diff options
| author |   Ian Delaney <idella4@gentoo.org> | 2013-05-20 14:16:15 +0000 |
|---|---|---|
| committer | Ian Delaney <idella4@gentoo.org> | 2013-05-20 14:16:15 +0000 |
| commit | e7075b7f64ce264d4d1fe3f53c08dccc230ccdf1 (patch) | |
| tree | d4fe8ffb87832885c8eb44fd222730874011f1dc /app-emulation/xen-pvgrub | |
| parent | version bump (diff) | |
| download | historical-e7075b7f64ce264d4d1fe3f53c08dccc230ccdf1.tar.gz historical-e7075b7f64ce264d4d1fe3f53c08dccc230ccdf1.tar.bz2 historical-e7075b7f64ce264d4d1fe3f53c08dccc230ccdf1.zip | |
rebump with sec. pathces, ditto bump
Package-Manager: portage-2.1.11.62/cvs/Linux x86_64
Manifest-Sign-Key: 0xB8072B0D
Diffstat (limited to 'app-emulation/xen-pvgrub')
9 files changed, 867 insertions, 5 deletions
diff --git a/app-emulation/xen-pvgrub/ChangeLog b/app-emulation/xen-pvgrub/ChangeLog index 05e07b16d8bd..7200c8d25dcc 100644 --- a/app-emulation/xen-pvgrub/ChangeLog +++ b/app-emulation/xen-pvgrub/ChangeLog @@ -1,6 +1,19 @@ # ChangeLog for app-emulation/xen-pvgrub # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-pvgrub/ChangeLog,v 1.23 2013/02/19 20:20:56 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-pvgrub/ChangeLog,v 1.24 2013/05/20 14:15:45 idella4 Exp $ + +*xen-pvgrub-4.2.1-r2 (20 May 2013) +*xen-pvgrub-4.2.2 (20 May 2013) + + 20 May 2013; Ian Delaney <idella4@gentoo.org> + +files/xen-4-CVE-2013-0215-XSA-38.patch, + +files/xen-4-CVE-2013-1919-XSA-46.patch, + +files/xen-4-CVE-2013-1922-XSA-48.patch, + +files/xen-4-CVE-2013-1952-XSA-49.patch, + +files/xen-4-CVE-2013-1952-XSA_49.patch, +xen-pvgrub-4.2.1-r2.ebuild, + +xen-pvgrub-4.2.2.ebuild, xen-pvgrub-4.2.0-r1.ebuild, + xen-pvgrub-4.2.1-r1.ebuild: + rebump with sec. pathces, ditto bump 19 Feb 2013; Ian Delaney <idella4@gentoo.org> -files/xen-4.2.1-CC.patch, files/xen-4.2.1-externals.patch, xen-pvgrub-4.2.1-r1.ebuild: diff --git a/app-emulation/xen-pvgrub/Manifest b/app-emulation/xen-pvgrub/Manifest index f9bdc86a0426..2e27e971668c 100644 --- a/app-emulation/xen-pvgrub/Manifest +++ b/app-emulation/xen-pvgrub/Manifest @@ -4,6 +4,11 @@ Hash: SHA256 AUX newlib-implicits.patch 5307 SHA256 34e85aa0380d10271748cdc6cb0ff3f502fe5c3113724ba8a2c2f69668970c46 SHA512 582cfa36dbb44e8abc83120d44af78a7a7cd3f7a009c65858f3d68276bf5f772b18c4692b7e68202f9ec246e29c785fa111b19bcaefc2f04f429f1b69e77d48f WHIRLPOOL 0d36e2f4ac6476522a05842ab1194e6c58d4fa6a03ae53b14b839aa4057ce55fdd6ec5fa47d28ddcaea22fed153ca60f50413cc77f9a4ded2397168395bf336b AUX xen-4-CVE-2012-4544-XSA-25.patch 12691 SHA256 2bbac6a09946722fc082124870d750a6b9ab93ea3166bf50faee717acf03d70b SHA512 e911636808ecb08510821bf18ba7807485f2b4b7288966349d40cb4091eeafbc5d9abbee5bc26f04dfe5f3157e9173d1820d1e3b2b25d1e678358ad8d5b2f901 WHIRLPOOL 48e08d9900536a65193290dd4e802a64c33033414ef55823ef21806905ba448bd4c57af4102752172035c0572c431f280f84cf362007911cb1ba2573d4379749 AUX xen-4-CVE-2012-6075-XSA-41.patch 1393 SHA256 6aa21c02e94cb9b4f612c7a9d1a8f980967692b1f20346da9670abb1d7ec688c SHA512 547f63e7eaf0a6db1a9de267cc6f9aa0f28e2221f2c69ca463ada85edbc07ac84c276dcd3ee017ab8846d4e4129e182fb76be35b91ae9a0e0afecdc091e0c305 WHIRLPOOL 848359780edc15895a09bf76afeaa503f907ac98a856b52d64ef4dcb137e2319222a47cd7a2866e6f25731498f487cfca2a462fb6dfcda8404026d8acfff5bcc +AUX xen-4-CVE-2013-0215-XSA-38.patch 2515 SHA256 7d7a5746bc76da747bf61eb87b3303a8f3abb0d96561f35a706c671317ebe4eb SHA512 2abe25c83a3ede047db380b0477ba1aaaf9d955e87244f8d2404699e011cac46ad5501a0f75b76b90b5dc276d19ae08600a2fe57a69681f97088b5d17d977066 WHIRLPOOL 5176ba1c9f3019c50c087c56185c393ae99c0504f10abf08d896998f80d9f0a05c8c103b4276c3370c72171fab2fdc07ba9c68261ac02c6a859ed7a74b6bd056 +AUX xen-4-CVE-2013-1919-XSA-46.patch 9844 SHA256 822da2303f1fc69648d7a29eb72fdda8e64baab3edc0e1548456d31e66ed1d7c SHA512 35ed4d580d219e977ee1085c223563f51ccd9ce3675df2660d10d99c366a2fe2446269c98ac9dbf57c37de83340f4b0868d0eb3c5d898be4c0fc80357f6ed780 WHIRLPOOL 36015584e3f72c3eea62cd0658230805645983be571768f068baa605b274d16cca9fc4dcb27152016dde81f6a1dbcd91430654af5c2c1b5211ed5c2441b65c1c +AUX xen-4-CVE-2013-1922-XSA-48.patch 3846 SHA256 dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b SHA512 31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 WHIRLPOOL 6913705b070daeac8925a44585f94f78ec43cf1d7a8feeba6839499b0340a727f3c39848627bcd58217b589a932fbfce13628bdca2b815e2ddf58b9c69c11721 +AUX xen-4-CVE-2013-1952-XSA-49.patch 1877 SHA256 37055cbc74111cbc507af3f09d6ac2e472f24efd54cd3e08583dc635e66a539f SHA512 1e3ef057744076b9fca22c1982f33d38be06ab8e5d57e40e3160fc2850b69711a1765e4a2b037f7bc1fdb8a9f93f1649d86ea3da972ec4af147b7b80191069f8 WHIRLPOOL 43e78ad3ba597e7084b6194507839b8cc4c21f45c8fd70f00cb061a4ad22ec9ec690bf35ffffc7e02c616de5f35b329c6c4e3a9cf5ddaf23cdf0525681f70639 +AUX xen-4-CVE-2013-1952-XSA_49.patch 1597 SHA256 f7daee05c81bfa4effa821e22c8b0861c254b3a1d4e14b7da5709a6102997b87 SHA512 