Merge pull request #197 from eric-ch/xsa-12-2015

Linux 3.18.25 & latest XSAs
OpenXT · Jan 11, 2016 · c680add · c680add
2 parents 65109b8 + b8fdb85
commit c680add
Show file tree

Hide file tree

Showing 26 changed files with 2,157 additions and 75 deletions.
diff --git a/...d/xen/files/xsa-155-paravirtualized-drivers-incautious-about-shared-memory-contents.patch b/...d/xen/files/xsa-155-paravirtualized-drivers-incautious-about-shared-memory-contents.patch
@@ -0,0 +1,127 @@
+################################################################################
+SHORT DESCRIPTION: 
+################################################################################
+XSA-155 (http://xenbits.xen.org/xsa/advisory-155.html)
+paravirtualized drivers incautious about shared memory contents
+
+################################################################################
+LONG DESCRIPTION: 
+################################################################################
+Source: http://xenbits.xen.org/xsa/advisory-155.html
+Patches: xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
+         xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
+         xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
+
+The compiler can emit optimizations in the PV backend drivers which can lead to
+double fetch vulnerabilities. Specifically the shared memory between the
+frontend and backend can be fetched twice (during which time the frontend can
+alter the contents) possibly leading to arbitrary code execution in
+backend.
+
+Malicious guest administrators can cause denial of service.  If driver domains
+are not in use, the impact can be a host crash, or privilege escalation.
+
+################################################################################
+CHANGELOG 
+################################################################################
+Added in OpenXT, Xen 4.3.4 patch-queue: Eric Chanudet <[email protected]>
+
+################################################################################
+PATCHES 
+################################################################################
+Index: xen-4.3.4/xen/include/public/io/ring.h
+===================================================================
+--- xen-4.3.4.orig/xen/include/public/io/ring.h	2015-03-19 16:08:36.000000000 +0100
++++ xen-4.3.4/xen/include/public/io/ring.h	2015-12-18 17:36:55.133252177 +0100
+@@ -212,6 +212,20 @@
+ #define RING_GET_REQUEST(_r, _idx)                                      \
+     (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
+
++/*
++ * Get a local copy of a request.
++ *
++ * Use this in preference to RING_GET_REQUEST() so all processing is
++ * done on a local copy that cannot be modified by the other end.
++ *
++ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
++ * to be ineffective where _req is a struct which consists of only bitfields.
++ */
++#define RING_COPY_REQUEST(_r, _idx, _req) do {				\
++	/* Use volatile to force the copy into _req. */			\
++	*(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx);	\
++} while (0)
++
+ #define RING_GET_RESPONSE(_r, _idx)                                     \
+     (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
+
+Index: xen-4.3.4/tools/blktap2/drivers/block-log.c
+===================================================================
+--- xen-4.3.4.orig/tools/blktap2/drivers/block-log.c	2015-12-18 17:38:50.494965019 +0100
++++ xen-4.3.4/tools/blktap2/drivers/block-log.c	2015-12-18 17:39:01.971470485 +0100
+@@ -494,11 +494,12 @@
+   reqstart = s->bring.req_cons;
+   reqend = s->sring->req_prod;
+
++  xen_mb();
+   BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend);
+
+   while (reqstart != reqend) {
+     /* XXX actually submit these! */
+-    memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req));
++    RING_COPY_REQUEST(&s->bring, reqstart, &req);
+     BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count);
+     s->bring.req_cons = ++reqstart;
+
+Index: xen-4.3.4/tools/blktap2/drivers/tapdisk-vbd.c
+===================================================================
+--- xen-4.3.4.orig/tools/blktap2/drivers/tapdisk-vbd.c	2015-12-18 17:38:50.494965019 +0100
++++ xen-4.3.4/tools/blktap2/drivers/tapdisk-vbd.c	2015-12-18 17:39:01.971470485 +0100
+@@ -1587,7 +1587,7 @@
+ 	int idx;
+ 	RING_IDX rp, rc;
+ 	td_ring_t *ring;
+-	blkif_request_t *req;
++	blkif_request_t req;
+ 	td_vbd_request_t *vreq;
+
+ 	ring = &vbd->ring;
+@@ -1598,16 +1598,16 @@
+ 	xen_rmb();
+
+ 	for (rc = ring->fe_ring.req_cons; rc != rp; rc++) {
+-		req = RING_GET_REQUEST(&ring->fe_ring, rc);
++		RING_COPY_REQUEST(&ring->fe_ring, rc, &req);
+ 		++ring->fe_ring.req_cons;
+
+-		idx  = req->id;
++		idx  = req.id;
+ 		vreq = &vbd->request_list[idx];
+
+ 		ASSERT(list_empty(&vreq->next));
+ 		ASSERT(vreq->secs_pending == 0);
+
+-		memcpy(&vreq->req, req, sizeof(blkif_request_t));
++		memcpy(&vreq->req, &req, sizeof(blkif_request_t));
+ 		vbd->received++;
