From xen-announce-bounces@lists.xen.org Thu Sep 08 12:02:11 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:02:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0z-0008MH-He; Thu, 08 Sep 2016 12:01:09 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0y-0008Ku-25; Thu, 08 Sep 2016 12:01:08 +0000 Received: from [193.109.254.147] by server-9.bemta-6.messagelabs.com id 04/AC-28857-30351D75; Thu, 08 Sep 2016 12:01:07 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOIsWRWlGSWpSXmKPExsWS0XRdVZcp+GK 4wcPl7Ba3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDN+LBwAkvBC9mKZd2tjA2M T6S6GLk4hASOM0o8PniaFcJZxChx48cb9i5GTg5mAVeJG/s2s0HYihIX7jWwgNi8AoISJ2c+A bMlBDQl7rxZBVYvIlAksfPcSzCbTUBPYu7ZSUwQvToSL/evBrI5OIQF4iXWrTaBGGMmceDEL1 YQm0VAVWLet17WCYw8s5BsnoVk8ywkm2cBTWIG2rx+lz6EKS2x/B8HRLW8xPa3c5ghbGuJ9q1 drBC2hcSHO0+YYSZO6X7IvoCRcxWjenFqUVlqka6lXlJRZnpGSW5iZo6uoYGZXm5qcXFiempO YlKxXnJ+7iZGYHAzAMEOxrubAg4xSnIwKYny+hRfCBfiS8pPqcxILM6ILyrNSS0+xCjDwaEkw bs88GK4kGBRanpqRVpmDjDOYNISHDxKIrwiQUBp3uKCxNzizHSI1ClGY44l06+tZeJYdPPxfi Yhlrz8vFQpcd5NIJMEQEozSvPgBsHi/xKjrJQwLyPQaUI8BalFuZklqPKvGMU5GJWEeZtBpvB k5pXA7XsFdAoT0ClCp86DnFKSiJCSamCU0HnlHpi2o2TbkmsupZolX9ym/ltavOqM0dPgqVfy 7my4Lvn4a2GGE0dCqLtQ8CyGM1vmbD5qc/4Jy7rVUfzC3u23ucs2iMzskZ9nInTle1/1C8Ytp T3z+Pe9t1JN2ZJy/S7fwhrD2gMtTw23b0w2Ed71aN21yxESK/j0syf26ISohVknePgrsRRnJB pqMRcVJwIABVq0//oCAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-27.messagelabs.com!1473336065!47920445!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 61146 invoked from network); 8 Sep 2016 12:01:06 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-8.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:01:06 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0n-0003Ln-01; Thu, 08 Sep 2016 12:00:57 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy0m-0000vj-TN; Thu, 08 Sep 2016 12:00:56 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:00:56 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 188 (CVE-2016-7154) - use after free in FIFO event channel code X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7154 / XSA-188 version 3 use after free in FIFO event channel code UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding the non-NULL pointer, continue operation assuming it points to allocated memory. IMPACT ====== A malicious guest administrator can crash the host, leading to a DoS. Arbitrary code execution (and therefore privilege escalation), and information leaks, cannot be excluded. VULNERABLE SYSTEMS ================== Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as Xen versions 4.3 and earlier are not vulnerable. MITIGATION ========== There is no mitigation available. CREDITS ======= This issue was discovered by Mikhail Gorobets of Advanced Threat Research, Intel Security. RESOLUTION ========== Applying the attached patch resolves this issue. xsa188.patch Xen 4.4.x $ sha256sum xsa188* 9f374c2e1437ad71369f41275e7b333e7b7691a783ba693ee567c899bd78c722 xsa188.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VLuAAoJEIP+FMlX6CvZNjYH/RVxqYegZpfj0aiT5pai/a0i PgPSoMccGoSSVTXzivXUTZS3fTIqfTpd4SQHu2Q2dUqbb6zcPqd3NzF7Jl9IMwLk JHZwPYXOsZ0D6thFAMYFpjHOWXv7+1Mw7Np82PaA2yAUad+kxUORiJeL1RAE6zG/ xsAR7PTl2mK1Ae9lqDtKLijn0cnicAYoKiSlta8M0T5Sp79CT3xsfHiBbaWUBCcI gmOW76RUbfOwn2kmhFJ4X5bwSzEhM93pQu7hJCmuwAADc8ezEEFv2lsUm5W8hkmW a8V2nuqM+prbxY8JI3XbKJm5YrmHQpnX4FiBn13DZeUsaukT4Q1EltP1z/XvJto= =jzF5 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa188.patch" Content-Disposition: attachment; filename="xsa188.patch" Content-Transfer-Encoding: base64 ZXZ0Y2huLWZpZm86IHByZXZlbnQgdXNlIGFmdGVyIGZyZWUKCmV2dGNobl9m aWZvX2luaXRfY29udHJvbCgpIGNhbGxzIGV2dGNobl9maWZvX2Rlc3Ryb3ko KSBvbiBhbiBlcnJvcgpwYXRoLCBsZWFkaW5nIHRvIGNsZWFudXBfZXZlbnRf YXJyYXkoKSB3aGljaCBmcmVlcyBkLT5ldnRjaG5fZmlmbwp3aXRob3V0IGFs c28gY2xlYXJpbmcgdGhlIHBvaW50ZXIuIE90b2ggdGhlIGJ1bGsgb2YKZXZ0 Y2huX2ZpZm9faW5pdF9jb250cm9sKCkgaXMgZGVwZW5kZW50IG9uIGQtPmV2 dGNobl9maWZvIGJlaW5nIE5VTEwuCgpUaGlzIGlzIFhTQS0xODguCgpSZXBv cnRlZC1ieTogTWlraGFpbCBWIEdvcm9iZXRzIDxtaWtoYWlsLnYuZ29yb2Jl dHNAaW50ZWwuY29tPgpTdWdnZXN0ZWQtYnk6IE1pa2hhaWwgViBHb3JvYmV0 cyA8bWlraGFpbC52Lmdvcm9iZXRzQGludGVsLmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgoKLS0tIGEveGVu L2NvbW1vbi9ldmVudF9maWZvLmMKKysrIGIveGVuL2NvbW1vbi9ldmVudF9m aWZvLmMKQEAgLTQ4Miw2ICs0ODIsNyBAQCBzdGF0aWMgdm9pZCBjbGVhbnVw X2V2ZW50X2FycmF5KHN0cnVjdCBkCiAgICAgZm9yICggaSA9IDA7IGkgPCBF VlRDSE5fRklGT19NQVhfRVZFTlRfQVJSQVlfUEFHRVM7IGkrKyApCiAgICAg ICAgIHVubWFwX2d1ZXN0X3BhZ2UoZC0+ZXZ0Y2huX2ZpZm8tPmV2ZW50X2Fy cmF5W2ldKTsKICAgICB4ZnJlZShkLT5ldnRjaG5fZmlmbyk7CisgICAgZC0+ ZXZ0Y2huX2ZpZm8gPSBOVUxMOwogfQogCiBzdGF0aWMgdm9pZCBzZXR1cF9w b3J0cyhzdHJ1Y3QgZG9tYWluICpkKQo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Thu Sep 08 12:02:11 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:02:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0z-0008MH-He; Thu, 08 Sep 2016 12:01:09 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0y-0008Ku-25; Thu, 08 Sep 2016 12:01:08 +0000 Received: from [193.109.254.147] by server-9.bemta-6.messagelabs.com id 04/AC-28857-30351D75; Thu, 08 Sep 2016 12:01:07 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOIsWRWlGSWpSXmKPExsWS0XRdVZcp+GK 4wcPl7Ba3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDN+LBwAkvBC9mKZd2tjA2M T6S6GLk4hASOM0o8PniaFcJZxChx48cb9i5GTg5mAVeJG/s2s0HYihIX7jWwgNi8AoISJ2c+A bMlBDQl7rxZBVYvIlAksfPcSzCbTUBPYu7ZSUwQvToSL/evBrI5OIQF4iXWrTaBGGMmceDEL1 YQm0VAVWLet17WCYw8s5BsnoVk8ywkm2cBTWIG2rx+lz6EKS2x/B8HRLW8xPa3c5ghbGuJ9q1 drBC2hcSHO0+YYSZO6X7IvoCRcxWjenFqUVlqka6lXlJRZnpGSW5iZo6uoYGZXm5qcXFiempO YlKxXnJ+7iZGYHAzAMEOxrubAg4xSnIwKYny+hRfCBfiS8pPqcxILM6ILyrNSS0+xCjDwaEkw bs88GK4kGBRanpqRVpmDjDOYNISHDxKIrwiQUBp3uKCxNzizHSI1ClGY44l06+tZeJYdPPxfi Yhlrz8vFQpcd5NIJMEQEozSvPgBsHi/xKjrJQwLyPQaUI8BalFuZklqPKvGMU5GJWEeZtBpvB k5pXA7XsFdAoT0ClCp86DnFKSiJCSamCU0HnlHpi2o2TbkmsupZolX9ym/ltavOqM0dPgqVfy 7my4Lvn4a2GGE0dCqLtQ8CyGM1vmbD5qc/4Jy7rVUfzC3u23ucs2iMzskZ9nInTle1/1C8Ytp T3z+Pe9t1JN2ZJy/S7fwhrD2gMtTw23b0w2Ed71aN21yxESK/j0syf26ISohVknePgrsRRnJB pqMRcVJwIABVq0//oCAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-27.messagelabs.com!1473336065!47920445!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 61146 invoked from network); 8 Sep 2016 12:01:06 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-8.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:01:06 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0n-0003Ln-01; Thu, 08 Sep 2016 12:00:57 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy0m-0000vj-TN; Thu, 08 Sep 2016 12:00:56 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:00:56 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 188 (CVE-2016-7154) - use after free in FIFO event channel code X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7154 / XSA-188 version 3 use after free in FIFO event channel code UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding the non-NULL pointer, continue operation assuming it points to allocated memory. IMPACT ====== A malicious guest administrator can crash the host, leading to a DoS. Arbitrary code execution (and therefore privilege escalation), and information leaks, cannot be excluded. VULNERABLE SYSTEMS ================== Only Xen 4.4 is vulnerable. Xen versions 4.5 and later as well as Xen versions 4.3 and earlier are not vulnerable. MITIGATION ========== There is no mitigation available. CREDITS ======= This issue was discovered by Mikhail Gorobets of Advanced Threat Research, Intel Security. RESOLUTION ========== Applying the attached patch resolves this issue. xsa188.patch Xen 4.4.x $ sha256sum xsa188* 9f374c2e1437ad71369f41275e7b333e7b7691a783ba693ee567c899bd78c722 xsa188.