head	1.2;
access;
symbols
	pkgsrc-2020Q2:1.1.0.30
	pkgsrc-2020Q2-base:1.1
	pkgsrc-2020Q1:1.1.0.10
	pkgsrc-2020Q1-base:1.1
	pkgsrc-2019Q4:1.1.0.32
	pkgsrc-2019Q4-base:1.1
	pkgsrc-2019Q3:1.1.0.28
	pkgsrc-2019Q3-base:1.1
	pkgsrc-2019Q2:1.1.0.26
	pkgsrc-2019Q2-base:1.1
	pkgsrc-2019Q1:1.1.0.24
	pkgsrc-2019Q1-base:1.1
	pkgsrc-2018Q4:1.1.0.22
	pkgsrc-2018Q4-base:1.1
	pkgsrc-2018Q3:1.1.0.20
	pkgsrc-2018Q3-base:1.1
	pkgsrc-2018Q2:1.1.0.18
	pkgsrc-2018Q2-base:1.1
	pkgsrc-2018Q1:1.1.0.16
	pkgsrc-2018Q1-base:1.1
	pkgsrc-2017Q4:1.1.0.14
	pkgsrc-2017Q4-base:1.1
	pkgsrc-2017Q3:1.1.0.12
	pkgsrc-2017Q3-base:1.1
	pkgsrc-2017Q2:1.1.0.8
	pkgsrc-2017Q2-base:1.1
	pkgsrc-2017Q1:1.1.0.6
	pkgsrc-2017Q1-base:1.1
	pkgsrc-2016Q4:1.1.0.4
	pkgsrc-2016Q4-base:1.1
	pkgsrc-2016Q3:1.1.0.2
	pkgsrc-2016Q3-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2020.08.19.10.39.23;	author bouyer;	state dead;
branches;
next	1.1;
commitid	DGAMglRf0Jde6FkC;

1.1
date	2016.09.08.15.41.01;	author bouyer;	state Exp;
branches;
next	;
commitid	c9X7FynnoqZn5vlz;


desc
@@


1.2
log
@Remove xenkernel and xentools packages older than 4.11.
They're not maintained anymore upstream, and don't build on supported
NetBSD releases.
@
text
@$NetBSD: patch-XSA-187-1,v 1.1 2016/09/08 15:41:01 bouyer Exp $

From: Andrew Cooper
Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]

hvm_get_seg_reg() does not perform a range check on its input segment, calls
hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].

x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
in {vmx,svm}_get_segment_register().

HVM guests running with shadow paging can end up performing a virtual to
linear translation with x86_seg_none.  This is used for addresses which are
already linear.  However, none of this is a legitimate pagetable update, so
fail the emulation in such a case.

This is XSA-187

Reported-by: Andrew Cooper
Signed-off-by: Andrew Cooper Reviewed-by: Tim Deegan --- xen/arch/x86/mm/shadow/common.c.orig +++ xen/arch/x86/mm/shadow/common.c @@@@ -140,9 +140,18 @@@@ static int hvm_translate_linear_addr( struct sh_emulate_ctxt *sh_ctxt, unsigned long *paddr) { - struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); + struct segment_register *reg; int okay; + /* + * Can arrive here with non-user segments. However, no such cirucmstance + * is part of a legitimate pagetable update, so fail the emulation. + */ + if ( !is_x86_user_segment(seg) ) + return X86EMUL_UNHANDLEABLE; + + reg = hvm_get_seg_reg(seg, sh_ctxt); + okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr); @ 1.1 log @Backport upstream patches for security issues: XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[] bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: $ @
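Review bot: The new `is_x86_user_segment(seg)` guard is placed in the caller, hvm_translate_linear_addr(), while the description identifies hvm_get_seg_reg() as the function that indexes sh_ctxt->seg_reg[] without any range check; any other present or future caller of hvm_get_seg_reg() can still reach hvm_get_segment_register() with x86_seg_none and trip the BUG() in {vmx,svm}_get_segment_register(). Consider an `ASSERT(is_x86_user_segment(seg));` (or an equivalent bounds check on the seg_reg[] index) inside hvm_get_seg_reg() itself as defence in depth, so the array bound is enforced at the point of the write rather than at one call site. Minor: the added comment misspells "circumstance" as "cirucmstance".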