Date:      Tue, 5 Jan 2016 10:06:07 +0000 (UTC)
From:      =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= <royger@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r405279 - in head: emulators/xen emulators/xen-kernel emulators/xen-kernel/files sysutils/xen-tools sysutils/xen-tools/files
Message-ID:  <201601051006.u05A67ZC073546@repo.freebsd.org>

Author: royger (src committer)
Date: Tue Jan  5 10:06:07 2016
New Revision: 405279
URL: https://svnweb.freebsd.org/changeset/ports/405279

Log:
  xen: fix XSAs
  
  Add the following XSA patches: 159, 160, 162, 165, 166.
  
  Security:		CVE-2015-8339
  Security:		CVE-2015-8340
  Security:		CVE-2015-8341
  Security:		CVE-2015-7504
  Security:		CVE-2015-8555
  PR:			205841
  MFH:			2016Q1
  Sponsored by:		Citrix Systems R&D
  Requested by:		junovitch
  Reviewed by:		junovitch
  Differential revision:	https://reviews.freebsd.org/D4783

Added:
  head/emulators/xen-kernel/files/xsa159.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa165-4.5.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa166-4.5.patch   (contents, props changed)
  head/sysutils/xen-tools/files/xsa160-4.6.patch   (contents, props changed)
  head/sysutils/xen-tools/files/xsa162-qemuu.patch   (contents, props changed)
Modified:
  head/emulators/xen-kernel/Makefile
  head/emulators/xen/Makefile
  head/sysutils/xen-tools/Makefile

Modified: head/emulators/xen-kernel/Makefile
==============================================================================
--- head/emulators/xen-kernel/Makefile	Tue Jan  5 09:19:44 2016	(r405278)
+++ head/emulators/xen-kernel/Makefile	Tue Jan  5 10:06:07 2016	(r405279)
@@ -3,6 +3,7 @@
 PORTNAME=	xen
 PKGNAMESUFFIX=	-kernel
 PORTVERSION=	4.5.2
+PORTREVISION=   1
 CATEGORIES=	emulators
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
 
@@ -30,7 +31,11 @@ EXTRA_PATCHES=	${FILESDIR}/0001-introduc
 		${FILESDIR}/0005-x86-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p2 \
 		${FILESDIR}/0006-xen-pvh-enable-mmu_update-hypercall.patch:-p2 \
 		${FILESDIR}/0007-iommu-fix-usage-of-shared-EPT-IOMMU-page-tables-on-P.patch:-p2 \
-		${FILESDIR}/xsa156-4.5.patch:-p2
+		${FILESDIR}/xsa156-4.5.patch:-p2 \
+		${FILESDIR}/xsa159.patch:-p2 \
+		${FILESDIR}/xsa165-4.5.patch:-p2 \
+		${FILESDIR}/xsa166-4.5.patch:-p2
+
 
 .include <bsd.port.options.mk>
 
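Review bot: The added line at L63 is an empty line right after the last EXTRA_PATCHES entry (L62 has no trailing backslash), so the file now carries two consecutive blank lines before `.include <bsd.port.options.mk>`; dropping the added blank line keeps the one that was already there. The new `PORTREVISION=   1` at L50 separates name and value with spaces while every neighbouring assignment in the block uses a tab, and the same applies to L270 and L283 in the other two Makefiles; `PORTREVISION=	1` would match the surrounding style. The `-p2` strip level on the three new entries is consistent with the existing patches in the list.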

Added: head/emulators/xen-kernel/files/xsa159.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa159.patch	Tue Jan  5 10:06:07 2016	(r405279)
@@ -0,0 +1,47 @@
+memory: fix XENMEM_exchange error handling
+
+assign_pages() can fail due to the domain getting killed in parallel,
+which should not result in a hypervisor crash.
+
+Also delete a redundant put_gfn() - all relevant paths leading to the
+"fail" label already do this (and there are also paths where it was
+plain wrong). All of the put_gfn()-s got introduced by 51032ca058
+("Modify naming of queries into the p2m"), including the otherwise
+unneeded initializer for k (with even a kind of misleading comment -
+the compiler warning could actually have served as a hint that the use
+is wrong).
+
+This is XSA-159.
+
+Reported-by: Julien Grall <julien.grall@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA
+     PAGE_LIST_HEAD(out_chunk_list);
+     unsigned long in_chunk_order, out_chunk_order;
+     xen_pfn_t     gpfn, gmfn, mfn;
+-    unsigned long i, j, k = 0; /* gcc ... */
++    unsigned long i, j, k;
+     unsigned int  memflags = 0;
+     long          rc = 0;
+     struct domain *d;
+@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA
+  fail:
+     /* Reassign any input pages we managed to steal. */
+     while ( (page = page_list_remove_head(&in_chunk_list)) )
+-    {
+-        put_gfn(d, gmfn + k--);
+         if ( assign_pages(d, page, 0, MEMF_no_refcount) )
+-            BUG();
+-    }
++        {
++            BUG_ON(!d->is_dying);
++            if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++                put_page(page);
++        }
+ 
+  dying:
+     rcu_unlock_domain(d);

Added: head/emulators/xen-kernel/files/xsa165-4.5.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa165-4.5.patch	Tue Jan  5 10:06:07 2016	(r405279)
@@ -0,0 +1,85 @@
+x86: don't leak ST(n)/XMMn values to domains first using them
+
+FNINIT doesn't alter these registers, and hence using it is
+insufficient to initialize a guest's initial state.
+
+This is XSA-165.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -798,6 +798,17 @@ int arch_set_info_guest(
+         if ( v->arch.xsave_area )
+              v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE;
+     }
++    else if ( v->arch.xsave_area )
++        memset(&v->arch.xsave_area->xsave_hdr, 0,
++               sizeof(v->arch.xsave_area->xsave_hdr));
++    else
++    {
++        typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++        memset(fpu_sse, 0, sizeof(*fpu_sse));
++        fpu_sse->fcw = FCW_DEFAULT;
++        fpu_sse->mxcsr = MXCSR_DEFAULT;
++    }
+ 
+     if ( !compat )
+     {
+--- a/xen/arch/x86/i387.c
++++ b/xen/arch/x86/i387.c
+@@ -17,19 +17,6 @@
+ #include <asm/xstate.h>
+ #include <asm/asm_defns.h>
+ 
+-static void fpu_init(void)
+-{
+-    unsigned long val;
+-    
+-    asm volatile ( "fninit" );
+-    if ( cpu_has_xmm )
+-    {
+-        /* load default value into MXCSR control/status register */
+-        val = MXCSR_DEFAULT;
+-        asm volatile ( "ldmxcsr %0" : : "m" (val) );
+-    }
+-}
+-
+ /*******************************/
+ /*     FPU Restore Functions   */
+ /*******************************/
+@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *
+ 
+     if ( cpu_has_xsave )
+         fpu_xrstor(v, XSTATE_LAZY);
+-    else if ( v->fpu_initialised )
+-    {
+-        if ( cpu_has_fxsr )
+-            fpu_fxrstor(v);
+-        else
+-            fpu_frstor(v);
+-    }
+     else
+-        fpu_init();
++        fpu_fxrstor(v);
+ 
+     v->fpu_initialised = 1;
+     v->fpu_dirtied = 1;
+@@ -317,7 +297,14 @@ int vcpu_init_fpu(struct vcpu *v)
+     else
+     {
+         v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
+-        if ( !v->arch.fpu_ctxt )
++        if ( v->arch.fpu_ctxt )
++        {
++            typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++            fpu_sse->fcw = FCW_DEFAULT;
++            fpu_sse->mxcsr = MXCSR_DEFAULT;
++        }
++        else
+         {
+             rc = -ENOMEM;
+             goto done;

Added: head/emulators/xen-kernel/files/xsa166-4.5.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa166-4.5.patch	Tue Jan  5 10:06:07 2016	(r405279)
@@ -0,0 +1,44 @@
+x86/HVM: avoid reading ioreq state more than once
+
+Otherwise, especially when the compiler chooses to translate the
+switch() to a jump table, unpredictable behavior (and in the jump table
+case arbitrary code execution) can result.
+
+This is XSA-166.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -400,23 +400,23 @@ bool_t hvm_io_pending(struct vcpu *v)
+ 
+ static bool_t hvm_wait_for_io(struct hvm_ioreq_vcpu *sv, ioreq_t *p)
+ {
++    unsigned int state;
++
+     /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */
+-    while ( p->state != STATE_IOREQ_NONE )
++    while ( (state = p->state) != STATE_IOREQ_NONE )
+     {
+-        switch ( p->state )
++        rmb();
++        switch ( state )
+         {
+         case STATE_IORESP_READY: /* IORESP_READY -> NONE */
+-            rmb(); /* see IORESP_READY /then/ read contents of ioreq */
+             hvm_io_assist(p);
+             break;
+         case STATE_IOREQ_READY:  /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
+         case STATE_IOREQ_INPROCESS:
+-            wait_on_xen_event_channel(sv->ioreq_evtchn,
+-                                      (p->state != STATE_IOREQ_READY) &&
+-                                      (p->state != STATE_IOREQ_INPROCESS));
++            wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state);
+             break;
+         default:
+-            gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
++            gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
+             domain_crash(sv->vcpu->domain);
+             return 0; /* bail */
+         }

Modified: head/emulators/xen/Makefile
==============================================================================
--- head/emulators/xen/Makefile	Tue Jan  5 09:19:44 2016	(r405278)
+++ head/emulators/xen/Makefile	Tue Jan  5 10:06:07 2016	(r405279)
@@ -2,6 +2,7 @@
 
 PORTNAME=	xen
 PORTVERSION=	4.5.2
+PORTREVISION=   1
 CATEGORIES=	emulators
 
 MAINTAINER=	royger@FreeBSD.org

Modified: head/sysutils/xen-tools/Makefile
==============================================================================
--- head/sysutils/xen-tools/Makefile	Tue Jan  5 09:19:44 2016	(r405278)
+++ head/sysutils/xen-tools/Makefile	Tue Jan  5 10:06:07 2016	(r405279)
@@ -2,6 +2,7 @@
 
 PORTNAME=	xen
 PORTVERSION=	4.5.2
+PORTREVISION=   1
 CATEGORIES=	sysutils emulators
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \
 		http://code.coreboot.org/p/seabios/downloads/get/:seabios
@@ -47,7 +48,8 @@ QEMU_ARGS=	--disable-gtk \
 		--disable-curl \
 		--cxx=c++
 
-EXTRA_PATCHES=	${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1
+EXTRA_PATCHES=	${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1 \
+		${FILESDIR}/xsa160-4.6.patch:-p1
 
 CONFIGURE_ARGS+=	--with-extra-qemuu-configure-args="${QEMU_ARGS}"
 SHEBANG_FILES=	tools/misc/xencov_split \
@@ -74,6 +76,10 @@ post-patch:
 		${WRKSRC}/tools/libxl/libxl_dm.c \
 		${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c \
 		${WRKSRC}/docs/man/*
+	@for p in ${FILESDIR}/*qemuu*.patch; do \
+                 ${ECHO_CMD} "====> Applying $${p##*/}" ; \
+                 ${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen ; \
+         done
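Review bot: A failing `${PATCH}` inside the added loop only aborts the build when it happens on the last iteration, because the exit status of a `for` loop is that of the last command it ran; with more than one `*qemuu*.patch` in FILESDIR an earlier failure would be masked and the build would continue with a security patch silently unapplied. Appending an explicit exit to the patch command closes that gap: `${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen || exit 1 ; \`. The three continuation lines are indented with runs of spaces while the rest of the recipe (L298–L300) uses a tab, so a tab would match the surrounding style. The post-patch target begins outside the hunk.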
 
 post-install:
 	${MKDIR} ${STAGEDIR}/var/run/xen

Added: head/sysutils/xen-tools/files/xsa160-4.6.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/xen-tools/files/xsa160-4.6.patch	Tue Jan  5 10:06:07 2016	(r405279)
@@ -0,0 +1,69 @@
+From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Wed, 18 Nov 2015 15:34:54 +0000
+Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
+ build failure
+
+The bootloader may call libxl__file_reference_map(), which mmap's the
+pv_kernel and pv_ramdisk into process memory.  This was only unmapped,
+however, on the success path of libxl__build_pv().  If there were a
+failure anywhere between libxl_bootloader.c:parse_bootloader_result()
+and the end of libxl__build_pv(), the calls to
+libxl__file_reference_unmap() would be skipped, leaking the mapped
+virtual memory.
+
+Ideally this would be fixed by adding the unmap calls to the
+destruction path for libxl__domain_build_state.  Unfortunately the
+lifetime of the libxl__domain_build_state is opaque, and it doesn't
+have a proper destruction path.  But, the only thing in it that isn't
+from the gc are these bootloader references, and they are only ever
+set for one libxl__domain_build_state, the one which is
+libxl__domain_create_state.build_state.
+
+So we can clean up in the exit path from libxl__domain_create_*, which
+always comes through domcreate_complete.
+
+Remove the now-redundant unmaps in libxl__build_pv's success path.
+
+This is XSA-160.
+
+Signed-off-by: George Dunlap <george.dunlap@citrix.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Tested-by: George Dunlap <george.dunlap@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxl/libxl_create.c |    3 +++
+ tools/libxl/libxl_dom.c    |    3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
+index f5771da..278b9ed 100644
+--- a/tools/libxl/libxl_create.c
++++ b/tools/libxl/libxl_create.c
+@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__egc *egc,
+     libxl_domain_config *const d_config = dcs->guest_config;
+     libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
+ 
++    libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
++    libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
++
+     if (!rc && d_config->b_info.exec_ssidref)
+         rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
+ 
+diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
+index 8019f4e..2da3ac4 100644
+--- a/tools/libxl/libxl_dom.c
++++ b/tools/libxl/libxl_dom.c
+@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid,
+         state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
+     }
+ 
+-    libxl__file_reference_unmap(&state->pv_kernel);
+-    libxl__file_reference_unmap(&state->pv_ramdisk);
+-
+     ret = 0;
+ out:
+     xc_dom_release(dom);
+-- 
+1.7.10.4
+

Added: head/sysutils/xen-tools/files/xsa162-qemuu.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/xen-tools/files/xsa162-qemuu.patch	Tue Jan  5 10:06:07 2016	(r405279)
@@ -0,0 +1,42 @@
+net: pcnet: add check to validate receive data size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/pcnet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 3437376..5f55591 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+                 uint32_t fcs = ~0;
+                 uint8_t *p = src;
+ 
+-                while (p != &src[size-4])
++                while (p != &src[size])
+                     CRC(fcs, *p++);
+                 crc_err = (*(uint32_t *)p != htonl(fcs));
+             }
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s)
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+ 
+         /* if multi-tmd packet outsizes s->buffer then skip it silently.
+-           Note: this is not what real hw does */
+-        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++         * Note: this is not what real hw does.
++         * Last four bytes of s->buffer are used to store CRC FCS code.
++         */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+             s->xmit_pos = -1;
+             goto txdone;
+         }
+-- 
+2.4.3
+


