xen: apply patch for XSA-105.

See http://seclists.org/oss-sec/2014/q3/637
2014-09-25 20:52:18 +02:00 · 2014-09-25 20:52:18 +02:00 · 23a29f3263
parent 4b20ea60ad
commit 23a29f3263
2 changed files with 38 additions and 1 deletions
--- a/srcpkgs/xen/patches/xsa105.patch
+++ b/srcpkgs/xen/patches/xsa105.patch
@ -0,0 +1,37 @@
+x86/emulate: check cpl for all privileged instructions
+
+Without this, it is possible for userspace to load its own IDT or GDT.
+
+This is XSA-105.
+
+Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Andrei LUTAS <vlutas@bitdefender.com>
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c
+++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3314,6 +3314,7 @@ x86_emulate(
+         goto swint;
+ 
+     case 0xf4: /* hlt */
+        generate_exception_if(!mode_ring0(), EXC_GP, 0);
+         ctxt->retire.flags.hlt = 1;
+         break;
+ 
+@@ -3710,6 +3711,7 @@ x86_emulate(
+             break;
+         case 2: /* lgdt */
+         case 3: /* lidt */
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
+             generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+             fail_if(ops->write_segment == NULL);
+             memset(&reg, 0, sizeof(reg));
+@@ -3738,6 +3740,7 @@ x86_emulate(
+         case 6: /* lmsw */
+             fail_if(ops->read_cr == NULL);
+             fail_if(ops->write_cr == NULL);
+            generate_exception_if(!mode_ring0(), EXC_GP, 0);
+             if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
+                 goto done;
+             if ( ea.type == OP_REG )
--- a/srcpkgs/xen/template
+++ b/srcpkgs/xen/template
@ -2,7 +2,7 @@
 pkgname=xen
 version=4.4.1
 wrksrc=xen-${version}
-revision=1
+revision=2
 short_desc="The Xen hypervisor utilities"
 maintainer="Juan RP <xtraeme@gmail.com>"
 homepage="http://xen.org"