From xen-announce-bounces@lists.xen.org Mon Mar 02 15:02:53 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 02 Mar 2015 15:02:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YSRqj-00041X-DK; Mon, 02 Mar 2015 15:01:37 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YSRp9-0003ng-EI for xen-announce@lists.xenproject.org; Mon, 02 Mar 2015 14:59:59 +0000 Received: from [85.158.139.211] by server-5.bemta-5.messagelabs.com id 50/83-03164-EEA74F45; Mon, 02 Mar 2015 14:59:58 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-15.tower-206.messagelabs.com!1425308396!9012322!1 X-Originating-IP: [74.125.82.50] X-SpamReason: No, hits=1.8 required=7.0 tests=BODY_RANDOM_LONG, HTML_60_70,HTML_MESSAGE,HTML_TINY_FONT X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 6819 invoked from network); 2 Mar 2015 14:59:56 -0000 Received: from mail-wg0-f50.google.com (HELO mail-wg0-f50.google.com) (74.125.82.50) by server-15.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Mar 2015 14:59:56 -0000 Received: by wggy19 with SMTP id y19so33933313wgg.10 for ; Mon, 02 Mar 2015 06:59:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=UesMM5eUaCO6sIMcbmQfJvx/enWPJIHYAW0iDydvq5w=; b=lTH2/xOzCDBtpXBIaO4+ZtJGzVlhbYkYmWi2/Ha+FpgZ80mHrAOzlptxS9Vz2fnyKA blwFb3/HBRIhnCnTSOBtpBueP6q3HBLJjHqxnpeePJGxIujbHAb8V0S7Xjk/Q6dIOv1r Ch/PdbmIT5nqK+uMXG/EK4o91TR8tkHDznw6cKsN99pH6As4M0C0O2OeNWIEAXcE6tp4 AynELj/9Y1UjFt0IkIern6eFFwOytYbTUv0a2p70nvjz/XVvJg2Kn52nr2Hw6HMoWMye rw+SB42OHdTVAUkGtP5lg7yBHs0POxZg3wN+hxipfGtrqg6qU5+u5Ohd+UD96UuzVf4d K2VA== X-Received: by 10.180.218.71 with SMTP id pe7mr21103778wic.70.1425308395887; Mon, 02 Mar 2015 06:59:55 -0800 (PST) Received: from [192.168.0.12] (97e3cd44.skybroadband.com. [151.227.205.68]) by mx.google.com with ESMTPSA id bf8sm19564999wjb.37.2015.03.02.06.59.53 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 02 Mar 2015 06:59:53 -0800 (PST) From: Lars Kurth Message-Id: <742C9217-872C-40E5-853F-CBFFD9BB59B4@gmail.com> Date: Mon, 2 Mar 2015 14:59:51 +0000 To: xen-announce@lists.xenproject.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) X-Mailer: Apple Mail (2.2070.6) X-Mailman-Approved-At: Mon, 02 Mar 2015 15:01:36 +0000 Subject: [Xen-announce] Updates to Xen Project Security Process X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============4283592680591385758==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --===============4283592680591385758== Content-Type: multipart/alternative; boundary="Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A" --Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Dear Community Members, before Christmas, the Xen Project ran a community consultation = to refine its Security Problem Response Process = . We recently approved = changes that, in essence, are tweaks to our existing process, which is = based on the Responsible Disclosure = philosophy. Responsible Disclosure and our Security Problem Response Process are = important components of keeping users of Xen Project based products and = services safe from security exploits. Both ensure that products and = services can be patched by members of the pre-disclosure list before = details of a vulnerability are published andbefore said vulnerabilities = can be exploited by black hats.=20 The changes to our response process fall into a number of categories: Clarify whether security updates can be deployed on publicly hosted = systems (e.g. cloud or hosting providers) during embargo Sharing of information among pre-disclosure list members Applications procedure for pre-disclosure list membership The complete discussion leading to the changes, the concrete changes to = the process, and the voting records supporting the changes are tracked = in Bug #44 -Security policy ambiguities = . On February 11, 2015, the = proposed changes were approved in accordance with Xen Project = governance. Note that some process changes are already implemented, = whereas others are waiting for new tooling before they can fully be put = in place. We have however updated our Security Problem Response Process = as most tooling is = present today. Process Changes Already in Operation The updated policy makes explicit whether or not patches related to a = Xen Security Issue can be deployed by pre-disclosure list members. The = concrete policy changes can be found here = and = here = . In = practice, every Xen Security Advisory will contain a section such as: DEPLOYMENT DURING EMBARGO =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. This section will clarify whether deploying fixed versions of Xen during = the embargo is allowed. Any restrictions will also be stated in the = embargoed advisory. The Security Team will impose deployment = restrictions only to prevent the exposure of security vulnerability = technicalities, which present a significant risk of vulnerability = rediscovery (for example, by visible differences in behaviour). Such = situations have been, and are expected, to be rare. Changes to Application Procedure for Pre-disclosure List Membership We also made additional changes related to streamlining and simplifying = the process of applying for pre-disclosure list membership. Detailed = policy changes can be found here = and = here = . = Moving forward, future applications to become members of the Xen Project = pre-disclosure list have to be made publicly on the = predisclosure-applications = mailing list. This enables Xen Project community members to provide = additional information and also is in line with one of our community=E2=80= =99s core principles: transparency. In addition, we=E2=80=99ve clarified = our eligibility criteria to make it easier for the Xen Project Security = Team, as well as observers of the mailing list, to verify whether = applicants are eligible to become members of the list. Process Changes That Require Some Tooling Sharing of Information Among Pre-disclosure List Members Finally, members of the pre-disclosure list will be explicitly allowed = to share fixes to embargoed issues, analysis, and other relevant = information with the security teams of other pre-disclosure members. = Information sharing will happen on a private and secure mailing list = hosted by the Xen Project. More details here = .=20 Best Regards Lars --Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8

Dear Community = Members,

before Christmas, the Xen Project ran a community consultation to refine = its Security = Problem Response Process.  We recently approved changes that, = in essence, are tweaks to our existing process, which is based on = the Responsible Disclosure philosophy.

Responsible Disclosure and our Security Problem Response = Process are important components of keeping users of Xen = Project based products and services safe from security exploits. Both = ensure that products and services can be patched by members of the = pre-disclosure list before details of a = vulnerability are published andbefore said = vulnerabilities can be exploited by black hats. 

The changes to our = response process fall into a number of categories:

  • Clarify whether security updates can be deployed = on publicly hosted systems (e.g. cloud or hosting providers) during = embargo
  • Sharing of = information among pre-disclosure list members
  • Applications procedure for pre-disclosure list = membership

The complete discussion leading to the changes, the concrete = changes to the process, and the voting records supporting the changes = are tracked in Bug #44 = -Security policy ambiguities. On February = 11, 2015, the proposed changes were approved in accordance = with Xen Project governance. Note that some process changes are = already implemented, whereas others are waiting for new tooling before = they can fully be put in place. We have however updated our Security Problem Response = Process as most tooling is present today.

Process = Changes Already in Operation

The updated policy = makes explicit whether or not patches related to a Xen Security Issue = can be deployed by pre-disclosure list members. The concrete policy = changes can be found here and here. = In practice, every Xen Security Advisory will contain a section such = as:

DEPLOYMENT DURING EMBARGO
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=


Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

This = section will clarify whether deploying fixed versions of Xen during the = embargo is allowed. Any restrictions will also be stated in the = embargoed advisory. The Security Team will impose deployment = restrictions only to prevent the exposure of security vulnerability = technicalities, which present a significant risk of vulnerability = rediscovery (for example, by visible differences in behaviour). Such = situations have been, and are expected, to be rare.

Changes to Application Procedure for Pre-disclosure = List Membership

We also made additional changes related to streamlining and = simplifying the process of applying for pre-disclosure list membership. = Detailed policy changes can be found here and here. = Moving forward, future applications to become members of the Xen Project = pre-disclosure list have to be made publicly on the predisclosure-applications mailing list. This = enables Xen Project community members to provide additional information = and also is in line with one of our community=E2=80=99s core = principles: transparency. In addition, = we=E2=80=99ve clarified our eligibility criteria to make it easier = for the Xen Project Security Team, as well as observers of the mailing = list, to verify whether applicants are eligible to become members of the = list.

Process Changes That Require Some Tooling

Sharing of Information Among Pre-disclosure List = Members

Finally, members of the pre-disclosure list will be = explicitly allowed to share fixes to embargoed issues, analysis, and = other relevant information with the security teams of other = pre-disclosure members. Information sharing will happen on a private and = secure mailing list hosted by the Xen Project.  More = details here

Best Regards

Lars


= --Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A-- --===============4283592680591385758== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============4283592680591385758==-- From xen-announce-bounces@lists.xen.org Mon Mar 02 15:02:53 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 02 Mar 2015 15:02:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YSRqj-00041X-DK; Mon, 02 Mar 2015 15:01:37 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YSRp9-0003ng-EI for xen-announce@lists.xenproject.org; Mon, 02 Mar 2015 14:59:59 +0000 Received: from [85.158.139.211] by server-5.bemta-5.messagelabs.com id 50/83-03164-EEA74F45; Mon, 02 Mar 2015 14:59:58 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-15.tower-206.messagelabs.com!1425308396!9012322!1 X-Originating-IP: [74.125.82.50] X-SpamReason: No, hits=1.8 required=7.0 tests=BODY_RANDOM_LONG, HTML_60_70,HTML_MESSAGE,HTML_TINY_FONT X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 6819 invoked from network); 2 Mar 2015 14:59:56 -0000 Received: from mail-wg0-f50.google.com (HELO mail-wg0-f50.google.com) (74.125.82.50) by server-15.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Mar 2015 14:59:56 -0000 Received: by wggy19 with SMTP id y19so33933313wgg.10 for ; Mon, 02 Mar 2015 06:59:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=UesMM5eUaCO6sIMcbmQfJvx/enWPJIHYAW0iDydvq5w=; b=lTH2/xOzCDBtpXBIaO4+ZtJGzVlhbYkYmWi2/Ha+FpgZ80mHrAOzlptxS9Vz2fnyKA blwFb3/HBRIhnCnTSOBtpBueP6q3HBLJjHqxnpeePJGxIujbHAb8V0S7Xjk/Q6dIOv1r Ch/PdbmIT5nqK+uMXG/EK4o91TR8tkHDznw6cKsN99pH6As4M0C0O2OeNWIEAXcE6tp4 AynELj/9Y1UjFt0IkIern6eFFwOytYbTUv0a2p70nvjz/XVvJg2Kn52nr2Hw6HMoWMye rw+SB42OHdTVAUkGtP5lg7yBHs0POxZg3wN+hxipfGtrqg6qU5+u5Ohd+UD96UuzVf4d K2VA== X-Received: by 10.180.218.71 with SMTP id pe7mr21103778wic.70.1425308395887; Mon, 02 Mar 2015 06:59:55 -0800 (PST) Received: from [192.168.0.12] (97e3cd44.skybroadband.com. [151.227.205.68]) by mx.google.com with ESMTPSA id bf8sm19564999wjb.37.2015.03.02.06.59.53 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 02 Mar 2015 06:59:53 -0800 (PST) From: Lars Kurth Message-Id: <742C9217-872C-40E5-853F-CBFFD9BB59B4@gmail.com> Date: Mon, 2 Mar 2015 14:59:51 +0000 To: xen-announce@lists.xenproject.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) X-Mailer: Apple Mail (2.2070.6) X-Mailman-Approved-At: Mon, 02 Mar 2015 15:01:36 +0000 Subject: [Xen-announce] Updates to Xen Project Security Process X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============4283592680591385758==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --===============4283592680591385758== Content-Type: multipart/alternative; boundary="Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A" --Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Dear Community Members, before Christmas, the Xen Project ran a community consultation = to refine its Security Problem Response Process = . We recently approved = changes that, in essence, are tweaks to our existing process, which is = based on the Responsible Disclosure = philosophy. Responsible Disclosure and our Security Problem Response Process are = important components of keeping users of Xen Project based products and = services safe from security exploits. Both ensure that products and = services can be patched by members of the pre-disclosure list before = details of a vulnerability are published andbefore said vulnerabilities = can be exploited by black hats.=20 The changes to our response process fall into a number of categories: Clarify whether security updates can be deployed on publicly hosted = systems (e.g. cloud or hosting providers) during embargo Sharing of information among pre-disclosure list members Applications procedure for pre-disclosure list membership The complete discussion leading to the changes, the concrete changes to = the process, and the voting records supporting the changes are tracked = in Bug #44 -Security policy ambiguities = . On February 11, 2015, the = proposed changes were approved in accordance with Xen Project = governance. Note that some process changes are already implemented, = whereas others are waiting for new tooling before they can fully be put = in place. We have however updated our Security Problem Response Process = as most tooling is = present today. Process Changes Already in Operation The updated policy makes explicit whether or not patches related to a = Xen Security Issue can be deployed by pre-disclosure list members. The = concrete policy changes can be found here = and = here = . In = practice, every Xen Security Advisory will contain a section such as: DEPLOYMENT DURING EMBARGO =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. This section will clarify whether deploying fixed versions of Xen during = the embargo is allowed. Any restrictions will also be stated in the = embargoed advisory. The Security Team will impose deployment = restrictions only to prevent the exposure of security vulnerability = technicalities, which present a significant risk of vulnerability = rediscovery (for example, by visible differences in behaviour). Such = situations have been, and are expected, to be rare. Changes to Application Procedure for Pre-disclosure List Membership We also made additional changes related to streamlining and simplifying = the process of applying for pre-disclosure list membership. Detailed = policy changes can be found here = and = here = . = Moving forward, future applications to become members of the Xen Project = pre-disclosure list have to be made publicly on the = predisclosure-applications = mailing list. This enables Xen Project community members to provide = additional information and also is in line with one of our community=E2=80= =99s core principles: transparency. In addition, we=E2=80=99ve clarified = our eligibility criteria to make it easier for the Xen Project Security = Team, as well as observers of the mailing list, to verify whether = applicants are eligible to become members of the list. Process Changes That Require Some Tooling Sharing of Information Among Pre-disclosure List Members Finally, members of the pre-disclosure list will be explicitly allowed = to share fixes to embargoed issues, analysis, and other relevant = information with the security teams of other pre-disclosure members. = Information sharing will happen on a private and secure mailing list = hosted by the Xen Project. More details here = .=20 Best Regards Lars --Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8

Dear Community = Members,

before Christmas, the Xen Project ran a community consultation to refine = its Security = Problem Response Process.  We recently approved changes that, = in essence, are tweaks to our existing process, which is based on = the Responsible Disclosure philosophy.

Responsible Disclosure and our Security Problem Response = Process are important components of keeping users of Xen = Project based products and services safe from security exploits. Both = ensure that products and services can be patched by members of the = pre-disclosure list before details of a = vulnerability are published andbefore said = vulnerabilities can be exploited by black hats. 

The changes to our = response process fall into a number of categories:

  • Clarify whether security updates can be deployed = on publicly hosted systems (e.g. cloud or hosting providers) during = embargo
  • Sharing of = information among pre-disclosure list members
  • Applications procedure for pre-disclosure list = membership

The complete discussion leading to the changes, the concrete = changes to the process, and the voting records supporting the changes = are tracked in Bug #44 = -Security policy ambiguities. On February = 11, 2015, the proposed changes were approved in accordance = with Xen Project governance. Note that some process changes are = already implemented, whereas others are waiting for new tooling before = they can fully be put in place. We have however updated our Security Problem Response = Process as most tooling is present today.

Process = Changes Already in Operation

The updated policy = makes explicit whether or not patches related to a Xen Security Issue = can be deployed by pre-disclosure list members. The concrete policy = changes can be found here and here. = In practice, every Xen Security Advisory will contain a section such = as:

DEPLOYMENT DURING EMBARGO
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=


Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

This = section will clarify whether deploying fixed versions of Xen during the = embargo is allowed. Any restrictions will also be stated in the = embargoed advisory. The Security Team will impose deployment = restrictions only to prevent the exposure of security vulnerability = technicalities, which present a significant risk of vulnerability = rediscovery (for example, by visible differences in behaviour). Such = situations have been, and are expected, to be rare.

Changes to Application Procedure for Pre-disclosure = List Membership

We also made additional changes related to streamlining and = simplifying the process of applying for pre-disclosure list membership. = Detailed policy changes can be found here and here. = Moving forward, future applications to become members of the Xen Project = pre-disclosure list have to be made publicly on the predisclosure-applications mailing list. This = enables Xen Project community members to provide additional information = and also is in line with one of our community=E2=80=99s core = principles: transparency. In addition, = we=E2=80=99ve clarified our eligibility criteria to make it easier = for the Xen Project Security Team, as well as observers of the mailing = list, to verify whether applicants are eligible to become members of the = list.

Process Changes That Require Some Tooling

Sharing of Information Among Pre-disclosure List = Members

Finally, members of the pre-disclosure list will be = explicitly allowed to share fixes to embargoed issues, analysis, and = other relevant information with the security teams of other = pre-disclosure members. Information sharing will happen on a private and = secure mailing list hosted by the Xen Project.  More = details here

