[xen] Additional patch for XSA-98 on arm64

Fri Mar 13 20:02:38 UTC 2015

commit 3019908b4fb8d394b5108d0d08ef90b6202c9756
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri Mar 13 20:01:01 2015 +0000

    Additional patch for XSA-98 on arm64

 xen.spec           |  7 ++++++-
 xsa98-update.patch | 26 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
---

diff --git a/xen.spec b/xen.spec
index f1b5bbd..6d2a5f3 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.5.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -92,6 +92,7 @@ Patch23: xsa121.patch
 Patch24: xsa122.patch
 Patch25: xsa123.patch
 Patch26: xsa119-unstable.patch
+Patch27: xsa98-update.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
@@ -283,6 +284,7 @@ manage Xen virtual machines.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
 
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -787,6 +789,9 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri Mar 13 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-6
+- Additional patch for XSA-98 on arm64
+
 * Thu Mar 12 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-5
 - HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119,
 	CVE-2015-2152] (#1201365)
diff --git a/xsa98-update.patch b/xsa98-update.patch
new file mode 100644
index 0000000..cc52e3c
--- /dev/null
+++ b/xsa98-update.patch
@@ -0,0 +1,26 @@
+xen: arm: correct arm64 version of gva_to_ma_par
+
+The implementation was backwards and checked that the guest could
+read when asked about write and vice versa.
+
+This is an update to the fix for XSA-98.
+
+Reported-by: Tamas K Lengyel <tklengyel at sec.in.tum.de>
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+
+diff --git a/xen/include/asm-arm/arm64/page.h b/xen/include/asm-arm/arm64/page.h
+index bb10164..386e434 100644
+--- a/xen/include/asm-arm/arm64/page.h
++++ b/xen/include/asm-arm/arm64/page.h
+@@ -86,9 +86,9 @@ static inline uint64_t gva_to_ma_par(vaddr_t va, unsigned int flags)
+     uint64_t par, tmp = READ_SYSREG64(PAR_EL1);
+ 
+     if ( (flags & GV2M_WRITE) == GV2M_WRITE )
+-        asm volatile ("at s12e1r, %0;" : : "r" (va));
+-    else
+         asm volatile ("at s12e1w, %0;" : : "r" (va));
++    else
++        asm volatile ("at s12e1r, %0;" : : "r" (va));
+     isb();
+     par = READ_SYSREG64(PAR_EL1);
+     WRITE_SYSREG64(tmp, PAR_EL1);
