Commit 850840a2 authored by Natanael Copa

main/xen: security upgrade to 4.5.1

parent 10136242
......@@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.5.0
pkgrel=1
pkgver=4.5.1
pkgrel=0
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
......@@ -17,20 +17,8 @@ makedepends="$depends_dev autoconf automake libtool"
install=""
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
xsa117.patch
xsa118-4.5-unstable-1.patch
xsa118-4.5-unstable-2.patch
xsa119-unstable.patch
xsa121.patch
xsa122.patch
xsa123.patch
xsa125.patch
xsa126-qemut.patch
xsa126-qemuu.patch
xsa127-4.x.patch
xsa132.patch
xsa133-qemut.patch
xsa133-qemuu.patch
xsa135-qemut-1.patch
xsa135-qemut-2.patch
qemu-coroutine-gthread.patch
qemu-xen-musl-openpty.patch
......@@ -199,21 +187,9 @@ hypervisor() {
mv "$pkgdir"/boot "$subpkgdir"/
}
md5sums="9bac43d2419d05a647064d9253bb03fa xen-4.5.0.tar.gz
d43cf4b2da680dcf709714863c4f06ed xsa117.patch
27c7fd9e385440bed2d0f33d8f27c065 xsa118-4.5-unstable-1.patch
7816e8ea4718d79e65acd890bb9a6aed xsa118-4.5-unstable-2.patch
a96d0463ddf52699dc908908398d5960 xsa119-unstable.patch
ee80cffba0b858712d1e3eedf5df7775 xsa121.patch
8d46ed3846559a5492f686b4fe0fa4d4 xsa122.patch
4b98895abd06f41cdc2cf0e98ea05308 xsa123.patch
620fb94e090d7d735c3d96310c627972 xsa125.patch
941b4cb7f2a8ba31bf08ab5425891902 xsa126-qemut.patch
1ee5f45ecda3513e8a9708b2edf5141d xsa126-qemuu.patch
c7d2d6913945100b5048e5149d0f6af2 xsa127-4.x.patch
896d814b803427d72781cd9a1e11ebd2 xsa132.patch
c1b7aaa9c5e729b61712d27d1f9fae6a xsa133-qemut.patch
fdb8ba32313a5b8088773ffcfd865ae7 xsa133-qemuu.patch
md5sums="d12dc9e5e8bd22a68b5c7f53119221f1 xen-4.5.1.tar.gz
8035908817374d2d32aaadf942e3391d xsa135-qemut-1.patch
462f5d784493119bdfa6e7b5a628a88d xsa135-qemut-2.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch
08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
......@@ -236,21 +212,9 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd
9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate
6a2f777c16678d84039acf670d86fff6 xenqemu.confd
e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd"
sha256sums="5bdb40e2b28d2eeb541bd71a9777f40cbe2ae444b987521d33f099541a006f3b xen-4.5.0.tar.gz
5d7c1ec3bd604ed49999a56fefeebda1206f424b1b48c0e44899f13bc1e55cd0 xsa117.patch
ee24a4c5e12b67d7539f08b644080c87797f31b4402215cd4efbbc6114bffc25 xsa118-4.5-unstable-1.patch
bd532e3cd535fcdea51f43631a519012baff068cb62d2205fc25f2c823f031eb xsa118-4.5-unstable-2.patch
ee44c8f6a7cf3ca7b2d9886047b91690aaa2b091baf8629d8ab4c298022c6c47 xsa119-unstable.patch
e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268 xsa121.patch
13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47 xsa122.patch
994cf1487ec5c455fce4877168901e03283f0002062dcff8895a17ca30e010df xsa123.patch
be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de xsa125.patch
791c288379fcd8b30ee473d42f1113c8ffa5f244dd82df9db6cc4597c81155b7 xsa126-qemut.patch
bbb8c840f3ef182508cff36803d861f15923325075ccc58801673b23dfc1a169 xsa126-qemuu.patch
e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd xsa127-4.x.patch
329d4edf1e1133795ece41f2fc8887c5f4cc06b42ced63c810c610b17bcee46d xsa132.patch
8d8c82fedf4beb6ad1a27002c1d3fb3031e43a732316e2049ec5d04939c159bc xsa133-qemut.patch
032481a153d80192112e42f704dc7180aeb995a12d3ddef0efec4eb87c044079 xsa133-qemuu.patch
sha256sums="668c11d4fca67ac44329e369f810356eacd37b28d28fb96e66aac77f3c5e1371 xen-4.5.1.tar.gz
b4b66d772e52ec35f7256b168ac68f5cf0901590112b3b4db860d1b9c2f513f6 xsa135-qemut-1.patch
