Excerpt from release notes:
This fixes the following critical vulnerabilities:
* CVE-2012-4535 / XSA-20:
Timer overflow DoS vulnerability
* CVE-2012-4537 / XSA-22:
Memory mapping failure DoS vulnerability
* CVE-2012-4538 / XSA-23:
Unhooking empty PAE entries DoS vulnerability
* CVE-2012-4539 / XSA-24:
Grant table hypercall infinite loop DoS vulnerability
* CVE-2012-4544,CVE-2012-2625 / XSA-25:
Xen domain builder Out-of-memory due to malicious kernel/ramdisk
* CVE-2012-5510 / XSA-26:
Grant table version switch list corruption vulnerability
* CVE-2012-5511 / XSA-27:
several HVM operations do not validate the range of their inputs
* CVE-2012-5513 / XSA-29:
XENMEM_exchange may overwrite hypervisor memory
* CVE-2012-5514 / XSA-30:
Broken error handling in guest_physmap_mark_populate_on_demand()
* CVE-2012-5515 / XSA-31:
Several memory hypercall operations allow invalid extent order
values
* CVE-2012-5525 / XSA-32:
several hypercalls do not validate input GFNs
We recommend all users of the 4.2.0 code base to update to this
point release.
Among many bug fixes and improvements (around 100 since Xen 4.2.0):
* A fix for a long standing time management issue
* Bug fixes for S3 (suspend to RAM) handling
* Bug fixes for other low level system state handling
* Bug fixes and improvements to the libxl tool stack
* Bug fixes to nested virtualization
---
Suitable for backporting to 2.5 stable
---
main/xen/APKBUILD | 30 +---
main/xen/make_stubdoms.patch | 184 -------------------
main/xen/xsa20.patch | 38 ----
main/xen/xsa22-4.2-unstable.patch | 40 ----
main/xen/xsa23-4.2-unstable.patch | 32 ----
main/xen/xsa24.patch | 26 ---
main/xen/xsa25-4.2.patch | 365 -------------------------------------
main/xen/xsa26-4.2.patch | 105 -----------
main/xen/xsa27-4.2.patch | 136 --------------
main/xen/xsa29-4.2-unstable.patch | 49 -----
main/xen/xsa30-4.2.patch | 56 ------
main/xen/xsa31-4.2-unstable.patch | 50 -----
main/xen/xsa32-4.2.patch | 22 ---
13 files changed, 3 insertions(+), 1130 deletions(-)
delete mode 100644 main/xen/make_stubdoms.patch
delete mode 100644 main/xen/xsa20.patch
delete mode 100644 main/xen/xsa22-4.2-unstable.patch
delete mode 100644 main/xen/xsa23-4.2-unstable.patch
delete mode 100644 main/xen/xsa24.patch
delete mode 100644 main/xen/xsa25-4.2.patch
delete mode 100644 main/xen/xsa26-4.2.patch
delete mode 100644 main/xen/xsa27-4.2.patch
delete mode 100644 main/xen/xsa29-4.2-unstable.patch
delete mode 100644 main/xen/xsa30-4.2.patch
delete mode 100644 main/xen/xsa31-4.2-unstable.patch
delete mode 100644 main/xen/xsa32-4.2.patch
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index e9503e8..36c11c7 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
-pkgver=4.2.0
-pkgrel=7
+pkgver=4.2.1
+pkgrel=0
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
@@ -17,19 +17,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor $pkgnam
source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
qemu_uclibc_configure.patch
librt.patch
- make_stubdoms.patch
qemu-xen_paths.patch
- xsa20.patch
- xsa22-4.2-unstable.patch
- xsa23-4.2-unstable.patch
- xsa24.patch
- xsa25-4.2.patch
- xsa26-4.2.patch
- xsa27-4.2.patch
- xsa29-4.2-unstable.patch
- xsa30-4.2.patch
- xsa31-4.2-unstable.patch
- xsa32-4.2.patch
xenstored.initd
xenstored.confd
@@ -139,22 +127,10 @@ xend() {
-exec mv '{}' "$subpkgdir"/"$sitepackages"/xen \;
}
-md5sums="f4f217969afc38f09251039966d91a87 xen-4.2.0.tar.gz
+md5sums="0d48cbe1767b82aba12517898d4e0408 xen-4.2.1.tar.gz
506e7ab6f9482dc95f230978d340bcd9 qemu_uclibc_configure.patch
2dc5ddf47c53ea168729975046c3c1f9 librt.patch
-41ad48fdc269749776fa6aa04f6778c2 make_stubdoms.patch
1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch
-fb7e76f00c2a4e63b408cb67df7d1a7b xsa20.patch
-5a67dfac5e6f5a0836aeaefa1804c09f xsa22-4.2-unstable.patch
-9151e7c648b12f518826ad0f0a67da42 xsa23-4.2-unstable.patch
-9bd8b30094f8eb2408846c1b6ed0cad6 xsa24.patch
-9fc7097ed2e5e756c4ae91145c143433 xsa25-4.2.patch
-281ad5fefa8856a5b431a7830be6c370 xsa26-4.2.patch
-d8cb820b85f86caa58ce1cc215aac069 xsa27-4.2.patch
-405531d7e434be9bc663c601d4dc67a4 xsa29-4.2-unstable.patch
-23f5ca5789f5358b8d2f8ce998db5ed6 xsa30-4.2.patch
-78fa8ac0ac907dd3ae7ef02bea623bb5 xsa31-4.2-unstable.patch
-2bd8f676273e644910e6a907372dfa31 xsa32-4.2.patch
95d8af17bf844d41a015ff32aae51ba1 xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
ed262f15fb880badb53575539468646c xenconsoled.initd
diff --git a/main/xen/make_stubdoms.patch b/main/xen/make_stubdoms.patch
deleted file mode 100644
index 0587ef1..0000000
--- a/main/xen/make_stubdoms.patch
@@ -1,184 +0,0 @@
-diff --git a/stubdom/Makefile b/stubdom/Makefile
-index 2da70e3..618624c 100644
---- a/stubdom/Makefile
-+++ b/stubdom/Makefile
-@@ -76,8 +76,6 @@ TARGET_LDFLAGS += -nostdlib -L$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib
-
- TARGETS=ioemu c caml grub xenstore
