---
Apply against 2.3/2.4 stable trees
---
main/xen/APKBUILD | 50 +----
main/xen/xsa-12.patch | 32 ---
main/xen/xsa-13.patch | 41 ----
main/xen/xsa-14.patch | 32 ---
main/xen/xsa-15-1.patch | 37 ---
main/xen/xsa-15-2.patch | 54 -----
main/xen/xsa-15-3.patch | 32 ---
main/xen/xsa-15-4.patch | 51 -----
main/xen/xsa-15-5.patch | 563 ----------------------------------------------
main/xen/xsa-16.patch | 42 ----
main/xen/xsa-17.patch | 122 ----------
main/xen/xsa-20.patch | 56 -----
main/xen/xsa-21.patch | 42 ----
main/xen/xsa-22.patch | 51 -----
main/xen/xsa-23.patch | 44 ----
main/xen/xsa-24.patch | 41 ----
main/xen/xsa-25.patch | 474 --------------------------------------
main/xen/xsa26-4.1.patch | 107 ---------
main/xen/xsa27-4.1.patch | 168 --------------
main/xen/xsa28-4.1.patch | 36 ---
main/xen/xsa29-4.1.patch | 49 ----
main/xen/xsa30-4.1.patch | 57 -----
main/xen/xsa31-4.1.patch | 50 ----
23 files changed, 3 insertions(+), 2228 deletions(-)
delete mode 100644 main/xen/xsa-12.patch
delete mode 100644 main/xen/xsa-13.patch
delete mode 100644 main/xen/xsa-14.patch
delete mode 100644 main/xen/xsa-15-1.patch
delete mode 100644 main/xen/xsa-15-2.patch
delete mode 100644 main/xen/xsa-15-3.patch
delete mode 100644 main/xen/xsa-15-4.patch
delete mode 100644 main/xen/xsa-15-5.patch
delete mode 100644 main/xen/xsa-16.patch
delete mode 100644 main/xen/xsa-17.patch
delete mode 100644 main/xen/xsa-20.patch
delete mode 100644 main/xen/xsa-21.patch
delete mode 100644 main/xen/xsa-22.patch
delete mode 100644 main/xen/xsa-23.patch
delete mode 100644 main/xen/xsa-24.patch
delete mode 100644 main/xen/xsa-25.patch
delete mode 100644 main/xen/xsa26-4.1.patch
delete mode 100644 main/xen/xsa27-4.1.patch
delete mode 100644 main/xen/xsa28-4.1.patch
delete mode 100644 main/xen/xsa29-4.1.patch
delete mode 100644 main/xen/xsa30-4.1.patch
delete mode 100644 main/xen/xsa31-4.1.patch
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 2d8c316..e5eba08 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
-pkgver=4.1.3
-pkgrel=1
+pkgver=4.1.4
+pkgrel=0
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
@@ -22,28 +22,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
define_fsimage_dir.patch
librt.patch
busybox-sed.patch
- xsa-12.patch
- xsa-13.patch
- xsa-14.patch
- xsa-15-1.patch
- xsa-15-2.patch
- xsa-15-3.patch
- xsa-15-4.patch
- xsa-15-5.patch
- xsa-16.patch
- xsa-17.patch
- xsa-20.patch
- xsa-21.patch
- xsa-22.patch
- xsa-23.patch
- xsa-24.patch
- xsa-25.patch
- xsa26-4.1.patch
- xsa27-4.1.patch
- xsa28-4.1.patch
- xsa29-4.1.patch
- xsa30-4.1.patch
- xsa31-4.1.patch
xenstored.initd
xenstored.confd
@@ -135,7 +113,7 @@ hypervisor() {
mv "$pkgdir"/boot "$subpkgdir"/
}
-md5sums="bed929d5c5e5135cab40e2a6aab73fa0 xen-4.1.3.tar.gz
+md5sums="f71e0ffd2c31a855c28935f642ae94f8 xen-4.1.4.tar.gz
6d4b045ae56be6288733d0e078f591ea blktap2_libvhd_add_iconv.patch
ed3283697cb1ddff066f4087eabf68c6 detect_libiconv.patch
503f0883f4a0b50fe4e37e09ed9a6177 fix_bswap_blktap.patch
@@ -143,28 +121,6 @@ b973dc1ffcc6872e222b36f3b7b4836b fix_bswap_blktap2.patch
0bb8a435020a5a49b38b1a447fb69977 define_fsimage_dir.patch
fa06495a175571f4aa3b6cb88937953e librt.patch
1bea3543ddc712330527b62fd9ff6520 busybox-sed.patch
-8a7bf334786c3fcafa9f9ae407c56a86 xsa-12.patch
-73ba610d9098022f4fc3fb8b10111836 xsa-13.patch
-e7b2e777128fb45386642be324fbd85e xsa-14.patch
-e38a8799c358c5959bc0146f7fb7bd2f xsa-15-1.patch
-8097d6451ab6d33f8374df316562a961 xsa-15-2.patch
-75a12e9f62188677e5be6b33990b8b3c xsa-15-3.patch
-060667428ae4f12ab93a218238d3ff14 xsa-15-4.patch
-ff8c8c952808a5d1c8258013608b8f19 xsa-15-5.patch
-bbd0801bd2f8b501b366368be1520090 xsa-16.patch
-a9d0b6ea849e40be80bed23b93138bba xsa-17.patch
-c7ba117dba1ee05c8944cc62c4dd1ce1 xsa-20.patch
-1324c3a8999ca113ca0b60daad361bb0 xsa-21.patch
-24e3db4c01c2ad8d17539b7a20d057d2 xsa-22.patch
-4d16a72c8c5e28ab439227e7e96d5650 xsa-23.patch
-8d58e94aa0d3ed43178fdcbd1af7d9fc xsa-24.patch
-e5f0a25cc5cb7245be0be5c9d19adef2 xsa-25.patch
-0ef1933756429c5204d4cb59e20a609a xsa26-4.1.patch
-075932924d01e4fc231bf37a14241ccb xsa27-4.1.patch
-0d59195f99e5f871cd4606cfb9c2ffdf xsa28-4.1.patch
-8e69a2b2819a26504ca12353dc6ce829 xsa29-4.1.patch
-4acab55051e542761d9ac5f782964dcb xsa30-4.1.patch
-2b9c5737b2910dc077c6e654b973947f xsa31-4.1.patch
6e5739dad7e2bd1b625e55ddc6c782b7 xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
ed262f15fb880badb53575539468646c xenconsoled.initd
diff --git a/main/xen/xsa-12.patch b/main/xen/xsa-12.patch
deleted file mode 100644
index 8f7295a..0000000
--- a/main/xen/xsa-12.patch
@@ -1,32 +0,0 @@
-From ab4f401a1a2149dff14667a383f2e4a1757682ef Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:27:54 +0100
-Subject: [PATCH] xen: prevent a 64 bit guest setting reserved bits in DR7
-
-The upper 32 bits of this register are reserved and should be written as
-zero.
-
-This is XSA-12 / CVE-2012-3494
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
----
- xen/include/asm-x86/debugreg.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/xen/include/asm-x86/debugreg.h b/xen/include/asm-x86/debugreg.h
-index 9b7e971..24021b8 100644
---- a/xen/include/asm-x86/debugreg.h
-+++ b/xen/include/asm-x86/debugreg.h
-@@ -58,7 +58,7 @@
- We can slow the instruction pipeline for instructions coming via the
- gdt or the ldt if we want to. I am not sure why this is an advantage */
-
--#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
-+#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
- #define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */
- #define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */
- #define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-13.patch b/main/xen/xsa-13.patch
deleted file mode 100644
index 1a28194..0000000
--- a/main/xen/xsa-13.patch
@@ -1,41 +0,0 @@
-From 06f0a9bfc333916cece9516a7ff1e35289e9f16f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:28:17 +0100
-Subject: [PATCH] xen: handle out-of-pirq condition correctly in
- PHYSDEVOP_get_free_pirq
-
-This is XSA-13 / CVE-2012-3495
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Signed-off-by: Jan Beulich <JBeulich@suse.com>
----
- xen/arch/x86/physdev.c | 11 ++++++++---
- 1 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
-index 8c24559..e037a94 100644
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-@@ -587,11 +587,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE(void) arg)
- break;
-
- spin_lock(&d->event_lock);
-- out.pirq = get_free_pirq(d, out.type, 0);
-- d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
-+ ret = get_free_pirq(d, out.type, 0);
-+ if ( ret >= 0 )
-+ d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
- spin_unlock(&d->event_lock);
-
-- ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
-+ if ( ret >= 0 )
-+ {
-+ out.pirq = ret;
-+ ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
-+ }
-
- rcu_unlock_domain(d);
- break;
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-14.patch b/main/xen/xsa-14.patch
deleted file mode 100644
index 6029ced..0000000
--- a/main/xen/xsa-14.patch
@@ -1,32 +0,0 @@
-From 161e4805de91e10fbe30d91c1f1bbe967d4365d8 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:29:05 +0100
-Subject: [PATCH] xen: Don't BUG_ON() PoD operations on a non-translated
- guest.
-
-This is XSA-14 / CVE-2012-3496
-
-Signed-off-by: Tim Deegan <tim@xen.org>
-Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
-Tested-by: Ian Campbell <ian.campbell@citrix.com>
----
- xen/arch/x86/mm/p2m.c | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
-index e095118..eda9c8f 100644
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(struct domain *d, unsigned long gfn,
- int pod_count = 0;
- int rc = 0;
-
-- BUG_ON(!paging_mode_translate(d));
-+ if ( !paging_mode_translate(d) )
-+ return -EINVAL;
-
- rc = gfn_check_limit(d, gfn, order);
- if ( rc != 0 )
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-1.patch b/main/xen/xsa-15-1.patch
deleted file mode 100644
index 4a68bc5..0000000
--- a/main/xen/xsa-15-1.patch
@@ -1,37 +0,0 @@
-From 16bae237b197bc925a60c5c783004e609e9b43c1 Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell@citrix.com>
-Date: Tue, 25 Sep 2012 12:24:06 +0200
-Subject: [PATCH] tmem: only allow tmem control operations from privileged
- domains
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-xen-unstable changeset: 25850:0dba5a888655
-xen-unstable date: Tue Sep 11 12:06:30 UTC 2012
----
- xen/common/tmem.c | 6 ++----
- 1 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 1c155db..06c9e0e 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-@@ -2544,10 +2544,8 @@ static NOINLINE int do_tmem_control(struct tmem_op *op)
- OID *oidp = (OID *)(&op->u.ctrl.oid[0]);
-
- if (!tmh_current_is_privileged())
-- {
-- /* don't fail... mystery: sometimes dom0 fails here */
-- /* return -EPERM; */
-- }
-+ return -EPERM;
-+
- switch(subop)
- {
- case TMEMC_THAW:
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-2.patch b/main/xen/xsa-15-2.patch
deleted file mode 100644
index c099431..0000000
--- a/main/xen/xsa-15-2.patch
@@ -1,54 +0,0 @@
-From afdc11f69ab71efa24145f9e747964066bcecefd Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell@citrix.com>
-Date: Tue, 25 Sep 2012 12:24:37 +0200
-Subject: [PATCH] tmem: consistently make pool_id a uint32_t
-
-Treating it as an int could allow a malicious guest to provide a
-negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and
-allowing access to the negative offsets of the pool array.
