1 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch b/meta/recipes-devtools/qemu/qemu/09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch
new file mode 100644
index 0000000000..99b8ba4904
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch
@@ -0,0 +1,94 @@
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 0ad3393ad032f76e88b4dbd04d36ad84dff75dd6 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 2 Jun 2015 15:07:01 +0000
+Subject: xen/pt: mark reserved bits in PCI config space fields
+Bug-Debian: http://bugs.debian.org/787547
+The adjustments are solely to make the subsequent patches work right
+(and hence make the patch set consistent), namely if permissive mode
+(introduced by the last patch) gets used (as both reserved registers
+and reserved fields must be similarly protected from guest access in
+default mode, but the guest should be allowed access to them in
+permissive mode).
+This is a preparatory patch for XSA-131.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+---
+ hw/xen/xen_pt.h             |  2 ++
+ hw/xen/xen_pt_config_init.c | 14 +++++++++-----
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h
+index 8c9b6c2..f9795eb 100644
+--- a/hw/xen/xen_pt.h
+++ b/hw/xen/xen_pt.h
+@@ -101,6 +101,8 @@ struct XenPTRegInfo {
+     uint32_t offset;
+     uint32_t size;
+     uint32_t init_val;
+    /* reg reserved field mask (ON:reserved, OFF:defined) */
+    uint32_t res_mask;
+     /* reg read only field mask (ON:RO/ROS, OFF:other) */
+     uint32_t ro_mask;
+     /* reg emulate field mask (ON:emu, OFF:passthrough) */
+diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
+index 9f6c00e..efd8bac 100644
+--- a/hw/xen/xen_pt_config_init.c
+++ b/hw/xen/xen_pt_config_init.c
+@@ -578,7 +578,7 @@ static XenPTRegInfo xen_pt_emu_reg_header0[] = {
+         .offset     = PCI_COMMAND,
+         .size       = 2,
+         .init_val   = 0x0000,
+-        .ro_mask    = 0xF880,
+        .res_mask   = 0xF880,
+         .emu_mask   = 0x0743,
+         .init       = xen_pt_common_reg_init,
+         .u.w.read   = xen_pt_word_reg_read,
+@@ -603,7 +603,8 @@ static XenPTRegInfo xen_pt_emu_reg_header0[] = {
+         .offset     = PCI_STATUS,
+         .size       = 2,
+         .init_val   = 0x0000,
+-        .ro_mask    = 0x06FF,
+        .res_mask   = 0x0007,
+        .ro_mask    = 0x06F8,
+         .emu_mask   = 0x0010,
+         .init       = xen_pt_status_reg_init,
+         .u.w.read   = xen_pt_word_reg_read,
+@@ -980,7 +981,8 @@ static XenPTRegInfo xen_pt_emu_reg_pm[] = {
+         .offset     = PCI_PM_CTRL,
+         .size       = 2,
+         .init_val   = 0x0008,
+-        .ro_mask    = 0xE1FC,
+        .res_mask   = 0x00F0,
+        .ro_mask    = 0xE10C,
+         .emu_mask   = 0x810B,
+         .init       = xen_pt_common_reg_init,
+         .u.w.read   = xen_pt_word_reg_read,
+@@ -1268,7 +1270,8 @@ static XenPTRegInfo xen_pt_emu_reg_msi[] = {
+         .offset     = PCI_MSI_FLAGS,
+         .size       = 2,
+         .init_val   = 0x0000,
+-        .ro_mask    = 0xFF8E,
+        .res_mask   = 0xFE00,
+        .ro_mask    = 0x018E,
+         .emu_mask   = 0x017E,
+         .init       = xen_pt_msgctrl_reg_init,
+         .u.w.read   = xen_pt_word_reg_read,
+@@ -1446,7 +1449,8 @@ static XenPTRegInfo xen_pt_emu_reg_msix[] = {
+         .offset     = PCI_MSI_FLAGS,
+         .size       = 2,
+         .init_val   = 0x0000,
+-        .ro_mask    = 0x3FFF,
+        .res_mask   = 0x3800,
+        .ro_mask    = 0x07FF,
+         .emu_mask   = 0x0000,
+         .init       = xen_pt_msixctrl_reg_init,
+         .u.w.read   = xen_pt_word_reg_read,
+-- 
+2.1.4

diff --git a/meta/recipes-devtools/qemu/qemu/09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch b/meta/recipes-devtools/qemu/qemu/09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch new file mode 100644 index 0000000000..99b8ba4904 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/09-xen-pt-mark-reserved-bits-in-PCI-config-space-fields-CVE-2015-4106.patch
@@ -0,0 +1,94 @@
	1	Upstream-Status: Backport
	2
	3	Signed-off-by: Kai Kang <kai.kang@windriver.com>
	4
	5	From 0ad3393ad032f76e88b4dbd04d36ad84dff75dd6 Mon Sep 17 00:00:00 2001
	6	From: Jan Beulich <jbeulich@suse.com>
	7	Date: Tue, 2 Jun 2015 15:07:01 +0000
	8	Subject: xen/pt: mark reserved bits in PCI config space fields
	9	Bug-Debian: http://bugs.debian.org/787547
	10
	11	The adjustments are solely to make the subsequent patches work right
	12	(and hence make the patch set consistent), namely if permissive mode
	13	(introduced by the last patch) gets used (as both reserved registers
	14	and reserved fields must be similarly protected from guest access in
	15	default mode, but the guest should be allowed access to them in
	16	permissive mode).