-
--CROSS_MAKE := $(MAKE) DESTDIR=
--
- .PHONY: all
- all: build
- ifeq ($(STUBDOM_SUPPORTED),1)
-@@ -113,8 +111,8 @@ $(NEWLIB_STAMPFILE): mk-headers-$(XEN_TARGET_ARCH) newlib-$(NEWLIB_VERSION)
- mkdir -p newlib-$(XEN_TARGET_ARCH)
- ( cd newlib-$(XEN_TARGET_ARCH) && \
- CC_FOR_TARGET="$(CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) $(NEWLIB_CFLAGS)" AR_FOR_TARGET=$(AR) LD_FOR_TARGET=$(LD) RANLIB_FOR_TARGET=$(RANLIB) ../newlib-$(NEWLIB_VERSION)/configure --prefix=$(CROSS_PREFIX) --verbose --target=$(GNU_TARGET_ARCH)-xen-elf --enable-newlib-io-long-long --disable-multilib && \
-- $(CROSS_MAKE) && \
-- $(CROSS_MAKE) install )
-+ $(MAKE) DESTDIR= && \
-+ $(MAKE) DESTDIR= install )
-
- ############
- # Cross-zlib
-@@ -133,8 +131,8 @@ cross-zlib: $(ZLIB_STAMPFILE)
- $(ZLIB_STAMPFILE): zlib-$(XEN_TARGET_ARCH) $(NEWLIB_STAMPFILE)
- ( cd $< && \
- CFLAGS="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" CC=$(CC) ./configure --prefix=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf && \
-- $(CROSS_MAKE) libz.a && \
-- $(CROSS_MAKE) install )
-+ $(MAKE) DESTDIR= libz.a && \
-+ $(MAKE) DESTDIR= install )
-
- ##############
- # Cross-libpci
-@@ -158,7 +156,7 @@ $(LIBPCI_STAMPFILE): pciutils-$(XEN_TARGET_ARCH) $(NEWLIB_STAMPFILE) $(ZLIB_STAM
- chmod u+w lib/config.h && \
- echo '#define PCILIB_VERSION "$(LIBPCI_VERSION)"' >> lib/config.h && \
- ln -sf ../../libpci.config.mak lib/config.mk && \
-- $(CROSS_MAKE) CC="$(CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -I$(call realpath,$(MINI_OS)/include)" lib/libpci.a && \
-+ $(MAKE) DESTDIR= CC="$(CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -I$(call realpath,$(MINI_OS)/include)" lib/libpci.a && \
- $(INSTALL_DATA) lib/libpci.a $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/lib/ && \
- $(INSTALL_DIR) $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include/pci && \
- $(INSTALL_DATA) lib/config.h lib/header.h lib/pci.h lib/types.h $(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/include/pci/ \
-@@ -203,8 +201,8 @@ $(OCAML_STAMPFILE): ocaml-$(XEN_TARGET_ARCH)/.dirstamp
- -no-pthread -no-shared-libs -no-tk -no-curses \
- -cc "$(CC) -U_FORTIFY_SOURCE -fno-stack-protector -mno-red-zone"
- $(foreach i,$(MINIOS_HASNOT),sed -i 's,^\(#define HAS_$(i)\),//\1,' ocaml-$(XEN_TARGET_ARCH)/config/s.h ; )
-- $(CROSS_MAKE) -C ocaml-$(XEN_TARGET_ARCH) world
-- $(CROSS_MAKE) -C ocaml-$(XEN_TARGET_ARCH) opt
-+ $(MAKE) DESTDIR= -C ocaml-$(XEN_TARGET_ARCH) world
-+ $(MAKE) DESTDIR= -C ocaml-$(XEN_TARGET_ARCH) opt
- $(MAKE) -C ocaml-$(XEN_TARGET_ARCH) install
- touch $@
-
-@@ -219,7 +217,7 @@ QEMU_ROOT := $(shell if [ -d "$(CONFIG_QEMU)" ]; then echo "$(CONFIG_QEMU)"; els
-
- ifeq ($(QEMU_ROOT),.)
- $(XEN_ROOT)/tools/qemu-xen-traditional-dir:
-- $(CROSS_MAKE) -C $(XEN_ROOT)/tools qemu-xen-traditional-dir-find
-+ $(MAKE) DESTDIR= -C $(XEN_ROOT)/tools qemu-xen-traditional-dir-find
-
- ioemu/linkfarm.stamp: $(XEN_ROOT)/tools/qemu-xen-traditional-dir
- mkdir -p ioemu
-@@ -250,7 +248,7 @@ mk-headers-$(XEN_TARGET_ARCH): ioemu/linkfarm.stamp
- ( [ -h include/xen/libelf ] || ln -sf $(XEN_ROOT)/tools/include/xen/libelf include/xen/libelf ) && \
- mkdir -p include/xen-foreign && \
- ln -sf $(wildcard $(XEN_ROOT)/tools/include/xen-foreign/*) include/xen-foreign/ && \
-- $(CROSS_MAKE) -C include/xen-foreign/ && \
-+ $(MAKE) DESTDIR= -C include/xen-foreign/ && \
- ( [ -h include/xen/foreign ] || ln -sf ../xen-foreign include/xen/foreign )
- mkdir -p libxc-$(XEN_TARGET_ARCH)
- [ -h libxc-$(XEN_TARGET_ARCH)/Makefile ] || ( cd libxc-$(XEN_TARGET_ARCH) && \
-@@ -267,7 +265,7 @@ mk-headers-$(XEN_TARGET_ARCH): ioemu/linkfarm.stamp
- ln -sf $(XEN_ROOT)/tools/xenstore/*.c . && \
- ln -sf $(XEN_ROOT)/tools/xenstore/*.h . && \
- ln -sf $(XEN_ROOT)/tools/xenstore/Makefile . )
-- $(CROSS_MAKE) -C $(MINI_OS) links
-+ $(MAKE) DESTDIR= -C $(MINI_OS) links
- touch mk-headers-$(XEN_TARGET_ARCH)
-
- TARGETS_MINIOS=$(addprefix mini-os-$(XEN_TARGET_ARCH)-,$(TARGETS))
-@@ -284,7 +282,7 @@ $(TARGETS_MINIOS): mini-os-%:
- .PHONY: libxc
- libxc: libxc-$(XEN_TARGET_ARCH)/libxenctrl.a libxc-$(XEN_TARGET_ARCH)/libxenguest.a
- libxc-$(XEN_TARGET_ARCH)/libxenctrl.a: cross-zlib
-- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C libxc-$(XEN_TARGET_ARCH)
-+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C libxc-$(XEN_TARGET_ARCH)
-
- libxc-$(XEN_TARGET_ARCH)/libxenguest.a: libxc-$(XEN_TARGET_ARCH)/libxenctrl.a
-
-@@ -302,7 +300,7 @@ ioemu: cross-zlib cross-libpci libxc
- TARGET_CFLAGS="$(TARGET_CFLAGS)" \
- TARGET_LDFLAGS="$(TARGET_LDFLAGS)" \
- $(QEMU_ROOT)/xen-setup-stubdom )
-- $(CROSS_MAKE) -C ioemu -f $(QEMU_ROOT)/Makefile
-+ $(MAKE) DESTDIR= -C ioemu -f $(QEMU_ROOT)/Makefile
-
- ######
- # caml
-@@ -310,7 +308,7 @@ ioemu: cross-zlib cross-libpci libxc
-
- .PHONY: caml
- caml: $(CROSS_ROOT)
-- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) OCAMLC_CROSS_PREFIX=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/bin/
-+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) OCAMLC_CROSS_PREFIX=$(CROSS_PREFIX)/$(GNU_TARGET_ARCH)-xen-elf/bin/
-
- ###
- # C
-@@ -318,7 +316,7 @@ caml: $(CROSS_ROOT)
-
- .PHONY: c
- c: $(CROSS_ROOT)
-- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH)
-+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH)
-
- ######
- # Grub
-@@ -337,7 +335,7 @@ grub-upstream: grub-$(GRUB_VERSION).tar.gz
- .PHONY: grub
- grub: grub-upstream $(CROSS_ROOT)
- mkdir -p grub-$(XEN_TARGET_ARCH)
-- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ OBJ_DIR=$(CURDIR)/grub-$(XEN_TARGET_ARCH)
-+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ OBJ_DIR=$(CURDIR)/grub-$(XEN_TARGET_ARCH)
-
- ##########
- # xenstore
-@@ -345,7 +343,7 @@ grub: grub-upstream $(CROSS_ROOT)
-
- .PHONY: xenstore
- xenstore: $(CROSS_ROOT)
-- CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(CROSS_MAKE) -C $@ xenstored.a CONFIG_STUBDOM=y
-+ CPPFLAGS="$(TARGET_CPPFLAGS)" CFLAGS="$(TARGET_CFLAGS)" $(MAKE) DESTDIR= -C $@ xenstored.a CONFIG_STUBDOM=y
-
- ########
- # minios
-@@ -354,23 +352,23 @@ xenstore: $(CROSS_ROOT)
- .PHONY: ioemu-stubdom
- ioemu-stubdom: APP_OBJS=$(CURDIR)/ioemu/i386-stubdom/qemu.a $(CURDIR)/ioemu/i386-stubdom/libqemu.a $(CURDIR)/ioemu/libqemu_common.a
- ioemu-stubdom: mini-os-$(XEN_TARGET_ARCH)-ioemu lwip-$(XEN_TARGET_ARCH) libxc ioemu
-- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/ioemu-minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(APP_OBJS)"
-+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/ioemu-minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(APP_OBJS)"
-
- .PHONY: caml-stubdom
- caml-stubdom: mini-os-$(XEN_TARGET_ARCH)-caml lwip-$(XEN_TARGET_ARCH) libxc cross-ocaml caml
-- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/caml/minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(CURDIR)/caml/main-caml.o $(CURDIR)/caml/caml.o $(CAMLLIB)/libasmrun.a"
-+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/caml/minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS="$(CURDIR)/caml/main-caml.o $(CURDIR)/caml/caml.o $(CAMLLIB)/libasmrun.a"
-
- .PHONY: c-stubdom
- c-stubdom: mini-os-$(XEN_TARGET_ARCH)-c lwip-$(XEN_TARGET_ARCH) libxc c
-- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/c/minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS=$(CURDIR)/c/main.a
-+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/c/minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< LWIPDIR=$(CURDIR)/lwip-$(XEN_TARGET_ARCH) APP_OBJS=$(CURDIR)/c/main.a
-
- .PHONY: pv-grub
- pv-grub: mini-os-$(XEN_TARGET_ARCH)-grub libxc grub
-- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/grub/minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/grub-$(XEN_TARGET_ARCH)/main.a
-+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/grub/minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/grub-$(XEN_TARGET_ARCH)/main.a
-
- .PHONY: xenstore-stubdom
- xenstore-stubdom: mini-os-$(XEN_TARGET_ARCH)-xenstore libxc xenstore
-- DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/xenstore-minios.cfg" $(CROSS_MAKE) -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/xenstore/xenstored.a
-+ DEF_CPPFLAGS="$(TARGET_CPPFLAGS)" DEF_CFLAGS="$(TARGET_CFLAGS)" DEF_LDFLAGS="$(TARGET_LDFLAGS)" MINIOS_CONFIG="$(CURDIR)/xenstore-minios.cfg" $(MAKE) DESTDIR= -C $(MINI_OS) OBJ_DIR=$(CURDIR)/$< APP_OBJS=$(CURDIR)/xenstore/xenstored.a
-
- #########
- # install
-@@ -412,13 +410,13 @@ clean:
- rm -fr mini-os-$(XEN_TARGET_ARCH)-caml
- rm -fr mini-os-$(XEN_TARGET_ARCH)-grub
- rm -fr mini-os-$(XEN_TARGET_ARCH)-xenstore
-- $(CROSS_MAKE) -C caml clean
-- $(CROSS_MAKE) -C c clean
-+ $(MAKE) DESTDIR= -C caml clean
-+ $(MAKE) DESTDIR= -C c clean
- rm -fr grub-$(XEN_TARGET_ARCH)
- rm -f $(STUBDOMPATH)
-- [ ! -d libxc-$(XEN_TARGET_ARCH) ] || $(CROSS_MAKE) -C libxc-$(XEN_TARGET_ARCH) clean
-- -[ ! -d ioemu ] || $(CROSS_MAKE) -C ioemu clean
-- -[ ! -d xenstore ] || $(CROSS_MAKE) -C xenstore clean
-+ [ ! -d libxc-$(XEN_TARGET_ARCH) ] || $(MAKE) DESTDIR= -C libxc-$(XEN_TARGET_ARCH) clean
-+ -[ ! -d ioemu ] || $(MAKE) DESTDIR= -C ioemu clean
-+ -[ ! -d xenstore ] || $(MAKE) DESTDIR= -C xenstore clean
-
- # clean the cross-compilation result
- .PHONY: crossclean
diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch
deleted file mode 100644
index bedd318..0000000
--- a/main/xen/xsa20.patch
@@ -1,38 +0,0 @@
-VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
-
-The timer action for a vcpu periodic timer is to calculate the next
-expiry time, and to reinsert itself into the timer queue. If the
-deadline ends up in the past, Xen never leaves __do_softirq(). The
-affected PCPU will stay in an infinite loop until Xen is killed by the
-watchdog (if enabled).
