From: Sergey Lukin <sergej.lukin@gmail.com>
To: alpine-aports@lists.alpinelinux.org
Cc: Sergey Lukin <sergej.lukin@gmail.com>
Subject: [alpine-aports] [PATCH v3.3] main/xen: security fixes #6572
Date: Tue, 27 Dec 2016 10:01:59 +0000
Message-Id: <1482832919-4267-1-git-send-email-sergej.lukin@gmail.com>
Precedence: list

CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts
http://xenbits.xen.org/xsa/advisory-202.html

CVE-2016-10025, XSA-203: x86: missing NULL pointer check in VMFUNC emulation
http://xenbits.xen.org/xsa/advisory-203.html

CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
http://xenbits.xen.org/xsa/advisory-204.html
---
 main/xen/APKBUILD         | 19 +++++++++++-
 main/xen/xsa202-4.6.patch | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 main/xen/xsa203-4.7.patch | 19 ++++++++++++
 main/xen/xsa204-4.7.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 main/xen/xsa202-4.6.patch
 create mode 100644 main/xen/xsa203-4.7.patch
 create mode 100644 main/xen/xsa204-4.7.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 6cf681e..dfeec64 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.6.3
-pkgrel=4
+pkgrel=5
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -24,6 +25,10 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
 #     - CVE-2016-9816 XSA-201
 #     - CVE-2016-9817 XSA-201
 #     - CVE-2016-9818 XSA-201
+#   4.6.3-r5:
+#     - CVE-2016-10024 XSA-202
+#     - CVE-2016-10025 XSA-203
+#     - CVE-2016-10013 XSA-204
 
 # grep _VERSION= stubdom/configure
 _ZLIB_VERSION="1.2.3"
@@ -74,6 +79,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa201-2.patch
 	xsa201-3-4.7.patch
 	xsa201-4.patch
+	xsa202-4.6.patch
+	xsa203-4.7.patch
+	xsa204-4.7.patch
 