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-xen-unstable changeset: 25851:fcf567acc92a
-xen-unstable date: Tue Sep 11 12:06:43 UTC 2012
----
- xen/common/tmem.c | 6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 06c9e0e..63a9ed0 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-@@ -2420,7 +2420,7 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
- return rc;
- }
-
--static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id,
-+static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
- tmem_cli_va_t buf, uint32_t bufsize)
- {
- client_t *client = tmh_client_from_cli_id(cli_id);
-@@ -2512,7 +2512,7 @@ out:
- return ret;
- }
-
--static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp,
-+static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp,
- uint32_t index, tmem_cli_va_t buf, uint32_t bufsize)
- {
- client_t *client = tmh_client_from_cli_id(cli_id);
-@@ -2524,7 +2524,7 @@ static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp,
- return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p);
- }
-
--static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp,
-+static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp,
- uint32_t index)
- {
- client_t *client = tmh_client_from_cli_id(cli_id);
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-3.patch b/main/xen/xsa-15-3.patch
deleted file mode 100644
index 7a4dec5..0000000
--- a/main/xen/xsa-15-3.patch
@@ -1,32 +0,0 @@
-From c7cafe83e0bee450cb0bde6c4921d5819dc96542 Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell@citrix.com>
-Date: Tue, 25 Sep 2012 12:24:57 +0200
-Subject: [PATCH] tmem: check the pool_id is valid when destroying a tmem pool
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-xen-unstable changeset: 25852:d189d99ef00c
-xen-unstable date: Tue Sep 11 12:06:54 UTC 2012
----
- xen/common/tmem.c | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 63a9ed0..6ad0670 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-@@ -1873,6 +1873,8 @@ static NOINLINE int do_tmem_destroy_pool(uint32_t pool_id)
-
- if ( client->pools == NULL )
- return 0;
-+ if ( pool_id >= MAX_POOLS_PER_DOMAIN )
-+ return 0;
- if ( (pool = client->pools[pool_id]) == NULL )
- return 0;
- client->pools[pool_id] = NULL;
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-4.patch b/main/xen/xsa-15-4.patch
deleted file mode 100644
index b9c6cfe..0000000
--- a/main/xen/xsa-15-4.patch
@@ -1,51 +0,0 @@
-From e28173699e5651c323f66062e73cca29a65c097f Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell@citrix.com>
-Date: Tue, 25 Sep 2012 12:25:25 +0200
-Subject: [PATCH] tmem: check for a valid client ("domain") in the save subops
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
-xen-unstable changeset: 25853:f53c5aadbba9
-xen-unstable date: Tue Sep 11 12:17:27 UTC 2012
----
- xen/common/tmem.c | 8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 6ad0670..83e3a06 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-@@ -2382,12 +2382,18 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
- rc = MAX_POOLS_PER_DOMAIN;
- break;
- case TMEMC_SAVE_GET_CLIENT_WEIGHT:
-+ if ( client == NULL )
-+ break;
- rc = client->weight == -1 ? -2 : client->weight;
- break;
- case TMEMC_SAVE_GET_CLIENT_CAP:
-+ if ( client == NULL )
-+ break;
- rc = client->cap == -1 ? -2 : client->cap;
- break;
- case TMEMC_SAVE_GET_CLIENT_FLAGS:
-+ if ( client == NULL )
-+ break;
- rc = (client->compress ? TMEM_CLIENT_COMPRESS : 0 ) |
- (client->was_frozen ? TMEM_CLIENT_FROZEN : 0 );
- break;
-@@ -2411,6 +2417,8 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
- *uuid = pool->uuid[1];
- rc = 0;
- case TMEMC_SAVE_END:
-+ if ( client == NULL )
-+ break;
- client->live_migrating = 0;
- if ( !list_empty(&client->persistent_invalidated_list) )
- list_for_each_entry_safe(pgp,pgp2,
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-15-5.patch b/main/xen/xsa-15-5.patch
deleted file mode 100644
index d45e96d..0000000
--- a/main/xen/xsa-15-5.patch
@@ -1,563 +0,0 @@
-From 1266749162fd232c79898706f01082847a0e618e Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Tue, 25 Sep 2012 12:26:06 +0200
-Subject: [PATCH] tmem: don't access guest memory without using the accessors
- intended for this
-
-This is not permitted, not even for buffers coming from Dom0 (and it
-would also break the moment Dom0 runs in HVM mode). An implication from
-the changes here is that tmh_copy_page() can't be used anymore for
-control operations calling tmh_copy_{from,to}_client() (as those pass
-the buffer by virtual address rather than MFN).
-
-Note that tmemc_save_get_next_page() previously didn't set the returned
-handle's pool_id field, while the new code does. It need to be
-confirmed that this is not a problem (otherwise the copy-out operation
-will require further tmh_...() abstractions to be added).
-
-Further note that the patch removes (rather than adjusts) an invalid
-call to unmap_domain_page() (no matching map_domain_page()) from
-tmh_compress_from_client() and adds a missing one to an error return
-path in tmh_copy_from_client().
-
-Finally note that the patch adds a previously missing return statement
-to cli_get_page() (without which that function could de-reference a
-NULL pointer, triggerable from guest mode).
-
-This is part of XSA-15 / CVE-2012-3497.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
-xen-unstable changeset: 25854:ccd60ed6c555
-xen-unstable date: Tue Sep 11 12:17:49 UTC 2012
----
- xen/common/tmem.c | 90 ++++++++++++++++++++++++--------------------
- xen/common/tmem_xen.c | 90 ++++++++++++++++++++++++++++++-------------
- xen/include/xen/tmem_xen.h | 20 ++++++---
- 3 files changed, 125 insertions(+), 75 deletions(-)
-
-diff --git a/xen/common/tmem.c b/xen/common/tmem.c
-index 83e3a06..ae02b37 100644
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
-@@ -387,11 +387,13 @@ static NOINLINE int pcd_copy_to_client(tmem_cli_mfn_t cmfn, pgp_t *pgp)
- pcd = pgp->pcd;
- if ( pgp->size < PAGE_SIZE && pgp->size != 0 &&
- pcd->size < PAGE_SIZE && pcd->size != 0 )
-- ret = tmh_decompress_to_client(cmfn, pcd->cdata, pcd->size, NULL);
-+ ret = tmh_decompress_to_client(cmfn, pcd->cdata, pcd->size,
-+ tmh_cli_buf_null);
- else if ( tmh_tze_enabled() && pcd->size < PAGE_SIZE )
- ret = tmh_copy_tze_to_client(cmfn, pcd->tze, pcd->size);
- else
-- ret = tmh_copy_to_client(cmfn, pcd->pfp, 0, 0, PAGE_SIZE, NULL);
-+ ret = tmh_copy_to_client(cmfn, pcd->pfp, 0, 0, PAGE_SIZE,
-+ tmh_cli_buf_null);
- tmem_read_unlock(&pcd_tree_rwlocks[firstbyte]);
- return ret;
- }
-@@ -1447,7 +1449,7 @@ static inline void tmem_ensure_avail_pages(void)
- /************ TMEM CORE OPERATIONS ************************************/
-
- static NOINLINE int do_tmem_put_compress(pgp_t *pgp, tmem_cli_mfn_t cmfn,
-- void *cva)
-+ tmem_cli_va_t clibuf)
- {
- void *dst, *p;
- size_t size;
-@@ -1466,7 +1468,7 @@ static NOINLINE int do_tmem_put_compress(pgp_t *pgp, tmem_cli_mfn_t cmfn,
- if ( pgp->pfp != NULL )
- pgp_free_data(pgp, pgp->us.obj->pool);
- START_CYC_COUNTER(compress);
-- ret = tmh_compress_from_client(cmfn, &dst, &size, cva);
-+ ret = tmh_compress_from_client(cmfn, &dst, &size, clibuf);
- if ( (ret == -EFAULT) || (ret == 0) )
- goto out;
- else if ( (size == 0) || (size >= tmem_subpage_maxsize()) ) {
-@@ -1493,7 +1495,8 @@ out:
- }
-
- static NOINLINE int do_tmem_dup_put(pgp_t *pgp, tmem_cli_mfn_t cmfn,
-- pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cva)
-+ pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len,
-+ tmem_cli_va_t clibuf)
- {
- pool_t *pool;
- obj_t *obj;
-@@ -1515,7 +1518,7 @@ static NOINLINE int do_tmem_dup_put(pgp_t *pgp, tmem_cli_mfn_t cmfn,
- /* can we successfully manipulate pgp to change out the data? */
- if ( len != 0 && client->compress && pgp->size != 0 )
- {
-- ret = do_tmem_put_compress(pgp,cmfn,cva);
-+ ret = do_tmem_put_compress(pgp, cmfn, clibuf);
- if ( ret == 1 )
- goto done;
- else if ( ret == 0 )
-@@ -1533,7 +1536,8 @@ copy_uncompressed:
