Sync from SUSE:SLFO:Main xen revision 8d29a7d10d60058ce13aa728041a2bc4

Adrian Schröter 2024-12-09 12:16:23 +01:00
parent 245e26a41b
commit 4ce9e75764
25 changed files with 80 additions and 763 deletions

@ -1,30 +0,0 @@
# Commit 303d3ff85c90ee4af4bad4e3b1d4932fa2634d64
# Date 2024-07-30 11:55:56 +0200
# Author Ross Lagerwall <ross.lagerwall@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
bunzip2: fix rare decompression failure
The decompression code parses a huffman tree and counts the number of
symbols for a given bit length. In rare cases, there may be >= 256
symbols with a given bit length, causing the unsigned char to overflow.
This causes a decompression failure later when the code tries and fails to
find the bit length for a given symbol.
Since the maximum number of symbols is 258, use unsigned short instead.
Fixes: ab77e81f6521 ("x86/dom0: support bzip2 and lzma compressed bzImage payloads")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/common/bunzip2.c
+++ b/xen/common/bunzip2.c
@@ -221,7 +221,8 @@ static int __init get_next_block(struct
RUNB) */
symCount = symTotal+2;
for (j = 0; j < groupCount; j++) {
- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
+ unsigned char length[MAX_SYMBOLS];
+ unsigned short temp[MAX_HUFCODE_BITS+1];
int minLen, maxLen, pp;
/* Read Huffman code lengths for each symbol. They're
stored in a way similar to mtf; record a starting
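Review bot: the new `unsigned short temp[MAX_HUFCODE_BITS+1];` declaration has no comment saying why it is wider than `length[]`. Per the commit message, `temp[]` counts symbols per bit length and the symbol total can reach 258, while `length[]` stays a byte per symbol. A short comment at the declaration, or a build-time assertion that MAX_SYMBOLS fits the element type, would stop a later cleanup from folding the two back into one `unsigned char` line.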

@ -1,99 +0,0 @@
Subject: x86/IOMMU: move tracking in iommu_identity_mapping()
From: Teddy Astie teddy.astie@vates.tech Tue Aug 13 16:36:40 2024 +0200
Date: Tue Aug 13 16:36:40 2024 +0200:
Git: beadd68b5490ada053d72f8a9ce6fd696d626596
If for some reason xmalloc() fails after having mapped the reserved
regions, an error is reported, but the regions remain mapped in the P2M.
Similarly if an error occurs during set_identity_p2m_entry() (except on
the first call), the partial mappings of the region would be retained
without being tracked anywhere, and hence without there being a way to
remove them again from the domain's P2M.
Move the setting up of the list entry ahead of trying to map the region.
In cases other than the first mapping failing, keep record of the full
region, such that a subsequent unmapping request can be properly torn
down.
To compensate for the potentially excess unmapping requests, don't log a
warning from p2m_remove_identity_entry() when there really was nothing
mapped at a given GFN.
This is XSA-460 / CVE-2024-31145.
Fixes: 2201b67b9128 ("VT-d: improve RMRR region handling")
Fixes: c0e19d7c6c42 ("IOMMU: generalize VT-d's tracking of mapped RMRR regions")
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index e7e327d6a6..1739133fc2 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -1267,9 +1267,11 @@ int p2m_remove_identity_entry(struct domain *d, unsigned long gfn_l)
else
{
gfn_unlock(p2m, gfn, 0);
- printk(XENLOG_G_WARNING
- "non-identity map d%d:%lx not cleared (mapped to %lx)\n",
- d->domain_id, gfn_l, mfn_x(mfn));
+ if ( (p2mt != p2m_invalid && p2mt != p2m_mmio_dm) ||
+ a != p2m_access_n || !mfn_eq(mfn, INVALID_MFN) )
+ printk(XENLOG_G_WARNING
+ "non-identity map %pd:%lx not cleared (mapped to %lx)\n",
+ d, gfn_l, mfn_x(mfn));
ret = 0;
}
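Review bot: the added `if` in the else branch of p2m_remove_identity_entry() has no comment explaining which state it filters out. From the commit message, `p2m_invalid` or `p2m_mmio_dm` together with `p2m_access_n` and `INVALID_MFN` is the "nothing was mapped at this GFN" case, for which the warning is now intentionally skipped; say so above the condition so the three-part test is not mistaken for an arbitrary filter. The `d%d` to `%pd` format change in the same hunk is unrelated to the fix and is not mentioned in the commit message.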
diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/x86/iommu.c
index cc0062b027..8b1e0596b8 100644
--- a/xen/drivers/passthrough/x86/iommu.c
+++ b/xen/drivers/passthrough/x86/iommu.c
@@ -267,24 +267,36 @@ int iommu_identity_mapping(struct domain *d, p2m_access_t p2ma,
if ( p2ma == p2m_access_x )
return -ENOENT;
- while ( base_pfn < end_pfn )
- {
- int err = set_identity_p2m_entry(d, base_pfn, p2ma, flag);
-
- if ( err )
- return err;
- base_pfn++;
- }
-
map = xmalloc(struct identity_map);
if ( !map )
return -ENOMEM;
+
map->base = base;
map->end = end;
map->access = p2ma;
map->count = 1;
+
+ /*
+ * Insert into list ahead of mapping, so the range can be found when
+ * trying to clean up.
+ */
list_add_tail(&map->list, &hd->arch.identity_maps);
+ for ( ; base_pfn < end_pfn; ++base_pfn )
+ {
+ int err = set_identity_p2m_entry(d, base_pfn, p2ma, flag);
+
+ if ( !err )
+ continue;
+
+ if ( (map->base >> PAGE_SHIFT_4K) == base_pfn )
+ {
+ list_del(&map->list);
+ xfree(map);
+ }
+ return err;
+ }
+
return 0;
}
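Review bot: in the new `for` loop of iommu_identity_mapping(), a failure on any page after the first does `return err` with `map` still on `hd->arch.identity_maps` and `map->count` at 1, yet the only comment says the entry is inserted "so the range can be found when trying to clean up". Add a comment at the `return err` stating that the entry is deliberately kept so a subsequent unmapping request can tear down the partially mapped range, since that is the contract the fix depends on. The first-page test `(map->base >> PAGE_SHIFT_4K) == base_pfn` would also read more directly as a comparison against a saved starting pfn.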

@ -1,31 +0,0 @@
Subject: x86/pass-through: documents as security-unsupported when sharing resources
From: Jan Beulich jbeulich@suse.com Tue Aug 13 16:37:25 2024 +0200
Date: Tue Aug 13 16:37:25 2024 +0200:
Git: 9c94eda1e3790820699a6de3f6a7c959ecf30600
When multiple devices share resources and one of them is to be passed
through to a guest, security of the entire system and of respective
guests individually cannot really be guaranteed without knowing
internals of any of the involved guests. Therefore such a configuration
cannot really be security-supported, yet making that explicit was so far
missing.
This is XSA-461 / CVE-2024-31146.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -841,6 +841,11 @@ This feature is not security supported:
Only systems using IOMMUs are supported.
+Passing through of devices sharing resources with another device is not
+security supported. Such sharing could e.g. be the same line interrupt being
+used by multiple devices, one of which is to be passed through, or two such
+devices having memory BARs within the same 4k page.
+
Not compatible with migration, populate-on-demand, altp2m,
introspection, memory sharing, or memory paging.

@ -1,127 +0,0 @@
# Commit fb1658221a31ec1db33253a80001191391e73b17
# Date 2024-08-28 19:59:07 +0100
# Author Roger Pau Monne <roger.pau@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
x86/dom0: disable SMAP for PV domain building only
Move the logic that disables SMAP so it's only performed when building a PV
dom0, PVH dom0 builder doesn't require disabling SMAP.
The fixes tag is to account for the wrong usage of cpu_has_smap in
create_dom0(), it should instead have used
boot_cpu_has(X86_FEATURE_XEN_SMAP). Fix while moving the logic to apply to PV
only.
While there also make cr4_pv32_mask __ro_after_init.
Fixes: 493ab190e5b1 ('xen/sm{e, a}p: allow disabling sm{e, a}p for Xen itself')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/include/asm/setup.h
+++ b/xen/arch/x86/include/asm/setup.h
@@ -64,6 +64,8 @@ extern bool opt_dom0_verbose;
extern bool opt_dom0_cpuid_faulting;
extern bool opt_dom0_msr_relaxed;
+extern unsigned long cr4_pv32_mask;
+
#define max_init_domid (0)
#endif
--- a/xen/arch/x86/pv/dom0_build.c
+++ b/xen/arch/x86/pv/dom0_build.c
@@ -354,11 +354,11 @@ static struct page_info * __init alloc_c
return page;
}
-int __init dom0_construct_pv(struct domain *d,
- const module_t *image,
- unsigned long image_headroom,
- module_t *initrd,
- const char *cmdline)
+static int __init dom0_construct(struct domain *d,
+ const module_t *image,
+ unsigned long image_headroom,
+ module_t *initrd,
+ const char *cmdline)
{
int i, rc, order, machine;
bool compatible, compat;
@@ -1048,6 +1048,36 @@ out:
return rc;
}
+
+int __init dom0_construct_pv(struct domain *d,
+ const module_t *image,
+ unsigned long image_headroom,
+ module_t *initrd,
+ const char *cmdline)
+{
+ int rc;
+
+ /*
+ * Clear SMAP in CR4 to allow user-accesses in construct_dom0(). This
+ * prevents us needing to rewrite construct_dom0() in terms of
+ * copy_{to,from}_user().
+ */
+ if ( boot_cpu_has(X86_FEATURE_XEN_SMAP) )
+ {
+ cr4_pv32_mask &= ~X86_CR4_SMAP;
+ write_cr4(read_cr4() & ~X86_CR4_SMAP);
+ }
+
+ rc = dom0_construct(d, image, image_headroom, initrd, cmdline);
+
+ if ( boot_cpu_has(X86_FEATURE_XEN_SMAP) )
+ {
+ write_cr4(read_cr4() | X86_CR4_SMAP);
+ cr4_pv32_mask |= X86_CR4_SMAP;
+ }
+
+ return rc;
+}
/*
* Local variables:
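Review bot: the comment in the new dom0_construct_pv() wrapper refers to construct_dom0() twice, but the function it brackets is now the static dom0_construct(); update the names so the comment matches the call it explains. `boot_cpu_has(X86_FEATURE_XEN_SMAP)` is also evaluated separately before and after the call; latching it in a local `bool` would make it evident that the SMAP clear and the restore are always paired, including on the error return.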
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -79,8 +79,7 @@ bool __read_mostly use_invpcid;
int8_t __initdata opt_probe_port_aliases = -1;
boolean_param("probe-port-aliases", opt_probe_port_aliases);
-/* Only used in asm code and within this source file */
-unsigned long asmlinkage __read_mostly cr4_pv32_mask;
+unsigned long __ro_after_init cr4_pv32_mask;
/* **** Linux config option: propagated to domain0. */
/* "acpi=off": Sisables both ACPI table parsing and interpreter. */
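Review bot: the `cr4_pv32_mask` definition loses `asmlinkage` and the comment "Only used in asm code and within this source file" in the same line change that adds `__ro_after_init`, but the commit message only mentions the latter. If assembly still references the variable, explain in the commit message why the annotation is no longer wanted; the dropped comment should be replaced by one naming the new user in pv/dom0_build.c, since the variable is now exported through setup.h.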
@@ -955,26 +954,9 @@ static struct domain *__init create_dom0
}
}
- /*
- * Temporarily clear SMAP in CR4 to allow user-accesses in construct_dom0().
- * This saves a large number of corner cases interactions with
- * copy_from_user().
- */
- if ( cpu_has_smap )
- {
- cr4_pv32_mask &= ~X86_CR4_SMAP;
- write_cr4(read_cr4() & ~X86_CR4_SMAP);
- }
-
if ( construct_dom0(d, image, headroom, initrd, cmdline) != 0 )
panic("Could not construct domain 0\n");
- if ( cpu_has_smap )
- {
- write_cr4(read_cr4() | X86_CR4_SMAP);
- cr4_pv32_mask |= X86_CR4_SMAP;
- }
-
return d;
}

@ -1,49 +0,0 @@
Subject: Arm64: adjust __irq_to_desc() to fix build with gcc14
From: Jan Beulich jbeulich@suse.com Thu Aug 29 10:03:53 2024 +0200
Date: Thu Aug 29 10:03:53 2024 +0200:
Git: 99f942f3d410059dc223ee0a908827e928ef3592
With the original code I observe
In function __irq_to_desc,
inlined from route_irq_to_guest at arch/arm/irq.c:465:12:
arch/arm/irq.c:54:16: error: array subscript -2 is below array bounds of irq_desc_t[32] {aka struct irq_desc[32]} [-Werror=array-bounds=]
54 | return &this_cpu(local_irq_desc)[irq];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
which looks pretty bogus: How in the world does the compiler arrive at
-2 when compiling route_irq_to_guest()? Yet independent of that the
function's parameter wants to be of unsigned type anyway, as shown by
a vast majority of callers (others use plain int when they really mean
non-negative quantities). With that adjustment the code compiles fine
again.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Michal Orzel <michal.orzel@amd.com>
diff --git a/xen/arch/arm/include/asm/irq.h b/xen/arch/arm/include/asm/irq.h
index ec437add09..88e060bf29 100644
--- a/xen/arch/arm/include/asm/irq.h
+++ b/xen/arch/arm/include/asm/irq.h
@@ -56,7 +56,7 @@ extern const unsigned int nr_irqs;
struct irq_desc;
struct irqaction;
-struct irq_desc *__irq_to_desc(int irq);
+struct irq_desc *__irq_to_desc(unsigned int irq);
#define irq_to_desc(irq) __irq_to_desc(irq)
diff --git a/xen/arch/arm/irq.c b/xen/arch/arm/irq.c
index 6b89f64fd1..b9757d7ad3 100644
--- a/xen/arch/arm/irq.c
+++ b/xen/arch/arm/irq.c
@@ -48,7 +48,7 @@ void irq_end_none(struct irq_desc *irq)
static irq_desc_t irq_desc[NR_IRQS];
static DEFINE_PER_CPU(irq_desc_t[NR_LOCAL_IRQS], local_irq_desc);
-struct irq_desc *__irq_to_desc(int irq)
+struct irq_desc *__irq_to_desc(unsigned int irq)
{
if ( irq < NR_LOCAL_IRQS )
return &this_cpu(local_irq_desc)[irq];
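Review bot: with `irq` now `unsigned int` in __irq_to_desc(), a caller that passes a negative `int` no longer takes the `irq < NR_LOCAL_IRQS` branch but falls through to whatever follows it with a very large index. The hunk does not show that path, so confirm it bounds `irq` before indexing, and convert the remaining plain-`int` callers the commit message mentions rather than relying on the implicit conversion at the call site.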

@ -1,84 +0,0 @@
# Commit bb03169bcb6ecccf372de1f6b9285cd519a26bb8
# Date 2024-09-03 10:53:44 +0100
# Author Javi Merino <javi.merino@cloud.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
libxl: Fix nul-termination of the return value of libxl_xen_console_read_line()
When built with ASAN, "xl dmesg" crashes in the "printf("%s", line)"
call in main_dmesg(). ASAN reports a heap buffer overflow: an
off-by-one access to cr->buffer.
The readconsole sysctl copies up to count characters into the buffer,
but it does not add a null character at the end. Despite the
documentation of libxl_xen_console_read_line(), line_r is not
nul-terminated if 16384 characters were copied to the buffer.
Fix this by asking xc_readconsolering() to fill the buffer up to size
- 1. As the number of characters in the buffer is only needed in
libxl_xen_console_read_line(), make it a local variable there instead
of part of the libxl__xen_console_reader struct.
Fixes: 4024bae739cc ("xl: Add subcommand 'xl dmesg'")
Reported-by: Edwin Török <edwin.torok@cloud.com>
Signed-off-by: Javi Merino <javi.merino@cloud.com>
Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>
--- a/tools/libs/light/libxl_console.c
+++ b/tools/libs/light/libxl_console.c
@@ -774,12 +774,17 @@ libxl_xen_console_reader *
{
GC_INIT(ctx);
libxl_xen_console_reader *cr;
- unsigned int size = 16384;
+ /*
+ * We want xen to fill the buffer in as few hypercalls as
+ * possible, but xen will not nul-terminate it. The default size
+ * of Xen's console buffer is 16384. Leave one byte at the end
+ * for the null character.
+ */
+ unsigned int size = 16384 + 1;
cr = libxl__zalloc(NOGC, sizeof(libxl_xen_console_reader));
cr->buffer = libxl__zalloc(NOGC, size);
cr->size = size;
- cr->count = size;
cr->clear = clear;
cr->incremental = 1;
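Review bot: `unsigned int size = 16384 + 1;` fuses two things into one literal, the value the comment calls the default size of Xen's console buffer and the extra byte for the terminator. A named constant for the ring size, with the `+ 1` kept visible at the allocation, would keep the reason for the odd size next to the number.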
@@ -800,10 +805,16 @@ int libxl_xen_console_read_line(libxl_ct
char **line_r)
{
int ret;
+ /*
+ * Number of chars to copy into the buffer. xc_readconsolering()
+ * does not add a null character at the end, so leave a space for
+ * us to add it.
+ */
+ unsigned int nr_chars = cr->size - 1;
GC_INIT(ctx);
memset(cr->buffer, 0, cr->size);
- ret = xc_readconsolering(ctx->xch, cr->buffer, &cr->count,
+ ret = xc_readconsolering(ctx->xch, cr->buffer, &nr_chars,
cr->clear, cr->incremental, &cr->index);
if (ret < 0) {
LOGE(ERROR, "reading console ring buffer");
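Review bot: termination of `cr->buffer` in libxl_xen_console_read_line() rests on the `memset()` before the call plus xc_readconsolering() honouring the `cr->size - 1` limit passed in through `nr_chars`. Writing the terminator explicitly after a successful return, at index `nr_chars` once that is confirmed to be below `cr->size`, would put the guarantee at the point where `*line_r` is handed to the caller instead of leaving it implicit in the zero fill.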
@@ -811,7 +822,7 @@ int libxl_xen_console_read_line(libxl_ct
return ERROR_FAIL;
}
if (!ret) {
- if (cr->count) {
+ if (nr_chars) {
*line_r = cr->buffer;
ret = 1;
} else {
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -2077,7 +2077,6 @@ _hidden char *libxl__uuid2string(libxl__
struct libxl__xen_console_reader {
char *buffer;
unsigned int size;
- unsigned int count;
unsigned int clear;
unsigned int incremental;
unsigned int index;

@ -1,54 +0,0 @@
# Commit d7c18b8720824d7efc39ffa7296751e1812865a9
# Date 2024-09-04 16:05:03 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
SUPPORT.md: split XSM from Flask
XSM is a generic framework, which in particular is also used by SILO.
With this it can't really be experimental: Arm mandates SILO for having
a security supported configuration.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -768,13 +768,21 @@ Compile time disabled for ARM by default
Status, x86: Supported, not security supported
-### XSM & FLASK
+### XSM (Xen Security Module) Framework
+
+XSM is a security policy framework. The dummy implementation is covered by this
+statement, and implements a policy whereby dom0 is all powerful. See below for
+alternative modules (FLASK, SILO).
+
+ Status: Supported
+
+### FLASK XSM Module
Status: Experimental
Compile time disabled by default.
-Also note that using XSM
+Also note that using FLASK
to delegate various domain control hypercalls
to particular other domains, rather than only permitting use by dom0,
is also specifically excluded from security support for many hypercalls.
@@ -787,6 +795,13 @@ Please see XSA-77 for more details.
The default policy includes FLASK labels and roles for a "typical" Xen-based system
with dom0, driver domains, stub domains, domUs, and so on.
+### SILO XSM Module
+
+SILO extends the dummy policy by enforcing that DomU-s can only communicate
+with Dom0, yet not with each other.
+
+ Status: Supported
+
## Virtual Hardware, Hypervisor
### x86/Nested PV

@ -1,36 +0,0 @@
# Commit eb7cd0593d88c4b967a24bca8bd30591966676cd
# Date 2024-09-12 09:13:04 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: properly reject "indirect" VRAM writes
While ->count will only be different from 1 for "indirect" (data in
guest memory) accesses, it being 1 does not exclude the request being an
"indirect" one. Check both to be on the safe side, and bring the ->count
part also in line with what ioreq_send_buffered() actually refuses to
handle.
Fixes: 3bbaaec09b1b ("x86/hvm: unify stdvga mmio intercept with standard mmio intercept")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -530,14 +530,14 @@ static bool cf_check stdvga_mem_accept(
spin_lock(&s->lock);
- if ( p->dir == IOREQ_WRITE && p->count > 1 )
+ if ( p->dir == IOREQ_WRITE && (p->data_is_ptr || p->count != 1) )
{
/*
* We cannot return X86EMUL_UNHANDLEABLE on anything other then the
* first cycle of an I/O. So, since we cannot guarantee to always be
* able to send buffered writes, we have to reject any multi-cycle
- * I/O and, since we are rejecting an I/O, we must invalidate the
- * cache.
+ * or "indirect" I/O and, since we are rejecting an I/O, we must
+ * invalidate the cache.
* Single-cycle write transactions are accepted even if the cache is
* not active since we can assert, when in stdvga mode, that writes
* to VRAM have no side effect and thus we can try to buffer them.
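Review bot: changing `p->count > 1` to `p->count != 1` in stdvga_mem_accept() also rejects a write with `count` of 0, which the updated comment ("multi-cycle or "indirect" I/O") does not mention. The commit message ties this to what ioreq_send_buffered() refuses; name that function in the comment so the two conditions are kept in step when either changes.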

@ -1,52 +0,0 @@
# Commit a8bf14f6f331d4f428010b4277b67c33f561ed19
# Date 2024-09-13 15:23:30 +0100
# Author Demi Marie Obenour <demi@invisiblethingslab.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
xen/ucode: Fix buffer under-run when parsing AMD containers
The AMD container format has no formal spec. It is, at best, precision
guesswork based on AMD's prior contributions to open source projects. The
Equivalence Table has both an explicit length, and an expectation of having a
NULL entry at the end.
Xen was sanity checking the NULL entry, but without confirming that an entry
was present, resulting in a read off the front of the buffer. With some
manual debugging/annotations this manifests as:
(XEN) *** Buf ffff83204c00b19c, eq ffff83204c00b194
(XEN) *** eq: 0c 00 00 00 44 4d 41 00 00 00 00 00 00 00 00 00 aa aa aa aa
^-Actual buffer-------------------^
(XEN) *** installed_cpu: 000c
(XEN) microcode: Bad equivalent cpu table
(XEN) Parsing microcode blob error -22
When loaded by hypercall, the 4 bytes interpreted as installed_cpu happen to
be the containing struct ucode_buf's len field, and luckily will be nonzero.
When loaded at boot, it's possible for the access to #PF if the module happens
to have been placed on a 2M boundary by the bootloader. Under Linux, it will
commonly be the end of the CPIO header.
Drop the probe of the NULL entry; Nothing else cares. A container without one
is well formed, insofar that we can still parse it correctly. With this
dropped, the same container results in:
(XEN) microcode: couldn't find any matching ucode in the provided blob!
Fixes: 4de936a38aa9 ("x86/ucode/amd: Rework parsing logic in cpu_request_microcode()")
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -336,8 +336,7 @@ static struct microcode_patch *cf_check
if ( size < sizeof(*et) ||
(et = buf)->type != UCODE_EQUIV_CPU_TABLE_TYPE ||
size - sizeof(*et) < et->len ||
- et->len % sizeof(et->eq[0]) ||
- et->eq[(et->len / sizeof(et->eq[0])) - 1].installed_cpu )
+ et->len % sizeof(et->eq[0]) )
{
printk(XENLOG_ERR "microcode: Bad equivalent cpu table\n");
error = -EINVAL;
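Review bot: with the trailing-entry probe removed, nothing in this condition requires `et->len` to be non-zero. That matches the commit message (a container without a NULL entry is still well formed), but it is not stated in the code. A one-line comment above the `if` saying that an empty table is accepted and that the terminating entry is deliberately not checked would keep someone from re-adding an `et->eq[... - 1]` access without first testing that `et->len` covers at least one entry.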

@ -1,48 +0,0 @@
# Commit c42d9ec61f6d11e25fa77bd44dd11dad1edda268
# Date 2024-09-24 14:23:29 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/vLAPIC: prevent undue recursion of vlapic_error()
With the error vector set to an illegal value, the function invoking
vlapic_set_irq() would bring execution back here, with the non-recursive
lock already held. Avoid the call in this case, merely further updating
ESR (if necessary).
This is XSA-462 / CVE-2024-45817.
Fixes: 5f32d186a8b1 ("x86/vlapic: don't silently accept bad vectors")
Reported-by: Federico Serafini <federico.serafini@bugseng.com>
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/hvm/vlapic.c
+++ b/xen/arch/x86/hvm/vlapic.c
@@ -112,9 +112,24 @@ static void vlapic_error(struct vlapic *
if ( (esr & errmask) != errmask )
{
uint32_t lvterr = vlapic_get_reg(vlapic, APIC_LVTERR);
+ bool inj = false;
- vlapic_set_reg(vlapic, APIC_ESR, esr | errmask);
if ( !(lvterr & APIC_LVT_MASKED) )
+ {
+ /*
+ * If LVTERR is unmasked and has an illegal vector, vlapic_set_irq()
+ * will end up back here. Break the cycle by only injecting LVTERR
+ * if it will succeed, and folding in RECVILL otherwise.
+ */
+ if ( (lvterr & APIC_VECTOR_MASK) >= 16 )
+ inj = true;
+ else
+ errmask |= APIC_ESR_RECVILL;
+ }
+
+ vlapic_set_reg(vlapic, APIC_ESR, esr | errmask);
+
+ if ( inj )
vlapic_set_irq(vlapic, lvterr & APIC_VECTOR_MASK, 0);
}
spin_unlock_irqrestore(&vlapic->esr_lock, flags);
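Review bot: the legality test `(lvterr & APIC_VECTOR_MASK) >= 16` in vlapic_error() uses a bare 16 for the lowest valid vector. The fix only breaks the recursion if this threshold agrees with the check that sends vlapic_set_irq() back into vlapic_error(), so both places should share one named constant or helper rather than two independent literals.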

@ -1,33 +0,0 @@
# Commit 8752ad83e79754f8109457cff796e5f86f644348
# Date 2024-09-24 18:57:38 +0100
# Author Demi Marie Obenour <demi@invisiblethingslab.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
xen/ucode: Make Intel's microcode_sanity_check() stricter
The SDM states that data size must be a multiple of 4, but Xen doesn't check
this propery.
This is liable to cause a later failures, but should be checked explicitly.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/cpu/microcode/intel.c
+++ b/xen/arch/x86/cpu/microcode/intel.c
@@ -155,10 +155,13 @@ static int microcode_sanity_check(const
uint32_t sum;
/*
- * Total size must be a multiple of 1024 bytes. Data size and the header
- * must fit within it.
+ * The SDM states:
+ * - Data size must be a multiple of 4.
+ * - Total size must be a multiple of 1024 bytes. Data size and the
+ * header must fit within it.
*/
if ( (total_size & 1023) ||
+ (data_size & 3) ||
data_size > (total_size - MC_HEADER_SIZE) )
{
printk(XENLOG_WARNING "microcode: Bad size\n");
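Review bot: the added `(data_size & 3)` test in microcode_sanity_check() shares the single "microcode: Bad size" warning with the two existing size checks, so a rejected blob gives no hint which rule it broke. Printing `total_size` and `data_size` in that message would make a misaligned data size distinguishable from a bad total size when triaging a failed load.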

@ -1,69 +0,0 @@
References: bsc#1225953
Compiling against gcc14.
../../../../../newlib-1.16.0/newlib/libc/stdlib/wcstoull.c: In function wcstoull:
../../../../../newlib-1.16.0/newlib/libc/stdlib/wcstoull.c:136:16: error: implicit declaration of function _wcstoull_r; did you mean wcstoull? [-Wimplicit-function-declaration]
136 | return _wcstoull_r (_REENT, s, ptr, base);
| ^~~~~~~~~~~
| wcstoull
In file included from ../../../../../newlib-1.16.0/newlib/libc/reent/signalr.c:7:
../../../../../newlib-1.16.0/newlib/libc/reent/signalr.c: In function _kill_r:
../../../../../newlib-1.16.0/newlib/libc/reent/signalr.c:61:14: error: implicit declaration of function kill; did you mean _kill? [-Wimplicit-function-declaration]
61 | if ((ret = _kill (pid, sig)) == -1 && errno != 0)
| ^~~~~
Index: xen-4.19.0-testing/stubdom/Makefile
===================================================================
--- xen-4.19.0-testing.orig/stubdom/Makefile
+++ xen-4.19.0-testing/stubdom/Makefile
@@ -97,6 +97,7 @@ newlib-$(NEWLIB_VERSION): newlib-$(NEWLI
patch -d $@ -p1 < newlib-disable-texinfo.patch
patch -d $@ -p1 < newlib-cygmon-gmon.patch
patch -d $@ -p1 < newlib-makedoc.patch
+ patch -d $@ -p1 < newlib-gcc14-pragmas.patch
find $@ -type f | xargs perl -i.bak \
-pe 's/\b_(tzname|daylight|timezone)\b/$$1/g'
touch $@
Index: xen-4.19.0-testing/stubdom/newlib-gcc14-pragmas.patch
===================================================================
--- /dev/null
+++ xen-4.19.0-testing/stubdom/newlib-gcc14-pragmas.patch
@@ -0,0 +1,36 @@
+--- newlib-1.16.0/newlib/libc/stdlib/wcstoull.c.orig 2024-06-04 15:32:01.495146632 -0600
++++ newlib-1.16.0/newlib/libc/stdlib/wcstoull.c 2024-06-04 15:38:56.627156524 -0600
+@@ -127,6 +127,10 @@ PORTABILITY
+
+ #ifndef _REENT_ONLY
+
++#if __GNUC__ >= 14
++#pragma GCC diagnostic ignored "-Wimplicit-function-declaration"
++#endif
++
+ unsigned long long
+ _DEFUN (wcstoull, (s, ptr, base),
+ _CONST wchar_t *s _AND
+--- newlib-1.16.0/newlib/libc/reent/signalr.c.orig 2024-06-04 15:39:15.139156966 -0600
++++ newlib-1.16.0/newlib/libc/reent/signalr.c 2024-06-04 15:40:24.899158628 -0600
+@@ -49,6 +49,10 @@ DESCRIPTION
+ <<errno>>.
+ */
+
++#if __GNUC__ >= 14
++#pragma GCC diagnostic ignored "-Wimplicit-function-declaration"
++#endif
++
+ int
+ _DEFUN (_kill_r, (ptr, pid, sig),
+ struct _reent *ptr _AND
+--- newlib-1.16.0/newlib/doc/makedoc.c.orig 2024-06-04 16:07:54.423197934 -0600
++++ newlib-1.16.0/newlib/doc/makedoc.c 2024-06-04 16:15:15.395208441 -0600
+@@ -798,6 +798,7 @@ DEFUN( iscommand,(ptr, idx),
+ }
+
+
++static unsigned int
+ DEFUN(copy_past_newline,(ptr, idx, dst),
+ string_type *ptr AND
+ unsigned int idx AND
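Review bot: the two `#pragma GCC diagnostic ignored "-Wimplicit-function-declaration"` blocks in wcstoull.c and signalr.c silence the gcc14 error instead of supplying the prototypes the build log says are missing, and with no `push`/`pop` pair they apply to the rest of each file. Declaring the functions, or including the header that does, would keep the compiler checking argument and return types at those call sites; if the pragma has to stay, bracket only the affected function with `#pragma GCC diagnostic push` and `pop`.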

@ -93,7 +93,7 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
dss->checkpointed_stream = LIBXL_CHECKPOINTED_STREAM_NONE;
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -3652,9 +3652,11 @@ struct libxl__domain_save_state {
@@ -3651,9 +3651,11 @@ struct libxl__domain_save_state {
libxl_domain_type type;
int live;
int debug;

@ -77,7 +77,7 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
dss->checkpointed_stream = LIBXL_CHECKPOINTED_STREAM_NONE;
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -3653,6 +3653,7 @@ struct libxl__domain_save_state {
@@ -3652,6 +3652,7 @@ struct libxl__domain_save_state {
int live;
int debug;
int checkpointed_stream;

@ -82,7 +82,7 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
dss->checkpointed_stream = LIBXL_CHECKPOINTED_STREAM_NONE;
--- a/tools/libs/light/libxl_internal.h
+++ b/tools/libs/light/libxl_internal.h
@@ -3654,6 +3654,7 @@ struct libxl__domain_save_state {
@@ -3653,6 +3653,7 @@ struct libxl__domain_save_state {
int debug;
int checkpointed_stream;
uint32_t max_iters;

@ -286,7 +286,7 @@ the execution time of each script.
libxl__xswait_callback *callback;
/* remaining fields are private to xswait */
libxl__ev_time time_ev;
@@ -2704,6 +2706,7 @@ struct libxl__async_exec_state {
@@ -2703,6 +2705,7 @@ struct libxl__async_exec_state {
char **args; /* execution arguments */
char **env; /* execution environment */
@ -294,7 +294,7 @@ the execution time of each script.
/* private */
libxl__ev_time time;
libxl__ev_child child;
@@ -4893,6 +4896,9 @@ _hidden int userlookup_helper_getpwuid(l
@@ -4892,6 +4895,9 @@ _hidden int userlookup_helper_getpwuid(l
#endif

BIN
mini-os.tar.bz2 (Stored with Git LFS)

Binary file not shown.

@ -1,16 +0,0 @@
Index: xen-4.18.0-testing/xen/arch/x86/hvm/stdvga.c
===================================================================
--- xen-4.18.0-testing.orig/xen/arch/x86/hvm/stdvga.c
+++ xen-4.18.0-testing/xen/arch/x86/hvm/stdvga.c
@@ -165,7 +165,10 @@ static int stdvga_outb(uint64_t addr, ui
/* When in standard vga mode, emulate here all writes to the vram buffer
* so we can immediately satisfy reads without waiting for qemu. */
- s->stdvga = (s->sr[7] == 0x00);
+ s->stdvga =
+ (s->sr[7] == 0x00) && /* standard vga mode */
+ (s->gr[6] == 0x05); /* misc graphics register w/ MemoryMapSelect=1
+ * 0xa0000-0xaffff (64k region), AlphaDis=1 */
if ( !prev_stdvga && s->stdvga )
{

BIN
stubdom.tar.bz2 (Stored with Git LFS)

Binary file not shown.

@ -2,7 +2,7 @@ Change default IO-APIC ack mode for single IO-APIC systems to old-style.
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -2071,7 +2071,10 @@ void __init setup_IO_APIC(void)
@@ -2136,7 +2136,10 @@ void __init setup_IO_APIC(void)
io_apic_irqs = ~PIC_IRQS;
printk("ENABLING IO-APIC IRQs\n");

BIN
xen-4.19.0-testing-src.tar.bz2 (Stored with Git LFS)

Binary file not shown.

BIN
xen-4.19.1-testing-src.tar.bz2 (Stored with Git LFS) Normal file

Binary file not shown.

@ -60,11 +60,15 @@ conf_files $OF "$XEN_CONF_FILES"
log_cmd $OF "xl list --long"
log_cmd $OF "xl dmesg"
# network-related info often useful for debugging
if [ systemctl is-enabled NetworkManager.service 2>&1 > /dev/null ]; then
if systemctl is-enabled NetworkManager.service &> /dev/null ; then
log_write $OF "NOTE: NetworkManager should not be enabled on a Xen host"
fi
log_cmd $OF "route -n"
log_cmd $OF "arp -v"
for proto in '-4' '-6'
do
log_cmd $OF "ip $proto neighbor show"
log_cmd $OF "ip $proto route show"
log_cmd $OF "ip $proto address show"
done
log_cmd $OF "ip link show type bridge"
log_cmd $OF "bridge link show"
# list contents of common config and image directories
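Review bot: `&> /dev/null` in the rewritten NetworkManager test is a bash extension. The hunk does not show the interpreter line; if this plugin can be run by a POSIX `sh`, the line parses as the command put in the background followed by a bare redirection, and the `if` is then always true, so the NOTE would be logged on every host. `> /dev/null 2>&1` behaves the same in both shells.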

@ -1,3 +1,57 @@
-------------------------------------------------------------------
Wed Dec 4 09:16:24 MST 2024 - carnold@suse.com
- Update to Xen 4.19.1 bug fix release (jsc#PED-8907)
xen-4.19.1-testing-src.tar.bz2
* No upstream changelog found in sources or webpage
- Dropped patches
66a8b8ac-bunzip2-rare-failure.patch
66bb6f78-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch
66bb6fa5-x86-pass-through-document-as-security-unsupported.patch
66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch
66d02b69-Arm64-adjust-irq_to_desc-to-fix-build-with-gcc14.patch
66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch
66d8690f-SUPPORT-split-XSM-from-Flask.patch
66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch
66e44ae2-x86-ucode-AMD-buffer-underrun.patch
66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch
66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch
xsa463-01.patch
xsa463-02.patch
xsa463-03.patch
xsa463-04.patch
xsa463-05.patch
xsa463-06.patch
xsa463-07.patch
xsa463-08.patch
xsa463-09.patch
xsa464.patch
gcc14-fixes.patch
-------------------------------------------------------------------
Wed Oct 30 09:34:38 MDT 2024 - carnold@suse.com
- bsc#1232622 - VUL-0: CVE-2024-45818: xen: Deadlock in x86 HVM
standard VGA handling (XSA-463)
xsa463-01.patch
xsa463-02.patch
xsa463-03.patch
xsa463-04.patch
xsa463-05.patch
xsa463-06.patch
xsa463-07.patch
xsa463-08.patch
xsa463-09.patch
- bsc#1232624 - VUL-0: CVE-2024-45819: xen: libxl leaks data to PVH
guests via ACPI tables (XSA-464)
xsa464.patch
- Drop stdvga-cache.patch
-------------------------------------------------------------------
Tue Oct 29 12:34:56 UTC 2024 - ohering@suse.de
- bsc#1232542 - remove usage of net-tools-deprecated from supportconfig plugin
-------------------------------------------------------------------
Thu Sep 26 11:30:00 CEST 2024 - jbeulich@suse.com

@ -30,7 +30,7 @@
Name: xen
ExclusiveArch: %ix86 x86_64 aarch64
%define xen_build_dir xen-4.19.0-testing
%define xen_build_dir xen-4.19.1-testing
#
%define with_gdbsx 0
%define with_dom0_support 0
@ -124,12 +124,12 @@ BuildRequires: pesign-obs-integration
BuildRequires: python-rpm-macros
Provides: installhint(reboot-needed)
Version: 4.19.0_04
Version: 4.19.1_02
Release: 0
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
License: GPL-2.0-only
Group: System/Kernel
Source0: xen-4.19.0-testing-src.tar.bz2
Source0: xen-4.19.1-testing-src.tar.bz2
Source1: stubdom.tar.bz2
Source2: mini-os.tar.bz2
Source9: xen.changes
@ -159,17 +159,6 @@ Source10183: xen_maskcalc.py
# For xen-libs
Source99: baselibs.conf
# Upstream patches
Patch1: 66a8b8ac-bunzip2-rare-failure.patch
Patch2: 66bb6f78-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch
Patch3: 66bb6fa5-x86-pass-through-document-as-security-unsupported.patch
Patch4: 66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch
Patch5: 66d02b69-Arm64-adjust-irq_to_desc-to-fix-build-with-gcc14.patch
Patch6: 66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch
Patch7: 66d8690f-SUPPORT-split-XSM-from-Flask.patch
Patch8: 66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch
Patch9: 66e44ae2-x86-ucode-AMD-buffer-underrun.patch
Patch10: 66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch
Patch11: 66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch
# EMBARGOED security fixes
# libxc
Patch301: libxc-bitmap-long.patch
@ -215,15 +204,13 @@ Patch408: ignore-ip-command-script-errors.patch
# Needs to go upstream
Patch420: suspend_evtchn_lock.patch
Patch421: vif-route.patch
Patch422: gcc14-fixes.patch
# Other bug fixes or features
Patch450: xen.sysconfig-fillup.patch
Patch451: xenconsole-no-multiple-connections.patch
Patch452: hibernate.patch
Patch453: stdvga-cache.patch
Patch454: xl-save-pc.patch
Patch455: pygrub-boot-legacy-sles.patch
Patch456: pygrub-handle-one-line-menu-entries.patch
Patch453: xl-save-pc.patch
Patch454: pygrub-boot-legacy-sles.patch
Patch455: pygrub-handle-one-line-menu-entries.patch
Patch461: libxl.max_event_channels.patch
Patch463: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
Patch464: xen.libxl.dmmd.patch