head	1.2;
access;
symbols
	pkgsrc-2021Q1:1.1.0.4
	pkgsrc-2021Q1-base:1.1
	pkgsrc-2020Q4:1.1.0.2
	pkgsrc-2020Q4-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2021.03.30.06.59.03;	author bouyer;	state dead;
branches;
next	1.1;
commitid	0qeTE1RWBrm5HiNC;

1.1
date	2020.12.16.17.15.22;	author bouyer;	state Exp;
branches;
next	;
commitid	lqdzL12FPu8WsZzC;


desc
@@


1.2
log
@Update xentools413 and xentools413 to 4.13.3.
Changes since 4.13.2: inlcude security fixes for all XSA known to date
(up to XSA-369). Other minor bug fixes.
@
text
@$NetSBD: $

From: Jan Beulich <jbeulich@@suse.com>
Subject: evtchn/FIFO: re-order and synchronize (with) map_control_block()

For evtchn_fifo_set_pending()'s check of the control block having been
set to be effective, ordering of respective reads and writes needs to be
ensured: The control block pointer needs to be recorded strictly after
the setting of all the queue heads, and it needs checking strictly
before any uses of them (this latter aspect was already guaranteed).

This is XSA-358 / CVE-2020-29570.

Reported-by: Julien Grall <jgrall@@amazon.com>
Signed-off-by: Jan Beulich <jbeulich@@suse.com>
Acked-by: Julien Grall <jgrall@@amazon.com>
---
v3: Drop read-side barrier again, leveraging guest_test_and_set_bit().
v2: Re-base over queue locking re-work.

--- xen/common/event_fifo.c.orig
+++ xen/common/event_fifo.c
@@@@ -474,6 +478,7 @@@@ static int setup_control_block(struct vc
 static int map_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset)
 {
     void *virt;
+    struct evtchn_fifo_control_block *control_block;
     unsigned int i;
     int rc;
 
@@@@ -484,10 +489,15 @@@@ static int map_control_block(struct vcpu
     if ( rc < 0 )
         return rc;
 
-    v->evtchn_fifo->control_block = virt + offset;
+    control_block = virt + offset;
 
     for ( i = 0; i <= EVTCHN_FIFO_PRIORITY_MIN; i++ )
-        v->evtchn_fifo->queue[i].head = &v->evtchn_fifo->control_block->head[i];
+        v->evtchn_fifo->queue[i].head = &control_block->head[i];
+
+    /* All queue heads must have been set before setting the control block. */
+    smp_wmb();
+
+    v->evtchn_fifo->control_block = control_block;
 
     return 0;
 }
@


1.1
log
@Add upstream patches for Xen seciruty advisory 348, 358 and 359.
Bump PKGREVISION
@
text
@@