From 61e5c542fb778a4175268846463f1ac85a1e944364077c29c4d5e9b9c4cda473 Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Mon, 19 Nov 2007 17:19:02 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/xen?expand=0&rev=34

---
 15434-irq-permissions.patch   |  20 ++
 16157-xenmon-security.patch   |  46 +++
 domUloader.py                 |  15 +-
 fix-ioemu-vnc-shift-key.patch | 547 ++++++++++++++++++++++++++++++++++
 fix-vncfb-shift-key.patch     | 142 +++++++++
 usercopy-gcc43-fix.patch      |  22 ++
 x86-page-cacheability.patch   |  13 +-
 xen.changes                   |  21 ++
 xen.spec                      |  23 +-
 9 files changed, 840 insertions(+), 9 deletions(-)
 create mode 100644 15434-irq-permissions.patch
 create mode 100644 16157-xenmon-security.patch
 create mode 100644 fix-ioemu-vnc-shift-key.patch
 create mode 100644 fix-vncfb-shift-key.patch
 create mode 100644 usercopy-gcc43-fix.patch

diff --git a/15434-irq-permissions.patch b/15434-irq-permissions.patch
new file mode 100644
index 0000000..dc9b338
--- /dev/null
+++ b/15434-irq-permissions.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Keir Fraser <keir@xensource.com>
+# Date 1183059350 -3600
+# Node ID b377a102f0eb1b75ec76cf230ee8f259ed01c528
+# Parent  a5360bf1866892498f4fda9fb86f96035143221d
+xend: Fix irq-permissions setting during domain creation.
+Signed-off-by: Keir Fraser <keir@xensource.com>
+
+diff -r a5360bf18668 -r b377a102f0eb tools/python/xen/xend/server/irqif.py
+--- a/tools/python/xen/xend/server/irqif.py	Thu Jun 28 18:40:20 2007 +0100
++++ b/tools/python/xen/xend/server/irqif.py	Thu Jun 28 20:35:50 2007 +0100
+@@ -61,7 +61,7 @@ class IRQController(DevController):
+        
+         pirq = get_param('irq')
+ 
+-        rc = xc.domain_irq_permission(dom          = self.getDomid(),
++        rc = xc.domain_irq_permission(domid        = self.getDomid(),
+                                       pirq         = pirq,
+                                       allow_access = True)
+ 
diff --git a/16157-xenmon-security.patch b/16157-xenmon-security.patch
new file mode 100644
index 0000000..7874226
--- /dev/null
+++ b/16157-xenmon-security.patch
@@ -0,0 +1,46 @@
+# HG changeset patch
+# User Keir Fraser <keir@xensource.com>
+# Date 1193128003 -3600
+# Node ID b28ae5f00553ea053bd4e4576634d8ea49e77bc3
+# Parent  118a21c66fd53a08d7191159e5b2888f8d9e4ad2
+xenmon: Fix security vulnerability CVE-2007-3919.
+
+The xenbaked daemon and xenmon utility communicate via a mmap'ed
+shared file. Since this file is located in /tmp, unprivileged users
+can cause arbitrary files to be truncated by creating a symlink from
+the well-known /tmp filename to e.g., /etc/passwd.
+
+The fix is to place the shared file in a directory to which only root
+should have access (in this case /var/run/).
+
+This bug was reported, and the fix suggested, by Steve Kemp
+<skx@debian.org>. Thanks!
+
+Signed-off-by: Keir Fraser <keir@xensource.com>
+
+Index: xen-3.1-testing/tools/xenmon/xenbaked.c
+===================================================================
+--- xen-3.1-testing.orig/tools/xenmon/xenbaked.c
++++ xen-3.1-testing/tools/xenmon/xenbaked.c
+@@ -593,7 +593,7 @@ error_t cmd_parser(int key, char *arg, s
+     return 0;
+ }
+ 
+-#define SHARED_MEM_FILE "/tmp/xenq-shm"
++#define SHARED_MEM_FILE "/var/run/xenq-shm"
+ void alloc_qos_data(int ncpu)
+ {
+     int i, n, pgsize, off=0;
+Index: xen-3.1-testing/tools/xenmon/xenmon.py
+===================================================================
+--- xen-3.1-testing.orig/tools/xenmon/xenmon.py
++++ xen-3.1-testing/tools/xenmon/xenmon.py
+@@ -46,7 +46,7 @@ ST_QDATA = "%dQ" % (6*NDOMAINS + 4)
+ QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
+ 
+ # location of mmaped file, hard coded right now
+-SHM_FILE = "/tmp/xenq-shm"
++SHM_FILE = "/var/run/xenq-shm"
+ 
+ # format strings
+ TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
diff --git a/domUloader.py b/domUloader.py
index 34a7a55..64749f3 100644
--- a/domUloader.py
+++ b/domUloader.py
@@ -44,6 +44,9 @@ verbose = False
 dryrun = False
 tmpdir = '/var/lib/xen/tmp'
 in_args = ''
+# kpartx, left to its own devices, does not consistently pick the
+# same partition separator.  Explicitly specify it.
