aboutsummaryrefslogtreecommitdiff
path: root/sysutils/xen-tools/files/xsa126-qemuu.patch
diff options
context:
space:
mode:
Diffstat (limited to 'sysutils/xen-tools/files/xsa126-qemuu.patch')
-rw-r--r--sysutils/xen-tools/files/xsa126-qemuu.patch128
1 files changed, 0 insertions, 128 deletions
diff --git a/sysutils/xen-tools/files/xsa126-qemuu.patch b/sysutils/xen-tools/files/xsa126-qemuu.patch
deleted file mode 100644
index 21805a43be51..000000000000
--- a/sysutils/xen-tools/files/xsa126-qemuu.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-xen: limit guest control of PCI command register
-
-Otherwise the guest can abuse that control to cause e.g. PCIe
-Unsupported Request responses (by disabling memory and/or I/O decoding
-and subsequently causing [CPU side] accesses to the respective address
-ranges), which (depending on system configuration) may be fatal to the
-host.
-
-This is CVE-2015-2756 / XSA-126.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
---- a/hw/xen/xen_pt.c
-+++ b/hw/xen/xen_pt.c
-@@ -388,7 +388,7 @@ static const MemoryRegionOps ops = {
- .write = xen_pt_bar_write,
- };
-
--static int xen_pt_register_regions(XenPCIPassthroughState *s)
-+static int xen_pt_register_regions(XenPCIPassthroughState *s, uint16_t *cmd)
- {
- int i = 0;
- XenHostPCIDevice *d = &s->real_device;
-@@ -406,6 +406,7 @@ static int xen_pt_register_regions(XenPC
-
- if (r->type & XEN_HOST_PCI_REGION_TYPE_IO) {
- type = PCI_BASE_ADDRESS_SPACE_IO;
-+ *cmd |= PCI_COMMAND_IO;
- } else {
- type = PCI_BASE_ADDRESS_SPACE_MEMORY;
- if (r->type & XEN_HOST_PCI_REGION_TYPE_PREFETCH) {
-@@ -414,6 +415,7 @@ static int xen_pt_register_regions(XenPC
- if (r->type & XEN_HOST_PCI_REGION_TYPE_MEM_64) {
- type |= PCI_BASE_ADDRESS_MEM_TYPE_64;
- }
-+ *cmd |= PCI_COMMAND_MEMORY;
- }
-
- memory_region_init_io(&s->bar[i], OBJECT(s), &ops, &s->dev,
-@@ -638,6 +640,7 @@ static int xen_pt_initfn(PCIDevice *d)
- XenPCIPassthroughState *s = DO_UPCAST(XenPCIPassthroughState, dev, d);
- int rc = 0;
- uint8_t machine_irq = 0;
-+ uint16_t cmd = 0;
- int pirq = XEN_PT_UNASSIGNED_PIRQ;
-
- /* register real device */
-@@ -672,7 +675,7 @@ static int xen_pt_initfn(PCIDevice *d)
- s->io_listener = xen_pt_io_listener;
-
- /* Handle real device's MMIO/PIO BARs */
-- xen_pt_register_regions(s);
-+ xen_pt_register_regions(s, &cmd);
-
- /* reinitialize each config register to be emulated */
- if (xen_pt_config_init(s)) {
-@@ -736,6 +739,11 @@ static int xen_pt_initfn(PCIDevice *d)
- }
-
- out:
-+ if (cmd) {
-+ xen_host_pci_set_word(&s->real_device, PCI_COMMAND,
-+ pci_get_word(d->config + PCI_COMMAND) | cmd);
-+ }
-+
- memory_listener_register(&s->memory_listener, &address_space_memory);
- memory_listener_register(&s->io_listener, &address_space_io);
- XEN_PT_LOG(d,
---- a/hw/xen/xen_pt_config_init.c
-+++ b/hw/xen/xen_pt_config_init.c
-@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI
- }
-
- /* Command register */
--static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
-- uint16_t *value, uint16_t valid_mask)
--{
-- XenPTRegInfo *reg = cfg_entry->reg;
-- uint16_t valid_emu_mask = 0;
-- uint16_t emu_mask = reg->emu_mask;
--
-- if (s->is_virtfn) {
-- emu_mask |= PCI_COMMAND_MEMORY;
-- }
--
-- /* emulate word register */
-- valid_emu_mask = emu_mask & valid_mask;
-- *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
--
-- return 0;
--}
- static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
- uint16_t *val, uint16_t dev_value,
- uint16_t valid_mask)
-@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa
- XenPTRegInfo *reg = cfg_entry->reg;
- uint16_t writable_mask = 0;
- uint16_t throughable_mask = 0;
-- uint16_t emu_mask = reg->emu_mask;
--
-- if (s->is_virtfn) {
-- emu_mask |= PCI_COMMAND_MEMORY;
-- }
-
- /* modify emulate register */
- writable_mask = ~reg->ro_mask & valid_mask;
- cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask);
-
- /* create value for writing to I/O device register */
-- throughable_mask = ~emu_mask & valid_mask;
-+ throughable_mask = ~reg->emu_mask & valid_mask;
-
- if (*val & PCI_COMMAND_INTX_DISABLE) {
- throughable_mask |= PCI_COMMAND_INTX_DISABLE;
-@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade
- .size = 2,
- .init_val = 0x0000,
- .ro_mask = 0xF880,
-- .emu_mask = 0x0740,
-+ .emu_mask = 0x0743,
- .init = xen_pt_common_reg_init,
-- .u.w.read = xen_pt_cmd_reg_read,
-+ .u.w.read = xen_pt_word_reg_read,
- .u.w.write = xen_pt_cmd_reg_write,
- },
- /* Capabilities Pointer reg */