From xen-announce-bounces@lists.xen.org Thu Nov 05 10:12:26 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 05 Nov 2015 10:12:26 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZuHVQ-0002yb-S6; Thu, 05 Nov 2015 10:10:56 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1ZuHVG-0002yI-9T
	for xen-announce@lists.xenproject.org; Thu, 05 Nov 2015 10:10:46 +0000
Received: from [85.158.139.211] by server-17.bemta-5.messagelabs.com id
	79/D7-18107-52B2B365; Thu, 05 Nov 2015 10:10:45 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-6.tower-206.messagelabs.com!1446718244!1199043!1
X-Originating-IP: [74.125.82.52]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 44235 invoked from network); 5 Nov 2015 10:10:44 -0000
Received: from mail-wm0-f52.google.com (HELO mail-wm0-f52.google.com)
	(74.125.82.52)
	by server-6.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted
	SMTP; 5 Nov 2015 10:10:44 -0000
Received: by wmll128 with SMTP id l128so8863444wml.0
	for <xen-announce@lists.xenproject.org>;
	Thu, 05 Nov 2015 02:10:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:content-type:content-transfer-encoding:subject:date:references
	:to:message-id:mime-version;
	bh=1IIlzKFaq1TFCrXd2Fve+yhH8cHkHUcbAMULlHSnku4=;
	b=uFS2QYZClFJFZNVmdKfV84QSnbx0yWBdHEVuYv3DeedzacYmTCa4kW3ppEzeZ9LtJn
	EYtx0ktZUOKIWYRzBHHPwKHRT7FwXgEj08mVbl4dJP7cvMpVH2plIovhPGc6OIBz6zEh
	pVQFfhBNhjMbm/chx2rs+K+vIv/ZSLSLv5AILvVLNySK5PwjfxyAsJH5+3ZjoDoGOYA2
	Xlst+thxD+BwoISVzrUwHOhKpRHSGkS1gFi/u3ExmHh4mf94jEzmk2hLx5jvSjDVN/FW
	3llhVrAe0bsiDHC3DG7H8K0lucDoK/9wfx+ud+RZ5LcKLDDlciELguTSxtc0rJi2GwLM
	4GTg==
X-Received: by 10.28.7.67 with SMTP id 64mr2398202wmh.70.1446718244582;
	Thu, 05 Nov 2015 02:10:44 -0800 (PST)
Received: from [192.168.0.9] (97e3cc8b.skybroadband.com. [151.227.204.139])
	by smtp.gmail.com with ESMTPSA id h4sm6111298wjx.41.2015.11.05.02.10.43
	for <xen-announce@lists.xenproject.org>
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 05 Nov 2015 02:10:43 -0800 (PST)
From: Lars Kurth <lars.kurth.xen@gmail.com>
Date: Thu, 5 Nov 2015 10:10:42 +0000
References: <563A2E8702000078000B1C4B@prv-mh.provo.novell.com>
To: xen-announce@lists.xenproject.org
Message-Id: <377D1FEC-277F-4B4F-B439-7D401A4A847C@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
X-Mailman-Approved-At: Thu, 05 Nov 2015 10:10:55 +0000
Subject: [Xen-announce] Xen 4.5.2 released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org



> Begin forwarded message:
> 
> From: "Jan Beulich" <JBeulich@suse.com>
> Subject: [Xen-devel] Xen 4.5.2 released
> Date: 4 November 2015 15:12:55 GMT
> To: <xen-announce@lists.xenproject.org>
> Cc: xen-devel <xen-devel@lists.xenproject.org>
> 
> All,
> 
> I am pleased to announce the release of Xen 4.5.2. This is
> available immediately from its git repository
> http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.5 
> (tag RELEASE-4.5.2) or from the XenProject download page
> http://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-452.html 
> (where a list of changes can also be found).
> 
> We recommend all users of the 4.5 stable series to update to this
> latest point release.
> 
> Regards, Jan
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel


_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Thu Nov 05 10:12:26 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 05 Nov 2015 10:12:26 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZuHVQ-0002yb-S6; Thu, 05 Nov 2015 10:10:56 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1ZuHVG-0002yI-9T
	for xen-announce@lists.xenproject.org; Thu, 05 Nov 2015 10:10:46 +0000
Received: from [85.158.139.211] by server-17.bemta-5.messagelabs.com id
	79/D7-18107-52B2B365; Thu, 05 Nov 2015 10:10:45 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-6.tower-206.messagelabs.com!1446718244!1199043!1
X-Originating-IP: [74.125.82.52]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 44235 invoked from network); 5 Nov 2015 10:10:44 -0000
Received: from mail-wm0-f52.google.com (HELO mail-wm0-f52.google.com)
	(74.125.82.52)
	by server-6.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted
	SMTP; 5 Nov 2015 10:10:44 -0000
Received: by wmll128 with SMTP id l128so8863444wml.0
	for <xen-announce@lists.xenproject.org>;
	Thu, 05 Nov 2015 02:10:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:content-type:content-transfer-encoding:subject:date:references
	:to:message-id:mime-version;
	bh=1IIlzKFaq1TFCrXd2Fve+yhH8cHkHUcbAMULlHSnku4=;
	b=uFS2QYZClFJFZNVmdKfV84QSnbx0yWBdHEVuYv3DeedzacYmTCa4kW3ppEzeZ9LtJn
	EYtx0ktZUOKIWYRzBHHPwKHRT7FwXgEj08mVbl4dJP7cvMpVH2plIovhPGc6OIBz6zEh
	pVQFfhBNhjMbm/chx2rs+K+vIv/ZSLSLv5AILvVLNySK5PwjfxyAsJH5+3ZjoDoGOYA2
	Xlst+thxD+BwoISVzrUwHOhKpRHSGkS1gFi/u3ExmHh4mf94jEzmk2hLx5jvSjDVN/FW
	3llhVrAe0bsiDHC3DG7H8K0lucDoK/9wfx+ud+RZ5LcKLDDlciELguTSxtc0rJi2GwLM
	4GTg==
X-Received: by 10.28.7.67 with SMTP id 64mr2398202wmh.70.1446718244582;
	Thu, 05 Nov 2015 02:10:44 -0800 (PST)
Received: from [192.168.0.9] (97e3cc8b.skybroadband.com. [151.227.204.139])
	by smtp.gmail.com with ESMTPSA id h4sm6111298wjx.41.2015.11.05.02.10.43
	for <xen-announce@lists.xenproject.org>
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 05 Nov 2015 02:10:43 -0800 (PST)
From: Lars Kurth <lars.kurth.xen@gmail.com>
Date: Thu, 5 Nov 2015 10:10:42 +0000
References: <563A2E8702000078000B1C4B@prv-mh.provo.novell.com>
To: xen-announce@lists.xenproject.org
Message-Id: <377D1FEC-277F-4B4F-B439-7D401A4A847C@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
X-Mailman-Approved-At: Thu, 05 Nov 2015 10:10:55 +0000
Subject: [Xen-announce] Xen 4.5.2 released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org



> Begin forwarded message:
> 
> From: "Jan Beulich" <JBeulich@suse.com>
> Subject: [Xen-devel] Xen 4.5.2 released
> Date: 4 November 2015 15:12:55 GMT
> To: <xen-announce@lists.xenproject.org>
> Cc: xen-devel <xen-devel@lists.xenproject.org>
> 
> All,
> 
> I am pleased to announce the release of Xen 4.5.2. This is
> available immediately from its git repository
> http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.5 
> (tag RELEASE-4.5.2) or from the XenProject download page
> http://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-452.html 
> (where a list of changes can also be found).
> 
> We recommend all users of the 4.5 stable series to update to this
> latest point release.
> 
> Regards, Jan
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel


_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Tue Nov 10 00:09:48 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 10 Nov 2015 00:09:48 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZvwUO-0002fp-4a; Tue, 10 Nov 2015 00:08:44 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZvwUN-0002fO-B3; Tue, 10 Nov 2015 00:08:43 +0000
Received: from [193.109.254.147] by server-10.bemta-14.messagelabs.com id
	85/A3-01143-A8531465; Tue, 10 Nov 2015 00:08:42 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-27.messagelabs.com!1447114120!1819163!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 53403 invoked from network); 10 Nov 2015 00:08:41 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-14.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Nov 2015 00:08:41 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZvwUC-0001PR-Q3; Tue, 10 Nov 2015 00:08:32 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZvwUB-00088G-IT; Tue, 10 Nov 2015 00:08:32 +0000
Date: Tue, 10 Nov 2015 00:08:31 +0000
Message-Id: <E1ZvwUB-00088G-IT@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 156 (CVE-2015-5307,
 CVE-2015-8104) - x86: CPU lockup during exception delivery
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Xen Security Advisory CVE-2015-5307,CVE-2015-8104 / XSA-156
                              version 2

              x86: CPU lockup during exception delivery

UPDATES IN VERSION 2
====================

Minor title and text adjustment.

CVE-2015-8104 has been assigned for the problem with #DB.
(The #AC issue remains CVE-2015-5307.)

Public release.

ISSUE DESCRIPTION
=================

When a benign exception occurs while delivering another benign
exception, it is architecturally specified that these would be
delivered sequentially. There are, however, cases where this results in
an infinite loop inside the CPU, which (in the virtualized case) can be
broken only by intercepting delivery of the respective exception.

Architecturally, at least some of these cases should also be
resolvable by an arriving NMI or external interrupt, but empirically
this has been determined to not be the case.

The cases affecting Xen are:

#AC (Alignment Check Exception, CVE-2015-5307): When a 32-bit guest
sets up the IDT entry corresponding to this exception to reference a
ring-3 handler, and when ring 3 code triggers the exception while
running with an unaligned stack pointer, delivering the exception will
re-encounter #AC, ending in an infinite loop.

#DB (Debug Exception, CVE-2015-8104): When a guest sets up a hardware
breakpoint covering a data structure involved in delivering #DB, upon
completion of the delivery of the first exception another #DB will
need to be delivered. The effects slightly differ depending on further
guest characteristics:

- - Guests running in 32-bit mode would be expected to sooner or later
  encounter another fault due to the stack pointer decreasing during
  each iteration of the loop. The most likely case would be #PF (Page
  Fault) due to running into unmapped virtual space. However, an
  infinite loop cannot be excluded (e.g. when the guest is running with
  paging disabled).

- - Guests running in long mode, but not using the IST (Interrupt Stack
  Table) feature for the IDT entry corresponding to #DB would behave
  similarly to guests running in 32-bit mode, just that the larger
  virtual address space allows for a much longer loop. The loop can't,
  however, be infinite, as eventually the stack pointer would move into
  non-canonical address space, causing #SS (Stack Fault) instead.

- - Guests running in long mode and using IST for the IDT entry
  corresponding to #DB would enter an infinite loop, as the stack
  pointer wouldn't change between #DB instances.

IMPACT
======

A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant, perhaps
indefinite period.

If a host watchdog (Xen or dom0) is in use, this can lead to a
watchdog timeout and consequently a reboot of the host.  If another,
innocent, guest, is configured with a watchdog, this issue can lead to
a reboot of such a guest.

It is possible that a guest kernel might expose the #AC vulnerability
to malicious unprivileged guest users (by permitting #AC to be handled
in guest user mode).  However, we believe that almost all ordinary
operating system kernels do not permit this; we are not aware of any
exceptions.  (A guest kernel which exposed the #AC vulnerability to
guest userspace would be vulnerable when running on baremetal, without
Xen involved.)


VULNERABLE SYSTEMS
==================

The vulnerability is exposed to any x86 HVM guest.

ARM is not vulnerable.  x86 PV VMs are not vulnerable.

All versions of Xen are affected.

x86 CPUs from all manufacturers are affected.

MITIGATION
==========

Running only PV guests will avoid this issue.

Running only kernels which avoid exposing the #AC problem to userspace
(as discussed in Impact) will prevent untrusted guest users from
exploiting this issue.

With such good kernels, the vulnerability can be avoided altogether if
the guest kernel is controlled by the host rather than guest
administrator, provided that further steps are taken to prevent the
guest administrator from loading code into the kernel (e.g. by
disabling loadable modules etc) or from using other mechanisms which
allow them to run code at kernel privilege.  In Xen HVM, controlling
the guest's kernel would involve locking down the bootloader.


CREDITS
=======

These issues were discovered by Ben Serebrin from Google and
Jan Beulich from SUSE.

RESOLUTION
==========

To correctly support the intended uses of the relevant CPU features
would require architectural changes to the CPU specification, design
and implementation.  This is not practical as a security response.

Applying the appropriate attached patch works around the issue in
software.

xsa156.patch        xen-unstable, Xen 4.6.x
xsa156-4.5.patch    Xen 4.5.x
xsa156-4.4.patch    Xen 4.4.x
xsa156-4.3.patch    Xen 4.3.x

$ sha256sum xsa156*.patch
ffc8153cdf4e69ff2feced6ea4988b594b5cb724e9909300209f9ae35fe0e618  xsa156-4.3.patch
c2001aed46840b044a066b9ca79a8c53aca26fc637125016ccfebafa5ace5475  xsa156-4.4.patch
af8edc5cfb2fe54d8c195b8748e80ffad0f32c37c50a16fa5005fec461cdb6ff  xsa156-4.5.patch
d92729ca9174f7d1d8c6fd31321d1a58696c0630e87420539c32f7718b9e8ee8  xsa156.patch
$


NOTE REGARDING EMBARGO DURATION
===============================

We have released this advisory as soon as possible after we obtained
firm confirmation of the embargo end date from the discoverer.


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWQTU6AAoJEIP+FMlX6CvZpQMH/iNmCRPVz4H54WdWgiRJuNZV
PrJFEITwxfOeaD84bQhxd0dXWqGnQvzPVScG5+qmWM6Bn533Gh2gkjKALHF8nltf
usAuIgiXcHC0jv5m9/Z7+9t62mJkfnVhq0qdz/UEFO2VM8GbWCCArpUStvb/GetS
sY7Rh1HV8p4nA5LOgvUgQc0yjCHoSfooyxkCNBBy31t5A33H4Se65pnKH/aRPH10
o4nX9NXxw2jN6XZ9bjACzm1KNPjDn1P5y/Zx5ccoHDQZHVYYHXMEgVSVnKEgriFL
xPaFe0Att3RfBQtj9HAZJEE8YNy74m+28/GMIoCWU2FCwY6R86dDoVHU5hKiWRc=
=z+MW
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa156-4.3.patch"
Content-Disposition: attachment; filename="xsa156-4.3.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC05NDEsMTAgKzk0MSwxMSBA
QCBzdGF0aWMgdm9pZCBzdm1fZG9fcmVzdW1lKHN0cnVjdCB2Y3B1ICp2CiAg
ICAgICAgIHVubGlrZWx5KHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVf
bGF0Y2ggIT0gZGVidWdfc3RhdGUpICkKICAgICB7CiAgICAgICAgIHVpbnQz
Ml90IGludGVyY2VwdHMgPSB2bWNiX2dldF9leGNlcHRpb25faW50ZXJjZXB0
cyh2bWNiKTsKLSAgICAgICAgdWludDMyX3QgbWFzayA9ICgxVSA8PCBUUkFQ
X2RlYnVnKSB8ICgxVSA8PCBUUkFQX2ludDMpOworCiAgICAgICAgIHYtPmFy
Y2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggPSBkZWJ1Z19zdGF0ZTsK
ICAgICAgICAgdm1jYl9zZXRfZXhjZXB0aW9uX2ludGVyY2VwdHMoCi0gICAg
ICAgICAgICB2bWNiLCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgbWFz
aykgOiAoaW50ZXJjZXB0cyAmIH5tYXNrKSk7CisgICAgICAgICAgICB2bWNi
LCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgKDFVIDw8IFRSQVBfaW50
MykpCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA6IChpbnRlcmNl
cHRzICYgfigxVSA8PCBUUkFQX2ludDMpKSk7CiAgICAgfQogCiAgICAgaWYg
KCB2LT5hcmNoLmh2bV9zdm0ubGF1bmNoX2NvcmUgIT0gc21wX3Byb2Nlc3Nv
cl9pZCgpICkKQEAgLTIyMjMsOCArMjIyNCw5IEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KIAogICAgIGNhc2UgVk1FWElU
X0VYQ0VQVElPTl9EQjoKICAgICAgICAgaWYgKCAhdi0+ZG9tYWluLT5kZWJ1
Z2dlcl9hdHRhY2hlZCApCi0gICAgICAgICAgICBnb3RvIHVuZXhwZWN0ZWRf
ZXhpdF90eXBlOwotICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQ
X2RlYnVnLCBIVk1fREVMSVZFUl9OT19FUlJPUl9DT0RFKTsKKyAgICAgICAg
ZWxzZQorICAgICAgICAgICAgZG9tYWluX3BhdXNlX2Zvcl9kZWJ1Z2dlcigp
OwogICAgICAgICBicmVhazsKIAogICAgIGNhc2UgVk1FWElUX0VYQ0VQVElP
Tl9CUDoKQEAgLTIyNzIsNiArMjI3NCwxMSBAQCB2b2lkIHN2bV92bWV4aXRf
aGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAgICAgICAgIGJyZWFrOwogICAg
IH0KIAorICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9BQzoKKyAgICAgICAg
SFZNVFJBQ0VfMUQoVFJBUCwgVFJBUF9hbGlnbm1lbnRfY2hlY2spOworICAg
ICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQX2FsaWdubWVudF9j
aGVjaywgdm1jYi0+ZXhpdGluZm8xKTsKKyAgICAgICAgYnJlYWs7CisKICAg
ICBjYXNlIFZNRVhJVF9FWENFUFRJT05fVUQ6CiAgICAgICAgIHN2bV92bWV4
aXRfdWRfaW50ZXJjZXB0KHJlZ3MpOwogICAgICAgICBicmVhazsKLS0tIGEv
eGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gveDg2
L2h2bS92bXgvdm14LmMKQEAgLTExMjIsMTggKzExMjIsMTIgQEAgc3RhdGlj
IHZvaWQgdm14X3VwZGF0ZV9ob3N0X2NyMyhzdHJ1Y3QgdgogCiB2b2lkIHZt
eF91cGRhdGVfZGVidWdfc3RhdGUoc3RydWN0IHZjcHUgKnYpCiB7Ci0gICAg
dW5zaWduZWQgbG9uZyBtYXNrOwotCiAgICAgQVNTRVJUKHYgPT0gY3VycmVu
dCk7CiAKLSAgICBtYXNrID0gMXUgPDwgVFJBUF9pbnQzOwotICAgIGlmICgg
IWNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcgKQotICAgICAgICBtYXNrIHw9
IDF1IDw8IFRSQVBfZGVidWc7Ci0KICAgICBpZiAoIHYtPmFyY2guaHZtX3Zj
cHUuZGVidWdfc3RhdGVfbGF0Y2ggKQotICAgICAgICB2LT5hcmNoLmh2bV92
bXguZXhjZXB0aW9uX2JpdG1hcCB8PSBtYXNrOworICAgICAgICB2LT5hcmNo
Lmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8PSAxVSA8PCBUUkFQX2ludDM7
CiAgICAgZWxzZQotICAgICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9u
X2JpdG1hcCAmPSB+bWFzazsKKyAgICAgICAgdi0+YXJjaC5odm1fdm14LmV4
Y2VwdGlvbl9iaXRtYXAgJj0gfigxVSA8PCBUUkFQX2ludDMpOwogICAgIHZt
eF91cGRhdGVfZXhjZXB0aW9uX2JpdG1hcCh2KTsKIH0KIApAQCAtMjYxNiw5
ICsyNjEwLDEwIEBAIHZvaWQgdm14X3ZtZXhpdF9oYW5kbGVyKHN0cnVjdCBj
cHVfdXNlcl8KICAgICAgICAgICAgIGV4aXRfcXVhbGlmaWNhdGlvbiA9IF9f
dm1yZWFkKEVYSVRfUVVBTElGSUNBVElPTik7CiAgICAgICAgICAgICBIVk1U
UkFDRV8xRChUUkFQX0RFQlVHLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAg
ICAgICAgICAgd3JpdGVfZGVidWdyZWcoNiwgZXhpdF9xdWFsaWZpY2F0aW9u
IHwgMHhmZmZmMGZmMCk7Ci0gICAgICAgICAgICBpZiAoICF2LT5kb21haW4t
PmRlYnVnZ2VyX2F0dGFjaGVkIHx8IGNwdV9oYXNfbW9uaXRvcl90cmFwX2Zs
YWcgKQotICAgICAgICAgICAgICAgIGdvdG8gZXhpdF9hbmRfY3Jhc2g7Ci0g
ICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7CisgICAg
ICAgICAgICBpZiAoICF2LT5kb21haW4tPmRlYnVnZ2VyX2F0dGFjaGVkICkK
KyAgICAgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0
b3IsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAgICAgICAg
ZWxzZQorICAgICAgICAgICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdn
ZXIoKTsKICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRSQVBf
aW50MzogCiAgICAgICAgIHsKQEAgLTI2NzksNiArMjY3NCwxMSBAQCB2b2lk
IHZteF92bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAKICAgICAg
ICAgICAgIGh2bV9pbmplY3RfcGFnZV9mYXVsdChyZWdzLT5lcnJvcl9jb2Rl
LCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgYnJlYWs7Cisg
ICAgICAgIGNhc2UgVFJBUF9hbGlnbm1lbnRfY2hlY2s6CisgICAgICAgICAg
ICBIVk1UUkFDRV8xRChUUkFQLCB2ZWN0b3IpOworICAgICAgICAgICAgaHZt
X2luamVjdF9od19leGNlcHRpb24odmVjdG9yLAorICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgX192bXJlYWQoVk1fRVhJVF9JTlRSX0VS
Uk9SX0NPREUpKTsKKyAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNl
IFRSQVBfbm1pOgogICAgICAgICAgICAgaWYgKCAoaW50cl9pbmZvICYgSU5U
Ul9JTkZPX0lOVFJfVFlQRV9NQVNLKSAhPQogICAgICAgICAgICAgICAgICAo
WDg2X0VWRU5UVFlQRV9OTUkgPDwgOCkgKQotLS0gYS94ZW4vaW5jbHVkZS9h
c20teDg2L2h2bS9odm0uaAorKysgYi94ZW4vaW5jbHVkZS9hc20teDg2L2h2
bS9odm0uaApAQCAtMzg5LDcgKzM4OSwxMCBAQCBzdGF0aWMgaW5saW5lIGJv
b2xfdCBodm1fdmNwdV9oYXNfc21lcCh2CiB9KQogCiAvKiBUaGVzZSBleGNl
cHRpb25zIG11c3QgYWx3YXlzIGJlIGludGVyY2VwdGVkLiAqLwotI2RlZmlu
ZSBIVk1fVFJBUF9NQVNLICgoMVUgPDwgVFJBUF9tYWNoaW5lX2NoZWNrKSB8
ICgxVSA8PCBUUkFQX2ludmFsaWRfb3ApKQorI2RlZmluZSBIVk1fVFJBUF9N
QVNLICgoMVUgPDwgVFJBUF9kZWJ1ZykgICAgICAgICAgIHwgXAorICAgICAg
ICAgICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9pbnZhbGlkX29wKSAgICAg
IHwgXAorICAgICAgICAgICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9hbGln
bm1lbnRfY2hlY2spIHwgXAorICAgICAgICAgICAgICAgICAgICAgICAoMVUg
PDwgVFJBUF9tYWNoaW5lX2NoZWNrKSkKIAogLyoKICAqIHg4NiBldmVudCB0
eXBlcy4gVGhpcyBlbnVtZXJhdGlvbiBpcyB2YWxpZCBmb3I6Cg==

