X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from SMTP.EU.CITRIX.COM (smtp.eu.citrix.com [62.200.22.115]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 718C0DC0295 for ; Fri, 16 Nov 2012 16:53:39 +0000 (UTC) X-IronPort-AV: E=Sophos;i="4.83,265,1352073600"; d="scan'208";a="15856313" Received: from lonpmailmx01.citrite.net ([10.30.203.162]) by LONPIPO01.EU.CITRIX.COM with ESMTP/TLS/RC4-MD5; 16 Nov 2012 16:53:27 +0000 Received: from mac.citrite.net (10.31.3.235) by LONPMAILMX01.citrite.net (10.30.203.162) with Microsoft SMTP Server id 8.3.279.1; Fri, 16 Nov 2012 16:53:26 +0000 From: Roger Pau Monne To: CC: Roger Pau Monne Subject: [alpine-devel] [PATCH 2/4] xen: add a bunch of security fixes Date: Fri, 16 Nov 2012 17:53:16 +0100 Message-ID: <1353084798-65779-3-git-send-email-roger.pau@citrix.com> X-Mailer: git-send-email 1.7.7.5 (Apple Git-26) In-Reply-To: <1353084798-65779-1-git-send-email-roger.pau@citrix.com> References: <1353084798-65779-1-git-send-email-roger.pau@citrix.com> X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: text/plain This covers: XSA-20 XSA-22 XSA-23 XSA-24 Signed-off-by: Roger Pau Monne --- main/xen/APKBUILD | 8 +++++++ main/xen/xsa20.patch | 38 +++++++++++++++++++++++++++++++++++ main/xen/xsa22-4.2-unstable.patch | 40 +++++++++++++++++++++++++++++++++++++ main/xen/xsa23-4.2-unstable.patch | 32 +++++++++++++++++++++++++++++ main/xen/xsa24.patch | 26 ++++++++++++++++++++++++ 5 files changed, 144 insertions(+), 0 deletions(-) create mode 100644 main/xen/xsa20.patch create mode 100644 main/xen/xsa22-4.2-unstable.patch create mode 100644 main/xen/xsa23-4.2-unstable.patch create mode 100644 main/xen/xsa24.patch diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 7143850..1777d47 100644 
--- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -19,6 +19,10 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g librt.patch make_stubdoms.patch qemu-xen_paths.patch + xsa20.patch + xsa22-4.2-unstable.patch + xsa23-4.2-unstable.patch + xsa24.patch xsa25-4.2.patch xenstored.initd @@ -134,6 +138,10 @@ md5sums="f4f217969afc38f09251039966d91a87 xen-4.2.0.tar.gz 2dc5ddf47c53ea168729975046c3c1f9 librt.patch 41ad48fdc269749776fa6aa04f6778c2 make_stubdoms.patch 1ccde6b36a6f9542a16d998204dc9a22 qemu-xen_paths.patch +fb7e76f00c2a4e63b408cb67df7d1a7b xsa20.patch +5a67dfac5e6f5a0836aeaefa1804c09f xsa22-4.2-unstable.patch +9151e7c648b12f518826ad0f0a67da42 xsa23-4.2-unstable.patch +9bd8b30094f8eb2408846c1b6ed0cad6 xsa24.patch 9fc7097ed2e5e756c4ae91145c143433 xsa25-4.2.patch 4ee9bf0c09269995569c9f05d4e8c779 xenstored.initd b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch new file mode 100644 index 0000000..bedd318 --- /dev/null +++ b/main/xen/xsa20.patch 
@@ -0,0 +1,38 @@ +VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability + +The timer action for a vcpu periodic timer is to calculate the next +expiry time, and to reinsert itself into the timer queue. If the +deadline ends up in the past, Xen never leaves __do_softirq(). The +affected PCPU will stay in an infinite loop until Xen is killed by the +watchdog (if enabled). + +This is a security problem, XSA-20 / CVE-2012-4535. + +Signed-off-by: Andrew Cooper +Acked-by: Ian Campbell + +diff -r 478ba3f146df xen/common/domain.c +--- a/xen/common/domain.c ++++ b/xen/common/domain.c +@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN + if ( set.period_ns < MILLISECS(1) ) + return -EINVAL; + ++ if ( set.period_ns > STIME_DELTA_MAX ) ++ return -EINVAL; ++ + v->periodic_period = set.period_ns; + vcpu_force_reschedule(v); + +diff -r 478ba3f146df xen/include/xen/time.h +--- a/xen/include/xen/time.h ++++ b/xen/include/xen/time.h +@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); + #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) + #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) + #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) ++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ ++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) + + extern void update_vcpu_system_time(struct vcpu *v); + extern void update_domain_wallclock_time(struct domain *d); diff --git a/main/xen/xsa22-4.2-unstable.patch b/main/xen/xsa22-4.2-unstable.patch new file mode 100644 index 0000000..e15fd73 --- /dev/null +++ b/main/xen/xsa22-4.2-unstable.patch 
@@ -0,0 +1,40 @@ +x86/physmap: Prevent incorrect updates of m2p mappings + +In certain conditions, such as low memory, set_p2m_entry() can fail. +Currently, the p2m and m2p tables will get out of sync because we still +update the m2p table after the p2m update has failed. + +If that happens, subsequent guest-invoked memory operations can cause +BUG()s and ASSERT()s to kill Xen. + +This is fixed by only updating the m2p table iff the p2m was +successfully updated. + +This is a security problem, XSA-22 / CVE-2012-4537. + +Signed-off-by: Andrew Cooper +Acked-by: Ian Campbell +Acked-by: Ian Jackson + +diff -r f53b9f915c3d xen/arch/x86/mm/p2m.c +--- a/xen/arch/x86/mm/p2m.c ++++ b/xen/arch/x86/mm/p2m.c +@@ -633,7 +633,10 @@ guest_physmap_add_entry(struct domain *d + if ( mfn_valid(_mfn(mfn)) ) + { + if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) ++ { + rc = -EINVAL; ++ goto out; /* Failed to update p2m, bail without updating m2p. */ ++ } + if ( !p2m_is_grant(t) ) + { + for ( i = 0; i < (1UL << page_order); i++ ) +@@ -656,6 +659,7 @@ guest_physmap_add_entry(struct domain *d + } + } + ++out: + p2m_unlock(p2m); + + return rc; diff --git a/main/xen/xsa23-4.2-unstable.patch b/main/xen/xsa23-4.2-unstable.patch new file mode 100644 index 0000000..be80a61 --- /dev/null +++ b/main/xen/xsa23-4.2-unstable.patch 
@@ -0,0 +1,32 @@ +xen/mm/shadow: check toplevel pagetables are present before unhooking them. + +If the guest has not fully populated its top-level PAE entries when it calls +HVMOP_pagetable_dying, the shadow code could try to unhook entries from +MFN 0. Add a check to avoid that case. + +This issue was introduced by c/s 21239:b9d2db109cf5. + +This is a security problem, XSA-23 / CVE-2012-4538. + +Signed-off-by: Tim Deegan +Tested-by: Andrew Cooper +Acked-by: Ian Campbell + +diff -r cc56c0394db7 xen/arch/x86/mm/shadow/multi.c +--- a/xen/arch/x86/mm/shadow/multi.c ++++ b/xen/arch/x86/mm/shadow/multi.c +@@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc + unsigned long gfn; + mfn_t smfn, gmfn; + +- if ( fast_path ) +- smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); ++ if ( fast_path ) { ++ if ( pagetable_is_null(v->arch.shadow_table[i]) ) ++ smfn = _mfn(INVALID_MFN); ++ else ++ smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i])); ++ } + else + { + /* retrieving the l2s */ diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch new file mode 100644 index 0000000..e46f513 --- /dev/null +++ b/main/xen/xsa24.patch 
@@ -0,0 +1,26 @@ +compat/gnttab: Prevent infinite loop in compat code + +c/s 20281:95ea2052b41b, which introduces Grant Table version 2 +hypercalls introduces a vulnerability whereby the compat hypercall +handler can fall into an infinite loop. + +If the watchdog is enabled, Xen will die after the timeout. + +This is a security problem, XSA-24 / CVE-2012-4539. + +Signed-off-by: Andrew Cooper +Acked-by: Jan Beulich +Acked-by: Ian Jackson + +diff -r bac883cf805a xen/common/compat/grant_table.c +--- a/xen/common/compat/grant_table.c ++++ b/xen/common/compat/grant_table.c +@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c + #undef XLAT_gnttab_get_status_frames_HNDL_frame_list + if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) + rc = -EFAULT; ++ else ++ i = 1; + } + break; + } -- 1.7.7.5 (Apple Git-26) --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---
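Review bot: neither APKBUILD hunk bumps pkgrel, yet the first hunk adds four new entries (`+ xsa20.patch` through `+ xsa24.patch`) to source=; without a pkgrel increment the rebuilt apk keeps its current version string and already-installed systems will not pick up an upgrade carrying XSA-20/22/23/24. Suggest adding the pkgrel bump in the same commit, and confirming that the APKBUILD's prepare step actually applies every `*.patch` listed in source= rather than only downloading and checksumming them.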
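Review bot: in the md5sums hunk the four new digests are inserted in the same order as the source= additions, which is what abuild requires, so the bookkeeping is consistent. Keep in mind that md5 here only guards against accidental edits of the local patch files; any later whitespace or line-ending change to one of the xsa files in main/xen/ will break the build until the corresponding sum is regenerated, so treat the four files as frozen copies of the published XSA patches.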
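Review bot: in xsa20.patch the new `if ( set.period_ns > STIME_DELTA_MAX ) return -EINVAL;` sits directly after the existing `set.period_ns < MILLISECS(1)` test, so both out-of-range periods are rejected before the value reaches `v->periodic_period` and `vcpu_force_reschedule(v)`, which is the correct ordering for the overflow the header describes. One arithmetic nit in the added time.h comment: `(uint64_t)~0ull>>2` is 2^62 ns, roughly 146 years, not the 200 years stated (and "wont" lacks its apostrophe); since this file is a verbatim upstream backport whose md5sum is pinned in APKBUILD, it should stay byte-identical rather than be corrected locally.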
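Review bot: in xsa22-4.2-unstable.patch the added `goto out;` jumps past the m2p update loop to the new `out:` label, which is placed immediately before `p2m_unlock(p2m)`, so the lock taken earlier in guest_physmap_add_entry() is still released on the failure path and `rc = -EINVAL` is returned; the visible context between the loop and the label is only closing braces, so nothing else is skipped. Because the file is labelled 4.2-unstable and carries an hg changeset header (`diff -r f53b9f915c3d`) rather than a git index line, verify that the hunk applies at the stated offsets (633 and 656) of the xen-4.2.0 tarball this APKBUILD builds, not just on unstable.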
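Review bot: in xsa23-4.2-unstable.patch the new fast-path block assigns `smfn = _mfn(INVALID_MFN)` when `pagetable_is_null(v->arch.shadow_table[i])`, but the code that consumes `smfn` lies outside the hunk; confirm from the surrounding sh_pagetable_dying() body that an invalid MFN is skipped rather than unhooked, since the header's stated goal is that MFN 0 is never touched for unpopulated PAE entries. Style: the added `if ( fast_path ) {` keeps the brace on the same line while the adjacent `else` puts it on its own line; that inconsistency is inherited from upstream and, as with the other XSA files whose md5sums are pinned, should not be normalised locally.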
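Review bot: in xsa24.patch the added `else i = 1;` records progress in the get_status case only when `__copy_to_guest(cmp_uop, &cmp.get_status, 1)` succeeds, leaving `i` untouched on the `rc = -EFAULT` path. The loop that tests `i` is not in the hunk, so check against the 4.2.0 source that `i` is the counter compat_grant_table_op() uses to leave its loop (the header says the loop was previously infinite), and that the -EFAULT path also exits rather than re-entering it.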