- goto failed_dup;
- pgp->size = 0;
- /* tmh_copy_from_client properly handles len==0 and offsets != 0 */
-- ret = tmh_copy_from_client(pgp->pfp,cmfn,tmem_offset,pfn_offset,len,0);
-+ ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
-+ tmh_cli_buf_null);
- if ( ret == -EFAULT )
- goto bad_copy;
- if ( tmh_dedup_enabled() && !is_persistent(pool) )
-@@ -1585,7 +1589,7 @@ cleanup:
- static NOINLINE int do_tmem_put(pool_t *pool,
- OID *oidp, uint32_t index,
- tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
-- pagesize_t pfn_offset, pagesize_t len, void *cva)
-+ pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t clibuf)
- {
- obj_t *obj = NULL, *objfound = NULL, *objnew = NULL;
- pgp_t *pgp = NULL, *pgpdel = NULL;
-@@ -1599,7 +1603,8 @@ static NOINLINE int do_tmem_put(pool_t *pool,
- {
- ASSERT_SPINLOCK(&objfound->obj_spinlock);
- if ((pgp = pgp_lookup_in_obj(objfound, index)) != NULL)
-- return do_tmem_dup_put(pgp,cmfn,tmem_offset,pfn_offset,len,cva);
-+ return do_tmem_dup_put(pgp, cmfn, tmem_offset, pfn_offset, len,
-+ clibuf);
- }
-
- /* no puts allowed into a frozen pool (except dup puts) */
-@@ -1634,7 +1639,7 @@ static NOINLINE int do_tmem_put(pool_t *pool,
- if ( len != 0 && client->compress )
- {
- ASSERT(pgp->pfp == NULL);
-- ret = do_tmem_put_compress(pgp,cmfn,cva);
-+ ret = do_tmem_put_compress(pgp, cmfn, clibuf);
- if ( ret == 1 )
- goto insert_page;
- if ( ret == -ENOMEM )
-@@ -1658,7 +1663,8 @@ copy_uncompressed:
- goto delete_and_free;
- }
- /* tmh_copy_from_client properly handles len==0 (TMEM_NEW_PAGE) */
-- ret = tmh_copy_from_client(pgp->pfp,cmfn,tmem_offset,pfn_offset,len,cva);
-+ ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
-+ clibuf);
- if ( ret == -EFAULT )
- goto bad_copy;
- if ( tmh_dedup_enabled() && !is_persistent(pool) )
-@@ -1728,12 +1734,13 @@ free:
-
- static NOINLINE int do_tmem_get(pool_t *pool, OID *oidp, uint32_t index,
- tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
-- pagesize_t pfn_offset, pagesize_t len, void *cva)
-+ pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t clibuf)
- {
- obj_t *obj;
- pgp_t *pgp;
- client_t *client = pool->client;
- DECL_LOCAL_CYC_COUNTER(decompress);
-+ int rc = -EFAULT;
-
- if ( !_atomic_read(pool->pgp_count) )
- return -EEMPTY;
-@@ -1758,16 +1765,18 @@ static NOINLINE int do_tmem_get(pool_t *pool, OID *oidp, uint32_t index,
- if ( tmh_dedup_enabled() && !is_persistent(pool) &&
- pgp->firstbyte != NOT_SHAREABLE )
- {
-- if ( pcd_copy_to_client(cmfn, pgp) == -EFAULT )
-+ rc = pcd_copy_to_client(cmfn, pgp);
-+ if ( rc <= 0 )
- goto bad_copy;
- } else if ( pgp->size != 0 ) {
- START_CYC_COUNTER(decompress);
-- if ( tmh_decompress_to_client(cmfn, pgp->cdata,
-- pgp->size, cva) == -EFAULT )
-+ rc = tmh_decompress_to_client(cmfn, pgp->cdata,
-+ pgp->size, clibuf);
-+ if ( rc <= 0 )
- goto bad_copy;
- END_CYC_COUNTER(decompress);
- } else if ( tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,
-- pfn_offset, len, cva) == -EFAULT)
-+ pfn_offset, len, clibuf) == -EFAULT)
- goto bad_copy;
- if ( is_ephemeral(pool) )
- {
-@@ -1807,8 +1816,7 @@ static NOINLINE int do_tmem_get(pool_t *pool, OID *oidp, uint32_t index,
- bad_copy:
- /* this should only happen if the client passed a bad mfn */
- failed_copies++;
-- return -EFAULT;
--
-+ return rc;
- }
-
- static NOINLINE int do_tmem_flush_page(pool_t *pool, OID *oidp, uint32_t index)
-@@ -2348,7 +2356,6 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
- pool_t *pool = (client == NULL || pool_id >= MAX_POOLS_PER_DOMAIN)
- ? NULL : client->pools[pool_id];
- uint32_t p;
-- uint64_t *uuid;
- pgp_t *pgp, *pgp2;
- int rc = -1;
-
-@@ -2412,9 +2419,7 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id,
- case TMEMC_SAVE_GET_POOL_UUID:
- if ( pool == NULL )
- break;
-- uuid = (uint64_t *)buf.p;
-- *uuid++ = pool->uuid[0];
-- *uuid = pool->uuid[1];
-+ tmh_copy_to_client_buf(buf, pool->uuid, 2);
- rc = 0;
- case TMEMC_SAVE_END:
- if ( client == NULL )
-@@ -2439,7 +2444,7 @@ static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
- pgp_t *pgp;
- OID oid;
- int ret = 0;
-- struct tmem_handle *h;
-+ struct tmem_handle h;
- unsigned int pagesize = 1 << (pool->pageshift+12);
-
- if ( pool == NULL || is_ephemeral(pool) )
-@@ -2470,11 +2475,13 @@ static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
- pgp_t,us.pool_pers_pages);
- pool->cur_pgp = pgp;
- oid = pgp->us.obj->oid;
-- h = (struct tmem_handle *)buf.p;
-- *(OID *)&h->oid[0] = oid;
-- h->index = pgp->index;
-- buf.p = (void *)(h+1);
-- ret = do_tmem_get(pool, &oid, h->index,0,0,0,pagesize,buf.p);
-+ h.pool_id = pool_id;
-+ BUILD_BUG_ON(sizeof(h.oid) != sizeof(oid));
-+ memcpy(h.oid, oid.oid, sizeof(h.oid));
-+ h.index = pgp->index;
-+ tmh_copy_to_client_buf(buf, &h, 1);
-+ tmh_client_buf_add(buf, sizeof(h));
-+ ret = do_tmem_get(pool, &oid, pgp->index, 0, 0, 0, pagesize, buf);
-
- out:
- tmem_spin_unlock(&pers_lists_spinlock);
-@@ -2486,7 +2493,7 @@ static NOINLINE int tmemc_save_get_next_inv(int cli_id, tmem_cli_va_t buf,
- {
- client_t *client = tmh_client_from_cli_id(cli_id);
- pgp_t *pgp;
-- struct tmem_handle *h;
-+ struct tmem_handle h;
- int ret = 0;
-
- if ( client == NULL )
-@@ -2512,10 +2519,11 @@ static NOINLINE int tmemc_save_get_next_inv(int cli_id, tmem_cli_va_t buf,
- pgp_t,client_inv_pages);
- client->cur_pgp = pgp;
- }
-- h = (struct tmem_handle *)buf.p;
-- h->pool_id = pgp->pool_id;
-- *(OID *)&h->oid = pgp->inv_oid;
-- h->index = pgp->index;
-+ h.pool_id = pgp->pool_id;
-+ BUILD_BUG_ON(sizeof(h.oid) != sizeof(pgp->inv_oid));
-+ memcpy(h.oid, pgp->inv_oid.oid, sizeof(h.oid));
-+ h.index = pgp->index;
-+ tmh_copy_to_client_buf(buf, &h, 1);
- ret = 1;
- out:
- tmem_spin_unlock(&pers_lists_spinlock);
-@@ -2531,7 +2539,7 @@ static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp,
-
- if ( pool == NULL )
- return -1;
-- return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p);
-+ return do_tmem_put(pool, oidp, index, 0, 0, 0, bufsize, buf);
- }
-
- static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp,
-@@ -2735,19 +2743,19 @@ EXPORT long do_tmem_op(tmem_cli_op_t uops)
- break;
- case TMEM_NEW_PAGE:
- tmem_ensure_avail_pages();
-- rc = do_tmem_put(pool, oidp,
-- op.u.gen.index, op.u.gen.cmfn, 0, 0, 0, NULL);
-+ rc = do_tmem_put(pool, oidp, op.u.gen.index, op.u.gen.cmfn, 0, 0, 0,
-+ tmh_cli_buf_null);
- break;
- case TMEM_PUT_PAGE:
- tmem_ensure_avail_pages();
-- rc = do_tmem_put(pool, oidp,
-- op.u.gen.index, op.u.gen.cmfn, 0, 0, PAGE_SIZE, NULL);
-+ rc = do_tmem_put(pool, oidp, op.u.gen.index, op.u.gen.cmfn, 0, 0,
-+ PAGE_SIZE, tmh_cli_buf_null);
- if (rc == 1) succ_put = 1;
- else non_succ_put = 1;
- break;
- case TMEM_GET_PAGE:
- rc = do_tmem_get(pool, oidp, op.u.gen.index, op.u.gen.cmfn,
-- 0, 0, PAGE_SIZE, 0);
-+ 0, 0, PAGE_SIZE, tmh_cli_buf_null);
- if (rc == 1) succ_get = 1;
- else non_succ_get = 1;
- break;
-@@ -2766,13 +2774,13 @@ EXPORT long do_tmem_op(tmem_cli_op_t uops)
- case TMEM_READ:
- rc = do_tmem_get(pool, oidp, op.u.gen.index, op.u.gen.cmfn,
- op.u.gen.tmem_offset, op.u.gen.pfn_offset,
-- op.u.gen.len,0);
-+ op.u.gen.len, tmh_cli_buf_null);
- break;
- case TMEM_WRITE:
- rc = do_tmem_put(pool, oidp,
- op.u.gen.index, op.u.gen.cmfn,
- op.u.gen.tmem_offset, op.u.gen.pfn_offset,
-- op.u.gen.len, NULL);
-+ op.u.gen.len, tmh_cli_buf_null);
- break;
- case TMEM_XCHG:
- /* need to hold global lock to ensure xchg is atomic */
-diff --git a/xen/common/tmem_xen.c b/xen/common/tmem_xen.c
-index 4934c42..bcd49f2 100644
---- a/xen/common/tmem_xen.c
-+++ b/xen/common/tmem_xen.c
-@@ -50,6 +50,7 @@ DECL_CYC_COUNTER(pg_copy);
- #define LZO_DSTMEM_PAGES 2
- static DEFINE_PER_CPU_READ_MOSTLY(unsigned char *, workmem);
- static DEFINE_PER_CPU_READ_MOSTLY(unsigned char *, dstmem);
-+static DEFINE_PER_CPU_READ_MOSTLY(void *, scratch_page);
-
- #ifdef COMPARE_COPY_PAGE_SSE2
- #include <asm/flushtlb.h> /* REMOVE ME AFTER TEST */
-@@ -140,12 +141,12 @@ static inline void cli_put_page(void *cli_va, pfp_t *cli_pfp,
