head	1.2;
access;
symbols
	pkgsrc-2016Q4:1.1.0.2
	pkgsrc-2016Q4-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2017.03.20.18.17.13;	author bouyer;	state dead;
branches;
next	1.1;
commitid	d3qkVwbNTy4nKjKz;

1.1
date	2016.11.22.20.59.01;	author bouyer;	state Exp;
branches;
next	;
commitid	qR9uGyGaHvIrravz;


desc
@@


1.2
log
@Update xenkernel46 and xentools46 to 4.6.5. Changes since 4.6.3:
various bug fixes. Includes all security patches up to and including
XSA-209
@
text
@$NetBSD: patch-XSA-197-2,v 1.1 2016/11/22 20:59:01 bouyer Exp $

From: Jan Beulich <jbeulich@@suse.com>
Subject: xen: fix ioreq handling

Avoid double fetches and bounds check size to avoid overflowing
internal variables.

This is XSA-197.

Reported-by: yanghongke <yanghongke@@huawei.com>
Signed-off-by: Jan Beulich <jbeulich@@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@@kernel.org>

--- qemu-xen/xen-hvm.c.orig
+++ qemu-xen/xen-hvm.c
@@@@ -817,6 +817,10 @@@@ static void cpu_ioreq_pio(ioreq_t *req)
 {
     uint32_t i;
 
+    if (req->size > sizeof(uint32_t)) {
+        hw_error("PIO: bad size (%u)", req->size);
+    }
+
     if (req->dir == IOREQ_READ) {
         if (!req->data_is_ptr) {
             req->data = do_inp(req->addr, req->size);
@@@@ -846,6 +850,10 @@@@ static void cpu_ioreq_move(ioreq_t *req)
 {
     uint32_t i;
 
+    if (req->size > sizeof(req->data)) {
+        hw_error("MMIO: bad size (%u)", req->size);
+    }
+
     if (!req->data_is_ptr) {
         if (req->dir == IOREQ_READ) {
             for (i = 0; i < req->count; i++) {
@@@@ -999,11 +1007,13 @@@@ static int handle_buffered_iopage(XenIOS
         req.df = 1;
         req.type = buf_req->type;
         req.data_is_ptr = 0;
+        xen_rmb();
         qw = (req.size == 8);
         if (qw) {
             buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
                                            IOREQ_BUFFER_SLOT_NUM];
             req.data |= ((uint64_t)buf_req->data) << 32;
+            xen_rmb();
         }
 
         handle_ioreq(state, &req);
@@@@ -1034,7 +1044,11 @@@@ static void cpu_handle_ioreq(void *opaqu
 
     handle_buffered_iopage(state);
     if (req) {
-        handle_ioreq(state, req);
+        ioreq_t copy = *req;
+
+        xen_rmb();
+        handle_ioreq(state, &copy);
+        req->data = copy.data;
 
         if (req->state != STATE_IOREQ_INPROCESS) {
             fprintf(stderr, "Badness in I/O request ... not in service?!: "
@


1.1
log
@Backport upstream patches, fixing today's XSA 191, 192, 193, 195, 197, 198.
Bump PKGREVISIONs
@
text
@d1 1
a1 1
$NetBSD: $
@