
[alpine-aports] [PATCH] main/xen: upgrade to 4.9.0

From: Daniel Sabogal <dsabogalcc_at_gmail.com>
Date: Mon, 7 Aug 2017 11:39:55 -0400

fixes #7502

Security fixes for all applicable XSAs up to (and including) XSA-225
The kernel side of XSA-216 was fixed in 4.9.35
Included modified xattr_size_max.patch from main/qemu 2.8
---
 main/xen/APKBUILD                      |  33 +++---
 main/xen/musl-support.patch            |  23 +----
 main/xen/xenqemu-configure-ifunc.patch |  11 --
 main/xen/xenqemu-xattr-size-max.patch  |  13 +++
 main/xen/xsa213-4.8.patch              | 177 ---------------------------------
 main/xen/xsa214.patch                  |  41 --------
 6 files changed, 35 insertions(+), 263 deletions(-)
 delete mode 100644 main/xen/xenqemu-configure-ifunc.patch
 create mode 100644 main/xen/xenqemu-xattr-size-max.patch
 delete mode 100644 main/xen/xsa213-4.8.patch
 delete mode 100644 main/xen/xsa214.patch
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index e689037c2c..374292e7f6 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
_at_@ -2,8 +2,8 @@
 # Contributor: Roger Pau Monne <roger.pau_at_entel.upc.edu>
 # Maintainer: William Pitcock <nenolod_at_dereferenced.org>
 pkgname=xen
-pkgver=4.8.1
-pkgrel=4
+pkgver=4.9.0
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf"
_at_@ -59,6 +59,20 @@ options="!strip"
 #   4.8.1-r2:
 #     - CVE-2017-8903 XSA-213
 #     - CVE-2017-8904 XSA-214
+#   4.9.0-r0:
+#     - CVE-2017-10911 XSA-216
+#     - CVE-2017-10912 XSA-217
+#     - CVE-2017-10913 XSA-218
+#     - CVE-2017-10914 XSA-218
+#     - CVE-2017-10915 XSA-219
+#     - CVE-2017-10916 XSA-220
+#     - CVE-2017-10917 XSA-221
+#     - CVE-2017-10918 XSA-222
+#     - CVE-2017-10919 XSA-223
+#     - CVE-2017-10920 XSA-224
+#     - CVE-2017-10921 XSA-224
+#     - CVE-2017-10922 XSA-224
+#     - CVE-2017-10923 XSA-225
 
 case "$CARCH" in
 x86*)
_at_@ -92,7 +106,7 @@ _TPMEMU_VERSION="0.7.4"
 # grep ^IPXE_GIT_TAG tools/firmware/etherboot/Makefile
 _IPXE_GIT_TAG=827dd1bfee67daa683935ce65316f7e0f057fe1c
 
-source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
+source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgver.tar.gz
 	http://xenbits.xen.org/xen-extfiles/gmp-$_GMP_VERSION.tar.bz2
 	http://xenbits.xen.org/xen-extfiles/grub-$_GRUB_VERSION.tar.gz
 	http://xenbits.xen.org/xen-extfiles/lwip-$_LWIP_VERSION.tar.gz
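Review bot: The xen-extfiles entries in `source=` (gmp, grub, lwip, and the ones further down outside this hunk) are still fetched over plain `http://`, while this hunk moves only the main tarball to HTTPS. Integrity of those downloads therefore rests entirely on the matching `sha512sums` entries in this file. If xenbits serves these paths over TLS, switching them as well, e.g. `https://xenbits.xen.org/xen-extfiles/gmp-$_GMP_VERSION.tar.bz2`, would be consistent with the tarball change. The new `xen-4.9.0.tar.gz` checksum in the later hunk is worth confirming against the upstream release signature rather than only against the downloaded file.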
_at_@ -103,9 +117,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz
 	http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz
 
-	xsa213-4.8.patch
-	xsa214.patch
-
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
 
_at_@ -122,7 +133,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 
 	xenstore_client_transaction_fix.patch
 
-	xenqemu-configure-ifunc.patch
+	xenqemu-xattr-size-max.patch
 
 	xenstored.initd
 	xenstored.confd
_at_@ -345,7 +356,7 @@ EOF
 
 }
 
-sha512sums="9f535b4bb57d285dfb92c974d55513505cf485b2d7218fe8f6ed62768e2cee7f225b08adf6706590b2c0a04feca16e10915297c33b98e1b110f8ea7035f46c15  xen-4.8.1.tar.gz
+sha512sums="97f8075c49ef9ec0adbe95106c0cff4f9379578fd568777697565476c3fd948335d72ddcacf8be65fd9db219c0a35dcdc007f355f7e5874dd950fd4c0a0f966f  xen-4.9.0.tar.gz
 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf  gmp-4.3.2.tar.bz2
 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb  grub-0.97.tar.gz
 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d  lwip-1.3.0.tar.gz
_at_@ -355,20 +366,18 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35  tpm_emulator-0.7.4.tar.gz
 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e  zlib-1.2.3.tar.gz
 82ba65e1c676d32b29c71e6395c9506cab952c8f8b03f692e2b50133be8f0c0146d0f22c223262d81a4df579986fde5abc6507869f4965be4846297ef7b4b890  ipxe-git-827dd1bfee67daa683935ce65316f7e0f057fe1c.tar.gz
-a3d0884cb2514c2b59a2715464600618cc41de0c59e0949e37d9544b1790dc43a6580b0d2bb2c7fcc15a518d9899660728b1d7ed961b74b37cabd99f7751c4f2  xsa213-4.8.patch
-ea12702e97b9417ea6c4120dbc7cf9c5e2b89f82b41cfd389069d3238891749474a5d3925d2dc571a7cc2aaf5e88af03ccc9af60046eaa39425b5af05f62fba0  xsa214.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
 5514d7697c87f7d54d64723d44446b9bd84f6c984e763bd21d4eeaf502bf0c5b765f7b2180f8ca496b3baf97e7efd600b1cc1fdd1284b6ecbffe9846190ca069  rombios-no-pie.patch
-15d8bfd94ef81b90bfa7480d482d7ff6a5a9dfe6769b3dd3e1d656a95523521e89b9e99f40f3edb457170df8bb5f921d1f720d566a70895882f8197ae0f3708d  musl-support.patch
+a3197d9c2455983554610031702ea95dc31f1b375b8c1291207d33c9e6114c6928417b4c8138cb5356ee58d07846963143abba5f204ecaee49eab6f84ad5e4f5  musl-support.patch
 77b08e9655e091b0352e4630d520b54c6ca6d659d1d38fbb4b3bfc9ff3e66db433a2e194ead32bb10ff962c382d800a670e82b7a62835b238e294b22808290ea  musl-hvmloader-fix-stdint.patch
 8c3b57eab8641bcee3dbdc1937ea7874f77b9722a5a0aa3ddb8dff8cc0ced7e19703ef5d998621b3809bea7c16f3346cfa47610ec9ab014ad0de12651c94e5ff  stdint_local.h
 853467a2d055c5bfbdc7bdca175a334241be44a7c5ac3c0a84a4bc5463b5c070b66d37e2a557429ef860727a6b7350683af758cc2494d85b6be4d883143a2c0d  elf_local.h
 79cb1b6b81b17cb87a064dfe3548949dfb80f64f203cac11ef327102b7a25794549ce2d9c019ebf05f752214da8e05065e9219d069e679c0ae5bee3d090c685e  xen-hotplug-lockfd.patch
 e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3ac853c5dbad8082da3c9cd53b65081910516feb492577b7fc  xen-fd-is-file.c
 69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077  xenstore_client_transaction_fix.patch
-e0dd7069968d51574d6e5603d5738494b112bfda085bc75f10102658be3b2901d8d253c52927c707668e1cdb62d12c101213e42cd72d9b307fa83d1355a7526a  xenqemu-configure-ifunc.patch
+2094ea964fa610b2bf72fd2c7ede7e954899a75c0f5b08030cf1d74460fb759ade84866176e32f8fe29c921dfdc6dafd2b31e23ab9b0a3874d3dceeabdd1913b  xenqemu-xattr-size-max.patch
 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50  xenstored.initd
 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0  xenstored.confd
 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523  xenconsoled.initd
diff --git a/main/xen/musl-support.patch b/main/xen/musl-support.patch
index 67bc27f528..ead6e08d1e 100644
--- a/main/xen/musl-support.patch
+++ b/main/xen/musl-support.patch
_at_@ -38,7 +38,7 @@
          /* child */
 -        r = login_tty(libxl__carefd_fd(bl->ptys[0].slave));
 +        r = setup_console_tty(libxl__carefd_fd(bl->ptys[0].slave));
-         if (r) { LOGE(ERROR, "login_tty failed"); exit(-1); }
+         if (r) { LOGED(ERROR, bl->domid, "login_tty failed"); exit(-1); }
          libxl__exec(gc, -1, -1, -1, bl->args[0], (char **) bl->args, env);
          exit(-1);
 --- xen-4.3.1.orig/tools/firmware/hvmloader/acpi/acpi2_0.h
_at_@ -62,24 +62,3 @@
  
  #include "atomicio.h"
  #include "libvhd-journal.h"
---- xen-4.3.1.orig/tools/blktap2/include/atomicio.h
-+++ xen-4.3.1/tools/blktap2/include/atomicio.h
-_at_@ -25,6 +25,8 @@
-  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-  */
- 
-+#include <sys/types.h>
-+
- /*
-  * Ensure all of data on socket comes through. f==read || f==vwrite
-  */
---- xen-4.3.1.orig/tools/blktap2/drivers/block-remus.c
-+++ xen-4.3.1/tools/blktap2/drivers/block-remus.c
-_at_@ -54,7 +54,6 @@
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <sys/param.h>
--#include <sys/sysctl.h>
- #include <unistd.h>
- #include <sys/stat.h>
- 
diff --git a/main/xen/xenqemu-configure-ifunc.patch b/main/xen/xenqemu-configure-ifunc.patch
deleted file mode 100644
index a201e141e6..0000000000
--- a/main/xen/xenqemu-configure-ifunc.patch
+++ /dev/null
_at_@ -1,11 +0,0 @@
---- ./tools/qemu-xen/configure.orig
-+++ ./tools/qemu-xen/configure
-_at_@ -1805,7 +1805,7 @@
- EOF
-   if compile_object "" ; then
-       if has readelf; then
--          if readelf --syms $TMPO 2>/dev/null |grep -q "IFUNC.*foo"; then
-+          if readelf --syms $TMPO 2>/dev/null |grep -q "IFUNC.*foo" && ldd $TMPO >/dev/null 2>&1; then
-               avx2_opt="yes"
-           fi
-       fi
diff --git a/main/xen/xenqemu-xattr-size-max.patch b/main/xen/xenqemu-xattr-size-max.patch
new file mode 100644
index 0000000000..b0c02cbdad
--- /dev/null
+++ b/main/xen/xenqemu-xattr-size-max.patch
_at_@ -0,0 +1,13 @@
+--- xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c.orig
++++ xen-4.9.0/tools/qemu-xen/hw/9pfs/9p.c
+_at_@ -25,6 +25,10 @@
+ #include "trace.h"
+ #include "migration/migration.h"
+ 
++#ifdef __linux__
++#include <linux/limits.h> /* for XATTR_SIZE_MAX */
++#endif
++
+ int open_fd_hw;
+ int total_open_fd;
+ static int open_fd_rc;
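Review bot: The new patch file has no header recording where it came from or why it is needed; the commit message says it is a modified xattr_size_max.patch from main/qemu 2.8, but the file itself does not. A short description above its `---` line, such as `Include <linux/limits.h> so XATTR_SIZE_MAX is defined for hw/9pfs/9p.c (adapted from main/qemu)`, would let a later maintainer tell when it can be dropped. The macro is presumably used as a size bound in 9p.c, so it is worth stating that the build is expected to fail rather than fall back to another value when the header is unavailable.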
diff --git a/main/xen/xsa213-4.8.patch b/main/xen/xsa213-4.8.patch
deleted file mode 100644
index 2f9fa6ab11..0000000000
--- a/main/xen/xsa213-4.8.patch
+++ /dev/null
_at_@ -1,177 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: multicall: deal with early exit conditions
-
-In particular changes to guest privilege level require the multicall
-sequence to be aborted, as hypercalls are permitted from kernel mode
-only. While likely not very useful in a multicall, also properly handle
-the return value in the HYPERVISOR_iret case (which should be the guest
-specified value).
-
-This is XSA-213.
-
-Reported-by: Jann Horn <jannh_at_google.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Julien Grall <julien.grall_at_arm.com>
-
---- a/xen/arch/arm/traps.c
-+++ b/xen/arch/arm/traps.c
-_at_@ -1550,7 +1550,7 @@ static bool_t check_multicall_32bit_clea
-     return true;
- }
- 
--void arch_do_multicall_call(struct mc_state *state)
-+enum mc_disposition arch_do_multicall_call(struct mc_state *state)
- {
-     struct multicall_entry *multi = &state->call;
-     arm_hypercall_fn_t call = NULL;
-_at_@ -1558,23 +1558,26 @@ void arch_do_multicall_call(struct mc_st
-     if ( multi->op >= ARRAY_SIZE(arm_hypercall_table) )
-     {
-         multi->result = -ENOSYS;
--        return;
-+        return mc_continue;
-     }
- 
-     call = arm_hypercall_table[multi->op].fn;
-     if ( call == NULL )
-     {
-         multi->result = -ENOSYS;
--        return;
-+        return mc_continue;
-     }
- 
-     if ( is_32bit_domain(current->domain) &&
-          !check_multicall_32bit_clean(multi) )
--        return;
-+        return mc_continue;
- 
-     multi->result = call(multi->args[0], multi->args[1],
-                          multi->args[2], multi->args[3],
-                          multi->args[4]);
-+
-+    return likely(!psr_mode_is_user(guest_cpu_user_regs()))
-+           ? mc_continue : mc_preempt;
- }
- 
- /*
---- a/xen/arch/x86/hypercall.c
-+++ b/xen/arch/x86/hypercall.c
-_at_@ -255,15 +255,19 @@ void pv_hypercall(struct cpu_user_regs *
-     perfc_incr(hypercalls);
- }
- 
--void arch_do_multicall_call(struct mc_state *state)
-+enum mc_disposition arch_do_multicall_call(struct mc_state *state)
- {
--    if ( !is_pv_32bit_vcpu(current) )
-+    struct vcpu *curr = current;
-+    unsigned long op;
-+
-+    if ( !is_pv_32bit_vcpu(curr) )
-     {
-         struct multicall_entry *call = &state->call;
- 
--        if ( (call->op < ARRAY_SIZE(pv_hypercall_table)) &&
--             pv_hypercall_table[call->op].native )
--            call->result = pv_hypercall_table[call->op].native(
-+        op = call->op;
-+        if ( (op < ARRAY_SIZE(pv_hypercall_table)) &&
-+             pv_hypercall_table[op].native )
-+            call->result = pv_hypercall_table[op].native(
-                 call->args[0], call->args[1], call->args[2],
-                 call->args[3], call->args[4], call->args[5]);
-         else
-_at_@ -274,15 +278,21 @@ void arch_do_multicall_call(struct mc_st
-     {
-         struct compat_multicall_entry *call = &state->compat_call;
- 
--        if ( (call->op < ARRAY_SIZE(pv_hypercall_table)) &&
--             pv_hypercall_table[call->op].compat )
--            call->result = pv_hypercall_table[call->op].compat(
-+        op = call->op;
-+        if ( (op < ARRAY_SIZE(pv_hypercall_table)) &&
-+             pv_hypercall_table[op].compat )
-+            call->result = pv_hypercall_table[op].compat(
-                 call->args[0], call->args[1], call->args[2],
-                 call->args[3], call->args[4], call->args[5]);
-         else
-             call->result = -ENOSYS;
-     }
- #endif
-+
-+    return unlikely(op == __HYPERVISOR_iret)
-+           ? mc_exit
-+           : likely(guest_kernel_mode(curr, guest_cpu_user_regs()))
-+             ? mc_continue : mc_preempt;
- }
- 
- /*
---- a/xen/common/multicall.c
-+++ b/xen/common/multicall.c
-_at_@ -40,6 +40,7 @@ do_multicall(
-     struct mc_state *mcs = &current->mc_state;
-     uint32_t         i;
-     int              rc = 0;
-+    enum mc_disposition disp = mc_continue;
- 
-     if ( unlikely(__test_and_set_bit(_MCSF_in_multicall, &mcs->flags)) )
-     {
-_at_@ -50,7 +51,7 @@ do_multicall(
-     if ( unlikely(!guest_handle_okay(call_list, nr_calls)) )
-         rc = -EFAULT;
- 
--    for ( i = 0; !rc && i < nr_calls; i++ )
-+    for ( i = 0; !rc && disp == mc_continue && i < nr_calls; i++ )
-     {
-         if ( i && hypercall_preempt_check() )
-             goto preempted;
-_at_@ -63,7 +64,7 @@ do_multicall(
- 
-         trace_multicall_call(&mcs->call);
- 
--        arch_do_multicall_call(mcs);
-+        disp = arch_do_multicall_call(mcs);
- 
- #ifndef NDEBUG
-         {
-_at_@ -77,7 +78,14 @@ do_multicall(
-         }
- #endif
- 
--        if ( unlikely(__copy_field_to_guest(call_list, &mcs->call, result)) )
-+        if ( unlikely(disp == mc_exit) )
-+        {
-+            if ( __copy_field_to_guest(call_list, &mcs->call, result) )
-+                /* nothing, best effort only */;
-+            rc = mcs->call.result;
-+        }
-+        else if ( unlikely(__copy_field_to_guest(call_list, &mcs->call,
-+                                                 result)) )
-             rc = -EFAULT;
-         else if ( mcs->flags & MCSF_call_preempted )
-         {
-_at_@ -93,6 +101,9 @@ do_multicall(
-             guest_handle_add_offset(call_list, 1);
-     }
- 
-+    if ( unlikely(disp == mc_preempt) && i < nr_calls )
-+        goto preempted;
-+
-     perfc_incr(calls_to_multicall);
-     perfc_add(calls_from_multicall, i);
-     mcs->flags = 0;
---- a/xen/include/xen/multicall.h
-+++ b/xen/include/xen/multicall.h
-_at_@ -24,6 +24,10 @@ struct mc_state {
-     };
- };
- 
--void arch_do_multicall_call(struct mc_state *mc);
-+enum mc_disposition {
-+    mc_continue,
-+    mc_exit,
-+    mc_preempt,
-+} arch_do_multicall_call(struct mc_state *mc);
- 
- #endif /* __XEN_MULTICALL_H__ */
diff --git a/main/xen/xsa214.patch b/main/xen/xsa214.patch
deleted file mode 100644
index 46a3d3a4c6..0000000000
--- a/main/xen/xsa214.patch
+++ /dev/null
_at_@ -1,41 +0,0 @@
-From: Jan Beulich <jbeulich_at_suse.com>
-Subject: x86: discard type information when stealing pages
-
-While a page having just a single general reference left necessarily
-has a zero type reference count too, its type may still be valid (and
-in validated state; at present this is only possible and relevant for
-PGT_seg_desc_page, as page tables have their type forcibly zapped when
-their type reference count drops to zero, and
-PGT_{writable,shared}_page pages don't require any validation). In
-such a case when the page is being re-used with the same type again,
-validation is being skipped. As validation criteria differ between
-32- and 64-bit guests, pages to be transferred between guests need to
-have their validation indicator zapped (and with it we zap all other
-type information at once).
-
-This is XSA-214.
-
-Reported-by: Jann Horn <jannh_at_google.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -4466,6 +4466,17 @@ int steal_page(
-         y = cmpxchg(&page->count_info, x, x & ~PGC_count_mask);
-     } while ( y != x );
- 
-+    /*
-+     * With the sole reference dropped temporarily, no-one can update type
-+     * information. Type count also needs to be zero in this case, but e.g.
-+     * PGT_seg_desc_page may still have PGT_validated set, which we need to
-+     * clear before transferring ownership (as validation criteria vary
-+     * depending on domain type).
-+     */
-+    BUG_ON(page->u.inuse.type_info & (PGT_count_mask | PGT_locked |
-+                                      PGT_pinned));
-+    page->u.inuse.type_info = 0;
-+
-     /* Swizzle the owner then reinstate the PGC_allocated reference. */
-     page_set_owner(page, NULL);
-     y = page->count_info;
-- 
2.13.3
Received on Mon Aug 07 2017 - 11:39:55 GMT