main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)

ref #2044 ref #2049 ref #2054 fixes #2045 fixes #2050 fixes #2055 (cherry picked from commit f6e99451d47fbe7cdb852f48dd11006808db52ae)
author: Natanael Copa <ncopa@alpinelinux.org> 2013-06-04 09:30:54 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-06-04 09:57:28 +0000
commit: 793a2f362351c53c4175ab2cc395a92d6d83b209 (patch)
tree: 3ad8fd14601f7d5541d08483c3d0a82eaf2d6541
parent: ac5955de4454245ae2bb8ed063e8f530f1b4f2b3 (diff)
download: alpine_aports-793a2f362351c53c4175ab2cc395a92d6d83b209.tar.bz2
alpine_aports-793a2f362351c53c4175ab2cc395a92d6d83b209.tar.xz
alpine_aports-793a2f362351c53c4175ab2cc395a92d6d83b209.zip
4 files changed, 140 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 0a972ff837..c052f76f4c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.2.2
-pkgrel=0
+pkgrel=2
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -24,6 +24,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
        xsa41b.patch
        xsa41c.patch
        xsa48-4.2.patch
+        xsa52-4.2-unstable.patch
+        xsa53-4.2.patch
+        xsa54.patch
        xsa56.patch
        fix-pod2man-choking.patch
@@ -149,6 +152,9 @@ md5sums="f7362b19401a47826f2d8fd603a1782a  xen-4.2.2.tar.gz
 ed7d0399c6ca6aeee479da5d8f807fe0  xsa41b.patch
 2f3dd7bdc59d104370066d6582725575  xsa41c.patch
 b3e3a57d189a4f86c9766eaf3b5207f4  xsa48-4.2.patch
+83a9cdd035bcd18bf035434a1ba08c38  xsa52-4.2-unstable.patch
+03a1a4ebc470ee7e638e04db2701a4f7  xsa53-4.2.patch
+a8393d1ec6b886ea72ffe624a04ee10a  xsa54.patch
 e70b9128ffc2175cea314a533a7d8457  xsa56.patch
 c1d1a415415b0192e5dae9032962bf61  fix-pod2man-choking.patch
 95d8af17bf844d41a015ff32aae51ba1  xenstored.initd
@@ -171,6 +177,9 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28  docs-Fix-gener
 896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5  xsa41b.patch
 683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914  xsa41c.patch
 dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b  xsa48-4.2.patch
+5b8582185bf90386729e81db1f7780c69a891b074a87d9a619a90d6f639bea13  xsa52-4.2-unstable.patch
+785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d  xsa53-4.2.patch
+5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7  xsa54.patch
 a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d  xsa56.patch
 b4e7d43364a06b2cb04527db3e9567524bc489fef475709fd8493ebf1e62406d  fix-pod2man-choking.patch
 81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381  xenstored.initd
@@ -193,6 +202,9 @@ sha512sums="4943b18016ed8c2b194a3b55e6655b3b734b39ffb8cb7ee0a0580f2f4460a1d0e92e
 bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38  xsa41b.patch
 36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9  xsa41c.patch
 31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4  xsa48-4.2.patch
+b64a965fab8534958e453c493211ed3a6555aafb90d18f6d56a45b41d3086a0029aee85b6b6eb93b0d861d5fdc0ef10fc32e9b4f83593b37c43922d838085dd8  xsa52-4.2-unstable.patch
+9b08924e563e79d2b308c1521da520c0579b334b61ac99a5593eabdb96dbda2da898b542cc47bda6d663c68343216d9d29c04853b6d1b6ecdde964b0cbb3f7ab  xsa53-4.2.patch
+c9010be637d4f96ef03c880e1ef28228f762c5980108380a105bd190b631a882c8dff81e9421246d88d597e72f69ad1a8c672be6ddd06936acfcacd4575a2650  xsa54.patch
 26a1c2cc92ddd4c1ab6712b0e41a0135d0e76a7fe3a14b651fb0235e352e5a24077414371acccb93058b7ce4d882b667386811170ba74570c53165837bcd983d  xsa56.patch
 ffb1113fcec0853b690c177655c7d1136388efdebf0d7f625b80481b98eadd3e9ef461442ced53e11acf0e347800a2b0a41e18b05065b5d04bffdd8a4e127cec  fix-pod2man-choking.patch
 792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee  xenstored.initd
diff --git a/main/xen/xsa52-4.2-unstable.patch b/main/xen/xsa52-4.2-unstable.patch
new file mode 100644
index 0000000000..14db8a8a7f
--- /dev/null
+++ b/main/xen/xsa52-4.2-unstable.patch
@@ -0,0 +1,46 @@
+x86/xsave: fix information leak on AMD CPUs
+Just like for FXSAVE/FXRSTOR, XSAVE/XRSTOR also don't save/restore the
+last instruction and operand pointers as well as the last opcode if
+there's no pending unmasked exception (see CVE-2006-1056 and commit
+9747:4d667a139318).