+ 		vreq->vbd = vbd;
+
+Index: xen-4.3.4/tools/libvchan/io.c
+===================================================================
+--- xen-4.3.4.orig/tools/libvchan/io.c	2015-12-18 17:38:49.978305609 +0100
++++ xen-4.3.4/tools/libvchan/io.c	2015-12-18 17:39:04.404769641 +0100
+@@ -118,6 +118,7 @@
+ static inline int raw_get_data_ready(struct libxenvchan *ctrl)
+ {
+ 	uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl);
++	xen_mb(); /* Ensure 'ready' is read only once. */
+ 	if (ready >= rd_ring_size(ctrl))
+ 		/* We have no way to return errors.  Locking up the ring is
+ 		 * better than the alternatives. */
+@@ -159,6 +160,7 @@
+ static inline int raw_get_buffer_space(struct libxenvchan *ctrl)
+ {
+ 	uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
++	xen_mb(); /* Ensure 'ready' is read only once. */
+ 	if (ready > wr_ring_size(ctrl))
+ 		/* We have no way to return errors.  Locking up the ring is
+ 		 * better than the alternatives. */
diff --git a/recipes-extended/xen/files/xsa-159-XENMEM_exchange-error-handling-issues.patch b/recipes-extended/xen/files/xsa-159-XENMEM_exchange-error-handling-issues.patch
@@ -0,0 +1,61 @@
+################################################################################
+SHORT DESCRIPTION: 
+################################################################################
+XSA-159 (http://xenbits.xen.org/xsa/advisory-159.html)
+XENMEM_exchange error handling issues
+
+################################################################################
+LONG DESCRIPTION: 
+################################################################################
+Source: http://xenbits.xen.org/xsa/advisory-159.html
+Patches: xsa159.patch
+
+Error handling in the operation may involve handing back pages to
+the domain. This operation may fail when in parallel the domain gets
+torn down. So far this failure unconditionally resulted in the host
+being brought down due to an internal error being assumed. This is
+CVE-2015-8339.
+
+Furthermore error handling so far wrongly included the release of a
+lock. That lock, however, was either not acquired or already released
+on all paths leading to the error handling sequence. This is
+CVE-2015-8340.
+
+################################################################################
+CHANGELOG 
+################################################################################
+Added in OpenXT, Xen 4.3.4 patch-queue: Eric Chanudet <[email protected]>
+
+################################################################################
+PATCHES 
+################################################################################
+Index: xen-4.3.4/xen/common/memory.c
+===================================================================
+--- xen-4.3.4.orig/xen/common/memory.c	2015-12-14 13:24:27.461775959 +0100
++++ xen-4.3.4/xen/common/memory.c	2015-12-18 18:07:09.554428333 +0100
+@@ -442,7 +442,7 @@
+     PAGE_LIST_HEAD(out_chunk_list);
+     unsigned long in_chunk_order, out_chunk_order;
+     xen_pfn_t     gpfn, gmfn, mfn;
+-    unsigned long i, j, k = 0; /* gcc ... */
++    unsigned long i, j, k;
+     unsigned int  memflags = 0;
+     long          rc = 0;
+     struct domain *d;
+@@ -679,11 +679,12 @@
+  fail:
+     /* Reassign any input pages we managed to steal. */
+     while ( (page = page_list_remove_head(&in_chunk_list)) )
+-    {
+-        put_gfn(d, gmfn + k--);
+         if ( assign_pages(d, page, 0, MEMF_no_refcount) )
+-            BUG();
+-    }
++        {
++            BUG_ON(!d->is_dying);
++            if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++                put_page(page);
++        }
+
+  dying:
+     rcu_unlock_domain(d);
diff --git a/recipes-extended/xen/files/xsa-160-libxl-leak-of-pv-kernel-and-initrd-on-error.patch b/recipes-extended/xen/files/xsa-160-libxl-leak-of-pv-kernel-and-initrd-on-error.patch
@@ -0,0 +1,58 @@
+################################################################################
+SHORT DESCRIPTION: 
+################################################################################
+XSA-160 (http://xenbits.xen.org/xsa/advisory-160.html)
+libxl leak of pv kernel and initrd on error
+
+################################################################################
+LONG DESCRIPTION: 
+################################################################################
+Source: http://xenbits.xen.org/xsa/advisory-160.html
+Patches: xsa160-4.4.patch
+
+when constructing a guest which is configured to use a pv bootloader
+which runs as a userspace process in the toolstack domain
+(e.g. pygrub) libxl creates a mapping of the files to be used as
+kernel and initial ramdisk when building the guest domain.
+
+however if building the domain subsequently fails these mappings would
+not be released leading to a leak of virtual address space in the
+calling process, as well as preventing the recovery of the temporary
+disk files containing the kernel and initial ramdisk.
