Revert "main/xen: security fixes (CVE-2016-6258, CVE-2016-6259, CVE-2016-5403)"

This reverts commit 4138843cb6988b29e88e93a4eb1a87fd2e75cace.
author: Leonardo Arena <rnalrd@alpinelinux.org> 2016-08-15 07:45:32 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2016-08-15 07:45:32 +0000
commit: 140745f2f4ae3fcdb9cd068fabd9d8b6f6ab21f9 (patch)
tree: ea2d661e874ff216bd44006ac1d94a2b216c2fd2 /main/xen
parent: 922c62b2fad1ec9d9da365d6a3c0e11c29bd8701 (diff)
5 files changed, 0 insertions, 280 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 7fa1e11d45c..afc4cf7a70b 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -53,11 +53,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz
 	http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz
 
-	xsa182-4.6.patch
-	xsa183-4.6.patch
-	xsa184-qemut-master.patch
-	xsa184-qemuu-master.patch
-
 	qemu-coroutine-gthread.patch
 	qemu-xen_paths.patch
 
@@ -260,10 +255,6 @@ cec05e7785497c5e19da2f114b934ffd  pciutils-2.2.9.tar.bz2
 e26becb8a6a2b6695f6b3e8097593db8  tpm_emulator-0.7.4.tar.gz
 debc62758716a169df9f62e6ab2bc634  zlib-1.2.3.tar.gz
 7496268cebf47d5c9ccb0696e3b26065  ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-0c0322407ec522b1b82d833dd6d38e88  xsa182-4.6.patch
-f137255f6928d439a5ddf18ebab402d7  xsa183-4.6.patch
-95bc220677fc2bb9a3df4dc14a0b31f6  xsa184-qemut-master.patch
-cc0904605d03a9e4f6f21d16824e41c9  xsa184-qemuu-master.patch
 de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
 08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
 e449bb3359b490804ffc7b0ae08d62a0  hotplug-vif-vtrill.patch
@@ -295,10 +286,6 @@ f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24  pciutils-2.2.9
 4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459  tpm_emulator-0.7.4.tar.gz
 1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e  zlib-1.2.3.tar.gz
 632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c  ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-f10665acaf17dedd15c40bfeb832b188db1ab3e789d95cc3787575529a280813  xsa182-4.6.patch
-0fee41f21a3eb4af1487590098047f4625688bcef7419572a8f418f9fb728468  xsa183-4.6.patch
-88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20  xsa184-qemut-master.patch
-3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65  xsa184-qemuu-master.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
 dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a  hotplug-vif-vtrill.patch
@@ -330,10 +317,6 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35  tpm_emulator-0.7.4.tar.gz
 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e  zlib-1.2.3.tar.gz
 c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4  ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-ea94b7ad08dd19c205af584786d92e463a36b522b4a0fb62bd86ea828d867f58821b7ed4e42f35544cf18a6e9aac311ea6d8d085e802ee819a563fe6f6598e47  xsa182-4.6.patch
-f3495976ab219cfd376bae3ad409b452169df11ebcd36b106212db1b1fc8db8c50e721a5d1e23efbc25146946f922556014eda652517ee95efbfb3b482327e99  xsa183-4.6.patch
-14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad  xsa184-qemut-master.patch
-862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6  xsa184-qemuu-master.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa182-4.6.patch b/main/xen/xsa182-4.6.patch
deleted file mode 100644
index be2047d6881..00000000000
--- a/main/xen/xsa182-4.6.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From f48a75b0c10ac79b287ca2b580ecb9ea2f696607 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Mon, 11 Jul 2016 14:32:03 +0100
-Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
-
-All changes in writeability and cacheability must go through full
-re-validation.
-
-Rework the logic as a whitelist, to make it clearer to follow.
-
-This is XSA-182
-
-Reported-by: Jérémie Boutoille <jboutoille@ext.quarkslab.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
----
- xen/arch/x86/mm.c          | 28 ++++++++++++++++------------
- xen/include/asm-x86/page.h |  1 +
- 2 files changed, 17 insertions(+), 12 deletions(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index daf02ab..8dd22b8 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -1780,6 +1780,14 @@ static inline int update_intpte(intpte_t *p,
-                   _t ## e_get_intpte(_o), _t ## e_get_intpte(_n),   \
-                   (_m), (_v), (_ad))
- 
-+/*
-+ * PTE flags that a guest may change without re-validating the PTE.
-+ * All other bits affect translation, caching, or Xen's safety.
-+ */
-+#define FASTPATH_FLAG_WHITELIST                                     \
-+    (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \
-+     _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER)
-+
- /* Update the L1 entry at pl1e to new value nl1e. */
- static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
-                         unsigned long gl1mfn, int preserve_ad,
-@@ -1820,9 +1828,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping, r/w, presence, and cachability. */
--        if ( !l1e_has_changed(ol1e, nl1e,
--                              PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l1e(nl1e, pt_dom);
-             if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
-@@ -1904,11 +1911,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l2e_has_changed(ol2e, nl2e,
--                              unlikely(opt_allow_superpage)
--                              ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
--                              : _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l2e(nl2e, d);
-             if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
-@@ -1973,8 +1977,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l3e(nl3e, d);
-             rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad);
