authorBaptiste Daroussin <bapt@FreeBSD.org>2015-06-11 18:08:41 +0000
committerBaptiste Daroussin <bapt@FreeBSD.org>2015-06-11 18:08:41 +0000
commit41bd0097220815342ac2585cafc1c29b16dfd0a5 (patch)
tree18f5812b2d56e7557585361a5df2fc8350d6ec99 /emulators
parentemulators/i386-wine-devel: update to 1.7.44. (diff)
Fix plenty of security issues
Security: XSA-117 / CVE-2015-0268 Security: XSA-118 / CVE-2015-1563 Security: XSA-121 / CVE-2015-2044 Security: XSA-122 / CVE-2015-2045 Security: XSA-123 / CVE-2015-2151 Security: XSA-125 / CVE-2015-2752 Security: XSA-127 / CVE-2015-2751 Security: XSA-132 / CVE-2015-3340 Security: XSA-134 / CVE-2015-4163 Security: XSA-136 / CVE-2015-4164
Notes
Notes: svn path=/head/; revision=389233
Diffstat (limited to 'emulators')
-rw-r--r--emulators/xen-kernel/Makefile15
-rw-r--r--emulators/xen-kernel/files/xsa117.patch42
-rw-r--r--emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch253
-rw-r--r--emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch115
-rw-r--r--emulators/xen-kernel/files/xsa121.patch51
-rw-r--r--emulators/xen-kernel/files/xsa122.patch40
-rw-r--r--emulators/xen-kernel/files/xsa123.patch24
-rw-r--r--emulators/xen-kernel/files/xsa125.patch71
-rw-r--r--emulators/xen-kernel/files/xsa127-4.x.patch50
-rw-r--r--emulators/xen-kernel/files/xsa132.patch29
-rw-r--r--emulators/xen-kernel/files/xsa134.patch23
-rw-r--r--emulators/xen-kernel/files/xsa136.patch19
12 files changed, 730 insertions, 2 deletions
diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile
index 6d6e39a39a06..949064b0d708 100644
--- a/emulators/xen-kernel/Makefile
+++ b/emulators/xen-kernel/Makefile
@@ -3,7 +3,7 @@
PORTNAME= xen
PKGNAMESUFFIX= -kernel
PORTVERSION= 4.5.0
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
@@ -25,7 +25,18 @@ ALL_TARGET= build
STRIP= #
WRKSRC_SUBDIR= xen
EXTRA_PATCHES= ${FILESDIR}/iommu_share_p2m_table.patch:-p2 \
- ${FILESDIR}/0001-x86-pvh-disable-posted-interrupts.patch:-p2
+ ${FILESDIR}/0001-x86-pvh-disable-posted-interrupts.patch:-p2 \
+ ${FILESDIR}/xsa117.patch:-p2 \
+ ${FILESDIR}/xsa118-4.5-unstable-1.patch:-p2 \
+ ${FILESDIR}/xsa118-4.5-unstable-2.patch:-p2 \
+ ${FILESDIR}/xsa121.patch:-p2 \
+ ${FILESDIR}/xsa122.patch:-p2 \
+ ${FILESDIR}/xsa123.patch:-p2 \
+ ${FILESDIR}/xsa125.patch:-p2 \
+ ${FILESDIR}/xsa127-4.x.patch:-p2 \
+ ${FILESDIR}/xsa132.patch:-p2 \
+ ${FILESDIR}/xsa134.patch:-p2 \
+ ${FILESDIR}/xsa136.patch:-p2
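Review bot: The order of the new EXTRA_PATCHES entries is load-bearing and nothing in the Makefile says so: xsa118-4.5-unstable-2.patch carries `index 9dc9a20..3b87f54` for vgic-v2.c, i.e. it expects the tree that xsa117.patch produces (`index 598bf06..9dc9a20`), and the xsa132 hunk's context already contains the `d == current->domain` check that xsa127-4.x.patch introduces. Reordering or dropping one of them on a later update would make the dependent patch fail to apply with -p2. Suggest a comment above the list, `# XSA patches are order-dependent: xsa118-*-2 builds on xsa117, xsa132 on xsa127.`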
.include <bsd.port.options.mk>
diff --git a/emulators/xen-kernel/files/xsa117.patch b/emulators/xen-kernel/files/xsa117.patch
new file mode 100644
index 000000000000..aa04fe45c07b
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa117.patch
@@ -0,0 +1,42 @@
+From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Fri, 23 Jan 2015 14:15:07 +0000
+Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI
+ target mode is invalid
+
+The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
+
+Even if it's an invalid value, a malicious guest could write this value
+and threfore crash the hypervisor.
+
+Replace the BUG() by logging the error and inject a data abort to the guest.
+
+This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7
+"xen/arm: split vgic driver into generic and vgic-v2 driver".
+
+This is CVE-2015-0268 / XSA-117.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 598bf06..9dc9a20 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
+ sgi_mode = SGI_TARGET_SELF;
+ break;
+ default:
+- BUG();
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
++ v, sgir);
++ return 0;
+ }
+
+ return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
+--
+2.1.4
+
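Review bot: The patch description says the BUG() is replaced by logging and injecting a data abort, but the hunk only logs at XENLOG_G_DEBUG and returns 0; the abort injection is not visible here and presumably happens in the caller when the SGI handler reports failure — worth confirming against the caller of vgic_v2_to_sgi and the trap path, since if 0 were treated as a handled write the guest would silently continue. A short comment on the new return would make the intent explicit: `return 0; /* unhandled: caller is expected to inject a data abort */`. vgic_v2_to_sgi starts before the hunk and only part of its switch is visible.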
diff --git a/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch b/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch
new file mode 100644
index 000000000000..a714c8306e21
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch
@@ -0,0 +1,253 @@
+From e698f4ab05a710e4463317ea978d426d43107e27 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Mon, 19 Jan 2015 14:01:09 +0000
+Subject: [PATCH 1/2] xen/arm: vgic-v3: message in the emulation code should be
+ rate-limited
+
+printk by default is not rate-limited by default. Therefore a malicious guest
+may be able to flood the Xen console.
+
+If we use gdprintk, unnecessary information will be printed such as the
+filename and the line. Instead use XENLOG_G_{ERR,DEBUG} combine with %pv.
+
+Also remove the vGICv3 prefix which is not neccessary and update some
+message which were wrong.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v3.c | 109 +++++++++++++++++++++++++++----------------------
+ 1 file changed, 61 insertions(+), 48 deletions(-)
+
+diff --git a/xen/arch/arm/vgic-v3.c b/xen/arch/arm/vgic-v3.c
+index ae4482c..bece189 100644
+--- a/xen/arch/arm/vgic-v3.c
++++ b/xen/arch/arm/vgic-v3.c
+@@ -168,13 +168,14 @@ static int __vgic_v3_rdistr_rd_mmio_read(struct vcpu *v, mmio_info_t *info,
+ /* Reserved0 */
+ goto read_as_zero;
+ default:
+- printk("vGICv3: vGICR: read r%d offset %#08x\n not found",
+- dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: read r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+ bad_width:
+- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR "%pv vGICR: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -244,12 +245,14 @@ static int __vgic_v3_rdistr_rd_mmio_write(struct vcpu *v, mmio_info_t *info,
+ /* RO */
+ goto write_ignore;
+ default:
+- printk("vGICR: write r%d offset %#08x\n not found", dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR "%pv: vGICR: write r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+ bad_width:
+- printk("vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+- dabt.size, dabt.reg, *r, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -345,15 +348,16 @@ static int __vgic_v3_distr_common_mmio_read(struct vcpu *v, mmio_info_t *info,
+ vgic_unlock_rank(v, rank, flags);
+ return 1;
+ default:
+- printk("vGICv3: vGICD/vGICR: unhandled read r%d offset %#08x\n",
+- dabt.reg, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: unhandled read r%d offset %#08x\n",
++ v, dabt.reg, reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR,
+- "vGICv3: vGICD/vGICR: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -458,15 +462,16 @@ static int __vgic_v3_distr_common_mmio_write(struct vcpu *v, mmio_info_t *info,
+ vgic_unlock_rank(v, rank, flags);
+ return 1;
+ default:
+- printk("vGICv3: vGICD/vGICR: unhandled write r%d "
+- "=%"PRIregister" offset %#08x\n", dabt.reg, *r, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: unhandled write r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.reg, *r, reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR,
+- "vGICv3: vGICD/vGICR: bad write width %d r%d=%"PRIregister" "
+- "offset %#08x\n", dabt.size, dabt.reg, *r, reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD/vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -521,13 +526,14 @@ static int vgic_v3_rdistr_sgi_mmio_read(struct vcpu *v, mmio_info_t *info,
+ if ( dabt.size != DABT_WORD ) goto bad_width;
+ return 1;
+ default:
+- printk("vGICv3: vGICR: read r%d offset %#08x\n not found",
+- dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: SGI: read r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+ bad_width:
+- printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR "%pv: vGICR: SGI: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -585,14 +591,16 @@ static int vgic_v3_rdistr_sgi_mmio_write(struct vcpu *v, mmio_info_t *info,
+ /* We do not implement security extensions for guests, write ignore */
+ goto write_ignore;
+ default:
+- printk("vGICv3: vGICR SGI: write r%d offset %#08x\n not found",
+- dabt.reg, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: SGI: write r%d offset %#08x\n not found",
++ v, dabt.reg, gicr_reg);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICR SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+- dabt.size, dabt.reg, *r, gicr_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICR: SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicr_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -618,9 +626,9 @@ static int vgic_v3_rdistr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) )
+ return vgic_v3_rdistr_sgi_mmio_read(v, info, (offset - SZ_64K));
+ else
+- gdprintk(XENLOG_WARNING,
+- "vGICv3: vGICR: unknown gpa read address %"PRIpaddr"\n",
+- info->gpa);
++ printk(XENLOG_G_WARNING
++ "%pv: vGICR: unknown gpa read address %"PRIpaddr"\n",
++ v, info->gpa);
+
+ return 0;
+ }
+@@ -642,9 +650,9 @@ static int vgic_v3_rdistr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ else if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) )
+ return vgic_v3_rdistr_sgi_mmio_write(v, info, (offset - SZ_64K));
+ else
+- gdprintk(XENLOG_WARNING,
+- "vGICV3: vGICR: unknown gpa write address %"PRIpaddr"\n",
+- info->gpa);
++ printk(XENLOG_G_WARNING
++ "%pv: vGICR: unknown gpa write address %"PRIpaddr"\n",
++ v, info->gpa);
+
+ return 0;
+ }
+@@ -770,18 +778,19 @@ static int vgic_v3_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ case 0xf30 ... 0x5fcc:
+ case 0x8000 ... 0xbfcc:
+ /* These are reserved register addresses */
+- printk("vGICv3: vGICD: read unknown 0x00c .. 0xfcc r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: RAZ on reserved register offset %#08x\n",
++ v, gicd_reg);
+ goto read_as_zero;
+ default:
+- printk("vGICv3: vGICD: unhandled read r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
++ v, dabt.reg, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR, "vGICv3: vGICD: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -840,8 +849,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ case 0x020 ... 0x03c:
+ case 0xc000 ... 0xffcc:
+ /* Implementation defined -- write ignored */
+- printk("vGICv3: vGICD: write unknown 0x020 - 0x03c r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: WI on implementation defined register offset %#08x\n",
++ v, gicd_reg);
+ goto write_ignore;
+ case GICD_IGROUPR ... GICD_IGROUPRN:
+ case GICD_ISENABLER ... GICD_ISENABLERN:
+@@ -885,8 +895,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ new_target = new_irouter & MPIDR_AFF0_MASK;
+ if ( new_target >= v->domain->max_vcpus )
+ {
+- printk("vGICv3: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x",
+- gicd_reg, new_target, v->domain->max_vcpus);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x",
++ v, gicd_reg, new_target, v->domain->max_vcpus);
+ vgic_unlock_rank(v, rank, flags);
+ return 0;
+ }
+@@ -926,19 +937,21 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ case 0xf30 ... 0x5fcc:
+ case 0x8000 ... 0xbfcc:
+ /* Reserved register addresses */
+- printk("vGICv3: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: write unknown 0x00c 0xfcc r%d offset %#08x\n",
++ v, dabt.reg, gicd_reg);
+ goto write_ignore;
+ default:
+- printk("vGICv3: vGICD: unhandled write r%d=%"PRIregister" "
+- "offset %#08x\n", dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.reg, *r, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- dprintk(XENLOG_ERR,
+- "VGICv3: vGICD: bad write width %d r%d=%"PRIregister" "
+- "offset %#08x\n", dabt.size, dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+--
+2.1.4
+
diff --git a/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch b/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch
new file mode 100644
index 000000000000..621b739b4a55
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch
@@ -0,0 +1,115 @@
+From e8fa469595e29b2dbe6dde3a77ee2ea2d9e93283 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Mon, 19 Jan 2015 12:59:42 +0000
+Subject: [PATCH 2/2] xen/arm: vgic-v2: message in the emulation code should be
+ rate-limited
+
+printk is not rated-limited by default. Therefore a malicious guest may
+be able to flood the Xen console.
+
+If we use gdprintk, unecessary information will be printed such as the
+filename and the line. Instead use XENLOG_G_ERR combine with %pv.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 40 +++++++++++++++++++++++-----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 9dc9a20..3b87f54 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -198,7 +198,7 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_ICPIDR2:
+ if ( dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled read from ICPIDR2\n");
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v);
+ return 0;
+
+ /* Implementation defined -- read as zero */
+@@ -215,14 +215,14 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ goto read_as_zero;
+
+ default:
+- printk("vGICD: unhandled read r%d offset %#08x\n",
+- dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
++ v, dabt.reg, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICD: bad read width %d r%d offset %#08x\n",
+- dabt.size, dabt.reg, gicd_reg);
++ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
++ v, dabt.size, dabt.reg, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+@@ -331,14 +331,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_ISPENDR ... GICD_ISPENDRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
+ return 0;
+
+ case GICD_ICPENDR ... GICD_ICPENDRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
+ return 0;
+
+ case GICD_ISACTIVER ... GICD_ISACTIVERN:
+@@ -457,14 +459,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+
+ case GICD_CPENDSGIR ... GICD_CPENDSGIRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
+ return 0;
+
+ case GICD_SPENDSGIR ... GICD_SPENDSGIRN:
+ if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
+- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
++ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
+ return 0;
+
+ /* Implementation defined -- write ignored */
+@@ -489,14 +493,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ goto write_ignore;
+
+ default:
+- printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
+- dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.reg, *r, gicd_reg);
+ return 0;
+ }
+
+ bad_width:
+- printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+- dabt.size, dabt.reg, *r, gicd_reg);
++ printk(XENLOG_G_ERR
++ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++ v, dabt.size, dabt.reg, *r, gicd_reg);
+ domain_crash_synchronous();
+ return 0;
+
+--
+2.1.4
+
diff --git a/emulators/xen-kernel/files/xsa121.patch b/emulators/xen-kernel/files/xsa121.patch
new file mode 100644
index 000000000000..f3d1397d6daf
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa121.patch
@@ -0,0 +1,51 @@
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/hvm/i8254.c
++++ b/xen/arch/x86/hvm/i8254.c
+@@ -486,6 +486,7 @@ static int handle_pit_io(
+ if ( bytes != 1 )
+ {
+ gdprintk(XENLOG_WARNING, "PIT bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/pmtimer.c
++++ b/xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+ if ( bytes != 4 )
+ {
+ gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/rtc.c
++++ b/xen/arch/x86/hvm/rtc.c
+@@ -703,7 +703,8 @@ static int handle_rtc_io(
+
+ if ( bytes != 1 )
+ {
+- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
+--- a/xen/arch/x86/hvm/vpic.c
++++ b/xen/arch/x86/hvm/vpic.c
+@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
+ if ( bytes != 1 )
+ {
+ gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++ *val = ~0;
+ return X86EMUL_OKAY;
+ }
+
diff --git a/emulators/xen-kernel/files/xsa122.patch b/emulators/xen-kernel/files/xsa122.patch
new file mode 100644
index 000000000000..1e58965b54dd
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa122.patch
@@ -0,0 +1,40 @@
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_extraversion:
+ {
+ xen_extraversion_t extraversion;
++
++ memset(extraversion, 0, sizeof(extraversion));
+ safe_strcpy(extraversion, xen_extra_version());
+ if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+ return -EFAULT;
+@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_compile_info:
+ {
+ struct xen_compile_info info;
++
++ memset(&info, 0, sizeof(info));
+ safe_strcpy(info.compiler, xen_compiler());
+ safe_strcpy(info.compile_by, xen_compile_by());
+ safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+ case XENVER_changeset:
+ {
+ xen_changeset_info_t chgset;
++
++ memset(chgset, 0, sizeof(chgset));
+ safe_strcpy(chgset, xen_changeset());
+ if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+ return -EFAULT;
diff --git a/emulators/xen-kernel/files/xsa123.patch b/emulators/xen-kernel/files/xsa123.patch
new file mode 100644
index 000000000000..653996d31788
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa123.patch
@@ -0,0 +1,24 @@
+x86emul: fully ignore segment override for register-only operations
+
+For ModRM encoded instructions with register operands we must not
+overwrite ea.mem.seg (if a - bogus in that case - segment override was
+present) as it aliases with ea.reg.
+
+This is CVE-2015-2151 / XSA-123.
+
+Reported-by: Felix Wilhelm <fwilhelm@ernw.de>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+Reviewed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1757,7 +1757,7 @@ x86_emulate(
+ }
+ }
+
+- if ( override_seg != -1 )
++ if ( override_seg != -1 && ea.type == OP_MEM )
+ ea.mem.seg = override_seg;
+
+ /* Early operand adjustments. */
diff --git a/emulators/xen-kernel/files/xsa125.patch b/emulators/xen-kernel/files/xsa125.patch
new file mode 100644
index 000000000000..ac35ca5f548e
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa125.patch
@@ -0,0 +1,71 @@
+From 98670acc98cad5aee0e0714694a64d3b96675c36 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 19 Nov 2014 12:57:11 -0500
+Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to only process up
+ to 64 GFNs (or less)
+
+Said hypercall for large BARs can take quite a while. As such
+we can require that the hypercall MUST break up the request
+in smaller values.
+
+Another approach is to add preemption to it - whether we do the
+preemption using hypercall_create_continuation or returning
+EAGAIN to userspace (and have it re-invocate the call) - either
+way the issue we cannot easily solve is that in 'map_mmio_regions'
+if we encounter an error we MUST call 'unmap_mmio_regions' for the
+whole BAR region.
+
+Since the preemption would re-use input fields such as nr_mfns,
+first_gfn, first_mfn - we would lose the original values -
+and only undo what was done in the current round (i.e. ignoring
+anything that was done prior to earlier preemptions).
+
+Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but
+that puts a limit (since the return value is a long) on the amount
+of nr_mfns that can provided.
+
+This patch sidesteps this problem by:
+ - Setting an hard limit of nr_mfns having to be 64 or less.
+ - Toolstack adjusts correspondingly to the nr_mfn limit.
+ - If the there is an error when adding the toolstack will call the
+ remove operation to remove the whole region.
+
+The need to break this hypercall down is for large BARs can take
+more than the guest (initial domain usually) time-slice. This has
+the negative result in that the guest is locked out for a long
+duration and is unable to act on any pending events.
+
+We also augment the code to return zero if nr_mfns instead
+of trying to the hypercall.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+[v50: Simplify loop]
+[v51: If max_batch_sz 1 (or less) we would return zero. Fix that]
+[v52: Handle nr_mfns being zero]
+[v53: Fix up return value]
+---
+ tools/libxc/xc_domain.c | 46 +++++++++++++++++++++++++++++++++++++++++----
+ xen/common/domctl.c | 5 +++++
+ xen/include/public/domctl.h | 1 +
+ 3 files changed, 48 insertions(+), 4 deletions(-)
+
+diff --git a/xen/common/domctl.c b/xen/common/domctl.c
+index d396cc4..c2e60a7 100644
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -1027,6 +1027,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
+ (gfn + nr_mfns - 1) < gfn ) /* wrap? */
+ break;
+
++ ret = -E2BIG;
++ /* Must break hypercall up as this could take a while. */
++ if ( nr_mfns > 64 )
++ break;
++
+ ret = -EPERM;
+ if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ||
+ !iomem_access_permitted(d, mfn, mfn_end) )
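Review bot: Only the hypervisor half of XSA-125 is carried here: the patch's own diffstat lists tools/libxc/xc_domain.c (46 lines) and xen/include/public/domctl.h, but the file contains just the xen/common/domctl.c hunk that makes XEN_DOMCTL_memory_mapping return -E2BIG for nr_mfns > 64. As the description notes, the toolstack must batch its requests down to that limit, so unless the matching libxc change ships in the xen-tools port, mapping any MMIO region larger than 64 frames (e.g. PCI passthrough of a large BAR) will start failing against this hypervisor. It would help to record that dependency where the next updater will see it, e.g. a note in the patch header: `# Hypervisor side only; the libxc batching change must be applied in emulators/xen-tools.`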
diff --git a/emulators/xen-kernel/files/xsa127-4.x.patch b/emulators/xen-kernel/files/xsa127-4.x.patch
new file mode 100644
index 000000000000..463b1ddf774a
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa127-4.x.patch
@@ -0,0 +1,50 @@
+domctl: don't allow a toolstack domain to call domain_pause() on itself
+
+These DOMCTL subops were accidentally declared safe for disaggregation
+in the wake of XSA-77.
+
+This is XSA-127.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -888,6 +888,10 @@ long arch_do_domctl(
+ {
+ xen_guest_tsc_info_t info;
+
++ ret = -EINVAL;
++ if ( d == current->domain ) /* no domain_pause() */
++ break;
++
+ domain_pause(d);
+ tsc_get_info(d, &info.tsc_mode,
+ &info.elapsed_nsec,
+@@ -903,6 +907,10 @@ long arch_do_domctl(
+
+ case XEN_DOMCTL_settscinfo:
+ {
++ ret = -EINVAL;
++ if ( d == current->domain ) /* no domain_pause() */
++ break;
++
+ domain_pause(d);
+ tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
+ domctl->u.tsc_info.info.elapsed_nsec,
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -522,8 +522,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
+
+ case XEN_DOMCTL_resumedomain:
+ {
+- domain_resume(d);
+- ret = 0;
++ if ( d == current->domain ) /* no domain_pause() */
++ ret = -EINVAL;
++ else
++ domain_resume(d);
+ }
+ break;
+
diff --git a/emulators/xen-kernel/files/xsa132.patch b/emulators/xen-kernel/files/xsa132.patch
new file mode 100644
index 000000000000..321c87bf62d5
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa132.patch
@@ -0,0 +1,29 @@
+domctl/sysctl: don't leak hypervisor stack to toolstacks
+
+This is XSA-132.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -884,7 +884,7 @@ long arch_do_domctl(
+
+ case XEN_DOMCTL_gettscinfo:
+ {
+- xen_guest_tsc_info_t info;
++ xen_guest_tsc_info_t info = { 0 };
+
+ ret = -EINVAL;
+ if ( d == current->domain ) /* no domain_pause() */
+--- a/xen/common/sysctl.c
++++ b/xen/common/sysctl.c
+@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
+ case XEN_SYSCTL_getdomaininfolist:
+ {
+ struct domain *d;
+- struct xen_domctl_getdomaininfo info;
++ struct xen_domctl_getdomaininfo info = { 0 };
+ u32 num_domains = 0;
+
+ rcu_read_lock(&domlist_read_lock);
diff --git a/emulators/xen-kernel/files/xsa134.patch b/emulators/xen-kernel/files/xsa134.patch
new file mode 100644
index 000000000000..16b93ac59f65
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa134.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
+
+... avoiding NULL derefs when the version to use wasn't set yet (via
+GNTTABOP_setup_table or GNTTABOP_set_version).
+
+This is XSA-134.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -2592,6 +2592,9 @@ __gnttab_swap_grant_ref(grant_ref_t ref_
+
+ spin_lock(&gt->lock);
+
++ if ( gt->gt_version == 0 )
++ PIN_FAIL(out, GNTST_general_error, "grant table not yet set up\n");
++
+ /* Bounds check on the grant refs */
+ if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
diff --git a/emulators/xen-kernel/files/xsa136.patch b/emulators/xen-kernel/files/xsa136.patch
new file mode 100644
index 000000000000..fda3fa238902
--- /dev/null
+++ b/emulators/xen-kernel/files/xsa136.patch
@@ -0,0 +1,19 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/traps: loop in the correct direction in compat_iret()
+
+This is XSA-136.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/traps.c
++++ b/xen/arch/x86/x86_64/compat/traps.c
+@@ -119,7 +119,7 @@ unsigned int compat_iret(void)
+ }
+ else if ( ksp > regs->_esp )
+ {
+- for (i = 9; i > 0; ++i)
++ for ( i = 9; i > 0; --i )
+ {
+ rc |= __get_user(x, (u32 *)regs->rsp + i);
+ rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);