+kpartx_args = '-p -part'
 
 # Helper functions
 
@@ -77,12 +80,14 @@ class Wholedisk:
     "Class representing a whole disk that may have partitions"
     def __init__(self, vdev, pdev):
         "c'tor: set up"
+        # Initialize object; will not raise:
         self.ldev = None
         self.vdev = vdev
         self.pdev = pdev
         self.mapped = 0
         self.partitions = []
         self.pcount = 0
+        # Finish initialization; may raise:
         self.is_blk = (S_ISBLK(os.stat(pdev)[ST_MODE]))
         self.pcount = self.scanpartitions()
 
@@ -150,7 +155,7 @@ class Wholedisk:
         self.loopsetup()
         # TODO: We could use fdisk -l instead and look at the type of
         #  partitions; this way we could also detect LVM and support it.
-        fd = os.popen("kpartx -l '%s'" % self.physdev())
+        fd = os.popen("kpartx %s -l '%s'" % (kpartx_args, self.physdev()))
         pcount = 0
         for line in fd.readlines():
             line = line.strip()
@@ -179,8 +184,8 @@ class Wholedisk:
         if not self.mapped:
             self.loopsetup()
             if self.pcount:
-                verbose_print("kpartx -a '%s'" % self.physdev())
-                fd = os.popen("kpartx -a '%s'" % self.physdev())
+                verbose_print("kpartx %s -a '%s'" % (kpartx_args, self.physdev()))
+                fd = os.popen("kpartx %s -a '%s'" % (kpartx_args, self.physdev()))
                 fd.close()
         self.mapped += 1
     
@@ -194,8 +199,8 @@ class Wholedisk:
         self.mapped -= 1
         if not self.mapped:
             if self.pcount:
-                verbose_print("kpartx -d '%s'" % self.physdev())
-                fd = os.popen("kpartx -d '%s'" % self.physdev())
+                verbose_print("kpartx %s -d '%s'" % (kpartx_args, self.physdev()))
+                fd = os.popen("kpartx %s -d '%s'" % (kpartx_args, self.physdev()))
                 fd.close()
             self.loopclean()
 
diff --git a/fix-ioemu-vnc-shift-key.patch b/fix-ioemu-vnc-shift-key.patch
new file mode 100644
index 0000000..fe62adf
--- /dev/null
+++ b/fix-ioemu-vnc-shift-key.patch
@@ -0,0 +1,547 @@
+Index: xen-3.0.4-testing/tools/ioemu/keymaps.c
+===================================================================
+--- xen-3.0.4-testing.orig/tools/ioemu/keymaps.c	2006-12-14 14:49:55.000000000 -0700
++++ xen-3.0.4-testing/tools/ioemu/keymaps.c	2007-09-14 08:31:29.000000000 -0600
+@@ -32,19 +32,50 @@
+     return 0;
+ }
+ 
++struct key_range {
++    int start;
++    int end;
++    struct key_range *next;
++};
++
+ #define MAX_NORMAL_KEYCODE 512
+ #define MAX_EXTRA_COUNT 256
+ typedef struct {
+     uint16_t keysym2keycode[MAX_NORMAL_KEYCODE];
+-    int keysym2numlock[MAX_NORMAL_KEYCODE];
+     struct {
+ 	int keysym;
+-	int numlock;
+ 	uint16_t keycode;
+     } keysym2keycode_extra[MAX_EXTRA_COUNT];
+     int extra_count;
++    struct key_range *keypad_range;
++    struct key_range *numlock_range;
++    struct key_range *shift_range;
+ } kbd_layout_t;
+ 
++static void add_to_key_range(struct key_range **krp, int code) {
++    struct key_range *kr;
++    for (kr = *krp; kr; kr = kr->next) {
++	if (code >= kr->start && code <= kr->end)
++	    break;
++	if (code == kr->start - 1) {
++	    kr->start--;
++	    break;
++	}
++	if (code == kr->end + 1) {
++	    kr->end++;
++	    break;
++	}
++    }
++    if (kr == NULL) {
++	kr = qemu_mallocz(sizeof(*kr));
++	if (kr) {
++	    kr->start = kr->end = code;
++	    kr->next = *krp;
++	    *krp = kr;
++	}
++    }
++}
++
+ static kbd_layout_t *parse_keyboard_layout(const char *language,
+ 					   kbd_layout_t * k)
+ {
+@@ -52,8 +83,6 @@
+     char file_name[1024];
+     char line[1024];
+     int len;
+-    int *keycode2numlock;
+-    int i;
+ 
+     snprintf(file_name, sizeof(file_name),
+              "%s/keymaps/%s", bios_dir, language);
+@@ -67,15 +96,6 @@
+ 		"Could not read keymap file: '%s'\n", file_name);
+ 	return 0;
+     }
+-
+-    /* Allocate a temporary map tracking which keycodes change when numlock is
+-       set.  Keycodes are 16 bit, so 65536 is safe. */
+-    keycode2numlock = malloc(65536 * sizeof(int));
+-    if (!keycode2numlock) {
+-        perror("Could not read keymap file");
