pool/xen
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 233796 from Virtualization

Browse Source 
Bug fixes and pvscsi support

OBS-URL: https://build.opensuse.org/request/show/233796
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xen?expand=0&rev=187
This commit is contained in:
Stephan Kulow 2014-05-15 19:31:28 +00:00 committed by Git OBS Bridge
commit 57f0bf6c76
13 changed files with 1904 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

215
535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch Normal file
View File

@ -0,0 +1,215 @@
References: bnc#826717 CVE-2013-3495 XSA-59
# Commit d061d200eb92bcb1d86f9b55c6de73e35ce63fdf
# Date 2014-04-25 12:11:55 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: suppress UR signaling for server chipsets
Unsupported Requests can be signaled for malformed writes to the MSI
address region, e.g. due to buggy or malicious DMA set up to that
region. These should normally result in IOMMU faults, but don't on
the server chipsets dealt with here.
IDs 0xe00, 0xe01, and 0xe04 ... 0xe0b (Ivytown) aren't needed here -
Intel confirmed the issue to be fixed in hardware there.
This is CVE-2013-3495 / XSA-59.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Don Dugger <donald.d.dugger@intel.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
--- a/xen/drivers/passthrough/vtd/quirks.c
+++ b/xen/drivers/passthrough/vtd/quirks.c
@@ -27,6 +27,7 @@
#include <xen/softirq.h>
#include <xen/time.h>
#include <xen/pci.h>
+#include <xen/pci_ids.h>
#include <xen/pci_regs.h>
#include <xen/keyhandler.h>
#include <asm/msi.h>
@@ -390,12 +391,68 @@ void __init pci_vtd_quirk(struct pci_dev
int bus = pdev->bus;
int dev = PCI_SLOT(pdev->devfn);
int func = PCI_FUNC(pdev->devfn);
- int id, val;
+ int pos;
+ u32 val;
- id = pci_conf_read32(seg, bus, dev, func, 0);
- if ( id == 0x342e8086 || id == 0x3c288086 )
+ if ( pci_conf_read16(seg, bus, dev, func, PCI_VENDOR_ID) !=
+ PCI_VENDOR_ID_INTEL )
+ return;
+
+ switch ( pci_conf_read16(seg, bus, dev, func, PCI_DEVICE_ID) )
{
+ case 0x342e: /* Tylersburg chipset (Nehalem / Westmere systems) */
+ case 0x3c28: /* Sandybridge */
val = pci_conf_read32(seg, bus, dev, func, 0x1AC);
pci_conf_write32(seg, bus, dev, func, 0x1AC, val | (1 << 31));
+ break;
+
+ /* Tylersburg (EP)/Boxboro (MP) chipsets (NHM-EP/EX, WSM-EP/EX) */
+ case 0x3400 ... 0x3407: /* host bridges */
+ case 0x3408 ... 0x3411: case 0x3420 ... 0x3421: /* root ports */
+ /* JasperForest (Intel Xeon Processor C5500/C3500 */
+ case 0x3700 ... 0x370f: /* host bridges */
+ case 0x3720 ... 0x3724: /* root ports */
+ /* Sandybridge-EP (Romley) */
+ case 0x3c00: /* host bridge */
+ case 0x3c01 ... 0x3c0b: /* root ports */
+ pos = pci_find_ext_capability(seg, bus, pdev->devfn,
+ PCI_EXT_CAP_ID_ERR);
+ if ( !pos )
+ {
+ pos = pci_find_ext_capability(seg, bus, pdev->devfn,
+ PCI_EXT_CAP_ID_VNDR);
+ while ( pos )
+ {
+ val = pci_conf_read32(seg, bus, dev, func, pos + PCI_VNDR_HEADER);
+ if ( PCI_VNDR_HEADER_ID(val) == 4 && PCI_VNDR_HEADER_REV(val) == 1 )
+ {
+ pos += PCI_VNDR_HEADER;
+ break;
+ }
+ pos = pci_find_next_ext_capability(seg, bus, pdev->devfn, pos,
+ PCI_EXT_CAP_ID_VNDR);
+ }
+ }
+ if ( !pos )
+ {
+ printk(XENLOG_WARNING "%04x:%02x:%02x.%u without AER capability?\n",
+ seg, bus, dev, func);
+ break;
+ }
+
+ val = pci_conf_read32(seg, bus, dev, func, pos + PCI_ERR_UNCOR_MASK);
+ pci_conf_write32(seg, bus, dev, func, pos + PCI_ERR_UNCOR_MASK,
+ val | PCI_ERR_UNC_UNSUP);
+ val = pci_conf_read32(seg, bus, dev, func, pos + PCI_ERR_COR_MASK);
+ pci_conf_write32(seg, bus, dev, func, pos + PCI_ERR_COR_MASK,
+ val | PCI_ERR_COR_ADV_NFAT);
+
+ /* XPUNCERRMSK Send Completion with Unsupported Request */
+ val = pci_conf_read32(seg, bus, dev, func, 0x20c);
+ pci_conf_write32(seg, bus, dev, func, 0x20c, val | (1 << 4));
+
+ printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
+ seg, bus, dev, func);
+ break;
}
}
--- a/xen/drivers/pci/pci.c
+++ b/xen/drivers/pci/pci.c
@@ -66,23 +66,33 @@ int pci_find_next_cap(u16 seg, u8 bus, u
/**
* pci_find_ext_capability - Find an extended capability
- * @dev: PCI device to query
+ * @seg/@bus/@devfn: PCI device to query
* @cap: capability code
*
* Returns the address of the requested extended capability structure
* within the device's PCI configuration space or 0 if the device does
- * not support it. Possible values for @cap:
- *
- * %PCI_EXT_CAP_ID_ERR Advanced Error Reporting
- * %PCI_EXT_CAP_ID_VC Virtual Channel
- * %PCI_EXT_CAP_ID_DSN Device Serial Number
- * %PCI_EXT_CAP_ID_PWR Power Budgeting
+ * not support it.
*/
int pci_find_ext_capability(int seg, int bus, int devfn, int cap)
{
+ return pci_find_next_ext_capability(seg, bus, devfn, 0, cap);
+}
+
+/**
+ * pci_find_next_ext_capability - Find another extended capability
+ * @seg/@bus/@devfn: PCI device to query
+ * @pos: starting position
+ * @cap: capability code
+ *
+ * Returns the address of the requested extended capability structure
+ * within the device's PCI configuration space or 0 if the device does
+ * not support it.
+ */
+int pci_find_next_ext_capability(int seg, int bus, int devfn, int start, int cap)
+{
u32 header;
int ttl = 480; /* 3840 bytes, minimum 8 bytes per capability */
- int pos = 0x100;
+ int pos = max(start, 0x100);
header = pci_conf_read32(seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn), pos);
@@ -92,9 +102,10 @@ int pci_find_ext_capability(int seg, int
*/
if ( (header == 0) || (header == -1) )
return 0;
+ ASSERT(start != pos || PCI_EXT_CAP_ID(header) == cap);
while ( ttl-- > 0 ) {
- if ( PCI_EXT_CAP_ID(header) == cap )
+ if ( PCI_EXT_CAP_ID(header) == cap && pos != start )
return pos;
pos = PCI_EXT_CAP_NEXT(header);
if ( pos < 0x100 )
--- a/xen/include/xen/pci.h
+++ b/xen/include/xen/pci.h
@@ -140,6 +140,7 @@ int pci_mmcfg_write(unsigned int seg, un
int pci_find_cap_offset(u16 seg, u8 bus, u8 dev, u8 func, u8 cap);
int pci_find_next_cap(u16 seg, u8 bus, unsigned int devfn, u8 pos, int cap);
int pci_find_ext_capability(int seg, int bus, int devfn, int cap);
+int pci_find_next_ext_capability(int seg, int bus, int devfn, int pos, int cap);
const char *parse_pci(const char *, unsigned int *seg, unsigned int *bus,
unsigned int *dev, unsigned int *func);
--- /dev/null
+++ b/xen/include/xen/pci_ids.h
@@ -0,0 +1,9 @@
+#define PCI_VENDOR_ID_AMD 0x1022
+
+#define PCI_VENDOR_ID_NVIDIA 0x10de
+
+#define PCI_VENDOR_ID_OXSEMI 0x1415
+
+#define PCI_VENDOR_ID_BROADCOM 0x14e4
+
+#define PCI_VENDOR_ID_INTEL 0x8086
--- a/xen/include/xen/pci_regs.h
+++ b/xen/include/xen/pci_regs.h
@@ -431,6 +431,7 @@
#define PCI_EXT_CAP_ID_VC 2
#define PCI_EXT_CAP_ID_DSN 3
#define PCI_EXT_CAP_ID_PWR 4
+#define PCI_EXT_CAP_ID_VNDR 11
#define PCI_EXT_CAP_ID_ACS 13
#define PCI_EXT_CAP_ID_ARI 14
#define PCI_EXT_CAP_ID_ATS 15
@@ -459,6 +460,7 @@
#define PCI_ERR_COR_BAD_DLLP 0x00000080 /* Bad DLLP Status */
#define PCI_ERR_COR_REP_ROLL 0x00000100 /* REPLAY_NUM Rollover */
#define PCI_ERR_COR_REP_TIMER 0x00001000 /* Replay Timer Timeout */
+#define PCI_ERR_COR_ADV_NFAT 0x00002000 /* Advisory Non-Fatal */
#define PCI_ERR_COR_MASK 20 /* Correctable Error Mask */
/* Same bits as above */
#define PCI_ERR_CAP 24 /* Advanced Error Capabilities */
@@ -510,6 +512,12 @@
#define PCI_PWR_CAP 12 /* Capability */
#define PCI_PWR_CAP_BUDGET(x) ((x) & 1) /* Included in system budget */
+/* Vendor-Specific (VSEC, PCI_EXT_CAP_ID_VNDR) */
+#define PCI_VNDR_HEADER 4 /* Vendor-Specific Header */
+#define PCI_VNDR_HEADER_ID(x) ((x) & 0xffff)
+#define PCI_VNDR_HEADER_REV(x) (((x) >> 16) & 0xf)
+#define PCI_VNDR_HEADER_LEN(x) (((x) >> 20) & 0xfff)
+
/*
* Hypertransport sub capability types
*