Best Regards

Lars


= --Apple-Mail=_92FE02B7-3753-4850-A3CB-94468CDC793A-- --===============4283592680591385758== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============4283592680591385758==-- From xen-announce-bounces@lists.xen.org Thu Mar 05 12:20:43 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 05 Mar 2015 12:20:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkI-0008Vc-6c; Thu, 05 Mar 2015 12:19:18 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkG-0008Ur-Ln; Thu, 05 Mar 2015 12:19:16 +0000 Received: from [193.109.254.147] by server-8.bemta-14.messagelabs.com id A2/09-03168-3C948F45; Thu, 05 Mar 2015 12:19:15 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-27.messagelabs.com!1425557954!14942428!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 18760 invoked from network); 5 Mar 2015 12:19:15 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 5 Mar 2015 12:19:15 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUk8-00089K-7q; Thu, 05 Mar 2015 12:19:08 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YTUk8-00020t-62; Thu, 05 Mar 2015 12:19:08 +0000 Date: Thu, 05 Mar 2015 12:19:08 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 122 (CVE-2015-2045) - Information leak through version information hypercall X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2045 / XSA-122 version 3 Information leak through version information hypercall UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall fails to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents are copied into the destination of the operation, thus becoming visible to the guest. IMPACT ====== A malicious guest might be able to read sensitive data relating to other guests. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== There is no mitigation available for this issue. CREDITS ======= This issue was discovered by Aaron Adams of NCC Group. RESOLUTION ========== Applying the attached patch resolves this issue. xsa122.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa122*.patch 13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47 xsa122.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU+EmQAAoJEIP+FMlX6CvZZxIIAJVuGIRZ1dEiX1VPY71dZ52t CSIBfHMpynwxT7oUwbw/Akk3d1M/uAV/8QvM1DoG9//U6hQgZfY5UVn3Ihp1k7Fy BitDKdDn3T10ys/URtotX+8+Alm1diM/6sIrAF5kG3IBf0VCkEaV5jVI0ZIuee5u AOHhj9HJN9bPRGSTlNlkRx0Tjlw8Worrluex2romagALxLEXYejOM8syuQl5qSFj VdqhNvmZV23664ZTrgSZxU17O+AajMNi+M9sYUFSPfAA8VHu42G7Ox4CqY7pxyg7 b9g2BgVVWRkZIhZPYeEr3RcxNP7wITAeFYP18c48VBd6gmHYK9sSwwSoXgYGuwE= =ddMG -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa122.patch" Content-Disposition: attachment; filename="xsa122.patch" Content-Transfer-Encoding: base64 cHJlLWZpbGwgc3RydWN0dXJlcyBmb3IgY2VydGFpbiBIWVBFUlZJU09SX3hl bl92ZXJzaW9uIHN1Yi1vcHMKCi4uLiBhdm9pZGluZyB0byBwYXNzIGh5cGVy dmlzb3Igc3RhY2sgY29udGVudHMgYmFjayB0byB0aGUgY2FsbGVyCnRocm91 Z2ggc3BhY2UgdW51c2VkIGJ5IHRoZSByZXNwZWN0aXZlIHN0cmluZ3MuCgpU aGlzIGlzIENWRS0yMDE1LTIwNDUgLyBYU0EtMTIyLgoKU2lnbmVkLW9mZi1i eTogQWFyb24gQWRhbXMgPEFhcm9uLkFkYW1zQG5jY2dyb3VwLmNvbT4KQWNr ZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQt Ynk6IElhbiBDYW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Cgot LS0gYS94ZW4vY29tbW9uL2tlcm5lbC5jCisrKyBiL3hlbi9jb21tb24va2Vy bmVsLmMKQEAgLTI0MCw2ICsyNDAsOCBAQCBETyh4ZW5fdmVyc2lvbikoaW50 IGNtZCwgWEVOX0dVRVNUX0hBTkRMCiAgICAgY2FzZSBYRU5WRVJfZXh0cmF2 ZXJzaW9uOgogICAgIHsKICAgICAgICAgeGVuX2V4dHJhdmVyc2lvbl90IGV4 dHJhdmVyc2lvbjsKKworICAgICAgICBtZW1zZXQoZXh0cmF2ZXJzaW9uLCAw LCBzaXplb2YoZXh0cmF2ZXJzaW9uKSk7CiAgICAgICAgIHNhZmVfc3RyY3B5 KGV4dHJhdmVyc2lvbiwgeGVuX2V4dHJhX3ZlcnNpb24oKSk7CiAgICAgICAg IGlmICggY29weV90b19ndWVzdChhcmcsIGV4dHJhdmVyc2lvbiwgQVJSQVlf U0laRShleHRyYXZlcnNpb24pKSApCiAgICAgICAgICAgICByZXR1cm4gLUVG QVVMVDsKQEAgLTI0OSw2ICsyNTEsOCBAQCBETyh4ZW5fdmVyc2lvbikoaW50 IGNtZCwgWEVOX0dVRVNUX0hBTkRMCiAgICAgY2FzZSBYRU5WRVJfY29tcGls ZV9pbmZvOgogICAgIHsKICAgICAgICAgc3RydWN0IHhlbl9jb21waWxlX2lu Zm8gaW5mbzsKKworICAgICAgICBtZW1zZXQoJmluZm8sIDAsIHNpemVvZihp bmZvKSk7CiAgICAgICAgIHNhZmVfc3RyY3B5KGluZm8uY29tcGlsZXIsICAg ICAgIHhlbl9jb21waWxlcigpKTsKICAgICAgICAgc2FmZV9zdHJjcHkoaW5m by5jb21waWxlX2J5LCAgICAgeGVuX2NvbXBpbGVfYnkoKSk7CiAgICAgICAg IHNhZmVfc3RyY3B5KGluZm8uY29tcGlsZV9kb21haW4sIHhlbl9jb21waWxl X2RvbWFpbigpKTsKQEAgLTI4NCw2ICsyODgsOCBAQCBETyh4ZW5fdmVyc2lv bikoaW50IGNtZCwgWEVOX0dVRVNUX0hBTkRMCiAgICAgY2FzZSBYRU5WRVJf Y2hhbmdlc2V0OgogICAgIHsKICAgICAgICAgeGVuX2NoYW5nZXNldF9pbmZv X3QgY2hnc2V0OworCisgICAgICAgIG1lbXNldChjaGdzZXQsIDAsIHNpemVv ZihjaGdzZXQpKTsKICAgICAgICAgc2FmZV9zdHJjcHkoY2hnc2V0LCB4ZW5f Y2hhbmdlc2V0KCkpOwogICAgICAgICBpZiAoIGNvcHlfdG9fZ3Vlc3QoYXJn LCBjaGdzZXQsIEFSUkFZX1NJWkUoY2hnc2V0KSkgKQogICAgICAgICAgICAg cmV0dXJuIC1FRkFVTFQ7Cg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Thu Mar 05 12:20:43 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 05 Mar 2015 12:20:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkG-0008Ut-QG; Thu, 05 Mar 2015 12:19:16 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkF-0008Ue-53; Thu, 05 Mar 2015 12:19:15 +0000 Received: from [85.158.139.211] by server-5.bemta-5.messagelabs.com id 02/FB-03164-2C948F45; Thu, 05 Mar 2015 12:19:14 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-206.messagelabs.com!1425557952!13209899!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 17876 invoked from network); 5 Mar 2015 12:19:13 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 5 Mar 2015 12:19:13 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUk5-00089A-8c; Thu, 05 Mar 2015 12:19:05 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YTUk4-0001zw-QW; Thu, 05 Mar 2015 12:19:04 +0000 Date: Thu, 05 Mar 2015 12:19:04 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 121 (CVE-2015-2044) - Information leak via internal x86 system device emulation X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2044 / XSA-121 version 3 Information leak via internal x86 system device emulation UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Emulation routines in the hypervisor dealing with certain system devices check whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents are copied into the destination of the operation, thus becoming visible to the guest. IMPACT ====== A malicious HVM guest might be able to read sensitive data relating to other guests. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. Only HVM guests can take advantage of this vulnerability. Only x86 systems are vulnerable. ARM systems are not vulnerable. MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. xsa121.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa121*.patch e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268 xsa121.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU+EmOAAoJEIP+FMlX6CvZnU0IAJZE8lD0dqlM9RyIMopSOZwp CYEVhmk03UsTIpJci1zVg+QUs7owe/p6tamuy4B/XFG6tGs4vsqVeUk8lvs8/Gzs 6RsEkHvOdy1Np9r8vCp2SShKsom0dE13t3JwAY+mftJNHFN2QTPmHbfi8XpnVotm 1nsLXl+8FAWa+d3ZULQTZXKJw6f2dNuXu9NHIvaNzP+IffJ6zKLPr9b8Va71yztA 0MPuUziRxVoJ5xWtoceN4qEdsnIZo5N9JN90fZSGSdiR976Qh1lhMu1ak4aVcNJa qljKSQQPOmfyHjyKsULvLlCYUldonkIfBVaJ+5QmZEVPMCDxig36m49QMOCNwOg= =BATt -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa121.patch" Content-Disposition: attachment; filename="xsa121.patch" Content-Transfer-Encoding: base64 eDg2L0hWTTogcmV0dXJuIGFsbCBvbmVzIG9uIHdyb25nLXNpemVkIHJlYWRz IG9mIHN5c3RlbSBkZXZpY2UgSS9PIHBvcnRzCgpTbyBmYXIgdGhlIHZhbHVl IHByZXNlbnRlZCB0byB0aGUgZ3Vlc3QgcmVtYWluZWQgdW5pbml0aWFsaXpl ZC4KClRoaXMgaXMgQ1ZFLTIwMTUtMjA0NCAvIFhTQS0xMjEuCgpTaWduZWQt b2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+CkFja2Vk LWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgoK LS0tIGEveGVuL2FyY2gveDg2L2h2bS9pODI1NC5jCisrKyBiL3hlbi9hcmNo L3g4Ni9odm0vaTgyNTQuYwpAQCAtNDg2LDYgKzQ4Niw3IEBAIHN0YXRpYyBp bnQgaGFuZGxlX3BpdF9pbygKICAgICBpZiAoIGJ5dGVzICE9IDEgKQogICAg IHsKICAgICAgICAgZ2RwcmludGsoWEVOTE9HX1dBUk5JTkcsICJQSVQgYmFk IGFjY2Vzc1xuIik7CisgICAgICAgICp2YWwgPSB+MDsKICAgICAgICAgcmV0 dXJuIFg4NkVNVUxfT0tBWTsKICAgICB9CiAKLS0tIGEveGVuL2FyY2gveDg2 L2h2bS9wbXRpbWVyLmMKKysrIGIveGVuL2FyY2gveDg2L2h2bS9wbXRpbWVy LmMKQEAgLTIxMyw2ICsyMTMsNyBAQCBzdGF0aWMgaW50IGhhbmRsZV9wbXRf aW8oCiAgICAgaWYgKCBieXRlcyAhPSA0ICkKICAgICB7CiAgICAgICAgIGdk cHJpbnRrKFhFTkxPR19XQVJOSU5HLCAiSFZNX1BNVCBiYWQgYWNjZXNzXG4i KTsKKyAgICAgICAgKnZhbCA9IH4wOwogICAgICAgICByZXR1cm4gWDg2RU1V TF9PS0FZOwogICAgIH0KICAgICAKLS0tIGEveGVuL2FyY2gveDg2L2h2bS9y dGMuYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3J0Yy5jCkBAIC03MDMsNyAr NzAzLDggQEAgc3RhdGljIGludCBoYW5kbGVfcnRjX2lvKAogCiAgICAgaWYg KCBieXRlcyAhPSAxICkKICAgICB7Ci0gICAgICAgIGdkcHJpbnRrKFhFTkxP R19XQVJOSU5HLCAiSFZNX1JUQyBiYXMgYWNjZXNzXG4iKTsKKyAgICAgICAg Z2RwcmludGsoWEVOTE9HX1dBUk5JTkcsICJIVk1fUlRDIGJhZCBhY2Nlc3Nc biIpOworICAgICAgICAqdmFsID0gfjA7CiAgICAgICAgIHJldHVybiBYODZF TVVMX09LQVk7CiAgICAgfQogICAgIAotLS0gYS94ZW4vYXJjaC94ODYvaHZt L3ZwaWMuYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3ZwaWMuYwpAQCAtMzMx LDYgKzMzMSw3IEBAIHN0YXRpYyBpbnQgdnBpY19pbnRlcmNlcHRfcGljX2lv KAogICAgIGlmICggYnl0ZXMgIT0gMSApCiAgICAgewogICAgICAgICBnZHBy aW50ayhYRU5MT0dfV0FSTklORywgIlBJQ19JTyBiYWQgYWNjZXNzIHNpemUg JWRcbiIsIGJ5dGVzKTsKKyAgICAgICAgKnZhbCA9IH4wOwogICAgICAgICBy ZXR1cm4gWDg2RU1VTF9PS0FZOwogICAgIH0KIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Thu Mar 05 12:20:43 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 05 Mar 2015 12:20:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkI-0008Vc-6c; Thu, 05 Mar 2015 12:19:18 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkG-0008Ur-Ln; Thu, 05 Mar 2015 12:19:16 +0000 Received: from [193.109.254.147] by server-8.bemta-14.messagelabs.com id A2/09-03168-3C948F45; Thu, 05 Mar 2015 12:19:15 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-27.messagelabs.com!1425557954!14942428!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 18760 invoked from network); 5 Mar 2015 12:19:15 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 5 Mar 2015 12:19:15 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUk8-00089K-7q; Thu, 05 Mar 2015 12:19:08 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YTUk8-00020t-62; Thu, 05 Mar 2015 12:19:08 +0000 Date: Thu, 05 Mar 2015 12:19:08 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 122 (CVE-2015-2045) - Information leak through version information hypercall X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2045 / XSA-122 version 3 Information leak through version information hypercall UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall fails to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents are copied into the destination of the operation, thus becoming visible to the guest. IMPACT ====== A malicious guest might be able to read sensitive data relating to other guests. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== There is no mitigation available for this issue. CREDITS ======= This issue was discovered by Aaron Adams of NCC Group. RESOLUTION ========== Applying the attached patch resolves this issue. xsa122.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa122*.patch 13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47 xsa122.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU+EmQAAoJEIP+FMlX6CvZZxIIAJVuGIRZ1dEiX1VPY71dZ52t CSIBfHMpynwxT7oUwbw/Akk3d1M/uAV/8QvM1DoG9//U6hQgZfY5UVn3Ihp1k7Fy BitDKdDn3T10ys/URtotX+8+Alm1diM/6sIrAF5kG3IBf0VCkEaV5jVI0ZIuee5u AOHhj9HJN9bPRGSTlNlkRx0Tjlw8Worrluex2romagALxLEXYejOM8syuQl5qSFj VdqhNvmZV23664ZTrgSZxU17O+AajMNi+M9sYUFSPfAA8VHu42G7Ox4CqY7pxyg7 b9g2BgVVWRkZIhZPYeEr3RcxNP7wITAeFYP18c48VBd6gmHYK9sSwwSoXgYGuwE= =ddMG -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa122.patch" Content-Disposition: attachment; filename="xsa122.patch" Content-Transfer-Encoding: base64 cHJlLWZpbGwgc3RydWN0dXJlcyBmb3IgY2VydGFpbiBIWVBFUlZJU09SX3hl bl92ZXJzaW9uIHN1Yi1vcHMKCi4uLiBhdm9pZGluZyB0byBwYXNzIGh5cGVy dmlzb3Igc3RhY2sgY29udGVudHMgYmFjayB0byB0aGUgY2FsbGVyCnRocm91 Z2ggc3BhY2UgdW51c2VkIGJ5IHRoZSByZXNwZWN0aXZlIHN0cmluZ3MuCgpU aGlzIGlzIENWRS0yMDE1LTIwNDUgLyBYU0EtMTIyLgoKU2lnbmVkLW9mZi1i eTogQWFyb24gQWRhbXMgPEFhcm9uLkFkYW1zQG5jY2dyb3VwLmNvbT4KQWNr ZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQt Ynk6IElhbiBDYW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Cgot LS0gYS94ZW4vY29tbW9uL2tlcm5lbC5jCisrKyBiL3hlbi9jb21tb24va2Vy bmVsLmMKQEAgLTI0MCw2ICsyNDAsOCBAQCBETyh4ZW5fdmVyc2lvbikoaW50 IGNtZCwgWEVOX0dVRVNUX0hBTkRMCiAgICAgY2FzZSBYRU5WRVJfZXh0cmF2 ZXJzaW9uOgogICAgIHsKICAgICAgICAgeGVuX2V4dHJhdmVyc2lvbl90IGV4 dHJhdmVyc2lvbjsKKworICAgICAgICBtZW1zZXQoZXh0cmF2ZXJzaW9uLCAw LCBzaXplb2YoZXh0cmF2ZXJzaW9uKSk7CiAgICAgICAgIHNhZmVfc3RyY3B5 KGV4dHJhdmVyc2lvbiwgeGVuX2V4dHJhX3ZlcnNpb24oKSk7CiAgICAgICAg IGlmICggY29weV90b19ndWVzdChhcmcsIGV4dHJhdmVyc2lvbiwgQVJSQVlf U0laRShleHRyYXZlcnNpb24pKSApCiAgICAgICAgICAgICByZXR1cm4gLUVG QVVMVDsKQEAgLTI0OSw2ICsyNTEsOCBAQCBETyh4ZW5fdmVyc2lvbikoaW50 IGNtZCwgWEVOX0dVRVNUX0hBTkRMCiAgICAgY2FzZSBYRU5WRVJfY29tcGls ZV9pbmZvOgogICAgIHsKICAgICAgICAgc3RydWN0IHhlbl9jb21waWxlX2lu Zm8gaW5mbzsKKworICAgICAgICBtZW1zZXQoJmluZm8sIDAsIHNpemVvZihp bmZvKSk7CiAgICAgICAgIHNhZmVfc3RyY3B5KGluZm8uY29tcGlsZXIsICAg ICAgIHhlbl9jb21waWxlcigpKTsKICAgICAgICAgc2FmZV9zdHJjcHkoaW5m by5jb21waWxlX2J5LCAgICAgeGVuX2NvbXBpbGVfYnkoKSk7CiAgICAgICAg IHNhZmVfc3RyY3B5KGluZm8uY29tcGlsZV9kb21haW4sIHhlbl9jb21waWxl X2RvbWFpbigpKTsKQEAgLTI4NCw2ICsyODgsOCBAQCBETyh4ZW5fdmVyc2lv bikoaW50IGNtZCwgWEVOX0dVRVNUX0hBTkRMCiAgICAgY2FzZSBYRU5WRVJf Y2hhbmdlc2V0OgogICAgIHsKICAgICAgICAgeGVuX2NoYW5nZXNldF9pbmZv X3QgY2hnc2V0OworCisgICAgICAgIG1lbXNldChjaGdzZXQsIDAsIHNpemVv ZihjaGdzZXQpKTsKICAgICAgICAgc2FmZV9zdHJjcHkoY2hnc2V0LCB4ZW5f Y2hhbmdlc2V0KCkpOwogICAgICAgICBpZiAoIGNvcHlfdG9fZ3Vlc3QoYXJn LCBjaGdzZXQsIEFSUkFZX1NJWkUoY2hnc2V0KSkgKQogICAgICAgICAgICAg cmV0dXJuIC1FRkFVTFQ7Cg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Thu Mar 05 12:20:43 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 05 Mar 2015 12:20:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkG-0008Ut-QG; Thu, 05 Mar 2015 12:19:16 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUkF-0008Ue-53; Thu, 05 Mar 2015 12:19:15 +0000 Received: from [85.158.139.211] by server-5.bemta-5.messagelabs.com id 02/FB-03164-2C948F45; Thu, 05 Mar 2015 12:19:14 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-206.messagelabs.com!1425557952!13209899!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 17876 invoked from network); 5 Mar 2015 12:19:13 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 5 Mar 2015 12:19:13 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YTUk5-00089A-8c; Thu, 05 Mar 2015 12:19:05 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YTUk4-0001zw-QW; Thu, 05 Mar 2015 12:19:04 +0000 Date: Thu, 05 Mar 2015 12:19:04 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 121 (CVE-2015-2044) - Information leak via internal x86 system device emulation X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2044 / XSA-121 version 3 Information leak via internal x86 system device emulation UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Emulation routines in the hypervisor dealing with certain system devices check whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents are copied into the destination of the operation, thus becoming visible to the guest. IMPACT ====== A malicious HVM guest might be able to read sensitive data relating to other guests. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. Only HVM guests can take advantage of this vulnerability. Only x86 systems are vulnerable. ARM systems are not vulnerable. MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. xsa121.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa121*.patch e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268 xsa121.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU+EmOAAoJEIP+FMlX6CvZnU0IAJZE8lD0dqlM9RyIMopSOZwp CYEVhmk03UsTIpJci1zVg+QUs7owe/p6tamuy4B/XFG6tGs4vsqVeUk8lvs8/Gzs 6RsEkHvOdy1Np9r8vCp2SShKsom0dE13t3JwAY+mftJNHFN2QTPmHbfi8XpnVotm 1nsLXl+8FAWa+d3ZULQTZXKJw6f2dNuXu9NHIvaNzP+IffJ6zKLPr9b8Va71yztA 0MPuUziRxVoJ5xWtoceN4qEdsnIZo5N9JN90fZSGSdiR976Qh1lhMu1ak4aVcNJa qljKSQQPOmfyHjyKsULvLlCYUldonkIfBVaJ+5QmZEVPMCDxig36m49QMOCNwOg= =BATt -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa121.patch" Content-Disposition: attachment; filename="xsa121.patch" Content-Transfer-Encoding: base64 eDg2L0hWTTogcmV0dXJuIGFsbCBvbmVzIG9uIHdyb25nLXNpemVkIHJlYWRz IG9mIHN5c3RlbSBkZXZpY2UgSS9PIHBvcnRzCgpTbyBmYXIgdGhlIHZhbHVl IHByZXNlbnRlZCB0byB0aGUgZ3Vlc3QgcmVtYWluZWQgdW5pbml0aWFsaXpl ZC4KClRoaXMgaXMgQ1ZFLTIwMTUtMjA0NCAvIFhTQS0xMjEuCgpTaWduZWQt b2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+CkFja2Vk LWJ5OiBJYW4gQ2FtcGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgoK LS0tIGEveGVuL2FyY2gveDg2L2h2bS9pODI1NC5jCisrKyBiL3hlbi9hcmNo L3g4Ni9odm0vaTgyNTQuYwpAQCAtNDg2LDYgKzQ4Niw3IEBAIHN0YXRpYyBp bnQgaGFuZGxlX3BpdF9pbygKICAgICBpZiAoIGJ5dGVzICE9IDEgKQogICAg IHsKICAgICAgICAgZ2RwcmludGsoWEVOTE9HX1dBUk5JTkcsICJQSVQgYmFk IGFjY2Vzc1xuIik7CisgICAgICAgICp2YWwgPSB+MDsKICAgICAgICAgcmV0 dXJuIFg4NkVNVUxfT0tBWTsKICAgICB9CiAKLS0tIGEveGVuL2FyY2gveDg2 L2h2bS9wbXRpbWVyLmMKKysrIGIveGVuL2FyY2gveDg2L2h2bS9wbXRpbWVy LmMKQEAgLTIxMyw2ICsyMTMsNyBAQCBzdGF0aWMgaW50IGhhbmRsZV9wbXRf aW8oCiAgICAgaWYgKCBieXRlcyAhPSA0ICkKICAgICB7CiAgICAgICAgIGdk cHJpbnRrKFhFTkxPR19XQVJOSU5HLCAiSFZNX1BNVCBiYWQgYWNjZXNzXG4i KTsKKyAgICAgICAgKnZhbCA9IH4wOwogICAgICAgICByZXR1cm4gWDg2RU1V TF9PS0FZOwogICAgIH0KICAgICAKLS0tIGEveGVuL2FyY2gveDg2L2h2bS9y dGMuYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3J0Yy5jCkBAIC03MDMsNyAr NzAzLDggQEAgc3RhdGljIGludCBoYW5kbGVfcnRjX2lvKAogCiAgICAgaWYg KCBieXRlcyAhPSAxICkKICAgICB7Ci0gICAgICAgIGdkcHJpbnRrKFhFTkxP R19XQVJOSU5HLCAiSFZNX1JUQyBiYXMgYWNjZXNzXG4iKTsKKyAgICAgICAg Z2RwcmludGsoWEVOTE9HX1dBUk5JTkcsICJIVk1fUlRDIGJhZCBhY2Nlc3Nc biIpOworICAgICAgICAqdmFsID0gfjA7CiAgICAgICAgIHJldHVybiBYODZF TVVMX09LQVk7CiAgICAgfQogICAgIAotLS0gYS94ZW4vYXJjaC94ODYvaHZt L3ZwaWMuYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3ZwaWMuYwpAQCAtMzMx LDYgKzMzMSw3IEBAIHN0YXRpYyBpbnQgdnBpY19pbnRlcmNlcHRfcGljX2lv KAogICAgIGlmICggYnl0ZXMgIT0gMSApCiAgICAgewogICAgICAgICBnZHBy aW50ayhYRU5MT0dfV0FSTklORywgIlBJQ19JTyBiYWQgYWNjZXNzIHNpemUg JWRcbiIsIGJ5dGVzKTsKKyAgICAgICAgKnZhbCA9IH4wOwogICAgICAgICBy ZXR1cm4gWDg2RU1VTF9PS0FZOwogICAgIH0KIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 10 12:02:22 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 10 Mar 2015 12:02:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqj-00067e-Bk; Tue, 10 Mar 2015 12:01:25 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqh-00067E-T0; Tue, 10 Mar 2015 12:01:24 +0000 Received: from [85.158.139.211] by server-11.bemta-5.messagelabs.com id 29/5E-22941-21DDEF45; Tue, 10 Mar 2015 12:01:22 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-16.tower-206.messagelabs.com!1425988880!11445887!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11240 invoked from network); 10 Mar 2015 12:01:21 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-16.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 10 Mar 2015 12:01:21 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqZ-0001dS-ND; Tue, 10 Mar 2015 12:01:15 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YVIqQ-0002vG-E4; Tue, 10 Mar 2015 12:01:14 +0000 Date: Tue, 10 Mar 2015 12:01:06 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 120 (CVE-2015-2150) - Non-maskable interrupts triggerable by guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2150 / XSA-120 version 4 Non-maskable interrupts triggerable by guests UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Guests are currently permitted to modify all of the (writable) bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case subsequent accesses to the respective MMIO or I/O port ranges would - - on PCI Express devices - lead to Unsupported Request responses. The treatmeant of such errors is platform specific. IMPACT ====== In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Upstream Linux versions 3.1 and onwards are vulnerable due to supporting PCI backend functionality. Other Linux versions as well as other OS versions may be vulnerable too. Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted guests. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue for the indicated versions of Linux, but only for ordinary PCI config space accesses by the guest. See XSA-124 for all other cases. xsa120.patch Linux 3.19 xsa120-classic.patch linux-2.6.18-xen.hg $ sha256sum xsa120*.patch ecd4568d418d6e275f1eebdba4867e7cfdc6a487292db0e9eff0e9e7e2c91826 xsa120-classic.patch 32441fd3930848f7533f74376648fbeb5e35870661e1259860fe10f9a1f67f88 xsa120.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU/tzUAAoJEIP+FMlX6CvZcDcIALHGaamMEPKtOANKkWW7cxJz zWrgU+6cg/slx6wlgTnHB0/9N/zb9VPUZO3j7TS4VNL6z5zu3S1aTelo5w0F5j2N rbQrmnJ56P7iTGU0UwerueGPUzRAOqw5JNJK/i7Y2nZo/r7Y8IkwZub8nxpeBaPF YN3gqd7iTmq5IkM0mQNUuSmneLlMVX32dITSatKjaUNaBI54aH8byM+lUjdFyUYv tKjb6HJD0upo7e5MPmchC1+/1B+Jm7YfAIMJ6Mn168pHMSy9Zn0p0zFeVGCA41u7 L28yDiIVfu1XWcOLWryAQQ4e/rMv1Bpy7Q259SUUj4bUiQDmRdqOdZmaXHlO/Po= =H+jB -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa120-classic.patch" Content-Disposition: attachment; filename="xsa120-classic.patch" Content-Transfer-Encoding: base64 cGNpYmFjazogbGltaXQgZ3Vlc3QgY29udHJvbCBvZiBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTIxNTAgLyBYU0Et MTIwLgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogS29ucmFkIFJ6ZXN6dXRlayBXaWxrIDxr b25yYWQud2lsa0BvcmFjbGUuY29tPgoKLS0tIGEvZHJpdmVycy94ZW4vcGNp YmFjay9jb25mX3NwYWNlLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9j b25mX3NwYWNlLmMKQEAgLTE1LDcgKzE1LDcgQEAKICNpbmNsdWRlICJjb25m X3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9xdWlya3MuaCIKIAot c3RhdGljIGludCBwZXJtaXNzaXZlOworaW50IHBlcm1pc3NpdmU7CiBtb2R1 bGVfcGFyYW0ocGVybWlzc2l2ZSwgYm9vbCwgMDY0NCk7CiAKICNkZWZpbmUg REVGSU5FX1BDSV9DT05GSUcob3Asc2l6ZSx0eXBlKSAJCQlcCi0tLSBhL2Ry aXZlcnMveGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCisrKyBiL2RyaXZlcnMv eGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCkBAIC02NCw2ICs2NCw4IEBAIHN0 cnVjdCBjb25maWdfZmllbGRfZW50cnkgewogCXZvaWQgKmRhdGE7CiB9Owog CitleHRlcm4gaW50IHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZGU0VUKGNm Z19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2ZnX2VudHJ5 KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBhIGRldmlj ZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0IGEgcG9p bnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi9wY2liYWNrL2NvbmZfc3BhY2Vf aGVhZGVyLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9jb25mX3NwYWNl X2hlYWRlci5jCkBAIC05LDYgKzksMTAgQEAKICNpbmNsdWRlICJwY2liYWNr LmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZS5oIgogCitzdHJ1Y3QgcGNpX2Nt ZF9pbmZvIHsKKwl1MTYgdmFsOworfTsKKwogc3RydWN0IHBjaV9iYXJfaW5m byB7CiAJdTMyIHZhbDsKIAl1MzIgbGVuX3ZhbDsKQEAgLTE4LDI4ICsyMiw0 NSBAQCBzdHJ1Y3QgcGNpX2Jhcl9pbmZvIHsKICNkZWZpbmUgaXNfZW5hYmxl X2NtZCh2YWx1ZSkgKCh2YWx1ZSkmKFBDSV9DT01NQU5EX01FTU9SWXxQQ0lf Q09NTUFORF9JTykpCiAjZGVmaW5lIGlzX21hc3Rlcl9jbWQodmFsdWUpICgo dmFsdWUpJlBDSV9DT01NQU5EX01BU1RFUikKIAotc3RhdGljIGludCBjb21t YW5kX3JlYWQoc3RydWN0IHBjaV9kZXYgKmRldiwgaW50IG9mZnNldCwgdTE2 ICp2YWx1ZSwgdm9pZCAqZGF0YSkKKy8qIEJpdHMgZ3Vlc3RzIGFyZSBhbGxv d2VkIHRvIGNvbnRyb2wgaW4gcGVybWlzc2l2ZSBtb2RlLiAqLworI2RlZmlu ZSBQQ0lfQ09NTUFORF9HVUVTVCAoUENJX0NPTU1BTkRfTUFTVEVSfFBDSV9D T01NQU5EX1NQRUNJQUx8IFwKKwkJCSAgIFBDSV9DT01NQU5EX0lOVkFMSURB VEV8UENJX0NPTU1BTkRfVkdBX1BBTEVUVEV8IFwKKwkJCSAgIFBDSV9DT01N QU5EX1dBSVR8UENJX0NPTU1BTkRfRkFTVF9CQUNLKQorCitzdGF0aWMgdm9p ZCAqY29tbWFuZF9pbml0KHN0cnVjdCBwY2lfZGV2ICpkZXYsIGludCBvZmZz ZXQpCiB7Ci0JaW50IGk7Ci0JaW50IHJldDsKKwlzdHJ1Y3QgcGNpX2NtZF9p bmZvICpjbWQgPSBrbWFsbG9jKHNpemVvZigqY21kKSwgR0ZQX0tFUk5FTCk7 CisJaW50IGVycjsKKworCWlmICghY21kKQorCQlyZXR1cm4gRVJSX1BUUigt RU5PTUVNKTsKIAotCXJldCA9IHBjaWJhY2tfcmVhZF9jb25maWdfd29yZChk ZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEpOwotCWlmICghZGV2LT5pc19lbmFi bGVkKQotCQlyZXR1cm4gcmV0OwotCi0JZm9yIChpID0gMDsgaSA8IFBDSV9S T01fUkVTT1VSQ0U7IGkrKykgewotCQlpZiAoZGV2LT5yZXNvdXJjZVtpXS5m bGFncyAmIElPUkVTT1VSQ0VfSU8pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1B TkRfSU87Ci0JCWlmIChkZXYtPnJlc291cmNlW2ldLmZsYWdzICYgSU9SRVNP VVJDRV9NRU0pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwor CWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgUENJX0NPTU1BTkQs ICZjbWQtPnZhbCk7CisJaWYgKGVycikgeworCQlrZnJlZShjbWQpOworCQly ZXR1cm4gRVJSX1BUUihlcnIpOwogCX0KIAorCXJldHVybiBjbWQ7Cit9CisK K3N0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCit7CisJaW50 IHJldCA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1 ZSk7CisJY29uc3Qgc3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0gZGF0YTsK KworCSp2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwkqdmFsdWUgfD0g Y21kLT52YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcmV0 OwogfQogCiBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9k ZXYgKmRldiwgaW50IG9mZnNldCwgdTE2IHZhbHVlLCB2b2lkICpkYXRhKQog ewogCWludCBlcnI7CisJdTE2IHZhbDsKKwlzdHJ1Y3QgcGNpX2NtZF9pbmZv ICpjbWQgPSBkYXRhOworCXN0cnVjdCBwY2liYWNrX2Rldl9kYXRhICpkZXZf ZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwogCiAJaWYgKCFkZXYtPmlz X2VuYWJsZWQgJiYgaXNfZW5hYmxlX2NtZCh2YWx1ZSkpIHsKIAkJaWYgKHVu bGlrZWx5KHZlcmJvc2VfcmVxdWVzdCkpCkBAIC03Niw2ICs5NywxOCBAQCBz dGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiAJCX0K IAl9CiAKKwljbWQtPnZhbCA9IHZhbHVlOworCisJaWYgKCFwZXJtaXNzaXZl ICYmICghZGV2X2RhdGEgfHwgIWRldl9kYXRhLT5wZXJtaXNzaXZlKSkKKwkJ cmV0dXJuIDA7CisKKwkvKiBPbmx5IGFsbG93IHRoZSBndWVzdCB0byBjb250 cm9sIGNlcnRhaW4gYml0cy4gKi8KKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgJnZhbCk7CisJaWYgKGVyciB8fCB2YWwgPT0g dmFsdWUpCisJCXJldHVybiBlcnI7CisJdmFsdWUgJj0gUENJX0NPTU1BTkRf R1VFU1Q7CisJdmFsdWUgfD0gdmFsICYgflBDSV9DT01NQU5EX0dVRVNUOwor CiAJcmV0dXJuIHBjaV93cml0ZV9jb25maWdfd29yZChkZXYsIG9mZnNldCwg dmFsdWUpOwogfQogCkBAIC0yNzUsNiArMzA4LDggQEAgc3RhdGljIGNvbnN0 IHN0cnVjdCBjb25maWdfZmllbGQgaGVhZGVyXwogCXsKIAkgLm9mZnNldCAg ICA9IFBDSV9DT01NQU5ELAogCSAuc2l6ZSAgICAgID0gMiwKKwkgLmluaXQg ICAgICA9IGNvbW1hbmRfaW5pdCwKKwkgLnJlbGVhc2UgICA9IGJhcl9yZWxl YXNlLAogCSAudS53LnJlYWQgID0gY29tbWFuZF9yZWFkLAogCSAudS53Lndy aXRlID0gY29tbWFuZF93cml0ZSwKIAl9LAo= --=separator Content-Type: application/octet-stream; name="xsa120.patch" Content-Disposition: attachment; filename="xsa120.patch" Content-Transfer-Encoding: base64 eGVuLXBjaWJhY2s6IGxpbWl0IGd1ZXN0IGNvbnRyb2wgb2YgY29tbWFuZCBy ZWdpc3RlcgoKT3RoZXJ3aXNlIHRoZSBndWVzdCBjYW4gYWJ1c2UgdGhhdCBj b250cm9sIHRvIGNhdXNlIGUuZy4gUENJZQpVbnN1cHBvcnRlZCBSZXF1ZXN0 IHJlc3BvbnNlcyAoYnkgZGlzYWJsaW5nIG1lbW9yeSBhbmQvb3IgSS9PIGRl Y29kaW5nCmFuZCBzdWJzZXF1ZW50bHkgY2F1c2luZyBbQ1BVIHNpZGVdIGFj Y2Vzc2VzIHRvIHRoZSByZXNwZWN0aXZlIGFkZHJlc3MKcmFuZ2VzKSwgd2hp Y2ggKGRlcGVuZGluZyBvbiBzeXN0ZW0gY29uZmlndXJhdGlvbikgbWF5IGJl IGZhdGFsIHRvIHRoZQpob3N0LgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUwIC8g WFNBLTEyMC4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGlj aEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2ls ayA8a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KCi0tLSBhL2RyaXZlcnMveGVu L3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuYworKysgYi9kcml2ZXJzL3hlbi94 ZW4tcGNpYmFjay9jb25mX3NwYWNlLmMKQEAgLTE2LDcgKzE2LDcgQEAKICNp bmNsdWRlICJjb25mX3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9x dWlya3MuaCIKIAotc3RhdGljIGJvb2wgcGVybWlzc2l2ZTsKK2Jvb2wgcGVy bWlzc2l2ZTsKIG1vZHVsZV9wYXJhbShwZXJtaXNzaXZlLCBib29sLCAwNjQ0 KTsKIAogLyogVGhpcyBpcyB3aGVyZSB4ZW5fcGNpYmtfcmVhZF9jb25maWdf Ynl0ZSwgeGVuX3BjaWJrX3JlYWRfY29uZmlnX3dvcmQsCi0tLSBhL2RyaXZl cnMveGVuL3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuaAorKysgYi9kcml2ZXJz L3hlbi94ZW4tcGNpYmFjay9jb25mX3NwYWNlLmgKQEAgLTY0LDYgKzY0LDgg QEAgc3RydWN0IGNvbmZpZ19maWVsZF9lbnRyeSB7CiAJdm9pZCAqZGF0YTsK IH07CiAKK2V4dGVybiBib29sIHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZG U0VUKGNmZ19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2Zn X2VudHJ5KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBh IGRldmljZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0 IGEgcG9pbnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi94ZW4tcGNpYmFjay9j b25mX3NwYWNlX2hlYWRlci5jCisrKyBiL2RyaXZlcnMveGVuL3hlbi1wY2li YWNrL2NvbmZfc3BhY2VfaGVhZGVyLmMKQEAgLTExLDYgKzExLDEwIEBACiAj aW5jbHVkZSAicGNpYmFjay5oIgogI2luY2x1ZGUgImNvbmZfc3BhY2UuaCIK IAorc3RydWN0IHBjaV9jbWRfaW5mbyB7CisJdTE2IHZhbDsKK307CisKIHN0 cnVjdCBwY2lfYmFyX2luZm8gewogCXUzMiB2YWw7CiAJdTMyIGxlbl92YWw7 CkBAIC0yMCwyMiArMjQsMzYgQEAgc3RydWN0IHBjaV9iYXJfaW5mbyB7CiAj ZGVmaW5lIGlzX2VuYWJsZV9jbWQodmFsdWUpICgodmFsdWUpJihQQ0lfQ09N TUFORF9NRU1PUll8UENJX0NPTU1BTkRfSU8pKQogI2RlZmluZSBpc19tYXN0 ZXJfY21kKHZhbHVlKSAoKHZhbHVlKSZQQ0lfQ09NTUFORF9NQVNURVIpCiAK LXN0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCisvKiBCaXRz IGd1ZXN0cyBhcmUgYWxsb3dlZCB0byBjb250cm9sIGluIHBlcm1pc3NpdmUg bW9kZS4gKi8KKyNkZWZpbmUgUENJX0NPTU1BTkRfR1VFU1QgKFBDSV9DT01N QU5EX01BU1RFUnxQQ0lfQ09NTUFORF9TUEVDSUFMfCBcCisJCQkgICBQQ0lf Q09NTUFORF9JTlZBTElEQVRFfFBDSV9DT01NQU5EX1ZHQV9QQUxFVFRFfCBc CisJCQkgICBQQ0lfQ09NTUFORF9XQUlUfFBDSV9DT01NQU5EX0ZBU1RfQkFD SykKKworc3RhdGljIHZvaWQgKmNvbW1hbmRfaW5pdChzdHJ1Y3QgcGNpX2Rl diAqZGV2LCBpbnQgb2Zmc2V0KQogewotCWludCBpOwotCWludCByZXQ7CisJ c3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0ga21hbGxvYyhzaXplb2YoKmNt ZCksIEdGUF9LRVJORUwpOworCWludCBlcnI7CiAKLQlyZXQgPSB4ZW5fcGNp YmtfcmVhZF9jb25maWdfd29yZChkZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEp OwotCWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSkKLQkJcmV0dXJuIHJldDsK LQotCWZvciAoaSA9IDA7IGkgPCBQQ0lfUk9NX1JFU09VUkNFOyBpKyspIHsK LQkJaWYgKGRldi0+cmVzb3VyY2VbaV0uZmxhZ3MgJiBJT1JFU09VUkNFX0lP KQotCQkJKnZhbHVlIHw9IFBDSV9DT01NQU5EX0lPOwotCQlpZiAoZGV2LT5y ZXNvdXJjZVtpXS5mbGFncyAmIElPUkVTT1VSQ0VfTUVNKQotCQkJKnZhbHVl IHw9IFBDSV9DT01NQU5EX01FTU9SWTsKKwlpZiAoIWNtZCkKKwkJcmV0dXJu IEVSUl9QVFIoLUVOT01FTSk7CisKKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIFBDSV9DT01NQU5ELCAmY21kLT52YWwpOworCWlmIChlcnIp IHsKKwkJa2ZyZWUoY21kKTsKKwkJcmV0dXJuIEVSUl9QVFIoZXJyKTsKIAl9 CiAKKwlyZXR1cm4gY21kOworfQorCitzdGF0aWMgaW50IGNvbW1hbmRfcmVh ZChzdHJ1Y3QgcGNpX2RldiAqZGV2LCBpbnQgb2Zmc2V0LCB1MTYgKnZhbHVl LCB2b2lkICpkYXRhKQoreworCWludCByZXQgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgdmFsdWUpOworCWNvbnN0IHN0cnVjdCBwY2lf Y21kX2luZm8gKmNtZCA9IGRhdGE7CisKKwkqdmFsdWUgJj0gUENJX0NPTU1B TkRfR1VFU1Q7CisJKnZhbHVlIHw9IGNtZC0+dmFsICYgflBDSV9DT01NQU5E X0dVRVNUOworCiAJcmV0dXJuIHJldDsKIH0KIApAQCAtNDMsNiArNjEsOCBA QCBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiB7 CiAJc3RydWN0IHhlbl9wY2lia19kZXZfZGF0YSAqZGV2X2RhdGE7CiAJaW50 IGVycjsKKwl1MTYgdmFsOworCXN0cnVjdCBwY2lfY21kX2luZm8gKmNtZCA9 IGRhdGE7CiAKIAlkZXZfZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwog CWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSAmJiBpc19lbmFibGVfY21kKHZh bHVlKSkgewpAQCAtODMsNiArMTAxLDE4IEBAIHN0YXRpYyBpbnQgY29tbWFu ZF93cml0ZShzdHJ1Y3QgcGNpX2RldiAKIAkJfQogCX0KIAorCWNtZC0+dmFs ID0gdmFsdWU7CisKKwlpZiAoIXBlcm1pc3NpdmUgJiYgKCFkZXZfZGF0YSB8 fCAhZGV2X2RhdGEtPnBlcm1pc3NpdmUpKQorCQlyZXR1cm4gMDsKKworCS8q IE9ubHkgYWxsb3cgdGhlIGd1ZXN0IHRvIGNvbnRyb2wgY2VydGFpbiBiaXRz LiAqLworCWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0 LCAmdmFsKTsKKwlpZiAoZXJyIHx8IHZhbCA9PSB2YWx1ZSkKKwkJcmV0dXJu IGVycjsKKwl2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwl2YWx1ZSB8 PSB2YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcGNpX3dy aXRlX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1ZSk7CiB9CiAKQEAg LTI4Miw2ICszMTIsOCBAQCBzdGF0aWMgY29uc3Qgc3RydWN0IGNvbmZpZ19m aWVsZCBoZWFkZXJfCiAJewogCSAub2Zmc2V0ICAgID0gUENJX0NPTU1BTkQs CiAJIC5zaXplICAgICAgPSAyLAorCSAuaW5pdCAgICAgID0gY29tbWFuZF9p bml0LAorCSAucmVsZWFzZSAgID0gYmFyX3JlbGVhc2UsCiAJIC51LncucmVh ZCAgPSBjb21tYW5kX3JlYWQsCiAJIC51Lncud3JpdGUgPSBjb21tYW5kX3dy aXRlLAogCX0sCg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 10 12:02:22 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 10 Mar 2015 12:02:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIrL-0006Qp-Ve; Tue, 10 Mar 2015 12:02:03 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIrJ-0006PT-0b; Tue, 10 Mar 2015 12:02:01 +0000 Received: from [193.109.254.147] by server-12.bemta-14.messagelabs.com id A1/CD-02755-22DDEF45; Tue, 10 Mar 2015 12:01:38 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-12.tower-27.messagelabs.com!1425988887!16170012!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 9442 invoked from network); 10 Mar 2015 12:01:28 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-12.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 10 Mar 2015 12:01:28 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqd-0001de-Rh; Tue, 10 Mar 2015 12:01:19 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YVIqd-00033H-Pd; Tue, 10 Mar 2015 12:01:19 +0000 Date: Tue, 10 Mar 2015 12:01:19 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 123 (CVE-2015-2151) - Hypervisor memory corruption due to x86 emulator flaw X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2151 / XSA-123 version 4 Hypervisor memory corruption due to x86 emulator flaw UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. IMPACT ====== A malicious guest might be able to read sensitive data relating to other guests, or to cause denial of service on the host. Arbitrary code execution, and therefore privilege escalation, cannot be excluded. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. Only x86 systems are vulnerable. ARM systems are not vulnerable. MITIGATION ========== There is no mitigation available for this issue. CREDITS ======= This issue was discovered by Felix Wilhelm of ERNW GmbH. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa123.patch xen-unstable, Xen 4.5.x, Xen 4.4.x xsa123-4.3-4.2.patch Xen 4.3.x, Xen 4.2.x $ sha256sum xsa123*.patch e6da3a2c35b50e163b15100ef28a48dca429160104f346fc82be4711fe60f64f xsa123-4.3-4.2.patch 994cf1487ec5c455fce4877168901e03283f0002062dcff8895a17ca30e010df xsa123.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU/tzZAAoJEIP+FMlX6CvZV64IAJOsaNqXoLZQ0sAdfJpE6lnv KtYzXixzTTrP87cWmkYfkLTcuQdMJKUNe00xRoEP2ES1I2XUC4dy9MrlaTpHOJ27 hZ1OpDkiOOk6B8Scf1PI6pvXZXzpnoQITPRhxUgPawIBrtPW/OP8pdUbTeGsw3MJ hUjixTBT+Ok2Geq1U/Ki+aNe+lnLOjkuivH2nkZGsWYrRAm7Uypmtn9obQzZ4piB OGDAsuHSXtOPGgmtztj+NW8PJ+6oURkBi0ITtc12lUwJodQV9OIOsvqD3d+HW6OC 4K1gkSor+coTS6jmoU2YU1UnPBMy4irgmg1XojwWZb+FC7lHQDD24wMSs1LVJ7c= =E2Oh -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa123-4.3-4.2.patch" Content-Disposition: attachment; filename="xsa123-4.3-4.2.patch" Content-Transfer-Encoding: base64 eDg2ZW11bDogZnVsbHkgaWdub3JlIHNlZ21lbnQgb3ZlcnJpZGUgZm9yIHJl Z2lzdGVyLW9ubHkgb3BlcmF0aW9ucwoKRm9yIE1vZFJNIGVuY29kZWQgaW5z dHJ1Y3Rpb25zIHdpdGggcmVnaXN0ZXIgb3BlcmFuZHMgd2UgbXVzdCBub3QK b3ZlcndyaXRlIGVhLm1lbS5zZWcgKGlmIGEgLSBib2d1cyBpbiB0aGF0IGNh c2UgLSBzZWdtZW50IG92ZXJyaWRlIHdhcwpwcmVzZW50KSBhcyBpdCBhbGlh c2VzIHdpdGggZWEucmVnLgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUxIC8gWFNB LTEyMy4KClJlcG9ydGVkLWJ5OiBGZWxpeCBXaWxoZWxtIDxmd2lsaGVsbUBl cm53LmRlPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+ClJldmlld2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1AeGVuLm9y Zz4KUmV2aWV3ZWQtYnk6IEtlaXIgRnJhc2VyIDxrZWlyQHhlbi5vcmc+Cgot LS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwor KysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwpA QCAtMTY0MCw3ICsxNjQwLDcgQEAgeDg2X2VtdWxhdGUoCiAgICAgICAgIH0K ICAgICB9CiAKLSAgICBpZiAoIG92ZXJyaWRlX3NlZyAhPSAtMSApCisgICAg aWYgKCBvdmVycmlkZV9zZWcgIT0gLTEgJiYgZWEudHlwZSA9PSBPUF9NRU0g KQogICAgICAgICBlYS5tZW0uc2VnID0gb3ZlcnJpZGVfc2VnOwogCiAgICAg LyogRGVjb2RlIGFuZCBmZXRjaCB0aGUgc291cmNlIG9wZXJhbmQ6IHJlZ2lz dGVyLCBtZW1vcnkgb3IgaW1tZWRpYXRlLiAqLwo= --=separator Content-Type: application/octet-stream; name="xsa123.patch" Content-Disposition: attachment; filename="xsa123.patch" Content-Transfer-Encoding: base64 eDg2ZW11bDogZnVsbHkgaWdub3JlIHNlZ21lbnQgb3ZlcnJpZGUgZm9yIHJl Z2lzdGVyLW9ubHkgb3BlcmF0aW9ucwoKRm9yIE1vZFJNIGVuY29kZWQgaW5z dHJ1Y3Rpb25zIHdpdGggcmVnaXN0ZXIgb3BlcmFuZHMgd2UgbXVzdCBub3QK b3ZlcndyaXRlIGVhLm1lbS5zZWcgKGlmIGEgLSBib2d1cyBpbiB0aGF0IGNh c2UgLSBzZWdtZW50IG92ZXJyaWRlIHdhcwpwcmVzZW50KSBhcyBpdCBhbGlh c2VzIHdpdGggZWEucmVnLgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUxIC8gWFNB LTEyMy4KClJlcG9ydGVkLWJ5OiBGZWxpeCBXaWxoZWxtIDxmd2lsaGVsbUBl cm53LmRlPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+ClJldmlld2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1AeGVuLm9y Zz4KUmV2aWV3ZWQtYnk6IEtlaXIgRnJhc2VyIDxrZWlyQHhlbi5vcmc+Cgot LS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwor KysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwpA QCAtMTc1Nyw3ICsxNzU3LDcgQEAgeDg2X2VtdWxhdGUoCiAgICAgICAgIH0K ICAgICB9CiAKLSAgICBpZiAoIG92ZXJyaWRlX3NlZyAhPSAtMSApCisgICAg aWYgKCBvdmVycmlkZV9zZWcgIT0gLTEgJiYgZWEudHlwZSA9PSBPUF9NRU0g KQogICAgICAgICBlYS5tZW0uc2VnID0gb3ZlcnJpZGVfc2VnOwogCiAgICAg LyogRWFybHkgb3BlcmFuZCBhZGp1c3RtZW50cy4gKi8K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 10 12:02:22 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 10 Mar 2015 12:02:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqa-00064i-TD; Tue, 10 Mar 2015 12:01:16 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqZ-000611-QU; Tue, 10 Mar 2015 12:01:16 +0000 Received: from [85.158.137.68] by server-7.bemta-3.messagelabs.com id A9/25-03163-A0DDEF45; Tue, 10 Mar 2015 12:01:14 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-31.messagelabs.com!1425988871!14748458!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 27678 invoked from network); 10 Mar 2015 12:01:12 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-8.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 10 Mar 2015 12:01:12 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqK-0001cj-4B; Tue, 10 Mar 2015 12:01:00 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YVIqJ-0002tg-Jt; Tue, 10 Mar 2015 12:00:59 +0000 Date: Tue, 10 Mar 2015 12:00:59 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 124 - Non-standard PCI device functionality may render pass-through insecure X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-124 version 2 Non-standard PCI device functionality may render pass-through insecure UPDATES IN VERSION 2 ==================== Clarify scope. PCI config space backdoors are just one example. Provide more examples of potential problems. Provide some additional mitigation options. Public release. ISSUE DESCRIPTION ================= Devices with capabilities or defects that are undocumented or that virtualization software is unaware of may allow guests to control parts of the host that they shouldn't be in control of. Here are some examples of the kind of problem: * While XSA-120 deals with standard PCI config space accesses to the PCI control word, various devices have alternative methods to read and modify config space values. A guest which has been given such a device can definitely cause a host DoS; worse attacks cannot be ruled out. * Devices which are physically integrated into the system chipset might have undocumented direct access to memory or other resources (as well as the documented access via the IOMMU). A guest with such a device is likely to be able to gain control of the host. * Many devices permit (or require) the loading or updating of the firmware on the device. Bad firmware is likely to be able to violate the PCI protocols (depending on the physical circuitry on the device). The impact of such violations is difficult to assess in the abstract. Malicious firmware might also be able to cause electrical problems for the PCI bus, system power supply, and other circuitry. This could be used to mount fault-injection attacks, or even to cause damage to hardware. Again, this will depend on the details of the device, but in general defending against bad firmware would require additional electronics. Therefore the Xen Project Security Team expects that devices which support firmware loading are unlikely to be robust against malicious firmware unless that robustness has been specifically engineered. Since the details are device specific, special workarounds would need to be developed for any such device for which secure pass-through is desired. Developing such workarounds is a task presenting multiple challenges, particularly since the hardware details are often not officially documented, and is beyond the scope of normal security fixes. The Xen Project Security Team is therefore adopting an exceptional process for these kind of problems. See below for details of that exceptional process, and for the scope of the exception. IMPACT ====== Passing through a device providing such mechanisms, which bypass or subvert the software layers that ensure security and correctness, may expose the host to guest induced information leaks, host crashes, and privilege escalation. VULNERABLE SYSTEMS ================== Only systems where physical PCI devices are passed through to untrusted guests are affected. All hypervisors supporting PCI passthrough are exposed to this kind of problem; this includes all versions of Xen which support PCI passthrough. Only x86 Xen systems are currently affected. ARM systems are not currently affected when running Xen due to not supporting pass-through. However once this feature is implemented ARM systems will become vulnerable to this class of bugs and subject to the exceptional handling described in this advisory. Devices specifically designed and advertised for secure PCI passthrough (for example, SR-IOV virtual functions) are outside the scope of this advisory, and outside the process exception. We are not aware of problems with any such devices at the present time, and any vulnerabilities which we become aware of will be handled in the normal way. Any other PCI devices might cause vulnerablities, and are subject to the exception. Whether a specific system is actually vulnerable depends on the characteristics of the PCI device being passed through: * The device behaviour will usually depend on the specific firmware loaded onto the device itself; if such firmware is (or can be) loaded by guests, the device is probably vulnerable (unless its manufacturer has specifically advertised to the contrary). * Other devices should be assumed to be vulnerable unless the complete functionality is known, and has been reviewed in the context of PCI passthrough security. MITIGATION ========== Not passing through any physical devices to guests will avoid this vulnerability. This vulnerability can also be avoided by only passing through devices the entire scope of whose functionality is known and has been reviewed for PCI passthrough security and correctness, or only devices specifically and correctly designed to be passed through in a secure manner (for example, SR-IOV virtual functions). If the functionality of a PCI device needs to be exposed to an untrusted guest, PCI passthrough related vulnerabilities can be avoided by offering the guest that functionality via a higher-level protocol. For example: rather than PCI passthrough of a storage controller, offer the guest Xen paravirtualised block devices, or configure the guest as a client for a SAN protocol (such as NBD or iSCSI); rather than passing through a graphics controller, provide the guest with a Xen paravirtualised framebuffer, or have the guest export applications via a network terminal protocol (such as X11 or VNC). RESOLUTION ========== For affected devices, no reasonable resolution in software is possible. "Unreasonable" resolution might be possible for specific devices, where the complete scope of the device's functionality is known. In such a case it might be possible to write device-specific workaround code to eliminate the vulnerabilities. The Xen Project Security Team does not intend to develop software along those lines. NOTE REGARDING CVE ================== MITRE have provisionally concluded that this Xen Security Advisory does not describe a vulnerability for which they should issue a CVE Identifier. PROCESS FOR HARDWARE RELATED PASS-THROUGH VULNERABILITIES ========================================================= Unless affected hardware is specifically declared to be secure when used with PCI passthrough, the Xen Project Security Team intends (subject of course to the permission of anyone disclosing to us) to handle these and future hardware related PCI pass-through vulnerabilities in public, as if they were normal non-security-related bugs. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU/tzbAAoJEIP+FMlX6CvZWdMH/13dCkBkpLSn4b3CM+637TmC sPGFiS40Q1n1bipGxiug1YoRUsSljDt1kUhGOlYEriPfISkR/XoH2O/3hTnntEKS FTqUt7KLdNKRNif17tyrSuBG9sZy3JHTH0b5tjlOulSUp7pY8UoalwJD0YJpPGv/ BFlP4aySZs9etTfIyN/yfv06zbl+8znZlA1AwTr0UVm7p4Dwz2pMUmfF5N5AVQXS ruWNqnjLjqTleGgG9ZTMLDgPXuylKuFab4BFPeOMqP7p0RoWd4gJV2O7LhHFM0c3 KxCcUtDJolu5QSSsEKq6arWpb1IzzvZ7vXTmaYyw5zdmUR8P5VvE/O2rY2PBM2Q= =bgFa -----END PGP SIGNATURE----- --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 10 12:02:22 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 10 Mar 2015 12:02:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqa-00064i-TD; Tue, 10 Mar 2015 12:01:16 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqZ-000611-QU; Tue, 10 Mar 2015 12:01:16 +0000 Received: from [85.158.137.68] by server-7.bemta-3.messagelabs.com id A9/25-03163-A0DDEF45; Tue, 10 Mar 2015 12:01:14 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-31.messagelabs.com!1425988871!14748458!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 27678 invoked from network); 10 Mar 2015 12:01:12 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-8.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 10 Mar 2015 12:01:12 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqK-0001cj-4B; Tue, 10 Mar 2015 12:01:00 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YVIqJ-0002tg-Jt; Tue, 10 Mar 2015 12:00:59 +0000 Date: Tue, 10 Mar 2015 12:00:59 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 124 - Non-standard PCI device functionality may render pass-through insecure X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-124 version 2 Non-standard PCI device functionality may render pass-through insecure UPDATES IN VERSION 2 ==================== Clarify scope. PCI config space backdoors are just one example. Provide more examples of potential problems. Provide some additional mitigation options. Public release. ISSUE DESCRIPTION ================= Devices with capabilities or defects that are undocumented or that virtualization software is unaware of may allow guests to control parts of the host that they shouldn't be in control of. Here are some examples of the kind of problem: * While XSA-120 deals with standard PCI config space accesses to the PCI control word, various devices have alternative methods to read and modify config space values. A guest which has been given such a device can definitely cause a host DoS; worse attacks cannot be ruled out. * Devices which are physically integrated into the system chipset might have undocumented direct access to memory or other resources (as well as the documented access via the IOMMU). A guest with such a device is likely to be able to gain control of the host. * Many devices permit (or require) the loading or updating of the firmware on the device. Bad firmware is likely to be able to violate the PCI protocols (depending on the physical circuitry on the device). The impact of such violations is difficult to assess in the abstract. Malicious firmware might also be able to cause electrical problems for the PCI bus, system power supply, and other circuitry. This could be used to mount fault-injection attacks, or even to cause damage to hardware. Again, this will depend on the details of the device, but in general defending against bad firmware would require additional electronics. Therefore the Xen Project Security Team expects that devices which support firmware loading are unlikely to be robust against malicious firmware unless that robustness has been specifically engineered. Since the details are device specific, special workarounds would need to be developed for any such device for which secure pass-through is desired. Developing such workarounds is a task presenting multiple challenges, particularly since the hardware details are often not officially documented, and is beyond the scope of normal security fixes. The Xen Project Security Team is therefore adopting an exceptional process for these kind of problems. See below for details of that exceptional process, and for the scope of the exception. IMPACT ====== Passing through a device providing such mechanisms, which bypass or subvert the software layers that ensure security and correctness, may expose the host to guest induced information leaks, host crashes, and privilege escalation. VULNERABLE SYSTEMS ================== Only systems where physical PCI devices are passed through to untrusted guests are affected. All hypervisors supporting PCI passthrough are exposed to this kind of problem; this includes all versions of Xen which support PCI passthrough. Only x86 Xen systems are currently affected. ARM systems are not currently affected when running Xen due to not supporting pass-through. However once this feature is implemented ARM systems will become vulnerable to this class of bugs and subject to the exceptional handling described in this advisory. Devices specifically designed and advertised for secure PCI passthrough (for example, SR-IOV virtual functions) are outside the scope of this advisory, and outside the process exception. We are not aware of problems with any such devices at the present time, and any vulnerabilities which we become aware of will be handled in the normal way. Any other PCI devices might cause vulnerablities, and are subject to the exception. Whether a specific system is actually vulnerable depends on the characteristics of the PCI device being passed through: * The device behaviour will usually depend on the specific firmware loaded onto the device itself; if such firmware is (or can be) loaded by guests, the device is probably vulnerable (unless its manufacturer has specifically advertised to the contrary). * Other devices should be assumed to be vulnerable unless the complete functionality is known, and has been reviewed in the context of PCI passthrough security. MITIGATION ========== Not passing through any physical devices to guests will avoid this vulnerability. This vulnerability can also be avoided by only passing through devices the entire scope of whose functionality is known and has been reviewed for PCI passthrough security and correctness, or only devices specifically and correctly designed to be passed through in a secure manner (for example, SR-IOV virtual functions). If the functionality of a PCI device needs to be exposed to an untrusted guest, PCI passthrough related vulnerabilities can be avoided by offering the guest that functionality via a higher-level protocol. For example: rather than PCI passthrough of a storage controller, offer the guest Xen paravirtualised block devices, or configure the guest as a client for a SAN protocol (such as NBD or iSCSI); rather than passing through a graphics controller, provide the guest with a Xen paravirtualised framebuffer, or have the guest export applications via a network terminal protocol (such as X11 or VNC). RESOLUTION ========== For affected devices, no reasonable resolution in software is possible. "Unreasonable" resolution might be possible for specific devices, where the complete scope of the device's functionality is known. In such a case it might be possible to write device-specific workaround code to eliminate the vulnerabilities. The Xen Project Security Team does not intend to develop software along those lines. NOTE REGARDING CVE ================== MITRE have provisionally concluded that this Xen Security Advisory does not describe a vulnerability for which they should issue a CVE Identifier. PROCESS FOR HARDWARE RELATED PASS-THROUGH VULNERABILITIES ========================================================= Unless affected hardware is specifically declared to be secure when used with PCI passthrough, the Xen Project Security Team intends (subject of course to the permission of anyone disclosing to us) to handle these and future hardware related PCI pass-through vulnerabilities in public, as if they were normal non-security-related bugs. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU/tzbAAoJEIP+FMlX6CvZWdMH/13dCkBkpLSn4b3CM+637TmC sPGFiS40Q1n1bipGxiug1YoRUsSljDt1kUhGOlYEriPfISkR/XoH2O/3hTnntEKS FTqUt7KLdNKRNif17tyrSuBG9sZy3JHTH0b5tjlOulSUp7pY8UoalwJD0YJpPGv/ BFlP4aySZs9etTfIyN/yfv06zbl+8znZlA1AwTr0UVm7p4Dwz2pMUmfF5N5AVQXS ruWNqnjLjqTleGgG9ZTMLDgPXuylKuFab4BFPeOMqP7p0RoWd4gJV2O7LhHFM0c3 KxCcUtDJolu5QSSsEKq6arWpb1IzzvZ7vXTmaYyw5zdmUR8P5VvE/O2rY2PBM2Q= =bgFa -----END PGP SIGNATURE----- --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 10 12:02:22 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 10 Mar 2015 12:02:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqj-00067e-Bk; Tue, 10 Mar 2015 12:01:25 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqh-00067E-T0; Tue, 10 Mar 2015 12:01:24 +0000 Received: from [85.158.139.211] by server-11.bemta-5.messagelabs.com id 29/5E-22941-21DDEF45; Tue, 10 Mar 2015 12:01:22 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-16.tower-206.messagelabs.com!1425988880!11445887!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11240 invoked from network); 10 Mar 2015 12:01:21 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-16.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 10 Mar 2015 12:01:21 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqZ-0001dS-ND; Tue, 10 Mar 2015 12:01:15 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YVIqQ-0002vG-E4; Tue, 10 Mar 2015 12:01:14 +0000 Date: Tue, 10 Mar 2015 12:01:06 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 120 (CVE-2015-2150) - Non-maskable interrupts triggerable by guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2150 / XSA-120 version 4 Non-maskable interrupts triggerable by guests UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Guests are currently permitted to modify all of the (writable) bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case subsequent accesses to the respective MMIO or I/O port ranges would - - on PCI Express devices - lead to Unsupported Request responses. The treatmeant of such errors is platform specific. IMPACT ====== In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Upstream Linux versions 3.1 and onwards are vulnerable due to supporting PCI backend functionality. Other Linux versions as well as other OS versions may be vulnerable too. Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted guests. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue for the indicated versions of Linux, but only for ordinary PCI config space accesses by the guest. See XSA-124 for all other cases. xsa120.patch Linux 3.19 xsa120-classic.patch linux-2.6.18-xen.hg $ sha256sum xsa120*.patch ecd4568d418d6e275f1eebdba4867e7cfdc6a487292db0e9eff0e9e7e2c91826 xsa120-classic.patch 32441fd3930848f7533f74376648fbeb5e35870661e1259860fe10f9a1f67f88 xsa120.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU/tzUAAoJEIP+FMlX6CvZcDcIALHGaamMEPKtOANKkWW7cxJz zWrgU+6cg/slx6wlgTnHB0/9N/zb9VPUZO3j7TS4VNL6z5zu3S1aTelo5w0F5j2N rbQrmnJ56P7iTGU0UwerueGPUzRAOqw5JNJK/i7Y2nZo/r7Y8IkwZub8nxpeBaPF YN3gqd7iTmq5IkM0mQNUuSmneLlMVX32dITSatKjaUNaBI54aH8byM+lUjdFyUYv tKjb6HJD0upo7e5MPmchC1+/1B+Jm7YfAIMJ6Mn168pHMSy9Zn0p0zFeVGCA41u7 L28yDiIVfu1XWcOLWryAQQ4e/rMv1Bpy7Q259SUUj4bUiQDmRdqOdZmaXHlO/Po= =H+jB -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa120-classic.patch" Content-Disposition: attachment; filename="xsa120-classic.patch" Content-Transfer-Encoding: base64 cGNpYmFjazogbGltaXQgZ3Vlc3QgY29udHJvbCBvZiBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTIxNTAgLyBYU0Et MTIwLgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogS29ucmFkIFJ6ZXN6dXRlayBXaWxrIDxr b25yYWQud2lsa0BvcmFjbGUuY29tPgoKLS0tIGEvZHJpdmVycy94ZW4vcGNp YmFjay9jb25mX3NwYWNlLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9j b25mX3NwYWNlLmMKQEAgLTE1LDcgKzE1LDcgQEAKICNpbmNsdWRlICJjb25m X3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9xdWlya3MuaCIKIAot c3RhdGljIGludCBwZXJtaXNzaXZlOworaW50IHBlcm1pc3NpdmU7CiBtb2R1 bGVfcGFyYW0ocGVybWlzc2l2ZSwgYm9vbCwgMDY0NCk7CiAKICNkZWZpbmUg REVGSU5FX1BDSV9DT05GSUcob3Asc2l6ZSx0eXBlKSAJCQlcCi0tLSBhL2Ry aXZlcnMveGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCisrKyBiL2RyaXZlcnMv eGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCkBAIC02NCw2ICs2NCw4IEBAIHN0 cnVjdCBjb25maWdfZmllbGRfZW50cnkgewogCXZvaWQgKmRhdGE7CiB9Owog CitleHRlcm4gaW50IHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZGU0VUKGNm Z19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2ZnX2VudHJ5 KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBhIGRldmlj ZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0IGEgcG9p bnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi9wY2liYWNrL2NvbmZfc3BhY2Vf aGVhZGVyLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9jb25mX3NwYWNl X2hlYWRlci5jCkBAIC05LDYgKzksMTAgQEAKICNpbmNsdWRlICJwY2liYWNr LmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZS5oIgogCitzdHJ1Y3QgcGNpX2Nt ZF9pbmZvIHsKKwl1MTYgdmFsOworfTsKKwogc3RydWN0IHBjaV9iYXJfaW5m byB7CiAJdTMyIHZhbDsKIAl1MzIgbGVuX3ZhbDsKQEAgLTE4LDI4ICsyMiw0 NSBAQCBzdHJ1Y3QgcGNpX2Jhcl9pbmZvIHsKICNkZWZpbmUgaXNfZW5hYmxl X2NtZCh2YWx1ZSkgKCh2YWx1ZSkmKFBDSV9DT01NQU5EX01FTU9SWXxQQ0lf Q09NTUFORF9JTykpCiAjZGVmaW5lIGlzX21hc3Rlcl9jbWQodmFsdWUpICgo dmFsdWUpJlBDSV9DT01NQU5EX01BU1RFUikKIAotc3RhdGljIGludCBjb21t YW5kX3JlYWQoc3RydWN0IHBjaV9kZXYgKmRldiwgaW50IG9mZnNldCwgdTE2 ICp2YWx1ZSwgdm9pZCAqZGF0YSkKKy8qIEJpdHMgZ3Vlc3RzIGFyZSBhbGxv d2VkIHRvIGNvbnRyb2wgaW4gcGVybWlzc2l2ZSBtb2RlLiAqLworI2RlZmlu ZSBQQ0lfQ09NTUFORF9HVUVTVCAoUENJX0NPTU1BTkRfTUFTVEVSfFBDSV9D T01NQU5EX1NQRUNJQUx8IFwKKwkJCSAgIFBDSV9DT01NQU5EX0lOVkFMSURB VEV8UENJX0NPTU1BTkRfVkdBX1BBTEVUVEV8IFwKKwkJCSAgIFBDSV9DT01N QU5EX1dBSVR8UENJX0NPTU1BTkRfRkFTVF9CQUNLKQorCitzdGF0aWMgdm9p ZCAqY29tbWFuZF9pbml0KHN0cnVjdCBwY2lfZGV2ICpkZXYsIGludCBvZmZz ZXQpCiB7Ci0JaW50IGk7Ci0JaW50IHJldDsKKwlzdHJ1Y3QgcGNpX2NtZF9p bmZvICpjbWQgPSBrbWFsbG9jKHNpemVvZigqY21kKSwgR0ZQX0tFUk5FTCk7 CisJaW50IGVycjsKKworCWlmICghY21kKQorCQlyZXR1cm4gRVJSX1BUUigt RU5PTUVNKTsKIAotCXJldCA9IHBjaWJhY2tfcmVhZF9jb25maWdfd29yZChk ZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEpOwotCWlmICghZGV2LT5pc19lbmFi bGVkKQotCQlyZXR1cm4gcmV0OwotCi0JZm9yIChpID0gMDsgaSA8IFBDSV9S T01fUkVTT1VSQ0U7IGkrKykgewotCQlpZiAoZGV2LT5yZXNvdXJjZVtpXS5m bGFncyAmIElPUkVTT1VSQ0VfSU8pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1B TkRfSU87Ci0JCWlmIChkZXYtPnJlc291cmNlW2ldLmZsYWdzICYgSU9SRVNP VVJDRV9NRU0pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwor CWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgUENJX0NPTU1BTkQs ICZjbWQtPnZhbCk7CisJaWYgKGVycikgeworCQlrZnJlZShjbWQpOworCQly ZXR1cm4gRVJSX1BUUihlcnIpOwogCX0KIAorCXJldHVybiBjbWQ7Cit9CisK K3N0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCit7CisJaW50 IHJldCA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1 ZSk7CisJY29uc3Qgc3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0gZGF0YTsK KworCSp2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwkqdmFsdWUgfD0g Y21kLT52YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcmV0 OwogfQogCiBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9k ZXYgKmRldiwgaW50IG9mZnNldCwgdTE2IHZhbHVlLCB2b2lkICpkYXRhKQog ewogCWludCBlcnI7CisJdTE2IHZhbDsKKwlzdHJ1Y3QgcGNpX2NtZF9pbmZv ICpjbWQgPSBkYXRhOworCXN0cnVjdCBwY2liYWNrX2Rldl9kYXRhICpkZXZf ZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwogCiAJaWYgKCFkZXYtPmlz X2VuYWJsZWQgJiYgaXNfZW5hYmxlX2NtZCh2YWx1ZSkpIHsKIAkJaWYgKHVu bGlrZWx5KHZlcmJvc2VfcmVxdWVzdCkpCkBAIC03Niw2ICs5NywxOCBAQCBz dGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiAJCX0K IAl9CiAKKwljbWQtPnZhbCA9IHZhbHVlOworCisJaWYgKCFwZXJtaXNzaXZl ICYmICghZGV2X2RhdGEgfHwgIWRldl9kYXRhLT5wZXJtaXNzaXZlKSkKKwkJ cmV0dXJuIDA7CisKKwkvKiBPbmx5IGFsbG93IHRoZSBndWVzdCB0byBjb250 cm9sIGNlcnRhaW4gYml0cy4gKi8KKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgJnZhbCk7CisJaWYgKGVyciB8fCB2YWwgPT0g dmFsdWUpCisJCXJldHVybiBlcnI7CisJdmFsdWUgJj0gUENJX0NPTU1BTkRf R1VFU1Q7CisJdmFsdWUgfD0gdmFsICYgflBDSV9DT01NQU5EX0dVRVNUOwor CiAJcmV0dXJuIHBjaV93cml0ZV9jb25maWdfd29yZChkZXYsIG9mZnNldCwg dmFsdWUpOwogfQogCkBAIC0yNzUsNiArMzA4LDggQEAgc3RhdGljIGNvbnN0 IHN0cnVjdCBjb25maWdfZmllbGQgaGVhZGVyXwogCXsKIAkgLm9mZnNldCAg ICA9IFBDSV9DT01NQU5ELAogCSAuc2l6ZSAgICAgID0gMiwKKwkgLmluaXQg ICAgICA9IGNvbW1hbmRfaW5pdCwKKwkgLnJlbGVhc2UgICA9IGJhcl9yZWxl YXNlLAogCSAudS53LnJlYWQgID0gY29tbWFuZF9yZWFkLAogCSAudS53Lndy aXRlID0gY29tbWFuZF93cml0ZSwKIAl9LAo= --=separator Content-Type: application/octet-stream; name="xsa120.patch" Content-Disposition: attachment; filename="xsa120.patch" Content-Transfer-Encoding: base64 eGVuLXBjaWJhY2s6IGxpbWl0IGd1ZXN0IGNvbnRyb2wgb2YgY29tbWFuZCBy ZWdpc3RlcgoKT3RoZXJ3aXNlIHRoZSBndWVzdCBjYW4gYWJ1c2UgdGhhdCBj b250cm9sIHRvIGNhdXNlIGUuZy4gUENJZQpVbnN1cHBvcnRlZCBSZXF1ZXN0 IHJlc3BvbnNlcyAoYnkgZGlzYWJsaW5nIG1lbW9yeSBhbmQvb3IgSS9PIGRl Y29kaW5nCmFuZCBzdWJzZXF1ZW50bHkgY2F1c2luZyBbQ1BVIHNpZGVdIGFj Y2Vzc2VzIHRvIHRoZSByZXNwZWN0aXZlIGFkZHJlc3MKcmFuZ2VzKSwgd2hp Y2ggKGRlcGVuZGluZyBvbiBzeXN0ZW0gY29uZmlndXJhdGlvbikgbWF5IGJl IGZhdGFsIHRvIHRoZQpob3N0LgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUwIC8g WFNBLTEyMC4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGlj aEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2ls ayA8a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KCi0tLSBhL2RyaXZlcnMveGVu L3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuYworKysgYi9kcml2ZXJzL3hlbi94 ZW4tcGNpYmFjay9jb25mX3NwYWNlLmMKQEAgLTE2LDcgKzE2LDcgQEAKICNp bmNsdWRlICJjb25mX3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9x dWlya3MuaCIKIAotc3RhdGljIGJvb2wgcGVybWlzc2l2ZTsKK2Jvb2wgcGVy bWlzc2l2ZTsKIG1vZHVsZV9wYXJhbShwZXJtaXNzaXZlLCBib29sLCAwNjQ0 KTsKIAogLyogVGhpcyBpcyB3aGVyZSB4ZW5fcGNpYmtfcmVhZF9jb25maWdf Ynl0ZSwgeGVuX3BjaWJrX3JlYWRfY29uZmlnX3dvcmQsCi0tLSBhL2RyaXZl cnMveGVuL3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuaAorKysgYi9kcml2ZXJz L3hlbi94ZW4tcGNpYmFjay9jb25mX3NwYWNlLmgKQEAgLTY0LDYgKzY0LDgg QEAgc3RydWN0IGNvbmZpZ19maWVsZF9lbnRyeSB7CiAJdm9pZCAqZGF0YTsK IH07CiAKK2V4dGVybiBib29sIHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZG U0VUKGNmZ19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2Zn X2VudHJ5KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBh IGRldmljZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0 IGEgcG9pbnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi94ZW4tcGNpYmFjay9j b25mX3NwYWNlX2hlYWRlci5jCisrKyBiL2RyaXZlcnMveGVuL3hlbi1wY2li YWNrL2NvbmZfc3BhY2VfaGVhZGVyLmMKQEAgLTExLDYgKzExLDEwIEBACiAj aW5jbHVkZSAicGNpYmFjay5oIgogI2luY2x1ZGUgImNvbmZfc3BhY2UuaCIK IAorc3RydWN0IHBjaV9jbWRfaW5mbyB7CisJdTE2IHZhbDsKK307CisKIHN0 cnVjdCBwY2lfYmFyX2luZm8gewogCXUzMiB2YWw7CiAJdTMyIGxlbl92YWw7 CkBAIC0yMCwyMiArMjQsMzYgQEAgc3RydWN0IHBjaV9iYXJfaW5mbyB7CiAj ZGVmaW5lIGlzX2VuYWJsZV9jbWQodmFsdWUpICgodmFsdWUpJihQQ0lfQ09N TUFORF9NRU1PUll8UENJX0NPTU1BTkRfSU8pKQogI2RlZmluZSBpc19tYXN0 ZXJfY21kKHZhbHVlKSAoKHZhbHVlKSZQQ0lfQ09NTUFORF9NQVNURVIpCiAK LXN0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCisvKiBCaXRz IGd1ZXN0cyBhcmUgYWxsb3dlZCB0byBjb250cm9sIGluIHBlcm1pc3NpdmUg bW9kZS4gKi8KKyNkZWZpbmUgUENJX0NPTU1BTkRfR1VFU1QgKFBDSV9DT01N QU5EX01BU1RFUnxQQ0lfQ09NTUFORF9TUEVDSUFMfCBcCisJCQkgICBQQ0lf Q09NTUFORF9JTlZBTElEQVRFfFBDSV9DT01NQU5EX1ZHQV9QQUxFVFRFfCBc CisJCQkgICBQQ0lfQ09NTUFORF9XQUlUfFBDSV9DT01NQU5EX0ZBU1RfQkFD SykKKworc3RhdGljIHZvaWQgKmNvbW1hbmRfaW5pdChzdHJ1Y3QgcGNpX2Rl diAqZGV2LCBpbnQgb2Zmc2V0KQogewotCWludCBpOwotCWludCByZXQ7CisJ c3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0ga21hbGxvYyhzaXplb2YoKmNt ZCksIEdGUF9LRVJORUwpOworCWludCBlcnI7CiAKLQlyZXQgPSB4ZW5fcGNp YmtfcmVhZF9jb25maWdfd29yZChkZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEp OwotCWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSkKLQkJcmV0dXJuIHJldDsK LQotCWZvciAoaSA9IDA7IGkgPCBQQ0lfUk9NX1JFU09VUkNFOyBpKyspIHsK LQkJaWYgKGRldi0+cmVzb3VyY2VbaV0uZmxhZ3MgJiBJT1JFU09VUkNFX0lP KQotCQkJKnZhbHVlIHw9IFBDSV9DT01NQU5EX0lPOwotCQlpZiAoZGV2LT5y ZXNvdXJjZVtpXS5mbGFncyAmIElPUkVTT1VSQ0VfTUVNKQotCQkJKnZhbHVl IHw9IFBDSV9DT01NQU5EX01FTU9SWTsKKwlpZiAoIWNtZCkKKwkJcmV0dXJu IEVSUl9QVFIoLUVOT01FTSk7CisKKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIFBDSV9DT01NQU5ELCAmY21kLT52YWwpOworCWlmIChlcnIp IHsKKwkJa2ZyZWUoY21kKTsKKwkJcmV0dXJuIEVSUl9QVFIoZXJyKTsKIAl9 CiAKKwlyZXR1cm4gY21kOworfQorCitzdGF0aWMgaW50IGNvbW1hbmRfcmVh ZChzdHJ1Y3QgcGNpX2RldiAqZGV2LCBpbnQgb2Zmc2V0LCB1MTYgKnZhbHVl LCB2b2lkICpkYXRhKQoreworCWludCByZXQgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgdmFsdWUpOworCWNvbnN0IHN0cnVjdCBwY2lf Y21kX2luZm8gKmNtZCA9IGRhdGE7CisKKwkqdmFsdWUgJj0gUENJX0NPTU1B TkRfR1VFU1Q7CisJKnZhbHVlIHw9IGNtZC0+dmFsICYgflBDSV9DT01NQU5E X0dVRVNUOworCiAJcmV0dXJuIHJldDsKIH0KIApAQCAtNDMsNiArNjEsOCBA QCBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiB7 CiAJc3RydWN0IHhlbl9wY2lia19kZXZfZGF0YSAqZGV2X2RhdGE7CiAJaW50 IGVycjsKKwl1MTYgdmFsOworCXN0cnVjdCBwY2lfY21kX2luZm8gKmNtZCA9 IGRhdGE7CiAKIAlkZXZfZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwog CWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSAmJiBpc19lbmFibGVfY21kKHZh bHVlKSkgewpAQCAtODMsNiArMTAxLDE4IEBAIHN0YXRpYyBpbnQgY29tbWFu ZF93cml0ZShzdHJ1Y3QgcGNpX2RldiAKIAkJfQogCX0KIAorCWNtZC0+dmFs ID0gdmFsdWU7CisKKwlpZiAoIXBlcm1pc3NpdmUgJiYgKCFkZXZfZGF0YSB8 fCAhZGV2X2RhdGEtPnBlcm1pc3NpdmUpKQorCQlyZXR1cm4gMDsKKworCS8q IE9ubHkgYWxsb3cgdGhlIGd1ZXN0IHRvIGNvbnRyb2wgY2VydGFpbiBiaXRz LiAqLworCWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0 LCAmdmFsKTsKKwlpZiAoZXJyIHx8IHZhbCA9PSB2YWx1ZSkKKwkJcmV0dXJu IGVycjsKKwl2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwl2YWx1ZSB8 PSB2YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcGNpX3dy aXRlX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1ZSk7CiB9CiAKQEAg LTI4Miw2ICszMTIsOCBAQCBzdGF0aWMgY29uc3Qgc3RydWN0IGNvbmZpZ19m aWVsZCBoZWFkZXJfCiAJewogCSAub2Zmc2V0ICAgID0gUENJX0NPTU1BTkQs CiAJIC5zaXplICAgICAgPSAyLAorCSAuaW5pdCAgICAgID0gY29tbWFuZF9p bml0LAorCSAucmVsZWFzZSAgID0gYmFyX3JlbGVhc2UsCiAJIC51LncucmVh ZCAgPSBjb21tYW5kX3JlYWQsCiAJIC51Lncud3JpdGUgPSBjb21tYW5kX3dy aXRlLAogCX0sCg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 10 12:02:22 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 10 Mar 2015 12:02:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIrL-0006Qp-Ve; Tue, 10 Mar 2015 12:02:03 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIrJ-0006PT-0b; Tue, 10 Mar 2015 12:02:01 +0000 Received: from [193.109.254.147] by server-12.bemta-14.messagelabs.com id A1/CD-02755-22DDEF45; Tue, 10 Mar 2015 12:01:38 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-12.tower-27.messagelabs.com!1425988887!16170012!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 9442 invoked from network); 10 Mar 2015 12:01:28 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-12.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 10 Mar 2015 12:01:28 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YVIqd-0001de-Rh; Tue, 10 Mar 2015 12:01:19 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YVIqd-00033H-Pd; Tue, 10 Mar 2015 12:01:19 +0000 Date: Tue, 10 Mar 2015 12:01:19 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 123 (CVE-2015-2151) - Hypervisor memory corruption due to x86 emulator flaw X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2151 / XSA-123 version 4 Hypervisor memory corruption due to x86 emulator flaw UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. IMPACT ====== A malicious guest might be able to read sensitive data relating to other guests, or to cause denial of service on the host. Arbitrary code execution, and therefore privilege escalation, cannot be excluded. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. Only x86 systems are vulnerable. ARM systems are not vulnerable. MITIGATION ========== There is no mitigation available for this issue. CREDITS ======= This issue was discovered by Felix Wilhelm of ERNW GmbH. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa123.patch xen-unstable, Xen 4.5.x, Xen 4.4.x xsa123-4.3-4.2.patch Xen 4.3.x, Xen 4.2.x $ sha256sum xsa123*.patch e6da3a2c35b50e163b15100ef28a48dca429160104f346fc82be4711fe60f64f xsa123-4.3-4.2.patch 994cf1487ec5c455fce4877168901e03283f0002062dcff8895a17ca30e010df xsa123.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU/tzZAAoJEIP+FMlX6CvZV64IAJOsaNqXoLZQ0sAdfJpE6lnv KtYzXixzTTrP87cWmkYfkLTcuQdMJKUNe00xRoEP2ES1I2XUC4dy9MrlaTpHOJ27 hZ1OpDkiOOk6B8Scf1PI6pvXZXzpnoQITPRhxUgPawIBrtPW/OP8pdUbTeGsw3MJ hUjixTBT+Ok2Geq1U/Ki+aNe+lnLOjkuivH2nkZGsWYrRAm7Uypmtn9obQzZ4piB OGDAsuHSXtOPGgmtztj+NW8PJ+6oURkBi0ITtc12lUwJodQV9OIOsvqD3d+HW6OC 4K1gkSor+coTS6jmoU2YU1UnPBMy4irgmg1XojwWZb+FC7lHQDD24wMSs1LVJ7c= =E2Oh -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa123-4.3-4.2.patch" Content-Disposition: attachment; filename="xsa123-4.3-4.2.patch" Content-Transfer-Encoding: base64 eDg2ZW11bDogZnVsbHkgaWdub3JlIHNlZ21lbnQgb3ZlcnJpZGUgZm9yIHJl Z2lzdGVyLW9ubHkgb3BlcmF0aW9ucwoKRm9yIE1vZFJNIGVuY29kZWQgaW5z dHJ1Y3Rpb25zIHdpdGggcmVnaXN0ZXIgb3BlcmFuZHMgd2UgbXVzdCBub3QK b3ZlcndyaXRlIGVhLm1lbS5zZWcgKGlmIGEgLSBib2d1cyBpbiB0aGF0IGNh c2UgLSBzZWdtZW50IG92ZXJyaWRlIHdhcwpwcmVzZW50KSBhcyBpdCBhbGlh c2VzIHdpdGggZWEucmVnLgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUxIC8gWFNB LTEyMy4KClJlcG9ydGVkLWJ5OiBGZWxpeCBXaWxoZWxtIDxmd2lsaGVsbUBl cm53LmRlPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+ClJldmlld2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1AeGVuLm9y Zz4KUmV2aWV3ZWQtYnk6IEtlaXIgRnJhc2VyIDxrZWlyQHhlbi5vcmc+Cgot LS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwor KysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwpA QCAtMTY0MCw3ICsxNjQwLDcgQEAgeDg2X2VtdWxhdGUoCiAgICAgICAgIH0K ICAgICB9CiAKLSAgICBpZiAoIG92ZXJyaWRlX3NlZyAhPSAtMSApCisgICAg aWYgKCBvdmVycmlkZV9zZWcgIT0gLTEgJiYgZWEudHlwZSA9PSBPUF9NRU0g KQogICAgICAgICBlYS5tZW0uc2VnID0gb3ZlcnJpZGVfc2VnOwogCiAgICAg LyogRGVjb2RlIGFuZCBmZXRjaCB0aGUgc291cmNlIG9wZXJhbmQ6IHJlZ2lz dGVyLCBtZW1vcnkgb3IgaW1tZWRpYXRlLiAqLwo= --=separator Content-Type: application/octet-stream; name="xsa123.patch" Content-Disposition: attachment; filename="xsa123.patch" Content-Transfer-Encoding: base64 eDg2ZW11bDogZnVsbHkgaWdub3JlIHNlZ21lbnQgb3ZlcnJpZGUgZm9yIHJl Z2lzdGVyLW9ubHkgb3BlcmF0aW9ucwoKRm9yIE1vZFJNIGVuY29kZWQgaW5z dHJ1Y3Rpb25zIHdpdGggcmVnaXN0ZXIgb3BlcmFuZHMgd2UgbXVzdCBub3QK b3ZlcndyaXRlIGVhLm1lbS5zZWcgKGlmIGEgLSBib2d1cyBpbiB0aGF0IGNh c2UgLSBzZWdtZW50IG92ZXJyaWRlIHdhcwpwcmVzZW50KSBhcyBpdCBhbGlh c2VzIHdpdGggZWEucmVnLgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUxIC8gWFNB LTEyMy4KClJlcG9ydGVkLWJ5OiBGZWxpeCBXaWxoZWxtIDxmd2lsaGVsbUBl cm53LmRlPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+ClJldmlld2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1AeGVuLm9y Zz4KUmV2aWV3ZWQtYnk6IEtlaXIgRnJhc2VyIDxrZWlyQHhlbi5vcmc+Cgot LS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwor KysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwpA QCAtMTc1Nyw3ICsxNzU3LDcgQEAgeDg2X2VtdWxhdGUoCiAgICAgICAgIH0K ICAgICB9CiAKLSAgICBpZiAoIG92ZXJyaWRlX3NlZyAhPSAtMSApCisgICAg aWYgKCBvdmVycmlkZV9zZWcgIT0gLTEgJiYgZWEudHlwZSA9PSBPUF9NRU0g KQogICAgICAgICBlYS5tZW0uc2VnID0gb3ZlcnJpZGVfc2VnOwogCiAgICAg LyogRWFybHkgb3BlcmFuZCBhZGp1c3RtZW50cy4gKi8K --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Thu Mar 12 13:34:01 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 12 Mar 2015 13:34:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YW3EQ-0000ZT-Bb; Thu, 12 Mar 2015 13:32:58 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YW3EO-0000ZH-Vt; Thu, 12 Mar 2015 13:32:57 +0000 Received: from [193.109.254.147] by server-15.bemta-14.messagelabs.com id B1/48-03047-88591055; Thu, 12 Mar 2015 13:32:56 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-13.tower-27.messagelabs.com!1426167173!12309179!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 1648 invoked from network); 12 Mar 2015 13:32:54 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-13.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 12 Mar 2015 13:32:54 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YW3EB-0008JM-QB; Thu, 12 Mar 2015 13:32:43 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YW3EB-0003fb-3F; Thu, 12 Mar 2015 13:32:43 +0000 Date: Thu, 12 Mar 2015 13:32:43 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 119 (CVE-2015-2152) - HVM qemu unexpectedly enabling emulated VGA graphics backends X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2152 / XSA-119 version 3 HVM qemu unexpectedly enabling emulated VGA graphics backends UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration. The libxl toolstack library does not explicitly disable these default backends when they are not enabled, leading to an unexpected backend running. If either SDL or VNC is explicitly enabled in the guest configuration then only the expected backends will be enabled. This affects qemu-xen and qemu-xen-traditional differently. If qemu-xen was compiled with SDL support then this would result in an SDL window being opened if $DISPLAY is valid, or a failure to start the guest if not. If qemu-xen was compiled without SDL support then qemu would instead start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC password will not be configured even if one is present in the guest configuration. qemu-xen-traditional will never start a vnc backend unless explicitly configured. However by default it will start an SDL backend if it was built with SDL support and $DISPLAY is valid. IMPACT ====== For qemu-xen compiled without SDL support (unexpected VNC server): Any local user on the domain 0 hosting the VM will be able to access the guest's emulated VGA console. For any qemu compiled with SDL support (unexpected SDL backend): Users who are able to control the DISPLAY environment variable of the toolstack process which creates the VM will be able to direct the SDL output to an X server of their choosing and from there gain access to the guest's emulated console. This is a practical attack only on systems where arrangements have been made for lower-privileged users to execute Xen toolstack code via means which do not sufficiently launder the process environment. This would include some restricted sudo command configurations. In both cases unexpected access to the guest console may then, depending on the guest configuration, grant further privilege or opportunities for attack. Both cases also open up the qemu process to attacks via the VNC or X network protocols. The qemu monitor is not exposed via this means unless it is explicitly enabled in the guest configuration. VULNERABLE SYSTEMS ================== ARM systems are not vulnerable. PV domains are not vulnerable. Systems where either SDL or VNC is explicitly enabled in the guest configuration (eg `sdl=1' or `vnc=1' in the guest config file) are not vulnerable. Systems using qemu-xen-traditional, or systems using qemu-xen where SDL support is built into qemu-xen, are not vulnerable; unless the Xen toolstack code runs in a process environment partially controlled by potential attackers. x86 systems running HVM domains, configured to disable both SDL and VNC access to the emulated VGA device, may be vulnerable. Versions of Xen from 4.2 onwards are known to be affected. Older versions have not been inspected. MITIGATION ========== Running qemu in a stub domain will avoid this issue. Setting nographic to true on the domain (i.e. nographic=1 in an xl configuration file) will completely disable the emulated VGA device and therefore avoid this issue. (NB that publicly visible deployment of this mitigation during the embargo is forbidden.) In order to disable the backends while retaining the emulated VGA then prepending "-vnc none -display none" to the qemu-xen command-line or "-vnc none" to the qemu-xen-traditional command-line, using e.g. a wrapper script will avoid the issue. Note that the "extra_hvm" option exposed by the libxl library is not useful because it appends the given options making them ineffective in this case. CREDITS ======= This issue was discovered by Sander Eikelenboom. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa119-unstable.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x xsa119-4.2.patch Xen 4.2.x $ sha256sum xsa119*.patch ee44c8f6a7cf3ca7b2d9886047b91690aaa2b091baf8629d8ab4c298022c6c47 xsa119-unstable.patch 5470eae3ca776a5100e8da9400ce15a2f4d855177f023430b2462f65e716128f xsa119-4.2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Deployment of a revised command qemu line which sets "-vnc none - -display none" or "-vnc none" (as applicable) is also permitted. Mitigation by passing `nographic=1' or equivalent guest configuration, is NOT permitted (except where all the guests are accessible only by members of the Xen Project Security Issues Predisclosure List). Specifically, deployment of such a mitigation on public cloud systems is NOT permitted. This is because the guest-visible configuration change (disappearance of the emulated VGA device as the response to a security issue) would suggest to attackers where to look for the vulnerability. