From f73a188c0534a6b925292f3aeaa594f568dd6a22 Mon Sep 17 00:00:00 2001 From: Yixun Lan Date: Fri, 24 Jan 2014 15:25:38 +0000 Subject: fix security bugs #499054, #499124 (Portage version: 2.2.8/cvs/Linux x86_64, signed Manifest commit with key 0xAABEFD55) --- app-emulation/xen/ChangeLog | 10 +- app-emulation/xen/files/xen-4-XSA-83.patch | 20 ++++ app-emulation/xen/files/xen-4.2-XSA-87.patch | 21 ++++ app-emulation/xen/files/xen-4.3-XSA-87.patch | 23 +++++ app-emulation/xen/xen-4.2.2-r3.ebuild | 144 +++++++++++++++++++++++++++ app-emulation/xen/xen-4.3.1-r4.ebuild | 143 ++++++++++++++++++++++++++ 6 files changed, 360 insertions(+), 1 deletion(-) create mode 100644 app-emulation/xen/files/xen-4-XSA-83.patch create mode 100644 app-emulation/xen/files/xen-4.2-XSA-87.patch create mode 100644 app-emulation/xen/files/xen-4.3-XSA-87.patch create mode 100644 app-emulation/xen/xen-4.2.2-r3.ebuild create mode 100644 app-emulation/xen/xen-4.3.1-r4.ebuild (limited to 'app-emulation') diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog index 4db995ae9fd1..6c36f02438d2 100644 --- a/app-emulation/xen/ChangeLog +++ b/app-emulation/xen/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-emulation/xen # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.143 2014/01/17 02:44:09 dlan Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.144 2014/01/24 15:25:38 dlan Exp $ + +*xen-4.3.1-r4 (24 Jan 2014) +*xen-4.2.2-r3 (24 Jan 2014) + + 24 Jan 2014; Yixun Lan +xen-4.2.2-r3.ebuild, + +xen-4.3.1-r4.ebuild, +files/xen-4-XSA-83.patch, +files/xen-4.2-XSA-87.patch, + +files/xen-4.3-XSA-87.patch: + fix security bugs #499054, #499124 *xen-4.2.2-r2 (17 Jan 2014) diff --git a/app-emulation/xen/files/xen-4-XSA-83.patch b/app-emulation/xen/files/xen-4-XSA-83.patch new file mode 100644 index 000000000000..209c38b93d59 --- /dev/null +++ b/app-emulation/xen/files/xen-4-XSA-83.patch @@ -0,0 +1,20 @@ +x86/irq: avoid use-after-free on error path in pirq_guest_bind() + +This is XSA-83. + +Coverity-ID: 1146952 +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich + +--- a/xen/arch/x86/irq.c ++++ b/xen/arch/x86/irq.c +@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru + printk(XENLOG_G_INFO + "Cannot bind IRQ%d to dom%d. Out of memory.\n", + pirq->pirq, v->domain->domain_id); +- rc = -ENOMEM; +- goto out; ++ return -ENOMEM; + } + + action = newaction; diff --git a/app-emulation/xen/files/xen-4.2-XSA-87.patch b/app-emulation/xen/files/xen-4.2-XSA-87.patch new file mode 100644 index 000000000000..494cf5e2bf5d --- /dev/null +++ b/app-emulation/xen/files/xen-4.2-XSA-87.patch @@ -0,0 +1,21 @@ +x86: PHYSDEVOP_{prepare,release}_msix are privileged + +Yet this wasn't being enforced. + +This is XSA-87. + +Signed-off-by: Jan Beulich + +--- a/xen/arch/x86/physdev.c ++++ b/xen/arch/x86/physdev.c +@@ -612,7 +612,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H + case PHYSDEVOP_release_msix: { + struct physdev_pci_device dev; + +- if ( copy_from_guest(&dev, arg, 1) ) ++ if ( !IS_PRIV(v->domain) ) ++ ret = -EPERM; ++ else if ( copy_from_guest(&dev, arg, 1) ) + ret = -EFAULT; + else + ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn, diff --git a/app-emulation/xen/files/xen-4.3-XSA-87.patch b/app-emulation/xen/files/xen-4.3-XSA-87.patch new file mode 100644 index 000000000000..3c31ed5d9f66 --- /dev/null +++ b/app-emulation/xen/files/xen-4.3-XSA-87.patch @@ -0,0 +1,23 @@ +x86: PHYSDEVOP_{prepare,release}_msix are privileged + +Yet this wasn't being enforced. + +This is XSA-87. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- 2014-01-14.orig/xen/arch/x86/physdev.c 2013-11-18 11:03:37.000000000 +0100 ++++ 2014-01-14/xen/arch/x86/physdev.c 2014-01-22 12:47:47.000000000 +0100 +@@ -640,7 +640,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H + if ( copy_from_guest(&dev, arg, 1) ) + ret = -EFAULT; + else +- ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn, ++ ret = xsm_resource_setup_pci(XSM_PRIV, ++ (dev.seg << 16) | (dev.bus << 8) | ++ dev.devfn) ?: ++ pci_prepare_msix(dev.seg, dev.bus, dev.devfn, + cmd != PHYSDEVOP_prepare_msix); + break; + } diff --git a/app-emulation/xen/xen-4.2.2-r3.ebuild b/app-emulation/xen/xen-4.2.2-r3.ebuild new file mode 100644 index 000000000000..4d59d8294604 --- /dev/null +++ b/app-emulation/xen/xen-4.2.2-r3.ebuild @@ -0,0 +1,144 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r3.ebuild,v 1.1 2014/01/24 15:25:38 dlan Exp $ + +EAPI=5 + +PYTHON_COMPAT=( python{2_6,2_7} ) + +if [[ $PV == *9999 ]]; then + KEYWORDS="" + REPO="xen-unstable.hg" + EHG_REPO_URI="http://xenbits.xensource.com/${REPO}" + S="${WORKDIR}/${REPO}" + live_eclass="mercurial" +else + KEYWORDS="~amd64 ~x86" + SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz" +fi + +inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass} + +DESCRIPTION="The Xen virtual machine monitor" +HOMEPAGE="http://xen.org/" +LICENSE="GPL-2" +SLOT="0" +IUSE="custom-cflags debug efi flask pae xsm" + +DEPEND="${PYTHON_DEPS} + efi? ( >=sys-devel/binutils-2.22[multitarget] ) + !efi? ( >=sys-devel/binutils-2.22[-multitarget] )" +RDEPEND="" +PDEPEND="~app-emulation/xen-tools-${PV}" + +RESTRICT="test" + +# Approved by QA team in bug #144032 +QA_WX_LOAD="boot/xen-syms-${PV}" + +REQUIRED_USE=" + flask? ( xsm ) + " + +#Security patches +XSA_PATCHES=( + "${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch + "${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch + "${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch + "${FILESDIR}"/${PN}-4.2-CVE-2013-4553-XSA-74.patch + "${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch + "${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch + "${FILESDIR}"/${PN}-4-XSA-83.patch #bug #499054 + "${FILESDIR}"/${PN}-4.2-XSA-87.patch #bug #499124 +) + +pkg_setup() { + python-any-r1_pkg_setup + if [[ -z ${XEN_TARGET_ARCH} ]]; then + if use x86 && use amd64; then + die "Confusion! Both x86 and amd64 are set in your use flags!" + elif use x86; then + export XEN_TARGET_ARCH="x86_32" + elif use amd64; then + export XEN_TARGET_ARCH="x86_64" + else + die "Unsupported architecture!" + fi + fi + + if use flask ; then + export "XSM_ENABLE=y" + export "FLASK_ENABLE=y" + elif use xsm ; then + export "XSM_ENABLE=y" + fi +} + +src_prepare() { + # Drop .config and fix gcc-4.6 + epatch "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch + + if use efi; then + epatch "${FILESDIR}"/${PN}-4.2-efi.patch + export EFI_VENDOR="gentoo" + export EFI_MOUNTPOINT="boot" + fi + + # if the user *really* wants to use their own custom-cflags, let them + if use custom-cflags; then + einfo "User wants their own CFLAGS - removing defaults" + # try and remove all the default custom-cflags + find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \ + -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \ + -i {} \; || die "failed to re-set custom-cflags" + fi + + # not strictly necessary to fix this + sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py" + + [[ ${XSA_PATCHES[@]} ]] && epatch "${XSA_PATCHES[@]}" + epatch_user +} + +src_configure() { + use debug && myopt="${myopt} debug=y" + use pae && myopt="${myopt} pae=y" + + if use custom-cflags; then + filter-flags -fPIE -fstack-protector + replace-flags -O3 -O2 + else + unset CFLAGS + fi +} + +src_compile() { + # Send raw LDFLAGS so that --as-needed works + emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt} +} + +src_install() { + local myopt + use debug && myopt="${myopt} debug=y" + use pae && myopt="${myopt} pae=y" + + # The 'make install' doesn't 'mkdir -p' the subdirs + if use efi; then + mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die + fi + + emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install +} + +pkg_postinst() { + elog "Official Xen Guide and the unoffical wiki page:" + elog " http://www.gentoo.org/doc/en/xen-guide.xml" + elog " http://en.gentoo-wiki.com/wiki/Xen/" + + use pae && ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!" + use efi && einfo "The efi executable is installed in boot/efi/gentoo" +} diff --git a/app-emulation/xen/xen-4.3.1-r4.ebuild b/app-emulation/xen/xen-4.3.1-r4.ebuild new file mode 100644 index 000000000000..c3bae933263c --- /dev/null +++ b/app-emulation/xen/xen-4.3.1-r4.ebuild @@ -0,0 +1,143 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.1-r4.ebuild,v 1.1 2014/01/24 15:25:38 dlan Exp $ + +EAPI=5 + +PYTHON_COMPAT=( python2_7 ) + +if [[ $PV == *9999 ]]; then + KEYWORDS="" + REPO="xen-unstable.hg" + EHG_REPO_URI="http://xenbits.xensource.com/${REPO}" + S="${WORKDIR}/${REPO}" + live_eclass="mercurial" +else + # Set to match entry in stable 4.3.1-r1, Bug 493944 + KEYWORDS="~amd64 -x86" + SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz" +fi + +inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass} + +DESCRIPTION="The Xen virtual machine monitor" +HOMEPAGE="http://xen.org/" +LICENSE="GPL-2" +SLOT="0" +IUSE="custom-cflags debug efi flask xsm" + +DEPEND="${PYTHON_DEPS} + efi? ( >=sys-devel/binutils-2.22[multitarget] ) + !efi? ( >=sys-devel/binutils-2.22[-multitarget] )" +RDEPEND="" +PDEPEND="~app-emulation/xen-tools-${PV}" + +RESTRICT="test" + +# Approved by QA team in bug #144032 +QA_WX_LOAD="boot/xen-syms-${PV}" + +REQUIRED_USE="flask? ( xsm )" + +# Security patches +XSA_PATCHES=( + "${FILESDIR}"/${PN}-CVE-2013-4375-XSA-71.patch + "${FILESDIR}"/${PN}-CVE-2013-4494-XSA-73.patch + "${FILESDIR}"/${PN}-4.3-CVE-2013-6375-XSA-75.patch + "${FILESDIR}"/${PN}-CVE-2013-6375-XSA-78.patch + "${FILESDIR}"/${PN}-CVE-2013-6885-XSA-82.patch + "${FILESDIR}"/${PN}-4.3-CVE-2013-4553-XSA-74.patch + "${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch + "${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch + "${FILESDIR}"/${PN}-4-XSA-83.patch #bug #499054 + "${FILESDIR}"/${PN}-4.3-XSA-87.patch #bug #499124 +) + +pkg_setup() { + python-any-r1_pkg_setup + if [[ -z ${XEN_TARGET_ARCH} ]]; then + if use x86 && use amd64; then + die "Confusion! Both x86 and amd64 are set in your use flags!" + elif use x86; then + export XEN_TARGET_ARCH="x86_32" + elif use amd64; then + export XEN_TARGET_ARCH="x86_64" + else + die "Unsupported architecture!" + fi + fi + + if use flask ; then + export "XSM_ENABLE=y" + export "FLASK_ENABLE=y" + elif use xsm ; then + export "XSM_ENABLE=y" + fi +} + +src_prepare() { + # Drop .config and fix gcc-4.6 + epatch "${FILESDIR}"/${PN/-pvgrub/}-4.3-fix_dotconfig-gcc.patch + + if use efi; then + epatch "${FILESDIR}"/${PN}-4.2-efi.patch + export EFI_VENDOR="gentoo" + export EFI_MOUNTPOINT="boot" + fi + + # if the user *really* wants to use their own custom-cflags, let them + if use custom-cflags; then + einfo "User wants their own CFLAGS - removing defaults" + # try and remove all the default custom-cflags + find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \ + -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \ + -i {} \; || die "failed to re-set custom-cflags" + fi + + # not strictly necessary to fix this + sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py" + + [[ ${XSA_PATCHES[@]} ]] && epatch "${XSA_PATCHES[@]}" + + epatch_user +} + +src_configure() { + use debug && myopt="${myopt} debug=y" + + if use custom-cflags; then + filter-flags -fPIE -fstack-protector + replace-flags -O3 -O2 + else + unset CFLAGS + fi +} + +src_compile() { + # Send raw LDFLAGS so that --as-needed works + emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt} +} + +src_install() { + local myopt + use debug && myopt="${myopt} debug=y" + + # The 'make install' doesn't 'mkdir -p' the subdirs + if use efi; then + mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die + fi + + emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install +} + +pkg_postinst() { + elog "Official Xen Guide and the unoffical wiki page:" + elog " http://www.gentoo.org/doc/en/xen-guide.xml" + elog " http://en.gentoo-wiki.com/wiki/Xen/" + + use efi && einfo "The efi executable is installed in boot/efi/gentoo" +} -- cgit v1.2.3-65-gdbad