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VLuAAoJEIP+FMlX6CvZNjYH/RVxqYegZpfj0aiT5pai/a0i PgPSoMccGoSSVTXzivXUTZS3fTIqfTpd4SQHu2Q2dUqbb6zcPqd3NzF7Jl9IMwLk JHZwPYXOsZ0D6thFAMYFpjHOWXv7+1Mw7Np82PaA2yAUad+kxUORiJeL1RAE6zG/ xsAR7PTl2mK1Ae9lqDtKLijn0cnicAYoKiSlta8M0T5Sp79CT3xsfHiBbaWUBCcI gmOW76RUbfOwn2kmhFJ4X5bwSzEhM93pQu7hJCmuwAADc8ezEEFv2lsUm5W8hkmW a8V2nuqM+prbxY8JI3XbKJm5YrmHQpnX4FiBn13DZeUsaukT4Q1EltP1z/XvJto= =jzF5 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa188.patch" Content-Disposition: attachment; filename="xsa188.patch" Content-Transfer-Encoding: base64 ZXZ0Y2huLWZpZm86IHByZXZlbnQgdXNlIGFmdGVyIGZyZWUKCmV2dGNobl9m aWZvX2luaXRfY29udHJvbCgpIGNhbGxzIGV2dGNobl9maWZvX2Rlc3Ryb3ko KSBvbiBhbiBlcnJvcgpwYXRoLCBsZWFkaW5nIHRvIGNsZWFudXBfZXZlbnRf YXJyYXkoKSB3aGljaCBmcmVlcyBkLT5ldnRjaG5fZmlmbwp3aXRob3V0IGFs c28gY2xlYXJpbmcgdGhlIHBvaW50ZXIuIE90b2ggdGhlIGJ1bGsgb2YKZXZ0 Y2huX2ZpZm9faW5pdF9jb250cm9sKCkgaXMgZGVwZW5kZW50IG9uIGQtPmV2 dGNobl9maWZvIGJlaW5nIE5VTEwuCgpUaGlzIGlzIFhTQS0xODguCgpSZXBv cnRlZC1ieTogTWlraGFpbCBWIEdvcm9iZXRzIDxtaWtoYWlsLnYuZ29yb2Jl dHNAaW50ZWwuY29tPgpTdWdnZXN0ZWQtYnk6IE1pa2hhaWwgViBHb3JvYmV0 cyA8bWlraGFpbC52Lmdvcm9iZXRzQGludGVsLmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgoKLS0tIGEveGVu L2NvbW1vbi9ldmVudF9maWZvLmMKKysrIGIveGVuL2NvbW1vbi9ldmVudF9m aWZvLmMKQEAgLTQ4Miw2ICs0ODIsNyBAQCBzdGF0aWMgdm9pZCBjbGVhbnVw X2V2ZW50X2FycmF5KHN0cnVjdCBkCiAgICAgZm9yICggaSA9IDA7IGkgPCBF VlRDSE5fRklGT19NQVhfRVZFTlRfQVJSQVlfUEFHRVM7IGkrKyApCiAgICAg ICAgIHVubWFwX2d1ZXN0X3BhZ2UoZC0+ZXZ0Y2huX2ZpZm8tPmV2ZW50X2Fy cmF5W2ldKTsKICAgICB4ZnJlZShkLT5ldnRjaG5fZmlmbyk7CisgICAgZC0+ ZXZ0Y2huX2ZpZm8gPSBOVUxMOwogfQogCiBzdGF0aWMgdm9pZCBzZXR1cF9w b3J0cyhzdHJ1Y3QgZG9tYWluICpkKQo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Thu Sep 08 12:02:11 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:02:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0s-0008Jr-BR; Thu, 08 Sep 2016 12:01:02 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0q-0008JS-Uk; Thu, 08 Sep 2016 12:01:01 +0000 Received: from [85.158.137.68] by server-12.bemta-3.messagelabs.com id 4F/90-09160-CF251D75; Thu, 08 Sep 2016 12:01:00 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOIsWRWlGSWpSXmKPExsWS0XRdVfd30MV wgzmfBCxu3WxltljycTGLxaqrB1gdmD2O7v7NFMAYxZqZl5RfkcCacefUauaCD1oVT8/cYWxg XK3WxcjFISRwnFHix9IdjBDOIkaJtr39zF2MnBzMAq4SN/ZtZoOwFSUu3GtgAbF5BQQlTs58A mZLCGhK3Hmzih3EFhEokth57iWYzSagJzH37CQmiF4diZf7V4PZwgL5EgvmvWCCmGMmcXzGF7 A5LAKqEvP/nmKZwMgzC8nqWUhWz0KyehYjB1BcU2L9Ln0IU1pi+T8OiGp5ie1v5zBD2NYSn74 vZ4QosZB49jsRZuCU7ofsCxg5VzGqF6cWlaUW6ZrrJRVlpmeU5CZm5ugaGhjr5aYWFyemp+Yk JhXrJefnbmIEBjcDEOxgbPzudIhRkoNJSZTXp/hCuBBfUn5KZUZicUZ8UWlOavEhRhkODiUJ3 uWBF8OFBItS01Mr0jJzgHEGk5bg4FES4RUBxpoQb3FBYm5xZjpE6hSjMceS6dfWMnEsuvl4P5 MQS15+XqqUOO8mkEkCIKUZpXlwg2Dxf4lRVkqYlxHoNCGegtSi3MwSVPlXjOIcjErCvPYgC3k y80rg9r0COoUJ6BShU+dBTilJREhJNTDqXinhCZheup/Pbhr3s1dfz6zknCxRMp81Z/Wfwm2G F1f9+yKmd0/6icaJ7dJ5y2Os6mULq/c3Bd/b7TVJuVdgZXPCF3ubW8fP8sUbP3x1e+5m9rm1o beX6D/UOq7sJsEqJxRQs/jcj6ZtlzPmPmfbeWFi+rVQg4QNScUz4/ssmsOZTx/PtytTYinOSD TUYi4qTgQAIxS4BvoCAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-3.tower-31.messagelabs.com!1473336058!59621692!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28652 invoked from network); 8 Sep 2016 12:00:59 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-3.tower-31.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:00:59 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0g-0003LA-Ku; Thu, 08 Sep 2016 12:00:50 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy0g-0000t7-JQ; Thu, 08 Sep 2016 12:00:50 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:00:50 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 185 (CVE-2016-7092) - x86: Disallow L3 recursive pagetable for 32-bit PV guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7092 / XSA-185 version 3 x86: Disallow L3 recursive pagetable for 32-bit PV guests UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. (The L3 entries are cached in processor registers, and don't actually form part of the pagewalk.) When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in the USER and RW bits for L3 updates for the guest to observe architectural behaviour. This is unsafe in combination with recursive pagetables. As there is no way to construct an L3 recursive pagetable in native 32-bit PAE mode, disallow this option in 32-bit PV guests. IMPACT ====== A malicious 32-bit PV guest administrator can escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only 64-bit builds of the hypervisor are vulnerable. For Xen 4.3 and earlier, 32-bit builds of the hypervisor are not vulnerable. The vulnerability is only exposed to 32-bit PV guests on x86 hardware. The vulnerability is not exposed to 64-bit PV guests, x86 HVM guests, or ARM guests. MITIGATION ========== Running only 64-bit PV or HVM guests will avoid this vulnerability. CREDITS ======= This issue was found in parallel by multiple discoverers, who each disclosed it to the Xen Project Security Team. The first report to us was made by Jérémie Boutoille of Quarkslab. The second report, one working day later, by Shangcong Luan of Alibaba Cloud. RESOLUTION ========== Applying the attached patch resolves this issue. xsa185.patch xen-unstable - Xen 4.4 $ sha256sum xsa185* 3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4 xsa185.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VLpAAoJEIP+FMlX6CvZ/koH/0hN8oXOpBPVgsr5d+ylYFBU We948VVN/0uthy9IgI1DBnjM2tjoGgy0w7c7dKWUD3ACTvdIq4hWZywA+6uMIwb5 aneB7hgZZ1i/ie1kAwMl96hdWgPGaXjL1r19WxslgOnr2TkH/9zlAaBvhFkbL+/c cw2lI+AOmhB/VOtNfXYd81qxdSUBUPz2DfiOEjgVx8e8E+q/S5dJO1L41kqRt1bM ENG8NtaxBrXAtZzilxOPVPmQmvSSegTjZMshGhx29wIgUy4R/HnsoYW7OklZQDhU 6DV7WUSlrUU5vlIhwQVIZidXpyhzLBLnR5GS0R4CKcYSb6pRQ8FO3TG81TmO/6Q= =NDX0 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa185.patch" Content-Disposition: attachment; filename="xsa185.patch" Content-Transfer-Encoding: base64 RnJvbSAzMGFiYTQ5OTJiMTgyNDVjNDM2ZjE2ZGY3MzI2YTE2YzAxYTUxNTcw IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+CkRhdGU6IE1vbiwgOCBBdWcgMjAxNiAxMDo1 ODoxMiArMDEwMApTdWJqZWN0OiB4ODYvMzJvbjY0OiBkb24ndCBhbGxvdyBy ZWN1cnNpdmUgcGFnZSB0YWJsZXMgZnJvbSBMMwoKTDMgZW50cmllcyBhcmUg c3BlY2lhbCBpbiBQQUUgbW9kZSwgYW5kIGhlbmNlIGNhbid0IHJlYXNvbmFi bHkgYmUgdXNlZApmb3Igc2V0dGluZyB1cCByZWN1cnNpdmUgKGFuZCBoZW5j ZSBsaW5lYXIpIHBhZ2UgdGFibGUgbWFwcGluZ3MuIFNpbmNlCmFidXNlIGlz IHBvc3NpYmxlIHdoZW4gdGhlIGd1ZXN0IGluIGZhY3QgZ2V0cyBydW4gb24g NC1sZXZlbCBwYWdlCnRhYmxlcywgdGhpcyBuZWVkcyB0byBiZSBleGNsdWRl ZCBleHBsaWNpdGx5LgoKVGhpcyBpcyBYU0EtMTg1LgoKUmVwb3J0ZWQtYnk6 IErDqXLDqW1pZSBCb3V0b2lsbGUgPGpib3V0b2lsbGVAZXh0LnF1YXJrc2xh Yi5jb20+ClJlcG9ydGVkLWJ5OiDmoL7lsJrogaoo5aW96aOOKSA8c2hhbmdj b25nLmxzY0BhbGliYWJhLWluYy5jb20+ClNpZ25lZC1vZmYtYnk6IEphbiBC ZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFuZHJl dyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+Ci0tLQogeGVu L2FyY2gveDg2L21tLmMgfCA0ICsrKy0KIDEgZmlsZSBjaGFuZ2VkLCAzIGlu c2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkKCmRpZmYgLS1naXQgYS94ZW4v YXJjaC94ODYvbW0uYyBiL3hlbi9hcmNoL3g4Ni9tbS5jCmluZGV4IDEwOWI4 YmUuLjY5YjhiOGQgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS5jCisr KyBiL3hlbi9hcmNoL3g4Ni9tbS5jCkBAIC0xMTIyLDcgKzExMjIsOSBAQCBn ZXRfcGFnZV9mcm9tX2wzZSgKIAogICAgIHJjID0gZ2V0X3BhZ2VfYW5kX3R5 cGVfZnJvbV9wYWdlbnIoCiAgICAgICAgIGwzZV9nZXRfcGZuKGwzZSksIFBH VF9sMl9wYWdlX3RhYmxlLCBkLCBwYXJ0aWFsLCAxKTsKLSAgICBpZiAoIHVu bGlrZWx5KHJjID09IC1FSU5WQUwpICYmIGdldF9sM19saW5lYXJfcGFnZXRh YmxlKGwzZSwgcGZuLCBkKSApCisgICAgaWYgKCB1bmxpa2VseShyYyA9PSAt RUlOVkFMKSAmJgorICAgICAgICAgIWlzX3B2XzMyYml0X2RvbWFpbihkKSAm JgorICAgICAgICAgZ2V0X2wzX2xpbmVhcl9wYWdldGFibGUobDNlLCBwZm4s IGQpICkKICAgICAgICAgcmMgPSAwOwogCiAgICAgcmV0dXJuIHJjOwotLSAK Mi4xLjQKCg== --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Thu