authorDaniel Néri <dne+alpine@mayonnaise.net>2020-11-24 13:25:58 +0100
committerDaniel Néri <dne+alpine@mayonnaise.net>2020-11-24 13:25:58 +0100
commit88d37e53c627aca04ea99a9aaac9395e90571e9a (patch)
treefde9ab0cb9790d0d679163171f9ad047ac6fea55
parent4488ed6bf2a5ab97f06d35ee58035dc989b10a14 (diff)
main/xen: security fix for XSA-355
Fix stack corruption introduced by fix for XSA-346.
-rw-r--r--main/xen/APKBUILD6
-rw-r--r--main/xen/xsa355.patch23
2 files changed, 28 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index d9d24e0197..0c943f89b9 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xen
pkgver=4.14.0
-pkgrel=2
+pkgrel=3
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
@@ -195,6 +195,8 @@ options="!strip"
# - CVE-????-????? XSA-346
# - CVE-????-????? XSA-347
# - CVE-????-????? XSA-351
+# 4.14.0-r3:
+# - CVE-????-????? XSA-355
case "$CARCH" in
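Review bot: The new secfixes entry `# - CVE-????-????? XSA-355` carries a placeholder instead of a CVE identifier, as the XSA-346/347/351 lines above it do. If this comment block is what feeds the distribution's security tracker, tooling that matches on CVE ID will not be able to associate 4.14.0-r3 with this fix. The line should become `# - CVE-<assigned-id> XSA-355` once the advisory's CVE is published. The secfixes block starts outside this hunk, so the earlier placeholder entries would need the same follow-up.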
@@ -281,6 +283,7 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xsa351-arm.patch
xsa351-x86-4.14-1.patch
xsa351-x86-4.14-2.patch
+ xsa355.patch
qemu-xen-time64.patch
gcc10-etherboot-enum.patch
@@ -552,6 +555,7 @@ e02ecd756ceb02781b9dec14647132f4fbf575bea59948bcfd5fce85130282671b11f771c263d05d
ad019b570ad21e19a9c8719d7efba3c54d3224dd17abdee4430ea15c847b9fa8f45e0275df797940bd7619bae28600b8e1a0d6b7ded0da2fd27eb0571c5ab51e xsa351-arm.patch
92f2a8d04a36fc99060c0385aabe0515594f1ce432f1abb8e0506e726eb3951ba155871a3ce96fec4111a3a4f112c29a43c2842c5bd255e23933435b1e244503 xsa351-x86-4.14-1.patch
f7ff49294d4bbe64eff99972566c3a883a5f802cd302963f961a586d9c6735d25185efed97356ca528b8600402e061dfced26c1e5a428143c92a61dd14a355b4 xsa351-x86-4.14-2.patch
+70b4b03c956b189ed75d0105152945bf3bfbee406135cab32f7b8160739f207ae17f9e7028b13d298de97de6dadcb205e8a7cd2830cad8b91e8a62b93f168a80 xsa355.patch
231b5d0abf6420722534bf48b4f263bdf70dd258f5f34b344f230b4e166edb3ebaf769592f40653ea5836b4431ef951ebcf1995f09e2beb4a591edd3b024a652 qemu-xen-time64.patch
e72ae17cb80c78412996845b996e442cdc21ee4b840c8b7ebacca101619b3d47104bf6b6330520aecf0d7ccf2699826b4f2a649c729b21d5ac81b37f7fc505fc gcc10-etherboot-enum.patch
ea55e0a35e4282ccf6c38b0529edd5995fdfd82506cc19bf97ad677d218a5a44eae354d4fabbd524986700262e39684eb8239837e21b21d0da0051b669728a71 gcc10-arm64-force-inline-atomics.patch
diff --git a/main/xen/xsa355.patch b/main/xen/xsa355.patch
new file mode 100644
index 0000000000..491dd05028
--- /dev/null
+++ b/main/xen/xsa355.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: memory: fix off-by-one in XSA-346 change
+
+The comparison against ARRAY_SIZE() needs to be >= in order to avoid
+overrunning the pages[] array.
+
+This is XSA-355.
+
+Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
+ ++extra.ppage;
+
+ /* Check for continuation if it's not the last iteration. */
+- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
++ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
+ (xatp->size > done && hypercall_preempt_check()) )
+ {
+ rc = start + done;
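Review bot: The comment above the changed condition still reads only "Check for continuation if it's not the last iteration" and does not record why the bound has to be `>=`. As far as the hunk shows, `done` is incremented once per iteration alongside `extra.ppage`, so when `done` reaches `ARRAY_SIZE(pages)` the array is full and another iteration would store one element past its end, which matches the stack corruption named in the commit message. I would add `/* pages[] holds at most ARRAY_SIZE(pages) entries; force a continuation once it is full. */` directly above the `if`, so the invariant is not lost a second time. The declaration of `pages[]` and the start of the loop are outside the hunk, so the one-to-one relationship between `done` and `extra.ppage` should be confirmed there.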