From: Roger Pau Monne
CC: Roger Pau Monne
Subject: [alpine-devel] [PATCH] xen: XSA-34 and XSA-35
Date: Tue, 22 Jan 2013 16:40:46 +0100
Message-ID: <1358869246-83274-1-git-send-email-roger.pau@citrix.com>

Security fixes for nested virtualization. This only applies to Xen 4.2.x; only edge and 2.5.x Alpine Linux systems are affected.

--- main/xen/APKBUILD | 6 +++++- main/xen/xsa34-4.2.patch | 30 ++++++++++++++++++++++++++++++ main/xen/xsa35-4.2-with-xsa34.patch | 24 ++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletions(-) create mode 100644 main/xen/xsa34-4.2.patch create mode 100644 main/xen/xsa35-4.2-with-xsa34.patch diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 3c3a8a7..5e07fab 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: William Pitcock pkgname=xen pkgver=4.2.1 -pkgrel=4 +pkgrel=5 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86 x86_64" 
@@ -22,6 +22,8 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g xsa41.patch xsa41b.patch xsa41c.patch + xsa34-4.2.patch + xsa35-4.2-with-xsa34.patch xenstored.initd xenstored.confd @@ -141,6 +143,8 @@ md5sums="0d48cbe1767b82aba12517898d4e0408 xen-4.2.1.tar.gz 8ad8942000b8a4be4917599cad9209cf xsa41.patch ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch 2f3dd7bdc59d104370066d6582725575 xsa41c.patch +af10e1a3f757a184a1d79904a5ef8572 xsa34-4.2.patch +8270dbf929e26b5e95532d10a697e404 xsa35-4.2-with-xsa34.patch 95d8af17bf844d41a015ff32aae51ba1 xenstored.initd b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd ed262f15fb880badb53575539468646c xenconsoled.initd diff --git a/main/xen/xsa34-4.2.patch b/main/xen/xsa34-4.2.patch new file mode 100644 index 0000000..f5328ef --- /dev/null +++ b/main/xen/xsa34-4.2.patch @@ -0,0 +1,30 @@ +x86_32: don't allow use of nested HVM + +There are (indirect) uses of map_domain_page() in the nested HVM code +that are unsafe when not just using the 1:1 mapping. + +This is XSA-34 / CVE-2013-0151. + +Signed-off-by: Jan Beulich + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE + rc = -EINVAL; + break; + case HVM_PARAM_NESTEDHVM: ++#ifdef __i386__ ++ if ( a.value ) ++ rc = -EINVAL; ++#else + if ( a.value > 1 ) + rc = -EINVAL; + if ( !is_hvm_domain(d) ) +@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE + for_each_vcpu(d, v) + if ( rc == 0 ) + rc = nestedhvm_vcpu_initialise(v); ++#endif + break; + case HVM_PARAM_BUFIOREQ_EVTCHN: + rc = -EINVAL; diff --git a/main/xen/xsa35-4.2-with-xsa34.patch b/main/xen/xsa35-4.2-with-xsa34.patch new file mode 100644 index 0000000..89230e2 --- /dev/null +++ b/main/xen/xsa35-4.2-with-xsa34.patch 
@@ -0,0 +1,24 @@ +xen: Do not allow guests to enable nested HVM on themselves + +There is no reason for this and doing so exposes a memory leak to +guests. Only toolstacks need write access to this HVM param. + +This is XSA-35 / CVE-2013-0152. + +Signed-off-by: Ian Campbell +Acked-by: Jan Beulich + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg) + rc = -EINVAL; + break; + case HVM_PARAM_NESTEDHVM: ++ if ( !IS_PRIV(current->domain) ) ++ { ++ rc = -EPERM; ++ break; ++ } + #ifdef __i386__ + if ( a.value ) + rc = -EINVAL; -- 1.7.7.5 (Apple Git-26)
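
Review bot: In the `source=` hunk of main/xen/APKBUILD, the order of the two new entries is load-bearing and nothing records that. xsa35-4.2-with-xsa34.patch uses `#ifdef __i386__` and `if ( a.value )` as context lines, and those lines only exist after xsa34-4.2.patch has been applied. A short comment next to the two entries, or a sentence in the commit message, stating that xsa34 must stay ahead of xsa35 would stop a later reorder or removal of xsa34 from breaking the build or letting the second patch apply with fuzz.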
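
Review bot: In main/xen/xsa34-4.2.patch, the `#ifdef __i386__` branch under `case HVM_PARAM_NESTEDHVM:` turns every non-zero `a.value` into `-EINVAL`, which is a user-visible behaviour change that the commit message does not mention. The APKBUILD context shows `arch="x86 x86_64"`, so this compile-time branch is live for the x86 package, and a guest configuration that enables nested HVM there will start failing after the upgrade to pkgrel 5. Suggest saying so in the commit message, and naming CVE-2013-0151 and CVE-2013-0152 there as well, since the CVE ids currently appear only inside the two patch files.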
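
Review bot: In main/xen/xsa35-4.2-with-xsa34.patch, the hunk header `@@ -3862,6 +3862,11 @@` does not line up with xsa34-4.2.patch, which places the same `case HVM_PARAM_NESTEDHVM:` at `@@ -3926,6 +3926,10 @@`, so against the 4.2.1 tree at least one of the two is applying at a 64-line offset. The context is anchored on the `case` label and the `#ifdef __i386__` lines, so it should land correctly, but for a privilege check it is worth confirming from the build log that the hunk applied without fuzz, or regenerating the patch against 4.2.1 with xsa34 already applied. The check itself is well placed: setting `rc = -EPERM` and taking `break` before the `#ifdef` means none of the later assignments to `rc` can overwrite the refusal.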