-
-This is a security problem, XSA-20 / CVE-2012-4535.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
-diff -r 478ba3f146df xen/common/domain.c
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
- if ( set.period_ns < MILLISECS(1) )
- return -EINVAL;
-
-+ if ( set.period_ns > STIME_DELTA_MAX )
-+ return -EINVAL;
-+
- v->periodic_period = set.period_ns;
- vcpu_force_reschedule(v);
-
-diff -r 478ba3f146df xen/include/xen/time.h
---- a/xen/include/xen/time.h
-+++ b/xen/include/xen/time.h
-@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
- #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
- #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
- #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
-+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
-+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
-
- extern void update_vcpu_system_time(struct vcpu *v);
- extern void update_domain_wallclock_time(struct domain *d);
diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch
deleted file mode 100644
index e15fd73..0000000
--- a/main/xen/xsa22-4.2-unstable.patch
@@ -1,40 +0,0 @@
-x86/physmap: Prevent incorrect updates of m2p mappings
-
-In certain conditions, such as low memory, set_p2m_entry() can fail.
-Currently, the p2m and m2p tables will get out of sync because we still
-update the m2p table after the p2m update has failed.
-
-If that happens, subsequent guest-invoked memory operations can cause
-BUG()s and ASSERT()s to kill Xen.
-
-This is fixed by only updating the m2p table iff the p2m was
-successfully updated.
-
-This is a security problem, XSA-22 / CVE-2012-4537.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d
- if ( mfn_valid(_mfn(mfn)) )
- {
- if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
-+ {
- rc = -EINVAL;
-+ goto out; /* Failed to update p2m, bail without updating m2p. */
-+ }
- if ( !p2m_is_grant(t) )
- {
- for ( i = 0; i < (1UL << page_order); i++ )
-@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d
- }
- }
-
-+out:
- p2m_unlock(p2m);
-
- return rc;
diff --git a/main/xen/xsa23-4.2-unstable.patch b/main/xen/xsa23-4.2-unstable.patch
deleted file mode 100644
index be80a61..0000000
--- a/main/xen/xsa23-4.2-unstable.patch
@@ -1,32 +0,0 @@
-xen/mm/shadow: check toplevel pagetables are present before unhooking them.
-
-If the guest has not fully populated its top-level PAE entries when it calls
-HVMOP_pagetable_dying, the shadow code could try to unhook entries from
-MFN 0. Add a check to avoid that case.
-
-This issue was introduced by c/s 21239:b9d2db109cf5.
-
-This is a security problem, XSA-23 / CVE-2012-4538.
-
-Signed-off-by: Tim Deegan <tim@xen.org>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
-diff -r cc56c0394db7 xen/arch/x86/mm/shadow/multi.c
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
- unsigned long gfn;
- mfn_t smfn, gmfn;
-
-- if ( fast_path )
-- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
-+ if ( fast_path ) {
-+ if ( pagetable_is_null(v->arch.shadow_table[i]) )
-+ smfn = _mfn(INVALID_MFN);
-+ else
-+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
-+ }
- else
- {
- /* retrieving the l2s */
diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch
deleted file mode 100644
index e46f513..0000000
--- a/main/xen/xsa24.patch
@@ -1,26 +0,0 @@
-compat/gnttab: Prevent infinite loop in compat code
-
-c/s 20281:95ea2052b41b, which introduces Grant Table version 2
-hypercalls introduces a vulnerability whereby the compat hypercall
-handler can fall into an infinite loop.
-
-If the watchdog is enabled, Xen will die after the timeout.
-
-This is a security problem, XSA-24 / CVE-2012-4539.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff -r bac883cf805a xen/common/compat/grant_table.c
---- a/xen/common/compat/grant_table.c
-+++ b/xen/common/compat/grant_table.c
-@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
- #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
- if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
- rc = -EFAULT;
-+ else
-+ i = 1;
- }
- break;
- }
diff --git a/main/xen/xsa25-4.2.patch b/main/xen/xsa25-4.2.patch
deleted file mode 100644
index 088d787..0000000
--- a/main/xen/xsa25-4.2.patch
@@ -1,365 +0,0 @@
-libxc: builder: limit maximum size of kernel/ramdisk.
-
-Allowing user supplied kernels of arbitrary sizes, especially during
-decompression, can swallow up dom0 memory leading to either virtual
-address space exhaustion in the builder process or allocation
-failures/OOM killing of both toolstack and unrelated processes.
-
-We disable these checks when building in a stub domain for pvgrub
-since this uses the guest's own memory and is isolated.
-
-Decompression of gzip compressed kernels and ramdisks has been safe
-since 14954:58205257517d (Xen 3.1.0 onwards).
-
-This is XSA-25 / CVE-2012-4544.
