xen-4.3.2-1: updating version

author: André Fabian Silva Delgado <emulatorman@parabola.nu> 2014-02-25 03:54:30 -0200
committer: André Fabian Silva Delgado <emulatorman@parabola.nu> 2014-02-25 03:54:30 -0200
commit: ef908aca0b76901da1491ab0ed29a1e8e19640f6 (patch)
tree: 8b72691f726c72151b90b7180429f47c470d9f78 /kernels
parent: 9f723766b260d4942426216ecede5ebe4631c456 (diff)
download: abslibre-ef908aca0b76901da1491ab0ed29a1e8e19640f6.tar.gz
abslibre-ef908aca0b76901da1491ab0ed29a1e8e19640f6.tar.bz2
abslibre-ef908aca0b76901da1491ab0ed29a1e8e19640f6.zip
5 files changed, 60 insertions, 205 deletions
diff --git a/kernels/xen/ChangeLog b/kernels/xen/ChangeLog
index 63c33c223..8f9ef80fe 100644
--- a/kernels/xen/ChangeLog
+++ b/kernels/xen/ChangeLog
@@ -1,3 +1,10 @@
+2014-02-19 David Sutton <kantras - gmail.com>
+	* 4.3.2-1:
+	New upstream release
+	Removed unnecessary security patches (since now integrated into source)
+	Attempts to pull down additional required source file to ensure not corrupted
+	Added missing dependancy libseccomp
+
 2013-11-25 David Sutton <kantras - gmail.com>
 	* 4.3.1-2:
 	Changed bluez dependancy from bluez4 to bluez
diff --git a/kernels/xen/PKGBUILD b/kernels/xen/PKGBUILD
index 6ff16c8cd..e19b5c06f 100644
--- a/kernels/xen/PKGBUILD
+++ b/kernels/xen/PKGBUILD
@@ -5,8 +5,8 @@
 # Maintainer (Parabola): André Silva <emulatorman@parabola.nu>
 