+-	return 0;
+-    }
+-
+     for(;;) {
+ 	if (fgets(line, 1024, f) == NULL)
+             break;
+@@ -99,19 +119,25 @@
+ 		if (keysym == 0) {
+                     //		    fprintf(stderr, "Warning: unknown keysym %s\n", line);
+ 		} else {
+-		    char *rest = end_of_keysym + 1;
+-		    int keycode = strtol(rest, &rest, 0);
+-		    int numlock = (rest != NULL &&
+-		                   strstr(rest, "numlock") != NULL);
+-
+-                    keycode2numlock[keycode] = numlock;
++		    const char *rest = end_of_keysym + 1;
++		    char *rest2;
++		    int keycode = strtol(rest, &rest2, 0);
++
++		    if (rest && strstr(rest, "numlock")) {
++			add_to_key_range(&k->keypad_range, keycode);
++			add_to_key_range(&k->numlock_range, keysym);
++			fprintf(stderr, "keypad keysym %04x keycode %d\n", keysym, keycode);
++		    }
++		    if (rest && strstr(rest, "shift")) {
++			add_to_key_range(&k->shift_range, keysym);
++			fprintf(stderr, "shift keysym %04x keycode %d\n", keysym, keycode);
++		    }
+ 
+ 		    /* if(keycode&0x80)
+ 		       keycode=(keycode<<8)^0x80e0; */
+ 		    if (keysym < MAX_NORMAL_KEYCODE) {
+ 			//fprintf(stderr,"Setting keysym %s (%d) to %d\n",line,keysym,keycode);
+ 			k->keysym2keycode[keysym] = keycode;
+-			k->keysym2numlock[keysym] = numlock;
+ 		    } else {
+ 			if (k->extra_count >= MAX_EXTRA_COUNT) {
+ 			    fprintf(stderr,
+@@ -126,8 +152,6 @@
+ 				keysym = keysym;
+ 			    k->keysym2keycode_extra[k->extra_count].
+ 				keycode = keycode;
+-			    k->keysym2keycode_extra[k->extra_count].
+-				numlock = numlock;
+ 			    k->extra_count++;
+ 			}
+ 		    }
+@@ -136,22 +160,6 @@
+ 	}
+     }
+     fclose(f);
+-
+-    for (i = 0; i < MAX_NORMAL_KEYCODE; i++) {
+-        if (k->keysym2numlock[i] != 1) {
+-            k->keysym2numlock[i] = -keycode2numlock[k->keysym2keycode[i]];
+-        }
+-    }
+-
+-    for (i = 0; i < k->extra_count; i++) {
+-        if (k->keysym2keycode_extra[i].numlock != 1) {
+-            k->keysym2keycode_extra[i].numlock =
+-                -keycode2numlock[k->keysym2keycode_extra[i].keycode];
+-        }
+-    }
+-
+-    free(keycode2numlock);
+-
+     return k;
+ }
+ 
+@@ -181,24 +189,35 @@
+     return 0;
+ }
+ 
+-/**
+- * Returns 1 if the given keysym requires numlock to be pressed, -1 if it
+- * requires it to be cleared, and 0 otherwise.
+- */
+-static int keysym2numlock(void *kbd_layout, int keysym)
++static int keycodeIsKeypad(void *kbd_layout, int keycode)
+ {
+     kbd_layout_t *k = kbd_layout;
+-    if (keysym < MAX_NORMAL_KEYCODE) {
+-	return k->keysym2numlock[keysym];
+-    } else {
+-	int i;
+-#ifdef XK_ISO_Left_Tab
+-	if (keysym == XK_ISO_Left_Tab)
+-	    keysym = XK_Tab;
+-#endif
+-	for (i = 0; i < k->extra_count; i++)
+-	    if (k->keysym2keycode_extra[i].keysym == keysym)
+-		return k->keysym2keycode_extra[i].numlock;
+-    }
++    struct key_range *kr;
++
++    for (kr = k->keypad_range; kr; kr = kr->next)
++	if (keycode >= kr->start && keycode <= kr->end)
++	    return 1;
++    return 0;
++}
++
++static int keysymIsNumlock(void *kbd_layout, int keysym)
++{
++    kbd_layout_t *k = kbd_layout;
++    struct key_range *kr;
++
++    for (kr = k->numlock_range; kr; kr = kr->next)
++	if (keysym >= kr->start && keysym <= kr->end)
++	    return 1;
++    return 0;
++}
++
++static int keysymIsShift(void *kbd_layout, int keysym)
++{
++    kbd_layout_t *k = kbd_layout;
++    struct key_range *kr;
++
++    for (kr = k->shift_range; kr; kr = kr->next)
++	if (keysym >= kr->start && keysym <= kr->end)
++	    return 1;
+     return 0;
+ }
+Index: xen-3.0.4-testing/tools/ioemu/vnc.c
+===================================================================
+--- xen-3.0.4-testing.orig/tools/ioemu/vnc.c	2007-09-14 08:30:01.000000000 -0600
++++ xen-3.0.4-testing/tools/ioemu/vnc.c	2007-09-14 09:23:48.000000000 -0600
+@@ -46,10 +46,6 @@
+ #include "keymaps.c"
+ #include "d3des.h"
+ 
+-#define XK_MISCELLANY
+-#define XK_LATIN1
+-#include <X11/keysymdef.h>
+-
+ typedef struct Buffer
+ {
+     size_t capacity;
+@@ -113,9 +109,8 @@
+     int visible_w;
+     int visible_h;
+ 
+-    int ctl_keys;               /* Ctrl+Alt starts calibration */
+-    int shift_keys;             /* Shift / CapsLock keys */
