---
main/mupdf/APKBUILD | 36 +++++++++++++++---------------------
main/mupdf/CVE-2017-6060.patch | 41 -----------------------------------------
main/mupdf/openjpeg-2.1.patch | 8 ++++----
main/mupdf/shared-lib.patch | 19 ++++++++++---------
4 files changed, 29 insertions(+), 75 deletions(-)
delete mode 100644 main/mupdf/CVE-2017-6060.patch
diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD
index d6c76afd88..cfab6145db 100644
--- a/main/mupdf/APKBUILD
+++ b/main/mupdf/APKBUILD
@@ -2,22 +2,21 @@
# Contributor: Michael Zhou <zhoumichaely@gmail.com>
# Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
pkgname=mupdf
-pkgver=1.11
-pkgrel=1
+pkgver=1.12.0
+pkgrel=0
pkgdesc="A lightweight PDF and XPS viewer"
url="http://mupdf.com"
arch="all"
license="AGPL3+"
depends=""
makedepends="freetype-dev jpeg-dev jbig2dec-dev libx11-dev libxext-dev
- openjpeg-dev harfbuzz-dev glfw-dev"
+ openjpeg-dev harfbuzz-dev freeglut-dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
$pkgname-gl:_gl $pkgname-tools:_tools"
options="!check"
-source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
+source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.xz
shared-lib.patch
openjpeg-2.1.patch
- CVE-2017-6060.patch
"
# secfixes:
@@ -30,26 +29,21 @@ source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
builddir="$srcdir/$pkgname-$pkgver-source"
prepare() {
- default_prepare || return 1
+ default_prepare
cd "$builddir"
for file in thirdparty/*; do
[ "${file##*/}" != "mujs" ] && rm -rf "$file"
done
-
- sed '/^JBIG2DEC_CFLAGS :=/s|$| -I./include/mupdf|' \
- -i Makethird || return 1
}
build() {
- make HAVE_GLFW=yes SYS_GLFW_LIBS="$(pkgconf --libs glfw3 gl)" \
- prefix=/usr -C "$builddir" || return 1
+ make prefix=/usr -C "$builddir"
}
package() {
- make HAVE_GLFW=yes \
- prefix=/usr DESTDIR="$pkgdir" \
- -C "$builddir" install || return 1
+ make prefix=/usr DESTDIR="$pkgdir" \
+ -C "$builddir" install
ln -s libmupdf.so.0 "$pkgdir"/usr/lib/libmupdf.so
ln -s libmupdfthird.so.0 "$pkgdir"/usr/lib/libmupdfthird.so
@@ -61,7 +55,7 @@ _x11() {
mkdir -p "$subpkgdir"/usr/bin
mv "$pkgdir"/usr/bin/mupdf-x11 \
- "$subpkgdir"/usr/bin/ || return 1
+ "$subpkgdir"/usr/bin/
ln -s /usr/bin/mupdf-x11 "$subpkgdir"/usr/bin/mupdf
}
@@ -71,7 +65,7 @@ _gl() {
mkdir -p "$subpkgdir"/usr/bin
mv "$pkgdir"/usr/bin/mupdf-gl \
- "$subpkgdir"/usr/bin/ || return 1
+ "$subpkgdir"/usr/bin/
}
_tools() {
@@ -80,12 +74,12 @@ _tools() {
mkdir -p "$subpkgdir"/usr/bin
mv "$pkgdir"/usr/bin/mutool \
+ "$pkgdir"/usr/bin/mjsgen \
"$pkgdir"/usr/bin/mujstest \
"$pkgdir"/usr/bin/muraster \
- "$subpkgdir"/usr/bin/ || return 1
+ "$subpkgdir"/usr/bin/
}
-sha512sums="501670f540e298a8126806ebbd9db8b29866f663b7bbf26c9ade1933e42f0c00ad410b9d93f3ddbfb3e45c38722869095de28d832fe3fb3703c55cc9a01dbf63 mupdf-1.11-source.tar.gz