0d98a8c4498390a93665872dea9b4b00781578e95e6c78a49632bacb5f70edb8 xsa135-qemut-2.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
......@@ -273,21 +237,9 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in
0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate
4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd
c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd"
sha512sums="31621fbaf621ad350125d03366ecff4dec5d810b0c1242ca0e28788f7556ac1443d7ee9247e1f76dec07e148e0b4ae16d08a7c10101bb78d6529375f3e40998e xen-4.5.0.tar.gz
517dfa702d6c80816d27bbc8fb55e6cd72856e157e6a18ff2d13b310f9173f8bb23940e43bb85acf41fd035e7415597f237c1d2805c87ff1e5c37c49ab4d4ed0 xsa117.patch
4074546aab41f9a9093b0bc1124e02d443402c1976484797c3ef59bc5cfa84202e22c5247eb99b0f0a7b0918a6d79ff612b1c59f0e5154bc79926c553e784f91 xsa118-4.5-unstable-1.patch
5a11cac98ee70d3bfc86a9096b2007c0bbf000b4abf6e53aaf7cb574ac59dcc39a31585bf85f58349b3c94535ef3abf0ddfced20af723dcc4a03a288dfc550a6 xsa118-4.5-unstable-2.patch
96c782934f52a1e541909270e88f38b22335ccb20562cefa068ad2b6713011cdeb0cb9d3ad9523a6ae1c52703b62f57fae53a7986b518a73a094719475a2e9db xsa119-unstable.patch
c58967af871518340745fd9023822ec4cc42c90c7f99f5e91eaec2da33476f50819ac84f70a38bafcd26cd60909ea9f54920606ec970150e3c2b5b28ee021883 xsa121.patch
723e9c2d12a5c6a9acac3c3feba06cb811e9af4949d6b5f75814fff89fef7e53bc90fe1562b70a5983f72ec623fe14fb2f83f4b23039cf83f50c9cc337ab22d3 xsa122.patch
1ebcfa74a1922656584fdd6c46563a88e7e76320e6605bdda837f8710872e5b2144c86a57c8246e7b33c7b7f344ce068807a7da5ecbc07c231ae61959e43290d xsa123.patch
cf05a33319018093003a72d3187d361c893490cd6728b9a3e3adf2d925287c838eae16554f8f5d4e2ffef3199e3da28ff7573fa5211b2246f0d3d2da30ff5130 xsa125.patch
b65565d1e8fd0a41a683c22664cc024b9193f733f7029a4421730a63c23190ff4d6d3afb7bfddcccd290c8986b866d989e6ddfa9c5d99f6aa73e0516c2d2d511 xsa126-qemut.patch
5ade1fb69e48d12b60fc867b00a59dcd94d3db264c9f3cf6937551ef142fd37285ba59b81b95883f16b21d287fda5eef5f114df155fef059ba97535168fd358a xsa126-qemuu.patch
598761b014cf17fa9ee1ac56ad7cf5c27cda208e180b471d2946a14079886c60448c6f2e7e0633bd1d85b5737af2a4e76b7377e58726f617e982c5c5395f03d9 xsa127-4.x.patch
23d4fb293c678b8b0a6c48cbd696761bd35179e56c7d9b1d8090006241e33dc5cc4d77a2598f27dd3943a9d13a38c6b21714d2a639e6f9c0d86a0a5c747becee xsa132.patch
a06bf522ab6076fbb5869e9a5f1aba37d41fba21d8a327b85ea315ca8814cb959fef2d3458c7f6d2b758eb5a4b7b54ed81b14bb80512205eb2a90d46ca432f95 xsa133-qemut.patch
fc97003d6817fa44dac7e72db1b5bdb0905a138d65caf12f8b1e3cd5855b3b8d441caf95f7c902f36b4c21c862148ab31e45b6ef1ffd22c25875a04cb29c9911 xsa133-qemuu.patch
sha512sums="9436243e26bc64bc836a179abdc3a6b1b6fa9d3f2170453092c18be71fa62e18cd4465a9154c0f28a7ac8d69d08361ba1defef240a51197f058c012c3855ba04 xen-4.5.1.tar.gz
68824ec4d8a201c9687bd2de82489730908a70914243067f9e76a2584ce73212fd55ec00d6cf1301f7d1c73e32c9e46a93d3da4a6a61781ddec4f863190fb02b xsa135-qemut-1.patch
c29683569affcef4d45ec510b0b8b6d7c4466fc3026005b0612876ce1b7dc52ead77880a3204b5df78d836bdf197b872780c67afd49a895f9f7a47aabf3d9064 xsa135-qemut-2.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001
From: Julien Grall <julien.grall@linaro.org>
Date: Fri, 23 Jan 2015 14:15:07 +0000
Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI
target mode is invalid
The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
Even if it's an invalid value, a malicious guest could write this value
and threfore crash the hypervisor.
Replace the BUG() by logging the error and inject a data abort to the guest.