--=separator
Content-Type: application/octet-stream; name="xsa156-4.4.patch"
Content-Disposition: attachment; filename="xsa156-4.4.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC05NDEsMTAgKzk0MSwxMSBA
QCBzdGF0aWMgdm9pZCBub3JldHVybiBzdm1fZG9fcmVzdW1lKHN0cnVjCiAg
ICAgICAgIHVubGlrZWx5KHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVf
bGF0Y2ggIT0gZGVidWdfc3RhdGUpICkKICAgICB7CiAgICAgICAgIHVpbnQz
Ml90IGludGVyY2VwdHMgPSB2bWNiX2dldF9leGNlcHRpb25faW50ZXJjZXB0
cyh2bWNiKTsKLSAgICAgICAgdWludDMyX3QgbWFzayA9ICgxVSA8PCBUUkFQ
X2RlYnVnKSB8ICgxVSA8PCBUUkFQX2ludDMpOworCiAgICAgICAgIHYtPmFy
Y2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggPSBkZWJ1Z19zdGF0ZTsK
ICAgICAgICAgdm1jYl9zZXRfZXhjZXB0aW9uX2ludGVyY2VwdHMoCi0gICAg
ICAgICAgICB2bWNiLCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgbWFz
aykgOiAoaW50ZXJjZXB0cyAmIH5tYXNrKSk7CisgICAgICAgICAgICB2bWNi
LCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgKDFVIDw8IFRSQVBfaW50
MykpCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA6IChpbnRlcmNl
cHRzICYgfigxVSA8PCBUUkFQX2ludDMpKSk7CiAgICAgfQogCiAgICAgaWYg
KCB2LT5hcmNoLmh2bV9zdm0ubGF1bmNoX2NvcmUgIT0gc21wX3Byb2Nlc3Nv
cl9pZCgpICkKQEAgLTIyMjUsOCArMjIyNiw5IEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KIAogICAgIGNhc2UgVk1FWElU
X0VYQ0VQVElPTl9EQjoKICAgICAgICAgaWYgKCAhdi0+ZG9tYWluLT5kZWJ1
Z2dlcl9hdHRhY2hlZCApCi0gICAgICAgICAgICBnb3RvIHVuZXhwZWN0ZWRf
ZXhpdF90eXBlOwotICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQ
X2RlYnVnLCBIVk1fREVMSVZFUl9OT19FUlJPUl9DT0RFKTsKKyAgICAgICAg
ZWxzZQorICAgICAgICAgICAgZG9tYWluX3BhdXNlX2Zvcl9kZWJ1Z2dlcigp
OwogICAgICAgICBicmVhazsKIAogICAgIGNhc2UgVk1FWElUX0VYQ0VQVElP
Tl9CUDoKQEAgLTIyNzQsNiArMjI3NiwxMSBAQCB2b2lkIHN2bV92bWV4aXRf
aGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAgICAgICAgIGJyZWFrOwogICAg
IH0KIAorICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9BQzoKKyAgICAgICAg
SFZNVFJBQ0VfMUQoVFJBUCwgVFJBUF9hbGlnbm1lbnRfY2hlY2spOworICAg
ICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQX2FsaWdubWVudF9j
aGVjaywgdm1jYi0+ZXhpdGluZm8xKTsKKyAgICAgICAgYnJlYWs7CisKICAg
ICBjYXNlIFZNRVhJVF9FWENFUFRJT05fVUQ6CiAgICAgICAgIHN2bV92bWV4
aXRfdWRfaW50ZXJjZXB0KHJlZ3MpOwogICAgICAgICBicmVhazsKLS0tIGEv
eGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gveDg2
L2h2bS92bXgvdm14LmMKQEAgLTExMzIsMTYgKzExMzIsMTAgQEAgc3RhdGlj
IHZvaWQgdm14X3VwZGF0ZV9ob3N0X2NyMyhzdHJ1Y3QgdgogCiB2b2lkIHZt
eF91cGRhdGVfZGVidWdfc3RhdGUoc3RydWN0IHZjcHUgKnYpCiB7Ci0gICAg
dW5zaWduZWQgbG9uZyBtYXNrOwotCi0gICAgbWFzayA9IDF1IDw8IFRSQVBf
aW50MzsKLSAgICBpZiAoICFjcHVfaGFzX21vbml0b3JfdHJhcF9mbGFnICkK
LSAgICAgICAgbWFzayB8PSAxdSA8PCBUUkFQX2RlYnVnOwotCiAgICAgaWYg
KCB2LT5hcmNoLmh2bV92Y3B1LmRlYnVnX3N0YXRlX2xhdGNoICkKLSAgICAg
ICAgdi0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgfD0gbWFzazsK
KyAgICAgICAgdi0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgfD0g
MVUgPDwgVFJBUF9pbnQzOwogICAgIGVsc2UKLSAgICAgICAgdi0+YXJjaC5o
dm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgJj0gfm1hc2s7CisgICAgICAgIHYt
PmFyY2guaHZtX3ZteC5leGNlcHRpb25fYml0bWFwICY9IH4oMVUgPDwgVFJB
UF9pbnQzKTsKIAogICAgIHZteF92bWNzX2VudGVyKHYpOwogICAgIHZteF91
cGRhdGVfZXhjZXB0aW9uX2JpdG1hcCh2KTsKQEAgLTI2NzgsOSArMjY3Miwx
MCBAQCB2b2lkIHZteF92bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJf
CiAgICAgICAgICAgICBfX3ZtcmVhZChFWElUX1FVQUxJRklDQVRJT04sICZl
eGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgSFZNVFJBQ0VfMUQo
VFJBUF9ERUJVRywgZXhpdF9xdWFsaWZpY2F0aW9uKTsKICAgICAgICAgICAg
IHdyaXRlX2RlYnVncmVnKDYsIGV4aXRfcXVhbGlmaWNhdGlvbiB8IDB4ZmZm
ZjBmZjApOwotICAgICAgICAgICAgaWYgKCAhdi0+ZG9tYWluLT5kZWJ1Z2dl
cl9hdHRhY2hlZCB8fCBjcHVfaGFzX21vbml0b3JfdHJhcF9mbGFnICkKLSAg
ICAgICAgICAgICAgICBnb3RvIGV4aXRfYW5kX2NyYXNoOwotICAgICAgICAg
ICAgZG9tYWluX3BhdXNlX2Zvcl9kZWJ1Z2dlcigpOworICAgICAgICAgICAg
aWYgKCAhdi0+ZG9tYWluLT5kZWJ1Z2dlcl9hdHRhY2hlZCApCisgICAgICAg
ICAgICAgICAgaHZtX2luamVjdF9od19leGNlcHRpb24odmVjdG9yLCBIVk1f
REVMSVZFUl9OT19FUlJPUl9DT0RFKTsKKyAgICAgICAgICAgIGVsc2UKKyAg
ICAgICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7CiAg
ICAgICAgICAgICBicmVhazsKICAgICAgICAgY2FzZSBUUkFQX2ludDM6IAog
ICAgICAgICB7CkBAIC0yNzQ1LDYgKzI3NDAsMTEgQEAgdm9pZCB2bXhfdm1l
eGl0X2hhbmRsZXIoc3RydWN0IGNwdV91c2VyXwogCiAgICAgICAgICAgICBo
dm1faW5qZWN0X3BhZ2VfZmF1bHQocmVncy0+ZXJyb3JfY29kZSwgZXhpdF9x
dWFsaWZpY2F0aW9uKTsKICAgICAgICAgICAgIGJyZWFrOworICAgICAgICBj
YXNlIFRSQVBfYWxpZ25tZW50X2NoZWNrOgorICAgICAgICAgICAgSFZNVFJB
Q0VfMUQoVFJBUCwgdmVjdG9yKTsKKyAgICAgICAgICAgIF9fdm1yZWFkKFZN
X0VYSVRfSU5UUl9FUlJPUl9DT0RFLCAmZWNvZGUpOworICAgICAgICAgICAg
aHZtX2luamVjdF9od19leGNlcHRpb24odmVjdG9yLCBlY29kZSk7CisgICAg
ICAgICAgICBicmVhazsKICAgICAgICAgY2FzZSBUUkFQX25taToKICAgICAg
ICAgICAgIGlmICggKGludHJfaW5mbyAmIElOVFJfSU5GT19JTlRSX1RZUEVf
TUFTSykgIT0KICAgICAgICAgICAgICAgICAgKFg4Nl9FVkVOVFRZUEVfTk1J
IDw8IDgpICkKLS0tIGEveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vaHZtLmgK
KysrIGIveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vaHZtLmgKQEAgLTM5Myw3
ICszOTMsMTAgQEAgc3RhdGljIGlubGluZSBpbnQgaHZtX2V2ZW50X3BlbmRp
bmcoc3RydQogfSkKIAogLyogVGhlc2UgZXhjZXB0aW9ucyBtdXN0IGFsd2F5
cyBiZSBpbnRlcmNlcHRlZC4gKi8KLSNkZWZpbmUgSFZNX1RSQVBfTUFTSyAo
KDFVIDw8IFRSQVBfbWFjaGluZV9jaGVjaykgfCAoMVUgPDwgVFJBUF9pbnZh
bGlkX29wKSkKKyNkZWZpbmUgSFZNX1RSQVBfTUFTSyAoKDFVIDw8IFRSQVBf
ZGVidWcpICAgICAgICAgICB8IFwKKyAgICAgICAgICAgICAgICAgICAgICAg
KDFVIDw8IFRSQVBfaW52YWxpZF9vcCkgICAgICB8IFwKKyAgICAgICAgICAg
ICAgICAgICAgICAgKDFVIDw8IFRSQVBfYWxpZ25tZW50X2NoZWNrKSB8IFwK
KyAgICAgICAgICAgICAgICAgICAgICAgKDFVIDw8IFRSQVBfbWFjaGluZV9j
aGVjaykpCiAKIC8qCiAgKiB4ODYgZXZlbnQgdHlwZXMuIFRoaXMgZW51bWVy
YXRpb24gaXMgdmFsaWQgZm9yOgo=

--=separator
Content-Type: application/octet-stream; name="xsa156-4.5.patch"
Content-Disposition: attachment; filename="xsa156-4.5.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC0xMDQ1LDEwICsxMDQ1LDEx
IEBAIHN0YXRpYyB2b2lkIG5vcmV0dXJuIHN2bV9kb19yZXN1bWUoc3RydWMK
ICAgICAgICAgdW5saWtlbHkodi0+YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0
ZV9sYXRjaCAhPSBkZWJ1Z19zdGF0ZSkgKQogICAgIHsKICAgICAgICAgdWlu
dDMyX3QgaW50ZXJjZXB0cyA9IHZtY2JfZ2V0X2V4Y2VwdGlvbl9pbnRlcmNl
cHRzKHZtY2IpOwotICAgICAgICB1aW50MzJfdCBtYXNrID0gKDFVIDw8IFRS
QVBfZGVidWcpIHwgKDFVIDw8IFRSQVBfaW50Myk7CisKICAgICAgICAgdi0+
YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0ZV9sYXRjaCA9IGRlYnVnX3N0YXRl
OwogICAgICAgICB2bWNiX3NldF9leGNlcHRpb25faW50ZXJjZXB0cygKLSAg
ICAgICAgICAgIHZtY2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCBt
YXNrKSA6IChpbnRlcmNlcHRzICYgfm1hc2spKTsKKyAgICAgICAgICAgIHZt
Y2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCAoMVUgPDwgVFJBUF9p
bnQzKSkKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDogKGludGVy
Y2VwdHMgJiB+KDFVIDw8IFRSQVBfaW50MykpKTsKICAgICB9CiAKICAgICBp
ZiAoIHYtPmFyY2guaHZtX3N2bS5sYXVuY2hfY29yZSAhPSBzbXBfcHJvY2Vz
c29yX2lkKCkgKQpAQCAtMjQzNSw4ICsyNDM2LDkgQEAgdm9pZCBzdm1fdm1l
eGl0X2hhbmRsZXIoc3RydWN0IGNwdV91c2VyXwogCiAgICAgY2FzZSBWTUVY
SVRfRVhDRVBUSU9OX0RCOgogICAgICAgICBpZiAoICF2LT5kb21haW4tPmRl
YnVnZ2VyX2F0dGFjaGVkICkKLSAgICAgICAgICAgIGdvdG8gdW5leHBlY3Rl
ZF9leGl0X3R5cGU7Ci0gICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdn
ZXIoKTsKKyAgICAgICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRS
QVBfZGVidWcsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAg
ICBlbHNlCisgICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CiAgICAgICAgIGJyZWFrOwogCiAgICAgY2FzZSBWTUVYSVRfRVhDRVBU
SU9OX0JQOgpAQCAtMjQ4NCw2ICsyNDg2LDExIEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KICAgICAgICAgYnJlYWs7CiAg
ICAgfQogCisgICAgY2FzZSBWTUVYSVRfRVhDRVBUSU9OX0FDOgorICAgICAg
ICBIVk1UUkFDRV8xRChUUkFQLCBUUkFQX2FsaWdubWVudF9jaGVjayk7Cisg
ICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRSQVBfYWxpZ25tZW50
X2NoZWNrLCB2bWNiLT5leGl0aW5mbzEpOworICAgICAgICBicmVhazsKKwog
ICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9VRDoKICAgICAgICAgc3ZtX3Zt
ZXhpdF91ZF9pbnRlcmNlcHQocmVncyk7CiAgICAgICAgIGJyZWFrOwotLS0g
YS94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXguYworKysgYi94ZW4vYXJjaC94
ODYvaHZtL3ZteC92bXguYwpAQCAtMTE4NiwxNiArMTE4NiwxMCBAQCBzdGF0
aWMgdm9pZCB2bXhfdXBkYXRlX2hvc3RfY3IzKHN0cnVjdCB2CiAKIHZvaWQg
dm14X3VwZGF0ZV9kZWJ1Z19zdGF0ZShzdHJ1Y3QgdmNwdSAqdikKIHsKLSAg
ICB1bnNpZ25lZCBsb25nIG1hc2s7Ci0KLSAgICBtYXNrID0gMXUgPDwgVFJB
UF9pbnQzOwotICAgIGlmICggIWNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcg
KQotICAgICAgICBtYXNrIHw9IDF1IDw8IFRSQVBfZGVidWc7Ci0KICAgICBp
ZiAoIHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggKQotICAg
ICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8PSBtYXNr
OworICAgICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8
PSAxVSA8PCBUUkFQX2ludDM7CiAgICAgZWxzZQotICAgICAgICB2LT5hcmNo
Lmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCAmPSB+bWFzazsKKyAgICAgICAg
di0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgJj0gfigxVSA8PCBU
UkFQX2ludDMpOwogCiAgICAgdm14X3ZtY3NfZW50ZXIodik7CiAgICAgdm14
X3VwZGF0ZV9leGNlcHRpb25fYml0bWFwKHYpOwpAQCAtMjgwMSw5ICsyNzk1
LDEwIEBAIHZvaWQgdm14X3ZtZXhpdF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNl
cl8KICAgICAgICAgICAgIF9fdm1yZWFkKEVYSVRfUVVBTElGSUNBVElPTiwg
JmV4aXRfcXVhbGlmaWNhdGlvbik7CiAgICAgICAgICAgICBIVk1UUkFDRV8x
RChUUkFQX0RFQlVHLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAg
ICAgd3JpdGVfZGVidWdyZWcoNiwgZXhpdF9xdWFsaWZpY2F0aW9uIHwgMHhm
ZmZmMGZmMCk7Ci0gICAgICAgICAgICBpZiAoICF2LT5kb21haW4tPmRlYnVn
Z2VyX2F0dGFjaGVkIHx8IGNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcgKQot
ICAgICAgICAgICAgICAgIGdvdG8gZXhpdF9hbmRfY3Jhc2g7Ci0gICAgICAg
ICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7CisgICAgICAgICAg
ICBpZiAoICF2LT5kb21haW4tPmRlYnVnZ2VyX2F0dGFjaGVkICkKKyAgICAg
ICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0b3IsIEhW
TV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAgICAgICAgZWxzZQor
ICAgICAgICAgICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdnZXIoKTsK
ICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRSQVBfaW50Mzog
CiAgICAgICAgIHsKQEAgLTI4NjgsNiArMjg2MywxMSBAQCB2b2lkIHZteF92
bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAKICAgICAgICAgICAg
IGh2bV9pbmplY3RfcGFnZV9mYXVsdChyZWdzLT5lcnJvcl9jb2RlLCBleGl0
X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgYnJlYWs7CisgICAgICAg
IGNhc2UgVFJBUF9hbGlnbm1lbnRfY2hlY2s6CisgICAgICAgICAgICBIVk1U
UkFDRV8xRChUUkFQLCB2ZWN0b3IpOworICAgICAgICAgICAgX192bXJlYWQo
Vk1fRVhJVF9JTlRSX0VSUk9SX0NPREUsICZlY29kZSk7CisgICAgICAgICAg
ICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0b3IsIGVjb2RlKTsKKyAg
ICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRSQVBfbm1pOgogICAg
ICAgICAgICAgaWYgKCAoaW50cl9pbmZvICYgSU5UUl9JTkZPX0lOVFJfVFlQ
RV9NQVNLKSAhPQogICAgICAgICAgICAgICAgICAoWDg2X0VWRU5UVFlQRV9O
TUkgPDwgOCkgKQotLS0gYS94ZW4vaW5jbHVkZS9hc20teDg2L2h2bS9odm0u
aAorKysgYi94ZW4vaW5jbHVkZS9hc20teDg2L2h2bS9odm0uaApAQCAtMzc4
LDcgKzM3OCwxMCBAQCBzdGF0aWMgaW5saW5lIGludCBodm1fZXZlbnRfcGVu
ZGluZyhzdHJ1CiAgICAgKFg4Nl9DUjRfVk1YRSB8IFg4Nl9DUjRfUEFFIHwg
WDg2X0NSNF9NQ0UpKQogCiAvKiBUaGVzZSBleGNlcHRpb25zIG11c3QgYWx3
YXlzIGJlIGludGVyY2VwdGVkLiAqLwotI2RlZmluZSBIVk1fVFJBUF9NQVNL
ICgoMVUgPDwgVFJBUF9tYWNoaW5lX2NoZWNrKSB8ICgxVSA8PCBUUkFQX2lu
dmFsaWRfb3ApKQorI2RlZmluZSBIVk1fVFJBUF9NQVNLICgoMVUgPDwgVFJB
UF9kZWJ1ZykgICAgICAgICAgIHwgXAorICAgICAgICAgICAgICAgICAgICAg
ICAoMVUgPDwgVFJBUF9pbnZhbGlkX29wKSAgICAgIHwgXAorICAgICAgICAg
ICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9hbGlnbm1lbnRfY2hlY2spIHwg
XAorICAgICAgICAgICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9tYWNoaW5l
X2NoZWNrKSkKIAogLyoKICAqIHg4NiBldmVudCB0eXBlcy4gVGhpcyBlbnVt
ZXJhdGlvbiBpcyB2YWxpZCBmb3I6Cg==