66
535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch Normal file
View File

@ -0,0 +1,66 @@
References: bnc#826717 CVE-2013-3495 XSA-59
# Commit d6cb14b34ffc2a830022d059f1aa22bf19dcf55f
# Date 2014-04-25 12:12:38 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: suppress UR signaling for desktop chipsets
Unsupported Requests can be signaled for malformed writes to the MSI
address region, e.g. due to buggy or malicious DMA set up to that
region. These should normally result in IOMMU faults, but don't on
the desktop chipsets dealt with here.
This is CVE-2013-3495 / XSA-59.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Don Dugger <donald.d.dugger@intel.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
--- a/xen/drivers/passthrough/vtd/quirks.c
+++ b/xen/drivers/passthrough/vtd/quirks.c
@@ -393,6 +393,8 @@ void __init pci_vtd_quirk(struct pci_dev
int func = PCI_FUNC(pdev->devfn);
int pos;
u32 val;
+ u64 bar;
+ paddr_t pa;
if ( pci_conf_read16(seg, bus, dev, func, PCI_VENDOR_ID) !=
PCI_VENDOR_ID_INTEL )
@@ -454,5 +456,33 @@ void __init pci_vtd_quirk(struct pci_dev
printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
seg, bus, dev, func);
break;
+
+ case 0x100: case 0x104: case 0x108: /* Sandybridge */
+ case 0x150: case 0x154: case 0x158: /* Ivybridge */
+ case 0xa04: /* Haswell ULT */
+ case 0xc00: case 0xc04: case 0xc08: /* Haswell */
+ bar = pci_conf_read32(seg, bus, dev, func, 0x6c);
+ bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68);
+ pa = bar & 0x7fffff000; /* bits 12...38 */
+ if ( (bar & 1) && pa &&
+ page_is_ram_type(paddr_to_pfn(pa), RAM_TYPE_RESERVED) )
+ {
+ u32 __iomem *va = ioremap(pa, PAGE_SIZE);
+
+ if ( va )
+ {
+ __set_bit(0x1c8 * 8 + 20, va);
+ iounmap(va);
+ printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
+ seg, bus, dev, func);
+ }
+ else
+ printk(XENLOG_ERR "Could not map %"PRIpaddr" for %04x:%02x:%02x.%u\n",
+ pa, seg, bus, dev, func);
+ }
+ else
+ printk(XENLOG_WARNING "Bogus DMIBAR %#"PRIx64" on %04x:%02x:%02x.%u\n",
+ bar, seg, bus, dev, func);
+ break;
}
}

187
535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch Normal file
View File

