add patches from upstream to fix two security problems:

-another lock inversion -privilege escalation (not exploitable in standard setups) bump PKGREV
TritonDataCenter · Nov 29, 2013 · fe7d55d · fe7d55d
1 parent 87efe77
commit fe7d55d
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 6 deletions.
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.28 2013/11/23 14:04:59 drochner Exp $
+# $NetBSD: Makefile,v 1.29 2013/11/29 19:29:58 drochner Exp $
 #
 
 VERSION=	4.1.6.1
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel41-${VERSION}
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 

diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
@@ -1,16 +1,17 @@
-$NetBSD: distinfo,v 1.22 2013/11/23 14:04:59 drochner Exp $
+$NetBSD: distinfo,v 1.23 2013/11/29 19:29:58 drochner Exp $
 
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
-SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a
+SHA1 (patch-CVE-2013-4355_1) = a28e4fc0cbe5409a759e689ff1af82792f560a39
 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
 SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
 SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
+SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2

diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
@@ -1,9 +1,12 @@
-$NetBSD: patch-CVE-2013-4355_1,v 1.1 2013/10/01 14:54:44 drochner Exp $
+$NetBSD
 
 http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
+also fixes
+http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html
+(CVE-2013-4554)
 
 --- xen/arch/x86/hvm/hvm.c.orig	2013-09-10 06:42:18.000000000 +0000
-+++ xen/arch/x86/hvm/hvm.c	2013-09-30 15:23:07.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c	2013-11-29 15:12:29.000000000 +0000
 @@ -1961,11 +1961,7 @@ void hvm_task_switch(
 
      rc = hvm_copy_from_guest_virt(
@@ -36,3 +39,12 @@ http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
          goto out;
 
 
+@@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+     case 4:
+     case 2:
+         hvm_get_segment_register(curr, x86_seg_ss, &sreg);
+-        if ( unlikely(sreg.attr.fields.dpl == 3) )
++        if ( unlikely(sreg.attr.fields.dpl) )
+         {
+     default:
+             regs->eax = -EPERM;
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4553 b/sysutils/xenkernel41/patches/patch-CVE-2013-4553
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2013-4553,v 1.1 2013/11/29 19:29:58 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03828.html
+
+--- xen/arch/x86/domctl.c.orig	2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/domctl.c	2013-11-29 15:19:13.000000000 +0000
+@@ -383,6 +383,26 @@ long arch_do_domctl(
+                 break;
+             }
+
++            /*
++             * XSA-74: This sub-hypercall is broken in several ways:
++             * - lock order inversion (p2m locks inside page_alloc_lock)
++             * - no preemption on huge max_pfns input
++             * - not (re-)checking d->is_dying with page_alloc_lock held
++             * - not honoring start_pfn input (which libxc also doesn't set)
++             * Additionally it is rather useless, as the result is stale by
++             * the time the caller gets to look at it.
++             * As it only has a single, non-production consumer (xen-mceinj),
++             * rather than trying to fix it we restrict it for the time being.
++             */
++            if ( /* No nested locks inside copy_to_guest_offset(). */
++                 paging_mode_external(current->domain) ||
++                 /* Arbitrary limit capping processing time. */
++                 max_pfns > GB(4) / PAGE_SIZE )
++            {
++                ret = -EOPNOTSUPP;
++                break;
++            }
++
+             spin_lock(&d->page_alloc_lock);
+
+             if ( unlikely(d->is_dying) ) {