diff --git a/66a8b8ac-bunzip2-rare-failure.patch b/66a8b8ac-bunzip2-rare-failure.patch deleted file mode 100644 index ecad994..0000000 --- a/66a8b8ac-bunzip2-rare-failure.patch +++ /dev/null @@ -1,30 +0,0 @@ -# Commit 303d3ff85c90ee4af4bad4e3b1d4932fa2634d64 -# Date 2024-07-30 11:55:56 +0200 -# Author Ross Lagerwall -# Committer Jan Beulich -bunzip2: fix rare decompression failure - -The decompression code parses a huffman tree and counts the number of -symbols for a given bit length. In rare cases, there may be >= 256 -symbols with a given bit length, causing the unsigned char to overflow. -This causes a decompression failure later when the code tries and fails to -find the bit length for a given symbol. - -Since the maximum number of symbols is 258, use unsigned short instead. - -Fixes: ab77e81f6521 ("x86/dom0: support bzip2 and lzma compressed bzImage payloads") -Signed-off-by: Ross Lagerwall -Acked-by: Jan Beulich - ---- a/xen/common/bunzip2.c -+++ b/xen/common/bunzip2.c -@@ -221,7 +221,8 @@ static int __init get_next_block(struct - RUNB) */ - symCount = symTotal+2; - for (j = 0; j < groupCount; j++) { -- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1]; -+ unsigned char length[MAX_SYMBOLS]; -+ unsigned short temp[MAX_HUFCODE_BITS+1]; - int minLen, maxLen, pp; - /* Read Huffman code lengths for each symbol. They're - stored in a way similar to mtf; record a starting diff --git a/66bb6f78-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch b/66bb6f78-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch deleted file mode 100644 index 490e176..0000000 --- a/66bb6f78-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -Subject: x86/IOMMU: move tracking in iommu_identity_mapping() -From: Teddy Astie teddy.astie@vates.tech Tue Aug 13 16:36:40 2024 +0200 -Date: Tue Aug 13 16:36:40 2024 +0200: -Git: beadd68b5490ada053d72f8a9ce6fd696d626596 - -If for some reason xmalloc() fails after having mapped the reserved -regions, an error is reported, but the regions remain mapped in the P2M. - -Similarly if an error occurs during set_identity_p2m_entry() (except on -the first call), the partial mappings of the region would be retained -without being tracked anywhere, and hence without there being a way to -remove them again from the domain's P2M. - -Move the setting up of the list entry ahead of trying to map the region. -In cases other than the first mapping failing, keep record of the full -region, such that a subsequent unmapping request can be properly torn -down. - -To compensate for the potentially excess unmapping requests, don't log a -warning from p2m_remove_identity_entry() when there really was nothing -mapped at a given GFN. - -This is XSA-460 / CVE-2024-31145. 
- -Fixes: 2201b67b9128 ("VT-d: improve RMRR region handling") -Fixes: c0e19d7c6c42 ("IOMMU: generalize VT-d's tracking of mapped RMRR regions") -Signed-off-by: Teddy Astie -Signed-off-by: Jan Beulich -Reviewed-by: Roger Pau Monné - -diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c -index e7e327d6a6..1739133fc2 100644 ---- a/xen/arch/x86/mm/p2m.c -+++ b/xen/arch/x86/mm/p2m.c -@@ -1267,9 +1267,11 @@ int p2m_remove_identity_entry(struct domain *d, unsigned long gfn_l) - else - { - gfn_unlock(p2m, gfn, 0); -- printk(XENLOG_G_WARNING -- "non-identity map d%d:%lx not cleared (mapped to %lx)\n", -- d->domain_id, gfn_l, mfn_x(mfn)); -+ if ( (p2mt != p2m_invalid && p2mt != p2m_mmio_dm) || -+ a != p2m_access_n || !mfn_eq(mfn, INVALID_MFN) ) -+ printk(XENLOG_G_WARNING -+ "non-identity map %pd:%lx not cleared (mapped to %lx)\n", -+ d, gfn_l, mfn_x(mfn)); - ret = 0; - } - -diff --git a/xen/drivers/passthrough/x86/iommu.c b/xen/drivers/passthrough/x86/iommu.c -index cc0062b027..8b1e0596b8 100644 ---- a/xen/drivers/passthrough/x86/iommu.c -+++ b/xen/drivers/passthrough/x86/iommu.c -@@ -267,24 +267,36 @@ int iommu_identity_mapping(struct domain *d, p2m_access_t p2ma, - if ( p2ma == p2m_access_x ) - return -ENOENT; - -- while ( base_pfn < end_pfn ) -- { -- int err = set_identity_p2m_entry(d, base_pfn, p2ma, flag); -- -- if ( err ) -- return err; -- base_pfn++; -- } -- - map = xmalloc(struct identity_map); - if ( !map ) - return -ENOMEM; -+ - map->base = base; - map->end = end; - map->access = p2ma; - map->count = 1; -+ -+ /* -+ * Insert into list ahead of mapping, so the range can be found when -+ * trying to clean up. -+ */ - list_add_tail(&map->list, &hd->arch.identity_maps); - -+ for ( ; base_pfn < end_pfn; ++base_pfn ) -+ { -+ int err = set_identity_p2m_entry(d, base_pfn, p2ma, flag); -+ -+ if ( !err ) -+ continue; -+ -+ if ( (map->base >> PAGE_SHIFT_4K) == base_pfn ) -+ { -+ list_del(&map->list); -+ xfree(map); -+ } -+ return err; -+ } -+ - return 0; - } - 
diff --git a/66bb6fa5-x86-pass-through-document-as-security-unsupported.patch b/66bb6fa5-x86-pass-through-document-as-security-unsupported.patch deleted file mode 100644 index b4431c9..0000000 --- a/66bb6fa5-x86-pass-through-document-as-security-unsupported.patch +++ /dev/null @@ -1,31 +0,0 @@ -Subject: x86/pass-through: documents as security-unsupported when sharing resources -From: Jan Beulich jbeulich@suse.com Tue Aug 13 16:37:25 2024 +0200 -Date: Tue Aug 13 16:37:25 2024 +0200: -Git: 9c94eda1e3790820699a6de3f6a7c959ecf30600 - -When multiple devices share resources and one of them is to be passed -through to a guest, security of the entire system and of respective -guests individually cannot really be guaranteed without knowing -internals of any of the involved guests. Therefore such a configuration -cannot really be security-supported, yet making that explicit was so far -missing. - -This is XSA-461 / CVE-2024-31146. - -Signed-off-by: Jan Beulich -Reviewed-by: Juergen Gross - ---- a/SUPPORT.md -+++ b/SUPPORT.md -@@ -841,6 +841,11 @@ This feature is not security supported: - - Only systems using IOMMUs are supported. - -+Passing through of devices sharing resources with another device is not -+security supported. Such sharing could e.g. be the same line interrupt being -+used by multiple devices, one of which is to be passed through, or two such -+devices having memory BARs within the same 4k page. -+ - Not compatible with migration, populate-on-demand, altp2m, - introspection, memory sharing, or memory paging. - diff --git a/66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch b/66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch deleted file mode 100644 index 486cc88..0000000 --- a/66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -# Commit fb1658221a31ec1db33253a80001191391e73b17 -# Date 2024-08-28 19:59:07 +0100 -# Author Roger Pau Monne -# Committer Andrew Cooper -x86/dom0: disable SMAP for PV domain building only - -Move the logic that disables SMAP so it's only performed when building a PV -dom0, PVH dom0 builder doesn't require disabling SMAP. - -The fixes tag is to account for the wrong usage of cpu_has_smap in -create_dom0(), it should instead have used -boot_cpu_has(X86_FEATURE_XEN_SMAP). Fix while moving the logic to apply to PV -only. - -While there also make cr4_pv32_mask __ro_after_init. - -Fixes: 493ab190e5b1 ('xen/sm{e, a}p: allow disabling sm{e, a}p for Xen itself') -Signed-off-by: Roger Pau Monné -Reviewed-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/include/asm/setup.h -+++ b/xen/arch/x86/include/asm/setup.h -@@ -64,6 +64,8 @@ extern bool opt_dom0_verbose; - extern bool opt_dom0_cpuid_faulting; - extern bool opt_dom0_msr_relaxed; - -+extern unsigned long cr4_pv32_mask; -+ - #define max_init_domid (0) - - #endif ---- a/xen/arch/x86/pv/dom0_build.c -+++ b/xen/arch/x86/pv/dom0_build.c -@@ -354,11 +354,11 @@ static struct page_info * __init alloc_c - return page; - } - --int __init dom0_construct_pv(struct domain *d, -- const module_t *image, -- unsigned long image_headroom, -- module_t *initrd, -- const char *cmdline) -+static int __init dom0_construct(struct domain *d, -+ const module_t *image, -+ unsigned long image_headroom, -+ module_t *initrd, -+ const char *cmdline) - { - int i, rc, order, machine; - bool compatible, compat; -@@ -1048,6 +1048,36 @@ out: - - return rc; - } -+ -+int __init dom0_construct_pv(struct domain *d, -+ const module_t *image, -+ unsigned long image_headroom, -+ module_t *initrd, -+ const char *cmdline) -+{ -+ int rc; -+ -+ /* -+ * Clear SMAP in CR4 to allow user-accesses in construct_dom0(). This -+ * prevents us needing to rewrite construct_dom0() in terms of -+ * copy_{to,from}_user(). 
-+ */ -+ if ( boot_cpu_has(X86_FEATURE_XEN_SMAP) ) -+ { -+ cr4_pv32_mask &= ~X86_CR4_SMAP; -+ write_cr4(read_cr4() & ~X86_CR4_SMAP); -+ } -+ -+ rc = dom0_construct(d, image, image_headroom, initrd, cmdline); -+ -+ if ( boot_cpu_has(X86_FEATURE_XEN_SMAP) ) -+ { -+ write_cr4(read_cr4() | X86_CR4_SMAP); -+ cr4_pv32_mask |= X86_CR4_SMAP; -+ } -+ -+ return rc; -+} - - /* - * Local variables: ---- a/xen/arch/x86/setup.c -+++ b/xen/arch/x86/setup.c -@@ -79,8 +79,7 @@ bool __read_mostly use_invpcid; - int8_t __initdata opt_probe_port_aliases = -1; - boolean_param("probe-port-aliases", opt_probe_port_aliases); - --/* Only used in asm code and within this source file */ --unsigned long asmlinkage __read_mostly cr4_pv32_mask; -+unsigned long __ro_after_init cr4_pv32_mask; - - /* **** Linux config option: propagated to domain0. */ - /* "acpi=off": Sisables both ACPI table parsing and interpreter. */ -@@ -955,26 +954,9 @@ static struct domain *__init create_dom0 - } - } - -- /* -- * Temporarily clear SMAP in CR4 to allow user-accesses in construct_dom0(). -- * This saves a large number of corner cases interactions with -- * copy_from_user(). -- */ -- if ( cpu_has_smap ) -- { -- cr4_pv32_mask &= ~X86_CR4_SMAP; -- write_cr4(read_cr4() & ~X86_CR4_SMAP); -- } -- - if ( construct_dom0(d, image, headroom, initrd, cmdline) != 0 ) - panic("Could not construct domain 0\n"); - -- if ( cpu_has_smap ) -- { -- write_cr4(read_cr4() | X86_CR4_SMAP); -- cr4_pv32_mask |= X86_CR4_SMAP; -- } -- - return d; - } - diff --git a/66d02b69-Arm64-adjust-irq_to_desc-to-fix-build-with-gcc14.patch b/66d02b69-Arm64-adjust-irq_to_desc-to-fix-build-with-gcc14.patch deleted file mode 100644 index 3e83c37..0000000 --- a/66d02b69-Arm64-adjust-irq_to_desc-to-fix-build-with-gcc14.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -Subject: Arm64: adjust __irq_to_desc() to fix build with gcc14 -From: Jan Beulich jbeulich@suse.com Thu Aug 29 10:03:53 2024 +0200 -Date: Thu Aug 29 10:03:53 2024 +0200: -Git: 99f942f3d410059dc223ee0a908827e928ef3592 - -With the original code I observe - -In function ‘__irq_to_desc’, - inlined from ‘route_irq_to_guest’ at arch/arm/irq.c:465:12: -arch/arm/irq.c:54:16: error: array subscript -2 is below array bounds of ‘irq_desc_t[32]’ {aka ‘struct irq_desc[32]’} [-Werror=array-bounds=] - 54 | return &this_cpu(local_irq_desc)[irq]; - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -which looks pretty bogus: How in the world does the compiler arrive at --2 when compiling route_irq_to_guest()? Yet independent of that the -function's parameter wants to be of unsigned type anyway, as shown by -a vast majority of callers (others use plain int when they really mean -non-negative quantities). With that adjustment the code compiles fine -again. - -Signed-off-by: Jan Beulich -Acked-by: Michal Orzel - -diff --git a/xen/arch/arm/include/asm/irq.h b/xen/arch/arm/include/asm/irq.h -index ec437add09..88e060bf29 100644 ---- a/xen/arch/arm/include/asm/irq.h -+++ b/xen/arch/arm/include/asm/irq.h -@@ -56,7 +56,7 @@ extern const unsigned int nr_irqs; - struct irq_desc; - struct irqaction; - --struct irq_desc *__irq_to_desc(int irq); -+struct irq_desc *__irq_to_desc(unsigned int irq); - - #define irq_to_desc(irq) __irq_to_desc(irq) - -diff --git a/xen/arch/arm/irq.c b/xen/arch/arm/irq.c -index 6b89f64fd1..b9757d7ad3 100644 ---- a/xen/arch/arm/irq.c -+++ b/xen/arch/arm/irq.c -@@ -48,7 +48,7 @@ void irq_end_none(struct irq_desc *irq) - static irq_desc_t irq_desc[NR_IRQS]; - static DEFINE_PER_CPU(irq_desc_t[NR_LOCAL_IRQS], local_irq_desc); - --struct irq_desc *__irq_to_desc(int irq) -+struct irq_desc *__irq_to_desc(unsigned int irq) - { - if ( irq < NR_LOCAL_IRQS ) - return &this_cpu(local_irq_desc)[irq]; 
diff --git a/66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch b/66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch deleted file mode 100644 index 9596297..0000000 --- a/66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -# Commit bb03169bcb6ecccf372de1f6b9285cd519a26bb8 -# Date 2024-09-03 10:53:44 +0100 -# Author Javi Merino -# Committer Andrew Cooper -libxl: Fix nul-termination of the return value of libxl_xen_console_read_line() - -When built with ASAN, "xl dmesg" crashes in the "printf("%s", line)" -call in main_dmesg(). ASAN reports a heap buffer overflow: an -off-by-one access to cr->buffer. - -The readconsole sysctl copies up to count characters into the buffer, -but it does not add a null character at the end. Despite the -documentation of libxl_xen_console_read_line(), line_r is not -nul-terminated if 16384 characters were copied to the buffer. - -Fix this by asking xc_readconsolering() to fill the buffer up to size -- 1. As the number of characters in the buffer is only needed in -libxl_xen_console_read_line(), make it a local variable there instead -of part of the libxl__xen_console_reader struct. - -Fixes: 4024bae739cc ("xl: Add subcommand 'xl dmesg'") -Reported-by: Edwin Török -Signed-off-by: Javi Merino -Reviewed-by: Anthony PERARD - ---- a/tools/libs/light/libxl_console.c -+++ b/tools/libs/light/libxl_console.c -@@ -774,12 +774,17 @@ libxl_xen_console_reader * - { - GC_INIT(ctx); - libxl_xen_console_reader *cr; -- unsigned int size = 16384; -+ /* -+ * We want xen to fill the buffer in as few hypercalls as -+ * possible, but xen will not nul-terminate it. The default size -+ * of Xen's console buffer is 16384. Leave one byte at the end -+ * for the null character. -+ */ -+ unsigned int size = 16384 + 1; - - cr = libxl__zalloc(NOGC, sizeof(libxl_xen_console_reader)); - cr->buffer = libxl__zalloc(NOGC, size); - cr->size = size; -- cr->count = size; - cr->clear = clear; - cr->incremental = 1; - -@@ -800,10 +805,16 @@ int libxl_xen_console_read_line(libxl_ct - char **line_r) - { - int ret; -+ /* -+ * Number of chars to copy into the buffer. xc_readconsolering() -+ * does not add a null character at the end, so leave a space for -+ * us to add it. 
-+ */ -+ unsigned int nr_chars = cr->size - 1; - GC_INIT(ctx); - - memset(cr->buffer, 0, cr->size); -- ret = xc_readconsolering(ctx->xch, cr->buffer, &cr->count, -+ ret = xc_readconsolering(ctx->xch, cr->buffer, &nr_chars, - cr->clear, cr->incremental, &cr->index); - if (ret < 0) { - LOGE(ERROR, "reading console ring buffer"); -@@ -811,7 +822,7 @@ int libxl_xen_console_read_line(libxl_ct - return ERROR_FAIL; - } - if (!ret) { -- if (cr->count) { -+ if (nr_chars) { - *line_r = cr->buffer; - ret = 1; - } else { ---- a/tools/libs/light/libxl_internal.h -+++ b/tools/libs/light/libxl_internal.h -@@ -2077,7 +2077,6 @@ _hidden char *libxl__uuid2string(libxl__ - struct libxl__xen_console_reader { - char *buffer; - unsigned int size; -- unsigned int count; - unsigned int clear; - unsigned int incremental; - unsigned int index; diff --git a/66d8690f-SUPPORT-split-XSM-from-Flask.patch b/66d8690f-SUPPORT-split-XSM-from-Flask.patch deleted file mode 100644 index f214ba7..0000000 --- a/66d8690f-SUPPORT-split-XSM-from-Flask.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -# Commit d7c18b8720824d7efc39ffa7296751e1812865a9 -# Date 2024-09-04 16:05:03 +0200 -# Author Jan Beulich -# Committer Jan Beulich -SUPPORT.md: split XSM from Flask - -XSM is a generic framework, which in particular is also used by SILO. -With this it can't really be experimental: Arm mandates SILO for having -a security supported configuration. - -Signed-off-by: Jan Beulich -Reviewed-by: Roger Pau Monné -Reviewed-by: Daniel P. Smith - ---- a/SUPPORT.md -+++ b/SUPPORT.md -@@ -768,13 +768,21 @@ Compile time disabled for ARM by default - - Status, x86: Supported, not security supported - --### XSM & FLASK -+### XSM (Xen Security Module) Framework -+ -+XSM is a security policy framework. The dummy implementation is covered by this -+statement, and implements a policy whereby dom0 is all powerful. See below for -+alternative modules (FLASK, SILO). -+ -+ Status: Supported -+ -+### FLASK XSM Module - - Status: Experimental - - Compile time disabled by default. - --Also note that using XSM -+Also note that using FLASK - to delegate various domain control hypercalls - to particular other domains, rather than only permitting use by dom0, - is also specifically excluded from security support for many hypercalls. -@@ -787,6 +795,13 @@ Please see XSA-77 for more details. - The default policy includes FLASK labels and roles for a "typical" Xen-based system - with dom0, driver domains, stub domains, domUs, and so on. - -+### SILO XSM Module -+ -+SILO extends the dummy policy by enforcing that DomU-s can only communicate -+with Dom0, yet not with each other. -+ -+ Status: Supported -+ - ## Virtual Hardware, Hypervisor - - ### x86/Nested PV diff --git a/66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch b/66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch deleted file mode 100644 index aa68111..0000000 --- a/66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -# Commit eb7cd0593d88c4b967a24bca8bd30591966676cd -# Date 2024-09-12 09:13:04 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/HVM: properly reject "indirect" VRAM writes - -While ->count will only be different from 1 for "indirect" (data in -guest memory) accesses, it being 1 does not exclude the request being an -"indirect" one. Check both to be on the safe side, and bring the ->count -part also in line with what ioreq_send_buffered() actually refuses to -handle. - -Fixes: 3bbaaec09b1b ("x86/hvm: unify stdvga mmio intercept with standard mmio intercept") -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/hvm/stdvga.c -+++ b/xen/arch/x86/hvm/stdvga.c -@@ -530,14 +530,14 @@ static bool cf_check stdvga_mem_accept( - - spin_lock(&s->lock); - -- if ( p->dir == IOREQ_WRITE && p->count > 1 ) -+ if ( p->dir == IOREQ_WRITE && (p->data_is_ptr || p->count != 1) ) - { - /* - * We cannot return X86EMUL_UNHANDLEABLE on anything other then the - * first cycle of an I/O. So, since we cannot guarantee to always be - * able to send buffered writes, we have to reject any multi-cycle -- * I/O and, since we are rejecting an I/O, we must invalidate the -- * cache. -+ * or "indirect" I/O and, since we are rejecting an I/O, we must -+ * invalidate the cache. - * Single-cycle write transactions are accepted even if the cache is - * not active since we can assert, when in stdvga mode, that writes - * to VRAM have no side effect and thus we can try to buffer them. diff --git a/66e44ae2-x86-ucode-AMD-buffer-underrun.patch b/66e44ae2-x86-ucode-AMD-buffer-underrun.patch deleted file mode 100644 index 58343b0..0000000 --- a/66e44ae2-x86-ucode-AMD-buffer-underrun.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -# Commit a8bf14f6f331d4f428010b4277b67c33f561ed19 -# Date 2024-09-13 15:23:30 +0100 -# Author Demi Marie Obenour -# Committer Andrew Cooper -xen/ucode: Fix buffer under-run when parsing AMD containers - -The AMD container format has no formal spec. It is, at best, precision -guesswork based on AMD's prior contributions to open source projects. The -Equivalence Table has both an explicit length, and an expectation of having a -NULL entry at the end. - -Xen was sanity checking the NULL entry, but without confirming that an entry -was present, resulting in a read off the front of the buffer. With some -manual debugging/annotations this manifests as: - - (XEN) *** Buf ffff83204c00b19c, eq ffff83204c00b194 - (XEN) *** eq: 0c 00 00 00 44 4d 41 00 00 00 00 00 00 00 00 00 aa aa aa aa - ^-Actual buffer-------------------^ - (XEN) *** installed_cpu: 000c - (XEN) microcode: Bad equivalent cpu table - (XEN) Parsing microcode blob error -22 - -When loaded by hypercall, the 4 bytes interpreted as installed_cpu happen to -be the containing struct ucode_buf's len field, and luckily will be nonzero. - -When loaded at boot, it's possible for the access to #PF if the module happens -to have been placed on a 2M boundary by the bootloader. Under Linux, it will -commonly be the end of the CPIO header. - -Drop the probe of the NULL entry; Nothing else cares. A container without one -is well formed, insofar that we can still parse it correctly. With this -dropped, the same container results in: - - (XEN) microcode: couldn't find any matching ucode in the provided blob! 
- -Fixes: 4de936a38aa9 ("x86/ucode/amd: Rework parsing logic in cpu_request_microcode()") -Signed-off-by: Demi Marie Obenour -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich - ---- a/xen/arch/x86/cpu/microcode/amd.c -+++ b/xen/arch/x86/cpu/microcode/amd.c -@@ -336,8 +336,7 @@ static struct microcode_patch *cf_check - if ( size < sizeof(*et) || - (et = buf)->type != UCODE_EQUIV_CPU_TABLE_TYPE || - size - sizeof(*et) < et->len || -- et->len % sizeof(et->eq[0]) || -- et->eq[(et->len / sizeof(et->eq[0])) - 1].installed_cpu ) -+ et->len % sizeof(et->eq[0]) ) - { - printk(XENLOG_ERR "microcode: Bad equivalent cpu table\n"); - error = -EINVAL; diff --git a/66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch b/66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch deleted file mode 100644 index d942d71..0000000 --- a/66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -# Commit c42d9ec61f6d11e25fa77bd44dd11dad1edda268 -# Date 2024-09-24 14:23:29 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/vLAPIC: prevent undue recursion of vlapic_error() - -With the error vector set to an illegal value, the function invoking -vlapic_set_irq() would bring execution back here, with the non-recursive -lock already held. Avoid the call in this case, merely further updating -ESR (if necessary). - -This is XSA-462 / CVE-2024-45817. - -Fixes: 5f32d186a8b1 ("x86/vlapic: don't silently accept bad vectors") -Reported-by: Federico Serafini -Reported-by: Andrew Cooper -Signed-off-by: Jan Beulich -Signed-off-by: Andrew Cooper -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/hvm/vlapic.c -+++ b/xen/arch/x86/hvm/vlapic.c -@@ -112,9 +112,24 @@ static void vlapic_error(struct vlapic * - if ( (esr & errmask) != errmask ) - { - uint32_t lvterr = vlapic_get_reg(vlapic, APIC_LVTERR); -+ bool inj = false; - -- vlapic_set_reg(vlapic, APIC_ESR, esr | errmask); - if ( !(lvterr & APIC_LVT_MASKED) ) -+ { -+ /* -+ * If LVTERR is unmasked and has an illegal vector, vlapic_set_irq() -+ * will end up back here. Break the cycle by only injecting LVTERR -+ * if it will succeed, and folding in RECVILL otherwise. -+ */ -+ if ( (lvterr & APIC_VECTOR_MASK) >= 16 ) -+ inj = true; -+ else -+ errmask |= APIC_ESR_RECVILL; -+ } -+ -+ vlapic_set_reg(vlapic, APIC_ESR, esr | errmask); -+ -+ if ( inj ) - vlapic_set_irq(vlapic, lvterr & APIC_VECTOR_MASK, 0); - } - spin_unlock_irqrestore(&vlapic->esr_lock, flags); diff --git a/66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch b/66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch deleted file mode 100644 index 5bfed16..0000000 --- a/66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -# Commit 8752ad83e79754f8109457cff796e5f86f644348 -# Date 2024-09-24 18:57:38 +0100 -# Author Demi Marie Obenour -# Committer Andrew Cooper -xen/ucode: Make Intel's microcode_sanity_check() stricter - -The SDM states that data size must be a multiple of 4, but Xen doesn't check -this propery. - -This is liable to cause a later failures, but should be checked explicitly. - -Signed-off-by: Demi Marie Obenour -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich - ---- a/xen/arch/x86/cpu/microcode/intel.c -+++ b/xen/arch/x86/cpu/microcode/intel.c -@@ -155,10 +155,13 @@ static int microcode_sanity_check(const - uint32_t sum; - - /* -- * Total size must be a multiple of 1024 bytes. Data size and the header -- * must fit within it. -+ * The SDM states: -+ * - Data size must be a multiple of 4. -+ * - Total size must be a multiple of 1024 bytes. Data size and the -+ * header must fit within it. - */ - if ( (total_size & 1023) || -+ (data_size & 3) || - data_size > (total_size - MC_HEADER_SIZE) ) - { - printk(XENLOG_WARNING "microcode: Bad size\n"); diff --git a/gcc14-fixes.patch b/gcc14-fixes.patch deleted file mode 100644 index b245902..0000000 --- a/gcc14-fixes.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -References: bsc#1225953 - -Compiling against gcc14. - ../../../../../newlib-1.16.0/newlib/libc/stdlib/wcstoull.c: In function ‘wcstoull’: - ../../../../../newlib-1.16.0/newlib/libc/stdlib/wcstoull.c:136:16: error: implicit declaration of function ‘_wcstoull_r’; did you mean ‘wcstoull’? [-Wimplicit-function-declaration] - 136 | return _wcstoull_r (_REENT, s, ptr, base); - | ^~~~~~~~~~~ - | wcstoull - - In file included from ../../../../../newlib-1.16.0/newlib/libc/reent/signalr.c:7: - ../../../../../newlib-1.16.0/newlib/libc/reent/signalr.c: In function ‘_kill_r’: - ../../../../../newlib-1.16.0/newlib/libc/reent/signalr.c:61:14: error: implicit declaration of function ‘kill’; did you mean ‘_kill’? [-Wimplicit-function-declaration] - 61 | if ((ret = _kill (pid, sig)) == -1 && errno != 0) - | ^~~~~ - - -Index: xen-4.19.0-testing/stubdom/Makefile -=================================================================== ---- xen-4.19.0-testing.orig/stubdom/Makefile -+++ xen-4.19.0-testing/stubdom/Makefile -@@ -97,6 +97,7 @@ newlib-$(NEWLIB_VERSION): newlib-$(NEWLI - patch -d $@ -p1 < newlib-disable-texinfo.patch - patch -d $@ -p1 < newlib-cygmon-gmon.patch - patch -d $@ -p1 < newlib-makedoc.patch -+ patch -d $@ -p1 < newlib-gcc14-pragmas.patch - find $@ -type f | xargs perl -i.bak \ - -pe 's/\b_(tzname|daylight|timezone)\b/$$1/g' - touch $@ -Index: xen-4.19.0-testing/stubdom/newlib-gcc14-pragmas.patch -=================================================================== ---- /dev/null -+++ xen-4.19.0-testing/stubdom/newlib-gcc14-pragmas.patch -@@ -0,0 +1,36 @@ -+--- newlib-1.16.0/newlib/libc/stdlib/wcstoull.c.orig 2024-06-04 15:32:01.495146632 -0600 -++++ newlib-1.16.0/newlib/libc/stdlib/wcstoull.c 2024-06-04 15:38:56.627156524 -0600 -+@@ -127,6 +127,10 @@ PORTABILITY -+ -+ #ifndef _REENT_ONLY -+ -++#if __GNUC__ >= 14 -++#pragma GCC diagnostic ignored "-Wimplicit-function-declaration" -++#endif -++ -+ unsigned long long -+ _DEFUN (wcstoull, (s, ptr, base), 
-+ _CONST wchar_t *s _AND -+--- newlib-1.16.0/newlib/libc/reent/signalr.c.orig 2024-06-04 15:39:15.139156966 -0600 -++++ newlib-1.16.0/newlib/libc/reent/signalr.c 2024-06-04 15:40:24.899158628 -0600 -+@@ -49,6 +49,10 @@ DESCRIPTION -+ <>. -+ */ -+ -++#if __GNUC__ >= 14 -++#pragma GCC diagnostic ignored "-Wimplicit-function-declaration" -++#endif -++ -+ int -+ _DEFUN (_kill_r, (ptr, pid, sig), -+ struct _reent *ptr _AND -+--- newlib-1.16.0/newlib/doc/makedoc.c.orig 2024-06-04 16:07:54.423197934 -0600 -++++ newlib-1.16.0/newlib/doc/makedoc.c 2024-06-04 16:15:15.395208441 -0600 -+@@ -798,6 +798,7 @@ DEFUN( iscommand,(ptr, idx), -+ } -+ -+ -++static unsigned int -+ DEFUN(copy_past_newline,(ptr, idx, dst), -+ string_type *ptr AND -+ unsigned int idx AND diff --git a/libxc-sr-abort_if_busy.patch b/libxc-sr-abort_if_busy.patch index 4542824..16dd0b6 100644 --- a/libxc-sr-abort_if_busy.patch +++ b/libxc-sr-abort_if_busy.patch @@ -93,7 +93,7 @@ Signed-off-by: Olaf Hering dss->checkpointed_stream = LIBXL_CHECKPOINTED_STREAM_NONE; --- a/tools/libs/light/libxl_internal.h +++ b/tools/libs/light/libxl_internal.h -@@ -3652,9 +3652,11 @@ struct libxl__domain_save_state { +@@ -3651,9 +3651,11 @@ struct libxl__domain_save_state { libxl_domain_type type; int live; int debug; diff --git a/libxc-sr-max_iters.patch b/libxc-sr-max_iters.patch index ae1160c..80dea52 100644 --- a/libxc-sr-max_iters.patch +++ b/libxc-sr-max_iters.patch @@ -77,7 +77,7 @@ Signed-off-by: Olaf Hering dss->checkpointed_stream = LIBXL_CHECKPOINTED_STREAM_NONE; --- a/tools/libs/light/libxl_internal.h +++ b/tools/libs/light/libxl_internal.h -@@ -3653,6 +3653,7 @@ struct libxl__domain_save_state { +@@ -3652,6 +3652,7 @@ struct libxl__domain_save_state { int live; int debug; int checkpointed_stream; diff --git a/libxc-sr-min_remaining.patch b/libxc-sr-min_remaining.patch index 855a03a..90a63bd 100644 --- a/libxc-sr-min_remaining.patch +++ b/libxc-sr-min_remaining.patch @@ -82,7 +82,7 @@ 
Signed-off-by: Olaf Hering dss->checkpointed_stream = LIBXL_CHECKPOINTED_STREAM_NONE; --- a/tools/libs/light/libxl_internal.h +++ b/tools/libs/light/libxl_internal.h -@@ -3654,6 +3654,7 @@ struct libxl__domain_save_state { +@@ -3653,6 +3653,7 @@ struct libxl__domain_save_state { int debug; int checkpointed_stream; uint32_t max_iters; diff --git a/libxl.LIBXL_HOTPLUG_TIMEOUT.patch b/libxl.LIBXL_HOTPLUG_TIMEOUT.patch index 7e72a28..ddd465a 100644 --- a/libxl.LIBXL_HOTPLUG_TIMEOUT.patch +++ b/libxl.LIBXL_HOTPLUG_TIMEOUT.patch @@ -286,7 +286,7 @@ the execution time of each script. libxl__xswait_callback *callback; /* remaining fields are private to xswait */ libxl__ev_time time_ev; -@@ -2704,6 +2706,7 @@ struct libxl__async_exec_state { +@@ -2703,6 +2705,7 @@ struct libxl__async_exec_state { char **args; /* execution arguments */ char **env; /* execution environment */ @@ -294,7 +294,7 @@ the execution time of each script. /* private */ libxl__ev_time time; libxl__ev_child child; -@@ -4893,6 +4896,9 @@ _hidden int userlookup_helper_getpwuid(l +@@ -4892,6 +4895,9 @@ _hidden int userlookup_helper_getpwuid(l #endif diff --git a/mini-os.tar.bz2 b/mini-os.tar.bz2 index 65b94da..fd8260f 100644 --- a/mini-os.tar.bz2 +++ b/mini-os.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:f06e0a7df8e90621815c9119c11adfd31b3240387b2eb1d9da37e73b98b35ee8 -size 320089 +oid sha256:1b927573a970da1e99e437251b3cda8159f0d504e2cc2a73db64c513c4e93eb4 +size 320125 diff --git a/stdvga-cache.patch b/stdvga-cache.patch deleted file mode 100644 index 8a4df5b..0000000 --- a/stdvga-cache.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Index: xen-4.18.0-testing/xen/arch/x86/hvm/stdvga.c -=================================================================== ---- xen-4.18.0-testing.orig/xen/arch/x86/hvm/stdvga.c -+++ xen-4.18.0-testing/xen/arch/x86/hvm/stdvga.c -@@ -165,7 +165,10 @@ static int stdvga_outb(uint64_t addr, ui - - /* When in standard vga mode, emulate here all writes to the vram buffer - * so we can immediately satisfy reads without waiting for qemu. */ -- s->stdvga = (s->sr[7] == 0x00); -+ s->stdvga = -+ (s->sr[7] == 0x00) && /* standard vga mode */ -+ (s->gr[6] == 0x05); /* misc graphics register w/ MemoryMapSelect=1 -+ * 0xa0000-0xaffff (64k region), AlphaDis=1 */ - - if ( !prev_stdvga && s->stdvga ) - { diff --git a/stubdom.tar.bz2 b/stubdom.tar.bz2 index 63afb0e..1438c00 100644 --- a/stubdom.tar.bz2 +++ b/stubdom.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:7bbf10959de4f319861633267ea33f378051ede9ec2881862a54257b3447d4c9 -size 19767990 +oid sha256:abb6d90f3e99ffba39086895ff8ad7ae4b622a9f388b56d3f636fcf4337b6b1b +size 19768501 diff --git a/x86-ioapic-ack-default.patch b/x86-ioapic-ack-default.patch index acdde0d..2aa998b 100644 --- a/x86-ioapic-ack-default.patch +++ b/x86-ioapic-ack-default.patch @@ -2,7 +2,7 @@ Change default IO-APIC ack mode for single IO-APIC systems to old-style. --- a/xen/arch/x86/io_apic.c +++ b/xen/arch/x86/io_apic.c -@@ -2071,7 +2071,10 @@ void __init setup_IO_APIC(void) +@@ -2136,7 +2136,10 @@ void __init setup_IO_APIC(void) io_apic_irqs = ~PIC_IRQS; printk("ENABLING IO-APIC IRQs\n"); diff --git a/xen-4.19.0-testing-src.tar.bz2 b/xen-4.19.0-testing-src.tar.bz2 deleted file mode 100644 index 978b286..0000000 --- a/xen-4.19.0-testing-src.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6435f03f315fa9f47501779aaca9ed8db7fd95328df91393023e2c765e206d29 -size 5646136 
diff --git a/xen-4.19.1-testing-src.tar.bz2 b/xen-4.19.1-testing-src.tar.bz2
new file mode 100644
index 0000000..9f337c8
--- /dev/null
+++ b/xen-4.19.1-testing-src.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdc1dd6308b4b347d2003ebe414dc47023fd5ddcc3746254fea666dd701c6498
+size 5654644
diff --git a/xen-supportconfig b/xen-supportconfig
index a4d325a..f77bd03 100644
--- a/xen-supportconfig
+++ b/xen-supportconfig
@@ -60,11 +60,15 @@ conf_files $OF "$XEN_CONF_FILES"
 log_cmd $OF "xl list --long"
 log_cmd $OF "xl dmesg"
 # network-related info often useful for debugging
-if [ systemctl is-enabled NetworkManager.service 2>&1 > /dev/null ]; then
+if systemctl is-enabled NetworkManager.service &> /dev/null ; then
 log_write $OF "NOTE: NetworkManager should not be enabled on a Xen host"
 fi
-log_cmd $OF "route -n"
-log_cmd $OF "arp -v"
+for proto in '-4' '-6'
+do
+ log_cmd $OF "ip $proto neighbor show"
+ log_cmd $OF "ip $proto route show"
+ log_cmd $OF "ip $proto address show"
+done
 log_cmd $OF "ip link show type bridge"
 log_cmd $OF "bridge link show"
 # list contents of common config and image directories
diff --git a/xen.changes b/xen.changes
index 7962988..ec3820b 100644
--- a/xen.changes
+++ b/xen.changes
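Review bot: The new `if systemctl is-enabled NetworkManager.service &> /dev/null ; then` relies on the bash-only `&>` redirection; if this supportconfig plugin runs under a POSIX `/bin/sh` such as dash (the shebang is outside the hunk, so this is inferred), `&>` is parsed as `systemctl … &` followed by `> /dev/null`, which backgrounds systemctl and makes the condition always true, so the NetworkManager warning would be logged on every host. The portable form is `if systemctl is-enabled NetworkManager.service >/dev/null 2>&1; then`, which also keeps the error output of a missing systemctl binary out of the report. The replacement of `route -n`/`arp -v` with the `ip -4/-6` loop is otherwise fine; note that `is-enabled` returns non-zero when the unit is absent, so hosts without NetworkManager installed are correctly silent.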
@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Wed Dec 4 09:16:24 MST 2024 - carnold@suse.com
+
+- Update to Xen 4.19.1 bug fix release (jsc#PED-8907)
+ xen-4.19.1-testing-src.tar.bz2
+ * No upstream changelog found in sources or webpage
+- Dropped patches
+ 66a8b8ac-bunzip2-rare-failure.patch
+ 66bb6f78-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch
+ 66bb6fa5-x86-pass-through-document-as-security-unsupported.patch
+ 66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch
+ 66d02b69-Arm64-adjust-irq_to_desc-to-fix-build-with-gcc14.patch
+ 66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch
+ 66d8690f-SUPPORT-split-XSM-from-Flask.patch
+ 66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch
+ 66e44ae2-x86-ucode-AMD-buffer-underrun.patch
+ 66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch
+ 66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch
+ xsa463-01.patch
+ xsa463-02.patch
+ xsa463-03.patch
+ xsa463-04.patch
+ xsa463-05.patch
+ xsa463-06.patch
+ xsa463-07.patch
+ xsa463-08.patch
+ xsa463-09.patch
+ xsa464.patch
+ gcc14-fixes.patch
+
+-------------------------------------------------------------------
+Wed Oct 30 09:34:38 MDT 2024 - carnold@suse.com
+
+- bsc#1232622 - VUL-0: CVE-2024-45818: xen: Deadlock in x86 HVM
+ standard VGA handling (XSA-463)
+ xsa463-01.patch
+ xsa463-02.patch
+ xsa463-03.patch
+ xsa463-04.patch
+ xsa463-05.patch
+ xsa463-06.patch
+ xsa463-07.patch
+ xsa463-08.patch
+ xsa463-09.patch
+- bsc#1232624 - VUL-0: CVE-2024-45819: xen: libxl leaks data to PVH
+ guests via ACPI tables (XSA-464)
+ xsa464.patch
+- Drop stdvga-cache.patch
+
+-------------------------------------------------------------------
+Tue Oct 29 12:34:56 UTC 2024 - ohering@suse.de
+
+- bsc#1232542 - remove usage of net-tools-deprecated from supportconfig plugin
+
 -------------------------------------------------------------------
 Thu Sep 26 11:30:00 CEST 2024 - jbeulich@suse.com
diff --git a/xen.spec b/xen.spec index be8c0d9..30c95f2 100644 --- a/xen.spec +++ b/xen.spec @@ -30,7 +30,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 aarch64 -%define xen_build_dir xen-4.19.0-testing +%define xen_build_dir xen-4.19.1-testing # %define with_gdbsx 0 %define with_dom0_support 0 @@ -124,12 +124,12 @@ BuildRequires: pesign-obs-integration BuildRequires: python-rpm-macros Provides: installhint(reboot-needed) -Version: 4.19.0_04 +Version: 4.19.1_02 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0-only Group: System/Kernel -Source0: xen-4.19.0-testing-src.tar.bz2 +Source0: xen-4.19.1-testing-src.tar.bz2 Source1: stubdom.tar.bz2 Source2: mini-os.tar.bz2 Source9: xen.changes @@ -159,17 +159,6 @@ Source10183: xen_maskcalc.py # For xen-libs Source99: baselibs.conf # Upstream patches -Patch1: 66a8b8ac-bunzip2-rare-failure.patch -Patch2: 66bb6f78-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch -Patch3: 66bb6fa5-x86-pass-through-document-as-security-unsupported.patch -Patch4: 66cf737b-x86-Dom0-disable-SMAP-for-PV-only.patch -Patch5: 66d02b69-Arm64-adjust-irq_to_desc-to-fix-build-with-gcc14.patch -Patch6: 66d6dca8-libxl-nul-termination-in-xen_console_read_line.patch -Patch7: 66d8690f-SUPPORT-split-XSM-from-Flask.patch -Patch8: 66e29480-x86-HVM-properly-reject-indirect-VRAM-writes.patch -Patch9: 66e44ae2-x86-ucode-AMD-buffer-underrun.patch -Patch10: 66f2af41-x86-vLAPIC-undue-recursion-of-vlapic_error.patch -Patch11: 66f2fd92-x86-ucode-Intel-stricter-sanity-check.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch 
@@ -215,15 +204,13 @@ Patch408: ignore-ip-command-script-errors.patch # Needs to go upstream Patch420: suspend_evtchn_lock.patch Patch421: vif-route.patch -Patch422: gcc14-fixes.patch # Other bug fixes or features Patch450: xen.sysconfig-fillup.patch Patch451: xenconsole-no-multiple-connections.patch Patch452: hibernate.patch -Patch453: stdvga-cache.patch -Patch454: xl-save-pc.patch -Patch455: pygrub-boot-legacy-sles.patch -Patch456: pygrub-handle-one-line-menu-entries.patch +Patch453: xl-save-pc.patch +Patch454: pygrub-boot-legacy-sles.patch +Patch455: pygrub-handle-one-line-menu-entries.patch Patch461: libxl.max_event_channels.patch Patch463: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch Patch464: xen.libxl.dmmd.patch