-
-Also make explicit checks for buffer overflows in various
-decompression routines. These were already ruled out due to other
-properties of the code but check them as a belt-and-braces measure.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/stubdom/grub/kexec.c b/stubdom/grub/kexec.c
-index 06bef52..b21c91a 100644
---- a/stubdom/grub/kexec.c
-+++ b/stubdom/grub/kexec.c
-@@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_size, void *module, long module_size, char
- dom = xc_dom_allocate(xc_handle, cmdline, features);
- dom->allocate = kexec_allocate;
-
-+ /* We are using guest owned memory, therefore no limits. */
-+ xc_dom_kernel_max_size(dom, 0);
-+ xc_dom_ramdisk_max_size(dom, 0);
-+
- dom->kernel_blob = kernel;
- dom->kernel_size = kernel_size;
-
-diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
-index 2aef64a..6a72aa9 100644
---- a/tools/libxc/xc_dom.h
-+++ b/tools/libxc/xc_dom.h
-@@ -55,6 +55,9 @@ struct xc_dom_image {
- void *ramdisk_blob;
- size_t ramdisk_size;
-
-+ size_t max_kernel_size;
-+ size_t max_ramdisk_size;
-+
- /* arguments and parameters */
- char *cmdline;
- uint32_t f_requested[XENFEAT_NR_SUBMAPS];
-@@ -180,6 +183,23 @@ void xc_dom_release_phys(struct xc_dom_image *dom);
- void xc_dom_release(struct xc_dom_image *dom);
- int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb);
-
-+/* Set this larger if you have enormous ramdisks/kernels. Note that
-+ * you should trust all kernels not to be maliciously large (e.g. to
-+ * exhaust all dom0 memory) if you do this (see CVE-2012-4544 /
-+ * XSA-25). You can also set the default independently for
-+ * ramdisks/kernels in xc_dom_allocate() or call
-+ * xc_dom_{kernel,ramdisk}_max_size.
-+ */
-+#ifndef XC_DOM_DECOMPRESS_MAX
-+#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */
-+#endif
-+
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz);
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz);
-+
- size_t xc_dom_check_gzip(xc_interface *xch,
- void *blob, size_t ziplen);
- int xc_dom_do_gunzip(xc_interface *xch,
-@@ -240,7 +260,8 @@ void xc_dom_log_memory_footprint(struct xc_dom_image *dom);
- void *xc_dom_malloc(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
-- const char *filename, size_t * size);
-+ const char *filename, size_t * size,
-+ const size_t max_size);
- char *xc_dom_strdup(struct xc_dom_image *dom, const char *str);
-
- /* --- alloc memory pool ------------------------------------------- */
-diff --git a/tools/libxc/xc_dom_bzimageloader.c b/tools/libxc/xc_dom_bzimageloader.c
-index 113d40f..b1b2eb0 100644
---- a/tools/libxc/xc_dom_bzimageloader.c
-+++ b/tools/libxc/xc_dom_bzimageloader.c
-@@ -47,13 +47,19 @@ static int xc_try_bzip2_decode(
- char *out_buf;
- char *tmp_buf;
- int retval = -1;
-- int outsize;
-+ unsigned int outsize;
- uint64_t total;
-
- stream.bzalloc = NULL;
- stream.bzfree = NULL;
- stream.opaque = NULL;
-
-+ if ( dom->kernel_size == 0)
-+ {
-+ DOMPRINTF("BZIP2: Input is 0 size");
-+ return -1;
-+ }
-+
- ret = BZ2_bzDecompressInit(&stream, 0, 0);
- if ( ret != BZ_OK )
- {
-@@ -66,6 +72,17 @@ static int xc_try_bzip2_decode(
- * the input buffer to start, and we'll realloc as needed.
- */
- outsize = dom->kernel_size;
-+
-+ /*
-+ * stream.avail_in and outsize are unsigned int, while kernel_size
-+ * is a size_t. Check we aren't overflowing.
-+ */
-+ if ( outsize != dom->kernel_size )
-+ {
-+ DOMPRINTF("BZIP2: Input too large");
-+ goto bzip2_cleanup;
-+ }
-+
- out_buf = malloc(outsize);
- if ( out_buf == NULL )
- {
-@@ -98,13 +115,20 @@ static int xc_try_bzip2_decode(
- if ( stream.avail_out == 0 )
- {
- /* Protect against output buffer overflow */
-- if ( outsize > INT_MAX / 2 )
-+ if ( outsize > UINT_MAX / 2 )
- {
- DOMPRINTF("BZIP2: output buffer overflow");
- free(out_buf);
- goto bzip2_cleanup;
- }
-
-+ if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+ {
-+ DOMPRINTF("BZIP2: output too large");
-+ free(out_buf);
-+ goto bzip2_cleanup;
-+ }
-+
- tmp_buf = realloc(out_buf, outsize * 2);
- if ( tmp_buf == NULL )
- {
-@@ -172,9 +196,15 @@ static int _xc_try_lzma_decode(
- unsigned char *out_buf;
- unsigned char *tmp_buf;
- int retval = -1;
-- int outsize;
-+ size_t outsize;
- const char *msg;
-
-+ if ( dom->kernel_size == 0)
-+ {
-+ DOMPRINTF("%s: Input is 0 size", what);
-+ return -1;
-+ }
-+
- /* sigh. We don't know up-front how much memory we are going to need
- * for the output buffer. Allocate the output buffer to be equal
- * the input buffer to start, and we'll realloc as needed.
-@@ -244,13 +274,20 @@ static int _xc_try_lzma_decode(
- if ( stream->avail_out == 0 )
- {
- /* Protect against output buffer overflow */
-- if ( outsize > INT_MAX / 2 )
-+ if ( outsize > SIZE_MAX / 2 )
- {
- DOMPRINTF("%s: output buffer overflow", what);
- free(out_buf);
- goto lzma_cleanup;
- }
-
-+ if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+ {
-+ DOMPRINTF("%s: output too large", what);
-+ free(out_buf);
-+ goto lzma_cleanup;
-+ }
-+
- tmp_buf = realloc(out_buf, outsize * 2);
- if ( tmp_buf == NULL )
- {
-@@ -359,6 +396,12 @@ static int xc_try_lzo1x_decode(
- 0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
- };
-
-+ /*
-+ * lzo_uint should match size_t. Check that this is the case to be
-+ * sure we won't overflow various lzo_uint fields.
