From a1bac0f7dfe3e1a29c03f7e307ea6da355859409 Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Thu, 18 Jun 2015 17:02:42 +0800 Subject: qemu: backport patches to fix CVE issues Backport patches to fix CVE-2015-4103, CVE-2015-4104, CVE-2015-4105 and CVE-2015-4106. These patches are from debian, but they are originally from: http://git.qemu.org/?p=qemu.git;a=shortlog;h=c25bbf1 (From OE-Core rev: 496b3ffba6755bb76709c88cf81399c9d23f830a) Signed-off-by: Kai Kang Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- ...s-through-of-enable-bit-mod-CVE-2015-4106.patch | 76 ++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch (limited to 'meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch') diff --git a/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch b/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch new file mode 100644 index 0000000000..87fb7f6fb7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/04-xen-MSI-dont-open-code-pass-through-of-enable-bit-mod-CVE-2015-4106.patch @@ -0,0 +1,76 @@ +Upstream-Status: Backport + +Signed-off-by: Kai Kang + +From d1d35cf4ffb6a60a356193397919e83306d0bb74 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 2 Jun 2015 15:07:01 +0000 +Subject: xen/MSI: don't open-code pass-through of enable bit modifications +Bug-Debian: http://bugs.debian.org/787547 + +Without this the actual XSA-131 fix would cause the enable bit to not +get set anymore (due to the write back getting suppressed there based +on the OR of emu_mask, ro_mask, and res_mask). + +Note that the fiddling with the enable bit shouldn't really be done by +qemu, but making this work right (via libxc and the hypervisor) will +require more extensive changes, which can be postponed until after the +security issue got addressed. + +This is a preparatory patch for XSA-131. + +Signed-off-by: Jan Beulich +Acked-by: Stefano Stabellini +--- + hw/xen/xen_pt_config_init.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c +index 68b8f22..436d0fd 100644 +--- a/hw/xen/xen_pt_config_init.c ++++ b/hw/xen/xen_pt_config_init.c +@@ -1053,7 +1053,6 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s, + XenPTMSI *msi = s->msi; + uint16_t writable_mask = 0; + uint16_t throughable_mask = 0; +- uint16_t raw_val; + + /* Currently no support for multi-vector */ + if (*val & PCI_MSI_FLAGS_QSIZE) { +@@ -1066,12 +1065,11 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s, + msi->flags |= cfg_entry->data & ~PCI_MSI_FLAGS_ENABLE; + + /* create value for writing to I/O device register */ +- raw_val = *val; + throughable_mask = ~reg->emu_mask & valid_mask; + *val = XEN_PT_MERGE_VALUE(*val, dev_value, throughable_mask); + + /* update MSI */ +- if (raw_val & PCI_MSI_FLAGS_ENABLE) { ++ if (*val & PCI_MSI_FLAGS_ENABLE) { + /* setup MSI pirq for the first time */ + if (!msi->initialized) { + /* Init physical one */ +@@ -1099,10 +1097,6 @@ static int xen_pt_msgctrl_reg_write(XenPCIPassthroughState *s, + xen_pt_msi_disable(s); + } + +- /* pass through MSI_ENABLE bit */ +- *val &= ~PCI_MSI_FLAGS_ENABLE; +- *val |= raw_val & PCI_MSI_FLAGS_ENABLE; +- + return 0; + } + +@@ -1301,7 +1295,7 @@ static XenPTRegInfo xen_pt_emu_reg_msi[] = { + .size = 2, + .init_val = 0x0000, + .ro_mask = 0xFF8E, +- .emu_mask = 0x017F, ++ .emu_mask = 0x017E, + .init = xen_pt_msgctrl_reg_init, + .u.w.read = xen_pt_word_reg_read, + .u.w.write = xen_pt_msgctrl_reg_write, +-- +2.1.4 + -- cgit v1.2.3-54-g00ecf