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAZVQAAoJEIP+FMlX6CvZ04YIAJZ0goOAXAzc5OwrY/RyTeCp fGHhzkWQ5ZJ3GKR2x+A+uXTb5X+tpo07A/sIS9eGtUDTpzOmfNn/r+vXpicVip8j CW8KMCvNqiMu6BlrF13x7wrYTNSCudLdcg5ermUBasPXadbPspJoLsmEZVDejLEP 7Wp99VoeOJEfR/29JrSTDLAuZ5F5TL9T3TZZ9qnxpWxa4ag7qsKL3AS8akKAj8O5 JDHsCpPdPV0w4BNkLTa9zd9xWfSb1zhPvM1S7OeMwzY1Yv1uEI9vRHwHt2JfUQBD rpP1ED8dZphZfet0xqCzx5iyNLvYzNGenA+DnDslj/ORw07SmQ8vSRzq5SJx/uE= =QKUI -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa119-unstable.patch" Content-Disposition: attachment; filename="xsa119-unstable.patch" Content-Transfer-Encoding: base64 RnJvbSBmNDMzYmZhZmJhZjdkOGE0MWM0YzI3YWEzZThlNzhiMWFiOTAwYjY5 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBJYW4gQ2FtcGJlbGwg PGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpEYXRlOiBGcmksIDIwIEZlYiAy MDE1IDE0OjQxOjA5ICswMDAwClN1YmplY3Q6IFtQQVRDSF0gdG9vbHM6IGxp YnhsOiBFeHBsaWNpdGx5IGRpc2FibGUgZ3JhcGhpY3MgYmFja2VuZHMgb24g cWVtdQogY21kbGluZQoKQnkgZGVmYXVsdCBxZW11IHdpbGwgdHJ5IHRvIGNy ZWF0ZSBzb21lIHNvcnQgb2YgYmFja2VuZCBmb3IgdGhlCmVtdWxhdGVkIFZH QSBkZXZpY2UsIGVpdGhlciBTREwgb3IgVk5DLgoKSG93ZXZlciB3aGVuIHRo ZSB1c2VyIHNwZWNpZmllcyBzZGw9MCBhbmQgdm5jPTAgaW4gdGhlaXIgY29u ZmlndXJhdGlvbgpsaWJ4bCB3YXMgbm90IGV4cGxpY2l0bHkgZGlzYWJsaW5n IGVpdGhlciBiYWNrZW5kLCB3aGljaCBjb3VsZCBsZWFkIHRvCm9uZSB1bmV4 cGVjdGVkbHkgcnVubmluZy4KCklmIGVpdGhlciBzZGw9MSBvciB2bmM9MSBp cyBjb25maWd1cmVkIHRoZW4gYm90aCBiZWZvcmUgYW5kIGFmdGVyIHRoaXMK Y2hhbmdlIG9ubHkgdGhlIGJhY2tlbmRzIHdoaWNoIGFyZSBleHBsaWNpdGx5 IGVuYWJsZWQgYXJlIGNvbmZpZ3VyZWQsCmkuZS4gdGhpcyBpc3N1ZSBvbmx5 IG9jY3VycyB3aGVuIGFsbCBiYWNrZW5kcyBhcmUgc3VwcG9zZWQgdG8gaGF2 ZQpiZWVuIGRpc2FibGVkLgoKVGhpcyBhZmZlY3RzIHFlbXUteGVuIGFuZCBx ZW11LXhlbi10cmFkaXRpb25hbCBkaWZmZXJlbnRseS4KCklmIHFlbXUteGVu IHdhcyBjb21waWxlZCB3aXRoIFNETCBzdXBwb3J0IHRoZW4gdGhpcyB3b3Vs ZCByZXN1bHQgaW4gYW4KU0RMIHdpbmRvdyBiZWluZyBvcGVuZWQgaWYgJERJ U1BMQVkgaXMgdmFsaWQsIG9yIGEgZmFpbHVyZSB0byBzdGFydAp0aGUgZ3Vl c3QgaWYgbm90LiBQYXNzaW5nICItZGlzcGxheSBub25lIiB0byBxZW11IGJl Zm9yZSBhbnkgZnVydGhlcgotc2RsIG9wdGlvbnMgZGlzYWJsZXMgdGhpcyBk ZWZhdWx0IGJlaGF2aW91ciBhbmQgZW5zdXJlcyB0aGF0IFNETCBpcwpvbmx5 IHN0YXJ0ZWQgaWYgdGhlIGxpYnhsIGNvbmZpZ3VyYXRpb24gZGVtYW5kcyBp dC4KCklmIHFlbXUteGVuIHdhcyBjb21waWxlZCB3aXRob3V0IFNETCBzdXBw b3J0IHRoZW4gcWVtdSB3b3VsZCBpbnN0ZWFkCnN0YXJ0IGEgVk5DIHNlcnZl ciBsaXN0ZW5pbmcgb24gOjoxIChJUHY2IGxvY2FsaG9zdCkgb3IgMTI3LjAu MC4xCihJUHY0IGxvY2FsaG9zdCkgd2l0aCBJUHY2IHByZWZlcnJlZCBpZiBh dmFpbGFibGUuIEV4cGxpY2l0bHkgcGFzcwoiLXZuYyBub25lIiB3aGVuIHZu YyBpcyBub3QgZW5hYmxlZCBpbiB0aGUgbGlieGwgY29uZmlndXJhdGlvbiB0 bwpyZW1vdmUgdGhpcyBwb3NzaWJpbGl0eS4KCnFlbXUteGVuLXRyYWRpdGlv bmFsIHdvdWxkIG5ldmVyIHN0YXJ0IGEgdm5jIGJhY2tlbmQgdW5sZXNzIGFz a2VkLgpIb3dldmVyIGJ5IGRlZmF1bHQgaXQgd2lsbCBzdGFydCBhbiBTREwg YmFja2VuZCwgdGhlIHdheSB0byBkaXNhYmxlCnRoaXMgaXMgdG8gcGFzcyBh IC12bmMgb3B0aW9uLiBJbiBvdGhlciB3b3JkcyBwYXNzaW5nICItdm5jIG5v bmUiIHdpbGwKZGlzYWJsZSBib3RoIHZuYyBhbmQgc2RsIGJ5IGRlZmF1bHQu IHNkbCBjYW4gdGhlbiBiZSByZWVuYWJsZWQgaWYKY29uZmlndXJlZCBieSBz dWJzZXF1ZW50IHVzZSBvZiB0aGUgLXNkbCBvcHRpb24uCgpUZXN0ZWQgd2l0 aCBib3RoIHFlbXUteGVuIGFuZCBxZW11LXhlbi10cmFkaXRpb25hbCBidWls dCB3aXRoIFNETApzdXBwb3J0IGFuZDoKCXhsIGNyICMgZGVmYXVsdHMKCXhs IGNyIHNkbD0wIHZuYz0wCgl4bCBjciBzZGw9MSB2bmM9MAoJeGwgY3Igc2Rs PTAgdm5jPTEKCXhsIGNyIHNkbD0wIHZuYz0wIHZnYT1cIm5vbmVcIgoJeGwg Y3Igc2RsPTAgdm5jPTAgbm9ncmFwaGljPTEKd2l0aCBib3RoIHZhbGlkIGFu ZCBpbnZhbGlkICRESVNQTEFZLgoKVGhpcyBpcyBYU0EtMTE5LgoKUmVwb3J0 ZWQtYnk6IFNhbmRlciBFaWtlbGVuYm9vbSA8bGludXhAZWlrZWxlbmJvb20u aXQ+ClNpZ25lZC1vZmYtYnk6IElhbiBDYW1wYmVsbCA8aWFuLmNhbXBiZWxs QGNpdHJpeC5jb20+CkFja2VkLWJ5OiBJYW4gSmFja3NvbiA8aWFuLmphY2tz b25AZXUuY2l0cml4LmNvbT4KLS0tCiB0b29scy9saWJ4bC9saWJ4bF9kbS5j IHwgMjEgKysrKysrKysrKysrKysrKysrKy0tCiAxIGZpbGUgY2hhbmdlZCwg MTkgaW5zZXJ0aW9ucygrKSwgMiBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQg YS90b29scy9saWJ4bC9saWJ4bF9kbS5jIGIvdG9vbHMvbGlieGwvbGlieGxf ZG0uYwppbmRleCA4NTk5YTZhLi4zYjkxOGM2IDEwMDY0NAotLS0gYS90b29s cy9saWJ4bC9saWJ4bF9kbS5jCisrKyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2Rt LmMKQEAgLTE4MCw3ICsxODAsMTQgQEAgc3RhdGljIGNoYXIgKiogbGlieGxf X2J1aWxkX2RldmljZV9tb2RlbF9hcmdzX29sZChsaWJ4bF9fZ2MgKmdjLAog ICAgICAgICBpZiAobGlieGxfZGVmYm9vbF92YWwodm5jLT5maW5kdW51c2Vk KSkgewogICAgICAgICAgICAgZmxleGFycmF5X2FwcGVuZChkbV9hcmdzLCAi LXZuY3VudXNlZCIpOwogICAgICAgICB9Ci0gICAgfQorICAgIH0gZWxzZQor ICAgICAgICAvKgorICAgICAgICAgKiBWTkMgaXMgbm90IGVuYWJsZWQgYnkg ZGVmYXVsdCBieSBxZW11LXhlbi10cmFkaXRpb25hbCwKKyAgICAgICAgICog aG93ZXZlciBwYXNzaW5nIC12bmMgbm9uZSBjYXVzZXMgU0RMIHRvIG5vdCBi ZQorICAgICAgICAgKiAodW5leHBlY3RlZGx5KSBlbmFibGVkIGJ5IGRlZmF1 bHQuIFRoaXMgaXMgb3ZlcnJpZGRlbiBieQorICAgICAgICAgKiBleHBsaWNp dGx5IHBhc3NpbmcgLXNkbCBiZWxvdyBhcyByZXF1aXJlZC4KKyAgICAgICAg ICovCisgICAgICAgIGZsZXhhcnJheV9hcHBlbmRfcGFpcihkbV9hcmdzLCAi LXZuYyIsICJub25lIik7CiAKICAgICBpZiAoc2RsKSB7CiAgICAgICAgIGZs ZXhhcnJheV9hcHBlbmQoZG1fYXJncywgIi1zZGwiKTsKQEAgLTUyMiw3ICs1 MjksMTcgQEAgc3RhdGljIGNoYXIgKiogbGlieGxfX2J1aWxkX2RldmljZV9t b2RlbF9hcmdzX25ldyhsaWJ4bF9fZ2MgKmdjLAogICAgICAgICB9CiAKICAg ICAgICAgZmxleGFycmF5X2FwcGVuZChkbV9hcmdzLCB2bmNhcmcpOwotICAg IH0KKyAgICB9IGVsc2UKKyAgICAgICAgLyoKKyAgICAgICAgICogRW5zdXJl IHRoYXQgYnkgZGVmYXVsdCBubyB2bmMgc2VydmVyIGlzIGNyZWF0ZWQuCisg ICAgICAgICAqLworICAgICAgICBmbGV4YXJyYXlfYXBwZW5kX3BhaXIoZG1f YXJncywgIi12bmMiLCAibm9uZSIpOworCisgICAgLyoKKyAgICAgKiBFbnN1 cmUgdGhhdCBieSBkZWZhdWx0IG5vIGRpc3BsYXkgYmFja2VuZCBpcyBjcmVh dGVkLiBGdXJ0aGVyCisgICAgICogb3B0aW9ucyBnaXZlbiBiZWxvdyBtaWdo dCB0aGVuIGVuYWJsZSBtb3JlLgorICAgICAqLworICAgIGZsZXhhcnJheV9h cHBlbmRfcGFpcihkbV9hcmdzLCAiLWRpc3BsYXkiLCAibm9uZSIpOwogCiAg ICAgaWYgKHNkbCkgewogICAgICAgICBmbGV4YXJyYXlfYXBwZW5kKGRtX2Fy Z3MsICItc2RsIik7Ci0tIAoyLjEuNAoK --=separator Content-Type: application/octet-stream; name="xsa119-4.2.patch" Content-Disposition: attachment; filename="xsa119-4.2.patch" Content-Transfer-Encoding: base64 RnJvbSBiNmUzMjdmZGU2YzM2NTA4NjU5NGUyYjQ2ZWRmNDM1YWExNjcxYjFh IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBJYW4gQ2FtcGJlbGwg PGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpEYXRlOiBGcmksIDIwIEZlYiAy MDE1IDE0OjQxOjA5ICswMDAwClN1YmplY3Q6IFtQQVRDSF0gdG9vbHM6IGxp YnhsOiBFeHBsaWNpdGx5IGRpc2FibGUgZ3JhcGhpY3MgYmFja2VuZHMgb24g cWVtdQogY21kbGluZQoKQnkgZGVmYXVsdCBxZW11IHdpbGwgdHJ5IHRvIGNy ZWF0ZSBzb21lIHNvcnQgb2YgYmFja2VuZCBmb3IgdGhlCmVtdWxhdGVkIFZH QSBkZXZpY2UsIGVpdGhlciBTREwgb3IgVk5DLgoKSG93ZXZlciB3aGVuIHRo ZSB1c2VyIHNwZWNpZmllcyBzZGw9MCBhbmQgdm5jPTAgaW4gdGhlaXIgY29u ZmlndXJhdGlvbgpsaWJ4bCB3YXMgbm90IGV4cGxpY2l0bHkgZGlzYWJsaW5n IGVpdGhlciBiYWNrZW5kLCB3aGljaCBjb3VsZCBsZWFkIHRvCm9uZSB1bmV4 cGVjdGVkbHkgcnVubmluZy4KCklmIGVpdGhlciBzZGw9MSBvciB2bmM9MSBp cyBjb25maWd1cmVkIHRoZW4gYm90aCBiZWZvcmUgYW5kIGFmdGVyIHRoaXMK Y2hhbmdlIG9ubHkgdGhlIGJhY2tlbmRzIHdoaWNoIGFyZSBleHBsaWNpdGx5 IGVuYWJsZWQgYXJlIGNvbmZpZ3VyZWQsCmkuZS4gdGhpcyBpc3N1ZSBvbmx5 IG9jY3VycyB3aGVuIGFsbCBiYWNrZW5kcyBhcmUgc3VwcG9zZWQgdG8gaGF2 ZQpiZWVuIGRpc2FibGVkLgoKVGhpcyBhZmZlY3RzIHFlbXUteGVuIGFuZCBx ZW11LXhlbi10cmFkaXRpb25hbCBkaWZmZXJlbnRseS4KCklmIHFlbXUteGVu IHdhcyBjb21waWxlZCB3aXRoIFNETCBzdXBwb3J0IHRoZW4gdGhpcyB3b3Vs ZCByZXN1bHQgaW4gYW4KU0RMIHdpbmRvdyBiZWluZyBvcGVuZWQgaWYgJERJ U1BMQVkgaXMgdmFsaWQsIG9yIGEgZmFpbHVyZSB0byBzdGFydAp0aGUgZ3Vl c3QgaWYgbm90LiBQYXNzaW5nICItZGlzcGxheSBub25lIiB0byBxZW11IGJl Zm9yZSBhbnkgZnVydGhlcgotc2RsIG9wdGlvbnMgZGlzYWJsZXMgdGhpcyBk ZWZhdWx0IGJlaGF2aW91ciBhbmQgZW5zdXJlcyB0aGF0IFNETCBpcwpvbmx5 IHN0YXJ0ZWQgaWYgdGhlIGxpYnhsIGNvbmZpZ3VyYXRpb24gZGVtYW5kcyBp dC4KCklmIHFlbXUteGVuIHdhcyBjb21waWxlZCB3aXRob3V0IFNETCBzdXBw b3J0IHRoZW4gcWVtdSB3b3VsZCBpbnN0ZWFkCnN0YXJ0IGEgVk5DIHNlcnZl ciBsaXN0ZW5pbmcgb24gOjoxIChJUHY2IGxvY2FsaG9zdCkgb3IgMTI3LjAu MC4xCihJUHY0IGxvY2FsaG9zdCkgd2l0aCBJUHY2IHByZWZlcnJlZCBpZiBh dmFpbGFibGUuIEV4cGxpY2l0bHkgcGFzcwoiLXZuYyBub25lIiB3aGVuIHZu YyBpcyBub3QgZW5hYmxlZCBpbiB0aGUgbGlieGwgY29uZmlndXJhdGlvbiB0 bwpyZW1vdmUgdGhpcyBwb3NzaWJpbGl0eS4KCnFlbXUteGVuLXRyYWRpdGlv bmFsIHdvdWxkIG5ldmVyIHN0YXJ0IGEgdm5jIGJhY2tlbmQgdW5sZXNzIGFz a2VkLgpIb3dldmVyIGJ5IGRlZmF1bHQgaXQgd2lsbCBzdGFydCBhbiBTREwg YmFja2VuZCwgdGhlIHdheSB0byBkaXNhYmxlCnRoaXMgaXMgdG8gcGFzcyBh IC12bmMgb3B0aW9uLiBJbiBvdGhlciB3b3JkcyBwYXNzaW5nICItdm5jIG5v bmUiIHdpbGwKZGlzYWJsZSBib3RoIHZuYyBhbmQgc2RsIGJ5IGRlZmF1bHQu IHNkbCBjYW4gdGhlbiBiZSByZWVuYWJsZWQgaWYKY29uZmlndXJlZCBieSBz dWJzZXF1ZW50IHVzZSBvZiB0aGUgLXNkbCBvcHRpb24uCgpUZXN0ZWQgd2l0 aCBib3RoIHFlbXUteGVuIGFuZCBxZW11LXhlbi10cmFkaXRpb25hbCBidWls dCB3aXRoIFNETApzdXBwb3J0IGFuZDoKCXhsIGNyICMgZGVmYXVsdHMKCXhs IGNyIHNkbD0wIHZuYz0wCgl4bCBjciBzZGw9MSB2bmM9MAoJeGwgY3Igc2Rs PTAgdm5jPTEKCXhsIGNyIHNkbD0wIHZuYz0wIHZnYT1cIm5vbmVcIgoJeGwg Y3Igc2RsPTAgdm5jPTAgbm9ncmFwaGljPTEKd2l0aCBib3RoIHZhbGlkIGFu ZCBpbnZhbGlkICRESVNQTEFZLgoKVGhpcyBpcyBYU0EtMTE5LgoKUmVwb3J0 ZWQtYnk6IFNhbmRlciBFaWtlbGVuYm9vbSA8bGludXhAZWlrZWxlbmJvb20u aXQ+ClNpZ25lZC1vZmYtYnk6IElhbiBDYW1wYmVsbCA8aWFuLmNhbXBiZWxs QGNpdHJpeC5jb20+CkFja2VkLWJ5OiBJYW4gSmFja3NvbiA8aWFuLmphY2tz b25AZXUuY2l0cml4LmNvbT4KLS0tCiB0b29scy9saWJ4bC9saWJ4bF9kbS5j IHwgMjMgKysrKysrKysrKysrKysrKysrKysrLS0KIDEgZmlsZSBjaGFuZ2Vk LCAyMSBpbnNlcnRpb25zKCspLCAyIGRlbGV0aW9ucygtKQoKZGlmZiAtLWdp dCBhL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMgYi90b29scy9saWJ4bC9saWJ4 bF9kbS5jCmluZGV4IDg4YTQ4OTQuLjZhMWI5MWYgMTAwNjQ0Ci0tLSBhL3Rv b2xzL2xpYnhsL2xpYnhsX2RtLmMKKysrIGIvdG9vbHMvbGlieGwvbGlieGxf ZG0uYwpAQCAtMTQ3LDcgKzE0NywxNSBAQCBzdGF0aWMgY2hhciAqKiBsaWJ4 bF9fYnVpbGRfZGV2aWNlX21vZGVsX2FyZ3Nfb2xkKGxpYnhsX19nYyAqZ2Ms CiAgICAgICAgIGlmIChsaWJ4bF9kZWZib29sX3ZhbCh2bmMtPmZpbmR1bnVz ZWQpKSB7CiAgICAgICAgICAgICBmbGV4YXJyYXlfYXBwZW5kKGRtX2FyZ3Ms ICItdm5jdW51c2VkIik7CiAgICAgICAgIH0KLSAgICB9CisgICAgfSBlbHNl CisgICAgICAgIC8qCisgICAgICAgICAqIFZOQyBpcyBub3QgZW5hYmxlZCBi eSBkZWZhdWx0IGJ5IHFlbXUteGVuLXRyYWRpdGlvbmFsLAorICAgICAgICAg KiBob3dldmVyIHBhc3NpbmcgLXZuYyBub25lIGNhdXNlcyBTREwgdG8gbm90 IGJlCisgICAgICAgICAqICh1bmV4cGVjdGVkbHkpIGVuYWJsZWQgYnkgZGVm YXVsdC4gVGhpcyBpcyBvdmVycmlkZGVuIGJ5CisgICAgICAgICAqIGV4cGxp Y2l0bHkgcGFzc2luZyAtc2RsIGJlbG93IGFzIHJlcXVpcmVkLgorICAgICAg ICAgKi8KKyAgICAgICAgZmxleGFycmF5X2FwcGVuZF9wYWlyKGRtX2FyZ3Ms ICItdm5jIiwgIm5vbmUiKTsKKwogICAgIGlmIChzZGwpIHsKICAgICAgICAg ZmxleGFycmF5X2FwcGVuZChkbV9hcmdzLCAiLXNkbCIpOwogICAgICAgICBp ZiAoIWxpYnhsX2RlZmJvb2xfdmFsKHNkbC0+b3BlbmdsKSkgewpAQCAtMzk0 LDcgKzQwMiwxOCBAQCBzdGF0aWMgY2hhciAqKiBsaWJ4bF9fYnVpbGRfZGV2 aWNlX21vZGVsX2FyZ3NfbmV3KGxpYnhsX19nYyAqZ2MsCiAgICAgICAgICAg ICB2bmNhcmcgPSBsaWJ4bF9fc3ByaW50ZihnYywgIiVzLHRvPTk5Iiwgdm5j YXJnKTsKICAgICAgICAgfQogICAgICAgICBmbGV4YXJyYXlfYXBwZW5kKGRt X2FyZ3MsIHZuY2FyZyk7Ci0gICAgfQorICAgIH0gZWxzZQorICAgICAgICAv KgorICAgICAgICAgKiBFbnN1cmUgdGhhdCBieSBkZWZhdWx0IG5vIHZuYyBz ZXJ2ZXIgaXMgY3JlYXRlZC4KKyAgICAgICAgICovCisgICAgICAgIGZsZXhh cnJheV9hcHBlbmRfcGFpcihkbV9hcmdzLCAiLXZuYyIsICJub25lIik7CisK KyAgICAvKgorICAgICAqIEVuc3VyZSB0aGF0IGJ5IGRlZmF1bHQgbm8gZGlz cGxheSBiYWNrZW5kIGlzIGNyZWF0ZWQuIEZ1cnRoZXIKKyAgICAgKiBvcHRp b25zIGdpdmVuIGJlbG93IG1pZ2h0IHRoZW4gZW5hYmxlIG1vcmUuCisgICAg ICovCisgICAgZmxleGFycmF5X2FwcGVuZF9wYWlyKGRtX2FyZ3MsICItZGlz cGxheSIsICJub25lIik7CisKICAgICBpZiAoc2RsKSB7CiAgICAgICAgIGZs ZXhhcnJheV9hcHBlbmQoZG1fYXJncywgIi1zZGwiKTsKICAgICAgICAgLyog WFhYIHNkbC0+e2Rpc3BsYXkseGF1dGhvcml0eX0gaW50byAkRElTUExBWS8k WEFVVEhPUklUWSAqLwotLSAKMi4xLjQKCg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Thu Mar 12 13:34:01 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 12 Mar 2015 13:34:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YW3EQ-0000ZT-Bb; Thu, 12 Mar 2015 13:32:58 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YW3EO-0000ZH-Vt; Thu, 12 Mar 2015 13:32:57 +0000 Received: from [193.109.254.147] by server-15.bemta-14.messagelabs.com id B1/48-03047-88591055; Thu, 12 Mar 2015 13:32:56 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-13.tower-27.messagelabs.com!1426167173!12309179!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 1648 invoked from network); 12 Mar 2015 13:32:54 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-13.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 12 Mar 2015 13:32:54 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YW3EB-0008JM-QB; Thu, 12 Mar 2015 13:32:43 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YW3EB-0003fb-3F; Thu, 12 Mar 2015 13:32:43 +0000 Date: Thu, 12 Mar 2015 13:32:43 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 119 (CVE-2015-2152) - HVM qemu unexpectedly enabling emulated VGA graphics backends X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2152 / XSA-119 version 3 HVM qemu unexpectedly enabling emulated VGA graphics backends UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration. The libxl toolstack library does not explicitly disable these default backends when they are not enabled, leading to an unexpected backend running. If either SDL or VNC is explicitly enabled in the guest configuration then only the expected backends will be enabled. This affects qemu-xen and qemu-xen-traditional differently. If qemu-xen was compiled with SDL support then this would result in an SDL window being opened if $DISPLAY is valid, or a failure to start the guest if not. If qemu-xen was compiled without SDL support then qemu would instead start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC password will not be configured even if one is present in the guest configuration. qemu-xen-traditional will never start a vnc backend unless explicitly configured. However by default it will start an SDL backend if it was built with SDL support and $DISPLAY is valid. IMPACT ====== For qemu-xen compiled without SDL support (unexpected VNC server): Any local user on the domain 0 hosting the VM will be able to access the guest's emulated VGA console. For any qemu compiled with SDL support (unexpected SDL backend): Users who are able to control the DISPLAY environment variable of the toolstack process which creates the VM will be able to direct the SDL output to an X server of their choosing and from there gain access to the guest's emulated console. This is a practical attack only on systems where arrangements have been made for lower-privileged users to execute Xen toolstack code via means which do not sufficiently launder the process environment. This would include some restricted sudo command configurations. In both cases unexpected access to the guest console may then, depending on the guest configuration, grant further privilege or opportunities for attack. Both cases also open up the qemu process to attacks via the VNC or X network protocols. The qemu monitor is not exposed via this means unless it is explicitly enabled in the guest configuration. VULNERABLE SYSTEMS ================== ARM systems are not vulnerable. PV domains are not vulnerable. Systems where either SDL or VNC is explicitly enabled in the guest configuration (eg `sdl=1' or `vnc=1' in the guest config file) are not vulnerable. Systems using qemu-xen-traditional, or systems using qemu-xen where SDL support is built into qemu-xen, are not vulnerable; unless the Xen toolstack code runs in a process environment partially controlled by potential attackers. x86 systems running HVM domains, configured to disable both SDL and VNC access to the emulated VGA device, may be vulnerable. Versions of Xen from 4.2 onwards are known to be affected. Older versions have not been inspected. MITIGATION ========== Running qemu in a stub domain will avoid this issue. Setting nographic to true on the domain (i.e. nographic=1 in an xl configuration file) will completely disable the emulated VGA device and therefore avoid this issue. (NB that publicly visible deployment of this mitigation during the embargo is forbidden.) In order to disable the backends while retaining the emulated VGA then prepending "-vnc none -display none" to the qemu-xen command-line or "-vnc none" to the qemu-xen-traditional command-line, using e.g. a wrapper script will avoid the issue. Note that the "extra_hvm" option exposed by the libxl library is not useful because it appends the given options making them ineffective in this case. CREDITS ======= This issue was discovered by Sander Eikelenboom. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa119-unstable.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x xsa119-4.2.patch Xen 4.2.x $ sha256sum xsa119*.patch ee44c8f6a7cf3ca7b2d9886047b91690aaa2b091baf8629d8ab4c298022c6c47 xsa119-unstable.patch 5470eae3ca776a5100e8da9400ce15a2f4d855177f023430b2462f65e716128f xsa119-4.2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. Deployment of a revised command qemu line which sets "-vnc none - -display none" or "-vnc none" (as applicable) is also permitted. Mitigation by passing `nographic=1' or equivalent guest configuration, is NOT permitted (except where all the guests are accessible only by members of the Xen Project Security Issues Predisclosure List). Specifically, deployment of such a mitigation on public cloud systems is NOT permitted. This is because the guest-visible configuration change (disappearance of the emulated VGA device as the response to a security issue) would suggest to attackers where to look for the vulnerability. Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAZVQAAoJEIP+FMlX6CvZ04YIAJZ0goOAXAzc5OwrY/RyTeCp fGHhzkWQ5ZJ3GKR2x+A+uXTb5X+tpo07A/sIS9eGtUDTpzOmfNn/r+vXpicVip8j CW8KMCvNqiMu6BlrF13x7wrYTNSCudLdcg5ermUBasPXadbPspJoLsmEZVDejLEP 7Wp99VoeOJEfR/29JrSTDLAuZ5F5TL9T3TZZ9qnxpWxa4ag7qsKL3AS8akKAj8O5 JDHsCpPdPV0w4BNkLTa9zd9xWfSb1zhPvM1S7OeMwzY1Yv1uEI9vRHwHt2JfUQBD rpP1ED8dZphZfet0xqCzx5iyNLvYzNGenA+DnDslj/ORw07SmQ8vSRzq5SJx/uE= =QKUI -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa119-unstable.patch" Content-Disposition: attachment; filename="xsa119-unstable.patch" Content-Transfer-Encoding: base64 RnJvbSBmNDMzYmZhZmJhZjdkOGE0MWM0YzI3YWEzZThlNzhiMWFiOTAwYjY5 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBJYW4gQ2FtcGJlbGwg PGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpEYXRlOiBGcmksIDIwIEZlYiAy MDE1IDE0OjQxOjA5ICswMDAwClN1YmplY3Q6IFtQQVRDSF0gdG9vbHM6IGxp YnhsOiBFeHBsaWNpdGx5IGRpc2FibGUgZ3JhcGhpY3MgYmFja2VuZHMgb24g cWVtdQogY21kbGluZQoKQnkgZGVmYXVsdCBxZW11IHdpbGwgdHJ5IHRvIGNy ZWF0ZSBzb21lIHNvcnQgb2YgYmFja2VuZCBmb3IgdGhlCmVtdWxhdGVkIFZH QSBkZXZpY2UsIGVpdGhlciBTREwgb3IgVk5DLgoKSG93ZXZlciB3aGVuIHRo ZSB1c2VyIHNwZWNpZmllcyBzZGw9MCBhbmQgdm5jPTAgaW4gdGhlaXIgY29u ZmlndXJhdGlvbgpsaWJ4bCB3YXMgbm90IGV4cGxpY2l0bHkgZGlzYWJsaW5n IGVpdGhlciBiYWNrZW5kLCB3aGljaCBjb3VsZCBsZWFkIHRvCm9uZSB1bmV4 cGVjdGVkbHkgcnVubmluZy4KCklmIGVpdGhlciBzZGw9MSBvciB2bmM9MSBp cyBjb25maWd1cmVkIHRoZW4gYm90aCBiZWZvcmUgYW5kIGFmdGVyIHRoaXMK Y2hhbmdlIG9ubHkgdGhlIGJhY2tlbmRzIHdoaWNoIGFyZSBleHBsaWNpdGx5 IGVuYWJsZWQgYXJlIGNvbmZpZ3VyZWQsCmkuZS4gdGhpcyBpc3N1ZSBvbmx5 IG9jY3VycyB3aGVuIGFsbCBiYWNrZW5kcyBhcmUgc3VwcG9zZWQgdG8gaGF2 ZQpiZWVuIGRpc2FibGVkLgoKVGhpcyBhZmZlY3RzIHFlbXUteGVuIGFuZCBx ZW11LXhlbi10cmFkaXRpb25hbCBkaWZmZXJlbnRseS4KCklmIHFlbXUteGVu IHdhcyBjb21waWxlZCB3aXRoIFNETCBzdXBwb3J0IHRoZW4gdGhpcyB3b3Vs ZCByZXN1bHQgaW4gYW4KU0RMIHdpbmRvdyBiZWluZyBvcGVuZWQgaWYgJERJ U1BMQVkgaXMgdmFsaWQsIG9yIGEgZmFpbHVyZSB0byBzdGFydAp0aGUgZ3Vl c3QgaWYgbm90LiBQYXNzaW5nICItZGlzcGxheSBub25lIiB0byBxZW11IGJl Zm9yZSBhbnkgZnVydGhlcgotc2RsIG9wdGlvbnMgZGlzYWJsZXMgdGhpcyBk ZWZhdWx0IGJlaGF2aW91ciBhbmQgZW5zdXJlcyB0aGF0IFNETCBpcwpvbmx5 IHN0YXJ0ZWQgaWYgdGhlIGxpYnhsIGNvbmZpZ3VyYXRpb24gZGVtYW5kcyBp dC4KCklmIHFlbXUteGVuIHdhcyBjb21waWxlZCB3aXRob3V0IFNETCBzdXBw b3J0IHRoZW4gcWVtdSB3b3VsZCBpbnN0ZWFkCnN0YXJ0IGEgVk5DIHNlcnZl ciBsaXN0ZW5pbmcgb24gOjoxIChJUHY2IGxvY2FsaG9zdCkgb3IgMTI3LjAu MC4xCihJUHY0IGxvY2FsaG9zdCkgd2l0aCBJUHY2IHByZWZlcnJlZCBpZiBh dmFpbGFibGUuIEV4cGxpY2l0bHkgcGFzcwoiLXZuYyBub25lIiB3aGVuIHZu YyBpcyBub3QgZW5hYmxlZCBpbiB0aGUgbGlieGwgY29uZmlndXJhdGlvbiB0 bwpyZW1vdmUgdGhpcyBwb3NzaWJpbGl0eS4KCnFlbXUteGVuLXRyYWRpdGlv bmFsIHdvdWxkIG5ldmVyIHN0YXJ0IGEgdm5jIGJhY2tlbmQgdW5sZXNzIGFz a2VkLgpIb3dldmVyIGJ5IGRlZmF1bHQgaXQgd2lsbCBzdGFydCBhbiBTREwg YmFja2VuZCwgdGhlIHdheSB0byBkaXNhYmxlCnRoaXMgaXMgdG8gcGFzcyBh IC12bmMgb3B0aW9uLiBJbiBvdGhlciB3b3JkcyBwYXNzaW5nICItdm5jIG5v bmUiIHdpbGwKZGlzYWJsZSBib3RoIHZuYyBhbmQgc2RsIGJ5IGRlZmF1bHQu IHNkbCBjYW4gdGhlbiBiZSByZWVuYWJsZWQgaWYKY29uZmlndXJlZCBieSBz dWJzZXF1ZW50IHVzZSBvZiB0aGUgLXNkbCBvcHRpb24uCgpUZXN0ZWQgd2l0 aCBib3RoIHFlbXUteGVuIGFuZCBxZW11LXhlbi10cmFkaXRpb25hbCBidWls dCB3aXRoIFNETApzdXBwb3J0IGFuZDoKCXhsIGNyICMgZGVmYXVsdHMKCXhs IGNyIHNkbD0wIHZuYz0wCgl4bCBjciBzZGw9MSB2bmM9MAoJeGwgY3Igc2Rs PTAgdm5jPTEKCXhsIGNyIHNkbD0wIHZuYz0wIHZnYT1cIm5vbmVcIgoJeGwg Y3Igc2RsPTAgdm5jPTAgbm9ncmFwaGljPTEKd2l0aCBib3RoIHZhbGlkIGFu ZCBpbnZhbGlkICRESVNQTEFZLgoKVGhpcyBpcyBYU0EtMTE5LgoKUmVwb3J0 ZWQtYnk6IFNhbmRlciBFaWtlbGVuYm9vbSA8bGludXhAZWlrZWxlbmJvb20u aXQ+ClNpZ25lZC1vZmYtYnk6IElhbiBDYW1wYmVsbCA8aWFuLmNhbXBiZWxs QGNpdHJpeC5jb20+CkFja2VkLWJ5OiBJYW4gSmFja3NvbiA8aWFuLmphY2tz b25AZXUuY2l0cml4LmNvbT4KLS0tCiB0b29scy9saWJ4bC9saWJ4bF9kbS5j IHwgMjEgKysrKysrKysrKysrKysrKysrKy0tCiAxIGZpbGUgY2hhbmdlZCwg MTkgaW5zZXJ0aW9ucygrKSwgMiBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQg YS90b29scy9saWJ4bC9saWJ4bF9kbS5jIGIvdG9vbHMvbGlieGwvbGlieGxf ZG0uYwppbmRleCA4NTk5YTZhLi4zYjkxOGM2IDEwMDY0NAotLS0gYS90b29s cy9saWJ4bC9saWJ4bF9kbS5jCisrKyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2Rt LmMKQEAgLTE4MCw3ICsxODAsMTQgQEAgc3RhdGljIGNoYXIgKiogbGlieGxf X2J1aWxkX2RldmljZV9tb2RlbF9hcmdzX29sZChsaWJ4bF9fZ2MgKmdjLAog ICAgICAgICBpZiAobGlieGxfZGVmYm9vbF92YWwodm5jLT5maW5kdW51c2Vk KSkgewogICAgICAgICAgICAgZmxleGFycmF5X2FwcGVuZChkbV9hcmdzLCAi LXZuY3VudXNlZCIpOwogICAgICAgICB9Ci0gICAgfQorICAgIH0gZWxzZQor ICAgICAgICAvKgorICAgICAgICAgKiBWTkMgaXMgbm90IGVuYWJsZWQgYnkg ZGVmYXVsdCBieSBxZW11LXhlbi10cmFkaXRpb25hbCwKKyAgICAgICAgICog aG93ZXZlciBwYXNzaW5nIC12bmMgbm9uZSBjYXVzZXMgU0RMIHRvIG5vdCBi ZQorICAgICAgICAgKiAodW5leHBlY3RlZGx5KSBlbmFibGVkIGJ5IGRlZmF1 bHQuIFRoaXMgaXMgb3ZlcnJpZGRlbiBieQorICAgICAgICAgKiBleHBsaWNp dGx5IHBhc3NpbmcgLXNkbCBiZWxvdyBhcyByZXF1aXJlZC4KKyAgICAgICAg ICovCisgICAgICAgIGZsZXhhcnJheV9hcHBlbmRfcGFpcihkbV9hcmdzLCAi LXZuYyIsICJub25lIik7CiAKICAgICBpZiAoc2RsKSB7CiAgICAgICAgIGZs ZXhhcnJheV9hcHBlbmQoZG1fYXJncywgIi1zZGwiKTsKQEAgLTUyMiw3ICs1 MjksMTcgQEAgc3RhdGljIGNoYXIgKiogbGlieGxfX2J1aWxkX2RldmljZV9t b2RlbF9hcmdzX25ldyhsaWJ4bF9fZ2MgKmdjLAogICAgICAgICB9CiAKICAg ICAgICAgZmxleGFycmF5X2FwcGVuZChkbV9hcmdzLCB2bmNhcmcpOwotICAg IH0KKyAgICB9IGVsc2UKKyAgICAgICAgLyoKKyAgICAgICAgICogRW5zdXJl IHRoYXQgYnkgZGVmYXVsdCBubyB2bmMgc2VydmVyIGlzIGNyZWF0ZWQuCisg ICAgICAgICAqLworICAgICAgICBmbGV4YXJyYXlfYXBwZW5kX3BhaXIoZG1f YXJncywgIi12bmMiLCAibm9uZSIpOworCisgICAgLyoKKyAgICAgKiBFbnN1 cmUgdGhhdCBieSBkZWZhdWx0IG5vIGRpc3BsYXkgYmFja2VuZCBpcyBjcmVh dGVkLiBGdXJ0aGVyCisgICAgICogb3B0aW9ucyBnaXZlbiBiZWxvdyBtaWdo dCB0aGVuIGVuYWJsZSBtb3JlLgorICAgICAqLworICAgIGZsZXhhcnJheV9h cHBlbmRfcGFpcihkbV9hcmdzLCAiLWRpc3BsYXkiLCAibm9uZSIpOwogCiAg ICAgaWYgKHNkbCkgewogICAgICAgICBmbGV4YXJyYXlfYXBwZW5kKGRtX2Fy Z3MsICItc2RsIik7Ci0tIAoyLjEuNAoK --=separator Content-Type: application/octet-stream; name="xsa119-4.2.patch" Content-Disposition: attachment; filename="xsa119-4.2.patch" Content-Transfer-Encoding: base64 RnJvbSBiNmUzMjdmZGU2YzM2NTA4NjU5NGUyYjQ2ZWRmNDM1YWExNjcxYjFh IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBJYW4gQ2FtcGJlbGwg PGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpEYXRlOiBGcmksIDIwIEZlYiAy MDE1IDE0OjQxOjA5ICswMDAwClN1YmplY3Q6IFtQQVRDSF0gdG9vbHM6IGxp YnhsOiBFeHBsaWNpdGx5IGRpc2FibGUgZ3JhcGhpY3MgYmFja2VuZHMgb24g cWVtdQogY21kbGluZQoKQnkgZGVmYXVsdCBxZW11IHdpbGwgdHJ5IHRvIGNy ZWF0ZSBzb21lIHNvcnQgb2YgYmFja2VuZCBmb3IgdGhlCmVtdWxhdGVkIFZH QSBkZXZpY2UsIGVpdGhlciBTREwgb3IgVk5DLgoKSG93ZXZlciB3aGVuIHRo ZSB1c2VyIHNwZWNpZmllcyBzZGw9MCBhbmQgdm5jPTAgaW4gdGhlaXIgY29u ZmlndXJhdGlvbgpsaWJ4bCB3YXMgbm90IGV4cGxpY2l0bHkgZGlzYWJsaW5n IGVpdGhlciBiYWNrZW5kLCB3aGljaCBjb3VsZCBsZWFkIHRvCm9uZSB1bmV4 cGVjdGVkbHkgcnVubmluZy4KCklmIGVpdGhlciBzZGw9MSBvciB2bmM9MSBp cyBjb25maWd1cmVkIHRoZW4gYm90aCBiZWZvcmUgYW5kIGFmdGVyIHRoaXMK Y2hhbmdlIG9ubHkgdGhlIGJhY2tlbmRzIHdoaWNoIGFyZSBleHBsaWNpdGx5 IGVuYWJsZWQgYXJlIGNvbmZpZ3VyZWQsCmkuZS4gdGhpcyBpc3N1ZSBvbmx5 IG9jY3VycyB3aGVuIGFsbCBiYWNrZW5kcyBhcmUgc3VwcG9zZWQgdG8gaGF2 ZQpiZWVuIGRpc2FibGVkLgoKVGhpcyBhZmZlY3RzIHFlbXUteGVuIGFuZCBx ZW11LXhlbi10cmFkaXRpb25hbCBkaWZmZXJlbnRseS4KCklmIHFlbXUteGVu IHdhcyBjb21waWxlZCB3aXRoIFNETCBzdXBwb3J0IHRoZW4gdGhpcyB3b3Vs ZCByZXN1bHQgaW4gYW4KU0RMIHdpbmRvdyBiZWluZyBvcGVuZWQgaWYgJERJ U1BMQVkgaXMgdmFsaWQsIG9yIGEgZmFpbHVyZSB0byBzdGFydAp0aGUgZ3Vl c3QgaWYgbm90LiBQYXNzaW5nICItZGlzcGxheSBub25lIiB0byBxZW11IGJl Zm9yZSBhbnkgZnVydGhlcgotc2RsIG9wdGlvbnMgZGlzYWJsZXMgdGhpcyBk ZWZhdWx0IGJlaGF2aW91ciBhbmQgZW5zdXJlcyB0aGF0IFNETCBpcwpvbmx5 IHN0YXJ0ZWQgaWYgdGhlIGxpYnhsIGNvbmZpZ3VyYXRpb24gZGVtYW5kcyBp dC4KCklmIHFlbXUteGVuIHdhcyBjb21waWxlZCB3aXRob3V0IFNETCBzdXBw b3J0IHRoZW4gcWVtdSB3b3VsZCBpbnN0ZWFkCnN0YXJ0IGEgVk5DIHNlcnZl ciBsaXN0ZW5pbmcgb24gOjoxIChJUHY2IGxvY2FsaG9zdCkgb3IgMTI3LjAu MC4xCihJUHY0IGxvY2FsaG9zdCkgd2l0aCBJUHY2IHByZWZlcnJlZCBpZiBh dmFpbGFibGUuIEV4cGxpY2l0bHkgcGFzcwoiLXZuYyBub25lIiB3aGVuIHZu YyBpcyBub3QgZW5hYmxlZCBpbiB0aGUgbGlieGwgY29uZmlndXJhdGlvbiB0 bwpyZW1vdmUgdGhpcyBwb3NzaWJpbGl0eS4KCnFlbXUteGVuLXRyYWRpdGlv bmFsIHdvdWxkIG5ldmVyIHN0YXJ0IGEgdm5jIGJhY2tlbmQgdW5sZXNzIGFz a2VkLgpIb3dldmVyIGJ5IGRlZmF1bHQgaXQgd2lsbCBzdGFydCBhbiBTREwg YmFja2VuZCwgdGhlIHdheSB0byBkaXNhYmxlCnRoaXMgaXMgdG8gcGFzcyBh IC12bmMgb3B0aW9uLiBJbiBvdGhlciB3b3JkcyBwYXNzaW5nICItdm5jIG5v bmUiIHdpbGwKZGlzYWJsZSBib3RoIHZuYyBhbmQgc2RsIGJ5IGRlZmF1bHQu IHNkbCBjYW4gdGhlbiBiZSByZWVuYWJsZWQgaWYKY29uZmlndXJlZCBieSBz dWJzZXF1ZW50IHVzZSBvZiB0aGUgLXNkbCBvcHRpb24uCgpUZXN0ZWQgd2l0 aCBib3RoIHFlbXUteGVuIGFuZCBxZW11LXhlbi10cmFkaXRpb25hbCBidWls dCB3aXRoIFNETApzdXBwb3J0IGFuZDoKCXhsIGNyICMgZGVmYXVsdHMKCXhs IGNyIHNkbD0wIHZuYz0wCgl4bCBjciBzZGw9MSB2bmM9MAoJeGwgY3Igc2Rs PTAgdm5jPTEKCXhsIGNyIHNkbD0wIHZuYz0wIHZnYT1cIm5vbmVcIgoJeGwg Y3Igc2RsPTAgdm5jPTAgbm9ncmFwaGljPTEKd2l0aCBib3RoIHZhbGlkIGFu ZCBpbnZhbGlkICRESVNQTEFZLgoKVGhpcyBpcyBYU0EtMTE5LgoKUmVwb3J0 ZWQtYnk6IFNhbmRlciBFaWtlbGVuYm9vbSA8bGludXhAZWlrZWxlbmJvb20u aXQ+ClNpZ25lZC1vZmYtYnk6IElhbiBDYW1wYmVsbCA8aWFuLmNhbXBiZWxs QGNpdHJpeC5jb20+CkFja2VkLWJ5OiBJYW4gSmFja3NvbiA8aWFuLmphY2tz b25AZXUuY2l0cml4LmNvbT4KLS0tCiB0b29scy9saWJ4bC9saWJ4bF9kbS5j IHwgMjMgKysrKysrKysrKysrKysrKysrKysrLS0KIDEgZmlsZSBjaGFuZ2Vk LCAyMSBpbnNlcnRpb25zKCspLCAyIGRlbGV0aW9ucygtKQoKZGlmZiAtLWdp dCBhL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMgYi90b29scy9saWJ4bC9saWJ4 bF9kbS5jCmluZGV4IDg4YTQ4OTQuLjZhMWI5MWYgMTAwNjQ0Ci0tLSBhL3Rv b2xzL2xpYnhsL2xpYnhsX2RtLmMKKysrIGIvdG9vbHMvbGlieGwvbGlieGxf ZG0uYwpAQCAtMTQ3LDcgKzE0NywxNSBAQCBzdGF0aWMgY2hhciAqKiBsaWJ4 bF9fYnVpbGRfZGV2aWNlX21vZGVsX2FyZ3Nfb2xkKGxpYnhsX19nYyAqZ2Ms CiAgICAgICAgIGlmIChsaWJ4bF9kZWZib29sX3ZhbCh2bmMtPmZpbmR1bnVz ZWQpKSB7CiAgICAgICAgICAgICBmbGV4YXJyYXlfYXBwZW5kKGRtX2FyZ3Ms ICItdm5jdW51c2VkIik7CiAgICAgICAgIH0KLSAgICB9CisgICAgfSBlbHNl CisgICAgICAgIC8qCisgICAgICAgICAqIFZOQyBpcyBub3QgZW5hYmxlZCBi eSBkZWZhdWx0IGJ5IHFlbXUteGVuLXRyYWRpdGlvbmFsLAorICAgICAgICAg KiBob3dldmVyIHBhc3NpbmcgLXZuYyBub25lIGNhdXNlcyBTREwgdG8gbm90 IGJlCisgICAgICAgICAqICh1bmV4cGVjdGVkbHkpIGVuYWJsZWQgYnkgZGVm YXVsdC4gVGhpcyBpcyBvdmVycmlkZGVuIGJ5CisgICAgICAgICAqIGV4cGxp Y2l0bHkgcGFzc2luZyAtc2RsIGJlbG93IGFzIHJlcXVpcmVkLgorICAgICAg ICAgKi8KKyAgICAgICAgZmxleGFycmF5X2FwcGVuZF9wYWlyKGRtX2FyZ3Ms ICItdm5jIiwgIm5vbmUiKTsKKwogICAgIGlmIChzZGwpIHsKICAgICAgICAg ZmxleGFycmF5X2FwcGVuZChkbV9hcmdzLCAiLXNkbCIpOwogICAgICAgICBp ZiAoIWxpYnhsX2RlZmJvb2xfdmFsKHNkbC0+b3BlbmdsKSkgewpAQCAtMzk0 LDcgKzQwMiwxOCBAQCBzdGF0aWMgY2hhciAqKiBsaWJ4bF9fYnVpbGRfZGV2 aWNlX21vZGVsX2FyZ3NfbmV3KGxpYnhsX19nYyAqZ2MsCiAgICAgICAgICAg ICB2bmNhcmcgPSBsaWJ4bF9fc3ByaW50ZihnYywgIiVzLHRvPTk5Iiwgdm5j YXJnKTsKICAgICAgICAgfQogICAgICAgICBmbGV4YXJyYXlfYXBwZW5kKGRt X2FyZ3MsIHZuY2FyZyk7Ci0gICAgfQorICAgIH0gZWxzZQorICAgICAgICAv KgorICAgICAgICAgKiBFbnN1cmUgdGhhdCBieSBkZWZhdWx0IG5vIHZuYyBz ZXJ2ZXIgaXMgY3JlYXRlZC4KKyAgICAgICAgICovCisgICAgICAgIGZsZXhh cnJheV9hcHBlbmRfcGFpcihkbV9hcmdzLCAiLXZuYyIsICJub25lIik7CisK KyAgICAvKgorICAgICAqIEVuc3VyZSB0aGF0IGJ5IGRlZmF1bHQgbm8gZGlz cGxheSBiYWNrZW5kIGlzIGNyZWF0ZWQuIEZ1cnRoZXIKKyAgICAgKiBvcHRp b25zIGdpdmVuIGJlbG93IG1pZ2h0IHRoZW4gZW5hYmxlIG1vcmUuCisgICAg ICovCisgICAgZmxleGFycmF5X2FwcGVuZF9wYWlyKGRtX2FyZ3MsICItZGlz cGxheSIsICJub25lIik7CisKICAgICBpZiAoc2RsKSB7CiAgICAgICAgIGZs ZXhhcnJheV9hcHBlbmQoZG1fYXJncywgIi1zZGwiKTsKICAgICAgICAgLyog WFhYIHNkbC0+e2Rpc3BsYXkseGF1dGhvcml0eX0gaW50byAkRElTUExBWS8k WEFVVEhPUklUWSAqLwotLSAKMi4xLjQKCg== --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Fri Mar 13 11:40:14 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 13 Mar 2015 11:40:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWNvi-0005tA-5P; Fri, 13 Mar 2015 11:39:02 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWNvg-0005sI-Nn; Fri, 13 Mar 2015 11:39:01 +0000 Received: from [85.158.137.68] by server-6.bemta-3.messagelabs.com id DC/48-18734-35CC2055; Fri, 13 Mar 2015 11:38:59 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-4.tower-31.messagelabs.com!1426246737!11710755!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22459 invoked from network); 13 Mar 2015 11:38:58 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-4.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 13 Mar 2015 11:38:58 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWNvW-0005uB-HU; Fri, 13 Mar 2015 11:38:50 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YWNvV-00072K-Vq; Fri, 13 Mar 2015 11:38:50 +0000 Date: Fri, 13 Mar 2015 11:38:49 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 4 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 4 ==================== Supply an additional patch for arm64. The original patches had the permissions check backwards, meaning that a guest could read a write-only mapping and vice versa, rendering the original fix ineffective an inparticular not closing down the ability for a guest to write to a readonly page via the hypervisor. This issue was discussed on a public IRC channel and therefore it has been agreed with the discoverer that it should not subject to a new embargo. 32-bit ARM systems are not affected by this mistake; the original fix remains correct for 32-bit. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches along with the additional update resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x xsa98-update.patch Additional update for both unstable and 4.4 $ sha256sum xsa98*.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch 8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8 xsa98-update.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAswXAAoJEIP+FMlX6CvZHBQIAJGGvIhPc7ZKa1uVGvY/wpbX C3mjzLksdFVtIYfmMxTctuZytpA+s4DwrIRg2qfL1KA+2Qz/jjJP6HtzPM9Er8JJ zEz9UUFreccDNHVxZW2vmHxKJ4T3SIPlmx/E3dsr9kiHLGalW3XvKwCgRJ5ZceID nvasZuCPYK1zlTYnIQERQDjXVmUd2mipHBFI69o81dyZkLEtlB9OGXC+OZKPVE0A GdvkEXhca6GYSvdD3t1nEoDrpsqMwpi1bYpd0dPoQbSW6cY7DomzcT5f4zmOJRxB L/SYOqsl4SomH/FO0tYw1IrFQ1VVShmFlIre3EIeXWGa8LwAQUVt+qdYgvSPncc= =slo3 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-update.patch" Content-Disposition: attachment; filename="xsa98-update.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNvcnJlY3QgYXJtNjQgdmVyc2lvbiBvZiBndmFfdG9fbWFf cGFyCgpUaGUgaW1wbGVtZW50YXRpb24gd2FzIGJhY2t3YXJkcyBhbmQgY2hl Y2tlZCB0aGF0IHRoZSBndWVzdCBjb3VsZApyZWFkIHdoZW4gYXNrZWQgYWJv dXQgd3JpdGUgYW5kIHZpY2UgdmVyc2EuCgpUaGlzIGlzIGFuIHVwZGF0ZSB0 byB0aGUgZml4IGZvciBYU0EtOTguCgpSZXBvcnRlZC1ieTogVGFtYXMgSyBM ZW5neWVsIDx0a2xlbmd5ZWxAc2VjLmluLnR1bS5kZT4KU2lnbmVkLW9mZi1i eTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRp ZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IGJiMTAx NjQuLjM4NmU0MzQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtNjQvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQv cGFnZS5oCkBAIC04Niw5ICs4Niw5IEBAIHN0YXRpYyBpbmxpbmUgdWludDY0 X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhLCB1bnNpZ25lZCBpbnQgZmxh Z3MpCiAgICAgdWludDY0X3QgcGFyLCB0bXAgPSBSRUFEX1NZU1JFRzY0KFBB Ul9FTDEpOwogCiAgICAgaWYgKCAoZmxhZ3MgJiBHVjJNX1dSSVRFKSA9PSBH VjJNX1dSSVRFICkKLSAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTFy LCAlMDsiIDogOiAiciIgKHZhKSk7Ci0gICAgZWxzZQogICAgICAgICBhc20g dm9sYXRpbGUgKCJhdCBzMTJlMXcsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAg ICBlbHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7 IiA6IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQ QVJfRUwxKTsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Fri Mar 13 11:40:14 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 13 Mar 2015 11:40:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWNvi-0005tA-5P; Fri, 13 Mar 2015 11:39:02 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWNvg-0005sI-Nn; Fri, 13 Mar 2015 11:39:01 +0000 Received: from [85.158.137.68] by server-6.bemta-3.messagelabs.com id DC/48-18734-35CC2055; Fri, 13 Mar 2015 11:38:59 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-4.tower-31.messagelabs.com!1426246737!11710755!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22459 invoked from network); 13 Mar 2015 11:38:58 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-4.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 13 Mar 2015 11:38:58 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWNvW-0005uB-HU; Fri, 13 Mar 2015 11:38:50 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YWNvV-00072K-Vq; Fri, 13 Mar 2015 11:38:50 +0000 Date: Fri, 13 Mar 2015 11:38:49 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 4 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 4 ==================== Supply an additional patch for arm64. The original patches had the permissions check backwards, meaning that a guest could read a write-only mapping and vice versa, rendering the original fix ineffective an inparticular not closing down the ability for a guest to write to a readonly page via the hypervisor. This issue was discussed on a public IRC channel and therefore it has been agreed with the discoverer that it should not subject to a new embargo. 32-bit ARM systems are not affected by this mistake; the original fix remains correct for 32-bit. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches along with the additional update resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x xsa98-update.patch Additional update for both unstable and 4.4 $ sha256sum xsa98*.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch 8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8 xsa98-update.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAswXAAoJEIP+FMlX6CvZHBQIAJGGvIhPc7ZKa1uVGvY/wpbX C3mjzLksdFVtIYfmMxTctuZytpA+s4DwrIRg2qfL1KA+2Qz/jjJP6HtzPM9Er8JJ zEz9UUFreccDNHVxZW2vmHxKJ4T3SIPlmx/E3dsr9kiHLGalW3XvKwCgRJ5ZceID nvasZuCPYK1zlTYnIQERQDjXVmUd2mipHBFI69o81dyZkLEtlB9OGXC+OZKPVE0A GdvkEXhca6GYSvdD3t1nEoDrpsqMwpi1bYpd0dPoQbSW6cY7DomzcT5f4zmOJRxB L/SYOqsl4SomH/FO0tYw1IrFQ1VVShmFlIre3EIeXWGa8LwAQUVt+qdYgvSPncc= =slo3 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-update.patch" Content-Disposition: attachment; filename="xsa98-update.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNvcnJlY3QgYXJtNjQgdmVyc2lvbiBvZiBndmFfdG9fbWFf cGFyCgpUaGUgaW1wbGVtZW50YXRpb24gd2FzIGJhY2t3YXJkcyBhbmQgY2hl Y2tlZCB0aGF0IHRoZSBndWVzdCBjb3VsZApyZWFkIHdoZW4gYXNrZWQgYWJv dXQgd3JpdGUgYW5kIHZpY2UgdmVyc2EuCgpUaGlzIGlzIGFuIHVwZGF0ZSB0 byB0aGUgZml4IGZvciBYU0EtOTguCgpSZXBvcnRlZC1ieTogVGFtYXMgSyBM ZW5neWVsIDx0a2xlbmd5ZWxAc2VjLmluLnR1bS5kZT4KU2lnbmVkLW9mZi1i eTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRp ZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IGJiMTAx NjQuLjM4NmU0MzQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtNjQvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQv cGFnZS5oCkBAIC04Niw5ICs4Niw5IEBAIHN0YXRpYyBpbmxpbmUgdWludDY0 X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhLCB1bnNpZ25lZCBpbnQgZmxh Z3MpCiAgICAgdWludDY0X3QgcGFyLCB0bXAgPSBSRUFEX1NZU1JFRzY0KFBB Ul9FTDEpOwogCiAgICAgaWYgKCAoZmxhZ3MgJiBHVjJNX1dSSVRFKSA9PSBH VjJNX1dSSVRFICkKLSAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTFy LCAlMDsiIDogOiAiciIgKHZhKSk7Ci0gICAgZWxzZQogICAgICAgICBhc20g dm9sYXRpbGUgKCJhdCBzMTJlMXcsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAg ICBlbHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7 IiA6IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQ QVJfRUwxKTsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Fri Mar 13 16:00:50 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 13 Mar 2015 16:00:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWRzy-0006lx-My; Fri, 13 Mar 2015 15:59:42 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWRzx-0006ku-FE; Fri, 13 Mar 2015 15:59:41 +0000 Received: from [85.158.137.68] by server-2.bemta-3.messagelabs.com id 4C/53-01923-C6903055; Fri, 13 Mar 2015 15:59:40 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-31.messagelabs.com!1426262378!11826489!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11527 invoked from network); 13 Mar 2015 15:59:39 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 13 Mar 2015 15:59:39 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWRzm-0000Iy-Jg; Fri, 13 Mar 2015 15:59:30 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YWRzm-0008Az-7I; Fri, 13 Mar 2015 15:59:30 +0000 Date: Fri, 13 Mar 2015 15:59:30 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 5 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 5 ==================== The issue described in update 4 also affects Xen 4.5 which was not released at the time of the original advisory. The extra patch supplied with version 4 of this advisory is for Xen 4.5.x (as well as 4.4.x and xen-unstable). Added credits for updated issue. UPDATES IN VERSION 4 ==================== Supply an additional patch for arm64. The original patches had the permissions check backwards, meaning that a guest could read a write-only mapping and vice versa, rendering the original fix ineffective an inparticular not closing down the ability for a guest to write to a readonly page via the hypervisor. This issue was discussed on a public IRC channel and therefore it has been agreed with the discoverer that it should not subject to a new embargo. 32-bit ARM systems are not affected by this mistake; the original fix remains correct for 32-bit. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. The additional issue reported in update 4 was discovered by Tamas K Lengyel. RESOLUTION ========== Applying the appropriate pair of attached patches along with the additional update resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x xsa98-update.patch Additional update for unstable, 4.5.x and 4.4.x $ sha256sum xsa98*.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch 8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8 xsa98-update.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAwlFAAoJEIP+FMlX6CvZBGMH/1qZuF20x5mfSn9TPDXJZrU4 dc6Jab7VDISnfy2CkLPsyLeaOolWm34HgP0a+vggInuxtKmo7TIvoJBUVi6ndsJI mqSWsoUvOl6PthAB1/4WNH2e/wySxBLFEwQWnUZRXxW32LrQzb+rVcJvvHjZiYKR p7NYKYklCZDKhmX5DdANjO1RDg561UnenEMsgUbOdyjsk2s8o+/ni927ZUzhnxQe NY9LqpgOyjBLb+5tStq2v03A+ax7mgzRMQLYlWsuY+Vt08HQsPuEPxN9JNkpmEwb A46OICRNMEwzKmt6ZKpYJSibiffHAMm5aeRd2SalpUjlIAg67H/LHf0vV/4bJ9o= =igf6 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-update.patch" Content-Disposition: attachment; filename="xsa98-update.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNvcnJlY3QgYXJtNjQgdmVyc2lvbiBvZiBndmFfdG9fbWFf cGFyCgpUaGUgaW1wbGVtZW50YXRpb24gd2FzIGJhY2t3YXJkcyBhbmQgY2hl Y2tlZCB0aGF0IHRoZSBndWVzdCBjb3VsZApyZWFkIHdoZW4gYXNrZWQgYWJv dXQgd3JpdGUgYW5kIHZpY2UgdmVyc2EuCgpUaGlzIGlzIGFuIHVwZGF0ZSB0 byB0aGUgZml4IGZvciBYU0EtOTguCgpSZXBvcnRlZC1ieTogVGFtYXMgSyBM ZW5neWVsIDx0a2xlbmd5ZWxAc2VjLmluLnR1bS5kZT4KU2lnbmVkLW9mZi1i eTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRp ZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IGJiMTAx NjQuLjM4NmU0MzQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtNjQvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQv cGFnZS5oCkBAIC04Niw5ICs4Niw5IEBAIHN0YXRpYyBpbmxpbmUgdWludDY0 X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhLCB1bnNpZ25lZCBpbnQgZmxh Z3MpCiAgICAgdWludDY0X3QgcGFyLCB0bXAgPSBSRUFEX1NZU1JFRzY0KFBB Ul9FTDEpOwogCiAgICAgaWYgKCAoZmxhZ3MgJiBHVjJNX1dSSVRFKSA9PSBH VjJNX1dSSVRFICkKLSAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTFy LCAlMDsiIDogOiAiciIgKHZhKSk7Ci0gICAgZWxzZQogICAgICAgICBhc20g dm9sYXRpbGUgKCJhdCBzMTJlMXcsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAg ICBlbHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7 IiA6IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQ QVJfRUwxKTsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Fri Mar 13 16:00:50 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 13 Mar 2015 16:00:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWRzy-0006lx-My; Fri, 13 Mar 2015 15:59:42 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWRzx-0006ku-FE; Fri, 13 Mar 2015 15:59:41 +0000 Received: from [85.158.137.68] by server-2.bemta-3.messagelabs.com id 4C/53-01923-C6903055; Fri, 13 Mar 2015 15:59:40 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-10.tower-31.messagelabs.com!1426262378!11826489!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11527 invoked from network); 13 Mar 2015 15:59:39 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-10.tower-31.messagelabs.com with AES256-SHA encrypted SMTP; 13 Mar 2015 15:59:39 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YWRzm-0000Iy-Jg; Fri, 13 Mar 2015 15:59:30 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YWRzm-0008Az-7I; Fri, 13 Mar 2015 15:59:30 +0000 Date: Fri, 13 Mar 2015 15:59:30 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 5 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 5 ==================== The issue described in update 4 also affects Xen 4.5 which was not released at the time of the original advisory. The extra patch supplied with version 4 of this advisory is for Xen 4.5.x (as well as 4.4.x and xen-unstable). Added credits for updated issue. UPDATES IN VERSION 4 ==================== Supply an additional patch for arm64. The original patches had the permissions check backwards, meaning that a guest could read a write-only mapping and vice versa, rendering the original fix ineffective an inparticular not closing down the ability for a guest to write to a readonly page via the hypervisor. This issue was discussed on a public IRC channel and therefore it has been agreed with the discoverer that it should not subject to a new embargo. 32-bit ARM systems are not affected by this mistake; the original fix remains correct for 32-bit. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. The additional issue reported in update 4 was discovered by Tamas K Lengyel. RESOLUTION ========== Applying the appropriate pair of attached patches along with the additional update resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x xsa98-update.patch Additional update for unstable, 4.5.x and 4.4.x $ sha256sum xsa98*.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch 8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8 xsa98-update.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAwlFAAoJEIP+FMlX6CvZBGMH/1qZuF20x5mfSn9TPDXJZrU4 dc6Jab7VDISnfy2CkLPsyLeaOolWm34HgP0a+vggInuxtKmo7TIvoJBUVi6ndsJI mqSWsoUvOl6PthAB1/4WNH2e/wySxBLFEwQWnUZRXxW32LrQzb+rVcJvvHjZiYKR p7NYKYklCZDKhmX5DdANjO1RDg561UnenEMsgUbOdyjsk2s8o+/ni927ZUzhnxQe NY9LqpgOyjBLb+5tStq2v03A+ax7mgzRMQLYlWsuY+Vt08HQsPuEPxN9JNkpmEwb A46OICRNMEwzKmt6ZKpYJSibiffHAMm5aeRd2SalpUjlIAg67H/LHf0vV/4bJ9o= =igf6 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa98-unstable-01.patch" Content-Disposition: attachment; filename="xsa98-unstable-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IGM0MjQ3OTMuLmQwNzk5ODIgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTEwMDUsNyArMTAwNSw3IEBAIHN0 YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJuZWxfaW5mbyAqa2lu Zm8pCiAgICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAg bCA9IG1pbihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAg ICAgcmMgPSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEs IEdWMk1fV1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewog ICAgICAgICAgICAgcGFuaWMoIlVuYWJsZSB0byB0cmFuc2xhdGUgZ3Vlc3Qg YWRkcmVzcyIpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29w eS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCmluZGV4IGNlYTVmOTcu LmQxZmRkZWMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKQEAgLTE3LDcgKzE3 LDcgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfdG9fZ3Vlc3Rf aGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9tLAogICAgICAgICB2 b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVu c2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7CiAKLSAgICAgICAgaWYgKCBn dmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnKSApCisgICAgICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklU RSkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAogICAgICAgICBwID0g bWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpAQCAtNjIsNyArNjIs NyBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lkICp0bywg dW5zaWduZWQgbGVuKQogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNp Z25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9m ZnNldCk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgdG8sICZnKSApCisgICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZh ZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQogICAgICAgICAgICAgcmV0 dXJuIGxlbjsKIAogICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBB R0VfU0hJRlQpOwpAQCAtOTIsNyArOTIsNyBAQCB1bnNpZ25lZCBsb25nIHJh d19jb3B5X2Zyb21fZ3Vlc3Qodm9pZCAqdG8sIGNvbnN0IHZvaWQgX191c2Vy ICpmcm9tLCB1bnNpZ25lZCBsZQogICAgICAgICB2b2lkICpwOwogICAgICAg ICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKShQQUdFX1NJ WkUgLSBvZmZzZXQpKTsKIAotICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRy KCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNLLCAmZykgKQorICAgICAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSBmcm9tICYgUEFHRV9NQVNL LCAmZywgR1YyTV9SRUFEKSApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwog CiAgICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7 CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0va2VybmVsLmMgYi94ZW4vYXJj aC9hcm0va2VybmVsLmMKaW5kZXggYzgyOTA2Zi4uNjkxODJlYyAxMDA2NDQK LS0tIGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jCisrKyBiL3hlbi9hcmNoL2Fy bS9rZXJuZWwuYwpAQCAtMTcyLDcgKzE3Miw3IEBAIHN0YXRpYyB2b2lkIGtl cm5lbF96aW1hZ2VfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmluZm8pCiAg ICAgICAgIHMgPSBvZmZzICYgflBBR0VfTUFTSzsKICAgICAgICAgbCA9IG1p bihQQUdFX1NJWkUgLSBzLCBsZW4pOwogCi0gICAgICAgIHJjID0gZ3ZpcnRf dG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hKTsKKyAgICAgICAgcmMg PSBndmlydF90b19tYWRkcihsb2FkX2FkZHIgKyBvZmZzLCAmbWEsIEdWMk1f V1JJVEUpOwogICAgICAgICBpZiAoIHJjICkKICAgICAgICAgewogICAgICAg ICAgICAgcGFuaWMoIlVuYWJsZSB0byBtYXAgdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIv eGVuL2FyY2gvYXJtL3RyYXBzLmMKaW5kZXggMDNhM2RhNi4uZGY4NmZmZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTgzNyw3ICs4MzcsNyBAQCBzdGF0aWMgdm9p ZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1 X3VzZXJfcmVncyAqcmVncykKIAogICAgIHByaW50aygiR3Vlc3Qgc3RhY2sg dHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpcbiAgIiwgc3ApOwogCi0gICAg aWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMpICkKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHNwLCAmc3RhY2tfcGh5cywgR1YyTV9SRUFE KSApCiAgICAgewogICAgICAgICBwcmludGsoIkZhaWxlZCB0byBjb252ZXJ0 IHN0YWNrIHRvIHBoeXNpY2FsIGFkZHJlc3NcbiIpOwogICAgICAgICByZXR1 cm47CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Bh Z2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcGFnZS5oCmluZGV4 IDRhYmIyODEuLjk3NDA2NzIgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2Fz bS1hcm0vYXJtMzIvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtMzIvcGFnZS5oCkBAIC04NywxMSArODcsMTQgQEAgc3RhdGljIGlubGlu ZSB1aW50NjRfdCBfX3ZhX3RvX3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBB c2sgdGhlIE1NVSB0byB0cmFuc2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8K LXN0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90 IHZhKQorc3RhdGljIGlubGluZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZh ZGRyX3QgdmEsIHVuc2lnbmVkIGludCBmbGFncykKIHsKICAgICB1aW50NjRf dCBwYXIsIHRtcDsKICAgICB0bXAgPSBSRUFEX0NQNjQoUEFSKTsKLSAgICBX UklURV9DUDMyKHZhLCBBVFMxMk5TT1BSKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BXKTsKKyAgICBlbHNlCisgICAgICAgIFdSSVRF X0NQMzIodmEsIEFUUzEyTlNPUFIpOwogICAgIGlzYigpOyAvKiBFbnN1cmUg cmVzdWx0IGlzIGF2YWlsYWJsZS4gKi8KICAgICBwYXIgPSBSRUFEX0NQNjQo UEFSKTsKICAgICBXUklURV9DUDY0KHRtcCwgUEFSKTsKZGlmZiAtLWdpdCBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oIGIveGVuL2luY2x1 ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKaW5kZXggNzEzYmFmNi4uYmIxMDE2 NCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdl LmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLWFybS9hcm02NC9wYWdlLmgKQEAg LTgxLDExICs4MSwxNCBAQCBzdGF0aWMgaW5saW5lIHVpbnQ2NF90IF9fdmFf dG9fcGFyKHZhZGRyX3QgdmEpCiB9CiAKIC8qIEFzayB0aGUgTU1VIHRvIHRy YW5zbGF0ZSBhIEd1ZXN0IFZBIGZvciB1cyAqLwotc3RhdGljIGlubGluZSB1 aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEpCitzdGF0aWMgaW5s aW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2YSwgdW5zaWdu ZWQgaW50IGZsYWdzKQogewogICAgIHVpbnQ2NF90IHBhciwgdG1wID0gUkVB RF9TWVNSRUc2NChQQVJfRUwxKTsKIAotICAgIGFzbSB2b2xhdGlsZSAoImF0 IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAgIGlmICggKGZsYWdz ICYgR1YyTV9XUklURSkgPT0gR1YyTV9XUklURSApCisgICAgICAgIGFzbSB2 b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7IiA6IDogInIiICh2YSkpOworICAg IGVsc2UKKyAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTF3LCAlMDsi IDogOiAiciIgKHZhKSk7CiAgICAgaXNiKCk7CiAgICAgcGFyID0gUkVBRF9T WVNSRUc2NChQQVJfRUwxKTsKICAgICBXUklURV9TWVNSRUc2NCh0bXAsIFBB Ul9FTDEpOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5o IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCmluZGV4IGI4ZDRlN2QuLmQw ZTVjYjQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAor KysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKQEAgLTIzMyw5ICsyMzMs OSBAQCBzdGF0aWMgaW5saW5lIHZvaWQgKm1hZGRyX3RvX3ZpcnQocGFkZHJf dCBtYSkKIH0KICNlbmRpZgogCi1zdGF0aWMgaW5saW5lIGludCBndmlydF90 b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSkKK3N0YXRpYyBpbmxp bmUgaW50IGd2aXJ0X3RvX21hZGRyKHZhZGRyX3QgdmEsIHBhZGRyX3QgKnBh LCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7Ci0gICAgdWludDY0X3QgcGFyID0g Z3ZhX3RvX21hX3Bhcih2YSk7CisgICAgdWludDY0X3QgcGFyID0gZ3ZhX3Rv X21hX3Bhcih2YSwgZmxhZ3MpOwogICAgIGlmICggcGFyICYgUEFSX0YgKQog ICAgICAgICByZXR1cm4gLUVGQVVMVDsKICAgICAqcGEgPSAocGFyICYgUEFE RFJfTUFTSyAmIFBBR0VfTUFTSykgfCAoKHVuc2lnbmVkIGxvbmcpIHZhICYg flBBR0VfTUFTSyk7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaCBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCmluZGV4IGMz OGU5YzkuLmU3MjNlNWEgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1h cm0vcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oCkBA IC03Myw2ICs3MywxMCBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCisvKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKyNkZWZpbmUgR1YyTV9SRUFEICAoMHU8PDApCisj ZGVmaW5lIEdWMk1fV1JJVEUgKDF1PDwwKQorCiAjaWZuZGVmIF9fQVNTRU1C TFlfXwogCiAjaW5jbHVkZSA8eGVuL3R5cGVzLmg+Cg== --=separator Content-Type: application/octet-stream; name="xsa98-unstable-02.patch" Content-Disposition: attachment; filename="xsa98-unstable-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KCmRpZmYg LS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggZDA3OTk4Mi4uNGRkMmQ4NCAx MDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jCisrKyBi L3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtMTAyNCw2ICsxMDI0 LDcgQEAgc3RhdGljIHZvaWQgaW5pdHJkX2xvYWQoc3RydWN0IGtlcm5lbF9p bmZvICpraW5mbykKIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1Y3QgZG9tYWlu ICpkKQogewogICAgIHN0cnVjdCBrZXJuZWxfaW5mbyBraW5mbyA9IHt9Owor ICAgIHN0cnVjdCB2Y3B1ICpzYXZlZF9jdXJyZW50OwogICAgIGludCByYywg aSwgY3B1OwogCiAgICAgc3RydWN0IHZjcHUgKnYgPSBkLT52Y3B1WzBdOwpA QCAtMTA2MCw4ICsxMDYxLDEzIEBAIGludCBjb25zdHJ1Y3RfZG9tMChzdHJ1 Y3QgZG9tYWluICpkKQogICAgIGlmICggcmMgPCAwICkKICAgICAgICAgcmV0 dXJuIHJjOwogCi0gICAgLyogVGhlIGZvbGxvd2luZyBsb2FkcyB1c2UgdGhl IGRvbWFpbidzIHAybSAqLworICAgIC8qCisgICAgICogVGhlIGZvbGxvd2lu ZyBsb2FkcyB1c2UgdGhlIGRvbWFpbidzIHAybSBhbmQgcmVxdWlyZSBjdXJy ZW50IHRvCisgICAgICogYmUgYSB2Y3B1IG9mIHRoZSBkb21haW4sIHRlbXBv cmFyaWx5IHN3aXRjaAorICAgICAqLworICAgIHNhdmVkX2N1cnJlbnQgPSBj dXJyZW50OwogICAgIHAybV9yZXN0b3JlX3N0YXRlKHYpOworICAgIHNldF9j dXJyZW50KHYpOwogCiAgICAgLyoKICAgICAgKiBrZXJuZWxfbG9hZCB3aWxs IGRldGVybWluZSB0aGUgcGxhY2VtZW50IG9mIHRoZSBrZXJuZWwgYXMgd2Vs bApAQCAtMTA3Miw2ICsxMDc4LDEwIEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgIGluaXRyZF9sb2FkKCZraW5mbyk7CiAg ICAgZHRiX2xvYWQoJmtpbmZvKTsKIAorICAgIC8qIE5vdyB0aGF0IHdlIGFy ZSBkb25lIHJlc3RvcmUgdGhlIG9yaWdpbmFsIHAybSBhbmQgY3VycmVudC4g Ki8KKyAgICBzZXRfY3VycmVudChzYXZlZF9jdXJyZW50KTsKKyAgICBwMm1f cmVzdG9yZV9zdGF0ZShzYXZlZF9jdXJyZW50KTsKKwogICAgIGRpc2NhcmRf aW5pdGlhbF9tb2R1bGVzKCk7CiAKICAgICB2LT5pc19pbml0aWFsaXNlZCA9 IDE7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMgYi94 ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMKaW5kZXggZDFmZGRlYy4uMDE3MzU5 NyAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCisrKyBi L3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwpAQCAtMSw2ICsxLDggQEAKICNp bmNsdWRlIDx4ZW4vY29uZmlnLmg+CiAjaW5jbHVkZSA8eGVuL2xpYi5oPgog I2luY2x1ZGUgPHhlbi9kb21haW5fcGFnZS5oPgorI2luY2x1ZGUgPHhlbi9z Y2hlZC5oPgorI2luY2x1ZGUgPGFzbS9jdXJyZW50Lmg+CiAKICNpbmNsdWRl IDxhc20vbW0uaD4KICNpbmNsdWRlIDxhc20vZ3Vlc3RfYWNjZXNzLmg+CkBA IC0xMywyMCArMTUsMjIgQEAgc3RhdGljIHVuc2lnbmVkIGxvbmcgcmF3X2Nv cHlfdG9fZ3Vlc3RfaGVscGVyKHZvaWQgKnRvLCBjb25zdCB2b2lkICpmcm9t LAogCiAgICAgd2hpbGUgKCBsZW4gKQogICAgIHsKLSAgICAgICAgcGFkZHJf dCBnOwogICAgICAgICB2b2lkICpwOwogICAgICAgICB1bnNpZ25lZCBzaXpl ID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0VfU0laRSAtIG9mZnNldCk7Cisg ICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAKLSAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgdG8sICZnLCBHVjJNX1dSSVRF KSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2d2YShjdXJyZW50 LT5kb21haW4sICh2YWRkcl90KSB0bywgR1YyTV9XUklURSk7CisgICAgICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAgIHJldHVybiBsZW47 CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZU KTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdlKHBhZ2UpOwogICAg ICAgICBwICs9IG9mZnNldDsKICAgICAgICAgbWVtY3B5KHAsIGZyb20sIHNp emUpOwogICAgICAgICBpZiAoIGZsdXNoX2RjYWNoZSApCiAgICAgICAgICAg ICBjbGVhbl94ZW5fZGNhY2hlX3ZhX3JhbmdlKHAsIHNpemUpOwogCiAgICAg ICAgIHVubWFwX2RvbWFpbl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBw dXRfcGFnZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAg IGZyb20gKz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKQEAgLTU4LDE4 ICs2MiwyMCBAQCB1bnNpZ25lZCBsb25nIHJhd19jbGVhcl9ndWVzdCh2b2lk ICp0bywgdW5zaWduZWQgbGVuKQogCiAgICAgd2hpbGUgKCBsZW4gKQogICAg IHsKLSAgICAgICAgcGFkZHJfdCBnOwogICAgICAgICB2b2lkICpwOwogICAg ICAgICB1bnNpZ25lZCBzaXplID0gbWluKGxlbiwgKHVuc2lnbmVkKVBBR0Vf U0laRSAtIG9mZnNldCk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8gKnBh Z2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJfdCkg dG8sICZnLCBHVjJNX1dSSVRFKSApCisgICAgICAgIHBhZ2UgPSBnZXRfcGFn ZV9mcm9tX2d2YShjdXJyZW50LT5kb21haW4sICh2YWRkcl90KSB0bywgR1Yy TV9XUklURSk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAg ICAgICAgIHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5f cGFnZShnPj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogICAgICAgICBwICs9IG9mZnNldDsKICAgICAgICAg bWVtc2V0KHAsIDB4MDAsIHNpemUpOwogCiAgICAgICAgIHVubWFwX2RvbWFp bl9wYWdlKHAgLSBvZmZzZXQpOworICAgICAgICBwdXRfcGFnZShwYWdlKTsK ICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIHRvICs9IHNpemU7CiAg ICAgICAgIC8qCkBAIC04OCwxOSArOTQsMjEgQEAgdW5zaWduZWQgbG9uZyBy YXdfY29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNl ciAqZnJvbSwgdW5zaWduZWQgbGUKIAogICAgIHdoaWxlICggbGVuICkKICAg ICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsKICAg ICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFH RV9TSVpFIC0gb2Zmc2V0KSk7CisgICAgICAgIHN0cnVjdCBwYWdlX2luZm8g KnBhZ2U7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigodmFkZHJf dCkgZnJvbSAmIFBBR0VfTUFTSywgJmcsIEdWMk1fUkVBRCkgKQorICAgICAg ICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAo dmFkZHJfdCkgZnJvbSwgR1YyTV9SRUFEKTsKKyAgICAgICAgaWYgKCBwYWdl ID09IE5VTEwgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAotICAgICAg ICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOworICAgICAg ICBwID0gX19tYXBfZG9tYWluX3BhZ2UocGFnZSk7CiAgICAgICAgIHAgKz0g KCh2YWRkcl90KWZyb20gJiAoflBBR0VfTUFTSykpOwogCiAgICAgICAgIG1l bWNweSh0bywgcCwgc2l6ZSk7CiAKICAgICAgICAgdW5tYXBfZG9tYWluX3Bh Z2UocCk7CisgICAgICAgIHB1dF9wYWdlKHBhZ2UpOwogICAgICAgICBsZW4g LT0gc2l6ZTsKICAgICAgICAgZnJvbSArPSBzaXplOwogICAgICAgICB0byAr PSBzaXplOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3AybS5jIGIveGVu L2FyY2gvYXJtL3AybS5jCmluZGV4IGI4NTE0M2IuLjVmYzVjYTYgMTAwNjQ0 Ci0tLSBhL3hlbi9hcmNoL2FybS9wMm0uYworKysgYi94ZW4vYXJjaC9hcm0v cDJtLmMKQEAgLTcwMSw2ICs3MDEsMzQgQEAgdW5zaWduZWQgbG9uZyBnbWZu X3RvX21mbihzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGdwZm4p CiAgICAgcmV0dXJuIHAgPj4gUEFHRV9TSElGVDsKIH0KIAorc3RydWN0IHBh Z2VfaW5mbyAqZ2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwg dmFkZHJfdCB2YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIHVuc2lnbmVkIGxvbmcgZmxhZ3MpCit7CisgICAgc3RydWN0IHAybV9k b21haW4gKnAybSA9ICZkLT5hcmNoLnAybTsKKyAgICBzdHJ1Y3QgcGFnZV9p bmZvICpwYWdlID0gTlVMTDsKKyAgICBwYWRkcl90IG1hZGRyOworCisgICAg QVNTRVJUKGQgPT0gY3VycmVudC0+ZG9tYWluKTsKKworICAgIHNwaW5fbG9j aygmcDJtLT5sb2NrKTsKKworICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIodmEs ICZtYWRkciwgZmxhZ3MpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBp ZiAoICFtZm5fdmFsaWQobWFkZHIgPj4gUEFHRV9TSElGVCkgKQorICAgICAg ICBnb3RvIGVycjsKKworICAgIHBhZ2UgPSBtZm5fdG9fcGFnZShtYWRkciA+ PiBQQUdFX1NISUZUKTsKKyAgICBBU1NFUlQocGFnZSk7CisKKyAgICBpZiAo IHVubGlrZWx5KCFnZXRfcGFnZShwYWdlLCBkKSkgKQorICAgICAgICBwYWdl ID0gTlVMTDsKKworZXJyOgorICAgIHNwaW5fdW5sb2NrKCZwMm0tPmxvY2sp OworICAgIHJldHVybiBwYWdlOworfQorCiAvKgogICogTG9jYWwgdmFyaWFi bGVzOgogICogbW9kZTogQwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL3Ry YXBzLmMgYi94ZW4vYXJjaC9hcm0vdHJhcHMuYwppbmRleCBkZjg2ZmZlLi5k ODliNzVmIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtNzc3LDcgKzc3Nyw3IEBAIHN0 YXRpYyB2b2lkIHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGludCBpOwogICAg IHZhZGRyX3Qgc3A7Ci0gICAgcGFkZHJfdCBzdGFja19waHlzOworICAgIHN0 cnVjdCBwYWdlX2luZm8gKnBhZ2U7CiAgICAgdm9pZCAqbWFwcGVkOwogICAg IHVuc2lnbmVkIGxvbmcgKnN0YWNrLCBhZGRyOwogCkBAIC04MzcsMTMgKzgz NywyMCBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVjdCB2 Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKIAogICAgIHBy aW50aygiR3Vlc3Qgc3RhY2sgdHJhY2UgZnJvbSBzcD0lIlBSSXZhZGRyIjpc biAgIiwgc3ApOwogCi0gICAgaWYgKCBndmlydF90b19tYWRkcihzcCwgJnN0 YWNrX3BoeXMsIEdWMk1fUkVBRCkgKQorICAgIGlmICggc3AgJiAoIHNpemVv Zihsb25nKSAtIDEgKSApCisgICAgeworICAgICAgICBwcmludGsoIlN0YWNr IGlzIG1pc2FsaWduZWRcbiIpOworICAgICAgICByZXR1cm47CisgICAgfQor CisgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21fZ3ZhKGN1cnJlbnQtPmRvbWFp biwgc3AsIEdWMk1fUkVBRCk7CisgICAgaWYgKCBwYWdlID09IE5VTEwgKQog ICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBzdGFj ayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJuOwog ICAgIH0KIAotICAgIG1hcHBlZCA9IG1hcF9kb21haW5fcGFnZShzdGFja19w aHlzID4+IFBBR0VfU0hJRlQpOworICAgIG1hcHBlZCA9IF9fbWFwX2RvbWFp bl9wYWdlKHBhZ2UpOwogCiAgICAgc3RhY2sgPSBtYXBwZWQgKyAoc3AgJiB+ UEFHRV9NQVNLKTsKIApAQCAtODYxLDcgKzg2OCw3IEBAIHN0YXRpYyB2b2lk IHNob3dfZ3Vlc3Rfc3RhY2soc3RydWN0IHZjcHUgKnYsIHN0cnVjdCBjcHVf dXNlcl9yZWdzICpyZWdzKQogICAgICAgICBwcmludGsoIlN0YWNrIGVtcHR5 LiIpOwogICAgIHByaW50aygiXG4iKTsKICAgICB1bm1hcF9kb21haW5fcGFn ZShtYXBwZWQpOwotCisgICAgcHV0X3BhZ2UocGFnZSk7CiB9CiAKICNkZWZp bmUgU1RBQ0tfQkVGT1JFX0VYQ0VQVElPTihyZWdzKSAoKHJlZ2lzdGVyX3Qq KShyZWdzKS0+c3ApCmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJt L21tLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKaW5kZXggZDBlNWNi NC4uOGJmMTc5ZCAxMDA2NDQKLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9t bS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaApAQCAtMjczLDYg KzI3Myw5IEBAIHN0cnVjdCBkb21haW4gKnBhZ2VfZ2V0X293bmVyX2FuZF9y ZWZlcmVuY2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSk7CiB2b2lkIHB1dF9w YWdlKHN0cnVjdCBwYWdlX2luZm8gKnBhZ2UpOwogaW50ICBnZXRfcGFnZShz dHJ1Y3QgcGFnZV9pbmZvICpwYWdlLCBzdHJ1Y3QgZG9tYWluICpkb21haW4p OwogCitzdHJ1Y3QgcGFnZV9pbmZvICpnZXRfcGFnZV9mcm9tX2d2YShzdHJ1 Y3QgZG9tYWluICpkLCB2YWRkcl90IHZhLAorICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgdW5zaWduZWQgbG9uZyBmbGFncyk7CisKIC8q CiAgKiBUaGUgTVBUIChtYWNoaW5lLT5waHlzaWNhbCBtYXBwaW5nIHRhYmxl KSBpcyBhbiBhcnJheSBvZiB3b3JkLXNpemVkCiAgKiB2YWx1ZXMsIGluZGV4 ZWQgb24gbWFjaGluZSBmcmFtZSBudW1iZXIuIEl0IGlzIGV4cGVjdGVkIHRo YXQgZ3Vlc3QgT1NlcwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFy bS9wYWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBl NzIzZTVhLi4xMTNiZTVhIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApA QCAtNzMsNyArNzMsNyBAQAogI2RlZmluZSBNQVRUUl9ERVYgICAgIDB4MQog I2RlZmluZSBNQVRUUl9NRU0gICAgIDB4ZgogCi0vKiBGbGFncyBmb3IgZ3Zp cnRfdG9fbWFkZHIgKi8KKy8qIEZsYWdzIGZvciBnZXRfcGFnZV9mcm9tX2d2 YSwgZ3ZpcnRfdG9fbWFkZHIgZXRjICovCiAjZGVmaW5lIEdWMk1fUkVBRCAg KDB1PDwwKQogI2RlZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKIAo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-01.patch" Content-Disposition: attachment; filename="xsa98-4.4-01.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNoZWNrIHBlcm1pc3Npb25zIHdoZW4gY29weWluZyB0by9m cm9tIGd1ZXN0IHZpcnR1YWwgYWRkcmVzc2VzCgpJbiBwYXJ0aWN1bGFyIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoZSBndWVzdCBoYXMgd3JpdGUgcGVybWlz c2lvbnMgdG8gYnVmZmVycwp3aGljaCBpdCBwYXNzZXMgYXMgb3V0cHV0IGJ1 ZmZlcnMgZm9yIGh5cGVyY2FsbHMsIG90aGVyd2lzZSB0aGUgZ3Vlc3QgY2Fu Cm92ZXJ3cml0ZSBtZW1vcnkgd2hpY2ggaXQgc2hvdWxkbid0IGJlIGFibGUg dG8gd3JpdGUgKGxpa2Ugci9vIGdyYW50IHRhYmxlCm1hcHBpbmdzKS4KClRo aXMgaXMgWFNBLTk4LgoKU2lnbmVkLW9mZi1ieTogSWFuIENhbXBiZWxsIDxp YW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBH cmFsbCA8anVsaWVuLmdyYWxsQGxpbmFyby5vcmc+CgpkaWZmIC0tZ2l0IGEv eGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5jIGIveGVuL2FyY2gvYXJtL2Rv bWFpbl9idWlsZC5jCmluZGV4IDVjYTJmMTUuLjNkYTZiODMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYworKysgYi94ZW4vYXJj aC9hcm0vZG9tYWluX2J1aWxkLmMKQEAgLTk2Nyw3ICs5NjcsNyBAQCBzdGF0 aWMgdm9pZCBpbml0cmRfbG9hZChzdHJ1Y3Qga2VybmVsX2luZm8gKmtpbmZv KQogICAgICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwg PSBtaW4oUEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2 aXJ0X3RvX21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAg IHJjID0gZ3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBH VjJNX1dSSVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAg ICAgICAgICAgIHBhbmljKCJVbmFibGUgdG8gdHJhbnNsYXRlIGd1ZXN0IGFk ZHJlc3MiKTsKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL2FybS9ndWVzdGNvcHku YyBiL3hlbi9hcmNoL2FybS9ndWVzdGNvcHkuYwppbmRleCBjZWE1Zjk3Li5k MWZkZGVjIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5LmMK KysrIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5jCkBAIC0xNyw3ICsxNyw3 IEBAIHN0YXRpYyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hl bHBlcih2b2lkICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKICAgICAgICAgdm9p ZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNp Z25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZykgKQorICAgICAgICBpZiAo IGd2aXJ0X3RvX21hZGRyKCh2YWRkcl90KSB0bywgJmcsIEdWMk1fV1JJVEUp ICkKICAgICAgICAgICAgIHJldHVybiBsZW47CiAKICAgICAgICAgcCA9IG1h cF9kb21haW5fcGFnZShnPj5QQUdFX1NISUZUKTsKQEAgLTYyLDcgKzYyLDcg QEAgdW5zaWduZWQgbG9uZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVu c2lnbmVkIGxlbikKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWdu ZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZz ZXQpOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3Qp IHRvLCAmZykgKQorICAgICAgICBpZiAoIGd2aXJ0X3RvX21hZGRyKCh2YWRk cl90KSB0bywgJmcsIEdWMk1fV1JJVEUpICkKICAgICAgICAgICAgIHJldHVy biBsZW47CiAKICAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShnPj5QQUdF X1NISUZUKTsKQEAgLTkyLDcgKzkyLDcgQEAgdW5zaWduZWQgbG9uZyByYXdf Y29weV9mcm9tX2d1ZXN0KHZvaWQgKnRvLCBjb25zdCB2b2lkIF9fdXNlciAq ZnJvbSwgdW5zaWduZWQgbGUKICAgICAgICAgdm9pZCAqcDsKICAgICAgICAg dW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZCkoUEFHRV9TSVpF IC0gb2Zmc2V0KSk7CiAKLSAgICAgICAgaWYgKCBndmlydF90b19tYWRkcigo dmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywgJmcpICkKKyAgICAgICAgaWYg KCBndmlydF90b19tYWRkcigodmFkZHJfdCkgZnJvbSAmIFBBR0VfTUFTSywg JmcsIEdWMk1fUkVBRCkgKQogICAgICAgICAgICAgcmV0dXJuIGxlbjsKIAog ICAgICAgICBwID0gbWFwX2RvbWFpbl9wYWdlKGc+PlBBR0VfU0hJRlQpOwpk aWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL2tlcm5lbC5jIGIveGVuL2FyY2gv YXJtL2tlcm5lbC5jCmluZGV4IDFlMzEwN2QuLjY5YzdkNDMgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL2FybS9rZXJuZWwuYworKysgYi94ZW4vYXJjaC9hcm0v a2VybmVsLmMKQEAgLTE0MSw3ICsxNDEsNyBAQCBzdGF0aWMgdm9pZCBrZXJu ZWxfemltYWdlX2xvYWQoc3RydWN0IGtlcm5lbF9pbmZvICppbmZvKQogICAg ICAgICBzID0gb2ZmcyAmIH5QQUdFX01BU0s7CiAgICAgICAgIGwgPSBtaW4o UEFHRV9TSVpFIC0gcywgbGVuKTsKIAotICAgICAgICByYyA9IGd2aXJ0X3Rv X21hZGRyKGxvYWRfYWRkciArIG9mZnMsICZtYSk7CisgICAgICAgIHJjID0g Z3ZpcnRfdG9fbWFkZHIobG9hZF9hZGRyICsgb2ZmcywgJm1hLCBHVjJNX1dS SVRFKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAgIHsKICAgICAgICAg ICAgIHBhbmljKCJVbmFibGUgdG8gbWFwIHRyYW5zbGF0ZSBndWVzdCBhZGRy ZXNzIik7CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vdHJhcHMuYyBiL3hl bi9hcmNoL2FybS90cmFwcy5jCmluZGV4IDNhMzRkMzMuLjJlNzQ1MWIgMTAw NjQ0Ci0tLSBhL3hlbi9hcmNoL2FybS90cmFwcy5jCisrKyBiL3hlbi9hcmNo L2FybS90cmFwcy5jCkBAIC04MzYsNyArODM2LDcgQEAgc3RhdGljIHZvaWQg c2hvd19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRy YWNlIGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlm ICggZ3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzKSApCisgICAgaWYg KCBndmlydF90b19tYWRkcihzcCwgJnN0YWNrX3BoeXMsIEdWMk1fUkVBRCkg KQogICAgIHsKICAgICAgICAgcHJpbnRrKCJGYWlsZWQgdG8gY29udmVydCBz dGFjayB0byBwaHlzaWNhbCBhZGRyZXNzXG4iKTsKICAgICAgICAgcmV0dXJu OwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9hcm0zMi9wYWdl LmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3BhZ2UuaAppbmRleCBi ODIyMWNhLi44MGQ1YzM2IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20t YXJtL2FybTMyL3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL2Fy bTMyL3BhZ2UuaApAQCAtOTAsMTEgKzkwLDE0IEBAIHN0YXRpYyBpbmxpbmUg dWludDY0X3QgX192YV90b19wYXIodmFkZHJfdCB2YSkKIH0KIAogLyogQXNr IHRoZSBNTVUgdG8gdHJhbnNsYXRlIGEgR3Vlc3QgVkEgZm9yIHVzICovCi1z dGF0aWMgaW5saW5lIHVpbnQ2NF90IGd2YV90b19tYV9wYXIodmFkZHJfdCB2 YSkKK3N0YXRpYyBpbmxpbmUgdWludDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRk cl90IHZhLCB1bnNpZ25lZCBpbnQgZmxhZ3MpCiB7CiAgICAgdWludDY0X3Qg cGFyLCB0bXA7CiAgICAgdG1wID0gUkVBRF9DUDY0KFBBUik7Ci0gICAgV1JJ VEVfQ1AzMih2YSwgQVRTMTJOU09QUik7CisgICAgaWYgKCAoZmxhZ3MgJiBH VjJNX1dSSVRFKSA9PSBHVjJNX1dSSVRFICkKKyAgICAgICAgV1JJVEVfQ1Az Mih2YSwgQVRTMTJOU09QVyk7CisgICAgZWxzZQorICAgICAgICBXUklURV9D UDMyKHZhLCBBVFMxMk5TT1BSKTsKICAgICBpc2IoKTsgLyogRW5zdXJlIHJl c3VsdCBpcyBhdmFpbGFibGUuICovCiAgICAgcGFyID0gUkVBRF9DUDY0KFBB Uik7CiAgICAgV1JJVEVfQ1A2NCh0bXAsIFBBUik7CmRpZmYgLS1naXQgYS94 ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBiL3hlbi9pbmNsdWRl L2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IDMzNTI4MjEuLjM5MjJkODcg MTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCkBAIC04 MywxMSArODMsMTQgQEAgc3RhdGljIGlubGluZSB1aW50NjRfdCBfX3ZhX3Rv X3Bhcih2YWRkcl90IHZhKQogfQogCiAvKiBBc2sgdGhlIE1NVSB0byB0cmFu c2xhdGUgYSBHdWVzdCBWQSBmb3IgdXMgKi8KLXN0YXRpYyBpbmxpbmUgdWlu dDY0X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhKQorc3RhdGljIGlubGlu ZSB1aW50NjRfdCBndmFfdG9fbWFfcGFyKHZhZGRyX3QgdmEsIHVuc2lnbmVk IGludCBmbGFncykKIHsKICAgICB1aW50NjRfdCBwYXIsIHRtcCA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAKLSAgICBhc20gdm9sYXRpbGUgKCJhdCBz MTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBpZiAoIChmbGFncyAm IEdWMk1fV1JJVEUpID09IEdWMk1fV1JJVEUgKQorICAgICAgICBhc20gdm9s YXRpbGUgKCJhdCBzMTJlMXIsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAgICBl bHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxdywgJTA7IiA6 IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURfU1lT UkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQQVJf RUwxKTsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAppbmRleCBiOGQ0ZTdkLi5kMGU1 Y2I0IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL21tLmgKKysr IGIveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oCkBAIC0yMzMsOSArMjMzLDkg QEAgc3RhdGljIGlubGluZSB2b2lkICptYWRkcl90b192aXJ0KHBhZGRyX3Qg bWEpCiB9CiAjZW5kaWYKIAotc3RhdGljIGlubGluZSBpbnQgZ3ZpcnRfdG9f bWFkZHIodmFkZHJfdCB2YSwgcGFkZHJfdCAqcGEpCitzdGF0aWMgaW5saW5l IGludCBndmlydF90b19tYWRkcih2YWRkcl90IHZhLCBwYWRkcl90ICpwYSwg dW5zaWduZWQgaW50IGZsYWdzKQogewotICAgIHVpbnQ2NF90IHBhciA9IGd2 YV90b19tYV9wYXIodmEpOworICAgIHVpbnQ2NF90IHBhciA9IGd2YV90b19t YV9wYXIodmEsIGZsYWdzKTsKICAgICBpZiAoIHBhciAmIFBBUl9GICkKICAg ICAgICAgcmV0dXJuIC1FRkFVTFQ7CiAgICAgKnBhID0gKHBhciAmIFBBRERS X01BU0sgJiBQQUdFX01BU0spIHwgKCh1bnNpZ25lZCBsb25nKSB2YSAmIH5Q QUdFX01BU0spOwpkaWZmIC0tZ2l0IGEveGVuL2luY2x1ZGUvYXNtLWFybS9w YWdlLmggYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaAppbmRleCBlMDBi ZTllLi44NDU2MmVjIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJt L3BhZ2UuaAorKysgYi94ZW4vaW5jbHVkZS9hc20tYXJtL3BhZ2UuaApAQCAt NzMsNiArNzMsMTAgQEAKICNkZWZpbmUgTUFUVFJfREVWICAgICAweDEKICNk ZWZpbmUgTUFUVFJfTUVNICAgICAweGYKIAorLyogRmxhZ3MgZm9yIGd2aXJ0 X3RvX21hZGRyICovCisjZGVmaW5lIEdWMk1fUkVBRCAgKDB1PDwwKQorI2Rl ZmluZSBHVjJNX1dSSVRFICgxdTw8MCkKKwogI2lmbmRlZiBfX0FTU0VNQkxZ X18KIAogI2luY2x1ZGUgPHhlbi90eXBlcy5oPgo= --=separator Content-Type: application/octet-stream; name="xsa98-4.4-02.patch" Content-Disposition: attachment; filename="xsa98-4.4-02.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGVuc3VyZSB3ZSBob2xkIGEgcmVmZXJlbmNlIHRvIGd1ZXN0 IHBhZ2VzIHdoaWxlIHdlIGNvcHkgdG8vZnJvbSB0aGVtCgpUaGlzIGF0IG9u Y2U6CiAtIHByZXZlbnRzIHRoZSBwYWdlIGZyb20gYmVpbmcgcmVhc3NpZ25l ZCB1bmRlciBvdXIgZmVldAogLSBlbnN1cmVzIHRoYXQgdGhlIGRvbWFpbiBv d25zIHRoZSBwYWdlLCB3aGljaCBzdG9wcyBhIGRvbWFpbiBmcm9tIGdpdmlu ZyBhCiAgIGdyYW50IG1hcHBpbmcsIE1NSU8gcmVnaW9uLCBvdGhlciBub24t UkFNIGFzIGEgaHlwZXJjYWxsIGlucHV0L291dHB1dC4KCldlIG5lZWQgdG8g aG9sZCB0aGUgcDJtIGxvY2sgd2hpbGUgZG9pbmcgdGhlIGxvb2t1cCB1bnRp bCB3ZSBoYXZlIHRoZQpyZWZlcmVuY2UuCgpUaGlzIGFsc28gcmVxdWlyZXMg dGhhdCBkdXJpbmcgZG9tYWluIDAgYnVpbGRpbmcgY3VycmVudCBpcyBzZXQg dG8gYW4gYWN0dWFsCmRvbTAgdmNwdSwgc28gdGFrZSBjYXJlIG9mIHRoaXMg YXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgcDJtIGlzIHRlbXBvcmFyaWx5Cmxv YWRlZC4KCkxhc3RseSB3aGVuIGR1bXBpbmcgdGhlIGd1ZXN0IHN0YWNrIHdl IG5lZWQgdG8gbWFrZSBzdXJlIHRoYXQgdGhlIGd1ZXN0IGhhc24ndApwb2lu dGVkIGl0cyBzcCBvZmYgaW50byB0aGUgd2VlZHMgYW5kL29yIG1pc2FsaWdu ZWQgaXQsIHdoaWNoIGNvdWxkIGxlYWQgdG8KaHlwZXJ2aXNvciB0cmFwcy4g U29sdmUgdGhpcyBieSB1c2luZyB0aGUgbmV3IGZ1bmN0aW9uIGFuZCBjaGVj a2luZyBhbGlnbm1lbnQKZmlyc3QuCgpTaWduZWQtb2ZmLWJ5OiBJYW4gQ2Ft cGJlbGwgPGlhbi5jYW1wYmVsbEBjaXRyaXguY29tPgpSZXZpZXdlZC1ieTog SnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAbGluYXJvLm9yZz4KWyBpamMg LS0gYmFja3BvcnRlZCB0byA0LjQsIHVzaW5nIHAybV9sb2FkX1ZUVEJSIF0K CmRpZmYgLS1naXQgYS94ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMgYi94 ZW4vYXJjaC9hcm0vZG9tYWluX2J1aWxkLmMKaW5kZXggM2RhNmI4My4uYzE0 OTdmOCAxMDA2NDQKLS0tIGEveGVuL2FyY2gvYXJtL2RvbWFpbl9idWlsZC5j CisrKyBiL3hlbi9hcmNoL2FybS9kb21haW5fYnVpbGQuYwpAQCAtOTg2LDYg Kzk4Niw3IEBAIHN0YXRpYyB2b2lkIGluaXRyZF9sb2FkKHN0cnVjdCBrZXJu ZWxfaW5mbyAqa2luZm8pCiBpbnQgY29uc3RydWN0X2RvbTAoc3RydWN0IGRv bWFpbiAqZCkKIHsKICAgICBzdHJ1Y3Qga2VybmVsX2luZm8ga2luZm8gPSB7 fTsKKyAgICBzdHJ1Y3QgdmNwdSAqc2F2ZWRfY3VycmVudDsKICAgICBpbnQg cmMsIGksIGNwdTsKIAogICAgIHN0cnVjdCB2Y3B1ICp2ID0gZC0+dmNwdVsw XTsKQEAgLTEwMjEsNyArMTAyMiw5IEBAIGludCBjb25zdHJ1Y3RfZG9tMChz dHJ1Y3QgZG9tYWluICpkKQogICAgICAgICByZXR1cm4gcmM7CiAKICAgICAv KiBUaGUgZm9sbG93aW5nIGxvYWRzIHVzZSB0aGUgZG9tYWluJ3MgcDJtICov CisgICAgc2F2ZWRfY3VycmVudCA9IGN1cnJlbnQ7CiAgICAgcDJtX2xvYWRf VlRUQlIoZCk7CisgICAgc2V0X2N1cnJlbnQodik7CiAjaWZkZWYgQ09ORklH X0FSTV82NAogICAgIGQtPmFyY2gudHlwZSA9IGtpbmZvLnR5cGU7CiAgICAg aWYgKCBpc19wdjMyX2RvbWFpbihkKSApCkBAIC0xMDM5LDYgKzEwNDIsMTAg QEAgaW50IGNvbnN0cnVjdF9kb20wKHN0cnVjdCBkb21haW4gKmQpCiAgICAg aW5pdHJkX2xvYWQoJmtpbmZvKTsKICAgICBkdGJfbG9hZCgma2luZm8pOwog CisgICAgLyogTm93IHRoYXQgd2UgYXJlIGRvbmUgcmVzdG9yZSB0aGUgb3Jp Z2luYWwgcDJtIGFuZCBjdXJyZW50LiAqLworICAgIHNldF9jdXJyZW50KHNh dmVkX2N1cnJlbnQpOworICAgIHAybV9sb2FkX1ZUVEJSKGN1cnJlbnQtPmRv bWFpbik7CisKICAgICBkaXNjYXJkX2luaXRpYWxfbW9kdWxlcygpOwogCiAg ICAgdi0+aXNfaW5pdGlhbGlzZWQgPSAxOwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gvYXJtL2d1ZXN0Y29weS5jIGIveGVuL2FyY2gvYXJtL2d1ZXN0Y29weS5j CmluZGV4IGQxZmRkZWMuLjAxNzM1OTcgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNo L2FybS9ndWVzdGNvcHkuYworKysgYi94ZW4vYXJjaC9hcm0vZ3Vlc3Rjb3B5 LmMKQEAgLTEsNiArMSw4IEBACiAjaW5jbHVkZSA8eGVuL2NvbmZpZy5oPgog I2luY2x1ZGUgPHhlbi9saWIuaD4KICNpbmNsdWRlIDx4ZW4vZG9tYWluX3Bh Z2UuaD4KKyNpbmNsdWRlIDx4ZW4vc2NoZWQuaD4KKyNpbmNsdWRlIDxhc20v Y3VycmVudC5oPgogCiAjaW5jbHVkZSA8YXNtL21tLmg+CiAjaW5jbHVkZSA8 YXNtL2d1ZXN0X2FjY2Vzcy5oPgpAQCAtMTMsMjAgKzE1LDIyIEBAIHN0YXRp YyB1bnNpZ25lZCBsb25nIHJhd19jb3B5X3RvX2d1ZXN0X2hlbHBlcih2b2lk ICp0bywgY29uc3Qgdm9pZCAqZnJvbSwKIAogICAgIHdoaWxlICggbGVuICkK ICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsKICAgICAgICAgdm9pZCAqcDsK ICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1pbihsZW4sICh1bnNpZ25lZClQ QUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAgICBzdHJ1Y3QgcGFnZV9pbmZv ICpwYWdlOwogCi0gICAgICAgIGlmICggZ3ZpcnRfdG9fbWFkZHIoKHZhZGRy X3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQorICAgICAgICBwYWdlID0gZ2V0 X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9tYWluLCAodmFkZHJfdCkgdG8s IEdWMk1fV1JJVEUpOworICAgICAgICBpZiAoIHBhZ2UgPT0gTlVMTCApCiAg ICAgICAgICAgICByZXR1cm4gbGVuOwogCi0gICAgICAgIHAgPSBtYXBfZG9t YWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7CisgICAgICAgIHAgPSBfX21hcF9k b21haW5fcGFnZShwYWdlKTsKICAgICAgICAgcCArPSBvZmZzZXQ7CiAgICAg ICAgIG1lbWNweShwLCBmcm9tLCBzaXplKTsKICAgICAgICAgaWYgKCBmbHVz aF9kY2FjaGUgKQogICAgICAgICAgICAgY2xlYW5feGVuX2RjYWNoZV92YV9y YW5nZShwLCBzaXplKTsKIAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShw IC0gb2Zmc2V0KTsKKyAgICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAg IGxlbiAtPSBzaXplOwogICAgICAgICBmcm9tICs9IHNpemU7CiAgICAgICAg IHRvICs9IHNpemU7CkBAIC01OCwxOCArNjIsMjAgQEAgdW5zaWduZWQgbG9u ZyByYXdfY2xlYXJfZ3Vlc3Qodm9pZCAqdG8sIHVuc2lnbmVkIGxlbikKIAog ICAgIHdoaWxlICggbGVuICkKICAgICB7Ci0gICAgICAgIHBhZGRyX3QgZzsK ICAgICAgICAgdm9pZCAqcDsKICAgICAgICAgdW5zaWduZWQgc2l6ZSA9IG1p bihsZW4sICh1bnNpZ25lZClQQUdFX1NJWkUgLSBvZmZzZXQpOworICAgICAg ICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICggZ3Zp cnRfdG9fbWFkZHIoKHZhZGRyX3QpIHRvLCAmZywgR1YyTV9XUklURSkgKQor ICAgICAgICBwYWdlID0gZ2V0X3BhZ2VfZnJvbV9ndmEoY3VycmVudC0+ZG9t YWluLCAodmFkZHJfdCkgdG8sIEdWMk1fV1JJVEUpOworICAgICAgICBpZiAo IHBhZ2UgPT0gTlVMTCApCiAgICAgICAgICAgICByZXR1cm4gbGVuOwogCi0g ICAgICAgIHAgPSBtYXBfZG9tYWluX3BhZ2UoZz4+UEFHRV9TSElGVCk7Cisg ICAgICAgIHAgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKICAgICAgICAg cCArPSBvZmZzZXQ7CiAgICAgICAgIG1lbXNldChwLCAweDAwLCBzaXplKTsK IAogICAgICAgICB1bm1hcF9kb21haW5fcGFnZShwIC0gb2Zmc2V0KTsKKyAg ICAgICAgcHV0X3BhZ2UocGFnZSk7CiAgICAgICAgIGxlbiAtPSBzaXplOwog ICAgICAgICB0byArPSBzaXplOwogICAgICAgICAvKgpAQCAtODgsMTkgKzk0 LDIxIEBAIHVuc2lnbmVkIGxvbmcgcmF3X2NvcHlfZnJvbV9ndWVzdCh2b2lk ICp0bywgY29uc3Qgdm9pZCBfX3VzZXIgKmZyb20sIHVuc2lnbmVkIGxlCiAK ICAgICB3aGlsZSAoIGxlbiApCiAgICAgewotICAgICAgICBwYWRkcl90IGc7 CiAgICAgICAgIHZvaWQgKnA7CiAgICAgICAgIHVuc2lnbmVkIHNpemUgPSBt aW4obGVuLCAodW5zaWduZWQpKFBBR0VfU0laRSAtIG9mZnNldCkpOworICAg ICAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwogCi0gICAgICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoKHZhZGRyX3QpIGZyb20gJiBQQUdFX01BU0ssICZn LCBHVjJNX1JFQUQpICkKKyAgICAgICAgcGFnZSA9IGdldF9wYWdlX2Zyb21f Z3ZhKGN1cnJlbnQtPmRvbWFpbiwgKHZhZGRyX3QpIGZyb20sIEdWMk1fUkVB RCk7CisgICAgICAgIGlmICggcGFnZSA9PSBOVUxMICkKICAgICAgICAgICAg IHJldHVybiBsZW47CiAKLSAgICAgICAgcCA9IG1hcF9kb21haW5fcGFnZShn Pj5QQUdFX1NISUZUKTsKKyAgICAgICAgcCA9IF9fbWFwX2RvbWFpbl9wYWdl KHBhZ2UpOwogICAgICAgICBwICs9ICgodmFkZHJfdClmcm9tICYgKH5QQUdF X01BU0spKTsKIAogICAgICAgICBtZW1jcHkodG8sIHAsIHNpemUpOwogCiAg ICAgICAgIHVubWFwX2RvbWFpbl9wYWdlKHApOworICAgICAgICBwdXRfcGFn ZShwYWdlKTsKICAgICAgICAgbGVuIC09IHNpemU7CiAgICAgICAgIGZyb20g Kz0gc2l6ZTsKICAgICAgICAgdG8gKz0gc2l6ZTsKZGlmZiAtLWdpdCBhL3hl bi9hcmNoL2FybS9wMm0uYyBiL3hlbi9hcmNoL2FybS9wMm0uYwppbmRleCBk MDBjODgyLi43ZmQ1OTIwIDEwMDY0NAotLS0gYS94ZW4vYXJjaC9hcm0vcDJt LmMKKysrIGIveGVuL2FyY2gvYXJtL3AybS5jCkBAIC02NTUsNiArNjU1LDM0 IEBAIHVuc2lnbmVkIGxvbmcgZ21mbl90b19tZm4oc3RydWN0IGRvbWFpbiAq ZCwgdW5zaWduZWQgbG9uZyBncGZuKQogICAgIHJldHVybiBwID4+IFBBR0Vf U0hJRlQ7CiB9CiAKK3N0cnVjdCBwYWdlX2luZm8gKmdldF9wYWdlX2Zyb21f Z3ZhKHN0cnVjdCBkb21haW4gKmQsIHZhZGRyX3QgdmEsCisgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGZsYWdz KQoreworICAgIHN0cnVjdCBwMm1fZG9tYWluICpwMm0gPSAmZC0+YXJjaC5w Mm07CisgICAgc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSA9IE5VTEw7CisgICAg cGFkZHJfdCBtYWRkcjsKKworICAgIEFTU0VSVChkID09IGN1cnJlbnQtPmRv bWFpbik7CisKKyAgICBzcGluX2xvY2soJnAybS0+bG9jayk7CisKKyAgICBp ZiAoIGd2aXJ0X3RvX21hZGRyKHZhLCAmbWFkZHIsIGZsYWdzKSApCisgICAg ICAgIGdvdG8gZXJyOworCisgICAgaWYgKCAhbWZuX3ZhbGlkKG1hZGRyID4+ IFBBR0VfU0hJRlQpICkKKyAgICAgICAgZ290byBlcnI7CisKKyAgICBwYWdl ID0gbWZuX3RvX3BhZ2UobWFkZHIgPj4gUEFHRV9TSElGVCk7CisgICAgQVNT RVJUKHBhZ2UpOworCisgICAgaWYgKCB1bmxpa2VseSghZ2V0X3BhZ2UocGFn ZSwgZCkpICkKKyAgICAgICAgcGFnZSA9IE5VTEw7CisKK2VycjoKKyAgICBz cGluX3VubG9jaygmcDJtLT5sb2NrKTsKKyAgICByZXR1cm4gcGFnZTsKK30K KwogLyoKICAqIExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAt LWdpdCBhL3hlbi9hcmNoL2FybS90cmFwcy5jIGIveGVuL2FyY2gvYXJtL3Ry YXBzLmMKaW5kZXggMmU3NDUxYi4uMDAwNzFhMyAxMDA2NDQKLS0tIGEveGVu L2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2FyY2gvYXJtL3RyYXBzLmMK QEAgLTc3Niw3ICs3NzYsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0 YWNrKHN0cnVjdCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVn cykKIHsKICAgICBpbnQgaTsKICAgICB2YWRkcl90IHNwOwotICAgIHBhZGRy X3Qgc3RhY2tfcGh5czsKKyAgICBzdHJ1Y3QgcGFnZV9pbmZvICpwYWdlOwog ICAgIHZvaWQgKm1hcHBlZDsKICAgICB1bnNpZ25lZCBsb25nICpzdGFjaywg YWRkcjsKIApAQCAtODM2LDEzICs4MzYsMjAgQEAgc3RhdGljIHZvaWQgc2hv d19ndWVzdF9zdGFjayhzdHJ1Y3QgdmNwdSAqdiwgc3RydWN0IGNwdV91c2Vy X3JlZ3MgKnJlZ3MpCiAKICAgICBwcmludGsoIkd1ZXN0IHN0YWNrIHRyYWNl IGZyb20gc3A9JSJQUkl2YWRkciI6XG4gICIsIHNwKTsKIAotICAgIGlmICgg Z3ZpcnRfdG9fbWFkZHIoc3AsICZzdGFja19waHlzLCBHVjJNX1JFQUQpICkK KyAgICBpZiAoIHNwICYgKCBzaXplb2YobG9uZykgLSAxICkgKQorICAgIHsK KyAgICAgICAgcHJpbnRrKCJTdGFjayBpcyBtaXNhbGlnbmVkXG4iKTsKKyAg ICAgICAgcmV0dXJuOworICAgIH0KKworICAgIHBhZ2UgPSBnZXRfcGFnZV9m cm9tX2d2YShjdXJyZW50LT5kb21haW4sIHNwLCBHVjJNX1JFQUQpOworICAg IGlmICggcGFnZSA9PSBOVUxMICkKICAgICB7CiAgICAgICAgIHByaW50aygi RmFpbGVkIHRvIGNvbnZlcnQgc3RhY2sgdG8gcGh5c2ljYWwgYWRkcmVzc1xu Iik7CiAgICAgICAgIHJldHVybjsKICAgICB9CiAKLSAgICBtYXBwZWQgPSBt YXBfZG9tYWluX3BhZ2Uoc3RhY2tfcGh5cyA+PiBQQUdFX1NISUZUKTsKKyAg ICBtYXBwZWQgPSBfX21hcF9kb21haW5fcGFnZShwYWdlKTsKIAogICAgIHN0 YWNrID0gbWFwcGVkICsgKHNwICYgflBBR0VfTUFTSyk7CiAKQEAgLTg2MCw3 ICs4NjcsNyBAQCBzdGF0aWMgdm9pZCBzaG93X2d1ZXN0X3N0YWNrKHN0cnVj dCB2Y3B1ICp2LCBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKICAgICAg ICAgcHJpbnRrKCJTdGFjayBlbXB0eS4iKTsKICAgICBwcmludGsoIlxuIik7 CiAgICAgdW5tYXBfZG9tYWluX3BhZ2UobWFwcGVkKTsKLQorICAgIHB1dF9w YWdlKHBhZ2UpOwogfQogCiAjZGVmaW5lIFNUQUNLX0JFRk9SRV9FWENFUFRJ T04ocmVncykgKChyZWdpc3Rlcl90KikocmVncyktPnNwKQpkaWZmIC0tZ2l0 IGEveGVuL2luY2x1ZGUvYXNtLWFybS9tbS5oIGIveGVuL2luY2x1ZGUvYXNt LWFybS9tbS5oCmluZGV4IGQwZTVjYjQuLjhiZjE3OWQgMTAwNjQ0Ci0tLSBh L3hlbi9pbmNsdWRlL2FzbS1hcm0vbW0uaAorKysgYi94ZW4vaW5jbHVkZS9h c20tYXJtL21tLmgKQEAgLTI3Myw2ICsyNzMsOSBAQCBzdHJ1Y3QgZG9tYWlu ICpwYWdlX2dldF9vd25lcl9hbmRfcmVmZXJlbmNlKHN0cnVjdCBwYWdlX2lu Zm8gKnBhZ2UpOwogdm9pZCBwdXRfcGFnZShzdHJ1Y3QgcGFnZV9pbmZvICpw YWdlKTsKIGludCAgZ2V0X3BhZ2Uoc3RydWN0IHBhZ2VfaW5mbyAqcGFnZSwg c3RydWN0IGRvbWFpbiAqZG9tYWluKTsKIAorc3RydWN0IHBhZ2VfaW5mbyAq Z2V0X3BhZ2VfZnJvbV9ndmEoc3RydWN0IGRvbWFpbiAqZCwgdmFkZHJfdCB2 YSwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVuc2ln bmVkIGxvbmcgZmxhZ3MpOworCiAvKgogICogVGhlIE1QVCAobWFjaGluZS0+ cGh5c2ljYWwgbWFwcGluZyB0YWJsZSkgaXMgYW4gYXJyYXkgb2Ygd29yZC1z aXplZAogICogdmFsdWVzLCBpbmRleGVkIG9uIG1hY2hpbmUgZnJhbWUgbnVt YmVyLiBJdCBpcyBleHBlY3RlZCB0aGF0IGd1ZXN0IE9TZXMKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL2FzbS1hcm0vcGFnZS5oIGIveGVuL2luY2x1ZGUv YXNtLWFybS9wYWdlLmgKaW5kZXggODQ1NjJlYy4uYzExODMwOSAxMDA2NDQK LS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wYWdlLmgKKysrIGIveGVuL2lu Y2x1ZGUvYXNtLWFybS9wYWdlLmgKQEAgLTczLDcgKzczLDcgQEAKICNkZWZp bmUgTUFUVFJfREVWICAgICAweDEKICNkZWZpbmUgTUFUVFJfTUVNICAgICAw eGYKIAotLyogRmxhZ3MgZm9yIGd2aXJ0X3RvX21hZGRyICovCisvKiBGbGFn cyBmb3IgZ2V0X3BhZ2VfZnJvbV9ndmEsIGd2aXJ0X3RvX21hZGRyIGV0YyAq LwogI2RlZmluZSBHVjJNX1JFQUQgICgwdTw8MCkKICNkZWZpbmUgR1YyTV9X UklURSAoMXU8PDApCiAK --=separator Content-Type: application/octet-stream; name="xsa98-update.patch" Content-Disposition: attachment; filename="xsa98-update.patch" Content-Transfer-Encoding: base64 eGVuOiBhcm06IGNvcnJlY3QgYXJtNjQgdmVyc2lvbiBvZiBndmFfdG9fbWFf cGFyCgpUaGUgaW1wbGVtZW50YXRpb24gd2FzIGJhY2t3YXJkcyBhbmQgY2hl Y2tlZCB0aGF0IHRoZSBndWVzdCBjb3VsZApyZWFkIHdoZW4gYXNrZWQgYWJv dXQgd3JpdGUgYW5kIHZpY2UgdmVyc2EuCgpUaGlzIGlzIGFuIHVwZGF0ZSB0 byB0aGUgZml4IGZvciBYU0EtOTguCgpSZXBvcnRlZC1ieTogVGFtYXMgSyBM ZW5neWVsIDx0a2xlbmd5ZWxAc2VjLmluLnR1bS5kZT4KU2lnbmVkLW9mZi1i eTogSWFuIENhbXBiZWxsIDxpYW4uY2FtcGJlbGxAY2l0cml4LmNvbT4KCmRp ZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTY0L3BhZ2UuaCBi L3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQvcGFnZS5oCmluZGV4IGJiMTAx NjQuLjM4NmU0MzQgMTAwNjQ0Ci0tLSBhL3hlbi9pbmNsdWRlL2FzbS1hcm0v YXJtNjQvcGFnZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtNjQv cGFnZS5oCkBAIC04Niw5ICs4Niw5IEBAIHN0YXRpYyBpbmxpbmUgdWludDY0 X3QgZ3ZhX3RvX21hX3Bhcih2YWRkcl90IHZhLCB1bnNpZ25lZCBpbnQgZmxh Z3MpCiAgICAgdWludDY0X3QgcGFyLCB0bXAgPSBSRUFEX1NZU1JFRzY0KFBB Ul9FTDEpOwogCiAgICAgaWYgKCAoZmxhZ3MgJiBHVjJNX1dSSVRFKSA9PSBH VjJNX1dSSVRFICkKLSAgICAgICAgYXNtIHZvbGF0aWxlICgiYXQgczEyZTFy LCAlMDsiIDogOiAiciIgKHZhKSk7Ci0gICAgZWxzZQogICAgICAgICBhc20g dm9sYXRpbGUgKCJhdCBzMTJlMXcsICUwOyIgOiA6ICJyIiAodmEpKTsKKyAg ICBlbHNlCisgICAgICAgIGFzbSB2b2xhdGlsZSAoImF0IHMxMmUxciwgJTA7 IiA6IDogInIiICh2YSkpOwogICAgIGlzYigpOwogICAgIHBhciA9IFJFQURf U1lTUkVHNjQoUEFSX0VMMSk7CiAgICAgV1JJVEVfU1lTUkVHNjQodG1wLCBQ QVJfRUwxKTsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Mon Mar 23 15:20:41 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 23 Mar 2015 15:20:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya48J-0008JJ-Uj; Mon, 23 Mar 2015 15:19:15 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya47t-00087d-52 for xen-announce@lists.xenproject.org; Mon, 23 Mar 2015 15:18:49 +0000 Received: from [85.158.137.68] by server-1.bemta-3.messagelabs.com id 27/78-02005-8DE20155; Mon, 23 Mar 2015 15:18:48 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-11.tower-31.messagelabs.com!1427123923!14721822!1 X-Originating-IP: [74.125.82.41] X-SpamReason: No, hits=0.1 required=7.0 tests=HTML_30_40,HTML_MESSAGE X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11249 invoked from network); 23 Mar 2015 15:18:43 -0000 Received: from mail-wg0-f41.google.com (HELO mail-wg0-f41.google.com) (74.125.82.41) by server-11.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 23 Mar 2015 15:18:43 -0000 Received: by wgs2 with SMTP id 2so41727304wgs.1 for ; Mon, 23 Mar 2015 08:18:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=HVBb1V6b9LH/eaCtqebL9JpzKiD3f+Fji6CYkgF1aAc=; b=Yu4TsvF/WET9f0XrZEyTPv0DmJEMyED91nZKiskWbsMWffuAhsKe0rKS4IgElLtOdW REcwpthTHdOESRM5twEyzAPb8/ohguDu0E4sii5DmQpxUKBbmz7/KQFAz1hDa9ib6y+i qweOl4baBqjk6Hs13OqyppuvrJ9qkpih9sNffDYi2gFL2KiGOZrliYGqOXaJeNoQoieI Vt9fqsgcPLmf6/bx7IHWoVJw43GE/HkBv4uKGgVvEU3m1u1r7aHr+4jNfREfZVVP7NRv SfhzdHdNcR4ro7PPcqMh6wmHcQhmcSsZVBufP++hhNbXxGMznrZwUe1NcWleT6+bhvT8 ea3g== X-Received: by 10.180.96.136 with SMTP id ds8mr19894431wib.47.1427123923124; Mon, 23 Mar 2015 08:18:43 -0700 (PDT) Received: from [192.168.0.8] (97e5522d.skybroadband.com. [151.229.82.45]) by mx.google.com with ESMTPSA id u16sm1856987wjr.5.2015.03.23.08.18.41 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 23 Mar 2015 08:18:42 -0700 (PDT) From: Lars Kurth Message-Id: <5BB42675-3821-4B33-A7EB-36214B54F3D7@gmail.com> Date: Mon, 23 Mar 2015 15:18:40 +0000 To: xen-announce@lists.xenproject.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) X-Mailer: Apple Mail (2.2070.6) X-Mailman-Approved-At: Mon, 23 Mar 2015 15:19:13 +0000 Subject: [Xen-announce] Xen 4.3.4 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============0689354752595236003==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --===============0689354752595236003== Content-Type: multipart/alternative; boundary="Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97" --Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii [Sent on behalf of Jan Beulich] I am pleased to announce the release of Xen 4.3.4. This is available immediately from its git repository = http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Drefs/heads/sta= ble-4.3 = =20 (tag RELEASE-4.3.4) or from the XenProject download page = http://www.xenproject.org/downloads/xen-archives/xen-43-series/xen-434.htm= l = =20 Note that this is expected to be the last release of the 4.3 stable series. The tree will be switched to security only maintenance mode after this release. This fixes the following critical vulnerabilities: * CVE-2014-5146, CVE-2014-5149 / XSA-97 Long latency virtual-mmu operations are not preemptible * CVE-2014-7154 / XSA-104 Race condition in HVMOP_track_dirty_vram * CVE-2014-7155 / XSA-105 Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW = emulation * CVE-2014-7156 / XSA-106 Missing privilege level checks in x86 emulation of software interrupts * CVE-2014-7188 / XSA-108 Improper MSR range used for x2APIC emulation * CVE-2014-8594 / XSA-109 Insufficient restrictions on certain MMU update hypercalls * CVE-2014-8595 / XSA-110 Missing privilege level checks in x86 emulation of far branches * CVE-2014-8866 / XSA-111 Excessive checking in compatibility mode hypercall argument = translation * CVE-2014-8867 / XSA-112 Insufficient bounding of "REP MOVS" to MMIO emulated inside the = hypervisor * CVE-2014-9030 / XSA-113 Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling * CVE-2014-9065, CVE-2014-9066 / XSA-114 p2m lock starvation * CVE-2015-0361 / XSA-116 xen crash due to use after free on hvm guest teardown * CVE-2015-2152 / XSA-119 HVM qemu unexpectedly enabling emulated VGA graphics backends * CVE-2015-2044 / XSA-121 Information leak via internal x86 system device emulation * CVE-2015-2045 / XSA-122 Information leak through version information hypercall * CVE-2015-2151 / XSA-123 Hypervisor memory corruption due to x86 emulator flaw Sadly the workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) still can't be guaranteed to cover all affected chipsets; Intel continues to be working on providing us with a complete list. Apart from those there are many further bug fixes and improvements. We recommend all users of the 4.3 stable series to update to this latest point release. Regards, Jan= --Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii
[Sent on behalf of Jan Beulich]