+-    int numlock;
++    /* input */
++    uint8_t modifiers_state[256];
+ };
+ 
+ #define DIRTY_PIXEL_BITS 64
+@@ -855,133 +850,209 @@
+     }
+ }
+ 
+-static void press_key(VncState *vs, int keycode)
++static void reset_keys(VncState *vs)
++{
++    int i;
++    for(i = 0; i < 256; i++) {
++        if (vs->modifiers_state[i]) {
++            if (i & 0x80)
++                kbd_put_keycode(0xe0);
++            kbd_put_keycode(i | 0x80);
++            vs->modifiers_state[i] = 0;
++        }
++    }
++}
++
++static void press_key(VncState *vs, int keysym)
++{
++    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keysym) & 0x7f);
++    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keysym) | 0x80);
++}
++
++static void press_key_shift_down(VncState *vs, int down, int keycode)
+ {
+-    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keycode) & 0x7f);
+-    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keycode) | 0x80);
++    if (down)
++        kbd_put_keycode(0x2a & 0x7f);
++
++    if (keycode & 0x80)
++        kbd_put_keycode(0xe0);
++    if (down)
++        kbd_put_keycode(keycode & 0x7f);
++    else
++        kbd_put_keycode(keycode | 0x80);
++
++    if (!down)
++        kbd_put_keycode(0x2a | 0x80);
++}
++
++static void press_key_shift_up(VncState *vs, int down, int keycode)
++{
++    if (down) {
++        if (vs->modifiers_state[0x2a])
++            kbd_put_keycode(0x2a | 0x80);
++        if (vs->modifiers_state[0x36])
++            kbd_put_keycode(0x36 | 0x80);
++    }
++
++    if (keycode & 0x80)
++        kbd_put_keycode(0xe0);
++    if (down)
++        kbd_put_keycode(keycode & 0x7f);
++    else
++        kbd_put_keycode(keycode | 0x80);
++
++    if (!down) {
++        if (vs->modifiers_state[0x2a])
++            kbd_put_keycode(0x2a & 0x7f);
++        if (vs->modifiers_state[0x36])
++            kbd_put_keycode(0x36 & 0x7f);
++    }
+ }
+ 
+ static void do_key_event(VncState *vs, int down, uint32_t sym)
+ {
+-    sym &= 0xFFFF;
++    int keycode;
++    int shift_keys = 0;
++    int shift = 0;
+ 
+     if (is_graphic_console()) {
+-	int keycode;
+-	int numlock;
++        if (sym >= 'A' && sym <= 'Z') {
++            sym = sym - 'A' + 'a';
++            shift = 1;
++        }
++        else {
++            shift = keysymIsShift(vs->kbd_layout, sym & 0xFFFF);
++        }
++    }
++    shift_keys = vs->modifiers_state[0x2a] | vs->modifiers_state[0x36];
+ 
+-	keycode = keysym2scancode(vs->kbd_layout, sym);
+-	numlock = keysym2numlock(vs->kbd_layout, sym);
++    keycode = keysym2scancode(vs->kbd_layout, sym & 0xFFFF);
++    if (keycode == 0) {
++        fprintf(stderr, "Key lost : keysym=0x%x(%d)\n", sym, sym);
++        return;
++    }
+ 
++    /* QEMU console switch */
++    switch(keycode) {
++    case 0x2a:                          /* Left Shift */
++    case 0x36:                          /* Right Shift */
++    case 0x1d:                          /* Left CTRL */
++    case 0x9d:                          /* Right CTRL */
++    case 0x38:                          /* Left ALT */
++    case 0xb8:                          /* Right ALT */
++        if (down) {
++            vs->modifiers_state[keycode] = 1;
++            kbd_put_keycode(keycode & 0x7f);
++        }
++        else {
++            vs->modifiers_state[keycode] = 0;
++            kbd_put_keycode(keycode | 0x80);
++        }
++        return;
++    case 0x02 ... 0x0a: /* '1' to '9' keys */
++        if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
++            /* Reset the modifiers sent to the current console */
++            reset_keys(vs);
++            console_select(keycode - 0x02);
++            return;
++        }
++        break;
++    case 0x45:			/* NumLock */
++	if (down) {
++            kbd_put_keycode(keycode & 0x7f);
++        }
++        else {
++	    vs->modifiers_state[keycode] ^= 1;
++            kbd_put_keycode(keycode | 0x80);
++        }
++	return;
++    }
++
++    if (keycodeIsKeypad(vs->kbd_layout, keycode)) {
+         /* If the numlock state needs to change then simulate an additional
+            keypress before sending this one.  This will happen if the user
+            toggles numlock away from the VNC window.