-b3ddbc22da894a8b9a0fa0c93711e2052b5d2ca29497473b6e15ffbae52faaafff9238619680de474c455ebd073c2d29ead4ff5d962fddb99f7ced27057fa77f shared-lib.patch
-f8283db9a510527e84afeeb6eea89948161899c149a559c4a699c533445b42f30e5bf520616ca69d7feb554529ad494a60c276a1eecc915723ec0f264bbc0ed0 openjpeg-2.1.patch
-3e3f34e448967acb7772365065234c313cb014ebe6e3c3b3bcdbed2242b32ee5589ecd749d06fb4cd5f406eb37ca431e369c96b9adb3b5367d2e5296f1ca983e CVE-2017-6060.patch"
+sha512sums="4c9ce81e7b0e2d77e017776fd9f700bc2f695f34b7fd97be7ba113ec1b340e7046c9db7d396abf19a98b1d0c7d72f01ecc1b44fadd250d2d6c6ffdcd9799bc16 mupdf-1.12.0-source.tar.xz
+8d3f22908060351e8bb171c7c8248662dd6ac3fb5c765ad0ce33f33c418f6bcfb1982ea8e97b4fefee067c675cac03f76e8b715640dfd3689e8d7738384b6536 shared-lib.patch
+3034e7d3248d904cc23e033a6331fc7a48d8f14e85deaa7b7b7bc37d8a3bc6c788e2fd0a866873a69c5f416d8de5b3a5b9efde4747fa50c2ea3c4b8d170aa549 openjpeg-2.1.patch"
diff --git a/main/mupdf/CVE-2017-6060.patch b/main/mupdf/CVE-2017-6060.patch
deleted file mode 100644
index cc03f6106b..0000000000
--- a/main/mupdf/CVE-2017-6060.patch
@@ -1,41 +0,0 @@
-squashed commits:
-06a012a42c9884e3cd653e7826cff1ddec04eb6e
-e089b2e2c1d38c5696c7dfd741e21f8f3ef22b14
-
-From 05cb7595b61aa00a29f1609b75d280b589091356 Mon Sep 17 00:00:00 2001
-From: Sebastian Rasmussen <sebras@gmail.com>
-Date: Tue, 11 Apr 2017 10:54:12 +0800
-Subject: [PATCH] Bug 697551: Make path and line buffers of equal size.
-
-Previously a too long line could be copied into the too short path buffer.
-
-jstest: Stop printing bogus script lines.
----
- platform/x11/jstest_main.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/platform/x11/jstest_main.c b/platform/x11/jstest_main.c
-index 13c3a0a3..36b32155 100644
---- a/platform/x11/jstest_main.c
-+++ b/platform/x11/jstest_main.c
-@@ -346,7 +346,7 @@ main(int argc, char *argv[])
- }
- else if (match(&line, "OPEN"))
- {
-- char path[1024];
-+ char path[LONGLINE];
- if (file_open)
- pdfapp_close(&gapp);
- if (prefix)
-@@ -402,7 +402,7 @@ main(int argc, char *argv[])
- }
- else
- {
-- fprintf(stderr, "Unmatched: %s\n", line);
-+ fprintf(stderr, "Ignoring line without script statement.\n");
- }
- }
- while (!feof(script));
---
-2.12.2
-
diff --git a/main/mupdf/openjpeg-2.1.patch b/main/mupdf/openjpeg-2.1.patch
index 3181c461f3..437e114cb9 100644
--- a/main/mupdf/openjpeg-2.1.patch
+++ b/main/mupdf/openjpeg-2.1.patch
@@ -1,12 +1,12 @@
---- mupdf-1.11-source/source/fitz/load-jpx.c.orig
-+++ mupdf-1.11-source/source/fitz/load-jpx.c
-@@ -444,11 +444,6 @@
+--- mupdf-1.12.0-source/source/fitz/load-jpx.c.orig
++++ mupdf-1.12.0-source/source/fitz/load-jpx.c
+@@ -445,11 +445,6 @@
#else /* HAVE_LURATECH */
-#define OPJ_STATIC
-#define OPJ_HAVE_INTTYPES_H
--#if !defined(_WIN32) && !defined(_WIN64)