-+ */
-+ XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t));
-+
- ret = lzo_init();
- if ( ret != LZO_E_OK )
- {
-@@ -438,6 +481,14 @@ static int xc_try_lzo1x_decode(
- if ( src_len <= 0 || src_len > dst_len || src_len > left )
- break;
-
-+ msg = "Output buffer overflow";
-+ if ( *size > SIZE_MAX - dst_len )
-+ break;
-+
-+ msg = "Decompressed image too large";
-+ if ( xc_dom_kernel_check_size(dom, *size + dst_len) )
-+ break;
-+
- msg = "Failed to (re)alloc memory";
- tmp_buf = realloc(out_buf, *size + dst_len);
- if ( tmp_buf == NULL )
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index fea9de5..2a01d7c 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-@@ -159,7 +159,8 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size)
- }
-
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
-- const char *filename, size_t * size)
-+ const char *filename, size_t * size,
-+ const size_t max_size)
- {
- struct xc_dom_mem *block = NULL;
- int fd = -1;
-@@ -171,6 +172,13 @@ void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
- lseek(fd, 0, SEEK_SET);
- *size = lseek(fd, 0, SEEK_END);
-
-+ if ( max_size && *size > max_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
-+ "tried to map file which is too large");
-+ goto err;
-+ }
-+
- block = malloc(sizeof(*block));
- if ( block == NULL )
- goto err;
-@@ -222,6 +230,40 @@ char *xc_dom_strdup(struct xc_dom_image *dom, const char *str)
- }
-
- /* ------------------------------------------------------------------------ */
-+/* decompression buffer sizing */
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ /* No limit */
-+ if ( !dom->max_kernel_size )
-+ return 0;
-+
-+ if ( sz > dom->max_kernel_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+ "kernel image too large");
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ /* No limit */
-+ if ( !dom->max_ramdisk_size )
-+ return 0;
-+
-+ if ( sz > dom->max_ramdisk_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+ "ramdisk image too large");
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+/* ------------------------------------------------------------------------ */
- /* read files, copy memory blocks, with transparent gunzip */
-
- size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
-@@ -235,7 +277,7 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
-
- gzlen = blob + ziplen - 4;
- unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0];
-- if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */
-+ if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) )
- {
- xc_dom_printf
- (xch,
-@@ -288,6 +330,9 @@ int xc_dom_try_gunzip(struct xc_dom_image *dom, void **blob, size_t * size)
- if ( unziplen == 0 )
- return 0;
-
-+ if ( xc_dom_kernel_check_size(dom, unziplen) )
-+ return 0;
-+
- unzip = xc_dom_malloc(dom, unziplen);
- if ( unzip == NULL )
- return -1;
-@@ -588,6 +633,9 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch,
- memset(dom, 0, sizeof(*dom));
- dom->xch = xch;
-
-+ dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX;
-+ dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX;
-+
- if ( cmdline )
- dom->cmdline = xc_dom_strdup(dom, cmdline);
- if ( features )
-@@ -608,10 +656,25 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch,
- return NULL;
- }
-
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz);
-+ dom->max_kernel_size = sz;
-+ return 0;
-+}
-+
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz);
-+ dom->max_ramdisk_size = sz;
-+ return 0;
-+}
-+
- int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename)
- {
- DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
-- dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size);
-+ dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size,
-+ dom->max_kernel_size);
- if ( dom->kernel_blob == NULL )
- return -1;
- return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
-@@ -621,7 +684,9 @@ int xc_dom_ramdisk_file(struct xc_dom_image *dom, const char *filename)
- {
- DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
- dom->ramdisk_blob =
-- xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size);
-+ xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size,
-+ dom->max_ramdisk_size);
-+
- if ( dom->ramdisk_blob == NULL )
- return -1;
- // return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size);
-@@ -781,7 +846,11 @@ int xc_dom_build_image(struct xc_dom_image *dom)
- void *ramdiskmap;
-
- unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size);
-+ if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 )
-+ unziplen = 0;
-+
- ramdisklen = unziplen ? unziplen : dom->ramdisk_size;
-+
- if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0,
- ramdisklen) != 0 )
- goto err;
diff --git a/main/xen/xsa26-4.2.patch b/main/xen/xsa26-4.2.patch
deleted file mode 100644
index 44b8f34..0000000
--- a/main/xen/xsa26-4.2.patch
@@ -1,105 +0,0 @@
-gnttab: fix releasing of memory upon switches between versions
-
-gnttab_unpopulate_status_frames() incompletely freed the pages
-previously used as status frame in that they did not get removed from
-the domain's xenpage_list, thus causing subsequent list corruption
-when those pages did get allocated again for the same or another purpose.
-
-Similarly, grant_table_create() and gnttab_grow_table() both improperly
-clean up in the event of an error - pages already shared with the guest
-can't be freed by just passing them to free_xenheap_page(). Fix this by
-sharing the pages only after all allocations succeeded.
