From: Daniel Sabogal
To: alpine-aports@lists.alpinelinux.org
Subject: [alpine-aports] [PATCH] main/xen: security fix for xsa236 (CVE-2017-15597)
Date: Tue, 24 Oct 2017 15:17:31 -0400
Message-Id: <20171024191731.13890-2-dsabogalcc@gmail.com>
In-Reply-To: <20171024191731.13890-1-dsabogalcc@gmail.com>
References: <20171024191731.13890-1-dsabogalcc@gmail.com>
X-Mailinglist: alpine-aports
List-Id: Alpine Development

--- main/xen/APKBUILD | 6 ++++- main/xen/xsa236-4.9.patch | 66 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 main/xen/xsa236-4.9.patch diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index aefd35f76d..55fdf988ca 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: William Pitcock pkgname=xen pkgver=4.9.0 -pkgrel=6 +pkgrel=7 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64 armhf aarch64" @@ -96,6 +96,8 @@ options="!strip" # - CVE-2017-15593 XSA-242 # - CVE-2017-15592 XSA-243 # - CVE-2017-15594 XSA-244 +# 4.9.0-r7: +# - CVE-2017-15597 XSA-236 case "$CARCH" in x86*) @@ -153,6 +155,7 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv xsa233.patch xsa234-4.9.patch xsa235-4.9.patch + xsa236-4.9.patch xsa237-1.patch xsa237-2.patch xsa237-3.patch 
@@ -430,6 +433,7 @@ fb742225a4f3dbf2a574c4a6e3ef61a5da0c91aaeed77a2247023bdefcd4e0b6c08f1c9ffb42eaac a322ac6c5ac2f858a59096108032fd42974eaaeeebd8f4966119149665f32bed281e333e743136e79add2e6f3844d88b6a3e4d5a685c2808702fd3a9e6396cd4 xsa233.patch cafeef137cd82cefc3e974b42b974c6562e822c9b359efb654ac374e663d9fc123be210eec17b278f40eabb77c93d3bf0ff03e445607159ad0712808a609a906 xsa234-4.9.patch 8bab6e59577b51f0c6b8a547c9a37a257bd0460e7219512e899d25f80a74084745d2a4c54e55ad12526663d40f218cb8f833b71350220d36e3750d002ff43d29 xsa235-4.9.patch +a951c3d29a6b05b42021bd49419becff51123a245256659240a3af5701bbf51e7d3c1a79835a7cc9a5fdf7c1c6aa330a35a586cb56d69d847c256642f0fc8e55 xsa236-4.9.patch a447b4f0a5379da46b5f0eb5b77eab07c3cfe8d303af6e116e03c7d88a9fc9ea154043165631d29248c07516ab8fdfd5de4da1ccf0ab7358d90fb7f9c87bf221 xsa237-1.patch 10f2d84f783fb8bae5a39c463a32f4ac5d4d2614a7eecf109dcccd5418b8ec5e523691e79b3578d9c7b113f368a94d360acb9534808c440852a91c36369f88fd xsa237-2.patch 50607fca2e02eed322927e0288c77e7a6c541794fa2c70c78ada0c2fa762b5ad0f3b5108ecb9f01d8826f89dab492d56c502236c70234e6ba741e94a39356ea3 xsa237-3.patch diff --git a/main/xen/xsa236-4.9.patch b/main/xen/xsa236-4.9.patch new file mode 100644 index 0000000000..203025dbae --- /dev/null +++ b/main/xen/xsa236-4.9.patch 
@@ -0,0 +1,66 @@ +From: Jan Beulich +Subject: gnttab: fix pin count / page reference race + +Dropping page references before decrementing pin counts is a bad idea +if assumptions are being made that a non-zero pin count implies a valid +page. Fix the order of operations in gnttab_copy_release_buf(), but at +the same time also remove the assertion that was found to trigger: +map_grant_ref() also has the potential of causing a race here, and +changing the order of operations there would likely be quite a bit more +involved. + +This is XSA-236. + +Reported-by: Pawel Wieczorkiewicz +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/common/grant_table.c ++++ b/xen/common/grant_table.c +@@ -2330,9 +2330,20 @@ __acquire_grant_for_copy( + td = page_get_owner_and_reference(*page); + /* + * act->pin being non-zero should guarantee the page to have a +- * non-zero refcount and hence a valid owner. ++ * non-zero refcount and hence a valid owner (matching the one on ++ * record), with one exception: If the owning domain is dying we ++ * had better not make implications from pin count (map_grant_ref() ++ * updates pin counts before obtaining page references, for ++ * example). + */ +- ASSERT(td); ++ if ( td != rd || rd->is_dying ) ++ { ++ if ( td ) ++ put_page(*page); ++ *page = NULL; ++ rc = GNTST_bad_domain; ++ goto unlock_out_clear; ++ } + } + + act->pin += readonly ? 
GNTPIN_hstr_inc : GNTPIN_hstw_inc; +@@ -2451,6 +2462,11 @@ static void gnttab_copy_release_buf(stru + unmap_domain_page(buf->virt); + buf->virt = NULL; + } ++ if ( buf->have_grant ) ++ { ++ __release_grant_for_copy(buf->domain, buf->ptr.u.ref, buf->read_only); ++ buf->have_grant = 0; ++ } + if ( buf->have_type ) + { + put_page_type(buf->page); +@@ -2461,11 +2477,6 @@ static void gnttab_copy_release_buf(stru + put_page(buf->page); + buf->page = NULL; + } +- if ( buf->have_grant ) +- { +- __release_grant_for_copy(buf->domain, buf->ptr.u.ref, buf->read_only); +- buf->have_grant = 0; +- } + } + + static int gnttab_copy_claim_buf(const struct gnttab_copy *op, -- 2.14.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
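Review bot: the sha512sums hunk adds a checksum for xsa236-4.9.patch that cannot be verified from this mail. Before merging, regenerate it with `abuild checksum` against the file as committed and compare it with the checksum distributed alongside the XSA-236 advisory: the copy embedded below carries no signature, and a mail client reflowing the `+`/`-` lines would silently change the hash while the text still looks like the upstream patch.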
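Review bot: in the __acquire_grant_for_copy() hunk the new bail-out runs before `act->pin += readonly ? GNTPIN_hstr_inc : GNTPIN_hstw_inc;`, so the `goto unlock_out_clear` path must not undo a pin that was never taken; the label's cleanup is outside the hunk, so confirm it only drops the lock and clears state. The condition `td != rd || rd->is_dying` already covers `td == NULL` (rd is never NULL here), which is why the inner `if ( td ) put_page(*page);` is the only NULL handling needed; a short comment saying so would help, since the removed `ASSERT(td)` was the only hint that page_get_owner_and_reference() can fail. Note also that `rd->is_dying` is read without any synchronisation with domain teardown, so this closes the assertion window rather than excluding the map_grant_ref() interleaving the description mentions; that matches the stated intent, but the comment could say explicitly that GNTST_bad_domain is the expected outcome for a racing copy, not a bug.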
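Review bot: the two gnttab_copy_release_buf() hunks move the `if ( buf->have_grant )` block verbatim from after put_page() to before put_page_type(), so release order is now unmap, drop the pin via __release_grant_for_copy(), put_page_type(), put_page(); that is the ordering fix the description asks for. The moved lines read buf->domain, buf->ptr.u.ref and buf->read_only, none of which the unmap branch above them modifies, so nothing else needs reordering. One documentation nit: the description only talks about page references, but the pin is now also dropped ahead of the type reference; if that ordering is deliberate, one sentence in the description would save the next reader from wondering whether the block could equally sit between put_page_type() and put_page().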
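The ordering invariant the patch description relies on, shown as an added example that is not Xen code and not part of this mail: a small C model in which a grant's pin count is only meaningful while the page still holds a reference. The names toy_page, toy_grant, get_owner_and_reference, acquire_for_copy, release_step and interleaved_release are made up for illustration and mirror act->pin, page_get_owner_and_reference(), __release_grant_for_copy() and put_page() only loosely; the grant-table lock is replaced by running the steps in a fixed order instead of with real threads. It reproduces the assertion window (reference dropped before the pin, old ASSERT), shows the patched check turning that window into GNTST_bad_domain, and shows that the reordered release leaves nothing for the check to catch.

```c
/*
 * Added example, not Xen code: toy model of the XSA-236 pin-count / page-
 * reference ordering.  All identifiers below are invented for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

enum toy_status { TOY_OK = 0, TOY_BAD_DOMAIN = 1, TOY_ASSERT_FAILED = 2 };

struct toy_page {
    int refcount;   /* page references; taking a reference fails once this is 0 */
    int owner;      /* owning domain id, or -1 once the page has been recycled */
};

struct toy_grant {
    int pin;                /* analogue of act->pin */
    struct toy_page *page;  /* analogue of act->frame, only trusted while pin != 0 */
};

static void take_ref(struct toy_page *p) { p->refcount++; }

static void drop_ref(struct toy_page *p)
{
    if (--p->refcount == 0)
        p->owner = -1;      /* last reference gone: the page may be reused */
}

/* Analogue of page_get_owner_and_reference(): -1 when no reference can be taken. */
static int get_owner_and_reference(struct toy_page *p)
{
    if (p->refcount == 0)
        return -1;
    take_ref(p);
    return p->owner;
}

/*
 * Acquire side.  With pin == 0 the frame is looked up afresh (modelled as a
 * plain take_ref); with pin != 0 the cached frame is used and its owner read
 * back.  `patched` selects the XSA-236 check instead of the old ASSERT(td).
 */
static enum toy_status acquire_for_copy(struct toy_grant *g, int rd,
                                        bool rd_dying, bool patched)
{
    if (g->pin == 0) {
        take_ref(g->page);
    } else {
        int td = get_owner_and_reference(g->page);

        if (!patched) {
            if (td < 0)
                return TOY_ASSERT_FAILED;   /* the ASSERT(td) the patch removes */
        } else if (td != rd || rd_dying) {
            if (td >= 0)
                drop_ref(g->page);          /* undo the reference just taken */
            return TOY_BAD_DOMAIN;
        }
    }
    g->pin++;
    return TOY_OK;
}

/* Release side, split into its two steps so another path can run in between. */
static void release_step(struct toy_grant *g, bool fixed_order, int step)
{
    bool drop_pin_now = fixed_order ? (step == 1) : (step == 2);

    if (drop_pin_now)
        g->pin--;           /* __release_grant_for_copy() */
    else
        drop_ref(g->page);  /* put_page() */
}

/*
 * One copy is in flight (pin 1, refcount 1, owned by domain 0).  The releaser
 * performs its first step, a second acquirer for domain 0 runs, then the
 * releaser finishes.  Returns what the acquirer observed.
 */
static enum toy_status interleaved_release(bool fixed_order, bool patched,
                                           bool rd_dying)
{
    struct toy_page page = { .refcount = 1, .owner = 0 };
    struct toy_grant grant = { .pin = 1, .page = &page };
    enum toy_status seen;

    release_step(&grant, fixed_order, 1);
    seen = acquire_for_copy(&grant, /* rd = */ 0, rd_dying, patched);
    release_step(&grant, fixed_order, 2);
    return seen;
}

int main(void)
{
    static const char *const names[] = { "OK", "BAD_DOMAIN", "ASSERT_FAILED" };

    printf("old order, old check:   %s\n", names[interleaved_release(false, false, false)]);
    printf("old order, new check:   %s\n", names[interleaved_release(false, true, false)]);
    printf("fixed order, old check: %s\n", names[interleaved_release(true, false, false)]);
    printf("fixed order, new check: %s\n", names[interleaved_release(true, true, false)]);
    return 0;
}
```

The first scenario is the XSA-236 report: with the reference dropped first, a racing acquirer sees pin != 0 but can no longer take a reference, which the old code turned into a hypervisor assertion. The patched check converts the same interleaving into GNTST_bad_domain, and once the pin is dropped before the reference (the gnttab_copy_release_buf() reordering) the racing acquirer simply sees pin == 0 and takes a fresh reference.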