authorIan Delaney <idella4@gentoo.org>2013-06-26 14:42:15 +0000
committerIan Delaney <idella4@gentoo.org>2013-06-26 14:42:15 +0000
commitc5c47a53903e939660d74f28375812629e3f5c04 (patch)
treed6ec41f950657a6d95dfab197c994740498c0500 /app-emulation
parentAdd epatch_user in src_prepare (diff)
revbumps; add security patches XSA-55,56 to 4.2.1, 4.2.2, remove old ebuilds + disused patches
Package-Manager: portage-2.1.11.63/cvs/Linux x86_64 Manifest-Sign-Key: 0xB8072B0D
Diffstat (limited to 'app-emulation')
-rw-r--r--app-emulation/xen-tools/ChangeLog33
-rw-r--r--app-emulation/xen-tools/Manifest39
-rw-r--r--app-emulation/xen-tools/files/xen-4-CVE-2012-4544-XSA-25.patch369
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-1-XSA-55.patch417
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-11-XSA-55.patch788
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-12to13-XSA-55.patch371
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-14-XSA-55.patch252
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-15-XSA-55.patch759
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-16-XSA-55.patch409
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-17-XSA-55.patch406
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-18to19-XSA-55.patch450
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-2-XSA-55.patch56
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-20to23-XSA-55.patch381
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-3-XSA-55.patch156
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-4-XSA-55.patch55
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-5to7-XSA-55.patch174
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-6-XSA-55.patch252
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-7-XSA-55.patch382
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-8-XSA-55.patch1196
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-2013-9to10-XSA-55.patch261
-rw-r--r--app-emulation/xen-tools/files/xen-4.2-CVE-XSA-57.patch334
-rw-r--r--app-emulation/xen-tools/files/xen-tools-3.3.0-nostrip.patch26
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4-add-nopie.patch15
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4.1.1-curl.patch10
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4.1.1-libxl-tap.patch37
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4.1.2-pyxml.patch12
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.0-r3.ebuild345
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.1-r2.ebuild347
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.1-r4.ebuild (renamed from app-emulation/xen-tools/xen-tools-4.2.1.ebuild)85
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.2-r2.ebuild (renamed from app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild)47
30 files changed, 7244 insertions, 1220 deletions
diff --git a/app-emulation/xen-tools/ChangeLog b/app-emulation/xen-tools/ChangeLog
index 31d6a0715a5f..fce21e542e3a 100644
--- a/app-emulation/xen-tools/ChangeLog
+++ b/app-emulation/xen-tools/ChangeLog
@@ -1,6 +1,37 @@
# ChangeLog for app-emulation/xen-tools
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/ChangeLog,v 1.155 2013/05/30 13:55:02 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/ChangeLog,v 1.156 2013/06/26 14:41:37 idella4 Exp $
+
+*xen-tools-4.2.2-r2 (26 Jun 2013)
+*xen-tools-4.2.1-r4 (26 Jun 2013)
+
+ 26 Jun 2013; Ian Delaney <idella4@gentoo.org>
+ +files/xen-4.2-CVE-2013-1-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-11-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-12to13-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-14-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-15-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-16-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-17-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-18to19-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-2-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-20to23-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-3-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-4-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-5to7-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-6-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-7-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-8-XSA-55.patch,
+ +files/xen-4.2-CVE-2013-9to10-XSA-55.patch, +files/xen-4.2-CVE-XSA-57.patch,
+ +xen-tools-4.2.1-r4.ebuild, +xen-tools-4.2.2-r2.ebuild,
+ -files/xen-4-CVE-2012-4544-XSA-25.patch, -files/xen-tools-3.3.0-nostrip.patch,
+ -files/xen-tools-4-add-nopie.patch, -files/xen-tools-4.1.1-curl.patch,
+ -files/xen-tools-4.1.1-libxl-tap.patch, -files/xen-tools-4.1.2-pyxml.patch,
+ -xen-tools-4.2.0-r3.ebuild, -xen-tools-4.2.1-r1.ebuild,
+ -xen-tools-4.2.1-r2.ebuild, -xen-tools-4.2.1.ebuild,
+ xen-tools-4.2.2-r1.ebuild:
+ revbumps; add security patches XSA-55,56 to 4.2.1, 4.2.2, remove old ebuilds +
+ disused patches
23 May 2013; Agostino Sarubbo <ago@gentoo.org> xen-tools-4.2.1-r3.ebuild:
Stable for x86, wrt bug #464724
diff --git a/app-emulation/xen-tools/Manifest b/app-emulation/xen-tools/Manifest
index 2124d8564c82..ec25c0bddd02 100644
--- a/app-emulation/xen-tools/Manifest
+++ b/app-emulation/xen-tools/Manifest
@@ -3,7 +3,6 @@ Hash: SHA256
AUX ipxe-nopie.patch 964 SHA256 0b70407969735f36587fade77f524c1c2077f28585b9e0df4fe347ecc5e379bf SHA512 510f0d88cf08a9a963c0ccf32e795e98f89e749f746ea244b29d7af770608287d8218b215ee46d73ec4f727d6dfbdb316048c6b42df55a8e154aa952abb50c1d WHIRLPOOL 38ed76955d51e9c4603a487e34340df7392e3011e5b2ed550bd945727733cc3f02691c6e0a58ecbe0dd56377a5b6a955a1516647c49cb85dfc809c852ede9e38
AUX stubs-32.h 537 SHA256 4c903162da80cefd394404cb8cd9963a6ef6e3ad6c7adcbaa450a002d929bfc5 SHA512 55308dbedaa91909a2213940f7a7b574cabe6b5a3104761a2a6f28d6aed00164544488c00cbf9d66a9a370a14c6b6d3a00434efd3ff0228cc8e4d81af19c0e68 WHIRLPOOL 9c006e266bea6bb9d623e76011a4eac07c5fe4fdf76a041cc42a2289a7e9163988bad0fb2f458e300e45aabf9fb864ec764a496d7f89d58e57a506bac206a5f1
-AUX xen-4-CVE-2012-4544-XSA-25.patch 12691 SHA256 2bbac6a09946722fc082124870d750a6b9ab93ea3166bf50faee717acf03d70b SHA512 e911636808ecb08510821bf18ba7807485f2b4b7288966349d40cb4091eeafbc5d9abbee5bc26f04dfe5f3157e9173d1820d1e3b2b25d1e678358ad8d5b2f901 WHIRLPOOL 48e08d9900536a65193290dd4e802a64c33033414ef55823ef21806905ba448bd4c57af4102752172035c0572c431f280f84cf362007911cb1ba2573d4379749
AUX xen-4-CVE-2012-6075-XSA-41.patch 1393 SHA256 6aa21c02e94cb9b4f612c7a9d1a8f980967692b1f20346da9670abb1d7ec688c SHA512 547f63e7eaf0a6db1a9de267cc6f9aa0f28e2221f2c69ca463ada85edbc07ac84c276dcd3ee017ab8846d4e4129e182fb76be35b91ae9a0e0afecdc091e0c305 WHIRLPOOL 848359780edc15895a09bf76afeaa503f907ac98a856b52d64ef4dcb137e2319222a47cd7a2866e6f25731498f487cfca2a462fb6dfcda8404026d8acfff5bcc
AUX xen-4-CVE-2013-0215-XSA-38.patch 2515 SHA256 7d7a5746bc76da747bf61eb87b3303a8f3abb0d96561f35a706c671317ebe4eb SHA512 2abe25c83a3ede047db380b0477ba1aaaf9d955e87244f8d2404699e011cac46ad5501a0f75b76b90b5dc276d19ae08600a2fe57a69681f97088b5d17d977066 WHIRLPOOL 5176ba1c9f3019c50c087c56185c393ae99c0504f10abf08d896998f80d9f0a05c8c103b4276c3370c72171fab2fdc07ba9c68261ac02c6a859ed7a74b6bd056
AUX xen-4-CVE-2013-1919-XSA-46.patch 9844 SHA256 822da2303f1fc69648d7a29eb72fdda8e64baab3edc0e1548456d31e66ed1d7c SHA512 35ed4d580d219e977ee1085c223563f51ccd9ce3675df2660d10d99c366a2fe2446269c98ac9dbf57c37de83340f4b0868d0eb3c5d898be4c0fc80357f6ed780 WHIRLPOOL 36015584e3f72c3eea62cd0658230805645983be571768f068baa605b274d16cca9fc4dcb27152016dde81f6a1dbcd91430654af5c2c1b5211ed5c2441b65c1c
@@ -13,19 +12,32 @@ AUX xen-4-CVE-2013-1952-XSA_49.patch 1597 SHA256 f7daee05c81bfa4effa821e22c8b086
AUX xen-4-CVE-2013-2072-XSA-56.patch 1748 SHA256 a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d SHA512 26a1c2cc92ddd4c1ab6712b0e41a0135d0e76a7fe3a14b651fb0235e352e5a24077414371acccb93058b7ce4d882b667386811170ba74570c53165837bcd983d WHIRLPOOL 8c3a7b373564f808074f7876d1b25c9ae8960c0f5d9d0eb5b188e845499273bf878998f0a5ca056fb6920e1c15ebfc6f77e996b915e1c483059b5878ee5a7b2b
AUX xen-4-fix_dotconfig-gcc.patch 9551 SHA256 93c8726fc3e0bd3f54d4162a3fdace45e3c3ea24fecf5f54270c6dc55c3924ab SHA512 64bfc2dd60bf5a7db593250f9da62cdea4daa458aa8c474ec47b065f6e19509555f48d49ec8624c484d873fe947b6f9cab98cdcd2c24ca8795eb1b64b378a004 WHIRLPOOL 341506ced55ae2ad30af1696434df25ba77c665042aa82dda35d0722f0cccbe567c8cebf51c2e20e0df3084f74f7eb7a69808dea2801f911b2d3c46a293b6ba2
AUX xen-4-ulong.patch 463 SHA256 160af74e6149a7c8066fa3f0b59c7dc36d0185adc98a3897de0ea26868778c1e SHA512 5188b1712009168c994ad72f9d0b0e9cd708a79244d2fbdd675b2fedb5f62b5b2f6c9f1bdd2101e2b66f1c08ab94f55230f4f269907671d82b00f510d059f2f2 WHIRLPOOL 86c98b5d698535893cd05f05481486a8a96f8ee96ce2add4e14de1d6a18701810d6a2c5925fa6cb367e95ef605c8bf9ebecb7dff7cf01763da4235a9c79c5b3f
+AUX xen-4.2-CVE-2013-1-XSA-55.patch 12309 SHA256 03589da73c958503cc9d3a7403b07ee165cda2a61b696a12e432f071d33c8b8d SHA512 1f1e11233ae2503061f66e23bb8e438ceeb55504f9ce140a4093d7b826e42956baa477e2a02bb660e33874ea6fc671dce89094c6c8959aedf9137ff8e2efc9bd WHIRLPOOL 48fd1c4702ce347bbbc2b5a9cfc1d8198a995cc95182005625df71b4cab1b1dacc38a07d5751d17b411e76acba49ff5669c1fe9afbe208634c25a90a8eae4649
+AUX xen-4.2-CVE-2013-11-XSA-55.patch 30893 SHA256 799c45c01b3aadb3728632522da86b1b66550021a48526084bb4bdbaff2aa4da SHA512 a2fb5303d87d31e8f0a57c1ca21eaf08d35aae575e782ceff11454315a1738b2081759e64d5471338a577c6541856784fb034dce5f8853ad276c6078778c4809 WHIRLPOOL db49d15d2a51da5b2cfd6c3d139d999b64bb4e22c060f3dbd170ac5b325c8130d3d43a12281df57ea60c78e23c87ee49c0df3ca6046724242e23346b8faaa08d
+AUX xen-4.2-CVE-2013-12to13-XSA-55.patch 12653 SHA256 0f150534386d4a54e9b8110988f2511b7f045b526e39985dc5dc904b0814b6c6 SHA512 d1c4ef396d90079c2bb4e12e2bfca1be55a12fe9d1f6388d159a996b2cd10d965c96fb84906f87e31fec6831cfd1ce38cb8964fe9b9bde3c19d37e5b88723551 WHIRLPOOL 884215d7cfd8ed1a4254d3dc41725782966f6a32929a5d74610fe350421a07b8e9d34d4b049e8f472d5d5052de8682a8837368be5007bc09e248790576cf4a3e
+AUX xen-4.2-CVE-2013-14-XSA-55.patch 10103 SHA256 d9df769e1b6847a84cd85e3909acee85ce71fd3bc84945890d586388bc69cb11 SHA512 fcd09ca508e78a97169daf38ee455df6646c954bce7042259c7528b3cd2e6d24416d293b7c3b7fd4707caa29ee8d3916f07af5295341a043b350293a3dfe826f WHIRLPOOL 7d7599ca36bba2cbc9ea899dab98a231d4bdb60363aa5f5da36c00269bdb67f091e84c823c2c80cef985bfebbc8c1a3a207148c2b296084cf30d5252dee68eaf
+AUX xen-4.2-CVE-2013-15-XSA-55.patch 30099 SHA256 cf32b0dfd4ab22d0fe8867259d1aee70d6d148dbc032b9399d91b8348b4b758c SHA512 86e150285a30cd58a8cd36ba8b6b32881b90c5a2d5e0f432dafe9bd55c06aae71a6c764bb05003b015ced7d0bdf687b8ae9ad155a71625839f45e82855cb47cc WHIRLPOOL 0ddab445ab4669eebb4fdfa0ccbac2438ae7c36776f925a8f09e5f30a938068705c99d4f67fbe5fa154051a90b66049b1c0578bb712f88cd90566f694d433ff5
+AUX xen-4.2-CVE-2013-16-XSA-55.patch 17193 SHA256 345068acdcf4f974d78d2f579c90c6d74ac3b6ed190eae0f182e5f12ac2c48fb SHA512 f650fb7c2a874c6f748a99d228d12931cbd77b45691dbc419d1f319c37534f58bf17aa4d47792931d368b8536e98790cb54fbafe356089964fa22c6366882ad4 WHIRLPOOL 5087bb9940b70a2d8283cbad2f782bf0e0c596f6a6b2a4173a9b2410bf512d063d8f3c2639c402ae61a411006167ecbc293303d00dcb68f5fe61d584b78ff0e7
+AUX xen-4.2-CVE-2013-17-XSA-55.patch 18342 SHA256 46665bce2e48a945ac25960f5f9459e9b9b5ffdc6284c0e8622d3fa01636c3a0 SHA512 f8923756911b18996be1a4ce9d8536291b3c7fd97362b840f784854fbe68753a9044da7e1db499f2b7cb85d0bd5e067a2e3ad763b2dad1b5c3dd8d94bd0f9c87 WHIRLPOOL 94001c689fac74225abad6162b3b16f7107e1de33e46090cb17ca5e8a61472236f9cf058737802d21d4fe42546c6c5d72b3cbf3961126abfb51aeff568c2b57d
+AUX xen-4.2-CVE-2013-18to19-XSA-55.patch 17592 SHA256 13686af23eba9aa4b60416376b34092c5d69bb2c9e0100063c828398fe144758 SHA512 dcf867589d1b427c97f4367155f61cb30c8cc449bb04ae216b0a432b794ad0f9743f35a96f3c3c4be69710031097261b5fb26110de0c285f4e089592cade3403 WHIRLPOOL c6cad0db64d51dfd1e700272731984a2ba06c5defe9b0df482c5d0858d0e5e8db87295b02742f6b9dffa29c573b59d34120806702b84f045ca92c1d9b6618c66
+AUX xen-4.2-CVE-2013-2-XSA-55.patch 2074 SHA256 b7673609a18525f238d411f9b150c90ecf48248542cc95ca969c9a85995768f8 SHA512 d19d0135057a313f458feeb5ce149b31133e5c43dc133e24d2058ade5838e33637bd07cfa82e9fecd98a28dbf85a598c1a70f20c7998d7fae3d5509026e1f6e2 WHIRLPOOL 3eb934e836f84d49bce89b3b79fe19a70734b8590857c1c74954f0c619834546222229912aa9143d9e10c9e912575d3440e53dd8ce19493915e7e347a5c87adc
+AUX xen-4.2-CVE-2013-20to23-XSA-55.patch 12908 SHA256 7422a1ae6d9aea2c0f7df0c459ac48f2a0ea5e1b4daaad0fd74a575ee0a5d73c SHA512 d03a0617d9e74e29b9dacc1a86268f164bb14b490c599166bc37b4524240a0d61d9e312cbe50a9eac1c6d98f050638bfb684cb13df1158478f09100948e5f9aa WHIRLPOOL 3142b686bf1279fb17c3a58c43f5b5a11814fbd3d455d7ebee0fe8f949668eed1bcd88ec5e6cbc71963ce99c830af4e21898cf2d4b7252c64d57b89e8ccc2bf4
+AUX xen-4.2-CVE-2013-3-XSA-55.patch 6149 SHA256 f5b809eceb7d342bac01f6a204eca7c89e1c62287040d2588b093b9cd0b5be22 SHA512 6f1ae849160076202d7dfacf2b8b880effeec19112ef18bb40ceaeac6649f9cd235e26eaaf78ffc83907f5098926818633b1344a3626454ad95dd97a1894ccf4 WHIRLPOOL 88f142e62caddffc611917e79dbbbda9870a779514fbee86c42888d53a2e94ad23fb25c626630410ef9cbb704fd5a3358d1a9bc98e2f9ef82298c2b00ba2bf95
+AUX xen-4.2-CVE-2013-4-XSA-55.patch 2139 SHA256 51b5f8a996f0d84c715235b1497e0816a6b31fbeea593b7c14925d11856e48b1 SHA512 41034da15f7ffdb6efee41dcc763276b1fcdf160edda88a15b0e0c39bc175a592825e9faa78b209a54f01dcb0e5198b6b40a924f49aed1334fdca54739f35e56 WHIRLPOOL 4da524a196fc713f75f57aacc178ad1b0e2e5ab6b00b941620f682a8894fca79a212155bc3e8200b870d3df959ef68f18cdd116ce64f1d3c93007159bdac4201
+AUX xen-4.2-CVE-2013-5to7-XSA-55.patch 6392 SHA256 2861fc68d7b9c49784deb43eeb7196e53316f5439d129d686b7b2157543f9c0a SHA512 1f69e1d9c56244bb8a97b0f9a426007e5779a7e88f2add879a289eda923723e3b4bddcc034797a4e79646780bca1b445fbbc857c9155e72d2177739525d5d88b WHIRLPOOL 4bd68553974eab849315ffff90ef7e0d7811923763ab3c0f111d60f15d574e65652aa5c60708bf60410f5caa0914a2d43dfb4242d7451fb76576a4d2b79fe1a8
+AUX xen-4.2-CVE-2013-6-XSA-55.patch 10103 SHA256 d9df769e1b6847a84cd85e3909acee85ce71fd3bc84945890d586388bc69cb11 SHA512 fcd09ca508e78a97169daf38ee455df6646c954bce7042259c7528b3cd2e6d24416d293b7c3b7fd4707caa29ee8d3916f07af5295341a043b350293a3dfe826f WHIRLPOOL 7d7599ca36bba2cbc9ea899dab98a231d4bdb60363aa5f5da36c00269bdb67f091e84c823c2c80cef985bfebbc8c1a3a207148c2b296084cf30d5252dee68eaf
+AUX xen-4.2-CVE-2013-7-XSA-55.patch 15024 SHA256 4bca58ac49bd56f6defefbfa76cfd0e6d45aabb1641fa9e9f983edbc784a9d89 SHA512 0622b2cbb0dc6f7b6a86a0ed41229fa2574d655b2d7c7727e3c0c4416155e26dbd933af8812f0e3b13f196da4d9de1064dc620751ddd4f66b587ecd6f30902f5 WHIRLPOOL 9ffda09ae380b2417d3599a9fbf894becef9f9bf88277cf8b4195f86e271bb6452aedb33050ddac1c25c7fdf71bb754a361633526a90d61d5489d5dae064c4e4
+AUX xen-4.2-CVE-2013-8-XSA-55.patch 45483 SHA256 3e0efa56062f3425cc76519d34f5eb0ea08f434b75de334a3f781249c8ac6532 SHA512 ff634e98052b6368ec26e54c2dd7bb5c6ab0b82e3d5eba0cd4890dff151c64798a336d49bdfbc3a3c89a5021c07fb6edf472a37d79d7b43e262ab8f9ea89e5c8 WHIRLPOOL f16c5e4d22bb55057270c33b94d014580ff1c204b14d08770996d3daafafd70bdf58c92c63ce12665258840fff992916747fca96531d740bcddd27829763ae5e
+AUX xen-4.2-CVE-2013-9to10-XSA-55.patch 11035 SHA256 c73c57ff530c15efa62ee4853d8213f0bac9c31280485f7b54e8b96721fadd92 SHA512 2991e7bf598ac2af57a96204a8babb4c15e5eb7c35c2477e4171b6c600ddc98906fe6dcda02fd5c155d196135b6c28631422bde5302db173ebdfc821089b8de1 WHIRLPOOL dbe8fa7421a68c13159b18b3bf898088c02d9b49d587a2f70a733d6a509fea13246b28b73136510b019d2b28fb23c45fb59e8711d189c0538a758639aaa62dd3
+AUX xen-4.2-CVE-XSA-57.patch 15550 SHA256 b698fb6230af3bf134e90f1611735ec2c4378df25a0ce2643171fbb75fbab489 SHA512 d2216dabd6265540d7a90002c739817a834c34b53a2c180796f264fb6a845bc3e2a8dd02dd7de9317475ff1659f35061c3e7eb51c4ced673a4b5638dba711484 WHIRLPOOL 59bdca24ab5eeb65c8f25c111edfc8b4ca7f62429502eff99e1612113d4dd8077fc38b13993df296bdb5a75831cc4725c25ab0d8b8843a3e3659f1e245cbcbd6
AUX xen-4.2.0-anti-download.patch 1028 SHA256 95ff7390d25eddf56af1d98b1310d2ebf97eebcad5c298c8320eb6ce9afd596e SHA512 8d84c3386764e2dd38bd0e93163c016b38d9e634cc4c9078138e593a887f3a9d2cecf391008004ae934a49b24af2a18051aab22b2a83b48fdad60ea50fc6120d WHIRLPOOL d95955f7236c1a4d9e23e5e4be1a8f8e9148511fc16b4fe0bba3854c02e24789c808739654684140d9900f22172b635c9af5bb6910f594b115b1eca4a7c907bc
AUX xen-4.2.0-jserver.patch 900 SHA256 a8f9c0517b7fa4d56f3125515d260e60c51ef2cfe3fc22223c54415a92ffa16e SHA512 7f9bb7189273ecc34b5c66aea8cc9567a15c3d7e0fbd44e0f49669b067d719c9d85d6758cc213145679cbb8c2224cb5704aabb3ed40925bb2529965a5238d411 WHIRLPOOL ed6bcf1135c7dcb58eb2219c02b002fb57b16f50bfb0161bc64319b78dd7f8b87bc6206952755af900245d13073408946e31a51f01e95517f7def072f4810e66
AUX xen-4.2.0-nostrip.patch 1554 SHA256 3bab6078b59a086e214fa0786cb827eeeb009d6f7f9901f6a8f1a23b857259f9 SHA512 7fe44ac34a317fc2d1298cea5d26fdd778f8356f3ac9b4fc412c07ca471ea0b21e7fac29f456306681396dee835e4c18c35ce4b7ba47c47153989eeecfb96310 WHIRLPOOL 7701c5b521245ba0b66e9ff53c41ada8e216d36f7a92b2af45aaddc0bd210bbaf21cb9401036b995f2f8d2598edb9324ad50a91f71d08e427caca21b26f101bd
AUX xen-consoles.logrotate 63 SHA256 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 SHA512 ab2105c75cfe01768aecd5bcbb56269d63666e8a44e42b6a83aee87df6c84ee2f9ab249171c21b2e09f8fec2cae8318f6e87d160989398a3e7dd68db8d52c426 WHIRLPOOL be108bf298202851de434af513ac8c03a533e7621623c2a7e8f26d498074b3eec81b85b2ae29ad2ec67f4fe9937c88bd78c5f5e260793e7e69ec964d4adb989e
-AUX xen-tools-3.3.0-nostrip.patch 1021 SHA256 2debac718c01a7eac4daf3182a7ae04aa562137d791cd510ecf1848d7eaccebd SHA512 034a93c416af954a8976594ec91901d4bb4401e0798da3bb26f2b59c00ee2597282a50fbbce77490dc485317f7b701bbd7c3efa4bf0f0752d0c23d731f0e4b1b WHIRLPOOL 223a3579308d11f2792394d5b42a3df9c200b6e83dc91db6c75f58c28d58892dc56c48414980b1bb4751db6e74c2f89a63623f63cec14bf948e6eb75f1d1925c
AUX xen-tools-3.4.0-network-bridge-broadcast.patch 496 SHA256 d00a1954447fc29500ab2f1a8c7900310e0dee81942be5c922ad66b6b42dfb74 SHA512 496c61ec237506c77577e832828de923283f55ab07ad141718af1a719b1b5bcdb8152a8cffddc679ff4a3e389582e7b8de8aaf1b4c8b1124bf1563467bdf674f WHIRLPOOL f80a557ed62cc26a51f85bc8682a738ab29d4573e3261c440f6e66f50cd81263fa2c6898b1aa1b1c227a2d3923cc9fd718ffad2e123ee69c6d7929def7906433
-AUX xen-tools-4-add-nopie.patch 629 SHA256 9a84886118c22a926a1bc05ac8639d34dab76e0bc06348140d8d9622bf716347 SHA512 3a07f77d0ac810caf7501031a56208007e01cbf8cca0e1bd2b838c478aa429cdd5b5e120fce5dfdbfd9c22b5a6c32f7843bf277dc28c55d0076fd82a3c970f44 WHIRLPOOL 301c6f823cd9ec47618c3f78e7e9331bd0a124f289b83e4d01cd8a32a2ab16aef139ccf9dbf497b8edb2f7af24d47b1fd4ea617aa5e515185d101d6ae56a149a
AUX xen-tools-4-docfix.patch 438 SHA256 016120c2333667aa84861ac9289c48a072c4842fb517936570882e1fc4060de6 SHA512 0a67d703749df823f5223b555c6dc896420e73ed7eeb5e77a8f8b950fc8bafaf9e20d66c35b29883b3cee6f8ca5054af3b55f804d20ae20d676feeeabf92b489 WHIRLPOOL fed73bd521b4cbea804ef4bc3b4b3a4007e7765cf0ab67e700e95afd328181ab5fce246b53a5e2a462baf6029664b25f82ffeabc1aaeb45fa99af344ecc957a5
AUX xen-tools-4-qemu-xen-doc.patch 820 SHA256 691b2d84f7312388d528c83f3e9e90521e6b2c97abae8ca8a83325655264c98a SHA512 bc07420be7629796e49e128c1cfbde8fa7d4dc3b66174462448e9033f78c0c982dfdbd4dde9b1c54a9862fd2f9602c6bac0be1dfc0df8280aaaf8de60acb708f WHIRLPOOL 4fc2907a42bc3f824160f92586392f7dba07c2229382585f5f7bf4c0f3ab2574a814e8e8fd076b68abb2580497492e1fc0e6181ffb8f1acb5c70e60caff81505
AUX xen-tools-4.1.1-bridge.patch 449 SHA256 71eea5408e3600c3c6f7ce4e8363ea2c19db36c1882e20cf0ef8143af527782b SHA512 3e4021c363bae11874b13675a8ad6aaf5b733e42a18e0d1259dce1cf2c305440dde13a7a08a584213dd96fa4b0a788048f6cb87a0f5b3ce777a2048215dbd779 WHIRLPOOL 9363d615578696899ba84d6d2026d3cc5115756a9d0ca5a91071ac4db6e2fa425135bbf6db320e90daf78f89c6203b291dcb2cc25a6e5db82b7c094d3c940cde
-AUX xen-tools-4.1.1-curl.patch 550 SHA256 4bdb2875b36e7dbb0bd8d61b697da78007bb22922f56e020795c91ebb9ddd50b SHA512 d59a89a29ac687340953f48742451dcfebd94b8ede409184154d32a2371214cd8eae799240ff8a04aa0627973ea604b1461c9d937bc5ac0c86009dfa2b0875fe WHIRLPOOL 26262524f0a5cb6cb827cf65e52b3fbf86c98ab8928aa077fdc5ce5d81ee6d9a3c69d1b2fdc019560a9b0c528b318e1a0ca5c70a403b7a2627e087d43f0d9618
-AUX xen-tools-4.1.1-libxl-tap.patch 1071 SHA256 ee03a5b68a9edf5d4fe78a322ff261e13f6ded879f3898b0ea72c407f678f885 SHA512 6ce2ab4240b90d8490458747b2cc9df71a722c11987b3fa4632a7f174e4111df623a50796bf37ef5b3864a84530305de8da923525a0a7ce416942efc13d0b950 WHIRLPOOL a4bde6ea31a116b92c929eac01ec7425ec9d32c05ed1675f2bf62d96897cb6876ea8f55455c9825e8e55670afe4c6c61a99ecb24925ac93d2825903dcb617050
-AUX xen-tools-4.1.2-pyxml.patch 408 SHA256 6a8d8ca5478bc68850fd930749ca22207807c87f8624c0c3596a8cd70bc06c65 SHA512 ce6bae69e7ab1ef3cf4d9996399e1b08becd7dc18abd84724bb5c64b232354634657e3fd1acfb7953f07be4fd80f4ff1445257864a65482c6b4825ff99580faf WHIRLPOOL 888f464a910ac458fc1009908634f113181b492935a9d7651df4a81beed6b277b7b2bbc33bee300e721457a9c09723001e63f2e14c823283b1c6039cd09a7868
AUX xen-tools-4.2-xen_disk_leak.patch 2324 SHA256 b5d07dded35d48196afe4e52e7e48ef459b527c4b34f1aad13710dae94cba6c8 SHA512 bb8a36a30e69f6d09c9293cd76f071741ce04bf0d0129d9417b3fc41841f6dcb0160506a80222e67d58c78a289072913578868d6a055eb23266d15d5fa59ebe2 WHIRLPOOL c0c69406f564b335a3215a7cea8a447ad7d2b27590f3cf92c74c74356c46ed26557fee3ff5fac5a8ae54f7d8dc1772500d75d9de1630a57ee48d8193a6fdd1e9
AUX xenconsoled.confd 44 SHA256 2a74be03eb74f6013242a4a5d721df6cb9b959b43c405de1e32813f52d749060 SHA512 30df69cc38d0bed26bc4d6e08a2b62cbdc654d5f663009a05cb3b83b3e3dc5e206362d3fd59abbb753ceb8d6d79eaa6e15d079bb8f4f35dc74667103faf4e85d WHIRLPOOL 503f7b48842724e69e7e4ae752d0570c339b7214b5a5fa1db51300e65470803bb383524f6de6c5c08849a961f628f6db7764e3eddcc19accbd209777a0f27d68
AUX xenconsoled.initd 652 SHA256 1a5594e4e924b94490c5c942b1b63e5fe857b8ad8061060e5d8a3bdfc9f0f1b7 SHA512 7caba575ecc1bb7263539142fa087ec788c583128d7c5236c1fd342d06a238edbb0aaf0ea53ce6189e72cf4402dfc07205db477840e3fa7233b3a6f9a231c2e4 WHIRLPOOL bb58d60a7ee646b59fb1272143c8fcbef191d9f4d90fb933d8789c37f7c28d6b63e81c616f870456fe84f12402753edf3af637d4fa37e425049570824035d805
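Review bot: Two of the AUX entries added in this hunk are the same file under two names: `xen-4.2-CVE-2013-6-XSA-55.patch` and `xen-4.2-CVE-2013-14-XSA-55.patch` are both 10103 bytes with identical SHA256 (`d9df769e…69cb11`), SHA512 and WHIRLPOOL values, and the diffstat lists 252 lines for each. The names also overlap, since `5to7` is added next to separate `6` and `7` files. Each file should be checked against the upstream XSA-55 series and against the patch list in the 4.2.1-r4 and 4.2.2-r2 ebuilds (not visible here), because a mis-copied file would leave one fix of the series unapplied while the package is labelled as patched. Separately, the commit message and ChangeLog say "XSA-55,56" while the file added here is `xen-4.2-CVE-XSA-57.patch`; if XSA-57 is what is meant, the log text should read `add security patches XSA-55,57 to 4.2.1, 4.2.2`. The `CVE-2013-N` parts of the file names look like series indices rather than CVE identifiers, so a ChangeLog line mapping each file to its upstream patch would make later audits easier.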
@@ -39,21 +51,18 @@ AUX xenstored.confd 42 SHA256 afcc14f014fe4ec478f85d230efefba9ffad024bf8c83b3007
AUX xenstored.initd 843 SHA256 7b03a4ed9d1798c6b43baca769fa2dd0bdcb949539abea32c23fa31a5a6cd08d SHA512 30d9413c8b5815defdc81f351b9aa1b7f88eadf407abd1757887c95103c04eb7c282f03f59521336071f4357561e6b5a85aa755747119eb465563ba1917deb28 WHIRLPOOL 4e7968f025fa5258fd319bf352a032cfcfb6ffdecfe6a50966ee59b3322717a6680e66ecf8beb372a1a8caaed2a16fe1657185fcf6cb6541ff4b0aa59c6131ce
DIST ipxe.tar.gz 2867999 SHA256 632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c SHA512 c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 WHIRLPOOL 58b7459aaf7323968e2f4d1cdcb563a04a0ee40d7d0e8fc600495baf6914127fbbbcddfb66199cd9f462eb59565b3d1ae90a05b3c771b8f13c2d2dcb6070eebc
DIST seabios-0-20121121.tar.bz2 2199282 SHA256 f7f67181c6c0b4cea3a9db48e2569fdcbbc81b732a2f672079c42fb44153ee62 SHA512 4f886088ebaa911590b8cb19db5c5dbc8f1384d2d5a7c4bf04df083e177513b3123b1839dad744171670eded8b69ce092a774288aec1804d00aa32b1b6778599 WHIRLPOOL f2e62682d7213ee5eaecbc2590637ef36d9c86f746840c0ee758c0c153139f485032ea2cd098c87bb8a2b5f17f91375b8fb65599e3b71b45b1645df85a88887f
-DIST xen-4.2.0.tar.gz 15587687 SHA256 43f4a086e4e0330145a27b7ace8365c42b5afbc95cefadafe067be91bd3e5cfb SHA512 4fb56c79d722fb307bc657f16d02079c6636427e7650c4354193632d38d2d1db8e588f844ff0ca6e757c108ed639a528565ec9fc7c00bb4d5b6fbc9d122d8a70 WHIRLPOOL 369a109375864cb61920b56cf501522051d28513e738f0fd0e7b76244c3e08a8a0a6ff6cf245872d9bbd9c0f22c7da76c9cbc0f852bad6108ca25fd42dc677c0
DIST xen-4.2.1.tar.gz 15593695 SHA256 fb8df5827ce3e2d2d3b078d9e5afde502beb5e7ab9442e51a94087061bd450c6 SHA512 fe27a965e2b34035bd025482eda9fc4d4e82523c929323fd30813367d5ffbe2fa1ed3d7d4479f2632e8b5625972448b7bd6a7768e8dc1dcd1b6747d281cc1a9e WHIRLPOOL 226bbed059541e804f1a44e721023ffbc04bae43000653b1d7d6a9bfec0d9efbf7a48b1b0a7ad3fcb8e34f8b91e1c620c2a8eddf97baad487e9db37d49a58f37
DIST xen-4.2.2.tar.gz 15602746 SHA256 c9bfe91a5e72f8545acebad9889d64368020359bfe18044c0e683133e55ae005 SHA512 4943b18016ed8c2b194a3b55e6655b3b734b39ffb8cb7ee0a0580f2f4460a1d0e92e1de8ac23f5186272914fad1650586af51fd7c3644d0310eb16f2e11c5e80 WHIRLPOOL 519eb87cb2da694696cbc3e72070a0a3bdb07c46fa266d855d8379eec3a92adfa4d434af3ac01c37834ce4a9174081a6c40030b185a70902329b185cb8d0bbea
-EBUILD xen-tools-4.2.0-r3.ebuild 10190 SHA256 759af2416598e871367071f7045cd4971659309459c5efd6541c4d4e920a69a0 SHA512 85cdbfc9abd901b14990b1f2952748aaa861adc9b21c6b8859a2523e8c3e62e2f677da9c20218675d3a1aedb3e70a48f5b48eeb3fb37c5389f8e091ff43c5e5e WHIRLPOOL c881d9929ab45be9baec55e863c54e32328c5f7650f6c469171e7efd10c6589d0c454afb7295b89ab7bd649de1d7c5f3d835ae527463217b56e6076c42728afb
-EBUILD xen-tools-4.2.1-r1.ebuild 10119 SHA256 d21c0bd5a1a44a7a87aa2521d9a1c9f8b569968ddf570aeae7f47bebc3c843c6 SHA512 ef77c4c08ec57970c699c09f51879f8b8dc5fc36141b3d68ad8fecce161d8810c79f7341b39c5b9944df9d1bc7e69fc85109fa9c23eb2e2d5a9e405bae652648 WHIRLPOOL 54597bf2c032718d0461017e22524f4ca1c6ab8ff55df54cd08f19f7c43d1cdc69f4a45d3aac695f34e0b67cb20186baa8aa4b2cdc3665049eb3ce52ca56a9d4
-EBUILD xen-tools-4.2.1-r2.ebuild 10256 SHA256 7a2eb13b5dce1cd71ea2ea45f6848d67e578fe531367480fbaa3ae18b3862af7 SHA512 0b79429e45747b6d1fd6da1f90807de3d97daee86b7ac76a288c6b5f08402c61f44a5f22064d749560a7decdf747114e92dcdaef1e7b0c236a59c59a4f54eddf WHIRLPOOL 5d3e42614d241fca5f2fa898c8bef6e527cd0e2967ea1a993ddb43d719158c9fe7646c1e67278c6a3444dced0be48090fb126262bcfee35baaf075d7d5251ebd
EBUILD xen-tools-4.2.1-r3.ebuild 10572 SHA256 74dbace2d6506b8c0cbdc7eb11139b93a61b9222e404fa06f6bfa19893bd972b SHA512 3df78b6a7cb344ddbe92fffb28074f5bfb0fed816965b2858bf15ca3d676688e3713f1120fbd6589d2e1173c147ab21e5b826e1eabf17f65eeb7053884196e30 WHIRLPOOL e3d3b6db983bb8fca9add50d40b78b5b206cb797f5fc294e411a23b5b273be79d97333e8cbe78b99b4665887cb1b8268b0de316282ea897272aa6daa917faf32
-EBUILD xen-tools-4.2.1.ebuild 10279 SHA256 763ee5f7cce3cc7e55b7e3bab4d271c03115000053c809793ec30a14ad6681a4 SHA512 c91f648bce05a476780267cf2839431e200944bb4d9379f8cd9370b91ec241df2c29d119e4b4160f4802949a03bc2b93f2c837187325d9b72f0a573d3a951e03 WHIRLPOOL 88aa1ec2beb59fa5b62f88cd711a3823dbeebfca22395d12445e587c87e1de11333c07f9e0535b0e61ccb5403d75ea562f4e4759fc7f1a81489634061e22f852
+EBUILD xen-tools-4.2.1-r4.ebuild 11608 SHA256 2aa602d31228251d7bafca423690280dfe6fca323998a82d0e2b3be063a8c2d3 SHA512 6f43d625c93f646b034fbacad91e524c39e79c65b8a41bbc7fe379917571879c5b6ae803df42ae62773107fad11ab9e1915c512a7a80ef66ed49e0965a116677 WHIRLPOOL 61485d6ea79285c0f792d32a5265b049b36ffa029ec318cb432488fa1b95c51996828c8aeb138f59b2b67eac1349c8cb4bc165b25e3163100090e5495439b6cb
EBUILD xen-tools-4.2.2-r1.ebuild 10495 SHA256 10315c17687e25b3d915d7ce4daadd58d35d5f60df09c7d9216ba7e33caf2f36 SHA512 224c0be7ae6c5d93d04309b9fbef0f09996f2e229f8e8fead8e87d00af755e069b4dd87b55688bf777c839458a306a4c6ffeacb6cb73a13467e0228b64aa3e1f WHIRLPOOL 147a4ca802320234ccc57f85de70f4ea5c196d6348f53b5456433d088a46ac0ae4b77b28fc784b3201ca7ab732aab735433ff9909c3eac06abb59e5f20d7a961
-MISC ChangeLog 36744 SHA256 7b12cdcb6305512423e91e609d1a6fb853026806f1cabec462bc48cda0a3fa3e SHA512 ac1e5e09b3517535450c0eacc4e93486441e8160f02ee91763b9704c4723f321fac1ff329650dc1b2d4da950171d087f6d4647aa65c49569a4b1dcd700472894 WHIRLPOOL acb42c87e15b4be459571e2eab39901e873830882f967579361b99089defff526da05362f23b7170c16b05dfbc2a0b6f0889e1c2948c0ad2fc9c3560809d85c6
+EBUILD xen-tools-4.2.2-r2.ebuild 11315 SHA256 473fad91f48a35cb27c2bcc6d442fa958f6ac06a6fcc0e817b0b20fb116ca4c4 SHA512 8c008b9b49b9e0b9fa773c27d8d84dc42a05a1ff619da4ab7da44c45c700e13612c11b596fbb1f694c3b87b1060610be022203062e7d4be21cd04e8a6234b5e7 WHIRLPOOL 58c6ac857ca4d0c543479fe3021ea9cb7fd05deb74d35f992a37a7c9d65218004146817a8a87c779b6f22d41261807040369c4ea4e257f47249f960fa35b4389
+MISC ChangeLog 38171 SHA256 ab59122b1891f17e0a0197e6ca6f4f7375327662483001a7e770a7d0404541c5 SHA512 0312151e83b7576745ff4352d67f8bd13b972849df11e75b7bda56c872d8f61cb20e96870fc5cf1197f753177b67e5c5d2926cc2c0cd42b01d50eeb6f9d74c1c WHIRLPOOL de44abfae430ac3a1a7a83c48aed6ed151cd83e4b5ebb7ef3d7e3b206e18c3c1df46fc8a301cb0d2f5690efc7cd43c063877619f2cbc8a28286880344d0508fd
MISC metadata.xml 881 SHA256 52d19c65a78ed979b0d6df2f83fc281e8622296e2686c199dbc58cb76a70a57b SHA512 3e2400037f840272c38b0a7b9d46f9975d512bea13e6dc21bf8458fb68b1c741f4458a9eaf18aa53c3183ef4f83e70e8ae50e28132e563fc4a1d6463c77a586d WHIRLPOOL 3b030061503f4c2beec7f51d3bf790f358a4837d78d7a0faf0eee5214832fe888445a53c0b09b94bf8dd811e44523e0bb05535d58583499df97b32280f722312
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iEYEAREIAAYFAlGnWjcACgkQVWmRsqeSphO8jwCePlnOQqK5ozpRD/eQPRf7FcO5
-Bo0AnA8PDUJypYG7zE7Ya3HkCVoQmEb6
-=hrCw
+iEYEAREIAAYFAlHK/a0ACgkQso7CE7gHKw235gCfbAw7O9bRo2p1a52XORZI1o+h
+5LMAoIxE217MtHtgskwk3Y7Oi0xvS6R5
+=qzkG
-----END PGP SIGNATURE-----
diff --git a/app-emulation/xen-tools/files/xen-4-CVE-2012-4544-XSA-25.patch b/app-emulation/xen-tools/files/xen-4-CVE-2012-4544-XSA-25.patch
deleted file mode 100644
index 35b9338341cf..000000000000
--- a/app-emulation/xen-tools/files/xen-4-CVE-2012-4544-XSA-25.patch
+++ /dev/null
@@ -1,369 +0,0 @@
-
-# HG changeset patch
-# User Ian Jackson <Ian.Jackson@eu.citrix.com>
-# Date 1351264255 -3600
-# Node ID 537776f51f79c5789d06f97b363596a197c3e71c
-# Parent 40ccbee890e1fc053de3046bbc3d13b8ff6f5d63
-libxc: builder: limit maximum size of kernel/ramdisk.
-
-Allowing user supplied kernels of arbitrary sizes, especially during
-decompression, can swallow up dom0 memory leading to either virtual
-address space exhaustion in the builder process or allocation
-failures/OOM killing of both toolstack and unrelated processes.
-
-We disable these checks when building in a stub domain for pvgrub
-since this uses the guest's own memory and is isolated.
-
-Decompression of gzip compressed kernels and ramdisks has been safe
-since 14954:58205257517d (Xen 3.1.0 onwards).
-
-This is XSA-25 / CVE-2012-4544.
-
-Also make explicit checks for buffer overflows in various
-decompression routines. These were already ruled out due to other
-properties of the code but check them as a belt-and-braces measure.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff -r 40ccbee890e1 -r 537776f51f79 stubdom/grub/kexec.c
---- stubdom/grub/kexec.c Thu Oct 25 15:36:32 2012 +0200
-+++ stubdom/grub/kexec.c Fri Oct 26 16:10:55 2012 +0100
-@@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_siz
- dom = xc_dom_allocate(xc_handle, cmdline, features);
- dom->allocate = kexec_allocate;
-
-+ /* We are using guest owned memory, therefore no limits. */
-+ xc_dom_kernel_max_size(dom, 0);
-+ xc_dom_ramdisk_max_size(dom, 0);
-+
- dom->kernel_blob = kernel;
- dom->kernel_size = kernel_size;
-
-diff -r 40ccbee890e1 -r 537776f51f79 tools/libxc/xc_dom.h
---- tools/libxc/xc_dom.h Thu Oct 25 15:36:32 2012 +0200
-+++ tools/libxc/xc_dom.h Fri Oct 26 16:10:55 2012 +0100
-@@ -55,6 +55,9 @@ struct xc_dom_image {
- void *ramdisk_blob;
- size_t ramdisk_size;
-
-+ size_t max_kernel_size;
-+ size_t max_ramdisk_size;
-+
- /* arguments and parameters */
- char *cmdline;
- uint32_t f_requested[XENFEAT_NR_SUBMAPS];
-@@ -180,6 +183,23 @@ void xc_dom_release_phys(struct xc_dom_i
- void xc_dom_release(struct xc_dom_image *dom);
- int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb);
-
-+/* Set this larger if you have enormous ramdisks/kernels. Note that
-+ * you should trust all kernels not to be maliciously large (e.g. to
-+ * exhaust all dom0 memory) if you do this (see CVE-2012-4544 /
-+ * XSA-25). You can also set the default independently for
-+ * ramdisks/kernels in xc_dom_allocate() or call
-+ * xc_dom_{kernel,ramdisk}_max_size.
-+ */
-+#ifndef XC_DOM_DECOMPRESS_MAX
-+#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */
-+#endif
-+
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz);
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz);
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz);
-+
- size_t xc_dom_check_gzip(xc_interface *xch,
- void *blob, size_t ziplen);
- int xc_dom_do_gunzip(xc_interface *xch,
-@@ -240,7 +260,8 @@ void xc_dom_log_memory_footprint(struct
- void *xc_dom_malloc(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size);
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
-- const char *filename, size_t * size);
-+ const char *filename, size_t * size,
-+ const size_t max_size);
- char *xc_dom_strdup(struct xc_dom_image *dom, const char *str);
-
- /* --- alloc memory pool ------------------------------------------- */
-diff -r 40ccbee890e1 -r 537776f51f79 tools/libxc/xc_dom_bzimageloader.c
---- tools/libxc/xc_dom_bzimageloader.c Thu Oct 25 15:36:32 2012 +0200
-+++ tools/libxc/xc_dom_bzimageloader.c Fri Oct 26 16:10:55 2012 +0100
-@@ -47,13 +47,19 @@ static int xc_try_bzip2_decode(
- char *out_buf;
- char *tmp_buf;
- int retval = -1;
-- int outsize;
-+ unsigned int outsize;
- uint64_t total;
-
- stream.bzalloc = NULL;
- stream.bzfree = NULL;
- stream.opaque = NULL;
-
-+ if ( dom->kernel_size == 0)
-+ {
-+ DOMPRINTF("BZIP2: Input is 0 size");
-+ return -1;
-+ }
-+
- ret = BZ2_bzDecompressInit(&stream, 0, 0);
- if ( ret != BZ_OK )
- {
-@@ -66,6 +72,17 @@ static int xc_try_bzip2_decode(
- * the input buffer to start, and we'll realloc as needed.
- */
- outsize = dom->kernel_size;
-+
-+ /*
-+ * stream.avail_in and outsize are unsigned int, while kernel_size
-+ * is a size_t. Check we aren't overflowing.
-+ */
-+ if ( outsize != dom->kernel_size )
-+ {
-+ DOMPRINTF("BZIP2: Input too large");
-+ goto bzip2_cleanup;
-+ }
-+
- out_buf = malloc(outsize);
- if ( out_buf == NULL )
- {
-@@ -98,13 +115,20 @@ static int xc_try_bzip2_decode(
- if ( stream.avail_out == 0 )
- {
- /* Protect against output buffer overflow */
-- if ( outsize > INT_MAX / 2 )
-+ if ( outsize > UINT_MAX / 2 )
- {
- DOMPRINTF("BZIP2: output buffer overflow");
- free(out_buf);
- goto bzip2_cleanup;
- }
-
-+ if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+ {
-+ DOMPRINTF("BZIP2: output too large");
-+ free(out_buf);
-+ goto bzip2_cleanup;
-+ }
-+
- tmp_buf = realloc(out_buf, outsize * 2);
- if ( tmp_buf == NULL )
- {
-@@ -172,9 +196,15 @@ static int _xc_try_lzma_decode(
- unsigned char *out_buf;
- unsigned char *tmp_buf;
- int retval = -1;
-- int outsize;
-+ size_t outsize;
- const char *msg;
-
-+ if ( dom->kernel_size == 0)
-+ {
-+ DOMPRINTF("%s: Input is 0 size", what);
-+ return -1;
-+ }
-+
- /* sigh. We don't know up-front how much memory we are going to need
- * for the output buffer. Allocate the output buffer to be equal
- * the input buffer to start, and we'll realloc as needed.
-@@ -244,13 +274,20 @@ static int _xc_try_lzma_decode(
- if ( stream->avail_out == 0 )
- {
- /* Protect against output buffer overflow */
-- if ( outsize > INT_MAX / 2 )
-+ if ( outsize > SIZE_MAX / 2 )
- {
- DOMPRINTF("%s: output buffer overflow", what);
- free(out_buf);
- goto lzma_cleanup;
- }
-
-+ if ( xc_dom_kernel_check_size(dom, outsize * 2) )
-+ {
-+ DOMPRINTF("%s: output too large", what);
-+ free(out_buf);
-+ goto lzma_cleanup;
-+ }
-+
- tmp_buf = realloc(out_buf, outsize * 2);
- if ( tmp_buf == NULL )
- {
-@@ -359,6 +396,12 @@ static int xc_try_lzo1x_decode(
- 0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
- };
-
-+ /*
-+ * lzo_uint should match size_t. Check that this is the case to be
-+ * sure we won't overflow various lzo_uint fields.
-+ */
-+ XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t));
-+
- ret = lzo_init();
- if ( ret != LZO_E_OK )
- {
-@@ -438,6 +481,14 @@ static int xc_try_lzo1x_decode(
- if ( src_len <= 0 || src_len > dst_len || src_len > left )
- break;
-
-+ msg = "Output buffer overflow";
-+ if ( *size > SIZE_MAX - dst_len )
-+ break;
-+
-+ msg = "Decompressed image too large";
-+ if ( xc_dom_kernel_check_size(dom, *size + dst_len) )
-+ break;
-+
- msg = "Failed to (re)alloc memory";
- tmp_buf = realloc(out_buf, *size + dst_len);
- if ( tmp_buf == NULL )
-diff -r 40ccbee890e1 -r 537776f51f79 tools/libxc/xc_dom_core.c
---- tools/libxc/xc_dom_core.c Thu Oct 25 15:36:32 2012 +0200
-+++ tools/libxc/xc_dom_core.c Fri Oct 26 16:10:55 2012 +0100
-@@ -159,7 +159,8 @@ void *xc_dom_malloc_page_aligned(struct
- }
-
- void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
-- const char *filename, size_t * size)
-+ const char *filename, size_t * size,
-+ const size_t max_size)
- {
- struct xc_dom_mem *block = NULL;
- int fd = -1;
-@@ -171,6 +172,13 @@ void *xc_dom_malloc_filemap(struct xc_do
- lseek(fd, 0, SEEK_SET);
- *size = lseek(fd, 0, SEEK_END);
-
-+ if ( max_size && *size > max_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
-+ "tried to map file which is too large");
-+ goto err;
-+ }
-+
- block = malloc(sizeof(*block));
- if ( block == NULL )
- goto err;
-@@ -222,6 +230,40 @@ char *xc_dom_strdup(struct xc_dom_image
- }
-
- /* ------------------------------------------------------------------------ */
-+/* decompression buffer sizing */
-+int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ /* No limit */
-+ if ( !dom->max_kernel_size )
-+ return 0;
-+
-+ if ( sz > dom->max_kernel_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+ "kernel image too large");
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ /* No limit */
-+ if ( !dom->max_ramdisk_size )
-+ return 0;
-+
-+ if ( sz > dom->max_ramdisk_size )
-+ {
-+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
-+ "ramdisk image too large");
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+/* ------------------------------------------------------------------------ */
- /* read files, copy memory blocks, with transparent gunzip */
-
- size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
-@@ -235,7 +277,7 @@ size_t xc_dom_check_gzip(xc_interface *x
-
- gzlen = blob + ziplen - 4;
- unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0];
-- if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */
-+ if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) )
- {
- xc_dom_printf
- (xch,
-@@ -288,6 +330,9 @@ int xc_dom_try_gunzip(struct xc_dom_imag
- if ( unziplen == 0 )
- return 0;
-
-+ if ( xc_dom_kernel_check_size(dom, unziplen) )
-+ return 0;
-+
- unzip = xc_dom_malloc(dom, unziplen);
- if ( unzip == NULL )
- return -1;
-@@ -588,6 +633,9 @@ struct xc_dom_image *xc_dom_allocate(xc_
- memset(dom, 0, sizeof(*dom));
- dom->xch = xch;
-
-+ dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX;
-+ dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX;
-+
- if ( cmdline )
- dom->cmdline = xc_dom_strdup(dom, cmdline);
- if ( features )
-@@ -608,10 +656,25 @@ struct xc_dom_image *xc_dom_allocate(xc_
- return NULL;
- }
-
-+int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz);
-+ dom->max_kernel_size = sz;
-+ return 0;
-+}
-+
-+int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz)
-+{
-+ DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz);
-+ dom->max_ramdisk_size = sz;
-+ return 0;
-+}
-+
- int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename)
- {
- DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
-- dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size);
-+ dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size,
-+ dom->max_kernel_size);
- if ( dom->kernel_blob == NULL )
- return -1;
- return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
-@@ -621,7 +684,9 @@ int xc_dom_ramdisk_file(struct xc_dom_im
- {
- DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
- dom->ramdisk_blob =
-- xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size);
-+ xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size,
-+ dom->max_ramdisk_size);
-+
- if ( dom->ramdisk_blob == NULL )
- return -1;
- // return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size);
-@@ -781,7 +846,11 @@ int xc_dom_build_image(struct xc_dom_ima
- void *ramdiskmap;
-
- unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size);
-+ if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 )
-+ unziplen = 0;
-+
- ramdisklen = unziplen ? unziplen : dom->ramdisk_size;
-+
- if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0,
- ramdisklen) != 0 )
- goto err;
-
-
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-1-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-1-XSA-55.patch
new file mode 100644
index 000000000000..d40959ca8ca8
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-1-XSA-55.patch
@@ -0,0 +1,417 @@
+From 9737484becab4a25159f1e985700eaee89690d34 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:15 +0100
+Subject: [PATCH 01/23] libelf: abolish libelf-relocate.c
+
+This file is not actually used. It's not built in Xen's instance of
+libelf; in libxc's it's built but nothing in it is called. Do not
+compile it in libxc, and delete it.
+
+This reduces the amount of work we need to do in forthcoming patches
+to libelf (particularly since as libelf-relocate.c is not used it is
+probably full of bugs).
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxc/Makefile | 2 +-
+ xen/common/libelf/libelf-relocate.c | 372 -----------------------------------
+ 2 files changed, 1 insertions(+), 373 deletions(-)
+ delete mode 100644 xen/common/libelf/libelf-relocate.c
+
+diff --git a/tools/libxc/Makefile b/tools/libxc/Makefile
+index ca38cbd..d8c6a60 100644
+--- a/tools/libxc/Makefile
++++ b/tools/libxc/Makefile
+@@ -53,7 +53,7 @@ vpath %.c ../../xen/common/libelf
+ CFLAGS += -I../../xen/common/libelf
+
+ GUEST_SRCS-y += libelf-tools.c libelf-loader.c
+-GUEST_SRCS-y += libelf-dominfo.c libelf-relocate.c
++GUEST_SRCS-y += libelf-dominfo.c
+
+ # new domain builder
+ GUEST_SRCS-y += xc_dom_core.c xc_dom_boot.c
+diff --git a/xen/common/libelf/libelf-relocate.c b/xen/common/libelf/libelf-relocate.c
+#deleted file mode 100644
+index 7ef4b01..0000000
+--- a/xen/common/libelf/libelf-relocate.c
++++ /dev/null
+@@ -1,372 +0,0 @@
+-/*
+- * ELF relocation code (not used by xen kernel right now).
+- *
+- * This library is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU Lesser General Public
+- * License as published by the Free Software Foundation;
+- * version 2.1 of the License.
+- *
+- * This library is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+- * Lesser General Public License for more details.
+- *
+- * You should have received a copy of the GNU Lesser General Public
+- * License along with this library; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+- */
+-
+-#include "libelf-private.h"
+-
+-/* ------------------------------------------------------------------------ */
+-
+-static const char *rel_names_i386[] = {
+- "R_386_NONE",
+- "R_386_32",
+- "R_386_PC32",
+- "R_386_GOT32",
+- "R_386_PLT32",
+- "R_386_COPY",
+- "R_386_GLOB_DAT",
+- "R_386_JMP_SLOT",
+- "R_386_RELATIVE",
+- "R_386_GOTOFF",
+- "R_386_GOTPC",
+- "R_386_32PLT",
+- "R_386_TLS_TPOFF",
+- "R_386_TLS_IE",
+- "R_386_TLS_GOTIE",
+- "R_386_TLS_LE",
+- "R_386_TLS_GD",
+- "R_386_TLS_LDM",
+- "R_386_16",
+- "R_386_PC16",
+- "R_386_8",
+- "R_386_PC8",
+- "R_386_TLS_GD_32",
+- "R_386_TLS_GD_PUSH",
+- "R_386_TLS_GD_CALL",
+- "R_386_TLS_GD_POP",
+- "R_386_TLS_LDM_32",
+- "R_386_TLS_LDM_PUSH",
+- "R_386_TLS_LDM_CALL",
+- "R_386_TLS_LDM_POP",
+- "R_386_TLS_LDO_32",
+- "R_386_TLS_IE_32",
+- "R_386_TLS_LE_32",
+- "R_386_TLS_DTPMOD32",
+- "R_386_TLS_DTPOFF32",
+- "R_386_TLS_TPOFF32",
+-};
+-
+-static int elf_reloc_i386(struct elf_binary *elf, int type,
+- uint64_t addr, uint64_t value)
+-{
+- void *ptr = elf_get_ptr(elf, addr);
+- uint32_t *u32;
+-
+- switch ( type )
+- {
+- case 1 /* R_386_32 */ :
+- u32 = ptr;
+- *u32 += elf->reloc_offset;
+- break;
+- case 2 /* R_386_PC32 */ :
+- /* nothing */
+- break;
+- default:
+- return -1;
+- }
+- return 0;
+-}
+-
+-/* ------------------------------------------------------------------------ */
+-
+-static const char *rel_names_x86_64[] = {
+- "R_X86_64_NONE",
+- "R_X86_64_64",
+- "R_X86_64_PC32",
+- "R_X86_64_GOT32",
+- "R_X86_64_PLT32",
+- "R_X86_64_COPY",
+- "R_X86_64_GLOB_DAT",
+- "R_X86_64_JUMP_SLOT",
+- "R_X86_64_RELATIVE",
+- "R_X86_64_GOTPCREL",
+- "R_X86_64_32",
+- "R_X86_64_32S",
+- "R_X86_64_16",
+- "R_X86_64_PC16",
+- "R_X86_64_8",
+- "R_X86_64_PC8",
+- "R_X86_64_DTPMOD64",
+- "R_X86_64_DTPOFF64",
+- "R_X86_64_TPOFF64",
+- "R_X86_64_TLSGD",
+- "R_X86_64_TLSLD",
+- "R_X86_64_DTPOFF32",
+- "R_X86_64_GOTTPOFF",
+- "R_X86_64_TPOFF32",
+-};
+-
+-static int elf_reloc_x86_64(struct elf_binary *elf, int type,
+- uint64_t addr, uint64_t value)
+-{
+- void *ptr = elf_get_ptr(elf, addr);
+- uint64_t *u64;
+- uint32_t *u32;
+- int32_t *s32;
+-
+- switch ( type )
+- {
+- case 1 /* R_X86_64_64 */ :
+- u64 = ptr;
+- value += elf->reloc_offset;
+- *u64 = value;
+- break;
+- case 2 /* R_X86_64_PC32 */ :
+- u32 = ptr;
+- *u32 = value - addr;
+- if ( *u32 != (uint32_t)(value - addr) )
+- {
+- elf_err(elf, "R_X86_64_PC32 overflow: 0x%" PRIx32
+- " != 0x%" PRIx32 "\n",
+- *u32, (uint32_t) (value - addr));
+- return -1;
+- }
+- break;
+- case 10 /* R_X86_64_32 */ :
+- u32 = ptr;
+- value += elf->reloc_offset;
+- *u32 = value;
+- if ( *u32 != value )
+- {
+- elf_err(elf, "R_X86_64_32 overflow: 0x%" PRIx32
+- " != 0x%" PRIx64 "\n",
+- *u32, value);
+- return -1;
+- }
+- break;
+- case 11 /* R_X86_64_32S */ :
+- s32 = ptr;
+- value += elf->reloc_offset;
+- *s32 = value;
+- if ( *s32 != (int64_t) value )
+- {
+- elf_err(elf, "R_X86_64_32S overflow: 0x%" PRIx32
+- " != 0x%" PRIx64 "\n",
+- *s32, (int64_t) value);
+- return -1;
+- }
+- break;
+- default:
+- return -1;
+- }
+- return 0;
+-}
+-
+-/* ------------------------------------------------------------------------ */
+-
+-static struct relocs {
+- const char **names;
+- int count;
+- int (*func) (struct elf_binary * elf, int type, uint64_t addr,
+- uint64_t value);
+-} relocs[] =
+-/* *INDENT-OFF* */
+-{
+- [EM_386] = {
+- .names = rel_names_i386,
+- .count = sizeof(rel_names_i386) / sizeof(rel_names_i386[0]),
+- .func = elf_reloc_i386,
+- },
+- [EM_X86_64] = {
+- .names = rel_names_x86_64,
+- .count = sizeof(rel_names_x86_64) / sizeof(rel_names_x86_64[0]),
+- .func = elf_reloc_x86_64,
+- }
+-};
+-/* *INDENT-ON* */
+-
+-/* ------------------------------------------------------------------------ */
+-
+-static const char *rela_name(int machine, int type)
+-{
+- if ( machine > sizeof(relocs) / sizeof(relocs[0]) )
+- return "unknown mach";
+- if ( !relocs[machine].names )
+- return "unknown mach";
+- if ( type > relocs[machine].count )
+- return "unknown rela";
+- return relocs[machine].names[type];
+-}
+-
+-static int elf_reloc_section(struct elf_binary *elf,
+- const elf_shdr * rels,
+- const elf_shdr * sect, const elf_shdr * syms)
+-{
+- const void *ptr, *end;
+- const elf_shdr *shdr;
+- const elf_rela *rela;
+- const elf_rel *rel;
+- const elf_sym *sym;
+- uint64_t s_type;
+- uint64_t r_offset;
+- uint64_t r_info;
+- uint64_t r_addend;
+- int r_type, r_sym;
+- size_t rsize;
+- uint64_t shndx, sbase, addr, value;
+- const char *sname;
+- int machine;
+-
+- machine = elf_uval(elf, elf->ehdr, e_machine);
+- if ( (machine >= (sizeof(relocs) / sizeof(relocs[0]))) ||
+- (relocs[machine].func == NULL) )
+- {
+- elf_err(elf, "%s: can't handle machine %d\n",
+- __FUNCTION__, machine);
+- return -1;
+- }
+- if ( elf_swap(elf) )
+- {
+- elf_err(elf, "%s: non-native byte order, relocation not supported\n",
+- __FUNCTION__);
+- return -1;
+- }
+-
+- s_type = elf_uval(elf, rels, sh_type);
+- rsize = (SHT_REL == s_type) ? elf_size(elf, rel) : elf_size(elf, rela);
+- ptr = elf_section_start(elf, rels);
+- end = elf_section_end(elf, rels);
+-
+- for ( ; ptr < end; ptr += rsize )
+- {
+- switch ( s_type )
+- {
+- case SHT_REL:
+- rel = ptr;
+- r_offset = elf_uval(elf, rel, r_offset);
+- r_info = elf_uval(elf, rel, r_info);
+- r_addend = 0;
+- break;
+- case SHT_RELA:
+- rela = ptr;
+- r_offset = elf_uval(elf, rela, r_offset);
+- r_info = elf_uval(elf, rela, r_info);
+- r_addend = elf_uval(elf, rela, r_addend);
+- break;
+- default:
+- /* can't happen */
+- return -1;
+- }
+- if ( elf_64bit(elf) )
+- {
+- r_type = ELF64_R_TYPE(r_info);
+- r_sym = ELF64_R_SYM(r_info);
+- }
+- else
+- {
+- r_type = ELF32_R_TYPE(r_info);
+- r_sym = ELF32_R_SYM(r_info);
+- }
+-
+- sym = elf_sym_by_index(elf, r_sym);
+- shndx = elf_uval(elf, sym, st_shndx);
+- switch ( shndx )
+- {
+- case SHN_UNDEF:
+- sname = "*UNDEF*";
+- sbase = 0;
+- break;
+- case SHN_COMMON:
+- elf_err(elf, "%s: invalid section: %" PRId64 "\n",
+- __FUNCTION__, shndx);
+- return -1;
+- case SHN_ABS:
+- sname = "*ABS*";
+- sbase = 0;
+- break;
+- default:
+- shdr = elf_shdr_by_index(elf, shndx);
+- if ( shdr == NULL )
+- {
+- elf_err(elf, "%s: invalid section: %" PRId64 "\n",
+- __FUNCTION__, shndx);
+- return -1;
+- }
+- sname = elf_section_name(elf, shdr);
+- sbase = elf_uval(elf, shdr, sh_addr);
+- }
+-
+- addr = r_offset;
+- value = elf_uval(elf, sym, st_value);
+- value += r_addend;
+-
+- if ( elf->log_callback && (elf->verbose > 1) )
+- {
+- uint64_t st_name = elf_uval(elf, sym, st_name);
+- const char *name = st_name ? elf->sym_strtab + st_name : "*NONE*";
+-
+- elf_msg(elf,
+- "%s: type %s [%d], off 0x%" PRIx64 ", add 0x%" PRIx64 ","
+- " sym %s [0x%" PRIx64 "], sec %s [0x%" PRIx64 "]"
+- " -> addr 0x%" PRIx64 " value 0x%" PRIx64 "\n",
+- __FUNCTION__, rela_name(machine, r_type), r_type, r_offset,
+- r_addend, name, elf_uval(elf, sym, st_value), sname, sbase,
+- addr, value);
+- }
+-
+- if ( relocs[machine].func(elf, r_type, addr, value) == -1 )
+- {
+- elf_err(elf, "%s: unknown/unsupported reloc type %s [%d]\n",
+- __FUNCTION__, rela_name(machine, r_type), r_type);
+- return -1;
+- }
+- }
+- return 0;
+-}
+-
+-int elf_reloc(struct elf_binary *elf)
+-{
+- const elf_shdr *rels, *sect, *syms;
+- uint64_t i, count, type;
+-
+- count = elf_shdr_count(elf);
+- for ( i = 0; i < count; i++ )
+- {
+- rels = elf_shdr_by_index(elf, i);
+- type = elf_uval(elf, rels, sh_type);
+- if ( (type != SHT_REL) && (type != SHT_RELA) )
+- continue;
+-
+- sect = elf_shdr_by_index(elf, elf_uval(elf, rels, sh_info));
+- syms = elf_shdr_by_index(elf, elf_uval(elf, rels, sh_link));
+- if ( NULL == sect || NULL == syms )
+- continue;
+-
+- if ( !(elf_uval(elf, sect, sh_flags) & SHF_ALLOC) )
+- {
+- elf_msg(elf, "%s: relocations for %s, skipping\n",
+- __FUNCTION__, elf_section_name(elf, sect));
+- continue;
+- }
+-
+- elf_msg(elf, "%s: relocations for %s @ 0x%" PRIx64 "\n",
+- __FUNCTION__, elf_section_name(elf, sect),
+- elf_uval(elf, sect, sh_addr));
+- if ( elf_reloc_section(elf, rels, sect, syms) != 0 )
+- return -1;
+- }
+- return 0;
+-}
+-
+-/*
+- * Local variables:
+- * mode: C
+- * c-set-style: "BSD"
+- * c-basic-offset: 4
+- * tab-width: 4
+- * indent-tabs-mode: nil
+- * End:
+- */
+--
+#1.7.2.5
+
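Review bot: Two lines of this vendored patch carry a leading `#` that git-formatted output would not have, `#deleted file mode 100644` in the `libelf-relocate.c` section and `#1.7.2.5` after the `--` trailer, so the file presumably no longer matches the upstream XSA-55 patch 01/23 byte for byte and cannot be checked against the advisory's copy by checksum. Nothing in the hunk records why the edit was made; a comment above the `From 9737484becab…` line, where patch tools skip leading text, would cover it: `# Local change: "deleted file mode" and git version trailer lines commented out`. With the deletion header disabled, whether `xen/common/libelf/libelf-relocate.c` is removed or left behind as an empty file depends on how the applying tool treats the `+++ /dev/null` target, which is worth confirming in the build log. The file name also puts the series index where a CVE number would go (`CVE-2013-1`), which can mislead anyone auditing patched CVEs by file name; the other XSA-55 files added in this commit follow the same pattern.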
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-11-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-11-XSA-55.patch
new file mode 100644
index 000000000000..5ad78279b0db
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-11-XSA-55.patch
@@ -0,0 +1,788 @@
+From cc8761371aac432318530c2ddfe2c8234bc0621f Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:17 +0100
+Subject: [PATCH 11/23] libelf: check all pointer accesses
+
+We change the ELF_PTRVAL and ELF_HANDLE types and associated macros:
+
+ * PTRVAL becomes a uintptr_t, for which we provide a typedef
+ elf_ptrval. This means no arithmetic done on it can overflow so
+ the compiler cannot do any malicious invalid pointer arithmetic
+ "optimisations". It also means that any places where we
+ dereference one of these pointers without using the appropriate
+ macros or functions become a compilation error.
+
+ So we can be sure that we won't miss any memory accesses.
+
+ All the PTRVAL variables were previously void* or char*, so
+ the actual address calculations are unchanged.
+
+ * ELF_HANDLE becomes a union, one half of which keeps the pointer
+ value and the other half of which is just there to record the
+ type.
+
+ The new type is not a pointer type so there can be no address
+ calculations on it whose meaning would change. Every assignment or
+ access has to go through one of our macros.
+
+ * The distinction between const and non-const pointers and char*s
+ and void*s in libelf goes away. This was not important (and
+ anyway libelf tended to cast away const in various places).
+
+ * The fields elf->image and elf->dest are renamed. That proves
+ that we haven't missed any unchecked uses of these actual
+ pointer values.
+
+ * The caller may fill in elf->caller_xdest_base and _size to
+ specify another range of memory which is safe for libelf to
+ access, besides the input and output images.
+
+ * When accesses fail due to being out of range, we mark the elf
+ "broken". This will be checked and used for diagnostics in
+ a following patch.
+
+ We do not check for write accesses to the input image. This is
+ because libelf actually does this in a number of places. So we
+ simply permit that.
+
+ * Each caller of libelf which used to set dest now sets
+ dest_base and dest_size.
+
+ * In xc_dom_load_elf_symtab we provide a new actual-pointer
+ value hdr_ptr which we get from mapping the guest's kernel
+ area and use (checking carefully) as the caller_xdest area.
+
+ * The STAR(h) macro in libelf-dominfo.c now uses elf_access_unsigned.
+
+ * elf-init uses the new elf_uval_3264 accessor to access the 32-bit
+ fields, rather than an unchecked field access (ie, unchecked
+ pointer access).
+
+ * elf_uval has been reworked to use elf_uval_3264. Both of these
+ macros are essentially new in this patch (although they are derived
+ from the old elf_uval) and need careful review.
+
+ * ELF_ADVANCE_DEST is now safe in the sense that you can use it to
+ chop parts off the front of the dest area but if you chop more than
+ is available, the dest area is simply set to be empty, preventing
+ future accesses.
+
+ * We introduce some #defines for memcpy, memset, memmove and strcpy:
+ - We provide elf_memcpy_safe and elf_memset_safe which take
+ PTRVALs and do checking on the supplied pointers.
+ - Users inside libelf must all be changed to either
+ elf_mem*_unchecked (which are just like mem*), or
+ elf_mem*_safe (which take PTRVALs) and are checked. Any
+ unchanged call sites become compilation errors.
+
+ * We do _not_ at this time fix elf_access_unsigned so that it doesn't
+ make unaligned accesses. We hope that unaligned accesses are OK on
+ every supported architecture. But it does check the supplied
+ pointer for validity.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxc/xc_dom_elfloader.c | 49 ++++++++--
+ tools/libxc/xc_hvm_build_x86.c | 10 +-
+ xen/arch/x86/domain_build.c | 3 +-
+ xen/common/libelf/libelf-dominfo.c | 2 +-
+ xen/common/libelf/libelf-loader.c | 16 ++--
+ xen/common/libelf/libelf-private.h | 13 +++
+ xen/common/libelf/libelf-tools.c | 106 ++++++++++++++++++-
+ xen/include/xen/libelf.h | 198 +++++++++++++++++++++++++-----------
+ 8 files changed, 312 insertions(+), 85 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index cc0f206..b82a08c 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -130,20 +130,30 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+
+ if ( load )
+ {
+- size_t allow_size; /* will be used in a forthcoming XSA-55 patch */
++ char *hdr_ptr;
++ size_t allow_size;
++
+ if ( !dom->bsd_symtab_start )
+ return 0;
+ size = dom->kernel_seg.vend - dom->bsd_symtab_start;
+- hdr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
+- *(int *)hdr = size - sizeof(int);
++ hdr_ptr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
++ elf->caller_xdest_base = hdr_ptr;
++ elf->caller_xdest_size = allow_size;
++ hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
++ elf_store_val(elf, int, hdr, size - sizeof(int));
+ }
+ else
+ {
++ char *hdr_ptr;
++
+ size = sizeof(int) + elf_size(elf, elf->ehdr) +
+ elf_shdr_count(elf) * elf_size(elf, shdr);
+- hdr = xc_dom_malloc(dom, size);
+- if ( hdr == NULL )
++ hdr_ptr = xc_dom_malloc(dom, size);
++ if ( hdr_ptr == NULL )
+ return 0;
++ elf->caller_xdest_base = hdr_ptr;
++ elf->caller_xdest_size = size;
++ hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
+ dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
+ }
+
+@@ -171,9 +181,32 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ ehdr->e_shoff = elf_size(elf, elf->ehdr);
+ ehdr->e_shstrndx = SHN_UNDEF;
+ }
+- if ( elf_init(&syms, hdr + sizeof(int), size - sizeof(int)) )
++ if ( elf->caller_xdest_size < sizeof(int) )
++ {
++ DOMPRINTF("%s/%s: header size %"PRIx64" too small",
++ __FUNCTION__, load ? "load" : "parse",
++ (uint64_t)elf->caller_xdest_size);
++ return -1;
++ }
++ if ( elf_init(&syms, elf->caller_xdest_base + sizeof(int),
++ elf->caller_xdest_size - sizeof(int)) )
+ return -1;
+
++ /*
++ * The caller_xdest_{base,size} and dest_{base,size} need to
++ * remain valid so long as each struct elf_image does. The
++ * principle we adopt is that these values are set when the
++ * memory is allocated or mapped, and cleared when (and if)
++ * they are unmapped.
++ *
++ * Mappings of the guest are normally undone by xc_dom_unmap_all
++ * (directly or via xc_dom_release). We do not explicitly clear
++ * these because in fact that happens only at the end of
++ * xc_dom_boot_image, at which time all of these ELF loading
++ * functions have returned. No relevant struct elf_binary*
++ * escapes this file.
++ */
++
+ xc_elf_set_logfile(dom->xch, &syms, 1);
+
+ symtab = dom->bsd_symtab_start + sizeof(int);
+@@ -312,8 +345,10 @@ static int xc_dom_load_elf_kernel(struct xc_dom_image *dom)
+ {
+ struct elf_binary *elf = dom->private_loader;
+ int rc;
++ xen_pfn_t pages;
+
+- elf->dest = xc_dom_seg_to_ptr(dom, &dom->kernel_seg);
++ elf->dest_base = xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg, &pages);
++ elf->dest_size = pages * XC_DOM_PAGE_SIZE(dom);
+ rc = elf_load_binary(elf);
+ if ( rc < 0 )
+ {
+diff --git a/tools/libxc/xc_hvm_build_x86.c b/tools/libxc/xc_hvm_build_x86.c
+index 15b603d..ccfd8b5 100644
+--- a/tools/libxc/xc_hvm_build_x86.c
++++ b/tools/libxc/xc_hvm_build_x86.c
+@@ -104,11 +104,12 @@ static int loadelfimage(
+ for ( i = 0; i < pages; i++ )
+ entries[i].mfn = parray[(elf->pstart >> PAGE_SHIFT) + i];
+
+- elf->dest = xc_map_foreign_ranges(
++ elf->dest_base = xc_map_foreign_ranges(
+ xch, dom, pages << PAGE_SHIFT, PROT_READ | PROT_WRITE, 1 << PAGE_SHIFT,
+ entries, pages);
+- if ( elf->dest == NULL )
++ if ( elf->dest_base == NULL )
+ goto err;
++ elf->dest_size = pages * PAGE_SIZE;
+
+ ELF_ADVANCE_DEST(elf, elf->pstart & (PAGE_SIZE - 1));
+
+@@ -117,8 +118,9 @@ static int loadelfimage(
+ if ( rc < 0 )
+ PERROR("Failed to load elf binary\n");
+
+- munmap(elf->dest, pages << PAGE_SHIFT);
+- elf->dest = NULL;
++ munmap(elf->dest_base, pages << PAGE_SHIFT);
++ elf->dest_base = NULL;
++ elf->dest_size = 0;
+
+ err:
+ free(entries);
+diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
+index 469d363..a655b21 100644
+--- a/xen/arch/x86/domain_build.c
++++ b/xen/arch/x86/domain_build.c
+@@ -908,7 +908,8 @@ int __init construct_dom0(
+ write_ptbase(v);
+
+ /* Copy the OS image and free temporary buffer. */
+- elf.dest = (void*)vkern_start;
++ elf.dest_base = (void*)vkern_start;
++ elf.dest_size = vkern_end - vkern_start;
+ rc = elf_load_binary(&elf);
+ if ( rc < 0 )
+ {
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index b217f8f..98c80dc 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -254,7 +254,7 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
+ int len;
+
+ h = parms->guest_info;
+-#define STAR(h) (*(h))
++#define STAR(h) (elf_access_unsigned(elf, (h), 0, 1))
+ while ( STAR(h) )
+ {
+ elf_memset_unchecked(name, 0, sizeof(name));
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index 0fef84c..a3310e7 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -24,23 +24,25 @@
+
+ /* ------------------------------------------------------------------------ */
+
+-int elf_init(struct elf_binary *elf, const char *image, size_t size)
++int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
+ {
+ ELF_HANDLE_DECL(elf_shdr) shdr;
+ uint64_t i, count, section, offset;
+
+- if ( !elf_is_elfbinary(image) )
++ if ( !elf_is_elfbinary(image_input) )
+ {
+ elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__);
+ return -1;
+ }
+
+ elf_memset_unchecked(elf, 0, sizeof(*elf));
+- elf->image = image;
++ elf->image_base = image_input;
+ elf->size = size;
+- elf->ehdr = (elf_ehdr *)image;
+- elf->class = elf->ehdr->e32.e_ident[EI_CLASS];
+- elf->data = elf->ehdr->e32.e_ident[EI_DATA];
++ elf->ehdr = ELF_MAKE_HANDLE(elf_ehdr, (elf_ptrval)image_input);
++ elf->class = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_CLASS]);
++ elf->data = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_DATA]);
++ elf->caller_xdest_base = NULL;
++ elf->caller_xdest_size = 0;
+
+ /* Sanity check phdr. */
+ offset = elf_uval(elf, elf->ehdr, e_phoff) +
+@@ -300,7 +302,7 @@ int elf_load_binary(struct elf_binary *elf)
+
+ ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr)
+ {
+- return elf->dest + addr - elf->pstart;
++ return ELF_REALPTR2PTRVAL(elf->dest_base) + addr - elf->pstart;
+ }
+
+ uint64_t elf_lookup_addr(struct elf_binary * elf, const char *symbol)
+diff --git a/xen/common/libelf/libelf-private.h b/xen/common/libelf/libelf-private.h
+index 3ef753c..280dfd1 100644
+--- a/xen/common/libelf/libelf-private.h
++++ b/xen/common/libelf/libelf-private.h
+@@ -86,6 +86,19 @@ do { strncpy((d),(s),sizeof((d))-1); \
+
+ #endif
+
++#undef memcpy
++#undef memset
++#undef memmove
++#undef strcpy
++
++#define memcpy MISTAKE_unspecified_memcpy
++#define memset MISTAKE_unspecified_memset
++#define memmove MISTAKE_unspecified_memmove
++#define strcpy MISTAKE_unspecified_strcpy
++ /* This prevents libelf from using these undecorated versions
++ * of memcpy, memset, memmove and strcpy. Every call site
++ * must either use elf_mem*_unchecked, or elf_mem*_safe. */
++
+ #endif /* __LIBELF_PRIVATE_H_ */
+
+ /*
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 3a0cde1..46ca553 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -20,28 +20,100 @@
+
+ /* ------------------------------------------------------------------------ */
+
+-uint64_t elf_access_unsigned(struct elf_binary * elf, const void *ptr,
+- uint64_t offset, size_t size)
++void elf_mark_broken(struct elf_binary *elf, const char *msg)
+ {
++ if ( elf->broken == NULL )
++ elf->broken = msg;
++}
++
++const char *elf_check_broken(const struct elf_binary *elf)
++{
++ return elf->broken;
++}
++
++static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
++ const void *region, uint64_t regionsize)
++ /*
++ * Returns true if the putative memory area [ptrval,ptrval+size>
++ * is completely inside the region [region,region+regionsize>.
++ *
++ * ptrval and size are the untrusted inputs to be checked.
++ * region and regionsize are trusted and must be correct and valid,
++ * although it is OK for region to perhaps be maliciously NULL
++ * (but not some other malicious value).
++ */
++{
++ elf_ptrval regionp = (elf_ptrval)region;
++
++ if ( (region == NULL) ||
++ (ptrval < regionp) || /* start is before region */
++ (ptrval > regionp + regionsize) || /* start is after region */
++ (size > regionsize - (ptrval - regionp)) ) /* too big */
++ return 0;
++ return 1;
++}
++
++int elf_access_ok(struct elf_binary * elf,
++ uint64_t ptrval, size_t size)
++{
++ if ( elf_ptrval_in_range(ptrval, size, elf->image_base, elf->size) )
++ return 1;
++ if ( elf_ptrval_in_range(ptrval, size, elf->dest_base, elf->dest_size) )
++ return 1;
++ if ( elf_ptrval_in_range(ptrval, size,
++ elf->caller_xdest_base, elf->caller_xdest_size) )
++ return 1;
++ elf_mark_broken(elf, "out of range access");
++ return 0;
++}
++
++void elf_memcpy_safe(struct elf_binary *elf, elf_ptrval dst,
++ elf_ptrval src, size_t size)
++{
++ if ( elf_access_ok(elf, dst, size) &&
++ elf_access_ok(elf, src, size) )
++ {
++ /* use memmove because these checks do not prove that the
++ * regions don't overlap and overlapping regions grant
++ * permission for compiler malice */
++ elf_memmove_unchecked(ELF_UNSAFE_PTR(dst), ELF_UNSAFE_PTR(src), size);
++ }
++}
++
++void elf_memset_safe(struct elf_binary *elf, elf_ptrval dst, int c, size_t size)
++{
++ if ( elf_access_ok(elf, dst, size) )
++ {
++ elf_memset_unchecked(ELF_UNSAFE_PTR(dst), c, size);
++ }
++}
++
++uint64_t elf_access_unsigned(struct elf_binary * elf, elf_ptrval base,
++ uint64_t moreoffset, size_t size)
++{
++ elf_ptrval ptrval = base + moreoffset;
+ int need_swap = elf_swap(elf);
+ const uint8_t *u8;
+ const uint16_t *u16;
+ const uint32_t *u32;
+ const uint64_t *u64;
+
++ if ( !elf_access_ok(elf, ptrval, size) )
++ return 0;
++
+ switch ( size )
+ {
+ case 1:
+- u8 = ptr + offset;
++ u8 = (const void*)ptrval;
+ return *u8;
+ case 2:
+- u16 = ptr + offset;
++ u16 = (const void*)ptrval;
+ return need_swap ? bswap_16(*u16) : *u16;
+ case 4:
+- u32 = ptr + offset;
++ u32 = (const void*)ptrval;
+ return need_swap ? bswap_32(*u32) : *u32;
+ case 8:
+- u64 = ptr + offset;
++ u64 = (const void*)ptrval;
+ return need_swap ? bswap_64(*u64) : *u64;
+ default:
+ return 0;
+@@ -122,6 +194,28 @@ const char *elf_section_name(struct elf_binary *elf,
+ return elf_strval(elf, elf->sec_strtab + elf_uval(elf, shdr, sh_name));
+ }
+
++const char *elf_strval(struct elf_binary *elf, elf_ptrval start)
++{
++ uint64_t length;
++
++ for ( length = 0; ; length++ ) {
++ if ( !elf_access_ok(elf, start + length, 1) )
++ return NULL;
++ if ( !elf_access_unsigned(elf, start, length, 1) )
++ /* ok */
++ return ELF_UNSAFE_PTR(start);
++ }
++}
++
++const char *elf_strfmt(struct elf_binary *elf, elf_ptrval start)
++{
++ const char *str = elf_strval(elf, start);
++
++ if ( str == NULL )
++ return "(invalid)";
++ return str;
++}
++
+ ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
+ {
+ return ELF_IMAGE_BASE(elf) + elf_uval(elf, shdr, sh_offset);
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index af5b5c5..ddc3ed7 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -57,8 +57,9 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+ * on this.
+ * This replaces variables which were char*,void*
+ * and their const versions, so we provide four
+- * different declaration macros:
++ * different obsolete declaration macros:
+ * ELF_PTRVAL_{,CONST}{VOID,CHAR}
++ * New code can simply use the elf_ptrval typedef.
+ * HANDLE A pointer to a struct. There is one of these types
+ * for each pointer type - that is, for each "structname".
+ * In the arguments to the various HANDLE macros, structname
+@@ -67,54 +68,66 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+ * pointers. In the current code attempts to do so will
+ * compile, but in the next patch this will become a
+ * compile error.
+- * We provide two declaration macros for const and
+- * non-const pointers.
++ * We also provide a second declaration macro for
++ * pointers which were to const; this is obsolete.
+ */
+
+-#define ELF_REALPTR2PTRVAL(realpointer) (realpointer)
++typedef uintptr_t elf_ptrval;
++
++#define ELF_REALPTR2PTRVAL(realpointer) ((elf_ptrval)(realpointer))
+ /* Converts an actual C pointer into a PTRVAL */
+
+-#define ELF_HANDLE_DECL_NONCONST(structname) structname *
+-#define ELF_HANDLE_DECL(structname) const structname *
++#define ELF_HANDLE_DECL_NONCONST(structname) structname##_handle /*obsolete*/
++#define ELF_HANDLE_DECL(structname) structname##_handle
+ /* Provides a type declaration for a HANDLE. */
+- /* May only be used to declare ONE variable at a time */
+
+-#define ELF_PTRVAL_VOID void *
+-#define ELF_PTRVAL_CHAR char *
+-#define ELF_PTRVAL_CONST_VOID const void *
+-#define ELF_PTRVAL_CONST_CHAR const char *
+- /* Provides a type declaration for a PTRVAL. */
+- /* May only be used to declare ONE variable at a time */
++#define ELF_PTRVAL_VOID elf_ptrval /*obsolete*/
++#define ELF_PTRVAL_CHAR elf_ptrval /*obsolete*/
++#define ELF_PTRVAL_CONST_VOID elf_ptrval /*obsolete*/
++#define ELF_PTRVAL_CONST_CHAR elf_ptrval /*obsolete*/
++
++#ifdef __XEN__
++# define ELF_PRPTRVAL "lu"
++ /*
++ * PRIuPTR is misdefined in xen/include/xen/inttypes.h, on 32-bit,
++ * to "u", when in fact uintptr_t is an unsigned long.
++ */
++#else
++# define ELF_PRPTRVAL PRIuPTR
++#endif
++ /* printf format a la PRId... for a PTRVAL */
+
+-#define ELF_DEFINE_HANDLE(structname) /* empty */
++#define ELF_DEFINE_HANDLE(structname) \
++ typedef union { \
++ elf_ptrval ptrval; \
++ const structname *typeonly; /* for sizeof, offsetof, &c only */ \
++ } structname##_handle;
+ /*
+ * This must be invoked for each HANDLE type to define
+ * the actual C type used for that kind of HANDLE.
+ */
+
+-#define ELF_PRPTRVAL "p"
+- /* printf format a la PRId... for a PTRVAL */
+-
+-#define ELF_MAKE_HANDLE(structname, ptrval) (ptrval)
++#define ELF_MAKE_HANDLE(structname, ptrval) ((structname##_handle){ ptrval })
+ /* Converts a PTRVAL to a HANDLE */
+
+-#define ELF_IMAGE_BASE(elf) ((elf)->image)
++#define ELF_IMAGE_BASE(elf) ((elf_ptrval)(elf)->image_base)
+ /* Returns the base of the image as a PTRVAL. */
+
+-#define ELF_HANDLE_PTRVAL(handleval) ((void*)(handleval))
++#define ELF_HANDLE_PTRVAL(handleval) ((handleval).ptrval)
+ /* Converts a HANDLE to a PTRVAL. */
+
+-#define ELF_OBSOLETE_VOIDP_CAST (void*)(uintptr_t)
++#define ELF_OBSOLETE_VOIDP_CAST /*empty*/
+ /*
+- * In some places the existing code needs to
++ * In some places the old code used to need to
+ * - cast away const (the existing code uses const a fair
+ * bit but actually sometimes wants to write to its input)
+ * from a PTRVAL.
+ * - convert an integer representing a pointer to a PTRVAL
+- * This macro provides a suitable cast.
++ * Nowadays all of these re uintptr_ts so there is no const problem
++ * and no need for any casting.
+ */
+
+-#define ELF_UNSAFE_PTR(ptrval) ((void*)(uintptr_t)(ptrval))
++#define ELF_UNSAFE_PTR(ptrval) ((void*)(elf_ptrval)(ptrval))
+ /*
+ * Turns a PTRVAL into an actual C pointer. Before this is done
+ * the caller must have ensured that the PTRVAL does in fact point
+@@ -122,18 +135,21 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+ */
+
+ /* PTRVALs can be INVALID (ie, NULL). */
+-#define ELF_INVALID_PTRVAL (NULL) /* returns NULL PTRVAL */
++#define ELF_INVALID_PTRVAL ((elf_ptrval)0) /* returns NULL PTRVAL */
+ #define ELF_INVALID_HANDLE(structname) /* returns NULL handle */ \
+ ELF_MAKE_HANDLE(structname, ELF_INVALID_PTRVAL)
+-#define ELF_PTRVAL_VALID(ptrval) (ptrval) /* } */
+-#define ELF_HANDLE_VALID(handleval) (handleval) /* } predicates */
+-#define ELF_PTRVAL_INVALID(ptrval) ((ptrval) == NULL) /* } */
++#define ELF_PTRVAL_VALID(ptrval) (!!(ptrval)) /* } */
++#define ELF_HANDLE_VALID(handleval) (!!(handleval).ptrval) /* } predicates */
++#define ELF_PTRVAL_INVALID(ptrval) (!ELF_PTRVAL_VALID((ptrval))) /* } */
++
++#define ELF_MAX_PTRVAL (~(elf_ptrval)0)
++ /* PTRVAL value guaranteed to compare > to any valid PTRVAL */
+
+ /* For internal use by other macros here */
+ #define ELF__HANDLE_FIELD_TYPE(handleval, elm) \
+- typeof((handleval)->elm)
++ typeof((handleval).typeonly->elm)
+ #define ELF__HANDLE_FIELD_OFFSET(handleval, elm) \
+- offsetof(typeof(*(handleval)),elm)
++ offsetof(typeof(*(handleval).typeonly),elm)
+
+
+ /* ------------------------------------------------------------------------ */
+@@ -182,7 +198,7 @@ ELF_DEFINE_HANDLE(elf_note)
+
+ struct elf_binary {
+ /* elf binary */
+- const char *image;
++ const void *image_base;
+ size_t size;
+ char class;
+ char data;
+@@ -190,10 +206,16 @@ struct elf_binary {
+ ELF_HANDLE_DECL(elf_ehdr) ehdr;
+ ELF_PTRVAL_CONST_CHAR sec_strtab;
+ ELF_HANDLE_DECL(elf_shdr) sym_tab;
+- ELF_PTRVAL_CONST_CHAR sym_strtab;
++ uint64_t sym_strtab;
+
+ /* loaded to */
+- char *dest;
++ /*
++ * dest_base and dest_size are trusted and must be correct;
++ * whenever dest_size is not 0, both of these must be valid
++ * so long as the struct elf_binary is in use.
++ */
++ char *dest_base;
++ size_t dest_size;
+ uint64_t pstart;
+ uint64_t pend;
+ uint64_t reloc_offset;
+@@ -201,12 +223,22 @@ struct elf_binary {
+ uint64_t bsd_symtab_pstart;
+ uint64_t bsd_symtab_pend;
+
++ /*
++ * caller's other acceptable destination
++ *
++ * Again, these are trusted and must be valid (or 0) so long
++ * as the struct elf_binary is in use.
++ */
++ void *caller_xdest_base;
++ uint64_t caller_xdest_size;
++
+ #ifndef __XEN__
+ /* misc */
+ elf_log_callback *log_callback;
+ void *log_caller_data;
+ #endif
+ int verbose;
++ const char *broken;
+ };
+
+ /* ------------------------------------------------------------------------ */
+@@ -224,22 +256,27 @@ struct elf_binary {
+ #define elf_lsb(elf) (ELFDATA2LSB == (elf)->data)
+ #define elf_swap(elf) (NATIVE_ELFDATA != (elf)->data)
+
+-#define elf_uval(elf, str, elem) \
+- ((ELFCLASS64 == (elf)->class) \
+- ? elf_access_unsigned((elf), (str), \
+- offsetof(typeof(*(str)),e64.elem), \
+- sizeof((str)->e64.elem)) \
+- : elf_access_unsigned((elf), (str), \
+- offsetof(typeof(*(str)),e32.elem), \
+- sizeof((str)->e32.elem)))
++#define elf_uval_3264(elf, handle, elem) \
++ elf_access_unsigned((elf), (handle).ptrval, \
++ offsetof(typeof(*(handle).typeonly),elem), \
++ sizeof((handle).typeonly->elem))
++
++#define elf_uval(elf, handle, elem) \
++ ((ELFCLASS64 == (elf)->class) \
++ ? elf_uval_3264(elf, handle, e64.elem) \
++ : elf_uval_3264(elf, handle, e32.elem))
+ /*
+ * Reads an unsigned field in a header structure in the ELF.
+ * str is a HANDLE, and elem is the field name in it.
+ */
+
+-#define elf_size(elf, str) \
++
++#define elf_size(elf, handle_or_handletype) ({ \
++ typeof(handle_or_handletype) elf_size__dummy; \
+ ((ELFCLASS64 == (elf)->class) \
+- ? sizeof((str)->e64) : sizeof((str)->e32))
++ ? sizeof(elf_size__dummy.typeonly->e64) \
++ : sizeof(elf_size__dummy.typeonly->e32)); \
++})
+ /*
+ * Returns the size of the substructure for the appropriate 32/64-bitness.
+ * str should be a HANDLE.
+@@ -251,23 +288,37 @@ uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
+
+ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
+
++const char *elf_strval(struct elf_binary *elf, elf_ptrval start);
++ /* may return NULL if the string is out of range etc. */
+
+-#define elf_strval(elf,x) ((const char*)(x)) /* may return NULL in the future */
+-#define elf_strfmt(elf,x) ((const char*)(x)) /* will return (invalid) instead */
++const char *elf_strfmt(struct elf_binary *elf, elf_ptrval start);
++ /* like elf_strval but returns "(invalid)" instead of NULL */
+
+-#define elf_memcpy_safe(elf, dst, src, sz) memcpy((dst),(src),(sz))
+-#define elf_memset_safe(elf, dst, c, sz) memset((dst),(c),(sz))
++void elf_memcpy_safe(struct elf_binary*, elf_ptrval dst, elf_ptrval src, size_t);
++void elf_memset_safe(struct elf_binary*, elf_ptrval dst, int c, size_t);
+ /*
+- * Versions of memcpy and memset which will (in the next patch)
+- * arrange never to write outside permitted areas.
++ * Versions of memcpy and memset which arrange never to write
++ * outside permitted areas.
+ */
+
+-#define elf_store_val(elf, type, ptr, val) (*(type*)(ptr) = (val))
++int elf_access_ok(struct elf_binary * elf,
++ uint64_t ptrval, size_t size);
++
++#define elf_store_val(elf, type, ptr, val) \
++ ({ \
++ typeof(type) elf_store__val = (val); \
++ elf_ptrval elf_store__targ = ptr; \
++ if (elf_access_ok((elf), elf_store__targ, \
++ sizeof(elf_store__val))) { \
++ elf_memcpy_unchecked((void*)elf_store__targ, &elf_store__val, \
++ sizeof(elf_store__val)); \
++ } \
++ }) \
+ /* Stores a value at a particular PTRVAL. */
+
+-#define elf_store_field(elf, hdr, elm, val) \
+- (elf_store_val((elf), ELF__HANDLE_FIELD_TYPE(hdr, elm), \
+- &((hdr)->elm), \
++#define elf_store_field(elf, hdr, elm, val) \
++ (elf_store_val((elf), ELF__HANDLE_FIELD_TYPE(hdr, elm), \
++ ELF_HANDLE_PTRVAL(hdr) + ELF__HANDLE_FIELD_OFFSET(hdr, elm), \
+ (val)))
+ /* Stores a 32/64-bit field. hdr is a HANDLE and elm is the field name. */
+
+@@ -306,6 +357,10 @@ int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ /* xc_libelf_loader.c */
+
+ int elf_init(struct elf_binary *elf, const char *image, size_t size);
++ /*
++ * image and size must be correct. They will be recorded in
++ * *elf, and must remain valid while the elf is in use.
++ */
+ #ifdef __XEN__
+ void elf_set_verbose(struct elf_binary *elf);
+ #else
+@@ -321,6 +376,9 @@ uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
+
+ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart); /* private */
+
++void elf_mark_broken(struct elf_binary *elf, const char *msg);
++const char *elf_check_broken(const struct elf_binary *elf); /* NULL means OK */
++
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_relocate.c */
+
+@@ -395,16 +453,38 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
+ int elf_xen_parse(struct elf_binary *elf,
+ struct elf_dom_parms *parms);
+
+-#define elf_memcpy_unchecked memcpy
+-#define elf_memset_unchecked memset
++static inline void *elf_memcpy_unchecked(void *dest, const void *src, size_t n)
++ { return memcpy(dest, src, n); }
++static inline void *elf_memmove_unchecked(void *dest, const void *src, size_t n)
++ { return memmove(dest, src, n); }
++static inline void *elf_memset_unchecked(void *s, int c, size_t n)
++ { return memset(s, c, n); }
+ /*
+- * Unsafe versions of memcpy and memset which take actual C
+- * pointers. These are just like real memcpy and memset.
++ * Unsafe versions of memcpy, memmove memset which take actual C
++ * pointers. These are just like the real functions.
++ * We provide these so that in libelf-private.h we can #define
++ * memcpy, memset and memmove to undefined MISTAKE things.
+ */
+
+
+-#define ELF_ADVANCE_DEST(elf, amount) elf->dest += (amount)
+- /* Advances past amount bytes of the current destination area. */
++/* Advances past amount bytes of the current destination area. */
++static inline void ELF_ADVANCE_DEST(struct elf_binary *elf, uint64_t amount)
++{
++ if ( elf->dest_base == NULL )
++ {
++ elf_mark_broken(elf, "advancing in null image");
++ }
++ else if ( elf->dest_size >= amount )
++ {
++ elf->dest_base += amount;
++ elf->dest_size -= amount;
++ }
++ else
++ {
++ elf->dest_size = 0;
++ elf_mark_broken(elf, "advancing past end (image very short?)");
++ }
++}
+
+
+ #endif /* __XEN_LIBELF_H__ */
+--
+1.7.2.5
+
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-12to13-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-12to13-XSA-55.patch
new file mode 100644
index 000000000000..952d8797d836
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-12to13-XSA-55.patch
@@ -0,0 +1,371 @@
+From d0790bdad7496e720416b2d4a04563c4c27e7b95 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:17 +0100
+Subject: [PATCH 12/23] libelf: Check pointer references in elf_is_elfbinary
+
+elf_is_elfbinary didn't take a length parameter and could potentially
+access out of range when provided with a very short image.
+
+We only need to check the size is enough for the actual dereference in
+elf_is_elfbinary; callers are just using it to check the magic number
+and do their own checks (usually via the new elf_ptrval system) before
+dereferencing other parts of the header.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+---
+ tools/libxc/xc_dom_elfloader.c | 2 +-
+ xen/arch/x86/bzimage.c | 4 ++--
+ xen/common/libelf/libelf-loader.c | 2 +-
+ xen/common/libelf/libelf-tools.c | 9 ++++++---
+ xen/include/xen/libelf.h | 4 +++-
+ 5 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index b82a08c..ea45886 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -95,7 +95,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
+ return -EINVAL;
+ }
+
+- if ( !elf_is_elfbinary(dom->kernel_blob) )
++ if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) )
+ {
+ if ( verbose )
+ xc_dom_panic(dom->xch,
+diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c
+index 5adc223..3600dca 100644
+--- a/xen/arch/x86/bzimage.c
++++ b/xen/arch/x86/bzimage.c
+@@ -220,7 +220,7 @@ unsigned long __init bzimage_headroom(char *image_start,
+ image_length = hdr->payload_length;
+ }
+
+- if ( elf_is_elfbinary(image_start) )
++ if ( elf_is_elfbinary(image_start, image_length) )
+ return 0;
+
+ orig_image_len = image_length;
+@@ -251,7 +251,7 @@ int __init bzimage_parse(char *image_base, char **image_start, unsigned long *im
+ *image_len = hdr->payload_length;
+ }
+
+- if ( elf_is_elfbinary(*image_start) )
++ if ( elf_is_elfbinary(*image_start, *image_len) )
+ return 0;
+
+ BUG_ON(!(image_base < *image_start));
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index a3310e7..f8be635 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -29,7 +29,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
+ ELF_HANDLE_DECL(elf_shdr) shdr;
+ uint64_t i, count, section, offset;
+
+- if ( !elf_is_elfbinary(image_input) )
++ if ( !elf_is_elfbinary(image_input, size) )
+ {
+ elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__);
+ return -1;
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 46ca553..744027e 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -332,11 +332,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
+
+ /* ------------------------------------------------------------------------ */
+
+-int elf_is_elfbinary(const void *image)
++int elf_is_elfbinary(const void *image_start, size_t image_size)
+ {
+- const Elf32_Ehdr *ehdr = image;
++ const Elf32_Ehdr *ehdr = image_start;
+
+- return IS_ELF(*ehdr); /* fixme unchecked */
++ if ( image_size < sizeof(*ehdr) )
++ return 0;
++
++ return IS_ELF(*ehdr);
+ }
+
+ int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index ddc3ed7..ac93858 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -350,7 +350,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
+ unsigned int unitsz, unsigned int idx);
+ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+
+-int elf_is_elfbinary(const void *image);
++/* (Only) checks that the image has the right magic number. */
++int elf_is_elfbinary(const void *image_start, size_t image_size);
++
+ int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+
+ /* ------------------------------------------------------------------------ */
+--
+1.7.2.5
+#From a965b8f80388603d439ae2b8ee7b9b018a079f90 Mon Sep 17 00:00:00 2001
+#From: Ian Jackson <ian.jackson@eu.citrix.com>
+#Date: Fri, 14 Jun 2013 16:43:17 +0100
+#Subject: [PATCH 13/23] libelf: Make all callers call elf_check_broken
+#
+#This arranges that if the new pointer reference error checking
+#tripped, we actually get a message about it. In this patch these
+#messages do not change the actual return values from the various
+#functions: so pointer reference errors do not prevent loading. This
+#is for fear that some existing kernels might cause the code to make
+#these wild references, which would then break, which is not a good
+#thing in a security patch.
+#
+#In xen/arch/x86/domain_build.c we have to introduce an "out" label and
+#change all of the "return rc" beyond the relevant point into "goto
+#out".
+#
+#Difference in the 4.2 series, compared to unstable:
+#
+#* tools/libxc/xc_hvm_build_x86.c:setup_guest and
+# xen/arch/arm/kernel.c:kernel_try_elf_prepare have different
+# error handling in 4.2 to unstable; patch adjusted accordingly.
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+#
+#xen-unstable version Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
+#---
+# tools/libxc/xc_dom_elfloader.c | 25 +++++++++++++++++++++----
+# tools/libxc/xc_hvm_build_x86.c | 5 +++++
+# tools/xcutils/readnotes.c | 3 +++
+# xen/arch/arm/kernel.c | 15 ++++++++++++++-
+# xen/arch/x86/domain_build.c | 28 +++++++++++++++++++++-------
+# 5 files changed, 64 insertions(+), 12 deletions(-)
+#
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index ea45886..4fb4da2 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -276,6 +276,13 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ elf_store_field(elf, shdr, e32.sh_name, 0);
+ }
+
++ if ( elf_check_broken(&syms) )
++ DOMPRINTF("%s: symbols ELF broken: %s", __FUNCTION__,
++ elf_check_broken(&syms));
++ if ( elf_check_broken(elf) )
++ DOMPRINTF("%s: ELF broken: %s", __FUNCTION__,
++ elf_check_broken(elf));
++
+ if ( tables == 0 )
+ {
+ DOMPRINTF("%s: no symbol table present", __FUNCTION__);
+@@ -312,19 +319,23 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
+ {
+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: ELF image"
+ " has no shstrtab", __FUNCTION__);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto out;
+ }
+
+ /* parse binary and get xen meta info */
+ elf_parse_binary(elf);
+ if ( (rc = elf_xen_parse(elf, &dom->parms)) != 0 )
+- return rc;
++ {
++ goto out;
++ }
+
+ if ( elf_xen_feature_get(XENFEAT_dom0, dom->parms.f_required) )
+ {
+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: Kernel does not"
+ " support unprivileged (DomU) operation", __FUNCTION__);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto out;
+ }
+
+ /* find kernel segment */
+@@ -338,7 +349,13 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
+ DOMPRINTF("%s: %s: 0x%" PRIx64 " -> 0x%" PRIx64 "",
+ __FUNCTION__, dom->guest_type,
+ dom->kernel_seg.vstart, dom->kernel_seg.vend);
+- return 0;
++ rc = 0;
++out:
++ if ( elf_check_broken(elf) )
++ DOMPRINTF("%s: ELF broken: %s", __FUNCTION__,
++ elf_check_broken(elf));
++
++ return rc;
+ }
+
+ static int xc_dom_load_elf_kernel(struct xc_dom_image *dom)
+diff --git a/tools/libxc/xc_hvm_build_x86.c b/tools/libxc/xc_hvm_build_x86.c
+index ccfd8b5..8165287 100644
+--- a/tools/libxc/xc_hvm_build_x86.c
++++ b/tools/libxc/xc_hvm_build_x86.c
+@@ -403,11 +403,16 @@ static int setup_guest(xc_interface *xch,
+ munmap(page0, PAGE_SIZE);
+ }
+
++ if ( elf_check_broken(&elf) )
++ ERROR("HVM ELF broken: %s", elf_check_broken(&elf));
++
+ free(page_array);
+ return 0;
+
+ error_out:
+ free(page_array);
++ if ( elf_check_broken(&elf) )
++ ERROR("HVM ELF broken, failing: %s", elf_check_broken(&elf));
+ return -1;
+ }
+
+diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
+index cfae994..d1f7a30 100644
+--- a/tools/xcutils/readnotes.c
++++ b/tools/xcutils/readnotes.c
+@@ -301,6 +301,9 @@ int main(int argc, char **argv)
+ printf("__xen_guest: %s\n",
+ elf_strfmt(&elf, elf_section_start(&elf, shdr)));
+
++ if (elf_check_broken(&elf))
++ printf("warning: broken ELF: %s\n", elf_check_broken(&elf));
++
+ return 0;
+ }
+
+diff --git a/xen/arch/arm/kernel.c b/xen/arch/arm/kernel.c
+index 2d56130..dec0519 100644
+--- a/xen/arch/arm/kernel.c
++++ b/xen/arch/arm/kernel.c
+@@ -146,6 +146,8 @@ static int kernel_try_elf_prepare(struct kernel_info *info)
+ {
+ int rc;
+
++ memset(&info->elf.elf, 0, sizeof(info->elf.elf));
++
+ info->kernel_order = get_order_from_bytes(KERNEL_FLASH_SIZE);
+ info->kernel_img = alloc_xenheap_pages(info->kernel_order, 0);
+ if ( info->kernel_img == NULL )
+@@ -160,7 +162,7 @@ static int kernel_try_elf_prepare(struct kernel_info *info)
+ #endif
+ elf_parse_binary(&info->elf.elf);
+ if ( (rc = elf_xen_parse(&info->elf.elf, &info->elf.parms)) != 0 )
+- return rc;
++ goto err;
+
+ /*
+ * TODO: can the ELF header be used to find the physical address
+@@ -169,7 +171,18 @@ static int kernel_try_elf_prepare(struct kernel_info *info)
+ info->entry = info->elf.parms.virt_entry;
+ info->load = kernel_elf_load;
+
++ if ( elf_check_broken(&info->elf.elf) )
++ printk("Xen: warning: ELF kernel broken: %s\n",
++ elf_check_broken(&info->elf.elf));
++
+ return 0;
++
++err:
++ if ( elf_check_broken(&info->elf.elf) )
++ printk("Xen: ELF kernel broken: %s\n",
++ elf_check_broken(&info->elf.elf));
++
++ return rc;
+ }
+
+ int kernel_prepare(struct kernel_info *info)
+diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
+index a655b21..0dbec96 100644
+--- a/xen/arch/x86/domain_build.c
++++ b/xen/arch/x86/domain_build.c
+@@ -374,7 +374,7 @@ int __init construct_dom0(
+ #endif
+ elf_parse_binary(&elf);
+ if ( (rc = elf_xen_parse(&elf, &parms)) != 0 )
+- return rc;
++ goto out;
+
+ /* compatibility check */
+ compatible = 0;
+@@ -413,14 +413,16 @@ int __init construct_dom0(
+ if ( !compatible )
+ {
+ printk("Mismatch between Xen and DOM0 kernel\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto out;
+ }
+
+ if ( parms.elf_notes[XEN_ELFNOTE_SUPPORTED_FEATURES].type != XEN_ENT_NONE &&
+ !test_bit(XENFEAT_dom0, parms.f_supported) )
+ {
+ printk("Kernel does not support Dom0 operation\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto out;
+ }
+
+ #if defined(__x86_64__)
+@@ -734,7 +736,8 @@ int __init construct_dom0(
+ (v_end > HYPERVISOR_COMPAT_VIRT_START(d)) )
+ {
+ printk("DOM0 image overlaps with Xen private area.\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto out;
+ }
+
+ if ( is_pv_32on64_domain(d) )
+@@ -914,7 +917,7 @@ int __init construct_dom0(
+ if ( rc < 0 )
+ {
+ printk("Failed to load the kernel binary\n");
+- return rc;
++ goto out;
+ }
+ bootstrap_map(NULL);
+
+@@ -925,7 +928,8 @@ int __init construct_dom0(
+ {
+ write_ptbase(current);
+ printk("Invalid HYPERCALL_PAGE field in ELF notes.\n");
+- return -1;
++ rc = -1;
++ goto out;
+ }
+ hypercall_page_initialise(
+ d, (void *)(unsigned long)parms.virt_hypercall);
+@@ -1272,9 +1276,19 @@ int __init construct_dom0(
+
+ BUG_ON(rc != 0);
+
+- iommu_dom0_init(dom0);
++ if ( elf_check_broken(&elf) )
++ printk(" Xen warning: dom0 kernel broken ELF: %s\n",
++ elf_check_broken(&elf));
+
++ iommu_dom0_init(dom0);
+ return 0;
++
++out:
++ if ( elf_check_broken(&elf) )
++ printk(" Xen dom0 kernel broken ELF: %s\n",
++ elf_check_broken(&elf));
++
++ return rc;
+ }
+
+ /*
+--
+1.7.2.5
+
+
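Review bot: In the `tools/libxc/xc_hvm_build_x86.c` part of patch 13, the `elf_check_broken(&elf)` added under `error_out:` reads `elf.broken` on every failure path, and nothing in the hunk shows `elf` being zeroed before the first `goto error_out`. `elf_init()` does not cover this on its own failure path: it returns before its `elf_memset_unchecked(elf, 0, sizeof(*elf))` when the image is not an ELF binary, so `broken` could still hold stack garbage when it is handed to `ERROR` as a `%s` argument. The `xen/arch/arm/kernel.c` part adds `memset(&info->elf.elf, 0, sizeof(info->elf.elf));`, apparently for the same reason. `setup_guest` starts outside the hunk, so confirm it has an equivalent `memset(&elf, 0, sizeof(elf));` ahead of any jump to `error_out`, and add one if it does not.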
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-14-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-14-XSA-55.patch
new file mode 100644
index 000000000000..67990a2435c3
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-14-XSA-55.patch
@@ -0,0 +1,252 @@
+From 3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:18 +0100
+Subject: [PATCH 14/23] libelf: use C99 bool for booleans
+
+We want to remove uses of "int" because signed integers have
+undesirable undefined behaviours on overflow. Malicious compilers can
+turn apparently-correct code into code with security vulnerabilities
+etc.
+
+In this patch we change all the booleans in libelf to C99 bool,
+from <stdbool.h>.
+
+For the one visible libelf boolean in libxc's public interface we
+retain the use of int to avoid changing the ABI; libxc converts it to
+a bool for consumption by libelf.
+
+It is OK to change all values only ever used as booleans to _Bool
+(bool) because conversion from any scalar type to a _Bool works the
+same as the boolean test in if() or ?: and is always defined (C99
+6.3.1.2). But we do need to check that all these variables really are
+only ever used that way. (It is theoretically possible that the old
+code truncated some 64-bit values to 32-bit ints which might become
+zero depending on the value, which would mean a behavioural change in
+this patch, but it seems implausible that treating 0x????????00000000
+as false could have been intended.)
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
+---
+ tools/libxc/xc_dom_elfloader.c | 8 ++++----
+ xen/common/libelf/libelf-dominfo.c | 2 +-
+ xen/common/libelf/libelf-loader.c | 4 ++--
+ xen/common/libelf/libelf-private.h | 2 +-
+ xen/common/libelf/libelf-tools.c | 10 +++++-----
+ xen/include/xen/libelf.h | 18 ++++++++++--------
+ 6 files changed, 23 insertions(+), 21 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 4fb4da2..9ba64ae 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -34,7 +34,7 @@
+ /* ------------------------------------------------------------------------ */
+
+ static void log_callback(struct elf_binary *elf, void *caller_data,
+- int iserr, const char *fmt, va_list al) {
++ bool iserr, const char *fmt, va_list al) {
+ xc_interface *xch = caller_data;
+
+ xc_reportv(xch,
+@@ -46,7 +46,7 @@ static void log_callback(struct elf_binary *elf, void *caller_data,
+
+ void xc_elf_set_logfile(xc_interface *xch, struct elf_binary *elf,
+ int verbose) {
+- elf_set_log(elf, log_callback, xch, verbose);
++ elf_set_log(elf, log_callback, xch, verbose /* convert to bool */);
+ }
+
+ /* ------------------------------------------------------------------------ */
+@@ -84,7 +84,7 @@ static char *xc_dom_guest_type(struct xc_dom_image *dom,
+ /* ------------------------------------------------------------------------ */
+ /* parse elf binary */
+
+-static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
++static int check_elf_kernel(struct xc_dom_image *dom, bool verbose)
+ {
+ if ( dom->kernel_blob == NULL )
+ {
+@@ -112,7 +112,7 @@ static int xc_dom_probe_elf_kernel(struct xc_dom_image *dom)
+ }
+
+ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+- struct elf_binary *elf, int load)
++ struct elf_binary *elf, bool load)
+ {
+ struct elf_binary syms;
+ ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index 98c80dc..12b6c2a 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -101,7 +101,7 @@ int elf_xen_parse_note(struct elf_binary *elf,
+ /* *INDENT-OFF* */
+ static const struct {
+ char *name;
+- int str;
++ bool str;
+ } note_desc[] = {
+ [XEN_ELFNOTE_ENTRY] = { "ENTRY", 0},
+ [XEN_ELFNOTE_HYPERCALL_PAGE] = { "HYPERCALL_PAGE", 0},
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index f8be635..0dccd4d 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -92,7 +92,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
+ }
+
+ #ifndef __XEN__
+-void elf_call_log_callback(struct elf_binary *elf, int iserr,
++void elf_call_log_callback(struct elf_binary *elf, bool iserr,
+ const char *fmt,...) {
+ va_list al;
+
+@@ -107,7 +107,7 @@ void elf_call_log_callback(struct elf_binary *elf, int iserr,
+ }
+
+ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
+- void *log_caller_data, int verbose)
++ void *log_caller_data, bool verbose)
+ {
+ elf->log_callback = log_callback;
+ elf->log_caller_data = log_caller_data;
+diff --git a/xen/common/libelf/libelf-private.h b/xen/common/libelf/libelf-private.h
+index 280dfd1..277be04 100644
+--- a/xen/common/libelf/libelf-private.h
++++ b/xen/common/libelf/libelf-private.h
+@@ -77,7 +77,7 @@
+ #define elf_err(elf, fmt, args ... ) \
+ elf_call_log_callback(elf, 1, fmt , ## args );
+
+-void elf_call_log_callback(struct elf_binary*, int iserr, const char *fmt,...);
++void elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt,...);
+
+ #define safe_strcpy(d,s) \
+ do { strncpy((d),(s),sizeof((d))-1); \
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 744027e..fa58f76 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -31,7 +31,7 @@ const char *elf_check_broken(const struct elf_binary *elf)
+ return elf->broken;
+ }
+
+-static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
++static bool elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
+ const void *region, uint64_t regionsize)
+ /*
+ * Returns true if the putative memory area [ptrval,ptrval+size>
+@@ -53,7 +53,7 @@ static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
+ return 1;
+ }
+
+-int elf_access_ok(struct elf_binary * elf,
++bool elf_access_ok(struct elf_binary * elf,
+ uint64_t ptrval, size_t size)
+ {
+ if ( elf_ptrval_in_range(ptrval, size, elf->image_base, elf->size) )
+@@ -92,7 +92,7 @@ uint64_t elf_access_unsigned(struct elf_binary * elf, elf_ptrval base,
+ uint64_t moreoffset, size_t size)
+ {
+ elf_ptrval ptrval = base + moreoffset;
+- int need_swap = elf_swap(elf);
++ bool need_swap = elf_swap(elf);
+ const uint8_t *u8;
+ const uint16_t *u16;
+ const uint32_t *u32;
+@@ -332,7 +332,7 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
+
+ /* ------------------------------------------------------------------------ */
+
+-int elf_is_elfbinary(const void *image_start, size_t image_size)
++bool elf_is_elfbinary(const void *image_start, size_t image_size)
+ {
+ const Elf32_Ehdr *ehdr = image_start;
+
+@@ -342,7 +342,7 @@ int elf_is_elfbinary(const void *image_start, size_t image_size)
+ return IS_ELF(*ehdr);
+ }
+
+-int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
++bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ {
+ uint64_t p_type = elf_uval(elf, phdr, p_type);
+ uint64_t p_flags = elf_uval(elf, phdr, p_flags);
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index ac93858..951430f 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -29,6 +29,8 @@
+ #error define architectural endianness
+ #endif
+
++#include <stdbool.h>
++
+ #undef ELFSIZE
+ #include "elfstructs.h"
+ #ifdef __XEN__
+@@ -42,7 +44,7 @@
+
+ struct elf_binary;
+ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+- int iserr, const char *fmt, va_list al);
++ bool iserr, const char *fmt, va_list al);
+
+ #endif
+
+@@ -237,7 +239,7 @@ struct elf_binary {
+ elf_log_callback *log_callback;
+ void *log_caller_data;
+ #endif
+- int verbose;
++ bool verbose;
+ const char *broken;
+ };
+
+@@ -301,8 +303,8 @@ void elf_memset_safe(struct elf_binary*, elf_ptrval dst, int c, size_t);
+ * outside permitted areas.
+ */
+
+-int elf_access_ok(struct elf_binary * elf,
+- uint64_t ptrval, size_t size);
++bool elf_access_ok(struct elf_binary * elf,
++ uint64_t ptrval, size_t size);
+
+ #define elf_store_val(elf, type, ptr, val) \
+ ({ \
+@@ -351,9 +353,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
+ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+
+ /* (Only) checks that the image has the right magic number. */
+-int elf_is_elfbinary(const void *image_start, size_t image_size);
++bool elf_is_elfbinary(const void *image_start, size_t image_size);
+
+-int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
++bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_loader.c */
+@@ -367,7 +369,7 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size);
+ void elf_set_verbose(struct elf_binary *elf);
+ #else
+ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
+- void *log_caller_pointer, int verbose);
++ void *log_caller_pointer, bool verbose);
+ #endif
+
+ void elf_parse_binary(struct elf_binary *elf);
+@@ -419,7 +421,7 @@ struct elf_dom_parms {
+ char xen_ver[16];
+ char loader[16];
+ int pae;
+- int bsd_symtab;
++ bool bsd_symtab;
+ uint64_t virt_base;
+ uint64_t virt_entry;
+ uint64_t virt_hypercall;
+--
+1.7.2.5
+
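Review bot: The file name `xen-4.2-CVE-2013-14-XSA-55.patch` reads like a CVE identifier, but the `14` is the series position from `Subject: [PATCH 14/23]`, which will mislead anyone auditing the tree for CVE coverage. A name that carries the advisory and the index, for example `xen-4.2-XSA-55-14of23.patch`, would say what the file actually is. The message describes this change as only "part of the fix" for XSA-55, and the blob ids show the patches chain: this one leaves `tools/libxc/xc_dom_elfloader.c` at `9ba64ae`, which is the pre-image the next patch file expects. The series therefore has to be applied completely and in numeric order, and a plain lexical sort of these names would presumably put 11 before 2. The ebuild is not visible here, so if it does not already say so, a comment beside its patch list such as `# XSA-55: 23-patch series, apply all of it, in series order` would record the constraint.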
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-15-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-15-XSA-55.patch
new file mode 100644
index 000000000000..f55701dae332
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-15-XSA-55.patch
@@ -0,0 +1,759 @@
+From e673ca50127b6c1263727aa31de0b8bb966ca7a2 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:18 +0100
+Subject: [PATCH 15/23] libelf: use only unsigned integers
+
+Signed integers have undesirable undefined behaviours on overflow.
+Malicious compilers can turn apparently-correct code into code with
+security vulnerabilities etc.
+
+So use only unsigned integers. Exceptions are booleans (which we have
+already changed) and error codes.
+
+We _do_ change all the chars which aren't fixed constants from our own
+text segment, but not the char*s. This is because it is safe to
+access an arbitrary byte through a char*, but not necessarily safe to
+convert an arbitrary value to a char.
+
+As a consequence we need to compile libelf with -Wno-pointer-sign.
+
+It is OK to change all the signed integers to unsigned because all the
+inequalities in libelf are in contexts where we don't "expect"
+negative numbers.
+
+In libelf-dominfo.c:elf_xen_parse we rename a variable "rc" to
+"more_notes" as it actually contains a note count derived from the
+input image. The "error" return value from elf_xen_parse_notes is
+changed from -1 to ~0U.
+
+grepping shows only one occurrence of "PRId" or "%d" or "%ld" in
+libelf and xc_dom_elfloader.c (a "%d" which becomes "%u").
+
+This is part of the fix to a security issue, XSA-55.
+
+For those concerned about unintentional functional changes, the
+following rune produces a version of the patch which is much smaller
+and eliminates only non-functional changes:
+
+ GIT_EXTERNAL_DIFF=.../unsigned-differ git-diff <before>..<after>
+
+where <before> and <after> are git refs for the code before and after
+this patch, and unsigned-differ is this shell script:
+
+ #!/bin/bash
+ set -e
+
+ seddery () {
+ perl -pe 's/\b(?:elf_errorstatus|elf_negerrnoval)\b/int/g'
+ }
+
+ path="$1"
+ in="$2"
+ out="$5"
+
+ set +e
+ diff -pu --label "$path~" <(seddery <"$in") --label "$path" <(seddery <"$out")
+ rc=$?
+ set -e
+ if [ $rc = 1 ]; then rc=0; fi
+ exit $rc
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxc/Makefile | 9 +++++-
+ tools/libxc/xc_dom.h | 7 +++--
+ tools/libxc/xc_dom_elfloader.c | 42 ++++++++++++++++-------------
+ tools/xcutils/readnotes.c | 15 +++++-----
+ xen/common/libelf/Makefile | 2 +
+ xen/common/libelf/libelf-dominfo.c | 52 ++++++++++++++++++-----------------
+ xen/common/libelf/libelf-loader.c | 20 +++++++-------
+ xen/common/libelf/libelf-tools.c | 24 ++++++++--------
+ xen/include/xen/libelf.h | 21 ++++++++------
+ 9 files changed, 105 insertions(+), 87 deletions(-)
+
+diff --git a/tools/libxc/Makefile b/tools/libxc/Makefile
+index d8c6a60..a3fd90c 100644
+--- a/tools/libxc/Makefile
++++ b/tools/libxc/Makefile
+@@ -52,8 +52,13 @@ endif
+ vpath %.c ../../xen/common/libelf
+ CFLAGS += -I../../xen/common/libelf
+
+-GUEST_SRCS-y += libelf-tools.c libelf-loader.c
+-GUEST_SRCS-y += libelf-dominfo.c
++ELF_SRCS-y += libelf-tools.c libelf-loader.c
++ELF_SRCS-y += libelf-dominfo.c
++
++GUEST_SRCS-y += $(ELF_SRCS-y)
++
++$(patsubst %.c,%.o,$(ELF_SRCS-y)): CFLAGS += -Wno-pointer-sign
++$(patsubst %.c,%.opic,$(ELF_SRCS-y)): CFLAGS += -Wno-pointer-sign
+
+ # new domain builder
+ GUEST_SRCS-y += xc_dom_core.c xc_dom_boot.c
+diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
+index 9f8037e..0161459 100644
+--- a/tools/libxc/xc_dom.h
++++ b/tools/libxc/xc_dom.h
+@@ -140,9 +140,10 @@ struct xc_dom_image {
+
+ struct xc_dom_loader {
+ char *name;
+- int (*probe) (struct xc_dom_image * dom);
+- int (*parser) (struct xc_dom_image * dom);
+- int (*loader) (struct xc_dom_image * dom);
++ /* Sadly the error returns from these functions are not consistent: */
++ elf_negerrnoval (*probe) (struct xc_dom_image * dom);
++ elf_negerrnoval (*parser) (struct xc_dom_image * dom);
++ elf_errorstatus (*loader) (struct xc_dom_image * dom);
+
+ struct xc_dom_loader *next;
+ };
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 9ba64ae..62a0d3b 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -84,7 +84,7 @@ static char *xc_dom_guest_type(struct xc_dom_image *dom,
+ /* ------------------------------------------------------------------------ */
+ /* parse elf binary */
+
+-static int check_elf_kernel(struct xc_dom_image *dom, bool verbose)
++static elf_negerrnoval check_elf_kernel(struct xc_dom_image *dom, bool verbose)
+ {
+ if ( dom->kernel_blob == NULL )
+ {
+@@ -106,12 +106,12 @@ static int check_elf_kernel(struct xc_dom_image *dom, bool verbose)
+ return 0;
+ }
+
+-static int xc_dom_probe_elf_kernel(struct xc_dom_image *dom)
++static elf_negerrnoval xc_dom_probe_elf_kernel(struct xc_dom_image *dom)
+ {
+ return check_elf_kernel(dom, 0);
+ }
+
+-static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
++static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ struct elf_binary *elf, bool load)
+ {
+ struct elf_binary syms;
+@@ -119,7 +119,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ xen_vaddr_t symtab, maxaddr;
+ ELF_PTRVAL_CHAR hdr;
+ size_t size;
+- int h, count, type, i, tables = 0;
++ unsigned h, count, type, i, tables = 0;
+
+ if ( elf_swap(elf) )
+ {
+@@ -140,13 +140,13 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ elf->caller_xdest_base = hdr_ptr;
+ elf->caller_xdest_size = allow_size;
+ hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
+- elf_store_val(elf, int, hdr, size - sizeof(int));
++ elf_store_val(elf, unsigned, hdr, size - sizeof(unsigned));
+ }
+ else
+ {
+ char *hdr_ptr;
+
+- size = sizeof(int) + elf_size(elf, elf->ehdr) +
++ size = sizeof(unsigned) + elf_size(elf, elf->ehdr) +
+ elf_shdr_count(elf) * elf_size(elf, shdr);
+ hdr_ptr = xc_dom_malloc(dom, size);
+ if ( hdr_ptr == NULL )
+@@ -157,15 +157,15 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
+ }
+
+- elf_memcpy_safe(elf, hdr + sizeof(int),
++ elf_memcpy_safe(elf, hdr + sizeof(unsigned),
+ ELF_IMAGE_BASE(elf),
+ elf_size(elf, elf->ehdr));
+- elf_memcpy_safe(elf, hdr + sizeof(int) + elf_size(elf, elf->ehdr),
++ elf_memcpy_safe(elf, hdr + sizeof(unsigned) + elf_size(elf, elf->ehdr),
+ ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
+ elf_shdr_count(elf) * elf_size(elf, shdr));
+ if ( elf_64bit(elf) )
+ {
+- Elf64_Ehdr *ehdr = (Elf64_Ehdr *)(hdr + sizeof(int));
++ Elf64_Ehdr *ehdr = (Elf64_Ehdr *)(hdr + sizeof(unsigned));
+ ehdr->e_phoff = 0;
+ ehdr->e_phentsize = 0;
+ ehdr->e_phnum = 0;
+@@ -174,22 +174,22 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ }
+ else
+ {
+- Elf32_Ehdr *ehdr = (Elf32_Ehdr *)(hdr + sizeof(int));
++ Elf32_Ehdr *ehdr = (Elf32_Ehdr *)(hdr + sizeof(unsigned));
+ ehdr->e_phoff = 0;
+ ehdr->e_phentsize = 0;
+ ehdr->e_phnum = 0;
+ ehdr->e_shoff = elf_size(elf, elf->ehdr);
+ ehdr->e_shstrndx = SHN_UNDEF;
+ }
+- if ( elf->caller_xdest_size < sizeof(int) )
++ if ( elf->caller_xdest_size < sizeof(unsigned) )
+ {
+ DOMPRINTF("%s/%s: header size %"PRIx64" too small",
+ __FUNCTION__, load ? "load" : "parse",
+ (uint64_t)elf->caller_xdest_size);
+ return -1;
+ }
+- if ( elf_init(&syms, elf->caller_xdest_base + sizeof(int),
+- elf->caller_xdest_size - sizeof(int)) )
++ if ( elf_init(&syms, elf->caller_xdest_base + sizeof(unsigned),
++ elf->caller_xdest_size - sizeof(unsigned)) )
+ return -1;
+
+ /*
+@@ -209,7 +209,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+
+ xc_elf_set_logfile(dom->xch, &syms, 1);
+
+- symtab = dom->bsd_symtab_start + sizeof(int);
++ symtab = dom->bsd_symtab_start + sizeof(unsigned);
+ maxaddr = elf_round_up(&syms, symtab + elf_size(&syms, syms.ehdr) +
+ elf_shdr_count(&syms) * elf_size(&syms, shdr));
+
+@@ -255,7 +255,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ size = elf_uval(&syms, shdr, sh_size);
+ maxaddr = elf_round_up(&syms, maxaddr + size);
+ tables++;
+- DOMPRINTF("%s: h=%d %s, size=0x%zx, maxaddr=0x%" PRIx64 "",
++ DOMPRINTF("%s: h=%u %s, size=0x%zx, maxaddr=0x%" PRIx64 "",
+ __FUNCTION__, h,
+ type == SHT_SYMTAB ? "symtab" : "strtab",
+ size, maxaddr);
+@@ -294,10 +294,14 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ return 0;
+ }
+
+-static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
++static elf_errorstatus xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
++ /*
++ * This function sometimes returns -1 for error and sometimes
++ * an errno value. ?!?!
++ */
+ {
+ struct elf_binary *elf;
+- int rc;
++ elf_errorstatus rc;
+
+ rc = check_elf_kernel(dom, 1);
+ if ( rc != 0 )
+@@ -358,10 +362,10 @@ out:
+ return rc;
+ }
+
+-static int xc_dom_load_elf_kernel(struct xc_dom_image *dom)
++static elf_errorstatus xc_dom_load_elf_kernel(struct xc_dom_image *dom)
+ {
+ struct elf_binary *elf = dom->private_loader;
+- int rc;
++ elf_errorstatus rc;
+ xen_pfn_t pages;
+
+ elf->dest_base = xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg, &pages);
+diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
+index d1f7a30..2ca7732 100644
+--- a/tools/xcutils/readnotes.c
++++ b/tools/xcutils/readnotes.c
+@@ -70,7 +70,7 @@ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
+ ELF_HANDLE_DECL(elf_note) note)
+ {
+ uint64_t value = elf_note_numeric(elf, note);
+- int descsz = elf_uval(elf, note, descsz);
++ unsigned descsz = elf_uval(elf, note, descsz);
+
+ printf("%s: %#*" PRIx64 " (%d bytes)\n",
+ prefix, 2+2*descsz, value, descsz);
+@@ -79,7 +79,7 @@ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
+ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
+ ELF_HANDLE_DECL(elf_note) note)
+ {
+- int descsz = elf_uval(elf, note, descsz);
++ unsigned descsz = elf_uval(elf, note, descsz);
+ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
+
+ /* XXX should be able to cope with a list of values. */
+@@ -99,10 +99,10 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
+
+ }
+
+-static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
++static unsigned print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
+ {
+ ELF_HANDLE_DECL(elf_note) note;
+- int notes_found = 0;
++ unsigned notes_found = 0;
+ const char *this_note_name;
+
+ for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
+@@ -161,7 +161,7 @@ static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start,
+ break;
+ default:
+ printf("unknown note type %#x\n",
+- (int)elf_uval(elf, note, type));
++ (unsigned)elf_uval(elf, note, type));
+ break;
+ }
+ }
+@@ -171,12 +171,13 @@ static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start,
+ int main(int argc, char **argv)
+ {
+ const char *f;
+- int fd,h,size,usize,count;
++ int fd;
++ unsigned h,size,usize,count;
+ void *image,*tmp;
+ struct stat st;
+ struct elf_binary elf;
+ ELF_HANDLE_DECL(elf_shdr) shdr;
+- int notes_found = 0;
++ unsigned notes_found = 0;
+
+ struct setup_header *hdr;
+ uint64_t payload_offset, payload_length;
+diff --git a/xen/common/libelf/Makefile b/xen/common/libelf/Makefile
+index 18dc8e2..5bf8f76 100644
+--- a/xen/common/libelf/Makefile
++++ b/xen/common/libelf/Makefile
+@@ -2,6 +2,8 @@ obj-bin-y := libelf.o
+
+ SECTIONS := text data $(SPECIAL_DATA_SECTIONS)
+
++CFLAGS += -Wno-pointer-sign
++
+ libelf.o: libelf-temp.o Makefile
+ $(OBJCOPY) $(foreach s,$(SECTIONS),--rename-section .$(s)=.init.$(s)) $< $@
+
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index 12b6c2a..cdd0d31 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -29,15 +29,15 @@ static const char *const elf_xen_feature_names[] = {
+ [XENFEAT_pae_pgdir_above_4gb] = "pae_pgdir_above_4gb",
+ [XENFEAT_dom0] = "dom0"
+ };
+-static const int elf_xen_features =
++static const unsigned elf_xen_features =
+ sizeof(elf_xen_feature_names) / sizeof(elf_xen_feature_names[0]);
+
+-int elf_xen_parse_features(const char *features,
++elf_errorstatus elf_xen_parse_features(const char *features,
+ uint32_t *supported,
+ uint32_t *required)
+ {
+- char feature[64];
+- int pos, len, i;
++ unsigned char feature[64];
++ unsigned pos, len, i;
+
+ if ( features == NULL )
+ return 0;
+@@ -94,7 +94,7 @@ int elf_xen_parse_features(const char *features,
+ /* ------------------------------------------------------------------------ */
+ /* xen elf notes */
+
+-int elf_xen_parse_note(struct elf_binary *elf,
++elf_errorstatus elf_xen_parse_note(struct elf_binary *elf,
+ struct elf_dom_parms *parms,
+ ELF_HANDLE_DECL(elf_note) note)
+ {
+@@ -125,7 +125,7 @@ int elf_xen_parse_note(struct elf_binary *elf,
+ const char *str = NULL;
+ uint64_t val = 0;
+ unsigned int i;
+- int type = elf_uval(elf, note, type);
++ unsigned type = elf_uval(elf, note, type);
+
+ if ( (type >= sizeof(note_desc) / sizeof(note_desc[0])) ||
+ (note_desc[type].name == NULL) )
+@@ -216,12 +216,14 @@ int elf_xen_parse_note(struct elf_binary *elf,
+ return 0;
+ }
+
+-static int elf_xen_parse_notes(struct elf_binary *elf,
++#define ELF_NOTE_INVALID (~0U)
++
++static unsigned elf_xen_parse_notes(struct elf_binary *elf,
+ struct elf_dom_parms *parms,
+ ELF_PTRVAL_CONST_VOID start,
+ ELF_PTRVAL_CONST_VOID end)
+ {
+- int xen_elfnotes = 0;
++ unsigned xen_elfnotes = 0;
+ ELF_HANDLE_DECL(elf_note) note;
+ const char *note_name;
+
+@@ -237,7 +239,7 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
+ if ( strcmp(note_name, "Xen") )
+ continue;
+ if ( elf_xen_parse_note(elf, parms, note) )
+- return -1;
++ return ELF_NOTE_INVALID;
+ xen_elfnotes++;
+ }
+ return xen_elfnotes;
+@@ -246,12 +248,12 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
+ /* ------------------------------------------------------------------------ */
+ /* __xen_guest section */
+
+-int elf_xen_parse_guest_info(struct elf_binary *elf,
++elf_errorstatus elf_xen_parse_guest_info(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+ ELF_PTRVAL_CONST_CHAR h;
+- char name[32], value[128];
+- int len;
++ unsigned char name[32], value[128];
++ unsigned len;
+
+ h = parms->guest_info;
+ #define STAR(h) (elf_access_unsigned(elf, (h), 0, 1))
+@@ -334,13 +336,13 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
+ /* ------------------------------------------------------------------------ */
+ /* sanity checks */
+
+-static int elf_xen_note_check(struct elf_binary *elf,
++static elf_errorstatus elf_xen_note_check(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+ if ( (ELF_PTRVAL_INVALID(parms->elf_note_start)) &&
+ (ELF_PTRVAL_INVALID(parms->guest_info)) )
+ {
+- int machine = elf_uval(elf, elf->ehdr, e_machine);
++ unsigned machine = elf_uval(elf, elf->ehdr, e_machine);
+ if ( (machine == EM_386) || (machine == EM_X86_64) )
+ {
+ elf_err(elf, "%s: ERROR: Not a Xen-ELF image: "
+@@ -378,7 +380,7 @@ static int elf_xen_note_check(struct elf_binary *elf,
+ return 0;
+ }
+
+-static int elf_xen_addr_calc_check(struct elf_binary *elf,
++static elf_errorstatus elf_xen_addr_calc_check(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+ if ( (parms->elf_paddr_offset != UNSET_ADDR) &&
+@@ -464,13 +466,13 @@ static int elf_xen_addr_calc_check(struct elf_binary *elf,
+ /* ------------------------------------------------------------------------ */
+ /* glue it all together ... */
+
+-int elf_xen_parse(struct elf_binary *elf,
++elf_errorstatus elf_xen_parse(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+ ELF_HANDLE_DECL(elf_shdr) shdr;
+ ELF_HANDLE_DECL(elf_phdr) phdr;
+- int xen_elfnotes = 0;
+- int i, count, rc;
++ unsigned xen_elfnotes = 0;
++ unsigned i, count, more_notes;
+
+ elf_memset_unchecked(parms, 0, sizeof(*parms));
+ parms->virt_base = UNSET_ADDR;
+@@ -495,13 +497,13 @@ int elf_xen_parse(struct elf_binary *elf,
+ if (elf_uval(elf, phdr, p_offset) == 0)
+ continue;
+
+- rc = elf_xen_parse_notes(elf, parms,
++ more_notes = elf_xen_parse_notes(elf, parms,
+ elf_segment_start(elf, phdr),
+ elf_segment_end(elf, phdr));
+- if ( rc == -1 )
++ if ( more_notes == ELF_NOTE_INVALID )
+ return -1;
+
+- xen_elfnotes += rc;
++ xen_elfnotes += more_notes;
+ }
+
+ /*
+@@ -518,17 +520,17 @@ int elf_xen_parse(struct elf_binary *elf,
+ if ( elf_uval(elf, shdr, sh_type) != SHT_NOTE )
+ continue;
+
+- rc = elf_xen_parse_notes(elf, parms,
++ more_notes = elf_xen_parse_notes(elf, parms,
+ elf_section_start(elf, shdr),
+ elf_section_end(elf, shdr));
+
+- if ( rc == -1 )
++ if ( more_notes == ELF_NOTE_INVALID )
+ return -1;
+
+- if ( xen_elfnotes == 0 && rc > 0 )
++ if ( xen_elfnotes == 0 && more_notes > 0 )
+ elf_msg(elf, "%s: using notes from SHT_NOTE section\n", __FUNCTION__);
+
+- xen_elfnotes += rc;
++ xen_elfnotes += more_notes;
+ }
+
+ }
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index 0dccd4d..c3a9e51 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -24,7 +24,7 @@
+
+ /* ------------------------------------------------------------------------ */
+
+-int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
++elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t size)
+ {
+ ELF_HANDLE_DECL(elf_shdr) shdr;
+ uint64_t i, count, section, offset;
+@@ -114,7 +114,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
+ elf->verbose = verbose;
+ }
+
+-static int elf_load_image(struct elf_binary *elf,
++static elf_errorstatus elf_load_image(struct elf_binary *elf,
+ ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src,
+ uint64_t filesz, uint64_t memsz)
+ {
+@@ -129,9 +129,9 @@ void elf_set_verbose(struct elf_binary *elf)
+ elf->verbose = 1;
+ }
+
+-static int elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
++static elf_errorstatus elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
+ {
+- int rc;
++ elf_errorstatus rc;
+ if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
+ return -1;
+ /* We trust the dom0 kernel image completely, so we don't care
+@@ -151,7 +151,7 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
+ {
+ uint64_t sz;
+ ELF_HANDLE_DECL(elf_shdr) shdr;
+- int i, type;
++ unsigned i, type;
+
+ if ( !ELF_HANDLE_VALID(elf->sym_tab) )
+ return;
+@@ -187,7 +187,7 @@ static void elf_load_bsdsyms(struct elf_binary *elf)
+ ELF_PTRVAL_VOID symbase;
+ ELF_PTRVAL_VOID symtab_addr;
+ ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr;
+- int i, type;
++ unsigned i, type;
+
+ if ( !elf->bsd_symtab_pstart )
+ return;
+@@ -220,7 +220,7 @@ do { \
+ elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(shdr),
+ ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
+ sz);
+- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
++ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
+
+ for ( i = 0; i < elf_shdr_count(elf); i++ )
+ {
+@@ -233,10 +233,10 @@ do { \
+ elf_memcpy_safe(elf, maxva, elf_section_start(elf, shdr), sz);
+ /* Mangled to be based on ELF header location. */
+ elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
+- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
++ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
+ }
+ shdr = ELF_MAKE_HANDLE(elf_shdr, ELF_HANDLE_PTRVAL(shdr) +
+- (long)elf_uval(elf, elf->ehdr, e_shentsize));
++ (unsigned long)elf_uval(elf, elf->ehdr, e_shentsize));
+ }
+
+ /* Write down the actual sym size. */
+@@ -273,7 +273,7 @@ void elf_parse_binary(struct elf_binary *elf)
+ __FUNCTION__, elf->pstart, elf->pend);
+ }
+
+-int elf_load_binary(struct elf_binary *elf)
++elf_errorstatus elf_load_binary(struct elf_binary *elf)
+ {
+ ELF_HANDLE_DECL(elf_phdr) phdr;
+ uint64_t i, count, paddr, offset, filesz, memsz;
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index fa58f76..46d4ab1 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -122,19 +122,19 @@ uint64_t elf_access_unsigned(struct elf_binary * elf, elf_ptrval base,
+
+ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr)
+ {
+- int elf_round = (elf_64bit(elf) ? 8 : 4) - 1;
++ uint64_t elf_round = (elf_64bit(elf) ? 8 : 4) - 1;
+
+ return (addr + elf_round) & ~elf_round;
+ }
+
+ /* ------------------------------------------------------------------------ */
+
+-int elf_shdr_count(struct elf_binary *elf)
++unsigned elf_shdr_count(struct elf_binary *elf)
+ {
+ return elf_uval(elf, elf->ehdr, e_shnum);
+ }
+
+-int elf_phdr_count(struct elf_binary *elf)
++unsigned elf_phdr_count(struct elf_binary *elf)
+ {
+ return elf_uval(elf, elf->ehdr, e_phnum);
+ }
+@@ -144,7 +144,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
+ uint64_t count = elf_shdr_count(elf);
+ ELF_HANDLE_DECL(elf_shdr) shdr;
+ const char *sname;
+- int i;
++ unsigned i;
+
+ for ( i = 0; i < count; i++ )
+ {
+@@ -156,7 +156,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
+ return ELF_INVALID_HANDLE(elf_shdr);
+ }
+
+-ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index)
++ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned index)
+ {
+ uint64_t count = elf_shdr_count(elf);
+ ELF_PTRVAL_CONST_VOID ptr;
+@@ -170,7 +170,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index)
+ return ELF_MAKE_HANDLE(elf_shdr, ptr);
+ }
+
+-ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index)
++ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index)
+ {
+ uint64_t count = elf_uval(elf, elf->ehdr, e_phnum);
+ ELF_PTRVAL_CONST_VOID ptr;
+@@ -264,7 +264,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
+ return ELF_INVALID_HANDLE(elf_sym);
+ }
+
+-ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index)
++ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index)
+ {
+ ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
+ ELF_HANDLE_DECL(elf_sym) sym;
+@@ -280,7 +280,7 @@ const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note
+
+ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+- int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
++ unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
+
+ return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz;
+ }
+@@ -288,7 +288,7 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_
+ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
+- int descsz = elf_uval(elf, note, descsz);
++ unsigned descsz = elf_uval(elf, note, descsz);
+
+ switch (descsz)
+ {
+@@ -306,7 +306,7 @@ uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note
+ unsigned int unitsz, unsigned int idx)
+ {
+ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
+- int descsz = elf_uval(elf, note, descsz);
++ unsigned descsz = elf_uval(elf, note, descsz);
+
+ if ( descsz % unitsz || idx >= descsz / unitsz )
+ return 0;
+@@ -324,8 +324,8 @@ uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note
+
+ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+- int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
+- int descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
++ unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
++ unsigned descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
+
+ return ELF_MAKE_HANDLE(elf_note, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz + descsz);
+ }
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index 951430f..87e126a 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -31,6 +31,9 @@
+
+ #include <stdbool.h>
+
++typedef int elf_errorstatus; /* 0: ok; -ve (normally -1): error */
++typedef int elf_negerrnoval; /* 0: ok; -EFOO: error */
++
+ #undef ELFSIZE
+ #include "elfstructs.h"
+ #ifdef __XEN__
+@@ -328,12 +331,12 @@ bool elf_access_ok(struct elf_binary * elf,
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_tools.c */
+
+-int elf_shdr_count(struct elf_binary *elf);
+-int elf_phdr_count(struct elf_binary *elf);
++unsigned elf_shdr_count(struct elf_binary *elf);
++unsigned elf_phdr_count(struct elf_binary *elf);
+
+ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *name);
+-ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index);
+-ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index);
++ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned index);
++ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index);
+
+ const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr); /* might return NULL if inputs are invalid */
+ ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
+@@ -343,7 +346,7 @@ ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(
+ ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+
+ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
+-ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index);
++ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index);
+
+ const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); /* may return NULL */
+ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+@@ -360,7 +363,7 @@ bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_loader.c */
+
+-int elf_init(struct elf_binary *elf, const char *image, size_t size);
++elf_errorstatus elf_init(struct elf_binary *elf, const char *image, size_t size);
+ /*
+ * image and size must be correct. They will be recorded in
+ * *elf, and must remain valid while the elf is in use.
+@@ -373,7 +376,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
+ #endif
+
+ void elf_parse_binary(struct elf_binary *elf);
+-int elf_load_binary(struct elf_binary *elf);
++elf_errorstatus elf_load_binary(struct elf_binary *elf);
+
+ ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr);
+ uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
+@@ -386,7 +389,7 @@ const char *elf_check_broken(const struct elf_binary *elf); /* NULL means OK */
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_relocate.c */
+
+-int elf_reloc(struct elf_binary *elf);
++elf_errorstatus elf_reloc(struct elf_binary *elf);
+
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_dominfo.c */
+@@ -420,7 +423,7 @@ struct elf_dom_parms {
+ char guest_ver[16];
+ char xen_ver[16];
+ char loader[16];
+- int pae;
++ int pae; /* some kind of enum apparently */
+ bool bsd_symtab;
+ uint64_t virt_base;
+ uint64_t virt_entry;
+--
+1.7.2.5
+
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-16-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-16-XSA-55.patch
new file mode 100644
index 000000000000..fe09e46effcf
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-16-XSA-55.patch
@@ -0,0 +1,409 @@
+From 52d8cc2dd3bb3e0f6d51e00280da934e8d91653a Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:18 +0100
+Subject: [PATCH 16/23] libelf: check loops for running away
+
+Ensure that libelf does not have any loops which can run away
+indefinitely even if the input is bogus. (Grepped for \bfor, \bwhile
+and \bgoto in libelf and xc_dom_*loader*.c.)
+
+Changes needed:
+ * elf_note_next uses the note's unchecked alleged length, which might
+ wrap round. If it does, return ELF_MAX_PTRVAL (0xfff..fff) instead,
+ which will be beyond the end of the section and so terminate the
+ caller's loop. Also check that the returned psuedopointer is sane.
+ * In various loops over section and program headers, check that the
+ calculated header pointer is still within the image, and quit the
+ loop if it isn't.
+ * Some fixed limits to avoid potentially O(image_size^2) loops:
+ - maximum length of strings: 4K (longer ones ignored totally)
+ - maximum total number of ELF notes: 65536 (any more are ignored)
+ * Check that the total program contents (text, data) we copy or
+ initialise doesn't exceed twice the output image area size.
+ * Remove an entirely useless loop from elf_xen_parse (!)
+ * Replace a nested search loop in in xc_dom_load_elf_symtab in
+ xc_dom_elfloader.c by a precomputation of a bitmap of referenced
+ symtabs.
+
+We have not changed loops which might, in principle, iterate over the
+whole image - even if they might do so one byte at a time with a
+nontrivial access check function in the middle.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxc/xc_dom_elfloader.c | 33 ++++++++++++++++++-------
+ xen/common/libelf/libelf-dominfo.c | 43 ++++++++++++++++++++------------
+ xen/common/libelf/libelf-loader.c | 47 ++++++++++++++++++++++++++++++++++-
+ xen/common/libelf/libelf-tools.c | 28 ++++++++++++++++++++-
+ xen/include/xen/libelf.h | 13 ++++++++++
+ 5 files changed, 135 insertions(+), 29 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 62a0d3b..c5014d2 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -28,6 +28,7 @@
+
+ #include "xg_private.h"
+ #include "xc_dom.h"
++#include "xc_bitops.h"
+
+ #define XEN_VER "xen-3.0"
+
+@@ -120,6 +121,7 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ ELF_PTRVAL_CHAR hdr;
+ size_t size;
+ unsigned h, count, type, i, tables = 0;
++ unsigned long *strtab_referenced = NULL;
+
+ if ( elf_swap(elf) )
+ {
+@@ -220,22 +222,35 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ symtab, maxaddr);
+
+ count = elf_shdr_count(&syms);
++ /* elf_shdr_count guarantees that count is reasonable */
++
++ strtab_referenced = xc_dom_malloc(dom, bitmap_size(count));
++ if ( strtab_referenced == NULL )
++ return -1;
++ bitmap_clear(strtab_referenced, count);
++ /* Note the symtabs @h linked to by any strtab @i. */
++ for ( i = 0; i < count; i++ )
++ {
++ shdr2 = elf_shdr_by_index(&syms, i);
++ if ( elf_uval(&syms, shdr2, sh_type) == SHT_SYMTAB )
++ {
++ h = elf_uval(&syms, shdr2, sh_link);
++ if (h < count)
++ set_bit(h, strtab_referenced);
++ }
++ }
++
+ for ( h = 0; h < count; h++ )
+ {
+ shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
++ /* input has an insane section header count field */
++ break;
+ type = elf_uval(&syms, shdr, sh_type);
+ if ( type == SHT_STRTAB )
+ {
+- /* Look for a strtab @i linked to symtab @h. */
+- for ( i = 0; i < count; i++ )
+- {
+- shdr2 = elf_shdr_by_index(&syms, i);
+- if ( (elf_uval(&syms, shdr2, sh_type) == SHT_SYMTAB) &&
+- (elf_uval(&syms, shdr2, sh_link) == h) )
+- break;
+- }
+ /* Skip symtab @h if we found no corresponding strtab @i. */
+- if ( i == count )
++ if ( !test_bit(h, strtab_referenced) )
+ {
+ if ( elf_64bit(&syms) )
+ elf_store_field(elf, shdr, e64.sh_offset, 0);
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index cdd0d31..25a10d7 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -221,7 +221,8 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf,
+ static unsigned elf_xen_parse_notes(struct elf_binary *elf,
+ struct elf_dom_parms *parms,
+ ELF_PTRVAL_CONST_VOID start,
+- ELF_PTRVAL_CONST_VOID end)
++ ELF_PTRVAL_CONST_VOID end,
++ unsigned *total_note_count)
+ {
+ unsigned xen_elfnotes = 0;
+ ELF_HANDLE_DECL(elf_note) note;
+@@ -233,6 +234,12 @@ static unsigned elf_xen_parse_notes(struct elf_binary *elf,
+ ELF_HANDLE_PTRVAL(note) < parms->elf_note_end;
+ note = elf_note_next(elf, note) )
+ {
++ if ( *total_note_count >= ELF_MAX_TOTAL_NOTE_COUNT )
++ {
++ elf_mark_broken(elf, "too many ELF notes");
++ break;
++ }
++ (*total_note_count)++;
+ note_name = elf_note_name(elf, note);
+ if ( note_name == NULL )
+ continue;
+@@ -473,6 +480,7 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
+ ELF_HANDLE_DECL(elf_phdr) phdr;
+ unsigned xen_elfnotes = 0;
+ unsigned i, count, more_notes;
++ unsigned total_note_count = 0;
+
+ elf_memset_unchecked(parms, 0, sizeof(*parms));
+ parms->virt_base = UNSET_ADDR;
+@@ -487,6 +495,9 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
+ for ( i = 0; i < count; i++ )
+ {
+ phdr = elf_phdr_by_index(elf, i);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
++ /* input has an insane program header count field */
++ break;
+ if ( elf_uval(elf, phdr, p_type) != PT_NOTE )
+ continue;
+
+@@ -499,7 +510,8 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
+
+ more_notes = elf_xen_parse_notes(elf, parms,
+ elf_segment_start(elf, phdr),
+- elf_segment_end(elf, phdr));
++ elf_segment_end(elf, phdr),
++ &total_note_count);
+ if ( more_notes == ELF_NOTE_INVALID )
+ return -1;
+
+@@ -516,13 +528,17 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
+ for ( i = 0; i < count; i++ )
+ {
+ shdr = elf_shdr_by_index(elf, i);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
++ /* input has an insane section header count field */
++ break;
+
+ if ( elf_uval(elf, shdr, sh_type) != SHT_NOTE )
+ continue;
+
+ more_notes = elf_xen_parse_notes(elf, parms,
+ elf_section_start(elf, shdr),
+- elf_section_end(elf, shdr));
++ elf_section_end(elf, shdr),
++ &total_note_count);
+
+ if ( more_notes == ELF_NOTE_INVALID )
+ return -1;
+@@ -540,20 +556,15 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
+ */
+ if ( xen_elfnotes == 0 )
+ {
+- count = elf_shdr_count(elf);
+- for ( i = 0; i < count; i++ )
++ shdr = elf_shdr_by_name(elf, "__xen_guest");
++ if ( ELF_HANDLE_VALID(shdr) )
+ {
+- shdr = elf_shdr_by_name(elf, "__xen_guest");
+- if ( ELF_HANDLE_VALID(shdr) )
+- {
+- parms->guest_info = elf_section_start(elf, shdr);
+- parms->elf_note_start = ELF_INVALID_PTRVAL;
+- parms->elf_note_end = ELF_INVALID_PTRVAL;
+- elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
+- elf_strfmt(elf, parms->guest_info));
+- elf_xen_parse_guest_info(elf, parms);
+- break;
+- }
++ parms->guest_info = elf_section_start(elf, shdr);
++ parms->elf_note_start = ELF_INVALID_PTRVAL;
++ parms->elf_note_end = ELF_INVALID_PTRVAL;
++ elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
++ elf_strfmt(elf, parms->guest_info));
++ elf_xen_parse_guest_info(elf, parms);
+ }
+ }
+
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index c3a9e51..06799af 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -75,6 +75,9 @@ elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t
+ for ( i = 0; i < count; i++ )
+ {
+ shdr = elf_shdr_by_index(elf, i);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
++ /* input has an insane section header count field */
++ break;
+ if ( elf_uval(elf, shdr, sh_type) != SHT_SYMTAB )
+ continue;
+ elf->sym_tab = shdr;
+@@ -170,6 +173,9 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
+ for ( i = 0; i < elf_shdr_count(elf); i++ )
+ {
+ shdr = elf_shdr_by_index(elf, i);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
++ /* input has an insane section header count field */
++ break;
+ type = elf_uval(elf, shdr, sh_type);
+ if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
+ sz = elf_round_up(elf, sz + elf_uval(elf, shdr, sh_size));
+@@ -224,6 +230,9 @@ do { \
+
+ for ( i = 0; i < elf_shdr_count(elf); i++ )
+ {
++ elf_ptrval old_shdr_p;
++ elf_ptrval new_shdr_p;
++
+ type = elf_uval(elf, shdr, sh_type);
+ if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
+ {
+@@ -235,8 +244,16 @@ do { \
+ elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
+ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
+ }
+- shdr = ELF_MAKE_HANDLE(elf_shdr, ELF_HANDLE_PTRVAL(shdr) +
+- (unsigned long)elf_uval(elf, elf->ehdr, e_shentsize));
++ old_shdr_p = ELF_HANDLE_PTRVAL(shdr);
++ new_shdr_p = old_shdr_p + elf_uval(elf, elf->ehdr, e_shentsize);
++ if ( new_shdr_p <= old_shdr_p ) /* wrapped or stuck */
++ {
++ elf_mark_broken(elf, "bad section header length");
++ break;
++ }
++ if ( !elf_access_ok(elf, new_shdr_p, 1) ) /* outside image */
++ break;
++ shdr = ELF_MAKE_HANDLE(elf_shdr, new_shdr_p);
+ }
+
+ /* Write down the actual sym size. */
+@@ -256,6 +273,9 @@ void elf_parse_binary(struct elf_binary *elf)
+ for ( i = 0; i < count; i++ )
+ {
+ phdr = elf_phdr_by_index(elf, i);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
++ /* input has an insane program header count field */
++ break;
+ if ( !elf_phdr_is_loadable(elf, phdr) )
+ continue;
+ paddr = elf_uval(elf, phdr, p_paddr);
+@@ -278,11 +298,20 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
+ ELF_HANDLE_DECL(elf_phdr) phdr;
+ uint64_t i, count, paddr, offset, filesz, memsz;
+ ELF_PTRVAL_VOID dest;
++ /*
++ * Let bizarre ELFs write the output image up to twice; this
++ * calculation is just to ensure our copying loop is no worse than
++ * O(domain_size).
++ */
++ uint64_t remain_allow_copy = (uint64_t)elf->dest_size * 2;
+
+ count = elf_uval(elf, elf->ehdr, e_phnum);
+ for ( i = 0; i < count; i++ )
+ {
+ phdr = elf_phdr_by_index(elf, i);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
++ /* input has an insane program header count field */
++ break;
+ if ( !elf_phdr_is_loadable(elf, phdr) )
+ continue;
+ paddr = elf_uval(elf, phdr, p_paddr);
+@@ -290,6 +319,20 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
+ filesz = elf_uval(elf, phdr, p_filesz);
+ memsz = elf_uval(elf, phdr, p_memsz);
+ dest = elf_get_ptr(elf, paddr);
++
++ /*
++ * We need to check that the input image doesn't have us copy
++ * the whole image zillions of times, as that could lead to
++ * O(n^2) time behaviour and possible DoS by a malicous ELF.
++ */
++ if ( remain_allow_copy < memsz )
++ {
++ elf_mark_broken(elf, "program segments total to more"
++ " than the input image size");
++ break;
++ }
++ remain_allow_copy -= memsz;
++
+ elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n",
+ __func__, i, dest, (ELF_PTRVAL_VOID)(dest + filesz));
+ if ( elf_load_image(elf, dest, ELF_IMAGE_BASE(elf) + offset, filesz, memsz) != 0 )
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 46d4ab1..4a83133 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -131,7 +131,16 @@ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr)
+
+ unsigned elf_shdr_count(struct elf_binary *elf)
+ {
+- return elf_uval(elf, elf->ehdr, e_shnum);
++ unsigned count = elf_uval(elf, elf->ehdr, e_shnum);
++ uint64_t max = elf->size / sizeof(Elf32_Shdr);
++ if (max > ~(unsigned)0)
++ max = ~(unsigned)0; /* Xen doesn't have limits.h :-/ */
++ if (count > max)
++ {
++ elf_mark_broken(elf, "far too many section headers");
++ count = max;
++ }
++ return count;
+ }
+
+ unsigned elf_phdr_count(struct elf_binary *elf)
+@@ -149,6 +158,9 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
+ for ( i = 0; i < count; i++ )
+ {
+ shdr = elf_shdr_by_index(elf, i);
++ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
++ /* input has an insane section header count field */
++ break;
+ sname = elf_section_name(elf, shdr);
+ if ( sname && !strcmp(sname, name) )
+ return shdr;
+@@ -204,6 +216,11 @@ const char *elf_strval(struct elf_binary *elf, elf_ptrval start)
+ if ( !elf_access_unsigned(elf, start, length, 1) )
+ /* ok */
+ return ELF_UNSAFE_PTR(start);
++ if ( length >= ELF_MAX_STRING_LENGTH )
++ {
++ elf_mark_broken(elf, "excessively long string");
++ return NULL;
++ }
+ }
+ }
+
+@@ -327,7 +344,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
+ unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
+ unsigned descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
+
+- return ELF_MAKE_HANDLE(elf_note, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz + descsz);
++ elf_ptrval ptrval = ELF_HANDLE_PTRVAL(note)
++ + elf_size(elf, note) + namesz + descsz;
++
++ if ( ( ptrval <= ELF_HANDLE_PTRVAL(note) || /* wrapped or stuck */
++ !elf_access_ok(elf, ELF_HANDLE_PTRVAL(note), 1) ) )
++ ptrval = ELF_MAX_PTRVAL; /* terminate caller's loop */
++
++ return ELF_MAKE_HANDLE(elf_note, ptrval);
+ }
+
+ /* ------------------------------------------------------------------------ */
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index 87e126a..f95fe88 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -51,6 +51,9 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+
+ #endif
+
++#define ELF_MAX_STRING_LENGTH 4096
++#define ELF_MAX_TOTAL_NOTE_COUNT 65536
++
+ /* ------------------------------------------------------------------------ */
+
+ /* Macros for accessing the input image and output area. */
+@@ -353,6 +356,16 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_
+ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
+ unsigned int unitsz, unsigned int idx);
++
++/*
++ * If you use elf_note_next in a loop, you must put a nontrivial upper
++ * bound on the returned value as part of your loop condition. In
++ * some cases elf_note_next will substitute ELF_PTRVAL_MAX as return
++ * value to indicate that the iteration isn't going well (for example,
++ * the putative "next" value would be earlier in memory). In this
++ * case the caller's loop must terminate. Checking against the
++ * end of the notes segment with a strict inequality is sufficient.
++ */
+ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+
+ /* (Only) checks that the image has the right magic number. */
+--
+1.7.2.5
+
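Review bot: In the `elf_note_next` change to libelf-tools.c, the added `elf_access_ok()` call is passed `ELF_HANDLE_PTRVAL(note)`, the note being stepped from, not the newly computed `ptrval`, although the patch description says the returned pseudopointer is checked for sanity. If validating the returned value is the intent, the condition would read `!elf_access_ok(elf, ptrval, 1)`. As written, only the `ptrval <= ELF_HANDLE_PTRVAL(note)` wrap test constrains the result, so an oversized `namesz`/`descsz` is caught only by the caller's strict upper bound, which the new libelf.h comment requires. That comment also calls the sentinel `ELF_PTRVAL_MAX` while the code assigns `ELF_MAX_PTRVAL`; the comment should use the name the code uses. This file appears to be a verbatim copy of the upstream XSA-55 patch, so any correction would presumably be raised upstream, not edited into this tree.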
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-17-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-17-XSA-55.patch
new file mode 100644
index 000000000000..4369599742c3
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-17-XSA-55.patch
@@ -0,0 +1,406 @@
+From 3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:19 +0100
+Subject: [PATCH 17/23] libelf: abolish obsolete macros
+
+Abolish ELF_PTRVAL_[CONST_]{CHAR,VOID}; change uses to elf_ptrval.
+Abolish ELF_HANDLE_DECL_NONCONST; change uses to ELF_HANDLE_DECL.
+Abolish ELF_OBSOLETE_VOIDP_CAST; simply remove all uses.
+
+No functional change. (Verified by diffing assembler output.)
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+v2: New patch.
+---
+ tools/libxc/xc_dom_elfloader.c | 8 +++---
+ tools/xcutils/readnotes.c | 2 +-
+ xen/common/libelf/libelf-dominfo.c | 6 ++--
+ xen/common/libelf/libelf-loader.c | 24 +++++++++---------
+ xen/common/libelf/libelf-tools.c | 24 +++++++++---------
+ xen/include/xen/libelf.h | 48 +++++++++---------------------------
+ 6 files changed, 44 insertions(+), 68 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index c5014d2..9fc4b94 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -116,9 +116,9 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ struct elf_binary *elf, bool load)
+ {
+ struct elf_binary syms;
+- ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
++ ELF_HANDLE_DECL(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
+ xen_vaddr_t symtab, maxaddr;
+- ELF_PTRVAL_CHAR hdr;
++ elf_ptrval hdr;
+ size_t size;
+ unsigned h, count, type, i, tables = 0;
+ unsigned long *strtab_referenced = NULL;
+@@ -242,7 +242,7 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+
+ for ( h = 0; h < count; h++ )
+ {
+- shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
++ shdr = elf_shdr_by_index(&syms, h);
+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
+ /* input has an insane section header count field */
+ break;
+@@ -278,7 +278,7 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ if ( load )
+ {
+ shdr2 = elf_shdr_by_index(elf, h);
+- elf_memcpy_safe(elf, ELF_OBSOLETE_VOIDP_CAST elf_section_start(&syms, shdr),
++ elf_memcpy_safe(elf, elf_section_start(&syms, shdr),
+ elf_section_start(elf, shdr2),
+ size);
+ }
+diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
+index 2ca7732..5fa445e 100644
+--- a/tools/xcutils/readnotes.c
++++ b/tools/xcutils/readnotes.c
+@@ -80,7 +80,7 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
+ ELF_HANDLE_DECL(elf_note) note)
+ {
+ unsigned descsz = elf_uval(elf, note, descsz);
+- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
++ elf_ptrval desc = elf_note_desc(elf, note);
+
+ /* XXX should be able to cope with a list of values. */
+ switch ( descsz / 2 )
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index 25a10d7..412ea70 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -220,8 +220,8 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf,
+
+ static unsigned elf_xen_parse_notes(struct elf_binary *elf,
+ struct elf_dom_parms *parms,
+- ELF_PTRVAL_CONST_VOID start,
+- ELF_PTRVAL_CONST_VOID end,
++ elf_ptrval start,
++ elf_ptrval end,
+ unsigned *total_note_count)
+ {
+ unsigned xen_elfnotes = 0;
+@@ -258,7 +258,7 @@ static unsigned elf_xen_parse_notes(struct elf_binary *elf,
+ elf_errorstatus elf_xen_parse_guest_info(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+- ELF_PTRVAL_CONST_CHAR h;
++ elf_ptrval h;
+ unsigned char name[32], value[128];
+ unsigned len;
+
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index 06799af..e2e75af 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -118,7 +118,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
+ }
+
+ static elf_errorstatus elf_load_image(struct elf_binary *elf,
+- ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src,
++ elf_ptrval dst, elf_ptrval src,
+ uint64_t filesz, uint64_t memsz)
+ {
+ elf_memcpy_safe(elf, dst, src, filesz);
+@@ -132,7 +132,7 @@ void elf_set_verbose(struct elf_binary *elf)
+ elf->verbose = 1;
+ }
+
+-static elf_errorstatus elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
++static elf_errorstatus elf_load_image(struct elf_binary *elf, elf_ptrval dst, elf_ptrval src, uint64_t filesz, uint64_t memsz)
+ {
+ elf_errorstatus rc;
+ if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
+@@ -187,12 +187,12 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
+
+ static void elf_load_bsdsyms(struct elf_binary *elf)
+ {
+- ELF_HANDLE_DECL_NONCONST(elf_ehdr) sym_ehdr;
++ ELF_HANDLE_DECL(elf_ehdr) sym_ehdr;
+ unsigned long sz;
+- ELF_PTRVAL_VOID maxva;
+- ELF_PTRVAL_VOID symbase;
+- ELF_PTRVAL_VOID symtab_addr;
+- ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr;
++ elf_ptrval maxva;
++ elf_ptrval symbase;
++ elf_ptrval symtab_addr;
++ ELF_HANDLE_DECL(elf_shdr) shdr;
+ unsigned i, type;
+
+ if ( !elf->bsd_symtab_pstart )
+@@ -226,7 +226,7 @@ do { \
+ elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(shdr),
+ ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
+ sz);
+- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
++ maxva = elf_round_up(elf, (unsigned long)maxva + sz);
+
+ for ( i = 0; i < elf_shdr_count(elf); i++ )
+ {
+@@ -242,7 +242,7 @@ do { \
+ elf_memcpy_safe(elf, maxva, elf_section_start(elf, shdr), sz);
+ /* Mangled to be based on ELF header location. */
+ elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
+- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
++ maxva = elf_round_up(elf, (unsigned long)maxva + sz);
+ }
+ old_shdr_p = ELF_HANDLE_PTRVAL(shdr);
+ new_shdr_p = old_shdr_p + elf_uval(elf, elf->ehdr, e_shentsize);
+@@ -297,7 +297,7 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
+ {
+ ELF_HANDLE_DECL(elf_phdr) phdr;
+ uint64_t i, count, paddr, offset, filesz, memsz;
+- ELF_PTRVAL_VOID dest;
++ elf_ptrval dest;
+ /*
+ * Let bizarre ELFs write the output image up to twice; this
+ * calculation is just to ensure our copying loop is no worse than
+@@ -334,7 +334,7 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
+ remain_allow_copy -= memsz;
+
+ elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n",
+- __func__, i, dest, (ELF_PTRVAL_VOID)(dest + filesz));
++ __func__, i, dest, (elf_ptrval)(dest + filesz));
+ if ( elf_load_image(elf, dest, ELF_IMAGE_BASE(elf) + offset, filesz, memsz) != 0 )
+ return -1;
+ }
+@@ -343,7 +343,7 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
+ return 0;
+ }
+
+-ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr)
++elf_ptrval elf_get_ptr(struct elf_binary *elf, unsigned long addr)
+ {
+ return ELF_REALPTR2PTRVAL(elf->dest_base) + addr - elf->pstart;
+ }
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 4a83133..e202249 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -171,7 +171,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
+ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned index)
+ {
+ uint64_t count = elf_shdr_count(elf);
+- ELF_PTRVAL_CONST_VOID ptr;
++ elf_ptrval ptr;
+
+ if ( index >= count )
+ return ELF_INVALID_HANDLE(elf_shdr);
+@@ -185,7 +185,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned ind
+ ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index)
+ {
+ uint64_t count = elf_uval(elf, elf->ehdr, e_phnum);
+- ELF_PTRVAL_CONST_VOID ptr;
++ elf_ptrval ptr;
+
+ if ( index >= count )
+ return ELF_INVALID_HANDLE(elf_phdr);
+@@ -233,24 +233,24 @@ const char *elf_strfmt(struct elf_binary *elf, elf_ptrval start)
+ return str;
+ }
+
+-ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
++elf_ptrval elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
+ {
+ return ELF_IMAGE_BASE(elf) + elf_uval(elf, shdr, sh_offset);
+ }
+
+-ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
++elf_ptrval elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
+ {
+ return ELF_IMAGE_BASE(elf)
+ + elf_uval(elf, shdr, sh_offset) + elf_uval(elf, shdr, sh_size);
+ }
+
+-ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
++elf_ptrval elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ {
+ return ELF_IMAGE_BASE(elf)
+ + elf_uval(elf, phdr, p_offset);
+ }
+
+-ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
++elf_ptrval elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ {
+ return ELF_IMAGE_BASE(elf)
+ + elf_uval(elf, phdr, p_offset) + elf_uval(elf, phdr, p_filesz);
+@@ -258,8 +258,8 @@ ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(el
+
+ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol)
+ {
+- ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
+- ELF_PTRVAL_CONST_VOID end = elf_section_end(elf, elf->sym_tab);
++ elf_ptrval ptr = elf_section_start(elf, elf->sym_tab);
++ elf_ptrval end = elf_section_end(elf, elf->sym_tab);
+ ELF_HANDLE_DECL(elf_sym) sym;
+ uint64_t info, name;
+ const char *sym_name;
+@@ -283,7 +283,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
+
+ ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index)
+ {
+- ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
++ elf_ptrval ptr = elf_section_start(elf, elf->sym_tab);
+ ELF_HANDLE_DECL(elf_sym) sym;
+
+ sym = ELF_MAKE_HANDLE(elf_sym, ptr + index * elf_size(elf, sym));
+@@ -295,7 +295,7 @@ const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note
+ return elf_strval(elf, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note));
+ }
+
+-ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
++elf_ptrval elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+ unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
+
+@@ -304,7 +304,7 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_
+
+ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
++ elf_ptrval desc = elf_note_desc(elf, note);
+ unsigned descsz = elf_uval(elf, note, descsz);
+
+ switch (descsz)
+@@ -322,7 +322,7 @@ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note
+ uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note,
+ unsigned int unitsz, unsigned int idx)
+ {
+- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
++ elf_ptrval desc = elf_note_desc(elf, note);
+ unsigned descsz = elf_uval(elf, note, descsz);
+
+ if ( descsz % unitsz || idx >= descsz / unitsz )
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index f95fe88..174f8da 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -61,13 +61,8 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+ /*
+ * We abstract away the pointerness of these pointers, replacing
+ * various void*, char* and struct* with the following:
+- * PTRVAL A pointer to a byte; one can do pointer arithmetic
++ * elf_ptrval A pointer to a byte; one can do pointer arithmetic
+ * on this.
+- * This replaces variables which were char*,void*
+- * and their const versions, so we provide four
+- * different obsolete declaration macros:
+- * ELF_PTRVAL_{,CONST}{VOID,CHAR}
+- * New code can simply use the elf_ptrval typedef.
+ * HANDLE A pointer to a struct. There is one of these types
+ * for each pointer type - that is, for each "structname".
+ * In the arguments to the various HANDLE macros, structname
+@@ -76,8 +71,6 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+ * pointers. In the current code attempts to do so will
+ * compile, but in the next patch this will become a
+ * compile error.
+- * We also provide a second declaration macro for
+- * pointers which were to const; this is obsolete.
+ */
+
+ typedef uintptr_t elf_ptrval;
+@@ -85,15 +78,9 @@ typedef uintptr_t elf_ptrval;
+ #define ELF_REALPTR2PTRVAL(realpointer) ((elf_ptrval)(realpointer))
+ /* Converts an actual C pointer into a PTRVAL */
+
+-#define ELF_HANDLE_DECL_NONCONST(structname) structname##_handle /*obsolete*/
+ #define ELF_HANDLE_DECL(structname) structname##_handle
+ /* Provides a type declaration for a HANDLE. */
+
+-#define ELF_PTRVAL_VOID elf_ptrval /*obsolete*/
+-#define ELF_PTRVAL_CHAR elf_ptrval /*obsolete*/
+-#define ELF_PTRVAL_CONST_VOID elf_ptrval /*obsolete*/
+-#define ELF_PTRVAL_CONST_CHAR elf_ptrval /*obsolete*/
+-
+ #ifdef __XEN__
+ # define ELF_PRPTRVAL "lu"
+ /*
+@@ -124,17 +111,6 @@ typedef uintptr_t elf_ptrval;
+ #define ELF_HANDLE_PTRVAL(handleval) ((handleval).ptrval)
+ /* Converts a HANDLE to a PTRVAL. */
+
+-#define ELF_OBSOLETE_VOIDP_CAST /*empty*/
+- /*
+- * In some places the old code used to need to
+- * - cast away const (the existing code uses const a fair
+- * bit but actually sometimes wants to write to its input)
+- * from a PTRVAL.
+- * - convert an integer representing a pointer to a PTRVAL
+- * Nowadays all of these re uintptr_ts so there is no const problem
+- * and no need for any casting.
+- */
+-
+ #define ELF_UNSAFE_PTR(ptrval) ((void*)(elf_ptrval)(ptrval))
+ /*
+ * Turns a PTRVAL into an actual C pointer. Before this is done
+@@ -212,7 +188,7 @@ struct elf_binary {
+ char data;
+
+ ELF_HANDLE_DECL(elf_ehdr) ehdr;
+- ELF_PTRVAL_CONST_CHAR sec_strtab;
++ elf_ptrval sec_strtab;
+ ELF_HANDLE_DECL(elf_shdr) sym_tab;
+ uint64_t sym_strtab;
+
+@@ -290,7 +266,7 @@ struct elf_binary {
+ * str should be a HANDLE.
+ */
+
+-uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
++uint64_t elf_access_unsigned(struct elf_binary *elf, elf_ptrval ptr,
+ uint64_t offset, size_t size);
+ /* Reads a field at arbitrary offset and alignemnt */
+
+@@ -342,17 +318,17 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned ind
+ ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index);
+
+ const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr); /* might return NULL if inputs are invalid */
+-ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
+-ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
++elf_ptrval elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
++elf_ptrval elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
+
+-ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+-ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
++elf_ptrval elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
++elf_ptrval elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+
+ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
+ ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index);
+
+ const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); /* may return NULL */
+-ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
++elf_ptrval elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
+ unsigned int unitsz, unsigned int idx);
+@@ -391,7 +367,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
+ void elf_parse_binary(struct elf_binary *elf);
+ elf_errorstatus elf_load_binary(struct elf_binary *elf);
+
+-ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr);
++elf_ptrval elf_get_ptr(struct elf_binary *elf, unsigned long addr);
+ uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
+
+ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart); /* private */
+@@ -426,9 +402,9 @@ struct xen_elfnote {
+
+ struct elf_dom_parms {
+ /* raw */
+- ELF_PTRVAL_CONST_CHAR guest_info;
+- ELF_PTRVAL_CONST_VOID elf_note_start;
+- ELF_PTRVAL_CONST_VOID elf_note_end;
++ elf_ptrval guest_info;
++ elf_ptrval elf_note_start;
++ elf_ptrval elf_note_end;
+ struct xen_elfnote elf_notes[XEN_ELFNOTE_MAX + 1];
+
+ /* parsed */
+--
+1.7.2.5
+
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-18to19-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-18to19-XSA-55.patch
new file mode 100644
index 000000000000..a275ed83bcf4
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-18to19-XSA-55.patch
@@ -0,0 +1,450 @@
+From b06e277b1fc08c7da3befeb3ac3950e1d941585d Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:19 +0100
+Subject: [PATCH 18/23] libxc: Add range checking to xc_dom_binloader
+
+This is a simple binary image loader with its own metadata format.
+However, it is too careless with image-supplied values.
+
+Add the following checks:
+
+ * That the image is bigger than the metadata table; otherwise the
+ pointer arithmetic to calculate the metadata table location may
+ yield undefined and dangerous values.
+
+ * When clamping the end of the region to search, that we do not
+ calculate pointers beyond the end of the image. The C
+ specification does not permit this and compilers are becoming ever
+ more determined to miscompile code when they can "prove" various
+ falsehoods based on assertions from the C spec.
+
+ * That the supplied image is big enough for the text we are allegedly
+ copying from it. Otherwise we might have a read overrun and copy
+ the results (perhaps a lot of secret data) into the guest.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxc/xc_dom_binloader.c | 15 +++++++++++++--
+ 1 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
+index bde93f7..8596a28 100644
+--- a/tools/libxc/xc_dom_binloader.c
++++ b/tools/libxc/xc_dom_binloader.c
+@@ -123,10 +123,13 @@ static struct xen_bin_image_table *find_table(struct xc_dom_image *dom)
+ uint32_t *probe_ptr;
+ uint32_t *probe_end;
+
++ if ( dom->kernel_size < sizeof(*table) )
++ return NULL;
+ probe_ptr = dom->kernel_blob;
+- probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
+- if ( (void*)probe_end > (dom->kernel_blob + 8192) )
++ if ( dom->kernel_size > (8192 + sizeof(*table)) )
+ probe_end = dom->kernel_blob + 8192;
++ else
++ probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
+
+ for ( table = NULL; probe_ptr < probe_end; probe_ptr++ )
+ {
+@@ -282,6 +285,14 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
+ return -EINVAL;
+ }
+
++ if ( image_size < skip ||
++ image_size - skip < text_size )
++ {
++ DOMPRINTF("%s: image is too small for declared text size",
++ __FUNCTION__);
++ return -EINVAL;
++ }
++
+ memcpy(dest, image + skip, text_size);
+ memset(dest + text_size, 0, bss_size);
+
+--
+1.7.2.5
+#From 77c0829fa751f052f7b8ec08287aef6e7ba97bc5 Mon Sep 17 00:00:00 2001
+#From: Ian Jackson <ian.jackson@eu.citrix.com>
+#Date: Fri, 14 Jun 2013 16:43:19 +0100
+#Subject: [PATCH 19/23] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
+#
+#The return values from xc_dom_*_to_ptr and xc_map_foreign_range are
+#sometimes dereferenced, or subjected to pointer arithmetic, without
+#checking whether the relevant function failed and returned NULL.
+#
+#Add an appropriate error check at every call site.
+#
+#Changes in the 4.2 backport of this series:
+#* Fix tools/libxc/xc_dom_x86.c:setup_pgtables_x86_32.
+#* Fix tools/libxc/xc_dom_ia64.c:start_info_ia64.
+#* Fix tools/libxc/ia64/xc_ia64_dom_fwloader.c:xc_dom_load_fw_kernel.
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+#---
+# tools/libxc/ia64/xc_ia64_dom_fwloader.c | 2 +
+# tools/libxc/xc_dom_binloader.c | 6 +++
+# tools/libxc/xc_dom_core.c | 6 +++
+# tools/libxc/xc_dom_elfloader.c | 13 +++++++
+# tools/libxc/xc_dom_ia64.c | 6 +++
+# tools/libxc/xc_dom_x86.c | 55 +++++++++++++++++++++++++++++++
+# tools/libxc/xc_domain_restore.c | 27 +++++++++++++++
+# tools/libxc/xc_offline_page.c | 5 +++
+# 8 files changed, 120 insertions(+), 0 deletions(-)
+#
+diff --git a/tools/libxc/ia64/xc_ia64_dom_fwloader.c b/tools/libxc/ia64/xc_ia64_dom_fwloader.c
+index cdf3333..dbd3349 100644
+--- a/tools/libxc/ia64/xc_ia64_dom_fwloader.c
++++ b/tools/libxc/ia64/xc_ia64_dom_fwloader.c
+@@ -60,6 +60,8 @@ static int xc_dom_load_fw_kernel(struct xc_dom_image *dom)
+ unsigned long i;
+
+ dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart);
++ if ( dest == NULL )
++ return -1;
+ memcpy(dest, dom->kernel_blob, FW_SIZE);
+
+ /* Synchronize cache. */
+diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
+index 8596a28..553b366 100644
+--- a/tools/libxc/xc_dom_binloader.c
++++ b/tools/libxc/xc_dom_binloader.c
+@@ -277,6 +277,12 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
+ DOMPRINTF(" bss_size: 0x%" PRIx32 "", bss_size);
+
+ dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart, &dest_size);
++ if ( dest == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart)"
++ " => NULL", __FUNCTION__);
++ return -EINVAL;
++ }
+
+ if ( dest_size < text_size ||
+ dest_size - text_size < bss_size )
+diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
+index 8913e41..a54ddae 100644
+--- a/tools/libxc/xc_dom_core.c
++++ b/tools/libxc/xc_dom_core.c
+@@ -868,6 +868,12 @@ int xc_dom_build_image(struct xc_dom_image *dom)
+ ramdisklen) != 0 )
+ goto err;
+ ramdiskmap = xc_dom_seg_to_ptr(dom, &dom->ramdisk_seg);
++ if ( ramdiskmap == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_seg_to_ptr(dom, &dom->ramdisk_seg) => NULL",
++ __FUNCTION__);
++ goto err;
++ }
+ if ( unziplen )
+ {
+ if ( xc_dom_do_gunzip(dom->xch,
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 9fc4b94..61b5798 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -139,6 +139,12 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ return 0;
+ size = dom->kernel_seg.vend - dom->bsd_symtab_start;
+ hdr_ptr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
++ if ( hdr_ptr == NULL )
++ {
++ DOMPRINTF("%s/load: xc_dom_vaddr_to_ptr(dom,dom->bsd_symtab_start"
++ " => NULL", __FUNCTION__);
++ return -1;
++ }
+ elf->caller_xdest_base = hdr_ptr;
+ elf->caller_xdest_size = allow_size;
+ hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
+@@ -384,7 +390,14 @@ static elf_errorstatus xc_dom_load_elf_kernel(struct xc_dom_image *dom)
+ xen_pfn_t pages;
+
+ elf->dest_base = xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg, &pages);
++ if ( elf->dest_base == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_vaddr_to_ptr(dom,dom->kernel_seg)"
++ " => NULL", __FUNCTION__);
++ return -1;
++ }
+ elf->dest_size = pages * XC_DOM_PAGE_SIZE(dom);
++
+ rc = elf_load_binary(elf);
+ if ( rc < 0 )
+ {
+diff --git a/tools/libxc/xc_dom_ia64.c b/tools/libxc/xc_dom_ia64.c
+index dcd1523..7c0eff1 100644
+--- a/tools/libxc/xc_dom_ia64.c
++++ b/tools/libxc/xc_dom_ia64.c
+@@ -60,6 +60,12 @@ int start_info_ia64(struct xc_dom_image *dom)
+
+ DOMPRINTF_CALLED(dom->xch);
+
++ if ( start_info == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
++ return -1; /* our caller throws away our return value :-/ */
++ }
++
+ memset(start_info, 0, sizeof(*start_info));
+ sprintf(start_info->magic, dom->guest_type);
+ start_info->flags = dom->flags;
+diff --git a/tools/libxc/xc_dom_x86.c b/tools/libxc/xc_dom_x86.c
+index 0cf1687..75d6b83 100644
+--- a/tools/libxc/xc_dom_x86.c
++++ b/tools/libxc/xc_dom_x86.c
+@@ -144,6 +144,9 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
+ xen_vaddr_t addr;
+ xen_pfn_t pgpfn;
+
++ if ( l2tab == NULL )
++ goto pfn_error;
++
+ for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
+ addr += PAGE_SIZE_X86 )
+ {
+@@ -151,6 +154,8 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
+ {
+ /* get L1 tab, make L2 entry */
+ l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
++ if ( l1tab == NULL )
++ goto pfn_error;
+ l2off = l2_table_offset_i386(addr);
+ l2tab[l2off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
+@@ -169,6 +174,11 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
+ l1tab = NULL;
+ }
+ return 0;
++
++pfn_error:
++ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
++ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
++ return -EINVAL;
+ }
+
+ /*
+@@ -219,6 +229,12 @@ static xen_pfn_t move_l3_below_4G(struct xc_dom_image *dom,
+ goto out;
+
+ l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
++ if ( l3tab == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr(dom, l3pfn, 1) => NULL",
++ __FUNCTION__);
++ return l3mfn; /* our one call site will call xc_dom_panic and fail */
++ }
+ memset(l3tab, 0, XC_DOM_PAGE_SIZE(dom));
+
+ DOMPRINTF("%s: successfully relocated L3 below 4G. "
+@@ -262,6 +278,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ }
+
+ l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
++ if ( l3tab == NULL )
++ goto pfn_error;
+
+ for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
+ addr += PAGE_SIZE_X86 )
+@@ -270,6 +288,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ {
+ /* get L2 tab, make L3 entry */
+ l2tab = xc_dom_pfn_to_ptr(dom, l2pfn, 1);
++ if ( l2tab == NULL )
++ goto pfn_error;
+ l3off = l3_table_offset_pae(addr);
+ l3tab[l3off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
+@@ -280,6 +300,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ {
+ /* get L1 tab, make L2 entry */
+ l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
++ if ( l1tab == NULL )
++ goto pfn_error;
+ l2off = l2_table_offset_pae(addr);
+ l2tab[l2off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
+@@ -306,6 +328,11 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ l3tab[3] = pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
+ }
+ return 0;
++
++pfn_error:
++ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
++ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
++ return -EINVAL;
+ }
+
+ #undef L1_PROT
+@@ -344,6 +371,9 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ uint64_t addr;
+ xen_pfn_t pgpfn;
+
++ if ( l4tab == NULL )
++ goto pfn_error;
++
+ for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
+ addr += PAGE_SIZE_X86 )
+ {
+@@ -351,6 +381,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ {
+ /* get L3 tab, make L4 entry */
+ l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
++ if ( l3tab == NULL )
++ goto pfn_error;
+ l4off = l4_table_offset_x86_64(addr);
+ l4tab[l4off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l3pfn)) | L4_PROT;
+@@ -361,6 +393,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ {
+ /* get L2 tab, make L3 entry */
+ l2tab = xc_dom_pfn_to_ptr(dom, l2pfn, 1);
++ if ( l2tab == NULL )
++ goto pfn_error;
+ l3off = l3_table_offset_x86_64(addr);
+ l3tab[l3off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
+@@ -373,6 +407,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ {
+ /* get L1 tab, make L2 entry */
+ l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
++ if ( l1tab == NULL )
++ goto pfn_error;
+ l2off = l2_table_offset_x86_64(addr);
+ l2tab[l2off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
+@@ -393,6 +429,11 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ l1tab = NULL;
+ }
+ return 0;
++
++pfn_error:
++ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
++ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
++ return -EINVAL;
+ }
+
+ #undef L1_PROT
+@@ -410,6 +451,8 @@ static int alloc_magic_pages(struct xc_dom_image *dom)
+ if ( xc_dom_alloc_segment(dom, &dom->p2m_seg, "phys2mach", 0, p2m_size) )
+ return -1;
+ dom->p2m_guest = xc_dom_seg_to_ptr(dom, &dom->p2m_seg);
++ if ( dom->p2m_guest == NULL )
++ return -1;
+
+ /* allocate special pages */
+ dom->start_info_pfn = xc_dom_alloc_page(dom, "start info");
+@@ -434,6 +477,12 @@ static int start_info_x86_32(struct xc_dom_image *dom)
+
+ DOMPRINTF_CALLED(dom->xch);
+
++ if ( start_info == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
++ return -1; /* our caller throws away our return value :-/ */
++ }
++
+ memset(start_info, 0, sizeof(*start_info));
+ strncpy(start_info->magic, dom->guest_type, sizeof(start_info->magic));
+ start_info->magic[sizeof(start_info->magic) - 1] = '\0';
+@@ -474,6 +523,12 @@ static int start_info_x86_64(struct xc_dom_image *dom)
+
+ DOMPRINTF_CALLED(dom->xch);
+
++ if ( start_info == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
++ return -1; /* our caller throws away our return value :-/ */
++ }
++
+ memset(start_info, 0, sizeof(*start_info));
+ strncpy(start_info->magic, dom->guest_type, sizeof(start_info->magic));
+ start_info->magic[sizeof(start_info->magic) - 1] = '\0';
+diff --git a/tools/libxc/xc_domain_restore.c b/tools/libxc/xc_domain_restore.c
+index b4c0b10..3994f8f 100644
+--- a/tools/libxc/xc_domain_restore.c
++++ b/tools/libxc/xc_domain_restore.c
+@@ -1556,6 +1556,12 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ mfn = ctx->p2m[pfn];
+ buf = xc_map_foreign_range(xch, dom, PAGE_SIZE,
+ PROT_READ | PROT_WRITE, mfn);
++ if ( buf == NULL )
++ {
++ ERROR("xc_map_foreign_range for generation id"
++ " buffer failed");
++ goto out;
++ }
+
+ generationid = *(unsigned long long *)(buf + offset);
+ *(unsigned long long *)(buf + offset) = generationid + 1;
+@@ -1713,6 +1719,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ l3tab = (uint64_t *)
+ xc_map_foreign_range(xch, dom, PAGE_SIZE,
+ PROT_READ, ctx->p2m[i]);
++ if ( l3tab == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for l3tab)");
++ goto out;
++ }
+
+ for ( j = 0; j < 4; j++ )
+ l3ptes[j] = l3tab[j];
+@@ -1739,6 +1750,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ l3tab = (uint64_t *)
+ xc_map_foreign_range(xch, dom, PAGE_SIZE,
+ PROT_READ | PROT_WRITE, ctx->p2m[i]);
++ if ( l3tab == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for l3tab, 2nd)");
++ goto out;
++ }
+
+ for ( j = 0; j < 4; j++ )
+ l3tab[j] = l3ptes[j];
+@@ -1909,6 +1925,12 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ SET_FIELD(ctxt, user_regs.edx, mfn);
+ start_info = xc_map_foreign_range(
+ xch, dom, PAGE_SIZE, PROT_READ | PROT_WRITE, mfn);
++ if ( start_info == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for start_info)");
++ goto out;
++ }
++
+ SET_FIELD(start_info, nr_pages, dinfo->p2m_size);
+ SET_FIELD(start_info, shared_info, shared_info_frame<<PAGE_SHIFT);
+ SET_FIELD(start_info, flags, 0);
+@@ -2056,6 +2078,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ /* Restore contents of shared-info page. No checking needed. */
+ new_shared_info = xc_map_foreign_range(
+ xch, dom, PAGE_SIZE, PROT_WRITE, shared_info_frame);
++ if ( new_shared_info == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for new_shared_info)");
++ goto out;
++ }
+
+ /* restore saved vcpu_info and arch specific info */
+ MEMCPY_FIELD(new_shared_info, old_shared_info, vcpu_info);
+diff --git a/tools/libxc/xc_offline_page.c b/tools/libxc/xc_offline_page.c
+index 089a361..36b9812 100644
+--- a/tools/libxc/xc_offline_page.c
++++ b/tools/libxc/xc_offline_page.c
+@@ -714,6 +714,11 @@ int xc_exchange_page(xc_interface *xch, int domid, xen_pfn_t mfn)
+
+ new_p = xc_map_foreign_range(xch, domid, PAGE_SIZE,
+ PROT_READ|PROT_WRITE, new_mfn);
++ if ( new_p == NULL )
++ {
++ ERROR("failed to map new_p for copy, guest may be broken?");
++ goto failed;
++ }
+ memcpy(new_p, backup, PAGE_SIZE);
+ munmap(new_p, PAGE_SIZE);
+ mops.arg1.mfn = new_mfn;
+--
+1.7.2.5
+
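Review bot: The NULL checks added to start_info_ia64, start_info_x86_32 and start_info_x86_64 end in `return -1; /* our caller throws away our return value :-/ */`, so by the patch's own comment the failure is only logged through DOMPRINTF and the domain build presumably carries on with an unpopulated start_info page. The setup_pgtables_* functions in the same patch report the same kind of failure through xc_dom_panic; doing likewise here, `xc_dom_panic(dom->xch, XC_INTERNAL_ERROR, "%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);`, would at least record it as an error, and the caller (outside these hunks) should check the return value. Separately, the message added in xc_dom_load_elf_kernel names xc_dom_vaddr_to_ptr although the call that failed is xc_dom_seg_to_ptr_pages, and the one in xc_dom_load_elf_symtab lacks its closing parenthesis. All of these function bodies start and end outside the inner hunks.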
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-2-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-2-XSA-55.patch
new file mode 100644
index 000000000000..c26605ff4499
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-2-XSA-55.patch
@@ -0,0 +1,56 @@
+From a672da4b2d58ef12be9d7407160e9fb43cac75d9 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:16 +0100
+Subject: [PATCH 02/23] libxc: introduce xc_dom_seg_to_ptr_pages
+
+Provide a version of xc_dom_seg_to_ptr which returns the number of
+guest pages it has actually mapped. This is useful for callers who
+want to do range checking; we will use this later in this series.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+---
+ tools/libxc/xc_dom.h | 19 ++++++++++++++++---
+ 1 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
+index 6a72aa9..9af2195 100644
+--- a/tools/libxc/xc_dom.h
++++ b/tools/libxc/xc_dom.h
+@@ -278,14 +278,27 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t first,
+ void xc_dom_unmap_one(struct xc_dom_image *dom, xen_pfn_t pfn);
+ void xc_dom_unmap_all(struct xc_dom_image *dom);
+
+-static inline void *xc_dom_seg_to_ptr(struct xc_dom_image *dom,
+- struct xc_dom_seg *seg)
++static inline void *xc_dom_seg_to_ptr_pages(struct xc_dom_image *dom,
++ struct xc_dom_seg *seg,
++ xen_pfn_t *pages_out)
+ {
+ xen_vaddr_t segsize = seg->vend - seg->vstart;
+ unsigned int page_size = XC_DOM_PAGE_SIZE(dom);
+ xen_pfn_t pages = (segsize + page_size - 1) / page_size;
++ void *retval;
++
++ retval = xc_dom_pfn_to_ptr(dom, seg->pfn, pages);
++
++ *pages_out = retval ? pages : 0;
++ return retval;
++}
++
++static inline void *xc_dom_seg_to_ptr(struct xc_dom_image *dom,
++ struct xc_dom_seg *seg)
++{
++ xen_pfn_t dummy;
+
+- return xc_dom_pfn_to_ptr(dom, seg->pfn, pages);
++ return xc_dom_seg_to_ptr_pages(dom, seg, &dummy);
+ }
+
+ static inline void *xc_dom_vaddr_to_ptr(struct xc_dom_image *dom,
+--
+1.7.2.5
+
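Review bot: xc_dom_seg_to_ptr_pages has no comment stating its contract, and the callers that will use it for range checking depend on that contract. I would add above it `/* Maps the whole of seg. Returns the mapping and stores the number of pages mapped in *pages_out; on failure returns NULL and stores 0. pages_out must not be NULL. */`. The comment should also say that the count is segsize rounded up to whole pages, so a bound derived from it can be larger than vend - vstart. The count is computed without checking that vend >= vstart; whether a segment can reach this function in that state is not visible from this hunk.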
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-20to23-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-20to23-XSA-55.patch
new file mode 100644
index 000000000000..b4c6dcad2961
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-20to23-XSA-55.patch
@@ -0,0 +1,381 @@
+From 8dc90d163650ce8aa36ae0b46debab83cc61edb6 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:19 +0100
+Subject: [PATCH 20/23] libxc: check return values from malloc
+
+A sufficiently malformed input to libxc (such as a malformed input ELF
+or other guest-controlled data) might cause one of libxc's malloc() to
+fail. In this case we need to make sure we don't dereference or do
+pointer arithmetic on the result.
+
+Search for all occurrences of \b(m|c|re)alloc in libxc, and all
+functions which call them, and add appropriate error checking where
+missing.
+
+This includes the functions xc_dom_malloc*, which now print a message
+when they fail so that callers don't have to do so.
+
+The function xc_cpuid_to_str wasn't provided with a sane return value
+and has a pretty strange API, which now becomes a little stranger.
+There are no in-tree callers.
+
+Changes in the Xen 4.2 version of this series:
+* No need to fix code relating to ARM.
+* No need to fix code relating to superpage support.
+* Additionally fix `dom->p2m_host = xc_dom_malloc...' in xc_dom_ia64.c.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxc/xc_cpuid_x86.c | 20 ++++++++++++++++++--
+ tools/libxc/xc_dom_core.c | 13 +++++++++++++
+ tools/libxc/xc_dom_elfloader.c | 2 ++
+ tools/libxc/xc_dom_ia64.c | 6 ++++++
+ tools/libxc/xc_dom_x86.c | 3 +++
+ tools/libxc/xc_domain_restore.c | 5 +++++
+ tools/libxc/xc_linux_osdep.c | 4 ++++
+ tools/libxc/xc_private.c | 2 ++
+ tools/libxc/xenctrl.h | 2 +-
+ 9 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libxc/xc_cpuid_x86.c b/tools/libxc/xc_cpuid_x86.c
+index 0882ce6..da435ce 100644
+--- a/tools/libxc/xc_cpuid_x86.c
++++ b/tools/libxc/xc_cpuid_x86.c
+@@ -589,6 +589,8 @@ static int xc_cpuid_do_domctl(
+ static char *alloc_str(void)
+ {
+ char *s = malloc(33);
++ if ( s == NULL )
++ return s;
+ memset(s, 0, 33);
+ return s;
+ }
+@@ -600,6 +602,8 @@ void xc_cpuid_to_str(const unsigned int *regs, char **strs)
+ for ( i = 0; i < 4; i++ )
+ {
+ strs[i] = alloc_str();
++ if ( strs[i] == NULL )
++ continue;
+ for ( j = 0; j < 32; j++ )
+ strs[i][j] = !!((regs[i] & (1U << (31 - j)))) ? '1' : '0';
+ }
+@@ -680,7 +684,7 @@ int xc_cpuid_check(
+ const char **config,
+ char **config_transformed)
+ {
+- int i, j;
++ int i, j, rc;
+ unsigned int regs[4];
+
+ memset(config_transformed, 0, 4 * sizeof(*config_transformed));
+@@ -692,6 +696,11 @@ int xc_cpuid_check(
+ if ( config[i] == NULL )
+ continue;
+ config_transformed[i] = alloc_str();
++ if ( config_transformed[i] == NULL )
++ {
++ rc = -ENOMEM;
++ goto fail_rc;
++ }
+ for ( j = 0; j < 32; j++ )
+ {
+ unsigned char val = !!((regs[i] & (1U << (31 - j))));
+@@ -708,12 +717,14 @@ int xc_cpuid_check(
+ return 0;
+
+ fail:
++ rc = -EPERM;
++ fail_rc:
+ for ( i = 0; i < 4; i++ )
+ {
+ free(config_transformed[i]);
+ config_transformed[i] = NULL;
+ }
+- return -EPERM;
++ return rc;
+ }
+
+ /*
+@@ -758,6 +769,11 @@ int xc_cpuid_set(
+ }
+
+ config_transformed[i] = alloc_str();
++ if ( config_transformed[i] == NULL )
++ {
++ rc = -ENOMEM;
++ goto fail;
++ }
+
+ for ( j = 0; j < 32; j++ )
+ {
+diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
+index a54ddae..3cbf9f7 100644
+--- a/tools/libxc/xc_dom_core.c
++++ b/tools/libxc/xc_dom_core.c
+@@ -120,9 +120,17 @@ void *xc_dom_malloc(struct xc_dom_image *dom, size_t size)
+ {
+ struct xc_dom_mem *block;
+
++ if ( size > SIZE_MAX - sizeof(*block) )
++ {
++ DOMPRINTF("%s: unreasonable allocation size", __FUNCTION__);
++ return NULL;
++ }
+ block = malloc(sizeof(*block) + size);
+ if ( block == NULL )
++ {
++ DOMPRINTF("%s: allocation failed", __FUNCTION__);
+ return NULL;
++ }
+ memset(block, 0, sizeof(*block) + size);
+ block->next = dom->memblocks;
+ dom->memblocks = block;
+@@ -138,7 +146,10 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size)
+
+ block = malloc(sizeof(*block));
+ if ( block == NULL )
++ {
++ DOMPRINTF("%s: allocation failed", __FUNCTION__);
+ return NULL;
++ }
+ memset(block, 0, sizeof(*block));
+ block->mmap_len = size;
+ block->mmap_ptr = mmap(NULL, block->mmap_len,
+@@ -146,6 +157,7 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size)
+ -1, 0);
+ if ( block->mmap_ptr == MAP_FAILED )
+ {
++ DOMPRINTF("%s: mmap failed", __FUNCTION__);
+ free(block);
+ return NULL;
+ }
+@@ -202,6 +214,7 @@ void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
+ close(fd);
+ if ( block != NULL )
+ free(block);
++ DOMPRINTF("%s: failed (on file `%s')", __FUNCTION__, filename);
+ return NULL;
+ }
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 61b5798..be58276 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -329,6 +329,8 @@ static elf_errorstatus xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
+ return rc;
+
+ elf = xc_dom_malloc(dom, sizeof(*elf));
++ if ( elf == NULL )
++ return -1;
+ dom->private_loader = elf;
+ rc = elf_init(elf, dom->kernel_blob, dom->kernel_size);
+ xc_elf_set_logfile(dom->xch, elf, 1);
+diff --git a/tools/libxc/xc_dom_ia64.c b/tools/libxc/xc_dom_ia64.c
+index 7c0eff1..076821c 100644
+--- a/tools/libxc/xc_dom_ia64.c
++++ b/tools/libxc/xc_dom_ia64.c
+@@ -188,6 +188,12 @@ int arch_setup_meminit(struct xc_dom_image *dom)
+
+ /* setup initial p2m */
+ dom->p2m_host = xc_dom_malloc(dom, sizeof(xen_pfn_t) * nbr);
++ if ( dom->p2m_host == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_malloc failed for p2m_host",
++ __FUNCTION__);
++ return -1;
++ }
+ for ( pfn = 0; pfn < nbr; pfn++ )
+ dom->p2m_host[pfn] = start + pfn;
+
+diff --git a/tools/libxc/xc_dom_x86.c b/tools/libxc/xc_dom_x86.c
+index 75d6b83..448d9a1 100644
+--- a/tools/libxc/xc_dom_x86.c
++++ b/tools/libxc/xc_dom_x86.c
+@@ -780,6 +780,9 @@ int arch_setup_meminit(struct xc_dom_image *dom)
+ }
+
+ dom->p2m_host = xc_dom_malloc(dom, sizeof(xen_pfn_t) * dom->total_pages);
++ if ( dom->p2m_host == NULL )
++ return -EINVAL;
++
+ if ( dom->superpages )
+ {
+ int count = dom->total_pages >> SUPERPAGE_PFN_SHIFT;
+diff --git a/tools/libxc/xc_domain_restore.c b/tools/libxc/xc_domain_restore.c
+index 3994f8f..f9ed6b2 100644
+--- a/tools/libxc/xc_domain_restore.c
++++ b/tools/libxc/xc_domain_restore.c
+@@ -1180,6 +1180,11 @@ static int apply_batch(xc_interface *xch, uint32_t dom, struct restore_ctx *ctx,
+
+ /* Map relevant mfns */
+ pfn_err = calloc(j, sizeof(*pfn_err));
++ if ( pfn_err == NULL )
++ {
++ PERROR("allocation for pfn_err failed");
++ return -1;
++ }
+ region_base = xc_map_foreign_bulk(
+ xch, dom, PROT_WRITE, region_mfn, pfn_err, j);
+
+diff --git a/tools/libxc/xc_linux_osdep.c b/tools/libxc/xc_linux_osdep.c
+index 787e742..98e041c 100644
+--- a/tools/libxc/xc_linux_osdep.c
++++ b/tools/libxc/xc_linux_osdep.c
+@@ -378,6 +378,8 @@ static void *linux_privcmd_map_foreign_range(xc_interface *xch, xc_osdep_handle
+
+ num = (size + XC_PAGE_SIZE - 1) >> XC_PAGE_SHIFT;
+ arr = calloc(num, sizeof(xen_pfn_t));
++ if ( arr == NULL )
++ return NULL;
+
+ for ( i = 0; i < num; i++ )
+ arr[i] = mfn + i;
+@@ -402,6 +404,8 @@ static void *linux_privcmd_map_foreign_ranges(xc_interface *xch, xc_osdep_handle
+ num_per_entry = chunksize >> XC_PAGE_SHIFT;
+ num = num_per_entry * nentries;
+ arr = calloc(num, sizeof(xen_pfn_t));
++ if ( arr == NULL )
++ return NULL;
+
+ for ( i = 0; i < nentries; i++ )
+ for ( j = 0; j < num_per_entry; j++ )
+diff --git a/tools/libxc/xc_private.c b/tools/libxc/xc_private.c
+index 3e03a91..848ceed 100644
+--- a/tools/libxc/xc_private.c
++++ b/tools/libxc/xc_private.c
+@@ -771,6 +771,8 @@ const char *xc_strerror(xc_interface *xch, int errcode)
+ errbuf = pthread_getspecific(errbuf_pkey);
+ if (errbuf == NULL) {
+ errbuf = malloc(XS_BUFSIZE);
++ if ( errbuf == NULL )
++ return "(failed to allocate errbuf)";
+ pthread_setspecific(errbuf_pkey, errbuf);
+ }
+
+diff --git a/tools/libxc/xenctrl.h b/tools/libxc/xenctrl.h
+index b7741ca..8952048 100644
+--- a/tools/libxc/xenctrl.h
++++ b/tools/libxc/xenctrl.h
+@@ -1778,7 +1778,7 @@ int xc_cpuid_set(xc_interface *xch,
+ int xc_cpuid_apply_policy(xc_interface *xch,
+ domid_t domid);
+ void xc_cpuid_to_str(const unsigned int *regs,
+- char **strs);
++ char **strs); /* some strs[] may be NULL if ENOMEM */
+ int xc_mca_op(xc_interface *xch, struct xen_mc *mc);
+ #endif
+
+--
+1.7.2.5
+#From 052a689aa526ca51fd70528d4b0f83dfb2de99c1 Mon Sep 17 00:00:00 2001
+#From: Ian Jackson <ian.jackson@eu.citrix.com>
+#Date: Fri, 14 Jun 2013 16:43:19 +0100
+#Subject: [PATCH 21/23] libxc: range checks in xc_dom_p2m_host and _guest
+#
+#These functions take guest pfns and look them up in the p2m. They did
+#no range checking.
+#
+#However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
+#to pass untrusted guest-supplied value(s). It is most convenient to
+#detect this here and return INVALID_MFN.
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Changes from Xen 4.2 version of this patch:
+#* 4.2 lacks dom->rambase_pfn, so don't add/subtract/check it.
+#
+#Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+#---
+# tools/libxc/xc_dom.h | 4 ++++
+# 1 files changed, 4 insertions(+), 0 deletions(-)
+#
+diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
+index 0161459..d801f66 100644
+--- a/tools/libxc/xc_dom.h
++++ b/tools/libxc/xc_dom.h
+@@ -331,6 +331,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn)
+ {
+ if (dom->shadow_enabled)
+ return pfn;
++ if (pfn >= dom->total_pages)
++ return INVALID_MFN;
+ return dom->p2m_host[pfn];
+ }
+
+@@ -339,6 +341,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom,
+ {
+ if (xc_dom_feature_translated(dom))
+ return pfn;
++ if (pfn >= dom->total_pages)
++ return INVALID_MFN;
+ return dom->p2m_host[pfn];
+ }
+
+--
+1.7.2.5
+#From 2a548e22915535ac13694eb38222903bca7245e3 Mon Sep 17 00:00:00 2001
+#From: Matthew Daley <mattjd@gmail.com>
+#Date: Fri, 14 Jun 2013 16:43:19 +0100
+#Subject: [PATCH 22/23] libxc: check blob size before proceeding in xc_dom_check_gzip
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Signed-off-by: Matthew Daley <mattjd@gmail.com>
+#---
+# tools/libxc/xc_dom_core.c | 5 +++++
+# 1 files changed, 5 insertions(+), 0 deletions(-)
+#
+diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
+index 3cbf9f7..f8d1b08 100644
+--- a/tools/libxc/xc_dom_core.c
++++ b/tools/libxc/xc_dom_core.c
+@@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
+ unsigned char *gzlen;
+ size_t unziplen;
+
++ if ( ziplen < 6 )
++ /* Too small. We need (i.e. the subsequent code relies on)
++ * 2 bytes for the magic number plus 4 bytes length. */
++ return 0;
++
+ if ( strncmp(blob, "\037\213", 2) )
+ /* not gzipped */
+ return 0;
+--
+1.7.2.5
+#From d21d36e84354c04638b60a739a5f7c3d9f8adaf8 Mon Sep 17 00:00:00 2001
+#From: Ian Jackson <ian.jackson@eu.citrix.com>
+#Date: Fri, 14 Jun 2013 16:43:19 +0100
+#Subject: [PATCH 23/23] libxc: Better range check in xc_dom_alloc_segment
+#
+#If seg->pfn is too large, the arithmetic in the range check might
+#overflow, defeating the range check.
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+#Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+#---
+# tools/libxc/xc_dom_core.c | 3 ++-
+# 1 files changed, 2 insertions(+), 1 deletions(-)
+#
+diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
+index f8d1b08..e79e38d 100644
+--- a/tools/libxc/xc_dom_core.c
++++ b/tools/libxc/xc_dom_core.c
+@@ -509,7 +509,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom,
+ seg->vstart = start;
+ seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size;
+
+- if ( pages > dom->total_pages || /* double test avoids overflow probs */
++ if ( pages > dom->total_pages || /* multiple test avoids overflow probs */
++ seg->pfn > dom->total_pages ||
+ pages > dom->total_pages - seg->pfn)
+ {
+ xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
+--
+1.7.2.5
+
+
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-3-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-3-XSA-55.patch
new file mode 100644
index 000000000000..59303215e67e
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-3-XSA-55.patch
@@ -0,0 +1,156 @@
+From 8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:16 +0100
+Subject: [PATCH 03/23] libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
+
+* Ensure that xc_dom_pfn_to_ptr (when called with count==0) does not
+ return a previously-allocated block which is entirely before the
+ requested pfn (!)
+
+* Provide a version of xc_dom_pfn_to_ptr, xc_dom_pfn_to_ptr_retcount,
+ which provides the length of the mapped region via an out parameter.
+
+* Change xc_dom_vaddr_to_ptr to always provide the length of the
+ mapped region and change the call site in xc_dom_binloader.c to
+ check it. The call site in xc_dom_load_elf_symtab will be corrected
+ in a forthcoming patch, and for now ignores the returned length.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxc/xc_dom.h | 16 +++++++++++++---
+ tools/libxc/xc_dom_binloader.c | 11 ++++++++++-
+ tools/libxc/xc_dom_core.c | 13 +++++++++++++
+ tools/libxc/xc_dom_elfloader.c | 3 ++-
+ 4 files changed, 38 insertions(+), 5 deletions(-)
+
+diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
+index 9af2195..9f8037e 100644
+--- a/tools/libxc/xc_dom.h
++++ b/tools/libxc/xc_dom.h
+@@ -275,6 +275,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom,
+
+ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t first,
+ xen_pfn_t count);
++void *xc_dom_pfn_to_ptr_retcount(struct xc_dom_image *dom, xen_pfn_t first,
++ xen_pfn_t count, xen_pfn_t *count_out);
+ void xc_dom_unmap_one(struct xc_dom_image *dom, xen_pfn_t pfn);
+ void xc_dom_unmap_all(struct xc_dom_image *dom);
+
+@@ -302,13 +304,21 @@ static inline void *xc_dom_seg_to_ptr(struct xc_dom_image *dom,
+ }
+
+ static inline void *xc_dom_vaddr_to_ptr(struct xc_dom_image *dom,
+- xen_vaddr_t vaddr)
++ xen_vaddr_t vaddr,
++ size_t *safe_region_out)
+ {
+ unsigned int page_size = XC_DOM_PAGE_SIZE(dom);
+ xen_pfn_t page = (vaddr - dom->parms.virt_base) / page_size;
+ unsigned int offset = (vaddr - dom->parms.virt_base) % page_size;
+- void *ptr = xc_dom_pfn_to_ptr(dom, page, 0);
+- return (ptr ? (ptr + offset) : NULL);
++ xen_pfn_t safe_region_count;
++ void *ptr;
++
++ *safe_region_out = 0;
++ ptr = xc_dom_pfn_to_ptr_retcount(dom, page, 0, &safe_region_count);
++ if ( ptr == NULL )
++ return ptr;
++ *safe_region_out = (safe_region_count << XC_DOM_PAGE_SHIFT(dom)) - offset;
++ return ptr;
+ }
+
+ static inline int xc_dom_feature_translated(struct xc_dom_image *dom)
+diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
+index 769e97d..bde93f7 100644
+--- a/tools/libxc/xc_dom_binloader.c
++++ b/tools/libxc/xc_dom_binloader.c
+@@ -249,6 +249,7 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
+ char *image = dom->kernel_blob;
+ char *dest;
+ size_t image_size = dom->kernel_size;
++ size_t dest_size;
+ uint32_t start_addr;
+ uint32_t load_end_addr;
+ uint32_t bss_end_addr;
+@@ -272,7 +273,15 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
+ DOMPRINTF(" text_size: 0x%" PRIx32 "", text_size);
+ DOMPRINTF(" bss_size: 0x%" PRIx32 "", bss_size);
+
+- dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart);
++ dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart, &dest_size);
++
++ if ( dest_size < text_size ||
++ dest_size - text_size < bss_size )
++ {
++ DOMPRINTF("%s: mapped region is too small for image", __FUNCTION__);
++ return -EINVAL;
++ }
++
+ memcpy(dest, image + skip, text_size);
+ memset(dest + text_size, 0, bss_size);
+
+diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
+index 2a01d7c..8913e41 100644
+--- a/tools/libxc/xc_dom_core.c
++++ b/tools/libxc/xc_dom_core.c
+@@ -351,10 +351,19 @@ int xc_dom_try_gunzip(struct xc_dom_image *dom, void **blob, size_t * size)
+ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
+ xen_pfn_t count)
+ {
++ xen_pfn_t count_out_dummy;
++ return xc_dom_pfn_to_ptr_retcount(dom, pfn, count, &count_out_dummy);
++}
++
++void *xc_dom_pfn_to_ptr_retcount(struct xc_dom_image *dom, xen_pfn_t pfn,
++ xen_pfn_t count, xen_pfn_t *count_out)
++{
+ struct xc_dom_phys *phys;
+ unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
+ char *mode = "unset";
+
++ *count_out = 0;
++
+ if ( pfn > dom->total_pages || /* multiple checks to avoid overflows */
+ count > dom->total_pages ||
+ pfn > dom->total_pages - count )
+@@ -384,6 +393,7 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
+ phys->count);
+ return NULL;
+ }
++ *count_out = count;
+ }
+ else
+ {
+@@ -391,6 +401,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
+ just hand out a pointer to it */
+ if ( pfn < phys->first )
+ continue;
++ if ( pfn >= phys->first + phys->count )
++ continue;
++ *count_out = phys->count - (pfn - phys->first);
+ }
+ return phys->ptr + ((pfn - phys->first) << page_shift);
+ }
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 2e69559..031b5b6 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -130,10 +130,11 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+
+ if ( load )
+ {
++ size_t allow_size; /* will be used in a forthcoming XSA-55 patch */
+ if ( !dom->bsd_symtab_start )
+ return 0;
+ size = dom->kernel_seg.vend - dom->bsd_symtab_start;
+- hdr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start);
++ hdr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
+ *(int *)hdr = size - sizeof(int);
+ }
+ else
+--
+1.7.2.5
+
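Review bot: The rewritten xc_dom_vaddr_to_ptr ends in `return ptr;` where the removed code returned `ptr + offset`, yet `*safe_region_out` is computed with `- offset`, that is, as the room left from the offset position. For a vaddr that is not page-aligned, the caller would get the start of the page together with a length measured from a different address. The size check added in xc_dom_load_bin_kernel would then cover the wrong span. If the change of return value is not intended, the last line should read `return ptr + offset;`. Separately, xc_dom_load_elf_symtab still writes through `hdr` without testing it for NULL or consulting `allow_size`; the patch description defers that to a later part of the series.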
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-4-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-4-XSA-55.patch
new file mode 100644
index 000000000000..6eb2bac5c0f6
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-4-XSA-55.patch
@@ -0,0 +1,55 @@
+From 035634047d10c678cbb8801c4263747bdaf4e5b1 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:16 +0100
+Subject: [PATCH 04/23] libelf: add `struct elf_binary*' parameter to elf_load_image
+
+The meat of this function is going to need a copy of the elf pointer,
+in forthcoming patches.
+
+No functional change in this patch.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+---
+ xen/common/libelf/libelf-loader.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index ab58b8b..0559d88 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -108,7 +108,8 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
+ elf->verbose = verbose;
+ }
+
+-static int elf_load_image(void *dst, const void *src, uint64_t filesz, uint64_t memsz)
++static int elf_load_image(struct elf_binary *elf,
++ void *dst, const void *src, uint64_t filesz, uint64_t memsz)
+ {
+ memcpy(dst, src, filesz);
+ memset(dst + filesz, 0, memsz - filesz);
+@@ -122,7 +123,8 @@ void elf_set_verbose(struct elf_binary *elf)
+ elf->verbose = 1;
+ }
+
+-static int elf_load_image(void *dst, const void *src, uint64_t filesz, uint64_t memsz)
++static int elf_load_image(struct elf_binary *elf,
++ void *dst, const void *src, uint64_t filesz, uint64_t memsz)
+ {
+ int rc;
+ if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
+@@ -279,7 +281,7 @@ int elf_load_binary(struct elf_binary *elf)
+ dest = elf_get_ptr(elf, paddr);
+ elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%p -> 0x%p\n",
+ __func__, i, dest, dest + filesz);
+- if ( elf_load_image(dest, elf->image + offset, filesz, memsz) != 0 )
++ if ( elf_load_image(elf, dest, elf->image + offset, filesz, memsz) != 0 )
+ return -1;
+ }
+
+--
+1.7.2.5
+
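Review bot: Neither variant of elf_load_image uses the new `elf` parameter yet, and the tools-side body shown as context still runs `memset(dst + filesz, 0, memsz - filesz)` with no `memsz >= filesz` test visible, so this file on its own adds no range checking. Because each part of the series is shipped as a separate file, a short comment above the signature would stop a later reader from treating the function as already hardened, e.g. `/* elf is unused for now; needed by forthcoming XSA-55 patches */`. Both function bodies continue outside the hunks shown.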
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-5to7-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-5to7-XSA-55.patch
new file mode 100644
index 000000000000..6a3ecc08e90d
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-5to7-XSA-55.patch
@@ -0,0 +1,174 @@
+From 83ec905922b496e1a5756e3a88405eb6c2c6ba88 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:16 +0100
+Subject: [PATCH 05/23] libelf: abolish elf_sval and elf_access_signed
+
+These are not used anywhere.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ xen/common/libelf/libelf-tools.c | 28 ----------------------------
+ xen/include/xen/libelf.h | 11 -----------
+ 2 files changed, 0 insertions(+), 39 deletions(-)
+
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index cb97908..2f54142 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -48,34 +48,6 @@ uint64_t elf_access_unsigned(struct elf_binary * elf, const void *ptr,
+ }
+ }
+
+-int64_t elf_access_signed(struct elf_binary *elf, const void *ptr,
+- uint64_t offset, size_t size)
+-{
+- int need_swap = elf_swap(elf);
+- const int8_t *s8;
+- const int16_t *s16;
+- const int32_t *s32;
+- const int64_t *s64;
+-
+- switch ( size )
+- {
+- case 1:
+- s8 = ptr + offset;
+- return *s8;
+- case 2:
+- s16 = ptr + offset;
+- return need_swap ? bswap_16(*s16) : *s16;
+- case 4:
+- s32 = ptr + offset;
+- return need_swap ? bswap_32(*s32) : *s32;
+- case 8:
+- s64 = ptr + offset;
+- return need_swap ? bswap_64(*s64) : *s64;
+- default:
+- return 0;
+- }
+-}
+-
+ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr)
+ {
+ int elf_round = (elf_64bit(elf) ? 8 : 4) - 1;
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index e8f6508..38e490c 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -136,23 +136,12 @@ struct elf_binary {
+ offsetof(typeof(*(str)),e32.elem), \
+ sizeof((str)->e32.elem)))
+
+-#define elf_sval(elf, str, elem) \
+- ((ELFCLASS64 == (elf)->class) \
+- ? elf_access_signed((elf), (str), \
+- offsetof(typeof(*(str)),e64.elem), \
+- sizeof((str)->e64.elem)) \
+- : elf_access_signed((elf), (str), \
+- offsetof(typeof(*(str)),e32.elem), \
+- sizeof((str)->e32.elem)))
+-
+ #define elf_size(elf, str) \
+ ((ELFCLASS64 == (elf)->class) \
+ ? sizeof((str)->e64) : sizeof((str)->e32))
+
+ uint64_t elf_access_unsigned(struct elf_binary *elf, const void *ptr,
+ uint64_t offset, size_t size);
+-int64_t elf_access_signed(struct elf_binary *elf, const void *ptr,
+- uint64_t offset, size_t size);
+
+ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
+
+--
+1.7.2.5
+#From 682a04488e7b3bd6c3448ab60599566eb7c6177a Mon Sep 17 00:00:00 2001
+#From: Ian Jackson <ian.jackson@eu.citrix.com>
+#Date: Fri, 14 Jun 2013 16:43:16 +0100
+#Subject: [PATCH 06/23] libelf: move include of <asm/guest_access.h> to top of file
+#
+#libelf-loader.c #includes <asm/guest_access.h>, when being compiled
+#for Xen. Currently it does this in the middle of the file.
+#
+#Move this #include to the top of the file, before libelf-private.h.
+#This is necessary because in forthcoming patches we will introduce
+#private #defines of memcpy etc. which would interfere with definitions
+#in headers #included from guest_access.h.
+#
+#No semantic or functional change in this patch.
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+#Acked-by: Ian Campbell <ian.campbell@citrix.com>
+#Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+#---
+# xen/common/libelf/libelf-loader.c | 5 ++++-
+# 1 files changed, 4 insertions(+), 1 deletions(-)
+#
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index 0559d88..ec0706b 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -16,6 +16,10 @@
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
++#ifdef __XEN__
++#include <asm/guest_access.h>
++#endif
++
+ #include "libelf-private.h"
+
+ /* ------------------------------------------------------------------------ */
+@@ -116,7 +120,6 @@ static int elf_load_image(struct elf_binary *elf,
+ return 0;
+ }
+ #else
+-#include <asm/guest_access.h>
+
+ void elf_set_verbose(struct elf_binary *elf)
+ {
+--
+1.7.2.5
+#From de9089b449d2508b1ba05590905c7ebaee00c8c4 Mon Sep 17 00:00:00 2001
+#From: Ian Jackson <ian.jackson@eu.citrix.com>
+#Date: Fri, 14 Jun 2013 16:43:16 +0100
+#Subject: [PATCH 07/23] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
+#
+#xc_dom_load_elf_symtab (with load==0) calls elf_round_up, but it
+#mistakenly used the uninitialised variable "syms" when calculating
+#dom->bsd_symtab_start. This should be a reference to "elf".
+#
+#This change might have the effect of rounding the value differently.
+#Previously if the uninitialised value (a single byte on the stack) was
+#ELFCLASS64 (ie, 2), the alignment would be to 8 bytes, otherwise to 4.
+#
+#However, the value is calculated from dom->kernel_seg.vend so this
+#could only make a difference if that value wasn't already aligned to 8
+#bytes.
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+#Acked-by: Ian Campbell <ian.campbell@citrix.com>
+#---
+# tools/libxc/xc_dom_elfloader.c | 2 +-
+# 1 files changed, 1 insertions(+), 1 deletions(-)
+#
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 031b5b6..e82f6e9 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -144,7 +144,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ hdr = xc_dom_malloc(dom, size);
+ if ( hdr == NULL )
+ return 0;
+- dom->bsd_symtab_start = elf_round_up(&syms, dom->kernel_seg.vend);
++ dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
+ }
+
+ memcpy(hdr + sizeof(int),
+--
+1.7.2.5
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-6-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-6-XSA-55.patch
new file mode 100644
index 000000000000..67990a2435c3
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-6-XSA-55.patch
@@ -0,0 +1,252 @@
+From 3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:18 +0100
+Subject: [PATCH 14/23] libelf: use C99 bool for booleans
+
+We want to remove uses of "int" because signed integers have
+undesirable undefined behaviours on overflow. Malicious compilers can
+turn apparently-correct code into code with security vulnerabilities
+etc.
+
+In this patch we change all the booleans in libelf to C99 bool,
+from <stdbool.h>.
+
+For the one visible libelf boolean in libxc's public interface we
+retain the use of int to avoid changing the ABI; libxc converts it to
+a bool for consumption by libelf.
+
+It is OK to change all values only ever used as booleans to _Bool
+(bool) because conversion from any scalar type to a _Bool works the
+same as the boolean test in if() or ?: and is always defined (C99
+6.3.1.2). But we do need to check that all these variables really are
+only ever used that way. (It is theoretically possible that the old
+code truncated some 64-bit values to 32-bit ints which might become
+zero depending on the value, which would mean a behavioural change in
+this patch, but it seems implausible that treating 0x????????00000000
+as false could have been intended.)
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
+---
+ tools/libxc/xc_dom_elfloader.c | 8 ++++----
+ xen/common/libelf/libelf-dominfo.c | 2 +-
+ xen/common/libelf/libelf-loader.c | 4 ++--
+ xen/common/libelf/libelf-private.h | 2 +-
+ xen/common/libelf/libelf-tools.c | 10 +++++-----
+ xen/include/xen/libelf.h | 18 ++++++++++--------
+ 6 files changed, 23 insertions(+), 21 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 4fb4da2..9ba64ae 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -34,7 +34,7 @@
+ /* ------------------------------------------------------------------------ */
+
+ static void log_callback(struct elf_binary *elf, void *caller_data,
+- int iserr, const char *fmt, va_list al) {
++ bool iserr, const char *fmt, va_list al) {
+ xc_interface *xch = caller_data;
+
+ xc_reportv(xch,
+@@ -46,7 +46,7 @@ static void log_callback(struct elf_binary *elf, void *caller_data,
+
+ void xc_elf_set_logfile(xc_interface *xch, struct elf_binary *elf,
+ int verbose) {
+- elf_set_log(elf, log_callback, xch, verbose);
++ elf_set_log(elf, log_callback, xch, verbose /* convert to bool */);
+ }
+
+ /* ------------------------------------------------------------------------ */
+@@ -84,7 +84,7 @@ static char *xc_dom_guest_type(struct xc_dom_image *dom,
+ /* ------------------------------------------------------------------------ */
+ /* parse elf binary */
+
+-static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
++static int check_elf_kernel(struct xc_dom_image *dom, bool verbose)
+ {
+ if ( dom->kernel_blob == NULL )
+ {
+@@ -112,7 +112,7 @@ static int xc_dom_probe_elf_kernel(struct xc_dom_image *dom)
+ }
+
+ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+- struct elf_binary *elf, int load)
++ struct elf_binary *elf, bool load)
+ {
+ struct elf_binary syms;
+ ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index 98c80dc..12b6c2a 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -101,7 +101,7 @@ int elf_xen_parse_note(struct elf_binary *elf,
+ /* *INDENT-OFF* */
+ static const struct {
+ char *name;
+- int str;
++ bool str;
+ } note_desc[] = {
+ [XEN_ELFNOTE_ENTRY] = { "ENTRY", 0},
+ [XEN_ELFNOTE_HYPERCALL_PAGE] = { "HYPERCALL_PAGE", 0},
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index f8be635..0dccd4d 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -92,7 +92,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
+ }
+
+ #ifndef __XEN__
+-void elf_call_log_callback(struct elf_binary *elf, int iserr,
++void elf_call_log_callback(struct elf_binary *elf, bool iserr,
+ const char *fmt,...) {
+ va_list al;
+
+@@ -107,7 +107,7 @@ void elf_call_log_callback(struct elf_binary *elf, int iserr,
+ }
+
+ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
+- void *log_caller_data, int verbose)
++ void *log_caller_data, bool verbose)
+ {
+ elf->log_callback = log_callback;
+ elf->log_caller_data = log_caller_data;
+diff --git a/xen/common/libelf/libelf-private.h b/xen/common/libelf/libelf-private.h
+index 280dfd1..277be04 100644
+--- a/xen/common/libelf/libelf-private.h
++++ b/xen/common/libelf/libelf-private.h
+@@ -77,7 +77,7 @@
+ #define elf_err(elf, fmt, args ... ) \
+ elf_call_log_callback(elf, 1, fmt , ## args );
+
+-void elf_call_log_callback(struct elf_binary*, int iserr, const char *fmt,...);
++void elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt,...);
+
+ #define safe_strcpy(d,s) \
+ do { strncpy((d),(s),sizeof((d))-1); \
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 744027e..fa58f76 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -31,7 +31,7 @@ const char *elf_check_broken(const struct elf_binary *elf)
+ return elf->broken;
+ }
+
+-static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
++static bool elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
+ const void *region, uint64_t regionsize)
+ /*
+ * Returns true if the putative memory area [ptrval,ptrval+size>
+@@ -53,7 +53,7 @@ static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
+ return 1;
+ }
+
+-int elf_access_ok(struct elf_binary * elf,
++bool elf_access_ok(struct elf_binary * elf,
+ uint64_t ptrval, size_t size)
+ {
+ if ( elf_ptrval_in_range(ptrval, size, elf->image_base, elf->size) )
+@@ -92,7 +92,7 @@ uint64_t elf_access_unsigned(struct elf_binary * elf, elf_ptrval base,
+ uint64_t moreoffset, size_t size)
+ {
+ elf_ptrval ptrval = base + moreoffset;
+- int need_swap = elf_swap(elf);
++ bool need_swap = elf_swap(elf);
+ const uint8_t *u8;
+ const uint16_t *u16;
+ const uint32_t *u32;
+@@ -332,7 +332,7 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
+
+ /* ------------------------------------------------------------------------ */
+
+-int elf_is_elfbinary(const void *image_start, size_t image_size)
++bool elf_is_elfbinary(const void *image_start, size_t image_size)
+ {
+ const Elf32_Ehdr *ehdr = image_start;
+
+@@ -342,7 +342,7 @@ int elf_is_elfbinary(const void *image_start, size_t image_size)
+ return IS_ELF(*ehdr);
+ }
+
+-int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
++bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ {
+ uint64_t p_type = elf_uval(elf, phdr, p_type);
+ uint64_t p_flags = elf_uval(elf, phdr, p_flags);
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index ac93858..951430f 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -29,6 +29,8 @@
+ #error define architectural endianness
+ #endif
+
++#include <stdbool.h>
++
+ #undef ELFSIZE
+ #include "elfstructs.h"
+ #ifdef __XEN__
+@@ -42,7 +44,7 @@
+
+ struct elf_binary;
+ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+- int iserr, const char *fmt, va_list al);
++ bool iserr, const char *fmt, va_list al);
+
+ #endif
+
+@@ -237,7 +239,7 @@ struct elf_binary {
+ elf_log_callback *log_callback;
+ void *log_caller_data;
+ #endif
+- int verbose;
++ bool verbose;
+ const char *broken;
+ };
+
+@@ -301,8 +303,8 @@ void elf_memset_safe(struct elf_binary*, elf_ptrval dst, int c, size_t);
+ * outside permitted areas.
+ */
+
+-int elf_access_ok(struct elf_binary * elf,
+- uint64_t ptrval, size_t size);
++bool elf_access_ok(struct elf_binary * elf,
++ uint64_t ptrval, size_t size);
+
+ #define elf_store_val(elf, type, ptr, val) \
+ ({ \
+@@ -351,9 +353,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
+ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+
+ /* (Only) checks that the image has the right magic number. */
+-int elf_is_elfbinary(const void *image_start, size_t image_size);
++bool elf_is_elfbinary(const void *image_start, size_t image_size);
+
+-int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
++bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_loader.c */
+@@ -367,7 +369,7 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size);
+ void elf_set_verbose(struct elf_binary *elf);
+ #else
+ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
+- void *log_caller_pointer, int verbose);
++ void *log_caller_pointer, bool verbose);
+ #endif
+
+ void elf_parse_binary(struct elf_binary *elf);
+@@ -419,7 +421,7 @@ struct elf_dom_parms {
+ char xen_ver[16];
+ char loader[16];
+ int pae;
+- int bsd_symtab;
++ bool bsd_symtab;
+ uint64_t virt_base;
+ uint64_t virt_entry;
+ uint64_t virt_hypercall;
+--
+1.7.2.5
+
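Review bot: The file name `xen-4.2-CVE-2013-6-XSA-55.patch` does not match what the file carries: its Subject line is `[PATCH 14/23]`, while `[PATCH 06/23]` already sits inside `xen-4.2-CVE-2013-5to7-XSA-55.patch`. The `CVE-2013-6` part is also not a well-formed CVE identifier. The next file, `xen-4.2-CVE-2013-7-XSA-55.patch`, shows the same mismatch with `[PATCH 19/23]`. Anyone auditing whether all 23 parts of XSA-55 are applied has to open every file to find out. A leading comment in each file naming the upstream parts it carries, for example `# XSA-55: upstream [PATCH 14/23]`, would make that check possible without reading the patch bodies.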
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-7-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-7-XSA-55.patch
new file mode 100644
index 000000000000..61076204fa30
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-7-XSA-55.patch
@@ -0,0 +1,382 @@
+From 77c0829fa751f052f7b8ec08287aef6e7ba97bc5 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:19 +0100
+Subject: [PATCH 19/23] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
+
+The return values from xc_dom_*_to_ptr and xc_map_foreign_range are
+sometimes dereferenced, or subjected to pointer arithmetic, without
+checking whether the relevant function failed and returned NULL.
+
+Add an appropriate error check at every call site.
+
+Changes in the 4.2 backport of this series:
+* Fix tools/libxc/xc_dom_x86.c:setup_pgtables_x86_32.
+* Fix tools/libxc/xc_dom_ia64.c:start_info_ia64.
+* Fix tools/libxc/ia64/xc_ia64_dom_fwloader.c:xc_dom_load_fw_kernel.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxc/ia64/xc_ia64_dom_fwloader.c | 2 +
+ tools/libxc/xc_dom_binloader.c | 6 +++
+ tools/libxc/xc_dom_core.c | 6 +++
+ tools/libxc/xc_dom_elfloader.c | 13 +++++++
+ tools/libxc/xc_dom_ia64.c | 6 +++
+ tools/libxc/xc_dom_x86.c | 55 +++++++++++++++++++++++++++++++
+ tools/libxc/xc_domain_restore.c | 27 +++++++++++++++
+ tools/libxc/xc_offline_page.c | 5 +++
+ 8 files changed, 120 insertions(+), 0 deletions(-)
+
+diff --git a/tools/libxc/ia64/xc_ia64_dom_fwloader.c b/tools/libxc/ia64/xc_ia64_dom_fwloader.c
+index cdf3333..dbd3349 100644
+--- a/tools/libxc/ia64/xc_ia64_dom_fwloader.c
++++ b/tools/libxc/ia64/xc_ia64_dom_fwloader.c
+@@ -60,6 +60,8 @@ static int xc_dom_load_fw_kernel(struct xc_dom_image *dom)
+ unsigned long i;
+
+ dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart);
++ if ( dest == NULL )
++ return -1;
+ memcpy(dest, dom->kernel_blob, FW_SIZE);
+
+ /* Synchronize cache. */
+diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
+index 8596a28..553b366 100644
+--- a/tools/libxc/xc_dom_binloader.c
++++ b/tools/libxc/xc_dom_binloader.c
+@@ -277,6 +277,12 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
+ DOMPRINTF(" bss_size: 0x%" PRIx32 "", bss_size);
+
+ dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart, &dest_size);
++ if ( dest == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart)"
++ " => NULL", __FUNCTION__);
++ return -EINVAL;
++ }
+
+ if ( dest_size < text_size ||
+ dest_size - text_size < bss_size )
+diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
+index 8913e41..a54ddae 100644
+--- a/tools/libxc/xc_dom_core.c
++++ b/tools/libxc/xc_dom_core.c
+@@ -868,6 +868,12 @@ int xc_dom_build_image(struct xc_dom_image *dom)
+ ramdisklen) != 0 )
+ goto err;
+ ramdiskmap = xc_dom_seg_to_ptr(dom, &dom->ramdisk_seg);
++ if ( ramdiskmap == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_seg_to_ptr(dom, &dom->ramdisk_seg) => NULL",
++ __FUNCTION__);
++ goto err;
++ }
+ if ( unziplen )
+ {
+ if ( xc_dom_do_gunzip(dom->xch,
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index 9fc4b94..61b5798 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -139,6 +139,12 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ return 0;
+ size = dom->kernel_seg.vend - dom->bsd_symtab_start;
+ hdr_ptr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
++ if ( hdr_ptr == NULL )
++ {
++ DOMPRINTF("%s/load: xc_dom_vaddr_to_ptr(dom,dom->bsd_symtab_start"
++ " => NULL", __FUNCTION__);
++ return -1;
++ }
+ elf->caller_xdest_base = hdr_ptr;
+ elf->caller_xdest_size = allow_size;
+ hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
+@@ -384,7 +390,14 @@ static elf_errorstatus xc_dom_load_elf_kernel(struct xc_dom_image *dom)
+ xen_pfn_t pages;
+
+ elf->dest_base = xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg, &pages);
++ if ( elf->dest_base == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_vaddr_to_ptr(dom,dom->kernel_seg)"
++ " => NULL", __FUNCTION__);
++ return -1;
++ }
+ elf->dest_size = pages * XC_DOM_PAGE_SIZE(dom);
++
+ rc = elf_load_binary(elf);
+ if ( rc < 0 )
+ {
+diff --git a/tools/libxc/xc_dom_ia64.c b/tools/libxc/xc_dom_ia64.c
+index dcd1523..7c0eff1 100644
+--- a/tools/libxc/xc_dom_ia64.c
++++ b/tools/libxc/xc_dom_ia64.c
+@@ -60,6 +60,12 @@ int start_info_ia64(struct xc_dom_image *dom)
+
+ DOMPRINTF_CALLED(dom->xch);
+
++ if ( start_info == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
++ return -1; /* our caller throws away our return value :-/ */
++ }
++
+ memset(start_info, 0, sizeof(*start_info));
+ sprintf(start_info->magic, dom->guest_type);
+ start_info->flags = dom->flags;
+diff --git a/tools/libxc/xc_dom_x86.c b/tools/libxc/xc_dom_x86.c
+index 0cf1687..75d6b83 100644
+--- a/tools/libxc/xc_dom_x86.c
++++ b/tools/libxc/xc_dom_x86.c
+@@ -144,6 +144,9 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
+ xen_vaddr_t addr;
+ xen_pfn_t pgpfn;
+
++ if ( l2tab == NULL )
++ goto pfn_error;
++
+ for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
+ addr += PAGE_SIZE_X86 )
+ {
+@@ -151,6 +154,8 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
+ {
+ /* get L1 tab, make L2 entry */
+ l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
++ if ( l1tab == NULL )
++ goto pfn_error;
+ l2off = l2_table_offset_i386(addr);
+ l2tab[l2off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
+@@ -169,6 +174,11 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
+ l1tab = NULL;
+ }
+ return 0;
++
++pfn_error:
++ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
++ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
++ return -EINVAL;
+ }
+
+ /*
+@@ -219,6 +229,12 @@ static xen_pfn_t move_l3_below_4G(struct xc_dom_image *dom,
+ goto out;
+
+ l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
++ if ( l3tab == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr(dom, l3pfn, 1) => NULL",
++ __FUNCTION__);
++ return l3mfn; /* our one call site will call xc_dom_panic and fail */
++ }
+ memset(l3tab, 0, XC_DOM_PAGE_SIZE(dom));
+
+ DOMPRINTF("%s: successfully relocated L3 below 4G. "
+@@ -262,6 +278,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ }
+
+ l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
++ if ( l3tab == NULL )
++ goto pfn_error;
+
+ for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
+ addr += PAGE_SIZE_X86 )
+@@ -270,6 +288,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ {
+ /* get L2 tab, make L3 entry */
+ l2tab = xc_dom_pfn_to_ptr(dom, l2pfn, 1);
++ if ( l2tab == NULL )
++ goto pfn_error;
+ l3off = l3_table_offset_pae(addr);
+ l3tab[l3off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
+@@ -280,6 +300,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ {
+ /* get L1 tab, make L2 entry */
+ l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
++ if ( l1tab == NULL )
++ goto pfn_error;
+ l2off = l2_table_offset_pae(addr);
+ l2tab[l2off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
+@@ -306,6 +328,11 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
+ l3tab[3] = pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
+ }
+ return 0;
++
++pfn_error:
++ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
++ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
++ return -EINVAL;
+ }
+
+ #undef L1_PROT
+@@ -344,6 +371,9 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ uint64_t addr;
+ xen_pfn_t pgpfn;
+
++ if ( l4tab == NULL )
++ goto pfn_error;
++
+ for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
+ addr += PAGE_SIZE_X86 )
+ {
+@@ -351,6 +381,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ {
+ /* get L3 tab, make L4 entry */
+ l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
++ if ( l3tab == NULL )
++ goto pfn_error;
+ l4off = l4_table_offset_x86_64(addr);
+ l4tab[l4off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l3pfn)) | L4_PROT;
+@@ -361,6 +393,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ {
+ /* get L2 tab, make L3 entry */
+ l2tab = xc_dom_pfn_to_ptr(dom, l2pfn, 1);
++ if ( l2tab == NULL )
++ goto pfn_error;
+ l3off = l3_table_offset_x86_64(addr);
+ l3tab[l3off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
+@@ -373,6 +407,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ {
+ /* get L1 tab, make L2 entry */
+ l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
++ if ( l1tab == NULL )
++ goto pfn_error;
+ l2off = l2_table_offset_x86_64(addr);
+ l2tab[l2off] =
+ pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
+@@ -393,6 +429,11 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
+ l1tab = NULL;
+ }
+ return 0;
++
++pfn_error:
++ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
++ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
++ return -EINVAL;
+ }
+
+ #undef L1_PROT
+@@ -410,6 +451,8 @@ static int alloc_magic_pages(struct xc_dom_image *dom)
+ if ( xc_dom_alloc_segment(dom, &dom->p2m_seg, "phys2mach", 0, p2m_size) )
+ return -1;
+ dom->p2m_guest = xc_dom_seg_to_ptr(dom, &dom->p2m_seg);
++ if ( dom->p2m_guest == NULL )
++ return -1;
+
+ /* allocate special pages */
+ dom->start_info_pfn = xc_dom_alloc_page(dom, "start info");
+@@ -434,6 +477,12 @@ static int start_info_x86_32(struct xc_dom_image *dom)
+
+ DOMPRINTF_CALLED(dom->xch);
+
++ if ( start_info == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
++ return -1; /* our caller throws away our return value :-/ */
++ }
++
+ memset(start_info, 0, sizeof(*start_info));
+ strncpy(start_info->magic, dom->guest_type, sizeof(start_info->magic));
+ start_info->magic[sizeof(start_info->magic) - 1] = '\0';
+@@ -474,6 +523,12 @@ static int start_info_x86_64(struct xc_dom_image *dom)
+
+ DOMPRINTF_CALLED(dom->xch);
+
++ if ( start_info == NULL )
++ {
++ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
++ return -1; /* our caller throws away our return value :-/ */
++ }
++
+ memset(start_info, 0, sizeof(*start_info));
+ strncpy(start_info->magic, dom->guest_type, sizeof(start_info->magic));
+ start_info->magic[sizeof(start_info->magic) - 1] = '\0';
+diff --git a/tools/libxc/xc_domain_restore.c b/tools/libxc/xc_domain_restore.c
+index b4c0b10..3994f8f 100644
+--- a/tools/libxc/xc_domain_restore.c
++++ b/tools/libxc/xc_domain_restore.c
+@@ -1556,6 +1556,12 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ mfn = ctx->p2m[pfn];
+ buf = xc_map_foreign_range(xch, dom, PAGE_SIZE,
+ PROT_READ | PROT_WRITE, mfn);
++ if ( buf == NULL )
++ {
++ ERROR("xc_map_foreign_range for generation id"
++ " buffer failed");
++ goto out;
++ }
+
+ generationid = *(unsigned long long *)(buf + offset);
+ *(unsigned long long *)(buf + offset) = generationid + 1;
+@@ -1713,6 +1719,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ l3tab = (uint64_t *)
+ xc_map_foreign_range(xch, dom, PAGE_SIZE,
+ PROT_READ, ctx->p2m[i]);
++ if ( l3tab == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for l3tab)");
++ goto out;
++ }
+
+ for ( j = 0; j < 4; j++ )
+ l3ptes[j] = l3tab[j];
+@@ -1739,6 +1750,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ l3tab = (uint64_t *)
+ xc_map_foreign_range(xch, dom, PAGE_SIZE,
+ PROT_READ | PROT_WRITE, ctx->p2m[i]);
++ if ( l3tab == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for l3tab, 2nd)");
++ goto out;
++ }
+
+ for ( j = 0; j < 4; j++ )
+ l3tab[j] = l3ptes[j];
+@@ -1909,6 +1925,12 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ SET_FIELD(ctxt, user_regs.edx, mfn);
+ start_info = xc_map_foreign_range(
+ xch, dom, PAGE_SIZE, PROT_READ | PROT_WRITE, mfn);
++ if ( start_info == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for start_info)");
++ goto out;
++ }
++
+ SET_FIELD(start_info, nr_pages, dinfo->p2m_size);
+ SET_FIELD(start_info, shared_info, shared_info_frame<<PAGE_SHIFT);
+ SET_FIELD(start_info, flags, 0);
+@@ -2056,6 +2078,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
+ /* Restore contents of shared-info page. No checking needed. */
+ new_shared_info = xc_map_foreign_range(
+ xch, dom, PAGE_SIZE, PROT_WRITE, shared_info_frame);
++ if ( new_shared_info == NULL )
++ {
++ PERROR("xc_map_foreign_range failed (for new_shared_info)");
++ goto out;
++ }
+
+ /* restore saved vcpu_info and arch specific info */
+ MEMCPY_FIELD(new_shared_info, old_shared_info, vcpu_info);
+diff --git a/tools/libxc/xc_offline_page.c b/tools/libxc/xc_offline_page.c
+index 089a361..36b9812 100644
+--- a/tools/libxc/xc_offline_page.c
++++ b/tools/libxc/xc_offline_page.c
+@@ -714,6 +714,11 @@ int xc_exchange_page(xc_interface *xch, int domid, xen_pfn_t mfn)
+
+ new_p = xc_map_foreign_range(xch, domid, PAGE_SIZE,
+ PROT_READ|PROT_WRITE, new_mfn);
++ if ( new_p == NULL )
++ {
++ ERROR("failed to map new_p for copy, guest may be broken?");
++ goto failed;
++ }
+ memcpy(new_p, backup, PAGE_SIZE);
+ munmap(new_p, PAGE_SIZE);
+ mops.arg1.mfn = new_mfn;
+--
+1.7.2.5
+
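Review bot: In the embedded libxc patch, the NULL checks added to start_info_ia64, start_info_x86_32 and start_info_x86_64 return -1, but the patch's own comment says the caller throws that value away, so a failed xc_dom_pfn_to_ptr is logged and the domain build presumably carries on with an unwritten start_info page. The call site is not part of this patch; it should test the return value and abort the build, so that these checks stop the operation instead of only avoiding the NULL dereference. The log text added in xc_dom_load_elf_kernel names xc_dom_vaddr_to_ptr although the failing call is xc_dom_seg_to_ptr_pages, and the one in xc_dom_load_elf_symtab lacks its closing parenthesis; I would write `DOMPRINTF("%s: xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg) => NULL", __FUNCTION__);` and `"%s/load: xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start) => NULL"`. In xc_domain_restore the first new check reports with ERROR while the later ones use PERROR; using PERROR there too would keep errno in the message, assuming xc_map_foreign_range sets it on failure.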
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-8-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-8-XSA-55.patch
new file mode 100644
index 000000000000..a9256b54444f
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-8-XSA-55.patch
@@ -0,0 +1,1196 @@
+From 40020ab55a1e9a1674ddecdb70299fab4fe8579d Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:17 +0100
+Subject: [PATCH 08/23] libelf: introduce macros for memory access and pointer handling
+
+We introduce a collection of macros which abstract away all the
+pointer arithmetic and dereferences used for accessing the input ELF
+and the output area(s). We use the new macros everywhere.
+
+For now, these macros are semantically identical to the code they
+replace, so this patch has no functional change.
+
+elf_is_elfbinary is an exception: since it doesn't take an elf*, we
+need to handle it differently. In a future patch we will change it to
+take, and check, a length parameter. For now we just mark it with a
+fixme.
+
+That this patch has no functional change can be verified as follows:
+
+ 0. Copy the scripts "comparison-generate" and "function-filter"
+ out of this commit message.
+ 1. Check out the tree before this patch.
+ 2. Run the script ../comparison-generate .... ../before
+ 3. Check out the tree after this patch.
+ 4. Run the script ../comparison-generate .... ../after
+ 5. diff --exclude=\*.[soi] -ruN before/ after/ |less
+
+Expect these differences:
+ * stubdom/zlib-x86_64/ztest*.s2
+ The filename of this test file apparently contains the pid.
+ * xen/common/version.s2
+ The xen build timestamp appears in two diff hunks.
+
+Verification that this is all that's needed:
+ In a completely built xen.git,
+ find * -name .*.d -type f | xargs grep -l libelf\.h
+ Expect results in:
+ xen/arch/x86: Checked above.
+ tools/libxc: Checked above.
+ tools/xcutils/readnotes: Checked above.
+ tools/xenstore: Checked above.
+ xen/common/libelf:
+ This is the build for the hypervisor; checked in B above.
+ stubdom:
+ We have one stubdom which reads ELFs using our libelf,
+ pvgrub, which is checked above.
+
+I have not done this verification for ARM.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+-8<- comparison-generate -8<-
+ #!/bin/bash
+ # usage:
+ # cd xen.git
+ # .../comparison-generate OUR-CONFIG BUILD-RUNE-PREFIX ../before|../after
+ # eg:
+ # .../comparison-generate ~/work/.config 'schroot -pc64 --' ../before
+ set -ex
+
+ test $# = 3 || need-exactly-three-arguments
+
+ our_config=$1
+ build_rune_prefix=$2
+ result_dir=$3
+
+ git clean -x -d -f
+
+ cp "$our_config" .
+
+ cat <<END >>.config
+ debug_symbols=n
+ CFLAGS += -save-temps
+ END
+
+ perl -i~ -pe 's/ -g / -g0 / if m/^CFLAGS/' xen/Rules.mk
+
+ if [ -f ./configure ]; then
+ $build_rune_prefix ./configure
+ fi
+
+ $build_rune_prefix make -C xen
+ $build_rune_prefix make -C tools/include
+ $build_rune_prefix make -C stubdom grub
+ $build_rune_prefix make -C tools/libxc
+ $build_rune_prefix make -C tools/xenstore
+ $build_rune_prefix make -C tools/xcutils
+
+ rm -rf "$result_dir"
+ mkdir "$result_dir"
+
+ set +x
+ for f in `find xen tools stubdom -name \*.[soi]`; do
+ mkdir -p "$result_dir"/`dirname $f`
+ cp $f "$result_dir"/${f}
+ case $f in
+ *.s)
+ ../function-filter <$f >"$result_dir"/${f}2
+ ;;
+ esac
+ done
+
+ echo ok.
+-8<-
+
+-8<- function-filter -8<-
+ #!/usr/bin/perl -w
+ # function-filter
+ # script for massaging gcc-generated labels to be consistent
+ use strict;
+ our @lines;
+ my $sedderybody = "sub seddery () {\n";
+ while (<>) {
+ push @lines, $_;
+ if (m/^(__FUNCTION__|__func__)\.(\d+)\:/) {
+ $sedderybody .= " s/\\b$1\\.$2\\b/__XSA55MANGLED__$1.$./g;\n";
+ }
+ }
+ $sedderybody .= "}\n1;\n";
+ eval $sedderybody or die $@;
+ foreach (@lines) {
+ seddery();
+ print or die $!;
+ }
+-8<-
+---
+ tools/libxc/xc_dom_elfloader.c | 30 +++---
+ tools/libxc/xc_hvm_build_x86.c | 2 +-
+ tools/xcutils/readnotes.c | 26 +++---
+ xen/common/libelf/libelf-dominfo.c | 51 +++++-----
+ xen/common/libelf/libelf-loader.c | 84 +++++++++--------
+ xen/common/libelf/libelf-tools.c | 94 +++++++++---------
+ xen/include/xen/libelf.h | 188 +++++++++++++++++++++++++++++++-----
+ 7 files changed, 312 insertions(+), 163 deletions(-)
+
+diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
+index e82f6e9..cc0f206 100644
+--- a/tools/libxc/xc_dom_elfloader.c
++++ b/tools/libxc/xc_dom_elfloader.c
+@@ -115,9 +115,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ struct elf_binary *elf, int load)
+ {
+ struct elf_binary syms;
+- const elf_shdr *shdr, *shdr2;
++ ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
+ xen_vaddr_t symtab, maxaddr;
+- char *hdr;
++ ELF_PTRVAL_CHAR hdr;
+ size_t size;
+ int h, count, type, i, tables = 0;
+
+@@ -147,11 +147,11 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
+ }
+
+- memcpy(hdr + sizeof(int),
+- elf->image,
++ elf_memcpy_safe(elf, hdr + sizeof(int),
++ ELF_IMAGE_BASE(elf),
+ elf_size(elf, elf->ehdr));
+- memcpy(hdr + sizeof(int) + elf_size(elf, elf->ehdr),
+- elf->image + elf_uval(elf, elf->ehdr, e_shoff),
++ elf_memcpy_safe(elf, hdr + sizeof(int) + elf_size(elf, elf->ehdr),
++ ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
+ elf_shdr_count(elf) * elf_size(elf, shdr));
+ if ( elf_64bit(elf) )
+ {
+@@ -189,7 +189,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ count = elf_shdr_count(&syms);
+ for ( h = 0; h < count; h++ )
+ {
+- shdr = elf_shdr_by_index(&syms, h);
++ shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
+ type = elf_uval(&syms, shdr, sh_type);
+ if ( type == SHT_STRTAB )
+ {
+@@ -205,9 +205,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ if ( i == count )
+ {
+ if ( elf_64bit(&syms) )
+- *(Elf64_Off*)(&shdr->e64.sh_offset) = 0;
++ elf_store_field(elf, shdr, e64.sh_offset, 0);
+ else
+- *(Elf32_Off*)(&shdr->e32.sh_offset) = 0;
++ elf_store_field(elf, shdr, e32.sh_offset, 0);
+ continue;
+ }
+ }
+@@ -216,9 +216,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ {
+ /* Mangled to be based on ELF header location. */
+ if ( elf_64bit(&syms) )
+- *(Elf64_Off*)(&shdr->e64.sh_offset) = maxaddr - symtab;
++ elf_store_field(elf, shdr, e64.sh_offset, maxaddr - symtab);
+ else
+- *(Elf32_Off*)(&shdr->e32.sh_offset) = maxaddr - symtab;
++ elf_store_field(elf, shdr, e32.sh_offset, maxaddr - symtab);
+ size = elf_uval(&syms, shdr, sh_size);
+ maxaddr = elf_round_up(&syms, maxaddr + size);
+ tables++;
+@@ -230,7 +230,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+ if ( load )
+ {
+ shdr2 = elf_shdr_by_index(elf, h);
+- memcpy((void*)elf_section_start(&syms, shdr),
++ elf_memcpy_safe(elf, ELF_OBSOLETE_VOIDP_CAST elf_section_start(&syms, shdr),
+ elf_section_start(elf, shdr2),
+ size);
+ }
+@@ -238,9 +238,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
+
+ /* Name is NULL. */
+ if ( elf_64bit(&syms) )
+- *(Elf64_Word*)(&shdr->e64.sh_name) = 0;
++ elf_store_field(elf, shdr, e64.sh_name, 0);
+ else
+- *(Elf32_Word*)(&shdr->e32.sh_name) = 0;
++ elf_store_field(elf, shdr, e32.sh_name, 0);
+ }
+
+ if ( tables == 0 )
+@@ -275,7 +275,7 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
+ }
+
+ /* Find the section-header strings table. */
+- if ( elf->sec_strtab == NULL )
++ if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
+ {
+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: ELF image"
+ " has no shstrtab", __FUNCTION__);
+diff --git a/tools/libxc/xc_hvm_build_x86.c b/tools/libxc/xc_hvm_build_x86.c
+index cf5d7fb..15b603d 100644
+--- a/tools/libxc/xc_hvm_build_x86.c
++++ b/tools/libxc/xc_hvm_build_x86.c
+@@ -110,7 +110,7 @@ static int loadelfimage(
+ if ( elf->dest == NULL )
+ goto err;
+
+- elf->dest += elf->pstart & (PAGE_SIZE - 1);
++ ELF_ADVANCE_DEST(elf, elf->pstart & (PAGE_SIZE - 1));
+
+ /* Load the initial elf image. */
+ rc = elf_load_binary(elf);
+diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
+index c926186..2af047d 100644
+--- a/tools/xcutils/readnotes.c
++++ b/tools/xcutils/readnotes.c
+@@ -61,13 +61,13 @@ struct setup_header {
+ } __attribute__((packed));
+
+ static void print_string_note(const char *prefix, struct elf_binary *elf,
+- const elf_note *note)
++ ELF_HANDLE_DECL(elf_note) note)
+ {
+ printf("%s: %s\n", prefix, (char*)elf_note_desc(elf, note));
+ }
+
+ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
+- const elf_note *note)
++ ELF_HANDLE_DECL(elf_note) note)
+ {
+ uint64_t value = elf_note_numeric(elf, note);
+ int descsz = elf_uval(elf, note, descsz);
+@@ -98,12 +98,12 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
+
+ }
+
+-static int print_notes(struct elf_binary *elf, const elf_note *start, const elf_note *end)
++static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
+ {
+- const elf_note *note;
++ ELF_HANDLE_DECL(elf_note) note;
+ int notes_found = 0;
+
+- for ( note = start; note < end; note = elf_note_next(elf, note) )
++ for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
+ {
+ if (0 != strcmp(elf_note_name(elf, note), "Xen"))
+ continue;
+@@ -170,7 +170,7 @@ int main(int argc, char **argv)
+ void *image,*tmp;
+ struct stat st;
+ struct elf_binary elf;
+- const elf_shdr *shdr;
++ ELF_HANDLE_DECL(elf_shdr) shdr;
+ int notes_found = 0;
+
+ struct setup_header *hdr;
+@@ -257,7 +257,7 @@ int main(int argc, char **argv)
+ count = elf_phdr_count(&elf);
+ for ( h=0; h < count; h++)
+ {
+- const elf_phdr *phdr;
++ ELF_HANDLE_DECL(elf_phdr) phdr;
+ phdr = elf_phdr_by_index(&elf, h);
+ if (elf_uval(&elf, phdr, p_type) != PT_NOTE)
+ continue;
+@@ -269,8 +269,8 @@ int main(int argc, char **argv)
+ continue;
+
+ notes_found = print_notes(&elf,
+- elf_segment_start(&elf, phdr),
+- elf_segment_end(&elf, phdr));
++ ELF_MAKE_HANDLE(elf_note, elf_segment_start(&elf, phdr)),
++ ELF_MAKE_HANDLE(elf_note, elf_segment_end(&elf, phdr)));
+ }
+
+ if ( notes_found == 0 )
+@@ -278,13 +278,13 @@ int main(int argc, char **argv)
+ count = elf_shdr_count(&elf);
+ for ( h=0; h < count; h++)
+ {
+- const elf_shdr *shdr;
++ ELF_HANDLE_DECL(elf_shdr) shdr;
+ shdr = elf_shdr_by_index(&elf, h);
+ if (elf_uval(&elf, shdr, sh_type) != SHT_NOTE)
+ continue;
+ notes_found = print_notes(&elf,
+- elf_section_start(&elf, shdr),
+- elf_section_end(&elf, shdr));
++ ELF_MAKE_HANDLE(elf_note, elf_section_start(&elf, shdr)),
++ ELF_MAKE_HANDLE(elf_note, elf_section_end(&elf, shdr)));
+ if ( notes_found )
+ fprintf(stderr, "using notes from SHT_NOTE section\n");
+
+@@ -292,7 +292,7 @@ int main(int argc, char **argv)
+ }
+
+ shdr = elf_shdr_by_name(&elf, "__xen_guest");
+- if (shdr)
++ if (ELF_HANDLE_VALID(shdr))
+ printf("__xen_guest: %s\n", (char*)elf_section_start(&elf, shdr));
+
+ return 0;
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index 523837f..7140d59 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -44,7 +44,7 @@ int elf_xen_parse_features(const char *features,
+
+ for ( pos = 0; features[pos] != '\0'; pos += len )
+ {
+- memset(feature, 0, sizeof(feature));
++ elf_memset_unchecked(feature, 0, sizeof(feature));
+ for ( len = 0;; len++ )
+ {
+ if ( len >= sizeof(feature)-1 )
+@@ -96,7 +96,7 @@ int elf_xen_parse_features(const char *features,
+
+ int elf_xen_parse_note(struct elf_binary *elf,
+ struct elf_dom_parms *parms,
+- const elf_note *note)
++ ELF_HANDLE_DECL(elf_note) note)
+ {
+ /* *INDENT-OFF* */
+ static const struct {
+@@ -215,15 +215,16 @@ int elf_xen_parse_note(struct elf_binary *elf,
+
+ static int elf_xen_parse_notes(struct elf_binary *elf,
+ struct elf_dom_parms *parms,
+- const void *start, const void *end)
++ ELF_PTRVAL_CONST_VOID start,
++ ELF_PTRVAL_CONST_VOID end)
+ {
+ int xen_elfnotes = 0;
+- const elf_note *note;
++ ELF_HANDLE_DECL(elf_note) note;
+
+ parms->elf_note_start = start;
+ parms->elf_note_end = end;
+- for ( note = parms->elf_note_start;
+- (void *)note < parms->elf_note_end;
++ for ( note = ELF_MAKE_HANDLE(elf_note, parms->elf_note_start);
++ ELF_HANDLE_PTRVAL(note) < parms->elf_note_end;
+ note = elf_note_next(elf, note) )
+ {
+ if ( strcmp(elf_note_name(elf, note), "Xen") )
+@@ -241,45 +242,46 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
+ int elf_xen_parse_guest_info(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+- const char *h;
++ ELF_PTRVAL_CONST_CHAR h;
+ char name[32], value[128];
+ int len;
+
+ h = parms->guest_info;
+- while ( *h )
++#define STAR(h) (*(h))
++ while ( STAR(h) )
+ {
+- memset(name, 0, sizeof(name));
+- memset(value, 0, sizeof(value));
++ elf_memset_unchecked(name, 0, sizeof(name));
++ elf_memset_unchecked(value, 0, sizeof(value));
+ for ( len = 0;; len++, h++ )
+ {
+ if ( len >= sizeof(name)-1 )
+ break;
+- if ( *h == '\0' )
++ if ( STAR(h) == '\0' )
+ break;
+- if ( *h == ',' )
++ if ( STAR(h) == ',' )
+ {
+ h++;
+ break;
+ }
+- if ( *h == '=' )
++ if ( STAR(h) == '=' )
+ {
+ h++;
+ for ( len = 0;; len++, h++ )
+ {
+ if ( len >= sizeof(value)-1 )
+ break;
+- if ( *h == '\0' )
++ if ( STAR(h) == '\0' )
+ break;
+- if ( *h == ',' )
++ if ( STAR(h) == ',' )
+ {
+ h++;
+ break;
+ }
+- value[len] = *h;
++ value[len] = STAR(h);
+ }
+ break;
+ }
+- name[len] = *h;
++ name[len] = STAR(h);
+ }
+ elf_msg(elf, "%s: %s=\"%s\"\n", __FUNCTION__, name, value);
+
+@@ -328,7 +330,8 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
+ static int elf_xen_note_check(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+- if ( (parms->elf_note_start == NULL) && (parms->guest_info == NULL) )
++ if ( (ELF_PTRVAL_INVALID(parms->elf_note_start)) &&
++ (ELF_PTRVAL_INVALID(parms->guest_info)) )
+ {
+ int machine = elf_uval(elf, elf->ehdr, e_machine);
+ if ( (machine == EM_386) || (machine == EM_X86_64) )
+@@ -457,12 +460,12 @@ static int elf_xen_addr_calc_check(struct elf_binary *elf,
+ int elf_xen_parse(struct elf_binary *elf,
+ struct elf_dom_parms *parms)
+ {
+- const elf_shdr *shdr;
+- const elf_phdr *phdr;
++ ELF_HANDLE_DECL(elf_shdr) shdr;
++ ELF_HANDLE_DECL(elf_phdr) phdr;
+ int xen_elfnotes = 0;
+ int i, count, rc;
+
+- memset(parms, 0, sizeof(*parms));
++ elf_memset_unchecked(parms, 0, sizeof(*parms));
+ parms->virt_base = UNSET_ADDR;
+ parms->virt_entry = UNSET_ADDR;
+ parms->virt_hypercall = UNSET_ADDR;
+@@ -532,11 +535,11 @@ int elf_xen_parse(struct elf_binary *elf,
+ for ( i = 0; i < count; i++ )
+ {
+ shdr = elf_shdr_by_name(elf, "__xen_guest");
+- if ( shdr )
++ if ( ELF_HANDLE_VALID(shdr) )
+ {
+ parms->guest_info = elf_section_start(elf, shdr);
+- parms->elf_note_start = NULL;
+- parms->elf_note_end = NULL;
++ parms->elf_note_start = ELF_INVALID_PTRVAL;
++ parms->elf_note_end = ELF_INVALID_PTRVAL;
+ elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
+ parms->guest_info);
+ elf_xen_parse_guest_info(elf, parms);
+diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
+index ec0706b..0fef84c 100644
+--- a/xen/common/libelf/libelf-loader.c
++++ b/xen/common/libelf/libelf-loader.c
+@@ -26,7 +26,7 @@
+
+ int elf_init(struct elf_binary *elf, const char *image, size_t size)
+ {
+- const elf_shdr *shdr;
++ ELF_HANDLE_DECL(elf_shdr) shdr;
+ uint64_t i, count, section, offset;
+
+ if ( !elf_is_elfbinary(image) )
+@@ -35,7 +35,7 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size)
+ return -1;
+ }
+
+- memset(elf, 0, sizeof(*elf));
++ elf_memset_unchecked(elf, 0, sizeof(*elf));
+ elf->image = image;
+ elf->size = size;
+ elf->ehdr = (elf_ehdr *)image;
+@@ -65,7 +65,7 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size)
+ /* Find section string table. */
+ section = elf_uval(elf, elf->ehdr, e_shstrndx);
+ shdr = elf_shdr_by_index(elf, section);
+- if ( shdr != NULL )
++ if ( ELF_HANDLE_VALID(shdr) )
+ elf->sec_strtab = elf_section_start(elf, shdr);
+
+ /* Find symbol table and symbol string table. */
+@@ -77,9 +77,9 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size)
+ continue;
+ elf->sym_tab = shdr;
+ shdr = elf_shdr_by_index(elf, elf_uval(elf, shdr, sh_link));
+- if ( shdr == NULL )
++ if ( !ELF_HANDLE_VALID(shdr) )
+ {
+- elf->sym_tab = NULL;
++ elf->sym_tab = ELF_INVALID_HANDLE(elf_shdr);
+ continue;
+ }
+ elf->sym_strtab = elf_section_start(elf, shdr);
+@@ -113,10 +113,11 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
+ }
+
+ static int elf_load_image(struct elf_binary *elf,
+- void *dst, const void *src, uint64_t filesz, uint64_t memsz)
++ ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src,
++ uint64_t filesz, uint64_t memsz)
+ {
+- memcpy(dst, src, filesz);
+- memset(dst + filesz, 0, memsz - filesz);
++ elf_memcpy_safe(elf, dst, src, filesz);
++ elf_memset_safe(elf, dst + filesz, 0, memsz - filesz);
+ return 0;
+ }
+ #else
+@@ -126,16 +127,17 @@ void elf_set_verbose(struct elf_binary *elf)
+ elf->verbose = 1;
+ }
+
+-static int elf_load_image(struct elf_binary *elf,
+- void *dst, const void *src, uint64_t filesz, uint64_t memsz)
++static int elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
+ {
+ int rc;
+ if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
+ return -1;
+- rc = raw_copy_to_guest(dst, src, filesz);
++ /* We trust the dom0 kernel image completely, so we don't care
++ * about overruns etc. here. */
++ rc = raw_copy_to_guest(ELF_UNSAFE_PTR(dst), ELF_UNSAFE_PTR(src), filesz);
+ if ( rc != 0 )
+ return -1;
+- rc = raw_clear_guest(dst + filesz, memsz - filesz);
++ rc = raw_clear_guest(ELF_UNSAFE_PTR(dst + filesz), memsz - filesz);
+ if ( rc != 0 )
+ return -1;
+ return 0;
+@@ -146,10 +148,10 @@ static int elf_load_image(struct elf_binary *elf,
+ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
+ {
+ uint64_t sz;
+- const elf_shdr *shdr;
++ ELF_HANDLE_DECL(elf_shdr) shdr;
+ int i, type;
+
+- if ( !elf->sym_tab )
++ if ( !ELF_HANDLE_VALID(elf->sym_tab) )
+ return;
+
+ pstart = elf_round_up(elf, pstart);
+@@ -166,7 +168,7 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
+ for ( i = 0; i < elf_shdr_count(elf); i++ )
+ {
+ shdr = elf_shdr_by_index(elf, i);
+- type = elf_uval(elf, (elf_shdr *)shdr, sh_type);
++ type = elf_uval(elf, shdr, sh_type);
+ if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
+ sz = elf_round_up(elf, sz + elf_uval(elf, shdr, sh_size));
+ }
+@@ -177,10 +179,12 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
+
+ static void elf_load_bsdsyms(struct elf_binary *elf)
+ {
+- elf_ehdr *sym_ehdr;
++ ELF_HANDLE_DECL_NONCONST(elf_ehdr) sym_ehdr;
+ unsigned long sz;
+- char *maxva, *symbase, *symtab_addr;
+- elf_shdr *shdr;
++ ELF_PTRVAL_VOID maxva;
++ ELF_PTRVAL_VOID symbase;
++ ELF_PTRVAL_VOID symtab_addr;
++ ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr;
+ int i, type;
+
+ if ( !elf->bsd_symtab_pstart )
+@@ -189,18 +193,18 @@ static void elf_load_bsdsyms(struct elf_binary *elf)
+ #define elf_hdr_elm(_elf, _hdr, _elm, _val) \
+ do { \
+ if ( elf_64bit(_elf) ) \
+- (_hdr)->e64._elm = _val; \
++ elf_store_field(_elf, _hdr, e64._elm, _val); \
+ else \
+- (_hdr)->e32._elm = _val; \
++ elf_store_field(_elf, _hdr, e32._elm, _val); \
+ } while ( 0 )
+
+ symbase = elf_get_ptr(elf, elf->bsd_symtab_pstart);
+ symtab_addr = maxva = symbase + sizeof(uint32_t);
+
+ /* Set up Elf header. */
+- sym_ehdr = (elf_ehdr *)symtab_addr;
++ sym_ehdr = ELF_MAKE_HANDLE(elf_ehdr, symtab_addr);
+ sz = elf_uval(elf, elf->ehdr, e_ehsize);
+- memcpy(sym_ehdr, elf->ehdr, sz);
++ elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(sym_ehdr), ELF_HANDLE_PTRVAL(elf->ehdr), sz);
+ maxva += sz; /* no round up */
+
+ elf_hdr_elm(elf, sym_ehdr, e_phoff, 0);
+@@ -209,37 +213,39 @@ do { \
+ elf_hdr_elm(elf, sym_ehdr, e_phnum, 0);
+
+ /* Copy Elf section headers. */
+- shdr = (elf_shdr *)maxva;
++ shdr = ELF_MAKE_HANDLE(elf_shdr, maxva);
+ sz = elf_shdr_count(elf) * elf_uval(elf, elf->ehdr, e_shentsize);
+- memcpy(shdr, elf->image + elf_uval(elf, elf->ehdr, e_shoff), sz);
+- maxva = (char *)(long)elf_round_up(elf, (long)maxva + sz);
++ elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(shdr),
++ ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
++ sz);
++ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
+
+ for ( i = 0; i < elf_shdr_count(elf); i++ )
+ {
+ type = elf_uval(elf, shdr, sh_type);
+ if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
+ {
+- elf_msg(elf, "%s: shdr %i at 0x%p -> 0x%p\n", __func__, i,
++ elf_msg(elf, "%s: shdr %i at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n", __func__, i,
+ elf_section_start(elf, shdr), maxva);
+ sz = elf_uval(elf, shdr, sh_size);
+- memcpy(maxva, elf_section_start(elf, shdr), sz);
++ elf_memcpy_safe(elf, maxva, elf_section_start(elf, shdr), sz);
+ /* Mangled to be based on ELF header location. */
+ elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
+- maxva = (char *)(long)elf_round_up(elf, (long)maxva + sz);
++ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
+ }
+- shdr = (elf_shdr *)((long)shdr +
++ shdr = ELF_MAKE_HANDLE(elf_shdr, ELF_HANDLE_PTRVAL(shdr) +
+ (long)elf_uval(elf, elf->ehdr, e_shentsize));
+ }
+
+ /* Write down the actual sym size. */
+- *(uint32_t *)symbase = maxva - symtab_addr;
++ elf_store_val(elf, uint32_t, symbase, maxva - symtab_addr);
+
+ #undef elf_ehdr_elm
+ }
+
+ void elf_parse_binary(struct elf_binary *elf)
+ {
+- const elf_phdr *phdr;
++ ELF_HANDLE_DECL(elf_phdr) phdr;
+ uint64_t low = -1;
+ uint64_t high = 0;
+ uint64_t i, count, paddr, memsz;
+@@ -267,9 +273,9 @@ void elf_parse_binary(struct elf_binary *elf)
+
+ int elf_load_binary(struct elf_binary *elf)
+ {
+- const elf_phdr *phdr;
++ ELF_HANDLE_DECL(elf_phdr) phdr;
+ uint64_t i, count, paddr, offset, filesz, memsz;
+- char *dest;
++ ELF_PTRVAL_VOID dest;
+
+ count = elf_uval(elf, elf->ehdr, e_phnum);
+ for ( i = 0; i < count; i++ )
+@@ -282,9 +288,9 @@ int elf_load_binary(struct elf_binary *elf)
+ filesz = elf_uval(elf, phdr, p_filesz);
+ memsz = elf_uval(elf, phdr, p_memsz);
+ dest = elf_get_ptr(elf, paddr);
+- elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%p -> 0x%p\n",
+- __func__, i, dest, dest + filesz);
+- if ( elf_load_image(elf, dest, elf->image + offset, filesz, memsz) != 0 )
++ elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n",
++ __func__, i, dest, (ELF_PTRVAL_VOID)(dest + filesz));
++ if ( elf_load_image(elf, dest, ELF_IMAGE_BASE(elf) + offset, filesz, memsz) != 0 )
+ return -1;
+ }
+
+@@ -292,18 +298,18 @@ int elf_load_binary(struct elf_binary *elf)
+ return 0;
+ }
+
+-void *elf_get_ptr(struct elf_binary *elf, unsigned long addr)
++ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr)
+ {
+ return elf->dest + addr - elf->pstart;
+ }
+
+ uint64_t elf_lookup_addr(struct elf_binary * elf, const char *symbol)
+ {
+- const elf_sym *sym;
++ ELF_HANDLE_DECL(elf_sym) sym;
+ uint64_t value;
+
+ sym = elf_sym_by_name(elf, symbol);
+- if ( sym == NULL )
++ if ( !ELF_HANDLE_VALID(sym) )
+ {
+ elf_err(elf, "%s: not found: %s\n", __FUNCTION__, symbol);
+ return -1;
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index 2f54142..f1fd886 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -67,10 +67,10 @@ int elf_phdr_count(struct elf_binary *elf)
+ return elf_uval(elf, elf->ehdr, e_phnum);
+ }
+
+-const elf_shdr *elf_shdr_by_name(struct elf_binary *elf, const char *name)
++ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *name)
+ {
+ uint64_t count = elf_shdr_count(elf);
+- const elf_shdr *shdr;
++ ELF_HANDLE_DECL(elf_shdr) shdr;
+ const char *sname;
+ int i;
+
+@@ -81,76 +81,80 @@ const elf_shdr *elf_shdr_by_name(struct elf_binary *elf, const char *name)
+ if ( sname && !strcmp(sname, name) )
+ return shdr;
+ }
+- return NULL;
++ return ELF_INVALID_HANDLE(elf_shdr);
+ }
+
+-const elf_shdr *elf_shdr_by_index(struct elf_binary *elf, int index)
++ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index)
+ {
+ uint64_t count = elf_shdr_count(elf);
+- const void *ptr;
++ ELF_PTRVAL_CONST_VOID ptr;
+
+ if ( index >= count )
+- return NULL;
++ return ELF_INVALID_HANDLE(elf_shdr);
+
+- ptr = (elf->image
++ ptr = (ELF_IMAGE_BASE(elf)
+ + elf_uval(elf, elf->ehdr, e_shoff)
+ + elf_uval(elf, elf->ehdr, e_shentsize) * index);
+- return ptr;
++ return ELF_MAKE_HANDLE(elf_shdr, ptr);
+ }
+
+-const elf_phdr *elf_phdr_by_index(struct elf_binary *elf, int index)
++ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index)
+ {
+ uint64_t count = elf_uval(elf, elf->ehdr, e_phnum);
+- const void *ptr;
++ ELF_PTRVAL_CONST_VOID ptr;
+
+ if ( index >= count )
+- return NULL;
++ return ELF_INVALID_HANDLE(elf_phdr);
+
+- ptr = (elf->image
++ ptr = (ELF_IMAGE_BASE(elf)
+ + elf_uval(elf, elf->ehdr, e_phoff)
+ + elf_uval(elf, elf->ehdr, e_phentsize) * index);
+- return ptr;
++ return ELF_MAKE_HANDLE(elf_phdr, ptr);
+ }
+
+-const char *elf_section_name(struct elf_binary *elf, const elf_shdr * shdr)
++
++const char *elf_section_name(struct elf_binary *elf,
++ ELF_HANDLE_DECL(elf_shdr) shdr)
+ {
+- if ( elf->sec_strtab == NULL )
++ if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
+ return "unknown";
++
+ return elf->sec_strtab + elf_uval(elf, shdr, sh_name);
+ }
+
+-const void *elf_section_start(struct elf_binary *elf, const elf_shdr * shdr)
++ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
+ {
+- return elf->image + elf_uval(elf, shdr, sh_offset);
++ return ELF_IMAGE_BASE(elf) + elf_uval(elf, shdr, sh_offset);
+ }
+
+-const void *elf_section_end(struct elf_binary *elf, const elf_shdr * shdr)
++ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
+ {
+- return elf->image
++ return ELF_IMAGE_BASE(elf)
+ + elf_uval(elf, shdr, sh_offset) + elf_uval(elf, shdr, sh_size);
+ }
+
+-const void *elf_segment_start(struct elf_binary *elf, const elf_phdr * phdr)
++ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ {
+- return elf->image + elf_uval(elf, phdr, p_offset);
++ return ELF_IMAGE_BASE(elf)
++ + elf_uval(elf, phdr, p_offset);
+ }
+
+-const void *elf_segment_end(struct elf_binary *elf, const elf_phdr * phdr)
++ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ {
+- return elf->image
++ return ELF_IMAGE_BASE(elf)
+ + elf_uval(elf, phdr, p_offset) + elf_uval(elf, phdr, p_filesz);
+ }
+
+-const elf_sym *elf_sym_by_name(struct elf_binary *elf, const char *symbol)
++ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol)
+ {
+- const void *ptr = elf_section_start(elf, elf->sym_tab);
+- const void *end = elf_section_end(elf, elf->sym_tab);
+- const elf_sym *sym;
++ ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
++ ELF_PTRVAL_CONST_VOID end = elf_section_end(elf, elf->sym_tab);
++ ELF_HANDLE_DECL(elf_sym) sym;
+ uint64_t info, name;
+
+ for ( ; ptr < end; ptr += elf_size(elf, sym) )
+ {
+- sym = ptr;
++ sym = ELF_MAKE_HANDLE(elf_sym, ptr);
+ info = elf_uval(elf, sym, st_info);
+ name = elf_uval(elf, sym, st_name);
+ if ( ELF32_ST_BIND(info) != STB_GLOBAL )
+@@ -159,33 +163,33 @@ const elf_sym *elf_sym_by_name(struct elf_binary *elf, const char *symbol)
+ continue;
+ return sym;
+ }
+- return NULL;
++ return ELF_INVALID_HANDLE(elf_sym);
+ }
+
+-const elf_sym *elf_sym_by_index(struct elf_binary *elf, int index)
++ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index)
+ {
+- const void *ptr = elf_section_start(elf, elf->sym_tab);
+- const elf_sym *sym;
++ ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
++ ELF_HANDLE_DECL(elf_sym) sym;
+
+- sym = ptr + index * elf_size(elf, sym);
++ sym = ELF_MAKE_HANDLE(elf_sym, ptr + index * elf_size(elf, sym));
+ return sym;
+ }
+
+-const char *elf_note_name(struct elf_binary *elf, const elf_note * note)
++const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+- return (void *)note + elf_size(elf, note);
++ return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note);
+ }
+
+-const void *elf_note_desc(struct elf_binary *elf, const elf_note * note)
++ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+ int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
+
+- return (void *)note + elf_size(elf, note) + namesz;
++ return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz;
+ }
+
+-uint64_t elf_note_numeric(struct elf_binary *elf, const elf_note * note)
++uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+- const void *desc = elf_note_desc(elf, note);
++ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
+ int descsz = elf_uval(elf, note, descsz);
+
+ switch (descsz)
+@@ -200,10 +204,10 @@ uint64_t elf_note_numeric(struct elf_binary *elf, const elf_note * note)
+ }
+ }
+
+-uint64_t elf_note_numeric_array(struct elf_binary *elf, const elf_note *note,
++uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note,
+ unsigned int unitsz, unsigned int idx)
+ {
+- const void *desc = elf_note_desc(elf, note);
++ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
+ int descsz = elf_uval(elf, note, descsz);
+
+ if ( descsz % unitsz || idx >= descsz / unitsz )
+@@ -220,12 +224,12 @@ uint64_t elf_note_numeric_array(struct elf_binary *elf, const elf_note *note,
+ }
+ }
+
+-const elf_note *elf_note_next(struct elf_binary *elf, const elf_note * note)
++ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+ int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
+ int descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
+
+- return (void *)note + elf_size(elf, note) + namesz + descsz;
++ return ELF_MAKE_HANDLE(elf_note, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz + descsz);
+ }
+
+ /* ------------------------------------------------------------------------ */
+@@ -234,10 +238,10 @@ int elf_is_elfbinary(const void *image)
+ {
+ const Elf32_Ehdr *ehdr = image;
+
+- return IS_ELF(*ehdr);
++ return IS_ELF(*ehdr); /* fixme unchecked */
+ }
+
+-int elf_phdr_is_loadable(struct elf_binary *elf, const elf_phdr * phdr)
++int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
+ {
+ uint64_t p_type = elf_uval(elf, phdr, p_type);
+ uint64_t p_flags = elf_uval(elf, phdr, p_flags);
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index 38e490c..cefd3d3 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -48,6 +48,97 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
+
+ /* ------------------------------------------------------------------------ */
+
++/* Macros for accessing the input image and output area. */
++
++/*
++ * We abstract away the pointerness of these pointers, replacing
++ * various void*, char* and struct* with the following:
++ * PTRVAL A pointer to a byte; one can do pointer arithmetic
++ * on this.
++ * This replaces variables which were char*,void*
++ * and their const versions, so we provide four
++ * different declaration macros:
++ * ELF_PTRVAL_{,CONST}{VOID,CHAR}
++ * HANDLE A pointer to a struct. There is one of these types
++ * for each pointer type - that is, for each "structname".
++ * In the arguments to the various HANDLE macros, structname
++ * must be a single identifier which is a typedef.
++ * It is not permitted to do arithmetic on these
++ * pointers. In the current code attempts to do so will
++ * compile, but in the next patch this will become a
++ * compile error.
++ * We provide two declaration macros for const and
++ * non-const pointers.
++ */
++
++#define ELF_REALPTR2PTRVAL(realpointer) (realpointer)
++ /* Converts an actual C pointer into a PTRVAL */
++
++#define ELF_HANDLE_DECL_NONCONST(structname) structname *
++#define ELF_HANDLE_DECL(structname) const structname *
++ /* Provides a type declaration for a HANDLE. */
++ /* May only be used to declare ONE variable at a time */
++
++#define ELF_PTRVAL_VOID void *
++#define ELF_PTRVAL_CHAR char *
++#define ELF_PTRVAL_CONST_VOID const void *
++#define ELF_PTRVAL_CONST_CHAR const char *
++ /* Provides a type declaration for a PTRVAL. */
++ /* May only be used to declare ONE variable at a time */
++
++#define ELF_DEFINE_HANDLE(structname) /* empty */
++ /*
++ * This must be invoked for each HANDLE type to define
++ * the actual C type used for that kind of HANDLE.
++ */
++
++#define ELF_PRPTRVAL "p"
++ /* printf format a la PRId... for a PTRVAL */
++
++#define ELF_MAKE_HANDLE(structname, ptrval) (ptrval)
++ /* Converts a PTRVAL to a HANDLE */
++
++#define ELF_IMAGE_BASE(elf) ((elf)->image)
++ /* Returns the base of the image as a PTRVAL. */
++
++#define ELF_HANDLE_PTRVAL(handleval) ((void*)(handleval))
++ /* Converts a HANDLE to a PTRVAL. */
++
++#define ELF_OBSOLETE_VOIDP_CAST (void*)(uintptr_t)
++ /*
++ * In some places the existing code needs to
++ * - cast away const (the existing code uses const a fair
++ * bit but actually sometimes wants to write to its input)
++ * from a PTRVAL.
++ * - convert an integer representing a pointer to a PTRVAL
++ * This macro provides a suitable cast.
++ */
++
++#define ELF_UNSAFE_PTR(ptrval) ((void*)(uintptr_t)(ptrval))
++ /*
++ * Turns a PTRVAL into an actual C pointer. Before this is done
++ * the caller must have ensured that the PTRVAL does in fact point
++ * to a permissible location.
++ */
++
++/* PTRVALs can be INVALID (ie, NULL). */
++#define ELF_INVALID_PTRVAL (NULL) /* returns NULL PTRVAL */
++#define ELF_INVALID_HANDLE(structname) /* returns NULL handle */ \
++ ELF_MAKE_HANDLE(structname, ELF_INVALID_PTRVAL)
++#define ELF_PTRVAL_VALID(ptrval) (ptrval) /* } */
++#define ELF_HANDLE_VALID(handleval) (handleval) /* } predicates */
++#define ELF_PTRVAL_INVALID(ptrval) ((ptrval) == NULL) /* } */
++
++/* For internal use by other macros here */
++#define ELF__HANDLE_FIELD_TYPE(handleval, elm) \
++ typeof((handleval)->elm)
++#define ELF__HANDLE_FIELD_OFFSET(handleval, elm) \
++ offsetof(typeof(*(handleval)),elm)
++
++
++/* ------------------------------------------------------------------------ */
++
++
+ typedef union {
+ Elf32_Ehdr e32;
+ Elf64_Ehdr e64;
+@@ -83,6 +174,12 @@ typedef union {
+ Elf64_Note e64;
+ } elf_note;
+
++ELF_DEFINE_HANDLE(elf_ehdr)
++ELF_DEFINE_HANDLE(elf_shdr)
++ELF_DEFINE_HANDLE(elf_phdr)
++ELF_DEFINE_HANDLE(elf_sym)
++ELF_DEFINE_HANDLE(elf_note)
++
+ struct elf_binary {
+ /* elf binary */
+ const char *image;
+@@ -90,10 +187,10 @@ struct elf_binary {
+ char class;
+ char data;
+
+- const elf_ehdr *ehdr;
+- const char *sec_strtab;
+- const elf_shdr *sym_tab;
+- const char *sym_strtab;
++ ELF_HANDLE_DECL(elf_ehdr) ehdr;
++ ELF_PTRVAL_CONST_CHAR sec_strtab;
++ ELF_HANDLE_DECL(elf_shdr) sym_tab;
++ ELF_PTRVAL_CONST_CHAR sym_strtab;
+
+ /* loaded to */
+ char *dest;
+@@ -135,45 +232,72 @@ struct elf_binary {
+ : elf_access_unsigned((elf), (str), \
+ offsetof(typeof(*(str)),e32.elem), \
+ sizeof((str)->e32.elem)))
++ /*
++ * Reads an unsigned field in a header structure in the ELF.
++ * str is a HANDLE, and elem is the field name in it.
++ */
+
+ #define elf_size(elf, str) \
+ ((ELFCLASS64 == (elf)->class) \
+ ? sizeof((str)->e64) : sizeof((str)->e32))
++ /*
++ * Returns the size of the substructure for the appropriate 32/64-bitness.
++ * str should be a HANDLE.
++ */
+
+-uint64_t elf_access_unsigned(struct elf_binary *elf, const void *ptr,
++uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
+ uint64_t offset, size_t size);
++ /* Reads a field at arbitrary offset and alignemnt */
+
+ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
+
++
++#define elf_memcpy_safe(elf, dst, src, sz) memcpy((dst),(src),(sz))
++#define elf_memset_safe(elf, dst, c, sz) memset((dst),(c),(sz))
++ /*
++ * Versions of memcpy and memset which will (in the next patch)
++ * arrange never to write outside permitted areas.
++ */
++
++#define elf_store_val(elf, type, ptr, val) (*(type*)(ptr) = (val))
++ /* Stores a value at a particular PTRVAL. */
++
++#define elf_store_field(elf, hdr, elm, val) \
++ (elf_store_val((elf), ELF__HANDLE_FIELD_TYPE(hdr, elm), \
++ &((hdr)->elm), \
++ (val)))
++ /* Stores a 32/64-bit field. hdr is a HANDLE and elm is the field name. */
++
++
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_tools.c */
+
+ int elf_shdr_count(struct elf_binary *elf);
+ int elf_phdr_count(struct elf_binary *elf);
+
+-const elf_shdr *elf_shdr_by_name(struct elf_binary *elf, const char *name);
+-const elf_shdr *elf_shdr_by_index(struct elf_binary *elf, int index);
+-const elf_phdr *elf_phdr_by_index(struct elf_binary *elf, int index);
++ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *name);
++ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index);
++ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index);
+
+-const char *elf_section_name(struct elf_binary *elf, const elf_shdr * shdr);
+-const void *elf_section_start(struct elf_binary *elf, const elf_shdr * shdr);
+-const void *elf_section_end(struct elf_binary *elf, const elf_shdr * shdr);
++const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
++ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
++ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
+
+-const void *elf_segment_start(struct elf_binary *elf, const elf_phdr * phdr);
+-const void *elf_segment_end(struct elf_binary *elf, const elf_phdr * phdr);
++ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
++ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+
+-const elf_sym *elf_sym_by_name(struct elf_binary *elf, const char *symbol);
+-const elf_sym *elf_sym_by_index(struct elf_binary *elf, int index);
++ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
++ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index);
+
+-const char *elf_note_name(struct elf_binary *elf, const elf_note * note);
+-const void *elf_note_desc(struct elf_binary *elf, const elf_note * note);
+-uint64_t elf_note_numeric(struct elf_binary *elf, const elf_note * note);
+-uint64_t elf_note_numeric_array(struct elf_binary *, const elf_note *,
++const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
++ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
++uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
++uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
+ unsigned int unitsz, unsigned int idx);
+-const elf_note *elf_note_next(struct elf_binary *elf, const elf_note * note);
++ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+
+ int elf_is_elfbinary(const void *image);
+-int elf_phdr_is_loadable(struct elf_binary *elf, const elf_phdr * phdr);
++int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
+
+ /* ------------------------------------------------------------------------ */
+ /* xc_libelf_loader.c */
+@@ -189,7 +313,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
+ void elf_parse_binary(struct elf_binary *elf);
+ int elf_load_binary(struct elf_binary *elf);
+
+-void *elf_get_ptr(struct elf_binary *elf, unsigned long addr);
++ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr);
+ uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
+
+ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart); /* private */
+@@ -221,9 +345,9 @@ struct xen_elfnote {
+
+ struct elf_dom_parms {
+ /* raw */
+- const char *guest_info;
+- const void *elf_note_start;
+- const void *elf_note_end;
++ ELF_PTRVAL_CONST_CHAR guest_info;
++ ELF_PTRVAL_CONST_VOID elf_note_start;
++ ELF_PTRVAL_CONST_VOID elf_note_end;
+ struct xen_elfnote elf_notes[XEN_ELFNOTE_MAX + 1];
+
+ /* parsed */
+@@ -262,10 +386,22 @@ int elf_xen_parse_features(const char *features,
+ uint32_t *required);
+ int elf_xen_parse_note(struct elf_binary *elf,
+ struct elf_dom_parms *parms,
+- const elf_note *note);
++ ELF_HANDLE_DECL(elf_note) note);
+ int elf_xen_parse_guest_info(struct elf_binary *elf,
+ struct elf_dom_parms *parms);
+ int elf_xen_parse(struct elf_binary *elf,
+ struct elf_dom_parms *parms);
+
++#define elf_memcpy_unchecked memcpy
++#define elf_memset_unchecked memset
++ /*
++ * Unsafe versions of memcpy and memset which take actual C
++ * pointers. These are just like real memcpy and memset.
++ */
++
++
++#define ELF_ADVANCE_DEST(elf, amount) elf->dest += (amount)
++ /* Advances past amount bytes of the current destination area. */
++
++
+ #endif /* __XEN_LIBELF_H__ */
+--
+1.7.2.5
+
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-2013-9to10-XSA-55.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-9to10-XSA-55.patch
new file mode 100644
index 000000000000..9ec5241bec8c
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-2013-9to10-XSA-55.patch
@@ -0,0 +1,261 @@
+From 59f66d58180832af6b99a9e4489031b5c2f627ab Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Fri, 14 Jun 2013 16:43:17 +0100
+Subject: [PATCH 09/23] tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
+
+Use the new PTRVAL macros and elf_access_unsigned in
+print_l1_mfn_valid_note.
+
+No functional change unless the input is wrong, or we are reading a
+file for a different endianness.
+
+Separated out from the previous patch because this change does produce
+a difference in the generated code.
+
+This is part of the fix to a security issue, XSA-55.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/xcutils/readnotes.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
+index 2af047d..7ff2530 100644
+--- a/tools/xcutils/readnotes.c
++++ b/tools/xcutils/readnotes.c
+@@ -77,22 +77,23 @@ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
+ }
+
+ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
+- const elf_note *note)
++ ELF_HANDLE_DECL(elf_note) note)
+ {
+ int descsz = elf_uval(elf, note, descsz);
+- const uint32_t *desc32 = elf_note_desc(elf, note);
+- const uint64_t *desc64 = elf_note_desc(elf, note);
++ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
+
+ /* XXX should be able to cope with a list of values. */
+ switch ( descsz / 2 )
+ {
+ case 8:
+ printf("%s: mask=%#"PRIx64" value=%#"PRIx64"\n", prefix,
+- desc64[0], desc64[1]);
++ elf_access_unsigned(elf, desc, 0, 8),
++ elf_access_unsigned(elf, desc, 8, 8));
+ break;
+ case 4:
+ printf("%s: mask=%#"PRIx32" value=%#"PRIx32"\n", prefix,
+- desc32[0],desc32[1]);
++ (uint32_t)elf_access_unsigned(elf, desc, 0, 4),
++ (uint32_t)elf_access_unsigned(elf, desc, 4, 4));
+ break;
+ }
+
+--
+1.7.2.5
+#From db14d5bd9b6508adfcd2b910f454fae12fa4ba00 Mon Sep 17 00:00:00 2001
+#From: Ian Jackson <ian.jackson@eu.citrix.com>
+#Date: Fri, 14 Jun 2013 16:43:17 +0100
+#Subject: [PATCH 10/23] libelf: check nul-terminated strings properly
+#
+#It is not safe to simply take pointers into the ELF and use them as C
+#pointers. They might not be properly nul-terminated (and the pointers
+#might be wild).
+#
+#So we are going to introduce a new function elf_strval for safely
+#getting strings. This will check that the addresses are in range and
+#that there is a proper nul-terminated string. Of course it might
+#discover that there isn't. In that case, it will be made to fail.
+#This means that elf_note_name might fail, too.
+#
+#For the benefit of call sites which are just going to pass the value
+#to a printf-like function, we provide elf_strfmt which returns
+#"(invalid)" on failure rather than NULL.
+#
+#In this patch we introduce dummy definitions of these functions. We
+#introduce calls to elf_strval and elf_strfmt everywhere, and update
+#all the call sites with appropriate error checking.
+#
+#There is not yet any semantic change, since before this patch all the
+#places where we introduce elf_strval dereferenced the value anyway, so
+#it mustn't have been NULL.
+#
+#In future patches, when elf_strval is made able return NULL, when it
+#does so it will mark the elf "broken" so that an appropriate
+#diagnostic can be printed.
+#
+#This is part of the fix to a security issue, XSA-55.
+#
+#Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+#Acked-by: Ian Campbell <ian.campbell@citrix.com>
+#Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+#---
+# tools/xcutils/readnotes.c | 11 ++++++++---
+# xen/common/libelf/libelf-dominfo.c | 13 ++++++++++---
+# xen/common/libelf/libelf-tools.c | 10 +++++++---
+# xen/include/xen/libelf.h | 7 +++++--
+# 4 files changed, 30 insertions(+), 11 deletions(-)
+#
+diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
+index 7ff2530..cfae994 100644
+--- a/tools/xcutils/readnotes.c
++++ b/tools/xcutils/readnotes.c
+@@ -63,7 +63,7 @@ struct setup_header {
+ static void print_string_note(const char *prefix, struct elf_binary *elf,
+ ELF_HANDLE_DECL(elf_note) note)
+ {
+- printf("%s: %s\n", prefix, (char*)elf_note_desc(elf, note));
++ printf("%s: %s\n", prefix, elf_strfmt(elf, elf_note_desc(elf, note)));
+ }
+
+ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
+@@ -103,10 +103,14 @@ static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start,
+ {
+ ELF_HANDLE_DECL(elf_note) note;
+ int notes_found = 0;
++ const char *this_note_name;
+
+ for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
+ {
+- if (0 != strcmp(elf_note_name(elf, note), "Xen"))
++ this_note_name = elf_note_name(elf, note);
++ if (NULL == this_note_name)
++ continue;
++ if (0 != strcmp(this_note_name, "Xen"))
+ continue;
+
+ notes_found++;
+@@ -294,7 +298,8 @@ int main(int argc, char **argv)
+
+ shdr = elf_shdr_by_name(&elf, "__xen_guest");
+ if (ELF_HANDLE_VALID(shdr))
+- printf("__xen_guest: %s\n", (char*)elf_section_start(&elf, shdr));
++ printf("__xen_guest: %s\n",
++ elf_strfmt(&elf, elf_section_start(&elf, shdr)));
+
+ return 0;
+ }
+diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
+index 7140d59..b217f8f 100644
+--- a/xen/common/libelf/libelf-dominfo.c
++++ b/xen/common/libelf/libelf-dominfo.c
+@@ -137,7 +137,10 @@ int elf_xen_parse_note(struct elf_binary *elf,
+
+ if ( note_desc[type].str )
+ {
+- str = elf_note_desc(elf, note);
++ str = elf_strval(elf, elf_note_desc(elf, note));
++ if (str == NULL)
++ /* elf_strval will mark elf broken if it fails so no need to log */
++ return 0;
+ elf_msg(elf, "%s: %s = \"%s\"\n", __FUNCTION__,
+ note_desc[type].name, str);
+ parms->elf_notes[type].type = XEN_ENT_STR;
+@@ -220,6 +223,7 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
+ {
+ int xen_elfnotes = 0;
+ ELF_HANDLE_DECL(elf_note) note;
++ const char *note_name;
+
+ parms->elf_note_start = start;
+ parms->elf_note_end = end;
+@@ -227,7 +231,10 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
+ ELF_HANDLE_PTRVAL(note) < parms->elf_note_end;
+ note = elf_note_next(elf, note) )
+ {
+- if ( strcmp(elf_note_name(elf, note), "Xen") )
++ note_name = elf_note_name(elf, note);
++ if ( note_name == NULL )
++ continue;
++ if ( strcmp(note_name, "Xen") )
+ continue;
+ if ( elf_xen_parse_note(elf, parms, note) )
+ return -1;
+@@ -541,7 +548,7 @@ int elf_xen_parse(struct elf_binary *elf,
+ parms->elf_note_start = ELF_INVALID_PTRVAL;
+ parms->elf_note_end = ELF_INVALID_PTRVAL;
+ elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
+- parms->guest_info);
++ elf_strfmt(elf, parms->guest_info));
+ elf_xen_parse_guest_info(elf, parms);
+ break;
+ }
+diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
+index f1fd886..3a0cde1 100644
+--- a/xen/common/libelf/libelf-tools.c
++++ b/xen/common/libelf/libelf-tools.c
+@@ -119,7 +119,7 @@ const char *elf_section_name(struct elf_binary *elf,
+ if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
+ return "unknown";
+
+- return elf->sec_strtab + elf_uval(elf, shdr, sh_name);
++ return elf_strval(elf, elf->sec_strtab + elf_uval(elf, shdr, sh_name));
+ }
+
+ ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
+@@ -151,6 +151,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
+ ELF_PTRVAL_CONST_VOID end = elf_section_end(elf, elf->sym_tab);
+ ELF_HANDLE_DECL(elf_sym) sym;
+ uint64_t info, name;
++ const char *sym_name;
+
+ for ( ; ptr < end; ptr += elf_size(elf, sym) )
+ {
+@@ -159,7 +160,10 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
+ name = elf_uval(elf, sym, st_name);
+ if ( ELF32_ST_BIND(info) != STB_GLOBAL )
+ continue;
+- if ( strcmp(elf->sym_strtab + name, symbol) )
++ sym_name = elf_strval(elf, elf->sym_strtab + name);
++ if ( sym_name == NULL ) /* out of range, oops */
++ return ELF_INVALID_HANDLE(elf_sym);
++ if ( strcmp(sym_name, symbol) )
+ continue;
+ return sym;
+ }
+@@ -177,7 +181,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index)
+
+ const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+ {
+- return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note);
++ return elf_strval(elf, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note));
+ }
+
+ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
+diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
+index cefd3d3..af5b5c5 100644
+--- a/xen/include/xen/libelf.h
++++ b/xen/include/xen/libelf.h
+@@ -252,6 +252,9 @@ uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
+ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
+
+
++#define elf_strval(elf,x) ((const char*)(x)) /* may return NULL in the future */
++#define elf_strfmt(elf,x) ((const char*)(x)) /* will return (invalid) instead */
++
+ #define elf_memcpy_safe(elf, dst, src, sz) memcpy((dst),(src),(sz))
+ #define elf_memset_safe(elf, dst, c, sz) memset((dst),(c),(sz))
+ /*
+@@ -279,7 +282,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
+ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index);
+ ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index);
+
+-const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
++const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr); /* might return NULL if inputs are invalid */
+ ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
+ ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
+
+@@ -289,7 +292,7 @@ ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(el
+ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
+ ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index);
+
+-const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
++const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); /* may return NULL */
+ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
+ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
+--
+1.7.2.5
+
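Review bot: The `elf_strval` and `elf_strfmt` macros that the second patch in this file adds to xen/include/xen/libelf.h are plain `(const char*)` casts, so none of the new NULL checks in print_notes, elf_xen_parse_notes, elf_sym_by_name or elf_xen_parse_note can fire when this file is applied alone. The patch's own message calls them dummy definitions with no semantic change yet. The range and NUL-termination checking therefore depends on the later XSA-55 patch files being applied after this one, which is worth recording next to the commented-out second header, e.g. `# elf_strval/elf_strfmt are still casts after this file; the checks come from the later XSA-55 patches, apply the full series in order`. Separately, elf_xen_parse_note returns 0 when `str == NULL`, so an invalid note string is reported to the caller as success. That is only safe if the "broken" marking described in the commit message exists and is checked later, and neither is visible in this hunk.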
diff --git a/app-emulation/xen-tools/files/xen-4.2-CVE-XSA-57.patch b/app-emulation/xen-tools/files/xen-4.2-CVE-XSA-57.patch
new file mode 100644
index 000000000000..165da86c5e8e
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-4.2-CVE-XSA-57.patch
@@ -0,0 +1,334 @@
+libxl: Restrict permissions on PV console device xenstore nodes
+
+Matthew Daley has observed that the PV console protocol places sensitive host
+state into a guest writeable xenstore locations, this includes:
+
+ - The pty used to communicate between the console backend daemon and its
+ client, allowing the guest administrator to read and write arbitrary host
+ files.
+ - The output file, allowing the guest administrator to write arbitrary host
+ files or to target arbitrary qemu chardevs which include sockets, udp, ptr,
+ pipes etc (see -chardev in qemu(1) for a more complete list).
+ - The maximum buffer size, allowing the guest administrator to consume more
+ resources than the host administrator has configured.
+ - The backend to use (qemu vs xenconsoled), potentially allowing the guest
+ administrator to confuse host software.
+
+So we arrange to make the sensitive keys in the xenstore frontend directory
+read only for the guest. This is safe since the xenstore permissions model,
+unlike POSIX directory permissions, does not allow the guest to remove and
+recreate a node if it has write access to the containing directory.
+
+There are a few associated wrinkles:
+
+ - The primary PV console is "special". It's xenstore node is not under the
+ usual /devices/ subtree and it does not use the customary xenstore state
+ machine protocol. Unfortunately its directory is used for other things,
+ including the vnc-port node, which we do not want the guest to be able to
+ write to. Rather than trying to track down all the possible secondary uses
+ of this directory just make it r/o to the guest. All newly created
+ subdirectories inherit these permissions and so are now safe by default.
+
+ - The other serial consoles do use the customary xenstore state machine and
+ therefore need write access to at least the "protocol" and "state" nodes,
+ however they may also want to use arbitrary "feature-foo" nodes (although
+ I'm not aware of any) and therefore we cannot simply lock down the entire
+ frontend directory. Instead we add support to libxl__device_generic_add for
+ frontend keys which are explicitly read only and use that to lock down the
+ sensitive keys.
+
+ - Minios' console frontend wants to write the "type" node, which it has no
+ business doing since this is a host/toolstack level decision. This fails
+ now that the node has become read only to the PV guest. Since the toolstack
+ already writes this node just remove the attempt to set it.
+
+This is CVE-XXXX-XXX / XSA-57
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+
+Conflicts:
+ tools/libxl/libxl.c (no vtpm, free front_ro on error in
+ libxl__device_console_add)
+
+diff --git a/extras/mini-os/console/xenbus.c b/extras/mini-os/console/xenbus.c
+index 77de82a..e65baf7 100644
+--- a/extras/mini-os/console/xenbus.c
++++ b/extras/mini-os/console/xenbus.c
+@@ -122,12 +122,6 @@ again:
+ goto abort_transaction;
+ }
+
+- err = xenbus_printf(xbt, nodename, "type", "%s", "ioemu");
+- if (err) {
+- message = "writing type";
+- goto abort_transaction;
+- }
+-
+ snprintf(path, sizeof(path), "%s/state", nodename);
+ err = xenbus_switch_state(xbt, path, XenbusStateConnected);
+ if (err) {
+diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
+index a6e9601..32d788a 100644
+--- a/tools/libxl/libxl.c
++++ b/tools/libxl/libxl.c
+@@ -1920,8 +1920,9 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
+ flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
+
+ libxl__device_generic_add(gc, t, device,
+- libxl__xs_kvs_of_flexarray(gc, back, back->count),
+- libxl__xs_kvs_of_flexarray(gc, front, front->count));
++ libxl__xs_kvs_of_flexarray(gc, back, back->count),
++ libxl__xs_kvs_of_flexarray(gc, front, front->count),
++ NULL);
+
+ rc = libxl__xs_transaction_commit(gc, &t);
+ if (!rc) break;
+@@ -2633,8 +2634,9 @@ void libxl__device_nic_add(libxl__egc *egc, uint32_t domid,
+ flexarray_append(front, libxl__sprintf(gc,
+ LIBXL_MAC_FMT, LIBXL_MAC_BYTES(nic->mac)));
+ libxl__device_generic_add(gc, XBT_NULL, device,
+- libxl__xs_kvs_of_flexarray(gc, back, back->count),
+- libxl__xs_kvs_of_flexarray(gc, front, front->count));
++ libxl__xs_kvs_of_flexarray(gc, back, back->count),
++ libxl__xs_kvs_of_flexarray(gc, front, front->count),
++ NULL);
+
+ aodev->dev = device;
+ aodev->action = DEVICE_CONNECT;
+@@ -2830,7 +2832,7 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
+ libxl__device_console *console,
+ libxl__domain_build_state *state)
+ {
+- flexarray_t *front;
++ flexarray_t *front, *ro_front;
+ flexarray_t *back;
+ libxl__device device;
+ int rc;
+@@ -2845,6 +2847,11 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
+ rc = ERROR_NOMEM;
+ goto out;
+ }
++ ro_front = flexarray_make(16, 1);
++ if (!ro_front) {
++ rc = ERROR_NOMEM;
++ goto out;
++ }
+ back = flexarray_make(16, 1);
+ if (!back) {
+ rc = ERROR_NOMEM;
+@@ -2871,21 +2878,24 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
+
+ flexarray_append(front, "backend-id");
+ flexarray_append(front, libxl__sprintf(gc, "%d", console->backend_domid));
+- flexarray_append(front, "limit");
+- flexarray_append(front, libxl__sprintf(gc, "%d", LIBXL_XENCONSOLE_LIMIT));
+- flexarray_append(front, "type");
++
++ flexarray_append(ro_front, "limit");
++ flexarray_append(ro_front, libxl__sprintf(gc, "%d", LIBXL_XENCONSOLE_LIMIT));
++ flexarray_append(ro_front, "type");
+ if (console->consback == LIBXL__CONSOLE_BACKEND_XENCONSOLED)
+- flexarray_append(front, "xenconsoled");
++ flexarray_append(ro_front, "xenconsoled");
+ else
+- flexarray_append(front, "ioemu");
+- flexarray_append(front, "output");
+- flexarray_append(front, console->output);
++ flexarray_append(ro_front, "ioemu");
++ flexarray_append(ro_front, "output");
++ flexarray_append(ro_front, console->output);
++ flexarray_append(ro_front, "tty");
++ flexarray_append(ro_front, "");
+
+ if (state) {
+- flexarray_append(front, "port");
+- flexarray_append(front, libxl__sprintf(gc, "%"PRIu32, state->console_port));
+- flexarray_append(front, "ring-ref");
+- flexarray_append(front, libxl__sprintf(gc, "%lu", state->console_mfn));
++ flexarray_append(ro_front, "port");
++ flexarray_append(ro_front, libxl__sprintf(gc, "%"PRIu32, state->console_port));
++ flexarray_append(ro_front, "ring-ref");
++ flexarray_append(ro_front, libxl__sprintf(gc, "%lu", state->console_mfn));
+ } else {
+ flexarray_append(front, "state");
+ flexarray_append(front, libxl__sprintf(gc, "%d", 1));
+@@ -2894,11 +2904,13 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
+ }
+
+ libxl__device_generic_add(gc, XBT_NULL, &device,
+- libxl__xs_kvs_of_flexarray(gc, back, back->count),
+- libxl__xs_kvs_of_flexarray(gc, front, front->count));
++ libxl__xs_kvs_of_flexarray(gc, back, back->count),
++ libxl__xs_kvs_of_flexarray(gc, front, front->count),
++ libxl__xs_kvs_of_flexarray(gc, ro_front, ro_front->count));
+ rc = 0;
+ out_free:
+ flexarray_free(back);
++ flexarray_free(ro_front);
+ flexarray_free(front);
+ out:
+ return rc;
+@@ -2982,8 +2994,9 @@ int libxl__device_vkb_add(libxl__gc *gc, uint32_t domid,
+ flexarray_append(front, libxl__sprintf(gc, "%d", 1));
+
+ libxl__device_generic_add(gc, XBT_NULL, &device,
+- libxl__xs_kvs_of_flexarray(gc, back, back->count),
+- libxl__xs_kvs_of_flexarray(gc, front, front->count));
++ libxl__xs_kvs_of_flexarray(gc, back, back->count),
++ libxl__xs_kvs_of_flexarray(gc, front, front->count),
++ NULL);
+ rc = 0;
+ out_free:
+ flexarray_free(back);
+@@ -3096,8 +3109,9 @@ int libxl__device_vfb_add(libxl__gc *gc, uint32_t domid, libxl_device_vfb *vfb)
+ flexarray_append_pair(front, "state", libxl__sprintf(gc, "%d", 1));
+
+ libxl__device_generic_add(gc, XBT_NULL, &device,
+- libxl__xs_kvs_of_flexarray(gc, back, back->count),
+- libxl__xs_kvs_of_flexarray(gc, front, front->count));
++ libxl__xs_kvs_of_flexarray(gc, back, back->count),
++ libxl__xs_kvs_of_flexarray(gc, front, front->count),
++ NULL);
+ rc = 0;
+ out_free:
+ flexarray_free(front);
+diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
+index c3283f1..1c04a21 100644
+--- a/tools/libxl/libxl_device.c
++++ b/tools/libxl/libxl_device.c
+@@ -84,11 +84,12 @@ out:
+ }
+
+ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
+- libxl__device *device, char **bents, char **fents)
++ libxl__device *device, char **bents, char **fents, char **ro_fents)
+ {
+ libxl_ctx *ctx = libxl__gc_owner(gc);
+ char *frontend_path, *backend_path;
+ struct xs_permissions frontend_perms[2];
++ struct xs_permissions ro_frontend_perms[2];
+ struct xs_permissions backend_perms[2];
+ int create_transaction = t == XBT_NULL;
+
+@@ -100,22 +101,37 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
+ frontend_perms[1].id = device->backend_domid;
+ frontend_perms[1].perms = XS_PERM_READ;
+
+- backend_perms[0].id = device->backend_domid;
+- backend_perms[0].perms = XS_PERM_NONE;
+- backend_perms[1].id = device->domid;
+- backend_perms[1].perms = XS_PERM_READ;
++ ro_frontend_perms[0].id = backend_perms[0].id = device->backend_domid;
++ ro_frontend_perms[0].perms = backend_perms[0].perms = XS_PERM_NONE;
++ ro_frontend_perms[1].id = backend_perms[1].id = device->domid;
++ ro_frontend_perms[1].perms = backend_perms[1].perms = XS_PERM_READ;
+
+ retry_transaction:
+ if (create_transaction)
+ t = xs_transaction_start(ctx->xsh);
+ /* FIXME: read frontend_path and check state before removing stuff */
+
+- if (fents) {
++ if (fents || ro_fents) {
+ xs_rm(ctx->xsh, t, frontend_path);
+ xs_mkdir(ctx->xsh, t, frontend_path);
+- xs_set_permissions(ctx->xsh, t, frontend_path, frontend_perms, ARRAY_SIZE(frontend_perms));
++ /* Console 0 is a special case. It doesn't use the regular PV
++ * state machine but also the frontend directory has
++ * historically contained other information, such as the
++ * vnc-port, which we don't want the guest fiddling with.
++ */
++ if (device->kind == LIBXL__DEVICE_KIND_CONSOLE && device->devid == 0)
++ xs_set_permissions(ctx->xsh, t, frontend_path,
++ ro_frontend_perms, ARRAY_SIZE(ro_frontend_perms));
++ else
++ xs_set_permissions(ctx->xsh, t, frontend_path,
++ frontend_perms, ARRAY_SIZE(frontend_perms));
+ xs_write(ctx->xsh, t, libxl__sprintf(gc, "%s/backend", frontend_path), backend_path, strlen(backend_path));
+- libxl__xs_writev(gc, t, frontend_path, fents);
++ if (fents)
++ libxl__xs_writev_perms(gc, t, frontend_path, fents,
++ frontend_perms, ARRAY_SIZE(frontend_perms));
++ if (ro_fents)
++ libxl__xs_writev_perms(gc, t, frontend_path, ro_fents,
++ ro_frontend_perms, ARRAY_SIZE(ro_frontend_perms));
+ }
+
+ if (bents) {
+diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
+index 13fa509..ae96a74 100644
+--- a/tools/libxl/libxl_internal.h
++++ b/tools/libxl/libxl_internal.h
+@@ -516,6 +516,11 @@ _hidden char **libxl__xs_kvs_of_flexarray(libxl__gc *gc, flexarray_t *array, int
+ /* treats kvs as pairs of keys and values and writes each to dir. */
+ _hidden int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
+ const char *dir, char **kvs);
++/* as writev but also sets the permissions on each path */
++_hidden int libxl__xs_writev_perms(libxl__gc *gc, xs_transaction_t t,
++ const char *dir, char *kvs[],
++ struct xs_permissions *perms,
++ unsigned int num_perms);
+ /* _atonce creates a transaction and writes all keys at once */
+ _hidden int libxl__xs_writev_atonce(libxl__gc *gc,
+ const char *dir, char **kvs);
+@@ -930,7 +935,7 @@ _hidden int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
+ libxl__domain_build_state *state);
+
+ _hidden int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
+- libxl__device *device, char **bents, char **fents);
++ libxl__device *device, char **bents, char **fents, char **ro_fents);
+ _hidden char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device);
+ _hidden char *libxl__device_frontend_path(libxl__gc *gc, libxl__device *device);
+ _hidden int libxl__parse_backend_path(libxl__gc *gc, const char *path,
+diff --git a/tools/libxl/libxl_pci.c b/tools/libxl/libxl_pci.c
+index 48986f3..d373b4d 100644
+--- a/tools/libxl/libxl_pci.c
++++ b/tools/libxl/libxl_pci.c
+@@ -106,7 +106,8 @@ int libxl__create_pci_backend(libxl__gc *gc, uint32_t domid,
+
+ libxl__device_generic_add(gc, XBT_NULL, &device,
+ libxl__xs_kvs_of_flexarray(gc, back, back->count),
+- libxl__xs_kvs_of_flexarray(gc, front, front->count));
++ libxl__xs_kvs_of_flexarray(gc, front, front->count),
++ NULL);
+
+ out:
+ if (back)
+diff --git a/tools/libxl/libxl_xshelp.c b/tools/libxl/libxl_xshelp.c
+index 52af484..d7eaa66 100644
+--- a/tools/libxl/libxl_xshelp.c
++++ b/tools/libxl/libxl_xshelp.c
+@@ -41,8 +41,10 @@ char **libxl__xs_kvs_of_flexarray(libxl__gc *gc, flexarray_t *array, int length)
+ return kvs;
+ }
+
+-int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
+- const char *dir, char *kvs[])
++int libxl__xs_writev_perms(libxl__gc *gc, xs_transaction_t t,
++ const char *dir, char *kvs[],
++ struct xs_permissions *perms,
++ unsigned int num_perms)
+ {
+ libxl_ctx *ctx = libxl__gc_owner(gc);
+ char *path;
+@@ -56,11 +58,19 @@ int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
+ if (path && kvs[i + 1]) {
+ int length = strlen(kvs[i + 1]);
+ xs_write(ctx->xsh, t, path, kvs[i + 1], length);
++ if (perms)
++ xs_set_permissions(ctx->xsh, t, path, perms, num_perms);
+ }
+ }
+ return 0;
+ }
+
++int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
++ const char *dir, char *kvs[])
++{
++ return libxl__xs_writev_perms(gc, t, dir, kvs, NULL, 0);
++}
++
+ int libxl__xs_writev_atonce(libxl__gc *gc,
+ const char *dir, char *kvs[])
+ {
+
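Review bot: In the embedded `libxl_xshelp.c` change, `libxl__xs_writev_perms` discards the results of both `xs_write` and the new `xs_set_permissions` call and returns 0 after the loop regardless; `libxl__device_generic_add` likewise ignores `xs_set_permissions` on the frontend directory and the return value of `libxl__xs_writev_perms`. The read-only guarantee for `limit`, `type`, `output`, `tty`, `port` and `ring-ref` rests entirely on those calls, so a failure would leave the node with whatever permissions it inherited from its parent (presumably guest-writable for consoles other than console 0) with no error reaching the caller. I would check and propagate the result, e.g. `if (perms && !xs_set_permissions(ctx->xsh, t, path, perms, num_perms)) return ERROR_FAIL;`, and have `libxl__device_generic_add` abort the transaction on a non-zero return; both function bodies continue outside the embedded hunks, so existing handling there should be confirmed first. Separately, the new `ro_front` allocation failure in `libxl__device_console_add` jumps to `out`, which skips the `flexarray_free` calls under `out_free`, so `front` appears to be leaked on that path.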
diff --git a/app-emulation/xen-tools/files/xen-tools-3.3.0-nostrip.patch b/app-emulation/xen-tools/files/xen-tools-3.3.0-nostrip.patch
deleted file mode 100644
index 48e7cd5778bc..000000000000
--- a/app-emulation/xen-tools/files/xen-tools-3.3.0-nostrip.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: xen-3.3.0/tools/ioemu-qemu-xen/Makefile
-===================================================================
---- xen-3.3.0.orig/tools/ioemu-qemu-xen/Makefile
-+++ xen-3.3.0/tools/ioemu-qemu-xen/Makefile
-@@ -205,7 +205,7 @@ endif
- install: all $(if $(BUILD_DOCS),install-doc)
- mkdir -p "$(DESTDIR)$(bindir)"
- ifneq ($(TOOLS),)
-- $(INSTALL) -m 755 -s $(TOOLS) "$(DESTDIR)$(bindir)"
-+ $(INSTALL) -m 755 $(TOOLS) "$(DESTDIR)$(bindir)"
- endif
- mkdir -p "$(DESTDIR)$(datadir)"
- set -e; for x in bios.bin vgabios.bin vgabios-cirrus.bin ppc_rom.bin \
-Index: xen-3.3.0/tools/ioemu-qemu-xen/Makefile.target
-===================================================================
---- xen-3.3.0.orig/tools/ioemu-qemu-xen/Makefile.target
-+++ xen-3.3.0/tools/ioemu-qemu-xen/Makefile.target
-@@ -707,7 +707,7 @@ clean:
-
- install: all install-hook
- ifneq ($(PROGS),)
-- $(INSTALL) -m 755 -s $(PROGS) "$(DESTDIR)$(bindir)"
-+ $(INSTALL) -m 755 $(PROGS) "$(DESTDIR)$(bindir)"
- endif
-
- # Include automatically generated dependency files
diff --git a/app-emulation/xen-tools/files/xen-tools-4-add-nopie.patch b/app-emulation/xen-tools/files/xen-tools-4-add-nopie.patch
deleted file mode 100644
index 0d8f8237a7f1..000000000000
--- a/app-emulation/xen-tools/files/xen-tools-4-add-nopie.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-2011-10-22 Ralf Glauberman <ralfglauberman@gmx.de>
-
- #360805 Don't compile ipxe with pie on hardened.
- * /tools/firmware/etherboot/patches/ipxe-nopie.patche New patch
-Reconstituted patch; Tue Jan 29 14:35:13 WST 2013
-
-diff -ur xen-4.2.0.orig/tools/firmware/etherboot/patches/series xen-4.2.0/tools/firmware/etherboot/patches/series
---- tools/firmware/etherboot/patches/series 2013-01-29 14:34:10.773520921 +0800
-+++ tools/firmware/etherboot/patches/series 2013-01-29 14:33:31.781519209 +0800
-@@ -2,3 +2,4 @@
- build_fix_1.patch
- build_fix_2.patch
- build_fix_3.patch
-+ipxe-nopie.patch
-
diff --git a/app-emulation/xen-tools/files/xen-tools-4.1.1-curl.patch b/app-emulation/xen-tools/files/xen-tools-4.1.1-curl.patch
deleted file mode 100644
index c3fd9138699f..000000000000
--- a/app-emulation/xen-tools/files/xen-tools-4.1.1-curl.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-diff -ur xen-4.1.1.orig//tools/check/check_curl xen-4.1.1/tools/check/check_curl
---- xen-4.1.1.orig//tools/check/check_curl 2011-06-15 00:03:44.000000000 +0800
-+++ xen-4.1.1/tools/check/check_curl 2011-10-14 00:42:08.189717078 +0800
-@@ -9,5 +9,6 @@
- fi
-
- has_or_fail curl-config
- curl_libs=`curl-config --libs` || fail "curl-config --libs failed"
-+curl_libs=`echo $curl_libs | sed -re 's/-(W|march|mtune|pipe)[^[:space:]]*[[:space:]]//g'` || fail "curl-config --libs failed"
- test_link $curl_libs || fail "dependency libraries for curl are missing"
diff --git a/app-emulation/xen-tools/files/xen-tools-4.1.1-libxl-tap.patch b/app-emulation/xen-tools/files/xen-tools-4.1.1-libxl-tap.patch
deleted file mode 100644
index ba72c497aa68..000000000000
--- a/app-emulation/xen-tools/files/xen-tools-4.1.1-libxl-tap.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Index: xen-tools-4.1.1/tools/libxl/libxl_dm.c
-===================================================================
---- xen-4.1.1.orig/tools/libxl/libxl_dm.c Tue Mar 15 10:14:27 2011 +0000
-+++ xen-4.1.1/tools/libxl/libxl_dm.c Tue Mar 15 18:19:47 2011 +0000
-@@ -828,8 +828,29 @@
- goto out;
- }
-
-- if (nr_disks > 0 && !libxl__blktap_enabled(&gc))
-- ret = 1;
-+ if (nr_disks > 0) {
-+ int blktap_enabled = -1;
-+ for (i = 0; i < nr_disks; i++) {
-+ switch (disks[i].backend) {
-+ case DISK_BACKEND_TAP:
-+ if (blktap_enabled == -1)
-+ blktap_enabled = libxl__blktap_enabled(&gc);
-+ if (!blktap_enabled) {
-+ ret = 1;
-+ goto out;
-+ }
-+ break;
-+
-+ case DISK_BACKEND_QDISK:
-+ ret = 1;
-+ goto out;
-+
-+ case DISK_BACKEND_PHY:
-+ case DISK_BACKEND_UNKNOWN:
-+ break;
-+ }
-+ }
-+ }
-
- out:
- libxl__free_all(&gc);
-
diff --git a/app-emulation/xen-tools/files/xen-tools-4.1.2-pyxml.patch b/app-emulation/xen-tools/files/xen-tools-4.1.2-pyxml.patch
deleted file mode 100644
index 5b14e4c410df..000000000000
--- a/app-emulation/xen-tools/files/xen-tools-4.1.2-pyxml.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- tools/python/xen/xm/create.py
-+++ tools/python/xen/xm/create.py
-@@ -1538,6 +1538,9 @@
- SXPPrettyPrint.prettyprint(config)
-
- if opts.vals.xmldryrun and serverType == SERVER_XEN_API:
-+ import xml
-+ if hasattr(xml, "use_pyxml"):
-+ xml.use_pyxml()
- from xml.dom.ext import PrettyPrint as XMLPrettyPrint
- XMLPrettyPrint(doc)
-
diff --git a/app-emulation/xen-tools/xen-tools-4.2.0-r3.ebuild b/app-emulation/xen-tools/xen-tools-4.2.0-r3.ebuild
deleted file mode 100644
index 8d2b62c8e7f7..000000000000
--- a/app-emulation/xen-tools/xen-tools-4.2.0-r3.ebuild
+++ /dev/null
@@ -1,345 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.0-r3.ebuild,v 1.10 2013/03/05 18:05:35 idella4 Exp $
-
-EAPI=5
-
-PYTHON_COMPAT=( python{2_6,2_7} )
-PYTHON_REQ_USE='xml,threads'
-
-IPXE_TARBALL_URL="http://dev.gentoo.org/~idella4/tarballs/ipxe.tar.gz"
-XEN_SEABIOS_URL="http://dev.gentoo.org/~idella4/tarballs/seabios-0-20121121.tar.bz2"
-
-if [[ $PV == *9999 ]]; then
- KEYWORDS=""
- REPO="xen-unstable.hg"
- EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
- S="${WORKDIR}/${REPO}"
- live_eclass="mercurial"
-else
- KEYWORDS="amd64 x86"
- SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz
- $IPXE_TARBALL_URL
- $XEN_SEABIOS_URL"
- S="${WORKDIR}/xen-${PV}"
-fi
-
-inherit flag-o-matic eutils multilib python-single-r1 toolchain-funcs udev ${live_eclass}
-
-DESCRIPTION="Xend daemon and tools"
-HOMEPAGE="http://xen.org/"
-DOCS=( README docs/README.xen-bugtool )
-
-LICENSE="GPL-2"
-SLOT="0"
-# TODO soon; ocaml up for a potential name change
-IUSE="api custom-cflags debug doc flask hvm ocaml qemu pygrub screen static-libs xend"
-
-REQUIRED_USE="hvm? ( qemu )"
-
-CDEPEND="dev-libs/yajl
- dev-python/lxml[${PYTHON_USEDEP}]
- dev-python/pypam[${PYTHON_USEDEP}]
- sys-libs/zlib
- sys-power/iasl
- ocaml? ( dev-ml/findlib )
- hvm? ( media-libs/libsdl )
- ${PYTHON_DEPS}
- api? ( dev-libs/libxml2
- net-misc/curl )
- ${PYTHON_DEPS}
- pygrub? ( ${PYTHON_DEPS//${PYTHON_REQ_USE}/ncurses} )"
-DEPEND="${CDEPEND}
- sys-devel/bin86
- sys-devel/dev86
- dev-lang/perl
- app-misc/pax-utils
- doc? (
- app-doc/doxygen
- dev-tex/latex2html[png,gif]
- media-gfx/transfig
- media-gfx/graphviz
- dev-tex/xcolor
- dev-texlive/texlive-latexextra
- virtual/latex-base
- dev-tex/latexmk
- dev-texlive/texlive-latex
- dev-texlive/texlive-pictures
- dev-texlive/texlive-latexrecommended
- )
- hvm? ( x11-proto/xproto
- )"
-RDEPEND="${CDEPEND}
- sys-apps/iproute2
- net-misc/bridge-utils
- ocaml? ( >=dev-lang/ocaml-3.12.0 )
- screen? (
- app-misc/screen
- app-admin/logrotate
- )
- virtual/udev"
-
-# hvmloader is used to bootstrap a fully virtualized kernel
-# Approved by QA team in bug #144032
-QA_WX_LOAD="usr/lib/xen/boot/hvmloader"
-
-RESTRICT="test"
-
-pkg_setup() {
- python-single-r1_pkg_setup
- export "CONFIG_LOMOUNT=y"
-
- if has_version dev-libs/libgcrypt; then
- export "CONFIG_GCRYPT=y"
- fi
-
- if use qemu; then
- export "CONFIG_IOEMU=y"
- else
- export "CONFIG_IOEMU=n"
- fi
-
- if ! use x86 && ! has x86 $(get_all_abis) && use hvm; then
- eerror "HVM (VT-x and AMD-v) cannot be built on this system. An x86 or"
- eerror "an amd64 multilib profile is required. Remove the hvm use flag"
- eerror "to build xen-tools on your current profile."
- die "USE=hvm is unsupported on this system."
- fi
-
- if [[ -z ${XEN_TARGET_ARCH} ]] ; then
- if use x86 && use amd64; then
- die "Confusion! Both x86 and amd64 are set in your use flags!"
- elif use x86; then
- export XEN_TARGET_ARCH="x86_32"
- elif use amd64 ; then
- export XEN_TARGET_ARCH="x86_64"
- else
- die "Unsupported architecture!"
- fi
- fi
-
- use api && export "LIBXENAPI_BINDINGS=y"
- use flask && export "FLASK_ENABLE=y"
-}
-
-src_prepare() {
- # Drop .config, fixes to gcc-4.6
- epatch "${FILESDIR}"/${PN/-tools/}-4-fix_dotconfig-gcc.patch
-
- # Xend
- if ! use xend; then
- sed -e 's:xm xen-bugtool xen-python-path xend:xen-bugtool xen-python-path:' \
- -i tools/misc/Makefile || die "Disabling xend failed"
- sed -e 's:^XEND_INITD:#XEND_INITD:' \
- -i tools/examples/Makefile || die "Disabling xend failed"
- fi
-
- # if the user *really* wants to use their own custom-cflags, let them
- if use custom-cflags; then
- einfo "User wants their own CFLAGS - removing defaults"
-
- # try and remove all the default cflags
- find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) \
- -exec sed \
- -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
- -i {} + || die "failed to re-set custom-cflags"
- fi
-
- if ! use pygrub; then
- sed -e '/^SUBDIRS-$(PYTHON_TOOLS) += pygrub$/d' -i tools/Makefile || die
- fi
-
- # Disable hvm support on systems that don't support x86_32 binaries.
- if ! use hvm; then
- sed -e '/^CONFIG_IOEMU := y$/d' -i config/*.mk || die
- sed -e '/SUBDIRS-$(CONFIG_X86) += firmware/d' -i tools/Makefile || die
- fi
-
- # Don't bother with qemu, only needed for fully virtualised guests
- if ! use qemu; then
- sed -e "/^CONFIG_IOEMU := y$/d" -i config/*.mk || die
- sed -e "s:install-tools\: tools/ioemu-dir:install-tools\: :g" -i Makefile || die
- fi
-
- # Fix texi2html build error with new texi2html
- epatch "${FILESDIR}"/${PN}-4-docfix.patch
-
- # Fix network broadcast on bridged networks
- epatch "${FILESDIR}/${PN}-3.4.0-network-bridge-broadcast.patch"
-
- # Prevent the downloading of ipxe, seabios
- epatch "${FILESDIR}"/${P/-tools/}-anti-download.patch
- cp "${DISTDIR}"/ipxe.tar.gz tools/firmware/etherboot/ || die
- mv ../seabios-dir-remote tools/firmware/ || die
- pushd tools/firmware/ > /dev/null
- ln -s seabios-dir-remote seabios-dir || die
- popd > /dev/null
-
- # Fix bridge by idella4, bug #362575
- epatch "${FILESDIR}/${PN}-4.1.1-bridge.patch"
-
- # Don't build ipxe with pie on hardened, Bug #360805
- if gcc-specs-pie; then
- epatch "${FILESDIR}"/ipxe-nopie.patch
- fi
-
- # Prevent double stripping of files at install
- epatch "${FILESDIR}"/${P/-tools/}-nostrip.patch
-
- # fix jobserver in Makefile
- epatch "${FILESDIR}"/${P/-tools/}-jserver.patch
-
- #Sec patches
- epatch "${FILESDIR}"/xen-4-CVE-2012-4544-XSA-25.patch \
- "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch
-}
-
-src_compile() {
- export VARTEXFONTS="${T}/fonts"
- local myopt
- use debug && myopt="${myopt} debug=y"
-
- use custom-cflags || unset CFLAGS
- if test-flag-CC -fno-strict-overflow; then
- append-flags -fno-strict-overflow
- fi
-
- unset LDFLAGS
- unset CFLAGS
- emake CC="$(tc-getCC)" LD="$(tc-getLD)" -C tools ${myopt}
-
- use doc && emake -C docs txt html
- emake -C docs man-pages
-}
-
-src_install() {
- # Override auto-detection in the build system, bug #382573
- export INITD_DIR=/tmp/init.d
- export CONFIG_LEAF_DIR=../tmp/default
-
- # Let the build system compile installed Python modules.
- local PYTHONDONTWRITEBYTECODE
- export PYTHONDONTWRITEBYTECODE
-
- emake DESTDIR="${D}" DOCDIR="/usr/share/doc/${PF}" \
- install-tools
-
- # Fix the remaining Python shebangs.
- python_fix_shebang "${D}"
-
- # Remove RedHat-specific stuff
- rm -rf "${D}"tmp || die
-
- # uncomment lines in xl.conf
- sed -e 's:^#autoballoon=1:autoballoon=1:' \
- -e 's:^#lockfile="/var/lock/xl":lockfile="/var/lock/xl":' \
- -e 's:^#vifscript="vif-bridge":vifscript="vif-bridge":' \
- -i tools/examples/xl.conf || die
-
- if use doc; then
- emake DESTDIR="${D}" DOCDIR="/usr/share/doc/${PF}" install-docs
-
- dohtml -r docs/html/
- docinto pdf
- dodoc ${DOCS[@]}
- [ -d "${D}"/usr/share/doc/xen ] && mv "${ED}"/usr/share/doc/xen/* "${ED}"/usr/share/doc/${PF}/html
- fi
-
- rm -rf "${D}"/usr/share/doc/xen/
- doman docs/man?/*
-
- if use xend; then
- newinitd "${FILESDIR}"/xend.initd-r2 xend || die "Couldn't install xen.initd"
- fi
- newconfd "${FILESDIR}"/xendomains.confd xendomains
- newconfd "${FILESDIR}"/xenstored.confd xenstored
- newconfd "${FILESDIR}"/xenconsoled.confd xenconsoled
- newinitd "${FILESDIR}"/xendomains.initd-r2 xendomains
- newinitd "${FILESDIR}"/xenstored.initd xenstored
- newinitd "${FILESDIR}"/xenconsoled.initd xenconsoled
-
- if use screen; then
- cat "${FILESDIR}"/xendomains-screen.confd >> "${D}"/etc/conf.d/xendomains || die
- cp "${FILESDIR}"/xen-consoles.logrotate "${D}"/etc/xen/ || die
- keepdir /var/log/xen-consoles
- fi
-
- # Set dirs for qemu files,; Bug #458818
- if use qemu; then
- if use x86; then
- dodir /usr/lib/xen/bin
- elif use amd64; then
- mv "${D}"usr/lib/xen/bin/qemu* "${D}"usr/$(get_libdir)/xen/bin/ || die
- fi
- fi
-
- # For -static-libs wrt Bug 384355
- if ! use static-libs; then
- rm -f "${D}"usr/$(get_libdir)/*.a "${ED}"usr/$(get_libdir)/ocaml/*/*.a
- fi
-
- # xend expects these to exist
- keepdir /var/run/xenstored /var/lib/xenstored /var/xen/dump /var/lib/xen /var/log/xen
-
- # for xendomains
- keepdir /etc/xen/auto
-
- # Temp QA workaround
- dodir "$(udev_get_udevdir)"
- mv "${D}"/etc/udev/* "${ED}/$(udev_get_udevdir)"
- rm -rf "${D}"/etc/udev
-
- # Remove files failing QA AFTER emake installs them, avoiding seeking absent files
- find "${D}" \( -name openbios-sparc32 -o -name openbios-sparc64 \
- -o -name openbios-ppc -o -name palcode-clipper \) -delete || die
-}
-
-pkg_postinst() {
- elog "Official Xen Guide and the unoffical wiki page:"
- elog " http://www.gentoo.org/doc/en/xen-guide.xml"
- elog " http://gentoo-wiki.com/HOWTO_Xen_and_Gentoo"
-
- if [[ "$(scanelf -s __guard -q "${PYTHON}")" ]] ; then
- echo
- ewarn "xend may not work when python is built with stack smashing protection (ssp)."
- ewarn "If 'xm create' fails with '<ProtocolError for /RPC2: -1 >', see bug #141866"
- ewarn "This problem may be resolved as of Xen 3.0.4, if not post in the bug."
- fi
-
- # TODO: we need to have the current Python slot here.
- if ! has_version "dev-lang/python[ncurses]"; then
- echo
- ewarn "NB: Your dev-lang/python is built without USE=ncurses."
- ewarn "Please rebuild python with USE=ncurses to make use of xenmon.py."
- fi
-
- if has_version "sys-apps/iproute2[minimal]"; then
- echo
- ewarn "Your sys-apps/iproute2 is built with USE=minimal. Networking"
- ewarn "will not work until you rebuild iproute2 without USE=minimal."
- fi
-
- if ! use hvm; then
- echo
- elog "HVM (VT-x and AMD-V) support has been disabled. If you need hvm"
- elog "support enable the hvm use flag."
- elog "An x86 or amd64 multilib system is required to build HVM support."
- echo
- elog "The qemu use flag has been removed and replaced with hvm."
- fi
-
- if use xend; then
- echo
- elog "xend capability has been enabled and installed"
- fi
-
- if grep -qsF XENSV= "${ROOT}/etc/conf.d/xend"; then
- echo
- elog "xensv is broken upstream (Gentoo bug #142011)."
- elog "Please remove '${ROOT%/}/etc/conf.d/xend', as it is no longer needed."
- fi
-}
diff --git a/app-emulation/xen-tools/xen-tools-4.2.1-r2.ebuild b/app-emulation/xen-tools/xen-tools-4.2.1-r2.ebuild
deleted file mode 100644
index a1c3581c60a7..000000000000
--- a/app-emulation/xen-tools/xen-tools-4.2.1-r2.ebuild
+++ /dev/null
@@ -1,347 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.1-r2.ebuild,v 1.6 2013/03/05 18:05:35 idella4 Exp $
-
-EAPI=5
-
-PYTHON_COMPAT=( python{2_6,2_7} )
-PYTHON_REQ_USE='xml,threads'
-
-IPXE_TARBALL_URL="http://dev.gentoo.org/~idella4/tarballs/ipxe.tar.gz"
-XEN_SEABIOS_URL="http://dev.gentoo.org/~idella4/tarballs/seabios-0-20121121.tar.bz2"
-
-if [[ $PV == *9999 ]]; then
- KEYWORDS=""
- REPO="xen-unstable.hg"
- EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
- S="${WORKDIR}/${REPO}"
- live_eclass="mercurial"
-else
- KEYWORDS="~amd64 ~x86"
- SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz
- $IPXE_TARBALL_URL
- $XEN_SEABIOS_URL"
- S="${WORKDIR}/xen-${PV}"
-fi
-
-inherit flag-o-matic eutils multilib python-single-r1 toolchain-funcs udev ${live_eclass}
-
-DESCRIPTION="Xend daemon and tools"
-HOMEPAGE="http://xen.org/"
-DOCS=( README docs/README.xen-bugtool )
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="api custom-cflags debug doc flask hvm qemu ocaml pygrub screen static-libs xend"
-
-REQUIRED_USE="hvm? ( qemu )"
-
-CDEPEND="<dev-libs/yajl-2
- dev-python/lxml[${PYTHON_USEDEP}]
- dev-python/pypam[${PYTHON_USEDEP}]
- sys-libs/zlib
- sys-power/iasl
- ocaml? ( dev-ml/findlib )
- hvm? ( media-libs/libsdl )
- ${PYTHON_DEPS}
- api? ( dev-libs/libxml2
- net-misc/curl )
- ${PYTHON_DEPS}
- pygrub? ( ${PYTHON_DEPS//${PYTHON_REQ_USE}/ncurses} )"
-DEPEND="${CDEPEND}
- sys-devel/bin86
- sys-devel/dev86
- dev-lang/perl
- app-misc/pax-utils
- doc? (
- app-doc/doxygen
- dev-tex/latex2html[png,gif]
- media-gfx/transfig
- media-gfx/graphviz
- dev-tex/xcolor
- dev-texlive/texlive-latexextra
- virtual/latex-base
- dev-tex/latexmk
- dev-texlive/texlive-latex
- dev-texlive/texlive-pictures
- dev-texlive/texlive-latexrecommended
- )
- hvm? ( x11-proto/xproto
- )"
-RDEPEND="${CDEPEND}
- sys-apps/iproute2
- net-misc/bridge-utils
- ocaml? ( >=dev-lang/ocaml-3.12.0 )
- screen? (
- app-misc/screen
- app-admin/logrotate
- )
- virtual/udev"
-
-# hvmloader is used to bootstrap a fully virtualized kernel
-# Approved by QA team in bug #144032
-QA_WX_LOAD="usr/lib/xen/boot/hvmloader"
-
-RESTRICT="test"
-
-pkg_setup() {
- python-single-r1_pkg_setup
- export "CONFIG_LOMOUNT=y"
-
- if has_version dev-libs/libgcrypt; then
- export "CONFIG_GCRYPT=y"
- fi
-
- if use qemu; then
- export "CONFIG_IOEMU=y"
- else
- export "CONFIG_IOEMU=n"
- fi
-
- if ! use x86 && ! has x86 $(get_all_abis) && use hvm; then
- eerror "HVM (VT-x and AMD-v) cannot be built on this system. An x86 or"
- eerror "an amd64 multilib profile is required. Remove the hvm use flag"
- eerror "to build xen-tools on your current profile."
- die "USE=hvm is unsupported on this system."
- fi
-
- if [[ -z ${XEN_TARGET_ARCH} ]] ; then
- if use x86 && use amd64; then
- die "Confusion! Both x86 and amd64 are set in your use flags!"
- elif use x86; then
- export XEN_TARGET_ARCH="x86_32"
- elif use amd64 ; then
- export XEN_TARGET_ARCH="x86_64"
- else
- die "Unsupported architecture!"
- fi
- fi
-
- use api && export "LIBXENAPI_BINDINGS=y"
- use flask && export "FLASK_ENABLE=y"
-}
-
-src_prepare() {
- # Drop .config, fixes to gcc-4.6
- epatch "${FILESDIR}"/${PN/-tools/}-4-fix_dotconfig-gcc.patch
-
- # Xend
- if ! use xend; then
- sed -e 's:xm xen-bugtool xen-python-path xend:xen-bugtool xen-python-path:' \
- -i tools/misc/Makefile || die "Disabling xend failed"
- sed -e 's:^XEND_INITD:#XEND_INITD:' \
- -i tools/examples/Makefile || die "Disabling xend failed"
- fi
-
- # if the user *really* wants to use their own custom-cflags, let them
- if use custom-cflags; then
- einfo "User wants their own CFLAGS - removing defaults"
-
- # try and remove all the default cflags
- find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) \
- -exec sed \
- -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
- -i {} + || die "failed to re-set custom-cflags"
- fi
-
- if ! use pygrub; then
- sed -e '/^SUBDIRS-$(PYTHON_TOOLS) += pygrub$/d' -i tools/Makefile || die
- fi
-
- # Disable hvm support on systems that don't support x86_32 binaries.
- if ! use hvm; then
- sed -e '/^CONFIG_IOEMU := y$/d' -i config/*.mk || die
- sed -e '/SUBDIRS-$(CONFIG_X86) += firmware/d' -i tools/Makefile || die
- fi
-
- # Don't bother with qemu, only needed for fully virtualised guests
- if ! use qemu; then
- sed -e "/^CONFIG_IOEMU := y$/d" -i config/*.mk || die
- sed -e "s:install-tools\: tools/ioemu-dir:install-tools\: :g" -i Makefile || die
- fi
-
- # Fix texi2html build error with new texi2html
- epatch "${FILESDIR}"/${PN}-4-docfix.patch
-
- # Fix network broadcast on bridged networks
- epatch "${FILESDIR}/${PN}-3.4.0-network-bridge-broadcast.patch"
-
- # Prevent the downloading of ipxe, seabios
- epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-anti-download.patch
- cp "${DISTDIR}"/ipxe.tar.gz tools/firmware/etherboot/ || die
- mv ../seabios-dir-remote tools/firmware/ || die
- pushd tools/firmware/ > /dev/null
- ln -s seabios-dir-remote seabios-dir || die
- popd > /dev/null
-
- # Fix bridge by idella4, bug #362575
- epatch "${FILESDIR}/${PN}-4.1.1-bridge.patch"
-
- # Don't build ipxe with pie on hardened, Bug #360805
- if gcc-specs-pie; then
- epatch "${FILESDIR}"/ipxe-nopie.patch
- fi
-
- # Prevent double stripping of files at install
- epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-nostrip.patch
-
- # fix jobserver in Makefile
- epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-jserver.patch
-
- #Sec patch, currently valid
- epatch "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch
-
- if use hvm; then
- cp -r "${FILESDIR}"/stubs-32.h xen/tools/include || die "copy of header file failed"
- einfo "stubs-32.h added"
- fi
-}
-
-src_compile() {
- export VARTEXFONTS="${T}/fonts"
- local myopt
- use debug && myopt="${myopt} debug=y"
-
- use custom-cflags || unset CFLAGS
- if test-flag-CC -fno-strict-overflow; then
- append-flags -fno-strict-overflow
- fi
-
- unset LDFLAGS
- unset CFLAGS
- emake CC="$(tc-getCC)" LD="$(tc-getLD)" -C tools ${myopt}
-
- use doc && emake -C docs txt html
- emake -C docs man-pages
-}
-
-src_install() {
- # Override auto-detection in the build system, bug #382573
- export INITD_DIR=/tmp/init.d
- export CONFIG_LEAF_DIR=../tmp/default
-
- # Let the build system compile installed Python modules.
- local PYTHONDONTWRITEBYTECODE
- export PYTHONDONTWRITEBYTECODE
-
- emake DESTDIR="${D}" DOCDIR="/usr/share/doc/${PF}" install-tools
-
- # Fix the remaining Python shebangs.
- python_fix_shebang "${D}"
-
- # Remove RedHat-specific stuff
- rm -rf "${D}"tmp || die
-
- # uncomment lines in xl.conf
- sed -e 's:^#autoballoon=1:autoballoon=1:' \
- -e 's:^#lockfile="/var/lock/xl":lockfile="/var/lock/xl":' \
- -e 's:^#vifscript="vif-bridge":vifscript="vif-bridge":' \
- -i tools/examples/xl.conf || die
-
- if use doc; then
- emake DESTDIR="${D}" DOCDIR="/usr/share/doc/${PF}" install-docs
-
- dohtml -r docs/
- docinto pdf
- dodoc ${DOCS[@]}
- [ -d "${D}"/usr/share/doc/xen ] && mv "${D}"/usr/share/doc/xen/* "${D}"/usr/share/doc/${PF}/html
- fi
-
- rm -rf "${D}"/usr/share/doc/xen/
- doman docs/man?/*
-
- if use xend; then
- newinitd "${FILESDIR}"/xend.initd-r2 xend || die "Couldn't install xen.initd"
- fi
- newconfd "${FILESDIR}"/xendomains.confd xendomains
- newconfd "${FILESDIR}"/xenstored.confd xenstored
- newconfd "${FILESDIR}"/xenconsoled.confd xenconsoled
- newinitd "${FILESDIR}"/xendomains.initd-r2 xendomains
- newinitd "${FILESDIR}"/xenstored.initd xenstored
- newinitd "${FILESDIR}"/xenconsoled.initd xenconsoled
-
- if use screen; then
- cat "${FILESDIR}"/xendomains-screen.confd >> "${D}"/etc/conf.d/xendomains || die
- cp "${FILESDIR}"/xen-consoles.logrotate "${D}"/etc/xen/ || die
- keepdir /var/log/xen-consoles
- fi
-
- # Set dirs for qemu files,; Bug #458818
- if use qemu; then
- if use x86; then
- dodir /usr/lib/xen/bin
- elif use amd64; then
- mv "${D}"usr/lib/xen/bin/qemu* "${D}"usr/$(get_libdir)/xen/bin/ || die
- fi
- fi
-
- # For -static-libs wrt Bug 384355
- if ! use static-libs; then
- rm -f "${D}"usr/$(get_libdir)/*.a "${D}"usr/$(get_libdir)/ocaml/*/*.a
- fi
-
- # xend expects these to exist
- keepdir /var/run/xenstored /var/lib/xenstored /var/xen/dump /var/lib/xen /var/log/xen
-
- # for xendomains
- keepdir /etc/xen/auto
-
- # Temp QA workaround
- dodir "$(udev_get_udevdir)"
- mv "${D}"/etc/udev/* "${D}/$(udev_get_udevdir)"
- rm -rf "${D}"/etc/udev
-
- # Remove files failing QA AFTER emake installs them, avoiding seeking absent files
- find "${D}" \( -name openbios-sparc32 -o -name openbios-sparc64 \
- -o -name openbios-ppc -o -name palcode-clipper \) -delete || die
-}
-
-pkg_postinst() {
- elog "Official Xen Guide and the unoffical wiki page:"
- elog " http://www.gentoo.org/doc/en/xen-guide.xml"
- elog " http://gentoo-wiki.com/HOWTO_Xen_and_Gentoo"
-
- if [[ "$(scanelf -s __guard -q "${PYTHON}")" ]] ; then
- echo
- ewarn "xend may not work when python is built with stack smashing protection (ssp)."
- ewarn "If 'xm create' fails with '<ProtocolError for /RPC2: -1 >', see bug #141866"
- ewarn "This problem may be resolved as of Xen 3.0.4, if not post in the bug."
- fi
-
- # TODO: we need to have the current Python slot here.
- if ! has_version "dev-lang/python[ncurses]"; then
- echo
- ewarn "NB: Your dev-lang/python is built without USE=ncurses."
- ewarn "Please rebuild python with USE=ncurses to make use of xenmon.py."
- fi
-
- if has_version "sys-apps/iproute2[minimal]"; then
- echo
- ewarn "Your sys-apps/iproute2 is built with USE=minimal. Networking"
- ewarn "will not work until you rebuild iproute2 without USE=minimal."
- fi
-
- if ! use hvm; then
- echo
- elog "HVM (VT-x and AMD-V) support has been disabled. If you need hvm"
- elog "support enable the hvm use flag."
- elog "An x86 or amd64 multilib system is required to build HVM support."
- echo
- elog "The qemu use flag has been removed and replaced with hvm."
- fi
-
- if use xend; then
- echo
- elog "xend capability has been enabled and installed"
- fi
-
- if grep -qsF XENSV= "${ROOT}/etc/conf.d/xend"; then
- echo
- elog "xensv is broken upstream (Gentoo bug #142011)."
- elog "Please remove '${ROOT%/}/etc/conf.d/xend', as it is no longer needed."
- fi
-}
diff --git a/app-emulation/xen-tools/xen-tools-4.2.1.ebuild b/app-emulation/xen-tools/xen-tools-4.2.1-r4.ebuild
index b61b1d2641ec..c1392c3e66ce 100644
--- a/app-emulation/xen-tools/xen-tools-4.2.1.ebuild
+++ b/app-emulation/xen-tools/xen-tools-4.2.1-r4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.1.ebuild,v 1.2 2013/01/24 08:53:49 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.1-r4.ebuild,v 1.1 2013/06/26 14:41:37 idella4 Exp $
EAPI=5
@@ -23,6 +23,7 @@ else
$XEN_SEABIOS_URL"
S="${WORKDIR}/xen-${PV}"
fi
+
inherit flag-o-matic eutils multilib python-single-r1 toolchain-funcs udev ${live_eclass}
DESCRIPTION="Xend daemon and tools"
@@ -31,29 +32,28 @@ DOCS=( README docs/README.xen-bugtool )
LICENSE="GPL-2"
SLOT="0"
-# TODO soon;ocaml
IUSE="api custom-cflags debug doc flask hvm qemu ocaml pygrub screen static-libs xend"
REQUIRED_USE="hvm? ( qemu )"
-CDEPEND="<dev-libs/yajl-2
+CDEPEND="dev-libs/yajl
dev-python/lxml[${PYTHON_USEDEP}]
dev-python/pypam[${PYTHON_USEDEP}]
dev-python/pyxml[${PYTHON_USEDEP}]
sys-libs/zlib
sys-power/iasl
- dev-ml/findlib
+ ocaml? ( dev-ml/findlib )
hvm? ( media-libs/libsdl )
- api? ( dev-libs/libxml2 net-misc/curl )
+ ${PYTHON_DEPS}
+ api? ( dev-libs/libxml2
+ net-misc/curl )
${PYTHON_DEPS}
pygrub? ( ${PYTHON_DEPS//${PYTHON_REQ_USE}/ncurses} )"
-
DEPEND="${CDEPEND}
sys-devel/bin86
sys-devel/dev86
dev-lang/perl
app-misc/pax-utils
- dev-ml/findlib
doc? (
app-doc/doxygen
dev-tex/latex2html[png,gif]
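Review bot: The added `${PYTHON_DEPS}` line ahead of the `api?` group duplicates the `${PYTHON_DEPS}` entry that already follows that group in CDEPEND, so the variable is expanded twice in the same string. The repetition is harmless to dependency resolution, but it makes the list harder to audit; dropping the added line leaves the dependency set unchanged. The DEPEND assignment that starts in this hunk continues past its end.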
@@ -67,16 +67,12 @@ DEPEND="${CDEPEND}
dev-texlive/texlive-pictures
dev-texlive/texlive-latexrecommended
)
- hvm? (
- x11-proto/xproto
- sys-devel/dev86
- )
- "
-
+ hvm? ( x11-proto/xproto )
+ qemu? ( >=sys-apps/texinfo-5 )"
RDEPEND="${CDEPEND}
sys-apps/iproute2
net-misc/bridge-utils
- >=dev-lang/ocaml-3.12.0
+ ocaml? ( >=dev-lang/ocaml-3.12.0 )
screen? (
app-misc/screen
app-admin/logrotate
@@ -127,10 +123,8 @@ pkg_setup() {
}
src_prepare() {
- sed -e 's/-Wall//' -i Config.mk || die "Couldn't sanitize CFLAGS"
-
- # Drop .config
- sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop"
+ # Drop .config, fixes to gcc-4.6
+ epatch "${FILESDIR}"/${PN/-tools/}-4-fix_dotconfig-gcc.patch
# Xend
if ! use xend; then
@@ -139,6 +133,7 @@ src_prepare() {
sed -e 's:^XEND_INITD:#XEND_INITD:' \
-i tools/examples/Makefile || die "Disabling xend failed"
fi
+
# if the user *really* wants to use their own custom-cflags, let them
if use custom-cflags; then
einfo "User wants their own CFLAGS - removing defaults"
@@ -170,13 +165,9 @@ src_prepare() {
sed -e "s:install-tools\: tools/ioemu-dir:install-tools\: :g" -i Makefile || die
fi
- # Fix build for gcc-4.6
- find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) \
- -exec sed -e "s:-Werror::g" -i {} + || die "Failed to remove -Werror"
-
- # Fix texi2html build error with new texi2html
- sed -r -e "s:(texi2html.*) -number:\1:" \
- -i tools/qemu-xen-traditional/Makefile || die
+ # Fix texi2html build error with new texi2html, qemu.doc.html
+ epatch "${FILESDIR}"/${PN}-4-docfix.patch \
+ "${FILESDIR}"/${PN}-4-qemu-xen-doc.patch
# Fix network broadcast on bridged networks
epatch "${FILESDIR}/${PN}-3.4.0-network-bridge-broadcast.patch"
@@ -194,7 +185,7 @@ src_prepare() {
# Don't build ipxe with pie on hardened, Bug #360805
if gcc-specs-pie; then
- epatch "${FILESDIR}/ipxe-nopie.patch"
+ epatch "${FILESDIR}"/ipxe-nopie.patch
fi
# Prevent double stripping of files at install
@@ -202,6 +193,34 @@ src_prepare() {
# fix jobserver in Makefile
epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-jserver.patch
+
+ # add missing typedef
+ epatch "${FILESDIR}"/xen-4-ulong.patch \
+ "${FILESDIR}"/${PN}-4.2-xen_disk_leak.patch
+
+ #Sec patches currently valid
+ epatch "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-0215-XSA-38.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1919-XSA-46.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1952-XSA_49.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-1-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-2-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-3-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-4-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-5to7-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-8-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-9to10-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-11-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-12to13-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-14-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-15-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-16-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-17-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-18to19-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-20to23-XSA-55.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-2072-XSA-56.patch \
+ "${FILESDIR}"/xen-4.2-CVE-XSA-57.patch
}
src_compile() {
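Review bot: The XSA-49 patch is spelled `xen-4-CVE-2013-1952-XSA_49.patch` in this epatch list, while the list added to xen-tools-4.2.2-r2.ebuild in the same commit spells it `xen-4-CVE-2013-1952-XSA-49.patch`. Unless FILESDIR holds a file under each name, one of the two ebuilds presumably dies in src_prepare; using the hyphenated name in both lists would remove the doubt. Separately, the `CVE-2013-1` … `CVE-2013-20to23` parts of the XSA-55 file names look like series numbers rather than CVE identifiers. A comment such as `# XSA-55 ships as a numbered series; the CVE-2013-N part of each file name is the series index` would help anyone auditing which advisories are covered. The comment `# add missing typedef` also describes only the first of the two patches beneath it.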
@@ -218,12 +237,7 @@ src_compile() {
unset CFLAGS
emake CC="$(tc-getCC)" LD="$(tc-getLD)" -C tools ${myopt}
- if use doc; then
- sh ./docs/check_pkgs || die "package check failed"
- emake docs
- emake dev-docs
- fi
-
+ use doc && emake -C docs txt html
emake -C docs man-pages
}
@@ -254,7 +268,7 @@ src_install() {
if use doc; then
emake DESTDIR="${ED}" DOCDIR="/usr/share/doc/${PF}" install-docs
- dohtml -r docs/api/
+ dohtml -r docs/
docinto pdf
dodoc ${DOCS[@]}
[ -d "${ED}"/usr/share/doc/xen ] && mv "${ED}"/usr/share/doc/xen/* "${ED}"/usr/share/doc/${PF}/html
@@ -279,6 +293,11 @@ src_install() {
keepdir /var/log/xen-consoles
fi
+ if use qemu; then
+ mkdir -p "${D}"usr/lib64/xen/bin || die
+ mv "${D}"usr/lib/xen/bin/qemu* "${D}"usr/lib64/xen/bin/ || die
+ fi
+
# For -static-libs wrt Bug 384355
if ! use static-libs; then
rm -f "${ED}"usr/$(get_libdir)/*.a "${ED}"usr/$(get_libdir)/ocaml/*/*.a
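Review bot: The added qemu block hard-codes `usr/lib64` and uses `${D}`, while the static-libs lines directly below it use `${ED}` and `$(get_libdir)`. On a profile whose libdir is `lib`, this moves the qemu binaries into a `lib64` tree that nothing else in the ebuild refers to. The removed xen-tools-4.2.1-r2.ebuild in this commit handled the same step with a `use x86` / `use amd64` branch and `$(get_libdir)`. I would guard the block with `if use qemu && [[ $(get_libdir) != lib ]]; then` and move with `mv "${ED}"usr/lib/xen/bin/qemu* "${ED}"usr/$(get_libdir)/xen/bin/ || die`. The static-libs `if` that follows closes outside this hunk.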
diff --git a/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild b/app-emulation/xen-tools/xen-tools-4.2.2-r2.ebuild
index 64c317761e34..50dab2baa7a8 100644
--- a/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild
+++ b/app-emulation/xen-tools/xen-tools-4.2.2-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.1-r1.ebuild,v 1.9 2013/05/15 17:47:47 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.2-r2.ebuild,v 1.1 2013/06/26 14:41:37 idella4 Exp $
EAPI=5
@@ -36,13 +36,14 @@ IUSE="api custom-cflags debug doc flask hvm qemu ocaml pygrub screen static-libs
REQUIRED_USE="hvm? ( qemu )"
-CDEPEND="dev-libs/yajl
+CDEPEND="dev-libs/lzo:2
+ dev-libs/yajl
dev-python/lxml[${PYTHON_USEDEP}]
dev-python/pypam[${PYTHON_USEDEP}]
dev-python/pyxml[${PYTHON_USEDEP}]
sys-libs/zlib
sys-power/iasl
- ocaml? ( dev-ml/findlib )
+ dev-ml/findlib
hvm? ( media-libs/libsdl )
${PYTHON_DEPS}
api? ( dev-libs/libxml2
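Review bot: `dev-ml/findlib` becomes an unconditional CDEPEND entry here, although `ocaml` is still in IUSE and the RDEPEND in the next hunk keeps `ocaml? ( >=dev-lang/ocaml-4 )`. The 4.2.1-r4 ebuild in this commit makes the opposite change and gates findlib on the flag. If the 4.2.2 build does not need findlib with USE=-ocaml, keeping `ocaml? ( dev-ml/findlib )` avoids pulling the OCaml toolchain onto hosts that disabled it. If it does need it, a short comment saying why would explain the difference between the two revisions. The CDEPEND string continues past this hunk.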
@@ -67,12 +68,12 @@ DEPEND="${CDEPEND}
dev-texlive/texlive-pictures
dev-texlive/texlive-latexrecommended
)
- hvm? ( x11-proto/xproto
- )"
+ hvm? ( x11-proto/xproto )
+ qemu? ( >=sys-apps/texinfo-5 )"
RDEPEND="${CDEPEND}
sys-apps/iproute2
net-misc/bridge-utils
- ocaml? ( >=dev-lang/ocaml-3.12.0 )
+ ocaml? ( >=dev-lang/ocaml-4 )
screen? (
app-misc/screen
app-admin/logrotate
@@ -165,8 +166,9 @@ src_prepare() {
sed -e "s:install-tools\: tools/ioemu-dir:install-tools\: :g" -i Makefile || die
fi
- # Fix texi2html build error with new texi2html
- epatch "${FILESDIR}"/${PN}-4-docfix.patch
+ # Fix texi2html build error with new texi2html, qemu.doc.html
+ epatch "${FILESDIR}"/${PN}-4-docfix.patch \
+ "${FILESDIR}"/${PN}-4-qemu-xen-doc.patch
# Fix network broadcast on bridged networks
epatch "${FILESDIR}/${PN}-3.4.0-network-bridge-broadcast.patch"
@@ -193,8 +195,33 @@ src_prepare() {
# fix jobserver in Makefile
epatch "${FILESDIR}"/${PN/-tools/}-4.2.0-jserver.patch
- #Sec patch, currently valid
- epatch "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch
+ # add missing header
+ epatch "${FILESDIR}"/xen-4-ulong.patch \
+ "${FILESDIR}"/${PN}-4.2-xen_disk_leak.patch
+
+ #Security patches, currently valid
+ epatch "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-1952-XSA-49.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-1-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-2-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-3-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-4-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-5to7-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-8-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-9to10-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-11-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-12to13-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-14-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-15-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-16-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-17-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-18to19-XSA-55.patch \
+ "${FILESDIR}"/xen-4.2-CVE-2013-20to23-XSA-55.patch \
+ "${FILESDIR}"/xen-4-CVE-2013-2072-XSA-56.patch \
+ "${FILESDIR}"/xen-4.2-CVE-XSA-57.patch
+
+ epatch_user
}
src_compile() {
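Review bot: This security-patch list omits `xen-4-CVE-2013-0215-XSA-38.patch` and `xen-4-CVE-2013-1919-XSA-46.patch`, both of which the 4.2.1-r4 list in the same commit applies, and nothing in the ebuild says why. Presumably the 4.2.2 tarball already contains those fixes. A comment above the list, for example `# XSA-38 and XSA-46 are not applied: expected to be in the 4.2.2 release, confirm against upstream`, would record that for the next person auditing advisory coverage. The preceding comment `# add missing header` describes only xen-4-ulong.patch, not the xen_disk_leak patch applied with it.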