[xen/f17] patch for [XSA-36, CVE-2013-0153] can cause boot time crash, backport the fixes discovered when buil
myoung
myoung at fedoraproject.org
Fri Feb 22 15:58:04 UTC 2013
commit 2c92871eeb9a4c58ece0ad0ff30a630cb7513fef
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Fri Feb 22 15:56:44 2013 +0000
patch for [XSA-36, CVE-2013-0153] can cause boot time crash,
backport the fixes discovered when building with gcc 4.8
gcc48.build.patch | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
xen.spec | 8 ++++++-
xsa36-4.1.patch | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 117 insertions(+), 1 deletions(-)
---
diff --git a/gcc48.build.patch b/gcc48.build.patch
new file mode 100644
index 0000000..0aded8e
--- /dev/null
+++ b/gcc48.build.patch
@@ -0,0 +1,55 @@
+--- xen-4.2.1/tools/libxc/xc_dom_boot.c.orig 2012-12-17 15:00:48.000000000 +0000
++++ xen-4.2.1/tools/libxc/xc_dom_boot.c 2013-01-28 22:21:13.215782329 +0000
+@@ -266,7 +266,7 @@
+ return rc;
+
+ /* let the vm run */
+- memset(ctxt, 0, sizeof(ctxt));
++ memset(ctxt, 0, sizeof(*ctxt));
+ if ( (rc = dom->arch_hooks->vcpu(dom, ctxt)) != 0 )
+ return rc;
+ xc_dom_unmap_all(dom);
+--- xen-4.2.1/tools/blktap2/drivers/md5.c.orig 2012-12-17 15:00:11.000000000 +0000
++++ xen-4.2.1/tools/blktap2/drivers/md5.c 2013-01-28 23:49:51.940289123 +0000
+@@ -174,7 +174,7 @@
+ MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+ byteReverse((unsigned char *) ctx->buf, 4);
+ memcpy(digest, ctx->buf, 16);
+- memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
++ memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */
+ }
+
+ /* The four core functions - F1 is optimized somewhat */
+--- xen-4.2.1/tools/xenstat/libxenstat/src/xenstat_linux.c.orig 2012-12-17 15:01:35.000000000 +0000
++++ xen-4.2.1/tools/xenstat/libxenstat/src/xenstat_linux.c 2013-01-29 21:43:46.044169987 +0000
+@@ -113,7 +113,7 @@
+
+ /* Initialize all variables called has passed as non-NULL to zeros */
+ if (iface != NULL)
+- memset(iface, 0, sizeof(iface));
++ memset(iface, 0, sizeof(*iface));
+ if (rxBytes != NULL)
+ *rxBytes = 0;
+ if (rxPackets != NULL)
+--- xen-4.2.1/tools/debugger/kdd/kdd-xen.c.orig 2012-12-17 15:00:22.000000000 +0000
++++ xen-4.2.1/tools/debugger/kdd/kdd-xen.c 2013-01-29 21:45:12.652087239 +0000
+@@ -333,7 +333,7 @@
+ if (!cpu)
+ return -1;
+
+- memset(r, 0, sizeof(r));
++ memset(r, 0, sizeof(*r));
+
+ if (w64)
+ kdd_get_regs_x86_64(cpu, &r->r64);
+--- xen-4.2.1/tools/python/xen/lowlevel/netlink/libnetlink.c.orig 2012-12-17 15:01:24.000000000 +0000
++++ xen-4.2.1/tools/python/xen/lowlevel/netlink/libnetlink.c 2013-01-29 21:47:59.524001053 +0000
+@@ -37,7 +37,7 @@
+ int sndbuf = 32768;
+ int rcvbuf = 32768;
+
+- memset(rth, 0, sizeof(rth));
++ memset(rth, 0, sizeof(*rth));
+
+ rth->fd = socket(AF_NETLINK, SOCK_RAW, protocol);
+ if (rth->fd < 0) {
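Review bot: In the xenstat_linux.c hunk, `memset(iface, 0, sizeof(*iface));` clears only one element of `iface`. The declaration is outside the hunk, but if `iface` is a `char *` name buffer this zeroes a single byte, which empties the string without clearing the rest of the buffer that the comment above it describes. If an empty string is the intent, `*iface = '\0';` says so directly; clearing the whole buffer would need the caller to pass its length. Separately, in the md5.c hunk the wipe marked "In case it's sensitive" is a plain `memset` just before the function returns, which a compiler may drop as a dead store if the call is inlined and the context is not read again; a scrub that cannot be elided (for example `explicit_bzero(ctx, sizeof(*ctx));` where the libc provides it) would keep the guarantee. All five enclosing functions start outside the nested hunks.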
diff --git a/xen.spec b/xen.spec
index d1892d5..2f26f9b 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.1.4
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -77,6 +77,7 @@ Patch56: xsa41-4.1.patch
Patch57: xsa27.fix.patch
Patch58: xsa36-4.1.patch
Patch59: xsa38.patch
+Patch60: gcc48.build.patch
Patch100: xen-configure-xend.patch
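Review bot: `Patch60: gcc48.build.patch` is added without a comment on its origin, and the patch itself is generated against `xen-4.2.1/...` paths while this package is `Version: 4.1.4`. A one-line comment above it, such as `# sizeof(pointer) memset fixes found when building with gcc 4.8 (backport; generated against xen-4.2.1)`, would tell later maintainers why it is carried and when it can be dropped. Because the nested hunk line numbers are those of the 4.2.1 tree, it is worth confirming in the build log that all five hunks apply at the intended `memset` calls rather than at an offset match.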
@@ -239,6 +240,7 @@ manage Xen virtual machines.
%patch57 -p1
%patch58 -p1
%patch59 -p1
+%patch60 -p1
%patch100 -p1
@@ -697,6 +699,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Fri Feb 22 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-6
+- patch for [XSA-36, CVE-2013-0153] can cause boot time crash
+- backport the fixes discovered when building with gcc 4.8
+
* Fri Feb 15 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-5
- patch for [XSA-38, CVE-2013-0215] was flawed
diff --git a/xsa36-4.1.patch b/xsa36-4.1.patch
index f4b15e2..e5ae9ef 100644
--- a/xsa36-4.1.patch
+++ b/xsa36-4.1.patch
@@ -37,6 +37,23 @@ This is XSA-36 / CVE-2013-0153.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky at amd.com>
+AMD IOMMU: also spot missing IO-APIC entries in IVRS table
+
+Apart from dealing duplicate conflicting entries, we also have to
+handle firmware omitting IO-APIC entries in IVRS altogether. Not doing
+so has resulted in c/s 26517:601139e2b0db to crash such systems during
+boot (whereas with the change here the IOMMU gets disabled just as is
+being done in the other cases, i.e. unless global tables are being
+used).
+
+Debugging this issue has also pointed out that the debug log output is
+pretty ugly to look at - consolidate the output, and add one extra
+item for the IVHD special entries, so that future issues are easier
+to analyze.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Tested-by: Sander Eikelenboom <linux at eikelenboom.it>
+
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -1677,9 +1677,6 @@ int map_domain_pirq(
@@ -158,6 +175,44 @@ Signed-off-by: Boris Ostrovsky <boris.ostrovsky at amd.com>
}
static int __init parse_ivhd_block(struct acpi_ivhd_block_header *ivhd_block)
+@@ -817,6 +867,7 @@ static int __init parse_ivrs_table(struc
+ {
+ struct acpi_ivrs_block_header *ivrs_block;
+ unsigned long length;
++ unsigned int apic;
+ int error = 0;
+ struct acpi_table_header *table = (struct acpi_table_header *)_table;
+
+@@ -851,6 +902,29 @@ static int __init parse_ivrs_table(struc
+ length += ivrs_block->length;
+ }
+
++ /* Each IO-APIC must have been mentioned in the table. */
++ for ( apic = 0; !error && apic < nr_ioapics; ++apic )
++ {
++ if ( !nr_ioapic_registers[apic] ||
++ ioapic_bdf[IO_APIC_ID(apic)].pin_setup )
++ continue;
++
++ printk(XENLOG_ERR "IVHD Error: no information for IO-APIC %#x\n",
++ IO_APIC_ID(apic));
++ if ( amd_iommu_perdev_intremap )
++ error = -ENXIO;
++ else
++ {
++ ioapic_bdf[IO_APIC_ID(apic)].pin_setup = xzalloc_array(
++ unsigned long, BITS_TO_LONGS(nr_ioapic_registers[apic]));
++ if ( !ioapic_bdf[IO_APIC_ID(apic)].pin_setup )
++ {
++ printk(XENLOG_ERR "IVHD Error: Out of memory\n");
++ error = -ENOMEM;
++ }
++ }
++ }
++
+ return error;
+ }
+
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -897,12 +897,45 @@ static int __init amd_iommu_setup_device
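Review bot: The new loop in parse_ivrs_table() uses `IO_APIC_ID(apic)` as an index into `ioapic_bdf[]` three times without a visible range check, and that ID presumably originates from firmware-provided tables. The declaration of `ioapic_bdf` is outside this hunk, so the bound may already be guaranteed elsewhere. If it is not, and assuming `ioapic_bdf` is a fixed-size array, a guard at the top of the loop body such as `if ( IO_APIC_ID(apic) >= ARRAY_SIZE(ioapic_bdf) ) { error = -ENXIO; break; }` would keep a malformed table from causing an out-of-bounds `pin_setup` access. A short comment on the `else` branch explaining why a zeroed `pin_setup` bitmap is an acceptable fallback when `amd_iommu_perdev_intremap` is off would also help, since that reasoning appears only in the patch description. Only part of parse_ivrs_table() is visible here.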