Index: branches/2015Q3/sysutils/xen-tools/Makefile =================================================================== --- branches/2015Q3/sysutils/xen-tools/Makefile (revision 394514) +++ branches/2015Q3/sysutils/xen-tools/Makefile (revision 394515) @@ -1,92 +1,93 @@ # $FreeBSD$ PORTNAME= xen PKGNAMESUFFIX= -tools PORTVERSION= 4.5.0 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= sysutils emulators MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \ http://code.coreboot.org/p/seabios/downloads/get/:seabios MAINTAINER= bapt@FreeBSD.org COMMENT= Xen management tool, based on LibXenlight LICENSE= GPLv2 LGPL3 LICENSE_COMB= multi OPTIONS_DEFINE= DOCS LIB_DEPENDS= libyajl.so:${PORTSDIR}/devel/yajl \ liblzo2.so:${PORTSDIR}/archivers/lzo2 \ libpixman-1.so:${PORTSDIR}/x11/pixman BUILD_DEPENDS= dev86>0:${PORTSDIR}/devel/dev86 ONLY_FOR_ARCHS= amd64 ONLY_FOR_ARCHS_REASON= "not yet ported to anything other than amd64" SEABIOSVERSION= 1.8.1 DISTFILES+= ${DISTNAME}.tar.gz \ seabios-${SEABIOSVERSION}.tar.gz:seabios WRKSRC= ${WRKDIR}/xen-${PORTVERSION} USES= cpe gmake perl5 python shebangfix libtool pkgconfig USE_GNOME= glib20 GNU_CONFIGURE= yes CONFIGURE_ENV= HOSTCC="${CC}" CC="${CC}" \ ac_cv_path_BASH=${TRUE} \ ac_cv_path_XGETTEXT=${TRUE} MAKE_ARGS= HOSTCC="${CC}" CC="${CC}" GCC="${GCC}" cc="${GCC}" QEMU_ARGS= --disable-gtk \ --disable-smartcard-nss \ --disable-sdl \ --disable-vte \ --disable-glx \ --disable-curses \ --disable-tools \ --disable-curl \ --cxx=c++ EXTRA_PATCHES= ${FILESDIR}/xsa119-unstable.patch:-p1 \ ${FILESDIR}/xsa125.patch:-p1 \ + ${FILESDIR}/xsa137.patch:-p1 \ ${FILESDIR}/0001-libelf-fix-elf_parse_bsdsyms-call.patch:-p1 \ ${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1 CONFIGURE_ARGS+= --with-extra-qemuu-configure-args="${QEMU_ARGS}" SHEBANG_FILES= tools/misc/xencov_split \ tools/misc/xen-ringwatch USE_GCC= yes ALL_TARGET= tools docs INSTALL_TARGET= install-tools install-docs .include .if ${OPSYS} != FreeBSD IGNORE= Only supported on FreeBSD .endif post-extract: ${MV} ${WRKDIR}/seabios-${SEABIOSVERSION} ${WRKSRC}/tools/firmware/seabios-dir post-patch: @${REINPLACE_CMD} "s,x86_64,amd64,g" ${WRKSRC}/tools/configure @${REINPLACE_CMD} -e "s,/var/lib,/var/db,g" \ ${WRKSRC}/tools/Makefile \ ${WRKSRC}/tools/libxc/include/xenguest.h \ ${WRKSRC}/tools/libxl/libxl_dom.c \ ${WRKSRC}/tools/libxl/libxl_dm.c \ ${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c \ ${WRKSRC}/docs/man/* @for p in ${FILESDIR}/*qemut*.patch; do \ ${ECHO_CMD} "====> Applying $${p##*/}" ; \ patch -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen-traditional ; \ done @for p in ${FILESDIR}/*qemuu*.patch; do \ ${ECHO_CMD} "====> Applying $${p##*/}" ; \ patch -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen ; \ done post-install: ${MKDIR} ${STAGEDIR}/var/run/xen .include Index: branches/2015Q3/sysutils/xen-tools/files/xsa137.patch =================================================================== --- branches/2015Q3/sysutils/xen-tools/files/xsa137.patch (nonexistent) +++ branches/2015Q3/sysutils/xen-tools/files/xsa137.patch (revision 394515) @@ -0,0 +1,231 @@ +From 593fe52faa1b85567a7ec20c69d8cfbc7368ae5b Mon Sep 17 00:00:00 2001 +From: Ian Jackson +Date: Mon, 15 Jun 2015 14:50:42 +0100 +Subject: [PATCH] xl: Sane handling of extra config file arguments + +Various xl sub-commands take additional parameters containing = as +additional config fragments. + +The handling of these config fragments has a number of bugs: + + 1. Use of a static 1024-byte buffer. (If truncation would occur, + with semi-trusted input, a security risk arises