-
- EXPORT int tmh_copy_from_client(pfp_t *pfp,
- tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
-- pagesize_t pfn_offset, pagesize_t len, void *cli_va)
-+ pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t clibuf)
- {
- unsigned long tmem_mfn, cli_mfn = 0;
-- void *tmem_va;
-+ char *tmem_va, *cli_va = NULL;
- pfp_t *cli_pfp = NULL;
-- bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
-+ int rc = 1;
-
- ASSERT(pfp != NULL);
- tmem_mfn = page_to_mfn(pfp);
-@@ -156,62 +157,76 @@ EXPORT int tmh_copy_from_client(pfp_t *pfp,
- unmap_domain_page(tmem_va);
- return 1;
- }
-- if ( !tmemc )
-+ if ( guest_handle_is_null(clibuf) )
- {
- cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 0);
- if ( cli_va == NULL )
-+ {
-+ unmap_domain_page(tmem_va);
- return -EFAULT;
-+ }
- }
- mb();
-- if (len == PAGE_SIZE && !tmem_offset && !pfn_offset)
-+ if ( len == PAGE_SIZE && !tmem_offset && !pfn_offset && cli_va )
- tmh_copy_page(tmem_va, cli_va);
- else if ( (tmem_offset+len <= PAGE_SIZE) &&
- (pfn_offset+len <= PAGE_SIZE) )
-- memcpy((char *)tmem_va+tmem_offset,(char *)cli_va+pfn_offset,len);
-- if ( !tmemc )
-+ {
-+ if ( cli_va )
-+ memcpy(tmem_va + tmem_offset, cli_va + pfn_offset, len);
-+ else if ( copy_from_guest_offset(tmem_va + tmem_offset, clibuf,
-+ pfn_offset, len) )
-+ rc = -EFAULT;
-+ }
-+ if ( cli_va )
- cli_put_page(cli_va, cli_pfp, cli_mfn, 0);
- unmap_domain_page(tmem_va);
-- return 1;
-+ return rc;
- }
-
- EXPORT int tmh_compress_from_client(tmem_cli_mfn_t cmfn,
-- void **out_va, size_t *out_len, void *cli_va)
-+ void **out_va, size_t *out_len, tmem_cli_va_t clibuf)
- {
- int ret = 0;
- unsigned char *dmem = this_cpu(dstmem);
- unsigned char *wmem = this_cpu(workmem);
-+ char *scratch = this_cpu(scratch_page);
- pfp_t *cli_pfp = NULL;
- unsigned long cli_mfn = 0;
-- bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
-+ void *cli_va = NULL;
-
- if ( dmem == NULL || wmem == NULL )
- return 0; /* no buffer, so can't compress */
-- if ( !tmemc )
-+ if ( guest_handle_is_null(clibuf) )
- {
- cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 0);
- if ( cli_va == NULL )
- return -EFAULT;
- }
-+ else if ( !scratch )
-+ return 0;
-+ else if ( copy_from_guest(scratch, clibuf, PAGE_SIZE) )
-+ return -EFAULT;
- mb();
-- ret = lzo1x_1_compress(cli_va, PAGE_SIZE, dmem, out_len, wmem);
-+ ret = lzo1x_1_compress(cli_va ?: scratch, PAGE_SIZE, dmem, out_len, wmem);
- ASSERT(ret == LZO_E_OK);
- *out_va = dmem;
-- if ( !tmemc )
-+ if ( cli_va )
- cli_put_page(cli_va, cli_pfp, cli_mfn, 0);
-- unmap_domain_page(cli_va);
- return 1;
- }
-
- EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
-- pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cli_va)
-+ pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len,
-+ tmem_cli_va_t clibuf)
- {
- unsigned long tmem_mfn, cli_mfn = 0;
-- void *tmem_va;
-+ char *tmem_va, *cli_va = NULL;
- pfp_t *cli_pfp = NULL;
-- bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
-+ int rc = 1;
-
- ASSERT(pfp != NULL);
-- if ( !tmemc )
-+ if ( guest_handle_is_null(clibuf) )
- {
- cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 1);
- if ( cli_va == NULL )
-@@ -219,37 +234,48 @@ EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
- }
- tmem_mfn = page_to_mfn(pfp);
- tmem_va = map_domain_page(tmem_mfn);
-- if (len == PAGE_SIZE && !tmem_offset && !pfn_offset)
-+ if ( len == PAGE_SIZE && !tmem_offset && !pfn_offset && cli_va )
- tmh_copy_page(cli_va, tmem_va);
- else if ( (tmem_offset+len <= PAGE_SIZE) && (pfn_offset+len <= PAGE_SIZE) )
-- memcpy((char *)cli_va+pfn_offset,(char *)tmem_va+tmem_offset,len);
-+ {
-+ if ( cli_va )
-+ memcpy(cli_va + pfn_offset, tmem_va + tmem_offset, len);
-+ else if ( copy_to_guest_offset(clibuf, pfn_offset,
-+ tmem_va + tmem_offset, len) )
-+ rc = -EFAULT;
-+ }
- unmap_domain_page(tmem_va);
-- if ( !tmemc )
-+ if ( cli_va )
- cli_put_page(cli_va, cli_pfp, cli_mfn, 1);
- mb();
-- return 1;
-+ return rc;
- }
-
- EXPORT int tmh_decompress_to_client(tmem_cli_mfn_t cmfn, void *tmem_va,
-- size_t size, void *cli_va)
-+ size_t size, tmem_cli_va_t clibuf)
- {
- unsigned long cli_mfn = 0;
- pfp_t *cli_pfp = NULL;
-+ void *cli_va = NULL;
-+ char *scratch = this_cpu(scratch_page);
- size_t out_len = PAGE_SIZE;
-- bool_t tmemc = cli_va != NULL; /* if true, cli_va is control-op buffer */
- int ret;
-
-- if ( !tmemc )
-+ if ( guest_handle_is_null(clibuf) )
- {
- cli_va = cli_get_page(cmfn, &cli_mfn, &cli_pfp, 1);
- if ( cli_va == NULL )
- return -EFAULT;
- }
-- ret = lzo1x_decompress_safe(tmem_va, size, cli_va, &out_len);
-+ else if ( !scratch )
-+ return 0;
-+ ret = lzo1x_decompress_safe(tmem_va, size, cli_va ?: scratch, &out_len);
- ASSERT(ret == LZO_E_OK);
- ASSERT(out_len == PAGE_SIZE);
-- if ( !tmemc )
-+ if ( cli_va )
- cli_put_page(cli_va, cli_pfp, cli_mfn, 1);
-+ else if ( copy_to_guest(clibuf, scratch, PAGE_SIZE) )
-+ return -EFAULT;
- mb();
- return 1;
- }
-@@ -419,6 +445,11 @@ static int cpu_callback(
- struct page_info *p = alloc_domheap_pages(0, workmem_order, 0);
- per_cpu(workmem, cpu) = p ? page_to_virt(p) : NULL;
- }
-+ if ( per_cpu(scratch_page, cpu) == NULL )
-+ {
-+ struct page_info *p = alloc_domheap_page(NULL, 0);
-+ per_cpu(scratch_page, cpu) = p ? page_to_virt(p) : NULL;
-+ }
- break;
- }
- case CPU_DEAD:
-@@ -435,6 +466,11 @@ static int cpu_callback(
- free_domheap_pages(p, workmem_order);
- per_cpu(workmem, cpu) = NULL;
- }
-+ if ( per_cpu(scratch_page, cpu) != NULL )
-+ {
-+ free_domheap_page(virt_to_page(per_cpu(scratch_page, cpu)));
-+ per_cpu(scratch_page, cpu) = NULL;
-+ }
- break;
- }
- default:
-diff --git a/xen/include/xen/tmem_xen.h b/xen/include/xen/tmem_xen.h
-index 3dbf6f8..68ece29 100644
---- a/xen/include/xen/tmem_xen.h
-+++ b/xen/include/xen/tmem_xen.h
-@@ -482,27 +482,33 @@ static inline int tmh_get_tmemop_from_client(tmem_op_t *op, tmem_cli_op_t uops)
- return copy_from_guest(op, uops, 1);
- }
-
-+#define tmh_cli_buf_null guest_handle_from_ptr(NULL, char)
-+
- static inline void tmh_copy_to_client_buf_offset(tmem_cli_va_t clibuf, int off,
- char *tmembuf, int len)
- {
- copy_to_guest_offset(clibuf,off,tmembuf,len);
- }
-
-+#define tmh_copy_to_client_buf(clibuf, tmembuf, cnt) \
-+ copy_to_guest(guest_handle_cast(clibuf, void), tmembuf, cnt)
-+
-+#define tmh_client_buf_add guest_handle_add_offset
-+
- #define TMH_CLI_ID_NULL ((cli_id_t)((domid_t)-1L))
-
- #define tmh_cli_id_str "domid"
- #define tmh_client_str "domain"
-
--extern int tmh_decompress_to_client(tmem_cli_mfn_t,void*,size_t,void*);
-+int tmh_decompress_to_client(tmem_cli_mfn_t, void *, size_t, tmem_cli_va_t);
-
--extern int tmh_compress_from_client(tmem_cli_mfn_t,void**,size_t *,void*);
-+int tmh_compress_from_client(tmem_cli_mfn_t, void **, size_t *, tmem_cli_va_t);
-
--extern int tmh_copy_from_client(pfp_t *pfp,
-- tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
-- pagesize_t pfn_offset, pagesize_t len, void *cva);
-+int tmh_copy_from_client(pfp_t *, tmem_cli_mfn_t, pagesize_t tmem_offset,
-+ pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t);
-
--extern int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
-- pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cva);
-+int tmh_copy_to_client(tmem_cli_mfn_t, pfp_t *, pagesize_t tmem_offset,
-+ pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t);
-
- extern int tmh_copy_tze_to_client(tmem_cli_mfn_t cmfn, void *tmem_va, pagesize_t len);
-
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-16.patch b/main/xen/xsa-16.patch
deleted file mode 100644
index a61988e..0000000
--- a/main/xen/xsa-16.patch
@@ -1,42 +0,0 @@
-From 8195a57243996267cdd9ba84dfea3c954a217a75 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 5 Sep 2012 12:29:56 +0100
-Subject: [PATCH] x86/pvhvm: properly range-check
- PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
-
-This is being used as a array index, and hence must be validated before
-use.
