diff options
author | Christopher Clark <christopher.w.clark@gmail.com> | 2018-01-08 23:12:44 -0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-01-12 10:37:46 -0500 |
commit | 3f5221471424c3da63821c60ad720d793844e89e (patch) | |
tree | cffd5309d84c096daf8714af460922adf4011160 /recipes-extended/xen/files/xsa249.patch | |
parent | d1969606e3540d3771a5ba4626d4e5ea42bd683a (diff) | |
download | meta-virtualization-3f5221471424c3da63821c60ad720d793844e89e.tar.gz |
xen: upgrade 4.9.x recipe to 4.9.1 and apply XSA/CVE fix patches
Upgrade the Xen 4.9.x series recipe to latest 4.9.1
and apply patches for:
XSA-245 / CVE-2017-17046
XSA-246 / CVE-2017-17044
XSA-247 / CVE-2017-17045
XSA-248 / CVE-2017-17566
XSA-249 / CVE-2017-17563
XSA-250 / CVE-2017-17564
XSA-251 / CVE-2017-17565
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'recipes-extended/xen/files/xsa249.patch')
-rw-r--r-- | recipes-extended/xen/files/xsa249.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/recipes-extended/xen/files/xsa249.patch b/recipes-extended/xen/files/xsa249.patch new file mode 100644 index 00000000..ecfa4305 --- /dev/null +++ b/recipes-extended/xen/files/xsa249.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: x86/shadow: fix refcount overflow check | ||
3 | |||
4 | Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track | ||
5 | the first page") reduced the refcount width to 25, without adjusting the | ||
6 | overflow check. Eliminate the disconnect by using a manifest constant. | ||
7 | |||
8 | Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS | ||
9 | snapshot") the refcount was 27 bits wide, yet the check was already | ||
10 | using 26. | ||
11 | |||
12 | This is XSA-249. | ||
13 | |||
14 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
15 | Reviewed-by: George Dunlap <george.dunlap@citrix.com> | ||
16 | Reviewed-by: Tim Deegan <tim@xen.org> | ||
17 | --- | ||
18 | v2: Simplify expression back to the style it was. | ||
19 | |||
20 | --- a/xen/arch/x86/mm/shadow/private.h | ||
21 | +++ b/xen/arch/x86/mm/shadow/private.h | ||
22 | @@ -529,7 +529,7 @@ static inline int sh_get_ref(struct doma | ||
23 | x = sp->u.sh.count; | ||
24 | nx = x + 1; | ||
25 | |||
26 | - if ( unlikely(nx >= 1U<<26) ) | ||
27 | + if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) ) | ||
28 | { | ||
29 | SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n", | ||
30 | __backpointer(sp), mfn_x(smfn)); | ||
31 | --- a/xen/include/asm-x86/mm.h | ||
32 | +++ b/xen/include/asm-x86/mm.h | ||
33 | @@ -82,7 +82,8 @@ struct page_info | ||
34 | unsigned long type:5; /* What kind of shadow is this? */ | ||
35 | unsigned long pinned:1; /* Is the shadow pinned? */ | ||
36 | unsigned long head:1; /* Is this the first page of the shadow? */ | ||
37 | - unsigned long count:25; /* Reference count */ | ||
38 | +#define PAGE_SH_REFCOUNT_WIDTH 25 | ||
39 | + unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */ | ||
40 | } sh; | ||
41 | |||
42 | /* Page is on a free list: ((count_info & PGC_count_mask) == 0). */ | ||