--=separator
Content-Type: application/octet-stream; name="xsa156.patch"
Content-Disposition: attachment; filename="xsa156.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC0xMDQzLDEwICsxMDQzLDEx
IEBAIHN0YXRpYyB2b2lkIG5vcmV0dXJuIHN2bV9kb19yZXN1bWUoc3RydWMK
ICAgICAgICAgdW5saWtlbHkodi0+YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0
ZV9sYXRjaCAhPSBkZWJ1Z19zdGF0ZSkgKQogICAgIHsKICAgICAgICAgdWlu
dDMyX3QgaW50ZXJjZXB0cyA9IHZtY2JfZ2V0X2V4Y2VwdGlvbl9pbnRlcmNl
cHRzKHZtY2IpOwotICAgICAgICB1aW50MzJfdCBtYXNrID0gKDFVIDw8IFRS
QVBfZGVidWcpIHwgKDFVIDw8IFRSQVBfaW50Myk7CisKICAgICAgICAgdi0+
YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0ZV9sYXRjaCA9IGRlYnVnX3N0YXRl
OwogICAgICAgICB2bWNiX3NldF9leGNlcHRpb25faW50ZXJjZXB0cygKLSAg
ICAgICAgICAgIHZtY2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCBt
YXNrKSA6IChpbnRlcmNlcHRzICYgfm1hc2spKTsKKyAgICAgICAgICAgIHZt
Y2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCAoMVUgPDwgVFJBUF9p
bnQzKSkKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDogKGludGVy
Y2VwdHMgJiB+KDFVIDw8IFRSQVBfaW50MykpKTsKICAgICB9CiAKICAgICBp
ZiAoIHYtPmFyY2guaHZtX3N2bS5sYXVuY2hfY29yZSAhPSBzbXBfcHJvY2Vz
c29yX2lkKCkgKQpAQCAtMjQzNCw4ICsyNDM1LDkgQEAgdm9pZCBzdm1fdm1l
eGl0X2hhbmRsZXIoc3RydWN0IGNwdV91c2VyXwogCiAgICAgY2FzZSBWTUVY
SVRfRVhDRVBUSU9OX0RCOgogICAgICAgICBpZiAoICF2LT5kb21haW4tPmRl
YnVnZ2VyX2F0dGFjaGVkICkKLSAgICAgICAgICAgIGdvdG8gdW5leHBlY3Rl
ZF9leGl0X3R5cGU7Ci0gICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdn
ZXIoKTsKKyAgICAgICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRS
QVBfZGVidWcsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAg
ICBlbHNlCisgICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CiAgICAgICAgIGJyZWFrOwogCiAgICAgY2FzZSBWTUVYSVRfRVhDRVBU
SU9OX0JQOgpAQCAtMjQ4Myw2ICsyNDg1LDExIEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KICAgICAgICAgYnJlYWs7CiAg
ICAgfQogCisgICAgY2FzZSBWTUVYSVRfRVhDRVBUSU9OX0FDOgorICAgICAg
ICBIVk1UUkFDRV8xRChUUkFQLCBUUkFQX2FsaWdubWVudF9jaGVjayk7Cisg
ICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRSQVBfYWxpZ25tZW50
X2NoZWNrLCB2bWNiLT5leGl0aW5mbzEpOworICAgICAgICBicmVhazsKKwog
ICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9VRDoKICAgICAgICAgc3ZtX3Zt
ZXhpdF91ZF9pbnRlcmNlcHQocmVncyk7CiAgICAgICAgIGJyZWFrOwotLS0g
YS94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXguYworKysgYi94ZW4vYXJjaC94
ODYvaHZtL3ZteC92bXguYwpAQCAtMTIyNCwxNiArMTIyNCwxMCBAQCBzdGF0
aWMgdm9pZCB2bXhfdXBkYXRlX2hvc3RfY3IzKHN0cnVjdCB2CiAKIHZvaWQg
dm14X3VwZGF0ZV9kZWJ1Z19zdGF0ZShzdHJ1Y3QgdmNwdSAqdikKIHsKLSAg
ICB1bnNpZ25lZCBsb25nIG1hc2s7Ci0KLSAgICBtYXNrID0gMXUgPDwgVFJB
UF9pbnQzOwotICAgIGlmICggIWNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcg
KQotICAgICAgICBtYXNrIHw9IDF1IDw8IFRSQVBfZGVidWc7Ci0KICAgICBp
ZiAoIHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggKQotICAg
ICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8PSBtYXNr
OworICAgICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8
PSAxVSA8PCBUUkFQX2ludDM7CiAgICAgZWxzZQotICAgICAgICB2LT5hcmNo
Lmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCAmPSB+bWFzazsKKyAgICAgICAg
di0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgJj0gfigxVSA8PCBU
UkFQX2ludDMpOwogCiAgICAgdm14X3ZtY3NfZW50ZXIodik7CiAgICAgdm14
X3VwZGF0ZV9leGNlcHRpb25fYml0bWFwKHYpOwpAQCAtMzA2MCw5ICszMDU0
LDEwIEBAIHZvaWQgdm14X3ZtZXhpdF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNl
cl8KICAgICAgICAgICAgIF9fdm1yZWFkKEVYSVRfUVVBTElGSUNBVElPTiwg
JmV4aXRfcXVhbGlmaWNhdGlvbik7CiAgICAgICAgICAgICBIVk1UUkFDRV8x
RChUUkFQX0RFQlVHLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAg
ICAgd3JpdGVfZGVidWdyZWcoNiwgZXhpdF9xdWFsaWZpY2F0aW9uIHwgRFJf
U1RBVFVTX1JFU0VSVkVEX09ORSk7Ci0gICAgICAgICAgICBpZiAoICF2LT5k
b21haW4tPmRlYnVnZ2VyX2F0dGFjaGVkIHx8IGNwdV9oYXNfbW9uaXRvcl90
cmFwX2ZsYWcgKQotICAgICAgICAgICAgICAgIGdvdG8gZXhpdF9hbmRfY3Jh
c2g7Ci0gICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7
CisgICAgICAgICAgICBpZiAoICF2LT5kb21haW4tPmRlYnVnZ2VyX2F0dGFj
aGVkICkKKyAgICAgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlv
bih2ZWN0b3IsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAg
ICAgICAgZWxzZQorICAgICAgICAgICAgICAgIGRvbWFpbl9wYXVzZV9mb3Jf
ZGVidWdnZXIoKTsKICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNl
IFRSQVBfaW50MzogCiAgICAgICAgIHsKQEAgLTMxMjcsNiArMzEyMiwxMSBA
QCB2b2lkIHZteF92bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAK
ICAgICAgICAgICAgIGh2bV9pbmplY3RfcGFnZV9mYXVsdChyZWdzLT5lcnJv
cl9jb2RlLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgYnJl
YWs7CisgICAgICAgIGNhc2UgVFJBUF9hbGlnbm1lbnRfY2hlY2s6CisgICAg
ICAgICAgICBIVk1UUkFDRV8xRChUUkFQLCB2ZWN0b3IpOworICAgICAgICAg
ICAgX192bXJlYWQoVk1fRVhJVF9JTlRSX0VSUk9SX0NPREUsICZlY29kZSk7
CisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0b3Is
IGVjb2RlKTsKKyAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRS
QVBfbm1pOgogICAgICAgICAgICAgaWYgKCBNQVNLX0VYVFIoaW50cl9pbmZv
LCBJTlRSX0lORk9fSU5UUl9UWVBFX01BU0spICE9CiAgICAgICAgICAgICAg
ICAgIFg4Nl9FVkVOVFRZUEVfTk1JICkKLS0tIGEveGVuL2luY2x1ZGUvYXNt
LXg4Ni9odm0vaHZtLmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0v
aHZtLmgKQEAgLTM4NSw3ICszODUsMTAgQEAgc3RhdGljIGlubGluZSBpbnQg
aHZtX2V2ZW50X3BlbmRpbmcoc3RydQogICAgIChYODZfQ1I0X1ZNWEUgfCBY
ODZfQ1I0X1BBRSB8IFg4Nl9DUjRfTUNFKSkKIAogLyogVGhlc2UgZXhjZXB0
aW9ucyBtdXN0IGFsd2F5cyBiZSBpbnRlcmNlcHRlZC4gKi8KLSNkZWZpbmUg
SFZNX1RSQVBfTUFTSyAoKDFVIDw8IFRSQVBfbWFjaGluZV9jaGVjaykgfCAo
MVUgPDwgVFJBUF9pbnZhbGlkX29wKSkKKyNkZWZpbmUgSFZNX1RSQVBfTUFT
SyAoKDFVIDw8IFRSQVBfZGVidWcpICAgICAgICAgICB8IFwKKyAgICAgICAg
ICAgICAgICAgICAgICAgKDFVIDw8IFRSQVBfaW52YWxpZF9vcCkgICAgICB8
IFwKKyAgICAgICAgICAgICAgICAgICAgICAgKDFVIDw8IFRSQVBfYWxpZ25t
ZW50X2NoZWNrKSB8IFwKKyAgICAgICAgICAgICAgICAgICAgICAgKDFVIDw8
IFRSQVBfbWFjaGluZV9jaGVjaykpCiAKIC8qCiAgKiB4ODYgZXZlbnQgdHlw
ZXMuIFRoaXMgZW51bWVyYXRpb24gaXMgdmFsaWQgZm9yOgo=

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Nov 10 00:09:48 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 10 Nov 2015 00:09:48 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZvwUO-0002fp-4a; Tue, 10 Nov 2015 00:08:44 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZvwUN-0002fO-B3; Tue, 10 Nov 2015 00:08:43 +0000
Received: from [193.109.254.147] by server-10.bemta-14.messagelabs.com id
	85/A3-01143-A8531465; Tue, 10 Nov 2015 00:08:42 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-14.tower-27.messagelabs.com!1447114120!1819163!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 53403 invoked from network); 10 Nov 2015 00:08:41 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-14.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	10 Nov 2015 00:08:41 -0000
Received: from [50.57.170.242] (helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZvwUC-0001PR-Q3; Tue, 10 Nov 2015 00:08:32 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZvwUB-00088G-IT; Tue, 10 Nov 2015 00:08:32 +0000
Date: Tue, 10 Nov 2015 00:08:31 +0000
Message-Id: <E1ZvwUB-00088G-IT@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 156 (CVE-2015-5307,
 CVE-2015-8104) - x86: CPU lockup during exception delivery
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Xen Security Advisory CVE-2015-5307,CVE-2015-8104 / XSA-156
                              version 2

              x86: CPU lockup during exception delivery

UPDATES IN VERSION 2
====================

Minor title and text adjustment.

CVE-2015-8104 has been assigned for the problem with #DB.
(The #AC issue remains CVE-2015-5307.)

Public release.

ISSUE DESCRIPTION
=================

When a benign exception occurs while delivering another benign
exception, it is architecturally specified that these would be
delivered sequentially. There are, however, cases where this results in
an infinite loop inside the CPU, which (in the virtualized case) can be
broken only by intercepting delivery of the respective exception.

Architecturally, at least some of these cases should also be
resolvable by an arriving NMI or external interrupt, but empirically
this has been determined to not be the case.

The cases affecting Xen are:

#AC (Alignment Check Exception, CVE-2015-5307): When a 32-bit guest
sets up the IDT entry corresponding to this exception to reference a
ring-3 handler, and when ring 3 code triggers the exception while
running with an unaligned stack pointer, delivering the exception will
re-encounter #AC, ending in an infinite loop.

#DB (Debug Exception, CVE-2015-8104): When a guest sets up a hardware
breakpoint covering a data structure involved in delivering #DB, upon
completion of the delivery of the first exception another #DB will
need to be delivered. The effects slightly differ depending on further
guest characteristics:

- - Guests running in 32-bit mode would be expected to sooner or later
  encounter another fault due to the stack pointer decreasing during
  each iteration of the loop. The most likely case would be #PF (Page
  Fault) due to running into unmapped virtual space. However, an
  infinite loop cannot be excluded (e.g. when the guest is running with
  paging disabled).

- - Guests running in long mode, but not using the IST (Interrupt Stack
  Table) feature for the IDT entry corresponding to #DB would behave
  similarly to guests running in 32-bit mode, just that the larger
  virtual address space allows for a much longer loop. The loop can't,
  however, be infinite, as eventually the stack pointer would move into
  non-canonical address space, causing #SS (Stack Fault) instead.

- - Guests running in long mode and using IST for the IDT entry
  corresponding to #DB would enter an infinite loop, as the stack
  pointer wouldn't change between #DB instances.

IMPACT
======

A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant, perhaps
indefinite period.

If a host watchdog (Xen or dom0) is in use, this can lead to a
watchdog timeout and consequently a reboot of the host.  If another,
innocent, guest, is configured with a watchdog, this issue can lead to
a reboot of such a guest.

It is possible that a guest kernel might expose the #AC vulnerability
to malicious unprivileged guest users (by permitting #AC to be handled
in guest user mode).  However, we believe that almost all ordinary
operating system kernels do not permit this; we are not aware of any
exceptions.  (A guest kernel which exposed the #AC vulnerability to
guest userspace would be vulnerable when running on baremetal, without
Xen involved.)


VULNERABLE SYSTEMS
==================

The vulnerability is exposed to any x86 HVM guest.

ARM is not vulnerable.  x86 PV VMs are not vulnerable.

All versions of Xen are affected.

x86 CPUs from all manufacturers are affected.

MITIGATION
==========

Running only PV guests will avoid this issue.

Running only kernels which avoid exposing the #AC problem to userspace
(as discussed in Impact) will prevent untrusted guest users from
exploiting this issue.

With such good kernels, the vulnerability can be avoided altogether if
the guest kernel is controlled by the host rather than guest
administrator, provided that further steps are taken to prevent the
guest administrator from loading code into the kernel (e.g. by
disabling loadable modules etc) or from using other mechanisms which
allow them to run code at kernel privilege.  In Xen HVM, controlling
the guest's kernel would involve locking down the bootloader.


CREDITS
=======

These issues were discovered by Ben Serebrin from Google and
Jan Beulich from SUSE.

RESOLUTION
==========

To correctly support the intended uses of the relevant CPU features
would require architectural changes to the CPU specification, design
and implementation.  This is not practical as a security response.

Applying the appropriate attached patch works around the issue in
software.

xsa156.patch        xen-unstable, Xen 4.6.x
xsa156-4.5.patch    Xen 4.5.x
xsa156-4.4.patch    Xen 4.4.x
xsa156-4.3.patch    Xen 4.3.x

$ sha256sum xsa156*.patch
ffc8153cdf4e69ff2feced6ea4988b594b5cb724e9909300209f9ae35fe0e618  xsa156-4.3.patch
c2001aed46840b044a066b9ca79a8c53aca26fc637125016ccfebafa5ace5475  xsa156-4.4.patch
af8edc5cfb2fe54d8c195b8748e80ffad0f32c37c50a16fa5005fec461cdb6ff  xsa156-4.5.patch
d92729ca9174f7d1d8c6fd31321d1a58696c0630e87420539c32f7718b9e8ee8  xsa156.patch
$


NOTE REGARDING EMBARGO DURATION
===============================

We have released this advisory as soon as possible after we obtained
firm confirmation of the embargo end date from the discoverer.


