pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4f6abaa92b
xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
Charles Arnold 8292994238 - bsc#960093 - VUL-0: CVE-2015-8615: xen: x86: unintentional 
logging upon guest changing callback method (XSA-169)
  5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch

- bsc#959387 - VUL-0: CVE-2015-8568 CVE-2015-8567: xen: qemu: net:
  vmxnet3: host memory leakage
  CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch

- bsc#957988 - VUL-0: CVE-2015-8550: xen: paravirtualized drivers
  incautious about shared memory contents (XSA-155)
  xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
  xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
  xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
  xsa155-qemuu-qdisk-double-access.patch
  xsa155-qemut-qdisk-double-access.patch
  xsa155-qemuu-xenfb.patch
  xsa155-qemut-xenfb.patch
- bsc#959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop
  in ehci_advance_state results in DoS
  CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
- bsc#958918 - VUL-0: CVE-2015-7549: xen: qemu pci: null pointer
  dereference issue
  CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
- bsc#958493 - VUL-0: CVE-2015-8504: xen: qemu: ui: vnc: avoid
  floating point exception
  CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
  CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
- bsc#958007 - VUL-0: CVE-2015-8554: xen: qemu-dm buffer overrun in
  MSI-X handling (XSA-164)
  xsa164.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=393
2016-01-04 22:25:00 +00:00

56 lines
2.1 KiB
Diff
Raw Blame History

References: bsc#957988
From 12b11658a9d6a654a1e7acbf2f2d56ce9a396c86 Mon Sep 17 00:00:00 2001
From: David Vrabel <david.vrabel@citrix.com>
Date: Fri, 20 Nov 2015 11:59:05 -0500
Subject: [PATCH 1/3] xen: Add RING_COPY_REQUEST()
Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly
(i.e., by not considering that the other end may alter the data in the
shared ring while it is being inspected). Safe usage of a request
generally requires taking a local copy.
Provide a RING_COPY_REQUEST() macro to use instead of
RING_GET_REQUEST() and an open-coded memcpy(). This takes care of
ensuring that the copy is done correctly regardless of any possible
compiler optimizations.
Use a volatile source to prevent the compiler from reordering or
omitting the copy.
This is part of XSA155.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
v2: Add comment about GCC bug.
---
xen/include/public/io/ring.h | 14 ++++++++++++++
1 file changed, 14 insertions(+)
Index: xen-4.6.0-testing/xen/include/public/io/ring.h
===================================================================
--- xen-4.6.0-testing.orig/xen/include/public/io/ring.h
+++ xen-4.6.0-testing/xen/include/public/io/ring.h
@@ -212,6 +212,20 @@ typedef struct __name##_back_ring __name
#define RING_GET_REQUEST(_r, _idx) \
(&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
+/*
+ * Get a local copy of a request.
+ *
+ * Use this in preference to RING_GET_REQUEST() so all processing is
+ * done on a local copy that cannot be modified by the other end.
+ *
+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
+ * to be ineffective where _req is a struct which consists of only bitfields.
+ */
+#define RING_COPY_REQUEST(_r, _idx, _req) do { \
+ /* Use volatile to force the copy into _req. */ \
+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \
+} while (0)
+
#define RING_GET_RESPONSE(_r, _idx) \
(&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
Reference in New Issue View Git Blame Copy Permalink