From 4c13b01c5935f2c587171232a995e6e9067b5374ad31f4116e6a6bf60f2964e7 Mon Sep 17 00:00:00 2001
From: Charles Arnold
Date: Thu, 2 Oct 2014 12:46:51 +0000
Subject: [PATCH] - bnc#897657 - VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR range used for x2APIC emulation xsa108.patch
- bnc#895802 - VUL-0: CVE-2014-7156: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: CVE-2014-7155: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: CVE-2014-7154: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=333
---
 xen.changes | 19 +++++++++++++------
 xen.spec | 3 +++
 xsa108.patch | 30 ++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 6 deletions(-)
 create mode 100644 xsa108.patch
diff --git a/xen.changes b/xen.changes
index c3cd0ec..571d959 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Sep 30 09:01:16 MDT 2014 - carnold@suse.com
+
+- bnc#897657 - VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR
+ range used for x2APIC emulation
+ xsa108.patch
+
 -------------------------------------------------------------------
 Mon Sep 22 09:55:35 MDT 2014 - carnold@suse.com
 
@@ -24,14 +31,14 @@ Wed Sep 10 09:15:39 MDT 2014 - carnold@suse.com
 - bnc#895804 - VUL-0: CVE-2014-6268: xen: XSA-107: Mishandling of
 uninitialised FIFO-based event channel control blocks
 xsa107.patch
-- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks
- in x86 emulation of software interrupts
+- bnc#895802 - VUL-0: CVE-2014-7156: xen: XSA-106: Missing
+ privilege level checks in x86 emulation of software interrupts
 xsa106.patch
-- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks
- in x86 HLT, LGDT, LIDT, and LMSW emulation
+- bnc#895799 - VUL-0: CVE-2014-7155: xen: XSA-105: Missing
+ privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
 xsa105.patch
-- bnc#895798 - VUL-0: xen: XSA-104: Race condition in
- HVMOP_track_dirty_vram
+- bnc#895798 - VUL-0: CVE-2014-7154: xen: XSA-104: Race condition
+ in HVMOP_track_dirty_vram
 xsa104.patch
 -------------------------------------------------------------------
diff --git a/xen.spec b/xen.spec
index 38bbf1c..e769d53 100644
--- a/xen.spec
+++ b/xen.spec
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
+
 # needssslcertforbuild
 Name: xen
@@ -240,6 +241,7 @@ Patch104: xsa104.patch
 Patch105: xsa105.patch
 Patch106: xsa106.patch
 Patch107: xsa107.patch
+Patch108: xsa108.patch
 # Upstream qemu
 Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -636,6 +638,7 @@ Authors:
 %patch105 -p1
 %patch106 -p1
 %patch107 -p1
+%patch108 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
diff --git a/xsa108.patch b/xsa108.patch
new file mode 100644
index 0000000..685632b
--- /dev/null
+++ b/xsa108.patch
@@ -0,0 +1,30 @@
+x86/HVM: properly bound x2APIC MSR range
+
+While the write path change appears to be purely cosmetic (but still
+gets done here for consistency), the read side mistake permitted
+accesses beyond the virtual APIC page.
+
+This is XSA-108.
+
+Signed-off-by: Jan Beulich
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3101,7 +3101,7 @@ int hvm_msr_read_intercept(unsigned int
+ *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+ break;
+ 
+- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+ if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+ goto gp_fault;
+ break;
+@@ -3227,7 +3227,7 @@ int hvm_msr_write_intercept(unsigned int
+ vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+ break;
+ 
+- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+ if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+ goto gp_fault;
+ break;
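Review bot: The new xsa108.patch carries no provenance beyond the upstream description, so a reader of the file alone cannot tie it to the bug, CVE or advisory it addresses; that mapping exists only in the xen.changes hunk. A first line such as `References: bnc#897657 CVE-2014-7188 XSA-108` would let the patch self-identify the way the other XSA patches are tracked in the changelog. On the substance the narrowed bound is correct: the x2APIC model defines 256 MSRs starting at MSR_IA32_APICBASE_MSR, so `+ 0xff` is the last valid index and the old `+ 0x3ff` range let the read intercept reach beyond the virtual APIC page, as the description states. Both `hvm_msr_read_intercept` and `hvm_msr_write_intercept` start and end outside the inner hunks; if `hvm_x2apic_msr_read` derives a register offset from `msr` (not visible here), a bounds check inside that helper would keep the page limit from depending on the switch range alone.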