Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 11 Jun 2015 18:08:42 +0000 (UTC)
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r389233 - in head/emulators/xen-kernel: . files
Message-ID:  <201506111808.t5BI8gOv009613@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: bapt
Date: Thu Jun 11 18:08:41 2015
New Revision: 389233
URL: https://svnweb.freebsd.org/changeset/ports/389233

Log:
  Fix plenty of security issues
  
  Security:	XSA-117 / CVE-2015-0268
  Security:	XSA-118 / CVE-2015-1563
  Security:	XSA-121 / CVE-2015-2044
  Security:	XSA-122 / CVE-2015-2045
  Security:	XSA-123 / CVE-2015-2151
  Security:	XSA-125 / CVE-2015-2752
  Security:	XSA-127 / CVE-2015-2751
  Security:	XSA-132 / CVE-2015-3340
  Security:	XSA-134 / CVE-2015-4163
  Security:	XSA-136 / CVE-2015-4164

Added:
  head/emulators/xen-kernel/files/xsa117.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa121.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa122.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa123.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa125.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa127-4.x.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa132.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa134.patch   (contents, props changed)
  head/emulators/xen-kernel/files/xsa136.patch   (contents, props changed)
Modified:
  head/emulators/xen-kernel/Makefile
Directory Properties:
  head/emulators/xen-kernel/files/iommu_share_p2m_table.patch   (props changed)

Modified: head/emulators/xen-kernel/Makefile
==============================================================================
--- head/emulators/xen-kernel/Makefile	Thu Jun 11 17:40:54 2015	(r389232)
+++ head/emulators/xen-kernel/Makefile	Thu Jun 11 18:08:41 2015	(r389233)
@@ -3,7 +3,7 @@
 PORTNAME=	xen
 PKGNAMESUFFIX=	-kernel
 PORTVERSION=	4.5.0
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	emulators
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
 
@@ -25,7 +25,18 @@ ALL_TARGET=	build
 STRIP=		#
 WRKSRC_SUBDIR=	xen
 EXTRA_PATCHES=	${FILESDIR}/iommu_share_p2m_table.patch:-p2 \
-		${FILESDIR}/0001-x86-pvh-disable-posted-interrupts.patch:-p2
+		${FILESDIR}/0001-x86-pvh-disable-posted-interrupts.patch:-p2 \
+		${FILESDIR}/xsa117.patch:-p2 \
+		${FILESDIR}/xsa118-4.5-unstable-1.patch:-p2 \
+		${FILESDIR}/xsa118-4.5-unstable-2.patch:-p2 \
+		${FILESDIR}/xsa121.patch:-p2 \
+		${FILESDIR}/xsa122.patch:-p2 \
+		${FILESDIR}/xsa123.patch:-p2 \
+		${FILESDIR}/xsa125.patch:-p2 \
+		${FILESDIR}/xsa127-4.x.patch:-p2 \
+		${FILESDIR}/xsa132.patch:-p2 \
+		${FILESDIR}/xsa134.patch:-p2 \
+		${FILESDIR}/xsa136.patch:-p2
 
 .include <bsd.port.options.mk>
 

Added: head/emulators/xen-kernel/files/xsa117.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa117.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,42 @@
+From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Fri, 23 Jan 2015 14:15:07 +0000
+Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI
+ target mode is invalid
+
+The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
+
+Even if it's an invalid value, a malicious guest could write this value
+and threfore crash the hypervisor.
+
+Replace the BUG() by logging the error and inject a data abort to the guest.
+
+This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7
+"xen/arm: split vgic driver into generic and vgic-v2 driver".
+
+This is CVE-2015-0268 / XSA-117.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 598bf06..9dc9a20 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
+         sgi_mode = SGI_TARGET_SELF;
+         break;
+     default:
+-        BUG();
++        printk(XENLOG_G_DEBUG
++               "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
++               v, sgir);
++        return 0;
+     }
+ 
+     return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
+-- 
+2.1.4
+

