head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.2 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.1.0.2 pkgsrc-2012Q4-base:1.1; locks; strict; comment @# @; 1.2 date 2013.01.17.19.37.55; author drochner; state dead; branches; next 1.1; 1.1 date 2012.12.05.19.16.27; author drochner; state Exp; branches; next ; desc @@ 1.2 log @update to 4.1.4 changes: -fixes for many vulnerabilities (were mostly patched in pkgsrc) -bug fixes and improvements (almost 100 since Xen 4.1.3). Highlights are: -A fix for a long standing time management issue -Bug fixes for S3 (suspend to RAM) handling -Bug fixes for other low level system state handling pkgsrc note: fixes for CVE-2012-5634 (interrupt issue on IOMMU systems) and CVE-2012-6075 (oversized packets from e1000 driver) are already included @ text @$NetBSD: patch-CVE-2012-5511_1,v 1.1 2012/12/05 19:16:27 drochner Exp $ see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00006.html fix for CVE-2012-5512 is also here, see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00003.html
--- xen/arch/x86/hvm/hvm.c.orig 2012-08-10 13:51:44.000000000 +0000
+++ xen/arch/x86/hvm/hvm.c
@@@@ -3446,6 +3446,9 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
if ( !is_hvm_domain(d) )
goto param_fail2;

+ if ( a.nr > GB(1) >> PAGE_SHIFT )
+ goto param_fail2;
+
rc = xsm_hvm_param(d, op);
if ( rc )
goto param_fail2;
@@@@ -3473,7 +3476,6 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
struct xen_hvm_modified_memory a;
struct domain *d;
struct p2m_domain *p2m;
- unsigned long pfn;

if ( copy_from_guest(&a, arg, 1) )
return -EFAULT;
@@@@ -3501,8 +3503,9 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
goto param_fail3;

p2m = p2m_get_hostp2m(d);
- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
+ while ( a.nr > 0 )
{
+ unsigned long pfn = a.first_pfn;
p2m_type_t t;
mfn_t mfn = gfn_to_mfn(p2m, pfn, &t);
if ( p2m_is_paging(t) )
@@@@ -3523,6 +3526,19 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
/* don't take a long time and don't die either */
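Review bot: The added bound `if ( a.nr > GB(1) >> PAGE_SHIFT )` in the first hunk depends on `>>` binding tighter than `>`, and the 1 GiB figure is not explained anywhere in the hunk; I would write it as `if ( a.nr > (GB(1) >> PAGE_SHIFT) )` and precede it with a comment such as `/* Reject requests covering more than 1 GiB worth of pages in a single call */`. The case this guards (presumably the dirty-VRAM tracking op, given the param_fail2 label) starts outside the hunk, so whether a.first_pfn and a.nr are also checked against the domain's maximum gpfn cannot be seen here and is worth confirming.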
sh_remove_shadows(d->vcpu[0], mfn, 1, 0);
}
+
+ a.first_pfn++;
+ a.nr--;
+
+ /* Check for continuation if it's not the last interation */
+ if ( a.nr > 0 && hypercall_preempt_check() )
+ {
+ if ( copy_to_guest(arg, &a, 1) )
+ rc = -EFAULT;
+ else
+ rc = -EAGAIN;
+ break;
+ }
}

param_fail3:
@@@@ -3566,7 +3582,6 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
struct xen_hvm_set_mem_type a;
struct domain *d;
struct p2m_domain *p2m;
- unsigned long pfn;

/* Interface types to internal p2m types */
p2m_type_t memtype[] = {
@@@@ -3596,8 +3611,9 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
goto param_fail4;

p2m = p2m_get_hostp2m(d);
- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
+ while ( a.nr > 0 )
{
+ unsigned long pfn = a.first_pfn;
p2m_type_t t;
p2m_type_t nt;
mfn_t mfn;
@@@@ -3633,6 +3649,19 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
goto param_fail4;
}
}
+
+ a.first_pfn++;
+ a.nr--;
+
+ /* Check for continuation if it's not the last interation */
+ if ( a.nr > 0 && hypercall_preempt_check() )
+ {
+ if ( copy_to_guest(arg, &a, 1) )
+ rc = -EFAULT;
+ else
+ rc = -EAGAIN;
+ goto param_fail4;
+ }
}

rc = 0;
@@@@ -3670,7 +3699,7 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
return rc;

rc = -EINVAL;
- if ( !is_hvm_domain(d) )
+ if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )
goto param_fail5;

p2m = p2m_get_hostp2m(d);
@@@@ -3690,9 +3719,6 @@@@ long do_hvm_op(unsigned long op, XEN_GUE
((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
goto param_fail5;

- if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) )
- goto param_fail5;
-
for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
{
p2m_type_t t;
@ 1.1 log @add another batch of security patches from upstream bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @
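Review bot: The preemption exit added in the -3523 hunk leaves the loop with `break` while the matching block in the -3633 hunk uses `goto param_fail4`, and the reason is only visible in the context lines: the modified_memory loop is followed directly by `param_fail3:`, whereas the set_mem_type loop is followed by `rc = 0;`, which a `break` would let overwrite the -EAGAIN or -EFAULT just stored in rc. That asymmetry deserves a comment above the goto in the -3633 hunk, e.g. `/* goto, not break: the rc = 0 after the loop must not overwrite -EAGAIN */`. Nothing in this patch shows the -EAGAIN return being turned into a hypercall continuation after the switch; if that conversion lives in another pkgsrc patch file this is fine, otherwise the guest receives -EAGAIN with arg already rewritten to the remaining range. The added comment `interation` in both hunks should read `iteration`. do_hvm_op itself begins and ends outside every hunk.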