diff --git a/xen.spec b/xen.spec
index 23df955..96c43a5 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.3.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -118,6 +118,8 @@ Patch34: xl.migrate.debug.fail.patch
 Patch35: xsa114-4.3.patch
 Patch36: xl.migrate.debug.fail.fix.patch
 Patch37: xsa116-4.3-4.2.patch
+Patch38: xsa121.patch
+Patch39: xsa122.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -320,6 +322,8 @@ manage Xen virtual machines.
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
+%patch39 -p1
 
 %patch100 -p1
 
@@ -893,6 +897,12 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Mar 05 2015 Michael Young - 4.3.3-10
+- Information leak via internal x86 system device emulation [XSA-121,
+ CVE-2015-2044]
+- Information leak through version information hypercall [XSA-122,
+ CVE-2015-2045]
+
 * Tue Jan 06 2015 Michael Young - 4.3.3-9
 - xen crash due to use after free on hvm guest teardown [XSA-116,
 CVE-2015-0361] (#1179221)
diff --git a/xsa121.patch b/xsa121.patch
new file mode 100644
index 0000000..f3d1397
--- /dev/null
+++ b/xsa121.patch
@@ -0,0 +1,51 @@
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich
+Acked-by: Ian Campbell
+
+--- a/xen/arch/x86/hvm/i8254.c
++++ b/xen/arch/x86/hvm/i8254.c
+@@ -486,6 +486,7 @@ static int handle_pit_io(
+ if ( bytes != 1 )
+ {
+ gdprintk(XENLOG_WARNING, "PIT bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/pmtimer.c
++++ b/xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+ if ( bytes != 4 )
+ {
+ gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/rtc.c
++++ b/xen/arch/x86/hvm/rtc.c
+@@ -703,7 +703,8 @@ static int handle_rtc_io(
+
+ if ( bytes != 1 )
+ {
+- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/vpic.c
++++ b/xen/arch/x86/hvm/vpic.c
+@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
+ if ( bytes != 1 )
+ {
+ gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
diff --git a/xsa122.patch b/xsa122.patch
new file mode 100644
index 0000000..1e58965
--- /dev/null
+++ b/xsa122.patch
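Review bot: Each of the four `bytes != N` branches now writes `*val = ~0` before `return X86EMUL_OKAY;`, but the root defect — a handler reporting success without ever defining `*val` — lives in the contract between the port-I/O dispatcher and its handlers, so any other path in these or sibling handlers that returns X86EMUL_OKAY without storing to `*val` (the rest of each function is outside these hunks) would still expose uninitialized hypervisor stack to the guest. A more defensive backport would also pre-fill the value in the common intercept path before the handler is called, e.g. `*val = ~0;` ahead of the dispatch, so these per-site assignments become belt-and-braces rather than the only barrier; that caller is not in this patch, so it needs checking in the 4.3 tree. The new assignment also executes for write accesses, since `dir` is not consulted in any of the four hunks; that is harmless only if writes are handed a scratch copy of the value, which is worth confirming. A one-line comment at each site, `/* Wrong-sized access: reject it, but still define the value the guest sees. */`, would keep the intent visible to the next person tidying these branches.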
@@ -0,0 +1,40 @@
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams
+Acked-by: Jan Beulich
+Acked-by: Ian Campbell
+
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_extraversion:
+ {
+ xen_extraversion_t extraversion;
++
++ memset(extraversion, 0, sizeof(extraversion));
+ safe_strcpy(extraversion, xen_extra_version());
+ if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+ return -EFAULT;
+@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_compile_info:
+ {
+ struct xen_compile_info info;
++
++ memset(&info, 0, sizeof(info));
+ safe_strcpy(info.compiler, xen_compiler());
+ safe_strcpy(info.compile_by, xen_compile_by());
+ safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_changeset:
+ {
+ xen_changeset_info_t chgset;
++
++ memset(chgset, 0, sizeof(chgset));
+ safe_strcpy(chgset, xen_changeset());
+ if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+ return -EFAULT;
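Review bot: The added `memset()` calls are load-bearing and should carry a comment, because `safe_strcpy()` fills only up to the terminating NUL while the following `copy_to_guest()` copies the whole `ARRAY_SIZE()`-sized buffer — the tail beyond the NUL is exactly the hypervisor stack that leaked. Without that explanation a later cleanup could swap the memset for a `= { 0 }` initializer, which for `struct xen_compile_info` is not a safe substitute, since compilers are not reliably required to zero the padding bytes of an automatic object from an initializer; suggested wording at each site: `/* Zero the whole object (padding included): safe_strcpy() stops at the NUL but copy_to_guest() sends the entire buffer. */`. Only `XENVER_extraversion`, `XENVER_compile_info` and `XENVER_changeset` are touched; `DO(xen_version)` continues outside these hunks, and any other sub-op that copies a fixed-size stack buffer to the guest should be audited for the same pattern rather than assumed clean.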