summaryrefslogtreecommitdiff
path: root/kernels/xen
diff options
context:
space:
mode:
authorDrtan Samos <lashdu@drtan.twilightparadox.com>2014-03-03 18:49:15 +0100
committerDrtan Samos <lashdu@drtan.twilightparadox.com>2014-03-03 18:49:15 +0100
commit926e54e67433d33d75b19b21544c5b8303389aa0 (patch)
tree6177f2e93611ffba8ef822da12850bf3565d7766 /kernels/xen
parentc850156e865805296b73eee01caa4b4469191437 (diff)
parent535ef7c5859bc88ca3a0d382261632ec8d8df066 (diff)
downloadabslibre-926e54e67433d33d75b19b21544c5b8303389aa0.tar.gz
abslibre-926e54e67433d33d75b19b21544c5b8303389aa0.tar.bz2
abslibre-926e54e67433d33d75b19b21544c5b8303389aa0.zip
Merge branch 'master' of git://projects.parabolagnulinux.org/abslibre
Diffstat (limited to 'kernels/xen')
-rw-r--r--kernels/xen/ChangeLog7
-rw-r--r--kernels/xen/PKGBUILD75
-rw-r--r--kernels/xen/xsa73-4.3-unstable.patch105
-rw-r--r--kernels/xen/xsa75-4.3-unstable.patch55
-rw-r--r--kernels/xen/xsa78.patch23
5 files changed, 60 insertions, 205 deletions
diff --git a/kernels/xen/ChangeLog b/kernels/xen/ChangeLog
index 63c33c223..8f9ef80fe 100644
--- a/kernels/xen/ChangeLog
+++ b/kernels/xen/ChangeLog
@@ -1,3 +1,10 @@
+2014-02-19 David Sutton <kantras - gmail.com>
+ * 4.3.2-1:
+ New upstream release
+ Removed unnecessary security patches (since now integrated into source)
+ Attempts to pull down additional required source file to ensure not corrupted
+ Added missing dependancy libseccomp
+
2013-11-25 David Sutton <kantras - gmail.com>
* 4.3.1-2:
Changed bluez dependancy from bluez4 to bluez
diff --git a/kernels/xen/PKGBUILD b/kernels/xen/PKGBUILD
index 6ff16c8cd..e19b5c06f 100644
--- a/kernels/xen/PKGBUILD
+++ b/kernels/xen/PKGBUILD
@@ -5,8 +5,8 @@
# Maintainer (Parabola): André Silva <emulatorman@parabola.nu>
pkgname=xen
-pkgver=4.3.1
-pkgrel=2
+pkgver=4.3.2
+pkgrel=1
pkgdesc="Virtual Machine Hypervisor & Tools (Parabola rebranded)"
arch=(i686 x86_64)
url="http://www.xenproject.org/"
@@ -21,6 +21,15 @@ options=(!buildflags !strip)
install=$pkgname.install
changelog=ChangeLog
source=(http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
+ http://xenbits.xen.org/xen-extfiles/ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
+ http://xenbits.xen.org/xen-extfiles/lwip-1.3.0.tar.gz
+ http://xenbits.xen.org/xen-extfiles/zlib-1.2.3.tar.gz
+ http://xenbits.xen.org/xen-extfiles/newlib-1.16.0.tar.gz
+ http://xenbits.xen.org/xen-extfiles/pciutils-2.2.9.tar.bz2
+ http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz
+ http://xenbits.xen.org/xen-extfiles/grub-0.97.tar.gz
+ http://xenbits.xen.org/xen-extfiles/tpm_emulator-0.7.4.tar.gz
+ http://xenbits.xen.org/xen-extfiles/gmp-4.3.2.tar.bz2
xen.install
09_xen
bios_workaround.patch
@@ -38,11 +47,27 @@ source=(http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
conf.d-xenstored
tmpfiles.d-$pkgname.conf
grub.conf
- xsa73-4.3-unstable.patch
- xsa75-4.3-unstable.patch
- xsa78.patch
$pkgname.conf)
-sha256sums=('3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd'
+noextract=(lwip-1.3.0.tar.gz
+ zlib-1.2.3.tar.gz
+ newlib-1.16.0.tar.gz
+ pciutils-2.2.9.tar.bz2
+ polarssl-1.1.4-gpl.tgz
+ grub-0.97.tar.gz