f4d49b90b08b5ac52a5e41f0b555db20e846016f0020e67ea243eed24f621b4b356c3c9e7c181e97fa2d428024a941b7b52eb5bfd933a850aafc4a7b51bb3295 WHIRLPOOL e0fb3d0d9463276dc6331547ef13d4117d7c3bb1503f9e60885553056a3452cba4937500834dedc79fde29198420bf0c7e5c7e9e596c8d27202559dd00c94bb7 AUX xen-4-fix_dotconfig-gcc.patch 9551 SHA256 93c8726fc3e0bd3f54d4162a3fdace45e3c3ea24fecf5f54270c6dc55c3924ab SHA512 64bfc2dd60bf5a7db593250f9da62cdea4daa458aa8c474ec47b065f6e19509555f48d49ec8624c484d873fe947b6f9cab98cdcd2c24ca8795eb1b64b378a004 WHIRLPOOL 341506ced55ae2ad30af1696434df25ba77c665042aa82dda35d0722f0cccbe567c8cebf51c2e20e0df3084f74f7eb7a69808dea2801f911b2d3c46a293b6ba2 AUX xen-4.2.0-externals.patch 4283 SHA256 6666c647d55a9d020be5ecad5ffc17bd3e739ef0d6a570457e6960fa0b0a0b4d SHA512 906ca695204a6c89d700c4a1cbc63faf614b8c2afd6e2a98f7b4f49a5ed2b1ccdeb64a9613f3e80e10ea3ddd8b7233c5a4e58e25edc2b5918bb230dac4f741d9 WHIRLPOOL 0c5ff52dd7c69d7f9f841b15b543374a22486f7369ed41b43bd0b86003d6a90c9434ff9e7af95923a68b17142036a1fe5d9dc0b5e2057aeb62f7fd8b89dfea8f AUX xen-4.2.0-jserver.patch 1487 SHA256 3bbf6d06ad1960e30dc84a3e3b179d5d23331ecf60d347871b7008c58456a6ed SHA512 f92bced9f3e7fec84b1bfce6ce3366f134cec2b892ffc3afcdd3fd3f73daf158c17c312260fae39bc9e04c1dab1045d17f0da706dd0dba0279e66dea454aed8d WHIRLPOOL 10828eb65effad714a61a18bcd6c33c2b7fb7fd0007b1a68aed7a653cd7e67acc04cc5eb9574d7d50c92fc7ca8223dff0c73f1cfde994e4ee1d787f536588b99 @@ -14,16 +19,19 @@ DIST newlib-1.16.0.tar.gz 12024353 SHA256 db426394965c48c1d29023e1cc6d965ea6b9a9 DIST pciutils-2.2.9.tar.bz2 212265 SHA256 f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 SHA512 2b3d98d027e46d8c08037366dde6f0781ca03c610ef2b380984639e4ef39899ed8d8b8e4cd9c9dc54df101279b95879bd66bfd4d04ad07fef41e847ea7ae32b5 WHIRLPOOL ce801947fcf7ba0b56710029f25e746d3e03a80699af9d3570efcd417b12b546264f286b2e78b1402cca766c08e35bdd0ff0a692ab4ad419295f00bcfe91130e DIST xen-4.2.0.tar.gz 15587687 SHA256 43f4a086e4e0330145a27b7ace8365c42b5afbc95cefadafe067be91bd3e5cfb SHA512 4fb56c79d722fb307bc657f16d02079c6636427e7650c4354193632d38d2d1db8e588f844ff0ca6e757c108ed639a528565ec9fc7c00bb4d5b6fbc9d122d8a70 WHIRLPOOL 369a109375864cb61920b56cf501522051d28513e738f0fd0e7b76244c3e08a8a0a6ff6cf245872d9bbd9c0f22c7da76c9cbc0f852bad6108ca25fd42dc677c0 DIST xen-4.2.1.tar.gz 15593695 SHA256 fb8df5827ce3e2d2d3b078d9e5afde502beb5e7ab9442e51a94087061bd450c6 SHA512 fe27a965e2b34035bd025482eda9fc4d4e82523c929323fd30813367d5ffbe2fa1ed3d7d4479f2632e8b5625972448b7bd6a7768e8dc1dcd1b6747d281cc1a9e WHIRLPOOL 226bbed059541e804f1a44e721023ffbc04bae43000653b1d7d6a9bfec0d9efbf7a48b1b0a7ad3fcb8e34f8b91e1c620c2a8eddf97baad487e9db37d49a58f37 +DIST xen-4.2.2.tar.gz 15602746 SHA256 c9bfe91a5e72f8545acebad9889d64368020359bfe18044c0e683133e55ae005 SHA512 4943b18016ed8c2b194a3b55e6655b3b734b39ffb8cb7ee0a0580f2f4460a1d0e92e1de8ac23f5186272914fad1650586af51fd7c3644d0310eb16f2e11c5e80 WHIRLPOOL 519eb87cb2da694696cbc3e72070a0a3bdb07c46fa266d855d8379eec3a92adfa4d434af3ac01c37834ce4a9174081a6c40030b185a70902329b185cb8d0bbea DIST zlib-1.2.3.tar.gz 496597 SHA256 1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e SHA512 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e WHIRLPOOL 8fd7010faf6a48a9c7ff4bcfe3ce4fe9061eb541259e0a2d0def214e8c4becf2b22e8d6f96f65ca827abffeaa9d96e95ed2402844f99835f7b079fc9f3e84276 EBUILD xen-pvgrub-4.2.0-r1.ebuild 4475 SHA256 fceb4fa420c5ec25efb54c986c89c183b663f633a1ac3d1ed697503947524cb0 SHA512 953e3d435f03b4bc84a65c5a5abced627786d879b04e4dd70bfbe55d2e85d52d56f1ed24ede8b6e4fb9700b337e691d63a93fd0a70df6866888a8259dcfe9903 WHIRLPOOL 473239d1e09c24a6cc33a64c55917cbbe4c25e57dbe30e97bb2c9ccefaf8ff77dc7af61097527f7c8b608ddf33e13c26e990d3f2b0e40882dde3964342f7431a EBUILD xen-pvgrub-4.2.1-r1.ebuild 4284 SHA256 828aa5f490ff327d4ec7f980fb332718896ec3a29fe8b404a76a47f2f3a74c59 SHA512 85928afef0dc195519794363a1cba95c813372cc87901cbf37dfd08a92d1e3b370c6a224975a4b2ac6a7afbd8a7888400fbbca84b6aa171256a1d28fa597a0b0 WHIRLPOOL 4d9bc9d2879bc5a06df65f143753a520084307fc943e3d3a647b4d0c64fc92d141ab17131c21a571f4fa32e11ebe35e44cff436f012b2fd7d85dcd9ac22142c6 +EBUILD xen-pvgrub-4.2.1-r2.ebuild 4544 SHA256 b01606d665086adb4c9f692dbb5fbbaf4949d758241098cbfe4ce415254a34ba SHA512 b0c860ce244ee72d38437a43c46e7cd66422437d146121a09aa8a7a1aad0e4c331a2c459cfbf253a1b5343179d2353fd1763eb91b81e3aecd63a735ad00a16e4 WHIRLPOOL a01d4f16b6ade5a5c6fa3d23ef3b5048d494b167d48e654cbb61a5d3d966d718d60170488fb8ef4c4b87d807cfbb4608e5791ab58855f08b6b556adb9188a3ed EBUILD xen-pvgrub-4.2.1.ebuild 3676 SHA256 acd0892c712e9d0029d9ed6084fdfe872e44bc55b45a9de731cc88e56c7d5d05 SHA512 fa91836feb63768e8d1870874a3fb0445e5483ef708582003f7b13ac8315a1134425ddfb8be10565a779f0360cc95b670a86a6043fee4144846ab9548cc9a4dd WHIRLPOOL 349dbc28d6739e9820e3c42d6013acf1498a17c80e47477851ab5eca8320dae7fb78e4939c7ccc5e89a410c3fbe98684163b04c0ea144f7d796c46adcb67e6ac -MISC ChangeLog 5616 SHA256 