@ -0,0 +1,187 @@
# Commit 1a2a390a560e8319a6be98c7ab6cfaebd230f67e
# Date 2014-04-25 12:13:31 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
passthrough: allow to suppress SERR and PERR signaling altogether
This is just to have a workaround at hand in case other chipsets (not
covered by the previous two patches) also have similar issues.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Don Dugger <donald.d.dugger@intel.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -772,6 +772,14 @@ Defaults to booting secondary processors
Default: `on`
+### pci
+> `= {no-}serr | {no-}perr`
+
+Disable signaling of SERR (system errors) and/or PERR (parity errors)
+on all PCI devices.
+
+Default: Signaling left as set by firmware.
+
### pci-phantom
> `=[<seg>:]<bus>:<device>,<stride>`
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -154,6 +154,115 @@ static void __init parse_phantom_dev(cha
}
custom_param("pci-phantom", parse_phantom_dev);
+static u16 __read_mostly command_mask;
+static u16 __read_mostly bridge_ctl_mask;
+
+/*
+ * The 'pci' parameter controls certain PCI device aspects.
+ * Optional comma separated value may contain:
+ *
+ * serr don't suppress system errors (default)
+ * no-serr suppress system errors
+ * perr don't suppress parity errors (default)
+ * no-perr suppress parity errors
+ */
+static void __init parse_pci_param(char *s)
+{
+ char *ss;
+
+ do {
+ bool_t on = !!strncmp(s, "no-", 3);
+ u16 cmd_mask = 0, brctl_mask = 0;
+
+ if ( !on )
+ s += 3;
+
+ ss = strchr(s, ',');
+ if ( ss )
+ *ss = '\0';
+
+ if ( !strcmp(s, "serr") )
+ {
+ cmd_mask = PCI_COMMAND_SERR;
+ brctl_mask = PCI_BRIDGE_CTL_SERR | PCI_BRIDGE_CTL_DTMR_SERR;
+ }
+ else if ( !strcmp(s, "perr") )
+ {
+ cmd_mask = PCI_COMMAND_PARITY;
+ brctl_mask = PCI_BRIDGE_CTL_PARITY;
+ }
+
+ if ( on )
+ {
+ command_mask &= ~cmd_mask;
+ bridge_ctl_mask &= ~brctl_mask;
+ }
+ else
+ {
+ command_mask |= cmd_mask;
+ bridge_ctl_mask |= brctl_mask;
+ }
+
+ s = ss + 1;
+ } while ( ss );
+}
+custom_param("pci", parse_pci_param);
+
+static void check_pdev(const struct pci_dev *pdev)
+{
+#define PCI_STATUS_CHECK \
+ (PCI_STATUS_PARITY | PCI_STATUS_SIG_TARGET_ABORT | \
+ PCI_STATUS_REC_TARGET_ABORT | PCI_STATUS_REC_MASTER_ABORT | \
+ PCI_STATUS_SIG_SYSTEM_ERROR | PCI_STATUS_DETECTED_PARITY)
+ u16 seg = pdev->seg;
+ u8 bus = pdev->bus;
+ u8 dev = PCI_SLOT(pdev->devfn);
+ u8 func = PCI_FUNC(pdev->devfn);
+ u16 val;
+
+ if ( command_mask )
+ {
+ val = pci_conf_read16(seg, bus, dev, func, PCI_COMMAND);
+ if ( val & command_mask )
+ pci_conf_write16(seg, bus, dev, func, PCI_COMMAND,
+ val & ~command_mask);
+ val = pci_conf_read16(seg, bus, dev, func, PCI_STATUS);
+ if ( val & PCI_STATUS_CHECK )
+ {
+ printk(XENLOG_INFO "%04x:%02x:%02x.%u status %04x -> %04x\n",
+ seg, bus, dev, func, val, val & ~PCI_STATUS_CHECK);
+ pci_conf_write16(seg, bus, dev, func, PCI_STATUS,
+ val & PCI_STATUS_CHECK);
+ }
+ }
+
+ switch ( pci_conf_read8(seg, bus, dev, func, PCI_HEADER_TYPE) & 0x7f )
+ {
+ case PCI_HEADER_TYPE_BRIDGE:
+ if ( !bridge_ctl_mask )
+ break;
+ val = pci_conf_read16(seg, bus, dev, func, PCI_BRIDGE_CONTROL);
+ if ( val & bridge_ctl_mask )
+ pci_conf_write16(seg, bus, dev, func, PCI_BRIDGE_CONTROL,
+ val & ~bridge_ctl_mask);
+ val = pci_conf_read16(seg, bus, dev, func, PCI_SEC_STATUS);
+ if ( val & PCI_STATUS_CHECK )
+ {
+ printk(XENLOG_INFO
+ "%04x:%02x:%02x.%u secondary status %04x -> %04x\n",
+ seg, bus, dev, func, val, val & ~PCI_STATUS_CHECK);
+ pci_conf_write16(seg, bus, dev, func, PCI_SEC_STATUS,
+ val & PCI_STATUS_CHECK);
+ }
+ break;
+
+ case PCI_HEADER_TYPE_CARDBUS:
+ /* TODO */
+ break;
+ }
+#undef PCI_STATUS_CHECK
+}
+
static struct pci_dev *alloc_pdev(struct pci_seg *pseg, u8 bus, u8 devfn)
{
struct pci_dev *pdev;
@@ -252,6 +361,8 @@ static struct pci_dev *alloc_pdev(struct
break;
}
+ check_pdev(pdev);
+
return pdev;
}
@@ -566,6 +677,8 @@ int pci_add_device(u16 seg, u8 bus, u8 d
seg, bus, slot, func, ctrl);
}
+ check_pdev(pdev);
+
ret = 0;
if ( !pdev->domain )
{
--- a/xen/include/xen/pci_regs.h
+++ b/xen/include/xen/pci_regs.h
@@ -125,7 +125,7 @@
#define PCI_IO_RANGE_TYPE_16 0x00
#define PCI_IO_RANGE_TYPE_32 0x01
#define PCI_IO_RANGE_MASK (~0x0fUL)
-#define PCI_SEC_STATUS 0x1e /* Secondary status register, only bit 14 used */
+#define PCI_SEC_STATUS 0x1e /* Secondary status register */
#define PCI_MEMORY_BASE 0x20 /* Memory range behind */
#define PCI_MEMORY_LIMIT 0x22
#define PCI_MEMORY_RANGE_TYPE_MASK 0x0fUL
@@ -152,6 +152,7 @@
#define PCI_BRIDGE_CTL_MASTER_ABORT 0x20 /* Report master aborts */
#define PCI_BRIDGE_CTL_BUS_RESET 0x40 /* Secondary bus reset */
#define PCI_BRIDGE_CTL_FAST_BACK 0x80 /* Fast Back2Back enabled on secondary interface */
+#define PCI_BRIDGE_CTL_DTMR_SERR 0x800 /* SERR upon discard timer expiry */
/* Header type 2 (CardBus bridges) */
#define PCI_CB_CAPABILITY_LIST 0x14