Added: head/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa118-4.5-unstable-1.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,253 @@
+From e698f4ab05a710e4463317ea978d426d43107e27 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Mon, 19 Jan 2015 14:01:09 +0000
+Subject: [PATCH 1/2] xen/arm: vgic-v3: message in the emulation code should be
+ rate-limited
+
+printk by default is not rate-limited by default. Therefore a malicious guest
+may be able to flood the Xen console.
+
+If we use gdprintk, unnecessary information will be printed such as the
+filename and the line. Instead use XENLOG_G_{ERR,DEBUG} combine with %pv.
+
+Also remove the vGICv3 prefix which is not neccessary and update some
+message which were wrong.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v3.c | 109 +++++++++++++++++++++++++++----------------------
+ 1 file changed, 61 insertions(+), 48 deletions(-)
+
+diff --git a/xen/arch/arm/vgic-v3.c b/xen/arch/arm/vgic-v3.c
+index ae4482c..bece189 100644
+--- a/xen/arch/arm/vgic-v3.c
++++ b/xen/arch/arm/vgic-v3.c
+@@ -168,13 +168,14 @@ static int __vgic_v3_rdistr_rd_mmio_read(struct vcpu *v, mmio_info_t *info,
+         /* Reserved0 */
+         goto read_as_zero;
+     default:
+-        printk("vGICv3: vGICR: read r%d offset %#08x\n not found",
+-               dabt.reg, gicr_reg);
++        printk(XENLOG_G_ERR
++               "%pv: vGICR: read r%d offset %#08x\n not found",
++               v, dabt.reg, gicr_reg);
+         return 0;
+     }
+ bad_width:
+-    printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n",
+-           dabt.size, dabt.reg, gicr_reg);
++    printk(XENLOG_G_ERR "%pv vGICR: bad read width %d r%d offset %#08x\n",
++           v, dabt.size, dabt.reg, gicr_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -244,12 +245,14 @@ static int __vgic_v3_rdistr_rd_mmio_write(struct vcpu *v, mmio_info_t *info,
+         /* RO */
+         goto write_ignore;
+     default:
+-        printk("vGICR: write r%d offset %#08x\n not found", dabt.reg, gicr_reg);
++        printk(XENLOG_G_ERR "%pv: vGICR: write r%d offset %#08x\n not found",
++               v, dabt.reg, gicr_reg);
+         return 0;
+     }
+ bad_width:
+-    printk("vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+-           dabt.size, dabt.reg, *r, gicr_reg);
++    printk(XENLOG_G_ERR
++          "%pv: vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++          v, dabt.size, dabt.reg, *r, gicr_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -345,15 +348,16 @@ static int __vgic_v3_distr_common_mmio_read(struct vcpu *v, mmio_info_t *info,
+         vgic_unlock_rank(v, rank, flags);
+         return 1;
+     default:
+-        printk("vGICv3: vGICD/vGICR: unhandled read r%d offset %#08x\n",
+-               dabt.reg, reg);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD/vGICR: unhandled read r%d offset %#08x\n",
++               v, dabt.reg, reg);
+         return 0;
+     }
+ 
+ bad_width:
+-    dprintk(XENLOG_ERR,
+-            "vGICv3: vGICD/vGICR: bad read width %d r%d offset %#08x\n",
+-            dabt.size, dabt.reg, reg);
++    printk(XENLOG_G_ERR
++           "%pv: vGICD/vGICR: bad read width %d r%d offset %#08x\n",
++           v, dabt.size, dabt.reg, reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -458,15 +462,16 @@ static int __vgic_v3_distr_common_mmio_write(struct vcpu *v, mmio_info_t *info,
+         vgic_unlock_rank(v, rank, flags);
+         return 1;
+     default:
+-        printk("vGICv3: vGICD/vGICR: unhandled write r%d "
+-               "=%"PRIregister" offset %#08x\n", dabt.reg, *r, reg);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD/vGICR: unhandled write r%d=%"PRIregister" offset %#08x\n",
++               v, dabt.reg, *r, reg);
+         return 0;
+     }
+ 
+ bad_width:
+-    dprintk(XENLOG_ERR,
+-            "vGICv3: vGICD/vGICR: bad write width %d r%d=%"PRIregister" "
+-            "offset %#08x\n", dabt.size, dabt.reg, *r, reg);
++    printk(XENLOG_G_ERR
++           "%pv: vGICD/vGICR: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++           v, dabt.size, dabt.reg, *r, reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -521,13 +526,14 @@ static int vgic_v3_rdistr_sgi_mmio_read(struct vcpu *v, mmio_info_t *info,
+         if ( dabt.size != DABT_WORD ) goto bad_width;
+         return 1;
+     default:
+-        printk("vGICv3: vGICR: read r%d offset %#08x\n not found",
+-               dabt.reg, gicr_reg);
++        printk(XENLOG_G_ERR
++               "%pv: vGICR: SGI: read r%d offset %#08x\n not found",
++               v, dabt.reg, gicr_reg);
+         return 0;
+     }
+ bad_width:
+-    printk("vGICv3: vGICR: bad read width %d r%d offset %#08x\n",
+-           dabt.size, dabt.reg, gicr_reg);
++    printk(XENLOG_G_ERR "%pv: vGICR: SGI: bad read width %d r%d offset %#08x\n",
++           v, dabt.size, dabt.reg, gicr_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -585,14 +591,16 @@ static int vgic_v3_rdistr_sgi_mmio_write(struct vcpu *v, mmio_info_t *info,
+         /* We do not implement security extensions for guests, write ignore */
+         goto write_ignore;
+     default:
