[xen] Hypervisor memory corruption due to x86 emulator flaw

myoung myoung at fedoraproject.org
Tue Mar 10 22:09:52 UTC 2015


commit a2775c65933792f29fb43bb5a7ef4f4f8ea3394c
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Tue Mar 10 22:09:29 2015 +0000

    Hypervisor memory corruption due to x86 emulator flaw

 xen.spec     |  8 +++++++-
 xsa123.patch | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
---
diff --git a/xen.spec b/xen.spec
index 26addaf..d6e89e7 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.5.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -90,6 +90,7 @@ Patch21: xsa117.patch
 Patch22: xen.gcc5.fix.patch
 Patch23: xsa121.patch
 Patch24: xsa122.patch
+Patch25: xsa123.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
@@ -279,6 +280,7 @@ manage Xen virtual machines.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
 
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
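Review bot: the `%patch25 -p1` line matches the `Patch25: xsa123.patch` registration in the earlier hunk, and `-p1` is the right strip level for the embedded patch, whose file headers use `a/xen/arch/x86/...` and `b/xen/arch/x86/...` paths. Keeping the patch number, the `%patch` line and the changelog entry in step is the only thing to check here; all three are present in this commit.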
@@ -783,6 +785,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Tue Mar 10 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-4
+- Hypervisor memory corruption due to x86 emulator flaw [XSA-123,
+	CVE-2015-2151] (#1200398)
+
 * Thu Mar 05 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-3
 - Information leak via internal x86 system device emulation [XSA-121,
 	CVE-2015-2044]
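Review bot: the new 4.5.0-4 changelog entry follows the same two-line layout as the existing 4.5.0-3 entry (advisory id and CVE on the first line, tab-indented continuation on the second), and the release number agrees with the `Release: 4%{?dist}` bump in the first hunk. Note that RPM prints changelog text verbatim, so the leading tab on the continuation line shows up as-is in `rpm -q --changelog` output; that is consistent with the prior entries, so no change is needed unless the file's convention is revisited as a whole.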
diff --git a/xsa123.patch b/xsa123.patch
new file mode 100644
index 0000000..653996d
--- /dev/null
+++ b/xsa123.patch
@@ -0,0 +1,24 @@
+x86emul: fully ignore segment override for register-only operations
+
+For ModRM encoded instructions with register operands we must not
+overwrite ea.mem.seg (if a - bogus in that case - segment override was
+present) as it aliases with ea.reg.
+
+This is CVE-2015-2151 / XSA-123.
+
+Reported-by: Felix Wilhelm <fwilhelm at ernw.de>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+Reviewed-by: Keir Fraser <keir at xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1757,7 +1757,7 @@ x86_emulate(
+         }
+     }
+ 
+-    if ( override_seg != -1 )
++    if ( override_seg != -1 && ea.type == OP_MEM )
+         ea.mem.seg = override_seg;
+ 
+     /* Early operand adjustments. */
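Review bot: the one-line guard `ea.type == OP_MEM` is the whole fix, and it depends on `ea.type` having already been settled by the ModRM decoding that ends just above the hunk; the condition reads as arbitrary without the aliasing explanation from the patch description, so a short comment at the site (e.g. "ea.mem.seg aliases ea.reg for register operands; only apply an override to memory operands") would help future readers. The description makes the risk clear: before this change, a segment-override prefix on a register-form ModRM instruction wrote `ea.mem.seg` and thereby clobbered `ea.reg`, which is the hypervisor memory corruption the advisory (XSA-123, CVE-2015-2151) describes. Applying the override only when the operand is a memory operand closes that path; deployments should take the 4.5.0-4 build or an equivalent patched hypervisor.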