_UNBOUND)
++ if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
+ {
+ spin_lock(&d->event_lock);
+ map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
+ spin_unlock(&d->event_lock);
++ info = pirq_info(d, pirq);
++ if ( !info )
++ return;
+ } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
+- {
+- printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
+ return;
+- }
+ send_guest_pirq(d, info);
+ return;
+- } else {
+- printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
+ }
+ }
+
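Review bot: The two early returns introduced in hvm_inject_msi() — `if ( !info ) return;` after map_domain_emuirq_pirq() and the now bare `return;` in the `emuirq != IRQ_MSI_EMU` branch — drop the guest-supplied MSI with no trace, because the patch removes both printk() calls without adding any replacement. The commit message objects only to printk() being used without XENLOG_GUEST, so a guest-tagged, rate-limited log at those two points would keep unmapped-pIRQ or mis-typed injections observable to the host operator without the log-flooding exposure of the original unconditional printk(). Since this file carries an upstream XSA patch verbatim, that belongs in a follow-up rather than a local edit of xsa96.patch. hvm_inject_msi() begins before the hunk, so the surrounding control flow that computes pirq is not visible here.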