+-        printk("vGICv3: vGICR SGI: write r%d offset %#08x\n not found",
+-               dabt.reg, gicr_reg);
++        printk(XENLOG_G_ERR
++               "%pv: vGICR: SGI: write r%d offset %#08x\n not found",
++               v, dabt.reg, gicr_reg);
+         return 0;
+     }
+ 
+ bad_width:
+-    printk("vGICR SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+-           dabt.size, dabt.reg, *r, gicr_reg);
++    printk(XENLOG_G_ERR
++           "%pv: vGICR: SGI: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++           v, dabt.size, dabt.reg, *r, gicr_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -618,9 +626,9 @@ static int vgic_v3_rdistr_mmio_read(struct vcpu *v, mmio_info_t *info)
+     else  if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) )
+         return vgic_v3_rdistr_sgi_mmio_read(v, info, (offset - SZ_64K));
+     else
+-        gdprintk(XENLOG_WARNING,
+-                 "vGICv3: vGICR: unknown gpa read address %"PRIpaddr"\n",
+-                 info->gpa);
++        printk(XENLOG_G_WARNING
++               "%pv: vGICR: unknown gpa read address %"PRIpaddr"\n",
++                v, info->gpa);
+ 
+     return 0;
+ }
+@@ -642,9 +650,9 @@ static int vgic_v3_rdistr_mmio_write(struct vcpu *v, mmio_info_t *info)
+     else  if ( (offset >= SZ_64K) && (offset < 2 * SZ_64K) )
+         return vgic_v3_rdistr_sgi_mmio_write(v, info, (offset - SZ_64K));
+     else
+-        gdprintk(XENLOG_WARNING,
+-                 "vGICV3: vGICR: unknown gpa write address %"PRIpaddr"\n",
+-                 info->gpa);
++        printk(XENLOG_G_WARNING
++               "%pv: vGICR: unknown gpa write address %"PRIpaddr"\n",
++               v, info->gpa);
+ 
+     return 0;
+ }
+@@ -770,18 +778,19 @@ static int vgic_v3_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+     case 0xf30 ... 0x5fcc:
+     case 0x8000 ... 0xbfcc:
+         /* These are reserved register addresses */
+-        printk("vGICv3: vGICD: read unknown 0x00c .. 0xfcc r%d offset %#08x\n",
+-               dabt.reg, gicd_reg);
++        printk(XENLOG_G_DEBUG
++               "%pv: vGICD: RAZ on reserved register offset %#08x\n",
++               v, gicd_reg);
+         goto read_as_zero;
+     default:
+-        printk("vGICv3: vGICD: unhandled read r%d offset %#08x\n",
+-               dabt.reg, gicd_reg);
++        printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
++               v, dabt.reg, gicd_reg);
+         return 0;
+     }
+ 
+ bad_width:
+-    dprintk(XENLOG_ERR, "vGICv3: vGICD: bad read width %d r%d offset %#08x\n",
+-            dabt.size, dabt.reg, gicd_reg);
++    printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
++           v, dabt.size, dabt.reg, gicd_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -840,8 +849,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+     case 0x020 ... 0x03c:
+     case 0xc000 ... 0xffcc:
+         /* Implementation defined -- write ignored */
+-        printk("vGICv3: vGICD: write unknown 0x020 - 0x03c r%d offset %#08x\n",
+-               dabt.reg, gicd_reg);
++        printk(XENLOG_G_DEBUG
++               "%pv: vGICD: WI on implementation defined register offset %#08x\n",
++               v, gicd_reg);
+         goto write_ignore;
+     case GICD_IGROUPR ... GICD_IGROUPRN:
+     case GICD_ISENABLER ... GICD_ISENABLERN:
+@@ -885,8 +895,9 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+             new_target = new_irouter & MPIDR_AFF0_MASK;
+             if ( new_target >= v->domain->max_vcpus )
+             {
+-                printk("vGICv3: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x",
+-                       gicd_reg, new_target, v->domain->max_vcpus);
++                printk(XENLOG_G_DEBUG
++                       "%pv: vGICD: wrong irouter at offset %#08x\n val 0x%lx vcpu %x",
++                       v, gicd_reg, new_target, v->domain->max_vcpus);
+                 vgic_unlock_rank(v, rank, flags);
+                 return 0;
+             }
+@@ -926,19 +937,21 @@ static int vgic_v3_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+     case 0xf30 ... 0x5fcc:
+     case 0x8000 ... 0xbfcc:
+         /* Reserved register addresses */
+-        printk("vGICv3: vGICD: write unknown 0x00c 0xfcc  r%d offset %#08x\n",
+-                dabt.reg, gicd_reg);
++        printk(XENLOG_G_DEBUG
++               "%pv: vGICD: write unknown 0x00c 0xfcc  r%d offset %#08x\n",
++               v, dabt.reg, gicd_reg);
+         goto write_ignore;
+     default:
+-        printk("vGICv3: vGICD: unhandled write r%d=%"PRIregister" "
+-               "offset %#08x\n", dabt.reg, *r, gicd_reg);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
++               v, dabt.reg, *r, gicd_reg);
+         return 0;
+     }
+ 
+ bad_width:
+-    dprintk(XENLOG_ERR,
+-            "VGICv3: vGICD: bad write width %d r%d=%"PRIregister" "
+-            "offset %#08x\n", dabt.size, dabt.reg, *r, gicd_reg);
++    printk(XENLOG_G_ERR
++           "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++           v, dabt.size, dabt.reg, *r, gicd_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+-- 
+2.1.4
+

