head 1.2; access; symbols pkgsrc-2021Q1:1.1.0.4 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2021.03.30.06.59.03; author bouyer; state dead; branches; next 1.1; commitid 0qeTE1RWBrm5HiNC; 1.1 date 2021.02.03.22.30.22; author bouyer; state Exp; branches 1.1.2.1; next ; commitid gYCUHk6zDJqcDjGC; 1.1.2.1 date 2021.02.03.22.30.22; author spz; state dead; branches; next 1.1.2.2; commitid Rpl0MBhCLP3Os9IC; 1.1.2.2 date 2021.02.18.05.21.21; author spz; state Exp; branches; next ; commitid Rpl0MBhCLP3Os9IC; desc @@ 1.2 log @Update xentools413 and xentools413 to 4.13.3. Changes since 4.13.2: inlcude security fixes for all XSA known to date (up to XSA-369). Other minor bug fixes. @ text @$NetBSD: patch-XSA355,v 1.1 2021/02/03 22:30:22 bouyer Exp $ From: Jan Beulich Subject: memory: fix off-by-one in XSA-346 change The comparison against ARRAY_SIZE() needs to be >= in order to avoid overrunning the pages[] array. This is XSA-355. Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush") Signed-off-by: Jan Beulich Reviewed-by: Julien Grall --- xen/common/memory.c.orig +++ xen/common/memory.c @@@@ -854,7 +854,7 @@@@ int xenmem_add_to_physmap(struct domain ++extra.ppage; /* Check for continuation if it's not the last iteration. */ - if ( (++done > ARRAY_SIZE(pages) && extra.ppage) || + if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) || (xatp->size > done && hypercall_preempt_check()) ) { rc = start + done; @ 1.1 log @Add upstream patch for Xen Security Advisory 355 Also, fix xenstored looping keeping the CPU 100% busy and leaking file descriptors. @ text @d1 1 a1 1 $NetBSD: $ @ 1.1.2.1 log @file patch-XSA355 was added on branch pkgsrc-2020Q4 on 2021-02-18 05:21:21 +0000 @ text @d1 25 @ 1.1.2.2 log @Pullup ticket #6423 - requested by bouyer sysutils/xentools413: security patch Revisions pulled up: - sysutils/xentools413/Makefile 1.16 - sysutils/xentools413/distinfo 1.8 - sysutils/xentools413/patches/patch-XSA355 1.1 - sysutils/xentools413/patches/patch-tools_xenstore_xenstored_core.c 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bouyer Date: Wed Feb 3 22:30:22 UTC 2021 Modified Files: pkgsrc/sysutils/xentools413: Makefile distinfo Added Files: pkgsrc/sysutils/xentools413/patches: patch-XSA355 patch-tools_xenstore_xenstored_core.c Log Message: Add upstream patch for Xen Security Advisory 355 Also, fix xenstored looping keeping the CPU 100% busy and leaking file descriptors. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 pkgsrc/sysutils/xentools413/Makefile cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/xentools413/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xentools413/patches/patch-XSA355 \ pkgsrc/sysutils/xentools413/patches/patch-tools_xenstore_xenstored_core.c @ text @a0 25 $NetBSD$ From: Jan Beulich Subject: memory: fix off-by-one in XSA-346 change The comparison against ARRAY_SIZE() needs to be >= in order to avoid overrunning the pages[] array. This is XSA-355. Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush") Signed-off-by: Jan Beulich Reviewed-by: Julien Grall --- xen/common/memory.c.orig +++ xen/common/memory.c @@@@ -854,7 +854,7 @@@@ int xenmem_add_to_physmap(struct domain ++extra.ppage; /* Check for continuation if it's not the last iteration. */ - if ( (++done > ARRAY_SIZE(pages) && extra.ppage) || + if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) || (xatp->size > done && hypercall_preempt_check()) ) { rc = start + done; @