+         */
+-	if (numlock == 1) {
+-	    if (!vs->numlock) {
+-		vs->numlock = 1;
+-		press_key(vs, XK_Num_Lock);
+-	    }
+-	}
+-	else if (numlock == -1) {
+-	    if (vs->numlock) {
+-		vs->numlock = 0;
+-		press_key(vs, XK_Num_Lock);
++        if (keysymIsNumlock(vs->kbd_layout, sym & 0xFFFF)) {
++	    if (!vs->modifiers_state[0x45]) {
++		vs->modifiers_state[0x45] = 1;
++		press_key(vs, 0xff7f);
+ 	    }
+-        }
+-
+-	if (keycode & 0x80)
+-	    kbd_put_keycode(0xe0);
+-	if (down)
+-	    kbd_put_keycode(keycode & 0x7f);
+-	else
+-	    kbd_put_keycode(keycode | 0x80);
+-    } else if (down) {
+-	int qemu_keysym = 0;
+-
+-	if (sym <= 128) { /* normal ascii */
+-	    int shifted = vs->shift_keys == 1 || vs->shift_keys == 2;
+-	    qemu_keysym = sym;
+-	    if (sym >= 'a' && sym <= 'z' && shifted)
+-	        qemu_keysym -= 'a' - 'A';
+ 	} else {
+-	    switch (sym) {
+-	    case XK_Up: qemu_keysym = QEMU_KEY_UP; break;
+-	    case XK_Down: qemu_keysym = QEMU_KEY_DOWN; break;
+-	    case XK_Left: qemu_keysym = QEMU_KEY_LEFT; break;
+-	    case XK_Right: qemu_keysym = QEMU_KEY_RIGHT; break;
+-	    case XK_Home: qemu_keysym = QEMU_KEY_HOME; break;
+-	    case XK_End: qemu_keysym = QEMU_KEY_END; break;
+-	    case XK_Page_Up: qemu_keysym = QEMU_KEY_PAGEUP; break;
+-	    case XK_Page_Down: qemu_keysym = QEMU_KEY_PAGEDOWN; break;
+-	    case XK_BackSpace: qemu_keysym = QEMU_KEY_BACKSPACE; break;
+-	    case XK_Delete: qemu_keysym = QEMU_KEY_DELETE; break;
+-	    case XK_Return:
+-	    case XK_Linefeed: qemu_keysym = sym; break;
+-	    default: break;
++	    if (vs->modifiers_state[0x45]) {
++		vs->modifiers_state[0x45] = 0;
++		press_key(vs, 0xff7f);
+ 	    }
+-	}
+-	if (qemu_keysym != 0)
+-	    kbd_put_keysym(qemu_keysym);
++        }
+     }
+ 
+-    if (down) {
+-	switch (sym) {
+-	case XK_Control_L:
+-	    vs->ctl_keys |= 1;
+-	    break;
+-
+-	case XK_Alt_L:
+-	    vs->ctl_keys |= 2;
+-	    break;
+-
+-	case XK_Shift_L:
+-	    vs->shift_keys |= 1;
+-	    break;
++    if (is_graphic_console()) {
++        /*  If the shift state needs to change then simulate an additional
++            keypress before sending this one.