 pkgname=xen
-pkgver=4.3.1
-pkgrel=2
+pkgver=4.3.2
+pkgrel=1
 pkgdesc="Virtual Machine Hypervisor & Tools (Parabola rebranded)"
 arch=(i686 x86_64)
 url="http://www.xenproject.org/"
@@ -21,6 +21,15 @@ options=(!buildflags !strip)
 install=$pkgname.install
 changelog=ChangeLog
 source=(http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
+    http://xenbits.xen.org/xen-extfiles/ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
+    http://xenbits.xen.org/xen-extfiles/lwip-1.3.0.tar.gz
+    http://xenbits.xen.org/xen-extfiles/zlib-1.2.3.tar.gz
+    http://xenbits.xen.org/xen-extfiles/newlib-1.16.0.tar.gz
+    http://xenbits.xen.org/xen-extfiles/pciutils-2.2.9.tar.bz2
+    http://xenbits.xen.org/xen-extfiles/polarssl-1.1.4-gpl.tgz
+    http://xenbits.xen.org/xen-extfiles/grub-0.97.tar.gz
+    http://xenbits.xen.org/xen-extfiles/tpm_emulator-0.7.4.tar.gz
+    http://xenbits.xen.org/xen-extfiles/gmp-4.3.2.tar.bz2
     xen.install
     09_xen
     bios_workaround.patch
@@ -38,11 +47,27 @@ source=(http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
     conf.d-xenstored
     tmpfiles.d-$pkgname.conf
     grub.conf
-    xsa73-4.3-unstable.patch
-    xsa75-4.3-unstable.patch
-    xsa78.patch
     $pkgname.conf)
-sha256sums=('3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd'
+noextract=(lwip-1.3.0.tar.gz
+    zlib-1.2.3.tar.gz
+    newlib-1.16.0.tar.gz
+    pciutils-2.2.9.tar.bz2
+    polarssl-1.1.4-gpl.tgz
+    grub-0.97.tar.gz
+    tpm_emulator-0.7.4.tar.gz
+    gmp-4.3.2.tar.bz2
+    ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz)
+
+sha256sums=('17611d95f955302560ff72d97c08933b4e62bc2e8ffb71400fc54e388746ff69'
+            '632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c'
+            '772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f'
+            '1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e'
+            'db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07'
+            'f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24'
+            '2d29fd04a0d0ba29dae6bd29fb418944c08d3916665dcca74afb297ef37584b6'
+            '4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b'
+            '4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459'
+            '936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775'
             '0f6ebf3437974d1708c9e74005b976479ab8ff28adec394208153bf404b411f8'
             '74a957d783458b7481c7a09c3ed94ec2e07ee7943e4b7fa33d3684b8d585139e'
             '914cc983da1fe89ff125d751c979b4968f8952da21b19b900fcd4e6b33e14552'
@@ -60,11 +85,17 @@ sha256sums=('3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd'
             '0e1ad0a6a72b0c22025a556c23235a8f663427f1e769c45fe39d1c525bf82eff'
             '40e0760810a49f925f2ae9f986940b40eba477dc6d3e83a78baaae096513b3cf'
             '78398fb27edfedb432b5f4e4bf87b5dbee41f180c623d29f758234a49d8bf4b4'
-            '18f62049d714c3460df1f698663e42d0f8a16b9b4f62e66b40fdea635a348be5'
-            '4bac312d49a4a88633af652c09128ba1bba2ca97e2e56e5fe7da6e4671c56ccb'
-            'bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3'
             '50a9b7fd19e8beb1dea09755f07318f36be0b7ec53d3c9e74f3266a63e682c0c')
-sha512sums=('f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf37835528aca33a0f9e04c82d5f8c4ba79c03a1780d2b72cbb90cc26f77275'
+sha512sums=('ec94d849b56ec590b89022075ce43768d8ef44b7be9580ce032509b44c085f0f66495845607a18cd3dea6b89c69bc2a18012705556f59288cd8653c3e5eca302'
+            'c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4'
+            '1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d'
+            '021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e'
+            '40eb96bbc6736a16b6399e0cdb73e853d0d90b685c967e77899183446664d64570277a633fdafdefc351b46ce210a99115769a1d9f47ac749d7e82837d4d1ac3'
+            '2b3d98d027e46d8c08037366dde6f0781ca03c610ef2b380984639e4ef39899ed8d8b8e4cd9c9dc54df101279b95879bd66bfd4d04ad07fef41e847ea7ae32b5'
+            '88da614e4d3f4409c4fd3bb3e44c7587ba051e3fed4e33d526069a67e8180212e1ea22da984656f50e290049f60ddca65383e5983c0f8884f648d71f698303ad'
+            'c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb'
+            '4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35'
+            '2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf'
             '78bfb62166ffcf136e12985809b3f412e0145a7f17388a559071f644970ccdfd2a02fe9aa4a180069b923c2e4354b061a4057096de856497f10d9cac57eae4b3'
             '8667a97e10f09c5ce5ba604e38a073b7d7944f4d24c5c78a7235443b65a8cc7b6e7de90e40aa335bb17fda0858d6b517ba1e8b5a0bd6bba4ad75ad44b73f6c9c'
             '7118bf02ff5338e70b3f27f8ea390cd05ea37a4ceabb4adc9d32fc57329e35e98330f0e865261dd4e670436e1a725832598888d44b1e2b17b351f59318860878'
@@ -82,9 +113,6 @@ sha512sums=('f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf
             'c996d48737ad31528b0b2b1379e3ebae948d290de9ddc71f33c7c56f0634466bc7afb2eab847e851c19e3c13bb99468a0778d908606486959a40ff3272189bd3'
             '53ba61587cc2e84044e935531ed161e22c36d9e90b43cab7b8e63bcc531deeefacca301b5dff39ce89210f06f1d1e4f4f5cf49d658ed5d9038c707e3c95c66ef'
             '04000a802e96c11929cb94c9a2bcafbb4307620192388441d979ea85836c3395954dea53d449c1cc25c3a0a30c49d318b8de59a053c6254f5a81e87864648a9c'
-            '78c94d3e473abaf857213754c7f0ef1a0dd06354cd137d1567a48d92b4106cbefd112f1dcecc90bc1f8c75d76a0e8a3425408f777044de8ec754bcda32bb7f97'
-            '4fb6f678dccc9f23f2c3b27617718bc6c0a87505f7483f4d07563b7b2cc37d57d3b5ef658ee5867258916c5c2695a5086cc7790196aed85357c6d3168c06749b'
-            'b55cb25f88acc348e6777063f241269730f06482fe430706ac500cbd7127bc7c70188f84a282dc8a0369cc838999d47a09afc33fc9f24b5c214bdf59352c414c'
             'ccaa2ff82e4203b11e5dec9aeccac2e165721d8067e0094603ecaa7a70b78c9eb9e2287a32687883d26b6ceae6f8d2ad7636ddf949eb658637b3ceaa6999711b')
 
 prepare() {
@@ -101,14 +129,19 @@ prepare() {
     # Uncomment line below if you want to enable ATI Passthrough support (some reported successes)
     #patch -Np1 -i ../ati-passthrough.patch
 
