3 files changed, 118 insertions, 1 deletions

diff --git a/sysutils/xen-tools/Makefile b/sysutils/xen-tools/Makefile
index 3a21eea9700c..c13390465ca5 100644
--- a/sysutils/xen-tools/Makefile
+++ b/sysutils/xen-tools/Makefile
@@ -2,6 +2,7 @@
 
 PORTNAME=	xen
 PORTVERSION=	4.5.2
+PORTREVISION=   1
 CATEGORIES=	sysutils emulators
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \
 		http://code.coreboot.org/p/seabios/downloads/get/:seabios
@@ -47,7 +48,8 @@ QEMU_ARGS=	--disable-gtk \
 		--disable-curl \
 		--cxx=c++
 
-EXTRA_PATCHES=	${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1
+EXTRA_PATCHES=	${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1 \
+		${FILESDIR}/xsa160-4.6.patch:-p1
 
 CONFIGURE_ARGS+=	--with-extra-qemuu-configure-args="${QEMU_ARGS}"
 SHEBANG_FILES=	tools/misc/xencov_split \
@@ -74,6 +76,10 @@ post-patch:
 		${WRKSRC}/tools/libxl/libxl_dm.c \
 		${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c \
 		${WRKSRC}/docs/man/*
+	@for p in ${FILESDIR}/*qemuu*.patch; do \
+                 ${ECHO_CMD} "====> Applying $${p##*/}" ; \
+                 ${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen ; \
+         done
 
 post-install:
 	${MKDIR} ${STAGEDIR}/var/run/xen
diff --git a/sysutils/xen-tools/files/xsa160-4.6.patch b/sysutils/xen-tools/files/xsa160-4.6.patch
new file mode 100644
index 000000000000..36db34f2c097
--- /dev/null
+++ b/sysutils/xen-tools/files/xsa160-4.6.patch
@@ -0,0 +1,69 @@
+From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Wed, 18 Nov 2015 15:34:54 +0000
+Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
+ build failure
+
+The bootloader may call libxl__file_reference_map(), which mmap's the
+pv_kernel and pv_ramdisk into process memory.  This was only unmapped,
+however, on the success path of libxl__build_pv().  If there were a
+failure anywhere between libxl_bootloader.c:parse_bootloader_result()
+and the end of libxl__build_pv(), the calls to
+libxl__file_reference_unmap() would be skipped, leaking the mapped
+virtual memory.
+
+Ideally this would be fixed by adding the unmap calls to the
+destruction path for libxl__domain_build_state.  Unfortunately the
+lifetime of the libxl__domain_build_state is opaque, and it doesn't
+have a proper destruction path.  But, the only thing in it that isn't
+from the gc are these bootloader references, and they are only ever
+set for one libxl__domain_build_state, the one which is
+libxl__domain_create_state.build_state.
+
+So we can clean up in the exit path from libxl__domain_create_*, which
+always comes through domcreate_complete.
+
+Remove the now-redundant unmaps in libxl__build_pv's success path.
+
+This is XSA-160.
+
+Signed-off-by: George Dunlap <george.dunlap@citrix.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Tested-by: George Dunlap <george.dunlap@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxl/libxl_create.c |    3 +++
+ tools/libxl/libxl_dom.c    |    3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
+index f5771da..278b9ed 100644
+--- a/tools/libxl/libxl_create.c
++++ b/tools/libxl/libxl_create.c
+@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__egc *egc,
+     libxl_domain_config *const d_config = dcs->guest_config;
+     libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
+ 
++    libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
++    libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
++
+     if (!rc && d_config->b_info.exec_ssidref)
+         rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
+ 
+diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
+index 8019f4e..2da3ac4 100644
+--- a/tools/libxl/libxl_dom.c
++++ b/tools/libxl/libxl_dom.c
+@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid,
+         state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
+     }
+ 
+-    libxl__file_reference_unmap(&state->pv_kernel);
+-    libxl__file_reference_unmap(&state->pv_ramdisk);
+-
+     ret = 0;
+ out:
+     xc_dom_release(dom);
+-- 
+1.7.10.4
+
diff --git a/sysutils/xen-tools/files/xsa162-qemuu.patch b/sysutils/xen-tools/files/xsa162-qemuu.patch
new file mode 100644
index 000000000000..2e3352d88b62
--- /dev/null
+++ b/sysutils/xen-tools/files/xsa162-qemuu.patch
@@ -0,0 +1,42 @@
+net: pcnet: add check to validate receive data size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/pcnet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 3437376..5f55591 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+                 uint32_t fcs = ~0;
+                 uint8_t *p = src;
+ 
+-                while (p != &src[size-4])
++                while (p != &src[size])
+                     CRC(fcs, *p++);
+                 crc_err = (*(uint32_t *)p != htonl(fcs));
+             }
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s)
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+ 
+         /* if multi-tmd packet outsizes s->buffer then skip it silently.
+-           Note: this is not what real hw does */
+-        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++         * Note: this is not what real hw does.
++         * Last four bytes of s->buffer are used to store CRC FCS code.
++         */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+             s->xmit_pos = -1;
+             goto txdone;
+         }
+-- 
+2.4.3
+