+While the FXSR solution sits in the save path, I prefer to have this in
+the restore path because there the handling is simpler (namely in the
+context of the pending changes to properly save the selector values for
+32-bit guest code).
+Also this is using FFREE instead of EMMS, as it doesn't seem unlikely
+that in the future we may see CPUs with x87 and SSE/AVX but no MMX
+support. The goal here anyway is just to avoid an FPU stack overflow.
+I would have preferred to use FFREEP instead of FFREE (freeing two
+stack slots at once), but AMD doesn't document that instruction.
+This is CVE-2013-2076 / XSA-52.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+--- a/xen/arch/x86/xstate.c
+++ b/xen/arch/x86/xstate.c
+@@ -78,6 +78,21 @@ void xrstor(struct vcpu *v, uint64_t mas
+ 
+     struct xsave_struct *ptr = v->arch.xsave_area;
+ 
+    /*
+     * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception
+     * is pending. Clear the x87 state here by setting it to fixed
+     * values. The hypervisor data segment can be sometimes 0 and
+     * sometimes new user value. Both should be ok. Use the FPU saved
+     * data block as a safe address because it should be in L1.
+     */
+    if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
+         !(ptr->fpu_sse.fsw & 0x0080) &&
+         boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+        asm volatile ( "fnclex\n\t"        /* clear exceptions */
+                       "ffree %%st(7)\n\t" /* clear stack tag */
+                       "fildl %0"          /* load to clear state */
+                       : : "m" (ptr->fpu_sse) );
+
+     asm volatile (
+         ".byte " REX_PREFIX "0x0f,0xae,0x2f"
+         :
diff --git a/main/xen/xsa53-4.2.patch b/main/xen/xsa53-4.2.patch
new file mode 100644
index 0000000000..eb8e79bed2
--- /dev/null
+++ b/main/xen/xsa53-4.2.patch
@@ -0,0 +1,57 @@
+x86/xsave: recover from faults on XRSTOR
+Just like FXRSTOR, XRSTOR can raise #GP if bad content is being passed
+to it in the memory block (i.e. aspects not under the control of the
+hypervisor, other than e.g. proper alignment of the block).
+Also correct the comment explaining why FXRSTOR needs exception
+recovery code to not wrongly state that this can only be a result of
+the control tools passing a bad image.
+This is CVE-2013-2077 / XSA-53.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+--- a/xen/arch/x86/i387.c
+++ b/xen/arch/x86/i387.c
+@@ -53,7 +53,7 @@ static inline void fpu_fxrstor(struct vc
+     /*
+      * FXRSTOR can fault if passed a corrupted data block. We handle this
+      * possibility, which may occur if the block was passed to us by control
+-     * tools, by silently clearing the block.
+     * tools or through VCPUOP_initialise, by silently clearing the block.