-
-This is XSA-16 / CVE-2012-3498.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/physdev.c | 7 +++++++
- 1 files changed, 7 insertions(+), 0 deletions(-)
-
-diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
-index e037a94..a5a58a1 100644
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
- struct hvm_girq_dpci_mapping *girq;
- uint32_t machine_gsi = 0;
-
-+ if ( map->index < 0 || map->index >= NR_HVM_IRQS )
-+ {
-+ ret = -EINVAL;
-+ break;
-+ }
-+
- /* find the machine gsi corresponding to the
- * emulated gsi */
- hvm_irq_dpci = domain_get_irq_dpci(d);
- if ( hvm_irq_dpci )
- {
-+ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
- list_for_each_entry ( girq,
- &hvm_irq_dpci->girq[map->index],
- list )
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-17.patch b/main/xen/xsa-17.patch
deleted file mode 100644
index 891037b..0000000
--- a/main/xen/xsa-17.patch
@@ -1,122 +0,0 @@
-From a56ae4b5069c7b23ee657b15f08443a9b14a8e7b Mon Sep 17 00:00:00 2001
-From: Ian Campbell <ian.campbell@citrix.com>
-Date: Wed, 5 Sep 2012 12:31:40 +0100
-Subject: [PATCH] console: bounds check whenever changing the cursor due to an escape code
-
-This is XSA-17 / CVE-2012-3515
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
----
- console.c | 57 ++++++++++++++++++++++++++++-----------------------------
- 1 files changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/tools/ioemu-qemu-xen/console.c b/tools/ioemu-qemu-xen/console.c
-index 5e6e3d0..9984d6f 100644
---- a/tools/ioemu-qemu-xen/console.c
-+++ b/tools/ioemu-qemu-xen/console.c
-@@ -794,6 +794,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
- update_xy(s, x, y);
- }
-
-+/* set cursor, checking bounds */
-+static void set_cursor(TextConsole *s, int x, int y)
-+{
-+ if (x < 0) {
-+ x = 0;
-+ }
-+ if (y < 0) {
-+ y = 0;
-+ }
-+ if (y >= s->height) {
-+ y = s->height - 1;
-+ }
-+ if (x >= s->width) {
-+ x = s->width - 1;
-+ }
-+
-+ s->x = x;
-+ s->y = y;
-+}
-+
- static void console_putchar(TextConsole *s, int ch)
- {
- TextCell *c;
-@@ -869,7 +889,8 @@ static void console_putchar(TextConsole *s, int ch)
- s->esc_params[s->nb_esc_params] * 10 + ch - '0';
- }
- } else {
-- s->nb_esc_params++;
-+ if (s->nb_esc_params < MAX_ESC_PARAMS)
-+ s->nb_esc_params++;
- if (ch == ';')
- break;
- #ifdef DEBUG_CONSOLE
-@@ -883,59 +904,37 @@ static void console_putchar(TextConsole *s, int ch)
- if (s->esc_params[0] == 0) {
- s->esc_params[0] = 1;
- }
-- s->y -= s->esc_params[0];
-- if (s->y < 0) {
-- s->y = 0;
-- }
-+ set_cursor(s, s->x, s->y - s->esc_params[0]);
- break;
- case 'B':
- /* move cursor down */
- if (s->esc_params[0] == 0) {
- s->esc_params[0] = 1;
- }
-- s->y += s->esc_params[0];
-- if (s->y >= s->height) {
-- s->y = s->height - 1;
-- }
-+ set_cursor(s, s->x, s->y + s->esc_params[0]);
- break;
- case 'C':
- /* move cursor right */
- if (s->esc_params[0] == 0) {
- s->esc_params[0] = 1;
- }
-- s->x += s->esc_params[0];
-- if (s->x >= s->width) {
-- s->x = s->width - 1;
-- }
-+ set_cursor(s, s->x + s->esc_params[0], s->y);
- break;
- case 'D':
- /* move cursor left */
- if (s->esc_params[0] == 0) {
- s->esc_params[0] = 1;
- }
-- s->x -= s->esc_params[0];
-- if (s->x < 0) {
-- s->x = 0;
-- }
-+ set_cursor(s, s->x - s->esc_params[0], s->y);
- break;
- case 'G':
- /* move cursor to column */
-- s->x = s->esc_params[0] - 1;
-- if (s->x < 0) {
-- s->x = 0;
-- }
-+ set_cursor(s, s->esc_params[0] - 1, s->y);
- break;
- case 'f':
- case 'H':
- /* move cursor to row, column */
-- s->x = s->esc_params[1] - 1;
-- if (s->x < 0) {
-- s->x = 0;
-- }
-- s->y = s->esc_params[0] - 1;
-- if (s->y < 0) {
-- s->y = 0;
-- }
-+ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
- break;
- case 'J':
- switch (s->esc_params[0]) {
---
-1.7.2.5
-
diff --git a/main/xen/xsa-20.patch b/main/xen/xsa-20.patch
deleted file mode 100644
index a8c8838..0000000
--- a/main/xen/xsa-20.patch
@@ -1,56 +0,0 @@
-From f2e0eab9afae9245f38a31deeafe90953d63ea07 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:33:36 +0000
-Subject: [PATCH] VCPU/timers: Prevent overflow in calculations, leading to
- DoS vulnerability
-
-The timer action for a vcpu periodic timer is to calculate the next
-expiry time, and to reinsert itself into the timer queue. If the
-deadline ends up in the past, Xen never leaves __do_softirq(). The
-affected PCPU will stay in an infinite loop until Xen is killed by the
-watchdog (if enabled).
-
-This is a security problem, XSA-20 / CVE-2012-4535.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-xen-unstable changeset: 26148:bf58b94b3cef
-Backport-requested-by: security@xen.org
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- xen/common/domain.c | 3 +++
- xen/include/xen/time.h | 2 ++
- 2 files changed, 5 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/domain.c b/xen/common/domain.c
-index 98e36ee..054f7c4 100644
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -873,6 +873,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN_GUEST_HANDLE(void) arg)
- if ( set.period_ns < MILLISECS(1) )
- return -EINVAL;
-
-+ if ( set.period_ns > STIME_DELTA_MAX )
-+ return -EINVAL;
-+
- v->periodic_period = set.period_ns;
- vcpu_force_reschedule(v);
-
-diff --git a/xen/include/xen/time.h b/xen/include/xen/time.h
-index 0f67e90..c7b420b 100644
---- a/xen/include/xen/time.h
-+++ b/xen/include/xen/time.h
-@@ -53,6 +53,8 @@ struct tm gmtime(unsigned long t);
- #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
- #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
- #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
-+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
-+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
-
- extern void update_vcpu_system_time(struct vcpu *v);
- extern void update_domain_wallclock_time(struct domain *d);
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-21.patch b/main/xen/xsa-21.patch
deleted file mode 100644
index d82e570..0000000
--- a/main/xen/xsa-21.patch
@@ -1,42 +0,0 @@
-From 50d1a7fea0a60cd66733cfd8666a95f00d586549 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:35:06 +0000
-Subject: [PATCH] x86/physdev: Range check pirq parameter from guests
-
-Otherwise Xen will read beyond either end of the struct
-domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.
-
-This vulnerability was introduced by c/s 23241:d21100f1d00e, which adds
-a call to domain_pirq_to_emuirq() which uses the guest provided pirq
-value before range checking it, and was fixed by c/s 23573:584c2e5e03d9
-which changed the behaviour of the domain_pirq_to_emuirq() macro to use
-radix trees instead of a flat array.
-
-This is XSA-21 / CVE-2012-4536.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- xen/arch/x86/physdev.c | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
-index 7d5a023..de364f0 100644
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-@@ -234,6 +234,10 @@ static int physdev_unmap_pirq(struct physdev_unmap_pirq *unmap)
- if ( ret )
- return ret;
-
-+ ret = -EINVAL;
-+ if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
-+ goto free_domain;
-+
- if ( is_hvm_domain(d) )
- {
- spin_lock(&d->event_lock);
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-22.patch b/main/xen/xsa-22.patch
deleted file mode 100644
index 570005f..0000000
--- a/main/xen/xsa-22.patch
@@ -1,51 +0,0 @@
-From 9070a6ef041756341286e88e7fad7de3e01c66f9 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:40:45 +0000
-Subject: [PATCH] x86/physmap: Prevent incorrect updates of m2p mappings
-
-In certain conditions, such as low memory, set_p2m_entry() can fail.
-Currently, the p2m and m2p tables will get out of sync because we still
-update the m2p table after the p2m update has failed.
-
-If that happens, subsequent guest-invoked memory operations can cause
-BUG()s and ASSERT()s to kill Xen.
-
-This is fixed by only updating the m2p table iff the p2m was
-successfully updated.
-
-This is a security problem, XSA-22 / CVE-2012-4537.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- xen/arch/x86/mm/p2m.c | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
-index 82e1b55..f494d25 100644
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -2558,7 +2558,10 @@ guest_physmap_add_entry(struct p2m_domain *p2m, unsigned long gfn,
- if ( mfn_valid(_mfn(mfn)) )
- {
- if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
-+ {
- rc = -EINVAL;
-+ goto out; /* Failed to update p2m, bail without updating m2p. */
-+ }
- if ( !p2m_is_grant(t) )
- {
- for ( i = 0; i < (1UL << page_order); i++ )
-@@ -2579,6 +2582,7 @@ guest_physmap_add_entry(struct p2m_domain *p2m, unsigned long gfn,
- }
- }
-
-+out:
- audit_p2m(p2m, 1);
- p2m_unlock(p2m);
-
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-23.patch b/main/xen/xsa-23.patch
deleted file mode 100644
index 35a6470..0000000
--- a/main/xen/xsa-23.patch
@@ -1,44 +0,0 @@
-From 1d435032de14b9dec808102940309047903f7ed0 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:43:29 +0000
-Subject: [PATCH] xen/mm/shadow: check toplevel pagetables are present before
- unhooking them.
-
-If the guest has not fully populated its top-level PAE entries when it calls
-HVMOP_pagetable_dying, the shadow code could try to unhook entries from
-MFN 0. Add a check to avoid that case.
-
-This issue was introduced by c/s 21239:b9d2db109cf5.
-
-This is a security problem, XSA-23 / CVE-2012-4538.
-
-Signed-off-by: Tim Deegan <tim@xen.org>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- xen/arch/x86/mm/shadow/multi.c | 8 ++++++--
- 1 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index d510e7f..91879cf 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -4737,8 +4737,12 @@ static void sh_pagetable_dying(struct vcpu *v, paddr_t gpa)
- }
- for ( i = 0; i < 4; i++ )
- {
-- if ( fast_path )
-- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
-+ if ( fast_path ) {
-+ if ( pagetable_is_null(v->arch.shadow_table[i]) )
-+ smfn = _mfn(INVALID_MFN);
-+ else
-+ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
-+ }
- else
- {
- /* retrieving the l2s */
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-24.patch b/main/xen/xsa-24.patch
deleted file mode 100644
index 53c6fe7..0000000
--- a/main/xen/xsa-24.patch
@@ -1,41 +0,0 @@
-From 95a0c10357c502a0b0b960e7133e792695ef0b58 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Wed, 14 Nov 2012 11:46:12 +0000
-Subject: [PATCH] compat/gnttab: Prevent infinite loop in compat code
-
-c/s 20281:95ea2052b41b, which introduces Grant Table version 2
-hypercalls introduces a vulnerability whereby the compat hypercall
-handler can fall into an infinite loop.
-
-If the watchdog is enabled, Xen will die after the timeout.
