authorIan Delaney <idella4@gentoo.org>2013-11-06 06:45:19 +0000
committerIan Delaney <idella4@gentoo.org>2013-11-06 06:45:19 +0000
commit6cb570147d5707026f4e641cd40a7bba5444eb89 (patch)
treeee37d4a6ddd00d16ae23c55bca11a63aa35cfab5 /app-emulation
parentVersion bump and remove old. (diff)
downloadgentoo-2-6cb570147d5707026f4e641cd40a7bba5444eb89.tar.gz
gentoo-2-6cb570147d5707026f4e641cd40a7bba5444eb89.tar.bz2
gentoo-2-6cb570147d5707026f4e641cd40a7bba5444eb89.zip
Adding more security patches to 4.3.0 from Bug #486354, 4.2.2 excluded again for now
(Portage version: 2.2.0/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation')
-rw-r--r--app-emulation/xen/ChangeLog11
-rw-r--r--app-emulation/xen/files/xen-CVE-2013-4368-XSA-67.patch37
-rw-r--r--app-emulation/xen/files/xen-CVE-2013-4375-XSA-71.patch39
-rw-r--r--app-emulation/xen/files/xen-CVE-2013-4494-XSA-73.patch105
-rw-r--r--app-emulation/xen/xen-4.2.2-r1.ebuild3
-rw-r--r--app-emulation/xen/xen-4.3.0-r2.ebuild138
6 files changed, 331 insertions, 2 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index d1c9ec78280e..343cb3b8b539 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for app-emulation/xen
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.130 2013/10/04 18:20:01 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.131 2013/11/06 06:45:18 idella4 Exp $
+
+*xen-4.3.0-r2 (06 Nov 2013)
+
+ 06 Nov 2013; Ian Delaney <idella4@gentoo.org>
+ +files/xen-CVE-2013-4368-XSA-67.patch, +files/xen-CVE-2013-4375-XSA-71.patch,
+ +files/xen-CVE-2013-4494-XSA-73.patch, +xen-4.3.0-r2.ebuild,
+ xen-4.2.2-r1.ebuild, xen-4.3.0-r1.ebuild:
+ Adding more security patches to 4.3.0 from Bug #486354, 4.2.2 excluded again
+ for now
04 Oct 2013; Ian Delaney <idella4@gentoo.org> -xen-4.2.1-r4.ebuild:
remove old
diff --git a/app-emulation/xen/files/xen-CVE-2013-4368-XSA-67.patch b/app-emulation/xen/files/xen-CVE-2013-4368-XSA-67.patch
new file mode 100644
index 000000000000..d81a0e18a921
--- /dev/null
+++ b/app-emulation/xen/files/xen-CVE-2013-4368-XSA-67.patch
@@ -0,0 +1,37 @@
+x86: check segment descriptor read result in 64-bit OUTS emulation
+
+When emulating such an operation from a 64-bit context (CS has long
+mode set), and the data segment is overridden to FS/GS, the result of
+reading the overridden segment's descriptor (read_descriptor) is not
+checked. If it fails, data_base is left uninitialized.
+
+This can lead to 8 bytes of Xen's stack being leaked to the guest
+(implicitly, i.e. via the address given in a #PF).
+
+Coverity-ID: 1055116
+
+This is CVE-2013-4368 / XSA-67.
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+
+Fix formatting.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -1993,10 +1993,10 @@ static int emulate_privileged_op(struct
+ break;
+ }
+ }
+- else
+- read_descriptor(data_sel, v, regs,
+- &data_base, &data_limit, &ar,
+- 0);
++ else if ( !read_descriptor(data_sel, v, regs,
++ &data_base, &data_limit, &ar, 0) ||
++ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
++ goto fail;
+ data_limit = ~0UL;
+ ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
+ }
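Review bot: This patch file carries no upstream reference, unlike the XSA-71 and XSA-73 files added in the same commit, which keep their `From <hash>` and `Date:` header lines; only the advisory number, Coverity ID and sign-offs are present. Since it changes privileged-instruction emulation in `xen/arch/x86/traps.c`, a header line such as `Upstream: <upstream-commit-id or advisory URL>` would let a later reviewer confirm that the file matches the published fix. The inner hunk starts and ends inside `emulate_privileged_op`, so the `fail` label and the declaration of `data_base` cannot be checked from here.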
diff --git a/app-emulation/xen/files/xen-CVE-2013-4375-XSA-71.patch b/app-emulation/xen/files/xen-CVE-2013-4375-XSA-71.patch
new file mode 100644
index 000000000000..3fb2338ab76b
--- /dev/null
+++ b/app-emulation/xen/files/xen-CVE-2013-4375-XSA-71.patch
@@ -0,0 +1,39 @@
+From 23260e589e52ec83349f22198eab2331b5a1684e Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattjd@gmail.com>
+Date: Wed, 25 Sep 2013 12:28:47 +1200
+Subject: [PATCH] xen_disk: mark ioreq as mapped before unmapping in error
+ case
+
+Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
+modified the semantics of ioreq_{un,}map so that they are idempotent if
+called when they're not needed (ie., twice in a row). However, it neglected
+to handle the case where batch mapping is not being used (the default), and
+one of the grants fails to map. In this case, ioreq_unmap will be called to
+unwind and unmap any mappings already performed, but ioreq_unmap simply
+returns due to the aforementioned change (the ioreq has not already been
+marked as mapped).
+
+The frontend user can therefore force xen_disk to leak grant mappings, a
+per-backend-domain limited resource.
+
+Fix by marking the ioreq as mapped before calling ioreq_unmap in this
+situation.
+
+This is XSA-71 / CVE-2013-4375
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+---
+ hw/xen_disk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff -ur xen-4.3.0.orig/tools/qemu-xen-traditional/hw/xen_disk.c xen-4.3.0/tools/qemu-xen-traditional/hw/xen_disk.c
+--- tools/qemu-xen-traditional/hw/xen_disk.c 2013-06-18 00:39:51.000000000 +0800
++++ tools/qemu-xen-traditional/hw/xen_disk.c 2013-11-06 11:05:44.977888267 +0800
+@@ -298,6 +298,7 @@
+ xen_be_printf(&ioreq->blkdev->xendev, 0,
+ "can't map grant ref %d (%s, %d maps)\n",
+ ioreq->refs[i], strerror(errno), ioreq->blkdev->cnt_map);
++ ioreq->mapped = 1;
+ ioreq_unmap(ioreq);
+ return -1;
+ }
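Review bot: The inner diff patches `tools/qemu-xen-traditional/hw/xen_disk.c`, but the file is added under app-emulation/xen, whose 4.3.0-r2 ebuild in this same commit builds only the hypervisor (`emake ... -C xen`), so applying it there most likely leaves the shipped qemu backend unpatched. The grant-mapping leak described in the message is closed only if the package that builds qemu-xen-traditional (presumably app-emulation/xen-tools, which is not visible in this diff) carries the same patch. I would move the file there, or at least add a comment above the epatch list such as `# XSA-71 touches tools/ only; the effective fix must be in xen-tools`. The headers also disagree on the path (`hw/xen_disk.c` in the diffstat, `tools/qemu-xen-traditional/...` in the `---`/`+++` lines), which suggests a hand rebase that is worth recording in the patch header.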
diff --git a/app-emulation/xen/files/xen-CVE-2013-4494-XSA-73.patch b/app-emulation/xen/files/xen-CVE-2013-4494-XSA-73.patch
new file mode 100644
index 000000000000..e644afe3b0da
--- /dev/null
+++ b/app-emulation/xen/files/xen-CVE-2013-4494-XSA-73.patch
@@ -0,0 +1,105 @@
+From 068bfa76bbd52430e65853375e1d5db99d193e2f Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 31 Oct 2013 20:49:00 +0000
+Subject: [PATCH] gnttab: correct locking order reversal
+
+Coverity ID 1087189
+
+Correct a lock order reversal between a domains page allocation and grant
+table locks.
+
+This is CVE-2013-4494 / XSA-73.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+Consolidate error handling.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Keir Fraser <keir@xen.org>
+Tested-by: Matthew Daley <mattjd@gmail.com>
+---
+ xen/common/grant_table.c | 52 +++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 44 insertions(+), 8 deletions(-)
+
+diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
+index f42bc7a..48df928 100644
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -1517,6 +1517,8 @@ gnttab_transfer(
+
+ for ( i = 0; i < count; i++ )
+ {
++ bool_t okay;
++
+ if (i && hypercall_preempt_check())
+ return i;
+
+@@ -1625,16 +1627,18 @@ gnttab_transfer(
+ * pages when it is dying.
+ */
+ if ( unlikely(e->is_dying) ||
+- unlikely(e->tot_pages >= e->max_pages) ||
+- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
++ unlikely(e->tot_pages >= e->max_pages) )
+ {
+- if ( !e->is_dying )
+- gdprintk(XENLOG_INFO, "gnttab_transfer: "
+- "Transferee has no reservation "
+- "headroom (%d,%d) or provided a bad grant ref (%08x) "
+- "or is dying (%d)\n",
+- e->tot_pages, e->max_pages, gop.ref, e->is_dying);
+ spin_unlock(&e->page_alloc_lock);
++
++ if ( e->is_dying )
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) is dying\n", e->domain_id);
++ else
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) has no headroom (tot %u, max %u)\n",
++ e->domain_id, e->tot_pages, e->max_pages);
++
+ rcu_unlock_domain(e);
+ put_gfn(d, gop.mfn);
+ page->count_info &= ~(PGC_count_mask|PGC_allocated);
+@@ -1646,6 +1650,38 @@ gnttab_transfer(
+ /* Okay, add the page to 'e'. */
+ if ( unlikely(domain_adjust_tot_pages(e, 1) == 1) )
+ get_knownalive_domain(e);
++
++ /*
++ * We must drop the lock to avoid a possible deadlock in
++ * gnttab_prepare_for_transfer. We have reserved a page in e so can
++ * safely drop the lock and re-aquire it later to add page to the
++ * pagelist.
++ */
++ spin_unlock(&e->page_alloc_lock);
++ okay = gnttab_prepare_for_transfer(e, d, gop.ref);
++ spin_lock(&e->page_alloc_lock);
++
++ if ( unlikely(!okay) || unlikely(e->is_dying) )
++ {
++ bool_t drop_dom_ref = (domain_adjust_tot_pages(e, -1) == 0);
++
++ spin_unlock(&e->page_alloc_lock);
++
++ if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
++ gdprintk(XENLOG_INFO, "gnttab_transfer: "
++ "Transferee (d%d) is now dying\n", e->domain_id);
++
++ if ( drop_dom_ref )
++ put_domain(e);
++ rcu_unlock_domain(e);
++
++ put_gfn(d, gop.mfn);
++ page->count_info &= ~(PGC_count_mask|PGC_allocated);
++ free_domheap_page(page);
++ gop.status = GNTST_general_error;
++ goto copyback;
++ }
++
+ page_list_add_tail(page, &e->page_list);
+ page_set_owner(page, e);
+
+--
+1.7.10.4
+
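Review bot: The comment added before `spin_unlock(&e->page_alloc_lock)` explains why the lock is dropped but not what has to hold while it is unlocked: `tot_pages` has already been incremented for a page that is not yet on `e->page_list`, and `e->is_dying` is tested again after `spin_lock` because it may change in that window. I would extend the comment with that invariant, e.g. `* While unlocked, tot_pages counts a page not yet on page_list; is_dying is rechecked below.`, and correct the spelling `re-aquire` to `re-acquire`. Because this is a vendored upstream fix, the wording change is better sent upstream than edited locally, so the file stays comparable with the advisory. `gnttab_transfer` begins and ends outside the inner hunks.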
diff --git a/app-emulation/xen/xen-4.2.2-r1.ebuild b/app-emulation/xen/xen-4.2.2-r1.ebuild
index ad6789e697df..d69c0484e41c 100644
--- a/app-emulation/xen/xen-4.2.2-r1.ebuild
+++ b/app-emulation/xen/xen-4.2.2-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r1.ebuild,v 1.5 2013/07/28 09:13:36 jcallen Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r1.ebuild,v 1.6 2013/11/06 06:45:18 idella4 Exp $
EAPI=5
@@ -92,6 +92,7 @@ src_prepare() {
epatch "${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch \
"${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch \
"${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch
+
epatch_user
}
diff --git a/app-emulation/xen/xen-4.3.0-r2.ebuild b/app-emulation/xen/xen-4.3.0-r2.ebuild
new file mode 100644
index 000000000000..0eebe254b236
--- /dev/null
+++ b/app-emulation/xen/xen-4.3.0-r2.ebuild
@@ -0,0 +1,138 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.0-r2.ebuild,v 1.1 2013/11/06 06:45:18 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+if [[ $PV == *9999 ]]; then
+ KEYWORDS=""
+ REPO="xen-unstable.hg"
+ EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+ S="${WORKDIR}/${REPO}"
+ live_eclass="mercurial"
+else
+ KEYWORDS="~amd64 ~x86"
+ SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug efi flask pae xsm"
+
+DEPEND="${PYTHON_DEPS}
+ efi? ( >=sys-devel/binutils-2.22[multitarget] )
+ !efi? ( >=sys-devel/binutils-2.22[-multitarget] )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="flask? ( xsm )"
+
+pkg_setup() {
+ python-any-r1_pkg_setup
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ if use flask ; then
+ export "XSM_ENABLE=y"
+ export "FLASK_ENABLE=y"
+ elif use xsm ; then
+ export "XSM_ENABLE=y"
+ fi
+}
+
+src_prepare() {
+ # Drop .config and fix gcc-4.6
+ epatch "${FILESDIR}"/${PN/-pvgrub/}-4.3-fix_dotconfig-gcc.patch
+
+ if use efi; then
+ epatch "${FILESDIR}"/${PN}-4.2-efi.patch
+ export EFI_VENDOR="gentoo"
+ export EFI_MOUNTPOINT="boot"
+ fi
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \; || die "failed to re-set custom-cflags"
+ fi
+
+ # not strictly necessary to fix this
+ sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+ #Security patches
+ epatch "${FILESDIR}"/${PN}-CVE-2013-1442-XSA-62.patch \
+ "${FILESDIR}"/${PN}-CVE-2013-4355-XSA-63.patch \
+ "${FILESDIR}"/${PN}-CVE-2013-4356-XSA-64.patch \
+ "${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch \
+ "${FILESDIR}"/${PN}-CVE-2013-4368-XSA-67.patch \
+ "${FILESDIR}"/${PN}-CVE-2013-4375-XSA-71.patch \
+ "${FILESDIR}"/${PN}-CVE-2013-4494-XSA-73.patch
+
+ epatch_user
+}
+
+src_configure() {
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+}
+
+src_compile() {
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ # The 'make install' doesn't 'mkdir -p' the subdirs
+ if use efi; then
+ mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+ fi
+
+ emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ use pae && ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+ use efi && einfo "The efi executable is installed in boot/efi/gentoo"
+}
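Review bot: In `src_prepare`, the call `find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed ...` applies `-exec` only to the `Config.mk` branch, because the implicit AND binds tighter than `-o`; files named `Makefile` and `Rules.mk` match but are never edited, so the custom-cflags cleanup is silently incomplete. Group the name tests: `find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) -exec sed ... -i {} \;`. The trailing `|| die` also does not see a failing `sed`, since `find` does not propagate the exit status of `-exec ... \;`; ending the action with `{} +` instead would make a failed edit abort the build.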