+-#if !defined(_MSC_VER) || _MSC_VER >= 1600
-#define OPJ_HAVE_STDINT_H
-#endif
#define USE_JPIP
diff --git a/main/mupdf/shared-lib.patch b/main/mupdf/shared-lib.patch
index a73d885364..a3d039a575 100644
--- a/main/mupdf/shared-lib.patch
+++ b/main/mupdf/shared-lib.patch
@@ -1,14 +1,15 @@
---- mupdf-1.11-source/Makefile.orig
-+++ mupdf-1.11-source/Makefile
-@@ -15,6 +15,7 @@
+--- mupdf-1.12.0-source/Makefile.orig
++++ mupdf-1.12.0-source/Makefile
+@@ -14,7 +14,7 @@
+ # Do not specify CFLAGS or LIBS on the make invocation line - specify
# XCFLAGS or XLIBS instead. Make ignores any lines in the makefile that
# set a variable that was set on the command line.
- CFLAGS += $(XCFLAGS) -Iinclude -Igenerated
-+CFLAGS += -fPIC
+-CFLAGS += $(XCFLAGS) -Iinclude
++CFLAGS += $(XCFLAGS) -Iinclude -fPIC
LIBS += $(XLIBS) -lm
LIBS += $(FREETYPE_LIBS)
-@@ -73,6 +74,7 @@
+@@ -75,6 +75,7 @@
CXX_CMD = $(QUIET_CXX) $(CXX) $(CFLAGS) -o $@ -c $<
AR_CMD = $(QUIET_AR) $(AR) cr $@ $^
LINK_CMD = $(QUIET_LINK) $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
@@ -16,7 +17,7 @@
MKDIR_CMD = $(QUIET_MKDIR) mkdir -p $@
RM_CMD = $(QUIET_RM) rm -f $@
TAGS_CMD = $(QUIET_TAGS) ctags $^
-@@ -88,6 +90,9 @@
+@@ -90,6 +91,9 @@
$(AR_CMD)
$(RANLIB_CMD)
@@ -26,7 +27,7 @@
$(OUT)/%.exe: $(OUT)/%.o | $(ALL_DIR)
$(LINK_CMD)
-@@ -300,8 +305,8 @@
+@@ -312,8 +316,8 @@
# --- Library ---
@@ -36,4 +37,4 @@
+THIRD_LIB = $(OUT)/libmupdfthird.so.0
THREAD_LIB = $(OUT)/libmuthreads.a
- MUPDF_OBJ := $(FITZ_OBJ) $(FONT_OBJ) $(PDF_OBJ) $(XPS_OBJ) $(SVG_OBJ) $(CBZ_OBJ) $(HTML_OBJ) $(GPRF_OBJ)
+ MUPDF_OBJ := \
--
2.15.0
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
---
main/xen/APKBUILD | 15 ++++-
main/xen/xsa248.patch | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++
main/xen/xsa249.patch | 42 +++++++++++++
main/xen/xsa250.patch | 67 +++++++++++++++++++++
main/xen/xsa251.patch | 21 +++++++
5 files changed, 308 insertions(+), 1 deletion(-)
create mode 100644 main/xen/xsa248.patch
create mode 100644 main/xen/xsa249.patch
create mode 100644 main/xen/xsa250.patch
create mode 100644 main/xen/xsa251.patch
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index bb02b2bee9..067f1b3648 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.9.1
-pkgrel=1
+pkgrel=2
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64 armhf aarch64"
@@ -101,6 +101,11 @@ options="!strip"
# 4.9.1-r1:
# - XSA-246
# - XSA-247
+# 4.9.1-r2:
+# - XSA-248
+# - XSA-249
+# - XSA-250
+# - XSA-251
case "$CARCH" in
x86*)
@@ -151,6 +156,10 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
xsa246-4.9.patch
xsa247-4.9-1.patch
xsa247-4.9-2.patch
+ xsa248.patch
+ xsa249.patch
+ xsa250.patch
+ xsa251.patch
qemu-coroutine-gthread.patch
qemu-xen_paths.patch
@@ -413,6 +422,10 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
b00f42d2069f273e204698177d2c36950cee759a92dfe7833c812ddff4dedde2c4a842980927ec4fc46d1f54b49879bf3a3681c6faf30b72fb3ad6a7eba060b2 xsa246-4.9.patch
c5e064543048751fda86ce64587493518da87d219ff077abb83ac13d8381ceb29f1b6479fc0b761b8f7a04c8c70203791ac4a8cc79bbc6f4dcfa6661c4790c5e xsa247-4.9-1.patch
71aefbe27cbd1d1d363b7d5826c69a238e4aad2958a1c6da330ae5daee791f54ce1d01fb79db84ed4248ab8b1593c9c28c3de5108f4d0953b04f7819af23a1d1 xsa247-4.9-2.patch
+6415689190b8f4ead7a3482a2285485af4acd4f3565521736f8fe975c74c7c70b27608e0142a7165b4f735b547b688db99a6027697e77b3e1d15c09e14b4f0a6 xsa248.patch
+05a2e954bab1877500eb5ed3a8c49edb27411ed3ec9dbfb2115b7804a3b03c6d45c9f08a7ed96ff2b586346f321142065a8c5a5d996468496b373637b6ee31b9 xsa249.patch
+b3030f09ddb4f9e4a356519c7b74d393e8db085278a1e616788c81d19988699a6efdd8568277c25514f3298ca92e5a09e3cd08b0a308a4d2ddb55374a8445657 xsa250.patch
+928153b48af2bd6b334058c5919880cfc7d665c63e0232932866941cbea6deb8d0d83f70dff0974d3df27fc84096beca51139a0b1c0585978f298256b3fd82eb xsa251.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa248.patch b/main/xen/xsa248.patch
new file mode 100644
index 0000000000..966c16e043
--- /dev/null
+++ b/main/xen/xsa248.patch
@@ -0,0 +1,164 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/mm: don't wrongly set page ownership
+
+PV domains can obtain mappings of any pages owned by the correct domain,
+including ones that aren't actually assigned as "normal" RAM, but used
+by Xen internally. At the moment such "internal" pages marked as owned
+by a guest include pages used to track logdirty bits, as well as p2m
+pages and the "unpaged pagetable" for HVM guests. Since the PV memory
+management and shadow code conflict in their use of struct page_info
+fields, and since shadow code is being used for log-dirty handling for
+PV domains, pages coming from the shadow pool must, for PV domains, not
+have the domain set as their owner.
