diff options
| author | Kai Kang <kai.kang@windriver.com> | 2015-06-18 17:02:42 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-01 21:19:41 +0100 |
| commit | 328d35b53db61c86717c68cc564a790ccfa2956c (patch) | |
| tree | 6feab80e4eb7b1df81c6d6fdad6977726ed0f442 /meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch | |
| parent | 2adb210c8cc5a11bb899e7dc76c31159ff3d4116 (diff) | |
| download | poky-328d35b53db61c86717c68cc564a790ccfa2956c.tar.gz | |
qemu: backport patches to fix CVE issues
Backport patches to fix CVE-2015-4103, CVE-2015-4104, CVE-2015-4105 and
CVE-2015-4106. These patches are from debian, but they are originally
from:
http://git.qemu.org/?p=qemu.git;a=shortlog;h=c25bbf1
(From OE-Core master rev: 496b3ffba6755bb76709c88cf81399c9d23f830a)
(From OE-Core rev: 29746e78ca000f4464c8e0a1da55c77e02c651e4)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Refresh the following patches to apply cleanly to our qemu-2.2.0:
07-xen-pt-split-out-calculation-of-throughable-mask-CVE-2015-4106.patch
10-xen-pt-add-a-few-PCI-config-space-field-descriptions-CVE-2015-4106.patch
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch b/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch new file mode 100644 index 0000000000..87fb7f6fb7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch | |||
| @@ -0,0 +1,76 @@ | |||
| 1 | Upstream-Status: Backport | ||
| 2 | |||
| 3 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
| 4 | |||
| 5 | From d1d35cf4ffb6a60a356193397919e83306d0bb74 Mon Sep 17 00:00:00 2001 | ||
| 6 | From: Jan Beulich <jbeulich@suse.com> | ||
| 7 | Date: Tue, 2 Jun 2015 15:07:01 +0000 | ||
| 8 | Subject: xen/MSI: don't open-code pass-through of enable bit modifications | ||
| 9 | Bug-Debian: http://bugs.debian.org/787547 | ||
| 10 | |||
| 11 | Without this the actual XSA-131 fix would cause the enable bit to not | ||
| 12 | get set anymore (due to the write back getting suppressed there based | ||
| 13 | on the OR of emu_mask, ro_mask, and res_mask). | ||
| 14 | |||
| 15 | Note that the fiddling with the enable bit shouldn't really be done by | ||
| 16 | qemu, but making this work right (via libxc and the hypervisor) will | ||
| 17 | require more extensive changes, which can be postponed until after the | ||
| 18 | security issue got addressed. | ||
| 19 | |||
| 20 | This is a preparatory patch for XSA-131. | ||
| 21 | |||
| 22 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
| 23 | Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> | ||
| 24 | --- | ||
| 25 | hw/xen/xen_pt_config_init.c | 10 ++-------- | ||
| 26 | 1 file changed, 2 insertions(+), 8 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c | ||
| 29 | index 68b8f22..436d0fd 100644 | ||
| 30 | --- a/hw/xen/xen_pt_config_init.c | ||
| 31 | +++ b/hw/xen/xen_pt_config_init.c | ||
| 32 | @@ -1053,7 +1053,6 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s, | ||
| 33 | XenPTMSI *msi = s->msi; | ||
| 34 | uint16_t writable_mask = 0; | ||
| 35 | uint16_t throughable_mask = 0; | ||
| 36 | - uint16_t raw_val; | ||
| 37 | |||
| 38 | /* Currently no support for multi-vector */ | ||
| 39 | if (*val & PCI_MSI_FLAGS_QSIZE) { | ||
| 40 | @@ -1066,12 +1065,11 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s, | ||
| 41 | msi->flags |= cfg_entry->data & ~PCI_MSI_FLAGS_ENABLE; | ||
| 42 | |||
| 43 | /* create value for writing to I/O device register */ | ||
| 44 | - raw_val = *val; | ||
| 45 | throughable_mask = ~reg->emu_mask & valid_mask; | ||
| 46 | *val = XEN_PT_MERGE_VALUE(*val, dev_value, throughable_mask); | ||
| 47 | |||
| 48 | /* update MSI */ | ||
| 49 | - if (raw_val & PCI_MSI_FLAGS_ENABLE) { | ||
| 50 | + if (*val & PCI_MSI_FLAGS_ENABLE) { | ||
| 51 | /* setup MSI pirq for the first time */ | ||
| 52 | if (!msi->initialized) { | ||
| 53 | /* Init physical one */ | ||
| 54 | @@ -1099,10 +1097,6 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s, | ||
| 55 | xen_pt_msi_disable(s); | ||
| 56 | } | ||
| 57 | |||
| 58 | - /* pass through MSI_ENABLE bit */ | ||
| 59 | - *val &= ~PCI_MSI_FLAGS_ENABLE; | ||
| 60 | - *val |= raw_val & PCI_MSI_FLAGS_ENABLE; | ||
| 61 | - | ||
| 62 | return 0; | ||
| 63 | } | ||
| 64 | |||
| 65 | @@ -1301,7 +1295,7 @@ static XenPTRegInfo xen_pt_emu_reg_msi[] = { | ||
| 66 | .size = 2, | ||
| 67 | .init_val = 0x0000, | ||
| 68 | .ro_mask = 0xFF8E, | ||
| 69 | - .emu_mask = 0x017F, | ||
| 70 | + .emu_mask = 0x017E, | ||
| 71 | .init = xen_pt_msgctrl_reg_init, | ||
| 72 | .u.w.read = xen_pt_word_reg_read, | ||
| 73 | .u.w.write = xen_pt_msgctrl_reg_write, | ||
| 74 | -- | ||
| 75 | 2.1.4 | ||
| 76 | |||