- bsc#983984 - VUL-0: CVE-2016-5338: xen: qemu: scsi: esp: OOB r/w
  access while processing ESP_FIFO
  CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
- bsc#982960 - VUL-0: CVE-2016-5238: xen: qemu: scsi: esp: OOB
  write when using non-DMA mode in get_cmd
  CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch

- fate#319989 - Update to Xen 4.7 RC5
  xen-4.7.0-testing-src.tar.bz2

- bsc#954872 - script block-dmmd not working as expected - libxl:
  error: libxl_dm.c (another modification)
  block-dmmd

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=435
Charles Arnold 2016-06-09 22:06:26 +00:00 committed by Git OBS Bridge
parent 6f47abb900
commit 28ce061413
14 changed files with 163 additions and 34 deletions


@ -61,7 +61,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.7.0-testing/tools/libxl/libxl_dom.c
@@ -866,6 +866,38 @@ err:
@@ -860,6 +860,38 @@ err:
return ret;
}
@ -100,7 +100,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dom.c
static int libxl__domain_firmware(libxl__gc *gc,
libxl_domain_build_info *info,
struct xc_dom_image *dom)
@@ -875,6 +907,7 @@ static int libxl__domain_firmware(libxl_
@@ -869,6 +901,7 @@ static int libxl__domain_firmware(libxl_
int e, rc;
int datalen = 0;
void *data;
@ -108,7 +108,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dom.c
if (info->u.hvm.firmware)
firmware = info->u.hvm.firmware;
@@ -918,6 +951,30 @@ static int libxl__domain_firmware(libxl_
@@ -912,6 +945,30 @@ static int libxl__domain_firmware(libxl_
goto out;
}
@ -143,7 +143,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_internal.h
+++ xen-4.7.0-testing/tools/libxl/libxl_internal.h
@@ -2314,6 +2314,8 @@ _hidden const char *libxl__xen_config_di
@@ -2317,6 +2317,8 @@ _hidden const char *libxl__xen_config_di
_hidden const char *libxl__xen_script_dir_path(void);
_hidden const char *libxl__lock_dir_path(void);
_hidden const char *libxl__run_dir_path(void);


@ -0,0 +1,37 @@
References: bsc#982960 CVE-2016-5238
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
command into a buffer. Add check to validate command length against
buffer size to avoid any overrun.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/esp.c | 3 +++
1 file changed, 3 insertions(+)
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
@@ -176,6 +176,9 @@ static uint32_t get_cmd(ESPState *s, uin
s->dma_memory_read(s->dma_opaque, buf, dmalen);
} else {
dmalen = s->ti_size;
+ if (dmalen > TI_BUFSZ) {
+ return 0;
+ }
memcpy(buf, s->ti_buf, dmalen);
buf[0] = 0;
}
@@ -265,7 +268,7 @@ static void write_response(ESPState *s)
} else {
s->ti_size = 2;
s->ti_rptr = 0;
- s->ti_wptr = 0;
+ s->ti_wptr = 2;
s->rregs[ESP_RFLAGS] = 2;
}
esp_raise_irq(s);
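Review bot: The `if (dmalen > TI_BUFSZ)` guard added to the non-DMA branch of get_cmd() rejects a negative `s->ti_size` only if `dmalen` is an unsigned type, and its declaration is outside this hunk; with a signed `dmalen`, a negative value would pass the comparison and reach `memcpy(buf, s->ti_buf, dmalen)` as a very large length. Assuming `ti_size` is a signed field, checking the range before the assignment with `if (s->ti_size < 0 || s->ti_size > TI_BUFSZ) { return 0; }` removes the dependence on that conversion. The rejection is also silent, whereas the same file reports the comparable FIFO condition with `ESP_ERROR("fifo overrun\n")`; a similar message here would make a guest that trips the check visible in the device-model log. Separately, the patch description and its embedded diffstat (`3 insertions(+)`) cover only the get_cmd() hunk, so the `s->ti_wptr = 2` change in write_response() deserves a line of explanation in the patch header.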


@ -0,0 +1,65 @@
References: bsc#983984 CVE-2016-5338
The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
FIFO buffers. One is used to handle commands and other is for
information transfer. Three control variables 'ti_rptr',
'ti_wptr' and 'ti_size' are used to control r/w access to the
information transfer buffer ti_buf[TI_BUFSZ=16]. In that,
'ti_rptr' is used as read index, where read occurs.
'ti_wptr' is a write index, where write would occur.
'ti_size' indicates total bytes to be read from the buffer.
While reading/writing to this buffer, index could exceed its
size. Add check to avoid OOB r/w access.
Reported-by: Huawei PSIRT <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/esp.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
Update as per:
-> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01326.html
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
@@ -435,18 +435,17 @@ static uint32_t esp_mem_readb(void *opaq
DPRINTF("read reg[%d]: 0x%2.2x\n", saddr, s->rregs[saddr]);
switch (saddr) {
case ESP_FIFO:
- if (s->ti_size > 0) {
+ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
+ /* Data out. */
+ ESP_ERROR("PIO data read not implemented\n");
+ s->rregs[ESP_FIFO] = 0;
+ esp_raise_irq(s);
+ } else if (s->ti_rptr < s->ti_wptr) {
s->ti_size--;
- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
- /* Data out. */
- ESP_ERROR("PIO data read not implemented\n");
- s->rregs[ESP_FIFO] = 0;
- } else {
- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
- }
+ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
esp_raise_irq(s);
}
- if (s->ti_size == 0) {
+ if (s->ti_rptr == s->ti_wptr) {
s->ti_rptr = 0;
s->ti_wptr = 0;
}
@@ -482,7 +481,7 @@ static void esp_mem_writeb(void *opaque,
} else {
ESP_ERROR("fifo overrun\n");
}
- } else if (s->ti_size == TI_BUFSZ - 1) {
+ } else if (s->ti_wptr == TI_BUFSZ - 1) {
ESP_ERROR("fifo overrun\n");
} else {
s->ti_size++;
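Review bot: The overrun test in esp_mem_writeb() is now the equality `s->ti_wptr == TI_BUFSZ - 1`, so it stops the write index only when the index reaches that exact value one increment at a time. If any path sets `ti_wptr` other than by this increment (restored device state would be one candidate, not visible here), a larger value falls through to the `s->ti_size++` branch, whose buffer store presumably follows outside the hunk. Writing it as `} else if (s->ti_wptr >= TI_BUFSZ - 1) {` costs nothing and fails closed. The read side in esp_mem_readb() has the same dependency: `s->ti_rptr < s->ti_wptr` bounds the index into `ti_buf` only while `ti_wptr <= TI_BUFSZ` holds, and a short comment above that `else if` should state this invariant. Both function bodies continue beyond the hunks shown.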


@ -272,7 +272,7 @@ case "$command" in
add)
p=`xenstore-read $XENBUS_PATH/params` || true
claim_lock "dmmd"
dmmd=$p
dmmd=${p#dmmd:}
parse_par activate "$dmmd"
rc=$?
if [ $rc -ne 0 ]; then
@ -291,7 +291,7 @@ case "$command" in
remove)
p=`xenstore-read $XENBUS_PATH/params` || true
claim_lock "dmmd"
dmmd=$p
dmmd=${p#dmmd:}
parse_par noactivate "$dmmd"
cleanup_stack
release_lock "dmmd"


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7f7466ee1dd84c86ee614b8d32313e1bcfcfbe4b394c14209b6fc32552bed334
size 2877765
oid sha256:cedb8a940072948d3c94933f75d48749ca5f3f7b4b103fab2146d86e7a04250e
size 2877499


@ -11,7 +11,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl.c
+++ xen-4.7.0-testing/tools/libxl/libxl.c
@@ -2559,6 +2559,8 @@ static void device_disk_add(libxl__egc *
@@ -2575,6 +2575,8 @@ static void device_disk_add(libxl__egc *
flexarray_append_pair(back, "discard-enable",
libxl_defbool_val(disk->discard_enable) ?
"1" : "0");


@ -154,7 +154,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl.c
+++ xen-4.7.0-testing/tools/libxl/libxl.c
@@ -4326,6 +4326,7 @@ DEFINE_DEVICE_REMOVE_CUSTOM(usbctrl, des
@@ -4387,6 +4387,7 @@ DEFINE_DEVICE_REMOVE_CUSTOM(usbctrl, des
/* The following functions are defined:
* libxl_device_disk_add
* libxl_device_nic_add
@ -162,7 +162,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c
* libxl_device_vtpm_add
* libxl_device_usbctrl_add
* libxl_device_usbdev_add
@@ -4357,6 +4358,9 @@ DEFINE_DEVICE_ADD(disk)
@@ -4418,6 +4419,9 @@ DEFINE_DEVICE_ADD(disk)
/* nic */
DEFINE_DEVICE_ADD(nic)
@ -172,7 +172,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c
/* vtpm */
DEFINE_DEVICE_ADD(vtpm)
@@ -7309,6 +7313,11 @@ int libxl_retrieve_domain_configuration(
@@ -7370,6 +7374,11 @@ int libxl_retrieve_domain_configuration(
MERGE(nic, nics, COMPARE_DEVID, {});
@ -248,7 +248,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.7.0-testing/tools/libxl/libxl_create.c
@@ -740,6 +740,8 @@ static void domcreate_bootloader_done(li
@@ -742,6 +742,8 @@ static void domcreate_bootloader_done(li
static void domcreate_launch_dm(libxl__egc *egc, libxl__multidev *aodevs,
int ret);
@ -257,7 +257,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c
static void domcreate_attach_vtpms(libxl__egc *egc, libxl__multidev *multidev,
int ret);
static void domcreate_attach_usbctrls(libxl__egc *egc,
@@ -1432,13 +1434,13 @@ static void domcreate_devmodel_started(l
@@ -1434,13 +1436,13 @@ static void domcreate_devmodel_started(l
if (d_config->num_nics > 0) {
/* Attach nics */
libxl__multidev_begin(ao, &dcs->multidev);
@ -273,7 +273,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c
return;
error_out:
@@ -1446,7 +1448,7 @@ error_out:
@@ -1448,7 +1450,7 @@ error_out:
domcreate_complete(egc, dcs, ret);
}
@ -282,7 +282,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_create.c
libxl__multidev *multidev,
int ret)
{
@@ -1461,6 +1463,39 @@ static void domcreate_attach_vtpms(libxl
@@ -1463,6 +1465,39 @@ static void domcreate_attach_vtpms(libxl
goto error_out;
}
@ -326,7 +326,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_device.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_device.c
+++ xen-4.7.0-testing/tools/libxl/libxl_device.c
@@ -616,6 +616,7 @@ void libxl__multidev_prepared(libxl__egc
@@ -684,6 +684,7 @@ void libxl__multidev_prepared(libxl__egc
* The following functions are defined:
* libxl__add_disks
* libxl__add_nics
@ -334,7 +334,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_device.c
* libxl__add_vtpms
* libxl__add_usbctrls
* libxl__add_usbs
@@ -637,6 +638,7 @@ void libxl__multidev_prepared(libxl__egc
@@ -705,6 +706,7 @@ void libxl__multidev_prepared(libxl__egc
DEFINE_DEVICES_ADD(disk)
DEFINE_DEVICES_ADD(nic)
@ -346,7 +346,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_internal.h
+++ xen-4.7.0-testing/tools/libxl/libxl_internal.h
@@ -2627,6 +2627,10 @@ _hidden void libxl__device_nic_add(libxl
@@ -2630,6 +2630,10 @@ _hidden void libxl__device_nic_add(libxl
libxl_device_nic *nic,
libxl__ao_device *aodev);
@ -357,7 +357,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h
_hidden void libxl__device_vtpm_add(libxl__egc *egc, uint32_t domid,
libxl_device_vtpm *vtpm,
libxl__ao_device *aodev);
@@ -3485,6 +3489,10 @@ _hidden void libxl__add_nics(libxl__egc
@@ -3488,6 +3492,10 @@ _hidden void libxl__add_nics(libxl__egc
libxl_domain_config *d_config,
libxl__multidev *multidev);


@ -331,7 +331,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_internal.h
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_internal.h
+++ xen-4.7.0-testing/tools/libxl/libxl_internal.h
@@ -3289,6 +3289,10 @@ struct libxl__domain_save_state {
@@ -3292,6 +3292,10 @@ struct libxl__domain_save_state {
/* private */
int rc;
int hvm;


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:54cfea54f25455c6c81a20612fac0299891eac7cbce15a44d03c9696a9eb9cb0
size 3237789
oid sha256:5b687988f256884ff76fa098b9e80b35f6b6a4fb1657b9a1b397cfb1cf803a81
size 3237484


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2ee40d136161727460051051a7c5fbfc6ebdc16391dce5ea43db6756a768301b
size 17477603
oid sha256:668c2c85b21a02203ccd8a559a0f8c7e01ca7f60ef4b12576e35490ec705b5f4
size 17477020


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd0d35cd73eb363317bdbda1a9e1900393451ab4e5069b7c142512a6a368902d
size 4465975
oid sha256:d53bd33cf3e5fe1d7ac3145f6cc9a75829e1690fcc26ac9df113c212361dfcb7
size 4465808


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Thu Jun 9 11:10:33 MDT 2016 - carnold@suse.com
- bsc#983984 - VUL-0: CVE-2016-5338: xen: qemu: scsi: esp: OOB r/w
access while processing ESP_FIFO
CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
- bsc#982960 - VUL-0: CVE-2016-5238: xen: qemu: scsi: esp: OOB
write when using non-DMA mode in get_cmd
CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch
-------------------------------------------------------------------
Tue Jun 7 08:05:09 MDT 2016 - carnold@suse.com
- fate#319989 - Update to Xen 4.7 RC5
xen-4.7.0-testing-src.tar.bz2
-------------------------------------------------------------------
Tue May 25 08:54:54 MDT 2016 - carnold@suse.com
@ -34,6 +50,13 @@ Tue May 17 10:16:47 MDT 2016 - carnold@suse.com
x86-PoD-only-reclaim-if-needed.patch
gcc6-warnings-as-errors.patch
-------------------------------------------------------------------
Wed May 11 16:55:23 MDT 2016 - carnold@suse.com
- bsc#954872 - script block-dmmd not working as expected - libxl:
error: libxl_dm.c (another modification)
block-dmmd
-------------------------------------------------------------------
Tue May 10 14:39:00 MDT 2016 - carnold@suse.com


@ -11,7 +11,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl.c
+++ xen-4.7.0-testing/tools/libxl/libxl.c
@@ -2506,6 +2506,10 @@ static void device_disk_add(libxl__egc *
@@ -2522,6 +2522,10 @@ static void device_disk_add(libxl__egc *
/* now create a phy device to export the device to the guest */
goto do_backend_phy;
case LIBXL_DISK_BACKEND_QDISK:
@ -26,7 +26,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_device.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_device.c
+++ xen-4.7.0-testing/tools/libxl/libxl_device.c
@@ -240,7 +240,8 @@ static int disk_try_backend(disk_try_bac
@@ -293,7 +293,8 @@ static int disk_try_backend(disk_try_bac
return backend;
case LIBXL_DISK_BACKEND_QDISK:
@ -40,7 +40,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dm.c
===================================================================
--- xen-4.7.0-testing.orig/tools/libxl/libxl_dm.c
+++ xen-4.7.0-testing/tools/libxl/libxl_dm.c
@@ -887,6 +887,30 @@ static char *qemu_disk_ide_drive_string(
@@ -903,6 +903,30 @@ static char *qemu_disk_ide_drive_string(
return drive;
}
@ -71,7 +71,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dm.c
static int libxl__build_device_model_args_new(libxl__gc *gc,
const char *dm, int guest_domid,
const libxl_domain_config *guest_config,
@@ -1308,9 +1332,11 @@ static int libxl__build_device_model_arg
@@ -1326,9 +1350,11 @@ static int libxl__build_device_model_arg
libxl__device_disk_dev_number(disks[i].vdev, &disk, &part);
const char *format;
char *drive;
@ -84,7 +84,7 @@ Index: xen-4.7.0-testing/tools/libxl/libxl_dm.c
if (dev_number == -1) {
LOG(WARN, "unable to determine"" disk number for %s",
disks[i].vdev);
@@ -1351,7 +1377,7 @@ static int libxl__build_device_model_arg
@@ -1369,7 +1395,7 @@ static int libxl__build_device_model_arg
* the bootloader path.
*/
if (disks[i].backend == LIBXL_DISK_BACKEND_TAP)


@ -160,7 +160,7 @@ BuildRequires: xorg-x11-util-devel
%endif
%endif
Version: 4.7.0_04
Version: 4.7.0_06
Release: 0
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
License: GPL-2.0
@ -229,6 +229,8 @@ Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
Patch279: CVE-2014-3672-qemut-xsa180.patch
Patch280: CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch
Patch281: CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
# qemu-traditional patches that are not upstream
Patch350: blktap.patch
Patch351: cdrom-removable.patch
@ -546,6 +548,8 @@ Authors:
%patch277 -p1
%patch278 -p1
%patch279 -p1
%patch280 -p1
%patch281 -p1
# Qemu traditional
%patch350 -p1
%patch351 -p1
@ -1047,7 +1051,7 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
/usr/sbin/xen-list
/usr/sbin/xen-destroy
/usr/sbin/xen-bugtool
/usr/sbin/xen-xsplice
/usr/sbin/xen-livepatch
%dir %attr(700,root,root) /etc/xen
%dir /etc/xen/scripts
%if %{?with_qemu_traditional}0