-    # Add Security Patches
-    patch -Np1 -i ../xsa73-4.3-unstable.patch
-    patch -Np1 -i ../xsa75-4.3-unstable.patch
-    patch -Np1 -i ../xsa78.patch
-
     # Fix Install Paths
     sed -i 's:/sbin:/bin:' config/StdGNU.mk
 
+    # Copy supporting tarballs into place
+    cp ../lwip-1.3.0.tar.gz stubdom/
+    cp ../zlib-1.2.3.tar.gz stubdom/
+    cp ../newlib-1.16.0.tar.gz stubdom/
+    cp ../pciutils-2.2.9.tar.bz2 stubdom/
+    cp ../polarssl-1.1.4-gpl.tgz stubdom/
+    cp ../grub-0.97.tar.gz stubdom/
+    cp ../tpm_emulator-0.7.4.tar.gz stubdom/
+    cp ../gmp-4.3.2.tar.bz2 stubdom/
+
 }
 
 build() {
@@ -157,10 +190,8 @@ package() {
     fi
 
     # Compress and move syms file to a different directory
-    if [ "$CARCH" == "x86_64" ]; then
-      gzip boot/$pkgname-syms-$pkgver
-      mv boot/$pkgname-syms-$pkgver.gz usr/share/xen
-    fi
+    gzip boot/$pkgname-syms-$pkgver
+    mv boot/$pkgname-syms-$pkgver.gz usr/share/xen
 
