head 1.6; access; symbols pkgsrc-2016Q4:1.5.0.18 pkgsrc-2016Q4-base:1.5 pkgsrc-2016Q3:1.5.0.16 pkgsrc-2016Q3-base:1.5 pkgsrc-2016Q2:1.5.0.14 pkgsrc-2016Q2-base:1.5 pkgsrc-2016Q1:1.5.0.12 pkgsrc-2016Q1-base:1.5 pkgsrc-2015Q4:1.5.0.10 pkgsrc-2015Q4-base:1.5 pkgsrc-2015Q3:1.5.0.8 pkgsrc-2015Q3-base:1.5 pkgsrc-2015Q2:1.5.0.6 pkgsrc-2015Q2-base:1.5 pkgsrc-2015Q1:1.5.0.4 pkgsrc-2015Q1-base:1.5 pkgsrc-2014Q4:1.5.0.2 pkgsrc-2014Q4-base:1.5 pkgsrc-2014Q3:1.4.0.4 pkgsrc-2014Q3-base:1.4 pkgsrc-2014Q2:1.4.0.2 pkgsrc-2014Q2-base:1.4 pkgsrc-2014Q1:1.3.0.2 pkgsrc-2014Q1-base:1.3 pkgsrc-2013Q4:1.2.0.2 pkgsrc-2013Q4-base:1.2; locks; strict; comment @# @; 1.6 date 2016.12.29.19.13.01; author wiz; state dead; branches; next 1.5; commitid kFYPk8EnajcmFUzz; 1.5 date 2014.10.01.17.18.22; author drochner; state Exp; branches; next 1.4; commitid uQZFio3RHGgJnwSx; 1.4 date 2014.05.05.13.39.10; author drochner; state Exp; branches; next 1.3; commitid fCmPMDBllSEAXlzx; 1.3 date 2014.03.28.16.07.08; author drochner; state Exp; branches; next 1.2; commitid fQVuxvisEXah0uux; 1.2 date 2013.11.29.19.29.58; author drochner; state Exp; branches; next 1.1; commitid wDkfBReSSkKIWcfx; 1.1 date 2013.10.01.14.54.44; author drochner; state Exp; branches; next ; commitid 5JKxvOI8cbQPjB7x; desc @@ 1.6 log @Remove xenkernel and tools versions 3, 33, and 41. As discussed on pkgsrc-users. 
@ text @$NetBSD: patch-CVE-2013-4355_1,v 1.5 2014/10/01 17:18:22 drochner Exp $ http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html also fixes http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html (CVE-2013-4554) also fixes http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html (CVE-2014-2599) also fixes http://lists.xenproject.org/archives/html/xen-devel/2014-04/msg03853.html (CVE-2014-3124) also fixes http://lists.xenproject.org/archives/html/xen-devel/2014-10/msg00065.html (CVE-2014-7188) --- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000 +++ xen/arch/x86/hvm/hvm.c 2014-10-01 16:40:48.000000000 +0000 @@@@ -1961,11 +1961,7 @@@@ void hvm_task_switch( rc = hvm_copy_from_guest_virt( &tss, prev_tr.base, sizeof(tss), PFEC_page_present); - if ( rc == HVMCOPY_bad_gva_to_gfn ) - goto out; - if ( rc == HVMCOPY_gfn_paged_out ) - goto out; - if ( rc == HVMCOPY_gfn_shared ) + if ( rc != HVMCOPY_okay ) goto out; eflags = regs->eflags; @@@@ -2010,13 +2006,11 @@@@ void hvm_task_switch( rc = hvm_copy_from_guest_virt( &tss, tr.base, sizeof(tss), PFEC_page_present); - if ( rc == HVMCOPY_bad_gva_to_gfn ) - goto out; - if ( rc == HVMCOPY_gfn_paged_out ) - goto out; - /* Note: this could be optimised, if the callee functions knew we want RO - * access */ - if ( rc == HVMCOPY_gfn_shared ) + /* + * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee + * functions knew we want RO access. + */ + if ( rc != HVMCOPY_okay ) goto out; @@@@ -2409,7 +2403,7 @@@@ int hvm_msr_read_intercept(unsigned int *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... 
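Review bot: The collapsed `if ( rc != HVMCOPY_okay ) goto out;` in both hvm_task_switch hunks (-1961 and -2010) carries no comment saying why every non-okay status must abort, and that is the whole reason for the change: the old three-way chain let any status outside the listed ones fall through to code that carried on with whatever `tss` held after a failed copy. A one-line comment above the first check, such as `/* Any copy failure: do not act on a partially-filled tss. */`, records the intent so a later maintainer does not reintroduce per-status handling. Whether `tss` is initialised before the copy is not visible in the hunk; hvm_task_switch begins and ends outside both hunks.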
MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_read(v, msr, msr_content) ) goto gp_fault; break; @@@@ -2529,7 +2523,7 @@@@ int hvm_msr_write_intercept(unsigned int vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_write(v, msr, msr_content) ) goto gp_fault; break; @@@@ -2834,7 +2828,7 @@@@ int hvm_do_hypercall(struct cpu_user_reg case 4: case 2: hvm_get_segment_register(curr, x86_seg_ss, &sreg); - if ( unlikely(sreg.attr.fields.dpl == 3) ) + if ( unlikely(sreg.attr.fields.dpl) ) { default: regs->eax = -EPERM; @@@@ -3657,13 +3651,9 @@@@ long do_hvm_op(unsigned long op, XEN_GUE rc = -EINVAL; goto param_fail4; } - if ( p2m_is_grant(t) ) - { - gdprintk(XENLOG_WARNING, - "type for pfn 0x%lx changed to grant while " - "we were working?\n", pfn); + if ( !p2m_is_ram(t) && + (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) ) goto param_fail4; - } else { nt = p2m_change_type(p2m, pfn, t, memtype[a.hvmmem_type]); @@@@ -3746,7 +3736,7 @@@@ long do_hvm_op(unsigned long op, XEN_GUE ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) goto param_fail5; - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) + for ( pfn = a.first_pfn; a.nr; ++pfn ) { p2m_type_t t; mfn_t mfn; @@@@ -3759,6 +3749,17 @@@@ long do_hvm_op(unsigned long op, XEN_GUE p2m_unlock(p2m); if ( !success ) goto param_fail5; + + /* Check for continuation if it's not the last interation. 
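Review bot: The x2APIC case label in hvm_msr_read_intercept now ends at `MSR_IA32_APICBASE_MSR + 0xff`, and the same bare literal is repeated in the hvm_msr_write_intercept hunk at -2529; the two ranges must stay in sync, because this bound is what keeps the emulated register access inside the backing array, so a single named constant shared by both labels (or at least a comment on each noting that the 0xff window is the x2APIC MSR space) would be better than two unrelated literals. I read the intent as limiting the range to the 256 x2APIC MSRs; confirm that against the vlapic register array size. Both enclosing switch statements start and end outside their hunks.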
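Review bot: `if ( unlikely(sreg.attr.fields.dpl) )` in hvm_do_hypercall rejects any non-zero DPL without saying why the SS descriptor's DPL is the value tested; a comment such as `/* SS.DPL equals CPL: only guest ring 0 may issue hypercalls. */` would make the check self-explanatory, especially since the surrounding `case 4: case 2:` labels and the `default:` inside the braces are already unusual to read. The rest of hvm_do_hypercall is outside the hunk.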
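Review bot: In the do_hvm_op hunk at -3657 the `else` that follows the new `goto param_fail4;` is now redundant, since control never reaches it after the jump; dropping the `else` and de-indenting the p2m_change_type block matches the early-exit style of the `rc = -EINVAL; goto param_fail4;` two lines above. Separately, the new failure path does not assign `rc` within the hunk, while that `rc = -EINVAL;` sits on a different branch, so confirm that `rc` already holds an error value when this goto is taken; otherwise the caller receives whatever stale value rc carried. The replaced branch also emitted a gdprintk warning that the new code drops silently, which is worth a sentence in the commit message if intentional.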
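Review bot: `for ( pfn = a.first_pfn; a.nr; ++pfn )` in the -3746 hunk terminates only because the following hunk decrements `a.nr` inside the body (`if ( --a.nr && hypercall_preempt_check() )`), which is invisible from the loop header; a comment on the `for` line, e.g. `/* a.nr is counted down in the body so a continuation can report the remaining range */`, would stop someone from reinstating a `pfn < a.first_pfn + a.nr` bound and silently breaking the preemption logic. The loop body continues into the next hunk.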
*/ + if ( --a.nr && hypercall_preempt_check() ) + { + a.first_pfn = pfn + 1; + if ( copy_to_guest(arg, &a, 1) ) + rc = -EFAULT; + else + rc = -EAGAIN; + goto param_fail5; + } } rc = 0; @ 1.5 log @fix out-of-bounds memory read access in x2APIC emulation (HVM only) (CVE-2014-7188) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.4 log @fix possible creation of invalid P2M entries, leading to xen crash The vulnerability is only exposed to service domains for HVM guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm). bump PKGREV @ text @d13 3 d18 1 a18 1 +++ xen/arch/x86/hvm/hvm.c 2014-04-30 13:11:30.000000000 +0000 d51 18 @ 1.3 log @add patch from upstream (XSA-89) to fix: Processing of the HVMOP_set_mem_access HVM control operations does not check the size of its input and can tie up a physical CPU for extended periods of time. bump PKGREV @ text @d10 3 d14 3 a16 3 --- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000 +++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000 @@@@ -1961,11 +1961,7 @@@@ d29 1 a29 1 @@@@ -2010,13 +2006,11 @@@@ d48 1 a48 1 @@@@ -2834,7 +2828,7 @@@@ d57 17 a73 1 @@@@ -3746,7 +3740,7 @@@@ d82 1 a82 1 @@@@ -3759,6 +3753,17 @@@@ @ 1.2 log @add patches from upstream to fix two security problems: -another lock inversion -privilege escalation (not exploitable in standard setups) bump PKGREV @ text @d1 1 a1 1 $NetBSD d7 3 d11 3 a13 3 --- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000 +++ xen/arch/x86/hvm/hvm.c 2013-11-29 15:12:29.000000000 +0000 @@@@ -1961,11 +1961,7 @@@@ void hvm_task_switch( d26 1 a26 1 @@@@ -2010,13 +2006,11 @@@@ void hvm_task_switch( d45 1 a45 1 @@@@ -2834,7 +2828,7 @@@@ int hvm_do_hypercall(struct cpu_user_reg d54 27 @ 1.1 log @add patches from upstream to fix security problems: -Information leak on AVX and/or LWP capable CPUs (CVE-2013-1442 / XSA-62) -Information leaks through I/O instruction emulation (CVE-2013-4355 / XSA-63) 
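Review bot: The new comment `/* Check for continuation if it's not the last interation. */` has a typo; `interation` should be `iteration`. The continuation logic itself reads correctly as far as the hunk shows: `a.nr` is decremented before the preempt check, so the `a` written back by `copy_to_guest(arg, &a, 1)` already describes the remaining range starting at `pfn + 1`, and -EAGAIN is returned only when that write-back succeeded. One thing to confirm outside the hunk is that the caller treats -EAGAIN as a request to re-issue the hypercall with the updated argument rather than as a hard error; the enclosing loop body starts in the previous hunk.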
-Information leak through fbld instruction emulation (CVE-2013-4361 / XSA-66) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ d4 3 d9 1 a9 1 +++ xen/arch/x86/hvm/hvm.c 2013-09-30 15:23:07.000000000 +0000 d42 9 @