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWQTU6AAoJEIP+FMlX6CvZpQMH/iNmCRPVz4H54WdWgiRJuNZV
PrJFEITwxfOeaD84bQhxd0dXWqGnQvzPVScG5+qmWM6Bn533Gh2gkjKALHF8nltf
usAuIgiXcHC0jv5m9/Z7+9t62mJkfnVhq0qdz/UEFO2VM8GbWCCArpUStvb/GetS
sY7Rh1HV8p4nA5LOgvUgQc0yjCHoSfooyxkCNBBy31t5A33H4Se65pnKH/aRPH10
o4nX9NXxw2jN6XZ9bjACzm1KNPjDn1P5y/Zx5ccoHDQZHVYYHXMEgVSVnKEgriFL
xPaFe0Att3RfBQtj9HAZJEE8YNy74m+28/GMIoCWU2FCwY6R86dDoVHU5hKiWRc=
=z+MW
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa156-4.3.patch"
Content-Disposition: attachment; filename="xsa156-4.3.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC05NDEsMTAgKzk0MSwxMSBA
QCBzdGF0aWMgdm9pZCBzdm1fZG9fcmVzdW1lKHN0cnVjdCB2Y3B1ICp2CiAg
ICAgICAgIHVubGlrZWx5KHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVf
bGF0Y2ggIT0gZGVidWdfc3RhdGUpICkKICAgICB7CiAgICAgICAgIHVpbnQz
Ml90IGludGVyY2VwdHMgPSB2bWNiX2dldF9leGNlcHRpb25faW50ZXJjZXB0
cyh2bWNiKTsKLSAgICAgICAgdWludDMyX3QgbWFzayA9ICgxVSA8PCBUUkFQ
X2RlYnVnKSB8ICgxVSA8PCBUUkFQX2ludDMpOworCiAgICAgICAgIHYtPmFy
Y2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggPSBkZWJ1Z19zdGF0ZTsK
ICAgICAgICAgdm1jYl9zZXRfZXhjZXB0aW9uX2ludGVyY2VwdHMoCi0gICAg
ICAgICAgICB2bWNiLCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgbWFz
aykgOiAoaW50ZXJjZXB0cyAmIH5tYXNrKSk7CisgICAgICAgICAgICB2bWNi
LCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgKDFVIDw8IFRSQVBfaW50
MykpCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA6IChpbnRlcmNl
cHRzICYgfigxVSA8PCBUUkFQX2ludDMpKSk7CiAgICAgfQogCiAgICAgaWYg
KCB2LT5hcmNoLmh2bV9zdm0ubGF1bmNoX2NvcmUgIT0gc21wX3Byb2Nlc3Nv
cl9pZCgpICkKQEAgLTIyMjMsOCArMjIyNCw5IEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KIAogICAgIGNhc2UgVk1FWElU
X0VYQ0VQVElPTl9EQjoKICAgICAgICAgaWYgKCAhdi0+ZG9tYWluLT5kZWJ1
Z2dlcl9hdHRhY2hlZCApCi0gICAgICAgICAgICBnb3RvIHVuZXhwZWN0ZWRf
ZXhpdF90eXBlOwotICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQ
X2RlYnVnLCBIVk1fREVMSVZFUl9OT19FUlJPUl9DT0RFKTsKKyAgICAgICAg
ZWxzZQorICAgICAgICAgICAgZG9tYWluX3BhdXNlX2Zvcl9kZWJ1Z2dlcigp
OwogICAgICAgICBicmVhazsKIAogICAgIGNhc2UgVk1FWElUX0VYQ0VQVElP
Tl9CUDoKQEAgLTIyNzIsNiArMjI3NCwxMSBAQCB2b2lkIHN2bV92bWV4aXRf
aGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAgICAgICAgIGJyZWFrOwogICAg
IH0KIAorICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9BQzoKKyAgICAgICAg
SFZNVFJBQ0VfMUQoVFJBUCwgVFJBUF9hbGlnbm1lbnRfY2hlY2spOworICAg
ICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQX2FsaWdubWVudF9j
aGVjaywgdm1jYi0+ZXhpdGluZm8xKTsKKyAgICAgICAgYnJlYWs7CisKICAg
ICBjYXNlIFZNRVhJVF9FWENFUFRJT05fVUQ6CiAgICAgICAgIHN2bV92bWV4
aXRfdWRfaW50ZXJjZXB0KHJlZ3MpOwogICAgICAgICBicmVhazsKLS0tIGEv
eGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gveDg2
L2h2bS92bXgvdm14LmMKQEAgLTExMjIsMTggKzExMjIsMTIgQEAgc3RhdGlj
IHZvaWQgdm14X3VwZGF0ZV9ob3N0X2NyMyhzdHJ1Y3QgdgogCiB2b2lkIHZt
eF91cGRhdGVfZGVidWdfc3RhdGUoc3RydWN0IHZjcHUgKnYpCiB7Ci0gICAg
dW5zaWduZWQgbG9uZyBtYXNrOwotCiAgICAgQVNTRVJUKHYgPT0gY3VycmVu
dCk7CiAKLSAgICBtYXNrID0gMXUgPDwgVFJBUF9pbnQzOwotICAgIGlmICgg
IWNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcgKQotICAgICAgICBtYXNrIHw9
IDF1IDw8IFRSQVBfZGVidWc7Ci0KICAgICBpZiAoIHYtPmFyY2guaHZtX3Zj
cHUuZGVidWdfc3RhdGVfbGF0Y2ggKQotICAgICAgICB2LT5hcmNoLmh2bV92
bXguZXhjZXB0aW9uX2JpdG1hcCB8PSBtYXNrOworICAgICAgICB2LT5hcmNo
Lmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8PSAxVSA8PCBUUkFQX2ludDM7
CiAgICAgZWxzZQotICAgICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9u
X2JpdG1hcCAmPSB+bWFzazsKKyAgICAgICAgdi0+YXJjaC5odm1fdm14LmV4
Y2VwdGlvbl9iaXRtYXAgJj0gfigxVSA8PCBUUkFQX2ludDMpOwogICAgIHZt
eF91cGRhdGVfZXhjZXB0aW9uX2JpdG1hcCh2KTsKIH0KIApAQCAtMjYxNiw5
ICsyNjEwLDEwIEBAIHZvaWQgdm14X3ZtZXhpdF9oYW5kbGVyKHN0cnVjdCBj
cHVfdXNlcl8KICAgICAgICAgICAgIGV4aXRfcXVhbGlmaWNhdGlvbiA9IF9f
dm1yZWFkKEVYSVRfUVVBTElGSUNBVElPTik7CiAgICAgICAgICAgICBIVk1U
UkFDRV8xRChUUkFQX0RFQlVHLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAg
ICAgICAgICAgd3JpdGVfZGVidWdyZWcoNiwgZXhpdF9xdWFsaWZpY2F0aW9u
IHwgMHhmZmZmMGZmMCk7Ci0gICAgICAgICAgICBpZiAoICF2LT5kb21haW4t
PmRlYnVnZ2VyX2F0dGFjaGVkIHx8IGNwdV9oYXNfbW9uaXRvcl90cmFwX2Zs
YWcgKQotICAgICAgICAgICAgICAgIGdvdG8gZXhpdF9hbmRfY3Jhc2g7Ci0g
ICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7CisgICAg
ICAgICAgICBpZiAoICF2LT5kb21haW4tPmRlYnVnZ2VyX2F0dGFjaGVkICkK
KyAgICAgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0
b3IsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAgICAgICAg
ZWxzZQorICAgICAgICAgICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdn
ZXIoKTsKICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRSQVBf
aW50MzogCiAgICAgICAgIHsKQEAgLTI2NzksNiArMjY3NCwxMSBAQCB2b2lk
IHZteF92bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAKICAgICAg
ICAgICAgIGh2bV9pbmplY3RfcGFnZV9mYXVsdChyZWdzLT5lcnJvcl9jb2Rl
LCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgYnJlYWs7Cisg
ICAgICAgIGNhc2UgVFJBUF9hbGlnbm1lbnRfY2hlY2s6CisgICAgICAgICAg
ICBIVk1UUkFDRV8xRChUUkFQLCB2ZWN0b3IpOworICAgICAgICAgICAgaHZt
X2luamVjdF9od19leGNlcHRpb24odmVjdG9yLAorICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgX192bXJlYWQoVk1fRVhJVF9JTlRSX0VS
Uk9SX0NPREUpKTsKKyAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNl
IFRSQVBfbm1pOgogICAgICAgICAgICAgaWYgKCAoaW50cl9pbmZvICYgSU5U
Ul9JTkZPX0lOVFJfVFlQRV9NQVNLKSAhPQogICAgICAgICAgICAgICAgICAo
WDg2X0VWRU5UVFlQRV9OTUkgPDwgOCkgKQotLS0gYS94ZW4vaW5jbHVkZS9h
c20teDg2L2h2bS9odm0uaAorKysgYi94ZW4vaW5jbHVkZS9hc20teDg2L2h2
bS9odm0uaApAQCAtMzg5LDcgKzM4OSwxMCBAQCBzdGF0aWMgaW5saW5lIGJv
b2xfdCBodm1fdmNwdV9oYXNfc21lcCh2CiB9KQogCiAvKiBUaGVzZSBleGNl
cHRpb25zIG11c3QgYWx3YXlzIGJlIGludGVyY2VwdGVkLiAqLwotI2RlZmlu
ZSBIVk1fVFJBUF9NQVNLICgoMVUgPDwgVFJBUF9tYWNoaW5lX2NoZWNrKSB8
ICgxVSA8PCBUUkFQX2ludmFsaWRfb3ApKQorI2RlZmluZSBIVk1fVFJBUF9N
QVNLICgoMVUgPDwgVFJBUF9kZWJ1ZykgICAgICAgICAgIHwgXAorICAgICAg
ICAgICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9pbnZhbGlkX29wKSAgICAg
IHwgXAorICAgICAgICAgICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9hbGln
bm1lbnRfY2hlY2spIHwgXAorICAgICAgICAgICAgICAgICAgICAgICAoMVUg
PDwgVFJBUF9tYWNoaW5lX2NoZWNrKSkKIAogLyoKICAqIHg4NiBldmVudCB0
eXBlcy4gVGhpcyBlbnVtZXJhdGlvbiBpcyB2YWxpZCBmb3I6Cg==

--=separator
Content-Type: application/octet-stream; name="xsa156-4.4.patch"
Content-Disposition: attachment; filename="xsa156-4.4.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC05NDEsMTAgKzk0MSwxMSBA
QCBzdGF0aWMgdm9pZCBub3JldHVybiBzdm1fZG9fcmVzdW1lKHN0cnVjCiAg
ICAgICAgIHVubGlrZWx5KHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVf
bGF0Y2ggIT0gZGVidWdfc3RhdGUpICkKICAgICB7CiAgICAgICAgIHVpbnQz
Ml90IGludGVyY2VwdHMgPSB2bWNiX2dldF9leGNlcHRpb25faW50ZXJjZXB0
cyh2bWNiKTsKLSAgICAgICAgdWludDMyX3QgbWFzayA9ICgxVSA8PCBUUkFQ
X2RlYnVnKSB8ICgxVSA8PCBUUkFQX2ludDMpOworCiAgICAgICAgIHYtPmFy
Y2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggPSBkZWJ1Z19zdGF0ZTsK
ICAgICAgICAgdm1jYl9zZXRfZXhjZXB0aW9uX2ludGVyY2VwdHMoCi0gICAg
ICAgICAgICB2bWNiLCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgbWFz
aykgOiAoaW50ZXJjZXB0cyAmIH5tYXNrKSk7CisgICAgICAgICAgICB2bWNi
LCBkZWJ1Z19zdGF0ZSA/IChpbnRlcmNlcHRzIHwgKDFVIDw8IFRSQVBfaW50
MykpCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA6IChpbnRlcmNl
cHRzICYgfigxVSA8PCBUUkFQX2ludDMpKSk7CiAgICAgfQogCiAgICAgaWYg
KCB2LT5hcmNoLmh2bV9zdm0ubGF1bmNoX2NvcmUgIT0gc21wX3Byb2Nlc3Nv
cl9pZCgpICkKQEAgLTIyMjUsOCArMjIyNiw5IEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KIAogICAgIGNhc2UgVk1FWElU
X0VYQ0VQVElPTl9EQjoKICAgICAgICAgaWYgKCAhdi0+ZG9tYWluLT5kZWJ1
Z2dlcl9hdHRhY2hlZCApCi0gICAgICAgICAgICBnb3RvIHVuZXhwZWN0ZWRf
ZXhpdF90eXBlOwotICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQ
X2RlYnVnLCBIVk1fREVMSVZFUl9OT19FUlJPUl9DT0RFKTsKKyAgICAgICAg
ZWxzZQorICAgICAgICAgICAgZG9tYWluX3BhdXNlX2Zvcl9kZWJ1Z2dlcigp
OwogICAgICAgICBicmVhazsKIAogICAgIGNhc2UgVk1FWElUX0VYQ0VQVElP
Tl9CUDoKQEAgLTIyNzQsNiArMjI3NiwxMSBAQCB2b2lkIHN2bV92bWV4aXRf
aGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAgICAgICAgIGJyZWFrOwogICAg
IH0KIAorICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9BQzoKKyAgICAgICAg
SFZNVFJBQ0VfMUQoVFJBUCwgVFJBUF9hbGlnbm1lbnRfY2hlY2spOworICAg
ICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQX2FsaWdubWVudF9j
aGVjaywgdm1jYi0+ZXhpdGluZm8xKTsKKyAgICAgICAgYnJlYWs7CisKICAg
ICBjYXNlIFZNRVhJVF9FWENFUFRJT05fVUQ6CiAgICAgICAgIHN2bV92bWV4
aXRfdWRfaW50ZXJjZXB0KHJlZ3MpOwogICAgICAgICBicmVhazsKLS0tIGEv
eGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gveDg2
L2h2bS92bXgvdm14LmMKQEAgLTExMzIsMTYgKzExMzIsMTAgQEAgc3RhdGlj
IHZvaWQgdm14X3VwZGF0ZV9ob3N0X2NyMyhzdHJ1Y3QgdgogCiB2b2lkIHZt
eF91cGRhdGVfZGVidWdfc3RhdGUoc3RydWN0IHZjcHUgKnYpCiB7Ci0gICAg
dW5zaWduZWQgbG9uZyBtYXNrOwotCi0gICAgbWFzayA9IDF1IDw8IFRSQVBf
aW50MzsKLSAgICBpZiAoICFjcHVfaGFzX21vbml0b3JfdHJhcF9mbGFnICkK
LSAgICAgICAgbWFzayB8PSAxdSA8PCBUUkFQX2RlYnVnOwotCiAgICAgaWYg
KCB2LT5hcmNoLmh2bV92Y3B1LmRlYnVnX3N0YXRlX2xhdGNoICkKLSAgICAg
ICAgdi0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgfD0gbWFzazsK
KyAgICAgICAgdi0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgfD0g
MVUgPDwgVFJBUF9pbnQzOwogICAgIGVsc2UKLSAgICAgICAgdi0+YXJjaC5o
dm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgJj0gfm1hc2s7CisgICAgICAgIHYt
PmFyY2guaHZtX3ZteC5leGNlcHRpb25fYml0bWFwICY9IH4oMVUgPDwgVFJB
UF9pbnQzKTsKIAogICAgIHZteF92bWNzX2VudGVyKHYpOwogICAgIHZteF91
cGRhdGVfZXhjZXB0aW9uX2JpdG1hcCh2KTsKQEAgLTI2NzgsOSArMjY3Miwx
MCBAQCB2b2lkIHZteF92bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJf
CiAgICAgICAgICAgICBfX3ZtcmVhZChFWElUX1FVQUxJRklDQVRJT04sICZl
eGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgSFZNVFJBQ0VfMUQo
VFJBUF9ERUJVRywgZXhpdF9xdWFsaWZpY2F0aW9uKTsKICAgICAgICAgICAg
IHdyaXRlX2RlYnVncmVnKDYsIGV4aXRfcXVhbGlmaWNhdGlvbiB8IDB4ZmZm
ZjBmZjApOwotICAgICAgICAgICAgaWYgKCAhdi0+ZG9tYWluLT5kZWJ1Z2dl
cl9hdHRhY2hlZCB8fCBjcHVfaGFzX21vbml0b3JfdHJhcF9mbGFnICkKLSAg
ICAgICAgICAgICAgICBnb3RvIGV4aXRfYW5kX2NyYXNoOwotICAgICAgICAg
ICAgZG9tYWluX3BhdXNlX2Zvcl9kZWJ1Z2dlcigpOworICAgICAgICAgICAg
aWYgKCAhdi0+ZG9tYWluLT5kZWJ1Z2dlcl9hdHRhY2hlZCApCisgICAgICAg
ICAgICAgICAgaHZtX2luamVjdF9od19leGNlcHRpb24odmVjdG9yLCBIVk1f
REVMSVZFUl9OT19FUlJPUl9DT0RFKTsKKyAgICAgICAgICAgIGVsc2UKKyAg
ICAgICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7CiAg
ICAgICAgICAgICBicmVhazsKICAgICAgICAgY2FzZSBUUkFQX2ludDM6IAog
ICAgICAgICB7CkBAIC0yNzQ1LDYgKzI3NDAsMTEgQEAgdm9pZCB2bXhfdm1l
eGl0X2hhbmRsZXIoc3RydWN0IGNwdV91c2VyXwogCiAgICAgICAgICAgICBo
dm1faW5qZWN0X3BhZ2VfZmF1bHQocmVncy0+ZXJyb3JfY29kZSwgZXhpdF9x
dWFsaWZpY2F0aW9uKTsKICAgICAgICAgICAgIGJyZWFrOworICAgICAgICBj
YXNlIFRSQVBfYWxpZ25tZW50X2NoZWNrOgorICAgICAgICAgICAgSFZNVFJB
Q0VfMUQoVFJBUCwgdmVjdG9yKTsKKyAgICAgICAgICAgIF9fdm1yZWFkKFZN
X0VYSVRfSU5UUl9FUlJPUl9DT0RFLCAmZWNvZGUpOworICAgICAgICAgICAg
aHZtX2luamVjdF9od19leGNlcHRpb24odmVjdG9yLCBlY29kZSk7CisgICAg
ICAgICAgICBicmVhazsKICAgICAgICAgY2FzZSBUUkFQX25taToKICAgICAg
ICAgICAgIGlmICggKGludHJfaW5mbyAmIElOVFJfSU5GT19JTlRSX1RZUEVf
TUFTSykgIT0KICAgICAgICAgICAgICAgICAgKFg4Nl9FVkVOVFRZUEVfTk1J
IDw8IDgpICkKLS0tIGEveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vaHZtLmgK
KysrIGIveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vaHZtLmgKQEAgLTM5Myw3
ICszOTMsMTAgQEAgc3RhdGljIGlubGluZSBpbnQgaHZtX2V2ZW50X3BlbmRp
bmcoc3RydQogfSkKIAogLyogVGhlc2UgZXhjZXB0aW9ucyBtdXN0IGFsd2F5
cyBiZSBpbnRlcmNlcHRlZC4gKi8KLSNkZWZpbmUgSFZNX1RSQVBfTUFTSyAo
KDFVIDw8IFRSQVBfbWFjaGluZV9jaGVjaykgfCAoMVUgPDwgVFJBUF9pbnZh
bGlkX29wKSkKKyNkZWZpbmUgSFZNX1RSQVBfTUFTSyAoKDFVIDw8IFRSQVBf
ZGVidWcpICAgICAgICAgICB8IFwKKyAgICAgICAgICAgICAgICAgICAgICAg
KDFVIDw8IFRSQVBfaW52YWxpZF9vcCkgICAgICB8IFwKKyAgICAgICAgICAg
ICAgICAgICAgICAgKDFVIDw8IFRSQVBfYWxpZ25tZW50X2NoZWNrKSB8IFwK
KyAgICAgICAgICAgICAgICAgICAgICAgKDFVIDw8IFRSQVBfbWFjaGluZV9j
aGVjaykpCiAKIC8qCiAgKiB4ODYgZXZlbnQgdHlwZXMuIFRoaXMgZW51bWVy
YXRpb24gaXMgdmFsaWQgZm9yOgo=

