diff options
| author | Christopher Clark <christopher.w.clark@gmail.com> | 2018-01-08 23:12:44 -0800 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-01-12 10:37:46 -0500 |
| commit | 3f5221471424c3da63821c60ad720d793844e89e (patch) | |
| tree | cffd5309d84c096daf8714af460922adf4011160 /recipes-extended/xen/files/xsa249.patch | |
| parent | d1969606e3540d3771a5ba4626d4e5ea42bd683a (diff) | |
| download | meta-virtualization-3f5221471424c3da63821c60ad720d793844e89e.tar.gz | |
xen: upgrade 4.9.x recipe to 4.9.1 and apply XSA/CVE fix patches
Upgrade the Xen 4.9.x series recipe to latest 4.9.1
and apply patches for:
XSA-245 / CVE-2017-17046
XSA-246 / CVE-2017-17044
XSA-247 / CVE-2017-17045
XSA-248 / CVE-2017-17566
XSA-249 / CVE-2017-17563
XSA-250 / CVE-2017-17564
XSA-251 / CVE-2017-17565
Signed-off-by: Christopher Clark <christopher.clark6@baesystems.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'recipes-extended/xen/files/xsa249.patch')
| -rw-r--r-- | recipes-extended/xen/files/xsa249.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/recipes-extended/xen/files/xsa249.patch b/recipes-extended/xen/files/xsa249.patch new file mode 100644 index 00000000..ecfa4305 --- /dev/null +++ b/recipes-extended/xen/files/xsa249.patch | |||
| @@ -0,0 +1,42 @@ | |||
| 1 | From: Jan Beulich <jbeulich@suse.com> | ||
| 2 | Subject: x86/shadow: fix refcount overflow check | ||
| 3 | |||
| 4 | Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track | ||
| 5 | the first page") reduced the refcount width to 25, without adjusting the | ||
| 6 | overflow check. Eliminate the disconnect by using a manifest constant. | ||
| 7 | |||
| 8 | Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS | ||
| 9 | snapshot") the refcount was 27 bits wide, yet the check was already | ||
| 10 | using 26. | ||
| 11 | |||
| 12 | This is XSA-249. | ||
| 13 | |||
| 14 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
| 15 | Reviewed-by: George Dunlap <george.dunlap@citrix.com> | ||
| 16 | Reviewed-by: Tim Deegan <tim@xen.org> | ||
| 17 | --- | ||
| 18 | v2: Simplify expression back to the style it was. | ||
| 19 | |||
| 20 | --- a/xen/arch/x86/mm/shadow/private.h | ||
| 21 | +++ b/xen/arch/x86/mm/shadow/private.h | ||
| 22 | @@ -529,7 +529,7 @@ static inline int sh_get_ref(struct doma | ||
| 23 | x = sp->u.sh.count; | ||
| 24 | nx = x + 1; | ||
| 25 | |||
| 26 | - if ( unlikely(nx >= 1U<<26) ) | ||
| 27 | + if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) ) | ||
| 28 | { | ||
| 29 | SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n", | ||
| 30 | __backpointer(sp), mfn_x(smfn)); | ||
| 31 | --- a/xen/include/asm-x86/mm.h | ||
| 32 | +++ b/xen/include/asm-x86/mm.h | ||
| 33 | @@ -82,7 +82,8 @@ struct page_info | ||
| 34 | unsigned long type:5; /* What kind of shadow is this? */ | ||
| 35 | unsigned long pinned:1; /* Is the shadow pinned? */ | ||
| 36 | unsigned long head:1; /* Is this the first page of the shadow? */ | ||
| 37 | - unsigned long count:25; /* Reference count */ | ||
| 38 | +#define PAGE_SH_REFCOUNT_WIDTH 25 | ||
| 39 | + unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */ | ||
| 40 | } sh; | ||
| 41 | |||
| 42 | /* Page is on a free list: ((count_info & PGC_count_mask) == 0). */ | ||