[Pkg-xen-changes] r1120 - in branches/wheezy/xen/debian: . patches

Bastian Blank waldi at alioth.debian.org
Tue Nov 20 10:16:53 UTC 2012


Author: waldi
Date: Tue Nov 20 10:16:52 2012
New Revision: 1120

Log:
* debian/changelog: Update.
* debian/patches:
  Add fixes for CVE-2012-4535, CVE-2012-4536, CVE-2012-4537, CVE-2012-4538,
  CVE-2012-4539 and CVE-2012-4544.

Added:
   branches/wheezy/xen/debian/patches/CVE-2012-4535
   branches/wheezy/xen/debian/patches/CVE-2012-4536
   branches/wheezy/xen/debian/patches/CVE-2012-4537
   branches/wheezy/xen/debian/patches/CVE-2012-4538
   branches/wheezy/xen/debian/patches/CVE-2012-4539
   branches/wheezy/xen/debian/patches/CVE-2012-4544
Modified:
   branches/wheezy/xen/debian/changelog
   branches/wheezy/xen/debian/patches/series

Modified: branches/wheezy/xen/debian/changelog
==============================================================================
--- branches/wheezy/xen/debian/changelog	Mon Nov 19 17:08:44 2012	(r1119)
+++ branches/wheezy/xen/debian/changelog	Tue Nov 20 10:16:52 2012	(r1120)
@@ -1,6 +1,18 @@
 xen (4.1.3-4) UNRELEASED; urgency=low
 
   * Use linux 3.2.0-4 stuff.
+  * Fix overflow in timer calculations.
+    CVE-2012-4535
+  * Check value of physical interrupts parameter before using it.
+    CVE-2012-4536
+  * Error out on incorrect memory mapping updates.
+    CVE-2012-4537
+  * Check if toplevel page tables are present.
+    CVE-2012-4538
+  * Fix infinite loop in compatibility code.
+    CVE-2012-4539
+  * Limit maximum kernel and ramdisk size.
+    CVE-2012-2625, CVE-2012-4544
 
  -- Bastian Blank <waldi at debian.org>  Mon, 19 Nov 2012 18:07:59 +0100
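Review bot: the changelog entry `CVE-2012-2625, CVE-2012-4544` credits two CVEs to the size-limit fix, while the commit log at the top of this mail lists only CVE-2012-4544; the patch header (`Id: CVE-2012-2625, CVE-2012-4544`) and the pygrub hunks cover both, so the log message should name CVE-2012-2625 as well, otherwise the two records disagree about what this revision fixes.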
 

Added: branches/wheezy/xen/debian/patches/CVE-2012-4535
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-4535	Tue Nov 20 10:16:52 2012	(r1120)
@@ -0,0 +1,35 @@
+Description: VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
+ The timer action for a vcpu periodic timer is to calculate the next
+ expiry time, and to reinsert itself into the timer queue.  If the
+ deadline ends up in the past, Xen never leaves __do_softirq().  The
+ affected PCPU will stay in an infinite loop until Xen is killed by the
+ watchdog (if enabled).
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Origin: upstream, commit:23406:701f5e3321c1
+Id: CVE-2012-4535
+---
+diff -r 448ffa4bcf63 -r 701f5e3321c1 xen/common/domain.c
+--- a/xen/common/domain.c	Wed Nov 14 10:44:09 2012 +0100
++++ b/xen/common/domain.c	Wed Nov 14 11:33:36 2012 +0000
+@@ -873,6 +873,9 @@
+         if ( set.period_ns < MILLISECS(1) )
+             return -EINVAL;
+ 
++        if ( set.period_ns > STIME_DELTA_MAX )
++            return -EINVAL;
++
+         v->periodic_period = set.period_ns;
+         vcpu_force_reschedule(v);
+ 
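Review bot: the new upper bound `if ( set.period_ns > STIME_DELTA_MAX )` is written as a second independent test three lines below the existing lower bound `if ( set.period_ns < MILLISECS(1) )`; folding them into one range check (`if ( set.period_ns < MILLISECS(1) || set.period_ns > STIME_DELTA_MAX )`) returns the same -EINVAL and shows the accepted window in one place. A one-line comment that the cap exists because the next expiry is computed as NOW() plus the period, and a sum past STIME_MAX lands in the past (the softirq loop the description mentions), would save the next reader a trip to time.h.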
+diff -r 448ffa4bcf63 -r 701f5e3321c1 xen/include/xen/time.h
+--- a/xen/include/xen/time.h	Wed Nov 14 10:44:09 2012 +0100
++++ b/xen/include/xen/time.h	Wed Nov 14 11:33:36 2012 +0000
+@@ -53,6 +53,8 @@
+ #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
+ #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
+ #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
+ 
+ extern void update_vcpu_system_time(struct vcpu *v);
+ extern void update_domain_wallclock_time(struct domain *d);
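Review bot: the new comment has a typo (`wont` should be `won't`) and its figure is loose: `(uint64_t)~0ull>>2` is 2^62 - 1 ns, about 146 years, and NOW() + delta can only pass STIME_MAX (2^63 - 1) once NOW() itself exceeds 2^62 ns, again about 146 years, so "about 146 years" or "well over a century" is accurate where "200 years" is not. It would also help to say the constant is the bound for guest-supplied deltas (its only user is the domain.c check) rather than a general-purpose limit, so callers know when to pick STIME_DELTA_MAX over STIME_MAX.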

Added: branches/wheezy/xen/debian/patches/CVE-2012-4536
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-4536	Tue Nov 20 10:16:52 2012	(r1120)
@@ -0,0 +1,21 @@
+Description: x86/physdev: Range check pirq parameter from guests
+ Otherwise Xen will read beyond either end of the struct
+ domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Origin: upstream, commit:23407:210f16b6509b
+Id: CVE-2012-4536
+---
+diff -r 701f5e3321c1 -r 210f16b6509b xen/arch/x86/physdev.c
+--- a/xen/arch/x86/physdev.c	Wed Nov 14 11:33:36 2012 +0000
++++ b/xen/arch/x86/physdev.c	Wed Nov 14 11:35:06 2012 +0000
+@@ -234,6 +234,10 @@
+     if ( ret )
+         return ret;
+ 
++    ret = -EINVAL;
++    if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
++        goto free_domain;
++
+     if ( is_hvm_domain(d) )
+     {
+         spin_lock(&d->event_lock);
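Review bot: the range check `if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )` bounds pirq by d->nr_pirqs, but the description names the domain's pirq_emuirq array as what gets overrun; confirm in this 4.1 tree that the array is sized by nr_pirqs, otherwise the check is looser than the array it protects. The `< 0` half only means something if pirq is a signed field, so either comment that or test a single unsigned `>=`. Assigning `ret = -EINVAL` unconditionally is harmless (the `if ( ret ) return ret;` above guarantees ret is 0 here) but setting it inside the if body reads more naturally and avoids a surprise if code is later inserted between the two.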

Added: branches/wheezy/xen/debian/patches/CVE-2012-4537
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-4537	Tue Nov 20 10:16:52 2012	(r1120)
@@ -0,0 +1,36 @@
+Description: x86/physmap: Prevent incorrect updates of m2p mappings
+ In certain conditions, such as low memory, set_p2m_entry() can fail.
+ Currently, the p2m and m2p tables will get out of sync because we still
+ update the m2p table after the p2m update has failed.
+ .
+ If that happens, subsequent guest-invoked memory operations can cause
+ BUG()s and ASSERT()s to kill Xen.
+ .
+ This is fixed by only updating the m2p table iff the p2m was
+ successfully updated.
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Origin: upstream, commit:23408:f635b1447d7e
+Id: CVE-2012-4537
+---
+diff -r 210f16b6509b -r f635b1447d7e xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c	Wed Nov 14 11:35:06 2012 +0000
++++ b/xen/arch/x86/mm/p2m.c	Wed Nov 14 11:40:45 2012 +0000
+@@ -2558,7 +2558,10 @@
+     if ( mfn_valid(_mfn(mfn)) ) 
+     {
+         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
++        {
+             rc = -EINVAL;
++            goto out; /* Failed to update p2m, bail without updating m2p. */
++        }
+         if ( !p2m_is_grant(t) )
+         {
+             for ( i = 0; i < (1UL << page_order); i++ )
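Review bot: the `goto out` after `rc = -EINVAL;` is the actual fix (the m2p loop below is now skipped), but the failure stays silent: the description names low memory as the trigger and an operator will only see a later -EINVAL from the caller. A debug print with gfn, mfn and page_order at this point would make the condition diagnosable; the inline comment on the goto line is useful and should stay.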
+@@ -2579,6 +2582,7 @@
+         }
+     }
+ 
++out:
+     audit_p2m(p2m, 1);
+     p2m_unlock(p2m);
+ 
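Review bot: the `out:` label is at column 0; check what this file does for its other labels (many Xen files indent goto labels by one space) and match it. Placing the label ahead of `audit_p2m(p2m, 1)` means the failed-update path still audits under the lock before `p2m_unlock(p2m)`, which is the correct order; a short comment that the audit is meant to run on the failure path too would stop a later cleanup from moving the label past it.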

Added: branches/wheezy/xen/debian/patches/CVE-2012-4538
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-4538	Tue Nov 20 10:16:52 2012	(r1120)
@@ -0,0 +1,26 @@
+Description: xen/mm/shadow: check toplevel pagetables are present before unhooking them.
+ If the guest has not fully populated its top-level PAE entries when it calls
+ HVMOP_pagetable_dying, the shadow code could try to unhook entries from
+ MFN 0.  Add a check to avoid that case.
+From: Tim Deegan <tim at xen.org>
+Origin: upstream, commit:23409:61eb3d030f52
+Id: CVE-2012-4538
+---
+diff -r f635b1447d7e -r 61eb3d030f52 xen/arch/x86/mm/shadow/multi.c
+--- a/xen/arch/x86/mm/shadow/multi.c	Wed Nov 14 11:40:45 2012 +0000
++++ b/xen/arch/x86/mm/shadow/multi.c	Wed Nov 14 11:43:29 2012 +0000
+@@ -4737,8 +4737,12 @@
+     }
+     for ( i = 0; i < 4; i++ )
+     {
+-        if ( fast_path )
+-            smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++        if ( fast_path ) {
++            if ( pagetable_is_null(v->arch.shadow_table[i]) )
++                smfn = _mfn(INVALID_MFN);
++            else
++                smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
++        }
+         else
+         {
+             /* retrieving the l2s */
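Review bot: the new `if ( fast_path ) {` puts the opening brace on the same line while the `else` immediately below keeps the brace on its own line; make the two arms consistent with the file's style. Behaviourally a null `v->arch.shadow_table[i]` now yields `_mfn(INVALID_MFN)`, so the code after this hunk that consumes smfn (not in the diff) must already treat INVALID_MFN as "nothing to unhook"; please confirm that it does, rather than only the slow path having been written with that value in mind.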

Added: branches/wheezy/xen/debian/patches/CVE-2012-4539
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-4539	Tue Nov 20 10:16:52 2012	(r1120)
@@ -0,0 +1,17 @@
+Description: compat/gnttab: Prevent infinite loop in compat code
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Origin: upstream, commit:23410:178f63286b02
+Id: CVE-2012-4539
+---
+diff -r 61eb3d030f52 -r 178f63286b02 xen/common/compat/grant_table.c
+--- a/xen/common/compat/grant_table.c	Wed Nov 14 11:43:29 2012 +0000
++++ b/xen/common/compat/grant_table.c	Wed Nov 14 11:46:12 2012 +0000
+@@ -310,6 +310,8 @@
+ #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
+                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
+                     rc = -EFAULT;
++                else
++                    i = 1;
+             }
+             break;
+         }
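Review bot: `else i = 1;` is the whole fix, but neither the hunk nor the one-line Description says why setting i to 1 after a successful `__copy_to_guest` terminates the loop; add a comment at the assignment (and a sentence in the Description) explaining what i counts in the enclosing loop and why leaving it unchanged on this path re-ran the same `get_status` operation forever. Without that, the next refactor of the loop is likely to reintroduce the bug.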

Added: branches/wheezy/xen/debian/patches/CVE-2012-4544
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-4544	Tue Nov 20 10:16:52 2012	(r1120)
@@ -0,0 +1,449 @@
+Description: libxc: builder: limit maximum size of kernel/ramdisk.
+ Allowing user supplied kernels of arbitrary sizes, especially during
+ decompression, can swallow up dom0 memory leading to either virtual
+ address space exhaustion in the builder process or allocation
+ failures/OOM killing of both toolstack and unrelated processes.
+ .
+ We disable these checks when building in a stub domain for pvgrub
+ since this uses the guest's own memory and is isolated.
+ .
+ Also make explicit checks for buffer overflows in various
+ decompression routines. These were already ruled out due to other
+ properties of the code but check them as a belt-and-braces measure.
+From: Ian Campbell <ian.campbell at citrix.com>
+Origin: upstream, commit:23385:69d1cc78a5bd
+Id: CVE-2012-2625, CVE-2012-4544
+---
+diff -r a15596a619ed -r 69d1cc78a5bd stubdom/grub/kexec.c
+--- a/stubdom/grub/kexec.c	Thu Oct 04 10:44:43 2012 +0200
++++ b/stubdom/grub/kexec.c	Fri Oct 26 16:10:04 2012 +0100
+@@ -137,6 +137,10 @@
+     dom = xc_dom_allocate(xc_handle, cmdline, features);
+     dom->allocate = kexec_allocate;
+ 
++    /* We are using guest owned memory, therefore no limits. */
++    xc_dom_kernel_max_size(dom, 0);
++    xc_dom_ramdisk_max_size(dom, 0);
++
+     dom->kernel_blob = kernel;
+     dom->kernel_size = kernel_size;
+ 
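Review bot: the return values of `xc_dom_kernel_max_size(dom, 0)` and `xc_dom_ramdisk_max_size(dom, 0)` are discarded; as added in xc_dom_core.c they always return 0, so either make them `void` or have callers check them, but not an `int` that nobody looks at. The comment that guest-owned memory needs no limit is exactly the justification that should appear wherever the limit is disabled, keep it.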
+diff -r a15596a619ed -r 69d1cc78a5bd tools/libxc/xc_dom.h
+--- a/tools/libxc/xc_dom.h	Thu Oct 04 10:44:43 2012 +0200
++++ b/tools/libxc/xc_dom.h	Fri Oct 26 16:10:04 2012 +0100
+@@ -52,6 +52,9 @@
+     void *ramdisk_blob;
+     size_t ramdisk_size;
+ 
++    size_t max_kernel_size;
++    size_t max_ramdisk_size;
++
+     /* arguments and parameters */
+     char *cmdline;
+     uint32_t f_requested[XENFEAT_NR_SUBMAPS];
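Review bot: `max_kernel_size` and `max_ramdisk_size` carry a convention (0 means no limit) that can only be discovered from xc_dom_kernel_check_size() in xc_dom_core.c; since this header is the public libxc interface, state the convention in a comment beside the two fields.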
+@@ -175,6 +178,23 @@
+ void xc_dom_release(struct xc_dom_image *dom);
+ int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb);
+ 
++/* Set this larger if you have enormous ramdisks/kernels. Note that
++ * you should trust all kernels not to be maliciously large (e.g. to
++ * exhaust all dom0 memory) if you do this (see CVE-2012-4544 /
++ * XSA-25). You can also set the default independently for
++ * ramdisks/kernels in xc_dom_allocate() or call
++ * xc_dom_{kernel,ramdisk}_max_size.
++ */
++#ifndef XC_DOM_DECOMPRESS_MAX
++#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */
++#endif
++
++int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz);
++int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz);
++
++int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz);
++int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz);
++
+ size_t xc_dom_check_gzip(xc_interface *xch,
+                      void *blob, size_t ziplen);
+ int xc_dom_do_gunzip(xc_interface *xch,
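Review bot: the comment says the default can be set "independently for ramdisks/kernels in xc_dom_allocate()", but the xc_dom_allocate() hunk in xc_dom_core.c sets both fields to the same XC_DOM_DECOMPRESS_MAX and takes no size argument; the only per-image control is xc_dom_{kernel,ramdisk}_max_size(), so reword. The prototypes for xc_dom_kernel_check_size()/xc_dom_ramdisk_check_size() also need a note that nonzero means "too large" and that they call xc_dom_panic(), because the loaders use them as `if ( xc_dom_kernel_check_size(...) )`. `1024*1024*1024` is evaluated in int, which fits for 1 GiB, but an override via -DXC_DOM_DECOMPRESS_MAX must stay within int since xc_dom_check_gzip() compares it against a signed unziplen.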
+@@ -224,7 +244,8 @@
+ void *xc_dom_malloc(struct xc_dom_image *dom, size_t size);
+ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size);
+ void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
+-                            const char *filename, size_t * size);
++                            const char *filename, size_t * size,
++                            const size_t max_size);
+ char *xc_dom_strdup(struct xc_dom_image *dom, const char *str);
+ 
+ /* --- alloc memory pool ------------------------------------------- */
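Review bot: `const size_t max_size` in a prototype is a no-op (const on a by-value parameter changes nothing for callers) and is unusual in this header; drop the const here and in the definition in xc_dom_core.c together, and say in the comment that 0 disables the check, matching the field convention.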
+diff -r a15596a619ed -r 69d1cc78a5bd tools/libxc/xc_dom_bzimageloader.c
+--- a/tools/libxc/xc_dom_bzimageloader.c	Thu Oct 04 10:44:43 2012 +0200
++++ b/tools/libxc/xc_dom_bzimageloader.c	Fri Oct 26 16:10:04 2012 +0100
+@@ -47,13 +47,19 @@
+     char *out_buf;
+     char *tmp_buf;
+     int retval = -1;
+-    int outsize;
++    unsigned int outsize;
+     uint64_t total;
+ 
+     stream.bzalloc = NULL;
+     stream.bzfree = NULL;
+     stream.opaque = NULL;
+ 
++    if ( dom->kernel_size == 0)
++    {
++        DOMPRINTF("BZIP2: Input is 0 size");
++        return -1;
++    }
++
+     ret = BZ2_bzDecompressInit(&stream, 0, 0);
+     if ( ret != BZ_OK )
+     {
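Review bot: `if ( dom->kernel_size == 0)` lacks the space before `)` that the file uses (`if ( ret != BZ_OK )` two lines down). The early `return -1` is correct here because it runs before BZ2_bzDecompressInit(), unlike the later checks which must `goto bzip2_cleanup`; a comment saying so would stop someone "fixing" it to a goto.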
+@@ -66,6 +72,17 @@
+      * the input buffer to start, and we'll realloc as needed.
+      */
+     outsize = dom->kernel_size;
++
++    /*
++     * stream.avail_in and outsize are unsigned int, while kernel_size
++     * is a size_t. Check we aren't overflowing.
++     */
++    if ( outsize != dom->kernel_size )
++    {
++        DOMPRINTF("BZIP2: Input too large");
++        goto bzip2_cleanup;
++    }
++
+     out_buf = malloc(outsize);
+     if ( out_buf == NULL )
+     {
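Review bot: `if ( outsize != dom->kernel_size )` detects truncation by round-tripping the value through the unsigned int; a direct `if ( dom->kernel_size > UINT_MAX )` states the same condition without relying on the reader noticing the narrowing assignment just above. Either form uses UINT_MAX, so confirm <limits.h> is included in this file (the diff does not show the includes).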
+@@ -98,13 +115,20 @@
+         if ( stream.avail_out == 0 )
+         {
+             /* Protect against output buffer overflow */
+-            if ( outsize > INT_MAX / 2 )
++            if ( outsize > UINT_MAX / 2 )
+             {
+                 DOMPRINTF("BZIP2: output buffer overflow");
+                 free(out_buf);
+                 goto bzip2_cleanup;
+             }
+ 
++            if ( xc_dom_kernel_check_size(dom, outsize * 2) )
++            {
++                DOMPRINTF("BZIP2: output too large");
++                free(out_buf);
++                goto bzip2_cleanup;
++            }
++
+             tmp_buf = realloc(out_buf, outsize * 2);
+             if ( tmp_buf == NULL )
+             {
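Review bot: the ordering is right: `outsize > UINT_MAX / 2` guards the multiplication before `xc_dom_kernel_check_size(dom, outsize * 2)` is evaluated, so the limit is compared against a non-wrapped value. The two failure paths repeat `free(out_buf); goto bzip2_cleanup;`; a single label that frees out_buf and falls into the cleanup would remove the duplication. Note the limit is applied to the doubled buffer capacity rather than to the bytes produced, so an image somewhat over half the limit can still be refused when the buffer would grow past it; acceptable for a DoS guard, but worth a comment so it is not reported as a bug.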
+@@ -172,9 +196,15 @@
+     unsigned char *out_buf;
+     unsigned char *tmp_buf;
+     int retval = -1;
+-    int outsize;
++    size_t outsize;
+     const char *msg;
+ 
++    if ( dom->kernel_size == 0)
++    {
++        DOMPRINTF("LZMA: Input is 0 size");
++        return -1;
++    }
++
+     ret = lzma_alone_decoder(&stream, 128*1024*1024);
+     if ( ret != LZMA_OK )
+     {
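Review bot: same style nit as the bzip2 hunk, `( dom->kernel_size == 0)` is missing the closing space. `outsize` becomes size_t here while the bzip2 path uses unsigned int, presumably because liblzma's counters are size_t and libbz2's are unsigned int; a one-line comment stating that would pre-empt a later "cleanup" that makes the two loaders uniform and reintroduces a narrowing.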
+@@ -251,13 +281,20 @@
+         if ( stream.avail_out == 0 )
+         {
+             /* Protect against output buffer overflow */
+-            if ( outsize > INT_MAX / 2 )
++            if ( outsize > SIZE_MAX / 2 )
+             {
+                 DOMPRINTF("LZMA: output buffer overflow");
+                 free(out_buf);
+                 goto lzma_cleanup;
+             }
+ 
++            if ( xc_dom_kernel_check_size(dom, outsize * 2) )
++            {
++                DOMPRINTF("LZMA: output too large");
++                free(out_buf);
++                goto lzma_cleanup;
++            }
++
+             tmp_buf = realloc(out_buf, outsize * 2);
+             if ( tmp_buf == NULL )
+             {
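Review bot: `SIZE_MAX` needs <stdint.h>; the includes are not in the diff, so confirm it is present (the bzip2 path only needed UINT_MAX). As in the bzip2 hunk the overflow guard correctly precedes `xc_dom_kernel_check_size(dom, outsize * 2)`, and the same `free(out_buf); goto lzma_cleanup;` duplication could collapse into one label.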
+@@ -327,6 +364,12 @@
+         0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
+     };
+ 
++    /*
++     * lzo_uint should match size_t. Check that this is the case to be
++     * sure we won't overflow various lzo_uint fields.
++     */
++    XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t));
++
+     ret = lzo_init();
+     if ( ret != LZO_E_OK )
+     {
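Review bot: `XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t))` inside the function body works, but the macro is not defined anywhere in this diff; for a backport to 4.1.3 make sure XC_BUILD_BUG_ON exists in the tree, otherwise this is a build break rather than a safety net. The assertion is what justifies the `*size + dst_len` size_t arithmetic in the loop below, so the comment there should point back to it.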
+@@ -406,6 +449,14 @@
+         if ( src_len <= 0 || src_len > dst_len || src_len > left )
+             break;
+ 
++        msg = "Output buffer overflow";
++        if ( *size > SIZE_MAX - dst_len )
++            break;
++
++        msg = "Decompressed image too large";
++        if ( xc_dom_kernel_check_size(dom, *size + dst_len) )
++            break;
++
+         msg = "Failed to (re)alloc memory";
+         tmp_buf = realloc(out_buf, *size + dst_len);
+         if ( tmp_buf == NULL )
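Review bot: `if ( *size > SIZE_MAX - dst_len ) break;` relies on dst_len being positive and no larger than SIZE_MAX, which the preceding `if ( src_len <= 0 || src_len > dst_len || src_len > left )` guarantees (dst_len >= src_len > 0); a comment citing that line keeps the reasoning local. Both new checks leave via `break` with `msg` set, matching the loop's existing error-reporting pattern, good.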
+diff -r a15596a619ed -r 69d1cc78a5bd tools/libxc/xc_dom_core.c
+--- a/tools/libxc/xc_dom_core.c	Thu Oct 04 10:44:43 2012 +0200
++++ b/tools/libxc/xc_dom_core.c	Fri Oct 26 16:10:04 2012 +0100
+@@ -159,7 +159,8 @@
+ }
+ 
+ void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
+-                            const char *filename, size_t * size)
++                            const char *filename, size_t * size,
++                            const size_t max_size)
+ {
+     struct xc_dom_mem *block = NULL;
+     int fd = -1;
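Review bot: as noted for the header, `const size_t max_size` is const on a by-value parameter; drop it in the definition and the prototype in the same change so they do not drift.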
+@@ -171,6 +172,13 @@
+     lseek(fd, 0, SEEK_SET);
+     *size = lseek(fd, 0, SEEK_END);
+ 
++    if ( max_size && *size > max_size )
++    {
++        xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
++                     "tried to map file which is too large");
++        goto err;
++    }
++
+     block = malloc(sizeof(*block));
+     if ( block == NULL )
+         goto err;
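Review bot: `*size = lseek(fd, 0, SEEK_END)` stores an off_t in a size_t, so an lseek failure (-1) becomes SIZE_MAX; with the new check that error is now reported as "tried to map file which is too large" whenever max_size is nonzero, and not at all when it is 0. Test for `(off_t)-1` before the size comparison. The panic code is XC_OUT_OF_MEMORY here while the same condition in xc_dom_kernel_check_size() uses XC_INVALID_KERNEL; pick one so callers can match on it.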
+@@ -222,6 +230,40 @@
+ }
+ 
+ /* ------------------------------------------------------------------------ */
++/* decompression buffer sizing                                              */
++int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz)
++{
++    /* No limit */
++    if ( !dom->max_kernel_size )
++        return 0;
++
++    if ( sz > dom->max_kernel_size )
++    {
++        xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
++                     "kernel image too large");
++        return 1;
++    }
++
++    return 0;
++}
++
++int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz)
++{
++    /* No limit */
++    if ( !dom->max_ramdisk_size )
++        return 0;
++
++    if ( sz > dom->max_ramdisk_size )
++    {
++        xc_dom_panic(dom->xch, XC_INVALID_KERNEL,
++                     "ramdisk image too large");
++        return 1;
++    }
++
++    return 0;
++}
++
++/* ------------------------------------------------------------------------ */
+ /* read files, copy memory blocks, with transparent gunzip                  */
+ 
+ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
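Review bot: xc_dom_kernel_check_size() and xc_dom_ramdisk_check_size() are identical apart from the field and the message, and the ramdisk variant panics with XC_INVALID_KERNEL for a ramdisk; a common static helper taking the limit and an image name would remove both the duplication and the mislabel. The "No limit" comment is the only place the 0 convention is documented; it belongs in the header too.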
+@@ -235,7 +277,7 @@
+ 
+     gzlen = blob + ziplen - 4;
+     unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0];
+-    if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */
++    if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) )
+     {
+         xc_dom_printf
+             (xch,
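Review bot: xc_dom_check_gzip() takes no dom, so it can only apply the compile-time XC_DOM_DECOMPRESS_MAX; the per-image max_kernel_size is applied afterwards in xc_dom_try_gunzip() and the ramdisk case in the boot hunk further down, which is worth a comment here. The gzip trailer field read into unziplen is attacker-controlled and is only the length modulo 2^32, so the real protection is the bound placed on the allocation that follows, not this value; say so. Since unziplen is compared as a signed int (`unziplen < 0`), an override of XC_DOM_DECOMPRESS_MAX above INT_MAX would silently change the meaning of this test.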
+@@ -288,6 +330,9 @@
+     if ( unziplen == 0 )
+         return 0;
+ 
++    if ( xc_dom_kernel_check_size(dom, unziplen) )
++        return 0;
++
+     unzip = xc_dom_malloc(dom, unziplen);
+     if ( unzip == NULL )
+         return -1;
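Review bot: `if ( xc_dom_kernel_check_size(dom, unziplen) ) return 0;` returns success after xc_dom_panic() has already recorded an error, so xc_dom_kernel_file() reports 0 and hands on a still-compressed blob, whereas the adjacent `unzip == NULL` failure returns -1. Return -1 here so the oversize case fails where it is detected instead of later with a confusing parse error.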
+@@ -588,6 +633,9 @@
+     memset(dom, 0, sizeof(*dom));
+     dom->xch = xch;
+ 
++    dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX;
++    dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX;
++
+     if ( cmdline )
+         dom->cmdline = xc_dom_strdup(dom, cmdline);
+     if ( features )
+@@ -608,10 +656,25 @@
+     return NULL;
+ }
+ 
++int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz)
++{
++    DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz);
++    dom->max_kernel_size = sz;
++    return 0;
++}
++
++int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz)
++{
++    DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz);
++    dom->max_ramdisk_size = sz;
++    return 0;
++}
++
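Review bot: both setters always return 0 and validate nothing, so either make them void or use the return value (for example refuse a limit smaller than a kernel_size already loaded). Setting a limit after xc_dom_kernel_file() has run is silently ineffective for the file-size check in xc_dom_malloc_filemap(); document in the header that the setters must precede loading, as kexec.c does. The `%zx` format prints hex with no 0x prefix, which is easy to misread next to decimal sizes in the same log.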
+ int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename)
+ {
+     DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
+-    dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size);
++    dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size,
++                                             dom->max_kernel_size);
+     if ( dom->kernel_blob == NULL )
+         return -1;
+     return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
+@@ -621,7 +684,9 @@
+ {
+     DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename);
+     dom->ramdisk_blob =
+-        xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size);
++        xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size,
++                              dom->max_ramdisk_size);
++
+     if ( dom->ramdisk_blob == NULL )
+         return -1;
+ //    return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size);
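Review bot: the hunk adds an empty line between the assignment and the `if ( dom->ramdisk_blob == NULL )` test that the kernel variant above does not have; drop it for symmetry. The commented-out `xc_dom_try_gunzip` line remains, so the ramdisk is not unpacked here, which is why the gzip size check for ramdisks has to live in the boot-time hunk below; a comment linking the two would help.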
+@@ -781,7 +846,11 @@
+         void *ramdiskmap;
+ 
+         unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size);
++        if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 )
++            unziplen = 0;
++
+         ramdisklen = unziplen ? unziplen : dom->ramdisk_size;
++
+         if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0,
+                                   ramdisklen) != 0 )
+             goto err;
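Review bot: when `xc_dom_ramdisk_check_size(dom, unziplen)` fails, `unziplen = 0` makes the code fall through to `ramdisklen = dom->ramdisk_size` and carry on copying the compressed ramdisk into the guest after a panic has been logged, the same proceed-after-failure pattern as in xc_dom_try_gunzip(). A `goto err` is the safer response, since the guest cannot use a ramdisk that was supposed to be unpacked. The blank line added after the `ramdisklen = ...` assignment is stray.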
+diff -r a15596a619ed -r 69d1cc78a5bd tools/pygrub/src/pygrub
+--- a/tools/pygrub/src/pygrub	Thu Oct 04 10:44:43 2012 +0200
++++ b/tools/pygrub/src/pygrub	Fri Oct 26 16:10:04 2012 +0100
+@@ -28,6 +28,7 @@
+ import grub.ExtLinuxConf
+ 
+ PYGRUB_VER = 0.6
++FS_READ_MAX = 1024 * 1024
+ 
+ def enable_cursor(ison):
+     if ison:
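Review bot: `FS_READ_MAX = 1024 * 1024` deserves a comment stating that it is a per-read chunk size (used as the config cap and as the copy block size in copy_from_image below), so it is not mistaken for a total kernel or ramdisk size limit, which it is not.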
+@@ -421,7 +422,8 @@
+         if self.__dict__.get('cf', None) is None:
+             raise RuntimeError, "couldn't find bootloader config file in the image provided."
+         f = fs.open_file(self.cf.filename)
+-        buf = f.read()
++        # limit read size to avoid pathological cases
++        buf = f.read(FS_READ_MAX)
+         del f
+         self.cf.parse(buf)
+ 
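Review bot: `f.read(FS_READ_MAX)` silently truncates a bootloader config larger than 1 MiB and parses the prefix; that is acceptable as a pathological-case guard, but a warning on stderr when the buffer comes back exactly FS_READ_MAX bytes long would make a truncated config diagnosable.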
+@@ -670,6 +672,37 @@
+     def usage():
+         print >> sys.stderr, "Usage: %s [-q|--quiet] [-i|--interactive] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] <image>" %(sys.argv[0],)
+ 
++    def copy_from_image(fs, file_to_read, file_type, output_directory,
++                        not_really):
++        if not_really:
++            if fs.file_exists(file_to_read):
++                return "<%s:%s>" % (file_type, file_to_read)
++            else:
++                sys.exit("The requested %s file does not exist" % file_type)
++        try:
++            datafile = fs.open_file(file_to_read)
++        except Exception, e:
++            print >>sys.stderr, e
++            sys.exit("Error opening %s in guest" % file_to_read)
++        (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
++                                      dir=output_directory)
++        dataoff = 0
++        while True:
++            data = datafile.read(FS_READ_MAX, dataoff)
++            if len(data) == 0:
++                os.close(tfd)
++                del datafile
++                return ret
++            try:
++                os.write(tfd, data)
++            except Exception, e:
++                print >>sys.stderr, e
++                os.close(tfd)
++                os.unlink(ret)
++                del datafile
++                sys.exit("Error writing temporary copy of "+file_type)
++            dataoff += len(data)
++
+     try:
+         opts, args = getopt.gnu_getopt(sys.argv[1:], 'qinh::',
+                                    ["quiet", "interactive", "not-really", "help", 
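Review bot: `os.write(tfd, data)` may write fewer bytes than len(data) and its return value is dropped, so the copy can be silently short; loop on the count returned (or write through a file object). The loop caps each read at FS_READ_MAX but not the total, so a huge guest file can still fill output_directory on dom0; the actual cap is applied later by libxc's max sizes, which should be stated in a comment. `datafile.read(FS_READ_MAX, dataoff)` assumes the fsimage file object accepts a (size, offset) pair, so confirm that signature in this tree. Failure is signalled with sys.exit, which matters for the bare except in the caller below.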
+@@ -786,24 +819,18 @@
+     if not fs:
+         raise RuntimeError, "Unable to find partition containing kernel"
+ 
+-    if not_really:
+-        bootcfg["kernel"] = "<kernel:%s>" % chosencfg["kernel"]
+-    else:
+-        data = fs.open_file(chosencfg["kernel"]).read()
+-        (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.",
+-                                                    dir=output_directory)
+-        os.write(tfd, data)
+-        os.close(tfd)
++    bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
++                                        output_directory, not_really)
+ 
+     if chosencfg["ramdisk"]:
+-        if not_really:
+-            bootcfg["ramdisk"] = "<ramdisk:%s>" % chosencfg["ramdisk"]
+-        else:
+-            data = fs.open_file(chosencfg["ramdisk"],).read()
+-            (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp(
+-                prefix="boot_ramdisk.", dir=output_directory)
+-            os.write(tfd, data)
+-            os.close(tfd)
++        try:
++            bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
++                                                 "ramdisk", output_directory,
++                                                 not_really)
++        except:
++            if not not_really:
++                os.unlink(bootcfg["kernel"])
++            raise
+     else:
+         initrd = None
+ 
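Review bot: the bare `except:` around the ramdisk copy has to be bare because copy_from_image() reports failure via sys.exit and SystemExit is not caught by `except Exception`; add a one-line comment saying so, otherwise the next reader will narrow it and lose the kernel temp-file cleanup. Skipping `os.unlink(bootcfg["kernel"])` when not_really is set is correct, since no temp file was created on that path.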

Modified: branches/wheezy/xen/debian/patches/series
==============================================================================
--- branches/wheezy/xen/debian/patches/series	Mon Nov 19 17:08:44 2012	(r1119)
+++ branches/wheezy/xen/debian/patches/series	Tue Nov 20 10:16:52 2012	(r1120)
@@ -10,6 +10,12 @@
 CVE-2012-3498
 CVE-2012-3515
 CVE-2012-4411
+CVE-2012-4535
+CVE-2012-4536
+CVE-2012-4537
+CVE-2012-4538
+CVE-2012-4539
+CVE-2012-4544
 
 xen-x86-interrupt-pointer-missmatch.diff
 
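An added example (not libxc or Xen code) of the growth-guard pattern the CVE-2012-4544 patch applies in the bzip2, LZMA and LZO loaders: a toy run-length decoder whose output buffer doubles on demand, with the arithmetic-overflow check placed before the multiplication and a policy ceiling (0 = no limit, mirroring max_kernel_size) tested before the realloc. The `struct image`, `check_size()`, `rle_decode()`, the byte-pair format and the 128-byte "bomb" input are all constructed for this illustration.

```c
/* Added example (not libxc code): a toy decoder wrapped in the two guards the
 * CVE-2012-4544 patch puts around every buffer growth. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for dom->max_kernel_size; 0 means no limit. */
struct image { size_t max_size; };

/* Analogue of xc_dom_kernel_check_size(): nonzero means "too large". */
static int check_size(const struct image *img, size_t sz)
{
    return img->max_size && sz > img->max_size;
}

/* Decode a constructed run-length format, byte pairs (count > 0, value).
 * Returns the decoded length and sets *out; on rejection returns 0, leaves
 * *out NULL and names the reason in *msg. */
static size_t rle_decode(const struct image *img, const unsigned char *in,
                         size_t in_len, unsigned char **out, const char **msg)
{
    unsigned char *buf, *tmp;
    size_t outsize, used = 0, i;

    *out = NULL;
    *msg = "malformed input";
    if ( in_len == 0 || (in_len & 1) )
        return 0;
    /* The precheck xc_dom_malloc_filemap() applies to the raw file size. */
    *msg = "input too large";
    if ( check_size(img, in_len) )
        return 0;
    /* Start as large as the input and double on demand, as the loaders do. */
    outsize = in_len;
    *msg = "out of memory";
    if ( (buf = malloc(outsize)) == NULL )
        return 0;

    for ( i = 0; i < in_len; i += 2 )
    {
        size_t count = in[i];

        *msg = "malformed input";
        if ( count == 0 )
            goto fail;
        while ( outsize - used < count )
        {
            /* Guard the doubling itself before performing it ... */
            *msg = "output buffer overflow";
            if ( outsize > SIZE_MAX / 2 )
                goto fail;
            /* ... then the policy ceiling, before touching the allocator. */
            *msg = "output too large";
            if ( check_size(img, outsize * 2) )
                goto fail;
            *msg = "out of memory";
            if ( (tmp = realloc(buf, outsize * 2)) == NULL )
                goto fail;
            buf = tmp;
            outsize *= 2;
        }
        memset(buf + used, in[i + 1], count);
        used += count;
    }
    *out = buf;
    *msg = "ok";
    return used;

 fail:
    free(buf);
    return 0;
}

/* Constructed bomb: 64 pairs of (255, 'A'), 128 bytes in, 16320 bytes out. */
#define BOMB_PAIRS 64
static const char *last_reason = "not run";

/* Decode the bomb under a ceiling (0 = unlimited); returns the decoded
 * length, 0 if rejected. decode_bomb_reason() reports why. */
size_t decode_bomb_len(size_t max_size)
{
    unsigned char in[2 * BOMB_PAIRS], *out;
    struct image img = { max_size };
    size_t i, n;

    for ( i = 0; i < BOMB_PAIRS; i++ )
    {
        in[2 * i] = 255;
        in[2 * i + 1] = 'A';
    }
    n = rle_decode(&img, in, sizeof(in), &out, &last_reason);
    free(out);
    return n;
}

const char *decode_bomb_reason(size_t max_size)
{
    decode_bomb_len(max_size);
    return last_reason;
}

int main(void)
{
    printf("no limit:  %zu bytes (%s)\n", decode_bomb_len(0), decode_bomb_reason(0));
    printf("4 KiB cap: %zu bytes (%s)\n", decode_bomb_len(4096), decode_bomb_reason(4096));
    return 0;
}
```

Run it with the cap at 0, at 4096, and at exactly the decoded size (16320): the last case is refused as well because, exactly as in the patched loaders, the limit is tested against the doubled buffer capacity rather than the bytes actually produced, so a ceiling has to leave headroom for the final doubling.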
