diff --git a/xen-initscript.patch b/xen-initscript.patch index e01384e..b0112e5 100644 --- a/xen-initscript.patch +++ b/xen-initscript.patch @@ -1,6 +1,6 @@ ---- xen-4.1.0/tools/misc/xend.orig 2010-02-02 20:43:01.000000000 +0000 -+++ xen-4.1.0/tools/misc/xend 2010-02-02 21:16:13.000000000 +0000 -@@ -8,103 +8,16 @@ +--- xen-4.2.1/tools/misc/xend.orig 2012-12-17 15:01:18.000000000 +0000 ++++ xen-4.2.1/tools/misc/xend 2013-01-22 21:26:39.387953003 +0000 +@@ -8,103 +8,18 @@ """Xen management daemon. Provides console server and HTTP management api. @@ -97,7 +97,8 @@ - start_blktapctrl() - return daemon.stop() or daemon.start() - elif sys.argv[1] == 'status': -- return daemon.status() ++ if sys.argv[1:] and sys.argv[1] == 'status': + return daemon.status() - else: - print 'not an option:', sys.argv[1] - return 1 diff --git a/xen.spec b/xen.spec index 1e072a1..901c8f5 100644 --- a/xen.spec +++ b/xen.spec @@ -27,7 +27,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.2.1 -Release: 4%{?dist} +Release: 5%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -76,6 +76,8 @@ Patch49: xen.fedora.efi.build.patch Patch55: qemu-xen.trad.buildfix.patch Patch56: xen.fedora19.buildfix.patch Patch57: xsa33-4.2-unstable.patch +Patch58: xsa34-4.2.patch +Patch59: xsa35-4.2-with-xsa34.patch Patch61: xsa37-4.2.patch Patch62: man.formatting.patch Patch63: xsa41.patch @@ -245,6 +247,8 @@ manage Xen virtual machines. %patch55 -p1 %patch56 -p1 %patch57 -p1 +%patch58 -p1 +%patch59 -p1 %patch61 -p1 %patch62 -p1 %patch63 -p1 
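Review bot: `Patch59` (`xsa35-4.2-with-xsa34.patch`) only applies on top of `Patch58`, and apart from the file name nothing in the spec records that ordering requirement. The XSA-35 hunk uses the `#ifdef __i386__` lines introduced by xsa34-4.2.patch as context, so dropping or reordering `%patch58 -p1` would stop `%patch59 -p1` from applying cleanly. A comment above the two `Patch` lines would make this explicit, for example `# Patch59 is the XSA-35 variant rebased on XSA-34; keep 58 before 59`. The two patches also cite different line numbers for the same `case HVM_PARAM_NESTEDHVM:` label (3926 and 3862), so one of them will apply with an offset; it is worth confirming in the build log that both landed in that case block.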
@@ -737,6 +741,12 @@ rm -rf %{buildroot} %endif %changelog +* Tue Jan 22 2013 Michael Young - 4.2.1-5 +- nested virtualization on 32-bit guest can crash host [XSA-34, + CVE-2013-0151] also nested HVM on guest can cause host to run out + of memory [XSA-35, CVE-2013-0152] (#902792) +- restore status option to xend which is used by libvirt (#893699) + * Thu Jan 17 2013 Michael Young - 4.2.1-4 - Buffer overflow when processing large packets in qemu e1000 device driver [XSA-41, CVE-2012-6075] diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch new file mode 100644 index 0000000..f5328ef --- /dev/null +++ b/xsa34-4.2.patch @@ -0,0 +1,30 @@ +x86_32: don't allow use of nested HVM + +There are (indirect) uses of map_domain_page() in the nested HVM code +that are unsafe when not just using the 1:1 mapping. + +This is XSA-34 / CVE-2013-0151. + +Signed-off-by: Jan Beulich + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE + rc = -EINVAL; + break; + case HVM_PARAM_NESTEDHVM: ++#ifdef __i386__ ++ if ( a.value ) ++ rc = -EINVAL; ++#else + if ( a.value > 1 ) + rc = -EINVAL; + if ( !is_hvm_domain(d) ) +@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE + for_each_vcpu(d, v) + if ( rc == 0 ) + rc = nestedhvm_vcpu_initialise(v); ++#endif + break; + case HVM_PARAM_BUFIOREQ_EVTCHN: + rc = -EINVAL; diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch new file mode 100644 index 0000000..28c6171 --- /dev/null +++ b/xsa35-4.2-with-xsa34.patch 
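Review bot: The new `#ifdef __i386__` branch under `case HVM_PARAM_NESTEDHVM:` in xsa34-4.2.patch has no comment explaining why nested HVM is refused on 32-bit builds, so the reason lives only in the patch description. I would add above the `#ifdef`: `/* XSA-34: nested HVM reaches map_domain_page() in ways that are unsafe outside the 1:1 mapping, so x86_32 refuses to enable it. */`. Both branches only set `rc`, so the rejection relies on the code after the switch not storing the parameter when `rc` is non-zero. That code, like the start and end of do_hvm_op, is outside the hunk and should be checked against the target tree.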
@@ -0,0 +1,24 @@
+xen: Do not allow guests to enable nested HVM on themselves
+
+There is no reason for this and doing so exposes a memory leak to
+guests. Only toolstacks need write access to this HVM param.
+
+This is XSA-35 / CVE-2013-0152.
+
+Signed-off-by: Ian Campbell
+Acked-by: Jan Beulich
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++ if ( !IS_PRIV(current->domain) )
++ {
++ rc = -EPERM;
++ break;
++ }
+ #ifdef __i386__
+ if ( a.value )
+ rc = -EINVAL;
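Review bot: The added guard at the top of `case HVM_PARAM_NESTEDHVM:` tests `IS_PRIV(current->domain)`, which refuses every unprivileged caller, not only a guest setting the parameter on itself as the patch title describes. That is the stricter reading and matches the description's "only toolstacks need write access", but the code should say so, so that a later change does not relax it: `/* XSA-35: toolstack only; letting guests set this exposed a memory leak. */`. If any deployment sets this parameter from a non-privileged helper domain, it will now receive `-EPERM`; whether such a caller exists cannot be told from the hunk. The early `break` relies on the code after the switch honouring a non-zero `rc`, and do_hvm_op's body continues outside the hunk.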