diff --git a/.gitignore b/.gitignore index 1eca093..a305564 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,4 @@ lwip-1.3.0.tar.gz pciutils-2.2.9.tar.bz2 zlib-1.2.3.tar.gz /ipxe-git-v1.0.0.tar.gz -/xen-4.1.2.tar.gz +/xen-4.1.3.tar.gz diff --git a/CVE-2012-0217.patch b/CVE-2012-0217.patch deleted file mode 100644 index 7f6c597..0000000 --- a/CVE-2012-0217.patch +++ /dev/null @@ -1,54 +0,0 @@ - -# HG changeset patch -# User Jan Beulich -# Date 1339497510 -3600 -# Node ID f08e61b9b33f553b21870d58e7c4f95f2c9ac513 -# Parent 435493696053a079ec17d6e1a63e5f2be3a2c9d0 -x86_64: Do not execute sysret with a non-canonical return address - -Check for non-canonical guest RIP before attempting to execute sysret. -If sysret is executed with a non-canonical value in RCX, Intel CPUs -take the fault in ring0, but we will necessarily already have switched -to the the user's stack pointer. - -This is a security vulnerability, XSA-7 / CVE-2012-0217. - -Signed-off-by: Jan Beulich -Signed-off-by: Ian Campbell -Signed-off-by: Ian Jackson -Acked-by: Keir Fraser -Committed-by: Ian Jackson - -xen-unstable changeset: 25480:76eaf5966c05 -xen-unstable date: Tue Jun 12 11:33:40 2012 +0100 -Committed-by: Ian Jackson - -diff -r 435493696053 -r f08e61b9b33f xen/arch/x86/x86_64/entry.S ---- a/xen/arch/x86/x86_64/entry.S Fri May 25 08:18:47 2012 +0100 -+++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:30 2012 +0100 -@@ -40,6 +40,13 @@ restore_all_guest: - testw $TRAP_syscall,4(%rsp) - jz iret_exit_to_guest - -+ /* Don't use SYSRET path if the return address is not canonical. */ -+ movq 8(%rsp),%rcx -+ sarq $47,%rcx -+ incl %ecx -+ cmpl $1,%ecx -+ ja .Lforce_iret -+ - addq $8,%rsp - popq %rcx # RIP - popq %r11 # CS -@@ -50,6 +57,10 @@ restore_all_guest: - sysretq - 1: sysretl - -+.Lforce_iret: -+ /* Mimic SYSRET behavior. */ -+ movq 8(%rsp),%rcx # RIP -+ movq 24(%rsp),%r11 # RFLAGS - ALIGN - /* No special register assumptions. */ - iret_exit_to_guest: - 
diff --git a/CVE-2012-0218.patch b/CVE-2012-0218.patch
deleted file mode 100644
index 22e13b5..0000000
--- a/CVE-2012-0218.patch
+++ /dev/null
@@ -1,134 +0,0 @@ - -# HG changeset patch -# User Jan Beulich -# Date 1339497971 -3600 -# Node ID 0fec1afa463808d91defa43f12cb744d3258a868 -# Parent f08e61b9b33f553b21870d58e7c4f95f2c9ac513 -x86-64: fix #GP generation in assembly code - -When guest use of sysenter (64-bit PV guest) or syscall (32-bit PV -guest) gets converted into a GP fault (due to no callback having got -registered), we must -- honor the GP fault handler's request the keep enabled or mask event - delivery -- not allow TBF_EXCEPTION to remain set past the generation of the - (guest) exception in the vCPU's trap_bounce.flags, as that would - otherwise allow for the next exception occurring in guest mode, - should it happen to get handled in Xen itself, to nevertheless get - bounced to the guest kernel. - -Also, just like compat mode syscall handling already did, native mode -sysenter handling should, when converting to #GP, subtract 2 from the -RIP present in the frame so that the guest's GP fault handler would -see the fault pointing to the offending instruction instead of past it. - -Finally, since those exception generating code blocks needed to be -modified anyway, convert them to make use of UNLIKELY_{START,END}(). - -[ This bug is security vulnerability, XSA-8 / CVE-2012-0218. 
] - -Signed-off-by: Jan Beulich -Acked-by: Keir Fraser -Committed-by: Jan Beulich - -xen-unstable changeset: 25200:80f4113be500 25204:569d6f05e1ef -Committed-by: Ian Jackson - -diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/asm-offsets.c ---- a/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:38:30 2012 +0100 -+++ b/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:46:11 2012 +0100 -@@ -90,6 +90,8 @@ void __dummy__(void) - arch.guest_context.trap_ctxt[TRAP_gp_fault].address); - OFFSET(VCPU_gp_fault_sel, struct vcpu, - arch.guest_context.trap_ctxt[TRAP_gp_fault].cs); -+ OFFSET(VCPU_gp_fault_flags, struct vcpu, -+ arch.guest_context.trap_ctxt[TRAP_gp_fault].flags); - OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp); - OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss); - OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags); -diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/compat/entry.S ---- a/xen/arch/x86/x86_64/compat/entry.S Tue Jun 12 11:38:30 2012 +0100 -+++ b/xen/arch/x86/x86_64/compat/entry.S Tue Jun 12 11:46:11 2012 +0100 -@@ -214,6 +214,7 @@ 1: call compat_create_bounce_frame - ENTRY(compat_post_handle_exception) - testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx) - jz compat_test_all_events -+.Lcompat_bounce_exception: - call compat_create_bounce_frame - movb $0,TRAPBOUNCE_flags(%rdx) - jmp compat_test_all_events -@@ -226,19 +227,20 @@ ENTRY(compat_syscall) - leaq VCPU_trap_bounce(%rbx),%rdx - testl $~3,%esi - leal (,%rcx,TBF_INTERRUPT),%ecx -- jz 2f --1: movq %rax,TRAPBOUNCE_eip(%rdx) -+UNLIKELY_START(z, compat_syscall_gpf) -+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -+ subl $2,UREGS_rip(%rsp) -+ movl $0,TRAPBOUNCE_error_code(%rdx) -+ movl VCPU_gp_fault_addr(%rbx),%eax -+ movzwl VCPU_gp_fault_sel(%rbx),%esi -+ testb $4,VCPU_gp_fault_flags(%rbx) -+ setnz %cl -+ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx -+UNLIKELY_END(compat_syscall_gpf) -+ movq 
%rax,TRAPBOUNCE_eip(%rdx) - movw %si,TRAPBOUNCE_cs(%rdx) - movb %cl,TRAPBOUNCE_flags(%rdx) -- call compat_create_bounce_frame -- jmp compat_test_all_events --2: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -- subl $2,UREGS_rip(%rsp) -- movq VCPU_gp_fault_addr(%rbx),%rax -- movzwl VCPU_gp_fault_sel(%rbx),%esi -- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl -- movl $0,TRAPBOUNCE_error_code(%rdx) -- jmp 1b -+ jmp .Lcompat_bounce_exception - - ENTRY(compat_sysenter) - cmpl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/entry.S ---- a/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:30 2012 +0100 -+++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:46:11 2012 +0100 -@@ -289,19 +289,21 @@ sysenter_eflags_saved: - leaq VCPU_trap_bounce(%rbx),%rdx - testq %rax,%rax - leal (,%rcx,TBF_INTERRUPT),%ecx -- jz 2f --1: movq VCPU_domain(%rbx),%rdi -+UNLIKELY_START(z, sysenter_gpf) -+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -+ subq $2,UREGS_rip(%rsp) -+ movl %eax,TRAPBOUNCE_error_code(%rdx) -+ movq VCPU_gp_fault_addr(%rbx),%rax -+ testb $4,VCPU_gp_fault_flags(%rbx) -+ setnz %cl -+ leal TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx -+UNLIKELY_END(sysenter_gpf) -+ movq VCPU_domain(%rbx),%rdi - movq %rax,TRAPBOUNCE_eip(%rdx) - movb %cl,TRAPBOUNCE_flags(%rdx) - testb $1,DOMAIN_is_32bit_pv(%rdi) - jnz compat_sysenter -- call create_bounce_frame -- jmp test_all_events --2: movl %eax,TRAPBOUNCE_error_code(%rdx) -- movq VCPU_gp_fault_addr(%rbx),%rax -- movb $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl -- movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) -- jmp 1b -+ jmp .Lbounce_exception - - ENTRY(int80_direct_trap) - pushq $0 -@@ -493,6 +495,7 @@ 1: movq %rsp,%rdi - jnz compat_post_handle_exception - testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx) - jz test_all_events -+.Lbounce_exception: - call create_bounce_frame - movb $0,TRAPBOUNCE_flags(%rdx) - jmp test_all_events - 
diff --git a/CVE-2012-2934.patch b/CVE-2012-2934.patch
deleted file mode 100644
index 4111927..0000000
--- a/CVE-2012-2934.patch
+++ /dev/null
@@ -1,60 +0,0 @@ - -# HG changeset patch -# User Jan Beulich -# Date 1339497777 -3600 -# Node ID a9c0a89c08f2a1c92f64f001b653d7c02fbc852c -# Parent 0fec1afa463808d91defa43f12cb744d3258a868 -x86-64: detect processors subject to AMD erratum #121 and refuse to boot - -Processors with this erratum are subject to a DoS attack by unprivileged -guest users. - -This is XSA-9 / CVE-2012-2934. - -Signed-off-by: Jan Beulich -Signed-off-by: Ian Campbell -Committed-by: Ian Jackson - -xen-unstable changeset: 25481:422880dc94a4 -xen-unstable date: Tue Jun 12 11:33:42 2012 +0100 -Committed-by: Ian Jackson - -diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/arch/x86/cpu/amd.c ---- a/xen/arch/x86/cpu/amd.c Tue Jun 12 11:46:11 2012 +0100 -+++ b/xen/arch/x86/cpu/amd.c Tue Jun 12 11:42:57 2012 +0100 -@@ -32,6 +32,9 @@ - static char opt_famrev[14]; - string_param("cpuid_mask_cpu", opt_famrev); - -+static int opt_allow_unsafe; -+boolean_param("allow_unsafe", opt_allow_unsafe); -+ - static inline void wrmsr_amd(unsigned int index, unsigned int lo, - unsigned int hi) - { -@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp - clear_bit(X86_FEATURE_MCE, c->x86_capability); - - #ifdef __x86_64__ -+ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe) -+ panic("Xen will not boot on this CPU for security reasons.\n" -+ "Pass \"allow_unsafe\" if you're trusting all your" -+ " (PV) guest kernels.\n"); -+ - /* AMD CPUs do not support SYSENTER outside of legacy mode. 
*/ - clear_bit(X86_FEATURE_SEP, c->x86_capability); - -diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/include/asm-x86/amd.h ---- a/xen/include/asm-x86/amd.h Tue Jun 12 11:46:11 2012 +0100 -+++ b/xen/include/asm-x86/amd.h Tue Jun 12 11:42:57 2012 +0100 -@@ -127,6 +127,9 @@ - #define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) - #define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) - -+#define AMD_ERRATUM_121 \ -+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf)) -+ - #define AMD_ERRATUM_170 \ - AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf)) - - diff --git a/localgcc451fix.patch b/localgcc451fix.patch deleted file mode 100644 index 9b5bc16..0000000 --- a/localgcc451fix.patch +++ /dev/null @@ -1,26 +0,0 @@ ---- xen-4.0.1/tools/blktap/lib/blktaplib.h.orig 2010-08-25 11:22:07.000000000 +0100 -+++ xen-4.0.1/tools/blktap/lib/blktaplib.h 2010-08-29 20:57:11.000000000 +0100 -@@ -195,8 +195,10 @@ - pid_t pid; - } msg_pid_t; - -+#ifndef READ - #define READ 0 - #define WRITE 1 -+#endif - - /*Control Messages between manager and tapdev*/ - #define CTLMSG_PARAMS 1 ---- xen-4.0.1/tools/blktap2/include/blktaplib.h.orig 2010-08-25 11:22:07.000000000 +0100 -+++ xen-4.0.1/tools/blktap2/include/blktaplib.h 2010-08-29 21:50:50.000000000 +0100 -@@ -197,8 +197,10 @@ - int uuid_len; - } msg_lock_t; - -+#ifndef READ - #define READ 0 - #define WRITE 1 -+#endif - - /*Control Messages between manager and tapdev*/ - #define CTLMSG_PARAMS 1 diff --git a/localgcc45fix.patch b/localgcc45fix.patch deleted file mode 100644 index 153fd65..0000000 --- a/localgcc45fix.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -xen-4.0.1/extras/mini-os/lib/math.c generates the warning -'tmp.ul[1]' may be used uninitialized in this function -under gcc 4.5 which I think is incorrect ---- xen-4.0.1/extras/mini-os/minios.mk.orig 2010-02-02 20:43:00.000000000 +0000 -+++ xen-4.0.1/extras/mini-os/minios.mk 2010-07-24 22:56:27.000000000 +0100 -@@ -10,6 +10,7 @@ - DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,) - DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline) - DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline -+DEF_CFLAGS += -Wno-uninitialized - DEF_CPPFLAGS += -D__XEN_INTERFACE_VERSION__=$(XEN_INTERFACE_VERSION) - - DEF_ASFLAGS += -D__ASSEMBLY__ diff --git a/localgcc46fix.patch b/localgcc46fix.patch deleted file mode 100644 index e485c3b..0000000 --- a/localgcc46fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- xen-4.0.1/Config.mk.orig 2010-08-25 11:22:44.000000000 +0100 -+++ xen-4.0.1/Config.mk 2011-01-29 17:40:43.000000000 +0000 -@@ -135,6 +135,8 @@ - - LDFLAGS += $(foreach i, $(EXTRA_LIB), -L$(i)) - CFLAGS += $(foreach i, $(EXTRA_INCLUDES), -I$(i)) -+# temporary compile fix for rawhide -+CFLAGS += -Wunused-but-set-variable -Wno-error=unused-but-set-variable -Wuninitialized -Wno-error=uninitialized - - EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all - EMBEDDED_EXTRA_CFLAGS += -fno-exceptions diff --git a/localgcc47fix.patch b/localgcc47fix.patch deleted file mode 100644 index d959df9..0000000 --- a/localgcc47fix.patch +++ /dev/null 
@@ -1,32 +0,0 @@ ---- xen-4.1.2/xen/arch/x86/i8259.c.orig 2011-10-20 18:05:48.000000000 +0100 -+++ xen-4.1.2/xen/arch/x86/i8259.c 2012-01-15 00:37:08.583827754 +0000 -@@ -62,7 +62,7 @@ - IRQ(x,8), IRQ(x,9), IRQ(x,a), IRQ(x,b), \ - IRQ(x,c), IRQ(x,d), IRQ(x,e), IRQ(x,f) - -- static void (*interrupt[])(void) = { -+ static void (asmlinkage *interrupt[])(void) = { - IRQLIST_16(0x0), IRQLIST_16(0x1), IRQLIST_16(0x2), IRQLIST_16(0x3), - IRQLIST_16(0x4), IRQLIST_16(0x5), IRQLIST_16(0x6), IRQLIST_16(0x7), - IRQLIST_16(0x8), IRQLIST_16(0x9), IRQLIST_16(0xa), IRQLIST_16(0xb), ---- xen-4.1.2/xen/include/asm-x86/hvm/svm/intr.h.orig 2011-10-20 18:05:50.000000000 +0100 -+++ xen-4.1.2/xen/include/asm-x86/hvm/svm/intr.h 2012-01-15 16:38:13.199784658 +0000 -@@ -21,6 +21,6 @@ - #ifndef __ASM_X86_HVM_SVM_INTR_H__ - #define __ASM_X86_HVM_SVM_INTR_H__ - --void svm_intr_assist(void); -+asmlinkage void svm_intr_assist(void); - - #endif /* __ASM_X86_HVM_SVM_INTR_H__ */ ---- xen-4.1.2/xen/include/asm-x86/hvm/vmx/vmx.h.orig 2011-10-20 18:05:50.000000000 +0100 -+++ xen-4.1.2/xen/include/asm-x86/hvm/vmx/vmx.h 2012-01-15 17:06:07.495853077 +0000 -@@ -63,7 +63,7 @@ - - void vmx_asm_vmexit_handler(struct cpu_user_regs); - void vmx_asm_do_vmentry(void); --void vmx_intr_assist(void); -+asmlinkage void vmx_intr_assist(void); - void vmx_do_resume(struct vcpu *); - void vmx_vlapic_msr_changed(struct vcpu *v); - void vmx_realmode(struct cpu_user_regs *regs); diff --git a/pygrub.size.limits.patch b/pygrub.size.limits.patch index af2ff7c..ce4e056 100644 --- a/pygrub.size.limits.patch +++ b/pygrub.size.limits.patch 
@@ -1,80 +1,116 @@ -Make pygrub cope better with big files in the guest. -Only read the first megabyte of a configuration file (grub etc.) -Read the kernel and ramdisk files from the guest in one megabyte pieces -so pygrub doesn't grow too large if they are large. -If there are problems writing the temporary copies of the kernel and ramdisk -files delete them and exit. + +# HG changeset patch +# User M A Young +# Date 1341413174 -3600 +# Node ID 60f09d1ab1fe5dee87db1bf55c7479a5d71e85a5 +# Parent 42f76d536b116d2ebad1b6705ae51ecd171d2581 +pygrub: cope better with big files in the guest. + +Only read the first megabyte of a configuration file (grub etc.) and read the +kernel and ramdisk files from the guest in one megabyte pieces so pygrub +doesn't use a lot of memory if the files are large. With --not-really option +check that the chosen kernel and ramdisk files exist. If there are problems +writing the copy of the kernel or ramdisk, delete the copied files and exit in +case they have filled the filesystem. 
Signed-off-by: Michael Young +Acked-by: Matt Wilson +Acked-by: Ian Campbell +Acked-by: Ian Jackson +Committed-by: Ian Campbell ---- xen-4.2.0/tools/pygrub/src/pygrub.orig 2012-05-12 16:40:48.000000000 +0100 -+++ xen-4.2.0/tools/pygrub/src/pygrub -@@ -28,6 +28,7 @@ +diff -r 42f76d536b11 -r 60f09d1ab1fe tools/pygrub/src/pygrub +--- a/tools/pygrub/src/pygrub Tue Jul 03 13:39:01 2012 +0100 ++++ b/tools/pygrub/src/pygrub Wed Jul 04 15:46:14 2012 +0100 +@@ -28,6 +28,7 @@ import grub.LiloConf import grub.ExtLinuxConf PYGRUB_VER = 0.6 -+fs_read_max=1048576 ++FS_READ_MAX = 1024 * 1024 def enable_cursor(ison): if ison: -@@ -448,7 +449,8 @@ +@@ -448,7 +449,8 @@ class Grub: if self.__dict__.get('cf', None) is None: raise RuntimeError, "couldn't find bootloader config file in the image provided." f = fs.open_file(self.cf.filename) - buf = f.read() + # limit read size to avoid pathological cases -+ buf = f.read(fs_read_max) ++ buf = f.read(FS_READ_MAX) del f self.cf.parse(buf) -@@ -824,21 +826,46 @@ - if not_really: - bootcfg["kernel"] = "" % chosencfg["kernel"] - else: -- data = fs.open_file(chosencfg["kernel"]).read() -+ datafile = fs.open_file(chosencfg["kernel"]) - (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.", - dir=output_directory) -- os.write(tfd, data) -+ dataoff=0 -+ data=datafile.read(fs_read_max) -+ while len(data)>0: +@@ -697,6 +699,37 @@ if __name__ == "__main__": + def usage(): + print >> sys.stderr, "Usage: %s [-q|--quiet] [-i|--interactive] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] " %(sys.argv[0],) + ++ def copy_from_image(fs, file_to_read, file_type, output_directory, ++ not_really): ++ if not_really: ++ if fs.file_exists(file_to_read): ++ return "<%s:%s>" % (file_type, file_to_read) ++ else: ++ sys.exit("The requested %s file does not exist" % file_type) ++ try: ++ datafile = fs.open_file(file_to_read) ++ except Exception, e: ++ print >>sys.stderr, 
e ++ sys.exit("Error opening %s in guest" % file_to_read) ++ (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".", ++ dir=output_directory) ++ dataoff = 0 ++ while True: ++ data = datafile.read(FS_READ_MAX, dataoff) ++ if len(data) == 0: ++ os.close(tfd) ++ del datafile ++ return ret + try: + os.write(tfd, data) -+ except: -+ print "error writing temporary copy of kernel" ++ except Exception, e: ++ print >>sys.stderr, e + os.close(tfd) -+ os.unlink(bootcfg["kernel"]) -+ sys.exit(1) -+ dataoff+=len(data) -+ data=datafile.read(fs_read_max,dataoff) - os.close(tfd) -+ del datafile ++ os.unlink(ret) ++ del datafile ++ sys.exit("Error writing temporary copy of "+file_type) ++ dataoff += len(data) ++ + try: + opts, args = getopt.gnu_getopt(sys.argv[1:], 'qinh::', + ["quiet", "interactive", "not-really", "help", +@@ -821,24 +854,18 @@ if __name__ == "__main__": + if not fs: + raise RuntimeError, "Unable to find partition containing kernel" + +- if not_really: +- bootcfg["kernel"] = "" % chosencfg["kernel"] +- else: +- data = fs.open_file(chosencfg["kernel"]).read() +- (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.", +- dir=output_directory) +- os.write(tfd, data) +- os.close(tfd) ++ bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel", ++ output_directory, not_really) if chosencfg["ramdisk"]: - if not_really: - bootcfg["ramdisk"] = "" % chosencfg["ramdisk"] - else: +- if not_really: +- bootcfg["ramdisk"] = "" % chosencfg["ramdisk"] +- else: - data = fs.open_file(chosencfg["ramdisk"],).read() -+ datafile = fs.open_file(chosencfg["ramdisk"],) - (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp( - prefix="boot_ramdisk.", dir=output_directory) +- (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp( +- prefix="boot_ramdisk.", dir=output_directory) - os.write(tfd, data) -+ dataoff=0 -+ data=datafile.read(fs_read_max) -+ while len(data)>0: -+ try: -+ os.write(tfd, data) -+ except: -+ print "error writing temporary copy of ramdisk" -+ os.close(tfd) -+ 
os.unlink(bootcfg["ramdisk"]) -+ os.unlink(bootcfg["kernel"]) -+ sys.exit(1) -+ dataoff+=len(data) -+ data=datafile.read(fs_read_max,dataoff) - os.close(tfd) -+ del datafile +- os.close(tfd) ++ try: ++ bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"], ++ "ramdisk", output_directory, ++ not_really) ++ except: ++ if not not_really: ++ os.unlink(bootcfg["kernel"]) ++ raise else: initrd = None + diff --git a/pygrubfix2.patch b/pygrubfix2.patch deleted file mode 100644 index 7f308c6..0000000 --- a/pygrubfix2.patch +++ /dev/null @@ -1,92 +0,0 @@ ---- xen-4.1.2/tools/pygrub/src/pygrub.orig 2011-10-13 18:56:41.000000000 +0100 -+++ xen-4.1.2/tools/pygrub/src/pygrub 2011-10-13 20:46:58.000000000 +0100 -@@ -78,9 +78,17 @@ - def get_fs_offset_gpt(file): - fd = os.open(file, os.O_RDONLY) - # assume the first partition is an EFI system partition. -- os.lseek(fd, SECTOR_SIZE * 2, 0) -+ os.lseek(fd, SECTOR_SIZE, 0) - buf = os.read(fd, 512) -- return struct.unpack("0: -+ buf = os.read(fd, partsize) -+ offsets.append(struct.unpack(" 0: -+ menu_level -= 1 -+ continue -+ else: -+ raise RuntimeError, "syntax error: closing brace without menuentry" - - self.add_image(Grub2Image(title, img)) - img = None -@@ -414,6 +425,8 @@ - - if self.commands.has_key(com): - if self.commands[com] is not None: -+ if arg.strip() == "${saved_entry}": -+ arg = "0" - setattr(self, self.commands[com], arg.strip()) - else: - logging.info("Ignored directive %s" %(com,)) diff --git a/qemu-xen-4.1-testing.git-3cf61880403b4e484539596a95937cc066243388.patch b/qemu-xen-4.1-testing.git-3cf61880403b4e484539596a95937cc066243388.patch deleted file mode 100644 index 3b9933a..0000000 --- a/qemu-xen-4.1-testing.git-3cf61880403b4e484539596a95937cc066243388.patch +++ /dev/null 
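Review bot: In `copy_from_image` (the `+` side of the embedded tools/pygrub/src/pygrub patch), only `os.write(tfd, data)` sits inside the `try`; `datafile.read(FS_READ_MAX, dataoff)` runs after `tempfile.mkstemp` but outside it. If reading the guest filesystem raises (presumably possible on a damaged or hostile image), `tfd` stays open and the partial `boot_kernel.`/`boot_ramdisk.` file is left in `output_directory`. Putting the read and the write under one `try` gives both the same close/unlink/exit path, as sketched below. Separately, reading in `FS_READ_MAX` pieces bounds memory only: the total copied is still whatever the guest image supplies, so a cap on `dataoff` would stop an oversized kernel or ramdisk before the host filesystem fills rather than after the write fails.

```python
        # … unchanged: not_really branch and fs.open_file() error handling …
        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
                                      dir=output_directory)
        dataoff = 0
        try:
            while True:
                data = datafile.read(FS_READ_MAX, dataoff)
                if len(data) == 0:
                    break
                os.write(tfd, data)
                dataoff += len(data)
        except Exception, e:
            # Read and write failures share one cleanup path, so no
            # partial copy or open descriptor is left behind.
            print >>sys.stderr, e
            os.close(tfd)
            os.unlink(ret)
            del datafile
            sys.exit("Error copying %s from guest image" % file_type)
        os.close(tfd)
        del datafile
        return ret
```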
@@ -1,43 +0,0 @@ -From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001 -From: Ian Campbell -Date: Thu, 2 Feb 2012 13:47:06 +0000 -Subject: [PATCH] e1000: bounds packet size against buffer size - -Otherwise we can write beyond the buffer and corrupt memory. This is tracked -as CVE-2012-0029. - -Signed-off-by: Anthony Liguori - -(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 - by Ian Campbell.) - -Signed-off-by: Ian Campbell -(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8) ---- - hw/e1000.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/tools/ioemu-qemu-xen/hw/e1000.c b/tools/ioemu-qemu-xen/hw/e1000.c -index bb3689e..97104ed 100644 ---- a/tools/ioemu-qemu-xen/hw/e1000.c -+++ b/tools/ioemu-qemu-xen/hw/e1000.c -@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - bytes = split_size; - if (tp->size + bytes > msh) - bytes = msh - tp->size; -+ -+ bytes = MIN(sizeof(tp->data) - tp->size, bytes); - cpu_physical_memory_read(addr, tp->data + tp->size, bytes); - if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) - memmove(tp->header, tp->data, hdr); -@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - // context descriptor TSE is not set, while data descriptor TSE is set - DBGOUT(TXERR, "TCP segmentaion Error\n"); - } else { -+ split_size = MIN(sizeof(tp->data) - tp->size, split_size); - cpu_physical_memory_read(addr, tp->data + tp->size, split_size); - tp->size += split_size; - } --- -1.7.2.5 - diff --git a/sources b/sources index 2df57a4..5bf4371 100644 --- a/sources +++ b/sources @@ -4,4 +4,4 @@ bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2 debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz fb7df96781d337899066d82059346885 ipxe-git-v1.0.0.tar.gz -73561faf3c1b5e36ec5c089b5db848ad xen-4.1.2.tar.gz +bed929d5c5e5135cab40e2a6aab73fa0 xen-4.1.3.tar.gz 
diff --git a/upstream-23936:cdb34816a40a-rework b/upstream-23936:cdb34816a40a-rework index b7bc317..aa5f40f 100644 --- a/upstream-23936:cdb34816a40a-rework +++ b/upstream-23936:cdb34816a40a-rework @@ -2430,7 +2430,7 @@ Signed-off-by: Jon Ludlam - - for (i=0; i - ret = caml_alloc(len, 0); - - for (i=0; i - -CAMLprim value stub_xc_readconsolering(value xch) -{ -- unsigned int size = RING_SIZE; +- unsigned int size = RING_SIZE - 1; - char *ring_ptr = ring; - - CAMLparam1(xch); diff --git a/xen-4.1-testing.23190.patch b/xen-4.1-testing.23190.patch deleted file mode 100644 index 2c51bc8..0000000 --- a/xen-4.1-testing.23190.patch +++ /dev/null 
@@ -1,64 +0,0 @@ - -# HG changeset patch -# User Stefano Stabellini -# Date 1321623485 0 -# Node ID 5a00ccfc63915650b8e1a262c2cad8e8d8670612 -# Parent e73ada19a69daf821aa7d80323f1bd76239b9bae -x86: re-inject emulated level pirqs in PV on HVM guests if still asserted - -PV on HVM guests can loose level interrupts coming from emulated -devices if they have been remapped onto event channels. The reason is -that we are missing the code to inject a pirq again in the guest when -the guest EOIs it, if it corresponds to an emulated level interrupt -and the interrupt is still asserted. - -Fix this issue and also return error when the guest tries to get the -irq_status of a non-existing pirq. - - -Changes in this backport: - - move the spinlock afterward to cover the new code only. - -Signed-off-by: Stefano Stabellini -Committed-by: Keir Fraser -xen-unstable changeset: 24007:0526644ad2a6 -xen-unstable date: Thu Oct 27 16:07:18 2011 +0100 - -diff -r e73ada19a69d -r 5a00ccfc6391 xen/arch/x86/physdev.c ---- a/xen/arch/x86/physdev.c Thu Nov 17 09:13:25 2011 +0000 -+++ b/xen/arch/x86/physdev.c Fri Nov 18 13:38:05 2011 +0000 -@@ -268,6 +268,20 @@ - ret = pirq_guest_eoi(v->domain, eoi.irq); - else - ret = 0; -+ spin_lock(&v->domain->event_lock); -+ if ( is_hvm_domain(v->domain) && -+ domain_pirq_to_emuirq(v->domain, eoi.irq) > 0 ) -+ { -+ struct hvm_irq *hvm_irq = &v->domain->arch.hvm_domain.irq; -+ int gsi = domain_pirq_to_emuirq(v->domain, eoi.irq); -+ -+ /* if this is a level irq and count > 0, send another -+ * notification */ -+ if ( gsi >= NR_ISAIRQS /* ISA irqs are edge triggered */ -+ && hvm_irq->gsi_assert_count[gsi] ) -+ send_guest_pirq(v->domain, eoi.irq); -+ } -+ spin_unlock(&v->domain->event_lock); - break; - } - -@@ -323,9 +337,10 @@ - break; - irq_status_query.flags = 0; - if ( is_hvm_domain(v->domain) && -- domain_pirq_to_irq(v->domain, irq) <= 0 ) -+ domain_pirq_to_irq(v->domain, irq) <= 0 && -+ domain_pirq_to_emuirq(v->domain, irq) == IRQ_UNBOUND ) - { -- ret = 
copy_to_guest(arg, &irq_status_query, 1) ? -EFAULT : 0; -+ ret = -EINVAL; - break; - } - - diff --git a/xen-4.1-testing.23297.patch b/xen-4.1-testing.23297.patch deleted file mode 100644 index bbb3897..0000000 --- a/xen-4.1-testing.23297.patch +++ /dev/null 
@@ -1,347 +0,0 @@ - -# HG changeset patch -# User Keir Fraser -# Date 1337011152 -3600 -# Node ID 35248be669e71520eb40e85986b106bd5164d7ea -# Parent 89c61e66f45f8ca3c8e96b1d348088f0caa12e73 -blktap2: Fix naked unchecked uses of read/write/chdir. - -These cause warnings under warn_unused_result, and for read/write we -ought to deal with partial io results. - -Signed-off-by: Keir Fraser -xen-unstable changeset: 25299:01d64a3dea71 -xen-unstable date: Fri May 11 18:30:29 2012 +0100 - - -blktap2: Fix another uninitialised value error - -gcc -O1 -fno-omit-frame-pointer -m32 -march=i686 -g --fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes --Wdeclaration-after-statement -D__XEN_TOOLS__ -MMD -MF -.block-remus.o.d -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 --D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -fno-optimize-sibling-calls --mno-tls-direct-seg-refs -Werror -g -Wno-unused -fno-strict-aliasing --I../include -I../drivers --I/home/osstest/build.12828.build-i386/xen-unstable/tools/blktap2/drivers/../../../tools/libxc --I/home/osstest/build.12828.build-i386/xen-unstable/tools/blktap2/drivers/../../../tools/include --D_GNU_SOURCE -DUSE_NFS_LOCKS -c -o block-remus.o block-remus.c - -block-remus.c: In function 'ramdisk_flush': -block-remus.c:508: error: 'buf' may be used uninitialized in this -function -make[5]: *** [block-remus.o] Error 1 - -This is because gcc can see that merge_requests doesn't always set -*mergedbuf but gcc isn't able to prove that it always does so if -merge_requests returns 0 and that in that case the value of -ramdisk_flush::buf isn't used. - -This is too useful a warning to disable, despite the occasional false -positive of this form. The conventional approach is to suppress the -warning by explicitly initialising the variable to 0. 
- -This has just come to light because 25275:27d63b9f111a reenabled -optimisation for this area of code, and gcc's data flow analysis -(which is required to trigger the uninitialised variable warning) only -occurs when optimisation is turned on. - -Signed-off-by: Ian Jackson -xen-unstable changeset: 25281:60064411a8a9 -xen-unstable date: Thu May 10 14:26:14 2012 +0100 - - -blktap2: Do not build with -O0 - -Signed-off-by: Keir Fraser -xen-unstable changeset: 25275:27d63b9f111a -xen-unstable date: Thu May 10 11:22:18 2012 +0100 - - -blktap2: Fix uninitialised value error. - -Signed-off-by: Keir Fraser -xen-unstable changeset: 25274:cb82b5aa73bd -xen-unstable date: Thu May 10 11:21:59 2012 +0100 - - -tools/blktap2: fix out of bounds access in block-log.c - -block-log.c: In function 'ctl_close_sock': -block-log.c:363:23: warning: array subscript is above array bounds -[-Warray-bounds] - -Adjust loop condition in ctl_close_sock() to fix warning. -Adjust array acccess in ctl_close() to actually access the array -member. - -Signed-off-by: Olaf Hering -Acked-by: Ian Jackson -Committed-by: Keir Fraser -xen-unstable changeset: 25273:83a02f225bde -xen-unstable date: Thu May 10 11:20:04 2012 +0100 - - -tools/blktap2: fix build errors caused by Werror in -vhd_journal_write_entry - --O2 -Wall -Werror triggers these warnings: - -libvhd-journal.c: In function 'vhd_journal_write_entry': -libvhd-journal.c:335: warning: statement with no effect - -Really return the error from vhd_journal_write() to caller. 
- -v2: - - simplify the patch by just adding the missing return statement - -Signed-off-by: Olaf Hering -Committed-by: Keir Fraser -xen-unstable changeset: 25272:ca02580986d2 -xen-unstable date: Thu May 10 11:19:05 2012 +0100 - -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/Makefile ---- a/tools/blktap2/drivers/Makefile Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/Makefile Mon May 14 16:59:12 2012 +0100 -@@ -9,7 +9,7 @@ QCOW_UTIL = img2qcow qcow-create qcow2r - LOCK_UTIL = lock-util - INST_DIR = $(SBINDIR) - --CFLAGS += -Werror -g -O0 -+CFLAGS += -Werror -g - CFLAGS += -Wno-unused - CFLAGS += -fno-strict-aliasing - CFLAGS += -I$(BLKTAP_ROOT)/include -I$(BLKTAP_ROOT)/drivers -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/block-log.c ---- a/tools/blktap2/drivers/block-log.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/block-log.c Mon May 14 16:59:12 2012 +0100 -@@ -347,11 +347,11 @@ static int ctl_open(struct tdlog_state* - static int ctl_close(struct tdlog_state* s) - { - while (s->connected) { -+ s->connected--; - tapdisk_server_unregister_event(s->connections[s->connected].id); - close(s->connections[s->connected].fd); - s->connections[s->connected].fd = -1; - s->connections[s->connected].id = 0; -- s->connected--; - } - - if (s->ctl.fd >= 0) { -@@ -382,7 +382,7 @@ static int ctl_close_sock(struct tdlog_s - { - int i; - -- for (i = 0; i <= s->connected; i++) { -+ for (i = 0; i < s->connected; i++) { - if (s->connections[i].fd == fd) { - tapdisk_server_unregister_event(s->connections[i].id); - close(s->connections[i].fd); -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/block-qcow.c ---- a/tools/blktap2/drivers/block-qcow.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/block-qcow.c Mon May 14 16:59:12 2012 +0100 -@@ -1428,7 +1428,7 @@ int tdqcow_get_parent_id(td_driver_t *dr - { - off_t off; - char *buf, *filename; -- int len, secs, type, err = -EINVAL; -+ int len, secs, type = 0, err 
= -EINVAL; - struct tdqcow_state *child = (struct tdqcow_state *)driver->data; - - if (!child->backing_file_offset) -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/block-remus.c ---- a/tools/blktap2/drivers/block-remus.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/block-remus.c Mon May 14 16:59:12 2012 +0100 -@@ -505,7 +505,7 @@ fail: - static int ramdisk_flush(td_driver_t *driver, struct tdremus_state* s) - { - uint64_t* sectors; -- char* buf; -+ char* buf = NULL; - uint64_t base, batchlen; - int i, j, count = 0; - -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/tapdisk-diff.c ---- a/tools/blktap2/drivers/tapdisk-diff.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/tapdisk-diff.c Mon May 14 16:59:12 2012 +0100 -@@ -39,6 +39,7 @@ - #include "tapdisk-vbd.h" - #include "tapdisk-server.h" - #include "tapdisk-disktype.h" -+#include "tapdisk-utils.h" - #include "libvhd.h" - - #define POLL_READ 0 -@@ -170,7 +171,7 @@ tapdisk_stream_poll_clear(struct tapdisk - { - int dummy; - -- read(p->pipe[POLL_READ], &dummy, sizeof(dummy)); -+ read_exact(p->pipe[POLL_READ], &dummy, sizeof(dummy)); - p->set = 0; - } - -@@ -180,7 +181,7 @@ tapdisk_stream_poll_set(struct tapdisk_s - int dummy = 0; - - if (!p->set) { -- write(p->pipe[POLL_WRITE], &dummy, sizeof(dummy)); -+ write_exact(p->pipe[POLL_WRITE], &dummy, sizeof(dummy)); - p->set = 1; - } - } -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/tapdisk-log.c ---- a/tools/blktap2/drivers/tapdisk-log.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/tapdisk-log.c Mon May 14 16:59:12 2012 +0100 -@@ -37,6 +37,7 @@ - #include - - #include "tapdisk-log.h" -+#include "tapdisk-utils.h" - - #define MAX_ENTRY_LEN 512 - #define MAX_ERROR_MESSAGES 16 -@@ -247,7 +248,7 @@ tlog_flush(void) - wsize = ((size + 511) & (~511)); - - memset(tapdisk_log.buf + size, '\n', wsize - size); -- write(fd, tapdisk_log.buf, wsize); -+ write_exact(fd, tapdisk_log.buf, wsize); - - 
tapdisk_log.p = tapdisk_log.buf; - -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/tapdisk-queue.c ---- a/tools/blktap2/drivers/tapdisk-queue.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/tapdisk-queue.c Mon May 14 16:59:12 2012 +0100 -@@ -435,7 +435,7 @@ tapdisk_lio_ack_event(struct tqueue *que - uint64_t val; - - if (lio->flags & LIO_FLAG_EVENTFD) -- read(lio->event_fd, &val, sizeof(val)); -+ read_exact(lio->event_fd, &val, sizeof(val)); - } - - static void -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/tapdisk-stream.c ---- a/tools/blktap2/drivers/tapdisk-stream.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/tapdisk-stream.c Mon May 14 16:59:12 2012 +0100 -@@ -38,6 +38,7 @@ - #include "tapdisk-vbd.h" - #include "tapdisk-server.h" - #include "tapdisk-disktype.h" -+#include "tapdisk-utils.h" - - #define POLL_READ 0 - #define POLL_WRITE 1 -@@ -145,7 +146,7 @@ tapdisk_stream_poll_clear(struct tapdisk - { - int dummy; - -- read(p->pipe[POLL_READ], &dummy, sizeof(dummy)); -+ read_exact(p->pipe[POLL_READ], &dummy, sizeof(dummy)); - p->set = 0; - } - -@@ -155,7 +156,7 @@ tapdisk_stream_poll_set(struct tapdisk_s - int dummy = 0; - - if (!p->set) { -- write(p->pipe[POLL_WRITE], &dummy, sizeof(dummy)); -+ write_exact(p->pipe[POLL_WRITE], &dummy, sizeof(dummy)); - p->set = 1; - } - } -@@ -203,7 +204,7 @@ tapdisk_stream_print_request(struct tapd - { - unsigned long idx = (unsigned long)tapdisk_stream_request_idx(s, sreq); - char *buf = (char *)MMAP_VADDR(s->vbd->ring.vstart, idx, 0); -- write(s->out_fd, buf, sreq->secs << SECTOR_SHIFT); -+ write_exact(s->out_fd, buf, sreq->secs << SECTOR_SHIFT); - } - - static void -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/tapdisk-utils.c ---- a/tools/blktap2/drivers/tapdisk-utils.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/tapdisk-utils.c Mon May 14 16:59:12 2012 +0100 -@@ -175,3 +175,40 @@ int tapdisk_linux_version(void) - } - - #endif -+int 
read_exact(int fd, void *data, size_t size) -+{ -+ size_t offset = 0; -+ ssize_t len; -+ -+ while ( offset < size ) -+ { -+ len = read(fd, (char *)data + offset, size - offset); -+ if ( (len == -1) && (errno == EINTR) ) -+ continue; -+ if ( len == 0 ) -+ errno = 0; -+ if ( len <= 0 ) -+ return -1; -+ offset += len; -+ } -+ -+ return 0; -+} -+ -+int write_exact(int fd, const void *data, size_t size) -+{ -+ size_t offset = 0; -+ ssize_t len; -+ -+ while ( offset < size ) -+ { -+ len = write(fd, (const char *)data + offset, size - offset); -+ if ( (len == -1) && (errno == EINTR) ) -+ continue; -+ if ( len <= 0 ) -+ return -1; -+ offset += len; -+ } -+ -+ return 0; -+} -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/tapdisk-utils.h ---- a/tools/blktap2/drivers/tapdisk-utils.h Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/tapdisk-utils.h Mon May 14 16:59:12 2012 +0100 -@@ -39,4 +39,7 @@ int tapdisk_namedup(char **, const char - int tapdisk_get_image_size(int, uint64_t *, uint32_t *); - int tapdisk_linux_version(void); - -+int read_exact(int fd, void *data, size_t size); /* EOF => -1, errno=0 */ -+int write_exact(int fd, const void *data, size_t size); -+ - #endif -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/drivers/tapdisk2.c ---- a/tools/blktap2/drivers/tapdisk2.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/drivers/tapdisk2.c Mon May 14 16:59:12 2012 +0100 -@@ -79,7 +79,12 @@ main(int argc, char *argv[]) - if (optind != argc) - usage(argv[0], EINVAL); - -- chdir("/"); -+ if (chdir("/")) { -+ DPRINTF("failed to chdir(/): %d\n", errno); -+ err = 1; -+ goto out; -+ } -+ - tapdisk_start_logging("tapdisk2"); - - err = tapdisk_server_init(); -diff -r 89c61e66f45f -r 35248be669e7 tools/blktap2/vhd/lib/libvhd-journal.c ---- a/tools/blktap2/vhd/lib/libvhd-journal.c Mon May 14 16:51:27 2012 +0100 -+++ b/tools/blktap2/vhd/lib/libvhd-journal.c Mon May 14 16:59:12 2012 +0100 -@@ -332,7 +332,7 @@ vhd_journal_write_entry(vhd_journal_t *j - - 
err = vhd_journal_write(j, &e, sizeof(vhd_journal_entry_t)); - if (err) -- err; -+ return err; - - return 0; - } - diff --git a/xen-4.1-testing.23298.patch b/xen-4.1-testing.23298.patch deleted file mode 100644 index 3ef4add..0000000 --- a/xen-4.1-testing.23298.patch +++ /dev/null @@ -1,42 +0,0 @@ - -# HG changeset patch -# User Wei Wang -# Date 1337930327 -3600 -# Node ID 435493696053a079ec17d6e1a63e5f2be3a2c9d0 -# Parent 35248be669e71520eb40e85986b106bd5164d7ea -x86/cpuidle: do not flush cache unless entering C3 - -Nor is there a need to disable bus master arbitration in that case. - -Signed-off-by: Wei Wang -Modified-by: Zhang, Yang Z -Signed-off-by: Jan Beulich -Committed-by: Jan Beulich -xen-unstable changeset: 25195:a06e6cdeafe3 -xen-unstable date: Mon Apr 16 13:05:28 2012 +0200 - -diff -r 35248be669e7 -r 435493696053 xen/arch/x86/acpi/cpu_idle.c ---- a/xen/arch/x86/acpi/cpu_idle.c Mon May 14 16:59:12 2012 +0100 -+++ b/xen/arch/x86/acpi/cpu_idle.c Fri May 25 08:18:47 2012 +0100 -@@ -483,7 +483,9 @@ static void acpi_processor_idle(void) - * not set. In that case we cannot do much, we enter C3 - * without doing anything. - */ -- if ( power->flags.bm_check && power->flags.bm_control ) -+ if ( cx->type != ACPI_STATE_C3 ) -+ /* nothing to be done here */; -+ else if ( power->flags.bm_check && power->flags.bm_control ) - { - spin_lock(&c3_cpu_status.lock); - if ( ++c3_cpu_status.count == num_online_cpus() ) -@@ -505,7 +507,8 @@ static void acpi_processor_idle(void) - /* Invoke C3 */ - acpi_idle_do_entry(cx); - -- if ( power->flags.bm_check && power->flags.bm_control ) -+ if ( (cx->type == ACPI_STATE_C3) && -+ power->flags.bm_check && power->flags.bm_control ) - { - /* Enable bus master arbitration */ - spin_lock(&c3_cpu_status.lock); - diff --git a/xen-4.1-testing.23325.patch b/xen-4.1-testing.23325.patch deleted file mode 100644 index e68897c..0000000 --- a/xen-4.1-testing.23325.patch +++ /dev/null 
@@ -1,41 +0,0 @@ - -# HG changeset patch -# User Jan Beulich -# Date 1343318195 -3600 -# Node ID a43f5b4b03319117edba76ebca8f827119d4e9a8 -# Parent e89be0dedeb4e4a9556cf3e1b9a5295ba0b59edf -x86/hvm: don't leave emulator in inconsistent state - -The fact that handle_mmio(), and thus the instruction emulator, is -being run through twice for emulations that require involvement of the -device model, allows for the second run to see a different guest state -than the first one. Since only the MMIO-specific emulation routines -update the vCPU's io_state, if they get invoked on the second pass, -internal state (and particularly this variable) can be left in a state -making successful emulation of a subsequent MMIO operation impossible. - -Consequently, whenever the emulator invocation returns without -requesting a retry of the guest instruction, reset io_state. - -[ This is a security issue. XSA#10. -iwj ] - -Signed-off-by: Jan Beulich -Acked-by: Keir Fraser -Committed-by: Ian Jackson - -xen-unstable changeset: 25682:ffcb24876b4f -Committed-by: Ian Jackson - -diff -r e89be0dedeb4 -r a43f5b4b0331 xen/arch/x86/hvm/io.c ---- a/xen/arch/x86/hvm/io.c Sun Jul 22 16:39:00 2012 +0100 -+++ b/xen/arch/x86/hvm/io.c Thu Jul 26 16:56:35 2012 +0100 -@@ -176,6 +176,8 @@ int handle_mmio(void) - - rc = hvm_emulate_one(&ctxt); - -+ if ( rc != X86EMUL_RETRY ) -+ curr->arch.hvm_vcpu.io_state = HVMIO_none; - if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion ) - curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion; - else - diff --git a/xen-no-werror.patch b/xen-no-werror.patch deleted file mode 100644 index ccf281e..0000000 --- a/xen-no-werror.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff -up xen-3.4.0/tools/libxc/Makefile.werror xen-3.4.0/tools/libxc/Makefile ---- xen-3.4.0/tools/libxc/Makefile.werror 2009-08-05 13:40:32.000000000 +0200 -+++ xen-3.4.0/tools/libxc/Makefile 2009-08-05 13:40:52.000000000 +0200 -@@ -52,7 +52,7 @@ GUEST_SRCS-$(CONFIG_IA64) += xc_dom_i - - -include $(XEN_TARGET_ARCH)/Makefile - --CFLAGS += -Werror -Wmissing-prototypes -+CFLAGS += -Wmissing-prototypes - CFLAGS += $(INCLUDES) -I. -I../xenstore -I../include - - # Needed for posix_fadvise64() in xc_linux.c diff --git a/xen.spec b/xen.spec index 324920f..4268fb2 100644 --- a/xen.spec +++ b/xen.spec @@ -19,8 +19,8 @@ Summary: Xen is a virtual machine monitor Name: xen -Version: 4.1.2 -Release: 25%{?dist} +Version: 4.1.3 +Release: 1%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -58,30 +58,14 @@ Patch1: xen-initscript.patch Patch4: xen-dumpdir.patch Patch5: xen-net-disable-iptables-on-bridge.patch -Patch10: xen-no-werror.patch - -Patch18: localgcc45fix.patch -Patch20: localgcc451fix.patch Patch23: grub-ext4-support.patch -Patch26: localgcc46fix.patch Patch28: pygrubfix.patch -Patch31: pygrubfix2.patch -Patch32: xen-4.1-testing.23190.patch -Patch33: xend.empty.xml.patch Patch34: xend.catchbt.patch Patch35: xend-pci-loop.patch -Patch36: localgcc47fix.patch -Patch37: qemu-xen-4.1-testing.git-3cf61880403b4e484539596a95937cc066243388.patch Patch38: xen-backend.rules.patch Patch39: xend.selinux.fixes.patch Patch40: pygrub.size.limits.patch -Patch41: xen-4.1-testing.23297.patch -Patch42: CVE-2012-0217.patch -Patch43: CVE-2012-0218.patch -Patch44: CVE-2012-2934.patch Patch45: xen-no-pyxml.patch -Patch46: xen-4.1-testing.23325.patch -Patch47: xen-4.1-testing.23298.patch Patch50: upstream-23936:cdb34816a40a-rework Patch51: upstream-23937:5173834e8476 
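Review bot: The removals of Patch42 to Patch44 drop CVE-2012-0217.patch, CVE-2012-0218.patch and CVE-2012-2934.patch, and Patch46 drops xen-4.1-testing.23325.patch (marked XSA#10 in its own header), yet the new changelog entry covers them only with "remove patches that are now upstream" and names just XSA-11 / CVE-2012-3433. Whether the 4.1.3 tarball carries each of these fixes cannot be seen from this diff, so each one should be confirmed against the 4.1.3 sources before its patch is dropped. I would record the result in the changelog, for example `- drop CVE-2012-0217, CVE-2012-0218, CVE-2012-2934 and XSA-10 patches, fixes are in 4.1.3`, so a later audit of the package can tell the fixes were carried over. The matching `%patch42` to `%patch47` removals in the next hunk fall under the same check.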
@@ -232,29 +216,13 @@ manage Xen virtual machines. %patch4 -p1 %patch5 -p1 -%patch10 -p1 - -%patch18 -p1 -%patch20 -p1 -%patch26 -p1 %patch28 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 %patch34 -p1 %patch35 -p1 -%patch36 -p1 -%patch37 -p1 %patch38 -p1 %patch39 -p1 %patch40 -p1 -%patch41 -p1 -%patch42 -p1 -%patch43 -p1 -%patch44 -p1 %patch45 -p1 -%patch46 -p1 -%patch47 -p1 %patch50 -p1 %patch51 -p1 @@ -719,6 +687,16 @@ rm -rf %{buildroot} %endif %changelog +* Fri Aug 10 2012 Michael Young - 4.1.3-1 +- update to 4.1.3 + includes fix for untrusted HVM guest can cause the dom0 to hang or + crash [XSA-11, CVE-2012-3433] (#843582) +- remove patches that are now upstream +- remove some unnecessary compile fixes +- adjust upstream-23936:cdb34816a40a-rework for backported fix for + upstream-23940:187d59e32a58 +- replace pygrub.size.limits.patch with upstreamed version + * Tue Aug 07 2012 Michael Young - 4.1.2-25 - remove some unnecessary cache flushing that slow things down - change python options on xend to reduce selinux problems (#845444) diff --git a/xend.empty.xml.patch b/xend.empty.xml.patch deleted file mode 100644 index e3f29d3..0000000 --- a/xend.empty.xml.patch +++ /dev/null @@ -1,15 +0,0 @@ -http://lists.xensource.com/archives/html/xen-devel/2011-11/msg00218.html - -diff -r 54a5e994a241 -r 76391f599433 tools/python/xen/xend/XendStateStore.py ---- a/tools/python/xen/xend/XendStateStore.py Wed Nov 02 17:09:09 2011 +0000 -+++ b/tools/python/xen/xend/XendStateStore.py Thu Nov 03 12:02:44 2011 -0400 -@@ -101,6 +101,9 @@ class XendStateStore: - if not os.path.exists(xml_path): - return {} - -+ if not os.path.getsize(xml_path) == 0: -+ return {} -+ - dom = minidom.parse(xml_path) - root = dom.documentElement - state = {}