From xen-announce-bounces@lists.xen.org Tue Nov 11 17:04:25 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 11 Nov 2014 17:04:25 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XoEq5-0000lV-AO; Tue, 11 Nov 2014 17:02:45 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <russell.pavlicek.xen@gmail.com>)
	id 1XoEd2-0008Cr-GF; Tue, 11 Nov 2014 16:49:16 +0000
Received: from [193.109.254.147] by server-2.bemta-14.messagelabs.com id
	31/BE-02984-B0E32645; Tue, 11 Nov 2014 16:49:15 +0000
X-Env-Sender: russell.pavlicek.xen@gmail.com
X-Msg-Ref: server-3.tower-27.messagelabs.com!1415724554!11763563!1
X-Originating-IP: [209.85.215.41]
X-SpamReason: No, hits=2.5 required=7.0 tests=RCVD_BY_IP,
  SUSPICIOUS_RECIPS
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 24453 invoked from network); 11 Nov 2014 16:49:14 -0000
Received: from mail-la0-f41.google.com (HELO mail-la0-f41.google.com)
	(209.85.215.41)
	by server-3.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	11 Nov 2014 16:49:14 -0000
Received: by mail-la0-f41.google.com with SMTP id s18so9866675lam.14
	for <multiple recipients>; Tue, 11 Nov 2014 08:49:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:sender:date:message-id:subject:from:to:content-type;
	bh=3/ob64fYO835zsD3Ny3mCP9n1D2adwrACwqj9F9AFoY=;
	b=qcAG/+T9NM9OPvNmGqNAdMXBzZTtyPlush2G/YWhdp5XSWGfm/pcCagniPpVAHdXav
	FCwKD0IhvxfepuODPc4jNzymGjHNqJLDv/Slo/oSQMu1rhi5yAuwWkSTslwnQbmAfUfC
	cyTPbJ4VDEXor37fPnPnNvhAA4+FeHdK/9239af2Q0p73RPLRm2vLGTZEaPjVU78NSZd
	lKIcez5R0ddeRQYmlDJuMprav3ydDNa+Yb7P6mD/wjKdRwwRQq+ALm70URgIAJxVZuPF
	2jEDEq9jF6qckiV/egvC8VgZX54nMG5q+XXcSfNgWD9bT9YlpkAyFV5yG9HaYY28PzGx
	seOQ==
MIME-Version: 1.0
X-Received: by 10.152.116.102 with SMTP id jv6mr17293588lab.40.1415724554031; 
	Tue, 11 Nov 2014 08:49:14 -0800 (PST)
Received: by 10.112.225.11 with HTTP; Tue, 11 Nov 2014 08:49:13 -0800 (PST)
Date: Tue, 11 Nov 2014 11:49:13 -0500
X-Google-Sender-Auth: agbyrR8dhEIcJtXpoLv-kNJscso
Message-ID: <CAHehzX0ZS_U95-6TdgS9qz4vxpcSLfeNFmR+EZArkvj0qB35iQ@mail.gmail.com>
From: Russ Pavlicek <russell.pavlicek@xenproject.org>
To: "xen-users@lists.xen.org" <xen-users@lists.xen.org>,
	xen-devel@lists.xen.org, xen-api@lists.xen.org, 
	xen-announce@lists.xenproject.org, xs-devel@lists.xenserver.org, 
	mirageos-devel@lists.xenproject.org
X-Mailman-Approved-At: Tue, 11 Nov 2014 17:02:43 +0000
Subject: [Xen-announce] Announcing Xen Project Test Day for 4.5 RC2 on
	November 13
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Folks,

This Thursday, November 13, is our second Test Day for the 4.5 release
cycle. Release Candidate 2 is now available for assessment.  Now is
the time to see if the upcoming release of the Xen Project Hypervisor
will work in your environment.

Information about testing this release can be found here:
http://wiki.xenproject.org/wiki/Xen_4.5_RC2_test_instructions

To learn more about Test Days, check out:
http://wiki.xenproject.org/wiki/Xen_Project_Test_Days

See you in #xentest on IRC this Thursday for Test Day!

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Tue Nov 18 12:25:59 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 18 Nov 2014 12:25:59 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Xqhpy-0006RM-Vv; Tue, 18 Nov 2014 12:24:50 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Xqhpw-0006Qf-7P; Tue, 18 Nov 2014 12:24:48 +0000
Received: from [85.158.143.35] by server-2.bemta-4.messagelabs.com id
	4E/26-25276-F8A3B645; Tue, 18 Nov 2014 12:24:47 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-11.tower-21.messagelabs.com!1416313485!13552852!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 29542 invoked from network); 18 Nov 2014 12:24:46 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-11.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Nov 2014 12:24:46 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpL-0000LT-DX; Tue, 18 Nov 2014 12:24:11 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpL-0003SX-7Z; Tue, 18 Nov 2014 12:24:11 +0000
Date: Tue, 18 Nov 2014 12:24:11 +0000
Message-Id: <E1XqhpL-0003SX-7Z@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 110 (CVE-2014-8595) - Missing
 privilege level checks in x86 emulation of far branches
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-8595 / XSA-110
                              version 3

    Missing privilege level checks in x86 emulation of far branches

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- - when a memory operand lives in (emulated or passed through) memory
  mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.

VULNERABLE SYSTEMS
==================

Xen 3.2.1 and onward are vulnerable on x86 systems.

ARM systems are not vulnerable.

Only user processes in x86 HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa110-unstable.patch        xen-unstable, Xen 4.4.x
xsa110-4.3-and-4.2.patch     Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa110*.patch
a114ba586d18125b368112527a077abfe309826ad47aca8cc80ba4549c5f9ae2  xsa110-4.3-and-4.2.patch
eac4691848dcd093903e0a0f5fd7ab15be15d0f10b98575379911e91e5dcbd70  xsa110.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUazojAAoJEIP+FMlX6CvZF18H/1/G49MGk6/Fq6CtpvoEvQsl
u7Q0UHoMuwqN119fRKJOorAh+MPKWDaPBjZoNmfJxIKEHD5tpA1Kr97y67Ye/dtz
UfXxQPiIYpOe/Z59E3erKGDyzC5TLlPfa7fZBvZdeStIWsC+d2pUWDTRBioDHBGZ
IeNnXkrLuhLrjGOs9a4ZNdP/jTFkJQ7vKJXF8nFhcEpK8XZx9D8e2xExTWZ2BJ/N
u6KbWgMAf01M10hcQze99Wm3Fuva/HkVhiza8Rj5cgsV9SD4ZrQMhH9Mm86/YG52
AEwT6j8KWd83zZz8WZjFS30edZ4/eIXW+2e3KuaUFKBiei88tlF6CYWq6upS/5U=
=u7Zi
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa110-4.3-and-4.2.patch"
Content-Disposition: attachment; filename="xsa110-4.3-and-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa110.patch"
Content-Disposition: attachment; filename="xsa110.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
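
Added example, not part of the advisory above and not taken from the Xen patch: a small C model of the privilege checks the x86 architecture requires for a direct far JMP/CALL/RETF into a code segment, next to a type-and-presence-only check, to show what an emulator must enforce before loading CS. All names (`seg_desc`, `check_far_branch`, `check_type_only`) and the sample descriptors are hypothetical and constructed for illustration; gates and task switches are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified protected-mode segment descriptor (constructed model). */
struct seg_desc {
    bool present;     /* P bit */
    bool is_system;   /* S bit clear: gate, TSS or LDT */
    bool is_code;     /* type bit 3 set */
    bool conforming;  /* type bit 2, meaningful for code segments only */
    unsigned dpl;     /* descriptor privilege level, 0..3 */
};

enum far_kind   { FAR_JMP, FAR_CALL, FAR_RET };
enum far_result { FAR_OK, FAR_GP, FAR_NP, FAR_UNMODELLED };

/* Constructed sample descriptors, not taken from any real guest. */
static const struct seg_desc KERNEL_CS      = { true,  false, true,  false, 0 };
static const struct seg_desc USER_CS        = { true,  false, true,  false, 3 };
static const struct seg_desc CONFORMING_CS0 = { true,  false, true,  true,  0 };
static const struct seg_desc USER_CS_NP     = { false, false, true,  false, 3 };
static const struct seg_desc USER_DS        = { true,  false, false, false, 3 };

/* Checks shared by both variants: null selector and descriptor type. */
static enum far_result classify(uint16_t sel, const struct seg_desc *d)
{
    if ((sel & 0xfffc) == 0)
        return FAR_GP;           /* null selector can never be loaded into CS */
    if (d->is_system)
        return FAR_UNMODELLED;   /* call/task gates and TSS: outside this model */
    if (!d->is_code)
        return FAR_GP;           /* data segments are not valid branch targets */
    return FAR_OK;
}

/* Incomplete variant: validates type and presence, ignores CPL/RPL/DPL. */
enum far_result check_type_only(uint16_t sel, const struct seg_desc *d)
{
    enum far_result r = classify(sel, d);
    if (r != FAR_OK)
        return r;
    return d->present ? FAR_OK : FAR_NP;
}

/* Full variant: adds the privilege comparison for the branch kind. */
enum far_result check_far_branch(enum far_kind kind, unsigned cpl,
                                 uint16_t sel, const struct seg_desc *d)
{
    unsigned rpl = sel & 3;
    enum far_result r = classify(sel, d);

    if (r != FAR_OK)
        return r;

    if (kind == FAR_RET) {
        /* A far return may keep or lower privilege, never raise it. */
        if (rpl < cpl)
            return FAR_GP;
        if (d->conforming ? d->dpl > rpl : d->dpl != rpl)
            return FAR_GP;
    } else if (d->conforming) {
        /* Conforming code is reachable from equal or lower privilege. */
        if (d->dpl > cpl)
            return FAR_GP;
    } else {
        /* Non-conforming code: same privilege level only. */
        if (rpl > cpl || d->dpl != cpl)
            return FAR_GP;
    }

    /* Privilege faults take precedence over the not-present fault. */
    return d->present ? FAR_OK : FAR_NP;
}

int main(void)
{
    static const char *const name[] = { "OK", "#GP", "#NP", "unmodelled" };

    /* User mode (CPL 3) branching to a ring-0 code selector. */
    printf("type-only check, CPL3 -> 0x08: %s\n",
           name[check_type_only(0x08, &KERNEL_CS)]);
    printf("full check,      CPL3 -> 0x08: %s\n",
           name[check_far_branch(FAR_JMP, 3, 0x08, &KERNEL_CS)]);
    printf("full check,      CPL3 -> 0x23: %s\n",
           name[check_far_branch(FAR_JMP, 3, 0x23, &USER_CS)]);
    printf("full check, RETF CPL3 -> 0x08: %s\n",
           name[check_far_branch(FAR_RET, 3, 0x08, &KERNEL_CS)]);
    printf("full check,      CPL3 -> data: %s\n",
           name[check_far_branch(FAR_JMP, 3, 0x2b, &USER_DS)]);
    return 0;
}
```
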


From xen-announce-bounces@lists.xen.org Tue Nov 18 12:25:59 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 18 Nov 2014 12:25:59 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Xqhpy-0006RA-DS; Tue, 18 Nov 2014 12:24:50 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Xqhpw-0006Qe-5w; Tue, 18 Nov 2014 12:24:48 +0000
Received: from [193.109.254.147] by server-11.bemta-14.messagelabs.com id
	46/DC-02696-F8A3B645; Tue, 18 Nov 2014 12:24:47 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-27.messagelabs.com!1416313485!13298519!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10912 invoked from network); 18 Nov 2014 12:24:46 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Nov 2014 12:24:46 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpC-0000LH-Km; Tue, 18 Nov 2014 12:24:05 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpC-0003RN-5U; Tue, 18 Nov 2014 12:24:02 +0000
Date: Tue, 18 Nov 2014 12:24:02 +0000
Message-Id: <E1XqhpC-0003RN-5U@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 109 (CVE-2014-8594) -
 Insufficient restrictions on certain MMU update hypercalls
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-8594 / XSA-109
                               version 3

        Insufficient restrictions on certain MMU update hypercalls

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

MMU update operations targeting page tables are intended to be used on
PV guests only. The lack of a respective check made it possible for
such operations to access certain function pointers which remain NULL
when the target guest is using Hardware Assisted Paging (HAP).

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only PV domains with privilege over other guests can exploit this
vulnerability; and only when those other guests are HVM using HAP, or
PVH.  The vulnerability is therefore exposed to PV domains providing
hardware emulation services to HVM guests.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

The vulnerability is only exposed to PV service domains for HVM or
PVH guests which have privilege over the guest.  In a usual
configuration that means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system.  So in that case the vulnerability is
not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file).  The same applies with a qemu-dm in a dom0
process subjected to some kind of kernel-based process privilege
limitation (e.g. the chroot technique as found in some versions of
XCP/XenServer).

In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended.  That is the essence of this vulnerability.

However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process.  Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM or PVH
service domain software (probably, the device model domain image in the
HVM case) is not always supplied by the host administrator, a malicious
service domain administrator can exercise this vulnerability.

MITIGATION
==========

Running only PV guests or HVM guests with shadow paging enabled will
avoid this issue.

In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Roger Pau Monné of Citrix and Jan Beulich
of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa109.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa109-4.2.patch    Xen 4.2.x

$ sha256sum xsa109*.patch
759d1b8cb8c17e53d17ad045ab89c5aaf52cb85fd93eef07e7acbe230365c56d  xsa109-4.2.patch
729b87c2b9979fbda47c96e934db6fcfaeb10e07b4cfd66bb1e9f746a908576b  xsa109.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUazogAAoJEIP+FMlX6CvZ5NQH/25lTqtBGu5Xt0JwHnLenfv0
z0gVJ5o8YB6aqzV+GHWei0QV/PtCLteykm/K8LJK4my9OtDqI/WPzusyrGB6aNhD
xCQUhRF5/j2c++u4UCBitibttSwKK/CCrswBMWZYqEI/1fJazVw3huyyFv56Wt+K
32geEcIUnWs6lJD+z97W8LPPNLoaF/m6uSh4I2LrT3uBnvEFq5oGgzdWNtEKkSGC
fAuga2m1NhfbCsMD6JSv9/EDSKHTiByZ5Z/zicWrButHfRp4fmGO/pPMwPFkERs1
T/FX/UAfnvisS1SjgMwqufWlzIka5JDzi/Nc5Utgcvo9+9EsI1PCJDzYTJpOSa8=
=yb1z
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa109-4.2.patch"
Content-Disposition: attachment; filename="xsa109-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa109.patch"
Content-Disposition: attachment; filename="xsa109.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Nov 18 12:25:59 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 18 Nov 2014 12:25:59 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Xqhpy-0006RM-Vv; Tue, 18 Nov 2014 12:24:50 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Xqhpw-0006Qf-7P; Tue, 18 Nov 2014 12:24:48 +0000
Received: from [85.158.143.35] by server-2.bemta-4.messagelabs.com id
	4E/26-25276-F8A3B645; Tue, 18 Nov 2014 12:24:47 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-11.tower-21.messagelabs.com!1416313485!13552852!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 29542 invoked from network); 18 Nov 2014 12:24:46 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-11.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Nov 2014 12:24:46 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpL-0000LT-DX; Tue, 18 Nov 2014 12:24:11 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpL-0003SX-7Z; Tue, 18 Nov 2014 12:24:11 +0000
Date: Tue, 18 Nov 2014 12:24:11 +0000
Message-Id: <E1XqhpL-0003SX-7Z@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 110 (CVE-2014-8595) - Missing
 privilege level checks in x86 emulation of far branches
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-8595 / XSA-110
                              version 3

    Missing privilege level checks in x86 emulation of far branches

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- - when a memory operand lives in (emulated or passed through) memory
  mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.

VULNERABLE SYSTEMS
==================

Xen 3.2.1 and onward are vulnerable on x86 systems.

ARM systems are not vulnerable.

Only user processes in x86 HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa110-unstable.patch        xen-unstable, Xen 4.4.x
xsa110-4.3-and-4.2.patch     Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa110*.patch
a114ba586d18125b368112527a077abfe309826ad47aca8cc80ba4549c5f9ae2  xsa110-4.3-and-4.2.patch
eac4691848dcd093903e0a0f5fd7ab15be15d0f10b98575379911e91e5dcbd70  xsa110.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUazojAAoJEIP+FMlX6CvZF18H/1/G49MGk6/Fq6CtpvoEvQsl
u7Q0UHoMuwqN119fRKJOorAh+MPKWDaPBjZoNmfJxIKEHD5tpA1Kr97y67Ye/dtz
UfXxQPiIYpOe/Z59E3erKGDyzC5TLlPfa7fZBvZdeStIWsC+d2pUWDTRBioDHBGZ
IeNnXkrLuhLrjGOs9a4ZNdP/jTFkJQ7vKJXF8nFhcEpK8XZx9D8e2xExTWZ2BJ/N
u6KbWgMAf01M10hcQze99Wm3Fuva/HkVhiza8Rj5cgsV9SD4ZrQMhH9Mm86/YG52
AEwT6j8KWd83zZz8WZjFS30edZ4/eIXW+2e3KuaUFKBiei88tlF6CYWq6upS/5U=
=u7Zi
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa110-4.3-and-4.2.patch"
Content-Disposition: attachment; filename="xsa110-4.3-and-4.2.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: application/octet-stream; name="xsa110.patch"
Content-Disposition: attachment; filename="xsa110.patch"
Content-Transfer-Encoding: base64
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--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Nov 18 12:25:59 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 18 Nov 2014 12:25:59 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Xqhpy-0006RA-DS; Tue, 18 Nov 2014 12:24:50 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Xqhpw-0006Qe-5w; Tue, 18 Nov 2014 12:24:48 +0000
Received: from [193.109.254.147] by server-11.bemta-14.messagelabs.com id
	46/DC-02696-F8A3B645; Tue, 18 Nov 2014 12:24:47 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-27.messagelabs.com!1416313485!13298519!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10912 invoked from network); 18 Nov 2014 12:24:46 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	18 Nov 2014 12:24:46 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpC-0000LH-Km; Tue, 18 Nov 2014 12:24:05 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XqhpC-0003RN-5U; Tue, 18 Nov 2014 12:24:02 +0000
Date: Tue, 18 Nov 2014 12:24:02 +0000
Message-Id: <E1XqhpC-0003RN-5U@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 109 (CVE-2014-8594) -
 Insufficient restrictions on certain MMU update hypercalls
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-8594 / XSA-109
                               version 3

        Insufficient restrictions on certain MMU update hypercalls

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

MMU update operations targeting page tables are intended to be used on
PV guests only. The lack of a respective check made it possible for
such operations to access certain function pointers which remain NULL
when the target guest is using Hardware Assisted Paging (HAP).

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only PV domains with privilege over other guests can exploit this
vulnerability; and only when those other guests are HVM using HAP, or
PVH.  The vulnerability is therefore exposed to PV domains providing
hardware emulation services to HVM guests.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

The vulnerability is only exposed to PV service domains for HVM or
PVH guests which have privilege over the guest.  In a usual
configuration that means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system.  So in that case the vulnerability is
not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file).  The same applies with a qemu-dm in a dom0
process subjected to some kind of kernel-based process privilege
limitation (e.g. the chroot technique as found in some versions of
XCP/XenServer).

In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended.  That is the essence of this vulnerability.

However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process.  Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM or PVH
service domain software (probably, the device model domain image in the
HVM case) is not always supplied by the host administrator, a malicious
service domain administrator can exercise this vulnerability.

MITIGATION
==========

Running only PV guests or HVM guests with shadow paging enabled will
avoid this issue.

In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Roger Pau Monné of Citrix and Jan Beulich
of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa109.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa109-4.2.patch    Xen 4.2.x

$ sha256sum xsa109*.patch
759d1b8cb8c17e53d17ad045ab89c5aaf52cb85fd93eef07e7acbe230365c56d  xsa109-4.2.patch
729b87c2b9979fbda47c96e934db6fcfaeb10e07b4cfd66bb1e9f746a908576b  xsa109.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa109-4.2.patch"
Content-Disposition: attachment; filename="xsa109-4.2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa109.patch"
Content-Disposition: attachment; filename="xsa109.patch"
Content-Transfer-Encoding: base64
--=separator--
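
Editorial example, added to this archive and not part of the advisory or of the Xen source: a small C model of the missing check described under ISSUE DESCRIPTION in XSA-109. The types, the function names and the WOULD_CRASH marker are assumptions made for illustration.

```c
/* Simplified model of the XSA-109 bug class. Not Xen code; every name
 * below is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define PT_SLOTS    4
#define WOULD_CRASH (-1000)  /* model-only marker: a NULL pointer would be called */

enum guest_kind { GUEST_PV, GUEST_HVM_SHADOW, GUEST_HVM_HAP };

/* Per-paging-mode operations. In this model, modes where software maintains
 * the guest page tables install write_pte; the HAP mode leaves it NULL. */
struct paging_ops {
    int (*write_pte)(unsigned long *slot, unsigned long val);
};

struct domain {
    enum guest_kind kind;
    const struct paging_ops *ops;
    unsigned long pt[PT_SLOTS];      /* toy page table */
};

static int sw_write_pte(unsigned long *slot, unsigned long val)
{
    *slot = val;
    return 0;
}

static const struct paging_ops software_ops = { .write_pte = sw_write_pte };
static const struct paging_ops hap_ops      = { .write_pte = NULL };

/* Dispatch through the ops table. A real hypervisor would jump through the
 * NULL pointer here; the model reports WOULD_CRASH so it stays runnable. */
static int call_write_pte(struct domain *d, size_t idx, unsigned long val)
{
    if (d->ops->write_pte == NULL)
        return WOULD_CRASH;
    return d->ops->write_pte(&d->pt[idx], val);
}

/* Before the fix: the request is validated, the kind of target is not. */
static int pt_update_unchecked(struct domain *target, size_t idx,
                               unsigned long val)
{
    if (idx >= PT_SLOTS)
        return -EINVAL;
    return call_write_pte(target, idx, val);
}

/* After the fix: page-table updates are refused unless the target is PV,
 * so the ops table of a HAP guest is never consulted. */
static int pt_update_checked(struct domain *target, size_t idx,
                             unsigned long val)
{
    if (idx >= PT_SLOTS)
        return -EINVAL;
    if (target->kind != GUEST_PV)
        return -EINVAL;
    return call_write_pte(target, idx, val);
}

static struct domain make_domain(enum guest_kind kind)
{
    struct domain d = { .kind = kind, .ops = &software_ops };
    if (kind == GUEST_HVM_HAP)
        d.ops = &hap_ops;
    return d;
}

/* Run one page-table update against a fresh target of the given kind. */
static int try_update(int checked, enum guest_kind kind)
{
    struct domain target = make_domain(kind);
    return checked ? pt_update_checked(&target, 1, 0x1000UL)
                   : pt_update_unchecked(&target, 1, 0x1000UL);
}

int main(void)
{
    printf("unchecked, HAP target: %d\n", try_update(0, GUEST_HVM_HAP));
    printf("checked,   HAP target: %d\n", try_update(1, GUEST_HVM_HAP));
    printf("checked,   PV target:  %d\n", try_update(1, GUEST_PV));
    return 0;
}
```

The checked variant also refuses the shadow-paging HVM target: the guard keys on the operation being PV-only, not on whether a pointer happens to be set.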


From xen-announce-bounces@lists.xen.org Thu Nov 20 16:28:16 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 20 Nov 2014 16:28:16 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XrUZR-0000tn-Bh; Thu, 20 Nov 2014 16:27:01 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XrUZQ-0000tL-2w; Thu, 20 Nov 2014 16:27:00 +0000
Received: from [85.158.143.35] by server-2.bemta-4.messagelabs.com id
	7E/35-25276-3561E645; Thu, 20 Nov 2014 16:26:59 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-21.messagelabs.com!1416500817!14192340!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 17932 invoked from network); 20 Nov 2014 16:26:58 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	20 Nov 2014 16:26:58 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XrUZD-0000KI-84; Thu, 20 Nov 2014 16:26:47 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XrUZC-0008CI-Rd; Thu, 20 Nov 2014 16:26:46 +0000
Date: Thu, 20 Nov 2014 16:26:46 +0000
Message-Id: <E1XrUZC-0008CI-Rd@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 113 - Guest effectable page
 reference leak in MMU_MACHPHYS_UPDATE handling
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-113

  Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

ISSUE DESCRIPTION
=================

An error handling path in the processing of MMU_MACHPHYS_UPDATE failed
to drop a page reference which was acquired in an earlier processing
step.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

This vulnerability is only applicable to Xen systems using stub domains
or other forms of disaggregation of control domains for HVM guests.

MITIGATION
==========

Running only PV guests will avoid this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

NOTE REGARDING LACK OF EMBARGO
==============================

A draft of this advisory was mistakenly sent to xen-devel.  The Xen
Project Security Team apologises for this error.  We are working to
share best working practices amongst the team to reduce the risks of
recurrence.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa113.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa113*.patch
a0f2b792a6b4648151f85fe13961b0bf309a568ed03e1b1d4ea01e4eabf1b18e  xsa113.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa113.patch"
Content-Disposition: attachment; filename="xsa113.patch"
Content-Transfer-Encoding: base64


--=separator--
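
Editorial example, added to this archive and not part of the advisory or of the Xen source: a small C model of the error path described under ISSUE DESCRIPTION in XSA-113, next to two common ways of closing it. All types and function names are hypothetical, and the "translated" flag stands in for whatever condition makes the handler refuse the request.

```c
/* Simplified model of a reference leak on an error path. Not Xen code;
 * every name below is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define M2P_SLOTS 8

struct page {
    int refcount;                    /* page can be freed only at 0 */
};

struct domain {
    bool translated;                 /* model flag: request must be refused */
    unsigned long m2p[M2P_SLOTS];    /* toy machine-to-physical table */
};

static bool get_page(struct page *pg) { pg->refcount++; return true; }
static void put_page(struct page *pg) { pg->refcount--; }

/* Leaky shape: the reference is taken first and one error exit forgets it. */
static int machphys_update_leaky(struct domain *owner, struct page *pg,
                                 unsigned int mfn, unsigned long gpfn)
{
    if (mfn >= M2P_SLOTS)
        return -EINVAL;              /* nothing acquired yet: harmless */
    if (!get_page(pg))
        return -EINVAL;
    if (owner->translated)
        return -EINVAL;              /* BUG: returns while holding the ref */
    owner->m2p[mfn] = gpfn;
    put_page(pg);
    return 0;
}

/* Fix A: run every check that needs no reference before acquiring one. */
static int machphys_update_check_first(struct domain *owner, struct page *pg,
                                       unsigned int mfn, unsigned long gpfn)
{
    if (mfn >= M2P_SLOTS || owner->translated)
        return -EINVAL;
    if (!get_page(pg))
        return -EINVAL;
    owner->m2p[mfn] = gpfn;
    put_page(pg);
    return 0;
}

/* Fix B: one exit label that always releases what was acquired. */
static int machphys_update_single_exit(struct domain *owner, struct page *pg,
                                       unsigned int mfn, unsigned long gpfn)
{
    int rc = -EINVAL;

    if (mfn >= M2P_SLOTS || !get_page(pg))
        return rc;
    if (owner->translated)
        goto out;
    owner->m2p[mfn] = gpfn;
    rc = 0;
out:
    put_page(pg);
    return rc;
}

typedef int (*handler_fn)(struct domain *, struct page *,
                          unsigned int, unsigned long);

/* Send n requests that must be refused; return the references left behind. */
static int leaked_refs(handler_fn h, int n)
{
    struct domain hvm = { .translated = true };
    struct page pg = { .refcount = 1 };      /* 1 = the owner's own reference */

    for (int i = 0; i < n; i++)
        (void)h(&hvm, &pg, 0, 42);
    return pg.refcount - 1;
}

/* An accepted request must succeed, store the value and leave the count as found. */
static int accepted_update_balanced(handler_fn h)
{
    struct domain pv = { .translated = false };
    struct page pg = { .refcount = 1 };
    int rc = h(&pv, &pg, 3, 42);

    return rc == 0 && pv.m2p[3] == 42 && pg.refcount == 1;
}

int main(void)
{
    printf("leaky:       %d refs left\n", leaked_refs(machphys_update_leaky, 1000));
    printf("check first: %d refs left\n", leaked_refs(machphys_update_check_first, 1000));
    printf("single exit: %d refs left\n", leaked_refs(machphys_update_single_exit, 1000));
    return 0;
}
```

Each refused request leaves the count one higher in the leaky variant, so the page can never drop back to zero and be freed; a regression test that compares the count before and after a refused request catches this class of error.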


From xen-announce-bounces@lists.xen.org Fri Nov 21 12:27:51 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 21 Nov 2014 12:27:51 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XrnIN-0005Ku-0G; Fri, 21 Nov 2014 12:26:39 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XrnIL-0005KF-Jn; Fri, 21 Nov 2014 12:26:37 +0000
Received: from [85.158.137.68] by server-4.bemta-3.messagelabs.com id
	CE/BA-23865-C7F2F645; Fri, 21 Nov 2014 12:26:36 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-31.messagelabs.com!1416572794!10503069!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 9611 invoked from network); 21 Nov 2014 12:26:35 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-14.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	21 Nov 2014 12:26:35 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XrnHq-0004T8-3k; Fri, 21 Nov 2014 12:26:06 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XrnHp-00011b-Fj; Fri, 21 Nov 2014 12:26:05 +0000
Date: Fri, 21 Nov 2014 12:26:05 +0000
Message-Id: <E1XrnHp-00011b-Fj@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 113 (CVE-2014-9030) - Guest
 effectable page reference leak in MMU_MACHPHYS_UPDATE handling
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-9030 / XSA-113
                              version 2

  Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

An error handling path in the processing of MMU_MACHPHYS_UPDATE failed
to drop a page reference which was acquired in an earlier processing
step.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

This vulnerability is only applicable to Xen systems using stub domains
or other forms of disaggregation of control domains for HVM guests.

MITIGATION
==========

Running only PV guests will avoid this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

NOTE REGARDING LACK OF EMBARGO
==============================

A draft of this advisory was mistakenly sent to xen-devel.  The Xen
Project Security Team apologises for this error.  We are working to
share best working practices amongst the team to reduce the risks of
recurrence.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa113.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa113*.patch
a0f2b792a6b4648151f85fe13961b0bf309a568ed03e1b1d4ea01e4eabf1b18e  xsa113.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa113.patch"
Content-Disposition: attachment; filename="xsa113.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xen.org Thu Nov 27 12:08:08 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 27 Nov 2014 12:08:08 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1XtxqI-0002Wl-1F; Thu, 27 Nov 2014 12:06:38 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XtxqG-0002WR-DF; Thu, 27 Nov 2014 12:06:36 +0000
Received: from [85.158.143.35] by server-1.bemta-4.messagelabs.com id
	86/CE-09842-BC317745; Thu, 27 Nov 2014 12:06:35 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-21.messagelabs.com!1417089993!11772121!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.12.5; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4188 invoked from network); 27 Nov 2014 12:06:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-21.messagelabs.com with AES256-SHA encrypted SMTP;
	27 Nov 2014 12:06:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Xtxq3-0003UD-Jb; Thu, 27 Nov 2014 12:06:23 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Xtxq3-0008Rw-1V; Thu, 27 Nov 2014 12:06:23 +0000
Date: Thu, 27 Nov 2014 12:06:23 +0000
Message-Id: <E1Xtxq3-0008Rw-1V@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 111 (CVE-2014-8866) -
 Excessive checking in compatibility mode hypercall argument translation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-8866 / XSA-111
                              version 3

   Excessive checking in compatibility mode hypercall argument translation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The hypercall argument translation needed for 32-bit guests running on
64-bit hypervisors performs checks on the final register state.  These
checks cover all registers potentially holding hypercall arguments,
not just the ones actually doing so for the hypercall being processed,
since the code was originally intended for use only by PV guests.

While this is not a problem for PV guests (as they can't enter 64-bit
mode and hence can't alter the high halves of any of the registers),
the subsequent reuse of the same functionality for HVM guests exposed
those checks to values (specifically, unexpected values for the high
halves of registers not holding hypercall arguments) controlled by
guest software.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 3.3 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests on any version of Xen
so far released by xenproject.org.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa111-unstable.patch        xen-unstable, Xen 4.4.x
xsa111-4.3.patch             Xen 4.3.x
xsa111-4.2.patch             Xen 4.2.x

$ sha256sum xsa111*.patch
f6e1bf166ebed6235802e4e42853430d2f5b456c1837908a4f7ed6d4d150e4b4  xsa111-4.2.patch
e9b03a4443a40142cc5c21848dc9589770620dde8924344c4a00028c4dace9f2  xsa111-4.3.patch
3c418f065cd452c225af34c3cccf9bdbc37efb6c6a5fc5940fd83ad8620510d3  xsa111.patch
$

--=separator
Content-Type: application/octet-stream; name="xsa111-4.2.patch"
Content-Disposition: attachment; filename="xsa111-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa111-4.3.patch"
Content-Disposition: attachment; filename="xsa111-4.3.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa111.patch"
Content-Disposition: attachment; filename="xsa111.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
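
The difference between checking every potential argument register and checking only those a hypercall uses, as described in XSA-111 above. This is an added C example, not part of the advisory or of Xen's code; the register array, MAX_ARGS and all function names are assumptions made for illustration, and a false return stands in for the failing check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ARGS 6  /* assumption: registers that may carry an argument */

/* Hypothetical register state after argument translation, not Xen code. */
struct arg_regs { uint64_t r[MAX_ARGS]; };

static bool high_half_clear(uint64_t v) { return (v >> 32) == 0; }

/* Excessive form: tests every potential argument register, whatever the
 * hypercall uses. false marks the point where the modelled check fails. */
static bool check_all(const struct arg_regs *regs)
{
    for (unsigned int i = 0; i < MAX_ARGS; i++)
        if (!high_half_clear(regs->r[i]))
            return false;
    return true;
}

/* Narrowed form: tests only the nargs registers this hypercall uses. */
static bool check_used(const struct arg_regs *regs, unsigned int nargs)
{
    if (nargs > MAX_ARGS)
        return false;
    for (unsigned int i = 0; i < nargs; i++)
        if (!high_half_clear(regs->r[i]))
            return false;
    return true;
}

/* Constructed state: every register holds a small 32-bit value; register
 * `dirty` (none if dirty >= MAX_ARGS) gets a non-zero high half, which only
 * a guest able to run 64-bit code can produce. */
static struct arg_regs make_regs(unsigned int dirty)
{
    struct arg_regs regs;

    for (unsigned int i = 0; i < MAX_ARGS; i++)
        regs.r[i] = 0x1000u + i;
    if (dirty < MAX_ARGS)
        regs.r[dirty] |= 0xdeadbeefULL << 32;
    return regs;
}

bool demo_all(unsigned int dirty)
{
    struct arg_regs regs = make_regs(dirty);
    return check_all(&regs);
}

bool demo_used(unsigned int dirty, unsigned int nargs)
{
    struct arg_regs regs = make_regs(dirty);
    return check_used(&regs, nargs);
}

int main(void)
{
    /* A two-argument call with stale bits in unused register 4. */
    printf("all registers: %s, used registers only: %s\n",
           demo_all(4) ? "pass" : "fail",
           demo_used(4, 2) ? "pass" : "fail");
    return 0;
}
```

The narrowed check still rejects a non-zero high half in a register that does carry an argument.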


From xen-announce-bounces@lists.xen.org Thu Nov 27 12:10:25 2014
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 27 Nov 2014 12:10:25 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1Xtxsd-0002nE-VR; Thu, 27 Nov 2014 12:09:03 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1Xtxsc-0002mo-Sz; Thu, 27 Nov 2014 12:09:03 +0000
Received: from [85.158.139.211] by server-7.bemta-5.messagelabs.com id
	C5/08-31453-D5417745; Thu, 27 Nov 2014 12:09:01 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-16.tower-206.messagelabs.com!1417090139!10757292!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.12.4; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 32394 invoked from network); 27 Nov 2014 12:09:00 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-16.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	27 Nov 2014 12:09:00 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XtxsT-0003WD-CG; Thu, 27 Nov 2014 12:08:53 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1XtxsT-0000TV-4i; Thu, 27 Nov 2014 12:08:53 +0000
Date: Thu, 27 Nov 2014 12:08:53 +0000
Message-Id: <E1XtxsT-0000TV-4i@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 112 (CVE-2014-8867) -
 Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-8867 / XSA-112
                              version 5

  Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Acceleration support for the "REP MOVS" instruction, when the first
iteration accesses memory mapped I/O emulated internally in the
hypervisor, incorrectly assumes that the whole range accessed is
handled by the same hypervisor sub-component.

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa112-unstable.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa112-4.2.patch             Xen 4.2.x

$ sha256sum xsa112*.patch
cf01a1acd258e7cbb3586e543ba3668c1ee7fb05cba19b8b5369a3e101a2288f  xsa112-4.2.patch
cc39a4cdcb52929ed36ab696807d2405aa552177a6f029d8a1a52041ca1ed519  xsa112.patch
$

We have been told that this patch is not sufficient on Xen 3.3.x and
earlier without also backporting b1b6362f (git commit id).

Note that while we are happy to share information we receive about
earlier Xen versions, the earliest Xen branch for which the Xen
Project offers security support is 4.2.x.

--=separator
Content-Type: application/octet-stream; name="xsa112-4.2.patch"
Content-Disposition: attachment; filename="xsa112-4.2.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa112.patch"
Content-Disposition: attachment; filename="xsa112.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
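
An added C example, not taken from the advisory or from Xen's code, of bounding a repeated string access against the one region that claimed its first iteration, the assumption XSA-112 above describes as incorrect. The region and access structures, the function names and the sample addresses are assumptions; clipping to a single iteration when the last element falls outside the region is this sketch's choice.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not Xen code: one internally emulated MMIO region
 * and one repeated string access as a dispatcher would see it. */
struct mmio_region { uint64_t base, len; };

struct rep_access {
    uint64_t addr;   /* address of the first element */
    uint32_t size;   /* bytes per element */
    uint32_t count;  /* guest-controlled repetition count */
    bool     df;     /* direction flag: true = addresses decrease */
};

/* True if [addr, addr + size) lies wholly inside the region. Uses
 * subtraction only, so the comparison itself cannot wrap. */
static bool region_claims(const struct mmio_region *r, uint64_t addr,
                          uint32_t size)
{
    return addr >= r->base && size <= r->len &&
           addr - r->base <= r->len - size;
}

/* Flawed assumption: the first element decides for the whole range. */
static uint32_t first_only_count(const struct mmio_region *r,
                                 const struct rep_access *a)
{
    return (a->count && region_claims(r, a->addr, a->size)) ? a->count : 0;
}

/* Bounded form: also test the last element; if the range wraps or leaves
 * the region, hand over one iteration and let the rest be re-dispatched. */
static uint32_t bounded_count(const struct mmio_region *r,
                              const struct rep_access *a)
{
    uint64_t span, last;

    if (a->count == 0 || !region_claims(r, a->addr, a->size))
        return 0;
    span = ((uint64_t)a->count - 1) * a->size;   /* < 2^64, cannot wrap */
    if (a->df ? span > a->addr : span > UINT64_MAX - a->addr)
        return 1;                                /* range wraps */
    last = a->df ? a->addr - span : a->addr + span;
    return region_claims(r, last, a->size) ? a->count : 1;
}

/* Number of the first n iterations that land outside the region. */
static uint32_t elements_outside(const struct mmio_region *r,
                                 const struct rep_access *a, uint32_t n)
{
    uint32_t i, bad = 0;

    for (i = 0; i < n; i++) {
        uint64_t off = (uint64_t)i * a->size;
        bad += !region_claims(r, a->df ? a->addr - off : a->addr + off,
                              a->size);
    }
    return bad;
}

/* Wrappers over constructed sample values. */
uint32_t demo_bounded(uint64_t base, uint64_t len, uint64_t addr,
                      uint32_t size, uint32_t count, bool df)
{
    struct mmio_region r = { base, len };
    struct rep_access a = { addr, size, count, df };
    return bounded_count(&r, &a);
}

uint32_t demo_outside(uint64_t base, uint64_t len, uint64_t addr,
                      uint32_t size, uint32_t count, bool df, bool bounded)
{
    struct mmio_region r = { base, len };
    struct rep_access a = { addr, size, count, df };
    uint32_t n = bounded ? bounded_count(&r, &a) : first_only_count(&r, &a);
    return elements_outside(&r, &a, n);
}

int main(void)
{
    /* Constructed: 4 ascending 4-byte accesses, 8 bytes before region end. */
    printf("first-only: %u outside; bounded: count %u, %u outside\n",
           demo_outside(0x10000, 0x1000, 0x10FF8, 4, 4, false, false),
           demo_bounded(0x10000, 0x1000, 0x10FF8, 4, 4, false),
           demo_outside(0x10000, 0x1000, 0x10FF8, 4, 4, false, true));
    return 0;
}
```

Because the modelled region is contiguous, testing the first and last elements covers every element in between.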

