head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.2 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2012Q3:1.1.0.2 pkgsrc-2012Q3-base:1.1; locks; strict; comment @# @; 1.3 date 2013.01.17.19.37.54; author drochner; state dead; branches; next 1.2; 1.2 date 2012.11.14.13.42.41; author drochner; state Exp; branches; next 1.1; 1.1 date 2012.09.12.11.04.18; author drochner; state Exp; branches; next ; desc @@ 1.3 log @update to 4.1.4 changes: -fixes for many vulnerabilities (were mostly patched in pkgsrc) -bug fixes and improvements (almost 100 since Xen 4.1.3). Highlights are: -A fix for a long standing time management issue -Bug fixes for S3 (suspend to RAM) handling -Bug fixes for other low level system state handling pkgsrc note: fixes for CVE-2012-5634 (interrupt issue on IOMMU systems) and CVE-2012-6075 (oversized packets from e1000 driver) are already included @ text @$NetBSD: patch-CVE-2012-3498,v 1.2 2012/11/14 13:42:41 drochner Exp $ contains patch for CVE-2012-3495 see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00187.html and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html and patch for CVE-2012-4536 see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00503.html --- xen/arch/x86/physdev.c.orig 2012-08-10 13:51:46.000000000 +0000 +++ xen/arch/x86/physdev.c @@@@ -40,11 +40,18 @@@@ static int physdev_hvm_map_pirq( struct hvm_girq_dpci_mapping *girq; uint32_t machine_gsi = 0; + if ( map->index < 0 || map->index >= NR_HVM_IRQS ) + { + ret = -EINVAL; + break; + } + /* find the machine gsi corresponding to the * emulated gsi */ hvm_irq_dpci = domain_get_irq_dpci(d); if ( hvm_irq_dpci ) { + BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS); list_for_each_entry ( girq, &hvm_irq_dpci->girq[map->index], list ) @@@@ -230,6 +237,10 @@@@ static int physdev_unmap_pirq(struct phy if ( ret ) return ret; + ret = -EINVAL; + if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs ) + goto free_domain; + if ( 
is_hvm_domain(d) ) { spin_lock(&d->event_lock); @@@@ -587,11 +598,16 @@@@ ret_t do_physdev_op(int cmd, XEN_GUEST_H break; spin_lock(&d->event_lock); - out.pirq = get_free_pirq(d, out.type, 0); - d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED; + ret = get_free_pirq(d, out.type, 0); + if ( ret >= 0 ) + d->arch.pirq_irq[ret] = PIRQ_ALLOCATED; spin_unlock(&d->event_lock); - ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0; + if ( ret >= 0 ) + { + out.pirq = ret; + ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0; + } rcu_unlock_domain(d); break; @ 1.2 log @add patches from Xen SA 20..24 to fix various security problems (CVE-2012-4535..4539) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @update to 4.1.3 also add security patches from upstream (for CVE-2012-3497, no patches are available yet) changes: -fixes for vulnerabilities were integrated -many bug fixes and improvements, Highlights are: -Updates for the latest Intel/AMD CPU revisions -Bug fixes for IOMMU handling (device passthrough to HVM guests) approved by maintainer @ text @d6 2 d9 1 a9 1 --- xen/arch/x86/physdev.c.orig 2012-09-12 09:41:55.000000000 +0000 d30 12 a41 1 @@@@ -587,11 +594,16 @@@@ ret_t do_physdev_op(int cmd, XEN_GUEST_H @
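Review bot: In the physdev_hvm_map_pirq hunk, the new range check compares map->index with NR_HVM_IRQS, but the array that is indexed afterwards is hvm_irq_dpci->girq, and the only thing tying the two together is the BUILD_BUG_ON placed further down inside the `if ( hvm_irq_dpci )` block. Move the BUILD_BUG_ON next to the range check, or add a one-line comment at the check saying it guards the `girq[map->index]` lookup, so a later change to either the constant or the array size is caught where the bound is enforced.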
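Review bot: In the physdev_unmap_pirq hunk, `ret = -EINVAL;` is assigned before the range test and keeps that value when the test passes, so every later path that reaches free_domain has to overwrite ret, and the visible context does not show that they all do. Setting the error inside the failing branch (`{ ret = -EINVAL; goto free_domain; }`) keeps the error value local to the rejected case and avoids returning -EINVAL by accident from a path that succeeded.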
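Review bot: In the do_physdev_op hunk, a failed copy_to_guest leaves `d->arch.pirq_irq[ret]` marked PIRQ_ALLOCATED even though the guest never receives the pirq number, because the slot is set under the event lock and nothing resets it on the -EFAULT path. Consider releasing the slot when the copy fails, or documenting why the allocation is intentionally kept. Reusing ret for both the allocated pirq and the final error code also makes the second `if ( ret >= 0 )` harder to read; a separate local for the pirq would make the two meanings explicit.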