From: Tony Vroon Date: Tue, 11 Oct 2011 20:25:50 +0000 (+0000) Subject: Patches by Ian "idella4" Delaney to address security bugs #385319 and #386371. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=861c1e248b6367fe4e2bfb00aa025703f8a60ef8;p=gentoo.git Patches by Ian "idella4" Delaney to address security bugs #385319 and #386371. Package-Manager: portage-2.1.10.25/cvs/Linux x86_64
---
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index 49845852fda1..4fff1bb008f9 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-emulation/xen
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.85 2011/09/29 14:21:09 tomka Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.86 2011/10/11 20:25:50 chainsaw Exp $
+
+*xen-3.4.2-r4 (11 Oct 2011)
+
+ 11 Oct 2011; Tony Vroon +xen-3.4.2-r4.ebuild,
+ +files/xen-3.4.2-CVE-2011-1583.patch,
+ +files/xen-3.4.2-fix-__addr_ok-limit.patch:
+ Patches by Ian "idella4" Delaney to address security bugs #385319 and
+ #386371.
 
 29 Sep 2011; Thomas Kahle xen-3.4.2-r3.ebuild:
 x86 stable per bug 379241
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index fa4fd388e6f8..70e45e0dd943 100644
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -1,8 +1,7 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
 AUX xen-3.3.0-unexported-target-fix.patch 788 RMD160 4b30444c021479cbd3969493639533fc1e43e781 SHA1 9119f06b4a005c385ac27e085e2d96ccf9cd4dc9 SHA256 e46f5fbe4c579b84f895f0ac6e05589553a11305ca30e69405082d58abd9ee07
+AUX xen-3.4.2-CVE-2011-1583.patch 2893 RMD160 c6ae9661202dafc2abdcf3aaf939464d14ded9fd SHA1 b2140fe7d615b542a96dadaaf8ace382e528d2cb SHA256 809c1744aee7569db31e9959c1e2c433ef6f4067134b26f70a689e056a024df9
 AUX xen-3.4.2-dump_registers-watchdog-fix.patch 533 RMD160 766249003d91cbec3b0014a8446e1a4d01cd847a SHA1 6306250671976c638f814a4958211af4bacb53b4 SHA256 17d18f268efd302085bdfa0673e2d9478e84206b6d060d0a63854441233a81c6
+AUX xen-3.4.2-fix-__addr_ok-limit.patch 3380 RMD160 8b8104a370847c1c148255855901b9dd32e6c888 SHA1 e3dd5cfda2410917b0844dff999ccbee2463ccb4 SHA256 dab6954da3cbf7592a36a6234561174d0d117711b87c0868d17f9d21af75a835
 AUX xen-3.4.2-no-DMA.patch 2708 RMD160 9aa83e21e8b07feca1f799f9efb4f9cd5728c6c6 SHA1 e55fa5a04203470af68452762f919b402854fce9 SHA256 87a3fe134b8d3c762d4d229986ccb77898a603a18974f453cfdf6ba9d68fe982
 AUX xen-3.4.2-werror-idiocy.patch 16826 RMD160 14f4678c723fd9241c88786b5b07a8c25252ce6f SHA1 f15d3c4d37b9c11fed49c025de2eaeb6911845a1 SHA256 261ef6541736f1df757476590bb8581cac376c9408e5041e8356336e13025c67
 AUX xen-4.1.1-iommu_sec_fix.patch 2851 RMD160 4367178c10cdc1e752f3e9ffb70f42e6e7179242 SHA1 8487f85dbf81bf245deaccca5ff5b8f46e60d112 SHA256 3a0ab3cb5c18db91f4be457cbba36189a558da7b794e1a35795f4fed3d48a7c8
@@ -10,14 +9,8 @@ DIST xen-3.4.2.tar.gz 11187726 RMD160 2ef81df1f44356d60e04e21df2173ce5357d8509 S
 DIST xen-4.1.1.tar.gz 10355625 RMD160 4b3c0641b0f098889f627662aa6b8fea00c5b636 SHA1 f1b5ef4b663c339faf9c77fc895327cfbcc9776c SHA256 246289227507466b5da8b2d0da84a5b0e68a392527b16cde38898d0348890f5b
 EBUILD xen-3.4.2-r1.ebuild 3058 RMD160 19a8baa3dbf87f4c5d4e5019f88ae4dc5ccc32e6 SHA1 aed8b48c47b8f713dbc17d67fa2d21c838f7f071 SHA256 719917cfbf0605d4951415d9f53c49262d92ba8e8921a3835aefcd549dd275bb
 EBUILD xen-3.4.2-r3.ebuild 3068 RMD160 a7823f95b67e2f237a5395a0063525794bf21820 SHA1 b7ea3ce1c4df92ee1d87101fda58765cc580168f SHA256 df35d173a9fbcd041e8d33f7edc5478c9e3ed5f64a1f3b17caf746f5bd92252b
+EBUILD xen-3.4.2-r4.ebuild 3249 RMD160 c00e2aa265dc4c37f8e09854af296b150bd46fb8 SHA1 84b162ac12b34afe544d6dcc232016e97fa95d0a SHA256 fa50d0fc5c8e6adb09b6db324cedf22d50abf2be09111ac25af20e31fffe3948
 EBUILD xen-4.1.1-r2.ebuild 3015 RMD160 2026eb17050ee40ae504b3f377b0e0895849d02a SHA1 2d505aa3cf488a79c3518d9d5bf4d70d6c84f9c7 SHA256 4ae066db6bbdd5ca3c377944b9b3c2abc94d2095c075cb20485908bc954fdf78
 EBUILD xen-9999.ebuild 2929 RMD160 34b61aa566948357bed2bde59d06e38fdc21249c SHA1 5dfa8cebff2f2b9a10e40b888e151baf8afb804c SHA256 62f131e504a87ab2e05b1109325167ae9f6d9747ae90d89536d49734c7445f0e
-MISC ChangeLog 13823 RMD160 c00c5de5640dd8647d239fcf91a7d0fc5af221f6 SHA1 7a8036b12e92cb3dda2c667a560275485aaee75a SHA256 08aae3b2a4ff8c7cabee2cce2e90789a30ccfe279a54ee46bd9fa9815939e5cb
+MISC ChangeLog 14095 RMD160 ca58af04653c5017cb44648cd405ca940e5d1d37 SHA1 b64619008aac2f528a5ab268d26a4a8c686e22b4 SHA256 5a84a264a57918a9035c0255914539ccc67cfdf362e9e279eec375595c011cf0
 MISC metadata.xml 581 RMD160 d22ffb491d9dad33425b97add683dd6b8b9139e1 SHA1 649f65e9fd2ab25e32394c555a24fc0f6b59c37f SHA256 1cf2cc4bb5b5278ac75e74910607518ddd2bd6454f18325319ce1ac102fab535
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.17 (GNU/Linux)
-
-iF4EAREIAAYFAk6EfuAACgkQodBTJSDyo65dcgD/fYfP/HNKV7TieMkgrLpNZmuj
-PojFPqGBLufQjoyxdrcA/i+QMNeTlx88eCXqNY4ekfD1mU+qLSqmUdHftRi4vzjB
-=7N/T
------END PGP SIGNATURE-----
diff --git a/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch
new file mode 100644
index 000000000000..f5cec4dbe709
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch
@@ -0,0 +1,87 @@ +--- tools/libxc/xc_dom_bzimageloader.c 2009-11-10 23:12:56.000000000 +0800 ++++ tools/libxc/xc_dom_bzimageloader.c 2011-10-09 20:10:08.972815311 +0800 +@@ -308,19 +308,19 @@ + + extern struct xc_dom_loader elf_loader; + +-static unsigned int payload_offset(struct setup_header *hdr) ++static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len) + { +- unsigned int off; ++ if (len > dom->kernel_size) ++ return 0; ++ ++ return (memcmp(dom->kernel_blob, magic, len) == 0); ++ } + +- off = (hdr->setup_sects + 1) * 512; +- off += hdr->payload_offset; +- return off; +-} +- +-static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom) ++static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose) + { + struct setup_header *hdr; +- int ret; ++ uint64_t payload_offset, payload_length; ++ /* int ret; */ + + if ( dom->kernel_blob == NULL ) + { +@@ -352,20 +352,47 @@ + return -EINVAL; + } + +- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); +- dom->kernel_size = hdr->payload_length; ++ /* upcast to 64 bits to avoid overflow */ ++ /* setup_sects is u8 and so cannot overflow */ ++ payload_offset = (hdr->setup_sects + 1) * 512; ++ payload_offset += hdr->payload_offset; ++ payload_length = hdr->payload_length; + +- if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) +- { ++/* if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) ++ { + ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); +- if ( ret == -1 ) ++ if ( ret == -1 ) */ ++ if ( payload_offset >= dom->kernel_size ) ++ { ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow", ++ __FUNCTION__); ++ return -EINVAL; ++ } ++ if ( (payload_offset + payload_length) > dom->kernel_size ) ++ { ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow", ++ __FUNCTION__); ++ } ++ ++ dom->kernel_blob = dom->kernel_blob + payload_offset; ++ dom->kernel_size = payload_length; ++ ++ if ( check_magic(dom, "\037\213", 2) ) ++ { ++ if ( 
xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) + { +- xc_dom_panic(XC_INVALID_KERNEL, +- "%s: unable to gzip decompress kernel\n", +- __FUNCTION__); ++ if ( verbose ) ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n", ++ __FUNCTION__); + return -EINVAL; + } + } ++ else ++ { ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n", ++ __FUNCTION__); ++ return -EINVAL; ++ } + else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) + { + ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); diff --git a/app-emulation/xen/files/xen-3.4.2-fix-__addr_ok-limit.patch b/app-emulation/xen/files/xen-3.4.2-fix-__addr_ok-limit.patch new file mode 100644 index 000000000000..861600821f81 --- /dev/null +++ b/app-emulation/xen/files/xen-3.4.2-fix-__addr_ok-limit.patch 
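Review bot: In the second hunk of xc_dom_bzimageloader.c the `payload length overflow` branch calls xc_dom_panic() but does not return, so an oversized `hdr->payload_length` is still stored into `dom->kernel_size` and the decompressors can read beyond the blob — the bound this CVE-2011-1583 backport exists to enforce is not actually enforced; add `return -EINVAL;` after that panic, as the offset branch already does. The new `else { ... "unknown compression format" ... }` block is emitted directly before the kept context line `else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )`, which is not valid C, and `int ret;` is commented out while that bzip2 branch still assigns `ret`, so the patched file appears not to compile; the unknown-format block belongs after the last decompressor branch, `int ret;` should stay, and the remaining `memcmp()` probes should go through the new bounded `check_magic()`. `"%s: unable to decompress kernel\$n"` looks like a typo for `\n`. The probe is renamed to `check_bzimage_kernel(dom, verbose)` with no hunk updating whatever registers `xc_dom_probe_bzimage_kernel`, so that reference presumably dangles unless it is fixed up elsewhere; the rest of the function, including the bzip2 error path, lies outside the hunk.
```c
    if ( (payload_offset + payload_length) > dom->kernel_size )
    {
        xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
                     __FUNCTION__);
        return -EINVAL;
    }
    /* … unchanged: blob/size adjustment and gzip branch … */
    else if ( check_magic(dom, "\102\132\150", 3) )
    {
        ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);
        /* … unchanged: bzip2 error handling; function continues outside the hunk,
           the "unknown compression format" else goes after its final branch … */
```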
@@ -0,0 +1,101 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+ Xen Security Advisory CVE-2011-2901 / XSA-4
+ revision no.2
+ Xen <= 3.3 DoS due to incorrect virtual address validation
+
+ISSUE DESCRIPTION
+=================
+
+The x86_64 __addr_ok() macro intends to ensure that the checked
+address is either in the positive half of the 48-bit virtual address
+space, or above the Xen-reserved area. However, the current shift
+count is off-by-one, allowing full access to the "negative half" too,
+via certain hypercalls which ignore virtual-address bits [63:48].
+Vulnerable hypercalls exist only in very old versions of the
+hypervisor.
+
+VULNERABLE SYSTEMS
+==================
+
+All systems running a Xen 3.3 or earlier hypervisor with 64-bit PV
+guests with untrusted administrators are vulnerable.
+
+IMPACT
+======
+
+A malicious guest administrator on a vulnerable system is able to
+crash the host.
+
+There are no known further exploits but these have not been ruled out.
+
+RESOLUTION
+==========
+
+The attached patch resolves the issue.
+
+Alternatively, users may choose to upgrade to a more recent hypervisor
+
+PATCHES
+=======
+
+The following patch resolves this issue.
+
+Filename: fix-__addr_ok-limit.patch
+SHA1: f18bde8d276110451c608a16f577865aa1226b4f
+SHA256: 2da5aac72e1ac4849c34d38374ae456795905fd9512eef94b48fc31383c21636
+
+This patch should apply cleanly, and fix the problem, for all affected
+versions of Xen.
+
+It is harmless when applied to later hypervisors and will be included
+in the Xen unstable branch in due course.
+
+VERSION HISTORY
+===============
+
+Analysis following version 1 of this advisory (sent out to the
+predisclosure list during the embargo period) indicates that the
+actual DoS vulnerability only exists in very old hypervisors, Xen 3.3
+and earlier, contrary to previous reports.
+
+This advisory is no longer embargoed.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQEcBAEBAgAGBQJOYLq2AAoJEIP+FMlX6CvZLegH/26/oJBkd/WM/yYhXkzlbnIP
+MxF6Fgy96Omu8poQTanD7g1vEcM0TOLY+Kk3GGsfj4aDdEJ5Nq4ZOW8ooI0VnVcD
+7VXQqFsXPxre+eZ6g+G0AsmzdsG45C3qujUTRfGKqzYwXqjWjt9nNsdIy1Mrz8/4
+zG1uLDkN0LXnBG2Te4q8ZckYwMq8gFXHHnH35RfQ5Besu6pvJmtK3rFXETdlP12A
+JjBh7t5jsCfzvYWFQehVp8mJupuftiOBPClmVh4vrvN9gYd5rzEgB4Q9Ioiqz2qT
+2bE1zegR8NeOKBOi9xriTU8F530OdFzeWAbo7D5gyEbYdc60eNwbadcgNGLbzMg=
+=09T8
+-----END PGP SIGNATURE-----
+
+Subject: XSA-4: xen: correct limit checking in x86_64 version of __addr_ok
+
+The x86_64 __addr_ok() macro intends to ensure that the checked
+address is either in the positive half of the 48-bit virtual address
+space, or above the Xen-reserved area. However, the current shift
+count is off-by-one, allowing full access to the "negative half"
+too. Guests may exploit this to gain access to off-limits ranges.
+
+This issue has been assigned CVE-2011-2901.
+
+Signed-off-by: Laszlo Ersek
+Signed-off-by: Ian Campbell
+
+diff --git a/xen/include/asm-x86/x86_64/uaccess.h
+b/xen/include/asm-x86/x86_64/uaccess.h
+--- a/xen/include/asm-x86/x86_64/uaccess.h
++++ b/xen/include/asm-x86/x86_64/uaccess.h
+@@ -34,7 +34,7 @@
+ * non-canonical address (and thus fault) before ever reaching VIRT_START.
+ */
+ #define __addr_ok(addr) \
+- (((unsigned long)(addr) < (1UL<<48)) || \
++ (((unsigned long)(addr) < (1UL<<47)) || \
+ ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))
+
+ #define access_ok(addr, size) \
diff --git a/app-emulation/xen/xen-3.4.2-r4.ebuild b/app-emulation/xen/xen-3.4.2-r4.ebuild
new file mode 100644
index 000000000000..352f7e2ee694
--- /dev/null
+++ b/app-emulation/xen/xen-3.4.2-r4.ebuild
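Review bot: The file carries the whole PGP-signed XSA-4 advisory ahead of the actual diff, and the `diff --git a/... +b/...` header is wrapped onto two lines; GNU patch keys on the `---`/`+++` lines so it should still apply, but the SHA1/SHA256 the advisory quotes (f18bde8d…, 2da5aac7…) describe the bare `fix-__addr_ok-limit.patch`, not this file, so they cannot be matched against the Manifest digest for it. Consider keeping only the `Subject:` block and the diff, or prefixing a one-line note such as `# XSA-4 advisory text prepended; its hashes cover the bare patch only` so a reader does not take the embedded hashes for a checksum of this file. The advisory itself states the DoS only affects Xen 3.3 and earlier and that the change is harmless on later hypervisors, which is consistent with applying it to 3.4.2.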
@@ -0,0 +1,114 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-3.4.2-r4.ebuild,v 1.1 2011/10/11 20:25:50 chainsaw Exp $
+
+EAPI=2
+
+inherit mount-boot flag-o-matic toolchain-funcs base
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="debug custom-cflags pae acm flask xsm"
+
+RDEPEND="|| ( sys-boot/grub
+ sys-boot/grub-static )
+ >=sys-kernel/xen-sources-2.6.18"
+PDEPEND="~app-emulation/xen-tools-${PV}"
+PATCHES=(
+ "${FILESDIR}/"${PN}-3.3.0-unexported-target-fix.patch
+ "${FILESDIR}/"${P}-dump_registers-watchdog-fix.patch
+ "${FILESDIR}/"${P}-no-DMA.patch
+ "${FILESDIR}/"${P}-werror-idiocy.patch
+ "${FILESDIR}/"${P}-fix-__addr_ok-limit.patch
+ "${FILESDIR}/"${P}-CVE-2011-1583.patch
+)
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+pkg_setup() {
+ if [ -x "${S}/.config/" ]; then
+ die "You will need to remove ${S}/.config by hand"
+ fi
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ if use xsm ; then
+ export "XSM_ENABLE=y"
+ use acm && export "ACM_SECURITY=y"
+ if use flask ; then
+ ! use acm && export "FLASK_ENABLE=y"
+ use acm && ewarn "Both acm and flask XSM specified, defaulting to acm."
+ fi
+ elif use acm || use flask ; then
+ ewarn "acm and flask require USE=xsm to be set, dropping use flags"
+ fi
+}
+
+src_prepare() {
+ base_src_prepare
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \;
+ fi
+}
+
+src_compile() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" -C xen ${myopt} || die "compile failed"
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install || die "install failed"
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ if use pae; then
+ echo
+ ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+ fi
+}
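Review bot: `${P}-CVE-2011-1583.patch` in PATCHES modifies `tools/libxc/xc_dom_bzimageloader.c`, but this ebuild only builds and installs the hypervisor (`emake ... -C xen` in both src_compile and src_install), so as far as this file shows the libxc fix is applied to the unpacked tree and then never compiled or shipped; the patched code comes from `app-emulation/xen-tools` (PDEPEND `~app-emulation/xen-tools-${PV}`), which would need the same patch for users to actually receive it. Consider a comment above that PATCHES entry such as `# CVE-2011-1583 touches tools/libxc; only effective if xen-tools-${PV} carries it too`, or moving the patch to a xen-tools revbump. `${P}-fix-__addr_ok-limit.patch`, by contrast, patches `xen/include/` and is covered by this build.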