head 1.2;
access;
symbols pkgsrc-2020Q3:1.1.0.2;
locks; strict;
comment @# @;

1.2
date 2020.11.06.21.45.49; author bouyer; state dead;
branches;
next 1.1;
commitid WDPVMlrHGXeceSuC;

1.1
date 2020.10.01.12.41.19; author bouyer; state Exp;
branches 1.1.2.1;
next ;
commitid t8BQtD5cJssqocqC;

1.1.2.1
date 2020.10.01.12.41.19; author bsiegert; state dead;
branches;
next 1.1.2.2;
commitid 6fMH1kUIpq0AYCqC;

1.1.2.2
date 2020.10.04.20.44.32; author bsiegert; state Exp;
branches;
next ;
commitid 6fMH1kUIpq0AYCqC;

desc
@@

1.2
log
@Update xenkernel413 and xentools413 to 4.13.2. This includes fixes for XSA up to XSA347, and an improved fix for XSA 286.
@
text
@$NetBSD: patch-XSA339,v 1.1 2020/10/01 12:41:19 bouyer Exp $
From: Andrew Cooper
Subject: x86/pv: Avoid double exception injection

There is at least one path (SYSENTER with NT set, Xen converts to #GP) which ends up injecting the #GP fault twice, first in compat_sysenter(), and then a second time in compat_test_all_events(), due to the stale TBF_EXCEPTION left in TRAPBOUNCE_flags.

The guest kernel sees the second fault first, which is a kernel level #GP pointing at the head of the #GP handler, and is therefore a userspace trigger-able DoS.

This particular bug has bitten us several times before, so rearrange {compat_,}create_bounce_frame() to clobber TRAPBOUNCE on success, rather than leaving this task to one area of code which isn't used uniformly.

Other scenarios which might result in a double injection (e.g. two calls directly to compat_create_bounce_frame) will now crash the guest, which is far more obvious than letting the kernel run with corrupt state.

This is XSA-339

Fixes: fdac9515607b ("x86: clear EFLAGS.NT in SYSENTER entry path")
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
index c3e62f8734..73619f57ca 100644
--- xen/arch/x86/x86_64/compat/entry.S.orig
+++ xen/arch/x86/x86_64/compat/entry.S
@@@@ -78,7 +78,6 @@@@ compat_process_softirqs:
 sti
 .Lcompat_bounce_exception:
 call compat_create_bounce_frame
- movb $0, TRAPBOUNCE_flags(%rdx)
 jmp compat_test_all_events
 
 ALIGN
@@@@ -352,7 +351,13 @@@@ __UNLIKELY_END(compat_bounce_null_selector)
 movl %eax,UREGS_cs+8(%rsp)
 movl TRAPBOUNCE_eip(%rdx),%eax
 movl %eax,UREGS_rip+8(%rsp)
+
+ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
+ xor %eax, %eax
+ mov %ax, TRAPBOUNCE_cs(%rdx)
+ mov %al, TRAPBOUNCE_flags(%rdx)
 ret
+
 .section .fixup,"ax"
 .Lfx13:
 xorl %edi,%edi
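Review bot: The new comment before `xor %eax, %eax` says what is clobbered but not why zeroing `TRAPBOUNCE_cs` turns a stale second injection into a crash rather than a silent re-delivery; the null-selector check named in the hunk header (`__UNLIKELY_END(compat_bounce_null_selector)`) is presumably what a re-entry now trips, and the comment should say so, e.g. `/* Trapbounce complete. Zero cs and flags so a stale re-injection hits the compat_bounce_null_selector crash instead of delivering a second fault. */`. This clobber runs only on the successful fall-through to `ret`: the domain-crash path does not return, but the `.Lfx13` fixup path starting on the last lines continues outside the hunk, so it is worth confirming it cannot resume a caller with TBF_EXCEPTION still set now that the unconditional `movb $0, TRAPBOUNCE_flags(%rdx)` after the call in the first hunk is gone. Using the file's existing immediate-store idiom (`movw $0, TRAPBOUNCE_cs(%rdx)` / `movb $0, TRAPBOUNCE_flags(%rdx)`) would avoid touching %eax and the flags at all; with `xor %eax, %eax` ZF is set and CF clear at `ret`, which is harmless for the visible `.Lcompat_bounce_exception` caller that only `jmp`s afterwards but would need checking for any caller that tests flags across the call. The enclosing `compat_create_bounce_frame` starts outside the hunk.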
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 1e880eb9f6..71a00e846b 100644
--- xen/arch/x86/x86_64/entry.S.orig
+++ xen/arch/x86/x86_64/entry.S
@@@@ -90,7 +90,6 @@@@ process_softirqs:
 sti
 .Lbounce_exception:
 call create_bounce_frame
- movb $0, TRAPBOUNCE_flags(%rdx)
 jmp test_all_events
 
 ALIGN
@@@@ -512,6 +511,11 @@@@ UNLIKELY_START(z, create_bounce_frame_bad_bounce_ip)
 jmp asm_domain_crash_synchronous /* Does not return */
 __UNLIKELY_END(create_bounce_frame_bad_bounce_ip)
 movq %rax,UREGS_rip+8(%rsp)
+
+ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
+ xor %eax, %eax
+ mov %rax, TRAPBOUNCE_eip(%rdx)
+ mov %al, TRAPBOUNCE_flags(%rdx)
 ret
 
 .pushsection .fixup, "ax", @@progbits
@
1.1
log
@Add uptream fixes for XSA333, XSA334, XSA336, XSA337, XSA338, XSA339, XSA340, XSA342, XSA343, XSA344 bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD: $
@
1.1.2.1
log
@file patch-XSA339 was added on branch pkgsrc-2020Q3 on 2020-10-04 20:44:32 +0000
@
text
@d1 78
@
1.1.2.2
log
@Pullup ticket #6332 - requested by bouyer sysutils/xenkernel411: security fix sysutils/xenkernel413: security fix Revisions pulled up: - sysutils/xenkernel411/Makefile 1.16 - sysutils/xenkernel411/distinfo 1.14 - sysutils/xenkernel411/patches/patch-XSA333 1.1 - sysutils/xenkernel411/patches/patch-XSA336 1.1 - sysutils/xenkernel411/patches/patch-XSA337 1.1 - sysutils/xenkernel411/patches/patch-XSA338 1.1 - sysutils/xenkernel411/patches/patch-XSA339 1.1 - sysutils/xenkernel411/patches/patch-XSA340 1.1 - sysutils/xenkernel411/patches/patch-XSA342 1.1 - sysutils/xenkernel411/patches/patch-XSA343 1.1 - sysutils/xenkernel411/patches/patch-XSA344 1.1 - sysutils/xenkernel413/Makefile 1.5 - sysutils/xenkernel413/distinfo 1.3 - sysutils/xenkernel413/patches/patch-XSA333 1.1 - sysutils/xenkernel413/patches/patch-XSA334 1.1 - sysutils/xenkernel413/patches/patch-XSA336 1.1 - sysutils/xenkernel413/patches/patch-XSA337 1.1 - sysutils/xenkernel413/patches/patch-XSA338 
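Review bot: The zeroing of `TRAPBOUNCE_eip` relies on the zero check visible at the top of the hunk (`UNLIKELY_START(z, create_bounce_frame_bad_bounce_ip)` followed by `jmp asm_domain_crash_synchronous`) to turn a stale second injection into a domain crash, and the comment should name that rather than just "clobber state", e.g. `/* Trapbounce complete. Zero eip and flags: a stale re-injection now fails the bad_bounce_ip check and crashes the domain instead of delivering a second fault. */`. The compat variant zeroes `TRAPBOUNCE_cs` instead of eip; presumably each side zeroes the field its own sanity check keys on, but a one-line comment saying so would stop a future reader from "harmonising" the two. As in the compat file, the first hunk drops the unconditional `movb $0, TRAPBOUNCE_flags(%rdx)` after `call create_bounce_frame`, so flags are now cleared only on the successful fall-through to `ret`; the crash path does not return, but the `.fixup` section opened on the last line continues outside the hunk and should be checked for a path that resumes a caller with TBF_EXCEPTION still set. The enclosing `create_bounce_frame` starts outside the hunk.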
1.1 - sysutils/xenkernel413/patches/patch-XSA339 1.1 - sysutils/xenkernel413/patches/patch-XSA340 1.1 - sysutils/xenkernel413/patches/patch-XSA342 1.1 - sysutils/xenkernel413/patches/patch-XSA343 1.1 - sysutils/xenkernel413/patches/patch-XSA344 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Thu Oct 1 12:41:19 UTC 2020 Modified Files: pkgsrc/sysutils/xenkernel413: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel413/patches: patch-XSA333 patch-XSA334 patch-XSA336 patch-XSA337 patch-XSA338 patch-XSA339 patch-XSA340 patch-XSA342 patch-XSA343 patch-XSA344 Log Message: Add uptream fixes for XSA333, XSA334, XSA336, XSA337, XSA338, XSA339, XSA340, XSA342, XSA343, XSA344 bump PKGREVISION --- Module Name: pkgsrc Committed By: bouyer Date: Fri Oct 2 13:00:48 UTC 2020 Modified Files: pkgsrc/sysutils/xenkernel411: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel411/patches: patch-XSA333 patch-XSA336 patch-XSA337 patch-XSA338 patch-XSA339 patch-XSA340 patch-XSA342 patch-XSA343 patch-XSA344 Log Message: dd uptream fixes for XSA333, XSA336, XSA337, XSA338, XSA339, XSA340, XSA342, XSA343, XSA344 bump PKGREVISION @ text @a0 78 $NetBSD: patch-XSA339,v 1.1 2020/10/01 12:41:19 bouyer Exp $ 
From: Andrew Cooper
Subject: x86/pv: Avoid double exception injection

There is at least one path (SYSENTER with NT set, Xen converts to #GP) which ends up injecting the #GP fault twice, first in compat_sysenter(), and then a second time in compat_test_all_events(), due to the stale TBF_EXCEPTION left in TRAPBOUNCE_flags.

The guest kernel sees the second fault first, which is a kernel level #GP pointing at the head of the #GP handler, and is therefore a userspace trigger-able DoS.

This particular bug has bitten us several times before, so rearrange {compat_,}create_bounce_frame() to clobber TRAPBOUNCE on success, rather than leaving this task to one area of code which isn't used uniformly.

Other scenarios which might result in a double injection (e.g. two calls directly to compat_create_bounce_frame) will now crash the guest, which is far more obvious than letting the kernel run with corrupt state.

This is XSA-339

Fixes: fdac9515607b ("x86: clear EFLAGS.NT in SYSENTER entry path")
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich

diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
index c3e62f8734..73619f57ca 100644
--- xen/arch/x86/x86_64/compat/entry.S.orig
+++ xen/arch/x86/x86_64/compat/entry.S
@@@@ -78,7 +78,6 @@@@ compat_process_softirqs:
 sti
 .Lcompat_bounce_exception:
 call compat_create_bounce_frame
- movb $0, TRAPBOUNCE_flags(%rdx)
 jmp compat_test_all_events
 
 ALIGN
@@@@ -352,7 +351,13 @@@@ __UNLIKELY_END(compat_bounce_null_selector)
 movl %eax,UREGS_cs+8(%rsp)
 movl TRAPBOUNCE_eip(%rdx),%eax
 movl %eax,UREGS_rip+8(%rsp)
+
+ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
+ xor %eax, %eax
+ mov %ax, TRAPBOUNCE_cs(%rdx)
+ mov %al, TRAPBOUNCE_flags(%rdx)
 ret
+
 .section .fixup,"ax"
 .Lfx13:
 xorl %edi,%edi
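Review bot: The comment added before `xor %eax, %eax` in the second hunk does not say why zeroing `TRAPBOUNCE_cs` makes a repeat injection fatal instead of silent; the check named in the hunk header (`__UNLIKELY_END(compat_bounce_null_selector)`) is presumably what a stale re-entry now trips, so spell it out: `/* Trapbounce complete. Zero cs and flags so a stale re-injection hits the compat_bounce_null_selector crash instead of delivering a second fault. */`. Because the first hunk removes the unconditional `movb $0, TRAPBOUNCE_flags(%rdx)` after the call, flags are now cleared only on the fall-through to `ret`; the crash path does not return, but the `.Lfx13` fixup that begins on the last lines continues outside the hunk and should be confirmed not to resume a caller with TBF_EXCEPTION set. The file's own immediate-store form (`movw $0, TRAPBOUNCE_cs(%rdx)` / `movb $0, TRAPBOUNCE_flags(%rdx)`) would avoid clobbering %eax and the flags at `ret`, which matters only if some caller outside the hunk tests flags across the call. The enclosing `compat_create_bounce_frame` starts outside the hunk.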
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 1e880eb9f6..71a00e846b 100644
--- xen/arch/x86/x86_64/entry.S.orig
+++ xen/arch/x86/x86_64/entry.S
@@@@ -90,7 +90,6 @@@@ process_softirqs:
 sti
 .Lbounce_exception:
 call create_bounce_frame
- movb $0, TRAPBOUNCE_flags(%rdx)
 jmp test_all_events
 
 ALIGN
@@@@ -512,6 +511,11 @@@@ UNLIKELY_START(z, create_bounce_frame_bad_bounce_ip)
 jmp asm_domain_crash_synchronous /* Does not return */
 __UNLIKELY_END(create_bounce_frame_bad_bounce_ip)
 movq %rax,UREGS_rip+8(%rsp)
+
+ /* Trapbounce complete. Clobber state to avoid an erroneous second injection. */
+ xor %eax, %eax
+ mov %rax, TRAPBOUNCE_eip(%rdx)
+ mov %al, TRAPBOUNCE_flags(%rdx)
 ret
 
 .pushsection .fixup, "ax", @@progbits
@