From xen-announce-bounces@lists.xen.org Tue Jun 03 12:26:03 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 03 Jun 2014 12:26:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlo-0002mm-WA; Tue, 03 Jun 2014 12:24:48 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnln-0002mS-Vp; Tue, 03 Jun 2014 12:24:48 +0000 Received: from [85.158.137.68:8107] by server-7.bemta-3.messagelabs.com id DB/6C-04151-E8EBD835; Tue, 03 Jun 2014 12:24:46 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-31.messagelabs.com!1401798284!7758739!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 13356 invoked from network); 3 Jun 2014 12:24:46 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-8.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 3 Jun 2014 12:24:46 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WrnlR-0001nH-Ff; Tue, 03 Jun 2014 12:24:25 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WrnlP-0000qv-HL; Tue, 03 Jun 2014 12:24:23 +0000 Date: Tue, 03 Jun 2014 12:24:23 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 54 (CVE-2013-2078) - Hypervisor crash due to missing exception recovery on XSETBV X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-2078 / XSA-54 version 4 Hypervisor crash due to missing exception recovery on XSETBV UPDATES IN VERSION 4 ==================== Reduce vulnerable range of versions to 4.1 and onwards. ISSUE DESCRIPTION ================= Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn't check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf of the guest. IMPACT ====== Malicious or buggy unprivileged user space can cause the entire host to crash. VULNERABLE SYSTEMS ================== Xen 4.1 and onwards are vulnerable when run on systems with processors supporting XSAVE. Only PV guests can exploit the vulnerability. In Xen 4.1 XSAVE support is disabled by default; therefore systems running these versions are not vulnerable unless support is explicitly enabled using the "xsave" hypervisor command line option. Systems using processors not supporting XSAVE are not vulnerable. Xen 3.x and earlier are not vulnerable. In particular, Xen 4.0.x is not vulnerable because XSAVE support there covers only HVM guests. MITIGATION ========== Turning off XSAVE support via the "no-xsave" hypervisor command line option will avoid the vulnerability. RESOLUTION ========== Applying the attached patch resolves this issue. xsa54.patch Xen 4.1.x, Xen 4.2.x, xen-unstable $ sha256sum xsa54-*.patch 5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7 xsa54.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTjb4yAAoJEIP+FMlX6CvZTvcIAJW1kkoJDpYy3m2CUFux5FeN rft9S+iPrh45/B67VuHOnaEfpcBQ/71+jKEjJQ8kJdJnWmP6i+kAuoVKma/PkY9x VkeNM//9gM1UKp581p0yQp61Yw46hiREWDkue+VsnMIl88w/EV2Yv5R2LQaPMinZ TM08EdK/lgERYQ2LSdkc55kE/jHoenBMBYjnCJPBYJY1jPdgJo488ZTpol/opqaM o99/ziUPfa30KXHFtgq1iQs7qu+boMEv/QfRSC3xQS1tTSaXqnuPVDlz6tXBkrW9 AI5Mx1cJMSrd02KBMsaZvjQVaDjVO3L1svfEXvjeUmbGuE+hx0jvglblS6+i2Z4= =SnXC -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa54.patch" Content-Disposition: attachment; filename="xsa54.patch" Content-Transfer-Encoding: base64 eDg2L3hzYXZlOiBwcm9wZXJseSBjaGVjayBndWVzdCBpbnB1dCB0byBYU0VU QlYKCk90aGVyIHRoYW4gdGhlIEhWTSBlbXVsYXRpb24gcGF0aCwgdGhlIFBW IGNhc2Ugc28gZmFyIGZhaWxlZCB0byBjaGVjawp0aGF0IFlNTSBzdGF0ZSBy ZXF1aXJlcyBTU0Ugc3RhdGUgdG8gYmUgZW5hYmxlZCwgYWxsb3dpbmcgZm9y IGEgI0dQIHRvCm9jY3VyIHVwb24gcGFzc2luZyB0aGUgaW5wdXRzIHRvIFhT RVRCViBpbnNpZGUgdGhlIGh5cGVydmlzb3IuCgpUaGlzIGlzIENWRS0yMDEz LTIwNzggLyBYU0EtNTQuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvdHJhcHMu YworKysgYi94ZW4vYXJjaC94ODYvdHJhcHMuYwpAQCAtMjIwNSw2ICsyMjA1 LDExIEBAIHN0YXRpYyBpbnQgZW11bGF0ZV9wcml2aWxlZ2VkX29wKHN0cnVj dCAKICAgICAgICAgICAgICAgICAgICAgaWYgKCAhKG5ld194ZmVhdHVyZSAm IFhTVEFURV9GUCkgfHwgKG5ld194ZmVhdHVyZSAmIH54ZmVhdHVyZV9tYXNr KSApCiAgICAgICAgICAgICAgICAgICAgICAgICBnb3RvIGZhaWw7CiAKKyAg ICAgICAgICAgICAgICAgICAgLyogWU1NIHN0YXRlIHRha2VzIFNTRSBzdGF0 ZSBhcyBwcmVyZXF1aXNpdGUuICovCisgICAgICAgICAgICAgICAgICAgIGlm ICggKHhmZWF0dXJlX21hc2sgJiBuZXdfeGZlYXR1cmUgJiBYU1RBVEVfWU1N KSAmJgorICAgICAgICAgICAgICAgICAgICAgICAgICEobmV3X3hmZWF0dXJl ICYgWFNUQVRFX1NTRSkgKQorICAgICAgICAgICAgICAgICAgICAgICAgZ290 byBmYWlsOworCiAgICAgICAgICAgICAgICAgICAgIHYtPmFyY2gueGNyMCA9 IG5ld194ZmVhdHVyZTsKICAgICAgICAgICAgICAgICAgICAgdi0+YXJjaC54 Y3IwX2FjY3VtIHw9IG5ld194ZmVhdHVyZTsKICAgICAgICAgICAgICAgICAg ICAgc2V0X3hjcjAobmV3X3hmZWF0dXJlKTsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Jun 03 12:26:03 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 03 Jun 2014 12:26:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlt-0002oJ-LO; Tue, 03 Jun 2014 12:24:53 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlr-0002ng-Pn; Tue, 03 Jun 2014 12:24:51 +0000 Received: from [85.158.143.35:16704] by server-3.bemta-4.messagelabs.com id DC/2D-13602-29EBD835; Tue, 03 Jun 2014 12:24:50 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-7.tower-21.messagelabs.com!1401798289!8945186!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 9431 invoked from network); 3 Jun 2014 12:24:50 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-7.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 3 Jun 2014 12:24:50 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlb-0001nR-9W; Tue, 03 Jun 2014 12:24:35 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WrnlZ-0000ry-NR; Tue, 03 Jun 2014 12:24:33 +0000 Date: Tue, 03 Jun 2014 12:24:33 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 96 - Vulnerabilities in HVM MSI injection X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-96 version 2 Vulnerabilities in HVM MSI injection UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de- referencing it. Furthermore that same code also handles certain errors by logging messages, without (under default settings) at least making these messages subject to rate limiting. IMPACT ====== The NULL pointer de-reference would lead to a host crash, and hence a denial of service would result. Since host and guest page tables are fully separated for HVM guests, the guest would not be able to leverage the vulnerability for other kinds of attacks (privilege escalation or information leak). The spamming of the hypervisor log could similarly lead to a denial of service. In a configuration where device models run with limited privilege (for example, stubdom device models), a guest attacker who successfully finds and exploits an unfixed security flaw in qemu-dm could leverage the other flaw into a Denial of Service affecting the whole host. In the more general case, in more abstract terms: a malicious administrator of a domain privileged with regard to an HVM guest can cause Xen to become unresponsive leading to a Denial of Service. VULNERABLE SYSTEMS ================== All Xen versions from 4.2 onwards are vulnerable. The vulnerability is only exposed to service domains for HVM guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm). In the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable. The situation is more subtle for an HVM guest with a stub qemu-dm. That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). The same applies with a qemu-dm in a dom0 process subjected to some kind kernel-based process privilege limitation (eg the chroot technique as found in some versions of XCP/XenServer). In those latter situations this issue means that the extra isolation does not provide as good a defence (against denial of service) as intended. That is the essence of this vulnerability. However, the security is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm. Finally, in a radically disaggregated system: where the HVM service domain software (probably, the device model domain image) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. In a radically disaggregated system, restricting HVM service domains to software images approved by the host administrator will avoid the vulnerability. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa96.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa96*.patch 1b64beddf8f6e9c08af24676551c18fd778a8db65a6c24fec07cc7e95531e2af xsa96.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTjb4eAAoJEIP+FMlX6CvZQkQIALjKap2DRMbpr8GPUp91zMoL DdDqVnmgQo1GD8zF/CE0PBDXlIhU28tJ2XZmeePcwA4cRnacxxJTQhb3bp2ZJd6F hJ82UxDGUZy1uZV7IA+ji2pdECBg30r2i7Ukj4kX3FZHM+PZjcxHowVxEXVMxF// 8HGWwvB3b56HqbCZ7donLvU+uaG1voPF6zV9Dutu4UwC5tTkqdJ8qNqz/kfn69Ug Abn5uNOJQXRjY7kcegTO4uFB9iL5+LUDfWdUTghVYxITlfGSRF18IbhUk8P61u+H v75OEk/tO5kMORpMRgnhqTMyPaWEaCHUeZU+5lBxZvHYGbabAuvuW06zr9vXG3s= =ZSzI -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa96.patch" Content-Disposition: attachment; filename="xsa96.patch" Content-Transfer-Encoding: base64 eDg2L0hWTTogZWxpbWluYXRlIHZ1bG5lcmFiaWxpdGllcyBmcm9tIGh2bV9p bmplY3RfbXNpKCkKCi0gcGlycV9pbmZvKCkgcmV0dXJucyBOVUxMIGZvciBh IG5vbi1hbGxvY2F0ZWQgcElSUSwgYW5kIGhlbmNlIHdlCiAgbXVzdG4ndCB1 bmNvbmRpdGlvbmFsbHkgZGUtcmVmZXJlbmNlIGl0LCBhbmQgd2UgbmVlZCB0 byBpbnZva2UgaXQKICBhbm90aGVyIHRpbWUgYWZ0ZXIgaGF2aW5nIGNhbGxl ZCBtYXBfZG9tYWluX2VtdWlycV9waXJxKCkKLSBkb24ndCB1c2UgcHJpbnRr KCksIG5hbWVseSB3aXRob3V0IFhFTkxPR19HVUVTVCwgZm9yIGVycm9yIHJl cG9ydGluZwoKVGhpcyBpcyBYU0EtOTYuCgpTaWduZWQtb2ZmLWJ5OiBKYW4g QmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94 ODYvaHZtL2lycS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vaXJxLmMKQEAg LTI4OSwyMCArMjg5LDE4IEBAIHZvaWQgaHZtX2luamVjdF9tc2koc3RydWN0 IGRvbWFpbiAqZCwgdWkKICAgICAgICAgICAgIHN0cnVjdCBwaXJxICppbmZv ID0gcGlycV9pbmZvKGQsIHBpcnEpOwogCiAgICAgICAgICAgICAvKiBpZiBp dCBpcyB0aGUgZmlyc3QgdGltZSwgYWxsb2NhdGUgdGhlIHBpcnEgKi8KLSAg ICAgICAgICAgIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgPT0gSVJRX1VO Qk9VTkQpCisgICAgICAgICAgICBpZiAoICFpbmZvIHx8IGluZm8tPmFyY2gu aHZtLmVtdWlycSA9PSBJUlFfVU5CT1VORCApCiAgICAgICAgICAgICB7CiAg ICAgICAgICAgICAgICAgc3Bpbl9sb2NrKCZkLT5ldmVudF9sb2NrKTsKICAg ICAgICAgICAgICAgICBtYXBfZG9tYWluX2VtdWlycV9waXJxKGQsIHBpcnEs IElSUV9NU0lfRU1VKTsKICAgICAgICAgICAgICAgICBzcGluX3VubG9jaygm ZC0+ZXZlbnRfbG9jayk7CisgICAgICAgICAgICAgICAgaW5mbyA9IHBpcnFf aW5mbyhkLCBwaXJxKTsKKyAgICAgICAgICAgICAgICBpZiAoICFpbmZvICkK KyAgICAgICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICAgfSBl bHNlIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgIT0gSVJRX01TSV9FTVUp Ci0gICAgICAgICAgICB7Ci0gICAgICAgICAgICAgICAgcHJpbnRrKCIlczog cGlycSAlZCBkb2VzIG5vdCBjb3JyZXNwb25kIHRvIGFuIGVtdWxhdGVkIE1T SVxuIiwgX19mdW5jX18sIHBpcnEpOwogICAgICAgICAgICAgICAgIHJldHVy bjsKLSAgICAgICAgICAgIH0KICAgICAgICAgICAgIHNlbmRfZ3Vlc3RfcGly cShkLCBpbmZvKTsKICAgICAgICAgICAgIHJldHVybjsKLSAgICAgICAgfSBl bHNlIHsKLSAgICAgICAgICAgIHByaW50aygiJXM6IGVycm9yIGdldHRpbmcg cGlycSBmcm9tIE1TSTogcGlycSA9ICVkXG4iLCBfX2Z1bmNfXywgcGlycSk7 CiAgICAgICAgIH0KICAgICB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Jun 03 12:26:03 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 03 Jun 2014 12:26:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlo-0002mm-WA; Tue, 03 Jun 2014 12:24:48 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnln-0002mS-Vp; Tue, 03 Jun 2014 12:24:48 +0000 Received: from [85.158.137.68:8107] by server-7.bemta-3.messagelabs.com id DB/6C-04151-E8EBD835; Tue, 03 Jun 2014 12:24:46 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-31.messagelabs.com!1401798284!7758739!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 13356 invoked from network); 3 Jun 2014 12:24:46 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-8.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 3 Jun 2014 12:24:46 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WrnlR-0001nH-Ff; Tue, 03 Jun 2014 12:24:25 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WrnlP-0000qv-HL; Tue, 03 Jun 2014 12:24:23 +0000 Date: Tue, 03 Jun 2014 12:24:23 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 54 (CVE-2013-2078) - Hypervisor crash due to missing exception recovery on XSETBV X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-2078 / XSA-54 version 4 Hypervisor crash due to missing exception recovery on XSETBV UPDATES IN VERSION 4 ==================== Reduce vulnerable range of versions to 4.1 and onwards. ISSUE DESCRIPTION ================= Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn't check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf of the guest. IMPACT ====== Malicious or buggy unprivileged user space can cause the entire host to crash. VULNERABLE SYSTEMS ================== Xen 4.1 and onwards are vulnerable when run on systems with processors supporting XSAVE. Only PV guests can exploit the vulnerability. In Xen 4.1 XSAVE support is disabled by default; therefore systems running these versions are not vulnerable unless support is explicitly enabled using the "xsave" hypervisor command line option. Systems using processors not supporting XSAVE are not vulnerable. Xen 3.x and earlier are not vulnerable. In particular, Xen 4.0.x is not vulnerable because XSAVE support there covers only HVM guests. MITIGATION ========== Turning off XSAVE support via the "no-xsave" hypervisor command line option will avoid the vulnerability. RESOLUTION ========== Applying the attached patch resolves this issue. xsa54.patch Xen 4.1.x, Xen 4.2.x, xen-unstable $ sha256sum xsa54-*.patch 5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7 xsa54.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTjb4yAAoJEIP+FMlX6CvZTvcIAJW1kkoJDpYy3m2CUFux5FeN rft9S+iPrh45/B67VuHOnaEfpcBQ/71+jKEjJQ8kJdJnWmP6i+kAuoVKma/PkY9x VkeNM//9gM1UKp581p0yQp61Yw46hiREWDkue+VsnMIl88w/EV2Yv5R2LQaPMinZ TM08EdK/lgERYQ2LSdkc55kE/jHoenBMBYjnCJPBYJY1jPdgJo488ZTpol/opqaM o99/ziUPfa30KXHFtgq1iQs7qu+boMEv/QfRSC3xQS1tTSaXqnuPVDlz6tXBkrW9 AI5Mx1cJMSrd02KBMsaZvjQVaDjVO3L1svfEXvjeUmbGuE+hx0jvglblS6+i2Z4= =SnXC -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa54.patch" Content-Disposition: attachment; filename="xsa54.patch" Content-Transfer-Encoding: base64 eDg2L3hzYXZlOiBwcm9wZXJseSBjaGVjayBndWVzdCBpbnB1dCB0byBYU0VU QlYKCk90aGVyIHRoYW4gdGhlIEhWTSBlbXVsYXRpb24gcGF0aCwgdGhlIFBW IGNhc2Ugc28gZmFyIGZhaWxlZCB0byBjaGVjawp0aGF0IFlNTSBzdGF0ZSBy ZXF1aXJlcyBTU0Ugc3RhdGUgdG8gYmUgZW5hYmxlZCwgYWxsb3dpbmcgZm9y IGEgI0dQIHRvCm9jY3VyIHVwb24gcGFzc2luZyB0aGUgaW5wdXRzIHRvIFhT RVRCViBpbnNpZGUgdGhlIGh5cGVydmlzb3IuCgpUaGlzIGlzIENWRS0yMDEz LTIwNzggLyBYU0EtNTQuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvdHJhcHMu YworKysgYi94ZW4vYXJjaC94ODYvdHJhcHMuYwpAQCAtMjIwNSw2ICsyMjA1 LDExIEBAIHN0YXRpYyBpbnQgZW11bGF0ZV9wcml2aWxlZ2VkX29wKHN0cnVj dCAKICAgICAgICAgICAgICAgICAgICAgaWYgKCAhKG5ld194ZmVhdHVyZSAm IFhTVEFURV9GUCkgfHwgKG5ld194ZmVhdHVyZSAmIH54ZmVhdHVyZV9tYXNr KSApCiAgICAgICAgICAgICAgICAgICAgICAgICBnb3RvIGZhaWw7CiAKKyAg ICAgICAgICAgICAgICAgICAgLyogWU1NIHN0YXRlIHRha2VzIFNTRSBzdGF0 ZSBhcyBwcmVyZXF1aXNpdGUuICovCisgICAgICAgICAgICAgICAgICAgIGlm ICggKHhmZWF0dXJlX21hc2sgJiBuZXdfeGZlYXR1cmUgJiBYU1RBVEVfWU1N KSAmJgorICAgICAgICAgICAgICAgICAgICAgICAgICEobmV3X3hmZWF0dXJl ICYgWFNUQVRFX1NTRSkgKQorICAgICAgICAgICAgICAgICAgICAgICAgZ290 byBmYWlsOworCiAgICAgICAgICAgICAgICAgICAgIHYtPmFyY2gueGNyMCA9 IG5ld194ZmVhdHVyZTsKICAgICAgICAgICAgICAgICAgICAgdi0+YXJjaC54 Y3IwX2FjY3VtIHw9IG5ld194ZmVhdHVyZTsKICAgICAgICAgICAgICAgICAg ICAgc2V0X3hjcjAobmV3X3hmZWF0dXJlKTsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Jun 03 12:26:03 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 03 Jun 2014 12:26:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlt-0002oJ-LO; Tue, 03 Jun 2014 12:24:53 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlr-0002ng-Pn; Tue, 03 Jun 2014 12:24:51 +0000 Received: from [85.158.143.35:16704] by server-3.bemta-4.messagelabs.com id DC/2D-13602-29EBD835; Tue, 03 Jun 2014 12:24:50 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-7.tower-21.messagelabs.com!1401798289!8945186!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 9431 invoked from network); 3 Jun 2014 12:24:50 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-7.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 3 Jun 2014 12:24:50 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Wrnlb-0001nR-9W; Tue, 03 Jun 2014 12:24:35 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WrnlZ-0000ry-NR; Tue, 03 Jun 2014 12:24:33 +0000 Date: Tue, 03 Jun 2014 12:24:33 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 96 - Vulnerabilities in HVM MSI injection X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-96 version 2 Vulnerabilities in HVM MSI injection UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de- referencing it. Furthermore that same code also handles certain errors by logging messages, without (under default settings) at least making these messages subject to rate limiting. IMPACT ====== The NULL pointer de-reference would lead to a host crash, and hence a denial of service would result. Since host and guest page tables are fully separated for HVM guests, the guest would not be able to leverage the vulnerability for other kinds of attacks (privilege escalation or information leak). The spamming of the hypervisor log could similarly lead to a denial of service. In a configuration where device models run with limited privilege (for example, stubdom device models), a guest attacker who successfully finds and exploits an unfixed security flaw in qemu-dm could leverage the other flaw into a Denial of Service affecting the whole host. In the more general case, in more abstract terms: a malicious administrator of a domain privileged with regard to an HVM guest can cause Xen to become unresponsive leading to a Denial of Service. VULNERABLE SYSTEMS ================== All Xen versions from 4.2 onwards are vulnerable. The vulnerability is only exposed to service domains for HVM guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm). In the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable. The situation is more subtle for an HVM guest with a stub qemu-dm. That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). The same applies with a qemu-dm in a dom0 process subjected to some kind kernel-based process privilege limitation (eg the chroot technique as found in some versions of XCP/XenServer). In those latter situations this issue means that the extra isolation does not provide as good a defence (against denial of service) as intended. That is the essence of this vulnerability. However, the security is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm. Finally, in a radically disaggregated system: where the HVM service domain software (probably, the device model domain image) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. In a radically disaggregated system, restricting HVM service domains to software images approved by the host administrator will avoid the vulnerability. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa96.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa96*.patch 1b64beddf8f6e9c08af24676551c18fd778a8db65a6c24fec07cc7e95531e2af xsa96.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTjb4eAAoJEIP+FMlX6CvZQkQIALjKap2DRMbpr8GPUp91zMoL DdDqVnmgQo1GD8zF/CE0PBDXlIhU28tJ2XZmeePcwA4cRnacxxJTQhb3bp2ZJd6F hJ82UxDGUZy1uZV7IA+ji2pdECBg30r2i7Ukj4kX3FZHM+PZjcxHowVxEXVMxF// 8HGWwvB3b56HqbCZ7donLvU+uaG1voPF6zV9Dutu4UwC5tTkqdJ8qNqz/kfn69Ug Abn5uNOJQXRjY7kcegTO4uFB9iL5+LUDfWdUTghVYxITlfGSRF18IbhUk8P61u+H v75OEk/tO5kMORpMRgnhqTMyPaWEaCHUeZU+5lBxZvHYGbabAuvuW06zr9vXG3s= =ZSzI -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa96.patch" Content-Disposition: attachment; filename="xsa96.patch" Content-Transfer-Encoding: base64 eDg2L0hWTTogZWxpbWluYXRlIHZ1bG5lcmFiaWxpdGllcyBmcm9tIGh2bV9p bmplY3RfbXNpKCkKCi0gcGlycV9pbmZvKCkgcmV0dXJucyBOVUxMIGZvciBh IG5vbi1hbGxvY2F0ZWQgcElSUSwgYW5kIGhlbmNlIHdlCiAgbXVzdG4ndCB1 bmNvbmRpdGlvbmFsbHkgZGUtcmVmZXJlbmNlIGl0LCBhbmQgd2UgbmVlZCB0 byBpbnZva2UgaXQKICBhbm90aGVyIHRpbWUgYWZ0ZXIgaGF2aW5nIGNhbGxl ZCBtYXBfZG9tYWluX2VtdWlycV9waXJxKCkKLSBkb24ndCB1c2UgcHJpbnRr KCksIG5hbWVseSB3aXRob3V0IFhFTkxPR19HVUVTVCwgZm9yIGVycm9yIHJl cG9ydGluZwoKVGhpcyBpcyBYU0EtOTYuCgpTaWduZWQtb2ZmLWJ5OiBKYW4g QmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94 ODYvaHZtL2lycS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vaXJxLmMKQEAg LTI4OSwyMCArMjg5LDE4IEBAIHZvaWQgaHZtX2luamVjdF9tc2koc3RydWN0 IGRvbWFpbiAqZCwgdWkKICAgICAgICAgICAgIHN0cnVjdCBwaXJxICppbmZv ID0gcGlycV9pbmZvKGQsIHBpcnEpOwogCiAgICAgICAgICAgICAvKiBpZiBp dCBpcyB0aGUgZmlyc3QgdGltZSwgYWxsb2NhdGUgdGhlIHBpcnEgKi8KLSAg ICAgICAgICAgIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgPT0gSVJRX1VO Qk9VTkQpCisgICAgICAgICAgICBpZiAoICFpbmZvIHx8IGluZm8tPmFyY2gu aHZtLmVtdWlycSA9PSBJUlFfVU5CT1VORCApCiAgICAgICAgICAgICB7CiAg ICAgICAgICAgICAgICAgc3Bpbl9sb2NrKCZkLT5ldmVudF9sb2NrKTsKICAg ICAgICAgICAgICAgICBtYXBfZG9tYWluX2VtdWlycV9waXJxKGQsIHBpcnEs IElSUV9NU0lfRU1VKTsKICAgICAgICAgICAgICAgICBzcGluX3VubG9jaygm ZC0+ZXZlbnRfbG9jayk7CisgICAgICAgICAgICAgICAgaW5mbyA9IHBpcnFf aW5mbyhkLCBwaXJxKTsKKyAgICAgICAgICAgICAgICBpZiAoICFpbmZvICkK KyAgICAgICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICAgfSBl bHNlIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgIT0gSVJRX01TSV9FTVUp Ci0gICAgICAgICAgICB7Ci0gICAgICAgICAgICAgICAgcHJpbnRrKCIlczog cGlycSAlZCBkb2VzIG5vdCBjb3JyZXNwb25kIHRvIGFuIGVtdWxhdGVkIE1T SVxuIiwgX19mdW5jX18sIHBpcnEpOwogICAgICAgICAgICAgICAgIHJldHVy bjsKLSAgICAgICAgICAgIH0KICAgICAgICAgICAgIHNlbmRfZ3Vlc3RfcGly cShkLCBpbmZvKTsKICAgICAgICAgICAgIHJldHVybjsKLSAgICAgICAgfSBl bHNlIHsKLSAgICAgICAgICAgIHByaW50aygiJXM6IGVycm9yIGdldHRpbmcg cGlycSBmcm9tIE1TSTogcGlycSA9ICVkXG4iLCBfX2Z1bmNfXywgcGlycSk7 CiAgICAgICAgIH0KICAgICB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 04 13:46:52 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 04 Jun 2014 13:46:52 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsBVP-0003ij-KO; Wed, 04 Jun 2014 13:45:27 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsBVO-0003hD-0m; Wed, 04 Jun 2014 13:45:26 +0000 Received: from [85.158.139.211:49929] by server-7.bemta-5.messagelabs.com id A8/C0-20531-5F22F835; Wed, 04 Jun 2014 13:45:25 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-206.messagelabs.com!1401889523!8055673!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28171 invoked from network); 4 Jun 2014 13:45:24 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 4 Jun 2014 13:45:24 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsBVG-0001Ao-5v; Wed, 04 Jun 2014 13:45:18 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WsBVA-0008GF-7u; Wed, 04 Jun 2014 13:45:12 +0000 Date: Wed, 04 Jun 2014 13:45:12 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-98 version 2 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x $ sha256sum xsa98*.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTjyK/AAoJEIP+FMlX6CvZfcAIALcaI5AdccPTHVJjTFqAly6A ZJ787YT7utUjaHTuqo+rFn7UkQLfXtqGXoLmxX4I6kTWSasiN89MCUiMMEhAKz/p WAyHPxOgbU/67hE6K6G9Xfon+Oi0NmQyaT8yiq2tgNMA5BT0TLRa1hVP70ixvXGd bC1MTMKLHynrMByK2S7NKt3YZLg0t8yTtCAYQ/BbjiS+2WYA552HEI7xrFPNhZ7Y WMykHUp+G6xBj3E1xxHnuvmixr/8mAgZmfkqLdzb66wUxuxev6ZhACS5JkjFGI8S lFMGZ52W/JiinqxtXs9WPGPiaBmW0+AmfCr6OjMfPsOzeZavrmFMAsz9AUehDag= =96+i -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 04 13:46:52 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 04 Jun 2014 13:46:52 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsBVP-0003ij-KO; Wed, 04 Jun 2014 13:45:27 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsBVO-0003hD-0m; Wed, 04 Jun 2014 13:45:26 +0000 Received: from [85.158.139.211:49929] by server-7.bemta-5.messagelabs.com id A8/C0-20531-5F22F835; Wed, 04 Jun 2014 13:45:25 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-206.messagelabs.com!1401889523!8055673!