Sep 08 12:02:11 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:02:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0z-0008M0-8Y; Thu, 08 Sep 2016 12:01:09 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0x-0008Kr-Ty; Thu, 08 Sep 2016 12:01:08 +0000 Received: from [193.109.254.147] by server-10.bemta-6.messagelabs.com id 4B/CC-27438-30351D75; Thu, 08 Sep 2016 12:01:07 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrEKsWRWlGSWpSXmKPExsWS0XRdVZch+GK 4wdteG4tbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBm7Dj3mKlgQlXFzgktLA2M h4u7GDk5hASOM0q8XKLUxcgFZC9ilDjdMoERJMEs4CpxY99mNghbUeLCvQYWEJtXQFDi5MwnY LaEgKbEnTer2EFsEYEiiZ3nXoLZbAJ6EnPPTmKC6NWReLl/NZgtLFAp8ejrOXaIOWYSza3bWE FsFgFViRPHW1kmMPLMQrJ6FpLVs5CsnsXIARTXlFi/Sx/ClJZY/o8DolpeYvvbOcwQdpnE/eU tTBB2scSXz68YYSZO6X7IDlOz6/pnNpia/YfusGKqqZC4N7sNak6pRM/ebczY1Nz8+p8R4pxS ia0vdJGVLGAUWsWoXpxaVJZapGupl1SUmZ5RkpuYmaNraGCml5taXJyYnpqTmFSsl5yfu4kRG LMMQLCD8e6mgEOMkhxMSqK8PsUXwoX4kvJTKjMSizPii0pzUosPMcpwcChJ8C4PvBguJFiUmp 5akZaZA0weMGkJDh4lEV6RIKA0b3FBYm5xZjpE6hSjMceS6dfWMnEsuvl4P5MQS15+XqqUOO8 mkEkCIKUZpXlwg2BJ7RKjrJQwLyPQaUI8BalFuZklqPKvGMU5GJWEeZtBpvBk5pXA7XsFdAoT 0ClCp86DnFKSiJCSamBkZc+t3x7Y3xzfZn8w0+px1ZyeBV4BHDNj9NmPcnyfzOp9xMWk5sxjf 9sDur9r77VZ32k4G9666GlXo0fsyT+CvyJW/THdznx4jc2EOw++f22fuz7mK+NxFW0etyw75X vLs5h52fPCzssk66q/4Aw9n2w9faPyp7x/+zampEicOvr8yRHvh8pKLMUZiYZazEXFiQAVBzd tZQMAAA== X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-27.messagelabs.com!1473336063!47920432!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 60746 invoked from network); 8 Sep 2016 12:01:04 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-8.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:01:04 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0k-0003LW-JF; Thu, 08 Sep 2016 12:00:54 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy0k-0000uT-IV; Thu, 08 Sep 2016 12:00:54 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:00:54 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 186 (CVE-2016-7093) - x86: Mishandling of instruction pointer truncation during emulation X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7093 / XSA-186 version 4 x86: Mishandling of instruction pointer truncation during emulation UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite hypervisor memory. It is currently believed that the only way to trigger this bug is to use the way that Xen currently incorrectly wraps CS:IP in 16 bit modes. The included patch prevents such wrapping. IMPACT ====== A malicious HVM guest administrator can escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== Xen versions 4.7.0 and later are vulnerable. Xen releases 4.6.3 and 4.5.3 are vulnerable. Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable. Xen releases 4.5.2 and earlier are NOT vulnerable. The vulnerability is only exposed to HVM guests on x86 hardware. The vulnerability is not exposed to x86 PV guests, or ARM guests. MITIGATION ========== Running only PV guests will avoid this vulnerability. CREDITS ======= This issue was discovered by Brian Marcotte. RESOLUTION ========== Applying the first patch will resolve the issue. Users wishing to independently verify the correctness of the fix may find the second patch helpful. The second patch makes it easier to use the "fep" (Force Emulation Prefix) feature to reproduce the erroneous condition in a test environment. The "fep" feature requires explicit enablement on the hypervisor command line, and is unsuitable for production systems. Accordingly, applying the second patch does not affect production systems and does not improve security. Xen version First patch Second patch xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch Xen 4.7.x: xsa186-0001-*.patch xsa186-4.7-0002-*.patch Xen 4.6.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch Xen 4.5.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch $ sha256sum xsa186* f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch 412fa58edcbd1c7fdbfec7e28898cf98585593e6a24ccfb088dc0b84715286a5 xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch 7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch 5a826a32763d82ac83c924f8c89d12aae5f069a4cbc7d5193aa8413a02b6dc05 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VLsAAoJEIP+FMlX6CvZoUoIAMvgdMZRYdK5MaaRUAA1hDG3 UFSxZCH8zja6wZG6WPNj7VqvEkQ2350oqb05BGB8jTFCmqtNDDIyHK68WaMpwDMv EEeetosujnlHTtVV7N8e0HO7F497PzZtzfniTyZc/h2Lna552ohMy/UcADtA7xxP IK6qwvxpkx1aLzsDFpHIdrVcttDD/oZcVbBFwcCAqK33eGNC3S6BJvIibCAKfO8h YKiAtvWUNsX/o4L9Zs4M50/pK3TzWsaDjfK3IX5LJPtsrcrKklrALVnDUOpTz1WA 07UIk0BcrzicEuTvuATWSQ3nVxUXAH95io23PCniHHntBtYJHjGA5rIqX+tiN6w= =HT+K -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch" Content-Disposition: attachment; filename="xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch" Content-Transfer-Encoding: base64 RnJvbSBlOTM4YmUwMTNiYTczZmYwOGZhNGYxZDg2NzA1MDFhYWNlZmRlN2Zi IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDIyIEp1 bCAyMDE2IDE2OjAyOjU0ICswMDAwClN1YmplY3Q6IFtQQVRDSCAxLzJdIHg4 Ni9lbXVsYXRlOiBDb3JyZWN0IGJvdW5kYXJ5IGludGVyYWN0aW9ucyBvZiBl bXVsYXRlZAogaW5zdHJ1Y3Rpb25zCgpUaGlzIHJldmVydHMgbW9zdCBvZiBj L3MgMDY0MGZmYjYgIng4NmVtdWw6IGZpeCBySVAgaGFuZGxpbmciLgoKRXhw ZXJpbWVudGFsbHksIGluIGxvbmcgbW9kZSBwcm9jZXNzb3JzIHdpbGwgZXhl Y3V0ZSBhbiBpbnN0cnVjdGlvbiBzdHJlYW0Kd2hpY2ggY3Jvc3NlcyB0aGUg NjRiaXQgLTEgLT4gMCB2aXJ0dWFsIGJvdW5kYXJ5LCB3aGV0aGVyIHRoZSBp bnN0cnVjdGlvbgpib3VuZGFyeSBpcyBhbGlnbmVkIG9uIHRoZSB2aXJ0dWFs IGJvdW5kYXJ5LCBvciBpcyBtaXNhbGlnbmVkLgoKSW4gY29tcGF0aWJpbGl0 eSBtb2RlLCBJbnRlbCBwcm9jZXNzb3JzIHdpbGwgZXhlY3V0ZSBhbiBpbnN0 cnVjdGlvbiBzdHJlYW0Kd2hpY2ggY3Jvc3NlcyB0aGUgMzJiaXQgLTEgLT4g MCB2aXJ0dWFsIGJvdW5kYXJ5LCB3aGlsZSBBTUQgcHJvY2Vzc29ycyByYWlz ZSBhCnNlZ21lbnRhdGlvbiBmYXVsdC4gIFhlbidzIHNlZ21lbnRhdGlvbiBi ZWhhdmlvdXIgbWF0Y2hlcyBBTUQuCgpGb3IgMTZiaXQgY29kZSwgaGFyZHdh cmUgZG9lcyBub3QgZXZlciB0cnVuY2F0ZWQgJWlwLiAgJWVpcCBpcyBhbHdh eXMgdXNlZCBhbmQKYmVoYXZlcyBub3JtYWxseSBhcyBhIDMyYml0IHJlZ2lz dGVyLCBpbmNsdWRpbmcgaW4gMTZiaXQgcHJvdGVjdGVkIG1vZGUKc2VnbWVu dHMsIGFzIHdlbGwgYXMgaW4gUmVhbCBhbmQgVW5yZWFsIG1vZGUuCgpUaGlz IGlzIFhTQS0xODYKClJlcG9ydGVkLWJ5OiBCcmlhbiBNYXJjb3R0ZSA8bWFy Y290dGVAcGFuaXguY29tPgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpSZXZpZXdlZC1ieTogSmFu IEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgotLS0KIHhlbi9hcmNoL3g4 Ni94ODZfZW11bGF0ZS94ODZfZW11bGF0ZS5jIHwgMjIgKysrKy0tLS0tLS0t LS0tLS0tLS0tLQogMSBmaWxlIGNoYW5nZWQsIDQgaW5zZXJ0aW9ucygrKSwg MTggZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L3g4 Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMgYi94ZW4vYXJjaC94ODYveDg2X2Vt dWxhdGUveDg2X2VtdWxhdGUuYwppbmRleCBkNWE1NmNmLi5iZjM1MjlhIDEw MDY0NAotLS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxh dGUuYworKysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxh dGUuYwpAQCAtMTU3MCwxMCArMTU3MCw2IEBAIHg4Nl9lbXVsYXRlKAogI2Vu ZGlmCiAgICAgfQogCi0gICAgLyogVHJ1bmNhdGUgcklQIHRvIGRlZl9hZF9i eXRlcyAoMiBvciA0KSBpZiBuZWNlc3NhcnkuICovCi0gICAgaWYgKCBkZWZf YWRfYnl0ZXMgPCBzaXplb2YoX3JlZ3MuZWlwKSApCi0gICAgICAgIF9yZWdz LmVpcCAmPSAoMVVMIDw8IChkZWZfYWRfYnl0ZXMgKiA4KSkgLSAxOwotCiAg ICAgLyogUHJlZml4IGJ5dGVzLiAqLwogICAgIGZvciAoIDsgOyApCiAgICAg ewpAQCAtMzkwNiwyMSArMzkwMiwxMSBAQCB4ODZfZW11bGF0ZSgKIAogICAg IC8qIENvbW1pdCBzaGFkb3cgcmVnaXN0ZXIgc3RhdGUuICovCiAgICAgX3Jl Z3MuZWZsYWdzICY9IH5FRkxHX1JGOwotICAgIHN3aXRjaCAoIF9fYnVpbHRp bl9leHBlY3QoZGVmX2FkX2J5dGVzLCBzaXplb2YoX3JlZ3MuZWlwKSkgKQot ICAgIHsKLSAgICAgICAgdWludDE2X3QgaXA7CiAKLSAgICBjYXNlIDI6Ci0g ICAgICAgIGlwID0gX3JlZ3MuZWlwOwotICAgICAgICBfcmVncy5laXAgPSBj dHh0LT5yZWdzLT5laXA7Ci0gICAgICAgICoodWludDE2X3QgKikmX3JlZ3Mu ZWlwID0gaXA7Ci0gICAgICAgIGJyZWFrOwotI2lmZGVmIF9feDg2XzY0X18K LSAgICBjYXNlIDQ6Ci0gICAgICAgIF9yZWdzLnJpcCA9IF9yZWdzLl9laXA7 