	17
	18	This is a preparatory patch for XSA-131.
	19
	20	Signed-off-by: Jan Beulich <jbeulich@suse.com>
	21	---
	22	hw/xen/xen_pt.h \| 2 ++
	23	hw/xen/xen_pt_config_init.c \| 14 +++++++++-----
	24	2 files changed, 11 insertions(+), 5 deletions(-)
	25
	26	diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h
	27	index 8c9b6c2..f9795eb 100644
	28	--- a/hw/xen/xen_pt.h
	29	+++ b/hw/xen/xen_pt.h
	30	@@ -101,6 +101,8 @@ struct XenPTRegInfo {
	31	uint32_t offset;
	32	uint32_t size;
	33	uint32_t init_val;
	34	+ /* reg reserved field mask (ON:reserved, OFF:defined) */
	35	+ uint32_t res_mask;
	36	/* reg read only field mask (ON:RO/ROS, OFF:other) */
	37	uint32_t ro_mask;
	38	/* reg emulate field mask (ON:emu, OFF:passthrough) */
	39	diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
	40	index 9f6c00e..efd8bac 100644
	41	--- a/hw/xen/xen_pt_config_init.c
	42	+++ b/hw/xen/xen_pt_config_init.c
	43	@@ -578,7 +578,7 @@ static XenPTRegInfo xen_pt_emu_reg_header0[] = {
	44	.offset = PCI_COMMAND,
	45	.size = 2,
	46	.init_val = 0x0000,
	47	- .ro_mask = 0xF880,
	48	+ .res_mask = 0xF880,
	49	.emu_mask = 0x0743,
	50	.init = xen_pt_common_reg_init,
	51	.u.w.read = xen_pt_word_reg_read,
	52	@@ -603,7 +603,8 @@ static XenPTRegInfo xen_pt_emu_reg_header0[] = {
	53	.offset = PCI_STATUS,
	54	.size = 2,
	55	.init_val = 0x0000,
	56	- .ro_mask = 0x06FF,
	57	+ .res_mask = 0x0007,
	58	+ .ro_mask = 0x06F8,
	59	.emu_mask = 0x0010,
	60	.init = xen_pt_status_reg_init,
	61	.u.w.read = xen_pt_word_reg_read,
	62	@@ -980,7 +981,8 @@ static XenPTRegInfo xen_pt_emu_reg_pm[] = {
	63	.offset = PCI_PM_CTRL,
	64	.size = 2,
	65	.init_val = 0x0008,
	66	- .ro_mask = 0xE1FC,
	67	+ .res_mask = 0x00F0,
	68	+ .ro_mask = 0xE10C,
	69	.emu_mask = 0x810B,
	70	.init = xen_pt_common_reg_init,
	71	.u.w.read = xen_pt_word_reg_read,
	72	@@ -1268,7 +1270,8 @@ static XenPTRegInfo xen_pt_emu_reg_msi[] = {
	73	.offset = PCI_MSI_FLAGS,
	74	.size = 2,
	75	.init_val = 0x0000,
	76	- .ro_mask = 0xFF8E,
	77	+ .res_mask = 0xFE00,
	78	+ .ro_mask = 0x018E,
	79	.emu_mask = 0x017E,
	80	.init = xen_pt_msgctrl_reg_init,
	81	.u.w.read = xen_pt_word_reg_read,
	82	@@ -1446,7 +1449,8 @@ static XenPTRegInfo xen_pt_emu_reg_msix[] = {
	83	.offset = PCI_MSI_FLAGS,
	84	.size = 2,
	85	.init_val = 0x0000,
	86	- .ro_mask = 0x3FFF,
	87	+ .res_mask = 0x3800,
	88	+ .ro_mask = 0x07FF,
	89	.emu_mask = 0x0000,
	90	.init = xen_pt_msixctrl_reg_init,
	91	.u.w.read = xen_pt_word_reg_read,
	92	--
	93	2.1.4
	94