++        */
++        if (shift && !shift_keys) {
++            press_key_shift_down(vs, down, keycode);
++            return;
++        }
++        else if (!shift && shift_keys) {
++            press_key_shift_up(vs, down, keycode);
++            return;
++        }
+ 
+-	default:
+-	    break;
+-	}
++        if (keycode & 0x80)
++            kbd_put_keycode(0xe0);
++        if (down)
++            kbd_put_keycode(keycode & 0x7f);
++        else
++            kbd_put_keycode(keycode | 0x80);
+     } else {
+-	switch (sym) {
+-	case XK_Control_L:
+-	    vs->ctl_keys &= ~1;
+-	    break;
+-
+-	case XK_Alt_L:
+-	    vs->ctl_keys &= ~2;
+-	    break;
+-
+-	case XK_Shift_L:
+-	    vs->shift_keys &= ~1;
+-	    break;
+-
+-	case XK_Caps_Lock:
+-	    vs->shift_keys ^= 2;
+-	    break;
+-
+-	case XK_Num_Lock:
+-	    vs->numlock = !vs->numlock;
+-	    break;
+-
+-	case XK_1 ... XK_9:
+-	    if ((vs->ctl_keys & 3) != 3)
+-		break;
+-
+-	    console_select(sym - XK_1);
+-	    if (is_graphic_console()) {
+-		/* tell the vga console to redisplay itself */
+-		vga_hw_invalidate();
+-		vnc_dpy_update(vs->ds, 0, 0, vs->ds->width, vs->ds->height);
+-	    }
+-	    break;
+-	}
++        /* QEMU console emulation */
++        if (down) {
++            switch (keycode) {
++            case 0x2a:                          /* Left Shift */
++            case 0x36:                          /* Right Shift */
++            case 0x1d:                          /* Left CTRL */
++            case 0x9d:                          /* Right CTRL */
++            case 0x38:                          /* Left ALT */
++            case 0xb8:                          /* Right ALT */
++                break;
++            case 0xc8:
++                kbd_put_keysym(QEMU_KEY_UP);
++                break;
++            case 0xd0:
++                kbd_put_keysym(QEMU_KEY_DOWN);
++                break;
++            case 0xcb:
++                kbd_put_keysym(QEMU_KEY_LEFT);
++                break;
++            case 0xcd:
++                kbd_put_keysym(QEMU_KEY_RIGHT);
++                break;
++            case 0xd3:
++                kbd_put_keysym(QEMU_KEY_DELETE);
++                break;
++            case 0xc7:
++                kbd_put_keysym(QEMU_KEY_HOME);
++                break;
++            case 0xcf:
++                kbd_put_keysym(QEMU_KEY_END);
++                break;
++            case 0xc9:
++                kbd_put_keysym(QEMU_KEY_PAGEUP);
++                break;
++            case 0xd1:
++                kbd_put_keysym(QEMU_KEY_PAGEDOWN);
++                break;
++            default:
++                kbd_put_keysym(sym);
++                break;
++            }
++        }
+     }
+ }
+ 
+ static void key_event(VncState *vs, int down, uint32_t sym)
+ {
+-    if (sym >= 'A' && sym <= 'Z')
+-	sym = sym - 'A' + 'a';
+     do_key_event(vs, down, sym);
+ }
+ 
+@@ -1385,7 +1456,6 @@
+     vs->lsock = -1;
+     vs->csock = -1;
+     vs->depth = 4;
+-    vs->numlock = 0;
+ 
+     vs->ds = ds;
+ 
diff --git a/fix-vncfb-shift-key.patch b/fix-vncfb-shift-key.patch
new file mode 100644
index 0000000..b9358be
--- /dev/null
+++ b/fix-vncfb-shift-key.patch
@@ -0,0 +1,142 @@
+Index: xen-3.1-testing/tools/xenfb/vncfb.c
+===================================================================
+--- xen-3.1-testing.orig/tools/xenfb/vncfb.c	2007-05-17 09:51:10.000000000 -0600
++++ xen-3.1-testing/tools/xenfb/vncfb.c	2007-09-14 11:59:57.000000000 -0600
+@@ -55,12 +55,47 @@
+ unsigned char keycode_table[512];
+ 
+ static void *kbd_layout;
++uint8_t modifiers_state[256];
+ 
+ static int btnmap[] = {
+ 	BTN_LEFT, BTN_MIDDLE, BTN_RIGHT, BTN_SIDE,
+ 	BTN_EXTRA, BTN_FORWARD, BTN_BACK, BTN_TASK
+ };
+ 
++static void press_key_shift_down(struct xenfb* xenfb, int down, int scancode)
++{
++	if (down)
++		xenfb_send_key(xenfb, 1, keycode_table[0x2a]);
++
++	if (xenfb_send_key(xenfb, down, keycode_table[scancode]) < 0)
++		fprintf(stderr, "Key %d %s lost (%s)\n",
++			scancode, "down", strerror(errno));
++
++	if (!down)
++		xenfb_send_key(xenfb, 0, keycode_table[0x2a]);
++}
++
++static void press_key_shift_up(struct xenfb* xenfb, int down, int scancode)
++{
++	if (down) {
++		if (modifiers_state[0x2a])
++			xenfb_send_key(xenfb, 0, keycode_table[0x2a]);
++		if (modifiers_state[0x36])
++			xenfb_send_key(xenfb, 0, keycode_table[0x36]);
++	}
++
++	if (xenfb_send_key(xenfb, down, keycode_table[scancode]) < 0)
++		fprintf(stderr, "Key %d %s lost (%s)\n",
++			scancode, "down", strerror(errno));
++
++	if (!down) {
++		if (modifiers_state[0x2a])
++			xenfb_send_key(xenfb, 1, keycode_table[0x2a]);
++		if (modifiers_state[0x36])
++			xenfb_send_key(xenfb, 1, keycode_table[0x36]);
++	}
++}
++
+ static void on_kbd_event(rfbBool down, rfbKeySym keycode, rfbClientPtr cl)
+ {
+ 	/*
+@@ -75,14 +110,75 @@
