[Pkg-xen-changes] r1147 - in branches/wheezy/xen/debian: . patches
Bastian Blank
waldi at alioth.debian.org
Fri Apr 19 10:01:17 UTC 2013
Author: waldi
Date: Fri Apr 19 10:01:17 2013
New Revision: 1147
Log:
* debian/changelog: Update.
* debian/patches:
Add fixes for CVE-2013-1917, CVE-2013-1919, CVE-2013-1920 and
CVE-2013-1964.
Added:
branches/wheezy/xen/debian/patches/CVE-2013-1917
branches/wheezy/xen/debian/patches/CVE-2013-1919
branches/wheezy/xen/debian/patches/CVE-2013-1920
branches/wheezy/xen/debian/patches/CVE-2013-1964
Modified:
branches/wheezy/xen/debian/changelog
branches/wheezy/xen/debian/patches/series
Modified: branches/wheezy/xen/debian/changelog
==============================================================================
--- branches/wheezy/xen/debian/changelog Thu Feb 14 20:07:04 2013 (r1146)
+++ branches/wheezy/xen/debian/changelog Fri Apr 19 10:01:17 2013 (r1147)
@@ -1,3 +1,16 @@
+xen (4.1.4-3) UNRELEASED; urgency=high
+
+ * Fix return from SYSENTER.
+ CVE-2013-1917
+ * Fix various problems with guest interrupt handling.
+ CVE-2013-1919
+ * Only save pointer after access checks.
+ CVE-2013-1920
+ * Fix domain locking for transitive grants.
+ CVE-2013-1964
+
+ -- Bastian Blank <waldi at debian.org> Fri, 19 Apr 2013 10:44:53 +0200
+
xen (4.1.4-2) unstable; urgency=low
* Use pre-device interrupt remapping mode per default. Fix removing old
Added: branches/wheezy/xen/debian/patches/CVE-2013-1917
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2013-1917 Fri Apr 19 10:01:17 2013 (r1147)
@@ -0,0 +1,74 @@
+Description: x86: clear EFLAGS.NT in SYSENTER entry path
+ ... as it causes problems if we happen to exit back via IRET: In the
+ course of trying to handle the fault, the hypervisor creates a stack
+ frame by hand, and uses PUSHFQ to set the respective EFLAGS field, but
+ expects to be able to IRET through that stack frame to the second
+ portion of the fixup code (which causes a #GP due to the stored EFLAGS
+ having NT set).
+ .
+ And even if this worked (e.g if we cleared NT in that path), it would
+ then (through the fail safe callback) cause a #GP in the guest with the
+ SYSENTER handler's first instruction as the source, which in turn would
+ allow guest user mode code to crash the guest kernel.
+ .
+ Inject a #GP on the fake (NULL) address of the SYSENTER instruction
+ instead, just like in the case where the guest kernel didn't register
+ a corresponding entry point.
+ .
+ On 32-bit we also need to make sure we clear SYSENTER_CS for all CPUs
+ (neither #RESET nor #INIT guarantee this).
+From: Jan Beulich <jbeulich at suse.com>
+Origin: upstream, commit:b5d22afa109d
+Id: CVE-2013-1917 XSA-44
+---
+--- a/xen/arch/x86/acpi/suspend.c Thu Apr 18 15:29:45 2013 +0200
++++ b/xen/arch/x86/acpi/suspend.c Thu Apr 18 16:23:07 2013 +0200
+@@ -81,8 +81,12 @@
+ }
+
+ #else /* !defined(CONFIG_X86_64) */
+- if ( supervisor_mode_kernel && cpu_has_sep )
+- wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0);
++ if ( cpu_has_sep )
++ {
++ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);
++ if ( supervisor_mode_kernel )
++ wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0);
++ }
+ #endif
+
+ /* Maybe load the debug registers. */
+--- a/xen/arch/x86/cpu/common.c Thu Apr 18 15:29:45 2013 +0200
++++ b/xen/arch/x86/cpu/common.c Thu Apr 18 16:23:07 2013 +0200
+@@ -715,8 +715,11 @@
+ #if defined(CONFIG_X86_32)
+ t->ss0 = __HYPERVISOR_DS;
+ t->esp0 = get_stack_bottom();
+- if ( supervisor_mode_kernel && cpu_has_sep )
++ if ( cpu_has_sep ) {
++ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);
++ if ( supervisor_mode_kernel )
+ wrmsr(MSR_IA32_SYSENTER_ESP, &t->esp1, 0);
++ }
+ #elif defined(CONFIG_X86_64)
+ /* Bottom-of-stack must be 16-byte aligned! */
+ BUG_ON((get_stack_bottom() & 15) != 0);
+diff -r 8f3d4607baee -r b5d22afa109d xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S Thu Apr 18 15:29:45 2013 +0200
++++ b/xen/arch/x86/x86_64/entry.S Thu Apr 18 16:23:07 2013 +0200
+@@ -288,7 +288,14 @@
+ movl $3,UREGS_cs(%rsp) /* ring 3 null cs */
+ movq VCPU_sysenter_addr(%rbx),%rax
+ setne %cl
++ testl $X86_EFLAGS_NT,UREGS_eflags(%rsp)
+ leaq VCPU_trap_bounce(%rbx),%rdx
++UNLIKELY_START(nz, sysenter_nt_set)
++ pushfq
++ andl $~X86_EFLAGS_NT,(%rsp)
++ popfq
++ xorl %eax,%eax
++UNLIKELY_END(sysenter_nt_set)
+ testq %rax,%rax
+ leal (,%rcx,TBF_INTERRUPT),%ecx
+ UNLIKELY_START(z, sysenter_gpf)
+
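Review bot: Neither C hunk has a comment saying why SYSENTER_CS is now written whenever `cpu_has_sep` is set; the reason (neither #RESET nor #INIT guarantees the MSR is clear) lives only in the patch description. I would add `/* Neither #RESET nor #INIT guarantees SYSENTER_CS is zero; clear it on every CPU. */` above `wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);` in both suspend.c and cpu/common.c. In entry.S the `xorl %eax,%eax` inside `sysenter_nt_set` is equally silent; a trailing `/* force the sysenter_gpf path below */` would explain that it zeroes the handler address loaded just before, so the following `testq %rax,%rax` takes the #GP injection branch. As a style point, the common.c hunk opens its block with `if ( cpu_has_sep ) {` while suspend.c in the same patch puts the brace on its own line; the two should match. All three enclosing functions start and end outside the hunks.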
Added: branches/wheezy/xen/debian/patches/CVE-2013-1919
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2013-1919 Fri Apr 19 10:01:17 2013 (r1147)
@@ -0,0 +1,249 @@
+Description: x86: fix various issues with handling guest IRQs
+ * properly revoke IRQ access in map_domain_pirq() error path
+ * don't permit replacing an in use IRQ
+ * don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
+ * track IRQ access permission in host IRQ terms, not guest IRQ ones
+ (and with that, also disallow Dom0 access to IRQ0)
+From: Jan Beulich <jbeulich at suse.com>
+Origin: upstream
+Id: CVE-2013-1919 XSA-46
+---
+--- a/tools/python/xen/xend/server/irqif.py Thu Apr 18 16:23:07 2013 +0200
++++ b/tools/python/xen/xend/server/irqif.py Thu Apr 18 16:24:08 2013 +0200
+@@ -73,6 +73,12 @@
+
+ pirq = get_param('irq')
+
++ rc = xc.physdev_map_pirq(domid = self.getDomid(),
++ index = pirq,
++ pirq = pirq)
++ if rc < 0:
++ raise VmError('irq: Failed to map irq %x' % (pirq))
++
+ rc = xc.domain_irq_permission(domid = self.getDomid(),
+ pirq = pirq,
+ allow_access = True)
+@@ -81,12 +87,6 @@
+ #todo non-fatal
+ raise VmError(
+ 'irq: Failed to configure irq: %d' % (pirq))
+- rc = xc.physdev_map_pirq(domid = self.getDomid(),
+- index = pirq,
+- pirq = pirq)
+- if rc < 0:
+- raise VmError(
+- 'irq: Failed to map irq %x' % (pirq))
+ back = dict([(k, config[k]) for k in self.valid_cfg if k in config])
+ return (self.allocateDeviceID(), back, {})
+
+--- a/xen/arch/x86/domain_build.c Thu Apr 18 16:23:07 2013 +0200
++++ b/xen/arch/x86/domain_build.c Thu Apr 18 16:24:08 2013 +0200
+@@ -1201,7 +1201,7 @@
+ /* DOM0 is permitted full I/O capabilities. */
+ rc |= ioports_permit_access(dom0, 0, 0xFFFF);
+ rc |= iomem_permit_access(dom0, 0UL, ~0UL);
+- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1);
++ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
+
+ /*
+ * Modify I/O port access permissions.
+--- a/xen/arch/x86/domctl.c Thu Apr 18 16:23:07 2013 +0200
++++ b/xen/arch/x86/domctl.c Thu Apr 18 16:24:08 2013 +0200
+@@ -908,9 +908,13 @@
+ goto bind_out;
+
+ ret = -EPERM;
+- if ( !IS_PRIV(current->domain) &&
+- !irq_access_permitted(current->domain, bind->machine_irq) )
+- goto bind_out;
++ if ( !IS_PRIV(current->domain) )
++ {
++ int irq = domain_pirq_to_irq(d, bind->machine_irq);
++
++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
++ goto bind_out;
++ }
+
+ ret = -ESRCH;
+ if ( iommu_enabled )
+@@ -938,9 +942,13 @@
+ bind = &(domctl->u.bind_pt_irq);
+
+ ret = -EPERM;
+- if ( !IS_PRIV(current->domain) &&
+- !irq_access_permitted(current->domain, bind->machine_irq) )
+- goto unbind_out;
++ if ( !IS_PRIV(current->domain) )
++ {
++ int irq = domain_pirq_to_irq(d, bind->machine_irq);
++
++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
++ goto unbind_out;
++ }
+
+ if ( iommu_enabled )
+ {
+--- a/xen/arch/x86/irq.c Thu Apr 18 16:23:07 2013 +0200
++++ b/xen/arch/x86/irq.c Thu Apr 18 16:24:08 2013 +0200
+@@ -174,6 +174,15 @@
+ out:
+ spin_unlock_irqrestore(&vector_lock, flags);
+
++ if ( irq > 0 && dom0 )
++ {
++ ret = irq_permit_access(dom0, irq);
++ if ( ret )
++ printk(XENLOG_G_ERR
++ "Could not grant Dom0 access to IRQ%d (error %d)\n",
++ irq, ret);
++ }
++
+ return irq;
+ }
+
+@@ -258,6 +267,17 @@
+ void destroy_irq(unsigned int irq)
+ {
+ BUG_ON(!MSI_IRQ(irq));
++
++ if ( dom0 )
++ {
++ int err = irq_deny_access(dom0, irq);
++
++ if ( err )
++ printk(XENLOG_G_ERR
++ "Could not revoke Dom0 access to IRQ%u (error %d)\n",
++ irq, err);
++ }
++
+ dynamic_irq_cleanup(irq);
+ clear_irq_vector(irq);
+ }
+@@ -1604,7 +1624,7 @@
+
+ if ( !IS_PRIV(current->domain) &&
+ !(IS_PRIV_FOR(current->domain, d) &&
+- irq_access_permitted(current->domain, pirq)))
++ irq_access_permitted(current->domain, irq)))
+ return -EPERM;
+
+ if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
+@@ -1625,11 +1645,12 @@
+ return 0;
+ }
+
+- ret = irq_permit_access(d, pirq);
++ ret = irq_permit_access(d, irq);
+ if ( ret )
+ {
+- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n",
+- d->domain_id, pirq);
++ printk(XENLOG_G_ERR
++ "dom%d: could not permit access to IRQ%d (pirq %d)\n",
++ d->domain_id, irq, pirq);
+ return ret;
+ }
+
+@@ -1651,8 +1672,14 @@
+ spin_lock_irqsave(&desc->lock, flags);
+
+ if ( desc->handler != &no_irq_type )
++ {
++ spin_unlock_irqrestore(&desc->lock, flags);
+ dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n",
+ d->domain_id, irq);
++ pci_disable_msi(msi_desc);
++ ret = -EBUSY;
++ goto done;
++ }
+ desc->handler = &pci_msi_type;
+ if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV
+ && !desc->chip_data->used_vectors )
+@@ -1680,6 +1707,10 @@
+ }
+
+ done:
++ if ( ret && irq_deny_access(d, irq) )
++ printk(XENLOG_G_ERR
++ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
++ d->domain_id, irq, pirq);
+ return ret;
+ }
+
+@@ -1736,10 +1767,11 @@
+ if (msi_desc)
+ msi_free_irq(msi_desc);
+
+- ret = irq_deny_access(d, pirq);
++ ret = irq_deny_access(d, irq);
+ if ( ret )
+- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n",
+- d->domain_id, pirq);
++ printk(XENLOG_G_ERR
++ "dom%d: could not deny access to IRQ%d (pirq %d)\n",
++ d->domain_id, irq, pirq);
+
+ if ( desc->handler == &pci_msi_type )
+ desc->handler = &no_irq_type;
+--- a/xen/arch/x86/physdev.c Thu Apr 18 16:23:07 2013 +0200
++++ b/xen/arch/x86/physdev.c Thu Apr 18 16:24:08 2013 +0200
+@@ -147,7 +147,7 @@
+ if ( irq == -1 )
+ irq = create_irq();
+
+- if ( irq < 0 || irq >= nr_irqs )
++ if ( irq < nr_irqs_gsi || irq >= nr_irqs )
+ {
+ dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n",
+ d->domain_id);
+--- a/xen/common/domctl.c Thu Apr 18 16:23:07 2013 +0200
++++ b/xen/common/domctl.c Thu Apr 18 16:24:08 2013 +0200
+@@ -854,9 +854,9 @@
+ if ( pirq >= d->nr_pirqs )
+ ret = -EINVAL;
+ else if ( op->u.irq_permission.allow_access )
+- ret = irq_permit_access(d, pirq);
++ ret = pirq_permit_access(d, pirq);
+ else
+- ret = irq_deny_access(d, pirq);
++ ret = pirq_deny_access(d, pirq);
+
+ rcu_unlock_domain(d);
+ }
+--- a/xen/common/event_channel.c Thu Apr 18 16:23:07 2013 +0200
++++ b/xen/common/event_channel.c Thu Apr 18 16:24:08 2013 +0200
+@@ -332,7 +332,7 @@
+ if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
+ return -EINVAL;
+
+- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) )
++ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) )
+ return -EPERM;
+
+ spin_lock(&d->event_lock);
+--- a/xen/include/xen/iocap.h Thu Apr 18 16:23:07 2013 +0200
++++ b/xen/include/xen/iocap.h Thu Apr 18 16:24:08 2013 +0200
+@@ -28,4 +28,22 @@
+ #define irq_access_permitted(d, i) \
+ rangeset_contains_singleton((d)->irq_caps, i)
+
++#define pirq_permit_access(d, i) ({ \
++ struct domain *d__ = (d); \
++ int i__ = domain_pirq_to_irq(d__, i); \
++ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
++ : -EINVAL; \
++})
++#define pirq_deny_access(d, i) ({ \
++ struct domain *d__ = (d); \
++ int i__ = domain_pirq_to_irq(d__, i); \
++ i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
++ : -EINVAL; \
++})
++#define pirq_access_permitted(d, i) ({ \
++ struct domain *d__ = (d); \
++ rangeset_contains_singleton(d__->irq_caps, \
++ domain_pirq_to_irq(d__, i));\
++})
++
+ #endif /* __XEN_IOCAP_H__ */
+
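Review bot: `pirq_access_permitted()` in the iocap.h hunk passes the result of `domain_pirq_to_irq()` straight to `rangeset_contains_singleton()`, whereas `pirq_permit_access()` and `pirq_deny_access()` beside it, and the bind/unbind checks in arch/x86/domctl.c, all reject `irq <= 0` first. An unmapped or invalid pirq is then refused only because 0, or a negative value converted to unsigned, happens not to be in `irq_caps`. Making the check explicit takes two lines: `int i__ = domain_pirq_to_irq(d__, i);` followed by `i__ > 0 && rangeset_contains_singleton(d__->irq_caps, i__);`. Separately, the arch/x86/domctl.c hunks pass the caller-supplied `bind->machine_irq` to `domain_pirq_to_irq()` with no range check visible, unlike common/domctl.c and event_channel.c, which test against `d->nr_pirqs` first. Those functions start outside the hunks, so it should be confirmed that a bound check precedes the lookup.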
Added: branches/wheezy/xen/debian/patches/CVE-2013-1920
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2013-1920 Fri Apr 19 10:01:17 2013 (r1147)
@@ -0,0 +1,28 @@
+Description: defer event channel bucket pointer store until after XSM checks
+ Otherwise a dangling pointer can be left, which would cause subsequent
+ memory corruption as soon as the space got re-allocated for some other
+ purpose.
+From: Jan Beulich <jbeulich at suse.com>
+Origin: upstream
+Id: CVE-2013-1920 XSA-47
+---
+--- a/xen/common/event_channel.c Tue Apr 02 12:39:15 2013 +0200
++++ b/xen/common/event_channel.c Fri Apr 05 10:04:03 2013 +0200
+@@ -104,7 +104,6 @@
+ if ( unlikely(chn == NULL) )
+ return -ENOMEM;
+ memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
+- bucket_from_port(d, port) = chn;
+
+ for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
+ {
+@@ -117,6 +116,8 @@
+ }
+ }
+
++ bucket_from_port(d, port) = chn;
++
+ return port;
+ }
+
+
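Review bot: The relocated `bucket_from_port(d, port) = chn;` has no comment saying that its position after the loop is what the fix depends on, so a later cleanup could move it back next to the `memset()`. I would add `/* Publish the bucket only after the loop has succeeded for every channel; an earlier store can leave a dangling pointer on the failure path. */` directly above it. The loop body and its failure path fall between the two hunks and are not visible here, so the wording should be checked against the full function.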
Added: branches/wheezy/xen/debian/patches/CVE-2013-1964
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2013-1964 Fri Apr 19 10:01:17 2013 (r1147)
@@ -0,0 +1,178 @@
+Description: Fix rcu domain locking for transitive grants
+ When acquiring a transitive grant for copy then the owning domain
+ needs to be locked down as well as the granting domain. This was being
+ done, but the unlocking was not. The acquire code now stores the
+ struct domain * of the owning domain (rather than the domid) in the
+ active entry in the granting domain. The release code then does the
+ unlock on the owning domain. Note that I believe I also fixed a bug
+ where, for non-transitive grants the active entry contained a
+ reference to the acquiring domain rather than the granting
+ domain. From my reading of the code this would stop the release code
+ for transitive grants from terminating its recursion correctly.
+ .
+ Also, for non-transitive grants we now avoid incorrectly recursing
+ in __release_grant_for_copy.
+From: Paul Durrant <paul.durrant at citrix.com>
+From: Jan Beulich <jbeulich at suse.com>
+Origin: upstream
+Id: CVE-2013-1964 XSA-50
+---
+--- a/xen/common/grant_table.c Thu Apr 18 16:24:08 2013 +0200
++++ b/xen/common/grant_table.c Thu Apr 18 17:38:17 2013 +0200
+@@ -598,7 +598,7 @@
+ act->start = 0;
+ act->length = PAGE_SIZE;
+ act->is_sub_page = 0;
+- act->trans_dom = rd->domain_id;
++ act->trans_domain = rd;
+ act->trans_gref = op->ref;
+ }
+ }
+@@ -1629,11 +1629,10 @@
+ struct active_grant_entry *act;
+ unsigned long r_frame;
+ uint16_t *status;
+- domid_t trans_domid;
+ grant_ref_t trans_gref;
+ int released_read;
+ int released_write;
+- struct domain *trans_dom;
++ struct domain *td;
+
+ released_read = 0;
+ released_write = 0;
+@@ -1647,15 +1646,13 @@
+ if (rd->grant_table->gt_version == 1)
+ {
+ status = &sha->flags;
+- trans_domid = rd->domain_id;
+- /* Shut the compiler up. This'll never be used, because
+- trans_domid == rd->domain_id, but gcc doesn't know that. */
+- trans_gref = 0x1234567;
++ td = rd;
++ trans_gref = gref;
+ }
+ else
+ {
+ status = &status_entry(rd->grant_table, gref);
+- trans_domid = act->trans_dom;
++ td = act->trans_domain;
+ trans_gref = act->trans_gref;
+ }
+
+@@ -1683,21 +1680,16 @@
+
+ spin_unlock(&rd->grant_table->lock);
+
+- if ( trans_domid != rd->domain_id )
++ if ( td != rd )
+ {
+- if ( released_write || released_read )
+- {
+- trans_dom = rcu_lock_domain_by_id(trans_domid);
+- if ( trans_dom != NULL )
+- {
+- /* Recursive calls, but they're tail calls, so it's
+- okay. */
+- if ( released_write )
+- __release_grant_for_copy(trans_dom, trans_gref, 0);
+- else if ( released_read )
+- __release_grant_for_copy(trans_dom, trans_gref, 1);
+- }
+- }
++ /* Recursive calls, but they're tail calls, so it's
++ okay. */
++ if ( released_write )
++ __release_grant_for_copy(td, trans_gref, 0);
++ else if ( released_read )
++ __release_grant_for_copy(td, trans_gref, 1);
++
++ rcu_unlock_domain(td);
+ }
+ }
+
+@@ -1734,7 +1726,7 @@
+ uint32_t old_pin;
+ domid_t trans_domid;
+ grant_ref_t trans_gref;
+- struct domain *rrd;
++ struct domain *td;
+ unsigned long gfn;
+ unsigned long grant_frame;
+ unsigned trans_page_off;
+@@ -1788,8 +1780,8 @@
+ status) ) != GNTST_okay )
+ goto unlock_out;
+
+- trans_domid = ld->domain_id;
+- trans_gref = 0;
++ td = rd;
++ trans_gref = gref;
+ if ( sha2 && (shah->flags & GTF_type_mask) == GTF_transitive )
+ {
+ if ( !allow_transitive )
+@@ -1811,14 +1803,15 @@
+ that you don't need to go out of your way to avoid it
+ in the guest. */
+
+- rrd = rcu_lock_domain_by_id(trans_domid);
+- if ( rrd == NULL )
++ /* We need to leave the rrd locked during the grant copy */
++ td = rcu_lock_domain_by_id(trans_domid);
++ if ( td == NULL )
+ PIN_FAIL(unlock_out_clear, GNTST_general_error,
+ "transitive grant referenced bad domain %d\n",
+ trans_domid);
+ spin_unlock(&rd->grant_table->lock);
+
+- rc = __acquire_grant_for_copy(rrd, trans_gref, rd,
++ rc = __acquire_grant_for_copy(td, trans_gref, rd,
+ readonly, &grant_frame,
+ &trans_page_off, &trans_length,
+ 0, &ignore);
+@@ -1826,6 +1819,7 @@
+ spin_lock(&rd->grant_table->lock);
+ if ( rc != GNTST_okay ) {
+ __fixup_status_for_copy_pin(act, status);
++ rcu_unlock_domain(td);
+ spin_unlock(&rd->grant_table->lock);
+ return rc;
+ }
+@@ -1837,6 +1831,7 @@
+ if ( act->pin != old_pin )
+ {
+ __fixup_status_for_copy_pin(act, status);
++ rcu_unlock_domain(td);
+ spin_unlock(&rd->grant_table->lock);
+ return __acquire_grant_for_copy(rd, gref, ld, readonly,
+ frame, page_off, length,
+@@ -1848,7 +1843,7 @@
+ sub-page, but we always treat it as one because that
+ blocks mappings of transitive grants. */
+ is_sub_page = 1;
+- *owning_domain = rrd;
++ *owning_domain = td;
+ act->gfn = -1ul;
+ }
+ else if ( sha1 )
+@@ -1894,7 +1889,7 @@
+ act->is_sub_page = is_sub_page;
+ act->start = trans_page_off;
+ act->length = trans_length;
+- act->trans_dom = trans_domid;
++ act->trans_domain = td;
+ act->trans_gref = trans_gref;
+ act->frame = grant_frame;
+ }
+--- a/xen/include/xen/grant_table.h Thu Apr 18 16:24:08 2013 +0200
++++ b/xen/include/xen/grant_table.h Thu Apr 18 17:38:17 2013 +0200
+@@ -32,7 +32,7 @@
+ struct active_grant_entry {
+ u32 pin; /* Reference count information. */
+ domid_t domid; /* Domain being granted access. */
+- domid_t trans_dom;
++ struct domain *trans_domain;
+ uint32_t trans_gref;
+ unsigned long frame; /* Frame being granted. */
+ unsigned long gfn; /* Guest's idea of the frame being granted. */
+
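Review bot: Two comments in the grant_table.c hunks are stale after this change. In `__release_grant_for_copy` the kept text `Recursive calls, but they're tail calls, so it's okay.` is no longer true, because `rcu_unlock_domain(td);` now runs after the call returns. If the depth is bounded because the nested acquire passes 0 where `allow_transitive` is expected (as the call ending in `0, &ignore` suggests), the comment should say so, e.g. `/* Recursive call; depth is bounded since a nested acquire is made with transitive grants disallowed. */`. In `__acquire_grant_for_copy` the new comment `/* We need to leave the rrd locked during the grant copy */` names `rrd`, which this patch renames to `td`. A comment on `struct domain *trans_domain;` in grant_table.h should also record what the description implies: for a transitive grant the pointer stays valid through the RCU lock taken at acquire and dropped at release. Both functions extend beyond the hunks shown.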
Modified: branches/wheezy/xen/debian/patches/series
==============================================================================
--- branches/wheezy/xen/debian/patches/series Thu Feb 14 20:07:04 2013 (r1146)
+++ branches/wheezy/xen/debian/patches/series Fri Apr 19 10:01:17 2013 (r1147)
@@ -11,6 +11,10 @@
CVE-2013-0153-2
CVE-2013-0153-3
CVE-2013-0153-4
+CVE-2013-1917
+CVE-2013-1919
+CVE-2013-1920
+CVE-2013-1964
upstream-23001:9eb9948904cd
upstream-23002:eb64b8f8eebb