--=separator
Content-Type: application/octet-stream; name="xsa156-4.5.patch"
Content-Disposition: attachment; filename="xsa156-4.5.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC0xMDQ1LDEwICsxMDQ1LDEx
IEBAIHN0YXRpYyB2b2lkIG5vcmV0dXJuIHN2bV9kb19yZXN1bWUoc3RydWMK
ICAgICAgICAgdW5saWtlbHkodi0+YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0
ZV9sYXRjaCAhPSBkZWJ1Z19zdGF0ZSkgKQogICAgIHsKICAgICAgICAgdWlu
dDMyX3QgaW50ZXJjZXB0cyA9IHZtY2JfZ2V0X2V4Y2VwdGlvbl9pbnRlcmNl
cHRzKHZtY2IpOwotICAgICAgICB1aW50MzJfdCBtYXNrID0gKDFVIDw8IFRS
QVBfZGVidWcpIHwgKDFVIDw8IFRSQVBfaW50Myk7CisKICAgICAgICAgdi0+
YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0ZV9sYXRjaCA9IGRlYnVnX3N0YXRl
OwogICAgICAgICB2bWNiX3NldF9leGNlcHRpb25faW50ZXJjZXB0cygKLSAg
ICAgICAgICAgIHZtY2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCBt
YXNrKSA6IChpbnRlcmNlcHRzICYgfm1hc2spKTsKKyAgICAgICAgICAgIHZt
Y2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCAoMVUgPDwgVFJBUF9p
bnQzKSkKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDogKGludGVy
Y2VwdHMgJiB+KDFVIDw8IFRSQVBfaW50MykpKTsKICAgICB9CiAKICAgICBp
ZiAoIHYtPmFyY2guaHZtX3N2bS5sYXVuY2hfY29yZSAhPSBzbXBfcHJvY2Vz
c29yX2lkKCkgKQpAQCAtMjQzNSw4ICsyNDM2LDkgQEAgdm9pZCBzdm1fdm1l
eGl0X2hhbmRsZXIoc3RydWN0IGNwdV91c2VyXwogCiAgICAgY2FzZSBWTUVY
SVRfRVhDRVBUSU9OX0RCOgogICAgICAgICBpZiAoICF2LT5kb21haW4tPmRl
YnVnZ2VyX2F0dGFjaGVkICkKLSAgICAgICAgICAgIGdvdG8gdW5leHBlY3Rl
ZF9leGl0X3R5cGU7Ci0gICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdn
ZXIoKTsKKyAgICAgICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRS
QVBfZGVidWcsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAg
ICBlbHNlCisgICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CiAgICAgICAgIGJyZWFrOwogCiAgICAgY2FzZSBWTUVYSVRfRVhDRVBU
SU9OX0JQOgpAQCAtMjQ4NCw2ICsyNDg2LDExIEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KICAgICAgICAgYnJlYWs7CiAg
ICAgfQogCisgICAgY2FzZSBWTUVYSVRfRVhDRVBUSU9OX0FDOgorICAgICAg
ICBIVk1UUkFDRV8xRChUUkFQLCBUUkFQX2FsaWdubWVudF9jaGVjayk7Cisg
ICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRSQVBfYWxpZ25tZW50
X2NoZWNrLCB2bWNiLT5leGl0aW5mbzEpOworICAgICAgICBicmVhazsKKwog
ICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9VRDoKICAgICAgICAgc3ZtX3Zt
ZXhpdF91ZF9pbnRlcmNlcHQocmVncyk7CiAgICAgICAgIGJyZWFrOwotLS0g
YS94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXguYworKysgYi94ZW4vYXJjaC94
ODYvaHZtL3ZteC92bXguYwpAQCAtMTE4NiwxNiArMTE4NiwxMCBAQCBzdGF0
aWMgdm9pZCB2bXhfdXBkYXRlX2hvc3RfY3IzKHN0cnVjdCB2CiAKIHZvaWQg
dm14X3VwZGF0ZV9kZWJ1Z19zdGF0ZShzdHJ1Y3QgdmNwdSAqdikKIHsKLSAg
ICB1bnNpZ25lZCBsb25nIG1hc2s7Ci0KLSAgICBtYXNrID0gMXUgPDwgVFJB
UF9pbnQzOwotICAgIGlmICggIWNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcg
KQotICAgICAgICBtYXNrIHw9IDF1IDw8IFRSQVBfZGVidWc7Ci0KICAgICBp
ZiAoIHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggKQotICAg
ICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8PSBtYXNr
OworICAgICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8
PSAxVSA8PCBUUkFQX2ludDM7CiAgICAgZWxzZQotICAgICAgICB2LT5hcmNo
Lmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCAmPSB+bWFzazsKKyAgICAgICAg
di0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgJj0gfigxVSA8PCBU
UkFQX2ludDMpOwogCiAgICAgdm14X3ZtY3NfZW50ZXIodik7CiAgICAgdm14
X3VwZGF0ZV9leGNlcHRpb25fYml0bWFwKHYpOwpAQCAtMjgwMSw5ICsyNzk1
LDEwIEBAIHZvaWQgdm14X3ZtZXhpdF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNl
cl8KICAgICAgICAgICAgIF9fdm1yZWFkKEVYSVRfUVVBTElGSUNBVElPTiwg
JmV4aXRfcXVhbGlmaWNhdGlvbik7CiAgICAgICAgICAgICBIVk1UUkFDRV8x
RChUUkFQX0RFQlVHLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAg
ICAgd3JpdGVfZGVidWdyZWcoNiwgZXhpdF9xdWFsaWZpY2F0aW9uIHwgMHhm
ZmZmMGZmMCk7Ci0gICAgICAgICAgICBpZiAoICF2LT5kb21haW4tPmRlYnVn
Z2VyX2F0dGFjaGVkIHx8IGNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcgKQot
ICAgICAgICAgICAgICAgIGdvdG8gZXhpdF9hbmRfY3Jhc2g7Ci0gICAgICAg
ICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7CisgICAgICAgICAg
ICBpZiAoICF2LT5kb21haW4tPmRlYnVnZ2VyX2F0dGFjaGVkICkKKyAgICAg
ICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0b3IsIEhW
TV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAgICAgICAgZWxzZQor
ICAgICAgICAgICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdnZXIoKTsK
ICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRSQVBfaW50Mzog
CiAgICAgICAgIHsKQEAgLTI4NjgsNiArMjg2MywxMSBAQCB2b2lkIHZteF92
bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAKICAgICAgICAgICAg
IGh2bV9pbmplY3RfcGFnZV9mYXVsdChyZWdzLT5lcnJvcl9jb2RlLCBleGl0
X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgYnJlYWs7CisgICAgICAg
IGNhc2UgVFJBUF9hbGlnbm1lbnRfY2hlY2s6CisgICAgICAgICAgICBIVk1U
UkFDRV8xRChUUkFQLCB2ZWN0b3IpOworICAgICAgICAgICAgX192bXJlYWQo
Vk1fRVhJVF9JTlRSX0VSUk9SX0NPREUsICZlY29kZSk7CisgICAgICAgICAg
ICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0b3IsIGVjb2RlKTsKKyAg
ICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRSQVBfbm1pOgogICAg
ICAgICAgICAgaWYgKCAoaW50cl9pbmZvICYgSU5UUl9JTkZPX0lOVFJfVFlQ
RV9NQVNLKSAhPQogICAgICAgICAgICAgICAgICAoWDg2X0VWRU5UVFlQRV9O
TUkgPDwgOCkgKQotLS0gYS94ZW4vaW5jbHVkZS9hc20teDg2L2h2bS9odm0u
aAorKysgYi94ZW4vaW5jbHVkZS9hc20teDg2L2h2bS9odm0uaApAQCAtMzc4
LDcgKzM3OCwxMCBAQCBzdGF0aWMgaW5saW5lIGludCBodm1fZXZlbnRfcGVu
ZGluZyhzdHJ1CiAgICAgKFg4Nl9DUjRfVk1YRSB8IFg4Nl9DUjRfUEFFIHwg
WDg2X0NSNF9NQ0UpKQogCiAvKiBUaGVzZSBleGNlcHRpb25zIG11c3QgYWx3
YXlzIGJlIGludGVyY2VwdGVkLiAqLwotI2RlZmluZSBIVk1fVFJBUF9NQVNL
ICgoMVUgPDwgVFJBUF9tYWNoaW5lX2NoZWNrKSB8ICgxVSA8PCBUUkFQX2lu
dmFsaWRfb3ApKQorI2RlZmluZSBIVk1fVFJBUF9NQVNLICgoMVUgPDwgVFJB
UF9kZWJ1ZykgICAgICAgICAgIHwgXAorICAgICAgICAgICAgICAgICAgICAg
ICAoMVUgPDwgVFJBUF9pbnZhbGlkX29wKSAgICAgIHwgXAorICAgICAgICAg
ICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9hbGlnbm1lbnRfY2hlY2spIHwg
XAorICAgICAgICAgICAgICAgICAgICAgICAoMVUgPDwgVFJBUF9tYWNoaW5l
X2NoZWNrKSkKIAogLyoKICAqIHg4NiBldmVudCB0eXBlcy4gVGhpcyBlbnVt
ZXJhdGlvbiBpcyB2YWxpZCBmb3I6Cg==

--=separator
Content-Type: application/octet-stream; name="xsa156.patch"
Content-Disposition: attachment; filename="xsa156.patch"
Content-Transfer-Encoding: base64

eDg2L0hWTTogYWx3YXlzIGludGVyY2VwdCAjQUMgYW5kICNEQgoKQm90aCBi
ZWluZyBiZW5pZ24gZXhjZXB0aW9ucywgYW5kIGJvdGggYmVpbmcgcG9zc2li
bGUgdG8gZ2V0IHRyaWdnZXJlZApieSBleGNlcHRpb24gZGVsaXZlcnksIHRo
aXMgaXMgcmVxdWlyZWQgdG8gcHJldmVudCBhIGd1ZXN0IGZyb20gbG9ja2lu
Zwp1cCBhIENQVSAocmVzdWx0aW5nIGZyb20gbm8gb3RoZXIgVk0gZXhpdHMg
b2NjdXJyaW5nIG9uY2UgZ2V0dGluZyBpbnRvCnN1Y2ggYSBsb29wKS4KClRo
ZSBzcGVjaWZpYyBzY2VuYXJpb3M6CgoxKSAjQUMgbWF5IGJlIHJhaXNlZCBk
dXJpbmcgZXhjZXB0aW9uIGRlbGl2ZXJ5IGlmIHRoZSBoYW5kbGVyIGlzIHNl
dCB0bwpiZSBhIHJpbmctMyBvbmUgYnkgYSAzMi1iaXQgZ3Vlc3QsIGFuZCB0
aGUgc3RhY2sgaXMgbWlzYWxpZ25lZC4KCjIpICNEQiBtYXkgYmUgcmFpc2Vk
IGR1cmluZyBleGNlcHRpb24gZGVsaXZlcnkgd2hlbiBhIGJyZWFrcG9pbnQg
Z290CnBsYWNlZCBvbiBhIGRhdGEgc3RydWN0dXJlIGludm9sdmVkIGluIGRl
bGl2ZXJpbmcgdGhlIGV4Y2VwdGlvbi4gVGhpcwpjYW4gcmVzdWx0IGluIGFu
IGVuZGxlc3MgbG9vcCB3aGVuIGEgNjQtYml0IGd1ZXN0IHVzZXMgYSBub24t
emVybyBJU1QKZm9yIHRoZSB2ZWN0b3IgMSBJRFQgZW50cnksIGJ1dCBldmVu
IHdpdGhvdXQgdXNlIG9mIElTVCB0aGUgdGltZSBpdAp0YWtlcyB1bnRpbCBh
IGNvbnRyaWJ1dG9yeSBmYXVsdCB3b3VsZCBnZXQgcmFpc2VkIChyZXN1bHRz
IGRlcGVuZGluZwpvbiB0aGUgaGFuZGxlcikgbWF5IGJlIHF1aXRlIGxvbmcu
CgpUaGlzIGlzIFhTQS0xNTYuCgpSZXBvcnRlZC1ieTogQmVuamFtaW4gU2Vy
ZWJyaW4gPHNlcmVicmluQGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFu
ZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClRlc3Rl
ZC1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hl
bi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jCkBAIC0xMDQzLDEwICsxMDQzLDEx
IEBAIHN0YXRpYyB2b2lkIG5vcmV0dXJuIHN2bV9kb19yZXN1bWUoc3RydWMK
ICAgICAgICAgdW5saWtlbHkodi0+YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0
ZV9sYXRjaCAhPSBkZWJ1Z19zdGF0ZSkgKQogICAgIHsKICAgICAgICAgdWlu
dDMyX3QgaW50ZXJjZXB0cyA9IHZtY2JfZ2V0X2V4Y2VwdGlvbl9pbnRlcmNl
cHRzKHZtY2IpOwotICAgICAgICB1aW50MzJfdCBtYXNrID0gKDFVIDw8IFRS
QVBfZGVidWcpIHwgKDFVIDw8IFRSQVBfaW50Myk7CisKICAgICAgICAgdi0+
YXJjaC5odm1fdmNwdS5kZWJ1Z19zdGF0ZV9sYXRjaCA9IGRlYnVnX3N0YXRl
OwogICAgICAgICB2bWNiX3NldF9leGNlcHRpb25faW50ZXJjZXB0cygKLSAg
ICAgICAgICAgIHZtY2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCBt
YXNrKSA6IChpbnRlcmNlcHRzICYgfm1hc2spKTsKKyAgICAgICAgICAgIHZt
Y2IsIGRlYnVnX3N0YXRlID8gKGludGVyY2VwdHMgfCAoMVUgPDwgVFJBUF9p
bnQzKSkKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDogKGludGVy
Y2VwdHMgJiB+KDFVIDw8IFRSQVBfaW50MykpKTsKICAgICB9CiAKICAgICBp
ZiAoIHYtPmFyY2guaHZtX3N2bS5sYXVuY2hfY29yZSAhPSBzbXBfcHJvY2Vz
c29yX2lkKCkgKQpAQCAtMjQzNCw4ICsyNDM1LDkgQEAgdm9pZCBzdm1fdm1l
eGl0X2hhbmRsZXIoc3RydWN0IGNwdV91c2VyXwogCiAgICAgY2FzZSBWTUVY
SVRfRVhDRVBUSU9OX0RCOgogICAgICAgICBpZiAoICF2LT5kb21haW4tPmRl
YnVnZ2VyX2F0dGFjaGVkICkKLSAgICAgICAgICAgIGdvdG8gdW5leHBlY3Rl
ZF9leGl0X3R5cGU7Ci0gICAgICAgIGRvbWFpbl9wYXVzZV9mb3JfZGVidWdn
ZXIoKTsKKyAgICAgICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRS
QVBfZGVidWcsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAg
ICBlbHNlCisgICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2Vy
KCk7CiAgICAgICAgIGJyZWFrOwogCiAgICAgY2FzZSBWTUVYSVRfRVhDRVBU
SU9OX0JQOgpAQCAtMjQ4Myw2ICsyNDg1LDExIEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KICAgICAgICAgYnJlYWs7CiAg
ICAgfQogCisgICAgY2FzZSBWTUVYSVRfRVhDRVBUSU9OX0FDOgorICAgICAg
ICBIVk1UUkFDRV8xRChUUkFQLCBUUkFQX2FsaWdubWVudF9jaGVjayk7Cisg
ICAgICAgIGh2bV9pbmplY3RfaHdfZXhjZXB0aW9uKFRSQVBfYWxpZ25tZW50
X2NoZWNrLCB2bWNiLT5leGl0aW5mbzEpOworICAgICAgICBicmVhazsKKwog
ICAgIGNhc2UgVk1FWElUX0VYQ0VQVElPTl9VRDoKICAgICAgICAgc3ZtX3Zt
ZXhpdF91ZF9pbnRlcmNlcHQocmVncyk7CiAgICAgICAgIGJyZWFrOwotLS0g
YS94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXguYworKysgYi94ZW4vYXJjaC94
ODYvaHZtL3ZteC92bXguYwpAQCAtMTIyNCwxNiArMTIyNCwxMCBAQCBzdGF0
aWMgdm9pZCB2bXhfdXBkYXRlX2hvc3RfY3IzKHN0cnVjdCB2CiAKIHZvaWQg
dm14X3VwZGF0ZV9kZWJ1Z19zdGF0ZShzdHJ1Y3QgdmNwdSAqdikKIHsKLSAg
ICB1bnNpZ25lZCBsb25nIG1hc2s7Ci0KLSAgICBtYXNrID0gMXUgPDwgVFJB
UF9pbnQzOwotICAgIGlmICggIWNwdV9oYXNfbW9uaXRvcl90cmFwX2ZsYWcg
KQotICAgICAgICBtYXNrIHw9IDF1IDw8IFRSQVBfZGVidWc7Ci0KICAgICBp
ZiAoIHYtPmFyY2guaHZtX3ZjcHUuZGVidWdfc3RhdGVfbGF0Y2ggKQotICAg
ICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8PSBtYXNr
OworICAgICAgICB2LT5hcmNoLmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCB8
PSAxVSA8PCBUUkFQX2ludDM7CiAgICAgZWxzZQotICAgICAgICB2LT5hcmNo
Lmh2bV92bXguZXhjZXB0aW9uX2JpdG1hcCAmPSB+bWFzazsKKyAgICAgICAg
di0+YXJjaC5odm1fdm14LmV4Y2VwdGlvbl9iaXRtYXAgJj0gfigxVSA8PCBU
UkFQX2ludDMpOwogCiAgICAgdm14X3ZtY3NfZW50ZXIodik7CiAgICAgdm14
X3VwZGF0ZV9leGNlcHRpb25fYml0bWFwKHYpOwpAQCAtMzA2MCw5ICszMDU0
LDEwIEBAIHZvaWQgdm14X3ZtZXhpdF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNl
cl8KICAgICAgICAgICAgIF9fdm1yZWFkKEVYSVRfUVVBTElGSUNBVElPTiwg
JmV4aXRfcXVhbGlmaWNhdGlvbik7CiAgICAgICAgICAgICBIVk1UUkFDRV8x
RChUUkFQX0RFQlVHLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAg
ICAgd3JpdGVfZGVidWdyZWcoNiwgZXhpdF9xdWFsaWZpY2F0aW9uIHwgRFJf
U1RBVFVTX1JFU0VSVkVEX09ORSk7Ci0gICAgICAgICAgICBpZiAoICF2LT5k
b21haW4tPmRlYnVnZ2VyX2F0dGFjaGVkIHx8IGNwdV9oYXNfbW9uaXRvcl90
cmFwX2ZsYWcgKQotICAgICAgICAgICAgICAgIGdvdG8gZXhpdF9hbmRfY3Jh
c2g7Ci0gICAgICAgICAgICBkb21haW5fcGF1c2VfZm9yX2RlYnVnZ2VyKCk7
CisgICAgICAgICAgICBpZiAoICF2LT5kb21haW4tPmRlYnVnZ2VyX2F0dGFj
aGVkICkKKyAgICAgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlv
bih2ZWN0b3IsIEhWTV9ERUxJVkVSX05PX0VSUk9SX0NPREUpOworICAgICAg
ICAgICAgZWxzZQorICAgICAgICAgICAgICAgIGRvbWFpbl9wYXVzZV9mb3Jf
ZGVidWdnZXIoKTsKICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNl
IFRSQVBfaW50MzogCiAgICAgICAgIHsKQEAgLTMxMjcsNiArMzEyMiwxMSBA
QCB2b2lkIHZteF92bWV4aXRfaGFuZGxlcihzdHJ1Y3QgY3B1X3VzZXJfCiAK
ICAgICAgICAgICAgIGh2bV9pbmplY3RfcGFnZV9mYXVsdChyZWdzLT5lcnJv
cl9jb2RlLCBleGl0X3F1YWxpZmljYXRpb24pOwogICAgICAgICAgICAgYnJl
YWs7CisgICAgICAgIGNhc2UgVFJBUF9hbGlnbm1lbnRfY2hlY2s6CisgICAg
ICAgICAgICBIVk1UUkFDRV8xRChUUkFQLCB2ZWN0b3IpOworICAgICAgICAg
ICAgX192bXJlYWQoVk1fRVhJVF9JTlRSX0VSUk9SX0NPREUsICZlY29kZSk7
CisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbih2ZWN0b3Is
IGVjb2RlKTsKKyAgICAgICAgICAgIGJyZWFrOwogICAgICAgICBjYXNlIFRS
QVBfbm1pOgogICAgICAgICAgICAgaWYgKCBNQVNLX0VYVFIoaW50cl9pbmZv
LCBJTlRSX0lORk9fSU5UUl9UWVBFX01BU0spICE9CiAgICAgICAgICAgICAg
ICAgIFg4Nl9FVkVOVFRZUEVfTk1JICkKLS0tIGEveGVuL2luY2x1ZGUvYXNt
LXg4Ni9odm0vaHZtLmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0v
aHZtLmgKQEAgLTM4NSw3ICszODUsMTAgQEAgc3RhdGljIGlubGluZSBpbnQg
aHZtX2V2ZW50X3BlbmRpbmcoc3RydQogICAgIChYODZfQ1I0X1ZNWEUgfCBY
ODZfQ1I0X1BBRSB8IFg4Nl9DUjRfTUNFKSkKIAogLyogVGhlc2UgZXhjZXB0
aW9ucyBtdXN0IGFsd2F5cyBiZSBpbnRlcmNlcHRlZC4gKi8KLSNkZWZpbmUg
SFZNX1RSQVBfTUFTSyAoKDFVIDw8IFRSQVBfbWFjaGluZV9jaGVjaykgfCAo
MVUgPDwgVFJBUF9pbnZhbGlkX29wKSkKKyNkZWZpbmUgSFZNX1RSQVBfTUFT
SyAoKDFVIDw8IFRSQVBfZGVidWcpICAgICAgICAgICB8IFwKKyAgICAgICAg
ICAgICAgICAgICAgICAgKDFVIDw8IFRSQVBfaW52YWxpZF9vcCkgICAgICB8
IFwKKyAgICAgICAgICAgICAgICAgICAgICAgKDFVIDw8IFRSQVBfYWxpZ25t
ZW50X2NoZWNrKSB8IFwKKyAgICAgICAgICAgICAgICAgICAgICAgKDFVIDw8
IFRSQVBfbWFjaGluZV9jaGVjaykpCiAKIC8qCiAgKiB4ODYgZXZlbnQgdHlw
ZXMuIFRoaXMgZW51bWVyYXRpb24gaXMgdmFsaWQgZm9yOgo=

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Nov 24 17:14:52 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 24 Nov 2015 17:14:52 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1a1HA3-00044A-Fr; Tue, 24 Nov 2015 17:13:47 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1HA2-00043g-43; Tue, 24 Nov 2015 17:13:46 +0000
Received: from [193.109.254.147] by server-1.bemta-14.messagelabs.com id
	04/9D-28791-9CA94565; Tue, 24 Nov 2015 17:13:45 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-27.messagelabs.com!1448385223!5950768!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 52142 invoked from network); 24 Nov 2015 17:13:44 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Nov 2015 17:13:44 -0000
Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1H9s-0004g2-1W; Tue, 24 Nov 2015 17:13:36 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1H9q-0000wL-6j; Tue, 24 Nov 2015 17:13:34 +0000
Date: Tue, 24 Nov 2015 17:13:34 +0000
Message-Id: <E1a1H9q-0000wL-6j@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 163 - virtual PMU is
	unsupported
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-163

                      virtual PMU is unsupported

ISSUE DESCRIPTION
=================

The Virtual Performance Measurement Unit feature has been documented
as unsupported, so far only on Intel CPUs.  Further issues have been
found or are suspected which would also (or exclusively) affect AMD
CPUs.  We believe that the functionality is mostly intended for
non-production use anyway.  Therefore this functionality is hereby
documented as generally unsupported security-wise.