Ci0gICAgICAgIGJyZWFrOwotI2VuZGlmCi0gICAgfQorICAgIC8qIFplcm8g dGhlIHVwcGVyIDMyIGJpdHMgb2YgJXJpcCBpZiBub3QgaW4gbG9uZyBtb2Rl LiAqLworICAgIGlmICggZGVmX2FkX2J5dGVzIDwgc2l6ZW9mKF9yZWdzLmVp cCkgKQorICAgICAgICBfcmVncy5laXAgPSAodWludDMyX3QpX3JlZ3MuZWlw OworCiAgICAgKmN0eHQtPnJlZ3MgPSBfcmVnczsKIAogIGRvbmU6Ci0tIAoy LjEuNAoK --=separator Content-Type: application/octet-stream; name="xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch" Content-Disposition: attachment; filename="xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch" Content-Transfer-Encoding: base64 RnJvbSA0M2VlZWQzYThkYTQ2ZThmZDNhOTZhM2IwOTA5N2VjOTJkODM1ODQx IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDEyIEF1 ZyAyMDE2IDE0OjM1OjI4ICswMTAwClN1YmplY3Q6IFtQQVRDSCAyLzJdIGh2 bS9mZXA6IEFsbG93IHRlc3Rpbmcgb2YgaW5zdHJ1Y3Rpb25zIGNyb3NzaW5n IHRoZSAtMSAtPgogMCB2aXJ0dWFsIGJvdW5kYXJ5CgpUaGUgRm9yY2UgRW11 bGF0aW9uIFByZWZpeCBpcyBuYW1lZCB0byBmb2xsb3cgaXRzIFBWIGNvdW50 ZXJwYXJ0IGZvciBjcHVpZCBvcgpyZHRzYywgYnV0IGlzbid0IHJlYWxseSBh biBpbnN0cnVjdGlvbiBwcmVmaXguICBJdCBiZWhhdmVzIGFzIGEgYnJlYWst b3V0IGludG8KWGVuLCB3aXRoIHRoZSBwdXJwb3NlIG9mIGVtdWxhdGluZyB0 aGUgbmV4dCBpbnN0cnVjdGlvbiBpbiB0aGUgY3VycmVudCBzdGF0ZS4KCkl0 IGlzIGltcG9ydGFudCB0byBiZSBhYmxlIHRvIHRlc3QgbGVnYWwgc2l0dWF0 aW9ucyB3aGljaCBvY2N1ciBpbiByZWFsCmhhcmR3YXJlLCBpbmNsdWRpbmcg aW5zdHJ1Y3Rpb24gd2hpY2ggY3Jvc3MgY2VydGFpbiBib3VuZGFyaWVzLCBh bmQKaW5zdHJ1Y3Rpb25zIHN0YXJ0aW5nIGF0IDAuCgpSZXBvcnRlZC1ieTog QnJpYW4gTWFyY290dGUgPG1hcmNvdHRlQHBhbml4LmNvbT4KU2lnbmVkLW9m Zi1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNv bT4KLS0tCiB4ZW4vYXJjaC94ODYvaHZtL2h2bS5jIHwgMTQgKysrKysrLS0t LS0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA2IGluc2VydGlvbnMoKyksIDggZGVs ZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2h2bS9odm0u YyBiL3hlbi9hcmNoL3g4Ni9odm0vaHZtLmMKaW5kZXggODkzZWZmNi4uZWFi N2NjOSAxMDA2NDQKLS0tIGEveGVuL2FyY2gveDg2L2h2bS9odm0uYworKysg Yi94ZW4vYXJjaC94ODYvaHZtL2h2bS5jCkBAIC0zOTAwLDE1ICszOTAwLDgg QEAgdm9pZCBodm1fdWRfaW50ZXJjZXB0KHN0cnVjdCBjcHVfdXNlcl9yZWdz ICpyZWdzKQogICAgICAgICB1bnNpZ25lZCBsb25nIGFkZHI7CiAgICAgICAg IGNoYXIgc2lnWzVdOyAvKiB1ZDI7IC5hc2NpaSAieGVuIiAqLwogCi0gICAg ICAgIC8qCi0gICAgICAgICAqIE5vdGUgdGhhdCBpbiB0aGUgY2FsbCBiZWxv dyB3ZSBwYXNzIDEgbW9yZSB0aGFuIHRoZSBzaWduYXR1cmUKLSAgICAgICAg ICogc2l6ZSwgdG8gZ3VhcmQgYWdhaW5zdCB0aGUgb3ZlcmFsbCBjb2RlIHNl cXVlbmNlIHdyYXBwaW5nIGJldHdlZW4KLSAgICAgICAgICogInByZWZpeCIg YW5kIGFjdHVhbCBpbnN0cnVjdGlvbi4gVGhlcmUncyBuZWNlc3NhcmlseSBh dCBsZWFzdCBvbmUKLSAgICAgICAgICogYWN0dWFsIGluc3RydWN0aW9uIGJ5 dGUgcmVxdWlyZWQsIHNvIHRoaXMgd29uJ3QgY2F1c2UgZmFpbHVyZSBvbgot ICAgICAgICAgKiBsZWdpdGltYXRlIHVzZXMuCi0gICAgICAgICAqLwogICAg ICAgICBpZiAoIGh2bV92aXJ0dWFsX3RvX2xpbmVhcl9hZGRyKHg4Nl9zZWdf Y3MsIGNzLCByZWdzLT5laXAsCi0gICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgc2l6ZW9mKHNpZykgKyAxLCBodm1fYWNjZXNzX2lu c25fZmV0Y2gsCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgc2l6ZW9mKHNpZyksIGh2bV9hY2Nlc3NfaW5zbl9mZXRjaCwKICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAoaHZtX2xv bmdfbW9kZV9lbmFibGVkKGN1cikgJiYKICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgY3MtPmF0dHIuZmllbGRzLmwpID8gNjQg OgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNz LT5hdHRyLmZpZWxkcy5kYiA/IDMyIDogMTYsICZhZGRyKSAmJgpAQCAtMzkx OCw2ICszOTExLDExIEBAIHZvaWQgaHZtX3VkX2ludGVyY2VwdChzdHJ1Y3Qg Y3B1X3VzZXJfcmVncyAqcmVncykKICAgICAgICAgewogICAgICAgICAgICAg cmVncy0+ZWlwICs9IHNpemVvZihzaWcpOwogICAgICAgICAgICAgcmVncy0+ ZWZsYWdzICY9IH5YODZfRUZMQUdTX1JGOworCisgICAgICAgICAgICAvKiBa ZXJvIHRoZSB1cHBlciAzMiBiaXRzIG9mICVyaXAgaWYgbm90IGluIGxvbmcg bW9kZS4gKi8KKyAgICAgICAgICAgIGlmICggIShodm1fbG9uZ19tb2RlX2Vu YWJsZWQoY3VyKSAmJiBjcy0+YXR0ci5maWVsZHMubCkgKQorICAgICAgICAg ICAgICAgIHJlZ3MtPmVpcCA9IHJlZ3MtPl9laXA7CisKICAgICAgICAgICAg IGFkZF90YWludChUQUlOVF9IVk1fRkVQKTsKICAgICAgICAgfQogICAgIH0K LS0gCjIuMS40Cgo= --=separator Content-Type: application/octet-stream; name="xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Disposition: attachment; filename="xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogaHZtL2ZlcDogQWxsb3cgdGVzdGluZyBvZiBpbnN0cnVj dGlvbnMgY3Jvc3NpbmcgdGhlIC0xIC0+IDAgdmlydHVhbCBib3VuZGFyeQoK VGhlIEZvcmNlIEVtdWxhdGlvbiBQcmVmaXggaXMgbmFtZWQgdG8gZm9sbG93 IGl0cyBQViBjb3VudGVycGFydCBmb3IgY3B1aWQgb3IKcmR0c2MsIGJ1dCBp c24ndCByZWFsbHkgYW4gaW5zdHJ1Y3Rpb24gcHJlZml4LiAgSXQgYmVoYXZl cyBhcyBhIGJyZWFrLW91dCBpbnRvClhlbiwgd2l0aCB0aGUgcHVycG9zZSBv ZiBlbXVsYXRpbmcgdGhlIG5leHQgaW5zdHJ1Y3Rpb24gaW4gdGhlIGN1cnJl bnQgc3RhdGUuCgpJdCBpcyBpbXBvcnRhbnQgdG8gYmUgYWJsZSB0byB0ZXN0 IGxlZ2FsIHNpdHVhdGlvbnMgd2hpY2ggb2NjdXIgaW4gcmVhbApoYXJkd2Fy ZSwgaW5jbHVkaW5nIGluc3RydWN0aW9uIHdoaWNoIGNyb3NzIGNlcnRhaW4g Ym91bmRhcmllcywgYW5kCmluc3RydWN0aW9ucyBzdGFydGluZyBhdCAwLgoK UmVwb3J0ZWQtYnk6IEJyaWFuIE1hcmNvdHRlIDxtYXJjb3R0ZUBwYW5peC5j b20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29w ZXIzQGNpdHJpeC5jb20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvaHZtL3N2bS9z dm0uYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm0uYwpAQCAtMjEz OSw2ICsyMTM5LDEwIEBAIHN0YXRpYyB2b2lkIHN2bV92bWV4aXRfdWRfaW50 ZXJjZXB0KHN0cnUKICAgICAgICAgewogICAgICAgICAgICAgcmVncy0+ZWlw ICs9IHNpemVvZihzaWcpOwogICAgICAgICAgICAgcmVncy0+ZWZsYWdzICY9 IH5YODZfRUZMQUdTX1JGOworCisgICAgICAgICAgICAvKiBaZXJvIHRoZSB1 cHBlciAzMiBiaXRzIG9mICVyaXAgaWYgbm90IGluIGxvbmcgbW9kZS4gKi8K KyAgICAgICAgICAgIGlmICggc3ZtX2d1ZXN0X3g4Nl9tb2RlKGN1cnJlbnQp ICE9IDggKQorICAgICAgICAgICAgICAgIHJlZ3MtPmVpcCA9IHJlZ3MtPl9l aXA7CiAgICAgICAgIH0KICAgICB9CiAKLS0tIGEveGVuL2FyY2gveDg2L2h2 bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMK QEAgLTI3NTcsNiArMjc1NywxMCBAQCBzdGF0aWMgdm9pZCB2bXhfdm1leGl0 X3VkX2ludGVyY2VwdChzdHJ1CiAgICAgICAgIHsKICAgICAgICAgICAgIHJl Z3MtPmVpcCArPSBzaXplb2Yoc2lnKTsKICAgICAgICAgICAgIHJlZ3MtPmVm bGFncyAmPSB+WDg2X0VGTEFHU19SRjsKKworICAgICAgICAgICAgLyogWmVy byB0aGUgdXBwZXIgMzIgYml0cyBvZiAlcmlwIGlmIG5vdCBpbiBsb25nIG1v ZGUuICovCisgICAgICAgICAgICBpZiAoIHZteF9ndWVzdF94ODZfbW9kZShj dXJyZW50KSAhPSA4ICkKKyAgICAgICAgICAgICAgICByZWdzLT5laXAgPSBy ZWdzLT5fZWlwOwogICAgICAgICB9CiAgICAgfQogCg== --=separator Content-Type: application/octet-stream; name="xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Disposition: attachment; filename="xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogaHZtL2ZlcDogQWxsb3cgdGVzdGluZyBvZiBpbnN0cnVj dGlvbnMgY3Jvc3NpbmcgdGhlIC0xIC0+IDAgdmlydHVhbCBib3VuZGFyeQoK VGhlIEZvcmNlIEVtdWxhdGlvbiBQcmVmaXggaXMgbmFtZWQgdG8gZm9sbG93 IGl0cyBQViBjb3VudGVycGFydCBmb3IgY3B1aWQgb3IKcmR0c2MsIGJ1dCBp c24ndCByZWFsbHkgYW4gaW5zdHJ1Y3Rpb24gcHJlZml4LiAgSXQgYmVoYXZl cyBhcyBhIGJyZWFrLW91dCBpbnRvClhlbiwgd2l0aCB0aGUgcHVycG9zZSBv ZiBlbXVsYXRpbmcgdGhlIG5leHQgaW5zdHJ1Y3Rpb24gaW4gdGhlIGN1cnJl bnQgc3RhdGUuCgpJdCBpcyBpbXBvcnRhbnQgdG8gYmUgYWJsZSB0byB0ZXN0 IGxlZ2FsIHNpdHVhdGlvbnMgd2hpY2ggb2NjdXIgaW4gcmVhbApoYXJkd2Fy ZSwgaW5jbHVkaW5nIGluc3RydWN0aW9uIHdoaWNoIGNyb3NzIGNlcnRhaW4g Ym91bmRhcmllcywgYW5kCmluc3RydWN0aW9ucyBzdGFydGluZyBhdCAwLgoK UmVwb3J0ZWQtYnk6IEJyaWFuIE1hcmNvdHRlIDxtYXJjb3R0ZUBwYW5peC5j b20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29w ZXIzQGNpdHJpeC5jb20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5j CisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vaHZtLmMKQEAgLTM5MDUsNiArMzkw NSwxMCBAQCB2b2lkIGh2bV91ZF9pbnRlcmNlcHQoc3RydWN0IGNwdV91c2Vy X3JlCiAgICAgICAgIHsKICAgICAgICAgICAgIHJlZ3MtPmVpcCArPSBzaXpl b2Yoc2lnKTsKICAgICAgICAgICAgIHJlZ3MtPmVmbGFncyAmPSB+WDg2X0VG TEFHU19SRjsKKworICAgICAgICAgICAgLyogWmVybyB0aGUgdXBwZXIgMzIg Yml0cyBvZiAlcmlwIGlmIG5vdCBpbiBsb25nIG1vZGUuICovCisgICAgICAg ICAgICBpZiAoICEoaHZtX2xvbmdfbW9kZV9lbmFibGVkKGN1cikgJiYgY3Mu YXR0ci5maWVsZHMubCkgKQorICAgICAgICAgICAgICAgIHJlZ3MtPmVpcCA9 IHJlZ3MtPl9laXA7CiAgICAgICAgIH0KICAgICB9CiAK --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Thu Sep 08 12:02:11 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:02:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0s-0008Jr-BR; Thu, 