head 1.2; access; symbols pkgsrc-2020Q2:1.1.0.36 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.16 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.38 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.34 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.32 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.30 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.28 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.26 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.24 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.22 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.20 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.18 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.14 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.12 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.10 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.8 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.6 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.4 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2020.08.19.10.39.24; author bouyer; state dead; branches; next 1.1; commitid DGAMglRf0Jde6FkC; 1.1 date 2016.01.07.17.53.58; author bouyer; state Exp; branches 1.1.2.1; next ; commitid sPBfKcCmelWSG1Qy; 1.1.2.1 date 2016.01.07.17.53.58; author bsiegert; state dead; branches; next 1.1.2.2; commitid DY7ZTsM4su8PtyQy; 1.1.2.2 date 2016.01.11.20.37.17; author bsiegert; state Exp; branches; next ; commitid DY7ZTsM4su8PtyQy; desc @@ 1.2 log @Remove xenkernel and xentools packages older than 4.11. They're not maintained anymore upstream, and don't build on supported NetBSD releases. 
@ text @$NetBSD: patch-CVE-2015-8550,v 1.1 2016/01/07 17:53:58 bouyer Exp $ patch for CVE-2015-8550 aka XSA-155 from http://xenbits.xenproject.org/xsa/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch http://xenbits.xenproject.org/xsa/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch http://xenbits.xenproject.org/xsa/xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch http://xenbits.xenproject.org/xsa/xsa155-qemut-qdisk-double-access.patch http://xenbits.xenproject.org/xsa/xsa155-qemut-xenfb.patch http://xenbits.xenproject.org/xsa/xsa155-qemu-qdisk-double-access.patch http://xenbits.xenproject.org/xsa/xsa155-qemu-xenfb.patch --- ../xen/include/public/io/ring.h.orig +++ ../xen/include/public/io/ring.h @@@@ -212,6 +212,20 @@@@ typedef struct __name##_back_ring __name##_back_ring_t #define RING_GET_REQUEST(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) +/* + * Get a local copy of a request. + * + * Use this in preference to RING_GET_REQUEST() so all processing is + * done on a local copy that cannot be modified by the other end. + * + * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this + * to be ineffective where _req is a struct which consists of only bitfields. + */ +#define RING_COPY_REQUEST(_r, _idx, _req) do { \ + /* Use volatile to force the copy into _req. */ \ + *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ +} while (0) + #define RING_GET_RESPONSE(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) --- blktap2/drivers/block-log.c.orig +++ blktap2/drivers/block-log.c @@@@ -494,11 +494,12 @@@@ static int ctl_kick(struct tdlog_state* s, int fd) reqstart = s->bring.req_cons; reqend = s->sring->req_prod; + xen_mb(); BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend); while (reqstart != reqend) { /* XXX actually submit these! 
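Review bot: In `RING_COPY_REQUEST`, the cast `(volatile typeof(_req))` appears to qualify the pointer type itself rather than the object it points to, because `typeof(_req)` is already a pointer type. A qualifier on the target type of a cast does not make the following dereference a volatile access, so the copy may not be forced in the way the inline comment states. Qualifying the pointee would match the stated intent: `*(_req) = *(volatile typeof(*(_req)) *)RING_GET_REQUEST(_r, _idx);`. This is worth confirming by inspecting the generated code of a caller on the supported compilers. `typeof` is also a GNU extension, used here in a header under `include/public`.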
*/ - memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req)); + RING_COPY_REQUEST(&s->bring, reqstart, &req); BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count); s->bring.req_cons = ++reqstart; --- blktap2/drivers/tapdisk-vbd.c.orig +++ blktap2/drivers/tapdisk-vbd.c @@@@ -1555,7 +1555,7 @@@@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) int idx; RING_IDX rp, rc; td_ring_t *ring; - blkif_request_t *req; + blkif_request_t req; td_vbd_request_t *vreq; ring = &vbd->ring; @@@@ -1566,16 +1566,16 @@@@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) xen_rmb(); for (rc = ring->fe_ring.req_cons; rc != rp; rc++) { - req = RING_GET_REQUEST(&ring->fe_ring, rc); + RING_COPY_REQUEST(&ring->fe_ring, rc, &req); ++ring->fe_ring.req_cons; - idx = req->id; + idx = req.id; vreq = &vbd->request_list[idx]; ASSERT(list_empty(&vreq->next)); ASSERT(vreq->secs_pending == 0); - memcpy(&vreq->req, req, sizeof(blkif_request_t)); + memcpy(&vreq->req, &req, sizeof(blkif_request_t)); vbd->received++; vreq->vbd = vbd; --- libvchan/io.c.orig +++ libvchan/io.c @@@@ -118,6 +118,7 @@@@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit) static inline int raw_get_data_ready(struct libxenvchan *ctrl) { uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl); + xen_mb(); /* Ensure 'ready' is read only once. */ if (ready >= rd_ring_size(ctrl)) /* We have no way to return errors. Locking up the ring is * better than the alternatives. */ @@@@ -159,6 +160,7 @@@@ int libxenvchan_data_ready(struct libxenvchan *ctrl) static inline int raw_get_buffer_space(struct libxenvchan *ctrl) { uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); + xen_mb(); /* Ensure 'ready' is read only once. */ if (ready > wr_ring_size(ctrl)) /* We have no way to return errors. Locking up the ring is * better than the alternatives. 
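Review bot: The `while (reqstart != reqend)` loop in `ctl_kick` is still bounded only by `s->sring->req_prod`, which the other end of the ring writes, so a producer index far ahead of `req_cons` makes the loop walk the same slots many times over. A check right after the added `xen_mb()`, such as `if (reqend - reqstart > RING_SIZE(&s->bring))` followed by the function's error path, would reject an inconsistent index before any request is copied. The body of `ctl_kick` starts and ends outside the hunk, so a bound applied elsewhere cannot be ruled out from these lines.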
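Review bot: `idx = req.id;` is followed directly by `vreq = &vbd->request_list[idx];`, and no range check on the id is visible in this hunk. The local copy stops the value changing under the code but does not limit what the value is. The id comes from the request the frontend placed on the ring and is narrowed into `int idx`. A guard before the indexing, of the form `if (req.id >= N) { /* fail the request */ }`, would keep the lookup inside the array; N here is a placeholder for the element count of `request_list`, whose declaration is not shown. The two `ASSERT` lines run after the element address has been formed and presumably only help when assertions are compiled in; the function starts and ends outside the hunk.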
*/ --- qemu-xen-traditional/hw/xen_blkif.h.orig 2013-10-10 16:15:47.000000000 +0200 +++ qemu-xen-traditional/hw/xen_blkif.h 2016-01-07 17:35:36.000000000 +0100 @@@@ -79,8 +79,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } @@@@ -94,8 +96,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } --- qemu-xen-traditional/hw/xenfb.c +++ qemu-xen-traditional/hw/xenfb.c @@@@ -827,18 +827,20 @@@@ static void xenfb_invalidate(void *opaque) static void xenfb_handle_events(struct XenFB *xenfb) { - uint32_t prod, cons; + uint32_t prod, cons, out_cons; struct xenfb_page *page = xenfb->c.page; prod = page->out_prod; - if (prod == page->out_cons) + out_cons = page->out_cons; + if (prod == out_cons) return; xen_rmb(); /* ensure we see ring contents up to prod */ - for (cons = page->out_cons; cons != prod; cons++) { + for (cons = out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); + uint8_t type = event->type; int x, y, w, h; - switch (event->type) { + switch (type) { case XENFB_TYPE_UPDATE: if (xenfb->up_count == UP_QUEUE) xenfb->up_fullscreen = 1; --- qemu-xen/hw/xen_blkif.h.orig 2013-10-10 16:15:47.000000000 +0200 +++ qemu-xen/hw/xen_blkif.h 2016-01-07 17:35:36.000000000 +0100 @@@@ -79,8 +79,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* 
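Review bot: The clamp `if (n > dst->nr_segments) n = dst->nr_segments;` limits only the loop counter. `dst->nr_segments` itself keeps whatever the frontend wrote, so when it exceeds `n` the private request claims more segments than were copied into `dst->seg[]`. A comment at the clamp would make that contract visible, e.g. `/* dst->nr_segments is not clamped here; callers must validate it before indexing seg[] */`. The assignment to `dst->nr_segments` and the initial value of `n` are above the hunk, so this is inferred from the visible lines only. The same applies to the second hunk in this file and to both hunks in `qemu-xen/hw/xen_blkif.h`.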
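Review bot: `uint8_t type = event->type;` is a plain load with no barrier or volatile access before `switch (type)`, so the compiler may read `event->type` from the shared page again when it dispatches; the `xen_blkif.h` part of this patch guards against that same re-fetch with `xen_mb()`. Reading through a volatile lvalue pins the value: `uint8_t type = *(volatile uint8_t *)&event->type;`. Separately, the only test on the indices is `prod == out_cons`, so the loop length is whatever distance the frontend sets between them; `if (prod - out_cons > XENFB_OUT_RING_LEN) return;` would cap it. The case bodies continue past the hunk and, as far as can be inferred, still read other `event` fields from the shared page. `qemu-xen/hw/xenfb.c` carries the same hunk.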
prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } @@@@ -94,8 +96,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } --- qemu-xen/hw/xenfb.c.orig +++ qemu-xen/hw/xenfb.c @@@@ -784,18 +784,20 @@@@ static void xenfb_invalidate(void *opaque) static void xenfb_handle_events(struct XenFB *xenfb) { - uint32_t prod, cons; + uint32_t prod, cons, out_cons; struct xenfb_page *page = xenfb->c.page; prod = page->out_prod; - if (prod == page->out_cons) + out_cons = page->out_cons; + if (prod == out_cons) return; xen_rmb(); /* ensure we see ring contents up to prod */ - for (cons = page->out_cons; cons != prod; cons++) { + for (cons = out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); + uint8_t type = event->type; int x, y, w, h; - switch (event->type) { + switch (type) { case XENFB_TYPE_UPDATE: if (xenfb->up_count == UP_QUEUE) xenfb->up_fullscreen = 1; @ 1.1 log @pply patches from Xen repository, fixing: CVE-2015-5307 and CVE-2015-8104 aka XSA-156 CVE-2015-8339 and CVE-2015-8340 aka XSA-159 CVE-2015-8555 aka XSA-165 XSA-166 CVE-2015-8550 aka XSA-155 CVE-2015-8554 aka XSA-164 Bump pkgrevision @ text @d1 1 a1 1 $NetBSD: patch-CVE-2015-2756,v 1.1 2015/04/19 13:13:21 spz Exp $ @ 1.1.2.1 log @file patch-CVE-2015-8550 was added on branch pkgsrc-2015Q4 on 2016-01-11 20:37:17 +0000 @ text @d1 213 @ 1.1.2.2 log @Pullup ticket #4886 - requested by bouyer sysutils/xenkernel42: security fix sysutils/xentools42: security fix Revisions pulled up: - sysutils/xenkernel42/Makefile 1.20 - 
sysutils/xenkernel42/distinfo 1.19 - sysutils/xenkernel42/patches/patch-CVE-2015-5307 1.1 - sysutils/xenkernel42/patches/patch-CVE-2015-8339 1.1 - sysutils/xenkernel42/patches/patch-CVE-2015-8555 1.1 - sysutils/xenkernel42/patches/patch-XSA-166 1.1 - sysutils/xentools42/Makefile 1.41 - sysutils/xentools42/distinfo 1.22 - sysutils/xentools42/patches/patch-CVE-2015-8550 1.1 - sysutils/xentools42/patches/patch-CVE-2015-8554 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Thu Jan 7 17:53:59 UTC 2016 Modified Files: pkgsrc/sysutils/xenkernel42: Makefile distinfo pkgsrc/sysutils/xentools42: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel42/patches: patch-CVE-2015-5307 patch-CVE-2015-8339 patch-CVE-2015-8555 patch-XSA-166 pkgsrc/sysutils/xentools42/patches: patch-CVE-2015-8550 patch-CVE-2015-8554 Log Message: pply patches from Xen repository, fixing: CVE-2015-5307 and CVE-2015-8104 aka XSA-156 CVE-2015-8339 and CVE-2015-8340 aka XSA-159 CVE-2015-8555 aka XSA-165 XSA-166 CVE-2015-8550 aka XSA-155 CVE-2015-8554 aka XSA-164 Bump pkgrevision @ text @a0 213 $NetBSD$ patch for CVE-2015-8550 aka XSA-155 from http://xenbits.xenproject.org/xsa/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch http://xenbits.xenproject.org/xsa/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch http://xenbits.xenproject.org/xsa/xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch http://xenbits.xenproject.org/xsa/xsa155-qemut-qdisk-double-access.patch http://xenbits.xenproject.org/xsa/xsa155-qemut-xenfb.patch http://xenbits.xenproject.org/xsa/xsa155-qemu-qdisk-double-access.patch http://xenbits.xenproject.org/xsa/xsa155-qemu-xenfb.patch --- ../xen/include/public/io/ring.h.orig +++ ../xen/include/public/io/ring.h @@@@ -212,6 +212,20 @@@@ typedef struct __name##_back_ring __name##_back_ring_t #define RING_GET_REQUEST(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) +/* + * Get a local copy of a request. 
+ * + * Use this in preference to RING_GET_REQUEST() so all processing is + * done on a local copy that cannot be modified by the other end. + * + * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this + * to be ineffective where _req is a struct which consists of only bitfields. + */ +#define RING_COPY_REQUEST(_r, _idx, _req) do { \ + /* Use volatile to force the copy into _req. */ \ + *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ +} while (0) + #define RING_GET_RESPONSE(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) --- blktap2/drivers/block-log.c.orig +++ blktap2/drivers/block-log.c @@@@ -494,11 +494,12 @@@@ static int ctl_kick(struct tdlog_state* s, int fd) reqstart = s->bring.req_cons; reqend = s->sring->req_prod; + xen_mb(); BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend); while (reqstart != reqend) { /* XXX actually submit these! */ - memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req)); + RING_COPY_REQUEST(&s->bring, reqstart, &req); BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count); s->bring.req_cons = ++reqstart; --- blktap2/drivers/tapdisk-vbd.c.orig +++ blktap2/drivers/tapdisk-vbd.c @@@@ -1555,7 +1555,7 @@@@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) int idx; RING_IDX rp, rc; td_ring_t *ring; - blkif_request_t *req; + blkif_request_t req; td_vbd_request_t *vreq; ring = &vbd->ring; @@@@ -1566,16 +1566,16 @@@@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) xen_rmb(); for (rc = ring->fe_ring.req_cons; rc != rp; rc++) { - req = RING_GET_REQUEST(&ring->fe_ring, rc); + RING_COPY_REQUEST(&ring->fe_ring, rc, &req); ++ring->fe_ring.req_cons; - idx = req->id; + idx = req.id; vreq = &vbd->request_list[idx]; ASSERT(list_empty(&vreq->next)); ASSERT(vreq->secs_pending == 0); - memcpy(&vreq->req, req, sizeof(blkif_request_t)); + memcpy(&vreq->req, &req, sizeof(blkif_request_t)); vbd->received++; vreq->vbd = vbd; --- libvchan/io.c.orig +++ libvchan/io.c 
@@@@ -118,6 +118,7 @@@@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit) static inline int raw_get_data_ready(struct libxenvchan *ctrl) { uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl); + xen_mb(); /* Ensure 'ready' is read only once. */ if (ready >= rd_ring_size(ctrl)) /* We have no way to return errors. Locking up the ring is * better than the alternatives. */ @@@@ -159,6 +160,7 @@@@ int libxenvchan_data_ready(struct libxenvchan *ctrl) static inline int raw_get_buffer_space(struct libxenvchan *ctrl) { uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); + xen_mb(); /* Ensure 'ready' is read only once. */ if (ready > wr_ring_size(ctrl)) /* We have no way to return errors. Locking up the ring is * better than the alternatives. */ --- qemu-xen-traditional/hw/xen_blkif.h.orig 2013-10-10 16:15:47.000000000 +0200 +++ qemu-xen-traditional/hw/xen_blkif.h 2016-01-07 17:35:36.000000000 +0100 @@@@ -79,8 +79,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } @@@@ -94,8 +96,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } --- qemu-xen-traditional/hw/xenfb.c +++ qemu-xen-traditional/hw/xenfb.c @@@@ -827,18 +827,20 @@@@ static void xenfb_invalidate(void *opaque) static void xenfb_handle_events(struct XenFB *xenfb) { - uint32_t prod, cons; + uint32_t prod, cons, out_cons; struct xenfb_page *page = xenfb->c.page; prod = page->out_prod; - if (prod 
== page->out_cons) + out_cons = page->out_cons; + if (prod == out_cons) return; xen_rmb(); /* ensure we see ring contents up to prod */ - for (cons = page->out_cons; cons != prod; cons++) { + for (cons = out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); + uint8_t type = event->type; int x, y, w, h; - switch (event->type) { + switch (type) { case XENFB_TYPE_UPDATE: if (xenfb->up_count == UP_QUEUE) xenfb->up_fullscreen = 1; --- qemu-xen/hw/xen_blkif.h.orig 2013-10-10 16:15:47.000000000 +0200 +++ qemu-xen/hw/xen_blkif.h 2016-01-07 17:35:36.000000000 +0100 @@@@ -79,8 +79,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } @@@@ -94,8 +96,10 @@@@ dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + xen_mb(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } --- qemu-xen/hw/xenfb.c.orig +++ qemu-xen/hw/xenfb.c @@@@ -784,18 +784,20 @@@@ static void xenfb_invalidate(void *opaque) static void xenfb_handle_events(struct XenFB *xenfb) { - uint32_t prod, cons; + uint32_t prod, cons, out_cons; struct xenfb_page *page = xenfb->c.page; prod = page->out_prod; - if (prod == page->out_cons) + out_cons = page->out_cons; + if (prod == out_cons) return; xen_rmb(); /* ensure we see ring contents up to prod */ - for (cons = page->out_cons; cons != prod; cons++) { + for (cons = out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); + uint8_t type = event->type; int x, y, w, h; 
- switch (event->type) { + switch (type) { case XENFB_TYPE_UPDATE: if (xenfb->up_count == UP_QUEUE) xenfb->up_fullscreen = 1; @