IMPACT
======

Use of the feature may have unknown effects, ranging from information
leaks through Denial of Service to privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the VPMU feature are affected.  That is,
only systems with a `vpmu' setting on the hypervisor command line.

Xen versions from 3.3 onwards are affected.

Only x86 systems are affected.  ARM systems do not currently implement
vPMU and are therefore currently unaffected; should this functionality
be added to ARM in the future it would be covered by this exclusion.

In Xen versions prior to 4.6 only HVM guests can take advantage of
this unsupported functionality.  In Xen versions from 4.6 onwards all
guest kinds can use this unsupported functionality.

MITIGATION
==========

Not enabling vPMU support (by omitting the "vpmu" hypervisor command
line option) will avoid using and exposing the unsupported
functionality.

RESOLUTION
==========

Applying the attached patch documents the situation.  The patch does
not fix any security issues.

xsa163.patch           xen-unstable

$ sha256sum xsa163*
b9185a45a41f31e7c2f85b79a669b8b1dbf00c6b40a79b00c779b344ccab45b7  xsa163.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWVJqRAAoJEIP+FMlX6CvZba8H/23BreIs2Gxkh+9Jty8EEMdp
nk3hSpEgxIb101XsbZ4JNwMO8QqBoTi1Bt0+k4bnjdRsU1G/vImacaN9LlefmLJc
jn3n4Ce9ODGQvCEp1LPwWQusduFhMUIaUK6cwB2LclYxUnxCgUpLBFReOp9QIbgZ
Bv+rrw9gcNb8zUKT53FZ7bOApRoU28rSFX1XE72ELPDdGbpTVXxlvQZtKsQY7N7O
Se1COml0MDhufWRf3SNxO2MmqZsg43fsjvJaJgGoXE+4gslcLBMjiwgoUDX2k9CG
Pi4M5uLNLxXJZkgbo1qi8ueQB9yck6tMg+o6f3wDFz28SFfu8/D2szXGOblpE5w=
=2Wqz
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa163.patch"
Content-Disposition: attachment; filename="xsa163.patch"
Content-Transfer-Encoding: base64

eDg2L3ZQTVU6IGRvY3VtZW50IGFzIHVuc3VwcG9ydGVkCgpUaGlzIGlzIFhT
QS0xNjMuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA
c3VzZS5jb20+Ci0tLQpOb3RlIHRoYXQgdGhlIHJlZmVyZW5jZWQgbGluayB3
aWxsIG9ubHkgYmVjb21lIGFjdGl2ZSBhZnRlciBwdWJsaWMKZGlzY2xvc3Vy
ZS4KCi0tLSBhL2RvY3MvbWlzYy94ZW4tY29tbWFuZC1saW5lLm1hcmtkb3du
CisrKyBiL2RvY3MvbWlzYy94ZW4tY29tbWFuZC1saW5lLm1hcmtkb3duCkBA
IC0xNDgyLDggKzE0ODIsOSBAQCBmZWF0dXJlIGlzIHN3aXRjaGVkIG9uIG9u
IEludGVsIHByb2Nlc3NvCiBOb3RlIHRoYXQgaWYgKip3YXRjaGRvZyoqIG9w
dGlvbiBpcyBhbHNvIHNwZWNpZmllZCB2cG11IHdpbGwgYmUgdHVybmVkIG9m
Zi4KIAogKldhcm5pbmc6KgotQXMgdGhlIEJUUyB2aXJ0dWFsaXNhdGlvbiBp
cyBub3QgMTAwJSBzYWZlIGFuZCBiZWNhdXNlIG9mIHRoZSBuZWhhbGVtIHF1
aXJrCi1kb24ndCB1c2UgdGhlIHZwbXUgZmxhZyBvbiBwcm9kdWN0aW9uIHN5
c3RlbXMgd2l0aCBJbnRlbCBjcHVzIQorQXMgdGhlIHZpcnR1YWxpc2F0aW9u
IGlzIG5vdCAxMDAlIHNhZmUsIGRvbid0IHVzZSB0aGUgdnBtdSBmbGFnIG9u
Citwcm9kdWN0aW9uIHN5c3RlbXMgKHNlZSBYZW4gU2VjdXJpdHkgQWR2aXNv
cnkgMTYzLAoraHR0cDovL3hlbmJpdHMueGVuLm9yZy94c2EvYWR2aXNvcnkt
MTYzLmh0bWwpIQogCiAjIyMgd2F0Y2hkb2cKID4gYD0gZm9yY2UgfCA8Ym9v
bGVhbj5gCg==

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Nov 24 17:14:52 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 24 Nov 2015 17:14:52 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1a1HA3-00044A-Fr; Tue, 24 Nov 2015 17:13:47 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1HA2-00043g-43; Tue, 24 Nov 2015 17:13:46 +0000
Received: from [193.109.254.147] by server-1.bemta-14.messagelabs.com id
	04/9D-28791-9CA94565; Tue, 24 Nov 2015 17:13:45 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-13.tower-27.messagelabs.com!1448385223!5950768!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 52142 invoked from network); 24 Nov 2015 17:13:44 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-13.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	24 Nov 2015 17:13:44 -0000
Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1H9s-0004g2-1W; Tue, 24 Nov 2015 17:13:36 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1H9q-0000wL-6j; Tue, 24 Nov 2015 17:13:34 +0000
Date: Tue, 24 Nov 2015 17:13:34 +0000
Message-Id: <E1a1H9q-0000wL-6j@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 163 - virtual PMU is
	unsupported
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-163

                      virtual PMU is unsupported

ISSUE DESCRIPTION
=================

The Virtual Performance Measurement Unit feature has been documented
as unsupported, so far only on Intel CPUs.  Further issues have been
found or are suspected which would also (or exclusively) affect AMD
CPUs.  We believe that the functionality is mostly intended for
non-production use anyway.  Therefore this functionality is hereby
documented as generally unsupported security-wise.

IMPACT
======

Use of the feature may have unknown effects, ranging from information
leaks through Denial of Service to privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the VPMU feature are affected.  That is,
only systems with a `vpmu' setting on the hypervisor command line.

Xen versions from 3.3 onwards are affected.

Only x86 systems are affected.  ARM systems do not currently implement
vPMU and are therefore currently unaffected; should this functionality
be added to ARM in the future it would be covered by this exclusion.

In Xen versions prior to 4.6 only HVM guests can take advantage of
this unsupported functionality.  In Xen versions from 4.6 onwards all
guest kinds can use this unsupported functionality.

MITIGATION
==========

Not enabling vPMU support (by omitting the "vpmu" hypervisor command
line option) will avoid using and exposing the unsupported
functionality.

RESOLUTION
==========

Applying the attached patch documents the situation.  The patch does
not fix any security issues.

xsa163.patch           xen-unstable

$ sha256sum xsa163*
b9185a45a41f31e7c2f85b79a669b8b1dbf00c6b40a79b00c779b344ccab45b7  xsa163.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWVJqRAAoJEIP+FMlX6CvZba8H/23BreIs2Gxkh+9Jty8EEMdp
nk3hSpEgxIb101XsbZ4JNwMO8QqBoTi1Bt0+k4bnjdRsU1G/vImacaN9LlefmLJc
jn3n4Ce9ODGQvCEp1LPwWQusduFhMUIaUK6cwB2LclYxUnxCgUpLBFReOp9QIbgZ
Bv+rrw9gcNb8zUKT53FZ7bOApRoU28rSFX1XE72ELPDdGbpTVXxlvQZtKsQY7N7O
Se1COml0MDhufWRf3SNxO2MmqZsg43fsjvJaJgGoXE+4gslcLBMjiwgoUDX2k9CG
Pi4M5uLNLxXJZkgbo1qi8ueQB9yck6tMg+o6f3wDFz28SFfu8/D2szXGOblpE5w=
=2Wqz
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa163.patch"
Content-Disposition: attachment; filename="xsa163.patch"
Content-Transfer-Encoding: base64

eDg2L3ZQTVU6IGRvY3VtZW50IGFzIHVuc3VwcG9ydGVkCgpUaGlzIGlzIFhT
QS0xNjMuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA
c3VzZS5jb20+Ci0tLQpOb3RlIHRoYXQgdGhlIHJlZmVyZW5jZWQgbGluayB3
aWxsIG9ubHkgYmVjb21lIGFjdGl2ZSBhZnRlciBwdWJsaWMKZGlzY2xvc3Vy
ZS4KCi0tLSBhL2RvY3MvbWlzYy94ZW4tY29tbWFuZC1saW5lLm1hcmtkb3du
CisrKyBiL2RvY3MvbWlzYy94ZW4tY29tbWFuZC1saW5lLm1hcmtkb3duCkBA
IC0xNDgyLDggKzE0ODIsOSBAQCBmZWF0dXJlIGlzIHN3aXRjaGVkIG9uIG9u
IEludGVsIHByb2Nlc3NvCiBOb3RlIHRoYXQgaWYgKip3YXRjaGRvZyoqIG9w
dGlvbiBpcyBhbHNvIHNwZWNpZmllZCB2cG11IHdpbGwgYmUgdHVybmVkIG9m
Zi4KIAogKldhcm5pbmc6KgotQXMgdGhlIEJUUyB2aXJ0dWFsaXNhdGlvbiBp
cyBub3QgMTAwJSBzYWZlIGFuZCBiZWNhdXNlIG9mIHRoZSBuZWhhbGVtIHF1
aXJrCi1kb24ndCB1c2UgdGhlIHZwbXUgZmxhZyBvbiBwcm9kdWN0aW9uIHN5
c3RlbXMgd2l0aCBJbnRlbCBjcHVzIQorQXMgdGhlIHZpcnR1YWxpc2F0aW9u
IGlzIG5vdCAxMDAlIHNhZmUsIGRvbid0IHVzZSB0aGUgdnBtdSBmbGFnIG9u
Citwcm9kdWN0aW9uIHN5c3RlbXMgKHNlZSBYZW4gU2VjdXJpdHkgQWR2aXNv
cnkgMTYzLAoraHR0cDovL3hlbmJpdHMueGVuLm9yZy94c2EvYWR2aXNvcnkt
MTYzLmh0bWwpIQogCiAjIyMgd2F0Y2hkb2cKID4gYD0gZm9yY2UgfCA8Ym9v
bGVhbj5gCg==

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Nov 25 15:33:22 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 25 Nov 2015 15:33:22 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1a1c34-0002qM-Ts; Wed, 25 Nov 2015 15:31:58 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1c33-0002pX-3f; Wed, 25 Nov 2015 15:31:57 +0000
Received: from [85.158.139.211] by server-17.bemta-5.messagelabs.com id
	4E/F6-18107-C64D5565; Wed, 25 Nov 2015 15:31:56 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-11.tower-206.messagelabs.com!1448465514!6446191!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 55121 invoked from network); 25 Nov 2015 15:31:55 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-11.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	25 Nov 2015 15:31:55 -0000
Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1c2t-0001P6-Ek; Wed, 25 Nov 2015 15:31:47 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1c2t-0003tJ-CN; Wed, 25 Nov 2015 15:31:47 +0000
Date: Wed, 25 Nov 2015 15:31:47 +0000
Message-Id: <E1a1c2t-0003tJ-CN@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 161 - WITHDRAWN: missing
 XSETBV intercept privilege check on AMD SVM
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-161
                              version 2

    WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM

UPDATES IN VERSION 2
====================

Upon further inspection the necessary privilege level check is present
in the generic code which handles XSETBV and therefore there is no
vulnerability in any version of Xen.

This advisory is therefore withdrawn. The previous text is retained
below for reference.

Thanks to Andrew Cooper for pointing out this oversight.

ISSUE DESCRIPTION
=================

*** NOTE: This advisory has been withdrawn ***

XSETBV is a privileged instruction, i.e. should result in #GP when
issued by code running at other than the most privileged level (CPL 0).
Unlike other privileged and intercepted instructions in AMD SVM, XSETBV
has the privilege level check done after the intercept check, resulting
in the need for software to do the checking instead. This software
check was missing.

IMPACT
======

*** NOTE: This advisory has been withdrawn ***

User mode code of HVM guests running on AVX-capable AMD hardware may
effect changes to the set of enabled AVX sub-features in the guest,
potentially confusing the guest kernel, likely resulting in crash and
hence a Denial of Service to the guest. Other attacks, namely privilege
escalation (again inside the guest only), cannot be ruled out.

VULNERABLE SYSTEMS
==================

*** NOTE: This advisory has been withdrawn, no versions are vulnerable ***

Xen versions from 4.1 onwards are affected.

Only x86 AMD systems supporting AVX are affected. Intel systems as
well as ARM ones are unaffected.

Only HVM guest user mode code can leverage this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only Intel hardware will also avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa161.patch         xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa161*
aa205960410c2feaa2a45127a1837a64212dd322d8edf884aa3231dd10c8a884  xsa161.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWVdPmAAoJEIP+FMlX6CvZ6IgH/RNKOBcIYc2BTxacwhIh/9Uj
lxXT1XfR3xksFzsW1T7rp6OAYQ1Lpsh+yAQLF8qAEEE+jUi7TWTb1U87K6tS9yYp
ppqwWfp6YS63uhtTu0SiMdvM0hOHTHC2ZfNehpX/iAtzpsdzqcYeWkIjjMBq6z95
isxXnuJq1EmfaI+Sx56c8yRntJwAqDx4twD7gJWC1feRltJn+kSR+pyGpcw4IeM3
ThfgW5Q1s2N4IX/yHlvPGhWDjBwfCP13de23UvUQwiSzLF6m42OnDtSLozvA/h56
yA7JDi/RYDsyL30qYllHKpW8lfrlsq6Xkyakrkw49sm1cJvaYu4vjLDZ9byVvmU=
=wPwa
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa161.patch"
Content-Disposition: attachment; filename="xsa161.patch"
Content-Transfer-Encoding: base64

RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0
OiB4ODYvU1ZNOiBYU0VUQlYgaW50ZXJjZXB0IG5lZWRzIHRvIGNoZWNrIENQ
TAoKT3RoZXIgdGhhbiBtb3N0IChhbGw/KSBvdGhlciBpbnRlcmNlcHRzLCBi
YXNpYyBjaGVja3MgLSBuYW1lbHkgdGhlIENQTApvbmUgLSBkb24ndCBnZXQg
ZG9uZSBiZWZvcmUgY2hlY2tpbmcgZm9yIHRoZSBpbnRlcmNlcHQgdG8gYmUg
ZW5hYmxlZC4KClRoaXMgaXMgWFNBLTE2MS4KClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KCi0tLSBhL3hlbi9hcmNo
L3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vc3Zt
L3N2bS5jCkBAIC0yNjA5LDEwICsyNjA5LDExIEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KICAgICAgICAgYnJlYWs7CiAK
ICAgICBjYXNlIFZNRVhJVF9YU0VUQlY6Ci0gICAgICAgIGlmICggKGluc3Rf
bGVuID0gX19nZXRfaW5zdHJ1Y3Rpb25fbGVuZ3RoKGN1cnJlbnQsIElOU1RS
X1hTRVRCVikpPT0wICkKLSAgICAgICAgICAgIGJyZWFrOwotICAgICAgICBp
ZiAoIGh2bV9oYW5kbGVfeHNldGJ2KHJlZ3MtPmVjeCwKLSAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAocmVncy0+cmR4IDw8IDMyKSB8IHJlZ3Mt
Pl9lYXgpID09IDAgKQorICAgICAgICBpZiAoIHZtY2JfZ2V0X2NwbCh2bWNi
KSApCisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQ
X2dwX2ZhdWx0LCAwKTsKKyAgICAgICAgZWxzZSBpZiAoIChpbnN0X2xlbiA9
IF9fZ2V0X2luc3RydWN0aW9uX2xlbmd0aCh2LCBJTlNUUl9YU0VUQlYpKSAm
JgorICAgICAgICAgICAgICAgICAgaHZtX2hhbmRsZV94c2V0YnYocmVncy0+
ZWN4LAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKHJl
Z3MtPnJkeCA8PCAzMikgfCByZWdzLT5fZWF4KSA9PSAwICkKICAgICAgICAg
ICAgIF9fdXBkYXRlX2d1ZXN0X2VpcChyZWdzLCBpbnN0X2xlbik7CiAgICAg
ICAgIGJyZWFrOwogCg==

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Nov 25 15:33:22 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 25 Nov 2015 15:33:22 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1a1c34-0002qM-Ts; Wed, 25 Nov 2015 15:31:58 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1c33-0002pX-3f; Wed, 25 Nov 2015 15:31:57 +0000
Received: from [85.158.139.211] by server-17.bemta-5.messagelabs.com id
	4E/F6-18107-C64D5565; Wed, 25 Nov 2015 15:31:56 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-11.tower-206.messagelabs.com!1448465514!6446191!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 7.19.2; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 55121 invoked from network); 25 Nov 2015 15:31:55 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-11.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	25 Nov 2015 15:31:55 -0000
Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1c2t-0001P6-Ek; Wed, 25 Nov 2015 15:31:47 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a1c2t-0003tJ-CN; Wed, 25 Nov 2015 15:31:47 +0000
Date: Wed, 25 Nov 2015 15:31:47 +0000
Message-Id: <E1a1c2t-0003tJ-CN@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 161 - WITHDRAWN: missing
 XSETBV intercept privilege check on AMD SVM
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-161
                              version 2

    WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM

UPDATES IN VERSION 2
====================

Upon further inspection the necessary privilege level check is present
in the generic code which handles XSETBV and therefore there is no
vulnerability in any version of Xen.

This advisory is therefore withdrawn. The previous text is retained
below for reference.

Thanks to Andrew Cooper for pointing out this oversight.

ISSUE DESCRIPTION
=================

*** NOTE: This advisory has been withdrawn ***

XSETBV is a privileged instruction, i.e. should result in #GP when
issued by code running at other than the most privileged level (CPL 0).
Unlike other privileged and intercepted instructions in AMD SVM, XSETBV
has the privilege level check done after the intercept check, resulting
in the need for software to do the checking instead. This software
check was missing.

IMPACT
======

*** NOTE: This advisory has been withdrawn ***

User mode code of HVM guests running on AVX-capable AMD hardware may
effect changes to the set of enabled AVX sub-features in the guest,
potentially confusing the guest kernel, likely resulting in crash and
hence a Denial of Service to the guest. Other attacks, namely privilege
escalation (again inside the guest only), cannot be ruled out.

VULNERABLE SYSTEMS
==================

*** NOTE: This advisory has been withdrawn, no versions are vulnerable ***

Xen versions from 4.1 onwards are affected.

Only x86 AMD systems supporting AVX are affected. Intel systems as
well as ARM ones are unaffected.

