From aee8f0789f13ebd995f26a7ef4a057acdc38bf20 Mon Sep 17 00:00:00 2001
From: Juan RP <xtraeme@gmail.com>
Date: Wed, 15 Oct 2014 18:20:01 +0200
Subject: [PATCH] xen: patch for XSA-108.

---
 srcpkgs/xen/patches/xsa108.patch | 36 ++++++++++++++++++++++++++++++++
 srcpkgs/xen/template             |  4 +---
 2 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/xen/patches/xsa108.patch

diff --git a/srcpkgs/xen/patches/xsa108.patch b/srcpkgs/xen/patches/xsa108.patch
new file mode 100644
index 0000000000..85cf443793
--- /dev/null
+++ b/srcpkgs/xen/patches/xsa108.patch
@@ -0,0 +1,36 @@
+x86/HVM: properly bound x2APIC MSR range
+
+While the write path change appears to be purely cosmetic (but still
+gets done here for consistency), the read side mistake permitted
+accesses beyond the virtual APIC page.
+
+Note that while this isn't fully in line with the specification
+(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
+possible fix addressing the security issue and getting x2APIC related
+code into a consistent shape (elsewhere a 256 rather than 1024 wide
+window is being used too). This will be dealt with subsequently.
+
+This is XSA-108.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/arch/x86/hvm/hvm.c
++++ xen/arch/x86/hvm/hvm.c
+@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int 
+         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+             goto gp_fault;
+         break;
+@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int
+         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+             goto gp_fault;
+         break;
diff --git a/srcpkgs/xen/template b/srcpkgs/xen/template
index 124398b7a9..d4b3787793 100644
--- a/srcpkgs/xen/template
+++ b/srcpkgs/xen/template
@@ -2,7 +2,7 @@
 pkgname=xen
 version=4.4.1
 wrksrc=xen-${version}
-revision=3
+revision=4
 short_desc="The Xen hypervisor utilities"
 maintainer="Juan RP <xtraeme@gmail.com>"
 homepage="http://xen.org"
@@ -117,7 +117,6 @@ do_install() {
 
 xen-hypervisor_package() {
 	short_desc="Xen Hypervisor"
-	replaces="xen<4.3.1_2"
 	nostrip_files="xen-syms-${version}"
 	pkg_install() {
 		vmove boot
@@ -134,7 +133,6 @@ xen-devel_package() {
 }
 xen-libs_package() {
 	short_desc+=" - runtime libraries"
-	replaces="xen<4.3.1_2"
 	pkg_install() {
 		vmove "usr/lib/*.so.*"
 	}