xen: update to 4.5.0.

This commit is contained in:
Juan RP 2015-01-15 16:00:35 +01:00
parent 663c61444d
commit 59294f2533
5 changed files with 7 additions and 237 deletions


@ -445,10 +445,10 @@ libparted.so.2 libparted-3.1_1
libparted-fs-resize.so.0 libparted-3.1_1
libntfs-3g.so.85 ntfs-3g-2014.2.15_1
libruby.so.2.2 ruby-2.2.0_1
libxenctrl.so.4.4 xen-libs-4.4_1<4.5
libxenguest.so.4.4 xen-libs-4.4_1<4.5
libxenctrl.so.4.5 xen-libs-4.5<4.6_1
libxenguest.so.4.5 xen-libs-4.5<4.6_1
libxlutil.so.4.3 xen-libs-4.3_1
libxenlight.so.4.4 xen-libs-4.4_1<4.5
libxenlight.so.4.5 xen-libs-4.5<4.6_1
libxenstore.so.3.0 xen-libs-4.2.2_2
libvhd.so.1.0 xen-libs-4.2.2_2
libxenstat.so.0 xen-libs-4.2.2_2


@ -1,37 +0,0 @@
x86/emulate: check cpl for all privileged instructions
Without this, it is possible for userspace to load its own IDT or GDT.
This is XSA-105.
Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Andrei LUTAS <vlutas@bitdefender.com>
--- xen/arch/x86/x86_emulate/x86_emulate.c
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -3314,6 +3314,7 @@ x86_emulate(
goto swint;
case 0xf4: /* hlt */
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
ctxt->retire.flags.hlt = 1;
break;
@@ -3710,6 +3711,7 @@ x86_emulate(
break;
case 2: /* lgdt */
case 3: /* lidt */
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
fail_if(ops->write_segment == NULL);
memset(&reg, 0, sizeof(reg));
@@ -3738,6 +3740,7 @@ x86_emulate(
case 6: /* lmsw */
fail_if(ops->read_cr == NULL);
fail_if(ops->write_cr == NULL);
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
goto done;
if ( ea.type == OP_REG )


@ -1,36 +0,0 @@
x86/HVM: properly bound x2APIC MSR range
While the write path change appears to be purely cosmetic (but still
gets done here for consistency), the read side mistake permitted
accesses beyond the virtual APIC page.
Note that while this isn't fully in line with the specification
(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
possible fix addressing the security issue and getting x2APIC related
code into a consistent shape (elsewhere a 256 rather than 1024 wide
window is being used too). This will be dealt with subsequently.
This is XSA-108.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- xen/arch/x86/hvm/hvm.c
+++ xen/arch/x86/hvm/hvm.c
@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int
*msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
break;
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
if ( hvm_x2apic_msr_read(v, msr, msr_content) )
goto gp_fault;
break;
@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int
vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
break;
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
if ( hvm_x2apic_msr_write(v, msr, msr_content) )
goto gp_fault;
break;


