authorHenrik Riomar <henrik.riomar@gmail.com>2020-12-19 15:57:34 +0100
committerMilan P. Stanić <mps@arvanta.net>2020-12-31 09:15:55 +0000
commitd4b5d61f2b93d579fb30681dacb37f13569c41ec (patch)
treef81ae43c8735a38feb6d5f827cdb1171df8dc71a
parent1af501149c5d0a812c9798f6693774bffbea7f00 (diff)
main/xen: fix XSA-359
-rw-r--r--main/xen/APKBUILD4
-rw-r--r--main/xen/xsa359.patch40
2 files changed, 44 insertions, 0 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 2cb7e5e2e95..d9a45477c6c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -209,6 +209,7 @@ options="!strip"
# - CVE-2020-29486 XSA-352
# - CVE-2020-29479 XSA-353
# - CVE-2020-29570 XSA-358
+# - CVE-2020-29571 XSA-359
case "$CARCH" in
x86*)
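Review bot: The new `# - CVE-2020-29571 XSA-359` secfixes line is filed under a version-release heading that lies above this hunk, and nothing in this commit changes `pkgrel` (the diffstat shows 4 insertions and 0 deletions for APKBUILD). If packages for that pkgver-rN were already built and published, the patched build would not be offered as an upgrade, and the secfixes entry would attribute the fix to a release that shipped without it. It is worth confirming that the heading matches a `pkgrel` bumped in a neighbouring commit, or bumping `pkgrel` here.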
@@ -314,6 +315,8 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xsa358-4.14.patch
+ xsa359.patch
+
xenstored.initd
xenstored.confd
xenconsoled.initd
@@ -590,6 +593,7 @@ b1791c36e0eb0ae6bb89c0529922775e6b9c0ec66cfd99a203bc56ff0ddb071e98ae39e81d4f4d57
3fe751d9c802963ec57ffc88a69a08de63f0c45da914b9debc65fd77d5cb407080e7a6e3287a893ccf5c352a2d2786f831458cd302b99d1b3d490e9a7330fbad xsa352.patch
c458c962d9ae45c2fce049e6094923f72dfc87e0a20ef083371215cfe8345f437f556c4efadac841432db8421457eb0a6dea5d93ff148aff2466795125c759e1 xsa353.patch
0f7dcfa0115ac7e353bb0f645845b839fd628bdb553f8a5c5f03f2b5808515e255bcc6173b6b946a8901f62a80dcf9cf94f4039cd66e04315bd2ba849e585fde xsa358-4.14.patch
+a842b086044a2936b71f77afb6a30aa8eb336dda467d94ab2656936434f7a1301522f2c2d6a90ebb87d39aca16d3b9d875d36b0b14492420aca1782116ecc398 xsa359.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
diff --git a/main/xen/xsa359.patch b/main/xen/xsa359.patch
new file mode 100644
index 00000000000..231810b2654
--- /dev/null
+++ b/main/xen/xsa359.patch
@@ -0,0 +1,40 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn/FIFO: add 2nd smp_rmb() to evtchn_fifo_word_from_port()
+
+Besides with add_page_to_event_array() the function also needs to
+synchronize with evtchn_fifo_init_control() setting both d->evtchn_fifo
+and (subsequently) d->evtchn_port_ops.
+
+This is XSA-359 / CVE-2020-29571.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/event_fifo.c
++++ b/xen/common/event_fifo.c
+@@ -55,6 +55,13 @@ static inline event_word_t *evtchn_fifo_
+ {
+ unsigned int p, w;
+
++ /*
++ * Callers aren't required to hold d->event_lock, so we need to synchronize
++ * with evtchn_fifo_init_control() setting d->evtchn_port_ops /after/
++ * d->evtchn_fifo.
++ */
++ smp_rmb();
++
+ if ( unlikely(port >= d->evtchn_fifo->num_evtchns) )
+ return NULL;
+
+@@ -606,6 +613,10 @@ int evtchn_fifo_init_control(struct evtc
+ if ( rc < 0 )
+ goto error;
+
++ /*
++ * This call, as a side effect, synchronizes with
++ * evtchn_fifo_word_from_port().
++ */
+ rc = map_control_block(v, gfn, offset);
+ if ( rc < 0 )
+ goto error;
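Review bot: The comment added in evtchn_fifo_init_control() says map_control_block() synchronizes with evtchn_fifo_word_from_port() "as a side effect", but it does not name what inside that call supplies the write-side ordering. The new `smp_rmb()` in the reader therefore has no visible pairing barrier in this patch, and a later refactor of map_control_block() could presumably drop the ordering without anyone noticing. A comment of the form `/* Pairs with smp_rmb() in evtchn_fifo_word_from_port(); ordering is provided by <mechanism inside map_control_block()>. */` would make the dependency checkable. Both functions start and end outside the inner hunks, so the reads and writes being ordered are not visible here. Because the file is carried from upstream and pinned in sha512sums, any rewording belongs upstream rather than in a local edit.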