Added: head/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa118-4.5-unstable-2.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,115 @@
+From e8fa469595e29b2dbe6dde3a77ee2ea2d9e93283 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Mon, 19 Jan 2015 12:59:42 +0000
+Subject: [PATCH 2/2] xen/arm: vgic-v2: message in the emulation code should be
+ rate-limited
+
+printk is not rated-limited by default. Therefore a malicious guest may
+be able to flood the Xen console.
+
+If we use gdprintk, unecessary information will be printed such as the
+filename and the line. Instead use XENLOG_G_ERR combine with %pv.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 40 +++++++++++++++++++++++-----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 9dc9a20..3b87f54 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -198,7 +198,7 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+ 
+     case GICD_ICPIDR2:
+         if ( dabt.size != DABT_WORD ) goto bad_width;
+-        printk("vGICD: unhandled read from ICPIDR2\n");
++        printk(XENLOG_G_ERR "%pv: vGICD: unhandled read from ICPIDR2\n", v);
+         return 0;
+ 
+     /* Implementation defined -- read as zero */
+@@ -215,14 +215,14 @@ static int vgic_v2_distr_mmio_read(struct vcpu *v, mmio_info_t *info)
+         goto read_as_zero;
+ 
+     default:
+-        printk("vGICD: unhandled read r%d offset %#08x\n",
+-               dabt.reg, gicd_reg);
++        printk(XENLOG_G_ERR "%pv: vGICD: unhandled read r%d offset %#08x\n",
++               v, dabt.reg, gicd_reg);
+         return 0;
+     }
+ 
+ bad_width:
+-    printk("vGICD: bad read width %d r%d offset %#08x\n",
+-           dabt.size, dabt.reg, gicd_reg);
++    printk(XENLOG_G_ERR "%pv: vGICD: bad read width %d r%d offset %#08x\n",
++           v, dabt.size, dabt.reg, gicd_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+@@ -331,14 +331,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ 
+     case GICD_ISPENDR ... GICD_ISPENDRN:
+         if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+-        printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
+-               dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDR%d\n",
++               v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ISPENDR);
+         return 0;
+ 
+     case GICD_ICPENDR ... GICD_ICPENDRN:
+         if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+-        printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
+-               dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDR%d\n",
++               v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_ICPENDR);
+         return 0;
+ 
+     case GICD_ISACTIVER ... GICD_ISACTIVERN:
+@@ -457,14 +459,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+ 
+     case GICD_CPENDSGIR ... GICD_CPENDSGIRN:
+         if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+-        printk("vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
+-               dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD: unhandled %s write %#"PRIregister" to ICPENDSGIR%d\n",
++               v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_CPENDSGIR);
+         return 0;
+ 
+     case GICD_SPENDSGIR ... GICD_SPENDSGIRN:
+         if ( dabt.size != DABT_BYTE && dabt.size != DABT_WORD ) goto bad_width;
+-        printk("vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
+-               dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD: unhandled %s write %#"PRIregister" to ISPENDSGIR%d\n",
++               v, dabt.size ? "word" : "byte", *r, gicd_reg - GICD_SPENDSGIR);
+         return 0;
+ 
+     /* Implementation defined -- write ignored */
+@@ -489,14 +493,16 @@ static int vgic_v2_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
+         goto write_ignore;
+ 
+     default:
+-        printk("vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
+-               dabt.reg, *r, gicd_reg);
++        printk(XENLOG_G_ERR
++               "%pv: vGICD: unhandled write r%d=%"PRIregister" offset %#08x\n",
++               v, dabt.reg, *r, gicd_reg);
+         return 0;
+     }
+ 
+ bad_width:
+-    printk("vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
+-           dabt.size, dabt.reg, *r, gicd_reg);
++    printk(XENLOG_G_ERR
++           "%pv: vGICD: bad write width %d r%d=%"PRIregister" offset %#08x\n",
++           v, dabt.size, dabt.reg, *r, gicd_reg);
+     domain_crash_synchronous();
+     return 0;
+ 
+-- 
+2.1.4
+