@ -1,156 +0,0 @@
x86emul: enforce privilege level restrictions when loading CS
Privilege level checks were basically missing for the CS case, the
only check that was done (RPL == DPL for nonconforming segments)
was solely covering a single special case (return to non-conforming
segment).
Additionally in long mode the L bit set requires the D bit to be clear,
as was recently pointed out for KVM by Nadav Amit
<namit@cs.technion.ac.il>.
Finally we also need to force the loaded selector's RPL to CPL (at
least as long as lret/retf emulation doesn't support privilege level
changes).
This is XSA-110.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- xen/arch/x86/x86_emulate/x86_emulate.c
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1119,7 +1119,7 @@ realmode_load_seg(
static int
protmode_load_seg(
enum x86_segment seg,
- uint16_t sel,
+ uint16_t sel, bool_t is_ret,
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
@@ -1185,9 +1185,23 @@ protmode_load_seg(
/* Code segment? */
if ( !(desc.b & (1u<<11)) )
goto raise_exn;
- /* Non-conforming segment: check DPL against RPL. */
- if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) )
+ if ( is_ret
+ ? /*
+ * Really rpl < cpl, but our sole caller doesn't handle
+ * privilege level changes.
+ */
+ rpl != cpl || (desc.b & (1 << 10) ? dpl > rpl : dpl != rpl)
+ : desc.b & (1 << 10)
+ /* Conforming segment: check DPL against CPL. */
+ ? dpl > cpl
+ /* Non-conforming segment: check RPL and DPL against CPL. */
+ : rpl > cpl || dpl != cpl )
goto raise_exn;
+ /* 64-bit code segments (L bit set) must have D bit clear. */
+ if ( in_longmode(ctxt, ops) &&
+ (desc.b & (1 << 21)) && (desc.b & (1 << 22)) )
+ goto raise_exn;
+ sel = (sel ^ rpl) | cpl;
break;
case x86_seg_ss:
/* Writable data segment? */
@@ -1252,7 +1266,7 @@ protmode_load_seg(
static int
load_seg(
enum x86_segment seg,
- uint16_t sel,
+ uint16_t sel, bool_t is_ret,
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
@@ -1261,7 +1275,7 @@ load_seg(
return X86EMUL_UNHANDLEABLE;
if ( in_protmode(ctxt, ops) )
- return protmode_load_seg(seg, sel, ctxt, ops);
+ return protmode_load_seg(seg, sel, is_ret, ctxt, ops);
return realmode_load_seg(seg, sel, ctxt, ops);
}
@@ -2003,7 +2017,7 @@ x86_emulate(
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
&dst.val, op_bytes, ctxt, ops)) != 0 )
goto done;
- if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(src.val, dst.val, 0, ctxt, ops)) != 0 )
return rc;
break;
@@ -2357,7 +2371,7 @@ x86_emulate(
enum x86_segment seg = decode_segment(modrm_reg);
generate_exception_if(seg == decode_segment_failed, EXC_UD, -1);
generate_exception_if(seg == x86_seg_cs, EXC_UD, -1);
- if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(seg, src.val, 0, ctxt, ops)) != 0 )
goto done;
if ( seg == x86_seg_ss )
ctxt->retire.flags.mov_ss = 1;
@@ -2438,7 +2452,7 @@ x86_emulate(
&_regs.eip, op_bytes, ctxt)) )
goto done;
- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
goto done;
_regs.eip = eip;
break;
@@ -2662,7 +2676,7 @@ x86_emulate(
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes,
&sel, 2, ctxt, ops)) != 0 )
goto done;
- if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(dst.val, sel, 0, ctxt, ops)) != 0 )
goto done;
dst.val = src.val;
break;
@@ -2736,7 +2750,7 @@ x86_emulate(
&dst.val, op_bytes, ctxt, ops)) ||
(rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset),
&src.val, op_bytes, ctxt, ops)) ||
- (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) )
+ (rc = load_seg(x86_seg_cs, src.val, 1, ctxt, ops)) )
goto done;
_regs.eip = dst.val;
break;
@@ -2785,7 +2799,7 @@ x86_emulate(
_regs.eflags &= mask;
_regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02;
_regs.eip = eip;
- if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, cs, 1, ctxt, ops)) != 0 )
goto done;
break;
}
@@ -3415,7 +3429,7 @@ x86_emulate(
generate_exception_if(mode_64bit(), EXC_UD, -1);
eip = insn_fetch_bytes(op_bytes);
sel = insn_fetch_type(uint16_t);
- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
goto done;
_regs.eip = eip;
break;
@@ -3714,7 +3728,7 @@ x86_emulate(
goto done;
}
- if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+ if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
goto done;
_regs.eip = src.val;
@@ -3781,7 +3795,7 @@ x86_emulate(
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1);
generate_exception_if(!mode_ring0(), EXC_GP, 0);
if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr,
- src.val, ctxt, ops)) != 0 )
+ src.val, 0, ctxt, ops)) != 0 )
goto done;
break;


@ -1,14 +1,14 @@
# Template file for 'xen'
pkgname=xen
version=4.4.1
wrksrc=xen-${version}
revision=6
version=4.5.0
wrksrc="xen-${version}"
revision=1
short_desc="The Xen hypervisor utilities"
maintainer="Juan RP <xtraeme@gmail.com>"
homepage="http://xen.org"
license="GPL-2"
distfiles="http://bits.xensource.com/oss-xen/release/$version/xen-$version.tar.gz"
checksum=55b49d3c4575d7791275125ff87c0f86f1d1e0f7f2718b6fd1c4f88a9bc7ea25
checksum=5bdb40e2b28d2eeb541bd71a9777f40cbe2ae444b987521d33f099541a006f3b
only_for_archs="x86_64"
@ -19,7 +19,6 @@ makedepends="
ncurses-devel liblzma-devel python-devel yajl-devel libuuid-devel libglib-devel
dev86 acpica-utils pixman-devel gcc-multilib"
depends="xen-hypervisor"
replaces="runit-void<20141013_2"
build_options="systemd"
make_dirs="