[xen] update to 4.1.3 - fixes XSA-11, CVE-2012-3433
myoung
myoung at fedoraproject.org
Fri Aug 10 17:58:09 UTC 2012
commit ec7aaf951ecaad46e6a5e92ebbcb6151d34baf84
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Fri Aug 10 18:56:25 2012 +0100
update to 4.1.3 - fixes XSA-11, CVE-2012-3433
.gitignore | 2 +-
CVE-2012-0217.patch | 54 ---
CVE-2012-0218.patch | 134 --------
CVE-2012-2934.patch | 60 ----
localgcc451fix.patch | 26 --
localgcc45fix.patch | 13 -
localgcc46fix.patch | 11 -
localgcc47fix.patch | 32 --
pygrub.size.limits.patch | 142 +++++---
pygrubfix2.patch | 92 -----
...-3cf61880403b4e484539596a95937cc066243388.patch | 43 ---
sources | 2 +-
upstream-23936:cdb34816a40a-rework | 6 +-
xen-4.1-testing.23190.patch | 64 ----
xen-4.1-testing.23297.patch | 347 --------------------
xen-4.1-testing.23298.patch | 42 ---
xen-4.1-testing.23325.patch | 41 ---
xen-no-werror.patch | 12 -
xen.spec | 46 +--
xend.empty.xml.patch | 15 -
20 files changed, 106 insertions(+), 1078 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 1eca093..a305564 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,4 @@ lwip-1.3.0.tar.gz
pciutils-2.2.9.tar.bz2
zlib-1.2.3.tar.gz
/ipxe-git-v1.0.0.tar.gz
-/xen-4.1.2.tar.gz
+/xen-4.1.3.tar.gz
diff --git a/pygrub.size.limits.patch b/pygrub.size.limits.patch
index af2ff7c..ce4e056 100644
--- a/pygrub.size.limits.patch
+++ b/pygrub.size.limits.patch
@@ -1,80 +1,116 @@
-Make pygrub cope better with big files in the guest.
-Only read the first megabyte of a configuration file (grub etc.)
-Read the kernel and ramdisk files from the guest in one megabyte pieces
-so pygrub doesn't grow too large if they are large.
-If there are problems writing the temporary copies of the kernel and ramdisk
-files delete them and exit.
+
+# HG changeset patch
+# User M A Young <m.a.young at durham.ac.uk>
+# Date 1341413174 -3600
+# Node ID 60f09d1ab1fe5dee87db1bf55c7479a5d71e85a5
+# Parent 42f76d536b116d2ebad1b6705ae51ecd171d2581
+pygrub: cope better with big files in the guest.
+
+Only read the first megabyte of a configuration file (grub etc.) and read the
+kernel and ramdisk files from the guest in one megabyte pieces so pygrub
+doesn't use a lot of memory if the files are large. With --not-really option
+check that the chosen kernel and ramdisk files exist. If there are problems
+writing the copy of the kernel or ramdisk, delete the copied files and exit in
+case they have filled the filesystem.
Signed-off-by: Michael Young <m.a.young at durham.ac.uk>
+Acked-by: Matt Wilson <msw at amazon.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+Acked-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
+Committed-by: Ian Campbell <ian.campbell at citrix.com>
---- xen-4.2.0/tools/pygrub/src/pygrub.orig 2012-05-12 16:40:48.000000000 +0100
-+++ xen-4.2.0/tools/pygrub/src/pygrub
-@@ -28,6 +28,7 @@
+diff -r 42f76d536b11 -r 60f09d1ab1fe tools/pygrub/src/pygrub
+--- a/tools/pygrub/src/pygrub Tue Jul 03 13:39:01 2012 +0100
++++ b/tools/pygrub/src/pygrub Wed Jul 04 15:46:14 2012 +0100
+@@ -28,6 +28,7 @@ import grub.LiloConf
import grub.ExtLinuxConf
PYGRUB_VER = 0.6
-+fs_read_max=1048576
++FS_READ_MAX = 1024 * 1024
def enable_cursor(ison):
if ison:
-@@ -448,7 +449,8 @@
+@@ -448,7 +449,8 @@ class Grub:
if self.__dict__.get('cf', None) is None:
raise RuntimeError, "couldn't find bootloader config file in the image provided."