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28171 invoked from network); 4 Jun 2014 13:45:24 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 4 Jun 2014 13:45:24 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsBVG-0001Ao-5v; Wed, 04 Jun 2014 13:45:18 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WsBVA-0008GF-7u; Wed, 04 Jun 2014 13:45:12 +0000 Date: Wed, 04 Jun 2014 13:45:12 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-98 version 2 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x $ sha256sum xsa98*.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTjyK/AAoJEIP+FMlX6CvZfcAIALcaI5AdccPTHVJjTFqAly6A ZJ787YT7utUjaHTuqo+rFn7UkQLfXtqGXoLmxX4I6kTWSasiN89MCUiMMEhAKz/p WAyHPxOgbU/67hE6K6G9Xfon+Oi0NmQyaT8yiq2tgNMA5BT0TLRa1hVP70ixvXGd bC1MTMKLHynrMByK2S7NKt3YZLg0t8yTtCAYQ/BbjiS+2WYA552HEI7xrFPNhZ7Y WMykHUp+G6xBj3E1xxHnuvmixr/8mAgZmfkqLdzb66wUxuxev6ZhACS5JkjFGI8S lFMGZ52W/JiinqxtXs9WPGPiaBmW0+AmfCr6OjMfPsOzeZavrmFMAsz9AUehDag= =96+i -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 04 16:06:06 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 04 Jun 2014 16:06:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfw-0004Wx-CW; Wed, 04 Jun 2014 16:04:28 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfu-0004WL-OB; Wed, 04 Jun 2014 16:04:27 +0000 Received: from [85.158.143.35:30312] by server-1.bemta-4.messagelabs.com id DC/24-09853-9834F835; Wed, 04 Jun 2014 16:04:25 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-4.tower-21.messagelabs.com!1401897863!9211187!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 3102 invoked from network); 4 Jun 2014 16:04:24 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-4.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 4 Jun 2014 16:04:24 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfn-0003AP-33; Wed, 04 Jun 2014 16:04:19 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WsDfm-0004kR-Qv; Wed, 04 Jun 2014 16:04:18 +0000 Date: Wed, 04 Jun 2014 16:04:18 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 3 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 3 ==================== CVE assigned. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x $ sha256sum xsa98*.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTj0N1AAoJEIP+FMlX6CvZYRsH/3PPF+SBphp/IOcJmcoUBI0Y SZumMMtaH3jU49/0V/azYOpKET2VtCHBilBajUAB7kNx+EGHv5NZf6Vn7FMBDCVl gk7Hq39tR0axBTpp4FhK8MJQIEsMUvsohokRFiMsDmhKtWOEKPfmNrgLz6cEvo5H ci46UH0JzPhMVY4tXhd7jo9Vuyae8df+b0yYFZ2QyVdWN3AShlrp62JAXb1lJT8E LO/67uDud7bhuODA+CWmL0jHq7xsJoRitp5gJph9QmSNbkXGJfPy6Sow4qzatnsR Vb9lgJq5MHRodkaie9z4UeANysAJ1J+USvARyMx+xnQ64ETzFIm6pUotzySZWEU= =vyB+ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 04 16:06:06 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 04 Jun 2014 16:06:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfZ-0004Tm-QX; Wed, 04 Jun 2014 16:04:05 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfX-0004TL-Pv; Wed, 04 Jun 2014 16:04:04 +0000 Received: from [193.109.254.147:15767] by server-2.bemta-14.messagelabs.com id 6C/32-21684-2734F835; Wed, 04 Jun 2014 16:04:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-27.messagelabs.com!1401897839!9156716!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 25843 invoked from network); 4 Jun 2014 16:04:00 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-8.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 4 Jun 2014 16:04:00 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfN-00039Y-6a; Wed, 04 Jun 2014 16:03:53 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WsDfM-0004Nu-RA; Wed, 04 Jun 2014 16:03:53 +0000 Date: Wed, 04 Jun 2014 16:03:52 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 96 (CVE-2014-3967, CVE-2014-3968) - Vulnerabilities in HVM MSI injection X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3967,CVE-2014-3968 / XSA-96 version 3 Vulnerabilities in HVM MSI injection UPDATES IN VERSION 3 ==================== CVEs assigned. ISSUE DESCRIPTION ================= The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de- referencing it. (CVE-2014-3967) Furthermore that same code also handles certain errors by logging messages, without (under default settings) at least making these messages subject to rate limiting. (CVE-2014-3968) IMPACT ====== The NULL pointer de-reference would lead to a host crash, and hence a denial of service would result. Since host and guest page tables are fully separated for HVM guests, the guest would not be able to leverage the vulnerability for other kinds of attacks (privilege escalation or information leak). The spamming of the hypervisor log could similarly lead to a denial of service. In a configuration where device models run with limited privilege (for example, stubdom device models), a guest attacker who successfully finds and exploits an unfixed security flaw in qemu-dm could leverage the other flaw into a Denial of Service affecting the whole host. In the more general case, in more abstract terms: a malicious administrator of a domain privileged with regard to an HVM guest can cause Xen to become unresponsive leading to a Denial of Service. VULNERABLE SYSTEMS ================== All Xen versions from 4.2 onwards are vulnerable. The vulnerability is only exposed to service domains for HVM guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm). In the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable. The situation is more subtle for an HVM guest with a stub qemu-dm. That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). The same applies with a qemu-dm in a dom0 process subjected to some kind kernel-based process privilege limitation (eg the chroot technique as found in some versions of XCP/XenServer). In those latter situations this issue means that the extra isolation does not provide as good a defence (against denial of service) as intended. That is the essence of this vulnerability. However, the security is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm. Finally, in a radically disaggregated system: where the HVM service domain software (probably, the device model domain image) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. In a radically disaggregated system, restricting HVM service domains to software images approved by the host administrator will avoid the vulnerability. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa96.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa96*.patch 1b64beddf8f6e9c08af24676551c18fd778a8db65a6c24fec07cc7e95531e2af xsa96.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTj0MHAAoJEIP+FMlX6CvZY04H/1Udj8OzkKHHxaCLQWxAUo6w SCSV37MNRQcsJJly4KAUjsO+yyfNPnVQBUsVsBcSnKURElbkYf1IaBGSPWbiiTZY ubtQgT/rF8y0cShvDiCVXP7giwHN270F3YIXAvZPn/ZvM0a6Wad6VbBEgIo6vUeU vqb10LnrKy7S7h8sVaQCIuM5/6ysjtJAyDtlFyDN55J4socHD+oYTtU+HNbZZFvs UytIy56dtO5TSkazKgCZR936BWreYl4izOy1+elLM+r8k0qz8SdTdcVzVqNqYkMK QxjwiM7cy4fZxi1R+N/mwXgyr2tv2r/6AsdCX3vuZreg/Dp4Fi+7lDnj/sfBSGg= =fTzY -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa96.patch" Content-Disposition: attachment; filename="xsa96.patch" Content-Transfer-Encoding: base64 eDg2L0hWTTogZWxpbWluYXRlIHZ1bG5lcmFiaWxpdGllcyBmcm9tIGh2bV9p bmplY3RfbXNpKCkKCi0gcGlycV9pbmZvKCkgcmV0dXJucyBOVUxMIGZvciBh IG5vbi1hbGxvY2F0ZWQgcElSUSwgYW5kIGhlbmNlIHdlCiAgbXVzdG4ndCB1 bmNvbmRpdGlvbmFsbHkgZGUtcmVmZXJlbmNlIGl0LCBhbmQgd2UgbmVlZCB0 byBpbnZva2UgaXQKICBhbm90aGVyIHRpbWUgYWZ0ZXIgaGF2aW5nIGNhbGxl ZCBtYXBfZG9tYWluX2VtdWlycV9waXJxKCkKLSBkb24ndCB1c2UgcHJpbnRr KCksIG5hbWVseSB3aXRob3V0IFhFTkxPR19HVUVTVCwgZm9yIGVycm9yIHJl cG9ydGluZwoKVGhpcyBpcyBYU0EtOTYuCgpTaWduZWQtb2ZmLWJ5OiBKYW4g QmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94 ODYvaHZtL2lycS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vaXJxLmMKQEAg LTI4OSwyMCArMjg5LDE4IEBAIHZvaWQgaHZtX2luamVjdF9tc2koc3RydWN0 IGRvbWFpbiAqZCwgdWkKICAgICAgICAgICAgIHN0cnVjdCBwaXJxICppbmZv ID0gcGlycV9pbmZvKGQsIHBpcnEpOwogCiAgICAgICAgICAgICAvKiBpZiBp dCBpcyB0aGUgZmlyc3QgdGltZSwgYWxsb2NhdGUgdGhlIHBpcnEgKi8KLSAg ICAgICAgICAgIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgPT0gSVJRX1VO Qk9VTkQpCisgICAgICAgICAgICBpZiAoICFpbmZvIHx8IGluZm8tPmFyY2gu aHZtLmVtdWlycSA9PSBJUlFfVU5CT1VORCApCiAgICAgICAgICAgICB7CiAg ICAgICAgICAgICAgICAgc3Bpbl9sb2NrKCZkLT5ldmVudF9sb2NrKTsKICAg ICAgICAgICAgICAgICBtYXBfZG9tYWluX2VtdWlycV9waXJxKGQsIHBpcnEs IElSUV9NU0lfRU1VKTsKICAgICAgICAgICAgICAgICBzcGluX3VubG9jaygm ZC0+ZXZlbnRfbG9jayk7CisgICAgICAgICAgICAgICAgaW5mbyA9IHBpcnFf aW5mbyhkLCBwaXJxKTsKKyAgICAgICAgICAgICAgICBpZiAoICFpbmZvICkK KyAgICAgICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICAgfSBl bHNlIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgIT0gSVJRX01TSV9FTVUp Ci0gICAgICAgICAgICB7Ci0gICAgICAgICAgICAgICAgcHJpbnRrKCIlczog cGlycSAlZCBkb2VzIG5vdCBjb3JyZXNwb25kIHRvIGFuIGVtdWxhdGVkIE1T SVxuIiwgX19mdW5jX18sIHBpcnEpOwogICAgICAgICAgICAgICAgIHJldHVy bjsKLSAgICAgICAgICAgIH0KICAgICAgICAgICAgIHNlbmRfZ3Vlc3RfcGly cShkLCBpbmZvKTsKICAgICAgICAgICAgIHJldHVybjsKLSAgICAgICAgfSBl bHNlIHsKLSAgICAgICAgICAgIHByaW50aygiJXM6IGVycm9yIGdldHRpbmcg cGlycSBmcm9tIE1TSTogcGlycSA9ICVkXG4iLCBfX2Z1bmNfXywgcGlycSk7 CiAgICAgICAgIH0KICAgICB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 04 16:06:06 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 04 Jun 2014 16:06:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfw-0004Wx-CW; Wed, 04 Jun 2014 16:04:28 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfu-0004WL-OB; Wed, 04 Jun 2014 16:04:27 +0000 Received: from [85.158.143.35:30312] by server-1.bemta-4.messagelabs.com id DC/24-09853-9834F835; Wed, 04 Jun 2014 16:04:25 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-4.tower-21.messagelabs.com!1401897863!9211187!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 3102 invoked from network); 4 Jun 2014 16:04:24 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-4.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 4 Jun 2014 16:04:24 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfn-0003AP-33; Wed, 04 Jun 2014 16:04:19 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WsDfm-0004kR-Qv; Wed, 04 Jun 2014 16:04:18 +0000 Date: Wed, 04 Jun 2014 16:04:18 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 3 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 3 ==================== CVE assigned. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x $ sha256sum xsa98*.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTj0N1AAoJEIP+FMlX6CvZYRsH/3PPF+SBphp/IOcJmcoUBI0Y SZumMMtaH3jU49/0V/azYOpKET2VtCHBilBajUAB7kNx+EGHv5NZf6Vn7FMBDCVl gk7Hq39tR0axBTpp4FhK8MJQIEsMUvsohokRFiMsDmhKtWOEKPfmNrgLz6cEvo5H ci46UH0JzPhMVY4tXhd7jo9Vuyae8df+b0yYFZ2QyVdWN3AShlrp62JAXb1lJT8E LO/67uDud7bhuODA+CWmL0jHq7xsJoRitp5gJph9QmSNbkXGJfPy6Sow4qzatnsR Vb9lgJq5MHRodkaie9z4UeANysAJ1J+USvARyMx+xnQ64ETzFIm6pUotzySZWEU= =vyB+ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 04 16:06:06 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 04 Jun 2014 16:06:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfZ-0004Tm-QX; Wed, 04 Jun 2014 16:04:05 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfX-0004TL-Pv; Wed, 04 Jun 2014 16:04:04 +0000 Received: from [193.109.254.147:15767] by server-2.bemta-14.messagelabs.com id 6C/32-21684-2734F835; Wed, 04 Jun 2014 16:04:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-27.messagelabs.com!1401897839!9156716!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 25843 invoked from network); 4 Jun 2014 16:04:00 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-8.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 4 Jun 2014 16:04:00 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WsDfN-00039Y-6a; Wed, 04 Jun 2014 16:03:53 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WsDfM-0004Nu-RA; Wed, 04 Jun 2014 16:03:53 +0000 Date: Wed, 04 Jun 2014 16:03:52 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 96 (CVE-2014-3967, CVE-2014-3968) - Vulnerabilities in HVM MSI injection X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3967,CVE-2014-3968 / XSA-96 version 3 Vulnerabilities in HVM MSI injection UPDATES IN VERSION 3 ==================== CVEs assigned. ISSUE DESCRIPTION ================= The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de- referencing it. (CVE-2014-3967) Furthermore that same code also handles certain errors by logging messages, without (under default settings) at least making these messages subject to rate limiting. (CVE-2014-3968) IMPACT ====== The NULL pointer de-reference would lead to a host crash, and hence a denial of service would result. Since host and guest page tables are fully separated for HVM guests, the guest would not be able to leverage the vulnerability for other kinds of attacks (privilege escalation or information leak). The spamming of the hypervisor log could similarly lead to a denial of service. In a configuration where device models run with limited privilege (for example, stubdom device models), a guest attacker who successfully finds and exploits an unfixed security flaw in qemu-dm could leverage the other flaw into a Denial of Service affecting the whole host. In the more general case, in more abstract terms: a malicious administrator of a domain privileged with regard to an HVM guest can cause Xen to become unresponsive leading to a Denial of Service. VULNERABLE SYSTEMS ================== All Xen versions from 4.2 onwards are vulnerable. The vulnerability is only exposed to service domains for HVM guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm). In the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable. The situation is more subtle for an HVM guest with a stub qemu-dm. That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). The same applies with a qemu-dm in a dom0 process subjected to some kind kernel-based process privilege limitation (eg the chroot technique as found in some versions of XCP/XenServer). In those latter situations this issue means that the extra isolation does not provide as good a defence (against denial of service) as intended. That is the essence of this vulnerability. However, the security is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm. Finally, in a radically disaggregated system: where the HVM service domain software (probably, the device model domain image) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. In a radically disaggregated system, restricting HVM service domains to software images approved by the host administrator will avoid the vulnerability. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa96.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa96*.patch 1b64beddf8f6e9c08af24676551c18fd778a8db65a6c24fec07cc7e95531e2af xsa96.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTj0MHAAoJEIP+FMlX6CvZY04H/1Udj8OzkKHHxaCLQWxAUo6w SCSV37MNRQcsJJly4KAUjsO+yyfNPnVQBUsVsBcSnKURElbkYf1IaBGSPWbiiTZY ubtQgT/rF8y0cShvDiCVXP7giwHN270F3YIXAvZPn/ZvM0a6Wad6VbBEgIo6vUeU vqb10LnrKy7S7h8sVaQCIuM5/6ysjtJAyDtlFyDN55J4socHD+oYTtU+HNbZZFvs UytIy56dtO5TSkazKgCZR936BWreYl4izOy1+elLM+r8k0qz8SdTdcVzVqNqYkMK QxjwiM7cy4fZxi1R+N/mwXgyr2tv2r/6AsdCX3vuZreg/Dp4Fi+7lDnj/sfBSGg= =fTzY -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa96.patch" Content-Disposition: attachment; filename="xsa96.patch" Content-Transfer-Encoding: base64 eDg2L0hWTTogZWxpbWluYXRlIHZ1bG5lcmFiaWxpdGllcyBmcm9tIGh2bV9p bmplY3RfbXNpKCkKCi0gcGlycV9pbmZvKCkgcmV0dXJucyBOVUxMIGZvciBh IG5vbi1hbGxvY2F0ZWQgcElSUSwgYW5kIGhlbmNlIHdlCiAgbXVzdG4ndCB1 bmNvbmRpdGlvbmFsbHkgZGUtcmVmZXJlbmNlIGl0LCBhbmQgd2UgbmVlZCB0 byBpbnZva2UgaXQKICBhbm90aGVyIHRpbWUgYWZ0ZXIgaGF2aW5nIGNhbGxl ZCBtYXBfZG9tYWluX2VtdWlycV9waXJxKCkKLSBkb24ndCB1c2UgcHJpbnRr KCksIG5hbWVseSB3aXRob3V0IFhFTkxPR19HVUVTVCwgZm9yIGVycm9yIHJl cG9ydGluZwoKVGhpcyBpcyBYU0EtOTYuCgpTaWduZWQtb2ZmLWJ5OiBKYW4g QmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94 ODYvaHZtL2lycS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vaXJxLmMKQEAg LTI4OSwyMCArMjg5LDE4IEBAIHZvaWQgaHZtX2luamVjdF9tc2koc3RydWN0 IGRvbWFpbiAqZCwgdWkKICAgICAgICAgICAgIHN0cnVjdCBwaXJxICppbmZv ID0gcGlycV9pbmZvKGQsIHBpcnEpOwogCiAgICAgICAgICAgICAvKiBpZiBp dCBpcyB0aGUgZmlyc3QgdGltZSwgYWxsb2NhdGUgdGhlIHBpcnEgKi8KLSAg ICAgICAgICAgIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgPT0gSVJRX1VO Qk9VTkQpCisgICAgICAgICAgICBpZiAoICFpbmZvIHx8IGluZm8tPmFyY2gu aHZtLmVtdWlycSA9PSBJUlFfVU5CT1VORCApCiAgICAgICAgICAgICB7CiAg ICAgICAgICAgICAgICAgc3Bpbl9sb2NrKCZkLT5ldmVudF9sb2NrKTsKICAg ICAgICAgICAgICAgICBtYXBfZG9tYWluX2VtdWlycV9waXJxKGQsIHBpcnEs IElSUV9NU0lfRU1VKTsKICAgICAgICAgICAgICAgICBzcGluX3VubG9jaygm ZC0+ZXZlbnRfbG9jayk7CisgICAgICAgICAgICAgICAgaW5mbyA9IHBpcnFf aW5mbyhkLCBwaXJxKTsKKyAgICAgICAgICAgICAgICBpZiAoICFpbmZvICkK KyAgICAgICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICAgfSBl bHNlIGlmIChpbmZvLT5hcmNoLmh2bS5lbXVpcnEgIT0gSVJRX01TSV9FTVUp Ci0gICAgICAgICAgICB7Ci0gICAgICAgICAgICAgICAgcHJpbnRrKCIlczog cGlycSAlZCBkb2VzIG5vdCBjb3JyZXNwb25kIHRvIGFuIGVtdWxhdGVkIE1T SVxuIiwgX19mdW5jX18sIHBpcnEpOwogICAgICAgICAgICAgICAgIHJldHVy bjsKLSAgICAgICAgICAgIH0KICAgICAgICAgICAgIHNlbmRfZ3Vlc3RfcGly cShkLCBpbmZvKTsKICAgICAgICAgICAgIHJldHVybjsKLSAgICAgICAgfSBl bHNlIHsKLSAgICAgICAgICAgIHByaW50aygiJXM6IGVycm9yIGdldHRpbmcg cGlycSBmcm9tIE1TSTogcGlycSA9ICVkXG4iLCBfX2Z1bmNfXywgcGlycSk7 CiAgICAgICAgIH0KICAgICB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 11 09:58:10 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 11 Jun 2014 09:58:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WufGw-00087L-DI; Wed, 11 Jun 2014 09:56:46 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WufCL-0007mt-9w for xen-announce@lists.xen.org; Wed, 11 Jun 2014 09:52:01 +0000 Received: from [85.158.137.68:16198] by server-7.bemta-3.messagelabs.com id A0/47-04151-0C628935; Wed, 11 Jun 2014 09:52:00 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-9.tower-31.messagelabs.com!1402480318!5650148!1 X-Originating-IP: [74.125.82.45] X-SpamReason: No, hits=0.8 required=7.0 tests=BODY_RANDOM_LONG, HTML_60_70,HTML_MESSAGE X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22686 invoked from network); 11 Jun 2014 09:51:59 -0000 Received: from mail-wg0-f45.google.com (HELO mail-wg0-f45.google.com) (74.125.82.45) by server-9.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 11 Jun 2014 09:51:59 -0000 Received: by mail-wg0-f45.google.com with SMTP id l18so2680074wgh.28 for ; Wed, 11 Jun 2014 02:51:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:reply-to:user-agent:mime-version:to :subject:content-type; bh=KdJ1v3eU2oWynqYLjK8Hg1IbJxy53Y5QkWFMaLuzLkQ=; b=UhQ+oinHoSvRXFznA7NKaA3b/lfxqLhiKxB28R7BVA5BQYrx4UmlGpKJGFrgolj583 PTdA0JkHng7NLNkptZ9uy2o4GSrCurUJVv031pOZ6iSSejK4yZKsCndLxsBpLtRouqjS vn4T2YA3g/RbhsEW3NoTIp78Flx51yn3Z3bvSjVQ5gtubLFettL8CA3It+SkAQbXYK64 ydDMAJyOqADNJlbCuvVy3KZDyjSaVR6sAyAKxAtND3lLVJtwUcvQ5lGhx8xOIX2e8BTN nthL7Sw8Ak8i1du0+0kCeohPiCmxN5rVw58stflMINy3oeoYcWaTfA3HgqP4KOA69FAf 2IfQ== X-Received: by 10.180.38.38 with SMTP id d6mr46453937wik.12.1402480318801; Wed, 11 Jun 2014 02:51:58 -0700 (PDT) Received: from [172.16.25.10] (97e5a5cd.skybroadband.com. [151.229.165.205]) by mx.google.com with ESMTPSA id a6sm625116wic.13.2014.06.11.02.51.57 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 11 Jun 2014 02:51:58 -0700 (PDT) Message-ID: <539826BD.2040608@xen.org> Date: Wed, 11 Jun 2014 10:51:57 +0100 From: Lars Kurth User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: xen-announce@lists.xen.org X-Mailman-Approved-At: Wed, 11 Jun 2014 09:56:43 +0000 Subject: [Xen-announce] Xen Project Developer Summit Line-Up Announced X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list Reply-To: lars.kurth@xen.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============6163966624478317178==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org This is a multi-part message in MIME format. --===============6163966624478317178== Content-Type: multipart/alternative; boundary="------------040400040401070102060601" This is a multi-part message in MIME format. --------------040400040401070102060601 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Dear xen-announce list subscriber, I am pleased to announce theschedule of the Xen Project Developer Summit. The event will take place in Chicago on August 18-19, 2014. The Project's second annual developer event highlights best practices, user testimonials and advancements with the industry-leading open source hypervisor. Powering many of the world's largest clouds in production today, Xen Project developers are also leading the way in server density, million-node data centers, graphic-intensive workloads, cloud operating systems and sophisticated enterprise security. This year's summit will present the most relevant topics to Xen Project developers and users who are pushing the limits on virtualization, ranging from typical server virtualization and cloud computing on x86 servers to new developments with ARM servers, networking, automotive, cloud operating systems, enterprise security and mobility. Following is a sampling of confirmed speakers and presentations to be discussed in Chicago: * James Bielman, Research and Engineering at Galois, XenStore Mandatory Access Control --- proposes additional security access features for Xen Project software; * Mihai Dont,u, Technical Project Manager at Bitdefender, Zero-Footprint Guest Memory Introspection from Xen --- discusses how the introspection API in the Xen Project hypervisor can be used to detect, prevent and take action on several categories of malware attacks; * James Fehlig, Software Engineer at SUSE Linux, libvirt support for libxenlight -- covers the status of Xen Project libvirt integration and outlines planned improvements; * Lars Kurth, Xen Project Advisory Board Chairman, State of Xen Project Software -- gives an overview of the Xen Project development community and community at large; * Jun Nakajima, Principal Engineer at Intel Open Source Technology Center, Xen as a High-Performance Network Functions Virtualization (NFV) Platform -- introduces Xen as a NFV platform and outlines solutions to remove challenges for deploying the Xen Project hypervisor for NFV applications as well as shares best practices; * Nathan Studer, Technical Lead at DornerWorks, Xen and The Art of Certification -- gives an overview of certification requirements in emerging use-cases such as automotive, medical, and avionics and lays out a path toward certifying Xen Project technology in these industries; * Don Slutz, Software Architect at Verizon Terremark, Overview of Verizon Cloud Architecture -- presents Verizon Cloud's architecture, design goals and planned contributions to the Xen Project community; and * Stefano Stabellini, Senior Principal Software Engineer at Citrix and Xen Project Contributor, Xen on ARM Status Update and Performance Benchmarks --- gives the latest developments with the Xen Project hypervisor on ARM architecture. Birds of a Feather session and Discussions Besides presentations, the developer summit will also provide an opportunity for in-depth interactive discussions (Birds of a Feather sessions), which allow deep interaction and collaboration between Xen Project developers and community members. These will happen in a second track alongside the main event. To/submit a BoF/, please go to theBoF submission page. For more information about Xen Project Developer Summit 2014, including how to register and to view the complete schedule, visit:events.linuxfoundation.org/events/xen-project-developer-summit . Best Regards Lars --------------040400040401070102060601 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit

Dear xen-announce list subscriber,

I am pleased to announce the schedule of the Xen Project Developer Summit. The event will take place in Chicago on August 18-19, 2014.

The Project’s second annual developer event highlights best practices, user testimonials and advancements with the industry-leading open source hypervisor. Powering many of the world’s largest clouds in production today, Xen Project developers are also leading the way in server density, million-node data centers, graphic-intensive workloads, cloud operating systems and sophisticated enterprise security.

This year’s summit will present the most relevant topics to Xen Project developers and users who are pushing the limits on virtualization, ranging from typical server virtualization and cloud computing on x86 servers to new developments with ARM servers, networking, automotive, cloud operating systems, enterprise security and mobility.

Following is a sampling of confirmed speakers and presentations to be discussed in Chicago:

  • James Bielman, Research and Engineering at Galois, XenStore Mandatory Access Control — proposes additional security access features for Xen Project software;
  • Mihai Donțu, Technical Project Manager at Bitdefender, Zero-Footprint Guest Memory Introspection from Xen — discusses how the introspection API in the Xen Project hypervisor can be used to detect, prevent and take action on several categories of malware attacks;
  • James Fehlig, Software Engineer at SUSE Linux, libvirt support for libxenlight – covers the status of Xen Project libvirt integration and outlines planned improvements;
  • Lars Kurth, Xen Project Advisory Board Chairman, State of Xen Project Software – gives an overview of the Xen Project development community and community at large;
  • Jun Nakajima, Principal Engineer at Intel Open Source Technology Center, Xen as a High-Performance Network Functions Virtualization (NFV) Platform – introduces Xen as a NFV platform and outlines solutions to remove challenges for deploying the Xen Project hypervisor for NFV applications as well as shares best practices;
  • Nathan Studer, Technical Lead at DornerWorks, Xen and The Art of Certification – gives an overview of certification requirements in emerging use-cases such as automotive, medical, and avionics and lays out a path toward certifying Xen Project technology in these industries;
  • Don Slutz, Software Architect at Verizon Terremark, Overview of Verizon Cloud Architecture – presents Verizon Cloud’s architecture, design goals and planned contributions to the Xen Project community; and
  • Stefano Stabellini, Senior Principal Software Engineer at Citrix and Xen Project Contributor, Xen on ARM Status Update and Performance Benchmarks — gives the latest developments with the Xen Project hypervisor on ARM architecture.

Birds of a Feather session and Discussions

Besides presentations, the developer summit will also provide an opportunity for in-depth interactive discussions (Birds of a Feather sessions), which allow deep interaction and collaboration between Xen Project developers and community members. These will happen in a second track alongside the main event. To submit a BoF, please go to the BoF submission page.

For more information about Xen Project Developer Summit 2014, including how to register and to view the complete schedule, visit: events.linuxfoundation.org/events/xen-project-developer-summit.

Best Regards
Lars

--------------040400040401070102060601-- --===============6163966624478317178== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============6163966624478317178==-- From xen-announce-bounces@lists.xen.org Wed Jun 11 09:58:10 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 11 Jun 2014 09:58:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WufGw-00087L-DI; Wed, 11 Jun 2014 09:56:46 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WufCL-0007mt-9w for xen-announce@lists.xen.org; Wed, 11 Jun 2014 09:52:01 +0000 Received: from [85.158.137.68:16198] by server-7.bemta-3.messagelabs.com id A0/47-04151-0C628935; Wed, 11 Jun 2014 09:52:00 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-9.tower-31.messagelabs.com!1402480318!5650148!1 X-Originating-IP: [74.125.82.45] X-SpamReason: No, hits=0.8 required=7.0 tests=BODY_RANDOM_LONG, HTML_60_70,HTML_MESSAGE X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22686 invoked from network); 11 Jun 2014 09:51:59 -0000 Received: from mail-wg0-f45.google.com (HELO mail-wg0-f45.google.com) (74.125.82.45) by server-9.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 11 Jun 2014 09:51:59 -0000 Received: by mail-wg0-f45.google.com with SMTP id l18so2680074wgh.28 for ; Wed, 11 Jun 2014 02:51:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:reply-to:user-agent:mime-version:to :subject:content-type; bh=KdJ1v3eU2oWynqYLjK8Hg1IbJxy53Y5QkWFMaLuzLkQ=; b=UhQ+oinHoSvRXFznA7NKaA3b/lfxqLhiKxB28R7BVA5BQYrx4UmlGpKJGFrgolj583 PTdA0JkHng7NLNkptZ9uy2o4GSrCurUJVv031pOZ6iSSejK4yZKsCndLxsBpLtRouqjS vn4T2YA3g/RbhsEW3NoTIp78Flx51yn3Z3bvSjVQ5gtubLFettL8CA3It+SkAQbXYK64 ydDMAJyOqADNJlbCuvVy3KZDyjSaVR6sAyAKxAtND3lLVJtwUcvQ5lGhx8xOIX2e8BTN nthL7Sw8Ak8i1du0+0kCeohPiCmxN5rVw58stflMINy3oeoYcWaTfA3HgqP4KOA69FAf 2IfQ== X-Received: by 10.180.38.38 with SMTP id d6mr46453937wik.12.1402480318801; Wed, 11 Jun 2014 02:51:58 -0700 (PDT) Received: from [172.16.25.10] (97e5a5cd.skybroadband.com. [151.229.165.205]) by mx.google.com with ESMTPSA id a6sm625116wic.13.2014.06.11.02.51.57 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 11 Jun 2014 02:51:58 -0700 (PDT) Message-ID: <539826BD.2040608@xen.org> Date: Wed, 11 Jun 2014 10:51:57 +0100 From: Lars Kurth User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: xen-announce@lists.xen.org X-Mailman-Approved-At: Wed, 11 Jun 2014 09:56:43 +0000 Subject: [Xen-announce] Xen Project Developer Summit Line-Up Announced X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list Reply-To: lars.kurth@xen.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============6163966624478317178==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org This is a multi-part message in MIME format. --===============6163966624478317178== Content-Type: multipart/alternative; boundary="------------040400040401070102060601" This is a multi-part message in MIME format. --------------040400040401070102060601 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Dear xen-announce list subscriber, I am pleased to announce theschedule of the Xen Project Developer Summit. The event will take place in Chicago on August 18-19, 2014. The Project's second annual developer event highlights best practices, user testimonials and advancements with the industry-leading open source hypervisor. Powering many of the world's largest clouds in production today, Xen Project developers are also leading the way in server density, million-node data centers, graphic-intensive workloads, cloud operating systems and sophisticated enterprise security. This year's summit will present the most relevant topics to Xen Project developers and users who are pushing the limits on virtualization, ranging from typical server virtualization and cloud computing on x86 servers to new developments with ARM servers, networking, automotive, cloud operating systems, enterprise security and mobility. Following is a sampling of confirmed speakers and presentations to be discussed in Chicago: * James Bielman, Research and Engineering at Galois, XenStore Mandatory Access Control --- proposes additional security access features for Xen Project software; * Mihai Dont,u, Technical Project Manager at Bitdefender, Zero-Footprint Guest Memory Introspection from Xen --- discusses how the introspection API in the Xen Project hypervisor can be used to detect, prevent and take action on several categories of malware attacks; * James Fehlig, Software Engineer at SUSE Linux, libvirt support for libxenlight -- covers the status of Xen Project libvirt integration and outlines planned improvements; * Lars Kurth, Xen Project Advisory Board Chairman, State of Xen Project Software -- gives an overview of the Xen Project development community and community at large; * Jun Nakajima, Principal Engineer at Intel Open Source Technology Center, Xen as a High-Performance Network Functions Virtualization (NFV) Platform -- introduces Xen as a NFV platform and outlines solutions to remove challenges for deploying the Xen Project hypervisor for NFV applications as well as shares best practices; * Nathan Studer, Technical Lead at DornerWorks, Xen and The Art of Certification -- gives an overview of certification requirements in emerging use-cases such as automotive, medical, and avionics and lays out a path toward certifying Xen Project technology in these industries; * Don Slutz, Software Architect at Verizon Terremark, Overview of Verizon Cloud Architecture -- presents Verizon Cloud's architecture, design goals and planned contributions to the Xen Project community; and * Stefano Stabellini, Senior Principal Software Engineer at Citrix and Xen Project Contributor, Xen on ARM Status Update and Performance Benchmarks --- gives the latest developments with the Xen Project hypervisor on ARM architecture. Birds of a Feather session and Discussions Besides presentations, the developer summit will also provide an opportunity for in-depth interactive discussions (Birds of a Feather sessions), which allow deep interaction and collaboration between Xen Project developers and community members. These will happen in a second track alongside the main event. To/submit a BoF/, please go to theBoF submission page. For more information about Xen Project Developer Summit 2014, including how to register and to view the complete schedule, visit:events.linuxfoundation.org/events/xen-project-developer-summit . Best Regards Lars --------------040400040401070102060601 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit

Dear xen-announce list subscriber,

I am pleased to announce the schedule of the Xen Project Developer Summit. The event will take place in Chicago on August 18-19, 2014.

The Project’s second annual developer event highlights best practices, user testimonials and advancements with the industry-leading open source hypervisor. Powering many of the world’s largest clouds in production today, Xen Project developers are also leading the way in server density, million-node data centers, graphic-intensive workloads, cloud operating systems and sophisticated enterprise security.

This year’s summit will present the most relevant topics to Xen Project developers and users who are pushing the limits on virtualization, ranging from typical server virtualization and cloud computing on x86 servers to new developments with ARM servers, networking, automotive, cloud operating systems, enterprise security and mobility.

Following is a sampling of confirmed speakers and presentations to be discussed in Chicago:

  • James Bielman, Research and Engineering at Galois, XenStore Mandatory Access Control — proposes additional security access features for Xen Project software;
  • Mihai Donțu, Technical Project Manager at Bitdefender, Zero-Footprint Guest Memory Introspection from Xen — discusses how the introspection API in the Xen Project hypervisor can be used to detect, prevent and take action on several categories of malware attacks;
  • James Fehlig, Software Engineer at SUSE Linux, libvirt support for libxenlight – covers the status of Xen Project libvirt integration and outlines planned improvements;
  • Lars Kurth, Xen Project Advisory Board Chairman, State of Xen Project Software – gives an overview of the Xen Project development community and community at large;
  • Jun Nakajima, Principal Engineer at Intel Open Source Technology Center, Xen as a High-Performance Network Functions Virtualization (NFV) Platform – introduces Xen as a NFV platform and outlines solutions to remove challenges for deploying the Xen Project hypervisor for NFV applications as well as shares best practices;
  • Nathan Studer, Technical Lead at DornerWorks, Xen and The Art of Certification – gives an overview of certification requirements in emerging use-cases such as automotive, medical, and avionics and lays out a path toward certifying Xen Project technology in these industries;
  • Don Slutz, Software Architect at Verizon Terremark, Overview of Verizon Cloud Architecture – presents Verizon Cloud’s architecture, design goals and planned contributions to the Xen Project community; and
  • Stefano Stabellini, Senior Principal Software Engineer at Citrix and Xen Project Contributor, Xen on ARM Status Update and Performance Benchmarks — gives the latest developments with the Xen Project hypervisor on ARM architecture.

Birds of a Feather session and Discussions

Besides presentations, the developer summit will also provide an opportunity for in-depth interactive discussions (Birds of a Feather sessions), which allow deep interaction and collaboration between Xen Project developers and community members. These will happen in a second track alongside the main event. To submit a BoF, please go to the BoF submission page.

For more information about Xen Project Developer Summit 2014, including how to register and to view the complete schedule, visit: events.linuxfoundation.org/events/xen-project-developer-summit.

