author | Henrik Riomar <henrik.riomar@gmail.com> | 2020-12-19 15:57:34 +0100 |
---|---|---|
committer | Milan P. Stanić <mps@arvanta.net> | 2020-12-31 09:15:55 +0000 |
commit | d4b5d61f2b93d579fb30681dacb37f13569c41ec (patch) | |
tree | f81ae43c8735a38feb6d5f827cdb1171df8dc71a | |
parent | 1af501149c5d0a812c9798f6693774bffbea7f00 (diff) |
main/xen: fix XSA-359
This is CVE-2020-29571
-rw-r--r-- | main/xen/APKBUILD | 4 | ||||
-rw-r--r-- | main/xen/xsa359.patch | 40 |
2 files changed, 44 insertions, 0 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 2cb7e5e2e95..d9a45477c6c 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -209,6 +209,7 @@ options="!strip" # - CVE-2020-29486 XSA-352 # - CVE-2020-29479 XSA-353 # - CVE-2020-29570 XSA-358 +# - CVE-2020-29571 XSA-359 case "$CARCH" in x86*) @@ -314,6 +315,8 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz xsa358-4.14.patch + xsa359.patch + xenstored.initd xenstored.confd xenconsoled.initd @@ -590,6 +593,7 @@ b1791c36e0eb0ae6bb89c0529922775e6b9c0ec66cfd99a203bc56ff0ddb071e98ae39e81d4f4d57 3fe751d9c802963ec57ffc88a69a08de63f0c45da914b9debc65fd77d5cb407080e7a6e3287a893ccf5c352a2d2786f831458cd302b99d1b3d490e9a7330fbad xsa352.patch c458c962d9ae45c2fce049e6094923f72dfc87e0a20ef083371215cfe8345f437f556c4efadac841432db8421457eb0a6dea5d93ff148aff2466795125c759e1 xsa353.patch 0f7dcfa0115ac7e353bb0f645845b839fd628bdb553f8a5c5f03f2b5808515e255bcc6173b6b946a8901f62a80dcf9cf94f4039cd66e04315bd2ba849e585fde xsa358-4.14.patch +a842b086044a2936b71f77afb6a30aa8eb336dda467d94ab2656936434f7a1301522f2c2d6a90ebb87d39aca16d3b9d875d36b0b14492420aca1782116ecc398 xsa359.patch 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd diff --git a/main/xen/xsa359.patch b/main/xen/xsa359.patch new file mode 100644 index 00000000000..231810b2654 --- /dev/null +++ b/main/xen/xsa359.patch 
@@ -0,0 +1,40 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: evtchn/FIFO: add 2nd smp_rmb() to evtchn_fifo_word_from_port()
+
+Besides with add_page_to_event_array() the function also needs to
+synchronize with evtchn_fifo_init_control() setting both d->evtchn_fifo
+and (subsequently) d->evtchn_port_ops.
+
+This is XSA-359 / CVE-2020-29571.
+
+Reported-by: Julien Grall <jgrall@amazon.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/event_fifo.c
++++ b/xen/common/event_fifo.c
+@@ -55,6 +55,13 @@ static inline event_word_t *evtchn_fifo_
+ {
+ unsigned int p, w;
+
++ /*
++ * Callers aren't required to hold d->event_lock, so we need to synchronize
++ * with evtchn_fifo_init_control() setting d->evtchn_port_ops /after/
++ * d->evtchn_fifo.
++ */
++ smp_rmb();
++
+ if ( unlikely(port >= d->evtchn_fifo->num_evtchns) )
+ return NULL;
+
+@@ -606,6 +613,10 @@ int evtchn_fifo_init_control(struct evtc
+ if ( rc < 0 )
+ goto error;
+
++ /*
++ * This call, as a side effect, synchronizes with
++ * evtchn_fifo_word_from_port().
++ */
+ rc = map_control_block(v, gfn, offset);
+ if ( rc < 0 )
+ goto error; |
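Review bot: The write-side ordering in evtchn_fifo_init_control() is left implicit: the added comment says map_control_block() synchronizes with evtchn_fifo_word_from_port() only "as a side effect", without naming what inside that call provides the barrier. A later refactor of map_control_block() could therefore drop the pairing for the new smp_rmb() without anyone noticing. The comment could name the operation it relies on, or the pairing could be made explicit with something like `smp_wmb(); /* pairs with smp_rmb() in evtchn_fifo_word_from_port() */` ahead of the d->evtchn_port_ops assignment. That assignment and the rest of both function bodies lie outside the hunks shown, so the exact placement needs checking against the full file. The patch appears to be carried unmodified from the upstream advisory, so this would be a point for upstream rather than for the aports copy.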