This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7
"xen/arm: split vgic driver into generic and vgic-v2 driver".
This is CVE-2015-0268 / XSA-117.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
---
xen/arch/arm/vgic-v2.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
index 598bf06..9dc9a20 100644
--- a/xen/arch/arm/vgic-v2.c
+++ b/xen/arch/arm/vgic-v2.c
@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
sgi_mode = SGI_TARGET_SELF;
break;
default:
- BUG();
+ printk(XENLOG_G_DEBUG
+ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
+ v, sgir);
+ return 0;
}
return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
--
2.1.4
From e8fa469595e29b2dbe6dde3a77ee2ea2d9e93283 Mon Sep 17 00:00:00 2001
From: Julien Grall <julien.grall@linaro.org>
Date: Mon, 19 Jan 2015 12:59:42 +0000
Subject: [PATCH 2/2] xen/arm: vgic-v2: message in the emulation code should be
rate-limited
printk is not rated-limited by default. Therefore a malicious guest may
be able to flood the Xen console.
If we use gdprintk, unecessary information will be printed such as the
filename and the line. Instead use XENLOG_G_ERR combine with %pv.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
---
xen/arch/arm/vgic-v2.c | 40 +++++++++++++++++++++++-----------------
1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
index 9dc9a20..3b87f54 100644
--- a/xen/arch/arm/vgic-v2.c
+++ b/xen/arch/arm/vgic-v2.c
@@ -198,7 +198,7 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
case GICD_ICPIDR2:
if ( dabt.size != DABT_WORD ) goto bad_width;
- printk("vGICD: unhandled read from ICPIDR2\n");
+ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v);
return 0;
/* Implementation defined -- read as zero */
@@ -215,14 +215,14 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
goto read_as_zero;
default:
- printk("vGICD: unhandled read r%d offset %#08x\n",
- dabt.reg, gicd_reg);
+ printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
+ v, dabt.reg, gicd_reg);
return 0;
}
bad_width:
- printk("vGICD: bad read width %d r%d offset %#08x\n",
- dabt.size, dabt.reg, gicd_reg);
+ printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
+ v, dabt.size, dabt.reg, gicd_reg);
domain_crash_synchronous();
return 0;
@@ -331,14 +331,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
case GICD_ISPENDR ... GICD_ISPENDRN:
if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
+ printk(XENLOG_G_ERR
+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
return 0;
case GICD_ICPENDR ... GICD_ICPENDRN:
if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
+ printk(XENLOG_G_ERR
+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
return 0;
case GICD_ISACTIVER ... GICD_ISACTIVERN:
@@ -457,14 +459,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
case GICD_CPENDSGIR ... GICD_CPENDSGIRN:
if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
- printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
+ printk(XENLOG_G_ERR
+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
return 0;
case GICD_SPENDSGIR ... GICD_SPENDSGIRN:
if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
- printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
- dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
+ printk(XENLOG_G_ERR
+ "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
+ v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
return 0;
/* Implementation defined -- write ignored */
@@ -489,14 +493,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
goto write_ignore;
default:
- printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
- dabt.reg, *r, gicd_reg);
+ printk(XENLOG_G_ERR
+ "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
+ v, dabt.reg, *r, gicd_reg);
return 0;
}
bad_width:
- printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
- dabt.size, dabt.reg, *r, gicd_reg);
+ printk(XENLOG_G_ERR
+ "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+ v, dabt.size, dabt.reg, *r, gicd_reg);
domain_crash_synchronous();
return 0;
--
2.1.4
From f433bfafbaf7d8a41c4c27aa3e8e78b1ab900b69 Mon Sep 17 00:00:00 2001
From: Ian Campbell <ian.campbell@citrix.com>
Date: Fri, 20 Feb 2015 14:41:09 +0000
Subject: [PATCH] tools: libxl: Explicitly disable graphics backends on qemu
cmdline
By default qemu will try to create some sort of backend for the
emulated VGA device, either SDL or VNC.
However when the user specifies sdl=0 and vnc=0 in their configuration
libxl was not explicitly disabling either backend, which could lead to
one unexpectedly running.
If either sdl=1 or vnc=1 is configured then both before and after this
change only the backends which are explicitly enabled are configured,
i.e. this issue only occurs when all backends are supposed to have
been disabled.
This affects qemu-xen and qemu-xen-traditional differently.
If qemu-xen was compiled with SDL support then this would result in an
SDL window being opened if $DISPLAY is valid, or a failure to start
the guest if not. Passing "-display none" to qemu before any further
-sdl options disables this default behaviour and ensures that SDL is
only started if the libxl configuration demands it.
If qemu-xen was compiled without SDL support then qemu would instead
start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1
(IPv4 localhost) with IPv6 preferred if available. Explicitly pass
"-vnc none" when vnc is not enabled in the libxl configuration to
remove this possibility.
qemu-xen-traditional would never start a vnc backend unless asked.
However by default it will start an SDL backend, the way to disable
this is to pass a -vnc option. In other words passing "-vnc none" will
disable both vnc and sdl by default. sdl can then be reenabled if
configured by subsequent use of the -sdl option.
Tested with both qemu-xen and qemu-xen-traditional built with SDL
support and:
xl cr # defaults
xl cr sdl=0 vnc=0
xl cr sdl=1 vnc=0
xl cr sdl=0 vnc=1
xl cr sdl=0 vnc=0 vga=\"none\"
xl cr sdl=0 vnc=0 nographic=1
with both valid and invalid $DISPLAY.
This is XSA-119.
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
tools/libxl/libxl_dm.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 8599a6a..3b918c6 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -180,7 +180,14 @@ static char ** libxl__build_device_model_args_old(libxl__gc *gc,
if (libxl_defbool_val(vnc->findunused)) {
flexarray_append(dm_args, "-vncunused");
}
- }
+ } else
+ /*
+ * VNC is not enabled by default by qemu-xen-traditional,
+ * however passing -vnc none causes SDL to not be
+ * (unexpectedly) enabled by default. This is overridden by
+ * explicitly passing -sdl below as required.
+ */
+ flexarray_append_pair(dm_args, "-vnc", "none");
if (sdl) {
flexarray_append(dm_args, "-sdl");
@@ -522,7 +529,17 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc,
}
flexarray_append(dm_args, vncarg);
- }
+ } else
+ /*
+ * Ensure that by default no vnc server is created.
+ */
+ flexarray_append_pair(dm_args, "-vnc", "none");
+
+ /*
+ * Ensure that by default no display backend is created. Further
+ * options given below might then enable more.
