From 368a721cfdc418228722fc6d7f5d9e7c6f908865 Mon Sep 17 00:00:00 2001 From: Mario Preksavec Date: Fri, 29 Jul 2016 00:37:50 +0200 Subject: system/xen: Additional features, patches and script fixes. Signed-off-by: Mario Preksavec --- system/xen/README | 29 +++---- system/xen/dom0/README.dom0 | 34 ++++++++- system/xen/dom0/kernel-xen.sh | 39 +++++----- system/xen/patches/disable_git_checkout.diff | 44 ----------- system/xen/patches/qemu_configure_options.diff | 4 +- system/xen/xen.SlackBuild | 33 +++++--- system/xen/xen.info | 6 +- system/xen/xsa/xsa182-4.6.patch | 102 +++++++++++++++++++++++++ system/xen/xsa/xsa183-4.6.patch | 75 ++++++++++++++++++ system/xen/xsa/xsa184-qemut-master.patch | 43 +++++++++++ system/xen/xsa/xsa184-qemuu-master.patch | 43 +++++++++++ 11 files changed, 355 insertions(+), 97 deletions(-) delete mode 100644 system/xen/patches/disable_git_checkout.diff create mode 100644 system/xen/xsa/xsa182-4.6.patch create mode 100644 system/xen/xsa/xsa183-4.6.patch create mode 100644 system/xen/xsa/xsa184-qemut-master.patch create mode 100644 system/xen/xsa/xsa184-qemuu-master.patch diff --git a/system/xen/README b/system/xen/README index 4ae5848f40..7422c640a6 100644 --- a/system/xen/README +++ b/system/xen/README 
@@ -4,22 +4,23 @@ virtualization of x86, x86_64, IA64, ARM, and other CPU architectures. It supports a wide range of guest operating systems including Windows, Linux, Solaris, and various versions of the BSD operating systems. -mbootpack is an optional dependency, it creates LILO compatible kernel. -libssh2 is also optional dependency, it can be enabled with: LIBSSH2=yes -ocaml-findlib is yet another optional dependency, it builds oxenstored -Additionally, BlueZ support can be enabled with: BLUEZ=yes and ocaml +This script has a few optional dependencies: -In order to run Xen, you will need to install and boot from a Xen dom0 -kernel. Check README.dom0 (in docs/dom0) for more information on how to do -that. Additionally, README.domU has information about unpriviledged guests. + mbootpack - creates LILO compatible kernel images + libssh2 - mostly used by libvirt, enable with USE_LIBSSH2=yes + ocaml-findlib - autodetected, builds oxenstored binary + bluez - enable with USE_BLUEZ=yes -README.openvswitch-extended explains a bit more advanced aproach to Open -vSwitch setup, more adventureous folk can use: +Reading material: - INSTALL_OPENVSWITCH_EXTENDED=yes ./xen.SlackBuild + README.SLACKWARE - explains Xen daemons and system startup + README.dom0 - explains setting up privileged Xen domain (host) + README.domU - talks about unprivileged Xen domain (guest) + README.openvswitch-extended - additional Open vSwitch use case + README.xsa - building Xen with latest security fixes -This will install vif script and the config file under /etc/xen, helper -script will be stripped of its .sh suffix and installed into /usr/bin +Toggle additional features: -See README.SLACKWARE (which is also installed with the package docs) for -setup, configuration, and usage hints. + BUILD_STUBDOM=yes - enables lightweight service/driver domains + INSTALL_OPENVSWITCH_EXTENDED=yes - systemwide install + WITH_OVMF=no - disables guest domain EFI/UEFI support 
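Review bot: README.xsa is added to the "Reading material" list in this hunk, but no file by that name appears in the diffstat at the top of this commit; confirm it already exists under system/xen/ (or add it here), otherwise the reference dangles. Also, "libssh2 - mostly used by libvirt" misdescribes the toggle: per the qemu_configure_options.diff change further down, USE_LIBSSH2=yes becomes `--enable-libssh2` on the QEMU configure line, i.e. it enables QEMU's libssh2 block driver, so say that. Minor: the removed text told readers where README.dom0 lives ("in docs/dom0") and that README.SLACKWARE ships with the package docs; the new list gives bare names, so add one line saying where the READMEs are installed.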
diff --git a/system/xen/dom0/README.dom0 b/system/xen/dom0/README.dom0 index 4a3b8b21ad..c3c24cc2dc 100644 --- a/system/xen/dom0/README.dom0 +++ b/system/xen/dom0/README.dom0 @@ -10,7 +10,7 @@ Originally, booting Xen kernel with LILO bootloader is not supported, and GRUB has to be used. With mbootpack this has changed, and LILO can be used as well. Basically, mbootpack takes Linux kernel, initrd and Xen VMM, and packages them up into a file that looks like a bzImage Linux kernel. This script will select -LILO by default, changing to GRUB is easy, use: +LILO by default, changing to GRUB is easy: BOOTLOADER=grub ./kernel-xen.sh @@ -19,7 +19,7 @@ Slackware generic kernel requires initrd image, this script assumes root is on ROOTMOD=ext3 ROOTFS=ext3 ROOTDEV=/dev/sda5 ./kernel-xen.sh -When using LILO bootloader, this is what the most of lilo.conf should have: +When using LILO bootloader, this is what the lilo.conf should have: image = /boot/vmlinuz-xen root = /dev/sda2 
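Review bot: in the second README.dom0 hunk, "this is what the lilo.conf should have" now reads as if the snippet that follows were a complete lilo.conf, but the lines shown (`image = /boot/vmlinuz-xen`, `root = /dev/sda2`, ...) are only the image stanza; the dropped "most of" was more accurate, or say "this is the image stanza lilo.conf needs".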
@@ -38,6 +38,36 @@ When using GRUB, /boot/grub/menu.lst should have these: module /boot/vmlinuz-xen root=/dev/sda2 ro console=tty0 nomodeset module /boot/initrd-xen.gz +Booting Xen on a native EFI system is also an option, but the only clean +solution at this time requires a modified binutils package. More experienced +user can add "x86_64-pep" to the list of enabled targets and build/replace +binutils on their system. Subsequently, building Xen will now also create a +Xen EFI binary. + +To make things a bit easier, a copy of Xen EFI binary can be found here: + + http://slackware.hr/~mario/xen/xen.efi.gz + +If an automatic boot to Xen kernel is desired, the binary should be renamed and +copied to the following location: /boot/efi/EFI/BOOT/bootx64.efi +Downloaded binary should be unpacked first, and the config file should be +present in the same directory (same file name, minus the suffix). +For example: "xen.cfg" or "bootx64.cfg", and its contents: + + [global] + default=xen + + [xen] + options=dom0_mem=min:512M,max:512M,512M + kernel=vmlinuz-xen root=/dev/sda2 ro console=tty0 nomodeset + ramdisk=initrd-xen.gz + +There are some other EFI bootloaders, for example ELILO comes with the support +for VMM images, but their x86 support is lacking. GRUB2 apparently supports +only the chainloader method; however, the stock Slackware version is too old +for this task. rEFInd should work, but the Xen EFI method was satisfactory to +the author :-) + Troubleshooting dom0 crashes, freezes, blank screen and such: * Use /proc/fb to find an out of range device id, for example this can be diff --git a/system/xen/dom0/kernel-xen.sh b/system/xen/dom0/kernel-xen.sh index 9eb7a57a6d..15e7439f33 100644 --- a/system/xen/dom0/kernel-xen.sh +++ b/system/xen/dom0/kernel-xen.sh 
@@ -27,6 +27,12 @@ if [ "$BOOTLOADER" = lilo ] && [ ! -x /usr/bin/mbootpack ]; then exit fi +if [ ! -d /usr/src/linux-$KERNEL ]; then + echo "Missing kernel source in /usr/src/linux-$KERNEL" + echo "Get it from kernel.org and rerun this script." + exit +fi + CWD=$(pwd) TMP=${TMP:-/tmp/xen} @@ -35,12 +41,6 @@ set -e rm -rf $TMP mkdir -p $TMP -if [ ! -d /usr/src/linux-$KERNEL ]; then - echo "Missing kernel source in /usr/src/linux-$KERNEL" - echo "Get it from kernel.org and rerun this script." - exit -fi - # Prepare kernel source cd /usr/src cp -a linux-$KERNEL linux-$KERNEL-xen @@ -68,32 +68,27 @@ if [ "$MENUCONFIG" = yes ]; then done fi -make vmlinux modules +make bzImage modules make modules_install INSTALL_MOD_PATH=$TMP # Install modules cp -a $TMP/lib/modules/$KERNEL-xen /lib/modules -# Strip kernel symbols -strip vmlinux -o vmlinux-stripped - # Create initrd -mkinitrd -c -k $KERNEL-xen -m $ROOTMOD -f $ROOTFS -r $ROOTDEV -o /boot/initrd-$KERNEL-xen.gz +mkinitrd -c -k $KERNEL-xen -m $ROOTMOD -f $ROOTFS -r $ROOTDEV \ + -o /boot/initrd-$KERNEL-xen.gz -# For lilo we pack kernel up with mbootpack +# For lilo we use mbootpack if [ "$BOOTLOADER" = lilo ]; then gzip -d -c /boot/xen-$XEN.gz > xen-$XEN - gzip -d -c /boot/initrd-$KERNEL-xen.gz > initrd-$KERNEL-xen - mbootpack -o vmlinux-stripped-mboot -m vmlinux-stripped -m initrd-$KERNEL-xen xen-$XEN -# For lilo we need to keep kernel unpacked - cp -a vmlinux-stripped-mboot vmlinuz -elif [ "$BOOTLOADER" = grub ]; then - gzip vmlinux-stripped -c > vmlinuz + mbootpack -m arch/x86/boot/bzImage -m /boot/initrd-$KERNEL-xen.gz xen-$XEN \ + -o /boot/vmlinuz-$KERNEL-xen +else + cp arch/x86/boot/bzImage /boot/vmlinuz-$KERNEL-xen fi -install -D -m 644 vmlinuz /boot/vmlinuz-$KERNEL-xen -install -m 644 System.map /boot/System.map-$KERNEL-xen -install -m 644 .config /boot/config-$KERNEL-xen +cp System.map /boot/System.map-$KERNEL-xen +cp .config /boot/config-$KERNEL-xen cd /boot ln -s vmlinuz-$KERNEL-xen vmlinuz-xen 
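Review bot: the relocated kernel-source check (first hunk) still ends with a bare `exit`, which returns status 0, so a wrapper or a `set -e` caller cannot distinguish the missing-source abort from success; make it `exit 1` (the mbootpack check in the context just above has the same flaw and could be fixed in passing). Moving the check ahead of `rm -rf $TMP` is the right call, since the script no longer wipes $TMP before discovering it cannot proceed. In the third hunk, mbootpack is now given `/boot/initrd-$KERNEL-xen.gz` directly, where the old code ran `gzip -d -c` on it first; confirm mbootpack accepts a gzip-compressed module, since the old decompression looks deliberate. The switch from `install -m 644` to plain `cp` for System.map and .config drops the explicit mode, so a restrictive umask in the build environment now leaks into /boot; keep `install -m 644` or note that the change is intentional.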
@@ -104,4 +99,4 @@ ln -s initrd-$KERNEL-xen.gz initrd-xen.gz # Clean up kernel sources cd /usr/src/linux-$KERNEL-xen make clean -rm initrd-$KERNEL-xen vmlinux-stripped* vmlinuz xen-$XEN +rm xen-$XEN diff --git a/system/xen/patches/disable_git_checkout.diff b/system/xen/patches/disable_git_checkout.diff deleted file mode 100644 index 292a8ba569..0000000000 --- a/system/xen/patches/disable_git_checkout.diff +++ /dev/null 
@@ -1,44 +0,0 @@ ---- xen-4.6.1/tools/Makefile.orig 2016-02-09 15:44:19.000000000 +0100 -+++ xen-4.6.1/tools/Makefile 2016-02-20 20:22:38.659839628 +0100 -@@ -168,9 +168,9 @@ - set -ex; \ - if test -d $(QEMU_TRADITIONAL_LOC); then \ - mkdir -p qemu-xen-traditional-dir; \ -- else \ -- export GIT=$(GIT); \ -- $(XEN_ROOT)/scripts/git-checkout.sh $(QEMU_TRADITIONAL_LOC) $(QEMU_TRADITIONAL_REVISION) qemu-xen-traditional-dir; \ -+# else \ -+# export GIT=$(GIT); \ -+# $(XEN_ROOT)/scripts/git-checkout.sh $(QEMU_TRADITIONAL_LOC) $(QEMU_TRADITIONAL_REVISION) qemu-xen-traditional-dir; \ - fi - - .PHONY: qemu-xen-traditional-dir-force-update -@@ -214,9 +214,9 @@ - qemu-xen-dir-find: - if test -d $(QEMU_UPSTREAM_LOC) ; then \ - mkdir -p qemu-xen-dir; \ -- else \ -- export GIT=$(GIT); \ -- $(XEN_ROOT)/scripts/git-checkout.sh $(QEMU_UPSTREAM_LOC) $(QEMU_UPSTREAM_REVISION) qemu-xen-dir ; \ -+# else \ -+# export GIT=$(GIT); \ -+# $(XEN_ROOT)/scripts/git-checkout.sh $(QEMU_UPSTREAM_LOC) $(QEMU_UPSTREAM_REVISION) qemu-xen-dir ; \ - fi - - .PHONY: qemu-xen-dir-force-update ---- xen-4.6.1/tools/firmware/Makefile.orig 2016-02-09 15:44:19.000000000 +0100 -+++ xen-4.6.1/tools/firmware/Makefile 2016-02-20 20:23:33.994923068 +0100 -@@ -20,11 +20,11 @@ - LD32BIT-$(CONFIG_FreeBSD) := LD32BIT_FLAG=-melf_i386_fbsd - - ovmf-dir: -- GIT=$(GIT) $(XEN_ROOT)/scripts/git-checkout.sh $(OVMF_UPSTREAM_URL) $(OVMF_UPSTREAM_REVISION) ovmf-dir -+# GIT=$(GIT) $(XEN_ROOT)/scripts/git-checkout.sh $(OVMF_UPSTREAM_URL) $(OVMF_UPSTREAM_REVISION) ovmf-dir - cp ovmf-makefile ovmf-dir/Makefile; - - seabios-dir: -- GIT=$(GIT) $(XEN_ROOT)/scripts/git-checkout.sh $(SEABIOS_UPSTREAM_URL) $(SEABIOS_UPSTREAM_REVISION) seabios-dir -+# GIT=$(GIT) $(XEN_ROOT)/scripts/git-checkout.sh $(SEABIOS_UPSTREAM_URL) $(SEABIOS_UPSTREAM_REVISION) seabios-dir - $(MAKE) -C seabios-dir defconfig - - .PHONY: all 
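Review bot: deleting this patch re-enables the `git-checkout.sh` fallbacks in tools/Makefile and tools/firmware/Makefile, so an offline or sandboxed build now depends on every `test -d` precondition being satisfied before make runs. The SlackBuild change later in this commit pre-populates seabios-dir and ovmf-dir, which covers the two firmware targets, but nothing here addresses qemu-xen-traditional-dir-find and qemu-xen-dir-find; confirm the 4.6.3 release tarball ships the qemu trees at the locations $(QEMU_TRADITIONAL_LOC) and $(QEMU_UPSTREAM_LOC) point to, otherwise a build with network access will silently fetch an unpinned tree and one without it will fail. A comment next to "Let's not download stuff during the build..." in the SlackBuild recording this assumption would help the next maintainer.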
diff --git a/system/xen/patches/qemu_configure_options.diff b/system/xen/patches/qemu_configure_options.diff index f15cd5bfa7..747ffadbf6 100644 --- a/system/xen/patches/qemu_configure_options.diff +++ b/system/xen/patches/qemu_configure_options.diff @@ -5,8 +5,8 @@ --disable-guest-agent \ --python=$(PYTHON) \ + --sysconfdir=/etc \ -+ --@@LIBSSH2@@able-libssh2 \ -+ --@@BLUEZ@@able-bluez \ ++ --@@CONF_LIBSSH2@@able-libssh2 \ ++ --@@CONF_BLUEZ@@able-bluez \ $(CONFIG_QEMUU_EXTRA_ARGS) \ --cpu=$(IOEMU_CPU_ARCH) \ $(IOEMU_CONFIGURE_CROSS); \ diff --git a/system/xen/xen.SlackBuild b/system/xen/xen.SlackBuild index 54b8d190ad..21afbcb9a9 100644 --- a/system/xen/xen.SlackBuild +++ b/system/xen/xen.SlackBuild @@ -24,10 +24,11 @@ PRGNAM=xen VERSION=${VERSION:-4.6.3} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} SEABIOS=${SEABIOS:-1.8.2} +OVMF=${OVMF:-52a99493cce88a9d4ec8a02d7f1bd1a1001ce60d} if [ -z "$ARCH" ]; then case "$( uname -m )" in @@ -72,18 +73,23 @@ else fi case "${USE_LIBSSH2:-no}" in - yes) LIBSSH2="en" ;; - *) LIBSSH2="dis" ;; + yes) CONF_LIBSSH2="en" ;; + *) CONF_LIBSSH2="dis" ;; esac case "${USE_BLUEZ:-no}" in - yes) BLUEZ="en" ;; - *) BLUEZ="dis" ;; + yes) CONF_BLUEZ="en" ;; + *) CONF_BLUEZ="dis" ;; esac case "${BUILD_STUBDOM:-no}" in - yes) STUBDOM="en" ;; - *) STUBDOM="dis" ;; + yes) CONF_STUBDOM="en" ;; + *) CONF_STUBDOM="dis" ;; +esac + +case "${WITH_OVMF:-yes}" in + no) CONF_OVMF="dis" ;; + *) CONF_OVMF="en" ;; esac set -e 
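Review bot: WITH_OVMF (last hunk of this block) uses opt-out semantics, `no` disables and any other value enables, whereas USE_LIBSSH2, USE_BLUEZ and BUILD_STUBDOM directly above are opt-in with only `yes` enabling; the asymmetry is deliberate given the default, but a comment by the case statement (and the same caveat in README) prevents someone setting WITH_OVMF=false and getting OVMF built regardless. Also, OVMF is a bare git commit hash while SEABIOS one line above is a release version; a comment saying it is a commit id and naming the tarball it selects (`ovmf-git-$OVMF.tar.gz`) makes the pin auditable.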
@@ -111,20 +117,24 @@ for i in $CWD/xsa/* ; do done # Tweak some things -sed "s/@@LIBSSH2@@/$LIBSSH2/;s/@@BLUEZ@@/$BLUEZ/" \ +sed "s/@@CONF_LIBSSH2@@/$CONF_LIBSSH2/;s/@@CONF_BLUEZ@@/$CONF_BLUEZ/" \ $CWD/patches/qemu_configure_options.diff | patch -p1 patch -p1 <$CWD/patches/symlinks_instead_of_hardlinks.diff # Let's not download stuff during the build... patch -p1 <$CWD/patches/use_already_present_ipxe.diff -patch -p1 <$CWD/patches/disable_git_checkout.diff cp $CWD/ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz \ tools/firmware/etherboot/_ipxe.tar.gz ( + # Seabios cd tools/firmware tar -xf $CWD/seabios-$SEABIOS.tar.gz mv seabios-$SEABIOS seabios-dir-remote ln -s seabios-dir-remote seabios-dir + make -C seabios-dir defconfig + # OVMF + tar -xf $CWD/ovmf-git-$OVMF.tar.gz + cp ovmf-makefile ovmf-dir/Makefile ) cp $CWD/{lwip,zlib,newlib,pciutils,grub,gmp,tpm_emulator}-*.tar.?z* \ $CWD/polarssl-*.tgz stubdom @@ -141,7 +151,8 @@ CXXFLAGS="$SLKCFLAGS" \ --docdir=/usr/doc/$PRGNAM-$VERSION \ --disable-qemu-traditional \ --disable-rombios \ - --${STUBDOM}able-stubdom \ + --${CONF_STUBDOM}able-stubdom \ + --${CONF_OVMF}able-ovmf \ --build=$ARCH-slackware-linux make install-xen \ @@ -158,7 +169,7 @@ make install-tools \ MANDIR=/usr/man \ DESTDIR=$PKG -if [ "$STUBDOM" = "en" ]; then +if [ "$CONF_STUBDOM" = "en" ]; then make install-stubdom \ docdir=/usr/doc/$PRGNAM-$VERSION \ DOCDIR=/usr/doc/$PRGNAM-$VERSION \ diff --git a/system/xen/xen.info b/system/xen/xen.info index 2c2c3068ad..32ea026b57 100644 --- a/system/xen/xen.info +++ b/system/xen/xen.info 
@@ -11,7 +11,8 @@ DOWNLOAD="http://mirror.slackware.hr/sources/xen/xen-4.6.3.tar.gz \ http://mirror.slackware.hr/sources/xen-extfiles/polarssl-1.1.4-gpl.tgz \ http://mirror.slackware.hr/sources/xen-extfiles/gmp-4.3.2.tar.bz2 \ http://mirror.slackware.hr/sources/xen-extfiles/tpm_emulator-0.7.4.tar.gz \ - http://mirror.slackware.hr/sources/xen-extfiles/seabios-1.8.2.tar.gz" + http://mirror.slackware.hr/sources/xen-extfiles/seabios-1.8.2.tar.gz + http://mirror.slackware.hr/sources/xen-extfiles/ovmf-git-52a99493cce88a9d4ec8a02d7f1bd1a1001ce60d.tar.gz" MD5SUM="26419d8477082dbdb32ec75b00f00643 \ 7496268cebf47d5c9ccb0696e3b26065 \ 36cc57650cffda9a0269493be2a169bb \ @@ -22,7 +23,8 @@ MD5SUM="26419d8477082dbdb32ec75b00f00643 \ 7b72caf22b01464ee7d6165f2fd85f44 \ dd60683d7057917e34630b4a787932e8 \ e26becb8a6a2b6695f6b3e8097593db8 \ - d08a501fb918698f24a0de012c687729" + d08a501fb918698f24a0de012c687729 \ + bd4b1d36212692fa4874ecad2a42abed" REQUIRES="acpica yajl" DOWNLOAD_x86_64="" MD5SUM_x86_64="" diff --git a/system/xen/xsa/xsa182-4.6.patch b/system/xen/xsa/xsa182-4.6.patch new file mode 100644 index 0000000000..be2047d688 --- /dev/null +++ b/system/xen/xsa/xsa182-4.6.patch 
@@ -0,0 +1,102 @@ +From f48a75b0c10ac79b287ca2b580ecb9ea2f696607 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Mon, 11 Jul 2016 14:32:03 +0100 +Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath + +All changes in writeability and cacheability must go through full +re-validation. + +Rework the logic as a whitelist, to make it clearer to follow. + +This is XSA-182 + +Reported-by: Jérémie Boutoille +Signed-off-by: Andrew Cooper +Reviewed-by: Tim Deegan +--- + xen/arch/x86/mm.c | 28 ++++++++++++++++------------ + xen/include/asm-x86/page.h | 1 + + 2 files changed, 17 insertions(+), 12 deletions(-) + +diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c +index daf02ab..8dd22b8 100644 +--- a/xen/arch/x86/mm.c ++++ b/xen/arch/x86/mm.c +@@ -1780,6 +1780,14 @@ static inline int update_intpte(intpte_t *p, + _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \ + (_m), (_v), (_ad)) + ++/* ++ * PTE flags that a guest may change without re-validating the PTE. ++ * All other bits affect translation, caching, or Xen's safety. ++ */ ++#define FASTPATH_FLAG_WHITELIST \ ++ (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \ ++ _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER) ++ + /* Update the L1 entry at pl1e to new value nl1e. */ + static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e, + unsigned long gl1mfn, int preserve_ad, +@@ -1820,9 +1828,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e, + return -EINVAL; + } + +- /* Fast path for identical mapping, r/w, presence, and cachability. */ +- if ( !l1e_has_changed(ol1e, nl1e, +- PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. 
*/ ++ if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l1e(nl1e, pt_dom); + if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, +@@ -1904,11 +1911,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e, + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l2e_has_changed(ol2e, nl2e, +- unlikely(opt_allow_superpage) +- ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT +- : _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l2e(nl2e, d); + if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) ) +@@ -1973,8 +1977,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e, + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l3e(nl3e, d); + rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad); +@@ -2037,8 +2041,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e, + return -EINVAL; + } + +- /* Fast path for identical mapping and presence. */ +- if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) ) ++ /* Fast path for sufficiently-similar mappings. */ ++ if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) ) + { + adjust_guest_l4e(nl4e, d); + rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad); +diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h +index 66b611c..1a59ed8 100644 +--- a/xen/include/asm-x86/page.h ++++ b/xen/include/asm-x86/page.h +@@ -311,6 +311,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t); + #define _PAGE_AVAIL2 _AC(0x800,U) + #define _PAGE_AVAIL _AC(0xE00,U) + #define _PAGE_PSE_PAT _AC(0x1000,U) ++#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12) + #define _PAGE_NX (cpu_has_nx ? 
_PAGE_NX_BIT : 0) + /* non-architectural flags */ + #define _PAGE_PAGED 0x2000U +-- +2.1.4 + diff --git a/system/xen/xsa/xsa183-4.6.patch b/system/xen/xsa/xsa183-4.6.patch new file mode 100644 index 0000000000..84d70077c8 --- /dev/null +++ b/system/xen/xsa/xsa183-4.6.patch 
@@ -0,0 +1,75 @@ +From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Wed, 15 Jun 2016 18:32:14 +0100 +Subject: [PATCH] x86/entry: Avoid SMAP violation in + compat_create_bounce_frame() + +A 32bit guest kernel might be running on user mappings. +compat_create_bounce_frame() must whitelist its guest accesses to avoid +risking a SMAP violation. + +For both variants of create_bounce_frame(), re-blacklist user accesses if +execution exits via an exception table redirection. + +This is XSA-183 / CVE-2016-6259 + +Signed-off-by: Andrew Cooper +Reviewed-by: George Dunlap +Reviewed-by: Jan Beulich +--- +v2: + * Include CLAC on the exit paths from compat_create_bounce_frame which occur + from faults attempting to load %fs + * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz +--- + xen/arch/x86/x86_64/compat/entry.S | 3 +++ + xen/arch/x86/x86_64/entry.S | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S +index 0e3db7c..1eaf4bb 100644 +--- a/xen/arch/x86/x86_64/compat/entry.S ++++ b/xen/arch/x86/x86_64/compat/entry.S +@@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap) + compat_create_bounce_frame: + ASSERT_INTERRUPTS_ENABLED + mov %fs,%edi ++ ASM_STAC + testb $2,UREGS_cs+8(%rsp) + jz 1f + /* Push new frame at registered guest-OS stack base. */ +@@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe) + movl %ds,%eax + .Lft12: movl %eax,%fs:0*4(%rsi) # DS + UNLIKELY_END(compat_bounce_failsafe) ++ ASM_CLAC + /* Rewrite our stack frame and return to guest-OS mode. */ + /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. 
*/ + andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\ +@@ -448,6 +450,7 @@ compat_crash_page_fault_4: + addl $4,%esi + compat_crash_page_fault: + .Lft14: mov %edi,%fs ++ ASM_CLAC + movl %esi,%edi + call show_page_walk + jmp dom_crash_sync_extable +diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S +index 6e27508..0c2e63a 100644 +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -462,9 +462,11 @@ domain_crash_page_fault_16: + domain_crash_page_fault_8: + addq $8,%rsi + domain_crash_page_fault: ++ ASM_CLAC + movq %rsi,%rdi + call show_page_walk + ENTRY(dom_crash_sync_extable) ++ ASM_CLAC + # Get out of the guest-save area of the stack. + GET_STACK_BASE(%rax) + leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp +-- +2.1.4 + diff --git a/system/xen/xsa/xsa184-qemut-master.patch b/system/xen/xsa/xsa184-qemut-master.patch new file mode 100644 index 0000000000..d15167f4ac --- /dev/null +++ b/system/xen/xsa/xsa184-qemut-master.patch 
@@ -0,0 +1,43 @@ +From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001 +From: P J P +Date: Tue, 26 Jul 2016 15:31:59 +0100 +Subject: [PATCH] virtio: error out if guest exceeds virtqueue size + +A broken or malicious guest can submit more requests than the virtqueue +size permits. + +The guest can submit requests without bothering to wait for completion +and is therefore not bound by virtqueue size. This requires reusing +vring descriptors in more than one request, which is incorrect but +possible. Processing a request allocates a VirtQueueElement and +therefore causes unbounded memory allocation controlled by the guest. + +Exit with an error if the guest provides more requests than the +virtqueue size permits. This bounds memory allocation and makes the +buggy guest visible to the user. + +Reported-by: Zhenhao Hong +Signed-off-by: Stefan Hajnoczi +--- + hw/virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio.c b/hw/virtio.c +index c26feff..42897bf 100644 +--- a/hw/virtio.c ++++ b/hw/virtio.c +@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) + /* When we start there are none of either input nor output. */ + elem->out_num = elem->in_num = 0; + ++ if (vq->inuse >= vq->vring.num) { ++ fprintf(stderr, "Virtqueue size exceeded"); ++ exit(1); ++ } ++ + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); + do { + struct iovec *sg; +-- +2.1.4 + diff --git a/system/xen/xsa/xsa184-qemuu-master.patch b/system/xen/xsa/xsa184-qemuu-master.patch new file mode 100644 index 0000000000..ef96bff80c --- /dev/null +++ b/system/xen/xsa/xsa184-qemuu-master.patch 
@@ -0,0 +1,43 @@ +From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001 +From: P J P +Date: Mon, 25 Jul 2016 17:37:18 +0530 +Subject: [PATCH] virtio: error out if guest exceeds virtqueue size + +A broken or malicious guest can submit more requests than the virtqueue +size permits. + +The guest can submit requests without bothering to wait for completion +and is therefore not bound by virtqueue size. This requires reusing +vring descriptors in more than one request, which is incorrect but +possible. Processing a request allocates a VirtQueueElement and +therefore causes unbounded memory allocation controlled by the guest. + +Exit with an error if the guest provides more requests than the +virtqueue size permits. This bounds memory allocation and makes the +buggy guest visible to the user. + +Reported-by: Zhenhao Hong +Signed-off-by: Stefan Hajnoczi +--- + hw/virtio/virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index d24f775..f8ac0fb 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) + + max = vq->vring.num; + ++ if (vq->inuse >= max) { ++ error_report("Virtqueue size exceeded"); ++ exit(1); ++ } ++ + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); + if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { + vring_set_avail_event(vq, vq->last_avail_idx); +-- +2.1.4 + -- cgit v1.2.3
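Review bot: in README.dom0's EFI section (hunk `@@ -38,6 +38,36 @@`), readers are pointed at a prebuilt hypervisor, http://slackware.hr/~mario/xen/xen.efi.gz, to be installed as /boot/efi/EFI/BOOT/bootx64.efi, over plain HTTP and with no checksum or signature. That is the most privileged binary on the machine being fetched with no integrity check; every other artefact in this package is pinned by an MD5SUM entry in xen.info, so at minimum publish a hash beside the file and tell readers to compare it before copying the binary into the EFI fallback path, and state which Xen version and XSA level it was built from so they can tell whether it carries the 182-184 fixes this commit adds. Serving it over HTTPS would be better still. The sample xen.cfg uses relative `kernel=` and `ramdisk=` names; say explicitly that those files must sit in the same directory as the .efi, as the text already does for the .cfg.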
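Review bot: in the xen.SlackBuild hunk `@@ -111,20 +117,24 @@`, `tar -xf $CWD/ovmf-git-$OVMF.tar.gz` followed by `cp ovmf-makefile ovmf-dir/Makefile` assumes the tarball's top-level directory is literally `ovmf-dir`, while the SeaBIOS block beside it extracts a versioned directory and then `mv`s and symlinks it into place; handle OVMF the same way, or add a comment stating the tarball layout, since a repacked tarball will otherwise fail at the `cp`. The extraction also runs unconditionally, so WITH_OVMF=no still requires the OVMF tarball to be present even though `--disable-ovmf` is then passed to configure; guard the block with `[ "$CONF_OVMF" = en ]`, the way `make install-stubdom` is guarded by CONF_STUBDOM further down. Finally, `make -C seabios-dir defconfig` is needed here because once `seabios-dir` exists make treats the `seabios-dir:` target shown in the deleted disable_git_checkout.diff as up to date and never runs the recipe that used to call defconfig; a one-line comment saying so explains why the SlackBuild drives the firmware Makefiles itself.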
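Review bot: in the xen.info DOWNLOAD hunk the seabios line lost its trailing ` \` when the OVMF URL was appended after it, so the double-quoted DOWNLOAD value now contains a literal newline between those two URLs instead of the backslash-newline separator every other entry uses; the MD5SUM hunk immediately below does it correctly. Restore the continuation so tools that parse .info files see one consistent separator. The OVMF tarball name matches `ovmf-git-$OVMF.tar.gz` in the SlackBuild and has an MD5 entry, good; since all sources are served over plain http://, these MD5SUM entries are the only integrity check the build has, so keep them exactly in step with what the mirror serves.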
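Review bot: in xsa182-4.6.patch, the new `_PAGE_AVAIL_HIGH` is defined as `_AC(0x7ff, U) << 12`, which in a raw PTE would be address bits 12-22, not the high available bits 52-62 its name suggests; it is only correct because the l?e_has_changed() comparisons operate on the packed flags encoding in which those high bits are folded down to start at bit 12, so a one-line comment next to the #define saying so will stop the next reader from filing it as a bug. The mod_l2_entry hunk also drops the `opt_allow_superpage` distinction: _PAGE_PSE is outside FASTPATH_FLAG_WHITELIST, so a PSE flip now always takes the full re-validation path whatever the option says, which is the safe direction and worth a sentence in the description. Unlike the xsa183 patch, the description names only the XSA; add the CVE identifier for cross-referencing.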
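Review bot: in xsa183-4.6.patch, the entry.S hunk adds ASM_CLAC at domain_crash_page_fault and again at dom_crash_sync_extable, which domain_crash_page_fault falls straight into after `call show_page_walk`, so that path executes CLAC twice; the same doubling occurs in compat/entry.S, where compat_crash_page_fault does ASM_CLAC and then `jmp dom_crash_sync_extable`. The first CLAC is needed so show_page_walk() runs with SMAP enforced and the second covers extable redirections that land on dom_crash_sync_extable directly, which is fine, but a short comment on each saying which callers it protects will stop someone "deduplicating" one of them later.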
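Review bot: xsa184-qemut-master.patch targets hw/virtio.c in qemu-xen-traditional, but this SlackBuild passes `--disable-qemu-traditional` (visible in the configure hunk), so the patch is carried but applied to nothing that ships; either drop it or leave a note in xsa/ that it is kept for users who re-enable the traditional device model. Its paths are relative to the qemu tree, not the Xen root, so the `for i in $CWD/xsa/*` loop must route *qemut* and *qemuu* files into the respective qemu directories; the loop body is outside this diff, so confirm it does rather than running `patch -p1` from the Xen root, where this file would be rejected. Style: `fprintf(stderr, "Virtqueue size exceeded")` lacks a trailing newline, unlike the error_report() used in the qemuu variant.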
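Review bot: in xsa184-qemuu-master.patch the check `if (vq->inuse >= max) { error_report(...); exit(1); }` turns a guest-controlled condition into termination of the whole device-model process, which for a Xen HVM guest means that guest loses all its emulated devices; the description argues this is intended (bounded allocation, visible failure) and it does close the unbounded-allocation hole, but it should state plainly that a malicious guest can now take down its own qemu at will, because operators watching for qemu exits will otherwise read this as a host-side crash. A softer option that still bounds allocation is to return an error from virtqueue_pop and mark the device broken instead of exit(1); if that is not practical in this tree, a comment above the check explaining why exit is chosen would help. The `>=` is right: inuse equal to the ring size means every descriptor is already outstanding, so another pop implies descriptor reuse.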