diff --git a/0005-libxl-Load-guest-BIOS-from-file.patch b/0005-libxl-Load-guest-BIOS-from-file.patch index 6d2b766..f421001 100644 --- a/0005-libxl-Load-guest-BIOS-from-file.patch +++ b/0005-libxl-Load-guest-BIOS-from-file.patch @@ -61,7 +61,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dom.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_dom.c +++ xen-4.7.0-testing/tools/libxl/libxl_dom.c -@@ -866,6 +866,38 @@ err: +@@ -860,6 +860,38 @@ err: return ret; } @@ -100,7 +100,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dom.c static int libxl__domain_firmware(libxl__gc *gc, libxl_domain_build_info *info, struct xc_dom_image *dom) -@@ -875,6 +907,7 @@ static int libxl__domain_firmware(libxl_ +@@ -869,6 +901,7 @@ static int libxl__domain_firmware(libxl_ int e, rc; int datalen = 0; void *data; @@ -108,7 +108,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dom.c if (info->u.hvm.firmware) firmware = info->u.hvm.firmware; -@@ -918,6 +951,30 @@ static int libxl__domain_firmware(libxl_ +@@ -912,6 +945,30 @@ static int libxl__domain_firmware(libxl_ goto out; } @@ -143,7 +143,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.7.0-testing/tools/libxl/libxl_internal.h -@@ -2314,6 +2314,8 @@ _hidden const char *libxl__xen_config_di +@@ -2317,6 +2317,8 @@ _hidden const char *libxl__xen_config_di _hidden const char *libxl__xen_script_dir_path(void); _hidden const char *libxl__lock_dir_path(void); _hidden const char *libxl__run_dir_path(void); diff --git a/CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch b/CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch new file mode 100644 index 0000000..b506174 --- /dev/null +++ b/CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch 
@@ -0,0 +1,37 @@
+References: bsc#982960 CVE-2016-5238
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
+command into a buffer. Add check to validate command length against
+buffer size to avoid any overrun.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/esp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+===================================================================
+--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+@@ -176,6 +176,9 @@ static uint32_t get_cmd(ESPState *s, uin
+ s->dma_memory_read(s->dma_opaque, buf, dmalen);
+ } else {
+ dmalen = s->ti_size;
++ if (dmalen > TI_BUFSZ) {
++ return 0;
++ }
+ memcpy(buf, s->ti_buf, dmalen);
+ buf[0] = 0;
+ }
+@@ -265,7 +268,7 @@ static void write_response(ESPState *s)
+ } else {
+ s->ti_size = 2;
+ s->ti_rptr = 0;
+- s->ti_wptr = 0;
++ s->ti_wptr = 2;
+ s->rregs[ESP_RFLAGS] = 2;
+ }
+ esp_raise_irq(s);
diff --git a/CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch b/CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
new file mode 100644
index 0000000..5d034a3
--- /dev/null
+++ b/CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
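Review bot: The guard added to get_cmd() in the CVE-2016-5238 patch, `if (dmalen > TI_BUFSZ)`, only rejects every bad length if `dmalen` is unsigned; if it were signed, a negative `ti_size` would pass the comparison and reach `memcpy(buf, s->ti_buf, dmalen)` as a very large length. The declarations of `dmalen` and `ti_size` are outside the hunk (get_cmd's body starts and ends beyond it), so this should be confirmed and recorded above the check, e.g. `/* ti_buf holds TI_BUFSZ bytes; dmalen is unsigned, so a negative ti_size is rejected here as well */`. The check bounds the read from `ti_buf`; whether the destination `buf` is at least TI_BUFSZ bytes is likewise not visible here. The early `return 0` is silent, and an `ESP_ERROR(...)` line before it would make a rejected command visible when debugging a guest.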
@@ -0,0 +1,65 @@
+References: bsc#983984 CVE-2016-5338
+
+The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
+FIFO buffers. One is used to handle commands and other is for
+information transfer. Three control variables 'ti_rptr',
+'ti_wptr' and 'ti_size' are used to control r/w access to the
+information transfer buffer ti_buf[TI_BUFSZ=16]. In that,
+
+'ti_rptr' is used as read index, where read occurs.
+'ti_wptr' is a write index, where write would occur.
+'ti_size' indicates total bytes to be read from the buffer.
+
+While reading/writing to this buffer, index could exceed its
+size. Add check to avoid OOB r/w access.
+
+Reported-by: Huawei PSIRT
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/esp.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+Update as per:
+ -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01326.html
+
+Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+===================================================================
+--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+@@ -435,18 +435,17 @@ static uint32_t esp_mem_readb(void *opaq
+ DPRINTF("read reg[%d]: 0x%2.2x\n", saddr, s->rregs[saddr]);
+ switch (saddr) {
+ case ESP_FIFO:
+- if (s->ti_size > 0) {
++ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
++ /* Data out. */
++ ESP_ERROR("PIO data read not implemented\n");
++ s->rregs[ESP_FIFO] = 0;
++ esp_raise_irq(s);
++ } else if (s->ti_rptr < s->ti_wptr) {
+ s->ti_size--;
+- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
+- /* Data out. 
*/
+- ESP_ERROR("PIO data read not implemented\n");
+- s->rregs[ESP_FIFO] = 0;
+- } else {
+- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
+- }
++ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
+ esp_raise_irq(s);
+ }
+- if (s->ti_size == 0) {
++ if (s->ti_rptr == s->ti_wptr) {
+ s->ti_rptr = 0;
+ s->ti_wptr = 0;
+ }
+@@ -482,7 +481,7 @@ static void esp_mem_writeb(void *opaque,
+ } else {
+ ESP_ERROR("fifo overrun\n");
+ }
+- } else if (s->ti_size == TI_BUFSZ - 1) {
++ } else if (s->ti_wptr == TI_BUFSZ - 1) {
+ ESP_ERROR("fifo overrun\n");
+ } else {
+ s->ti_size++;
diff --git a/block-dmmd b/block-dmmd
index e681a43..64475ed 100644
--- a/block-dmmd
+++ b/block-dmmd
@@ -272,7 +272,7 @@ case "$command" in
 add)
 p=`xenstore-read $XENBUS_PATH/params` || true
 claim_lock "dmmd"
- dmmd=$p
+ dmmd=${p#dmmd:}
 parse_par activate "$dmmd"
 rc=$?
 if [ $rc -ne 0 ]; then
@@ -291,7 +291,7 @@ case "$command" in
 remove)
 p=`xenstore-read $XENBUS_PATH/params` || true
 claim_lock "dmmd"
- dmmd=$p
+ dmmd=${p#dmmd:}
 parse_par noactivate "$dmmd"
 cleanup_stack
 release_lock "dmmd"
diff --git a/ipxe.tar.bz2 b/ipxe.tar.bz2
index b4f59b9..0c0393c 100644
--- a/ipxe.tar.bz2
+++ b/ipxe.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7f7466ee1dd84c86ee614b8d32313e1bcfcfbe4b394c14209b6fc32552bed334
-size 2877765
+oid sha256:cedb8a940072948d3c94933f75d48749ca5f3f7b4b103fab2146d86e7a04250e
+size 2877499
diff --git a/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch b/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
index dda7628..2535774 100644
--- a/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
+++ b/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
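Review bot: In the esp_mem_writeb hunk of the CVE-2016-5338 patch, the overrun guard is an equality test, `s->ti_wptr == TI_BUFSZ - 1`, so it protects `ti_buf` only while every other path keeps `ti_wptr` at or below that value; a `ti_wptr` that is already larger (set by code not visible in this hunk) would skip the guard and fall through to the `else` branch that writes into the FIFO. A range check is the more defensive form: `} else if (s->ti_wptr >= TI_BUFSZ - 1) {`. In the esp_mem_readb hunk, `ti_size` is still decremented on each FIFO read but no longer decides when the pointers are reset, so it can drift away from `ti_wptr - ti_rptr`; a short comment stating which of the three variables is authoritative for bounds checks would help the next reader. Both functions continue outside the hunks shown.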
@@ -11,7 +11,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl.c +++ xen-4.7.0-testing/tools/libxl/libxl.c -@@ -2559,6 +2559,8 @@ static void device_disk_add(libxl__egc * +@@ -2575,6 +2575,8 @@ static void device_disk_add(libxl__egc * flexarray_append_pair(back, "discard-enable", libxl_defbool_val(disk->discard_enable) ? "1" : "0"); diff --git a/libxl.pvscsi.patch b/libxl.pvscsi.patch index ed08e80..bfbad39 100644 --- a/libxl.pvscsi.patch +++ b/libxl.pvscsi.patch @@ -154,7 +154,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl.c +++ xen-4.7.0-testing/tools/libxl/libxl.c -@@ -4326,6 +4326,7 @@ DEFINE_DEVICE_REMOVE_CUSTOM(usbctrl, des +@@ -4387,6 +4387,7 @@ DEFINE_DEVICE_REMOVE_CUSTOM(usbctrl, des /* The following functions are defined: * libxl_device_disk_add * libxl_device_nic_add @@ -162,7 +162,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c * libxl_device_vtpm_add * libxl_device_usbctrl_add * libxl_device_usbdev_add -@@ -4357,6 +4358,9 @@ DEFINE_DEVICE_ADD(disk) +@@ -4418,6 +4419,9 @@ DEFINE_DEVICE_ADD(disk) /* nic */ DEFINE_DEVICE_ADD(nic) @@ -172,7 +172,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c /* vtpm */ DEFINE_DEVICE_ADD(vtpm) -@@ -7309,6 +7313,11 @@ int libxl_retrieve_domain_configuration( +@@ -7370,6 +7374,11 @@ int libxl_retrieve_domain_configuration( MERGE(nic, nics, COMPARE_DEVID, {}); 
@@ -248,7 +248,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_create.c +++ xen-4.7.0-testing/tools/libxl/libxl_create.c -@@ -740,6 +740,8 @@ static void domcreate_bootloader_done(li +@@ -742,6 +742,8 @@ static void domcreate_bootloader_done(li static void domcreate_launch_dm(libxl__egc *egc, libxl__multidev *aodevs, int ret); @@ -257,7 +257,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c static void domcreate_attach_vtpms(libxl__egc *egc, libxl__multidev *multidev, int ret); static void domcreate_attach_usbctrls(libxl__egc *egc, -@@ -1432,13 +1434,13 @@ static void domcreate_devmodel_started(l +@@ -1434,13 +1436,13 @@ static void domcreate_devmodel_started(l if (d_config->num_nics > 0) { /* Attach nics */ libxl__multidev_begin(ao, &dcs->multidev); @@ -273,7 +273,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c return; error_out: -@@ -1446,7 +1448,7 @@ error_out: +@@ -1448,7 +1450,7 @@ error_out: domcreate_complete(egc, dcs, ret); } @@ -282,7 +282,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c libxl__multidev *multidev, int ret) { -@@ -1461,6 +1463,39 @@ static void domcreate_attach_vtpms(libxl +@@ -1463,6 +1465,39 @@ static void domcreate_attach_vtpms(libxl goto error_out; } @@ -326,7 +326,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_device.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_device.c +++ xen-4.7.0-testing/tools/libxl/libxl_device.c -@@ -616,6 +616,7 @@ void libxl__multidev_prepared(libxl__egc +@@ -684,6 +684,7 @@ void libxl__multidev_prepared(libxl__egc * The following functions are defined: * libxl__add_disks * libxl__add_nics 
@@ -334,7 +334,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_device.c * libxl__add_vtpms * libxl__add_usbctrls * libxl__add_usbs -@@ -637,6 +638,7 @@ void libxl__multidev_prepared(libxl__egc +@@ -705,6 +706,7 @@ void libxl__multidev_prepared(libxl__egc DEFINE_DEVICES_ADD(disk) DEFINE_DEVICES_ADD(nic) @@ -346,7 +346,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.7.0-testing/tools/libxl/libxl_internal.h -@@ -2627,6 +2627,10 @@ _hidden void libxl__device_nic_add(libxl +@@ -2630,6 +2630,10 @@ _hidden void libxl__device_nic_add(libxl libxl_device_nic *nic, libxl__ao_device *aodev); @@ -357,7 +357,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h _hidden void libxl__device_vtpm_add(libxl__egc *egc, uint32_t domid, libxl_device_vtpm *vtpm, libxl__ao_device *aodev); -@@ -3485,6 +3489,10 @@ _hidden void libxl__add_nics(libxl__egc +@@ -3488,6 +3492,10 @@ _hidden void libxl__add_nics(libxl__egc libxl_domain_config *d_config, libxl__multidev *multidev); diff --git a/libxl.set-migration-constraints-from-cmdline.patch b/libxl.set-migration-constraints-from-cmdline.patch index 3dae83b..3176dd7 100644 --- a/libxl.set-migration-constraints-from-cmdline.patch +++ b/libxl.set-migration-constraints-from-cmdline.patch @@ -331,7 +331,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.7.0-testing/tools/libxl/libxl_internal.h -@@ -3289,6 +3289,10 @@ struct libxl__domain_save_state { +@@ -3292,6 +3292,10 @@ struct libxl__domain_save_state { /* private */ int rc; int hvm; diff --git a/qemu-xen-traditional-dir-remote.tar.bz2 b/qemu-xen-traditional-dir-remote.tar.bz2 index 4dfaeb6..980eaee 100644 --- a/qemu-xen-traditional-dir-remote.tar.bz2 +++ b/qemu-xen-traditional-dir-remote.tar.bz2 
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:54cfea54f25455c6c81a20612fac0299891eac7cbce15a44d03c9696a9eb9cb0 -size 3237789 +oid sha256:5b687988f256884ff76fa098b9e80b35f6b6a4fb1657b9a1b397cfb1cf803a81 +size 3237484 diff --git a/stubdom.tar.bz2 b/stubdom.tar.bz2 index befbe6a..d25ac86 100644 --- a/stubdom.tar.bz2 +++ b/stubdom.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:2ee40d136161727460051051a7c5fbfc6ebdc16391dce5ea43db6756a768301b -size 17477603 +oid sha256:668c2c85b21a02203ccd8a559a0f8c7e01ca7f60ef4b12576e35490ec705b5f4 +size 17477020 diff --git a/xen-4.7.0-testing-src.tar.bz2 b/xen-4.7.0-testing-src.tar.bz2 index af76c29..70d86dc 100644 --- a/xen-4.7.0-testing-src.tar.bz2 +++ b/xen-4.7.0-testing-src.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:dd0d35cd73eb363317bdbda1a9e1900393451ab4e5069b7c142512a6a368902d -size 4465975 +oid sha256:d53bd33cf3e5fe1d7ac3145f6cc9a75829e1690fcc26ac9df113c212361dfcb7 +size 4465808 diff --git a/xen.changes b/xen.changes index 53dd8b1..43ba451 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Thu Jun 9 11:10:33 MDT 2016 - carnold@suse.com + +- bsc#983984 - VUL-0: CVE-2016-5338: xen: qemu: scsi: esp: OOB r/w + access while processing ESP_FIFO + CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch +- bsc#982960 - VUL-0: CVE-2016-5238: xen: qemu: scsi: esp: OOB + write when using non-DMA mode in get_cmd + CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch + +------------------------------------------------------------------- +Tue Jun 7 08:05:09 MDT 2016 - carnold@suse.com + +- fate#319989 - Update to Xen 4.7 RC5 + xen-4.7.0-testing-src.tar.bz2 + ------------------------------------------------------------------- Tue May 25 08:54:54 MDT 2016 - carnold@suse.com 
@@ -34,6 +50,13 @@ Tue May 17 10:16:47 MDT 2016 - carnold@suse.com x86-PoD-only-reclaim-if-needed.patch gcc6-warnings-as-errors.patch +------------------------------------------------------------------- +Wed May 11 16:55:23 MDT 2016 - carnold@suse.com + +- bsc#954872 - script block-dmmd not working as expected - libxl: + error: libxl_dm.c (another modification) + block-dmmd + ------------------------------------------------------------------- Tue May 10 14:39:00 MDT 2016 - carnold@suse.com diff --git a/xen.libxl.dmmd.patch b/xen.libxl.dmmd.patch index 594d27c..684e437 100644 --- a/xen.libxl.dmmd.patch +++ b/xen.libxl.dmmd.patch @@ -11,7 +11,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl.c +++ xen-4.7.0-testing/tools/libxl/libxl.c -@@ -2506,6 +2506,10 @@ static void device_disk_add(libxl__egc * +@@ -2522,6 +2522,10 @@ static void device_disk_add(libxl__egc * /* now create a phy device to export the device to the guest */ goto do_backend_phy; case LIBXL_DISK_BACKEND_QDISK: @@ -26,7 +26,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_device.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_device.c +++ xen-4.7.0-testing/tools/libxl/libxl_device.c -@@ -240,7 +240,8 @@ static int disk_try_backend(disk_try_bac +@@ -293,7 +293,8 @@ static int disk_try_backend(disk_try_bac return backend; case LIBXL_DISK_BACKEND_QDISK: @@ -40,7 +40,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dm.c =================================================================== --- xen-4.7.0-testing.orig/tools/libxl/libxl_dm.c +++ xen-4.7.0-testing/tools/libxl/libxl_dm.c -@@ -887,6 +887,30 @@ static char *qemu_disk_ide_drive_string( +@@ -903,6 +903,30 @@ static char *qemu_disk_ide_drive_string( return drive; } 
@@ -71,7 +71,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dm.c static int libxl__build_device_model_args_new(libxl__gc *gc, const char *dm, int guest_domid, const libxl_domain_config *guest_config, -@@ -1308,9 +1332,11 @@ static int libxl__build_device_model_arg +@@ -1326,9 +1350,11 @@ static int libxl__build_device_model_arg libxl__device_disk_dev_number(disks[i].vdev, &disk, &part); const char *format; char *drive; @@ -84,7 +84,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dm.c if (dev_number == -1) { LOG(WARN, "unable to determine"" disk number for %s", disks[i].vdev); -@@ -1351,7 +1377,7 @@ static int libxl__build_device_model_arg +@@ -1369,7 +1395,7 @@ static int libxl__build_device_model_arg * the bootloader path. */ if (disks[i].backend == LIBXL_DISK_BACKEND_TAP) diff --git a/xen.spec b/xen.spec index e86c48b..0e168b3 100644 --- a/xen.spec +++ b/xen.spec @@ -160,7 +160,7 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.7.0_04 +Version: 4.7.0_06 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 @@ -229,6 +229,8 @@ Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch Patch279: CVE-2014-3672-qemut-xsa180.patch +Patch280: CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch +Patch281: CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch # qemu-traditional patches that are not upstream Patch350: blktap.patch Patch351: cdrom-removable.patch @@ -546,6 +548,8 @@ Authors: %patch277 -p1 %patch278 -p1 %patch279 -p1 +%patch280 -p1 +%patch281 -p1 # Qemu traditional %patch350 -p1 %patch351 -p1 
@@ -1047,7 +1051,7 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper /usr/sbin/xen-list /usr/sbin/xen-destroy /usr/sbin/xen-bugtool -/usr/sbin/xen-xsplice +/usr/sbin/xen-livepatch %dir %attr(700,root,root) /etc/xen %dir /etc/xen/scripts %if %{?with_qemu_traditional}0