head	1.2;
access;
symbols
	pkgsrc-2016Q4:1.1.0.18
	pkgsrc-2016Q4-base:1.1
	pkgsrc-2016Q3:1.1.0.16
	pkgsrc-2016Q3-base:1.1
	pkgsrc-2016Q2:1.1.0.14
	pkgsrc-2016Q2-base:1.1
	pkgsrc-2016Q1:1.1.0.12
	pkgsrc-2016Q1-base:1.1
	pkgsrc-2015Q4:1.1.0.10
	pkgsrc-2015Q4-base:1.1
	pkgsrc-2015Q3:1.1.0.8
	pkgsrc-2015Q3-base:1.1
	pkgsrc-2015Q2:1.1.0.6
	pkgsrc-2015Q2-base:1.1
	pkgsrc-2015Q1:1.1.0.4
	pkgsrc-2015Q1-base:1.1
	pkgsrc-2014Q4:1.1.0.2
	pkgsrc-2014Q4-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2016.12.29.19.13.02;	author wiz;	state dead;
branches;
next	1.1;
commitid	kFYPk8EnajcmFUzz;

1.1
date	2014.11.27.15.36.02;	author bouyer;	state Exp;
branches;
next	;
commitid	LdhG8IFZZBWRYPZx;


desc
@@


1.2
log
@Remove xenkernel and tools versions 3, 33, and 41.

As discussed on pkgsrc-users.
@
text
@$NetBSD: patch-CVE-2014-9030,v 1.1 2014/11/27 15:36:02 bouyer Exp $

x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE

Any domain which can pass the XSM check against a translated guest can cause a
page reference to be leaked.

While shuffling the order of checks, drop the quite-pointless MEM_LOG().  This
brings the check in line with similar checks in the vicinity.

Discovered while reviewing the XSA-109/110 followup series.

This is XSA-113.

Signed-off-by: Andrew Cooper <andrew.cooper3@@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@@suse.com>
Reviewed-by: Tim Deegan <tim@@xen.org>

--- xen/arch/x86/mm.c.orig	2014-11-27 15:21:15.000000000 +0100
+++ xen/arch/x86/mm.c	2014-11-27 15:37:25.000000000 +0100
@@@@ -3888,6 +3892,12 @@@@
 
         case MMU_MACHPHYS_UPDATE:
 
+            if ( unlikely(paging_mode_translate(pg_owner)) )
+            {
+                rc = -EINVAL;
+                break;
+            }
+
             mfn = req.ptr >> PAGE_SHIFT;
             gpfn = req.val;
 
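Review bot: the relocated check sets `rc = -EINVAL` on its new early exit, whereas the block it replaces (removed in the next hunk) only broke out after a MEM_LOG() without touching `rc`; that changes the error code a translated pg_owner now receives from this op, and the description ("shuffling the order of checks") does not call it out, so state it explicitly or confirm it matches the neighbouring checks this is meant to align with. Placing the check before `mfn` and `gpfn` are even derived is what closes the leak: nothing between the `case` label and this point can have taken a page reference yet, so this exit path holds none.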
@@@@ -3901,12 +3911,6 @@@@
                 break;
             }
 
-            if ( unlikely(paging_mode_translate(pg_owner)) )
-            {
-                MEM_LOG("Mach-phys update on auto-translate guest");
-                break;
-            }
-
             set_gpfn_from_mfn(mfn, gpfn);
             okay = 1;
 
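Review bot: this hunk shows only the removal, and the reference the old check leaked must be taken in the elided lines between the two hunks (the `break` at the top of this hunk closes a failure-path block that precedes the removed check), so the claim that the new -EINVAL exit now precedes the acquisition cannot be verified from the three lines of context shown; consider regenerating the pkgsrc patch with wider context so the acquisition and the relocated check are both visible to reviewers. Note also that dropping MEM_LOG() means a translated guest issuing MMU_MACHPHYS_UPDATE no longer leaves any hypervisor log line at all; if that diagnostic is wanted for monitoring, it will have to come from the caller's handling of the returned -EINVAL.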
@


1.1
log
@backport patches from Xen advisory:
CVE-2014-7188/XSA-108:
x86/HVM: properly bound x2APIC MSR range, fixing:
A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

CVE-2014-8594/XSA-109:
x86: don't allow page table updates on non-PV page tables in do_mmu_update(),
fixing:
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

CVE-2014-8595/XSA-110:
x86emul: enforce privilege level restrictions when loading CS, fixing:
Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.

CVE-2014-8866/XSA-111:
x86: limit checks in hypercall_xlat_continuation() to actual arguments, fixing:
A buggy or malicious HVM guest can crash the host.

CVE-2014-8867/XSA-112:
x86/HVM: confine internally handled MMIO to solitary regions, fixing:
A buggy or malicious HVM guest can crash the host.

CVE-2014-9030/XSA-113:
x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE, fixing:
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.
@
text
@d1 1
a1 1
$NetBSD: patch-Config.mk,v 1.1 2013/06/13 21:49:59 joerg Exp $
@