43
535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch Normal file
View File

@ -0,0 +1,43 @@
# Commit 31ee951a3bee6e7cc21f94f900fe989e3701a79a
# Date 2014-04-28 12:47:24 +0200
# Author Feng Wu <feng.wu@intel.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: correct the SMEP logic for HVM_CR0_GUEST_RESERVED_BITS
When checking the SMEP feature for HVM guests, we should check the
VCPU instead of the host CPU.
Signed-off-by: Feng Wu <feng.wu@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/include/asm-x86/hvm/hvm.h
+++ b/xen/include/asm-x86/hvm/hvm.h
@@ -347,6 +347,19 @@ static inline int hvm_event_pending(stru
return hvm_funcs.event_pending(v);
}
+static inline bool_t hvm_vcpu_has_smep(void)
+{
+ unsigned int eax, ebx;
+
+ hvm_cpuid(0, &eax, NULL, NULL, NULL);
+
+ if ( eax < 7 )
+ return 0;
+
+ hvm_cpuid(7, NULL, &ebx, NULL, NULL);
+ return !!(ebx & cpufeat_mask(X86_FEATURE_SMEP));
+}
+
/* These reserved bits in lower 32 remain 0 after any load of CR0 */
#define HVM_CR0_GUEST_RESERVED_BITS \
(~((unsigned long) \
@@ -366,7 +379,7 @@ static inline int hvm_event_pending(stru
X86_CR4_DE | X86_CR4_PSE | X86_CR4_PAE | \
X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | \
X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | \
- (cpu_has_smep ? X86_CR4_SMEP : 0) | \
+ (hvm_vcpu_has_smep() ? X86_CR4_SMEP : 0) | \
(cpu_has_fsgsbase ? X86_CR4_FSGSBASE : 0) | \
((nestedhvm_enabled((_v)->domain) && cpu_has_vmx)\
? X86_CR4_VMXE : 0) | \

8
xsa92.patch → 535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch
View File