Best Regards
Lars

--------------040400040401070102060601-- --===============6163966624478317178== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============6163966624478317178==-- From xen-announce-bounces@lists.xen.org Tue Jun 17 12:18:14 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:18:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK0-0001sm-Kt; Tue, 17 Jun 2014 12:17:04 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJy-0001s8-P5; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [193.109.254.147:26109] by server-2.bemta-14.messagelabs.com id 56/DB-21684-DB130A35; Tue, 17 Jun 2014 12:17:01 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-27.messagelabs.com!1403007419!7186111!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30584 invoked from network); 17 Jun 2014 12:17:00 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:00 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJm-00053a-EX; Tue, 17 Jun 2014 12:16:50 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJm-00080M-3v; Tue, 17 Jun 2014 12:16:50 +0000 Date: Tue, 17 Jun 2014 12:16:50 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 99 - unexpected pitfall in xenaccess API X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-99 version 2 unexpected pitfall in xenaccess API UPDATES IN VERSION 2 ==================== Public Release. Added note regarding CVE. ISSUE DESCRIPTION ================= A test/example program, for exercising the Xen memaccess API, does not take all necessary precautions against hostile guest behaviour. As a result, software developers using it as an example or template might have written and deployed vulnerable code. See the patch for technical details of the problem. IMPACT ====== Deployments of software inspired by, or derived from, xen.git/tools/tests/xen-access/xen-access.c, may be vulnerable to privilege escalation by a malicious guest administrator. xen-access is a test/example program and is not, without modification, useful in production. It is not built or installed by default. VULNERABLE SYSTEMS ================== Unmodified Xen installations (including installations as provided by typical Free Software distributions) are not vulnerable. The following toolstacks/libraries do not use memaccess, so systems using Xen only via the following are not vulnerable: libxl; xl; xend; xm; libvirt In general, Xen installations which make no use of the Xen memory access API (xc_mem_access_..., "XENMEM_access_...", XEN_DOMCTL_MEM_EVENT_OP_ACCESS_ENABLE) are not vulnerable. Systems using the Xen hypervisor 4.1 or earlier are not vulnerable. ARM systems are not vulnerable. AMD systems are not vulnerable. Intel x86 systems without EPT are not vulnerable. Software developers who have based their efforts on xen-access.c may have constructed vulnerable systems. Such developers should examine their software, and communicate with their own downstreams, as applicable. Users of Xen-derived systems, whose vulnerability is not excluded above, should consult their vendor for information about the applicability of this vulnerability. MITIGATION ========== Disabling whatever functionality uses the memaccess API will avoid the vulnerability. NOTE REGARDING CVE ================== The CVE assignment team at the MITRE CVE Numbering Authority have told us that type of issue is typically considered site-specific and is not eligible for a CVE ID: The scope of CVE does not include issues where a vulnerable program can be present after a customer modifies shipped source code or modifies the build process. The primary purpose of this guideline is to avoid CVE assignments where, for example, the vulnerability exists only when a customer enables experimental code and then recompiles. A secondary purpose of this guideline is to avoid CVE assignments for example code that wasn't intended to be used as-is. Software developers who have based production code on xen-access.c should obtain their own CVE number(s). CREDITS ======= This vulnerability was discovered by Ian Campbell of Citrix. RESOLUTION ========== The attached patch repairs the test/example utility provided in the Xen Project source tree. To resolve the issue in production software, appropriate changes will have to be be made by its developers. $ sha256sum xsa99*.patch d6496699d9952bbfe1cd86e0ba84182e455a5dc4626654d387f92390d9680cd4 xsa99.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCn/AAoJEIP+FMlX6CvZBp8H/Az39oLQiAIyrZRD+IktvGuB mCLRcoyTJxxfE+9bAFltypelGNwq5NT/JUwub82whapbPW/e/rtGbln43FkdkoLu oFlddcteOzJMTLsLXxe50zrgb4QaUEt4lxQ2zEyFpL6PYz32pO24NLK8QzG480Ol 4u1UlBJeYM61Z4JPuCy0h5vMy0eU6G3yry6B09s4Dmdfvd6AU7BprFT4/aW+noQ0 84w11iL8Y53ddnidTgaXNkyvcq+5m57RL9uHvrRz7mViqhazkVkxGZHVKsUYuRPb wkBpSaa+cJkeF8AnDue/QuW0pWYpfrPoniD86SwgzsYYj5bN0EnQ4CTzVIAx284= =9myT -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa99.patch" Content-Disposition: attachment; filename="xsa99.patch" Content-Transfer-Encoding: base64 RnJvbTogQXJhdmluZGggUHV0aGl5YXBhcmFtYmlsIDxhcmF2aW5kcEBjaXNj by5jb20+CkRhdGU6IFR1ZSBNYXkgMjAgMTY6MzU6NDQgMjAxNCAtMDcwMAoK bWVtX2FjY2VzczogQWRkIGhlbHBlciBBUEkgdG8gc2V0dXAgcmluZyBhbmQg ZW5hYmxlIG1lbV9hY2Nlc3MKCnRvb2xzL2xpYnhjOiBBZGQgaGVscGVyIGZ1 bmN0aW9uIHRvIHNldHVwIHJpbmcgZm9yIG1lbSBldmVudHMKVGhpcyBwYXRj aCBhZGRzIGEgaGVscGVyIGZ1bmN0aW9uIHRoYXQgbWFwcyB0aGUgcmluZywg ZW5hYmxlcyBtZW1fZXZlbnQKYW5kIHJlbW92ZXMgdGhlIHJpbmcgZnJvbSB0 aGUgZ3Vlc3QgcGh5c21hcCB3aGlsZSB0aGUgZG9tYWluIGlzIHBhdXNlZC4K VGhpcyBjYW4gYmUgdXNlZCBieSBhbGwgbWVtX2V2ZW50cyBidXQgaXMgb25s eSBlbmFibGVkIGZvciBtZW1fYWNjZXNzIGF0CnRoZSBtb21lbnQuCgp0ZXN0 cy94ZW4tYWNjZXNzOiBVc2UgaGVscGVyIEFQSSB0byBzZXR1cCByaW5nIGFu ZCBlbmFibGUgbWVtX2FjY2VzcwpQcmlvciB0byB0aGlzIHBhdGNoLCB4ZW4t YWNjZXNzIHdhcyBzZXR0aW5nIHVwIHRoZSByaW5nIHBhZ2UgaW4gYSB3YXkK dGhhdCB3b3VsZCBnaXZlIGEgbWFsaWNvdXMgZ3Vlc3QgYSB3aW5kb3cgdG8g d3JpdGUgaW4gdG8gdGhlIHNoYXJlZCByaW5nCnBhZ2UuIFRoaXMgcGF0Y2gg Zml4ZXMgdGhpcyBieSB1c2luZyB0aGUgaGVscGVyIEFQSSB0aGF0IGRvZXMg aXQgc2FmZWx5Cm9uIGJlaGFsZiBvZiB4ZW4tYWNjZXNzLgoKVGhpcyBpcyBY U0EtOTkuCgpTaWduZWQtb2ZmLWJ5OiBBcmF2aW5kaCBQdXRoaXlhcGFyYW1i aWwgPGFyYXZpbmRwQGNpc2NvLmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVs aWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KCmRpZmYgLS1naXQgYS90b29scy9s aWJ4Yy94Y19tZW1fYWNjZXNzLmMgYi90b29scy9saWJ4Yy94Y19tZW1fYWNj ZXNzLmMKaW5kZXggZjQzNmU2OS4uNDYxZjBlOSAxMDA2NDQKLS0tIGEvdG9v bHMvbGlieGMveGNfbWVtX2FjY2Vzcy5jCisrKyBiL3Rvb2xzL2xpYnhjL3hj X21lbV9hY2Nlc3MuYwpAQCAtMjQsMTkgKzI0LDkgQEAKICNpbmNsdWRlICJ4 Y19wcml2YXRlLmgiCiAjaW5jbHVkZSA8eGVuL21lbW9yeS5oPgogCi1pbnQg eGNfbWVtX2FjY2Vzc19lbmFibGUoeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlk X3QgZG9tYWluX2lkLAotICAgICAgICAgICAgICAgICAgICAgICAgIHVpbnQz Ml90ICpwb3J0KQordm9pZCAqeGNfbWVtX2FjY2Vzc19lbmFibGUoeGNfaW50 ZXJmYWNlICp4Y2gsIGRvbWlkX3QgZG9tYWluX2lkLCB1aW50MzJfdCAqcG9y dCkKIHsKLSAgICBpZiAoICFwb3J0ICkKLSAgICB7Ci0gICAgICAgIGVycm5v ID0gRUlOVkFMOwotICAgICAgICByZXR1cm4gLTE7Ci0gICAgfQotCi0gICAg cmV0dXJuIHhjX21lbV9ldmVudF9jb250cm9sKHhjaCwgZG9tYWluX2lkLAot ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYRU5fRE9NQ1RMX01F TV9FVkVOVF9PUF9BQ0NFU1NfRU5BQkxFLAotICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBYRU5fRE9NQ1RMX01FTV9FVkVOVF9PUF9BQ0NFU1Ms Ci0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBvcnQpOworICAg IHJldHVybiB4Y19tZW1fZXZlbnRfZW5hYmxlKHhjaCwgZG9tYWluX2lkLCBI Vk1fUEFSQU1fQUNDRVNTX1JJTkdfUEZOLCBwb3J0KTsKIH0KIAogaW50IHhj X21lbV9hY2Nlc3NfZGlzYWJsZSh4Y19pbnRlcmZhY2UgKnhjaCwgZG9taWRf dCBkb21haW5faWQpCmRpZmYgLS1naXQgYS90b29scy9saWJ4Yy94Y19tZW1f ZXZlbnQuYyBiL3Rvb2xzL2xpYnhjL3hjX21lbV9ldmVudC5jCmluZGV4IGQ0 M2EwYWYuLmJlN2M2M2QgMTAwNjQ0Ci0tLSBhL3Rvb2xzL2xpYnhjL3hjX21l bV9ldmVudC5jCisrKyBiL3Rvb2xzL2xpYnhjL3hjX21lbV9ldmVudC5jCkBA IC01NiwzICs1NiwxMTggQEAgaW50IHhjX21lbV9ldmVudF9tZW1vcCh4Y19p bnRlcmZhY2UgKnhjaCwgZG9taWRfdCBkb21haW5faWQsCiAgICAgcmV0dXJu IGRvX21lbW9yeV9vcCh4Y2gsIG1vZGUsICZtZW8sIHNpemVvZihtZW8pKTsK IH0KIAordm9pZCAqeGNfbWVtX2V2ZW50X2VuYWJsZSh4Y19pbnRlcmZhY2Ug KnhjaCwgZG9taWRfdCBkb21haW5faWQsIGludCBwYXJhbSwKKyAgICAgICAg ICAgICAgICAgICAgICAgICAgdWludDMyX3QgKnBvcnQpCit7CisgICAgdm9p ZCAqcmluZ19wYWdlID0gTlVMTDsKKyAgICB1bnNpZ25lZCBsb25nIHJpbmdf cGZuLCBtbWFwX3BmbjsKKyAgICB1bnNpZ25lZCBpbnQgb3AsIG1vZGU7Cisg ICAgaW50IHJjMSwgcmMyLCBzYXZlZF9lcnJubzsKKworICAgIGlmICggIXBv cnQgKQorICAgIHsKKyAgICAgICAgZXJybm8gPSBFSU5WQUw7CisgICAgICAg IHJldHVybiBOVUxMOworICAgIH0KKworICAgIC8qIFBhdXNlIHRoZSBkb21h aW4gZm9yIHJpbmcgcGFnZSBzZXR1cCAqLworICAgIHJjMSA9IHhjX2RvbWFp bl9wYXVzZSh4Y2gsIGRvbWFpbl9pZCk7CisgICAgaWYgKCByYzEgIT0gMCAp CisgICAgeworICAgICAgICBQRVJST1IoIlVuYWJsZSB0byBwYXVzZSBkb21h aW5cbiIpOworICAgICAgICByZXR1cm4gTlVMTDsKKyAgICB9CisKKyAgICAv KiBHZXQgdGhlIHBmbiBvZiB0aGUgcmluZyBwYWdlICovCisgICAgcmMxID0g eGNfZ2V0X2h2bV9wYXJhbSh4Y2gsIGRvbWFpbl9pZCwgcGFyYW0sICZyaW5n X3Bmbik7CisgICAgaWYgKCByYzEgIT0gMCApCisgICAgeworICAgICAgICBQ RVJST1IoIkZhaWxlZCB0byBnZXQgcGZuIG9mIHJpbmcgcGFnZVxuIik7Cisg ICAgICAgIGdvdG8gb3V0OworICAgIH0KKworICAgIG1tYXBfcGZuID0gcmlu Z19wZm47CisgICAgcmluZ19wYWdlID0geGNfbWFwX2ZvcmVpZ25fYmF0Y2go eGNoLCBkb21haW5faWQsIFBST1RfUkVBRCB8IFBST1RfV1JJVEUsCisgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJm1tYXBfcGZuLCAx KTsKKyAgICBpZiAoIG1tYXBfcGZuICYgWEVOX0RPTUNUTF9QRklORk9fWFRB QiApCisgICAgeworICAgICAgICAvKiBNYXAgZmFpbGVkLCBwb3B1bGF0ZSBy aW5nIHBhZ2UgKi8KKyAgICAgICAgcmMxID0geGNfZG9tYWluX3BvcHVsYXRl X3BoeXNtYXBfZXhhY3QoeGNoLCBkb21haW5faWQsIDEsIDAsIDAsCisgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJnJp bmdfcGZuKTsKKyAgICAgICAgaWYgKCByYzEgIT0gMCApCisgICAgICAgIHsK KyAgICAgICAgICAgIFBFUlJPUigiRmFpbGVkIHRvIHBvcHVsYXRlIHJpbmcg cGZuXG4iKTsKKyAgICAgICAgICAgIGdvdG8gb3V0OworICAgICAgICB9CisK KyAgICAgICAgbW1hcF9wZm4gPSByaW5nX3BmbjsKKyAgICAgICAgcmluZ19w YWdlID0geGNfbWFwX2ZvcmVpZ25fYmF0Y2goeGNoLCBkb21haW5faWQsIFBS T1RfUkVBRCB8IFBST1RfV1JJVEUsCisgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICZtbWFwX3BmbiwgMSk7CisgICAgICAgIGlm ICggbW1hcF9wZm4gJiBYRU5fRE9NQ1RMX1BGSU5GT19YVEFCICkKKyAgICAg ICAgeworICAgICAgICAgICAgUEVSUk9SKCJDb3VsZCBub3QgbWFwIHRoZSBy aW5nIHBhZ2VcbiIpOworICAgICAgICAgICAgZ290byBvdXQ7CisgICAgICAg IH0KKyAgICB9CisKKyAgICBzd2l0Y2ggKCBwYXJhbSApCisgICAgeworICAg IGNhc2UgSFZNX1BBUkFNX1BBR0lOR19SSU5HX1BGTjoKKyAgICAgICAgb3Ag PSBYRU5fRE9NQ1RMX01FTV9FVkVOVF9PUF9QQUdJTkdfRU5BQkxFOworICAg ICAgICBtb2RlID0gWEVOX0RPTUNUTF9NRU1fRVZFTlRfT1BfUEFHSU5HOwor ICAgICAgICBicmVhazsKKworICAgIGNhc2UgSFZNX1BBUkFNX0FDQ0VTU19S SU5HX1BGTjoKKyAgICAgICAgb3AgPSBYRU5fRE9NQ1RMX01FTV9FVkVOVF9P UF9BQ0NFU1NfRU5BQkxFOworICAgICAgICBtb2RlID0gWEVOX0RPTUNUTF9N RU1fRVZFTlRfT1BfQUNDRVNTOworICAgICAgICBicmVhazsKKworICAgIGNh c2UgSFZNX1BBUkFNX1NIQVJJTkdfUklOR19QRk46CisgICAgICAgIG9wID0g WEVOX0RPTUNUTF9NRU1fRVZFTlRfT1BfU0hBUklOR19FTkFCTEU7CisgICAg ICAgIG1vZGUgPSBYRU5fRE9NQ1RMX01FTV9FVkVOVF9PUF9TSEFSSU5HOwor ICAgICAgICBicmVhazsKKworICAgIC8qCisgICAgICogVGhpcyBpcyBmb3Ig dGhlIG91dHNpZGUgY2hhbmNlIHRoYXQgdGhlIEhWTV9QQVJBTSBpcyB2YWxp ZCBidXQgaXMgaW52YWxpZAorICAgICAqIGFzIGZhciBhcyBtZW1fZXZlbnQg Z29lcy4KKyAgICAgKi8KKyAgICBkZWZhdWx0OgorICAgICAgICBlcnJubyA9 IEVJTlZBTDsKKyAgICAgICAgcmMxID0gLTE7CisgICAgICAgIGdvdG8gb3V0 OworICAgIH0KKworICAgIHJjMSA9IHhjX21lbV9ldmVudF9jb250cm9sKHhj aCwgZG9tYWluX2lkLCBvcCwgbW9kZSwgcG9ydCk7CisgICAgaWYgKCByYzEg IT0gMCApCisgICAgeworICAgICAgICBQRVJST1IoIkZhaWxlZCB0byBlbmFi bGUgbWVtX2V2ZW50XG4iKTsKKyAgICAgICAgZ290byBvdXQ7CisgICAgfQor CisgICAgLyogUmVtb3ZlIHRoZSByaW5nX3BmbiBmcm9tIHRoZSBndWVzdCdz IHBoeXNtYXAgKi8KKyAgICByYzEgPSB4Y19kb21haW5fZGVjcmVhc2VfcmVz ZXJ2YXRpb25fZXhhY3QoeGNoLCBkb21haW5faWQsIDEsIDAsICZyaW5nX3Bm bik7CisgICAgaWYgKCByYzEgIT0gMCApCisgICAgICAgIFBFUlJPUigiRmFp bGVkIHRvIHJlbW92ZSByaW5nIHBhZ2UgZnJvbSBndWVzdCBwaHlzbWFwIik7 CisKKyBvdXQ6CisgICAgc2F2ZWRfZXJybm8gPSBlcnJubzsKKworICAgIHJj MiA9IHhjX2RvbWFpbl91bnBhdXNlKHhjaCwgZG9tYWluX2lkKTsKKyAgICBp ZiAoIHJjMSAhPSAwIHx8IHJjMiAhPSAwICkKKyAgICB7CisgICAgICAgIGlm ICggcmMyICE9IDAgKQorICAgICAgICB7CisgICAgICAgICAgICBpZiAoIHJj MSA9PSAwICkKKyAgICAgICAgICAgICAgICBzYXZlZF9lcnJubyA9IGVycm5v OworICAgICAgICAgICAgUEVSUk9SKCJVbmFibGUgdG8gdW5wYXVzZSBkb21h aW4iKTsKKyAgICAgICAgfQorCisgICAgICAgIGlmICggcmluZ19wYWdlICkK KyAgICAgICAgICAgIG11bm1hcChyaW5nX3BhZ2UsIFhDX1BBR0VfU0laRSk7 CisgICAgICAgIHJpbmdfcGFnZSA9IE5VTEw7CisKKyAgICAgICAgZXJybm8g PSBzYXZlZF9lcnJubzsKKyAgICB9CisKKyAgICByZXR1cm4gcmluZ19wYWdl OworfQpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGMveGVuY3RybC5oIGIvdG9v bHMvbGlieGMveGVuY3RybC5oCmluZGV4IDAyMTI5ZjcuLjM0Njc4ZDggMTAw NjQ0Ci0tLSBhL3Rvb2xzL2xpYnhjL3hlbmN0cmwuaAorKysgYi90b29scy9s aWJ4Yy94ZW5jdHJsLmgKQEAgLTIwMjMsNiArMjAyMywxMiBAQCBpbnQgeGNf bWVtX2V2ZW50X2NvbnRyb2woeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlkX3Qg ZG9tYWluX2lkLCB1bnNpZ25lZCBpbnQgb3AsCiBpbnQgeGNfbWVtX2V2ZW50 X21lbW9wKHhjX2ludGVyZmFjZSAqeGNoLCBkb21pZF90IGRvbWFpbl9pZCwg CiAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBpbnQgb3AsIHVu c2lnbmVkIGludCBtb2RlLAogICAgICAgICAgICAgICAgICAgICAgICAgdWlu dDY0X3QgZ2ZuLCB2b2lkICpidWZmZXIpOworLyoKKyAqIEVuYWJsZXMgbWVt X2V2ZW50IGFuZCByZXR1cm5zIHRoZSBtYXBwZWQgcmluZyBwYWdlIGluZGlj YXRlZCBieSBwYXJhbS4KKyAqIHBhcmFtIGNhbiBiZSBIVk1fUEFSQU1fUEFH SU5HL0FDQ0VTUy9TSEFSSU5HX1JJTkdfUEZOCisgKi8KK3ZvaWQgKnhjX21l bV9ldmVudF9lbmFibGUoeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlkX3QgZG9t YWluX2lkLCBpbnQgcGFyYW0sCisgICAgICAgICAgICAgICAgICAgICAgICAg IHVpbnQzMl90ICpwb3J0KTsKIAogLyoqIAogICogTWVtIHBhZ2luZyBvcGVy YXRpb25zLgpAQCAtMjA0Myw3ICsyMDQ5LDEzIEBAIGludCB4Y19tZW1fcGFn aW5nX2xvYWQoeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlkX3QgZG9tYWluX2lk LAogICogQWNjZXNzIHRyYWNraW5nIG9wZXJhdGlvbnMuCiAgKiBTdXBwb3J0 ZWQgb25seSBvbiBJbnRlbCBFUFQgNjQgYml0IHByb2Nlc3NvcnMuCiAgKi8K LWludCB4Y19tZW1fYWNjZXNzX2VuYWJsZSh4Y19pbnRlcmZhY2UgKnhjaCwg ZG9taWRfdCBkb21haW5faWQsIHVpbnQzMl90ICpwb3J0KTsKKworLyoKKyAq IEVuYWJsZXMgbWVtX2FjY2VzcyBhbmQgcmV0dXJucyB0aGUgbWFwcGVkIHJp bmcgcGFnZS4KKyAqIFdpbGwgcmV0dXJuIE5VTEwgb24gZXJyb3IuCisgKiBD YWxsZXIgaGFzIHRvIHVubWFwIHRoaXMgcGFnZSB3aGVuIGRvbmUuCisgKi8K K3ZvaWQgKnhjX21lbV9hY2Nlc3NfZW5hYmxlKHhjX2ludGVyZmFjZSAqeGNo LCBkb21pZF90IGRvbWFpbl9pZCwgdWludDMyX3QgKnBvcnQpOwogaW50IHhj X21lbV9hY2Nlc3NfZGlzYWJsZSh4Y19pbnRlcmZhY2UgKnhjaCwgZG9taWRf dCBkb21haW5faWQpOwogaW50IHhjX21lbV9hY2Nlc3NfcmVzdW1lKHhjX2lu dGVyZmFjZSAqeGNoLCBkb21pZF90IGRvbWFpbl9pZCk7CiAKZGlmZiAtLWdp dCBhL3Rvb2xzL3Rlc3RzL3hlbi1hY2Nlc3MveGVuLWFjY2Vzcy5jIGIvdG9v bHMvdGVzdHMveGVuLWFjY2Vzcy94ZW4tYWNjZXNzLmMKaW5kZXggMGE4NGJk NS4uNTcyYWI2MyAxMDA2NDQKLS0tIGEvdG9vbHMvdGVzdHMveGVuLWFjY2Vz cy94ZW4tYWNjZXNzLmMKKysrIGIvdG9vbHMvdGVzdHMveGVuLWFjY2Vzcy94 ZW4tYWNjZXNzLmMKQEAgLTIyMyw3ICsyMjMsNiBAQCB4ZW5hY2Nlc3NfdCAq eGVuYWNjZXNzX2luaXQoeGNfaW50ZXJmYWNlICoqeGNoX3IsIGRvbWlkX3Qg ZG9tYWluX2lkKQogICAgIHhlbmFjY2Vzc190ICp4ZW5hY2Nlc3MgPSAwOwog ICAgIHhjX2ludGVyZmFjZSAqeGNoOwogICAgIGludCByYzsKLSAgICB1bnNp Z25lZCBsb25nIHJpbmdfcGZuLCBtbWFwX3BmbjsKIAogICAgIHhjaCA9IHhj X2ludGVyZmFjZV9vcGVuKE5VTEwsIE5VTEwsIDApOwogICAgIGlmICggIXhj aCApCkBAIC0yNDUsNDAgKzI0NCwxMiBAQCB4ZW5hY2Nlc3NfdCAqeGVuYWNj ZXNzX2luaXQoeGNfaW50ZXJmYWNlICoqeGNoX3IsIGRvbWlkX3QgZG9tYWlu X2lkKQogICAgIC8qIEluaXRpYWxpc2UgbG9jayAqLwogICAgIG1lbV9ldmVu dF9yaW5nX2xvY2tfaW5pdCgmeGVuYWNjZXNzLT5tZW1fZXZlbnQpOwogCi0g ICAgLyogTWFwIHRoZSByaW5nIHBhZ2UgKi8KLSAgICB4Y19nZXRfaHZtX3Bh cmFtKHhjaCwgeGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9tYWluX2lkLCAKLSAg ICAgICAgICAgICAgICAgICAgICAgIEhWTV9QQVJBTV9BQ0NFU1NfUklOR19Q Rk4sICZyaW5nX3Bmbik7Ci0gICAgbW1hcF9wZm4gPSByaW5nX3BmbjsKLSAg ICB4ZW5hY2Nlc3MtPm1lbV9ldmVudC5yaW5nX3BhZ2UgPSAKLSAgICAgICAg eGNfbWFwX2ZvcmVpZ25fYmF0Y2goeGNoLCB4ZW5hY2Nlc3MtPm1lbV9ldmVu dC5kb21haW5faWQsIAotICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICBQUk9UX1JFQUQgfCBQUk9UX1dSSVRFLCAmbW1hcF9wZm4sIDEpOwotICAg IGlmICggbW1hcF9wZm4gJiBYRU5fRE9NQ1RMX1BGSU5GT19YVEFCICkKLSAg ICB7Ci0gICAgICAgIC8qIE1hcCBmYWlsZWQsIHBvcHVsYXRlIHJpbmcgcGFn ZSAqLwotICAgICAgICByYyA9IHhjX2RvbWFpbl9wb3B1bGF0ZV9waHlzbWFw X2V4YWN0KHhlbmFjY2Vzcy0+eGNfaGFuZGxlLCAKLSAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4ZW5hY2Nlc3MtPm1l bV9ldmVudC5kb21haW5faWQsCi0gICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgMSwgMCwgMCwgJnJpbmdfcGZuKTsKLSAg ICAgICAgaWYgKCByYyAhPSAwICkKLSAgICAgICAgewotICAgICAgICAgICAg UEVSUk9SKCJGYWlsZWQgdG8gcG9wdWxhdGUgcmluZyBnZm5cbiIpOwotICAg ICAgICAgICAgZ290byBlcnI7Ci0gICAgICAgIH0KLQotICAgICAgICBtbWFw X3BmbiA9IHJpbmdfcGZuOwotICAgICAgICB4ZW5hY2Nlc3MtPm1lbV9ldmVu dC5yaW5nX3BhZ2UgPSAKLSAgICAgICAgICAgIHhjX21hcF9mb3JlaWduX2Jh dGNoKHhjaCwgeGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9tYWluX2lkLCAKLSAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBST1RfUkVBRCB8 IFBST1RfV1JJVEUsICZtbWFwX3BmbiwgMSk7Ci0gICAgICAgIGlmICggbW1h cF9wZm4gJiBYRU5fRE9NQ1RMX1BGSU5GT19YVEFCICkKLSAgICAgICAgewot ICAgICAgICAgICAgUEVSUk9SKCJDb3VsZCBub3QgbWFwIHRoZSByaW5nIHBh Z2VcbiIpOwotICAgICAgICAgICAgZ290byBlcnI7Ci0gICAgICAgIH0KLSAg ICB9Ci0KLSAgICAvKiBJbml0aWFsaXNlIFhlbiAqLwotICAgIHJjID0geGNf bWVtX2FjY2Vzc19lbmFibGUoeGVuYWNjZXNzLT54Y19oYW5kbGUsIHhlbmFj Y2Vzcy0+bWVtX2V2ZW50LmRvbWFpbl9pZCwKLSAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgJnhlbmFjY2Vzcy0+bWVtX2V2ZW50LmV2dGNobl9wb3J0 KTsKLSAgICBpZiAoIHJjICE9IDAgKQorICAgIC8qIEVuYWJsZSBtZW1fYWNj ZXNzICovCisgICAgeGVuYWNjZXNzLT5tZW1fZXZlbnQucmluZ19wYWdlID0K KyAgICAgICAgICAgIHhjX21lbV9hY2Nlc3NfZW5hYmxlKHhlbmFjY2Vzcy0+ eGNfaGFuZGxlLAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg eGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9tYWluX2lkLAorICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgJnhlbmFjY2Vzcy0+bWVtX2V2ZW50LmV2 dGNobl9wb3J0KTsKKyAgICBpZiAoIHhlbmFjY2Vzcy0+bWVtX2V2ZW50LnJp bmdfcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHN3aXRjaCAoIGVy cm5vICkgewogICAgICAgICAgICAgY2FzZSBFQlVTWToKQEAgLTI4OCw3ICsy NTksNyBAQCB4ZW5hY2Nlc3NfdCAqeGVuYWNjZXNzX2luaXQoeGNfaW50ZXJm YWNlICoqeGNoX3IsIGRvbWlkX3QgZG9tYWluX2lkKQogICAgICAgICAgICAg ICAgIEVSUk9SKCJFUFQgbm90IHN1cHBvcnRlZCBmb3IgdGhpcyBndWVzdCIp OwogICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgZGVmYXVs dDoKLSAgICAgICAgICAgICAgICBwZXJyb3IoIkVycm9yIGluaXRpYWxpc2lu ZyBzaGFyZWQgcGFnZSIpOworICAgICAgICAgICAgICAgIHBlcnJvcigiRXJy b3IgZW5hYmxpbmcgbWVtX2FjY2VzcyIpOwogICAgICAgICAgICAgICAgIGJy ZWFrOwogICAgICAgICB9CiAgICAgICAgIGdvdG8gZXJyOwpAQCAtMzIyLDEx ICsyOTMsNiBAQCB4ZW5hY2Nlc3NfdCAqeGVuYWNjZXNzX2luaXQoeGNfaW50 ZXJmYWNlICoqeGNoX3IsIGRvbWlkX3QgZG9tYWluX2lkKQogICAgICAgICAg ICAgICAgICAgIChtZW1fZXZlbnRfc3JpbmdfdCAqKXhlbmFjY2Vzcy0+bWVt X2V2ZW50LnJpbmdfcGFnZSwKICAgICAgICAgICAgICAgICAgICBYQ19QQUdF X1NJWkUpOwogCi0gICAgLyogTm93IHRoYXQgdGhlIHJpbmcgaXMgc2V0LCBy ZW1vdmUgaXQgZnJvbSB0aGUgZ3Vlc3QncyBwaHlzbWFwICovCi0gICAgaWYg KCB4Y19kb21haW5fZGVjcmVhc2VfcmVzZXJ2YXRpb25fZXhhY3QoeGNoLCAK LSAgICAgICAgICAgICAgICAgICAgeGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9t YWluX2lkLCAxLCAwLCAmcmluZ19wZm4pICkKLSAgICAgICAgUEVSUk9SKCJG YWlsZWQgdG8gcmVtb3ZlIHJpbmcgZnJvbSBndWVzdCBwaHlzbWFwIik7Ci0K ICAgICAvKiBHZXQgZG9tYWluaW5mbyAqLwogICAgIHhlbmFjY2Vzcy0+ZG9t YWluX2luZm8gPSBtYWxsb2Moc2l6ZW9mKHhjX2RvbWFpbmluZm9fdCkpOwog ICAgIGlmICggeGVuYWNjZXNzLT5kb21haW5faW5mbyA9PSBOVUxMICkK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Jun 17 12:18:14 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:18:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK2-0001tN-3O; Tue, 17 Jun 2014 12:17:06 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJz-0001sA-5o; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [85.158.143.35:61543] by server-1.bemta-4.messagelabs.com id DC/04-09496-EB130A35; Tue, 17 Jun 2014 12:17:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-21.messagelabs.com!1403007420!11944421!