Sergey Lukin: 1 main/xen: security upgrade to 4.5.5 - fixes #6573 50 files changed, 156 insertions(+), 3638 deletions(-)
Removed patches that are already applied in xen-4.5.5 https://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-455.html New fixes: CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts http://xenbits.xen.org/xsa/advisory-202.html CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation http://xenbits.xen.org/xsa/advisory-204.html --- ...copy-of-every-xs-backend-in-libxl-in-_gen.patch | 98 --------- ...ord-backend-frontend-paths-in-libxl-DOMID.patch | 195 ---------------- ...not-trust-backend-in-libxl__device_exists.patch | 32 --- ...xl-Provide-libxl__backendpath_parse_domid.patch | 62 ------ ...t-trust-backend-for-vtpm-in-getinfo-excep.patch | 55 ----- ...t-trust-frontend-in-libxl__devices_destro.patch | 77 ------- ...ot-trust-backend-for-vtpm-in-getinfo-uuid.patch | 46 ---- ...ot-trust-frontend-in-libxl__device_nextid.patch | 43 ---- ...o-not-trust-frontend-for-disk-eject-event.patch | 104 --------- ...bxl-cdrom-eject-and-insert-write-to-libxl.patch | 73 ------ ...-Do-not-trust-backend-for-disk-eject-vdev.patch | 67 ------ ...Do-not-trust-frontend-for-disk-in-getinfo.patch | 79 ------- ...t-trust-backend-for-disk-fix-driver-domai.patch | 245 --------------------- ...libxl-Do-not-trust-frontend-for-vtpm-list.patch | 67 ------ ...-Do-not-trust-backend-for-disk-in-getinfo.patch | 35 --- ...Do-not-trust-frontend-for-vtpm-in-getinfo.patch | 61 ----- ...bxl-Do-not-trust-backend-for-cdrom-insert.patch | 94 -------- ...t-trust-frontend-for-nic-in-libxl_devid_t.patch | 47 ---- ...-not-trust-backend-for-channel-in-getinfo.patch | 38 ---- ...-Do-not-trust-frontend-for-nic-in-getinfo.patch | 73 ------ ...Do-not-trust-frontend-for-channel-in-list.patch | 104 --------- ...e-libxl__device_-nic-channel-_from_xs_be-.patch | 87 -------- ...not-trust-frontend-for-channel-in-getinfo.patch | 121 ---------- ...ibxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch | 101 --------- ...READ_LIBXLDEV-use-libxl_path-rather-than-.patch | 62 ------ 
...libxl-Do-not-trust-backend-in-nic-getinfo.patch | 33 --- ...t-trust-backend-for-nic-in-devid_to_devic.patch | 48 ---- ...ibxl-Do-not-trust-backend-for-nic-in-list.patch | 80 ------- ...ibxl-Do-not-trust-backend-in-channel-list.patch | 58 ----- ...-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch | 48 ---- ...up-use-libxl__backendpath_parse_domid-in-.patch | 38 ---- .../xen/0020-libxl-Document-serial-correctly.patch | 38 ---- main/xen/APKBUILD | 209 ++---------------- main/xen/gnutls-3.4.0.patch | 36 --- main/xen/xsa169.patch | 33 --- main/xen/xsa172.patch | 39 ---- main/xen/xsa173-4.5.patch | 244 -------------------- main/xen/xsa176.patch | 45 ---- main/xen/xsa181.patch | 38 ---- main/xen/xsa182-4.5.patch | 102 --------- main/xen/xsa183-4.6.patch | 75 ------- main/xen/xsa184-qemut-master.patch | 43 ---- main/xen/xsa184-qemuu-master.patch | 43 ---- main/xen/xsa185.patch | 38 ---- ...-Correct-boundary-interactions-of-emulate.patch | 73 ------ ...llow-testing-of-instructions-crossing-the.patch | 41 ---- ...nt-Bounds-check-accesses-to-emulation-ctx.patch | 142 ------------ ...-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch | 42 ---- main/xen/xsa202-4.6.patch | 73 ++++++ main/xen/xsa204-4.5.patch | 69 ++++++ 50 files changed, 156 insertions(+), 3638 deletions(-) delete mode 100644 main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch delete mode 100644 main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch delete mode 100644 main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch delete mode 100644 main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch delete mode 100644 main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch delete mode 100644 main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch delete mode 100644 main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch delete mode 100644 
main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch delete mode 100644 main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch delete mode 100644 main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch delete mode 100644 main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch delete mode 100644 main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch delete mode 100644 main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch delete mode 100644 main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch delete mode 100644 main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch delete mode 100644 main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch delete mode 100644 main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch delete mode 100644 main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch delete mode 100644 main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch delete mode 100644 main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch delete mode 100644 main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch delete mode 100644 main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch delete mode 100644 main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch delete mode 100644 main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch delete mode 100644 main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch delete mode 100644 main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch delete mode 100644 main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch delete mode 100644 main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch delete mode 100644 main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch delete mode 100644 main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch delete mode 100644 
main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch delete mode 100644 main/xen/0020-libxl-Document-serial-correctly.patch delete mode 100644 main/xen/gnutls-3.4.0.patch delete mode 100644 main/xen/xsa169.patch delete mode 100644 main/xen/xsa172.patch delete mode 100644 main/xen/xsa173-4.5.patch delete mode 100644 main/xen/xsa176.patch delete mode 100644 main/xen/xsa181.patch delete mode 100644 main/xen/xsa182-4.5.patch delete mode 100644 main/xen/xsa183-4.6.patch delete mode 100644 main/xen/xsa184-qemut-master.patch delete mode 100644 main/xen/xsa184-qemuu-master.patch delete mode 100644 main/xen/xsa185.patch delete mode 100644 main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch delete mode 100644 main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch delete mode 100644 main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch delete mode 100644 main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch create mode 100644 main/xen/xsa202-4.6.patch create mode 100644 main/xen/xsa204-4.5.patch diff --git a/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch b/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch deleted file mode 100644 index c7e26bc..0000000 --- a/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch 
@@ -1,98 +0,0 @@
-From 27874bcfe5a2778d3441d86ed5e2ff1adc4baa35 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:19:28 +0100
-Subject: [PATCH 01/20] libxl: Make copy of every xs backend in /libxl in
- _generic_add
-
-We want to stop libxl trustingly reading information from the backend
-directory (since this is, of course, writeable by the backend, which
-might be a semi-trusted driver domain).
-
-In principle it is wrong in current libxl for anything to try to
-divine virtual device configuration from xenstore: the JSON domain
-config ought to supply that, and xenstore should only tell us which
-devices actually exist.
-
-However:
-
-Firstly, there are several existing places where configuration
-information is retrieved from xenstore rather than JSON. We do not
-want to reen gineer this in a security patch.
-
-Secondly, we want to make a security patch which can be backported to
-versions of libxl without the JSON configuration machinery.
-
-So we take the expedient approach of keeping a copy of the
-configuration somewhere we trust, namely /libxl. This is obviously
-fairly low-risk, although it does write significantly more keys in
-xenstore.
-
-In this patch we make this change in libxl__device_generic_add. This
-is responsible for actually writing the vast majority of device
-information to xenstore. There are a few loose ends which will be
-dealt with in a moment.
-
-Likewise, changes to readers to use the new location will appear in
-further patches.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- docs/misc/xenstore-paths.markdown | 4 ++++
- tools/libxl/libxl_device.c | 23 +++++++++++++++++++++++
- 2 files changed, 27 insertions(+)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index 276273d..8c686ec 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-@@ -404,6 +404,10 @@ Path in xenstore to the frontend, normally
- Path in xenstore to the backend, normally
- /local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID
-
-+#### /libxl/$DOMID/device/$KIND/$DEVID/$NODE
-+
-+Trustworthy copy of /local/domain/$DOMID/backend/$KIND/$DEVID/$NODE.
-+
- #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = [n,INTERNAL]
-
- The device model version for a domain.
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 38ab393..ede7342 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -185,6 +185,29 @@ retry_transaction:
- xs_write(ctx->xsh, t, GCSPRINTF("%s/frontend", backend_path),
- frontend_path, strlen(frontend_path));
- libxl__xs_writev(gc, t, backend_path, bents);
-+
-+ /*
-+ * We make a copy of everything for the backend in the libxl
-+ * path as well. This means we don't need to trust the
-+ * backend. Ideally this information would not be used and we
-+ * would use the information from the json configuration
-+ * instead. But there are still places in libxl that try to
-+ * reconstruct a config from xenstore.
-+ *
-+ * This duplication will typically produces duplicate keys
-+ * which will go out of date, but that's OK because nothing
-+ * reads those. For example, there is usually
-+ * /libxl/$guest/device/$kind/$devid/state
-+ * which starts out containing XenbusStateInitialising ("1")
-+ * just like the copy in
-+ * /local/domain/$driverdom/backend/$guest/$kind/$devid/state
-+ * but which won't ever be updated.
-+ *
-+ * This duplication is superfluous and messy but as discussed
-+ * the proper fix is more intrusive than we want to do now.
-+ */
-+ rc = libxl__xs_writev(gc, t, libxl_path, bents);
-+ if (rc) goto out;
- }
-
- if (!create_transaction)
---
-1.9.1
-
diff --git a/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch b/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
deleted file mode 100644
index 56a8f6c..0000000
--- a/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
@@ -1,195 +0,0 @@
-From 3a4091efe0b4bcae46371491d74c15bba6f93275 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Mon, 16 May 2016 14:56:57 +0100
-Subject: [PATCH 01/12] libxl: Record backend/frontend paths in /libxl/$DOMID
-
-This gives us a record of all the backends we have set up for a
-domain, which is separate from the frontends in
- /local/domain/$DOMID/device.
-
-In particular:
-
-1. A guest has write permission for the frontend path:
- /local/domain/$DOMID/device/$KIND/$DEVID
-which means that the guest can completely delete the frontend.
-(They can't recreate it because they don't have write permission
-on the containing directory.)
-
-2. A guest has write permission for the backend path recorded in the
-frontend, ie, it can write to
- /local/domain/$DOMID/device/$KIND/$DEVID/backend
-which means that the guest can break the association between
-frontend and backend.
-
-So we can't rely on iterating over the frontends to find all the
-backends, or examining a frontend to discover how a device is
-configured.
-
-So, have libxl__device_generic_add record the frontend and backend
-paths in /libxl/$DOMID/device, and have libxl__device_destroy remove
-them again.
-
-Create the containing directory /libxl/GUEST/device in
-libxl__domain_make. The already existing xs_rm in devices_destroy_cb
-will take care of removing it.
-
-This is part of XSA-175.
-
-Backport note: Backported over 7472ced, which fixes a bug in driver
-domain teardown.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
-v2: Correct actual path computation (!)
-v3: Correct actual path computation - really this time (!)
----
- docs/misc/xenstore-paths.markdown | 15 +++++++++++++++
- tools/libxl/libxl_create.c | 2 ++
- tools/libxl/libxl_device.c | 34 +++++++++++++++++++++++++++++++++-
- tools/libxl/libxl_internal.h | 1 +
- 4 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index d94ea9d..276273d 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-@@ -389,6 +389,21 @@ The guest's virtual time offset from UTC in seconds.
-
- ### libxl Specific Paths
-
-+#### /libxl/$DOMID/device/$KIND/$DEVID
-+
-+Created by libxl for every frontend/backend pair created for $DOMID.
-+Used by libxl for enumeration and management of the device.
-+
-+#### /libxl/$DOMID/device/$KIND/$DEVID/frontend
-+
-+Path in xenstore to the frontend, normally
-+/local/domain/$DOMID/device/$KIND/$DEVID
-+
-+#### /libxl/$DOMID/device/$KIND/$DEVID/backend
-+
-+Path in xenstore to the backend, normally
-+/local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID
-+
- #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = [n,INTERNAL]
-
- The device model version for a domain.
-diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
-index 152fdbc..a4d4d4c 100644
---- a/tools/libxl/libxl_create.c
-+++ b/tools/libxl/libxl_create.c
-@@ -586,6 +586,8 @@ retry_transaction:
-
- xs_rm(ctx->xsh, t, libxl_path);
- libxl__xs_mkdir(gc, t, libxl_path, noperm, ARRAY_SIZE(noperm));
-+ libxl__xs_mkdir(gc, t, GCSPRINTF("%s/device", libxl_path),
-+ noperm, ARRAY_SIZE(noperm));
-
- xs_write(ctx->xsh, t, libxl__sprintf(gc, "%s/vm", dom_path), vm_path, strlen(vm_path));
- rc = libxl__domain_rename(gc, *domid, 0, info->name, t);
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 4b51ded..a8b97a3 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -40,6 +40,15 @@ char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device)
- device->domid, device->devid);
- }
-
-+char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device)
-+{
-+ char *libxl_dom_path = libxl__xs_libxl_path(gc, device->domid);
-+
-+ return GCSPRINTF("%s/device/%s/%d", libxl_dom_path,
-+ libxl__device_kind_to_string(device->kind),
-+ device->devid);
-+}
-+
- /* Returns 1 if device exists, 0 if not, ERROR_* (<0) on error. */
- int libxl__device_exists(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device)
-@@ -105,14 +114,16 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device, char **bents, char **fents, char **ro_fents)
- {
- libxl_ctx *ctx = libxl__gc_owner(gc);
-- char *frontend_path, *backend_path;
-+ char *frontend_path, *backend_path, *libxl_path;
- struct xs_permissions frontend_perms[2];
- struct xs_permissions ro_frontend_perms[2];
- struct xs_permissions backend_perms[2];
- int create_transaction = t == XBT_NULL;
-+ int rc;
-
- frontend_path = libxl__device_frontend_path(gc, device);
- backend_path = libxl__device_backend_path(gc, device);
-+ libxl_path = libxl__device_libxl_path(gc, device);
-
- frontend_perms[0].id = device->domid;
- frontend_perms[0].perms = XS_PERM_NONE;
-@@ -127,8 +138,22 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- retry_transaction:
- if (create_transaction)
- t = xs_transaction_start(ctx->xsh);
-+
- /* FIXME: read frontend_path and check state before removing stuff */
-
-+ rc = libxl__xs_rm_checked(gc, t, libxl_path);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/frontend",libxl_path),
-+ frontend_path);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/backend",libxl_path),
-+ backend_path);
-+ if (rc) goto out;
-+
-+ /* xxx much of this function lacks error checks! */
-+
- if (fents || ro_fents) {
- xs_rm(ctx->xsh, t, frontend_path);
- xs_mkdir(ctx->xsh, t, frontend_path);
-@@ -174,6 +199,11 @@ retry_transaction:
- }
- }
- return 0;
-+
-+ out:
-+ if (create_transaction && t)
-+ libxl__xs_transaction_abort(gc, &t);
-+ return rc;
- }
-
- typedef struct {
-@@ -570,6 +600,7 @@ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
- {
- const char *be_path = libxl__device_backend_path(gc, dev);
- const char *fe_path = libxl__device_frontend_path(gc, dev);
-+ const char *libxl_path = libxl__device_libxl_path(gc, dev);
- const char *tapdisk_path = GCSPRINTF("%s/%s", be_path, "tapdisk-params");
- const char *tapdisk_params;
- xs_transaction_t t = 0;
-@@ -594,6 +625,7 @@ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
- */
- libxl__xs_path_cleanup(gc, t, fe_path);
- libxl__xs_path_cleanup(gc, t, be_path);
-+ libxl__xs_path_cleanup(gc, t, libxl_path);
- } else if (dev->backend_domid == domid) {
- /*
- * The driver domain is in charge for removing what it can
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index ff88f3d..55b19d9 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-@@ -1061,6 +1061,7 @@ _hidden int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device, char **bents, char **fents, char **ro_fents);
- _hidden char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device);
- _hidden char *libxl__device_frontend_path(libxl__gc *gc, libxl__device *device);
-+_hidden char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device);
- _hidden int libxl__parse_backend_path(libxl__gc *gc, const char *path,
- libxl__device *dev);
- _hidden int libxl__device_destroy(libxl__gc *gc, libxl__device *dev);
---
-2.1.4
-
diff --git a/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch b/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
deleted file mode 100644
index 0a53f7e..0000000
--- a/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
@@ -1,32 +0,0 @@
-From 840a49ab13e3f07898831635ee5046d0f6098be9 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:04:35 +0100
-Subject: [PATCH 02/20] libxl: Do not trust backend in libxl__device_exists
-
-To determine whether a device is supposed to exist, look in /libxl,
-rather than the backend.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl_device.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index ede7342..9d65a7e 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -54,7 +54,7 @@ int libxl__device_exists(libxl__gc *gc, xs_transaction_t t,
- libxl__device *device)
- {
- int rc;
-- char *be_path = libxl__device_backend_path(gc, device);
-+ char *be_path = libxl__device_libxl_path(gc, device);
- const char *dir;
-
- rc = libxl__xs_read_checked(gc, t, be_path, &dir);
---
-1.9.1
-
diff --git a/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch b/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
deleted file mode 100644
index b0b7896..0000000
--- a/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
@@ -1,62 +0,0 @@
-From c689a6c9471761b59e6d08dee1667834e0b7fc34 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 27 Apr 2016 16:34:19 +0100
-Subject: [PATCH 02/12] libxl: Provide libxl__backendpath_parse_domid
-
-Multiple places in libxl need to figure out the backend domid of a
-device. This can be discovered easily by looking at the backend path,
-which always starts /local/domain/$backend_domid/.
-
-There are no call sites yet.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl_device.c | 15 +++++++++++++++
- tools/libxl/libxl_internal.h | 2 ++
- 2 files changed, 17 insertions(+)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index a8b97a3..9136b26 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -288,6 +288,21 @@ static int disk_try_backend(disk_try_backend_args *a,
- return 0;
- }
-
-+int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path,
-+ libxl_domid *domid_out) {
-+ int r;
-+ unsigned int domid_sc;
-+ char delim_sc;
-+
-+ r = sscanf(be_path, "/local/domain/%u%c", &domid_sc, &delim_sc);
-+ if (!(r==2 && delim_sc=='/')) {
-+ LOG(ERROR, "internal error: backend path %s unparseable!", be_path);
-+ return ERROR_FAIL;
-+ }
-+ *domid_out = domid_sc;
-+ return 0;
-+}
-+
- int libxl__device_disk_set_backend(libxl__gc *gc, libxl_device_disk *disk) {
- libxl_disk_backend ok;
- disk_try_backend_args a;
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index 55b19d9..bfe06bd 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-@@ -594,6 +594,8 @@ _hidden bool libxl__xs_mkdir(libxl__gc *gc, xs_transaction_t t,
-
- _hidden char *libxl__xs_libxl_path(libxl__gc *gc, uint32_t domid);
-
-+_hidden int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path,
-+ libxl_domid *domid_out);
-
- /*----- "checked" xenstore access functions -----*/
- /* Each of these functions will check that it succeeded; if it
---
-2.1.4
-
diff --git a/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch b/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
deleted file mode 100644
index 501af92..0000000
--- a/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
@@ -1,55 +0,0 @@
-From eaf75a339a514007b60406eb3382ea23a9440663 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 17:18:44 +0100
-Subject: [PATCH 03/20] libxl: Do not trust backend for vtpm in getinfo (except
- uuid)
-
-* Do not check the backend for existence. We have already read the
- /libxl path so know that the vtpm exists (or is supposed to); if the
- backend doesn't exist then that must be the backend's doing.
-* Get the frontend path from the /libxl directory.
-* The frontend domid is the guest domid, and does not need to be read
- from xenstore (!)
-
-We still attempt to read the uuid from the backend. This will be
-fixed in the next patch.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 2dd2467..1c241ce 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2238,9 +2238,6 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- if (!vtpminfo->backend) {
- goto err;
- }
-- if(!libxl__xs_read(gc, XBT_NULL, vtpminfo->backend)) {
-- goto err;
-- }
-
- rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
- &vtpminfo->backend_id);
-@@ -2259,11 +2256,8 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- vtpminfo->rref = val ? strtoul(val, NULL, 10) : -1;
-
- vtpminfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- GCSPRINTF("%s/frontend", vtpminfo->backend), NULL);
--
-- val = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/frontend-id", vtpminfo->backend));
-- vtpminfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ GCSPRINTF("%s/frontend", libxl_path), NULL);
-+ vtpminfo->frontend_id = domid;
-
- val = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/uuid", vtpminfo->backend));
---
-1.9.1
-
diff --git a/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch b/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
deleted file mode 100644
index a21a853..0000000
--- a/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
@@ -1,77 +0,0 @@
-From 924ac76cba810c3c8d594f78f96fbf7c792c3f54 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 18:39:36 +0100
-Subject: [PATCH 03/12] libxl: Do not trust frontend in libxl__devices_destroy
-
-We need to enumerate the devices we have provided to a domain, without
-trusting the guest-writeable (or, at least, guest-deletable) frontend
-paths.
-
-Instead, enumerate via, and read the backend path from, /libxl.
-
-The console /libxl path is regular, so the special case for console 0
-is not relevant any more: /libxl/GUEST/device/console/0 will be found,
-and then libxl__device_destroy will DTRT to the right frontend path.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl_device.c | 22 +++-------------------
- 1 file changed, 3 insertions(+), 19 deletions(-)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 9136b26..38ab393 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -683,7 +683,7 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
- libxl__multidev_begin(ao, multidev);
- multidev->callback = devices_remove_callback;
-
-- path = GCSPRINTF("/local/domain/%d/device", domid);
-+ path = GCSPRINTF("/libxl/%d/device", domid);
- kinds = libxl__xs_directory(gc, XBT_NULL, path, &num_kinds);
- if (!kinds) {
- if (errno != ENOENT) {
-@@ -696,12 +696,12 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
- if (libxl__device_kind_from_string(kinds[i], &kind))
- continue;
-
-- path = GCSPRINTF("/local/domain/%d/device/%s", domid, kinds[i]);
-+ path = GCSPRINTF("/libxl/%d/device/%s", domid, kinds[i]);
- devs = libxl__xs_directory(gc, XBT_NULL, path, &num_dev_xsentries);
- if (!devs)
- continue;
- for (j = 0; j < num_dev_xsentries; j++) {
-- path = GCSPRINTF("/local/domain/%d/device/%s/%s/backend",
-+ path = GCSPRINTF("/libxl/%d/device/%s/%s/backend",
- domid, kinds[i], devs[j]);
- path = libxl__xs_read(gc, XBT_NULL, path);
- GCNEW(dev);
-@@ -726,22 +726,6 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
- }
- }
-
-- /* console 0 frontend directory is not under /local/domain/<domid>/device */
-- path = GCSPRINTF("/local/domain/%d/console/backend", domid);
-- path = libxl__xs_read(gc, XBT_NULL, path);
-- GCNEW(dev);
-- if (path && strcmp(path, "") &&
-- libxl__parse_backend_path(gc, path, dev) == 0) {
-- dev->domid = domid;
-- dev->kind = LIBXL__DEVICE_KIND_CONSOLE;
-- dev->devid = 0;
--
-- /* Currently console devices can be destroyed synchronously by just
-- * removing xenstore entries, this is what libxl__device_destroy does.
-- */
-- libxl__device_destroy(gc, dev);
-- }
--
- out:
- libxl__multidev_prepared(egc, multidev, rc);
- }
---
-2.1.4
-
diff --git a/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch b/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
deleted file mode 100644
index cb5dfc5..0000000
--- a/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
@@ -1,46 +0,0 @@
-From 2cd66e8bf49f5ff1aa03506aab74dd0ebe2776fa Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:57:14 +0100
-Subject: [PATCH 04/20] libxl: Do not trust backend for vtpm in getinfo (uuid)
-
-Use uuid from /libxl, rather than from backend. I think the backend
-is not supposed to change the uuid, since it seems to be set by libxl
-during setup.
-
-If in fact the backend is supposed to be able to change the uuid, this
-patch needs to be dropped and replaced by a patch which makes the vtpm
-uuid lookup tolerate bad or missing data.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 1c241ce..23ff871 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2200,7 +2200,7 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
- &vtpm->backend_domid);
- if (rc) return NULL;
-
-- tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path));
-+ tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", libxl_path));
- if (tmp) {
- if(libxl_uuid_from_string(&(vtpm->uuid), tmp)) {
- LOG(ERROR, "%s/uuid is a malformed uuid?? (%s) Probably a bug!!\n", be_path, tmp);
-@@ -2260,7 +2260,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- vtpminfo->frontend_id = domid;
-
- val = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/uuid", vtpminfo->backend));
-+ GCSPRINTF("%s/uuid", libxl_path));
- if(val == NULL) {
- LOG(ERROR, "%s/uuid does not exist!\n", vtpminfo->backend);
- goto err;
---
-1.9.1
-
diff --git a/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch b/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
deleted file mode 100644
index cdbbc26..0000000
--- a/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
@@ -1,43 +0,0 @@
-From 1070d8daa6a73a66ceabd9cd6c89ce712b69bafe Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:30:32 +0100
-Subject: [PATCH 04/12] libxl: Do not trust frontend in libxl__device_nextid
-
-When selecting the devid for a new device, we should look in
-/libxl/device for existing devices, not in the frontend area.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 312a371..170dd45 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -1985,15 +1985,16 @@ out:
- /* common function to get next device id */
- static int libxl__device_nextid(libxl__gc *gc, uint32_t domid, char *device)
- {
-- char *dompath, **l;
-+ char *libxl_dom_path, **l;
- unsigned int nb;
- int nextid = -1;
-
-- if (!(dompath = libxl__xs_get_dompath(gc, domid)))
-+ if (!(libxl_dom_path = libxl__xs_libxl_path(gc, domid)))
- return nextid;
-
- l = libxl__xs_directory(gc, XBT_NULL,
-- GCSPRINTF("%s/device/%s", dompath, device), &nb);
-+ GCSPRINTF("%s/device/%s", libxl_dom_path, device),
-+ &nb);
- if (l == NULL || nb == 0)
- nextid = 0;
- else
---
-2.1.4
-
diff --git a/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch b/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
deleted file mode 100644
index 2d9f922..0000000
--- a/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
@@ -1,104 +0,0 @@
-From 1d70543c4e53c2fc283e520d098069ac41583469 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 27 Apr 2016 16:08:49 +0100
-Subject: [PATCH 05/12] libxl: Do not trust frontend for disk eject event
-
-Use the /libxl path for interpreting disk eject watch events: do not
-read the backend path out of the frontend. Instead, use the version
-in /libxl. That avoids us relying on the guest-modifiable
-$frontend/backend pointer.
-
-To implement this we store the path
- /libxl/$guest/device/vbd/$devid/backend
-in the evgen structure.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 28 ++++++++++++++++++++++------
- tools/libxl/libxl_internal.h | 2 +-
- 2 files changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 170dd45..9c0fed4 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -1323,9 +1323,10 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
- const char *wpath, const char *epath) {
- EGC_GC;
- libxl_evgen_disk_eject *evg = (void*)w;
-- char *backend;
-+ const char *backend;
- char *value;
- char backend_type[BACKEND_STRING_SIZE+1];
-+ int rc;
-
- value = libxl__xs_read(gc, XBT_NULL, wpath);
-
-@@ -1341,9 +1342,16 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
- libxl_event *ev = NEW_EVENT(egc, DISK_EJECT, evg->domid, evg->user);
- libxl_device_disk *disk = &ev->u.disk_eject.disk;
-
-- backend = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%.*s/backend",
-- (int)strlen(wpath)-6, wpath));
-+ rc = libxl__xs_read_checked(gc, XBT_NULL, evg->be_ptr_path, &backend);
-+ if (rc) {
-+ LIBXL__EVENT_DISASTER(egc, "xs_read failed reading be_ptr_path",
-+ errno, LIBXL_EVENT_TYPE_DISK_EJECT);
-+ return;
-+ }
-+ if (!backend) {
-+ /* device has been removed, not simply ejected */
-+ return;
-+ }
-
- sscanf(backend,
- "/local/domain/%d/backend/%" TOSTRING(BACKEND_STRING_SIZE)
-@@ -1392,11 +1400,18 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
- if (!domid)
- domid = guest_domid;
-
-- path = libxl__sprintf(gc, "%s/device/vbd/%d/eject",
-+ int devid = libxl__device_disk_dev_number(vdev, NULL, NULL);
-+
-+ path = GCSPRINTF("%s/device/vbd/%d/eject",
- libxl__xs_get_dompath(gc, domid),
-- libxl__device_disk_dev_number(vdev, NULL, NULL));
-+ devid);
- if (!path) { rc = ERROR_NOMEM; goto out; }
-
-+ const char *libxl_path = GCSPRINTF("%s/device/vbd/%d",
-+ libxl__xs_libxl_path(gc, domid),
-+ devid);
-+ evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path);
-+
- rc = libxl__ev_xswatch_register(gc, &evg->watch,
- disk_eject_xswatch_callback, path);
- if (rc) goto out;
-@@ -1423,6 +1438,7 @@ void libxl__evdisable_disk_eject(libxl__gc *gc, libxl_evgen_disk_eject *evg) {
- libxl__ev_xswatch_deregister(gc, &evg->watch);
-
- free(evg->vdev);
-+ free(evg->be_ptr_path);
- free(evg);
-
- CTX_UNLOCK;
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index bfe06bd..302585c 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-@@ -271,7 +271,7 @@ struct libxl__evgen_disk_eject {
- uint32_t domid;
- LIBXL_LIST_ENTRY(libxl_evgen_disk_eject) entry;
- libxl_ev_user user;
-- char *vdev;
-+ char *vdev, *be_ptr_path;
- };
- _hidden void
- libxl__evdisable_disk_eject(libxl__gc*, libxl_evgen_disk_eject*);
---
-2.1.4
-
diff --git a/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch b/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
deleted file mode 100644
index 625dd97..0000000
--- a/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
@@ -1,73 +0,0 @@
-From 2388be01dffb8a3aae85ea58052f6020057ae3bc Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:15:13 +0100
-Subject: [PATCH 05/20] libxl: cdrom eject and insert: write to /libxl
-
-Copy the new type and params values to /libxl, so that the information
-in /libxl is kept up to date.
-
-This is needed so that we can return this trustworthy information,
-rather than trusting the backend-writeable parts of xenstore.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 23ff871..7dcd672 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2843,7 +2843,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- libxl_domain_config d_config;
- int rc, dm_ver;
- libxl__device device;
-- const char * path;
-+ const char *path, *libxl_path;
- char * tmp;
- libxl__domain_userdata_lock *lock = NULL;
- xs_transaction_t t = XBT_NULL;
-@@ -2911,6 +2911,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- if (rc) goto out;
-
- path = libxl__device_backend_path(gc, &device);
-+ libxl_path = libxl__device_libxl_path(gc, &device);
-
- insert = flexarray_make(gc, 4, 1);
-
-@@ -2959,8 +2960,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- goto out;
- }
-
-- rc = libxl__xs_writev(gc, t, path,
-- libxl__xs_kvs_of_flexarray(gc, empty, empty->count));
-+ char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count);
-+
-+ rc = libxl__xs_writev(gc, t, path, kvs);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_writev(gc, t, libxl_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_transaction_commit(gc, &t);
-@@ -2994,8 +2999,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- rc = libxl__set_domain_configuration(gc, domid, &d_config);
- if (rc) goto out;
-
-- rc = libxl__xs_writev(gc, t, path,
-- libxl__xs_kvs_of_flexarray(gc, insert, insert->count));
-+ char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count);
-+
-+ rc = libxl__xs_writev(gc, t, path, kvs);
-+ if (rc) goto out;
-+
-+ rc = libxl__xs_writev(gc, t, libxl_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_transaction_commit(gc, &t);
---
-1.9.1
-
diff --git a/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch b/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
deleted file mode 100644
index b3e42da..0000000
--- a/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
@@ -1,67 +0,0 @@
-From c7e9c4b1231effdc1283d9a4a2645e395adb01d5 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:23:35 +0100
-Subject: [PATCH 06/20] libxl: Do not trust backend for disk eject vdev
-
-For disk eject, use configured vdev from /libxl, not backend.
-
-The backend directory is writeable by driver domains. This means that
-a malicious driver domain could cause libxl to see a wrong vdev,
-confusing the user or the toolstack.
-
-Use the vdev from the /libxl space, rather than the backend.
-
-For convenience, we read the vdev from the /libxl space into the evg
-during setup and copy it on each event, rather than reading it afresh
-each time (which would in any case involve generating or saving a copy
-of the relevant /libxl path).
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 7dcd672..138167d 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -1368,8 +1368,7 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
- disk->pdev_path = strdup(""); /* xxx fixme malloc failure */
- disk->format = LIBXL_DISK_FORMAT_EMPTY;
- /* this value is returned to the user: do not free right away */
-- disk->vdev = xs_read(CTX->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/dev", backend), NULL);
-+ disk->vdev = libxl__strdup(NOGC, evg->vdev);
- disk->removable = 1;
- disk->readwrite = 0;
- disk->is_cdrom = 1;
-@@ -1392,9 +1391,6 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
- evg->domid = guest_domid;
- LIBXL_LIST_INSERT_HEAD(&CTX->disk_eject_evgens, evg, entry);
-
-- evg->vdev = strdup(vdev);
-- if (!evg->vdev) { rc = ERROR_NOMEM; goto out; }
--
- uint32_t domid = libxl_get_stubdom_id(ctx, guest_domid);
-
- if (!domid)
-@@ -1412,6 +1408,13 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
- devid);
- evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path);
-
-+ const char *configured_vdev;
-+ rc = libxl__xs_read_checked(gc, XBT_NULL,
-+ GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
-+ if (rc) goto out;
-+
-+ evg->vdev = libxl__strdup(NOGC, configured_vdev);
-+
- rc = libxl__ev_xswatch_register(gc, &evg->watch,
- disk_eject_xswatch_callback, path);
- if (rc) goto out;
---
-1.9.1
-
diff --git a/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch b/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
deleted file mode 100644
index 2f8b633..0000000
--- a/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
@@ -1,79 +0,0 @@
-From 11770db72bc644c322ad9044dbf86f9c6cb3a780 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:21:51 +0100
-Subject: [PATCH 06/12] libxl: Do not trust frontend for disk in getinfo
-
-* Rename the frontend variable to `fe_path' to check we caught them all
-* Read the backend path from /libxl, rather than from the frontend
-* Parse the backend domid from the backend path, rather than reading it
- from the frontend (and add the appropriate error path and initialisation)
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 27 +++++++++++++++++++--------
- 1 file changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9c0fed4..69b7da7 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2796,27 +2796,34 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
- libxl_device_disk *disk, libxl_diskinfo *diskinfo)
- {
- GC_INIT(ctx);
-- char *dompath, *diskpath;
-+ char *dompath, *fe_path, *libxl_path;
- char *val;
-+ int rc;
-+
-+ diskinfo->backend = NULL;
-
- dompath = libxl__xs_get_dompath(gc, domid);
- diskinfo->devid = libxl__device_disk_dev_number(disk->vdev, NULL, NULL);
-
- /* tap devices entries in xenstore are written as vbd devices. */
-- diskpath = libxl__sprintf(gc, "%s/device/vbd/%d", dompath, diskinfo->devid);
-+ fe_path = GCSPRINTF("%s/device/vbd/%d", dompath, diskinfo->devid);
-+ libxl_path = GCSPRINTF("%s/device/vbd/%d",
-+ libxl__xs_libxl_path(gc, domid), diskinfo->devid);
- diskinfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/backend", diskpath), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!diskinfo->backend) {
- GC_FREE;
- return ERROR_FAIL;
- }
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", diskpath));
-- diskinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", diskpath));
-+ rc = libxl__backendpath_parse_domid(gc, diskinfo->backend,
-+ &diskinfo->backend_id);
-+ if (rc) goto out;
-+
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
- diskinfo->state = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", diskpath));
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/event-channel", fe_path));
- diskinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/ring-ref", diskpath));
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
- diskinfo->rref = val ? strtoul(val, NULL, 10) : -1;
- diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
- libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL);
-@@ -2825,6 +2832,10 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
-
- GC_FREE;
- return 0;
-+
-+ out:
-+ free(diskinfo->backend);
-+ return rc;
- }
-
- int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
---
-2.1.4
-
diff --git a/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch b/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
deleted file mode 100644
index 8fcf0f4..0000000
--- a/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
@@ -1,245 +0,0 @@
-From a81a94db7bdf0f6fbf24a79182d1d246cfc1dd96 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 18:29:45 +0100
-Subject: [PATCH 07/20] libxl: Do not trust backend for disk; fix driver domain
- disks list
-
-Rework libxl__device_disk_from_xs_be (which takes a backend path) into
-to libxl__device_disk_from_xenstore (which takes a libxl path).
-
-libxl__device_disk_from_xenstore now finds the backend path itself,
-although it doesn't use it any more for most of its functions. We
-rename the variable from be_path to backend_path to make sure we
-didn't miss any cases.
-
-All the data collection is now done by reading from the copy in
-/libxl.
-
-libxl_device_disk_list and its helper libxl__append_disk_list (which
-used to be libxl__append_disk_list_of_type) need extensive rework,
-because they now need to specify the /libxl path rather than the
-backend path.
-
-To do that they enumerate disks by looking in the appropriate area in
-/libxl. Previously they scanned various of the backend directories in
-dom0 (which was broken for driver domains). It is no longer necessary
-to enumerate the various disk backends, because they all use the same
-paths in /devices. libxl__device_disk_from_xenstore will parse the
-type out of the backend path, for itself. (Indeed, it did so before -
-the now-gone type parameter to libxl__append_disk_list_of_type wasn't
-used other than to construct the directory to list.)
-
-Finally, remove a redundant store to pdisk->backend_domid in
-libxl__append_disk_list[_of_type]. Even before this commit, that
-store was not needed because libxl_device_disk_init (called by
-libxl__device_disk_from_xenstore) would zero it. Now it overwrites
-the correct backend domid with zero; so remove it.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
-v2: Also fix up COLO reads, following rebase
----
- tools/libxl/libxl.c | 84 +++++++++++++++++++++++++++--------------------------
- 1 file changed, 43 insertions(+), 41 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 138167d..6c59a6f 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2617,8 +2617,8 @@ void libxl__device_disk_add(libxl__egc *egc, uint32_t domid,
- device_disk_add(egc, domid, disk, aodev, NULL, NULL);
- }
-
--static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-- const char *be_path,
-+static int libxl__device_disk_from_xenstore(libxl__gc *gc,
-+ const char *libxl_path,
- libxl_device_disk *disk)
- {
- libxl_ctx *ctx = libxl__gc_owner(gc);
-@@ -2628,15 +2628,27 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-
- libxl_device_disk_init(disk);
-
-- rc = sscanf(be_path, "/local/domain/%d/", &disk->backend_domid);
-+ const char *backend_path;
-+ rc = libxl__xs_read_checked(gc, XBT_NULL,
-+ GCSPRINTF("%s/backend", libxl_path),
-+ &backend_path);
-+ if (rc) goto out;
-+
-+ if (!backend_path) {
-+ LOG(ERROR, "disk %s does not exist (no backend path", libxl_path);
-+ rc = ERROR_FAIL;
-+ goto out;
-+ }
-+
-+ rc = sscanf(backend_path, "/local/domain/%d/", &disk->backend_domid);
- if (rc != 1) {
-- LOG(ERROR, "Unable to fetch device backend domid from %s", be_path);
-+ LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path);
- goto cleanup;
- }
-
- /* "params" may not be present; but everything else must be. */
- tmp = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/params", be_path), &len);
-+ libxl__sprintf(gc, "%s/params", libxl_path), &len);
- if (tmp && strchr(tmp, ':')) {
- disk->pdev_path = strdup(strchr(tmp, ':') + 1);
- free(tmp);
-@@ -2646,31 +2658,31 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-
-
- tmp = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/type", be_path));
-+ libxl__sprintf(gc, "%s/type", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/type", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/type", libxl_path);
- goto cleanup;
- }
- libxl_string_to_backend(ctx, tmp, &(disk->backend));
-
- disk->vdev = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/dev", be_path), &len);
-+ libxl__sprintf(gc, "%s/dev", libxl_path), &len);
- if (!disk->vdev) {
-- LOG(ERROR, "Missing xenstore node %s/dev", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/dev", libxl_path);
- goto cleanup;
- }
-
- tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf
-- (gc, "%s/removable", be_path));
-+ (gc, "%s/removable", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/removable", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/removable", libxl_path);
- goto cleanup;
- }
- disk->removable = atoi(tmp);
-
-- tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", be_path));
-+ tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/mode", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/mode", libxl_path);
- goto cleanup;
- }
- if (!strcmp(tmp, "w"))
-@@ -2679,9 +2691,9 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
- disk->readwrite = 0;
-
- tmp = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/device-type", be_path));
-+ libxl__sprintf(gc, "%s/device-type", libxl_path));
- if (!tmp) {
-- LOG(ERROR, "Missing xenstore node %s/device-type", be_path);
-+ LOG(ERROR, "Missing xenstore node %s/device-type", libxl_path);
- goto cleanup;
- }
- disk->is_cdrom = !strcmp(tmp, "cdrom");
-@@ -2690,15 +2702,17 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-
- return 0;
- cleanup:
-+ rc = ERROR_FAIL;
-+ out:
- libxl_device_disk_dispose(disk);
-- return ERROR_FAIL;
-+ return rc;
- }
-
- int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid,
- const char *vdev, libxl_device_disk *disk)
- {
- GC_INIT(ctx);
-- char *dompath, *path;
-+ char *dom_xl_path, *libxl_path;
- int devid = libxl__device_disk_dev_number(vdev, NULL, NULL);
- int rc = ERROR_FAIL;
-
-@@ -2707,39 +2721,34 @@ int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid,
-
- libxl_device_disk_init(disk);
-
-- dompath = libxl__xs_get_dompath(gc, domid);
-- if (!dompath) {
-+ dom_xl_path = libxl__xs_libxl_path(gc, domid);
-+ if (!dom_xl_path) {
- goto out;
- }
-- path = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/device/vbd/%d/backend",
-- dompath, devid));
-- if (!path)
-- goto out;
-+ libxl_path = GCSPRINTF("%s/device/vbd/%d", dom_xl_path, devid);
-
-- rc = libxl__device_disk_from_xs_be(gc, path, disk);
-+ rc = libxl__device_disk_from_xenstore(gc, libxl_path, disk);
- out:
- GC_FREE;
- return rc;
- }
-
-
--static int libxl__append_disk_list_of_type(libxl__gc *gc,
-+static int libxl__append_disk_list(libxl__gc *gc,
- uint32_t domid,
-- const char *type,
- libxl_device_disk **disks,
- int *ndisks)
- {
-- char *be_path = NULL;
-+ char *libxl_dir_path = NULL;
- char **dir = NULL;
- unsigned int n = 0;
- libxl_device_disk *pdisk = NULL, *pdisk_end = NULL;
- int rc=0;
- int initial_disks = *ndisks;
-
-- be_path = libxl__sprintf(gc, "%s/backend/%s/%d",
-- libxl__xs_get_dompath(gc, 0), type, domid);
-- dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n);
-+ libxl_dir_path = GCSPRINTF("%s/device/vbd",
-+ libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
- if (dir && n) {
- libxl_device_disk *tmp;
- tmp = realloc(*disks, sizeof (libxl_device_disk) * (*ndisks + n));
-@@ -2750,10 +2759,9 @@ static int libxl__append_disk_list_of_type(libxl__gc *gc,
- pdisk_end = *disks + initial_disks + n;
- for (; pdisk < pdisk_end; pdisk++, dir++) {
- const char *p;
-- p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
-- if ((rc=libxl__device_disk_from_xs_be(gc, p, pdisk)))
-+ p = libxl__sprintf(gc, "%s/%s", libxl_dir_path, *dir);
-+ if ((rc=libxl__device_disk_from_xenstore(gc, p, pdisk)))
- goto out;
-- pdisk->backend_domid = 0;
- *ndisks += 1;
- }
- }
-@@ -2769,13 +2777,7 @@ libxl_device_disk *libxl_device_disk_list(libxl_ctx *ctx, uint32_t domid, int *n
-
- *num = 0;
-
-- rc = libxl__append_disk_list_of_type(gc, domid, "vbd", &disks, num);
-- if (rc) goto out_err;
--
-- rc = libxl__append_disk_list_of_type(gc, domid, "tap", &disks, num);
-- if (rc) goto out_err;
--
-- rc = libxl__append_disk_list_of_type(gc, domid, "qdisk", &disks, num);
-+ rc = libxl__append_disk_list(gc, domid, &disks, num);
- if (rc) goto out_err;
-
- GC_FREE;
---
-1.9.1
-
diff --git a/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch b/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
deleted file mode 100644
index 6f0d487..0000000
--- a/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
@@ -1,67 +0,0 @@
-From 54a34ac83f0826cd0213a6ebdb0c414cb5051ed2 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:58:32 +0100
-Subject: [PATCH 07/12] libxl: Do not trust frontend for vtpm list
-
-libxl_device_vtpm_list needs to enumerate and identify devices without
-trusting frontend-controlled data. So
-
-* Use the /libxl path to enumerate vtpms.
-* Use the /libxl path to find the corresponding backends.
-* Parse the backend path to find the backend domid.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 69b7da7..b91eee8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2173,14 +2173,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
- GC_INIT(ctx);
-
- libxl_device_vtpm* vtpms = NULL;
-- char* fe_path = NULL;
-+ char *libxl_path;
- char** dir = NULL;
- unsigned int ndirs = 0;
-+ int rc;
-
- *num = 0;
-
-- fe_path = libxl__sprintf(gc, "%s/device/vtpm", libxl__xs_get_dompath(gc, domid));
-- dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &ndirs);
-+ libxl_path = GCSPRINTF("%s/device/vtpm", libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_path, &ndirs);
- if (dir && ndirs) {
- vtpms = malloc(sizeof(*vtpms) * ndirs);
- libxl_device_vtpm* vtpm;
-@@ -2189,16 +2190,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
- char* tmp;
- const char* be_path = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/%s/backend",
-- fe_path, *dir));
-+ libxl_path, *dir));
-
- libxl_device_vtpm_init(vtpm);
-
- vtpm->devid = atoi(*dir);
-
-- tmp = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/%s/backend-id",
-- fe_path, *dir));
-- vtpm->backend_domid = atoi(tmp);
-+ rc = libxl__backendpath_parse_domid(gc, be_path,
-+ &vtpm->backend_domid);
-+ if (rc) return NULL;
-
- tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path));
- if (tmp) {
---
-2.1.4
-
diff --git a/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch b/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
deleted file mode 100644
index d93e4f7..0000000
--- a/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
@@ -1,35 +0,0 @@
-From 2614f9ac7c96b3b0045cf38a1ec6edb89552a724 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:10:45 +0100
-Subject: [PATCH 08/20] libxl: Do not trust backend for disk in getinfo
-
-Do not read the frontend path out of the backend. We have it in our
-hand. Likewise the guest (frontend) domid was one of our parameters (!)
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6c59a6f..6f70cb8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2827,9 +2827,8 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
- diskinfo->rref = val ? strtoul(val, NULL, 10) : -1;
- diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL);
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", diskinfo->backend));
-- diskinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ GCSPRINTF("%s/frontend", libxl_path), NULL);
-+ diskinfo->frontend_id = domid;
-
- GC_FREE;
- return 0;
---
-1.9.1
-
diff --git a/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch b/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
deleted file mode 100644
index 2c95766..0000000
--- a/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
@@ -1,61 +0,0 @@
-From b83d66dfb3905dfd627f5e4833d74be274771e43 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 16:00:20 +0100
-Subject: [PATCH 08/12] libxl: Do not trust frontend for vtpm in getinfo
-
-libxl_device_vtpm_getinfo needs to examine devices without trusting
-frontend-controlled data. So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
- reading it from the frontend.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index b91eee8..65b9953 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2222,7 +2222,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- libxl_vtpminfo *vtpminfo)
- {
- GC_INIT(ctx);
-- char *dompath, *vtpmpath;
-+ char *libxl_path, *dompath, *vtpmpath;
- char *val;
- int rc = 0;
-
-@@ -2231,8 +2231,10 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- vtpminfo->devid = vtpm->devid;
-
- vtpmpath = GCSPRINTF("%s/device/vtpm/%d", dompath, vtpminfo->devid);
-+ libxl_path = GCSPRINTF("%s/device/vtpm/%d",
-+ libxl__xs_libxl_path(gc, domid), vtpminfo->devid);
- vtpminfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- GCSPRINTF("%s/backend", vtpmpath), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!vtpminfo->backend) {
- goto err;
- }
-@@ -2240,9 +2242,9 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
- goto err;
- }
-
-- val = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/backend-id", vtpmpath));
-- vtpminfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-+ rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
-+ &vtpminfo->backend_id);
-+ if (rc) goto exit;
-
- val = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/state", vtpmpath));
---
-2.1.4
-
diff --git a/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch b/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
deleted file mode 100644
index 8f1573a..0000000
--- a/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
@@ -1,94 +0,0 @@
-From 3a3c8b2702263eaec271564e6fde1400efb3716a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:13:17 +0100
-Subject: [PATCH 09/20] libxl: Do not trust backend for cdrom insert
-
-Use the /libxl path where appropriate. Rename `path' variable to
-`be_path' to make sure we caught all the occurrences.
-
-Specifically, when checking that the device still exists, check the
-`frontend' value in /libxl, rather than anything in the backend
-directory.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6f70cb8..9f77269 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2847,7 +2847,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- libxl_domain_config d_config;
- int rc, dm_ver;
- libxl__device device;
-- const char *path, *libxl_path;
-+ const char *be_path, *libxl_path;
- char * tmp;
- libxl__domain_userdata_lock *lock = NULL;
- xs_transaction_t t = XBT_NULL;
-@@ -2914,7 +2914,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- rc = libxl__device_from_disk(gc, domid, disk, &device);
- if (rc) goto out;
-
-- path = libxl__device_backend_path(gc, &device);
-+ be_path = libxl__device_backend_path(gc, &device);
- libxl_path = libxl__device_libxl_path(gc, &device);
-
- insert = flexarray_make(gc, 4, 1);
-@@ -2954,19 +2954,19 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- for (;;) {
- rc = libxl__xs_transaction_start(gc, &t);
- if (rc) goto out;
-- /* Sanity check: make sure the backend exists before writing here */
-- tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
-+ /* Sanity check: make sure the device exists before writing here */
-+ tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
- if (!tmp)
- {
- LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
-- libxl__sprintf(gc, "%s/frontend", path));
-+ libxl__sprintf(gc, "%s/frontend", libxl_path));
- rc = ERROR_FAIL;
- goto out;
- }
-
- char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count);
-
-- rc = libxl__xs_writev(gc, t, path, kvs);
-+ rc = libxl__xs_writev(gc, t, be_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_writev(gc, t, libxl_path, kvs);
-@@ -2990,12 +2990,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- for (;;) {
- rc = libxl__xs_transaction_start(gc, &t);
- if (rc) goto out;
-- /* Sanity check: make sure the backend exists before writing here */
-- tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
-+ /* Sanity check: make sure the device exists before writing here */
-+ tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
- if (!tmp)
- {
- LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
-- libxl__sprintf(gc, "%s/frontend", path));
-+ libxl__sprintf(gc, "%s/frontend", libxl_path));
- rc = ERROR_FAIL;
- goto out;
- }
-@@ -3005,7 +3005,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-
- char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count);
-
-- rc = libxl__xs_writev(gc, t, path, kvs);
-+ rc = libxl__xs_writev(gc, t, be_path, kvs);
- if (rc) goto out;
-
- rc = libxl__xs_writev(gc, t, libxl_path, kvs);
---
-1.9.1
-
diff --git a/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch b/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
deleted file mode 100644
index fd86cb8..0000000
--- a/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
@@ -1,47 +0,0 @@
-From c626ea4768294b73ef24fafe7af9ad1221c1c48d Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:52:53 +0100
-Subject: [PATCH 09/12] libxl: Do not trust frontend for nic in
- libxl_devid_to_device_nic
-
-Find the backend by reading the pointer in /libxl rather than in the
-guest's frontend area.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 65b9953..4c45269 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3540,17 +3540,17 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- int devid, libxl_device_nic *nic)
- {
- GC_INIT(ctx);
-- char *dompath, *path;
-+ char *libxl_dom_path, *path;
- int rc = ERROR_FAIL;
-
- libxl_device_nic_init(nic);
-- dompath = libxl__xs_get_dompath(gc, domid);
-- if (!dompath)
-+ libxl_dom_path = libxl__xs_libxl_path(gc, domid);
-+ if (!libxl_dom_path)
- goto out;
-
- path = libxl__xs_read(gc, XBT_NULL,
-- libxl__sprintf(gc, "%s/device/vif/%d/backend",
-- dompath, devid));
-+ GCSPRINTF("%s/device/vif/%d/backend", libxl_dom_path,
-+ devid));
- if (!path)
- goto out;
-
---
-2.1.4
-
diff --git a/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch b/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
deleted file mode 100644
index 8295796..0000000
--- a/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
@@ -1,38 +0,0 @@
-From c9b8314ee99f30a62b7ff6db253598fa4e14ba54 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:57:10 +0100
-Subject: [PATCH 10/20] libxl: Do not trust backend for channel in getinfo
-
-Do not read the frontend path out of the backend. We have it in our
-hand. Likewise the guest (frontend) domid was one of our parameters (!)
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9f77269..35cfffe 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3977,12 +3977,8 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
-
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
- channelinfo->state = val ? strtoul(val, NULL, 10) : -1;
-- channelinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- GCSPRINTF("%s/frontend",
-- channelinfo->backend), NULL);
-- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/frontend-id",
-- channelinfo->backend));
-- channelinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ channelinfo->frontend = libxl__strdup(NOGC, fe_path);
-+ channelinfo->frontend_id = domid;
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
- channelinfo->rref = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/port", fe_path));
---
-1.9.1
-
diff --git a/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch b/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
deleted file mode 100644
index 60afaff..0000000
--- a/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
@@ -1,73 +0,0 @@
-From 9d1982995e8d5645ae149bce670bea82fda31421 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 16:31:07 +0100
-Subject: [PATCH 10/12] libxl: Do not trust frontend for nic in getinfo
-
-libxl_device_nic_getinfo needs to examine devices without trusting
-frontend-controlled data. So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
- reading it from the frontend.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 21 ++++++++++++++-------
- 1 file changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 4c45269..34853f8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3629,22 +3629,27 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
- libxl_device_nic *nic, libxl_nicinfo *nicinfo)
- {
- GC_INIT(ctx);
-- char *dompath, *nicpath;
-+ char *dompath, *nicpath, *libxl_path;
- char *val;
-+ int rc;
-
- dompath = libxl__xs_get_dompath(gc, domid);
- nicinfo->devid = nic->devid;
-
-- nicpath = libxl__sprintf(gc, "%s/device/vif/%d", dompath, nicinfo->devid);
-+ nicpath = GCSPRINTF("%s/device/vif/%d", dompath, nicinfo->devid);
-+ libxl_path = GCSPRINTF("%s/device/vif/%d",
-+ libxl__xs_libxl_path(gc, domid), nicinfo->devid);
- nicinfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/backend", nicpath), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!nicinfo->backend) {
- GC_FREE;
- return ERROR_FAIL;
- }
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", nicpath));
-- nicinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", nicpath));
-+ rc = libxl__backendpath_parse_domid(gc, nicinfo->backend,
-+ &nicinfo->backend_id);
-+ if (rc) goto out;
-+
-+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", nicpath));
- nicinfo->state = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", nicpath));
- nicinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
-@@ -3657,8 +3662,10 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend));
- nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-
-+ rc = 0;
-+ out:
- GC_FREE;
-- return 0;
-+ return rc;
- }
-
- const char *libxl__device_nic_devname(libxl__gc *gc,
---
-2.1.4
-
diff --git a/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch b/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
deleted file mode 100644
index b6c767a..0000000
--- a/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
@@ -1,104 +0,0 @@
-From 55fcc20fa75d9458805bf8130ce257cddd8db71f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 17:01:56 +0100
-Subject: [PATCH 11/12] libxl: Do not trust frontend for channel in list
-
-libxl_device_channel_list should not trust frontend-provided data.
-
-So it needs to iterate using the /libxl paths, and read the backend
-path out of /libxl.
-
-However, it also filters out pure "consoles", which are channels
-without a "name". But the name was stored only in the frontend
-directory, which the frontend can delete.
-
-So store the name in the backend too. (Ideally we would store it in
-/libxl, where the backend can't write to it either, but
-libxl__device_console_add not currently have access to the xenstore
-transaction used by libxl__device_generic_add. Protection against the
-backend will come later, in XSA-178.)
-
-Because the libxl paths are defined to be in terms of the frontend
-device types, not the backend device types, it is no longer correct
-for libxl__append_channel_list to take a type argument. Abolish this
-(with no functional effect).
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 25 ++++++++++++++-----------
- 1 file changed, 14 insertions(+), 11 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 34853f8..6ffb173 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3726,6 +3726,8 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
- if (console->name) {
- flexarray_append(ro_front, "name");
- flexarray_append(ro_front, console->name);
-+ flexarray_append(back, "name");
-+ flexarray_append(back, console->name);
- }
- if (console->connection) {
- flexarray_append(back, "connection");
-@@ -3864,34 +3866,35 @@ static int libxl__device_channel_from_xs_be(libxl__gc *gc,
- return rc;
- }
-
--static int libxl__append_channel_list_of_type(libxl__gc *gc,
-+static int libxl__append_channel_list(libxl__gc *gc,
- uint32_t domid,
-- const char *type,
- libxl_device_channel **channels,
- int *nchannels)
- {
-- char *fe_path = NULL, *be_path = NULL;
-+ char *libxl_dir_path = NULL, *be_path = NULL;
- char **dir = NULL;
- unsigned int n = 0, devid = 0;
- libxl_device_channel *next = NULL;
- int rc = 0, i;
-
-- fe_path = GCSPRINTF("%s/device/%s",
-- libxl__xs_get_dompath(gc, domid), type);
-- dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &n);
-+ libxl_dir_path = GCSPRINTF("%s/device/console",
-+ libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
- if (!dir || !n)
- goto out;
-
- for (i = 0; i < n; i++) {
-- const char *p, *name;
-+ const char *libxl_path, *name;
- libxl_device_channel *tmp;
-
-- p = libxl__sprintf(gc, "%s/%s", fe_path, dir[i]);
-- name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", p));
-+ libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]);
-+ be_path = libxl__xs_read(gc, XBT_NULL,
-+ GCSPRINTF("%s/backend", libxl_path));
-+ if (!be_path) continue;
-+ name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", be_path));
- /* 'channels' are consoles with names, so ignore all consoles
- without names */
- if (!name) continue;
-- be_path = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend", p));
- tmp = realloc(*channels,
- sizeof(libxl_device_channel) * (*nchannels + devid + 1));
- if (!tmp) {
-@@ -3922,7 +3925,7 @@ libxl_device_channel *libxl_device_channel_list(libxl_ctx *ctx,
-
- *num = 0;
-
-- rc = libxl__append_channel_list_of_type(gc, domid, "console", &channels, num);
-+ rc = libxl__append_channel_list(gc, domid, &channels, num);
- if (rc) goto out_err;
-
- GC_FREE;
---
-2.1.4
-
diff --git a/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch b/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
deleted file mode 100644
index 91c68a5..0000000
--- a/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
@@ -1,87 +0,0 @@
-From 382ed2f090cc79e52fd5ab2e0b51b278c5f61232 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:18:36 +0100
-Subject: [PATCH 11/20] libxl: Rename libxl__device_{nic,channel}_from_xs_be to
- _from_xenstore
-
-We are going to change these functions to expect, and be passed, a
-/libxl path. So it is wrong that they are called _from_xs_be.
-
-Neither function reads anything which isn't found in both places, so
-we can and will change the call sites later.
-
-The only remaining function in libxl called *_from_xs_be relates to
-PCI devices, for which the backend domain is hardcoded to 0 throughout
-the libxl_pci.c.
-
-No functional change.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 35cfffe..35cb6b0 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3498,7 +3498,7 @@ out:
- return;
- }
-
--static int libxl__device_nic_from_xs_be(libxl__gc *gc,
-+static int libxl__device_nic_from_xenstore(libxl__gc *gc,
- const char *be_path,
- libxl_device_nic *nic)
- {
-@@ -3561,7 +3561,7 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- if (!path)
- goto out;
-
-- rc = libxl__device_nic_from_xs_be(gc, path, nic);
-+ rc = libxl__device_nic_from_xenstore(gc, path, nic);
- if (rc) goto out;
-
- rc = 0;
-@@ -3596,7 +3596,7 @@ static int libxl__append_nic_list_of_type(libxl__gc *gc,
- for (; pnic < pnic_end; pnic++, dir++) {
- const char *p;
- p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
-- rc = libxl__device_nic_from_xs_be(gc, p, pnic);
-+ rc = libxl__device_nic_from_xenstore(gc, p, pnic);
- if (rc) goto out;
- pnic->backend_domid = 0;
- }
-@@ -3846,7 +3846,7 @@ int libxl__init_console_from_channel(libxl__gc *gc,
- return 0;
- }
-
--static int libxl__device_channel_from_xs_be(libxl__gc *gc,
-+static int libxl__device_channel_from_xenstore(libxl__gc *gc,
- const char *be_path,
- libxl_device_channel *channel)
- {
-@@ -3855,7 +3855,7 @@ static int libxl__device_channel_from_xs_be(libxl__gc *gc,
-
- libxl_device_channel_init(channel);
-
-- /* READ_BACKEND is from libxl__device_nic_from_xs_be above */
-+ /* READ_BACKEND is from libxl__device_nic_from_xenstore above */
- channel->name = READ_BACKEND(NOGC, "name");
- tmp = READ_BACKEND(gc, "connection");
- if (!strcmp(tmp, "pty")) {
-@@ -3910,7 +3910,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- }
- *channels = tmp;
- next = *channels + *nchannels + devid;
-- rc = libxl__device_channel_from_xs_be(gc, be_path, next);
-+ rc = libxl__device_channel_from_xenstore(gc, be_path, next);
- if (rc) goto out;
- next->devid = devid;
- devid++;
---
-1.9.1
-
diff --git a/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch b/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
deleted file mode 100644
index 5018fac..0000000
--- a/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
@@ -1,121 +0,0 @@
-From 0333ec931e023a66dc03392c9bcb1040018b00e8 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 17:24:32 +0100
-Subject: [PATCH 12/12] libxl: Do not trust frontend for channel in getinfo
-
-libxl_device_channel_getinfo needs to examine devices without trusting
-frontend-controlled data. So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
- reading it from the frontend.
-* Tolerate FRONTEND/tty vanishing.
-
-Note that there is a strange off-by-one error in the computation of
-both fe_path and libxl_path in libxl_device_channel_getinfo: the
-incoming channel->devid, which is copied to channelinfo->devid, has +1
-applied to calculate the frontend path (and, after this patch, the
-libxl path). I.e., the devid passed to libxl_device_channel_getinfo
-must be one less than the actual devid for the device being asked
-about.
-
-This is actually a bug which mirrors a bug in
-libxl__append_channel_list, which fills in the devids of the channel
-devices it finds with sequentially increasing numbers starting at 0.
-
-In the usual case channels have real devids starting at 1 (because
-there is the console, which is devid 0, but not a channel). So these
-bugs usually cancel out.
-
-We do not address this problem at this time. This bug does not have
-any security implications.
-
-This patch is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 44 ++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 36 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6ffb173..2dd2467 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3946,23 +3946,28 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
- libxl_channelinfo *channelinfo)
- {
- GC_INIT(ctx);
-- char *dompath, *fe_path;
-+ char *dompath, *fe_path, *libxl_path;
- char *val;
-+ int rc;
-
- dompath = libxl__xs_get_dompath(gc, domid);
- channelinfo->devid = channel->devid;
-
-- fe_path = libxl__sprintf(gc, "%s/device/console/%d", dompath,
-- channelinfo->devid + 1);
-+ fe_path = GCSPRINTF("%s/device/console/%d", dompath,
-+ channelinfo->devid + 1);
-+ libxl_path = GCSPRINTF("%s/device/console/%d",
-+ libxl__xs_libxl_path(gc, domid),
-+ channelinfo->devid + 1);
- channelinfo->backend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/backend",
-- fe_path), NULL);
-+ GCSPRINTF("%s/backend", libxl_path), NULL);
- if (!channelinfo->backend) {
- GC_FREE;
- return ERROR_FAIL;
- }
-- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend-id", fe_path));
-- channelinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-+ rc = libxl__backendpath_parse_domid(gc, channelinfo->backend,
-+ &channelinfo->backend_id);
-+ if (rc) goto out;
-+
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
- channelinfo->state = val ? strtoul(val, NULL, 10) : -1;
- channelinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-@@ -3980,13 +3985,36 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
- switch (channel->connection) {
- case LIBXL_CHANNEL_CONNECTION_PTY:
- val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/tty", fe_path));
-+ /*
-+ * It is obviously very wrong for this value to be in the
-+ * frontend. But in XSA-175 we don't want to re-engineer
-+ * this because other xenconsole code elsewhere (some
-+ * even out of tree, perhaps) expects this node to be
-+ * here.
-+ *
-+ * FE/pty is readonly for the guest. It always exists if
-+ * FE does because libxl__device_console_add
-+ * unconditionally creates it and nothing deletes it.
-+ *
-+ * The guest can delete the whole FE (which it has write
-+ * privilege on) but the containing directories
-+ * /local/GUEST[/device[/console]] are also RO for the
-+ * guest. So if the guest deletes FE it cannot recreate
-+ * it.
-+ *
-+ * Therefore the guest cannot cause FE/pty to contain bad
-+ * data, although it can cause it to not exist.
-+ */
-+ if (!val) val = "/NO-SUCH-PATH";
- channelinfo->u.pty.path = strdup(val);
- break;
- default:
- break;
- }
-+ rc = 0;
-+ out:
- GC_FREE;
-- return 0;
-+ return rc;
- }
-
- /******************************************************************************/
---
-2.1.4
-
diff --git a/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch b/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
deleted file mode 100644
index 37dfca7..0000000
--- a/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
@@ -1,101 +0,0 @@
-From bbbe635e7c1824d4daa4920c24c369e332ba5236 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:07:02 +0100
-Subject: [PATCH 12/20] libxl: Rename READ_BACKEND to READ_LIBXLDEV
-
-We are going to want to change all the functions that use READ_BACKEND
-to get untrustworthy information from the backend, to use trustworthy
-information from /libxl.
-
-This will involve replacing READ_BACKEND, which reads from be_path,
-with a similar macro READ_LIBXLDEV, which reads from libxl_path.
-
-The macro name change generates a lot of clutter in the diff. So we
-break it out into this separate patch. Here, we rename the macro, but
-the implementation does not really match the new name.
-
-So, another way to look at this, is that we have transformed the bug:
- * All of the backends use READ_BACKEND, which is unsafe
-into the new bug:
- * READ_LIBXLDEV actually reads be_path, which is unsafe.
-
-There is no functional change as yet.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 35cb6b0..a174382 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -21,8 +21,8 @@
- #define PAGE_TO_MEMKB(pages) ((pages) * 4)
- #define BACKEND_STRING_SIZE 5
-
--/* Utility to read backend xenstore keys */
--#define READ_BACKEND(tgc, subpath) ({ \
-+/* Utility to read /libxl or backend xenstore keys, from be_path */
-+#define READ_LIBXLDEV(tgc, subpath) ({ \
- rc = libxl__xs_read_checked(tgc, XBT_NULL, \
- GCSPRINTF("%s/" subpath, be_path), \
- &tmp); \
-@@ -3507,7 +3507,7 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-
- libxl_device_nic_init(nic);
-
-- tmp = READ_BACKEND(gc, "handle");
-+ tmp = READ_LIBXLDEV(gc, "handle");
- if (tmp)
- nic->devid = atoi(tmp);
- else
-@@ -3515,7 +3515,7 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-
- /* nic->mtu = */
-
-- tmp = READ_BACKEND(gc, "mac");
-+ tmp = READ_LIBXLDEV(gc, "mac");
- if (tmp) {
- rc = libxl__parse_mac(tmp, nic->mac);
- if (rc) goto out;
-@@ -3523,12 +3523,12 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
- memset(nic->mac, 0, sizeof(nic->mac));
- }
-
-- nic->ip = READ_BACKEND(NOGC, "ip");
-- nic->bridge = READ_BACKEND(NOGC, "bridge");
-- nic->script = READ_BACKEND(NOGC, "script");
-+ nic->ip = READ_LIBXLDEV(NOGC, "ip");
-+ nic->bridge = READ_LIBXLDEV(NOGC, "bridge");
-+ nic->script = READ_LIBXLDEV(NOGC, "script");
-
- /* vif_ioemu nics use the same xenstore entries as vif interfaces */
-- tmp = READ_BACKEND(gc, "type");
-+ tmp = READ_LIBXLDEV(gc, "type");
- if (tmp) {
- rc = libxl_nic_type_from_string(tmp, &nic->nictype);
- if (rc) goto out;
-@@ -3856,13 +3856,13 @@ static int libxl__device_channel_from_xenstore(libxl__gc *gc,
- libxl_device_channel_init(channel);
-
- /* READ_BACKEND is from libxl__device_nic_from_xenstore above */
-- channel->name = READ_BACKEND(NOGC, "name");
-- tmp = READ_BACKEND(gc, "connection");
-+ channel->name = READ_LIBXLDEV(NOGC, "name");
-+ tmp = READ_LIBXLDEV(gc, "connection");
- if (!strcmp(tmp, "pty")) {
- channel->connection = LIBXL_CHANNEL_CONNECTION_PTY;
- } else if (!strcmp(tmp, "socket")) {
- channel->connection = LIBXL_CHANNEL_CONNECTION_SOCKET;
-- channel->u.socket.path = READ_BACKEND(NOGC, "path");
-+ channel->u.socket.path = READ_LIBXLDEV(NOGC, "path");
- } else {
- rc = ERROR_INVAL;
- goto out;
---
-1.9.1
-
diff --git a/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch b/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
deleted file mode 100644
index f4dce8c..0000000
--- a/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
@@ -1,62 +0,0 @@
-From 31be4b98a2d7ab851e37f9bc23cd446f3bdf367e Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:40:18 +0100
-Subject: [PATCH 13/20] libxl: Have READ_LIBXLDEV use libxl_path rather than
- be_path
-
-Fix the just-introduced bug in this macro: now it reads the
-trustworthy libxl_path. Change the variable name in the two functions
-(nic and channel) which use it.
-
-Shuffling the bump in the carpet along, we now introduce three new
-bugs: the three call sites pass a backend path where a frontend path
-is expected.
-
-No functional change.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index a174382..702ac75 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -21,10 +21,10 @@
- #define PAGE_TO_MEMKB(pages) ((pages) * 4)
- #define BACKEND_STRING_SIZE 5
-
--/* Utility to read /libxl or backend xenstore keys, from be_path */
-+/* Utility to read /libxl xenstore keys, from libxl_path */
- #define READ_LIBXLDEV(tgc, subpath) ({ \
- rc = libxl__xs_read_checked(tgc, XBT_NULL, \
-- GCSPRINTF("%s/" subpath, be_path), \
-+ GCSPRINTF("%s/" subpath, libxl_path), \
- &tmp); \
- if (rc) goto out; \
- (char*)tmp; \
-@@ -3499,7 +3499,7 @@ out:
- }
-
- static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-- const char *be_path,
-+ const char *libxl_path,
- libxl_device_nic *nic)
- {
- const char *tmp;
-@@ -3847,7 +3847,7 @@ int libxl__init_console_from_channel(libxl__gc *gc,
- }
-
- static int libxl__device_channel_from_xenstore(libxl__gc *gc,
-- const char *be_path,
-+ const char *libxl_path,
- libxl_device_channel *channel)
- {
- const char *tmp;
---
-1.9.1
-
diff --git a/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch b/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
deleted file mode 100644
index e45a8c9..0000000
--- a/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
@@ -1,33 +0,0 @@
-From 517d1d86e158d12f634db1fabda13931bffe32fe Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 16:35:21 +0100
-Subject: [PATCH 14/20] libxl: Do not trust backend in nic getinfo
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 702ac75..558d198 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3664,10 +3664,8 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
- nicinfo->rref_tx = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/rx-ring-ref", nicpath));
- nicinfo->rref_rx = val ? strtoul(val, NULL, 10) : -1;
-- nicinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-- libxl__sprintf(gc, "%s/frontend", nicinfo->backend), NULL);
-- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend));
-- nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+ nicinfo->frontend = libxl__strdup(NOGC, nicpath);
-+ nicinfo->frontend_id = domid;
-
- rc = 0;
- out:
---
-1.9.1
-
diff --git a/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch b/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
deleted file mode 100644
index 15af351..0000000
--- a/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
@@ -1,48 +0,0 @@
-From 6925b22ac3e1e876db542ab6ede6a88651cfaa44 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:20:05 +0100
-Subject: [PATCH 15/20] libxl: Do not trust backend for nic in devid_to_device
-
-libxl_devid_to_device_nic should read the information it needs from
-the /libxl/device path, not the backend.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 10 +++-------
- 1 file changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 558d198..0f87ad7 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3547,7 +3547,7 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- int devid, libxl_device_nic *nic)
- {
- GC_INIT(ctx);
-- char *libxl_dom_path, *path;
-+ char *libxl_dom_path, *libxl_path;
- int rc = ERROR_FAIL;
-
- libxl_device_nic_init(nic);
-@@ -3555,13 +3555,9 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
- if (!libxl_dom_path)
- goto out;
-
-- path = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/device/vif/%d/backend", libxl_dom_path,
-- devid));
-- if (!path)
-- goto out;
-+ libxl_path = GCSPRINTF("%s/device/vif/%d", libxl_dom_path, devid);
-
-- rc = libxl__device_nic_from_xenstore(gc, path, nic);
-+ rc = libxl__device_nic_from_xenstore(gc, libxl_path, nic);
- if (rc) goto out;
-
- rc = 0;
---
-1.9.1
-
diff --git a/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch b/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
deleted file mode 100644
index 210ebbd..0000000
--- a/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
@@ -1,80 +0,0 @@
-From 1a75ae14d0e6b2969dc3b09f4f5963cd09a8118a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:23:57 +0100
-Subject: [PATCH 16/20] libxl: Do not trust backend for nic in list
-
-libxl_device_nic_list should use the /libxl path to search for
-devices, and for obtaining the device information.
-
-The "type" parameter was always "vif". Abolish it. (In any case,
-paths in /libxl/device are named after the frontend type which is
-constant, not the backend type which might in future vary.)
-
-Abolish a redundant store to pnic->backend_domid. Before this commit,
-that store was not needed because libxl_device_nic_init (called by
-libxl__device_nic_from_xenstore) would zero it. Now it overwrites the
-correct backend domid with zero; so remove it.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 16 +++++++---------
- 1 file changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 0f87ad7..9aebc9e 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3566,21 +3566,20 @@ out:
- return rc;
- }
-
--static int libxl__append_nic_list_of_type(libxl__gc *gc,
-+static int libxl__append_nic_list(libxl__gc *gc,
- uint32_t domid,
-- const char *type,
- libxl_device_nic **nics,
- int *nnics)
- {
-- char *be_path = NULL;
-+ char *libxl_dir_path = NULL;
- char **dir = NULL;
- unsigned int n = 0;
- libxl_device_nic *pnic = NULL, *pnic_end = NULL;
- int rc;
-
-- be_path = libxl__sprintf(gc, "%s/backend/%s/%d",
-- libxl__xs_get_dompath(gc, 0), type, domid);
-- dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n);
-+ libxl_dir_path = GCSPRINTF("%s/device/vif",
-+ libxl__xs_libxl_path(gc, domid));
-+ dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
- if (dir && n) {
- libxl_device_nic *tmp;
- tmp = realloc(*nics, sizeof (libxl_device_nic) * (*nnics + n));
-@@ -3591,10 +3590,9 @@ static int libxl__append_nic_list_of_type(libxl__gc *gc,
- pnic_end = *nics + *nnics + n;
- for (; pnic < pnic_end; pnic++, dir++) {
- const char *p;
-- p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
-+ p = GCSPRINTF("%s/%s", libxl_dir_path, *dir);
- rc = libxl__device_nic_from_xenstore(gc, p, pnic);
- if (rc) goto out;
-- pnic->backend_domid = 0;
- }
- *nnics += n;
- }
-@@ -3612,7 +3610,7 @@ libxl_device_nic *libxl_device_nic_list(libxl_ctx *ctx, uint32_t domid, int *num
-
- *num = 0;
-
-- rc = libxl__append_nic_list_of_type(gc, domid, "vif", &nics, num);
-+ rc = libxl__append_nic_list(gc, domid, &nics, num);
- if (rc) goto out_err;
-
- GC_FREE;
---
-1.9.1
-
diff --git a/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch b/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
deleted file mode 100644
index c31383b..0000000
--- a/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
@@ -1,58 +0,0 @@
-From 8df6d984e41c4a2f3f1ebc989063223eabb2cc0f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 16:59:38 +0100
-Subject: [PATCH 17/20] libxl: Do not trust backend in channel list
-
-Read the name from /libxl/device. Pass the /libxl path to
-libxl__device_channel_from_xenstore.
-
-This removes the final route by which READ_LIBXLDEV might receive a
-backend path.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
-v2: Remove be_path variable which is now no longer used.
----
- tools/libxl/libxl.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9aebc9e..a6701d4 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3870,7 +3870,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- libxl_device_channel **channels,
- int *nchannels)
- {
-- char *libxl_dir_path = NULL, *be_path = NULL;
-+ char *libxl_dir_path = NULL;
- char **dir = NULL;
- unsigned int n = 0, devid = 0;
- libxl_device_channel *next = NULL;
-@@ -3887,10 +3887,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- libxl_device_channel *tmp;
-
- libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]);
-- be_path = libxl__xs_read(gc, XBT_NULL,
-- GCSPRINTF("%s/backend", libxl_path));
-- if (!be_path) continue;
-- name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", be_path));
-+ name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", libxl_path));
- /* 'channels' are consoles with names, so ignore all consoles
- without names */
- if (!name) continue;
-@@ -3902,7 +3899,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
- }
- *channels = tmp;
- next = *channels + *nchannels + devid;
-- rc = libxl__device_channel_from_xenstore(gc, be_path, next);
-+ rc = libxl__device_channel_from_xenstore(gc, libxl_path, next);
- if (rc) goto out;
- next->devid = devid;
- devid++;
---
-1.9.1
-
diff --git a/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch b/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
deleted file mode 100644
index 95d1480..0000000
--- a/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
@@ -1,48 +0,0 @@
-From 3675172b342d1c03b01e2ac0a9fe851391921ab7 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Tue, 3 May 2016 15:25:19 +0100
-Subject: [PATCH 18/20] libxl: Cleanup: Have libxl__alloc_vdev use /libxl
-
-When allocating a vdev for a new disk, look in /libxl/device, rather
-than the frontends directory in xenstore.
-
-This is more in line with the other parts of libxl, which ought not to
-trust frontends. In this case, though, there is no security bug prior
-to this patch because the frontend is the toolstack domain itself.
-
-If libxl__alloc_vdev were ever changed to take a frontend domain
-argument, this patch will fix a latent security bug.
-
-This is a followup to XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index a6701d4..20a8960 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -3043,7 +3043,7 @@ static char * libxl__alloc_vdev(libxl__gc *gc, void *get_vdev_user,
- {
- const char *blkdev_start = (const char *) get_vdev_user;
- int devid = 0, disk = 0, part = 0;
-- char *dompath = libxl__xs_get_dompath(gc, LIBXL_TOOLSTACK_DOMID);
-+ char *libxl_dom_path = libxl__xs_libxl_path(gc, LIBXL_TOOLSTACK_DOMID);
-
- libxl__device_disk_dev_number(blkdev_start, &disk, &part);
- if (part != 0) {
-@@ -3058,7 +3058,7 @@ static char * libxl__alloc_vdev(libxl__gc *gc, void *get_vdev_user,
- return NULL;
- if (libxl__xs_read(gc, t,
- libxl__sprintf(gc, "%s/device/vbd/%d/backend",
-- dompath, devid)) == NULL) {
-+ libxl_dom_path, devid)) == NULL) {
- if (errno == ENOENT)
- return libxl__devid_to_localdev(gc, devid);
- else
---
-1.9.1
-
diff --git a/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch b/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
deleted file mode 100644
index 8bdd209..0000000
--- a/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
@@ -1,38 +0,0 @@
-From 509ae901dc25c51553c49e6f4428ac8023b42625 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:08:19 +0100
-Subject: [PATCH 19/20] libxl: Cleanup: use libxl__backendpath_parse_domid in
- libxl__device_disk_from_xs_be
-
-Rather than an open-coded sscanf. No functional change with correct
-input.
-
-This is a followup to XSA-175 and XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- tools/libxl/libxl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 20a8960..c0a80cb 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -2640,10 +2640,10 @@ static int libxl__device_disk_from_xenstore(libxl__gc *gc,
- goto out;
- }
-
-- rc = sscanf(backend_path, "/local/domain/%d/", &disk->backend_domid);
-- if (rc != 1) {
-+ rc = libxl__backendpath_parse_domid(gc, backend_path, &disk->backend_domid);
-+ if (rc) {
- LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path);
-- goto cleanup;
-+ goto out;
- }
-
- /* "params" may not be present; but everything else must be. */
---
-1.9.1
-
diff --git a/main/xen/0020-libxl-Document-serial-correctly.patch b/main/xen/0020-libxl-Document-serial-correctly.patch
deleted file mode 100644
index 6c41be2..0000000
--- a/main/xen/0020-libxl-Document-serial-correctly.patch
@@ -1,38 +0,0 @@
-From d8ac67eff778ae0c6b3286ab46328be5c6c90163 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Wed, 4 May 2016 15:17:45 +0100
-Subject: [PATCH 20/20] libxl: Document ~/serial/ correctly
-
-xenstore-paths.markdown talked about ~/device/serial/, but that's not
-used.
-
-(It is very wrong for this value, which contains a driver domain
-filesystem path, to be in the guest's area of xenstore. However, it
-is only ever created by libxl and ready by xenconsoled. When it is
-created, it inherits the read-only permissions of /local/domain/DOMID.
-So there is no security bug.)
-
-This is a followup to XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2@citrix.com>
----
- docs/misc/xenstore-paths.markdown | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index 8c686ec..bfa6a79 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-@@ -240,7 +240,7 @@ The primary PV console device. Described in [console.txt](console.txt)
-
- A secondary PV console device. Described in [console.txt](console.txt)
-
--#### ~/device/serial/$DEVID/* [HVM]
-+#### ~/serial/$DEVID/* [HVM]
-
- An emulated serial device. Described in [console.txt](console.txt)
-
---
-1.9.1
-
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 4c31811..e68129c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -1,9 +1,10 @@
+# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
-pkgver=4.5.3
-pkgrel=3
+pkgver=4.5.5
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -17,20 +18,6 @@ makedepends="$depends_dev autoconf automake libtool"
 install=""
 subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
 source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
- xsa169.patch
- xsa172.patch
- xsa173-4.5.patch
- xsa176.patch
- xsa181.patch
- xsa182-4.5.patch
- xsa183-4.6.patch
- xsa184-qemut-master.patch
- xsa184-qemuu-master.patch
- xsa185.patch
- xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
- xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
- xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
- xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
 xsa190-4.5-CVE-2016-7777.patch
 xsa191-4.6-CVE-2016-9386.patch
 xsa192-4.5-CVE-2016-9382.patch
@@ -45,40 +32,8 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 xsa201-1.patch
 xsa201-2.patch
 xsa201-4.patch
-
- 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
- 0002-libxl-Provide-libxl__backendpath_parse_domid.patch
- 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
- 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
- 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
- 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
- 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
- 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
- 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
- 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
- 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
- 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-
- 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
- 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
- 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
- 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
- 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
- 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
- 0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
- 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
- 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
- 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
- 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
- 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
- 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
- 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
- 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
- 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
- 0017-libxl-Do-not-trust-backend-in-channel-list.patch
- 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-
0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch - 0020-libxl-Document-serial-correctly.patch + xsa202-4.6.patch + xsa204-4.5.patch qemu-coroutine-gthread.patch qemu-xen-musl-openpty.patch @@ -86,7 +41,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g hotplug-vif-vtrill.patch 0001-ipxe-dont-clobber-ebp.patch - gnutls-3.4.0.patch init-xenstore-domain.patch @@ -264,21 +218,7 @@ hypervisor() { mv "$pkgdir"/boot "$subpkgdir"/ } -md5sums="a41baeb8ab0098dd2bce4249a95d1118 xen-4.5.3.tar.gz -0931b87a6b9ba846c5797dbbbacdf324 xsa169.patch -b14d9a4247ae654579cb757c9b0e949a xsa172.patch -335182c09c3b8e887a35c9677f2dc658 xsa173-4.5.patch -f5a889df9c86a2cda28da20ec7cd7adc xsa176.patch -fb3b353a4a4e334ef6bf1ed3f35552d6 xsa181.patch -732af8942ffbc31ca34fd9a7001e1923 xsa182-4.5.patch -f137255f6928d439a5ddf18ebab402d7 xsa183-4.6.patch -95bc220677fc2bb9a3df4dc14a0b31f6 xsa184-qemut-master.patch -cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch -8ae22c70681f3daf97ee7ef8ad947e76 xsa185.patch -9a2b74f2079ba0b7a6e2420e6887cc3a xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch -3d812cf9ccc8443874b36e061392d388 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch -c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch -a98c0fa2579965d72272f381f193195d xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch +md5sums="a99baacf82aa111ed3130d6c361d74a8 xen-4.5.5.tar.gz 478b88d2ef7e67bc03d3637def41a485 xsa190-4.5-CVE-2016-7777.patch 5399accd478266047e9fada57bba1bf8 xsa191-4.6-CVE-2016-9386.patch fa8512910a0dbe7f49b1800518f9c204 xsa192-4.5-CVE-2016-9382.patch 
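Review bot: The two source entries added in the `@@ -45,40 +32,8 @@` hunk, `xsa202-4.6.patch` and `xsa204-4.5.patch`, do not carry their CVE identifiers, while neighbouring entries such as `xsa190-4.5-CVE-2016-7777.patch` do. The commit message ties XSA-202 to CVE-2016-10024 and XSA-204 to CVE-2016-10013, so naming the files `xsa202-4.6-CVE-2016-10024.patch` and `xsa204-4.5-CVE-2016-10013.patch` would let someone auditing the package read the CVE coverage from the source list alone. The matching added lines in the md5sums, sha256sums and sha512sums hunks would need the same names. The `source=` list begins before and continues past this hunk.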
@@ -293,44 +233,13 @@ add3ad7828d582fc272073e906ce17a1 xsa200-4.6.patch 6580371b4b8db7cb6876f2b42ab3fc61 xsa201-1.patch 76394482eaf0caeb3e0611ba70e8923c xsa201-2.patch 9cb1516d783fc9c765e9a37574bb3cbd xsa201-4.patch -e60400a02f24b70dd9d39628a731dcda 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch -83f68ebe641fde827b56996ffc5bbc5e 0002-libxl-Provide-libxl__backendpath_parse_domid.patch -197b0a2273b68c1cfe2a4482ceffdf4d 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch -29cc618079c3f586043d665fe8daed24 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch -f290be1ba26f480fd345ada649d59660 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch -171dca83420ad3f706ba0466adf030fd 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch -45bc938047bc7716b57eeb8508977a0f 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch -ba83d5ea9a1615f2b1693acc3e54f298 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch -141f2b28b04b4efbf909a4650696d71c 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch -6611449c2c056fa074685b18443149e0 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch -3264f8403d5cd025c25416a5de7aeb50 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch -ae82256edf948e1c8ace6c576a4b2597 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch -14719f6189df1270053184d8a90cc7d1 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch -1ef583ccc14b6fea78d1891d13b3631c 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch -f1f2c41ebc7ccda0f8a786a6170694c1 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch -456b9afc8eb908d5147d9766169acec7 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch -e6902e354cbfd0f8e56c7c2653c8a953 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch -be2e9a515e6cc108abae8f2a726001ad 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch -1ee13d702779674ef6c717621ffa9382 
0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch -b5626d90c850d9598dede0740df96e09 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch -d7ddba3f759d47495b72e8397f64363d 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch -f8d01a242f6a65c801d8d201e13dffe4 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch -bcf81392d6f29e737d72b548e4cb1378 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch -1b484a77201c181a16518f566ea7f239 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch -b69c6497bd05ce7f597062beb5f50305 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch -d2d173fca2b2148f4cc0e1b70d67b29f 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch -dbc827c44937e3d6f4d8a3387842a2dd 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch -0fce7f760b34193fec742bba74423182 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch -48673e67de7272a2495da63902f56bce 0017-libxl-Do-not-trust-backend-in-channel-list.patch -e6550be82f81c1e43c44a17acb5ca80e 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch -39714ef39a07b62887c726eeedb7197f 0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch -e0138ef232bd7c5d8e28db853692e303 0020-libxl-Document-serial-correctly.patch +a5a39c6354c952095e1d78a582385933 xsa202-4.6.patch +9449168ccbc38442b8f55ad9c0964b9f xsa204-4.5.patch de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch dd8603eaab5857816843bfc37647d569 qemu-xen-musl-openpty.patch 08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch 229539a822e14a6a62babffd71ecfbf3 0001-ipxe-dont-clobber-ebp.patch -a0a0294eccbaef77a2f8f5c2789f011c gnutls-3.4.0.patch 08a30d56902b660f5102a5c208e545c9 init-xenstore-domain.patch 0984e3000de17a6d14b8014a3ced46a4 musl-support.patch 513456607a2adfaa0baf1e3ae5124b23 musl-hvmloader-fix-stdint.patch 
@@ -347,21 +256,7 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate 6a2f777c16678d84039acf670d86fff6 xenqemu.confd e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd" -sha256sums="22b6dcb6725434e4baa48f1482328a04064e21d951d7c7c4b994b3d7ad4910fa xen-4.5.3.tar.gz -b818922880313cdbc12ea68ae757da5eabed9b3c9e1f8acefe1653683545ccbe xsa169.patch -f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154 xsa172.patch -8cd255416975b5589b85911142b385cc1ed78b8ea5e16ebe9d6c60e2679b23aa xsa173-4.5.patch -e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3 xsa176.patch -6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733 xsa181.patch -2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2 xsa182-4.5.patch -0fee41f21a3eb4af1487590098047f4625688bcef7419572a8f418f9fb728468 xsa183-4.6.patch -88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20 xsa184-qemut-master.patch -3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65 xsa184-qemuu-master.patch -3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4 xsa185.patch -f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch -7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch -be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch -b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch +sha256sums="e2216e31f774be6bb1bba922288fbbc00bb549c2feb9c12472f60fe689aee4f8 xen-4.5.5.tar.gz 477d56c41cc2101432459ab79e4d5663aade779c36285f5c1d6d6ed4e34e1009 xsa190-4.5-CVE-2016-7777.patch d95a1f0dd5c45497ca56e2e1390fc688bf0a4a7a7fd10c65ae25b4bbb3353b69 xsa191-4.6-CVE-2016-9386.patch 
bb0c6622c6f5c5eb9a680020d865802069446830b4a170bcb82336f6c3b77f55 xsa192-4.5-CVE-2016-9382.patch 
@@ -376,44 +271,13 @@ d662353629117b9c978cf5444995b41e77b079cc665e078ae7868b715c47c382 xsa197-4.5-qem 163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda xsa201-1.patch 0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b xsa201-2.patch 388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919 xsa201-4.patch -a262c85f9145f71df512338ef1a4b77c05086a894d58ba3d911ea6984bbeaed5 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch -676806c5713a60f113264298c48c3ac34e3370a6bfb8628d5b8700edfe2415e3 0002-libxl-Provide-libxl__backendpath_parse_domid.patch -50518f86aedf7857ca3644a2f073745017d12263880990cb7f0d4b3b9e264ac5 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch -e9207a4a35c13061b502935a31ad09cf4ca8048804f1a62d1c1ccfde5ff3432c 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch -78baa5268af36baa546e4cd8e7f62d830c860ee3051bba5273266ca0f95627ae 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch -c59be732bbf602d7d3b5dcbf3a0ca86d6f624585ba2e29f8d0f82c74f7bd33a3 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch -5c1aa2cc37240cdc4dce5c5067f18c36466d9271ab81c6a7a38d8674b534cd86 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch -020287ae99d9c049c12087d828ea2d898686ab8600c0f9f8f2042b297ebc968e 0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch -4781d673403b3bb0f43196af1aec52f8769bcf7352afd239d874f381a1d0e9cc 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch -c6a0fb210488794188924a90df4450e42782f99651b7a016e072a7df7d26d3d6 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch -3f3eec4f45925a9de39fcfd14e7709b3fc8245425b8ae45213afee1ede2b09a0 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch -084b0054f223addeab3ff951ac1362b7d48379ddf0556eae9971f1a87507c2d4 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch -129eb3792374c1970cbd7518ac36f31988950d9f1d7bdf84932862d5eac311b1 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch 
-938bda668578c153696af0ce5f43f4dbdb822a299edb7c8e530c13d2ecb308e6 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch -f928280f0a4dde6cbe81c52320ea5ff4f0424e34c217c558a8effe8a54522048 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch -a606cf11ba60f9449a9b295c4d7ffdb8b4cd60d2ff9c92ee24d2054ce0f1f8b9 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch -29fc43237fb525c1e56fd9e90c59a461dad79de542273125a6bbb26286b7c71e 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch -1ed713cc915ecd0aceba4725f24edeedb13db0ad6771846c7a9b897f95af10d8 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch -eb83ac44edb61932c8b0f97754329c14b951b5d71ac33a37d483efb05c199cac 0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch -236c65539a4c2b5563cd968cebafa6cf4fc9ba2e92b502168548ff210a791be3 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch -43117dac4db02a0b480a6fc63baaf0f60623ea6da13e5658d95d8a7cafb49951 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch -e104ad6054ff8d994b4967f9fb382b900e65c0727f4549662f3163b9eaa530e7 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch -422939d58850d39584e57daf5f7c1db8368763c9bfe9af7668a4dab40602eca5 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch -37c7b5a3a0365120b07219bb584d6bc5967e30cb98301ac7d9ba92a9750055c4 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch -89616deb7983a298a4943d7b49658625d08a41bfe6188c3cb771e484b564667b 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch -8c7a2a4714013f8868d1357d498b63e7dfa9fe59c4f8adaaa3388e9c9341ed92 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch -e812adffc3960974775a4cf44e24b47a297036d88b606e2b0af1e402477062e9 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch -63f6852cb78051b2475a7dfe2e0f7a77c2eb5f59f5e9d2b36658ff89b4bd3e2a 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch -b480b7873eea48ae4c316840519b1a4a986e81d4b32112bd72055fae468c8ab2 
0017-libxl-Do-not-trust-backend-in-channel-list.patch -d4e37a3f3f4ecf8f03716ade37f6b285ec60f16d7725491ca5a06f1f3f98ec88 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch -368526875f928f4877e4047e86da726a7ad8e70d2c56fd10b5d12d45743e0f8f 0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch -300a4ea3dbf57ac523d7903adcd4545d2a972215d948759dc5ac872ac47ceea9 0020-libxl-Document-serial-correctly.patch +e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4 xsa202-4.6.patch +e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b xsa204-4.5.patch 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1 qemu-xen-musl-openpty.patch e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch 751ef06569de66578b8713dc170976832b0671ac2696f32eb9ad69d60332d594 0001-ipxe-dont-clobber-ebp.patch -e25d38376e22f6f935d2c0ce1b9d6e6b47ff261b5e6056bc3b47168739d7a992 gnutls-3.4.0.patch 0204d69804e83864cd6b2122f51b9c1940588158a35c159a7ef0c3b8fb0af4cb init-xenstore-domain.patch 2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch 479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3 musl-hvmloader-fix-stdint.patch 
@@ -430,21 +294,7 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd" -sha512sums="086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f xen-4.5.3.tar.gz -5bc99d5b4e8e57852c88401c49cc97f82706763f88682ed8faad6344fb0e17782ed7ba063fd463c3da46e28994af11e575ce6e02aa957ff042e3c86269d15acc xsa169.patch -8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc xsa172.patch -14b017f2e1b39adbb55ba35eafe139172609dada23e16999272d8c712e14045752933400721bc6eb6cb80a3427f3d44d829e492590e2cd5b7fe9bcfaa356b9e7 xsa173-4.5.patch -0f86e4e4ee94c22166174d018954f60d9700ea4d880f4ca41b6ae1b242a4e1649da305851ef4d9b3aa91d512411a3a423f1aadceb20714d160d4d97d145dc312 xsa176.patch -4505d0b8740609db6a6013f72bda7693ef57f4febbd0e8a20a86a7bf717234495824e895e39bf7dc710a6ae78320723b10e1c3570018b1e7fbe26959f252eb05 xsa181.patch -9e2cba41ef7df8d74e74b030340f5c9a58fd95d55e5853c35aab011bcbc7d207479b9c374e3912d8ac0f4e8eb01fa4f9a1e281ca13bb9472dc66f0e110ba6d6a xsa182-4.5.patch -f3495976ab219cfd376bae3ad409b452169df11ebcd36b106212db1b1fc8db8c50e721a5d1e23efbc25146946f922556014eda652517ee95efbfb3b482327e99 xsa183-4.6.patch -14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad xsa184-qemut-master.patch -862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6 xsa184-qemuu-master.patch -6b774cfef049d457d89149a973b5a5af674b995726c88ce09278f4a64cb94f5b3c2c2380a6273475a13eb9cdd972f5429f393247ecca6463f6068d606ea74886 xsa185.patch 
-bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d02937b56ad65faf3accecf695b4fd7f6dcc0bae91290bd87b19 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch -6583c843855d300b3d40321d909b64ab0df6b03da62b3400cb7e58a9249077112e5951e14449880cfc8d593dabd9afcffc15ff77555f745b478f7af939b3219e xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch -d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch -63f30d4a6842fc516d33334b25806e10a89228fec32315df27c9c271303d02619be4a88e638e41920ad808215280c3fce697574d05c5fb3f184844069383a201 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch +sha512sums="7e8d7e0248daa91389db0250c5f214dc1ab46c058d556a4326c801933ead05cc450cb9510108586418de029b81a80fd9f272ec1749d288a8250e69599aa2d769 xen-4.5.5.tar.gz 23ca5b5c86186b3683be38b65ed30d0ddf15d9ae29e462ae9b2606d78d84ceafa3913a2648d0430872aef1e6209c443b81d8bd4ae4c01b9021c75db1ed05ba5a xsa190-4.5-CVE-2016-7777.patch 502f50bece05d52b127c497eda0236a9011e56885fb0b5fac74ab449c2eac94d0f2cf64da16808c25f8a3091aef0a9586ad5c19f6b98a8c459908149d629b321 xsa191-4.6-CVE-2016-9386.patch d158cd493ccc516814201cb147ad99688223437938e655c5c8d75c2b73e14c319dc94e6077a9ec6521f2ca5e6af5d118f923f333702a83266c0ba44cc18efa9e xsa192-4.5-CVE-2016-9382.patch 
@@ -459,44 +309,13 @@ b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594c 67006c1ac5d0b01eb65b5a9b6583ef31c0df0cdb6331af983d972d9b0c4bc21416484d88445edb8ee8470becdc11bc88fad4a617aac40ae26610eb2bee40bd01 xsa201-1.patch afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d xsa201-2.patch 1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610 xsa201-4.patch -3868b99fc9048d8eef58e949bc5caace6b964345fff92322a191b49fc3991373d785b9287e23d4fc1572a02ba278de5eba299caeeb6e6e46ecb87c2c309c943e 0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch -60b9289891b3d69798da5c55abe06c4fda2ada1657178042a6f560fddd9d3495c7725516dd94d8a22c53990f63de873fa8d0363a57804b351f84e36de3bb4452 0002-libxl-Provide-libxl__backendpath_parse_domid.patch -f13b453de38ef3e4847e819b82eecec0e4461f824cb6b15b752a364ee4ec4c4d8c5e9193964976d1d937e422938d13c8271fcd113abd1b3e4a8875114f4075c2 0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch -31d2370b4479bd06510b04bd5a5d3e6d58688960d37bea16a2b5b7ae7cd427bf322a63864eef5251b358bfe3ec9550b2b0bff568194c85e2e7ab44771edb5b4b 0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch -011e859a6be428f9da6545607f0f0ab9487c61051623c6d45d89d64631dc50305ed0a0717785ccc5f671ee1c24282a1f598704b4b6fd4227bf0eecafb0e88e67 0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch -7ce011b474a2d29f3efe883733280ac79eaad959ceb606a72924bf3824c79b049a6773d1c300af38c24d2d3fbbbeab73252997497a29fa0cf32e1394d6309e92 0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch -d01d5080d110327077d237d0e9d2c3977915f00bfdd85b339a04ef095b9651a51991807aae74567b0d2bb874020e9ac4f44548d9f8a61effb7188793a8c17f73 0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch -b30c0086d5056678237d34bcf0a4aeb0f22221d3c6c692765fa1ab775a8ad49227a47d0594331978f2c7e6851a814d0348ca408e82b046c9b25218954c092516 
0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch -9cf217d2d6063c985393df9e330190f3cabad9e3d70dad18d5b169145fae59c1a401f04040a04ef7b17b9b21a406230c6b048d05b9ebd6518edeb4e69e91b6b4 0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch -d6003448e456cd42f0a28f887a2859b399058cdd76f286d7f9617cd462976d0a8781dba9132f5db00387c6fd60867a6c8b090b0d10eccbf74462d5dc63dc5294 0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch -3ffcf00f4ba76841b1af4145983160016d329f140d2363ccadfcd7f3de2ff752a6bbd65d0b4f0bf06a06518e066ba49243b1d12dda2f8e557eb8c82c8c1a12b1 0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch -f0d383c623cafae7f4aad9bf0444aa2bcf4baeb73e2c2c815136b19ed28cdbb8d6b7db1074949d322d4e3b3d5ff12770bac942f594743405111829f91368c3eb 0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch -a4f4d4832a11bdbfceeac47f057ac1ab587a772107fca1b3b54d442a4ea42c10d9b031aa876705bb7d0399f532f674b5044596fc82dfeba709e73825ffb4be7c 0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch -56fbd31171868c16d0c4b9218bdc91034e8c12c18f7028222d99fcaba0a8c9cbf215e3fd638db8eafb08a6967f7236b8fd3a0d09c26f23e41643e27520b8848c 0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch -7258a9199744242a5c2d4ebd279c130c3fe58dd30512ba1dae43e8fabd6eef407285f2a91e9ffc136be67e584249f836196fb3bdc3f1071324f3eb06f5adcfe5 0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch -6383c34a639d389e9b04c736fa57386a3ff31654ad8c288a327d6982c9ff2dc802568deb3d0936db0e806863c300d2c361ab85b3f01bcc38fc1e8ed630fc7be9 0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch -971368329285d11893ec470354549318051f29f23ba10eaf97340b95acdac2f7e07879fd119e6a5c3746fbdab9d80f2235e166f4240c0d1ea27b00998b43afd3 0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch -4b801e725e8f6b32c8a78fe8249a0e57297cf12687614fd61b964b5d017c4a1a2fbae0e274d89ed8ef0d817ae7a29aff07380e007cf4451b297011459caeb3ff 0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch 
-ee157ddf088dd12be957aa9df6b70df6743631c3669009be82a335cadcf5d8d7ae4b6332e05881160d5891f6e89294d853d199b4b36243f0c315d95003c4d0fc 0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch -5878ca43f14f5c8562c40fb217a87d96c2b65120b73968d5ac6fe8273490f00c4dc2925cf5b60a9b8ccc245a6461ad2671c76e6317a99ba73d3fa3e5a58fd8b7 0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch -c45b8a5baefa928135841d0d8fa53cb636d74351d151cc004bf306996ec6b5e8b5cb433083941dd46c67b35016b0db8acf3554a11a60273c9bbd539a96103ddd 0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch -6101486f20e8167b3424cb0ae410dded7266d9e6f77059ee61d9704d492272f7e2f8407a66f71ce04b6a36239ea200c9373c91046a06ba869bd439e54a740d51 0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch -cb8625745a11907b2193e03c890fdb809abc9245b2ef7351d9f8da3f98a5503f94786522f891a353ea7e8bc5cd87c6d822a4e3243ab10b411c29dbc1c61e656b 0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch -bfed26b4bf72321f8807c38dfdb90d46317d1c46f91e72ff7fc4843933a9af8bbedf1b7acb51d5d63d2faf304b6ee5db81fa73339de0bc02d8f9c6fe275025c6 0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch -a7a4877e7694cfede4c999b887e6acc74863ed7d0356cb11dee14b422f217b3d3eae7429430d911fb45a437eeb6753c0ab67aa5a5f07a286f37e77e3892ed314 0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch -56d4f648bd6923d51a7fc4d4a13f23f840a9885054413f5d56b5b085993b567548d2e88bf1e19b071261e050ff19243228d67e1bec797e6f5fe05c5add2ac4ee 0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch -b27845729c1c2409922d97398d5da6186e37860be627b17bf46a9df9defbefb9c9f5233b11f1f9b13d6e251a9da0c9c23ddb875ffef8b18a8a461cec05f6c00a 0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch -ceb8025b56dc93d99cb6d0017ce1349c1f2bab723aed0fc71378a8becc1e11af9eab2f63190d7de8b3cd4405317dcab67675ffcfb4013879a0e4d575d7117a5c 0016-libxl-Do-not-trust-backend-for-nic-in-list.patch 
-0874114b826d40d994c9fb17b17debbf5a461ddd9cdad84a8b8f4ced4ab946e8592f059b36a4712aff13889c344e25d7dc49dc169987349aa5727a45e0b81b78 0017-libxl-Do-not-trust-backend-in-channel-list.patch -0f623c6055d8a0c7fd3da2f252418c2d86a847c70496eb937588d7dd479032394ba1f3f77b92e9026101be12bdfcd7862573e5b619856c7f917f23b8efde24f1 0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch -1bf024ed18f27ae13c7071ed3b59f0334d51843f6ece66e815e71d5a2b107ca4b91c8b40d9742f6a1d56e41177080b5cba18922a44f4fecead2b3c7e97218d05 0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch -1988754ebacf96768b3a4efcef60af69107ad5b4882a4dadb5c13ec2b0b0eb6ec54fb7d3092418e0f35257dacc02cb71c5a981f112e9104e9662072a4e5f62ef 0020-libxl-Document-serial-correctly.patch +dee7a595324ea5de3754c9aad2422fc2021bcb53999e344dbe6e4edfd4772a5ed20e8ebfb40750b81287a2a022037d49cbe4f0f7ba481ae0ac79a4249ef630bf xsa202-4.6.patch +0ab83e29f10288f24f46de6f9ea267a3ee6eaef356e1905318006d20ffa1dba43c7661229246e394c8454c15e3127df7de026bde02ab3614e1c2ef8fc7396850 xsa204-4.5.patch c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006 qemu-xen-musl-openpty.patch 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch c3a1b270347a99c8ce21118010ad8d817b4462a31cc5c75352faa7086969ef0646f3f4d0922d85c2e504cff091ce7e9fe79c92f983c2ba4af2fae85c52c3835a 0001-ipxe-dont-clobber-ebp.patch -e9b88234bd67c2d65fcda1a56deeaf60aaa4c8b2afff128028c6a1478c89f828584dab1ac04f8d9d53cf17d26572e5505d0bbfcc4b2a6842cc749c6c018c0e51 gnutls-3.4.0.patch 
475eb800660dc928914b8c15562f18f24d6e7a76f4cc7bed9249ce52d444c29aec1aef843eb37ade0c7c9616195bbbc1606a3195e25b2bd4b6a1d1af5f69256e init-xenstore-domain.patch 76bd60768b296752ca11195bb03a57584686461da45255cb540977111a73c42b5b92362fd46d97bfd20487c96971dd5aed7eae7d8bf1aad7d5199adb875d4962 musl-support.patch 08cf7fac825dd3da5f33856abf6692da00d8928ab73050b3ae0a643ddb97c8ae323238a80152fd31595ac1c31678d559232264258c189e2c05ecaf33e295f13e musl-hvmloader-fix-stdint.patch diff --git a/main/xen/gnutls-3.4.0.patch b/main/xen/gnutls-3.4.0.patch deleted file mode 100644 index 9d2ed16..0000000 --- a/main/xen/gnutls-3.4.0.patch @@ -1,36 +0,0 @@ ---- ./tools/qemu-xen-traditional/vnc.c.orig -+++ ./tools/qemu-xen-traditional/vnc.c -@@ -2137,10 +2137,6 @@ - - - static int vnc_start_tls(struct VncState *vs) { -- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; -- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; -- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0}; -- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; - - VNC_DEBUG("Do TLS setup\n"); - if (vnc_tls_initialize() < 0) { -@@ -2161,21 +2157,7 @@ - return -1; - } - -- if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) { -- gnutls_deinit(vs->tls_session); -- vs->tls_session = NULL; -- vnc_client_error(vs); -- return -1; -- } -- -- if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) { -- gnutls_deinit(vs->tls_session); -- vs->tls_session = NULL; -- vnc_client_error(vs); -- return -1; -- } -- -- if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) { -+ if (gnutls_priority_set_direct(vs->tls_session, NEED_X509_AUTH(vs) ? "NORMAL" : "NORMAL:+ANON-DH", NULL) < 0) { - gnutls_deinit(vs->tls_session); - vs->tls_session = NULL; - vnc_client_error(vs); 
diff --git a/main/xen/xsa169.patch b/main/xen/xsa169.patch
deleted file mode 100644
index 617e457..0000000
--- a/main/xen/xsa169.patch
@@ -1,33 +0,0 @@
-x86: make debug output consistent in hvm_set_callback_via
-
-The unconditional printks in the switch statement of the
-hvm_set_callback_via function results in Xen log spam in non debug
-versions of Xen. The printks are for debug output only so conditionally
-compile the entire switch statement on debug versions of Xen only.
-
-This is XSA-169.
-
-Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
---- a/xen/arch/x86/hvm/irq.c
-+++ b/xen/arch/x86/hvm/irq.c
-@@ -386,7 +386,8 @@ void hvm_set_callback_via(struct domain
-
- spin_unlock(&d->arch.hvm_domain.irq_lock);
-
-- dprintk(XENLOG_G_INFO, "Dom%u callback via changed to ", d->domain_id);
-+#ifndef NDEBUG
-+ printk(XENLOG_G_INFO "Dom%u callback via changed to ", d->domain_id);
- switch ( via_type )
- {
- case HVMIRQ_callback_gsi:
-@@ -402,6 +403,7 @@ void hvm_set_callback_via(struct domain
- printk("None\n");
- break;
- }
-+#endif
- }
-
- struct hvm_intack hvm_vcpu_has_pending_irq(struct vcpu *v)
diff --git a/main/xen/xsa172.patch b/main/xen/xsa172.patch
deleted file mode 100644
index 8b1d01f..0000000
--- a/main/xen/xsa172.patch
@@ -1,39 +0,0 @@
-x86: fix information leak on AMD CPUs
-
-The fix for XSA-52 was wrong, and so was the change synchronizing that
-new behavior to the FXRSTOR logic: AMD's manuals explictly state that
-writes to the ES bit are ignored, and it instead gets calculated from
-the exception and mask bits (it gets set whenever there is an unmasked
-exception, and cleared otherwise). Hence we need to follow that model
-in our workaround.
-
-This is XSA-172.
-
-The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159.
-The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/i387.c
-+++ b/xen/arch/x86/i387.c
-@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc
- * sometimes new user value. Both should be ok. Use the FPU saved
- * data block as a safe address because it should be in L1.
- */
-- if ( !(fpu_ctxt->fsw & 0x0080) &&
-+ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
- boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- {
- asm volatile ( "fnclex\n\t"
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas
- * data block as a safe address because it should be in L1.
- */
- if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
-- !(ptr->fpu_sse.fsw & 0x0080) &&
-+ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
- boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- asm volatile ( "fnclex\n\t" /* clear exceptions */
- "ffree %%st(7)\n\t" /* clear stack tag */
diff --git a/main/xen/xsa173-4.5.patch b/main/xen/xsa173-4.5.patch
deleted file mode 100644
index d0ebe4a..0000000
--- a/main/xen/xsa173-4.5.patch
@@ -1,244 +0,0 @@
-commit 9d7687d60ae2e09ad2a77b05bd820e7850709375
-Author: Tim Deegan <tim@xen.org>
-Date: Wed Mar 16 16:56:04 2016 +0000
-
- x86: limit GFNs to 32 bits for shadowed superpages.
-
- Superpage shadows store the shadowed GFN in the backpointer field,
- which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage
- mapping of a guest-physical address above 2^44 would lead to the GFN
- being truncated there, and a crash when we come to remove the shadow
- from the hash table.
-
- Track the valid width of a GFN for each guest, including reporting it
- through CPUID, and enforce it in the shadow pagetables. Set the
- maximum witth to 32 for guests where this truncation could occur.
-
- This is XSA-173.
-
- Signed-off-by: Tim Deegan <tim@xen.org>
- Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
-index 5c8d3c2..7dc8220 100644
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-@@ -37,6 +37,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
- struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
-
- unsigned int paddr_bits __read_mostly = 36;
-+unsigned int hap_paddr_bits __read_mostly = 36;
-
- /*
- * Default host IA32_CR_PAT value to cover all memory types.
-@@ -209,7 +210,7 @@ static void __init early_cpu_detect(void)
-
- static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- {
-- u32 tfms, capability, excap, ebx;
-+ u32 tfms, capability, excap, ebx, eax;
-
- /* Get vendor name */
- cpuid(0x00000000, &c->cpuid_level,
-@@ -246,8 +247,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- }
- if ( c->extended_cpuid_level >= 0x80000004 )
- get_model_name(c); /* Default name */
-- if ( c->extended_cpuid_level >= 0x80000008 )
-- paddr_bits = cpuid_eax(0x80000008) & 0xff;
-+ if ( c->extended_cpuid_level >= 0x80000008 ) {
-+ eax = cpuid_eax(0x80000008);
-+ paddr_bits = eax & 0xff;
-+ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits;
-+ }
- }
-
- /* Might lift BIOS max_leaf=3 limit. */
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index 41fb10a..cac458a 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -4327,8 +4327,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx,
- break;
-
- case 0x80000008:
-- count = cpuid_eax(0x80000008);
-- count = (count >> 16) & 0xff ?: count & 0xff;
-+ count = d->arch.paging.gfn_bits + PAGE_SHIFT;
- if ( (*eax & 0xff) > count )
- *eax = (*eax & ~0xff) | count;
-
-diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c
-index 1b26175..50ba7d5 100644
---- a/xen/arch/x86/mm/guest_walk.c
-+++ b/xen/arch/x86/mm/guest_walk.c
-@@ -94,6 +94,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn,
- struct page_info *page;
- void *map;
-
-+ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits )
-+ {
-+ *rc = _PAGE_INVALID_BIT;
-+ return NULL;
-+ }
-+
- /* Translate the gfn, unsharing if shared */
- page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL,
- q);
-@@ -327,20 +333,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
- flags &= ~_PAGE_PAT;
-
- if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 )
-- {
--#if GUEST_PAGING_LEVELS == 2
-- /*
-- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a
-- * no-op here.
-- *
-- * Architecturally, the walk should fail if bit 21 is set (others
-- * aren't being checked at least in PSE36 mode), but we'll ignore
-- * this here in order to avoid specifying a non-natural, non-zero
-- * _PAGE_INVALID_BITS value just for that case.
-- */
--#endif
- rc |= _PAGE_INVALID_BITS;
-- }
-+
- /* Increment the pfn by the right number of 4k pages.
- * Mask out PAT and invalid bits. */
- start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) +
-@@ -423,5 +417,11 @@ set_ad:
- put_page(mfn_to_page(mfn_x(gw->l1mfn)));
- }
-
-+ /* If this guest has a restricted physical address space then the
-+ * target GFN must fit within it. */
-+ if ( !(rc & _PAGE_PRESENT)
-+ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits )
-+ rc |= _PAGE_INVALID_BITS;
-+
- return rc;
- }
-diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
-index 0c80012..84531b1 100644
---- a/xen/arch/x86/mm/hap/hap.c
-+++ b/xen/arch/x86/mm/hap/hap.c
-@@ -429,6 +429,8 @@ void hap_domain_init(struct domain *d)
- {
- INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist);
-
-+ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT;
-+
- /* Use HAP logdirty mechanism. */
- paging_log_dirty_init(d, hap_enable_log_dirty,
- hap_disable_log_dirty,
-diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
-index 18026fe..9028d82 100644
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -48,6 +48,16 @@ void shadow_domain_init(struct domain *d, unsigned int domcr_flags)
- INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist);
- INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows);
-
-+ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT;
-+#ifndef CONFIG_BIGMEM
-+ /*
-+ * Shadowed superpages store GFNs in 32-bit page_info fields.
-+ * Note that we cannot use guest_supports_superpages() here.
-+ */
-+ if ( !is_pv_domain(d) || opt_allow_superpage )
-+ d->arch.paging.gfn_bits = 32;
-+#endif
-+
- /* Use shadow pagetables for log-dirty support */
- paging_log_dirty_init(d, shadow_enable_log_dirty,
- shadow_disable_log_dirty, shadow_clean_dirty_bitmap);
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index d6802ff..7589d23 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -527,7 +527,8 @@ _sh_propagate(struct vcpu *v,
- ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3);
-
- /* Check there's something for the shadows to map to */
-- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) )
-+ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt))
-+ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits )
- {
- *sp = shadow_l1e_empty();
- goto done;
-diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
-index 6a77a93..e8df4a9 100644
---- a/xen/include/asm-x86/domain.h
-+++ b/xen/include/asm-x86/domain.h
-@@ -188,6 +188,9 @@ struct paging_domain {
- /* log dirty support */
- struct log_dirty_domain log_dirty;
-
-+ /* Number of valid bits in a gfn. */
-+ unsigned int gfn_bits;
-+
- /* preemption handling */
- struct {
- const struct domain *dom;
-diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h
-index d2a8250..d95f835 100644
---- a/xen/include/asm-x86/guest_pt.h
-+++ b/xen/include/asm-x86/guest_pt.h
-@@ -220,15 +220,17 @@ guest_supports_nx(struct vcpu *v)
- }
-
-
--/* Some bits are invalid in any pagetable entry. */
--#if GUEST_PAGING_LEVELS == 2
--#define _PAGE_INVALID_BITS (0)
--#elif GUEST_PAGING_LEVELS == 3
--#define _PAGE_INVALID_BITS \
-- get_pte_flags(((1ull<<63) - 1) & ~((1ull<<paddr_bits) - 1))
--#else /* GUEST_PAGING_LEVELS == 4 */
-+/*
-+ * Some bits are invalid in any pagetable entry.
-+ * Normal flags values get represented in 24-bit values (see
-+ * get_pte_flags() and put_pte_flags()), so set bit 24 in
-+ * addition to be able to flag out of range frame numbers.
-+ */
-+#if GUEST_PAGING_LEVELS == 3
- #define _PAGE_INVALID_BITS \
-- get_pte_flags(((1ull<<52) - 1) & ~((1ull<<paddr_bits) - 1))
-+ (_PAGE_INVALID_BIT | get_pte_flags(((1ull << 63) - 1) & ~(PAGE_SIZE - 1)))
-+#else /* 2-level and 4-level */
-+#define _PAGE_INVALID_BITS _PAGE_INVALID_BIT
- #endif
-
-
-diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
-index b4e4731..56fc5a2 100644
---- a/xen/include/asm-x86/processor.h
-+++ b/xen/include/asm-x86/processor.h
-@@ -203,6 +203,8 @@ extern u32 cpuid_ext_features;
-
- /* Maximum width of physical addresses supported by the hardware */
- extern unsigned int paddr_bits;
-+/* Max physical address width supported within HAP guests */
-+extern unsigned int hap_paddr_bits;
-
- extern void identify_cpu(struct cpuinfo_x86 *);
- extern void setup_clear_cpu_cap(unsigned int);
-diff --git a/xen/include/asm-x86/x86_64/page.h b/xen/include/asm-x86/x86_64/page.h
-index 1d54587..f1d1b6c 100644
---- a/xen/include/asm-x86/x86_64/page.h
-+++ b/xen/include/asm-x86/x86_64/page.h
-@@ -141,6 +141,12 @@ typedef l4_pgentry_t root_pgentry_t;
- #define _PAGE_GNTTAB (1U<<22)
-
- /*
-+ * Bit 24 of a 24-bit flag mask! This is not any bit of a real pte,
-+ * and is only used for signalling in variables that contain flags.
-+ */
-+#define _PAGE_INVALID_BIT (1U<<24)
-+
-+/*
- * Bit 12 of a 24-bit flag mask. This corresponds to bit 52 of a pte.
- * This is needed to distinguish between user and kernel PTEs since _PAGE_USER
- * is asserted for both.
diff --git a/main/xen/xsa176.patch b/main/xen/xsa176.patch
deleted file mode 100644
index 1c15abd..0000000
--- a/main/xen/xsa176.patch
@@ -1,45 +0,0 @@
-x86/mm: fully honor PS bits in guest page table walks
-
-In L4 entries it is currently unconditionally reserved (and hence
-should, when set, always result in a reserved bit page fault), and is
-reserved on hardware not supporting 1Gb pages (and hence should, when
-set, similarly cause a reserved bit page fault on such hardware).
-
-This is CVE-2016-4480 / XSA-176.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/mm/guest_walk.c
-+++ b/xen/arch/x86/mm/guest_walk.c
-@@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct
- rc |= _PAGE_PRESENT;
- goto out;
- }
-+ if ( gflags & _PAGE_PSE )
-+ {
-+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
-+ goto out;
-+ }
- rc |= ((gflags & mflags) ^ mflags);
-
- /* Map the l3 table */
-@@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct
- }
- rc |= ((gflags & mflags) ^ mflags);
-
-- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v);
-+ pse1G = !!(gflags & _PAGE_PSE);
-
- if ( pse1G )
- {
-@@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct
- /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */
- flags &= ~_PAGE_PAT;
-
-+ if ( !guest_supports_1G_superpages(v) )
-+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
- if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 )
- rc |= _PAGE_INVALID_BITS;
-
diff --git a/main/xen/xsa181.patch b/main/xen/xsa181.patch
deleted file mode 100644
index c44541e..0000000
--- a/main/xen/xsa181.patch
@@ -1,38 +0,0 @@
-From ee488e2133e581967d13d5287d7bd654e9b2e2a6 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 2 Jun 2016 14:19:00 +0100
-Subject: [PATCH] xen/arm: Don't free p2m->root in p2m_teardown() before it has
- been allocated
-
-If p2m_init() didn't complete successfully, (e.g. due to VMID
-exhaustion), p2m_teardown() is called and unconditionally tries to free
-p2m->root before it has been allocated. free_domheap_pages() doesn't
-tolerate NULL pointers.
-
-This is XSA-181
-
-Reported-by: Aaron Cornelius <Aaron.Cornelius@dornerworks.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Julien Grall <julien.grall@arm.com>
----
- xen/arch/arm/p2m.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
-index 838d004..6a19c57 100644
---- a/xen/arch/arm/p2m.c
-+++ b/xen/arch/arm/p2m.c
-@@ -1408,7 +1408,8 @@ void p2m_teardown(struct domain *d)
- while ( (pg = page_list_remove_head(&p2m->pages)) )
- free_domheap_page(pg);
-
-- free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
-+ if ( p2m->root )
-+ free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
-
- p2m->root = NULL;
-
---
-2.1.4
-
diff --git a/main/xen/xsa182-4.5.patch b/main/xen/xsa182-4.5.patch
deleted file mode 100644
index 95971a4..0000000
--- a/main/xen/xsa182-4.5.patch
@@ -1,102 +0,0 @@
-From 798c1498f764bfaa7b0b955bab40b01b0610d372 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Mon, 11 Jul 2016 14:32:03 +0100
-Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
-
-All changes in writeability and cacheability must go through full
-re-validation.
-
-Rework the logic as a whitelist, to make it clearer to follow.
-
-This is XSA-182
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
----
- xen/arch/x86/mm.c | 28 ++++++++++++++++------------
- xen/include/asm-x86/page.h | 1 +
- 2 files changed, 17 insertions(+), 12 deletions(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index b4c4fa4..a68a1ab 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -1695,6 +1695,14 @@ static inline int update_intpte(intpte_t *p,
- _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \
- (_m), (_v), (_ad))
-
-+/*
-+ * PTE flags that a guest may change without re-validating the PTE.
-+ * All other bits affect translation, caching, or Xen's safety.
-+ */
-+#define FASTPATH_FLAG_WHITELIST \
-+ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \
-+ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER)
-+
- /* Update the L1 entry at pl1e to new value nl1e. */
- static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
- unsigned long gl1mfn, int preserve_ad,
-@@ -1735,9 +1743,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping, r/w, presence, and cachability. */
-- if ( !l1e_has_changed(ol1e, nl1e,
-- PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l1e(nl1e, pt_dom);
- if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
-@@ -1819,11 +1826,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l2e_has_changed(ol2e, nl2e,
-- unlikely(opt_allow_superpage)
-- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
-- : _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l2e(nl2e, d);
- if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
-@@ -1888,8 +1892,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l3e(nl3e, d);
- rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad);
-@@ -1952,8 +1956,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e,
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping and presence. */
-- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) )
-+ /* Fast path for sufficiently-similar mappings. */
-+ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) )
- {
- adjust_guest_l4e(nl4e, d);
- rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad);
-diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h
-index 6dc9646..03c024c 100644
---- a/xen/include/asm-x86/page.h
-+++ b/xen/include/asm-x86/page.h
-@@ -308,6 +308,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t);
- #define _PAGE_AVAIL2 _AC(0x800,U)
- #define _PAGE_AVAIL _AC(0xE00,U)
- #define _PAGE_PSE_PAT _AC(0x1000,U)
-+#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12)
- /* non-architectural flags */
- #define _PAGE_PAGED 0x2000U
- #define _PAGE_SHARED 0x4000U
---
-2.1.4
-
diff --git a/main/xen/xsa183-4.6.patch b/main/xen/xsa183-4.6.patch
deleted file mode 100644
index 84d7007..0000000
--- a/main/xen/xsa183-4.6.patch
@@ -1,75 +0,0 @@
-From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 15 Jun 2016 18:32:14 +0100
-Subject: [PATCH] x86/entry: Avoid SMAP violation in
- compat_create_bounce_frame()
-
-A 32bit guest kernel might be running on user mappings.
-compat_create_bounce_frame() must whitelist its guest accesses to avoid
-risking a SMAP violation.
-
-For both variants of create_bounce_frame(), re-blacklist user accesses if
-execution exits via an exception table redirection.
-
-This is XSA-183 / CVE-2016-6259
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
-v2:
- * Include CLAC on the exit paths from compat_create_bounce_frame which occur
- from faults attempting to load %fs
- * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz
----
- xen/arch/x86/x86_64/compat/entry.S | 3 +++
- xen/arch/x86/x86_64/entry.S | 2 ++
- 2 files changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
-index 0e3db7c..1eaf4bb 100644
---- a/xen/arch/x86/x86_64/compat/entry.S
-+++ b/xen/arch/x86/x86_64/compat/entry.S
-@@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap)
- compat_create_bounce_frame:
- ASSERT_INTERRUPTS_ENABLED
- mov %fs,%edi
-+ ASM_STAC
- testb $2,UREGS_cs+8(%rsp)
- jz 1f
- /* Push new frame at registered guest-OS stack base. */
-@@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe)
- movl %ds,%eax
- .Lft12: movl %eax,%fs:0*4(%rsi) # DS
- UNLIKELY_END(compat_bounce_failsafe)
-+ ASM_CLAC
- /* Rewrite our stack frame and return to guest-OS mode. */
- /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
- andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
-@@ -448,6 +450,7 @@ compat_crash_page_fault_4:
- addl $4,%esi
- compat_crash_page_fault:
- .Lft14: mov %edi,%fs
-+ ASM_CLAC
- movl %esi,%edi
- call show_page_walk
- jmp dom_crash_sync_extable
-diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
-index 6e27508..0c2e63a 100644
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-@@ -462,9 +462,11 @@ domain_crash_page_fault_16:
- domain_crash_page_fault_8:
- addq $8,%rsi
- domain_crash_page_fault:
-+ ASM_CLAC
- movq %rsi,%rdi
- call show_page_walk
- ENTRY(dom_crash_sync_extable)
-+ ASM_CLAC
- # Get out of the guest-save area of the stack.
- GET_STACK_BASE(%rax)
- leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
---
-2.1.4
-
diff --git a/main/xen/xsa184-qemut-master.patch b/main/xen/xsa184-qemut-master.patch
deleted file mode 100644
index b376f33..0000000
--- a/main/xen/xsa184-qemut-master.patch
@@ -1,43 +0,0 @@
-From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 26 Jul 2016 15:31:59 +0100
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size. This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible. Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits. This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio.c b/hw/virtio.c
-index c26feff..42897bf 100644
---- a/tools/qemu-xen-traditional/hw/virtio.c
-+++ b/tools/qemu-xen-traditional/hw/virtio.c
-@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
- /* When we start there are none of either input nor output. */
- elem->out_num = elem->in_num = 0;
-
-+ if (vq->inuse >= vq->vring.num) {
-+ fprintf(stderr, "Virtqueue size exceeded");
-+ exit(1);
-+ }
-+
- i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
- do {
- struct iovec *sg;
---
-2.1.4
-
diff --git a/main/xen/xsa184-qemuu-master.patch b/main/xen/xsa184-qemuu-master.patch
deleted file mode 100644
index bbe44e8..0000000
--- a/main/xen/xsa184-qemuu-master.patch
@@ -1,43 +0,0 @@
-From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Mon, 25 Jul 2016 17:37:18 +0530
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size. This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible. Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits. This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index d24f775..f8ac0fb 100644
---- a/tools/qemu-xen/hw/virtio/virtio.c
-+++ b/tools/qemu-xen/hw/virtio/virtio.c
-@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
-
- max = vq->vring.num;
-
-+ if (vq->inuse >= max) {
-+ error_report("Virtqueue size exceeded");
-+ exit(1);
-+ }
-+
- i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
- if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
- vring_set_avail_event(vq, vq->last_avail_idx);
---
-2.1.4
-
diff --git a/main/xen/xsa185.patch b/main/xen/xsa185.patch
deleted file mode 100644
index a4c133e..0000000
--- a/main/xen/xsa185.patch
@@ -1,38 +0,0 @@
-From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Mon, 8 Aug 2016 10:58:12 +0100
-Subject: x86/32on64: don't allow recursive page tables from L3
-
-L3 entries are special in PAE mode, and hence can't reasonably be used
-for setting up recursive (and hence linear) page table mappings. Since
-abuse is possible when the guest in fact gets run on 4-level page
-tables, this needs to be excluded explicitly.
-
-This is XSA-185.
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Reported-by: 栾尚聪(好风) <shangcong.lsc@alibaba-inc.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/mm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 109b8be..69b8b8d 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -1122,7 +1122,9 @@ get_page_from_l3e(
-
- rc = get_page_and_type_from_pagenr(
- l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
-- if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
-+ if ( unlikely(rc == -EINVAL) &&
-+ !is_pv_32bit_domain(d) &&
-+ get_l3_linear_pagetable(l3e, pfn, d) )
- rc = 0;
-
- return rc;
---
-2.1.4
-
diff --git a/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch b/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
deleted file mode 100644
index b257497..0000000
--- a/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
@@ -1,73 +0,0 @@
-From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Fri, 22 Jul 2016 16:02:54 +0000
-Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
- instructions
-
-This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
-
-Experimentally, in long mode processors will execute an instruction stream
-which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
-boundary is aligned on the virtual boundary, or is misaligned.
-
-In compatibility mode, Intel processors will execute an instruction stream
-which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
-segmentation fault. Xen's segmentation behaviour matches AMD.
-
-For 16bit code, hardware does not ever truncated %ip. %eip is always used and
-behaves normally as a 32bit register, including in 16bit protected mode
-segments, as well as in Real and Unreal mode.
-
-This is XSA-186
-
-Reported-by: Brian Marcotte <marcotte@panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
- xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
- 1 file changed, 4 insertions(+), 18 deletions(-)
-
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index d5a56cf..bf3529a 100644
---- a/xen/arch/x86/x86_emulate/x86_emulate.c
-+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
-@@ -1570,10 +1570,6 @@ x86_emulate(
- #endif
- }
-
-- /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
-- if ( def_ad_bytes < sizeof(_regs.eip) )
-- _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
--
- /* Prefix bytes. */
- for ( ; ; )
- {
-@@ -3906,21 +3902,11 @@ x86_emulate(
-
- /* Commit shadow register state. */
- _regs.eflags &= ~EFLG_RF;
-- switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
-- {
-- uint16_t ip;
-
-- case 2:
-- ip = _regs.eip;
-- _regs.eip = ctxt->regs->eip;
-- *(uint16_t *)&_regs.eip = ip;
-- break;
--#ifdef __x86_64__
-- case 4:
-- _regs.rip = _regs._eip;
-- break;
--#endif
-- }
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( def_ad_bytes < sizeof(_regs.eip) )
-+ _regs.eip = (uint32_t)_regs.eip;
-+
- *ctxt->regs = _regs;
-
- done:
---
-2.1.4
-
diff --git a/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch b/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
deleted file mode 100644
index 07c30a2..0000000
--- a/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
@@ -1,41 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
-
-The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
-rdtsc, but isn't really an instruction prefix. It behaves as a break-out into
-Xen, with the purpose of emulating the next instruction in the current state.
-
-It is important to be able to test legal situations which occur in real
-hardware, including instruction which cross certain boundaries, and
-instructions starting at 0.
-
-Reported-by: Brian Marcotte <marcotte@panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/hvm/svm/svm.c
-+++ b/xen/arch/x86/hvm/svm/svm.c
-@@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru
- {
- regs->eip += sizeof(sig);
- regs->eflags &= ~X86_EFLAGS_RF;
-+
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( svm_guest_x86_mode(current) != 8 )
-+ regs->eip = regs->_eip;
- }
- }
-
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru
- {
- regs->eip += sizeof(sig);
- regs->eflags &= ~X86_EFLAGS_RF;
-+
-+ /* Zero the upper 32 bits of %rip if not in long mode. */
-+ if ( vmx_guest_x86_mode(current) != 8 )
-+ regs->eip = regs->_eip;
- }
- }
-
diff --git a/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
deleted file mode 100644
index e8cd1e7..0000000
--- a/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
@@ -1,142 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
-
-HVM HAP codepaths have space for all segment registers in the seg_reg[]
-cache (with x86_seg_none still risking an array overrun), while the shadow
-codepaths only have space for the user segments.
-
-Range check the input segment of *_get_seg_reg() against the size of the array
-used to cache the results, to avoid overruns in the case that the callers
-don't filter their input suitably.
-
-Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
-an incomplete attempt at range checking, and are now superceeded. Make
-hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
-
-No functional change, but far easier to reason that no overflow is possible.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Tim Deegan <tim@xen.org>
-Acked-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/hvm/emulate.c
-+++ b/xen/arch/x86/hvm/emulate.c
-@@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear(
- ? 1 : 4096);
-
- reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
- {
-@@ -1360,6 +1362,10 @@ static int hvmemul_read_segment(
- struct hvm_emulate_ctxt *hvmemul_ctxt =
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(reg, sreg, sizeof(struct segment_register));
- return X86EMUL_OKAY;
- }
-@@ -1373,6 +1379,9 @@ static int hvmemul_write_segment(
- container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-
-+ if ( IS_ERR(sreg) )
-+ return -PTR_ERR(sreg);
-+
- memcpy(sreg, reg, sizeof(struct segment_register));
- __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
-
-@@ -1911,10 +1920,17 @@ void hvm_emulate_writeback(
- }
- }
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvmemul_get_seg_reg(
- enum x86_segment seg,
- struct hvm_emulate_ctxt *hvmemul_ctxt)
- {
-+ if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
- if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
- hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
- return &hvmemul_ctxt->seg_reg[seg];
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init);
- /* x86 emulator support for the shadow code
- */
-
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid. Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvm_get_seg_reg(
- enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
- {
-- struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
-+ struct segment_register *seg_reg;
-+
-+ if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
-+ return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
-+ seg_reg = &sh_ctxt->seg_reg[seg];
- if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
- hvm_get_segment_register(current, seg, seg_reg);
- return seg_reg;
-@@ -145,14 +154,9 @@ static int hvm_translate_linear_addr(
- struct segment_register *reg;
- int okay;
-
-- /*
-- * Can arrive here with non-user segments. However, no such cirucmstance
-- * is part of a legitimate pagetable update, so fail the emulation.
-- */
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ if ( IS_ERR(reg) )
-+ return -PTR_ERR(reg);
-
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-@@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg,
- unsigned long addr;
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- /* How many emulations could we save if we unshadowed on stack writes? */
- if ( seg == x86_seg_ss )
- perfc_incr(shadow_fault_emulate_stack);
-@@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
- unsigned long addr, old[2], new[2];
- int rc;
-
-- if ( !is_x86_user_segment(seg) )
-- return X86EMUL_UNHANDLEABLE;
--
- rc = hvm_translate_linear_addr(
- seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
- if ( rc )
---- a/xen/include/asm-x86/hvm/emulate.h
-+++ b/xen/include/asm-x86/hvm/emulate.h
-@@ -13,6 +13,7 @@
- #define __ASM_X86_HVM_EMULATE_H__
-
- #include <xen/config.h>
-+#include <xen/err.h>
- #include <asm/hvm/hvm.h>
- #include <asm/x86_emulate.h>
-
diff --git a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
deleted file mode 100644
index bc99596..0000000
--- a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
@@ -1,42 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
-
-hvm_get_seg_reg() does not perform a range check on its input segment, calls
-hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
-
-x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
-in {vmx,svm}_get_segment_register().
-
-HVM guests running with shadow paging can end up performing a virtual to
-linear translation with x86_seg_none. This is used for addresses which are
-already linear. However, none of this is a legitimate pagetable update, so
-fail the emulation in such a case.
-
-This is XSA-187
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
- struct sh_emulate_ctxt *sh_ctxt,
- unsigned long *paddr)
- {
-- struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
-+ struct segment_register *reg;
- int okay;
-
-+ /*
-+ * Can arrive here with non-user segments. However, no such cirucmstance
-+ * is part of a legitimate pagetable update, so fail the emulation.
-+ */
-+ if ( !is_x86_user_segment(seg) )
-+ return X86EMUL_UNHANDLEABLE;
-+
-+ reg = hvm_get_seg_reg(seg, sh_ctxt);
-+
- okay = hvm_virtual_to_linear_addr(
- seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-
diff --git a/main/xen/xsa202-4.6.patch b/main/xen/xsa202-4.6.patch
new file mode 100644
index 0000000..0c7fff0
--- /dev/null
+++ b/main/xen/xsa202-4.6.patch
@@ -0,0 +1,73 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86: force EFLAGS.IF on when exiting to PV guests
+
+Guest kernels modifying instructions in the process of being emulated
+for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
+next exiting to guest context, by converting the being emulated
+instruction to CLI (at the right point in time). Prevent any such bad
+effects by always forcing EFLAGS.IF on. And to cover hypothetical other
+similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.
+
+This is XSA-202.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -174,6 +174,8 @@ compat_bad_hypercall:
+ /* %rbx: struct vcpu, interrupts disabled */
+ ENTRY(compat_restore_all_guest)
+ ASSERT_INTERRUPTS_DISABLED
++ mov $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
++ and UREGS_eflags(%rsp),%r11d
+ .Lcr4_orig:
+ .skip .Lcr4_alt_end - .Lcr4_alt, 0x90
+ .Lcr4_orig_end:
+@@ -209,6 +211,8 @@ ENTRY(compat_restore_all_guest)
+ (.Lcr4_orig_end - .Lcr4_orig), \
+ (.Lcr4_alt_end - .Lcr4_alt)
+ .popsection
++ or $X86_EFLAGS_IF,%r11
++ mov %r11d,UREGS_eflags(%rsp)
+ RESTORE_ALL adj=8 compat=1
+ .Lft0: iretq
+
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -40,28 +40,29 @@ restore_all_guest:
+ testw $TRAP_syscall,4(%rsp)
+ jz iret_exit_to_guest
+
++ movq 24(%rsp),%r11 # RFLAGS
++ andq $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
++ orq $X86_EFLAGS_IF,%r11
++
+ /* Don't use SYSRET path if the return address is not canonical. */
+ movq 8(%rsp),%rcx
+ sarq $47,%rcx
+ incl %ecx
+ cmpl $1,%ecx
+- ja .Lforce_iret
++ movq 8(%rsp),%rcx # RIP
++ ja iret_exit_to_guest
+
+ cmpw $FLAT_USER_CS32,16(%rsp)# CS
+- movq 8(%rsp),%rcx # RIP
+- movq 24(%rsp),%r11 # RFLAGS
+ movq 32(%rsp),%rsp # RSP
+ je 1f
+ sysretq
+ 1: sysretl
+
+-.Lforce_iret:
+- /* Mimic SYSRET behavior. */
+- movq 8(%rsp),%rcx # RIP
+- movq 24(%rsp),%r11 # RFLAGS
+ ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
++ andl $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
++ orl $X86_EFLAGS_IF,24(%rsp)
+ addq $8,%rsp
+ .Lft0: iretq
+
diff --git a/main/xen/xsa204-4.5.patch b/main/xen/xsa204-4.5.patch
new file mode 100644
index 0000000..352845a
--- /dev/null
+++ b/main/xen/xsa204-4.5.patch
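Review bot: The added file `xsa202-4.6.patch` carries a 4.6 suffix while this package moves to 4.5.5 and the sibling file added in the same commit is `xsa204-4.5.patch`, so it should be confirmed against the XSA-202 advisory that this is the file intended for the 4.5 branch. Its hunks sit in both guest-exit paths (`compat_restore_all_guest` and `restore_all_guest` / `iret_exit_to_guest`), where the EFLAGS masking has to land before `RESTORE_ALL`, `sysretq` and `iretq`; if the patch applies to the 4.5.5 tree only with offset or fuzz, the patched `entry.S` files deserve a manual read. Assuming the advisory does list this file for 4.5.x, a line in the commit description such as `XSA-202: upstream xsa202-4.6.patch, listed by the advisory for 4.5.x` would record that for the next maintainer.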
@@ -0,0 +1,69 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1537,6 +1537,7 @@ x86_emulate(
+ union vex vex = {};
+ unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+ bool_t lock_prefix = 0;
++ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+ int override_seg = -1, rc = X86EMUL_OKAY;
+ struct operand src = { .reg = REG_POISON };
+ struct operand dst = { .reg = REG_POISON };
+@@ -3881,9 +3882,8 @@ x86_emulate(
+ break;
+ }
+
+- /* Inject #DB if single-step tracing was enabled at instruction start. */
+- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+- (ops->inject_hw_exception != NULL) )
++ /* Should a singlestep #DB be raised? */
++ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+ rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+
+ /* Commit shadow register state. */
+@@ -4068,6 +4068,23 @@ x86_emulate(
+ (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+ goto done;
+
++ /*
++ * SYSCALL (unlike most instructions) evaluates its singlestep action
++ * based on the resulting EFLG_TF, not the starting EFLG_TF.
++ *
++ * As the #DB is raised after the CPL change and before the OS can
++ * switch stack, it is a large risk for privilege escalation.
++ *
++ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++ * vulnerability. Running the #DB handler on an IST stack is also a
++ * mitigation.
++ *
++ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
++ * mitigation is to use a task gate for handling #DB (or to not use
++ * enable EFER.SCE to start with).
++ */
++ tf = !!(_regs.eflags & EFLG_TF);
++
+ break;
+ }
+
-- 2.4.11 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---