From owner-svn-ports-all@freebsd.org  Tue Apr  4 13:48:41 2017
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 93ADCD2E972;
 Tue,  4 Apr 2017 13:48:41 +0000 (UTC)
 (envelope-from royger@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 56BB3E0B;
 Tue,  4 Apr 2017 13:48:41 +0000 (UTC)
 (envelope-from royger@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v34DmeOJ097835;
 Tue, 4 Apr 2017 13:48:40 GMT (envelope-from royger@FreeBSD.org)
Received: (from royger@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v34DmeZ1097833;
 Tue, 4 Apr 2017 13:48:40 GMT (envelope-from royger@FreeBSD.org)
Message-Id: <201704041348.v34DmeZ1097833@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: royger set sender to
 royger@FreeBSD.org using -f
From: =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= <royger@FreeBSD.org>
Date: Tue, 4 Apr 2017 13:48:40 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-branches@freebsd.org
Subject: svn commit: r437733 - in branches/2017Q2/emulators/xen-kernel: . files
X-SVN-Group: ports-branches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 13:48:41 -0000

Author: royger (src committer)
Date: Tue Apr  4 13:48:40 2017
New Revision: 437733
URL: https://svnweb.freebsd.org/changeset/ports/437733

Log:
  MFH: r437732
  
  xen: apply XSA-212
  
  And do some portlint fixing (thanks to Li-Wen Hsu).
  
  Sponsored by:	Citrix Systems R&D
  Approved by:	ports-secteam (junovitch)

Added:
  branches/2017Q2/emulators/xen-kernel/files/xsa212.patch
     - copied unchanged from r437732, head/emulators/xen-kernel/files/xsa212.patch
Modified:
  branches/2017Q2/emulators/xen-kernel/Makefile
Directory Properties:
  branches/2017Q2/   (props changed)

Modified: branches/2017Q2/emulators/xen-kernel/Makefile
==============================================================================
--- branches/2017Q2/emulators/xen-kernel/Makefile	Tue Apr  4 13:32:53 2017	(r437732)
+++ branches/2017Q2/emulators/xen-kernel/Makefile	Tue Apr  4 13:48:40 2017	(r437733)
@@ -1,11 +1,11 @@
 # $FreeBSD$
 
 PORTNAME=	xen
-PKGNAMESUFFIX=	-kernel
 PORTVERSION=	4.7.2
-PORTREVISION=   0
+PORTREVISION=	1
 CATEGORIES=	emulators
 MASTER_SITES=	http://downloads.xenproject.org/release/xen/${PORTVERSION}/
+PKGNAMESUFFIX=	-kernel
 
 MAINTAINER=	royger@FreeBSD.org
 COMMENT=	Hypervisor using a microkernel design
@@ -41,16 +41,17 @@ EXTRA_PATCHES=	${FILESDIR}/0001-xen-logd
 		${FILESDIR}/0002-xen-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p1 \
 		${FILESDIR}/kconf_arch.patch:-p1 \
 		${FILESDIR}/0001-x86-drop-unneeded-__packed-attributes.patch:-p1 \
-		${FILESDIR}/0002-build-clang-fix-XSM-dummy-policy-when-using-clang-4..patch:-p1
+		${FILESDIR}/0002-build-clang-fix-XSM-dummy-policy-when-using-clang-4..patch:-p1 \
+		${FILESDIR}/xsa212.patch:-p1
 
 .include <bsd.port.options.mk>
 
 .if ${OPSYS} != FreeBSD
-IGNORE=		Only supported on FreeBSD
+IGNORE=		only supported on FreeBSD
 .endif
 
 .if ${OSVERSION} < 1100055
-IGNORE=		Only supported on recent FreeBSD 11
+IGNORE=		only supported on recent FreeBSD 11
 .endif
 
 pre-build:

Copied: branches/2017Q2/emulators/xen-kernel/files/xsa212.patch (from r437732, head/emulators/xen-kernel/files/xsa212.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q2/emulators/xen-kernel/files/xsa212.patch	Tue Apr  4 13:48:40 2017	(r437733, copy of r437732, head/emulators/xen-kernel/files/xsa212.patch)
@@ -0,0 +1,87 @@
+memory: properly check guest memory ranges in XENMEM_exchange handling
+
+The use of guest_handle_okay() here (as introduced by the XSA-29 fix)
+is insufficient here, guest_handle_subrange_okay() needs to be used
+instead.
+
+Note that the uses are okay in
+- XENMEM_add_to_physmap_batch handling due to the size field being only
+  16 bits wide,
+- livepatch_list() due to the limit of 1024 enforced on the
+  number-of-entries input (leaving aside the fact that this can be
+  called by a privileged domain only anyway),
+- compat mode handling due to counts there being limited to 32 bits,
+- everywhere else due to guest arrays being accessed sequentially from
+  index zero.
+
+This is XSA-212.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -436,8 +436,8 @@ static long memory_exchange(XEN_GUEST_HA
+         goto fail_early;
+     }
+ 
+-    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
+-         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
++    if ( !guest_handle_subrange_okay(exch.in.extent_start, exch.nr_exchanged,
++                                     exch.in.nr_extents - 1) )
+     {
+         rc = -EFAULT;
+         goto fail_early;
+@@ -447,11 +447,27 @@ static long memory_exchange(XEN_GUEST_HA
+     {
+         in_chunk_order  = exch.out.extent_order - exch.in.extent_order;
+         out_chunk_order = 0;
++
++        if ( !guest_handle_subrange_okay(exch.out.extent_start,
++                                         exch.nr_exchanged >> in_chunk_order,
++                                         exch.out.nr_extents - 1) )
++        {
++            rc = -EFAULT;
++            goto fail_early;
++        }
+     }
+     else
+     {
+         in_chunk_order  = 0;
+         out_chunk_order = exch.in.extent_order - exch.out.extent_order;
++
++        if ( !guest_handle_subrange_okay(exch.out.extent_start,
++                                         exch.nr_exchanged << out_chunk_order,
++                                         exch.out.nr_extents - 1) )
++        {
++            rc = -EFAULT;
++            goto fail_early;
++        }
+     }
+ 
+     d = rcu_lock_domain_by_any_id(exch.in.domid);
+--- a/xen/include/asm-x86/x86_64/uaccess.h
++++ b/xen/include/asm-x86/x86_64/uaccess.h
+@@ -29,8 +29,9 @@ extern void *xlat_malloc(unsigned long *
+ /*
+  * Valid if in +ve half of 48-bit address space, or above Xen-reserved area.
+  * This is also valid for range checks (addr, addr+size). As long as the
+- * start address is outside the Xen-reserved area then we will access a
+- * non-canonical address (and thus fault) before ever reaching VIRT_START.
++ * start address is outside the Xen-reserved area, sequential accesses
++ * (starting at addr) will hit a non-canonical address (and thus fault)
++ * before ever reaching VIRT_START.
+  */
+ #define __addr_ok(addr) \
+     (((unsigned long)(addr) < (1UL<<47)) || \
+@@ -40,7 +41,8 @@ extern void *xlat_malloc(unsigned long *
+     (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size))
+ 
+ #define array_access_ok(addr, count, size) \
+-    (access_ok(addr, (count)*(size)))
++    (likely(((count) ?: 0UL) < (~0UL / (size))) && \
++     access_ok(addr, (count) * (size)))
+ 
+ #define __compat_addr_ok(d, addr) \
+     ((unsigned long)(addr) < HYPERVISOR_COMPAT_VIRT_START(d))