[xen/f16] fixes for CVE-2012-3494, CVE-2012-3495, CVE-2012-3496, CVE-2012-3498, CVE-2012-3515, CVE-2012-4411
myoung
myoung at fedoraproject.org
Thu Sep 6 21:45:10 UTC 2012
commit 5a5ea1ef385c78a5d69599a25a5130c3372cdbb5
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Thu Sep 6 22:43:36 2012 +0100
fixes for CVE-2012-3494, CVE-2012-3495, CVE-2012-3496, CVE-2012-3498,
CVE-2012-3515, CVE-2012-4411
...-3220480734832a148d26f7a81f90af61c2ecfdd9.patch | 123 ++++++++++++++++++++
...-d7d453f51459b591faa96d1c123b5bfff7c5b6b6.patch | 36 ++++++
xen-4.1-testing.23349.patch | 29 +++++
xen-4.1-testing.23350.patch | 37 ++++++
xen-4.1-testing.23351.patch | 28 +++++
xen-4.1-testing.23352.patch | 38 ++++++
xen.spec | 29 +++++-
7 files changed, 319 insertions(+), 1 deletions(-)
---
diff --git a/qemu-xen-4.1-testing.git-3220480734832a148d26f7a81f90af61c2ecfdd9.patch b/qemu-xen-4.1-testing.git-3220480734832a148d26f7a81f90af61c2ecfdd9.patch
new file mode 100644
index 0000000..3eb6824
--- /dev/null
+++ b/qemu-xen-4.1-testing.git-3220480734832a148d26f7a81f90af61c2ecfdd9.patch
@@ -0,0 +1,123 @@
+From 3220480734832a148d26f7a81f90af61c2ecfdd9 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell at citrix.com>
+Date: Wed, 5 Sep 2012 12:31:40 +0100
+Subject: [PATCH] console: bounds check whenever changing the cursor due to an escape code
+
+This is XSA-17 / CVE-2012-3515
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+(cherry picked from commit a56ae4b5069c7b23ee657b15f08443a9b14a8e7b)
+---
+ console.c | 57 ++++++++++++++++++++++++++++-----------------------------
+ 1 files changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/tools/ioemu-qemu-xen/console.c b/tools/ioemu-qemu-xen/console.c
+index 5e6e3d0..9984d6f 100644
+--- a/tools/ioemu-qemu-xen/console.c
++++ b/tools/ioemu-qemu-xen/console.c
+@@ -794,6 +794,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+ update_xy(s, x, y);
+ }
+
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+ TextCell *c;
+@@ -869,7 +889,8 @@ static void console_putchar(TextConsole *s, int ch)
+ s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+ }
+ } else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS)
++ s->nb_esc_params++;
+ if (ch == ';')
+ break;
+ #ifdef DEBUG_CONSOLE
+@@ -883,59 +904,37 @@ static void console_putchar(TextConsole *s, int ch)
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+ break;
+ case 'B':
+ /* move cursor down */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+ break;
+ case 'C':
+ /* move cursor right */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+ break;
+ case 'D':
+ /* move cursor left */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+ break;
+ case 'G':
+ /* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+ break;
+ case 'f':
+ case 'H':
+ /* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+ break;
+ case 'J':
+ switch (s->esc_params[0]) {
+--
+1.7.2.5
+
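Review bot: With `s->nb_esc_params` now allowed to reach `MAX_ESC_PARAMS` (the new guard before `s->nb_esc_params++`), the digit branch just above it, whose tail `s->esc_params[s->nb_esc_params] * 10 + ch - '0';` is visible as context, must carry the same `s->nb_esc_params < MAX_ESC_PARAMS` guard or it writes one element past `esc_params`; the head of that branch is outside the hunk, so this needs confirming against the full `console_putchar`. In `set_cursor` the two upper clamps assume `s->width` and `s->height` are at least 1 — with a zero dimension the result is -1 and the lower clamps, which run first, no longer catch it — so the header comment should state that precondition, e.g. `/* clamp (x, y) into [0, width) x [0, height); width and height must be > 0 */`. `console_putchar` continues outside the hunk.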
diff --git a/qemu-xen-4.1-testing.git-d7d453f51459b591faa96d1c123b5bfff7c5b6b6.patch b/qemu-xen-4.1-testing.git-d7d453f51459b591faa96d1c123b5bfff7c5b6b6.patch
new file mode 100644
index 0000000..f2f4ac7
--- /dev/null
+++ b/qemu-xen-4.1-testing.git-d7d453f51459b591faa96d1c123b5bfff7c5b6b6.patch
@@ -0,0 +1,36 @@
+From d7d453f51459b591faa96d1c123b5bfff7c5b6b6 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson at eu.citrix.com>
+Date: Thu, 6 Sep 2012 17:05:30 +0100
+Subject: [PATCH] Disable qemu monitor by default. The qemu monitor is an overly
+ powerful feature which must be protected from untrusted (guest)
+ administrators.
+
+Neither xl nor xend expect qemu to produce this monitor unless it is
+explicitly requested.
+
+This is a security problem, XSA-19. Previously it was CVE-2007-0998
+in Red Hat but we haven't dealt with it in upstream. We hope to have
+a new CVE for it here but we don't have one yet.
+
+Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
+(cherry picked from commit bacc0d302445c75f18f4c826750fb5853b60e7ca)
+---
+ vl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/tools/ioemu-qemu-xen/vl.c b/tools/ioemu-qemu-xen/vl.c
+index f07a659..686a9bd 100644
+--- a/tools/ioemu-qemu-xen/vl.c
++++ b/tools/ioemu-qemu-xen/vl.c
+@@ -4910,7 +4910,7 @@ int main(int argc, char **argv, char **envp)
+ kernel_cmdline = "";
+ cyls = heads = secs = 0;
+ translation = BIOS_ATA_TRANSLATION_AUTO;
+- monitor_device = "vc:80Cx24C";
++ monitor_device = "null";
+
+ serial_devices[0] = "vc:80Cx24C";
+ for(i = 1; i < MAX_SERIAL_PORTS; i++)
+--
+1.7.2.5
+
diff --git a/xen-4.1-testing.23349.patch b/xen-4.1-testing.23349.patch
new file mode 100644
index 0000000..3836e92
--- /dev/null
+++ b/xen-4.1-testing.23349.patch
@@ -0,0 +1,29 @@
+
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844474 -3600
+# Node ID bcc3402927311c64cc04e59d3680680b09459da6
+# Parent d28a9ba889c02f835df05bc007c2b4828d86cff2
+xen: prevent a 64 bit guest setting reserved bits in DR7
+
+The upper 32 bits of this register are reserved and should be written as
+zero.
+
+This is XSA-12 / CVE-2012-3494
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
+
+diff -r d28a9ba889c0 -r bcc340292731 xen/include/asm-x86/debugreg.h
+--- a/xen/include/asm-x86/debugreg.h Tue Sep 04 14:56:48 2012 +0200
++++ b/xen/include/asm-x86/debugreg.h Wed Sep 05 12:27:54 2012 +0100
+@@ -58,7 +58,7 @@
+ We can slow the instruction pipeline for instructions coming via the
+ gdt or the ldt if we want to. I am not sure why this is an advantage */
+
+-#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
++#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
+ #define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */
+ #define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */
+ #define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */
+
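Review bot: The new `DR_CONTROL_RESERVED_ZERO` value `(~0xffff27fful)` is right only because its width follows `unsigned long`: on a 64-bit build it is 0xffffffffffffd800, covering bits 32-63 as the commit message intends, while on a 32-bit build it collapses to the previous 0x0000d800. A reader comparing it with the neighbouring absolute masks will not see that dependence, so it deserves a comment on the define, e.g. `/* bits 11,12,14,15 and, when unsigned long is 64-bit, bits 32-63 */`. Where the hypervisor applies this mask to guest DR7 writes is outside this hunk.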
diff --git a/xen-4.1-testing.23350.patch b/xen-4.1-testing.23350.patch
new file mode 100644
index 0000000..e73dd17
--- /dev/null
+++ b/xen-4.1-testing.23350.patch
@@ -0,0 +1,37 @@
+
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844497 -3600
+# Node ID 6779ddca8593b766ccabcfec294ba10f17e68484
+# Parent bcc3402927311c64cc04e59d3680680b09459da6
+xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq
+
+This is XSA-13 / CVE-2012-3495
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Jan Beulich <JBeulich at suse.com>
+
+diff -r bcc340292731 -r 6779ddca8593 xen/arch/x86/physdev.c
+--- a/xen/arch/x86/physdev.c Wed Sep 05 12:27:54 2012 +0100
++++ b/xen/arch/x86/physdev.c Wed Sep 05 12:28:17 2012 +0100
+@@ -587,11 +587,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+ break;
+
+ spin_lock(&d->event_lock);
+- out.pirq = get_free_pirq(d, out.type, 0);
+- d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
++ ret = get_free_pirq(d, out.type, 0);
++ if ( ret >= 0 )
++ d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
+ spin_unlock(&d->event_lock);
+
+- ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ if ( ret >= 0 )
++ {
++ out.pirq = ret;
++ ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
++ }
+
+ rcu_unlock_domain(d);
+ break;
+
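Review bot: When `copy_to_guest` fails inside the new `if ( ret >= 0 )` block, the pirq returned by `get_free_pirq` stays marked `PIRQ_ALLOCATED` under `event_lock` but its number never reaches the guest, so that slot is leaked for the domain's lifetime and repeated calls with a bad `arg` can drain the domain's own free pirqs. If `PIRQ_ALLOCATED` entries are not reclaimed elsewhere (not visible here), resetting `d->arch.pirq_irq[ret]` under `d->event_lock` on the -EFAULT path would close that. The actual fix — never indexing `pirq_irq` with a negative return — is correct as written; the enclosing `do_physdev_op` case continues outside the hunk.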
diff --git a/xen-4.1-testing.23351.patch b/xen-4.1-testing.23351.patch
new file mode 100644
index 0000000..f45eba7
--- /dev/null
+++ b/xen-4.1-testing.23351.patch
@@ -0,0 +1,28 @@
+
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844545 -3600
+# Node ID 8ebda5388e4e83a69c73bdd7621e76e1de4fc995
+# Parent 6779ddca8593b766ccabcfec294ba10f17e68484
+xen: Don't BUG_ON() PoD operations on a non-translated guest.
+
+This is XSA-14 / CVE-2012-3496
+
+Signed-off-by: Tim Deegan <tim at xen.org>
+Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
+Tested-by: Ian Campbell <ian.campbell at citrix.com>
+
+diff -r 6779ddca8593 -r 8ebda5388e4e xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c Wed Sep 05 12:28:17 2012 +0100
++++ b/xen/arch/x86/mm/p2m.c Wed Sep 05 12:29:05 2012 +0100
+@@ -2414,7 +2414,8 @@ guest_physmap_mark_populate_on_demand(st
+ int pod_count = 0;
+ int rc = 0;
+
+- BUG_ON(!paging_mode_translate(d));
++ if ( !paging_mode_translate(d) )
++ return -EINVAL;
+
+ rc = gfn_check_limit(d, gfn, order);
+ if ( rc != 0 )
+
diff --git a/xen-4.1-testing.23352.patch b/xen-4.1-testing.23352.patch
new file mode 100644
index 0000000..588701c
--- /dev/null
+++ b/xen-4.1-testing.23352.patch
@@ -0,0 +1,38 @@
+
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson at eu.citrix.com>
+# Date 1346844596 -3600
+# Node ID 936f63ee4dadb832222c029e958ae7c7564ec0e8
+# Parent 8ebda5388e4e83a69c73bdd7621e76e1de4fc995
+x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
+
+This is being used as a array index, and hence must be validated before
+use.
+
+This is XSA-16 / CVE-2012-3498.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+
+diff -r 8ebda5388e4e -r 936f63ee4dad xen/arch/x86/physdev.c
+--- a/xen/arch/x86/physdev.c Wed Sep 05 12:29:05 2012 +0100
++++ b/xen/arch/x86/physdev.c Wed Sep 05 12:29:56 2012 +0100
+@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
+ struct hvm_girq_dpci_mapping *girq;
+ uint32_t machine_gsi = 0;
+
++ if ( map->index < 0 || map->index >= NR_HVM_IRQS )
++ {
++ ret = -EINVAL;
++ break;
++ }
++
+ /* find the machine gsi corresponding to the
+ * emulated gsi */
+ hvm_irq_dpci = domain_get_irq_dpci(d);
+ if ( hvm_irq_dpci )
+ {
++ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
+ list_for_each_entry ( girq,
+ &hvm_irq_dpci->girq[map->index],
+ list )
+
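Review bot: The added range check relies on `map->index` being a signed field for the `< 0` half to mean anything; if the public `physdev_map_pirq` declaration is unsigned that comparison is dead and `-Wtype-limits` will flag it, so a comment stating the accepted range, `/* index is the guest GSI used to index girq[]; valid range [0, NR_HVM_IRQS) */`, documents the intent either way. The `break` leaves a switch whose header is outside the hunk, so `ret = -EINVAL` is only effective if the code after that switch returns `ret`; that looks like the existing convention but cannot be confirmed from here. The `BUILD_BUG_ON` at the indexing site is fine, though it would read more naturally directly after the range check it justifies.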
diff --git a/xen.spec b/xen.spec
index 7329d1f..31252c5 100644
--- a/xen.spec
+++ b/xen.spec
@@ -10,7 +10,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.1.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -56,6 +56,13 @@ Patch52: upstream-23938:fa04fbd56521-rework
Patch53: upstream-23939:51288f69523f-rework
Patch54: upstream-23940:187d59e32a58
+Patch60: xen-4.1-testing.23349.patch
+Patch61: xen-4.1-testing.23350.patch
+Patch62: xen-4.1-testing.23351.patch
+Patch63: xen-4.1-testing.23352.patch
+Patch64: qemu-xen-4.1-testing.git-3220480734832a148d26f7a81f90af61c2ecfdd9.patch
+Patch65: qemu-xen-4.1-testing.git-d7d453f51459b591faa96d1c123b5bfff7c5b6b6.patch
+
Patch100: xen-configure-xend.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -211,6 +218,13 @@ manage Xen virtual machines.
%patch53 -p1
%patch54 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+
%patch100 -p1
# stubdom sources
@@ -616,6 +630,19 @@ rm -rf %{buildroot}
%endif
%changelog
+* Thu Sep 06 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.3-2
+- 6 security fixes
+ a malicious 64-bit PV guest can crash the dom0 [XSA-12, CVE-2012-3494]
+ (#854585)
+ a malicious crash might be able to crash the dom0 or escalate privileges
+ [XSA-13, CVE-2012-3495] (#854589)
+ a malicious PV guest can crash the dom0 [XSA-14, CVE-2012-3496] (#854590)
+ a malicious HVM guest can crash the dom0 and might be able to read
+ hypervisor or guest memory [XSA-16, CVE-2012-3498] (#854593)
+ an HVM guest could use VT100 escape sequences to escalate privileges to
+ that of the qemu process [XSA-17, CVE-2012-3515] (#854599)
+ disable qemu monitor by default [XSA-19, CVE-2012-4411] (#855141)
+
* Sat Aug 11 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.3-1
- includes fix for untrusted HVM guest can cause the dom0 to hang or
crash [XSA-11, CVE-2012-3433] (#843582)
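Review bot: The changelog entry for XSA-13 reads `a malicious crash might be able to crash the dom0 or escalate privileges`, where "malicious crash" is presumably a slip for "malicious guest", the form the other entries use; change it to `a malicious guest might be able to crash the dom0 or escalate privileges`. The XSA-19 line gives no impact while every other line does; `disable qemu monitor by default, which an untrusted guest administrator could otherwise reach [XSA-19, CVE-2012-4411]` would match the others and the patch's own description. The `Patch60`–`Patch65` declarations and the `%patch60`–`%patch65` applications are consistent with each other.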