diff --git a/xen.spec b/xen.spec index 9ea1c8d..0bc4b64 100644 --- a/xen.spec +++ b/xen.spec @@ -46,7 +46,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.3.1 -Release: 7%{?dist} +Release: 8%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -107,6 +107,7 @@ Patch27: xsa82.patch Patch28: xsa77-unstable.patch Patch29: xsa80.patch Patch30: xsa83.patch +Patch31: xsa87-unstable-4.3.patch Patch100: xen-configure-xend.patch @@ -296,6 +297,7 @@ manage Xen virtual machines. %patch28 -p1 %patch29 -p1 %patch30 -p1 +%patch31 -p1 %patch100 -p1 @@ -828,6 +830,10 @@ rm -rf %{buildroot} %endif %changelog +* Fri Jan 24 2014 Michael Young - 4.3.1-8 +- PHYSDEVOP_{prepare,release}_msix exposed to unprivileged pv guests + [XSA-87, CVE-2014-1666] + * Thu Jan 23 2014 Michael Young - 4.3.1-7 - Out-of-memory condition yielding memory corruption during IRQ setup [XSA-83, CVE-2014-1642] (#1057142) diff --git a/xsa87-unstable-4.3.patch b/xsa87-unstable-4.3.patch new file mode 100644 index 0000000..3c31ed5 --- /dev/null +++ b/xsa87-unstable-4.3.patch @@ -0,0 +1,23 @@ +x86: PHYSDEVOP_{prepare,release}_msix are privileged + +Yet this wasn't being enforced. + +This is XSA-87. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- 2014-01-14.orig/xen/arch/x86/physdev.c 2013-11-18 11:03:37.000000000 +0100 ++++ 2014-01-14/xen/arch/x86/physdev.c 2014-01-22 12:47:47.000000000 +0100 +@@ -640,7 +640,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H + if ( copy_from_guest(&dev, arg, 1) ) + ret = -EFAULT; + else +- ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn, ++ ret = xsm_resource_setup_pci(XSM_PRIV, ++ (dev.seg << 16) | (dev.bus << 8) | ++ dev.devfn) ?: ++ pci_prepare_msix(dev.seg, dev.bus, dev.devfn, + cmd != PHYSDEVOP_prepare_msix); + break; + }