[xen/f17] VT-d interrupt remapping source validation flaw CVE-2012-5634

myoung myoung at fedoraproject.org
Fri Jan 11 23:09:51 UTC 2013


commit e1ac9c761b79517555f1ae7697847a79e32fb98e
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Jan 11 23:08:45 2013 +0000

    VT-d interrupt remapping source validation flaw CVE-2012-5634

 xen.spec        |   10 +++++++++-
 xsa33-4.1.patch |   21 +++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 50277e6..cfc2d42 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -72,6 +72,8 @@ Patch52: upstream-23938:fa04fbd56521-rework
 Patch53: upstream-23939:51288f69523f-rework
 Patch54: upstream-23940:187d59e32a58
 
+Patch55: xsa33-4.1.patch
+
 Patch100: xen-configure-xend.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -228,6 +230,8 @@ manage Xen virtual machines.
 %patch53 -p1
 %patch54 -p1
 
+%patch55 -p1
+
 %patch100 -p1
 
 # stubdom sources
@@ -685,6 +689,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri Jan 11 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-2
+- VT-d interrupt remapping source validation flaw [XSA-33,
+    CVE-2012-5634] (#893568)
+
 * Tue Dec 18 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-1
 - update to xen-4.1.4
 - remove patches that are included in 4.1.4
diff --git a/xsa33-4.1.patch b/xsa33-4.1.patch
new file mode 100644
index 0000000..d0bdeb4
--- /dev/null
+++ b/xsa33-4.1.patch
@@ -0,0 +1,21 @@
+VT-d: fix interrupt remapping source validation for devices behind
+legacy bridges
+
+Using SVT_VERIFY_BUS here doesn't make sense; native Linux also
+uses SVT_VERIFY_SID_SQ here instead.
+
+This is XSA-33 / CVE-2012-5634.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+--- a/xen/drivers/passthrough/vtd/intremap.c
++++ b/xen/drivers/passthrough/vtd/intremap.c
+@@ -499,7 +499,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
+                 set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
+                             (bus << 8) | pdev->bus);
+             else if ( pdev_type(bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+-                set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
++                set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
+                             PCI_BDF2(bus, devfn));
+         }
+         break;
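Review bot: The changed `set_ire_sid()` call in the `DEV_TYPE_LEGACY_PCI_BRIDGE` branch has no comment explaining why it needs a different verification type from the branch above it, and the patch description only says the old value "doesn't make sense". The branch above passes `(bus << 8) | pdev->bus` with `SVT_VERIFY_BUS`, which reads as a start/end bus pair, whereas this branch passes `PCI_BDF2(bus, devfn)`. Under `SVT_VERIFY_BUS` that BDF would presumably have been interpreted as a bus range, so interrupt requests from sources other than the bridge could have passed source validation. I would add above the call: `/* Legacy PCI bridge: match the full source-id against the bridge's BDF; SVT_VERIFY_BUS would treat this value as a bus range. */`. `set_msi_source_id()` starts and ends outside the hunk, so the other cases of the enclosing switch could not be checked from here.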