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30447 invoked from network); 17 Jun 2014 12:17:01 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:01 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJr-00053k-48; Tue, 17 Jun 2014 12:16:55 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJr-00081P-1v; Tue, 17 Jun 2014 12:16:55 +0000 Date: Tue, 17 Jun 2014 12:16:55 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4021 / XSA-100 version 3 Hypervisor heap contents leaked to guests UPDATES IN VERSION 3 ==================== Public Release. CVE assigned. ISSUE DESCRIPTION ================= While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked. IMPACT ====== A malicious guest might be able to read data relating to other guests or the hypervisor itself. Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== No comprehensive mitigation is available. An attacker will find it easier obtain sensitive data from a victim guest if the attacker is able to initiate domain management operations and lifecycle events for that guest. This includes a situation where the attacker can cause the victim guest to crash. Therefore the risk from this vulnerability can be somewhat reduced by restricting management (such as migration or resource adjustment) to fully trusted guest or host administrators, and by eliminating any Denial of Service vulnerabilities against potential victim guests. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b will be required if not already in place in the respective tree. $ sha256sum xsa100*.patch 2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0 xsa100.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCoFAAoJEIP+FMlX6CvZ8p0H/1RPfzKOIQVvjJrAPiOH8cDr /QR8hAhKqIs97+fxSFO5LCsfBwKga/rLz6sjveQYlvJOq9qSc2vTWxpQLNrh7M1q NagTSVJoxcxVn+LHgHAczfRfNwK5BWFHz5/R3k1SLSjLy15aBDr5rW42H/WjKXI3 0UnLfpLkaDfocpQOYAz1a4cTAxbK07omhSlnCdcvPmWLDPvWy03BF7jZvTDYdiO1 OjU/3HUwMv7Ii6By3QvjO3Z4h9qkest/iIeaeCTwNwSJa9rW+8KLZjzdJCMJOUeu J608R94x4vyj7wc+JVPwD59K0XkXzmsASC8q0ivohXGDTloKcdN7vdmR37g4fJ0= =WnYZ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa100.patch" Content-Disposition: attachment; filename="xsa100.patch" Content-Transfer-Encoding: base64 cGFnZS1hbGxvYzogc2NydWIgcGFnZXMgdXNlZCBieSBoeXBlcnZpc29yIHVw b24gZnJlZWluZwoKLi4uIHVubGVzcyB0aGV5J3JlIHBhcnQgb2YgYSBmdWxs eSBzZXBhcmF0ZSBwb29sIChhbmQgaGVuY2UgY2FuJ3QgZXZlcgpiZSB1c2Vk IGZvciBndWVzdCBhbGxvY2F0aW9ucykuCgpUaGlzIGlzIFhTQS0xMDAuCgpT aWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ ClJldmlld2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRy aXguY29tPgpBY2tlZC1ieTogS2VpciBGcmFzZXIgPGtlaXJAeGVuLm9yZz4K Ci0tLSBhL3hlbi9jb21tb24vcGFnZV9hbGxvYy5jCisrKyBiL3hlbi9jb21t b24vcGFnZV9hbGxvYy5jCkBAIC0xNDA5LDcgKzE0MDksMTAgQEAgdm9pZCBm cmVlX3hlbmhlYXBfcGFnZXModm9pZCAqdiwgdW5zaWduZQogICAgIHBnID0g dmlydF90b19wYWdlKHYpOwogCiAgICAgZm9yICggaSA9IDA7IGkgPCAoMXUg PDwgb3JkZXIpOyBpKysgKQorICAgIHsKKyAgICAgICAgc2NydWJfb25lX3Bh Z2UoJnBnW2ldKTsKICAgICAgICAgcGdbaV0uY291bnRfaW5mbyAmPSB+UEdD X3hlbl9oZWFwOworICAgIH0KIAogICAgIGZyZWVfaGVhcF9wYWdlcyhwZywg b3JkZXIpOwogfQpAQCAtMTU3OSw2ICsxNTgyLDggQEAgdm9pZCBmcmVlX2Rv bWhlYXBfcGFnZXMoc3RydWN0IHBhZ2VfaW5mbwogICAgIGVsc2UKICAgICB7 CiAgICAgICAgIC8qIEZyZWVpbmcgYW5vbnltb3VzIGRvbWFpbi1oZWFwIHBh Z2VzLiAqLworICAgICAgICBmb3IgKCBpID0gMDsgaSA8ICgxIDw8IG9yZGVy KTsgaSsrICkKKyAgICAgICAgICAgIHNjcnViX29uZV9wYWdlKCZwZ1tpXSk7 CiAgICAgICAgIGZyZWVfaGVhcF9wYWdlcyhwZywgb3JkZXIpOwogICAgICAg ICBkcm9wX2RvbV9yZWYgPSAwOwogICAgIH0K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Jun 17 12:18:14 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:18:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK2-0001tN-3O; Tue, 17 Jun 2014 12:17:06 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJz-0001sA-5o; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [85.158.143.35:61543] by server-1.bemta-4.messagelabs.com id DC/04-09496-EB130A35; Tue, 17 Jun 2014 12:17:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-21.messagelabs.com!1403007420!11944421!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30447 invoked from network); 17 Jun 2014 12:17:01 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:01 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJr-00053k-48; Tue, 17 Jun 2014 12:16:55 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJr-00081P-1v; Tue, 17 Jun 2014 12:16:55 +0000 Date: Tue, 17 Jun 2014 12:16:55 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4021 / XSA-100 version 3 Hypervisor heap contents leaked to guests UPDATES IN VERSION 3 ==================== Public Release. CVE assigned. ISSUE DESCRIPTION ================= While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked. IMPACT ====== A malicious guest might be able to read data relating to other guests or the hypervisor itself. Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== No comprehensive mitigation is available. An attacker will find it easier obtain sensitive data from a victim guest if the attacker is able to initiate domain management operations and lifecycle events for that guest. This includes a situation where the attacker can cause the victim guest to crash. Therefore the risk from this vulnerability can be somewhat reduced by restricting management (such as migration or resource adjustment) to fully trusted guest or host administrators, and by eliminating any Denial of Service vulnerabilities against potential victim guests. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b will be required if not already in place in the respective tree. $ sha256sum xsa100*.patch 2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0 xsa100.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCoFAAoJEIP+FMlX6CvZ8p0H/1RPfzKOIQVvjJrAPiOH8cDr /QR8hAhKqIs97+fxSFO5LCsfBwKga/rLz6sjveQYlvJOq9qSc2vTWxpQLNrh7M1q NagTSVJoxcxVn+LHgHAczfRfNwK5BWFHz5/R3k1SLSjLy15aBDr5rW42H/WjKXI3 0UnLfpLkaDfocpQOYAz1a4cTAxbK07omhSlnCdcvPmWLDPvWy03BF7jZvTDYdiO1 OjU/3HUwMv7Ii6By3QvjO3Z4h9qkest/iIeaeCTwNwSJa9rW+8KLZjzdJCMJOUeu J608R94x4vyj7wc+JVPwD59K0XkXzmsASC8q0ivohXGDTloKcdN7vdmR37g4fJ0= =WnYZ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa100.patch" Content-Disposition: attachment; filename="xsa100.patch" Content-Transfer-Encoding: base64 cGFnZS1hbGxvYzogc2NydWIgcGFnZXMgdXNlZCBieSBoeXBlcnZpc29yIHVw b24gZnJlZWluZwoKLi4uIHVubGVzcyB0aGV5J3JlIHBhcnQgb2YgYSBmdWxs eSBzZXBhcmF0ZSBwb29sIChhbmQgaGVuY2UgY2FuJ3QgZXZlcgpiZSB1c2Vk IGZvciBndWVzdCBhbGxvY2F0aW9ucykuCgpUaGlzIGlzIFhTQS0xMDAuCgpT aWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ ClJldmlld2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRy aXguY29tPgpBY2tlZC1ieTogS2VpciBGcmFzZXIgPGtlaXJAeGVuLm9yZz4K Ci0tLSBhL3hlbi9jb21tb24vcGFnZV9hbGxvYy5jCisrKyBiL3hlbi9jb21t b24vcGFnZV9hbGxvYy5jCkBAIC0xNDA5LDcgKzE0MDksMTAgQEAgdm9pZCBm cmVlX3hlbmhlYXBfcGFnZXModm9pZCAqdiwgdW5zaWduZQogICAgIHBnID0g dmlydF90b19wYWdlKHYpOwogCiAgICAgZm9yICggaSA9IDA7IGkgPCAoMXUg PDwgb3JkZXIpOyBpKysgKQorICAgIHsKKyAgICAgICAgc2NydWJfb25lX3Bh Z2UoJnBnW2ldKTsKICAgICAgICAgcGdbaV0uY291bnRfaW5mbyAmPSB+UEdD X3hlbl9oZWFwOworICAgIH0KIAogICAgIGZyZWVfaGVhcF9wYWdlcyhwZywg b3JkZXIpOwogfQpAQCAtMTU3OSw2ICsxNTgyLDggQEAgdm9pZCBmcmVlX2Rv bWhlYXBfcGFnZXMoc3RydWN0IHBhZ2VfaW5mbwogICAgIGVsc2UKICAgICB7 CiAgICAgICAgIC8qIEZyZWVpbmcgYW5vbnltb3VzIGRvbWFpbi1oZWFwIHBh Z2VzLiAqLworICAgICAgICBmb3IgKCBpID0gMDsgaSA8ICgxIDw8IG9yZGVy KTsgaSsrICkKKyAgICAgICAgICAgIHNjcnViX29uZV9wYWdlKCZwZ1tpXSk7 CiAgICAgICAgIGZyZWVfaGVhcF9wYWdlcyhwZywgb3JkZXIpOwogICAgICAg ICBkcm9wX2RvbV9yZWYgPSAwOwogICAgIH0K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Jun 17 12:18:14 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:18:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK0-0001sm-Kt; Tue, 17 Jun 2014 12:17:04 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJy-0001s8-P5; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [193.109.254.147:26109] by server-2.bemta-14.messagelabs.com id 56/DB-21684-DB130A35; Tue, 17 Jun 2014 12:17:01 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-27.messagelabs.com!1403007419!7186111!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30584 invoked from network); 17 Jun 2014 12:17:00 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:00 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJm-00053a-EX; Tue, 17 Jun 2014 12:16:50 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJm-00080M-3v; Tue, 17 Jun 2014 12:16:50 +0000 Date: Tue, 17 Jun 2014 12:16:50 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 99 - unexpected pitfall in xenaccess API X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-99 version 2 unexpected pitfall in xenaccess API UPDATES IN VERSION 2 ==================== Public Release. Added note regarding CVE. ISSUE DESCRIPTION ================= A test/example program, for exercising the Xen memaccess API, does not take all necessary precautions against hostile guest behaviour. As a result, software developers using it as an example or template might have written and deployed vulnerable code. See the patch for technical details of the problem. IMPACT ====== Deployments of software inspired by, or derived from, xen.git/tools/tests/xen-access/xen-access.c, may be vulnerable to privilege escalation by a malicious guest administrator. xen-access is a test/example program and is not, without modification, useful in production. It is not built or installed by default. VULNERABLE SYSTEMS ================== Unmodified Xen installations (including installations as provided by typical Free Software distributions) are not vulnerable. The following toolstacks/libraries do not use memaccess, so systems using Xen only via the following are not vulnerable: libxl; xl; xend; xm; libvirt In general, Xen installations which make no use of the Xen memory access API (xc_mem_access_..., "XENMEM_access_...", XEN_DOMCTL_MEM_EVENT_OP_ACCESS_ENABLE) are not vulnerable. Systems using the Xen hypervisor 4.1 or earlier are not vulnerable. ARM systems are not vulnerable. AMD systems are not vulnerable. Intel x86 systems without EPT are not vulnerable. Software developers who have based their efforts on xen-access.c may have constructed vulnerable systems. Such developers should examine their software, and communicate with their own downstreams, as applicable. Users of Xen-derived systems, whose vulnerability is not excluded above, should consult their vendor for information about the applicability of this vulnerability. MITIGATION ========== Disabling whatever functionality uses the memaccess API will avoid the vulnerability. NOTE REGARDING CVE ================== The CVE assignment team at the MITRE CVE Numbering Authority have told us that type of issue is typically considered site-specific and is not eligible for a CVE ID: The scope of CVE does not include issues where a vulnerable program can be present after a customer modifies shipped source code or modifies the build process. The primary purpose of this guideline is to avoid CVE assignments where, for example, the vulnerability exists only when a customer enables experimental code and then recompiles. A secondary purpose of this guideline is to avoid CVE assignments for example code that wasn't intended to be used as-is. Software developers who have based production code on xen-access.c should obtain their own CVE number(s). CREDITS ======= This vulnerability was discovered by Ian Campbell of Citrix. RESOLUTION ========== The attached patch repairs the test/example utility provided in the Xen Project source tree. To resolve the issue in production software, appropriate changes will have to be be made by its developers. $ sha256sum xsa99*.patch d6496699d9952bbfe1cd86e0ba84182e455a5dc4626654d387f92390d9680cd4 xsa99.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCn/AAoJEIP+FMlX6CvZBp8H/Az39oLQiAIyrZRD+IktvGuB mCLRcoyTJxxfE+9bAFltypelGNwq5NT/JUwub82whapbPW/e/rtGbln43FkdkoLu oFlddcteOzJMTLsLXxe50zrgb4QaUEt4lxQ2zEyFpL6PYz32pO24NLK8QzG480Ol 4u1UlBJeYM61Z4JPuCy0h5vMy0eU6G3yry6B09s4Dmdfvd6AU7BprFT4/aW+noQ0 84w11iL8Y53ddnidTgaXNkyvcq+5m57RL9uHvrRz7mViqhazkVkxGZHVKsUYuRPb wkBpSaa+cJkeF8AnDue/QuW0pWYpfrPoniD86SwgzsYYj5bN0EnQ4CTzVIAx284= =9myT -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa99.patch" Content-Disposition: attachment; filename="xsa99.patch" Content-Transfer-Encoding: base64 RnJvbTogQXJhdmluZGggUHV0aGl5YXBhcmFtYmlsIDxhcmF2aW5kcEBjaXNj by5jb20+CkRhdGU6IFR1ZSBNYXkgMjAgMTY6MzU6NDQgMjAxNCAtMDcwMAoK bWVtX2FjY2VzczogQWRkIGhlbHBlciBBUEkgdG8gc2V0dXAgcmluZyBhbmQg ZW5hYmxlIG1lbV9hY2Nlc3MKCnRvb2xzL2xpYnhjOiBBZGQgaGVscGVyIGZ1 bmN0aW9uIHRvIHNldHVwIHJpbmcgZm9yIG1lbSBldmVudHMKVGhpcyBwYXRj aCBhZGRzIGEgaGVscGVyIGZ1bmN0aW9uIHRoYXQgbWFwcyB0aGUgcmluZywg ZW5hYmxlcyBtZW1fZXZlbnQKYW5kIHJlbW92ZXMgdGhlIHJpbmcgZnJvbSB0 aGUgZ3Vlc3QgcGh5c21hcCB3aGlsZSB0aGUgZG9tYWluIGlzIHBhdXNlZC4K VGhpcyBjYW4gYmUgdXNlZCBieSBhbGwgbWVtX2V2ZW50cyBidXQgaXMgb25s eSBlbmFibGVkIGZvciBtZW1fYWNjZXNzIGF0CnRoZSBtb21lbnQuCgp0ZXN0 cy94ZW4tYWNjZXNzOiBVc2UgaGVscGVyIEFQSSB0byBzZXR1cCByaW5nIGFu ZCBlbmFibGUgbWVtX2FjY2VzcwpQcmlvciB0byB0aGlzIHBhdGNoLCB4ZW4t YWNjZXNzIHdhcyBzZXR0aW5nIHVwIHRoZSByaW5nIHBhZ2UgaW4gYSB3YXkK dGhhdCB3b3VsZCBnaXZlIGEgbWFsaWNvdXMgZ3Vlc3QgYSB3aW5kb3cgdG8g d3JpdGUgaW4gdG8gdGhlIHNoYXJlZCByaW5nCnBhZ2UuIFRoaXMgcGF0Y2gg Zml4ZXMgdGhpcyBieSB1c2luZyB0aGUgaGVscGVyIEFQSSB0aGF0IGRvZXMg aXQgc2FmZWx5Cm9uIGJlaGFsZiBvZiB4ZW4tYWNjZXNzLgoKVGhpcyBpcyBY U0EtOTkuCgpTaWduZWQtb2ZmLWJ5OiBBcmF2aW5kaCBQdXRoaXlhcGFyYW1i aWwgPGFyYXZpbmRwQGNpc2NvLmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVs aWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KCmRpZmYgLS1naXQgYS90b29scy9s aWJ4Yy94Y19tZW1fYWNjZXNzLmMgYi90b29scy9saWJ4Yy94Y19tZW1fYWNj ZXNzLmMKaW5kZXggZjQzNmU2OS4uNDYxZjBlOSAxMDA2NDQKLS0tIGEvdG9v bHMvbGlieGMveGNfbWVtX2FjY2Vzcy5jCisrKyBiL3Rvb2xzL2xpYnhjL3hj X21lbV9hY2Nlc3MuYwpAQCAtMjQsMTkgKzI0LDkgQEAKICNpbmNsdWRlICJ4 Y19wcml2YXRlLmgiCiAjaW5jbHVkZSA8eGVuL21lbW9yeS5oPgogCi1pbnQg eGNfbWVtX2FjY2Vzc19lbmFibGUoeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlk X3QgZG9tYWluX2lkLAotICAgICAgICAgICAgICAgICAgICAgICAgIHVpbnQz Ml90ICpwb3J0KQordm9pZCAqeGNfbWVtX2FjY2Vzc19lbmFibGUoeGNfaW50 ZXJmYWNlICp4Y2gsIGRvbWlkX3QgZG9tYWluX2lkLCB1aW50MzJfdCAqcG9y dCkKIHsKLSAgICBpZiAoICFwb3J0ICkKLSAgICB7Ci0gICAgICAgIGVycm5v ID0gRUlOVkFMOwotICAgICAgICByZXR1cm4gLTE7Ci0gICAgfQotCi0gICAg cmV0dXJuIHhjX21lbV9ldmVudF9jb250cm9sKHhjaCwgZG9tYWluX2lkLAot ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYRU5fRE9NQ1RMX01F TV9FVkVOVF9PUF9BQ0NFU1NfRU5BQkxFLAotICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBYRU5fRE9NQ1RMX01FTV9FVkVOVF9PUF9BQ0NFU1Ms Ci0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBvcnQpOworICAg IHJldHVybiB4Y19tZW1fZXZlbnRfZW5hYmxlKHhjaCwgZG9tYWluX2lkLCBI