+
+While the change could be done conditionally for just the PV case in
+shadow code, do it unconditionally (and for consistency also for HAP),
+just to be on the safe side.
+
+There's one special case though for shadow code: The page table used for
+running a HVM guest in unpaged mode is subject to get_page() (in
+set_shadow_status()) and hence must have its owner set.
+
+This is XSA-248.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+Reviewed-by: George Dunlap <george.dunlap@citrix.com>
+---
+v2: Drop PGC_page_table related pieces.
+
+--- a/xen/arch/x86/mm/hap/hap.c
++++ b/xen/arch/x86/mm/hap/hap.c
+@@ -286,8 +286,7 @@ static struct page_info *hap_alloc_p2m_p
+ {
+ d->arch.paging.hap.total_pages--;
+ d->arch.paging.hap.p2m_pages++;
+- page_set_owner(pg, d);
+- pg->count_info |= 1;
++ ASSERT(!page_get_owner(pg) && !(pg->count_info & PGC_count_mask));
+ }
+ else if ( !d->arch.paging.p2m_alloc_failed )
+ {
+@@ -302,21 +301,23 @@ static struct page_info *hap_alloc_p2m_p
+
+ static void hap_free_p2m_page(struct domain *d, struct page_info *pg)
+ {
++ struct domain *owner = page_get_owner(pg);
++
+ /* This is called both from the p2m code (which never holds the
+ * paging lock) and the log-dirty code (which always does). */
+ paging_lock_recursive(d);
+
+- ASSERT(page_get_owner(pg) == d);
+- /* Should have just the one ref we gave it in alloc_p2m_page() */
+- if ( (pg->count_info & PGC_count_mask) != 1 ) {
+- HAP_ERROR("Odd p2m page %p count c=%#lx t=%"PRtype_info"\n",
+- pg, pg->count_info, pg->u.inuse.type_info);
++ /* Should still have no owner and count zero. */
++ if ( owner || (pg->count_info & PGC_count_mask) )
++ {
++ HAP_ERROR("d%d: Odd p2m page %"PRI_mfn" d=%d c=%lx t=%"PRtype_info"\n",
++ d->domain_id, mfn_x(page_to_mfn(pg)),
++ owner ? owner->domain_id : DOMID_INVALID,
++ pg->count_info, pg->u.inuse.type_info);
+ WARN();
++ pg->count_info &= ~PGC_count_mask;
++ page_set_owner(pg, NULL);
+ }
+- pg->count_info &= ~PGC_count_mask;
+- /* Free should not decrement domain's total allocation, since
+- * these pages were allocated without an owner. */
+- page_set_owner(pg, NULL);
+ d->arch.paging.hap.p2m_pages--;
+ d->arch.paging.hap.total_pages++;
+ hap_free(d, page_to_mfn(pg));
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -1503,32 +1503,29 @@ shadow_alloc_p2m_page(struct domain *d)
+ pg = mfn_to_page(shadow_alloc(d, SH_type_p2m_table, 0));
+ d->arch.paging.shadow.p2m_pages++;
+ d->arch.paging.shadow.total_pages--;
++ ASSERT(!page_get_owner(pg) && !(pg->count_info & PGC_count_mask));
+
+ paging_unlock(d);
+
+- /* Unlike shadow pages, mark p2m pages as owned by the domain.
