head 1.2; access; symbols pkgsrc-2020Q2:1.1.0.28 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.8 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.30 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.26 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.24 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.22 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.20 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.18 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.16 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.14 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.12 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.10 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.6 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.4 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.2 pkgsrc-2016Q4-base:1.1; locks; strict; comment @# @; 1.2 date 2020.08.19.10.39.24; author bouyer; state dead; branches; next 1.1; commitid DGAMglRf0Jde6FkC; 1.1 date 2016.12.20.10.22.29; author bouyer; state Exp; branches; next ; commitid TxndvKOzkEv91Iyz; desc @@ 1.2 log @Remove xenkernel and xentools packages older than 4.11. They're not maintained anymore upstream, and don't build on supported NetBSD releases. @ text @$NetBSD: patch-XSA-199,v 1.1 2016/12/20 10:22:29 bouyer Exp $ From b73bd1edc05d1bad5c018228146930d79315a5da Mon Sep 17 00:00:00 2001 
From: Ian Jackson
Date: Mon, 14 Nov 2016 17:19:46 +0000
Subject: [PATCH] qemu: ioport_read, ioport_write: be defensive about 32-bit addresses
On x86, ioport addresses are 16-bit. That these functions take 32-bit arguments is a mistake. Changing the argument type to 16-bit will discard the top bits of any erroneous values from elsewhere in qemu. Also, check just before use that the value is in range. (This turns an ill-advised change to MAX_IOPORTS into a possible guest crash rather than a privilege escalation vulnerability.) And, in the Xen ioreq processor, clamp incoming ioport addresses to 16-bit values. Xen will never write >16-bit values but the guest may have access to the ioreq ring. We want to defend the rest of the qemu code from wrong values. This is XSA-199.
Reported-by: yanghongke
Signed-off-by: Ian Jackson
---
 i386-dm/helper2.c | 2 ++
 vl.c | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/i386-dm/helper2.c b/i386-dm/helper2.c
index 2706f2e..5d276bb 100644
--- qemu-xen-traditional/i386-dm/helper2.c.orig
+++ qemu-xen-traditional/i386-dm/helper2.c
@@@@ -355,6 +355,8 @@@@
 sign = req->df ? -1 : 1;
+ req->addr &= 0x0ffffU;
+
 if (req->size > sizeof(unsigned long)) {
 fprintf(stderr, "PIO: bad size (%u)\n", req->size);
 exit(-1);
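Review bot: The new `req->addr &= 0x0ffffU;` carries no comment saying why a field that Xen itself never sets above 16 bits is being masked, and a later tidy-up of the PIO path could drop it as redundant; a one-liner above it such as `/* XSA-199: the ioreq ring may be guest-writable and ioport addresses are 16-bit, so strip any high bits before addr reaches the ioport tables. */` would pin it down. It is also worth noting that the mask silently accepts an out-of-range address while the size check a few lines below treats a malformed request as fatal; if a >16-bit address is as much a protocol violation as a bad size, the same response, or at least a diagnostic, would be the consistent choice, although the commit message chooses clamping deliberately so this is a judgment call rather than a defect. The enclosing function starts and ends outside the hunk.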
diff --git a/vl.c b/vl.c
index f9c4d7e..c3c5d63 100644
--- qemu-xen-traditional/vl.c.orig
+++ qemu-xen-traditional/vl.c
@@@@ -52,6 +52,7 @@@@
 #include
+#include
 #include
 #include
 #include
@@@@ -290,26 +291,30 @@@@ PicState2 *isa_pic;
 static IOPortReadFunc default_ioport_readb, default_ioport_readw, default_ioport_readl;
 static IOPortWriteFunc default_ioport_writeb, default_ioport_writew, default_ioport_writel;
-static uint32_t ioport_read(int index, uint32_t address)
+static uint32_t ioport_read(int index, uint16_t address)
 {
 static IOPortReadFunc *default_func[3] = { default_ioport_readb, default_ioport_readw, default_ioport_readl };
+ if (address >= MAX_IOPORTS)
+ abort();
 IOPortReadFunc *func = ioport_read_table[index][address];
 if (!func) func = default_func[index];
 return func(ioport_opaque[address], address);
 }
-static void ioport_write(int index, uint32_t address, uint32_t data)
+static void ioport_write(int index, uint16_t address, uint32_t data)
 {
 static IOPortWriteFunc *default_func[3] = { default_ioport_writeb, default_ioport_writew, default_ioport_writel };
+ if (address >= MAX_IOPORTS)
+ abort();
 IOPortWriteFunc *func = ioport_write_table[index][address];
 if (!func) func = default_func[index];
--
2.1.4
--- qemu-xen/xen-all.c.orig 2016-12-20 10:53:18.000000000 +0100
+++ qemu-xen/xen-all.c 2016-12-20 10:53:46.000000000 +0100
@@@@ -661,6 +661,8 @@@@
 sign = req->df ? -1 : 1;
+ req->addr &= 0x0ffffU;
+
 if (req->size > sizeof(uint32_t)) {
 hw_error("PIO: bad size (%u)", req->size);
 }
--- qemu-xen/ioport.c.orig 2016-12-20 10:57:45.000000000 +0100
+++ qemu-xen/ioport.c 2016-12-20 10:58:26.000000000 +0100
@@@@ -64,6 +64,8 @@@@
 default_ioport_readl };
 IOPortReadFunc *func = ioport_read_table[index][address];
+ if (address >= MAX_IOPORTS)
+ abort();
 if (!func) func = default_func[index];
 return func(ioport_opaque[address], address);
@@@@ -76,6 +78,8 @@@@
 default_ioport_writew, default_ioport_writel };
+ if (address >= MAX_IOPORTS)
+ abort();
 IOPortWriteFunc *func = ioport_write_table[index][address];
 if (!func) func = default_func[index];
@ 1.1 log @Apply upstream patch for XSA-199, XSA-200 and XSA-204. Bump PKGREVISIONs @ text @d1 1 a1 1 $NetBSD: patch-XSA-198,v 1.1 2016/11/22 20:57:11 bouyer Exp $ @
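Review bot: The new `if (address >= MAX_IOPORTS) abort();` guards in ioport_read and ioport_write deserve a comment, because with `address` now `uint16_t` the comparison is always false whenever MAX_IOPORTS is 65536 (which I believe is the stock qemu value, but it is not visible here), so -Wtype-limits may flag it and a later cleanup may strip what is intentionally a tripwire against MAX_IOPORTS being shrunk; suggest `/* address is 16-bit; this only fires if MAX_IOPORTS is ever lowered below 65536 (XSA-199). */` above each. Callers that still pass 32-bit values now get silent truncation at the call site, which the commit message says is intended, but any other code in vl.c that indexes ioport_read_table or ioport_opaque directly is outside this hunk and gets neither the narrowing nor the check.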
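Review bot: The added `req->addr &= 0x0ffffU;` in the qemu-xen ioreq PIO path is uncommented, and since this file section is a local adaptation rather than part of the upstream XSA-199 patch above, a comment such as `/* XSA-199: the ioreq ring may be guest-writable; ioport addresses are 16-bit, mask before use. */` would tell the next maintainer why it is here and where it came from. Unlike the qemu-xen-traditional side, the ioport.c hunks in this patch show no signature change, so on this path the mask appears to be the only thing narrowing the value before the table index (hedged: the ioport_read/ioport_write signatures are outside the hunks). The enclosing function starts and ends outside the hunk.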
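Review bot: In the first ioport.c hunk the new `if (address >= MAX_IOPORTS) abort();` sits after `IOPortReadFunc *func = ioport_read_table[index][address];`, so an out-of-range address still indexes the table before the check runs: the out-of-bounds read happens first and only then does the process abort. The check must precede the lookup, as it does in the ioport_write hunk immediately below and in both vl.c hunks; move the two added lines above the `IOPortReadFunc *func = ...` line. The enclosing function's signature is outside the hunk, so whether `address` was narrowed there cannot be seen from this patch.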