     ##### Kill unwanted stuff #####
     # hypervisor symlinks
diff --git a/kernels/xen/xsa73-4.3-unstable.patch b/kernels/xen/xsa73-4.3-unstable.patch
deleted file mode 100644
index aa36b40a1..000000000
--- a/kernels/xen/xsa73-4.3-unstable.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 068bfa76bbd52430e65853375e1d5db99d193e2f Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Thu, 31 Oct 2013 20:49:00 +0000
-Subject: [PATCH] gnttab: correct locking order reversal
-
-Coverity ID 1087189
-
-Correct a lock order reversal between a domains page allocation and grant
-table locks.
-
-This is CVE-2013-4494 / XSA-73.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
-Consolidate error handling.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Keir Fraser <keir@xen.org>
-Tested-by: Matthew Daley <mattjd@gmail.com>
----
- xen/common/grant_table.c |   52 +++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 44 insertions(+), 8 deletions(-)
-
-diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
-index f42bc7a..48df928 100644
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-@@ -1518,6 +1518,8 @@ gnttab_transfer(
- 
-     for ( i = 0; i < count; i++ )
-     {
-+        bool_t okay;
-+
-         if (i && hypercall_preempt_check())
-             return i;
- 
-@@ -1626,16 +1628,18 @@ gnttab_transfer(
-          * pages when it is dying.
-          */
-         if ( unlikely(e->is_dying) ||
--             unlikely(e->tot_pages >= e->max_pages) ||
--             unlikely(!gnttab_prepare_for_transfer(e, d, gop.ref)) )
-+             unlikely(e->tot_pages >= e->max_pages) )
-         {
--            if ( !e->is_dying )
--                gdprintk(XENLOG_INFO, "gnttab_transfer: "
--                        "Transferee has no reservation "
--                        "headroom (%d,%d) or provided a bad grant ref (%08x) "
--                        "or is dying (%d)\n",
--                        e->tot_pages, e->max_pages, gop.ref, e->is_dying);
-             spin_unlock(&e->page_alloc_lock);
-+
-+            if ( e->is_dying )
-+                gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+                         "Transferee (d%d) is dying\n", e->domain_id);
-+            else
-+                gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+                         "Transferee (d%d) has no headroom (tot %u, max %u)\n",
-+                         e->domain_id, e->tot_pages, e->max_pages);
-+
-             rcu_unlock_domain(e);
-             put_gfn(d, gop.mfn);
-             page->count_info &= ~(PGC_count_mask|PGC_allocated);
-@@ -1647,6 +1651,38 @@ gnttab_transfer(
-         /* Okay, add the page to 'e'. */
-         if ( unlikely(domain_adjust_tot_pages(e, 1) == 1) )
-             get_knownalive_domain(e);
-+
-+        /*
-+         * We must drop the lock to avoid a possible deadlock in
-+         * gnttab_prepare_for_transfer.  We have reserved a page in e so can
-+         * safely drop the lock and re-aquire it later to add page to the
-+         * pagelist.
-+         */
-+        spin_unlock(&e->page_alloc_lock);
-+        okay = gnttab_prepare_for_transfer(e, d, gop.ref);
-+        spin_lock(&e->page_alloc_lock);
-+
-+        if ( unlikely(!okay) || unlikely(e->is_dying) )
-+        {
-+            bool_t drop_dom_ref = (domain_adjust_tot_pages(e, -1) == 0);
-+
-+            spin_unlock(&e->page_alloc_lock);
-+
-+            if ( okay /* i.e. e->is_dying due to the surrounding if() */ )
-+                gdprintk(XENLOG_INFO, "gnttab_transfer: "
-+                         "Transferee (d%d) is now dying\n", e->domain_id);
-+
-+            if ( drop_dom_ref )
-+                put_domain(e);
-+            rcu_unlock_domain(e);
-+
-+            put_gfn(d, gop.mfn);
-+            page->count_info &= ~(PGC_count_mask|PGC_allocated);
-+            free_domheap_page(page);
-+            gop.status = GNTST_general_error;
-+            goto copyback;
-+        }
-+
-         page_list_add_tail(page, &e->page_list);
-         page_set_owner(page, e);
- 
--- 
-1.7.10.4
-
diff --git a/kernels/xen/xsa75-4.3-unstable.patch b/kernels/xen/xsa75-4.3-unstable.patch
deleted file mode 100644
index 6c0c5bca1..000000000
--- a/kernels/xen/xsa75-4.3-unstable.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing
-
-Otherwise uninitialized data may be used, leading to crashes.
-
-This is XSA-75.
-
-Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/hvm/vmx/vvmx.c
-+++ b/xen/arch/x86/hvm/vmx/vvmx.c
-@@ -1508,15 +1508,10 @@ static void clear_vvmcs_launched(struct 
-     }
- }
- 
--int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
-+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
- {
-     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
-     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
--    int rc;
--
--    rc = vmx_inst_check_privilege(regs, 0);
--    if ( rc != X86EMUL_OKAY )
--        return rc;
- 
-     /* check VMCS is valid and IO BITMAP is set */
-     if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
-@@ -1535,6 +1530,10 @@ int nvmx_handle_vmresume(struct cpu_user
-     struct vcpu *v = current;
-     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
-+    int rc = vmx_inst_check_privilege(regs, 0);
-+
-+    if ( rc != X86EMUL_OKAY )
-+        return rc;
- 
-     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
-     {
-@@ -1554,10 +1553,13 @@ int nvmx_handle_vmresume(struct cpu_user
- int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
- {
-     bool_t launched;
--    int rc;
-     struct vcpu *v = current;
-     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
-+    int rc = vmx_inst_check_privilege(regs, 0);
-+
-+    if ( rc != X86EMUL_OKAY )
-+        return rc;
- 
-     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
-     {
diff --git a/kernels/xen/xsa78.patch b/kernels/xen/xsa78.patch
deleted file mode 100644
index 180506cdd..000000000
--- a/kernels/xen/xsa78.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-VT-d: fix TLB flushing in dma_pte_clear_one()
-
-The third parameter of __intel_iommu_iotlb_flush() is to indicate
-whether the to be flushed entry was a present one. A few lines before,
-we bailed if !dma_pte_present(*pte), so there's no need to check the
-flag here again - we can simply always pass TRUE here.
-
-This is CVE-2013-6375 / XSA-78.
-
-Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
-     iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
- 
-     if ( !this_cpu(iommu_dont_flush_iotlb) )
--        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
-+        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
- 
-     unmap_vtd_domain_page(page);
-
author	André Fabian Silva Delgado <emulatorman@parabola.nu>	2014-02-25 03:54:30 -0200
committer	André Fabian Silva Delgado <emulatorman@parabola.nu>	2014-02-25 03:54:30 -0200
commit	ef908aca0b76901da1491ab0ed29a1e8e19640f6 (patch)
tree	8b72691f726c72151b90b7180429f47c470d9f78 /kernels
parent	9f723766b260d4942426216ecede5ebe4631c456 (diff)
download	abslibre-ef908aca0b76901da1491ab0ed29a1e8e19640f6.tar.gz abslibre-ef908aca0b76901da1491ab0ed29a1e8e19640f6.tar.bz2 abslibre-ef908aca0b76901da1491ab0ed29a1e8e19640f6.zip