08 Sep 2016 12:01:02 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0q-0008JS-Uk; Thu, 08 Sep 2016 12:01:01 +0000 Received: from [85.158.137.68] by server-12.bemta-3.messagelabs.com id 4F/90-09160-CF251D75; Thu, 08 Sep 2016 12:01:00 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOIsWRWlGSWpSXmKPExsWS0XRdVfd30MV wgzmfBCxu3WxltljycTGLxaqrB1gdmD2O7v7NFMAYxZqZl5RfkcCacefUauaCD1oVT8/cYWxg XK3WxcjFISRwnFHix9IdjBDOIkaJtr39zF2MnBzMAq4SN/ZtZoOwFSUu3GtgAbF5BQQlTs58A mZLCGhK3Hmzih3EFhEokth57iWYzSagJzH37CQmiF4diZf7V4PZwgL5EgvmvWCCmGMmcXzGF7 A5LAKqEvP/nmKZwMgzC8nqWUhWz0KyehYjB1BcU2L9Ln0IU1pi+T8OiGp5ie1v5zBD2NYSn74 vZ4QosZB49jsRZuCU7ofsCxg5VzGqF6cWlaUW6ZrrJRVlpmeU5CZm5ugaGhjr5aYWFyemp+Yk JhXrJefnbmIEBjcDEOxgbPzudIhRkoNJSZTXp/hCuBBfUn5KZUZicUZ8UWlOavEhRhkODiUJ3 uWBF8OFBItS01Mr0jJzgHEGk5bg4FES4RUBxpoQb3FBYm5xZjpE6hSjMceS6dfWMnEsuvl4P5 MQS15+XqqUOO8mkEkCIKUZpXlwg2Dxf4lRVkqYlxHoNCGegtSi3MwSVPlXjOIcjErCvPYgC3k y80rg9r0COoUJ6BShU+dBTilJREhJNTDqXinhCZheup/Pbhr3s1dfz6zknCxRMp81Z/Wfwm2G F1f9+yKmd0/6icaJ7dJ5y2Os6mULq/c3Bd/b7TVJuVdgZXPCF3ubW8fP8sUbP3x1e+5m9rm1o beX6D/UOq7sJsEqJxRQs/jcj6ZtlzPmPmfbeWFi+rVQg4QNScUz4/ssmsOZTx/PtytTYinOSD TUYi4qTgQAIxS4BvoCAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-3.tower-31.messagelabs.com!1473336058!59621692!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28652 invoked from network); 8 Sep 2016 12:00:59 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-3.tower-31.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:00:59 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0g-0003LA-Ku; Thu, 08 Sep 2016 12:00:50 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy0g-0000t7-JQ; Thu, 08 Sep 2016 12:00:50 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:00:50 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 185 (CVE-2016-7092) - x86: Disallow L3 recursive pagetable for 32-bit PV guests X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7092 / XSA-185 version 3 x86: Disallow L3 recursive pagetable for 32-bit PV guests UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. (The L3 entries are cached in processor registers, and don't actually form part of the pagewalk.) When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in the USER and RW bits for L3 updates for the guest to observe architectural behaviour. This is unsafe in combination with recursive pagetables. As there is no way to construct an L3 recursive pagetable in native 32-bit PAE mode, disallow this option in 32-bit PV guests. IMPACT ====== A malicious 32-bit PV guest administrator can escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only 64-bit builds of the hypervisor are vulnerable. For Xen 4.3 and earlier, 32-bit builds of the hypervisor are not vulnerable. The vulnerability is only exposed to 32-bit PV guests on x86 hardware. The vulnerability is not exposed to 64-bit PV guests, x86 HVM guests, or ARM guests. MITIGATION ========== Running only 64-bit PV or HVM guests will avoid this vulnerability. CREDITS ======= This issue was found in parallel by multiple discoverers, who each disclosed it to the Xen Project Security Team. The first report to us was made by Jérémie Boutoille of Quarkslab. The second report, one working day later, by Shangcong Luan of Alibaba Cloud. RESOLUTION ========== Applying the attached patch resolves this issue. xsa185.patch xen-unstable - Xen 4.4 $ sha256sum xsa185* 3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4 xsa185.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VLpAAoJEIP+FMlX6CvZ/koH/0hN8oXOpBPVgsr5d+ylYFBU We948VVN/0uthy9IgI1DBnjM2tjoGgy0w7c7dKWUD3ACTvdIq4hWZywA+6uMIwb5 aneB7hgZZ1i/ie1kAwMl96hdWgPGaXjL1r19WxslgOnr2TkH/9zlAaBvhFkbL+/c cw2lI+AOmhB/VOtNfXYd81qxdSUBUPz2DfiOEjgVx8e8E+q/S5dJO1L41kqRt1bM ENG8NtaxBrXAtZzilxOPVPmQmvSSegTjZMshGhx29wIgUy4R/HnsoYW7OklZQDhU 6DV7WUSlrUU5vlIhwQVIZidXpyhzLBLnR5GS0R4CKcYSb6pRQ8FO3TG81TmO/6Q= =NDX0 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa185.patch" Content-Disposition: attachment; filename="xsa185.patch" Content-Transfer-Encoding: base64 RnJvbSAzMGFiYTQ5OTJiMTgyNDVjNDM2ZjE2ZGY3MzI2YTE2YzAxYTUxNTcw IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+CkRhdGU6IE1vbiwgOCBBdWcgMjAxNiAxMDo1 ODoxMiArMDEwMApTdWJqZWN0OiB4ODYvMzJvbjY0OiBkb24ndCBhbGxvdyBy ZWN1cnNpdmUgcGFnZSB0YWJsZXMgZnJvbSBMMwoKTDMgZW50cmllcyBhcmUg c3BlY2lhbCBpbiBQQUUgbW9kZSwgYW5kIGhlbmNlIGNhbid0IHJlYXNvbmFi bHkgYmUgdXNlZApmb3Igc2V0dGluZyB1cCByZWN1cnNpdmUgKGFuZCBoZW5j ZSBsaW5lYXIpIHBhZ2UgdGFibGUgbWFwcGluZ3MuIFNpbmNlCmFidXNlIGlz IHBvc3NpYmxlIHdoZW4gdGhlIGd1ZXN0IGluIGZhY3QgZ2V0cyBydW4gb24g NC1sZXZlbCBwYWdlCnRhYmxlcywgdGhpcyBuZWVkcyB0byBiZSBleGNsdWRl ZCBleHBsaWNpdGx5LgoKVGhpcyBpcyBYU0EtMTg1LgoKUmVwb3J0ZWQtYnk6 IErDqXLDqW1pZSBCb3V0b2lsbGUgPGpib3V0b2lsbGVAZXh0LnF1YXJrc2xh Yi5jb20+ClJlcG9ydGVkLWJ5OiDmoL7lsJrogaoo5aW96aOOKSA8c2hhbmdj b25nLmxzY0BhbGliYWJhLWluYy5jb20+ClNpZ25lZC1vZmYtYnk6IEphbiBC ZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KUmV2aWV3ZWQtYnk6IEFuZHJl dyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+Ci0tLQogeGVu L2FyY2gveDg2L21tLmMgfCA0ICsrKy0KIDEgZmlsZSBjaGFuZ2VkLCAzIGlu c2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkKCmRpZmYgLS1naXQgYS94ZW4v YXJjaC94ODYvbW0uYyBiL3hlbi9hcmNoL3g4Ni9tbS5jCmluZGV4IDEwOWI4 YmUuLjY5YjhiOGQgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS5jCisr KyBiL3hlbi9hcmNoL3g4Ni9tbS5jCkBAIC0xMTIyLDcgKzExMjIsOSBAQCBn ZXRfcGFnZV9mcm9tX2wzZSgKIAogICAgIHJjID0gZ2V0X3BhZ2VfYW5kX3R5 cGVfZnJvbV9wYWdlbnIoCiAgICAgICAgIGwzZV9nZXRfcGZuKGwzZSksIFBH VF9sMl9wYWdlX3RhYmxlLCBkLCBwYXJ0aWFsLCAxKTsKLSAgICBpZiAoIHVu bGlrZWx5KHJjID09IC1FSU5WQUwpICYmIGdldF9sM19saW5lYXJfcGFnZXRh YmxlKGwzZSwgcGZuLCBkKSApCisgICAgaWYgKCB1bmxpa2VseShyYyA9PSAt RUlOVkFMKSAmJgorICAgICAgICAgIWlzX3B2XzMyYml0X2RvbWFpbihkKSAm JgorICAgICAgICAgZ2V0X2wzX2xpbmVhcl9wYWdldGFibGUobDNlLCBwZm4s IGQpICkKICAgICAgICAgcmMgPSAwOwogCiAgICAgcmV0dXJuIHJjOwotLSAK Mi4xLjQKCg== --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Thu Sep 08 12:02:11 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:02:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0z-0008M0-8Y; Thu, 08 Sep 2016 12:01:09 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0x-0008Kr-Ty; Thu, 08 Sep 2016 12:01:08 +0000 Received: from [193.109.254.147] by server-10.bemta-6.messagelabs.com id 4B/CC-27438-30351D75; Thu, 08 Sep 2016 12:01:07 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrEKsWRWlGSWpSXmKPExsWS0XRdVZch+GK 4wdteG4tbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBm7Dj3mKlgQlXFzgktLA2M h4u7GDk5hASOM0q8XKLUxcgFZC9ilDjdMoERJMEs4CpxY99mNghbUeLCvQYWEJtXQFDi5MwnY LaEgKbEnTer2EFsEYEiiZ3nXoLZbAJ6EnPPTmKC6NWReLl/NZgtLFAp8ejrOXaIOWYSza3bWE FsFgFViRPHW1kmMPLMQrJ6FpLVs5CsnsXIARTXlFi/Sx/ClJZY/o8DolpeYvvbOcwQdpnE/eU tTBB2scSXz68YYSZO6X7IDlOz6/pnNpia/YfusGKqqZC4N7sNak6pRM/ebczY1Nz8+p8R4pxS ia0vdJGVLGAUWsWoXpxaVJZapGupl1SUmZ5RkpuYmaNraGCml5taXJyYnpqTmFSsl5yfu4kRG LMMQLCD8e6mgEOMkhxMSqK8PsUXwoX4kvJTKjMSizPii0pzUosPMcpwcChJ8C4PvBguJFiUmp 5akZaZA0weMGkJDh4lEV6RIKA0b3FBYm5xZjpE6hSjMceS6dfWMnEsuvl4P5MQS15+XqqUOO8 mkEkCIKUZpXlwg2BJ7RKjrJQwLyPQaUI8BalFuZklqPKvGMU5GJWEeZtBpvBk5pXA7XsFdAoT 0ClCp86DnFKSiJCSamBkZc+t3x7Y3xzfZn8w0+px1ZyeBV4BHDNj9NmPcnyfzOp9xMWk5sxjf 9sDur9r77VZ32k4G9666GlXo0fsyT+CvyJW/THdznx4jc2EOw++f22fuz7mK+NxFW0etyw75X vLs5h52fPCzssk66q/4Aw9n2w9faPyp7x/+zampEicOvr8yRHvh8pKLMUZiYZazEXFiQAVBzd tZQMAAA== X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-8.tower-27.messagelabs.com!1473336063!47920432!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 60746 invoked from network); 8 Sep 2016 12:01:04 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-8.