Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2013-01-24 10:42:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2013-01-17 10:59:13.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2013-01-24 10:42:19.000000000 +0100 
@@ -1,0 +2,42 @@
+Tue Jan 22 08:12:39 MST 2013 - [email protected]
+
+- bnc#797285 - VUL-0: Xen: XSA-34 (CVE-2013-0151) - nested
+ virtualization on 32-bit exposes host crash
+ CVE-2013-0151-xsa34.patch
+- bnc#797287 - VUL-0: Xen: XSA-35 (CVE-2013-0152) - Nested HVM
+ exposes host to being driven out of memory by guest
+ CVE-2013-0152-xsa35.patch
+
+-------------------------------------------------------------------
+Thu Jan 17 14:13:52 MST 2013 - [email protected]
+
+- bnc#793717 - NetWare will not boot on Xen 4.2
+ xnloader.py
+ domUloader.py
+ pygrub-netware-xnloader.patch
+ Removed reverse-24757-use-grant-references.patch
+
+-------------------------------------------------------------------
+Wed Jan 16 11:26:29 MST 2013
+
+- bnc#797523 - VUL-1: CVE-2012-6075: qemu / kvm-qemu: e1000
+ overflows under some conditions
+ CVE-2012-6075-xsa41.patch
+
+-------------------------------------------------------------------
+Tue Jan 15 13:19:36 MST 2013 - [email protected]
+
+- Mask the floating point exceptions for guests like NetWare on
+ machines that support XSAVE.
+ x86-fpu-context-conditional.patch + +------------------------------------------------------------------- +Mon Jan 14 12:01:33 MST 2013 - [email protected] + +- fate##313584: pass bios information to XEN HVM guest + 26341-hvm-firmware-passthrough.patch + 26342-hvm-firmware-passthrough.patch + 26343-hvm-firmware-passthrough.patch + 26344-hvm-firmware-passthrough.patch + +------------------------------------------------------------------- Old: ---- reverse-24757-use-grant-references.patch New: ---- 26341-hvm-firmware-passthrough.patch 26342-hvm-firmware-passthrough.patch 26343-hvm-firmware-passthrough.patch 26344-hvm-firmware-passthrough.patch CVE-2012-6075-xsa41.patch CVE-2013-0151-xsa34.patch CVE-2013-0152-xsa35.patch pygrub-netware-xnloader.patch x86-fpu-context-conditional.patch xnloader.py ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.ewVUv7/_old 2013-01-24 10:42:22.000000000 +0100 +++ /var/tmp/diff_new_pack.ewVUv7/_new 2013-01-24 10:42:22.000000000 +0100 @@ -115,7 +115,7 @@ BuildRequires: module-init-tools BuildRequires: xorg-x11 %endif -Version: 4.2.1_02 +Version: 4.2.1_03 Release: 0 PreReq: %insserv_prereq %fillup_prereq Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) @@ -160,6 +160,7 @@ # init script and sysconf file for pciback Source34: init.pciback Source35: sysconfig.pciback +Source36: xnloader.py Source99: baselibs.conf # http://xenbits.xensource.com/ext/xenalyze Source20000: xenalyze.hg.tar.bz2 
@@ -217,7 +218,14 @@ Patch26331: 26331-IOMMU-phantom-dev-quirk.patch Patch26332: 26332-x86-compat-show-guest-stack-mfn.patch Patch26333: 26333-x86-get_page_type-assert.patch +Patch26341: 26341-hvm-firmware-passthrough.patch +Patch26342: 26342-hvm-firmware-passthrough.patch +Patch26343: 26343-hvm-firmware-passthrough.patch +Patch26344: 26344-hvm-firmware-passthrough.patch Patch33: CVE-2012-5634-xsa33.patch +Patch34: CVE-2013-0151-xsa34.patch +Patch35: CVE-2013-0152-xsa35.patch +Patch41: CVE-2012-6075-xsa41.patch # Upstream qemu patches Patch100: VNC-Support-for-ExtendedKeyEvent-client-message.patch # Our patches @@ -311,8 +319,8 @@ Patch459: blktap-close-fifos.patch Patch460: blktap-disable-debug-printf.patch Patch461: xen-glibc217.patch -Patch462: reverse-24757-use-grant-references.patch -Patch463: xen-migration-bridge-check.patch +Patch462: xen-migration-bridge-check.patch +Patch463: pygrub-netware-xnloader.patch # Jim's domain lock patch Patch480: xend-domain-lock.patch Patch481: xend-domain-lock-sfex.patch @@ -328,6 +336,7 @@ Patch511: supported_module.diff Patch512: magic_ioport_compat.patch Patch513: xen.sles11sp1.fate311487.xen_platform_pci.dmistring.patch +Patch514: x86-fpu-context-conditional.patch Patch650: disable_emulated_device.diff Patch651: ioemu-disable-scsi.patch Patch652: ioemu-disable-emulated-ide-if-pv.patch @@ -725,7 +734,14 @@ %patch26331 -p1 %patch26332 -p1 %patch26333 -p1 +%patch26341 -p1 +%patch26342 -p1 +%patch26343 -p1 +%patch26344 -p1 %patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch41 -p1 # Qemu %patch100 -p1 # Our patches @@ -831,6 +847,7 @@ %patch511 -p1 %patch512 -p1 %patch513 -p1 +%patch514 -p1 %patch650 -p1 %patch651 -p1 %patch652 -p1 
@@ -1041,6 +1058,7 @@ ln -s /var/lib/xen/images $RPM_BUILD_ROOT/etc/xen/images # Bootloader install -m755 %SOURCE16 $RPM_BUILD_ROOT/usr/lib/xen/boot/ +install -m755 %SOURCE36 $RPM_BUILD_ROOT/%{_libdir}/python%{pyver}/site-packages # udev support mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d mv $RPM_BUILD_ROOT/etc/udev/rules.d/xen-backend.rules $RPM_BUILD_ROOT/etc/udev/rules.d/40-xen.rules @@ -1246,6 +1264,7 @@ %{_libdir}/python%{pyver}/site-packages/xen/* %{_libdir}/python%{pyver}/site-packages/grub/* %{_libdir}/python%{pyver}/site-packages/fsimage.so +%{_libdir}/python%{pyver}/site-packages/xnloader.py %config %{_fwdefdir}/xend-relocation-server %endif ++++++ 26341-hvm-firmware-passthrough.patch ++++++ fate#313584: pass bios information to XEN HVM guest # HG changeset patch # User Ross Philipson <[email protected]> # Date 1357838188 0 # Node ID 07bf59a7ce837bd795e2df2f28166cfe41990d3d # Parent 19fd1237ff0dfa3d97a896d6ed6fbbd33f816a9f HVM xenstore strings and firmware passthrough header Add public HVM definitions header for xenstore strings used in HVMLOADER. In addition this header describes the use of the firmware passthrough values set using xenstore. Signed-off-by: Ross Philipson <[email protected]> Committed-by: Keir Fraser <[email protected]> diff -r 19fd1237ff0d -r 07bf59a7ce83 xen/include/public/hvm/hvm_xs_strings.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xen/include/public/hvm/hvm_xs_strings.h Thu Jan 10 17:16:28 2013 +0000 
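Review bot: The added `install -m755 %SOURCE36` line in the Bootloader part of %install gives xnloader.py the executable bit, although the other changes in this submission only ever `import xnloader`. A module that is imported rather than run needs read permission only, so `install -m644 %SOURCE36 $RPM_BUILD_ROOT/%{_libdir}/python%{pyver}/site-packages` would be the tighter choice. The module also lands at the top level of site-packages instead of under the `xen/` directory already listed in %files, which deserves a line in the changelog if it is deliberate.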
@@ -0,0 +1,79 @@ +/****************************************************************************** + * hvm/hvm_xs_strings.h + * + * HVM xenstore strings used in HVMLOADER. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef __XEN_PUBLIC_HVM_HVM_XS_STRINGS_H__ +#define __XEN_PUBLIC_HVM_HVM_XS_STRINGS_H__ + +#define HVM_XS_HVMLOADER "hvmloader" +#define HVM_XS_BIOS "hvmloader/bios" +#define HVM_XS_GENERATION_ID_ADDRESS "hvmloader/generation-id-address" + +/* The following values allow additional ACPI tables to be added to the + * virtual ACPI BIOS that hvmloader constructs. The values specify the guest + * physical address and length of a block of ACPI tables to add. The format of + * the block is simply concatenated raw tables (which specify their own length + * in the ACPI header). 
+ */ +#define HVM_XS_ACPI_PT_ADDRESS "hvmloader/acpi/address" +#define HVM_XS_ACPI_PT_LENGTH "hvmloader/acpi/length" + +/* Any number of SMBIOS types can be passed through to an HVM guest using + * the following xenstore values. The values specify the guest physical + * address and length of a block of SMBIOS structures for hvmloader to use. + * The block is formatted in the following way: + * + * <length><struct><length><struct>... + * + * Each length separator is a 32b integer indicating the length of the next + * SMBIOS structure. For DMTF defined types (0 - 121), the passed in struct + * will replace the default structure in hvmloader. In addition, any + * OEM/vendortypes (128 - 255) will all be added. + */ +#define HVM_XS_SMBIOS_PT_ADDRESS "hvmloader/smbios/address" +#define HVM_XS_SMBIOS_PT_LENGTH "hvmloader/smbios/length" + +/* Set to 1 to enable SMBIOS default portable battery (type 22) values. */ +#define HVM_XS_SMBIOS_DEFAULT_BATTERY "hvmloader/smbios/default_battery" + +/* The following xenstore values are used to override some of the default + * string values in the SMBIOS table constructed in hvmloader. + */ +#define HVM_XS_BIOS_STRINGS "bios-strings" +#define HVM_XS_BIOS_VENDOR "bios-strings/bios-vendor" +#define HVM_XS_BIOS_VERSION "bios-strings/bios-version" +#define HVM_XS_SYSTEM_MANUFACTURER "bios-strings/system-manufacturer" +#define HVM_XS_SYSTEM_PRODUCT_NAME "bios-strings/system-product-name" +#define HVM_XS_SYSTEM_VERSION "bios-strings/system-version" +#define HVM_XS_SYSTEM_SERIAL_NUMBER "bios-strings/system-serial-number" +#define HVM_XS_ENCLOSURE_MANUFACTURER "bios-strings/enclosure-manufacturer" +#define HVM_XS_ENCLOSURE_SERIAL_NUMBER "bios-strings/enclosure-serial-number" +#define HVM_XS_BATTERY_MANUFACTURER "bios-strings/battery-manufacturer" +#define HVM_XS_BATTERY_DEVICE_NAME "bios-strings/battery-device-name" + +/* 1 to 99 OEM strings can be set in xenstore using values of the form + * below. 
These strings will be loaded into the SMBIOS type 11 structure. + */ +#define HVM_XS_OEM_STRINGS "bios-strings/oem-%02d" + +#endif /* __XEN_PUBLIC_HVM_HVM_XS_STRINGS_H__ */ ++++++ 26342-hvm-firmware-passthrough.patch ++++++ fate#313584: pass bios information to XEN HVM guest # HG changeset patch # User Ross Philipson <[email protected]> # Date 1357838241 0 # Node ID cabf395a6c849cc65e56f1640b18db0c3e0faf5d # Parent 07bf59a7ce837bd795e2df2f28166cfe41990d3d HVM firmware passthrough control tools support Xen control tools support for loading the firmware passthrough blocks during domain construction. SMBIOS and ACPI blocks are passed in using the new xc_hvm_build_args structure. Each block is read and loaded into the new domain address space behind the HVMLOADER image. The base address for the two blocks is returned as an out parameter to the caller via the args structure. Signed-off-by: Ross Philipson <[email protected]> Committed-by: Keir Fraser <[email protected]> diff -r 07bf59a7ce83 -r cabf395a6c84 tools/libxc/xc_hvm_build_arm.c --- a/tools/libxc/xc_hvm_build_arm.c Thu Jan 10 17:16:28 2013 +0000 +++ b/tools/libxc/xc_hvm_build_arm.c Thu Jan 10 17:17:21 2013 +0000 @@ -22,7 +22,7 @@ #include <xenguest.h> int xc_hvm_build(xc_interface *xch, uint32_t domid, - const struct xc_hvm_build_args *hvm_args) + struct xc_hvm_build_args *hvm_args) { errno = ENOSYS; return -1; diff -r 07bf59a7ce83 -r cabf395a6c84 tools/libxc/xc_hvm_build_x86.c --- a/tools/libxc/xc_hvm_build_x86.c Thu Jan 10 17:16:28 2013 +0000 +++ b/tools/libxc/xc_hvm_build_x86.c Thu Jan 10 17:17:21 2013 +0000 
@@ -49,6 +49,40 @@ #define NR_SPECIAL_PAGES 8 #define special_pfn(x) (0xff000u - NR_SPECIAL_PAGES + (x)) +static int modules_init(struct xc_hvm_build_args *args, + uint64_t vend, struct elf_binary *elf, + uint64_t *mstart_out, uint64_t *mend_out) +{ +#define MODULE_ALIGN 1UL << 7 +#define MB_ALIGN 1UL << 20 +#define MKALIGN(x, a) (((uint64_t)(x) + (a) - 1) & ~(uint64_t)((a) - 1)) + uint64_t total_len = 0, offset1 = 0; + + if ( (args->acpi_module.length == 0)&&(args->smbios_module.length == 0) ) + return 0; + + /* Find the total length for the firmware modules with a reasonable large + * alignment size to align each the modules. + */ + total_len = MKALIGN(args->acpi_module.length, MODULE_ALIGN); + offset1 = total_len; + total_len += MKALIGN(args->smbios_module.length, MODULE_ALIGN); + + /* Want to place the modules 1Mb+change behind the loader image. */ + *mstart_out = MKALIGN(elf->pend, MB_ALIGN) + (MB_ALIGN); + *mend_out = *mstart_out + total_len; + + if ( *mend_out > vend ) + return -1; + + if ( args->acpi_module.length != 0 ) + args->acpi_module.guest_addr_out = *mstart_out; + if ( args->smbios_module.length != 0 ) + args->smbios_module.guest_addr_out = *mstart_out + offset1; + + return 0; +} + static void build_hvm_info(void *hvm_info_page, uint64_t mem_size, uint64_t mmio_start, uint64_t mmio_size) { @@ -86,9 +120,8 @@ static void build_hvm_info(void *hvm_inf hvm_info->checksum = -sum; } -static int loadelfimage( - xc_interface *xch, - struct elf_binary *elf, uint32_t dom, unsigned long *parray) +static int loadelfimage(xc_interface *xch, struct elf_binary *elf, + uint32_t dom, unsigned long *parray) { privcmd_mmap_entry_t *entries = NULL; unsigned long pfn_start = elf->pstart >> PAGE_SHIFT; 
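Review bot: `MODULE_ALIGN` and `MB_ALIGN` in modules_init() expand to the bare expressions `1UL << 7` and `1UL << 20`, so any use outside parentheses would bind wrongly; the current uses are safe only because `MKALIGN` wraps its argument as `(a)` and the addition is written `+ (MB_ALIGN)`. Define them as `#define MODULE_ALIGN (1UL << 7)` and `#define MB_ALIGN (1UL << 20)`. The three macros are also defined inside the function body and never `#undef`'d, so they remain visible for the rest of the file.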
@@ -126,6 +159,66 @@ static int loadelfimage( return rc; } +static int loadmodules(xc_interface *xch, + struct xc_hvm_build_args *args, + uint64_t mstart, uint64_t mend, + uint32_t dom, unsigned long *parray) +{ + privcmd_mmap_entry_t *entries = NULL; + unsigned long pfn_start; + unsigned long pfn_end; + size_t pages; + uint32_t i; + uint8_t *dest; + int rc = -1; + + if ( (mstart == 0)||(mend == 0) ) + return 0; + + pfn_start = (unsigned long)(mstart >> PAGE_SHIFT); + pfn_end = (unsigned long)((mend + PAGE_SIZE - 1) >> PAGE_SHIFT); + pages = pfn_end - pfn_start; + + /* Map address space for module list. */ + entries = calloc(pages, sizeof(privcmd_mmap_entry_t)); + if ( entries == NULL ) + goto error_out; + + for ( i = 0; i < pages; i++ ) + entries[i].mfn = parray[(mstart >> PAGE_SHIFT) + i]; + + dest = xc_map_foreign_ranges( + xch, dom, pages << PAGE_SHIFT, PROT_READ | PROT_WRITE, 1 << PAGE_SHIFT, + entries, pages); + if ( dest == NULL ) + goto error_out; + + /* Zero the range so padding is clear between modules */ + memset(dest, 0, pages << PAGE_SHIFT); + + /* Load modules into range */ + if ( args->acpi_module.length != 0 ) + { + memcpy(dest, + args->acpi_module.data, + args->acpi_module.length); + } + if ( args->smbios_module.length != 0 ) + { + memcpy(dest + (args->smbios_module.guest_addr_out - mstart), + args->smbios_module.data, + args->smbios_module.length); + } + + munmap(dest, pages << PAGE_SHIFT); + rc = 0; + + error_out: + free(entries); + + return rc; +} + /* * Check whether there exists mmio hole in the specified memory range. * Returns 1 if exists, else returns 0. @@ -140,7 +233,7 @@ static int check_mmio_hole(uint64_t star } static int setup_guest(xc_interface *xch, - uint32_t dom, const struct xc_hvm_build_args *args, + uint32_t dom, struct xc_hvm_build_args *args, char *image, unsigned long image_size) { xen_pfn_t *page_array = NULL; 
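Review bot: loadmodules() copies from `args->acpi_module.data` and `args->smbios_module.data` whenever the matching `length` is non-zero, and neither it nor modules_init() checks that the pointer is set, so a caller that fills in a length but leaves `data` NULL crashes the toolstack inside `memcpy` while the guest range is mapped. A guard before the mapping turns that into an ordinary build failure, e.g. `if ( (args->acpi_module.length && !args->acpi_module.data) || (args->smbios_module.length && !args->smbios_module.data) ) return -1;`. The failure paths here also return -1 without an `ERROR(...)` message, unlike the modules_init() call in setup_guest(), so a failed mapping or allocation leaves no trace in the log.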
@@ -153,6 +246,7 @@ static int setup_guest(xc_interface *xch uint32_t *ident_pt; struct elf_binary elf; uint64_t v_start, v_end; + uint64_t m_start = 0, m_end = 0; int rc; xen_capabilities_info_t caps; unsigned long stat_normal_pages = 0, stat_2mb_pages = 0, @@ -178,11 +272,19 @@ static int setup_guest(xc_interface *xch goto error_out; } + if ( modules_init(args, v_end, &elf, &m_start, &m_end) != 0 ) + { + ERROR("Insufficient space to load modules."); + goto error_out; + } + IPRINTF("VIRTUAL MEMORY ARRANGEMENT:\n" " Loader: %016"PRIx64"->%016"PRIx64"\n" + " Modules: %016"PRIx64"->%016"PRIx64"\n" " TOTAL: %016"PRIx64"->%016"PRIx64"\n" " ENTRY ADDRESS: %016"PRIx64"\n", elf.pstart, elf.pend, + m_start, m_end, v_start, v_end, elf_uval(&elf, elf.ehdr, e_entry)); @@ -337,6 +439,9 @@ static int setup_guest(xc_interface *xch if ( loadelfimage(xch, &elf, dom, page_array) != 0 ) goto error_out; + if ( loadmodules(xch, args, m_start, m_end, dom, page_array) != 0 ) + goto error_out; + if ( (hvm_info_page = xc_map_foreign_range( xch, dom, PAGE_SIZE, PROT_READ | PROT_WRITE, HVM_INFO_PFN)) == NULL ) @@ -413,7 +518,7 @@ static int setup_guest(xc_interface *xch * Create a domain for a virtualized Linux, using files/filenames. */ int xc_hvm_build(xc_interface *xch, uint32_t domid, - const struct xc_hvm_build_args *hvm_args) + struct xc_hvm_build_args *hvm_args) { struct xc_hvm_build_args args = *hvm_args; void *image; @@ -441,6 +546,15 @@ int xc_hvm_build(xc_interface *xch, uint sts = setup_guest(xch, domid, &args, image, image_size); + if (!sts) + { + /* Return module load addresses to caller */ + hvm_args->acpi_module.guest_addr_out = + args.acpi_module.guest_addr_out; + hvm_args->smbios_module.guest_addr_out = + args.smbios_module.guest_addr_out; + } + free(image); return sts; 
@@ -461,6 +575,7 @@ int xc_hvm_build_target_mem(xc_interface { struct xc_hvm_build_args args = {}; + memset(&args, 0, sizeof(struct xc_hvm_build_args)); args.mem_size = (uint64_t)memsize << 20; args.mem_target = (uint64_t)target << 20; args.image_file_name = image_name; diff -r 07bf59a7ce83 -r cabf395a6c84 tools/libxc/xenguest.h --- a/tools/libxc/xenguest.h Thu Jan 10 17:16:28 2013 +0000 +++ b/tools/libxc/xenguest.h Thu Jan 10 17:17:21 2013 +0000 @@ -211,11 +211,23 @@ int xc_linux_build_mem(xc_interface *xch unsigned int console_evtchn, unsigned long *console_mfn); +struct xc_hvm_firmware_module { + uint8_t *data; + uint32_t length; + uint64_t guest_addr_out; +}; + struct xc_hvm_build_args { uint64_t mem_size; /* Memory size in bytes. */ uint64_t mem_target; /* Memory target in bytes. */ uint64_t mmio_size; /* Size of the MMIO hole in bytes. */ const char *image_file_name; /* File name of the image to load. */ + + /* Extra ACPI tables passed to HVMLOADER */ + struct xc_hvm_firmware_module acpi_module; + + /* Extra SMBIOS structures passed to HVMLOADER */ + struct xc_hvm_firmware_module smbios_module; }; /** @@ -228,7 +240,7 @@ struct xc_hvm_build_args { * are optional. */ int xc_hvm_build(xc_interface *xch, uint32_t domid, - const struct xc_hvm_build_args *hvm_args); + struct xc_hvm_build_args *hvm_args); int xc_hvm_build_target_mem(xc_interface *xch, uint32_t domid, diff -r 07bf59a7ce83 -r cabf395a6c84 tools/libxc/xg_private.c --- a/tools/libxc/xg_private.c Thu Jan 10 17:16:28 2013 +0000 +++ b/tools/libxc/xg_private.c Thu Jan 10 17:17:21 2013 +0000 
@@ -192,7 +192,7 @@ unsigned long csum_page(void *page) __attribute__((weak)) int xc_hvm_build(xc_interface *xch, uint32_t domid, - const struct xc_hvm_build_args *hvm_args) + struct xc_hvm_build_args *hvm_args) { errno = ENOSYS; return -1; ++++++ 26343-hvm-firmware-passthrough.patch ++++++ ++++ 645 lines (skipped) ++++++ 26344-hvm-firmware-passthrough.patch ++++++ fate#313584: pass bios information to XEN HVM guest # HG changeset patch # User Ross Philipson <[email protected]> # Date 1357838323 0 # Node ID b9c38bea15b117552ecb51809779c7cfef82dd44 # Parent a7ce196f40444fafbe8f13b2d80e4885d4321806 HVM firmware passthrough ACPI processing ACPI table passthrough support allowing additional static tables and SSDTs (AML code) to be loaded. These additional tables are added at the end of the secondary table list in the RSDT/XSDT tables. Signed-off-by: Ross Philipson <[email protected]> Committed-by: Keir Fraser <[email protected]> diff -r a7ce196f4044 -r b9c38bea15b1 tools/firmware/hvmloader/acpi/build.c --- a/tools/firmware/hvmloader/acpi/build.c Thu Jan 10 17:18:10 2013 +0000 +++ b/tools/firmware/hvmloader/acpi/build.c Thu Jan 10 17:18:43 2013 +0000 @@ -23,6 +23,9 @@ #include "ssdt_pm.h" #include "../config.h" #include "../util.h" +#include <xen/hvm/hvm_xs_strings.h> + +#define ACPI_MAX_SECONDARY_TABLES 16 #define align16(sz) (((sz) + 15) & ~15) #define fixed_strcpy(d, s) strncpy((d), (s), sizeof(d)) 
@@ -198,6 +201,52 @@ static struct acpi_20_waet *construct_wa return waet; } +static int construct_passthrough_tables(unsigned long *table_ptrs, + int nr_tables) +{ + const char *s; + uint8_t *acpi_pt_addr; + uint32_t acpi_pt_length; + struct acpi_header *header; + int nr_added; + int nr_max = (ACPI_MAX_SECONDARY_TABLES - nr_tables - 1); + uint32_t total = 0; + uint8_t *buffer; + + s = xenstore_read(HVM_XS_ACPI_PT_ADDRESS, NULL); + if ( s == NULL ) + return 0; + + acpi_pt_addr = (uint8_t*)(uint32_t)strtoll(s, NULL, 0); + if ( acpi_pt_addr == NULL ) + return 0; + + s = xenstore_read(HVM_XS_ACPI_PT_LENGTH, NULL); + if ( s == NULL ) + return 0; + + acpi_pt_length = (uint32_t)strtoll(s, NULL, 0); + + for ( nr_added = 0; nr_added < nr_max; nr_added++ ) + { + if ( (acpi_pt_length - total) < sizeof(struct acpi_header) ) + break; + + header = (struct acpi_header*)acpi_pt_addr; + + buffer = mem_alloc(header->length, 16); + if ( buffer == NULL ) + break; + memcpy(buffer, header, header->length); + + table_ptrs[nr_tables++] = (unsigned long)buffer; + total += header->length; + acpi_pt_addr += header->length; + } + + return nr_added; +} + static int construct_secondary_tables(unsigned long *table_ptrs, struct acpi_info *info) { @@ -293,6 +342,9 @@ static int construct_secondary_tables(un } } + /* Load any additional tables passed through. */ + nr_tables += construct_passthrough_tables(table_ptrs, nr_tables); + table_ptrs[nr_tables] = 0; return nr_tables; } @@ -327,7 +379,7 @@ void acpi_build_tables(struct acpi_confi struct acpi_10_fadt *fadt_10; struct acpi_20_facs *facs; unsigned char *dsdt; - unsigned long secondary_tables[16]; + unsigned long secondary_tables[ACPI_MAX_SECONDARY_TABLES]; int nr_secondaries, i; unsigned long vm_gid_addr; ++++++ CVE-2012-6075-xsa41.patch ++++++ Subject: e1000: Discard packets that are too long if !SBP and !LPE 
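Review bot: construct_passthrough_tables() uses `header->length` from the passed-through block without validating it: the loop only checks that a header's worth of bytes remains, so a length larger than the remaining `acpi_pt_length - total` makes `memcpy` read past the block, and once `total` exceeds `acpi_pt_length` the unsigned subtraction wraps and the guard no longer stops the loop. A length of zero also adds one empty table per iteration until `nr_max` is reached. Adding `if ( header->length < sizeof(struct acpi_header) || header->length > acpi_pt_length - total ) break;` right after `header` is assigned bounds both cases. As far as the visible code shows, the block is described through xenstore by whoever builds the domain, so this is about hvmloader tolerating a malformed block rather than a path a guest can reach by itself.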
From: Michael Contreras [email protected] Sun Dec 2 20:11:22 2012 -0800 Date: Wed Jan 16 14:12:40 2013 +0000: Git: b4e9b8169dedc0bcf0d3abe07642f761ac70aeea The e1000_receive function for the e1000 needs to discard packets longer than 1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes this behavior and allocates memory based on this assumption. Signed-off-by: Michael Contreras <[email protected]> Signed-off-by: Anthony Liguori <[email protected]> Subject: e1000: Discard oversized packets based on SBP|LPE From: Michael Contreras <[email protected]> Date: Wed, 5 Dec 2012 18:31:30 +0000 (-0500) e1000: Discard oversized packets based on SBP|LPE Discard packets longer than 16384 when !SBP to match the hardware behavior. Signed-off-by: Michael Contreras <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]> [ This is a security vulnerability, CVE-2012-6075 / XSA-41. ] (cherry picked from commit 4c2cae2a882db4d2a231b27b3b31a5bbec6dacbf) Index: xen-4.2.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c =================================================================== --- xen-4.2.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c +++ xen-4.2.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c @@ -55,6 +55,11 @@ static int debugflags = DBGBIT(TXERR) | #define REG_IOADDR 0x0 #define REG_IODATA 0x4 +/* this is the size past which hardware will drop packets when setting LPE=0 */ +#define MAXIMUM_ETHERNET_VLAN_SIZE 1522 +/* this is the size past which hardware will drop packets when setting LPE=1 */ +#define MAXIMUM_ETHERNET_LPE_SIZE 16384 + /* * HW models: * E1000_DEV_ID_82540EM works with Windows and Linux 
@@ -628,6 +633,14 @@ e1000_receive(void *opaque, const uint8_ return; } + /* Discard oversized packets if !LPE and !SBP. */ + if ((size > MAXIMUM_ETHERNET_LPE_SIZE || + (size > MAXIMUM_ETHERNET_VLAN_SIZE + && !(s->mac_reg[RCTL] & E1000_RCTL_LPE))) + && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) { + return; + } + if (!receive_filter(s, buf, size)) return; Index: xen-4.2.1-testing/tools/qemu-xen-dir-remote/hw/e1000.c =================================================================== --- xen-4.2.1-testing.orig/tools/qemu-xen-dir-remote/hw/e1000.c +++ xen-4.2.1-testing/tools/qemu-xen-dir-remote/hw/e1000.c @@ -59,6 +59,11 @@ static int debugflags = DBGBIT(TXERR) | #define PNPMMIO_SIZE 0x20000 #define MIN_BUF_SIZE 60 /* Min. octets in an ethernet frame sans FCS */ +/* this is the size past which hardware will drop packets when setting LPE=0 */ +#define MAXIMUM_ETHERNET_VLAN_SIZE 1522 +/* this is the size past which hardware will drop packets when setting LPE=1 */ +#define MAXIMUM_ETHERNET_LPE_SIZE 16384 + /* * HW models: * E1000_DEV_ID_82540EM works with Windows and Linux @@ -693,6 +698,14 @@ e1000_receive(VLANClientState *nc, const size = sizeof(min_buf); } + /* Discard oversized packets if !LPE and !SBP. */ + if ((size > MAXIMUM_ETHERNET_LPE_SIZE || + (size > MAXIMUM_ETHERNET_VLAN_SIZE + && !(s->mac_reg[RCTL] & E1000_RCTL_LPE))) + && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) { + return size; + } + if (!receive_filter(s, buf, size)) return size; ++++++ CVE-2013-0151-xsa34.patch ++++++ References: CVE-2013-0151 XSA-34 bnc#797285 x86_32: don't allow use of nested HVM There are (indirect) uses of map_domain_page() in the nested HVM code that are unsafe when not just using the 1:1 mapping. This is XSA-34 / CVE-2013-0151. Signed-off-by: Jan Beulich <[email protected]> --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c 
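Review bot: The comment `/* Discard oversized packets if !LPE and !SBP. */` above the new check in both e1000_receive() hunks does not match the condition, which also drops frames longer than MAXIMUM_ETHERNET_LPE_SIZE when LPE is set. Something like `/* Unless SBP is set, drop frames over 16384 bytes, or over 1522 bytes when LPE is clear. */` describes what is actually enforced. Reading `s->mac_reg[RCTL]` once into a local would also make the three-part condition easier to audit. Both functions continue outside their hunks.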
@@ -3930,6 +3930,10 @@ long do_hvm_op(unsigned long op, XEN_GUE rc = -EINVAL; break; case HVM_PARAM_NESTEDHVM: +#ifdef __i386__ + if ( a.value ) + rc = -EINVAL; +#else if ( a.value > 1 ) rc = -EINVAL; if ( !is_hvm_domain(d) ) @@ -3944,6 +3948,7 @@ long do_hvm_op(unsigned long op, XEN_GUE for_each_vcpu(d, v) if ( rc == 0 ) rc = nestedhvm_vcpu_initialise(v); +#endif break; case HVM_PARAM_BUFIOREQ_EVTCHN: rc = -EINVAL; ++++++ CVE-2013-0152-xsa35.patch ++++++ References: CVE-2013-0152 XSA-35 bnc#797287 xen: Do not allow guests to enable nested HVM on themselves There is no reason for this and doing so exposes a memory leak to guests. Only toolstacks need write access to this HVM param. This is XSA-35 / CVE-2013-0152. Signed-off-by: Ian Campbell <[email protected]> Acked-by: Jan Beulich <[email protected]> --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -3930,6 +3930,11 @@ long do_hvm_op(unsigned long op, XEN_GUE rc = -EINVAL; break; case HVM_PARAM_NESTEDHVM: + if ( !IS_PRIV(current->domain) ) + { + rc = -EPERM; + break; + } #ifdef __i386__ if ( a.value ) rc = -EINVAL; ++++++ domUloader.py ++++++ --- /var/tmp/diff_new_pack.ewVUv7/_old 2013-01-24 10:42:22.000000000 +0100 +++ /var/tmp/diff_new_pack.ewVUv7/_new 2013-01-24 10:42:22.000000000 +0100 @@ -37,6 +37,7 @@ from xen.xend import sxp import tempfile import time +import xnloader # Global options quiet = False @@ -447,6 +448,7 @@ raise sxpr += "(ramdisk %s)" % inm part.umount() + xnloader.patch_netware_loader(knm) return sxpr def main(argv): ++++++ pygrub-netware-xnloader.patch ++++++ Index: xen-4.2.1-testing/tools/pygrub/src/pygrub =================================================================== --- xen-4.2.1-testing.orig/tools/pygrub/src/pygrub +++ xen-4.2.1-testing/tools/pygrub/src/pygrub @@ -26,6 +26,7 @@ import fsimage import grub.GrubConf import grub.LiloConf import grub.ExtLinuxConf +import xnloader PYGRUB_VER = 0.6 FS_READ_MAX = 1024 * 1024 
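Review bot: The new `#ifdef __i386__` branch under `case HVM_PARAM_NESTEDHVM:` carries no comment, so the reason 32-bit builds refuse the parameter is recorded only in the patch description. A line such as `/* x86_32: nested HVM reaches map_domain_page() in ways that are unsafe here (XSA-34). */` above `if ( a.value )` would keep the restriction from being relaxed by accident. do_hvm_op() starts and ends outside the hunk.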
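Review bot: The `IS_PRIV(current->domain)` check in the XSA-35 hunk keeps guests from setting HVM_PARAM_NESTEDHVM, but the leak the description mentions is not addressed here, so a privileged caller that sets the parameter more than once would presumably still reach `nestedhvm_vcpu_initialise()` again. That is worth confirming against the code outside the hunk. A comment on the check, e.g. `/* Toolstack only: a guest could otherwise repeat the initialisation at will (XSA-35). */`, would record why the restriction exists.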
@@ -734,6 +735,8 @@ if __name__ == "__main__": if len(data) == 0: os.close(tfd) del datafile + if file_to_read == "/nwserver/xnloader.sys": + xnloader.patch_netware_loader(ret) return ret try: os.write(tfd, data) ++++++ x86-fpu-context-conditional.patch ++++++ --- 2013-01-08.orig/xen/arch/x86/domain.c 2013-01-08 00:00:00.000000000 +0100 +++ 2013-01-08/xen/arch/x86/domain.c 2013-01-15 15:46:17.000000000 +0100 
@@ -834,7 +834,9 @@ int arch_set_info_guest( v->arch.vgc_flags = flags; - memcpy(v->arch.fpu_ctxt, &c.nat->fpu_ctxt, sizeof(c.nat->fpu_ctxt)); + if ( flags & VGCF_I387_VALID ) + memcpy(v->arch.fpu_ctxt, &c.nat->fpu_ctxt, sizeof(c.nat->fpu_ctxt)); + if ( !compat ) { memcpy(&v->arch.user_regs, &c.nat->user_regs, sizeof(c.nat->user_regs)); ++++++ xnloader.py ++++++ # NetWare-specific operations # # Copyright (c) 2013 Suse Linux Products. # Author: Charles Arnold <[email protected]> # # This software may be freely redistributed under the terms of the GNU # general public license. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # Binary patching of xnloader.sys # For launching NetWare on Xen 4.2 and newer import os, sys, base64 CODE_OFFSET=0x49F5 NUMBER_OF_CODE_BYTES=17 ORIGINAL_CODE="BA00080000C786FC1F0000FFFFFFFF31C9" PATCHED_CODE="BAF8070000834C961CFFB9080000009090" XNLOADER_SYS_MD5SUM="eb76cce2a2d45928ea2bf26e01430af2" def patch_netware_loader(loader): """Open the given xnloader.sys file and patch the relevant code hunk.""" # domUloader calls this with all kernels so perhaps this is not the NetWare loader md5sum_cmd = 'md5sum ' + loader p = os.popen(md5sum_cmd) sum = p.read().split()[0] p.close() if sum != XNLOADER_SYS_MD5SUM: return try: fd = os.open(loader, os.O_RDWR) except Exception, e: print >>sys.stderr, e raise # Validate minimum size for I/O stat = os.fstat(fd) if stat.st_size < CODE_OFFSET+NUMBER_OF_CODE_BYTES: os.close(fd) return # Seek to location of code hunk os.lseek(fd, CODE_OFFSET, os.SEEK_SET) # Read code bytes at offset buf = os.read(fd, NUMBER_OF_CODE_BYTES) code_as_hex = base64.b16encode(buf) if code_as_hex == ORIGINAL_CODE: # Seek back to start location of the code hunk os.lseek(fd, CODE_OFFSET, os.SEEK_SET) # Convert the PATCHED_CODE string to raw binary code_as_bin = base64.b16decode(PATCHED_CODE) # 
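Review bot: With the new `if ( flags & VGCF_I387_VALID )` guard in arch_set_info_guest(), `v->arch.fpu_ctxt` is left as it was when the flag is clear, and the hunk does not show what the area holds at that point. If it is not zeroed at allocation the vcpu would start with whatever was there before, so that should be confirmed and a comment such as `/* Keep the existing FPU state unless the caller marks fpu_ctxt as valid. */` added above the check. The patch file also carries no description or sign-off, unlike the other patches in this submission.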
Write the patched code os.write(fd, code_as_bin) os.close(fd) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
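Review bot: patch_netware_loader() builds `'md5sum ' + loader` and hands it to `os.popen`, so the path reaches a shell unquoted, and the file is then reopened by name, which means the bytes that were hashed are not necessarily the bytes that get patched. domUloader.py calls this for every kernel it extracts, and `p.read().split()[0]` raises IndexError whenever md5sum prints nothing. Hashing through the already opened descriptor with `hashlib` (which would have to be added to the `import os, sys, base64` line) removes the shell and the second lookup, and a `try`/`finally` closes `fd` on every path. Opening read-write up front does mean that a non-NetWare kernel which cannot be opened for writing now raises where it was skipped before, which should be acceptable for the temporary files the callers pass in but is worth checking.

```python
def patch_netware_loader(loader):
    """Open the given xnloader.sys file and patch the relevant code hunk."""
    fd = os.open(loader, os.O_RDWR)
    try:
        # Hash through the descriptor that will be patched; no shell involved.
        digest = hashlib.md5()
        chunk = os.read(fd, 65536)
        while chunk:
            digest.update(chunk)
            chunk = os.read(fd, 65536)
        # domUloader calls this with all kernels so perhaps this is not the NetWare loader
        if digest.hexdigest() != XNLOADER_SYS_MD5SUM:
            return
        # ... unchanged: size check, seek to CODE_OFFSET, compare with ORIGINAL_CODE,
        # write PATCHED_CODE (minus the explicit os.close(fd) calls) ...
    finally:
        os.close(fd)
```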
