author | Ian Delaney <idella4@gentoo.org> | 2014-01-06 09:40:15 +0000 |
---|---|---|
committer | Ian Delaney <idella4@gentoo.org> | 2014-01-06 09:40:15 +0000 |
commit | d033fd05d7bc496eb9df604267c5495c54faca24 (patch) | |
tree | e824977d7ab6016357021dd6b38be64fd841470f /app-emulation | |
parent | Stable for sparc, wrt bug #494728 (diff) | |
add new sec patches, revbumps, patches prepared by dlan
(Portage version: 2.2.0/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation')
-rw-r--r-- | app-emulation/xen/ChangeLog | 11 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4.3-CVE-2013-4553-XSA-74.patch | 41 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-CVE-2013-4554-XSA-76.patch | 19 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-CVE-2013-6400-XSA-80.patch | 72 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.3.0-r6.ebuild | 145 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.3.1-r3.ebuild | 141 |
6 files changed, 428 insertions, 1 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index a9b5e662b824..6e4619b3a189 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for app-emulation/xen
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.141 2014/01/01 11:40:20 tomwij Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.142 2014/01/06 09:40:15 idella4 Exp $
+
+*xen-4.3.1-r3 (06 Jan 2014)
+*xen-4.3.0-r6 (06 Jan 2014)
+
+ 06 Jan 2014; Ian Delaney <idella4@gentoo.org>
+ +files/xen-4.3-CVE-2013-4553-XSA-74.patch,
+ +files/xen-CVE-2013-4554-XSA-76.patch, +files/xen-CVE-2013-6400-XSA-80.patch,
+ +xen-4.3.0-r6.ebuild, +xen-4.3.1-r3.ebuild:
+ add new sec patches, revbumps, patches prepared by dlan
 
 01 Jan 2014; Tom Wijsman <TomWij@gentoo.org>
 -files/xen-4-CVE-2012-5634-XSA-33.patch,
diff --git a/app-emulation/xen/files/xen-4.3-CVE-2013-4553-XSA-74.patch b/app-emulation/xen/files/xen-4.3-CVE-2013-4553-XSA-74.patch
new file mode 100644
index 000000000000..4c9c27c3b6a0
--- /dev/null
+++ b/app-emulation/xen/files/xen-4.3-CVE-2013-4553-XSA-74.patch
@@ -0,0 +1,41 @@
+x86: restrict XEN_DOMCTL_getmemlist
+
+Coverity ID 1055652
+
+(See the code comment.)
+
+This is CVE-2013-4553 / XSA-74.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -329,6 +329,26 @@ long arch_do_domctl(
+ break;
+ }
+
++ /*
++ * XSA-74: This sub-hypercall is broken in several ways:
++ * - lock order inversion (p2m locks inside page_alloc_lock)
++ * - no preemption on huge max_pfns input
++ * - not (re-)checking d->is_dying with page_alloc_lock held
++ * - not honoring start_pfn input (which libxc also doesn't set)
++ * Additionally it is rather useless, as the result is stale by the
++ * time the caller gets to look at it.
++ * As it only has a single, non-production consumer (xen-mceinj),
++ * rather than trying to fix it we restrict it for the time being.
++ */
++ if ( /* No nested locks inside copy_to_guest_offset(). */
++ paging_mode_external(current->domain) ||
++ /* Arbitrary limit capping processing time. */
++ max_pfns > GB(4) / PAGE_SIZE )
++ {
++ ret = -EOPNOTSUPP;
++ break;
++ }
++
+ spin_lock(&d->page_alloc_lock);
+
+ ret = i = 0;
diff --git a/app-emulation/xen/files/xen-CVE-2013-4554-XSA-76.patch b/app-emulation/xen/files/xen-CVE-2013-4554-XSA-76.patch
new file mode 100644
index 000000000000..54e4325a0de8
--- /dev/null
+++ b/app-emulation/xen/files/xen-CVE-2013-4554-XSA-76.patch
@@ -0,0 +1,19 @@
+x86/HVM: only allow ring 0 guest code to make hypercalls
+
+Anything else would allow for privilege escalation.
+
+This is CVE-2013-4554 / XSA-76.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+ case 4:
+ case 2:
+ hvm_get_segment_register(curr, x86_seg_ss, &sreg);
+- if ( unlikely(sreg.attr.fields.dpl == 3) )
++ if ( unlikely(sreg.attr.fields.dpl) )
+ {
+ default:
+ regs->eax = -EPERM;
diff --git a/app-emulation/xen/files/xen-CVE-2013-6400-XSA-80.patch b/app-emulation/xen/files/xen-CVE-2013-6400-XSA-80.patch
new file mode 100644
index 000000000000..c9045959a018
--- /dev/null
+++ b/app-emulation/xen/files/xen-CVE-2013-6400-XSA-80.patch
@@ -0,0 +1,72 @@
+IOMMU: clear "don't flush" override on error paths
+
+Both xenmem_add_to_physmap() and iommu_populate_page_table() each have
+an error path that fails to clear that flag, thus suppressing further
+flushes on the respective pCPU.
+
+In iommu_populate_page_table() also slightly re-arrange code to avoid
+the false impression of the flag in question being guarded by a
+domain's page_alloc_lock.
+
+This is CVE-2013-6400 / XSA-80.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -4648,7 +4648,7 @@ static int xenmem_add_to_physmap(struct
+ {
+ rc = xenmem_add_to_physmap_once(d, xatp);
+ if ( rc < 0 )
+- return rc;
++ break;
+
+ xatp->idx++;
+ xatp->gpfn++;
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -306,11 +306,11 @@ static int iommu_populate_page_table(str
+ {
+ struct hvm_iommu *hd = domain_hvm_iommu(d);
+ struct page_info *page;
+- int rc;
++ int rc = 0;
+
++ this_cpu(iommu_dont_flush_iotlb) = 1;
+ spin_lock(&d->page_alloc_lock);
+
+- this_cpu(iommu_dont_flush_iotlb) = 1;
+ page_list_for_each ( page, &d->page_list )
+ {
+ if ( is_hvm_domain(d) ||
+@@ -320,18 +320,20 @@ static int iommu_populate_page_table(str
+ rc = hd->platform_ops->map_page(
+ d, mfn_to_gmfn(d, page_to_mfn(page)), page_to_mfn(page),
+ IOMMUF_readable|IOMMUF_writable);
+- if (rc)
+- {
+- spin_unlock(&d->page_alloc_lock);
+- hd->platform_ops->teardown(d);
+- return rc;
+- }
++ if ( rc )
++ break;
+ }
+ }
+- this_cpu(iommu_dont_flush_iotlb) = 0;
+- iommu_iotlb_flush_all(d);
++
+ spin_unlock(&d->page_alloc_lock);
+- return 0;
++ this_cpu(iommu_dont_flush_iotlb) = 0;
++
++ if ( !rc )
++ iommu_iotlb_flush_all(d);
++ else
++ hd->platform_ops->teardown(d);
++
++ return rc;
+ }
+
+
diff --git a/app-emulation/xen/xen-4.3.0-r6.ebuild b/app-emulation/xen/xen-4.3.0-r6.ebuild
new file mode 100644
index 000000000000..ec77c4a23a1a
--- /dev/null
+++ b/app-emulation/xen/xen-4.3.0-r6.ebuild 
@@ -0,0 +1,145 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.0-r6.ebuild,v 1.1 2014/01/06 09:40:15 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+if [[ $PV == *9999 ]]; then
+ KEYWORDS=""
+ REPO="xen-unstable.hg"
+ EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+ S="${WORKDIR}/${REPO}"
+ live_eclass="mercurial"
+else
+ # support dropped for regular 32 bit hypervisor, Bug 493944
+ KEYWORDS="~amd64 -x86"
+ SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug efi flask xsm"
+
+DEPEND="${PYTHON_DEPS}
+ efi? ( >=sys-devel/binutils-2.22[multitarget] )
+ !efi? ( >=sys-devel/binutils-2.22[-multitarget] )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="flask? ( xsm )"
+
+#Security patches
+XSA_PATCHES=(
+ "${FILESDIR}"/${PN}-CVE-2013-1442-XSA-62.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4355-XSA-63.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4356-XSA-64.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4368-XSA-67.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4375-XSA-71.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4494-XSA-73.patch
+ "${FILESDIR}"/${PN}-4.3-CVE-2013-6375-XSA-75.patch
+ "${FILESDIR}"/${PN}-CVE-2013-6375-XSA-78.patch
+ "${FILESDIR}"/${PN}-CVE-2013-6885-XSA-82.patch
+ "${FILESDIR}"/${PN}-4.3-CVE-2013-4553-XSA-74.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch
+ "${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch
+)
+
+pkg_setup() {
+ python-any-r1_pkg_setup
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! 
Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ if use flask ; then
+ export "XSM_ENABLE=y"
+ export "FLASK_ENABLE=y"
+ elif use xsm ; then
+ export "XSM_ENABLE=y"
+ fi
+}
+
+src_prepare() {
+ # Drop .config and fix gcc-4.6
+ epatch "${FILESDIR}"/${PN/-pvgrub/}-4.3-fix_dotconfig-gcc.patch
+
+ if use efi; then
+ epatch "${FILESDIR}"/${PN}-4.2-efi.patch
+ export EFI_VENDOR="gentoo"
+ export EFI_MOUNTPOINT="boot"
+ fi
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \; || die "failed to re-set custom-cflags"
+ fi
+
+ # not strictly necessary to fix this
+ sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+ [[ ${XSA_PATCHES[@]} ]] && epatch "${XSA_PATCHES[@]}"
+ epatch_user
+}
+
+src_configure() {
+ use debug && myopt="${myopt} debug=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+}
+
+src_compile() {
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+
+ # The 'make install' doesn't 'mkdir -p' the subdirs
+ if use efi; then
+ mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+ fi
+
+ emake 
LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ use efi && einfo "The efi executable is installed in boot/efi/gentoo"
+}
diff --git a/app-emulation/xen/xen-4.3.1-r3.ebuild b/app-emulation/xen/xen-4.3.1-r3.ebuild
new file mode 100644
index 000000000000..ecfb0fa7eaa5
--- /dev/null
+++ b/app-emulation/xen/xen-4.3.1-r3.ebuild
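Review bot: The `emake ... -C xen ${myopt} install` line in src_install of xen-4.3.0-r6.ebuild passes LDFLAGS and DESTDIR but not the `CC="$(tc-getCC)"` and `LD="$(tc-getLD)"` overrides that src_compile passes a few lines above, so if the install target decides anything is out of date it can relink or rebuild hypervisor objects with the host's default toolchain rather than the one the build was configured for. The same line appears in src_install of xen-4.3.1-r3.ebuild. I would make both emake invocations pass the identical toolchain variables: `emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" DESTDIR="${D}" -C xen ${myopt} install`. Whether the Xen install target really rebuilds depends on its makefiles, which are not shown here, but passing the same variables to both phases removes the question.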
@@ -0,0 +1,141 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.1-r3.ebuild,v 1.1 2014/01/06 09:40:15 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+if [[ $PV == *9999 ]]; then
+ KEYWORDS=""
+ REPO="xen-unstable.hg"
+ EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+ S="${WORKDIR}/${REPO}"
+ live_eclass="mercurial"
+else
+ # Set to match entry in stable 4.3.1-r1, Bug 493944
+ KEYWORDS="~amd64 -x86"
+ SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug efi flask xsm"
+
+DEPEND="${PYTHON_DEPS}
+ efi? ( >=sys-devel/binutils-2.22[multitarget] )
+ !efi? ( >=sys-devel/binutils-2.22[-multitarget] )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="flask? ( xsm )"
+
+# Security patches
+XSA_PATCHES=(
+ "${FILESDIR}"/${PN}-CVE-2013-4375-XSA-71.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4494-XSA-73.patch
+ "${FILESDIR}"/${PN}-4.3-CVE-2013-6375-XSA-75.patch
+ "${FILESDIR}"/${PN}-CVE-2013-6375-XSA-78.patch
+ "${FILESDIR}"/${PN}-CVE-2013-6885-XSA-82.patch
+ "${FILESDIR}"/${PN}-4.3-CVE-2013-4553-XSA-74.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch
+ "${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch
+)
+
+pkg_setup() {
+ python-any-r1_pkg_setup
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!" 
+ fi
+ fi
+
+ if use flask ; then
+ export "XSM_ENABLE=y"
+ export "FLASK_ENABLE=y"
+ elif use xsm ; then
+ export "XSM_ENABLE=y"
+ fi
+}
+
+src_prepare() {
+ # Drop .config and fix gcc-4.6
+ epatch "${FILESDIR}"/${PN/-pvgrub/}-4.3-fix_dotconfig-gcc.patch
+
+ if use efi; then
+ epatch "${FILESDIR}"/${PN}-4.2-efi.patch
+ export EFI_VENDOR="gentoo"
+ export EFI_MOUNTPOINT="boot"
+ fi
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \; || die "failed to re-set custom-cflags"
+ fi
+
+ # not strictly necessary to fix this
+ sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+ [[ ${XSA_PATCHES[@]} ]] && epatch "${XSA_PATCHES[@]}"
+
+ epatch_user
+}
+
+src_configure() {
+ use debug && myopt="${myopt} debug=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+}
+
+src_compile() {
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+
+ # The 'make install' doesn't 'mkdir -p' the subdirs
+ if use efi; then
+ mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+ fi
+
+ emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ use efi && einfo "The efi executable is installed in boot/efi/gentoo"
+} |
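Review bot: In xen-4.3.1-r3.ebuild the XSA_PATCHES array appends the three new entries (XSA-74, XSA-76, XSA-80) after XSA-82 instead of keeping the list in advisory order, and the list in xen-4.3.0-r6.ebuild does the same. Sorting by XSA number is a small style point, but it is what lets a reviewer of the next security bump see at a glance which advisories a revision carries and where the gaps are. The `# Security patches` comment would also benefit from stating the contract that src_prepare establishes a few lines below, e.g. `# Security patches (XSA order); applied in src_prepare before epatch_user`.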