+ 	rfbScreenInfoPtr server = cl->screen;
+ 	struct xenfb *xenfb = server->screenData;
+ 	int scancode;
++	int shift = 0;
++	int shift_keys = 0;
+ 
+-	if (keycode >= 'A' && keycode <= 'Z')
++	if (keycode >= 'A' && keycode <= 'Z') {
+ 		keycode += 'a' - 'A';
++		shift = 1;
++	}
++	else {
++		shift = keysymIsShift(kbd_layout, keycode);
++	}
++	shift_keys = modifiers_state[0x2a] | modifiers_state[0x36];
+ 
+-	scancode = keycode_table[keysym2scancode(kbd_layout, keycode)];
++	scancode = keysym2scancode(kbd_layout, keycode);
+ 	if (scancode == 0)
+ 		return;
+-	if (xenfb_send_key(xenfb, down, scancode) < 0)
++
++	switch(scancode) {
++	case 0x2a:			/* Left Shift */
++	case 0x36:			/* Right Shift */
++	case 0x1d:			/* Left CTRL */
++	case 0x9d:			/* Right CTRL */
++	case 0x38:			/* Left ALT */
++	case 0xb8:			/* Right ALT */
++		if (down)
++			modifiers_state[scancode] = 1;
++		else
++			modifiers_state[scancode] = 0;
++		xenfb_send_key(xenfb, down, keycode_table[scancode]);
++		return;
++	case 0x45:			/* NumLock */
++		if (!down)
++			modifiers_state[scancode] ^= 1;
++		xenfb_send_key(xenfb, down, keycode_table[scancode]);
++		return;
++	}
++
++	if (keycodeIsKeypad(kbd_layout, scancode)) {
++	/* If the numlock state needs to change then simulate an additional
++	   keypress before sending this one.  This will happen if the user
++	   toggles numlock away from the VNC window.
++	*/
++		if (keysymIsNumlock(kbd_layout, keycode)) {
++			if (!modifiers_state[0x45]) {
++				modifiers_state[0x45] = 1;
++				xenfb_send_key(xenfb, 1, keycode_table[0x45]);
++				xenfb_send_key(xenfb, 0, keycode_table[0x45]);
++			}
++		} else {
++			if (modifiers_state[0x45]) {
++				modifiers_state[0x45] = 0;
++				xenfb_send_key(xenfb, 1, keycode_table[0x45]);
++				xenfb_send_key(xenfb, 0, keycode_table[0x45]);
++			}
++		}
++	}
++
++	/* If the shift state needs to change then simulate an additional
++	   keypress before sending this one.
++	*/
++	if (shift && !shift_keys) {
++		press_key_shift_down(xenfb, down, scancode);
++		return;
++	}
++	else if (!shift && shift_keys) {
++		press_key_shift_up(xenfb, down, scancode);
++		return;
++	}
++
++	if (xenfb_send_key(xenfb, down, keycode_table[scancode]) < 0)
+ 		fprintf(stderr, "Key %d %s lost (%s)\n",
+ 			scancode, down ? "down" : "up",
+ 			strerror(errno));
+@@ -314,6 +410,10 @@
+ 			atkbd_set2_keycode[atkbd_unxlate_table[i] | 0x80];
+ 	}
+ 
++	for (i = 0; i < 256; i++ ) {
++		modifiers_state[i] = 0;
++	}
++
+ 	fake_argv[2] = portstr;
+ 
+         if (title != NULL)
diff --git a/usercopy-gcc43-fix.patch b/usercopy-gcc43-fix.patch
new file mode 100644
index 0000000..3e1db5f
--- /dev/null
+++ b/usercopy-gcc43-fix.patch
@@ -0,0 +1,22 @@
+Index: xen-3.1-testing/xen/arch/x86/usercopy.c
+===================================================================
+--- xen-3.1-testing.orig/xen/arch/x86/usercopy.c
++++ xen-3.1-testing/xen/arch/x86/usercopy.c
+@@ -41,7 +41,7 @@ unsigned long __copy_to_user_ll(void __u
+ 		"	"__FIXUP_WORD" 0b,3b\n"
+ 		"	"__FIXUP_WORD" 1b,2b\n"
+ 		".previous"
+-		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
++		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=&r"(__d2)
+ 		: "3"(__n), "0"(__n), "1"(to), "2"(from)
+ 		: "memory");
+ 	return (unsigned)__n;
+@@ -85,7 +85,7 @@ __copy_from_user_ll(void *to, const void
+ 		"	"__FIXUP_WORD" 0b,3b\n"
+ 		"	"__FIXUP_WORD" 1b,6b\n"
+ 		".previous"
+-		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
++		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=&r"(__d2)
+ 		: "3"(__n), "0"(__n), "1"(to), "2"(from)
+ 		: "memory");
+ 	return (unsigned)__n;
diff --git a/x86-page-cacheability.patch b/x86-page-cacheability.patch
index 925000c..3249be3 100644
--- a/x86-page-cacheability.patch
+++ b/x86-page-cacheability.patch
@@ -165,7 +165,18 @@ Index: xen-3.1-testing/xen/arch/x86/mm.c
          return 0;
      }
  
-@@ -624,9 +702,9 @@ get_page_from_l1e(
+@@ -624,15 +702,20 @@ get_page_from_l1e(
+             return 1;
+ 
+         d = dom_io;
++        /* For now ignore cacheability attributes on MMIO pages - Linux'
++         * ACPI code maps all memory cacheable (thus relying on MTRRs being
++         * set correctly), which conflicts with most other subsystems using
++         * uncacheable mappings. */
++        flags = (flags & ~PAGE_CACHE_ATTRS) | _PAGE_RW;
+     }
+ 
+     /* Foreign mappings into guests in shadow external mode don't
       * contribute to writeable mapping refcounts.  (This allows the
       * qemu-dm helper process in dom0 to map the domain's memory without
       * messing up the count of "real" writable mappings.) */
diff --git a/xen.changes b/xen.changes
index 876a1ad..aa7324b 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Mon Nov  5 09:38:14 MST 2007 - jfehlig@novell.com
+
+- Added upstream c/s 15434 to allow access to serial devices.