-@@ -2037,8 +2041,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l4e(nl4e, d);
-             rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad);
-diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h
-index 66b611c..1a59ed8 100644
---- a/xen/include/asm-x86/page.h
-+++ b/xen/include/asm-x86/page.h
-@@ -311,6 +311,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t);
- #define _PAGE_AVAIL2   _AC(0x800,U)
- #define _PAGE_AVAIL    _AC(0xE00,U)
- #define _PAGE_PSE_PAT  _AC(0x1000,U)
-+#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12)
- #define _PAGE_NX       (cpu_has_nx ? _PAGE_NX_BIT : 0)
- /* non-architectural flags */
- #define _PAGE_PAGED   0x2000U
--- 
-2.1.4
-
diff --git a/main/xen/xsa183-4.6.patch b/main/xen/xsa183-4.6.patch
deleted file mode 100644
index 84d70077c89..00000000000
--- a/main/xen/xsa183-4.6.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Wed, 15 Jun 2016 18:32:14 +0100
-Subject: [PATCH] x86/entry: Avoid SMAP violation in
- compat_create_bounce_frame()
-
-A 32bit guest kernel might be running on user mappings.
-compat_create_bounce_frame() must whitelist its guest accesses to avoid
-risking a SMAP violation.
-
-For both variants of create_bounce_frame(), re-blacklist user accesses if
-execution exits via an exception table redirection.
-
-This is XSA-183 / CVE-2016-6259
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: George Dunlap <george.dunlap@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
----
-v2:
- * Include CLAC on the exit paths from compat_create_bounce_frame which occur
-   from faults attempting to load %fs
- * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz
----
- xen/arch/x86/x86_64/compat/entry.S | 3 +++
- xen/arch/x86/x86_64/entry.S        | 2 ++
- 2 files changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
-index 0e3db7c..1eaf4bb 100644
---- a/xen/arch/x86/x86_64/compat/entry.S
-+++ b/xen/arch/x86/x86_64/compat/entry.S
-@@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap)
- compat_create_bounce_frame:
-         ASSERT_INTERRUPTS_ENABLED
-         mov   %fs,%edi
-+        ASM_STAC
-         testb $2,UREGS_cs+8(%rsp)
-         jz    1f
-         /* Push new frame at registered guest-OS stack base. */
-@@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe)
-         movl  %ds,%eax
- .Lft12: movl  %eax,%fs:0*4(%rsi)        # DS
- UNLIKELY_END(compat_bounce_failsafe)
-+        ASM_CLAC
-         /* Rewrite our stack frame and return to guest-OS mode. */
-         /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
-         andl  $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
-@@ -448,6 +450,7 @@ compat_crash_page_fault_4:
-         addl  $4,%esi
- compat_crash_page_fault:
- .Lft14: mov   %edi,%fs
-+        ASM_CLAC
-         movl  %esi,%edi
-         call  show_page_walk
-         jmp   dom_crash_sync_extable
-diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
-index 6e27508..0c2e63a 100644
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-@@ -462,9 +462,11 @@ domain_crash_page_fault_16:
- domain_crash_page_fault_8:
-         addq  $8,%rsi
- domain_crash_page_fault:
-+        ASM_CLAC
-         movq  %rsi,%rdi
-         call  show_page_walk
- ENTRY(dom_crash_sync_extable)
-+        ASM_CLAC
-         # Get out of the guest-save area of the stack.
-         GET_STACK_BASE(%rax)
-         leaq  STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
--- 
-2.1.4
-
diff --git a/main/xen/xsa184-qemut-master.patch b/main/xen/xsa184-qemut-master.patch
deleted file mode 100644
index b376f33a527..00000000000
--- a/main/xen/xsa184-qemut-master.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Tue, 26 Jul 2016 15:31:59 +0100
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size.  This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible.  Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits.  This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio.c b/hw/virtio.c
-index c26feff..42897bf 100644
---- a/tools/qemu-xen-traditional/hw/virtio.c
-+++ b/tools/qemu-xen-traditional/hw/virtio.c
-@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
-     /* When we start there are none of either input nor output. */
-     elem->out_num = elem->in_num = 0;
- 
-+    if (vq->inuse >= vq->vring.num) {
-+        fprintf(stderr, "Virtqueue size exceeded");
-+        exit(1);
-+    }
-+
-     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
-     do {
-         struct iovec *sg;
--- 
-2.1.4
-
diff --git a/main/xen/xsa184-qemuu-master.patch b/main/xen/xsa184-qemuu-master.patch
deleted file mode 100644
index bbe44e8fcb7..00000000000
--- a/main/xen/xsa184-qemuu-master.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit@redhat.com>
-Date: Mon, 25 Jul 2016 17:37:18 +0530
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size.  This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible.  Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits.  This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index d24f775..f8ac0fb 100644
---- a/tools/qemu-xen/hw/virtio/virtio.c
-+++ b/tools/qemu-xen/hw/virtio/virtio.c
-@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
- 
-     max = vq->vring.num;
- 
-+    if (vq->inuse >= max) {
-+        error_report("Virtqueue size exceeded");
-+        exit(1);
-+    }
-+
-     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
-     if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
-         vring_set_avail_event(vq, vq->last_avail_idx);
--- 
-2.1.4
-
author	Leonardo Arena <rnalrd@alpinelinux.org>	2016-08-15 07:45:32 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2016-08-15 07:45:32 +0000
commit	140745f2f4ae3fcdb9cd068fabd9d8b6f6ab21f9 (patch)
tree	ea2d661e874ff216bd44006ac1d94a2b216c2fd2 /main/xen
parent	922c62b2fad1ec9d9da365d6a3c0e11c29bd8701 (diff)