@ -1,3 +1,9 @@
References: bnc#875668 CVE-2014-3124 XSA-92
# Commit 83bb5eb4d340acebf27b34108fb1dae062146a68
# Date 2014-04-29 15:11:31 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: restrict HVMOP_set_mem_type x86/HVM: restrict HVMOP_set_mem_type
Permitting arbitrary type changes here has the potential of creating Permitting arbitrary type changes here has the potential of creating
@ -12,7 +18,7 @@ message.
Afaict the similar operation in p2m_set_mem_access() is safe. Afaict the similar operation in p2m_set_mem_access() is safe.
This is XSA-92. This is CVE-2014-3124 / XSA-92.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org> Reviewed-by: Tim Deegan <tim@xen.org>

27
53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch Normal file
View File

@ -0,0 +1,27 @@
# Commit 16e2a7596e9fc86881c73cef57602b2c88155528
# Date 2014-05-02 11:46:32 +0200
# Author Paul Durrant <paul.durrant@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
hvm_set_ioreq_page() releases wrong page in error path
The function calls prepare_ring_for_helper() to acquire a mapping for the
given gmfn, then checks (under lock) to see if the ioreq page is already
set up but, if it is, the function then releases the in-use ioreq page
mapping on the error path rather than the one it just acquired. This patch
fixes this bug.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -478,7 +478,7 @@ static int hvm_set_ioreq_page(
if ( (iorp->va != NULL) || d->is_dying )
{
- destroy_ring_for_helper(&iorp->va, iorp->page);
+ destroy_ring_for_helper(&va, page);
spin_unlock(&iorp->lock);
return -EINVAL;
}

81
53636ebf-x86-fix-guest-CPUID-handling.patch Normal file
View File

@ -0,0 +1,81 @@
# Commit 4c0ff6bd54b5a67f8f820f9ed0a89a79f1a26a1c
# Date 2014-05-02 12:09:03 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: fix guest CPUID handling
The way XEN_DOMCTL_set_cpuid got handled so far allowed for surprises
to the caller. With this set of operations
- set leaf A (using array index 0)
- set leaf B (using array index 1)
- clear leaf A (clearing array index 0)
- set leaf B (using array index 0)
- clear leaf B (clearing array index 0)
the entry for leaf B at array index 1 would still be in place, while
the caller would expect it to be cleared.
While looking at the use sites of d->arch.cpuid[] I also noticed that
the allocation of the array needlessly uses the zeroing form - the
relevant fields of the array elements get set in a loop immediately
following the allocation.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -553,7 +553,7 @@ int arch_domain_create(struct domain *d,
if ( !is_idle_domain(d) )
{
- d->arch.cpuids = xzalloc_array(cpuid_input_t, MAX_CPUID_INPUT);
+ d->arch.cpuids = xmalloc_array(cpuid_input_t, MAX_CPUID_INPUT);
rc = -ENOMEM;
if ( d->arch.cpuids == NULL )
goto fail;
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -920,7 +920,7 @@ long arch_do_domctl(
case XEN_DOMCTL_set_cpuid:
{
xen_domctl_cpuid_t *ctl = &domctl->u.cpuid;
- cpuid_input_t *cpuid = NULL;
+ cpuid_input_t *cpuid, *unused = NULL;
int i;
for ( i = 0; i < MAX_CPUID_INPUT; i++ )
@@ -928,7 +928,11 @@ long arch_do_domctl(
cpuid = &d->arch.cpuids[i];
if ( cpuid->input[0] == XEN_CPUID_INPUT_UNUSED )
- break;
+ {
+ if ( !unused )
+ unused = cpuid;
+ continue;
+ }
if ( (cpuid->input[0] == ctl->input[0]) &&
((cpuid->input[1] == XEN_CPUID_INPUT_UNUSED) ||
@@ -936,15 +940,12 @@ long arch_do_domctl(
break;
}
- if ( i == MAX_CPUID_INPUT )
- {
- ret = -ENOENT;
- }
+ if ( i < MAX_CPUID_INPUT )
+ *cpuid = *ctl;
+ else if ( unused )
+ *unused = *ctl;
else
- {
- memcpy(cpuid, ctl, sizeof(cpuid_input_t));
- ret = 0;
- }
+ ret = -ENOENT;
}
break;