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:01:04 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy0k-0003LW-JF; Thu, 08 Sep 2016 12:00:54 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy0k-0000uT-IV; Thu, 08 Sep 2016 12:00:54 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:00:54 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 186 (CVE-2016-7093) - x86: Mishandling of instruction pointer truncation during emulation X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7093 / XSA-186 version 4 x86: Mishandling of instruction pointer truncation during emulation UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite hypervisor memory. It is currently believed that the only way to trigger this bug is to use the way that Xen currently incorrectly wraps CS:IP in 16 bit modes. The included patch prevents such wrapping. IMPACT ====== A malicious HVM guest administrator can escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== Xen versions 4.7.0 and later are vulnerable. Xen releases 4.6.3 and 4.5.3 are vulnerable. Xen releases 4.6.0 to 4.6.2 inclusive are NOT vulnerable. Xen releases 4.5.2 and earlier are NOT vulnerable. The vulnerability is only exposed to HVM guests on x86 hardware. The vulnerability is not exposed to x86 PV guests, or ARM guests. MITIGATION ========== Running only PV guests will avoid this vulnerability. CREDITS ======= This issue was discovered by Brian Marcotte. RESOLUTION ========== Applying the first patch will resolve the issue. Users wishing to independently verify the correctness of the fix may find the second patch helpful. The second patch makes it easier to use the "fep" (Force Emulation Prefix) feature to reproduce the erroneous condition in a test environment. The "fep" feature requires explicit enablement on the hypervisor command line, and is unsuitable for production systems. Accordingly, applying the second patch does not affect production systems and does not improve security. Xen version First patch Second patch xen-unstable: xsa186-0001-*.patch xsa186-0002-*.patch Xen 4.7.x: xsa186-0001-*.patch xsa186-4.7-0002-*.patch Xen 4.6.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch Xen 4.5.3: xsa186-0001-*.patch xsa186-4.6-0002-*.patch $ sha256sum xsa186* f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6 xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch 412fa58edcbd1c7fdbfec7e28898cf98585593e6a24ccfb088dc0b84715286a5 xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch 7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch 5a826a32763d82ac83c924f8c89d12aae5f069a4cbc7d5193aa8413a02b6dc05 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VLsAAoJEIP+FMlX6CvZoUoIAMvgdMZRYdK5MaaRUAA1hDG3 UFSxZCH8zja6wZG6WPNj7VqvEkQ2350oqb05BGB8jTFCmqtNDDIyHK68WaMpwDMv EEeetosujnlHTtVV7N8e0HO7F497PzZtzfniTyZc/h2Lna552ohMy/UcADtA7xxP IK6qwvxpkx1aLzsDFpHIdrVcttDD/oZcVbBFwcCAqK33eGNC3S6BJvIibCAKfO8h YKiAtvWUNsX/o4L9Zs4M50/pK3TzWsaDjfK3IX5LJPtsrcrKklrALVnDUOpTz1WA 07UIk0BcrzicEuTvuATWSQ3nVxUXAH95io23PCniHHntBtYJHjGA5rIqX+tiN6w= =HT+K -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch" Content-Disposition: attachment; filename="xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch" Content-Transfer-Encoding: base64 RnJvbSBlOTM4YmUwMTNiYTczZmYwOGZhNGYxZDg2NzA1MDFhYWNlZmRlN2Zi IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDIyIEp1 bCAyMDE2IDE2OjAyOjU0ICswMDAwClN1YmplY3Q6IFtQQVRDSCAxLzJdIHg4 Ni9lbXVsYXRlOiBDb3JyZWN0IGJvdW5kYXJ5IGludGVyYWN0aW9ucyBvZiBl bXVsYXRlZAogaW5zdHJ1Y3Rpb25zCgpUaGlzIHJldmVydHMgbW9zdCBvZiBj L3MgMDY0MGZmYjYgIng4NmVtdWw6IGZpeCBySVAgaGFuZGxpbmciLgoKRXhw ZXJpbWVudGFsbHksIGluIGxvbmcgbW9kZSBwcm9jZXNzb3JzIHdpbGwgZXhl Y3V0ZSBhbiBpbnN0cnVjdGlvbiBzdHJlYW0Kd2hpY2ggY3Jvc3NlcyB0aGUg NjRiaXQgLTEgLT4gMCB2aXJ0dWFsIGJvdW5kYXJ5LCB3aGV0aGVyIHRoZSBp bnN0cnVjdGlvbgpib3VuZGFyeSBpcyBhbGlnbmVkIG9uIHRoZSB2aXJ0dWFs IGJvdW5kYXJ5LCBvciBpcyBtaXNhbGlnbmVkLgoKSW4gY29tcGF0aWJpbGl0 eSBtb2RlLCBJbnRlbCBwcm9jZXNzb3JzIHdpbGwgZXhlY3V0ZSBhbiBpbnN0 cnVjdGlvbiBzdHJlYW0Kd2hpY2ggY3Jvc3NlcyB0aGUgMzJiaXQgLTEgLT4g MCB2aXJ0dWFsIGJvdW5kYXJ5LCB3aGlsZSBBTUQgcHJvY2Vzc29ycyByYWlz ZSBhCnNlZ21lbnRhdGlvbiBmYXVsdC4gIFhlbidzIHNlZ21lbnRhdGlvbiBi ZWhhdmlvdXIgbWF0Y2hlcyBBTUQuCgpGb3IgMTZiaXQgY29kZSwgaGFyZHdh cmUgZG9lcyBub3QgZXZlciB0cnVuY2F0ZWQgJWlwLiAgJWVpcCBpcyBhbHdh eXMgdXNlZCBhbmQKYmVoYXZlcyBub3JtYWxseSBhcyBhIDMyYml0IHJlZ2lz dGVyLCBpbmNsdWRpbmcgaW4gMTZiaXQgcHJvdGVjdGVkIG1vZGUKc2VnbWVu dHMsIGFzIHdlbGwgYXMgaW4gUmVhbCBhbmQgVW5yZWFsIG1vZGUuCgpUaGlz IGlzIFhTQS0xODYKClJlcG9ydGVkLWJ5OiBCcmlhbiBNYXJjb3R0ZSA8bWFy Y290dGVAcGFuaXguY29tPgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpSZXZpZXdlZC1ieTogSmFu IEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgotLS0KIHhlbi9hcmNoL3g4 Ni94ODZfZW11bGF0ZS94ODZfZW11bGF0ZS5jIHwgMjIgKysrKy0tLS0tLS0t LS0tLS0tLS0tLQogMSBmaWxlIGNoYW5nZWQsIDQgaW5zZXJ0aW9ucygrKSwg MTggZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L3g4 Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMgYi94ZW4vYXJjaC94ODYveDg2X2Vt dWxhdGUveDg2X2VtdWxhdGUuYwppbmRleCBkNWE1NmNmLi5iZjM1MjlhIDEw MDY0NAotLS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxh dGUuYworKysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxh dGUuYwpAQCAtMTU3MCwxMCArMTU3MCw2IEBAIHg4Nl9lbXVsYXRlKAogI2Vu ZGlmCiAgICAgfQogCi0gICAgLyogVHJ1bmNhdGUgcklQIHRvIGRlZl9hZF9i eXRlcyAoMiBvciA0KSBpZiBuZWNlc3NhcnkuICovCi0gICAgaWYgKCBkZWZf YWRfYnl0ZXMgPCBzaXplb2YoX3JlZ3MuZWlwKSApCi0gICAgICAgIF9yZWdz LmVpcCAmPSAoMVVMIDw8IChkZWZfYWRfYnl0ZXMgKiA4KSkgLSAxOwotCiAg ICAgLyogUHJlZml4IGJ5dGVzLiAqLwogICAgIGZvciAoIDsgOyApCiAgICAg ewpAQCAtMzkwNiwyMSArMzkwMiwxMSBAQCB4ODZfZW11bGF0ZSgKIAogICAg IC8qIENvbW1pdCBzaGFkb3cgcmVnaXN0ZXIgc3RhdGUuICovCiAgICAgX3Jl Z3MuZWZsYWdzICY9IH5FRkxHX1JGOwotICAgIHN3aXRjaCAoIF9fYnVpbHRp bl9leHBlY3QoZGVmX2FkX2J5dGVzLCBzaXplb2YoX3JlZ3MuZWlwKSkgKQot ICAgIHsKLSAgICAgICAgdWludDE2X3QgaXA7CiAKLSAgICBjYXNlIDI6Ci0g ICAgICAgIGlwID0gX3JlZ3MuZWlwOwotICAgICAgICBfcmVncy5laXAgPSBj dHh0LT5yZWdzLT5laXA7Ci0gICAgICAgICoodWludDE2X3QgKikmX3JlZ3Mu ZWlwID0gaXA7Ci0gICAgICAgIGJyZWFrOwotI2lmZGVmIF9feDg2XzY0X18K LSAgICBjYXNlIDQ6Ci0gICAgICAgIF9yZWdzLnJpcCA9IF9yZWdzLl9laXA7 Ci0gICAgICAgIGJyZWFrOwotI2VuZGlmCi0gICAgfQorICAgIC8qIFplcm8g dGhlIHVwcGVyIDMyIGJpdHMgb2YgJXJpcCBpZiBub3QgaW4gbG9uZyBtb2Rl LiAqLworICAgIGlmICggZGVmX2FkX2J5dGVzIDwgc2l6ZW9mKF9yZWdzLmVp cCkgKQorICAgICAgICBfcmVncy5laXAgPSAodWludDMyX3QpX3JlZ3MuZWlw OworCiAgICAgKmN0eHQtPnJlZ3MgPSBfcmVnczsKIAogIGRvbmU6Ci0tIAoy LjEuNAoK --=separator Content-Type: application/octet-stream; name="xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch" Content-Disposition: attachment; filename="xsa186-0002-hvm-fep-Allow-testing-of-instructions-crossing-the-1.patch" Content-Transfer-Encoding: base64 RnJvbSA0M2VlZWQzYThkYTQ2ZThmZDNhOTZhM2IwOTA5N2VjOTJkODM1ODQx IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDEyIEF1 ZyAyMDE2IDE0OjM1OjI4ICswMTAwClN1YmplY3Q6IFtQQVRDSCAyLzJdIGh2 bS9mZXA6IEFsbG93IHRlc3Rpbmcgb2YgaW5zdHJ1Y3Rpb25zIGNyb3NzaW5n IHRoZSAtMSAtPgogMCB2aXJ0dWFsIGJvdW5kYXJ5CgpUaGUgRm9yY2UgRW11 bGF0aW9uIFByZWZpeCBpcyBuYW1lZCB0byBmb2xsb3cgaXRzIFBWIGNvdW50 ZXJwYXJ0IGZvciBjcHVpZCBvcgpyZHRzYywgYnV0IGlzbid0IHJlYWxseSBh biBpbnN0cnVjdGlvbiBwcmVmaXguICBJdCBiZWhhdmVzIGFzIGEgYnJlYWst b3V0IGludG8KWGVuLCB3aXRoIHRoZSBwdXJwb3NlIG9mIGVtdWxhdGluZyB0 aGUgbmV4dCBpbnN0cnVjdGlvbiBpbiB0aGUgY3VycmVudCBzdGF0ZS4KCkl0 IGlzIGltcG9ydGFudCB0byBiZSBhYmxlIHRvIHRlc3QgbGVnYWwgc2l0dWF0 aW9ucyB3aGljaCBvY2N1ciBpbiByZWFsCmhhcmR3YXJlLCBpbmNsdWRpbmcg aW5zdHJ1Y3Rpb24gd2hpY2ggY3Jvc3MgY2VydGFpbiBib3VuZGFyaWVzLCBh bmQKaW5zdHJ1Y3Rpb25zIHN0YXJ0aW5nIGF0IDAuCgpSZXBvcnRlZC1ieTog QnJpYW4gTWFyY290dGUgPG1hcmNvdHRlQHBhbml4LmNvbT4KU2lnbmVkLW9m Zi1ieTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KUmV2aWV3ZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNv bT4KLS0tCiB4ZW4vYXJjaC94ODYvaHZtL2h2bS5jIHwgMTQgKysrKysrLS0t LS0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA2IGluc2VydGlvbnMoKyksIDggZGVs ZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2h2bS9odm0u YyBiL3hlbi9hcmNoL3g4Ni9odm0vaHZtLmMKaW5kZXggODkzZWZmNi4uZWFi N2NjOSAxMDA2NDQKLS0tIGEveGVuL2FyY2gveDg2L2h2bS9odm0uYworKysg Yi94ZW4vYXJjaC94ODYvaHZtL2h2bS5jCkBAIC0zOTAwLDE1ICszOTAwLDgg QEAgdm9pZCBodm1fdWRfaW50ZXJjZXB0KHN0cnVjdCBjcHVfdXNlcl9yZWdz ICpyZWdzKQogICAgICAgICB1bnNpZ25lZCBsb25nIGFkZHI7CiAgICAgICAg IGNoYXIgc2lnWzVdOyAvKiB1ZDI7IC5hc2NpaSAieGVuIiAqLwogCi0gICAg ICAgIC8qCi0gICAgICAgICAqIE5vdGUgdGhhdCBpbiB0aGUgY2FsbCBiZWxv dyB3ZSBwYXNzIDEgbW9yZSB0aGFuIHRoZSBzaWduYXR1cmUKLSAgICAgICAg ICogc2l6ZSwgdG8gZ3VhcmQgYWdhaW5zdCB0aGUgb3ZlcmFsbCBjb2RlIHNl cXVlbmNlIHdyYXBwaW5nIGJldHdlZW4KLSAgICAgICAgICogInByZWZpeCIg YW5kIGFjdHVhbCBpbnN0cnVjdGlvbi4gVGhlcmUncyBuZWNlc3NhcmlseSBh dCBsZWFzdCBvbmUKLSAgICAgICAgICogYWN0dWFsIGluc3RydWN0aW9uIGJ5 dGUgcmVxdWlyZWQsIHNvIHRoaXMgd29uJ3QgY2F1c2UgZmFpbHVyZSBvbgot ICAgICAgICAgKiBsZWdpdGltYXRlIHVzZXMuCi0gICAgICAgICAqLwogICAg ICAgICBpZiAoIGh2bV92aXJ0dWFsX3RvX2xpbmVhcl9hZGRyKHg4Nl9zZWdf Y3MsIGNzLCByZWdzLT5laXAsCi0gICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgc2l6ZW9mKHNpZykgKyAxLCBodm1fYWNjZXNzX2lu c25fZmV0Y2gsCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgc2l6ZW9mKHNpZyksIGh2bV9hY2Nlc3NfaW5zbl9mZXRjaCwKICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAoaHZtX2xv bmdfbW9kZV9lbmFibGVkKGN1cikgJiYKICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgY3MtPmF0dHIuZmllbGRzLmwpID8gNjQg OgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNz LT5hdHRyLmZpZWxkcy5kYiA/IDMyIDogMTYsICZhZGRyKSAmJgpAQCAtMzkx OCw2ICszOTExLDExIEBAIHZvaWQgaHZtX3VkX2ludGVyY2VwdChzdHJ1Y3Qg Y3B1X3VzZXJfcmVncyAqcmVncykKICAgICAgICAgewogICAgICAgICAgICAg cmVncy0+ZWlwICs9IHNpemVvZihzaWcpOwogICAgICAgICAgICAgcmVncy0+ ZWZsYWdzICY9IH5YODZfRUZMQUdTX1JGOworCisgICAgICAgICAgICAvKiBa ZXJvIHRoZSB1cHBlciAzMiBiaXRzIG9mICVyaXAgaWYgbm90IGluIGxvbmcg bW9kZS4gKi8KKyAgICAgICAgICAgIGlmICggIShodm1fbG9uZ19tb2RlX2Vu YWJsZWQoY3VyKSAmJiBjcy0+YXR0ci5maWVsZHMubCkgKQorICAgICAgICAg ICAgICAgIHJlZ3MtPmVpcCA9IHJlZ3MtPl9laXA7CisKICAgICAgICAgICAg IGFkZF90YWludChUQUlOVF9IVk1fRkVQKTsKICAgICAgICAgfQogICAgIH0K LS0gCjIuMS40Cgo= --=separator Content-Type: application/octet-stream; name="xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Disposition: attachment; filename="xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogaHZtL2ZlcDogQWxsb3cgdGVzdGluZyBvZiBpbnN0cnVj dGlvbnMgY3Jvc3NpbmcgdGhlIC0xIC0+IDAgdmlydHVhbCBib3VuZGFyeQoK VGhlIEZvcmNlIEVtdWxhdGlvbiBQcmVmaXggaXMgbmFtZWQgdG8gZm9sbG93 IGl0cyBQViBjb3VudGVycGFydCBmb3IgY3B1aWQgb3IKcmR0c2MsIGJ1dCBp c24ndCByZWFsbHkgYW4gaW5zdHJ1Y3Rpb24gcHJlZml4LiAgSXQgYmVoYXZl cyBhcyBhIGJyZWFrLW91dCBpbnRvClhlbiwgd2l0aCB0aGUgcHVycG9zZSBv ZiBlbXVsYXRpbmcgdGhlIG5leHQgaW5zdHJ1Y3Rpb24gaW4gdGhlIGN1cnJl bnQgc3RhdGUuCgpJdCBpcyBpbXBvcnRhbnQgdG8gYmUgYWJsZSB0byB0ZXN0 IGxlZ2FsIHNpdHVhdGlvbnMgd2hpY2ggb2NjdXIgaW4gcmVhbApoYXJkd2Fy ZSwgaW5jbHVkaW5nIGluc3RydWN0aW9uIHdoaWNoIGNyb3NzIGNlcnRhaW4g Ym91bmRhcmllcywgYW5kCmluc3RydWN0aW9ucyBzdGFydGluZyBhdCAwLgoK UmVwb3J0ZWQtYnk6IEJyaWFuIE1hcmNvdHRlIDxtYXJjb3R0ZUBwYW5peC5j b20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29w ZXIzQGNpdHJpeC5jb20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvaHZtL3N2bS9z dm0uYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm0uYwpAQCAtMjEz OSw2ICsyMTM5LDEwIEBAIHN0YXRpYyB2b2lkIHN2bV92bWV4aXRfdWRfaW50 ZXJjZXB0KHN0cnUKICAgICAgICAgewogICAgICAgICAgICAgcmVncy0+ZWlw ICs9IHNpemVvZihzaWcpOwogICAgICAgICAgICAgcmVncy0+ZWZsYWdzICY9 IH5YODZfRUZMQUdTX1JGOworCisgICAgICAgICAgICAvKiBaZXJvIHRoZSB1 cHBlciAzMiBiaXRzIG9mICVyaXAgaWYgbm90IGluIGxvbmcgbW9kZS4gKi8K KyAgICAgICAgICAgIGlmICggc3ZtX2d1ZXN0X3g4Nl9tb2RlKGN1cnJlbnQp ICE9IDggKQorICAgICAgICAgICAgICAgIHJlZ3MtPmVpcCA9IHJlZ3MtPl9l aXA7CiAgICAgICAgIH0KICAgICB9CiAKLS0tIGEveGVuL2FyY2gveDg2L2h2 bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMK QEAgLTI3NTcsNiArMjc1NywxMCBAQCBzdGF0aWMgdm9pZCB2bXhfdm1leGl0 X3VkX2ludGVyY2VwdChzdHJ1CiAgICAgICAgIHsKICAgICAgICAgICAgIHJl Z3MtPmVpcCArPSBzaXplb2Yoc2lnKTsKICAgICAgICAgICAgIHJlZ3MtPmVm bGFncyAmPSB+WDg2X0VGTEFHU19SRjsKKworICAgICAgICAgICAgLyogWmVy byB0aGUgdXBwZXIgMzIgYml0cyBvZiAlcmlwIGlmIG5vdCBpbiBsb25nIG1v ZGUuICovCisgICAgICAgICAgICBpZiAoIHZteF9ndWVzdF94ODZfbW9kZShj dXJyZW50KSAhPSA4ICkKKyAgICAgICAgICAgICAgICByZWdzLT5laXAgPSBy ZWdzLT5fZWlwOwogICAgICAgICB9CiAgICAgfQogCg== --=separator Content-Type: application/octet-stream; name="xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Disposition: attachment; filename="xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogaHZtL2ZlcDogQWxsb3cgdGVzdGluZyBvZiBpbnN0cnVj dGlvbnMgY3Jvc3NpbmcgdGhlIC0xIC0+IDAgdmlydHVhbCBib3VuZGFyeQoK VGhlIEZvcmNlIEVtdWxhdGlvbiBQcmVmaXggaXMgbmFtZWQgdG8gZm9sbG93 IGl0cyBQViBjb3VudGVycGFydCBmb3IgY3B1aWQgb3IKcmR0c2MsIGJ1dCBp c24ndCByZWFsbHkgYW4gaW5zdHJ1Y3Rpb24gcHJlZml4LiAgSXQgYmVoYXZl cyBhcyBhIGJyZWFrLW91dCBpbnRvClhlbiwgd2l0aCB0aGUgcHVycG9zZSBv ZiBlbXVsYXRpbmcgdGhlIG5leHQgaW5zdHJ1Y3Rpb24gaW4gdGhlIGN1cnJl bnQgc3RhdGUuCgpJdCBpcyBpbXBvcnRhbnQgdG8gYmUgYWJsZSB0byB0ZXN0 IGxlZ2FsIHNpdHVhdGlvbnMgd2hpY2ggb2NjdXIgaW4gcmVhbApoYXJkd2Fy ZSwgaW5jbHVkaW5nIGluc3RydWN0aW9uIHdoaWNoIGNyb3NzIGNlcnRhaW4g Ym91bmRhcmllcywgYW5kCmluc3RydWN0aW9ucyBzdGFydGluZyBhdCAwLgoK UmVwb3J0ZWQtYnk6IEJyaWFuIE1hcmNvdHRlIDxtYXJjb3R0ZUBwYW5peC5j b20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29w ZXIzQGNpdHJpeC5jb20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJl dWxpY2hAc3VzZS5jb20+CgotLS0gYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5j CisrKyBiL3hlbi9hcmNoL3g4Ni9odm0vaHZtLmMKQEAgLTM5MDUsNiArMzkw NSwxMCBAQCB2b2lkIGh2bV91ZF9pbnRlcmNlcHQoc3RydWN0IGNwdV91c2Vy X3JlCiAgICAgICAgIHsKICAgICAgICAgICAgIHJlZ3MtPmVpcCArPSBzaXpl b2Yoc2lnKTsKICAgICAgICAgICAgIHJlZ3MtPmVmbGFncyAmPSB+WDg2X0VG TEFHU19SRjsKKworICAgICAgICAgICAgLyogWmVybyB0aGUgdXBwZXIgMzIg Yml0cyBvZiAlcmlwIGlmIG5vdCBpbiBsb25nIG1vZGUuICovCisgICAgICAg ICAgICBpZiAoICEoaHZtX2xvbmdfbW9kZV9lbmFibGVkKGN1cikgJiYgY3Mu YXR0ci5maWVsZHMubCkgKQorICAgICAgICAgICAgICAgIHJlZ3MtPmVpcCA9 IHJlZ3MtPl9laXA7CiAgICAgICAgIH0KICAgICB9CiAK --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Thu Sep 08 12:06:21 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:06:21 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy4u-00017C-Mm; Thu, 08 Sep 2016 12:05:12 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy4s-00016U-Dj; Thu, 08 Sep 2016 12:05:10 +0000 Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id F7/86-01957-5F351D75; Thu, 08 Sep 2016 12:05:09 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLJsWRWlGSWpSXmKPExsWS0XRdVfdL8MV wg0PH5C1u3WxltljycTGLxaqrB1gdmD2O7v7NFMAYxZqZl5RfkcCa8fHZMbaCtaeZKro/vGdt YNy7n6mLkYtDSOA4o0TDjZ1sEM4iRomba1pYuhg5OZgFXCVu7NvMBmErSly41wAW5xUQlDg58 wmYLSGgKXHnzSp2EFtEoEhi57mXYDabgJ7E3LOTmCB6dSRe7l8NZgsLxEqcWj2FFWKOmcTWk1 /BbBYBVYlZG46zTWDkmYVk9Swkq2chWT2LkQMorimxfpc+hCktsfwfB0S1vMT2t3OYIew8iSd XOqDsbInOjUtYYSZO6X7IDmGXSSy+vJcNYkyxxMQHoZhKKiR+H3nGBGGXSjy4/JURm5oL7VuY YWr2nj/NhqkmT2LK73lw5+xpnYrVnOYPx1hg5rQuPMiMrGYBo8QqRvXi1KKy1CJdM72kosz0j JLcxMwcXUMDU73c1OLixPTUnMSkYr3k/NxNjMBEwgAEOxinNjgfYpTkYFIS5fUpvhAuxJeUn1 KZkVicEV9UmpNafIhRhoNDSYK3P+hiuJBgUWp6akVaZg4wpcGkJTh4lER4PUDSvMUFibnFmek QqVOMxhxLpl9by8Sx6Obj/UxCLHn5ealS4rxbQUoFQEozSvPgBsFS7SVGWSlhXkag04R4ClKL cjNLUOVfMYpzMCoJ824CmcKTmVcCt+8V0ClMQKcInToPckpJIkJKqoGRYfXWqTdEtVYU83kYW HfePr47pbXS6dtXM99JZ45zPp7rvmJatHV6Ubrdudzr7wJELFd838SoJJ//U1x8qfTuXvGK3d faXk+6bzZTWtdgf6GVaZ2/9AnpZc58oUHLpSVCiufNz7+9NfORbMhF3Sllx3dWWMgVvv05yTR qUej7sKy1miuzTc4rsRRnJBpqMRcVJwIASr2oT7ADAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-2.tower-206.messagelabs.com!1473336307!42485637!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 44657 invoked from network); 8 Sep 2016 12:05:08 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-2.