d1a002e6385015f32f5716e61a81d72272c60b8c7b3236a8fca1c79072a4e2b8 SHA512 697899b54924e4bdb38ebe958d47dcc819f2d385a31c46548f89497cb75a03a10bb9e12650bc78996d64b9e21368f0b1e3fbcf6c4fe8a6ec5eb5e66e75406338 WHIRLPOOL 8ad498d5b4d6405d1636491cf2f298623dd2b9508dc1a181670a003a3e2165f964d73d7e9bc4217b3a91899f2f38e3d5f302dabe5f90304d72428f1c905b375b +EBUILD xen-pvgrub-4.2.2.ebuild 4390 SHA256 a8d90e9d7fe36308a76cb0e08d1da40b809b74572343c5150a79e1b8a70751dd SHA512 8fedd4dc35053018d6aad91f4042299cfd9f0bd0cdd1f0c6c85e76114878e9134cc00fabc58c5807c911b85dc69374dd47896d97a1e9d1bd91b434bfbca64b6d WHIRLPOOL d1e3f4227aebdf47f399a9d130c663c962dc8bcde151394803a767508aed77bb25939592fbae57ecaae435b8811cb2f9f6be0c7e7a40d2f6e3c4de1a8f741032 +MISC ChangeLog 6102 SHA256 18cc24c3d7ef58ce041b2c03b0b71165278f5b8e0193cc501556256073edf814 SHA512 10bfb0ddf40dd211ea1e5d5d6da89fed0404fca85682b4b39d78e2017d83052696ce7e8f78624e2bf66efc235dcfc58dc9e5c2861b1e45d036ede7e6ad7fad7b WHIRLPOOL 15efd7bb02642083db189b9b44343800bd762e3157560d9750c4159b53ed6c1d2c55fd22cf7dd3c4c47e029b37277ce3bdd29d555cc724c1dd5b17f0c0eadb9e MISC metadata.xml 156 SHA256 4a030777459245372bda9f7925f3a5ed3ef2b29b77e1a2971f3400ac2059b1e2 SHA512 66b610ce3a3c525f52ad132e0c6cab329866069d8f40cbfc7302b12f8fc1217705ce9d5aab9c08ee3f7eb86bd880b5c3595b10c3eb67932148a109ec11b88c22 WHIRLPOOL e7f151fa553d737c02f8791448170ddd88b9330b1b01a868cd5c32a875b58b36dd1e2b041308f657d35550f22e5798cd96037c3c890c0646119046f984505c23 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iEYEAREIAAYFAlEj3roACgkQso7CE7gHKw1BOgCgq3wyemdAMMZp/Mo+p4NZXRit -+gIAoJDOZUi1YaWOwzR7n8Nrscz/9MN/ -=aEBg +iEYEAREIAAYFAlGaMCMACgkQso7CE7gHKw3b/ACcC8I3ljJ3bcZAnqgQBkmeFKgK +rbUAoNgiqbWI3R5IiVgTn8NvcX8GBfy3 +=tU14 -----END PGP SIGNATURE----- diff --git a/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-0215-XSA-38.patch b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-0215-XSA-38.patch new file mode 100644 index 000000000000..f4a5dc0881e8 --- /dev/null +++ b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-0215-XSA-38.patch @@ -0,0 +1,73 @@ +diff --git a/tools/ocaml/libs/xb/partial.ml b/tools/ocaml/libs/xb/partial.ml +index 3558889..d4d1c7b 100644 +--- a/tools/ocaml/libs/xb/partial.ml ++++ b/tools/ocaml/libs/xb/partial.ml +@@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size" + external header_of_string_internal: string -> int * int * int * int + = "stub_header_of_string" + ++let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *) ++ + let of_string s = + let tid, rid, opint, dlen = header_of_string_internal s in ++ (* A packet which is bigger than xenstore_payload_max is illegal. ++ This will leave the guest connection is a bad state and will ++ be hard to recover from without restarting the connection ++ (ie rebooting the guest) *) ++ let dlen = min xenstore_payload_max dlen in + { + tid = tid; + rid = rid; +@@ -38,6 +45,7 @@ let of_string s = + } + + let append pkt s sz = ++ if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer"; + Buffer.add_string pkt.buf (String.sub s 0 sz) + + let to_complete pkt = +diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c +index 00414c5..4888ac5 100644 +--- a/tools/ocaml/libs/xb/xs_ring_stubs.c ++++ b/tools/ocaml/libs/xb/xs_ring_stubs.c +@@ -39,21 +39,23 @@ static int xs_ring_read(struct mmap_interface *interface, + char *buffer, int len) + { + struct xenstore_domain_interface *intf = interface->addr; +- XENSTORE_RING_IDX cons, prod; ++ XENSTORE_RING_IDX cons, prod; /* offsets only */ + int to_read; + +- cons = intf->req_cons; +- prod = intf->req_prod; ++ cons = *(volatile uint32*)&intf->req_cons; ++ prod = *(volatile uint32*)&intf->req_prod; + xen_mb(); ++ cons = MASK_XENSTORE_IDX(cons); ++ prod = MASK_XENSTORE_IDX(prod); + if (prod == cons) + return 0; +- if (MASK_XENSTORE_IDX(prod) > MASK_XENSTORE_IDX(cons)) ++ if (prod > cons) + to_read = prod - cons; + else +- to_read = XENSTORE_RING_SIZE - MASK_XENSTORE_IDX(cons); ++ to_read = XENSTORE_RING_SIZE - cons; + if (to_read < len) + len = to_read; +- memcpy(buffer, intf->req + MASK_XENSTORE_IDX(cons), len); ++ memcpy(buffer, intf->req + cons, len); + xen_mb(); + intf->req_cons += len; + return len; +@@ -66,8 +68,8 @@ static int xs_ring_write(struct mmap_interface *interface, + XENSTORE_RING_IDX cons, prod; + int can_write; + +- cons = intf->rsp_cons; +- prod = intf->rsp_prod; ++ cons = *(volatile uint32*)&intf->rsp_cons; ++ prod = *(volatile uint32*)&intf->rsp_prod; + xen_mb(); + if ( (prod - cons) >= XENSTORE_RING_SIZE ) + return 0; diff --git a/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1919-XSA-46.patch b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1919-XSA-46.patch new file mode 100644 index 000000000000..9448ea9c6748 --- /dev/null +++ b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1919-XSA-46.patch @@ -0,0 +1,293 @@ +x86: fix various issues with handling guest IRQs + +- properly revoke IRQ access in map_domain_pirq() error path +- don't permit replacing an in use IRQ +- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI +- track IRQ access permission in host IRQ terms, not guest IRQ ones + (and with that, also disallow Dom0 access to IRQ0) + +This is CVE-2013-1919 / XSA-46. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> + +--- a/tools/libxl/libxl_create.c ++++ b/tools/libxl/libxl_create.c +@@ -968,14 +968,16 @@ static void domcreate_launch_dm(libxl__e + } + + for (i = 0; i < d_config->b_info.num_irqs; i++) { +- uint32_t irq = d_config->b_info.irqs[i]; ++ int irq = d_config->b_info.irqs[i]; + +- LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq); ++ LOG(DEBUG, "dom%d irq %d", domid, irq); + +- ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1); ++ ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq) ++ : -EOVERFLOW; ++ if (!ret) ++ ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1); + if ( ret<0 ){ +- LOGE(ERROR, +- "failed give dom%d access to irq %"PRId32, domid, irq); ++ LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq); + ret = ERROR_FAIL; + } + } +--- a/tools/python/xen/xend/server/irqif.py ++++ b/tools/python/xen/xend/server/irqif.py +@@ -73,6 +73,12 @@ class IRQController(DevController): + + pirq = get_param('irq') + ++ rc = xc.physdev_map_pirq(domid = self.getDomid(), ++ index = pirq, ++ pirq = pirq) ++ if rc < 0: ++ raise VmError('irq: Failed to map irq %x' % (pirq)) ++ + rc = xc.domain_irq_permission(domid = self.getDomid(), + pirq = pirq, + allow_access = True) +@@ -81,12 +87,6 @@ class IRQController(DevController): + #todo non-fatal + raise VmError( + 'irq: Failed to configure irq: %d' % (pirq)) +- rc = xc.physdev_map_pirq(domid = self.getDomid(), +- index = pirq, +- pirq = pirq) +- if rc < 0: +- raise VmError( +- 'irq: Failed to map irq %x' % (pirq)) + back = dict([(k, config[k]) for k in self.valid_cfg if k in config]) + return (self.allocateDeviceID(), back, {}) + +--- a/xen/arch/x86/domain_build.c ++++ b/xen/arch/x86/domain_build.c +@@ -1219,7 +1219,7 @@ int __init construct_dom0( + /* DOM0 is permitted full I/O capabilities. */ + rc |= ioports_permit_access(dom0, 0, 0xFFFF); + rc |= iomem_permit_access(dom0, 0UL, ~0UL); +- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1); ++ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1); + + /* + * Modify I/O port access permissions. +--- a/xen/arch/x86/domctl.c ++++ b/xen/arch/x86/domctl.c +@@ -772,9 +772,13 @@ long arch_do_domctl( + goto bind_out; + + ret = -EPERM; +- if ( !IS_PRIV(current->domain) && +- !irq_access_permitted(current->domain, bind->machine_irq) ) +- goto bind_out; ++ if ( !IS_PRIV(current->domain) ) ++ { ++ int irq = domain_pirq_to_irq(d, bind->machine_irq); ++ ++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) ) ++ goto bind_out; ++ } + + ret = -ESRCH; + if ( iommu_enabled ) +@@ -803,9 +807,13 @@ long arch_do_domctl( + bind = &(domctl->u.bind_pt_irq); + + ret = -EPERM; +- if ( !IS_PRIV(current->domain) && +- !irq_access_permitted(current->domain, bind->machine_irq) ) +- goto unbind_out; ++ if ( !IS_PRIV(current->domain) ) ++ { ++ int irq = domain_pirq_to_irq(d, bind->machine_irq); ++ ++ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) ) ++ goto unbind_out; ++ } + + if ( iommu_enabled ) + { +--- a/xen/arch/x86/irq.c ++++ b/xen/arch/x86/irq.c +@@ -184,6 +184,14 @@ int create_irq(int node) + desc->arch.used = IRQ_UNUSED; + irq = ret; + } ++ else if ( dom0 ) ++ { ++ ret = irq_permit_access(dom0, irq); ++ if ( ret ) ++ printk(XENLOG_G_ERR ++ "Could not grant Dom0 access to IRQ%d (error %d)\n", ++ irq, ret); ++ } + + return irq; + } +@@ -280,6 +288,17 @@ void clear_irq_vector(int irq) + void destroy_irq(unsigned int irq) + { + BUG_ON(!MSI_IRQ(irq)); ++ ++ if ( dom0 ) ++ { ++ int err = irq_deny_access(dom0, irq); ++ ++ if ( err ) ++ printk(XENLOG_G_ERR ++ "Could not revoke Dom0 access to IRQ%u (error %d)\n", ++ irq, err); ++ } ++ + dynamic_irq_cleanup(irq); + clear_irq_vector(irq); + } +@@ -1858,7 +1877,7 @@ int map_domain_pirq( + + if ( !IS_PRIV(current->domain) && + !(IS_PRIV_FOR(current->domain, d) && +- irq_access_permitted(current->domain, pirq))) ++ irq_access_permitted(current->domain, irq))) + return -EPERM; + + if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs ) +@@ -1887,17 +1906,18 @@ int map_domain_pirq( + return ret; + } + +- ret = irq_permit_access(d, pirq); ++ ret = irq_permit_access(d, irq); + if ( ret ) + { +- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n", +- d->domain_id, pirq); ++ printk(XENLOG_G_ERR ++ "dom%d: could not permit access to IRQ%d (pirq %d)\n", ++ d->domain_id, irq, pirq); + return ret; + } + + ret = prepare_domain_irq_pirq(d, irq, pirq, &info); + if ( ret ) +- return ret; ++ goto revoke; + + desc = irq_to_desc(irq); + +@@ -1921,8 +1941,14 @@ int map_domain_pirq( + spin_lock_irqsave(&desc->lock, flags); + + if ( desc->handler != &no_irq_type ) ++ { ++ spin_unlock_irqrestore(&desc->lock, flags); + dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n", + d->domain_id, irq); ++ pci_disable_msi(msi_desc); ++ ret = -EBUSY; ++ goto done; ++ } + setup_msi_handler(desc, msi_desc); + + if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV +@@ -1951,7 +1977,14 @@ int map_domain_pirq( + + done: + if ( ret ) ++ { + cleanup_domain_irq_pirq(d, irq, info); ++ revoke: ++ if ( irq_deny_access(d, irq) ) ++ printk(XENLOG_G_ERR ++ "dom%d: could not revoke access to IRQ%d (pirq %d)\n", ++ d->domain_id, irq, pirq); ++ } + return ret; + } + +@@ -2017,10 +2050,11 @@ int unmap_domain_pirq(struct domain *d, + if ( !forced_unbind ) + cleanup_domain_irq_pirq(d, irq, info); + +- ret = irq_deny_access(d, pirq); ++ ret = irq_deny_access(d, irq); + if ( ret ) +- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n", +- d->domain_id, pirq); ++ printk(XENLOG_G_ERR ++ "dom%d: could not deny access to IRQ%d (pirq %d)\n", ++ d->domain_id, irq, pirq); + + done: + return ret; +--- a/xen/arch/x86/physdev.c ++++ b/xen/arch/x86/physdev.c +@@ -147,7 +147,7 @@ int physdev_map_pirq(domid_t domid, int + if ( irq == -1 ) + irq = create_irq(NUMA_NO_NODE); + +- if ( irq < 0 || irq >= nr_irqs ) ++ if ( irq < nr_irqs_gsi || irq >= nr_irqs ) + { + dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n", + d->domain_id); +--- a/xen/common/domctl.c ++++ b/xen/common/domctl.c +@@ -25,6 +25,7 @@ + #include <xen/paging.h> + #include <xen/hypercall.h> + #include <asm/current.h> ++#include <asm/irq.h> + #include <asm/page.h> + #include <public/domctl.h> + #include <xsm/xsm.h> +@@ -897,9 +898,9 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc + else if ( xsm_irq_permission(d, pirq, allow) ) + ret = -EPERM; + else if ( allow ) +- ret = irq_permit_access(d, pirq); ++ ret = pirq_permit_access(d, pirq); + else +- ret = irq_deny_access(d, pirq); ++ ret = pirq_deny_access(d, pirq); + + rcu_unlock_domain(d); + } +--- a/xen/common/event_channel.c ++++ b/xen/common/event_channel.c +@@ -369,7 +369,7 @@ static long evtchn_bind_pirq(evtchn_bind + if ( (pirq < 0) || (pirq >= d->nr_pirqs) ) + return -EINVAL; + +- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) ) ++ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) ) + return -EPERM; + + spin_lock(&d->event_lock); +--- a/xen/include/xen/iocap.h ++++ b/xen/include/xen/iocap.h +@@ -28,4 +28,22 @@ + #define irq_access_permitted(d, i) \ + rangeset_contains_singleton((d)->irq_caps, i) + ++#define pirq_permit_access(d, i) ({ \ ++ struct domain *d__ = (d); \ ++ int i__ = domain_pirq_to_irq(d__, i); \ ++ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\ ++ : -EINVAL; \ ++}) ++#define pirq_deny_access(d, i) ({ \ ++ struct domain *d__ = (d); \ ++ int i__ = domain_pirq_to_irq(d__, i); \ ++ i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\ ++ : -EINVAL; \ ++}) ++#define pirq_access_permitted(d, i) ({ \ ++ struct domain *d__ = (d); \ ++ rangeset_contains_singleton(d__->irq_caps, \ ++ domain_pirq_to_irq(d__, i));\ ++}) ++ + #endif /* __XEN_IOCAP_H__ */ diff --git a/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1922-XSA-48.patch b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1922-XSA-48.patch new file mode 100644 index 000000000000..998dbcb1d516 --- /dev/null +++ b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1922-XSA-48.patch @@ -0,0 +1,114 @@ +Add -f FMT / --format FMT arg to qemu-nbd + +From: "Daniel P. Berrange" <berrange@redhat.com> + +Currently the qemu-nbd program will auto-detect the format of +any disk it is given. This behaviour is known to be insecure. +For example, if qemu-nbd initially exposes a 'raw' file to an +unprivileged app, and that app runs + + 'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0' + +then the next time the app is started, the qemu-nbd will now +detect it as a 'qcow2' file and expose /etc/shadow to the +unprivileged app. + +The only way to avoid this is to explicitly tell qemu-nbd what +disk format to use on the command line, completely disabling +auto-detection. This patch adds a '-f' / '--format' arg for +this purpose, mirroring what is already available via qemu-img +and qemu commands. + + qemu-nbd --format raw -p 9000 evil.img + +will now always use raw, regardless of what format 'evil.img' +looks like it contains + +Signed-off-by: Daniel P. Berrange <berrange@redhat.com> +[Use errx, not err. - Paolo] +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> + +[ This is a security issue, CVE-2013-1922 / XSA-48. ] + +diff --git a/qemu-nbd.c b/qemu-nbd.c +index 291cba2..8fbe2cf 100644 +--- a/tools/qemu-xen/qemu-nbd.c ++++ b/tools/qemu-xen/qemu-nbd.c +@@ -247,6 +247,7 @@ out: + int main(int argc, char **argv) + { + BlockDriverState *bs; ++ BlockDriver *drv; + off_t dev_offset = 0; + off_t offset = 0; + uint32_t nbdflags = 0; +@@ -256,7 +257,7 @@ int main(int argc, char **argv) + struct sockaddr_in addr; + socklen_t addr_len = sizeof(addr); + off_t fd_size; +- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t"; ++ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t"; + struct option lopt[] = { + { "help", 0, NULL, 'h' }, + { "version", 0, NULL, 'V' }, +@@ -271,6 +272,7 @@ int main(int argc, char **argv) + { "snapshot", 0, NULL, 's' }, + { "nocache", 0, NULL, 'n' }, + { "shared", 1, NULL, 'e' }, ++ { "format", 1, NULL, 'f' }, + { "persistent", 0, NULL, 't' }, + { "verbose", 0, NULL, 'v' }, + { NULL, 0, NULL, 0 } +@@ -292,6 +294,7 @@ int main(int argc, char **argv) + int max_fd; + int persistent = 0; + pthread_t client_thread; ++ const char *fmt = NULL; + + /* The client thread uses SIGTERM to interrupt the server. A signal + * handler ensures that "qemu-nbd -v -c" exits with a nice status code. +@@ -368,6 +371,9 @@ int main(int argc, char **argv) + errx(EXIT_FAILURE, "Shared device number must be greater than 0\n"); + } + break; ++ case 'f': ++ fmt = optarg; ++ break; + case 't': + persistent = 1; + break; +@@ -478,9 +484,19 @@ int main(int argc, char **argv) + bdrv_init(); + atexit(bdrv_close_all); + ++ if (fmt) { ++ drv = bdrv_find_format(fmt); ++ if (!drv) { ++ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt); ++ } ++ } else { ++ drv = NULL; ++ } ++ + bs = bdrv_new("hda"); + srcpath = argv[optind]; +- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) { ++ ret = bdrv_open(bs, srcpath, flags, drv); ++ if (ret < 0) { + errno = -ret; + err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]); + } +diff --git a/qemu-nbd.texi b/qemu-nbd.texi +index 44996cc..f56c68e 100644 +--- a/tools/qemu-xen/qemu-nbd.texi ++++ b/tools/qemu-xen/qemu-nbd.texi +@@ -36,6 +36,8 @@ Export Qemu disk image using NBD protocol. + disconnect the specified device + @item -e, --shared=@var{num} + device can be shared by @var{num} clients (default @samp{1}) ++@item -f, --format=@var{fmt} ++ force block driver for format @var{fmt} instead of auto-detecting + @item -t, --persistent + don't exit on the last connection + @item -v, --verbose diff --git a/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1952-XSA-49.patch b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1952-XSA-49.patch new file mode 100644 index 000000000000..4b92c7f98d35 --- /dev/null +++ b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1952-XSA-49.patch @@ -0,0 +1,50 @@ +VT-d: don't permit SVT_NO_VERIFY entries for known device types + +Only in cases where we don't know what to do we should leave the IRTE +blank (suppressing all validation), but we should always log a warning +in those cases (as being insecure). + +This is CVE-2013-1952 / XSA-49. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Acked-by: "Zhang, Xiantao" <xiantao.zhang@intel.com> + +--- a/xen/drivers/passthrough/vtd/intremap.c ++++ b/xen/drivers/passthrough/vtd/intremap.c +@@ -440,16 +440,15 @@ static void set_msi_source_id(struct pci + type = pdev_type(seg, bus, devfn); + switch ( type ) + { ++ case DEV_TYPE_PCIe_ENDPOINT: + case DEV_TYPE_PCIe_BRIDGE: + case DEV_TYPE_PCIe2PCI_BRIDGE: +- case DEV_TYPE_LEGACY_PCI_BRIDGE: +- break; +- +- case DEV_TYPE_PCIe_ENDPOINT: + set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); + break; + + case DEV_TYPE_PCI: ++ case DEV_TYPE_LEGACY_PCI_BRIDGE: ++ /* case DEV_TYPE_PCI2PCIe_BRIDGE: */ + ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); + if ( ret == 0 ) /* integrated PCI device */ + { +@@ -461,10 +460,15 @@ static void set_msi_source_id(struct pci + if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE ) + set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, + (bus << 8) | pdev->bus); +- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) ++ else + set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, + PCI_BDF2(bus, devfn)); + } ++ else ++ dprintk(XENLOG_WARNING VTDPREFIX, ++ "d%d: no upstream bridge for %04x:%02x:%02x.%u\n", ++ pdev->domain->domain_id, ++ seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn)); + break; + + default: diff --git a/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1952-XSA_49.patch b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1952-XSA_49.patch new file mode 100644 index 000000000000..4543f21bc460 --- /dev/null +++ b/app-emulation/xen-pvgrub/files/xen-4-CVE-2013-1952-XSA_49.patch @@ -0,0 +1,41 @@ +diff -ur xen-4.2.1.orig/xen/drivers/passthrough/vtd/intremap.c xen-4.2.1/xen/drivers/passthrough/vtd/intremap.c +--- xen/drivers/passthrough/vtd/intremap.c 2012-12-17 23:01:55.000000000 +0800 ++++ xen/drivers/passthrough/vtd/intremap.c 2013-05-15 23:09:06.704546506 +0800 +@@ -440,16 +440,17 @@ + type = pdev_type(seg, bus, devfn); + switch ( type ) + { ++ case DEV_TYPE_PCIe_ENDPOINT: + case DEV_TYPE_PCIe_BRIDGE: + case DEV_TYPE_PCIe2PCI_BRIDGE: +- case DEV_TYPE_LEGACY_PCI_BRIDGE: +- break; + +- case DEV_TYPE_PCIe_ENDPOINT: + set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); + break; + + case DEV_TYPE_PCI: ++ case DEV_TYPE_LEGACY_PCI_BRIDGE: ++ /* case DEV_TYPE_PCI2PCIe_BRIDGE: */ ++ + ret = find_upstream_bridge(seg, &bus, &devfn, &secbus); + if ( ret == 0 ) /* integrated PCI device */ + { +@@ -461,10 +462,15 @@ + if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE ) + set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, + (bus << 8) | pdev->bus); +- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) ++ else + set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, + PCI_BDF2(bus, devfn)); + } ++ else ++ dprintk(XENLOG_WARNING VTDPREFIX, ++ "d%d: no upstream bridge for %04x:%02x:%02x.%u\n", ++ pdev->domain->domain_id, ++ seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn)); + break; + + default: diff --git a/app-emulation/xen-pvgrub/xen-pvgrub-4.2.1-r2.ebuild b/app-emulation/xen-pvgrub/xen-pvgrub-4.2.1-r2.ebuild new file mode 100644 index 000000000000..0447dd542a15 --- /dev/null +++ b/app-emulation/xen-pvgrub/xen-pvgrub-4.2.1-r2.ebuild @@ -0,0 +1,136 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-pvgrub/xen-pvgrub-4.2.1-r2.ebuild,v 1.1 2013/05/20 14:15:45 idella4 Exp $ + +EAPI=4 +PYTHON_DEPEND="2:2.6" + +inherit flag-o-matic eutils multilib python toolchain-funcs + +XEN_EXTFILES_URL="http://xenbits.xensource.com/xen-extfiles" +LIBPCI_URL=ftp://atrey.karlin.mff.cuni.cz/pub/linux/pci +GRUB_URL=mirror://gnu-alpha/grub +SRC_URI=" + http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz + $GRUB_URL/grub-0.97.tar.gz + $XEN_EXTFILES_URL/zlib-1.2.3.tar.gz + $LIBPCI_URL/pciutils-2.2.9.tar.bz2 + $XEN_EXTFILES_URL/lwip-1.3.0.tar.gz + $XEN_EXTFILES_URL/newlib/newlib-1.16.0.tar.gz" + +S="${WORKDIR}/xen-${PV}" + +DESCRIPTION="allows to boot Xen domU kernels from a menu.lst laying inside guest filesystem" +HOMEPAGE="http://xen.org/" +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="custom-cflags" + +DEPEND="sys-devel/gettext" + +RDEPEND=">=app-emulation/xen-4.2.1" + +pkg_setup() { + python_set_active_version 2 + python_pkg_setup +} + +retar-externals() { + # Purely to unclutter src_prepare + local set="grub-0.97.tar.gz lwip-1.3.0.tar.gz newlib-1.16.0.tar.gz zlib-1.2.3.tar.gz" + + # epatch can't patch in $WORKDIR, requires a sed; Bug #455194. Patchable, but sed informative + sed -e s':AR=${AR-"ar rc"}:AR=${AR-"ar"}:' \ + -i "${WORKDIR}"/zlib-1.2.3/configure + sed -e 's:^AR=ar rc:AR=ar:' \ + -e s':$(AR) $@:$(AR) rc $@:' \ + -i "${WORKDIR}"/zlib-1.2.3/{Makefile,Makefile.in} + einfo "zlib Makefile edited" + + cd "${WORKDIR}" + tar czp zlib-1.2.3 -f zlib-1.2.3.tar.gz + tar czp grub-0.97 -f grub-0.97.tar.gz + tar czp lwip -f lwip-1.3.0.tar.gz + tar czp newlib-1.16.0 -f newlib-1.16.0.tar.gz + mv $set "${S}"/stubdom/ + einfo "tarballs moved to source" +} + +src_prepare() { + # if the user *really* wants to use their own custom-cflags, let them + if use custom-cflags; then + einfo "User wants their own CFLAGS - removing defaults" + # try and remove all the default custom-cflags + find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \ + -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \ + -i {} \; + fi + + # Patch the unmergeable newlib, fix most of the leftover gcc QA issues + cp "${FILESDIR}"/newlib-implicits.patch stubdom || die + + # Patch stubdom/Makefile to patch insource newlib & prevent internal downloading + epatch "${FILESDIR}"/${P/-pvgrub/}-externals.patch + + # Drop .config and Fix gcc-4.6 + epatch "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch + + # fix jobserver in Makefile + epatch "${FILESDIR}"/${PN/-pvgrub/}-4.2.0-jserver.patch + + #Sec patch + epatch "${FILESDIR}"/${PN/-pvgrub/}-4-CVE-2012-6075-XSA-41.patch \ + "${FILESDIR}"/xen-4-CVE-2013-0215-XSA-38.patch \ + "${FILESDIR}"/xen-4-CVE-2013-1919-XSA-46.patch \ + "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch \ + "${FILESDIR}"/xen-4-CVE-2013-1952-XSA_49.patch + + #Substitute for internal downloading. pciutils copied only due to the only .bz2 + cp $DISTDIR/pciutils-2.2.9.tar.bz2 ./stubdom/ || die "pciutils not copied to stubdom" + retar-externals || die "re-tar procedure failed" +} + +src_compile() { + use custom-cflags || unset CFLAGS + if test-flag-CC -fno-strict-overflow; then + append-flags -fno-strict-overflow + fi + + emake CC="$(tc-getCC)" LD="$(tc-getLD)" AR="$(tc-getAR)" -C tools/include + + if use x86; then + emake CC="$(tc-getCC)" LD="$(tc-getLD)" AR="$(tc-getAR)" \ + XEN_TARGET_ARCH="x86_32" -C stubdom pv-grub + elif use amd64; then + emake CC="$(tc-getCC)" LD="$(tc-getLD)" AR="$(tc-getAR)" \ + XEN_TARGET_ARCH="x86_64" -C stubdom pv-grub + if use multilib; then + multilib_toolchain_setup x86 + emake CC="$(tc-getCC)" AR="$(tc-getAR)" \ + XEN_TARGET_ARCH="x86_32" -C stubdom pv-grub + fi + fi +} + +src_install() { + if use x86; then + emake XEN_TARGET_ARCH="x86_32" DESTDIR="${D}" -C stubdom install-grub + fi + if use amd64; then + emake XEN_TARGET_ARCH="x86_64" DESTDIR="${D}" -C stubdom install-grub + if use multilib; then + emake XEN_TARGET_ARCH="x86_32" DESTDIR="${D}" -C stubdom install-grub + fi + fi +} + +pkg_postinst() { + elog "Official Xen Guide and the unoffical wiki page:" + elog " http://www.gentoo.org/doc/en/xen-guide.xml" + elog " http://en.gentoo-wiki.com/wiki/Xen/" +} diff --git a/app-emulation/xen-pvgrub/xen-pvgrub-4.2.2.ebuild b/app-emulation/xen-pvgrub/xen-pvgrub-4.2.2.ebuild new file mode 100644 index 000000000000..3528a602e080 --- /dev/null +++ b/app-emulation/xen-pvgrub/xen-pvgrub-4.2.2.ebuild @@ -0,0 +1,134 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-pvgrub/xen-pvgrub-4.2.2.ebuild,v 1.1 2013/05/20 14:15:45 idella4 Exp $ + +EAPI=4 +PYTHON_DEPEND="2:2.6" + +inherit flag-o-matic eutils multilib python toolchain-funcs + +XEN_EXTFILES_URL="http://xenbits.xensource.com/xen-extfiles" +LIBPCI_URL=ftp://atrey.karlin.mff.cuni.cz/pub/linux/pci +GRUB_URL=mirror://gnu-alpha/grub +SRC_URI=" + http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz + $GRUB_URL/grub-0.97.tar.gz + $XEN_EXTFILES_URL/zlib-1.2.3.tar.gz + $LIBPCI_URL/pciutils-2.2.9.tar.bz2 + $XEN_EXTFILES_URL/lwip-1.3.0.tar.gz + $XEN_EXTFILES_URL/newlib/newlib-1.16.0.tar.gz" + +S="${WORKDIR}/xen-${PV}" + +DESCRIPTION="allows to boot Xen domU kernels from a menu.lst laying inside guest filesystem" +HOMEPAGE="http://xen.org/" +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="custom-cflags" + +DEPEND="sys-devel/gettext" + +RDEPEND=">=app-emulation/xen-4.2.1" + +pkg_setup() { + python_set_active_version 2 + python_pkg_setup +} + +retar-externals() { + # Purely to unclutter src_prepare + local set="grub-0.97.tar.gz lwip-1.3.0.tar.gz newlib-1.16.0.tar.gz zlib-1.2.3.tar.gz" + + # epatch can't patch in $WORKDIR, requires a sed; Bug #455194. Patchable, but sed informative + sed -e s':AR=${AR-"ar rc"}:AR=${AR-"ar"}:' \ + -i "${WORKDIR}"/zlib-1.2.3/configure + sed -e 's:^AR=ar rc:AR=ar:' \ + -e s':$(AR) $@:$(AR) rc $@:' \ + -i "${WORKDIR}"/zlib-1.2.3/{Makefile,Makefile.in} + einfo "zlib Makefile edited" + + cd "${WORKDIR}" + tar czp zlib-1.2.3 -f zlib-1.2.3.tar.gz + tar czp grub-0.97 -f grub-0.97.tar.gz + tar czp lwip -f lwip-1.3.0.tar.gz + tar czp newlib-1.16.0 -f newlib-1.16.0.tar.gz + mv $set "${S}"/stubdom/ + einfo "tarballs moved to source" +} + +src_prepare() { + # if the user *really* wants to use their own custom-cflags, let them + if use custom-cflags; then + einfo "User wants their own CFLAGS - removing defaults" + # try and remove all the default custom-cflags + find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \ + -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \ + -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \ + -i {} \; + fi + + # Patch the unmergeable newlib, fix most of the leftover gcc QA issues + cp "${FILESDIR}"/newlib-implicits.patch stubdom || die + + # Patch stubdom/Makefile to patch insource newlib & prevent internal downloading + epatch "${FILESDIR}"/${PN/-pvgrub/}-4.2.1-externals.patch + + # Drop .config and Fix gcc-4.6 + epatch "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch + + # fix jobserver in Makefile + epatch "${FILESDIR}"/${PN/-pvgrub/}-4.2.0-jserver.patch + + #Sec patch + epatch "${FILESDIR}"/${PN/-pvgrub/}-4-CVE-2012-6075-XSA-41.patch \ + "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch \ + "${FILESDIR}"/xen-4-CVE-2013-1952-XSA-49.patch + + #Substitute for internal downloading. pciutils copied only due to the only .bz2 + cp $DISTDIR/pciutils-2.2.9.tar.bz2 ./stubdom/ || die "pciutils not copied to stubdom" + retar-externals || die "re-tar procedure failed" +} + +src_compile() { + use custom-cflags || unset CFLAGS + if test-flag-CC -fno-strict-overflow; then + append-flags -fno-strict-overflow + fi + + emake CC="$(tc-getCC)" LD="$(tc-getLD)" AR="$(tc-getAR)" -C tools/include + + if use x86; then + emake CC="$(tc-getCC)" LD="$(tc-getLD)" AR="$(tc-getAR)" \ + XEN_TARGET_ARCH="x86_32" -C stubdom pv-grub + elif use amd64; then + emake CC="$(tc-getCC)" LD="$(tc-getLD)" AR="$(tc-getAR)" \ + XEN_TARGET_ARCH="x86_64" -C stubdom pv-grub + if use multilib; then + multilib_toolchain_setup x86 + emake CC="$(tc-getCC)" AR="$(tc-getAR)" \ + XEN_TARGET_ARCH="x86_32" -C stubdom pv-grub + fi + fi +} + +src_install() { + if use x86; then + emake XEN_TARGET_ARCH="x86_32" DESTDIR="${D}" -C stubdom install-grub + fi + if use amd64; then + emake XEN_TARGET_ARCH="x86_64" DESTDIR="${D}" -C stubdom install-grub + if use multilib; then + emake XEN_TARGET_ARCH="x86_32" DESTDIR="${D}" -C stubdom install-grub + fi + fi +} + +pkg_postinst() { + elog "Official Xen Guide and the unoffical wiki page:" + elog " http://www.gentoo.org/doc/en/xen-guide.xml" + elog " http://en.gentoo-wiki.com/wiki/Xen/" +} |