I am pleased to announce the release of = Xen 4.3.4. This is
available immediately from its git = repository
http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Dref= s/heads/stable-4.3 
(tag RELEASE-4.3.4) or from = the XenProject download page
http://www.xenproject.org/downloads/xen-archives/xen-43-series/= xen-434.html 

Note that this is = expected to be the last release of the 4.3 stable
series. = The tree will be switched to security only maintenance mode
after this release.

This fixes = the following critical vulnerabilities:
* CVE-2014-5146, = CVE-2014-5149 / XSA-97
  Long latency = virtual-mmu operations are not preemptible
* CVE-2014-7154 = / XSA-104
  Race condition in = HVMOP_track_dirty_vram
* CVE-2014-7155 / XSA-105
  Missing privilege level checks in x86 HLT, LGDT, = LIDT, and LMSW emulation
* CVE-2014-7156 / XSA-106
  Missing privilege level checks in x86 emulation = of software interrupts
* CVE-2014-7188 / XSA-108
  Improper MSR range used for x2APIC emulation
* CVE-2014-8594 / XSA-109
  Insufficient restrictions on certain MMU update = hypercalls
* CVE-2014-8595 / XSA-110
  Missing privilege level checks in x86 emulation = of far branches
* CVE-2014-8866 / XSA-111
  Excessive checking in compatibility mode = hypercall argument translation
* CVE-2014-8867 / = XSA-112
  Insufficient bounding of "REP MOVS" to = MMIO emulated inside the hypervisor
* CVE-2014-9030 / = XSA-113
  Guest effectable page reference leak = in MMU_MACHPHYS_UPDATE handling
* CVE-2014-9065, = CVE-2014-9066 / XSA-114
  p2m lock starvation
* CVE-2015-0361 / XSA-116
  xen crash = due to use after free on hvm guest teardown
* = CVE-2015-2152 / XSA-119
  HVM qemu unexpectedly = enabling emulated VGA graphics backends
* CVE-2015-2044 / = XSA-121
  Information leak via internal x86 = system device emulation
* CVE-2015-2045 / XSA-122
  Information leak through version information = hypercall
* CVE-2015-2151 / XSA-123
  Hypervisor memory corruption due to x86 emulator = flaw

Sadly the workaround for CVE-2013-3495 = / XSA-59 (Intel VT-d
Interrupt Remapping engines can be = evaded by native NMI
interrupts) still can't be guaranteed = to cover all affected chipsets;
Intel continues to be = working on providing us with a complete list.

Apart from those there are many further bug fixes and = improvements.

We recommend all users of the = 4.3 stable series to update to this
latest point = release.

Regards,
Jan= --Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97-- --===============0689354752595236003== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============0689354752595236003==-- From xen-announce-bounces@lists.xen.org Mon Mar 23 15:20:41 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 23 Mar 2015 15:20:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya48J-0008JJ-Uj; Mon, 23 Mar 2015 15:19:15 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya47t-00087d-52 for xen-announce@lists.xenproject.org; Mon, 23 Mar 2015 15:18:49 +0000 Received: from [85.158.137.68] by server-1.bemta-3.messagelabs.com id 27/78-02005-8DE20155; Mon, 23 Mar 2015 15:18:48 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-11.tower-31.messagelabs.com!1427123923!14721822!1 X-Originating-IP: [74.125.82.41] X-SpamReason: No, hits=0.1 required=7.0 tests=HTML_30_40,HTML_MESSAGE X-StarScan-Received: X-StarScan-Version: 6.13.4; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11249 invoked from network); 23 Mar 2015 15:18:43 -0000 Received: from mail-wg0-f41.google.com (HELO mail-wg0-f41.google.com) (74.125.82.41) by server-11.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 23 Mar 2015 15:18:43 -0000 Received: by wgs2 with SMTP id 2so41727304wgs.1 for ; Mon, 23 Mar 2015 08:18:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=HVBb1V6b9LH/eaCtqebL9JpzKiD3f+Fji6CYkgF1aAc=; b=Yu4TsvF/WET9f0XrZEyTPv0DmJEMyED91nZKiskWbsMWffuAhsKe0rKS4IgElLtOdW REcwpthTHdOESRM5twEyzAPb8/ohguDu0E4sii5DmQpxUKBbmz7/KQFAz1hDa9ib6y+i qweOl4baBqjk6Hs13OqyppuvrJ9qkpih9sNffDYi2gFL2KiGOZrliYGqOXaJeNoQoieI Vt9fqsgcPLmf6/bx7IHWoVJw43GE/HkBv4uKGgVvEU3m1u1r7aHr+4jNfREfZVVP7NRv SfhzdHdNcR4ro7PPcqMh6wmHcQhmcSsZVBufP++hhNbXxGMznrZwUe1NcWleT6+bhvT8 ea3g== X-Received: by 10.180.96.136 with SMTP id ds8mr19894431wib.47.1427123923124; Mon, 23 Mar 2015 08:18:43 -0700 (PDT) Received: from [192.168.0.8] (97e5522d.skybroadband.com. [151.229.82.45]) by mx.google.com with ESMTPSA id u16sm1856987wjr.5.2015.03.23.08.18.41 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 23 Mar 2015 08:18:42 -0700 (PDT) From: Lars Kurth Message-Id: <5BB42675-3821-4B33-A7EB-36214B54F3D7@gmail.com> Date: Mon, 23 Mar 2015 15:18:40 +0000 To: xen-announce@lists.xenproject.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) X-Mailer: Apple Mail (2.2070.6) X-Mailman-Approved-At: Mon, 23 Mar 2015 15:19:13 +0000 Subject: [Xen-announce] Xen 4.3.4 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============0689354752595236003==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --===============0689354752595236003== Content-Type: multipart/alternative; boundary="Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97" --Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii [Sent on behalf of Jan Beulich] I am pleased to announce the release of Xen 4.3.4. This is available immediately from its git repository = http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Drefs/heads/sta= ble-4.3 = =20 (tag RELEASE-4.3.4) or from the XenProject download page = http://www.xenproject.org/downloads/xen-archives/xen-43-series/xen-434.htm= l = =20 Note that this is expected to be the last release of the 4.3 stable series. The tree will be switched to security only maintenance mode after this release. This fixes the following critical vulnerabilities: * CVE-2014-5146, CVE-2014-5149 / XSA-97 Long latency virtual-mmu operations are not preemptible * CVE-2014-7154 / XSA-104 Race condition in HVMOP_track_dirty_vram * CVE-2014-7155 / XSA-105 Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW = emulation * CVE-2014-7156 / XSA-106 Missing privilege level checks in x86 emulation of software interrupts * CVE-2014-7188 / XSA-108 Improper MSR range used for x2APIC emulation * CVE-2014-8594 / XSA-109 Insufficient restrictions on certain MMU update hypercalls * CVE-2014-8595 / XSA-110 Missing privilege level checks in x86 emulation of far branches * CVE-2014-8866 / XSA-111 Excessive checking in compatibility mode hypercall argument = translation * CVE-2014-8867 / XSA-112 Insufficient bounding of "REP MOVS" to MMIO emulated inside the = hypervisor * CVE-2014-9030 / XSA-113 Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling * CVE-2014-9065, CVE-2014-9066 / XSA-114 p2m lock starvation * CVE-2015-0361 / XSA-116 xen crash due to use after free on hvm guest teardown * CVE-2015-2152 / XSA-119 HVM qemu unexpectedly enabling emulated VGA graphics backends * CVE-2015-2044 / XSA-121 Information leak via internal x86 system device emulation * CVE-2015-2045 / XSA-122 Information leak through version information hypercall * CVE-2015-2151 / XSA-123 Hypervisor memory corruption due to x86 emulator flaw Sadly the workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) still can't be guaranteed to cover all affected chipsets; Intel continues to be working on providing us with a complete list. Apart from those there are many further bug fixes and improvements. We recommend all users of the 4.3 stable series to update to this latest point release. Regards, Jan= --Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii
[Sent on behalf of Jan Beulich]

I am pleased to announce the release of = Xen 4.3.4. This is
available immediately from its git = repository
http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Dref= s/heads/stable-4.3 
(tag RELEASE-4.3.4) or from = the XenProject download page
http://www.xenproject.org/downloads/xen-archives/xen-43-series/= xen-434.html 

Note that this is = expected to be the last release of the 4.3 stable
series. = The tree will be switched to security only maintenance mode
after this release.

This fixes = the following critical vulnerabilities:
* CVE-2014-5146, = CVE-2014-5149 / XSA-97
  Long latency = virtual-mmu operations are not preemptible
* CVE-2014-7154 = / XSA-104
  Race condition in = HVMOP_track_dirty_vram
* CVE-2014-7155 / XSA-105
  Missing privilege level checks in x86 HLT, LGDT, = LIDT, and LMSW emulation
* CVE-2014-7156 / XSA-106
  Missing privilege level checks in x86 emulation = of software interrupts
* CVE-2014-7188 / XSA-108
  Improper MSR range used for x2APIC emulation
* CVE-2014-8594 / XSA-109
  Insufficient restrictions on certain MMU update = hypercalls
* CVE-2014-8595 / XSA-110
  Missing privilege level checks in x86 emulation = of far branches
* CVE-2014-8866 / XSA-111
  Excessive checking in compatibility mode = hypercall argument translation
* CVE-2014-8867 / = XSA-112
  Insufficient bounding of "REP MOVS" to = MMIO emulated inside the hypervisor
* CVE-2014-9030 / = XSA-113
  Guest effectable page reference leak = in MMU_MACHPHYS_UPDATE handling
* CVE-2014-9065, = CVE-2014-9066 / XSA-114
  p2m lock starvation
* CVE-2015-0361 / XSA-116
  xen crash = due to use after free on hvm guest teardown
* = CVE-2015-2152 / XSA-119
  HVM qemu unexpectedly = enabling emulated VGA graphics backends
* CVE-2015-2044 / = XSA-121
  Information leak via internal x86 = system device emulation
* CVE-2015-2045 / XSA-122
  Information leak through version information = hypercall
* CVE-2015-2151 / XSA-123
  Hypervisor memory corruption due to x86 emulator = flaw

Sadly the workaround for CVE-2013-3495 = / XSA-59 (Intel VT-d
Interrupt Remapping engines can be = evaded by native NMI
interrupts) still can't be guaranteed = to cover all affected chipsets;
Intel continues to be = working on providing us with a complete list.

Apart from those there are many further bug fixes and = improvements.

We recommend all users of the = 4.3 stable series to update to this
latest point = release.

Regards,
Jan= --Apple-Mail=_5F74E7FC-03C1-45DD-A2A1-2E0C2E91CA97-- --===============0689354752595236003== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============0689354752595236003==-- From xen-announce-bounces@lists.xen.org Mon Mar 23 15:20:41 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 23 Mar 2015 15:20:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya48J-0008JD-I1; Mon, 23 Mar 2015 15:19:15 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya46c-00080A-LU for xen-announce@lists.xenproject.org; Mon, 23 Mar 2015 15:17:30 +0000 Received: from [85.158.139.211] by server-10.bemta-5.messagelabs.com id 71/01-10587-98E20155; Mon, 23 Mar 2015 15:17:29 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-13.tower-206.messagelabs.com!1427123846!10967968!1 X-Originating-IP: [74.125.82.46] X-SpamReason: No, hits=0.1 required=7.0 tests=HTML_30_40,HTML_MESSAGE X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 3428 invoked from network); 23 Mar 2015 15:17:27 -0000 Received: from mail-wg0-f46.google.com (HELO mail-wg0-f46.google.com) (74.125.82.46) by server-13.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 23 Mar 2015 15:17:27 -0000 Received: by wgs2 with SMTP id 2so41696711wgs.1 for ; Mon, 23 Mar 2015 08:17:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=Xdof6B3hsB8c9SG+f1LIiIksPNPNC/6IoUUOV2WXcJ4=; b=xwadWIcLdFl4/3dZQ76JIf2Parh0kwJbRRSftbkUOU79z0FaT23hqDgprxgluScIXT MD8Daw8LN8f7Yj697M519piBtk14od+4yv0Z/lS2VCJtNnDRt2M+3QFNkf2uTmtyZtfz kLlHtjYyP3bZDjzsgPfujgOvEpmzrumHyP7E64YE8OPpevCAF4jgprVAcBahJTT/WSYN fIvN/NL+te1zGD+Cfz91v/jkQGAJK89FMR282N4tjMyeCTkC2ZcrZ5vpJEmbN/7gy342 jhvfl0uTjyXy7/RalMH0S7n0ml6rzI+8B5yj1OxqQPlNHdbYuMyaXwQOM+dRNJz2sEfg noKg== X-Received: by 10.194.59.112 with SMTP id y16mr190936171wjq.36.1427123846691; Mon, 23 Mar 2015 08:17:26 -0700 (PDT) Received: from [192.168.0.8] (97e5522d.skybroadband.com. [151.229.82.45]) by mx.google.com with ESMTPSA id p1sm11554285wib.23.2015.03.23.08.17.25 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 23 Mar 2015 08:17:25 -0700 (PDT) From: Lars Kurth Message-Id: Date: Mon, 23 Mar 2015 15:17:22 +0000 To: xen-announce@lists.xenproject.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) X-Mailer: Apple Mail (2.2070.6) X-Mailman-Approved-At: Mon, 23 Mar 2015 15:19:13 +0000 Subject: [Xen-announce] Xen 4.4.2 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============7080023603008349433==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --===============7080023603008349433== Content-Type: multipart/alternative; boundary="Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F" --Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii [Sent on behalf of Jan Beulich] All, I am pleased to announce the release of Xen 4.4.2. This is available immediately from its git repository = http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Drefs/heads/sta= ble-4.4 = =20 (tag RELEASE-4.4.2) or from the XenProject download page = http://www.xenproject.org/downloads/xen-archives/xen-44-series/xen-442.htm= l = =20 This fixes the following critical vulnerabilities: * CVE-2014-5146, CVE-2014-5149 / XSA-97 Long latency virtual-mmu operations are not preemptible * CVE-2014-7154 / XSA-104 Race condition in HVMOP_track_dirty_vram * CVE-2014-7155 / XSA-105 Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW = emulation * CVE-2014-7156 / XSA-106 Missing privilege level checks in x86 emulation of software interrupts * CVE-2014-6268 / XSA-107 Mishandling of uninitialised FIFO-based event channel control blocks * CVE-2014-7188 / XSA-108 Improper MSR range used for x2APIC emulation * CVE-2014-8594 / XSA-109 Insufficient restrictions on certain MMU update hypercalls * CVE-2014-8595 / XSA-110 Missing privilege level checks in x86 emulation of far branches * CVE-2014-8866 / XSA-111 Excessive checking in compatibility mode hypercall argument = translation * CVE-2014-8867 / XSA-112 Insufficient bounding of "REP MOVS" to MMIO emulated inside the = hypervisor * CVE-2014-9030 / XSA-113 Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling * CVE-2014-9065, CVE-2014-9066 / XSA-114 p2m lock starvation * CVE-2015-0361 / XSA-116 xen crash due to use after free on hvm guest teardown * CVE-2015-1563 / XSA-118 arm: vgic: incorrect rate limiting of guest triggered logging * CVE-2015-2152 / XSA-119 HVM qemu unexpectedly enabling emulated VGA graphics backends * CVE-2015-2044 / XSA-121 Information leak via internal x86 system device emulation * CVE-2015-2045 / XSA-122 Information leak through version information hypercall * CVE-2015-2151 / XSA-123 Hypervisor memory corruption due to x86 emulator flaw Additionally a bug in the fix for CVE-2014-3969 / CVE-2015-2290 / XSA-98 (which got assigned CVE-2015-2290) got addressed. Sadly the workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) still can't be guaranteed to cover all affected chipsets; Intel continues to be working on providing us with a complete list. Apart from those there are many further bug fixes and improvements. We recommend all users of the 4.4 stable series to update to this first point release. Regards, Jan --Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii
[Sent on behalf of Jan Beulich]

All,

I am = pleased to announce the release of Xen 4.4.2. This is
available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Dref= s/heads/stable-4.4 
(tag RELEASE-4.4.2) or from = the XenProject download page
http://www.xenproject.org/downloads/xen-archives/xen-44-series/= xen-442.html 

This fixes the = following critical vulnerabilities:

* = CVE-2014-5146, CVE-2014-5149 / XSA-97
  Long = latency virtual-mmu operations are not preemptible
* = CVE-2014-7154 / XSA-104
  Race condition in = HVMOP_track_dirty_vram
* CVE-2014-7155 / XSA-105
  Missing privilege level checks in x86 HLT, LGDT, = LIDT, and LMSW emulation
* CVE-2014-7156 / XSA-106
  Missing privilege level checks in x86 emulation = of software interrupts
* CVE-2014-6268 / XSA-107
 Mishandling of uninitialised FIFO-based event channel = control blocks
* CVE-2014-7188 / XSA-108
  Improper MSR range used for x2APIC emulation
* CVE-2014-8594 / XSA-109
  Insufficient restrictions on certain MMU update = hypercalls
* CVE-2014-8595 / XSA-110
  Missing privilege level checks in x86 emulation = of far branches
* CVE-2014-8866 / XSA-111
  Excessive checking in compatibility mode = hypercall argument translation
* CVE-2014-8867 / = XSA-112
  Insufficient bounding of "REP MOVS" to = MMIO emulated inside the hypervisor
* CVE-2014-9030 / = XSA-113
  Guest effectable page reference leak = in MMU_MACHPHYS_UPDATE handling
* CVE-2014-9065, = CVE-2014-9066 / XSA-114
  p2m lock starvation
* CVE-2015-0361 / XSA-116
  xen crash = due to use after free on hvm guest teardown
* = CVE-2015-1563 / XSA-118
  arm: vgic: incorrect = rate limiting of guest triggered logging
* CVE-2015-2152 / = XSA-119
  HVM qemu unexpectedly enabling = emulated VGA graphics backends
* CVE-2015-2044 / = XSA-121
  Information leak via internal x86 = system device emulation
* CVE-2015-2045 / XSA-122
  Information leak through version information = hypercall
* CVE-2015-2151 / XSA-123
  Hypervisor memory corruption due to x86 emulator = flaw

Additionally a bug in the fix for = CVE-2014-3969 / CVE-2015-2290 /
XSA-98 (which got assigned = CVE-2015-2290) got addressed.

Sadly the = workaround for CVE-2013-3495 / XSA-59 (Intel VT-d
Interrupt = Remapping engines can be evaded by native NMI
interrupts) = still can't be guaranteed to cover all affected chipsets;
Intel continues to be working on providing us with a complete = list.

Apart from those there are many = further bug fixes and improvements.

We = recommend all users of the 4.4 stable series to update to this
first point release.

Regards,
Jan
= --Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F-- --===============7080023603008349433== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============7080023603008349433==-- From xen-announce-bounces@lists.xen.org Mon Mar 23 15:20:41 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 23 Mar 2015 15:20:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya48J-0008JD-I1; Mon, 23 Mar 2015 15:19:15 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ya46c-00080A-LU for xen-announce@lists.xenproject.org; Mon, 23 Mar 2015 15:17:30 +0000 Received: from [85.158.139.211] by server-10.bemta-5.messagelabs.com id 71/01-10587-98E20155; Mon, 23 Mar 2015 15:17:29 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-13.tower-206.messagelabs.com!1427123846!10967968!1 X-Originating-IP: [74.125.82.46] X-SpamReason: No, hits=0.1 required=7.0 tests=HTML_30_40,HTML_MESSAGE X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 3428 invoked from network); 23 Mar 2015 15:17:27 -0000 Received: from mail-wg0-f46.google.com (HELO mail-wg0-f46.google.com) (74.125.82.46) by server-13.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 23 Mar 2015 15:17:27 -0000 Received: by wgs2 with SMTP id 2so41696711wgs.1 for ; Mon, 23 Mar 2015 08:17:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=Xdof6B3hsB8c9SG+f1LIiIksPNPNC/6IoUUOV2WXcJ4=; b=xwadWIcLdFl4/3dZQ76JIf2Parh0kwJbRRSftbkUOU79z0FaT23hqDgprxgluScIXT MD8Daw8LN8f7Yj697M519piBtk14od+4yv0Z/lS2VCJtNnDRt2M+3QFNkf2uTmtyZtfz kLlHtjYyP3bZDjzsgPfujgOvEpmzrumHyP7E64YE8OPpevCAF4jgprVAcBahJTT/WSYN fIvN/NL+te1zGD+Cfz91v/jkQGAJK89FMR282N4tjMyeCTkC2ZcrZ5vpJEmbN/7gy342 jhvfl0uTjyXy7/RalMH0S7n0ml6rzI+8B5yj1OxqQPlNHdbYuMyaXwQOM+dRNJz2sEfg noKg== X-Received: by 10.194.59.112 with SMTP id y16mr190936171wjq.36.1427123846691; Mon, 23 Mar 2015 08:17:26 -0700 (PDT) Received: from [192.168.0.8] (97e5522d.skybroadband.com. [151.229.82.45]) by mx.google.com with ESMTPSA id p1sm11554285wib.23.2015.03.23.08.17.25 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 23 Mar 2015 08:17:25 -0700 (PDT) From: Lars Kurth Message-Id: Date: Mon, 23 Mar 2015 15:17:22 +0000 To: xen-announce@lists.xenproject.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) X-Mailer: Apple Mail (2.2070.6) X-Mailman-Approved-At: Mon, 23 Mar 2015 15:19:13 +0000 Subject: [Xen-announce] Xen 4.4.2 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============7080023603008349433==" Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --===============7080023603008349433== Content-Type: multipart/alternative; boundary="Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F" --Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii [Sent on behalf of Jan Beulich] All, I am pleased to announce the release of Xen 4.4.2. This is available immediately from its git repository = http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Drefs/heads/sta= ble-4.4 = =20 (tag RELEASE-4.4.2) or from the XenProject download page = http://www.xenproject.org/downloads/xen-archives/xen-44-series/xen-442.htm= l = =20 This fixes the following critical vulnerabilities: * CVE-2014-5146, CVE-2014-5149 / XSA-97 Long latency virtual-mmu operations are not preemptible * CVE-2014-7154 / XSA-104 Race condition in HVMOP_track_dirty_vram * CVE-2014-7155 / XSA-105 Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW = emulation * CVE-2014-7156 / XSA-106 Missing privilege level checks in x86 emulation of software interrupts * CVE-2014-6268 / XSA-107 Mishandling of uninitialised FIFO-based event channel control blocks * CVE-2014-7188 / XSA-108 Improper MSR range used for x2APIC emulation * CVE-2014-8594 / XSA-109 Insufficient restrictions on certain MMU update hypercalls * CVE-2014-8595 / XSA-110 Missing privilege level checks in x86 emulation of far branches * CVE-2014-8866 / XSA-111 Excessive checking in compatibility mode hypercall argument = translation * CVE-2014-8867 / XSA-112 Insufficient bounding of "REP MOVS" to MMIO emulated inside the = hypervisor * CVE-2014-9030 / XSA-113 Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling * CVE-2014-9065, CVE-2014-9066 / XSA-114 p2m lock starvation * CVE-2015-0361 / XSA-116 xen crash due to use after free on hvm guest teardown * CVE-2015-1563 / XSA-118 arm: vgic: incorrect rate limiting of guest triggered logging * CVE-2015-2152 / XSA-119 HVM qemu unexpectedly enabling emulated VGA graphics backends * CVE-2015-2044 / XSA-121 Information leak via internal x86 system device emulation * CVE-2015-2045 / XSA-122 Information leak through version information hypercall * CVE-2015-2151 / XSA-123 Hypervisor memory corruption due to x86 emulator flaw Additionally a bug in the fix for CVE-2014-3969 / CVE-2015-2290 / XSA-98 (which got assigned CVE-2015-2290) got addressed. Sadly the workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) still can't be guaranteed to cover all affected chipsets; Intel continues to be working on providing us with a complete list. Apart from those there are many further bug fixes and improvements. We recommend all users of the 4.4 stable series to update to this first point release. Regards, Jan --Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii
[Sent on behalf of Jan Beulich]

All,

I am = pleased to announce the release of Xen 4.4.2. This is
available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=3Dxen.git;a=3Dshortlog;h=3Dref= s/heads/stable-4.4 
(tag RELEASE-4.4.2) or from = the XenProject download page
http://www.xenproject.org/downloads/xen-archives/xen-44-series/= xen-442.html 

This fixes the = following critical vulnerabilities:

* = CVE-2014-5146, CVE-2014-5149 / XSA-97
  Long = latency virtual-mmu operations are not preemptible
* = CVE-2014-7154 / XSA-104
  Race condition in = HVMOP_track_dirty_vram
* CVE-2014-7155 / XSA-105
  Missing privilege level checks in x86 HLT, LGDT, = LIDT, and LMSW emulation
* CVE-2014-7156 / XSA-106
  Missing privilege level checks in x86 emulation = of software interrupts
* CVE-2014-6268 / XSA-107
 Mishandling of uninitialised FIFO-based event channel = control blocks
* CVE-2014-7188 / XSA-108
  Improper MSR range used for x2APIC emulation
* CVE-2014-8594 / XSA-109
  Insufficient restrictions on certain MMU update = hypercalls
* CVE-2014-8595 / XSA-110
  Missing privilege level checks in x86 emulation = of far branches
* CVE-2014-8866 / XSA-111
  Excessive checking in compatibility mode = hypercall argument translation
* CVE-2014-8867 / = XSA-112
  Insufficient bounding of "REP MOVS" to = MMIO emulated inside the hypervisor
* CVE-2014-9030 / = XSA-113
  Guest effectable page reference leak = in MMU_MACHPHYS_UPDATE handling
* CVE-2014-9065, = CVE-2014-9066 / XSA-114
  p2m lock starvation
* CVE-2015-0361 / XSA-116
  xen crash = due to use after free on hvm guest teardown
* = CVE-2015-1563 / XSA-118
  arm: vgic: incorrect = rate limiting of guest triggered logging
* CVE-2015-2152 / = XSA-119
  HVM qemu unexpectedly enabling = emulated VGA graphics backends
* CVE-2015-2044 / = XSA-121
  Information leak via internal x86 = system device emulation
* CVE-2015-2045 / XSA-122
  Information leak through version information = hypercall
* CVE-2015-2151 / XSA-123
  Hypervisor memory corruption due to x86 emulator = flaw

Additionally a bug in the fix for = CVE-2014-3969 / CVE-2015-2290 /
XSA-98 (which got assigned = CVE-2015-2290) got addressed.

Sadly the = workaround for CVE-2013-3495 / XSA-59 (Intel VT-d
Interrupt = Remapping engines can be evaded by native NMI
interrupts) = still can't be guaranteed to cover all affected chipsets;
Intel continues to be working on providing us with a complete = list.

Apart from those there are many = further bug fixes and improvements.

We = recommend all users of the 4.4 stable series to update to this
first point release.