Vk1fUEFSQU1fQUNDRVNTX1JJTkdfUEZOLCBwb3J0KTsKIH0KIAogaW50IHhj X21lbV9hY2Nlc3NfZGlzYWJsZSh4Y19pbnRlcmZhY2UgKnhjaCwgZG9taWRf dCBkb21haW5faWQpCmRpZmYgLS1naXQgYS90b29scy9saWJ4Yy94Y19tZW1f ZXZlbnQuYyBiL3Rvb2xzL2xpYnhjL3hjX21lbV9ldmVudC5jCmluZGV4IGQ0 M2EwYWYuLmJlN2M2M2QgMTAwNjQ0Ci0tLSBhL3Rvb2xzL2xpYnhjL3hjX21l bV9ldmVudC5jCisrKyBiL3Rvb2xzL2xpYnhjL3hjX21lbV9ldmVudC5jCkBA IC01NiwzICs1NiwxMTggQEAgaW50IHhjX21lbV9ldmVudF9tZW1vcCh4Y19p bnRlcmZhY2UgKnhjaCwgZG9taWRfdCBkb21haW5faWQsCiAgICAgcmV0dXJu IGRvX21lbW9yeV9vcCh4Y2gsIG1vZGUsICZtZW8sIHNpemVvZihtZW8pKTsK IH0KIAordm9pZCAqeGNfbWVtX2V2ZW50X2VuYWJsZSh4Y19pbnRlcmZhY2Ug KnhjaCwgZG9taWRfdCBkb21haW5faWQsIGludCBwYXJhbSwKKyAgICAgICAg ICAgICAgICAgICAgICAgICAgdWludDMyX3QgKnBvcnQpCit7CisgICAgdm9p ZCAqcmluZ19wYWdlID0gTlVMTDsKKyAgICB1bnNpZ25lZCBsb25nIHJpbmdf cGZuLCBtbWFwX3BmbjsKKyAgICB1bnNpZ25lZCBpbnQgb3AsIG1vZGU7Cisg ICAgaW50IHJjMSwgcmMyLCBzYXZlZF9lcnJubzsKKworICAgIGlmICggIXBv cnQgKQorICAgIHsKKyAgICAgICAgZXJybm8gPSBFSU5WQUw7CisgICAgICAg IHJldHVybiBOVUxMOworICAgIH0KKworICAgIC8qIFBhdXNlIHRoZSBkb21h aW4gZm9yIHJpbmcgcGFnZSBzZXR1cCAqLworICAgIHJjMSA9IHhjX2RvbWFp bl9wYXVzZSh4Y2gsIGRvbWFpbl9pZCk7CisgICAgaWYgKCByYzEgIT0gMCAp CisgICAgeworICAgICAgICBQRVJST1IoIlVuYWJsZSB0byBwYXVzZSBkb21h aW5cbiIpOworICAgICAgICByZXR1cm4gTlVMTDsKKyAgICB9CisKKyAgICAv KiBHZXQgdGhlIHBmbiBvZiB0aGUgcmluZyBwYWdlICovCisgICAgcmMxID0g eGNfZ2V0X2h2bV9wYXJhbSh4Y2gsIGRvbWFpbl9pZCwgcGFyYW0sICZyaW5n X3Bmbik7CisgICAgaWYgKCByYzEgIT0gMCApCisgICAgeworICAgICAgICBQ RVJST1IoIkZhaWxlZCB0byBnZXQgcGZuIG9mIHJpbmcgcGFnZVxuIik7Cisg ICAgICAgIGdvdG8gb3V0OworICAgIH0KKworICAgIG1tYXBfcGZuID0gcmlu Z19wZm47CisgICAgcmluZ19wYWdlID0geGNfbWFwX2ZvcmVpZ25fYmF0Y2go eGNoLCBkb21haW5faWQsIFBST1RfUkVBRCB8IFBST1RfV1JJVEUsCisgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJm1tYXBfcGZuLCAx KTsKKyAgICBpZiAoIG1tYXBfcGZuICYgWEVOX0RPTUNUTF9QRklORk9fWFRB QiApCisgICAgeworICAgICAgICAvKiBNYXAgZmFpbGVkLCBwb3B1bGF0ZSBy aW5nIHBhZ2UgKi8KKyAgICAgICAgcmMxID0geGNfZG9tYWluX3BvcHVsYXRl X3BoeXNtYXBfZXhhY3QoeGNoLCBkb21haW5faWQsIDEsIDAsIDAsCisgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJnJp bmdfcGZuKTsKKyAgICAgICAgaWYgKCByYzEgIT0gMCApCisgICAgICAgIHsK KyAgICAgICAgICAgIFBFUlJPUigiRmFpbGVkIHRvIHBvcHVsYXRlIHJpbmcg cGZuXG4iKTsKKyAgICAgICAgICAgIGdvdG8gb3V0OworICAgICAgICB9CisK KyAgICAgICAgbW1hcF9wZm4gPSByaW5nX3BmbjsKKyAgICAgICAgcmluZ19w YWdlID0geGNfbWFwX2ZvcmVpZ25fYmF0Y2goeGNoLCBkb21haW5faWQsIFBS T1RfUkVBRCB8IFBST1RfV1JJVEUsCisgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICZtbWFwX3BmbiwgMSk7CisgICAgICAgIGlm ICggbW1hcF9wZm4gJiBYRU5fRE9NQ1RMX1BGSU5GT19YVEFCICkKKyAgICAg ICAgeworICAgICAgICAgICAgUEVSUk9SKCJDb3VsZCBub3QgbWFwIHRoZSBy aW5nIHBhZ2VcbiIpOworICAgICAgICAgICAgZ290byBvdXQ7CisgICAgICAg IH0KKyAgICB9CisKKyAgICBzd2l0Y2ggKCBwYXJhbSApCisgICAgeworICAg IGNhc2UgSFZNX1BBUkFNX1BBR0lOR19SSU5HX1BGTjoKKyAgICAgICAgb3Ag PSBYRU5fRE9NQ1RMX01FTV9FVkVOVF9PUF9QQUdJTkdfRU5BQkxFOworICAg ICAgICBtb2RlID0gWEVOX0RPTUNUTF9NRU1fRVZFTlRfT1BfUEFHSU5HOwor ICAgICAgICBicmVhazsKKworICAgIGNhc2UgSFZNX1BBUkFNX0FDQ0VTU19S SU5HX1BGTjoKKyAgICAgICAgb3AgPSBYRU5fRE9NQ1RMX01FTV9FVkVOVF9P UF9BQ0NFU1NfRU5BQkxFOworICAgICAgICBtb2RlID0gWEVOX0RPTUNUTF9N RU1fRVZFTlRfT1BfQUNDRVNTOworICAgICAgICBicmVhazsKKworICAgIGNh c2UgSFZNX1BBUkFNX1NIQVJJTkdfUklOR19QRk46CisgICAgICAgIG9wID0g WEVOX0RPTUNUTF9NRU1fRVZFTlRfT1BfU0hBUklOR19FTkFCTEU7CisgICAg ICAgIG1vZGUgPSBYRU5fRE9NQ1RMX01FTV9FVkVOVF9PUF9TSEFSSU5HOwor ICAgICAgICBicmVhazsKKworICAgIC8qCisgICAgICogVGhpcyBpcyBmb3Ig dGhlIG91dHNpZGUgY2hhbmNlIHRoYXQgdGhlIEhWTV9QQVJBTSBpcyB2YWxp ZCBidXQgaXMgaW52YWxpZAorICAgICAqIGFzIGZhciBhcyBtZW1fZXZlbnQg Z29lcy4KKyAgICAgKi8KKyAgICBkZWZhdWx0OgorICAgICAgICBlcnJubyA9 IEVJTlZBTDsKKyAgICAgICAgcmMxID0gLTE7CisgICAgICAgIGdvdG8gb3V0 OworICAgIH0KKworICAgIHJjMSA9IHhjX21lbV9ldmVudF9jb250cm9sKHhj aCwgZG9tYWluX2lkLCBvcCwgbW9kZSwgcG9ydCk7CisgICAgaWYgKCByYzEg IT0gMCApCisgICAgeworICAgICAgICBQRVJST1IoIkZhaWxlZCB0byBlbmFi bGUgbWVtX2V2ZW50XG4iKTsKKyAgICAgICAgZ290byBvdXQ7CisgICAgfQor CisgICAgLyogUmVtb3ZlIHRoZSByaW5nX3BmbiBmcm9tIHRoZSBndWVzdCdz IHBoeXNtYXAgKi8KKyAgICByYzEgPSB4Y19kb21haW5fZGVjcmVhc2VfcmVz ZXJ2YXRpb25fZXhhY3QoeGNoLCBkb21haW5faWQsIDEsIDAsICZyaW5nX3Bm bik7CisgICAgaWYgKCByYzEgIT0gMCApCisgICAgICAgIFBFUlJPUigiRmFp bGVkIHRvIHJlbW92ZSByaW5nIHBhZ2UgZnJvbSBndWVzdCBwaHlzbWFwIik7 CisKKyBvdXQ6CisgICAgc2F2ZWRfZXJybm8gPSBlcnJubzsKKworICAgIHJj MiA9IHhjX2RvbWFpbl91bnBhdXNlKHhjaCwgZG9tYWluX2lkKTsKKyAgICBp ZiAoIHJjMSAhPSAwIHx8IHJjMiAhPSAwICkKKyAgICB7CisgICAgICAgIGlm ICggcmMyICE9IDAgKQorICAgICAgICB7CisgICAgICAgICAgICBpZiAoIHJj MSA9PSAwICkKKyAgICAgICAgICAgICAgICBzYXZlZF9lcnJubyA9IGVycm5v OworICAgICAgICAgICAgUEVSUk9SKCJVbmFibGUgdG8gdW5wYXVzZSBkb21h aW4iKTsKKyAgICAgICAgfQorCisgICAgICAgIGlmICggcmluZ19wYWdlICkK KyAgICAgICAgICAgIG11bm1hcChyaW5nX3BhZ2UsIFhDX1BBR0VfU0laRSk7 CisgICAgICAgIHJpbmdfcGFnZSA9IE5VTEw7CisKKyAgICAgICAgZXJybm8g PSBzYXZlZF9lcnJubzsKKyAgICB9CisKKyAgICByZXR1cm4gcmluZ19wYWdl OworfQpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGMveGVuY3RybC5oIGIvdG9v bHMvbGlieGMveGVuY3RybC5oCmluZGV4IDAyMTI5ZjcuLjM0Njc4ZDggMTAw NjQ0Ci0tLSBhL3Rvb2xzL2xpYnhjL3hlbmN0cmwuaAorKysgYi90b29scy9s aWJ4Yy94ZW5jdHJsLmgKQEAgLTIwMjMsNiArMjAyMywxMiBAQCBpbnQgeGNf bWVtX2V2ZW50X2NvbnRyb2woeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlkX3Qg ZG9tYWluX2lkLCB1bnNpZ25lZCBpbnQgb3AsCiBpbnQgeGNfbWVtX2V2ZW50 X21lbW9wKHhjX2ludGVyZmFjZSAqeGNoLCBkb21pZF90IGRvbWFpbl9pZCwg CiAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBpbnQgb3AsIHVu c2lnbmVkIGludCBtb2RlLAogICAgICAgICAgICAgICAgICAgICAgICAgdWlu dDY0X3QgZ2ZuLCB2b2lkICpidWZmZXIpOworLyoKKyAqIEVuYWJsZXMgbWVt X2V2ZW50IGFuZCByZXR1cm5zIHRoZSBtYXBwZWQgcmluZyBwYWdlIGluZGlj YXRlZCBieSBwYXJhbS4KKyAqIHBhcmFtIGNhbiBiZSBIVk1fUEFSQU1fUEFH SU5HL0FDQ0VTUy9TSEFSSU5HX1JJTkdfUEZOCisgKi8KK3ZvaWQgKnhjX21l bV9ldmVudF9lbmFibGUoeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlkX3QgZG9t YWluX2lkLCBpbnQgcGFyYW0sCisgICAgICAgICAgICAgICAgICAgICAgICAg IHVpbnQzMl90ICpwb3J0KTsKIAogLyoqIAogICogTWVtIHBhZ2luZyBvcGVy YXRpb25zLgpAQCAtMjA0Myw3ICsyMDQ5LDEzIEBAIGludCB4Y19tZW1fcGFn aW5nX2xvYWQoeGNfaW50ZXJmYWNlICp4Y2gsIGRvbWlkX3QgZG9tYWluX2lk LAogICogQWNjZXNzIHRyYWNraW5nIG9wZXJhdGlvbnMuCiAgKiBTdXBwb3J0 ZWQgb25seSBvbiBJbnRlbCBFUFQgNjQgYml0IHByb2Nlc3NvcnMuCiAgKi8K LWludCB4Y19tZW1fYWNjZXNzX2VuYWJsZSh4Y19pbnRlcmZhY2UgKnhjaCwg ZG9taWRfdCBkb21haW5faWQsIHVpbnQzMl90ICpwb3J0KTsKKworLyoKKyAq IEVuYWJsZXMgbWVtX2FjY2VzcyBhbmQgcmV0dXJucyB0aGUgbWFwcGVkIHJp bmcgcGFnZS4KKyAqIFdpbGwgcmV0dXJuIE5VTEwgb24gZXJyb3IuCisgKiBD YWxsZXIgaGFzIHRvIHVubWFwIHRoaXMgcGFnZSB3aGVuIGRvbmUuCisgKi8K K3ZvaWQgKnhjX21lbV9hY2Nlc3NfZW5hYmxlKHhjX2ludGVyZmFjZSAqeGNo LCBkb21pZF90IGRvbWFpbl9pZCwgdWludDMyX3QgKnBvcnQpOwogaW50IHhj X21lbV9hY2Nlc3NfZGlzYWJsZSh4Y19pbnRlcmZhY2UgKnhjaCwgZG9taWRf dCBkb21haW5faWQpOwogaW50IHhjX21lbV9hY2Nlc3NfcmVzdW1lKHhjX2lu dGVyZmFjZSAqeGNoLCBkb21pZF90IGRvbWFpbl9pZCk7CiAKZGlmZiAtLWdp dCBhL3Rvb2xzL3Rlc3RzL3hlbi1hY2Nlc3MveGVuLWFjY2Vzcy5jIGIvdG9v bHMvdGVzdHMveGVuLWFjY2Vzcy94ZW4tYWNjZXNzLmMKaW5kZXggMGE4NGJk NS4uNTcyYWI2MyAxMDA2NDQKLS0tIGEvdG9vbHMvdGVzdHMveGVuLWFjY2Vz cy94ZW4tYWNjZXNzLmMKKysrIGIvdG9vbHMvdGVzdHMveGVuLWFjY2Vzcy94 ZW4tYWNjZXNzLmMKQEAgLTIyMyw3ICsyMjMsNiBAQCB4ZW5hY2Nlc3NfdCAq eGVuYWNjZXNzX2luaXQoeGNfaW50ZXJmYWNlICoqeGNoX3IsIGRvbWlkX3Qg ZG9tYWluX2lkKQogICAgIHhlbmFjY2Vzc190ICp4ZW5hY2Nlc3MgPSAwOwog ICAgIHhjX2ludGVyZmFjZSAqeGNoOwogICAgIGludCByYzsKLSAgICB1bnNp Z25lZCBsb25nIHJpbmdfcGZuLCBtbWFwX3BmbjsKIAogICAgIHhjaCA9IHhj X2ludGVyZmFjZV9vcGVuKE5VTEwsIE5VTEwsIDApOwogICAgIGlmICggIXhj aCApCkBAIC0yNDUsNDAgKzI0NCwxMiBAQCB4ZW5hY2Nlc3NfdCAqeGVuYWNj ZXNzX2luaXQoeGNfaW50ZXJmYWNlICoqeGNoX3IsIGRvbWlkX3QgZG9tYWlu X2lkKQogICAgIC8qIEluaXRpYWxpc2UgbG9jayAqLwogICAgIG1lbV9ldmVu dF9yaW5nX2xvY2tfaW5pdCgmeGVuYWNjZXNzLT5tZW1fZXZlbnQpOwogCi0g ICAgLyogTWFwIHRoZSByaW5nIHBhZ2UgKi8KLSAgICB4Y19nZXRfaHZtX3Bh cmFtKHhjaCwgeGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9tYWluX2lkLCAKLSAg ICAgICAgICAgICAgICAgICAgICAgIEhWTV9QQVJBTV9BQ0NFU1NfUklOR19Q Rk4sICZyaW5nX3Bmbik7Ci0gICAgbW1hcF9wZm4gPSByaW5nX3BmbjsKLSAg ICB4ZW5hY2Nlc3MtPm1lbV9ldmVudC5yaW5nX3BhZ2UgPSAKLSAgICAgICAg eGNfbWFwX2ZvcmVpZ25fYmF0Y2goeGNoLCB4ZW5hY2Nlc3MtPm1lbV9ldmVu dC5kb21haW5faWQsIAotICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICBQUk9UX1JFQUQgfCBQUk9UX1dSSVRFLCAmbW1hcF9wZm4sIDEpOwotICAg IGlmICggbW1hcF9wZm4gJiBYRU5fRE9NQ1RMX1BGSU5GT19YVEFCICkKLSAg ICB7Ci0gICAgICAgIC8qIE1hcCBmYWlsZWQsIHBvcHVsYXRlIHJpbmcgcGFn ZSAqLwotICAgICAgICByYyA9IHhjX2RvbWFpbl9wb3B1bGF0ZV9waHlzbWFw X2V4YWN0KHhlbmFjY2Vzcy0+eGNfaGFuZGxlLCAKLSAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4ZW5hY2Nlc3MtPm1l bV9ldmVudC5kb21haW5faWQsCi0gICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgMSwgMCwgMCwgJnJpbmdfcGZuKTsKLSAg ICAgICAgaWYgKCByYyAhPSAwICkKLSAgICAgICAgewotICAgICAgICAgICAg UEVSUk9SKCJGYWlsZWQgdG8gcG9wdWxhdGUgcmluZyBnZm5cbiIpOwotICAg ICAgICAgICAgZ290byBlcnI7Ci0gICAgICAgIH0KLQotICAgICAgICBtbWFw X3BmbiA9IHJpbmdfcGZuOwotICAgICAgICB4ZW5hY2Nlc3MtPm1lbV9ldmVu dC5yaW5nX3BhZ2UgPSAKLSAgICAgICAgICAgIHhjX21hcF9mb3JlaWduX2Jh dGNoKHhjaCwgeGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9tYWluX2lkLCAKLSAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBST1RfUkVBRCB8 IFBST1RfV1JJVEUsICZtbWFwX3BmbiwgMSk7Ci0gICAgICAgIGlmICggbW1h cF9wZm4gJiBYRU5fRE9NQ1RMX1BGSU5GT19YVEFCICkKLSAgICAgICAgewot ICAgICAgICAgICAgUEVSUk9SKCJDb3VsZCBub3QgbWFwIHRoZSByaW5nIHBh Z2VcbiIpOwotICAgICAgICAgICAgZ290byBlcnI7Ci0gICAgICAgIH0KLSAg ICB9Ci0KLSAgICAvKiBJbml0aWFsaXNlIFhlbiAqLwotICAgIHJjID0geGNf bWVtX2FjY2Vzc19lbmFibGUoeGVuYWNjZXNzLT54Y19oYW5kbGUsIHhlbmFj Y2Vzcy0+bWVtX2V2ZW50LmRvbWFpbl9pZCwKLSAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgJnhlbmFjY2Vzcy0+bWVtX2V2ZW50LmV2dGNobl9wb3J0 KTsKLSAgICBpZiAoIHJjICE9IDAgKQorICAgIC8qIEVuYWJsZSBtZW1fYWNj ZXNzICovCisgICAgeGVuYWNjZXNzLT5tZW1fZXZlbnQucmluZ19wYWdlID0K KyAgICAgICAgICAgIHhjX21lbV9hY2Nlc3NfZW5hYmxlKHhlbmFjY2Vzcy0+ eGNfaGFuZGxlLAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg eGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9tYWluX2lkLAorICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgJnhlbmFjY2Vzcy0+bWVtX2V2ZW50LmV2 dGNobl9wb3J0KTsKKyAgICBpZiAoIHhlbmFjY2Vzcy0+bWVtX2V2ZW50LnJp bmdfcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHN3aXRjaCAoIGVy cm5vICkgewogICAgICAgICAgICAgY2FzZSBFQlVTWToKQEAgLTI4OCw3ICsy NTksNyBAQCB4ZW5hY2Nlc3NfdCAqeGVuYWNjZXNzX2luaXQoeGNfaW50ZXJm YWNlICoqeGNoX3IsIGRvbWlkX3QgZG9tYWluX2lkKQogICAgICAgICAgICAg ICAgIEVSUk9SKCJFUFQgbm90IHN1cHBvcnRlZCBmb3IgdGhpcyBndWVzdCIp OwogICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgZGVmYXVs dDoKLSAgICAgICAgICAgICAgICBwZXJyb3IoIkVycm9yIGluaXRpYWxpc2lu ZyBzaGFyZWQgcGFnZSIpOworICAgICAgICAgICAgICAgIHBlcnJvcigiRXJy b3IgZW5hYmxpbmcgbWVtX2FjY2VzcyIpOwogICAgICAgICAgICAgICAgIGJy ZWFrOwogICAgICAgICB9CiAgICAgICAgIGdvdG8gZXJyOwpAQCAtMzIyLDEx ICsyOTMsNiBAQCB4ZW5hY2Nlc3NfdCAqeGVuYWNjZXNzX2luaXQoeGNfaW50 ZXJmYWNlICoqeGNoX3IsIGRvbWlkX3QgZG9tYWluX2lkKQogICAgICAgICAg ICAgICAgICAgIChtZW1fZXZlbnRfc3JpbmdfdCAqKXhlbmFjY2Vzcy0+bWVt X2V2ZW50LnJpbmdfcGFnZSwKICAgICAgICAgICAgICAgICAgICBYQ19QQUdF X1NJWkUpOwogCi0gICAgLyogTm93IHRoYXQgdGhlIHJpbmcgaXMgc2V0LCBy ZW1vdmUgaXQgZnJvbSB0aGUgZ3Vlc3QncyBwaHlzbWFwICovCi0gICAgaWYg KCB4Y19kb21haW5fZGVjcmVhc2VfcmVzZXJ2YXRpb25fZXhhY3QoeGNoLCAK LSAgICAgICAgICAgICAgICAgICAgeGVuYWNjZXNzLT5tZW1fZXZlbnQuZG9t YWluX2lkLCAxLCAwLCAmcmluZ19wZm4pICkKLSAgICAgICAgUEVSUk9SKCJG YWlsZWQgdG8gcmVtb3ZlIHJpbmcgZnJvbSBndWVzdCBwaHlzbWFwIik7Ci0K ICAgICAvKiBHZXQgZG9tYWluaW5mbyAqLwogICAgIHhlbmFjY2Vzcy0+ZG9t YWluX2luZm8gPSBtYWxsb2Moc2l6ZW9mKHhjX2RvbWFpbmluZm9fdCkpOwog ICAgIGlmICggeGVuYWNjZXNzLT5kb21haW5faW5mbyA9PSBOVUxMICkK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-devel-bounces@lists.xen.org Tue Jun 17 12:33:27 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:33:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZp-0004Og-RP; Tue, 17 Jun 2014 12:33:25 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZn-0004OB-Ln; Tue, 17 Jun 2014 12:33:23 +0000 Received: from [85.158.143.35:37840] by server-2.bemta-4.messagelabs.com id 51/6B-06539-29530A35; Tue, 17 Jun 2014 12:33:22 +0000 X-Env-Sender: security@xen.org X-Msg-Ref: server-6.tower-21.messagelabs.com!1403008401!11874356!1 X-Originating-IP: [92.243.22.65] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG, UNPARSEABLE_RELAY X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 15152 invoked from network); 17 Jun 2014 12:33:21 -0000 Received: from gandi1.proaut.org (HELO gandi1.proaut.org) (92.243.22.65) by server-6.tower-21.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 17 Jun 2014 12:33:21 -0000 Received: from mailgate1.proaut.com (ip-195-098-027-159.static.nextra.sk [195.98.27.159]) by gandi1.proaut.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id s5HCX2Uu031771; Tue, 17 Jun 2014 14:33:04 +0200 Received: by mailgate1.proaut.com (Postfix, from userid 0) id 3gt82Q3DyfzCt1p; Tue, 17 Jun 2014 14:33:02 +0200 (CEST) Delivered-To: unknown Received: from 10.220.0.25 (10.220.0.25:993) by mailgate1.proaut.com with IMAP4-SSL; 17 Jun 2014 12:33:02 -0000 Delivered-To: mailcollector@proaut.lan Received: from mailgate1.proaut.com (unknown [10.220.0.26]) by mail1.proaut.lan (Postfix) with ESMTPS id 71E5EA00DA for ; Tue, 17 Jun 2014 14:18:17 +0200 (CEST) Received: from lists.xen.org (lists.xen.org [50.57.142.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailgate1.proaut.com (Postfix) with ESMTPS id 3gt7kb249lzCsTF for ; Tue, 17 Jun 2014 14:19:19 +0200 (CEST) Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK2-0001tN-3O; Tue, 17 Jun 2014 12:17:06 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJz-0001sA-5o; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [85.158.143.35:61543] by server-1.bemta-4.messagelabs.com id DC/04-09496-EB130A35; Tue, 17 Jun 2014 12:17:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-21.messagelabs.com!1403007420!11944421!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30447 invoked from network); 17 Jun 2014 12:17:01 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:01 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJr-00053k-48; Tue, 17 Jun 2014 12:16:55 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJr-00081P-1v; Tue, 17 Jun 2014 12:16:55 +0000 Date: Tue, 17 Jun 2014 12:16:55 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: "Xen.org security team" X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list Cc: "Xen.org security team" Subject: [Xen-devel] [Xen-announce] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests X-BeenThere: xen-devel@lists.xen.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4021 / XSA-100 version 3 Hypervisor heap contents leaked to guests UPDATES IN VERSION 3 ==================== Public Release. CVE assigned. ISSUE DESCRIPTION ================= While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked. IMPACT ====== A malicious guest might be able to read data relating to other guests or the hypervisor itself. Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== No comprehensive mitigation is available. An attacker will find it easier obtain sensitive data from a victim guest if the attacker is able to initiate domain management operations and lifecycle events for that guest. This includes a situation where the attacker can cause the victim guest to crash. Therefore the risk from this vulnerability can be somewhat reduced by restricting management (such as migration or resource adjustment) to fully trusted guest or host administrators, and by eliminating any Denial of Service vulnerabilities against potential victim guests. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b will be required if not already in place in the respective tree. $ sha256sum xsa100*.patch 2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0 xsa100.