Index: head/emulators/xen/Makefile
===================================================================
--- head/emulators/xen/Makefile (revision 405278)
+++ head/emulators/xen/Makefile (revision 405279)
@@ -1,19 +1,20 @@
# $FreeBSD$
PORTNAME= xen
PORTVERSION= 4.5.2
+PORTREVISION= 1
CATEGORIES= emulators
MAINTAINER= royger@FreeBSD.org
COMMENT= Xen Hyvervisor meta port
LICENSE= GPLv2
ONLY_FOR_ARCHS= amd64
RUN_DEPENDS= /boot/xen:${PORTSDIR}/emulators/xen-kernel \
xl:${PORTSDIR}/sysutils/xen-tools
USES= metaport
.include
Index: head/emulators/xen-kernel/Makefile
===================================================================
--- head/emulators/xen-kernel/Makefile (revision 405278)
+++ head/emulators/xen-kernel/Makefile (revision 405279)
@@ -1,54 +1,59 @@
# $FreeBSD$
PORTNAME= xen
PKGNAMESUFFIX= -kernel
PORTVERSION= 4.5.2
+PORTREVISION= 1
CATEGORIES= emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/
MAINTAINER= royger@FreeBSD.org
COMMENT= Hypervisor using a microkernel design
LICENSE= GPLv2
ONLY_FOR_ARCHS= amd64
USES= cpe gmake python:build
MAKE_ARGS= HOSTCC="${CC}" CC="${CC}" PYTHON=${PYTHON_CMD} \
NM="${NM}" LD="${LD}"
USE_GCC= yes
NO_MTREE= yes
PLIST_FILES= /boot/xen \
/boot/xen.4th
ALL_TARGET= build
STRIP= #
WRKSRC_SUBDIR= xen
EXTRA_PATCHES= ${FILESDIR}/0001-introduce-a-helper-to-allocate-non-contiguous-memory.patch:-p2 \
${FILESDIR}/0002-vmap-avoid-hitting-an-ASSERT-with-vfree-NULL.patch:-p2 \
${FILESDIR}/0003-x86-shadow-fix-shadow_track_dirty_vram-to-work-on-hv.patch:-p2 \
${FILESDIR}/0004-x86-hap-make-hap_track_dirty_vram-use-non-contiguous.patch:-p2 \
${FILESDIR}/0005-x86-rework-paging_log_dirty_op-to-work-with-hvm-gues.patch:-p2 \
${FILESDIR}/0006-xen-pvh-enable-mmu_update-hypercall.patch:-p2 \
${FILESDIR}/0007-iommu-fix-usage-of-shared-EPT-IOMMU-page-tables-on-P.patch:-p2 \
- ${FILESDIR}/xsa156-4.5.patch:-p2
+ ${FILESDIR}/xsa156-4.5.patch:-p2 \
+ ${FILESDIR}/xsa159.patch:-p2 \
+ ${FILESDIR}/xsa165-4.5.patch:-p2 \
+ ${FILESDIR}/xsa166-4.5.patch:-p2
+
.include
.if ${OPSYS} != FreeBSD
IGNORE= Only supported on FreeBSD
.endif
.if ${OSVERSION} < 1100055
IGNORE= Only supported on recent FreeBSD 11
.endif
do-install:
${MKDIR} ${STAGEDIR}/boot
${INSTALL_PROGRAM} ${WRKSRC}/xen ${STAGEDIR}/boot
${INSTALL_DATA} ${FILESDIR}/xen.4th ${STAGEDIR}/boot
.include
#Filter out LDFLAGS
.undef LDFLAGS
RUN_DEPENDS:= ${RUN_DEPENDS:N*gcc*}
Index: head/emulators/xen-kernel/files/xsa159.patch
===================================================================
--- head/emulators/xen-kernel/files/xsa159.patch (nonexistent)
+++ head/emulators/xen-kernel/files/xsa159.patch (revision 405279)
@@ -0,0 +1,47 @@
+memory: fix XENMEM_exchange error handling
+
+assign_pages() can fail due to the domain getting killed in parallel,
+which should not result in a hypervisor crash.
+
+Also delete a redundant put_gfn() - all relevant paths leading to the
+"fail" label already do this (and there are also paths where it was
+plain wrong). All of the put_gfn()-s got introduced by 51032ca058
+("Modify naming of queries into the p2m"), including the otherwise
+unneeded initializer for k (with even a kind of misleading comment -
+the compiler warning could actually have served as a hint that the use
+is wrong).
+
+This is XSA-159.
+
+Reported-by: Julien Grall
+Signed-off-by: Jan Beulich
+Acked-by: Ian Campbell
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -334,7 +334,7 @@ static long memory_exchange(XEN_GUEST_HA
+ PAGE_LIST_HEAD(out_chunk_list);
+ unsigned long in_chunk_order, out_chunk_order;
+ xen_pfn_t gpfn, gmfn, mfn;
+- unsigned long i, j, k = 0; /* gcc ... */
++ unsigned long i, j, k;
+ unsigned int memflags = 0;
+ long rc = 0;
+ struct domain *d;
+@@ -572,11 +572,12 @@ static long memory_exchange(XEN_GUEST_HA
+ fail:
+ /* Reassign any input pages we managed to steal. */
+ while ( (page = page_list_remove_head(&in_chunk_list)) )
+- {
+- put_gfn(d, gmfn + k--);
+ if ( assign_pages(d, page, 0, MEMF_no_refcount) )
+- BUG();
+- }
++ {
++ BUG_ON(!d->is_dying);
++ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++ put_page(page);
++ }
+
+ dying:
+ rcu_unlock_domain(d);
Property changes on: head/emulators/xen-kernel/files/xsa159.patch
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Index: head/emulators/xen-kernel/files/xsa165-4.5.patch
===================================================================
--- head/emulators/xen-kernel/files/xsa165-4.5.patch (nonexistent)
+++ head/emulators/xen-kernel/files/xsa165-4.5.patch (revision 405279)
@@ -0,0 +1,85 @@
+x86: don't leak ST(n)/XMMn values to domains first using them
+
+FNINIT doesn't alter these registers, and hence using it is
+insufficient to initialize a guest's initial state.
+
+This is XSA-165.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -798,6 +798,17 @@ int arch_set_info_guest(
+ if ( v->arch.xsave_area )
+ v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE;
+ }
++ else if ( v->arch.xsave_area )
++ memset(&v->arch.xsave_area->xsave_hdr, 0,
++ sizeof(v->arch.xsave_area->xsave_hdr));
++ else
++ {
++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++ memset(fpu_sse, 0, sizeof(*fpu_sse));
++ fpu_sse->fcw = FCW_DEFAULT;
++ fpu_sse->mxcsr = MXCSR_DEFAULT;
++ }
+
+ if ( !compat )
+ {
+--- a/xen/arch/x86/i387.c
++++ b/xen/arch/x86/i387.c
+@@ -17,19 +17,6 @@
+ #include
+ #include
+
+-static void fpu_init(void)
+-{
+- unsigned long val;
+-
+- asm volatile ( "fninit" );
+- if ( cpu_has_xmm )
+- {
+- /* load default value into MXCSR control/status register */
+- val = MXCSR_DEFAULT;
+- asm volatile ( "ldmxcsr %0" : : "m" (val) );
+- }
+-}
+-
+ /*******************************/
+ /* FPU Restore Functions */
+ /*******************************/
+@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *
+
+ if ( cpu_has_xsave )
+ fpu_xrstor(v, XSTATE_LAZY);
+- else if ( v->fpu_initialised )
+- {
+- if ( cpu_has_fxsr )
+- fpu_fxrstor(v);
+- else
+- fpu_frstor(v);
+- }
+ else
+- fpu_init();
++ fpu_fxrstor(v);
+
+ v->fpu_initialised = 1;
+ v->fpu_dirtied = 1;
+@@ -317,7 +297,14 @@ int vcpu_init_fpu(struct vcpu *v)
+ else
+ {
+ v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
+- if ( !v->arch.fpu_ctxt )
++ if ( v->arch.fpu_ctxt )
++ {
++ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
++
++ fpu_sse->fcw = FCW_DEFAULT;
++ fpu_sse->mxcsr = MXCSR_DEFAULT;
++ }
++ else
+ {
+ rc = -ENOMEM;
+ goto done;
Property changes on:
head/emulators/xen-kernel/files/xsa165-4.5.patch
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Index: head/emulators/xen-kernel/files/xsa166-4.5.patch
===================================================================
--- head/emulators/xen-kernel/files/xsa166-4.5.patch (nonexistent)
+++ head/emulators/xen-kernel/files/xsa166-4.5.patch (revision 405279)
@@ -0,0 +1,44 @@
+x86/HVM: avoid reading ioreq state more than once
+
+Otherwise, especially when the compiler chooses to translate the
+switch() to a jump table, unpredictable behavior (and in the jump table
+case arbitrary code execution) can result.
+
+This is XSA-166.
+
+Signed-off-by: Jan Beulich
+Acked-by: Ian Campbell
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -400,23 +400,23 @@ bool_t hvm_io_pending(struct vcpu *v)
+
+ static bool_t hvm_wait_for_io(struct hvm_ioreq_vcpu *sv, ioreq_t *p)
+ {
++ unsigned int state;
++
+ /* NB. Optimised for common case (p->state == STATE_IOREQ_NONE). */
+- while ( p->state != STATE_IOREQ_NONE )
++ while ( (state = p->state) != STATE_IOREQ_NONE )
+ {
+- switch ( p->state )
++ rmb();
++ switch ( state )
+ {
+ case STATE_IORESP_READY: /* IORESP_READY -> NONE */
+- rmb(); /* see IORESP_READY /then/ read contents of ioreq */
+ hvm_io_assist(p);
+ break;
+ case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
+ case STATE_IOREQ_INPROCESS:
+- wait_on_xen_event_channel(sv->ioreq_evtchn,
+- (p->state != STATE_IOREQ_READY) &&
+- (p->state != STATE_IOREQ_INPROCESS));
++ wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state);
+ break;
+ default:
+- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
++ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
+ domain_crash(sv->vcpu->domain);
+ return 0; /* bail */
+ }
Property changes on: head/emulators/xen-kernel/files/xsa166-4.5.patch
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Index: head/sysutils/xen-tools/Makefile
===================================================================
--- head/sysutils/xen-tools/Makefile (revision 405278)
+++ head/sysutils/xen-tools/Makefile (revision 405279)
@@ -1,81 +1,87 @@
# $FreeBSD$
PORTNAME= xen
PORTVERSION= 4.5.2
+PORTREVISION= 1
CATEGORIES= sysutils emulators
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${PORTVERSION}/ \
http://code.coreboot.org/p/seabios/downloads/get/:seabios
PKGNAMESUFFIX= -tools
MAINTAINER= royger@FreeBSD.org
COMMENT= Xen management tool, based on LibXenlight
LICENSE= GPLv2 LGPL3
LICENSE_COMB= multi
LIB_DEPENDS= libyajl.so:${PORTSDIR}/devel/yajl \
liblzo2.so:${PORTSDIR}/archivers/lzo2 \
libpixman-1.so:${PORTSDIR}/x11/pixman
BUILD_DEPENDS= dev86>0:${PORTSDIR}/devel/dev86
OPTIONS_DEFINE= DOCS
ONLY_FOR_ARCHS= amd64
ONLY_FOR_ARCHS_REASON= "not yet ported to anything other than amd64"
SEABIOSVERSION= 1.8.1
DISTFILES+= ${DISTNAME}.tar.gz \
seabios-${SEABIOSVERSION}.tar.gz:seabios
WRKSRC= ${WRKDIR}/xen-${PORTVERSION}
USES= cpe gmake libtool perl5 pkgconfig python shebangfix
USE_GNOME= glib20
USE_LDCONFIG= yes
GNU_CONFIGURE= yes
CONFIGURE_ENV= HOSTCC="${CC}" CC="${CC}" \
ac_cv_path_BASH=${TRUE} \
ac_cv_path_XGETTEXT=${TRUE}
MAKE_ARGS= HOSTCC="${CC}" CC="${CC}" GCC="${GCC}" cc="${GCC}"
QEMU_ARGS= --disable-gtk \
--disable-smartcard-nss \
--disable-sdl \
--disable-vte \
--disable-glx \
--disable-curses \
--disable-tools \
--disable-curl \
--cxx=c++
-EXTRA_PATCHES= ${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1
+EXTRA_PATCHES= ${FILESDIR}/0002-libxc-fix-xc_dom_load_elf_symtab.patch:-p1 \
+ ${FILESDIR}/xsa160-4.6.patch:-p1
CONFIGURE_ARGS+= --with-extra-qemuu-configure-args="${QEMU_ARGS}"
SHEBANG_FILES= tools/misc/xencov_split \
tools/misc/xen-ringwatch
USE_GCC= yes
ALL_TARGET= tools docs
INSTALL_TARGET= install-tools install-docs
.include
.if ${OPSYS} != FreeBSD
IGNORE= only supported on FreeBSD
.endif
post-extract:
${MV} ${WRKDIR}/seabios-${SEABIOSVERSION} ${WRKSRC}/tools/firmware/seabios-dir
post-patch:
@${REINPLACE_CMD} "s,x86_64,amd64,g" ${WRKSRC}/tools/configure
@${REINPLACE_CMD} -e "s,/var/lib,/var/db,g" \
${WRKSRC}/tools/Makefile \
${WRKSRC}/tools/libxc/include/xenguest.h
\
${WRKSRC}/tools/libxl/libxl_dom.c \
${WRKSRC}/tools/libxl/libxl_dm.c \
${WRKSRC}/tools/qemu-xen-traditional/i386-dm/helper2.c \
${WRKSRC}/docs/man/*
+ @for p in ${FILESDIR}/*qemuu*.patch; do \
+ ${ECHO_CMD} "====> Applying $${p##*/}" ; \
+ ${PATCH} -s -p1 -i $${p} -d ${WRKSRC}/tools/qemu-xen ; \
+ done
post-install:
${MKDIR} ${STAGEDIR}/var/run/xen
.include
Index: head/sysutils/xen-tools/files/xsa160-4.6.patch
===================================================================
--- head/sysutils/xen-tools/files/xsa160-4.6.patch (nonexistent)
+++ head/sysutils/xen-tools/files/xsa160-4.6.patch (revision 405279)
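Review bot: The new qemu-xen patch loop in post-patch has no guard for an empty glob, so if `${FILESDIR}/*qemuu*.patch` matches nothing (xsa162-qemuu.patch is the only such file in this commit) the shell hands the literal pattern to ${PATCH}, which then fails with an unhelpful message; `-s` additionally suppresses patch's own output, so a rejected hunk is visible only through the exit status. I would put `[ -e "$${p}" ] || continue ; \` as the first statement of the loop and append `|| exit 1` to the ${PATCH} line, so that a failed patch aborts the target without relying on how make's shell treats errors inside a for loop. A one-line comment above the loop saying why these patches bypass EXTRA_PATCHES would also help — presumably because their paths are relative to tools/qemu-xen rather than ${WRKSRC}, as the `-d ${WRKSRC}/tools/qemu-xen` argument suggests, e.g. `# qemuu patches are rooted at tools/qemu-xen, so EXTRA_PATCHES cannot apply them`. The post-patch target begins on the previous page line, but the hunk itself is complete.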
@@ -0,0 +1,69 @@
+From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
+From: Ian Jackson
+Date: Wed, 18 Nov 2015 15:34:54 +0000
+Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
+ build failure
+
+The bootloader may call libxl__file_reference_map(), which mmap's the
+pv_kernel and pv_ramdisk into process memory. This was only unmapped,
+however, on the success path of libxl__build_pv(). If there were a
+failure anywhere between libxl_bootloader.c:parse_bootloader_result()
+and the end of libxl__build_pv(), the calls to
+libxl__file_reference_unmap() would be skipped, leaking the mapped
+virtual memory.
+
+Ideally this would be fixed by adding the unmap calls to the
+destruction path for libxl__domain_build_state. Unfortunately the
+lifetime of the libxl__domain_build_state is opaque, and it doesn't
+have a proper destruction path. But, the only thing in it that isn't
+from the gc are these bootloader references, and they are only ever
+set for one libxl__domain_build_state, the one which is
+libxl__domain_create_state.build_state.
+
+So we can clean up in the exit path from libxl__domain_create_*, which
+always comes through domcreate_complete.
+
+Remove the now-redundant unmaps in libxl__build_pv's success path.
+
+This is XSA-160.
+
+Signed-off-by: George Dunlap
+Signed-off-by: Ian Jackson
+Tested-by: George Dunlap
+Acked-by: Ian Campbell
+---
+ tools/libxl/libxl_create.c | 3 +++
+ tools/libxl/libxl_dom.c | 3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
+index f5771da..278b9ed 100644
+--- a/tools/libxl/libxl_create.c
++++ b/tools/libxl/libxl_create.c
+@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__egc *egc,
+ libxl_domain_config *const d_config = dcs->guest_config;
+ libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
+
++ libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
++ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
++
+ if (!rc && d_config->b_info.exec_ssidref)
+ rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
+
+diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
+index 8019f4e..2da3ac4 100644
+--- a/tools/libxl/libxl_dom.c
++++ b/tools/libxl/libxl_dom.c
+@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid,
+ state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
+ }
+
+- libxl__file_reference_unmap(&state->pv_kernel);
+- libxl__file_reference_unmap(&state->pv_ramdisk);
+-
+ ret = 0;
+ out:
+ xc_dom_release(dom);
+--
+1.7.10.4
+
Property changes on: head/sysutils/xen-tools/files/xsa160-4.6.patch
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Index: head/sysutils/xen-tools/files/xsa162-qemuu.patch
===================================================================
--- head/sysutils/xen-tools/files/xsa162-qemuu.patch (nonexistent)
+++ head/sysutils/xen-tools/files/xsa162-qemuu.patch (revision 405279)
@@ -0,0 +1,42 @@
+net: pcnet: add check to validate receive data size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported-by: Qinghao Tang
+Signed-off-by: Prasad J Pandit
+---
+ hw/net/pcnet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 3437376..5f55591 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ uint32_t fcs = ~0;
+ uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+ CRC(fcs, *p++);
+ crc_err = (*(uint32_t *)p != htonl(fcs));
+ }
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s)
+ bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+--
+2.4.3
+
Property changes on: head/sysutils/xen-tools/files/xsa162-qemuu.patch
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property