+
+################################################################################
+CHANGELOG 
+################################################################################
+Added in OpenXT, Xen 4.3.4 patch-queue: Eric Chanudet <[email protected]>
+
+################################################################################
+PATCHES 
+################################################################################
+Index: xen-4.3.4/tools/libxl/libxl_create.c
+===================================================================
+--- xen-4.3.4.orig/tools/libxl/libxl_create.c	2015-03-19 16:08:36.000000000 +0100
++++ xen-4.3.4/tools/libxl/libxl_create.c	2015-12-18 18:09:49.188858815 +0100
+@@ -1197,6 +1197,9 @@
+     STATE_AO_GC(dcs->ao);
+     libxl_domain_config *const d_config = dcs->guest_config;
+
++    libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
++    libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
++
+     if (!rc && d_config->b_info.exec_ssidref)
+         rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
+
+Index: xen-4.3.4/tools/libxl/libxl_dom.c
+===================================================================
+--- xen-4.3.4.orig/tools/libxl/libxl_dom.c	2015-12-14 13:24:27.655106526 +0100
++++ xen-4.3.4/tools/libxl/libxl_dom.c	2015-12-18 18:09:49.192192102 +0100
+@@ -420,9 +420,6 @@
+         state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
+     }
+
+-    libxl__file_reference_unmap(&state->pv_kernel);
+-    libxl__file_reference_unmap(&state->pv_ramdisk);
+-
+     ret = 0;
+ out:
+     xc_dom_release(dom);
diff --git a/...es-extended/xen/files/xsa-165-information-leak-in-legacy-x86-FPU-XMM-initialization.patch b/...es-extended/xen/files/xsa-165-information-leak-in-legacy-x86-FPU-XMM-initialization.patch
@@ -0,0 +1,103 @@
+################################################################################
+SHORT DESCRIPTION: 
+################################################################################
+XSA-165 (http://xenbits.xen.org/xsa/advisory-165.html)
+libxl: information leak in legacy x86 FPU/XMM initialization
+
+################################################################################
+LONG DESCRIPTION: 
+################################################################################
+Source: http://xenbits.xen.org/xsa/advisory-165.html
+Patches: xsa165-4.3.patch
+
+When XSAVE/XRSTOR are not in use by Xen to manage guest extended register
+state, the initial values in the FPU stack and XMM registers seen by the guest
+upon first use are those left there by the previous user of those registers.
+
+################################################################################
+CHANGELOG 
+################################################################################
+Added in OpenXT, Xen 4.3.4 patch-queue: Eric Chanudet <[email protected]>
+
+################################################################################
+PATCHES 
+################################################################################
+Index: xen-4.3.4/xen/arch/x86/domain.c
+===================================================================
+--- xen-4.3.4.orig/xen/arch/x86/domain.c	2015-03-19 16:08:36.000000000 +0100
++++ xen-4.3.4/xen/arch/x86/domain.c	2015-12-18 18:15:44.813876567 +0100
+@@ -730,6 +730,17 @@
+
+     if ( flags & VGCF_I387_VALID )
+         memcpy(v->arch.fpu_ctxt, &c.nat->fpu_ctxt, sizeof(c.nat->fpu_ctxt));
++    else if ( v->arch.xsave_area )
++        memset(&v->arch.xsave_area->xsave_hdr, 0,
++               sizeof(v->arch.xsave_area->xsave_hdr));
++    else
++    {
++        typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++        memset(fpu_sse, 0, sizeof(*fpu_sse));
++        fpu_sse->fcw = FCW_DEFAULT;
++        fpu_sse->mxcsr = MXCSR_DEFAULT;
++    }
+
+     if ( !compat )
+     {
+Index: xen-4.3.4/xen/arch/x86/i387.c
+===================================================================
+--- xen-4.3.4.orig/xen/arch/x86/i387.c	2015-03-19 16:08:36.000000000 +0100
++++ xen-4.3.4/xen/arch/x86/i387.c	2015-12-18 18:15:44.813876567 +0100
+@@ -17,19 +17,6 @@
+ #include <asm/xstate.h>
+ #include <asm/asm_defns.h>
+
+-static void fpu_init(void)
+-{
+-    unsigned long val;
+-    
+-    asm volatile ( "fninit" );
+-    if ( cpu_has_xmm )
+-    {
+-        /* load default value into MXCSR control/status register */
+-        val = MXCSR_DEFAULT;
+-        asm volatile ( "ldmxcsr %0" : : "m" (val) );
+-    }
+-}
+-
+ /*******************************/
+ /*     FPU Restore Functions   */
+ /*******************************/
+@@ -254,15 +241,8 @@
+
+     if ( cpu_has_xsave )
+         fpu_xrstor(v, XSTATE_LAZY);
+-    else if ( v->fpu_initialised )
+-    {
+-        if ( cpu_has_fxsr )
+-            fpu_fxrstor(v);
+-        else
+-            fpu_frstor(v);
+-    }
+     else
+-        fpu_init();
++        fpu_fxrstor(v);
+
+     v->fpu_initialised = 1;
+     v->fpu_dirtied = 1;
+@@ -323,7 +303,14 @@
+     else
+     {
+         v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
+-        if ( !v->arch.fpu_ctxt )
++        if ( v->arch.fpu_ctxt )
++        {
++            typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++            fpu_sse->fcw = FCW_DEFAULT;
++            fpu_sse->mxcsr = MXCSR_DEFAULT;
++        }
++        else
+         {
+             rc = -ENOMEM;
+             goto done;