Accepting request 253627 from Virtualization

Security fix for os13.2 RC1 OBS-URL: https://build.opensuse.org/request/show/253627 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xen?expand=0&rev=196
2014-10-05 18:30:33 +00:00 · 2014-10-05 18:30:33 +00:00 · f0dadd65e0
commit f0dadd65e0
parent 296b5421e5 4c13b01c59
3 changed files with 46 additions and 6 deletions
--- a/xen.changes
+++ b/xen.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Sep 30 09:01:16 MDT 2014 - carnold@suse.com
+
+- bnc#897657 - VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR
+  range used for x2APIC emulation
+  xsa108.patch
+
 -------------------------------------------------------------------
 Mon Sep 22 09:55:35 MDT 2014 - carnold@suse.com

@ -24,14 +31,14 @@ Wed Sep 10 09:15:39 MDT 2014 - carnold@suse.com
 - bnc#895804 - VUL-0: CVE-2014-6268: xen: XSA-107: Mishandling of
  uninitialised FIFO-based event channel control blocks
  xsa107.patch
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks
-  in x86 emulation of software interrupts
+- bnc#895802 - VUL-0: CVE-2014-7156: xen: XSA-106: Missing
+  privilege level checks in x86 emulation of software interrupts
  xsa106.patch
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks
-  in x86 HLT, LGDT, LIDT, and LMSW emulation
+- bnc#895799 - VUL-0: CVE-2014-7155: xen: XSA-105: Missing
+  privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
  xsa105.patch
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in
-  HVMOP_track_dirty_vram
+- bnc#895798 - VUL-0: CVE-2014-7154: xen: XSA-104: Race condition
+  in HVMOP_track_dirty_vram
  xsa104.patch

 -------------------------------------------------------------------
--- a/xen.spec
+++ b/xen.spec
@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

+
 # needssslcertforbuild

 Name:           xen
@ -240,6 +241,7 @@ Patch104:       xsa104.patch
 Patch105:       xsa105.patch
 Patch106:       xsa106.patch
 Patch107:       xsa107.patch
+Patch108:       xsa108.patch
 # Upstream qemu
 Patch250:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251:       0001-net-move-the-tap-buffer-into-TAPState.patch
@ -636,6 +638,7 @@ Authors:
 %patch105 -p1
 %patch106 -p1
 %patch107 -p1
+%patch108 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
--- a/xsa108.patch
+++ b/xsa108.patch
@ -0,0 +1,30 @@
+x86/HVM: properly bound x2APIC MSR range
+
+While the write path change appears to be purely cosmetic (but still
+gets done here for consistency), the read side mistake permitted
+accesses beyond the virtual APIC page.
+
+This is XSA-108.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
+@@ -3101,7 +3101,7 @@ int hvm_msr_read_intercept(unsigned int 
+         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+             goto gp_fault;
+         break;
+@@ -3227,7 +3227,7 @@ int hvm_msr_write_intercept(unsigned int
+         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+             goto gp_fault;
+         break;