diff --git a/5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch b/5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
new file mode 100644
index 0000000..96edbdf
--- /dev/null
+++ b/5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
@@ -0,0 +1,37 @@
+Subject: domctl/sysctl: don't leak hypervisor stack to toolstacks
+From: Andrew Cooper andrew.cooper3@citrix.com Tue Apr 21 09:03:15 2015 +0200
+Date: Tue Apr 21 09:03:15 2015 +0200:
+Git: 4ff3449f0e9d175ceb9551d3f2aecb59273f639d
+
+This is CVE-2015-3340 / XSA-132.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+Acked-by: Ian Campbell
+
+Index: xen-4.5.0-testing/xen/arch/x86/domctl.c
+===================================================================
+--- xen-4.5.0-testing.orig/xen/arch/x86/domctl.c
++++ xen-4.5.0-testing/xen/arch/x86/domctl.c
+@@ -886,7 +886,7 @@ long arch_do_domctl(
+ 
+ case XEN_DOMCTL_gettscinfo:
+ {
+- xen_guest_tsc_info_t info;
++ xen_guest_tsc_info_t info = { 0 };
+ 
+ domain_pause(d);
+ tsc_get_info(d, &info.tsc_mode,
+Index: xen-4.5.0-testing/xen/common/sysctl.c
+===================================================================
+--- xen-4.5.0-testing.orig/xen/common/sysctl.c
++++ xen-4.5.0-testing/xen/common/sysctl.c
+@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
+ case XEN_SYSCTL_getdomaininfolist:
+ {
+ struct domain *d;
+- struct xen_domctl_getdomaininfo info;
++ struct xen_domctl_getdomaininfo info = { 0 };
+ u32 num_domains = 0;
+ 
+ rcu_read_lock(&domlist_read_lock);
diff --git a/CVE-2015-3456-xsa133-qemut.patch b/CVE-2015-3456-xsa133-qemut.patch
new file mode 100644
index 0000000..1765290
--- /dev/null
+++ b/CVE-2015-3456-xsa133-qemut.patch
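Review bot: `xen_guest_tsc_info_t info = { 0 };` in arch_do_domctl and `struct xen_domctl_getdomaininfo info = { 0 };` in do_sysctl zero the named members, but C11 6.7.9 does not guarantee that padding bytes of an automatic object are cleared by a brace initializer, so any padding inside either structure can still carry hypervisor stack bytes to the copy-out that follows (outside this hunk). A `memset(&info, 0, sizeof(info));` on the line after each declaration gives the guarantee the subject line promises independent of compiler behaviour, which matters for an XSA fix that will be backported across toolchains. Both `case` bodies start and end outside the hunk, so whether every member is assigned before the copy cannot be confirmed from here; a comment such as `/* Zeroed because it is copied to the toolstack below; must not expose stack (XSA-132). */` would record why the initializer is not optional.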
@@ -0,0 +1,80 @@
+From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek
+Reviewed-by: John Snow
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
+===================================================================
+--- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
++++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
+@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+ 
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+ 
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+ 
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t
+ }
+ 
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
diff --git a/CVE-2015-3456-xsa133-qemuu.patch b/CVE-2015-3456-xsa133-qemuu.patch
new file mode 100644
index 0000000..1fb479f
--- /dev/null
+++ b/CVE-2015-3456-xsa133-qemuu.patch
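Review bot: `pos %= FD_SECTOR_LEN;` in fdctrl_write_data keeps the store inside the fifo, but `fdctrl->data_pos` itself still advances without bound and the unchanged `fdctrl->data_pos == fdctrl->data_len` test is true only on exact equality, so a guest that has already pushed data_pos past data_len keeps wrapping its writes over the parameter bytes it previously supplied instead of completing or being rejected; that is memory-safe but worth a comment so nobody later "optimises" the modulo away. The fix is sound only if the fifo is allocated with exactly FD_SECTOR_LEN bytes, and that allocation is not in this hunk, so the assumption should be recorded next to the first new bound in fdctrl_read_data: `/* data_pos is guest-controlled; every fifo index must stay inside the FD_SECTOR_LEN buffer (CVE-2015-3456). */`. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1;` wraps to 0xffffffff when data_pos is 0 and the modulo then yields 511, which is in bounds but reads a stale byte; presumably the dispatcher only invokes this handler after at least one parameter byte has arrived, but that precondition is outside the hunk. All four enclosing functions continue beyond the hunk.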
@@ -0,0 +1,80 @@
+From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek
+Reviewed-by: John Snow
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+Index: xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/block/fdc.c
+===================================================================
+--- xen-4.4.2-testing.orig/tools/qemu-xen-dir-remote/hw/block/fdc.c
++++ xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/block/fdc.c
+@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+ 
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+ 
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+ 
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fd
+ }
+ 
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
diff --git a/xen.changes b/xen.changes
index eb46158..2529de2 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Mon May 11 15:07:30 MDT 2015 - carnold@suse.com
+
+- bsc#927967 - VUL-0: CVE-2015-3340: xen: Information leak through
+ XEN_DOMCTL_gettscinfo (XSA-132)
+ 5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
+
+-------------------------------------------------------------------
+Thu May 7 06:53:15 MDT 2015 - carnold@suse.com
+
+- bnc#929339 - VUL-0: CVE-2015-3456: qemu kvm xen: VENOM qemu
+ floppy driver host code execution
+ CVE-2015-3456-xsa133-qemuu.patch
+ CVE-2015-3456-xsa133-qemut.patch
+
 -------------------------------------------------------------------
 Mon Apr 27 09:55:01 MDT 2015 - carnold@suse.com
diff --git a/xen.spec b/xen.spec
index 0387a7d..5d4b005 100644
--- a/xen.spec
+++ b/xen.spec
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
+
 # needssslcertforbuild
 Name: xen
@@ -157,7 +158,7 @@ BuildRequires: xorg-x11-util-devel
 %endif
 %endif
-Version: 4.5.0_03
+Version: 4.5.0_04
 Release: 0
 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
 License: GPL-2.0
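Review bot: The same open-coded `pos %= FD_SECTOR_LEN;` bound is now repeated at three guest-reachable sites (fdctrl_read_data, fdctrl_handle_drive_specification_command, fdctrl_write_data) with nothing tying it to the fifo's actual allocation, which is not in this hunk; a single helper such as `static inline uint32_t fdctrl_fifo_index(uint32_t pos) { return pos % FD_SECTOR_LEN; }` with a comment stating that the fifo is allocated with exactly FD_SECTOR_LEN bytes would keep the invariant in one place and make a future change to the allocation size visibly unsafe. If the controller tracks its fifo allocation size in a field, bounding by that field rather than the constant would be the more robust choice, but I cannot see one from here. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1;` underflows to 0xffffffff when data_pos is 0 and the modulo maps it to 511; this stays inside the buffer but silently reads a stale parameter byte, and the precondition that at least one parameter has been received is presumably enforced by the dispatcher outside the hunk, so it deserves a comment on that line. All enclosing functions continue beyond the hunk.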
@@ -204,6 +205,7 @@ Patch1: 5124efbe-add-qxl-support.patch
 Patch2: 551ac326-xentop-add-support-for-qdisk.patch
 Patch3: 5513b458-allow-reboot-overrides-when-running-under-EFI.patch
 Patch4: 5513b4d1-dont-apply-reboot-quirks-if-reboot-set-by-user.patch
+Patch5: 5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
 # Upstream qemu
 Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -214,6 +216,8 @@ Patch255: 0005-e1000-multi-buffer-packet-support.patch
 Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
 Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch
 Patch258: 0008-e1000-check-buffer-availability.patch
+Patch260: CVE-2015-3456-xsa133-qemuu.patch
+Patch261: CVE-2015-3456-xsa133-qemut.patch
 # Our platform specific patches
 Patch301: xen-destdir.patch
 Patch302: vif-bridge-no-iptables.patch
@@ -507,6 +511,7 @@ Authors:
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
@@ -517,6 +522,8 @@ Authors:
 %patch256 -p1
 %patch257 -p1
 %patch258 -p1
+%patch260 -p1
+%patch261 -p1
 # Our platform specific patches
 %patch301 -p1
 %patch302 -p1
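Review bot: `%patch260 -p1` and `%patch261 -p1` apply files whose `Index:` lines name `xen-4.4.2-testing/` and `xen-4.2.5-testing/` trees, while `Patch5` and the package being built are `xen-4.5.0-testing`; `-p1` discards that first component so the build works, but the mismatch suggests the two qemu hunks were carried over rather than regenerated against the 4.5.0 qemu-xen and qemu-xen-traditional sources, and a hunk that applies with fuzz or offset to a different fdc.c would not be noticed. I would refresh both patches against the 4.5.0 tree so the prefix matches the rest of the series, or at least add `# taken unmodified from upstream QEMU, paths refreshed for 4.5.0` above `Patch260:`. The `Patch5:`/`%patch5 -p1` pair follows the existing numbering, and the qemu blocks around the new entries are unchanged context.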