+ tpm_emulator-0.7.4.tar.gz
+ gmp-4.3.2.tar.bz2
+ ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz)
+
+sha256sums=('17611d95f955302560ff72d97c08933b4e62bc2e8ffb71400fc54e388746ff69'
+ '632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c'
+ '772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f'
+ '1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e'
+ 'db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07'
+ 'f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24'
+ '2d29fd04a0d0ba29dae6bd29fb418944c08d3916665dcca74afb297ef37584b6'
+ '4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b'
+ '4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459'
+ '936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775'
'0f6ebf3437974d1708c9e74005b976479ab8ff28adec394208153bf404b411f8'
'74a957d783458b7481c7a09c3ed94ec2e07ee7943e4b7fa33d3684b8d585139e'
'914cc983da1fe89ff125d751c979b4968f8952da21b19b900fcd4e6b33e14552'
@@ -60,11 +85,17 @@ sha256sums=('3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd'
'0e1ad0a6a72b0c22025a556c23235a8f663427f1e769c45fe39d1c525bf82eff'
'40e0760810a49f925f2ae9f986940b40eba477dc6d3e83a78baaae096513b3cf'
'78398fb27edfedb432b5f4e4bf87b5dbee41f180c623d29f758234a49d8bf4b4'
- '18f62049d714c3460df1f698663e42d0f8a16b9b4f62e66b40fdea635a348be5'
- '4bac312d49a4a88633af652c09128ba1bba2ca97e2e56e5fe7da6e4671c56ccb'
- 'bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3'
'50a9b7fd19e8beb1dea09755f07318f36be0b7ec53d3c9e74f3266a63e682c0c')
-sha512sums=('f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf37835528aca33a0f9e04c82d5f8c4ba79c03a1780d2b72cbb90cc26f77275'
+sha512sums=('ec94d849b56ec590b89022075ce43768d8ef44b7be9580ce032509b44c085f0f66495845607a18cd3dea6b89c69bc2a18012705556f59288cd8653c3e5eca302'
+ 'c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4'
+ '1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d'
+ '021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e'
+ '40eb96bbc6736a16b6399e0cdb73e853d0d90b685c967e77899183446664d64570277a633fdafdefc351b46ce210a99115769a1d9f47ac749d7e82837d4d1ac3'
+ '2b3d98d027e46d8c08037366dde6f0781ca03c610ef2b380984639e4ef39899ed8d8b8e4cd9c9dc54df101279b95879bd66bfd4d04ad07fef41e847ea7ae32b5'
+ '88da614e4d3f4409c4fd3bb3e44c7587ba051e3fed4e33d526069a67e8180212e1ea22da984656f50e290049f60ddca65383e5983c0f8884f648d71f698303ad'
+ 'c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb'
+ '4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35'
+ '2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf'
'78bfb62166ffcf136e12985809b3f412e0145a7f17388a559071f644970ccdfd2a02fe9aa4a180069b923c2e4354b061a4057096de856497f10d9cac57eae4b3'
'8667a97e10f09c5ce5ba604e38a073b7d7944f4d24c5c78a7235443b65a8cc7b6e7de90e40aa335bb17fda0858d6b517ba1e8b5a0bd6bba4ad75ad44b73f6c9c'
'7118bf02ff5338e70b3f27f8ea390cd05ea37a4ceabb4adc9d32fc57329e35e98330f0e865261dd4e670436e1a725832598888d44b1e2b17b351f59318860878'
@@ -82,9 +113,6 @@ sha512sums=('f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf
'c996d48737ad31528b0b2b1379e3ebae948d290de9ddc71f33c7c56f0634466bc7afb2eab847e851c19e3c13bb99468a0778d908606486959a40ff3272189bd3'