+ */
+ flexarray_append_pair(dm_args, "-display", "none");
if (sdl) {
flexarray_append(dm_args, "-sdl");
--
2.1.4
x86/HVM: return all ones on wrong-sized reads of system device I/O ports
So far the value presented to the guest remained uninitialized.
This is CVE-2015-2044 / XSA-121.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/x86/hvm/i8254.c
+++ b/xen/arch/x86/hvm/i8254.c
@@ -486,6 +486,7 @@ static int handle_pit_io(
if ( bytes != 1 )
{
gdprintk(XENLOG_WARNING, "PIT bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
--- a/xen/arch/x86/hvm/pmtimer.c
+++ b/xen/arch/x86/hvm/pmtimer.c
@@ -213,6 +213,7 @@ static int handle_pmt_io(
if ( bytes != 4 )
{
gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
--- a/xen/arch/x86/hvm/rtc.c
+++ b/xen/arch/x86/hvm/rtc.c
@@ -703,7 +703,8 @@ static int handle_rtc_io(
if ( bytes != 1 )
{
- gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
+ gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
+ *val = ~0;
return X86EMUL_OKAY;
}
--- a/xen/arch/x86/hvm/vpic.c
+++ b/xen/arch/x86/hvm/vpic.c
@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
if ( bytes != 1 )
{
gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
+ *val = ~0;
return X86EMUL_OKAY;
}
pre-fill structures for certain HYPERVISOR_xen_version sub-ops
... avoiding to pass hypervisor stack contents back to the caller
through space unused by the respective strings.
This is CVE-2015-2045 / XSA-122.
Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
case XENVER_extraversion:
{
xen_extraversion_t extraversion;
+
+ memset(extraversion, 0, sizeof(extraversion));
safe_strcpy(extraversion, xen_extra_version());
if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
return -EFAULT;
@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
case XENVER_compile_info:
{
struct xen_compile_info info;
+
+ memset(&info, 0, sizeof(info));
safe_strcpy(info.compiler, xen_compiler());
safe_strcpy(info.compile_by, xen_compile_by());
safe_strcpy(info.compile_domain, xen_compile_domain());
@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
case XENVER_changeset:
{
xen_changeset_info_t chgset;
+
+ memset(chgset, 0, sizeof(chgset));
safe_strcpy(chgset, xen_changeset());
if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
return -EFAULT;
x86emul: fully ignore segment override for register-only operations
For ModRM encoded instructions with register operands we must not
overwrite ea.mem.seg (if a - bogus in that case - segment override was
present) as it aliases with ea.reg.
This is CVE-2015-2151 / XSA-123.
Reported-by: Felix Wilhelm <fwilhelm@ernw.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Keir Fraser <keir@xen.org>
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1757,7 +1757,7 @@ x86_emulate(
}
}
- if ( override_seg != -1 )
+ if ( override_seg != -1 && ea.type == OP_MEM )
ea.mem.seg = override_seg;
/* Early operand adjustments. */
From 98670acc98cad5aee0e0714694a64d3b96675c36 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Wed, 19 Nov 2014 12:57:11 -0500
Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to only process up
to 64 GFNs (or less)
Said hypercall for large BARs can take quite a while. As such
we can require that the hypercall MUST break up the request
in smaller values.
Another approach is to add preemption to it - whether we do the
preemption using hypercall_create_continuation or returning
EAGAIN to userspace (and have it re-invocate the call) - either
way the issue we cannot easily solve is that in 'map_mmio_regions'
if we encounter an error we MUST call 'unmap_mmio_regions' for the
whole BAR region.
Since the preemption would re-use input fields such as nr_mfns,
first_gfn, first_mfn - we would lose the original values -
and only undo what was done in the current round (i.e. ignoring
anything that was done prior to earlier preemptions).
Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but
that puts a limit (since the return value is a long) on the amount
of nr_mfns that can provided.
This patch sidesteps this problem by:
- Setting an hard limit of nr_mfns having to be 64 or less.
- Toolstack adjusts correspondingly to the nr_mfn limit.
- If the there is an error when adding the toolstack will call the
remove operation to remove the whole region.