+      */
+     asm volatile (
+ #ifdef __i386__
+--- a/xen/arch/x86/xstate.c
+++ b/xen/arch/x86/xstate.c
+@@ -93,10 +93,25 @@ void xrstor(struct vcpu *v, uint64_t mas
+                        "fildl %0"          /* load to clear state */
+                        : : "m" (ptr->fpu_sse) );
+ 
+-    asm volatile (
+-        ".byte " REX_PREFIX "0x0f,0xae,0x2f"
+-        :
+-        : "m" (*ptr), "a" (lmask), "d" (hmask), "D"(ptr) );
+    /*
+     * XRSTOR can fault if passed a corrupted data block. We handle this
+     * possibility, which may occur if the block was passed to us by control
+     * tools or through VCPUOP_initialise, by silently clearing the block.
+     */
+    asm volatile ( "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
+                   ".section .fixup,\"ax\"\n"
+                   "2: mov %5,%%ecx       \n"
+                   "   xor %1,%1          \n"
+                   "   rep stosb          \n"
+                   "   lea %2,%0          \n"
+                   "   mov %3,%1          \n"
+                   "   jmp 1b             \n"
+                   ".previous             \n"
+                   _ASM_EXTABLE(1b, 2b)
+                   : "+&D" (ptr), "+&a" (lmask)
+                   : "m" (*ptr), "g" (lmask), "d" (hmask),
+                     "m" (xsave_cntxt_size)
+                   : "ecx" );
+ }
+ 
+ bool_t xsave_enabled(const struct vcpu *v)
diff --git a/main/xen/xsa54.patch b/main/xen/xsa54.patch
new file mode 100644
index 0000000000..83c8993d6a
--- /dev/null
+++ b/main/xen/xsa54.patch
@@ -0,0 +1,24 @@
+x86/xsave: properly check guest input to XSETBV
+Other than the HVM emulation path, the PV case so far failed to check
+that YMM state requires SSE state to be enabled, allowing for a #GP to
+occur upon passing the inputs to XSETBV inside the hypervisor.
+This is CVE-2013-2078 / XSA-54.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
+@@ -2205,6 +2205,11 @@ static int emulate_privileged_op(struct 
+                     if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) )
+                         goto fail;
+ 
+                    /* YMM state takes SSE state as prerequisite. */
+                    if ( (xfeature_mask & new_xfeature & XSTATE_YMM) &&
+                         !(new_xfeature & XSTATE_SSE) )
+                        goto fail;
+
+                     v->arch.xcr0 = new_xfeature;
+                     v->arch.xcr0_accum |= new_xfeature;
+                     set_xcr0(new_xfeature);
author	Natanael Copa <ncopa@alpinelinux.org>	2013-06-04 09:30:54 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-06-04 09:57:28 +0000
commit	793a2f362351c53c4175ab2cc395a92d6d83b209 (patch)
tree	3ad8fd14601f7d5541d08483c3d0a82eaf2d6541
parent	ac5955de4454245ae2bb8ed063e8f530f1b4f2b3 (diff)
download	alpine_aports-793a2f362351c53c4175ab2cc395a92d6d83b209.tar.bz2 alpine_aports-793a2f362351c53c4175ab2cc395a92d6d83b209.tar.xz alpine_aports-793a2f362351c53c4175ab2cc395a92d6d83b209.zip

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 0a972ff837..c052f76f4c 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
3	# Maintainer: William Pitcock <nenolod@dereferenced.org>	3	# Maintainer: William Pitcock <nenolod@dereferenced.org>
4	pkgname=xen	4	pkgname=xen
5	pkgver=4.2.2	5	pkgver=4.2.2
6	pkgrel=0	6	pkgrel=2
7	pkgdesc="Xen hypervisor"	7	pkgdesc="Xen hypervisor"
8	url="http://www.xen.org/"	8	url="http://www.xen.org/"
9	arch="x86 x86_64"	9	arch="x86 x86_64"