'53ba61587cc2e84044e935531ed161e22c36d9e90b43cab7b8e63bcc531deeefacca301b5dff39ce89210f06f1d1e4f4f5cf49d658ed5d9038c707e3c95c66ef'
'04000a802e96c11929cb94c9a2bcafbb4307620192388441d979ea85836c3395954dea53d449c1cc25c3a0a30c49d318b8de59a053c6254f5a81e87864648a9c'
- '78c94d3e473abaf857213754c7f0ef1a0dd06354cd137d1567a48d92b4106cbefd112f1dcecc90bc1f8c75d76a0e8a3425408f777044de8ec754bcda32bb7f97'
- '4fb6f678dccc9f23f2c3b27617718bc6c0a87505f7483f4d07563b7b2cc37d57d3b5ef658ee5867258916c5c2695a5086cc7790196aed85357c6d3168c06749b'
- 'b55cb25f88acc348e6777063f241269730f06482fe430706ac500cbd7127bc7c70188f84a282dc8a0369cc838999d47a09afc33fc9f24b5c214bdf59352c414c'
'ccaa2ff82e4203b11e5dec9aeccac2e165721d8067e0094603ecaa7a70b78c9eb9e2287a32687883d26b6ceae6f8d2ad7636ddf949eb658637b3ceaa6999711b')
prepare() {
@@ -101,14 +129,19 @@ prepare() {
# Uncomment line below if you want to enable ATI Passthrough support (some reported successes)
#patch -Np1 -i ../ati-passthrough.patch
- # Add Security Patches
- patch -Np1 -i ../xsa73-4.3-unstable.patch
- patch -Np1 -i ../xsa75-4.3-unstable.patch
- patch -Np1 -i ../xsa78.patch
-
# Fix Install Paths
sed -i 's:/sbin:/bin:' config/StdGNU.mk
+ # Copy supporting tarballs into place
+ cp ../lwip-1.3.0.tar.gz stubdom/
+ cp ../zlib-1.2.3.tar.gz stubdom/
+ cp ../newlib-1.16.0.tar.gz stubdom/
+ cp ../pciutils-2.2.9.tar.bz2 stubdom/
+ cp ../polarssl-1.1.4-gpl.tgz stubdom/
+ cp ../grub-0.97.tar.gz stubdom/
+ cp ../tpm_emulator-0.7.4.tar.gz stubdom/
+ cp ../gmp-4.3.2.tar.bz2 stubdom/
+
}
build() {
@@ -157,10 +190,8 @@ package() {
fi
# Compress and move syms file to a different directory
- if [ "$CARCH" == "x86_64" ]; then
- gzip boot/$pkgname-syms-$pkgver
- mv boot/$pkgname-syms-$pkgver.gz usr/share/xen
- fi
+ gzip boot/$pkgname-syms-$pkgver
+ mv boot/$pkgname-syms-$pkgver.gz usr/share/xen
##### Kill unwanted stuff #####
# hypervisor symlinks
diff --git a/kernels/xen/xsa73-4.3-unstable.patch b/kernels/xen/xsa73-4.3-unstable.patch
deleted file mode 100644
index aa36b40a1..000000000
--- a/kernels/xen/xsa73-4.3-unstable.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 068bfa76bbd52430e65853375e1d5db99d193e2f Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 31 Oct 2013 20:49:00 +0000
-Subject: [PATCH] gnttab: correct locking order reversal
-
-Coverity ID 1087189
-
-Correct a lock order reversal between a domains page allocation and grant
-table locks.
-
-This is CVE-2013-4494 / XSA-73.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
-Consolidate error handling.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Keir Fraser <keir@xen.org>
-Tested-by: Matthew Daley <mattjd@gmail.com>
----
- xen/common/grant_table.c | 52 +++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 44 insertions(+), 8 deletions(-)
-
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index f42bc7a..48df928 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-@@ -1518,6 +1518,8 @@ gnttab_transfer(
-
- for ( i = 0; i < count; i++ )
- {
-+ bool_t okay;
-+
- if (i && hypercall_preempt_check())
- return i;
-
-@@ -1626,16 +1628,18 @@ gnttab_transfer(
- * pages when it is dying.
