forked from jsonn/pkgsrc
add patches from upstream to fix two security problems:
- another lock inversion
- privilege escalation (not exploitable in standard setups)
bump PKGREV
drochner committed Nov 29, 2013
1 parent: 87efe77
commit: fe7d55d
Showing 4 changed files with 52 additions and 6 deletions.
@@ -0,0 +1,33 @@ | ||
$NetBSD: patch-CVE-2013-4553,v 1.1 2013/11/29 19:29:58 drochner Exp $ | ||
|
||
http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03828.html | ||
|
||
--- xen/arch/x86/domctl.c.orig 2013-09-10 06:42:18.000000000 +0000 | ||
+++ xen/arch/x86/domctl.c 2013-11-29 15:19:13.000000000 +0000 | ||
@@ -383,6 +383,26 @@ long arch_do_domctl( | ||
break; | ||
} | ||
|
||
+ /* | ||
+ * XSA-74: This sub-hypercall is broken in several ways: | ||
+ * - lock order inversion (p2m locks inside page_alloc_lock) | ||
+ * - no preemption on huge max_pfns input | ||
+ * - not (re-)checking d->is_dying with page_alloc_lock held | ||
+ * - not honoring start_pfn input (which libxc also doesn't set) | ||
+ * Additionally it is rather useless, as the result is stale by | ||
+ * the time the caller gets to look at it. | ||
+ * As it only has a single, non-production consumer (xen-mceinj), | ||
+ * rather than trying to fix it we restrict it for the time being. | ||
+ */ | ||
+ if ( /* No nested locks inside copy_to_guest_offset(). */ | ||
+ paging_mode_external(current->domain) || | ||
+ /* Arbitrary limit capping processing time. */ | ||
+ max_pfns > GB(4) / PAGE_SIZE ) | ||
+ { | ||
+ ret = -EOPNOTSUPP; | ||
+ break; | ||
+ } | ||
+ | ||
spin_lock(&d->page_alloc_lock); | ||
|
||
if ( unlikely(d->is_dying) ) { |
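Review bot: the new pkgsrc patch file carries only the upstream mailing-list URL after the $NetBSD$ line; pkgsrc convention is to also state in a sentence what the patch does and why, so add a line such as "XSA-74 / CVE-2013-4553: restrict the affected domctl sub-op (lock order inversion, unbounded max_pfns) rather than fixing it" so a later updater can judge whether the patch is still needed. Note that the added guard only covers two of the four defects listed in the upstream comment (the nested-lock case via paging_mode_external(current->domain) and the processing-time cap via max_pfns > GB(4) / PAGE_SIZE); the is_dying re-check and start_pfn issues are deliberately left alone, so the pkgsrc description should say "restrict", not "fix". The placement is right: both checks run before spin_lock(&d->page_alloc_lock), so the early `break` with `ret = -EOPNOTSUPP` never leaves the lock held.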