From xen-announce-bounces@lists.xen.org Thu Apr 04 18:00:25 2013
Date: Thu, 04 Apr 2013 17:57:19 +0000
Message-Id: <E1UNoPX-0000C9-VT@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 47 (CVE-2013-1920) - Potential
 use of freed memory in event channel operations


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1920 / XSA-47

        Potential use of freed memory in event channel operations

ISSUE DESCRIPTION
=================

Wrong ordering of operations upon extending the per-domain event
channel tracking table can cause a pointer to freed memory to be left
in place, when the hypervisor is under memory pressure and XSM (Xen
Security Module) is enabled.

IMPACT
======

Malicious guest kernels could inject arbitrary events or corrupt other
hypervisor state, possibly leading to code execution.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.2 onwards are vulnerable when making use of
XSM.  Configurations without XSM or with a dummy module are not
affected.

MITIGATION
==========

Running without XSM (which is the default) will avoid this
vulnerability, although doing so will likely lower the overall security
of systems that would otherwise have XSM enabled.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa47-4.1.patch             Xen 4.1.x
xsa47-4.2-unstable.patch    Xen 4.2.x and xen-unstable

$ sha256sum xsa47*.patch
e49a03e0693de07ec1418eb16191854458e72088febd6948ea5bc1f900a1853a  xsa47-4.1.patch
c29b59492f9d7e3f74bfc41877a2c5cff70436d3738fd91066f396f969aab0a7  xsa47-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa47-4.1.patch"
Content-Disposition: attachment; filename="xsa47-4.1.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa47-4.2-unstable.patch"
Content-Disposition: attachment; filename="xsa47-4.2-unstable.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
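
The ordering problem described in XSA-47 above, reduced to a small stand-alone C model. This is an added example, not Xen's code and not the attached patch; every name, the sizes and the pool allocator are hypothetical, and it assumes the fallible step after the table update is a per-channel security allocation whose failure frees the new bucket.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CHANNELS_PER_BUCKET 4   /* constructed sizes for this model */
#define NR_BUCKETS          2
#define POOL_SIZE           4

struct channel { int has_label; };
struct domain  { struct channel *bucket[NR_BUCKETS]; };

/* Tiny pool allocator: "freeing" only clears in_use, so a stale pointer
 * can be inspected here without undefined behaviour. */
static struct {
    int in_use;
    struct channel chn[CHANNELS_PER_BUCKET];
} pool[POOL_SIZE];

static struct channel *bucket_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            memset(pool[i].chn, 0, sizeof(pool[i].chn));
            return pool[i].chn;
        }
    return NULL;
}

static void bucket_free(struct channel *chn)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].chn == chn)
            pool[i].in_use = 0;
}

/* Stand-in for the security module's per-channel allocation; a non-zero
 * fail simulates that allocation failing under memory pressure. */
static int label_alloc(struct channel *c, int fail)
{
    if (fail)
        return -ENOMEM;
    c->has_label = 1;
    return 0;
}

/* Flawed ordering: the table slot is written before the fallible step. */
static int extend_publish_first(struct domain *d, int slot, int fail_index)
{
    struct channel *chn = bucket_alloc();
    if (chn == NULL)
        return -ENOMEM;
    d->bucket[slot] = chn;
    for (int i = 0; i < CHANNELS_PER_BUCKET; i++)
        if (label_alloc(&chn[i], i == fail_index) != 0) {
            bucket_free(chn);   /* d->bucket[slot] still holds this address */
            return -ENOMEM;
        }
    return 0;
}

/* Corrected ordering: publish only once nothing can fail any more. */
static int extend_publish_last(struct domain *d, int slot, int fail_index)
{
    struct channel *chn = bucket_alloc();
    if (chn == NULL)
        return -ENOMEM;
    for (int i = 0; i < CHANNELS_PER_BUCKET; i++)
        if (label_alloc(&chn[i], i == fail_index) != 0) {
            bucket_free(chn);   /* nothing refers to chn yet */
            return -ENOMEM;
        }
    d->bucket[slot] = chn;
    return 0;
}

/* 1 if the slot refers to memory that has gone back to the pool. */
static int slot_is_dangling(const struct domain *d, int slot)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].chn == d->bucket[slot])
            return !pool[i].in_use;
    return 0;                   /* NULL slot: nothing was published */
}

int main(void)
{
    struct domain a = {{0}}, b = {{0}}, c = {{0}};
    extend_publish_first(&a, 0, 2);   /* third label allocation fails */
    printf("publish-first: dangling=%d\n", slot_is_dangling(&a, 0));
    extend_publish_first(&b, 0, -1);  /* pool hands the same memory to b */
    printf("a aliases b: %d\n", a.bucket[0] == b.bucket[0]);
    extend_publish_last(&c, 0, 2);
    printf("publish-last: dangling=%d\n", slot_is_dangling(&c, 0));
    return 0;
}
```

Once the freed bucket is handed out again, the stale slot and the new owner refer to the same memory, which is the state the corrected ordering never reaches.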


From xen-announce-bounces@lists.xen.org Mon Apr 15 16:00:00 2013
Date: Mon, 15 Apr 2013 15:55:34 +0000
Message-Id: <E1URlkk-0007dC-4q@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 48 (CVE-2013-1922) - qemu-nbd
 format-guessing due to missing format specification


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-1922 / XSA-48
			      version 2

         qemu-nbd format-guessing due to missing format specification

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The qemu-nbd tool (shipped in the Xen hypervisor tools distribution as
qemu-nbd-xen) autodetects the image format.

If a particular disk image is intended to be raw, a guest operating
system administrator could write a header to the image describing a
format other than the original one.  This could lead to a scenario in
which, after a restart of that guest, qemu-nbd would detect the new
apparent format of the image, including a specified backing file or
device, which could allow the guest to read any file on the host.

IMPACT
======

qemu-nbd (qemu-nbd-xen) is not used by the toolstack software supplied
with the Xen tree.  However, it is built and installed, and so might
be used by host administrators or by toolstacks other than libxl or
xend.

If qemu-nbd is used, a malicious guest administrator may be able to
read any file on the host, depending on exactly how it is used.

VULNERABLE SYSTEMS
==================

For Xen systems using libxl (xl) or xend (xm): if neither qemu-nbd-xen
nor qemu-nbd (since qemu-nbd-xen is installed under the latter name in
/usr/lib/xen/bin) is explicitly invoked by scripts or other software
not supplied by the Xen project, the system is not vulnerable.

Xen systems using other toolstacks may be vulnerable if those
toolstacks use qemu-nbd[-xen].

A guest administrator who runs qemu-nbd-xen by hand on a guest may be
exposing themselves to this vulnerability.

Only qemu-xen-upstream is vulnerable; qemu-xen-traditional has a fix
which makes this bug not apply.  However, the Xen build system builds
and installs both by default, in some arbitrary order, to the same
filename.  So which is installed and might be used is not predictable
unless the qemu-xen-upstream build is entirely disabled.

Only systems with Xen 4.2 and later installed are vulnerable (by
virtue of the presence of Xen) as earlier versions of Xen do not build
qemu-xen-upstream at all.

MITIGATION
==========

No mitigation is available for users of qemu-nbd[-xen].  If you are
using qemu-nbd[-xen] from qemu-xen-upstream on raw image files, then
arranging to use qemu-xen-traditional instead will fail.

If you wish enhanced assurance, removing all copies of qemu-nbd and
qemu-nbd-xen will provide confidence that this vulnerable utility is
not being used.

RESOLUTION
==========

To resolve the problem, it is necessary to apply the attached patch
(to the qemu-xen-upstream tree).

It is ALSO NECESSARY to ensure that all invocations of qemu-nbd are
provided with an appropriate -f (--format) option.  Invoking qemu-nbd
without this option remains unsafe and the patch does not prevent it.

xsa48-4.2.patch         Xen 4.2.x (Xen's qemu-upstream-4.2-testing.git)
xsa48-unstable.patch    Xen unstable (Xen's qemu-upstream-unstable.git)

$ sha256sum xsa48*
11e5d1f576770fde67e80e3e8c30f9a1af404fe6d07f1c37e96d68677f31435c  xsa48-4.2.patch
20dac78bff584951cb706bb76a3394b47525749655dba2f68a6d923faf168fe8  xsa48-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa48-4.2.patch"
Content-Disposition: attachment; filename="xsa48-4.2.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa48-unstable.patch"
Content-Disposition: attachment; filename="xsa48-unstable.patch"
Content-Transfer-Encoding: base64
--=separator--
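
Why XSA-48 above insists on an explicit -f (--format), as a small C model added here (not QEMU's or Xen's code): without a named format, bytes the guest can write choose the driver. All names are hypothetical and the sample bytes are constructed; real probing considers many formats, and the option scan handles only the four spellings listed in its comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum img_format { FMT_UNKNOWN = -1, FMT_RAW, FMT_QCOW2 };

/* Content probe, reduced to one recognised signature (the qcow2 magic).
 * Anything unrecognised falls back to raw. */
static enum img_format probe_format(const uint8_t *hdr, size_t len)
{
    static const uint8_t qcow2_magic[4] = { 'Q', 'F', 'I', 0xfb };

    if (len >= sizeof(qcow2_magic) &&
        memcmp(hdr, qcow2_magic, sizeof(qcow2_magic)) == 0)
        return FMT_QCOW2;
    return FMT_RAW;
}

static enum img_format format_by_name(const char *name)
{
    if (strcmp(name, "raw") == 0)
        return FMT_RAW;
    if (strcmp(name, "qcow2") == 0)
        return FMT_QCOW2;
    return FMT_UNKNOWN;             /* caller must refuse to open */
}

/* Value given with -f / --format on a command line, or NULL if absent.
 * Handles "-f X", "-fX", "--format X" and "--format=X" only. */
static const char *format_arg(int argc, const char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];

        if (strcmp(a, "--") == 0)
            break;
        if (strcmp(a, "-f") == 0 || strcmp(a, "--format") == 0)
            return i + 1 < argc ? argv[i + 1] : NULL;
        if (strncmp(a, "--format=", 9) == 0)
            return a + 9;
        if (a[0] == '-' && a[1] == 'f')
            return a + 2;
    }
    return NULL;
}

/* Driver that would open the image: a named format always wins over
 * content; without one, guest-writable bytes decide. */
static enum img_format select_format(int argc, const char *const argv[],
                                     const uint8_t *hdr, size_t len)
{
    const char *forced = format_arg(argc, argv);

    return forced ? format_by_name(forced) : probe_format(hdr, len);
}

/* Only a non-raw driver interprets header fields such as a backing
 * file reference; raw exposes the bytes as plain data. */
static int header_is_interpreted(enum img_format f)
{
    return f == FMT_QCOW2;
}

/* Constructed sample: first bytes of an image provisioned as raw, after
 * the guest has written to them. */
static const uint8_t guest_written[8] = { 'Q', 'F', 'I', 0xfb, 0, 0, 0, 0 };

int main(void)
{
    const char *no_fmt[]   = { "qemu-nbd", "disk.img" };
    const char *with_fmt[] = { "qemu-nbd", "-f", "raw", "disk.img" };

    printf("no -f:  interpreted=%d\n", header_is_interpreted(
           select_format(2, no_fmt, guest_written, sizeof(guest_written))));
    printf("-f raw: interpreted=%d\n", header_is_interpreted(
           select_format(4, with_fmt, guest_written, sizeof(guest_written))));
    return 0;
}
```

The same `format_arg` check can be run over the command lines found in wrapper scripts to flag invocations that still rely on autodetection; clustered short options and abbreviated long options are outside what it recognises.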


From xen-announce-bounces@lists.xen.org Mon Apr 15 16:00:00 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 15 Apr 2013 16:00:00 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1URllk-00051X-FW; Mon, 15 Apr 2013 15:56:36 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1URlli-00051I-Td; Mon, 15 Apr 2013 15:56:35 +0000
Received: from [85.158.137.99:27557] by server-10.bemta-3.messagelabs.com id
	90/DF-19664-D232C615; Mon, 15 Apr 2013 15:56:29 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-217.messagelabs.com!1366041340!17478791!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 9814 invoked from network); 15 Apr 2013 15:55:41 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-217.messagelabs.com with AES256-SHA encrypted SMTP;
	15 Apr 2013 15:55:41 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1URlkk-0004Mi-EX; Mon, 15 Apr 2013 15:55:34 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1URlkk-0007dC-4q; Mon, 15 Apr 2013 15:55:34 +0000
Date: Mon, 15 Apr 2013 15:55:34 +0000
Message-Id: <E1URlkk-0007dC-4q@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 48 (CVE-2013-1922) - qemu-nbd
 format-guessing due to missing format specification
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-1922 / XSA-48
			      version 2

         qemu-nbd format-guessing due to missing format specification

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The qemu-nbd tool (shipped in the Xen hypervisor tools distribution as
qemu-nbd-xen) autodetects the image format.

If a particular disk image is intended to be raw, a guest operating
system administrator could write a header to the image, describing
another format than original one.  This could lead to a scenario in
which after restart of that guest, qemu-nbd would detect the new
apparent format of the image, including a specified backing file or
device, which could allow the guest to read any file on the host.

IMPACT
======

qemu-nbd (qemu-nbd-xen) is not used by the toolstack software supplied
with the Xen tree.  However, it is built and installed, and so might
be used by host administrators or by toolstacks other than libxl or
xend.

If qemu-nbd is used, a malicious guest administrator may be able to
read any file on the host, depending exactly how.

VULNERABLE SYSTEMS
==================

For Xen systems using libxl (xl) or xend (xm): if neither qemu-nbd-xen
nor qemu-nbd (since qemu-nbd-xen is installed under the latter name in
/usr/lib/xen/bin) is explicitly invoked by scripts or other software
not supplied by the Xen project, the system is not vulnerable.

Xen systems using other toolstacks may be vulnerable if those
toolstacks use qemu-nbd[-xen].

A guest administrator who runs qemu-nbd-xen by hand on a guest may be
exposing themselves to this vulnerability.

Only qemu-xen-upstream is vulnerable; qemu-xen-traditional has a fix
which makes this bug not apply.  However, the Xen build system builds
and installs both by default, in some arbitrary order, to the same
filename.  So which is installed and might be used is not predictable
unless the qemu-xen-upstream build is entirely disabled.

Only systems with Xen 4.2 and later installed are vulnerable (by
virtue of the presence of Xen) as earlier versions of Xen do not build
qemu-xen-upstream at all.

MITIGATION
==========

No mitigation is available for users of qemu-nbd[-xen].  If you are
using qemu-nbd[-xen] from qemu-xen-upstream on raw image files, then
arranging to use qemu-xen-traditional instead will fail.

If you wish enhanced assurance, removing all copies of of qemu-nbd and
qemu-nbd-xen will provide confidence that this vulnerable utility is
not being used.

RESOLUTION
==========

To resolve the problem, it is necessary to apply the attached patch
(to the qemu-xen-upstream tree).

It is ALSO NECESSARY to ensure that all invocations of qemu-nbd are
provided with an appropriate -f (--format) option.  Invoking qemu-nbd
without this option remains unsafe and the patch does not prevent it.

xsa48-4.2.patch         Xen 4.2.x (Xen's qemu-upstream-4.2-testing.git)
xsa48-unstable.patch    Xen unstable (Xen's qemu-upstream-unstable.git)

$ sha256sum xsa48*
11e5d1f576770fde67e80e3e8c30f9a1af404fe6d07f1c37e96d68677f31435c  xsa48-4.2.patch
20dac78bff584951cb706bb76a3394b47525749655dba2f68a6d923faf168fe8  xsa48-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa48-4.2.patch"
Content-Disposition: attachment; filename="xsa48-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa48-unstable.patch"
Content-Disposition: attachment; filename="xsa48-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
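
The XSA-48 resolution above requires every qemu-nbd invocation to carry -f (--format). The following is an added example, not part of the advisory or of Xen project code: a small audit that lists qemu-nbd / qemu-nbd-xen invocations in shell scripts that lack the option. The sample script, its paths and all function names are constructed for illustration.

```python
import os
import shlex
import sys

# Names the advisory gives for the utility (qemu-nbd[-xen]).
NBD_NAMES = {"qemu-nbd", "qemu-nbd-xen"}

# Constructed sample script (paths and image names are made up).
SAMPLE_SCRIPT = r'''#!/bin/sh
# attach guest images
modprobe nbd
qemu-nbd -c /dev/nbd0 /var/lib/xen/images/guest1.img
/usr/lib/xen/bin/qemu-nbd -f raw -c /dev/nbd1 /var/lib/xen/images/guest2.img
sudo qemu-nbd-xen --format=qcow2 -c /dev/nbd2 "$IMG" && mount /dev/nbd2p1 /mnt
qemu-nbd --read-only \
    -c /dev/nbd3 /srv/img/guest3.raw
echo "run qemu-nbd by hand"; qemu-nbd -c /dev/nbd4 disk.img
'''


def has_format_option(args):
    """True for -f FMT, -fFMT, --format FMT or --format=FMT.

    Bundled short options such as "-rf raw" are deliberately not
    recognised, so they are reported for manual review instead of
    being silently accepted.
    """
    for arg in args:
        if arg == "--":  # end of options
            break
        if (arg.startswith("-f") or arg == "--format"
                or arg.startswith("--format=")):
            return True
    return False


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def split_commands(line):
    """Tokenise one shell line and split it at ; & | ( ) operators."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quote, e.g. a multi-line string
        tokens = line.split()
    commands, current = [], []
    for tok in tokens:
        if tok and all(ch in ";&|()" for ch in tok):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def audit_script(text):
    """Return [(line_number, command)] for invocations lacking a format."""
    findings = []
    for number, line in logical_lines(text):
        for cmd in split_commands(line):
            for i, tok in enumerate(cmd):
                if os.path.basename(tok) in NBD_NAMES:
                    if not has_format_option(cmd[i + 1:]):
                        findings.append((number, " ".join(cmd)))
                    break
    return findings


if __name__ == "__main__":
    # No arguments: audit the embedded sample. Otherwise audit the named files.
    sources = sys.argv[1:]
    if not sources:
        for number, cmd in audit_script(SAMPLE_SCRIPT):
            print(f"<sample>:{number}: no -f/--format: {cmd}")
    for path in sources:
        with open(path, errors="replace") as handle:
            for number, cmd in audit_script(handle.read()):
                print(f"{path}:{number}: no -f/--format: {cmd}")
```

Findings are candidates for review: the check is textual, so invocations built from variables or generated at run time still need to be traced by hand.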


From xen-announce-bounces@lists.xen.org Mon Apr 15 16:05:30 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 15 Apr 2013 16:05:30 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1URlrS-000694-Bh; Mon, 15 Apr 2013 16:02:30 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1URlnU-0005EP-Di
	for xen-announce@lists.xen.org; Mon, 15 Apr 2013 15:58:24 +0000
Received: from [193.109.254.147:57411] by server-5.bemta-14.messagelabs.com id
	5C/3E-09030-F932C615; Mon, 15 Apr 2013 15:58:23 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-5.tower-27.messagelabs.com!1366041495!6138093!1
X-Originating-IP: [209.85.210.52]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31102 invoked from network); 15 Apr 2013 15:58:17 -0000
Received: from mail-da0-f52.google.com (HELO mail-da0-f52.google.com)
	(209.85.210.52)
	by server-5.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	15 Apr 2013 15:58:17 -0000
Received: by mail-da0-f52.google.com with SMTP id f10so2125433dak.25
	for <xen-announce@lists.xen.org>; Mon, 15 Apr 2013 08:58:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=x-received:sender:message-id:date:from:reply-to:user-agent
	:mime-version:to:subject:content-type:content-transfer-encoding;
	bh=SUIxf7Ot/TeWL3SooqPxAK8RCMSuAzgY3ok8iHFPbh4=;
	b=CpKff6suOL7L7aM0h5Hv8zrpcbOOnAXA0zj7brs8mEL4iCtU7u2K04SrAU5+P0Rvj6
	gt66n/ffTcimBxX8EO16fQtaejNjRGbHAuzw5LwmbH2ZXkcqBEHOiGIaPM/Ss8jdAfHN
	6j7ALDZ80SVzYJeDpMBLZIux8Mgho1AMrz5UIKyQ1FNEXV+wzfbpKnkvA9sRuWADrND2
	dIvuiOaY0X2E7+xOTMNgxtZbhyTeVLG2RMsruXatAbCFjh8cL7d2kNHezK7cg7x6qF+5
	CyTh/CQMrjYRM3QGO12ZdP4zB6p+7PPqrigXuZ0/cC6Hby+4w9giWXfJXw6iRv8MeMWk
	PP6g==
X-Received: by 10.68.0.67 with SMTP id 3mr29728650pbc.219.1366041494806;
	Mon, 15 Apr 2013 08:58:14 -0700 (PDT)
Received: from [172.16.26.11] ([69.38.217.3])
	by mx.google.com with ESMTPS id qr7sm20809111pbc.16.2013.04.15.08.58.13
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Mon, 15 Apr 2013 08:58:14 -0700 (PDT)
Message-ID: <516C2393.8040409@xen.org>
Date: Mon, 15 Apr 2013 16:58:11 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: xen-announce@lists.xen.org
X-Mailman-Approved-At: Mon, 15 Apr 2013 16:02:28 +0000
Subject: [Xen-announce] Xen is now a Linux Foundation Collaborative Project
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Dear community members,

almost a year ago, I floated the idea within Citrix of finding a
non-profit home for the Xen Project. At this point, I had worked for and
with the Xen community for just over a year. We only just implemented
community-led Governance and it was clear that at some point Xen would
need to become a truly vendor neutral project. You cannot imagine how
pleased I was, when almost immediately I got full support from Citrix
management to pursue the idea of finding a vendor-neutral home for Xen.
We looked at various options and it quickly became clear that The Linux
Foundation was the most natural fit for the Xen Project. And then the
hard work to pull everything together started … but this is a story for
some other time. The good news is that as of today, The Xen Project is a
Linux Foundation Collaborative Project with an impressive Advisory Board
consisting of companies that will contribute to, fund and guide the
non-technical aspects of the Xen Project.

An increase in Diversity
========================
Let’s have a quick recap of Xen Governance Evolution: in early 2011, the
developer community largely operated through a set of unwritten rules.
This made it hard to join the community. In retrospect this had actually
stopped vendors from contributing and was the reason why some early
contributors abandoned Xen. Since then, we defined our Xen Governance
formalizing values, roles, decision making, the project life-cycle and
other areas. Ownership and responsibilities of tasks have been
distributed to community members. We also created a forum for
distinguished community members (individuals as well as vendors
contributing to the project) through the Xen Maintainer, Committer and
Developer Meetings, which have evolved into a Project Management
Committee (even though we don’t call it a PMC). Also, we have a better
approach to planning and generating a Xen Roadmap, a well-defined
Security Vulnerability Process and other community initiatives. The
effect all this had is that the contributor community grew from 6
organizations contributing more than 1% to the code in 2010 to 13
organizations in 2012. The next logical step for Xen was to become a
truly independent open source project, and this has now happened.

Bringing Users and Developers Together
======================================
One thing I am really pleased with is the diverse list of companies that
joined the Xen Advisory Board to support the project financially.
* Hardware and Silicon vendors such as AMD, Calxeda, Cisco, Intel and
  Samsung.
* Companies that use Xen in software products such as Bromium, Citrix
  and Oracle.
* Large scale users of Xen, such as Amazon Web Services, CA
  Technologies, Google and Verizon.

This is a good and healthy mix. Because of Xen’s roots as a University
project, it was an almost exclusively developer-focused community. Some
even complained that the project didn’t care a lot about its users. But
for open source projects to succeed, tending and growing your user base
is essential. In the last two years, the community started a program of
change and has engaged its user base much more. Having good user
representation on the Xen Advisory Board should help foster and
accelerate this change. The icing on the cake is the new xenproject.org
site (which we are launching as beta today) is designed to be a site for
the entire community: bringing users, developers as well as companies
together.

More Collaboration
==================
For the Xen 4.3 release we have already seen an increased amount of
collaboration and up-front planning on issues such as performance and
scalability improvements, new features such as PVH and Xen ARM support
for ARM based servers, UEFI secure boot, working with upstream projects
such as Linux and QEMU, downstream Linux and BSD distros and cloud
orchestration stacks. Embedding Xen into the Linux family as a Linux
Foundation Collaborative project should lead to more such collaboration
as part of the wider Linux and open source community. Of course this
will not happen by itself: one of my personal priorities for the rest of
this year is that more collaboration happens.

What is going to change?
========================
If you are a Xen User or Developer pretty much nothing initially.
Everything will continue to run as it always has. In the longer run, I
am confident that the Xen Collaborative Project will lead to more code
contributions, better integration with Linux distributions, increased
adoption of Xen, more integration with other projects, better marketing
and a lot more. All the changes should be positive.

There will be some short-term changes though that will affect you:
xen.org will move to xenproject.org, the Xen Logo is changing and we
have a new Xen Community website at xenproject.org (which means the old
site will be archived). Because the domain changes cannot be implemented
entirely without impacting our users and developers, this may be also a
good opportunity to look at some housekeeping activities (wiki
categorization to improve navigation, killing some old archived lists,
... ). Any changes will be made with the community in accordance with
existing community processes. Unfortunately we could not involve you
when we prepared the new xenproject.org community website: I hope you
understand that we had to keep the creation of the Xen Linux Foundation
Collaborative Project under wraps. But there will be plenty of
opportunity to listen to you and make changes in the coming weeks.

In any case, I am quite excited about what is happening and I hope you
are too.

Lars

Further Information
===================
- Announcement :
  https://www.linuxfoundation.org/news-media/announcements/2013/04/xen-become-linux-foundation-collaborative-project
- New Xen Project Community Web-site : http://www.xenproject.org
- FAQ : http://www.xenproject.org/xen-project-faq.html



From xen-announce-bounces@lists.xen.org Thu Apr 18 13:39:20 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 18 Apr 2013 13:39:20 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1USp0y-0004f7-6Q; Thu, 18 Apr 2013 13:36:40 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0v-0004eK-K8; Thu, 18 Apr 2013 13:36:38 +0000
Received: from [85.158.138.51:41587] by server-11.bemta-3.messagelabs.com id
	52/46-01263-4E6FF615; Thu, 18 Apr 2013 13:36:36 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-174.messagelabs.com!1366292194!29032550!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=2.0 required=7.0 tests=SUBJECT_RANDOMQ
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 21264 invoked from network); 18 Apr 2013 13:36:35 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Apr 2013 13:36:35 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0i-00024w-JO; Thu, 18 Apr 2013 13:36:24 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0i-0002mC-Gc; Thu, 18 Apr 2013 13:36:24 +0000
Date: Thu, 18 Apr 2013 13:36:24 +0000
Message-Id: <E1USp0i-0002mC-Gc@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 46 (CVE-2013-1919) - Several
 access permission issues with IRQs for unprivileged guests
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1919 / XSA-46
                              version 3

     Several access permission issues with IRQs for unprivileged guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Various IRQ related access control operations may not have the
intended effect, thus potentially permitting a stub domain to grant
its client domain access to an IRQ it doesn't have access to itself.

IMPACT
======

Malicious or buggy stub domain kernels can mount a denial of service
attack possibly affecting the whole system.

VULNERABLE SYSTEMS
==================

Only Xen systems using stub domains are vulnerable.

Only guests with passed-through IRQs or PCI devices are able to
exploit the vulnerability.

It is remotely possible that PV guests with passthrough IRQs or
devices may also be able to exploit this vulnerability, although we
think this is unlikely.

MITIGATION
==========

Servicing HVM guests with passthrough IRQs or PCI devices in dom0 (ie,
not using a stub domain device model) should avoid this vulnerability.

Reconfiguring the system to disable IRQ/PCI passthrough and instead
providing the guests with appropriate paravirtualised facilities will
avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa46-4.1.patch             Xen 4.1.x
xsa46-4.2.patch             Xen 4.2.x
xsa46-unstable.patch        xen-unstable

$ sha256sum xsa46*.patch
3b2ea317c1cf2ba428cc14946d030d38294747fef2beeb16eba30bcf3b1bc2cc  xsa46-4.1.patch
822da2303f1fc69648d7a29eb72fdda8e64baab3edc0e1548456d31e66ed1d7c  xsa46-4.2.patch
6987201720ef8af89a4682bddc33f639e1f87dc12f1ea7aee1f2e0481b1e909c  xsa46-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa46-4.1.patch"
Content-Disposition: attachment; filename="xsa46-4.1.patch"
Content-Transfer-Encoding: base64

ICAmJiAhZGVzYy0+Y2hpcF9kYXRhLT51c2VkX3ZlY3RvcnMgKQpAQCAtMTY4
MCw2ICsxNzA3LDEwIEBAIGludCBtYXBfZG9tYWluX3BpcnEoCiAgICAgfQog
CiBkb25lOgorICAgIGlmICggcmV0ICYmIGlycV9kZW55X2FjY2VzcyhkLCBp
cnEpICkKKyAgICAgICAgcHJpbnRrKFhFTkxPR19HX0VSUgorICAgICAgICAg
ICAgICAgImRvbSVkOiBjb3VsZCBub3QgcmV2b2tlIGFjY2VzcyB0byBJUlEl
ZCAocGlycSAlZClcbiIsCisgICAgICAgICAgICAgICBkLT5kb21haW5faWQs
IGlycSwgcGlycSk7CiAgICAgcmV0dXJuIHJldDsKIH0KIApAQCAtMTczNiwx
MCArMTc2NywxMSBAQCBpbnQgdW5tYXBfZG9tYWluX3BpcnEoc3RydWN0IGRv
bWFpbiAqZCwgCiAgICAgaWYgKG1zaV9kZXNjKQogICAgICAgICBtc2lfZnJl
ZV9pcnEobXNpX2Rlc2MpOwogCi0gICAgcmV0ID0gaXJxX2RlbnlfYWNjZXNz
KGQsIHBpcnEpOworICAgIHJldCA9IGlycV9kZW55X2FjY2VzcyhkLCBpcnEp
OwogICAgIGlmICggcmV0ICkKLSAgICAgICAgZHByaW50ayhYRU5MT0dfR19F
UlIsICJkb20lZDogY291bGQgbm90IGRlbnkgYWNjZXNzIHRvIGlycSAlZFxu
IiwKLSAgICAgICAgICAgICAgICBkLT5kb21haW5faWQsIHBpcnEpOworICAg
ICAgICBwcmludGsoWEVOTE9HX0dfRVJSCisgICAgICAgICAgICAgICAiZG9t
JWQ6IGNvdWxkIG5vdCBkZW55IGFjY2VzcyB0byBJUlElZCAocGlycSAlZClc
biIsCisgICAgICAgICAgICAgICBkLT5kb21haW5faWQsIGlycSwgcGlycSk7
CiAKICAgICBpZiAoIGRlc2MtPmhhbmRsZXIgPT0gJnBjaV9tc2lfdHlwZSAp
CiAgICAgICAgIGRlc2MtPmhhbmRsZXIgPSAmbm9faXJxX3R5cGU7Ci0tLSBh
L3hlbi9hcmNoL3g4Ni9waHlzZGV2LmMKKysrIGIveGVuL2FyY2gveDg2L3Bo
eXNkZXYuYwpAQCAtMTQ3LDcgKzE0Nyw3IEBAIHN0YXRpYyBpbnQgcGh5c2Rl
dl9tYXBfcGlycShzdHJ1Y3QgcGh5c2QKICAgICAgICAgaWYgKCBpcnEgPT0g
LTEgKQogICAgICAgICAgICAgaXJxID0gY3JlYXRlX2lycSgpOwogCi0gICAg
ICAgIGlmICggaXJxIDwgMCB8fCBpcnEgPj0gbnJfaXJxcyApCisgICAgICAg
IGlmICggaXJxIDwgbnJfaXJxc19nc2kgfHwgaXJxID49IG5yX2lycXMgKQog
ICAgICAgICB7CiAgICAgICAgICAgICBkcHJpbnRrKFhFTkxPR19HX0VSUiwg
ImRvbSVkOiBjYW4ndCBjcmVhdGUgaXJxIGZvciBtc2khXG4iLAogICAgICAg
ICAgICAgICAgICAgICBkLT5kb21haW5faWQpOwotLS0gYS94ZW4vY29tbW9u
L2RvbWN0bC5jCisrKyBiL3hlbi9jb21tb24vZG9tY3RsLmMKQEAgLTg1NCw5
ICs4NTQsOSBAQCBsb25nIGRvX2RvbWN0bChYRU5fR1VFU1RfSEFORExFKHhl
bl9kb21jCiAgICAgICAgIGlmICggcGlycSA+PSBkLT5ucl9waXJxcyApCiAg
ICAgICAgICAgICByZXQgPSAtRUlOVkFMOwogICAgICAgICBlbHNlIGlmICgg
b3AtPnUuaXJxX3Blcm1pc3Npb24uYWxsb3dfYWNjZXNzICkKLSAgICAgICAg
ICAgIHJldCA9IGlycV9wZXJtaXRfYWNjZXNzKGQsIHBpcnEpOworICAgICAg
ICAgICAgcmV0ID0gcGlycV9wZXJtaXRfYWNjZXNzKGQsIHBpcnEpOwogICAg
ICAgICBlbHNlCi0gICAgICAgICAgICByZXQgPSBpcnFfZGVueV9hY2Nlc3Mo
ZCwgcGlycSk7CisgICAgICAgICAgICByZXQgPSBwaXJxX2RlbnlfYWNjZXNz
KGQsIHBpcnEpOwogCiAgICAgICAgIHJjdV91bmxvY2tfZG9tYWluKGQpOwog
ICAgIH0KLS0tIGEveGVuL2NvbW1vbi9ldmVudF9jaGFubmVsLmMKKysrIGIv
eGVuL2NvbW1vbi9ldmVudF9jaGFubmVsLmMKQEAgLTMzMSw3ICszMzEsNyBA
QCBzdGF0aWMgbG9uZyBldnRjaG5fYmluZF9waXJxKGV2dGNobl9iaW5kCiAg
ICAgaWYgKCAocGlycSA8IDApIHx8IChwaXJxID49IGQtPm5yX3BpcnFzKSAp
CiAgICAgICAgIHJldHVybiAtRUlOVkFMOwogCi0gICAgaWYgKCAhaXNfaHZt
X2RvbWFpbihkKSAmJiAhaXJxX2FjY2Vzc19wZXJtaXR0ZWQoZCwgcGlycSkg
KQorICAgIGlmICggIWlzX2h2bV9kb21haW4oZCkgJiYgIXBpcnFfYWNjZXNz
X3Blcm1pdHRlZChkLCBwaXJxKSApCiAgICAgICAgIHJldHVybiAtRVBFUk07
CiAKICAgICBzcGluX2xvY2soJmQtPmV2ZW50X2xvY2spOwotLS0gYS94ZW4v
aW5jbHVkZS94ZW4vaW9jYXAuaAorKysgYi94ZW4vaW5jbHVkZS94ZW4vaW9j
YXAuaApAQCAtMjgsNCArMjgsMjIgQEAKICNkZWZpbmUgaXJxX2FjY2Vzc19w
ZXJtaXR0ZWQoZCwgaSkgICAgICAgICAgICAgICAgICAgICAgXAogICAgIHJh
bmdlc2V0X2NvbnRhaW5zX3NpbmdsZXRvbigoZCktPmlycV9jYXBzLCBpKQog
CisjZGVmaW5lIHBpcnFfcGVybWl0X2FjY2VzcyhkLCBpKSAoeyAgICAgICAg
ICAgICAgICAgICAgIFwKKyAgICBzdHJ1Y3QgZG9tYWluICpkX18gPSAoZCk7
ICAgICAgICAgICAgICAgICAgICAgICAgICAgXAorICAgIGludCBpX18gPSBk
b21haW5fcGlycV90b19pcnEoZF9fLCBpKTsgICAgICAgICAgICAgICBcCisg
ICAgaV9fID4gMCA/IHJhbmdlc2V0X2FkZF9zaW5nbGV0b24oZF9fLT5pcnFf
Y2FwcywgaV9fKVwKKyAgICAgICAgICAgIDogLUVJTlZBTDsgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgXAorfSkKKyNkZWZpbmUgcGlycV9k
ZW55X2FjY2VzcyhkLCBpKSAoeyAgICAgICAgICAgICAgICAgICAgICAgXAor
ICAgIHN0cnVjdCBkb21haW4gKmRfXyA9IChkKTsgICAgICAgICAgICAgICAg
ICAgICAgICAgICBcCisgICAgaW50IGlfXyA9IGRvbWFpbl9waXJxX3RvX2ly
cShkX18sIGkpOyAgICAgICAgICAgICAgIFwKKyAgICBpX18gPiAwID8gcmFu
Z2VzZXRfcmVtb3ZlX3NpbmdsZXRvbihkX18tPmlycV9jYXBzLCBpX18pXAor
ICAgICAgICAgICAgOiAtRUlOVkFMOyAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICBcCit9KQorI2RlZmluZSBwaXJxX2FjY2Vzc19wZXJtaXR0
ZWQoZCwgaSkgKHsgICAgICAgICAgICAgICAgICBcCisgICAgc3RydWN0IGRv
bWFpbiAqZF9fID0gKGQpOyAgICAgICAgICAgICAgICAgICAgICAgICAgIFwK
KyAgICByYW5nZXNldF9jb250YWluc19zaW5nbGV0b24oZF9fLT5pcnFfY2Fw
cywgICAgICAgICAgXAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICBkb21haW5fcGlycV90b19pcnEoZF9fLCBpKSk7XAorfSkKKwogI2VuZGlm
IC8qIF9fWEVOX0lPQ0FQX0hfXyAqLwo=

--=separator
Content-Type: application/octet-stream; name="xsa46-4.2.patch"
Content-Disposition: attachment; filename="xsa46-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa46-unstable.patch"
Content-Disposition: attachment; filename="xsa46-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Apr 18 13:39:20 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 18 Apr 2013 13:39:20 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1USp0y-0004f7-6Q; Thu, 18 Apr 2013 13:36:40 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0v-0004eK-K8; Thu, 18 Apr 2013 13:36:38 +0000
Received: from [85.158.138.51:41587] by server-11.bemta-3.messagelabs.com id
	52/46-01263-4E6FF615; Thu, 18 Apr 2013 13:36:36 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-174.messagelabs.com!1366292194!29032550!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=2.0 required=7.0 tests=SUBJECT_RANDOMQ
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 21264 invoked from network); 18 Apr 2013 13:36:35 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Apr 2013 13:36:35 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0i-00024w-JO; Thu, 18 Apr 2013 13:36:24 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0i-0002mC-Gc; Thu, 18 Apr 2013 13:36:24 +0000
Date: Thu, 18 Apr 2013 13:36:24 +0000
Message-Id: <E1USp0i-0002mC-Gc@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 46 (CVE-2013-1919) - Several
 access permission issues with IRQs for unprivileged guests
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1919 / XSA-46
                              version 3

     Several access permission issues with IRQs for unprivileged guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Various IRQ related access control operations may not have the
intended effect, thus potentially permitting a stub domain to grant
its client domain access to an IRQ it doesn't have access to itself.

IMPACT
======

Malicious or buggy stub domain kernels can mount a denial of service
attack possibly affecting the whole system.

VULNERABLE SYSTEMS
==================

Only Xen systems using stub domains are vulnerable.

Only guests with passed-through IRQs or PCI devices are able to
exploit the vulnerability.

It is remotely possible that PV guests with passthrough IRQs or
devices may also be able to exploit this vulnerability, although we
think this is unlikely.

MITIGATION
==========

Servicing HVM guests with passthrough IRQs or PCI devices in dom0 (ie,
not using a stub domain device model) should avoid this vulnerability.

Reconfiguring the system to disable IRQ/PCI passthrough and instead
providing the guests with appropriate paravirtualised facilities will
avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa46-4.1.patch             Xen 4.1.x
xsa46-4.2.patch             Xen 4.2.x
xsa46-unstable.patch        xen-unstable

$ sha256sum xsa46*.patch
3b2ea317c1cf2ba428cc14946d030d38294747fef2beeb16eba30bcf3b1bc2cc  xsa46-4.1.patch
822da2303f1fc69648d7a29eb72fdda8e64baab3edc0e1548456d31e66ed1d7c  xsa46-4.2.patch
6987201720ef8af89a4682bddc33f639e1f87dc12f1ea7aee1f2e0481b1e909c  xsa46-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa46-4.1.patch"
Content-Disposition: attachment; filename="xsa46-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa46-4.2.patch"
Content-Disposition: attachment; filename="xsa46-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa46-unstable.patch"
Content-Disposition: attachment; filename="xsa46-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--


From xen-announce-bounces@lists.xen.org Thu Apr 18 13:41:47 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 18 Apr 2013 13:41:47 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1USp40-0005Gt-Oy; Thu, 18 Apr 2013 13:39:48 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp3x-0005G0-92; Thu, 18 Apr 2013 13:39:45 +0000
Received: from [193.109.254.147:43884] by server-4.bemta-14.messagelabs.com id
	AC/09-17387-F97FF615; Thu, 18 Apr 2013 13:39:43 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-27.messagelabs.com!1366292189!1664356!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 21244 invoked from network); 18 Apr 2013 13:36:31 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-14.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Apr 2013 13:36:31 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0e-00024n-08; Thu, 18 Apr 2013 13:36:20 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USp0d-0002lj-Ax; Thu, 18 Apr 2013 13:36:19 +0000
Date: Thu, 18 Apr 2013 13:36:19 +0000
Message-Id: <E1USp0d-0002lj-Ax@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 44 (CVE-2013-1917) - Xen PV
 DoS vulnerability with SYSENTER
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1917 / XSA-44
                              version 2

                Xen PV DoS vulnerability with SYSENTER

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS
==================

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable.  32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa44-4.1.patch             Xen 4.1.x
xsa44-4.2.patch             Xen 4.2.x
xsa44-unstable.patch        xen-unstable

$ sha256sum xsa44*.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783  xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49  xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36  xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa44-4.1.patch"
Content-Disposition: attachment; filename="xsa44-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa44-4.2.patch"
Content-Disposition: attachment; filename="xsa44-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa44-unstable.patch"
Content-Disposition: attachment; filename="xsa44-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--=separator--
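
The fault chain in the XSA-44 issue description above, as an added example that is not part of the advisory or of its attached patches: a user-space C model of how EFLAGS.NT survives SYSENTER and makes both the hypervisor's IRET and its recovery IRET fault. The `entry_clears_nt` switch models one hardening (clearing NT on the SYSENTER entry path) and is an assumption of this model; all function names and the sample EFLAGS values are constructed.

```c
/* Added illustration: models flag state only. Nothing here executes
 * SYSENTER or IRET; the "CPU" is a 32-bit flags word. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define X86_EFLAGS_IF 0x00000200u /* interrupt enable */
#define X86_EFLAGS_NT 0x00004000u /* nested task, bit 14 */
#define X86_EFLAGS_VM 0x00020000u /* virtual-8086 mode */

enum outcome { RETURNED_TO_GUEST, HOST_CRASH };

struct result {
    enum outcome outcome;
    int gp_faults;           /* #GP faults taken inside the hypervisor */
    uint32_t eflags_at_iret; /* flags live when the first IRET runs */
};

/* SYSENTER clears VM and IF and leaves every other flag, NT included,
 * as user space had it. */
static uint32_t model_sysenter(uint32_t eflags)
{
    return eflags & ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
}

/* In 64-bit mode IRET with NT set raises #GP, because the nested-task
 * return it asks for is not supported there. */
static bool model_iret_raises_gp(uint32_t eflags)
{
    return (eflags & X86_EFLAGS_NT) != 0;
}

/* One PV guest system call entered with SYSENTER and left with IRET.
 * entry_clears_nt == false is the behaviour the advisory describes;
 * true is the assumed hardened entry path. */
static struct result pv_sysenter_roundtrip(uint32_t guest_eflags,
                                           bool entry_clears_nt)
{
    struct result r = { RETURNED_TO_GUEST, 0, 0 };
    uint32_t eflags = model_sysenter(guest_eflags);

    if (entry_clears_nt)
        eflags &= ~X86_EFLAGS_NT;
    r.eflags_at_iret = eflags;

    if (!model_iret_raises_gp(eflags))
        return r;            /* normal return to the guest */

    r.gp_faults++;           /* first IRET faulted */

    /* The recovery code retries IRET without touching NT, so the same
     * condition holds and the second #GP is fatal. */
    if (model_iret_raises_gp(eflags)) {
        r.gp_faults++;
        r.outcome = HOST_CRASH;
    }
    return r;
}

int main(void)
{
    /* Constructed sample flag words: a typical user-mode value, and the
     * same value with NT set. */
    const uint32_t samples[] = { 0x00000202u, 0x00000202u | X86_EFLAGS_NT };

    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        for (int hardened = 0; hardened <= 1; hardened++) {
            struct result r = pv_sysenter_roundtrip(samples[i], hardened);
            printf("guest eflags=%#010x hardened=%d -> %s (#GP count %d)\n",
                   (unsigned)samples[i], hardened,
                   r.outcome == HOST_CRASH ? "host crash" : "returned",
                   r.gp_faults);
        }
    }
    return 0;
}
```
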


From xen-announce-bounces@lists.xen.org Thu Apr 18 13:53:29 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 18 Apr 2013 13:53:29 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1USpF2-00074H-B8; Thu, 18 Apr 2013 13:51:12 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USpEz-00073m-Ul; Thu, 18 Apr 2013 13:51:10 +0000
Received: from [85.158.143.99:40264] by server-2.bemta-4.messagelabs.com id
	20/F7-12656-D4AFF615; Thu, 18 Apr 2013 13:51:09 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-216.messagelabs.com!1366293063!21880990!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 3178 invoked from network); 18 Apr 2013 13:51:04 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-216.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Apr 2013 13:51:04 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USpEl-0002GE-NE; Thu, 18 Apr 2013 13:50:55 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USpEl-00036n-C9; Thu, 18 Apr 2013 13:50:55 +0000
Date: Thu, 18 Apr 2013 13:50:55 +0000
Message-Id: <E1USpEl-00036n-C9@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 44 (CVE-2013-1917) - Xen PV
 DoS vulnerability with SYSENTER
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1917 / XSA-44
                              version 3

                Xen PV DoS vulnerability with SYSENTER

UPDATES IN VERSION 3
====================

Backported patch for 4.0 now available.

ISSUE DESCRIPTION
=================

The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS
==================

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable.  32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa44-4.0.patch             Xen 4.0.x
xsa44-4.1.patch             Xen 4.1.x
xsa44-4.2.patch             Xen 4.2.x
xsa44-unstable.patch        xen-unstable

$ sha256sum xsa44*.patch
4de554d29adbae41a65d401becd9d074be27932ad9f3e0ed78ecb89de3ed35b5  xsa44-4.0.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783  xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49  xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36  xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Apr 18 15:18:36 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 18 Apr 2013 15:18:36 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1USqZX-0004kX-D3; Thu, 18 Apr 2013 15:16:27 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USqZV-0004k3-AU; Thu, 18 Apr 2013 15:16:25 +0000
Received: from [85.158.137.99:16974] by server-15.bemta-3.messagelabs.com id
	A5/A6-23142-84E00715; Thu, 18 Apr 2013 15:16:24 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-7.tower-217.messagelabs.com!1366298182!12363928!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 18447 invoked from network); 18 Apr 2013 15:16:23 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-7.tower-217.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Apr 2013 15:16:23 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USqZL-0003Lx-Lj; Thu, 18 Apr 2013 15:16:15 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1USqZL-0005h1-D2; Thu, 18 Apr 2013 15:16:15 +0000
Date: Thu, 18 Apr 2013 15:16:15 +0000
Message-Id: <E1USqZL-0005h1-D2@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 50 (CVE-2013-1964) - grant
 table hypercall acquire/release imbalance
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-1964 / XSA-50

            grant table hypercall acquire/release imbalance

ISSUE DESCRIPTION
=================

When releasing a non-v1 non-transitive grant after doing a grant copy
operation, Xen incorrectly recurses (as if for a transitive grant) and
releases an unrelated grant reference.

IMPACT
======

A malicious guest administrator can cause undefined behaviour;
depending on the dom0 kernel a host crash is possible, but information
leakage or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen 4.0 and 4.1 are vulnerable.  Any kind of guest can trigger the
vulnerability.

Xen 4.2 and xen-unstable, as well as Xen 3.x and earlier, are not
vulnerable.

MITIGATION
==========

Using only trustworthy guest kernels will avoid the vulnerability.

Using a debug build of Xen will eliminate the possible information
leak or privilege violation; instead, if the vulnerability is
attacked, Xen will crash.

NOTE REGARDING EMBARGO
======================

A crash resulting from this bug has been reported by a user on the
public xen-devel mailing list.  There is therefore no embargo.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa50-4.1.patch

$ sha256sum xsa50-*.patch
29f76073311a372dd30dd4788447850465d2575d5ff7b2c10912a69e4941fb21  xsa50-4.1.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
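
The XSA-44 and XSA-50 advisories above each carry a `sha256sum` listing inside the PGP-signed text, so a patch obtained separately can be checked before it is applied. The shell script below is an added example, not part of the advisories or of the Xen project's tooling; the function names and the sample file names (`advisory.txt`, `xsa-sample.patch`) are assumptions made for the example, and it assumes the advisory's signature has already been verified with `gpg --verify`.

```shell
#!/bin/sh
# Added example: check a downloaded XSA patch against the sha256sum listing
# in a saved advisory. Assumes the advisory's PGP signature has already been
# verified (gpg --verify); this script only compares digests.
# Usage: sh <this-script> ADVISORY PATCH

# Print the "<sha256>  <file>" lines that sit between the "$ sha256sum ..."
# prompt line and the closing "$" prompt line of an advisory. Only
# well-formed entries with a plain file name are kept, so a listing can
# never refer to a path outside the directory being checked. Carriage
# returns are stripped in case the mail was saved with CRLF line endings.
extract_checksums() {
    tr -d '\r' < "$1" |
        sed -n '/^\$ sha256sum /,/^\$[[:space:]]*$/p' |
        grep -E '^[0-9a-f]{64}  [A-Za-z0-9._-]+$'
}

# verify_patch ADVISORY PATCH
# Returns 0 on match, 1 on digest mismatch, 2 if the patch is not listed.
verify_patch() {
    advisory=$1
    patch=$2
    name=$(basename "$patch")
    expected=$(extract_checksums "$advisory" |
        awk -v n="$name" '$2 == n { print $1; exit }')
    if [ -z "$expected" ]; then
        echo "$name: not listed in $advisory" >&2
        return 2
    fi
    actual=$(sha256sum "$patch" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Constructed sample (not real Xen data): writes a stand-in patch and an
# advisory body laid out like the RESOLUTION sections above.
make_sample() {
    dir=$1
    printf 'constructed stand-in patch\n' > "$dir/xsa-sample.patch"
    {
        echo 'RESOLUTION'
        echo '=========='
        echo
        echo '$ sha256sum xsa-sample*.patch'
        ( cd "$dir" && sha256sum xsa-sample.patch )
        echo '$'
        echo '-----BEGIN PGP SIGNATURE-----'
    } > "$dir/advisory.txt"
}

# Command-line entry point: only runs when both arguments are given.
if [ "$#" -eq 2 ]; then
    verify_patch "$1" "$2"
    exit $?
fi
```
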


From xen-announce-bounces@lists.xen.org Thu Apr 25 10:45:13 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 25 Apr 2013 10:45:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1UVJdY-00068J-7Q; Thu, 25 Apr 2013 10:42:48 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1UVJdN-00067R-2y
	for xen-announce@lists.xen.org; Thu, 25 Apr 2013 10:42:37 +0000
Received: from [85.158.143.99:39702] by server-3.bemta-4.messagelabs.com id
	E1/3D-02186-C9809715; Thu, 25 Apr 2013 10:42:36 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-7.tower-216.messagelabs.com!1366886552!26612901!1
X-Originating-IP: [74.125.83.41]
X-SpamReason: No, hits=0.1 required=7.0 tests=HTML_50_60,HTML_MESSAGE
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 30122 invoked from network); 25 Apr 2013 10:42:32 -0000
Received: from mail-ee0-f41.google.com (HELO mail-ee0-f41.google.com)
	(74.125.83.41)
	by server-7.tower-216.messagelabs.com with RC4-SHA encrypted SMTP;
	25 Apr 2013 10:42:32 -0000
Received: by mail-ee0-f41.google.com with SMTP id c50so848273eek.14
	for <xen-announce@lists.xen.org>; Thu, 25 Apr 2013 03:42:32 -0700 (PDT)
X-Received: by 10.15.22.199 with SMTP id f47mr74196310eeu.11.1366886552233;
	Thu, 25 Apr 2013 03:42:32 -0700 (PDT)
Received: from [172.16.26.11] ([151.226.27.255])
	by mx.google.com with ESMTPSA id d47sm9632744eem.9.2013.04.25.03.42.30
	for <xen-announce@lists.xen.org>
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 25 Apr 2013 03:42:31 -0700 (PDT)
Message-ID: <51790895.7030408@xen.org>
Date: Thu, 25 Apr 2013 11:42:29 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: xen-announce@lists.xen.org
References: <517901CC.2040203@xen.org>
In-Reply-To: <517901CC.2040203@xen.org>
X-Forwarded-Message-Id: <517901CC.2040203@xen.org>
X-Mailman-Approved-At: Thu, 25 Apr 2013 10:42:46 +0000
Subject: [Xen-announce] Xen 4.1.5 released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============4704625352750690909=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============4704625352750690909==
Content-Type: multipart/alternative;
 boundary="------------090304080107060504070608"

This is a multi-part message in MIME format.
--------------090304080107060504070608
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit




-------- Original Message --------
Subject: 	[Xen-devel] [ANNOUNCE] Xen 4.1.5 released
Date: 	Thu, 25 Apr 2013 10:56:52 +0100
From: 	Jan Beulich <JBeulich@suse.com>
To: 	xen-devel <xen-devel@lists.xen.org>



All,

I am pleased to announce the release of Xen 4.1.5. This is
available immediately from its git repository:
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.1
(tag RELEASE-4.1.5) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-41-series/xen-415.html

This fixes the following critical vulnerabilities:
  * CVE-2012-5634 / XSA-33:
     VT-d interrupt remapping source validation flaw
  * CVE-2013-0153 / XSA-36:
     interrupt remap entries shared and old ones not cleared on AMD IOMMUs
  * CVE-2013-0215 / XSA-38:
     oxenstored incorrect handling of certain Xenbus ring states
  * CVE-2012-6075 / XSA-41:
     qemu (e1000 device driver): Buffer overflow when processing large packets
  * CVE-2013-1917 / XSA-44:
     Xen PV DoS vulnerability with SYSENTER
  * CVE-2013-1919 / XSA-46:
     Several access permission issues with IRQs for unprivileged guests
  * CVE-2013-1920 / XSA-47:
     Potential use of freed memory in event channel operations
  * CVE-2013-1964 / XSA-50:
     grant table hypercall acquire/release imbalance

We recommend all users of the 4.1 stable series to update to this
latest point release.

Among many bug fixes and improvements (around 50 since Xen 4.1.4):
  * ACPI APEI/ERST finally working on production systems
  * Bug fixes for other low level system state handling
  * Support for xz compressed Dom0 and DomU kernels

Regards,
Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel






--------------090304080107060504070608--


--===============4704625352750690909==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--===============4704625352750690909==--


From xen-announce-bounces@lists.xen.org Thu Apr 25 10:45:13 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 25 Apr 2013 10:45:13 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1UVJdY-00068J-7Q; Thu, 25 Apr 2013 10:42:48 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1UVJdN-00067R-2y
	for xen-announce@lists.xen.org; Thu, 25 Apr 2013 10:42:37 +0000
Received: from [85.158.143.99:39702] by server-3.bemta-4.messagelabs.com id
	E1/3D-02186-C9809715; Thu, 25 Apr 2013 10:42:36 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-7.tower-216.messagelabs.com!1366886552!26612901!1
X-Originating-IP: [74.125.83.41]
X-SpamReason: No, hits=0.1 required=7.0 tests=HTML_50_60,HTML_MESSAGE
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 30122 invoked from network); 25 Apr 2013 10:42:32 -0000
Received: from mail-ee0-f41.google.com (HELO mail-ee0-f41.google.com)
	(74.125.83.41)
	by server-7.tower-216.messagelabs.com with RC4-SHA encrypted SMTP;
	25 Apr 2013 10:42:32 -0000
Received: by mail-ee0-f41.google.com with SMTP id c50so848273eek.14
	for <xen-announce@lists.xen.org>; Thu, 25 Apr 2013 03:42:32 -0700 (PDT)
X-Received: by 10.15.22.199 with SMTP id f47mr74196310eeu.11.1366886552233;
	Thu, 25 Apr 2013 03:42:32 -0700 (PDT)
Received: from [172.16.26.11] ([151.226.27.255])
	by mx.google.com with ESMTPSA id d47sm9632744eem.9.2013.04.25.03.42.30
	for <xen-announce@lists.xen.org>
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 25 Apr 2013 03:42:31 -0700 (PDT)
Message-ID: <51790895.7030408@xen.org>
Date: Thu, 25 Apr 2013 11:42:29 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: xen-announce@lists.xen.org
References: <517901CC.2040203@xen.org>
In-Reply-To: <517901CC.2040203@xen.org>
X-Forwarded-Message-Id: <517901CC.2040203@xen.org>
X-Mailman-Approved-At: Thu, 25 Apr 2013 10:42:46 +0000
Subject: [Xen-announce] Xen 4.1.5 released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============4704625352750690909=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============4704625352750690909==
Content-Type: multipart/alternative;
 boundary="------------090304080107060504070608"

This is a multi-part message in MIME format.
--------------090304080107060504070608
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit




-------- Original Message --------
Subject: 	[Xen-devel] [ANNOUNCE] Xen 4.1.5 released
Date: 	Thu, 25 Apr 2013 10:56:52 +0100
From: 	Jan Beulich <JBeulich@suse.com>
To: 	xen-devel <xen-devel@lists.xen.org>



All,

I am pleased to announce the release of Xen 4.1.5. This is
available immediately from its git repository:
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.1
(tag RELEASE-4.1.5) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-41-series/xen-415.html

This fixes the following critical vulnerabilities:
  * CVE-2012-5634 / XSA-33:
     VT-d interrupt remapping source validation flaw
  * CVE-2013-0153 / XSA-36:
     interrupt remap entries shared and old ones not cleared on AMD IOMMUs
  * CVE-2013-0215 / XSA-38:
     oxenstored incorrect handling of certain Xenbus ring states
  * CVE-2012-6075 / XSA-41:
     qemu (e1000 device driver): Buffer overflow when processing large packets
  * CVE-2013-1917 / XSA-44:
     Xen PV DoS vulnerability with SYSENTER
  * CVE-2013-1919 / XSA-46:
     Several access permission issues with IRQs for unprivileged guests
  * CVE-2013-1920 / XSA-47:
     Potential use of freed memory in event channel operations
  * CVE-2013-1964 / XSA-50:
     grant table hypercall acquire/release imbalance

We recommend all users of the 4.1 stable series to update to this
latest point release.

Among many bug fixes and improvements (around 50 since Xen 4.1.4):
  * ACPI APEI/ERST finally working on production systems
  * Bug fixes for other low level system state handling
  * Support for xz compressed Dom0 and DomU kernels

Regards,
Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel






--------------090304080107060504070608--


--===============4704625352750690909==--


From xen-announce-bounces@lists.xen.org Thu Apr 25 10:45:14 2013
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 25 Apr 2013 10:45:14 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1UVJdX-00068A-Js; Thu, 25 Apr 2013 10:42:47 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1UVJd1-00065w-LE
	for xen-announce@lists.xen.org; Thu, 25 Apr 2013 10:42:15 +0000
Received: from [193.109.254.147:31790] by server-16.bemta-14.messagelabs.com
	id 86/D3-29589-68809715; Thu, 25 Apr 2013 10:42:14 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-16.tower-27.messagelabs.com!1366886530!9179382!1
X-Originating-IP: [209.85.215.173]
X-SpamReason: No, hits=0.6 required=7.0 tests=HTML_40_50,HTML_MESSAGE
X-StarScan-Received: 
X-StarScan-Version: 6.8.6.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 19687 invoked from network); 25 Apr 2013 10:42:11 -0000
Received: from mail-ea0-f173.google.com (HELO mail-ea0-f173.google.com)
	(209.85.215.173)
	by server-16.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	25 Apr 2013 10:42:11 -0000
Received: by mail-ea0-f173.google.com with SMTP id m14so1197956eaj.32
	for <xen-announce@lists.xen.org>; Thu, 25 Apr 2013 03:42:10 -0700 (PDT)
X-Received: by 10.15.95.74 with SMTP id bc50mr49038328eeb.36.1366886530506;
	Thu, 25 Apr 2013 03:42:10 -0700 (PDT)
Received: from [172.16.26.11] ([151.226.27.255])
	by mx.google.com with ESMTPSA id n48sm9610790eeg.12.2013.04.25.03.42.08
	for <xen-announce@lists.xen.org>
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 25 Apr 2013 03:42:09 -0700 (PDT)
Message-ID: <5179087E.7010401@xen.org>
Date: Thu, 25 Apr 2013 11:42:06 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: xen-announce@lists.xen.org
References: <5179019D.6000805@xen.org>
In-Reply-To: <5179019D.6000805@xen.org>
X-Forwarded-Message-Id: <5179019D.6000805@xen.org>
X-Mailman-Approved-At: Thu, 25 Apr 2013 10:42:46 +0000
Subject: [Xen-announce] Xen 4.2.2 released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============5915725113315646620=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============5915725113315646620==
Content-Type: multipart/alternative;
 boundary="------------090008090304030501030804"

This is a multi-part message in MIME format.
--------------090008090304030501030804
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



-------- Original Message --------
Subject: 	[Xen-devel] [ANNOUNCE] Xen 4.2.2 released
Date: 	Thu, 25 Apr 2013 10:56:02 +0100
From: 	Jan Beulich <JBeulich@suse.com>
To: 	xen-devel <xen-devel@lists.xen.org>



All,

I am pleased to announce the release of Xen 4.2.2. This is
available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2
(tag RELEASE-4.2.2) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-422.html

This fixes the following critical vulnerabilities:
  * CVE-2012-5634 / XSA-33:
     VT-d interrupt remapping source validation flaw
  * CVE-2013-0151 / XSA-34:
     nested virtualization on 32-bit exposes host crash
  * CVE-2013-0152 / XSA-35:
     Nested HVM exposes host to being driven out of memory by guest
  * CVE-2013-0153 / XSA-36:
     interrupt remap entries shared and old ones not cleared on AMD IOMMUs
  * CVE-2013-0154 / XSA-37:
     Hypervisor crash due to incorrect ASSERT (debug build only)
  * CVE-2013-0215 / XSA-38:
     oxenstored incorrect handling of certain Xenbus ring states
  * CVE-2012-6075 / XSA-41:
     qemu (e1000 device driver): Buffer overflow when processing large packets
  * CVE-2013-1917 / XSA-44:
     Xen PV DoS vulnerability with SYSENTER
  * CVE-2013-1919 / XSA-46:
     Several access permission issues with IRQs for unprivileged guests
  * CVE-2013-1920 / XSA-47:
     Potential use of freed memory in event channel operations
  * CVE-2013-1922 / XSA-48:
     qemu-nbd format-guessing due to missing format specification

We recommend all users of the 4.2 stable series to update to this
point release.

Among many bug fixes and improvements (around 100 since Xen 4.2.1):
  * ACPI APEI/ERST finally working on production systems
  * Bug fixes for other low level system state handling
  * Bug fixes and improvements to the libxl tool stack
  * Bug fixes to nested virtualization

Regards,
Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel






--------------090008090304030501030804--


--===============5915725113315646620==--




