[xen/f17] patch for [XSA-36, CVE-2013-0153] can cause boot time crash, backport the fixes discovered when buil

myoung myoung at fedoraproject.org
Fri Feb 22 15:58:04 UTC 2013


commit 2c92871eeb9a4c58ece0ad0ff30a630cb7513fef
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Feb 22 15:56:44 2013 +0000

    patch for [XSA-36, CVE-2013-0153] can cause boot time crash,
    backport the fixes discovered when building with gcc 4.8

 gcc48.build.patch |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 xen.spec          |    8 ++++++-
 xsa36-4.1.patch   |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 117 insertions(+), 1 deletions(-)
---
diff --git a/gcc48.build.patch b/gcc48.build.patch
new file mode 100644
index 0000000..0aded8e
--- /dev/null
+++ b/gcc48.build.patch
@@ -0,0 +1,55 @@
+--- xen-4.2.1/tools/libxc/xc_dom_boot.c.orig	2012-12-17 15:00:48.000000000 +0000
++++ xen-4.2.1/tools/libxc/xc_dom_boot.c	2013-01-28 22:21:13.215782329 +0000
+@@ -266,7 +266,7 @@
+         return rc;
+ 
+     /* let the vm run */
+-    memset(ctxt, 0, sizeof(ctxt));
++    memset(ctxt, 0, sizeof(*ctxt));
+     if ( (rc = dom->arch_hooks->vcpu(dom, ctxt)) != 0 )
+         return rc;
+     xc_dom_unmap_all(dom);
+--- xen-4.2.1/tools/blktap2/drivers/md5.c.orig	2012-12-17 15:00:11.000000000 +0000
++++ xen-4.2.1/tools/blktap2/drivers/md5.c	2013-01-28 23:49:51.940289123 +0000
+@@ -174,7 +174,7 @@
+     MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+     byteReverse((unsigned char *) ctx->buf, 4);
+     memcpy(digest, ctx->buf, 16);
+-    memset(ctx, 0, sizeof(ctx));     /* In case it's sensitive */
++    memset(ctx, 0, sizeof(*ctx));     /* In case it's sensitive */
+ }
+ 
+ /* The four core functions - F1 is optimized somewhat */
+--- xen-4.2.1/tools/xenstat/libxenstat/src/xenstat_linux.c.orig	2012-12-17 15:01:35.000000000 +0000
++++ xen-4.2.1/tools/xenstat/libxenstat/src/xenstat_linux.c	2013-01-29 21:43:46.044169987 +0000
+@@ -113,7 +113,7 @@
+ 
+ 	/* Initialize all variables called has passed as non-NULL to zeros */
+ 	if (iface != NULL)
+-		memset(iface, 0, sizeof(iface));
++		memset(iface, 0, sizeof(*iface));
+ 	if (rxBytes != NULL)
+ 		*rxBytes = 0;
+ 	if (rxPackets != NULL)
+--- xen-4.2.1/tools/debugger/kdd/kdd-xen.c.orig	2012-12-17 15:00:22.000000000 +0000
++++ xen-4.2.1/tools/debugger/kdd/kdd-xen.c	2013-01-29 21:45:12.652087239 +0000
+@@ -333,7 +333,7 @@
+     if (!cpu) 
+         return -1;
+ 
+-    memset(r, 0, sizeof(r));
++    memset(r, 0, sizeof(*r));
+     
+     if (w64)
+         kdd_get_regs_x86_64(cpu, &r->r64);
+--- xen-4.2.1/tools/python/xen/lowlevel/netlink/libnetlink.c.orig	2012-12-17 15:01:24.000000000 +0000
++++ xen-4.2.1/tools/python/xen/lowlevel/netlink/libnetlink.c	2013-01-29 21:47:59.524001053 +0000
+@@ -37,7 +37,7 @@
+        int sndbuf = 32768;
+        int rcvbuf = 32768;
+ 
+-       memset(rth, 0, sizeof(rth));
++       memset(rth, 0, sizeof(*rth));
+ 
+        rth->fd = socket(AF_NETLINK, SOCK_RAW, protocol);
+        if (rth->fd < 0) {
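Review bot: In the xenstat_linux.c part, `memset(iface, 0, sizeof(*iface));` may still clear less than the comment above it promises. The declaration of `iface` is outside the hunk, but if it is a `char *` name buffer then `sizeof(*iface)` is 1 and only the first byte is zeroed, which silences the gcc 4.8 warning without initialising the buffer. If an empty string is all that is wanted, `*iface = '\0';` says so directly; otherwise the caller has to pass the buffer length in. Separately, in md5.c the wipe commented "In case it's sensitive" is a plain `memset` as the last statement of the function, which an optimiser may treat as a dead store if the function is inlined into a caller that never reads the context again; a wipe that cannot be elided would be the safer choice there.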
diff --git a/xen.spec b/xen.spec
index d1892d5..2f26f9b 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -77,6 +77,7 @@ Patch56: xsa41-4.1.patch
 Patch57: xsa27.fix.patch
 Patch58: xsa36-4.1.patch
 Patch59: xsa38.patch
+Patch60: gcc48.build.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -239,6 +240,7 @@ manage Xen virtual machines.
 %patch57 -p1
 %patch58 -p1
 %patch59 -p1
+%patch60 -p1
 
 %patch100 -p1
 
@@ -697,6 +699,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri Feb 22 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-6
+- patch for [XSA-36, CVE-2013-0153] can cause boot time crash
+- backport the fixes discovered when building with gcc 4.8
+
 * Fri Feb 15 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-5
 - patch for [XSA-38, CVE-2013-0215] was flawed
 
diff --git a/xsa36-4.1.patch b/xsa36-4.1.patch
index f4b15e2..e5ae9ef 100644
--- a/xsa36-4.1.patch
+++ b/xsa36-4.1.patch
@@ -37,6 +37,23 @@ This is XSA-36 / CVE-2013-0153.
 Signed-off-by: Jan Beulich <jbeulich at suse.com>
 Signed-off-by: Boris Ostrovsky <boris.ostrovsky at amd.com>
 
+AMD IOMMU: also spot missing IO-APIC entries in IVRS table
+
+Apart from dealing duplicate conflicting entries, we also have to
+handle firmware omitting IO-APIC entries in IVRS altogether. Not doing
+so has resulted in c/s 26517:601139e2b0db to crash such systems during
+boot (whereas with the change here the IOMMU gets disabled just as is
+being done in the other cases, i.e. unless global tables are being
+used).
+
+Debugging this issue has also pointed out that the debug log output is
+pretty ugly to look at - consolidate the output, and add one extra
+item for the IVHD special entries, so that future issues are easier
+to analyze.
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Tested-by: Sander Eikelenboom <linux at eikelenboom.it>
+
 --- a/xen/arch/x86/irq.c
 +++ b/xen/arch/x86/irq.c
 @@ -1677,9 +1677,6 @@ int map_domain_pirq(
@@ -158,6 +175,44 @@ Signed-off-by: Boris Ostrovsky <boris.ostrovsky at amd.com>
  }
  
  static int __init parse_ivhd_block(struct acpi_ivhd_block_header *ivhd_block)
+@@ -817,6 +867,7 @@ static int __init parse_ivrs_table(struc
+ {
+     struct acpi_ivrs_block_header *ivrs_block;
+     unsigned long length;
++    unsigned int apic;
+     int error = 0;
+     struct acpi_table_header *table = (struct acpi_table_header *)_table;
+ 
+@@ -851,6 +902,29 @@ static int __init parse_ivrs_table(struc
+         length += ivrs_block->length;
+     }
+ 
++    /* Each IO-APIC must have been mentioned in the table. */
++    for ( apic = 0; !error && apic < nr_ioapics; ++apic )
++    {
++        if ( !nr_ioapic_registers[apic] ||
++             ioapic_bdf[IO_APIC_ID(apic)].pin_setup )
++            continue;
++
++        printk(XENLOG_ERR "IVHD Error: no information for IO-APIC %#x\n",
++               IO_APIC_ID(apic));
++        if ( amd_iommu_perdev_intremap )
++            error = -ENXIO;
++        else
++        {
++            ioapic_bdf[IO_APIC_ID(apic)].pin_setup = xzalloc_array(
++                unsigned long, BITS_TO_LONGS(nr_ioapic_registers[apic]));
++            if ( !ioapic_bdf[IO_APIC_ID(apic)].pin_setup )
++            {
++                printk(XENLOG_ERR "IVHD Error: Out of memory\n");
++                error = -ENOMEM;
++            }
++        }
++    }
++
+     return error;
+ }
+ 
 --- a/xen/drivers/passthrough/amd/iommu_init.c
 +++ b/xen/drivers/passthrough/amd/iommu_init.c
 @@ -897,12 +897,45 @@ static int __init amd_iommu_setup_device
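Review bot: The loop added to parse_ivrs_table reads and writes `ioapic_bdf[IO_APIC_ID(apic)]` with an ID that ultimately comes from firmware tables, and nothing in the added lines checks that ID against the size of `ioapic_bdf`. The array declaration and the rest of the function are outside this hunk, so a bound may already be enforced elsewhere. If it is not, a guard before the first dereference, such as `if ( IO_APIC_ID(apic) >= ARRAY_SIZE(ioapic_bdf) ) { error = -ENXIO; break; }`, would keep a malformed table from touching memory past the array during boot. The `!error` loop condition also stops at the first failure, so only one missing IO-APIC is logged; a short comment stating that this is intentional would help whoever next debugs a firmware table.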

