From: Daniel Sabogal
To: alpine-aports@lists.alpinelinux.org
Subject: [alpine-aports] [PATCH 1/2] main/xen: security fixes (XSA-226 and XSA-235)
Date: Mon, 4 Sep 2017 17:48:52 -0400
Message-Id: <20170904214853.11088-1-dsabogalcc@gmail.com>
X-Mailer: git-send-email 2.14.1

Update patch for XSA-226 (fixes a regression).
http://openwall.com/lists/oss-security/2017/08/29/2

Include fix for XSA-235.

--- main/xen/APKBUILD | 8 ++++++-- main/xen/xsa226-1.patch | 15 +++++++++++++++ main/xen/xsa235-4.9.patch | 49 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 main/xen/xsa235-4.9.patch diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 1274b35f4a..f450aa810a 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: William Pitcock pkgname=xen pkgver=4.9.0 -pkgrel=1 +pkgrel=2 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64 armhf" @@ -78,6 +78,8 @@ options="!strip" # - CVE-2017-12137 XSA-227 # - CVE-2017-12136 XSA-228 # - CVE-2017-12855 XSA-230 +# 4.9.0-r2: +# - XSA-235 case "$CARCH" in x86*) @@ -127,6 +129,7 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv xsa227.patch xsa228.patch xsa230.patch + xsa235-4.9.patch qemu-coroutine-gthread.patch qemu-xen_paths.patch 
@@ -377,11 +380,12 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35 tpm_emulator-0.7.4.tar.gz 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz 82ba65e1c676d32b29c71e6395c9506cab952c8f8b03f692e2b50133be8f0c0146d0f22c223262d81a4df579986fde5abc6507869f4965be4846297ef7b4b890 ipxe-git-827dd1bfee67daa683935ce65316f7e0f057fe1c.tar.gz -e934ba5be6a526d164cb4c8bb71a679f2fedeaddb82d8f5ebbbbe3cbfaa6dd639c4e94662c6b7a9d066195f2a59e8d14dc3ee55dc94c09b4475d455d881b2741 xsa226-1.patch +45fed43bbdcf63fc3ded0a2629e27a5d58306a244dba2e005cf8814aa50cde962c41e5e72075a1d678eb9c18af17e1cbf078884214fd29df0ad551977c9880c2 xsa226-1.patch 4d1e729c592efefd705233b49484991801606b2122a64ff14abbf994bb3e77ec75c4989d43753ce2043cc4fe13d34fb1cef7ee1adb291ff16625bb3b125e5508 xsa226-2.patch 7d66494e833d46f8a213af0f2b107a12617d5e8b45c3b07daee229c75bd6aad98284bc0e19f15706d044b58273cc7f0c193ef8553faa22fadeae349689e763c8 xsa227.patch d406f14531af707325790909d08ce299ac2f2cb4b87f9a8ddb0fba10bd83bed84cc1633e07632cc2f841c50bc1a9af6240c89539a2e6ba6028cb127e218f86fc xsa228.patch df174a1675f74b73e78bc3cb1c9f16536199dfd1922c0cc545a807e92bc24941a816891838258e118f477109548487251a7eaccb2d1dd9b6994c8c76fc5b058f xsa230.patch +8bab6e59577b51f0c6b8a547c9a37a257bd0460e7219512e899d25f80a74084745d2a4c54e55ad12526663d40f218cb8f833b71350220d36e3750d002ff43d29 xsa235-4.9.patch c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch 
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch diff --git a/main/xen/xsa226-1.patch b/main/xen/xsa226-1.patch index 7711d3f888..d60bbe2db1 100644 --- a/main/xen/xsa226-1.patch +++ b/main/xen/xsa226-1.patch @@ -16,6 +16,21 @@ This is part of CVE-2017-12135 / XSA-226. Signed-off-by: Jan Beulich +--- a/xen/common/compat/grant_table.c ++++ b/xen/common/compat/grant_table.c +@@ -258,9 +258,9 @@ int compat_grant_table_op(unsigned int cmd, + rc = gnttab_copy(guest_handle_cast(nat.uop, gnttab_copy_t), n); + if ( rc > 0 ) + { +- ASSERT(rc < n); +- i -= n - rc; +- n = rc; ++ ASSERT(rc <= n); ++ i -= rc; ++ n -= rc; + } + if ( rc >= 0 ) + { --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -2103,8 +2103,10 @@ __release_grant_for_copy( diff --git a/main/xen/xsa235-4.9.patch b/main/xen/xsa235-4.9.patch new file mode 100644 index 0000000000..25dd650755 --- /dev/null +++ b/main/xen/xsa235-4.9.patch 
@@ -0,0 +1,49 @@ +From: Jan Beulich +Subject: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths + +Commit 55021ff9ab ("xen/arm: add_to_physmap_one: Avoid to map mfn 0 if +an error occurs") introduced error paths not releasing the grant table +lock. Replace them by a suitable check after the lock was dropped. + +This is XSA-235. + +Reported-by: Wei Liu +Signed-off-by: Jan Beulich +Reviewed-by: Julien Grall + +--- a/xen/arch/arm/mm.c ++++ b/xen/arch/arm/mm.c +@@ -1164,7 +1164,7 @@ int xenmem_add_to_physmap_one( + if ( idx < nr_status_frames(d->grant_table) ) + mfn = virt_to_mfn(d->grant_table->status[idx]); + else +- return -EINVAL; ++ mfn = mfn_x(INVALID_MFN); + } + else + { +@@ -1175,14 +1175,21 @@ int xenmem_add_to_physmap_one( + if ( idx < nr_grant_frames(d->grant_table) ) + mfn = virt_to_mfn(d->grant_table->shared_raw[idx]); + else +- return -EINVAL; ++ mfn = mfn_x(INVALID_MFN); + } + +- d->arch.grant_table_gfn[idx] = gfn; ++ if ( mfn != mfn_x(INVALID_MFN) ) ++ { ++ d->arch.grant_table_gfn[idx] = gfn; + +- t = p2m_ram_rw; ++ t = p2m_ram_rw; ++ } + + grant_write_unlock(d->grant_table); ++ ++ if ( mfn == mfn_x(INVALID_MFN) ) ++ return -EINVAL; ++ + break; + case XENMAPSPACE_shared_info: + if ( idx != 0 ) -- 2.14.1
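
Review bot: in main/xen/APKBUILD, the new entry under `# 4.9.0-r2:` lists only `XSA-235`, while the entries directly above it pair each advisory with its CVE (for example `# - CVE-2017-12855 XSA-230`), and the refreshed XSA-226 patch is not recorded in that list at all. Suggest adding the CVE identifier for XSA-235 once one is available and noting the XSA-226 update in the same comment block, since the only trace of it in this file is the changed xsa226-1.patch checksum.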
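
Review bot: in the compat_grant_table_op() hunk added to main/xen/xsa226-1.patch, relaxing the check to `ASSERT(rc <= n)` means `n -= rc` can now leave `n` at 0 before execution reaches the `if ( rc >= 0 )` block in the trailing context, and the body of that block is not part of the hunk. Please confirm against the advisory linked in the commit message that this is the updated upstream patch and that the following block behaves correctly when `n` is 0. The description kept at the top of the patch file is unchanged, so a line there saying this is the revised version would help anyone comparing the old and new checksums.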
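
Review bot: in the second xen/arch/arm/mm.c hunk of main/xen/xsa235-4.9.patch, the deferred `if ( mfn == mfn_x(INVALID_MFN) ) return -EINVAL;` placed after `grant_write_unlock(d->grant_table);` has no comment explaining why the error return is postponed. The patch description states that the bug was error paths returning without releasing the grant table lock, so a one-line comment at that check would keep a later cleanup from moving the return back under the lock. The lock acquisition itself is outside the context shown, so it is also worth confirming that the two replaced `return -EINVAL;` statements were the only early exits in the locked region.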