diff --git a/.gitignore b/.gitignore index e501535..4e9469c 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,4 @@ lwip-1.3.0.tar.gz pciutils-2.2.9.tar.bz2 zlib-1.2.3.tar.gz polarssl-1.1.4-gpl.tgz -/xen-4.3.1.tar.gz +/xen-4.3.2.tar.gz diff --git a/sources b/sources index 47ee029..76174f1 100644 --- a/sources +++ b/sources @@ -4,4 +4,4 @@ bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2 debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz 7b72caf22b01464ee7d6165f2fd85f44 polarssl-1.1.4-gpl.tgz -7616b8704e1ab89c81f011f0e3703bc8 xen-4.3.1.tar.gz +83e0e13678383e4fbcaa69ce6064b187 xen-4.3.2.tar.gz diff --git a/xen.spec b/xen.spec index 7fbee28..2df4c3a 100644 --- a/xen.spec +++ b/xen.spec @@ -45,8 +45,8 @@ Summary: Xen is a virtual machine monitor Name: xen -Version: 4.3.1 -Release: 10%{?dist} +Version: 4.3.2 +Release: 1%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -98,20 +98,6 @@ Patch18: xen.fedora19.buildfix.patch Patch19: xen.pygrubtitlefix.patch Patch20: xen.xsm.enable.patch Patch21: xen.64.bit.hyp.on.ix86.patch -Patch22: xsa73-4.3-unstable.patch -Patch23: xsa75-4.3-unstable.patch -Patch24: xsa78.patch -Patch25: xsa74-4.3-unstable.patch -Patch26: xsa76.patch -Patch27: xsa82.patch -Patch28: xsa77-unstable.patch -Patch29: xsa80.patch -Patch30: xsa83.patch -Patch31: xsa87-unstable-4.3.patch -Patch32: xsa84-unstable-4.3.patch -Patch33: xsa85.patch -Patch34: xsa86.patch -Patch35: xsa88.patch Patch100: xen-configure-xend.patch @@ -292,20 +278,6 @@ manage Xen virtual machines. %if %build_crosshyp %patch21 -p1 %endif -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 -%patch34 -p1 -%patch35 -p1 %patch100 -p1 
@@ -838,6 +810,10 @@ rm -rf %{buildroot} %endif %changelog +* Tue Feb 18 2014 Michael Young - 4.3.2-1 +- update to xen-4.3.2 +- remove patches that are now included + * Wed Feb 12 2014 Michael Young - 4.3.1-10 - use-after-free in xc_cpupool_getinfo() under memory pressure [XSA-88, CVE-2014-1950] (#1064491) diff --git a/xsa73-4.3-unstable.patch b/xsa73-4.3-unstable.patch deleted file mode 100644 index efa64f9..0000000 --- a/xsa73-4.3-unstable.patch +++ /dev/null 
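Review bot: The new changelog line `- remove patches that are now included` drops the XSA/CVE bookkeeping that every earlier entry carries (e.g. `[XSA-88, CVE-2014-1950] (#1064491)` just below it), so anyone auditing this package for a given advisory can no longer tell from the spec that the fix moved from a local patch into the tarball. Suggest making the entry explicit, using the identifiers visible in the patches being deleted: `- update to xen-4.3.2, which includes XSA-73..XSA-88 (CVE-2013-4553, CVE-2013-4554, CVE-2013-6400, CVE-2013-6885, CVE-2014-1950); drop the corresponding local patches`. It would also be worth stating in the entry that each of the fourteen dropped patches (including the documentation-only xsa77-unstable.patch and the `-unstable-4.3` variants of xsa84/xsa87) was confirmed present in the 4.3.2 source rather than assumed, since nothing on this page shows that check and a silently missing backport would reopen a hypervisor privilege-escalation fix such as XSA-76.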
@@ -1,105 +0,0 @@ -From 068bfa76bbd52430e65853375e1d5db99d193e2f Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Thu, 31 Oct 2013 20:49:00 +0000 -Subject: [PATCH] gnttab: correct locking order reversal - -Coverity ID 1087189 - -Correct a lock order reversal between a domains page allocation and grant -table locks. - -This is XSA-73. - -Signed-off-by: Andrew Cooper - -Consolidate error handling. - -Signed-off-by: Jan Beulich -Reviewed-by: Keir Fraser -Tested-by: Matthew Daley ---- - xen/common/grant_table.c | 52 +++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 44 insertions(+), 8 deletions(-) - -diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c -index f42bc7a..48df928 100644 ---- a/xen/common/grant_table.c -+++ b/xen/common/grant_table.c -@@ -1517,6 +1517,8 @@ gnttab_transfer( - - for ( i = 0; i < count; i++ ) - { -+ bool_t okay; -+ - if (i && hypercall_preempt_check()) - return i; - -@@ -1625,16 +1627,18 @@ gnttab_transfer( - * pages when it is dying. - */ - if ( unlikely(e->is_dying) || -- unlikely(e->tot_pages >= e->max_pages) || -- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) ) -+ unlikely(e->tot_pages >= e->max_pages) ) - { -- if ( !e->is_dying ) -- gdprintk(XENLOG_INFO, "gnttab_transfer: " -- "Transferee has no reservation " -- "headroom (%d,%d) or provided a bad grant ref (%08x) " -- "or is dying (%d)\n", -- e->tot_pages, e->max_pages, gop.ref, e->is_dying); - spin_unlock(&e->page_alloc_lock); -+ -+ if ( e->is_dying ) -+ gdprintk(XENLOG_INFO, "gnttab_transfer: " -+ "Transferee (d%d) is dying\n", e->domain_id); -+ else -+ gdprintk(XENLOG_INFO, "gnttab_transfer: " -+ "Transferee (d%d) has no headroom (tot %u, max %u)\n", -+ e->domain_id, e->tot_pages, e->max_pages); -+ - rcu_unlock_domain(e); - put_gfn(d, gop.mfn); - page->count_info &= ~(PGC_count_mask|PGC_allocated); -@@ -1646,6 +1650,38 @@ gnttab_transfer( - /* Okay, add the page to 'e'. 
*/ - if ( unlikely(domain_adjust_tot_pages(e, 1) == 1) ) - get_knownalive_domain(e); -+ -+ /* -+ * We must drop the lock to avoid a possible deadlock in -+ * gnttab_prepare_for_transfer. We have reserved a page in e so can -+ * safely drop the lock and re-aquire it later to add page to the -+ * pagelist. -+ */ -+ spin_unlock(&e->page_alloc_lock); -+ okay = gnttab_prepare_for_transfer(e, d, gop.ref); -+ spin_lock(&e->page_alloc_lock); -+ -+ if ( unlikely(!okay) || unlikely(e->is_dying) ) -+ { -+ bool_t drop_dom_ref = (domain_adjust_tot_pages(e, -1) == 0); -+ -+ spin_unlock(&e->page_alloc_lock); -+ -+ if ( okay /* i.e. e->is_dying due to the surrounding if() */ ) -+ gdprintk(XENLOG_INFO, "gnttab_transfer: " -+ "Transferee (d%d) is now dying\n", e->domain_id); -+ -+ if ( drop_dom_ref ) -+ put_domain(e); -+ rcu_unlock_domain(e); -+ -+ put_gfn(d, gop.mfn); -+ page->count_info &= ~(PGC_count_mask|PGC_allocated); -+ free_domheap_page(page); -+ gop.status = GNTST_general_error; -+ goto copyback; -+ } -+ - page_list_add_tail(page, &e->page_list); - page_set_owner(page, e); - --- -1.7.10.4 - diff --git a/xsa74-4.3-unstable.patch b/xsa74-4.3-unstable.patch deleted file mode 100644 index 4c9c27c..0000000 --- a/xsa74-4.3-unstable.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -x86: restrict XEN_DOMCTL_getmemlist - -Coverity ID 1055652 - -(See the code comment.) - -This is CVE-2013-4553 / XSA-74. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Reviewed-by: Tim Deegan - ---- a/xen/arch/x86/domctl.c -+++ b/xen/arch/x86/domctl.c -@@ -329,6 +329,26 @@ long arch_do_domctl( - break; - } - -+ /* -+ * XSA-74: This sub-hypercall is broken in several ways: -+ * - lock order inversion (p2m locks inside page_alloc_lock) -+ * - no preemption on huge max_pfns input -+ * - not (re-)checking d->is_dying with page_alloc_lock held -+ * - not honoring start_pfn input (which libxc also doesn't set) -+ * Additionally it is rather useless, as the result is stale by the -+ * time the caller gets to look at it. -+ * As it only has a single, non-production consumer (xen-mceinj), -+ * rather than trying to fix it we restrict it for the time being. -+ */ -+ if ( /* No nested locks inside copy_to_guest_offset(). */ -+ paging_mode_external(current->domain) || -+ /* Arbitrary limit capping processing time. */ -+ max_pfns > GB(4) / PAGE_SIZE ) -+ { -+ ret = -EOPNOTSUPP; -+ break; -+ } -+ - spin_lock(&d->page_alloc_lock); - - ret = i = 0; diff --git a/xsa75-4.3-unstable.patch b/xsa75-4.3-unstable.patch deleted file mode 100644 index b3724c3..0000000 --- a/xsa75-4.3-unstable.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing - -Otherwise uninitialized data may be used, leading to crashes. - -This is XSA-75. - -Reported-and-tested-by: Jeff Zimmerman -Signed-off-by: Jan Beulich -Reviewed-and-tested-by: Andrew Cooper - ---- a/xen/arch/x86/hvm/vmx/vvmx.c -+++ b/xen/arch/x86/hvm/vmx/vvmx.c -@@ -1509,15 +1509,10 @@ static void clear_vvmcs_launched(struct - } - } - --int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs) -+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs) - { - struct nestedvmx *nvmx = &vcpu_2_nvmx(v); - struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v); -- int rc; -- -- rc = vmx_inst_check_privilege(regs, 0); -- if ( rc != X86EMUL_OKAY ) -- return rc; - - /* check VMCS is valid and IO BITMAP is set */ - if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) && -@@ -1536,6 +1531,10 @@ int nvmx_handle_vmresume(struct cpu_user - struct vcpu *v = current; - struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v); - struct nestedvmx *nvmx = &vcpu_2_nvmx(v); -+ int rc = vmx_inst_check_privilege(regs, 0); -+ -+ if ( rc != X86EMUL_OKAY ) -+ return rc; - - if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR ) - { -@@ -1555,10 +1554,13 @@ int nvmx_handle_vmresume(struct cpu_user - int nvmx_handle_vmlaunch(struct cpu_user_regs *regs) - { - bool_t launched; -- int rc; - struct vcpu *v = current; - struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v); - struct nestedvmx *nvmx = &vcpu_2_nvmx(v); -+ int rc = vmx_inst_check_privilege(regs, 0); -+ -+ if ( rc != X86EMUL_OKAY ) -+ return rc; - - if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR ) - { diff --git a/xsa76.patch b/xsa76.patch deleted file mode 100644 index 54e4325..0000000 --- a/xsa76.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -x86/HVM: only allow ring 0 guest code to make hypercalls - -Anything else would allow for privilege escalation. - -This is CVE-2013-4554 / XSA-76. - -Signed-off-by: Jan Beulich - ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg - case 4: - case 2: - hvm_get_segment_register(curr, x86_seg_ss, &sreg); -- if ( unlikely(sreg.attr.fields.dpl == 3) ) -+ if ( unlikely(sreg.attr.fields.dpl) ) - { - default: - regs->eax = -EPERM; diff --git a/xsa77-unstable.patch b/xsa77-unstable.patch deleted file mode 100644 index 4ec475f..0000000 --- a/xsa77-unstable.patch +++ /dev/null 
@@ -1,214 +0,0 @@ -xen: list interfaces subject to the security process exception in XSA-77 - -List all the sub ops of: - __HYPERVISOR_domctl - __HYPERVISOR_sysctl - __HYPERVISOR_memory_op - __HYPERVISOR_tmem_op -which are subject to the policy given in -http://xenbits.xen.org/xsa/advisory-77.html - -It is expected that these lists will be whittled away as each interface is -audited for safety. - -New interfaces should be expected to be safe when introduced (IOW the list -should never be expanded). - -This is XSA-77. - -Signed-off-by: Ian Campbell - -diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt -index ff81b01..ddd5831 100644 ---- a/docs/misc/xsm-flask.txt -+++ b/docs/misc/xsm-flask.txt -@@ -17,6 +17,189 @@ Some examples of what FLASK can do: - Some of these examples require dom0 disaggregation to be useful, since the - domain build process requires the ability to write to the new domain's memory. - -+Security Status of dom0 disaggregation -+-------------------------------------- -+ -+Xen supports disaggregation of various support and management -+functions into their own domains, via the XSM mechanisms described in -+this document. -+ -+However the implementations of these support and management interfaces -+were originally written to be used only by the totally-privileged -+dom0, and have not been reviewed for security when exposed to -+supposedly-only-semi-privileged disaggregated management domains. But -+such management domains are (in such a design) to be seen as -+potentially hostile, e.g. due to privilege escalation following -+exploitation of a bug in the management domain. -+ -+Until the interfaces have been properly reviewed for security against -+hostile callers, the Xen.org security team intends (subject of course -+to the permission of anyone disclosing to us) to handle these and -+future vulnerabilities in these interfaces in public, as if they were -+normal non-security-related bugs. 
-+ -+This applies only to bugs which do no more than reduce the security of -+a radically disaggregated system to the security of a -+non-disaggregated one. Here a "radically disaggregated system" is one -+which uses the XSM mechanism to delegate the affected interfaces to -+other-than-fully-trusted domains. -+ -+This policy does not apply to bugs which affect stub device models, -+driver domains, or stub xenstored - even if those bugs do no worse -+than reduce the security of such a system to one whose device models, -+backend drivers, or xenstore, run in dom0. -+ -+For more information see http://xenbits.xen.org/xsa/advisory-77.html. -+ -+The following interfaces are covered by this statement. Interfaces -+not listed here are considered safe for disaggregation, security -+issues found in interfaces not listed here will be handled according -+to the normal security problem response policy -+http://www.xenproject.org/security-policy.html. -+ -+__HYPERVISOR_domctl (xen/include/public/domctl.h) -+ -+ The following subops are covered by this statement. subops not listed -+ here are considered safe for disaggregation. 
-+ -+ * XEN_DOMCTL_createdomain -+ * XEN_DOMCTL_destroydomain -+ * XEN_DOMCTL_pausedomain -+ * XEN_DOMCTL_unpausedomain -+ * XEN_DOMCTL_getdomaininfo -+ * XEN_DOMCTL_getmemlist -+ * XEN_DOMCTL_getpageframeinfo -+ * XEN_DOMCTL_getpageframeinfo2 -+ * XEN_DOMCTL_setvcpuaffinity -+ * XEN_DOMCTL_shadow_op -+ * XEN_DOMCTL_max_mem -+ * XEN_DOMCTL_setvcpucontext -+ * XEN_DOMCTL_getvcpucontext -+ * XEN_DOMCTL_getvcpuinfo -+ * XEN_DOMCTL_max_vcpus -+ * XEN_DOMCTL_scheduler_op -+ * XEN_DOMCTL_setdomainhandle -+ * XEN_DOMCTL_setdebugging -+ * XEN_DOMCTL_irq_permission -+ * XEN_DOMCTL_iomem_permission -+ * XEN_DOMCTL_ioport_permission -+ * XEN_DOMCTL_hypercall_init -+ * XEN_DOMCTL_arch_setup -+ * XEN_DOMCTL_settimeoffset -+ * XEN_DOMCTL_getvcpuaffinity -+ * XEN_DOMCTL_real_mode_area -+ * XEN_DOMCTL_resumedomain -+ * XEN_DOMCTL_sendtrigger -+ * XEN_DOMCTL_subscribe -+ * XEN_DOMCTL_gethvmcontext -+ * XEN_DOMCTL_sethvmcontext -+ * XEN_DOMCTL_set_address_size -+ * XEN_DOMCTL_get_address_size -+ * XEN_DOMCTL_assign_device -+ * XEN_DOMCTL_pin_mem_cacheattr -+ * XEN_DOMCTL_set_ext_vcpucontext -+ * XEN_DOMCTL_get_ext_vcpucontext -+ * XEN_DOMCTL_set_opt_feature -+ * XEN_DOMCTL_test_assign_device -+ * XEN_DOMCTL_set_target -+ * XEN_DOMCTL_deassign_device -+ * XEN_DOMCTL_set_cpuid -+ * XEN_DOMCTL_get_device_group -+ * XEN_DOMCTL_set_machine_address_size -+ * XEN_DOMCTL_get_machine_address_size -+ * XEN_DOMCTL_suppress_spurious_page_faults -+ * XEN_DOMCTL_debug_op -+ * XEN_DOMCTL_gethvmcontext_partial -+ * XEN_DOMCTL_mem_event_op -+ * XEN_DOMCTL_mem_sharing_op -+ * XEN_DOMCTL_disable_migrate -+ * XEN_DOMCTL_gettscinfo -+ * XEN_DOMCTL_settscinfo -+ * XEN_DOMCTL_getpageframeinfo3 -+ * XEN_DOMCTL_setvcpuextstate -+ * XEN_DOMCTL_getvcpuextstate -+ * XEN_DOMCTL_set_access_required -+ * XEN_DOMCTL_audit_p2m -+ * XEN_DOMCTL_set_virq_handler -+ * XEN_DOMCTL_set_broken_page_p2m -+ * XEN_DOMCTL_setnodeaffinity -+ * XEN_DOMCTL_getnodeaffinity -+ * XEN_DOMCTL_set_max_evtchn -+ * 
XEN_DOMCTL_gdbsx_guestmemio -+ * XEN_DOMCTL_gdbsx_pausevcpu -+ * XEN_DOMCTL_gdbsx_unpausevcpu -+ * XEN_DOMCTL_gdbsx_domstatus -+ -+__HYPERVISOR_sysctl (xen/include/public/sysctl.h) -+ -+ The following subops are covered by this statement. subops not listed -+ here are considered safe for disaggregation. -+ -+ * XEN_SYSCTL_readconsole -+ * XEN_SYSCTL_tbuf_op -+ * XEN_SYSCTL_physinfo -+ * XEN_SYSCTL_sched_id -+ * XEN_SYSCTL_perfc_op -+ * XEN_SYSCTL_getdomaininfolist -+ * XEN_SYSCTL_debug_keys -+ * XEN_SYSCTL_getcpuinfo -+ * XEN_SYSCTL_availheap -+ * XEN_SYSCTL_get_pmstat -+ * XEN_SYSCTL_cpu_hotplug -+ * XEN_SYSCTL_pm_op -+ * XEN_SYSCTL_page_offline_op -+ * XEN_SYSCTL_lockprof_op -+ * XEN_SYSCTL_topologyinfo -+ * XEN_SYSCTL_numainfo -+ * XEN_SYSCTL_cpupool_op -+ * XEN_SYSCTL_scheduler_op -+ * XEN_SYSCTL_coverage_op -+ -+__HYPERVISOR_memory_op (xen/include/public/memory.h) -+ -+ The following subops are covered by this statement. subops not listed -+ here are considered safe for disaggregation. -+ -+ * XENMEM_set_pod_target -+ * XENMEM_get_pod_target -+ * XENMEM_claim_pages -+ -+__HYPERVISOR_tmem_op (xen/include/public/tmem.h) -+ -+ The following tmem control ops, that is the sub-subops of -+ TMEM_CONTROL, are covered by this statement. -+ -+ Note that TMEM is also subject to a similar policy arising from -+ XSA-15 http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html. -+ Due to this existing policy all TMEM Ops are already subject to -+ reduced security support. 
-+ -+ * TMEMC_THAW -+ * TMEMC_FREEZE -+ * TMEMC_FLUSH -+ * TMEMC_DESTROY -+ * TMEMC_LIST -+ * TMEMC_SET_WEIGHT -+ * TMEMC_SET_CAP -+ * TMEMC_SET_COMPRESS -+ * TMEMC_QUERY_FREEABLE_MB -+ * TMEMC_SAVE_BEGIN -+ * TMEMC_SAVE_GET_VERSION -+ * TMEMC_SAVE_GET_MAXPOOLS -+ * TMEMC_SAVE_GET_CLIENT_WEIGHT -+ * TMEMC_SAVE_GET_CLIENT_CAP -+ * TMEMC_SAVE_GET_CLIENT_FLAGS -+ * TMEMC_SAVE_GET_POOL_FLAGS -+ * TMEMC_SAVE_GET_POOL_NPAGES -+ * TMEMC_SAVE_GET_POOL_UUID -+ * TMEMC_SAVE_GET_NEXT_PAGE -+ * TMEMC_SAVE_GET_NEXT_INV -+ * TMEMC_SAVE_END -+ * TMEMC_RESTORE_BEGIN -+ * TMEMC_RESTORE_PUT_PAGE -+ * TMEMC_RESTORE_FLUSH_PAGE -+ -+ - - Setting up FLASK - ---------------- diff --git a/xsa78.patch b/xsa78.patch deleted file mode 100644 index f644d48..0000000 --- a/xsa78.patch +++ /dev/null @@ -1,23 +0,0 @@ -VT-d: fix TLB flushing in dma_pte_clear_one() - -The third parameter of __intel_iommu_iotlb_flush() is to indicate -whether the to be flushed entry was a present one. A few lines before, -we bailed if !dma_pte_present(*pte), so there's no need to check the -flag here again - we can simply always pass TRUE here. - -This is XSA-78. - -Suggested-by: Cheng Yueqiang -Signed-off-by: Jan Beulich - ---- a/xen/drivers/passthrough/vtd/iommu.c -+++ b/xen/drivers/passthrough/vtd/iommu.c -@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom - iommu_flush_cache_entry(pte, sizeof(struct dma_pte)); - - if ( !this_cpu(iommu_dont_flush_iotlb) ) -- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1); -+ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1); - - unmap_vtd_domain_page(page); - diff --git a/xsa80.patch b/xsa80.patch deleted file mode 100644 index c904595..0000000 --- a/xsa80.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -IOMMU: clear "don't flush" override on error paths - -Both xenmem_add_to_physmap() and iommu_populate_page_table() each have -an error path that fails to clear that flag, thus suppressing further -flushes on the respective pCPU. - -In iommu_populate_page_table() also slightly re-arrange code to avoid -the false impression of the flag in question being guarded by a -domain's page_alloc_lock. - -This is CVE-2013-6400 / XSA-80. - -Signed-off-by: Jan Beulich -Acked-by: Ian Campbell - ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -4648,7 +4648,7 @@ static int xenmem_add_to_physmap(struct - { - rc = xenmem_add_to_physmap_once(d, xatp); - if ( rc < 0 ) -- return rc; -+ break; - - xatp->idx++; - xatp->gpfn++; ---- a/xen/drivers/passthrough/iommu.c -+++ b/xen/drivers/passthrough/iommu.c -@@ -306,11 +306,11 @@ static int iommu_populate_page_table(str - { - struct hvm_iommu *hd = domain_hvm_iommu(d); - struct page_info *page; -- int rc; -+ int rc = 0; - -+ this_cpu(iommu_dont_flush_iotlb) = 1; - spin_lock(&d->page_alloc_lock); - -- this_cpu(iommu_dont_flush_iotlb) = 1; - page_list_for_each ( page, &d->page_list ) - { - if ( is_hvm_domain(d) || -@@ -320,18 +320,20 @@ static int iommu_populate_page_table(str - rc = hd->platform_ops->map_page( - d, mfn_to_gmfn(d, page_to_mfn(page)), page_to_mfn(page), - IOMMUF_readable|IOMMUF_writable); -- if (rc) -- { -- spin_unlock(&d->page_alloc_lock); -- hd->platform_ops->teardown(d); -- return rc; -- } -+ if ( rc ) -+ break; - } - } -- this_cpu(iommu_dont_flush_iotlb) = 0; -- iommu_iotlb_flush_all(d); -+ - spin_unlock(&d->page_alloc_lock); -- return 0; -+ this_cpu(iommu_dont_flush_iotlb) = 0; -+ -+ if ( !rc ) -+ iommu_iotlb_flush_all(d); -+ else -+ hd->platform_ops->teardown(d); -+ -+ return rc; - } - - diff --git a/xsa82.patch b/xsa82.patch deleted file mode 100644 index 6bcdffb..0000000 --- a/xsa82.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -x86/AMD: work around erratum 793 - -The recommendation is to set a bit in an MSR - do this if the firmware -didn't, considering that otherwise we expose ourselves to a guest -induced DoS. - -This is CVE-2013-6885 / XSA-82. - -Signed-off-by: Jan Beulich -Acked-by: Suravee Suthikulpanit - ---- a/xen/arch/x86/cpu/amd.c -+++ b/xen/arch/x86/cpu/amd.c -@@ -476,6 +476,20 @@ static void __devinit init_amd(struct cp - "*** Pass \"allow_unsafe\" if you're trusting" - " all your (PV) guest kernels. ***\n"); - -+ if (c->x86 == 0x16 && c->x86_model <= 0xf) { -+ rdmsrl(MSR_AMD64_LS_CFG, value); -+ if (!(value & (1 << 15))) { -+ static bool_t warned; -+ -+ if (c == &boot_cpu_data || opt_cpu_info || -+ !test_and_set_bool(warned)) -+ printk(KERN_WARNING -+ "CPU%u: Applying workaround for erratum 793\n", -+ smp_processor_id()); -+ wrmsrl(MSR_AMD64_LS_CFG, value | (1 << 15)); -+ } -+ } -+ - /* AMD CPUs do not support SYSENTER outside of legacy mode. */ - clear_bit(X86_FEATURE_SEP, c->x86_capability); - ---- a/xen/include/asm-x86/msr-index.h -+++ b/xen/include/asm-x86/msr-index.h -@@ -213,6 +213,7 @@ - - /* AMD64 MSRs */ - #define MSR_AMD64_NB_CFG 0xc001001f -+#define MSR_AMD64_LS_CFG 0xc0011020 - #define MSR_AMD64_IC_CFG 0xc0011021 - #define MSR_AMD64_DC_CFG 0xc0011022 - #define AMD64_NB_CFG_CF8_EXT_ENABLE_BIT 46 diff --git a/xsa83.patch b/xsa83.patch deleted file mode 100644 index 209c38b..0000000 --- a/xsa83.patch +++ /dev/null @@ -1,20 +0,0 @@ -x86/irq: avoid use-after-free on error path in pirq_guest_bind() - -This is XSA-83. - -Coverity-ID: 1146952 -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich - ---- a/xen/arch/x86/irq.c -+++ b/xen/arch/x86/irq.c -@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru - printk(XENLOG_G_INFO - "Cannot bind IRQ%d to dom%d. Out of memory.\n", - pirq->pirq, v->domain->domain_id); -- rc = -ENOMEM; -- goto out; -+ return -ENOMEM; - } - - action = newaction; 
diff --git a/xsa84-unstable-4.3.patch b/xsa84-unstable-4.3.patch deleted file mode 100644 index abff42e..0000000 --- a/xsa84-unstable-4.3.patch +++ /dev/null 
@@ -1,153 +0,0 @@ -flask: fix reading strings from guest memory - -Since the string size is being specified by the guest, we must range -check it properly before doing allocations based on it. While for the -two cases that are exposed only to trusted guests (via policy -restriction) this just uses an arbitrary upper limit (PAGE_SIZE), for -the FLASK_[GS]ETBOOL case (which any guest can use) the upper limit -gets enforced based on the longest name across all boolean settings. - -This is XSA-84. - -Reported-by: Matthew Daley -Signed-off-by: Jan Beulich -Acked-by: Daniel De Graaf - ---- a/xen/xsm/flask/flask_op.c -+++ b/xen/xsm/flask/flask_op.c -@@ -53,6 +53,7 @@ static DEFINE_SPINLOCK(sel_sem); - /* global data for booleans */ - static int bool_num = 0; - static int *bool_pending_values = NULL; -+static size_t bool_maxstr; - static int flask_security_make_bools(void); - - extern int ss_initialized; -@@ -71,9 +72,15 @@ static int domain_has_security(struct do - perms, NULL); - } - --static int flask_copyin_string(XEN_GUEST_HANDLE_PARAM(char) u_buf, char **buf, uint32_t size) -+static int flask_copyin_string(XEN_GUEST_HANDLE_PARAM(char) u_buf, char **buf, -+ size_t size, size_t max_size) - { -- char *tmp = xmalloc_bytes(size + 1); -+ char *tmp; -+ -+ if ( size > max_size ) -+ return -ENOENT; -+ -+ tmp = xmalloc_array(char, size + 1); - if ( !tmp ) - return -ENOMEM; - -@@ -99,7 +106,7 @@ static int flask_security_user(struct xe - if ( rv ) - return rv; - -- rv = flask_copyin_string(arg->u.user, &user, arg->size); -+ rv = flask_copyin_string(arg->u.user, &user, arg->size, PAGE_SIZE); - if ( rv ) - return rv; - -@@ -210,7 +217,7 @@ static int flask_security_context(struct - if ( rv ) - return rv; - -- rv = flask_copyin_string(arg->context, &buf, arg->size); -+ rv = flask_copyin_string(arg->context, &buf, arg->size, PAGE_SIZE); - if ( rv ) - return rv; - -@@ -303,7 +310,7 @@ static int flask_security_resolve_bool(s - if ( arg->bool_id != -1 ) - return 0; - -- rv = 
flask_copyin_string(arg->name, &name, arg->size); -+ rv = flask_copyin_string(arg->name, &name, arg->size, bool_maxstr); - if ( rv ) - return rv; - -@@ -334,7 +341,7 @@ static int flask_security_set_bool(struc - int num; - int *values; - -- rv = security_get_bools(&num, NULL, &values); -+ rv = security_get_bools(&num, NULL, &values, NULL); - if ( rv != 0 ) - goto out; - -@@ -440,7 +447,7 @@ static int flask_security_make_bools(voi - - xfree(bool_pending_values); - -- ret = security_get_bools(&num, NULL, &values); -+ ret = security_get_bools(&num, NULL, &values, &bool_maxstr); - if ( ret != 0 ) - goto out; - ---- a/xen/xsm/flask/include/conditional.h -+++ b/xen/xsm/flask/include/conditional.h -@@ -13,7 +13,9 @@ - #ifndef _FLASK_CONDITIONAL_H_ - #define _FLASK_CONDITIONAL_H_ - --int security_get_bools(int *len, char ***names, int **values); -+#include -+ -+int security_get_bools(int *len, char ***names, int **values, size_t *maxstr); - - int security_set_bools(int len, int *values); - ---- a/xen/xsm/flask/ss/services.c -+++ b/xen/xsm/flask/ss/services.c -@@ -1850,7 +1850,7 @@ int security_find_bool(const char *name) - return rv; - } - --int security_get_bools(int *len, char ***names, int **values) -+int security_get_bools(int *len, char ***names, int **values, size_t *maxstr) - { - int i, rc = -ENOMEM; - -@@ -1858,6 +1858,8 @@ int security_get_bools(int *len, char ** - if ( names ) - *names = NULL; - *values = NULL; -+ if ( maxstr ) -+ *maxstr = 0; - - *len = policydb.p_bools.nprim; - if ( !*len ) -@@ -1879,16 +1881,17 @@ int security_get_bools(int *len, char ** - - for ( i = 0; i < *len; i++ ) - { -- size_t name_len; -+ size_t name_len = strlen(policydb.p_bool_val_to_name[i]); -+ - (*values)[i] = policydb.bool_val_to_struct[i]->state; - if ( names ) { -- name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; -- (*names)[i] = (char*)xmalloc_array(char, name_len); -+ (*names)[i] = xmalloc_array(char, name_len + 1); - if ( !(*names)[i] ) - goto err; -- 
strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); -- (*names)[i][name_len - 1] = 0; -+ strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len + 1); - } -+ if ( maxstr && name_len > *maxstr ) -+ *maxstr = name_len; - } - rc = 0; - out: -@@ -2006,7 +2009,7 @@ static int security_preserve_bools(struc - struct cond_bool_datum *booldatum; - struct cond_node *cur; - -- rc = security_get_bools(&nbools, &bnames, &bvalues); -+ rc = security_get_bools(&nbools, &bnames, &bvalues, NULL); - if ( rc ) - goto out; - for ( i = 0; i < nbools; i++ ) diff --git a/xsa85.patch b/xsa85.patch deleted file mode 100644 index 2976b2a..0000000 --- a/xsa85.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 593bc8c63d582ec0fc2b3a35336106cf9c3a8b34 Mon Sep 17 00:00:00 2001 -From: Matthew Daley -Date: Sun, 12 Jan 2014 14:29:32 +1300 -Subject: [PATCH] xsm/flask: correct off-by-one in - flask_security_avc_cachestats cpu id check - -This is XSA-85 - -Signed-off-by: Matthew Daley -Reviewed-by: Jan Beulich -Reviewed-by: Ian Campbell ---- - xen/xsm/flask/flask_op.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c -index 4426ab9..22878f5 100644 ---- a/xen/xsm/flask/flask_op.c -+++ b/xen/xsm/flask/flask_op.c -@@ -457,7 +457,7 @@ static int flask_security_avc_cachestats(struct xen_flask_cache_stats *arg) - { - struct avc_cache_stats *st; - -- if ( arg->cpu > nr_cpu_ids ) -+ if ( arg->cpu >= nr_cpu_ids ) - return -ENOENT; - if ( !cpu_online(arg->cpu) ) - return -ENOENT; --- -1.8.5.2 - diff --git a/xsa86.patch b/xsa86.patch deleted file mode 100644 index 25ecb1e..0000000 --- a/xsa86.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From b4c452646efd37b4cd0996256dd0ab7bf6ccb7f6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Mon, 20 Jan 2014 15:51:56 +0000 -Subject: [PATCH] libvchan: Fix handling of invalid ring buffer indices -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The remote (hostile) process can set ring buffer indices to any value -at any time. If that happens, it is possible to get "buffer space" -(either for writing data, or ready for reading) negative or greater -than buffer size. This will end up with buffer overflow in the second -memcpy inside of do_send/do_recv. - -Fix this by introducing new available bytes accessor functions -raw_get_data_ready and raw_get_buffer_space which are robust against -mad ring states, and only return sanitised values. - -Proof sketch of correctness: - -Now {rd,wr}_{cons,prod} are only ever used in the raw available bytes -functions, and in do_send and do_recv. - -The raw available bytes functions do unsigned arithmetic on the -returned values. If the result is "negative" or too big it will be ->ring_size (since we used unsigned arithmetic). Otherwise the result -is a positive in-range value representing a reasonable ring state, in -which case we can safely convert it to int (as the rest of the code -expects). - -do_send and do_recv immediately mask the ring index value with the -ring size. The result is always going to be plausible. If the ring -state has become mad, the worst case is that our behaviour is -inconsistent with the peer's ring pointer. I.e. we read or write to -arguably-incorrect parts of the ring - but always parts of the ring. -And of course if a peer misoperates the ring they can achieve this -effect anyway. - -So the security problem is fixed. - -This is XSA-86. - -(The patch is essentially Ian Jackson's work, although parts of the -commit message are by Marek.) 
- -Signed-off-by: Marek Marczykowski-Górecki -Signed-off-by: Ian Jackson -Cc: Marek Marczykowski-Górecki -Cc: Joanna Rutkowska ---- - tools/libvchan/io.c | 47 +++++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 41 insertions(+), 6 deletions(-) - -diff --git a/tools/libvchan/io.c b/tools/libvchan/io.c -index 2383364..804c63c 100644 ---- a/tools/libvchan/io.c -+++ b/tools/libvchan/io.c -@@ -111,12 +111,26 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit) - return 0; - } - -+/* -+ * Get the amount of buffer space available, and do nothing about -+ * notifications. -+ */ -+static inline int raw_get_data_ready(struct libxenvchan *ctrl) -+{ -+ uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl); -+ if (ready >= rd_ring_size(ctrl)) -+ /* We have no way to return errors. Locking up the ring is -+ * better than the alternatives. */ -+ return 0; -+ return ready; -+} -+ - /** - * Get the amount of buffer space available and enable notifications if needed. - */ - static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request) - { -- int ready = rd_prod(ctrl) - rd_cons(ctrl); -+ int ready = raw_get_data_ready(ctrl); - if (ready >= request) - return ready; - /* We plan to consume all data; please tell us if you send more */ -@@ -126,7 +140,7 @@ static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request) - * will not get notified even though the actual amount of data ready is - * above request. Reread rd_prod to cover this case. 
- */ -- return rd_prod(ctrl) - rd_cons(ctrl); -+ return raw_get_data_ready(ctrl); - } - - int libxenvchan_data_ready(struct libxenvchan *ctrl) -@@ -135,7 +149,21 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl) - * when it changes - */ - request_notify(ctrl, VCHAN_NOTIFY_WRITE); -- return rd_prod(ctrl) - rd_cons(ctrl); -+ return raw_get_data_ready(ctrl); -+} -+ -+/** -+ * Get the amount of buffer space available, and do nothing -+ * about notifications -+ */ -+static inline int raw_get_buffer_space(struct libxenvchan *ctrl) -+{ -+ uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); -+ if (ready > wr_ring_size(ctrl)) -+ /* We have no way to return errors. Locking up the ring is -+ * better than the alternatives. */ -+ return 0; -+ return ready; - } - - /** -@@ -143,7 +171,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl) - */ - static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request) - { -- int ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); -+ int ready = raw_get_buffer_space(ctrl); - if (ready >= request) - return ready; - /* We plan to fill the buffer; please tell us when you've read it */ -@@ -153,7 +181,7 @@ static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request - * will not get notified even though the actual amount of buffer space - * is above request. Reread wr_cons to cover this case. 
- */ -- return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); -+ return raw_get_buffer_space(ctrl); - } - - int libxenvchan_buffer_space(struct libxenvchan *ctrl) -@@ -162,7 +190,7 @@ int libxenvchan_buffer_space(struct libxenvchan *ctrl) - * when it changes - */ - request_notify(ctrl, VCHAN_NOTIFY_READ); -- return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); -+ return raw_get_buffer_space(ctrl); - } - - int libxenvchan_wait(struct libxenvchan *ctrl) -@@ -176,6 +204,8 @@ int libxenvchan_wait(struct libxenvchan *ctrl) - - /** - * returns -1 on error, or size on success -+ * -+ * caller must have checked that enough space is available - */ - static int do_send(struct libxenvchan *ctrl, const void *data, size_t size) - { -@@ -248,6 +278,11 @@ int libxenvchan_write(struct libxenvchan *ctrl, const void *data, size_t size) - } - } - -+/** -+ * returns -1 on error, or size on success -+ * -+ * caller must have checked that enough data is available -+ */ - static int do_recv(struct libxenvchan *ctrl, void *data, size_t size) - { - int real_idx = rd_cons(ctrl) & (rd_ring_size(ctrl) - 1); --- -1.7.10.4 - diff --git a/xsa87-unstable-4.3.patch b/xsa87-unstable-4.3.patch deleted file mode 100644 index 3c31ed5..0000000 --- a/xsa87-unstable-4.3.patch +++ /dev/null @@ -1,23 +0,0 @@ -x86: PHYSDEVOP_{prepare,release}_msix are privileged - -Yet this wasn't being enforced. - -This is XSA-87. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- 2014-01-14.orig/xen/arch/x86/physdev.c 2013-11-18 11:03:37.000000000 +0100 -+++ 2014-01-14/xen/arch/x86/physdev.c 2014-01-22 12:47:47.000000000 +0100 -@@ -640,7 +640,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H - if ( copy_from_guest(&dev, arg, 1) ) - ret = -EFAULT; - else -- ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn, -+ ret = xsm_resource_setup_pci(XSM_PRIV, -+ (dev.seg << 16) | (dev.bus << 8) | -+ dev.devfn) ?: -+ pci_prepare_msix(dev.seg, dev.bus, dev.devfn, - cmd != PHYSDEVOP_prepare_msix); - break; - } 
diff --git a/xsa88.patch b/xsa88.patch deleted file mode 100644 index a9fc806..0000000 --- a/xsa88.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Andrew Cooper -Date: Wed, 22 Jan 2014 17:47:21 +0000 -Subject: libxc: Fix out-of-memory error handling in xc_cpupool_getinfo() - -Avoid freeing info then returning it to the caller. - -This is XSA-88. - -Coverity-ID: 1056192 -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich ---- - tools/libxc/xc_cpupool.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/libxc/xc_cpupool.c b/tools/libxc/xc_cpupool.c -index c8c2a33..6393cfb 100644 ---- a/tools/libxc/xc_cpupool.c -+++ b/tools/libxc/xc_cpupool.c -@@ -104,6 +104,7 @@ xc_cpupoolinfo_t *xc_cpupool_getinfo(xc_interface *xch, - info->cpumap = xc_cpumap_alloc(xch); - if (!info->cpumap) { - free(info); -+ info = NULL; - goto out; - } - info->cpupool_id = sysctl.u.cpupool_op.cpupool_id;