xen/CVE-2013-1952-xsa49.patch

References: bnc#8161663 CVE-2013-1952 XSA-49

VT-d: don't permit SVT_NO_VERIFY entries for known device types

Only in cases where we don't know what to do we should leave the IRTE
blank (suppressing all validation), but we should always log a warning
in those cases (as being insecure).

This is CVE-2013-1952 / XSA-49.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: "Zhang, Xiantao" <xiantao.zhang@intel.com>

Index: xen-4.2.1-testing/xen/drivers/passthrough/vtd/intremap.c
===================================================================
--- xen-4.2.1-testing.orig/xen/drivers/passthrough/vtd/intremap.c
+++ xen-4.2.1-testing/xen/drivers/passthrough/vtd/intremap.c
@@ -440,12 +440,9 @@ static void set_msi_source_id(struct pci
     {
         unsigned int sq;
 
+    case DEV_TYPE_PCIe_ENDPOINT:
     case DEV_TYPE_PCIe_BRIDGE:
     case DEV_TYPE_PCIe2PCI_BRIDGE:
-    case DEV_TYPE_LEGACY_PCI_BRIDGE:
-        break;
-
-    case DEV_TYPE_PCIe_ENDPOINT:
         switch ( pdev->phantom_stride )
         {
         case 1: sq = SQ_13_IGNORE_3; break;
@@ -457,6 +454,8 @@ static void set_msi_source_id(struct pci
         break;
 
     case DEV_TYPE_PCI:
+    case DEV_TYPE_LEGACY_PCI_BRIDGE:
+    case DEV_TYPE_PCI2PCIe_BRIDGE:
         ret = find_upstream_bridge(seg, &bus, &devfn, &secbus);
         if ( ret == 0 ) /* integrated PCI device */
         {
@@ -468,10 +467,15 @@ static void set_msi_source_id(struct pci
             if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
                 set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
                             (bus << 8) | pdev->bus);
-            else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+            else
                 set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
                             PCI_BDF2(bus, devfn));
         }
+        else
+            dprintk(XENLOG_WARNING VTDPREFIX,
+                    "d%d: no upstream bridge for %04x:%02x:%02x.%u\n",
+                    pdev->domain->domain_id,
+                    seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
         break;
 
     default:
- add xorg-x11-util-devel to BuildRequires to get lndir(1) - remove xen.migrate.tools_notify_restore_to_hangup_during_migration_--abort_if_busy.patch It changed migration protocol and upstream wants a different solution - bnc#802221 - fix xenpaging readd xenpaging.qemu.flush-cache.patch - Upstream patches from Jan 26891-x86-S3-Fix-cpu-pool-scheduling-after-suspend-resume.patch 26930-x86-EFI-fix-runtime-call-status-for-compat-mode-Dom0.patch - Additional fix for bnc#816159 CVE-2013-1918-xsa45-followup.patch - bnc#817068 - Xen guest with >1 sr-iov vf won't start xen-managed-pci-device.patch - Update to Xen 4.2.2 c/s 26064 The following recent security patches are included in the tarball CVE-2013-0151-xsa34.patch (bnc#797285) CVE-2012-6075-xsa41.patch (bnc#797523) CVE-2013-1917-xsa44.patch (bnc#813673) CVE-2013-1919-xsa46.patch (bnc#813675) - Upstream patch from Jan 26902-x86-EFI-pass-boot-services-variable-info-to-runtime-code.patch - bnc#816159 - VUL-0: xen: CVE-2013-1918: XSA-45: Several long latency operations are not preemptible CVE-2013-1918-xsa45-1-vcpu-destroy-pagetables-preemptible.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=237 2013-05-07 14:35:00 +00:00			`References: bnc#8161663 CVE-2013-1952 XSA-49`

			`VT-d: don't permit SVT_NO_VERIFY entries for known device types`

			`Only in cases where we don't know what to do we should leave the IRTE`
			`blank (suppressing all validation), but we should always log a warning`
			`in those cases (as being insecure).`

			`This is CVE-2013-1952 / XSA-49.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: "Zhang, Xiantao" <xiantao.zhang@intel.com>`

			`Index: xen-4.2.1-testing/xen/drivers/passthrough/vtd/intremap.c`
			`===================================================================`
			`--- xen-4.2.1-testing.orig/xen/drivers/passthrough/vtd/intremap.c`
			`+++ xen-4.2.1-testing/xen/drivers/passthrough/vtd/intremap.c`
			`@@ -440,12 +440,9 @@ static void set_msi_source_id(struct pci`
			`{`
			`unsigned int sq;`

			`+ case DEV_TYPE_PCIe_ENDPOINT:`
			`case DEV_TYPE_PCIe_BRIDGE:`
			`case DEV_TYPE_PCIe2PCI_BRIDGE:`
			`- case DEV_TYPE_LEGACY_PCI_BRIDGE:`
			`- break;`
			`-`
			`- case DEV_TYPE_PCIe_ENDPOINT:`
			`switch ( pdev->phantom_stride )`
			`{`
			`case 1: sq = SQ_13_IGNORE_3; break;`
			`@@ -457,6 +454,8 @@ static void set_msi_source_id(struct pci`
			`break;`

			`case DEV_TYPE_PCI:`
			`+ case DEV_TYPE_LEGACY_PCI_BRIDGE:`
			`+ case DEV_TYPE_PCI2PCIe_BRIDGE:`
			`ret = find_upstream_bridge(seg, &bus, &devfn, &secbus);`
			`if ( ret == 0 ) /* integrated PCI device */`
			`{`
			`@@ -468,10 +467,15 @@ static void set_msi_source_id(struct pci`
			`if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )`
			`set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,`
			`(bus << 8) \| pdev->bus);`
			`- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )`
			`+ else`
			`set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,`
			`PCI_BDF2(bus, devfn));`
			`}`
			`+ else`
			`+ dprintk(XENLOG_WARNING VTDPREFIX,`
			`+ "d%d: no upstream bridge for %04x:%02x:%02x.%u\n",`
			`+ pdev->domain->domain_id,`
			`+ seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn));`
			`break;`

			`default:`