Removed patches that are already applied in xen-4.5.5
https://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-455.html
New fixes:
CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts
http://xenbits.xen.org/xsa/advisory-202.html
CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
http://xenbits.xen.org/xsa/advisory-204.html
---
...copy-of-every-xs-backend-in-libxl-in-_gen.patch | 98 ---------
...ord-backend-frontend-paths-in-libxl-DOMID.patch | 195 ----------------
...not-trust-backend-in-libxl__device_exists.patch | 32 ---
...xl-Provide-libxl__backendpath_parse_domid.patch | 62 ------
...t-trust-backend-for-vtpm-in-getinfo-excep.patch | 55 -----
...t-trust-frontend-in-libxl__devices_destro.patch | 77 -------
...ot-trust-backend-for-vtpm-in-getinfo-uuid.patch | 46 ----
...ot-trust-frontend-in-libxl__device_nextid.patch | 43 ----
...o-not-trust-frontend-for-disk-eject-event.patch | 104 ---------
...bxl-cdrom-eject-and-insert-write-to-libxl.patch | 73 ------
...-Do-not-trust-backend-for-disk-eject-vdev.patch | 67 ------
...Do-not-trust-frontend-for-disk-in-getinfo.patch | 79 -------
...t-trust-backend-for-disk-fix-driver-domai.patch | 245 ---------------------
...libxl-Do-not-trust-frontend-for-vtpm-list.patch | 67 ------
...-Do-not-trust-backend-for-disk-in-getinfo.patch | 35 ---
...Do-not-trust-frontend-for-vtpm-in-getinfo.patch | 61 -----
...bxl-Do-not-trust-backend-for-cdrom-insert.patch | 94 --------
...t-trust-frontend-for-nic-in-libxl_devid_t.patch | 47 ----
...-not-trust-backend-for-channel-in-getinfo.patch | 38 ----
...-Do-not-trust-frontend-for-nic-in-getinfo.patch | 73 ------
...Do-not-trust-frontend-for-channel-in-list.patch | 104 ---------
...e-libxl__device_-nic-channel-_from_xs_be-.patch | 87 --------
...not-trust-frontend-for-channel-in-getinfo.patch | 121 ----------
...ibxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch | 101 ---------
...READ_LIBXLDEV-use-libxl_path-rather-than-.patch | 62 ------
...libxl-Do-not-trust-backend-in-nic-getinfo.patch | 33 ---
...t-trust-backend-for-nic-in-devid_to_devic.patch | 48 ----
...ibxl-Do-not-trust-backend-for-nic-in-list.patch | 80 -------
...ibxl-Do-not-trust-backend-in-channel-list.patch | 58 -----
...-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch | 48 ----
...up-use-libxl__backendpath_parse_domid-in-.patch | 38 ----
.../xen/0020-libxl-Document-serial-correctly.patch | 38 ----
main/xen/APKBUILD | 209 ++----------------
main/xen/gnutls-3.4.0.patch | 36 ---
main/xen/xsa169.patch | 33 ---
main/xen/xsa172.patch | 39 ----
main/xen/xsa173-4.5.patch | 244 --------------------
main/xen/xsa176.patch | 45 ----
main/xen/xsa181.patch | 38 ----
main/xen/xsa182-4.5.patch | 102 ---------
main/xen/xsa183-4.6.patch | 75 -------
main/xen/xsa184-qemut-master.patch | 43 ----
main/xen/xsa184-qemuu-master.patch | 43 ----
main/xen/xsa185.patch | 38 ----
...-Correct-boundary-interactions-of-emulate.patch | 73 ------
...llow-testing-of-instructions-crossing-the.patch | 41 ----
...nt-Bounds-check-accesses-to-emulation-ctx.patch | 142 ------------
...-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch | 42 ----
main/xen/xsa202-4.6.patch | 73 ++++++
main/xen/xsa204-4.5.patch | 69 ++++++
50 files changed, 156 insertions(+), 3638 deletions(-)
delete mode 100644 main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
delete mode 100644 main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
delete mode 100644 main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
delete mode 100644 main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
delete mode 100644 main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
delete mode 100644 main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
delete mode 100644 main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
delete mode 100644 main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
delete mode 100644 main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
delete mode 100644 main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
delete mode 100644 main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
delete mode 100644 main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
delete mode 100644 main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
delete mode 100644 main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
delete mode 100644 main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
delete mode 100644 main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
delete mode 100644 main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
delete mode 100644 main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
delete mode 100644 main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
delete mode 100644 main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
delete mode 100644 main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
delete mode 100644 main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
delete mode 100644 main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
delete mode 100644 main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
delete mode 100644 main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
delete mode 100644 main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
delete mode 100644 main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
delete mode 100644 main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
delete mode 100644 main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
delete mode 100644 main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
delete mode 100644 main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
delete mode 100644 main/xen/0020-libxl-Document-serial-correctly.patch
delete mode 100644 main/xen/gnutls-3.4.0.patch
delete mode 100644 main/xen/xsa169.patch
delete mode 100644 main/xen/xsa172.patch
delete mode 100644 main/xen/xsa173-4.5.patch
delete mode 100644 main/xen/xsa176.patch
delete mode 100644 main/xen/xsa181.patch
delete mode 100644 main/xen/xsa182-4.5.patch
delete mode 100644 main/xen/xsa183-4.6.patch
delete mode 100644 main/xen/xsa184-qemut-master.patch
delete mode 100644 main/xen/xsa184-qemuu-master.patch
delete mode 100644 main/xen/xsa185.patch
delete mode 100644 main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
delete mode 100644 main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
delete mode 100644 main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
delete mode 100644 main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
create mode 100644 main/xen/xsa202-4.6.patch
create mode 100644 main/xen/xsa204-4.5.patch
diff --git a/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch b/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
deleted file mode 100644
index c7e26bc..0000000
--- a/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
@@ -1,98 +0,0 @@
-From 27874bcfe5a2778d3441d86ed5e2ff1adc4baa35 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:19:28 +0100
-Subject: [PATCH 01/20] libxl: Make copy of every xs backend in /libxl in
- _generic_add
-
-We want to stop libxl trustingly reading information from the backend
-directory (since this is, of course, writeable by the backend, which
-might be a semi-trusted driver domain).
-
-In principle it is wrong in current libxl for anything to try to
-divine virtual device configuration from xenstore: the JSON domain
-config ought to supply that, and xenstore should only tell us which
-devices actually exist.
-
-However:
-
-Firstly, there are several existing places where configuration
-information is retrieved from xenstore rather than JSON. We do not
-want to reen gineer this in a security patch.
-
-Secondly, we want to make a security patch which can be backported to
-versions of libxl without the JSON configuration machinery.
-
-So we take the expedient approach of keeping a copy of the
-configuration somewhere we trust, namely /libxl. This is obviously
-fairly low-risk, although it does write significantly more keys in
-xenstore.
-
-In this patch we make this change in libxl__device_generic_add. This
-is responsible for actually writing the vast majority of device
-information to xenstore. There are a few loose ends which will be
-dealt with in a moment.
-
-Likewise, changes to readers to use the new location will appear in
-further patches.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- docs/misc/xenstore-paths.markdown | 4 ++++
- tools/libxl/libxl_device.c | 23 +++++++++++++++++++++++
- 2 files changed, 27 insertions(+)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index 276273d..8c686ec 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-@@ -404,6 +404,10 @@ Path in xenstore to the frontend, normally
- Path in xenstore to the backend, normally
- /local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID
-
-+#### /libxl/$DOMID/device/$KIND/$DEVID/$NODE
-+
-+Trustworthy copy of /local/domain/$DOMID/backend/$KIND/$DEVID/$NODE.
-+
- #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = [n,INTERNAL]
-
- The device model version for a domain.
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 38ab393..ede7342 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -185,6 +185,29 @@ retry_transaction:
- xs_write(ctx->xsh, t, GCSPRINTF("%s/frontend", backend_path),
- frontend_path, strlen(frontend_path));
- libxl__xs_writev(gc, t, backend_path, bents);
-+
-+ /*
-+ * We make a copy of everything for the backend in the libxl
-+ * path as well. This means we don't need to trust the
-+ * backend. Ideally this information would not be used and we
-+ * would use the information from the json configuration
-+ * instead. But there are still places in libxl that try to
-+ * reconstruct a config from xenstore.
-+ *
-+ * This duplication will typically produces duplicate keys
-+ * which will go out of date, but that's OK because nothing
-+ * reads those. For example, there is usually
-+ * /libxl/$guest/device/$kind/$devid/state
-+ * which starts out containing XenbusStateInitialising ("1")
-+ * just like the copy in
-+ * /local/domain/$driverdom/backend/$guest/$kind/$devid/state
-+ * but which won't ever be updated.
-+ *
-+ * This duplication is superfluous and messy but as discussed
-+ * the proper fix is more intrusive than we want to do now.
-+ */
-+ rc = libxl__xs_writev(gc, t, libxl_path, bents);
-+ if (rc) goto out;
- }
-
- if (!create_transaction)
---
-1.9.1
-
diff --git a/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch b/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
deleted file mode 100644
index 56a8f6c..0000000
--- a/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
@@ -1,195 +0,0 @@
-From 3a4091efe0b4bcae46371491d74c15bba6f93275 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Mon, 16 May 2016 14:56:57 +0100
-Subject: [PATCH 01/12] libxl: Record backend/frontend paths in /libxl/$DOMID
-
-This gives us a record of all the backends we have set up for a
-domain, which is separate from the frontends in
- /local/domain/$DOMID/device.
-
-In particular:
-
-1. A guest has write permission for the frontend path:
- /local/domain/$DOMID/device/$KIND/$DEVID
-which means that the guest can completely delete the frontend.
-(They can't recreate it because they don't have write permission
-on the containing directory.)
-
-2. A guest has write permission for the backend path recorded in the
-frontend, ie, it can write to
- /local/domain/$DOMID/device/$KIND/$DEVID/backend
-which means that the guest can break the association between
-frontend and backend.
-
-So we can't rely on iterating over the frontends to find all the
-backends, or examining a frontend to discover how a device is
-configured.
-
-So, have libxl__device_generic_add record the frontend and backend
-paths in /libxl/$DOMID/device, and have libxl__device_destroy remove
-them again.
-
-Create the containing directory /libxl/GUEST/device in
-libxl__domain_make. The already existing xs_rm in devices_destroy_cb
-will take care of removing it.
-
-This is part of XSA-175.
-
-Backport note: Backported over 7472ced, which fixes a bug in driver
-domain teardown.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
-v2: Correct actual path computation (!)
-v3: Correct actual path computation - really this time (!)
----
- docs/misc/xenstore-paths.markdown | 15 +++++++++++++++
- tools/libxl/libxl_create.c | 2 ++
- tools/libxl/libxl_device.c | 34 +++++++++++++++++++++++++++++++++-
- tools/libxl/libxl_internal.h | 1 +
- 4 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index d94ea9d..276273d 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-@@ -389,6 +389,21 @@ The guest's virtual time offset from UTC in seconds.
-
- ### libxl Specific Paths
-
-+#### /libxl/$DOMID/device/$KIND/$DEVID
-+
-+Created by libxl for every frontend/backend pair created for $DOMID.
-+Used by libxl for enumeration and management of the device.
-+
-+#### /libxl/$DOMID/device/$KIND/$DEVID/frontend
-+
-+Path in xenstore to the frontend, normally
-+/local/domain/$DOMID/device/$KIND/$DEVID
-+
-+#### /libxl/$DOMID/device/$KIND/$DEVID/backend
-+
-+Path in xenstore to the backend, normally
-+/local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID
-+
- #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = [n,INTERNAL]
-
- The device model version for a domain.
-diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
-index 152fdbc..a4d4d4c 100644
---- a/tools/libxl/libxl_create.c
-+++ b/tools/libxl/libxl_create.c
-@@ -586,6 +586,8 @@ retry_transaction:
-
- xs_rm(ctx->xsh, t, libxl_path);
- libxl__xs_mkdir(gc, t, libxl_path, noperm, ARRAY_SIZE(noperm));
-+ libxl__xs_mkdir(gc, t, GCSPRINTF("%s/device", libxl_path),
-+ noperm, ARRAY_SIZE(noperm));
-
- xs_write(ctx->xsh, t, libxl__sprintf(gc, "%s/vm", dom_path), vm_path, strlen(vm_path));
- rc = libxl__domain_rename(gc, *domid, 0, info->name, t);
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 4b51ded..a8b97a3 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -40,6 +40,15 @@ char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device)
- device->domid, device->devid);
- }
-
-+char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device)
-+{
-+ char *libxl_dom_path = libxl__xs_libxl_path(gc, device->domid);
-+
-+ return GCSPRINTF("%s/device/%s/%d", libxl_dom_path,
-+ libxl__device_kind_to_string(device->kind),
-+ device->devid);
-+}
-+
- /* Returns 1 if device exists, 0 if not, ERROR_* (<0) on error. */
- int libxl__device_exists(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device)
-@@ -105,14 +114,16 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device, char **bents, char **fents, char **ro_fents)
- {
- libxl_ctx *ctx = libxl__gc_owner(gc);
-- char *frontend_path, *backend_path;
-+ char *frontend_path, *backend_path, *libxl_path;
- struct xs_permissions frontend_perms[2];
- struct xs_permissions ro_frontend_perms[2];
- struct xs_permissions backend_perms[2];
- int create_transaction = t == XBT_NULL;
-+ int rc;
-
- frontend_path = libxl__device_frontend_path(gc, device);
- backend_path = libxl__device_backend_path(gc, device);
-+ libxl_path = libxl__device_libxl_path(gc, device);
-
- frontend_perms[0].id = device->domid;
- frontend_perms[0].perms = XS_PERM_NONE;
-@@ -127,8 +138,22 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- retry_transaction:
- if (create_transaction)
- t = xs_transaction_start(ctx->xsh);
-+
- /* FIXME: read frontend_path and check state before removing stuff */
-
-+ rc = libxl__xs_rm_checked(gc, t, libxl_path);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/frontend",libxl_path),
-+ frontend_path);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/backend",libxl_path),
-+ backend_path);
-+ if (rc) goto out;
-+
-+ /* xxx much of this function lacks error checks! */
-+
- if (fents || ro_fents) {
- xs_rm(ctx->xsh, t, frontend_path);
- xs_mkdir(ctx->xsh, t, frontend_path);
-@@ -174,6 +199,11 @@ retry_transaction:
- }
- }
- return 0;
-+
-+ out:
-+ if (create_transaction && t)
-+ libxl__xs_transaction_abort(gc, &t);
-+ return rc;
- }
-
- typedef struct {
-@@ -570,6 +600,7 @@ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
- {
- const char *be_path = libxl__device_backend_path(gc, dev);
- const char *fe_path = libxl__device_frontend_path(gc, dev);
-+ const char *libxl_path = libxl__device_libxl_path(gc, dev);
- const char *tapdisk_path = GCSPRINTF("%s/%s", be_path, "tapdisk-params");
- const char *tapdisk_params;
- xs_transaction_t t = 0;
-@@ -594,6 +625,7 @@ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
- */
- libxl__xs_path_cleanup(gc, t, fe_path);
- libxl__xs_path_cleanup(gc, t, be_path);
-+ libxl__xs_path_cleanup(gc, t, libxl_path);
- } else if (dev->backend_domid == domid) {
- /*
- * The driver domain is in charge for removing what it can
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index ff88f3d..55b19d9 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-@@ -1061,6 +1061,7 @@ _hidden int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device, char **bents, char **fents, char **ro_fents);
- _hidden char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device);
- _hidden char *libxl__device_frontend_path(libxl__gc *gc, libxl__device *device);
-+_hidden char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device);
- _hidden int libxl__parse_backend_path(libxl__gc *gc, const char *path,
- libxl__device *dev);
- _hidden int libxl__device_destroy(libxl__gc *gc, libxl__device *dev);
---
-2.1.4
-
diff --git a/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch b/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
deleted file mode 100644
index 0a53f7e..0000000
--- a/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
@@ -1,32 +0,0 @@
-From 840a49ab13e3f07898831635ee5046d0f6098be9 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:04:35 +0100
-Subject: [PATCH 02/20] libxl: Do not trust backend in libxl__device_exists
-
-To determine whether a device is supposed to exist, look in /libxl,
-rather than the backend.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl_device.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index ede7342..9d65a7e 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -54,7 +54,7 @@ int libxl__device_exists(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device)
- {
- int rc;
-- char *be_path = libxl__device_backend_path(gc, device);
-+ char *be_path = libxl__device_libxl_path(gc, device);
- const char *dir;
-
- rc = libxl__xs_read_checked(gc, t, be_path, &dir);
---
-1.9.1
-
diff --git a/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch b/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
deleted file mode 100644
index b0b7896..0000000
--- a/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
@@ -1,62 +0,0 @@
-From c689a6c9471761b59e6d08dee1667834e0b7fc34 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 27 Apr 2016 16:34:19 +0100
-Subject: [PATCH 02/12] libxl: Provide libxl__backendpath_parse_domid
-
-Multiple places in libxl need to figure out the backend domid of a
-device. This can be discovered easily by looking at the backend path,
-which always starts /local/domain/$backend_domid/.
-
-There are no call sites yet.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl_device.c | 15 +++++++++++++++
- tools/libxl/libxl_internal.h | 2 ++
- 2 files changed, 17 insertions(+)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index a8b97a3..9136b26 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -288,6 +288,21 @@ static int disk_try_backend(disk_try_backend_args *a,
- return 0;
- }
-
-+int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path,
-+ libxl_domid *domid_out) {
-+ int r;
-+ unsigned int domid_sc;
-+ char delim_sc;
-+
-+ r = sscanf(be_path, "/local/domain/%u%c", &domid_sc, &delim_sc);
-+ if (!(r==2 && delim_sc=='/')) {
-+ LOG(ERROR, "internal error: backend path %s unparseable!", be_path);
-+ return ERROR_FAIL;
-+ }
-+ *domid_out = domid_sc;
-+ return 0;
-+}
-+
- int libxl__device_disk_set_backend(libxl__gc *gc, libxl_device_disk *disk) {
- libxl_disk_backend ok;
- disk_try_backend_args a;
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index 55b19d9..bfe06bd 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-@@ -594,6 +594,8 @@ _hidden bool libxl__xs_mkdir(libxl__gc *gc, xs_transaction_t t,
-
- _hidden char *libxl__xs_libxl_path(libxl__gc *gc, uint32_t domid);
-
-+_hidden int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path,
-+ libxl_domid *domid_out);
-
- /*----- "checked" xenstore access functions -----*/
- /* Each of these functions will check that it succeeded; if it
---
-2.1.4
-
diff --git a/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch b/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
deleted file mode 100644
index 501af92..0000000
--- a/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
@@ -1,55 +0,0 @@
-From eaf75a339a514007b60406eb3382ea23a9440663 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 17:18:44 +0100
-Subject: [PATCH 03/20] libxl: Do not trust backend for vtpm in getinfo (except
- uuid)
-
-* Do not check the backend for existence. We have already read the
- /libxl path so know that the vtpm exists (or is supposed to); if the
- backend doesn't exist then that must be the backend's doing.
-* Get the frontend path from the /libxl directory.
-* The frontend domid is the guest domid, and does not need to be read
- from xenstore (!)
-
-We still attempt to read the uuid from the backend. This will be
-fixed in the next patch.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 2dd2467..1c241ce 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2238,9 +2238,6 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- if (!vtpminfo->backend) {
- goto err;
- }
-- if(!libxl__xs_read(gc, XBT_NULL, vtpminfo->backend)) {
-- goto err;
-- }
-
- rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
- &vtpminfo->backend_id);
-@@ -2259,11 +2256,8 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- vtpminfo->rref = val ? strtoul(val, NULL, 10) : -1;
-
- vtpminfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- GCSPRINTF("%s/frontend", vtpminfo->backend), NULL);
--
-- val = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/frontend-id", vtpminfo->backend));
-- vtpminfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ GCSPRINTF("%s/frontend", libxl_path), NULL);
-+ vtpminfo->frontend_id = domid;
-
- val = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/uuid", vtpminfo->backend));
---
-1.9.1
-
diff --git a/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch b/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
deleted file mode 100644
index a21a853..0000000
--- a/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -1,77 +0,0 @@
-From 924ac76cba810c3c8d594f78f96fbf7c792c3f54 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 18:39:36 +0100
-Subject: [PATCH 03/12] libxl: Do not trust frontend in libxl__devices_destroy
-
-We need to enumerate the devices we have provided to a domain, without
-trusting the guest-writeable (or, at least, guest-deletable) frontend
-paths.
-
-Instead, enumerate via, and read the backend path from, /libxl.
-
-The console /libxl path is regular, so the special case for console 0
-is not relevant any more: /libxl/GUEST/device/console/0 will be found,
-and then libxl__device_destroy will DTRT to the right frontend path.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl_device.c | 22 +++-------------------
- 1 file changed, 3 insertions(+), 19 deletions(-)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 9136b26..38ab393 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -683,7 +683,7 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
- libxl__multidev_begin(ao, multidev);
- multidev->callback = devices_remove_callback;
-
-- path = GCSPRINTF("/local/domain/%d/device", domid);
-+ path = GCSPRINTF("/libxl/%d/device", domid);
- kinds = libxl__xs_directory(gc, XBT_NULL, path, &num_kinds);
- if (!kinds) {
- if (errno != ENOENT) {
-@@ -696,12 +696,12 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
- if (libxl__device_kind_from_string(kinds[i], &kind))
- continue;
-
-- path = GCSPRINTF("/local/domain/%d/device/%s", domid, kinds[i]);
-+ path = GCSPRINTF("/libxl/%d/device/%s", domid, kinds[i]);
- devs = libxl__xs_directory(gc, XBT_NULL, path, &num_dev_xsentries);
- if (!devs)
- continue;
- for (j = 0; j < num_dev_xsentries; j++) {
-- path = GCSPRINTF("/local/domain/%d/device/%s/%s/backend",
-+ path = GCSPRINTF("/libxl/%d/device/%s/%s/backend",
- domid, kinds[i], devs[j]);
- path = libxl__xs_read(gc, XBT_NULL, path);
- GCNEW(dev);
-@@ -726,22 +726,6 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
- }
- }
-
-- /* console 0 frontend directory is not under /local/domain/<domid>/device */
-- path = GCSPRINTF("/local/domain/%d/console/backend", domid);
-- path = libxl__xs_read(gc, XBT_NULL, path);
-- GCNEW(dev);
-- if (path && strcmp(path, "") &&
-- libxl__parse_backend_path(gc, path, dev) == 0) {
-- dev->domid = domid;
-- dev->kind = LIBXL__DEVICE_KIND_CONSOLE;
-- dev->devid = 0;
--
-- /* Currently console devices can be destroyed synchronously by just
-- * removing xenstore entries, this is what libxl__device_destroy does.
-- */
-- libxl__device_destroy(gc, dev);
-- }
--
- out:
- libxl__multidev_prepared(egc, multidev, rc);
- }
---
-2.1.4
-
diff --git a/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch b/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
deleted file mode 100644
index cb5dfc5..0000000
--- a/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
@@ -1,46 +0,0 @@
-From 2cd66e8bf49f5ff1aa03506aab74dd0ebe2776fa Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:57:14 +0100
-Subject: [PATCH 04/20] libxl: Do not trust backend for vtpm in getinfo (uuid)
-
-Use uuid from /libxl, rather than from backend. I think the backend
-is not supposed to change the uuid, since it seems to be set by libxl
-during setup.
-
-If in fact the backend is supposed to be able to change the uuid, this
-patch needs to be dropped and replaced by a patch which makes the vtpm
-uuid lookup tolerate bad or missing data.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 1c241ce..23ff871 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2200,7 +2200,7 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
- &vtpm->backend_domid);
- if (rc) return NULL;
-
-- tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path));
-+ tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", libxl_path));
- if (tmp) {
- if(libxl_uuid_from_string(&(vtpm->uuid), tmp)) {
- LOG(ERROR, "%s/uuid is a malformed uuid?? (%s) Probably a bug!!\n", be_path, tmp);
-@@ -2260,7 +2260,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- vtpminfo->frontend_id = domid;
-
- val = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/uuid", vtpminfo->backend));
-+ GCSPRINTF("%s/uuid", libxl_path));
- if(val == NULL) {
- LOG(ERROR, "%s/uuid does not exist!\n", vtpminfo->backend);
- goto err;
---
-1.9.1
-
diff --git a/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch b/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
deleted file mode 100644
index cdbbc26..0000000
--- a/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
@@ -1,43 +0,0 @@
-From 1070d8daa6a73a66ceabd9cd6c89ce712b69bafe Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:30:32 +0100
-Subject: [PATCH 04/12] libxl: Do not trust frontend in libxl__device_nextid
-
-When selecting the devid for a new device, we should look in
-/libxl/device for existing devices, not in the frontend area.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 312a371..170dd45 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -1985,15 +1985,16 @@ out:
- /* common function to get next device id */
- static int libxl__device_nextid(libxl__gc *gc, uint32_t domid, char *device)
- {
-- char *dompath, **l;
-+ char *libxl_dom_path, **l;
- unsigned int nb;
- int nextid = -1;
-
-- if (!(dompath = libxl__xs_get_dompath(gc, domid)))
-+ if (!(libxl_dom_path = libxl__xs_libxl_path(gc, domid)))
- return nextid;
-
- l = libxl__xs_directory(gc, XBT_NULL,
-- GCSPRINTF("%s/device/%s", dompath, device), &nb);
-+ GCSPRINTF("%s/device/%s", libxl_dom_path, device),
-+ &nb);
- if (l == NULL || nb == 0)
- nextid = 0;
- else
---
-2.1.4
-
diff --git a/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch b/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
deleted file mode 100644
index 2d9f922..0000000
--- a/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
@@ -1,104 +0,0 @@
-From 1d70543c4e53c2fc283e520d098069ac41583469 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 27 Apr 2016 16:08:49 +0100
-Subject: [PATCH 05/12] libxl: Do not trust frontend for disk eject event
-
-Use the /libxl path for interpreting disk eject watch events: do not
-read the backend path out of the frontend. Instead, use the version
-in /libxl. That avoids us relying on the guest-modifiable
-$frontend/backend pointer.
-
-To implement this we store the path
- /libxl/$guest/device/vbd/$devid/backend
-in the evgen structure.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 28 ++++++++++++++++++++++------
- tools/libxl/libxl_internal.h | 2 +-
- 2 files changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 170dd45..9c0fed4 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -1323,9 +1323,10 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
- const char *wpath, const char *epath) {
- EGC_GC;
- libxl_evgen_disk_eject *evg = (void*)w;
-- char *backend;
-+ const char *backend;
- char *value;
- char backend_type[BACKEND_STRING_SIZE+1];
-+ int rc;
-
- value = libxl__xs_read(gc, XBT_NULL, wpath);
-
-@@ -1341,9 +1342,16 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
- libxl_event *ev = NEW_EVENT(egc, DISK_EJECT, evg->domid, evg->user);
- libxl_device_disk *disk = &ev->u.disk_eject.disk;
-
-- backend = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%.*s/backend",
-- (int)strlen(wpath)-6, wpath));
-+ rc = libxl__xs_read_checked(gc, XBT_NULL, evg->be_ptr_path, &backend);
-+ if (rc) {
-+ LIBXL__EVENT_DISASTER(egc, "xs_read failed reading be_ptr_path",
-+ errno, LIBXL_EVENT_TYPE_DISK_EJECT);
-+ return;
-+ }
-+ if (!backend) {
-+ /* device has been removed, not simply ejected */
-+ return;
-+ }
-
- sscanf(backend,
- "/local/domain/%d/backend/%" TOSTRING(BACKEND_STRING_SIZE)
-@@ -1392,11 +1400,18 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
- if (!domid)
- domid = guest_domid;
-
-- path = libxl__sprintf(gc, "%s/device/vbd/%d/eject",
-+ int devid = libxl__device_disk_dev_number(vdev, NULL, NULL);
-+
-+ path = GCSPRINTF("%s/device/vbd/%d/eject",
- libxl__xs_get_dompath(gc, domid),
-- libxl__device_disk_dev_number(vdev, NULL, NULL));
-+ devid);
- if (!path) { rc = ERROR_NOMEM; goto out; }
-
-+ const char *libxl_path = GCSPRINTF("%s/device/vbd/%d",
-+ libxl__xs_libxl_path(gc, domid),
-+ devid);
-+ evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path);
-+
- rc = libxl__ev_xswatch_register(gc, &evg->watch,
- disk_eject_xswatch_callback, path);
- if (rc) goto out;
-@@ -1423,6 +1438,7 @@ void libxl__evdisable_disk_eject(libxl__gc *gc, libxl_evgen_disk_eject *evg) {
- libxl__ev_xswatch_deregister(gc, &evg->watch);
-
- free(evg->vdev);
-+ free(evg->be_ptr_path);
- free(evg);
-
- CTX_UNLOCK;
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index bfe06bd..302585c 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-@@ -271,7 +271,7 @@ struct libxl__evgen_disk_eject {
- uint32_t domid;
- LIBXL_LIST_ENTRY(libxl_evgen_disk_eject) entry;
- libxl_ev_user user;
-- char *vdev;
-+ char *vdev, *be_ptr_path;
- };
- _hidden void
- libxl__evdisable_disk_eject(libxl__gc*, libxl_evgen_disk_eject*);
---
-2.1.4
-
diff --git a/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch b/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
deleted file mode 100644
index 625dd97..0000000
--- a/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
@@ -1,73 +0,0 @@
-From 2388be01dffb8a3aae85ea58052f6020057ae3bc Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:15:13 +0100
-Subject: [PATCH 05/20] libxl: cdrom eject and insert: write to /libxl
-
-Copy the new type and params values to /libxl, so that the information
-in /libxl is kept up to date.
-
-This is needed so that we can return this trustworthy information,
-rather than trusting the backend-writeable parts of xenstore.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 23ff871..7dcd672 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2843,7 +2843,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- libxl_domain_config d_config;
- int rc, dm_ver;
- libxl__device device;
-- const char * path;
-+ const char *path, *libxl_path;
- char * tmp;
- libxl__domain_userdata_lock *lock = NULL;
- xs_transaction_t t = XBT_NULL;
-@@ -2911,6 +2911,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- if (rc) goto out;
-
- path = libxl__device_backend_path(gc, &device);
-+ libxl_path = libxl__device_libxl_path(gc, &device);
-
- insert = flexarray_make(gc, 4, 1);
-
-@@ -2959,8 +2960,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- goto out;
- }
-
-- rc = libxl__xs_writev(gc, t, path,
-- libxl__xs_kvs_of_flexarray(gc, empty, empty->count));
-+ char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count);
-+
-+ rc = libxl__xs_writev(gc, t, path, kvs);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_writev(gc, t, libxl_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_transaction_commit(gc, &t);
-@@ -2994,8 +2999,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- rc = libxl__set_domain_configuration(gc, domid, &d_config);
- if (rc) goto out;
-
-- rc = libxl__xs_writev(gc, t, path,
-- libxl__xs_kvs_of_flexarray(gc, insert, insert->count));
-+ char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count);
-+
-+ rc = libxl__xs_writev(gc, t, path, kvs);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_writev(gc, t, libxl_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_transaction_commit(gc, &t);
---
-1.9.1
-
diff --git a/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch b/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
deleted file mode 100644
index b3e42da..0000000
--- a/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
@@ -1,67 +0,0 @@
-From c7e9c4b1231effdc1283d9a4a2645e395adb01d5 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:23:35 +0100
-Subject: [PATCH 06/20] libxl: Do not trust backend for disk eject vdev
-
-For disk eject, use configured vdev from /libxl, not backend.
-
-The backend directory is writeable by driver domains. This means that
-a malicious driver domain could cause libxl to see a wrong vdev,
-confusing the user or the toolstack.
-
-Use the vdev from the /libxl space, rather than the backend.
-
-For convenience, we read the vdev from the /libxl space into the evg
-during setup and copy it on each event, rather than reading it afresh
-each time (which would in any case involve generating or saving a copy
-of the relevant /libxl path).
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 7dcd672..138167d 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -1368,8 +1368,7 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
- disk->pdev_path = strdup(""); /* xxx fixme malloc failure */
- disk->format = LIBXL_DISK_FORMAT_EMPTY;
- /* this value is returned to the user: do not free right away */
-- disk->vdev = xs_read(CTX->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/dev", backend), NULL);
-+ disk->vdev = libxl__strdup(NOGC, evg->vdev);
- disk->removable = 1;
- disk->readwrite = 0;
- disk->is_cdrom = 1;
-@@ -1392,9 +1391,6 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
- evg->domid = guest_domid;
- LIBXL_LIST_INSERT_HEAD(&CTX->disk_eject_evgens, evg, entry);
-
-- evg->vdev = strdup(vdev);
-- if (!evg->vdev) { rc = ERROR_NOMEM; goto out; }
--
- uint32_t domid = libxl_get_stubdom_id(ctx, guest_domid);
-
- if (!domid)
-@@ -1412,6 +1408,13 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
- devid);
- evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path);
-
-+ const char *configured_vdev;
-+ rc = libxl__xs_read_checked(gc, XBT_NULL,
-+ GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
-+ if (rc) goto out;
-+
-+ evg->vdev = libxl__strdup(NOGC, configured_vdev);
-+
- rc = libxl__ev_xswatch_register(gc, &evg->watch,
- disk_eject_xswatch_callback, path);
- if (rc) goto out;
---
-1.9.1
-
diff --git a/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch b/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
deleted file mode 100644
index 2f8b633..0000000
--- a/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
@@ -1,79 +0,0 @@
-From 11770db72bc644c322ad9044dbf86f9c6cb3a780 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:21:51 +0100
-Subject: [PATCH 06/12] libxl: Do not trust frontend for disk in getinfo
-
-* Rename the frontend variable to `fe_path' to check we caught them all
-* Read the backend path from /libxl, rather than from the frontend
-* Parse the backend domid from the backend path, rather than reading it
- from the frontend (and add the appropriate error path and initialisation)
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 27 +++++++++++++++++++--------
- 1 file changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9c0fed4..69b7da7 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2796,27 +2796,34 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
- libxl_device_disk *disk, libxl_diskinfo *diskinfo)
- {
- GC_INIT(ctx);
-- char *dompath, *diskpath;
-+ char *dompath, *fe_path, *libxl_path;
- char *val;
-+ int rc;
-+
-+ diskinfo->backend = NULL;
-
- dompath = libxl__xs_get_dompath(gc, domid);
- diskinfo->devid = libxl__device_disk_dev_number(disk->vdev, NULL, NULL);
-
- /* tap devices entries in xenstore are written as vbd devices. */
-- diskpath = libxl__sprintf(gc, "%s/device/vbd/%d", dompath, diskinfo->devid);
-+ fe_path = GCSPRINTF("%s/device/vbd/%d", dompath, diskinfo->devid);
-+ libxl_path = GCSPRINTF("%s/device/vbd/%d",
-+ libxl__xs_libxl_path(gc, domid), diskinfo->devid);
- diskinfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/backend", diskpath), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!diskinfo->backend) {
- GC_FREE;
- return ERROR_FAIL;
- }
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", diskpath));
-- diskinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", diskpath));
-+ rc = libxl__backendpath_parse_domid(gc, diskinfo->backend,
-+ &diskinfo->backend_id);
-+ if (rc) goto out;
-+
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
- diskinfo->state = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", diskpath));
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/event-channel", fe_path));
- diskinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/ring-ref", diskpath));
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
- diskinfo->rref = val ? strtoul(val, NULL, 10) : -1;
- diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
- libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL);
-@@ -2825,6 +2832,10 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
-
- GC_FREE;
- return 0;
-+
-+ out:
-+ free(diskinfo->backend);
-+ return rc;
- }
-
- int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
---
-2.1.4
-
diff --git a/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch b/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
deleted file mode 100644
index 8fcf0f4..0000000
--- a/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
@@ -1,245 +0,0 @@
-From a81a94db7bdf0f6fbf24a79182d1d246cfc1dd96 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 18:29:45 +0100
-Subject: [PATCH 07/20] libxl: Do not trust backend for disk; fix driver domain
- disks list
-
-Rework libxl__device_disk_from_xs_be (which takes a backend path) into
-to libxl__device_disk_from_xenstore (which takes a libxl path).
-
-libxl__device_disk_from_xenstore now finds the backend path itself,
-although it doesn't use it any more for most of its functions. We
-rename the variable from be_path to backend_path to make sure we
-didn't miss any cases.
-
-All the data collection is now done by reading from the copy in
-/libxl.
-
-libxl_device_disk_list and its helper libxl__append_disk_list (which
-used to be libxl__append_disk_list_of_type) need extensive rework,
-because they now need to specify the /libxl path rather than the
-backend path.
-
-To do that they enumerate disks by looking in the appropriate area in
-/libxl. Previously they scanned various of the backend directories in
-dom0 (which was broken for driver domains). It is no longer necessary
-to enumerate the various disk backends, because they all use the same
-paths in /devices. libxl__device_disk_from_xenstore will parse the
-type out of the backend path, for itself. (Indeed, it did so before -
-the now-gone type parameter to libxl__append_disk_list_of_type wasn't
-used other than to construct the directory to list.)
-
-Finally, remove a redundant store to pdisk->backend_domid in
-libxl__append_disk_list[_of_type]. Even before this commit, that
-store was not needed because libxl_device_disk_init (called by
-libxl__device_disk_from_xenstore) would zero it. Now it overwrites
-the correct backend domid with zero; so remove it.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
-v2: Also fix up COLO reads, following rebase
----
- tools/libxl/libxl.c | 84 +++++++++++++++++++++++++++--------------------------
- 1 file changed, 43 insertions(+), 41 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 138167d..6c59a6f 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2617,8 +2617,8 @@ void libxl__device_disk_add(libxl__egc *egc, uint32_t domid,
- device_disk_add(egc, domid, disk, aodev, NULL, NULL);
- }
-
--static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-- const char *be_path,
-+static int libxl__device_disk_from_xenstore(libxl__gc *gc,
-+ const char *libxl_path,
- libxl_device_disk *disk)
- {
- libxl_ctx *ctx = libxl__gc_owner(gc);
-@@ -2628,15 +2628,27 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-
- libxl_device_disk_init(disk);
-
-- rc = sscanf(be_path, "/local/domain/%d/", &disk->backend_domid);
-+ const char *backend_path;
-+ rc = libxl__xs_read_checked(gc, XBT_NULL,
-+ GCSPRINTF("%s/backend", libxl_path),
-+ &backend_path);
-+ if (rc) goto out;
-+
-+ if (!backend_path) {
-+ LOG(ERROR, "disk %s does not exist (no backend path", libxl_path);
-+ rc = ERROR_FAIL;
-+ goto out;
-+ }
-+
-+ rc = sscanf(backend_path, "/local/domain/%d/", &disk->backend_domid);
- if (rc != 1) {
-- LOG(ERROR, "Unable to fetch device backend domid from %s", be_path);
-+ LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path);
- goto cleanup;
- }
-
- /* "params" may not be present; but everything else must be. */
- tmp = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/params", be_path), &len);
-+ libxl__sprintf(gc, "%s/params", libxl_path), &len);
- if (tmp && strchr(tmp, ':')) {
- disk->pdev_path = strdup(strchr(tmp, ':') + 1);
- free(tmp);
-@@ -2646,31 +2658,31 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-
-
- tmp = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/type", be_path));
-+ libxl__sprintf(gc, "%s/type", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/type", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/type", libxl_path);
- goto cleanup;
- }
- libxl_string_to_backend(ctx, tmp, &(disk->backend));
-
- disk->vdev = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/dev", be_path), &len);
-+ libxl__sprintf(gc, "%s/dev", libxl_path), &len);
- if (!disk->vdev) {
-- LOG(ERROR, "Missing xenstore node %s/dev", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/dev", libxl_path);
- goto cleanup;
- }
-
- tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf
-- (gc, "%s/removable", be_path));
-+ (gc, "%s/removable", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/removable", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/removable", libxl_path);
- goto cleanup;
- }
- disk->removable = atoi(tmp);
-
-- tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", be_path));
-+ tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/mode", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/mode", libxl_path);
- goto cleanup;
- }
- if (!strcmp(tmp, "w"))
-@@ -2679,9 +2691,9 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
- disk->readwrite = 0;
-
- tmp = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/device-type", be_path));
-+ libxl__sprintf(gc, "%s/device-type", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/device-type", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/device-type", libxl_path);
- goto cleanup;
- }
- disk->is_cdrom = !strcmp(tmp, "cdrom");
-@@ -2690,15 +2702,17 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-
- return 0;
- cleanup:
-+ rc = ERROR_FAIL;
-+ out:
- libxl_device_disk_dispose(disk);
-- return ERROR_FAIL;
-+ return rc;
- }
-
- int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid,
- const char *vdev, libxl_device_disk *disk)
- {
- GC_INIT(ctx);
-- char *dompath, *path;
-+ char *dom_xl_path, *libxl_path;
- int devid = libxl__device_disk_dev_number(vdev, NULL, NULL);
- int rc = ERROR_FAIL;
-
-@@ -2707,39 +2721,34 @@ int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid,
-
- libxl_device_disk_init(disk);
-
-- dompath = libxl__xs_get_dompath(gc, domid);
-- if (!dompath) {
-+ dom_xl_path = libxl__xs_libxl_path(gc, domid);
-+ if (!dom_xl_path) {
- goto out;
- }
-- path = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/device/vbd/%d/backend",
-- dompath, devid));
-- if (!path)
-- goto out;
-+ libxl_path = GCSPRINTF("%s/device/vbd/%d", dom_xl_path, devid);
-
-- rc = libxl__device_disk_from_xs_be(gc, path, disk);
-+ rc = libxl__device_disk_from_xenstore(gc, libxl_path, disk);
- out:
- GC_FREE;
- return rc;
- }
-
-
--static int libxl__append_disk_list_of_type(libxl__gc *gc,
-+static int libxl__append_disk_list(libxl__gc *gc,
- uint32_t domid,
-- const char *type,
- libxl_device_disk **disks,
- int *ndisks)
- {
-- char *be_path = NULL;
-+ char *libxl_dir_path = NULL;
- char **dir = NULL;
- unsigned int n = 0;
- libxl_device_disk *pdisk = NULL, *pdisk_end = NULL;
- int rc=0;
- int initial_disks = *ndisks;
-
-- be_path = libxl__sprintf(gc, "%s/backend/%s/%d",
-- libxl__xs_get_dompath(gc, 0), type, domid);
-- dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n);
-+ libxl_dir_path = GCSPRINTF("%s/device/vbd",
-+ libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
- if (dir && n) {
- libxl_device_disk *tmp;
- tmp = realloc(*disks, sizeof (libxl_device_disk) * (*ndisks + n));
-@@ -2750,10 +2759,9 @@ static int libxl__append_disk_list_of_type(libxl__gc *gc,
- pdisk_end = *disks + initial_disks + n;
- for (; pdisk < pdisk_end; pdisk++, dir++) {
- const char *p;
-- p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
-- if ((rc=libxl__device_disk_from_xs_be(gc, p, pdisk)))
-+ p = libxl__sprintf(gc, "%s/%s", libxl_dir_path, *dir);
-+ if ((rc=libxl__device_disk_from_xenstore(gc, p, pdisk)))
- goto out;
-- pdisk->backend_domid = 0;
- *ndisks += 1;
- }
- }
-@@ -2769,13 +2777,7 @@ libxl_device_disk *libxl_device_disk_list(libxl_ctx *ctx, uint32_t domid, int *n
-
- *num = 0;
-
-- rc = libxl__append_disk_list_of_type(gc, domid, "vbd", &disks, num);
-- if (rc) goto out_err;
--
-- rc = libxl__append_disk_list_of_type(gc, domid, "tap", &disks, num);
-- if (rc) goto out_err;
--
-- rc = libxl__append_disk_list_of_type(gc, domid, "qdisk", &disks, num);
-+ rc = libxl__append_disk_list(gc, domid, &disks, num);
- if (rc) goto out_err;
-
- GC_FREE;
---
-1.9.1
-
diff --git a/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch b/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
deleted file mode 100644
index 6f0d487..0000000
--- a/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
@@ -1,67 +0,0 @@
-From 54a34ac83f0826cd0213a6ebdb0c414cb5051ed2 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:58:32 +0100
-Subject: [PATCH 07/12] libxl: Do not trust frontend for vtpm list
-
-libxl_device_vtpm_list needs to enumerate and identify devices without
-trusting frontend-controlled data. So
-
-* Use the /libxl path to enumerate vtpms.
-* Use the /libxl path to find the corresponding backends.
-* Parse the backend path to find the backend domid.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 69b7da7..b91eee8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2173,14 +2173,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
- GC_INIT(ctx);
-
- libxl_device_vtpm* vtpms = NULL;
-- char* fe_path = NULL;
-+ char *libxl_path;
- char** dir = NULL;
- unsigned int ndirs = 0;
-+ int rc;
-
- *num = 0;
-
-- fe_path = libxl__sprintf(gc, "%s/device/vtpm", libxl__xs_get_dompath(gc, domid));
-- dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &ndirs);
-+ libxl_path = GCSPRINTF("%s/device/vtpm", libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_path, &ndirs);
- if (dir && ndirs) {
- vtpms = malloc(sizeof(*vtpms) * ndirs);
- libxl_device_vtpm* vtpm;
-@@ -2189,16 +2190,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
- char* tmp;
- const char* be_path = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/%s/backend",
-- fe_path, *dir));
-+ libxl_path, *dir));
-
- libxl_device_vtpm_init(vtpm);
-
- vtpm->devid = atoi(*dir);
-
-- tmp = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/%s/backend-id",
-- fe_path, *dir));
-- vtpm->backend_domid = atoi(tmp);
-+ rc = libxl__backendpath_parse_domid(gc, be_path,
-+ &vtpm->backend_domid);
-+ if (rc) return NULL;
-
- tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path));
- if (tmp) {
---
-2.1.4
-
diff --git a/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch b/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
deleted file mode 100644
index d93e4f7..0000000
--- a/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
@@ -1,35 +0,0 @@
-From 2614f9ac7c96b3b0045cf38a1ec6edb89552a724 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:10:45 +0100
-Subject: [PATCH 08/20] libxl: Do not trust backend for disk in getinfo
-
-Do not read the frontend path out of the backend. We have it in our
-hand. Likewise the guest (frontend) domid was one of our parameters (!)
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6c59a6f..6f70cb8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2827,9 +2827,8 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
- diskinfo->rref = val ? strtoul(val, NULL, 10) : -1;
- diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL);
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", diskinfo->backend));
-- diskinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ GCSPRINTF("%s/frontend", libxl_path), NULL);
-+ diskinfo->frontend_id = domid;
-
- GC_FREE;
- return 0;
---
-1.9.1
-
diff --git a/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch b/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
deleted file mode 100644
index 2c95766..0000000
--- a/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
@@ -1,61 +0,0 @@
-From b83d66dfb3905dfd627f5e4833d74be274771e43 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 16:00:20 +0100
-Subject: [PATCH 08/12] libxl: Do not trust frontend for vtpm in getinfo
-
-libxl_device_vtpm_getinfo needs to examine devices without trusting
-frontend-controlled data. So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
- reading it from the frontend.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index b91eee8..65b9953 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2222,7 +2222,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- libxl_vtpminfo *vtpminfo)
- {
- GC_INIT(ctx);
-- char *dompath, *vtpmpath;
-+ char *libxl_path, *dompath, *vtpmpath;
- char *val;
- int rc = 0;
-
-@@ -2231,8 +2231,10 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- vtpminfo->devid = vtpm->devid;
-
- vtpmpath = GCSPRINTF("%s/device/vtpm/%d", dompath, vtpminfo->devid);
-+ libxl_path = GCSPRINTF("%s/device/vtpm/%d",
-+ libxl__xs_libxl_path(gc, domid), vtpminfo->devid);
- vtpminfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- GCSPRINTF("%s/backend", vtpmpath), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!vtpminfo->backend) {
- goto err;
- }
-@@ -2240,9 +2242,9 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- goto err;
- }
-
-- val = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/backend-id", vtpmpath));
-- vtpminfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-+ rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
-+ &vtpminfo->backend_id);
-+ if (rc) goto exit;
-
- val = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/state", vtpmpath));
---
-2.1.4
-
diff --git a/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch b/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
deleted file mode 100644
index 8f1573a..0000000
--- a/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
@@ -1,94 +0,0 @@
-From 3a3c8b2702263eaec271564e6fde1400efb3716a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:13:17 +0100
-Subject: [PATCH 09/20] libxl: Do not trust backend for cdrom insert
-
-Use the /libxl path where appropriate. Rename `path' variable to
-`be_path' to make sure we caught all the occurrences.
-
-Specifically, when checking that the device still exists, check the
-`frontend' value in /libxl, rather than anything in the backend
-directory.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6f70cb8..9f77269 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2847,7 +2847,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- libxl_domain_config d_config;
- int rc, dm_ver;
- libxl__device device;
-- const char *path, *libxl_path;
-+ const char *be_path, *libxl_path;
- char * tmp;
- libxl__domain_userdata_lock *lock = NULL;
- xs_transaction_t t = XBT_NULL;
-@@ -2914,7 +2914,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- rc = libxl__device_from_disk(gc, domid, disk, &device);
- if (rc) goto out;
-
-- path = libxl__device_backend_path(gc, &device);
-+ be_path = libxl__device_backend_path(gc, &device);
- libxl_path = libxl__device_libxl_path(gc, &device);
-
- insert = flexarray_make(gc, 4, 1);
-@@ -2954,19 +2954,19 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- for (;;) {
- rc = libxl__xs_transaction_start(gc, &t);
- if (rc) goto out;
-- /* Sanity check: make sure the backend exists before writing here */
-- tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
-+ /* Sanity check: make sure the device exists before writing here */
-+ tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
- if (!tmp)
- {
- LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
-- libxl__sprintf(gc, "%s/frontend", path));
-+ libxl__sprintf(gc, "%s/frontend", libxl_path));
- rc = ERROR_FAIL;
- goto out;
- }
-
- char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count);
-
-- rc = libxl__xs_writev(gc, t, path, kvs);
-+ rc = libxl__xs_writev(gc, t, be_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_writev(gc, t, libxl_path, kvs);
-@@ -2990,12 +2990,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- for (;;) {
- rc = libxl__xs_transaction_start(gc, &t);
- if (rc) goto out;
-- /* Sanity check: make sure the backend exists before writing here */
-- tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
-+ /* Sanity check: make sure the device exists before writing here */
-+ tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
- if (!tmp)
- {
- LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
-- libxl__sprintf(gc, "%s/frontend", path));
-+ libxl__sprintf(gc, "%s/frontend", libxl_path));
- rc = ERROR_FAIL;
- goto out;
- }
-@@ -3005,7 +3005,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-
- char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count);
-
-- rc = libxl__xs_writev(gc, t, path, kvs);
-+ rc = libxl__xs_writev(gc, t, be_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_writev(gc, t, libxl_path, kvs);
---
-1.9.1
-
diff --git a/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch b/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
deleted file mode 100644
index fd86cb8..0000000
--- a/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
@@ -1,47 +0,0 @@
-From c626ea4768294b73ef24fafe7af9ad1221c1c48d Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:52:53 +0100
-Subject: [PATCH 09/12] libxl: Do not trust frontend for nic in
- libxl_devid_to_device_nic
-
-Find the backend by reading the pointer in /libxl rather than in the
-guest's frontend area.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 65b9953..4c45269 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3540,17 +3540,17 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- int devid, libxl_device_nic *nic)
- {
- GC_INIT(ctx);
-- char *dompath, *path;
-+ char *libxl_dom_path, *path;
- int rc = ERROR_FAIL;
-
- libxl_device_nic_init(nic);
-- dompath = libxl__xs_get_dompath(gc, domid);
-- if (!dompath)
-+ libxl_dom_path = libxl__xs_libxl_path(gc, domid);
-+ if (!libxl_dom_path)
- goto out;
-
- path = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/device/vif/%d/backend",
-- dompath, devid));
-+ GCSPRINTF("%s/device/vif/%d/backend", libxl_dom_path,
-+ devid));
- if (!path)
- goto out;
-
---
-2.1.4
-
diff --git a/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch b/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
deleted file mode 100644
index 8295796..0000000
--- a/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
@@ -1,38 +0,0 @@
-From c9b8314ee99f30a62b7ff6db253598fa4e14ba54 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:57:10 +0100
-Subject: [PATCH 10/20] libxl: Do not trust backend for channel in getinfo
-
-Do not read the frontend path out of the backend. We have it in our
-hand. Likewise the guest (frontend) domid was one of our parameters (!)
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9f77269..35cfffe 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3977,12 +3977,8 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
-
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
- channelinfo->state = val ? strtoul(val, NULL, 10) : -1;
-- channelinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- GCSPRINTF("%s/frontend",
-- channelinfo->backend), NULL);
-- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/frontend-id",
-- channelinfo->backend));
-- channelinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ channelinfo->frontend = libxl__strdup(NOGC, fe_path);
-+ channelinfo->frontend_id = domid;
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
- channelinfo->rref = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/port", fe_path));
---
-1.9.1
-
diff --git a/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch b/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
deleted file mode 100644
index 60afaff..0000000
--- a/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
@@ -1,73 +0,0 @@
-From 9d1982995e8d5645ae149bce670bea82fda31421 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 16:31:07 +0100
-Subject: [PATCH 10/12] libxl: Do not trust frontend for nic in getinfo
-
-libxl_device_nic_getinfo needs to examine devices without trusting
-frontend-controlled data. So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
- reading it from the frontend.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 21 ++++++++++++++-------
- 1 file changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 4c45269..34853f8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3629,22 +3629,27 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
- libxl_device_nic *nic, libxl_nicinfo *nicinfo)
- {
- GC_INIT(ctx);
-- char *dompath, *nicpath;
-+ char *dompath, *nicpath, *libxl_path;
- char *val;
-+ int rc;
-
- dompath = libxl__xs_get_dompath(gc, domid);
- nicinfo->devid = nic->devid;
-
-- nicpath = libxl__sprintf(gc, "%s/device/vif/%d", dompath, nicinfo->devid);
-+ nicpath = GCSPRINTF("%s/device/vif/%d", dompath, nicinfo->devid);
-+ libxl_path = GCSPRINTF("%s/device/vif/%d",
-+ libxl__xs_libxl_path(gc, domid), nicinfo->devid);
- nicinfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/backend", nicpath), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!nicinfo->backend) {
- GC_FREE;
- return ERROR_FAIL;
- }
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", nicpath));
-- nicinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", nicpath));
-+ rc = libxl__backendpath_parse_domid(gc, nicinfo->backend,
-+ &nicinfo->backend_id);
-+ if (rc) goto out;
-+
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", nicpath));
- nicinfo->state = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", nicpath));
- nicinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
-@@ -3657,8 +3662,10 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend));
- nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-
-+ rc = 0;
-+ out:
- GC_FREE;
-- return 0;
-+ return rc;
- }
-
- const char *libxl__device_nic_devname(libxl__gc *gc,
---
-2.1.4
-
diff --git a/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch b/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
deleted file mode 100644
index b6c767a..0000000
--- a/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
@@ -1,104 +0,0 @@
-From 55fcc20fa75d9458805bf8130ce257cddd8db71f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 17:01:56 +0100
-Subject: [PATCH 11/12] libxl: Do not trust frontend for channel in list
-
-libxl_device_channel_list should not trust frontend-provided data.
-
-So it needs to iterate using the /libxl paths, and read the backend
-path out of /libxl.
-
-However, it also filters out pure "consoles", which are channels
-without a "name". But the name was stored only in the frontend
-directory, which the frontend can delete.
-
-So store the name in the backend too. (Ideally we would store it in
-/libxl, where the backend can't write to it either, but
-libxl__device_console_add not currently have access to the xenstore
-transaction used by libxl__device_generic_add. Protection against the
-backend will come later, in XSA-178.)
-
-Because the libxl paths are defined to be in terms of the frontend
-device types, not the backend device types, it is no longer correct
-for libxl__append_channel_list to take a type argument. Abolish this
-(with no functional effect).
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 25 ++++++++++++++-----------
- 1 file changed, 14 insertions(+), 11 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 34853f8..6ffb173 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3726,6 +3726,8 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
- if (console->name) {
- flexarray_append(ro_front, "name");
- flexarray_append(ro_front, console->name);
-+ flexarray_append(back, "name");
-+ flexarray_append(back, console->name);
- }
- if (console->connection) {
- flexarray_append(back, "connection");
-@@ -3864,34 +3866,35 @@ static int libxl__device_channel_from_xs_be(libxl__gc *gc,
- return rc;
- }
-
--static int libxl__append_channel_list_of_type(libxl__gc *gc,
-+static int libxl__append_channel_list(libxl__gc *gc,
- uint32_t domid,
-- const char *type,
- libxl_device_channel **channels,
- int *nchannels)
- {
-- char *fe_path = NULL, *be_path = NULL;
-+ char *libxl_dir_path = NULL, *be_path = NULL;
- char **dir = NULL;
- unsigned int n = 0, devid = 0;
- libxl_device_channel *next = NULL;
- int rc = 0, i;
-
-- fe_path = GCSPRINTF("%s/device/%s",
-- libxl__xs_get_dompath(gc, domid), type);
-- dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &n);
-+ libxl_dir_path = GCSPRINTF("%s/device/console",
-+ libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
- if (!dir || !n)
- goto out;
-
- for (i = 0; i < n; i++) {
-- const char *p, *name;
-+ const char *libxl_path, *name;
- libxl_device_channel *tmp;
-
-- p = libxl__sprintf(gc, "%s/%s", fe_path, dir[i]);
-- name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", p));
-+ libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]);
-+ be_path = libxl__xs_read(gc, XBT_NULL,
-+ GCSPRINTF("%s/backend", libxl_path));
-+ if (!be_path) continue;
-+ name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", be_path));
- /* 'channels' are consoles with names, so ignore all consoles
- without names */
- if (!name) continue;
-- be_path = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend", p));
- tmp = realloc(*channels,
- sizeof(libxl_device_channel) * (*nchannels + devid + 1));
- if (!tmp) {
-@@ -3922,7 +3925,7 @@ libxl_device_channel *libxl_device_channel_list(libxl_ctx *ctx,
-
- *num = 0;
-
-- rc = libxl__append_channel_list_of_type(gc, domid, "console", &channels, num);
-+ rc = libxl__append_channel_list(gc, domid, &channels, num);
- if (rc) goto out_err;
-
- GC_FREE;
---
-2.1.4
-
diff --git a/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch b/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
deleted file mode 100644
index 91c68a5..0000000
--- a/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
@@ -1,87 +0,0 @@
-From 382ed2f090cc79e52fd5ab2e0b51b278c5f61232 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:18:36 +0100
-Subject: [PATCH 11/20] libxl: Rename libxl__device_{nic,channel}_from_xs_be to
- _from_xenstore
-
-We are going to change these functions to expect, and be passed, a
-/libxl path. So it is wrong that they are called _from_xs_be.
-
-Neither function reads anything which isn't found in both places, so
-we can and will change the call sites later.
-
-The only remaining function in libxl called *_from_xs_be relates to
-PCI devices, for which the backend domain is hardcoded to 0 throughout
-the libxl_pci.c.
-
-No functional change.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 35cfffe..35cb6b0 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3498,7 +3498,7 @@ out:
- return;
- }
-
--static int libxl__device_nic_from_xs_be(libxl__gc *gc,
-+static int libxl__device_nic_from_xenstore(libxl__gc *gc,
- const char *be_path,
- libxl_device_nic *nic)
- {
-@@ -3561,7 +3561,7 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- if (!path)
- goto out;
-
-- rc = libxl__device_nic_from_xs_be(gc, path, nic);
-+ rc = libxl__device_nic_from_xenstore(gc, path, nic);
- if (rc) goto out;
-
- rc = 0;
-@@ -3596,7 +3596,7 @@ static int libxl__append_nic_list_of_type(libxl__gc *gc,
- for (; pnic < pnic_end; pnic++, dir++) {
- const char *p;
- p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
-- rc = libxl__device_nic_from_xs_be(gc, p, pnic);
-+ rc = libxl__device_nic_from_xenstore(gc, p, pnic);
- if (rc) goto out;
- pnic->backend_domid = 0;
- }
-@@ -3846,7 +3846,7 @@ int libxl__init_console_from_channel(libxl__gc *gc,
- return 0;
- }
-
--static int libxl__device_channel_from_xs_be(libxl__gc *gc,
-+static int libxl__device_channel_from_xenstore(libxl__gc *gc,
- const char *be_path,
- libxl_device_channel *channel)
- {
-@@ -3855,7 +3855,7 @@ static int libxl__device_channel_from_xs_be(libxl__gc *gc,
-
- libxl_device_channel_init(channel);
-
-- /* READ_BACKEND is from libxl__device_nic_from_xs_be above */
-+ /* READ_BACKEND is from libxl__device_nic_from_xenstore above */
- channel->name = READ_BACKEND(NOGC, "name");
- tmp = READ_BACKEND(gc, "connection");
- if (!strcmp(tmp, "pty")) {
-@@ -3910,7 +3910,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- }
- *channels = tmp;
- next = *channels + *nchannels + devid;
-- rc = libxl__device_channel_from_xs_be(gc, be_path, next);
-+ rc = libxl__device_channel_from_xenstore(gc, be_path, next);
- if (rc) goto out;
- next->devid = devid;
- devid++;
---
-1.9.1
-
diff --git a/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch b/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
deleted file mode 100644
index 5018fac..0000000
--- a/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
@@ -1,121 +0,0 @@
-From 0333ec931e023a66dc03392c9bcb1040018b00e8 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 17:24:32 +0100
-Subject: [PATCH 12/12] libxl: Do not trust frontend for channel in getinfo
-
-libxl_device_channel_getinfo needs to examine devices without trusting
-frontend-controlled data. So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
- reading it from the frontend.
-* Tolerate FRONTEND/tty vanishing.
-
-Note that there is a strange off-by-one error in the computation of
-both fe_path and libxl_path in libxl_device_channel_getinfo: the
-incoming channel->devid, which is copied to channelinfo->devid, has +1
-applied to calculate the frontend path (and, after this patch, the
-libxl path). I.e., the devid passed to libxl_device_channel_getinfo
-must be one less than the actual devid for the device being asked
-about.
-
-This is actually a bug which mirrors a bug in
-libxl__append_channel_list, which fills in the devids of the channel
-devices it finds with sequentially increasing numbers starting at 0.
-
-In the usual case channels have real devids starting at 1 (because
-there is the console, which is devid 0, but not a channel). So these
-bugs usually cancel out.
-
-We do not address this problem at this time. This bug does not have
-any security implications.
-
-This patch is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 44 ++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 36 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6ffb173..2dd2467 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3946,23 +3946,28 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
- libxl_channelinfo *channelinfo)
- {
- GC_INIT(ctx);
-- char *dompath, *fe_path;
-+ char *dompath, *fe_path, *libxl_path;
- char *val;
-+ int rc;
-
- dompath = libxl__xs_get_dompath(gc, domid);
- channelinfo->devid = channel->devid;
-
-- fe_path = libxl__sprintf(gc, "%s/device/console/%d", dompath,
-- channelinfo->devid + 1);
-+ fe_path = GCSPRINTF("%s/device/console/%d", dompath,
-+ channelinfo->devid + 1);
-+ libxl_path = GCSPRINTF("%s/device/console/%d",
-+ libxl__xs_libxl_path(gc, domid),
-+ channelinfo->devid + 1);
- channelinfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/backend",
-- fe_path), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!channelinfo->backend) {
- GC_FREE;
- return ERROR_FAIL;
- }
-- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend-id", fe_path));
-- channelinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-+ rc = libxl__backendpath_parse_domid(gc, channelinfo->backend,
-+ &channelinfo->backend_id);
-+ if (rc) goto out;
-+
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
- channelinfo->state = val ? strtoul(val, NULL, 10) : -1;
- channelinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-@@ -3980,13 +3985,36 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
- switch (channel->connection) {
- case LIBXL_CHANNEL_CONNECTION_PTY:
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/tty", fe_path));
-+ /*
-+ * It is obviously very wrong for this value to be in the
-+ * frontend. But in XSA-175 we don't want to re-engineer
-+ * this because other xenconsole code elsewhere (some
-+ * even out of tree, perhaps) expects this node to be
-+ * here.
-+ *
-+ * FE/pty is readonly for the guest. It always exists if
-+ * FE does because libxl__device_console_add
-+ * unconditionally creates it and nothing deletes it.
-+ *
-+ * The guest can delete the whole FE (which it has write
-+ * privilege on) but the containing directories
-+ * /local/GUEST[/device[/console]] are also RO for the
-+ * guest. So if the guest deletes FE it cannot recreate
-+ * it.
-+ *
-+ * Therefore the guest cannot cause FE/pty to contain bad
-+ * data, although it can cause it to not exist.
-+ */
-+ if (!val) val = "/NO-SUCH-PATH";
- channelinfo->u.pty.path = strdup(val);
- break;
- default:
- break;
- }
-+ rc = 0;
-+ out:
- GC_FREE;
-- return 0;
-+ return rc;
- }
-
- /******************************************************************************/
---
-2.1.4
-
diff --git a/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch b/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
deleted file mode 100644
index 37dfca7..0000000
--- a/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
@@ -1,101 +0,0 @@
-From bbbe635e7c1824d4daa4920c24c369e332ba5236 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:07:02 +0100
-Subject: [PATCH 12/20] libxl: Rename READ_BACKEND to READ_LIBXLDEV
-
-We are going to want to change all the functions that use READ_BACKEND
-to get untrustworthy information from the backend, to use trustworthy
-information from /libxl.
-
-This will involve replacing READ_BACKEND, which reads from be_path,
-with a similar macro READ_LIBXLDEV, which reads from libxl_path.
-
-The macro name change generates a lot of clutter in the diff. So we
-break it out into this separate patch. Here, we rename the macro, but
-the implementation does not really match the new name.
-
-So, another way to look at this, is that we have transformed the bug:
- * All of the backends use READ_BACKEND, which is unsafe
-into the new bug:
- * READ_LIBXLDEV actually reads be_path, which is unsafe.
-
-There is no functional change as yet.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 35cb6b0..a174382 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -21,8 +21,8 @@
- #define PAGE_TO_MEMKB(pages) ((pages) * 4)
- #define BACKEND_STRING_SIZE 5
-
--/* Utility to read backend xenstore keys */
--#define READ_BACKEND(tgc, subpath) ({ \
-+/* Utility to read /libxl or backend xenstore keys, from be_path */
-+#define READ_LIBXLDEV(tgc, subpath) ({ \
- rc = libxl__xs_read_checked(tgc, XBT_NULL, \
- GCSPRINTF("%s/" subpath, be_path), \
- &tmp); \
-@@ -3507,7 +3507,7 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-
- libxl_device_nic_init(nic);
-
-- tmp = READ_BACKEND(gc, "handle");
-+ tmp = READ_LIBXLDEV(gc, "handle");
- if (tmp)
- nic->devid = atoi(tmp);
- else
-@@ -3515,7 +3515,7 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-
- /* nic->mtu = */
-
-- tmp = READ_BACKEND(gc, "mac");
-+ tmp = READ_LIBXLDEV(gc, "mac");
- if (tmp) {
- rc = libxl__parse_mac(tmp, nic->mac);
- if (rc) goto out;
-@@ -3523,12 +3523,12 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
- memset(nic->mac, 0, sizeof(nic->mac));
- }
-
-- nic->ip = READ_BACKEND(NOGC, "ip");
-- nic->bridge = READ_BACKEND(NOGC, "bridge");
-- nic->script = READ_BACKEND(NOGC, "script");
-+ nic->ip = READ_LIBXLDEV(NOGC, "ip");
-+ nic->bridge = READ_LIBXLDEV(NOGC, "bridge");
-+ nic->script = READ_LIBXLDEV(NOGC, "script");
-
- /* vif_ioemu nics use the same xenstore entries as vif interfaces */
-- tmp = READ_BACKEND(gc, "type");
-+ tmp = READ_LIBXLDEV(gc, "type");
- if (tmp) {
- rc = libxl_nic_type_from_string(tmp, &nic->nictype);
- if (rc) goto out;
-@@ -3856,13 +3856,13 @@ static int libxl__device_channel_from_xenstore(libxl__gc *gc,
- libxl_device_channel_init(channel);
-
- /* READ_BACKEND is from libxl__device_nic_from_xenstore above */
-- channel->name = READ_BACKEND(NOGC, "name");
-- tmp = READ_BACKEND(gc, "connection");
-+ channel->name = READ_LIBXLDEV(NOGC, "name");
-+ tmp = READ_LIBXLDEV(gc, "connection");
- if (!strcmp(tmp, "pty")) {
- channel->connection = LIBXL_CHANNEL_CONNECTION_PTY;
- } else if (!strcmp(tmp, "socket")) {
- channel->connection = LIBXL_CHANNEL_CONNECTION_SOCKET;
-- channel->u.socket.path = READ_BACKEND(NOGC, "path");
-+ channel->u.socket.path = READ_LIBXLDEV(NOGC, "path");
- } else {
- rc = ERROR_INVAL;
- goto out;
---
-1.9.1
-
diff --git a/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch b/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
deleted file mode 100644
index f4dce8c..0000000
--- a/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
@@ -1,62 +0,0 @@
-From 31be4b98a2d7ab851e37f9bc23cd446f3bdf367e Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:40:18 +0100
-Subject: [PATCH 13/20] libxl: Have READ_LIBXLDEV use libxl_path rather than
- be_path
-
-Fix the just-introduced bug in this macro: now it reads the
-trustworthy libxl_path. Change the variable name in the two functions
-(nic and channel) which use it.
-
-Shuffling the bump in the carpet along, we now introduce three new
-bugs: the three call sites pass a backend path where a frontend path
-is expected.
-
-No functional change.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index a174382..702ac75 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -21,10 +21,10 @@
- #define PAGE_TO_MEMKB(pages) ((pages) * 4)
- #define BACKEND_STRING_SIZE 5
-
--/* Utility to read /libxl or backend xenstore keys, from be_path */
-+/* Utility to read /libxl xenstore keys, from libxl_path */
- #define READ_LIBXLDEV(tgc, subpath) ({ \
- rc = libxl__xs_read_checked(tgc, XBT_NULL, \
-- GCSPRINTF("%s/" subpath, be_path), \
-+ GCSPRINTF("%s/" subpath, libxl_path), \
- &tmp); \
- if (rc) goto out; \
- (char*)tmp; \
-@@ -3499,7 +3499,7 @@ out:
- }
-
- static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-- const char *be_path,
-+ const char *libxl_path,
- libxl_device_nic *nic)
- {
- const char *tmp;
-@@ -3847,7 +3847,7 @@ int libxl__init_console_from_channel(libxl__gc *gc,
- }
-
- static int libxl__device_channel_from_xenstore(libxl__gc *gc,
-- const char *be_path,
-+ const char *libxl_path,
- libxl_device_channel *channel)
- {
- const char *tmp;
---
-1.9.1
-
diff --git a/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch b/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
deleted file mode 100644
index e45a8c9..0000000
--- a/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
@@ -1,33 +0,0 @@
-From 517d1d86e158d12f634db1fabda13931bffe32fe Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 16:35:21 +0100
-Subject: [PATCH 14/20] libxl: Do not trust backend in nic getinfo
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 702ac75..558d198 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3664,10 +3664,8 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
- nicinfo->rref_tx = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/rx-ring-ref", nicpath));
- nicinfo->rref_rx = val ? strtoul(val, NULL, 10) : -1;
-- nicinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/frontend", nicinfo->backend), NULL);
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend));
-- nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ nicinfo->frontend = libxl__strdup(NOGC, nicpath);
-+ nicinfo->frontend_id = domid;
-
- rc = 0;
- out:
---
-1.9.1
-
diff --git a/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch b/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
deleted file mode 100644
index 15af351..0000000
--- a/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
@@ -1,48 +0,0 @@
-From 6925b22ac3e1e876db542ab6ede6a88651cfaa44 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:20:05 +0100
-Subject: [PATCH 15/20] libxl: Do not trust backend for nic in devid_to_device
-
-libxl_devid_to_device_nic should read the information it needs from
-the /libxl/device path, not the backend.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 10 +++-------
- 1 file changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 558d198..0f87ad7 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3547,7 +3547,7 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- int devid, libxl_device_nic *nic)
- {
- GC_INIT(ctx);
-- char *libxl_dom_path, *path;
-+ char *libxl_dom_path, *libxl_path;
- int rc = ERROR_FAIL;
-
- libxl_device_nic_init(nic);
-@@ -3555,13 +3555,9 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- if (!libxl_dom_path)
- goto out;
-
-- path = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/device/vif/%d/backend", libxl_dom_path,
-- devid));
-- if (!path)
-- goto out;
-+ libxl_path = GCSPRINTF("%s/device/vif/%d", libxl_dom_path, devid);
-
-- rc = libxl__device_nic_from_xenstore(gc, path, nic);
-+ rc = libxl__device_nic_from_xenstore(gc, libxl_path, nic);
- if (rc) goto out;
-
- rc = 0;
---
-1.9.1
-
diff --git a/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch b/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
deleted file mode 100644
index 210ebbd..0000000
--- a/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
@@ -1,80 +0,0 @@
-From 1a75ae14d0e6b2969dc3b09f4f5963cd09a8118a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:23:57 +0100
-Subject: [PATCH 16/20] libxl: Do not trust backend for nic in list
-
-libxl_device_nic_list should use the /libxl path to search for
-devices, and for obtaining the device information.
-
-The "type" parameter was always "vif". Abolish it. (In any case,
-paths in /libxl/device are named after the frontend type which is
-constant, not the backend type which might in future vary.)
-
-Abolish a redundant store to pnic->backend_domid. Before this commit,
-that store was not needed because libxl_device_nic_init (called by
-libxl__device_nic_from_xenstore) would zero it. Now it overwrites the
-correct backend domid with zero; so remove it.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 16 +++++++---------
- 1 file changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 0f87ad7..9aebc9e 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3566,21 +3566,20 @@ out:
- return rc;
- }
-
--static int libxl__append_nic_list_of_type(libxl__gc *gc,
-+static int libxl__append_nic_list(libxl__gc *gc,
- uint32_t domid,
-- const char *type,
- libxl_device_nic **nics,
- int *nnics)
- {
-- char *be_path = NULL;
-+ char *libxl_dir_path = NULL;
- char **dir = NULL;
- unsigned int n = 0;
- libxl_device_nic *pnic = NULL, *pnic_end = NULL;
- int rc;
-
-- be_path = libxl__sprintf(gc, "%s/backend/%s/%d",
-- libxl__xs_get_dompath(gc, 0), type, domid);
-- dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n);
-+ libxl_dir_path = GCSPRINTF("%s/device/vif",
-+ libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
- if (dir && n) {
- libxl_device_nic *tmp;
- tmp = realloc(*nics, sizeof (libxl_device_nic) * (*nnics + n));
-@@ -3591,10 +3590,9 @@ static int libxl__append_nic_list_of_type(libxl__gc *gc,
- pnic_end = *nics + *nnics + n;
- for (; pnic < pnic_end; pnic++, dir++) {
- const char *p;
-- p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
-+ p = GCSPRINTF("%s/%s", libxl_dir_path, *dir);
- rc = libxl__device_nic_from_xenstore(gc, p, pnic);
- if (rc) goto out;
-- pnic->backend_domid = 0;
- }
- *nnics += n;
- }
-@@ -3612,7 +3610,7 @@ libxl_device_nic *libxl_device_nic_list(libxl_ctx *ctx, uint32_t domid, int *num
-
- *num = 0;
-
-- rc = libxl__append_nic_list_of_type(gc, domid, "vif", &nics, num);
-+ rc = libxl__append_nic_list(gc, domid, &nics, num);
- if (rc) goto out_err;
-
- GC_FREE;
---
-1.9.1
-
diff --git a/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch b/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
deleted file mode 100644
index c31383b..0000000
--- a/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
@@ -1,58 +0,0 @@
-From 8df6d984e41c4a2f3f1ebc989063223eabb2cc0f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:59:38 +0100
-Subject: [PATCH 17/20] libxl: Do not trust backend in channel list
-
-Read the name from /libxl/device. Pass the /libxl path to
-libxl__device_channel_from_xenstore.
-
-This removes the final route by which READ_LIBXLDEV might receive a
-backend path.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
-v2: Remove be_path variable which is now no longer used.
----
- tools/libxl/libxl.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9aebc9e..a6701d4 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3870,7 +3870,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- libxl_device_channel **channels,
- int *nchannels)
- {
-- char *libxl_dir_path = NULL, *be_path = NULL;
-+ char *libxl_dir_path = NULL;
- char **dir = NULL;
- unsigned int n = 0, devid = 0;
- libxl_device_channel *next = NULL;
-@@ -3887,10 +3887,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- libxl_device_channel *tmp;
-
- libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]);
-- be_path = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/backend", libxl_path));
-- if (!be_path) continue;
-- name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", be_path));
-+ name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", libxl_path));
- /* 'channels' are consoles with names, so ignore all consoles
- without names */
- if (!name) continue;
-@@ -3902,7 +3899,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- }
- *channels = tmp;
- next = *channels + *nchannels + devid;
-- rc = libxl__device_channel_from_xenstore(gc, be_path, next);
-+ rc = libxl__device_channel_from_xenstore(gc, libxl_path, next);
- if (rc) goto out;
- next->devid = devid;
- devid++;
---
-1.9.1
-
diff --git a/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch b/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
deleted file mode 100644
index 95d1480..0000000
--- a/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
@@ -1,48 +0,0 @@
-From 3675172b342d1c03b01e2ac0a9fe851391921ab7 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:25:19 +0100
-Subject: [PATCH 18/20] libxl: Cleanup: Have libxl__alloc_vdev use /libxl
-
-When allocating a vdev for a new disk, look in /libxl/device, rather
-than the frontends directory in xenstore.
-
-This is more in line with the other parts of libxl, which ought not to
-trust frontends. In this case, though, there is no security bug prior
-to this patch because the frontend is the toolstack domain itself.
-
-If libxl__alloc_vdev were ever changed to take a frontend domain
-argument, this patch will fix a latent security bug.
-
-This is a followup to XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index a6701d4..20a8960 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3043,7 +3043,7 @@ static char * libxl__alloc_vdev(libxl__gc *gc, void *get_vdev_user,
- {
- const char *blkdev_start = (const char *) get_vdev_user;
- int devid = 0, disk = 0, part = 0;
-- char *dompath = libxl__xs_get_dompath(gc, LIBXL_TOOLSTACK_DOMID);
-+ char *libxl_dom_path = libxl__xs_libxl_path(gc, LIBXL_TOOLSTACK_DOMID);
-
- libxl__device_disk_dev_number(blkdev_start, &disk, &part);
- if (part != 0) {
-@@ -3058,7 +3058,7 @@ static char * libxl__alloc_vdev(libxl__gc *gc, void *get_vdev_user,
- return NULL;
- if (libxl__xs_read(gc, t,
- libxl__sprintf(gc, "%s/device/vbd/%d/backend",
-- dompath, devid)) == NULL) {
-+ libxl_dom_path, devid)) == NULL) {
- if (errno == ENOENT)
- return libxl__devid_to_localdev(gc, devid);
- else
---
-1.9.1
-
diff --git a/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch b/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
deleted file mode 100644
index 8bdd209..0000000
--- a/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
@@ -1,38 +0,0 @@
-From 509ae901dc25c51553c49e6f4428ac8023b42625 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:08:19 +0100
-Subject: [PATCH 19/20] libxl: Cleanup: use libxl__backendpath_parse_domid in
- libxl__device_disk_from_xs_be
-
-Rather than an open-coded sscanf. No functional change with correct
-input.
-
-This is a followup to XSA-175 and XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 20a8960..c0a80cb 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2640,10 +2640,10 @@ static int libxl__device_disk_from_xenstore(libxl__gc *gc,
- goto out;
- }
-
-- rc = sscanf(backend_path, "/local/domain/%d/", &disk->backend_domid);
-- if (rc != 1) {
-+ rc = libxl__backendpath_parse_domid(gc, backend_path, &disk->backend_domid);
-+ if (rc) {
- LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path);
-- goto cleanup;
-+ goto out;
- }
-
- /* "params" may not be present; but everything else must be. */
---
-1.9.1
-
diff --git a/main/xen/0020-libxl-Document-serial-correctly.patch b/main/xen/0020-libxl-Document-serial-correctly.patch
deleted file mode 100644
index 6c41be2..0000000
--- a/main/xen/0020-libxl-Document-serial-correctly.patch
@@ -1,38 +0,0 @@
-From d8ac67eff778ae0c6b3286ab46328be5c6c90163 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:17:45 +0100
-Subject: [PATCH 20/20] libxl: Document ~/serial/ correctly
-
-xenstore-paths.markdown talked about ~/device/serial/, but that's not
-used.
-
-(It is very wrong for this value, which contains a driver domain
-filesystem path, to be in the guest's area of xenstore. However, it
-is only ever created by libxl and ready by xenconsoled. When it is
-created, it inherits the read-only permissions of /local/domain/DOMID.
-So there is no security bug.)
-
-This is a followup to XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- docs/misc/xenstore-paths.markdown | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index 8c686ec..bfa6a79 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-@@ -240,7 +240,7 @@ The primary PV console device. Described in [console.txt](console.txt)
-
- A secondary PV console device. Described in [console.txt](console.txt)
-
--#### ~/device/serial/$DEVID/* [HVM]
-+#### ~/serial/$DEVID/* [HVM]
-
- An emulated serial device. Described in [console.txt](console.txt)
-
---
-1.9.1
-
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 4c31811..e68129c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,9 +1,10 @@
+# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
-pkgver=4.5.3
-pkgrel=3
+pkgver=4.5.5
+pkgrel=0
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -17,20 +18,6 @@ makedepends="$depends_dev autoconf automake libtool"
install=""
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
- xsa169.patch
- xsa172.patch
- xsa173-4.5.patch
- xsa176.patch
- xsa181.patch
- xsa182-4.5.patch
- xsa183-4.6.patch
- xsa184-qemut-master.patch
- xsa184-qemuu-master.patch
- xsa185.patch
- xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
- xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
- xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
- xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
xsa190-4.5-CVE-2016-7777.patch
xsa191-4.6-CVE-2016-9386.patch
xsa192-4.5-CVE-2016-9382.patch
@@ -45,40 +32,8 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa201-1.patch
xsa201-2.patch
xsa201-4.patch
-
- 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
- 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
- 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
- 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
- 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
- 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
- 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
- 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
- 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
- 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
- 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
- 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-
- 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
- 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
- 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
- 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
- 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
- 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
- 0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
- 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
- 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
- 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
- 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
- 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
- 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
- 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
- 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
- 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
- 0017-libxl-Do-not-trust-backend-in-channel-list.patch
- 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
- 0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
- 0020-libxl-Document-serial-correctly.patch
+ xsa202-4.6.patch
+ xsa204-4.5.patch
qemu-coroutine-gthread.patch
qemu-xen-musl-openpty.patch
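Review bot: The two added entries `xsa202-4.6.patch` and `xsa204-4.5.patch` carry no CVE id in the file name, unlike neighbouring entries in the same list such as `xsa190-4.5-CVE-2016-7777.patch` and `xsa191-4.6-CVE-2016-9386.patch`. The CVE numbers are recorded only in the commit message (CVE-2016-10024 for XSA-202, CVE-2016-10013 for XSA-204), so someone auditing the APKBUILD for fixed CVEs cannot match these patches without the advisory pages. Renaming them to `xsa202-4.6-CVE-2016-10024.patch` and `xsa204-4.5-CVE-2016-10013.patch` would follow the existing convention; the md5sums, sha256sums and sha512sums hunks further down would need the same names. The `source=` assignment these lines belong to starts outside this hunk.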
@@ -86,7 +41,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
hotplug-vif-vtrill.patch
0001-ipxe-dont-clobber-ebp.patch
- gnutls-3.4.0.patch
init-xenstore-domain.patch
@@ -264,21 +218,7 @@ hypervisor() {
mv "$pkgdir"/boot "$subpkgdir"/
}
-md5sums="a41baeb8ab0098dd2bce4249a95d1118 xen-4.5.3.tar.gz
-0931b87a6b9ba846c5797dbbbacdf324 xsa169.patch
-b14d9a4247ae654579cb757c9b0e949a xsa172.patch
-335182c09c3b8e887a35c9677f2dc658 xsa173-4.5.patch
-f5a889df9c86a2cda28da20ec7cd7adc xsa176.patch
-fb3b353a4a4e334ef6bf1ed3f35552d6 xsa181.patch
-732af8942ffbc31ca34fd9a7001e1923 xsa182-4.5.patch
-f137255f6928d439a5ddf18ebab402d7 xsa183-4.6.patch
-95bc220677fc2bb9a3df4dc14a0b31f6 xsa184-qemut-master.patch
-cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch
-8ae22c70681f3daf97ee7ef8ad947e76 xsa185.patch
-9a2b74f2079ba0b7a6e2420e6887cc3a xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
-3d812cf9ccc8443874b36e061392d388 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
-c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
-a98c0fa2579965d72272f381f193195d xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+md5sums="a99baacf82aa111ed3130d6c361d74a8 xen-4.5.5.tar.gz
478b88d2ef7e67bc03d3637def41a485 xsa190-4.5-CVE-2016-7777.patch
5399accd478266047e9fada57bba1bf8 xsa191-4.6-CVE-2016-9386.patch
fa8512910a0dbe7f49b1800518f9c204 xsa192-4.5-CVE-2016-9382.patch
@@ -293,44 +233,13 @@ add3ad7828d582fc272073e906ce17a1 xsa200-4.6.patch
6580371b4b8db7cb6876f2b42ab3fc61 xsa201-1.patch
76394482eaf0caeb3e0611ba70e8923c xsa201-2.patch
9cb1516d783fc9c765e9a37574bb3cbd xsa201-4.patch
-e60400a02f24b70dd9d39628a731dcda 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
-83f68ebe641fde827b56996ffc5bbc5e 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
-197b0a2273b68c1cfe2a4482ceffdf4d 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
-29cc618079c3f586043d665fe8daed24 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
-f290be1ba26f480fd345ada649d59660 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
-171dca83420ad3f706ba0466adf030fd 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
-45bc938047bc7716b57eeb8508977a0f 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
-ba83d5ea9a1615f2b1693acc3e54f298 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
-141f2b28b04b4efbf909a4650696d71c 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
-6611449c2c056fa074685b18443149e0 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-3264f8403d5cd025c25416a5de7aeb50 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
-ae82256edf948e1c8ace6c576a4b2597 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-14719f6189df1270053184d8a90cc7d1 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
-1ef583ccc14b6fea78d1891d13b3631c 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
-f1f2c41ebc7ccda0f8a786a6170694c1 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
-456b9afc8eb908d5147d9766169acec7 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
-e6902e354cbfd0f8e56c7c2653c8a953 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
-be2e9a515e6cc108abae8f2a726001ad 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
-1ee13d702779674ef6c717621ffa9382 0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
-b5626d90c850d9598dede0740df96e09 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
-d7ddba3f759d47495b72e8397f64363d 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
-f8d01a242f6a65c801d8d201e13dffe4 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
-bcf81392d6f29e737d72b548e4cb1378 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
-1b484a77201c181a16518f566ea7f239 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
-b69c6497bd05ce7f597062beb5f50305 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
-d2d173fca2b2148f4cc0e1b70d67b29f 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
-dbc827c44937e3d6f4d8a3387842a2dd 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
-0fce7f760b34193fec742bba74423182 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
-48673e67de7272a2495da63902f56bce 0017-libxl-Do-not-trust-backend-in-channel-list.patch
-e6550be82f81c1e43c44a17acb5ca80e 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-39714ef39a07b62887c726eeedb7197f 0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
-e0138ef232bd7c5d8e28db853692e303 0020-libxl-Document-serial-correctly.patch
+a5a39c6354c952095e1d78a582385933 xsa202-4.6.patch
+9449168ccbc38442b8f55ad9c0964b9f xsa204-4.5.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch
08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch
229539a822e14a6a62babffd71ecfbf3 0001-ipxe-dont-clobber-ebp.patch
-a0a0294eccbaef77a2f8f5c2789f011c gnutls-3.4.0.patch
08a30d56902b660f5102a5c208e545c9 init-xenstore-domain.patch
0984e3000de17a6d14b8014a3ced46a4 musl-support.patch
513456607a2adfaa0baf1e3ae5124b23 musl-hvmloader-fix-stdint.patch
@@ -347,21 +256,7 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd
9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate
6a2f777c16678d84039acf670d86fff6 xenqemu.confd
e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd"
-sha256sums="22b6dcb6725434e4baa48f1482328a04064e21d951d7c7c4b994b3d7ad4910fa xen-4.5.3.tar.gz
-b818922880313cdbc12ea68ae757da5eabed9b3c9e1f8acefe1653683545ccbe xsa169.patch
-f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154 xsa172.patch
-8cd255416975b5589b85911142b385cc1ed78b8ea5e16ebe9d6c60e2679b23aa xsa173-4.5.patch
-e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3 xsa176.patch
-6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733 xsa181.patch
-2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2 xsa182-4.5.patch
-0fee41f21a3eb4af1487590098047f4625688bcef7419572a8f418f9fb728468 xsa183-4.6.patch
-88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20 xsa184-qemut-master.patch
-3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65 xsa184-qemuu-master.patch
-3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4 xsa185.patch
-f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
-7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
-be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
-b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+sha256sums="e2216e31f774be6bb1bba922288fbbc00bb549c2feb9c12472f60fe689aee4f8 xen-4.5.5.tar.gz
477d56c41cc2101432459ab79e4d5663aade779c36285f5c1d6d6ed4e34e1009 xsa190-4.5-CVE-2016-7777.patch
d95a1f0dd5c45497ca56e2e1390fc688bf0a4a7a7fd10c65ae25b4bbb3353b69 xsa191-4.6-CVE-2016-9386.patch
bb0c6622c6f5c5eb9a680020d865802069446830b4a170bcb82336f6c3b77f55 xsa192-4.5-CVE-2016-9382.patch
@@ -376,44 +271,13 @@ d662353629117b9c978cf5444995b41e77b079cc665e078ae7868b715c47c382 xsa197-4.5-qem
163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda xsa201-1.patch
0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b xsa201-2.patch
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919 xsa201-4.patch
-a262c85f9145f71df512338ef1a4b77c05086a894d58ba3d911ea6984bbeaed5 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
-676806c5713a60f113264298c48c3ac34e3370a6bfb8628d5b8700edfe2415e3 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
-50518f86aedf7857ca3644a2f073745017d12263880990cb7f0d4b3b9e264ac5 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
-e9207a4a35c13061b502935a31ad09cf4ca8048804f1a62d1c1ccfde5ff3432c 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
-78baa5268af36baa546e4cd8e7f62d830c860ee3051bba5273266ca0f95627ae 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
-c59be732bbf602d7d3b5dcbf3a0ca86d6f624585ba2e29f8d0f82c74f7bd33a3 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
-5c1aa2cc37240cdc4dce5c5067f18c36466d9271ab81c6a7a38d8674b534cd86 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
-020287ae99d9c049c12087d828ea2d898686ab8600c0f9f8f2042b297ebc968e 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
-4781d673403b3bb0f43196af1aec52f8769bcf7352afd239d874f381a1d0e9cc 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
-c6a0fb210488794188924a90df4450e42782f99651b7a016e072a7df7d26d3d6 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-3f3eec4f45925a9de39fcfd14e7709b3fc8245425b8ae45213afee1ede2b09a0 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
-084b0054f223addeab3ff951ac1362b7d48379ddf0556eae9971f1a87507c2d4 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-129eb3792374c1970cbd7518ac36f31988950d9f1d7bdf84932862d5eac311b1 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
-938bda668578c153696af0ce5f43f4dbdb822a299edb7c8e530c13d2ecb308e6 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
-f928280f0a4dde6cbe81c52320ea5ff4f0424e34c217c558a8effe8a54522048 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
-a606cf11ba60f9449a9b295c4d7ffdb8b4cd60d2ff9c92ee24d2054ce0f1f8b9 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
-29fc43237fb525c1e56fd9e90c59a461dad79de542273125a6bbb26286b7c71e 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
-1ed713cc915ecd0aceba4725f24edeedb13db0ad6771846c7a9b897f95af10d8 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
-eb83ac44edb61932c8b0f97754329c14b951b5d71ac33a37d483efb05c199cac 0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
-236c65539a4c2b5563cd968cebafa6cf4fc9ba2e92b502168548ff210a791be3 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
-43117dac4db02a0b480a6fc63baaf0f60623ea6da13e5658d95d8a7cafb49951 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
-e104ad6054ff8d994b4967f9fb382b900e65c0727f4549662f3163b9eaa530e7 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
-422939d58850d39584e57daf5f7c1db8368763c9bfe9af7668a4dab40602eca5 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
-37c7b5a3a0365120b07219bb584d6bc5967e30cb98301ac7d9ba92a9750055c4 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
-89616deb7983a298a4943d7b49658625d08a41bfe6188c3cb771e484b564667b 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
-8c7a2a4714013f8868d1357d498b63e7dfa9fe59c4f8adaaa3388e9c9341ed92 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
-e812adffc3960974775a4cf44e24b47a297036d88b606e2b0af1e402477062e9 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
-63f6852cb78051b2475a7dfe2e0f7a77c2eb5f59f5e9d2b36658ff89b4bd3e2a 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
-b480b7873eea48ae4c316840519b1a4a986e81d4b32112bd72055fae468c8ab2 0017-libxl-Do-not-trust-backend-in-channel-list.patch
-d4e37a3f3f4ecf8f03716ade37f6b285ec60f16d7725491ca5a06f1f3f98ec88 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-368526875f928f4877e4047e86da726a7ad8e70d2c56fd10b5d12d45743e0f8f 0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
-300a4ea3dbf57ac523d7903adcd4545d2a972215d948759dc5ac872ac47ceea9 0020-libxl-Document-serial-correctly.patch
+e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4 xsa202-4.6.patch
+e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b xsa204-4.5.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch
751ef06569de66578b8713dc170976832b0671ac2696f32eb9ad69d60332d594 0001-ipxe-dont-clobber-ebp.patch
-e25d38376e22f6f935d2c0ce1b9d6e6b47ff261b5e6056bc3b47168739d7a992 gnutls-3.4.0.patch
0204d69804e83864cd6b2122f51b9c1940588158a35c159a7ef0c3b8fb0af4cb init-xenstore-domain.patch
2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch
479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3 musl-hvmloader-fix-stdint.patch
@@ -430,21 +294,7 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in
0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate
4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd
c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd"
-sha512sums="086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f xen-4.5.3.tar.gz
-5bc99d5b4e8e57852c88401c49cc97f82706763f88682ed8faad6344fb0e17782ed7ba063fd463c3da46e28994af11e575ce6e02aa957ff042e3c86269d15acc xsa169.patch
-8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc xsa172.patch
-14b017f2e1b39adbb55ba35eafe139172609dada23e16999272d8c712e14045752933400721bc6eb6cb80a3427f3d44d829e492590e2cd5b7fe9bcfaa356b9e7 xsa173-4.5.patch
-0f86e4e4ee94c22166174d018954f60d9700ea4d880f4ca41b6ae1b242a4e1649da305851ef4d9b3aa91d512411a3a423f1aadceb20714d160d4d97d145dc312 xsa176.patch
-4505d0b8740609db6a6013f72bda7693ef57f4febbd0e8a20a86a7bf717234495824e895e39bf7dc710a6ae78320723b10e1c3570018b1e7fbe26959f252eb05 xsa181.patch
-9e2cba41ef7df8d74e74b030340f5c9a58fd95d55e5853c35aab011bcbc7d207479b9c374e3912d8ac0f4e8eb01fa4f9a1e281ca13bb9472dc66f0e110ba6d6a xsa182-4.5.patch
-f3495976ab219cfd376bae3ad409b452169df11ebcd36b106212db1b1fc8db8c50e721a5d1e23efbc25146946f922556014eda652517ee95efbfb3b482327e99 xsa183-4.6.patch
-14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad xsa184-qemut-master.patch
-862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6 xsa184-qemuu-master.patch
-6b774cfef049d457d89149a973b5a5af674b995726c88ce09278f4a64cb94f5b3c2c2380a6273475a13eb9cdd972f5429f393247ecca6463f6068d606ea74886 xsa185.patch
-bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d02937b56ad65faf3accecf695b4fd7f6dcc0bae91290bd87b19 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
-6583c843855d300b3d40321d909b64ab0df6b03da62b3400cb7e58a9249077112e5951e14449880cfc8d593dabd9afcffc15ff77555f745b478f7af939b3219e xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
-d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
-63f30d4a6842fc516d33334b25806e10a89228fec32315df27c9c271303d02619be4a88e638e41920ad808215280c3fce697574d05c5fb3f184844069383a201 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+sha512sums="7e8d7e0248daa91389db0250c5f214dc1ab46c058d556a4326c801933ead05cc450cb9510108586418de029b81a80fd9f272ec1749d288a8250e69599aa2d769 xen-4.5.5.tar.gz
23ca5b5c86186b3683be38b65ed30d0ddf15d9ae29e462ae9b2606d78d84ceafa3913a2648d0430872aef1e6209c443b81d8bd4ae4c01b9021c75db1ed05ba5a xsa190-4.5-CVE-2016-7777.patch
502f50bece05d52b127c497eda0236a9011e56885fb0b5fac74ab449c2eac94d0f2cf64da16808c25f8a3091aef0a9586ad5c19f6b98a8c459908149d629b321 xsa191-4.6-CVE-2016-9386.patch
d158cd493ccc516814201cb147ad99688223437938e655c5c8d75c2b73e14c319dc94e6077a9ec6521f2ca5e6af5d118f923f333702a83266c0ba44cc18efa9e xsa192-4.5-CVE-2016-9382.patch
@@ -459,44 +309,13 @@ b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594c
67006c1ac5d0b01eb65b5a9b6583ef31c0df0cdb6331af983d972d9b0c4bc21416484d88445edb8ee8470becdc11bc88fad4a617aac40ae26610eb2bee40bd01 xsa201-1.patch
afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d xsa201-2.patch
1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610 xsa201-4.patch
-3868b99fc9048d8eef58e949bc5caace6b964345fff92322a191b49fc3991373d785b9287e23d4fc1572a02ba278de5eba299caeeb6e6e46ecb87c2c309c943e 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
-60b9289891b3d69798da5c55abe06c4fda2ada1657178042a6f560fddd9d3495c7725516dd94d8a22c53990f63de873fa8d0363a57804b351f84e36de3bb4452 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
-f13b453de38ef3e4847e819b82eecec0e4461f824cb6b15b752a364ee4ec4c4d8c5e9193964976d1d937e422938d13c8271fcd113abd1b3e4a8875114f4075c2 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
-31d2370b4479bd06510b04bd5a5d3e6d58688960d37bea16a2b5b7ae7cd427bf322a63864eef5251b358bfe3ec9550b2b0bff568194c85e2e7ab44771edb5b4b 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
-011e859a6be428f9da6545607f0f0ab9487c61051623c6d45d89d64631dc50305ed0a0717785ccc5f671ee1c24282a1f598704b4b6fd4227bf0eecafb0e88e67 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
-7ce011b474a2d29f3efe883733280ac79eaad959ceb606a72924bf3824c79b049a6773d1c300af38c24d2d3fbbbeab73252997497a29fa0cf32e1394d6309e92 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
-d01d5080d110327077d237d0e9d2c3977915f00bfdd85b339a04ef095b9651a51991807aae74567b0d2bb874020e9ac4f44548d9f8a61effb7188793a8c17f73 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
-b30c0086d5056678237d34bcf0a4aeb0f22221d3c6c692765fa1ab775a8ad49227a47d0594331978f2c7e6851a814d0348ca408e82b046c9b25218954c092516 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
-9cf217d2d6063c985393df9e330190f3cabad9e3d70dad18d5b169145fae59c1a401f04040a04ef7b17b9b21a406230c6b048d05b9ebd6518edeb4e69e91b6b4 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
-d6003448e456cd42f0a28f887a2859b399058cdd76f286d7f9617cd462976d0a8781dba9132f5db00387c6fd60867a6c8b090b0d10eccbf74462d5dc63dc5294 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-3ffcf00f4ba76841b1af4145983160016d329f140d2363ccadfcd7f3de2ff752a6bbd65d0b4f0bf06a06518e066ba49243b1d12dda2f8e557eb8c82c8c1a12b1 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
-f0d383c623cafae7f4aad9bf0444aa2bcf4baeb73e2c2c815136b19ed28cdbb8d6b7db1074949d322d4e3b3d5ff12770bac942f594743405111829f91368c3eb 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-a4f4d4832a11bdbfceeac47f057ac1ab587a772107fca1b3b54d442a4ea42c10d9b031aa876705bb7d0399f532f674b5044596fc82dfeba709e73825ffb4be7c 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
-56fbd31171868c16d0c4b9218bdc91034e8c12c18f7028222d99fcaba0a8c9cbf215e3fd638db8eafb08a6967f7236b8fd3a0d09c26f23e41643e27520b8848c 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
-7258a9199744242a5c2d4ebd279c130c3fe58dd30512ba1dae43e8fabd6eef407285f2a91e9ffc136be67e584249f836196fb3bdc3f1071324f3eb06f5adcfe5 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
-6383c34a639d389e9b04c736fa57386a3ff31654ad8c288a327d6982c9ff2dc802568deb3d0936db0e806863c300d2c361ab85b3f01bcc38fc1e8ed630fc7be9 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
-971368329285d11893ec470354549318051f29f23ba10eaf97340b95acdac2f7e07879fd119e6a5c3746fbdab9d80f2235e166f4240c0d1ea27b00998b43afd3 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
-4b801e725e8f6b32c8a78fe8249a0e57297cf12687614fd61b964b5d017c4a1a2fbae0e274d89ed8ef0d817ae7a29aff07380e007cf4451b297011459caeb3ff 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
-ee157ddf088dd12be957aa9df6b70df6743631c3669009be82a335cadcf5d8d7ae4b6332e05881160d5891f6e89294d853d199b4b36243f0c315d95003c4d0fc 0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
-5878ca43f14f5c8562c40fb217a87d96c2b65120b73968d5ac6fe8273490f00c4dc2925cf5b60a9b8ccc245a6461ad2671c76e6317a99ba73d3fa3e5a58fd8b7 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
-c45b8a5baefa928135841d0d8fa53cb636d74351d151cc004bf306996ec6b5e8b5cb433083941dd46c67b35016b0db8acf3554a11a60273c9bbd539a96103ddd 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
-6101486f20e8167b3424cb0ae410dded7266d9e6f77059ee61d9704d492272f7e2f8407a66f71ce04b6a36239ea200c9373c91046a06ba869bd439e54a740d51 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
-cb8625745a11907b2193e03c890fdb809abc9245b2ef7351d9f8da3f98a5503f94786522f891a353ea7e8bc5cd87c6d822a4e3243ab10b411c29dbc1c61e656b 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
-bfed26b4bf72321f8807c38dfdb90d46317d1c46f91e72ff7fc4843933a9af8bbedf1b7acb51d5d63d2faf304b6ee5db81fa73339de0bc02d8f9c6fe275025c6 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
-a7a4877e7694cfede4c999b887e6acc74863ed7d0356cb11dee14b422f217b3d3eae7429430d911fb45a437eeb6753c0ab67aa5a5f07a286f37e77e3892ed314 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
-56d4f648bd6923d51a7fc4d4a13f23f840a9885054413f5d56b5b085993b567548d2e88bf1e19b071261e050ff19243228d67e1bec797e6f5fe05c5add2ac4ee 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
-b27845729c1c2409922d97398d5da6186e37860be627b17bf46a9df9defbefb9c9f5233b11f1f9b13d6e251a9da0c9c23ddb875ffef8b18a8a461cec05f6c00a 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
-ceb8025b56dc93d99cb6d0017ce1349c1f2bab723aed0fc71378a8becc1e11af9eab2f63190d7de8b3cd4405317dcab67675ffcfb4013879a0e4d575d7117a5c 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
-0874114b826d40d994c9fb17b17debbf5a461ddd9cdad84a8b8f4ced4ab946e8592f059b36a4712aff13889c344e25d7dc49dc169987349aa5727a45e0b81b78 0017-libxl-Do-not-trust-backend-in-channel-list.patch
-0f623c6055d8a0c7fd3da2f252418c2d86a847c70496eb937588d7dd479032394ba1f3f77b92e9026101be12bdfcd7862573e5b619856c7f917f23b8efde24f1 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-1bf024ed18f27ae13c7071ed3b59f0334d51843f6ece66e815e71d5a2b107ca4b91c8b40d9742f6a1d56e41177080b5cba18922a44f4fecead2b3c7e97218d05 0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
-1988754ebacf96768b3a4efcef60af69107ad5b4882a4dadb5c13ec2b0b0eb6ec54fb7d3092418e0f35257dacc02cb71c5a981f112e9104e9662072a4e5f62ef 0020-libxl-Document-serial-correctly.patch
+dee7a595324ea5de3754c9aad2422fc2021bcb53999e344dbe6e4edfd4772a5ed20e8ebfb40750b81287a2a022037d49cbe4f0f7ba481ae0ac79a4249ef630bf xsa202-4.6.patch
+0ab83e29f10288f24f46de6f9ea267a3ee6eaef356e1905318006d20ffa1dba43c7661229246e394c8454c15e3127df7de026bde02ab3614e1c2ef8fc7396850 xsa204-4.5.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
c3a1b270347a99c8ce21118010ad8d817b4462a31cc5c75352faa7086969ef0646f3f4d0922d85c2e504cff091ce7e9fe79c92f983c2ba4af2fae85c52c3835a 0001-ipxe-dont-clobber-ebp.patch
-e9b88234bd67c2d65fcda1a56deeaf60aaa4c8b2afff128028c6a1478c89f828584dab1ac04f8d9d53cf17d26572e5505d0bbfcc4b2a6842cc749c6c018c0e51 gnutls-3.4.0.patch
475eb800660dc928914b8c15562f18f24d6e7a76f4cc7bed9249ce52d444c29aec1aef843eb37ade0c7c9616195bbbc1606a3195e25b2bd4b6a1d1af5f69256e init-xenstore-domain.patch
76bd60768b296752ca11195bb03a57584686461da45255cb540977111a73c42b5b92362fd46d97bfd20487c96971dd5aed7eae7d8bf1aad7d5199adb875d4962 musl-support.patch
08cf7fac825dd3da5f33856abf6692da00d8928ab73050b3ae0a643ddb97c8ae323238a80152fd31595ac1c31678d559232264258c189e2c05ecaf33e295f13e musl-hvmloader-fix-stdint.patch
diff --git a/main/xen/gnutls-3.4.0.patch b/main/xen/gnutls-3.4.0.patch
deleted file mode 100644
index 9d2ed16..0000000
--- a/main/xen/gnutls-3.4.0.patch
@@ -1,36 +0,0 @@
---- ./tools/qemu-xen-traditional/vnc.c.orig
-+++ ./tools/qemu-xen-traditional/vnc.c
-@@ -2137,10 +2137,6 @@
-
-
- static int vnc_start_tls(struct VncState *vs) {
-- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
-- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
-- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
-- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
-
- VNC_DEBUG("Do TLS setup\n");
- if (vnc_tls_initialize() < 0) {
-@@ -2161,21 +2157,7 @@
- return -1;
- }
-
-- if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) {
-- gnutls_deinit(vs->tls_session);
-- vs->tls_session = NULL;
-- vnc_client_error(vs);
-- return -1;
-- }
--
-- if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) {
-- gnutls_deinit(vs->tls_session);
-- vs->tls_session = NULL;
-- vnc_client_error(vs);
-- return -1;
-- }
--
-- if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) {
-+ if (gnutls_priority_set_direct(vs->tls_session, NEED_X509_AUTH(vs) ? "NORMAL" : "NORMAL:+ANON-DH", NULL) < 0) {
- gnutls_deinit(vs->tls_session);
- vs->tls_session = NULL;
- vnc_client_error(vs);
diff --git a/main/xen/xsa169.patch b/main/xen/xsa169.patch
deleted file mode 100644
index 617e457..0000000
--- a/main/xen/xsa169.patch
@@ -1,33 +0,0 @@
-x86: make debug output consistent in hvm_set_callback_via
-
-The unconditional printks in the switch statement of the
-hvm_set_callback_via function results in Xen log spam in non debug
-versions of Xen. The printks are for debug output only so conditionally
-compile the entire switch statement on debug versions of Xen only.
-
-This is XSA-169.
-
-Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
---- a/xen/arch/x86/hvm/irq.c
-+++ b/xen/arch/x86/hvm/irq.c
-@@ -386,7 +386,8 @@ void hvm_set_callback_via(struct domain
-
- spin_unlock(&d->arch.hvm_domain.irq_lock);
-
-- dprintk(XENLOG_G_INFO, "Dom%u callback via changed to ", d->domain_id);
-+#ifndef NDEBUG
-+ printk(XENLOG_G_INFO "Dom%u callback via changed to ", d->domain_id);
- switch ( via_type )
- {
- case HVMIRQ_callback_gsi:
-@@ -402,6 +403,7 @@ void hvm_set_callback_via(struct domain
- printk("None\n");
- break;
- }
-+#endif
- }
-
- struct hvm_intack hvm_vcpu_has_pending_irq(struct vcpu *v)
diff --git a/main/xen/xsa172.patch b/main/xen/xsa172.patch
deleted file mode 100644
index 8b1d01f..0000000
--- a/main/xen/xsa172.patch
@@ -1,39 +0,0 @@
-x86: fix information leak on AMD CPUs
-
-The fix for XSA-52 was wrong, and so was the change synchronizing that
-new behavior to the FXRSTOR logic: AMD's manuals explictly state that
-writes to the ES bit are ignored, and it instead gets calculated from
-the exception and mask bits (it gets set whenever there is an unmasked
-exception, and cleared otherwise). Hence we need to follow that model
-in our workaround.
-
-This is XSA-172.
-
-The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159.
-The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/i387.c
-+++ b/xen/arch/x86/i387.c
-@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc
- * sometimes new user value. Both should be ok. Use the FPU saved
- * data block as a safe address because it should be in L1.
- */
-- if ( !(fpu_ctxt->fsw & 0x0080) &&
-+ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
- boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- {
- asm volatile ( "fnclex\n\t"
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas
- * data block as a safe address because it should be in L1.
- */
- if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
-- !(ptr->fpu_sse.fsw & 0x0080) &&
-+ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
- boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- asm volatile ( "fnclex\n\t" /* clear exceptions */
- "ffree %%st(7)\n\t" /* clear stack tag */
diff --git a/main/xen/xsa173-4.5.patch b/main/xen/xsa173-4.5.patch
deleted file mode 100644
index d0ebe4a..0000000
--- a/main/xen/xsa173-4.5.patch
@@ -1,244 +0,0 @@
-commit 9d7687d60ae2e09ad2a77b05bd820e7850709375
-Author: Tim Deegan <tim@xen.org>
-Date: Wed Mar 16 16:56:04 2016 +0000
-
- x86: limit GFNs to 32 bits for shadowed superpages.
-
- Superpage shadows store the shadowed GFN in the backpointer field,
- which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage
- mapping of a guest-physical address above 2^44 would lead to the GFN
- being truncated there, and a crash when we come to remove the shadow
- from the hash table.
-
- Track the valid width of a GFN for each guest, including reporting it
- through CPUID, and enforce it in the shadow pagetables. Set the
- maximum witth to 32 for guests where this truncation could occur.
-
- This is XSA-173.
-
- Signed-off-by: Tim Deegan <tim@xen.org>
- Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
-index 5c8d3c2..7dc8220 100644
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-@@ -37,6 +37,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
- struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
-
- unsigned int paddr_bits __read_mostly = 36;
-+unsigned int hap_paddr_bits __read_mostly = 36;
-
- /*
- * Default host IA32_CR_PAT value to cover all memory types.
-@@ -209,7 +210,7 @@ static void __init early_cpu_detect(void)
-
- static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- {
-- u32 tfms, capability, excap, ebx;
-+ u32 tfms, capability, excap, ebx, eax;
-
- /* Get vendor name */
- cpuid(0x00000000, &c->cpuid_level,
-@@ -246,8 +247,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- }
- if ( c->extended_cpuid_level >= 0x80000004 )
- get_model_name(c); /* Default name */
-- if ( c->extended_cpuid_level >= 0x80000008 )
-- paddr_bits = cpuid_eax(0x80000008) & 0xff;
-+ if ( c->extended_cpuid_level >= 0x80000008 ) {
-+ eax = cpuid_eax(0x80000008);
-+ paddr_bits = eax & 0xff;
-+ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits;
-+ }
- }
-
- /* Might lift BIOS max_leaf=3 limit. */
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index 41fb10a..cac458a 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -4327,8 +4327,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx,
- break;
-
- case 0x80000008:
-- count = cpuid_eax(0x80000008);
-- count = (count >> 16) & 0xff ?: count & 0xff;
-+ count = d->arch.paging.gfn_bits + PAGE_SHIFT;
- if ( (*eax & 0xff) > count )
- *eax = (*eax & ~0xff) | count;
-
-diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c
-index 1b26175..50ba7d5 100644
---- a/xen/arch/x86/mm/guest_walk.c
-+++ b/xen/arch/x86/mm/guest_walk.c
-@@ -94,6 +94,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn,
- struct page_info *page;
- void *map;
-
-+ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits )
-+ {
-+ *rc = _PAGE_INVALID_BIT;
-+ return NULL;
-+ }
-+
- /* Translate the gfn, unsharing if shared */
- page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL,
- q);
-@@ -327,20 +333,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
- flags &= ~_PAGE_PAT;
-
- if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 )
-- {
--#if GUEST_PAGING_LEVELS == 2
-- /*
-- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a
-- * no-op here.
-- *
-- * Architecturally, the walk should fail if bit 21 is set (others
-- * aren't being checked at least in PSE36 mode), but we'll ignore
-- * this here in order to avoid specifying a non-natural, non-zero
-- * _PAGE_INVALID_BITS value just for that case.
-- */
--#endif
- rc |= _PAGE_INVALID_BITS;
-- }
-+
- /* Increment the pfn by the right number of 4k pages.
- * Mask out PAT and invalid bits. */
- start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) +
-@@ -423,5 +417,11 @@ set_ad:
- put_page(mfn_to_page(mfn_x(gw->l1mfn)));
- }
-
-+ /* If this guest has a restricted physical address space then the
-+ * target GFN must fit within it. */
-+ if ( !(rc & _PAGE_PRESENT)
-+ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits )
-+ rc |= _PAGE_INVALID_BITS;
-+
- return rc;
- }
-diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
-index 0c80012..84531b1 100644
---- a/xen/arch/x86/mm/hap/hap.c
-+++ b/xen/arch/x86/mm/hap/hap.c
-@@ -429,6 +429,8 @@ void hap_domain_init(struct domain *d)
- {
- INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist);
-
-+ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT;
-+
- /* Use HAP logdirty mechanism. */
- paging_log_dirty_init(d, hap_enable_log_dirty,
- hap_disable_log_dirty,
-diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
-index 18026fe..9028d82 100644
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -48,6 +48,16 @@ void shadow_domain_init(struct domain *d, unsigned int domcr_flags)
- INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist);
- INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows);
-
-+ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT;
-+#ifndef CONFIG_BIGMEM
-+ /*
-+ * Shadowed superpages store GFNs in 32-bit page_info fields.
-+ * Note that we cannot use guest_supports_superpages() here.
-+ */
-+ if ( !is_pv_domain(d) || opt_allow_superpage )
-+ d->arch.paging.gfn_bits = 32;
-+#endif
-+
- /* Use shadow pagetables for log-dirty support */
- paging_log_dirty_init(d, shadow_enable_log_dirty,
- shadow_disable_log_dirty, shadow_clean_dirty_bitmap);
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index d6802ff..7589d23 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -527,7 +527,8 @@ _sh_propagate(struct vcpu *v,
- ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3);
-
- /* Check there's something for the shadows to map to */
-- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) )
-+ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt))
-+ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits )
- {
- *sp = shadow_l1e_empty();
- goto done;
-diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
-index 6a77a93..e8df4a9 100644
---- a/xen/include/asm-x86/domain.h
-+++ b/xen/include/asm-x86/domain.h
-@@ -188,6 +188,9 @@ struct paging_domain {
- /* log dirty support */
- struct log_dirty_domain log_dirty;
-
-+ /* Number of valid bits in a gfn. */
-+ unsigned int gfn_bits;
-+
- /* preemption handling */
- struct {
- const struct domain *dom;
-diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h
-index d2a8250..d95f835 100644
---- a/xen/include/asm-x86/guest_pt.h
-+++ b/xen/include/asm-x86/guest_pt.h
-@@ -220,15 +220,17 @@ guest_supports_nx(struct vcpu *v)
- }
-
-
--/* Some bits are invalid in any pagetable entry. */
--#if GUEST_PAGING_LEVELS == 2
--#define _PAGE_INVALID_BITS (0)
--#elif GUEST_PAGING_LEVELS == 3
--#define _PAGE_INVALID_BITS \
-- get_pte_flags(((1ull<<63) - 1) & ~((1ull<<paddr_bits) - 1))
--#else /* GUEST_PAGING_LEVELS == 4 */
-+/*
-+ * Some bits are invalid in any pagetable entry.
-+ * Normal flags values get represented in 24-bit values (see
-+ * get_pte_flags() and put_pte_flags()), so set bit 24 in
-+ * addition to be able to flag out of range frame numbers.
-+ */
-+#if GUEST_PAGING_LEVELS == 3
- #define _PAGE_INVALID_BITS \
-- get_pte_flags(((1ull<<52) - 1) & ~((1ull<<paddr_bits) - 1))
-+ (_PAGE_INVALID_BIT | get_pte_flags(((1ull << 63) - 1) & ~(PAGE_SIZE - 1)))
-+#else /* 2-level and 4-level */
-+#define _PAGE_INVALID_BITS _PAGE_INVALID_BIT
- #endif
-
-
-diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
-index b4e4731..56fc5a2 100644
---- a/xen/include/asm-x86/processor.h
-+++ b/xen/include/asm-x86/processor.h
-@@ -203,6 +203,8 @@ extern u32 cpuid_ext_features;
-
- /* Maximum width of physical addresses supported by the hardware */
- extern unsigned int paddr_bits;
-+/* Max physical address width supported within HAP guests */
-+extern unsigned int hap_paddr_bits;
-
- extern void identify_cpu(struct cpuinfo_x86 *);
- extern void setup_clear_cpu_cap(unsigned int);
-diff --git a/xen/include/asm-x86/x86_64/page.h b/xen/include/asm-x86/x86_64/page.h
-index 1d54587..f1d1b6c 100644
---- a/xen/include/asm-x86/x86_64/page.h
-+++ b/xen/include/asm-x86/x86_64/page.h
-@@ -141,6 +141,12 @@ typedef l4_pgentry_t root_pgentry_t;
- #define _PAGE_GNTTAB (1U<<22)
-
- /*
-+ * Bit 24 of a 24-bit flag mask! This is not any bit of a real pte,
-+ * and is only used for signalling in variables that contain flags.
-+ */
-+#define _PAGE_INVALID_BIT (1U<<24)
-+
-+/*
- * Bit 12 of a 24-bit flag mask. This corresponds to bit 52 of a pte.
- * This is needed to distinguish between user and kernel PTEs since _PAGE_USER
- * is asserted for both.
diff --git a/main/xen/xsa176.patch b/main/xen/xsa176.patch
deleted file mode 100644
index 1c15abd..0000000
--- a/main/xen/xsa176.patch
@@ -1,45 +0,0 @@
-x86/mm: fully honor PS bits in guest page table walks
-
-In L4 entries it is currently unconditionally reserved (and hence
-should, when set, always result in a reserved bit page fault), and is
-reserved on hardware not supporting 1Gb pages (and hence should, when
-set, similarly cause a reserved bit page fault on such hardware).
-
-This is CVE-2016-4480 / XSA-176.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/mm/guest_walk.c
-+++ b/xen/arch/x86/mm/guest_walk.c
-@@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct
- rc |= _PAGE_PRESENT;
- goto out;
- }
-+ if ( gflags & _PAGE_PSE )
-+ {
-+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
-+ goto out;
-+ }
- rc |= ((gflags & mflags) ^ mflags);
-
- /* Map the l3 table */
-@@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct
- }
- rc |= ((gflags & mflags) ^ mflags);
-
-- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v);
-+ pse1G = !!(gflags & _PAGE_PSE);
-
- if ( pse1G )
- {
-@@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct
- /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */
- flags &= ~_PAGE_PAT;
-
-+ if ( !guest_supports_1G_superpages(v) )
-+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
- if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 )
- rc |= _PAGE_INVALID_BITS;
-
diff --git a/main/xen/xsa181.patch b/main/xen/xsa181.patch
deleted file mode 100644
index c44541e..0000000
--- a/main/xen/xsa181.patch
@@ -1,38 +0,0 @@
-From ee488e2133e581967d13d5287d7bd654e9b2e2a6 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 2 Jun 2016 14:19:00 +0100
-Subject: [PATCH] xen/arm: Don't free p2m->root in p2m_teardown() before it has
- been allocated
-
-If p2m_init() didn't complete successfully, (e.g. due to VMID
-exhaustion), p2m_teardown() is called and unconditionally tries to free
-p2m->root before it has been allocated. free_domheap_pages() doesn't
-tolerate NULL pointers.
-
-This is XSA-181
-
-Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Julien Grall <julien.grall@arm.com>
----
- xen/arch/arm/p2m.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
-index 838d004..6a19c57 100644
---- a/xen/arch/arm/p2m.c
-+++ b/xen/arch/arm/p2m.c
-@@ -1408,7 +1408,8 @@ void p2m_teardown(struct domain *d)
- while ( (pg = page_list_remove_head(&p2m->pages)) )
- free_domheap_page(pg);
-
-- free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
-+ if ( p2m->root )
-+ free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
-
- p2m->root = NULL;
-
---
-2.1.4
-
diff --git a/main/xen/xsa182-4.5.patch b/main/xen/xsa182-4.5.patch
deleted file mode 100644
index 95971a4..0000000
--- a/main/xen/xsa182-4.5.patch
@@ -1,102 +0,0 @@
-From 798c1498f764bfaa7b0b955bab40b01b0610d372 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Mon, 11 Jul 2016 14:32:03 +0100
-Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
-
-All changes in writeability and cacheability must go through full
-re-validation.
-
-Rework the logic as a whitelist, to make it clearer to follow.
-
-This is XSA-182
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
----
- xen/arch/x86/mm.c | 28 ++++++++++++++++------------
- xen/include/asm-x86/page.h | 1 +
- 2 files changed, 17 insertions(+), 12 deletions(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index b4c4fa4..a68a1ab 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -1695,6 +1695,14 @@ static inline int update_intpte(intpte_t *p,
- _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \
- (_m), (_v), (_ad))
-
-+/*
-+ * PTE flags that a guest may change without re-validating the PTE.
-+ * All other bits affect translation, caching, or Xen's safety.
-+ */
-+#define FASTPATH_FLAG_WHITELIST \
-+ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \
-+ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER)
-+
- /* Update the L1 entry at pl1e to new value nl1e. */
- static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
- unsigned long gl1mfn, int preserve_ad,
-@@ -1735,9 +1743,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping, r/w, presence, and cachability. */
-- if ( !l1e_has_changed(ol1e, nl1e,
-- PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l1e(nl1e, pt_dom);
- if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
-@@ -1819,11 +1826,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l2e_has_changed(ol2e, nl2e,
-- unlikely(opt_allow_superpage)
-- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
-- : _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l2e(nl2e, d);
- if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
-@@ -1888,8 +1892,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l3e(nl3e, d);
- rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad);
-@@ -1952,8 +1956,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l4e(nl4e, d);
- rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad);
-diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h
-index 6dc9646..03c024c 100644
---- a/xen/include/asm-x86/page.h
-+++ b/xen/include/asm-x86/page.h
-@@ -308,6 +308,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t);
- #define _PAGE_AVAIL2 _AC(0x800,U)
- #define _PAGE_AVAIL _AC(0xE00,U)
- #define _PAGE_PSE_PAT _AC(0x1000,U)
-+#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12)
- /* non-architectural flags */
- #define _PAGE_PAGED 0x2000U
- #define _PAGE_SHARED 0x4000U
---
-2.1.4
-
diff --git a/main/xen/xsa183-4.6.patch b/main/xen/xsa183-4.6.patch
deleted file mode 100644
index 84d7007..0000000
--- a/main/xen/xsa183-4.6.patch
@@ -1,75 +0,0 @@
-From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 15 Jun 2016 18:32:14 +0100
-Subject: [PATCH] x86/entry: Avoid SMAP violation in
- compat_create_bounce_frame()
-
-A 32bit guest kernel might be running on user mappings.
-compat_create_bounce_frame() must whitelist its guest accesses to avoid
-risking a SMAP violation.
-
-For both variants of create_bounce_frame(), re-blacklist user accesses if
-execution exits via an exception table redirection.
-
-This is XSA-183 / CVE-2016-6259
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
-v2:
- * Include CLAC on the exit paths from compat_create_bounce_frame which occur
- from faults attempting to load %fs
- * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz
----
- xen/arch/x86/x86_64/compat/entry.S | 3 +++
- xen/arch/x86/x86_64/entry.S | 2 ++
- 2 files changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
-index 0e3db7c..1eaf4bb 100644
---- a/xen/arch/x86/x86_64/compat/entry.S
-+++ b/xen/arch/x86/x86_64/compat/entry.S
-@@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap)
- compat_create_bounce_frame:
- ASSERT_INTERRUPTS_ENABLED
- mov %fs,%edi
-+ ASM_STAC
- testb $2,UREGS_cs+8(%rsp)
- jz 1f
- /* Push new frame at registered guest-OS stack base. */
-@@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe)
- movl %ds,%eax
- .Lft12: movl %eax,%fs:0*4(%rsi) # DS
- UNLIKELY_END(compat_bounce_failsafe)
-+ ASM_CLAC
- /* Rewrite our stack frame and return to guest-OS mode. */
- /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
- andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
-@@ -448,6 +450,7 @@ compat_crash_page_fault_4:
- addl $4,%esi
- compat_crash_page_fault:
- .Lft14: mov %edi,%fs
-+ ASM_CLAC
- movl %esi,%edi
- call show_page_walk
- jmp dom_crash_sync_extable
-diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
-index 6e27508..0c2e63a 100644
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-@@ -462,9 +462,11 @@ domain_crash_page_fault_16:
- domain_crash_page_fault_8:
- addq $8,%rsi
- domain_crash_page_fault:
-+ ASM_CLAC
- movq %rsi,%rdi
- call show_page_walk
- ENTRY(dom_crash_sync_extable)
-+ ASM_CLAC
- # Get out of the guest-save area of the stack.
- GET_STACK_BASE(%rax)
- leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
---
-2.1.4
-
diff --git a/main/xen/xsa184-qemut-master.patch b/main/xen/xsa184-qemut-master.patch
deleted file mode 100644
index b376f33..0000000
--- a/main/xen/xsa184-qemut-master.patch
@@ -1,43 +0,0 @@
-From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 26 Jul 2016 15:31:59 +0100
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size. This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible. Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits. This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio.c b/hw/virtio.c
-index c26feff..42897bf 100644
---- a/tools/qemu-xen-traditional/hw/virtio.c
-+++ b/tools/qemu-xen-traditional/hw/virtio.c
-@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
- /* When we start there are none of either input nor output. */
- elem->out_num = elem->in_num = 0;
-
-+ if (vq->inuse >= vq->vring.num) {
-+ fprintf(stderr, "Virtqueue size exceeded");
-+ exit(1);
-+ }
-+
- i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
- do {
- struct iovec *sg;
---
-2.1.4
-
diff --git a/main/xen/xsa184-qemuu-master.patch b/main/xen/xsa184-qemuu-master.patch
deleted file mode 100644
index bbe44e8..0000000
--- a/main/xen/xsa184-qemuu-master.patch
@@ -1,43 +0,0 @@
-From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Mon, 25 Jul 2016 17:37:18 +0530
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size. This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible. Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits. This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index d24f775..f8ac0fb 100644
---- a/tools/qemu-xen/hw/virtio/virtio.c
-+++ b/tools/qemu-xen/hw/virtio/virtio.c
-@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
-
- max = vq->vring.num;
-
-+ if (vq->inuse >= max) {
-+ error_report("Virtqueue size exceeded");
-+ exit(1);
-+ }
-+
- i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
- if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
- vring_set_avail_event(vq, vq->last_avail_idx);
---
-2.1.4
-
diff --git a/main/xen/xsa185.patch b/main/xen/xsa185.patch
deleted file mode 100644
index a4c133e..0000000
--- a/main/xen/xsa185.patch
@@ -1,38 +0,0 @@
-From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Mon, 8 Aug 2016 10:58:12 +0100
-Subject: x86/32on64: don't allow recursive page tables from L3
-
-L3 entries are special in PAE mode, and hence can't reasonably be used
-for setting up recursive (and hence linear) page table mappings. Since
-abuse is possible when the guest in fact gets run on 4-level page
-tables, this needs to be excluded explicitly.
-
-This is XSA-185.
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/mm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 109b8be..69b8b8d 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -1122,7 +1122,9 @@ get_page_from_l3e(
-
- rc = get_page_and_type_from_pagenr(
- l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
-- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
-+ if ( unlikely(rc == -EINVAL) &&
-+ !is_pv_32bit_domain(d) &&
-+ get_l3_linear_pagetable(l3e, pfn, d) )
- rc = 0;
-
- return rc;
---
-2.1.4
-
diff --git a/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch b/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
deleted file mode 100644
index b257497..0000000
--- a/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
@@ -1,73 +0,0 @@
-From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 22 Jul 2016 16:02:54 +0000
-Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
- instructions
-
-This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
-
-Experimentally, in long mode processors will execute an instruction stream
-which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
-boundary is aligned on the virtual boundary, or is misaligned.
-
-In compatibility mode, Intel processors will execute an instruction stream
-which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
-segmentation fault. Xen's segmentation behaviour matches AMD.
-
-For 16bit code, hardware does not ever truncated %ip. %eip is always used and
-behaves normally as a 32bit register, including in 16bit protected mode
-segments, as well as in Real and Unreal mode.
-
-This is XSA-186
-
-Reported-by: Brian Marcotte <marcotte@panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
- 1 file changed, 4 insertions(+), 18 deletions(-)
-
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index d5a56cf..bf3529a 100644
---- a/xen/arch/x86/x86_emulate/x86_emulate.c
-+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -1570,10 +1570,6 @@ x86_emulate(
- #endif
- }
-
-- /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
-- if ( def_ad_bytes < sizeof(_regs.eip) )
-- _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
--
- /* Prefix bytes. */
- for ( ; ; )
- {
-@@ -3906,21 +3902,11 @@ x86_emulate(
-
- /* Commit shadow register state. */
- _regs.eflags &= ~EFLG_RF;
-- switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
-- {
-- uint16_t ip;
-
-- case 2:
-- ip = _regs.eip;
-- _regs.eip = ctxt->regs->eip;
-- *(uint16_t *)&_regs.eip = ip;
-- break;
--#ifdef __x86_64__
-- case 4:
-- _regs.rip = _regs._eip;
-- break;
--#endif
-- }
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( def_ad_bytes < sizeof(_regs.eip) )
-+ _regs.eip = (uint32_t)_regs.eip;
-+
- *ctxt->regs = _regs;
-
- done:
---
-2.1.4
-
diff --git a/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch b/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
deleted file mode 100644
index 07c30a2..0000000
--- a/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
@@ -1,41 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
-
-The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
-rdtsc, but isn't really an instruction prefix. It behaves as a break-out into
-Xen, with the purpose of emulating the next instruction in the current state.
-
-It is important to be able to test legal situations which occur in real
-hardware, including instruction which cross certain boundaries, and
-instructions starting at 0.
-
-Reported-by: Brian Marcotte <marcotte@panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/hvm/svm/svm.c
-+++ b/xen/arch/x86/hvm/svm/svm.c
-@@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru
- {
- regs->eip += sizeof(sig);
- regs->eflags &= ~X86_EFLAGS_RF;
-+
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( svm_guest_x86_mode(current) != 8 )
-+ regs->eip = regs->_eip;
- }
- }
-
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru
- {
- regs->eip += sizeof(sig);
- regs->eflags &= ~X86_EFLAGS_RF;
-+
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( vmx_guest_x86_mode(current) != 8 )
-+ regs->eip = regs->_eip;
- }
- }
-
diff --git a/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
deleted file mode 100644
index e8cd1e7..0000000
--- a/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
@@ -1,142 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
-
-HVM HAP codepaths have space for all segment registers in the seg_reg[]
-cache (with x86_seg_none still risking an array overrun), while the shadow
-codepaths only have space for the user segments.
-
-Range check the input segment of *_get_seg_reg() against the size of the array
-used to cache the results, to avoid overruns in the case that the callers
-don't filter their input suitably.
-
-Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
-an incomplete attempt at range checking, and are now superceeded. Make
-hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
-
-No functional change, but far easier to reason that no overflow is possible.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/hvm/emulate.c
-+++ b/xen/arch/x86/hvm/emulate.c
-@@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear(
- ? 1 : 4096);
-
- reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
- {
-@@ -1360,6 +1362,10 @@ static int hvmemul_read_segment(
- struct hvm_emulate_ctxt *hvmemul_ctxt =
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(reg, sreg, sizeof(struct segment_register));
- return X86EMUL_OKAY;
- }
-@@ -1373,6 +1379,9 @@ static int hvmemul_write_segment(
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(sreg, reg, sizeof(struct segment_register));
- __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
-
-@@ -1911,10 +1920,17 @@ void hvm_emulate_writeback(
- }
- }
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvmemul_get_seg_reg(
- enum x86_segment seg,
- struct hvm_emulate_ctxt *hvmemul_ctxt)
- {
-+ if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
- if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
- hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
- return &hvmemul_ctxt->seg_reg[seg];
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init);
- /* x86 emulator support for the shadow code
- */
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvm_get_seg_reg(
- enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
- {
-- struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
-+ struct segment_register *seg_reg;
-+
-+ if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
-+ seg_reg = &sh_ctxt->seg_reg[seg];
- if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
- hvm_get_segment_register(current, seg, seg_reg);
- return seg_reg;
-@@ -145,14 +154,9 @@ static int hvm_translate_linear_addr(
- struct segment_register *reg;
- int okay;
-
-- /*
-- * Can arrive here with non-user segments. However, no such cirucmstance
-- * is part of a legitimate pagetable update, so fail the emulation.
-- */
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-@@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg,
- unsigned long addr;
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- /* How many emulations could we save if we unshadowed on stack writes? */
- if ( seg == x86_seg_ss )
- perfc_incr(shadow_fault_emulate_stack);
-@@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
- unsigned long addr, old[2], new[2];
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- rc = hvm_translate_linear_addr(
- seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
- if ( rc )
---- a/xen/include/asm-x86/hvm/emulate.h
-+++ b/xen/include/asm-x86/hvm/emulate.h
-@@ -13,6 +13,7 @@
- #define __ASM_X86_HVM_EMULATE_H__
-
- #include <xen/config.h>
-+#include <xen/err.h>
- #include <asm/hvm/hvm.h>
- #include <asm/x86_emulate.h>
-
diff --git a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
deleted file mode 100644
index bc99596..0000000
--- a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
@@ -1,42 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
-
-hvm_get_seg_reg() does not perform a range check on its input segment, calls
-hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
-
-x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
-in {vmx,svm}_get_segment_register().
-
-HVM guests running with shadow paging can end up performing a virtual to
-linear translation with x86_seg_none. This is used for addresses which are
-already linear. However, none of this is a legitimate pagetable update, so
-fail the emulation in such a case.
-
-This is XSA-187
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
- struct sh_emulate_ctxt *sh_ctxt,
- unsigned long *paddr)
- {
-- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ struct segment_register *reg;
- int okay;
-
-+ /*
-+ * Can arrive here with non-user segments. However, no such cirucmstance
-+ * is part of a legitimate pagetable update, so fail the emulation.
-+ */
-+ if ( !is_x86_user_segment(seg) )
-+ return X86EMUL_UNHANDLEABLE;
-+
-+ reg = hvm_get_seg_reg(seg, sh_ctxt);
-+
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-
diff --git a/main/xen/xsa202-4.6.patch b/main/xen/xsa202-4.6.patch
new file mode 100644
index 0000000..0c7fff0
--- /dev/null
+++ b/main/xen/xsa202-4.6.patch
@@ -0,0 +1,73 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86: force EFLAGS.IF on when exiting to PV guests
+
+Guest kernels modifying instructions in the process of being emulated
+for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
+next exiting to guest context, by converting the being emulated
+instruction to CLI (at the right point in time). Prevent any such bad
+effects by always forcing EFLAGS.IF on. And to cover hypothetical other
+similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.
+
+This is XSA-202.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -174,6 +174,8 @@ compat_bad_hypercall:
+ /* %rbx: struct vcpu, interrupts disabled */
+ ENTRY(compat_restore_all_guest)
+ ASSERT_INTERRUPTS_DISABLED
++ mov $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
++ and UREGS_eflags(%rsp),%r11d
+ .Lcr4_orig:
+ .skip .Lcr4_alt_end - .Lcr4_alt, 0x90
+ .Lcr4_orig_end:
+@@ -209,6 +211,8 @@ ENTRY(compat_restore_all_guest)
+ (.Lcr4_orig_end - .Lcr4_orig), \
+ (.Lcr4_alt_end - .Lcr4_alt)
+ .popsection
++ or $X86_EFLAGS_IF,%r11
++ mov %r11d,UREGS_eflags(%rsp)
+ RESTORE_ALL adj=8 compat=1
+ .Lft0: iretq
+
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -40,28 +40,29 @@ restore_all_guest:
+ testw $TRAP_syscall,4(%rsp)
+ jz iret_exit_to_guest
+
++ movq 24(%rsp),%r11 # RFLAGS
++ andq $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
++ orq $X86_EFLAGS_IF,%r11
++
+ /* Don't use SYSRET path if the return address is not canonical. */
+ movq 8(%rsp),%rcx
+ sarq $47,%rcx
+ incl %ecx
+ cmpl $1,%ecx
+- ja .Lforce_iret
++ movq 8(%rsp),%rcx # RIP
++ ja iret_exit_to_guest
+
+ cmpw $FLAT_USER_CS32,16(%rsp)# CS
+- movq 8(%rsp),%rcx # RIP
+- movq 24(%rsp),%r11 # RFLAGS
+ movq 32(%rsp),%rsp # RSP
+ je 1f
+ sysretq
+ 1: sysretl
+
+-.Lforce_iret:
+- /* Mimic SYSRET behavior. */
+- movq 8(%rsp),%rcx # RIP
+- movq 24(%rsp),%r11 # RFLAGS
+ ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
++ andl $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
++ orl $X86_EFLAGS_IF,24(%rsp)
+ addq $8,%rsp
+ .Lft0: iretq
+
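Review bot: The file added here is named `xsa202-4.6.patch`, but the commit description says the package is at xen-4.5.5 and the sibling fix is `xsa204-4.5.patch`, so the record should say which advisory variant this is and why it is the right one for a 4.5 tree. Its inner hunks (`@@ -174,6 +174,8 @@` in compat/entry.S and `@@ -40,28 +40,29 @@` in entry.S) rewrite the exit-to-guest path around `iret_exit_to_guest` and the removed `.Lforce_iret` label, presumably with offsets taken from a 4.6 tree. A hunk that applies with fuzz or lands at the wrong label would leave the EFLAGS.IF forcing incomplete without any build error, so the prepare step should be confirmed to apply it cleanly. I would add one line to the commit description, for example `xsa202-4.6.patch is the variant the XSA-202 advisory provides for 4.5.x`, if that is what the advisory states. I would also compare the file with the checksum the advisory publishes for that attachment.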
diff --git a/main/xen/xsa204-4.5.patch b/main/xen/xsa204-4.5.patch
new file mode 100644
index 0000000..352845a
--- /dev/null
+++ b/main/xen/xsa204-4.5.patch
@@ -0,0 +1,69 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1537,6 +1537,7 @@ x86_emulate(
+ union vex vex = {};
+ unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+ bool_t lock_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src = { .reg = REG_POISON };
+ struct operand dst = { .reg = REG_POISON };
+@@ -3881,9 +3882,8 @@ x86_emulate(
+ break;
+ }
+
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -4068,6 +4068,23 @@ x86_emulate(
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+
--
2.4.11