authorGraham Christensen <graham@grahamc.com>2017-02-22 07:59:26 -0500
committerGraham Christensen <graham@grahamc.com>2017-02-22 08:00:45 -0500
commitcc4919da8968ccdd2e4f76cbdde7e2ed6c385130 (patch)
treea44f2c2fe624a66802b4810abdd57456a804397e /pkgs/applications/virtualization
parent026cfee6b0dce860841d85b8a50a00e944cf59a2 (diff)
xen: patch for XSAs: 197, 199, 207, 208, 209
XSA-197 Issue Description:

> The compiler can emit optimizations in qemu which can lead to double
> fetch vulnerabilities.  Specifically data on the rings shared
> between qemu and the hypervisor (which the guest under control can
> obtain mappings of) can be fetched twice (during which time the
> guest can alter the contents) possibly leading to arbitrary code
> execution in qemu.

More: https://xenbits.xen.org/xsa/advisory-197.html

XSA-199 Issue Description:

> The code in qemu which implements ioport read/write looks up the
> specified ioport address in a dispatch table.  The argument to the
> dispatch function is a uint32_t, and is used without a range check,
> even though the table has entries for only 2^16 ioports.
>
> When qemu is used as a standalone emulator, ioport accesses are
> generated only from cpu instructions emulated by qemu, and are
> therefore necessarily 16-bit, so there is no vulnerability.
>
> When qemu is used as a device model within Xen, io requests are
> generated by the hypervisor and read by qemu from a shared ring.  The
> entries in this ring use a common structure, including a 64-bit
> address field, for various accesses, including ioport addresses.
>
> Xen will write only 16-bit address ioport accesses.  However,
> depending on the Xen and qemu version, the ring may be writeable by
> the guest.  If so, the guest can generate out-of-range ioport
> accesses, resulting in wild pointer accesses within qemu.

More: https://xenbits.xen.org/xsa/advisory-199.html

XSA-207 Issue Description:

> Certain internal state is set up, during domain construction, in
> preparation for possible pass-through device assignment.  On ARM and
> AMD V-i hardware this setup includes memory allocation.  On guest
> teardown, cleanup was erroneously only performed when the guest
> actually had a pass-through device assigned.

More: https://xenbits.xen.org/xsa/advisory-207.html

XSA-209 Issue Description:

> When doing bitblt copy backwards, qemu should negate the blit width.
> This avoids an oob access before the start of video memory.

More: https://xenbits.xen.org/xsa/advisory-208.html

XSA-208 Issue Description:

> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
> cirrus_bitblt_cputovideo fails to check whether the specified memory
> region is safe.

More: https://xenbits.xen.org/xsa/advisory-209.html
Diffstat (limited to 'pkgs/applications/virtualization')
-rw-r--r--pkgs/applications/virtualization/xen/4.5.nix42
1 files changed, 36 insertions, 6 deletions
diff --git a/pkgs/applications/virtualization/xen/4.5.nix b/pkgs/applications/virtualization/xen/4.5.nix
index dc9d92534f00..bc8d89af5b2a 100644
--- a/pkgs/applications/virtualization/xen/4.5.nix
+++ b/pkgs/applications/virtualization/xen/4.5.nix
@@ -41,6 +41,20 @@ let
                   rev = "refs/tags/qemu-xen-${version}";
                   sha256 = "014s755slmsc7xzy7qhk9i3kbjr2grxb5yznjp71dl6xxfvnday2";
                 };
+          patches = [
+            (xsaPatch {
+              name = "197-4.5-qemuu";
+              sha256 = "09gp980qdlfpfmxy0nk7ncyaa024jnrpzx9gpq2kah21xygy5myx";
+            })
+            (xsaPatch {
+              name = "208-qemuu-4.7";
+              sha256 = "0z9b1whr8rp2riwq7wndzcnd7vw1ckwx0vbk098k2pcflrzppgrb";
+            })
+            (xsaPatch {
+              name = "209-qemuu";
+              sha256 = "05df4165by6pzxrnizkw86n2f77k9i1g4fqqpws81ycb9ng4jzin";
+            })
+          ];
         }
         { git = { name = "qemu-xen-traditional";
                   url = https://xenbits.xen.org/git-http/qemu-xen-traditional.git;
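Review bot: The entry `name = "208-qemuu-4.7"` applies a patch labelled for 4.7 to the 4.5 qemu-xen tree, unlike `197-4.5-qemuu` beside it, and nothing in the list says why that variant is the right one. A one-line comment above the entry, for example `# XSA-208: the 4.7 variant is the one that applies to this tree`, would show the next person bumping the version that the choice was deliberate; confirm the wording against the advisory before adding it. The enclosing `let` binding starts and ends outside the hunk, so how `patches` is consumed is not visible here.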
@@ -48,6 +62,24 @@ let
                   rev = "refs/tags/xen-${version}";
                   sha256 = "0n0ycxlf1wgdjkdl8l2w1i0zzssk55dfv67x8i6b2ima01r0k93r";
                 };
+          patches = [
+            (xsaPatch {
+              name = "197-4.5-qemut";
+              sha256 = "17l7npw00gyhqzzaqamwm9cawfvzm90zh6jjyy95dmqbh7smvy79";
+            })
+            (xsaPatch {
+              name = "199-trad";
+              sha256 = "0dfw6ciycw9a9s97sbnilnzhipnzmdm9f7xcfngdjfic8cqdcv42";
+            })
+            (xsaPatch {
+              name = "208-qemut";
+              sha256 = "0960vhchixp60j9h2lawgbgzf6mpcdk440kblk25a37bd6172l54";
+            })
+            (xsaPatch {
+              name = "209-qemut";
+              sha256 = "1hq8ghfzw6c47pb5vf9ngxwgs8slhbbw6cq7gk0nam44rwvz743r";
+            })
+          ];
         }
         { git = { name = "xen-libhvm";
                   url = https://github.com/ts468/xen-libhvm;
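Review bot: `197-4.5-qemut` and `199-trad` added here cover two of the three advisories named in the comment this commit deletes above `xenPatches`, but no hunk on this page adds a patch for the third, XSA-201. Unless 201 is applied in a part of the file not shown, that comment should shrink rather than disappear, e.g. `# Note this lacks a patch for XSA-201: it didn't apply.`, so the remaining gap stays visible to anyone auditing the package. `199-trad` is also applied only to this qemu-xen-traditional entry; whether the qemu-xen tree needs its own XSA-199 patch cannot be told from the diff and is worth a short comment either way.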
@@ -63,12 +95,6 @@ let
         }
       ];
 
-      # Note this lacks patches for:
-      # XSA-201
-      # XSA-199
-      # XSA-197
-      # they didn't apply, and there are plenty of other patches here
-      # to get this deployed as-is.
       xenPatches = [ ./0001-libxl-Spice-image-compression-setting-support-for-up.patch
                      ./0002-libxl-Spice-streaming-video-setting-support-for-upst.patch
                      ./0003-Add-qxl-vga-interface-support-for-upstream-qem.patch
@@ -116,6 +142,10 @@ let
                        name = "204-4.5";
                        sha256 = "083z9pbdz3f532fnzg7n2d5wzv6rmqc0f4mvc3mnmkd0rzqw8vcp";
                      })
+                     (xsaPatch {
+                       name = "207";
+                       sha256 = "0wdlhijmw9mdj6a82pyw1rwwiz605dwzjc392zr3fpb2jklrvibc";
+                     })
                    ];
   };