The need to break this hypercall down is for large BARs can take
more than the guest (initial domain usually) time-slice. This has
the negative result in that the guest is locked out for a long
duration and is unable to act on any pending events.
We also augment the code to return zero if nr_mfns instead
of trying to the hypercall.
Suggested-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
[v50: Simplify loop]
[v51: If max_batch_sz 1 (or less) we would return zero. Fix that]
[v52: Handle nr_mfns being zero]
[v53: Fix up return value]
---
tools/libxc/xc_domain.c | 46 +++++++++++++++++++++++++++++++++++++++++----
xen/common/domctl.c | 5 +++++
xen/include/public/domctl.h | 1 +
3 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/tools/libxc/xc_domain.c b/tools/libxc/xc_domain.c
index 845d1d7..bba7672 100644
--- a/tools/libxc/xc_domain.c
+++ b/tools/libxc/xc_domain.c
@@ -1988,6 +1988,8 @@ int xc_domain_memory_mapping(
{
DECLARE_DOMCTL;
xc_dominfo_t info;
+ int ret = 0, err;
+ unsigned long done = 0, nr, max_batch_sz;
if ( xc_domain_getinfo(xch, domid, 1, &info) != 1 ||
info.domid != domid )
@@ -1998,14 +2000,50 @@ int xc_domain_memory_mapping(
if ( !xc_core_arch_auto_translated_physmap(&info) )
return 0;
+ if ( !nr_mfns )
+ return 0;
+
domctl.cmd = XEN_DOMCTL_memory_mapping;
domctl.domain = domid;
- domctl.u.memory_mapping.first_gfn = first_gfn;
- domctl.u.memory_mapping.first_mfn = first_mfn;
- domctl.u.memory_mapping.nr_mfns = nr_mfns;
domctl.u.memory_mapping.add_mapping = add_mapping;
+ max_batch_sz = nr_mfns;
+ do
+ {
+ nr = min(nr_mfns - done, max_batch_sz);
+ domctl.u.memory_mapping.nr_mfns = nr;
+ domctl.u.memory_mapping.first_gfn = first_gfn + done;
+ domctl.u.memory_mapping.first_mfn = first_mfn + done;
+ err = do_domctl(xch, &domctl);
+ if ( err && errno == E2BIG )
+ {
+ if ( max_batch_sz <= 1 )
+ break;
+ max_batch_sz >>= 1;
+ continue;
+ }
+ /* Save the first error... */
+ if ( !ret )
+ ret = err;
+ /* .. and ignore the rest of them when removing. */
+ if ( err && add_mapping != DPCI_REMOVE_MAPPING )
+ break;
- return do_domctl(xch, &domctl);
+ done += nr;
+ } while ( done < nr_mfns );
+
+ /*
+ * Undo what we have done unless unmapping, by unmapping the entire region.
+ * Errors here are ignored.
+ */
+ if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
+ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
+ DPCI_REMOVE_MAPPING);
+
+ /* We might get E2BIG so many times that we never advance. */
+ if ( !done && !ret )
+ ret = -1;
+
+ return ret;
}
int xc_domain_ioport_mapping(
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index d396cc4..c2e60a7 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -1027,6 +1027,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
(gfn + nr_mfns - 1) < gfn ) /* wrap? */
break;
+ ret = -E2BIG;
+ /* Must break hypercall up as this could take a while. */
+ if ( nr_mfns > 64 )
+ break;
+
ret = -EPERM;
if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ||
!iomem_access_permitted(d, mfn, mfn_end) )
diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
index ca0e51e..0c9f474 100644
--- a/xen/include/public/domctl.h
+++ b/xen/include/public/domctl.h
@@ -543,6 +543,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_pt_irq_t);
/* Bind machine I/O address range -> HVM address range. */
+/* If this returns -E2BIG lower nr_mfns value. */
/* XEN_DOMCTL_memory_mapping */
#define DPCI_ADD_MAPPING 1
#define DPCI_REMOVE_MAPPING 0
--
2.1.0
xen: limit guest control of PCI command register
Otherwise the guest can abuse that control to cause e.g. PCIe
Unsupported Request responses (by disabling memory and/or I/O decoding
and subsequently causing [CPU side] accesses to the respective address
ranges), which (depending on system configuration) may be fatal to the
host.