Added: head/emulators/xen-kernel/files/xsa121.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa121.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,51 @@
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/hvm/i8254.c
++++ b/xen/arch/x86/hvm/i8254.c
+@@ -486,6 +486,7 @@ static int handle_pit_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
+--- a/xen/arch/x86/hvm/pmtimer.c
++++ b/xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+     if ( bytes != 4 )
+     {
+         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/rtc.c
++++ b/xen/arch/x86/hvm/rtc.c
+@@ -703,7 +703,8 @@ static int handle_rtc_io(
+ 
+     if ( bytes != 1 )
+     {
+-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/vpic.c
++++ b/xen/arch/x86/hvm/vpic.c
+@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 

Added: head/emulators/xen-kernel/files/xsa122.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa122.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,40 @@
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_extraversion:
+     {
+         xen_extraversion_t extraversion;
++
++        memset(extraversion, 0, sizeof(extraversion));
+         safe_strcpy(extraversion, xen_extra_version());
+         if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+             return -EFAULT;
+@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_compile_info:
+     {
+         struct xen_compile_info info;
++
++        memset(&info, 0, sizeof(info));
+         safe_strcpy(info.compiler,       xen_compiler());
+         safe_strcpy(info.compile_by,     xen_compile_by());
+         safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_changeset:
+     {
+         xen_changeset_info_t chgset;
++
++        memset(chgset, 0, sizeof(chgset));
+         safe_strcpy(chgset, xen_changeset());
+         if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+             return -EFAULT;