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCoFAAoJEIP+FMlX6CvZ8p0H/1RPfzKOIQVvjJrAPiOH8cDr /QR8hAhKqIs97+fxSFO5LCsfBwKga/rLz6sjveQYlvJOq9qSc2vTWxpQLNrh7M1q NagTSVJoxcxVn+LHgHAczfRfNwK5BWFHz5/R3k1SLSjLy15aBDr5rW42H/WjKXI3 0UnLfpLkaDfocpQOYAz1a4cTAxbK07omhSlnCdcvPmWLDPvWy03BF7jZvTDYdiO1 OjU/3HUwMv7Ii6By3QvjO3Z4h9qkest/iIeaeCTwNwSJa9rW+8KLZjzdJCMJOUeu J608R94x4vyj7wc+JVPwD59K0XkXzmsASC8q0ivohXGDTloKcdN7vdmR37g4fJ0= =WnYZ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa100.patch" Content-Disposition: attachment; filename="xsa100.patch" Content-Transfer-Encoding: base64 cGFnZS1hbGxvYzogc2NydWIgcGFnZXMgdXNlZCBieSBoeXBlcnZpc29yIHVw b24gZnJlZWluZwoKLi4uIHVubGVzcyB0aGV5J3JlIHBhcnQgb2YgYSBmdWxs eSBzZXBhcmF0ZSBwb29sIChhbmQgaGVuY2UgY2FuJ3QgZXZlcgpiZSB1c2Vk IGZvciBndWVzdCBhbGxvY2F0aW9ucykuCgpUaGlzIGlzIFhTQS0xMDAuCgpT aWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ ClJldmlld2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRy aXguY29tPgpBY2tlZC1ieTogS2VpciBGcmFzZXIgPGtlaXJAeGVuLm9yZz4K Ci0tLSBhL3hlbi9jb21tb24vcGFnZV9hbGxvYy5jCisrKyBiL3hlbi9jb21t b24vcGFnZV9hbGxvYy5jCkBAIC0xNDA5LDcgKzE0MDksMTAgQEAgdm9pZCBm cmVlX3hlbmhlYXBfcGFnZXModm9pZCAqdiwgdW5zaWduZQogICAgIHBnID0g dmlydF90b19wYWdlKHYpOwogCiAgICAgZm9yICggaSA9IDA7IGkgPCAoMXUg PDwgb3JkZXIpOyBpKysgKQorICAgIHsKKyAgICAgICAgc2NydWJfb25lX3Bh Z2UoJnBnW2ldKTsKICAgICAgICAgcGdbaV0uY291bnRfaW5mbyAmPSB+UEdD X3hlbl9oZWFwOworICAgIH0KIAogICAgIGZyZWVfaGVhcF9wYWdlcyhwZywg b3JkZXIpOwogfQpAQCAtMTU3OSw2ICsxNTgyLDggQEAgdm9pZCBmcmVlX2Rv bWhlYXBfcGFnZXMoc3RydWN0IHBhZ2VfaW5mbwogICAgIGVsc2UKICAgICB7 CiAgICAgICAgIC8qIEZyZWVpbmcgYW5vbnltb3VzIGRvbWFpbi1oZWFwIHBh Z2VzLiAqLworICAgICAgICBmb3IgKCBpID0gMDsgaSA8ICgxIDw8IG9yZGVy KTsgaSsrICkKKyAgICAgICAgICAgIHNjcnViX29uZV9wYWdlKCZwZ1tpXSk7 CiAgICAgICAgIGZyZWVfaGVhcF9wYWdlcyhwZywgb3JkZXIpOwogICAgICAg ICBkcm9wX2RvbV9yZWYgPSAwOwogICAgIH0K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --=separator-- From xen-devel-bounces@lists.xen.org Tue Jun 17 12:33:27 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:33:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZp-0004Og-RP; Tue, 17 Jun 2014 12:33:25 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZn-0004OB-Ln; Tue, 17 Jun 2014 12:33:23 +0000 Received: from [85.158.143.35:37840] by server-2.bemta-4.messagelabs.com id 51/6B-06539-29530A35; Tue, 17 Jun 2014 12:33:22 +0000 X-Env-Sender: security@xen.org X-Msg-Ref: server-6.tower-21.messagelabs.com!1403008401!11874356!1 X-Originating-IP: [92.243.22.65] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG, UNPARSEABLE_RELAY X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 15152 invoked from network); 17 Jun 2014 12:33:21 -0000 Received: from gandi1.proaut.org (HELO gandi1.proaut.org) (92.243.22.65) by server-6.tower-21.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 17 Jun 2014 12:33:21 -0000 Received: from mailgate1.proaut.com (ip-195-098-027-159.static.nextra.sk [195.98.27.159]) by gandi1.proaut.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id s5HCX2Uu031771; Tue, 17 Jun 2014 14:33:04 +0200 Received: by mailgate1.proaut.com (Postfix, from userid 0) id 3gt82Q3DyfzCt1p; Tue, 17 Jun 2014 14:33:02 +0200 (CEST) Delivered-To: unknown Received: from 10.220.0.25 (10.220.0.25:993) by mailgate1.proaut.com with IMAP4-SSL; 17 Jun 2014 12:33:02 -0000 Delivered-To: mailcollector@proaut.lan Received: from mailgate1.proaut.com (unknown [10.220.0.26]) by mail1.proaut.lan (Postfix) with ESMTPS id 71E5EA00DA for ; Tue, 17 Jun 2014 14:18:17 +0200 (CEST) Received: from lists.xen.org (lists.xen.org [50.57.142.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailgate1.proaut.com (Postfix) with ESMTPS id 3gt7kb249lzCsTF for ; Tue, 17 Jun 2014 14:19:19 +0200 (CEST) Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK2-0001tN-3O; Tue, 17 Jun 2014 12:17:06 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJz-0001sA-5o; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [85.158.143.35:61543] by server-1.bemta-4.messagelabs.com id DC/04-09496-EB130A35; Tue, 17 Jun 2014 12:17:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-21.messagelabs.com!1403007420!11944421!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30447 invoked from network); 17 Jun 2014 12:17:01 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:01 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJr-00053k-48; Tue, 17 Jun 2014 12:16:55 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJr-00081P-1v; Tue, 17 Jun 2014 12:16:55 +0000 Date: Tue, 17 Jun 2014 12:16:55 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: "Xen.org security team" X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list Cc: "Xen.org security team" Subject: [Xen-devel] [Xen-announce] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests X-BeenThere: xen-devel@lists.xen.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4021 / XSA-100 version 3 Hypervisor heap contents leaked to guests UPDATES IN VERSION 3 ==================== Public Release. CVE assigned. ISSUE DESCRIPTION ================= While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked. IMPACT ====== A malicious guest might be able to read data relating to other guests or the hypervisor itself. Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== No comprehensive mitigation is available. An attacker will find it easier obtain sensitive data from a victim guest if the attacker is able to initiate domain management operations and lifecycle events for that guest. This includes a situation where the attacker can cause the victim guest to crash. Therefore the risk from this vulnerability can be somewhat reduced by restricting management (such as migration or resource adjustment) to fully trusted guest or host administrators, and by eliminating any Denial of Service vulnerabilities against potential victim guests. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b will be required if not already in place in the respective tree. $ sha256sum xsa100*.patch 2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0 xsa100.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCoFAAoJEIP+FMlX6CvZ8p0H/1RPfzKOIQVvjJrAPiOH8cDr /QR8hAhKqIs97+fxSFO5LCsfBwKga/rLz6sjveQYlvJOq9qSc2vTWxpQLNrh7M1q NagTSVJoxcxVn+LHgHAczfRfNwK5BWFHz5/R3k1SLSjLy15aBDr5rW42H/WjKXI3 0UnLfpLkaDfocpQOYAz1a4cTAxbK07omhSlnCdcvPmWLDPvWy03BF7jZvTDYdiO1 OjU/3HUwMv7Ii6By3QvjO3Z4h9qkest/iIeaeCTwNwSJa9rW+8KLZjzdJCMJOUeu J608R94x4vyj7wc+JVPwD59K0XkXzmsASC8q0ivohXGDTloKcdN7vdmR37g4fJ0= =WnYZ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa100.patch" Content-Disposition: attachment; filename="xsa100.patch" Content-Transfer-Encoding: base64 cGFnZS1hbGxvYzogc2NydWIgcGFnZXMgdXNlZCBieSBoeXBlcnZpc29yIHVw b24gZnJlZWluZwoKLi4uIHVubGVzcyB0aGV5J3JlIHBhcnQgb2YgYSBmdWxs eSBzZXBhcmF0ZSBwb29sIChhbmQgaGVuY2UgY2FuJ3QgZXZlcgpiZSB1c2Vk IGZvciBndWVzdCBhbGxvY2F0aW9ucykuCgpUaGlzIGlzIFhTQS0xMDAuCgpT aWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ ClJldmlld2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRy aXguY29tPgpBY2tlZC1ieTogS2VpciBGcmFzZXIgPGtlaXJAeGVuLm9yZz4K Ci0tLSBhL3hlbi9jb21tb24vcGFnZV9hbGxvYy5jCisrKyBiL3hlbi9jb21t b24vcGFnZV9hbGxvYy5jCkBAIC0xNDA5LDcgKzE0MDksMTAgQEAgdm9pZCBm cmVlX3hlbmhlYXBfcGFnZXModm9pZCAqdiwgdW5zaWduZQogICAgIHBnID0g dmlydF90b19wYWdlKHYpOwogCiAgICAgZm9yICggaSA9IDA7IGkgPCAoMXUg PDwgb3JkZXIpOyBpKysgKQorICAgIHsKKyAgICAgICAgc2NydWJfb25lX3Bh Z2UoJnBnW2ldKTsKICAgICAgICAgcGdbaV0uY291bnRfaW5mbyAmPSB+UEdD X3hlbl9oZWFwOworICAgIH0KIAogICAgIGZyZWVfaGVhcF9wYWdlcyhwZywg b3JkZXIpOwogfQpAQCAtMTU3OSw2ICsxNTgyLDggQEAgdm9pZCBmcmVlX2Rv bWhlYXBfcGFnZXMoc3RydWN0IHBhZ2VfaW5mbwogICAgIGVsc2UKICAgICB7 CiAgICAgICAgIC8qIEZyZWVpbmcgYW5vbnltb3VzIGRvbWFpbi1oZWFwIHBh Z2VzLiAqLworICAgICAgICBmb3IgKCBpID0gMDsgaSA8ICgxIDw8IG9yZGVy KTsgaSsrICkKKyAgICAgICAgICAgIHNjcnViX29uZV9wYWdlKCZwZ1tpXSk7 CiAgICAgICAgIGZyZWVfaGVhcF9wYWdlcyhwZywgb3JkZXIpOwogICAgICAg ICBkcm9wX2RvbV9yZWYgPSAwOwogICAgIH0K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --=separator-- From xen-users-bounces@lists.xen.org Tue Jun 17 12:34:28 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:34:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZq-0004Ot-9r; Tue, 17 Jun 2014 12:33:26 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZn-0004OB-Ln; Tue, 17 Jun 2014 12:33:23 +0000 Received: from [85.158.143.35:37840] by server-2.bemta-4.messagelabs.com id 51/6B-06539-29530A35; Tue, 17 Jun 2014 12:33:22 +0000 X-Env-Sender: security@xen.org X-Msg-Ref: server-6.tower-21.messagelabs.com!1403008401!11874356!1 X-Originating-IP: [92.243.22.65] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG, UNPARSEABLE_RELAY X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 15152 invoked from network); 17 Jun 2014 12:33:21 -0000 Received: from gandi1.proaut.org (HELO gandi1.proaut.org) (92.243.22.65) by server-6.tower-21.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 17 Jun 2014 12:33:21 -0000 Received: from mailgate1.proaut.com (ip-195-098-027-159.static.nextra.sk [195.98.27.159]) by gandi1.proaut.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id s5HCX2Uu031771; Tue, 17 Jun 2014 14:33:04 +0200 Received: by mailgate1.proaut.com (Postfix, from userid 0) id 3gt82Q3DyfzCt1p; Tue, 17 Jun 2014 14:33:02 +0200 (CEST) Delivered-To: unknown Received: from 10.220.0.25 (10.220.0.25:993) by mailgate1.proaut.com with IMAP4-SSL; 17 Jun 2014 12:33:02 -0000 Delivered-To: mailcollector@proaut.lan Received: from mailgate1.proaut.com (unknown [10.220.0.26]) by mail1.proaut.lan (Postfix) with ESMTPS id 71E5EA00DA for ; Tue, 17 Jun 2014 14:18:17 +0200 (CEST) Received: from lists.xen.org (lists.xen.org [50.57.142.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailgate1.proaut.com (Postfix) with ESMTPS id 3gt7kb249lzCsTF for ; Tue, 17 Jun 2014 14:19:19 +0200 (CEST) Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK2-0001tN-3O; Tue, 17 Jun 2014 12:17:06 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJz-0001sA-5o; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [85.158.143.35:61543] by server-1.bemta-4.messagelabs.com id DC/04-09496-EB130A35; Tue, 17 Jun 2014 12:17:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-21.messagelabs.com!1403007420!11944421!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30447 invoked from network); 17 Jun 2014 12:17:01 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:01 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJr-00053k-48; Tue, 17 Jun 2014 12:16:55 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJr-00081P-1v; Tue, 17 Jun 2014 12:16:55 +0000 Date: Tue, 17 Jun 2014 12:16:55 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: "Xen.org security team" X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list Cc: "Xen.org security team" Subject: [Xen-users] [Xen-announce] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests X-BeenThere: xen-users@lists.xen.org List-Id: Xen user discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-users-bounces@lists.xen.org Errors-To: xen-users-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4021 / XSA-100 version 3 Hypervisor heap contents leaked to guests UPDATES IN VERSION 3 ==================== Public Release. CVE assigned. ISSUE DESCRIPTION ================= While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked. IMPACT ====== A malicious guest might be able to read data relating to other guests or the hypervisor itself. Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== No comprehensive mitigation is available. An attacker will find it easier obtain sensitive data from a victim guest if the attacker is able to initiate domain management operations and lifecycle events for that guest. This includes a situation where the attacker can cause the victim guest to crash. Therefore the risk from this vulnerability can be somewhat reduced by restricting management (such as migration or resource adjustment) to fully trusted guest or host administrators, and by eliminating any Denial of Service vulnerabilities against potential victim guests. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b will be required if not already in place in the respective tree. $ sha256sum xsa100*.patch 2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0 xsa100.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCoFAAoJEIP+FMlX6CvZ8p0H/1RPfzKOIQVvjJrAPiOH8cDr /QR8hAhKqIs97+fxSFO5LCsfBwKga/rLz6sjveQYlvJOq9qSc2vTWxpQLNrh7M1q NagTSVJoxcxVn+LHgHAczfRfNwK5BWFHz5/R3k1SLSjLy15aBDr5rW42H/WjKXI3 0UnLfpLkaDfocpQOYAz1a4cTAxbK07omhSlnCdcvPmWLDPvWy03BF7jZvTDYdiO1 OjU/3HUwMv7Ii6By3QvjO3Z4h9qkest/iIeaeCTwNwSJa9rW+8KLZjzdJCMJOUeu J608R94x4vyj7wc+JVPwD59K0XkXzmsASC8q0ivohXGDTloKcdN7vdmR37g4fJ0= =WnYZ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa100.patch" Content-Disposition: attachment; filename="xsa100.patch" Content-Transfer-Encoding: base64 cGFnZS1hbGxvYzogc2NydWIgcGFnZXMgdXNlZCBieSBoeXBlcnZpc29yIHVw b24gZnJlZWluZwoKLi4uIHVubGVzcyB0aGV5J3JlIHBhcnQgb2YgYSBmdWxs eSBzZXBhcmF0ZSBwb29sIChhbmQgaGVuY2UgY2FuJ3QgZXZlcgpiZSB1c2Vk IGZvciBndWVzdCBhbGxvY2F0aW9ucykuCgpUaGlzIGlzIFhTQS0xMDAuCgpT aWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ ClJldmlld2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRy aXguY29tPgpBY2tlZC1ieTogS2VpciBGcmFzZXIgPGtlaXJAeGVuLm9yZz4K Ci0tLSBhL3hlbi9jb21tb24vcGFnZV9hbGxvYy5jCisrKyBiL3hlbi9jb21t b24vcGFnZV9hbGxvYy5jCkBAIC0xNDA5LDcgKzE0MDksMTAgQEAgdm9pZCBm cmVlX3hlbmhlYXBfcGFnZXModm9pZCAqdiwgdW5zaWduZQogICAgIHBnID0g dmlydF90b19wYWdlKHYpOwogCiAgICAgZm9yICggaSA9IDA7IGkgPCAoMXUg PDwgb3JkZXIpOyBpKysgKQorICAgIHsKKyAgICAgICAgc2NydWJfb25lX3Bh Z2UoJnBnW2ldKTsKICAgICAgICAgcGdbaV0uY291bnRfaW5mbyAmPSB+UEdD X3hlbl9oZWFwOworICAgIH0KIAogICAgIGZyZWVfaGVhcF9wYWdlcyhwZywg b3JkZXIpOwogfQpAQCAtMTU3OSw2ICsxNTgyLDggQEAgdm9pZCBmcmVlX2Rv bWhlYXBfcGFnZXMoc3RydWN0IHBhZ2VfaW5mbwogICAgIGVsc2UKICAgICB7 CiAgICAgICAgIC8qIEZyZWVpbmcgYW5vbnltb3VzIGRvbWFpbi1oZWFwIHBh Z2VzLiAqLworICAgICAgICBmb3IgKCBpID0gMDsgaSA8ICgxIDw8IG9yZGVy KTsgaSsrICkKKyAgICAgICAgICAgIHNjcnViX29uZV9wYWdlKCZwZ1tpXSk7 CiAgICAgICAgIGZyZWVfaGVhcF9wYWdlcyhwZywgb3JkZXIpOwogICAgICAg ICBkcm9wX2RvbV9yZWYgPSAwOwogICAgIH0K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users --=separator-- From xen-users-bounces@lists.xen.org Tue Jun 17 12:34:28 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 17 Jun 2014 12:34:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZq-0004Ot-9r; Tue, 17 Jun 2014 12:33:26 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsZn-0004OB-Ln; Tue, 17 Jun 2014 12:33:23 +0000 Received: from [85.158.143.35:37840] by server-2.bemta-4.messagelabs.com id 51/6B-06539-29530A35; Tue, 17 Jun 2014 12:33:22 +0000 X-Env-Sender: security@xen.org X-Msg-Ref: server-6.tower-21.messagelabs.com!1403008401!11874356!1 X-Originating-IP: [92.243.22.65] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG, UNPARSEABLE_RELAY X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 15152 invoked from network); 17 Jun 2014 12:33:21 -0000 Received: from gandi1.proaut.org (HELO gandi1.proaut.org) (92.243.22.65) by server-6.tower-21.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 17 Jun 2014 12:33:21 -0000 Received: from mailgate1.proaut.com (ip-195-098-027-159.static.nextra.sk [195.98.27.159]) by gandi1.proaut.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id s5HCX2Uu031771; Tue, 17 Jun 2014 14:33:04 +0200 Received: by mailgate1.proaut.com (Postfix, from userid 0) id 3gt82Q3DyfzCt1p; Tue, 17 Jun 2014 14:33:02 +0200 (CEST) Delivered-To: unknown Received: from 10.220.0.25 (10.220.0.25:993) by mailgate1.proaut.com with IMAP4-SSL; 17 Jun 2014 12:33:02 -0000 Delivered-To: mailcollector@proaut.lan Received: from mailgate1.proaut.com (unknown [10.220.0.26]) by mail1.proaut.lan (Postfix) with ESMTPS id 71E5EA00DA for ; Tue, 17 Jun 2014 14:18:17 +0200 (CEST) Received: from lists.xen.org (lists.xen.org [50.57.142.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailgate1.proaut.com (Postfix) with ESMTPS id 3gt7kb249lzCsTF for ; Tue, 17 Jun 2014 14:19:19 +0200 (CEST) Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsK2-0001tN-3O; Tue, 17 Jun 2014 12:17:06 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJz-0001sA-5o; Tue, 17 Jun 2014 12:17:03 +0000 Received: from [85.158.143.35:61543] by server-1.bemta-4.messagelabs.com id DC/04-09496-EB130A35; Tue, 17 Jun 2014 12:17:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-21.messagelabs.com!1403007420!11944421!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 30447 invoked from network); 17 Jun 2014 12:17:01 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-21.messagelabs.com with AES256-SHA encrypted SMTP; 17 Jun 2014 12:17:01 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WwsJr-00053k-48; Tue, 17 Jun 2014 12:16:55 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WwsJr-00081P-1v; Tue, 17 Jun 2014 12:16:55 +0000 Date: Tue, 17 Jun 2014 12:16:55 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: "Xen.org security team" X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list Cc: "Xen.org security team" Subject: [Xen-users] [Xen-announce] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests X-BeenThere: xen-users@lists.xen.org List-Id: Xen user discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-users-bounces@lists.xen.org Errors-To: xen-users-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4021 / XSA-100 version 3 Hypervisor heap contents leaked to guests UPDATES IN VERSION 3 ==================== Public Release. CVE assigned. ISSUE DESCRIPTION ================= While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked. IMPACT ====== A malicious guest might be able to read data relating to other guests or the hypervisor itself. Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== No comprehensive mitigation is available. An attacker will find it easier obtain sensitive data from a victim guest if the attacker is able to initiate domain management operations and lifecycle events for that guest. This includes a situation where the attacker can cause the victim guest to crash. Therefore the risk from this vulnerability can be somewhat reduced by restricting management (such as migration or resource adjustment) to fully trusted guest or host administrators, and by eliminating any Denial of Service vulnerabilities against potential victim guests. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely") found at http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b will be required if not already in place in the respective tree. $ sha256sum xsa100*.patch 2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0 xsa100.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJToCoFAAoJEIP+FMlX6CvZ8p0H/1RPfzKOIQVvjJrAPiOH8cDr /QR8hAhKqIs97+fxSFO5LCsfBwKga/rLz6sjveQYlvJOq9qSc2vTWxpQLNrh7M1q NagTSVJoxcxVn+LHgHAczfRfNwK5BWFHz5/R3k1SLSjLy15aBDr5rW42H/WjKXI3 0UnLfpLkaDfocpQOYAz1a4cTAxbK07omhSlnCdcvPmWLDPvWy03BF7jZvTDYdiO1 OjU/3HUwMv7Ii6By3QvjO3Z4h9qkest/iIeaeCTwNwSJa9rW+8KLZjzdJCMJOUeu J608R94x4vyj7wc+JVPwD59K0XkXzmsASC8q0ivohXGDTloKcdN7vdmR37g4fJ0= =WnYZ -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa100.patch" Content-Disposition: attachment; filename="xsa100.patch" Content-Transfer-Encoding: base64 cGFnZS1hbGxvYzogc2NydWIgcGFnZXMgdXNlZCBieSBoeXBlcnZpc29yIHVw b24gZnJlZWluZwoKLi4uIHVubGVzcyB0aGV5J3JlIHBhcnQgb2YgYSBmdWxs eSBzZXBhcmF0ZSBwb29sIChhbmQgaGVuY2UgY2FuJ3QgZXZlcgpiZSB1c2Vk IGZvciBndWVzdCBhbGxvY2F0aW9ucykuCgpUaGlzIGlzIFhTQS0xMDAuCgpT aWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ ClJldmlld2VkLWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRy aXguY29tPgpBY2tlZC1ieTogS2VpciBGcmFzZXIgPGtlaXJAeGVuLm9yZz4K Ci0tLSBhL3hlbi9jb21tb24vcGFnZV9hbGxvYy5jCisrKyBiL3hlbi9jb21t b24vcGFnZV9hbGxvYy5jCkBAIC0xNDA5LDcgKzE0MDksMTAgQEAgdm9pZCBm cmVlX3hlbmhlYXBfcGFnZXModm9pZCAqdiwgdW5zaWduZQogICAgIHBnID0g dmlydF90b19wYWdlKHYpOwogCiAgICAgZm9yICggaSA9IDA7IGkgPCAoMXUg PDwgb3JkZXIpOyBpKysgKQorICAgIHsKKyAgICAgICAgc2NydWJfb25lX3Bh Z2UoJnBnW2ldKTsKICAgICAgICAgcGdbaV0uY291bnRfaW5mbyAmPSB+UEdD X3hlbl9oZWFwOworICAgIH0KIAogICAgIGZyZWVfaGVhcF9wYWdlcyhwZywg b3JkZXIpOwogfQpAQCAtMTU3OSw2ICsxNTgyLDggQEAgdm9pZCBmcmVlX2Rv bWhlYXBfcGFnZXMoc3RydWN0IHBhZ2VfaW5mbwogICAgIGVsc2UKICAgICB7 CiAgICAgICAgIC8qIEZyZWVpbmcgYW5vbnltb3VzIGRvbWFpbi1oZWFwIHBh Z2VzLiAqLworICAgICAgICBmb3IgKCBpID0gMDsgaSA8ICgxIDw8IG9yZGVy KTsgaSsrICkKKyAgICAgICAgICAgIHNjcnViX29uZV9wYWdlKCZwZ1tpXSk7 CiAgICAgICAgIGZyZWVfaGVhcF9wYWdlcyhwZywgb3JkZXIpOwogICAgICAg ICBkcm9wX2RvbV9yZWYgPSAwOwogICAgIH0K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 25 12:38:42 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 25 Jun 2014 12:38:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WzmSA-0002OC-TE; Wed, 25 Jun 2014 12:37:30 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WzmS9-0002O0-KQ; Wed, 25 Jun 2014 12:37:29 +0000 Received: from [85.158.139.211:65187] by server-17.bemta-5.messagelabs.com id 2A/F5-08711-882CAA35; Wed, 25 Jun 2014 12:37:28 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-14.tower-206.messagelabs.com!1403699847!6534171!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22448 invoked from network); 25 Jun 2014 12:37:28 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-14.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 25 Jun 2014 12:37:28 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WzmS0-0003TW-Le; Wed, 25 Jun 2014 12:37:20 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WzmS0-0008Jz-0c; Wed, 25 Jun 2014 12:37:20 +0000 Date: Wed, 25 Jun 2014 12:37:20 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 101 - information leak via gnttab_setup_table on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-101 version 2 information leak via gnttab_setup_table on ARM UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOP_setup_table subhypercall, leading to an information leak. IMPACT ====== Malicious guest administrators can obtain some of the memory contents of other domains: Up to 8*max_nr_grant_frames bytes of uninitialised memory can be leaked to the calling domain. This memory may have been previously used by either the hypervisor or other guests. The default max_nr_grant_frames is 32, hence by default 256 bytes may be leaked in this way. However this can be overridden via the "gnttab_max_nr_frames" hypervisor command line option. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the attached patch resolves this issue. xsa101.patch xen-unstable, Xen 4.4.x $ sha256sum xsa101*.patch 12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9 xsa101.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTqsJaAAoJEIP+FMlX6CvZ0MkIALeL89QbVy7yAsLQ/JY6HhZA Y61HLh7VX9rwZd2pQJoJC3dSPtMCfeo25yd8ryDB4QEQci5qSk/P5gnBkXMUjDTL PbLHimTvGXdAOI3+TYGC6H/dHfqkMeOr/w9cNuS3GuvmpYGpDnb3iE14x5I+JKJJ JPY1tMwettCU3aWmMd1DHzM3cY2qUxQBPN5Itwev6AjPu9w4eFUBV2/u1CsRIQKT 2UBl7uFPm70MmYAzhr30RHOZRQD70ixFDbs1RH1vQsIbF+J8dTOsuzRd03CwVe4A ib0CUm6Emd8zvnGAFU7WZdY6roIukp/Qk5T4mdtlmFtKXuVfBhlCPuc45cBvwyM= =uOne -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa101.patch" Content-Disposition: attachment; filename="xsa101.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGluaXRpYWxpc2UgdGhlIGdyYW50X3RhYmxlX2dwZm4gYXJy YXkgb24gYWxsb2NhdGlvbgoKQXZvaWRzIGxlYWtpbmcgdW5pbml0aWFsaXNl ZCBtZW1vcnkgdmlhIHRoZSBncmFudCB0YWJsZSBzZXR1cCBoeXBlcmNhbGwu CgpUaGlzIGlzIFhTQS0xMDEuCgpSZXBvcnRlZC1ieTogSnVsaWVuIEdyYWxs IDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KU2lnbmVkLW9mZi1ieTogSWFu IENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRpZmYgLS1n aXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluLmMgYi94ZW4vYXJjaC9hcm0vZG9t YWluLmMKaW5kZXggMDRkMGNkMC4uMjhlY2IxMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL2RvbWFpbi5jCisrKyBiL3hlbi9hcmNoL2FybS9kb21haW4u YwpAQCAtMzk0LDcgKzM5NCw3IEBAIHN0cnVjdCBkb21haW4gKmFsbG9jX2Rv bWFpbl9zdHJ1Y3Qodm9pZCkKICAgICAgICAgcmV0dXJuIE5VTEw7CiAKICAg ICBjbGVhcl9wYWdlKGQpOwotICAgIGQtPmFyY2guZ3JhbnRfdGFibGVfZ3Bm biA9IHhtYWxsb2NfYXJyYXkoeGVuX3Bmbl90LCBtYXhfbnJfZ3JhbnRfZnJh bWVzKTsKKyAgICBkLT5hcmNoLmdyYW50X3RhYmxlX2dwZm4gPSB4emFsbG9j X2FycmF5KHhlbl9wZm5fdCwgbWF4X25yX2dyYW50X2ZyYW1lcyk7CiAgICAg cmV0dXJuIGQ7CiB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Wed Jun 25 12:38:42 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 25 Jun 2014 12:38:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WzmSA-0002OC-TE; Wed, 25 Jun 2014 12:37:30 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WzmS9-0002O0-KQ; Wed, 25 Jun 2014 12:37:29 +0000 Received: from [85.158.139.211:65187] by server-17.bemta-5.messagelabs.com id 2A/F5-08711-882CAA35; Wed, 25 Jun 2014 12:37:28 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-14.tower-206.messagelabs.com!1403699847!6534171!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22448 invoked from network); 25 Jun 2014 12:37:28 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-14.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 25 Jun 2014 12:37:28 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WzmS0-0003TW-Le; Wed, 25 Jun 2014 12:37:20 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1WzmS0-0008Jz-0c; Wed, 25 Jun 2014 12:37:20 +0000 Date: Wed, 25 Jun 2014 12:37:20 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 101 - information leak via gnttab_setup_table on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-101 version 2 information leak via gnttab_setup_table on ARM UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOP_setup_table subhypercall, leading to an information leak. IMPACT ====== Malicious guest administrators can obtain some of the memory contents of other domains: Up to 8*max_nr_grant_frames bytes of uninitialised memory can be leaked to the calling domain. This memory may have been previously used by either the hypervisor or other guests. The default max_nr_grant_frames is 32, hence by default 256 bytes may be leaked in this way. However this can be overridden via the "gnttab_max_nr_frames" hypervisor command line option. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the attached patch resolves this issue. xsa101.patch xen-unstable, Xen 4.4.x $ sha256sum xsa101*.patch 12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9 xsa101.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTqsJaAAoJEIP+FMlX6CvZ0MkIALeL89QbVy7yAsLQ/JY6HhZA Y61HLh7VX9rwZd2pQJoJC3dSPtMCfeo25yd8ryDB4QEQci5qSk/P5gnBkXMUjDTL PbLHimTvGXdAOI3+TYGC6H/dHfqkMeOr/w9cNuS3GuvmpYGpDnb3iE14x5I+JKJJ JPY1tMwettCU3aWmMd1DHzM3cY2qUxQBPN5Itwev6AjPu9w4eFUBV2/u1CsRIQKT 2UBl7uFPm70MmYAzhr30RHOZRQD70ixFDbs1RH1vQsIbF+J8dTOsuzRd03CwVe4A ib0CUm6Emd8zvnGAFU7WZdY6roIukp/Qk5T4mdtlmFtKXuVfBhlCPuc45cBvwyM= =uOne -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa101.patch" Content-Disposition: attachment; filename="xsa101.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGluaXRpYWxpc2UgdGhlIGdyYW50X3RhYmxlX2dwZm4gYXJy YXkgb24gYWxsb2NhdGlvbgoKQXZvaWRzIGxlYWtpbmcgdW5pbml0aWFsaXNl ZCBtZW1vcnkgdmlhIHRoZSBncmFudCB0YWJsZSBzZXR1cCBoeXBlcmNhbGwu CgpUaGlzIGlzIFhTQS0xMDEuCgpSZXBvcnRlZC1ieTogSnVsaWVuIEdyYWxs IDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KU2lnbmVkLW9mZi1ieTogSWFu IENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRpZmYgLS1n aXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluLmMgYi94ZW4vYXJjaC9hcm0vZG9t YWluLmMKaW5kZXggMDRkMGNkMC4uMjhlY2IxMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL2RvbWFpbi5jCisrKyBiL3hlbi9hcmNoL2FybS9kb21haW4u YwpAQCAtMzk0LDcgKzM5NCw3IEBAIHN0cnVjdCBkb21haW4gKmFsbG9jX2Rv bWFpbl9zdHJ1Y3Qodm9pZCkKICAgICAgICAgcmV0dXJuIE5VTEw7CiAKICAg ICBjbGVhcl9wYWdlKGQpOwotICAgIGQtPmFyY2guZ3JhbnRfdGFibGVfZ3Bm biA9IHhtYWxsb2NfYXJyYXkoeGVuX3Bmbl90LCBtYXhfbnJfZ3JhbnRfZnJh bWVzKTsKKyAgICBkLT5hcmNoLmdyYW50X3RhYmxlX2dwZm4gPSB4emFsbG9j X2FycmF5KHhlbl9wZm5fdCwgbWF4X25yX2dyYW50X2ZyYW1lcyk7CiAgICAg cmV0dXJuIGQ7CiB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Mon Jun 30 14:24:15 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 30 Jun 2014 14:24:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1X1cTy-0001xB-UP; Mon, 30 Jun 2014 14:22:58 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1X1cTx-0001wr-AY; Mon, 30 Jun 2014 14:22:57 +0000 Received: from [193.109.254.147:2885] by server-13.bemta-14.messagelabs.com id 7F/62-23211-0C271B35; Mon, 30 Jun 2014 14:22:56 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-27.messagelabs.com!1404138175!14585506!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 1184 invoked from network); 30 Jun 2014 14:22:55 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 30 Jun 2014 14:22:55 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1X1cTp-0004hO-T0; Mon, 30 Jun 2014 14:22:49 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1X1cTp-0007jI-7D; Mon, 30 Jun 2014 14:22:49 +0000 Date: Mon, 30 Jun 2014 14:22:49 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 101 (CVE-2014-4022) - information leak via gnttab_setup_table on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4022 / XSA-101 version 3 information leak via gnttab_setup_table on ARM UPDATES IN VERSION 3 ==================== Provide the CVE. ISSUE DESCRIPTION ================= When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOP_setup_table subhypercall, leading to an information leak. IMPACT ====== Malicious guest administrators can obtain some of the memory contents of other domains: Up to 8*max_nr_grant_frames bytes of uninitialised memory can be leaked to the calling domain. This memory may have been previously used by either the hypervisor or other guests. The default max_nr_grant_frames is 32, hence by default 256 bytes may be leaked in this way. However this can be overridden via the "gnttab_max_nr_frames" hypervisor command line option. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the attached patch resolves this issue. xsa101.patch xen-unstable, Xen 4.4.x $ sha256sum xsa101*.patch 12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9 xsa101.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTsXKlAAoJEIP+FMlX6CvZAXwH/0Km16VstdF5P72chl3u9BsE aWLe8Xdb9lmPXiIWM+q2NN+Jp8tL08Ia4fyD1OC5zJqtf6TReI9qsBkzo2O6EfjF QdTluXrfYgkob0THsDW1Nd86wxy8UBLlz1dwu+jfKkYp9gMQgTtV1NNyrXEOwn1f vepA/V2kOVss7U5+OXqe10HOm+bK4Qs0vYwu1HnG/y6/I39eP2FXw8jMDSB1pKcJ 1/zBll+R+LVXsQbJbKA6vS9RJiOeMXY1b8y6ThduVuW+bq/RydyqoTb25XPqhHcV 6FaDe3JlncXvpJp4OEaAiHPyBqPRvNgr3WWW16lFGTtlLJdc+43/24WkrLfok6o= =srxg -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa101.patch" Content-Disposition: attachment; filename="xsa101.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGluaXRpYWxpc2UgdGhlIGdyYW50X3RhYmxlX2dwZm4gYXJy YXkgb24gYWxsb2NhdGlvbgoKQXZvaWRzIGxlYWtpbmcgdW5pbml0aWFsaXNl ZCBtZW1vcnkgdmlhIHRoZSBncmFudCB0YWJsZSBzZXR1cCBoeXBlcmNhbGwu CgpUaGlzIGlzIFhTQS0xMDEuCgpSZXBvcnRlZC1ieTogSnVsaWVuIEdyYWxs IDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KU2lnbmVkLW9mZi1ieTogSWFu IENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRpZmYgLS1n aXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluLmMgYi94ZW4vYXJjaC9hcm0vZG9t YWluLmMKaW5kZXggMDRkMGNkMC4uMjhlY2IxMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL2RvbWFpbi5jCisrKyBiL3hlbi9hcmNoL2FybS9kb21haW4u YwpAQCAtMzk0LDcgKzM5NCw3IEBAIHN0cnVjdCBkb21haW4gKmFsbG9jX2Rv bWFpbl9zdHJ1Y3Qodm9pZCkKICAgICAgICAgcmV0dXJuIE5VTEw7CiAKICAg ICBjbGVhcl9wYWdlKGQpOwotICAgIGQtPmFyY2guZ3JhbnRfdGFibGVfZ3Bm biA9IHhtYWxsb2NfYXJyYXkoeGVuX3Bmbl90LCBtYXhfbnJfZ3JhbnRfZnJh bWVzKTsKKyAgICBkLT5hcmNoLmdyYW50X3RhYmxlX2dwZm4gPSB4emFsbG9j X2FycmF5KHhlbl9wZm5fdCwgbWF4X25yX2dyYW50X2ZyYW1lcyk7CiAgICAg cmV0dXJuIGQ7CiB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Mon Jun 30 14:24:15 2014 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 30 Jun 2014 14:24:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1X1cTy-0001xB-UP; Mon, 30 Jun 2014 14:22:58 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1X1cTx-0001wr-AY; Mon, 30 Jun 2014 14:22:57 +0000 Received: from [193.109.254.147:2885] by server-13.bemta-14.messagelabs.com id 7F/62-23211-0C271B35; Mon, 30 Jun 2014 14:22:56 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-27.messagelabs.com!1404138175!14585506!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.11.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 1184 invoked from network); 30 Jun 2014 14:22:55 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 30 Jun 2014 14:22:55 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1X1cTp-0004hO-T0; Mon, 30 Jun 2014 14:22:49 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1X1cTp-0007jI-7D; Mon, 30 Jun 2014 14:22:49 +0000 Date: Mon, 30 Jun 2014 14:22:49 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 101 (CVE-2014-4022) - information leak via gnttab_setup_table on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-4022 / XSA-101 version 3 information leak via gnttab_setup_table on ARM UPDATES IN VERSION 3 ==================== Provide the CVE. ISSUE DESCRIPTION ================= When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOP_setup_table subhypercall, leading to an information leak. IMPACT ====== Malicious guest administrators can obtain some of the memory contents of other domains: Up to 8*max_nr_grant_frames bytes of uninitialised memory can be leaked to the calling domain. This memory may have been previously used by either the hypervisor or other guests. The default max_nr_grant_frames is 32, hence by default 256 bytes may be leaked in this way. However this can be overridden via the "gnttab_max_nr_frames" hypervisor command line option. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the attached patch resolves this issue. xsa101.patch xen-unstable, Xen 4.4.x $ sha256sum xsa101*.patch 12ea475265a0804a3a42f620d7065a7408a5ae4b017c871847424c7247c204e9 xsa101.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTsXKlAAoJEIP+FMlX6CvZAXwH/0Km16VstdF5P72chl3u9BsE aWLe8Xdb9lmPXiIWM+q2NN+Jp8tL08Ia4fyD1OC5zJqtf6TReI9qsBkzo2O6EfjF QdTluXrfYgkob0THsDW1Nd86wxy8UBLlz1dwu+jfKkYp9gMQgTtV1NNyrXEOwn1f vepA/V2kOVss7U5+OXqe10HOm+bK4Qs0vYwu1HnG/y6/I39eP2FXw8jMDSB1pKcJ 1/zBll+R+LVXsQbJbKA6vS9RJiOeMXY1b8y6ThduVuW+bq/RydyqoTb25XPqhHcV 6FaDe3JlncXvpJp4OEaAiHPyBqPRvNgr3WWW16lFGTtlLJdc+43/24WkrLfok6o= =srxg -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa101.patch" Content-Disposition: attachment; filename="xsa101.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGluaXRpYWxpc2UgdGhlIGdyYW50X3RhYmxlX2dwZm4gYXJy YXkgb24gYWxsb2NhdGlvbgoKQXZvaWRzIGxlYWtpbmcgdW5pbml0aWFsaXNl ZCBtZW1vcnkgdmlhIHRoZSBncmFudCB0YWJsZSBzZXR1cCBoeXBlcmNhbGwu CgpUaGlzIGlzIFhTQS0xMDEuCgpSZXBvcnRlZC1ieTogSnVsaWVuIEdyYWxs IDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KU2lnbmVkLW9mZi1ieTogSWFu IENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRpZmYgLS1n aXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluLmMgYi94ZW4vYXJjaC9hcm0vZG9t YWluLmMKaW5kZXggMDRkMGNkMC4uMjhlY2IxMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL2RvbWFpbi5jCisrKyBiL3hlbi9hcmNoL2FybS9kb21haW4u YwpAQCAtMzk0LDcgKzM5NCw3IEBAIHN0cnVjdCBkb21haW4gKmFsbG9jX2Rv bWFpbl9zdHJ1Y3Qodm9pZCkKICAgICAgICAgcmV0dXJuIE5VTEw7CiAKICAg ICBjbGVhcl9wYWdlKGQpOwotICAgIGQtPmFyY2guZ3JhbnRfdGFibGVfZ3Bm biA9IHhtYWxsb2NfYXJyYXkoeGVuX3Bmbl90LCBtYXhfbnJfZ3JhbnRfZnJh bWVzKTsKKyAgICBkLT5hcmNoLmdyYW50X3RhYmxlX2dwZm4gPSB4emFsbG9j X2FycmF5KHhlbl9wZm5fdCwgbWF4X25yX2dyYW50X2ZyYW1lcyk7CiAgICAg cmV0dXJuIGQ7CiB9CiAK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator--