authorRoger Pau Monné <royger@FreeBSD.org>2015-10-09 14:09:07 +0000
committerRoger Pau Monné <royger@FreeBSD.org>2015-10-09 14:09:07 +0000
commit936db4de55dcc12b6c8b08cbbfd67dcbb53b4f6e (patch)
treeca22b4db6b10bbf179e7282ec353428f37f1f0d0 /sysutils/xen-tools
parentd68358849f7e2156f462b7d52e157da058afff69 (diff)
xen: update to 4.5.1
Update xen-kernel to 4.5.1 and add patches to allow live migration, save and restore. Remove qemu-traditional patches (FreeBSD doesn't support qemu-traditional) and add XSA-142. Approved by: bapt Differential revision: https://reviews.freebsd.org/D3854 Sponsored by: Citrix Systems R&D
Notes
Notes: svn path=/head/; revision=398918
Diffstat (limited to 'sysutils/xen-tools')
-rw-r--r--sysutils/xen-tools/Makefile6
-rw-r--r--sysutils/xen-tools/files/xsa135-qemut-1.patch92
-rw-r--r--sysutils/xen-tools/files/xsa135-qemut-2.patch45
-rw-r--r--sysutils/xen-tools/files/xsa138-qemut-1.patch77
-rw-r--r--sysutils/xen-tools/files/xsa138-qemut-2.patch71
-rw-r--r--sysutils/xen-tools/files/xsa142-4.5.patch53
6 files changed, 55 insertions, 289 deletions
diff --git a/sysutils/xen-tools/Makefile b/sysutils/xen-tools/Makefile
index db35da71e0e0..fbb50e15087e 100644
--- a/sysutils/xen-tools/Makefile
+++ b/sysutils/xen-tools/Makefile
@@ -2,6 +2,7 @@
PORTNAME= xen
PORTVERSION= 4.5.1
+PORTREVISION= 1
CATEGORIES= sysutils emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \
http://code.coreboot.org/p/seabios/downloads/get/:seabios
@@ -48,6 +49,7 @@ QEMU_ARGS= --disable-gtk \
--cxx=c++
EXTRA_PATCHES= ${FILESDIR}/xsa137.patch:-p1 \
+ ${FILESDIR}/xsa142-4.5.patch:-p1 \
${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1
CONFIGURE_ARGS+= --with-extra-qemuu-configure-args="${QEMU_ARGS}"
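Review bot: After this change nothing visible applies security fixes to qemu-xen-traditional, although its sources are still in the work tree. EXTRA_PATCHES in this hunk carries only xsa137 and xsa142, and the post-patch hunk below drops the loop that applied the `*qemut*` patches (XSA-135 and XSA-138, which the deleted files identify as CVE-2015-3209 and CVE-2015-5154). The same post-patch target still edits `${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c`. Whether the traditional device model is excluded from the build and the package is not visible here, so that should be confirmed; if it is still compiled, those two fixes are needed unless 4.5.1 already contains them. I would record the reasoning next to the patch list, e.g. `# qemu-xen-traditional is not built on FreeBSD, so its XSA patches are not applied`.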
@@ -75,10 +77,6 @@ post-patch:
${WRKSRC}/tools/libxl/libxl_dm.c \
${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c \
${WRKSRC}/docs/man/*
- @for p in ${FILESDIR}/*qemut*.patch; do \
- ${ECHO_CMD} "====> Applying $${p##*/}" ; \
- ${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen-traditional ; \
- done
@for p in ${FILESDIR}/*qemuu*.patch; do \
${ECHO_CMD} "====> Applying $${p##*/}" ; \
${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen ; \
diff --git a/sysutils/xen-tools/files/xsa135-qemut-1.patch b/sysutils/xen-tools/files/xsa135-qemut-1.patch
deleted file mode 100644
index 1102ce67fc3e..000000000000
--- a/sysutils/xen-tools/files/xsa135-qemut-1.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-pcnet: fix Negative array index read
-
-From: Gonglei <arei.gonglei@huawei.com>
-
-s->xmit_pos maybe assigned to a negative value (-1),
-but in this branch variable s->xmit_pos as an index to
-array s->buffer. Let's add a check for s->xmit_pos.
-
-upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b
-
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Reviewed-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
-diff --git a/hw/pcnet.c b/hw/pcnet.c
-index 7cc0637..9f3e1cc 100644
---- a/hw/pcnet.c
-+++ b/hw/pcnet.c
-@@ -1250,7 +1250,7 @@ static void pcnet_transmit(PCNetState *s)
- target_phys_addr_t xmit_cxda = 0;
- int count = CSR_XMTRL(s)-1;
- int add_crc = 0;
--
-+ int bcnt;
- s->xmit_pos = -1;
-
- if (!CSR_TXON(s)) {
-@@ -1276,34 +1276,39 @@ static void pcnet_transmit(PCNetState *s)
- if (BCR_SWSTYLE(s) != 1)
- add_crc = GET_FIELD(tmd.status, TMDS, ADDFCS);
- }
-+
-+ if (s->xmit_pos < 0) {
-+ goto txdone;
-+ }
-+
-+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-+ s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-+ s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-+ s->xmit_pos += bcnt;
-+
- if (!GET_FIELD(tmd.status, TMDS, ENP)) {
-- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-- s->xmit_pos += bcnt;
-- } else if (s->xmit_pos >= 0) {
-- int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-- s->xmit_pos += bcnt;
-+ goto txdone;
-+ }
- #ifdef PCNET_DEBUG
-- printf("pcnet_transmit size=%d\n", s->xmit_pos);
-+ printf("pcnet_transmit size=%d\n", s->xmit_pos);
- #endif
-- if (CSR_LOOP(s)) {
-- if (BCR_SWSTYLE(s) == 1)
-- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
-- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
-- pcnet_receive(s, s->buffer, s->xmit_pos);
-- s->looptest = 0;
-- } else
-- if (s->vc)
-- qemu_send_packet(s->vc, s->buffer, s->xmit_pos);
--
-- s->csr[0] &= ~0x0008; /* clear TDMD */
-- s->csr[4] |= 0x0004; /* set TXSTRT */
-- s->xmit_pos = -1;
-+ if (CSR_LOOP(s)) {
-+ if (BCR_SWSTYLE(s) == 1)
-+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
-+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
-+ pcnet_receive(s, s->buffer, s->xmit_pos);
-+ s->looptest = 0;
-+ } else {
-+ if (s->vc) {
-+ qemu_send_packet(s->vc, s->buffer, s->xmit_pos);
-+ }
- }
-
-+ s->csr[0] &= ~0x0008; /* clear TDMD */
-+ s->csr[4] |= 0x0004; /* set TXSTRT */
-+ s->xmit_pos = -1;
-+
-+ txdone:
- SET_FIELD(&tmd.status, TMDS, OWN, 0);
- TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));
- if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT)))
diff --git a/sysutils/xen-tools/files/xsa135-qemut-2.patch b/sysutils/xen-tools/files/xsa135-qemut-2.patch
deleted file mode 100644
index bc3d02f30f5f..000000000000
--- a/sysutils/xen-tools/files/xsa135-qemut-2.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Sun, 24 May 2015 10:53:44 +0200
-Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
-
-4096 is the maximum length per TMD and it is also currently the size of
-the relay buffer pcnet driver uses for sending the packet data to QEMU
-for further processing. With packet spanning multiple TMDs it can
-happen that the overall packet size will be bigger than sizeof(buffer),
-which results in memory corruption.
-
-Fix this by only allowing to queue maximum sizeof(buffer) bytes.
-
-This is CVE-2015-3209.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Matt Tait <matttait@google.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/pcnet.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/pcnet.c b/hw/pcnet.c
-index bdfd38f..6d32e4c 100644
---- a/hw/pcnet.c
-+++ b/hw/pcnet.c
-@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
- }
-
- bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-+
-+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
-+ Note: this is not what real hw does */
-+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
-+ s->xmit_pos = -1;
-+ goto txdone;
-+ }
-+
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
- s->xmit_pos += bcnt;
---
-2.1.0
-
diff --git a/sysutils/xen-tools/files/xsa138-qemut-1.patch b/sysutils/xen-tools/files/xsa138-qemut-1.patch
deleted file mode 100644
index 6e0653a3cad2..000000000000
--- a/sysutils/xen-tools/files/xsa138-qemut-1.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 510952d4c33ee69574167ce30829b21c815a165b Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:13:31 +0200
-Subject: [PATCH 1/2] ide: Check array bounds before writing to io_buffer
- (CVE-2015-5154)
-
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/hw/ide.c b/hw/ide.c
-index 791666b..211ec88 100644
---- a/hw/ide.c
-+++ b/hw/ide.c
-@@ -3002,6 +3002,10 @@ static void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- buffered_pio_write(s, addr, 2);
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return;
-+ }
-+
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-@@ -3021,6 +3025,10 @@ static uint32_t ide_data_readw(void *opaque, uint32_t addr)
- buffered_pio_read(s, addr, 2);
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-@@ -3040,6 +3048,10 @@ static void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- buffered_pio_write(s, addr, 4);
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return;
-+ }
-+
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-@@ -3059,6 +3071,10 @@ static uint32_t ide_data_readl(void *opaque, uint32_t addr)
- buffered_pio_read(s, addr, 4);
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
---
-2.1.4
-
diff --git a/sysutils/xen-tools/files/xsa138-qemut-2.patch b/sysutils/xen-tools/files/xsa138-qemut-2.patch
deleted file mode 100644
index f46ccd336cdb..000000000000
--- a/sysutils/xen-tools/files/xsa138-qemut-2.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 1ac0f60d558b7fca55c69a61ab4c4538af1f02f9 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:41:27 +0200
-Subject: [PATCH 2/2] ide: Clear DRQ after handling all expected accesses
-
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/hw/ide.c b/hw/ide.c
-index 211ec88..7b84d1b 100644
---- a/hw/ide.c
-+++ b/hw/ide.c
-@@ -3009,8 +3009,10 @@ static void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- static uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -3032,8 +3034,10 @@ static uint32_t ide_data_readw(void *opaque, uint32_t addr)
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
-@@ -3055,8 +3059,10 @@ static void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- static uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -3078,8 +3084,10 @@ static uint32_t ide_data_readl(void *opaque, uint32_t addr)
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
---
-2.1.4
-
diff --git a/sysutils/xen-tools/files/xsa142-4.5.patch b/sysutils/xen-tools/files/xsa142-4.5.patch
new file mode 100644
index 000000000000..712950f6795a
--- /dev/null
+++ b/sysutils/xen-tools/files/xsa142-4.5.patch
@@ -0,0 +1,53 @@
+From 07ca00703f76ad392eda5ee52cce1197cf49c30a Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Subject: [PATCH v2.1 for-4.5] libxl: handle read-only drives with qemu-xen
+
+The current libxl code doesn't deal with read-only drives at all.
+
+Upstream QEMU and qemu-xen only support read-only cdrom drives: make
+sure to specify "readonly=on" for cdrom drives and return error in case
+the user requested a non-cdrom read-only drive.
+
+This is XSA-142, discovered by Lin Liu
+(https://bugzilla.redhat.com/show_bug.cgi?id=1257893).
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+Backport to Xen 4.5 and earlier, apropos of report and review from
+Michael Young.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxl/libxl_dm.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
+index b4ce523..d74fb14 100644
+--- a/tools/libxl/libxl_dm.c
++++ b/tools/libxl/libxl_dm.c
+@@ -797,13 +797,18 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc,
+ if (disks[i].is_cdrom) {
+ if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY)
+ drive = libxl__sprintf
+- (gc, "if=ide,index=%d,media=cdrom,cache=writeback,id=ide-%i",
+- disk, dev_number);
++ (gc, "if=ide,index=%d,readonly=%s,media=cdrom,cache=writeback,id=ide-%i",
++ disk, disks[i].readwrite ? "off" : "on", dev_number);
+ else
+ drive = libxl__sprintf
+- (gc, "file=%s,if=ide,index=%d,media=cdrom,format=%s,cache=writeback,id=ide-%i",
+- disks[i].pdev_path, disk, format, dev_number);
++ (gc, "file=%s,if=ide,index=%d,readonly=%s,media=cdrom,format=%s,cache=writeback,id=ide-%i",
++ disks[i].pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number);
+ } else {
++ if (!disks[i].readwrite) {
++ LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "qemu-xen doesn't support read-only disk drivers");
++ return NULL;
++ }
++
+ if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) {
+ LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "cannot support"
+ " empty disk format for %s", disks[i].vdev);
+--
+1.7.10.4
+
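Review bot: On the cdrom branch the `readonly=` value follows `disks[i].readwrite`, so a cdrom configured read-write is still handed to QEMU as `readonly=off`, while the patch description says only read-only cdrom drives are supported and that `readonly=on` should be specified for them. Whether an earlier validation step forces cdroms to read-only is not visible in this hunk, so the two `libxl__sprintf` calls deserve a comment such as `/* readonly= mirrors the configured access mode; a writable cdrom is passed through as readonly=off */`. The new error in the non-cdrom branch fails closed, but it does not name the disk; `LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "qemu-xen doesn't support read-only disk drive %s", disks[i].vdev);` would match the warning just below it. The body of libxl__build_device_model_args_new starts and ends outside the hunk.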