@@ -24,6 +24,9 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
24	xsa41b.patch	24	xsa41b.patch
25	xsa41c.patch	25	xsa41c.patch
26	xsa48-4.2.patch	26	xsa48-4.2.patch
		27	xsa52-4.2-unstable.patch
		28	xsa53-4.2.patch
		29	xsa54.patch
27	xsa56.patch	30	xsa56.patch
28		31
29	fix-pod2man-choking.patch	32	fix-pod2man-choking.patch
@@ -149,6 +152,9 @@ md5sums="f7362b19401a47826f2d8fd603a1782a xen-4.2.2.tar.gz
149	ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch	152	ed7d0399c6ca6aeee479da5d8f807fe0 xsa41b.patch
150	2f3dd7bdc59d104370066d6582725575 xsa41c.patch	153	2f3dd7bdc59d104370066d6582725575 xsa41c.patch
151	b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch	154	b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch
		155	83a9cdd035bcd18bf035434a1ba08c38 xsa52-4.2-unstable.patch
		156	03a1a4ebc470ee7e638e04db2701a4f7 xsa53-4.2.patch
		157	a8393d1ec6b886ea72ffe624a04ee10a xsa54.patch
152	e70b9128ffc2175cea314a533a7d8457 xsa56.patch	158	e70b9128ffc2175cea314a533a7d8457 xsa56.patch
153	c1d1a415415b0192e5dae9032962bf61 fix-pod2man-choking.patch	159	c1d1a415415b0192e5dae9032962bf61 fix-pod2man-choking.patch
154	95d8af17bf844d41a015ff32aae51ba1 xenstored.initd	160	95d8af17bf844d41a015ff32aae51ba1 xenstored.initd
@@ -171,6 +177,9 @@ a0c225d716d343fe041b63e3940900c5b3573ed3bcfc5b7c2d52ea2861c3fc28 docs-Fix-gener
171	896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch	177	896a07f57310c9bea9bc2a305166cf796282c381cb7839be49105b1726a860b5 xsa41b.patch
172	683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch	178	683dd96a0a8899f794070c8c09643dfeeb39f92da531955cba961b45f6075914 xsa41c.patch
173	dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch	179	dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch
		180	5b8582185bf90386729e81db1f7780c69a891b074a87d9a619a90d6f639bea13 xsa52-4.2-unstable.patch
		181	785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d xsa53-4.2.patch
		182	5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7 xsa54.patch
174	a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d xsa56.patch	183	a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d xsa56.patch
175	b4e7d43364a06b2cb04527db3e9567524bc489fef475709fd8493ebf1e62406d fix-pod2man-choking.patch	184	b4e7d43364a06b2cb04527db3e9567524bc489fef475709fd8493ebf1e62406d fix-pod2man-choking.patch
176	81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381 xenstored.initd	185	81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381 xenstored.initd
@@ -193,6 +202,9 @@ sha512sums="4943b18016ed8c2b194a3b55e6655b3b734b39ffb8cb7ee0a0580f2f4460a1d0e92e
193	bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch	202	bda9105793f2327e1317991762120d0668af0e964076b18c9fdbfd509984b2e88d85df95702c46b2e00d5350e8113f6aa7b34b19064d19abbeb4d43f0c431d38 xsa41b.patch
194	36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch	203	36b60478660ff7748328f5ab9adff13286eee1a1bad06e42fdf7e6aafe105103988525725aacd660cf5b2a184a9e2d6b3818655203c1fa07e07dcebdf23f35d9 xsa41c.patch
195	31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch	204	31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch
		205	b64a965fab8534958e453c493211ed3a6555aafb90d18f6d56a45b41d3086a0029aee85b6b6eb93b0d861d5fdc0ef10fc32e9b4f83593b37c43922d838085dd8 xsa52-4.2-unstable.patch
		206	9b08924e563e79d2b308c1521da520c0579b334b61ac99a5593eabdb96dbda2da898b542cc47bda6d663c68343216d9d29c04853b6d1b6ecdde964b0cbb3f7ab xsa53-4.2.patch