f = fs.open_file(self.cf.filename)
- buf = f.read()
+ # limit read size to avoid pathological cases
-+ buf = f.read(fs_read_max)
++ buf = f.read(FS_READ_MAX)
del f
self.cf.parse(buf)
-@@ -824,21 +826,46 @@
- if not_really:
- bootcfg["kernel"] = "<kernel:%s>" % chosencfg["kernel"]
- else:
-- data = fs.open_file(chosencfg["kernel"]).read()
-+ datafile = fs.open_file(chosencfg["kernel"])
- (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.",
- dir=output_directory)
-- os.write(tfd, data)
-+ dataoff=0
-+ data=datafile.read(fs_read_max)
-+ while len(data)>0:
+@@ -697,6 +699,37 @@ if __name__ == "__main__":
+ def usage():
+ print >> sys.stderr, "Usage: %s [-q|--quiet] [-i|--interactive] [-n|--not-really] [--output=] [--kernel=] [--ramdisk=] [--args=] [--entry=] [--output-directory=] [--output-format=sxp|simple|simple0] <image>" %(sys.argv[0],)
+
++ def copy_from_image(fs, file_to_read, file_type, output_directory,
++ not_really):
++ if not_really:
++ if fs.file_exists(file_to_read):
++ return "<%s:%s>" % (file_type, file_to_read)
++ else:
++ sys.exit("The requested %s file does not exist" % file_type)
++ try:
++ datafile = fs.open_file(file_to_read)
++ except Exception, e:
++ print >>sys.stderr, e
++ sys.exit("Error opening %s in guest" % file_to_read)
++ (tfd, ret) = tempfile.mkstemp(prefix="boot_"+file_type+".",
++ dir=output_directory)
++ dataoff = 0
++ while True:
++ data = datafile.read(FS_READ_MAX, dataoff)
++ if len(data) == 0:
++ os.close(tfd)
++ del datafile
++ return ret
+ try:
+ os.write(tfd, data)
-+ except:
-+ print "error writing temporary copy of kernel"
++ except Exception, e:
++ print >>sys.stderr, e
+ os.close(tfd)
-+ os.unlink(bootcfg["kernel"])
-+ sys.exit(1)
-+ dataoff+=len(data)
-+ data=datafile.read(fs_read_max,dataoff)
- os.close(tfd)
-+ del datafile
++ os.unlink(ret)
++ del datafile
++ sys.exit("Error writing temporary copy of "+file_type)
++ dataoff += len(data)
++
+ try:
+ opts, args = getopt.gnu_getopt(sys.argv[1:], 'qinh::',
+ ["quiet", "interactive", "not-really", "help",
+@@ -821,24 +854,18 @@ if __name__ == "__main__":
+ if not fs:
+ raise RuntimeError, "Unable to find partition containing kernel"
+
+- if not_really:
+- bootcfg["kernel"] = "<kernel:%s>" % chosencfg["kernel"]
+- else:
+- data = fs.open_file(chosencfg["kernel"]).read()
+- (tfd, bootcfg["kernel"]) = tempfile.mkstemp(prefix="boot_kernel.",
+- dir=output_directory)
+- os.write(tfd, data)
+- os.close(tfd)
++ bootcfg["kernel"] = copy_from_image(fs, chosencfg["kernel"], "kernel",
++ output_directory, not_really)
if chosencfg["ramdisk"]:
- if not_really:
- bootcfg["ramdisk"] = "<ramdisk:%s>" % chosencfg["ramdisk"]
- else:
+- if not_really:
+- bootcfg["ramdisk"] = "<ramdisk:%s>" % chosencfg["ramdisk"]
+- else:
- data = fs.open_file(chosencfg["ramdisk"],).read()
-+ datafile = fs.open_file(chosencfg["ramdisk"],)
- (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp(
- prefix="boot_ramdisk.", dir=output_directory)
+- (tfd, bootcfg["ramdisk"]) = tempfile.mkstemp(
+- prefix="boot_ramdisk.", dir=output_directory)
- os.write(tfd, data)
-+ dataoff=0
-+ data=datafile.read(fs_read_max)
-+ while len(data)>0:
-+ try:
-+ os.write(tfd, data)
-+ except:
-+ print "error writing temporary copy of ramdisk"
-+ os.close(tfd)
-+ os.unlink(bootcfg["ramdisk"])
-+ os.unlink(bootcfg["kernel"])
-+ sys.exit(1)
-+ dataoff+=len(data)
-+ data=datafile.read(fs_read_max,dataoff)
- os.close(tfd)
-+ del datafile
+- os.close(tfd)
++ try:
++ bootcfg["ramdisk"] = copy_from_image(fs, chosencfg["ramdisk"],
++ "ramdisk", output_directory,
++ not_really)
++ except:
++ if not not_really:
++ os.unlink(bootcfg["kernel"])
++ raise
else:
initrd = None
+
diff --git a/sources b/sources
index 2df57a4..5bf4371 100644
--- a/sources
+++ b/sources