Regards,
Jan
= --Apple-Mail=_9279BD29-FFFA-436F-9618-534F2D9ACA4F-- --===============7080023603008349433== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --===============7080023603008349433==-- From xen-announce-bounces@lists.xen.org Tue Mar 31 12:11:10 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 12:11:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzs-00006x-Ms; Tue, 31 Mar 2015 12:10:20 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzq-000050-Uu; Tue, 31 Mar 2015 12:10:19 +0000 Received: from [193.109.254.147] by server-3.bemta-14.messagelabs.com id B2/44-23827-AAE8A155; Tue, 31 Mar 2015 12:10:18 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-27.messagelabs.com!1427803815!9920727!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22988 invoked from network); 31 Mar 2015 12:10:16 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 12:10:16 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzb-0006xd-QX; Tue, 31 Mar 2015 12:10:03 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1Ycuzb-0005NW-CJ; Tue, 31 Mar 2015 12:10:03 +0000 Date: Tue, 31 Mar 2015 12:10:03 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 126 (CVE-2015-2756) - Unmediated PCI command register access in qemu X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2756 / XSA-126 version 3 Unmediated PCI command register access in qemu UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, after disabling one or both of these bits subsequent accesses to the MMIO or I/O port ranges would - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific. Furthermore (at least) devices under control of the Linux pciback driver in the host are handed to guests with the aforementioned bits turned off. This means that such accesses can similarly lead to Unsupported Request responses until these flags are set as needed by the guest. IMPACT ====== In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted HVM guests. This issue can also be avoided by only using PV guests or HVM guests with their device model run in a separate (stub) domain. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa126-qemuu.patch qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x xsa126-qemuu-4.3.patch qemu-upstream-unstable, Xen 4.3.x xsa126-qemut.patch qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x For those already having the original patch in place, applying the appropriate attached incremental patch addresses the regression. xsa126-qemuu-incr.patch qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x xsa126-qemuu-4.3-incr.patch qemu-upstream-unstable, Xen 4.3.x xsa126-qemut-incr.patch qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa126*.patch bd69a0d18127793a9aa2097062ecaef76df6e6b8f729406d7d52cf66519e3b0d xsa126-qemut-incr.patch 2a9b8f73b2a4f0cfb6b724c9a0a72dbf08cae87cd382f61f563218c32d1036a7 xsa126-qemut.patch 658bc483d1110e4e04de2d70fba1cdb20c5cecdc2f419db2d82bddc3ae1690b6 xsa126-qemuu-4.3-incr.patch 090d9262a9e9d24f0f4eca35cb0d56831d5cec6a6ba38b4c7e276d767de660c1 xsa126-qemuu-4.3.patch 3f7b6737c08ff7e119bec16c8c3b3cb832429f1410e687edf622fab57a22842e xsa126-qemuu-incr.patch eb5b93600267639b2cda1c5e2f937ddbecbf6c8cbd19dbb355224c39c2e40d3e xsa126-qemuu.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGo5NAAoJEIP+FMlX6CvZvt4IAIeNbTd6EQJE4CnuU6fH9lA3 0fO7FrUEMn7cfiptLy86y01C0d7YqF1MCbO3TKfJ0NJSjvl5CQ/WDuPwjdbD28eW Zi2NZFRRy0JnLM3bgHxYB5Ik7voO6QPm4+BSZxM9rdiOhKwOY1LLyDbRlC5GvsVr 5J87gm1tfcQVHNDkVZp6ZlzQh5Kl3iSFp6KvzwsIagoJucsPVEHsoBWF84I+3peu miT3gQqPeZg3PxplKNBkFZOr4hfE1vkYEmopnPY+ClSqsIB0XWM8XSbr8IByXI/E VBAAsssFYV3mwNSoVrip+CWumi32ocikfxly+GlZxNWiMO4T57La6CJcmjQqaEE= =wvTM -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa126-qemut-incr.patch" Content-Disposition: attachment; filename="xsa126-qemut-incr.patch" Content-Transfer-Encoding: base64 eGVuOiBlbmFibGUgbWVtb3J5IGFuZCBJL08gZGVjb2RpbmcgYmVmb3JlIHBh c3NpbmcgUENJIGRldmljZSB0byBndWVzdAoKT3RoZXJ3aXNlLCB3aXRoIHYx IG9mIHRoZSBYU0EtMTI2IGZpeCBpbiBwbGFjZSwgbm90aGluZyB3aWxsIGRv IHRoaXMsCmxlYXZpbmcgdGhlIGRldmljZSB1bnVzYWJsZSBleGNlcHQgZm9y IG1hbGljaW91cyBwdXJwb3Nlcy4KClRoaXMgaXMgcGFydCBvZiBDVkUtMjAx NS0yNzU2IC8gWFNBLTEyNi4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNo IDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8 aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody9wYXNzLXRocm91 Z2guYworKysgYi9ody9wYXNzLXRocm91Z2guYwpAQCAtMTkwNSw3ICsxOTA1 LDcgQEAgc3RhdGljIGludCBwdF9kZXZfaXNfdmlydGZuKHN0cnVjdCBwY2lf ZAogICAgIHJldHVybiByYzsKIH0KIAotc3RhdGljIGludCBwdF9yZWdpc3Rl cl9yZWdpb25zKHN0cnVjdCBwdF9kZXYgKmFzc2lnbmVkX2RldmljZSkKK3N0 YXRpYyBpbnQgcHRfcmVnaXN0ZXJfcmVnaW9ucyhzdHJ1Y3QgcHRfZGV2ICph c3NpZ25lZF9kZXZpY2UsIHVpbnQxNl90ICpjbWQpCiB7CiAgICAgaW50IGkg PSAwOwogICAgIHVpbnQzMl90IGJhcl9kYXRhID0gMDsKQEAgLTE5MjUsMTcg KzE5MjUsMjYgQEAgc3RhdGljIGludCBwdF9yZWdpc3Rlcl9yZWdpb25zKHN0 cnVjdCBwdAogCiAgICAgICAgICAgICAvKiBSZWdpc3RlciBjdXJyZW50IHJl Z2lvbiAqLwogICAgICAgICAgICAgaWYgKCBwY2lfZGV2LT5iYXNlX2FkZHJb aV0gJiBQQ0lfQUREUkVTU19TUEFDRV9JTyApCisgICAgICAgICAgICB7CiAg ICAgICAgICAgICAgICAgcGNpX3JlZ2lzdGVyX2lvX3JlZ2lvbigoUENJRGV2 aWNlICopYXNzaWduZWRfZGV2aWNlLCBpLAogICAgICAgICAgICAgICAgICAg ICAodWludDMyX3QpcGNpX2Rldi0+c2l6ZVtpXSwgUENJX0FERFJFU1NfU1BB Q0VfSU8sCiAgICAgICAgICAgICAgICAgICAgIHB0X2lvcG9ydF9tYXApOwor ICAgICAgICAgICAgICAgICpjbWQgfD0gUENJX0NPTU1BTkRfSU87CisgICAg ICAgICAgICB9CiAgICAgICAgICAgICBlbHNlIGlmICggcGNpX2Rldi0+YmFz ZV9hZGRyW2ldICYgUENJX0FERFJFU1NfU1BBQ0VfTUVNX1BSRUZFVENIICkK KyAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBwY2lfcmVnaXN0ZXJf aW9fcmVnaW9uKChQQ0lEZXZpY2UgKilhc3NpZ25lZF9kZXZpY2UsIGksCiAg ICAgICAgICAgICAgICAgICAgICh1aW50MzJfdClwY2lfZGV2LT5zaXplW2ld LCBQQ0lfQUREUkVTU19TUEFDRV9NRU1fUFJFRkVUQ0gsCiAgICAgICAgICAg ICAgICAgICAgIHB0X2lvbWVtX21hcCk7CisgICAgICAgICAgICAgICAgKmNt ZCB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7CisgICAgICAgICAgICB9CiAgICAg ICAgICAgICBlbHNlCisgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAg cGNpX3JlZ2lzdGVyX2lvX3JlZ2lvbigoUENJRGV2aWNlICopYXNzaWduZWRf ZGV2aWNlLCBpLAogICAgICAgICAgICAgICAgICAgICAodWludDMyX3QpcGNp X2Rldi0+c2l6ZVtpXSwgUENJX0FERFJFU1NfU1BBQ0VfTUVNLAogICAgICAg ICAgICAgICAgICAgICBwdF9pb21lbV9tYXApOworICAgICAgICAgICAgICAg ICpjbWQgfD0gUENJX0NPTU1BTkRfTUVNT1JZOworICAgICAgICAgICAgfQog CiAgICAgICAgICAgICBQVF9MT0coIklPIHJlZ2lvbiByZWdpc3RlcmVkIChz aXplPTB4JTA4eCBiYXNlX2FkZHI9MHglMDh4KVxuIiwKICAgICAgICAgICAg ICAgICAodWludDMyX3QpKHBjaV9kZXYtPnNpemVbaV0pLApAQCAtNDIxMSw2 ICs0MjIwLDcgQEAgc3RhdGljIHN0cnVjdCBwdF9kZXYgKiByZWdpc3Rlcl9y ZWFsX2RldgogICAgIHN0cnVjdCBwdF9kZXYgKmFzc2lnbmVkX2RldmljZSA9 IE5VTEw7CiAgICAgc3RydWN0IHBjaV9kZXYgKnBjaV9kZXY7CiAgICAgdWlu dDhfdCBlX2RldmljZSwgZV9pbnR4OworICAgIHVpbnQxNl90IGNtZCA9IDA7 CiAgICAgY2hhciAqa2V5LCAqdmFsOwogICAgIGludCBtc2lfdHJhbnNsYXRl LCBwb3dlcl9tZ210OwogCkBAIC00MzAwLDcgKzQzMTAsNyBAQCBzdGF0aWMg c3RydWN0IHB0X2RldiAqIHJlZ2lzdGVyX3JlYWxfZGV2CiAgICAgICAgIGFz c2lnbmVkX2RldmljZS0+ZGV2LmNvbmZpZ1tpXSA9IHBjaV9yZWFkX2J5dGUo cGNpX2RldiwgaSk7CiAKICAgICAvKiBIYW5kbGUgcmVhbCBkZXZpY2UncyBN TUlPL1BJTyBCQVJzICovCi0gICAgcHRfcmVnaXN0ZXJfcmVnaW9ucyhhc3Np Z25lZF9kZXZpY2UpOworICAgIHB0X3JlZ2lzdGVyX3JlZ2lvbnMoYXNzaWdu ZWRfZGV2aWNlLCAmY21kKTsKIAogICAgIC8qIFNldHVwIFZHQSBiaW9zIGZv ciBwYXNzdGhyb3VnaGVkIGdmeCAqLwogICAgIGlmICggc2V0dXBfdmdhX3B0 KGFzc2lnbmVkX2RldmljZSkgPCAwICkKQEAgLTQzNzgsNiArNDM4OCwxMCBA QCBzdGF0aWMgc3RydWN0IHB0X2RldiAqIHJlZ2lzdGVyX3JlYWxfZGV2CiAg ICAgfQogCiBvdXQ6CisgICAgaWYgKGNtZCkKKyAgICAgICAgcGNpX3dyaXRl X3dvcmQocGNpX2RldiwgUENJX0NPTU1BTkQsCisgICAgICAgICAgICAqKHVp bnQxNl90ICopKCZhc3NpZ25lZF9kZXZpY2UtPmRldi5jb25maWdbUENJX0NP TU1BTkRdKSB8IGNtZCk7CisKICAgICBQVF9MT0coIlJlYWwgcGh5c2ljYWwg ZGV2aWNlICUwMng6JTAyeC4leCByZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxu IgogICAgICAgICAgICAiSVJRIHR5cGUgPSAlc1xuIiwgcl9idXMsIHJfZGV2 LCByX2Z1bmMsCiAgICAgICAgICAgIGFzc2lnbmVkX2RldmljZS0+bXNpX3Ry YW5zX2VuPyAiTVNJLUlOVHgiOiJJTlR4Iik7Cg== --=separator Content-Type: application/octet-stream; name="xsa126-qemut.patch" Content-Disposition: attachment; filename="xsa126-qemut.patch" Content-Transfer-Encoding: base64 eGVuOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIFBDSSBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTI3NTYgLyBYU0Et MTI2LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVm YW5vLnN0YWJlbGxpbmlAZXUuY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody9w YXNzLXRocm91Z2guYworKysgYi9ody9wYXNzLXRocm91Z2guYwpAQCAtMTcy LDkgKzE3Miw2IEBAIHN0YXRpYyBpbnQgcHRfd29yZF9yZWdfcmVhZChzdHJ1 Y3QgcHRfZGUKIHN0YXRpYyBpbnQgcHRfbG9uZ19yZWdfcmVhZChzdHJ1Y3Qg cHRfZGV2ICpwdGRldiwKICAgICBzdHJ1Y3QgcHRfcmVnX3RibCAqY2ZnX2Vu dHJ5LAogICAgIHVpbnQzMl90ICp2YWx1ZSwgdWludDMyX3QgdmFsaWRfbWFz ayk7Ci1zdGF0aWMgaW50IHB0X2NtZF9yZWdfcmVhZChzdHJ1Y3QgcHRfZGV2 ICpwdGRldiwKLSAgICBzdHJ1Y3QgcHRfcmVnX3RibCAqY2ZnX2VudHJ5LAot ICAgIHVpbnQxNl90ICp2YWx1ZSwgdWludDE2X3QgdmFsaWRfbWFzayk7CiBz dGF0aWMgaW50IHB0X2Jhcl9yZWdfcmVhZChzdHJ1Y3QgcHRfZGV2ICpwdGRl diwKICAgICBzdHJ1Y3QgcHRfcmVnX3RibCAqY2ZnX2VudHJ5LAogICAgIHVp bnQzMl90ICp2YWx1ZSwgdWludDMyX3QgdmFsaWRfbWFzayk7CkBAIC0yODYs OSArMjgzLDkgQEAgc3RhdGljIHN0cnVjdCBwdF9yZWdfaW5mb190YmwgcHRf ZW11X3JlZwogICAgICAgICAuc2l6ZSAgICAgICA9IDIsCiAgICAgICAgIC5p bml0X3ZhbCAgID0gMHgwMDAwLAogICAgICAgICAucm9fbWFzayAgICA9IDB4 Rjg4MCwKLSAgICAgICAgLmVtdV9tYXNrICAgPSAweDA3NDAsCisgICAgICAg IC5lbXVfbWFzayAgID0gMHgwNzQzLAogICAgICAgICAuaW5pdCAgICAgICA9 IHB0X2NvbW1vbl9yZWdfaW5pdCwKLSAgICAgICAgLnUudy5yZWFkICAgPSBw dF9jbWRfcmVnX3JlYWQsCisgICAgICAgIC51LncucmVhZCAgID0gcHRfd29y ZF9yZWdfcmVhZCwKICAgICAgICAgLnUudy53cml0ZSAgPSBwdF9jbWRfcmVn X3dyaXRlLAogICAgICAgICAudS53LnJlc3RvcmUgID0gcHRfY21kX3JlZ19y ZXN0b3JlLAogICAgIH0sCkBAIC0xOTA1LDcgKzE5MDIsNyBAQCBzdGF0aWMg aW50IHB0X2Rldl9pc192aXJ0Zm4oc3RydWN0IHBjaV9kCiAgICAgcmV0dXJu IHJjOwogfQogCi1zdGF0aWMgaW50IHB0X3JlZ2lzdGVyX3JlZ2lvbnMoc3Ry dWN0IHB0X2RldiAqYXNzaWduZWRfZGV2aWNlKQorc3RhdGljIGludCBwdF9y ZWdpc3Rlcl9yZWdpb25zKHN0cnVjdCBwdF9kZXYgKmFzc2lnbmVkX2Rldmlj ZSwgdWludDE2X3QgKmNtZCkKIHsKICAgICBpbnQgaSA9IDA7CiAgICAgdWlu dDMyX3QgYmFyX2RhdGEgPSAwOwpAQCAtMTkyNSwxNyArMTkyMiwyNiBAQCBz dGF0aWMgaW50IHB0X3JlZ2lzdGVyX3JlZ2lvbnMoc3RydWN0IHB0CiAKICAg ICAgICAgICAgIC8qIFJlZ2lzdGVyIGN1cnJlbnQgcmVnaW9uICovCiAgICAg ICAgICAgICBpZiAoIHBjaV9kZXYtPmJhc2VfYWRkcltpXSAmIFBDSV9BRERS RVNTX1NQQUNFX0lPICkKKyAgICAgICAgICAgIHsKICAgICAgICAgICAgICAg ICBwY2lfcmVnaXN0ZXJfaW9fcmVnaW9uKChQQ0lEZXZpY2UgKilhc3NpZ25l ZF9kZXZpY2UsIGksCiAgICAgICAgICAgICAgICAgICAgICh1aW50MzJfdClw Y2lfZGV2LT5zaXplW2ldLCBQQ0lfQUREUkVTU19TUEFDRV9JTywKICAgICAg ICAgICAgICAgICAgICAgcHRfaW9wb3J0X21hcCk7CisgICAgICAgICAgICAg ICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9JTzsKKyAgICAgICAgICAgIH0KICAg ICAgICAgICAgIGVsc2UgaWYgKCBwY2lfZGV2LT5iYXNlX2FkZHJbaV0gJiBQ Q0lfQUREUkVTU19TUEFDRV9NRU1fUFJFRkVUQ0ggKQorICAgICAgICAgICAg ewogICAgICAgICAgICAgICAgIHBjaV9yZWdpc3Rlcl9pb19yZWdpb24oKFBD SURldmljZSAqKWFzc2lnbmVkX2RldmljZSwgaSwKICAgICAgICAgICAgICAg ICAgICAgKHVpbnQzMl90KXBjaV9kZXYtPnNpemVbaV0sIFBDSV9BRERSRVNT X1NQQUNFX01FTV9QUkVGRVRDSCwKICAgICAgICAgICAgICAgICAgICAgcHRf aW9tZW1fbWFwKTsKKyAgICAgICAgICAgICAgICAqY21kIHw9IFBDSV9DT01N QU5EX01FTU9SWTsKKyAgICAgICAgICAgIH0KICAgICAgICAgICAgIGVsc2UK KyAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBwY2lfcmVnaXN0ZXJf aW9fcmVnaW9uKChQQ0lEZXZpY2UgKilhc3NpZ25lZF9kZXZpY2UsIGksCiAg ICAgICAgICAgICAgICAgICAgICh1aW50MzJfdClwY2lfZGV2LT5zaXplW2ld LCBQQ0lfQUREUkVTU19TUEFDRV9NRU0sCiAgICAgICAgICAgICAgICAgICAg IHB0X2lvbWVtX21hcCk7CisgICAgICAgICAgICAgICAgKmNtZCB8PSBQQ0lf Q09NTUFORF9NRU1PUlk7CisgICAgICAgICAgICB9CiAKICAgICAgICAgICAg IFBUX0xPRygiSU8gcmVnaW9uIHJlZ2lzdGVyZWQgKHNpemU9MHglMDh4IGJh c2VfYWRkcj0weCUwOHgpXG4iLAogICAgICAgICAgICAgICAgICh1aW50MzJf dCkocGNpX2Rldi0+c2l6ZVtpXSksCkBAIC0zMjYzLDI3ICszMjY5LDYgQEAg c3RhdGljIGludCBwdF9sb25nX3JlZ19yZWFkKHN0cnVjdCBwdF9kZQogICAg cmV0dXJuIDA7CiB9CiAKLS8qIHJlYWQgQ29tbWFuZCByZWdpc3RlciAqLwot c3RhdGljIGludCBwdF9jbWRfcmVnX3JlYWQoc3RydWN0IHB0X2RldiAqcHRk ZXYsCi0gICAgICAgIHN0cnVjdCBwdF9yZWdfdGJsICpjZmdfZW50cnksCi0g ICAgICAgIHVpbnQxNl90ICp2YWx1ZSwgdWludDE2X3QgdmFsaWRfbWFzaykK LXsKLSAgICBzdHJ1Y3QgcHRfcmVnX2luZm9fdGJsICpyZWcgPSBjZmdfZW50 cnktPnJlZzsKLSAgICB1aW50MTZfdCB2YWxpZF9lbXVfbWFzayA9IDA7Ci0g ICAgdWludDE2X3QgZW11X21hc2sgPSByZWctPmVtdV9tYXNrOwotCi0gICAg aWYgKCBwdGRldi0+aXNfdmlydGZuICkKLSAgICAgICAgZW11X21hc2sgfD0g UENJX0NPTU1BTkRfTUVNT1JZOwotICAgIGlmICggcHRfaXNfaW9tdWwocHRk ZXYpICkKLSAgICAgICAgZW11X21hc2sgfD0gUENJX0NPTU1BTkRfSU87Ci0K LSAgICAvKiBlbXVsYXRlIHdvcmQgcmVnaXN0ZXIgKi8KLSAgICB2YWxpZF9l bXVfbWFzayA9IGVtdV9tYXNrICYgdmFsaWRfbWFzazsKLSAgICAqdmFsdWUg PSBQVF9NRVJHRV9WQUxVRSgqdmFsdWUsIGNmZ19lbnRyeS0+ZGF0YSwgfnZh bGlkX2VtdV9tYXNrKTsKLQotICAgIHJldHVybiAwOwotfQotCiAvKiByZWFk IEJBUiAqLwogc3RhdGljIGludCBwdF9iYXJfcmVnX3JlYWQoc3RydWN0IHB0 X2RldiAqcHRkZXYsCiAgICAgICAgIHN0cnVjdCBwdF9yZWdfdGJsICpjZmdf ZW50cnksCkBAIC0zNDE4LDE5ICszNDAzLDEzIEBAIHN0YXRpYyBpbnQgcHRf Y21kX3JlZ193cml0ZShzdHJ1Y3QgcHRfZGUKICAgICB1aW50MTZfdCB3cml0 YWJsZV9tYXNrID0gMDsKICAgICB1aW50MTZfdCB0aHJvdWdoYWJsZV9tYXNr ID0gMDsKICAgICB1aW50MTZfdCB3cl92YWx1ZSA9ICp2YWx1ZTsKLSAgICB1 aW50MTZfdCBlbXVfbWFzayA9IHJlZy0+ZW11X21hc2s7Ci0KLSAgICBpZiAo IHB0ZGV2LT5pc192aXJ0Zm4gKQotICAgICAgICBlbXVfbWFzayB8PSBQQ0lf Q09NTUFORF9NRU1PUlk7Ci0gICAgaWYgKCBwdF9pc19pb211bChwdGRldikg KQotICAgICAgICBlbXVfbWFzayB8PSBQQ0lfQ09NTUFORF9JTzsKIAogICAg IC8qIG1vZGlmeSBlbXVsYXRlIHJlZ2lzdGVyICovCiAgICAgd3JpdGFibGVf bWFzayA9IH5yZWctPnJvX21hc2sgJiB2YWxpZF9tYXNrOwogICAgIGNmZ19l bnRyeS0+ZGF0YSA9IFBUX01FUkdFX1ZBTFVFKCp2YWx1ZSwgY2ZnX2VudHJ5 LT5kYXRhLCB3cml0YWJsZV9tYXNrKTsKIAogICAgIC8qIGNyZWF0ZSB2YWx1 ZSBmb3Igd3JpdGluZyB0byBJL08gZGV2aWNlIHJlZ2lzdGVyICovCi0gICAg dGhyb3VnaGFibGVfbWFzayA9IH5lbXVfbWFzayAmIHZhbGlkX21hc2s7Cisg ICAgdGhyb3VnaGFibGVfbWFzayA9IH5yZWctPmVtdV9tYXNrICYgdmFsaWRf bWFzazsKIAogICAgIGlmICgqdmFsdWUgJiBQQ0lfQ09NTUFORF9ESVNBQkxF X0lOVHgpCiAgICAgewpAQCAtNDIxMSw2ICs0MTkwLDcgQEAgc3RhdGljIHN0 cnVjdCBwdF9kZXYgKiByZWdpc3Rlcl9yZWFsX2RldgogICAgIHN0cnVjdCBw dF9kZXYgKmFzc2lnbmVkX2RldmljZSA9IE5VTEw7CiAgICAgc3RydWN0IHBj aV9kZXYgKnBjaV9kZXY7CiAgICAgdWludDhfdCBlX2RldmljZSwgZV9pbnR4 OworICAgIHVpbnQxNl90IGNtZCA9IDA7CiAgICAgY2hhciAqa2V5LCAqdmFs OwogICAgIGludCBtc2lfdHJhbnNsYXRlLCBwb3dlcl9tZ210OwogCkBAIC00 MzAwLDcgKzQyODAsNyBAQCBzdGF0aWMgc3RydWN0IHB0X2RldiAqIHJlZ2lz dGVyX3JlYWxfZGV2CiAgICAgICAgIGFzc2lnbmVkX2RldmljZS0+ZGV2LmNv bmZpZ1tpXSA9IHBjaV9yZWFkX2J5dGUocGNpX2RldiwgaSk7CiAKICAgICAv KiBIYW5kbGUgcmVhbCBkZXZpY2UncyBNTUlPL1BJTyBCQVJzICovCi0gICAg cHRfcmVnaXN0ZXJfcmVnaW9ucyhhc3NpZ25lZF9kZXZpY2UpOworICAgIHB0 X3JlZ2lzdGVyX3JlZ2lvbnMoYXNzaWduZWRfZGV2aWNlLCAmY21kKTsKIAog ICAgIC8qIFNldHVwIFZHQSBiaW9zIGZvciBwYXNzdGhyb3VnaGVkIGdmeCAq LwogICAgIGlmICggc2V0dXBfdmdhX3B0KGFzc2lnbmVkX2RldmljZSkgPCAw ICkKQEAgLTQzNzgsNiArNDM1OCwxMCBAQCBzdGF0aWMgc3RydWN0IHB0X2Rl diAqIHJlZ2lzdGVyX3JlYWxfZGV2CiAgICAgfQogCiBvdXQ6CisgICAgaWYg KGNtZCkKKyAgICAgICAgcGNpX3dyaXRlX3dvcmQocGNpX2RldiwgUENJX0NP TU1BTkQsCisgICAgICAgICAgICAqKHVpbnQxNl90ICopKCZhc3NpZ25lZF9k ZXZpY2UtPmRldi5jb25maWdbUENJX0NPTU1BTkRdKSB8IGNtZCk7CisKICAg ICBQVF9MT0coIlJlYWwgcGh5c2ljYWwgZGV2aWNlICUwMng6JTAyeC4leCBy ZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxuIgogICAgICAgICAgICAiSVJRIHR5 cGUgPSAlc1xuIiwgcl9idXMsIHJfZGV2LCByX2Z1bmMsCiAgICAgICAgICAg IGFzc2lnbmVkX2RldmljZS0+bXNpX3RyYW5zX2VuPyAiTVNJLUlOVHgiOiJJ TlR4Iik7Cg== --=separator Content-Type: application/octet-stream; name="xsa126-qemuu-4.3-incr.patch" Content-Disposition: attachment; filename="xsa126-qemuu-4.3-incr.patch" Content-Transfer-Encoding: base64 eGVuOiBlbmFibGUgbWVtb3J5IGFuZCBJL08gZGVjb2RpbmcgYmVmb3JlIHBh c3NpbmcgUENJIGRldmljZSB0byBndWVzdAoKT3RoZXJ3aXNlLCB3aXRoIHYx IG9mIHRoZSBYU0EtMTI2IGZpeCBpbiBwbGFjZSwgbm90aGluZyB3aWxsIGRv IHRoaXMsCmxlYXZpbmcgdGhlIGRldmljZSB1bnVzYWJsZSBleGNlcHQgZm9y IG1hbGljaW91cyBwdXJwb3Nlcy4KClRoaXMgaXMgcGFydCBvZiBDVkUtMjAx NS0yNzU2IC8gWFNBLTEyNi4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNo IDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8 aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94ZW5fcHQuYwor KysgYi9ody94ZW5fcHQuYwpAQCAtMzg4LDcgKzM4OCw3IEBAIHN0YXRpYyBj b25zdCBNZW1vcnlSZWdpb25PcHMgb3BzID0gewogICAgIC53cml0ZSA9IHhl bl9wdF9iYXJfd3JpdGUsCiB9OwogCi1zdGF0aWMgaW50IHhlbl9wdF9yZWdp c3Rlcl9yZWdpb25zKFhlblBDSVBhc3N0aHJvdWdoU3RhdGUgKnMpCitzdGF0 aWMgaW50IHhlbl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDSVBhc3N0aHJv dWdoU3RhdGUgKnMsIHVpbnQxNl90ICpjbWQpCiB7CiAgICAgaW50IGkgPSAw OwogICAgIFhlbkhvc3RQQ0lEZXZpY2UgKmQgPSAmcy0+cmVhbF9kZXZpY2U7 CkBAIC00MDYsNiArNDA2LDcgQEAgc3RhdGljIGludCB4ZW5fcHRfcmVnaXN0 ZXJfcmVnaW9ucyhYZW5QQwogCiAgICAgICAgIGlmIChyLT50eXBlICYgWEVO X0hPU1RfUENJX1JFR0lPTl9UWVBFX0lPKSB7CiAgICAgICAgICAgICB0eXBl ID0gUENJX0JBU0VfQUREUkVTU19TUEFDRV9JTzsKKyAgICAgICAgICAgICpj bWQgfD0gUENJX0NPTU1BTkRfSU87CiAgICAgICAgIH0gZWxzZSB7CiAgICAg ICAgICAgICB0eXBlID0gUENJX0JBU0VfQUREUkVTU19TUEFDRV9NRU1PUlk7 CiAgICAgICAgICAgICBpZiAoci0+dHlwZSAmIFhFTl9IT1NUX1BDSV9SRUdJ T05fVFlQRV9QUkVGRVRDSCkgewpAQCAtNDE0LDYgKzQxNSw3IEBAIHN0YXRp YyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUEMKICAgICAgICAg ICAgIGlmIChyLT50eXBlICYgWEVOX0hPU1RfUENJX1JFR0lPTl9UWVBFX01F TV82NCkgewogICAgICAgICAgICAgICAgIHR5cGUgfD0gUENJX0JBU0VfQURE UkVTU19NRU1fVFlQRV82NDsKICAgICAgICAgICAgIH0KKyAgICAgICAgICAg ICpjbWQgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwogICAgICAgICB9CiAKICAg ICAgICAgbWVtb3J5X3JlZ2lvbl9pbml0X2lvKCZzLT5iYXJbaV0sICZvcHMs ICZzLT5kZXYsCkBAIC02NTIsNiArNjU0LDcgQEAgc3RhdGljIGludCB4ZW5f cHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICBYZW5QQ0lQYXNzdGhyb3Vn aFN0YXRlICpzID0gRE9fVVBDQVNUKFhlblBDSVBhc3N0aHJvdWdoU3RhdGUs IGRldiwgZCk7CiAgICAgaW50IHJjID0gMDsKICAgICB1aW50OF90IG1hY2hp bmVfaXJxID0gMDsKKyAgICB1aW50MTZfdCBjbWQgPSAwOwogICAgIGludCBw aXJxID0gWEVOX1BUX1VOQVNTSUdORURfUElSUTsKIAogICAgIC8qIHJlZ2lz dGVyIHJlYWwgZGV2aWNlICovCkBAIC02ODYsNyArNjg5LDcgQEAgc3RhdGlj IGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICBzLT5pb19s aXN0ZW5lciA9IHhlbl9wdF9pb19saXN0ZW5lcjsKIAogICAgIC8qIEhhbmRs ZSByZWFsIGRldmljZSdzIE1NSU8vUElPIEJBUnMgKi8KLSAgICB4ZW5fcHRf cmVnaXN0ZXJfcmVnaW9ucyhzKTsKKyAgICB4ZW5fcHRfcmVnaXN0ZXJfcmVn aW9ucyhzLCAmY21kKTsKIAogICAgIC8qIHJlaW5pdGlhbGl6ZSBlYWNoIGNv bmZpZyByZWdpc3RlciB0byBiZSBlbXVsYXRlZCAqLwogICAgIGlmICh4ZW5f cHRfY29uZmlnX2luaXQocykpIHsKQEAgLTc1MCw2ICs3NTMsMTEgQEAgc3Rh dGljIGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICB9CiAK IG91dDoKKyAgICBpZiAoY21kKSB7CisgICAgICAgIHhlbl9ob3N0X3BjaV9z ZXRfd29yZCgmcy0+cmVhbF9kZXZpY2UsIFBDSV9DT01NQU5ELAorICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgcGNpX2dldF93b3JkKGQtPmNvbmZp ZyArIFBDSV9DT01NQU5EKSB8IGNtZCk7CisgICAgfQorCiAgICAgbWVtb3J5 X2xpc3RlbmVyX3JlZ2lzdGVyKCZzLT5tZW1vcnlfbGlzdGVuZXIsICZhZGRy ZXNzX3NwYWNlX21lbW9yeSk7CiAgICAgbWVtb3J5X2xpc3RlbmVyX3JlZ2lz dGVyKCZzLT5pb19saXN0ZW5lciwgJmFkZHJlc3Nfc3BhY2VfaW8pOwogICAg IFhFTl9QVF9MT0coZCwgIlJlYWwgcGh5c2ljYWwgZGV2aWNlICUwMng6JTAy eC4lZCByZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxuIiwK --=separator Content-Type: application/octet-stream; name="xsa126-qemuu-4.3.patch" Content-Disposition: attachment; filename="xsa126-qemuu-4.3.patch" Content-Transfer-Encoding: base64 eGVuOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIFBDSSBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTI3NTYgLyBYU0Et MTI2LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVm YW5vLnN0YWJlbGxpbmlAZXUuY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94 ZW5fcHQuYworKysgYi9ody94ZW5fcHQuYwpAQCAtMzg4LDcgKzM4OCw3IEBA IHN0YXRpYyBjb25zdCBNZW1vcnlSZWdpb25PcHMgb3BzID0gewogICAgIC53 cml0ZSA9IHhlbl9wdF9iYXJfd3JpdGUsCiB9OwogCi1zdGF0aWMgaW50IHhl bl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDSVBhc3N0aHJvdWdoU3RhdGUg KnMpCitzdGF0aWMgaW50IHhlbl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBD SVBhc3N0aHJvdWdoU3RhdGUgKnMsIHVpbnQxNl90ICpjbWQpCiB7CiAgICAg aW50IGkgPSAwOwogICAgIFhlbkhvc3RQQ0lEZXZpY2UgKmQgPSAmcy0+cmVh bF9kZXZpY2U7CkBAIC00MDYsNiArNDA2LDcgQEAgc3RhdGljIGludCB4ZW5f cHRfcmVnaXN0ZXJfcmVnaW9ucyhYZW5QQwogCiAgICAgICAgIGlmIChyLT50 eXBlICYgWEVOX0hPU1RfUENJX1JFR0lPTl9UWVBFX0lPKSB7CiAgICAgICAg ICAgICB0eXBlID0gUENJX0JBU0VfQUREUkVTU19TUEFDRV9JTzsKKyAgICAg ICAgICAgICpjbWQgfD0gUENJX0NPTU1BTkRfSU87CiAgICAgICAgIH0gZWxz ZSB7CiAgICAgICAgICAgICB0eXBlID0gUENJX0JBU0VfQUREUkVTU19TUEFD RV9NRU1PUlk7CiAgICAgICAgICAgICBpZiAoci0+dHlwZSAmIFhFTl9IT1NU X1BDSV9SRUdJT05fVFlQRV9QUkVGRVRDSCkgewpAQCAtNDE0LDYgKzQxNSw3 IEBAIHN0YXRpYyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUEMK ICAgICAgICAgICAgIGlmIChyLT50eXBlICYgWEVOX0hPU1RfUENJX1JFR0lP Tl9UWVBFX01FTV82NCkgewogICAgICAgICAgICAgICAgIHR5cGUgfD0gUENJ X0JBU0VfQUREUkVTU19NRU1fVFlQRV82NDsKICAgICAgICAgICAgIH0KKyAg ICAgICAgICAgICpjbWQgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwogICAgICAg ICB9CiAKICAgICAgICAgbWVtb3J5X3JlZ2lvbl9pbml0X2lvKCZzLT5iYXJb aV0sICZvcHMsICZzLT5kZXYsCkBAIC02NTIsNiArNjU0LDcgQEAgc3RhdGlj IGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICBYZW5QQ0lQ YXNzdGhyb3VnaFN0YXRlICpzID0gRE9fVVBDQVNUKFhlblBDSVBhc3N0aHJv dWdoU3RhdGUsIGRldiwgZCk7CiAgICAgaW50IHJjID0gMDsKICAgICB1aW50 OF90IG1hY2hpbmVfaXJxID0gMDsKKyAgICB1aW50MTZfdCBjbWQgPSAwOwog ICAgIGludCBwaXJxID0gWEVOX1BUX1VOQVNTSUdORURfUElSUTsKIAogICAg IC8qIHJlZ2lzdGVyIHJlYWwgZGV2aWNlICovCkBAIC02ODYsNyArNjg5LDcg QEAgc3RhdGljIGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAg ICBzLT5pb19saXN0ZW5lciA9IHhlbl9wdF9pb19saXN0ZW5lcjsKIAogICAg IC8qIEhhbmRsZSByZWFsIGRldmljZSdzIE1NSU8vUElPIEJBUnMgKi8KLSAg ICB4ZW5fcHRfcmVnaXN0ZXJfcmVnaW9ucyhzKTsKKyAgICB4ZW5fcHRfcmVn aXN0ZXJfcmVnaW9ucyhzLCAmY21kKTsKIAogICAgIC8qIHJlaW5pdGlhbGl6 ZSBlYWNoIGNvbmZpZyByZWdpc3RlciB0byBiZSBlbXVsYXRlZCAqLwogICAg IGlmICh4ZW5fcHRfY29uZmlnX2luaXQocykpIHsKQEAgLTc1MCw2ICs3NTMs MTEgQEAgc3RhdGljIGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkK ICAgICB9CiAKIG91dDoKKyAgICBpZiAoY21kKSB7CisgICAgICAgIHhlbl9o b3N0X3BjaV9zZXRfd29yZCgmcy0+cmVhbF9kZXZpY2UsIFBDSV9DT01NQU5E LAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcGNpX2dldF93b3Jk KGQtPmNvbmZpZyArIFBDSV9DT01NQU5EKSB8IGNtZCk7CisgICAgfQorCiAg ICAgbWVtb3J5X2xpc3RlbmVyX3JlZ2lzdGVyKCZzLT5tZW1vcnlfbGlzdGVu ZXIsICZhZGRyZXNzX3NwYWNlX21lbW9yeSk7CiAgICAgbWVtb3J5X2xpc3Rl bmVyX3JlZ2lzdGVyKCZzLT5pb19saXN0ZW5lciwgJmFkZHJlc3Nfc3BhY2Vf aW8pOwogICAgIFhFTl9QVF9MT0coZCwgIlJlYWwgcGh5c2ljYWwgZGV2aWNl ICUwMng6JTAyeC4lZCByZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxuIiwKLS0t IGEvaHcveGVuX3B0X2NvbmZpZ19pbml0LmMKKysrIGIvaHcveGVuX3B0X2Nv bmZpZ19pbml0LmMKQEAgLTI4NiwyMyArMjg2LDYgQEAgc3RhdGljIGludCB4 ZW5fcHRfaXJxcGluX3JlZ19pbml0KFhlblBDSQogfQogCiAvKiBDb21tYW5k IHJlZ2lzdGVyICovCi1zdGF0aWMgaW50IHhlbl9wdF9jbWRfcmVnX3JlYWQo WGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcywgWGVuUFRSZWcgKmNmZ19lbnRy eSwKLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1aW50MTZfdCAq dmFsdWUsIHVpbnQxNl90IHZhbGlkX21hc2spCi17Ci0gICAgWGVuUFRSZWdJ bmZvICpyZWcgPSBjZmdfZW50cnktPnJlZzsKLSAgICB1aW50MTZfdCB2YWxp ZF9lbXVfbWFzayA9IDA7Ci0gICAgdWludDE2X3QgZW11X21hc2sgPSByZWct PmVtdV9tYXNrOwotCi0gICAgaWYgKHMtPmlzX3ZpcnRmbikgewotICAgICAg ICBlbXVfbWFzayB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7Ci0gICAgfQotCi0g ICAgLyogZW11bGF0ZSB3b3JkIHJlZ2lzdGVyICovCi0gICAgdmFsaWRfZW11 X21hc2sgPSBlbXVfbWFzayAmIHZhbGlkX21hc2s7Ci0gICAgKnZhbHVlID0g WEVOX1BUX01FUkdFX1ZBTFVFKCp2YWx1ZSwgY2ZnX2VudHJ5LT5kYXRhLCB+ dmFsaWRfZW11X21hc2spOwotCi0gICAgcmV0dXJuIDA7Ci19CiBzdGF0aWMg aW50IHhlbl9wdF9jbWRfcmVnX3dyaXRlKFhlblBDSVBhc3N0aHJvdWdoU3Rh dGUgKnMsIFhlblBUUmVnICpjZmdfZW50cnksCiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIHVpbnQxNl90ICp2YWwsIHVpbnQxNl90IGRldl92 YWx1ZSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdWludDE2 X3QgdmFsaWRfbWFzaykKQEAgLTMxMCwxOCArMjkzLDEzIEBAIHN0YXRpYyBp bnQgeGVuX3B0X2NtZF9yZWdfd3JpdGUoWGVuUENJUGEKICAgICBYZW5QVFJl Z0luZm8gKnJlZyA9IGNmZ19lbnRyeS0+cmVnOwogICAgIHVpbnQxNl90IHdy aXRhYmxlX21hc2sgPSAwOwogICAgIHVpbnQxNl90IHRocm91Z2hhYmxlX21h c2sgPSAwOwotICAgIHVpbnQxNl90IGVtdV9tYXNrID0gcmVnLT5lbXVfbWFz azsKLQotICAgIGlmIChzLT5pc192aXJ0Zm4pIHsKLSAgICAgICAgZW11X21h c2sgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwotICAgIH0KIAogICAgIC8qIG1v ZGlmeSBlbXVsYXRlIHJlZ2lzdGVyICovCiAgICAgd3JpdGFibGVfbWFzayA9 IH5yZWctPnJvX21hc2sgJiB2YWxpZF9tYXNrOwogICAgIGNmZ19lbnRyeS0+ ZGF0YSA9IFhFTl9QVF9NRVJHRV9WQUxVRSgqdmFsLCBjZmdfZW50cnktPmRh dGEsIHdyaXRhYmxlX21hc2spOwogCiAgICAgLyogY3JlYXRlIHZhbHVlIGZv ciB3cml0aW5nIHRvIEkvTyBkZXZpY2UgcmVnaXN0ZXIgKi8KLSAgICB0aHJv dWdoYWJsZV9tYXNrID0gfmVtdV9tYXNrICYgdmFsaWRfbWFzazsKKyAgICB0 aHJvdWdoYWJsZV9tYXNrID0gfnJlZy0+ZW11X21hc2sgJiB2YWxpZF9tYXNr OwogCiAgICAgaWYgKCp2YWwgJiBQQ0lfQ09NTUFORF9JTlRYX0RJU0FCTEUp IHsKICAgICAgICAgdGhyb3VnaGFibGVfbWFzayB8PSBQQ0lfQ09NTUFORF9J TlRYX0RJU0FCTEU7CkBAIC02MDUsOSArNTgzLDkgQEAgc3RhdGljIFhlblBU UmVnSW5mbyB4ZW5fcHRfZW11X3JlZ19oZWFkZQogICAgICAgICAuc2l6ZSAg ICAgICA9IDIsCiAgICAgICAgIC5pbml0X3ZhbCAgID0gMHgwMDAwLAogICAg ICAgICAucm9fbWFzayAgICA9IDB4Rjg4MCwKLSAgICAgICAgLmVtdV9tYXNr ICAgPSAweDA3NDAsCisgICAgICAgIC5lbXVfbWFzayAgID0gMHgwNzQzLAog ICAgICAgICAuaW5pdCAgICAgICA9IHhlbl9wdF9jb21tb25fcmVnX2luaXQs Ci0gICAgICAgIC51LncucmVhZCAgID0geGVuX3B0X2NtZF9yZWdfcmVhZCwK KyAgICAgICAgLnUudy5yZWFkICAgPSB4ZW5fcHRfd29yZF9yZWdfcmVhZCwK ICAgICAgICAgLnUudy53cml0ZSAgPSB4ZW5fcHRfY21kX3JlZ193cml0ZSwK ICAgICB9LAogICAgIC8qIENhcGFiaWxpdGllcyBQb2ludGVyIHJlZyAqLwo= --=separator Content-Type: application/octet-stream; name="xsa126-qemuu-incr.patch" Content-Disposition: attachment; filename="xsa126-qemuu-incr.patch" Content-Transfer-Encoding: base64 eGVuOiBlbmFibGUgbWVtb3J5IGFuZCBJL08gZGVjb2RpbmcgYmVmb3JlIHBh c3NpbmcgUENJIGRldmljZSB0byBndWVzdAoKT3RoZXJ3aXNlLCB3aXRoIHYx IG9mIHRoZSBYU0EtMTI2IGZpeCBpbiBwbGFjZSwgbm90aGluZyB3aWxsIGRv IHRoaXMsCmxlYXZpbmcgdGhlIGRldmljZSB1bnVzYWJsZSBleGNlcHQgZm9y IG1hbGljaW91cyBwdXJwb3Nlcy4KClRoaXMgaXMgcGFydCBvZiBDVkUtMjAx NS0yNzU2IC8gWFNBLTEyNi4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNo IDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8 aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94ZW4veGVuX3B0 LmMKKysrIGIvaHcveGVuL3hlbl9wdC5jCkBAIC0zODgsNyArMzg4LDcgQEAg c3RhdGljIGNvbnN0IE1lbW9yeVJlZ2lvbk9wcyBvcHMgPSB7CiAgICAgLndy aXRlID0geGVuX3B0X2Jhcl93cml0ZSwKIH07CiAKLXN0YXRpYyBpbnQgeGVu X3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAq cykKK3N0YXRpYyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUENJ UGFzc3Rocm91Z2hTdGF0ZSAqcywgdWludDE2X3QgKmNtZCkKIHsKICAgICBp bnQgaSA9IDA7CiAgICAgWGVuSG9zdFBDSURldmljZSAqZCA9ICZzLT5yZWFs X2RldmljZTsKQEAgLTQwNiw2ICs0MDYsNyBAQCBzdGF0aWMgaW50IHhlbl9w dF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDCiAKICAgICAgICAgaWYgKHItPnR5 cGUgJiBYRU5fSE9TVF9QQ0lfUkVHSU9OX1RZUEVfSU8pIHsKICAgICAgICAg ICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERSRVNTX1NQQUNFX0lPOworICAgICAg ICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9JTzsKICAgICAgICAgfSBlbHNl IHsKICAgICAgICAgICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERSRVNTX1NQQUNF X01FTU9SWTsKICAgICAgICAgICAgIGlmIChyLT50eXBlICYgWEVOX0hPU1Rf UENJX1JFR0lPTl9UWVBFX1BSRUZFVENIKSB7CkBAIC00MTQsNiArNDE1LDcg QEAgc3RhdGljIGludCB4ZW5fcHRfcmVnaXN0ZXJfcmVnaW9ucyhYZW5QQwog ICAgICAgICAgICAgaWYgKHItPnR5cGUgJiBYRU5fSE9TVF9QQ0lfUkVHSU9O X1RZUEVfTUVNXzY0KSB7CiAgICAgICAgICAgICAgICAgdHlwZSB8PSBQQ0lf QkFTRV9BRERSRVNTX01FTV9UWVBFXzY0OwogICAgICAgICAgICAgfQorICAg ICAgICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7CiAgICAgICAg IH0KIAogICAgICAgICBtZW1vcnlfcmVnaW9uX2luaXRfaW8oJnMtPmJhcltp XSwgT0JKRUNUKHMpLCAmb3BzLCAmcy0+ZGV2LApAQCAtNjM4LDYgKzY0MCw3 IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lEZXZpY2UgKmQpCiAg ICAgWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcyA9IERPX1VQQ0FTVChYZW5Q Q0lQYXNzdGhyb3VnaFN0YXRlLCBkZXYsIGQpOwogICAgIGludCByYyA9IDA7 CiAgICAgdWludDhfdCBtYWNoaW5lX2lycSA9IDA7CisgICAgdWludDE2X3Qg Y21kID0gMDsKICAgICBpbnQgcGlycSA9IFhFTl9QVF9VTkFTU0lHTkVEX1BJ UlE7CiAKICAgICAvKiByZWdpc3RlciByZWFsIGRldmljZSAqLwpAQCAtNjcy LDcgKzY3NSw3IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lEZXZp Y2UgKmQpCiAgICAgcy0+aW9fbGlzdGVuZXIgPSB4ZW5fcHRfaW9fbGlzdGVu ZXI7CiAKICAgICAvKiBIYW5kbGUgcmVhbCBkZXZpY2UncyBNTUlPL1BJTyBC QVJzICovCi0gICAgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMocyk7CisgICAg eGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMocywgJmNtZCk7CiAKICAgICAvKiBy ZWluaXRpYWxpemUgZWFjaCBjb25maWcgcmVnaXN0ZXIgdG8gYmUgZW11bGF0 ZWQgKi8KICAgICBpZiAoeGVuX3B0X2NvbmZpZ19pbml0KHMpKSB7CkBAIC03 MzYsNiArNzM5LDExIEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lE ZXZpY2UgKmQpCiAgICAgfQogCiBvdXQ6CisgICAgaWYgKGNtZCkgeworICAg ICAgICB4ZW5faG9zdF9wY2lfc2V0X3dvcmQoJnMtPnJlYWxfZGV2aWNlLCBQ Q0lfQ09NTUFORCwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBj aV9nZXRfd29yZChkLT5jb25maWcgKyBQQ0lfQ09NTUFORCkgfCBjbWQpOwor ICAgIH0KKwogICAgIG1lbW9yeV9saXN0ZW5lcl9yZWdpc3Rlcigmcy0+bWVt b3J5X2xpc3RlbmVyLCAmYWRkcmVzc19zcGFjZV9tZW1vcnkpOwogICAgIG1l bW9yeV9saXN0ZW5lcl9yZWdpc3Rlcigmcy0+aW9fbGlzdGVuZXIsICZhZGRy ZXNzX3NwYWNlX2lvKTsKICAgICBYRU5fUFRfTE9HKGQsCg== --=separator Content-Type: application/octet-stream; name="xsa126-qemuu.patch" Content-Disposition: attachment; filename="xsa126-qemuu.patch" Content-Transfer-Encoding: base64 eGVuOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIFBDSSBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTI3NTYgLyBYU0Et MTI2LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVm YW5vLnN0YWJlbGxpbmlAZXUuY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94 ZW4veGVuX3B0LmMKKysrIGIvaHcveGVuL3hlbl9wdC5jCkBAIC0zODgsNyAr Mzg4LDcgQEAgc3RhdGljIGNvbnN0IE1lbW9yeVJlZ2lvbk9wcyBvcHMgPSB7 CiAgICAgLndyaXRlID0geGVuX3B0X2Jhcl93cml0ZSwKIH07CiAKLXN0YXRp YyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUENJUGFzc3Rocm91 Z2hTdGF0ZSAqcykKK3N0YXRpYyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lv bnMoWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcywgdWludDE2X3QgKmNtZCkK IHsKICAgICBpbnQgaSA9IDA7CiAgICAgWGVuSG9zdFBDSURldmljZSAqZCA9 ICZzLT5yZWFsX2RldmljZTsKQEAgLTQwNiw2ICs0MDYsNyBAQCBzdGF0aWMg aW50IHhlbl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDCiAKICAgICAgICAg aWYgKHItPnR5cGUgJiBYRU5fSE9TVF9QQ0lfUkVHSU9OX1RZUEVfSU8pIHsK ICAgICAgICAgICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERSRVNTX1NQQUNFX0lP OworICAgICAgICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9JTzsKICAgICAg ICAgfSBlbHNlIHsKICAgICAgICAgICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERS RVNTX1NQQUNFX01FTU9SWTsKICAgICAgICAgICAgIGlmIChyLT50eXBlICYg WEVOX0hPU1RfUENJX1JFR0lPTl9UWVBFX1BSRUZFVENIKSB7CkBAIC00MTQs NiArNDE1LDcgQEAgc3RhdGljIGludCB4ZW5fcHRfcmVnaXN0ZXJfcmVnaW9u cyhYZW5QQwogICAgICAgICAgICAgaWYgKHItPnR5cGUgJiBYRU5fSE9TVF9Q Q0lfUkVHSU9OX1RZUEVfTUVNXzY0KSB7CiAgICAgICAgICAgICAgICAgdHlw ZSB8PSBQQ0lfQkFTRV9BRERSRVNTX01FTV9UWVBFXzY0OwogICAgICAgICAg ICAgfQorICAgICAgICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7 CiAgICAgICAgIH0KIAogICAgICAgICBtZW1vcnlfcmVnaW9uX2luaXRfaW8o JnMtPmJhcltpXSwgT0JKRUNUKHMpLCAmb3BzLCAmcy0+ZGV2LApAQCAtNjM4 LDYgKzY0MCw3IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lEZXZp Y2UgKmQpCiAgICAgWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcyA9IERPX1VQ Q0FTVChYZW5QQ0lQYXNzdGhyb3VnaFN0YXRlLCBkZXYsIGQpOwogICAgIGlu dCByYyA9IDA7CiAgICAgdWludDhfdCBtYWNoaW5lX2lycSA9IDA7CisgICAg dWludDE2X3QgY21kID0gMDsKICAgICBpbnQgcGlycSA9IFhFTl9QVF9VTkFT U0lHTkVEX1BJUlE7CiAKICAgICAvKiByZWdpc3RlciByZWFsIGRldmljZSAq LwpAQCAtNjcyLDcgKzY3NSw3IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRm bihQQ0lEZXZpY2UgKmQpCiAgICAgcy0+aW9fbGlzdGVuZXIgPSB4ZW5fcHRf aW9fbGlzdGVuZXI7CiAKICAgICAvKiBIYW5kbGUgcmVhbCBkZXZpY2UncyBN TUlPL1BJTyBCQVJzICovCi0gICAgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMo cyk7CisgICAgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMocywgJmNtZCk7CiAK ICAgICAvKiByZWluaXRpYWxpemUgZWFjaCBjb25maWcgcmVnaXN0ZXIgdG8g YmUgZW11bGF0ZWQgKi8KICAgICBpZiAoeGVuX3B0X2NvbmZpZ19pbml0KHMp KSB7CkBAIC03MzYsNiArNzM5LDExIEBAIHN0YXRpYyBpbnQgeGVuX3B0X2lu aXRmbihQQ0lEZXZpY2UgKmQpCiAgICAgfQogCiBvdXQ6CisgICAgaWYgKGNt ZCkgeworICAgICAgICB4ZW5faG9zdF9wY2lfc2V0X3dvcmQoJnMtPnJlYWxf ZGV2aWNlLCBQQ0lfQ09NTUFORCwKKyAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIHBjaV9nZXRfd29yZChkLT5jb25maWcgKyBQQ0lfQ09NTUFORCkg fCBjbWQpOworICAgIH0KKwogICAgIG1lbW9yeV9saXN0ZW5lcl9yZWdpc3Rl cigmcy0+bWVtb3J5X2xpc3RlbmVyLCAmYWRkcmVzc19zcGFjZV9tZW1vcnkp OwogICAgIG1lbW9yeV9saXN0ZW5lcl9yZWdpc3Rlcigmcy0+aW9fbGlzdGVu ZXIsICZhZGRyZXNzX3NwYWNlX2lvKTsKICAgICBYRU5fUFRfTE9HKGQsCi0t LSBhL2h3L3hlbi94ZW5fcHRfY29uZmlnX2luaXQuYworKysgYi9ody94ZW4v eGVuX3B0X2NvbmZpZ19pbml0LmMKQEAgLTI4NiwyMyArMjg2LDYgQEAgc3Rh dGljIGludCB4ZW5fcHRfaXJxcGluX3JlZ19pbml0KFhlblBDSQogfQogCiAv KiBDb21tYW5kIHJlZ2lzdGVyICovCi1zdGF0aWMgaW50IHhlbl9wdF9jbWRf cmVnX3JlYWQoWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcywgWGVuUFRSZWcg KmNmZ19lbnRyeSwKLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1 aW50MTZfdCAqdmFsdWUsIHVpbnQxNl90IHZhbGlkX21hc2spCi17Ci0gICAg WGVuUFRSZWdJbmZvICpyZWcgPSBjZmdfZW50cnktPnJlZzsKLSAgICB1aW50 MTZfdCB2YWxpZF9lbXVfbWFzayA9IDA7Ci0gICAgdWludDE2X3QgZW11X21h c2sgPSByZWctPmVtdV9tYXNrOwotCi0gICAgaWYgKHMtPmlzX3ZpcnRmbikg ewotICAgICAgICBlbXVfbWFzayB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7Ci0g ICAgfQotCi0gICAgLyogZW11bGF0ZSB3b3JkIHJlZ2lzdGVyICovCi0gICAg dmFsaWRfZW11X21hc2sgPSBlbXVfbWFzayAmIHZhbGlkX21hc2s7Ci0gICAg KnZhbHVlID0gWEVOX1BUX01FUkdFX1ZBTFVFKCp2YWx1ZSwgY2ZnX2VudHJ5 LT5kYXRhLCB+dmFsaWRfZW11X21hc2spOwotCi0gICAgcmV0dXJuIDA7Ci19 CiBzdGF0aWMgaW50IHhlbl9wdF9jbWRfcmVnX3dyaXRlKFhlblBDSVBhc3N0 aHJvdWdoU3RhdGUgKnMsIFhlblBUUmVnICpjZmdfZW50cnksCiAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIHVpbnQxNl90ICp2YWwsIHVpbnQx Nl90IGRldl92YWx1ZSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgdWludDE2X3QgdmFsaWRfbWFzaykKQEAgLTMxMCwxOCArMjkzLDEzIEBA IHN0YXRpYyBpbnQgeGVuX3B0X2NtZF9yZWdfd3JpdGUoWGVuUENJUGEKICAg ICBYZW5QVFJlZ0luZm8gKnJlZyA9IGNmZ19lbnRyeS0+cmVnOwogICAgIHVp bnQxNl90IHdyaXRhYmxlX21hc2sgPSAwOwogICAgIHVpbnQxNl90IHRocm91 Z2hhYmxlX21hc2sgPSAwOwotICAgIHVpbnQxNl90IGVtdV9tYXNrID0gcmVn LT5lbXVfbWFzazsKLQotICAgIGlmIChzLT5pc192aXJ0Zm4pIHsKLSAgICAg ICAgZW11X21hc2sgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwotICAgIH0KIAog ICAgIC8qIG1vZGlmeSBlbXVsYXRlIHJlZ2lzdGVyICovCiAgICAgd3JpdGFi bGVfbWFzayA9IH5yZWctPnJvX21hc2sgJiB2YWxpZF9tYXNrOwogICAgIGNm Z19lbnRyeS0+ZGF0YSA9IFhFTl9QVF9NRVJHRV9WQUxVRSgqdmFsLCBjZmdf ZW50cnktPmRhdGEsIHdyaXRhYmxlX21hc2spOwogCiAgICAgLyogY3JlYXRl IHZhbHVlIGZvciB3cml0aW5nIHRvIEkvTyBkZXZpY2UgcmVnaXN0ZXIgKi8K LSAgICB0aHJvdWdoYWJsZV9tYXNrID0gfmVtdV9tYXNrICYgdmFsaWRfbWFz azsKKyAgICB0aHJvdWdoYWJsZV9tYXNrID0gfnJlZy0+ZW11X21hc2sgJiB2 YWxpZF9tYXNrOwogCiAgICAgaWYgKCp2YWwgJiBQQ0lfQ09NTUFORF9JTlRY X0RJU0FCTEUpIHsKICAgICAgICAgdGhyb3VnaGFibGVfbWFzayB8PSBQQ0lf Q09NTUFORF9JTlRYX0RJU0FCTEU7CkBAIC02MDUsOSArNTgzLDkgQEAgc3Rh dGljIFhlblBUUmVnSW5mbyB4ZW5fcHRfZW11X3JlZ19oZWFkZQogICAgICAg ICAuc2l6ZSAgICAgICA9IDIsCiAgICAgICAgIC5pbml0X3ZhbCAgID0gMHgw MDAwLAogICAgICAgICAucm9fbWFzayAgICA9IDB4Rjg4MCwKLSAgICAgICAg LmVtdV9tYXNrICAgPSAweDA3NDAsCisgICAgICAgIC5lbXVfbWFzayAgID0g MHgwNzQzLAogICAgICAgICAuaW5pdCAgICAgICA9IHhlbl9wdF9jb21tb25f cmVnX2luaXQsCi0gICAgICAgIC51LncucmVhZCAgID0geGVuX3B0X2NtZF9y ZWdfcmVhZCwKKyAgICAgICAgLnUudy5yZWFkICAgPSB4ZW5fcHRfd29yZF9y ZWdfcmVhZCwKICAgICAgICAgLnUudy53cml0ZSAgPSB4ZW5fcHRfY21kX3Jl Z193cml0ZSwKICAgICB9LAogICAgIC8qIENhcGFiaWxpdGllcyBQb2ludGVy IHJlZyAqLwo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 31 12:11:10 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 12:11:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzc-0008RZ-RE; Tue, 31 Mar 2015 12:10:04 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzb-0008R7-9g; Tue, 31 Mar 2015 12:10:03 +0000 Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id 7B/4B-30545-A9E8A155; Tue, 31 Mar 2015 12:10:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-9.tower-206.messagelabs.com!1427803800!12875847!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 23725 invoked from network); 31 Mar 2015 12:10:00 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-9.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 12:10:00 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcuzR-0006wt-3j; Tue, 31 Mar 2015 12:09:53 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YcuzQ-0005LQ-PR; Tue, 31 Mar 2015 12:09:52 +0000 Date: Tue, 31 Mar 2015 12:09:52 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 125 (CVE-2015-2752) - Long latency MMIO mapping operations are not preemptible X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2752 / XSA-125 version 3 Long latency MMIO mapping operations are not preemptible UPDATES IN VERSION 3 ==================== CVE assigned. Public release. ISSUE DESCRIPTION ================= The XEN_DOMCTL_memory_mapping hypercall allows long running operations without implementing preemption. This hypercall is used by the device model as part of the emulation associated with configuration of PCI devices passed through to HVM guests and is therefore indirectly exposed to those guests. This can cause a physical CPU to become busy for a significant period, leading to a host denial of service in some cases. If a host denial of service is not triggered then it may instead be possible to deny service to the domain running the device model, e.g. domain 0. This hypercall is also exposed more generally to all toolstacks. However the uses of it in libxl based toolstacks are not believed to open up any avenue of attack from an untrusted guest. Other toolstacks may be vulnerable however. IMPACT ====== The vulnerability is exposed via HVM guests which have a PCI device assigned to them. A malicious HVM guest in such a configuration can mount a denial of service attack affecting the whole system via its associated device model (qemu-dm). A guest is able to trigger this hypercall via operations which it is legitimately expected to perform, therefore running the device model as a stub domain does not offer protection against the host denial of service issue. However it does offer some protection against secondary issues such as denial of service against dom0. VULNERABLE SYSTEMS ================== The issue is exposed via x86 HVM VMs which have been assigned a PCI device. x86 PV domains, x86 HVM domains without passthrough devices and ARM domains do not expose this vulnerability. Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== Running only PV guests will avoid this issue. This issue can be avoided by not assigning devices with large MMIO regions to untrusted HVM guests. CREDITS ======= This issue was discovered by Konrad Rzeszutek Wilk of Oracle. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa125.patch Xen 4.5.x, xen-unstable xsa125-4.4.patch Xen 4.4.x xsa125-4.3.patch Xen 4.3.x xsa125-4.2.patch Xen 4.2.x $ sha256sum xsa125*.patch be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de xsa125.patch 5f081407c2955787c6e40daa847f3c4131694dff3bb0bc0ee55495f555c7bb52 xsa125-4.2.patch 3b0641ef2a23f12872267940c408097cb353e57a6e0396a64cdf13592a14f65b xsa125-4.3.patch 2180e657b34d8628d4e0157adf2a36904bb6feaf55d53338e4457ef77d867a31 xsa125-4.4.