		207	c9010be637d4f96ef03c880e1ef28228f762c5980108380a105bd190b631a882c8dff81e9421246d88d597e72f69ad1a8c672be6ddd06936acfcacd4575a2650 xsa54.patch
196	26a1c2cc92ddd4c1ab6712b0e41a0135d0e76a7fe3a14b651fb0235e352e5a24077414371acccb93058b7ce4d882b667386811170ba74570c53165837bcd983d xsa56.patch	208	26a1c2cc92ddd4c1ab6712b0e41a0135d0e76a7fe3a14b651fb0235e352e5a24077414371acccb93058b7ce4d882b667386811170ba74570c53165837bcd983d xsa56.patch
197	ffb1113fcec0853b690c177655c7d1136388efdebf0d7f625b80481b98eadd3e9ef461442ced53e11acf0e347800a2b0a41e18b05065b5d04bffdd8a4e127cec fix-pod2man-choking.patch	209	ffb1113fcec0853b690c177655c7d1136388efdebf0d7f625b80481b98eadd3e9ef461442ced53e11acf0e347800a2b0a41e18b05065b5d04bffdd8a4e127cec fix-pod2man-choking.patch
198	792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee xenstored.initd	210	792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee xenstored.initd


diff --git a/main/xen/xsa52-4.2-unstable.patch b/main/xen/xsa52-4.2-unstable.patch new file mode 100644 index 0000000000..14db8a8a7f --- /dev/null +++ b/main/xen/xsa52-4.2-unstable.patch
@@ -0,0 +1,46 @@
		1	x86/xsave: fix information leak on AMD CPUs
		2
		3	Just like for FXSAVE/FXRSTOR, XSAVE/XRSTOR also don't save/restore the
		4	last instruction and operand pointers as well as the last opcode if
		5	there's no pending unmasked exception (see CVE-2006-1056 and commit
		6	9747:4d667a139318).
		7
		8	While the FXSR solution sits in the save path, I prefer to have this in
		9	the restore path because there the handling is simpler (namely in the
		10	context of the pending changes to properly save the selector values for
		11	32-bit guest code).
		12
		13	Also this is using FFREE instead of EMMS, as it doesn't seem unlikely
		14	that in the future we may see CPUs with x87 and SSE/AVX but no MMX
		15	support. The goal here anyway is just to avoid an FPU stack overflow.
		16	I would have preferred to use FFREEP instead of FFREE (freeing two
		17	stack slots at once), but AMD doesn't document that instruction.
		18
		19	This is CVE-2013-2076 / XSA-52.
		20
		21	Signed-off-by: Jan Beulich <jbeulich@suse.com>
		22
		23	--- a/xen/arch/x86/xstate.c
		24	+++ b/xen/arch/x86/xstate.c
		25	@@ -78,6 +78,21 @@ void xrstor(struct vcpu *v, uint64_t mas
		26
		27	struct xsave_struct *ptr = v->arch.xsave_area;
		28
		29	+ /*
		30	+ * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception
		31	+ * is pending. Clear the x87 state here by setting it to fixed
		32	+ * values. The hypervisor data segment can be sometimes 0 and
		33	+ * sometimes new user value. Both should be ok. Use the FPU saved
		34	+ * data block as a safe address because it should be in L1.
		35	+ */
		36	+ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
		37	+ !(ptr->fpu_sse.fsw & 0x0080) &&
		38	+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
		39	+ asm volatile ( "fnclex\n\t" /* clear exceptions */
		40	+ "ffree %%st(7)\n\t" /* clear stack tag */
		41	+ "fildl %0" /* load to clear state */
		42	+ : : "m" (ptr->fpu_sse) );
		43	+
		44	asm volatile (
		45	".byte " REX_PREFIX "0x0f,0xae,0x2f"
		46	:


diff --git a/main/xen/xsa53-4.2.patch b/main/xen/xsa53-4.2.patch new file mode 100644 index 0000000000..eb8e79bed2 --- /dev/null +++ b/main/xen/xsa53-4.2.patch
@@ -0,0 +1,57 @@
		1	x86/xsave: recover from faults on XRSTOR
		2
		3	Just like FXRSTOR, XRSTOR can raise #GP if bad content is being passed
		4	to it in the memory block (i.e. aspects not under the control of the
		5	hypervisor, other than e.g. proper alignment of the block).