+  Bug #338486.
+
+-------------------------------------------------------------------
+Thu Nov  1 13:17:46 MDT 2007 - carnold@novell.com
+
+- 334445: xenbaked: Fix security vulnerability CVE-2007-3919.
+
+-------------------------------------------------------------------
+Thu Nov  1 11:30:35 MDT 2007 - carnold@novell.com
+
+- #310279: Kernel Panic while booting Xen
+
+-------------------------------------------------------------------
+Tue Oct  2 17:05:28 MDT 2007 - ccoffing@novell.com
+
+- #286859: Fix booting from SAN
+
 -------------------------------------------------------------------
 Thu Sep 13 11:26:33 MDT 2007 - ccoffing@novell.com
 
diff --git a/xen.spec b/xen.spec
index 9380668..438b019 100644
--- a/xen.spec
+++ b/xen.spec
@@ -34,7 +34,7 @@ BuildRequires:  glibc-32bit glibc-devel-32bit
 BuildRequires:  kernel-source kernel-syms module-init-tools xorg-x11
 %endif
 Version:        3.1.0_15042
-Release:        45
+Release:        69
 License:        GPL v2 only
 Group:          System/Kernel
 AutoReqProv:    on
@@ -112,6 +112,8 @@ Patch51:        15716_dev_detach.patch
 Patch52:        fix_15716.patch
 Patch53:        hvm_vnc.diff
 Patch54:        xend_mem_leak.diff
+Patch55:        16157-xenmon-security.patch
+Patch56:        15434-irq-permissions.patch
 # Our patches
 Patch100:       xen-config.diff
 Patch101:       xend-config.diff
@@ -160,6 +162,9 @@ Patch154:       pci-passthru-reboot-fix.patch
 Patch155:       keymap_nl-be.patch
 Patch156:       svm-cr8-performance.diff
 Patch157:       xend-reboot.diff
+Patch158:       fix-ioemu-vnc-shift-key.patch
+Patch159:       fix-vncfb-shift-key.patch
+Patch160:       usercopy-gcc43-fix.patch
 # Patches from Jan
 Patch200:       inval-sh-ldt.patch
 Patch201:       32on64-cpuid.patch
@@ -360,7 +365,6 @@ Summary:        Xen Virtualization: Control tools for domain U
 Group:          System/Kernel
 Conflicts:      xen-tools
 AutoReqProv:    on
- 
 
 %description tools-domU
 Xen is a virtual machine monitor for x86 that supports execution of
@@ -618,6 +622,8 @@ Authors:
 %patch52 -p1
 %patch53 -p1
 %patch54 -p1
+%patch55 -p1
+%patch56 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
@@ -665,6 +671,9 @@ Authors:
 %patch155 -p1
 %patch156 -p1
 %patch157 -p1
+%patch158 -p1
+%patch159 -p1
+%patch160 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@@ -1004,8 +1013,16 @@ rm -f  $RPM_BUILD_ROOT/%pysite/*.egg-info
 
 %postun libs
 /sbin/ldconfig
-
 %changelog
+* Mon Nov 05 2007 - jfehlig@novell.com
+- Added upstream c/s 15434 to allow access to serial devices.
+  Bug #338486.
+* Thu Nov 01 2007 - carnold@novell.com
+- 334445: xenbaked: Fix security vulnerability CVE-2007-3919.
+* Thu Nov 01 2007 - carnold@novell.com
+- #310279: Kernel Panic while booting Xen
+* Tue Oct 02 2007 - ccoffing@novell.com
+- #286859: Fix booting from SAN
 * Thu Sep 13 2007 - ccoffing@novell.com
 - #310338: Fix "No such file or directory" in network-multinet
 * Wed Sep 12 2007 - jfehlig@novell.com