author | Roger Pau Monné <royger@FreeBSD.org> | 2016-01-05 10:06:07 +0000 |
---|---|---|
committer | Roger Pau Monné <royger@FreeBSD.org> | 2016-01-05 10:06:07 +0000 |
commit | b24beda464f6422c4aaf9cfc8a6aed815d72a8d4 (patch) | |
tree | 5d4bd02c64d0c7ebb6978b889b09a86bb3ceec6d /sysutils/xen-tools | |
parent | 9d3d2c0c9a430cfd6954bd3271cedc2c51881de3 (diff) | |
Notes
Diffstat (limited to 'sysutils/xen-tools')
-rw-r--r-- | sysutils/xen-tools/Makefile | 8 | ||||
-rw-r--r-- | sysutils/xen-tools/files/xsa160-4.6.patch | 69 | ||||
-rw-r--r-- | sysutils/xen-tools/files/xsa162-qemuu.patch | 42 |
3 files changed, 118 insertions, 1 deletions
diff --git a/sysutils/xen-tools/Makefile b/sysutils/xen-tools/Makefile index 3a21eea9700c..c13390465ca5 100644 --- a/sysutils/xen-tools/Makefile +++ b/sysutils/xen-tools/Makefile @@ -2,6 +2,7 @@ PORTNAME= xen PORTVERSION= 4.5.2 +PORTREVISION= 1 CATEGORIES= sysutils emulators MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \ http://code.coreboot.org/p/seabios/downloads/get/:seabios @@ -47,7 +48,8 @@ QEMU_ARGS= --disable-gtk \ --disable-curl \ --cxx=c++ -EXTRA_PATCHES= ${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1 +EXTRA_PATCHES= ${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1 \ + ${FILESDIR}/xsa160-4.6.patch:-p1 CONFIGURE_ARGS+= --with-extra-qemuu-configure-args="${QEMU_ARGS}" SHEBANG_FILES= tools/misc/xencov_split \ @@ -74,6 +76,10 @@ post-patch: ${WRKSRC}/tools/libxl/libxl_dm.c \ ${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c \ ${WRKSRC}/docs/man/* + @for p in ${FILESDIR}/*qemuu*.patch; do \ + ${ECHO_CMD} "====> Applying $${p##*/}" ; \ + ${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen ; \ + done post-install: ${MKDIR} ${STAGEDIR}/var/run/xen diff --git a/sysutils/xen-tools/files/xsa160-4.6.patch b/sysutils/xen-tools/files/xsa160-4.6.patch new file mode 100644 index 000000000000..36db34f2c097 --- /dev/null +++ b/sysutils/xen-tools/files/xsa160-4.6.patch 
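Review bot: `xsa160-4.6.patch` carries a 4.6 series name but is added to `EXTRA_PATCHES` of a port whose `PORTVERSION` is 4.5.2, and nothing in the Makefile says why that file is the right one. If it is the file the advisory designates for 4.5.x, a comment above the assignment would record that, for example `# XSA-160: 4.6 patch, also applies to 4.5.x per the advisory`. That designation is not visible on this page, so please confirm it, and confirm that both libxl hunks apply to 4.5.2 without fuzz.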
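Review bot: In the new `post-patch` loop a failing `${PATCH}` is not handled explicitly. A `for` loop returns the status of its last command, so unless make runs the recipe shell with `-e`, a qemuu security patch that fails could be followed by one that applies and the build would continue without the fix; `-s` also hides offset and fuzz messages. I would make the failure explicit and quote the path: `${PATCH} -s -p1 -i "$${p}" -d ${WRKSRC}/tools/qemu-xen || exit 1 ; \`. The glob `${FILESDIR}/*qemuu*.patch` applies whatever matches, in name order, so an explicit list of patch files would keep the applied set reviewable.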
@@ -0,0 +1,69 @@
+From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Wed, 18 Nov 2015 15:34:54 +0000
+Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
+ build failure
+
+The bootloader may call libxl__file_reference_map(), which mmap's the
+pv_kernel and pv_ramdisk into process memory. This was only unmapped,
+however, on the success path of libxl__build_pv(). If there were a
+failure anywhere between libxl_bootloader.c:parse_bootloader_result()
+and the end of libxl__build_pv(), the calls to
+libxl__file_reference_unmap() would be skipped, leaking the mapped
+virtual memory.
+
+Ideally this would be fixed by adding the unmap calls to the
+destruction path for libxl__domain_build_state. Unfortunately the
+lifetime of the libxl__domain_build_state is opaque, and it doesn't
+have a proper destruction path. But, the only thing in it that isn't
+from the gc are these bootloader references, and they are only ever
+set for one libxl__domain_build_state, the one which is
+libxl__domain_create_state.build_state.
+
+So we can clean up in the exit path from libxl__domain_create_*, which
+always comes through domcreate_complete.
+
+Remove the now-redundant unmaps in libxl__build_pv's success path.
+
+This is XSA-160.
+
+Signed-off-by: George Dunlap <george.dunlap@citrix.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Tested-by: George Dunlap <george.dunlap@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxl/libxl_create.c | 3 +++
+ tools/libxl/libxl_dom.c | 3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
+index f5771da..278b9ed 100644
+--- a/tools/libxl/libxl_create.c
++++ b/tools/libxl/libxl_create.c
+@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__egc *egc,
+ libxl_domain_config *const d_config = dcs->guest_config;
+ libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
+
++ libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
++ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
++
+ if (!rc && d_config->b_info.exec_ssidref)
+ rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
+
+diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
+index 8019f4e..2da3ac4 100644
+--- a/tools/libxl/libxl_dom.c
++++ b/tools/libxl/libxl_dom.c
+@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid,
+ state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
+ }
+
+- libxl__file_reference_unmap(&state->pv_kernel);
+- libxl__file_reference_unmap(&state->pv_ramdisk);
+-
+ ret = 0;
+ out:
+ xc_dom_release(dom);
+--
+1.7.10.4
+
diff --git a/sysutils/xen-tools/files/xsa162-qemuu.patch b/sysutils/xen-tools/files/xsa162-qemuu.patch
new file mode 100644
index 000000000000..2e3352d88b62
--- /dev/null
+++ b/sysutils/xen-tools/files/xsa162-qemuu.patch
@@ -0,0 +1,42 @@
+net: pcnet: add check to validate receive data size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/pcnet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 3437376..5f55591 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ uint32_t fcs = ~0;
+ uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+ CRC(fcs, *p++);
+ crc_err = (*(uint32_t *)p != htonl(fcs));
+ }
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s)
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+--
+2.4.3
+ |
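Review bot: The diffstat embedded in `xsa162-qemuu.patch` announces `6 insertions(+), 4 deletions(-)` for `hw/net/pcnet.c`, but the two hunks that follow carry five added and three removed lines. patch(1) ignores that header, so the file applies either way, but the body cannot be checked against its own summary. Please compare the file byte-for-byte with the one published with the advisory (against its checksum, if one is given) and state in the commit message whether it was edited locally. Both `pcnet_receive` and `pcnet_transmit` continue outside the hunks, so this page does not show whether the four bytes reserved by `sizeof(s->buffer) - 4` cover every path that reaches the CRC append.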