- */
- if ( unlikely(e->is_dying) ||
-- unlikely(e->tot_pages >= e->max_pages) ||
-- unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
-+ unlikely(e->tot_pages >= e->max_pages) )
- {
-- if ( !e->is_dying )
-- gdprintk(XENLOG_INFO, "gnttab_transfer: "
-- "Transferee has no reservation "
-- "headroom (%d,%d) or provided a bad grant ref (%08x) "
-- "or is dying (%d)\n",
-- e->tot_pages, e->max_pages, gop.ref, e->is_dying);
- spin_unlock(&e->page_alloc_lock);
-+
-+ if ( e->is_dying )
-+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+ "Transferee (d%d) is dying\n", e->domain_id);
-+ else
-+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+ "Transferee (d%d) has no headroom (tot %u, max %u)\n",
-+ e->domain_id, e->tot_pages, e->max_pages);
-+
- rcu_unlock_domain(e);
- put_gfn(d, gop.mfn);
- page->count_info &= ~(PGC_count_mask|PGC_allocated);
-@@ -1647,6 +1651,38 @@ gnttab_transfer(
- /* Okay, add the page to 'e'. */
- if ( unlikely(domain_adjust_tot_pages(e, 1) == 1) )
- get_knownalive_domain(e);
-+
-+ /*
-+ * We must drop the lock to avoid a possible deadlock in
-+ * gnttab_prepare_for_transfer. We have reserved a page in e so can
-+ * safely drop the lock and re-aquire it later to add page to the
-+ * pagelist.
-+ */
-+ spin_unlock(&e->page_alloc_lock);
-+ okay = gnttab_prepare_for_transfer(e, d, gop.ref);
-+ spin_lock(&e->page_alloc_lock);
-+
-+ if ( unlikely(!okay) || unlikely(e->is_dying) )
-+ {
-+ bool_t drop_dom_ref = (domain_adjust_tot_pages(e, -1) == 0);
-+
-+ spin_unlock(&e->page_alloc_lock);
-+
-+ if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
-+ gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+ "Transferee (d%d) is now dying\n", e->domain_id);
-+
-+ if ( drop_dom_ref )
-+ put_domain(e);
-+ rcu_unlock_domain(e);
-+
-+ put_gfn(d, gop.mfn);
-+ page->count_info &= ~(PGC_count_mask|PGC_allocated);
-+ free_domheap_page(page);
-+ gop.status = GNTST_general_error;
-+ goto copyback;
-+ }
-+
- page_list_add_tail(page, &e->page_list);
- page_set_owner(page, e);
-
---
-1.7.10.4
-
diff --git a/kernels/xen/xsa75-4.3-unstable.patch b/kernels/xen/xsa75-4.3-unstable.patch
deleted file mode 100644
index 6c0c5bca1..000000000
--- a/kernels/xen/xsa75-4.3-unstable.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing
-
-Otherwise uninitialized data may be used, leading to crashes.
-
-This is XSA-75.
-
-Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/hvm/vmx/vvmx.c
-+++ b/xen/arch/x86/hvm/vmx/vvmx.c
-@@ -1508,15 +1508,10 @@ static void clear_vvmcs_launched(struct
- }
- }
-
--int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
-+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
- {
- struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
- struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-- int rc;
--
-- rc = vmx_inst_check_privilege(regs, 0);
-- if ( rc != X86EMUL_OKAY )
-- return rc;
-
- /* check VMCS is valid and IO BITMAP is set */
- if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
-@@ -1535,6 +1530,10 @@ int nvmx_handle_vmresume(struct cpu_user
- struct vcpu *v = current;
- struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
- struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
-+ int rc = vmx_inst_check_privilege(regs, 0);
-+
-+ if ( rc != X86EMUL_OKAY )
-+ return rc;
-
- if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
- {
-@@ -1554,10 +1553,13 @@ int nvmx_handle_vmresume(struct cpu_user
- int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
- {
- bool_t launched;
-- int rc;
- struct vcpu *v = current;
- struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
- struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
-+ int rc = vmx_inst_check_privilege(regs, 0);
-+
-+ if ( rc != X86EMUL_OKAY )
-+ return rc;
-
- if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
- {
diff --git a/kernels/xen/xsa78.patch b/kernels/xen/xsa78.patch
deleted file mode 100644
index 180506cdd..000000000
--- a/kernels/xen/xsa78.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-VT-d: fix TLB flushing in dma_pte_clear_one()
-
-The third parameter of __intel_iommu_iotlb_flush() is to indicate
-whether the to be flushed entry was a present one. A few lines before,
-we bailed if !dma_pte_present(*pte), so there's no need to check the
-flag here again - we can simply always pass TRUE here.
-
-This is CVE-2013-6375 / XSA-78.
-
-Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
- iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
-
- if ( !this_cpu(iommu_dont_flush_iotlb) )
-- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
-+ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
-
- unmap_vtd_domain_page(page);
-