head 1.2; access; symbols pkgsrc-2016Q4:1.1.0.22 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.20 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.18 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.16 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.14 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.12 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.10 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.8 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.6 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.4 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2016.12.29.19.13.02; author wiz; state dead; branches; next 1.1; commitid kFYPk8EnajcmFUzz; 1.1 date 2014.09.26.10.45.00; author bouyer; state Exp; branches 1.1.2.1; next ; commitid R4afNEPClCK9nQRx; 1.1.2.1 date 2014.09.26.10.45.00; author tron; state dead; branches; next 1.1.2.2; commitid 8pZmS45jOtauL6Sx; 1.1.2.2 date 2014.09.28.12.07.10; author tron; state Exp; branches; next ; commitid 8pZmS45jOtauL6Sx; desc @@ 1.2 log @Remove xenkernel and tools versions 3, 33, and 41. As discussed on pkgsrc-users. @ text @$NetBSD: patch-CVE-2014-7154,v 1.1 2014/09/26 10:45:00 bouyer Exp $ x86/shadow: fix race condition sampling the dirty vram state d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held. If not, two concurrent hypercalls could both end up attempting to free dirty_vram (the second of which will free a wild pointer), or both end up allocating a new dirty_vram structure (the first of which will be leaked). This is XSA-104. 
Signed-off-by: Andrew Cooper Reviewed-by: Tim Deegan --- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200 +++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200 @@@@ -3640,7 +3640,7 @@@@ int flush_tlb = 0; unsigned long i; p2m_type_t t; - struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram; + struct sh_dirty_vram *dirty_vram; struct p2m_domain *p2m = p2m_get_hostp2m(d); if (end_pfn < begin_pfn @@@@ -3649,6 +3649,7 @@@@ return -EINVAL; shadow_lock(d); + dirty_vram = d->arch.hvm_domain.dirty_vram; if ( dirty_vram && (!nr || ( begin_pfn != dirty_vram->begin_pfn @ 1.1 log @Add patch for: XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: $ @ 1.1.2.1 log @file patch-CVE-2014-7154 was added on branch pkgsrc-2014Q2 on 2014-09-28 12:07:10 +0000 @ text @d1 34 @ 1.1.2.2 log @Pullup ticket #4505 - requested by bouyer sysutils/xenkernel41: security patch Revisions pulled up: - sysutils/xenkernel41/Makefile 1.39 - sysutils/xenkernel41/distinfo 1.30 - sysutils/xenkernel41/patches/patch-CVE-2014-7154 1.1 - sysutils/xenkernel41/patches/patch-CVE-2014-7155 1.1 - sysutils/xenkernel41/patches/patch-CVE-2014-7156 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Fri Sep 26 10:45:00 UTC 2014 Modified Files: pkgsrc/sysutils/xenkernel41: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel41/patches: patch-CVE-2014-7154 patch-CVE-2014-7155 patch-CVE-2014-7156 Log Message: Add patch for: XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts bump PKGREVISION @ text @a0 
34 $NetBSD$ x86/shadow: fix race condition sampling the dirty vram state d->arch.hvm_domain.dirty_vram must be read with the domain's paging lock held. If not, two concurrent hypercalls could both end up attempting to free dirty_vram (the second of which will free a wild pointer), or both end up allocating a new dirty_vram structure (the first of which will be leaked). This is XSA-104. Signed-off-by: Andrew Cooper Reviewed-by: Tim Deegan --- xen/arch/x86/mm/shadow/common.c.orig 2013-09-10 08:42:18.000000000 +0200 +++ xen/arch/x86/mm/shadow/common.c 2014-09-26 12:21:33.000000000 +0200 @@@@ -3640,7 +3640,7 @@@@ int flush_tlb = 0; unsigned long i; p2m_type_t t; - struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram; + struct sh_dirty_vram *dirty_vram; struct p2m_domain *p2m = p2m_get_hostp2m(d); if (end_pfn < begin_pfn @@@@ -3649,6 +3649,7 @@@@ return -EINVAL; shadow_lock(d); + dirty_vram = d->arch.hvm_domain.dirty_vram; if ( dirty_vram && (!nr || ( begin_pfn != dirty_vram->begin_pfn @
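Review bot: In the first hunk (@@ -3640,7 +3640,7 @@) `dirty_vram` is now declared without an initializer, so it holds an indeterminate value from the declaration until the assignment that follows `shadow_lock(d)`; the visible context shows the `if (end_pfn < begin_pfn` ... `return -EINVAL;` check sitting inside that window, and the fix is only safe if nothing on that early-return path (or any other path before the lock is taken) reads `dirty_vram`. Worth confirming explicitly, and initialising the pointer to NULL at the declaration (`struct sh_dirty_vram *dirty_vram = NULL;`) would make any such use fault deterministically instead of dereferencing stack garbage, at no cost.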
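Review bot: In the second hunk (@@ -3649,6 +3649,7 @@) the patch header says the pointer must be read with the domain's paging lock held, but the lock actually taken is `shadow_lock(d)`; the header should state that shadow_lock is the lock protecting `d->arch.hvm_domain.dirty_vram` in the xenkernel41 tree so the mismatch is not mistaken for a backport error. More importantly, moving the read under the lock only closes the race if every other site that allocates, frees or clears `dirty_vram` also does so under the same lock and clears the field before unlocking; none of those sites is visible in this hunk, so they need to be checked as part of this change.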