-
-This is a security problem, XSA-24 / CVE-2012-4539.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-xen-unstable changeset: 26151:b64a7d868f06
-Backport-requested-by: security@xen.org
-Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- xen/common/compat/grant_table.c | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c
-index ca60395..d09a65b 100644
---- a/xen/common/compat/grant_table.c
-+++ b/xen/common/compat/grant_table.c
-@@ -310,6 +310,8 @@ int compat_grant_table_op(unsigned int cmd,
- #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
- if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
- rc = -EFAULT;
-+ else
-+ i = 1;
- }
- break;
- }
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa-25.patch b/main/xen/xsa-25.patch
deleted file mode 100644
index 0157f20..0000000
--- a/main/xen/xsa-25.patch
@@ -1,474 +0,0 @@
-From 7ce4c765975097bddffaa2fc482d5c16355687af Mon Sep 17 00:00:00 2001
-From: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Date: Fri, 26 Oct 2012 16:10:04 +0100
-Subject: [PATCH] libxc: builder: limit maximum size of kernel/ramdisk.
-
-Allowing user supplied kernels of arbitrary sizes, especially during
-decompression, can swallow up dom0 memory leading to either virtual
-address space exhaustion in the builder process or allocation
-failures/OOM killing of both toolstack and unrelated processes.
-
-We disable these checks when building in a stub domain for pvgrub
-since this uses the guest's own memory and is isolated.
-
-Decompression of gzip compressed kernels and ramdisks has been safe
-since 14954:58205257517d (Xen 3.1.0 onwards).
-
-This is XSA-25 / CVE-2012-4544.
-
-Also make explicit checks for buffer overflows in various
-decompression routines. These were already ruled out due to other
-properties of the code but check them as a belt-and-braces measure.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-[ Includes 25589:60f09d1ab1fe for CVE-2012-2625 ]
----
- stubdom/grub/kexec.c | 4 ++
- tools/libxc/xc_dom.h | 23 ++++++++++-
- tools/libxc/xc_dom_bzimageloader.c | 59 +++++++++++++++++++++++++--
- tools/libxc/xc_dom_core.c | 77 ++++++++++++++++++++++++++++++++++--
- tools/pygrub/src/pygrub | 61 ++++++++++++++++++++--------
- 5 files changed, 198 insertions(+), 26 deletions(-)
-
-diff --git a/stubdom/grub/kexec.c b/stubdom/grub/kexec.c
-index 06bef52..b21c91a 100644
---- a/stubdom/grub/kexec.c
-+++ b/stubdom/grub/kexec.c
-@@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_size, void *module, long module_size, char
- dom = xc_dom_allocate(xc_handle, cmdline, features);
- dom->allocate = kexec_allocate;
-
-+ /* We are using guest owned memory, therefore no limits. */
-+ xc_dom_kernel_max_size(dom, 0);
-+ xc_dom_ramdisk_max_size(dom, 0);
-+
- dom->kernel_blob = kernel;
- dom->kernel_size = kernel_size;
-
-diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
-index e72f066..7043f96 100644
---- a/tools/libxc/xc_dom.h
-+++ b/tools/libxc/xc_dom.h
-@@ -52,6 +52,9 @@ struct xc_dom_image {
- void *ramdisk_blob;
- size_t ramdisk_size;
-
-+ size_t max_kernel_size;
-+ size_t max_ramdisk_size;
-+
- /* arguments and parameters */
- char *cmdline;
- uint32_t f_requested[XENFEAT_NR_SUBMAPS];
-@@ -175,6 +178,23 @@ void xc_dom_release_phys(struct xc_dom_image *dom);
- void xc_dom_release(struct xc_dom_image *dom);
- int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb);
-
-+/* Set this larger if you have enormous ramdisks/kernels. Note that
-+ * you should trust all kernels not to be maliciously large (e.g. to
-+ * exhaust all dom0 memory) if you do this (see CVE-2012-4544 /
-+ * XSA-25). You can also set the default independently for
-+ * ramdisks/kernels in xc_dom_allocate() or call
-+ * xc_dom_{kernel,ramdisk}_max_size.
-+ */
-+#ifndef XC_DOM_DECOMPRESS_MAX
-+#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */
-+#endif
-+
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz);
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz);
-+
- size_t xc_dom_check_gzip(xc_interface *xch,
- void *blob, size_t ziplen);
- int xc_dom_do_gunzip(xc_interface *xch,
-@@ -224,7 +244,8 @@ void xc_dom_log_memory_footprint(struct xc_dom_image *dom);
- void *xc_dom_malloc(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
-- const char *filename, size_t * size);
-+ const char *filename, size_t * size,
-+ const size_t max_size);
- char *xc_dom_strdup(struct xc_dom_image *dom, const char *str);
-
- /* --- alloc memory pool ------------------------------------------- */
-diff --git a/tools/libxc/xc_dom_bzimageloader.c b/tools/libxc/xc_dom_bzimageloader.c
-index 9852e67..73cfad1 100644
---- a/tools/libxc/xc_dom_bzimageloader.c
-+++ b/tools/libxc/xc_dom_bzimageloader.c
-@@ -47,13 +47,19 @@ static int xc_try_bzip2_decode(
- char *out_buf;
- char *tmp_buf;
- int retval = -1;
-- int outsize;
-+ unsigned int outsize;
- uint64_t total;
-
- stream.bzalloc = NULL;
- stream.bzfree = NULL;
- stream.opaque = NULL;
-
-+ if ( dom->kernel_size == 0)
-+ {
-+ DOMPRINTF("BZIP2: Input is 0 size");
-+ return -1;
-+ }
-+
- ret = BZ2_bzDecompressInit(&stream, 0, 0);
- if ( ret != BZ_OK )
- {
-@@ -66,6 +72,17 @@ static int xc_try_bzip2_decode(
- * the input buffer to start, and we'll realloc as needed.
- */
- outsize = dom->kernel_size;
-+
-+ /*
-+ * stream.avail_in and outsize are unsigned int, while kernel_size
-+ * is a size_t. Check we aren't overflowing.
-+ */
-+ if ( outsize != dom->kernel_size )
-+ {
-+ DOMPRINTF("BZIP2: Input too large");
-+ goto bzip2_cleanup;
-+ }
-+
- out_buf = malloc(outsize);
- if ( out_buf == NULL )
- {
-@@ -98,13 +115,20 @@ static int xc_try_bzip2_decode(
- if ( stream.avail_out == 0 )
- {
- /* Protect against output buffer overflow */
-- if ( outsize > INT_MAX / 2 )
-+ if ( outsize > UINT_MAX / 2 )
- {
- DOMPRINTF("BZIP2: output buffer overflow");
- free(out_buf);
- goto bzip2_cleanup;
- }
-
-+ if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+ {
-+ DOMPRINTF("BZIP2: output too large");
-+ free(out_buf);
-+ goto bzip2_cleanup;
-+ }
-+
- tmp_buf = realloc(out_buf, outsize * 2);
- if ( tmp_buf == NULL )
- {
-@@ -172,9 +196,15 @@ static int xc_try_lzma_decode(
- unsigned char *out_buf;
- unsigned char *tmp_buf;
- int retval = -1;
-- int outsize;
-+ size_t outsize;
- const char *msg;
-
-+ if ( dom->kernel_size == 0)
-+ {
-+ DOMPRINTF("LZMA: Input is 0 size");
-+ return -1;
-+ }
-+
- ret = lzma_alone_decoder(&stream, 128*1024*1024);
- if ( ret != LZMA_OK )
- {
-@@ -251,13 +281,20 @@ static int xc_try_lzma_decode(
- if ( stream.avail_out == 0 )
- {
- /* Protect against output buffer overflow */
-- if ( outsize > INT_MAX / 2 )
-+ if ( outsize > SIZE_MAX / 2 )
- {
- DOMPRINTF("LZMA: output buffer overflow");
- free(out_buf);
- goto lzma_cleanup;
- }
-
-+ if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+ {
-+ DOMPRINTF("LZMA: output too large");
-+ free(out_buf);
-+ goto lzma_cleanup;
-+ }
-+
- tmp_buf = realloc(out_buf, outsize * 2);
- if ( tmp_buf == NULL )
- {
-@@ -327,6 +364,12 @@ static int xc_try_lzo1x_decode(
- 0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
- };
-
-+ /*
-+ * lzo_uint should match size_t. Check that this is the case to be
-+ * sure we won't overflow various lzo_uint fields.
-+ */
-+ XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t));
-+
- ret = lzo_init();
- if ( ret != LZO_E_OK )
- {
-@@ -406,6 +449,14 @@ static int xc_try_lzo1x_decode(
- if ( src_len <= 0 || src_len > dst_len || src_len > left )
- break;
-
-+ msg = "Output buffer overflow";
-+ if ( *size > SIZE_MAX - dst_len )
-+ break;
-+
-+ msg = "Decompressed image too large";
-+ if ( xc_dom_kernel_check_size(dom, *size + dst_len) )
-+ break;
-+
- msg = "Failed to (re)alloc memory";
- tmp_buf = realloc(out_buf, *size + dst_len);
- if ( tmp_buf == NULL )
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index fea9de5..2a01d7c 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-@@ -159,7 +159,8 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size)
- }
-
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
-- const char *filename, size_t * size)
-+ const char *filename, size_t * size,
-+ const size_t max_size)
- {
- struct xc_dom_mem *block = NULL;
- int fd = -1;
-@@ -171,6 +172,13 @@ void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
- lseek(fd, 0, SEEK_SET);
- *size = lseek(fd, 0, SEEK_END);
-
-+ if ( max_size && *size > max_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
-+ "tried to map file which is too large");
-+ goto err;
-+ }
-+
- block = malloc(sizeof(*block));
- if ( block == NULL )
- goto err;
-@@ -222,6 +230,40 @@ char *xc_dom_strdup(struct xc_dom_image *dom, const char *str)
- }
-
- /* ------------------------------------------------------------------------ */
-+/* decompression buffer sizing */
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ /* No limit */
-+ if ( !dom->max_kernel_size )
-+ return 0;
-+
-+ if ( sz > dom->max_kernel_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+ "kernel image too large");
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ /* No limit */
-+ if ( !dom->max_ramdisk_size )
-+ return 0;
-+
-+ if ( sz > dom->max_ramdisk_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+ "ramdisk image too large");
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+/* ------------------------------------------------------------------------ */
- /* read files, copy memory blocks, with transparent gunzip */
-
- size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
-@@ -235,7 +277,7 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
-
- gzlen = blob + ziplen - 4;
- unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0];
-- if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */
-+ if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) )
- {
- xc_dom_printf
- (xch,
-@@ -288,6 +330,9 @@ int xc_dom_try_gunzip(struct xc_dom_image *dom, void **blob, size_t * size)
- if ( unziplen == 0 )
- return 0;
-
-+ if ( xc_dom_kernel_check_size(dom, unziplen) )
-+ return 0;
-+
- unzip = xc_dom_malloc(dom, unziplen);
- if ( unzip == NULL )
- return -1;
-@@ -588,6 +633,9 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch,
- memset(dom, 0, sizeof(*dom));
- dom->xch = xch;
-
-+ dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX;
-+ dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX;
-+
- if ( cmdline )
- dom->cmdline = xc_dom_strdup(dom, cmdline);
- if ( features )
-@@ -608,10 +656,25 @@ struct xc_dom_image *xc_dom_allocate(xc_interface *xch,
- return NULL;
- }
-
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz);
-+ dom->max_kernel_size = sz;
-+ return 0;
-+}
-+
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz);
-+ dom->max_ramdisk_size = sz;
-+ return 0;
-+}
-+
- int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename)
- {
- DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
-- dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size);
-+ dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size,
-+ dom->max_kernel_size);
- if ( dom->kernel_blob == NULL )
- return -1;
- return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
-@@ -621,7 +684,9 @@ int xc_dom_ramdisk_file(struct xc_dom_image *dom, const char *filename)
- {
- DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
- dom->ramdisk_blob =
-- xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size);
-+ xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size,
-+ dom->max_ramdisk_size);
-+
- if ( dom->ramdisk_blob == NULL )
- return -1;
- // return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size);
-@@ -781,7 +846,11 @@ int xc_dom_build_image(struct xc_dom_image *dom)
- void *ramdiskmap;
-
- unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size);
-+ if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 )
-+ unziplen = 0;
-+
- ramdisklen = unziplen ? unziplen : dom->ramdisk_size;
-+
- if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0,
- ramdisklen) != 0 )
- goto err;
-diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
-index 17c0083..1a3c1c3 100644
---- a/tools/pygrub/src/pygrub
-+++ b/tools/pygrub/src/pygrub
-@@ -28,6 +28,7 @@ import grub.LiloConf
- import grub.ExtLinuxConf
-
- PYGRUB_VER = 0.6
-+FS_READ_MAX = 1024 * 1024
-
- def enable_cursor(ison):
- if ison:
-@@ -421,7 +422,8 @@ class Grub:
- if self.__dict__.get('cf', None) is None:
- raise RuntimeError, "couldn't find bootloader config file in the image provided."
- f = fs.open_file(self.cf.filename)
-- buf = f.read()
-+ # limit read size to avoid pathological cases
-+ buf = f.read(FS_READ_MAX)
- del f
- self.cf.parse(buf)
-
-@@ -670,6 +672,37 @@ if __name__ == "__main__":
- def usage():
- print >> sys.stderr, "Usage: %s [-q|--quiet] [-i|--interactive] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] <image>" %(sys.argv[0],)
-
-+ def copy_from_image(fs, file_to_read, file_type, output_directory,
-+ not_really):
-+ if not_really:
-+ if fs.file_exists(file_to_read):
-+ return "<%s:%s>" % (file_type, file_to_read)
-+ else:
-+ sys.exit("The requested %s file does not exist" % file_type)
-+ try:
-+ datafile = fs.open_file(file_to_read)
-+ except Exception, e:
-+ print >>sys.stderr, e
-+ sys.exit("Error opening %s in guest" % file_to_read)
-+ (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
-+ dir=output_directory)
-+ dataoff = 0
-+ while True:
-+ data = datafile.read(FS_READ_MAX, dataoff)
-+ if len(data) == 0:
-+ os.close(tfd)
-+ del datafile
-+ return ret
-+ try:
-+ os.write(tfd, data)
-+ except Exception, e:
-+ print >>sys.stderr, e
-+ os.close(tfd)
-+ os.unlink(ret)
-+ del datafile
-+ sys.exit("Error writing temporary copy of "+file_type)
-+ dataoff += len(data)
-+
- try:
- opts, args = getopt.gnu_getopt(sys.argv[1:], 'qinh::',
- ["quiet", "interactive", "not-really", "help",
-@@ -786,24 +819,18 @@ if __name__ == "__main__":
- if not fs:
- raise RuntimeError, "Unable to find partition containing kernel"
-
-- if not_really:
-- bootcfg["kernel"] = "<kernel:%s>" % chosencfg["kernel"]
-- else:
-- data = fs.open_file(chosencfg["kernel"]).read()
-- (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.",
-- dir=output_directory)
-- os.write(tfd, data)
-- os.close(tfd)
-+ bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
-+ output_directory, not_really)
-
- if chosencfg["ramdisk"]:
-- if not_really:
-- bootcfg["ramdisk"] = "<ramdisk:%s>" % chosencfg["ramdisk"]
-- else:
-- data = fs.open_file(chosencfg["ramdisk"],).read()
-- (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp(
-- prefix="boot_ramdisk.", dir=output_directory)
-- os.write(tfd, data)
-- os.close(tfd)
-+ try:
-+ bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
-+ "ramdisk", output_directory,
-+ not_really)
-+ except:
-+ if not not_really:
-+ os.unlink(bootcfg["kernel"])
-+ raise
- else:
- initrd = None
-
---
-1.7.7.5 (Apple Git-26)
-
diff --git a/main/xen/xsa26-4.1.patch b/main/xen/xsa26-4.1.patch
deleted file mode 100644
index e8b8e7d..0000000
--- a/main/xen/xsa26-4.1.patch
@@ -1,107 +0,0 @@
-gnttab: fix releasing of memory upon switches between versions
-
-gnttab_unpopulate_status_frames() incompletely freed the pages
-previously used as status frame in that they did not get removed from
-the domain's xenpage_list, thus causing subsequent list corruption
-when those pages did get allocated again for the same or another purpose.
-
-Similarly, grant_table_create() and gnttab_grow_table() both improperly
-clean up in the event of an error - pages already shared with the guest
-can't be freed by just passing them to free_xenheap_page(). Fix this by
-sharing the pages only after all allocations succeeded.
-
-This is CVE-2012-5510 / XSA-26.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index 6c0aa6f..a180aef 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-@@ -1126,12 +1126,13 @@ fault:
- }
-
- static int
--gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
-+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
-+ unsigned int req_nr_frames)
- {
- unsigned i;
- unsigned req_status_frames;
-
-- req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
-+ req_status_frames = grant_to_status_frames(req_nr_frames);
- for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
- {
- if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
-@@ -1162,7 +1163,12 @@ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
-
- for ( i = 0; i < nr_status_frames(gt); i++ )
- {
-- page_set_owner(virt_to_page(gt->status[i]), dom_xen);
-+ struct page_info *pg = virt_to_page(gt->status[i]);
-+
-+ BUG_ON(page_get_owner(pg) != d);
-+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
-+ put_page(pg);
-+ BUG_ON(pg->count_info & ~PGC_xen_heap);
- free_xenheap_page(gt->status[i]);
- gt->status[i] = NULL;
- }
-@@ -1200,19 +1206,18 @@ gnttab_grow_table(struct domain *d, unsigned int req_nr_frames)
- clear_page(gt->shared_raw[i]);
- }
-
-- /* Share the new shared frames with the recipient domain */
-- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
-- gnttab_create_shared_page(d, gt, i);
--
-- gt->nr_grant_frames = req_nr_frames;
--
- /* Status pages - version 2 */
- if (gt->gt_version > 1)
- {
-- if ( gnttab_populate_status_frames(d, gt) )
-+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
- goto shared_alloc_failed;
- }
-
-+ /* Share the new shared frames with the recipient domain */
-+ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
-+ gnttab_create_shared_page(d, gt, i);
-+ gt->nr_grant_frames = req_nr_frames;
-+
- return 1;
-
- shared_alloc_failed:
-@@ -2134,7 +2139,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gnttab_set_version_t uop))
-
- if ( op.version == 2 && gt->gt_version < 2 )
- {
-- res = gnttab_populate_status_frames(d, gt);
-+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
- if ( res < 0)
- goto out_unlock;
- }
-@@ -2449,9 +2454,6 @@ grant_table_create(
- clear_page(t->shared_raw[i]);
- }
-
-- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-- gnttab_create_shared_page(d, t, i);
--
- /* Status pages for grant table - for version 2 */
- t->status = xmalloc_array(grant_status_t *,
- grant_to_status_frames(max_nr_grant_frames));
-@@ -2459,6 +2461,10 @@ grant_table_create(
- goto no_mem_4;
- memset(t->status, 0,
- grant_to_status_frames(max_nr_grant_frames) * sizeof(t->status[0]));
-+
-+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
-+ gnttab_create_shared_page(d, t, i);
-+
- t->nr_status_frames = 0;
-
- /* Okay, install the structure. */
diff --git a/main/xen/xsa27-4.1.patch b/main/xen/xsa27-4.1.patch
deleted file mode 100644
index f0764cb..0000000
--- a/main/xen/xsa27-4.1.patch
@@ -1,168 +0,0 @@
-hvm: Limit the size of large HVM op batches
-
-Doing large p2m updates for HVMOP_track_dirty_vram without preemption
-ties up the physical processor. Integrating preemption into the p2m
-updates is hard so simply limit to 1GB which is sufficient for a 15000
-* 15000 * 32bpp framebuffer.
-
-For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
-necessary machinery to handle preemption.
-
-This is CVE-2012-5511 / XSA-27.
-
-Signed-off-by: Tim Deegan <tim@xen.org>
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-x86/paging: Don't allocate user-controlled amounts of stack memory.
-
-This is XSA-27 / CVE-2012-5511.
-
-Signed-off-by: Tim Deegan <tim@xen.org>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-v2: Provide definition of GB to fix x86-32 compile.