2
libxl.add-option-for-discard-support-to-xl-disk-conf.patch
View File

@ -54,7 +54,7 @@ Index: xen-4.4.0-testing/tools/libxl/libxl.c
=================================================================== ===================================================================
--- xen-4.4.0-testing.orig/tools/libxl/libxl.c --- xen-4.4.0-testing.orig/tools/libxl/libxl.c
+++ xen-4.4.0-testing/tools/libxl/libxl.c +++ xen-4.4.0-testing/tools/libxl/libxl.c
@@ -2213,6 +2213,8 @@ static void device_disk_add(libxl__egc * @@ -2480,6 +2480,8 @@ static void device_disk_add(libxl__egc *
flexarray_append(back, disk->readwrite ? "w" : "r"); flexarray_append(back, disk->readwrite ? "w" : "r");
flexarray_append(back, "device-type"); flexarray_append(back, "device-type");
flexarray_append(back, disk->is_cdrom ? "cdrom" : "disk"); flexarray_append(back, disk->is_cdrom ? "cdrom" : "disk");

1189
libxl.pvscsi.patch Normal file
View File

File diff suppressed because it is too large Load Diff

48
pygrub-boot-legacy-sles.patch
View File

@ -1,23 +1,38 @@
Index: xen-4.3.1-testing/tools/pygrub/src/pygrub Index: xen-4.4.0-testing/tools/pygrub/src/pygrub
=================================================================== ===================================================================
--- xen-4.3.1-testing.orig/tools/pygrub/src/pygrub --- xen-4.4.0-testing.orig/tools/pygrub/src/pygrub
+++ xen-4.3.1-testing/tools/pygrub/src/pygrub +++ xen-4.4.0-testing/tools/pygrub/src/pygrub
@@ -607,6 +607,14 @@ def run_grub(file, entry, fs, cfg_args): @@ -452,7 +452,7 @@ class Grub:
print " args: %s" % img.args self.cf.filename = f
print " initrd: %s" % img.initrd[1] break
if self.__dict__.get('cf', None) is None:
- raise RuntimeError, "couldn't find bootloader config file in the image provided."
+ return
f = fs.open_file(self.cf.filename)
# limit read size to avoid pathological cases
buf = f.read(FS_READ_MAX)
@@ -598,6 +598,20 @@ def run_grub(file, entry, fs, cfg_args):
+ # If grub has no menu entries to select, look for vmlinuz-xen and initrd-xen in /boot g = Grub(file, fs)
+ if len(g.cf.images) == 0:
+ # If missing config or grub has no menu entries to select, look for
+ # vmlinuz-xen and initrd-xen in /boot
+ if g.__dict__.get('cf', None) is None or len(g.cf.images) == 0:
+ if not list_entries:
+ chosencfg = { "kernel": None, "ramdisk": None, "args": "" } + chosencfg = { "kernel": None, "ramdisk": None, "args": "" }
+ chosencfg = sniff_xen_kernel(fs, incfg) + chosencfg = sniff_xen_kernel(fs, incfg)
+ if chosencfg["kernel"] and chosencfg["ramdisk"]: + if chosencfg["kernel"] and chosencfg["ramdisk"]:
+ chosencfg["args"] = cfg_args + chosencfg["args"] = cfg_args
+ return chosencfg + return chosencfg
+ if g.__dict__.get('cf', None) is None:
+ raise RuntimeError, "couldn't find bootloader config file in the image provided."
+ else:
+ return
+ +
if interactive and not list_entries: if list_entries:
curses.wrapper(run_main) for i in range(len(g.cf.images)):
else: img = g.cf.images[i]
@@ -693,6 +701,14 @@ def sniff_netware(fs, cfg): @@ -693,6 +707,14 @@ def sniff_netware(fs, cfg):
return cfg return cfg
@ -32,3 +47,12 @@ Index: xen-4.3.1-testing/tools/pygrub/src/pygrub
def format_sxp(kernel, ramdisk, args): def format_sxp(kernel, ramdisk, args):
s = "linux (kernel %s)" % kernel s = "linux (kernel %s)" % kernel
if ramdisk: if ramdisk:
@@ -773,7 +795,7 @@ if __name__ == "__main__":
debug = False
not_really = False
output_format = "sxp"
- output_directory = "/var/run/xend/boot"
+ output_directory = "/var/run/xen"
# what was passed in
incfg = { "kernel": None, "ramdisk": None, "args": "" }

