Accepting request 307039 from Virtualization

Security maintenance update

OBS-URL: https://build.opensuse.org/request/show/307039
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xen?expand=0&rev=205

5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch

@@ -0,0 +1,37 @@
+Subject: domctl/sysctl: don't leak hypervisor stack to toolstacks
+From: Andrew Cooper andrew.cooper3@citrix.com Tue Apr 21 09:03:15 2015 +0200
+Date: Tue Apr 21 09:03:15 2015 +0200:
+Git: 4ff3449f0e9d175ceb9551d3f2aecb59273f639d
+
+This is CVE-2015-3340 / XSA-132.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+Index: xen-4.5.0-testing/xen/arch/x86/domctl.c
+===================================================================
+--- xen-4.5.0-testing.orig/xen/arch/x86/domctl.c
++++ xen-4.5.0-testing/xen/arch/x86/domctl.c
+@@ -886,7 +886,7 @@ long arch_do_domctl(
+ 
+     case XEN_DOMCTL_gettscinfo:
+     {
+-        xen_guest_tsc_info_t info;
++        xen_guest_tsc_info_t info = { 0 };
+ 
+         domain_pause(d);
+         tsc_get_info(d, &info.tsc_mode,
+Index: xen-4.5.0-testing/xen/common/sysctl.c
+===================================================================
+--- xen-4.5.0-testing.orig/xen/common/sysctl.c
++++ xen-4.5.0-testing/xen/common/sysctl.c
+@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
+     case XEN_SYSCTL_getdomaininfolist:
+     { 
+         struct domain *d;
+-        struct xen_domctl_getdomaininfo info;
++        struct xen_domctl_getdomaininfo info = { 0 };
+         u32 num_domains = 0;
+ 
+         rcu_read_lock(&domlist_read_lock);

CVE-2015-3456-xsa133-qemut.patch

@@ -0,0 +1,80 @@
+From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
+===================================================================
+--- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
++++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl
+ {
+     fdrive_t *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+     fdrive_t *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+     fdrive_t *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command

CVE-2015-3456-xsa133-qemuu.patch

@@ -0,0 +1,80 @@
+From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+Index: xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/block/fdc.c
+===================================================================
+--- xen-4.4.2-testing.orig/tools/qemu-xen-dir-remote/hw/block/fdc.c
++++ xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/block/fdc.c
+@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fd
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command

xen.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Mon May 11 15:07:30 MDT 2015 - carnold@suse.com
+
+- bsc#927967 - VUL-0: CVE-2015-3340: xen: Information leak through
+  XEN_DOMCTL_gettscinfo (XSA-132) 
+  5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
+
+-------------------------------------------------------------------
+Thu May  7 06:53:15 MDT 2015 - carnold@suse.com
+
+- bnc#929339 - VUL-0: CVE-2015-3456: qemu kvm xen: VENOM qemu
+  floppy driver host code execution
+  CVE-2015-3456-xsa133-qemuu.patch
+  CVE-2015-3456-xsa133-qemut.patch
+
 -------------------------------------------------------------------
 Mon Apr 27 09:55:01 MDT 2015 - carnold@suse.com
 

xen.spec

@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 # needssslcertforbuild
 
 Name:           xen
@@ -157,7 +158,7 @@ BuildRequires:  xorg-x11-util-devel
 %endif
 %endif
 
-Version:        4.5.0_03
+Version:        4.5.0_04
 Release:        0
 Summary:        Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
 License:        GPL-2.0
@@ -204,6 +205,7 @@ Patch1:         5124efbe-add-qxl-support.patch
 Patch2:         551ac326-xentop-add-support-for-qdisk.patch
 Patch3:         5513b458-allow-reboot-overrides-when-running-under-EFI.patch
 Patch4:         5513b4d1-dont-apply-reboot-quirks-if-reboot-set-by-user.patch
+Patch5:         5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
 # Upstream qemu
 Patch250:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251:       0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -214,6 +216,8 @@ Patch255:       0005-e1000-multi-buffer-packet-support.patch
 Patch256:       0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
 Patch257:       0007-e1000-verify-we-have-buffers-upfront.patch
 Patch258:       0008-e1000-check-buffer-availability.patch
+Patch260:       CVE-2015-3456-xsa133-qemuu.patch
+Patch261:       CVE-2015-3456-xsa133-qemut.patch
 # Our platform specific patches
 Patch301:       xen-destdir.patch
 Patch302:       vif-bridge-no-iptables.patch
@@ -507,6 +511,7 @@ Authors:
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
@@ -517,6 +522,8 @@ Authors:
 %patch256 -p1
 %patch257 -p1
 %patch258 -p1
+%patch260 -p1
+%patch261 -p1
 # Our platform specific patches
 %patch301 -p1
 %patch302 -p1