diff --git a/xen.spec b/xen.spec index a39316f..162dc5e 100644 --- a/xen.spec +++ b/xen.spec @@ -51,7 +51,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.5.2 -Release: 2%{?dist} +Release: 3%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -97,6 +97,9 @@ Patch28: qemu.git-29b9f5efd78ae0f9cc02dd169b6e80d2c404bade.patch Patch29: qemu.git-0cf33fb6b49a19de32859e2cdc6021334f448fb3.patch Patch30: qemu.trad.CVE-2015-7295.patch Patch31: xsa156-4.5.patch +Patch32: xsa162-qemut.patch +Patch33: xsa162-qemuu.patch +Patch34: xsa163.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel @@ -295,6 +298,9 @@ manage Xen virtual machines. %patch29 -p1 %patch30 -p1 %patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 # stubdom sources cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom @@ -818,6 +824,11 @@ rm -rf %{buildroot} %endif %changelog +* Sun Dec 06 2015 Michael Young - 4.5.2-3 +- heap buffer overflow vulnerability in pcnet emulator [XSA-162, + CVE-2015-7504] (#1286544) +- virtual PMU is unsupported [XSA-163] (#1285351) + * Tue Nov 10 2015 Michael Young - 4.5.2-2 - x86: CPU lockup during exception delivery [XSA-156, CVE-2015-5307, CVE-2015-8104] (#1279689, #1279690) diff --git a/xsa162-qemut.patch b/xsa162-qemut.patch new file mode 100644 index 0000000..f57f669 --- /dev/null +++ b/xsa162-qemut.patch 
@@ -0,0 +1,48 @@
+net: pcnet: add check to validate receive data size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported-by: Qinghao Tang
+Signed-off-by: Prasad J Pandit
+---
+ hw/net/pcnet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/tools/qemu-xen-traditional/hw/pcnet.c b/tools/qemu-xen-traditional/hw/pcnet.c
+index 4e81267..6a101f2 100644
+--- a/tools/qemu-xen-traditional/hw/pcnet.c
++++ b/tools/qemu-xen-traditional/hw/pcnet.c
+@@ -1153,7 +1153,7 @@ static void pcnet_receive(void *opaque, const uint8_t *buf, int size)
+ uint32_t fcs = ~0;
+ uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+ CRC(fcs, *p++);
+ crc_err = (*(uint32_t *)p != htonl(fcs));
+ }
+@@ -1284,12 +1284,13 @@ static void pcnet_transmit(PCNetState *s)
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+- s->xmit_pos = -1;
+- goto txdone;
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
++ s->xmit_pos = -1;
++ goto txdone;
+ }
+-
+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+ s->xmit_pos += bcnt;
+---
+-2.4.3
+-
diff --git a/xsa162-qemuu.patch b/xsa162-qemuu.patch
new file mode 100644
index 0000000..2aebba2
--- /dev/null
+++ b/xsa162-qemuu.patch
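Review bot: The trailer and diffstat inside the new xsa162-qemut.patch do not match the diff it carries — the stat line names `hw/net/pcnet.c` with `6 insertions(+), 4 deletions(-)` while the embedded hunk touches `tools/qemu-xen-traditional/hw/pcnet.c` and also removes a blank line (7 added, 6 removed), and the file ends with `---`, `-2.4.3`, `-` instead of the usual `-- ` / `2.4.3` signature, which looks like a diff-of-a-diff artefact from producing the backport. `patch -p1` ignores text outside hunks, so `%patch32` in the spec should still apply, but it is worth confirming this file is byte-identical to the xsa162-qemut.patch published with the advisory (and its signature, if one is published) rather than a hand-edited copy, since a silently divergent security backport is hard to spot later. Substantively, the receive-side change in this file and in the same hunk of xsa162-qemuu.patch leaves `p` at `&src[size]` when the loop exits, so `crc_err = (*(uint32_t *)p != htonl(fcs))` reads four bytes beyond the received data; as far as the hunk shows that is in bounds only because the transmit-side check now caps `s->xmit_pos + bcnt` at `sizeof(s->buffer) - 4`, an invariant documented only at the transmit site. A short comment at the compare, e.g. `/* p == &src[size]; the 4-byte FCS slot fits because pcnet_transmit caps xmit_pos + bcnt at sizeof(s->buffer) - 4 */`, would help the next backporter, though it belongs upstream rather than in this packaging copy of the patch.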
@@ -0,0 +1,42 @@
+net: pcnet: add check to validate receive data size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported-by: Qinghao Tang
+Signed-off-by: Prasad J Pandit
+---
+ tools/qemu-xen/hw/net/pcnet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/net/pcnet.c b/tools/qemu-xen/hw/net/pcnet.c
+index 3437376..5f55591 100644
+--- a/tools/qemu-xen/hw/net/pcnet.c
++++ b/tools/qemu-xen/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ uint32_t fcs = ~0;
+ uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+ CRC(fcs, *p++);
+ crc_err = (*(uint32_t *)p != htonl(fcs));
+ }
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s)
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+--
+2.4.3
+
diff --git a/xsa163.patch b/xsa163.patch
new file mode 100644
index 0000000..d2bb036
--- /dev/null
+++ b/xsa163.patch
@@ -0,0 +1,23 @@
+x86/vPMU: document as unsupported
+
+This is XSA-163.
+
+Signed-off-by: Jan Beulich
+---
+Note that the referenced link will only become active after public
+disclosure.
+
+--- a/docs/misc/xen-command-line.markdown
++++ b/docs/misc/xen-command-line.markdown
+@@ -1482,8 +1482,9 @@ feature is switched on on Intel processo
+ Note that if **watchdog** option is also specified vpmu will be turned off.
+
+ *Warning:*
+-As the BTS virtualisation is not 100% safe and because of the nehalem quirk
+-don't use the vpmu flag on production systems with Intel cpus!
++As the virtualisation is not 100% safe, don't use the vpmu flag on
++production systems (see Xen Security Advisory 163,
++http://xenbits.xen.org/xsa/advisory-163.html)!
+
+ ### watchdog
+ > `= force | `