From owner-svn-ports-head@freebsd.org Wed May 10 12:55:21 2017 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C9315D662C8; Wed, 10 May 2017 12:55:21 +0000 (UTC) (envelope-from royger@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A11FF170; Wed, 10 May 2017 12:55:21 +0000 (UTC) (envelope-from royger@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v4ACtKvD043610; Wed, 10 May 2017 12:55:20 GMT (envelope-from royger@FreeBSD.org) Received: (from royger@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v4ACtKbf043607; Wed, 10 May 2017 12:55:20 GMT (envelope-from royger@FreeBSD.org) Message-Id: <201705101255.v4ACtKbf043607@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: royger set sender to royger@FreeBSD.org using -f From: =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= Date: Wed, 10 May 2017 12:55:20 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r440559 - in head/emulators/xen-kernel: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2017 12:55:21 -0000 Author: royger (src committer) Date: Wed May 10 12:55:20 2017 New Revision: 440559 URL: https://svnweb.freebsd.org/changeset/ports/440559 Log: xen: XSA-{213,214,215} Apply XSA-213, XSA-214 and XSA-215. MFH: 2017Q2 Approved by: bapt Sponsored by: Citrix Systems R&D Added: head/emulators/xen-kernel/files/xsa213-4.7.patch (contents, props changed) head/emulators/xen-kernel/files/xsa214.patch (contents, props changed) head/emulators/xen-kernel/files/xsa215.patch (contents, props changed) Modified: head/emulators/xen-kernel/Makefile Modified: head/emulators/xen-kernel/Makefile ============================================================================== --- head/emulators/xen-kernel/Makefile Wed May 10 12:53:21 2017 (r440558) +++ head/emulators/xen-kernel/Makefile Wed May 10 12:55:20 2017 (r440559) @@ -2,7 +2,7 @@ PORTNAME= xen PORTVERSION= 4.7.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= emulators MASTER_SITES= http://downloads.xenproject.org/release/xen/${PORTVERSION}/ PKGNAMESUFFIX= -kernel @@ -42,7 +42,10 @@ EXTRA_PATCHES= ${FILESDIR}/0001-xen-logd ${FILESDIR}/kconf_arch.patch:-p1 \ ${FILESDIR}/0001-x86-drop-unneeded-__packed-attributes.patch:-p1 \ ${FILESDIR}/0002-build-clang-fix-XSM-dummy-policy-when-using-clang-4..patch:-p1 \ - ${FILESDIR}/xsa212.patch:-p1 + ${FILESDIR}/xsa212.patch:-p1 \ + ${FILESDIR}/xsa213-4.7.patch:-p1 \ + ${FILESDIR}/xsa214.patch:-p1 \ + ${FILESDIR}/xsa215.patch:-p1 .include Added: head/emulators/xen-kernel/files/xsa213-4.7.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/emulators/xen-kernel/files/xsa213-4.7.patch Wed May 10 12:55:20 2017 (r440559) @@ -0,0 +1,173 @@ +From: Jan Beulich +Subject: multicall: deal with early exit conditions + +In particular changes to guest privilege level require the multicall +sequence to be aborted, as hypercalls are permitted from kernel mode +only. While likely not very useful in a multicall, also properly handle +the return value in the HYPERVISOR_iret case (which should be the guest +specified value). + +This is XSA-213. + +Reported-by: Jann Horn +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +Acked-by: Julien Grall + +--- a/xen/arch/arm/traps.c ++++ b/xen/arch/arm/traps.c +@@ -1529,30 +1529,33 @@ static bool_t check_multicall_32bit_clea + return true; + } + +-void do_multicall_call(struct multicall_entry *multi) ++enum mc_disposition do_multicall_call(struct multicall_entry *multi) + { + arm_hypercall_fn_t call = NULL; + + if ( multi->op >= ARRAY_SIZE(arm_hypercall_table) ) + { + multi->result = -ENOSYS; +- return; ++ return mc_continue; + } + + call = arm_hypercall_table[multi->op].fn; + if ( call == NULL ) + { + multi->result = -ENOSYS; +- return; ++ return mc_continue; + } + + if ( is_32bit_domain(current->domain) && + !check_multicall_32bit_clean(multi) ) +- return; ++ return mc_continue; + + multi->result = call(multi->args[0], multi->args[1], + multi->args[2], multi->args[3], + multi->args[4]); ++ ++ return likely(!psr_mode_is_user(guest_cpu_user_regs())) ++ ? mc_continue : mc_preempt; + } + + /* +--- a/xen/common/multicall.c ++++ b/xen/common/multicall.c +@@ -40,6 +40,7 @@ do_multicall( + struct mc_state *mcs = ¤t->mc_state; + uint32_t i; + int rc = 0; ++ enum mc_disposition disp = mc_continue; + + if ( unlikely(__test_and_set_bit(_MCSF_in_multicall, &mcs->flags)) ) + { +@@ -50,7 +51,7 @@ do_multicall( + if ( unlikely(!guest_handle_okay(call_list, nr_calls)) ) + rc = -EFAULT; + +- for ( i = 0; !rc && i < nr_calls; i++ ) ++ for ( i = 0; !rc && disp == mc_continue && i < nr_calls; i++ ) + { + if ( i && hypercall_preempt_check() ) + goto preempted; +@@ -63,7 +64,7 @@ do_multicall( + + trace_multicall_call(&mcs->call); + +- do_multicall_call(&mcs->call); ++ disp = do_multicall_call(&mcs->call); + + #ifndef NDEBUG + { +@@ -77,7 +78,14 @@ do_multicall( + } + #endif + +- if ( unlikely(__copy_field_to_guest(call_list, &mcs->call, result)) ) ++ if ( unlikely(disp == mc_exit) ) ++ { ++ if ( __copy_field_to_guest(call_list, &mcs->call, result) ) ++ /* nothing, best effort only */; ++ rc = mcs->call.result; ++ } ++ else if ( unlikely(__copy_field_to_guest(call_list, &mcs->call, ++ result)) ) + rc = -EFAULT; + else if ( mcs->flags & MCSF_call_preempted ) + { +@@ -93,6 +101,9 @@ do_multicall( + guest_handle_add_offset(call_list, 1); + } + ++ if ( unlikely(disp == mc_preempt) && i < nr_calls ) ++ goto preempted; ++ + perfc_incr(calls_to_multicall); + perfc_add(calls_from_multicall, i); + mcs->flags = 0; +--- a/xen/include/asm-arm/multicall.h ++++ b/xen/include/asm-arm/multicall.h +@@ -1,7 +1,11 @@ + #ifndef __ASM_ARM_MULTICALL_H__ + #define __ASM_ARM_MULTICALL_H__ + +-extern void do_multicall_call(struct multicall_entry *call); ++extern enum mc_disposition { ++ mc_continue, ++ mc_exit, ++ mc_preempt, ++} do_multicall_call(struct multicall_entry *call); + + #endif /* __ASM_ARM_MULTICALL_H__ */ + /* +--- a/xen/include/asm-x86/multicall.h ++++ b/xen/include/asm-x86/multicall.h +@@ -7,8 +7,21 @@ + + #include + ++enum mc_disposition { ++ mc_continue, ++ mc_exit, ++ mc_preempt, ++}; ++ ++#define multicall_ret(call) \ ++ (unlikely((call)->op == __HYPERVISOR_iret) \ ++ ? mc_exit \ ++ : likely(guest_kernel_mode(current, \ ++ guest_cpu_user_regs())) \ ++ ? mc_continue : mc_preempt) ++ + #define do_multicall_call(_call) \ +- do { \ ++ ({ \ + __asm__ __volatile__ ( \ + " movq %c1(%0),%%rax; " \ + " leaq hypercall_table(%%rip),%%rdi; " \ +@@ -37,9 +50,11 @@ + /* all the caller-saves registers */ \ + : "rax", "rcx", "rdx", "rsi", "rdi", \ + "r8", "r9", "r10", "r11" ); \ +- } while ( 0 ) ++ multicall_ret(_call); \ ++ }) + + #define compat_multicall_call(_call) \ ++ ({ \ + __asm__ __volatile__ ( \ + " movl %c1(%0),%%eax; " \ + " leaq compat_hypercall_table(%%rip),%%rdi; "\ +@@ -67,6 +82,8 @@ + "i" (-ENOSYS) \ + /* all the caller-saves registers */ \ + : "rax", "rcx", "rdx", "rsi", "rdi", \ +- "r8", "r9", "r10", "r11" ) \ ++ "r8", "r9", "r10", "r11" ); \ ++ multicall_ret(_call); \ ++ }) + + #endif /* __ASM_X86_MULTICALL_H__ */ Added: head/emulators/xen-kernel/files/xsa214.