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGo5JAAoJEIP+FMlX6CvZlEAIAMdSMKpxum+J9IbUFCqcHFa4 F8zQDkz2hMCY3OjTAq9+n6KR2LLyKDn2hGDP0Mspbo67lRBEjSkp7KEXCoDrA294 YsVuJn8y0T3yPH9du3m0f2vi49MrhnxnUZLNyKCpkxTiClrC/7JX3OZxQTQIGpzf EIsjYP+/w9ava5XYbGKorwlLvGpjRmnZpCDTrZlqKV2bK2O6pWzyvp5zD99FORcJ YVRIGebKu8szbSHZs9ectt4xkZwYrzSjj0+PtryvwLSpSYi0zTWIu9rrgd/ZCXfL tgD+i9zoc2E1ydPlvdKRXEdRHY9gGcaimfbTqYn1ttJ6qQcnbMoRQor4X+v92NU= =m83F -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa125.patch" Content-Disposition: attachment; filename="xsa125.patch" Content-Transfer-Encoding: base64 RnJvbSA5ODY3MGFjYzk4Y2FkNWFlZTBlMDcxNDY5NGE2NGQzYjk2Njc1YzM2 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBLb25yYWQgUnplc3p1 dGVrIFdpbGsgPGtvbnJhZC53aWxrQG9yYWNsZS5jb20+CkRhdGU6IFdlZCwg MTkgTm92IDIwMTQgMTI6NTc6MTEgLTA1MDAKU3ViamVjdDogW1BBVENIXSBM aW1pdCBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nIGh5cGVyY2FsbCB0byBv bmx5IHByb2Nlc3MgdXAKIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Ci0tLQpbdjUwOiBTaW1wbGlm eSBsb29wXQpbdjUxOiBJZiBtYXhfYmF0Y2hfc3ogMSAob3IgbGVzcykgd2Ug d291bGQgcmV0dXJuIHplcm8uIEZpeCB0aGF0XQpbdjUyOiBIYW5kbGUgbnJf bWZucyBiZWluZyB6ZXJvXQpbdjUzOiBGaXggdXAgcmV0dXJuIHZhbHVlXQot LS0KIHRvb2xzL2xpYnhjL3hjX2RvbWFpbi5jICAgICB8IDQ2ICsrKysrKysr KysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrLS0tLQogeGVuL2Nv bW1vbi9kb21jdGwuYyAgICAgICAgIHwgIDUgKysrKysKIHhlbi9pbmNsdWRl L3B1YmxpYy9kb21jdGwuaCB8ICAxICsKIDMgZmlsZXMgY2hhbmdlZCwgNDgg aW5zZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS90 b29scy9saWJ4Yy94Y19kb21haW4uYyBiL3Rvb2xzL2xpYnhjL3hjX2RvbWFp bi5jCmluZGV4IDg0NWQxZDcuLmJiYTc2NzIgMTAwNjQ0Ci0tLSBhL3Rvb2xz L2xpYnhjL3hjX2RvbWFpbi5jCisrKyBiL3Rvb2xzL2xpYnhjL3hjX2RvbWFp bi5jCkBAIC0xOTg4LDYgKzE5ODgsOCBAQCBpbnQgeGNfZG9tYWluX21lbW9y eV9tYXBwaW5nKAogewogICAgIERFQ0xBUkVfRE9NQ1RMOwogICAgIHhjX2Rv bWluZm9fdCBpbmZvOworICAgIGludCByZXQgPSAwLCBlcnI7CisgICAgdW5z aWduZWQgbG9uZyBkb25lID0gMCwgbnIsIG1heF9iYXRjaF9zejsKIAogICAg IGlmICggeGNfZG9tYWluX2dldGluZm8oeGNoLCBkb21pZCwgMSwgJmluZm8p ICE9IDEgfHwKICAgICAgICAgIGluZm8uZG9taWQgIT0gZG9taWQgKQpAQCAt MTk5OCwxNCArMjAwMCw1MCBAQCBpbnQgeGNfZG9tYWluX21lbW9yeV9tYXBw aW5nKAogICAgIGlmICggIXhjX2NvcmVfYXJjaF9hdXRvX3RyYW5zbGF0ZWRf cGh5c21hcCgmaW5mbykgKQogICAgICAgICByZXR1cm4gMDsKIAorICAgIGlm ICggIW5yX21mbnMgKQorICAgICAgICByZXR1cm4gMDsKKwogICAgIGRvbWN0 bC5jbWQgPSBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nOwogICAgIGRvbWN0 bC5kb21haW4gPSBkb21pZDsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGlu Zy5maXJzdF9nZm4gPSBmaXJzdF9nZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5 X21hcHBpbmcuZmlyc3RfbWZuID0gZmlyc3RfbWZuOwotICAgIGRvbWN0bC51 Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMgPSBucl9tZm5zOwogICAgIGRvbWN0 bC51Lm1lbW9yeV9tYXBwaW5nLmFkZF9tYXBwaW5nID0gYWRkX21hcHBpbmc7 CisgICAgbWF4X2JhdGNoX3N6ID0gbnJfbWZuczsKKyAgICBkbworICAgIHsK KyAgICAgICAgbnIgPSBtaW4obnJfbWZucyAtIGRvbmUsIG1heF9iYXRjaF9z eik7CisgICAgICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMg PSBucjsKKyAgICAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmlyc3Rf Z2ZuID0gZmlyc3RfZ2ZuICsgZG9uZTsKKyAgICAgICAgZG9tY3RsLnUubWVt b3J5X21hcHBpbmcuZmlyc3RfbWZuID0gZmlyc3RfbWZuICsgZG9uZTsKKyAg ICAgICAgZXJyID0gZG9fZG9tY3RsKHhjaCwgJmRvbWN0bCk7CisgICAgICAg IGlmICggZXJyICYmIGVycm5vID09IEUyQklHICkKKyAgICAgICAgeworICAg ICAgICAgICAgaWYgKCBtYXhfYmF0Y2hfc3ogPD0gMSApCisgICAgICAgICAg ICAgICAgYnJlYWs7CisgICAgICAgICAgICBtYXhfYmF0Y2hfc3ogPj49IDE7 CisgICAgICAgICAgICBjb250aW51ZTsKKyAgICAgICAgfQorICAgICAgICAv KiBTYXZlIHRoZSBmaXJzdCBlcnJvci4uLiAqLworICAgICAgICBpZiAoICFy ZXQgKQorICAgICAgICAgICAgcmV0ID0gZXJyOworICAgICAgICAvKiAuLiBh bmQgaWdub3JlIHRoZSByZXN0IG9mIHRoZW0gd2hlbiByZW1vdmluZy4gKi8K KyAgICAgICAgaWYgKCBlcnIgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1P VkVfTUFQUElORyApCisgICAgICAgICAgICBicmVhazsKIAotICAgIHJldHVy biBkb19kb21jdGwoeGNoLCAmZG9tY3RsKTsKKyAgICAgICAgZG9uZSArPSBu cjsKKyAgICB9IHdoaWxlICggZG9uZSA8IG5yX21mbnMgKTsKKworICAgIC8q CisgICAgICogVW5kbyB3aGF0IHdlIGhhdmUgZG9uZSB1bmxlc3MgdW5tYXBw aW5nLCBieSB1bm1hcHBpbmcgdGhlIGVudGlyZSByZWdpb24uCisgICAgICog RXJyb3JzIGhlcmUgYXJlIGlnbm9yZWQuCisgICAgICovCisgICAgaWYgKCBy ZXQgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyApCisg ICAgICAgIHhjX2RvbWFpbl9tZW1vcnlfbWFwcGluZyh4Y2gsIGRvbWlkLCBm aXJzdF9nZm4sIGZpcnN0X21mbiwgbnJfbWZucywKKyAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIERQQ0lfUkVNT1ZFX01BUFBJTkcpOworCisg ICAgLyogV2UgbWlnaHQgZ2V0IEUyQklHIHNvIG1hbnkgdGltZXMgdGhhdCB3 ZSBuZXZlciBhZHZhbmNlLiAqLworICAgIGlmICggIWRvbmUgJiYgIXJldCAp CisgICAgICAgIHJldCA9IC0xOworCisgICAgcmV0dXJuIHJldDsKIH0KIAog aW50IHhjX2RvbWFpbl9pb3BvcnRfbWFwcGluZygKZGlmZiAtLWdpdCBhL3hl bi9jb21tb24vZG9tY3RsLmMgYi94ZW4vY29tbW9uL2RvbWN0bC5jCmluZGV4 IGQzOTZjYzQuLmMyZTYwYTcgMTAwNjQ0Ci0tLSBhL3hlbi9jb21tb24vZG9t Y3RsLmMKKysrIGIveGVuL2NvbW1vbi9kb21jdGwuYwpAQCAtMTAyNyw2ICsx MDI3LDExIEBAIGxvbmcgZG9fZG9tY3RsKFhFTl9HVUVTVF9IQU5ETEVfUEFS QU0oeGVuX2RvbWN0bF90KSB1X2RvbWN0bCkKICAgICAgICAgICAgICAoZ2Zu ICsgbnJfbWZucyAtIDEpIDwgZ2ZuICkgLyogd3JhcD8gKi8KICAgICAgICAg ICAgIGJyZWFrOwogCisgICAgICAgIHJldCA9IC1FMkJJRzsKKyAgICAgICAg LyogTXVzdCBicmVhayBoeXBlcmNhbGwgdXAgYXMgdGhpcyBjb3VsZCB0YWtl IGEgd2hpbGUuICovCisgICAgICAgIGlmICggbnJfbWZucyA+IDY0ICkKKyAg ICAgICAgICAgIGJyZWFrOworCiAgICAgICAgIHJldCA9IC1FUEVSTTsKICAg ICAgICAgaWYgKCAhaW9tZW1fYWNjZXNzX3Blcm1pdHRlZChjdXJyZW50LT5k b21haW4sIG1mbiwgbWZuX2VuZCkgfHwKICAgICAgICAgICAgICAhaW9tZW1f YWNjZXNzX3Blcm1pdHRlZChkLCBtZm4sIG1mbl9lbmQpICkKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL3B1YmxpYy9kb21jdGwuaCBiL3hlbi9pbmNsdWRl L3B1YmxpYy9kb21jdGwuaAppbmRleCBjYTBlNTFlLi4wYzlmNDc0IDEwMDY0 NAotLS0gYS94ZW4vaW5jbHVkZS9wdWJsaWMvZG9tY3RsLmgKKysrIGIveGVu L2luY2x1ZGUvcHVibGljL2RvbWN0bC5oCkBAIC01NDMsNiArNTQzLDcgQEAg REVGSU5FX1hFTl9HVUVTVF9IQU5ETEUoeGVuX2RvbWN0bF9iaW5kX3B0X2ly cV90KTsKIAogCiAvKiBCaW5kIG1hY2hpbmUgSS9PIGFkZHJlc3MgcmFuZ2Ug LT4gSFZNIGFkZHJlc3MgcmFuZ2UuICovCisvKiBJZiB0aGlzIHJldHVybnMg LUUyQklHIGxvd2VyIG5yX21mbnMgdmFsdWUuICovCiAvKiBYRU5fRE9NQ1RM X21lbW9yeV9tYXBwaW5nICovCiAjZGVmaW5lIERQQ0lfQUREX01BUFBJTkcg ICAgICAgICAxCiAjZGVmaW5lIERQQ0lfUkVNT1ZFX01BUFBJTkcgICAgICAw Ci0tIAoyLjEuMAoK --=separator Content-Type: application/octet-stream; name="xsa125-4.2.patch" Content-Disposition: attachment; filename="xsa125-4.2.patch" Content-Transfer-Encoding: base64 TGltaXQgWEVOX0RPTUNUTF9tZW1vcnlfbWFwcGluZyBoeXBlcmNhbGwgdG8g b25seSBwcm9jZXNzIHVwIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEvdG9v bHMvbGlieGMveGNfZG9tYWluLmMgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwppbmRleCBkOThlNjhiLi42MGY3MTM3IDEwMDY0NAotLS0gYS90b29scy9s aWJ4Yy94Y19kb21haW4uYworKysgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwpAQCAtMTM1Miw2ICsxMzUyLDEzIEBAIGludCB4Y19kb21haW5fYmluZF9w dF9pc2FfaXJxKAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IFBUX0lSUV9UWVBFX0lTQSwgMCwgMCwgMCwgbWFjaGluZV9pcnEpKTsKIH0K IAorI2lmbmRlZiBtaW4KKyNkZWZpbmUgbWluKFgsIFkpICh7ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBcCisgICAgICAgICAgICBjb25zdCB0eXBl b2YgKFgpIF94ID0gKFgpOyAgICAgICAgICAgXAorICAgICAgICAgICAgY29u c3QgdHlwZW9mIChZKSBfeSA9IChZKTsgICAgICAgICAgIFwKKyAgICAgICAg ICAgICh2b2lkKSAoJl94ID09ICZfeSk7ICAgICAgICAgICAgICAgICBcCisg ICAgICAgICAgICAoX3ggPCBfeSkgPyBfeCA6IF95OyB9KQorI2VuZGlmCiBp bnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHhjX2ludGVyZmFj ZSAqeGNoLAogICAgIHVpbnQzMl90IGRvbWlkLApAQCAtMTM2MSwxNyArMTM2 OCw1NSBAQCBpbnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHVp bnQzMl90IGFkZF9tYXBwaW5nKQogewogICAgIERFQ0xBUkVfRE9NQ1RMOwor ICAgIGludCByZXQgPSAwLCBlcnI7CisgICAgdW5zaWduZWQgbG9uZyBkb25l ID0gMCwgbnIsIG1heF9iYXRjaF9zejsKKworICAgIGlmICggIW5yX21mbnMg KQorICAgICAgICByZXR1cm4gMDsKIAogICAgIGRvbWN0bC5jbWQgPSBYRU5f RE9NQ1RMX21lbW9yeV9tYXBwaW5nOwogICAgIGRvbWN0bC5kb21haW4gPSBk b21pZDsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9nZm4g PSBmaXJzdF9nZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmly c3RfbWZuID0gZmlyc3RfbWZuOwotICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBw aW5nLm5yX21mbnMgPSBucl9tZm5zOwogICAgIGRvbWN0bC51Lm1lbW9yeV9t YXBwaW5nLmFkZF9tYXBwaW5nID0gYWRkX21hcHBpbmc7CisgICAgbWF4X2Jh dGNoX3N6ID0gbnJfbWZuczsKKyAgICBkbworICAgIHsKKyAgICAgICAgbnIg PSBtaW4obnJfbWZucyAtIGRvbmUsIG1heF9iYXRjaF9zeik7CisgICAgICAg IGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMgPSBucjsKKyAgICAg ICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmlyc3RfZ2ZuID0gZmlyc3Rf Z2ZuICsgZG9uZTsKKyAgICAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcu Zmlyc3RfbWZuID0gZmlyc3RfbWZuICsgZG9uZTsKKyAgICAgICAgZXJyID0g ZG9fZG9tY3RsKHhjaCwgJmRvbWN0bCk7CisgICAgICAgIGlmICggZXJyICYm IGVycm5vID09IEUyQklHICkKKyAgICAgICAgeworICAgICAgICAgICAgaWYg KCBtYXhfYmF0Y2hfc3ogPD0gMSApCisgICAgICAgICAgICAgICAgYnJlYWs7 CisgICAgICAgICAgICBtYXhfYmF0Y2hfc3ogPj49IDE7CisgICAgICAgICAg ICBjb250aW51ZTsKKyAgICAgICAgfQorICAgICAgICAvKiBTYXZlIHRoZSBm aXJzdCBlcnJvci4uLiAqLworICAgICAgICBpZiAoICFyZXQgKQorICAgICAg ICAgICAgcmV0ID0gZXJyOworICAgICAgICAvKiAuLiBhbmQgaWdub3JlIHRo ZSByZXN0IG9mIHRoZW0gd2hlbiByZW1vdmluZy4gKi8KKyAgICAgICAgaWYg KCBlcnIgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyAp CisgICAgICAgICAgICBicmVhazsKIAotICAgIHJldHVybiBkb19kb21jdGwo eGNoLCAmZG9tY3RsKTsKLX0KKyAgICAgICAgZG9uZSArPSBucjsKKyAgICB9 IHdoaWxlICggZG9uZSA8IG5yX21mbnMgKTsKIAorICAgIC8qCisgICAgICog VW5kbyB3aGF0IHdlIGhhdmUgZG9uZSB1bmxlc3MgdW5tYXBwaW5nLCBieSB1 bm1hcHBpbmcgdGhlIGVudGlyZSByZWdpb24uCisgICAgICogRXJyb3JzIGhl cmUgYXJlIGlnbm9yZWQuCisgICAgICovCisgICAgaWYgKCByZXQgJiYgYWRk X21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyApCisgICAgICAgIHhj X2RvbWFpbl9tZW1vcnlfbWFwcGluZyh4Y2gsIGRvbWlkLCBmaXJzdF9nZm4s IGZpcnN0X21mbiwgbnJfbWZucywKKyAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIERQQ0lfUkVNT1ZFX01BUFBJTkcpOworCisgICAgLyogV2Ug bWlnaHQgZ2V0IEUyQklHIHNvIG1hbnkgdGltZXMgdGhhdCB3ZSBuZXZlciBh ZHZhbmNlLiAqLworICAgIGlmICggIWRvbmUgJiYgIXJldCApCisgICAgICAg IHJldCA9IC0xOworCisgICAgcmV0dXJuIHJldDsKK30KKyN1bmRlZiBtaW4K IGludCB4Y19kb21haW5faW9wb3J0X21hcHBpbmcoCiAgICAgeGNfaW50ZXJm YWNlICp4Y2gsCiAgICAgdWludDMyX3QgZG9taWQsCmRpZmYgLS1naXQgYS94 ZW4vYXJjaC94ODYvZG9tY3RsLmMgYi94ZW4vYXJjaC94ODYvZG9tY3RsLmMK aW5kZXggOGJmOGYwOS4uYzlhOTdjOSAxMDA2NDQKLS0tIGEveGVuL2FyY2gv eDg2L2RvbWN0bC5jCisrKyBiL3hlbi9hcmNoL3g4Ni9kb21jdGwuYwpAQCAt ODY3LDYgKzg2NywxMSBAQCBsb25nIGFyY2hfZG9fZG9tY3RsKAogICAgICAg ICAgICAgIChnZm4gKyBucl9tZm5zIC0gMSkgPCBnZm4gKSAvKiB3cmFwPyAq LwogICAgICAgICAgICAgYnJlYWs7CiAKKyAgICAgICAgcmV0ID0gLUUyQklH OworICAgICAgICAvKiBNdXN0IGJyZWFrIGh5cGVyY2FsbCB1cCBhcyB0aGlz IGNvdWxkIHRha2UgYSB3aGlsZS4gKi8KKyAgICAgICAgaWYgKCBucl9tZm5z ID4gNjQgKQorICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAgcmV0ID0g LUVQRVJNOwogICAgICAgICBpZiAoICFJU19QUklWKGN1cnJlbnQtPmRvbWFp bikgJiYKICAgICAgICAgICAgICAhaW9tZW1fYWNjZXNzX3Blcm1pdHRlZChj dXJyZW50LT5kb21haW4sIG1mbiwgbWZuICsgbnJfbWZucyAtIDEpICkKZGlm ZiAtLWdpdCBhL3hlbi9pbmNsdWRlL3B1YmxpYy9kb21jdGwuaCBiL3hlbi9p bmNsdWRlL3B1YmxpYy9kb21jdGwuaAppbmRleCAyNDBjZWI5Li5iNDU5MTFl IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9wdWJsaWMvZG9tY3RsLmgKKysr IGIveGVuL2luY2x1ZGUvcHVibGljL2RvbWN0bC5oCkBAIC01MDcsNiArNTA3 LDcgQEAgREVGSU5FX1hFTl9HVUVTVF9IQU5ETEUoeGVuX2RvbWN0bF9iaW5k X3B0X2lycV90KTsKIAogCiAvKiBCaW5kIG1hY2hpbmUgSS9PIGFkZHJlc3Mg cmFuZ2UgLT4gSFZNIGFkZHJlc3MgcmFuZ2UuICovCisvKiBJZiB0aGlzIHJl dHVybnMgLUUyQklHIGxvd2VyIG5yX21mbnMgdmFsdWUuICovCiAvKiBYRU5f RE9NQ1RMX21lbW9yeV9tYXBwaW5nICovCiAjZGVmaW5lIERQQ0lfQUREX01B UFBJTkcgICAgICAgICAxCiAjZGVmaW5lIERQQ0lfUkVNT1ZFX01BUFBJTkcg ICAgICAwCg== --=separator Content-Type: application/octet-stream; name="xsa125-4.3.patch" Content-Disposition: attachment; filename="xsa125-4.3.patch" Content-Transfer-Encoding: base64 TGltaXQgWEVOX0RPTUNUTF9tZW1vcnlfbWFwcGluZyBoeXBlcmNhbGwgdG8g b25seSBwcm9jZXNzIHVwIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEvdG9v bHMvbGlieGMveGNfZG9tYWluLmMgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwppbmRleCAzMjU3ZTJhLi43Mzg2ZTU4IDEwMDY0NAotLS0gYS90b29scy9s aWJ4Yy94Y19kb21haW4uYworKysgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwpAQCAtMTQ2Nyw2ICsxNDY3LDEzIEBAIGludCB4Y19kb21haW5fYmluZF9w dF9pc2FfaXJxKAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IFBUX0lSUV9UWVBFX0lTQSwgMCwgMCwgMCwgbWFjaGluZV9pcnEpKTsKIH0K IAorI2lmbmRlZiBtaW4KKyNkZWZpbmUgbWluKFgsIFkpICh7ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBcCisgICAgICAgICAgICBjb25zdCB0eXBl b2YgKFgpIF94ID0gKFgpOyAgICAgICAgICAgXAorICAgICAgICAgICAgY29u c3QgdHlwZW9mIChZKSBfeSA9IChZKTsgICAgICAgICAgIFwKKyAgICAgICAg ICAgICh2b2lkKSAoJl94ID09ICZfeSk7ICAgICAgICAgICAgICAgICBcCisg ICAgICAgICAgICAoX3ggPCBfeSkgPyBfeCA6IF95OyB9KQorI2VuZGlmCiBp bnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHhjX2ludGVyZmFj ZSAqeGNoLAogICAgIHVpbnQzMl90IGRvbWlkLApAQCAtMTQ3NiwxNyArMTQ4 Myw1NSBAQCBpbnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHVp bnQzMl90IGFkZF9tYXBwaW5nKQogewogICAgIERFQ0xBUkVfRE9NQ1RMOwor ICAgIGludCByZXQgPSAwLCBlcnI7CisgICAgdW5zaWduZWQgbG9uZyBkb25l ID0gMCwgbnIsIG1heF9iYXRjaF9zejsKKworICAgIGlmICggIW5yX21mbnMg KQorICAgICAgICByZXR1cm4gMDsKIAogICAgIGRvbWN0bC5jbWQgPSBYRU5f RE9NQ1RMX21lbW9yeV9tYXBwaW5nOwogICAgIGRvbWN0bC5kb21haW4gPSBk b21pZDsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9nZm4g PSBmaXJzdF9nZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmly c3RfbWZuID0gZmlyc3RfbWZuOwotICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBw aW5nLm5yX21mbnMgPSBucl9tZm5zOwogICAgIGRvbWN0bC51Lm1lbW9yeV9t YXBwaW5nLmFkZF9tYXBwaW5nID0gYWRkX21hcHBpbmc7CisgICAgbWF4X2Jh dGNoX3N6ID0gbnJfbWZuczsKKyAgICBkbworICAgIHsKKyAgICAgICAgbnIg PSBtaW4obnJfbWZucyAtIGRvbmUsIG1heF9iYXRjaF9zeik7CisgICAgICAg IGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMgPSBucjsKKyAgICAg ICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmlyc3RfZ2ZuID0gZmlyc3Rf Z2ZuICsgZG9uZTsKKyAgICAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcu Zmlyc3RfbWZuID0gZmlyc3RfbWZuICsgZG9uZTsKKyAgICAgICAgZXJyID0g ZG9fZG9tY3RsKHhjaCwgJmRvbWN0bCk7CisgICAgICAgIGlmICggZXJyICYm IGVycm5vID09IEUyQklHICkKKyAgICAgICAgeworICAgICAgICAgICAgaWYg KCBtYXhfYmF0Y2hfc3ogPD0gMSApCisgICAgICAgICAgICAgICAgYnJlYWs7 CisgICAgICAgICAgICBtYXhfYmF0Y2hfc3ogPj49IDE7CisgICAgICAgICAg ICBjb250aW51ZTsKKyAgICAgICAgfQorICAgICAgICAvKiBTYXZlIHRoZSBm aXJzdCBlcnJvci4uLiAqLworICAgICAgICBpZiAoICFyZXQgKQorICAgICAg ICAgICAgcmV0ID0gZXJyOworICAgICAgICAvKiAuLiBhbmQgaWdub3JlIHRo ZSByZXN0IG9mIHRoZW0gd2hlbiByZW1vdmluZy4gKi8KKyAgICAgICAgaWYg KCBlcnIgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyAp CisgICAgICAgICAgICBicmVhazsKIAotICAgIHJldHVybiBkb19kb21jdGwo eGNoLCAmZG9tY3RsKTsKLX0KKyAgICAgICAgZG9uZSArPSBucjsKKyAgICB9 IHdoaWxlICggZG9uZSA8IG5yX21mbnMgKTsKIAorICAgIC8qCisgICAgICog VW5kbyB3aGF0IHdlIGhhdmUgZG9uZSB1bmxlc3MgdW5tYXBwaW5nLCBieSB1 bm1hcHBpbmcgdGhlIGVudGlyZSByZWdpb24uCisgICAgICogRXJyb3JzIGhl cmUgYXJlIGlnbm9yZWQuCisgICAgICovCisgICAgaWYgKCByZXQgJiYgYWRk X21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyApCisgICAgICAgIHhj X2RvbWFpbl9tZW1vcnlfbWFwcGluZyh4Y2gsIGRvbWlkLCBmaXJzdF9nZm4s IGZpcnN0X21mbiwgbnJfbWZucywKKyAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIERQQ0lfUkVNT1ZFX01BUFBJTkcpOworCisgICAgLyogV2Ug bWlnaHQgZ2V0IEUyQklHIHNvIG1hbnkgdGltZXMgdGhhdCB3ZSBuZXZlciBh ZHZhbmNlLiAqLworICAgIGlmICggIWRvbmUgJiYgIXJldCApCisgICAgICAg IHJldCA9IC0xOworCisgICAgcmV0dXJuIHJldDsKK30KKyN1bmRlZiBtaW4K IGludCB4Y19kb21haW5faW9wb3J0X21hcHBpbmcoCiAgICAgeGNfaW50ZXJm YWNlICp4Y2gsCiAgICAgdWludDMyX3QgZG9taWQsCmRpZmYgLS1naXQgYS94 ZW4vYXJjaC94ODYvZG9tY3RsLmMgYi94ZW4vYXJjaC94ODYvZG9tY3RsLmMK aW5kZXggMTczYmYwMS4uMzA2Mjk3YSAxMDA2NDQKLS0tIGEveGVuL2FyY2gv eDg2L2RvbWN0bC5jCisrKyBiL3hlbi9hcmNoL3g4Ni9kb21jdGwuYwpAQCAt NjU1LDYgKzY1NSwxMSBAQCBsb25nIGFyY2hfZG9fZG9tY3RsKAogICAgICAg ICAgICAgIChnZm4gKyBucl9tZm5zIC0gMSkgPCBnZm4gKSAvKiB3cmFwPyAq LwogICAgICAgICAgICAgYnJlYWs7CiAKKyAgICAgICAgcmV0ID0gLUUyQklH OworICAgICAgICAvKiBNdXN0IGJyZWFrIGh5cGVyY2FsbCB1cCBhcyB0aGlz IGNvdWxkIHRha2UgYSB3aGlsZS4gKi8KKyAgICAgICAgaWYgKCBucl9tZm5z ID4gNjQgKQorICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAgcmV0ID0g LUVQRVJNOwogICAgICAgICBpZiAoICFpb21lbV9hY2Nlc3NfcGVybWl0dGVk KGN1cnJlbnQtPmRvbWFpbiwgbWZuLCBtZm4gKyBucl9tZm5zIC0gMSkgKQog ICAgICAgICAgICAgYnJlYWs7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9w dWJsaWMvZG9tY3RsLmggYi94ZW4vaW5jbHVkZS9wdWJsaWMvZG9tY3RsLmgK aW5kZXggZDM4MTkwMy4uOGY5ZDVjMCAxMDA2NDQKLS0tIGEveGVuL2luY2x1 ZGUvcHVibGljL2RvbWN0bC5oCisrKyBiL3hlbi9pbmNsdWRlL3B1YmxpYy9k b21jdGwuaApAQCAtNTEzLDYgKzUxMyw3IEBAIERFRklORV9YRU5fR1VFU1Rf SEFORExFKHhlbl9kb21jdGxfYmluZF9wdF9pcnFfdCk7CiAKIAogLyogQmlu ZCBtYWNoaW5lIEkvTyBhZGRyZXNzIHJhbmdlIC0+IEhWTSBhZGRyZXNzIHJh bmdlLiAqLworLyogSWYgdGhpcyByZXR1cm5zIC1FMkJJRyBsb3dlciBucl9t Zm5zIHZhbHVlLiAqLwogLyogWEVOX0RPTUNUTF9tZW1vcnlfbWFwcGluZyAq LwogI2RlZmluZSBEUENJX0FERF9NQVBQSU5HICAgICAgICAgMQogI2RlZmlu ZSBEUENJX1JFTU9WRV9NQVBQSU5HICAgICAgMAo= --=separator Content-Type: application/octet-stream; name="xsa125-4.4.patch" Content-Disposition: attachment; filename="xsa125-4.4.patch" Content-Transfer-Encoding: base64 RnJvbSBkZjI5MjJjZTY3MmNjMzU1MDBlMmYzYmEwNDE0NDEwMjFmNDRiNDFj IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBLb25yYWQgUnplc3p1 dGVrIFdpbGsgPGtvbnJhZC53aWxrQG9yYWNsZS5jb20+CkRhdGU6IFdlZCwg MTkgTm92IDIwMTQgMTI6NTc6MTEgLTA1MDAKU3ViamVjdDogW1BBVENIXSBM aW1pdCBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nIGh5cGVyY2FsbCB0byBv bmx5IHByb2Nlc3MgdXAKIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Ci0tLQogdG9vbHMvbGlieGMv eGNfZG9tYWluLmMgICAgIHwgNTUgKysrKysrKysrKysrKysrKysrKysrKysr KysrKysrKysrKysrKysrKy0tLS0tCiB4ZW4vYXJjaC94ODYvZG9tY3RsLmMg ICAgICAgfCAgNSArKysrKwogeGVuL2luY2x1ZGUvcHVibGljL2RvbWN0bC5o IHwgIDEgKwogMyBmaWxlcyBjaGFuZ2VkLCA1NiBpbnNlcnRpb25zKCspLCA1 IGRlbGV0aW9ucygtKQoKZGlmZiAtLWdpdCBhL3Rvb2xzL2xpYnhjL3hjX2Rv bWFpbi5jIGIvdG9vbHMvbGlieGMveGNfZG9tYWluLmMKaW5kZXggMzY5YzNm My4uNDBjYTc3MSAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGMveGNfZG9tYWlu LmMKKysrIGIvdG9vbHMvbGlieGMveGNfZG9tYWluLmMKQEAgLTE2NDEsNiAr MTY0MSwxMyBAQCBmYWlsZWQ6CiAgICAgcmV0dXJuIC0xOwogfQogCisjaWZu ZGVmIG1pbgorI2RlZmluZSBtaW4oWCwgWSkgKHsgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIFwKKyAgICAgICAgICAgIGNvbnN0IHR5cGVvZiAoWCkg X3ggPSAoWCk7ICAgICAgICAgICBcCisgICAgICAgICAgICBjb25zdCB0eXBl b2YgKFkpIF95ID0gKFkpOyAgICAgICAgICAgXAorICAgICAgICAgICAgKHZv aWQpICgmX3ggPT0gJl95KTsgICAgICAgICAgICAgICAgIFwKKyAgICAgICAg ICAgIChfeCA8IF95KSA/IF94IDogX3k7IH0pCisjZW5kaWYKIGludCB4Y19k b21haW5fbWVtb3J5X21hcHBpbmcoCiAgICAgeGNfaW50ZXJmYWNlICp4Y2gs CiAgICAgdWludDMyX3QgZG9taWQsCkBAIC0xNjUwLDE3ICsxNjU3LDU1IEBA IGludCB4Y19kb21haW5fbWVtb3J5X21hcHBpbmcoCiAgICAgdWludDMyX3Qg YWRkX21hcHBpbmcpCiB7CiAgICAgREVDTEFSRV9ET01DVEw7CisgICAgaW50 IHJldCA9IDAsIGVycjsKKyAgICB1bnNpZ25lZCBsb25nIGRvbmUgPSAwLCBu ciwgbWF4X2JhdGNoX3N6OworCisgICAgaWYgKCAhbnJfbWZucyApCisgICAg ICAgIHJldHVybiAwOwogCiAgICAgZG9tY3RsLmNtZCA9IFhFTl9ET01DVExf bWVtb3J5X21hcHBpbmc7CiAgICAgZG9tY3RsLmRvbWFpbiA9IGRvbWlkOwot ICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLmZpcnN0X2dmbiA9IGZpcnN0 X2dmbjsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9tZm4g PSBmaXJzdF9tZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcubnJf bWZucyA9IG5yX21mbnM7CiAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcu YWRkX21hcHBpbmcgPSBhZGRfbWFwcGluZzsKKyAgICBtYXhfYmF0Y2hfc3og PSBucl9tZm5zOworICAgIGRvCisgICAgeworICAgICAgICBuciA9IG1pbihu cl9tZm5zIC0gZG9uZSwgbWF4X2JhdGNoX3N6KTsKKyAgICAgICAgZG9tY3Rs LnUubWVtb3J5X21hcHBpbmcubnJfbWZucyA9IG5yOworICAgICAgICBkb21j dGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9nZm4gPSBmaXJzdF9nZm4gKyBk b25lOworICAgICAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9t Zm4gPSBmaXJzdF9tZm4gKyBkb25lOworICAgICAgICBlcnIgPSBkb19kb21j dGwoeGNoLCAmZG9tY3RsKTsKKyAgICAgICAgaWYgKCBlcnIgJiYgZXJybm8g PT0gRTJCSUcgKQorICAgICAgICB7CisgICAgICAgICAgICBpZiAoIG1heF9i YXRjaF9zeiA8PSAxICkKKyAgICAgICAgICAgICAgICBicmVhazsKKyAgICAg ICAgICAgIG1heF9iYXRjaF9zeiA+Pj0gMTsKKyAgICAgICAgICAgIGNvbnRp bnVlOworICAgICAgICB9CisgICAgICAgIC8qIFNhdmUgdGhlIGZpcnN0IGVy cm9yLi4uICovCisgICAgICAgIGlmICggIXJldCApCisgICAgICAgICAgICBy ZXQgPSBlcnI7CisgICAgICAgIC8qIC4uIGFuZCBpZ25vcmUgdGhlIHJlc3Qg b2YgdGhlbSB3aGVuIHJlbW92aW5nLiAqLworICAgICAgICBpZiAoIGVyciAm JiBhZGRfbWFwcGluZyAhPSBEUENJX1JFTU9WRV9NQVBQSU5HICkKKyAgICAg ICAgICAgIGJyZWFrOwogCi0gICAgcmV0dXJuIGRvX2RvbWN0bCh4Y2gsICZk b21jdGwpOwotfQorICAgICAgICBkb25lICs9IG5yOworICAgIH0gd2hpbGUg KCBkb25lIDwgbnJfbWZucyApOwogCisgICAgLyoKKyAgICAgKiBVbmRvIHdo YXQgd2UgaGF2ZSBkb25lIHVubGVzcyB1bm1hcHBpbmcsIGJ5IHVubWFwcGlu ZyB0aGUgZW50aXJlIHJlZ2lvbi4KKyAgICAgKiBFcnJvcnMgaGVyZSBhcmUg aWdub3JlZC4KKyAgICAgKi8KKyAgICBpZiAoIHJldCAmJiBhZGRfbWFwcGlu ZyAhPSBEUENJX1JFTU9WRV9NQVBQSU5HICkKKyAgICAgICAgeGNfZG9tYWlu X21lbW9yeV9tYXBwaW5nKHhjaCwgZG9taWQsIGZpcnN0X2dmbiwgZmlyc3Rf bWZuLCBucl9tZm5zLAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgRFBDSV9SRU1PVkVfTUFQUElORyk7CisKKyAgICAvKiBXZSBtaWdodCBn ZXQgRTJCSUcgc28gbWFueSB0aW1lcyB0aGF0IHdlIG5ldmVyIGFkdmFuY2Uu ICovCisgICAgaWYgKCAhZG9uZSAmJiAhcmV0ICkKKyAgICAgICAgcmV0ID0g LTE7CisKKyAgICByZXR1cm4gcmV0OworfQorI3VuZGVmIG1pbgogaW50IHhj X2RvbWFpbl9pb3BvcnRfbWFwcGluZygKICAgICB4Y19pbnRlcmZhY2UgKnhj aCwKICAgICB1aW50MzJfdCBkb21pZCwKZGlmZiAtLWdpdCBhL3hlbi9hcmNo L3g4Ni9kb21jdGwuYyBiL3hlbi9hcmNoL3g4Ni9kb21jdGwuYwppbmRleCBh OTY3YjY1Li45YjcyYzIyIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYvZG9t Y3RsLmMKKysrIGIveGVuL2FyY2gveDg2L2RvbWN0bC5jCkBAIC02NTMsNiAr NjUzLDExIEBAIGxvbmcgYXJjaF9kb19kb21jdGwoCiAgICAgICAgICAgICAg KGdmbiArIG5yX21mbnMgLSAxKSA8IGdmbiApIC8qIHdyYXA/ICovCiAgICAg ICAgICAgICBicmVhazsKIAorICAgICAgICByZXQgPSAtRTJCSUc7CisgICAg ICAgIC8qIE11c3QgYnJlYWsgaHlwZXJjYWxsIHVwIGFzIHRoaXMgY291bGQg dGFrZSBhIHdoaWxlLiAqLworICAgICAgICBpZiAoIG5yX21mbnMgPiA2NCAp CisgICAgICAgICAgICBicmVhazsKKwogICAgICAgICByZXQgPSAtRVBFUk07 CiAgICAgICAgIGlmICggIWlvbWVtX2FjY2Vzc19wZXJtaXR0ZWQoY3VycmVu dC0+ZG9tYWluLCBtZm4sIG1mbiArIG5yX21mbnMgLSAxKSApCiAgICAgICAg ICAgICBicmVhazsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL3B1YmxpYy9k b21jdGwuaCBiL3hlbi9pbmNsdWRlL3B1YmxpYy9kb21jdGwuaAppbmRleCBm MjJmZTJlLi5jNDViYzU5IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9wdWJs aWMvZG9tY3RsLmgKKysrIGIveGVuL2luY2x1ZGUvcHVibGljL2RvbWN0bC5o CkBAIC01MTgsNiArNTE4LDcgQEAgREVGSU5FX1hFTl9HVUVTVF9IQU5ETEUo eGVuX2RvbWN0bF9iaW5kX3B0X2lycV90KTsKIAogCiAvKiBCaW5kIG1hY2hp bmUgSS9PIGFkZHJlc3MgcmFuZ2UgLT4gSFZNIGFkZHJlc3MgcmFuZ2UuICov CisvKiBJZiB0aGlzIHJldHVybnMgLUUyQklHIGxvd2VyIG5yX21mbnMgdmFs dWUuICovCiAvKiBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nICovCiAjZGVm aW5lIERQQ0lfQUREX01BUFBJTkcgICAgICAgICAxCiAjZGVmaW5lIERQQ0lf UkVNT1ZFX01BUFBJTkcgICAgICAwCi0tIAoyLjEuMAoK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 31 12:11:10 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 12:11:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzq-00004q-6u; Tue, 31 Mar 2015 12:10:18 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzo-0008VU-SU; Tue, 31 Mar 2015 12:10:17 +0000 Received: from [193.109.254.147] by server-2.bemta-14.messagelabs.com id 2C/46-14319-7AE8A155; Tue, 31 Mar 2015 12:10:15 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-27.messagelabs.com!1427803814!9920721!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22798 invoked from network); 31 Mar 2015 12:10:15 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 12:10:15 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzf-0006xl-GJ; Tue, 31 Mar 2015 12:10:07 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1Ycuzf-0005TY-Ao; Tue, 31 Mar 2015 12:10:07 +0000 Date: Tue, 31 Mar 2015 12:10:07 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 127 (CVE-2015-2751) - Certain domctl operations may be abused to lock up the host X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2751 / XSA-127 version 2 Certain domctl operations may be abused to lock up the host UPDATES IN VERSION 2 ==================== CVE assigned. Public release. ISSUE DESCRIPTION ================= XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not really correct: Their (mis-)use may result in host lockups. As a result, the potential security benefits of toolstack disaggregation are not always fully realised. IMPACT ====== Domains deliberately given partial management control may be able to deny service to the entire host. As a result, in a system designed to enhance security by radically disaggregating the management, the security may be reduced. But, the security will be no worse than a non-disaggregated design. VULNERABLE SYSTEMS ================== Xen versions 4.3 onwards are vulnerable. Xen versions 4.2 and earlier do not have the described disaggregation functionality and hence are not vulnerable. MITIGATION ========== The issues discussed in this advisory are themselves bugs in features used for a security risk mitigation. There is no further mitigation available, beyond general measures to try to avoid parts of the system management becoming controlled by attackers. Those are the kind of measures which we expect any users of radical disaggregation to have already deployed. Switching from disaggregated to a non-disaggregated operation does NOT mitigate these vulnerabilities. Rather, it simply recategorises the vulnerability to hostile management code, regarding it "as designed"; thus it merely reclassifies these issues as "not a bug". Users and vendors of disaggregated systems should not change their configuration. The robustness benefits of disaggregation are unaffected, and (depending on system design) security benefits are likely to remain despite the vulnerabilities. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa127-unstable.patch xen-unstable xsa127-4.x.patch Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa127*.patch 5b98280738a205c40f56d0a7feb6ea6cd867da7ac1e0d9f4fc4620bae2c09171 xsa127.patch e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd xsa127-4.x.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGo5PAAoJEIP+FMlX6CvZMhoH/0zH/JpvOk+dTQHVBN5uYjDB hkW5+/K4NfqRpnxQmTNJ6F5j0gcjbPCusf1yjdwjsAkToX2Y3TmqQAulpzkpT1z2 vvnIl8nYvD92fL1C8U9EBAXj62QmxN/IoX8rSl+g8byhoSO4WmUkbqseOb6LlcV3 wq/H15ZFfE6FjDQQGaFasbYyDOgBQiWFEmrBo2Zx7Qkendv5lt0YV/6/j3m1R8Hm D9fEchB07zKO49YkKnRrucDSf/9JTJI8W8M4Hmm9ykXncdUVI7xTSa66/XDOegcL ArBl9aXvuN9jMETS/JJBkEwqvULTQMy+Ac4NxBJE2W0allkKZxCcHMq50oSq3t0= =qqy0 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa127.patch" Content-Disposition: attachment; filename="xsa127.patch" Content-Transfer-Encoding: base64 ZG9tY3RsOiBkb24ndCBhbGxvdyBhIHRvb2xzdGFjayBkb21haW4gdG8gY2Fs bCBkb21haW5fcGF1c2UoKSBvbiBpdHNlbGYKClRoZXNlIERPTUNUTCBzdWJv cHMgd2VyZSBhY2NpZGVudGFsbHkgZGVjbGFyZWQgc2FmZSBmb3IgZGlzYWdn cmVnYXRpb24KaW4gdGhlIHdha2Ugb2YgWFNBLTc3LgoKVGhpcyBpcyBYU0Et MTI3LgoKU2lnbmVkLW9mZi1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNv b3BlcjNAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVsaWNoIDxq YmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8aWFu LmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvZG9t Y3RsLmMKKysrIGIveGVuL2FyY2gveDg2L2RvbWN0bC5jCkBAIC04ODQsNiAr ODg0LDEwIEBAIGxvbmcgYXJjaF9kb19kb21jdGwoCiAgICAgewogICAgICAg ICB4ZW5fZ3Vlc3RfdHNjX2luZm9fdCBpbmZvOwogCisgICAgICAgIHJldCA9 IC1FSU5WQUw7CisgICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4g KSAvKiBubyBkb21haW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7 CisKICAgICAgICAgZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2NfZ2V0 X2luZm8oZCwgJmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAgICAgICAg ICAgICAmaW5mby5lbGFwc2VkX25zZWMsCkBAIC04OTksNiArOTAzLDEwIEBA IGxvbmcgYXJjaF9kb19kb21jdGwoCiAKICAgICBjYXNlIFhFTl9ET01DVExf c2V0dHNjaW5mbzoKICAgICB7CisgICAgICAgIHJldCA9IC1FSU5WQUw7Cisg ICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4gKSAvKiBubyBkb21h aW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAg ZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2Nfc2V0X2luZm8oZCwgZG9t Y3RsLT51LnRzY19pbmZvLmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAg ICAgICAgICBkb21jdGwtPnUudHNjX2luZm8uaW5mby5lbGFwc2VkX25zZWMs Ci0tLSBhL3hlbi9jb21tb24vZG9tY3RsLmMKKysrIGIveGVuL2NvbW1vbi9k b21jdGwuYwpAQCAtNTMxLDcgKzUzMSwxMCBAQCBsb25nIGRvX2RvbWN0bChY RU5fR1VFU1RfSEFORExFX1BBUkFNKHhlCiAgICAgICAgIGJyZWFrOwogCiAg ICAgY2FzZSBYRU5fRE9NQ1RMX3Jlc3VtZWRvbWFpbjoKLSAgICAgICAgZG9t YWluX3Jlc3VtZShkKTsKKyAgICAgICAgaWYgKCBkID09IGN1cnJlbnQtPmRv bWFpbiApIC8qIG5vIGRvbWFpbl9wYXVzZSgpICovCisgICAgICAgICAgICBy ZXQgPSAtRUlOVkFMOworICAgICAgICBlbHNlCisgICAgICAgICAgICBkb21h aW5fcmVzdW1lKGQpOwogICAgICAgICBicmVhazsKIAogICAgIGNhc2UgWEVO X0RPTUNUTF9jcmVhdGVkb21haW46Cg== --=separator Content-Type: application/octet-stream; name="xsa127-4.x.patch" Content-Disposition: attachment; filename="xsa127-4.x.patch" Content-Transfer-Encoding: base64 ZG9tY3RsOiBkb24ndCBhbGxvdyBhIHRvb2xzdGFjayBkb21haW4gdG8gY2Fs bCBkb21haW5fcGF1c2UoKSBvbiBpdHNlbGYKClRoZXNlIERPTUNUTCBzdWJv cHMgd2VyZSBhY2NpZGVudGFsbHkgZGVjbGFyZWQgc2FmZSBmb3IgZGlzYWdn cmVnYXRpb24KaW4gdGhlIHdha2Ugb2YgWFNBLTc3LgoKVGhpcyBpcyBYU0Et MTI3LgoKU2lnbmVkLW9mZi1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNv b3BlcjNAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVsaWNoIDxq YmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8aWFu LmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvZG9t Y3RsLmMKKysrIGIveGVuL2FyY2gveDg2L2RvbWN0bC5jCkBAIC04ODgsNiAr ODg4LDEwIEBAIGxvbmcgYXJjaF9kb19kb21jdGwoCiAgICAgewogICAgICAg ICB4ZW5fZ3Vlc3RfdHNjX2luZm9fdCBpbmZvOwogCisgICAgICAgIHJldCA9 IC1FSU5WQUw7CisgICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4g KSAvKiBubyBkb21haW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7 CisKICAgICAgICAgZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2NfZ2V0 X2luZm8oZCwgJmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAgICAgICAg ICAgICAmaW5mby5lbGFwc2VkX25zZWMsCkBAIC05MDMsNiArOTA3LDEwIEBA IGxvbmcgYXJjaF9kb19kb21jdGwoCiAKICAgICBjYXNlIFhFTl9ET01DVExf c2V0dHNjaW5mbzoKICAgICB7CisgICAgICAgIHJldCA9IC1FSU5WQUw7Cisg ICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4gKSAvKiBubyBkb21h aW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAg ZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2Nfc2V0X2luZm8oZCwgZG9t Y3RsLT51LnRzY19pbmZvLmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAg ICAgICAgICBkb21jdGwtPnUudHNjX2luZm8uaW5mby5lbGFwc2VkX25zZWMs Ci0tLSBhL3hlbi9jb21tb24vZG9tY3RsLmMKKysrIGIveGVuL2NvbW1vbi9k b21jdGwuYwpAQCAtNTIyLDggKzUyMiwxMCBAQCBsb25nIGRvX2RvbWN0bChY RU5fR1VFU1RfSEFORExFX1BBUkFNKHhlCiAKICAgICBjYXNlIFhFTl9ET01D VExfcmVzdW1lZG9tYWluOgogICAgIHsKLSAgICAgICAgZG9tYWluX3Jlc3Vt ZShkKTsKLSAgICAgICAgcmV0ID0gMDsKKyAgICAgICAgaWYgKCBkID09IGN1 cnJlbnQtPmRvbWFpbiApIC8qIG5vIGRvbWFpbl9wYXVzZSgpICovCisgICAg ICAgICAgICByZXQgPSAtRUlOVkFMOworICAgICAgICBlbHNlCisgICAgICAg ICAgICBkb21haW5fcmVzdW1lKGQpOwogICAgIH0KICAgICBicmVhazsKIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 31 12:11:10 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 12:11:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzc-0008RZ-RE; Tue, 31 Mar 2015 12:10:04 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzb-0008R7-9g; Tue, 31 Mar 2015 12:10:03 +0000 Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id 7B/4B-30545-A9E8A155; Tue, 31 Mar 2015 12:10:02 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-9.tower-206.messagelabs.com!1427803800!12875847!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 23725 invoked from network); 31 Mar 2015 12:10:00 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-9.tower-206.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 12:10:00 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcuzR-0006wt-3j; Tue, 31 Mar 2015 12:09:53 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YcuzQ-0005LQ-PR; Tue, 31 Mar 2015 12:09:52 +0000 Date: Tue, 31 Mar 2015 12:09:52 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 125 (CVE-2015-2752) - Long latency MMIO mapping operations are not preemptible X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2752 / XSA-125 version 3 Long latency MMIO mapping operations are not preemptible UPDATES IN VERSION 3 ==================== CVE assigned. Public release. ISSUE DESCRIPTION ================= The XEN_DOMCTL_memory_mapping hypercall allows long running operations without implementing preemption. This hypercall is used by the device model as part of the emulation associated with configuration of PCI devices passed through to HVM guests and is therefore indirectly exposed to those guests. This can cause a physical CPU to become busy for a significant period, leading to a host denial of service in some cases. If a host denial of service is not triggered then it may instead be possible to deny service to the domain running the device model, e.g. domain 0. This hypercall is also exposed more generally to all toolstacks. However the uses of it in libxl based toolstacks are not believed to open up any avenue of attack from an untrusted guest. Other toolstacks may be vulnerable however. IMPACT ====== The vulnerability is exposed via HVM guests which have a PCI device assigned to them. A malicious HVM guest in such a configuration can mount a denial of service attack affecting the whole system via its associated device model (qemu-dm). A guest is able to trigger this hypercall via operations which it is legitimately expected to perform, therefore running the device model as a stub domain does not offer protection against the host denial of service issue. However it does offer some protection against secondary issues such as denial of service against dom0. VULNERABLE SYSTEMS ================== The issue is exposed via x86 HVM VMs which have been assigned a PCI device. x86 PV domains, x86 HVM domains without passthrough devices and ARM domains do not expose this vulnerability. Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. MITIGATION ========== Running only PV guests will avoid this issue. This issue can be avoided by not assigning devices with large MMIO regions to untrusted HVM guests. CREDITS ======= This issue was discovered by Konrad Rzeszutek Wilk of Oracle. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa125.patch Xen 4.5.x, xen-unstable xsa125-4.4.patch Xen 4.4.x xsa125-4.3.patch Xen 4.3.x xsa125-4.2.patch Xen 4.2.x $ sha256sum xsa125*.patch be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de xsa125.patch 5f081407c2955787c6e40daa847f3c4131694dff3bb0bc0ee55495f555c7bb52 xsa125-4.2.patch 3b0641ef2a23f12872267940c408097cb353e57a6e0396a64cdf13592a14f65b xsa125-4.3.patch 2180e657b34d8628d4e0157adf2a36904bb6feaf55d53338e4457ef77d867a31 xsa125-4.4.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGo5JAAoJEIP+FMlX6CvZlEAIAMdSMKpxum+J9IbUFCqcHFa4 F8zQDkz2hMCY3OjTAq9+n6KR2LLyKDn2hGDP0Mspbo67lRBEjSkp7KEXCoDrA294 YsVuJn8y0T3yPH9du3m0f2vi49MrhnxnUZLNyKCpkxTiClrC/7JX3OZxQTQIGpzf EIsjYP+/w9ava5XYbGKorwlLvGpjRmnZpCDTrZlqKV2bK2O6pWzyvp5zD99FORcJ YVRIGebKu8szbSHZs9ectt4xkZwYrzSjj0+PtryvwLSpSYi0zTWIu9rrgd/ZCXfL tgD+i9zoc2E1ydPlvdKRXEdRHY9gGcaimfbTqYn1ttJ6qQcnbMoRQor4X+v92NU= =m83F -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa125.patch" Content-Disposition: attachment; filename="xsa125.patch" Content-Transfer-Encoding: base64 RnJvbSA5ODY3MGFjYzk4Y2FkNWFlZTBlMDcxNDY5NGE2NGQzYjk2Njc1YzM2 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBLb25yYWQgUnplc3p1 dGVrIFdpbGsgPGtvbnJhZC53aWxrQG9yYWNsZS5jb20+CkRhdGU6IFdlZCwg MTkgTm92IDIwMTQgMTI6NTc6MTEgLTA1MDAKU3ViamVjdDogW1BBVENIXSBM aW1pdCBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nIGh5cGVyY2FsbCB0byBv bmx5IHByb2Nlc3MgdXAKIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Ci0tLQpbdjUwOiBTaW1wbGlm eSBsb29wXQpbdjUxOiBJZiBtYXhfYmF0Y2hfc3ogMSAob3IgbGVzcykgd2Ug d291bGQgcmV0dXJuIHplcm8uIEZpeCB0aGF0XQpbdjUyOiBIYW5kbGUgbnJf bWZucyBiZWluZyB6ZXJvXQpbdjUzOiBGaXggdXAgcmV0dXJuIHZhbHVlXQot LS0KIHRvb2xzL2xpYnhjL3hjX2RvbWFpbi5jICAgICB8IDQ2ICsrKysrKysr KysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrLS0tLQogeGVuL2Nv bW1vbi9kb21jdGwuYyAgICAgICAgIHwgIDUgKysrKysKIHhlbi9pbmNsdWRl L3B1YmxpYy9kb21jdGwuaCB8ICAxICsKIDMgZmlsZXMgY2hhbmdlZCwgNDgg aW5zZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS90 b29scy9saWJ4Yy94Y19kb21haW4uYyBiL3Rvb2xzL2xpYnhjL3hjX2RvbWFp bi5jCmluZGV4IDg0NWQxZDcuLmJiYTc2NzIgMTAwNjQ0Ci0tLSBhL3Rvb2xz L2xpYnhjL3hjX2RvbWFpbi5jCisrKyBiL3Rvb2xzL2xpYnhjL3hjX2RvbWFp bi5jCkBAIC0xOTg4LDYgKzE5ODgsOCBAQCBpbnQgeGNfZG9tYWluX21lbW9y eV9tYXBwaW5nKAogewogICAgIERFQ0xBUkVfRE9NQ1RMOwogICAgIHhjX2Rv bWluZm9fdCBpbmZvOworICAgIGludCByZXQgPSAwLCBlcnI7CisgICAgdW5z aWduZWQgbG9uZyBkb25lID0gMCwgbnIsIG1heF9iYXRjaF9zejsKIAogICAg IGlmICggeGNfZG9tYWluX2dldGluZm8oeGNoLCBkb21pZCwgMSwgJmluZm8p ICE9IDEgfHwKICAgICAgICAgIGluZm8uZG9taWQgIT0gZG9taWQgKQpAQCAt MTk5OCwxNCArMjAwMCw1MCBAQCBpbnQgeGNfZG9tYWluX21lbW9yeV9tYXBw aW5nKAogICAgIGlmICggIXhjX2NvcmVfYXJjaF9hdXRvX3RyYW5zbGF0ZWRf cGh5c21hcCgmaW5mbykgKQogICAgICAgICByZXR1cm4gMDsKIAorICAgIGlm ICggIW5yX21mbnMgKQorICAgICAgICByZXR1cm4gMDsKKwogICAgIGRvbWN0 bC5jbWQgPSBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nOwogICAgIGRvbWN0 bC5kb21haW4gPSBkb21pZDsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGlu Zy5maXJzdF9nZm4gPSBmaXJzdF9nZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5 X21hcHBpbmcuZmlyc3RfbWZuID0gZmlyc3RfbWZuOwotICAgIGRvbWN0bC51 Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMgPSBucl9tZm5zOwogICAgIGRvbWN0 bC51Lm1lbW9yeV9tYXBwaW5nLmFkZF9tYXBwaW5nID0gYWRkX21hcHBpbmc7 CisgICAgbWF4X2JhdGNoX3N6ID0gbnJfbWZuczsKKyAgICBkbworICAgIHsK KyAgICAgICAgbnIgPSBtaW4obnJfbWZucyAtIGRvbmUsIG1heF9iYXRjaF9z eik7CisgICAgICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMg PSBucjsKKyAgICAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmlyc3Rf Z2ZuID0gZmlyc3RfZ2ZuICsgZG9uZTsKKyAgICAgICAgZG9tY3RsLnUubWVt b3J5X21hcHBpbmcuZmlyc3RfbWZuID0gZmlyc3RfbWZuICsgZG9uZTsKKyAg ICAgICAgZXJyID0gZG9fZG9tY3RsKHhjaCwgJmRvbWN0bCk7CisgICAgICAg IGlmICggZXJyICYmIGVycm5vID09IEUyQklHICkKKyAgICAgICAgeworICAg ICAgICAgICAgaWYgKCBtYXhfYmF0Y2hfc3ogPD0gMSApCisgICAgICAgICAg ICAgICAgYnJlYWs7CisgICAgICAgICAgICBtYXhfYmF0Y2hfc3ogPj49IDE7 CisgICAgICAgICAgICBjb250aW51ZTsKKyAgICAgICAgfQorICAgICAgICAv KiBTYXZlIHRoZSBmaXJzdCBlcnJvci4uLiAqLworICAgICAgICBpZiAoICFy ZXQgKQorICAgICAgICAgICAgcmV0ID0gZXJyOworICAgICAgICAvKiAuLiBh bmQgaWdub3JlIHRoZSByZXN0IG9mIHRoZW0gd2hlbiByZW1vdmluZy4gKi8K KyAgICAgICAgaWYgKCBlcnIgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1P VkVfTUFQUElORyApCisgICAgICAgICAgICBicmVhazsKIAotICAgIHJldHVy biBkb19kb21jdGwoeGNoLCAmZG9tY3RsKTsKKyAgICAgICAgZG9uZSArPSBu cjsKKyAgICB9IHdoaWxlICggZG9uZSA8IG5yX21mbnMgKTsKKworICAgIC8q CisgICAgICogVW5kbyB3aGF0IHdlIGhhdmUgZG9uZSB1bmxlc3MgdW5tYXBw aW5nLCBieSB1bm1hcHBpbmcgdGhlIGVudGlyZSByZWdpb24uCisgICAgICog RXJyb3JzIGhlcmUgYXJlIGlnbm9yZWQuCisgICAgICovCisgICAgaWYgKCBy ZXQgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyApCisg ICAgICAgIHhjX2RvbWFpbl9tZW1vcnlfbWFwcGluZyh4Y2gsIGRvbWlkLCBm aXJzdF9nZm4sIGZpcnN0X21mbiwgbnJfbWZucywKKyAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIERQQ0lfUkVNT1ZFX01BUFBJTkcpOworCisg ICAgLyogV2UgbWlnaHQgZ2V0IEUyQklHIHNvIG1hbnkgdGltZXMgdGhhdCB3 ZSBuZXZlciBhZHZhbmNlLiAqLworICAgIGlmICggIWRvbmUgJiYgIXJldCAp CisgICAgICAgIHJldCA9IC0xOworCisgICAgcmV0dXJuIHJldDsKIH0KIAog aW50IHhjX2RvbWFpbl9pb3BvcnRfbWFwcGluZygKZGlmZiAtLWdpdCBhL3hl bi9jb21tb24vZG9tY3RsLmMgYi94ZW4vY29tbW9uL2RvbWN0bC5jCmluZGV4 IGQzOTZjYzQuLmMyZTYwYTcgMTAwNjQ0Ci0tLSBhL3hlbi9jb21tb24vZG9t Y3RsLmMKKysrIGIveGVuL2NvbW1vbi9kb21jdGwuYwpAQCAtMTAyNyw2ICsx MDI3LDExIEBAIGxvbmcgZG9fZG9tY3RsKFhFTl9HVUVTVF9IQU5ETEVfUEFS QU0oeGVuX2RvbWN0bF90KSB1X2RvbWN0bCkKICAgICAgICAgICAgICAoZ2Zu ICsgbnJfbWZucyAtIDEpIDwgZ2ZuICkgLyogd3JhcD8gKi8KICAgICAgICAg ICAgIGJyZWFrOwogCisgICAgICAgIHJldCA9IC1FMkJJRzsKKyAgICAgICAg LyogTXVzdCBicmVhayBoeXBlcmNhbGwgdXAgYXMgdGhpcyBjb3VsZCB0YWtl IGEgd2hpbGUuICovCisgICAgICAgIGlmICggbnJfbWZucyA+IDY0ICkKKyAg ICAgICAgICAgIGJyZWFrOworCiAgICAgICAgIHJldCA9IC1FUEVSTTsKICAg ICAgICAgaWYgKCAhaW9tZW1fYWNjZXNzX3Blcm1pdHRlZChjdXJyZW50LT5k b21haW4sIG1mbiwgbWZuX2VuZCkgfHwKICAgICAgICAgICAgICAhaW9tZW1f YWNjZXNzX3Blcm1pdHRlZChkLCBtZm4sIG1mbl9lbmQpICkKZGlmZiAtLWdp dCBhL3hlbi9pbmNsdWRlL3B1YmxpYy9kb21jdGwuaCBiL3hlbi9pbmNsdWRl L3B1YmxpYy9kb21jdGwuaAppbmRleCBjYTBlNTFlLi4wYzlmNDc0IDEwMDY0 NAotLS0gYS94ZW4vaW5jbHVkZS9wdWJsaWMvZG9tY3RsLmgKKysrIGIveGVu L2luY2x1ZGUvcHVibGljL2RvbWN0bC5oCkBAIC01NDMsNiArNTQzLDcgQEAg REVGSU5FX1hFTl9HVUVTVF9IQU5ETEUoeGVuX2RvbWN0bF9iaW5kX3B0X2ly cV90KTsKIAogCiAvKiBCaW5kIG1hY2hpbmUgSS9PIGFkZHJlc3MgcmFuZ2Ug LT4gSFZNIGFkZHJlc3MgcmFuZ2UuICovCisvKiBJZiB0aGlzIHJldHVybnMg LUUyQklHIGxvd2VyIG5yX21mbnMgdmFsdWUuICovCiAvKiBYRU5fRE9NQ1RM X21lbW9yeV9tYXBwaW5nICovCiAjZGVmaW5lIERQQ0lfQUREX01BUFBJTkcg ICAgICAgICAxCiAjZGVmaW5lIERQQ0lfUkVNT1ZFX01BUFBJTkcgICAgICAw Ci0tIAoyLjEuMAoK --=separator Content-Type: application/octet-stream; name="xsa125-4.2.patch" Content-Disposition: attachment; filename="xsa125-4.2.patch" Content-Transfer-Encoding: base64 TGltaXQgWEVOX0RPTUNUTF9tZW1vcnlfbWFwcGluZyBoeXBlcmNhbGwgdG8g b25seSBwcm9jZXNzIHVwIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEvdG9v bHMvbGlieGMveGNfZG9tYWluLmMgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwppbmRleCBkOThlNjhiLi42MGY3MTM3IDEwMDY0NAotLS0gYS90b29scy9s aWJ4Yy94Y19kb21haW4uYworKysgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwpAQCAtMTM1Miw2ICsxMzUyLDEzIEBAIGludCB4Y19kb21haW5fYmluZF9w dF9pc2FfaXJxKAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IFBUX0lSUV9UWVBFX0lTQSwgMCwgMCwgMCwgbWFjaGluZV9pcnEpKTsKIH0K IAorI2lmbmRlZiBtaW4KKyNkZWZpbmUgbWluKFgsIFkpICh7ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBcCisgICAgICAgICAgICBjb25zdCB0eXBl b2YgKFgpIF94ID0gKFgpOyAgICAgICAgICAgXAorICAgICAgICAgICAgY29u c3QgdHlwZW9mIChZKSBfeSA9IChZKTsgICAgICAgICAgIFwKKyAgICAgICAg ICAgICh2b2lkKSAoJl94ID09ICZfeSk7ICAgICAgICAgICAgICAgICBcCisg ICAgICAgICAgICAoX3ggPCBfeSkgPyBfeCA6IF95OyB9KQorI2VuZGlmCiBp bnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHhjX2ludGVyZmFj ZSAqeGNoLAogICAgIHVpbnQzMl90IGRvbWlkLApAQCAtMTM2MSwxNyArMTM2 OCw1NSBAQCBpbnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHVp bnQzMl90IGFkZF9tYXBwaW5nKQogewogICAgIERFQ0xBUkVfRE9NQ1RMOwor ICAgIGludCByZXQgPSAwLCBlcnI7CisgICAgdW5zaWduZWQgbG9uZyBkb25l ID0gMCwgbnIsIG1heF9iYXRjaF9zejsKKworICAgIGlmICggIW5yX21mbnMg KQorICAgICAgICByZXR1cm4gMDsKIAogICAgIGRvbWN0bC5jbWQgPSBYRU5f RE9NQ1RMX21lbW9yeV9tYXBwaW5nOwogICAgIGRvbWN0bC5kb21haW4gPSBk b21pZDsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9nZm4g PSBmaXJzdF9nZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmly c3RfbWZuID0gZmlyc3RfbWZuOwotICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBw aW5nLm5yX21mbnMgPSBucl9tZm5zOwogICAgIGRvbWN0bC51Lm1lbW9yeV9t YXBwaW5nLmFkZF9tYXBwaW5nID0gYWRkX21hcHBpbmc7CisgICAgbWF4X2Jh dGNoX3N6ID0gbnJfbWZuczsKKyAgICBkbworICAgIHsKKyAgICAgICAgbnIg PSBtaW4obnJfbWZucyAtIGRvbmUsIG1heF9iYXRjaF9zeik7CisgICAgICAg IGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMgPSBucjsKKyAgICAg ICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmlyc3RfZ2ZuID0gZmlyc3Rf Z2ZuICsgZG9uZTsKKyAgICAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcu Zmlyc3RfbWZuID0gZmlyc3RfbWZuICsgZG9uZTsKKyAgICAgICAgZXJyID0g ZG9fZG9tY3RsKHhjaCwgJmRvbWN0bCk7CisgICAgICAgIGlmICggZXJyICYm IGVycm5vID09IEUyQklHICkKKyAgICAgICAgeworICAgICAgICAgICAgaWYg KCBtYXhfYmF0Y2hfc3ogPD0gMSApCisgICAgICAgICAgICAgICAgYnJlYWs7 CisgICAgICAgICAgICBtYXhfYmF0Y2hfc3ogPj49IDE7CisgICAgICAgICAg ICBjb250aW51ZTsKKyAgICAgICAgfQorICAgICAgICAvKiBTYXZlIHRoZSBm aXJzdCBlcnJvci4uLiAqLworICAgICAgICBpZiAoICFyZXQgKQorICAgICAg ICAgICAgcmV0ID0gZXJyOworICAgICAgICAvKiAuLiBhbmQgaWdub3JlIHRo ZSByZXN0IG9mIHRoZW0gd2hlbiByZW1vdmluZy4gKi8KKyAgICAgICAgaWYg KCBlcnIgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyAp CisgICAgICAgICAgICBicmVhazsKIAotICAgIHJldHVybiBkb19kb21jdGwo eGNoLCAmZG9tY3RsKTsKLX0KKyAgICAgICAgZG9uZSArPSBucjsKKyAgICB9 IHdoaWxlICggZG9uZSA8IG5yX21mbnMgKTsKIAorICAgIC8qCisgICAgICog VW5kbyB3aGF0IHdlIGhhdmUgZG9uZSB1bmxlc3MgdW5tYXBwaW5nLCBieSB1 bm1hcHBpbmcgdGhlIGVudGlyZSByZWdpb24uCisgICAgICogRXJyb3JzIGhl cmUgYXJlIGlnbm9yZWQuCisgICAgICovCisgICAgaWYgKCByZXQgJiYgYWRk X21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyApCisgICAgICAgIHhj X2RvbWFpbl9tZW1vcnlfbWFwcGluZyh4Y2gsIGRvbWlkLCBmaXJzdF9nZm4s IGZpcnN0X21mbiwgbnJfbWZucywKKyAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIERQQ0lfUkVNT1ZFX01BUFBJTkcpOworCisgICAgLyogV2Ug bWlnaHQgZ2V0IEUyQklHIHNvIG1hbnkgdGltZXMgdGhhdCB3ZSBuZXZlciBh ZHZhbmNlLiAqLworICAgIGlmICggIWRvbmUgJiYgIXJldCApCisgICAgICAg IHJldCA9IC0xOworCisgICAgcmV0dXJuIHJldDsKK30KKyN1bmRlZiBtaW4K IGludCB4Y19kb21haW5faW9wb3J0X21hcHBpbmcoCiAgICAgeGNfaW50ZXJm YWNlICp4Y2gsCiAgICAgdWludDMyX3QgZG9taWQsCmRpZmYgLS1naXQgYS94 ZW4vYXJjaC94ODYvZG9tY3RsLmMgYi94ZW4vYXJjaC94ODYvZG9tY3RsLmMK aW5kZXggOGJmOGYwOS4uYzlhOTdjOSAxMDA2NDQKLS0tIGEveGVuL2FyY2gv eDg2L2RvbWN0bC5jCisrKyBiL3hlbi9hcmNoL3g4Ni9kb21jdGwuYwpAQCAt ODY3LDYgKzg2NywxMSBAQCBsb25nIGFyY2hfZG9fZG9tY3RsKAogICAgICAg ICAgICAgIChnZm4gKyBucl9tZm5zIC0gMSkgPCBnZm4gKSAvKiB3cmFwPyAq LwogICAgICAgICAgICAgYnJlYWs7CiAKKyAgICAgICAgcmV0ID0gLUUyQklH OworICAgICAgICAvKiBNdXN0IGJyZWFrIGh5cGVyY2FsbCB1cCBhcyB0aGlz IGNvdWxkIHRha2UgYSB3aGlsZS4gKi8KKyAgICAgICAgaWYgKCBucl9tZm5z ID4gNjQgKQorICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAgcmV0ID0g LUVQRVJNOwogICAgICAgICBpZiAoICFJU19QUklWKGN1cnJlbnQtPmRvbWFp bikgJiYKICAgICAgICAgICAgICAhaW9tZW1fYWNjZXNzX3Blcm1pdHRlZChj dXJyZW50LT5kb21haW4sIG1mbiwgbWZuICsgbnJfbWZucyAtIDEpICkKZGlm ZiAtLWdpdCBhL3hlbi9pbmNsdWRlL3B1YmxpYy9kb21jdGwuaCBiL3hlbi9p bmNsdWRlL3B1YmxpYy9kb21jdGwuaAppbmRleCAyNDBjZWI5Li5iNDU5MTFl IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9wdWJsaWMvZG9tY3RsLmgKKysr IGIveGVuL2luY2x1ZGUvcHVibGljL2RvbWN0bC5oCkBAIC01MDcsNiArNTA3 LDcgQEAgREVGSU5FX1hFTl9HVUVTVF9IQU5ETEUoeGVuX2RvbWN0bF9iaW5k X3B0X2lycV90KTsKIAogCiAvKiBCaW5kIG1hY2hpbmUgSS9PIGFkZHJlc3Mg cmFuZ2UgLT4gSFZNIGFkZHJlc3MgcmFuZ2UuICovCisvKiBJZiB0aGlzIHJl dHVybnMgLUUyQklHIGxvd2VyIG5yX21mbnMgdmFsdWUuICovCiAvKiBYRU5f RE9NQ1RMX21lbW9yeV9tYXBwaW5nICovCiAjZGVmaW5lIERQQ0lfQUREX01B UFBJTkcgICAgICAgICAxCiAjZGVmaW5lIERQQ0lfUkVNT1ZFX01BUFBJTkcg ICAgICAwCg== --=separator Content-Type: application/octet-stream; name="xsa125-4.3.patch" Content-Disposition: attachment; filename="xsa125-4.3.patch" Content-Transfer-Encoding: base64 TGltaXQgWEVOX0RPTUNUTF9tZW1vcnlfbWFwcGluZyBoeXBlcmNhbGwgdG8g b25seSBwcm9jZXNzIHVwIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEvdG9v bHMvbGlieGMveGNfZG9tYWluLmMgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwppbmRleCAzMjU3ZTJhLi43Mzg2ZTU4IDEwMDY0NAotLS0gYS90b29scy9s aWJ4Yy94Y19kb21haW4uYworKysgYi90b29scy9saWJ4Yy94Y19kb21haW4u YwpAQCAtMTQ2Nyw2ICsxNDY3LDEzIEBAIGludCB4Y19kb21haW5fYmluZF9w dF9pc2FfaXJxKAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IFBUX0lSUV9UWVBFX0lTQSwgMCwgMCwgMCwgbWFjaGluZV9pcnEpKTsKIH0K IAorI2lmbmRlZiBtaW4KKyNkZWZpbmUgbWluKFgsIFkpICh7ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBcCisgICAgICAgICAgICBjb25zdCB0eXBl b2YgKFgpIF94ID0gKFgpOyAgICAgICAgICAgXAorICAgICAgICAgICAgY29u c3QgdHlwZW9mIChZKSBfeSA9IChZKTsgICAgICAgICAgIFwKKyAgICAgICAg ICAgICh2b2lkKSAoJl94ID09ICZfeSk7ICAgICAgICAgICAgICAgICBcCisg ICAgICAgICAgICAoX3ggPCBfeSkgPyBfeCA6IF95OyB9KQorI2VuZGlmCiBp bnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHhjX2ludGVyZmFj ZSAqeGNoLAogICAgIHVpbnQzMl90IGRvbWlkLApAQCAtMTQ3NiwxNyArMTQ4 Myw1NSBAQCBpbnQgeGNfZG9tYWluX21lbW9yeV9tYXBwaW5nKAogICAgIHVp bnQzMl90IGFkZF9tYXBwaW5nKQogewogICAgIERFQ0xBUkVfRE9NQ1RMOwor ICAgIGludCByZXQgPSAwLCBlcnI7CisgICAgdW5zaWduZWQgbG9uZyBkb25l ID0gMCwgbnIsIG1heF9iYXRjaF9zejsKKworICAgIGlmICggIW5yX21mbnMg KQorICAgICAgICByZXR1cm4gMDsKIAogICAgIGRvbWN0bC5jbWQgPSBYRU5f RE9NQ1RMX21lbW9yeV9tYXBwaW5nOwogICAgIGRvbWN0bC5kb21haW4gPSBk b21pZDsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9nZm4g PSBmaXJzdF9nZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmly c3RfbWZuID0gZmlyc3RfbWZuOwotICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBw aW5nLm5yX21mbnMgPSBucl9tZm5zOwogICAgIGRvbWN0bC51Lm1lbW9yeV9t YXBwaW5nLmFkZF9tYXBwaW5nID0gYWRkX21hcHBpbmc7CisgICAgbWF4X2Jh dGNoX3N6ID0gbnJfbWZuczsKKyAgICBkbworICAgIHsKKyAgICAgICAgbnIg PSBtaW4obnJfbWZucyAtIGRvbmUsIG1heF9iYXRjaF9zeik7CisgICAgICAg IGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLm5yX21mbnMgPSBucjsKKyAgICAg ICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcuZmlyc3RfZ2ZuID0gZmlyc3Rf Z2ZuICsgZG9uZTsKKyAgICAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcu Zmlyc3RfbWZuID0gZmlyc3RfbWZuICsgZG9uZTsKKyAgICAgICAgZXJyID0g ZG9fZG9tY3RsKHhjaCwgJmRvbWN0bCk7CisgICAgICAgIGlmICggZXJyICYm IGVycm5vID09IEUyQklHICkKKyAgICAgICAgeworICAgICAgICAgICAgaWYg KCBtYXhfYmF0Y2hfc3ogPD0gMSApCisgICAgICAgICAgICAgICAgYnJlYWs7 CisgICAgICAgICAgICBtYXhfYmF0Y2hfc3ogPj49IDE7CisgICAgICAgICAg ICBjb250aW51ZTsKKyAgICAgICAgfQorICAgICAgICAvKiBTYXZlIHRoZSBm aXJzdCBlcnJvci4uLiAqLworICAgICAgICBpZiAoICFyZXQgKQorICAgICAg ICAgICAgcmV0ID0gZXJyOworICAgICAgICAvKiAuLiBhbmQgaWdub3JlIHRo ZSByZXN0IG9mIHRoZW0gd2hlbiByZW1vdmluZy4gKi8KKyAgICAgICAgaWYg KCBlcnIgJiYgYWRkX21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyAp CisgICAgICAgICAgICBicmVhazsKIAotICAgIHJldHVybiBkb19kb21jdGwo eGNoLCAmZG9tY3RsKTsKLX0KKyAgICAgICAgZG9uZSArPSBucjsKKyAgICB9 IHdoaWxlICggZG9uZSA8IG5yX21mbnMgKTsKIAorICAgIC8qCisgICAgICog VW5kbyB3aGF0IHdlIGhhdmUgZG9uZSB1bmxlc3MgdW5tYXBwaW5nLCBieSB1 bm1hcHBpbmcgdGhlIGVudGlyZSByZWdpb24uCisgICAgICogRXJyb3JzIGhl cmUgYXJlIGlnbm9yZWQuCisgICAgICovCisgICAgaWYgKCByZXQgJiYgYWRk X21hcHBpbmcgIT0gRFBDSV9SRU1PVkVfTUFQUElORyApCisgICAgICAgIHhj X2RvbWFpbl9tZW1vcnlfbWFwcGluZyh4Y2gsIGRvbWlkLCBmaXJzdF9nZm4s IGZpcnN0X21mbiwgbnJfbWZucywKKyAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIERQQ0lfUkVNT1ZFX01BUFBJTkcpOworCisgICAgLyogV2Ug bWlnaHQgZ2V0IEUyQklHIHNvIG1hbnkgdGltZXMgdGhhdCB3ZSBuZXZlciBh ZHZhbmNlLiAqLworICAgIGlmICggIWRvbmUgJiYgIXJldCApCisgICAgICAg IHJldCA9IC0xOworCisgICAgcmV0dXJuIHJldDsKK30KKyN1bmRlZiBtaW4K IGludCB4Y19kb21haW5faW9wb3J0X21hcHBpbmcoCiAgICAgeGNfaW50ZXJm YWNlICp4Y2gsCiAgICAgdWludDMyX3QgZG9taWQsCmRpZmYgLS1naXQgYS94 ZW4vYXJjaC94ODYvZG9tY3RsLmMgYi94ZW4vYXJjaC94ODYvZG9tY3RsLmMK aW5kZXggMTczYmYwMS4uMzA2Mjk3YSAxMDA2NDQKLS0tIGEveGVuL2FyY2gv eDg2L2RvbWN0bC5jCisrKyBiL3hlbi9hcmNoL3g4Ni9kb21jdGwuYwpAQCAt NjU1LDYgKzY1NSwxMSBAQCBsb25nIGFyY2hfZG9fZG9tY3RsKAogICAgICAg ICAgICAgIChnZm4gKyBucl9tZm5zIC0gMSkgPCBnZm4gKSAvKiB3cmFwPyAq LwogICAgICAgICAgICAgYnJlYWs7CiAKKyAgICAgICAgcmV0ID0gLUUyQklH OworICAgICAgICAvKiBNdXN0IGJyZWFrIGh5cGVyY2FsbCB1cCBhcyB0aGlz IGNvdWxkIHRha2UgYSB3aGlsZS4gKi8KKyAgICAgICAgaWYgKCBucl9tZm5z ID4gNjQgKQorICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAgcmV0ID0g LUVQRVJNOwogICAgICAgICBpZiAoICFpb21lbV9hY2Nlc3NfcGVybWl0dGVk KGN1cnJlbnQtPmRvbWFpbiwgbWZuLCBtZm4gKyBucl9tZm5zIC0gMSkgKQog ICAgICAgICAgICAgYnJlYWs7CmRpZmYgLS1naXQgYS94ZW4vaW5jbHVkZS9w dWJsaWMvZG9tY3RsLmggYi94ZW4vaW5jbHVkZS9wdWJsaWMvZG9tY3RsLmgK aW5kZXggZDM4MTkwMy4uOGY5ZDVjMCAxMDA2NDQKLS0tIGEveGVuL2luY2x1 ZGUvcHVibGljL2RvbWN0bC5oCisrKyBiL3hlbi9pbmNsdWRlL3B1YmxpYy9k b21jdGwuaApAQCAtNTEzLDYgKzUxMyw3IEBAIERFRklORV9YRU5fR1VFU1Rf SEFORExFKHhlbl9kb21jdGxfYmluZF9wdF9pcnFfdCk7CiAKIAogLyogQmlu ZCBtYWNoaW5lIEkvTyBhZGRyZXNzIHJhbmdlIC0+IEhWTSBhZGRyZXNzIHJh bmdlLiAqLworLyogSWYgdGhpcyByZXR1cm5zIC1FMkJJRyBsb3dlciBucl9t Zm5zIHZhbHVlLiAqLwogLyogWEVOX0RPTUNUTF9tZW1vcnlfbWFwcGluZyAq LwogI2RlZmluZSBEUENJX0FERF9NQVBQSU5HICAgICAgICAgMQogI2RlZmlu ZSBEUENJX1JFTU9WRV9NQVBQSU5HICAgICAgMAo= --=separator Content-Type: application/octet-stream; name="xsa125-4.4.patch" Content-Disposition: attachment; filename="xsa125-4.4.patch" Content-Transfer-Encoding: base64 RnJvbSBkZjI5MjJjZTY3MmNjMzU1MDBlMmYzYmEwNDE0NDEwMjFmNDRiNDFj IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBLb25yYWQgUnplc3p1 dGVrIFdpbGsgPGtvbnJhZC53aWxrQG9yYWNsZS5jb20+CkRhdGU6IFdlZCwg MTkgTm92IDIwMTQgMTI6NTc6MTEgLTA1MDAKU3ViamVjdDogW1BBVENIXSBM aW1pdCBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nIGh5cGVyY2FsbCB0byBv bmx5IHByb2Nlc3MgdXAKIHRvIDY0IEdGTnMgKG9yIGxlc3MpCgpTYWlkIGh5 cGVyY2FsbCBmb3IgbGFyZ2UgQkFScyBjYW4gdGFrZSBxdWl0ZSBhIHdoaWxl