author | 2013-06-28 15:07:40 +0000 | |
---|---|---|
committer | 2013-06-28 15:07:40 +0000 | |
commit | 74dcaedbb1bf69a6635a645969588ad0626f228c (patch) | |
tree | c45243df3d7736d730985b037bbe0bdae713be00 /app-emulation | |
parent | Bump to TeX Live 2013 (diff) | |
Add sec patch XSA-58 wrt Bug #472214, refrained from revbump since last 2 are still poised for testing
(Portage version: 2.1.11.63/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation')
-rw-r--r-- | app-emulation/xen/ChangeLog | 8 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4.2-CVE-2013-1432-XSA-58.patch | 130 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.2.1-r4.ebuild | 5 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.2.2-r1.ebuild | 5 |
4 files changed, 143 insertions, 5 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog index 2e10d3dec494..6617660f3f98 100644 --- a/app-emulation/xen/ChangeLog +++ b/app-emulation/xen/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for app-emulation/xen # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.122 2013/06/27 06:05:11 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.123 2013/06/28 15:07:40 idella4 Exp $ + + 28 Jun 2013; Ian Delaney <idella4@gentoo.org> + +files/xen-4.2-CVE-2013-1432-XSA-58.patch, xen-4.2.1-r4.ebuild, + xen-4.2.2-r1.ebuild: + Add sec patch XSA-58 wrt Bug #472214, refrained from revbump since last 2 are + still poised for testing 27 Jun 2013; Ian Delaney <idella4@gentoo.org> xen-4.2.1-r4.ebuild: correction to pacth name diff --git a/app-emulation/xen/files/xen-4.2-CVE-2013-1432-XSA-58.patch b/app-emulation/xen/files/xen-4.2-CVE-2013-1432-XSA-58.patch new file mode 100644 index 000000000000..c3b8aaafa5ae --- /dev/null +++ b/app-emulation/xen/files/xen-4.2-CVE-2013-1432-XSA-58.patch 
@@ -0,0 +1,130 @@ +x86: fix page refcount handling in page table pin error path + +In the original patch 7 of the series addressing XSA-45 I mistakenly +took the addition of the call to get_page_light() in alloc_page_type() +to cover two decrements that would happen: One for the PGT_partial bit +that is getting set along with the call, and the other for the page +reference the caller hold (and would be dropping on its error path). +But of course the additional page reference is tied to the PGT_partial +bit, and hence any caller of a function that may leave +->arch.old_guest_table non-NULL for error cleanup purposes has to make +sure a respective page reference gets retained. + +Similar issues were then also spotted elsewhere: In effect all callers +of get_page_type_preemptible() need to deal with errors in similar +ways. To make sure error handling can work this way without leaking +page references, a respective assertion gets added to that function. + +This is CVE-2013-1432 / XSA-58. + +Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Tim Deegan <tim@xen.org> + +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -941,6 +941,10 @@ int arch_set_info_guest( + if ( v->vcpu_id == 0 ) + d->vm_assist = c(vm_assist); + ++ rc = put_old_guest_table(current); ++ if ( rc ) ++ return rc; ++ + if ( !compat ) + rc = (int)set_gdt(v, c.nat->gdt_frames, c.nat->gdt_ents); + #ifdef CONFIG_COMPAT +@@ -980,18 +984,24 @@ int arch_set_info_guest( + } + else + { +- /* +- * Since v->arch.guest_table{,_user} are both NULL, this effectively +- * is just a call to put_old_guest_table(). +- */ + if ( !compat ) +- rc = vcpu_destroy_pagetables(v); ++ rc = put_old_guest_table(v); + if ( !rc ) + rc = get_page_type_preemptible(cr3_page, + !compat ? 
PGT_root_page_table + : PGT_l3_page_table); +- if ( rc == -EINTR ) ++ switch ( rc ) ++ { ++ case -EINTR: + rc = -EAGAIN; ++ case -EAGAIN: ++ case 0: ++ break; ++ default: ++ if ( cr3_page == current->arch.old_guest_table ) ++ cr3_page = NULL; ++ break; ++ } + } + if ( rc ) + /* handled below */; +@@ -1018,6 +1028,11 @@ int arch_set_info_guest( + pagetable_get_page(v->arch.guest_table); + v->arch.guest_table = pagetable_null(); + break; ++ default: ++ if ( cr3_page == current->arch.old_guest_table ) ++ cr3_page = NULL; ++ case 0: ++ break; + } + } + if ( !rc ) +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -718,7 +718,8 @@ static int get_page_and_type_from_pagenr + get_page_type_preemptible(page, type) : + (get_page_type(page, type) ? 0 : -EINVAL)); + +- if ( unlikely(rc) && partial >= 0 ) ++ if ( unlikely(rc) && partial >= 0 && ++ (!preemptible || page != current->arch.old_guest_table) ) + put_page(page); + + return rc; +@@ -2638,6 +2639,7 @@ int put_page_type_preemptible(struct pag + + int get_page_type_preemptible(struct page_info *page, unsigned long type) + { ++ ASSERT(!current->arch.old_guest_table); + return __get_page_type(page, type, 1); + } + +@@ -2848,7 +2850,7 @@ static void put_superpage(unsigned long + + #endif + +-static int put_old_guest_table(struct vcpu *v) ++int put_old_guest_table(struct vcpu *v) + { + int rc; + +@@ -3253,7 +3255,8 @@ long do_mmuext_op( + rc = -EAGAIN; + else if ( rc != -EAGAIN ) + MEM_LOG("Error while pinning mfn %lx", page_to_mfn(page)); +- put_page(page); ++ if ( page != curr->arch.old_guest_table ) ++ put_page(page); + break; + } + +--- a/xen/include/asm-x86/mm.h ++++ b/xen/include/asm-x86/mm.h +@@ -374,6 +374,7 @@ void put_page_type(struct page_info *pag + int get_page_type(struct page_info *page, unsigned long type); + int put_page_type_preemptible(struct page_info *page); + int get_page_type_preemptible(struct page_info *page, unsigned long type); ++int put_old_guest_table(struct vcpu *); + int get_page_from_l1e( + 
l1_pgentry_t l1e, struct domain *l1e_owner, struct domain *pg_owner); + void put_page_from_l1e(l1_pgentry_t l1e, struct domain *l1e_owner); + diff --git a/app-emulation/xen/xen-4.2.1-r4.ebuild b/app-emulation/xen/xen-4.2.1-r4.ebuild index 9ae72f4a1af7..f8f7643cde8e 100644 --- a/app-emulation/xen/xen-4.2.1-r4.ebuild +++ b/app-emulation/xen/xen-4.2.1-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.1-r4.ebuild,v 1.2 2013/06/27 06:05:11 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.1-r4.ebuild,v 1.3 2013/06/28 15:07:39 idella4 Exp $ EAPI=5 @@ -94,7 +94,8 @@ src_prepare() { "${FILESDIR}"/${PN}-4-CVE-2013-0153-XSA-36.patch \ "${FILESDIR}"/${PN}-4-CVE-2013-1917-XSA-44.patch \ "${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch \ - "${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch + "${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch \ + "${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch } src_configure() { diff --git a/app-emulation/xen/xen-4.2.2-r1.ebuild b/app-emulation/xen/xen-4.2.2-r1.ebuild index 27a3eb9d060d..2074348207f8 100644 --- a/app-emulation/xen/xen-4.2.2-r1.ebuild +++ b/app-emulation/xen/xen-4.2.2-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r1.ebuild,v 1.1 2013/06/26 06:35:38 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r1.ebuild,v 1.2 2013/06/28 15:07:40 idella4 Exp $ EAPI=5 @@ -89,7 +89,8 @@ src_prepare() { #Security patches epatch "${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch \ - "${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch + "${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch \ + "${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch epatch_user } |
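Review bot: The new `page != current->arch.old_guest_table` tests that skip `put_page()` in `get_page_and_type_from_pagenr()` and `do_mmuext_op()`, and the `cr3_page = NULL` assignments in both `default:` arms of `arch_set_info_guest()`, carry no comment, so the reference-ownership rule they implement is stated only in the patch description. A one-line comment at each site would keep a later cleanup from reintroducing the extra reference drop, for example `/* Page is parked in ->arch.old_guest_table for cleanup; that path owns the reference tied to PGT_partial. */`. Both switches also rely on unmarked fall-through (`case -EINTR:` into `case -EAGAIN:`, and `default:` into `case 0:`), which deserves a `/* fall through */`. If ASSERT() is compiled out of non-debug builds, as is usual, the precondition added to `get_page_type_preemptible()` goes unchecked there and should also be written as a comment above the function. All of these functions start or end outside the visible hunks.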
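Review bot: Adding `"${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch` to the `epatch` list in `src_prepare()` without a revision bump means a host that has already built xen-4.2.1-r4 is not offered a rebuild and keeps running a hypervisor without the XSA-58 fix. The commit message gives the reason (as I read it, both revisions are still waiting on testing), but that does not cover anyone who installed them from the testing tree in the meantime. Either bump to a new revision, or say in the ChangeLog entry that existing installs of these two revisions must be re-emerged by hand. The same applies to the matching hunk in xen-4.2.2-r1.ebuild; `src_prepare()` starts above both hunks.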