head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.2 pkgsrc-2013Q2-base:1.2 pkgsrc-2013Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2013.05.03.16.48.38; author drochner; state dead; branches; next 1.1; 1.1 date 2013.04.19.14.02.45; author bouyer; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2013.04.19.14.02.45; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2013.04.24.22.25.48; author tron; state Exp; branches; next ; desc @@ 1.2 log @update to 4.1.5 This integrates fixes for all vulnerabilities which were patched in pkgsrc before. Among many bug fixes and improvements (around 50 since Xen 4.1.4): * ACPI APEI/ERST finally working on production systems * Bug fixes for other low level system state handling * Support for xz compressed Dom0 and DomU kernels @ text @$NetBSD: patch-CVE-2013-1964-1,v 1.1 2013/04/19 14:02:45 bouyer Exp $ http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html --- xen/common/grant_table.c.orig +++ xen/common/grant_table.c @@@@ -598,7 +598,7 @@@@ __gnttab_map_grant_ref( act->start = 0; act->length = PAGE_SIZE; act->is_sub_page = 0; - act->trans_dom = rd->domain_id; + act->trans_domain = rd; act->trans_gref = op->ref; } } @@@@ -1629,11 +1629,10 @@@@ __release_grant_for_copy( struct active_grant_entry *act; unsigned long r_frame; uint16_t *status; - domid_t trans_domid; grant_ref_t trans_gref; int released_read; int released_write; - struct domain *trans_dom; + struct domain *td; released_read = 0; released_write = 0; @@@@ -1647,15 +1646,13 @@@@ __release_grant_for_copy( if (rd->grant_table->gt_version == 1) { status = &sha->flags; - trans_domid = rd->domain_id; - /* Shut the compiler up. This'll never be used, because - trans_domid == rd->domain_id, but gcc doesn't know that. 
*/ - trans_gref = 0x1234567; + td = rd; + trans_gref = gref; } else { status = &status_entry(rd->grant_table, gref); - trans_domid = act->trans_dom; + td = act->trans_domain; trans_gref = act->trans_gref; } @@@@ -1683,21 +1680,16 @@@@ __release_grant_for_copy( spin_unlock(&rd->grant_table->lock); - if ( trans_domid != rd->domain_id ) + if ( td != rd ) { - if ( released_write || released_read ) - { - trans_dom = rcu_lock_domain_by_id(trans_domid); - if ( trans_dom != NULL ) - { - /* Recursive calls, but they're tail calls, so it's - okay. */ - if ( released_write ) - __release_grant_for_copy(trans_dom, trans_gref, 0); - else if ( released_read ) - __release_grant_for_copy(trans_dom, trans_gref, 1); - } - } + /* Recursive calls, but they're tail calls, so it's + okay. */ + if ( released_write ) + __release_grant_for_copy(td, trans_gref, 0); + else if ( released_read ) + __release_grant_for_copy(td, trans_gref, 1); + + rcu_unlock_domain(td); } } @@@@ -1734,7 +1726,7 @@@@ __acquire_grant_for_copy( uint32_t old_pin; domid_t trans_domid; grant_ref_t trans_gref; - struct domain *rrd; + struct domain *td; unsigned long gfn; unsigned long grant_frame; unsigned trans_page_off; @@@@ -1788,8 +1780,8 @@@@ __acquire_grant_for_copy( status) ) != GNTST_okay ) goto unlock_out; - trans_domid = ld->domain_id; - trans_gref = 0; + td = rd; + trans_gref = gref; if ( sha2 && (shah->flags & GTF_type_mask) == GTF_transitive ) { if ( !allow_transitive ) @@@@ -1811,14 +1803,15 @@@@ __acquire_grant_for_copy( that you don't need to go out of your way to avoid it in the guest. 
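Review bot: The retained comment in the `td != rd` branch of __release_grant_for_copy still says the recursive calls are tail calls, but the new `rcu_unlock_domain(td);` runs after them, so they no longer are. I would reword it along the lines of `/* Recursive call into the granting domain; td must stay locked until it returns. */` and state there what bounds the recursion depth. The unlock now runs whenever `td != rd`, even when neither released_write nor released_read is set, so it is worth confirming against the acquire path (outside this hunk) that each release of a transitive entry is matched by exactly one `rcu_lock_domain_by_id()`; an unbalanced drop could let the domain be freed while `act->trans_domain` still points at it. The function body starts and ends outside the hunk.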
*/ - rrd = rcu_lock_domain_by_id(trans_domid); - if ( rrd == NULL ) + /* We need to leave the rrd locked during the grant copy */ + td = rcu_lock_domain_by_id(trans_domid); + if ( td == NULL ) PIN_FAIL(unlock_out_clear, GNTST_general_error, "transitive grant referenced bad domain %d\n", trans_domid); spin_unlock(&rd->grant_table->lock); - rc = __acquire_grant_for_copy(rrd, trans_gref, rd, + rc = __acquire_grant_for_copy(td, trans_gref, rd, readonly, &grant_frame, &trans_page_off, &trans_length, 0, &ignore); @@@@ -1826,6 +1819,7 @@@@ __acquire_grant_for_copy( spin_lock(&rd->grant_table->lock); if ( rc != GNTST_okay ) { __fixup_status_for_copy_pin(act, status); + rcu_unlock_domain(td); spin_unlock(&rd->grant_table->lock); return rc; } @@@@ -1837,6 +1831,7 @@@@ __acquire_grant_for_copy( if ( act->pin != old_pin ) { __fixup_status_for_copy_pin(act, status); + rcu_unlock_domain(td); spin_unlock(&rd->grant_table->lock); return __acquire_grant_for_copy(rd, gref, ld, readonly, frame, page_off, length, @@@@ -1848,7 +1843,7 @@@@ __acquire_grant_for_copy( sub-page, but we always treat it as one because that blocks mappings of transitive grants. 
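Review bot: The added comment `/* We need to leave the rrd locked during the grant copy */` in the `-1811` hunk of __acquire_grant_for_copy names `rrd`, which this same patch renames to `td`. I would write `/* Keep td locked while the grant stays pinned; __release_grant_for_copy() unlocks it via act->trans_domain. */`, since that held reference appears to be what keeps the pointer stored by `act->trans_domain = td;` in the last hunk valid. The two early returns in the following hunks now unlock `td`, but any other exit between `rcu_lock_domain_by_id()` and that assignment lies outside the visible lines and should be checked for the same unlock. The identical patch text appears again in the 1.1.2.2 revision body further down, so the same remarks apply there.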
*/ is_sub_page = 1; - *owning_domain = rrd; + *owning_domain = td; act->gfn = -1ul; } else if ( sha1 ) @@@@ -1894,7 +1889,7 @@@@ __acquire_grant_for_copy( act->is_sub_page = is_sub_page; act->start = trans_page_off; act->length = trans_length; - act->trans_dom = trans_domid; + act->trans_domain = td; act->trans_gref = trans_gref; act->frame = grant_frame; } @ 1.1 log @Add patches from Xen security advisory: http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: patch-CVE-2012-5511_2,v 1.2 2013/01/17 19:37:55 drochner Exp $ @ 1.1.2.1 log @file patch-CVE-2013-1964-1 was added on branch pkgsrc-2013Q1 on 2013-04-24 22:25:48 +0000 @ text @d1 151 @ 1.1.2.2 log @Pullup ticket #4125 - requested by bouyer sysutils/xenkernel41: security patch Revisions pulled up: - sysutils/xenkernel41/Makefile 1.19-1.20 - sysutils/xenkernel41/distinfo 1.15-1.16 - sysutils/xenkernel41/patches/patch-CVE-2013-1917-1 1.1 - sysutils/xenkernel41/patches/patch-CVE-2013-1917-2 1.1 - sysutils/xenkernel41/patches/patch-CVE-2013-1917-3 1.1 - sysutils/xenkernel41/patches/patch-CVE-2013-1920 1.1 - sysutils/xenkernel41/patches/patch-CVE-2013-1964-1 1.1 - sysutils/xenkernel41/patches/patch-CVE-2013-1964-2 1.1 - sysutils/xenkernel41/patches/patch-Config.mk 1.1 - sysutils/xenkernel41/patches/patch-xen_Makefile 1.1 - sysutils/xenkernel41/patches/patch-xen_arch_x86_Rules.mk 1.1 - sysutils/xenkernel41/patches/patch-xen_arch_x86_cpu_mcheck_vmce.c 1.1 - sysutils/xenkernel41/patches/patch-xen_arch_x86_time.c 1.1 --- Module Name: pkgsrc Committed By: joerg Date: Thu Apr 11 19:57:53 UTC 2013 Modified Files: pkgsrc/sysutils/xenkernel3: Makefile distinfo pkgsrc/sysutils/xenkernel3/patches: patch-cw pkgsrc/sysutils/xenkernel33: Makefile distinfo pkgsrc/sysutils/xenkernel41: Makefile distinfo pkgsrc/sysutils/xentools3: 
Makefile distinfo pkgsrc/sysutils/xentools3-hvm: Makefile distinfo pkgsrc/sysutils/xentools3/patches: patch-.._patch-Config.mk patch-cg pkgsrc/sysutils/xentools33: Makefile distinfo pkgsrc/sysutils/xentools33/patches: patch-ab pkgsrc/sysutils/xentools41: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel3/patches: patch-xen_arch_x86_hvm_io.c patch-xen_arch_x86_string.c pkgsrc/sysutils/xenkernel33/patches: patch-Config.mk patch-xen_Makefile patch-xen_arch_x86_Rules.mk pkgsrc/sysutils/xenkernel41/patches: patch-Config.mk patch-xen_Makefile patch-xen_arch_x86_Rules.mk patch-xen_arch_x86_cpu_mcheck_vmce.c patch-xen_arch_x86_time.c pkgsrc/sysutils/xentools3-hvm/patches: patch-.._patch-Config.mk pkgsrc/sysutils/xentools3/patches: patch-libxc_xc__dom__x86.c pkgsrc/sysutils/xentools33/patches: patch-blktap_drivers_block-qcow.c patch-ioemu_block-vvfat.c pkgsrc/sysutils/xentools41/patches: patch-.._.._ipxe_src_arch_i386_include_librm.h patch-.._.._ipxe_src_core_settings.c patch-.._.._ipxe_src_net_tls.c patch-.._Config.mk patch-firmware_hvmloader_Makefile patch-libcx_xc__dom__boot.c patch-xenstat_libxenstat_Makefile Log Message: Allow building Xen infrastructure with Clang. Fix various bugs in xenkernel3, xenkernel41, xentools3 and xentools41 exposed by Clang default warnings. Bump revisions for those. 
--- Module Name: pkgsrc Committed By: bouyer Date: Fri Apr 19 14:02:46 UTC 2013 Modified Files: pkgsrc/sysutils/xenkernel41: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel41/patches: patch-CVE-2013-1917-1 patch-CVE-2013-1917-2 patch-CVE-2013-1917-3 patch-CVE-2013-1920 patch-CVE-2013-1964-1 patch-CVE-2013-1964-2 Log Message: Add patches from Xen security advisory: http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html bump PKGREVISION @ text @a0 151 $NetBSD$ http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html --- xen/common/grant_table.c.orig +++ xen/common/grant_table.c @@@@ -598,7 +598,7 @@@@ __gnttab_map_grant_ref( act->start = 0; act->length = PAGE_SIZE; act->is_sub_page = 0; - act->trans_dom = rd->domain_id; + act->trans_domain = rd; act->trans_gref = op->ref; } } @@@@ -1629,11 +1629,10 @@@@ __release_grant_for_copy( struct active_grant_entry *act; unsigned long r_frame; uint16_t *status; - domid_t trans_domid; grant_ref_t trans_gref; int released_read; int released_write; - struct domain *trans_dom; + struct domain *td; released_read = 0; released_write = 0; @@@@ -1647,15 +1646,13 @@@@ __release_grant_for_copy( if (rd->grant_table->gt_version == 1) { status = &sha->flags; - trans_domid = rd->domain_id; - /* Shut the compiler up. This'll never be used, because - trans_domid == rd->domain_id, but gcc doesn't know that. 
*/ - trans_gref = 0x1234567; + td = rd; + trans_gref = gref; } else { status = &status_entry(rd->grant_table, gref); - trans_domid = act->trans_dom; + td = act->trans_domain; trans_gref = act->trans_gref; } @@@@ -1683,21 +1680,16 @@@@ __release_grant_for_copy( spin_unlock(&rd->grant_table->lock); - if ( trans_domid != rd->domain_id ) + if ( td != rd ) { - if ( released_write || released_read ) - { - trans_dom = rcu_lock_domain_by_id(trans_domid); - if ( trans_dom != NULL ) - { - /* Recursive calls, but they're tail calls, so it's - okay. */ - if ( released_write ) - __release_grant_for_copy(trans_dom, trans_gref, 0); - else if ( released_read ) - __release_grant_for_copy(trans_dom, trans_gref, 1); - } - } + /* Recursive calls, but they're tail calls, so it's + okay. */ + if ( released_write ) + __release_grant_for_copy(td, trans_gref, 0); + else if ( released_read ) + __release_grant_for_copy(td, trans_gref, 1); + + rcu_unlock_domain(td); } } @@@@ -1734,7 +1726,7 @@@@ __acquire_grant_for_copy( uint32_t old_pin; domid_t trans_domid; grant_ref_t trans_gref; - struct domain *rrd; + struct domain *td; unsigned long gfn; unsigned long grant_frame; unsigned trans_page_off; @@@@ -1788,8 +1780,8 @@@@ __acquire_grant_for_copy( status) ) != GNTST_okay ) goto unlock_out; - trans_domid = ld->domain_id; - trans_gref = 0; + td = rd; + trans_gref = gref; if ( sha2 && (shah->flags & GTF_type_mask) == GTF_transitive ) { if ( !allow_transitive ) @@@@ -1811,14 +1803,15 @@@@ __acquire_grant_for_copy( that you don't need to go out of your way to avoid it in the guest. 
*/ - rrd = rcu_lock_domain_by_id(trans_domid); - if ( rrd == NULL ) + /* We need to leave the rrd locked during the grant copy */ + td = rcu_lock_domain_by_id(trans_domid); + if ( td == NULL ) PIN_FAIL(unlock_out_clear, GNTST_general_error, "transitive grant referenced bad domain %d\n", trans_domid); spin_unlock(&rd->grant_table->lock); - rc = __acquire_grant_for_copy(rrd, trans_gref, rd, + rc = __acquire_grant_for_copy(td, trans_gref, rd, readonly, &grant_frame, &trans_page_off, &trans_length, 0, &ignore); @@@@ -1826,6 +1819,7 @@@@ __acquire_grant_for_copy( spin_lock(&rd->grant_table->lock); if ( rc != GNTST_okay ) { __fixup_status_for_copy_pin(act, status); + rcu_unlock_domain(td); spin_unlock(&rd->grant_table->lock); return rc; } @@@@ -1837,6 +1831,7 @@@@ __acquire_grant_for_copy( if ( act->pin != old_pin ) { __fixup_status_for_copy_pin(act, status); + rcu_unlock_domain(td); spin_unlock(&rd->grant_table->lock); return __acquire_grant_for_copy(rd, gref, ld, readonly, frame, page_off, length, @@@@ -1848,7 +1843,7 @@@@ __acquire_grant_for_copy( sub-page, but we always treat it as one because that blocks mappings of transitive grants. */ is_sub_page = 1; - *owning_domain = rrd; + *owning_domain = td; act->gfn = -1ul; } else if ( sha1 ) @@@@ -1894,7 +1889,7 @@@@ __acquire_grant_for_copy( act->is_sub_page = is_sub_page; act->start = trans_page_off; act->length = trans_length; - act->trans_dom = trans_domid; + act->trans_domain = td; act->trans_gref = trans_gref; act->frame = grant_frame; } @