LiBBcyBzdWNoCndlIGNhbiByZXF1aXJlIHRoYXQgdGhlIGh5cGVyY2FsbCBN VVNUIGJyZWFrIHVwIHRoZSByZXF1ZXN0CmluIHNtYWxsZXIgdmFsdWVzLgoK QW5vdGhlciBhcHByb2FjaCBpcyB0byBhZGQgcHJlZW1wdGlvbiB0byBpdCAt IHdoZXRoZXIgd2UgZG8gdGhlCnByZWVtcHRpb24gdXNpbmcgaHlwZXJjYWxs X2NyZWF0ZV9jb250aW51YXRpb24gb3IgcmV0dXJuaW5nCkVBR0FJTiB0byB1 c2Vyc3BhY2UgKGFuZCBoYXZlIGl0IHJlLWludm9jYXRlIHRoZSBjYWxsKSAt IGVpdGhlcgp3YXkgdGhlIGlzc3VlIHdlIGNhbm5vdCBlYXNpbHkgc29sdmUg aXMgdGhhdCBpbiAnbWFwX21taW9fcmVnaW9ucycKaWYgd2UgZW5jb3VudGVy IGFuIGVycm9yIHdlIE1VU1QgY2FsbCAndW5tYXBfbW1pb19yZWdpb25zJyBm b3IgdGhlCndob2xlIEJBUiByZWdpb24uCgpTaW5jZSB0aGUgcHJlZW1wdGlv biB3b3VsZCByZS11c2UgaW5wdXQgZmllbGRzIHN1Y2ggYXMgbnJfbWZucywK Zmlyc3RfZ2ZuLCBmaXJzdF9tZm4gLSB3ZSB3b3VsZCBsb3NlIHRoZSBvcmln aW5hbCB2YWx1ZXMgLQphbmQgb25seSB1bmRvIHdoYXQgd2FzIGRvbmUgaW4g dGhlIGN1cnJlbnQgcm91bmQgKGkuZS4gaWdub3JpbmcKYW55dGhpbmcgdGhh dCB3YXMgZG9uZSBwcmlvciB0byBlYXJsaWVyIHByZWVtcHRpb25zKS4KClVu bGVzcyB3ZSByZS11c2VkIHRoZSByZXR1cm4gdmFsdWUgYXMgJ0VBR0FJTnxu cl9tZm5zX2RvbmU8PDEwJyBidXQKdGhhdCBwdXRzIGEgbGltaXQgKHNpbmNl IHRoZSByZXR1cm4gdmFsdWUgaXMgYSBsb25nKSBvbiB0aGUgYW1vdW50Cm9m IG5yX21mbnMgdGhhdCBjYW4gcHJvdmlkZWQuCgpUaGlzIHBhdGNoIHNpZGVz dGVwcyB0aGlzIHByb2JsZW0gYnk6CiAtIFNldHRpbmcgYW4gaGFyZCBsaW1p dCBvZiBucl9tZm5zIGhhdmluZyB0byBiZSA2NCBvciBsZXNzLgogLSBUb29s c3RhY2sgYWRqdXN0cyBjb3JyZXNwb25kaW5nbHkgdG8gdGhlIG5yX21mbiBs aW1pdC4KIC0gSWYgdGhlIHRoZXJlIGlzIGFuIGVycm9yIHdoZW4gYWRkaW5n IHRoZSB0b29sc3RhY2sgd2lsbCBjYWxsIHRoZQogICByZW1vdmUgb3BlcmF0 aW9uIHRvIHJlbW92ZSB0aGUgd2hvbGUgcmVnaW9uLgoKVGhlIG5lZWQgdG8g YnJlYWsgdGhpcyBoeXBlcmNhbGwgZG93biBpcyBmb3IgbGFyZ2UgQkFScyBj YW4gdGFrZQptb3JlIHRoYW4gdGhlIGd1ZXN0IChpbml0aWFsIGRvbWFpbiB1 c3VhbGx5KSB0aW1lLXNsaWNlLiBUaGlzIGhhcwp0aGUgbmVnYXRpdmUgcmVz dWx0IGluIHRoYXQgdGhlIGd1ZXN0IGlzIGxvY2tlZCBvdXQgZm9yIGEgbG9u ZwpkdXJhdGlvbiBhbmQgaXMgdW5hYmxlIHRvIGFjdCBvbiBhbnkgcGVuZGlu ZyBldmVudHMuCgpXZSBhbHNvIGF1Z21lbnQgdGhlIGNvZGUgdG8gcmV0dXJu IHplcm8gaWYgbnJfbWZucyBpbnN0ZWFkCm9mIHRyeWluZyB0byB0aGUgaHlw ZXJjYWxsLgoKU3VnZ2VzdGVkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+CkFja2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3Vz ZS5jb20+ClNpZ25lZC1vZmYtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8 a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVs bCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Ci0tLQogdG9vbHMvbGlieGMv eGNfZG9tYWluLmMgICAgIHwgNTUgKysrKysrKysrKysrKysrKysrKysrKysr KysrKysrKysrKysrKysrKy0tLS0tCiB4ZW4vYXJjaC94ODYvZG9tY3RsLmMg ICAgICAgfCAgNSArKysrKwogeGVuL2luY2x1ZGUvcHVibGljL2RvbWN0bC5o IHwgIDEgKwogMyBmaWxlcyBjaGFuZ2VkLCA1NiBpbnNlcnRpb25zKCspLCA1 IGRlbGV0aW9ucygtKQoKZGlmZiAtLWdpdCBhL3Rvb2xzL2xpYnhjL3hjX2Rv bWFpbi5jIGIvdG9vbHMvbGlieGMveGNfZG9tYWluLmMKaW5kZXggMzY5YzNm My4uNDBjYTc3MSAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGMveGNfZG9tYWlu LmMKKysrIGIvdG9vbHMvbGlieGMveGNfZG9tYWluLmMKQEAgLTE2NDEsNiAr MTY0MSwxMyBAQCBmYWlsZWQ6CiAgICAgcmV0dXJuIC0xOwogfQogCisjaWZu ZGVmIG1pbgorI2RlZmluZSBtaW4oWCwgWSkgKHsgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIFwKKyAgICAgICAgICAgIGNvbnN0IHR5cGVvZiAoWCkg X3ggPSAoWCk7ICAgICAgICAgICBcCisgICAgICAgICAgICBjb25zdCB0eXBl b2YgKFkpIF95ID0gKFkpOyAgICAgICAgICAgXAorICAgICAgICAgICAgKHZv aWQpICgmX3ggPT0gJl95KTsgICAgICAgICAgICAgICAgIFwKKyAgICAgICAg ICAgIChfeCA8IF95KSA/IF94IDogX3k7IH0pCisjZW5kaWYKIGludCB4Y19k b21haW5fbWVtb3J5X21hcHBpbmcoCiAgICAgeGNfaW50ZXJmYWNlICp4Y2gs CiAgICAgdWludDMyX3QgZG9taWQsCkBAIC0xNjUwLDE3ICsxNjU3LDU1IEBA IGludCB4Y19kb21haW5fbWVtb3J5X21hcHBpbmcoCiAgICAgdWludDMyX3Qg YWRkX21hcHBpbmcpCiB7CiAgICAgREVDTEFSRV9ET01DVEw7CisgICAgaW50 IHJldCA9IDAsIGVycjsKKyAgICB1bnNpZ25lZCBsb25nIGRvbmUgPSAwLCBu ciwgbWF4X2JhdGNoX3N6OworCisgICAgaWYgKCAhbnJfbWZucyApCisgICAg ICAgIHJldHVybiAwOwogCiAgICAgZG9tY3RsLmNtZCA9IFhFTl9ET01DVExf bWVtb3J5X21hcHBpbmc7CiAgICAgZG9tY3RsLmRvbWFpbiA9IGRvbWlkOwot ICAgIGRvbWN0bC51Lm1lbW9yeV9tYXBwaW5nLmZpcnN0X2dmbiA9IGZpcnN0 X2dmbjsKLSAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9tZm4g PSBmaXJzdF9tZm47Ci0gICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcubnJf bWZucyA9IG5yX21mbnM7CiAgICAgZG9tY3RsLnUubWVtb3J5X21hcHBpbmcu YWRkX21hcHBpbmcgPSBhZGRfbWFwcGluZzsKKyAgICBtYXhfYmF0Y2hfc3og PSBucl9tZm5zOworICAgIGRvCisgICAgeworICAgICAgICBuciA9IG1pbihu cl9tZm5zIC0gZG9uZSwgbWF4X2JhdGNoX3N6KTsKKyAgICAgICAgZG9tY3Rs LnUubWVtb3J5X21hcHBpbmcubnJfbWZucyA9IG5yOworICAgICAgICBkb21j dGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9nZm4gPSBmaXJzdF9nZm4gKyBk b25lOworICAgICAgICBkb21jdGwudS5tZW1vcnlfbWFwcGluZy5maXJzdF9t Zm4gPSBmaXJzdF9tZm4gKyBkb25lOworICAgICAgICBlcnIgPSBkb19kb21j dGwoeGNoLCAmZG9tY3RsKTsKKyAgICAgICAgaWYgKCBlcnIgJiYgZXJybm8g PT0gRTJCSUcgKQorICAgICAgICB7CisgICAgICAgICAgICBpZiAoIG1heF9i YXRjaF9zeiA8PSAxICkKKyAgICAgICAgICAgICAgICBicmVhazsKKyAgICAg ICAgICAgIG1heF9iYXRjaF9zeiA+Pj0gMTsKKyAgICAgICAgICAgIGNvbnRp bnVlOworICAgICAgICB9CisgICAgICAgIC8qIFNhdmUgdGhlIGZpcnN0IGVy cm9yLi4uICovCisgICAgICAgIGlmICggIXJldCApCisgICAgICAgICAgICBy ZXQgPSBlcnI7CisgICAgICAgIC8qIC4uIGFuZCBpZ25vcmUgdGhlIHJlc3Qg b2YgdGhlbSB3aGVuIHJlbW92aW5nLiAqLworICAgICAgICBpZiAoIGVyciAm JiBhZGRfbWFwcGluZyAhPSBEUENJX1JFTU9WRV9NQVBQSU5HICkKKyAgICAg ICAgICAgIGJyZWFrOwogCi0gICAgcmV0dXJuIGRvX2RvbWN0bCh4Y2gsICZk b21jdGwpOwotfQorICAgICAgICBkb25lICs9IG5yOworICAgIH0gd2hpbGUg KCBkb25lIDwgbnJfbWZucyApOwogCisgICAgLyoKKyAgICAgKiBVbmRvIHdo YXQgd2UgaGF2ZSBkb25lIHVubGVzcyB1bm1hcHBpbmcsIGJ5IHVubWFwcGlu ZyB0aGUgZW50aXJlIHJlZ2lvbi4KKyAgICAgKiBFcnJvcnMgaGVyZSBhcmUg aWdub3JlZC4KKyAgICAgKi8KKyAgICBpZiAoIHJldCAmJiBhZGRfbWFwcGlu ZyAhPSBEUENJX1JFTU9WRV9NQVBQSU5HICkKKyAgICAgICAgeGNfZG9tYWlu X21lbW9yeV9tYXBwaW5nKHhjaCwgZG9taWQsIGZpcnN0X2dmbiwgZmlyc3Rf bWZuLCBucl9tZm5zLAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgRFBDSV9SRU1PVkVfTUFQUElORyk7CisKKyAgICAvKiBXZSBtaWdodCBn ZXQgRTJCSUcgc28gbWFueSB0aW1lcyB0aGF0IHdlIG5ldmVyIGFkdmFuY2Uu ICovCisgICAgaWYgKCAhZG9uZSAmJiAhcmV0ICkKKyAgICAgICAgcmV0ID0g LTE7CisKKyAgICByZXR1cm4gcmV0OworfQorI3VuZGVmIG1pbgogaW50IHhj X2RvbWFpbl9pb3BvcnRfbWFwcGluZygKICAgICB4Y19pbnRlcmZhY2UgKnhj aCwKICAgICB1aW50MzJfdCBkb21pZCwKZGlmZiAtLWdpdCBhL3hlbi9hcmNo L3g4Ni9kb21jdGwuYyBiL3hlbi9hcmNoL3g4Ni9kb21jdGwuYwppbmRleCBh OTY3YjY1Li45YjcyYzIyIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYvZG9t Y3RsLmMKKysrIGIveGVuL2FyY2gveDg2L2RvbWN0bC5jCkBAIC02NTMsNiAr NjUzLDExIEBAIGxvbmcgYXJjaF9kb19kb21jdGwoCiAgICAgICAgICAgICAg KGdmbiArIG5yX21mbnMgLSAxKSA8IGdmbiApIC8qIHdyYXA/ICovCiAgICAg ICAgICAgICBicmVhazsKIAorICAgICAgICByZXQgPSAtRTJCSUc7CisgICAg ICAgIC8qIE11c3QgYnJlYWsgaHlwZXJjYWxsIHVwIGFzIHRoaXMgY291bGQg dGFrZSBhIHdoaWxlLiAqLworICAgICAgICBpZiAoIG5yX21mbnMgPiA2NCAp CisgICAgICAgICAgICBicmVhazsKKwogICAgICAgICByZXQgPSAtRVBFUk07 CiAgICAgICAgIGlmICggIWlvbWVtX2FjY2Vzc19wZXJtaXR0ZWQoY3VycmVu dC0+ZG9tYWluLCBtZm4sIG1mbiArIG5yX21mbnMgLSAxKSApCiAgICAgICAg ICAgICBicmVhazsKZGlmZiAtLWdpdCBhL3hlbi9pbmNsdWRlL3B1YmxpYy9k b21jdGwuaCBiL3hlbi9pbmNsdWRlL3B1YmxpYy9kb21jdGwuaAppbmRleCBm MjJmZTJlLi5jNDViYzU5IDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9wdWJs aWMvZG9tY3RsLmgKKysrIGIveGVuL2luY2x1ZGUvcHVibGljL2RvbWN0bC5o CkBAIC01MTgsNiArNTE4LDcgQEAgREVGSU5FX1hFTl9HVUVTVF9IQU5ETEUo eGVuX2RvbWN0bF9iaW5kX3B0X2lycV90KTsKIAogCiAvKiBCaW5kIG1hY2hp bmUgSS9PIGFkZHJlc3MgcmFuZ2UgLT4gSFZNIGFkZHJlc3MgcmFuZ2UuICov CisvKiBJZiB0aGlzIHJldHVybnMgLUUyQklHIGxvd2VyIG5yX21mbnMgdmFs dWUuICovCiAvKiBYRU5fRE9NQ1RMX21lbW9yeV9tYXBwaW5nICovCiAjZGVm aW5lIERQQ0lfQUREX01BUFBJTkcgICAgICAgICAxCiAjZGVmaW5lIERQQ0lf UkVNT1ZFX01BUFBJTkcgICAgICAwCi0tIAoyLjEuMAoK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 31 12:11:10 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 12:11:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzs-00006x-Ms; Tue, 31 Mar 2015 12:10:20 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzq-000050-Uu; Tue, 31 Mar 2015 12:10:19 +0000 Received: from [193.109.254.147] by server-3.bemta-14.messagelabs.com id B2/44-23827-AAE8A155; Tue, 31 Mar 2015 12:10:18 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-27.messagelabs.com!1427803815!9920727!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22988 invoked from network); 31 Mar 2015 12:10:16 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 12:10:16 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzb-0006xd-QX; Tue, 31 Mar 2015 12:10:03 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1Ycuzb-0005NW-CJ; Tue, 31 Mar 2015 12:10:03 +0000 Date: Tue, 31 Mar 2015 12:10:03 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 126 (CVE-2015-2756) - Unmediated PCI command register access in qemu X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2756 / XSA-126 version 3 Unmediated PCI command register access in qemu UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, after disabling one or both of these bits subsequent accesses to the MMIO or I/O port ranges would - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific. Furthermore (at least) devices under control of the Linux pciback driver in the host are handed to guests with the aforementioned bits turned off. This means that such accesses can similarly lead to Unsupported Request responses until these flags are set as needed by the guest. IMPACT ====== In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted HVM guests. This issue can also be avoided by only using PV guests or HVM guests with their device model run in a separate (stub) domain. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa126-qemuu.patch qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x xsa126-qemuu-4.3.patch qemu-upstream-unstable, Xen 4.3.x xsa126-qemut.patch qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x For those already having the original patch in place, applying the appropriate attached incremental patch addresses the regression. xsa126-qemuu-incr.patch qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x xsa126-qemuu-4.3-incr.patch qemu-upstream-unstable, Xen 4.3.x xsa126-qemut-incr.patch qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa126*.patch bd69a0d18127793a9aa2097062ecaef76df6e6b8f729406d7d52cf66519e3b0d xsa126-qemut-incr.patch 2a9b8f73b2a4f0cfb6b724c9a0a72dbf08cae87cd382f61f563218c32d1036a7 xsa126-qemut.patch 658bc483d1110e4e04de2d70fba1cdb20c5cecdc2f419db2d82bddc3ae1690b6 xsa126-qemuu-4.3-incr.patch 090d9262a9e9d24f0f4eca35cb0d56831d5cec6a6ba38b4c7e276d767de660c1 xsa126-qemuu-4.3.patch 3f7b6737c08ff7e119bec16c8c3b3cb832429f1410e687edf622fab57a22842e xsa126-qemuu-incr.patch eb5b93600267639b2cda1c5e2f937ddbecbf6c8cbd19dbb355224c39c2e40d3e xsa126-qemuu.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGo5NAAoJEIP+FMlX6CvZvt4IAIeNbTd6EQJE4CnuU6fH9lA3 0fO7FrUEMn7cfiptLy86y01C0d7YqF1MCbO3TKfJ0NJSjvl5CQ/WDuPwjdbD28eW Zi2NZFRRy0JnLM3bgHxYB5Ik7voO6QPm4+BSZxM9rdiOhKwOY1LLyDbRlC5GvsVr 5J87gm1tfcQVHNDkVZp6ZlzQh5Kl3iSFp6KvzwsIagoJucsPVEHsoBWF84I+3peu miT3gQqPeZg3PxplKNBkFZOr4hfE1vkYEmopnPY+ClSqsIB0XWM8XSbr8IByXI/E VBAAsssFYV3mwNSoVrip+CWumi32ocikfxly+GlZxNWiMO4T57La6CJcmjQqaEE= =wvTM -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa126-qemut-incr.patch" Content-Disposition: attachment; filename="xsa126-qemut-incr.patch" Content-Transfer-Encoding: base64 eGVuOiBlbmFibGUgbWVtb3J5IGFuZCBJL08gZGVjb2RpbmcgYmVmb3JlIHBh c3NpbmcgUENJIGRldmljZSB0byBndWVzdAoKT3RoZXJ3aXNlLCB3aXRoIHYx IG9mIHRoZSBYU0EtMTI2IGZpeCBpbiBwbGFjZSwgbm90aGluZyB3aWxsIGRv IHRoaXMsCmxlYXZpbmcgdGhlIGRldmljZSB1bnVzYWJsZSBleGNlcHQgZm9y IG1hbGljaW91cyBwdXJwb3Nlcy4KClRoaXMgaXMgcGFydCBvZiBDVkUtMjAx NS0yNzU2IC8gWFNBLTEyNi4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNo IDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8 aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody9wYXNzLXRocm91 Z2guYworKysgYi9ody9wYXNzLXRocm91Z2guYwpAQCAtMTkwNSw3ICsxOTA1 LDcgQEAgc3RhdGljIGludCBwdF9kZXZfaXNfdmlydGZuKHN0cnVjdCBwY2lf ZAogICAgIHJldHVybiByYzsKIH0KIAotc3RhdGljIGludCBwdF9yZWdpc3Rl cl9yZWdpb25zKHN0cnVjdCBwdF9kZXYgKmFzc2lnbmVkX2RldmljZSkKK3N0 YXRpYyBpbnQgcHRfcmVnaXN0ZXJfcmVnaW9ucyhzdHJ1Y3QgcHRfZGV2ICph c3NpZ25lZF9kZXZpY2UsIHVpbnQxNl90ICpjbWQpCiB7CiAgICAgaW50IGkg PSAwOwogICAgIHVpbnQzMl90IGJhcl9kYXRhID0gMDsKQEAgLTE5MjUsMTcg KzE5MjUsMjYgQEAgc3RhdGljIGludCBwdF9yZWdpc3Rlcl9yZWdpb25zKHN0 cnVjdCBwdAogCiAgICAgICAgICAgICAvKiBSZWdpc3RlciBjdXJyZW50IHJl Z2lvbiAqLwogICAgICAgICAgICAgaWYgKCBwY2lfZGV2LT5iYXNlX2FkZHJb aV0gJiBQQ0lfQUREUkVTU19TUEFDRV9JTyApCisgICAgICAgICAgICB7CiAg ICAgICAgICAgICAgICAgcGNpX3JlZ2lzdGVyX2lvX3JlZ2lvbigoUENJRGV2 aWNlICopYXNzaWduZWRfZGV2aWNlLCBpLAogICAgICAgICAgICAgICAgICAg ICAodWludDMyX3QpcGNpX2Rldi0+c2l6ZVtpXSwgUENJX0FERFJFU1NfU1BB Q0VfSU8sCiAgICAgICAgICAgICAgICAgICAgIHB0X2lvcG9ydF9tYXApOwor ICAgICAgICAgICAgICAgICpjbWQgfD0gUENJX0NPTU1BTkRfSU87CisgICAg ICAgICAgICB9CiAgICAgICAgICAgICBlbHNlIGlmICggcGNpX2Rldi0+YmFz ZV9hZGRyW2ldICYgUENJX0FERFJFU1NfU1BBQ0VfTUVNX1BSRUZFVENIICkK KyAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBwY2lfcmVnaXN0ZXJf aW9fcmVnaW9uKChQQ0lEZXZpY2UgKilhc3NpZ25lZF9kZXZpY2UsIGksCiAg ICAgICAgICAgICAgICAgICAgICh1aW50MzJfdClwY2lfZGV2LT5zaXplW2ld LCBQQ0lfQUREUkVTU19TUEFDRV9NRU1fUFJFRkVUQ0gsCiAgICAgICAgICAg ICAgICAgICAgIHB0X2lvbWVtX21hcCk7CisgICAgICAgICAgICAgICAgKmNt ZCB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7CisgICAgICAgICAgICB9CiAgICAg ICAgICAgICBlbHNlCisgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAg cGNpX3JlZ2lzdGVyX2lvX3JlZ2lvbigoUENJRGV2aWNlICopYXNzaWduZWRf ZGV2aWNlLCBpLAogICAgICAgICAgICAgICAgICAgICAodWludDMyX3QpcGNp X2Rldi0+c2l6ZVtpXSwgUENJX0FERFJFU1NfU1BBQ0VfTUVNLAogICAgICAg ICAgICAgICAgICAgICBwdF9pb21lbV9tYXApOworICAgICAgICAgICAgICAg ICpjbWQgfD0gUENJX0NPTU1BTkRfTUVNT1JZOworICAgICAgICAgICAgfQog CiAgICAgICAgICAgICBQVF9MT0coIklPIHJlZ2lvbiByZWdpc3RlcmVkIChz aXplPTB4JTA4eCBiYXNlX2FkZHI9MHglMDh4KVxuIiwKICAgICAgICAgICAg ICAgICAodWludDMyX3QpKHBjaV9kZXYtPnNpemVbaV0pLApAQCAtNDIxMSw2 ICs0MjIwLDcgQEAgc3RhdGljIHN0cnVjdCBwdF9kZXYgKiByZWdpc3Rlcl9y ZWFsX2RldgogICAgIHN0cnVjdCBwdF9kZXYgKmFzc2lnbmVkX2RldmljZSA9 IE5VTEw7CiAgICAgc3RydWN0IHBjaV9kZXYgKnBjaV9kZXY7CiAgICAgdWlu dDhfdCBlX2RldmljZSwgZV9pbnR4OworICAgIHVpbnQxNl90IGNtZCA9IDA7 CiAgICAgY2hhciAqa2V5LCAqdmFsOwogICAgIGludCBtc2lfdHJhbnNsYXRl LCBwb3dlcl9tZ210OwogCkBAIC00MzAwLDcgKzQzMTAsNyBAQCBzdGF0aWMg c3RydWN0IHB0X2RldiAqIHJlZ2lzdGVyX3JlYWxfZGV2CiAgICAgICAgIGFz c2lnbmVkX2RldmljZS0+ZGV2LmNvbmZpZ1tpXSA9IHBjaV9yZWFkX2J5dGUo cGNpX2RldiwgaSk7CiAKICAgICAvKiBIYW5kbGUgcmVhbCBkZXZpY2UncyBN TUlPL1BJTyBCQVJzICovCi0gICAgcHRfcmVnaXN0ZXJfcmVnaW9ucyhhc3Np Z25lZF9kZXZpY2UpOworICAgIHB0X3JlZ2lzdGVyX3JlZ2lvbnMoYXNzaWdu ZWRfZGV2aWNlLCAmY21kKTsKIAogICAgIC8qIFNldHVwIFZHQSBiaW9zIGZv ciBwYXNzdGhyb3VnaGVkIGdmeCAqLwogICAgIGlmICggc2V0dXBfdmdhX3B0 KGFzc2lnbmVkX2RldmljZSkgPCAwICkKQEAgLTQzNzgsNiArNDM4OCwxMCBA QCBzdGF0aWMgc3RydWN0IHB0X2RldiAqIHJlZ2lzdGVyX3JlYWxfZGV2CiAg ICAgfQogCiBvdXQ6CisgICAgaWYgKGNtZCkKKyAgICAgICAgcGNpX3dyaXRl X3dvcmQocGNpX2RldiwgUENJX0NPTU1BTkQsCisgICAgICAgICAgICAqKHVp bnQxNl90ICopKCZhc3NpZ25lZF9kZXZpY2UtPmRldi5jb25maWdbUENJX0NP TU1BTkRdKSB8IGNtZCk7CisKICAgICBQVF9MT0coIlJlYWwgcGh5c2ljYWwg ZGV2aWNlICUwMng6JTAyeC4leCByZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxu IgogICAgICAgICAgICAiSVJRIHR5cGUgPSAlc1xuIiwgcl9idXMsIHJfZGV2 LCByX2Z1bmMsCiAgICAgICAgICAgIGFzc2lnbmVkX2RldmljZS0+bXNpX3Ry YW5zX2VuPyAiTVNJLUlOVHgiOiJJTlR4Iik7Cg== --=separator Content-Type: application/octet-stream; name="xsa126-qemut.patch" Content-Disposition: attachment; filename="xsa126-qemut.patch" Content-Transfer-Encoding: base64 eGVuOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIFBDSSBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTI3NTYgLyBYU0Et MTI2LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVm YW5vLnN0YWJlbGxpbmlAZXUuY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody9w YXNzLXRocm91Z2guYworKysgYi9ody9wYXNzLXRocm91Z2guYwpAQCAtMTcy LDkgKzE3Miw2IEBAIHN0YXRpYyBpbnQgcHRfd29yZF9yZWdfcmVhZChzdHJ1 Y3QgcHRfZGUKIHN0YXRpYyBpbnQgcHRfbG9uZ19yZWdfcmVhZChzdHJ1Y3Qg cHRfZGV2ICpwdGRldiwKICAgICBzdHJ1Y3QgcHRfcmVnX3RibCAqY2ZnX2Vu dHJ5LAogICAgIHVpbnQzMl90ICp2YWx1ZSwgdWludDMyX3QgdmFsaWRfbWFz ayk7Ci1zdGF0aWMgaW50IHB0X2NtZF9yZWdfcmVhZChzdHJ1Y3QgcHRfZGV2 ICpwdGRldiwKLSAgICBzdHJ1Y3QgcHRfcmVnX3RibCAqY2ZnX2VudHJ5LAot ICAgIHVpbnQxNl90ICp2YWx1ZSwgdWludDE2X3QgdmFsaWRfbWFzayk7CiBz dGF0aWMgaW50IHB0X2Jhcl9yZWdfcmVhZChzdHJ1Y3QgcHRfZGV2ICpwdGRl diwKICAgICBzdHJ1Y3QgcHRfcmVnX3RibCAqY2ZnX2VudHJ5LAogICAgIHVp bnQzMl90ICp2YWx1ZSwgdWludDMyX3QgdmFsaWRfbWFzayk7CkBAIC0yODYs OSArMjgzLDkgQEAgc3RhdGljIHN0cnVjdCBwdF9yZWdfaW5mb190YmwgcHRf ZW11X3JlZwogICAgICAgICAuc2l6ZSAgICAgICA9IDIsCiAgICAgICAgIC5p bml0X3ZhbCAgID0gMHgwMDAwLAogICAgICAgICAucm9fbWFzayAgICA9IDB4 Rjg4MCwKLSAgICAgICAgLmVtdV9tYXNrICAgPSAweDA3NDAsCisgICAgICAg IC5lbXVfbWFzayAgID0gMHgwNzQzLAogICAgICAgICAuaW5pdCAgICAgICA9 IHB0X2NvbW1vbl9yZWdfaW5pdCwKLSAgICAgICAgLnUudy5yZWFkICAgPSBw dF9jbWRfcmVnX3JlYWQsCisgICAgICAgIC51LncucmVhZCAgID0gcHRfd29y ZF9yZWdfcmVhZCwKICAgICAgICAgLnUudy53cml0ZSAgPSBwdF9jbWRfcmVn X3dyaXRlLAogICAgICAgICAudS53LnJlc3RvcmUgID0gcHRfY21kX3JlZ19y ZXN0b3JlLAogICAgIH0sCkBAIC0xOTA1LDcgKzE5MDIsNyBAQCBzdGF0aWMg aW50IHB0X2Rldl9pc192aXJ0Zm4oc3RydWN0IHBjaV9kCiAgICAgcmV0dXJu IHJjOwogfQogCi1zdGF0aWMgaW50IHB0X3JlZ2lzdGVyX3JlZ2lvbnMoc3Ry dWN0IHB0X2RldiAqYXNzaWduZWRfZGV2aWNlKQorc3RhdGljIGludCBwdF9y ZWdpc3Rlcl9yZWdpb25zKHN0cnVjdCBwdF9kZXYgKmFzc2lnbmVkX2Rldmlj ZSwgdWludDE2X3QgKmNtZCkKIHsKICAgICBpbnQgaSA9IDA7CiAgICAgdWlu dDMyX3QgYmFyX2RhdGEgPSAwOwpAQCAtMTkyNSwxNyArMTkyMiwyNiBAQCBz dGF0aWMgaW50IHB0X3JlZ2lzdGVyX3JlZ2lvbnMoc3RydWN0IHB0CiAKICAg ICAgICAgICAgIC8qIFJlZ2lzdGVyIGN1cnJlbnQgcmVnaW9uICovCiAgICAg ICAgICAgICBpZiAoIHBjaV9kZXYtPmJhc2VfYWRkcltpXSAmIFBDSV9BRERS RVNTX1NQQUNFX0lPICkKKyAgICAgICAgICAgIHsKICAgICAgICAgICAgICAg ICBwY2lfcmVnaXN0ZXJfaW9fcmVnaW9uKChQQ0lEZXZpY2UgKilhc3NpZ25l ZF9kZXZpY2UsIGksCiAgICAgICAgICAgICAgICAgICAgICh1aW50MzJfdClw Y2lfZGV2LT5zaXplW2ldLCBQQ0lfQUREUkVTU19TUEFDRV9JTywKICAgICAg ICAgICAgICAgICAgICAgcHRfaW9wb3J0X21hcCk7CisgICAgICAgICAgICAg ICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9JTzsKKyAgICAgICAgICAgIH0KICAg ICAgICAgICAgIGVsc2UgaWYgKCBwY2lfZGV2LT5iYXNlX2FkZHJbaV0gJiBQ Q0lfQUREUkVTU19TUEFDRV9NRU1fUFJFRkVUQ0ggKQorICAgICAgICAgICAg ewogICAgICAgICAgICAgICAgIHBjaV9yZWdpc3Rlcl9pb19yZWdpb24oKFBD SURldmljZSAqKWFzc2lnbmVkX2RldmljZSwgaSwKICAgICAgICAgICAgICAg ICAgICAgKHVpbnQzMl90KXBjaV9kZXYtPnNpemVbaV0sIFBDSV9BRERSRVNT X1NQQUNFX01FTV9QUkVGRVRDSCwKICAgICAgICAgICAgICAgICAgICAgcHRf aW9tZW1fbWFwKTsKKyAgICAgICAgICAgICAgICAqY21kIHw9IFBDSV9DT01N QU5EX01FTU9SWTsKKyAgICAgICAgICAgIH0KICAgICAgICAgICAgIGVsc2UK KyAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBwY2lfcmVnaXN0ZXJf aW9fcmVnaW9uKChQQ0lEZXZpY2UgKilhc3NpZ25lZF9kZXZpY2UsIGksCiAg ICAgICAgICAgICAgICAgICAgICh1aW50MzJfdClwY2lfZGV2LT5zaXplW2ld LCBQQ0lfQUREUkVTU19TUEFDRV9NRU0sCiAgICAgICAgICAgICAgICAgICAg IHB0X2lvbWVtX21hcCk7CisgICAgICAgICAgICAgICAgKmNtZCB8PSBQQ0lf Q09NTUFORF9NRU1PUlk7CisgICAgICAgICAgICB9CiAKICAgICAgICAgICAg IFBUX0xPRygiSU8gcmVnaW9uIHJlZ2lzdGVyZWQgKHNpemU9MHglMDh4IGJh c2VfYWRkcj0weCUwOHgpXG4iLAogICAgICAgICAgICAgICAgICh1aW50MzJf dCkocGNpX2Rldi0+c2l6ZVtpXSksCkBAIC0zMjYzLDI3ICszMjY5LDYgQEAg c3RhdGljIGludCBwdF9sb25nX3JlZ19yZWFkKHN0cnVjdCBwdF9kZQogICAg cmV0dXJuIDA7CiB9CiAKLS8qIHJlYWQgQ29tbWFuZCByZWdpc3RlciAqLwot c3RhdGljIGludCBwdF9jbWRfcmVnX3JlYWQoc3RydWN0IHB0X2RldiAqcHRk ZXYsCi0gICAgICAgIHN0cnVjdCBwdF9yZWdfdGJsICpjZmdfZW50cnksCi0g ICAgICAgIHVpbnQxNl90ICp2YWx1ZSwgdWludDE2X3QgdmFsaWRfbWFzaykK LXsKLSAgICBzdHJ1Y3QgcHRfcmVnX2luZm9fdGJsICpyZWcgPSBjZmdfZW50 cnktPnJlZzsKLSAgICB1aW50MTZfdCB2YWxpZF9lbXVfbWFzayA9IDA7Ci0g ICAgdWludDE2X3QgZW11X21hc2sgPSByZWctPmVtdV9tYXNrOwotCi0gICAg aWYgKCBwdGRldi0+aXNfdmlydGZuICkKLSAgICAgICAgZW11X21hc2sgfD0g UENJX0NPTU1BTkRfTUVNT1JZOwotICAgIGlmICggcHRfaXNfaW9tdWwocHRk ZXYpICkKLSAgICAgICAgZW11X21hc2sgfD0gUENJX0NPTU1BTkRfSU87Ci0K LSAgICAvKiBlbXVsYXRlIHdvcmQgcmVnaXN0ZXIgKi8KLSAgICB2YWxpZF9l bXVfbWFzayA9IGVtdV9tYXNrICYgdmFsaWRfbWFzazsKLSAgICAqdmFsdWUg PSBQVF9NRVJHRV9WQUxVRSgqdmFsdWUsIGNmZ19lbnRyeS0+ZGF0YSwgfnZh bGlkX2VtdV9tYXNrKTsKLQotICAgIHJldHVybiAwOwotfQotCiAvKiByZWFk IEJBUiAqLwogc3RhdGljIGludCBwdF9iYXJfcmVnX3JlYWQoc3RydWN0IHB0 X2RldiAqcHRkZXYsCiAgICAgICAgIHN0cnVjdCBwdF9yZWdfdGJsICpjZmdf ZW50cnksCkBAIC0zNDE4LDE5ICszNDAzLDEzIEBAIHN0YXRpYyBpbnQgcHRf Y21kX3JlZ193cml0ZShzdHJ1Y3QgcHRfZGUKICAgICB1aW50MTZfdCB3cml0 YWJsZV9tYXNrID0gMDsKICAgICB1aW50MTZfdCB0aHJvdWdoYWJsZV9tYXNr ID0gMDsKICAgICB1aW50MTZfdCB3cl92YWx1ZSA9ICp2YWx1ZTsKLSAgICB1 aW50MTZfdCBlbXVfbWFzayA9IHJlZy0+ZW11X21hc2s7Ci0KLSAgICBpZiAo IHB0ZGV2LT5pc192aXJ0Zm4gKQotICAgICAgICBlbXVfbWFzayB8PSBQQ0lf Q09NTUFORF9NRU1PUlk7Ci0gICAgaWYgKCBwdF9pc19pb211bChwdGRldikg KQotICAgICAgICBlbXVfbWFzayB8PSBQQ0lfQ09NTUFORF9JTzsKIAogICAg IC8qIG1vZGlmeSBlbXVsYXRlIHJlZ2lzdGVyICovCiAgICAgd3JpdGFibGVf bWFzayA9IH5yZWctPnJvX21hc2sgJiB2YWxpZF9tYXNrOwogICAgIGNmZ19l bnRyeS0+ZGF0YSA9IFBUX01FUkdFX1ZBTFVFKCp2YWx1ZSwgY2ZnX2VudHJ5 LT5kYXRhLCB3cml0YWJsZV9tYXNrKTsKIAogICAgIC8qIGNyZWF0ZSB2YWx1 ZSBmb3Igd3JpdGluZyB0byBJL08gZGV2aWNlIHJlZ2lzdGVyICovCi0gICAg dGhyb3VnaGFibGVfbWFzayA9IH5lbXVfbWFzayAmIHZhbGlkX21hc2s7Cisg ICAgdGhyb3VnaGFibGVfbWFzayA9IH5yZWctPmVtdV9tYXNrICYgdmFsaWRf bWFzazsKIAogICAgIGlmICgqdmFsdWUgJiBQQ0lfQ09NTUFORF9ESVNBQkxF X0lOVHgpCiAgICAgewpAQCAtNDIxMSw2ICs0MTkwLDcgQEAgc3RhdGljIHN0 cnVjdCBwdF9kZXYgKiByZWdpc3Rlcl9yZWFsX2RldgogICAgIHN0cnVjdCBw dF9kZXYgKmFzc2lnbmVkX2RldmljZSA9IE5VTEw7CiAgICAgc3RydWN0IHBj aV9kZXYgKnBjaV9kZXY7CiAgICAgdWludDhfdCBlX2RldmljZSwgZV9pbnR4 OworICAgIHVpbnQxNl90IGNtZCA9IDA7CiAgICAgY2hhciAqa2V5LCAqdmFs OwogICAgIGludCBtc2lfdHJhbnNsYXRlLCBwb3dlcl9tZ210OwogCkBAIC00 MzAwLDcgKzQyODAsNyBAQCBzdGF0aWMgc3RydWN0IHB0X2RldiAqIHJlZ2lz dGVyX3JlYWxfZGV2CiAgICAgICAgIGFzc2lnbmVkX2RldmljZS0+ZGV2LmNv bmZpZ1tpXSA9IHBjaV9yZWFkX2J5dGUocGNpX2RldiwgaSk7CiAKICAgICAv KiBIYW5kbGUgcmVhbCBkZXZpY2UncyBNTUlPL1BJTyBCQVJzICovCi0gICAg cHRfcmVnaXN0ZXJfcmVnaW9ucyhhc3NpZ25lZF9kZXZpY2UpOworICAgIHB0 X3JlZ2lzdGVyX3JlZ2lvbnMoYXNzaWduZWRfZGV2aWNlLCAmY21kKTsKIAog ICAgIC8qIFNldHVwIFZHQSBiaW9zIGZvciBwYXNzdGhyb3VnaGVkIGdmeCAq LwogICAgIGlmICggc2V0dXBfdmdhX3B0KGFzc2lnbmVkX2RldmljZSkgPCAw ICkKQEAgLTQzNzgsNiArNDM1OCwxMCBAQCBzdGF0aWMgc3RydWN0IHB0X2Rl diAqIHJlZ2lzdGVyX3JlYWxfZGV2CiAgICAgfQogCiBvdXQ6CisgICAgaWYg KGNtZCkKKyAgICAgICAgcGNpX3dyaXRlX3dvcmQocGNpX2RldiwgUENJX0NP TU1BTkQsCisgICAgICAgICAgICAqKHVpbnQxNl90ICopKCZhc3NpZ25lZF9k ZXZpY2UtPmRldi5jb25maWdbUENJX0NPTU1BTkRdKSB8IGNtZCk7CisKICAg ICBQVF9MT0coIlJlYWwgcGh5c2ljYWwgZGV2aWNlICUwMng6JTAyeC4leCBy ZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxuIgogICAgICAgICAgICAiSVJRIHR5 cGUgPSAlc1xuIiwgcl9idXMsIHJfZGV2LCByX2Z1bmMsCiAgICAgICAgICAg IGFzc2lnbmVkX2RldmljZS0+bXNpX3RyYW5zX2VuPyAiTVNJLUlOVHgiOiJJ TlR4Iik7Cg== --=separator Content-Type: application/octet-stream; name="xsa126-qemuu-4.3-incr.patch" Content-Disposition: attachment; filename="xsa126-qemuu-4.3-incr.patch" Content-Transfer-Encoding: base64 eGVuOiBlbmFibGUgbWVtb3J5IGFuZCBJL08gZGVjb2RpbmcgYmVmb3JlIHBh c3NpbmcgUENJIGRldmljZSB0byBndWVzdAoKT3RoZXJ3aXNlLCB3aXRoIHYx IG9mIHRoZSBYU0EtMTI2IGZpeCBpbiBwbGFjZSwgbm90aGluZyB3aWxsIGRv IHRoaXMsCmxlYXZpbmcgdGhlIGRldmljZSB1bnVzYWJsZSBleGNlcHQgZm9y IG1hbGljaW91cyBwdXJwb3Nlcy4KClRoaXMgaXMgcGFydCBvZiBDVkUtMjAx NS0yNzU2IC8gWFNBLTEyNi4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNo IDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8 aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94ZW5fcHQuYwor KysgYi9ody94ZW5fcHQuYwpAQCAtMzg4LDcgKzM4OCw3IEBAIHN0YXRpYyBj b25zdCBNZW1vcnlSZWdpb25PcHMgb3BzID0gewogICAgIC53cml0ZSA9IHhl bl9wdF9iYXJfd3JpdGUsCiB9OwogCi1zdGF0aWMgaW50IHhlbl9wdF9yZWdp c3Rlcl9yZWdpb25zKFhlblBDSVBhc3N0aHJvdWdoU3RhdGUgKnMpCitzdGF0 aWMgaW50IHhlbl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDSVBhc3N0aHJv dWdoU3RhdGUgKnMsIHVpbnQxNl90ICpjbWQpCiB7CiAgICAgaW50IGkgPSAw OwogICAgIFhlbkhvc3RQQ0lEZXZpY2UgKmQgPSAmcy0+cmVhbF9kZXZpY2U7 CkBAIC00MDYsNiArNDA2LDcgQEAgc3RhdGljIGludCB4ZW5fcHRfcmVnaXN0 ZXJfcmVnaW9ucyhYZW5QQwogCiAgICAgICAgIGlmIChyLT50eXBlICYgWEVO X0hPU1RfUENJX1JFR0lPTl9UWVBFX0lPKSB7CiAgICAgICAgICAgICB0eXBl ID0gUENJX0JBU0VfQUREUkVTU19TUEFDRV9JTzsKKyAgICAgICAgICAgICpj bWQgfD0gUENJX0NPTU1BTkRfSU87CiAgICAgICAgIH0gZWxzZSB7CiAgICAg ICAgICAgICB0eXBlID0gUENJX0JBU0VfQUREUkVTU19TUEFDRV9NRU1PUlk7 CiAgICAgICAgICAgICBpZiAoci0+dHlwZSAmIFhFTl9IT1NUX1BDSV9SRUdJ T05fVFlQRV9QUkVGRVRDSCkgewpAQCAtNDE0LDYgKzQxNSw3IEBAIHN0YXRp YyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUEMKICAgICAgICAg ICAgIGlmIChyLT50eXBlICYgWEVOX0hPU1RfUENJX1JFR0lPTl9UWVBFX01F TV82NCkgewogICAgICAgICAgICAgICAgIHR5cGUgfD0gUENJX0JBU0VfQURE UkVTU19NRU1fVFlQRV82NDsKICAgICAgICAgICAgIH0KKyAgICAgICAgICAg ICpjbWQgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwogICAgICAgICB9CiAKICAg ICAgICAgbWVtb3J5X3JlZ2lvbl9pbml0X2lvKCZzLT5iYXJbaV0sICZvcHMs ICZzLT5kZXYsCkBAIC02NTIsNiArNjU0LDcgQEAgc3RhdGljIGludCB4ZW5f cHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICBYZW5QQ0lQYXNzdGhyb3Vn aFN0YXRlICpzID0gRE9fVVBDQVNUKFhlblBDSVBhc3N0aHJvdWdoU3RhdGUs IGRldiwgZCk7CiAgICAgaW50IHJjID0gMDsKICAgICB1aW50OF90IG1hY2hp bmVfaXJxID0gMDsKKyAgICB1aW50MTZfdCBjbWQgPSAwOwogICAgIGludCBw aXJxID0gWEVOX1BUX1VOQVNTSUdORURfUElSUTsKIAogICAgIC8qIHJlZ2lz dGVyIHJlYWwgZGV2aWNlICovCkBAIC02ODYsNyArNjg5LDcgQEAgc3RhdGlj IGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICBzLT5pb19s aXN0ZW5lciA9IHhlbl9wdF9pb19saXN0ZW5lcjsKIAogICAgIC8qIEhhbmRs ZSByZWFsIGRldmljZSdzIE1NSU8vUElPIEJBUnMgKi8KLSAgICB4ZW5fcHRf cmVnaXN0ZXJfcmVnaW9ucyhzKTsKKyAgICB4ZW5fcHRfcmVnaXN0ZXJfcmVn aW9ucyhzLCAmY21kKTsKIAogICAgIC8qIHJlaW5pdGlhbGl6ZSBlYWNoIGNv bmZpZyByZWdpc3RlciB0byBiZSBlbXVsYXRlZCAqLwogICAgIGlmICh4ZW5f cHRfY29uZmlnX2luaXQocykpIHsKQEAgLTc1MCw2ICs3NTMsMTEgQEAgc3Rh dGljIGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICB9CiAK IG91dDoKKyAgICBpZiAoY21kKSB7CisgICAgICAgIHhlbl9ob3N0X3BjaV9z ZXRfd29yZCgmcy0+cmVhbF9kZXZpY2UsIFBDSV9DT01NQU5ELAorICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgcGNpX2dldF93b3JkKGQtPmNvbmZp ZyArIFBDSV9DT01NQU5EKSB8IGNtZCk7CisgICAgfQorCiAgICAgbWVtb3J5 X2xpc3RlbmVyX3JlZ2lzdGVyKCZzLT5tZW1vcnlfbGlzdGVuZXIsICZhZGRy ZXNzX3NwYWNlX21lbW9yeSk7CiAgICAgbWVtb3J5X2xpc3RlbmVyX3JlZ2lz dGVyKCZzLT5pb19saXN0ZW5lciwgJmFkZHJlc3Nfc3BhY2VfaW8pOwogICAg IFhFTl9QVF9MT0coZCwgIlJlYWwgcGh5c2ljYWwgZGV2aWNlICUwMng6JTAy eC4lZCByZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxuIiwK --=separator Content-Type: application/octet-stream; name="xsa126-qemuu-4.3.patch" Content-Disposition: attachment; filename="xsa126-qemuu-4.3.patch" Content-Transfer-Encoding: base64 eGVuOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIFBDSSBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTI3NTYgLyBYU0Et MTI2LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVm YW5vLnN0YWJlbGxpbmlAZXUuY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94 ZW5fcHQuYworKysgYi9ody94ZW5fcHQuYwpAQCAtMzg4LDcgKzM4OCw3IEBA IHN0YXRpYyBjb25zdCBNZW1vcnlSZWdpb25PcHMgb3BzID0gewogICAgIC53 cml0ZSA9IHhlbl9wdF9iYXJfd3JpdGUsCiB9OwogCi1zdGF0aWMgaW50IHhl bl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDSVBhc3N0aHJvdWdoU3RhdGUg KnMpCitzdGF0aWMgaW50IHhlbl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBD SVBhc3N0aHJvdWdoU3RhdGUgKnMsIHVpbnQxNl90ICpjbWQpCiB7CiAgICAg aW50IGkgPSAwOwogICAgIFhlbkhvc3RQQ0lEZXZpY2UgKmQgPSAmcy0+cmVh bF9kZXZpY2U7CkBAIC00MDYsNiArNDA2LDcgQEAgc3RhdGljIGludCB4ZW5f cHRfcmVnaXN0ZXJfcmVnaW9ucyhYZW5QQwogCiAgICAgICAgIGlmIChyLT50 eXBlICYgWEVOX0hPU1RfUENJX1JFR0lPTl9UWVBFX0lPKSB7CiAgICAgICAg ICAgICB0eXBlID0gUENJX0JBU0VfQUREUkVTU19TUEFDRV9JTzsKKyAgICAg ICAgICAgICpjbWQgfD0gUENJX0NPTU1BTkRfSU87CiAgICAgICAgIH0gZWxz ZSB7CiAgICAgICAgICAgICB0eXBlID0gUENJX0JBU0VfQUREUkVTU19TUEFD RV9NRU1PUlk7CiAgICAgICAgICAgICBpZiAoci0+dHlwZSAmIFhFTl9IT1NU X1BDSV9SRUdJT05fVFlQRV9QUkVGRVRDSCkgewpAQCAtNDE0LDYgKzQxNSw3 IEBAIHN0YXRpYyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUEMK ICAgICAgICAgICAgIGlmIChyLT50eXBlICYgWEVOX0hPU1RfUENJX1JFR0lP Tl9UWVBFX01FTV82NCkgewogICAgICAgICAgICAgICAgIHR5cGUgfD0gUENJ X0JBU0VfQUREUkVTU19NRU1fVFlQRV82NDsKICAgICAgICAgICAgIH0KKyAg ICAgICAgICAgICpjbWQgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwogICAgICAg ICB9CiAKICAgICAgICAgbWVtb3J5X3JlZ2lvbl9pbml0X2lvKCZzLT5iYXJb aV0sICZvcHMsICZzLT5kZXYsCkBAIC02NTIsNiArNjU0LDcgQEAgc3RhdGlj IGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAgICBYZW5QQ0lQ YXNzdGhyb3VnaFN0YXRlICpzID0gRE9fVVBDQVNUKFhlblBDSVBhc3N0aHJv dWdoU3RhdGUsIGRldiwgZCk7CiAgICAgaW50IHJjID0gMDsKICAgICB1aW50 OF90IG1hY2hpbmVfaXJxID0gMDsKKyAgICB1aW50MTZfdCBjbWQgPSAwOwog ICAgIGludCBwaXJxID0gWEVOX1BUX1VOQVNTSUdORURfUElSUTsKIAogICAg IC8qIHJlZ2lzdGVyIHJlYWwgZGV2aWNlICovCkBAIC02ODYsNyArNjg5LDcg QEAgc3RhdGljIGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkKICAg ICBzLT5pb19saXN0ZW5lciA9IHhlbl9wdF9pb19saXN0ZW5lcjsKIAogICAg IC8qIEhhbmRsZSByZWFsIGRldmljZSdzIE1NSU8vUElPIEJBUnMgKi8KLSAg ICB4ZW5fcHRfcmVnaXN0ZXJfcmVnaW9ucyhzKTsKKyAgICB4ZW5fcHRfcmVn aXN0ZXJfcmVnaW9ucyhzLCAmY21kKTsKIAogICAgIC8qIHJlaW5pdGlhbGl6 ZSBlYWNoIGNvbmZpZyByZWdpc3RlciB0byBiZSBlbXVsYXRlZCAqLwogICAg IGlmICh4ZW5fcHRfY29uZmlnX2luaXQocykpIHsKQEAgLTc1MCw2ICs3NTMs MTEgQEAgc3RhdGljIGludCB4ZW5fcHRfaW5pdGZuKFBDSURldmljZSAqZCkK ICAgICB9CiAKIG91dDoKKyAgICBpZiAoY21kKSB7CisgICAgICAgIHhlbl9o b3N0X3BjaV9zZXRfd29yZCgmcy0+cmVhbF9kZXZpY2UsIFBDSV9DT01NQU5E LAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcGNpX2dldF93b3Jk KGQtPmNvbmZpZyArIFBDSV9DT01NQU5EKSB8IGNtZCk7CisgICAgfQorCiAg ICAgbWVtb3J5X2xpc3RlbmVyX3JlZ2lzdGVyKCZzLT5tZW1vcnlfbGlzdGVu ZXIsICZhZGRyZXNzX3NwYWNlX21lbW9yeSk7CiAgICAgbWVtb3J5X2xpc3Rl bmVyX3JlZ2lzdGVyKCZzLT5pb19saXN0ZW5lciwgJmFkZHJlc3Nfc3BhY2Vf aW8pOwogICAgIFhFTl9QVF9MT0coZCwgIlJlYWwgcGh5c2ljYWwgZGV2aWNl ICUwMng6JTAyeC4lZCByZWdpc3RlcmVkIHN1Y2Nlc3NmdWx5IVxuIiwKLS0t IGEvaHcveGVuX3B0X2NvbmZpZ19pbml0LmMKKysrIGIvaHcveGVuX3B0X2Nv bmZpZ19pbml0LmMKQEAgLTI4NiwyMyArMjg2LDYgQEAgc3RhdGljIGludCB4 ZW5fcHRfaXJxcGluX3JlZ19pbml0KFhlblBDSQogfQogCiAvKiBDb21tYW5k IHJlZ2lzdGVyICovCi1zdGF0aWMgaW50IHhlbl9wdF9jbWRfcmVnX3JlYWQo WGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcywgWGVuUFRSZWcgKmNmZ19lbnRy eSwKLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1aW50MTZfdCAq dmFsdWUsIHVpbnQxNl90IHZhbGlkX21hc2spCi17Ci0gICAgWGVuUFRSZWdJ bmZvICpyZWcgPSBjZmdfZW50cnktPnJlZzsKLSAgICB1aW50MTZfdCB2YWxp ZF9lbXVfbWFzayA9IDA7Ci0gICAgdWludDE2X3QgZW11X21hc2sgPSByZWct PmVtdV9tYXNrOwotCi0gICAgaWYgKHMtPmlzX3ZpcnRmbikgewotICAgICAg ICBlbXVfbWFzayB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7Ci0gICAgfQotCi0g ICAgLyogZW11bGF0ZSB3b3JkIHJlZ2lzdGVyICovCi0gICAgdmFsaWRfZW11 X21hc2sgPSBlbXVfbWFzayAmIHZhbGlkX21hc2s7Ci0gICAgKnZhbHVlID0g WEVOX1BUX01FUkdFX1ZBTFVFKCp2YWx1ZSwgY2ZnX2VudHJ5LT5kYXRhLCB+ dmFsaWRfZW11X21hc2spOwotCi0gICAgcmV0dXJuIDA7Ci19CiBzdGF0aWMg aW50IHhlbl9wdF9jbWRfcmVnX3dyaXRlKFhlblBDSVBhc3N0aHJvdWdoU3Rh dGUgKnMsIFhlblBUUmVnICpjZmdfZW50cnksCiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIHVpbnQxNl90ICp2YWwsIHVpbnQxNl90IGRldl92 YWx1ZSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdWludDE2 X3QgdmFsaWRfbWFzaykKQEAgLTMxMCwxOCArMjkzLDEzIEBAIHN0YXRpYyBp bnQgeGVuX3B0X2NtZF9yZWdfd3JpdGUoWGVuUENJUGEKICAgICBYZW5QVFJl Z0luZm8gKnJlZyA9IGNmZ19lbnRyeS0+cmVnOwogICAgIHVpbnQxNl90IHdy aXRhYmxlX21hc2sgPSAwOwogICAgIHVpbnQxNl90IHRocm91Z2hhYmxlX21h c2sgPSAwOwotICAgIHVpbnQxNl90IGVtdV9tYXNrID0gcmVnLT5lbXVfbWFz azsKLQotICAgIGlmIChzLT5pc192aXJ0Zm4pIHsKLSAgICAgICAgZW11X21h c2sgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwotICAgIH0KIAogICAgIC8qIG1v ZGlmeSBlbXVsYXRlIHJlZ2lzdGVyICovCiAgICAgd3JpdGFibGVfbWFzayA9 IH5yZWctPnJvX21hc2sgJiB2YWxpZF9tYXNrOwogICAgIGNmZ19lbnRyeS0+ ZGF0YSA9IFhFTl9QVF9NRVJHRV9WQUxVRSgqdmFsLCBjZmdfZW50cnktPmRh dGEsIHdyaXRhYmxlX21hc2spOwogCiAgICAgLyogY3JlYXRlIHZhbHVlIGZv ciB3cml0aW5nIHRvIEkvTyBkZXZpY2UgcmVnaXN0ZXIgKi8KLSAgICB0aHJv dWdoYWJsZV9tYXNrID0gfmVtdV9tYXNrICYgdmFsaWRfbWFzazsKKyAgICB0 aHJvdWdoYWJsZV9tYXNrID0gfnJlZy0+ZW11X21hc2sgJiB2YWxpZF9tYXNr OwogCiAgICAgaWYgKCp2YWwgJiBQQ0lfQ09NTUFORF9JTlRYX0RJU0FCTEUp IHsKICAgICAgICAgdGhyb3VnaGFibGVfbWFzayB8PSBQQ0lfQ09NTUFORF9J TlRYX0RJU0FCTEU7CkBAIC02MDUsOSArNTgzLDkgQEAgc3RhdGljIFhlblBU UmVnSW5mbyB4ZW5fcHRfZW11X3JlZ19oZWFkZQogICAgICAgICAuc2l6ZSAg ICAgICA9IDIsCiAgICAgICAgIC5pbml0X3ZhbCAgID0gMHgwMDAwLAogICAg ICAgICAucm9fbWFzayAgICA9IDB4Rjg4MCwKLSAgICAgICAgLmVtdV9tYXNr ICAgPSAweDA3NDAsCisgICAgICAgIC5lbXVfbWFzayAgID0gMHgwNzQzLAog ICAgICAgICAuaW5pdCAgICAgICA9IHhlbl9wdF9jb21tb25fcmVnX2luaXQs Ci0gICAgICAgIC51LncucmVhZCAgID0geGVuX3B0X2NtZF9yZWdfcmVhZCwK KyAgICAgICAgLnUudy5yZWFkICAgPSB4ZW5fcHRfd29yZF9yZWdfcmVhZCwK ICAgICAgICAgLnUudy53cml0ZSAgPSB4ZW5fcHRfY21kX3JlZ193cml0ZSwK ICAgICB9LAogICAgIC8qIENhcGFiaWxpdGllcyBQb2ludGVyIHJlZyAqLwo= --=separator Content-Type: application/octet-stream; name="xsa126-qemuu-incr.patch" Content-Disposition: attachment; filename="xsa126-qemuu-incr.patch" Content-Transfer-Encoding: base64 eGVuOiBlbmFibGUgbWVtb3J5IGFuZCBJL08gZGVjb2RpbmcgYmVmb3JlIHBh c3NpbmcgUENJIGRldmljZSB0byBndWVzdAoKT3RoZXJ3aXNlLCB3aXRoIHYx IG9mIHRoZSBYU0EtMTI2IGZpeCBpbiBwbGFjZSwgbm90aGluZyB3aWxsIGRv IHRoaXMsCmxlYXZpbmcgdGhlIGRldmljZSB1bnVzYWJsZSBleGNlcHQgZm9y IG1hbGljaW91cyBwdXJwb3Nlcy4KClRoaXMgaXMgcGFydCBvZiBDVkUtMjAx NS0yNzU2IC8gWFNBLTEyNi4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNo IDxqYmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8 aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94ZW4veGVuX3B0 LmMKKysrIGIvaHcveGVuL3hlbl9wdC5jCkBAIC0zODgsNyArMzg4LDcgQEAg c3RhdGljIGNvbnN0IE1lbW9yeVJlZ2lvbk9wcyBvcHMgPSB7CiAgICAgLndy aXRlID0geGVuX3B0X2Jhcl93cml0ZSwKIH07CiAKLXN0YXRpYyBpbnQgeGVu X3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAq cykKK3N0YXRpYyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUENJ UGFzc3Rocm91Z2hTdGF0ZSAqcywgdWludDE2X3QgKmNtZCkKIHsKICAgICBp bnQgaSA9IDA7CiAgICAgWGVuSG9zdFBDSURldmljZSAqZCA9ICZzLT5yZWFs X2RldmljZTsKQEAgLTQwNiw2ICs0MDYsNyBAQCBzdGF0aWMgaW50IHhlbl9w dF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDCiAKICAgICAgICAgaWYgKHItPnR5 cGUgJiBYRU5fSE9TVF9QQ0lfUkVHSU9OX1RZUEVfSU8pIHsKICAgICAgICAg ICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERSRVNTX1NQQUNFX0lPOworICAgICAg ICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9JTzsKICAgICAgICAgfSBlbHNl IHsKICAgICAgICAgICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERSRVNTX1NQQUNF X01FTU9SWTsKICAgICAgICAgICAgIGlmIChyLT50eXBlICYgWEVOX0hPU1Rf UENJX1JFR0lPTl9UWVBFX1BSRUZFVENIKSB7CkBAIC00MTQsNiArNDE1LDcg QEAgc3RhdGljIGludCB4ZW5fcHRfcmVnaXN0ZXJfcmVnaW9ucyhYZW5QQwog ICAgICAgICAgICAgaWYgKHItPnR5cGUgJiBYRU5fSE9TVF9QQ0lfUkVHSU9O X1RZUEVfTUVNXzY0KSB7CiAgICAgICAgICAgICAgICAgdHlwZSB8PSBQQ0lf QkFTRV9BRERSRVNTX01FTV9UWVBFXzY0OwogICAgICAgICAgICAgfQorICAg ICAgICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7CiAgICAgICAg IH0KIAogICAgICAgICBtZW1vcnlfcmVnaW9uX2luaXRfaW8oJnMtPmJhcltp XSwgT0JKRUNUKHMpLCAmb3BzLCAmcy0+ZGV2LApAQCAtNjM4LDYgKzY0MCw3 IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lEZXZpY2UgKmQpCiAg ICAgWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcyA9IERPX1VQQ0FTVChYZW5Q Q0lQYXNzdGhyb3VnaFN0YXRlLCBkZXYsIGQpOwogICAgIGludCByYyA9IDA7 CiAgICAgdWludDhfdCBtYWNoaW5lX2lycSA9IDA7CisgICAgdWludDE2X3Qg Y21kID0gMDsKICAgICBpbnQgcGlycSA9IFhFTl9QVF9VTkFTU0lHTkVEX1BJ UlE7CiAKICAgICAvKiByZWdpc3RlciByZWFsIGRldmljZSAqLwpAQCAtNjcy LDcgKzY3NSw3IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lEZXZp Y2UgKmQpCiAgICAgcy0+aW9fbGlzdGVuZXIgPSB4ZW5fcHRfaW9fbGlzdGVu ZXI7CiAKICAgICAvKiBIYW5kbGUgcmVhbCBkZXZpY2UncyBNTUlPL1BJTyBC QVJzICovCi0gICAgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMocyk7CisgICAg eGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMocywgJmNtZCk7CiAKICAgICAvKiBy ZWluaXRpYWxpemUgZWFjaCBjb25maWcgcmVnaXN0ZXIgdG8gYmUgZW11bGF0 ZWQgKi8KICAgICBpZiAoeGVuX3B0X2NvbmZpZ19pbml0KHMpKSB7CkBAIC03 MzYsNiArNzM5LDExIEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lE ZXZpY2UgKmQpCiAgICAgfQogCiBvdXQ6CisgICAgaWYgKGNtZCkgeworICAg ICAgICB4ZW5faG9zdF9wY2lfc2V0X3dvcmQoJnMtPnJlYWxfZGV2aWNlLCBQ Q0lfQ09NTUFORCwKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBj aV9nZXRfd29yZChkLT5jb25maWcgKyBQQ0lfQ09NTUFORCkgfCBjbWQpOwor ICAgIH0KKwogICAgIG1lbW9yeV9saXN0ZW5lcl9yZWdpc3Rlcigmcy0+bWVt b3J5X2xpc3RlbmVyLCAmYWRkcmVzc19zcGFjZV9tZW1vcnkpOwogICAgIG1l bW9yeV9saXN0ZW5lcl9yZWdpc3Rlcigmcy0+aW9fbGlzdGVuZXIsICZhZGRy ZXNzX3NwYWNlX2lvKTsKICAgICBYRU5fUFRfTE9HKGQsCg== --=separator Content-Type: application/octet-stream; name="xsa126-qemuu.patch" Content-Disposition: attachment; filename="xsa126-qemuu.patch" Content-Transfer-Encoding: base64 eGVuOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIFBDSSBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTI3NTYgLyBYU0Et MTI2LgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVm YW5vLnN0YWJlbGxpbmlAZXUuY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS9ody94 ZW4veGVuX3B0LmMKKysrIGIvaHcveGVuL3hlbl9wdC5jCkBAIC0zODgsNyAr Mzg4LDcgQEAgc3RhdGljIGNvbnN0IE1lbW9yeVJlZ2lvbk9wcyBvcHMgPSB7 CiAgICAgLndyaXRlID0geGVuX3B0X2Jhcl93cml0ZSwKIH07CiAKLXN0YXRp YyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMoWGVuUENJUGFzc3Rocm91 Z2hTdGF0ZSAqcykKK3N0YXRpYyBpbnQgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lv bnMoWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcywgdWludDE2X3QgKmNtZCkK IHsKICAgICBpbnQgaSA9IDA7CiAgICAgWGVuSG9zdFBDSURldmljZSAqZCA9 ICZzLT5yZWFsX2RldmljZTsKQEAgLTQwNiw2ICs0MDYsNyBAQCBzdGF0aWMg aW50IHhlbl9wdF9yZWdpc3Rlcl9yZWdpb25zKFhlblBDCiAKICAgICAgICAg aWYgKHItPnR5cGUgJiBYRU5fSE9TVF9QQ0lfUkVHSU9OX1RZUEVfSU8pIHsK ICAgICAgICAgICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERSRVNTX1NQQUNFX0lP OworICAgICAgICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9JTzsKICAgICAg ICAgfSBlbHNlIHsKICAgICAgICAgICAgIHR5cGUgPSBQQ0lfQkFTRV9BRERS RVNTX1NQQUNFX01FTU9SWTsKICAgICAgICAgICAgIGlmIChyLT50eXBlICYg WEVOX0hPU1RfUENJX1JFR0lPTl9UWVBFX1BSRUZFVENIKSB7CkBAIC00MTQs NiArNDE1LDcgQEAgc3RhdGljIGludCB4ZW5fcHRfcmVnaXN0ZXJfcmVnaW9u cyhYZW5QQwogICAgICAgICAgICAgaWYgKHItPnR5cGUgJiBYRU5fSE9TVF9Q Q0lfUkVHSU9OX1RZUEVfTUVNXzY0KSB7CiAgICAgICAgICAgICAgICAgdHlw ZSB8PSBQQ0lfQkFTRV9BRERSRVNTX01FTV9UWVBFXzY0OwogICAgICAgICAg ICAgfQorICAgICAgICAgICAgKmNtZCB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7 CiAgICAgICAgIH0KIAogICAgICAgICBtZW1vcnlfcmVnaW9uX2luaXRfaW8o JnMtPmJhcltpXSwgT0JKRUNUKHMpLCAmb3BzLCAmcy0+ZGV2LApAQCAtNjM4 LDYgKzY0MCw3IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRmbihQQ0lEZXZp Y2UgKmQpCiAgICAgWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcyA9IERPX1VQ Q0FTVChYZW5QQ0lQYXNzdGhyb3VnaFN0YXRlLCBkZXYsIGQpOwogICAgIGlu dCByYyA9IDA7CiAgICAgdWludDhfdCBtYWNoaW5lX2lycSA9IDA7CisgICAg dWludDE2X3QgY21kID0gMDsKICAgICBpbnQgcGlycSA9IFhFTl9QVF9VTkFT U0lHTkVEX1BJUlE7CiAKICAgICAvKiByZWdpc3RlciByZWFsIGRldmljZSAq LwpAQCAtNjcyLDcgKzY3NSw3IEBAIHN0YXRpYyBpbnQgeGVuX3B0X2luaXRm bihQQ0lEZXZpY2UgKmQpCiAgICAgcy0+aW9fbGlzdGVuZXIgPSB4ZW5fcHRf aW9fbGlzdGVuZXI7CiAKICAgICAvKiBIYW5kbGUgcmVhbCBkZXZpY2UncyBN TUlPL1BJTyBCQVJzICovCi0gICAgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMo cyk7CisgICAgeGVuX3B0X3JlZ2lzdGVyX3JlZ2lvbnMocywgJmNtZCk7CiAK ICAgICAvKiByZWluaXRpYWxpemUgZWFjaCBjb25maWcgcmVnaXN0ZXIgdG8g YmUgZW11bGF0ZWQgKi8KICAgICBpZiAoeGVuX3B0X2NvbmZpZ19pbml0KHMp KSB7CkBAIC03MzYsNiArNzM5LDExIEBAIHN0YXRpYyBpbnQgeGVuX3B0X2lu aXRmbihQQ0lEZXZpY2UgKmQpCiAgICAgfQogCiBvdXQ6CisgICAgaWYgKGNt ZCkgeworICAgICAgICB4ZW5faG9zdF9wY2lfc2V0X3dvcmQoJnMtPnJlYWxf ZGV2aWNlLCBQQ0lfQ09NTUFORCwKKyAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIHBjaV9nZXRfd29yZChkLT5jb25maWcgKyBQQ0lfQ09NTUFORCkg fCBjbWQpOworICAgIH0KKwogICAgIG1lbW9yeV9saXN0ZW5lcl9yZWdpc3Rl cigmcy0+bWVtb3J5X2xpc3RlbmVyLCAmYWRkcmVzc19zcGFjZV9tZW1vcnkp OwogICAgIG1lbW9yeV9saXN0ZW5lcl9yZWdpc3Rlcigmcy0+aW9fbGlzdGVu ZXIsICZhZGRyZXNzX3NwYWNlX2lvKTsKICAgICBYRU5fUFRfTE9HKGQsCi0t LSBhL2h3L3hlbi94ZW5fcHRfY29uZmlnX2luaXQuYworKysgYi9ody94ZW4v eGVuX3B0X2NvbmZpZ19pbml0LmMKQEAgLTI4NiwyMyArMjg2LDYgQEAgc3Rh dGljIGludCB4ZW5fcHRfaXJxcGluX3JlZ19pbml0KFhlblBDSQogfQogCiAv KiBDb21tYW5kIHJlZ2lzdGVyICovCi1zdGF0aWMgaW50IHhlbl9wdF9jbWRf cmVnX3JlYWQoWGVuUENJUGFzc3Rocm91Z2hTdGF0ZSAqcywgWGVuUFRSZWcg KmNmZ19lbnRyeSwKLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1 aW50MTZfdCAqdmFsdWUsIHVpbnQxNl90IHZhbGlkX21hc2spCi17Ci0gICAg WGVuUFRSZWdJbmZvICpyZWcgPSBjZmdfZW50cnktPnJlZzsKLSAgICB1aW50 MTZfdCB2YWxpZF9lbXVfbWFzayA9IDA7Ci0gICAgdWludDE2X3QgZW11X21h c2sgPSByZWctPmVtdV9tYXNrOwotCi0gICAgaWYgKHMtPmlzX3ZpcnRmbikg ewotICAgICAgICBlbXVfbWFzayB8PSBQQ0lfQ09NTUFORF9NRU1PUlk7Ci0g ICAgfQotCi0gICAgLyogZW11bGF0ZSB3b3JkIHJlZ2lzdGVyICovCi0gICAg dmFsaWRfZW11X21hc2sgPSBlbXVfbWFzayAmIHZhbGlkX21hc2s7Ci0gICAg KnZhbHVlID0gWEVOX1BUX01FUkdFX1ZBTFVFKCp2YWx1ZSwgY2ZnX2VudHJ5 LT5kYXRhLCB+dmFsaWRfZW11X21hc2spOwotCi0gICAgcmV0dXJuIDA7Ci19 CiBzdGF0aWMgaW50IHhlbl9wdF9jbWRfcmVnX3dyaXRlKFhlblBDSVBhc3N0 aHJvdWdoU3RhdGUgKnMsIFhlblBUUmVnICpjZmdfZW50cnksCiAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIHVpbnQxNl90ICp2YWwsIHVpbnQx Nl90IGRldl92YWx1ZSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgdWludDE2X3QgdmFsaWRfbWFzaykKQEAgLTMxMCwxOCArMjkzLDEzIEBA IHN0YXRpYyBpbnQgeGVuX3B0X2NtZF9yZWdfd3JpdGUoWGVuUENJUGEKICAg ICBYZW5QVFJlZ0luZm8gKnJlZyA9IGNmZ19lbnRyeS0+cmVnOwogICAgIHVp bnQxNl90IHdyaXRhYmxlX21hc2sgPSAwOwogICAgIHVpbnQxNl90IHRocm91 Z2hhYmxlX21hc2sgPSAwOwotICAgIHVpbnQxNl90IGVtdV9tYXNrID0gcmVn LT5lbXVfbWFzazsKLQotICAgIGlmIChzLT5pc192aXJ0Zm4pIHsKLSAgICAg ICAgZW11X21hc2sgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwotICAgIH0KIAog ICAgIC8qIG1vZGlmeSBlbXVsYXRlIHJlZ2lzdGVyICovCiAgICAgd3JpdGFi bGVfbWFzayA9IH5yZWctPnJvX21hc2sgJiB2YWxpZF9tYXNrOwogICAgIGNm Z19lbnRyeS0+ZGF0YSA9IFhFTl9QVF9NRVJHRV9WQUxVRSgqdmFsLCBjZmdf ZW50cnktPmRhdGEsIHdyaXRhYmxlX21hc2spOwogCiAgICAgLyogY3JlYXRl IHZhbHVlIGZvciB3cml0aW5nIHRvIEkvTyBkZXZpY2UgcmVnaXN0ZXIgKi8K LSAgICB0aHJvdWdoYWJsZV9tYXNrID0gfmVtdV9tYXNrICYgdmFsaWRfbWFz azsKKyAgICB0aHJvdWdoYWJsZV9tYXNrID0gfnJlZy0+ZW11X21hc2sgJiB2 YWxpZF9tYXNrOwogCiAgICAgaWYgKCp2YWwgJiBQQ0lfQ09NTUFORF9JTlRY X0RJU0FCTEUpIHsKICAgICAgICAgdGhyb3VnaGFibGVfbWFzayB8PSBQQ0lf Q09NTUFORF9JTlRYX0RJU0FCTEU7CkBAIC02MDUsOSArNTgzLDkgQEAgc3Rh dGljIFhlblBUUmVnSW5mbyB4ZW5fcHRfZW11X3JlZ19oZWFkZQogICAgICAg ICAuc2l6ZSAgICAgICA9IDIsCiAgICAgICAgIC5pbml0X3ZhbCAgID0gMHgw MDAwLAogICAgICAgICAucm9fbWFzayAgICA9IDB4Rjg4MCwKLSAgICAgICAg LmVtdV9tYXNrICAgPSAweDA3NDAsCisgICAgICAgIC5lbXVfbWFzayAgID0g MHgwNzQzLAogICAgICAgICAuaW5pdCAgICAgICA9IHhlbl9wdF9jb21tb25f cmVnX2luaXQsCi0gICAgICAgIC51LncucmVhZCAgID0geGVuX3B0X2NtZF9y ZWdfcmVhZCwKKyAgICAgICAgLnUudy5yZWFkICAgPSB4ZW5fcHRfd29yZF9y ZWdfcmVhZCwKICAgICAgICAgLnUudy53cml0ZSAgPSB4ZW5fcHRfY21kX3Jl Z193cml0ZSwKICAgICB9LAogICAgIC8qIENhcGFiaWxpdGllcyBQb2ludGVy IHJlZyAqLwo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 31 12:11:10 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 12:11:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzq-00004q-6u; Tue, 31 Mar 2015 12:10:18 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzo-0008VU-SU; Tue, 31 Mar 2015 12:10:17 +0000 Received: from [193.109.254.147] by server-2.bemta-14.messagelabs.com id 2C/46-14319-7AE8A155; Tue, 31 Mar 2015 12:10:15 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-5.tower-27.messagelabs.com!1427803814!9920721!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 22798 invoked from network); 31 Mar 2015 12:10:15 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 12:10:15 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Ycuzf-0006xl-GJ; Tue, 31 Mar 2015 12:10:07 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1Ycuzf-0005TY-Ao; Tue, 31 Mar 2015 12:10:07 +0000 Date: Tue, 31 Mar 2015 12:10:07 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 127 (CVE-2015-2751) - Certain domctl operations may be abused to lock up the host X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2751 / XSA-127 version 2 Certain domctl operations may be abused to lock up the host UPDATES IN VERSION 2 ==================== CVE assigned. Public release. ISSUE DESCRIPTION ================= XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not really correct: Their (mis-)use may result in host lockups. As a result, the potential security benefits of toolstack disaggregation are not always fully realised. IMPACT ====== Domains deliberately given partial management control may be able to deny service to the entire host. As a result, in a system designed to enhance security by radically disaggregating the management, the security may be reduced. But, the security will be no worse than a non-disaggregated design. VULNERABLE SYSTEMS ================== Xen versions 4.3 onwards are vulnerable. Xen versions 4.2 and earlier do not have the described disaggregation functionality and hence are not vulnerable. MITIGATION ========== The issues discussed in this advisory are themselves bugs in features used for a security risk mitigation. There is no further mitigation available, beyond general measures to try to avoid parts of the system management becoming controlled by attackers. Those are the kind of measures which we expect any users of radical disaggregation to have already deployed. Switching from disaggregated to a non-disaggregated operation does NOT mitigate these vulnerabilities. Rather, it simply recategorises the vulnerability to hostile management code, regarding it "as designed"; thus it merely reclassifies these issues as "not a bug". Users and vendors of disaggregated systems should not change their configuration. The robustness benefits of disaggregation are unaffected, and (depending on system design) security benefits are likely to remain despite the vulnerabilities. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa127-unstable.patch xen-unstable xsa127-4.x.patch Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa127*.patch 5b98280738a205c40f56d0a7feb6ea6cd867da7ac1e0d9f4fc4620bae2c09171 xsa127.patch e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd xsa127-4.x.