system/xen: XSA 207-210 update.
Signed-off-by: Mario Preksavec <mario@slackware.hr>
This commit is contained in:
parent
a0974db744
commit
8b6291f727
8 changed files with 369 additions and 1 deletions
|
@ -24,7 +24,7 @@
|
|||
|
||||
PRGNAM=xen
|
||||
VERSION=${VERSION:-4.8.0}
|
||||
BUILD=${BUILD:-1}
|
||||
BUILD=${BUILD:-2}
|
||||
TAG=${TAG:-_SBo}
|
||||
|
||||
SEABIOS=${SEABIOS:-1.10.0}
|
||||
|
|
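--- a/system/xen/xsa/xsa207.patch
+++ b/system/xen/xsa/xsa207.patch
@@ -0,0 +1,31 @@
+From: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Subject: IOMMU: always call teardown callback
+
+There is a possible scenario when (d)->need_iommu remains unset
+during guest domain execution. For example, when no devices
+were assigned to it. Taking into account that teardown callback
+is not called when (d)->need_iommu is unset we might have unreleased
+resourses after destroying domain.
+
+So, always call teardown callback to roll back actions
+that were performed in init callback.
+
+This is XSA-207.
+
+Signed-off-by: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Julien Grall <julien.grall@arm.com>
+
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain
+if ( !iommu_enabled || !dom_iommu(d)->platform_ops )
+return;
+
+- if ( need_iommu(d) )
+- iommu_teardown(d);
++ iommu_teardown(d);
+
+arch_iommu_domain_destroy(d);
+}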
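--- a/system/xen/xsa/xsa208-qemut.patch
+++ b/system/xen/xsa/xsa208-qemut.patch
@@ -0,0 +1,56 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+hw/cirrus_vga.c | 7 +++----
+1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..364e22d 100644
+--- a/hw/cirrus_vga.c
++++ b/hw/cirrus_vga.c
+@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+{
+if (pitch < 0) {
+int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vram_size) {
+return true;
+}
+} else {
+--
+2.1.4
+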
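--- a/system/xen/xsa/xsa208-qemuu.patch
+++ b/system/xen/xsa/xsa208-qemuu.patch
@@ -0,0 +1,54 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+hw/display/cirrus_vga.c | 7 +++----
+1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index bdb092e..3bbe3d5 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+}
+if (pitch < 0) {
+int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max > s->vga.vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vga.vram_size) {
+return true;
+}
+} else {
+--
+1.8.3.1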
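--- a/system/xen/xsa/xsa209-qemut.patch
+++ b/system/xen/xsa/xsa209-qemut.patch
@@ -0,0 +1,54 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..45facb6 100644
+--- a/hw/cirrus_vga.c
++++ b/hw/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+{
+int w;
+
++ if (blit_is_unsafe(s)) {
++ return 0;
++ }
++
+s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+}
+s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+}
++
++ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+s->cirrus_srcptr = s->cirrus_bltbuf;
+s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+cirrus_update_memory_access(s);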
@ -0,0 +1,72 @@
|
|||
From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Tue, 21 Feb 2017 10:54:38 -0800
|
||||
Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
|
||||
blit_is_unsafe
|
||||
|
||||
Commit 4299b90 added a check which is too broad, given that the source
|
||||
pitch value is not required to be initialized for solid fill operations.
|
||||
This patch refines the blit_is_unsafe() check to ignore source pitch in
|
||||
that case. After applying the above commit as a security patch, we
|
||||
noticed the SLES 11 SP4 guest gui failed to initialize properly.
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
Message-id: 20170109203520.5619-1-brogers@suse.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 7bf3707..34a6900 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
{
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
+ if (dst_only) {
|
||||
+ return false;
|
||||
+ }
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
|
||||
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s)) {
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 21 Feb 2017 10:54:59 -0800
|
||||
Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
|
||||
cirrus_bitblt_cputovideo
|
||||
|
||||
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
|
||||
and blit width, at all. Oops. Fix it.
|
||||
|
||||
Security impact: high.
|
||||
|
||||
The missing blit destination check allows to write to host memory.
|
||||
Basically same as CVE-2014-8106 for the other blit variants.
|
||||
|
||||
The missing blit width check allows to overflow cirrus_bltbuf,
|
||||
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
|
||||
position) being located right after cirrus_bltbuf in CirrusVGAState.
|
||||
|
||||
Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
|
||||
hasn't full control over cirrus_srcptr though, only one byte can be
|
||||
changed. Once the first byte has been modified further writes land
|
||||
elsewhere.
|
||||
|
||||
[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
|
||||
|
||||
Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 34a6900..5901250 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
|
||||
{
|
||||
int w;
|
||||
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
|
||||
s->cirrus_srcptr = &s->cirrus_bltbuf[0];
|
||||
s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
|
||||
@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
|
||||
}
|
||||
s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
|
||||
}
|
||||
+
|
||||
+ /* the blit_is_unsafe call above should catch this */
|
||||
+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
|
||||
+
|
||||
s->cirrus_srcptr = s->cirrus_bltbuf;
|
||||
s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
|
||||
cirrus_update_memory_access(s);
|
||||
--
|
||||
2.1.4
|
||||
|
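--- a/system/xen/xsa/xsa210.patch
+++ b/system/xen/xsa/xsa210.patch
@@ -0,0 +1,41 @@
+From: Julien Grall <julien.grall@arm.com>
+Subject: arm/p2m: remove the page from p2m->pages list before freeing it
+
+The p2m code is using the page list field to link all the pages used
+for the stage-2 page tables. The page is added into the p2m->pages
+list just after the allocation but never removed from the list.
+
+The page list field is also used by the allocator, not removing may
+result a later Xen crash due to inconsistency (see [1]).
+
+This bug was introduced by the reworking of p2m code in commit 2ef3e36ec7
+"xen/arm: p2m: Introduce p2m_set_entry and __p2m_set_entry".
+
+[1] https://lists.xenproject.org/archives/html/xen-devel/2017-02/msg00524.html
+
+Reported-by: Vijaya Kumar K <Vijaya.Kumar@cavium.com>
+Signed-off-by: Julien Grall <julien.grall@arm.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+
+--- a/xen/arch/arm/p2m.c
++++ b/xen/arch/arm/p2m.c
+@@ -660,6 +660,7 @@ static void p2m_free_entry(struct p2m_domain *p2m,
+unsigned int i;
+lpae_t *table;
+mfn_t mfn;
++ struct page_info *pg;
+
+/* Nothing to do if the entry is invalid. */
+if ( !p2m_valid(entry) )
+@@ -697,7 +698,10 @@ static void p2m_free_entry(struct p2m_domain *p2m,
+mfn = _mfn(entry.p2m.base);
+ASSERT(mfn_valid(mfn_x(mfn)));
+
+- free_domheap_page(mfn_to_page(mfn_x(mfn)));
++ pg = mfn_to_page(mfn_x(mfn));
++
++ page_list_del(pg, &p2m->pages);
++ free_domheap_page(pg);
+}
+
+static bool p2m_split_superpage(struct p2m_domain *p2m, lpae_t *entry,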