Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2015-05-16 07:12:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen"

Changes:
--------
--- /work/SRC/openSUSE:Factory/xen/xen.changes 2015-05-06 11:17:22.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2015-05-16 07:12:47.000000000 +0200
@@ -1,0 +2,15 @@
+Mon May 11 15:07:30 MDT 2015 - carn...@suse.com
+
+- bsc#927967 - VUL-0: CVE-2015-3340: xen: Information leak through
+  XEN_DOMCTL_gettscinfo (XSA-132)
+  5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
+
+-------------------------------------------------------------------
+Thu May 7 06:53:15 MDT 2015 - carn...@suse.com
+
+- bnc#929339 - VUL-0: CVE-2015-3456: qemu kvm xen: VENOM qemu
+  floppy driver host code execution
+  CVE-2015-3456-xsa133-qemuu.patch
+  CVE-2015-3456-xsa133-qemut.patch
+
+-------------------------------------------------------------------

New:
----
  5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
  CVE-2015-3456-xsa133-qemut.patch
  CVE-2015-3456-xsa133-qemuu.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xen.spec ++++++
--- /var/tmp/diff_new_pack.MqyynZ/_old 2015-05-16 07:12:50.000000000 +0200
+++ /var/tmp/diff_new_pack.MqyynZ/_new 2015-05-16 07:12:50.000000000 +0200
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
+
 # needssslcertforbuild
 Name: xen
@@ -157,7 +158,7 @@
 %endif
 %endif
-Version: 4.5.0_03
+Version: 4.5.0_04
 Release: 0
 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
 License: GPL-2.0
@@ -204,6 +205,7 @@
 Patch2: 551ac326-xentop-add-support-for-qdisk.patch
 Patch3: 5513b458-allow-reboot-overrides-when-running-under-EFI.patch
 Patch4: 5513b4d1-dont-apply-reboot-quirks-if-reboot-set-by-user.patch
+Patch5: 5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch
 # Upstream qemu
 Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -214,6 +216,8 @@
 Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
 Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch
 Patch258: 0008-e1000-check-buffer-availability.patch
+Patch260: CVE-2015-3456-xsa133-qemuu.patch
+Patch261: CVE-2015-3456-xsa133-qemut.patch
 # Our platform specific patches
 Patch301: xen-destdir.patch
 Patch302: vif-bridge-no-iptables.patch
@@ -507,6 +511,7 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
@@ -517,6 +522,8 @@
 %patch256 -p1
 %patch257 -p1
 %patch258 -p1
+%patch260 -p1
+%patch261 -p1
 # Our platform specific patches
 %patch301 -p1
 %patch302 -p1
++++++ 5535f633-dont-leak-hypervisor-stack-to-toolstacks.patch ++++++
Subject: domctl/sysctl: don't leak hypervisor stack to toolstacks
From: Andrew Cooper andrew.coop...@citrix.com Tue Apr 21 09:03:15 2015 +0200
Date: Tue Apr 21 09:03:15 2015 +0200:
Git: 4ff3449f0e9d175ceb9551d3f2aecb59273f639d

This is CVE-2015-3340 / XSA-132.

Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
Reviewed-by: Jan Beulich <jbeul...@suse.com>
Acked-by: Ian Campbell <ian.campb...@citrix.com>

Index: xen-4.5.0-testing/xen/arch/x86/domctl.c
===================================================================
--- xen-4.5.0-testing.orig/xen/arch/x86/domctl.c
+++ xen-4.5.0-testing/xen/arch/x86/domctl.c
@@ -886,7 +886,7 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_gettscinfo:
     {
-        xen_guest_tsc_info_t info;
+        xen_guest_tsc_info_t info = { 0 };
 
         domain_pause(d);
         tsc_get_info(d, &info.tsc_mode,
Index: xen-4.5.0-testing/xen/common/sysctl.c
===================================================================
--- xen-4.5.0-testing.orig/xen/common/sysctl.c
+++ xen-4.5.0-testing/xen/common/sysctl.c
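Review bot: `xen_guest_tsc_info_t info = { 0 };` zeroes the named members, but the C standard does not guarantee that a brace initializer clears the padding bytes of an automatic object, and the structure is presumably copied out to the toolstack as a whole (that is the leak the patch title describes); if the type carries any padding, which this hunk does not show, `memset(&info, 0, sizeof(info));` is the form that is guaranteed to leave no stack bytes behind. The same applies to `struct xen_domctl_getdomaininfo info = { 0 };` in the sysctl.c hunk that follows. The copy-out and the rest of arch_do_domctl lie outside the hunk.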
@@ -76,7 +76,7 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
     case XEN_SYSCTL_getdomaininfolist:
     {
         struct domain *d;
-        struct xen_domctl_getdomaininfo info;
+        struct xen_domctl_getdomaininfo info = { 0 };
         u32 num_domains = 0;
 
         rcu_read_lock(&domlist_read_lock);
++++++ CVE-2015-3456-xsa133-qemut.patch ++++++
>From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
From: Petr Matousek <pmato...@redhat.com>
Date: Wed, 6 May 2015 09:48:59 +0200
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer

During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest.

Fix this by making sure that the index is always bounded by the allocated memory.

This is CVE-2015-3456.

Signed-off-by: Petr Matousek <pmato...@redhat.com>
Reviewed-by: John Snow <js...@redhat.com>
---
 hw/block/fdc.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
===================================================================
--- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
+++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/fdc.c
@@ -1318,7 +1318,7 @@ static uint32_t fdctrl_read_data (fdctrl
 {
     fdrive_t *cur_drv;
     uint32_t retval = 0;
-    int pos;
+    uint32_t pos;
 
     cur_drv = get_cur_drv(fdctrl);
     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1327,8 +1327,8 @@ static uint32_t fdctrl_read_data (fdctrl
         return 0;
     }
     pos = fdctrl->data_pos;
+    pos %= FD_SECTOR_LEN;
     if (fdctrl->msr & FD_MSR_NONDMA) {
-        pos %= FD_SECTOR_LEN;
         if (pos == 0) {
             if (fdctrl->data_pos != 0)
                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
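Review bot: The `pos %= FD_SECTOR_LEN;` hoisted in front of the FD_MSR_NONDMA test is only a bound because the previous hunk changed `pos` from `int` to `uint32_t` — the remainder of a negative signed value is negative and would still index before `fifo[]` — yet nothing at the declaration records that, so a later tidy-up back to `int` would quietly reopen the issue. I would write `uint32_t pos; /* must stay unsigned: the modulo below is the bounds check for fifo[] */`. The bound also assumes that `fifo` has exactly FD_SECTOR_LEN elements, which this hunk does not show; a compile-time assertion tying the array size to FD_SECTOR_LEN would keep the two in step. The same applies to the qemuu hunks at -1440/-1449, and fdctrl_read_data continues outside the hunk.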
@@ -1673,10 +1673,13 @@ static void fdctrl_handle_option (fdctrl
 static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
 {
     fdrive_t *cur_drv = get_cur_drv(fdctrl);
+    uint32_t pos;
 
-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+    pos = fdctrl->data_pos - 1;
+    pos %= FD_SECTOR_LEN;
+    if (fdctrl->fifo[pos] & 0x80) {
         /* Command parameters done */
-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+        if (fdctrl->fifo[pos] & 0x40) {
             fdctrl->fifo[0] = fdctrl->fifo[1];
             fdctrl->fifo[2] = 0;
             fdctrl->fifo[3] = 0;
@@ -1771,7 +1774,7 @@ static uint8_t command_to_handler[256];
 static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
 {
     fdrive_t *cur_drv;
-    int pos;
+    uint32_t pos;
 
     /* Reset mode */
     if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -1817,7 +1820,9 @@ static void fdctrl_write_data (fdctrl_t
     }
 
     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-    fdctrl->fifo[fdctrl->data_pos++] = value;
+    pos = fdctrl->data_pos++;
+    pos %= FD_SECTOR_LEN;
+    fdctrl->fifo[pos] = value;
     if (fdctrl->data_pos == fdctrl->data_len) {
         /* We now have all parameters
          * and will be able to treat the command
++++++ CVE-2015-3456-xsa133-qemuu.patch ++++++
>From ac7ddbe342d7aa2303c39ca731cc6229dbbd739b Mon Sep 17 00:00:00 2001
From: Petr Matousek <pmato...@redhat.com>
Date: Wed, 6 May 2015 09:48:59 +0200
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer

During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest.

Fix this by making sure that the index is always bounded by the allocated memory.

This is CVE-2015-3456.
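Review bot: In fdctrl_handle_drive_specification_command the new `pos = fdctrl->data_pos - 1;` wraps to UINT32_MAX when data_pos is 0, and `pos %= FD_SECTOR_LEN` then maps it to FD_SECTOR_LEN - 1, so the read stays in bounds but examines the last FIFO byte rather than a byte just written. Whether this handler can run with data_pos == 0 is not visible here; if it cannot, a one-line comment above the subtraction saying so would document the assumption, and if it can, a guard such as `if (fdctrl->data_pos == 0) return;` belongs before it (using whatever this file does for a malformed command). The same expression appears in the qemuu hunk at -1794, and the handler's body continues past the hunk.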
Signed-off-by: Petr Matousek <pmato...@redhat.com>
Reviewed-by: John Snow <js...@redhat.com>
---
 hw/block/fdc.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

Index: xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/block/fdc.c
===================================================================
--- xen-4.4.2-testing.orig/tools/qemu-xen-dir-remote/hw/block/fdc.c
+++ xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/block/fdc.c
@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl
 {
     FDrive *cur_drv;
     uint32_t retval = 0;
-    int pos;
+    uint32_t pos;
 
     cur_drv = get_cur_drv(fdctrl);
     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl
         return 0;
     }
     pos = fdctrl->data_pos;
+    pos %= FD_SECTOR_LEN;
     if (fdctrl->msr & FD_MSR_NONDMA) {
-        pos %= FD_SECTOR_LEN;
         if (pos == 0) {
             if (fdctrl->data_pos != 0)
                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl
 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
 {
     FDrive *cur_drv = get_cur_drv(fdctrl);
+    uint32_t pos;
 
-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+    pos = fdctrl->data_pos - 1;
+    pos %= FD_SECTOR_LEN;
+    if (fdctrl->fifo[pos] & 0x80) {
         /* Command parameters done */
-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+        if (fdctrl->fifo[pos] & 0x40) {
             fdctrl->fifo[0] = fdctrl->fifo[1];
             fdctrl->fifo[2] = 0;
             fdctrl->fifo[3] = 0;
@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
 {
     FDrive *cur_drv;
-    int pos;
+    uint32_t pos;
 
     /* Reset mode */
     if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fd
     }
 
     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-    fdctrl->fifo[fdctrl->data_pos++] = value;
+    pos = fdctrl->data_pos++;
+    pos %= FD_SECTOR_LEN;
+    fdctrl->fifo[pos] = value;
     if (fdctrl->data_pos == fdctrl->data_len) {
         /* We now have all parameters
          * and will be able to treat the command