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGo5PAAoJEIP+FMlX6CvZMhoH/0zH/JpvOk+dTQHVBN5uYjDB hkW5+/K4NfqRpnxQmTNJ6F5j0gcjbPCusf1yjdwjsAkToX2Y3TmqQAulpzkpT1z2 vvnIl8nYvD92fL1C8U9EBAXj62QmxN/IoX8rSl+g8byhoSO4WmUkbqseOb6LlcV3 wq/H15ZFfE6FjDQQGaFasbYyDOgBQiWFEmrBo2Zx7Qkendv5lt0YV/6/j3m1R8Hm D9fEchB07zKO49YkKnRrucDSf/9JTJI8W8M4Hmm9ykXncdUVI7xTSa66/XDOegcL ArBl9aXvuN9jMETS/JJBkEwqvULTQMy+Ac4NxBJE2W0allkKZxCcHMq50oSq3t0= =qqy0 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa127.patch" Content-Disposition: attachment; filename="xsa127.patch" Content-Transfer-Encoding: base64 ZG9tY3RsOiBkb24ndCBhbGxvdyBhIHRvb2xzdGFjayBkb21haW4gdG8gY2Fs bCBkb21haW5fcGF1c2UoKSBvbiBpdHNlbGYKClRoZXNlIERPTUNUTCBzdWJv cHMgd2VyZSBhY2NpZGVudGFsbHkgZGVjbGFyZWQgc2FmZSBmb3IgZGlzYWdn cmVnYXRpb24KaW4gdGhlIHdha2Ugb2YgWFNBLTc3LgoKVGhpcyBpcyBYU0Et MTI3LgoKU2lnbmVkLW9mZi1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNv b3BlcjNAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVsaWNoIDxq YmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8aWFu LmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvZG9t Y3RsLmMKKysrIGIveGVuL2FyY2gveDg2L2RvbWN0bC5jCkBAIC04ODQsNiAr ODg0LDEwIEBAIGxvbmcgYXJjaF9kb19kb21jdGwoCiAgICAgewogICAgICAg ICB4ZW5fZ3Vlc3RfdHNjX2luZm9fdCBpbmZvOwogCisgICAgICAgIHJldCA9 IC1FSU5WQUw7CisgICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4g KSAvKiBubyBkb21haW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7 CisKICAgICAgICAgZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2NfZ2V0 X2luZm8oZCwgJmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAgICAgICAg ICAgICAmaW5mby5lbGFwc2VkX25zZWMsCkBAIC04OTksNiArOTAzLDEwIEBA IGxvbmcgYXJjaF9kb19kb21jdGwoCiAKICAgICBjYXNlIFhFTl9ET01DVExf c2V0dHNjaW5mbzoKICAgICB7CisgICAgICAgIHJldCA9IC1FSU5WQUw7Cisg ICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4gKSAvKiBubyBkb21h aW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAg ZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2Nfc2V0X2luZm8oZCwgZG9t Y3RsLT51LnRzY19pbmZvLmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAg ICAgICAgICBkb21jdGwtPnUudHNjX2luZm8uaW5mby5lbGFwc2VkX25zZWMs Ci0tLSBhL3hlbi9jb21tb24vZG9tY3RsLmMKKysrIGIveGVuL2NvbW1vbi9k b21jdGwuYwpAQCAtNTMxLDcgKzUzMSwxMCBAQCBsb25nIGRvX2RvbWN0bChY RU5fR1VFU1RfSEFORExFX1BBUkFNKHhlCiAgICAgICAgIGJyZWFrOwogCiAg ICAgY2FzZSBYRU5fRE9NQ1RMX3Jlc3VtZWRvbWFpbjoKLSAgICAgICAgZG9t YWluX3Jlc3VtZShkKTsKKyAgICAgICAgaWYgKCBkID09IGN1cnJlbnQtPmRv bWFpbiApIC8qIG5vIGRvbWFpbl9wYXVzZSgpICovCisgICAgICAgICAgICBy ZXQgPSAtRUlOVkFMOworICAgICAgICBlbHNlCisgICAgICAgICAgICBkb21h aW5fcmVzdW1lKGQpOwogICAgICAgICBicmVhazsKIAogICAgIGNhc2UgWEVO X0RPTUNUTF9jcmVhdGVkb21haW46Cg== --=separator Content-Type: application/octet-stream; name="xsa127-4.x.patch" Content-Disposition: attachment; filename="xsa127-4.x.patch" Content-Transfer-Encoding: base64 ZG9tY3RsOiBkb24ndCBhbGxvdyBhIHRvb2xzdGFjayBkb21haW4gdG8gY2Fs bCBkb21haW5fcGF1c2UoKSBvbiBpdHNlbGYKClRoZXNlIERPTUNUTCBzdWJv cHMgd2VyZSBhY2NpZGVudGFsbHkgZGVjbGFyZWQgc2FmZSBmb3IgZGlzYWdn cmVnYXRpb24KaW4gdGhlIHdha2Ugb2YgWFNBLTc3LgoKVGhpcyBpcyBYU0Et MTI3LgoKU2lnbmVkLW9mZi1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNv b3BlcjNAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVsaWNoIDxq YmV1bGljaEBzdXNlLmNvbT4KQWNrZWQtYnk6IElhbiBDYW1wYmVsbCA8aWFu LmNhbXBiZWxsQGNpdHJpeC5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvZG9t Y3RsLmMKKysrIGIveGVuL2FyY2gveDg2L2RvbWN0bC5jCkBAIC04ODgsNiAr ODg4LDEwIEBAIGxvbmcgYXJjaF9kb19kb21jdGwoCiAgICAgewogICAgICAg ICB4ZW5fZ3Vlc3RfdHNjX2luZm9fdCBpbmZvOwogCisgICAgICAgIHJldCA9 IC1FSU5WQUw7CisgICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4g KSAvKiBubyBkb21haW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7 CisKICAgICAgICAgZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2NfZ2V0 X2luZm8oZCwgJmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAgICAgICAg ICAgICAmaW5mby5lbGFwc2VkX25zZWMsCkBAIC05MDMsNiArOTA3LDEwIEBA IGxvbmcgYXJjaF9kb19kb21jdGwoCiAKICAgICBjYXNlIFhFTl9ET01DVExf c2V0dHNjaW5mbzoKICAgICB7CisgICAgICAgIHJldCA9IC1FSU5WQUw7Cisg ICAgICAgIGlmICggZCA9PSBjdXJyZW50LT5kb21haW4gKSAvKiBubyBkb21h aW5fcGF1c2UoKSAqLworICAgICAgICAgICAgYnJlYWs7CisKICAgICAgICAg ZG9tYWluX3BhdXNlKGQpOwogICAgICAgICB0c2Nfc2V0X2luZm8oZCwgZG9t Y3RsLT51LnRzY19pbmZvLmluZm8udHNjX21vZGUsCiAgICAgICAgICAgICAg ICAgICAgICBkb21jdGwtPnUudHNjX2luZm8uaW5mby5lbGFwc2VkX25zZWMs Ci0tLSBhL3hlbi9jb21tb24vZG9tY3RsLmMKKysrIGIveGVuL2NvbW1vbi9k b21jdGwuYwpAQCAtNTIyLDggKzUyMiwxMCBAQCBsb25nIGRvX2RvbWN0bChY RU5fR1VFU1RfSEFORExFX1BBUkFNKHhlCiAKICAgICBjYXNlIFhFTl9ET01D VExfcmVzdW1lZG9tYWluOgogICAgIHsKLSAgICAgICAgZG9tYWluX3Jlc3Vt ZShkKTsKLSAgICAgICAgcmV0ID0gMDsKKyAgICAgICAgaWYgKCBkID09IGN1 cnJlbnQtPmRvbWFpbiApIC8qIG5vIGRvbWFpbl9wYXVzZSgpICovCisgICAg ICAgICAgICByZXQgPSAtRUlOVkFMOworICAgICAgICBlbHNlCisgICAgICAg ICAgICBkb21haW5fcmVzdW1lKGQpOwogICAgIH0KICAgICBicmVhazsKIAo= --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 31 16:15:01 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 16:15:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcynZ-00070a-2D; Tue, 31 Mar 2015 16:13:53 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcynW-0006zA-VA; Tue, 31 Mar 2015 16:13:51 +0000 Received: from [193.109.254.147] by server-12.bemta-14.messagelabs.com id 22/9D-24420-EB7CA155; Tue, 31 Mar 2015 16:13:50 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-4.tower-27.messagelabs.com!1427818428!14661190!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 27374 invoked from network); 31 Mar 2015 16:13:49 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-4.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 16:13:49 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcynL-0001kp-OP; Tue, 31 Mar 2015 16:13:39 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YcynL-0007ma-7c; Tue, 31 Mar 2015 16:13:39 +0000 Date: Tue, 31 Mar 2015 16:13:39 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 120 (CVE-2015-2150) - Non-maskable interrupts triggerable by guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2150 / XSA-120 version 5 Non-maskable interrupts triggerable by guests UPDATES IN VERSION 5 ==================== The original patches were incomplete: although they eliminated the possibility that the guest might disable memory and I/O decoding, they did not ensure that these bits were set at start of day. The result was that a malicious guest could simply avoid enabling them and continue to exploit the vulnerability. Well behaved guests would normally enable decoding and therefore would not normally suffer a regression. Additional patches are now supplied to resolve this issue. ISSUE DESCRIPTION ================= Guests are currently permitted to modify all of the (writable) bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case subsequent accesses to the respective MMIO or I/O port ranges would - - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific. IMPACT ====== In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Upstream Linux versions 3.1 and onwards are vulnerable due to supporting PCI backend functionality. Other Linux versions as well as other OS versions may be vulnerable too. Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted guests. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patches resolves this issue for the indicated versions of Linux, but only for ordinary PCI config space accesses by the guest. See XSA-124 for all other cases. xsa120.patch Linux 3.19 xsa120-addendum.patch Linux 3.19 xsa120-classic.patch linux-2.6.18-xen.hg xsa120-classic-addendum.patch linux-2.6.18-xen.hg $ sha256sum xsa120*.patch 32441fd3930848f7533f74376648fbeb5e35870661e1259860fe10f9a1f67f88 xsa120.patch 32be0b76f5585e9258ebaed348b40b57014ee5163c313a0523fd46f55ac05210 xsa120-addendum.patch ecd4568d418d6e275f1eebdba4867e7cfdc6a487292db0e9eff0e9e7e2c91826 xsa120-classic.patch 8b377abe56bebf5030587030bf231c2d5bc1f695e21cc4dfbbd348e9b616849c xsa120-classic-addendum.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGseNAAoJEIP+FMlX6CvZcR4H/RGyM4VV4/1LLFkERmVe6jCq KhPGTWw72ZMt+iTGLZYOWGu3CTwpG2RSMWwRUNE9dBinUyq5j8GYW+dpAmtBFCT/ muEW3k+cw4BnhOIi6ny3bcCsxnm7SesrpWAmRvwgZRWljZMA0tHhperl1ioovMG0 +jf7ktNU91li7jTm0BSba7FoWIhfSsY5K+hU0/xMrKOUkzdpYzhu8Uzj9exhijHC 5AJ05XDi88ZuZfR7ZPnVvTOaIJaXsVeiM4rfSpp+SsqTyOZW4+ORpd5ecEp93O/N LNtcHsUjqwm/ezkwM8oHrGQqYWf7Ms4mRuykIE2X/voG/Cf+kvDQE7fOj++3Db0= =La+E -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa120.patch" Content-Disposition: attachment; filename="xsa120.patch" Content-Transfer-Encoding: base64 eGVuLXBjaWJhY2s6IGxpbWl0IGd1ZXN0IGNvbnRyb2wgb2YgY29tbWFuZCBy ZWdpc3RlcgoKT3RoZXJ3aXNlIHRoZSBndWVzdCBjYW4gYWJ1c2UgdGhhdCBj b250cm9sIHRvIGNhdXNlIGUuZy4gUENJZQpVbnN1cHBvcnRlZCBSZXF1ZXN0 IHJlc3BvbnNlcyAoYnkgZGlzYWJsaW5nIG1lbW9yeSBhbmQvb3IgSS9PIGRl Y29kaW5nCmFuZCBzdWJzZXF1ZW50bHkgY2F1c2luZyBbQ1BVIHNpZGVdIGFj Y2Vzc2VzIHRvIHRoZSByZXNwZWN0aXZlIGFkZHJlc3MKcmFuZ2VzKSwgd2hp Y2ggKGRlcGVuZGluZyBvbiBzeXN0ZW0gY29uZmlndXJhdGlvbikgbWF5IGJl IGZhdGFsIHRvIHRoZQpob3N0LgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUwIC8g WFNBLTEyMC4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGlj aEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2ls ayA8a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KCi0tLSBhL2RyaXZlcnMveGVu L3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuYworKysgYi9kcml2ZXJzL3hlbi94 ZW4tcGNpYmFjay9jb25mX3NwYWNlLmMKQEAgLTE2LDcgKzE2LDcgQEAKICNp bmNsdWRlICJjb25mX3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9x dWlya3MuaCIKIAotc3RhdGljIGJvb2wgcGVybWlzc2l2ZTsKK2Jvb2wgcGVy bWlzc2l2ZTsKIG1vZHVsZV9wYXJhbShwZXJtaXNzaXZlLCBib29sLCAwNjQ0 KTsKIAogLyogVGhpcyBpcyB3aGVyZSB4ZW5fcGNpYmtfcmVhZF9jb25maWdf Ynl0ZSwgeGVuX3BjaWJrX3JlYWRfY29uZmlnX3dvcmQsCi0tLSBhL2RyaXZl cnMveGVuL3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuaAorKysgYi9kcml2ZXJz L3hlbi94ZW4tcGNpYmFjay9jb25mX3NwYWNlLmgKQEAgLTY0LDYgKzY0LDgg QEAgc3RydWN0IGNvbmZpZ19maWVsZF9lbnRyeSB7CiAJdm9pZCAqZGF0YTsK IH07CiAKK2V4dGVybiBib29sIHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZG U0VUKGNmZ19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2Zn X2VudHJ5KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBh IGRldmljZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0 IGEgcG9pbnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi94ZW4tcGNpYmFjay9j b25mX3NwYWNlX2hlYWRlci5jCisrKyBiL2RyaXZlcnMveGVuL3hlbi1wY2li YWNrL2NvbmZfc3BhY2VfaGVhZGVyLmMKQEAgLTExLDYgKzExLDEwIEBACiAj aW5jbHVkZSAicGNpYmFjay5oIgogI2luY2x1ZGUgImNvbmZfc3BhY2UuaCIK IAorc3RydWN0IHBjaV9jbWRfaW5mbyB7CisJdTE2IHZhbDsKK307CisKIHN0 cnVjdCBwY2lfYmFyX2luZm8gewogCXUzMiB2YWw7CiAJdTMyIGxlbl92YWw7 CkBAIC0yMCwyMiArMjQsMzYgQEAgc3RydWN0IHBjaV9iYXJfaW5mbyB7CiAj ZGVmaW5lIGlzX2VuYWJsZV9jbWQodmFsdWUpICgodmFsdWUpJihQQ0lfQ09N TUFORF9NRU1PUll8UENJX0NPTU1BTkRfSU8pKQogI2RlZmluZSBpc19tYXN0 ZXJfY21kKHZhbHVlKSAoKHZhbHVlKSZQQ0lfQ09NTUFORF9NQVNURVIpCiAK LXN0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCisvKiBCaXRz IGd1ZXN0cyBhcmUgYWxsb3dlZCB0byBjb250cm9sIGluIHBlcm1pc3NpdmUg bW9kZS4gKi8KKyNkZWZpbmUgUENJX0NPTU1BTkRfR1VFU1QgKFBDSV9DT01N QU5EX01BU1RFUnxQQ0lfQ09NTUFORF9TUEVDSUFMfCBcCisJCQkgICBQQ0lf Q09NTUFORF9JTlZBTElEQVRFfFBDSV9DT01NQU5EX1ZHQV9QQUxFVFRFfCBc CisJCQkgICBQQ0lfQ09NTUFORF9XQUlUfFBDSV9DT01NQU5EX0ZBU1RfQkFD SykKKworc3RhdGljIHZvaWQgKmNvbW1hbmRfaW5pdChzdHJ1Y3QgcGNpX2Rl diAqZGV2LCBpbnQgb2Zmc2V0KQogewotCWludCBpOwotCWludCByZXQ7CisJ c3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0ga21hbGxvYyhzaXplb2YoKmNt ZCksIEdGUF9LRVJORUwpOworCWludCBlcnI7CiAKLQlyZXQgPSB4ZW5fcGNp YmtfcmVhZF9jb25maWdfd29yZChkZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEp OwotCWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSkKLQkJcmV0dXJuIHJldDsK LQotCWZvciAoaSA9IDA7IGkgPCBQQ0lfUk9NX1JFU09VUkNFOyBpKyspIHsK LQkJaWYgKGRldi0+cmVzb3VyY2VbaV0uZmxhZ3MgJiBJT1JFU09VUkNFX0lP KQotCQkJKnZhbHVlIHw9IFBDSV9DT01NQU5EX0lPOwotCQlpZiAoZGV2LT5y ZXNvdXJjZVtpXS5mbGFncyAmIElPUkVTT1VSQ0VfTUVNKQotCQkJKnZhbHVl IHw9IFBDSV9DT01NQU5EX01FTU9SWTsKKwlpZiAoIWNtZCkKKwkJcmV0dXJu IEVSUl9QVFIoLUVOT01FTSk7CisKKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIFBDSV9DT01NQU5ELCAmY21kLT52YWwpOworCWlmIChlcnIp IHsKKwkJa2ZyZWUoY21kKTsKKwkJcmV0dXJuIEVSUl9QVFIoZXJyKTsKIAl9 CiAKKwlyZXR1cm4gY21kOworfQorCitzdGF0aWMgaW50IGNvbW1hbmRfcmVh ZChzdHJ1Y3QgcGNpX2RldiAqZGV2LCBpbnQgb2Zmc2V0LCB1MTYgKnZhbHVl LCB2b2lkICpkYXRhKQoreworCWludCByZXQgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgdmFsdWUpOworCWNvbnN0IHN0cnVjdCBwY2lf Y21kX2luZm8gKmNtZCA9IGRhdGE7CisKKwkqdmFsdWUgJj0gUENJX0NPTU1B TkRfR1VFU1Q7CisJKnZhbHVlIHw9IGNtZC0+dmFsICYgflBDSV9DT01NQU5E X0dVRVNUOworCiAJcmV0dXJuIHJldDsKIH0KIApAQCAtNDMsNiArNjEsOCBA QCBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiB7 CiAJc3RydWN0IHhlbl9wY2lia19kZXZfZGF0YSAqZGV2X2RhdGE7CiAJaW50 IGVycjsKKwl1MTYgdmFsOworCXN0cnVjdCBwY2lfY21kX2luZm8gKmNtZCA9 IGRhdGE7CiAKIAlkZXZfZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwog CWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSAmJiBpc19lbmFibGVfY21kKHZh bHVlKSkgewpAQCAtODMsNiArMTAxLDE4IEBAIHN0YXRpYyBpbnQgY29tbWFu ZF93cml0ZShzdHJ1Y3QgcGNpX2RldiAKIAkJfQogCX0KIAorCWNtZC0+dmFs ID0gdmFsdWU7CisKKwlpZiAoIXBlcm1pc3NpdmUgJiYgKCFkZXZfZGF0YSB8 fCAhZGV2X2RhdGEtPnBlcm1pc3NpdmUpKQorCQlyZXR1cm4gMDsKKworCS8q IE9ubHkgYWxsb3cgdGhlIGd1ZXN0IHRvIGNvbnRyb2wgY2VydGFpbiBiaXRz LiAqLworCWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0 LCAmdmFsKTsKKwlpZiAoZXJyIHx8IHZhbCA9PSB2YWx1ZSkKKwkJcmV0dXJu IGVycjsKKwl2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwl2YWx1ZSB8 PSB2YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcGNpX3dy aXRlX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1ZSk7CiB9CiAKQEAg LTI4Miw2ICszMTIsOCBAQCBzdGF0aWMgY29uc3Qgc3RydWN0IGNvbmZpZ19m aWVsZCBoZWFkZXJfCiAJewogCSAub2Zmc2V0ICAgID0gUENJX0NPTU1BTkQs CiAJIC5zaXplICAgICAgPSAyLAorCSAuaW5pdCAgICAgID0gY29tbWFuZF9p bml0LAorCSAucmVsZWFzZSAgID0gYmFyX3JlbGVhc2UsCiAJIC51LncucmVh ZCAgPSBjb21tYW5kX3JlYWQsCiAJIC51Lncud3JpdGUgPSBjb21tYW5kX3dy aXRlLAogCX0sCg== --=separator Content-Type: application/octet-stream; name="xsa120-addendum.patch" Content-Disposition: attachment; filename="xsa120-addendum.patch" Content-Transfer-Encoding: base64 RnJvbSAyNDdhYjc5MjM0NjMxYjY2MjgzYzQ3MDI5ZWI4OTVhOGUzNjYzZTcw IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBLb25yYWQgUnplc3p1 dGVrIFdpbGsgPGtvbnJhZC53aWxrQG9yYWNsZS5jb20+CkRhdGU6IEZyaSwg MjcgTWFyIDIwMTUgMTM6MzE6MTEgLTA0MDAKU3ViamVjdDogW1BBVENIIDEv Ml0geGVuL3BjaWJhY2s6IERvbid0IGRpc2FibGUgUENJX0NPTU1BTkQgb24g UENJIGRldmljZQogcmVzZXQuCgpUaGVyZSBpcyBubyBuZWVkIGZvciB0aGlz IGF0IGFsbC4gV29yc3QgaXQgbWVhbnMgdGhhdCBpZgp0aGUgZ3Vlc3QgdHJp ZXMgdG8gd3JpdGUgdG8gQkFScyBpdCBjb3VsZCBsZWFkIChvbiBjZXJ0YWlu CnBsYXRmb3JtcykgdG8gUENJIFNFUlIgZXJyb3JzLgoKUGxlYXNlIG5vdGUg dGhhdCB3aXRoIGFmNmZjODU4YTM1YjkwZTg5ZWE3YTdlZTU4ZTY2NjI4YzU1 Yzc3NmIKInhlbi1wY2liYWNrOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIGNv bW1hbmQgcmVnaXN0ZXIiCmEgZ3Vlc3QgaXMgc3RpbGwgYWxsb3dlZCB0byBl bmFibGUgdGhvc2UgY29udHJvbCBiaXRzIChzYWZlbHkpLCBidXQKaXMgbm90 IGFsbG93ZWQgdG8gZGlzYWJsZSB0aGVtIGFuZCB0aGF0IHRoZXJlZm9yZSBh IHdlbGwgYmVoYXZlZApmcm9udGVuZCB3aGljaCBlbmFibGVzIHRoaW5ncyBi ZWZvcmUgdXNpbmcgdGhlbSB3aWxsIHN0aWxsCmZ1bmN0aW9uIGNvcnJlY3Rs eS4KClRoaXMgaXMgZG9uZSB2aWEgYW4gd3JpdGUgdG8gdGhlIGNvbmZpZ3Vy YXRpb24gcmVnaXN0ZXIgMHg0IHdoaWNoCnRyaWdnZXJzIG9uIHRoZSBiYWNr ZW5kIHNpZGU6CmNvbW1hbmRfd3JpdGUKICBcLSBwY2lfZW5hYmxlX2Rldmlj ZQogICAgIFwtIHBjaV9lbmFibGVfZGV2aWNlX2ZsYWdzCiAgICAgICAgXC0g ZG9fcGNpX2VuYWJsZV9kZXZpY2UKICAgICAgICAgICBcLSBwY2liaW9zX2Vu YWJsZV9kZXZpY2UKICAgICAgICAgICAgICBcLXBjaV9lbmFibGVfcmVzb3Vy Y2VzcwogICAgICAgICAgICAgICAgW3doaWNoIGVuYWJsZXMgdGhlIFBDSV9D T01NQU5EX01FTU9SWXxQQ0lfQ09NTUFORF9JT10KCkhvd2V2ZXIgZ3Vlc3Rz IChhbmQgZHJpdmVycykgd2hpY2ggZG9uJ3QgZG8gdGhpcyBjb3VsZCBjYXVz ZQpwcm9ibGVtcywgaW5jbHVkaW5nIHRoZSBzZWN1cml0eSBpc3N1ZXMgd2hp Y2ggWFNBLTEyMCBzb3VnaHQKdG8gYWRkcmVzcy4KClJlcG9ydGVkLWJ5OiBK YW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ClNpZ25lZC1vZmYtYnk6 IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8a29ucmFkLndpbGtAb3JhY2xlLmNv bT4KLS0tCiBkcml2ZXJzL3hlbi94ZW4tcGNpYmFjay9wY2liYWNrX29wcy5j IHwgMiAtLQogMSBmaWxlIGNoYW5nZWQsIDIgZGVsZXRpb25zKC0pCgpkaWZm IC0tZ2l0IGEvZHJpdmVycy94ZW4veGVuLXBjaWJhY2svcGNpYmFja19vcHMu YyBiL2RyaXZlcnMveGVuL3hlbi1wY2liYWNrL3BjaWJhY2tfb3BzLmMKaW5k ZXggYzRhMDY2Ni4uMjZlNjUxMyAxMDA2NDQKLS0tIGEvZHJpdmVycy94ZW4v eGVuLXBjaWJhY2svcGNpYmFja19vcHMuYworKysgYi9kcml2ZXJzL3hlbi94 ZW4tcGNpYmFjay9wY2liYWNrX29wcy5jCkBAIC0xMTksOCArMTE5LDYgQEAg dm9pZCB4ZW5fcGNpYmtfcmVzZXRfZGV2aWNlKHN0cnVjdCBwY2lfZGV2ICpk ZXYpCiAJCWlmIChwY2lfaXNfZW5hYmxlZChkZXYpKQogCQkJcGNpX2Rpc2Fi bGVfZGV2aWNlKGRldik7CiAKLQkJcGNpX3dyaXRlX2NvbmZpZ193b3JkKGRl diwgUENJX0NPTU1BTkQsIDApOwotCiAJCWRldi0+aXNfYnVzbWFzdGVyID0g MDsKIAl9IGVsc2UgewogCQlwY2lfcmVhZF9jb25maWdfd29yZChkZXYsIFBD SV9DT01NQU5ELCAmY21kKTsKLS0gCjIuMS4wCgo= --=separator Content-Type: application/octet-stream; name="xsa120-classic.patch" Content-Disposition: attachment; filename="xsa120-classic.patch" Content-Transfer-Encoding: base64 cGNpYmFjazogbGltaXQgZ3Vlc3QgY29udHJvbCBvZiBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTIxNTAgLyBYU0Et MTIwLgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogS29ucmFkIFJ6ZXN6dXRlayBXaWxrIDxr b25yYWQud2lsa0BvcmFjbGUuY29tPgoKLS0tIGEvZHJpdmVycy94ZW4vcGNp YmFjay9jb25mX3NwYWNlLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9j b25mX3NwYWNlLmMKQEAgLTE1LDcgKzE1LDcgQEAKICNpbmNsdWRlICJjb25m X3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9xdWlya3MuaCIKIAot c3RhdGljIGludCBwZXJtaXNzaXZlOworaW50IHBlcm1pc3NpdmU7CiBtb2R1 bGVfcGFyYW0ocGVybWlzc2l2ZSwgYm9vbCwgMDY0NCk7CiAKICNkZWZpbmUg REVGSU5FX1BDSV9DT05GSUcob3Asc2l6ZSx0eXBlKSAJCQlcCi0tLSBhL2Ry aXZlcnMveGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCisrKyBiL2RyaXZlcnMv eGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCkBAIC02NCw2ICs2NCw4IEBAIHN0 cnVjdCBjb25maWdfZmllbGRfZW50cnkgewogCXZvaWQgKmRhdGE7CiB9Owog CitleHRlcm4gaW50IHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZGU0VUKGNm Z19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2ZnX2VudHJ5 KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBhIGRldmlj ZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0IGEgcG9p bnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi9wY2liYWNrL2NvbmZfc3BhY2Vf aGVhZGVyLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9jb25mX3NwYWNl X2hlYWRlci5jCkBAIC05LDYgKzksMTAgQEAKICNpbmNsdWRlICJwY2liYWNr LmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZS5oIgogCitzdHJ1Y3QgcGNpX2Nt ZF9pbmZvIHsKKwl1MTYgdmFsOworfTsKKwogc3RydWN0IHBjaV9iYXJfaW5m byB7CiAJdTMyIHZhbDsKIAl1MzIgbGVuX3ZhbDsKQEAgLTE4LDI4ICsyMiw0 NSBAQCBzdHJ1Y3QgcGNpX2Jhcl9pbmZvIHsKICNkZWZpbmUgaXNfZW5hYmxl X2NtZCh2YWx1ZSkgKCh2YWx1ZSkmKFBDSV9DT01NQU5EX01FTU9SWXxQQ0lf Q09NTUFORF9JTykpCiAjZGVmaW5lIGlzX21hc3Rlcl9jbWQodmFsdWUpICgo dmFsdWUpJlBDSV9DT01NQU5EX01BU1RFUikKIAotc3RhdGljIGludCBjb21t YW5kX3JlYWQoc3RydWN0IHBjaV9kZXYgKmRldiwgaW50IG9mZnNldCwgdTE2 ICp2YWx1ZSwgdm9pZCAqZGF0YSkKKy8qIEJpdHMgZ3Vlc3RzIGFyZSBhbGxv d2VkIHRvIGNvbnRyb2wgaW4gcGVybWlzc2l2ZSBtb2RlLiAqLworI2RlZmlu ZSBQQ0lfQ09NTUFORF9HVUVTVCAoUENJX0NPTU1BTkRfTUFTVEVSfFBDSV9D T01NQU5EX1NQRUNJQUx8IFwKKwkJCSAgIFBDSV9DT01NQU5EX0lOVkFMSURB VEV8UENJX0NPTU1BTkRfVkdBX1BBTEVUVEV8IFwKKwkJCSAgIFBDSV9DT01N QU5EX1dBSVR8UENJX0NPTU1BTkRfRkFTVF9CQUNLKQorCitzdGF0aWMgdm9p ZCAqY29tbWFuZF9pbml0KHN0cnVjdCBwY2lfZGV2ICpkZXYsIGludCBvZmZz ZXQpCiB7Ci0JaW50IGk7Ci0JaW50IHJldDsKKwlzdHJ1Y3QgcGNpX2NtZF9p bmZvICpjbWQgPSBrbWFsbG9jKHNpemVvZigqY21kKSwgR0ZQX0tFUk5FTCk7 CisJaW50IGVycjsKKworCWlmICghY21kKQorCQlyZXR1cm4gRVJSX1BUUigt RU5PTUVNKTsKIAotCXJldCA9IHBjaWJhY2tfcmVhZF9jb25maWdfd29yZChk ZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEpOwotCWlmICghZGV2LT5pc19lbmFi bGVkKQotCQlyZXR1cm4gcmV0OwotCi0JZm9yIChpID0gMDsgaSA8IFBDSV9S T01fUkVTT1VSQ0U7IGkrKykgewotCQlpZiAoZGV2LT5yZXNvdXJjZVtpXS5m bGFncyAmIElPUkVTT1VSQ0VfSU8pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1B TkRfSU87Ci0JCWlmIChkZXYtPnJlc291cmNlW2ldLmZsYWdzICYgSU9SRVNP VVJDRV9NRU0pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwor CWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgUENJX0NPTU1BTkQs ICZjbWQtPnZhbCk7CisJaWYgKGVycikgeworCQlrZnJlZShjbWQpOworCQly ZXR1cm4gRVJSX1BUUihlcnIpOwogCX0KIAorCXJldHVybiBjbWQ7Cit9CisK K3N0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCit7CisJaW50 IHJldCA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1 ZSk7CisJY29uc3Qgc3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0gZGF0YTsK KworCSp2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwkqdmFsdWUgfD0g Y21kLT52YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcmV0 OwogfQogCiBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9k ZXYgKmRldiwgaW50IG9mZnNldCwgdTE2IHZhbHVlLCB2b2lkICpkYXRhKQog ewogCWludCBlcnI7CisJdTE2IHZhbDsKKwlzdHJ1Y3QgcGNpX2NtZF9pbmZv ICpjbWQgPSBkYXRhOworCXN0cnVjdCBwY2liYWNrX2Rldl9kYXRhICpkZXZf ZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwogCiAJaWYgKCFkZXYtPmlz X2VuYWJsZWQgJiYgaXNfZW5hYmxlX2NtZCh2YWx1ZSkpIHsKIAkJaWYgKHVu bGlrZWx5KHZlcmJvc2VfcmVxdWVzdCkpCkBAIC03Niw2ICs5NywxOCBAQCBz dGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiAJCX0K IAl9CiAKKwljbWQtPnZhbCA9IHZhbHVlOworCisJaWYgKCFwZXJtaXNzaXZl ICYmICghZGV2X2RhdGEgfHwgIWRldl9kYXRhLT5wZXJtaXNzaXZlKSkKKwkJ cmV0dXJuIDA7CisKKwkvKiBPbmx5IGFsbG93IHRoZSBndWVzdCB0byBjb250 cm9sIGNlcnRhaW4gYml0cy4gKi8KKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgJnZhbCk7CisJaWYgKGVyciB8fCB2YWwgPT0g dmFsdWUpCisJCXJldHVybiBlcnI7CisJdmFsdWUgJj0gUENJX0NPTU1BTkRf R1VFU1Q7CisJdmFsdWUgfD0gdmFsICYgflBDSV9DT01NQU5EX0dVRVNUOwor CiAJcmV0dXJuIHBjaV93cml0ZV9jb25maWdfd29yZChkZXYsIG9mZnNldCwg dmFsdWUpOwogfQogCkBAIC0yNzUsNiArMzA4LDggQEAgc3RhdGljIGNvbnN0 IHN0cnVjdCBjb25maWdfZmllbGQgaGVhZGVyXwogCXsKIAkgLm9mZnNldCAg ICA9IFBDSV9DT01NQU5ELAogCSAuc2l6ZSAgICAgID0gMiwKKwkgLmluaXQg ICAgICA9IGNvbW1hbmRfaW5pdCwKKwkgLnJlbGVhc2UgICA9IGJhcl9yZWxl YXNlLAogCSAudS53LnJlYWQgID0gY29tbWFuZF9yZWFkLAogCSAudS53Lndy aXRlID0gY29tbWFuZF93cml0ZSwKIAl9LAo= --=separator Content-Type: application/octet-stream; name="xsa120-classic-addendum.patch" Content-Disposition: attachment; filename="xsa120-classic-addendum.patch" Content-Transfer-Encoding: base64 IyBIRyBjaGFuZ2VzZXQgcGF0Y2gKIyBVc2VyIEtvbnJhZCBSemVzenV0ZWsg V2lsayA8a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KIyBEYXRlIDE0Mjc4MTQ5 NDkgMTQ0MDAKIyAgICAgIFR1ZSBNYXIgMzEgMTE6MTU6NDkgMjAxNSAtMDQw MAojIE5vZGUgSUQgMmQyNGM1OWY5YTRhMDc5ZDEyNzMzOWQwYzAyNWQzZTVi OTkxNGMwZQojIFBhcmVudCAgYWZlMmFjNTEzN2I4YzI0N2RlYTg4NmM3MzJk MDk3OTFmZTQ0YWM5MQp4ZW4vcGNpYmFjazogRG9uJ3QgZGlzYWJsZSBQQ0lf Q09NTUFORCBvbiBQQ0kgZGV2aWNlIHJlc2V0LgoKVGhlcmUgaXMgbm8gbmVl ZCBmb3IgdGhpcyBhdCBhbGwuIFdvcnN0IGl0IG1lYW5zIHRoYXQgaWYKdGhl IGd1ZXN0IHRyaWVzIHRvIHdyaXRlIHRvIEJBUnMgaXQgY291bGQgbGVhZCAo b24gY2VydGFpbgpwbGF0Zm9ybXMpIHRvIFBDSSBTRVJSIGVycm9ycy4KClBs ZWFzZSBub3RlIHRoYXQgd2l0aCBhZjZmYzg1OGEzNWI5MGU4OWVhN2E3ZWU1 OGU2NjYyOGM1NWM3NzZiCiJ4ZW4tcGNpYmFjazogbGltaXQgZ3Vlc3QgY29u dHJvbCBvZiBjb21tYW5kIHJlZ2lzdGVyIgphIGd1ZXN0IGlzIHN0aWxsIGFs bG93ZWQgdG8gZW5hYmxlIHRob3NlIGNvbnRyb2wgYml0cyAoc2FmZWx5KSwg YnV0CmlzIG5vdCBhbGxvd2VkIHRvIGRpc2FibGUgdGhlbSBhbmQgdGhhdCB0 aGVyZWZvcmUgYSB3ZWxsIGJlaGF2ZWQKZnJvbnRlbmQgd2hpY2ggZW5hYmxl cyB0aGluZ3MgYmVmb3JlIHVzaW5nIHRoZW0gd2lsbCBzdGlsbApmdW5jdGlv biBjb3JyZWN0bHkuCgpUaGlzIGlzIGRvbmUgdmlhIGFuIHdyaXRlIHRvIHRo ZSBjb25maWd1cmF0aW9uIHJlZ2lzdGVyIDB4NCB3aGljaAp0cmlnZ2VycyBv biB0aGUgYmFja2VuZCBzaWRlOgpjb21tYW5kX3dyaXRlCiAgXC0gcGNpX2Vu YWJsZV9kZXZpY2UKICAgICBcLSBwY2lfZW5hYmxlX2RldmljZV9mbGFncwog ICAgICAgIFwtIGRvX3BjaV9lbmFibGVfZGV2aWNlCiAgICAgICAgICAgXC0g cGNpYmlvc19lbmFibGVfZGV2aWNlCiAgICAgICAgICAgICAgXC1wY2lfZW5h YmxlX3Jlc291cmNlc3MKICAgICAgICAgICAgICAgIFt3aGljaCBlbmFibGVz IHRoZSBQQ0lfQ09NTUFORF9NRU1PUll8UENJX0NPTU1BTkRfSU9dCgpIb3dl dmVyIGd1ZXN0cyAoYW5kIGRyaXZlcnMpIHdoaWNoIGRvbid0IGRvIHRoaXMg Y291bGQgY2F1c2UKcHJvYmxlbXMsIGluY2x1ZGluZyB0aGUgc2VjdXJpdHkg aXNzdWVzIHdoaWNoIFhTQS0xMjAgc291Z2h0CnRvIGFkZHJlc3MuCgpSZXBv cnRlZC1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTaWdu ZWQtb2ZmLWJ5OiBLb25yYWQgUnplc3p1dGVrIFdpbGsgPGtvbnJhZC53aWxr QG9yYWNsZS5jb20+CgpkaWZmIC1yIGFmZTJhYzUxMzdiOCAtciAyZDI0YzU5 ZjlhNGEgZHJpdmVycy94ZW4vcGNpYmFjay9wY2liYWNrX29wcy5jCi0tLSBh L2RyaXZlcnMveGVuL3BjaWJhY2svcGNpYmFja19vcHMuYwlUdWUgTWFyIDEw IDE0OjM4OjM5IDIwMTUgKzAxMDAKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFj ay9wY2liYWNrX29wcy5jCVR1ZSBNYXIgMzEgMTE6MTU6NDkgMjAxNSAtMDQw MApAQCAtMzIsOCArMzIsNiBAQAogI2VuZGlmCiAJCXBjaV9kaXNhYmxlX2Rl dmljZShkZXYpOwogCi0JCXBjaV93cml0ZV9jb25maWdfd29yZChkZXYsIFBD SV9DT01NQU5ELCAwKTsKLQogCQlkZXYtPmlzX2VuYWJsZWQgPSAwOwogCQlk ZXYtPmlzX2J1c21hc3RlciA9IDA7CiAJfSBlbHNlIHsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator-- From xen-announce-bounces@lists.xen.org Tue Mar 31 16:15:01 2015 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 31 Mar 2015 16:15:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcynZ-00070a-2D; Tue, 31 Mar 2015 16:13:53 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcynW-0006zA-VA; Tue, 31 Mar 2015 16:13:51 +0000 Received: from [193.109.254.147] by server-12.bemta-14.messagelabs.com id 22/9D-24420-EB7CA155; Tue, 31 Mar 2015 16:13:50 +0000 X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-4.tower-27.messagelabs.com!1427818428!14661190!1 X-Originating-IP: [50.57.168.107] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.13.6; banners=-,-,- X-VirusChecked: Checked Received: (qmail 27374 invoked from network); 31 Mar 2015 16:13:49 -0000 Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107) by server-4.tower-27.messagelabs.com with AES256-SHA encrypted SMTP; 31 Mar 2015 16:13:49 -0000 Received: from xenbits.xen.org ([50.57.170.242]) by mail.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YcynL-0001kp-OP; Tue, 31 Mar 2015 16:13:39 +0000 Received: from iwj by xenbits.xen.org with local (Exim 4.72) (envelope-from ) id 1YcynL-0007ma-7c; Tue, 31 Mar 2015 16:13:39 +0000 Date: Tue, 31 Mar 2015 16:13:39 +0000 Message-Id: Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.428 (Entity 5.428) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 120 (CVE-2015-2150) - Non-maskable interrupts triggerable by guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-announce-bounces@lists.xen.org Errors-To: xen-announce-bounces@lists.xen.org --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2150 / XSA-120 version 5 Non-maskable interrupts triggerable by guests UPDATES IN VERSION 5 ==================== The original patches were incomplete: although they eliminated the possibility that the guest might disable memory and I/O decoding, they did not ensure that these bits were set at start of day. The result was that a malicious guest could simply avoid enabling them and continue to exploit the vulnerability. Well behaved guests would normally enable decoding and therefore would not normally suffer a regression. Additional patches are now supplied to resolve this issue. ISSUE DESCRIPTION ================= Guests are currently permitted to modify all of the (writable) bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case subsequent accesses to the respective MMIO or I/O port ranges would - - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific. IMPACT ====== In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Upstream Linux versions 3.1 and onwards are vulnerable due to supporting PCI backend functionality. Other Linux versions as well as other OS versions may be vulnerable too. Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted guests. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patches resolves this issue for the indicated versions of Linux, but only for ordinary PCI config space accesses by the guest. See XSA-124 for all other cases. xsa120.patch Linux 3.19 xsa120-addendum.patch Linux 3.19 xsa120-classic.patch linux-2.6.18-xen.hg xsa120-classic-addendum.patch linux-2.6.18-xen.hg $ sha256sum xsa120*.patch 32441fd3930848f7533f74376648fbeb5e35870661e1259860fe10f9a1f67f88 xsa120.patch 32be0b76f5585e9258ebaed348b40b57014ee5163c313a0523fd46f55ac05210 xsa120-addendum.patch ecd4568d418d6e275f1eebdba4867e7cfdc6a487292db0e9eff0e9e7e2c91826 xsa120-classic.patch 8b377abe56bebf5030587030bf231c2d5bc1f695e21cc4dfbbd348e9b616849c xsa120-classic-addendum.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGseNAAoJEIP+FMlX6CvZcR4H/RGyM4VV4/1LLFkERmVe6jCq KhPGTWw72ZMt+iTGLZYOWGu3CTwpG2RSMWwRUNE9dBinUyq5j8GYW+dpAmtBFCT/ muEW3k+cw4BnhOIi6ny3bcCsxnm7SesrpWAmRvwgZRWljZMA0tHhperl1ioovMG0 +jf7ktNU91li7jTm0BSba7FoWIhfSsY5K+hU0/xMrKOUkzdpYzhu8Uzj9exhijHC 5AJ05XDi88ZuZfR7ZPnVvTOaIJaXsVeiM4rfSpp+SsqTyOZW4+ORpd5ecEp93O/N LNtcHsUjqwm/ezkwM8oHrGQqYWf7Ms4mRuykIE2X/voG/Cf+kvDQE7fOj++3Db0= =La+E -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa120.patch" Content-Disposition: attachment; filename="xsa120.patch" Content-Transfer-Encoding: base64 eGVuLXBjaWJhY2s6IGxpbWl0IGd1ZXN0IGNvbnRyb2wgb2YgY29tbWFuZCBy ZWdpc3RlcgoKT3RoZXJ3aXNlIHRoZSBndWVzdCBjYW4gYWJ1c2UgdGhhdCBj b250cm9sIHRvIGNhdXNlIGUuZy4gUENJZQpVbnN1cHBvcnRlZCBSZXF1ZXN0 IHJlc3BvbnNlcyAoYnkgZGlzYWJsaW5nIG1lbW9yeSBhbmQvb3IgSS9PIGRl Y29kaW5nCmFuZCBzdWJzZXF1ZW50bHkgY2F1c2luZyBbQ1BVIHNpZGVdIGFj Y2Vzc2VzIHRvIHRoZSByZXNwZWN0aXZlIGFkZHJlc3MKcmFuZ2VzKSwgd2hp Y2ggKGRlcGVuZGluZyBvbiBzeXN0ZW0gY29uZmlndXJhdGlvbikgbWF5IGJl IGZhdGFsIHRvIHRoZQpob3N0LgoKVGhpcyBpcyBDVkUtMjAxNS0yMTUwIC8g WFNBLTEyMC4KClNpZ25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGlj aEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEtvbnJhZCBSemVzenV0ZWsgV2ls ayA8a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KCi0tLSBhL2RyaXZlcnMveGVu L3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuYworKysgYi9kcml2ZXJzL3hlbi94 ZW4tcGNpYmFjay9jb25mX3NwYWNlLmMKQEAgLTE2LDcgKzE2LDcgQEAKICNp bmNsdWRlICJjb25mX3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9x dWlya3MuaCIKIAotc3RhdGljIGJvb2wgcGVybWlzc2l2ZTsKK2Jvb2wgcGVy bWlzc2l2ZTsKIG1vZHVsZV9wYXJhbShwZXJtaXNzaXZlLCBib29sLCAwNjQ0 KTsKIAogLyogVGhpcyBpcyB3aGVyZSB4ZW5fcGNpYmtfcmVhZF9jb25maWdf Ynl0ZSwgeGVuX3BjaWJrX3JlYWRfY29uZmlnX3dvcmQsCi0tLSBhL2RyaXZl cnMveGVuL3hlbi1wY2liYWNrL2NvbmZfc3BhY2UuaAorKysgYi9kcml2ZXJz L3hlbi94ZW4tcGNpYmFjay9jb25mX3NwYWNlLmgKQEAgLTY0LDYgKzY0LDgg QEAgc3RydWN0IGNvbmZpZ19maWVsZF9lbnRyeSB7CiAJdm9pZCAqZGF0YTsK IH07CiAKK2V4dGVybiBib29sIHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZG U0VUKGNmZ19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2Zn X2VudHJ5KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBh IGRldmljZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0 IGEgcG9pbnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi94ZW4tcGNpYmFjay9j b25mX3NwYWNlX2hlYWRlci5jCisrKyBiL2RyaXZlcnMveGVuL3hlbi1wY2li YWNrL2NvbmZfc3BhY2VfaGVhZGVyLmMKQEAgLTExLDYgKzExLDEwIEBACiAj aW5jbHVkZSAicGNpYmFjay5oIgogI2luY2x1ZGUgImNvbmZfc3BhY2UuaCIK IAorc3RydWN0IHBjaV9jbWRfaW5mbyB7CisJdTE2IHZhbDsKK307CisKIHN0 cnVjdCBwY2lfYmFyX2luZm8gewogCXUzMiB2YWw7CiAJdTMyIGxlbl92YWw7 CkBAIC0yMCwyMiArMjQsMzYgQEAgc3RydWN0IHBjaV9iYXJfaW5mbyB7CiAj ZGVmaW5lIGlzX2VuYWJsZV9jbWQodmFsdWUpICgodmFsdWUpJihQQ0lfQ09N TUFORF9NRU1PUll8UENJX0NPTU1BTkRfSU8pKQogI2RlZmluZSBpc19tYXN0 ZXJfY21kKHZhbHVlKSAoKHZhbHVlKSZQQ0lfQ09NTUFORF9NQVNURVIpCiAK LXN0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCisvKiBCaXRz IGd1ZXN0cyBhcmUgYWxsb3dlZCB0byBjb250cm9sIGluIHBlcm1pc3NpdmUg bW9kZS4gKi8KKyNkZWZpbmUgUENJX0NPTU1BTkRfR1VFU1QgKFBDSV9DT01N QU5EX01BU1RFUnxQQ0lfQ09NTUFORF9TUEVDSUFMfCBcCisJCQkgICBQQ0lf Q09NTUFORF9JTlZBTElEQVRFfFBDSV9DT01NQU5EX1ZHQV9QQUxFVFRFfCBc CisJCQkgICBQQ0lfQ09NTUFORF9XQUlUfFBDSV9DT01NQU5EX0ZBU1RfQkFD SykKKworc3RhdGljIHZvaWQgKmNvbW1hbmRfaW5pdChzdHJ1Y3QgcGNpX2Rl diAqZGV2LCBpbnQgb2Zmc2V0KQogewotCWludCBpOwotCWludCByZXQ7CisJ c3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0ga21hbGxvYyhzaXplb2YoKmNt ZCksIEdGUF9LRVJORUwpOworCWludCBlcnI7CiAKLQlyZXQgPSB4ZW5fcGNp YmtfcmVhZF9jb25maWdfd29yZChkZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEp OwotCWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSkKLQkJcmV0dXJuIHJldDsK LQotCWZvciAoaSA9IDA7IGkgPCBQQ0lfUk9NX1JFU09VUkNFOyBpKyspIHsK LQkJaWYgKGRldi0+cmVzb3VyY2VbaV0uZmxhZ3MgJiBJT1JFU09VUkNFX0lP KQotCQkJKnZhbHVlIHw9IFBDSV9DT01NQU5EX0lPOwotCQlpZiAoZGV2LT5y ZXNvdXJjZVtpXS5mbGFncyAmIElPUkVTT1VSQ0VfTUVNKQotCQkJKnZhbHVl IHw9IFBDSV9DT01NQU5EX01FTU9SWTsKKwlpZiAoIWNtZCkKKwkJcmV0dXJu IEVSUl9QVFIoLUVOT01FTSk7CisKKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIFBDSV9DT01NQU5ELCAmY21kLT52YWwpOworCWlmIChlcnIp IHsKKwkJa2ZyZWUoY21kKTsKKwkJcmV0dXJuIEVSUl9QVFIoZXJyKTsKIAl9 CiAKKwlyZXR1cm4gY21kOworfQorCitzdGF0aWMgaW50IGNvbW1hbmRfcmVh ZChzdHJ1Y3QgcGNpX2RldiAqZGV2LCBpbnQgb2Zmc2V0LCB1MTYgKnZhbHVl LCB2b2lkICpkYXRhKQoreworCWludCByZXQgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgdmFsdWUpOworCWNvbnN0IHN0cnVjdCBwY2lf Y21kX2luZm8gKmNtZCA9IGRhdGE7CisKKwkqdmFsdWUgJj0gUENJX0NPTU1B TkRfR1VFU1Q7CisJKnZhbHVlIHw9IGNtZC0+dmFsICYgflBDSV9DT01NQU5E X0dVRVNUOworCiAJcmV0dXJuIHJldDsKIH0KIApAQCAtNDMsNiArNjEsOCBA QCBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiB7 CiAJc3RydWN0IHhlbl9wY2lia19kZXZfZGF0YSAqZGV2X2RhdGE7CiAJaW50 IGVycjsKKwl1MTYgdmFsOworCXN0cnVjdCBwY2lfY21kX2luZm8gKmNtZCA9 IGRhdGE7CiAKIAlkZXZfZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwog CWlmICghcGNpX2lzX2VuYWJsZWQoZGV2KSAmJiBpc19lbmFibGVfY21kKHZh bHVlKSkgewpAQCAtODMsNiArMTAxLDE4IEBAIHN0YXRpYyBpbnQgY29tbWFu ZF93cml0ZShzdHJ1Y3QgcGNpX2RldiAKIAkJfQogCX0KIAorCWNtZC0+dmFs ID0gdmFsdWU7CisKKwlpZiAoIXBlcm1pc3NpdmUgJiYgKCFkZXZfZGF0YSB8 fCAhZGV2X2RhdGEtPnBlcm1pc3NpdmUpKQorCQlyZXR1cm4gMDsKKworCS8q IE9ubHkgYWxsb3cgdGhlIGd1ZXN0IHRvIGNvbnRyb2wgY2VydGFpbiBiaXRz LiAqLworCWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0 LCAmdmFsKTsKKwlpZiAoZXJyIHx8IHZhbCA9PSB2YWx1ZSkKKwkJcmV0dXJu IGVycjsKKwl2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwl2YWx1ZSB8 PSB2YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcGNpX3dy aXRlX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1ZSk7CiB9CiAKQEAg LTI4Miw2ICszMTIsOCBAQCBzdGF0aWMgY29uc3Qgc3RydWN0IGNvbmZpZ19m aWVsZCBoZWFkZXJfCiAJewogCSAub2Zmc2V0ICAgID0gUENJX0NPTU1BTkQs CiAJIC5zaXplICAgICAgPSAyLAorCSAuaW5pdCAgICAgID0gY29tbWFuZF9p bml0LAorCSAucmVsZWFzZSAgID0gYmFyX3JlbGVhc2UsCiAJIC51LncucmVh ZCAgPSBjb21tYW5kX3JlYWQsCiAJIC51Lncud3JpdGUgPSBjb21tYW5kX3dy aXRlLAogCX0sCg== --=separator Content-Type: application/octet-stream; name="xsa120-addendum.patch" Content-Disposition: attachment; filename="xsa120-addendum.patch" Content-Transfer-Encoding: base64 RnJvbSAyNDdhYjc5MjM0NjMxYjY2MjgzYzQ3MDI5ZWI4OTVhOGUzNjYzZTcw IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBLb25yYWQgUnplc3p1 dGVrIFdpbGsgPGtvbnJhZC53aWxrQG9yYWNsZS5jb20+CkRhdGU6IEZyaSwg MjcgTWFyIDIwMTUgMTM6MzE6MTEgLTA0MDAKU3ViamVjdDogW1BBVENIIDEv Ml0geGVuL3BjaWJhY2s6IERvbid0IGRpc2FibGUgUENJX0NPTU1BTkQgb24g UENJIGRldmljZQogcmVzZXQuCgpUaGVyZSBpcyBubyBuZWVkIGZvciB0aGlz IGF0IGFsbC4gV29yc3QgaXQgbWVhbnMgdGhhdCBpZgp0aGUgZ3Vlc3QgdHJp ZXMgdG8gd3JpdGUgdG8gQkFScyBpdCBjb3VsZCBsZWFkIChvbiBjZXJ0YWlu CnBsYXRmb3JtcykgdG8gUENJIFNFUlIgZXJyb3JzLgoKUGxlYXNlIG5vdGUg dGhhdCB3aXRoIGFmNmZjODU4YTM1YjkwZTg5ZWE3YTdlZTU4ZTY2NjI4YzU1 Yzc3NmIKInhlbi1wY2liYWNrOiBsaW1pdCBndWVzdCBjb250cm9sIG9mIGNv bW1hbmQgcmVnaXN0ZXIiCmEgZ3Vlc3QgaXMgc3RpbGwgYWxsb3dlZCB0byBl bmFibGUgdGhvc2UgY29udHJvbCBiaXRzIChzYWZlbHkpLCBidXQKaXMgbm90 IGFsbG93ZWQgdG8gZGlzYWJsZSB0aGVtIGFuZCB0aGF0IHRoZXJlZm9yZSBh IHdlbGwgYmVoYXZlZApmcm9udGVuZCB3aGljaCBlbmFibGVzIHRoaW5ncyBi ZWZvcmUgdXNpbmcgdGhlbSB3aWxsIHN0aWxsCmZ1bmN0aW9uIGNvcnJlY3Rs eS4KClRoaXMgaXMgZG9uZSB2aWEgYW4gd3JpdGUgdG8gdGhlIGNvbmZpZ3Vy YXRpb24gcmVnaXN0ZXIgMHg0IHdoaWNoCnRyaWdnZXJzIG9uIHRoZSBiYWNr ZW5kIHNpZGU6CmNvbW1hbmRfd3JpdGUKICBcLSBwY2lfZW5hYmxlX2Rldmlj ZQogICAgIFwtIHBjaV9lbmFibGVfZGV2aWNlX2ZsYWdzCiAgICAgICAgXC0g ZG9fcGNpX2VuYWJsZV9kZXZpY2UKICAgICAgICAgICBcLSBwY2liaW9zX2Vu YWJsZV9kZXZpY2UKICAgICAgICAgICAgICBcLXBjaV9lbmFibGVfcmVzb3Vy Y2VzcwogICAgICAgICAgICAgICAgW3doaWNoIGVuYWJsZXMgdGhlIFBDSV9D T01NQU5EX01FTU9SWXxQQ0lfQ09NTUFORF9JT10KCkhvd2V2ZXIgZ3Vlc3Rz IChhbmQgZHJpdmVycykgd2hpY2ggZG9uJ3QgZG8gdGhpcyBjb3VsZCBjYXVz ZQpwcm9ibGVtcywgaW5jbHVkaW5nIHRoZSBzZWN1cml0eSBpc3N1ZXMgd2hp Y2ggWFNBLTEyMCBzb3VnaHQKdG8gYWRkcmVzcy4KClJlcG9ydGVkLWJ5OiBK YW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+ClNpZ25lZC1vZmYtYnk6 IEtvbnJhZCBSemVzenV0ZWsgV2lsayA8a29ucmFkLndpbGtAb3JhY2xlLmNv bT4KLS0tCiBkcml2ZXJzL3hlbi94ZW4tcGNpYmFjay9wY2liYWNrX29wcy5j IHwgMiAtLQogMSBmaWxlIGNoYW5nZWQsIDIgZGVsZXRpb25zKC0pCgpkaWZm IC0tZ2l0IGEvZHJpdmVycy94ZW4veGVuLXBjaWJhY2svcGNpYmFja19vcHMu YyBiL2RyaXZlcnMveGVuL3hlbi1wY2liYWNrL3BjaWJhY2tfb3BzLmMKaW5k ZXggYzRhMDY2Ni4uMjZlNjUxMyAxMDA2NDQKLS0tIGEvZHJpdmVycy94ZW4v eGVuLXBjaWJhY2svcGNpYmFja19vcHMuYworKysgYi9kcml2ZXJzL3hlbi94 ZW4tcGNpYmFjay9wY2liYWNrX29wcy5jCkBAIC0xMTksOCArMTE5LDYgQEAg dm9pZCB4ZW5fcGNpYmtfcmVzZXRfZGV2aWNlKHN0cnVjdCBwY2lfZGV2ICpk ZXYpCiAJCWlmIChwY2lfaXNfZW5hYmxlZChkZXYpKQogCQkJcGNpX2Rpc2Fi bGVfZGV2aWNlKGRldik7CiAKLQkJcGNpX3dyaXRlX2NvbmZpZ193b3JkKGRl diwgUENJX0NPTU1BTkQsIDApOwotCiAJCWRldi0+aXNfYnVzbWFzdGVyID0g MDsKIAl9IGVsc2UgewogCQlwY2lfcmVhZF9jb25maWdfd29yZChkZXYsIFBD SV9DT01NQU5ELCAmY21kKTsKLS0gCjIuMS4wCgo= --=separator Content-Type: application/octet-stream; name="xsa120-classic.patch" Content-Disposition: attachment; filename="xsa120-classic.patch" Content-Transfer-Encoding: base64 cGNpYmFjazogbGltaXQgZ3Vlc3QgY29udHJvbCBvZiBjb21tYW5kIHJlZ2lz dGVyCgpPdGhlcndpc2UgdGhlIGd1ZXN0IGNhbiBhYnVzZSB0aGF0IGNvbnRy b2wgdG8gY2F1c2UgZS5nLiBQQ0llClVuc3VwcG9ydGVkIFJlcXVlc3QgcmVz cG9uc2VzIChieSBkaXNhYmxpbmcgbWVtb3J5IGFuZC9vciBJL08gZGVjb2Rp bmcKYW5kIHN1YnNlcXVlbnRseSBjYXVzaW5nIFtDUFUgc2lkZV0gYWNjZXNz ZXMgdG8gdGhlIHJlc3BlY3RpdmUgYWRkcmVzcwpyYW5nZXMpLCB3aGljaCAo ZGVwZW5kaW5nIG9uIHN5c3RlbSBjb25maWd1cmF0aW9uKSBtYXkgYmUgZmF0 YWwgdG8gdGhlCmhvc3QuCgpUaGlzIGlzIENWRS0yMDE1LTIxNTAgLyBYU0Et MTIwLgoKU2lnbmVkLW9mZi1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1 c2UuY29tPgpSZXZpZXdlZC1ieTogS29ucmFkIFJ6ZXN6dXRlayBXaWxrIDxr b25yYWQud2lsa0BvcmFjbGUuY29tPgoKLS0tIGEvZHJpdmVycy94ZW4vcGNp YmFjay9jb25mX3NwYWNlLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9j b25mX3NwYWNlLmMKQEAgLTE1LDcgKzE1LDcgQEAKICNpbmNsdWRlICJjb25m X3NwYWNlLmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZV9xdWlya3MuaCIKIAot c3RhdGljIGludCBwZXJtaXNzaXZlOworaW50IHBlcm1pc3NpdmU7CiBtb2R1 bGVfcGFyYW0ocGVybWlzc2l2ZSwgYm9vbCwgMDY0NCk7CiAKICNkZWZpbmUg REVGSU5FX1BDSV9DT05GSUcob3Asc2l6ZSx0eXBlKSAJCQlcCi0tLSBhL2Ry aXZlcnMveGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCisrKyBiL2RyaXZlcnMv eGVuL3BjaWJhY2svY29uZl9zcGFjZS5oCkBAIC02NCw2ICs2NCw4IEBAIHN0 cnVjdCBjb25maWdfZmllbGRfZW50cnkgewogCXZvaWQgKmRhdGE7CiB9Owog CitleHRlcm4gaW50IHBlcm1pc3NpdmU7CisKICNkZWZpbmUgT0ZGU0VUKGNm Z19lbnRyeSkgKChjZmdfZW50cnkpLT5iYXNlX29mZnNldCsoY2ZnX2VudHJ5 KS0+ZmllbGQtPm9mZnNldCkKIAogLyogQWRkIGZpZWxkcyB0byBhIGRldmlj ZSAtIHRoZSBhZGRfZmllbGRzIG1hY3JvIGV4cGVjdHMgdG8gZ2V0IGEgcG9p bnRlciB0bwotLS0gYS9kcml2ZXJzL3hlbi9wY2liYWNrL2NvbmZfc3BhY2Vf aGVhZGVyLmMKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFjay9jb25mX3NwYWNl X2hlYWRlci5jCkBAIC05LDYgKzksMTAgQEAKICNpbmNsdWRlICJwY2liYWNr LmgiCiAjaW5jbHVkZSAiY29uZl9zcGFjZS5oIgogCitzdHJ1Y3QgcGNpX2Nt ZF9pbmZvIHsKKwl1MTYgdmFsOworfTsKKwogc3RydWN0IHBjaV9iYXJfaW5m byB7CiAJdTMyIHZhbDsKIAl1MzIgbGVuX3ZhbDsKQEAgLTE4LDI4ICsyMiw0 NSBAQCBzdHJ1Y3QgcGNpX2Jhcl9pbmZvIHsKICNkZWZpbmUgaXNfZW5hYmxl X2NtZCh2YWx1ZSkgKCh2YWx1ZSkmKFBDSV9DT01NQU5EX01FTU9SWXxQQ0lf Q09NTUFORF9JTykpCiAjZGVmaW5lIGlzX21hc3Rlcl9jbWQodmFsdWUpICgo dmFsdWUpJlBDSV9DT01NQU5EX01BU1RFUikKIAotc3RhdGljIGludCBjb21t YW5kX3JlYWQoc3RydWN0IHBjaV9kZXYgKmRldiwgaW50IG9mZnNldCwgdTE2 ICp2YWx1ZSwgdm9pZCAqZGF0YSkKKy8qIEJpdHMgZ3Vlc3RzIGFyZSBhbGxv d2VkIHRvIGNvbnRyb2wgaW4gcGVybWlzc2l2ZSBtb2RlLiAqLworI2RlZmlu ZSBQQ0lfQ09NTUFORF9HVUVTVCAoUENJX0NPTU1BTkRfTUFTVEVSfFBDSV9D T01NQU5EX1NQRUNJQUx8IFwKKwkJCSAgIFBDSV9DT01NQU5EX0lOVkFMSURB VEV8UENJX0NPTU1BTkRfVkdBX1BBTEVUVEV8IFwKKwkJCSAgIFBDSV9DT01N QU5EX1dBSVR8UENJX0NPTU1BTkRfRkFTVF9CQUNLKQorCitzdGF0aWMgdm9p ZCAqY29tbWFuZF9pbml0KHN0cnVjdCBwY2lfZGV2ICpkZXYsIGludCBvZmZz ZXQpCiB7Ci0JaW50IGk7Ci0JaW50IHJldDsKKwlzdHJ1Y3QgcGNpX2NtZF9p bmZvICpjbWQgPSBrbWFsbG9jKHNpemVvZigqY21kKSwgR0ZQX0tFUk5FTCk7 CisJaW50IGVycjsKKworCWlmICghY21kKQorCQlyZXR1cm4gRVJSX1BUUigt RU5PTUVNKTsKIAotCXJldCA9IHBjaWJhY2tfcmVhZF9jb25maWdfd29yZChk ZXYsIG9mZnNldCwgdmFsdWUsIGRhdGEpOwotCWlmICghZGV2LT5pc19lbmFi bGVkKQotCQlyZXR1cm4gcmV0OwotCi0JZm9yIChpID0gMDsgaSA8IFBDSV9S T01fUkVTT1VSQ0U7IGkrKykgewotCQlpZiAoZGV2LT5yZXNvdXJjZVtpXS5m bGFncyAmIElPUkVTT1VSQ0VfSU8pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1B TkRfSU87Ci0JCWlmIChkZXYtPnJlc291cmNlW2ldLmZsYWdzICYgSU9SRVNP VVJDRV9NRU0pCi0JCQkqdmFsdWUgfD0gUENJX0NPTU1BTkRfTUVNT1JZOwor CWVyciA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgUENJX0NPTU1BTkQs ICZjbWQtPnZhbCk7CisJaWYgKGVycikgeworCQlrZnJlZShjbWQpOworCQly ZXR1cm4gRVJSX1BUUihlcnIpOwogCX0KIAorCXJldHVybiBjbWQ7Cit9CisK K3N0YXRpYyBpbnQgY29tbWFuZF9yZWFkKHN0cnVjdCBwY2lfZGV2ICpkZXYs IGludCBvZmZzZXQsIHUxNiAqdmFsdWUsIHZvaWQgKmRhdGEpCit7CisJaW50 IHJldCA9IHBjaV9yZWFkX2NvbmZpZ193b3JkKGRldiwgb2Zmc2V0LCB2YWx1 ZSk7CisJY29uc3Qgc3RydWN0IHBjaV9jbWRfaW5mbyAqY21kID0gZGF0YTsK KworCSp2YWx1ZSAmPSBQQ0lfQ09NTUFORF9HVUVTVDsKKwkqdmFsdWUgfD0g Y21kLT52YWwgJiB+UENJX0NPTU1BTkRfR1VFU1Q7CisKIAlyZXR1cm4gcmV0 OwogfQogCiBzdGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9k ZXYgKmRldiwgaW50IG9mZnNldCwgdTE2IHZhbHVlLCB2b2lkICpkYXRhKQog ewogCWludCBlcnI7CisJdTE2IHZhbDsKKwlzdHJ1Y3QgcGNpX2NtZF9pbmZv ICpjbWQgPSBkYXRhOworCXN0cnVjdCBwY2liYWNrX2Rldl9kYXRhICpkZXZf ZGF0YSA9IHBjaV9nZXRfZHJ2ZGF0YShkZXYpOwogCiAJaWYgKCFkZXYtPmlz X2VuYWJsZWQgJiYgaXNfZW5hYmxlX2NtZCh2YWx1ZSkpIHsKIAkJaWYgKHVu bGlrZWx5KHZlcmJvc2VfcmVxdWVzdCkpCkBAIC03Niw2ICs5NywxOCBAQCBz dGF0aWMgaW50IGNvbW1hbmRfd3JpdGUoc3RydWN0IHBjaV9kZXYgCiAJCX0K IAl9CiAKKwljbWQtPnZhbCA9IHZhbHVlOworCisJaWYgKCFwZXJtaXNzaXZl ICYmICghZGV2X2RhdGEgfHwgIWRldl9kYXRhLT5wZXJtaXNzaXZlKSkKKwkJ cmV0dXJuIDA7CisKKwkvKiBPbmx5IGFsbG93IHRoZSBndWVzdCB0byBjb250 cm9sIGNlcnRhaW4gYml0cy4gKi8KKwllcnIgPSBwY2lfcmVhZF9jb25maWdf d29yZChkZXYsIG9mZnNldCwgJnZhbCk7CisJaWYgKGVyciB8fCB2YWwgPT0g dmFsdWUpCisJCXJldHVybiBlcnI7CisJdmFsdWUgJj0gUENJX0NPTU1BTkRf R1VFU1Q7CisJdmFsdWUgfD0gdmFsICYgflBDSV9DT01NQU5EX0dVRVNUOwor CiAJcmV0dXJuIHBjaV93cml0ZV9jb25maWdfd29yZChkZXYsIG9mZnNldCwg dmFsdWUpOwogfQogCkBAIC0yNzUsNiArMzA4LDggQEAgc3RhdGljIGNvbnN0 IHN0cnVjdCBjb25maWdfZmllbGQgaGVhZGVyXwogCXsKIAkgLm9mZnNldCAg ICA9IFBDSV9DT01NQU5ELAogCSAuc2l6ZSAgICAgID0gMiwKKwkgLmluaXQg ICAgICA9IGNvbW1hbmRfaW5pdCwKKwkgLnJlbGVhc2UgICA9IGJhcl9yZWxl YXNlLAogCSAudS53LnJlYWQgID0gY29tbWFuZF9yZWFkLAogCSAudS53Lndy aXRlID0gY29tbWFuZF93cml0ZSwKIAl9LAo= --=separator Content-Type: application/octet-stream; name="xsa120-classic-addendum.patch" Content-Disposition: attachment; filename="xsa120-classic-addendum.patch" Content-Transfer-Encoding: base64 IyBIRyBjaGFuZ2VzZXQgcGF0Y2gKIyBVc2VyIEtvbnJhZCBSemVzenV0ZWsg V2lsayA8a29ucmFkLndpbGtAb3JhY2xlLmNvbT4KIyBEYXRlIDE0Mjc4MTQ5 NDkgMTQ0MDAKIyAgICAgIFR1ZSBNYXIgMzEgMTE6MTU6NDkgMjAxNSAtMDQw MAojIE5vZGUgSUQgMmQyNGM1OWY5YTRhMDc5ZDEyNzMzOWQwYzAyNWQzZTVi OTkxNGMwZQojIFBhcmVudCAgYWZlMmFjNTEzN2I4YzI0N2RlYTg4NmM3MzJk MDk3OTFmZTQ0YWM5MQp4ZW4vcGNpYmFjazogRG9uJ3QgZGlzYWJsZSBQQ0lf Q09NTUFORCBvbiBQQ0kgZGV2aWNlIHJlc2V0LgoKVGhlcmUgaXMgbm8gbmVl ZCBmb3IgdGhpcyBhdCBhbGwuIFdvcnN0IGl0IG1lYW5zIHRoYXQgaWYKdGhl IGd1ZXN0IHRyaWVzIHRvIHdyaXRlIHRvIEJBUnMgaXQgY291bGQgbGVhZCAo b24gY2VydGFpbgpwbGF0Zm9ybXMpIHRvIFBDSSBTRVJSIGVycm9ycy4KClBs ZWFzZSBub3RlIHRoYXQgd2l0aCBhZjZmYzg1OGEzNWI5MGU4OWVhN2E3ZWU1 OGU2NjYyOGM1NWM3NzZiCiJ4ZW4tcGNpYmFjazogbGltaXQgZ3Vlc3QgY29u dHJvbCBvZiBjb21tYW5kIHJlZ2lzdGVyIgphIGd1ZXN0IGlzIHN0aWxsIGFs bG93ZWQgdG8gZW5hYmxlIHRob3NlIGNvbnRyb2wgYml0cyAoc2FmZWx5KSwg YnV0CmlzIG5vdCBhbGxvd2VkIHRvIGRpc2FibGUgdGhlbSBhbmQgdGhhdCB0 aGVyZWZvcmUgYSB3ZWxsIGJlaGF2ZWQKZnJvbnRlbmQgd2hpY2ggZW5hYmxl cyB0aGluZ3MgYmVmb3JlIHVzaW5nIHRoZW0gd2lsbCBzdGlsbApmdW5jdGlv biBjb3JyZWN0bHkuCgpUaGlzIGlzIGRvbmUgdmlhIGFuIHdyaXRlIHRvIHRo ZSBjb25maWd1cmF0aW9uIHJlZ2lzdGVyIDB4NCB3aGljaAp0cmlnZ2VycyBv biB0aGUgYmFja2VuZCBzaWRlOgpjb21tYW5kX3dyaXRlCiAgXC0gcGNpX2Vu YWJsZV9kZXZpY2UKICAgICBcLSBwY2lfZW5hYmxlX2RldmljZV9mbGFncwog ICAgICAgIFwtIGRvX3BjaV9lbmFibGVfZGV2aWNlCiAgICAgICAgICAgXC0g cGNpYmlvc19lbmFibGVfZGV2aWNlCiAgICAgICAgICAgICAgXC1wY2lfZW5h YmxlX3Jlc291cmNlc3MKICAgICAgICAgICAgICAgIFt3aGljaCBlbmFibGVz IHRoZSBQQ0lfQ09NTUFORF9NRU1PUll8UENJX0NPTU1BTkRfSU9dCgpIb3dl dmVyIGd1ZXN0cyAoYW5kIGRyaXZlcnMpIHdoaWNoIGRvbid0IGRvIHRoaXMg Y291bGQgY2F1c2UKcHJvYmxlbXMsIGluY2x1ZGluZyB0aGUgc2VjdXJpdHkg aXNzdWVzIHdoaWNoIFhTQS0xMjAgc291Z2h0CnRvIGFkZHJlc3MuCgpSZXBv cnRlZC1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTaWdu ZWQtb2ZmLWJ5OiBLb25yYWQgUnplc3p1dGVrIFdpbGsgPGtvbnJhZC53aWxr QG9yYWNsZS5jb20+CgpkaWZmIC1yIGFmZTJhYzUxMzdiOCAtciAyZDI0YzU5 ZjlhNGEgZHJpdmVycy94ZW4vcGNpYmFjay9wY2liYWNrX29wcy5jCi0tLSBh L2RyaXZlcnMveGVuL3BjaWJhY2svcGNpYmFja19vcHMuYwlUdWUgTWFyIDEw IDE0OjM4OjM5IDIwMTUgKzAxMDAKKysrIGIvZHJpdmVycy94ZW4vcGNpYmFj ay9wY2liYWNrX29wcy5jCVR1ZSBNYXIgMzEgMTE6MTU6NDkgMjAxNSAtMDQw MApAQCAtMzIsOCArMzIsNiBAQAogI2VuZGlmCiAJCXBjaV9kaXNhYmxlX2Rl dmljZShkZXYpOwogCi0JCXBjaV93cml0ZV9jb25maWdfd29yZChkZXYsIFBD SV9DT01NQU5ELCAwKTsKLQogCQlkZXYtPmlzX2VuYWJsZWQgPSAwOwogCQlk ZXYtPmlzX2J1c21hc3RlciA9IDA7CiAJfSBlbHNlIHsK --=separator Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-announce mailing list Xen-announce@lists.xen.org http://lists.xen.org/xen-announce --=separator--