due to quotes + being lost.) + + 2. Mishandling of the return value from snprintf, so that if + truncation occurs, the to-write pointer is updated with the + wanted-to-write length, resulting in stack corruption. (This is + XSA-137.) + + 3. Clone-and-hack of the code for constructing the appended + config file. + +These are fixed here, by introducing a new function +`string_realloc_append' and using it everywhere. The `extra_info' +buffers are replaced by pointers, which start off NULL and are +explicitly freed on all return paths. + +The separate variable which will become dom_info.extra_config is +abolished (which involves moving the clearing of dom_info). + +Additional bugs I observe, not fixed here: + + 4. The functions which now call string_realloc_append use ad-hoc + error returns, with multiple calls to `return'. This currently + necessitates multiple new calls to `free'. + + 5. Many of the paths in xl call exit(-rc) where rc is a libxl status + code. This is a ridiculous exit status `convention'. + + 6. The loops for handling extra config data are clone-and-hacks. + + 7. Once the extra config buffer is accumulated, it must be combined + with the appropriate main config file. The code to do this + combining is clone-and-hacked too. + +Signed-off-by: Ian Jackson +Tested-by: Ian Jackson +Acked-by: Ian Campbell +--- +v2: Use SSIZE_MAX, not INT_MAX. + Check *accumulate for NULL, not accumulate. + Move memset of dom_info. +--- + tools/libxl/xl_cmdimpl.c | 64 +++++++++++++++++++++++++++++----------------- + 1 file changed, 40 insertions(+), 24 deletions(-) + +diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c +index c858068..c01a851 100644 +--- a/tools/libxl/xl_cmdimpl.c ++++ b/tools/libxl/xl_cmdimpl.c +@@ -151,7 +151,7 @@ struct domain_create { + int console_autoconnect; + int checkpointed_stream; + const char *config_file; +- const char *extra_config; /* extra config string */ ++ char *extra_config; /* extra config string */ + const char *restore_file; + int migrate_fd; /* -1 means none */ + char **migration_domname_r; /* from malloc */ +@@ -4805,11 +4805,25 @@ int main_vm_list(int argc, char **argv) + return 0; + } + ++static void string_realloc_append(char **accumulate, const char *more) ++{ ++ /* Appends more to accumulate. Accumulate is either NULL, or ++ * points (always) to a malloc'd nul-terminated string. */ ++ ++ size_t oldlen = *accumulate ? strlen(*accumulate) : 0; ++ size_t morelen = strlen(more) + 1/*nul*/; ++ if (oldlen > SSIZE_MAX || morelen > SSIZE_MAX - oldlen) { ++ fprintf(stderr,"Additional config data far too large\n"); ++ exit(-ERROR_FAIL); ++ } ++ ++ *accumulate = xrealloc(*accumulate, oldlen + morelen); ++ memcpy(*accumulate + oldlen, more, morelen); ++} ++ + int main_create(int argc, char **argv) + { + const char *filename = NULL; +- char *p; +- char extra_config[1024]; + struct domain_create dom_info; + int paused = 0, debug = 0, daemonize = 1, console_autoconnect = 0, + quiet = 0, monitor = 1, vnc = 0, vncautopass = 0; +@@ -4824,6 +4838,8 @@ int main_create(int argc, char **argv) + {0, 0, 0, 0} + }; + ++ dom_info.extra_config = NULL; ++ + if (argv[1] && argv[1][0] != '-' && !strchr(argv[1], '=')) { + filename = argv[1]; + argc--; argv++; +@@ -4863,20 +4879,21 @@ int main_create(int argc, char **argv) + break; + } + +- extra_config[0] = '\0'; +- for (p = extra_config; optind < argc; optind++) { ++ memset(&dom_info, 0, sizeof(dom_info)); ++ ++ for (; optind < argc; optind++) { + if (strchr(argv[optind], '=') != NULL) { +- p += snprintf(p, sizeof(extra_config) - (p - extra_config), +- "%s\n", argv[optind]); ++ string_realloc_append(&dom_info.extra_config, argv[optind]); ++ string_realloc_append(&dom_info.extra_config, "\n"); + } else if (!filename) { + filename = argv[optind]; + } else { + help("create"); ++ free(dom_info.extra_config); + return 2; + } + } + +- memset(&dom_info, 0, sizeof(dom_info)); + dom_info.debug = debug; + dom_info.daemonize = daemonize; + dom_info.monitor = monitor; +@@ -4884,16 +4901,18 @@ int main_create(int argc, char **argv) + dom_info.dryrun = dryrun_only; + dom_info.quiet = quiet; + dom_info.config_file = filename; +- dom_info.extra_config = extra_config; + dom_info.migrate_fd = -1; + dom_info.vnc = vnc; + dom_info.vncautopass = vncautopass; + dom_info.console_autoconnect = console_autoconnect; + + rc = create_domain(&dom_info); +- if (rc < 0) ++ if (rc < 0) { ++ free(dom_info.extra_config); + return -rc; ++ } + ++ free(dom_info.extra_config); + return 0; + } + +@@ -4901,8 +4920,7 @@ int main_config_update(int argc, char **argv) + { + uint32_t domid; + const char *filename = NULL; +- char *p; +- char extra_config[1024]; ++ char *extra_config = NULL; + void *config_data = 0; + int config_len = 0; + libxl_domain_config d_config; +@@ -4940,15 +4958,15 @@ int main_config_update(int argc, char **argv) + break; + } + +- extra_config[0] = '\0'; +- for (p = extra_config; optind < argc; optind++) { ++ for (; optind < argc; optind++) { + if (strchr(argv[optind], '=') != NULL) { +- p += snprintf(p, sizeof(extra_config) - (p - extra_config), +- "%s\n", argv[optind]); ++ string_realloc_append(&extra_config, argv[optind]); ++ string_realloc_append(&extra_config, "\n"); + } else if (!filename) { + filename = argv[optind]; + } else { + help("create"); ++ free(extra_config); + return 2; + } + } +@@ -4957,7 +4975,8 @@ int main_config_update(int argc, char **argv) + rc = libxl_read_file_contents(ctx, filename, + &config_data, &config_len); + if (rc) { fprintf(stderr, "Failed to read config file: %s: %s\n", +- filename, strerror(errno)); return ERROR_FAIL; } ++ filename, strerror(errno)); ++ free(extra_config); return ERROR_FAIL; } + if (strlen(extra_config)) { + if (config_len > INT_MAX - (strlen(extra_config) + 2 + 1)) { + fprintf(stderr, "Failed to attach extra configration\n"); +@@ -4998,7 +5017,7 @@ int main_config_update(int argc, char **argv) + libxl_domain_config_dispose(&d_config); + + free(config_data); +- ++ free(extra_config); + return 0; + } + +@@ -7255,7 +7274,7 @@ int main_cpupoolcreate(int argc, char **argv) + { + const char *filename = NULL, *config_src=NULL; + const char *p; +- char extra_config[1024]; ++ char *extra_config = NULL; + int opt; + static struct option opts[] = { + {"defconfig", 1, 0, 'f'}, +@@ -7289,13 +7308,10 @@ int main_cpupoolcreate(int argc, char **argv) + break; + } + +- memset(extra_config, 0, sizeof(extra_config)); + while (optind < argc) { + if ((p = strchr(argv[optind], '='))) { +- if (strlen(extra_config) + 1 + strlen(argv[optind]) < sizeof(extra_config)) { +- strcat(extra_config, "\n"); +- strcat(extra_config, argv[optind]); +- } ++ string_realloc_append(&extra_config, "\n"); ++ string_realloc_append(&extra_config, argv[optind]); + } else if (!filename) { + filename = argv[optind]; + } else { +-- +1.7.10.4 + Property changes on: branches/2015Q3/sysutils/xen-tools/files/xsa137.patch ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2015Q3 =================================================================== --- branches/2015Q3 (revision 394514) +++ branches/2015Q3 (revision 394515) Property changes on: branches/2015Q3 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r391737