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/emulators/xen-kernel/files/xsa214.patch Wed May 10 12:55:20 2017 (r440559) @@ -0,0 +1,41 @@ +From: Jan Beulich +Subject: x86: discard type information when stealing pages + +While a page having just a single general reference left necessarily +has a zero type reference count too, its type may still be valid (and +in validated state; at present this is only possible and relevant for +PGT_seg_desc_page, as page tables have their type forcibly zapped when +their type reference count drops to zero, and +PGT_{writable,shared}_page pages don't require any validation). In +such a case when the page is being re-used with the same type again, +validation is being skipped. As validation criteria differ between +32- and 64-bit guests, pages to be transferred between guests need to +have their validation indicator zapped (and with it we zap all other +type information at once). + +This is XSA-214. + +Reported-by: Jann Horn +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -4466,6 +4466,17 @@ int steal_page( + y = cmpxchg(&page->count_info, x, x & ~PGC_count_mask); + } while ( y != x ); + ++ /* ++ * With the sole reference dropped temporarily, no-one can update type ++ * information. Type count also needs to be zero in this case, but e.g. ++ * PGT_seg_desc_page may still have PGT_validated set, which we need to ++ * clear before transferring ownership (as validation criteria vary ++ * depending on domain type). ++ */ ++ BUG_ON(page->u.inuse.type_info & (PGT_count_mask | PGT_locked | ++ PGT_pinned)); ++ page->u.inuse.type_info = 0; ++ + /* Swizzle the owner then reinstate the PGC_allocated reference. */ + page_set_owner(page, NULL); + y = page->count_info; Added: head/emulators/xen-kernel/files/xsa215.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/emulators/xen-kernel/files/xsa215.patch Wed May 10 12:55:20 2017 (r440559) @@ -0,0 +1,37 @@ +From: Jan Beulich +Subject: x86: correct create_bounce_frame + +We may push up to 96 bytes on the guest (kernel) stack, so we should +also cover as much in the early range check. Note that this is the +simplest possible patch, which has the theoretical potential of +breaking a guest: We only really push 96 bytes when invoking the +failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed +(without / with error code respectively). There is, however, no PV OS +known to place a kernel stack there. + +This is XSA-215. + +Reported-by: Jann Horn +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -347,7 +347,7 @@ int80_slow_path: + jmp handle_exception_saved + + /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */ +-/* { RCX, R11, [DS-GS,] [CR2,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */ ++/* { RCX, R11, [DS-GS,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */ + /* %rdx: trap_bounce, %rbx: struct vcpu */ + /* On return only %rbx and %rdx are guaranteed non-clobbered. */ + create_bounce_frame: +@@ -367,7 +367,7 @@ create_bounce_frame: + 2: andq $~0xf,%rsi # Stack frames are 16-byte aligned. + movq $HYPERVISOR_VIRT_START,%rax + cmpq %rax,%rsi +- movq $HYPERVISOR_VIRT_END+60,%rax ++ movq $HYPERVISOR_VIRT_END+12*8,%rax + sbb %ecx,%ecx # In +ve address space? Then okay. + cmpq %rax,%rsi + adc %ecx,%ecx # Above Xen private area? Then okay.