diff --git a/.gitignore b/.gitignore
index 90f2762..6bea248 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,4 @@ lwip-1.3.0.tar.gz
 pciutils-2.2.9.tar.bz2
 zlib-1.2.3.tar.gz
 polarssl-1.1.4-gpl.tgz
-/xen-4.4.1.tar.gz
+/xen-4.4.2.tar.gz
diff --git a/sources b/sources
index 4711157..bbea53f 100644
--- a/sources
+++ b/sources
@@ -4,4 +4,4 @@ bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz
 cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2
 debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz
 7b72caf22b01464ee7d6165f2fd85f44 polarssl-1.1.4-gpl.tgz
-1868433f393503000877d15cd4e93d15 xen-4.4.1.tar.gz
+1812261459564147e6b9105115c511aa xen-4.4.2.tar.gz
diff --git a/xen.spec b/xen.spec
index 8936657..11dcdd0 100644
--- a/xen.spec
+++ b/xen.spec
@@ -52,8 +52,8 @@ Summary: Xen is a virtual machine monitor
 Name: xen
-Version: 4.4.1
-Release: 16%{?dist}
+Version: 4.4.2
+Release: 1%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -101,29 +101,11 @@ Patch20: xen.xsm.enable.patch
 Patch21: xen.64.bit.hyp.on.ix86.patch
 Patch22: xen.console.fix.patch
 Patch23: xen.ocamlfix.patch
-Patch24: xsa107-4.4.patch
-Patch25: xsa104.patch
-Patch26: xsa105.patch
-Patch27: xsa106.patch
-Patch28: xsa108.patch
-Patch29: xsa109.patch
-Patch30: xsa110.patch
 Patch31: CVE-2014-0150.patch
-Patch32: xsa113.patch
-Patch33: xsa111.patch
-Patch34: xsa112.patch
 Patch35: xen.git-3460eeb3fc2811efcf2e8ac13a0882ab72ef92bc.patch
 Patch36: xl.migrate.debug.crash.patch
 Patch37: xl.migrate.debug.fail.patch
-Patch38: xsa114-4.4.patch
 Patch39: xl.migrate.debug.fail.fix.patch
-Patch40: xsa116.patch
-Patch41: xsa118-4.4.patch
-Patch42: xsa121.patch
-Patch43: xsa122.patch
-Patch44: xsa123.patch
-Patch45: xsa119-unstable.patch
-Patch46: xsa98-update.patch
 Patch100: xen-configure-xend.patch
@@ -309,29 +291,11 @@ manage Xen virtual machines.
 %endif
 %patch22 -p1
 %patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
 %patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
-%patch38 -p1
 %patch39 -p1
-%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
-%patch46 -p1
 %patch100 -p1
@@ -935,6 +899,10 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Mon Mar 23 2015 Michael Young - 4.4.2-1
+- update to xen-4.4.2
+ remove patches for fixes that are now included
+
 * Fri Mar 13 2015 Michael Young - 4.4.1-16
 - Additional patch for XSA-98 on arm64
diff --git a/xsa104.patch b/xsa104.patch
deleted file mode 100644
index 2c5b39e..0000000
--- a/xsa104.patch
+++ /dev/null
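Review bot: The changelog entry `- update to xen-4.4.2` / `remove patches for fixes that are now included` does not record which advisories the dropped patches (Patch24–30, 32–34, 38, 40–46, and the matching `%patch` lines in the earlier hunk) addressed, so a later reader cannot check from the spec history alone that every removal corresponds to a fix actually shipped in 4.4.2. Naming them in the entry, e.g. `  (XSA-104 to XSA-114, XSA-116, XSA-118, XSA-119, XSA-121 to XSA-123 and the XSA-98 update now carried upstream)`, would make the security baseline of 4.4.2-1 auditable from the package record. xsa119-unstable.patch and xsa98-update.patch are, going by their names, not 4.4-specific backports, so it is worth confirming against the 4.4.2 release notes that both are covered; that cannot be verified from this diff.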
@@ -1,44 +0,0 @@ -x86/shadow: fix race condition sampling the dirty vram state - -d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held. - -If not, two concurrent hypercalls could both end up attempting to free -dirty_vram (the second of which will free a wild pointer), or both end up -allocating a new dirty_vram structure (the first of which will be leaked). - -This is XSA-104. - -Signed-off-by: Andrew Cooper -Reviewed-by: Tim Deegan - ---- a/xen/arch/x86/mm/shadow/common.c -+++ b/xen/arch/x86/mm/shadow/common.c -@@ -3485,7 +3485,7 @@ int shadow_track_dirty_vram(struct domai - int flush_tlb = 0; - unsigned long i; - p2m_type_t t; -- struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram; -+ struct sh_dirty_vram *dirty_vram; - struct p2m_domain *p2m = p2m_get_hostp2m(d); - - if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 ) -@@ -3495,6 +3495,8 @@ int shadow_track_dirty_vram(struct domai - p2m_lock(p2m_get_hostp2m(d)); - paging_lock(d); - -+ dirty_vram = d->arch.hvm_domain.dirty_vram; -+ - if ( dirty_vram && (!nr || - ( begin_pfn != dirty_vram->begin_pfn - || end_pfn != dirty_vram->end_pfn )) ) ---- a/xen/include/asm-x86/hvm/domain.h -+++ b/xen/include/asm-x86/hvm/domain.h -@@ -112,7 +112,7 @@ struct hvm_domain { - /* Memory ranges with pinned cache attributes. */ - struct list_head pinned_cacheattr_ranges; - -- /* VRAM dirty support. */ -+ /* VRAM dirty support. Protect with the domain paging lock. */ - struct sh_dirty_vram *dirty_vram; - - /* If one of vcpus of this domain is in no_fill_mode or diff --git a/xsa105.patch b/xsa105.patch deleted file mode 100644 index cc7cafd..0000000 --- a/xsa105.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -x86/emulate: check cpl for all privileged instructions - -Without this, it is possible for userspace to load its own IDT or GDT. - -This is XSA-105. - -Reported-by: Andrei LUTAS -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -Tested-by: Andrei LUTAS - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -3314,6 +3314,7 @@ x86_emulate( - goto swint; - - case 0xf4: /* hlt */ -+ generate_exception_if(!mode_ring0(), EXC_GP, 0); - ctxt->retire.flags.hlt = 1; - break; - -@@ -3710,6 +3711,7 @@ x86_emulate( - break; - case 2: /* lgdt */ - case 3: /* lidt */ -+ generate_exception_if(!mode_ring0(), EXC_GP, 0); - generate_exception_if(ea.type != OP_MEM, EXC_UD, -1); - fail_if(ops->write_segment == NULL); - memset(®, 0, sizeof(reg)); -@@ -3738,6 +3740,7 @@ x86_emulate( - case 6: /* lmsw */ - fail_if(ops->read_cr == NULL); - fail_if(ops->write_cr == NULL); -+ generate_exception_if(!mode_ring0(), EXC_GP, 0); - if ( (rc = ops->read_cr(0, &cr0, ctxt)) ) - goto done; - if ( ea.type == OP_REG ) diff --git a/xsa106.patch b/xsa106.patch deleted file mode 100644 index 436724d..0000000 --- a/xsa106.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -x86emul: only emulate software interrupt injection for real mode - -Protected mode emulation currently lacks proper privilege checking of -the referenced IDT entry, and there's currently no legitimate way for -any of the respective instructions to reach the emulator when the guest -is in protected mode. - -This is XSA-106. - -Reported-by: Andrei LUTAS -Signed-off-by: Jan Beulich -Acked-by: Keir Fraser - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -2634,6 +2634,7 @@ x86_emulate( - case 0xcd: /* int imm8 */ - src.val = insn_fetch_type(uint8_t); - swint: -+ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */ - fail_if(ops->inject_sw_interrupt == NULL); - rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip, - ctxt) ? : X86EMUL_EXCEPTION; diff --git a/xsa107-4.4.patch b/xsa107-4.4.patch deleted file mode 100644 index 2cea0b7..0000000 --- a/xsa107-4.4.patch +++ /dev/null 
@@ -1,165 +0,0 @@ -evtchn: check control block exists when using FIFO-based events - -When using the FIFO-based event channels, there are no checks for the -existance of a control block when binding an event or moving it to a -different VCPU. This is because events may be bound when the ABI is -in 2-level mode (e.g., by the toolstack before the domain is started). - -The guest may trigger a Xen crash in evtchn_fifo_set_pending() if: - - a) the event is bound to a VCPU without a control block; or - b) VCPU 0 does not have a control block. - -In case (a), Xen will crash when looking up the current queue. In -(b), Xen will crash when looking up the old queue (which defaults to a -queue on VCPU 0). - -By allocating all the per-VCPU structures when enabling the FIFO ABI, -we can be sure that v->evtchn_fifo is always valid. - -EVTCHNOP_init_control_block for all the other CPUs need only map the -shared control block. - -A single check in evtchn_fifo_set_pending() before accessing the -control block fixes all cases where the guest has not initialized some -control blocks. - -This is XSA-107. - -Reported-by: Vitaly Kuznetsov -Signed-off-by: David Vrabel -Reviewed-by: Jan Beulich - ---- a/xen/common/event_fifo.c -+++ b/xen/common/event_fifo.c -@@ -178,6 +178,19 @@ static void evtchn_fifo_set_pending(stru - bool_t linked = 0; - - /* -+ * Control block not mapped. The guest must not unmask an -+ * event until the control block is initialized, so we can -+ * just drop the event. -+ */ -+ if ( unlikely(!v->evtchn_fifo->control_block) ) -+ { -+ printk(XENLOG_G_WARNING -+ "d%dv%d has no FIFO event channel control block\n", -+ d->domain_id, v->vcpu_id); -+ goto done; -+ } -+ -+ /* - * No locking around getting the queue. This may race with - * changing the priority but we are allowed to signal the - * event once on the old priority. 
-@@ -385,36 +398,42 @@ static void init_queue(struct vcpu *v, s - { - spin_lock_init(&q->lock); - q->priority = i; -- q->head = &v->evtchn_fifo->control_block->head[i]; - } - --static int setup_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset) -+static int setup_control_block(struct vcpu *v) - { -- struct domain *d = v->domain; - struct evtchn_fifo_vcpu *efv; -- void *virt; - unsigned int i; -- int rc; -- -- if ( v->evtchn_fifo ) -- return -EINVAL; - - efv = xzalloc(struct evtchn_fifo_vcpu); - if ( !efv ) - return -ENOMEM; - -- rc = map_guest_page(d, gfn, &virt); -+ for ( i = 0; i <= EVTCHN_FIFO_PRIORITY_MIN; i++ ) -+ init_queue(v, &efv->queue[i], i); -+ -+ v->evtchn_fifo = efv; -+ -+ return 0; -+} -+ -+static int map_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset) -+{ -+ void *virt; -+ unsigned int i; -+ int rc; -+ -+ if ( v->evtchn_fifo->control_block ) -+ return -EINVAL; -+ -+ rc = map_guest_page(v->domain, gfn, &virt); - if ( rc < 0 ) -- { -- xfree(efv); - return rc; -- } - -- v->evtchn_fifo = efv; - v->evtchn_fifo->control_block = virt + offset; - - for ( i = 0; i <= EVTCHN_FIFO_PRIORITY_MIN; i++ ) -- init_queue(v, &v->evtchn_fifo->queue[i], i); -+ v->evtchn_fifo->queue[i].head = &v->evtchn_fifo->control_block->head[i]; - - return 0; - } -@@ -508,28 +527,43 @@ int evtchn_fifo_init_control(struct evtc - - spin_lock(&d->event_lock); - -- rc = setup_control_block(v, gfn, offset); -- - /* - * If this is the first control block, setup an empty event array - * and switch to the fifo port ops. 
- */ -- if ( rc == 0 && !d->evtchn_fifo ) -+ if ( !d->evtchn_fifo ) - { -+ struct vcpu *vcb; -+ -+ for_each_vcpu ( d, vcb ) { -+ rc = setup_control_block(vcb); -+ if ( rc < 0 ) -+ goto error; -+ } -+ - rc = setup_event_array(d); - if ( rc < 0 ) -- cleanup_control_block(v); -- else -- { -- d->evtchn_port_ops = &evtchn_port_ops_fifo; -- d->max_evtchns = EVTCHN_FIFO_NR_CHANNELS; -- setup_ports(d); -- } -+ goto error; -+ -+ rc = map_control_block(v, gfn, offset); -+ if ( rc < 0 ) -+ goto error; -+ -+ d->evtchn_port_ops = &evtchn_port_ops_fifo; -+ d->max_evtchns = EVTCHN_FIFO_NR_CHANNELS; -+ setup_ports(d); - } -+ else -+ rc = map_control_block(v, gfn, offset); - - spin_unlock(&d->event_lock); - - return rc; -+ -+ error: -+ evtchn_fifo_destroy(d); -+ spin_unlock(&d->event_lock); -+ return rc; - } - - static int add_page_to_event_array(struct domain *d, unsigned long gfn) diff --git a/xsa108.patch b/xsa108.patch deleted file mode 100644 index e162185..0000000 --- a/xsa108.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -x86/HVM: properly bound x2APIC MSR range - -While the write path change appears to be purely cosmetic (but still -gets done here for consistency), the read side mistake permitted -accesses beyond the virtual APIC page. - -Note that while this isn't fully in line with the specification -(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal -possible fix addressing the security issue and getting x2APIC related -code into a consistent shape (elsewhere a 256 rather than 1024 wide -window is being used too). This will be dealt with subsequently. - -This is XSA-108. - -Signed-off-by: Jan Beulich - ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int - *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; - break; - -- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: -+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: - if ( hvm_x2apic_msr_read(v, msr, msr_content) ) - goto gp_fault; - break; -@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int - vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); - break; - -- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: -+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: - if ( hvm_x2apic_msr_write(v, msr, msr_content) ) - goto gp_fault; - break; diff --git a/xsa109.patch b/xsa109.patch deleted file mode 100644 index 0028b2f..0000000 --- a/xsa109.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -x86: don't allow page table updates on non-PV page tables in do_mmu_update() - -paging_write_guest_entry() and paging_cmpxchg_guest_entry() aren't -consistently supported for non-PV guests (they'd deref NULL for PVH or -non-HAP HVM ones). Don't allow respective MMU_* operations on the -page tables of such domains. - -This is XSA-109. - -Signed-off-by: Jan Beulich -Acked-by: Tim Deegan - ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -3493,6 +3493,10 @@ long do_mmu_update( - { - p2m_type_t p2mt; - -+ rc = -EOPNOTSUPP; -+ if ( unlikely(paging_mode_refcounts(pt_owner)) ) -+ break; -+ - xsm_needed |= XSM_MMU_NORMAL_UPDATE; - if ( get_pte_flags(req.val) & _PAGE_PRESENT ) - { diff --git a/xsa110.patch b/xsa110.patch deleted file mode 100644 index 3e7479f..0000000 --- a/xsa110.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -x86emul: enforce privilege level restrictions when loading CS - -Privilege level checks were basically missing for the CS case, the -only check that was done (RPL == DPL for nonconforming segments) -was solely covering a single special case (return to non-conforming -segment). - -Additionally in long mode the L bit set requires the D bit to be clear, -as was recently pointed out for KVM by Nadav Amit -. - -Finally we also need to force the loaded selector's RPL to CPL (at -least as long as lret/retf emulation doesn't support privilege level -changes). - -This is XSA-110. - -Signed-off-by: Jan Beulich -Reviewed-by: Tim Deegan - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1119,7 +1119,7 @@ realmode_load_seg( - static int - protmode_load_seg( - enum x86_segment seg, -- uint16_t sel, -+ uint16_t sel, bool_t is_ret, - struct x86_emulate_ctxt *ctxt, - const struct x86_emulate_ops *ops) - { -@@ -1185,9 +1185,23 @@ protmode_load_seg( - /* Code segment? */ - if ( !(desc.b & (1u<<11)) ) - goto raise_exn; -- /* Non-conforming segment: check DPL against RPL. */ -- if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) ) -+ if ( is_ret -+ ? /* -+ * Really rpl < cpl, but our sole caller doesn't handle -+ * privilege level changes. -+ */ -+ rpl != cpl || (desc.b & (1 << 10) ? dpl > rpl : dpl != rpl) -+ : desc.b & (1 << 10) -+ /* Conforming segment: check DPL against CPL. */ -+ ? dpl > cpl -+ /* Non-conforming segment: check RPL and DPL against CPL. */ -+ : rpl > cpl || dpl != cpl ) - goto raise_exn; -+ /* 64-bit code segments (L bit set) must have D bit clear. */ -+ if ( in_longmode(ctxt, ops) && -+ (desc.b & (1 << 21)) && (desc.b & (1 << 22)) ) -+ goto raise_exn; -+ sel = (sel ^ rpl) | cpl; - break; - case x86_seg_ss: - /* Writable data segment? 
*/ -@@ -1252,7 +1266,7 @@ protmode_load_seg( - static int - load_seg( - enum x86_segment seg, -- uint16_t sel, -+ uint16_t sel, bool_t is_ret, - struct x86_emulate_ctxt *ctxt, - const struct x86_emulate_ops *ops) - { -@@ -1261,7 +1275,7 @@ load_seg( - return X86EMUL_UNHANDLEABLE; - - if ( in_protmode(ctxt, ops) ) -- return protmode_load_seg(seg, sel, ctxt, ops); -+ return protmode_load_seg(seg, sel, is_ret, ctxt, ops); - - return realmode_load_seg(seg, sel, ctxt, ops); - } -@@ -2003,7 +2017,7 @@ x86_emulate( - if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes), - &dst.val, op_bytes, ctxt, ops)) != 0 ) - goto done; -- if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(src.val, dst.val, 0, ctxt, ops)) != 0 ) - return rc; - break; - -@@ -2357,7 +2371,7 @@ x86_emulate( - enum x86_segment seg = decode_segment(modrm_reg); - generate_exception_if(seg == decode_segment_failed, EXC_UD, -1); - generate_exception_if(seg == x86_seg_cs, EXC_UD, -1); -- if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(seg, src.val, 0, ctxt, ops)) != 0 ) - goto done; - if ( seg == x86_seg_ss ) - ctxt->retire.flags.mov_ss = 1; -@@ -2438,7 +2452,7 @@ x86_emulate( - &_regs.eip, op_bytes, ctxt)) ) - goto done; - -- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) - goto done; - _regs.eip = eip; - break; -@@ -2662,7 +2676,7 @@ x86_emulate( - if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes, - &sel, 2, ctxt, ops)) != 0 ) - goto done; -- if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(dst.val, sel, 0, ctxt, ops)) != 0 ) - goto done; - dst.val = src.val; - break; -@@ -2736,7 +2750,7 @@ x86_emulate( - &dst.val, op_bytes, ctxt, ops)) || - (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset), - &src.val, op_bytes, ctxt, ops)) || -- (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) ) -+ (rc = 
load_seg(x86_seg_cs, src.val, 1, ctxt, ops)) ) - goto done; - _regs.eip = dst.val; - break; -@@ -2785,7 +2799,7 @@ x86_emulate( - _regs.eflags &= mask; - _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02; - _regs.eip = eip; -- if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, cs, 1, ctxt, ops)) != 0 ) - goto done; - break; - } -@@ -3415,7 +3429,7 @@ x86_emulate( - generate_exception_if(mode_64bit(), EXC_UD, -1); - eip = insn_fetch_bytes(op_bytes); - sel = insn_fetch_type(uint16_t); -- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) - goto done; - _regs.eip = eip; - break; -@@ -3714,7 +3728,7 @@ x86_emulate( - goto done; - } - -- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 ) -+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 ) - goto done; - _regs.eip = src.val; - -@@ -3781,7 +3795,7 @@ x86_emulate( - generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1); - generate_exception_if(!mode_ring0(), EXC_GP, 0); - if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr, -- src.val, ctxt, ops)) != 0 ) -+ src.val, 0, ctxt, ops)) != 0 ) - goto done; - break; - diff --git a/xsa111.patch b/xsa111.patch deleted file mode 100644 index 1761316..0000000 --- a/xsa111.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -x86: limit checks in hypercall_xlat_continuation() to actual arguments - -HVM/PVH guests can otherwise trigger the final BUG_ON() in that -function by entering 64-bit mode, setting the high halves of affected -registers to non-zero values, leaving 64-bit mode, and issuing a -hypercall that might get preempted and hence become subject to -continuation argument translation (HYPERVISOR_memory_op being the only -one possible for HVM, PVH also having the option of using -HYPERVISOR_mmuext_op). This issue got introduced when HVM code was -switched to use compat_memory_op() - neither that nor -hypercall_xlat_continuation() were originally intended to be used by -other than PV guests (which can't enter 64-bit mode and hence have no -way to alter the high halves of 64-bit registers). - -This is XSA-111. - -Signed-off-by: Jan Beulich -Reviewed-by: Tim Deegan - ---- a/xen/arch/x86/domain.c -+++ b/xen/arch/x86/domain.c -@@ -1750,7 +1750,8 @@ unsigned long hypercall_create_continuat - return op; - } - --int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...) -+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr, -+ unsigned int mask, ...) 
- { - int rc = 0; - struct mc_state *mcs = ¤t->mc_state; -@@ -1759,7 +1760,10 @@ int hypercall_xlat_continuation(unsigned - unsigned long nval = 0; - va_list args; - -- BUG_ON(id && *id > 5); -+ ASSERT(nr <= ARRAY_SIZE(mcs->call.args)); -+ ASSERT(!(mask >> nr)); -+ -+ BUG_ON(id && *id >= nr); - BUG_ON(id && (mask & (1U << *id))); - - va_start(args, mask); -@@ -1772,7 +1776,7 @@ int hypercall_xlat_continuation(unsigned - return 0; - } - -- for ( i = 0; i < 6; ++i, mask >>= 1 ) -+ for ( i = 0; i < nr; ++i, mask >>= 1 ) - { - if ( mask & 1 ) - { -@@ -1800,7 +1804,7 @@ int hypercall_xlat_continuation(unsigned - else - { - regs = guest_cpu_user_regs(); -- for ( i = 0; i < 6; ++i, mask >>= 1 ) -+ for ( i = 0; i < nr; ++i, mask >>= 1 ) - { - unsigned long *reg; - ---- a/xen/arch/x86/x86_64/compat/mm.c -+++ b/xen/arch/x86/x86_64/compat/mm.c -@@ -118,7 +118,7 @@ int compat_arch_memory_op(unsigned long - break; - - if ( rc == __HYPERVISOR_memory_op ) -- hypercall_xlat_continuation(NULL, 0x2, nat, arg); -+ hypercall_xlat_continuation(NULL, 2, 0x2, nat, arg); - - XLAT_pod_target(&cmp, nat); - -@@ -354,7 +354,7 @@ int compat_mmuext_op(XEN_GUEST_HANDLE_PA - left = 1; - if ( arg1 != MMU_UPDATE_PREEMPTED ) - { -- BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops, -+ BUG_ON(!hypercall_xlat_continuation(&left, 4, 0x01, nat_ops, - cmp_uops)); - if ( !test_bit(_MCSF_in_multicall, &mcs->flags) ) - regs->_ecx += count - i; -@@ -362,7 +362,7 @@ int compat_mmuext_op(XEN_GUEST_HANDLE_PA - mcs->compat_call.args[1] += count - i; - } - else -- BUG_ON(hypercall_xlat_continuation(&left, 0)); -+ BUG_ON(hypercall_xlat_continuation(&left, 4, 0)); - BUG_ON(left != arg1); - } - else ---- a/xen/common/compat/memory.c -+++ b/xen/common/compat/memory.c -@@ -282,7 +282,7 @@ int compat_memory_op(unsigned int cmd, X - break; - - cmd = 0; -- if ( hypercall_xlat_continuation(&cmd, 0x02, nat.hnd, compat) ) -+ if ( hypercall_xlat_continuation(&cmd, 2, 0x02, nat.hnd, compat) ) - { - BUG_ON(rc != 
__HYPERVISOR_memory_op); - BUG_ON((cmd & MEMOP_CMD_MASK) != op); ---- a/xen/include/xen/compat.h -+++ b/xen/include/xen/compat.h -@@ -195,6 +195,8 @@ static inline int name(k xen_ ## n *x, k - * This option is useful for extracting the "op" argument or similar from the - * hypercall to enable further xlat processing. - * -+ * nr: Total number of arguments the hypercall has. -+ * - * mask: Specifies which of the hypercall arguments require compat translation. - * bit 0 indicates that the 0'th argument requires translation, bit 1 indicates - * that the first argument requires translation and so on. Native and compat -@@ -214,7 +216,8 @@ static inline int name(k xen_ ## n *x, k - * - * Return: Number of arguments which were actually translated. - */ --int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...); -+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr, -+ unsigned int mask, ...); - - /* In-place translation functons: */ - struct start_info; diff --git a/xsa112.patch b/xsa112.patch deleted file mode 100644 index a3da626..0000000 --- a/xsa112.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -x86/HVM: confine internally handled MMIO to solitary regions - -While it is generally wrong to cross region boundaries when dealing -with MMIO accesses of repeated string instructions (currently only -MOVS) as that would do things a guest doesn't expect (leaving aside -that none of these regions would normally be accessed with repeated -string instructions in the first place), this is even more of a problem -for all virtual MSI-X page accesses (both msixtbl_{read,write}() can be -made dereference NULL "entry" pointers this way) as well as undersized -(1- or 2-byte) LAPIC writes (causing vlapic_read_aligned() to access -space beyond the one memory page set up for holding LAPIC register -values). - -Since those functions validly assume to be called only with addresses -their respective checking functions indicated to be okay, it is generic -code that needs to be fixed to clip the repetition count. - -To be on the safe side (and consistent), also do the same for buffered -I/O intercepts, even if their only client (stdvga) doesn't put the -hypervisor at risk (i.e. "only" guest misbehavior would result). - -This is CVE-2014-8867 / XSA-112. - -Signed-off-by: Jan Beulich -Reviewed-by: Tim Deegan - ---- a/xen/arch/x86/hvm/intercept.c -+++ b/xen/arch/x86/hvm/intercept.c -@@ -181,11 +181,24 @@ int hvm_mmio_intercept(ioreq_t *p) - int i; - - for ( i = 0; i < HVM_MMIO_HANDLER_NR; i++ ) -- if ( hvm_mmio_handlers[i]->check_handler(v, p->addr) ) -+ { -+ hvm_mmio_check_t check_handler = -+ hvm_mmio_handlers[i]->check_handler; -+ -+ if ( check_handler(v, p->addr) ) -+ { -+ if ( unlikely(p->count > 1) && -+ !check_handler(v, unlikely(p->df) -+ ? 
p->addr - (p->count - 1L) * p->size -+ : p->addr + (p->count - 1L) * p->size) ) -+ p->count = 1; -+ - return hvm_mmio_access( - v, p, - hvm_mmio_handlers[i]->read_handler, - hvm_mmio_handlers[i]->write_handler); -+ } -+ } - - return X86EMUL_UNHANDLEABLE; - } -@@ -342,6 +355,13 @@ int hvm_io_intercept(ioreq_t *p, int typ - if ( type == HVM_PORTIO ) - return process_portio_intercept( - handler->hdl_list[i].action.portio, p); -+ -+ if ( unlikely(p->count > 1) && -+ (unlikely(p->df) -+ ? p->addr - (p->count - 1L) * p->size < addr -+ : p->addr + p->count * 1L * p->size - 1 >= addr + size) ) -+ p->count = 1; -+ - return handler->hdl_list[i].action.mmio(p); - } - } ---- a/xen/arch/x86/hvm/vmsi.c -+++ b/xen/arch/x86/hvm/vmsi.c -@@ -226,6 +226,8 @@ static int msixtbl_read( - rcu_read_lock(&msixtbl_rcu_lock); - - entry = msixtbl_find_entry(v, address); -+ if ( !entry ) -+ goto out; - offset = address & (PCI_MSIX_ENTRY_SIZE - 1); - - if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET ) -@@ -268,6 +270,8 @@ static int msixtbl_write(struct vcpu *v, - rcu_read_lock(&msixtbl_rcu_lock); - - entry = msixtbl_find_entry(v, address); -+ if ( !entry ) -+ goto out; - nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE; - - offset = address & (PCI_MSIX_ENTRY_SIZE - 1); diff --git a/xsa113.patch b/xsa113.patch deleted file mode 100644 index adc8bba..0000000 --- a/xsa113.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE - -Any domain which can pass the XSM check against a translated guest can cause a -page reference to be leaked. - -While shuffling the order of checks, drop the quite-pointless MEM_LOG(). This -brings the check in line with similar checks in the vicinity. - -Discovered while reviewing the XSA-109/110 followup series. - -This is XSA-113. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -Reviewed-by: Tim Deegan - ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -3619,6 +3619,12 @@ long do_mmu_update( - - case MMU_MACHPHYS_UPDATE: - -+ if ( unlikely(paging_mode_translate(pg_owner)) ) -+ { -+ rc = -EINVAL; -+ break; -+ } -+ - mfn = req.ptr >> PAGE_SHIFT; - gpfn = req.val; - -@@ -3638,13 +3644,6 @@ long do_mmu_update( - break; - } - -- if ( unlikely(paging_mode_translate(pg_owner)) ) -- { -- MEM_LOG("Mach-phys update on auto-translate guest"); -- rc = -EINVAL; -- break; -- } -- - set_gpfn_from_mfn(mfn, gpfn); - - paging_mark_dirty(pg_owner, mfn); diff --git a/xsa114-4.4.patch b/xsa114-4.4.patch deleted file mode 100644 index a640747..0000000 --- a/xsa114-4.4.patch +++ /dev/null 
@@ -1,498 +0,0 @@ -switch to write-biased r/w locks - -This is to improve fairness: A permanent flow of read acquires can -otherwise lock out eventual writers indefinitely. - -This is XSA-114 / CVE-2014-9065. - -Signed-off-by: Keir Fraser -Reviewed-by: Jan Beulich -Reviewed-by: Andrew Cooper -Tested-by: Andrew Cooper - ---- a/xen/common/spinlock.c -+++ b/xen/common/spinlock.c -@@ -271,112 +271,151 @@ void _spin_unlock_recursive(spinlock_t * - - void _read_lock(rwlock_t *lock) - { -+ uint32_t x; -+ - check_lock(&lock->debug); -- while ( unlikely(!_raw_read_trylock(&lock->raw)) ) -- { -- while ( likely(_raw_rw_is_write_locked(&lock->raw)) ) -+ do { -+ while ( (x = lock->lock) & RW_WRITE_FLAG ) - cpu_relax(); -- } -+ } while ( cmpxchg(&lock->lock, x, x+1) != x ); - preempt_disable(); - } - - void _read_lock_irq(rwlock_t *lock) - { -+ uint32_t x; -+ - ASSERT(local_irq_is_enabled()); - local_irq_disable(); - check_lock(&lock->debug); -- while ( unlikely(!_raw_read_trylock(&lock->raw)) ) -- { -- local_irq_enable(); -- while ( likely(_raw_rw_is_write_locked(&lock->raw)) ) -- cpu_relax(); -- local_irq_disable(); -- } -+ do { -+ if ( (x = lock->lock) & RW_WRITE_FLAG ) -+ { -+ local_irq_enable(); -+ while ( (x = lock->lock) & RW_WRITE_FLAG ) -+ cpu_relax(); -+ local_irq_disable(); -+ } -+ } while ( cmpxchg(&lock->lock, x, x+1) != x ); - preempt_disable(); - } - - unsigned long _read_lock_irqsave(rwlock_t *lock) - { -+ uint32_t x; - unsigned long flags; -+ - local_irq_save(flags); - check_lock(&lock->debug); -- while ( unlikely(!_raw_read_trylock(&lock->raw)) ) -- { -- local_irq_restore(flags); -- while ( likely(_raw_rw_is_write_locked(&lock->raw)) ) -- cpu_relax(); -- local_irq_save(flags); -- } -+ do { -+ if ( (x = lock->lock) & RW_WRITE_FLAG ) -+ { -+ local_irq_restore(flags); -+ while ( (x = lock->lock) & RW_WRITE_FLAG ) -+ cpu_relax(); -+ local_irq_save(flags); -+ } -+ } while ( cmpxchg(&lock->lock, x, x+1) != x ); - preempt_disable(); - return flags; - } - - int 
_read_trylock(rwlock_t *lock) - { -+ uint32_t x; -+ - check_lock(&lock->debug); -- if ( !_raw_read_trylock(&lock->raw) ) -- return 0; -+ do { -+ if ( (x = lock->lock) & RW_WRITE_FLAG ) -+ return 0; -+ } while ( cmpxchg(&lock->lock, x, x+1) != x ); - preempt_disable(); - return 1; - } - - void _read_unlock(rwlock_t *lock) - { -+ uint32_t x, y; -+ - preempt_enable(); -- _raw_read_unlock(&lock->raw); -+ x = lock->lock; -+ while ( (y = cmpxchg(&lock->lock, x, x-1)) != x ) -+ x = y; - } - - void _read_unlock_irq(rwlock_t *lock) - { -- preempt_enable(); -- _raw_read_unlock(&lock->raw); -+ _read_unlock(lock); - local_irq_enable(); - } - - void _read_unlock_irqrestore(rwlock_t *lock, unsigned long flags) - { -- preempt_enable(); -- _raw_read_unlock(&lock->raw); -+ _read_unlock(lock); - local_irq_restore(flags); - } - - void _write_lock(rwlock_t *lock) - { -+ uint32_t x; -+ - check_lock(&lock->debug); -- while ( unlikely(!_raw_write_trylock(&lock->raw)) ) -- { -- while ( likely(_raw_rw_is_locked(&lock->raw)) ) -+ do { -+ while ( (x = lock->lock) & RW_WRITE_FLAG ) - cpu_relax(); -+ } while ( cmpxchg(&lock->lock, x, x|RW_WRITE_FLAG) != x ); -+ while ( x != 0 ) -+ { -+ cpu_relax(); -+ x = lock->lock & ~RW_WRITE_FLAG; - } - preempt_disable(); - } - - void _write_lock_irq(rwlock_t *lock) - { -+ uint32_t x; -+ - ASSERT(local_irq_is_enabled()); - local_irq_disable(); - check_lock(&lock->debug); -- while ( unlikely(!_raw_write_trylock(&lock->raw)) ) -+ do { -+ if ( (x = lock->lock) & RW_WRITE_FLAG ) -+ { -+ local_irq_enable(); -+ while ( (x = lock->lock) & RW_WRITE_FLAG ) -+ cpu_relax(); -+ local_irq_disable(); -+ } -+ } while ( cmpxchg(&lock->lock, x, x|RW_WRITE_FLAG) != x ); -+ while ( x != 0 ) - { -- local_irq_enable(); -- while ( likely(_raw_rw_is_locked(&lock->raw)) ) -- cpu_relax(); -- local_irq_disable(); -+ cpu_relax(); -+ x = lock->lock & ~RW_WRITE_FLAG; - } - preempt_disable(); - } - - unsigned long _write_lock_irqsave(rwlock_t *lock) - { -+ uint32_t x; - unsigned long 
flags; -+ - local_irq_save(flags); - check_lock(&lock->debug); -- while ( unlikely(!_raw_write_trylock(&lock->raw)) ) -+ do { -+ if ( (x = lock->lock) & RW_WRITE_FLAG ) -+ { -+ local_irq_restore(flags); -+ while ( (x = lock->lock) & RW_WRITE_FLAG ) -+ cpu_relax(); -+ local_irq_save(flags); -+ } -+ } while ( cmpxchg(&lock->lock, x, x|RW_WRITE_FLAG) != x ); -+ while ( x != 0 ) - { -- local_irq_restore(flags); -- while ( likely(_raw_rw_is_locked(&lock->raw)) ) -- cpu_relax(); -- local_irq_save(flags); -+ cpu_relax(); -+ x = lock->lock & ~RW_WRITE_FLAG; - } - preempt_disable(); - return flags; -@@ -384,9 +423,13 @@ unsigned long _write_lock_irqsave(rwlock - - int _write_trylock(rwlock_t *lock) - { -+ uint32_t x; -+ - check_lock(&lock->debug); -- if ( !_raw_write_trylock(&lock->raw) ) -- return 0; -+ do { -+ if ( (x = lock->lock) != 0 ) -+ return 0; -+ } while ( cmpxchg(&lock->lock, x, x|RW_WRITE_FLAG) != x ); - preempt_disable(); - return 1; - } -@@ -394,33 +437,32 @@ int _write_trylock(rwlock_t *lock) - void _write_unlock(rwlock_t *lock) - { - preempt_enable(); -- _raw_write_unlock(&lock->raw); -+ if ( cmpxchg(&lock->lock, RW_WRITE_FLAG, 0) != RW_WRITE_FLAG ) -+ BUG(); - } - - void _write_unlock_irq(rwlock_t *lock) - { -- preempt_enable(); -- _raw_write_unlock(&lock->raw); -+ _write_unlock(lock); - local_irq_enable(); - } - - void _write_unlock_irqrestore(rwlock_t *lock, unsigned long flags) - { -- preempt_enable(); -- _raw_write_unlock(&lock->raw); -+ _write_unlock(lock); - local_irq_restore(flags); - } - - int _rw_is_locked(rwlock_t *lock) - { - check_lock(&lock->debug); -- return _raw_rw_is_locked(&lock->raw); -+ return (lock->lock != 0); /* anyone in critical section? */ - } - - int _rw_is_write_locked(rwlock_t *lock) - { - check_lock(&lock->debug); -- return _raw_rw_is_write_locked(&lock->raw); -+ return (lock->lock == RW_WRITE_FLAG); /* writer in critical section? 
*/ - } - - #ifdef LOCK_PROFILE ---- a/xen/include/asm-arm/arm32/spinlock.h -+++ b/xen/include/asm-arm/arm32/spinlock.h -@@ -55,84 +55,6 @@ static always_inline int _raw_spin_trylo - } - } - --typedef struct { -- volatile unsigned int lock; --} raw_rwlock_t; -- --#define _RAW_RW_LOCK_UNLOCKED { 0 } -- --static always_inline int _raw_read_trylock(raw_rwlock_t *rw) --{ -- unsigned long tmp, tmp2 = 1; -- -- __asm__ __volatile__( --"1: ldrex %0, [%2]\n" --" adds %0, %0, #1\n" --" strexpl %1, %0, [%2]\n" -- : "=&r" (tmp), "+r" (tmp2) -- : "r" (&rw->lock) -- : "cc"); -- -- smp_mb(); -- return tmp2 == 0; --} -- --static always_inline int _raw_write_trylock(raw_rwlock_t *rw) --{ -- unsigned long tmp; -- -- __asm__ __volatile__( --"1: ldrex %0, [%1]\n" --" teq %0, #0\n" --" strexeq %0, %2, [%1]" -- : "=&r" (tmp) -- : "r" (&rw->lock), "r" (0x80000000) -- : "cc"); -- -- if (tmp == 0) { -- smp_mb(); -- return 1; -- } else { -- return 0; -- } --} -- --static inline void _raw_read_unlock(raw_rwlock_t *rw) --{ -- unsigned long tmp, tmp2; -- -- smp_mb(); -- -- __asm__ __volatile__( --"1: ldrex %0, [%2]\n" --" sub %0, %0, #1\n" --" strex %1, %0, [%2]\n" --" teq %1, #0\n" --" bne 1b" -- : "=&r" (tmp), "=&r" (tmp2) -- : "r" (&rw->lock) -- : "cc"); -- -- if (tmp == 0) -- dsb_sev(); --} -- --static inline void _raw_write_unlock(raw_rwlock_t *rw) --{ -- smp_mb(); -- -- __asm__ __volatile__( -- "str %1, [%0]\n" -- : -- : "r" (&rw->lock), "r" (0) -- : "cc"); -- -- dsb_sev(); --} -- --#define _raw_rw_is_locked(x) ((x)->lock != 0) --#define _raw_rw_is_write_locked(x) ((x)->lock == 0x80000000) -- - #endif /* __ASM_SPINLOCK_H */ - /* - * Local variables: ---- a/xen/include/asm-arm/arm64/spinlock.h -+++ b/xen/include/asm-arm/arm64/spinlock.h -@@ -52,69 +52,6 @@ static always_inline int _raw_spin_trylo - return !tmp; - } - --typedef struct { -- volatile unsigned int lock; --} raw_rwlock_t; -- --#define _RAW_RW_LOCK_UNLOCKED { 0 } -- --static always_inline int _raw_read_trylock(raw_rwlock_t *rw) 
--{ -- unsigned int tmp, tmp2 = 1; -- -- asm volatile( -- " ldaxr %w0, %2\n" -- " add %w0, %w0, #1\n" -- " tbnz %w0, #31, 1f\n" -- " stxr %w1, %w0, %2\n" -- "1:\n" -- : "=&r" (tmp), "+r" (tmp2), "+Q" (rw->lock) -- : -- : "cc", "memory"); -- -- return !tmp2; --} -- --static always_inline int _raw_write_trylock(raw_rwlock_t *rw) --{ -- unsigned int tmp; -- -- asm volatile( -- " ldaxr %w0, %1\n" -- " cbnz %w0, 1f\n" -- " stxr %w0, %w2, %1\n" -- "1:\n" -- : "=&r" (tmp), "+Q" (rw->lock) -- : "r" (0x80000000) -- : "cc", "memory"); -- -- return !tmp; --} -- --static inline void _raw_read_unlock(raw_rwlock_t *rw) --{ -- unsigned int tmp, tmp2; -- -- asm volatile( -- " 1: ldxr %w0, %2\n" -- " sub %w0, %w0, #1\n" -- " stlxr %w1, %w0, %2\n" -- " cbnz %w1, 1b\n" -- : "=&r" (tmp), "=&r" (tmp2), "+Q" (rw->lock) -- : -- : "cc", "memory"); --} -- --static inline void _raw_write_unlock(raw_rwlock_t *rw) --{ -- asm volatile( -- " stlr %w1, %0\n" -- : "=Q" (rw->lock) : "r" (0) : "memory"); --} -- --#define _raw_rw_is_locked(x) ((x)->lock != 0) --#define _raw_rw_is_write_locked(x) ((x)->lock == 0x80000000) -- - #endif /* __ASM_SPINLOCK_H */ - /* - * Local variables: ---- a/xen/include/asm-x86/spinlock.h -+++ b/xen/include/asm-x86/spinlock.h -@@ -31,58 +31,4 @@ static always_inline int _raw_spin_trylo - return (oldval > 0); - } - --typedef struct { -- volatile int lock; --} raw_rwlock_t; -- --#define RW_WRITE_BIAS 0x7fffffff --#define _RAW_RW_LOCK_UNLOCKED /*(raw_rwlock_t)*/ { 0 } -- --static always_inline int _raw_read_trylock(raw_rwlock_t *rw) --{ -- int acquired; -- -- asm volatile ( -- " lock; decl %0 \n" -- " jns 2f \n" --#ifdef __clang__ /* clang's builtin assember can't do .subsection */ -- "1: .pushsection .fixup,\"ax\"\n" --#else -- "1: .subsection 1 \n" --#endif -- "2: lock; incl %0 \n" -- " decl %1 \n" -- " jmp 1b \n" --#ifdef __clang__ -- " .popsection \n" --#else -- " .subsection 0 \n" --#endif -- : "=m" (rw->lock), "=r" (acquired) : "1" (1) : "memory" ); -- -- return 
acquired; --} -- --static always_inline int _raw_write_trylock(raw_rwlock_t *rw) --{ -- return (cmpxchg(&rw->lock, 0, RW_WRITE_BIAS) == 0); --} -- --static always_inline void _raw_read_unlock(raw_rwlock_t *rw) --{ -- asm volatile ( -- "lock ; incl %0" -- : "=m" ((rw)->lock) : : "memory" ); --} -- --static always_inline void _raw_write_unlock(raw_rwlock_t *rw) --{ -- asm volatile ( -- "lock ; subl %1,%0" -- : "=m" ((rw)->lock) : "i" (RW_WRITE_BIAS) : "memory" ); --} -- --#define _raw_rw_is_locked(x) ((x)->lock != 0) --#define _raw_rw_is_write_locked(x) ((x)->lock > 0) -- - #endif /* __ASM_SPINLOCK_H */ ---- a/xen/include/xen/spinlock.h -+++ b/xen/include/xen/spinlock.h -@@ -141,11 +141,13 @@ typedef struct spinlock { - #define spin_lock_init(l) (*(l) = (spinlock_t)SPIN_LOCK_UNLOCKED) - - typedef struct { -- raw_rwlock_t raw; -+ volatile uint32_t lock; - struct lock_debug debug; - } rwlock_t; - --#define RW_LOCK_UNLOCKED { _RAW_RW_LOCK_UNLOCKED, _LOCK_DEBUG } -+#define RW_WRITE_FLAG (1u<<31) -+ -+#define RW_LOCK_UNLOCKED { 0, _LOCK_DEBUG } - #define DEFINE_RWLOCK(l) rwlock_t l = RW_LOCK_UNLOCKED - #define rwlock_init(l) (*(l) = (rwlock_t)RW_LOCK_UNLOCKED) - diff --git a/xsa116.patch b/xsa116.patch deleted file mode 100644 index 816a9bd..0000000 --- a/xsa116.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -x86/HVM: prevent use-after-free when destroying a domain - -hvm_domain_relinquish_resources() can free certain domain resources -which can still be accessed, e.g. by HVMOP_set_param, while the domain -is being cleaned up. - -Signed-off-by: Mihai Donțu -Tested-by: Răzvan Cojocaru -Reviewed-by: Andrew Cooper -Reviewed-by: Jan Beulich - ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -1487,9 +1487,6 @@ int hvm_domain_initialise(struct domain - - void hvm_domain_relinquish_resources(struct domain *d) - { -- xfree(d->arch.hvm_domain.io_handler); -- xfree(d->arch.hvm_domain.params); -- - if ( is_pvh_domain(d) ) - return; - -@@ -1511,6 +1508,9 @@ void hvm_domain_relinquish_resources(str - - void hvm_domain_destroy(struct domain *d) - { -+ xfree(d->arch.hvm_domain.io_handler); -+ xfree(d->arch.hvm_domain.params); -+ - hvm_destroy_cacheattr_region_list(d); - - if ( is_pvh_domain(d) ) diff --git a/xsa118-4.4.patch b/xsa118-4.4.patch deleted file mode 100644 index 9a15de2..0000000 --- a/xsa118-4.4.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 172cf0489b504b35c7c1666fb7d015006976c4e7 Mon Sep 17 00:00:00 2001 -From: Julien Grall -Date: Mon, 19 Jan 2015 12:59:42 +0000 -Subject: [PATCH] xen/arm: vgic: message in the emulation code should be - rate-limited - -printk is not rated-limited by default. Therefore a malicious guest may -be able to flood the Xen console. - -If we use gdprintk, unecessary information will be printed such as the -filename and the line. Instead use XENLOG_G_ERR combine with %pv. - -Signed-off-by: Julien Grall ---- - xen/arch/arm/vgic.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c -index 8d1b79e..b2262c6 100644 ---- a/xen/arch/arm/vgic.c -+++ b/xen/arch/arm/vgic.c -@@ -332,7 +332,7 @@ static int vgic_distr_mmio_read(struct vcpu *v, mmio_info_t *info) - - case GICD_ICPIDR2: - if ( dabt.size != 2 ) goto bad_width; -- printk("vGICD: unhandled read from ICPIDR2\n"); -+ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v); - return 0; - - /* Implementation defined -- read as zero */ -@@ -349,14 +349,14 @@ static int vgic_distr_mmio_read(struct vcpu *v, mmio_info_t *info) - goto read_as_zero; - - default: -- printk("vGICD: unhandled read r%d offset %#08x\n", -- dabt.reg, offset); -+ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n", -+ v, dabt.reg, offset); - return 0; - } - - bad_width: -- printk("vGICD: bad read width %d r%d offset %#08x\n", -- dabt.size, dabt.reg, offset); -+ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n", -+ v, dabt.size, dabt.reg, offset); - domain_crash_synchronous(); - return 0; - -@@ -523,14 +523,16 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - - case GICD_ISPENDR ... GICD_ISPENDRN: - if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n", -- dabt.size ? 
"word" : "byte", *r, gicd_reg - GICD_ISPENDR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n", -+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR); - return 0; - - case GICD_ICPENDR ... GICD_ICPENDRN: - if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n", -- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n", -+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR); - return 0; - - case GICD_ISACTIVER ... GICD_ISACTIVERN: -@@ -606,14 +608,16 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - - case GICD_CPENDSGIR ... GICD_CPENDSGIRN: - if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n", -- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n", -+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR); - return 0; - - case GICD_SPENDSGIR ... GICD_SPENDSGIRN: - if ( dabt.size != 0 && dabt.size != 2 ) goto bad_width; -- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n", -- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n", -+ v, dabt.size ? 
"word" : "byte", *r, gicd_reg - GICD_SPENDSGIR); - return 0; - - /* Implementation defined -- write ignored */ -@@ -638,14 +642,16 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info) - goto write_ignore; - - default: -- printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", -- dabt.reg, *r, offset); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.reg, *r, offset); - return 0; - } - - bad_width: -- printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", -- dabt.size, dabt.reg, *r, offset); -+ printk(XENLOG_G_ERR -+ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n", -+ v, dabt.size, dabt.reg, *r, offset); - domain_crash_synchronous(); - return 0; - --- -2.1.4 - diff --git a/xsa119-unstable.patch b/xsa119-unstable.patch deleted file mode 100644 index f696eb5..0000000 --- a/xsa119-unstable.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From f433bfafbaf7d8a41c4c27aa3e8e78b1ab900b69 Mon Sep 17 00:00:00 2001 -From: Ian Campbell -Date: Fri, 20 Feb 2015 14:41:09 +0000 -Subject: [PATCH] tools: libxl: Explicitly disable graphics backends on qemu - cmdline - -By default qemu will try to create some sort of backend for the -emulated VGA device, either SDL or VNC. - -However when the user specifies sdl=0 and vnc=0 in their configuration -libxl was not explicitly disabling either backend, which could lead to -one unexpectedly running. - -If either sdl=1 or vnc=1 is configured then both before and after this -change only the backends which are explicitly enabled are configured, -i.e. this issue only occurs when all backends are supposed to have -been disabled. - -This affects qemu-xen and qemu-xen-traditional differently. - -If qemu-xen was compiled with SDL support then this would result in an -SDL window being opened if $DISPLAY is valid, or a failure to start -the guest if not. Passing "-display none" to qemu before any further --sdl options disables this default behaviour and ensures that SDL is -only started if the libxl configuration demands it. - -If qemu-xen was compiled without SDL support then qemu would instead -start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1 -(IPv4 localhost) with IPv6 preferred if available. Explicitly pass -"-vnc none" when vnc is not enabled in the libxl configuration to -remove this possibility. - -qemu-xen-traditional would never start a vnc backend unless asked. -However by default it will start an SDL backend, the way to disable -this is to pass a -vnc option. In other words passing "-vnc none" will -disable both vnc and sdl by default. sdl can then be reenabled if -configured by subsequent use of the -sdl option. 
- -Tested with both qemu-xen and qemu-xen-traditional built with SDL -support and: - xl cr # defaults - xl cr sdl=0 vnc=0 - xl cr sdl=1 vnc=0 - xl cr sdl=0 vnc=1 - xl cr sdl=0 vnc=0 vga=\"none\" - xl cr sdl=0 vnc=0 nographic=1 -with both valid and invalid $DISPLAY. - -This is XSA-119. - -Reported-by: Sander Eikelenboom -Signed-off-by: Ian Campbell -Acked-by: Ian Jackson ---- - tools/libxl/libxl_dm.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c -index 8599a6a..3b918c6 100644 ---- a/tools/libxl/libxl_dm.c -+++ b/tools/libxl/libxl_dm.c -@@ -180,7 +180,14 @@ static char ** libxl__build_device_model_args_old(libxl__gc *gc, - if (libxl_defbool_val(vnc->findunused)) { - flexarray_append(dm_args, "-vncunused"); - } -- } -+ } else -+ /* -+ * VNC is not enabled by default by qemu-xen-traditional, -+ * however passing -vnc none causes SDL to not be -+ * (unexpectedly) enabled by default. This is overridden by -+ * explicitly passing -sdl below as required. -+ */ -+ flexarray_append_pair(dm_args, "-vnc", "none"); - - if (sdl) { - flexarray_append(dm_args, "-sdl"); -@@ -522,7 +529,17 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, - } - - flexarray_append(dm_args, vncarg); -- } -+ } else -+ /* -+ * Ensure that by default no vnc server is created. -+ */ -+ flexarray_append_pair(dm_args, "-vnc", "none"); -+ -+ /* -+ * Ensure that by default no display backend is created. Further -+ * options given below might then enable more. -+ */ -+ flexarray_append_pair(dm_args, "-display", "none"); - - if (sdl) { - flexarray_append(dm_args, "-sdl"); --- -2.1.4 - diff --git a/xsa121.patch b/xsa121.patch deleted file mode 100644 index f3d1397..0000000 --- a/xsa121.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -x86/HVM: return all ones on wrong-sized reads of system device I/O ports - -So far the value presented to the guest remained uninitialized. - -This is CVE-2015-2044 / XSA-121. - -Signed-off-by: Jan Beulich -Acked-by: Ian Campbell - ---- a/xen/arch/x86/hvm/i8254.c -+++ b/xen/arch/x86/hvm/i8254.c -@@ -486,6 +486,7 @@ static int handle_pit_io( - if ( bytes != 1 ) - { - gdprintk(XENLOG_WARNING, "PIT bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- a/xen/arch/x86/hvm/pmtimer.c -+++ b/xen/arch/x86/hvm/pmtimer.c -@@ -213,6 +213,7 @@ static int handle_pmt_io( - if ( bytes != 4 ) - { - gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- a/xen/arch/x86/hvm/rtc.c -+++ b/xen/arch/x86/hvm/rtc.c -@@ -703,7 +703,8 @@ static int handle_rtc_io( - - if ( bytes != 1 ) - { -- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n"); -+ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n"); -+ *val = ~0; - return X86EMUL_OKAY; - } - ---- a/xen/arch/x86/hvm/vpic.c -+++ b/xen/arch/x86/hvm/vpic.c -@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io( - if ( bytes != 1 ) - { - gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes); -+ *val = ~0; - return X86EMUL_OKAY; - } - diff --git a/xsa122.patch b/xsa122.patch deleted file mode 100644 index 1e58965..0000000 --- a/xsa122.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -pre-fill structures for certain HYPERVISOR_xen_version sub-ops - -... avoiding to pass hypervisor stack contents back to the caller -through space unused by the respective strings. - -This is CVE-2015-2045 / XSA-122. - -Signed-off-by: Aaron Adams -Acked-by: Jan Beulich -Acked-by: Ian Campbell - ---- a/xen/common/kernel.c -+++ b/xen/common/kernel.c -@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_extraversion: - { - xen_extraversion_t extraversion; -+ -+ memset(extraversion, 0, sizeof(extraversion)); - safe_strcpy(extraversion, xen_extra_version()); - if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) ) - return -EFAULT; -@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_compile_info: - { - struct xen_compile_info info; -+ -+ memset(&info, 0, sizeof(info)); - safe_strcpy(info.compiler, xen_compiler()); - safe_strcpy(info.compile_by, xen_compile_by()); - safe_strcpy(info.compile_domain, xen_compile_domain()); -@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL - case XENVER_changeset: - { - xen_changeset_info_t chgset; -+ -+ memset(chgset, 0, sizeof(chgset)); - safe_strcpy(chgset, xen_changeset()); - if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) ) - return -EFAULT; diff --git a/xsa123.patch b/xsa123.patch deleted file mode 100644 index 653996d..0000000 --- a/xsa123.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -x86emul: fully ignore segment override for register-only operations - -For ModRM encoded instructions with register operands we must not -overwrite ea.mem.seg (if a - bogus in that case - segment override was -present) as it aliases with ea.reg. - -This is CVE-2015-2151 / XSA-123. - -Reported-by: Felix Wilhelm -Signed-off-by: Jan Beulich -Reviewed-by: Tim Deegan -Reviewed-by: Keir Fraser - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1757,7 +1757,7 @@ x86_emulate( - } - } - -- if ( override_seg != -1 ) -+ if ( override_seg != -1 && ea.type == OP_MEM ) - ea.mem.seg = override_seg; - - /* Early operand adjustments. */ diff --git a/xsa98-update.patch b/xsa98-update.patch deleted file mode 100644 index cc52e3c..0000000 --- a/xsa98-update.patch +++ /dev/null @@ -1,26 +0,0 @@ -xen: arm: correct arm64 version of gva_to_ma_par - -The implementation was backwards and checked that the guest could -read when asked about write and vice versa. - -This is an update to the fix for XSA-98. - -Reported-by: Tamas K Lengyel -Signed-off-by: Ian Campbell - -diff --git a/xen/include/asm-arm/arm64/page.h b/xen/include/asm-arm/arm64/page.h -index bb10164..386e434 100644 ---- a/xen/include/asm-arm/arm64/page.h -+++ b/xen/include/asm-arm/arm64/page.h -@@ -86,9 +86,9 @@ static inline uint64_t gva_to_ma_par(vaddr_t va, unsigned int flags) - uint64_t par, tmp = READ_SYSREG64(PAR_EL1); - - if ( (flags & GV2M_WRITE) == GV2M_WRITE ) -- asm volatile ("at s12e1r, %0;" : : "r" (va)); -- else - asm volatile ("at s12e1w, %0;" : : "r" (va)); -+ else -+ asm volatile ("at s12e1r, %0;" : : "r" (va)); - isb(); - par = READ_SYSREG64(PAR_EL1); - WRITE_SYSREG64(tmp, PAR_EL1);