This is CVE-2015-2756 / XSA-126.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/tools/qemu-xen-traditional/hw/pass-through.c
+++ b/tools/qemu-xen-traditional/hw/pass-through.c
@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de
static int pt_long_reg_read(struct pt_dev *ptdev,
struct pt_reg_tbl *cfg_entry,
uint32_t *value, uint32_t valid_mask);
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
- struct pt_reg_tbl *cfg_entry,
- uint16_t *value, uint16_t valid_mask);
static int pt_bar_reg_read(struct pt_dev *ptdev,
struct pt_reg_tbl *cfg_entry,
uint32_t *value, uint32_t valid_mask);
@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg
.size = 2,
.init_val = 0x0000,
.ro_mask = 0xF880,
- .emu_mask = 0x0740,
+ .emu_mask = 0x0743,
.init = pt_common_reg_init,
- .u.w.read = pt_cmd_reg_read,
+ .u.w.read = pt_word_reg_read,
.u.w.write = pt_cmd_reg_write,
.u.w.restore = pt_cmd_reg_restore,
},
@@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_d
return rc;
}
-static int pt_register_regions(struct pt_dev *assigned_device)
+static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd)
{
int i = 0;
uint32_t bar_data = 0;
@@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt
/* Register current region */
if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO )
+ {
pci_register_io_region((PCIDevice *)assigned_device, i,
(uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO,
pt_ioport_map);
+ *cmd |= PCI_COMMAND_IO;
+ }
else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH )
+ {
pci_register_io_region((PCIDevice *)assigned_device, i,
(uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH,
pt_iomem_map);
+ *cmd |= PCI_COMMAND_MEMORY;
+ }
else
+ {
pci_register_io_region((PCIDevice *)assigned_device, i,
(uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM,
pt_iomem_map);
+ *cmd |= PCI_COMMAND_MEMORY;
+ }
PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n",
(uint32_t)(pci_dev->size[i]),
@@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_de
return 0;
}
-/* read Command register */
-static int pt_cmd_reg_read(struct pt_dev *ptdev,
- struct pt_reg_tbl *cfg_entry,
- uint16_t *value, uint16_t valid_mask)
-{
- struct pt_reg_info_tbl *reg = cfg_entry->reg;
- uint16_t valid_emu_mask = 0;
- uint16_t emu_mask = reg->emu_mask;
-
- if ( ptdev->is_virtfn )
- emu_mask |= PCI_COMMAND_MEMORY;
- if ( pt_is_iomul(ptdev) )
- emu_mask |= PCI_COMMAND_IO;
-
- /* emulate word register */
- valid_emu_mask = emu_mask & valid_mask;
- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
-
- return 0;
-}
-
/* read BAR */
static int pt_bar_reg_read(struct pt_dev *ptdev,
struct pt_reg_tbl *cfg_entry,
@@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_de
uint16_t writable_mask = 0;
uint16_t throughable_mask = 0;
uint16_t wr_value = *value;
- uint16_t emu_mask = reg->emu_mask;
-
- if ( ptdev->is_virtfn )
- emu_mask |= PCI_COMMAND_MEMORY;
- if ( pt_is_iomul(ptdev) )
- emu_mask |= PCI_COMMAND_IO;
/* modify emulate register */
writable_mask = ~reg->ro_mask & valid_mask;
cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
/* create value for writing to I/O device register */
- throughable_mask = ~emu_mask & valid_mask;
+ throughable_mask = ~reg->emu_mask & valid_mask;
if (*value & PCI_COMMAND_DISABLE_INTx)
{
@@ -4211,6 +4190,7 @@ static struct pt_dev * register_real_dev
struct pt_dev *assigned_device = NULL;
struct pci_dev *pci_dev;
uint8_t e_device, e_intx;
+ uint16_t cmd = 0;