+- * Marking the domain as the owner would normally allow the guest to
+- * create mappings of these pages, but these p2m pages will never be
+- * in the domain's guest-physical address space, and so that is not
+- * believed to be a concern. */
+- page_set_owner(pg, d);
+- pg->count_info |= 1;
+ return pg;
+ }
+
+ static void
+ shadow_free_p2m_page(struct domain *d, struct page_info *pg)
+ {
+- ASSERT(page_get_owner(pg) == d);
+- /* Should have just the one ref we gave it in alloc_p2m_page() */
+- if ( (pg->count_info & PGC_count_mask) != 1 )
++ struct domain *owner = page_get_owner(pg);
++
++ /* Should still have no owner and count zero. */
++ if ( owner || (pg->count_info & PGC_count_mask) )
+ {
+- SHADOW_ERROR("Odd p2m page count c=%#lx t=%"PRtype_info"\n",
++ SHADOW_ERROR("d%d: Odd p2m page %"PRI_mfn" d=%d c=%lx t=%"PRtype_info"\n",
++ d->domain_id, mfn_x(page_to_mfn(pg)),
++ owner ? owner->domain_id : DOMID_INVALID,
+ pg->count_info, pg->u.inuse.type_info);
++ pg->count_info &= ~PGC_count_mask;
++ page_set_owner(pg, NULL);
+ }
+- pg->count_info &= ~PGC_count_mask;
+ pg->u.sh.type = SH_type_p2m_table; /* p2m code reuses type-info */
+- page_set_owner(pg, NULL);
+
+ /* This is called both from the p2m code (which never holds the
+ * paging lock) and the log-dirty code (which always does). */
+@@ -3132,7 +3129,9 @@ int shadow_enable(struct domain *d, u32
+ e = __map_domain_page(pg);
+ write_32bit_pse_identmap(e);
+ unmap_domain_page(e);
++ pg->count_info = 1;
+ pg->u.inuse.type_info = PGT_l2_page_table | 1 | PGT_validated;
++ page_set_owner(pg, d);
+ }
+
+ paging_lock(d);
+@@ -3170,7 +3169,11 @@ int shadow_enable(struct domain *d, u32
+ if ( rv != 0 && !pagetable_is_null(p2m_get_pagetable(p2m)) )
+ p2m_teardown(p2m);
+ if ( rv != 0 && pg != NULL )
++ {
++ pg->count_info &= ~PGC_count_mask;
++ page_set_owner(pg, NULL);
+ shadow_free_p2m_page(d, pg);
++ }
+ domain_unpause(d);
+ return rv;
+ }
+@@ -3279,7 +3282,22 @@ out:
+
+ /* Must be called outside the lock */
+ if ( unpaged_pagetable )
++ {
++ if ( page_get_owner(unpaged_pagetable) == d &&
++ (unpaged_pagetable->count_info & PGC_count_mask) == 1 )
++ {
++ unpaged_pagetable->count_info &= ~PGC_count_mask;
++ page_set_owner(unpaged_pagetable, NULL);
++ }
++ /* Complain here in cases where shadow_free_p2m_page() won't. */
++ else if ( !page_get_owner(unpaged_pagetable) &&
++ !(unpaged_pagetable->count_info & PGC_count_mask) )
++ SHADOW_ERROR("d%d: Odd unpaged pt %"PRI_mfn" c=%lx t=%"PRtype_info"\n",
++ d->domain_id, mfn_x(page_to_mfn(unpaged_pagetable)),
++ unpaged_pagetable->count_info,
++ unpaged_pagetable->u.inuse.type_info);
+ shadow_free_p2m_page(d, unpaged_pagetable);
++ }
+ }
+
+ void shadow_final_teardown(struct domain *d)
diff --git a/main/xen/xsa249.patch b/main/xen/xsa249.patch
new file mode 100644
index 0000000000..ecfa4305e5
--- /dev/null
+++ b/main/xen/xsa249.patch
@@ -0,0 +1,42 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/shadow: fix refcount overflow check
+
+Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track
+the first page") reduced the refcount width to 25, without adjusting the
+overflow check. Eliminate the disconnect by using a manifest constant.
+
+Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS
+snapshot") the refcount was 27 bits wide, yet the check was already
+using 26.
+
+This is XSA-249.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: George Dunlap <george.dunlap@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+---
+v2: Simplify expression back to the style it was.