Added: head/emulators/xen-kernel/files/xsa123.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa123.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,24 @@
+x86emul: fully ignore segment override for register-only operations
+
+For ModRM encoded instructions with register operands we must not
+overwrite ea.mem.seg (if a - bogus in that case - segment override was
+present) as it aliases with ea.reg.
+
+This is CVE-2015-2151 / XSA-123.
+
+Reported-by: Felix Wilhelm <fwilhelm@ernw.de>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+Reviewed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1757,7 +1757,7 @@ x86_emulate(
+         }
+     }
+ 
+-    if ( override_seg != -1 )
++    if ( override_seg != -1 && ea.type == OP_MEM )
+         ea.mem.seg = override_seg;
+ 
+     /* Early operand adjustments. */

Added: head/emulators/xen-kernel/files/xsa125.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa125.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,71 @@
+From 98670acc98cad5aee0e0714694a64d3b96675c36 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 19 Nov 2014 12:57:11 -0500
+Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to only process up
+ to 64 GFNs (or less)
+
+Said hypercall for large BARs can take quite a while. As such
+we can require that the hypercall MUST break up the request
+in smaller values.
+
+Another approach is to add preemption to it - whether we do the
+preemption using hypercall_create_continuation or returning
+EAGAIN to userspace (and have it re-invocate the call) - either
+way the issue we cannot easily solve is that in 'map_mmio_regions'
+if we encounter an error we MUST call 'unmap_mmio_regions' for the
+whole BAR region.
+
+Since the preemption would re-use input fields such as nr_mfns,
+first_gfn, first_mfn - we would lose the original values -
+and only undo what was done in the current round (i.e. ignoring
+anything that was done prior to earlier preemptions).
+
+Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but
+that puts a limit (since the return value is a long) on the amount
+of nr_mfns that can provided.
+
+This patch sidesteps this problem by:
+ - Setting an hard limit of nr_mfns having to be 64 or less.
+ - Toolstack adjusts correspondingly to the nr_mfn limit.
+ - If the there is an error when adding the toolstack will call the
+   remove operation to remove the whole region.
+
+The need to break this hypercall down is for large BARs can take
+more than the guest (initial domain usually) time-slice. This has
+the negative result in that the guest is locked out for a long
+duration and is unable to act on any pending events.
+
+We also augment the code to return zero if nr_mfns instead
+of trying to the hypercall.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+[v50: Simplify loop]
+[v51: If max_batch_sz 1 (or less) we would return zero. Fix that]
+[v52: Handle nr_mfns being zero]
+[v53: Fix up return value]
+---
+ tools/libxc/xc_domain.c     | 46 +++++++++++++++++++++++++++++++++++++++++----
+ xen/common/domctl.c         |  5 +++++
+ xen/include/public/domctl.h |  1 +
+ 3 files changed, 48 insertions(+), 4 deletions(-)
+
+diff --git a/xen/common/domctl.c b/xen/common/domctl.c
+index d396cc4..c2e60a7 100644
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -1027,6 +1027,11 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
+              (gfn + nr_mfns - 1) < gfn ) /* wrap? */
+             break;
+ 
++        ret = -E2BIG;
++        /* Must break hypercall up as this could take a while. */
++        if ( nr_mfns > 64 )
++            break;
++
+         ret = -EPERM;
+         if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ||
+              !iomem_access_permitted(d, mfn, mfn_end) )