@@ -4,4 +4,4 @@ bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz
cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2
debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz
fb7df96781d337899066d82059346885 ipxe-git-v1.0.0.tar.gz
-73561faf3c1b5e36ec5c089b5db848ad xen-4.1.2.tar.gz
+bed929d5c5e5135cab40e2a6aab73fa0 xen-4.1.3.tar.gz
diff --git a/upstream-23936:cdb34816a40a-rework b/upstream-23936:cdb34816a40a-rework
index b7bc317..aa5f40f 100644
--- a/upstream-23936:cdb34816a40a-rework
+++ b/upstream-23936:cdb34816a40a-rework
@@ -2430,7 +2430,7 @@ Signed-off-by: Jon Ludlam <jonathan.ludlam at eu.citrix.com>
-
- for (i=0; i<len; i++) {
- if (Bool_val(Field(cpumap, i)))
-- c_cpumap[i/8] |= i << (i&7);
+- c_cpumap[i/8] |= 1 << (i&7);
- }
- retval = xc_vcpu_setaffinity(_H(xch), _D(domid),
- Int_val(vcpu), c_cpumap);
@@ -2466,7 +2466,7 @@ Signed-off-by: Jon Ludlam <jonathan.ludlam at eu.citrix.com>
- ret = caml_alloc(len, 0);
-
- for (i=0; i<len; i++) {
-- if (c_cpumap[i%8] & 1 << (i&7))
+- if (c_cpumap[i/8] & 1 << (i&7))
- Store_field(ret, i, Val_true);
- else
- Store_field(ret, i, Val_false);
@@ -2523,7 +2523,7 @@ Signed-off-by: Jon Ludlam <jonathan.ludlam at eu.citrix.com>
-
-CAMLprim value stub_xc_readconsolering(value xch)
-{
-- unsigned int size = RING_SIZE;
+- unsigned int size = RING_SIZE - 1;
- char *ring_ptr = ring;
-
- CAMLparam1(xch);
diff --git a/xen.spec b/xen.spec
index 324920f..4268fb2 100644
--- a/xen.spec
+++ b/xen.spec
@@ -19,8 +19,8 @@
Summary: Xen is a virtual machine monitor
Name: xen
-Version: 4.1.2
-Release: 25%{?dist}
+Version: 4.1.3
+Release: 1%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -58,30 +58,14 @@ Patch1: xen-initscript.patch
Patch4: xen-dumpdir.patch
Patch5: xen-net-disable-iptables-on-bridge.patch
-Patch10: xen-no-werror.patch
-
-Patch18: localgcc45fix.patch
-Patch20: localgcc451fix.patch
Patch23: grub-ext4-support.patch
-Patch26: localgcc46fix.patch
Patch28: pygrubfix.patch
-Patch31: pygrubfix2.patch
-Patch32: xen-4.1-testing.23190.patch
-Patch33: xend.empty.xml.patch
Patch34: xend.catchbt.patch
Patch35: xend-pci-loop.patch
-Patch36: localgcc47fix.patch
-Patch37: qemu-xen-4.1-testing.git-3cf61880403b4e484539596a95937cc066243388.patch
Patch38: xen-backend.rules.patch
Patch39: xend.selinux.fixes.patch
Patch40: pygrub.size.limits.patch
-Patch41: xen-4.1-testing.23297.patch
-Patch42: CVE-2012-0217.patch
-Patch43: CVE-2012-0218.patch
-Patch44: CVE-2012-2934.patch
Patch45: xen-no-pyxml.patch
-Patch46: xen-4.1-testing.23325.patch
-Patch47: xen-4.1-testing.23298.patch
Patch50: upstream-23936:cdb34816a40a-rework
Patch51: upstream-23937:5173834e8476
@@ -232,29 +216,13 @@ manage Xen virtual machines.
%patch4 -p1
%patch5 -p1
-%patch10 -p1
-
-%patch18 -p1
-%patch20 -p1
-%patch26 -p1
%patch28 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
%patch34 -p1
%patch35 -p1
-%patch36 -p1
-%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
%patch45 -p1
-%patch46 -p1
-%patch47 -p1
%patch50 -p1
%patch51 -p1
@@ -719,6 +687,16 @@ rm -rf %{buildroot}
%endif
%changelog
+* Fri Aug 10 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.3-1
+- update to 4.1.3
+ includes fix for untrusted HVM guest can cause the dom0 to hang or
+ crash [XSA-11, CVE-2012-3433] (#843582)
+- remove patches that are now upstream
+- remove some unnecessary compile fixes
+- adjust upstream-23936:cdb34816a40a-rework for backported fix for
+ upstream-23940:187d59e32a58
+- replace pygrub.size.limits.patch with upstreamed version
+
* Tue Aug 07 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-25
- remove some unnecessary cache flushing that slow things down
- change python options on xend to reduce selinux problems (#845444)
More information about the scm-commits
mailing list