Only HVM guest user mode code can leverage this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only Intel hardware will also avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa161.patch         xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa161*
aa205960410c2feaa2a45127a1837a64212dd322d8edf884aa3231dd10c8a884  xsa161.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWVdPmAAoJEIP+FMlX6CvZ6IgH/RNKOBcIYc2BTxacwhIh/9Uj
lxXT1XfR3xksFzsW1T7rp6OAYQ1Lpsh+yAQLF8qAEEE+jUi7TWTb1U87K6tS9yYp
ppqwWfp6YS63uhtTu0SiMdvM0hOHTHC2ZfNehpX/iAtzpsdzqcYeWkIjjMBq6z95
isxXnuJq1EmfaI+Sx56c8yRntJwAqDx4twD7gJWC1feRltJn+kSR+pyGpcw4IeM3
ThfgW5Q1s2N4IX/yHlvPGhWDjBwfCP13de23UvUQwiSzLF6m42OnDtSLozvA/h56
yA7JDi/RYDsyL30qYllHKpW8lfrlsq6Xkyakrkw49sm1cJvaYu4vjLDZ9byVvmU=
=wPwa
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa161.patch"
Content-Disposition: attachment; filename="xsa161.patch"
Content-Transfer-Encoding: base64

RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0
OiB4ODYvU1ZNOiBYU0VUQlYgaW50ZXJjZXB0IG5lZWRzIHRvIGNoZWNrIENQ
TAoKT3RoZXIgdGhhbiBtb3N0IChhbGw/KSBvdGhlciBpbnRlcmNlcHRzLCBi
YXNpYyBjaGVja3MgLSBuYW1lbHkgdGhlIENQTApvbmUgLSBkb24ndCBnZXQg
ZG9uZSBiZWZvcmUgY2hlY2tpbmcgZm9yIHRoZSBpbnRlcmNlcHQgdG8gYmUg
ZW5hYmxlZC4KClRoaXMgaXMgWFNBLTE2MS4KClNpZ25lZC1vZmYtYnk6IEph
biBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KCi0tLSBhL3hlbi9hcmNo
L3g4Ni9odm0vc3ZtL3N2bS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vc3Zt
L3N2bS5jCkBAIC0yNjA5LDEwICsyNjA5LDExIEBAIHZvaWQgc3ZtX3ZtZXhp
dF9oYW5kbGVyKHN0cnVjdCBjcHVfdXNlcl8KICAgICAgICAgYnJlYWs7CiAK
ICAgICBjYXNlIFZNRVhJVF9YU0VUQlY6Ci0gICAgICAgIGlmICggKGluc3Rf
bGVuID0gX19nZXRfaW5zdHJ1Y3Rpb25fbGVuZ3RoKGN1cnJlbnQsIElOU1RS
X1hTRVRCVikpPT0wICkKLSAgICAgICAgICAgIGJyZWFrOwotICAgICAgICBp
ZiAoIGh2bV9oYW5kbGVfeHNldGJ2KHJlZ3MtPmVjeCwKLSAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAocmVncy0+cmR4IDw8IDMyKSB8IHJlZ3Mt
Pl9lYXgpID09IDAgKQorICAgICAgICBpZiAoIHZtY2JfZ2V0X2NwbCh2bWNi
KSApCisgICAgICAgICAgICBodm1faW5qZWN0X2h3X2V4Y2VwdGlvbihUUkFQ
X2dwX2ZhdWx0LCAwKTsKKyAgICAgICAgZWxzZSBpZiAoIChpbnN0X2xlbiA9
IF9fZ2V0X2luc3RydWN0aW9uX2xlbmd0aCh2LCBJTlNUUl9YU0VUQlYpKSAm
JgorICAgICAgICAgICAgICAgICAgaHZtX2hhbmRsZV94c2V0YnYocmVncy0+
ZWN4LAorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKHJl
Z3MtPnJkeCA8PCAzMikgfCByZWdzLT5fZWF4KSA9PSAwICkKICAgICAgICAg
ICAgIF9fdXBkYXRlX2d1ZXN0X2VpcChyZWdzLCBpbnN0X2xlbik7CiAgICAg
ICAgIGJyZWFrOwogCg==

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Nov 30 10:55:30 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 30 Nov 2015 10:55:30 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1a3M6D-0002rh-8L; Mon, 30 Nov 2015 10:54:25 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a3M6B-0002r3-2A; Mon, 30 Nov 2015 10:54:23 +0000
Received: from [85.158.137.68] by server-4.bemta-3.messagelabs.com id
	76/B4-09570-EDA2C565; Mon, 30 Nov 2015 10:54:22 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-31.messagelabs.com!1448880859!7618608!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 7.35; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27754 invoked from network); 30 Nov 2015 10:54:20 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	30 Nov 2015 10:54:20 -0000
Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a3M5y-00035D-UZ; Mon, 30 Nov 2015 10:54:10 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a3M5y-0007wE-6R; Mon, 30 Nov 2015 10:54:10 +0000
Date: Mon, 30 Nov 2015 10:54:10 +0000
Message-Id: <E1a3M5y-0007wE-6R@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 162 (CVE-2015-7504) - heap
 buffer overflow vulnerability in pcnet emulator
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7504 / XSA-162
                              version 2

         heap buffer overflow vulnerability in pcnet emulator

UPDATES IN VERSION 2
====================

Public release.

Correct cut and paste reference to bootloaders in "DEPLOYMENT DURING
EMBARGO" section, which should have instead referred to the
configuration changes.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving
    packets in loopback mode, appends CRC code to the receive
    buffer. If the data size given is same as the buffer size(4096),
    the appended CRC code overwrites 4 bytes after the s->buffer,
    making the adjacent 's->irq' object point to a new location.

IMPACT
======

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured to use the PCNET emulated driver model are
vulnerable.

The default configuration is NOT vulnerable (because it does not
emulate PCNET NICs).

Systems running only PV guests are NOT vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" or upstream qemu device models are
potentially vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV only VIF in the domain configuration file will avoid this
issue.

Avoiding the use of the PCNET device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

RESOLUTION
==========

The QEMU security team have supplied the attached xsa162-qemuu.patch
which it is believed will resolve the issue. However this patch has
not undergone the usual reviews and has not yet been accepted by QEMU
upstream.

The backports were created by the Xen Project security team on the same
basis.

xsa162-qemuu.patch           qemu upstream, Xen unstable, 4.6.x, 4.5.x, 4.4.x
xsa162-qemuu-4.3.patch       Xen 4.3.x
xsa162-qemut-4.3.patch       qemu-xen-traditional, Xen unstable, 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa162*
5844debcfdf606030aaa98f32a5920bc64c659dfae6062f24ab98e9008d8bf86  xsa162-qemut.patch
73e5857570b7464a2118a3ae6a8f424e01effd684c67773fada22a8411199238  xsa162-qemuu.patch
4a0ded68cc20d64752ef72e12983b20a4b14fef9b14e8774d889cfa34201909d  xsa162-qemuu-4.3.patch
$


CREDITS
=======

This issue was discovered by Qinghao Tang of the Qihoo 360 Marvel
Team.


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However deployment of the mitigations described above is not permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because in all cases the configuration change may be visible
to the guest which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWXCrJAAoJEIP+FMlX6CvZEtkIAJJYN60maax4jOLKUNGJZcmO
MLTxucr4P2ffw5sNyNYJDHo7Ui5qTdx62uPQHAuYc8mt7x7g9+zhWH39XfFe/9KR
ZVqWAQeoFVT030dQXkuWQkr1ryXzWF/xIUzFsD4F0d3pXY3WNxTH5hKjmXxCUQzT
jM3h3hc4a2+BdTxL527liAiiG31z0sLMqop2V7346yqM5g+HK83DxN2hNackFWZx
PijuBIFO/L9FZiXvcsMtBllaHVko089MBtTF7nnOav1hJefn4yGDBdoj0D+r8PiB
6376dASIwznXV6YZcg62N2HxbKn4tnjr6HumM5kWlXUM7+f2eG3kfM4re7A3ry8=
=6xNZ
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa162-qemut.patch"
Content-Disposition: attachment; filename="xsa162-qemut.patch"
Content-Transfer-Encoding: base64

bmV0OiBwY25ldDogYWRkIGNoZWNrIHRvIHZhbGlkYXRlIHJlY2VpdmUgZGF0
YSBzaXplKENWRS0yMDE1LTc1MDQpCgpJbiBsb29wYmFjayBtb2RlLCBwY25l
dF9yZWNlaXZlIHJvdXRpbmUgYXBwZW5kcyBDUkMgY29kZSB0byB0aGUKcmVj
ZWl2ZSBidWZmZXIuIElmIHRoZSBkYXRhIHNpemUgZ2l2ZW4gaXMgc2FtZSBh
cyB0aGUgYnVmZmVyIHNpemUsCnRoZSBhcHBlbmRlZCBDUkMgY29kZSBvdmVy
d3JpdGVzIDQgYnl0ZXMgYWZ0ZXIgcy0+YnVmZmVyLiBBZGRlZCBhCmNoZWNr
IHRvIGF2b2lkIHRoYXQuCgpSZXBvcnRlZC1ieTogUWluZ2hhbyBUYW5nIDxs
dW9kYWxvbmdkZUBnbWFpbC5jb20+ClNpZ25lZC1vZmYtYnk6IFByYXNhZCBK
IFBhbmRpdCA8cGpwQGZlZG9yYXByb2plY3Qub3JnPgotLS0KIGh3L25ldC9w
Y25ldC5jIHwgMTAgKysrKysrLS0tLQogMSBmaWxlIGNoYW5nZWQsIDYgaW5z
ZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9ody9w
Y25ldC5jIGIvaHcvcGNuZXQuYwppbmRleCA0ZTgxMjY3Li42YTEwMWYyIDEw
MDY0NAotLS0gYS9ody9wY25ldC5jCisrKyBiL2h3L3BjbmV0LmMKQEAgLTEx
NTMsNyArMTE1Myw3IEBAIHN0YXRpYyB2b2lkIHBjbmV0X3JlY2VpdmUodm9p
ZCAqb3BhcXVlLCBjb25zdCB1aW50OF90ICpidWYsIGludCBzaXplKQogICAg
ICAgICAgICAgICAgIHVpbnQzMl90IGZjcyA9IH4wOwogICAgICAgICAgICAg
ICAgIHVpbnQ4X3QgKnAgPSBzcmM7CiAKLSAgICAgICAgICAgICAgICB3aGls
ZSAocCAhPSAmc3JjW3NpemUtNF0pCisgICAgICAgICAgICAgICAgd2hpbGUg
KHAgIT0gJnNyY1tzaXplXSkKICAgICAgICAgICAgICAgICAgICAgQ1JDKGZj
cywgKnArKyk7CiAgICAgICAgICAgICAgICAgY3JjX2VyciA9ICgqKHVpbnQz
Ml90ICopcCAhPSBodG9ubChmY3MpKTsKICAgICAgICAgICAgIH0KQEAgLTEy
ODQsMTIgKzEyODQsMTMgQEAgc3RhdGljIHZvaWQgcGNuZXRfdHJhbnNtaXQo
UENOZXRTdGF0ZSAqcykKICAgICAgICAgYmNudCA9IDQwOTYgLSBHRVRfRklF
TEQodG1kLmxlbmd0aCwgVE1ETCwgQkNOVCk7CiAKICAgICAgICAgLyogaWYg
bXVsdGktdG1kIHBhY2tldCBvdXRzaXplcyBzLT5idWZmZXIgdGhlbiBza2lw
IGl0IHNpbGVudGx5LgotICAgICAgICAgICBOb3RlOiB0aGlzIGlzIG5vdCB3
aGF0IHJlYWwgaHcgZG9lcyAqLwotICAgICAgICBpZiAocy0+eG1pdF9wb3Mg
KyBiY250ID4gc2l6ZW9mKHMtPmJ1ZmZlcikpIHsKLSAgICAgICAgICAgcy0+
eG1pdF9wb3MgPSAtMTsKLSAgICAgICAgICAgZ290byB0eGRvbmU7CisgICAg
ICAgICAqIE5vdGU6IHRoaXMgaXMgbm90IHdoYXQgcmVhbCBodyBkb2VzLgor
ICAgICAgICAgKiBMYXN0IGZvdXIgYnl0ZXMgb2Ygcy0+YnVmZmVyIGFyZSB1
c2VkIHRvIHN0b3JlIENSQyBGQ1MgY29kZS4KKyAgICAgICAgICovCisgICAg
ICAgIGlmIChzLT54bWl0X3BvcyArIGJjbnQgPiBzaXplb2Yocy0+YnVmZmVy
KSAtIDQpIHsKKyAgICAgICAgICAgIHMtPnhtaXRfcG9zID0gLTE7CisgICAg
ICAgICAgICBnb3RvIHR4ZG9uZTsKICAgICAgICAgfQotCiAgICAgICAgIHMt
PnBoeXNfbWVtX3JlYWQocy0+ZG1hX29wYXF1ZSwgUEhZU0FERFIocywgdG1k
LnRiYWRyKSwKICAgICAgICAgICAgICAgICAgICAgICAgICBzLT5idWZmZXIg
KyBzLT54bWl0X3BvcywgYmNudCwgQ1NSX0JTV1AocykpOwogICAgICAgICBz
LT54bWl0X3BvcyArPSBiY250OwotLS0gCi0yLjQuMwotCg==

--=separator
Content-Type: application/octet-stream; name="xsa162-qemuu.patch"
Content-Disposition: attachment; filename="xsa162-qemuu.patch"
Content-Transfer-Encoding: base64

bmV0OiBwY25ldDogYWRkIGNoZWNrIHRvIHZhbGlkYXRlIHJlY2VpdmUgZGF0
YSBzaXplKENWRS0yMDE1LTc1MDQpCgpJbiBsb29wYmFjayBtb2RlLCBwY25l
dF9yZWNlaXZlIHJvdXRpbmUgYXBwZW5kcyBDUkMgY29kZSB0byB0aGUKcmVj
ZWl2ZSBidWZmZXIuIElmIHRoZSBkYXRhIHNpemUgZ2l2ZW4gaXMgc2FtZSBh
cyB0aGUgYnVmZmVyIHNpemUsCnRoZSBhcHBlbmRlZCBDUkMgY29kZSBvdmVy
d3JpdGVzIDQgYnl0ZXMgYWZ0ZXIgcy0+YnVmZmVyLiBBZGRlZCBhCmNoZWNr
IHRvIGF2b2lkIHRoYXQuCgpSZXBvcnRlZC1ieTogUWluZ2hhbyBUYW5nIDxs
dW9kYWxvbmdkZUBnbWFpbC5jb20+ClNpZ25lZC1vZmYtYnk6IFByYXNhZCBK
IFBhbmRpdCA8cGpwQGZlZG9yYXByb2plY3Qub3JnPgotLS0KIGh3L25ldC9w
Y25ldC5jIHwgMTAgKysrKysrLS0tLQogMSBmaWxlIGNoYW5nZWQsIDYgaW5z
ZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9ody9u
ZXQvcGNuZXQuYyBiL2h3L25ldC9wY25ldC5jCmluZGV4IDM0MzczNzYuLjVm
NTU1OTEgMTAwNjQ0Ci0tLSBhL2h3L25ldC9wY25ldC5jCisrKyBiL2h3L25l
dC9wY25ldC5jCkBAIC0xMDg1LDcgKzEwODUsNyBAQCBzc2l6ZV90IHBjbmV0
X3JlY2VpdmUoTmV0Q2xpZW50U3RhdGUgKm5jLCBjb25zdCB1aW50OF90ICpi
dWYsIHNpemVfdCBzaXplXykKICAgICAgICAgICAgICAgICB1aW50MzJfdCBm
Y3MgPSB+MDsKICAgICAgICAgICAgICAgICB1aW50OF90ICpwID0gc3JjOwog
Ci0gICAgICAgICAgICAgICAgd2hpbGUgKHAgIT0gJnNyY1tzaXplLTRdKQor
ICAgICAgICAgICAgICAgIHdoaWxlIChwICE9ICZzcmNbc2l6ZV0pCiAgICAg
ICAgICAgICAgICAgICAgIENSQyhmY3MsICpwKyspOwogICAgICAgICAgICAg
ICAgIGNyY19lcnIgPSAoKih1aW50MzJfdCAqKXAgIT0gaHRvbmwoZmNzKSk7
CiAgICAgICAgICAgICB9CkBAIC0xMjM0LDggKzEyMzQsMTAgQEAgc3RhdGlj
IHZvaWQgcGNuZXRfdHJhbnNtaXQoUENOZXRTdGF0ZSAqcykKICAgICAgICAg
YmNudCA9IDQwOTYgLSBHRVRfRklFTEQodG1kLmxlbmd0aCwgVE1ETCwgQkNO
VCk7CiAKICAgICAgICAgLyogaWYgbXVsdGktdG1kIHBhY2tldCBvdXRzaXpl
cyBzLT5idWZmZXIgdGhlbiBza2lwIGl0IHNpbGVudGx5LgotICAgICAgICAg
ICBOb3RlOiB0aGlzIGlzIG5vdCB3aGF0IHJlYWwgaHcgZG9lcyAqLwotICAg
ICAgICBpZiAocy0+eG1pdF9wb3MgKyBiY250ID4gc2l6ZW9mKHMtPmJ1ZmZl
cikpIHsKKyAgICAgICAgICogTm90ZTogdGhpcyBpcyBub3Qgd2hhdCByZWFs
IGh3IGRvZXMuCisgICAgICAgICAqIExhc3QgZm91ciBieXRlcyBvZiBzLT5i
dWZmZXIgYXJlIHVzZWQgdG8gc3RvcmUgQ1JDIEZDUyBjb2RlLgorICAgICAg
ICAgKi8KKyAgICAgICAgaWYgKHMtPnhtaXRfcG9zICsgYmNudCA+IHNpemVv
ZihzLT5idWZmZXIpIC0gNCkgewogICAgICAgICAgICAgcy0+eG1pdF9wb3Mg
PSAtMTsKICAgICAgICAgICAgIGdvdG8gdHhkb25lOwogICAgICAgICB9Ci0t
IAoyLjQuMwoK

--=separator
Content-Type: application/octet-stream; name="xsa162-qemuu-4.3.patch"
Content-Disposition: attachment; filename="xsa162-qemuu-4.3.patch"
Content-Transfer-Encoding: base64

bmV0OiBwY25ldDogYWRkIGNoZWNrIHRvIHZhbGlkYXRlIHJlY2VpdmUgZGF0
YSBzaXplKENWRS0yMDE1LTc1MDQpCgpJbiBsb29wYmFjayBtb2RlLCBwY25l
dF9yZWNlaXZlIHJvdXRpbmUgYXBwZW5kcyBDUkMgY29kZSB0byB0aGUKcmVj
ZWl2ZSBidWZmZXIuIElmIHRoZSBkYXRhIHNpemUgZ2l2ZW4gaXMgc2FtZSBh
cyB0aGUgYnVmZmVyIHNpemUsCnRoZSBhcHBlbmRlZCBDUkMgY29kZSBvdmVy
d3JpdGVzIDQgYnl0ZXMgYWZ0ZXIgcy0+YnVmZmVyLiBBZGRlZCBhCmNoZWNr
IHRvIGF2b2lkIHRoYXQuCgpSZXBvcnRlZC1ieTogUWluZ2hhbyBUYW5nIDxs
dW9kYWxvbmdkZUBnbWFpbC5jb20+ClNpZ25lZC1vZmYtYnk6IFByYXNhZCBK
IFBhbmRpdCA8cGpwQGZlZG9yYXByb2plY3Qub3JnPgotLS0KIGh3L25ldC9w
Y25ldC5jIHwgMTAgKysrKysrLS0tLQogMSBmaWxlIGNoYW5nZWQsIDYgaW5z
ZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9ody9u
ZXQvcGNuZXQuYyBiL2h3L25ldC9wY25ldC5jCmluZGV4IDM0MzczNzYuLjVm
NTU1OTEgMTAwNjQ0Ci0tLSBhL2h3L3BjbmV0LmMKKysrIGIvaHcvcGNuZXQu
YwpAQCAtMTA4NSw3ICsxMDg1LDcgQEAgc3NpemVfdCBwY25ldF9yZWNlaXZl
KE5ldENsaWVudFN0YXRlICpuYywgY29uc3QgdWludDhfdCAqYnVmLCBzaXpl
X3Qgc2l6ZV8pCiAgICAgICAgICAgICAgICAgdWludDMyX3QgZmNzID0gfjA7
CiAgICAgICAgICAgICAgICAgdWludDhfdCAqcCA9IHNyYzsKIAotICAgICAg
ICAgICAgICAgIHdoaWxlIChwICE9ICZzcmNbc2l6ZS00XSkKKyAgICAgICAg
ICAgICAgICB3aGlsZSAocCAhPSAmc3JjW3NpemVdKQogICAgICAgICAgICAg
ICAgICAgICBDUkMoZmNzLCAqcCsrKTsKICAgICAgICAgICAgICAgICBjcmNf
ZXJyID0gKCoodWludDMyX3QgKilwICE9IGh0b25sKGZjcykpOwogICAgICAg
ICAgICAgfQpAQCAtMTIzNCw4ICsxMjM0LDEwIEBAIHN0YXRpYyB2b2lkIHBj
bmV0X3RyYW5zbWl0KFBDTmV0U3RhdGUgKnMpCiAgICAgICAgIGJjbnQgPSA0
MDk2IC0gR0VUX0ZJRUxEKHRtZC5sZW5ndGgsIFRNREwsIEJDTlQpOwogCiAg
ICAgICAgIC8qIGlmIG11bHRpLXRtZCBwYWNrZXQgb3V0c2l6ZXMgcy0+YnVm
ZmVyIHRoZW4gc2tpcCBpdCBzaWxlbnRseS4KLSAgICAgICAgICAgTm90ZTog
dGhpcyBpcyBub3Qgd2hhdCByZWFsIGh3IGRvZXMgKi8KLSAgICAgICAgaWYg
KHMtPnhtaXRfcG9zICsgYmNudCA+IHNpemVvZihzLT5idWZmZXIpKSB7Cisg
ICAgICAgICAqIE5vdGU6IHRoaXMgaXMgbm90IHdoYXQgcmVhbCBodyBkb2Vz
LgorICAgICAgICAgKiBMYXN0IGZvdXIgYnl0ZXMgb2Ygcy0+YnVmZmVyIGFy
ZSB1c2VkIHRvIHN0b3JlIENSQyBGQ1MgY29kZS4KKyAgICAgICAgICovCisg
ICAgICAgIGlmIChzLT54bWl0X3BvcyArIGJjbnQgPiBzaXplb2Yocy0+YnVm
ZmVyKSAtIDQpIHsKICAgICAgICAgICAgIHMtPnhtaXRfcG9zID0gLTE7CiAg
ICAgICAgICAgICBnb3RvIHR4ZG9uZTsKICAgICAgICAgfQotLSAKMi40LjMK
Cg==

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Nov 30 10:55:30 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 30 Nov 2015 10:55:30 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1a3M6D-0002rh-8L; Mon, 30 Nov 2015 10:54:25 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a3M6B-0002r3-2A; Mon, 30 Nov 2015 10:54:23 +0000
Received: from [85.158.137.68] by server-4.bemta-3.messagelabs.com id
	76/B4-09570-EDA2C565; Mon, 30 Nov 2015 10:54:22 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-31.messagelabs.com!1448880859!7618608!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 7.35; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27754 invoked from network); 30 Nov 2015 10:54:20 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-31.messagelabs.com with AES256-SHA encrypted SMTP;
	30 Nov 2015 10:54:20 -0000
Received: from xenbits.xenproject.org ([50.57.170.242] helo=xenbits.xen.org)
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a3M5y-00035D-UZ; Mon, 30 Nov 2015 10:54:10 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1a3M5y-0007wE-6R; Mon, 30 Nov 2015 10:54:10 +0000
Date: Mon, 30 Nov 2015 10:54:10 +0000
Message-Id: <E1a3M5y-0007wE-6R@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 162 (CVE-2015-7504) - heap
 buffer overflow vulnerability in pcnet emulator
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7504 / XSA-162
                              version 2

         heap buffer overflow vulnerability in pcnet emulator

UPDATES IN VERSION 2
====================

Public release.

