authorDaniel Néri <dne+alpine@mayonnaise.net>2020-11-24 13:25:58 +0100
committerDaniel Néri <dne+alpine@mayonnaise.net>2020-11-27 14:54:29 +0100
commit803c562e66fffe39278c4685fab318169da0fb62 (patch)
treedbb9c0ce806a95398ec1c0df7e8568016081fd7c
parentfa11e9b06c1a77eb1858a84e52daa6397e35a5a2 (diff)
main/xen: security fix for XSA-355 [3.10-stable]
Fix stack corruption introduced by fix for XSA-346.
-rw-r--r--main/xen/APKBUILD3
-rw-r--r--main/xen/xsa355.patch23
2 files changed, 26 insertions, 0 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index af44c932a3..e9681fad15 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -195,6 +195,7 @@ options="!strip"
# - CVE-????-????? XSA-346
# - CVE-????-????? XSA-347
# - CVE-2020-28368 XSA-351
+# - CVE-????-????? XSA-355
case "$CARCH" in
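Review bot: The secfixes entry added here (`# - CVE-????-????? XSA-355`) comes with no `pkgrel` change anywhere in this commit: the diffstat lists three insertions to APKBUILD and no deletions, and they are this comment, the `xsa355.patch` source line and its sha512 line. Unless the release number was already raised by an earlier commit that had not yet been built, the rebuilt package would carry the same version as the vulnerable one, so installed hosts would not receive the fix on upgrade and the entry would sit under a version heading that also covers an unfixed build. I would bump `pkgrel` in the same commit and list the entry under the new `pkgver-rN:` heading, which lies outside this hunk. The placeholder should be replaced with the assigned CVE identifier once one is published, since tooling that matches secfixes by CVE cannot key on `CVE-????-?????`.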
@@ -261,6 +262,7 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
xsa351-x86-4.12-1.patch
xsa351-x86-4.12-2.patch
+ xsa355.patch
xenstored.initd
xenstored.confd
@@ -517,6 +519,7 @@ e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3a
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
b19c167ee9eaafc0b37c2f77418787e044e5e8a29e4a4b6bdf4ada5d75cd3f52231bfc70b69929af3934151efc661dd47974b0372ae0a23ba1293f7f23458d15 xsa351-x86-4.12-1.patch
3b08cc4a5608f53d5a64f6eff00eb018f751ae0c8d855b98c53a58d3766c1472a236bb3d11002d1aa5d4b75d0d645b8fa052c76b69639f76cf1062b73e2d5ab1 xsa351-x86-4.12-2.patch
+70b4b03c956b189ed75d0105152945bf3bfbee406135cab32f7b8160739f207ae17f9e7028b13d298de97de6dadcb205e8a7cd2830cad8b91e8a62b93f168a80 xsa355.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
diff --git a/main/xen/xsa355.patch b/main/xen/xsa355.patch
new file mode 100644
index 0000000000..491dd05028
--- /dev/null
+++ b/main/xen/xsa355.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: memory: fix off-by-one in XSA-346 change
+
+The comparison against ARRAY_SIZE() needs to be >= in order to avoid
+overrunning the pages[] array.
+
+This is XSA-355.
+
+Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
+ ++extra.ppage;
+
+ /* Check for continuation if it's not the last iteration. */
+- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
++ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
+ (xatp->size > done && hypercall_preempt_check()) )
+ {
+ rc = start + done;