-
-This is CVE-2012-5510 / XSA-26.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index c01ad00..6fb2be9 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-@@ -1173,12 +1173,13 @@ fault:
- }
-
- static int
--gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
-+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
-+ unsigned int req_nr_frames)
- {
- unsigned i;
- unsigned req_status_frames;
-
-- req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
-+ req_status_frames = grant_to_status_frames(req_nr_frames);
- for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
- {
- if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
-@@ -1209,7 +1210,12 @@ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
-
- for ( i = 0; i < nr_status_frames(gt); i++ )
- {
-- page_set_owner(virt_to_page(gt->status[i]), dom_xen);
-+ struct page_info *pg = virt_to_page(gt->status[i]);
-+
-+ BUG_ON(page_get_owner(pg) != d);
-+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
-+ put_page(pg);
-+ BUG_ON(pg->count_info & ~PGC_xen_heap);
- free_xenheap_page(gt->status[i]);
- gt->status[i] = NULL;
- }
-@@ -1247,19 +1253,18 @@ gnttab_grow_table(struct domain *d, unsigned int req_nr_frames)
- clear_page(gt->shared_raw[i]);
- }
-
-- /* Share the new shared frames with the recipient domain */
-- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
-- gnttab_create_shared_page(d, gt, i);
--
-- gt->nr_grant_frames = req_nr_frames;
--
- /* Status pages - version 2 */
- if (gt->gt_version > 1)
- {
-- if ( gnttab_populate_status_frames(d, gt) )
-+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
- goto shared_alloc_failed;
- }
-
-+ /* Share the new shared frames with the recipient domain */
-+ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
-+ gnttab_create_shared_page(d, gt, i);
-+ gt->nr_grant_frames = req_nr_frames;
-+
- return 1;
-
- shared_alloc_failed:
-@@ -2157,7 +2162,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gnttab_set_version_t uop))
-
- if ( op.version == 2 && gt->gt_version < 2 )
- {
-- res = gnttab_populate_status_frames(d, gt);
-+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
- if ( res < 0)
- goto out_unlock;
- }
-@@ -2600,14 +2605,15 @@ grant_table_create(
- clear_page(t->shared_raw[i]);
- }
-
-- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-- gnttab_create_shared_page(d, t, i);
--
- /* Status pages for grant table - for version 2 */
- t->status = xzalloc_array(grant_status_t *,
- grant_to_status_frames(max_nr_grant_frames));
- if ( t->status == NULL )
- goto no_mem_4;
-+
-+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-+ gnttab_create_shared_page(d, t, i);
-+
- t->nr_status_frames = 0;
-
- /* Okay, install the structure. */
diff --git a/main/xen/xsa27-4.2.patch b/main/xen/xsa27-4.2.patch
deleted file mode 100644
index 62a8d76..0000000
--- a/main/xen/xsa27-4.2.patch
@@ -1,136 +0,0 @@
-hvm: Limit the size of large HVM op batches
-
-Doing large p2m updates for HVMOP_track_dirty_vram without preemption
-ties up the physical processor. Integrating preemption into the p2m
-updates is hard so simply limit to 1GB which is sufficient for a 15000
-* 15000 * 32bpp framebuffer.
-
-For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
-necessary machinery to handle preemption.
-
-This is CVE-2012-5511 / XSA-27.
-
-Signed-off-by: Tim Deegan <tim@xen.org>
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-v2: Provide definition of GB to fix x86-32 compile.
-
-Signed-off-by: Jan Beulich <JBeulich@suse.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-
-diff -r 7c4d806b3753 xen/arch/x86/hvm/hvm.c
---- a/xen/arch/x86/hvm/hvm.c Fri Nov 16 15:56:14 2012 +0000
-+++ b/xen/arch/x86/hvm/hvm.c Mon Nov 19 14:42:10 2012 +0000
-@@ -3969,6 +3969,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
- if ( !is_hvm_domain(d) )
- goto param_fail2;
-
-+ if ( a.nr > GB(1) >> PAGE_SHIFT )
-+ goto param_fail2;
-+
- rc = xsm_hvm_param(d, op);
- if ( rc )
- goto param_fail2;
-@@ -3995,7 +3998,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
- {
- struct xen_hvm_modified_memory a;
- struct domain *d;
-- unsigned long pfn;
-
- if ( copy_from_guest(&a, arg, 1) )
- return -EFAULT;
-@@ -4022,9 +4024,11 @@ long do_hvm_op(unsigned long op, XEN_GUE
- if ( !paging_mode_log_dirty(d) )
- goto param_fail3;
-
-- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+ while ( a.nr > 0 )
- {
-+ unsigned long pfn = a.first_pfn;
- struct page_info *page;
-+
- page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE);
- if ( page )
- {
-@@ -4034,6 +4038,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
- sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0);
- put_page(page);
- }
-+
-+ a.first_pfn++;
-+ a.nr--;
-+
-+ /* Check for continuation if it's not the last interation */
-+ if ( a.nr > 0 && hypercall_preempt_check() )
-+ {
-+ if ( copy_to_guest(arg, &a, 1) )
-+ rc = -EFAULT;
-+ else
-+ rc = -EAGAIN;
-+ break;
-+ }
- }
-
- param_fail3:
-@@ -4089,7 +4106,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
- {
- struct xen_hvm_set_mem_type a;
- struct domain *d;
-- unsigned long pfn;
-
- /* Interface types to internal p2m types */
- p2m_type_t memtype[] = {
-@@ -4122,8 +4138,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
- if ( a.hvmmem_type >= ARRAY_SIZE(memtype) )
- goto param_fail4;
-
-- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+ while ( a.nr )
- {
-+ unsigned long pfn = a.first_pfn;
- p2m_type_t t;
- p2m_type_t nt;
- mfn_t mfn;
-@@ -4163,6 +4180,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
- }
- }
- put_gfn(d, pfn);
-+
-+ a.first_pfn++;
-+ a.nr--;
-+
-+ /* Check for continuation if it's not the last interation */
-+ if ( a.nr > 0 && hypercall_preempt_check() )
-+ {
-+ if ( copy_to_guest(arg, &a, 1) )
-+ rc = -EFAULT;
-+ else
-+ rc = -EAGAIN;
-+ goto param_fail4;
-+ }
- }
-
- rc = 0;
-diff -r 7c4d806b3753 xen/include/asm-x86/config.h
---- a/xen/include/asm-x86/config.h Fri Nov 16 15:56:14 2012 +0000
-+++ b/xen/include/asm-x86/config.h Mon Nov 19 14:42:10 2012 +0000
-@@ -119,6 +119,9 @@ extern char wakeup_start[];
- extern unsigned int video_mode, video_flags;
- extern unsigned short boot_edid_caps;
- extern unsigned char boot_edid_info[128];
-+
-+#define GB(_gb) (_gb ## UL << 30)
-+
- #endif
-
- #define asmlinkage
-@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128]
- #define PML4_ADDR(_slot) \
- ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \
- (_slot ## UL << PML4_ENTRY_BITS))
--#define GB(_gb) (_gb ## UL << 30)
- #else
- #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS)
- #define PML4_ADDR(_slot) \
diff --git a/main/xen/xsa29-4.2-unstable.patch b/main/xen/xsa29-4.2-unstable.patch
deleted file mode 100644
index ec3111f..0000000
--- a/main/xen/xsa29-4.2-unstable.patch
@@ -1,49 +0,0 @@
-xen: add missing guest address range checks to XENMEM_exchange handlers
-
-Ever since its existence (3.0.3 iirc) the handler for this has been
-using non address range checking guest memory accessors (i.e.
