summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIan Delaney <della5@iinet.com.au>2013-02-12 21:30:39 +0800
committerIan Delaney <della5@iinet.com.au>2013-02-12 21:30:39 +0800
commit354b9c76006432cc0b64b5b148bc420ae4dd666c (patch)
treec58cecc82fbff80646fea48da4585dfb6a5d47e4
parentdrop xen-pvgrub-4.2.0 (diff)
downloadvirtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.tar.gz
virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.tar.bz2
virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.zip
Add xen-4.2.1-r1 and patches
Package-Manager: portage-2.1.11.40
-rw-r--r--app-emulation/xen/Manifest1
-rw-r--r--app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch18
-rw-r--r--app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch70
-rw-r--r--app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch23
-rw-r--r--app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch37
-rw-r--r--app-emulation/xen/xen-4.2.1-r1.ebuild123
6 files changed, 272 insertions, 0 deletions
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index e0a06e3..ddf30d9 100644
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -1 +1,2 @@
DIST xen-4.2.0.tar.gz 15587687 SHA256 43f4a086e4e0330145a27b7ace8365c42b5afbc95cefadafe067be91bd3e5cfb SHA512 4fb56c79d722fb307bc657f16d02079c6636427e7650c4354193632d38d2d1db8e588f844ff0ca6e757c108ed639a528565ec9fc7c00bb4d5b6fbc9d122d8a70 WHIRLPOOL 369a109375864cb61920b56cf501522051d28513e738f0fd0e7b76244c3e08a8a0a6ff6cf245872d9bbd9c0f22c7da76c9cbc0f852bad6108ca25fd42dc677c0
+DIST xen-4.2.1.tar.gz 15593695 SHA256 fb8df5827ce3e2d2d3b078d9e5afde502beb5e7ab9442e51a94087061bd450c6 SHA512 fe27a965e2b34035bd025482eda9fc4d4e82523c929323fd30813367d5ffbe2fa1ed3d7d4479f2632e8b5625972448b7bd6a7768e8dc1dcd1b6747d281cc1a9e WHIRLPOOL 226bbed059541e804f1a44e721023ffbc04bae43000653b1d7d6a9bfec0d9efbf7a48b1b0a7ad3fcb8e34f8b91e1c620c2a8eddf97baad487e9db37d49a58f37
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch
new file mode 100644
index 0000000..20342ec
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch
@@ -0,0 +1,18 @@
+VT-d: fix interrupt remapping source validation for devices behind legacy bridges
+Using SVT_VERIFY_BUS here doesn't make sense;
+
+native Linux also uses SVT_VERIFY_SID_SQ here instead.
+This is XSA-33 / CVE-2012-5634.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/drivers/passthrough/vtd/intremap.c
++++ xen/drivers/passthrough/vtd/intremap.c
+@@ -466,7 +466,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
+ set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
+ (bus << 8) | pdev->bus);
+ else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
++ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
+ PCI_BDF2(bus, devfn));
+ }
+ break;
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch
new file mode 100644
index 0000000..f074fa6
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch
@@ -0,0 +1,70 @@
+commit 66141b2e068fa39f28bdda6be05882e323663687
+Author: Michael Young
+Date: Tue Jan 22 22:22:10 2013 +0000
+
+ Security fix from nested virtualization CVE-2013-0151,
+ restore status option to xend which is used by libvirt
+#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch
+#new file mode 100644
+#index 0000000..f5328ef
+#--- /dev/null
+#+++ xsa34-4.2.patch
+#@@ -0,0 +1,30 @@
+#+x86_32: don't allow use of nested HVM
+#+
+#+There are (indirect) uses of map_domain_page() in the nested HVM code
+#+that are unsafe when not just using the 1:1 mapping.
+#+
+#+This is XSA-34 / CVE-2013-0151.
+#+
+#+Signed-off-by: Jan Beulich
+#+
+#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch
+#new file mode 100644
+#index 0000000..28c6171
+#--- /dev/null
+#+++ xsa35-4.2-with-xsa34.patch
+#@@ -0,0 +1,24 @@
+#+xen: Do not allow guests to enable nested HVM on themselves
+#+
+#+There is no reason for this and doing so exposes a memory leak to
+#+guests. Only toolstacks need write access to this HVM param.
+#+
+#+This is XSA-35 / CVE-2013-0152.
+#+
+#+Signed-off-by: Ian Campbell
+#+Acked-by: Jan Beulich
+#+
+--- xen/arch/x86/hvm/hvm.c
++++ xen/arch/x86/hvm/hvm.c
+@@ -3858,6 +3858,11 @@
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++ if ( !IS_PRIV(current->domain) )
++ {
++ rc = -EPERM;
++ break;
++ }
+ if ( a.value > 1 )
+ rc = -EINVAL;
+ if ( !is_hvm_domain(d) )
+@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ rc = -EINVAL;
+ break;
+ case HVM_PARAM_NESTEDHVM:
++#ifdef __i386__
++ if ( a.value )
++ rc = -EINVAL;
++#else
+ if ( a.value > 1 )
+ rc = -EINVAL;
+ if ( !is_hvm_domain(d) )
+@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ for_each_vcpu(d, v)
+ if ( rc == 0 )
+ rc = nestedhvm_vcpu_initialise(v);
++#endif
+ break;
+ case HVM_PARAM_BUFIOREQ_EVTCHN:
+ rc = -EINVAL;
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch
new file mode 100644
index 0000000..bb43acd
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch
@@ -0,0 +1,23 @@
+x86: fix assertion in get_page_type()
+
+c/s 22998:e9fab50d7b61 (and immediately following ones) made it
+possible that __get_page_type() returns other than -EINVAL, in
+particular -EBUSY. Consequently, the assertion in get_page_type()
+should check for only the return values we absolutely don't expect to
+see there.
+
+This is XSA-37 / CVE-2013-0154.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/arch/x86/mm.c
++++ xen/arch/x86/mm.c
+@@ -2586,7 +2586,7 @@ int get_page_type(struct page_info *page
+ int rc = __get_page_type(page, type, 0);
+ if ( likely(rc == 0) )
+ return 1;
+- ASSERT(rc == -EINVAL);
++ ASSERT(rc != -EINTR && rc != -EAGAIN);
+ return 0;
+ }
+
diff --git a/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
new file mode 100644
index 0000000..c0dbd20
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
@@ -0,0 +1,37 @@
+# Fix gcc-4.6
+diff -ur xen-4.2.0.orig/extras/mini-os/minios.mk xen-4.2.0/extras/mini-os/minios.mk
+--- extras/mini-os/minios.mk 2012-09-17 18:21:17.000000000 +0800
++++ extras/mini-os/minios.mk 2012-12-05 14:01:10.653260260 +0800
+@@ -6,7 +6,7 @@
+
+ # Define some default flags.
+ # NB. '-Wcast-qual' is nasty, so I omitted it.
+-DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls
++DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls
+ DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,)
+ DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline)
+ DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline
+diff -ur xen-4.2.0.orig/tools/libxc/Makefile xen-4.2.0/tools/libxc/Makefile
+--- tools/libxc/Makefile 2012-09-17 18:21:18.000000000 +0800
++++ tools/libxc/Makefile 2012-12-05 14:01:10.653260260 +0800
+@@ -73,7 +73,7 @@
+
+ -include $(XEN_TARGET_ARCH)/Makefile
+
+-CFLAGS += -Werror -Wmissing-prototypes
++CFLAGS += -Wmissing-prototypes
+ CFLAGS += -I. $(CFLAGS_xeninclude)
+
+ # Needed for posix_fadvise64() in xc_linux.c
+# Drop .config
+diff -ur xen-4.2.0.orig/Config.mk xen-4.2.0/Config.mk
+--- Config.mk 2012-09-17 18:23:12.000000000 +0800
++++ Config.mk 2012-12-05 14:01:10.641260261 +0800
+@@ -7,7 +7,6 @@
+ # fallback for older make
+ realpath = $(wildcard $(foreach file,$(1),$(shell cd -P $(dir $(file)) && echo "$$PWD/$(notdir $(file))")))
+
+--include $(XEN_ROOT)/.config
+
+ # A debug build of Xen and tools?
+ debug ?= n
diff --git a/app-emulation/xen/xen-4.2.1-r1.ebuild b/app-emulation/xen/xen-4.2.1-r1.ebuild
new file mode 100644
index 0000000..b3d3a88
--- /dev/null
+++ b/app-emulation/xen/xen-4.2.1-r1.ebuild
@@ -0,0 +1,123 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.1-r1.ebuild,v 1.2 2013/01/31 15:43:53 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_6,2_7} )
+
+if [[ $PV == *9999 ]]; then
+ KEYWORDS=""
+ REPO="xen-unstable.hg"
+ EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+ S="${WORKDIR}/${REPO}"
+ live_eclass="mercurial"
+else
+ KEYWORDS="~amd64 ~x86"
+ SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-single-r1 toolchain-funcs ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug flask pae xsm"
+
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="
+ flask? ( xsm )
+ "
+
+pkg_setup() {
+ python-single-r1_pkg_setup
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ if use flask ; then
+ export "XSM_ENABLE=y"
+ export "FLASK_ENABLE=y"
+ elif use xsm ; then
+ export "XSM_ENABLE=y"
+ fi
+}
+
+src_prepare() {
+ # Drop .config and fix gcc-4.6
+ epatch "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \; || die "failed to re-set custom-cflags"
+ fi
+
+ # not strictly necessary to fix this
+ sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+ #Security patches
+ epatch "${FILESDIR}"/${PN}-4-CVE-2012-5634-XSA-33.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-0151-XSA-34_35.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-0154-XSA-37.patch
+}
+
+src_configure() {
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+}
+
+src_compile() {
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ if use pae; then
+ echo
+ ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+ fi
+}