From nobody Thu Mar 9 15:08:12 2023
Date: Thu, 9 Mar 2023 15:08:12 GMT
Message-Id: <202303091508.329F8CFV083005@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Roger Pau Monné
Subject: git: 3688ce5f8484 - main - {emulators,sysutils}/xen-{kernel,tools}: update to 4.17
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-Git-Committer: royger
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3688ce5f8484c0184c5374dc7be04d53a22b9623
Auto-Submitted: auto-generated

The branch main has been updated by royger:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3688ce5f8484c0184c5374dc7be04d53a22b9623

commit 3688ce5f8484c0184c5374dc7be04d53a22b9623
Author:     Roger Pau Monné
AuthorDate: 2023-03-09 14:58:44 +0000
Commit:     Roger Pau Monné
CommitDate: 2023-03-09 15:06:49 +0000

    {emulators,sysutils}/xen-{kernel,tools}: update to 4.17

    While there also update SeaBIOS to 1.16.1.
Sponsored by: Citrix Systems R&D Approved by: bapt (implicit) --- emulators/xen-kernel/Makefile | 22 ++-- emulators/xen-kernel/distinfo | 6 +- ...m-introduce-hypercall-to-get-initial-vide.patch | 84 +++++++++++++ ...ne-split-retpoline-compiler-support-into-.patch | 66 ----------- ...-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch | 65 ---------- ...Work-around-Clang-IAS-macro-expansion-bug.patch | 107 +++++++++++++++++ ...1-xen-x86-Remove-the-use-of-K-R-functions.patch | 78 ++++++++++++ .../0002-x86-clang-add-retpoline-support.patch | 56 --------- ...-ctrl-Introduce-new-has_spec_ctrl-boolean.patch | 97 --------------- emulators/xen-kernel/files/xsa395.patch | 42 ------- ...spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch | 118 ------------------ emulators/xen-kernel/files/xsa425.patch | 132 +++++++++++++++++++++ emulators/xen-kernel/files/xsa426.patch | 107 +++++++++++++++++ misc/seabios/Makefile | 2 +- misc/seabios/distinfo | 6 +- sysutils/xen-tools/Makefile | 8 +- sysutils/xen-tools/distinfo | 6 +- ...001-tools-Remove-the-use-of-K-R-functions.patch | 41 +++++++ ...1-xen-x86-Remove-the-use-of-K-R-functions.patch | 78 ++++++++++++ sysutils/xen-tools/pkg-plist | 39 +++--- 20 files changed, 675 insertions(+), 485 deletions(-) diff --git a/emulators/xen-kernel/Makefile b/emulators/xen-kernel/Makefile index dbfc3c40ca96..4844d8675227 100644 --- a/emulators/xen-kernel/Makefile +++ b/emulators/xen-kernel/Makefile @@ -1,5 +1,5 @@ PORTNAME= xen -PORTVERSION= 4.16.0 +PORTVERSION= 4.17.0 PORTREVISION= 0 CATEGORIES= emulators MASTER_SITES= http://downloads.xenproject.org/release/xen/${PORTVERSION}/ 
@@ -26,17 +26,15 @@ PLIST_FILES= /boot/xen \ lib/debug/boot/xen.debug \ lib/debug/boot/xen-debug.debug -# XSA-395 -EXTRA_PATCHES+= ${PATCHDIR}/xsa395.patch:-p1 - -# XSA-398 -EXTRA_PATCHES+= ${PATCHDIR}/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch:-p1 \ - ${PATCHDIR}/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch:-p1 \ - ${PATCHDIR}/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch:-p1 - -# Add retpoline support for clang builds -EXTRA_PATCHES+= ${PATCHDIR}/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch:-p1 \ - ${PATCHDIR}/0002-x86-clang-add-retpoline-support.patch:-p1 +# XSAs +EXTRA_PATCHES+= ${PATCHDIR}/xsa425.patch:-p1 \ + ${PATCHDIR}/xsa426.patch:-p1 \ + ${PATCHDIR}/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch:-p1 +# Backports +# clang build fixes +EXTRA_PATCHES+= ${PATCHDIR}/0001-xen-x86-Remove-the-use-of-K-R-functions.patch:-p1 +# Support for fetching video mode from PVH dom0 +EXTRA_PATCHES+= ${PATCHDIR}/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch:-p1 .include diff --git a/emulators/xen-kernel/distinfo b/emulators/xen-kernel/distinfo index d197e536add4..843b42797c93 100644 --- a/emulators/xen-kernel/distinfo +++ b/emulators/xen-kernel/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1648563575 -SHA256 (xen-4.16.0.tar.gz) = adc87a90e614d090a2014b9aebae8d815a7348bf329d169b3cb655256d0ee995 -SIZE (xen-4.16.0.tar.gz) = 44982322 +TIMESTAMP = 1678353105 +SHA256 (xen-4.17.0.tar.gz) = 119fc44fa3f9b581f1929c2ed8e0f97fac59a1828bc5ec5c244df096e7343ef9 +SIZE (xen-4.17.0.tar.gz) = 46484553 diff --git a/emulators/xen-kernel/files/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch b/emulators/xen-kernel/files/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch new file mode 100644 index 000000000000..747d6167fc59 --- /dev/null +++ b/emulators/xen-kernel/files/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch 
@@ -0,0 +1,84 @@ +From 4dd160583c798d3a5a451ea74633836891d15354 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= +Date: Tue, 6 Dec 2022 13:53:43 +0100 +Subject: [PATCH] x86/platform: introduce hypercall to get initial video + console settings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is required so PVH dom0 can get the initial video console state +as handled by Xen. PV dom0 will get this as part of the start_info, +but it doesn't seem necessary to place such information in the +HVM start info. + +Signed-off-by: Roger Pau Monné +Reviewed-by: Jan Beulich +--- + xen/arch/x86/platform_hypercall.c | 11 +++++++++++ + xen/drivers/video/vga.c | 2 +- + xen/include/public/platform.h | 6 ++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c +index a7341dc3d7..3f0d0389af 100644 +--- a/xen/arch/x86/platform_hypercall.c ++++ b/xen/arch/x86/platform_hypercall.c +@@ -839,6 +839,17 @@ ret_t do_platform_op( + } + break; + ++ case XENPF_get_dom0_console: ++ if ( !fill_console_start_info(&op->u.dom0_console) ) ++ { ++ ret = -ENODEV; ++ break; ++ } ++ ++ if ( copy_field_to_guest(u_xenpf_op, op, u.dom0_console) ) ++ ret = -EFAULT; ++ break; ++ + default: + ret = -ENOSYS; + break; +diff --git a/xen/drivers/video/vga.c b/xen/drivers/video/vga.c +index 29a88e8241..0a03508bee 100644 +--- a/xen/drivers/video/vga.c ++++ b/xen/drivers/video/vga.c +@@ -205,7 +205,7 @@ static void cf_check vga_text_puts(const char *s, size_t nr) + } + } + +-int __init fill_console_start_info(struct dom0_vga_console_info *ci) ++int fill_console_start_info(struct dom0_vga_console_info *ci) + { + memcpy(ci, &vga_console_info, sizeof(*ci)); + return 1; +diff --git a/xen/include/public/platform.h b/xen/include/public/platform.h +index 5e1494fe9a..14784dfa77 100644 +--- a/xen/include/public/platform.h ++++ b/xen/include/public/platform.h +@@ -605,6 
+605,11 @@ struct xenpf_symdata { + typedef struct xenpf_symdata xenpf_symdata_t; + DEFINE_XEN_GUEST_HANDLE(xenpf_symdata_t); + ++/* Fetch the video console information and mode setup by Xen. */ ++#define XENPF_get_dom0_console 64 ++typedef struct dom0_vga_console_info xenpf_dom0_console_t; ++DEFINE_XEN_GUEST_HANDLE(xenpf_dom0_console_t); ++ + /* + * ` enum neg_errnoval + * ` HYPERVISOR_platform_op(const struct xen_platform_op*); +@@ -635,6 +640,7 @@ struct xen_platform_op { + xenpf_core_parking_t core_parking; + xenpf_resource_op_t resource_op; + xenpf_symdata_t symdata; ++ xenpf_dom0_console_t dom0_console; + uint8_t pad[128]; + } u; + }; +-- +2.39.0 + diff --git a/emulators/xen-kernel/files/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch b/emulators/xen-kernel/files/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch deleted file mode 100644 index bee5db0ab16c..000000000000 --- a/emulators/xen-kernel/files/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From e245bc154300b5d0367b64e8b937c9d1da508ad3 Mon Sep 17 00:00:00 2001 -From: Roger Pau Monne -Date: Fri, 18 Feb 2022 15:34:14 +0100 -Subject: [PATCH 1/2] x86/retpoline: split retpoline compiler support into - separate option -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Keep the previous option as a way to signal generic retpoline support -regardless of the underlying compiler, while introducing a new -CC_HAS_INDIRECT_THUNK that signals whether the underlying compiler -supports retpoline. - -No functional change intended. - -Signed-off-by: Roger Pau Monné -Acked-by: Andrew Cooper ---- - xen/arch/x86/Kconfig | 6 +++++- - xen/arch/x86/arch.mk | 10 ++++++---- - 2 files changed, 11 insertions(+), 5 deletions(-) - -diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig -index b4abfca46f..fe89fa7274 100644 ---- a/xen/arch/x86/Kconfig -+++ b/xen/arch/x86/Kconfig -@@ -32,9 +32,13 @@ config ARCH_DEFCONFIG - string - default "arch/x86/configs/x86_64_defconfig" - --config INDIRECT_THUNK -+config CC_HAS_INDIRECT_THUNK - def_bool $(cc-option,-mindirect-branch-register) - -+config INDIRECT_THUNK -+ def_bool y -+ depends on CC_HAS_INDIRECT_THUNK -+ - config HAS_AS_CET_SS - # binutils >= 2.29 or LLVM >= 6 - def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy) -diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk -index bfd5eaa35f..15d0cbe487 100644 ---- a/xen/arch/x86/arch.mk -+++ b/xen/arch/x86/arch.mk -@@ -42,10 +42,12 @@ CFLAGS += -mno-red-zone -fpic - # SSE setup for variadic function calls. - CFLAGS += -mno-sse $(call cc-option,$(CC),-mskip-rax-setup) - --# Compile with thunk-extern, indirect-branch-register if avaiable. 
--CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern --CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register --CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables -+ifeq ($(CONFIG_INDIRECT_THUNK),y) -+# Compile with gcc thunk-extern, indirect-branch-register if available. -+CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch=thunk-extern -+CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch-register -+CFLAGS-$(CONFIG_CC_IS_GCC) += -fno-jump-tables -+endif - - # If supported by the compiler, reduce stack alignment to 8 bytes. But allow - # this to be overridden elsewhere. --- -2.35.1 - diff --git a/emulators/xen-kernel/files/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch b/emulators/xen-kernel/files/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch deleted file mode 100644 index 42bde92c5de5..000000000000 --- a/emulators/xen-kernel/files/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 7f34b6a895d10744bab32fc843246c45da444d8b Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Tue, 25 Jan 2022 16:09:59 +0000 -Subject: [PATCH 1/2] x86/spec-ctrl: Drop use_spec_ctrl boolean - -Several bugfixes have reduced the utility of this variable from it's original -purpose, and now all it does is aid in the setup of SCF_ist_wrmsr. - -Simplify the logic by drop the variable, and doubling up the setting of -SCF_ist_wrmsr for the PV and HVM blocks, which will make the AMD SPEC_CTRL -support easier to follow. Leave a comment explaining why SCF_ist_wrmsr is -still necessary for the VMExit case. - -No functional change. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -(cherry picked from commit ec083bf552c35e10347449e21809f4780f8155d2) ---- - xen/arch/x86/spec_ctrl.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c -index c18cc8aa49..8a550d0a09 100644 ---- a/xen/arch/x86/spec_ctrl.c -+++ b/xen/arch/x86/spec_ctrl.c -@@ -927,7 +927,7 @@ static __init void mds_calculations(uint64_t caps) - void __init init_speculation_mitigations(void) - { - enum ind_thunk thunk = THUNK_DEFAULT; -- bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled; -+ bool ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa; - uint64_t caps = 0; - -@@ -1016,19 +1016,21 @@ void __init init_speculation_mitigations(void) - { - if ( opt_msr_sc_pv ) - { -- use_spec_ctrl = true; -+ default_spec_ctrl_flags |= SCF_ist_wrmsr; - setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV); - } - - if ( opt_msr_sc_hvm ) - { -- use_spec_ctrl = true; -+ /* -+ * While the guest MSR_SPEC_CTRL value is loaded/saved atomically, -+ * Xen's value is not restored atomically. An early NMI hitting -+ * the VMExit path needs to restore Xen's value for safety. 
-+ */ -+ default_spec_ctrl_flags |= SCF_ist_wrmsr; - setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); - } - -- if ( use_spec_ctrl ) -- default_spec_ctrl_flags |= SCF_ist_wrmsr; -- - if ( ibrs ) - default_xen_spec_ctrl |= SPEC_CTRL_IBRS; - } --- -2.35.1 - diff --git a/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch b/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch new file mode 100644 index 000000000000..62f912f089e7 --- /dev/null +++ b/emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch 
@@ -0,0 +1,107 @@ +From a2adacff0b91cc7b977abb209dc419a2ef15963f Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 17 Feb 2023 00:12:24 +0000 +Subject: [PATCH] xen: Work around Clang-IAS macro \@ expansion bug + +https://github.com/llvm/llvm-project/issues/60792 + +It turns out that Clang-IAS does not expand \@ uniquely in a translaition +unit, and the XSA-426 change tickles this bug: + + :4:1: error: invalid symbol redefinition + .L1_fill_rsb_loop: + ^ + make[3]: *** [Rules.mk:247: arch/x86/acpi/cpu_idle.o] Error 1 + +Extend DO_OVERWRITE_RSB with an optional parameter so C callers can mix %= in +too, which Clang does seem to expand properly. + +Fixes: 63305e5392ec ("x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions") +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +--- + xen/arch/x86/include/asm/spec_ctrl.h | 4 ++-- + xen/arch/x86/include/asm/spec_ctrl_asm.h | 19 ++++++++++++------- + 2 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h +index 3cf8a7d304..f718f94088 100644 +--- a/xen/arch/x86/include/asm/spec_ctrl.h ++++ b/xen/arch/x86/include/asm/spec_ctrl.h +@@ -83,7 +83,7 @@ static always_inline void spec_ctrl_new_guest_context(void) + wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB); + + /* (ab)use alternative_input() to specify clobbers. */ +- alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET, ++ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET, + : "rax", "rcx"); + } + +@@ -172,7 +172,7 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info) + * + * (ab)use alternative_input() to specify clobbers. 
+ */ +- alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE, ++ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE, + : "rax", "rcx"); + } + +diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h +index fab27ff553..f23bb105c5 100644 +--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h ++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h +@@ -117,11 +117,16 @@ + .L\@_done: + .endm + +-.macro DO_OVERWRITE_RSB tmp=rax ++.macro DO_OVERWRITE_RSB tmp=rax xu + /* + * Requires nothing + * Clobbers \tmp (%rax by default), %rcx + * ++ * xu is an optional parameter to add eXtra Uniqueness. It is intended for ++ * passing %= in from an asm() block, in order to work around ++ * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't ++ * expand \@ uniquely. ++ * + * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net + * change. Based on Google's performance numbers, the loop is unrolled to 16 + * iterations and two calls per iteration. +@@ -136,27 +141,27 @@ + mov $16, %ecx /* 16 iterations, two calls per loop */ + mov %rsp, %\tmp /* Store the current %rsp */ + +-.L\@_fill_rsb_loop: ++.L\@_fill_rsb_loop\xu: + + .irp n, 1, 2 /* Unrolled twice. */ +- call .L\@_insert_rsb_entry_\n /* Create an RSB entry. */ ++ call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */ + int3 /* Halt rogue speculation. */ + +-.L\@_insert_rsb_entry_\n: ++.L\@_insert_rsb_entry\xu\n: + .endr + + sub $1, %ecx +- jnz .L\@_fill_rsb_loop ++ jnz .L\@_fill_rsb_loop\xu + mov %\tmp, %rsp /* Restore old %rsp */ + + #ifdef CONFIG_XEN_SHSTK + mov $1, %ecx + rdsspd %ecx + cmp $1, %ecx +- je .L\@_shstk_done ++ je .L\@_shstk_done\xu + mov $64, %ecx /* 64 * 4 bytes, given incsspd */ + incsspd %ecx /* Restore old SSP */ +-.L\@_shstk_done: ++.L\@_shstk_done\xu: + #endif + .endm + +-- +2.39.0 + 
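Review bot: in the xen/arch/x86/include/asm/spec_ctrl_asm.h hunk the "_" separator before the .irp index is dropped, so `.L\@_insert_rsb_entry_\n` becomes `.L\@_insert_rsb_entry\xu\n` and the %= value and the loop index run together in the emitted symbol (with xu left empty, the existing asm callers now get `.L1_insert_rsb_entry1` / `.L1_insert_rsb_entry2`). The labels remain unique because \n is always a single trailing digit appended last, but `.L\@_insert_rsb_entry\xu_\n` would keep them readable in objdump output at no cost. The new parameter documentation in the macro comment is welcome; it could add one line saying that plain asm callers leave xu empty and keep relying on \@, so nobody "fixes" those call sites later.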
diff --git a/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch b/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch new file mode 100644 index 000000000000..cab6f0e93b9f --- /dev/null +++ b/emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch 
@@ -0,0 +1,78 @@ +From 22b2fa4766728c3057757c00e79da5f7803fff33 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Thu, 16 Feb 2023 22:14:12 +0000 +Subject: [PATCH] xen/x86: Remove the use of K&R functions + +Clang-15 (as seen in the FreeBSD 14 tests) complains: + + arch/x86/time.c:1364:20: error: a function declaration without a + prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] + s_time_t get_s_time() + ^ + void + +The error message is a bit confusing but appears to new as part of +-Wdeprecated-non-prototype which is part of supporting C2x which formally +removes K&R syntax. + +Either way, fix the identified functions. + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +--- + xen/arch/x86/hvm/vmx/vmcs.c | 2 +- + xen/arch/x86/time.c | 2 +- + xen/drivers/passthrough/iommu.c | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c +index 09edbd23b3..e1c268789e 100644 +--- a/xen/arch/x86/hvm/vmx/vmcs.c ++++ b/xen/arch/x86/hvm/vmx/vmcs.c +@@ -781,7 +781,7 @@ static int _vmx_cpu_up(bool bsp) + return 0; + } + +-int cf_check vmx_cpu_up() ++int cf_check vmx_cpu_up(void) + { + return _vmx_cpu_up(false); + } +diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c +index 782b11c8a9..4e44a43cc5 100644 +--- a/xen/arch/x86/time.c ++++ b/xen/arch/x86/time.c +@@ -1361,7 +1361,7 @@ s_time_t get_s_time_fixed(u64 at_tsc) + return t->stamp.local_stime + scale_delta(delta, &t->tsc_scale); + } + +-s_time_t get_s_time() ++s_time_t get_s_time(void) + { + return get_s_time_fixed(0); + } +diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c +index 921b71e819..0e187f6ae3 100644 +--- a/xen/drivers/passthrough/iommu.c ++++ b/xen/drivers/passthrough/iommu.c +@@ -606,7 +606,7 @@ int __init iommu_setup(void) + return rc; + } + +-int iommu_suspend() ++int iommu_suspend(void) + { + if ( iommu_enabled ) + return iommu_call(iommu_get_ops(), suspend); +@@ -614,7 
+614,7 @@ int iommu_suspend() + return 0; + } + +-void iommu_resume() ++void iommu_resume(void) + { + if ( iommu_enabled ) + iommu_vcall(iommu_get_ops(), resume); +-- +2.39.0 + diff --git a/emulators/xen-kernel/files/0002-x86-clang-add-retpoline-support.patch b/emulators/xen-kernel/files/0002-x86-clang-add-retpoline-support.patch deleted file mode 100644 index e650a71b59ab..000000000000 --- a/emulators/xen-kernel/files/0002-x86-clang-add-retpoline-support.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 9412486707f8f1ca2eb31c2ef330c5e39c0a2f30 Mon Sep 17 00:00:00 2001 -From: Roger Pau Monne -Date: Fri, 18 Feb 2022 15:34:15 +0100 -Subject: [PATCH 2/2] x86/clang: add retpoline support -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Detect whether the compiler supports clang retpoline option and enable -by default if available, just like it's done for gcc. - -Note clang already disables jump tables when retpoline is enabled, so -there's no need to also pass the fno-jump-tables parameter. Also clang -already passes the return address in a register always on amd64, so -there's no need for any equivalent mindirect-branch-register -parameter. - -Reported-by: Andrew Cooper -Signed-off-by: Roger Pau Monné -Acked-by: Andrew Cooper ---- - xen/arch/x86/Kconfig | 3 ++- - xen/arch/x86/arch.mk | 3 +++ - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig -index fe89fa7274..1465874097 100644 ---- a/xen/arch/x86/Kconfig -+++ b/xen/arch/x86/Kconfig -@@ -33,7 +33,8 @@ config ARCH_DEFCONFIG - default "arch/x86/configs/x86_64_defconfig" - - config CC_HAS_INDIRECT_THUNK -- def_bool $(cc-option,-mindirect-branch-register) -+ def_bool $(cc-option,-mindirect-branch-register) || \ -+ $(cc-option,-mretpoline-external-thunk) - - config INDIRECT_THUNK - def_bool y -diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk -index 15d0cbe487..edfc043dbb 100644 ---- a/xen/arch/x86/arch.mk -+++ b/xen/arch/x86/arch.mk -@@ -47,6 +47,9 @@ ifeq ($(CONFIG_INDIRECT_THUNK),y) - CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch=thunk-extern - CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch-register - CFLAGS-$(CONFIG_CC_IS_GCC) += -fno-jump-tables -+ -+# Enable clang retpoline support if available. -+CFLAGS-$(CONFIG_CC_IS_CLANG) += -mretpoline-external-thunk - endif - - # If supported by the compiler, reduce stack alignment to 8 bytes. But allow --- -2.35.1 - 
diff --git a/emulators/xen-kernel/files/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch b/emulators/xen-kernel/files/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch deleted file mode 100644 index 7b6b1e062721..000000000000 --- a/emulators/xen-kernel/files/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 08fc03c855c071e9b1aaaa96403f2a90433336a7 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Tue, 25 Jan 2022 17:14:48 +0000 -Subject: [PATCH 2/2] x86/spec-ctrl: Introduce new has_spec_ctrl boolean - -Most MSR_SPEC_CTRL setup will be common between Intel and AMD. Instead of -opencoding an OR of two features everywhere, introduce has_spec_ctrl instead. - -Reword the comment above the Intel specific alternatives block to highlight -that it is Intel specific, and pull the setting of default_xen_spec_ctrl.IBRS -out because it will want to be common. - -No functional change. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -(cherry picked from commit 5d9eff3a312763d889cfbf3c8468b6dfb3ab490c) ---- - xen/arch/x86/spec_ctrl.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c -index 8a550d0a09..2072daf662 100644 ---- a/xen/arch/x86/spec_ctrl.c -+++ b/xen/arch/x86/spec_ctrl.c -@@ -927,7 +927,7 @@ static __init void mds_calculations(uint64_t caps) - void __init init_speculation_mitigations(void) - { - enum ind_thunk thunk = THUNK_DEFAULT; -- bool ibrs = false, hw_smt_enabled; -+ bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa; - uint64_t caps = 0; - -@@ -936,6 +936,8 @@ void __init init_speculation_mitigations(void) - - hw_smt_enabled = check_smt_enabled(); - -+ has_spec_ctrl = boot_cpu_has(X86_FEATURE_IBRSB); -+ - /* - * First, disable the use of retpolines if Xen is using shadow stacks, as - * they are incompatible. -@@ -973,11 +975,11 @@ void __init init_speculation_mitigations(void) - */ - else if ( retpoline_safe(caps) ) - thunk = THUNK_RETPOLINE; -- else if ( boot_cpu_has(X86_FEATURE_IBRSB) ) -+ else if ( has_spec_ctrl ) - ibrs = true; - } - /* Without compiler thunk support, use IBRS if available. 
*/ -- else if ( boot_cpu_has(X86_FEATURE_IBRSB) ) -+ else if ( has_spec_ctrl ) - ibrs = true; - } - -@@ -1008,10 +1010,7 @@ void __init init_speculation_mitigations(void) - else if ( thunk == THUNK_JMP ) - setup_force_cpu_cap(X86_FEATURE_IND_THUNK_JMP); - -- /* -- * If we are on hardware supporting MSR_SPEC_CTRL, see about setting up -- * the alternatives blocks so we can virtualise support for guests. -- */ -+ /* Intel hardware: MSR_SPEC_CTRL alternatives setup. */ - if ( boot_cpu_has(X86_FEATURE_IBRSB) ) - { - if ( opt_msr_sc_pv ) -@@ -1030,11 +1029,12 @@ void __init init_speculation_mitigations(void) - default_spec_ctrl_flags |= SCF_ist_wrmsr; - setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); - } -- -- if ( ibrs ) -- default_xen_spec_ctrl |= SPEC_CTRL_IBRS; - } - -+ /* If we have IBRS available, see whether we should use it. */ -+ if ( has_spec_ctrl && ibrs ) -+ default_xen_spec_ctrl |= SPEC_CTRL_IBRS; -+ - /* If we have SSBD available, see whether we should use it. */ - if ( boot_cpu_has(X86_FEATURE_SSBD) && opt_ssbd ) - default_xen_spec_ctrl |= SPEC_CTRL_SSBD; -@@ -1268,7 +1268,7 @@ void __init init_speculation_mitigations(void) - * boot won't have any other code running in a position to mount an - * attack. - */ -- if ( boot_cpu_has(X86_FEATURE_IBRSB) ) -+ if ( has_spec_ctrl ) - { - bsp_delay_spec_ctrl = !cpu_has_hypervisor && default_xen_spec_ctrl; - --- -2.35.1 - diff --git a/emulators/xen-kernel/files/xsa395.patch b/emulators/xen-kernel/files/xsa395.patch deleted file mode 100644 index 13b731102d41..000000000000 --- a/emulators/xen-kernel/files/xsa395.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 4cc924c3e3a0d53306d08b04720c427d1c298ba8 Mon Sep 17 00:00:00 2001 -From: Julien Grall -Date: Wed, 5 Jan 2022 18:09:20 +0000 -Subject: [PATCH] passthrough/x86: stop pirq iteration immediately in case of - error - -pt_pirq_iterate() will iterate in batch over all the PIRQs. The outer -loop will bail out if 'rc' is non-zero but the inner loop will continue. - -This means 'rc' will get clobbered and we may miss any errors (such as --ERESTART in the case of the callback pci_clean_dpci_irq()). - -This is CVE-2022-23035 / XSA-395. - -Fixes: c24536b636f2 ("replace d->nr_pirqs sized arrays with radix tree") -Fixes: f6dd295381f4 ("dpci: replace tasklet with softirq") -Signed-off-by: Julien Grall -Signed-off-by: Jan Beulich -Reviewed-by: Roger Pau Monné ---- - xen/drivers/passthrough/x86/hvm.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/xen/drivers/passthrough/x86/hvm.c b/xen/drivers/passthrough/x86/hvm.c -index 351daafdc9bf..0b37cd145b60 100644 ---- a/xen/drivers/passthrough/x86/hvm.c -+++ b/xen/drivers/passthrough/x86/hvm.c -@@ -732,7 +732,11 @@ int pt_pirq_iterate(struct domain *d, - - pirq = pirqs[i]->pirq; - if ( (pirq_dpci->flags & HVM_IRQ_DPCI_MAPPED) ) -+ { - rc = cb(d, pirq_dpci, arg); -+ if ( rc ) -+ break; -+ } - } - } while ( !rc && ++pirq < d->nr_pirqs && n == ARRAY_SIZE(pirqs) ); - --- -2.32.0 - diff --git a/emulators/xen-kernel/files/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch b/emulators/xen-kernel/files/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch deleted file mode 100644 index 7c28ac096ad0..000000000000 --- a/emulators/xen-kernel/files/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From c374a8c5cc74535e16410b7a0d9e92bf5de54f79 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Mon, 7 Mar 2022 16:35:52 +0000 -Subject: x86/spec-ctrl: Cease using thunk=lfence on AMD - -AMD have updated their Spectre v2 guidance, and lfence/jmp is no longer -considered safe. AMD are recommending using retpoline everywhere. - -Retpoline is incompatible with CET. All CET-capable hardware has efficient -IBRS (specifically, not something retrofitted in microcode), so use IBRS (and -STIBP for consistency sake). - -This is a logical change on AMD, but not on Intel as the default calculations -would end up with these settings anyway. Leave behind a message if IBRS is -found to be missing. - -Also update the default heuristics to never select THUNK_LFENCE. This causes -AMD CPUs to change their default to retpoline. - -Also update the printed message to include the AMD MSR_SPEC_CTRL settings, and -STIBP now that we set it for consistency sake. - -This is part of XSA-398 / CVE-2021-26401. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -(cherry picked from commit 8d03080d2a339840d3a59e0932a94f804e45110d) - -diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc -index 995197f4b23e..f606dc0e14c1 100644 ---- a/docs/misc/xen-command-line.pandoc -+++ b/docs/misc/xen-command-line.pandoc -@@ -2269,9 +2269,9 @@ to use. - - If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to - select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` --locations. The default thunk is `retpoline` (generally preferred for Intel --hardware), with the alternatives being `jmp` (a `jmp *%reg` gadget, minimal --overhead), and `lfence` (an `lfence; jmp *%reg` gadget, preferred for AMD). -+locations. The default thunk is `retpoline` (generally preferred), with the -+alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and -+`lfence` (an `lfence; jmp *%reg` gadget). 
- - On hardware supporting IBRS (Indirect Branch Restricted Speculation), the - `ibrs=` option can be used to force or prevent Xen using the feature itself. -diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c -index cbeeb199037e..ae076bec3ab0 100644 ---- a/xen/arch/x86/spec_ctrl.c -+++ b/xen/arch/x86/spec_ctrl.c -@@ -367,14 +367,19 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) - "\n"); - - /* Settings for Xen's protection, irrespective of guests. */ -- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n", -+ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s, Other:%s%s%s%s%s\n", - thunk == THUNK_NONE ? "N/A" : - thunk == THUNK_RETPOLINE ? "RETPOLINE" : - thunk == THUNK_LFENCE ? "LFENCE" : - thunk == THUNK_JMP ? "JMP" : "?", -- !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : -+ (!boot_cpu_has(X86_FEATURE_IBRSB) && -+ !boot_cpu_has(X86_FEATURE_IBRS)) ? "No" : - (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", -- !boot_cpu_has(X86_FEATURE_SSBD) ? "" : -+ (!boot_cpu_has(X86_FEATURE_STIBP) && -+ !boot_cpu_has(X86_FEATURE_AMD_STIBP)) ? "" : -+ (default_xen_spec_ctrl & SPEC_CTRL_STIBP) ? " STIBP+" : " STIBP-", -+ (!boot_cpu_has(X86_FEATURE_SSBD) && -+ !boot_cpu_has(X86_FEATURE_AMD_SSBD)) ? "" : - (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", - !(caps & ARCH_CAPS_TSX_CTRL) ? "" : - (opt_tsx & 1) ? " TSX+" : " TSX-", -@@ -945,10 +950,23 @@ void __init init_speculation_mitigations(void) - /* - * First, disable the use of retpolines if Xen is using shadow stacks, as - * they are incompatible. -+ * -+ * In the absence of retpolines, IBRS needs to be used for speculative -+ * safety. All CET-capable hardware has efficient IBRS. - */ -- if ( cpu_has_xen_shstk && -- (opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE) ) -- thunk = THUNK_JMP; -+ if ( cpu_has_xen_shstk ) -+ { -+ if ( !has_spec_ctrl ) -+ printk(XENLOG_WARNING "?!? 
CET active, but no MSR_SPEC_CTRL?\n"); -+ else if ( opt_ibrs == -1 ) -+ { -+ opt_ibrs = ibrs = true; -+ default_xen_spec_ctrl |= SPEC_CTRL_IBRS | SPEC_CTRL_STIBP; -+ } -+ -+ if ( opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE ) -+ thunk = THUNK_JMP; -+ } - - /* - * Has the user specified any custom BTI mitigations? If so, follow their -@@ -968,16 +986,10 @@ void __init init_speculation_mitigations(void) - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) ) - { - /* -- * AMD's recommended mitigation is to set lfence as being dispatch -- * serialising, and to use IND_THUNK_LFENCE. -- */ -- if ( cpu_has_lfence_dispatch ) -- thunk = THUNK_LFENCE; -- /* -- * On Intel hardware, we'd like to use retpoline in preference to -+ * On all hardware, we'd like to use retpoline in preference to - * IBRS, but only if it is safe on this hardware. - */ -- else if ( retpoline_safe(caps) ) -+ if ( retpoline_safe(caps) ) - thunk = THUNK_RETPOLINE; - else if ( has_spec_ctrl ) - ibrs = true; diff --git a/emulators/xen-kernel/files/xsa425.patch b/emulators/xen-kernel/files/xsa425.patch new file mode 100644 index 000000000000..b36732025e83 --- /dev/null +++ b/emulators/xen-kernel/files/xsa425.patch 
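Review bot: the same concern applies, with higher stakes, to dropping xsa398-4.16-6: this patch changes default mitigation selection rather than fixing a single bug (it removes the `cpu_has_lfence_dispatch` branch so AMD hosts default to retpoline instead of THUNK_LFENCE, and under CET it sets `opt_ibrs = ibrs = true` with IBRS|STIBP in default_xen_spec_ctrl), so removing it without an equivalent change in the new base would silently weaken Spectre v2 mitigation on AMD hardware; please confirm the replacement sources carry upstream commit 8d03080d2a33, which the patch names as its cherry-pick origin. For the record, the CET hunk being deleted only handles `opt_ibrs == -1`: with an explicit `ibrs=0` on the command line it still falls through to `thunk = THUNK_JMP` with neither retpoline nor IBRS and prints no warning, which is worth knowing if anyone carries this patch forward locally.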
@@ -0,0 +1,132 @@ +From: Jason Andryuk +Subject: Revert "tools/xenstore: simplify loop handling connection I/O" + +I'm observing guest kexec trigger xenstored to abort on a double free. + +gdb output: +Program received signal SIGABRT, Aborted. +__pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44 +44 ./nptl/pthread_kill.c: No such file or directory. +(gdb) bt + at ./nptl/pthread_kill.c:44 + at ./nptl/pthread_kill.c:78 + at ./nptl/pthread_kill.c:89 + at ../sysdeps/posix/raise.c:26 + at talloc.c:119 + ptr=ptr@entry=0x559fae724290) at talloc.c:232 + at xenstored_core.c:2945 +(gdb) frame 5 + at talloc.c:119 +119 TALLOC_ABORT("Bad talloc magic value - double free"); +(gdb) frame 7 + at xenstored_core.c:2945 +2945 talloc_increase_ref_count(conn); +(gdb) p conn +$1 = (struct connection *) 0x559fae724290 + +Looking at a xenstore trace, we have: +IN 0x559fae71f250 20230120 17:40:53 READ (/local/domain/3/image/device-model-dom +id ) +wrl: dom 0 1 msec 10000 credit 1000000 reserve 100 disc +ard +wrl: dom 3 1 msec 10000 credit 1000000 reserve 100 disc +ard +wrl: dom 0 0 msec 10000 credit 1000000 reserve 0 disc +ard +wrl: dom 3 0 msec 10000 credit 1000000 reserve 0 disc +ard +OUT 0x559fae71f250 20230120 17:40:53 ERROR (ENOENT ) +wrl: dom 0 1 msec 10000 credit 1000000 reserve 100 disc +ard +wrl: dom 3 1 msec 10000 credit 1000000 reserve 100 disc +ard +IN 0x559fae71f250 20230120 17:40:53 RELEASE (3 ) +DESTROY watch 0x559fae73f630 +DESTROY watch 0x559fae75ddf0 +DESTROY watch 0x559fae75ec30 +DESTROY watch 0x559fae75ea60 +DESTROY watch 0x559fae732c00 +DESTROY watch 0x559fae72cea0 +DESTROY watch 0x559fae728fc0 +DESTROY watch 0x559fae729570 +DESTROY connection 0x559fae724290 +orphaned node /local/domain/3/device/suspend/event-channel deleted +orphaned node /local/domain/3/device/vbd/51712 deleted +orphaned node /local/domain/3/device/vkbd/0 deleted +orphaned node /local/domain/3/device/vif/0 deleted +orphaned node 
/local/domain/3/control/shutdown deleted +orphaned node /local/domain/3/control/feature-poweroff deleted +orphaned node /local/domain/3/control/feature-reboot deleted +orphaned node /local/domain/3/control/feature-suspend deleted +orphaned node /local/domain/3/control/feature-s3 deleted +orphaned node /local/domain/3/control/feature-s4 deleted +orphaned node /local/domain/3/control/sysrq deleted +orphaned node /local/domain/3/data deleted +orphaned node /local/domain/3/drivers deleted +orphaned node /local/domain/3/feature deleted +orphaned node /local/domain/3/attr deleted +orphaned node /local/domain/3/error deleted +orphaned node /local/domain/3/console/backend-id deleted + +and no further output. + +The trace shows that DESTROY was called for connection 0x559fae724290, +but that is the same pointer (conn) main() was looping through from +connections. So it wasn't actually removed from the connections list? + +Reverting commit e8e6e42279a5 "tools/xenstore: simplify loop handling +connection I/O" fixes the abort/double free. I think the use of +list_for_each_entry_safe is incorrect. list_for_each_entry_safe makes +traversal safe for deleting the current iterator, but RELEASE/do_release +will delete some other entry in the connections list. I think the +observed abort is because list_for_each_entry has next pointing to the +deleted connection, and it is used in the subsequent iteration. + +Add a comment explaining the unsuitability of list_for_each_entry_safe. +Also notice that the old code takes a reference on next which would +prevents a use-after-free. + +This reverts commit e8e6e42279a5723239c5c40ba4c7f579a979465d. + +This is XSA-425/CVE-2022-42330. 
+ +Fixes: e8e6e42279a5 ("tools/xenstore: simplify loop handling connection I/O") +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Reviewed-by: Julien Grall +--- + tools/xenstore/xenstored_core.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c +index 78a3edaa4e..029e3852fc 100644 +--- a/tools/xenstore/xenstored_core.c ++++ b/tools/xenstore/xenstored_core.c +@@ -2941,8 +2941,23 @@ int main(int argc, char *argv[]) + } + } + +- list_for_each_entry_safe(conn, next, &connections, list) { +- talloc_increase_ref_count(conn); ++ /* ++ * list_for_each_entry_safe is not suitable here because ++ * handle_input may delete entries besides the current one, but ++ * those may be in the temporary next which would trigger a ++ * use-after-free. list_for_each_entry_safe is only safe for ++ * deleting the current entry. ++ */ ++ next = list_entry(connections.next, typeof(*conn), list); ++ if (&next->list != &connections) ++ talloc_increase_ref_count(next); ++ while (&next->list != &connections) { ++ conn = next; ++ ++ next = list_entry(conn->list.next, ++ typeof(*conn), list); ++ if (&next->list != &connections) *** 475 LINES SKIPPED ***
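Review bot: in the restored loop in main(), `talloc_increase_ref_count(next)` is taken on the connection the loop will visit next before `conn` is processed, which is what prevents handle_input() freeing it via do_release() and causing the double free in the trace; the matching drop of that reference is in the part of the hunk cut off at "*** 475 LINES SKIPPED ***", so please check the full file that the reference is released on every path out of the loop body (including any early continue), otherwise every released connection leaks a talloc reference instead of being freed. It is also worth confirming the revert applies to the port's xenstored_core.c at the index line shown (78a3edaa4e..029e3852fc), since the advisory patch is written against upstream and not a FreeBSD-patched tree.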