-the ones prefixed with two underscores) without first range
-checking the accessed space (via guest_handle_okay()), allowing
-a guest to access and overwrite hypervisor memory.
-
-This is XSA-29 / CVE-2012-5513.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
-index 996151c..a49f51b 100644
---- a/xen/common/compat/memory.c
-+++ b/xen/common/compat/memory.c
-@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
- (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
- return -EINVAL;
-
-+ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
-+ cmp.xchg.in.nr_extents) ||
-+ !compat_handle_okay(cmp.xchg.out.extent_start,
-+ cmp.xchg.out.nr_extents) )
-+ return -EFAULT;
-+
- start_extent = cmp.xchg.nr_exchanged;
- end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
- (((1U << ABS(order_delta)) + 1) *
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 83e2666..bdb6ed8 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
- goto fail_early;
- }
-
-+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
-+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
-+ {
-+ rc = -EFAULT;
-+ goto fail_early;
-+ }
-+
- /* Only privileged guests can allocate multi-page contiguous extents. */
- if ( !multipage_allocation_permitted(current->domain,
- exch.in.extent_order) ||
diff --git a/main/xen/xsa30-4.2.patch b/main/xen/xsa30-4.2.patch
deleted file mode 100644
index c46571d..0000000
--- a/main/xen/xsa30-4.2.patch
@@ -1,56 +0,0 @@
-xen: fix error handling of guest_physmap_mark_populate_on_demand()
-
-The only user of the "out" label bypasses a necessary unlock, thus
-enabling the caller to lock up Xen.
-
-Also, the function was never meant to be called by a guest for itself,
-so rather than inspecting the code paths in depth for potential other
-problems this might cause, and adjusting e.g. the non-guest printk()
-in the above error path, just disallow the guest access to it.
-
-Finally, the printk() (considering its potential of spamming the log,
-the more that it's not using XENLOG_GUEST), is being converted to
-P2M_DEBUG(), as debugging is what it apparently was added for in the
-first place.
-
-This is XSA-30 / CVE-2012-5514.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff -r 7c4d806b3753 xen/arch/x86/mm/p2m-pod.c
---- a/xen/arch/x86/mm/p2m-pod.c Fri Nov 16 15:56:14 2012 +0000
-+++ b/xen/arch/x86/mm/p2m-pod.c Thu Nov 22 17:02:32 2012 +0000
-@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
- mfn_t omfn;
- int rc = 0;
-
-+ if ( !IS_PRIV_FOR(current->domain, d) )
-+ return -EPERM;
-+
- if ( !paging_mode_translate(d) )
- return -EINVAL;
-
-@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
- omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
- if ( p2m_is_ram(ot) )
- {
-- printk("%s: gfn_to_mfn returned type %d!\n",
-- __func__, ot);
-+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
- rc = -EBUSY;
- goto out;
- }
-@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
- pod_unlock(p2m);
- }
-
-+out:
- gfn_unlock(p2m, gfn, order);
-
--out:
- return rc;
- }
-
diff --git a/main/xen/xsa31-4.2-unstable.patch b/main/xen/xsa31-4.2-unstable.patch
deleted file mode 100644
index 2229c4c..0000000
--- a/main/xen/xsa31-4.2-unstable.patch
@@ -1,50 +0,0 @@
-memop: limit guest specified extent order
-
-Allowing unbounded order values here causes almost unbounded loops
-and/or partially incomplete requests, particularly in PoD code.
-
-The added range checks in populate_physmap(), decrease_reservation(),
-and the "in" one in memory_exchange() architecturally all could use
-PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
-MAX_ORDER.
-
-This is XSA-31 / CVE-2012-5515.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 83e2666..2e56d46 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -115,7 +115,8 @@ static void populate_physmap(struct memop_args *a)
-
- if ( a->memflags & MEMF_populate_on_demand )
- {
-- if ( guest_physmap_mark_populate_on_demand(d, gpfn,
-+ if ( a->extent_order > MAX_ORDER ||
-+ guest_physmap_mark_populate_on_demand(d, gpfn,
- a->extent_order) < 0 )
- goto out;
- }
-@@ -235,7 +236,8 @@ static void decrease_reservation(struct memop_args *a)
- xen_pfn_t gmfn;
-
- if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
-- a->nr_extents-1) )
-+ a->nr_extents-1) ||
-+ a->extent_order > MAX_ORDER )
- return;
-
- for ( i = a->nr_done; i < a->nr_extents; i++ )
-@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
- if ( (exch.nr_exchanged > exch.in.nr_extents) ||
- /* Input and output domain identifiers match? */
- (exch.in.domid != exch.out.domid) ||
-+ /* Extent orders are sensible? */
-+ (exch.in.extent_order > MAX_ORDER) ||
-+ (exch.out.extent_order > MAX_ORDER) ||
- /* Sizes of input and output lists do not overflow a long? */
- ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
- ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
diff --git a/main/xen/xsa32-4.2.patch b/main/xen/xsa32-4.2.patch
deleted file mode 100644
index 9800609..0000000
--- a/main/xen/xsa32-4.2.patch
@@ -1,22 +0,0 @@
-x86: get_page_from_gfn() must return NULL for invalid GFNs
-
-... also in the non-translated case.
-
-This is XSA-32 / CVE-2012-xxxx.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Tim Deegan <tim@xen.org>
-
-diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
-index 7a7c7eb..d5665b8 100644
---- a/xen/include/asm-x86/p2m.h
-+++ b/xen/include/asm-x86/p2m.h
-@@ -400,7 +400,7 @@ static inline struct page_info *get_page_from_gfn(
- if (t)
- *t = p2m_ram_rw;
- page = __mfn_to_page(gfn);
-- return get_page(page, d) ? page : NULL;
-+ return mfn_valid(gfn) && get_page(page, d) ? page : NULL;
- }
-
-
--
1.7.7.5 (Apple Git-26)
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---