head	1.2;
access;
symbols
	pkgsrc-2016Q4:1.1.0.2
	pkgsrc-2016Q4-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2017.03.20.18.17.13;	author bouyer;	state dead;
branches;
next	1.1;
commitid	d3qkVwbNTy4nKjKz;

1.1
date	2016.12.20.10.22.29;	author bouyer;	state Exp;
branches;
next	;
commitid	TxndvKOzkEv91Iyz;


desc
@@


1.2
log
@Update xenkernel46 and xentools46 to 4.6.5. Changes since 4.6.3:
various bug fixes. Includes all security patches up to and including
XSA-209
@
text
@$NetBSD: patch-XSA-200,v 1.1 2016/12/20 10:22:29 bouyer Exp $

From: Jan Beulich <jbeulich@@suse.com>
Subject: x86emul: CMPXCHG8B ignores operand size prefix

Otherwise besides mis-handling the instruction, the comparison failure
case would result in uninitialized stack data being handed back to the
guest in rDX:rAX (32 bits leaked for 32-bit guests, 96 bits for 64-bit
ones).

This is XSA-200.

Signed-off-by: Jan Beulich <jbeulich@@suse.com>

--- tools/tests/x86_emulator/test_x86_emulator.c.orig
+++ tools/tests/x86_emulator/test_x86_emulator.c
@@@@ -429,6 +429,24 @@@@ int main(int argc, char **argv)
         goto fail;
     printf("okay\n");
 
+    printf("%-40s", "Testing cmpxchg8b (%edi) [opsize]...");
+    instr[0] = 0x66; instr[1] = 0x0f; instr[2] = 0xc7; instr[3] = 0x0f;
+    res[0]      = 0x12345678;
+    res[1]      = 0x87654321;
+    regs.eflags = 0x200;
+    regs.eip    = (unsigned long)&instr[0];
+    regs.edi    = (unsigned long)res;
+    rc = x86_emulate(&ctxt, &emulops);
+    if ( (rc != X86EMUL_OKAY) ||
+         (res[0] != 0x12345678) ||
+         (res[1] != 0x87654321) ||
+         (regs.eax != 0x12345678) ||
+         (regs.edx != 0x87654321) ||
+         ((regs.eflags&0x240) != 0x200) ||
+         (regs.eip != (unsigned long)&instr[4]) )
+        goto fail;
+    printf("okay\n");
+
     printf("%-40s", "Testing movsxbd (%%eax),%%ecx...");
     instr[0] = 0x0f; instr[1] = 0xbe; instr[2] = 0x08;
     regs.eflags = 0x200;
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@@@ -4739,8 +4739,12 @@@@ x86_emulate(
         generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
         generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
         if ( op_bytes == 8 )
+        {
             vcpu_must_have_cx16();
-        op_bytes *= 2;
+            op_bytes = 16;
+        }
+        else
+            op_bytes = 8;
 
         /* Get actual old value. */
         if ( (rc = ops->read(ea.mem.seg, ea.mem.off, old, op_bytes,
@


1.1
log
@Apply upstream patch for XSA-199, XSA-200 and XSA-204.
Bump PKGREVISIONs
@
text
@d1 1
a1 1
$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:57:10 bouyer Exp $
@