From owner-svn-ports-all@freebsd.org Tue Apr 4 13:48:41 2017 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 93ADCD2E972; Tue, 4 Apr 2017 13:48:41 +0000 (UTC) (envelope-from royger@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 56BB3E0B; Tue, 4 Apr 2017 13:48:41 +0000 (UTC) (envelope-from royger@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v34DmeOJ097835; Tue, 4 Apr 2017 13:48:40 GMT (envelope-from royger@FreeBSD.org) Received: (from royger@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v34DmeZ1097833; Tue, 4 Apr 2017 13:48:40 GMT (envelope-from royger@FreeBSD.org) Message-Id: <201704041348.v34DmeZ1097833@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: royger set sender to royger@FreeBSD.org using -f From: =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= Date: Tue, 4 Apr 2017 13:48:40 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r437733 - in branches/2017Q2/emulators/xen-kernel: . files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Apr 2017 13:48:41 -0000 Author: royger (src committer) Date: Tue Apr 4 13:48:40 2017 New Revision: 437733 URL: https://svnweb.freebsd.org/changeset/ports/437733 Log: MFH: r437732 xen: apply XSA-212 And do some portlint fixing (thanks to Li-Wen Hsu). Sponsored by: Citrix Systems R&D Approved by: ports-secteam (junovitch) Added: branches/2017Q2/emulators/xen-kernel/files/xsa212.patch - copied unchanged from r437732, head/emulators/xen-kernel/files/xsa212.patch Modified: branches/2017Q2/emulators/xen-kernel/Makefile Directory Properties: branches/2017Q2/ (props changed) Modified: branches/2017Q2/emulators/xen-kernel/Makefile ============================================================================== --- branches/2017Q2/emulators/xen-kernel/Makefile Tue Apr 4 13:32:53 2017 (r437732) +++ branches/2017Q2/emulators/xen-kernel/Makefile Tue Apr 4 13:48:40 2017 (r437733) @@ -1,11 +1,11 @@ # $FreeBSD$ PORTNAME= xen -PKGNAMESUFFIX= -kernel PORTVERSION= 4.7.2 -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= emulators MASTER_SITES= http://downloads.xenproject.org/release/xen/${PORTVERSION}/ +PKGNAMESUFFIX= -kernel MAINTAINER= royger@FreeBSD.org COMMENT= Hypervisor using a microkernel design @@ -41,16 +41,17 @@ EXTRA_PATCHES= ${FILESDIR}/0001-xen-logd ${FILESDIR}/0002-xen-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p1 \ ${FILESDIR}/kconf_arch.patch:-p1 \ ${FILESDIR}/0001-x86-drop-unneeded-__packed-attributes.patch:-p1 \ - ${FILESDIR}/0002-build-clang-fix-XSM-dummy-policy-when-using-clang-4..patch:-p1 + ${FILESDIR}/0002-build-clang-fix-XSM-dummy-policy-when-using-clang-4..patch:-p1 \ + ${FILESDIR}/xsa212.patch:-p1 .include .if ${OPSYS} != FreeBSD -IGNORE= Only supported on FreeBSD +IGNORE= only supported on FreeBSD .endif .if ${OSVERSION} < 1100055 -IGNORE= Only supported on recent FreeBSD 11 +IGNORE= only supported on recent FreeBSD 11 .endif pre-build: Copied: branches/2017Q2/emulators/xen-kernel/files/xsa212.patch (from r437732, head/emulators/xen-kernel/files/xsa212.patch) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/emulators/xen-kernel/files/xsa212.patch Tue Apr 4 13:48:40 2017 (r437733, copy of r437732, head/emulators/xen-kernel/files/xsa212.patch) @@ -0,0 +1,87 @@ +memory: properly check guest memory ranges in XENMEM_exchange handling + +The use of guest_handle_okay() here (as introduced by the XSA-29 fix) +is insufficient here, guest_handle_subrange_okay() needs to be used +instead. + +Note that the uses are okay in +- XENMEM_add_to_physmap_batch handling due to the size field being only + 16 bits wide, +- livepatch_list() due to the limit of 1024 enforced on the + number-of-entries input (leaving aside the fact that this can be + called by a privileged domain only anyway), +- compat mode handling due to counts there being limited to 32 bits, +- everywhere else due to guest arrays being accessed sequentially from + index zero. + +This is XSA-212. + +Reported-by: Jann Horn +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/common/memory.c ++++ b/xen/common/memory.c +@@ -436,8 +436,8 @@ static long memory_exchange(XEN_GUEST_HA + goto fail_early; + } + +- if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || +- !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) ++ if ( !guest_handle_subrange_okay(exch.in.extent_start, exch.nr_exchanged, ++ exch.in.nr_extents - 1) ) + { + rc = -EFAULT; + goto fail_early; +@@ -447,11 +447,27 @@ static long memory_exchange(XEN_GUEST_HA + { + in_chunk_order = exch.out.extent_order - exch.in.extent_order; + out_chunk_order = 0; ++ ++ if ( !guest_handle_subrange_okay(exch.out.extent_start, ++ exch.nr_exchanged >> in_chunk_order, ++ exch.out.nr_extents - 1) ) ++ { ++ rc = -EFAULT; ++ goto fail_early; ++ } + } + else + { + in_chunk_order = 0; + out_chunk_order = exch.in.extent_order - exch.out.extent_order; ++ ++ if ( !guest_handle_subrange_okay(exch.out.extent_start, ++ exch.nr_exchanged << out_chunk_order, ++ exch.out.nr_extents - 1) ) ++ { ++ rc = -EFAULT; ++ goto fail_early; ++ } + } + + d = rcu_lock_domain_by_any_id(exch.in.domid); +--- a/xen/include/asm-x86/x86_64/uaccess.h ++++ b/xen/include/asm-x86/x86_64/uaccess.h +@@ -29,8 +29,9 @@ extern void *xlat_malloc(unsigned long * + /* + * Valid if in +ve half of 48-bit address space, or above Xen-reserved area. + * This is also valid for range checks (addr, addr+size). As long as the +- * start address is outside the Xen-reserved area then we will access a +- * non-canonical address (and thus fault) before ever reaching VIRT_START. ++ * start address is outside the Xen-reserved area, sequential accesses ++ * (starting at addr) will hit a non-canonical address (and thus fault) ++ * before ever reaching VIRT_START. + */ + #define __addr_ok(addr) \ + (((unsigned long)(addr) < (1UL<<47)) || \ +@@ -40,7 +41,8 @@ extern void *xlat_malloc(unsigned long * + (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size)) + + #define array_access_ok(addr, count, size) \ +- (access_ok(addr, (count)*(size))) ++ (likely(((count) ?: 0UL) < (~0UL / (size))) && \ ++ access_ok(addr, (count) * (size))) + + #define __compat_addr_ok(d, addr) \ + ((unsigned long)(addr) < HYPERVISOR_COMPAT_VIRT_START(d))