
[alpine-aports] [PATCH] main/mupdf: upgrade to 1.12.0

Daniel Sabogal
Message ID
<20171215223855.3700-1-dsabogalcc@gmail.com>
Sender timestamp
1513377534
DKIM signature
missing
Patch: +29 -75
---
 main/mupdf/APKBUILD            | 36 +++++++++++++++---------------------
 main/mupdf/CVE-2017-6060.patch | 41 -----------------------------------------
 main/mupdf/openjpeg-2.1.patch  |  8 ++++----
 main/mupdf/shared-lib.patch    | 19 ++++++++++---------
 4 files changed, 29 insertions(+), 75 deletions(-)
 delete mode 100644 main/mupdf/CVE-2017-6060.patch

diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD
index d6c76afd88..cfab6145db 100644
--- a/main/mupdf/APKBUILD
+++ b/main/mupdf/APKBUILD
@@ -2,22 +2,21 @@
 # Contributor: Michael Zhou <zhoumichaely@gmail.com>
 # Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
 pkgname=mupdf
-pkgver=1.11
-pkgrel=1
+pkgver=1.12.0
+pkgrel=0
 pkgdesc="A lightweight PDF and XPS viewer"
 url="http://mupdf.com"
 arch="all"
 license="AGPL3+"
 depends=""
 makedepends="freetype-dev jpeg-dev jbig2dec-dev libx11-dev libxext-dev
-	openjpeg-dev harfbuzz-dev glfw-dev"
+	openjpeg-dev harfbuzz-dev freeglut-dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-x11:_x11
 	$pkgname-gl:_gl $pkgname-tools:_tools"
 options="!check"
-source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
+source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.xz
 	shared-lib.patch
 	openjpeg-2.1.patch
-	CVE-2017-6060.patch
 	"
 
 # secfixes:
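Review bot: CVE-2017-6060.patch is dropped from `source=` without anything in this hunk showing that 1.12.0 carries the upstream fix (Bug 697551, the path/line buffer size mismatch in platform/x11/jstest_main.c); the `# secfixes:` block begins on the last context line and continues outside the hunk, so please confirm the 1.12.0 release includes that commit and that the block already lists the CVE under an earlier pkgrel, otherwise add an entry in the file's existing format, e.g. `#   1.12.0-r0:` / `#     - CVE-2017-6060`. Alpine's secfixes tooling appears to read this block, so a silently removed backport with no corresponding entry would make the CVE look unaddressed. The tarball switch to .tar.xz is still pinned by the sha512sums update later in the file, which remains the only integrity control since the URL stays `http://`.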
@@ -30,26 +29,21 @@ source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
 
 builddir="$srcdir/$pkgname-$pkgver-source"
 prepare() {
-	default_prepare || return 1
+	default_prepare
 
 	cd "$builddir"
 	for file in thirdparty/*; do
 		[ "${file##*/}" != "mujs" ] && rm -rf "$file"
 	done
-
-	sed '/^JBIG2DEC_CFLAGS :=/s|$| -I./include/mupdf|' \
-		-i Makethird || return 1
 }
 
 build() {
-	make HAVE_GLFW=yes SYS_GLFW_LIBS="$(pkgconf --libs glfw3 gl)" \
-		prefix=/usr -C "$builddir" || return 1
+	make prefix=/usr -C "$builddir"
 }
 
 package() {
-	make HAVE_GLFW=yes \
-		prefix=/usr DESTDIR="$pkgdir" \
-		-C "$builddir" install || return 1
+	make prefix=/usr DESTDIR="$pkgdir" \
+		-C "$builddir" install
 
 	ln -s libmupdf.so.0 "$pkgdir"/usr/lib/libmupdf.so
 	ln -s libmupdfthird.so.0 "$pkgdir"/usr/lib/libmupdfthird.so
@@ -61,7 +55,7 @@ _x11() {
 
 	mkdir -p "$subpkgdir"/usr/bin
 	mv "$pkgdir"/usr/bin/mupdf-x11 \
-		"$subpkgdir"/usr/bin/ || return 1
+		"$subpkgdir"/usr/bin/
 	ln -s /usr/bin/mupdf-x11 "$subpkgdir"/usr/bin/mupdf
 }
 
@@ -71,7 +65,7 @@ _gl() {
 
 	mkdir -p "$subpkgdir"/usr/bin
 	mv "$pkgdir"/usr/bin/mupdf-gl \
-		"$subpkgdir"/usr/bin/ || return 1
+		"$subpkgdir"/usr/bin/
 }
 
 _tools() {
@@ -80,12 +74,12 @@ _tools() {
 
 	mkdir -p "$subpkgdir"/usr/bin
 	mv "$pkgdir"/usr/bin/mutool \
+		"$pkgdir"/usr/bin/mjsgen \
 		"$pkgdir"/usr/bin/mujstest \
 		"$pkgdir"/usr/bin/muraster \
-		"$subpkgdir"/usr/bin/ || return 1
+		"$subpkgdir"/usr/bin/
 }
 
-sha512sums="501670f540e298a8126806ebbd9db8b29866f663b7bbf26c9ade1933e42f0c00ad410b9d93f3ddbfb3e45c38722869095de28d832fe3fb3703c55cc9a01dbf63  mupdf-1.11-source.tar.gz
-b3ddbc22da894a8b9a0fa0c93711e2052b5d2ca29497473b6e15ffbae52faaafff9238619680de474c455ebd073c2d29ead4ff5d962fddb99f7ced27057fa77f  shared-lib.patch
-f8283db9a510527e84afeeb6eea89948161899c149a559c4a699c533445b42f30e5bf520616ca69d7feb554529ad494a60c276a1eecc915723ec0f264bbc0ed0  openjpeg-2.1.patch
-3e3f34e448967acb7772365065234c313cb014ebe6e3c3b3bcdbed2242b32ee5589ecd749d06fb4cd5f406eb37ca431e369c96b9adb3b5367d2e5296f1ca983e  CVE-2017-6060.patch"
+sha512sums="4c9ce81e7b0e2d77e017776fd9f700bc2f695f34b7fd97be7ba113ec1b340e7046c9db7d396abf19a98b1d0c7d72f01ecc1b44fadd250d2d6c6ffdcd9799bc16  mupdf-1.12.0-source.tar.xz
+8d3f22908060351e8bb171c7c8248662dd6ac3fb5c765ad0ce33f33c418f6bcfb1982ea8e97b4fefee067c675cac03f76e8b715640dfd3689e8d7738384b6536  shared-lib.patch
+3034e7d3248d904cc23e033a6331fc7a48d8f14e85deaa7b7b7bc37d8a3bc6c788e2fd0a866873a69c5f416d8de5b3a5b9efde4747fa50c2ea3c4b8d170aa549  openjpeg-2.1.patch"
diff --git a/main/mupdf/CVE-2017-6060.patch b/main/mupdf/CVE-2017-6060.patch
deleted file mode 100644
index cc03f6106b..0000000000
--- a/main/mupdf/CVE-2017-6060.patch
@@ -1,41 +0,0 @@
-squashed commits:
-06a012a42c9884e3cd653e7826cff1ddec04eb6e
-e089b2e2c1d38c5696c7dfd741e21f8f3ef22b14
-
-From 05cb7595b61aa00a29f1609b75d280b589091356 Mon Sep 17 00:00:00 2001
-From: Sebastian Rasmussen <sebras@gmail.com>
-Date: Tue, 11 Apr 2017 10:54:12 +0800
-Subject: [PATCH] Bug 697551: Make path and line buffers of equal size.
-
-Previously a too long line could be copied into the too short path buffer.
-
-jstest: Stop printing bogus script lines.
----
- platform/x11/jstest_main.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/platform/x11/jstest_main.c b/platform/x11/jstest_main.c
-index 13c3a0a3..36b32155 100644
---- a/platform/x11/jstest_main.c
-+++ b/platform/x11/jstest_main.c
-@@ -346,7 +346,7 @@ main(int argc, char *argv[])
- 				}
- 				else if (match(&line, "OPEN"))
- 				{
--					char path[1024];
-+					char path[LONGLINE];
- 					if (file_open)
- 						pdfapp_close(&gapp);
- 					if (prefix)
-@@ -402,7 +402,7 @@ main(int argc, char *argv[])
- 				}
- 				else
- 				{
--					fprintf(stderr, "Unmatched: %s\n", line);
-+					fprintf(stderr, "Ignoring line without script statement.\n");
- 				}
- 			}
- 			while (!feof(script));
--- 
-2.12.2
-
diff --git a/main/mupdf/openjpeg-2.1.patch b/main/mupdf/openjpeg-2.1.patch
index 3181c461f3..437e114cb9 100644
--- a/main/mupdf/openjpeg-2.1.patch
+++ b/main/mupdf/openjpeg-2.1.patch
@@ -1,12 +1,12 @@
---- mupdf-1.11-source/source/fitz/load-jpx.c.orig
-+++ mupdf-1.11-source/source/fitz/load-jpx.c
-@@ -444,11 +444,6 @@
+--- mupdf-1.12.0-source/source/fitz/load-jpx.c.orig
+@@ -445,11 +445,6 @@
  
  #else /* HAVE_LURATECH */
  
 -#define OPJ_STATIC
 -#define OPJ_HAVE_INTTYPES_H
--#if !defined(_WIN32) && !defined(_WIN64)
+-#if !defined(_MSC_VER) || _MSC_VER >= 1600
 -#define OPJ_HAVE_STDINT_H
 -#endif
  #define USE_JPIP
diff --git a/main/mupdf/shared-lib.patch b/main/mupdf/shared-lib.patch
index a73d885364..a3d039a575 100644
--- a/main/mupdf/shared-lib.patch
+++ b/main/mupdf/shared-lib.patch
@@ -1,14 +1,15 @@
---- mupdf-1.11-source/Makefile.orig
-+++ mupdf-1.11-source/Makefile
-@@ -15,6 +15,7 @@
+--- mupdf-1.12.0-source/Makefile.orig
+@@ -14,7 +14,7 @@
+ # Do not specify CFLAGS or LIBS on the make invocation line - specify
  # XCFLAGS or XLIBS instead. Make ignores any lines in the makefile that
  # set a variable that was set on the command line.
- CFLAGS += $(XCFLAGS) -Iinclude -Igenerated
-+CFLAGS += -fPIC
+-CFLAGS += $(XCFLAGS) -Iinclude
++CFLAGS += $(XCFLAGS) -Iinclude -fPIC
  LIBS += $(XLIBS) -lm
  
  LIBS += $(FREETYPE_LIBS)
-@@ -73,6 +74,7 @@
+@@ -75,6 +75,7 @@
  CXX_CMD = $(QUIET_CXX) $(CXX) $(CFLAGS) -o $@ -c $<
  AR_CMD = $(QUIET_AR) $(AR) cr $@ $^
  LINK_CMD = $(QUIET_LINK) $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
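Review bot: The rebased hunk now rewrites upstream's own `CFLAGS += $(XCFLAGS) -Iinclude` line (`-CFLAGS += $(XCFLAGS) -Iinclude` / `+CFLAGS += $(XCFLAGS) -Iinclude -fPIC`) instead of appending a separate `+CFLAGS += -fPIC` line as the 1.11 version of this patch did, so the next upstream edit to that CFLAGS line will again make the hunk fail to apply. Keeping the one-line addition with upstream's line as unchanged context gives the same build result, since `-fPIC` is the only intended change, and reduces rebase churn. Because default_prepare applies the patch during the build, a stale hunk fails loudly rather than silently, so this is a maintenance point only.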
@@ -16,7 +17,7 @@
  MKDIR_CMD = $(QUIET_MKDIR) mkdir -p $@
  RM_CMD = $(QUIET_RM) rm -f $@
  TAGS_CMD = $(QUIET_TAGS) ctags $^
-@@ -88,6 +90,9 @@
+@@ -90,6 +91,9 @@
  	$(AR_CMD)
  	$(RANLIB_CMD)
  
@@ -26,7 +27,7 @@
  $(OUT)/%.exe: $(OUT)/%.o | $(ALL_DIR)
  	$(LINK_CMD)
  
-@@ -300,8 +305,8 @@
+@@ -312,8 +316,8 @@
  
  # --- Library ---
  
@@ -36,4 +37,4 @@
 +THIRD_LIB = $(OUT)/libmupdfthird.so.0
  THREAD_LIB = $(OUT)/libmuthreads.a
  
- MUPDF_OBJ := $(FITZ_OBJ) $(FONT_OBJ) $(PDF_OBJ) $(XPS_OBJ) $(SVG_OBJ) $(CBZ_OBJ) $(HTML_OBJ) $(GPRF_OBJ)
+ MUPDF_OBJ := \
-- 
2.15.0




[alpine-aports] [PATCH 3.7-stable/edge] main/xen: security fixes for (XSA-248, XSA-249, XSA-250, XSA-251)

Daniel Sabogal
Message ID
<20171215223855.3700-2-dsabogalcc@gmail.com>
In-Reply-To
<20171215223855.3700-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1513377535
DKIM signature
missing
Patch: +308 -1
---
 main/xen/APKBUILD     |  15 ++++-
 main/xen/xsa248.patch | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++
 main/xen/xsa249.patch |  42 +++++++++++++
 main/xen/xsa250.patch |  67 +++++++++++++++++++++
 main/xen/xsa251.patch |  21 +++++++
 5 files changed, 308 insertions(+), 1 deletion(-)
 create mode 100644 main/xen/xsa248.patch
 create mode 100644 main/xen/xsa249.patch
 create mode 100644 main/xen/xsa250.patch
 create mode 100644 main/xen/xsa251.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index bb02b2bee9..067f1b3648 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.9.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf aarch64"
@@ -101,6 +101,11 @@ options="!strip"
 #   4.9.1-r1:
 #     - XSA-246
 #     - XSA-247
+#   4.9.1-r2:
+#     - XSA-248
+#     - XSA-249
+#     - XSA-250
+#     - XSA-251
 
 case "$CARCH" in
 x86*)
@@ -151,6 +156,10 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
 	xsa246-4.9.patch
 	xsa247-4.9-1.patch
 	xsa247-4.9-2.patch
+	xsa248.patch
+	xsa249.patch
+	xsa250.patch
+	xsa251.patch
 
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
@@ -413,6 +422,10 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
 b00f42d2069f273e204698177d2c36950cee759a92dfe7833c812ddff4dedde2c4a842980927ec4fc46d1f54b49879bf3a3681c6faf30b72fb3ad6a7eba060b2  xsa246-4.9.patch
 c5e064543048751fda86ce64587493518da87d219ff077abb83ac13d8381ceb29f1b6479fc0b761b8f7a04c8c70203791ac4a8cc79bbc6f4dcfa6661c4790c5e  xsa247-4.9-1.patch
 71aefbe27cbd1d1d363b7d5826c69a238e4aad2958a1c6da330ae5daee791f54ce1d01fb79db84ed4248ab8b1593c9c28c3de5108f4d0953b04f7819af23a1d1  xsa247-4.9-2.patch
+6415689190b8f4ead7a3482a2285485af4acd4f3565521736f8fe975c74c7c70b27608e0142a7165b4f735b547b688db99a6027697e77b3e1d15c09e14b4f0a6  xsa248.patch
+05a2e954bab1877500eb5ed3a8c49edb27411ed3ec9dbfb2115b7804a3b03c6d45c9f08a7ed96ff2b586346f321142065a8c5a5d996468496b373637b6ee31b9  xsa249.patch
+b3030f09ddb4f9e4a356519c7b74d393e8db085278a1e616788c81d19988699a6efdd8568277c25514f3298ca92e5a09e3cd08b0a308a4d2ddb55374a8445657  xsa250.patch
+928153b48af2bd6b334058c5919880cfc7d665c63e0232932866941cbea6deb8d0d83f70dff0974d3df27fc84096beca51139a0b1c0585978f298256b3fd82eb  xsa251.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa248.patch b/main/xen/xsa248.patch
new file mode 100644
index 0000000000..966c16e043
--- /dev/null
+++ b/main/xen/xsa248.patch
@@ -0,0 +1,164 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/mm: don't wrongly set page ownership
+
+PV domains can obtain mappings of any pages owned by the correct domain,
+including ones that aren't actually assigned as "normal" RAM, but used
+by Xen internally.  At the moment such "internal" pages marked as owned
+by a guest include pages used to track logdirty bits, as well as p2m
+pages and the "unpaged pagetable" for HVM guests. Since the PV memory
+management and shadow code conflict in their use of struct page_info
+fields, and since shadow code is being used for log-dirty handling for
+PV domains, pages coming from the shadow pool must, for PV domains, not
+have the domain set as their owner.
+
+While the change could be done conditionally for just the PV case in
+shadow code, do it unconditionally (and for consistency also for HAP),
+just to be on the safe side.
+
+There's one special case though for shadow code: The page table used for
+running a HVM guest in unpaged mode is subject to get_page() (in
+set_shadow_status()) and hence must have its owner set.
+
+This is XSA-248.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+Reviewed-by: George Dunlap <george.dunlap@citrix.com>
+---
+v2: Drop PGC_page_table related pieces.
+
+--- a/xen/arch/x86/mm/hap/hap.c
+@@ -286,8 +286,7 @@ static struct page_info *hap_alloc_p2m_p
+     {
+         d->arch.paging.hap.total_pages--;
+         d->arch.paging.hap.p2m_pages++;
+-        page_set_owner(pg, d);
+-        pg->count_info |= 1;
++        ASSERT(!page_get_owner(pg) && !(pg->count_info & PGC_count_mask));
+     }
+     else if ( !d->arch.paging.p2m_alloc_failed )
+     {
+@@ -302,21 +301,23 @@ static struct page_info *hap_alloc_p2m_p
+ 
+ static void hap_free_p2m_page(struct domain *d, struct page_info *pg)
+ {
++    struct domain *owner = page_get_owner(pg);
++
+     /* This is called both from the p2m code (which never holds the 
+      * paging lock) and the log-dirty code (which always does). */
+     paging_lock_recursive(d);
+ 
+-    ASSERT(page_get_owner(pg) == d);
+-    /* Should have just the one ref we gave it in alloc_p2m_page() */
+-    if ( (pg->count_info & PGC_count_mask) != 1 ) {
+-        HAP_ERROR("Odd p2m page %p count c=%#lx t=%"PRtype_info"\n",
+-                     pg, pg->count_info, pg->u.inuse.type_info);
++    /* Should still have no owner and count zero. */
++    if ( owner || (pg->count_info & PGC_count_mask) )
++    {
++        HAP_ERROR("d%d: Odd p2m page %"PRI_mfn" d=%d c=%lx t=%"PRtype_info"\n",
++                  d->domain_id, mfn_x(page_to_mfn(pg)),
++                  owner ? owner->domain_id : DOMID_INVALID,
++                  pg->count_info, pg->u.inuse.type_info);
+         WARN();
++        pg->count_info &= ~PGC_count_mask;
++        page_set_owner(pg, NULL);
+     }
+-    pg->count_info &= ~PGC_count_mask;
+-    /* Free should not decrement domain's total allocation, since
+-     * these pages were allocated without an owner. */
+-    page_set_owner(pg, NULL);
+     d->arch.paging.hap.p2m_pages--;
+     d->arch.paging.hap.total_pages++;
+     hap_free(d, page_to_mfn(pg));
+--- a/xen/arch/x86/mm/shadow/common.c
+@@ -1503,32 +1503,29 @@ shadow_alloc_p2m_page(struct domain *d)
+     pg = mfn_to_page(shadow_alloc(d, SH_type_p2m_table, 0));
+     d->arch.paging.shadow.p2m_pages++;
+     d->arch.paging.shadow.total_pages--;
++    ASSERT(!page_get_owner(pg) && !(pg->count_info & PGC_count_mask));
+ 
+     paging_unlock(d);
+ 
+-    /* Unlike shadow pages, mark p2m pages as owned by the domain.
+-     * Marking the domain as the owner would normally allow the guest to
+-     * create mappings of these pages, but these p2m pages will never be
+-     * in the domain's guest-physical address space, and so that is not
+-     * believed to be a concern. */
+-    page_set_owner(pg, d);
+-    pg->count_info |= 1;
+     return pg;
+ }
+ 
+ static void
+ shadow_free_p2m_page(struct domain *d, struct page_info *pg)
+ {
+-    ASSERT(page_get_owner(pg) == d);
+-    /* Should have just the one ref we gave it in alloc_p2m_page() */
+-    if ( (pg->count_info & PGC_count_mask) != 1 )
++    struct domain *owner = page_get_owner(pg);
++
++    /* Should still have no owner and count zero. */
++    if ( owner || (pg->count_info & PGC_count_mask) )
+     {
+-        SHADOW_ERROR("Odd p2m page count c=%#lx t=%"PRtype_info"\n",
++        SHADOW_ERROR("d%d: Odd p2m page %"PRI_mfn" d=%d c=%lx t=%"PRtype_info"\n",
++                     d->domain_id, mfn_x(page_to_mfn(pg)),
++                     owner ? owner->domain_id : DOMID_INVALID,
+                      pg->count_info, pg->u.inuse.type_info);
++        pg->count_info &= ~PGC_count_mask;
++        page_set_owner(pg, NULL);
+     }
+-    pg->count_info &= ~PGC_count_mask;
+     pg->u.sh.type = SH_type_p2m_table; /* p2m code reuses type-info */
+-    page_set_owner(pg, NULL);
+ 
+     /* This is called both from the p2m code (which never holds the
+      * paging lock) and the log-dirty code (which always does). */
+@@ -3132,7 +3129,9 @@ int shadow_enable(struct domain *d, u32
+         e = __map_domain_page(pg);
+         write_32bit_pse_identmap(e);
+         unmap_domain_page(e);
++        pg->count_info = 1;
+         pg->u.inuse.type_info = PGT_l2_page_table | 1 | PGT_validated;
++        page_set_owner(pg, d);
+     }
+ 
+     paging_lock(d);
+@@ -3170,7 +3169,11 @@ int shadow_enable(struct domain *d, u32
+     if ( rv != 0 && !pagetable_is_null(p2m_get_pagetable(p2m)) )
+         p2m_teardown(p2m);
+     if ( rv != 0 && pg != NULL )
++    {
++        pg->count_info &= ~PGC_count_mask;
++        page_set_owner(pg, NULL);
+         shadow_free_p2m_page(d, pg);
++    }
+     domain_unpause(d);
+     return rv;
+ }
+@@ -3279,7 +3282,22 @@ out:
+ 
+     /* Must be called outside the lock */
+     if ( unpaged_pagetable )
++    {
++        if ( page_get_owner(unpaged_pagetable) == d &&
++             (unpaged_pagetable->count_info & PGC_count_mask) == 1 )
++        {
++            unpaged_pagetable->count_info &= ~PGC_count_mask;
++            page_set_owner(unpaged_pagetable, NULL);
++        }
++        /* Complain here in cases where shadow_free_p2m_page() won't. */
++        else if ( !page_get_owner(unpaged_pagetable) &&
++                  !(unpaged_pagetable->count_info & PGC_count_mask) )
++            SHADOW_ERROR("d%d: Odd unpaged pt %"PRI_mfn" c=%lx t=%"PRtype_info"\n",
++                         d->domain_id, mfn_x(page_to_mfn(unpaged_pagetable)),
++                         unpaged_pagetable->count_info,
++                         unpaged_pagetable->u.inuse.type_info);
+         shadow_free_p2m_page(d, unpaged_pagetable);
++    }
+ }
+ 
+ void shadow_final_teardown(struct domain *d)
diff --git a/main/xen/xsa249.patch b/main/xen/xsa249.patch
new file mode 100644
index 0000000000..ecfa4305e5
--- /dev/null
+++ b/main/xen/xsa249.patch
@@ -0,0 +1,42 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/shadow: fix refcount overflow check
+
+Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track
+the first page") reduced the refcount width to 25, without adjusting the
+overflow check. Eliminate the disconnect by using a manifest constant.
+
+Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS
+snapshot") the refcount was 27 bits wide, yet the check was already
+using 26.
+
+This is XSA-249.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: George Dunlap <george.dunlap@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+---
+v2: Simplify expression back to the style it was.
+
+--- a/xen/arch/x86/mm/shadow/private.h
+@@ -529,7 +529,7 @@ static inline int sh_get_ref(struct doma
+     x = sp->u.sh.count;
+     nx = x + 1;
+ 
+-    if ( unlikely(nx >= 1U<<26) )
++    if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) )
+     {
+         SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n",
+                        __backpointer(sp), mfn_x(smfn));
+--- a/xen/include/asm-x86/mm.h
+@@ -82,7 +82,8 @@ struct page_info
+             unsigned long type:5;   /* What kind of shadow is this? */
+             unsigned long pinned:1; /* Is the shadow pinned? */
+             unsigned long head:1;   /* Is this the first page of the shadow? */
+-            unsigned long count:25; /* Reference count */
++#define PAGE_SH_REFCOUNT_WIDTH 25
++            unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */
+         } sh;
+ 
+         /* Page is on a free list: ((count_info & PGC_count_mask) == 0). */
diff --git a/main/xen/xsa250.patch b/main/xen/xsa250.patch
new file mode 100644
index 0000000000..26aeb33fed
--- /dev/null
+++ b/main/xen/xsa250.patch
@@ -0,0 +1,67 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/shadow: fix ref-counting error handling
+
+The old-Linux handling in shadow_set_l4e() mistakenly ORed together the
+results of sh_get_ref() and sh_pin(). As the latter failing is not a
+correctness problem, simply ignore its return value.
+
+In sh_set_toplevel_shadow() a failing sh_get_ref() must not be
+accompanied by installing the entry, despite the domain being crashed.
+
+This is XSA-250.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/shadow/multi.c
+@@ -923,7 +923,7 @@ static int shadow_set_l4e(struct domain
+                           shadow_l4e_t new_sl4e,
+                           mfn_t sl4mfn)
+ {
+-    int flags = 0, ok;
++    int flags = 0;
+     shadow_l4e_t old_sl4e;
+     paddr_t paddr;
+     ASSERT(sl4e != NULL);
+@@ -938,15 +938,16 @@ static int shadow_set_l4e(struct domain
+     {
+         /* About to install a new reference */
+         mfn_t sl3mfn = shadow_l4e_get_mfn(new_sl4e);
+-        ok = sh_get_ref(d, sl3mfn, paddr);
+-        /* Are we pinning l3 shadows to handle wierd linux behaviour? */
+-        if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) )
+-            ok |= sh_pin(d, sl3mfn);
+-        if ( !ok )
++
++        if ( !sh_get_ref(d, sl3mfn, paddr) )
+         {
+             domain_crash(d);
+             return SHADOW_SET_ERROR;
+         }
++
++        /* Are we pinning l3 shadows to handle weird Linux behaviour? */
++        if ( sh_type_is_pinnable(d, SH_type_l3_64_shadow) )
++            sh_pin(d, sl3mfn);
+     }
+ 
+     /* Write the new entry */
+@@ -3965,14 +3966,15 @@ sh_set_toplevel_shadow(struct vcpu *v,
+ 
+     /* Take a ref to this page: it will be released in sh_detach_old_tables()
+      * or the next call to set_toplevel_shadow() */
+-    if ( !sh_get_ref(d, smfn, 0) )
++    if ( sh_get_ref(d, smfn, 0) )
++        new_entry = pagetable_from_mfn(smfn);
++    else
+     {
+         SHADOW_ERROR("can't install %#lx as toplevel shadow\n", mfn_x(smfn));
+         domain_crash(d);
++        new_entry = pagetable_null();
+     }
+ 
+-    new_entry = pagetable_from_mfn(smfn);
+-
+  install_new_entry:
+     /* Done.  Install it */
+     SHADOW_PRINTK("%u/%u [%u] gmfn %#"PRI_mfn" smfn %#"PRI_mfn"\n",
diff --git a/main/xen/xsa251.patch b/main/xen/xsa251.patch
new file mode 100644
index 0000000000..582ef622eb
--- /dev/null
+++ b/main/xen/xsa251.patch
@@ -0,0 +1,21 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY
+
+PV guests can fully control the values written into the P2M.
+
+This is XSA-251.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/mm/paging.c
+@@ -274,7 +274,7 @@ void paging_mark_pfn_dirty(struct domain
+         return;
+ 
+     /* Shared MFNs should NEVER be marked dirty */
+-    BUG_ON(SHARED_M2P(pfn_x(pfn)));
++    BUG_ON(paging_mode_translate(d) && SHARED_M2P(pfn_x(pfn)));
+ 
+     /*
+      * Values with the MSB set denote MFNs that aren't really part of the
-- 
2.15.0


