From 23a29f32635fa475d39eedb08ee07bd767281c38 Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Thu, 25 Sep 2014 20:52:18 +0200
Subject: [PATCH] xen: apply patch for XSA-105. See http://seclists.org/oss-sec/2014/q3/637
---
 srcpkgs/xen/patches/xsa105.patch | 37 ++++++++++++++++++++++++++++++++
 srcpkgs/xen/template | 2 +-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/xen/patches/xsa105.patch
diff --git a/srcpkgs/xen/patches/xsa105.patch b/srcpkgs/xen/patches/xsa105.patch
new file mode 100644
index 00000000000..978ca9920f5
--- /dev/null
+++ b/srcpkgs/xen/patches/xsa105.patch
@@ -0,0 +1,37 @@
+x86/emulate: check cpl for all privileged instructions
+
+Without this, it is possible for userspace to load its own IDT or GDT.
+
+This is XSA-105.
+
+Reported-by: Andrei LUTAS
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+Tested-by: Andrei LUTAS
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -3314,6 +3314,7 @@ x86_emulate(
+ goto swint;
+
+ case 0xf4: /* hlt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ ctxt->retire.flags.hlt = 1;
+ break;
+
+@@ -3710,6 +3711,7 @@ x86_emulate(
+ break;
+ case 2: /* lgdt */
+ case 3: /* lidt */
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
+ fail_if(ops->write_segment == NULL);
+ memset(®, 0, sizeof(reg));
+@@ -3738,6 +3740,7 @@ x86_emulate(
+ case 6: /* lmsw */
+ fail_if(ops->read_cr == NULL);
+ fail_if(ops->write_cr == NULL);
++ generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
+ goto done;
+ if ( ea.type == OP_REG )
diff --git a/srcpkgs/xen/template b/srcpkgs/xen/template
index 5701a0ca51c..604642f5fa4 100644
--- a/srcpkgs/xen/template
+++ b/srcpkgs/xen/template
@@ -2,7 +2,7 @@
 pkgname=xen
 version=4.4.1
 wrksrc=xen-${version}
-revision=1
+revision=2
 short_desc="The Xen hypervisor utilities"
 maintainer="Juan RP "
 homepage="http://xen.org"
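Review bot: The lmsw guard in the third inner hunk of xsa105.patch is placed after the two `fail_if(ops->read_cr == NULL);` / `fail_if(ops->write_cr == NULL);` checks, whereas the hlt and lgdt/lidt guards are the first statement of their case. With a missing CR callback a non-ring-0 caller would therefore presumably get an emulation failure rather than #GP. The privileged operation is refused on both paths, so the fix itself holds. For consistency `generate_exception_if(!mode_ring0(), EXC_GP, 0);` could sit directly under `case 6: /* lmsw */`, though keeping the file identical to the upstream advisory patch is a sound reason to leave it as is. `mode_ring0()` and the rest of `x86_emulate()` lie outside these hunks, so how the CPL lookup behaves on failure cannot be checked from here.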