Accepting request 253627 from Virtualization

Security fix for os13.2 RC1

OBS-URL: https://build.opensuse.org/request/show/253627
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xen?expand=0&rev=196

xen.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Sep 30 09:01:16 MDT 2014 - carnold@suse.com
+
+- bnc#897657 - VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR
+  range used for x2APIC emulation
+  xsa108.patch
+
 -------------------------------------------------------------------
 Mon Sep 22 09:55:35 MDT 2014 - carnold@suse.com
 
@@ -24,14 +31,14 @@ Wed Sep 10 09:15:39 MDT 2014 - carnold@suse.com
 - bnc#895804 - VUL-0: CVE-2014-6268: xen: XSA-107: Mishandling of
   uninitialised FIFO-based event channel control blocks
   xsa107.patch
-- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks
+- bnc#895802 - VUL-0: CVE-2014-7156: xen: XSA-106: Missing
-  in x86 emulation of software interrupts
+  privilege level checks in x86 emulation of software interrupts
   xsa106.patch
-- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks
+- bnc#895799 - VUL-0: CVE-2014-7155: xen: XSA-105: Missing
-  in x86 HLT, LGDT, LIDT, and LMSW emulation
+  privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
   xsa105.patch
-- bnc#895798 - VUL-0: xen: XSA-104: Race condition in
+- bnc#895798 - VUL-0: CVE-2014-7154: xen: XSA-104: Race condition
-  HVMOP_track_dirty_vram
+  in HVMOP_track_dirty_vram
   xsa104.patch
 
 -------------------------------------------------------------------

xen.spec

@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 # needssslcertforbuild
 
 Name:           xen
@@ -240,6 +241,7 @@ Patch104:       xsa104.patch
 Patch105:       xsa105.patch
 Patch106:       xsa106.patch
 Patch107:       xsa107.patch
+Patch108:       xsa108.patch
 # Upstream qemu
 Patch250:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251:       0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -636,6 +638,7 @@ Authors:
 %patch105 -p1
 %patch106 -p1
 %patch107 -p1
+%patch108 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1

xsa108.patch

@@ -0,0 +1,30 @@
+x86/HVM: properly bound x2APIC MSR range
+
+While the write path change appears to be purely cosmetic (but still
+gets done here for consistency), the read side mistake permitted
+accesses beyond the virtual APIC page.
+
+This is XSA-108.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3101,7 +3101,7 @@ int hvm_msr_read_intercept(unsigned int 
+         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+             goto gp_fault;
+         break;
+@@ -3227,7 +3227,7 @@ int hvm_msr_write_intercept(unsigned int
+         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+         break;
+ 
+-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+             goto gp_fault;
+         break;