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
@@ -306,6 +314,9 @@ add3ad7828d582fc272073e906ce17a1  xsa200-4.6.patch
 76394482eaf0caeb3e0611ba70e8923c  xsa201-2.patch
 136b9ad8b2bcc57d5a7ed3bf13bebe3c  xsa201-3-4.7.patch
 9cb1516d783fc9c765e9a37574bb3cbd  xsa201-4.patch
+a5a39c6354c952095e1d78a582385933  xsa202-4.6.patch
+da401ec1a25668a2dabc666f6687409b  xsa203-4.7.patch
+dc4ad05682ce371e1755817b22229601  xsa204-4.7.patch
 de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
 08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
 e449bb3359b490804ffc7b0ae08d62a0  hotplug-vif-vtrill.patch
@@ -361,6 +372,9 @@ d3af265879196c05b3fdd2cdeb5e95446f454dd3c1151452fe4f3389eccc39e4  xsa197-qemut-C
 0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
 a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76  xsa201-3-4.7.patch
 388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
+e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4  xsa202-4.6.patch
+7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46  xsa203-4.7.patch
+d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2  xsa204-4.7.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
 dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a  hotplug-vif-vtrill.patch
@@ -416,6 +430,9 @@ b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594c
 afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d  xsa201-2.patch
 ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133fe1d3334c628da784c696161768b275ed3ab64d6140293dc  xsa201-3-4.7.patch
 1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610  xsa201-4.patch
+dee7a595324ea5de3754c9aad2422fc2021bcb53999e344dbe6e4edfd4772a5ed20e8ebfb40750b81287a2a022037d49cbe4f0f7ba481ae0ac79a4249ef630bf  xsa202-4.6.patch
+b86ef48db23dacb51fbbdd55041bf08fac8aa0db76a272bb2f9d9be7195cd9a359a30fbbb61e040c66f23358f12ae102a92a30296fb18e4feb1023b58ffad4ff  xsa203-4.7.patch
+a2a091cd51ed54f5b5ba4131efc1c9cc0a69a647cea46415f73c29e5764efb00025e2e65bd5d24cf26f903263fce150b2b1c52ca5d61fd81dea7efe16abf57be  xsa204-4.7.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa202-4.6.patch b/main/xen/xsa202-4.6.patch
new file mode 100644
index 0000000..0c7fff0
--- /dev/null
+++ b/main/xen/xsa202-4.6.patch
@@ -0,0 +1,73 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86: force EFLAGS.IF on when exiting to PV guests
+
+Guest kernels modifying instructions in the process of being emulated
+for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
+next exiting to guest context, by converting the being emulated
+instruction to CLI (at the right point in time). Prevent any such bad
+effects by always forcing EFLAGS.IF on. And to cover hypothetical other
+similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.
+
+This is XSA-202.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -174,6 +174,8 @@ compat_bad_hypercall:
+ /* %rbx: struct vcpu, interrupts disabled */
+ ENTRY(compat_restore_all_guest)
+         ASSERT_INTERRUPTS_DISABLED
++        mov   $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
++        and   UREGS_eflags(%rsp),%r11d
+ .Lcr4_orig:
+         .skip .Lcr4_alt_end - .Lcr4_alt, 0x90
+ .Lcr4_orig_end:
+@@ -209,6 +211,8 @@ ENTRY(compat_restore_all_guest)
+                              (.Lcr4_orig_end - .Lcr4_orig), \
+                              (.Lcr4_alt_end - .Lcr4_alt)
+         .popsection
++        or    $X86_EFLAGS_IF,%r11
++        mov   %r11d,UREGS_eflags(%rsp)
+         RESTORE_ALL adj=8 compat=1
+ .Lft0:  iretq
+ 
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -40,28 +40,29 @@ restore_all_guest:
+         testw $TRAP_syscall,4(%rsp)
+         jz    iret_exit_to_guest
+ 
++        movq  24(%rsp),%r11           # RFLAGS
++        andq  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
++        orq   $X86_EFLAGS_IF,%r11
++
+         /* Don't use SYSRET path if the return address is not canonical. */
+         movq  8(%rsp),%rcx
+         sarq  $47,%rcx
+         incl  %ecx
+         cmpl  $1,%ecx
+-        ja    .Lforce_iret
++        movq  8(%rsp),%rcx            # RIP
++        ja    iret_exit_to_guest
+ 
+         cmpw  $FLAT_USER_CS32,16(%rsp)# CS
+-        movq  8(%rsp),%rcx            # RIP
+-        movq  24(%rsp),%r11           # RFLAGS
+         movq  32(%rsp),%rsp           # RSP
+         je    1f
+         sysretq
+ 1:      sysretl
+ 
+-.Lforce_iret:
+-        /* Mimic SYSRET behavior. */
+-        movq  8(%rsp),%rcx            # RIP
+-        movq  24(%rsp),%r11           # RFLAGS
+         ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
++        andl  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
++        orl   $X86_EFLAGS_IF,24(%rsp)
+         addq  $8,%rsp
+ .Lft0:  iretq
+ 
diff --git a/main/xen/xsa203-4.7.patch b/main/xen/xsa203-4.7.patch
new file mode 100644
index 0000000..d623d84
--- /dev/null
+++ b/main/xen/xsa203-4.7.patch
@@ -0,0 +1,19 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/HVM: add missing NULL check before using VMFUNC hook
+
+This is XSA-203.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -1643,6 +1643,8 @@ static int hvmemul_vmfunc(
+ {
+     int rc;
+ 
++    if ( !hvm_funcs.altp2m_vcpu_emulate_vmfunc )
++        return X86EMUL_UNHANDLEABLE;
+     rc = hvm_funcs.altp2m_vcpu_emulate_vmfunc(ctxt->regs);
+     if ( rc != X86EMUL_OKAY )
+         hvmemul_inject_hw_exception(TRAP_invalid_op, 0, ctxt);
diff --git a/main/xen/xsa204-4.7.patch b/main/xen/xsa204-4.7.patch
new file mode 100644
index 0000000..ea41789
--- /dev/null
+++ b/main/xen/xsa204-4.7.patch
@@ -0,0 +1,69 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index bca7045..abe442e 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1582,6 +1582,7 @@ x86_emulate(
+     union vex vex = {};
+     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+     bool_t lock_prefix = 0;
++    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+     int override_seg = -1, rc = X86EMUL_OKAY;
+     struct operand src = { .reg = REG_POISON };
+     struct operand dst = { .reg = REG_POISON };
+@@ -3910,9 +3911,8 @@ x86_emulate(
+     }
+ 
+  no_writeback:
+-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+-         (ops->inject_hw_exception != NULL) )
++    /* Should a singlestep #DB be raised? */
++    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ 
+     /* Commit shadow register state. */
+@@ -4143,6 +4143,23 @@ x86_emulate(
+              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+             goto done;
+ 
++        /*
++         * SYSCALL (unlike most instructions) evaluates its singlestep action
++         * based on the resulting EFLG_TF, not the starting EFLG_TF.
++         *
++         * As the #DB is raised after the CPL change and before the OS can
++         * switch stack, it is a large risk for privilege escalation.
++         *
++         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++         * vulnerability.  Running the #DB handler on an IST stack is also a
++         * mitigation.
++         *
++         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
++         * mitigation is to use a task gate for handling #DB (or to not use
++         * enable EFER.SCE to start with).
++         */
++        tf = !!(_regs.eflags & EFLG_TF);
++
+         break;
+     }
+ 
-- 
2.6.6



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---