From 77e786238cb7998304cfd8fe07f2a27fc6a2a72e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20N=C3=A9ri?= <dne+alpine@mayonnaise.net>
Date: Tue, 24 Nov 2020 13:25:58 +0100
Subject: [PATCH] main/xen: security fix for XSA-355

Fix stack corruption introduced by fix for XSA-346.
---
 main/xen/APKBUILD     |  6 +++++-
 main/xen/xsa355.patch | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 main/xen/xsa355.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index a57d02164a0f..8bd1fbb5b8b4 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=xen
 pkgver=4.13.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Xen hypervisor"
 url="https://www.xenproject.org/"
 arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -196,6 +196,8 @@ options="!strip"
 #     - CVE-????-????? XSA-347
 #   4.13.2-r1:
 #     - CVE-????-????? XSA-351
+#   4.13.2-r2:
+#     - CVE-????-????? XSA-355
 
 
 case "$CARCH" in
@@ -262,6 +264,7 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
 
 	xsa351-x86-4.13-1.patch
 	xsa351-x86-4.13-2.patch
+	xsa355.patch
 
 	xenstored.initd
 	xenstored.confd
@@ -510,6 +513,7 @@ e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3a
 8cb12dbfc05a53898a97d47d71ab6b8a6f81c5e5579fd765b37303faea95c645cb8dedc05e3d064bdf070e93814e00bf8939767acc1127513375bab0fe2f4436  py3-compat.patch
 fdea3f42de6024c4b28ed32e26aa8c03efd198e487e532081f6c0c229fb309a1e5a02d7ba4a66626470d0debbc8abc96cbf27f1aed24b71f95c085db7077c736  xsa351-x86-4.13-1.patch
 7b3f4b3e586b39c2c037ccdd7c9edc9c47d89bfc4c4135ba7f9ac016e6911562ee634c13760d1af50835cb9fd1776ef3d1624ca4768f2fdd7266b38b67911374  xsa351-x86-4.13-2.patch
+70b4b03c956b189ed75d0105152945bf3bfbee406135cab32f7b8160739f207ae17f9e7028b13d298de97de6dadcb205e8a7cd2830cad8b91e8a62b93f168a80  xsa355.patch
 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50  xenstored.initd
 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0  xenstored.confd
 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523  xenconsoled.initd
diff --git a/main/xen/xsa355.patch b/main/xen/xsa355.patch
new file mode 100644
index 000000000000..491dd05028a8
--- /dev/null
+++ b/main/xen/xsa355.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: memory: fix off-by-one in XSA-346 change
+
+The comparison against ARRAY_SIZE() needs to be >= in order to avoid
+overrunning the pages[] array.
+
+This is XSA-355.
+
+Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
+             ++extra.ppage;
+ 
+         /* Check for continuation if it's not the last iteration. */
+-        if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
++        if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
+              (xatp->size > done && hypercall_preempt_check()) )
+         {
+             rc = start + done;
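Review bot: The `>=` on the new line is the correct bound only if `done` is incremented exactly once per `pages[]` slot consumed; the code that stores into `pages[]` and the start of `xenmem_add_to_physmap` lie outside this hunk, so that relation cannot be confirmed from the patch alone. When `extra.ppage` is NULL the counter can still run past `ARRAY_SIZE(pages)` without requesting a continuation, which is presumably fine because no `pages[]` store happens then, but that too is not visible here. The `Fixes:` target 5777a3742d88 is the XSA-346 change, which the secfixes block in the APKBUILD hunk does not list explicitly, so confirm the hunk applies against the 4.13.2 tree without fuzz before shipping. For traceability I would add an origin line to the patch header, e.g. `Origin: https://xenbits.xen.org/xsa/advisory-355.html`, so the file can be matched against the advisory later.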
-- 
GitLab