-
-Signed-off-by: Jan Beulich <JBeulich@suse.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-
-diff -r 5639047d6c9f xen/arch/x86/hvm/hvm.c
---- a/xen/arch/x86/hvm/hvm.c Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/arch/x86/hvm/hvm.c Mon Nov 19 16:00:33 2012 +0000
-@@ -3471,6 +3471,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
- if ( !is_hvm_domain(d) )
- goto param_fail2;
-
-+ if ( a.nr > GB(1) >> PAGE_SHIFT )
-+ goto param_fail2;
-+
- rc = xsm_hvm_param(d, op);
- if ( rc )
- goto param_fail2;
-@@ -3498,7 +3501,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
- struct xen_hvm_modified_memory a;
- struct domain *d;
- struct p2m_domain *p2m;
-- unsigned long pfn;
-
- if ( copy_from_guest(&a, arg, 1) )
- return -EFAULT;
-@@ -3526,8 +3528,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
- goto param_fail3;
-
- p2m = p2m_get_hostp2m(d);
-- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+ while ( a.nr > 0 )
- {
-+ unsigned long pfn = a.first_pfn;
- p2m_type_t t;
- mfn_t mfn = gfn_to_mfn(p2m, pfn, &t);
- if ( p2m_is_paging(t) )
-@@ -3548,6 +3551,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
- /* don't take a long time and don't die either */
- sh_remove_shadows(d->vcpu[0], mfn, 1, 0);
- }
-+
-+ a.first_pfn++;
-+ a.nr--;
-+
-+ /* Check for continuation if it's not the last interation */
-+ if ( a.nr > 0 && hypercall_preempt_check() )
-+ {
-+ if ( copy_to_guest(arg, &a, 1) )
-+ rc = -EFAULT;
-+ else
-+ rc = -EAGAIN;
-+ break;
-+ }
- }
-
- param_fail3:
-@@ -3595,7 +3611,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
- struct xen_hvm_set_mem_type a;
- struct domain *d;
- struct p2m_domain *p2m;
-- unsigned long pfn;
-
- /* Interface types to internal p2m types */
- p2m_type_t memtype[] = {
-@@ -3625,8 +3640,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
- goto param_fail4;
-
- p2m = p2m_get_hostp2m(d);
-- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
-+ while ( a.nr > 0 )
- {
-+ unsigned long pfn = a.first_pfn;
- p2m_type_t t;
- p2m_type_t nt;
- mfn_t mfn;
-@@ -3662,6 +3678,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
- goto param_fail4;
- }
- }
-+
-+ a.first_pfn++;
-+ a.nr--;
-+
-+ /* Check for continuation if it's not the last interation */
-+ if ( a.nr > 0 && hypercall_preempt_check() )
-+ {
-+ if ( copy_to_guest(arg, &a, 1) )
-+ rc = -EFAULT;
-+ else
-+ rc = -EAGAIN;
-+ goto param_fail4;
-+ }
- }
-
- rc = 0;
-diff -r 5639047d6c9f xen/arch/x86/mm/paging.c
---- a/xen/arch/x86/mm/paging.c Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/arch/x86/mm/paging.c Mon Nov 19 16:00:33 2012 +0000
-@@ -529,13 +529,18 @@ int paging_log_dirty_range(struct domain
-
- if ( !d->arch.paging.log_dirty.fault_count &&
- !d->arch.paging.log_dirty.dirty_count ) {
-- int size = (nr + BITS_PER_LONG - 1) / BITS_PER_LONG;
-- unsigned long zeroes[size];
-- memset(zeroes, 0x00, size * BYTES_PER_LONG);
-+ static uint8_t zeroes[PAGE_SIZE];
-+ int off, size;
-+
-+ size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long);
- rv = 0;
-- if ( copy_to_guest_offset(dirty_bitmap, 0, (uint8_t *) zeroes,
-- size * BYTES_PER_LONG) != 0 )
-- rv = -EFAULT;
-+ for ( off = 0; !rv && off < size; off += sizeof zeroes )
-+ {
-+ int todo = min(size - off, (int) PAGE_SIZE);
-+ if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) )
-+ rv = -EFAULT;
-+ off += todo;
-+ }
- goto out;
- }
- d->arch.paging.log_dirty.fault_count = 0;
-diff -r 5639047d6c9f xen/include/asm-x86/config.h
---- a/xen/include/asm-x86/config.h Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/include/asm-x86/config.h Mon Nov 19 16:00:33 2012 +0000
-@@ -108,6 +108,9 @@ extern unsigned int trampoline_xen_phys_
- extern unsigned char trampoline_cpu_started;
- extern char wakeup_start[];
- extern unsigned int video_mode, video_flags;
-+
-+#define GB(_gb) (_gb ## UL << 30)
-+
- #endif
-
- #define asmlinkage
-@@ -123,7 +126,6 @@ extern unsigned int video_mode, video_fl
- #define PML4_ADDR(_slot) \
- ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \
- (_slot ## UL << PML4_ENTRY_BITS))
--#define GB(_gb) (_gb ## UL << 30)
- #else
- #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS)
- #define PML4_ADDR(_slot) \
diff --git a/main/xen/xsa28-4.1.patch b/main/xen/xsa28-4.1.patch
deleted file mode 100644
index fe4638e..0000000
--- a/main/xen/xsa28-4.1.patch
@@ -1,36 +0,0 @@
-x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use
-
-Otherwise an out of bounds array access can happen if changing the
-default access is being requested, which - if it doesn't crash Xen -
-would subsequently allow reading arbitrary memory through
-HVMOP_get_mem_access (again, unless that operation crashes Xen).
-
-This is XSA-28 / CVE-2012-5512.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index 66cf805..08b6418 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -3699,7 +3699,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
- return rc;
-
- rc = -EINVAL;
-- if ( !is_hvm_domain(d) )
-+ if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )
- goto param_fail5;
-
- p2m = p2m_get_hostp2m(d);
-@@ -3719,9 +3719,6 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
- ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
- goto param_fail5;
-
-- if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) )
-- goto param_fail5;
--
- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
- {
- p2m_type_t t;
diff --git a/main/xen/xsa29-4.1.patch b/main/xen/xsa29-4.1.patch
deleted file mode 100644
index f8f6e38..0000000
--- a/main/xen/xsa29-4.1.patch
@@ -1,49 +0,0 @@
-xen: add missing guest address range checks to XENMEM_exchange handlers
-
-Ever since its existence (3.0.3 iirc) the handler for this has been
-using non address range checking guest memory accessors (i.e.
-the ones prefixed with two underscores) without first range
-checking the accessed space (via guest_handle_okay()), allowing
-a guest to access and overwrite hypervisor memory.
-
-This is XSA-29 / CVE-2012-5513.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
-index 2402984..1d877fc 100644
---- a/xen/common/compat/memory.c
-+++ b/xen/common/compat/memory.c
-@@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE(void) compat)
- (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
- return -EINVAL;
-
-+ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
-+ cmp.xchg.in.nr_extents) ||
-+ !compat_handle_okay(cmp.xchg.out.extent_start,
-+ cmp.xchg.out.nr_extents) )
-+ return -EFAULT;
-+
- start_extent = cmp.xchg.nr_exchanged;
- end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
- (((1U << ABS(order_delta)) + 1) *
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 4e7c234..59379d3 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -289,6 +289,13 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
- goto fail_early;
- }
-
-+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
-+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
-+ {
-+ rc = -EFAULT;
-+ goto fail_early;
-+ }
-+
- /* Only privileged guests can allocate multi-page contiguous extents. */
- if ( !multipage_allocation_permitted(current->domain,
- exch.in.extent_order) ||
diff --git a/main/xen/xsa30-4.1.patch b/main/xen/xsa30-4.1.patch
deleted file mode 100644
index 817879a..0000000
--- a/main/xen/xsa30-4.1.patch
@@ -1,57 +0,0 @@
-xen: fix error handling of guest_physmap_mark_populate_on_demand()
-
-The only user of the "out" label bypasses a necessary unlock, thus
-enabling the caller to lock up Xen.
-
-Also, the function was never meant to be called by a guest for itself,
-so rather than inspecting the code paths in depth for potential other
-problems this might cause, and adjusting e.g. the non-guest printk()
-in the above error path, just disallow the guest access to it.
-
-Finally, the printk() (considering its potential of spamming the log,
-the more that it's not using XENLOG_GUEST), is being converted to
-P2M_DEBUG(), as debugging is what it apparently was added for in the
-first place.
-
-This is XSA-30 / CVE-2012-5514.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff -r 5639047d6c9f xen/arch/x86/mm/p2m.c
---- a/xen/arch/x86/mm/p2m.c Mon Nov 19 09:43:48 2012 +0100
-+++ b/xen/arch/x86/mm/p2m.c Thu Nov 22 17:07:37 2012 +0000
-@@ -2412,6 +2412,9 @@ guest_physmap_mark_populate_on_demand(st
- mfn_t omfn;
- int rc = 0;
-
-+ if ( !IS_PRIV_FOR(current->domain, d) )
-+ return -EPERM;
-+
- if ( !paging_mode_translate(d) )
- return -EINVAL;
-
-@@ -2430,8 +2433,7 @@ guest_physmap_mark_populate_on_demand(st
- omfn = gfn_to_mfn_query(p2m, gfn + i, &ot);
- if ( p2m_is_ram(ot) )
- {
-- printk("%s: gfn_to_mfn returned type %d!\n",
-- __func__, ot);
-+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
- rc = -EBUSY;
- goto out;
- }
-@@ -2453,10 +2455,10 @@ guest_physmap_mark_populate_on_demand(st
- BUG_ON(p2m->pod.entry_count < 0);
- }
-
-+out:
- audit_p2m(p2m, 1);
- p2m_unlock(p2m);
-
--out:
- return rc;
- }
-
diff --git a/main/xen/xsa31-4.1.patch b/main/xen/xsa31-4.1.patch
deleted file mode 100644
index 1f3d929..0000000
--- a/main/xen/xsa31-4.1.patch
@@ -1,50 +0,0 @@
-memop: limit guest specified extent order
-
-Allowing unbounded order values here causes almost unbounded loops
-and/or partially incomplete requests, particularly in PoD code.
-
-The added range checks in populate_physmap(), decrease_reservation(),
-and the "in" one in memory_exchange() architecturally all could use
-PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
-MAX_ORDER.
-
-This is XSA-31 / CVE-2012-5515.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 4e7c234..9b9fb18 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -117,7 +117,8 @@ static void populate_physmap(struct memop_args *a)
-
- if ( a->memflags & MEMF_populate_on_demand )
- {
-- if ( guest_physmap_mark_populate_on_demand(d, gpfn,
-+ if ( a->extent_order > MAX_ORDER ||
-+ guest_physmap_mark_populate_on_demand(d, gpfn,
- a->extent_order) < 0 )
- goto out;
- }
-@@ -216,7 +217,8 @@ static void decrease_reservation(struct memop_args *a)
- xen_pfn_t gmfn;
-
- if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
-- a->nr_extents-1) )
-+ a->nr_extents-1) ||
-+ a->extent_order > MAX_ORDER )
- return;
-
- for ( i = a->nr_done; i < a->nr_extents; i++ )
-@@ -278,6 +280,9 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
- if ( (exch.nr_exchanged > exch.in.nr_extents) ||
- /* Input and output domain identifiers match? */
- (exch.in.domid != exch.out.domid) ||
-+ /* Extent orders are sensible? */
-+ (exch.in.extent_order > MAX_ORDER) ||
-+ (exch.out.extent_order > MAX_ORDER) ||
- /* Sizes of input and output lists do not overflow a long? */
- ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
- ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||
--
1.7.7.5 (Apple Git-26)
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---