		6
		7	Also correct the comment explaining why FXRSTOR needs exception
		8	recovery code to not wrongly state that this can only be a result of
		9	the control tools passing a bad image.
		10
		11	This is CVE-2013-2077 / XSA-53.
		12
		13	Signed-off-by: Jan Beulich <jbeulich@suse.com>
		14
		15	--- a/xen/arch/x86/i387.c
		16	+++ b/xen/arch/x86/i387.c
		17	@@ -53,7 +53,7 @@ static inline void fpu_fxrstor(struct vc
		18	/*
		19	* FXRSTOR can fault if passed a corrupted data block. We handle this
		20	* possibility, which may occur if the block was passed to us by control
		21	- * tools, by silently clearing the block.
		22	+ * tools or through VCPUOP_initialise, by silently clearing the block.
		23	*/
		24	asm volatile (
		25	#ifdef __i386__
		26	--- a/xen/arch/x86/xstate.c
		27	+++ b/xen/arch/x86/xstate.c
		28	@@ -93,10 +93,25 @@ void xrstor(struct vcpu *v, uint64_t mas
		29	"fildl %0" /* load to clear state */
		30	: : "m" (ptr->fpu_sse) );
		31
		32	- asm volatile (
		33	- ".byte " REX_PREFIX "0x0f,0xae,0x2f"
		34	- :
		35	- : "m" (*ptr), "a" (lmask), "d" (hmask), "D"(ptr) );
		36	+ /*
		37	+ * XRSTOR can fault if passed a corrupted data block. We handle this
		38	+ * possibility, which may occur if the block was passed to us by control
		39	+ * tools or through VCPUOP_initialise, by silently clearing the block.
		40	+ */
		41	+ asm volatile ( "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
		42	+ ".section .fixup,\"ax\"\n"
		43	+ "2: mov %5,%%ecx \n"
		44	+ " xor %1,%1 \n"
		45	+ " rep stosb \n"
		46	+ " lea %2,%0 \n"
		47	+ " mov %3,%1 \n"
		48	+ " jmp 1b \n"
		49	+ ".previous \n"
		50	+ _ASM_EXTABLE(1b, 2b)
		51	+ : "+&D" (ptr), "+&a" (lmask)
		52	+ : "m" (*ptr), "g" (lmask), "d" (hmask),
		53	+ "m" (xsave_cntxt_size)
		54	+ : "ecx" );
		55	}
		56
		57	bool_t xsave_enabled(const struct vcpu *v)


diff --git a/main/xen/xsa54.patch b/main/xen/xsa54.patch new file mode 100644 index 0000000000..83c8993d6a --- /dev/null +++ b/main/xen/xsa54.patch
@@ -0,0 +1,24 @@
		1	x86/xsave: properly check guest input to XSETBV
		2
		3	Other than the HVM emulation path, the PV case so far failed to check
		4	that YMM state requires SSE state to be enabled, allowing for a #GP to
		5	occur upon passing the inputs to XSETBV inside the hypervisor.
		6
		7	This is CVE-2013-2078 / XSA-54.
		8
		9	Signed-off-by: Jan Beulich <jbeulich@suse.com>
		10
		11	--- a/xen/arch/x86/traps.c
		12	+++ b/xen/arch/x86/traps.c
		13	@@ -2205,6 +2205,11 @@ static int emulate_privileged_op(struct
		14	if ( !(new_xfeature & XSTATE_FP) \|\| (new_xfeature & ~xfeature_mask) )
		15	goto fail;
		16
		17	+ /* YMM state takes SSE state as prerequisite. */
		18	+ if ( (xfeature_mask & new_xfeature & XSTATE_YMM) &&
		19	+ !(new_xfeature & XSTATE_SSE) )
		20	+ goto fail;
		21	+
		22	v->arch.xcr0 = new_xfeature;
		23	v->arch.xcr0_accum \|= new_xfeature;
		24	set_xcr0(new_xfeature);