head 1.2; access; symbols pkgsrc-2020Q2:1.1.0.42 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.22 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.44 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.40 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.38 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.36 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.34 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.32 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.30 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.28 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.26 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.24 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.20 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.18 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.16 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.14 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.12 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.10 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.8 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.6 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.4 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2020.08.19.10.39.23; author bouyer; state dead; branches; next 1.1; commitid DGAMglRf0Jde6FkC; 1.1 date 2015.04.19.13.13.20; author spz; state Exp; branches 1.1.2.1; next ; commitid C4uc4kMktu1eBciy; 1.1.2.1 date 2015.04.19.13.13.20; author tron; state dead; branches; next 1.1.2.2; commitid XOJeB58WDS2DVwjy; 1.1.2.2 date 2015.04.29.21.11.12; author tron; state Exp; branches; next ; commitid XOJeB58WDS2DVwjy; desc @@ 1.2 log @Remove xenkernel and xentools packages older than 4.11. They're not maintained anymore upstream, and don't build on supported NetBSD releases. 
@ text @$NetBSD: patch-CVE-2015-2752,v 1.1 2015/04/19 13:13:20 spz Exp $ Patch for CVE-2015-2752 aka XSA-125 from http://xenbits.xenproject.org/xsa/xsa125-4.2.patch --- tools/libxc/xc_domain.c.orig 2014-09-02 06:22:57.000000000 +0000 +++ tools/libxc/xc_domain.c @@@@ -1352,6 +1352,13 @@@@ int xc_domain_bind_pt_isa_irq( PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq)); } +#ifndef min +#define min(X, Y) ({ \ + const typeof (X) _x = (X); \ + const typeof (Y) _y = (Y); \ + (void) (&_x == &_y); \ + (_x < _y) ? _x : _y; }) +#endif int xc_domain_memory_mapping( xc_interface *xch, uint32_t domid, @@@@ -1361,17 +1368,55 @@@@ int xc_domain_memory_mapping( uint32_t add_mapping) { DECLARE_DOMCTL; + int ret = 0, err; + unsigned long done = 0, nr, max_batch_sz; + + if ( !nr_mfns ) + return 0; domctl.cmd = XEN_DOMCTL_memory_mapping; domctl.domain = domid; - domctl.u.memory_mapping.first_gfn = first_gfn; - domctl.u.memory_mapping.first_mfn = first_mfn; - domctl.u.memory_mapping.nr_mfns = nr_mfns; domctl.u.memory_mapping.add_mapping = add_mapping; + max_batch_sz = nr_mfns; + do + { + nr = min(nr_mfns - done, max_batch_sz); + domctl.u.memory_mapping.nr_mfns = nr; + domctl.u.memory_mapping.first_gfn = first_gfn + done; + domctl.u.memory_mapping.first_mfn = first_mfn + done; + err = do_domctl(xch, &domctl); + if ( err && errno == E2BIG ) + { + if ( max_batch_sz <= 1 ) + break; + max_batch_sz >>= 1; + continue; + } + /* Save the first error... */ + if ( !ret ) + ret = err; + /* .. and ignore the rest of them when removing. */ + if ( err && add_mapping != DPCI_REMOVE_MAPPING ) + break; + + done += nr; + } while ( done < nr_mfns ); + + /* + * Undo what we have done unless unmapping, by unmapping the entire region. + * Errors here are ignored. + */ + if ( ret && add_mapping != DPCI_REMOVE_MAPPING ) + xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns, + DPCI_REMOVE_MAPPING); + + /* We might get E2BIG so many times that we never advance. 
*/ + if ( !done && !ret ) + ret = -1; - return do_domctl(xch, &domctl); + return ret; } - +#undef min int xc_domain_ioport_mapping( xc_interface *xch, uint32_t domid, --- xen/arch/x86/domctl.c.orig 2014-09-02 06:22:57.000000000 +0000 +++ xen/arch/x86/domctl.c @@@@ -865,6 +865,11 @@@@ long arch_do_domctl( (gfn + nr_mfns - 1) < gfn ) /* wrap? */ break; + ret = -E2BIG; + /* Must break hypercall up as this could take a while. */ + if ( nr_mfns > 64 ) + break; + ret = -EPERM; if ( !IS_PRIV(current->domain) && !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) ) --- xen/include/public/domctl.h.orig 2014-09-02 06:22:57.000000000 +0000 +++ xen/include/public/domctl.h @@@@ -507,6 +507,7 @@@@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_ /* Bind machine I/O address range -> HVM address range. */ +/* If this returns -E2BIG lower nr_mfns value. */ /* XEN_DOMCTL_memory_mapping */ #define DPCI_ADD_MAPPING 1 #define DPCI_REMOVE_MAPPING 0 @ 1.1 log @apply fixes from upstream for XSA-125 Long latency MMIO mapping operations are not preemptible XSA-126 Unmediated PCI command register access in qemu @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2015-2752 was added on branch pkgsrc-2015Q1 on 2015-04-29 21:11:12 +0000 @ text @d1 108 @ 1.1.2.2 log @Pullup ticket #4698 - requested by spz Pullup ticket #4698 - requested by spz sysutils/xenkernel41: security patch sysutils/xenkernel42: security patch sysutils/xenkernel45: security patch Revisions pulled up: - sysutils/xenkernel41/Makefile 1.45 - sysutils/xenkernel41/distinfo 1.36 - sysutils/xenkernel41/patches/patch-CVE-2015-2752 1.1 - sysutils/xenkernel41/patches/patch-CVE-2015-2756 1.1 - sysutils/xenkernel42/Makefile 1.15 - sysutils/xenkernel42/distinfo 1.13 - sysutils/xenkernel42/patches/patch-CVE-2015-2752 1.1 - sysutils/xenkernel42/patches/patch-CVE-2015-2756 1.1 - sysutils/xenkernel45/Makefile 1.6 - sysutils/xenkernel45/distinfo 1.5 - sysutils/xenkernel45/patches/patch-CVE-2015-2752 1.1 - 
sysutils/xenkernel45/patches/patch-CVE-2015-2756 1.1 - sysutils/xentools41/Makefile 1.50 - sysutils/xentools41/distinfo 1.38 - sysutils/xentools41/patches/patch-CVE-2015-2752 1.1 - sysutils/xentools41/patches/patch-CVE-2015-2756 1.1 - sysutils/xentools42/Makefile 1.27 - sysutils/xentools42/distinfo 1.16 - sysutils/xentools42/patches/patch-CVE-2015-2752 1.1 - sysutils/xentools42/patches/patch-CVE-2015-2756 1.1 - sysutils/xentools45/Makefile 1.6 - sysutils/xentools45/distinfo 1.6 - sysutils/xentools45/patches/patch-CVE-2015-2752 1.1 - sysutils/xentools45/patches/patch-CVE-2015-2756 1.1 --- Module Name: pkgsrc Committed By: spz Date: Sun Apr 19 13:13:21 UTC 2015 Modified Files: pkgsrc/sysutils/xenkernel41: Makefile distinfo pkgsrc/sysutils/xenkernel42: Makefile distinfo pkgsrc/sysutils/xenkernel45: Makefile distinfo pkgsrc/sysutils/xentools41: Makefile distinfo pkgsrc/sysutils/xentools42: Makefile distinfo pkgsrc/sysutils/xentools45: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel41/patches: patch-CVE-2015-2752 patch-CVE-2015-2756 pkgsrc/sysutils/xenkernel42/patches: patch-CVE-2015-2752 patch-CVE-2015-2756 pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-2752 patch-CVE-2015-2756 pkgsrc/sysutils/xentools41/patches: patch-CVE-2015-2752 patch-CVE-2015-2756 pkgsrc/sysutils/xentools42/patches: patch-CVE-2015-2752 patch-CVE-2015-2756 pkgsrc/sysutils/xentools45/patches: patch-CVE-2015-2752 patch-CVE-2015-2756 Log Message: apply fixes from upstream for XSA-125 Long latency MMIO mapping operations are not preemptible XSA-126 Unmediated PCI command register access in qemu @ text @a0 108 $NetBSD$ Patch for CVE-2015-2752 aka XSA-125 from http://xenbits.xenproject.org/xsa/xsa125-4.2.patch --- tools/libxc/xc_domain.c.orig 2014-09-02 06:22:57.000000000 +0000 +++ tools/libxc/xc_domain.c @@@@ -1352,6 +1352,13 @@@@ int xc_domain_bind_pt_isa_irq( PT_IRQ_TYPE_ISA, 0, 0, 0, machine_irq)); } +#ifndef min +#define min(X, Y) ({ \ + const typeof (X) _x = (X); \ + const typeof (Y) 
_y = (Y); \ + (void) (&_x == &_y); \ + (_x < _y) ? _x : _y; }) +#endif int xc_domain_memory_mapping( xc_interface *xch, uint32_t domid, @@@@ -1361,17 +1368,55 @@@@ int xc_domain_memory_mapping( uint32_t add_mapping) { DECLARE_DOMCTL; + int ret = 0, err; + unsigned long done = 0, nr, max_batch_sz; + + if ( !nr_mfns ) + return 0; domctl.cmd = XEN_DOMCTL_memory_mapping; domctl.domain = domid; - domctl.u.memory_mapping.first_gfn = first_gfn; - domctl.u.memory_mapping.first_mfn = first_mfn; - domctl.u.memory_mapping.nr_mfns = nr_mfns; domctl.u.memory_mapping.add_mapping = add_mapping; + max_batch_sz = nr_mfns; + do + { + nr = min(nr_mfns - done, max_batch_sz); + domctl.u.memory_mapping.nr_mfns = nr; + domctl.u.memory_mapping.first_gfn = first_gfn + done; + domctl.u.memory_mapping.first_mfn = first_mfn + done; + err = do_domctl(xch, &domctl); + if ( err && errno == E2BIG ) + { + if ( max_batch_sz <= 1 ) + break; + max_batch_sz >>= 1; + continue; + } + /* Save the first error... */ + if ( !ret ) + ret = err; + /* .. and ignore the rest of them when removing. */ + if ( err && add_mapping != DPCI_REMOVE_MAPPING ) + break; + + done += nr; + } while ( done < nr_mfns ); + + /* + * Undo what we have done unless unmapping, by unmapping the entire region. + * Errors here are ignored. + */ + if ( ret && add_mapping != DPCI_REMOVE_MAPPING ) + xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns, + DPCI_REMOVE_MAPPING); + + /* We might get E2BIG so many times that we never advance. */ + if ( !done && !ret ) + ret = -1; - return do_domctl(xch, &domctl); + return ret; } - +#undef min int xc_domain_ioport_mapping( xc_interface *xch, uint32_t domid, --- xen/arch/x86/domctl.c.orig 2014-09-02 06:22:57.000000000 +0000 +++ xen/arch/x86/domctl.c @@@@ -865,6 +865,11 @@@@ long arch_do_domctl( (gfn + nr_mfns - 1) < gfn ) /* wrap? */ break; + ret = -E2BIG; + /* Must break hypercall up as this could take a while. 
*/ + if ( nr_mfns > 64 ) + break; + ret = -EPERM; if ( !IS_PRIV(current->domain) && !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) ) --- xen/include/public/domctl.h.orig 2014-09-02 06:22:57.000000000 +0000 +++ xen/include/public/domctl.h @@@@ -507,6 +507,7 @@@@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_ /* Bind machine I/O address range -> HVM address range. */ +/* If this returns -E2BIG lower nr_mfns value. */ /* XEN_DOMCTL_memory_mapping */ #define DPCI_ADD_MAPPING 1 #define DPCI_REMOVE_MAPPING 0 @
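Review bot: The rollback at the end of xc_domain_memory_mapping can overwrite the errno of the failure that triggered it. `ret` keeps the first error's return value, but the recursive DPCI_REMOVE_MAPPING pass issues further do_domctl calls, whose errors are ignored, before `return ret`. Assuming do_domctl reports failures through errno, as the `errno == E2BIG` test implies, callers may then see an unrelated errno; a fix is `int saved_errno = errno;` before the recursive call and `errno = saved_errno;` after it. Separately, the closing `#undef min` is unconditional while the definition in the preceding hunk is guarded by `#ifndef min`, so a `min` defined earlier in the file would be lost for the code that follows. The same hunk also appears in the revision 1.2 text earlier on this page.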
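Review bot: The batch limit in arch_do_domctl is a bare `64` that exists only in this check, so the toolstack cannot read it and has to discover it by halving from nr_mfns. The domctl.h comment added in the last hunk tells callers to lower nr_mfns but not to what value. A named constant next to the DPCI_* defines would document the bound, for example `#define MEMORY_MAPPING_MAX_BATCH 64` (name constructed for illustration). The check's comment could also state the reason: `/* Bound per-hypercall work: this mapping operation is not preemptible (XSA-125). */`. The enclosing case body starts and ends outside the hunk, so how the limit interacts with the rest of the handler cannot be judged from here.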