29
xen.changes
View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Mon May 12 18:00:14 CEST 2014 - ohering@suse.de
- fate#316613: Implement pvscsi in xl/libxl
libxl.pvscsi.patch
-------------------------------------------------------------------
Fri May 9 08:07:34 MDT 2014 - carnold@suse.com
- bnc#875668 - VUL-0: CVE-2014-3124: xen: XSA-92:
HVMOP_set_mem_type allows invalid P2M entries to be created
535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch (replaces xsa92.patch)
- bnc#826717 - VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d
Interrupt Remapping engines can be evaded by native NMI interrupts
535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch
535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch
- Upstream patches from Jan
535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch
535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch
53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch
53636ebf-x86-fix-guest-CPUID-handling.patch
-------------------------------------------------------------------
Tue May 6 13:24:14 MDT 2014 - carnold@suse.com
- Fix pygrub to handle VM with no grub/menu.lst file.
- Don't use /var/run/xend/boot for temporary boot directory
pygrub-boot-legacy-sles.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Apr 26 09:56:36 MDT 2014 - carnold@suse.com Sat Apr 26 09:56:36 MDT 2014 - carnold@suse.com

21
xen.spec
View File

@ -15,7 +15,6 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via http://bugs.opensuse.org/
# #
# needssslcertforbuild # needssslcertforbuild
Name: xen Name: xen
@ -154,7 +153,7 @@ BuildRequires: xorg-x11-util-devel
%endif %endif
%endif %endif
Version: 4.4.0_16 Version: 4.4.0_18
Release: 0 Release: 0
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
@ -243,7 +242,13 @@ Patch27: 534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch
Patch28: 534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch Patch28: 534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch
Patch29: 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch Patch29: 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch
Patch30: 5357baff-x86-add-missing-break-in-dom0_pit_access.patch Patch30: 5357baff-x86-add-missing-break-in-dom0_pit_access.patch
Patch92: xsa92.patch Patch31: 535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch
Patch32: 535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch
Patch33: 535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch
Patch34: 535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch
Patch35: 535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch
Patch36: 53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch
Patch37: 53636ebf-x86-fix-guest-CPUID-handling.patch
# Upstream qemu # Upstream qemu
Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@ -311,6 +316,7 @@ Patch386: libxc-pass-errno-to-callers-of-xc_domain_save.patch
Patch387: libxl.set-migration-constraints-from-cmdline.patch Patch387: libxl.set-migration-constraints-from-cmdline.patch
Patch388: libxl.honor-more-top-level-vfb-options.patch Patch388: libxl.honor-more-top-level-vfb-options.patch
Patch389: qemu-xen-upstream-megasas-buildtime.patch Patch389: qemu-xen-upstream-megasas-buildtime.patch
Patch390: libxl.pvscsi.patch
# Xend # Xend
Patch400: xend-set-migration-constraints-from-cmdline.patch Patch400: xend-set-migration-constraints-from-cmdline.patch
Patch402: xen.migrate.tools-xend_move_assert_to_exception_block.patch Patch402: xen.migrate.tools-xend_move_assert_to_exception_block.patch
@ -633,7 +639,13 @@ Authors:
%patch28 -p1 %patch28 -p1
%patch29 -p1 %patch29 -p1
%patch30 -p1 %patch30 -p1
%patch92 -p1 %patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
# Upstream qemu patches # Upstream qemu patches
%patch250 -p1 %patch250 -p1
%patch251 -p1 %patch251 -p1
@ -700,6 +712,7 @@ Authors:
%patch387 -p1 %patch387 -p1
%patch388 -p1 %patch388 -p1
%patch389 -p1 %patch389 -p1
%patch390 -p1
# Xend # Xend
%patch400 -p1 %patch400 -p1
%patch402 -p1 %patch402 -p1

2
xend-tools-watchdog-support.patch
View File

@ -129,7 +129,7 @@ Index: xen-4.4.0-testing/tools/libxl/xl_cmdimpl.c
=================================================================== ===================================================================
--- xen-4.4.0-testing.orig/tools/libxl/xl_cmdimpl.c --- xen-4.4.0-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.4.0-testing/tools/libxl/xl_cmdimpl.c +++ xen-4.4.0-testing/tools/libxl/xl_cmdimpl.c
@@ -1737,6 +1737,8 @@ skip_vfb: @@ -1915,6 +1915,8 @@ skip_vfb:
xlu_cfg_replace_string (config, "soundhw", &b_info->u.hvm.soundhw, 0); xlu_cfg_replace_string (config, "soundhw", &b_info->u.hvm.soundhw, 0);
xlu_cfg_get_defbool(config, "xen_platform_pci", xlu_cfg_get_defbool(config, "xen_platform_pci",
&b_info->u.hvm.xen_platform_pci, 0); &b_info->u.hvm.xen_platform_pci, 0);