1 files changed, 76 insertions, 0 deletions

diff --git a/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch b/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch
new file mode 100644
index 0000000000..87fb7f6fb7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch
@@ -0,0 +1,76 @@
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From d1d35cf4ffb6a60a356193397919e83306d0bb74 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 2 Jun 2015 15:07:01 +0000
+Subject: xen/MSI: don't open-code pass-through of enable bit modifications
+Bug-Debian: http://bugs.debian.org/787547
+
+Without this the actual XSA-131 fix would cause the enable bit to not
+get set anymore (due to the write back getting suppressed there based
+on the OR of emu_mask, ro_mask, and res_mask).
+
+Note that the fiddling with the enable bit shouldn't really be done by
+qemu, but making this work right (via libxc and the hypervisor) will
+require more extensive changes, which can be postponed until after the
+security issue got addressed.
+
+This is a preparatory patch for XSA-131.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+---
+ hw/xen/xen_pt_config_init.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
+index 68b8f22..436d0fd 100644
+--- a/hw/xen/xen_pt_config_init.c
++++ b/hw/xen/xen_pt_config_init.c
+@@ -1053,7 +1053,6 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s,
+     XenPTMSI *msi = s->msi;
+     uint16_t writable_mask = 0;
+     uint16_t throughable_mask = 0;
+-    uint16_t raw_val;
+ 
+     /* Currently no support for multi-vector */
+     if (*val & PCI_MSI_FLAGS_QSIZE) {
+@@ -1066,12 +1065,11 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s,
+     msi->flags |= cfg_entry->data & ~PCI_MSI_FLAGS_ENABLE;
+ 
+     /* create value for writing to I/O device register */
+-    raw_val = *val;
+     throughable_mask = ~reg->emu_mask & valid_mask;
+     *val = XEN_PT_MERGE_VALUE(*val, dev_value, throughable_mask);
+ 
+     /* update MSI */
+-    if (raw_val & PCI_MSI_FLAGS_ENABLE) {
++    if (*val & PCI_MSI_FLAGS_ENABLE) {
+         /* setup MSI pirq for the first time */
+         if (!msi->initialized) {
+             /* Init physical one */
+@@ -1099,10 +1097,6 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s,
+         xen_pt_msi_disable(s);
+     }
+ 
+-    /* pass through MSI_ENABLE bit */
+-    *val &= ~PCI_MSI_FLAGS_ENABLE;
+-    *val |= raw_val & PCI_MSI_FLAGS_ENABLE;
+-
+     return 0;
+ }
+ 
+@@ -1301,7 +1295,7 @@ static XenPTRegInfo xen_pt_emu_reg_msi[] = {
+         .size       = 2,
+         .init_val   = 0x0000,
+         .ro_mask    = 0xFF8E,
+-        .emu_mask   = 0x017F,
++        .emu_mask   = 0x017E,
+         .init       = xen_pt_msgctrl_reg_init,
+         .u.w.read   = xen_pt_word_reg_read,
+         .u.w.write  = xen_pt_msgctrl_reg_write,
+-- 
+2.1.4
+