author | Ian Delaney <idella4@gentoo.org> | 2013-01-30 12:13:01 +0000 |
---|---|---|
committer | Ian Delaney <idella4@gentoo.org> | 2013-01-30 12:13:01 +0000 |
commit | 98b7431b803b7c69e3e7bd06b3b0e06fb785b551 (patch) | |
tree | 1621ba0b417ba389dc51c7c02dd8257a719fb11a /app-emulation | |
parent | app-benchmarks/bootchart2: drop old; add USE=X for track-only installations, ... (diff) | |
download | historical-98b7431b803b7c69e3e7bd06b3b0e06fb785b551.tar.gz historical-98b7431b803b7c69e3e7bd06b3b0e06fb785b551.tar.bz2 historical-98b7431b803b7c69e3e7bd06b3b0e06fb785b551.zip |
revbumps; -4.2.0-r1, eclass python-single-r1 added to enable & ensure a build by py2 fixing Bug #453930, PYTHON_COMPAT set accordingly, EAPI->5, sed statements reduced to patches, many sec. patches added addressing Bugs #445254, #431156, #454314. -4.2.1-r1, changes mirrored in those of -4.2.0-r1, addition of 3 sec. patches that pertain to 4.2.1. Dropped 4.2.0 & 4.2.1 by virtue of being prone to failure in form of Bug #453930. Sees 4.2.0-r1 ready for testing for stable
Package-Manager: portage-2.1.11.40/cvs/Linux x86_64
Manifest-Sign-Key: 0xB8072B0D
Diffstat (limited to 'app-emulation')
18 files changed, 893 insertions, 28 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog index c42dec8e9a31..2292930b2006 100644 --- a/app-emulation/xen/ChangeLog +++ b/app-emulation/xen/ChangeLog @@ -1,6 +1,33 @@ # ChangeLog for app-emulation/xen # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.101 2013/01/24 09:18:34 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.102 2013/01/30 12:12:31 idella4 Exp $ + +*xen-4.2.1-r1 (30 Jan 2013) +*xen-4.2.0-r1 (30 Jan 2013) + + 30 Jan 2013; Ian Delaney <idella4@gentoo.org> + +files/xen-4-CVE-2012-4535-XSA-20.patch, + +files/xen-4-CVE-2012-4537-XSA-22.patch, + +files/xen-4-CVE-2012-4538-XSA-23.patch, + +files/xen-4-CVE-2012-4539-XSA-24.patch, + +files/xen-4-CVE-2012-5510-XSA-26.patch, + +files/xen-4-CVE-2012-5513-XSA-29.patch, + +files/xen-4-CVE-2012-5514-XSA-30.patch, + +files/xen-4-CVE-2012-5515-XSA-31.patch, + +files/xen-4-CVE-2012-5525-XSA-32.patch, + +files/xen-4-CVE-2012-5634-XSA-33.patch, + +files/xen-4-CVE-2013-0151-XSA-27_34_35.patch, + +files/xen-4-CVE-2013-0151-XSA-34_35.patch, + +files/xen-4-CVE-2013-0154-XSA-37.patch, +xen-4.2.0-r1.ebuild, + +xen-4.2.1-r1.ebuild, -xen-4.2.0.ebuild, -xen-4.2.1.ebuild, + files/xen-4-fix_dotconfig-gcc.patch: + revbumps; -4.2.0-r1, eclass python-single-r1 added to anable & ensure a build + by py2 fixing Bug #453930, PYTHON_COMPAT set accordingly, EAPI->5, sed + statements reduced to patches, many sec. patches added addressing Bugs + #445254, #431156, #454314. -4.2.1-r1, changes mirrored in those of -4.2.0-r1, + addition of 3 sec. patches that pertain to 4.2.1. Dropped 4.2.0 & 4.2.1 by + virtue of being prone to failure in form of Bug #453930. Sees 4.2.0-r1 ready + for testing for stable *xen-4.2.1 (24 Jan 2013) diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest index 8790c52a2f70..31c82d78104b 100644 --- a/app-emulation/xen/Manifest +++ b/app-emulation/xen/Manifest 
@@ -1,7 +1,20 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 -AUX xen-4-fix_dotconfig-gcc.patch 1527 SHA256 ff14b537b72ca74f482e24626b041fbaffe6bb2744ac90968f9e50da8855eb13 SHA512 9e4691f435e4cd0874a19f75600578590968b1c477a5e16f606de58a54686da92faa29b7545e829220dc0dc8fb79e269232557444153b9e7dc814d3bf2e5349e WHIRLPOOL 64625ee28db1ab15002152066f1986326b7c6a55eaae2021e382885d968ded49f930a07a932f52a415da63cd8b3477042c7c7d7c8c5f2925a846b30c3f63d446 +AUX xen-4-CVE-2012-4535-XSA-20.patch 2030 SHA256 29e7078646f54139fd1ab3aac0c06a62f1d195a00c879069f6b82832877147c1 SHA512 8a1a27bcf489a04e148ce383feb61e6c179ed31ed1c3891b794e62978dc1d12d2b12ed1002cd109b8e8bf9e96ef7a80281a610281528d7f08e2e7a487181c76e WHIRLPOOL 03f1dbdccdd7f83e2342fbba060b120e6ab0c6596462ff815e89a9c235b069f7d4f7ffce5ae244f7fc41bff7d772a1413bd8906895246f2b7878f7cd155294f5 +AUX xen-4-CVE-2012-4537-XSA-22.patch 1752 SHA256 69a27d51cb18a6cedaeaf79114aa8022256cc315cc0af3d9461891faf84bf4a1 SHA512 0898376b5ef11599119e58ee1c8ad4942c695fb0e0c0a85f387aabbb057819d37c400c15aab762bb6a035fef816e8834dc7a277b8a7bc84c2aeeed154269f1c8 WHIRLPOOL 1056156ea955d1a612a5b61c59c214480eddee9522ea53e132a1fc5841589e194ea0c5f9ce952bd224ed8a74a81e684ab50cb5912344b43281f1cf129b4f05b7 +AUX xen-4-CVE-2012-4538-XSA-23.patch 1617 SHA256 1f6fa78f36a52e627d0c2bb5c8f183ac1a2c235ba6aafc6d0a5b44e63533c88e SHA512 78cd6c8c53e7cd8e9583fff27cc50673c2047b8f7caa26f08d1b1e9b82dfb96d8e871ab82f51e3a6cbbb00466b86428a6f91f1ae0f8d4148227124bc6b271106 WHIRLPOOL c8c99a3ba006f3262f2d185a685ec8693ff4694e1c6fbf07056558d7deb9f9339e6f8e267d61c1973e71652c4c3ba2d5c20b3184079b35587abaaab022fc806c +AUX xen-4-CVE-2012-4539-XSA-24.patch 1398 SHA256 f411efd160297077f03d6f89c1fc86f77ab077e9217c9f73b03beb9204f3c878 SHA512 e76f78e3b5c206113f66d683f871cfd0bbbbee9aae07c6231d54ea9a269d8c99f6047c5dfc3ab94b9240ed2d0bdf0f21ee34fda3d55f8ff93cd20029ed91ff67 WHIRLPOOL 
ae1835ed4a9c9900a3280f3f56696938d33dc15fb3751c623068b60fad7893630cdb10777fe15cc5b854efa949f948f6db0549b61c792496e22f2ea730424201 +AUX xen-4-CVE-2012-5510-XSA-26.patch 3900 SHA256 5734abcebc6df0605331a0098d539ecbcfb2c0f924eedc8c34154a21fe90c1bf SHA512 9d98db62be6f39966e257e305992ec5b5099b152b74da82423d20619beccab3f06c852bab1bbc4ebc531e339d7d1b6f54be875d02ae5261c32a2be19d1fd8f9d WHIRLPOOL af2923d55cb57d930037c3a117b892ba39e4c887a0454e6411a33db54a07e2eafb7408c24da1b54a82e99d353d042c127f433aa390bf781337afb5f421159694 +AUX xen-4-CVE-2012-5513-XSA-29.patch 2323 SHA256 04cf65183442e14dd981d8170f0fdcb66531f63c002c9a8d64052a05f598de6c SHA512 0d3a043c0fff8ec1120b65547fcff31b9fb098a853bdd21411a2bfe5a6b7648885f312a3cd3a43d628de481e6ce610d4d6ec3021bdc64f9951d50c4c2fa99335 WHIRLPOOL 20f76746c96e72a3555a784e7b74f77c0ee4868e92909d3231f887ca627ac4f4d7bdb7630d943edfcf183f681b82ac3d43b476bf5ab699febb23823e65aa82bb +AUX xen-4-CVE-2012-5514-XSA-30.patch 1919 SHA256 bfbf5cc52789f0acc68541ee3059ca1e619db3d5db2ab03068a70dfc356e8525 SHA512 cfe0890e1e41ff91199b7957c51131bfd66d21581fca89b79022215fe4b918b196dd64b4f1517abbea2df4c9a48e639a10b1833b81ed56cbbe9664681d3a18c0 WHIRLPOOL 3ae4d5f6186fb21049b9c345cd137e8c94e98e803b41f260032c3dd6317096b25bf979b1e09dce678301b79b68a082274bb8bb8b3eaf632ccd43be4fb9dac15a +AUX xen-4-CVE-2012-5515-XSA-31.patch 2331 SHA256 a4f3406177bd9657686f6e4f9448c6c1c4b4243609ca28d2b38c3922a611f3bd SHA512 e9e4f285515f371c6df718332c1a47d86d67cd47683c69698060f3041a76ca22679fedd5f676cfb739df5b1bedb1fb591435eb11abd888a74475b875e0106091 WHIRLPOOL 15080e438acb8ed797680fef356eccad4ef344c593ddc9b903efc6510eb63669b0eca94877221800ef806ebf5c649bfe57f2c4fe2866f48e16ab87a99461ec0b +AUX xen-4-CVE-2012-5525-XSA-32.patch 628 SHA256 f56a6739cf5de08e7a61732c290c5ae67e59e0d24b845823861693ccea5990ef SHA512 3cb7c31ef65765a4fb434e7677bc224de61ae4313099c57b428bd5d610fae3cad8b1f0a4a3315ec96f0fdb2c5706c13aa30619c57d6e15edf2528ae6cf05e74f WHIRLPOOL 
27fcd464da8487a9b38c06b3b28e50aa87b18b4e25874156fe07791361ed6c46ae59f62c90d3df14560154e8493370af176e662295f379866c08fff2776f05b3 +AUX xen-4-CVE-2012-5634-XSA-33.patch 860 SHA256 47ef99cad90bfc8befb569ea430a25af6b50df2c6a912a8773b78fa12876940e SHA512 36082f51798ac3df9e1a6880f6b8c5e13c65ae416f7ac9b9b1c373fbef79771cc25be6d3ece058db14d08b6e28485aee14089fe6bdbaf3afc26d27cac7dda7ba WHIRLPOOL 00bb6832d612476395cabc74014efd35aa696d03c446786189aadb6e07aff5d2abf860b11e82195ebb5c920f75b133eb487bb85ffa9fd232ba95513231b71fef +AUX xen-4-CVE-2013-0151-XSA-27_34_35.patch 6927 SHA256 ae3432b7498ab7af6632bfac7334bb3112d78dba6604c1280577f0247d71a75c SHA512 6f100e12716fe712da111ac9df041d5455afaa4840e2772fa9b940f52a8a028e450adf5b07c3e413d6ce2a1209eda9a7a858e8747fe41ad8314e1d80af40d6db WHIRLPOOL 18ada6b2631a6f50d42ade57f8b0fd2e2f780df433b1d5997d70279474f3505d340818158bc2f6c050279d256073cee79765682c4c8f3aaf4f16ef4746462797 +AUX xen-4-CVE-2013-0151-XSA-34_35.patch 2216 SHA256 1e8303a295cdd6096345261af81b74506f4fcff15755f48b7b702e12284276c7 SHA512 65ba47e75a55b78a63505a779b21be5628867b8a586c0ebf7ceb9a874828a0fc5eb4d0ed327762eb5ecfdcc97c947c5bc42435a1a794ffeb515d6674b103903d WHIRLPOOL 495ddd4fb7fe0480418ff5e37ed419b665eb207166b065eabdd9a352b6ba31cd05564dd5682336360e29dd2b24fdf14a7505bcd457c85c079fa814ab7b48df9b +AUX xen-4-CVE-2013-0154-XSA-37.patch 686 SHA256 64f1eff89242ecb5c7c3cc50b40662210bf33563282125838d8c822af0c04e6b SHA512 eae9999ef99b9b4911b957d802e79f4102641c0e6f3b13feaf81d11d97df8a799a27640b69ff8f205667eb9714f4f14f2fbed2af5b338e5120b523724e996963 WHIRLPOOL dd508ab13199c579a84e54c44a3f4bd48d7cbeed5a89dd93477b51a705479348a3866defb24ab13aa6cd0f68b8eaaefb7cb516bef0971652958841cc7bb7ea46 +AUX xen-4-fix_dotconfig-gcc.patch 1525 SHA256 943119cde08d16d05a927a85fb54ee4cee323cb4870dd0d90a552051fedc9907 SHA512 aa507594d96159c4e01ccfc4781f9afe7b6fe125c9df5925128c002f28fdf04999954b523cc53c6d7eaa49cb6e05120605f4e7d6f8bab6d5718d73a60b5accea WHIRLPOOL 
6f4395203199b8037363ed56256e12f426f0c26f449c5e4a001c5454370a0e412f18cd03099866c30592ee0413556b85b3c374efb7172212db37ff3891c004af AUX xen-4.1.1-iommu_sec_fix.patch 2851 SHA256 3a0ab3cb5c18db91f4be457cbba36189a558da7b794e1a35795f4fed3d48a7c8 SHA512 832ecee2dedeb13c3cc61298fa9dacd131623c84c06fa9d4ecbcc6be97d660c3fa025ae61654e0f31396b50d917de3c2ca77262ed18e006ec281a707a6cf662d WHIRLPOOL f787685f52f4bd27fa11e80f8025c4ea90cf831610d9ae69d34bb0eaee7a34017d7aa7868935e1936bc868503892ae923d8fdfc8eafea5fab8f33765452ea371 DIST xen-4.1.1.tar.gz 10355625 SHA256 246289227507466b5da8b2d0da84a5b0e68a392527b16cde38898d0348890f5b SHA512 0ec84db28af5b1206392b44e2c135859b3393d9c0eb1109f6a983492ba70622a145a08efce54f2943495feb06291d3fd5df9cc8ffea51e6e42aa69450edc87f2 WHIRLPOOL 58d83e71ac0a942830311d7eb5ebc5a7b34b118001f6f607ea7e5d7a959bafd72c9b8b6d010144fdef7417a238382602d948007be90f9ebf583b4d18897344c0 DIST xen-4.1.2.tar.gz 10365786 SHA256 7d9c93057cf480d3f1efa792b19285a84fa3c06060ea5c5c453be00887389b0d SHA512 8f50f238b0b474ec5556279cbd51d704b4365033f2541a5d0376f287b26b7e8f0193172041109d97bb76d35ace3adf71e12f89f5766ff79a8ea861e7282f00d7 WHIRLPOOL 93a4bdd05125ef722464ef682798191c8b3db7228cbc0a27bcbe7932a7776491f90e727e1fcc4a9e7ec3eada7f56c567c07ad61cdda2f514109f702800fe5566 
@@ -9,14 +22,14 @@ DIST xen-4.2.0.tar.gz 15587687 SHA256 43f4a086e4e0330145a27b7ace8365c42b5afbc95c DIST xen-4.2.1.tar.gz 15593695 SHA256 fb8df5827ce3e2d2d3b078d9e5afde502beb5e7ab9442e51a94087061bd450c6 SHA512 fe27a965e2b34035bd025482eda9fc4d4e82523c929323fd30813367d5ffbe2fa1ed3d7d4479f2632e8b5625972448b7bd6a7768e8dc1dcd1b6747d281cc1a9e WHIRLPOOL 226bbed059541e804f1a44e721023ffbc04bae43000653b1d7d6a9bfec0d9efbf7a48b1b0a7ad3fcb8e34f8b91e1c620c2a8eddf97baad487e9db37d49a58f37 EBUILD xen-4.1.1-r2.ebuild 3326 SHA256 938ca3d3f2ae8c775fe30fbaa4444c0fd7a86016080362d4e0636e0a7977ee74 SHA512 af1fe8ecc1adc5b353b219c150871ebbffe78c7abc57c34df197bfd5a7c7ba790f743adc7c3d2e2f0194c56e8539d2009c9907be95cf69a96779de950a777067 WHIRLPOOL e3fca98777fe12e99418be2e09cb290b858202d44542306914d00d6f424950b85eee6b81b0e994b30f3432b3759ea5a26a97850ed94ad8b32abbe1b1dd13004e EBUILD xen-4.1.2.ebuild 3217 SHA256 374e77ab7aadd7bca98e6d668d0a9e26842c1582987b24bc5015424f2c194ad7 SHA512 94dca833fb2439e175d0c4868c648fd0cf5cb54960f7a45664dcb449a3473d342d04f5235ee22abfaa13296e2a1d0e8935e23e01d7949ff99409e3034e5b0ebe WHIRLPOOL b85040d9da4af45a1bd383310546056ad186113f56b96ca756957b711cd9f51f42a8aff60b634efbec1756fa296dc54be152d3f2ba72bb7ec99d9e5110b99db3 -EBUILD xen-4.2.0.ebuild 3218 SHA256 ff3b187eed6d61e5c0526c9ac048ee73776dd5ee3324b80471b9ea7493134982 SHA512 b18f7fd057f45757ce22fed4f2b0346d80bda87ef6f181cef58c358802e48cb1cdf813c9da1880baf0c8b9b38ab8ff2fae5c04a659b741081e90450a39566828 WHIRLPOOL 45ab5ef5ca2d1b0092b1820ad8f5b4d0469f039295846094c575342aabd797c0596ea23c5542bd0cae810cebbaac213eb895d235650ef1bf7b76339baf027043 -EBUILD xen-4.2.1.ebuild 3088 SHA256 d8c4b1574247c665cd23349f34f1c8e262aaf653a9d3a394d06a6442e9ea6921 SHA512 d4b0d6a04de2c757b128bd06d23fb52936ce601347daeb148ab4d011bc72971c66188fce5a8d304d8e6317c5c9b6d5c6d0c116c126e605aa130b87ab38dc9a3b WHIRLPOOL 995f419cd9aba7bff9cc4ccc46d8217c6b15c8752997b98ee76d5dcb82cab709496f33ae21bd2ee681bb969db6000b4b15f19ef2fe472dbbc2c7396ecca2c2de -MISC 
ChangeLog 16444 SHA256 a5f053c6100ad47974688b57e6f0ed63530b11f31d92fb96793c7ec65abc13bb SHA512 25611e045f47bf7af0d2f33535c45b4c6dcb62870f8ea843577c27aba0db349033252d91aac041deff19495e25142decf5c2a66365bb35de0cae0232efefd682 WHIRLPOOL 805e1509ea5b31e48644da0e9c9452e01336470defc141c15739e9d5e6ed08d2cadbe2128b95fadf8a5f55b154254e55f3a7e1cc5730245c75c18a22df9ad0ff +EBUILD xen-4.2.0-r1.ebuild 3771 SHA256 84aff25a31896366e74d759dd76b8ef6fcfdaa54120248ba17aaf52438184472 SHA512 8bb2d617ba15bb68a646f49513d46be99f5f176bbf0732aceaf3bc7ca299fe15718440914f87b2c624ef9bcaafad1605372e10ab5a9a99f164888538d11367bf WHIRLPOOL 453db2195975dade439edd7c4994feb28417e073adc331c34f554d8f96f9f0faf95e03e481aea61f00d0260cc0c3a30d8382ec94e07af6fd430088d75105e654 +EBUILD xen-4.2.1-r1.ebuild 3367 SHA256 165d6f3f6774ead19ed11d9a1fe49ededade2e66f102deffb24221ff592dfb7d SHA512 effa5a482f3cebb9ff6be4a7bb1e09fbae40160b7f88178783e5a52d1e2748c6f57440999a362f9baddd79b40a5ed2d0fb53135c5516ca51100d42337c1e9b02 WHIRLPOOL 1c64514a07dfd1e69f4667c7fbaa3f2d935b62bbfe98261a93d190e15acb45e53d97e38231b565580512c6075d99c05625b8be75a41e2c4c0ef47efa085b861c +MISC ChangeLog 17728 SHA256 6490ab4f17ac78ce5733928f1cd50e1b8495d4b8347495f9e6c8a95693a6ec84 SHA512 0ea58a76faadd8d2a91d9968cfe6385033502ffef22116d0dea073a3fa8dbd722028c7cd022f86d22c8660bb760159a42d41ddf399070a4471175fda572c70dd WHIRLPOOL 74434c7ec8f6941f7020000fbf01f420063133e82807e60f665059cb6268ba7d324ae50a5568ffd5d65607450b2f08132c71f3ecf552512afd7c8d414141c0c9 MISC metadata.xml 484 SHA256 04c4175e3ad068efdc7c047e41347a84c796fbf22ff23c40ad86860f0662fe65 SHA512 acff2c2bbcba61be17a8036edeea6dae0a8d6f7cb6a47597ec6948935b1cbc2c2f9be43dd4cdb9da347fa725d30416ce78ffbde5381c33781dcc184a1f930541 WHIRLPOOL 1bc4a8f1375bb020d410077ba46e62776e71df06ca02accf1819580e87ef4e655722cc6f831a2f8b33614ae66a40bbf7e7268e84ffdd4c04cc1f599134580d68 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iEYEAREIAAYFAlEA/J4ACgkQso7CE7gHKw08dACggordoAUlNm/ogE7Ztikhl1hc 
-jjIAni1aN2LO/wmVje4+YsmKAvsGI/ks -=IquU +iEYEAREIAAYFAlEJDj8ACgkQso7CE7gHKw0zqQCfX+i51VXzowKW84/MafGcJnlp +A3oAn3x7zoos8MJg9xiws+pXwILGB1uU +=sni6 -----END PGP SIGNATURE----- diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch b/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch new file mode 100644 index 000000000000..25b909a3ac85 --- /dev/null +++ b/app-emulation/xen/files/xen-4-CVE-2012-4535-XSA-20.patch 
@@ -0,0 +1,50 @@
+
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352892795 0
+# Node ID 788af5959f692ca16942937055afb09b760f2166
+# Parent bdb5cde7f79d77f8578bcd8e24d74d09a2c7caa6
+VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
+
+The timer action for a vcpu periodic timer is to calculate the next
+expiry time, and to reinsert itself into the timer queue. If the
+deadline ends up in the past, Xen never leaves __do_softirq(). The
+affected PCPU will stay in an infinite loop until Xen is killed by the
+watchdog (if enabled).
+
+This is a security problem, XSA-20 / CVE-2012-4535.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+xen-unstable changeset: 26148:bf58b94b3cef
+Backport-requested-by: security@xen.org
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r bdb5cde7f79d -r 788af5959f69 xen/common/domain.c
+--- xen/common/domain.c Wed Nov 14 10:40:41 2012 +0100
++++ xen/common/domain.c Wed Nov 14 11:33:15 2012 +0000
+@@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
+ if ( set.period_ns < MILLISECS(1) )
+ return -EINVAL;
+
++ if ( set.period_ns > STIME_DELTA_MAX )
++ return -EINVAL;
++
+ v->periodic_period = set.period_ns;
+ vcpu_force_reschedule(v);
+
+diff -r bdb5cde7f79d -r 788af5959f69 xen/include/xen/time.h
+--- xen/include/xen/time.h Wed Nov 14 10:40:41 2012 +0100
++++ xen/include/xen/time.h Wed Nov 14 11:33:15 2012 +0000
+@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
+ #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
+ #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
+ #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
+
+ extern void update_vcpu_system_time(struct vcpu *v);
+ extern void update_domain_wallclock_time(struct domain *d);
+
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch b/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch
new file mode 100644
index 000000000000..a6d4dc20144f
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-4537-XSA-22.patch
@@ -0,0 +1,50 @@
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352893017 0
+# Node ID 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba
+# Parent 788af5959f692ca16942937055afb09b760f2166
+x86/physmap: Prevent incorrect updates of m2p mappings
+
+In certain conditions, such as low memory, set_p2m_entry() can fail.
+Currently, the p2m and m2p tables will get out of sync because we still
+update the m2p table after the p2m update has failed.
+
+If that happens, subsequent guest-invoked memory operations can cause
+BUG()s and ASSERT()s to kill Xen.
+
+This is fixed by only updating the m2p table iff the p2m was
+successfully updated.
+
+This is a security problem, XSA-22 / CVE-2012-4537.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+xen-unstable changeset: 26149:6b6a4007a609
+Backport-requested-by: security@xen.org
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r 788af5959f69 -r 4cffe28427e0 xen/arch/x86/mm/p2m.c
+--- xen/arch/x86/mm/p2m.c Wed Nov 14 11:33:15 2012 +0000
++++ xen/arch/x86/mm/p2m.c Wed Nov 14 11:36:57 2012 +0000
+@@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d
+ if ( mfn_valid(_mfn(mfn)) )
+ {
+ if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
++ {
+ rc = -EINVAL;
++ goto out; /* Failed to update p2m, bail without updating m2p. */
++ }
+ if ( !p2m_is_grant(t) )
+ {
+ for ( i = 0; i < (1UL << page_order); i++ )
+@@ -677,6 +680,7 @@ guest_physmap_add_entry(struct domain *d
+ }
+ }
+
++out:
+ p2m_unlock(p2m);
+
+ return rc;
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch b/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch
new file mode 100644
index 000000000000..0cf28049565f
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-4538-XSA-23.patch
@@ -0,0 +1,43 @@
+
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352893365 0
+# Node ID 159080b58dda9d19a5d3be42359e667bdb3e61ca
+# Parent 4cffe28427e0c7dbeaa7c109ed393dde0fe026ba
+xen/mm/shadow: check toplevel pagetables are present before unhooking them.
+
+If the guest has not fully populated its top-level PAE entries when it calls
+HVMOP_pagetable_dying, the shadow code could try to unhook entries from
+MFN 0. Add a check to avoid that case.
+
+This issue was introduced by c/s 21239:b9d2db109cf5.
+
+This is a security problem, XSA-23 / CVE-2012-4538.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+xen-unstable changeset: 26150:c7a01b6450e4
+Backport-requested-by: security@xen.org
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r 4cffe28427e0 -r 159080b58dda xen/arch/x86/mm/shadow/multi.c
+--- xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:36:57 2012 +0000
++++ xen/arch/x86/mm/shadow/multi.c Wed Nov 14 11:42:45 2012 +0000
+@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
+ unsigned long gfn;
+ mfn_t smfn, gmfn;
+
+- if ( fast_path )
+- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++ if ( fast_path ) {
++ if ( pagetable_is_null(v->arch.shadow_table[i]) )
++ smfn = _mfn(INVALID_MFN);
++ else
++ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++ }
+ else
+ {
+ /* retrieving the l2s */
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch b/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch
new file mode 100644
index 000000000000..27ba9378f172
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch
@@ -0,0 +1,36 @@
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352893567 0
+# Node ID 8ca6372315f826881f9de141ac1227ef962100cf
+# Parent 159080b58dda9d19a5d3be42359e667bdb3e61ca
+compat/gnttab: Prevent infinite loop in compat code
+
+c/s 20281:95ea2052b41b, which introduces Grant Table version 2
+hypercalls introduces a vulnerability whereby the compat hypercall
+handler can fall into an infinite loop.
+
+If the watchdog is enabled, Xen will die after the timeout.
+
+This is a security problem, XSA-24 / CVE-2012-4539.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+xen-unstable changeset: 26151:b64a7d868f06
+Backport-requested-by: security@xen.org
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r 159080b58dda -r 8ca6372315f8 xen/common/compat/grant_table.c
+--- xen/common/compat/grant_table.c Wed Nov 14 11:42:45 2012 +0000
++++ xen/common/compat/grant_table.c Wed Nov 14 11:46:07 2012 +0000
+@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
+ #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
+ if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
+ rc = -EFAULT;
++ else
++ i = 1;
+ }
+ break;
+ }
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch b/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch
new file mode 100644
index 000000000000..0046170d1341
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-5510-XSA-26.patch
@@ -0,0 +1,113 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1354644138 0
+# Node ID dea7d4e5bfc1627133c0c19706fea1fbc9e5a378
+# Parent 9e13427c023020756768c73217dab05295709fb3
+gnttab: fix releasing of memory upon switches between versions
+
+gnttab_unpopulate_status_frames() incompletely freed the pages
+previously used as status frame in that they did not get removed from
+the domain's xenpage_list, thus causing subsequent list corruption
+when those pages did get allocated again for the same or another purpose.
+
+Similarly, grant_table_create() and gnttab_grow_table() both improperly
+clean up in the event of an error - pages already shared with the guest
+can't be freed by just passing them to free_xenheap_page(). Fix this by
+sharing the pages only after all allocations succeeded.
+
+This is CVE-2012-5510 / XSA-26.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Committed-by: Ian Jackson <ian.jackson.citrix.com>
+
+diff -r 9e13427c0230 -r dea7d4e5bfc1 xen/common/grant_table.c
+--- xen/common/grant_table.c Thu Nov 29 16:59:43 2012 +0000
++++ xen/common/grant_table.c Tue Dec 04 18:02:18 2012 +0000
+@@ -1173,12 +1173,13 @@ fault:
+ }
+
+ static int
+-gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
++gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
++ unsigned int req_nr_frames)
+ {
+ unsigned i;
+ unsigned req_status_frames;
+
+- req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
++ req_status_frames = grant_to_status_frames(req_nr_frames);
+ for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
+ {
+ if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
+@@ -1209,7 +1210,12 @@ gnttab_unpopulate_status_frames(struct d
+
+ for ( i = 0; i < nr_status_frames(gt); i++ )
+ {
+- page_set_owner(virt_to_page(gt->status[i]), dom_xen);
++ struct page_info *pg = virt_to_page(gt->status[i]);
++
++ BUG_ON(page_get_owner(pg) != d);
++ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
++ put_page(pg);
++ BUG_ON(pg->count_info & ~PGC_xen_heap);
+ free_xenheap_page(gt->status[i]);
+ gt->status[i] = NULL;
+ }
+@@ -1247,19 +1253,18 @@ gnttab_grow_table(struct domain *d, unsi
+ clear_page(gt->shared_raw[i]);
+ }
+
++ /* Status pages - version 2 */
++ if (gt->gt_version > 1)
++ {
++ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
++ goto shared_alloc_failed;
++ }
++
+ /* Share the new shared frames with the recipient domain */
+ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
+ gnttab_create_shared_page(d, gt, i);
+-
+ gt->nr_grant_frames = req_nr_frames;
+
+- /* Status pages - version 2 */
+- if (gt->gt_version > 1)
+- {
+- if ( gnttab_populate_status_frames(d, gt) )
+- goto shared_alloc_failed;
+- }
+-
+ return 1;
+
+ shared_alloc_failed:
+@@ -2157,7 +2162,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt
+
+ if ( op.version == 2 && gt->gt_version < 2 )
+ {
+- res = gnttab_populate_status_frames(d, gt);
++ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
+ if ( res < 0)
+ goto out_unlock;
+ }
+@@ -2600,14 +2605,15 @@ grant_table_create(
+ clear_page(t->shared_raw[i]);
+ }
+
+- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
+- gnttab_create_shared_page(d, t, i);
+-
+ /* Status pages for grant table - for version 2 */
+ t->status = xzalloc_array(grant_status_t *,
+ grant_to_status_frames(max_nr_grant_frames));
+ if ( t->status == NULL )
+ goto no_mem_4;
++
++ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
++ gnttab_create_shared_page(d, t, i);
++
+ t->nr_status_frames = 0;
+
+ /* Okay, install the structure. */
+
+
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch b/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch
new file mode 100644
index 000000000000..9c11a1462ee7
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-5513-XSA-29.patch
@@ -0,0 +1,56 @@
+
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1354644164 0
+# Node ID 83ab3cd0f8e44ad588932aba93d3b5f92a888a08
+# Parent 5771c761ff1bb249dc683d7ec019d76a2a03a048
+xen: add missing guest address range checks to XENMEM_exchange handlers
+
+Ever since its existence (3.0.3 iirc) the handler for this has been
+using non address range checking guest memory accessors (i.e.
+the ones prefixed with two underscores) without first range
+checking the accessed space (via guest_handle_okay()), allowing
+a guest to access and overwrite hypervisor memory.
+
+This is XSA-29 / CVE-2012-5513.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Committed-by: Ian Jackson <ian.jackson.citrix.com>
+
+diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/compat/memory.c
+--- a/xen/common/compat/memory.c Tue Dec 04 18:02:38 2012 +0000
++++ b/xen/common/compat/memory.c Tue Dec 04 18:02:44 2012 +0000
+@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X
+ (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
+ return -EINVAL;
+
++ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
++ cmp.xchg.in.nr_extents) ||
++ !compat_handle_okay(cmp.xchg.out.extent_start,
++ cmp.xchg.out.nr_extents) )
++ return -EFAULT;
++
+ start_extent = cmp.xchg.nr_exchanged;
+ end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
+ (((1U << ABS(order_delta)) + 1) *
+diff -r 5771c761ff1b -r 83ab3cd0f8e4 xen/common/memory.c
+--- a/xen/common/memory.c Tue Dec 04 18:02:38 2012 +0000
++++ b/xen/common/memory.c Tue Dec 04 18:02:44 2012 +0000
+@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA
+ goto fail_early;
+ }
+
++ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
++ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
++ {
++ rc = -EFAULT;
++ goto fail_early;
++ }
++
+ /* Only privileged guests can allocate multi-page contiguous extents. */
+ if ( !multipage_allocation_permitted(current->domain,
+ exch.in.extent_order) ||
+
+
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch b/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch
new file mode 100644
index 000000000000..726592550439
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-5514-XSA-30.patch
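Review bot: The inner diff headers in files/xen-4-CVE-2012-5513-XSA-29.patch read `--- a/xen/common/compat/memory.c` / `+++ b/xen/common/compat/memory.c` (and the same for `xen/common/memory.c`), while every other XSA patch visible in this commit uses unprefixed `--- xen/...` paths, so the security patches do not share one strip level. The ebuild code that applies them is not in this view; if it passes a fixed `-p` level rather than detecting it per file, either this patch or the others would fail to apply. I would normalise the four header lines to the unprefixed form, e.g. `--- xen/common/compat/memory.c`, and regenerate the Manifest entry for the file.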
@@ -0,0 +1,56 @@
+xen: fix error handling of guest_physmap_mark_populate_on_demand()
+
+The only user of the "out" label bypasses a necessary unlock, thus
+enabling the caller to lock up Xen.
+
+Also, the function was never meant to be called by a guest for itself,
+so rather than inspecting the code paths in depth for potential other
+problems this might cause, and adjusting e.g. the non-guest printk()
+in the above error path, just disallow the guest access to it.
+
+Finally, the printk() (considering its potential of spamming the log,
+the more that it's not using XENLOG_GUEST), is being converted to
+P2M_DEBUG(), as debugging is what it apparently was added for in the
+first place.
+
+This is XSA-30 / CVE-2012-5514.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Committed-by: Ian Jackson <ian.jackson.citrix.com>
+
+diff -r 83ab3cd0f8e4 -r 09a48c5da636 xen/arch/x86/mm/p2m-pod.c
+--- xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:44 2012 +0000
++++ xen/arch/x86/mm/p2m-pod.c Tue Dec 04 18:02:48 2012 +0000
+@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
+ mfn_t omfn;
+ int rc = 0;
+
++ if ( !IS_PRIV_FOR(current->domain, d) )
++ return -EPERM;
++
+ if ( !paging_mode_translate(d) )
+ return -EINVAL;
+
+@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
+ omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
+ if ( p2m_is_ram(ot) )
+ {
+- printk("%s: gfn_to_mfn returned type %d!\n",
+- __func__, ot);
++ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
+ rc = -EBUSY;
+ goto out;
+ }
+@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
+ pod_unlock(p2m);
+ }
+
++out:
+ gfn_unlock(p2m, gfn, order);
+
+-out:
+ return rc;
+ }
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch b/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch
new file mode 100644
index 000000000000..a7183230e05f
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-5515-XSA-31.patch
@@ -0,0 +1,58 @@ + +# HG changeset patch +# User Jan Beulich <jbeulich@suse.com> +# Date 1354644172 0 +# Node ID 2c3f00c5189b9269f9840be93d03f058c8994f6e +# Parent 09a48c5da6368ac61bdba5ee09253c2b20d7b577 +memop: limit guest specified extent order + +Allowing unbounded order values here causes almost unbounded loops +and/or partially incomplete requests, particularly in PoD code. + +The added range checks in populate_physmap(), decrease_reservation(), +and the "in" one in memory_exchange() architecturally all could use +PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to +MAX_ORDER. + +This is XSA-31 / CVE-2012-5515. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Tim Deegan <tim@xen.org> +Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> +Committed-by: Ian Jackson <ian.jackson.citrix.com> + +diff -r 09a48c5da636 -r 2c3f00c5189b xen/common/memory.c +--- xen/common/memory.c Tue Dec 04 18:02:48 2012 +0000 ++++ xen/common/memory.c Tue Dec 04 18:02:52 2012 +0000 +@@ -115,7 +115,8 @@ static void populate_physmap(struct memo + + if ( a->memflags & MEMF_populate_on_demand ) + { +- if ( guest_physmap_mark_populate_on_demand(d, gpfn, ++ if ( a->extent_order > MAX_ORDER || ++ guest_physmap_mark_populate_on_demand(d, gpfn, + a->extent_order) < 0 ) + goto out; + } +@@ -235,7 +236,8 @@ static void decrease_reservation(struct + xen_pfn_t gmfn; + + if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, +- a->nr_extents-1) ) ++ a->nr_extents-1) || ++ a->extent_order > MAX_ORDER ) + return; + + for ( i = a->nr_done; i < a->nr_extents; i++ ) +@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA + if ( (exch.nr_exchanged > exch.in.nr_extents) || + /* Input and output domain identifiers match? */ + (exch.in.domid != exch.out.domid) || ++ /* Extent orders are sensible? */ ++ (exch.in.extent_order > MAX_ORDER) || ++ (exch.out.extent_order > MAX_ORDER) || + /* Sizes of input and output lists do not overflow a long? 
*/ + ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || + ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || + + diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch b/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch new file mode 100644 index 000000000000..776d3cd02233 --- /dev/null +++ b/app-emulation/xen/files/xen-4-CVE-2012-5525-XSA-32.patch @@ -0,0 +1,23 @@ +x86: get_page_from_gfn() must return NULL for invalid GFNs + +... also in the non-translated case. + +This is XSA-32 / CVE-2012-xxxx. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Tim Deegan <tim@xen.org> + +diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h +index 28be4e8..907a817 100644 +--- xen/include/asm-x86/p2m.h ++++ xen/include/asm-x86/p2m.h +@@ -384,7 +384,7 @@ static inline struct page_info *get_page_from_gfn( + if (t) + *t = p2m_ram_rw; + page = __mfn_to_page(gfn); +- return get_page(page, d) ? page : NULL; ++ return mfn_valid(gfn) && get_page(page, d) ? page : NULL; + } + + + diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch new file mode 100644 index 000000000000..20342eceef16 --- /dev/null +++ b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch 
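Review bot: The header of the XSA-32 patch still reads `This is XSA-32 / CVE-2012-xxxx.` although the file is named xen-4-CVE-2012-5525-XSA-32.patch, so a search for the CVE number will not find the text inside the patch. I would replace the placeholder with the identifier the file name already uses, `This is XSA-32 / CVE-2012-5525.`, so that the patch header and the file name agree. The code change itself is the single `mfn_valid(gfn) &&` guard in get_page_from_gfn(), whose body starts outside the inner hunk.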
@@ -0,0 +1,18 @@
+VT-d: fix interrupt remapping source validation for devices behind legacy bridges
+Using SVT_VERIFY_BUS here doesn't make sense;
+
+native Linux also uses SVT_VERIFY_SID_SQ here instead.
+This is XSA-33 / CVE-2012-5634.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/drivers/passthrough/vtd/intremap.c
++++ xen/drivers/passthrough/vtd/intremap.c
+@@ -466,7 +466,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
+ set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
+ (bus << 8) | pdev->bus);
+ else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
++ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
+ PCI_BDF2(bus, devfn));
+ }
+ break;
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch
new file mode 100644
index 000000000000..adc26a6b8729
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-27_34_35.patch
@@ -0,0 +1,211 @@ +commit 66141b2e068fa39f28bdda6be05882e323663687 +Author: Michael Young +Date: Tue Jan 22 22:22:10 2013 +0000 + + Security fix from nested virtualization CVE-2013-0151, + restore status option to xend which is used by libvirt +#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch +#new file mode 100644 +#index 0000000..f5328ef +#--- /dev/null +#+++ xsa34-4.2.patch +#@@ -0,0 +1,30 @@ +#+x86_32: don't allow use of nested HVM +#+ +#+There are (indirect) uses of map_domain_page() in the nested HVM code +#+that are unsafe when not just using the 1:1 mapping. +#+ +#+This is XSA-34 / CVE-2013-0151. +#+ +#+Signed-off-by: Jan Beulich +#+ +#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch +#new file mode 100644 +#index 0000000..28c6171 +#--- /dev/null +#+++ xsa35-4.2-with-xsa34.patch +#@@ -0,0 +1,24 @@ +#+xen: Do not allow guests to enable nested HVM on themselves +#+ +#+There is no reason for this and doing so exposes a memory leak to +#+guests. Only toolstacks need write access to this HVM param. +#+ +#+This is XSA-35 / CVE-2013-0152. 
+#+ +#+Signed-off-by: Ian Campbell +#+Acked-by: Jan Beulich +#+ +--- xen/arch/x86/hvm/hvm.c ++++ xen/arch/x86/hvm/hvm.c +@@ -3858,6 +3858,11 @@ + rc = -EINVAL; + break; + case HVM_PARAM_NESTEDHVM: ++ if ( !IS_PRIV(current->domain) ) ++ { ++ rc = -EPERM; ++ break; ++ } + if ( a.value > 1 ) + rc = -EINVAL; + if ( !is_hvm_domain(d) ) +@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE + rc = -EINVAL; + break; + case HVM_PARAM_NESTEDHVM: ++#ifdef __i386__ ++ if ( a.value ) ++ rc = -EINVAL; ++#else + if ( a.value > 1 ) + rc = -EINVAL; + if ( !is_hvm_domain(d) ) +@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE + for_each_vcpu(d, v) + if ( rc == 0 ) + rc = nestedhvm_vcpu_initialise(v); ++#endif + break; + case HVM_PARAM_BUFIOREQ_EVTCHN: + rc = -EINVAL; +# HG changeset patch +# User Tim Deegan <tim@xen.org> +# Date 1354644158 0 +# Node ID 5771c761ff1bb249dc683d7ec019d76a2a03a048 +# Parent dea7d4e5bfc1627133c0c19706fea1fbc9e5a378 +#hvm: Limit the size of large HVM op batches +# +#Doing large p2m updates for HVMOP_track_dirty_vram without preemption +#ties up the physical processor. Integrating preemption into the p2m +#updates is hard so simply limit to 1GB which is sufficient for a 15000 +#* 15000 * 32bpp framebuffer. +# +#For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the +#necessary machinery to handle preemption. +# +#This is CVE-2012-5511 / XSA-27. +# +#Signed-off-by: Tim Deegan <tim@xen.org> +#Signed-off-by: Ian Campbell <ian.campbell@citrix.com> +#Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> +#Committed-by: Ian Jackson <ian.jackson.citrix.com> +# +#v2: Provide definition of GB to fix x86-32 compile. 
+# +#Signed-off-by: Jan Beulich <JBeulich@suse.com> +#Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> +diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/arch/x86/hvm/hvm.c +--- xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:18 2012 +0000 ++++ xen/arch/x86/hvm/hvm.c Tue Dec 04 18:02:38 2012 +0000 +@@ -3969,6 +3969,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + if ( !is_hvm_domain(d) ) + goto param_fail2; + ++ if ( a.nr > GB(1) >> PAGE_SHIFT ) ++ goto param_fail2; ++ + rc = xsm_hvm_param(d, op); + if ( rc ) + goto param_fail2; +@@ -3995,7 +3998,6 @@ long do_hvm_op(unsigned long op, XEN_GUE + { + struct xen_hvm_modified_memory a; + struct domain *d; +- unsigned long pfn; + + if ( copy_from_guest(&a, arg, 1) ) + return -EFAULT; +@@ -4022,9 +4024,11 @@ long do_hvm_op(unsigned long op, XEN_GUE + if ( !paging_mode_log_dirty(d) ) + goto param_fail3; + +- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) ++ while ( a.nr > 0 ) + { ++ unsigned long pfn = a.first_pfn; + struct page_info *page; ++ + page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE); + if ( page ) + { +@@ -4034,6 +4038,19 @@ long do_hvm_op(unsigned long op, XEN_GUE + sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0); + put_page(page); + } ++ ++ a.first_pfn++; ++ a.nr--; ++ ++ /* Check for continuation if it's not the last interation */ ++ if ( a.nr > 0 && hypercall_preempt_check() ) ++ { ++ if ( copy_to_guest(arg, &a, 1) ) ++ rc = -EFAULT; ++ else ++ rc = -EAGAIN; ++ break; ++ } + } + + param_fail3: +@@ -4089,7 +4106,6 @@ long do_hvm_op(unsigned long op, XEN_GUE + { + struct xen_hvm_set_mem_type a; + struct domain *d; +- unsigned long pfn; + + /* Interface types to internal p2m types */ + p2m_type_t memtype[] = { +@@ -4122,8 +4138,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + if ( a.hvmmem_type >= ARRAY_SIZE(memtype) ) + goto param_fail4; + +- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) ++ while ( a.nr ) + { ++ unsigned long pfn = a.first_pfn; + p2m_type_t t; + p2m_type_t nt; + mfn_t 
mfn; +@@ -4163,6 +4180,19 @@ long do_hvm_op(unsigned long op, XEN_GUE + } + } + put_gfn(d, pfn); ++ ++ a.first_pfn++; ++ a.nr--; ++ ++ /* Check for continuation if it's not the last interation */ ++ if ( a.nr > 0 && hypercall_preempt_check() ) ++ { ++ if ( copy_to_guest(arg, &a, 1) ) ++ rc = -EFAULT; ++ else ++ rc = -EAGAIN; ++ goto param_fail4; ++ } + } + + rc = 0; +diff -r dea7d4e5bfc1 -r 5771c761ff1b xen/include/asm-x86/config.h +--- xen/include/asm-x86/config.h Tue Dec 04 18:02:18 2012 +0000 ++++ xen/include/asm-x86/config.h Tue Dec 04 18:02:38 2012 +0000 +@@ -119,6 +119,9 @@ extern char wakeup_start[]; + extern unsigned int video_mode, video_flags; + extern unsigned short boot_edid_caps; + extern unsigned char boot_edid_info[128]; ++ ++#define GB(_gb) (_gb ## UL << 30) ++ + #endif + + #define asmlinkage +@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128] + #define PML4_ADDR(_slot) \ + ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \ + (_slot ## UL << PML4_ENTRY_BITS)) +-#define GB(_gb) (_gb ## UL << 30) + #else + #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS) + #define PML4_ADDR(_slot) \ + diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch new file mode 100644 index 000000000000..f074fa666cbe --- /dev/null +++ b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch 
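Review bot: Both hvm.c hunks for `case HVM_PARAM_NESTEDHVM:` expect the label to be followed directly by `if ( a.value > 1 )`, but the first hunk (XSA-35) inserts the `IS_PRIV(current->domain)` block between the two, and the second header `@@ -3926,6 +3926,10 @@` does not account for the five lines already added. The two hunks appear to target the same case, so the XSA-34 `#ifdef __i386__` hunk may apply only with fuzz or an offset; a dry run should confirm that both apply and that the privilege check ends up ahead of the `#ifdef`. The file also carries three advisories (XSA-27 / CVE-2012-5511, XSA-34 / CVE-2013-0151, XSA-35 / CVE-2013-0152) under a name that lists only CVE-2013-0151, and its first 70 lines are repeated as xen-4-CVE-2013-0151-XSA-34_35.patch, where the same two hunks occur. One file per advisory would make it easier to audit which fixes a given revision carries.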
@@ -0,0 +1,70 @@
+commit 66141b2e068fa39f28bdda6be05882e323663687
+Author: Michael Young
+Date: Tue Jan 22 22:22:10 2013 +0000
+
+ Security fix from nested virtualization CVE-2013-0151,
+ restore status option to xend which is used by libvirt
+#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch
+#new file mode 100644
+#index 0000000..f5328ef
+#--- /dev/null
+#+++ xsa34-4.2.patch
+#@@ -0,0 +1,30 @@
+#+x86_32: don't allow use of nested HVM
+#+
+#+There are (indirect) uses of map_domain_page() in the nested HVM code
+#+that are unsafe when not just using the 1:1 mapping.
+#+
+#+This is XSA-34 / CVE-2013-0151.
+#+
+#+Signed-off-by: Jan Beulich
+#+
+#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch
+#new file mode 100644
+#index 0000000..28c6171
+#--- /dev/null
+#+++ xsa35-4.2-with-xsa34.patch
+#@@ -0,0 +1,24 @@
+#+xen: Do not allow guests to enable nested HVM on themselves
+#+
+#+There is no reason for this and doing so exposes a memory leak to
+#+guests. Only toolstacks need write access to this HVM param.
+#+
+#+This is XSA-35 / CVE-2013-0152.
+#+
+#+Signed-off-by: Ian Campbell
+#+Acked-by: Jan Beulich
+#+
+--- xen/arch/x86/hvm/hvm.c
++++ xen/arch/x86/hvm/hvm.c
+@@ -3858,6 +3858,11 @@
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++ if ( !IS_PRIV(current->domain) )
++ {
++ rc = -EPERM;
++ break;
++ }
+ if ( a.value > 1 )
+ rc = -EINVAL;
+ if ( !is_hvm_domain(d) )
+@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++#ifdef __i386__
++ if ( a.value )
++ rc = -EINVAL;
++#else
+ if ( a.value > 1 )
+ rc = -EINVAL;
+ if ( !is_hvm_domain(d) )
+@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ for_each_vcpu(d, v)
+ if ( rc == 0 )
+ rc = nestedhvm_vcpu_initialise(v);
++#endif
+ break;
+ case HVM_PARAM_BUFIOREQ_EVTCHN:
+ rc = -EINVAL;
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch new file mode 100644 index 000000000000..bb43acd633d5 --- /dev/null +++ b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch @@ -0,0 +1,23 @@ +x86: fix assertion in get_page_type() + +c/s 22998:e9fab50d7b61 (and immediately following ones) made it +possible that __get_page_type() returns other than -EINVAL, in +particular -EBUSY. Consequently, the assertion in get_page_type() +should check for only the return values we absolutely don't expect to +see there. + +This is XSA-37 / CVE-2013-0154. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- xen/arch/x86/mm.c ++++ xen/arch/x86/mm.c +@@ -2586,7 +2586,7 @@ int get_page_type(struct page_info *page + int rc = __get_page_type(page, type, 0); + if ( likely(rc == 0) ) + return 1; +- ASSERT(rc == -EINVAL); ++ ASSERT(rc != -EINTR && rc != -EAGAIN); + return 0; + } + diff --git a/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch index 78eb12b0fc64..c0dbd20ece46 100644 --- a/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch +++ b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch @@ -7,7 +7,7 @@ diff -ur xen-4.2.0.orig/extras/mini-os/minios.mk xen-4.2.0/extras/mini-os/minios # Define some default flags. # NB. '-Wcast-qual' is nasty, so I omitted it. -DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls -+DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls ++DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,) DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline) DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline 
@@ -19,7 +19,7 @@ diff -ur xen-4.2.0.orig/tools/libxc/Makefile xen-4.2.0/tools/libxc/Makefile -include $(XEN_TARGET_ARCH)/Makefile -CFLAGS += -Werror -Wmissing-prototypes -+CFLAGS += -Wmissing-prototypes ++CFLAGS += -Wmissing-prototypes CFLAGS += -I. $(CFLAGS_xeninclude) # Needed for posix_fadvise64() in xc_linux.c diff --git a/app-emulation/xen/xen-4.2.0.ebuild b/app-emulation/xen/xen-4.2.0-r1.ebuild index f436d0b49ffa..50e56010e7f3 100644 --- a/app-emulation/xen/xen-4.2.0.ebuild +++ b/app-emulation/xen/xen-4.2.0-r1.ebuild @@ -1,8 +1,10 @@ -# Copyright 1999-2012 Gentoo Foundation +# Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.0.ebuild,v 1.1 2012/12/04 12:35:44 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.0-r1.ebuild,v 1.1 2013/01/30 12:12:31 idella4 Exp $ -EAPI="4" +EAPI=5 + +PYTHON_COMPAT=( python{2_6,2_7} ) if [[ $PV == *9999 ]]; then KEYWORDS="" @@ -15,7 +17,7 @@ else SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz" fi -inherit mount-boot flag-o-matic toolchain-funcs ${live_eclass} +inherit mount-boot flag-o-matic python-single-r1 toolchain-funcs ${live_eclass} DESCRIPTION="The Xen virtual machine monitor" HOMEPAGE="http://xen.org/" @@ -26,7 +28,7 @@ IUSE="custom-cflags debug flask pae xsm" RDEPEND="|| ( sys-boot/grub sys-boot/grub-static )" -PDEPEND="~app-emulation/xen-tools-${PV}" +PDEPEND="~app-emulation/xen-tools-${PV}[${PYTHON_USEDEP}]" RESTRICT="test" @@ -36,8 +38,8 @@ QA_WX_LOAD="boot/xen-syms-${PV}" REQUIRED_USE=" flask? ( xsm ) " - pkg_setup() { + python-single-r1_pkg_setup if [[ -z ${XEN_TARGET_ARCH} ]]; then if use x86 && use amd64; then die "Confusion! Both x86 and amd64 are set in your use flags!" 
@@ -59,9 +61,8 @@ pkg_setup() { } src_prepare() { - - # Drop .config - sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop" + # Drop .config, fix gcc-4.6 + epatch "${FILESDIR}"/${PN}-4-fix_dotconfig-gcc.patch # if the user *really* wants to use their own custom-cflags, let them if use custom-cflags; then @@ -76,11 +77,21 @@ src_prepare() { -i {} \; || die "failed to re-set custom-cflags" fi - # remove -Werror for gcc-4.6's sake - find "${S}" -name 'Makefile*' -o -name '*.mk' -o -name 'common.make' | \ - xargs sed -i 's/ *-Werror */ /' # not strictly necessary to fix this sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py" + + #Security patches + epatch "${FILESDIR}"/${PN}-4-CVE-2012-4535-XSA-20.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-4537-XSA-22.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-4538-XSA-23.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-4539-XSA-24.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-5510-XSA-26.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-5514-XSA-30.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-5515-XSA-31.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-5525-XSA-32.patch \ + "${FILESDIR}"/${PN}-4-CVE-2012-5634-XSA-33.patch \ + "${FILESDIR}"/${PN}-4-CVE-2013-0151-XSA-27_34_35.patch \ + "${FILESDIR}"/${PN}-4-CVE-2013-0154-XSA-37.patch } src_configure() { diff --git a/app-emulation/xen/xen-4.2.1.ebuild b/app-emulation/xen/xen-4.2.1-r1.ebuild index 6918ac0122dd..2e882bce1972 100644 --- a/app-emulation/xen/xen-4.2.1.ebuild +++ b/app-emulation/xen/xen-4.2.1-r1.ebuild @@ -1,8 +1,10 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.1.ebuild,v 1.1 2013/01/24 09:18:34 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.1-r1.ebuild,v 1.1 2013/01/30 12:12:31 idella4 Exp $ -EAPI="4" +EAPI=5 + +PYTHON_COMPAT=( python{2_6,2_7} ) if [[ $PV == *9999 ]]; then KEYWORDS="" 
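Review bot: The `epatch` list added to src_prepare() in xen-4.2.0-r1.ebuild goes from XSA-26 straight to XSA-30 (XSA-27 comes in through the combined 27_34_35 file), so no XSA-29 patch is applied, while the ChangeLog entry of this same commit adds `files/xen-4-CVE-2012-5513-XSA-29.patch`. If that fix is meant for 4.2.0, the list needs the line `"${FILESDIR}"/${PN}-4-CVE-2012-5513-XSA-29.patch \`; if it does not apply, a comment saying why would keep the omission from looking accidental. The same hunk drops the tree-wide `find … | xargs sed` that stripped `-Werror`, so the flag is now removed only where xen-4-fix_dotconfig-gcc.patch touches it; it is worth checking that no other Makefile in the tree still sets it. src_prepare() starts in the previous hunk.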
@@ -15,7 +17,7 @@ else SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz" fi -inherit mount-boot flag-o-matic toolchain-funcs ${live_eclass} +inherit mount-boot flag-o-matic python-single-r1 toolchain-funcs ${live_eclass} DESCRIPTION="The Xen virtual machine monitor" HOMEPAGE="http://xen.org/" @@ -38,6 +40,7 @@ REQUIRED_USE=" " pkg_setup() { + python-single-r1_pkg_setup if [[ -z ${XEN_TARGET_ARCH} ]]; then if use x86 && use amd64; then die "Confusion! Both x86 and amd64 are set in your use flags!" @@ -59,9 +62,8 @@ pkg_setup() { } src_prepare() { - - # Drop .config and Fix gcc-4.6 - epatch "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch # Drop .config + # Drop .config and fix gcc-4.6 + epatch "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch # if the user *really* wants to use their own custom-cflags, let them if use custom-cflags; then @@ -78,6 +80,11 @@ src_prepare() { # not strictly necessary to fix this sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py" + + #Security patches + epatch "${FILESDIR}"/${PN}-4-CVE-2012-5634-XSA-33.patch \ + "${FILESDIR}"/${PN}-4-CVE-2013-0151-XSA-34_35.patch \ + "${FILESDIR}"/${PN}-4-CVE-2013-0154-XSA-37.patch } src_configure() { |
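Review bot: The xen-4.2.1-r1.ebuild section inherits `python-single-r1` and calls `python-single-r1_pkg_setup`, but unlike the 4.2.0-r1 section it has no hunk on the `PDEPEND` line, which lies outside the hunks shown. The xen-tools dependency therefore presumably stays without `[${PYTHON_USEDEP}]`. If the two revisions are meant to mirror each other, as the commit message says, the line should read `PDEPEND="~app-emulation/xen-tools-${PV}[${PYTHON_USEDEP}]"`. The patch paths in src_prepare() are also spelled two ways, `${PN/-pvgrub/}` for the dotconfig patch and plain `${PN}` for the security patches; one form throughout would be easier to read.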