head 1.2; access; symbols pkgsrc-2022Q2:1.1.0.14 pkgsrc-2022Q2-base:1.1 pkgsrc-2022Q1:1.1.0.12 pkgsrc-2022Q1-base:1.1 pkgsrc-2021Q4:1.1.0.10 pkgsrc-2021Q4-base:1.1 pkgsrc-2021Q3:1.1.0.8 pkgsrc-2021Q3-base:1.1 pkgsrc-2021Q2:1.1.0.6 pkgsrc-2021Q2-base:1.1 pkgsrc-2021Q1:1.1.0.4 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.2 pkgsrc-2020Q4-base:1.1; locks; strict; comment @# @; 1.2 date 2022.06.28.16.33.25; author bouyer; state dead; branches; next 1.1; commitid lkljtNX5KSYPgPJD; 1.1 date 2020.12.17.16.47.30; author bouyer; state Exp; branches; next ; commitid 1uKObHFfDJWDh7AC; desc @@ 1.2 log @Remove xenkernel411 and xenkernel411, they're EOL upstream @ text @$NetBSD: patch-XSA359,v 1.1 2020/12/17 16:47:30 bouyer Exp $ From: Jan Beulich Subject: evtchn/FIFO: add 2nd smp_rmb() to evtchn_fifo_word_from_port() Besides with add_page_to_event_array() the function also needs to synchronize with evtchn_fifo_init_control() setting both d->evtchn_fifo and (subsequently) d->evtchn_port_ops. This is XSA-359 / CVE-2020-29571. Reported-by: Julien Grall Signed-off-by: Jan Beulich Reviewed-by: Julien Grall --- xen/common/event_fifo.c.orig +++ xen/common/event_fifo.c @@@@ -55,6 +55,13 @@@@ static inline event_word_t *evtchn_fifo_ { unsigned int p, w; + /* + * Callers aren't required to hold d->event_lock, so we need to synchronize + * with evtchn_fifo_init_control() setting d->evtchn_port_ops /after/ + * d->evtchn_fifo. + */ + smp_rmb(); + if ( unlikely(port >= d->evtchn_fifo->num_evtchns) ) return NULL; @@@@ -606,6 +613,10 @@@@ int evtchn_fifo_init_control(struct evtc if ( rc < 0 ) goto error; + /* + * This call, as a side effect, synchronizes with + * evtchn_fifo_word_from_port(). + */ rc = map_control_block(v, gfn, offset); if ( rc < 0 ) goto error; @ 1.1 log @Add upstream patches for Xen security advisory 348, 358 and 359. Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: $ @
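Review bot: in the first hunk (evtchn_fifo_word_from_port()), the comment above the new smp_rmb() names the writer, evtchn_fifo_init_control(), but not the reader-side load that the barrier orders ahead of the d->evtchn_fifo->num_evtchns dereference that follows. No read of d->evtchn_port_ops appears in the lines shown for this function, so someone reading it in isolation cannot tell which two loads are being ordered. Extend the comment to say where d->evtchn_port_ops is read on the way into this function, and that the pairing point on the write side is the map_control_block() call in evtchn_fifo_init_control().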
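Review bot: in the second hunk (evtchn_fifo_init_control()), the write-side ordering rests on an unnamed side effect of map_control_block(), and the added comment does not say which operation inside that call acts as the barrier. A later change to map_control_block() could remove that operation and silently break the pairing with the smp_rmb() added in evtchn_fifo_word_from_port(). Either name the operation in the comment, or place an explicit smp_wmb() between the store to d->evtchn_fifo and the store to d->evtchn_port_ops so the ordering no longer depends on the callee's internals.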