Correct cut and paste reference to bootloaders in "DEPLOYMENT DURING
EMBARGO" section, which should have instead referred to the
configuration changes.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

    The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving
    packets in loopback mode, appends CRC code to the receive
    buffer. If the data size given is same as the buffer size(4096),
    the appended CRC code overwrites 4 bytes after the s->buffer,
    making the adjacent 's->irq' object point to a new location.

IMPACT
======

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have
been configured to use the PCNET emulated driver model are
vulnerable.

The default configuration is NOT vulnerable (because it does not
emulate PCNET NICs).

Systems running only PV guests are NOT vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" or upstream qemu device models are
potentially vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated network devices altogether, by specifying
a PV only VIF in the domain configuration file will avoid this
issue.

Avoiding the use of the PCNET device in favour of other emulations
will also avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

RESOLUTION
==========

The QEMU security team have supplied the attached xsa162-qemuu.patch
which it is believed will resolve the issue. However this patch has
not undergone the usual reviews and has not yet been accepted by QEMU
upstream.

The backports were created by the Xen Project security team on the same
basis.

xsa162-qemuu.patch           qemu upstream, Xen unstable, 4.6.x, 4.5.x, 4.4.x
xsa162-qemuu-4.3.patch       Xen 4.3.x
xsa162-qemut-4.3.patch       qemu-xen-traditional, Xen unstable, 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa162*
5844debcfdf606030aaa98f32a5920bc64c659dfae6062f24ab98e9008d8bf86  xsa162-qemut.patch
73e5857570b7464a2118a3ae6a8f424e01effd684c67773fada22a8411199238  xsa162-qemuu.patch
4a0ded68cc20d64752ef72e12983b20a4b14fef9b14e8774d889cfa34201909d  xsa162-qemuu-4.3.patch
$


CREDITS
=======

This issue was discovered by Qinghao Tang of the Qihoo 360 Marvel
Team.


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However deployment of the mitigations described above is not permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because in all cases the configuration change may be visible
to the guest which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWXCrJAAoJEIP+FMlX6CvZEtkIAJJYN60maax4jOLKUNGJZcmO
MLTxucr4P2ffw5sNyNYJDHo7Ui5qTdx62uPQHAuYc8mt7x7g9+zhWH39XfFe/9KR
ZVqWAQeoFVT030dQXkuWQkr1ryXzWF/xIUzFsD4F0d3pXY3WNxTH5hKjmXxCUQzT
jM3h3hc4a2+BdTxL527liAiiG31z0sLMqop2V7346yqM5g+HK83DxN2hNackFWZx
PijuBIFO/L9FZiXvcsMtBllaHVko089MBtTF7nnOav1hJefn4yGDBdoj0D+r8PiB
6376dASIwznXV6YZcg62N2HxbKn4tnjr6HumM5kWlXUM7+f2eG3kfM4re7A3ry8=
=6xNZ
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa162-qemut.patch"
Content-Disposition: attachment; filename="xsa162-qemut.patch"
Content-Transfer-Encoding: base64

bmV0OiBwY25ldDogYWRkIGNoZWNrIHRvIHZhbGlkYXRlIHJlY2VpdmUgZGF0
YSBzaXplKENWRS0yMDE1LTc1MDQpCgpJbiBsb29wYmFjayBtb2RlLCBwY25l
dF9yZWNlaXZlIHJvdXRpbmUgYXBwZW5kcyBDUkMgY29kZSB0byB0aGUKcmVj
ZWl2ZSBidWZmZXIuIElmIHRoZSBkYXRhIHNpemUgZ2l2ZW4gaXMgc2FtZSBh
cyB0aGUgYnVmZmVyIHNpemUsCnRoZSBhcHBlbmRlZCBDUkMgY29kZSBvdmVy
d3JpdGVzIDQgYnl0ZXMgYWZ0ZXIgcy0+YnVmZmVyLiBBZGRlZCBhCmNoZWNr
IHRvIGF2b2lkIHRoYXQuCgpSZXBvcnRlZC1ieTogUWluZ2hhbyBUYW5nIDxs
dW9kYWxvbmdkZUBnbWFpbC5jb20+ClNpZ25lZC1vZmYtYnk6IFByYXNhZCBK
IFBhbmRpdCA8cGpwQGZlZG9yYXByb2plY3Qub3JnPgotLS0KIGh3L25ldC9w
Y25ldC5jIHwgMTAgKysrKysrLS0tLQogMSBmaWxlIGNoYW5nZWQsIDYgaW5z
ZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9ody9w
Y25ldC5jIGIvaHcvcGNuZXQuYwppbmRleCA0ZTgxMjY3Li42YTEwMWYyIDEw
MDY0NAotLS0gYS9ody9wY25ldC5jCisrKyBiL2h3L3BjbmV0LmMKQEAgLTEx
NTMsNyArMTE1Myw3IEBAIHN0YXRpYyB2b2lkIHBjbmV0X3JlY2VpdmUodm9p
ZCAqb3BhcXVlLCBjb25zdCB1aW50OF90ICpidWYsIGludCBzaXplKQogICAg
ICAgICAgICAgICAgIHVpbnQzMl90IGZjcyA9IH4wOwogICAgICAgICAgICAg
ICAgIHVpbnQ4X3QgKnAgPSBzcmM7CiAKLSAgICAgICAgICAgICAgICB3aGls
ZSAocCAhPSAmc3JjW3NpemUtNF0pCisgICAgICAgICAgICAgICAgd2hpbGUg
KHAgIT0gJnNyY1tzaXplXSkKICAgICAgICAgICAgICAgICAgICAgQ1JDKGZj
cywgKnArKyk7CiAgICAgICAgICAgICAgICAgY3JjX2VyciA9ICgqKHVpbnQz
Ml90ICopcCAhPSBodG9ubChmY3MpKTsKICAgICAgICAgICAgIH0KQEAgLTEy
ODQsMTIgKzEyODQsMTMgQEAgc3RhdGljIHZvaWQgcGNuZXRfdHJhbnNtaXQo
UENOZXRTdGF0ZSAqcykKICAgICAgICAgYmNudCA9IDQwOTYgLSBHRVRfRklF
TEQodG1kLmxlbmd0aCwgVE1ETCwgQkNOVCk7CiAKICAgICAgICAgLyogaWYg
bXVsdGktdG1kIHBhY2tldCBvdXRzaXplcyBzLT5idWZmZXIgdGhlbiBza2lw
IGl0IHNpbGVudGx5LgotICAgICAgICAgICBOb3RlOiB0aGlzIGlzIG5vdCB3
aGF0IHJlYWwgaHcgZG9lcyAqLwotICAgICAgICBpZiAocy0+eG1pdF9wb3Mg
KyBiY250ID4gc2l6ZW9mKHMtPmJ1ZmZlcikpIHsKLSAgICAgICAgICAgcy0+
eG1pdF9wb3MgPSAtMTsKLSAgICAgICAgICAgZ290byB0eGRvbmU7CisgICAg
ICAgICAqIE5vdGU6IHRoaXMgaXMgbm90IHdoYXQgcmVhbCBodyBkb2VzLgor
ICAgICAgICAgKiBMYXN0IGZvdXIgYnl0ZXMgb2Ygcy0+YnVmZmVyIGFyZSB1
c2VkIHRvIHN0b3JlIENSQyBGQ1MgY29kZS4KKyAgICAgICAgICovCisgICAg
ICAgIGlmIChzLT54bWl0X3BvcyArIGJjbnQgPiBzaXplb2Yocy0+YnVmZmVy
KSAtIDQpIHsKKyAgICAgICAgICAgIHMtPnhtaXRfcG9zID0gLTE7CisgICAg
ICAgICAgICBnb3RvIHR4ZG9uZTsKICAgICAgICAgfQotCiAgICAgICAgIHMt
PnBoeXNfbWVtX3JlYWQocy0+ZG1hX29wYXF1ZSwgUEhZU0FERFIocywgdG1k
LnRiYWRyKSwKICAgICAgICAgICAgICAgICAgICAgICAgICBzLT5idWZmZXIg
KyBzLT54bWl0X3BvcywgYmNudCwgQ1NSX0JTV1AocykpOwogICAgICAgICBz
LT54bWl0X3BvcyArPSBiY250OwotLS0gCi0yLjQuMwotCg==

--=separator
Content-Type: application/octet-stream; name="xsa162-qemuu.patch"
Content-Disposition: attachment; filename="xsa162-qemuu.patch"
Content-Transfer-Encoding: base64

bmV0OiBwY25ldDogYWRkIGNoZWNrIHRvIHZhbGlkYXRlIHJlY2VpdmUgZGF0
YSBzaXplKENWRS0yMDE1LTc1MDQpCgpJbiBsb29wYmFjayBtb2RlLCBwY25l
dF9yZWNlaXZlIHJvdXRpbmUgYXBwZW5kcyBDUkMgY29kZSB0byB0aGUKcmVj
ZWl2ZSBidWZmZXIuIElmIHRoZSBkYXRhIHNpemUgZ2l2ZW4gaXMgc2FtZSBh
cyB0aGUgYnVmZmVyIHNpemUsCnRoZSBhcHBlbmRlZCBDUkMgY29kZSBvdmVy
d3JpdGVzIDQgYnl0ZXMgYWZ0ZXIgcy0+YnVmZmVyLiBBZGRlZCBhCmNoZWNr
IHRvIGF2b2lkIHRoYXQuCgpSZXBvcnRlZC1ieTogUWluZ2hhbyBUYW5nIDxs
dW9kYWxvbmdkZUBnbWFpbC5jb20+ClNpZ25lZC1vZmYtYnk6IFByYXNhZCBK
IFBhbmRpdCA8cGpwQGZlZG9yYXByb2plY3Qub3JnPgotLS0KIGh3L25ldC9w
Y25ldC5jIHwgMTAgKysrKysrLS0tLQogMSBmaWxlIGNoYW5nZWQsIDYgaW5z
ZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9ody9u
ZXQvcGNuZXQuYyBiL2h3L25ldC9wY25ldC5jCmluZGV4IDM0MzczNzYuLjVm
NTU1OTEgMTAwNjQ0Ci0tLSBhL2h3L25ldC9wY25ldC5jCisrKyBiL2h3L25l
dC9wY25ldC5jCkBAIC0xMDg1LDcgKzEwODUsNyBAQCBzc2l6ZV90IHBjbmV0
X3JlY2VpdmUoTmV0Q2xpZW50U3RhdGUgKm5jLCBjb25zdCB1aW50OF90ICpi
dWYsIHNpemVfdCBzaXplXykKICAgICAgICAgICAgICAgICB1aW50MzJfdCBm
Y3MgPSB+MDsKICAgICAgICAgICAgICAgICB1aW50OF90ICpwID0gc3JjOwog
Ci0gICAgICAgICAgICAgICAgd2hpbGUgKHAgIT0gJnNyY1tzaXplLTRdKQor
ICAgICAgICAgICAgICAgIHdoaWxlIChwICE9ICZzcmNbc2l6ZV0pCiAgICAg
ICAgICAgICAgICAgICAgIENSQyhmY3MsICpwKyspOwogICAgICAgICAgICAg
ICAgIGNyY19lcnIgPSAoKih1aW50MzJfdCAqKXAgIT0gaHRvbmwoZmNzKSk7
CiAgICAgICAgICAgICB9CkBAIC0xMjM0LDggKzEyMzQsMTAgQEAgc3RhdGlj
IHZvaWQgcGNuZXRfdHJhbnNtaXQoUENOZXRTdGF0ZSAqcykKICAgICAgICAg
YmNudCA9IDQwOTYgLSBHRVRfRklFTEQodG1kLmxlbmd0aCwgVE1ETCwgQkNO
VCk7CiAKICAgICAgICAgLyogaWYgbXVsdGktdG1kIHBhY2tldCBvdXRzaXpl
cyBzLT5idWZmZXIgdGhlbiBza2lwIGl0IHNpbGVudGx5LgotICAgICAgICAg
ICBOb3RlOiB0aGlzIGlzIG5vdCB3aGF0IHJlYWwgaHcgZG9lcyAqLwotICAg
ICAgICBpZiAocy0+eG1pdF9wb3MgKyBiY250ID4gc2l6ZW9mKHMtPmJ1ZmZl
cikpIHsKKyAgICAgICAgICogTm90ZTogdGhpcyBpcyBub3Qgd2hhdCByZWFs
IGh3IGRvZXMuCisgICAgICAgICAqIExhc3QgZm91ciBieXRlcyBvZiBzLT5i
dWZmZXIgYXJlIHVzZWQgdG8gc3RvcmUgQ1JDIEZDUyBjb2RlLgorICAgICAg
ICAgKi8KKyAgICAgICAgaWYgKHMtPnhtaXRfcG9zICsgYmNudCA+IHNpemVv
ZihzLT5idWZmZXIpIC0gNCkgewogICAgICAgICAgICAgcy0+eG1pdF9wb3Mg
PSAtMTsKICAgICAgICAgICAgIGdvdG8gdHhkb25lOwogICAgICAgICB9Ci0t
IAoyLjQuMwoK

--=separator
Content-Type: application/octet-stream; name="xsa162-qemuu-4.3.patch"
Content-Disposition: attachment; filename="xsa162-qemuu-4.3.patch"
Content-Transfer-Encoding: base64

bmV0OiBwY25ldDogYWRkIGNoZWNrIHRvIHZhbGlkYXRlIHJlY2VpdmUgZGF0
YSBzaXplKENWRS0yMDE1LTc1MDQpCgpJbiBsb29wYmFjayBtb2RlLCBwY25l
dF9yZWNlaXZlIHJvdXRpbmUgYXBwZW5kcyBDUkMgY29kZSB0byB0aGUKcmVj
ZWl2ZSBidWZmZXIuIElmIHRoZSBkYXRhIHNpemUgZ2l2ZW4gaXMgc2FtZSBh
cyB0aGUgYnVmZmVyIHNpemUsCnRoZSBhcHBlbmRlZCBDUkMgY29kZSBvdmVy
d3JpdGVzIDQgYnl0ZXMgYWZ0ZXIgcy0+YnVmZmVyLiBBZGRlZCBhCmNoZWNr
IHRvIGF2b2lkIHRoYXQuCgpSZXBvcnRlZC1ieTogUWluZ2hhbyBUYW5nIDxs
dW9kYWxvbmdkZUBnbWFpbC5jb20+ClNpZ25lZC1vZmYtYnk6IFByYXNhZCBK
IFBhbmRpdCA8cGpwQGZlZG9yYXByb2plY3Qub3JnPgotLS0KIGh3L25ldC9w
Y25ldC5jIHwgMTAgKysrKysrLS0tLQogMSBmaWxlIGNoYW5nZWQsIDYgaW5z
ZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9ody9u
ZXQvcGNuZXQuYyBiL2h3L25ldC9wY25ldC5jCmluZGV4IDM0MzczNzYuLjVm
NTU1OTEgMTAwNjQ0Ci0tLSBhL2h3L3BjbmV0LmMKKysrIGIvaHcvcGNuZXQu
YwpAQCAtMTA4NSw3ICsxMDg1LDcgQEAgc3NpemVfdCBwY25ldF9yZWNlaXZl
KE5ldENsaWVudFN0YXRlICpuYywgY29uc3QgdWludDhfdCAqYnVmLCBzaXpl
X3Qgc2l6ZV8pCiAgICAgICAgICAgICAgICAgdWludDMyX3QgZmNzID0gfjA7
CiAgICAgICAgICAgICAgICAgdWludDhfdCAqcCA9IHNyYzsKIAotICAgICAg
ICAgICAgICAgIHdoaWxlIChwICE9ICZzcmNbc2l6ZS00XSkKKyAgICAgICAg
ICAgICAgICB3aGlsZSAocCAhPSAmc3JjW3NpemVdKQogICAgICAgICAgICAg
ICAgICAgICBDUkMoZmNzLCAqcCsrKTsKICAgICAgICAgICAgICAgICBjcmNf
ZXJyID0gKCoodWludDMyX3QgKilwICE9IGh0b25sKGZjcykpOwogICAgICAg
ICAgICAgfQpAQCAtMTIzNCw4ICsxMjM0LDEwIEBAIHN0YXRpYyB2b2lkIHBj
bmV0X3RyYW5zbWl0KFBDTmV0U3RhdGUgKnMpCiAgICAgICAgIGJjbnQgPSA0
MDk2IC0gR0VUX0ZJRUxEKHRtZC5sZW5ndGgsIFRNREwsIEJDTlQpOwogCiAg
ICAgICAgIC8qIGlmIG11bHRpLXRtZCBwYWNrZXQgb3V0c2l6ZXMgcy0+YnVm
ZmVyIHRoZW4gc2tpcCBpdCBzaWxlbnRseS4KLSAgICAgICAgICAgTm90ZTog
dGhpcyBpcyBub3Qgd2hhdCByZWFsIGh3IGRvZXMgKi8KLSAgICAgICAgaWYg
KHMtPnhtaXRfcG9zICsgYmNudCA+IHNpemVvZihzLT5idWZmZXIpKSB7Cisg
ICAgICAgICAqIE5vdGU6IHRoaXMgaXMgbm90IHdoYXQgcmVhbCBodyBkb2Vz
LgorICAgICAgICAgKiBMYXN0IGZvdXIgYnl0ZXMgb2Ygcy0+YnVmZmVyIGFy
ZSB1c2VkIHRvIHN0b3JlIENSQyBGQ1MgY29kZS4KKyAgICAgICAgICovCisg
ICAgICAgIGlmIChzLT54bWl0X3BvcyArIGJjbnQgPiBzaXplb2Yocy0+YnVm
ZmVyKSAtIDQpIHsKICAgICAgICAgICAgIHMtPnhtaXRfcG9zID0gLTE7CiAg
ICAgICAgICAgICBnb3RvIHR4ZG9uZTsKICAgICAgICAgfQotLSAKMi40LjMK
Cg==

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--