author | Daniel Néri <dne+alpine@mayonnaise.net> | 2020-11-24 13:25:58 +0100 |
---|---|---|
committer | Daniel Néri <dne+alpine@mayonnaise.net> | 2020-11-24 13:25:58 +0100 |
commit | 88d37e53c627aca04ea99a9aaac9395e90571e9a (patch) | |
tree | fde9ab0cb9790d0d679163171f9ad047ac6fea55 | |
parent | 4488ed6bf2a5ab97f06d35ee58035dc989b10a14 (diff) | |
main/xen: security fix for XSA-355
Fix stack corruption introduced by fix for XSA-346.
-rw-r--r-- | main/xen/APKBUILD | 6 | ||||
-rw-r--r-- | main/xen/xsa355.patch | 23 |
2 files changed, 28 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index d9d24e0197..0c943f89b9 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=xen pkgver=4.14.0 -pkgrel=2 +pkgrel=3 pkgdesc="Xen hypervisor" url="https://www.xenproject.org/" arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8 @@ -195,6 +195,8 @@ options="!strip" # - CVE-????-????? XSA-346 # - CVE-????-????? XSA-347 # - CVE-????-????? XSA-351 +# 4.14.0-r3: +# - CVE-????-????? XSA-355 case "$CARCH" in @@ -281,6 +283,7 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz xsa351-arm.patch xsa351-x86-4.14-1.patch xsa351-x86-4.14-2.patch + xsa355.patch qemu-xen-time64.patch gcc10-etherboot-enum.patch @@ -552,6 +555,7 @@ e02ecd756ceb02781b9dec14647132f4fbf575bea59948bcfd5fce85130282671b11f771c263d05d ad019b570ad21e19a9c8719d7efba3c54d3224dd17abdee4430ea15c847b9fa8f45e0275df797940bd7619bae28600b8e1a0d6b7ded0da2fd27eb0571c5ab51e xsa351-arm.patch 92f2a8d04a36fc99060c0385aabe0515594f1ce432f1abb8e0506e726eb3951ba155871a3ce96fec4111a3a4f112c29a43c2842c5bd255e23933435b1e244503 xsa351-x86-4.14-1.patch f7ff49294d4bbe64eff99972566c3a883a5f802cd302963f961a586d9c6735d25185efed97356ca528b8600402e061dfced26c1e5a428143c92a61dd14a355b4 xsa351-x86-4.14-2.patch +70b4b03c956b189ed75d0105152945bf3bfbee406135cab32f7b8160739f207ae17f9e7028b13d298de97de6dadcb205e8a7cd2830cad8b91e8a62b93f168a80 xsa355.patch 231b5d0abf6420722534bf48b4f263bdf70dd258f5f34b344f230b4e166edb3ebaf769592f40653ea5836b4431ef951ebcf1995f09e2beb4a591edd3b024a652 qemu-xen-time64.patch e72ae17cb80c78412996845b996e442cdc21ee4b840c8b7ebacca101619b3d47104bf6b6330520aecf0d7ccf2699826b4f2a649c729b21d5ac81b37f7fc505fc gcc10-etherboot-enum.patch ea55e0a35e4282ccf6c38b0529edd5995fdfd82506cc19bf97ad677d218a5a44eae354d4fabbd524986700262e39684eb8239837e21b21d0da0051b669728a71 gcc10-arm64-force-inline-atomics.patch 
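Review bot: The new secfixes entry under `# 4.14.0-r3:` records XSA-355 with the placeholder `CVE-????-?????`, so anything that matches fixed versions by CVE identifier presumably cannot tie this release to the fix. Once an identifier is assigned, the line should become `#     - CVE-<assigned-id> XSA-355`. The XSA-346, XSA-347 and XSA-351 entries shown as context carry the same placeholder and would need the same follow-up. Until then, the XSA number is the only reliable key for confirming that a host runs the patched build.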
diff --git a/main/xen/xsa355.patch b/main/xen/xsa355.patch
new file mode 100644
index 0000000000..491dd05028
--- /dev/null
+++ b/main/xen/xsa355.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: memory: fix off-by-one in XSA-346 change
+
+The comparison against ARRAY_SIZE() needs to be >= in order to avoid
+overrunning the pages[] array.
+
+This is XSA-355.
+
+Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
+ ++extra.ppage;
+
+ /* Check for continuation if it's not the last iteration. */
+- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
++ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
+ (xatp->size > done && hypercall_preempt_check()) )
+ {
+ rc = start + done; |
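Review bot: The corrected bound in `if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||` depends on an invariant the code never states: after the increment, `done` is the number of `pages[]` slots already consumed, so the loop must break out as soon as it equals the array size. The original off-by-one came from leaving that relation implicit inside a side-effecting condition, so a comment above the check would help, for example `/* done counts filled pages[] slots; continue before the next iteration would index past the array. */`. The store into `pages[]` and the rest of xenmem_add_to_physmap lie outside the hunk, so the exact indexing is inferred from the patch description rather than visible here. An assertion at that store, checking the index against `ARRAY_SIZE(pages)`, would make the bound self-checking in debug builds.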