+
+--- a/xen/arch/x86/mm/shadow/private.h
++++ b/xen/arch/x86/mm/shadow/private.h
+@@ -529,7 +529,7 @@ static inline int sh_get_ref(struct doma
+ x = sp->u.sh.count;
+ nx = x + 1;
+
+- if ( unlikely(nx >= 1U<<26) )
++ if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) )
+ {
+ SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n",
+ __backpointer(sp), mfn_x(smfn));
+--- a/xen/include/asm-x86/mm.h
++++ b/xen/include/asm-x86/mm.h
+@@ -82,7 +82,8 @@ struct page_info
+ unsigned long type:5; /* What kind of shadow is this? */
+ unsigned long pinned:1; /* Is the shadow pinned? */
+ unsigned long head:1; /* Is this the first page of the shadow? */
+- unsigned long count:25; /* Reference count */
++#define PAGE_SH_REFCOUNT_WIDTH 25
++ unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */
+ } sh;
+
+ /* Page is on a free list: ((count_info & PGC_count_mask) == 0). */
diff --git a/main/xen/xsa250.patch b/main/xen/xsa250.patch
new file mode 100644
index 0000000000..26aeb33fed
--- /dev/null
+++ b/main/xen/xsa250.patch
@@ -0,0 +1,67 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/shadow: fix ref-counting error handling
+
+The old-Linux handling in shadow_set_l4e() mistakenly ORed together the
+results of sh_get_ref() and sh_pin(). As the latter failing is not a
+correctness problem, simply ignore its return value.
+
+In sh_set_toplevel_shadow() a failing sh_get_ref() must not be
+accompanied by installing the entry, despite the domain being crashed.
+
+This is XSA-250.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -923,7 +923,7 @@ static int shadow_set_l4e(struct domain
+ shadow_l4e_t new_sl4e,
+ mfn_t sl4mfn)
+ {
+- int flags = 0, ok;
++ int flags = 0;
+ shadow_l4e_t old_sl4e;
+ paddr_t paddr;
+ ASSERT(sl4e != NULL);
+@@ -938,15 +938,16 @@ static int shadow_set_l4e(struct domain
+ {
+ /* About to install a new reference */
+ mfn_t sl3mfn = shadow_l4e_get_mfn(new_sl4e);
+- ok = sh_get_ref(d, sl3mfn, paddr);
+- /* Are we pinning l3 shadows to handle wierd linux behaviour? */
+- if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) )
+- ok |= sh_pin(d, sl3mfn);
+- if ( !ok )
++
++ if ( !sh_get_ref(d, sl3mfn, paddr) )
+ {
+ domain_crash(d);
+ return SHADOW_SET_ERROR;
+ }
++
++ /* Are we pinning l3 shadows to handle weird Linux behaviour? */
++ if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) )
++ sh_pin(d, sl3mfn);
+ }
+
+ /* Write the new entry */
+@@ -3965,14 +3966,15 @@ sh_set_toplevel_shadow(struct vcpu *v,
+
+ /* Take a ref to this page: it will be released in sh_detach_old_tables()
+ * or the next call to set_toplevel_shadow() */
+- if ( !sh_get_ref(d, smfn, 0) )
++ if ( sh_get_ref(d, smfn, 0) )
++ new_entry = pagetable_from_mfn(smfn);
++ else
+ {
+ SHADOW_ERROR("can't install %#lx as toplevel shadow\n", mfn_x(smfn));
+ domain_crash(d);
++ new_entry = pagetable_null();
+ }
+
+- new_entry = pagetable_from_mfn(smfn);
+-
+ install_new_entry:
+ /* Done. Install it */
+ SHADOW_PRINTK("%u/%u [%u] gmfn %#"PRI_mfn" smfn %#"PRI_mfn"\n",
diff --git a/main/xen/xsa251.patch b/main/xen/xsa251.patch
new file mode 100644
index 0000000000..582ef622eb
--- /dev/null
+++ b/main/xen/xsa251.patch
@@ -0,0 +1,21 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY
+
+PV guests can fully control the values written into the P2M.
+
+This is XSA-251.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/mm/paging.c
++++ b/xen/arch/x86/mm/paging.c
+@@ -274,7 +274,7 @@ void paging_mark_pfn_dirty(struct domain
+ return;
+
+ /* Shared MFNs should NEVER be marked dirty */
+- BUG_ON(SHARED_M2P(pfn_x(pfn)));
++ BUG_ON(paging_mode_translate(d) && SHARED_M2P(pfn_x(pfn)));
+
+ /*
+ * Values with the MSB set denote MFNs that aren't really part of the
--
2.15.0
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---