Diffstat (limited to 'app-emulation/xen')
-rw-r--r-- | app-emulation/xen/Manifest | 1 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch | 18 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch | 70 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch | 23 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch | 37 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.2.1-r1.ebuild | 123 |
6 files changed, 272 insertions, 0 deletions
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index e0a06e3..ddf30d9 100644
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -1 +1,2 @@
 DIST xen-4.2.0.tar.gz 15587687 SHA256 43f4a086e4e0330145a27b7ace8365c42b5afbc95cefadafe067be91bd3e5cfb SHA512 4fb56c79d722fb307bc657f16d02079c6636427e7650c4354193632d38d2d1db8e588f844ff0ca6e757c108ed639a528565ec9fc7c00bb4d5b6fbc9d122d8a70 WHIRLPOOL 369a109375864cb61920b56cf501522051d28513e738f0fd0e7b76244c3e08a8a0a6ff6cf245872d9bbd9c0f22c7da76c9cbc0f852bad6108ca25fd42dc677c0
+DIST xen-4.2.1.tar.gz 15593695 SHA256 fb8df5827ce3e2d2d3b078d9e5afde502beb5e7ab9442e51a94087061bd450c6 SHA512 fe27a965e2b34035bd025482eda9fc4d4e82523c929323fd30813367d5ffbe2fa1ed3d7d4479f2632e8b5625972448b7bd6a7768e8dc1dcd1b6747d281cc1a9e WHIRLPOOL 226bbed059541e804f1a44e721023ffbc04bae43000653b1d7d6a9bfec0d9efbf7a48b1b0a7ad3fcb8e34f8b91e1c620c2a8eddf97baad487e9db37d49a58f37
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch
new file mode 100644
index 0000000..20342ec
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch
@@ -0,0 +1,18 @@
+VT-d: fix interrupt remapping source validation for devices behind legacy bridges
+Using SVT_VERIFY_BUS here doesn't make sense;
+
+native Linux also uses SVT_VERIFY_SID_SQ here instead.
+This is XSA-33 / CVE-2012-5634.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/drivers/passthrough/vtd/intremap.c
++++ xen/drivers/passthrough/vtd/intremap.c
+@@ -466,7 +466,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
+ set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
+ (bus << 8) | pdev->bus);
+ else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
++ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
+ PCI_BDF2(bus, devfn));
+ }
+ break;
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch
new file mode 100644
index 0000000..f074fa6
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch
@@ -0,0 +1,70 @@
+commit 66141b2e068fa39f28bdda6be05882e323663687
+Author: Michael Young
+Date: Tue Jan 22 22:22:10 2013 +0000
+
+ Security fix from nested virtualization CVE-2013-0151,
+ restore status option to xend which is used by libvirt
+#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch
+#new file mode 100644
+#index 0000000..f5328ef
+#--- /dev/null
+#+++ xsa34-4.2.patch
+#@@ -0,0 +1,30 @@
+#+x86_32: don't allow use of nested HVM
+#+
+#+There are (indirect) uses of map_domain_page() in the nested HVM code
+#+that are unsafe when not just using the 1:1 mapping.
+#+
+#+This is XSA-34 / CVE-2013-0151.
+#+
+#+Signed-off-by: Jan Beulich
+#+
+#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch
+#new file mode 100644
+#index 0000000..28c6171
+#--- /dev/null
+#+++ xsa35-4.2-with-xsa34.patch
+#@@ -0,0 +1,24 @@
+#+xen: Do not allow guests to enable nested HVM on themselves
+#+
+#+There is no reason for this and doing so exposes a memory leak to
+#+guests. Only toolstacks need write access to this HVM param.
+#+
+#+This is XSA-35 / CVE-2013-0152.
+#+
+#+Signed-off-by: Ian Campbell
+#+Acked-by: Jan Beulich
+#+
+--- xen/arch/x86/hvm/hvm.c
++++ xen/arch/x86/hvm/hvm.c
+@@ -3858,6 +3858,11 @@
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++ if ( !IS_PRIV(current->domain) )
++ {
++ rc = -EPERM;
++ break;
++ }
+ if ( a.value > 1 )
+ rc = -EINVAL;
+ if ( !is_hvm_domain(d) )
+@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++#ifdef __i386__
++ if ( a.value )
++ rc = -EINVAL;
++#else
+ if ( a.value > 1 )
+ rc = -EINVAL;
+ if ( !is_hvm_domain(d) )
+@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ for_each_vcpu(d, v)
+ if ( rc == 0 )
+ rc = nestedhvm_vcpu_initialise(v);
++#endif
+ break;
+ case HVM_PARAM_BUFIOREQ_EVTCHN:
+ rc = -EINVAL;
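Review bot: The two hunks against xen/arch/x86/hvm/hvm.c carry the same three context lines around `case HVM_PARAM_NESTEDHVM:` but independent line numbers (`@@ -3858,6 +3858,11 @@` followed by `@@ -3926,6 +3926,10 @@`, whose new-side offset is not shifted by the five lines the first hunk inserts), which reads as two upstream patches concatenated rather than a diff taken against the 4.2.1 tree. If hvm.c has only one such case, the second hunk can apply only by fuzz or offset once the first has inserted the `IS_PRIV` block, so it is worth confirming from the epatch output that both hunks apply and that the final case keeps both the `IS_PRIV(current->domain)` check and the `#ifdef __i386__` guard; re-diffing the combined change against 4.2.1 would remove the doubt. The file name records only CVE-2013-0151, while the body also carries the XSA-35 / CVE-2013-0152 fix; a header line in the patch such as `XSA-34 (CVE-2013-0151) and XSA-35 (CVE-2013-0152) combined for xen-4.2.1` would keep the advisory trail complete. The commented-out `#diff --git`, `#index` and `#@@` lines from the intermediate commit are ignored by patch but add nothing for a reader and could be dropped.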
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch
new file mode 100644
index 0000000..bb43acd
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch
@@ -0,0 +1,23 @@
+x86: fix assertion in get_page_type()
+
+c/s 22998:e9fab50d7b61 (and immediately following ones) made it
+possible that __get_page_type() returns other than -EINVAL, in
+particular -EBUSY. Consequently, the assertion in get_page_type()
+should check for only the return values we absolutely don't expect to
+see there.
+
+This is XSA-37 / CVE-2013-0154.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/arch/x86/mm.c
++++ xen/arch/x86/mm.c
+@@ -2586,7 +2586,7 @@ int get_page_type(struct page_info *page
+ int rc = __get_page_type(page, type, 0);
+ if ( likely(rc == 0) )
+ return 1;
+- ASSERT(rc == -EINVAL);
++ ASSERT(rc != -EINTR && rc != -EAGAIN);
+ return 0;
+ }
+
diff --git a/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
new file mode 100644
index 0000000..c0dbd20
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
@@ -0,0 +1,37 @@
+# Fix gcc-4.6
+diff -ur xen-4.2.0.orig/extras/mini-os/minios.mk xen-4.2.0/extras/mini-os/minios.mk
+--- extras/mini-os/minios.mk 2012-09-17 18:21:17.000000000 +0800
++++ extras/mini-os/minios.mk 2012-12-05 14:01:10.653260260 +0800
+@@ -6,7 +6,7 @@
+
+ # Define some default flags.
+ # NB. '-Wcast-qual' is nasty, so I omitted it.
+-DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls
++DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls
+ DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,)
+ DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline)
+ DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline
+diff -ur xen-4.2.0.orig/tools/libxc/Makefile xen-4.2.0/tools/libxc/Makefile
+--- tools/libxc/Makefile 2012-09-17 18:21:18.000000000 +0800
++++ tools/libxc/Makefile 2012-12-05 14:01:10.653260260 +0800
+@@ -73,7 +73,7 @@
+
+ -include $(XEN_TARGET_ARCH)/Makefile
+
+-CFLAGS += -Werror -Wmissing-prototypes
++CFLAGS += -Wmissing-prototypes
+ CFLAGS += -I. $(CFLAGS_xeninclude)
+
+ # Needed for posix_fadvise64() in xc_linux.c
+# Drop .config
+diff -ur xen-4.2.0.orig/Config.mk xen-4.2.0/Config.mk
+--- Config.mk 2012-09-17 18:23:12.000000000 +0800
++++ Config.mk 2012-12-05 14:01:10.641260261 +0800
+@@ -7,7 +7,6 @@
+ # fallback for older make
+ realpath = $(wildcard $(foreach file,$(1),$(shell cd -P $(dir $(file)) && echo "$$PWD/$(notdir $(file))")))
+
+--include $(XEN_ROOT)/.config
+
+ # A debug build of Xen and tools?
+ debug ?= n
diff --git a/app-emulation/xen/xen-4.2.1-r1.ebuild b/app-emulation/xen/xen-4.2.1-r1.ebuild
new file mode 100644
index 0000000..b3d3a88
--- /dev/null
+++ b/app-emulation/xen/xen-4.2.1-r1.ebuild
@@ -0,0 +1,123 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.1-r1.ebuild,v 1.2 2013/01/31 15:43:53 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_6,2_7} )
+
+if [[ $PV == *9999 ]]; then
+ KEYWORDS=""
+ REPO="xen-unstable.hg"
+ EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+ S="${WORKDIR}/${REPO}"
+ live_eclass="mercurial"
+else
+ KEYWORDS="~amd64 ~x86"
+ SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-single-r1 toolchain-funcs ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug flask pae xsm"
+
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="
+ flask? ( xsm )
+ "
+
+pkg_setup() {
+ python-single-r1_pkg_setup
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ if use flask ; then
+ export "XSM_ENABLE=y"
+ export "FLASK_ENABLE=y"
+ elif use xsm ; then
+ export "XSM_ENABLE=y"
+ fi
+}
+
+src_prepare() {
+ # Drop .config and fix gcc-4.6
+ epatch "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \; || die "failed to re-set custom-cflags"
+ fi
+
+ # not strictly necessary to fix this
+ sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+ #Security patches
+ epatch "${FILESDIR}"/${PN}-4-CVE-2012-5634-XSA-33.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-0151-XSA-34_35.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-0154-XSA-37.patch
+}
+
+src_configure() {
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+}
+
+src_compile() {
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ if use pae; then
+ echo
+ ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+ fi
+} |
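Review bot: In src_prepare the custom-cflags clean-up `find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \` attaches `-exec` only to `-name Config.mk`, because find's implicit `-a` binds tighter than `-o`, so the sed never touches Makefile or Rules.mk and the default CFLAGS survive there; group the tests as `find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) -exec sed \`. With `-exec … \;` a non-zero exit from sed does not change find's exit status, so `|| die "failed to re-set custom-cflags"` only catches find's own errors; `-exec … -i {} +` makes a failing sed fail the phase. The dotconfig patch is named via `${PN/-pvgrub/}` while the three XSA patches use plain `${PN}`; both expand the same for PN=xen, but the mixed forms suggest the block is shared with a pvgrub variant, where the security patch names would then not resolve.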