[xen/f17] make xendomains systemd script executable, security patch for CVE-2013-1920 / XSA-47

myoung myoung at fedoraproject.org
Thu Apr 4 23:29:38 UTC 2013


commit 66b88b10ab38036e3b594872875068beda844574
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Apr 5 00:26:47 2013 +0100

    make xendomains systemd script executable, security patch for
    CVE-2013-1920 / XSA-47

 xen.spec        |   12 ++++++++++--
 xsa47-4.1.patch |   31 +++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index 2f26f9b..032995f 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.4
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -78,6 +78,7 @@ Patch57: xsa27.fix.patch
 Patch58: xsa36-4.1.patch
 Patch59: xsa38.patch
 Patch60: gcc48.build.patch
+Patch61: xsa47-4.1.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -241,6 +242,7 @@ manage Xen virtual machines.
 %patch58 -p1
 %patch59 -p1
 %patch60 -p1
+%patch61 -p1
 
 %patch100 -p1
 
@@ -362,7 +364,7 @@ install -m 644 %{SOURCE45} %{buildroot}%{_unitdir}/xenconsoled.service
 install -m 644 %{SOURCE46} %{buildroot}%{_unitdir}/xen-watchdog.service
 install -m 644 %{SOURCE47} %{buildroot}%{_unitdir}/xendomains.service
 mkdir -p %{buildroot}%{_libexecdir}
-install -m 644 %{SOURCE48} %{buildroot}%{_libexecdir}/xendomains
+install -m 755 %{SOURCE48} %{buildroot}%{_libexecdir}/xendomains
 %endif
 
 # config file only used for hotplug, Fedora uses udev instead
@@ -699,6 +701,12 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Apr 04 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-7
+- make xendomains systemd script executable (#919705)
+- Potential use of freed memory in event channel operations [XSA-47,
+  CVE-2013-1920]
+
+
 * Fri Feb 22 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-6
 - patch for [XSA-36, CVE-2013-0153] can cause boot time crash
 - backport the fixes discovered when building with gcc 4.8
diff --git a/xsa47-4.1.patch b/xsa47-4.1.patch
new file mode 100644
index 0000000..bbad0c4
--- /dev/null
+++ b/xsa47-4.1.patch
@@ -0,0 +1,31 @@
+defer event channel bucket pointer store until after XSM checks
+
+Otherwise a dangling pointer can be left, which would cause subsequent
+memory corruption as soon as the space got re-allocated for some other
+purpose.
+
+This is CVE-2013-1920 / XSA-47.
+
+Reported-by: Wei Liu <wei.liu2 at citrix.com>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -104,7 +104,6 @@ static int get_free_port(struct domain *
+     if ( unlikely(chn == NULL) )
+         return -ENOMEM;
+     memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
+-    bucket_from_port(d, port) = chn;
+ 
+     for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
+     {
+@@ -117,6 +116,8 @@ static int get_free_port(struct domain *
+         }
+     }
+ 
++    bucket_from_port(d, port) = chn;
++
+     return port;
+ }
+ 
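Review bot: The relocated `bucket_from_port(d, port) = chn;` at the end of the second embedded event_channel.c hunk has no comment saying why it must follow the loop, yet that ordering is the whole fix. The patch description says the earlier store could leave a dangling pointer around the XSM checks. The failure path is not visible in this hunk, so presumably it frees `chn` and returns while the bucket slot still points at it. A comment above the store, such as `/* Publish the bucket only after all per-channel XSM setup has succeeded; the failure path frees chn. */`, would keep a later refactor from moving the assignment back above the loop. get_free_port() begins outside the hunk, so the allocation and the loop body should be checked against the full function.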

