author | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 14:24:07 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-10-21 14:24:07 +0200 |
commit | 7a1fa50fc838cd70f0faff3af1d1c258a13001ec (patch) | |
tree | ca010ba1a43f18a889807a34d965447c45ee6364 | |
parent | b282e4fbccb2759d3d0306e35fae749419713410 (diff) | |
main/xen: security fix for CVE-2016-7777
-rw-r--r-- | main/xen/APKBUILD | 8 | ||||
-rw-r--r-- | main/xen/xsa190-4.6.patch | 163 |
2 files changed, 170 insertions, 1 deletions
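--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.6.3
-pkgrel=3
+pkgrel=4
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -26,6 +26,8 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
 # - CVE-2016-7092 XSA-185
 # - CVE-2016-7093 XSA-186
 # - CVE-2016-7094 XSA-187
+# 4.6.3-r3:
+# - CVE-2016-7777 XSA-190
 
 # grep _VERSION= stubdom/configure
 _ZLIB_VERSION="1.2.3"
@@ -61,6 +63,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+xsa190-4.6.patch
 
 xenstore_client_transaction_fix.patch
 qemu-coroutine-gthread.patch
@@ -266,6 +269,7 @@ cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch
 3d812cf9ccc8443874b36e061392d388 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 a98c0fa2579965d72272f381f193195d xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+2c6f0d0ec618a832cc4f5316624fac5e xsa190-4.6.patch
 b05500e9fdcec5a076ab8817fc313ac3 xenstore_client_transaction_fix.patch
 de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
 08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
@@ -307,6 +311,7 @@ f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6 xsa186-0001-x8
 7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+dbfc4b36132c841959847dfbb85a188ee6489ad3b8d7ecec43c55a303a43df21 xsa190-4.6.patch
 c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1 xenstore_client_transaction_fix.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
@@ -348,6 +353,7 @@ bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d029
 6583c843855d300b3d40321d909b64ab0df6b03da62b3400cb7e58a9249077112e5951e14449880cfc8d593dabd9afcffc15ff77555f745b478f7af939b3219e xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 63f30d4a6842fc516d33334b25806e10a89228fec32315df27c9c271303d02619be4a88e638e41920ad808215280c3fce697574d05c5fb3f184844069383a201 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+ba155f6ee81718ecaa2289998c8204e2f6ba9a6d70b042a3eaa9373d8dcd030091feca829b51914f0071d6672fad5a3f9c253da579780aa429b51c24c0bf228c xsa190-4.6.patch
 69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch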
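Review bot: The new security-fix header added in the second hunk reads `# 4.6.3-r3:`, while the first hunk bumps `pkgrel` from 3 to 4, so the entry appears to be labelled with the release being replaced rather than the one that ships the XSA-190 fix. If this list records the release in which each CVE was fixed (the header of the earlier XSA-185/186/187 entries is outside the hunk, so the convention is inferred), the line should read `# 4.6.3-r4:`. This label is what a maintainer or user reads to decide whether an installed xen build already carries the CVE-2016-7777 fix, so it is worth keeping exact; the three checksum additions for xsa190-4.6.patch are consistent with each other and with the source list.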
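--- /dev/null
+++ b/main/xen/xsa190-4.6.patch
@@ -0,0 +1,163 @@
+x86emul: honor guest CR0.TS and CR0.EM
+
+We must not emulate any instructions accessing respective registers
+when either of these flags is set in the guest view of the register, or
+else we may do so on data not belonging to the guest's current task.
+
+Being architecturally required behavior, the logic gets placed in the
+instruction emulator instead of hvmemul_get_fpu(). It should be noted,
+though, that hvmemul_get_fpu() being the only current handler for the
+get_fpu() callback, we don't have an active problem with CR4: Both
+CR4.OSFXSR and CR4.OSXSAVE get handled as necessary by that function.
+
+This is XSA-190.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/tools/tests/x86_emulator/test_x86_emulator.c
++++ b/tools/tests/x86_emulator/test_x86_emulator.c
+@@ -129,6 +129,22 @@ static inline uint64_t xgetbv(uint32_t x
+(ebx & (1U << 5)) != 0; \
+})
+
++static int read_cr(
++ unsigned int reg,
++ unsigned long *val,
++ struct x86_emulate_ctxt *ctxt)
++{
++ /* Fake just enough state for the emulator's _get_fpu() to be happy. */
++ switch ( reg )
++ {
++ case 0:
++ *val = 0x00000001; /* PE */
++ return X86EMUL_OKAY;
++ }
++
++ return X86EMUL_UNHANDLEABLE;
++}
++
+int get_fpu(
+void (*exception_callback)(void *, struct cpu_user_regs *),
+void *exception_callback_arg,
+@@ -160,6 +176,7 @@ static struct x86_emulate_ops emulops =
+.write = write,
+.cmpxchg = cmpxchg,
+.cpuid = cpuid,
++ .read_cr = read_cr,
+.get_fpu = get_fpu,
+};
+
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -1557,6 +1557,7 @@ static int hvmemul_get_fpu(
+switch ( type )
+{
+case X86EMUL_FPU_fpu:
++ case X86EMUL_FPU_wait:
+break;
+case X86EMUL_FPU_mmx:
+if ( !cpu_has_mmx )
+@@ -1564,7 +1565,6 @@ static int hvmemul_get_fpu(
+break;
+case X86EMUL_FPU_xmm:
+if ( !cpu_has_xmm ||
+- (curr->arch.hvm_vcpu.guest_cr[0] & X86_CR0_EM) ||
+!(curr->arch.hvm_vcpu.guest_cr[4] & X86_CR4_OSFXSR) )
+return X86EMUL_UNHANDLEABLE;
+break;
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -366,6 +366,9 @@ typedef union {
+
+/* Control register flags. */
+#define CR0_PE (1<<0)
++#define CR0_MP (1<<1)
++#define CR0_EM (1<<2)
++#define CR0_TS (1<<3)
+#define CR4_TSD (1<<2)
+
+/* EFLAGS bit definitions. */
+@@ -393,6 +396,7 @@ typedef union {
+#define EXC_OF 4
+#define EXC_BR 5
+#define EXC_UD 6
++#define EXC_NM 7
+#define EXC_TS 10
+#define EXC_NP 11
+#define EXC_SS 12
+@@ -674,10 +678,45 @@ static void fpu_handle_exception(void *_
+regs->eip += fic->insn_bytes;
+}
+
++static int _get_fpu(
++ enum x86_emulate_fpu_type type,
++ struct fpu_insn_ctxt *fic,
++ struct x86_emulate_ctxt *ctxt,
++ const struct x86_emulate_ops *ops)
++{
++ int rc;
++
++ fic->exn_raised = 0;
++
++ fail_if(!ops->get_fpu);
++ rc = ops->get_fpu(fpu_handle_exception, fic, type, ctxt);
++
++ if ( rc == X86EMUL_OKAY )
++ {
++ unsigned long cr0;
++
++ fail_if(!ops->read_cr);
++ rc = ops->read_cr(0, &cr0, ctxt);
++ if ( rc != X86EMUL_OKAY )
++ return rc;
++ if ( cr0 & CR0_EM )
++ {
++ generate_exception_if(type == X86EMUL_FPU_fpu, EXC_NM, -1);
++ generate_exception_if(type == X86EMUL_FPU_mmx, EXC_UD, -1);
++ generate_exception_if(type == X86EMUL_FPU_xmm, EXC_UD, -1);
++ }
++ generate_exception_if((cr0 & CR0_TS) &&
++ (type != X86EMUL_FPU_wait || (cr0 & CR0_MP)),
++ EXC_NM, -1);
++ }
++
++ done:
++ return rc;
++}
++
+#define get_fpu(_type, _fic) \
+-do{ (_fic)->exn_raised = 0; \
+- fail_if(ops->get_fpu == NULL); \
+- rc = ops->get_fpu(fpu_handle_exception, _fic, _type, ctxt); \
++do { \
++ rc = _get_fpu(_type, _fic, ctxt, ops); \
+if ( rc ) goto done; \
+} while (0)
+#define _put_fpu() \
+@@ -2508,8 +2547,14 @@ x86_emulate(
+}
+
+case 0x9b: /* wait/fwait */
+- emulate_fpu_insn("fwait");
++ {
++ struct fpu_insn_ctxt fic = { .insn_bytes = 1 };
++
++ get_fpu(X86EMUL_FPU_wait, &fic);
++ asm volatile ( "fwait" ::: "memory" );
++ put_fpu(&fic);
+break;
++ }
+
+case 0x9c: /* pushf */
+src.val = _regs.eflags;
+--- a/xen/arch/x86/x86_emulate/x86_emulate.h
++++ b/xen/arch/x86/x86_emulate/x86_emulate.h
+@@ -115,6 +115,7 @@ struct __packed segment_register {
+/* FPU sub-types which may be requested via ->get_fpu(). */
+enum x86_emulate_fpu_type {
+X86EMUL_FPU_fpu, /* Standard FPU coprocessor instruction set */
++ X86EMUL_FPU_wait, /* WAIT/FWAIT instruction */
+X86EMUL_FPU_mmx, /* MMX instruction set (%mm0-%mm7) */
+X86EMUL_FPU_xmm, /* SSE instruction set (%xmm0-%xmm7/15) */
+X86EMUL_FPU_ymm /* AVX/XOP instruction set (%ymm0-%ymm7/15) */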