head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.2 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.1.0.2 pkgsrc-2012Q4-base:1.1; locks; strict; comment @# @; 1.2 date 2013.01.17.19.37.55; author drochner; state dead; branches; next 1.1; 1.1 date 2012.12.05.19.16.27; author drochner; state Exp; branches; next ; desc @@ 1.2 log @update to 4.1.4 changes: -fixes for many vulnerabilities (were mostly patched in pkgsrc) -bug fixes and improvements (almost 100 since Xen 4.1.3). Highlights are: -A fix for a long standing time management issue -Bug fixes for S3 (suspend to RAM) handling -Bug fixes for other low level system state handling pkgsrc note: fixes for CVE-2012-5634 (interrupt issue on IOMMU systems) and CVE-2012-6075 (oversized packets from e1000 driver) are already included @ text @$NetBSD: patch-CVE-2012-5513_2,v 1.1 2012/12/05 19:16:27 drochner Exp $ fix for CVE-2012-5515 is also here, see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00001.html --- xen/common/memory.c.orig 2012-08-10 13:51:48.000000000 +0000 +++ xen/common/memory.c @@@@ -117,7 +117,8 @@@@ static void populate_physmap(struct memo if ( a->memflags & MEMF_populate_on_demand ) { - if ( guest_physmap_mark_populate_on_demand(d, gpfn, + if ( a->extent_order > MAX_ORDER || + guest_physmap_mark_populate_on_demand(d, gpfn, a->extent_order) < 0 ) goto out; } @@@@ -216,7 +217,8 @@@@ static void decrease_reservation(struct xen_pfn_t gmfn; if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, - a->nr_extents-1) ) + a->nr_extents-1) || + a->extent_order > MAX_ORDER ) return; for ( i = a->nr_done; i < a->nr_extents; i++ ) @@@@ -278,6 +280,9 @@@@ static long memory_exchange(XEN_GUEST_HA if ( (exch.nr_exchanged > exch.in.nr_extents) || /* Input and output domain identifiers match? */ (exch.in.domid != exch.out.domid) || + /* Extent orders are sensible? */ + (exch.in.extent_order > MAX_ORDER) || + (exch.out.extent_order > MAX_ORDER) || /* Sizes of input and output lists do not overflow a long? 
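Review bot: In populate_physmap() the added `a->extent_order > MAX_ORDER` test sits inside the `MEMF_populate_on_demand` branch, so nothing visible in the hunk bounds the order on the other branch; confirm that the allocation path rejects an oversized order on its own. The value does not change between extents, so testing it once before the extents are walked would cover both branches, as the decrease_reservation() hunk already does with its early `return`. Neither hunk says why the bound exists, and both fail silently, so a comment such as `/* Guest-supplied order: refuse anything above MAX_ORDER before touching any extent. */` would keep the check from being dropped in a later cleanup. Both function bodies start and end outside their hunks.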
*/ ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || @@@@ -289,6 +294,13 @@@@ static long memory_exchange(XEN_GUEST_HA goto fail_early; } + if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || + !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) + { + rc = -EFAULT; + goto fail_early; + } + /* Only privileged guests can allocate multi-page contiguous extents. */ if ( !multipage_allocation_permitted(current->domain, exch.in.extent_order) || @ 1.1 log @add another batch of security patches from upstream bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @
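Review bot: The two added `extent_order > MAX_ORDER` clauses in memory_exchange() protect the `~0UL >> exch.in.extent_order` and `~0UL >> exch.out.extent_order` shifts that follow only because `||` short-circuits, and the added comment `/* Extent orders are sensible? */` does not record that dependency. A shift count at or above the width of `unsigned long` is undefined in C, so reordering these clauses would quietly bring the problem back. I would extend the comment to `/* Extent orders are sensible? Must be tested before the shifts below. */`. The condition opens above the hunk and the function continues below it.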
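Review bot: The added `guest_handle_okay()` block in memory_exchange() carries no comment, yet its value depends on code outside the hunk. It is only sufficient if every later access to `exch.in.extent_start` and `exch.out.extent_start` indexes below the matching `nr_extents`. It also needs to stay after the preceding sanity test, which is where `nr_extents` is bounded against `extent_order`. A comment such as `/* Validate both guest extent arrays in full; the accesses below rely on this range check. */` would make that contract explicit. It is also worth confirming that callers handle the new `-EFAULT` the same way as the error code set on the earlier `fail_early` path, which is not visible here.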