Security fixes for nested virtualization. These only apply to Xen
4.2.x; only edge and 2.5.x Alpine Linux systems are affected.
---
main/xen/APKBUILD | 6 +++++-
main/xen/xsa34-4.2.patch | 30 ++++++++++++++++++++++++++++++
main/xen/xsa35-4.2-with-xsa34.patch | 24 ++++++++++++++++++++++++
3 files changed, 59 insertions(+), 1 deletions(-)
create mode 100644 main/xen/xsa34-4.2.patch
create mode 100644 main/xen/xsa35-4.2-with-xsa34.patch
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 3c3a8a7..5e07fab 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.2.1
-pkgrel=4
+pkgrel=5
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
@@ -22,6 +22,8 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa41.patch
xsa41b.patch
xsa41c.patch
+ xsa34-4.2.patch
+ xsa35-4.2-with-xsa34.patch
xenstored.initd
xenstored.confd
@@ -141,6 +143,8 @@ md5sums="0d48cbe1767b82aba12517898d4e0408 xen-4.2.1.tar.gz
8ad8942000b8a4be4917599cad9209cf xsa41.patch
ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
2f3dd7bdc59d104370066d6582725575 xsa41c.patch
+af10e1a3f757a184a1d79904a5ef8572 xsa34-4.2.patch
+8270dbf929e26b5e95532d10a697e404 xsa35-4.2-with-xsa34.patch
95d8af17bf844d41a015ff32aae51ba1 xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
ed262f15fb880badb53575539468646c xenconsoled.initd
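Review bot: The two new security patches are pinned only by MD5 in the `md5sums` block, and MD5 is no longer collision-resistant, so it is a weak integrity anchor for a hypervisor package. This matters most for the first entry, `xen-4.2.1.tar.gz`, which the `source` line fetches over plain `http://`. If the abuild version in use supports it, add a `sha256sums` or `sha512sums` block next to `md5sums` (regenerated with `abuild checksum`) so the build checks a stronger digest. The checksum block starts before this hunk and runs past it, so the existing entries would need the same treatment.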
diff --git a/main/xen/xsa34-4.2.patch b/main/xen/xsa34-4.2.patch
new file mode 100644
index 0000000..f5328ef
--- /dev/null
+++ b/main/xen/xsa34-4.2.patch
@@ -0,0 +1,30 @@
+x86_32: don't allow use of nested HVM
+
+There are (indirect) uses of map_domain_page() in the nested HVM code
+that are unsafe when not just using the 1:1 mapping.
+
+This is XSA-34 / CVE-2013-0151.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++#ifdef __i386__
++ if ( a.value )
++ rc = -EINVAL;
++#else
+ if ( a.value > 1 )
+ rc = -EINVAL;
+ if ( !is_hvm_domain(d) )
+@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ for_each_vcpu(d, v)
+ if ( rc == 0 )
+ rc = nestedhvm_vcpu_initialise(v);
++#endif
+ break;
+ case HVM_PARAM_BUFIOREQ_EVTCHN:
+ rc = -EINVAL;
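Review bot: The new `#ifdef __i386__` arm in the `HVM_PARAM_NESTEDHVM` case has no comment, so a reader of hvm.c cannot tell why 32-bit builds reject every non-zero value without finding the advisory. I would add `/* x86_32: nested HVM reaches map_domain_page() in ways that are unsafe outside the 1:1 mapping (XSA-34). */` above `if ( a.value )`. The `is_hvm_domain(d)` check now lives only in the `#else` arm, so a zero value on a 32-bit build bypasses it. That looks harmless because nothing is enabled, but confirm it against what the code does with `rc` after the switch, which is outside this hunk.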
diff --git a/main/xen/xsa35-4.2-with-xsa34.patch b/main/xen/xsa35-4.2-with-xsa34.patch
new file mode 100644
index 0000000..89230e2
--- /dev/null
+++ b/main/xen/xsa35-4.2-with-xsa34.patch
@@ -0,0 +1,24 @@
+xen: Do not allow guests to enable nested HVM on themselves
+
+There is no reason for this and doing so exposes a memory leak to
+guests. Only toolstacks need write access to this HVM param.
+
+This is XSA-35 / CVE-2013-0152.
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Jan Beulich <JBeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++ if ( !IS_PRIV(current->domain) )
++ {
++ rc = -EPERM;
++ break;
++ }
+ #ifdef __i386__
+ if ( a.value )
+ rc = -EINVAL;
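Review bot: The added `IS_PRIV(current->domain)` check only limits who can reach the `HVM_PARAM_NESTEDHVM` path; the memory leak that the patch description mentions is not fixed anywhere in this hunk. A privileged caller that sets the parameter more than once on the same domain would presumably still leak, though `nestedhvm_vcpu_initialise()` is not visible here to confirm. At minimum, record the reason at the check, e.g. `/* Toolstack only: a guest setting this on itself exposes a memory leak (XSA-35). */`, so the guard is not later relaxed as redundant. It is also worth tracking whether the initialisation should be made idempotent. The body of `do_hvm_op` starts and ends outside the hunk.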
--
1.7.7.5 (Apple Git-26)