[Pkg-xen-changes] r1098 - in branches/wheezy/xen/debian: . patches
Bastian Blank
waldi at alioth.debian.org
Fri Sep 7 16:05:35 UTC 2012
Author: waldi
Date: Fri Sep 7 16:05:34 2012
New Revision: 1098
Log:
* debian/changelog: Update.
* debian/patches: Add security fixes.
Added:
branches/wheezy/xen/debian/patches/CVE-2012-3494
branches/wheezy/xen/debian/patches/CVE-2012-3495
branches/wheezy/xen/debian/patches/CVE-2012-3496
branches/wheezy/xen/debian/patches/CVE-2012-3498
branches/wheezy/xen/debian/patches/CVE-2012-3515
Modified:
branches/wheezy/xen/debian/changelog
branches/wheezy/xen/debian/patches/series
Modified: branches/wheezy/xen/debian/changelog
==============================================================================
--- branches/wheezy/xen/debian/changelog Fri Aug 17 09:25:55 2012 (r1097)
+++ branches/wheezy/xen/debian/changelog Fri Sep 7 16:05:34 2012 (r1098)
@@ -1,3 +1,18 @@
+xen (4.1.3-2) UNRELEASED; urgency=low
+
+ * Don't allow writing reserved bits in debug register.
+ CVE-2012-3494
+ * Fix error handling in interrupt assignment.
+ CVE-2012-3495
+ * Don't trigger bug messages on invalid flags.
+ CVE-2012-3496
+ * Check array bounds in interrupt assignment.
+ CVE-2012-3498
+ * Properly check bounds while setting the cursor in qemu.
+ CVE-2012-3515
+
+ -- Bastian Blank <waldi at debian.org> Wed, 05 Sep 2012 18:23:55 +0200
+
xen (4.1.3-1) unstable; urgency=medium
* New upstream release: (closes: #683286)
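Review bot: the distribution field in the new stanza is still `UNRELEASED` and must be set (presumably to the wheezy target suite) before upload. A smaller documentation point: each entry names only the CVE id, while the patch headers below also carry the Xen advisory numbers (XSA-12, XSA-13, XSA-14, XSA-16, XSA-17); listing both, e.g. `CVE-2012-3494 (XSA-12)`, makes it easier for users to cross-reference the upstream advisories.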
Added: branches/wheezy/xen/debian/patches/CVE-2012-3494
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-3494 Fri Sep 7 16:05:34 2012 (r1098)
@@ -0,0 +1,27 @@
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844474 -3600
+# Node ID bcc3402927311c64cc04e59d3680680b09459da6
+# Parent d28a9ba889c02f835df05bc007c2b4828d86cff2
+xen: prevent a 64 bit guest setting reserved bits in DR7
+
+The upper 32 bits of this register are reserved and should be written as
+zero.
+
+This is XSA-12 / CVE-2012-3494
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
+
+diff -r d28a9ba889c0 -r bcc340292731 xen/include/asm-x86/debugreg.h
+--- a/xen/include/asm-x86/debugreg.h Tue Sep 04 14:56:48 2012 +0200
++++ b/xen/include/asm-x86/debugreg.h Wed Sep 05 12:27:54 2012 +0100
+@@ -58,7 +58,7 @@
+ We can slow the instruction pipeline for instructions coming via the
+ gdt or the ldt if we want to. I am not sure why this is an advantage */
+
+-#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
++#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
+ #define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */
+ #define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */
+ #define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */
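Review bot: the new value `(~0xffff27fful)` is correct but its meaning depends on the width of `unsigned long`: on a 64-bit hypervisor the complement is `0xffffffff0000d800`, so bits 32-63 are now treated as reserved-zero in addition to the old 0xd800, while on a 32-bit build it collapses to exactly the previous `0x0000d800`. That is the intended behaviour, but it deserves a line in the comment so the next reader does not "fix" it back to a literal. The hunk only changes the mask, so it relies on every DR7 write path already rejecting values with bits from `DR_CONTROL_RESERVED_ZERO` set; please confirm that no write path bypasses that check, since this diff cannot show it.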
Added: branches/wheezy/xen/debian/patches/CVE-2012-3495
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-3495 Fri Sep 7 16:05:34 2012 (r1098)
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844497 -3600
+# Node ID 6779ddca8593b766ccabcfec294ba10f17e68484
+# Parent bcc3402927311c64cc04e59d3680680b09459da6
+xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq
+
+This is XSA-13 / CVE-2012-3495
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+
+diff -r bcc340292731 -r 6779ddca8593 xen/arch/x86/physdev.c
+--- a/xen/arch/x86/physdev.c Wed Sep 05 12:27:54 2012 +0100
++++ b/xen/arch/x86/physdev.c Wed Sep 05 12:28:17 2012 +0100
+@@ -587,11 +587,16 @@
+ break;
+
+ spin_lock(&d->event_lock);
+- out.pirq = get_free_pirq(d, out.type, 0);
+- d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
++ ret = get_free_pirq(d, out.type, 0);
++ if ( ret >= 0 )
++ d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
+ spin_unlock(&d->event_lock);
+
+- ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ if ( ret >= 0 )
++ {
++ out.pirq = ret;
++ ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ }
+
+ rcu_unlock_domain(d);
+ break;
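Review bot: the new flow leaks a pirq on the -EFAULT path. After `d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;` the entry is committed under `event_lock`, but if the following `ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;` fails, the guest never learns the pirq number and nothing clears the entry, so the slot stays marked allocated for the life of the domain. Consider re-taking the lock and resetting the entry when copy_to_guest fails, or copying the result to the guest before committing the allocation. Also note that `ret` now carries the pirq number itself, so it must be a signed type wide enough to hold every valid pirq; the negative-return convention of `get_free_pirq()` is what the two `if ( ret >= 0 )` checks depend on.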
Added: branches/wheezy/xen/debian/patches/CVE-2012-3496
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-3496 Fri Sep 7 16:05:34 2012 (r1098)
@@ -0,0 +1,26 @@
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844545 -3600
+# Node ID 8ebda5388e4e83a69c73bdd7621e76e1de4fc995
+# Parent 6779ddca8593b766ccabcfec294ba10f17e68484
+xen: Don't BUG_ON() PoD operations on a non-translated guest.
+
+This is XSA-14 / CVE-2012-3496
+
+Signed-off-by: Tim Deegan <tim at xen.org>
+Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
+Tested-by: Ian Campbell <ian.campbell at citrix.com>
+
+diff -r 6779ddca8593 -r 8ebda5388e4e xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c Wed Sep 05 12:28:17 2012 +0100
++++ b/xen/arch/x86/mm/p2m.c Wed Sep 05 12:29:05 2012 +0100
+@@ -2414,7 +2414,8 @@
+ int pod_count = 0;
+ int rc = 0;
+
+- BUG_ON(!paging_mode_translate(d));
++ if ( !paging_mode_translate(d) )
++ return -EINVAL;
+
+ rc = gfn_check_limit(d, gfn, order);
+ if ( rc != 0 )
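Review bot: the early `return -EINVAL;` is placed before any lock or allocation in the visible context (only `pod_count` and `rc` have been declared at that point), so no unwinding is needed here, which is good. Two things to confirm from the callers, which this hunk cannot show: that the hypercall paths propagate the -EINVAL to the guest instead of treating a non-zero result as a hypervisor bug, and that the matching guest-reachable PoD entry points do not retain their own `BUG_ON(!paging_mode_translate(d))`, since the changelog describes this as the fix for the whole class of "bug messages on invalid flags".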
Added: branches/wheezy/xen/debian/patches/CVE-2012-3498
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-3498 Fri Sep 7 16:05:34 2012 (r1098)
@@ -0,0 +1,36 @@
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844596 -3600
+# Node ID 936f63ee4dadb832222c029e958ae7c7564ec0e8
+# Parent 8ebda5388e4e83a69c73bdd7621e76e1de4fc995
+x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
+
+This is being used as a array index, and hence must be validated before
+use.
+
+This is XSA-16 / CVE-2012-3498.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+diff -r 8ebda5388e4e -r 936f63ee4dad xen/arch/x86/physdev.c
+--- a/xen/arch/x86/physdev.c Wed Sep 05 12:29:05 2012 +0100
++++ b/xen/arch/x86/physdev.c Wed Sep 05 12:29:56 2012 +0100
+@@ -40,11 +40,18 @@
+ struct hvm_girq_dpci_mapping *girq;
+ uint32_t machine_gsi = 0;
+
++ if ( map->index < 0 || map->index >= NR_HVM_IRQS )
++ {
++ ret = -EINVAL;
++ break;
++ }
++
+ /* find the machine gsi corresponding to the
+ * emulated gsi */
+ hvm_irq_dpci = domain_get_irq_dpci(d);
+ if ( hvm_irq_dpci )
+ {
++ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
+ list_for_each_entry ( girq,
+ &hvm_irq_dpci->girq[map->index],
+ list )
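Review bot: the new check `if ( map->index < 0 || map->index >= NR_HVM_IRQS )` is only complete if `map->index` is a signed type; if it is unsigned the `< 0` half is dead and a compiler will warn, so the declaration should be verified. The `ret = -EINVAL; break;` pair assumes the enclosing switch falls through to a `return ret` that is reachable with `ret` set, which the context suggests but does not show. The `BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);` is a nice compile-time guard tying the bound to the array, but it would read more naturally next to the `girq` array definition than inside the `if ( hvm_irq_dpci )` body, where it is evaluated on every call site that includes it.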
Added: branches/wheezy/xen/debian/patches/CVE-2012-3515
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-3515 Fri Sep 7 16:05:34 2012 (r1098)
@@ -0,0 +1,118 @@
+commit 3220480734832a148d26f7a81f90af61c2ecfdd9
+Author: Ian Campbell <ian.campbell at citrix.com>
+Date: Wed Sep 5 12:31:40 2012 +0100
+
+ console: bounds check whenever changing the cursor due to an escape code
+
+ This is XSA-17 / CVE-2012-3515
+
+ Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+ (cherry picked from commit a56ae4b5069c7b23ee657b15f08443a9b14a8e7b)
+
+diff --git a/console.c b/console.c
+index 5e6e3d0..9984d6f 100644
+--- a/qemu/console.c
++++ b/qemu/console.c
+@@ -794,6 +794,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+ update_xy(s, x, y);
+ }
+
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+ TextCell *c;
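Review bot: `set_cursor()` clamps the negative case before the upper bound, so for a console with `s->height == 0` or `s->width == 0` the result is `y = -1` or `x = -1`, which is then stored unchecked. If zero-size consoles cannot exist that is fine, but the helper is now the single choke point for every cursor move, so either assert the dimensions are positive or clamp the lower bound last. The block comment `/* set cursor, checking bounds */` should also say that out-of-range values are silently clamped rather than rejected, since that is the behaviour the escape-code handlers below now rely on.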
+@@ -869,7 +889,8 @@ static void console_putchar(TextConsole *s, int ch)
+ s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+ }
+ } else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS)
++ s->nb_esc_params++;
+ if (ch == ';')
+ break;
+ #ifdef DEBUG_CONSOLE
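Review bot: capping the increment with `if (s->nb_esc_params < MAX_ESC_PARAMS)` stops the counter at `MAX_ESC_PARAMS`, but the digit branch shown in the context, `s->esc_params[s->nb_esc_params] * 10 + ch - '0';`, indexes `esc_params` with that counter. Unless the digit branch carries the same `< MAX_ESC_PARAMS` guard (not visible here) or the array is sized `MAX_ESC_PARAMS + 1`, a parameter string with more than MAX_ESC_PARAMS separators followed by a digit still writes one element past the end. Please confirm the guard on the digit branch, or add it in this hunk.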
+@@ -883,59 +904,37 @@ static void console_putchar(TextConsole *s, int ch)
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+ break;
+ case 'B':
+ /* move cursor down */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+ break;
+ case 'C':
+ /* move cursor right */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+ break;
+ case 'D':
+ /* move cursor left */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+ break;
+ case 'G':
+ /* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+ break;
+ case 'f':
+ case 'H':
+ /* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+ break;
+ case 'J':
+ switch (s->esc_params[0]) {
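Review bot: routing every cursor move through `set_cursor()` makes the A/B/C/D cases clamp both ends where the old code clamped only the direction of travel, and makes 'G', 'f' and 'H' clamp the row as well as the column (the old 'f'/'H' code never bounded `s->y` against `s->height`, which is presumably the bug being fixed); that is a behaviour change worth a sentence in the commit message. One remaining edge: `esc_params[]` accumulates `* 10 + ch - '0'` with no upper cap (see the earlier hunk), so a long digit run overflows the `int` before it reaches `set_cursor(s, s->x + s->esc_params[0], s->y)`; the clamp will still produce an in-range cursor, but the signed overflow itself is undefined behaviour, so saturating the parameter while parsing would be cleaner.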
Modified: branches/wheezy/xen/debian/patches/series
==============================================================================
--- branches/wheezy/xen/debian/patches/series Fri Aug 17 09:25:55 2012 (r1097)
+++ branches/wheezy/xen/debian/patches/series Fri Sep 7 16:05:34 2012 (r1098)
@@ -4,6 +4,12 @@
upstream-23939:51288f69523f-rework
upstream-25290:7a6dcecb1781-rework
+CVE-2012-3494
+CVE-2012-3495
+CVE-2012-3496
+CVE-2012-3498
+CVE-2012-3515
+
xen-x86-interrupt-pointer-missmatch.diff
version.patch
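Review bot: the added `+` empty line after `+CVE-2012-3515` leaves a blank line in the middle of `debian/patches/series`; quilt tolerates it, but the file otherwise has no blank separators, so drop it for consistency. The ordering (the five CVE patches after the `upstream-*` rework patches and before `xen-x86-interrupt-pointer-missmatch.diff`) matches the order in which the patches were generated against each other (each HG `# Parent` is the previous patch's `# Node ID`), so they must stay in this sequence.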