Added: head/emulators/xen-kernel/files/xsa127-4.x.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa127-4.x.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,50 @@
+domctl: don't allow a toolstack domain to call domain_pause() on itself
+
+These DOMCTL subops were accidentally declared safe for disaggregation
+in the wake of XSA-77.
+
+This is XSA-127.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -888,6 +888,10 @@ long arch_do_domctl(
+     {
+         xen_guest_tsc_info_t info;
+ 
++        ret = -EINVAL;
++        if ( d == current->domain ) /* no domain_pause() */
++            break;
++
+         domain_pause(d);
+         tsc_get_info(d, &info.tsc_mode,
+                         &info.elapsed_nsec,
+@@ -903,6 +907,10 @@ long arch_do_domctl(
+ 
+     case XEN_DOMCTL_settscinfo:
+     {
++        ret = -EINVAL;
++        if ( d == current->domain ) /* no domain_pause() */
++            break;
++
+         domain_pause(d);
+         tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
+                      domctl->u.tsc_info.info.elapsed_nsec,
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -522,8 +522,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
+ 
+     case XEN_DOMCTL_resumedomain:
+     {
+-        domain_resume(d);
+-        ret = 0;
++        if ( d == current->domain ) /* no domain_pause() */
++            ret = -EINVAL;
++        else
++            domain_resume(d);
+     }
+     break;
+ 

Added: head/emulators/xen-kernel/files/xsa132.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa132.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,29 @@
+domctl/sysctl: don't leak hypervisor stack to toolstacks
+
+This is XSA-132.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -884,7 +884,7 @@ long arch_do_domctl(
+ 
+     case XEN_DOMCTL_gettscinfo:
+     {
+-        xen_guest_tsc_info_t info;
++        xen_guest_tsc_info_t info = { 0 };
+ 
+         ret = -EINVAL;
+         if ( d == current->domain ) /* no domain_pause() */
+--- a/xen/common/sysctl.c
++++ b/xen/common/sysctl.c
+@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
+     case XEN_SYSCTL_getdomaininfolist:
+     { 
+         struct domain *d;
+-        struct xen_domctl_getdomaininfo info;
++        struct xen_domctl_getdomaininfo info = { 0 };
+         u32 num_domains = 0;
+ 
+         rcu_read_lock(&domlist_read_lock);

Added: head/emulators/xen-kernel/files/xsa134.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa134.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
+
+... avoiding NULL derefs when the version to use wasn't set yet (via
+GNTTABOP_setup_table or GNTTABOP_set_version).
+
+This is XSA-134.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -2592,6 +2592,9 @@ __gnttab_swap_grant_ref(grant_ref_t ref_
+ 
+     spin_lock(&gt->lock);
+ 
++    if ( gt->gt_version == 0 )
++        PIN_FAIL(out, GNTST_general_error, "grant table not yet set up\n");
++
+     /* Bounds check on the grant refs */
+     if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+         PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);

Added: head/emulators/xen-kernel/files/xsa136.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/xen-kernel/files/xsa136.patch	Thu Jun 11 18:08:41 2015	(r389233)
@@ -0,0 +1,19 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/traps: loop in the correct direction in compat_iret()
+
+This is XSA-136.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/traps.c
++++ b/xen/arch/x86/x86_64/compat/traps.c
+@@ -119,7 +119,7 @@ unsigned int compat_iret(void)
+         }
+         else if ( ksp > regs->_esp )
+         {
+-            for (i = 9; i > 0; ++i)
++            for ( i = 9; i > 0; --i )
+             {
+                 rc |= __get_user(x, (u32 *)regs->rsp + i);
+                 rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201506111808.t5BI8gOv009613>