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:05:08 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy4i-0003TQ-IT; Thu, 08 Sep 2016 12:05:00 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy4i-0001oa-Fi; Thu, 08 Sep 2016 12:05:00 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:05:00 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 187 (CVE-2016-7094) - x86 HVM: Overflow of sh_ctxt->seg_reg[] X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7094 / XSA-187 version 3 x86 HVM: Overflow of sh_ctxt->seg_reg[] UPDATES IN VERSION 3 ==================== Fix the backports xsa187-4.6-0002-*.patch and xsa187-4.4-0002-*.patch. In v1 and v2 these did not compile in debug builds. (Debug builds should not be used in production.) Public release. ISSUE DESCRIPTION ================= x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. IMPACT ====== A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. The vulnerability is only exposed to HVM guests on x86 hardware, which are configured to run with shadow paging. The vulnerability is not exposed to x86 PV guests, x86 HVM guests running with hardware assisted paging, or ARM guests. x86 HVM guests run in HAP mode by default on modern CPUs. To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this: (XEN) General information for domain 2: (XEN) refcnt=1 dying=2 pause_count=2 (XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400 (XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000 (XEN) paging assistance: hap refcounts translate external ^^^ The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. On hardware which supports Hardware Assisted Paging, configuring the guests to not run with shadow paging will avoid this vulnerability. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the first patch will resolve this issue. The second patch provides additional assurance that the vulnerability is truly eliminated and that there are no related problems. If hotpatching, applying only the first patch is recommended since the second patch is awkward for hotpatching. If deploying new builds, applying both patches is recommended. Xen version First patch Second patch xen-unstable: xsa187-0001-*.patch xsa187-0002-*.patch Xen 4.7.x: xsa187-4.7-0001-*.patch xsa187-4.7-0002-*.patch Xen 4.6.x: xsa187-4.7-0001-*.patch xsa187-4.6-0002-*.patch Xen 4.5.x: xsa187-4.7-0001-*.patch xsa187-4.6-0002-*.patch Xen 4.4.x: xsa187-4.7-0001-*.patch xsa187-4.4-0002-*.patch $ sha256sum xsa187* 65205ee195699d65884af04083ffb86c6ddbc96cbca3141c87f6b2d671de45a3 xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch f90e6d13385fb9219e1e26e3a148d1670aefc7130e0639415d08bbb6a1d9efee xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch 727b18ae83001f7ea04613aa7199ada3e6a84939aa44516f7c426e609d383b2a xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch 36b22d6a168be39f31a1c1304f708269a2a10fe5105f7da4a06877d6059f1cd6 xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the "reconfigure to use HAP" MITIGATION is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the mitigation result in guest-visible changes. Deployment of this mitigation is permitted only AFTER the embargo ends. Deployment of the PATCHES described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VPlAAoJEIP+FMlX6CvZeIQIALJEH1stiHZLs2Kc8AKTTbUh ZM3pGSUYC9AFMpn3ovuXgOJjYfX1YY89nAOKlDKuiPaaUz01mmqWXGBDBmqZ1IU0 9BjPfnnMYoqeHcrjz0+KajSO6kf/iepUdUx1IiduA48k/7VUvqU8P/s/UiutXerF YvHcc+a6lLIPPcXjWW6ftSEagGHUmB+qcHh4aptxVq/xEdIQysAGtUU7MMG9ihsN VY3MN6aQiIFRr56ICZJ7K+s9Rw+xWfOVXj8FZAoq2mDPns6pQT0obyCrIbfQcywA 6GMXWXVf4vSR/dgQm8xD95/3gFPd1IfuwxjOvHkfJlqxxCfa8JT6oVsQfZskhhs= =/Mbl -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch" Content-Disposition: attachment; filename="xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch" Content-Transfer-Encoding: base64 RnJvbSA1ZWI3YmRjMTU5OGY4ZmRkNmQ1M2VjOGU1NGVlNWFjODk0MTkyZTI1 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDEgSnVs IDIwMTYgMDE6MDI6MDQgKzAxMDAKU3ViamVjdDogW1BBVENIIDEvMl0geDg2 L3NoYWRvdzogQXZvaWQgb3ZlcmZsb3dpbmcgc2hfY3R4dC0+c2VnX3JlZ1td Cgpodm1fZ2V0X3NlZ19yZWcoKSBkb2VzIG5vdCBwZXJmb3JtIGEgcmFuZ2Ug Y2hlY2sgb24gaXRzIGlucHV0IHNlZ21lbnQsIGNhbGxzCmh2bV9nZXRfc2Vn bWVudF9yZWdpc3RlcigpIGFuZCB3cml0ZXMgc3RyYWlnaHQgaW50byBzaF9j dHh0LT5zZWdfcmVnW10uCgp4ODZfc2VnX25vbmUgaXMgb3V0c2lkZSB0aGUg Ym91bmRzIG9mIHNoX2N0eHQtPnNlZ19yZWdbXSwgYW5kIHdpbGwgaGl0IGEg QlVHKCkKaW4ge3ZteCxzdm19X2dldF9zZWdtZW50X3JlZ2lzdGVyKCkuCgpI Vk0gZ3Vlc3RzIHJ1bm5pbmcgd2l0aCBzaGFkb3cgcGFnaW5nIGNhbiBlbmQg dXAgcGVyZm9ybWluZyBhIHZpcnR1YWwgdG8KbGluZWFyIHRyYW5zbGF0aW9u IHdpdGggeDg2X3NlZ19ub25lLiAgVGhpcyBpcyB1c2VkIGZvciBhZGRyZXNz ZXMgd2hpY2ggYXJlCmFscmVhZHkgbGluZWFyLiAgSG93ZXZlciwgbm9uZSBv ZiB0aGlzIGlzIGEgbGVnaXRpbWF0ZSBwYWdldGFibGUgdXBkYXRlLCBzbwpm YWlsIHRoZSBlbXVsYXRpb24gaW4gc3VjaCBhIGNhc2UuCgpUaGlzIGlzIFhT QS0xODcKClJlcG9ydGVkLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29v cGVyM0BjaXRyaXguY29tPgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpSZXZpZXdlZC1ieTogVGlt IERlZWdhbiA8dGltQHhlbi5vcmc+Ci0tLQogeGVuL2FyY2gveDg2L21tL3No YWRvdy9jb21tb24uYyB8IDExICsrKysrKysrKystCiAxIGZpbGUgY2hhbmdl ZCwgMTAgaW5zZXJ0aW9ucygrKSwgMSBkZWxldGlvbigtKQoKZGlmZiAtLWdp dCBhL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMgYi94ZW4vYXJj aC94ODYvbW0vc2hhZG93L2NvbW1vbi5jCmluZGV4IGMyMjM2MmYuLmI0MGJm NzEgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9u LmMKKysrIGIveGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21tb24uYwpAQCAt MTQwLDkgKzE0MCwxOCBAQCBzdGF0aWMgaW50IGh2bV90cmFuc2xhdGVfbGlu ZWFyX2FkZHIoCiAgICAgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4 dCwKICAgICB1bnNpZ25lZCBsb25nICpwYWRkcikKIHsKLSAgICBzdHJ1Y3Qg c2VnbWVudF9yZWdpc3RlciAqcmVnID0gaHZtX2dldF9zZWdfcmVnKHNlZywg c2hfY3R4dCk7CisgICAgY29uc3Qgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIg KnJlZzsKICAgICBpbnQgb2theTsKIAorICAgIC8qCisgICAgICogQ2FuIGFy cml2ZSBoZXJlIHdpdGggbm9uLXVzZXIgc2VnbWVudHMuICBIb3dldmVyLCBu byBzdWNoIGNpcnVjbXN0YW5jZQorICAgICAqIGlzIHBhcnQgb2YgYSBsZWdp dGltYXRlIHBhZ2V0YWJsZSB1cGRhdGUsIHNvIGZhaWwgdGhlIGVtdWxhdGlv bi4KKyAgICAgKi8KKyAgICBpZiAoICFpc194ODZfdXNlcl9zZWdtZW50KHNl ZykgKQorICAgICAgICByZXR1cm4gWDg2RU1VTF9VTkhBTkRMRUFCTEU7CisK KyAgICByZWcgPSBodm1fZ2V0X3NlZ19yZWcoc2VnLCBzaF9jdHh0KTsKKwog ICAgIG9rYXkgPSBodm1fdmlydHVhbF90b19saW5lYXJfYWRkcigKICAgICAg ICAgc2VnLCByZWcsIG9mZnNldCwgYnl0ZXMsIGFjY2Vzc190eXBlLCBzaF9j dHh0LT5jdHh0LmFkZHJfc2l6ZSwgcGFkZHIpOwogCi0tIAoyLjEuNAoK --=separator Content-Type: application/octet-stream; name="xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch" Content-Disposition: attachment; filename="xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch" Content-Transfer-Encoding: base64 RnJvbSBkZGY5YjFiZjI2YTFhNDQyYjYxZjI5YTE3MzQzNzQ1ZDZkZGRiNGRl IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDEgSnVs IDIwMTYgMDE6MDI6MDQgKzAxMDAKU3ViamVjdDogW1BBVENIIDIvMl0geDg2 L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3NlcyB0byBlbXVsYXRpb24K IGN0eHQtPnNlZ19yZWdbXQoKSFZNIEhBUCBjb2RlcGF0aHMgaGF2ZSBzcGFj ZSBmb3IgYWxsIHNlZ21lbnQgcmVnaXN0ZXJzIGluIHRoZSBzZWdfcmVnW10K Y2FjaGUgKHdpdGggeDg2X3NlZ19ub25lIHN0aWxsIHJpc2tpbmcgYW4gYXJy YXkgb3ZlcnJ1biksIHdoaWxlIHRoZSBzaGFkb3cKY29kZXBhdGhzIG9ubHkg aGF2ZSBzcGFjZSBmb3IgdGhlIHVzZXIgc2VnbWVudHMuCgpSYW5nZSBjaGVj ayB0aGUgaW5wdXQgc2VnbWVudCBvZiAqX2dldF9zZWdfcmVnKCkgYWdhaW5z dCB0aGUgc2l6ZSBvZiB0aGUgYXJyYXkKdXNlZCB0byBjYWNoZSB0aGUgcmVz dWx0cywgdG8gYXZvaWQgb3ZlcnJ1bnMgaW4gdGhlIGNhc2UgdGhhdCB0aGUg Y2FsbGVycwpkb24ndCBmaWx0ZXIgdGhlaXIgaW5wdXQgc3VpdGFibHkuCgpT dWJzdW1lIHRoZSBpc194ODZfdXNlcl9zZWdtZW50KHNlZykgY2hlY2tzIGZy b20gdGhlIHNoYWRvdyBjb2RlLCB3aGljaCB3ZXJlCmFuIGluY29tcGxldGUg YXR0ZW1wdCBhdCByYW5nZSBjaGVja2luZywgYW5kIGFyZSBub3cgc3VwZXJj ZWVkZWQuICBNYWtlCmh2bV9nZXRfc2VnX3JlZygpIHN0YXRpYywgYXMgaXQg aXMgbm90IHVzZWQgb3V0c2lkZSBvZiBzaGFkb3cvY29tbW9uLmMKCk5vIGZ1 bmN0aW9uYWwgY2hhbmdlLCBidXQgZmFyIGVhc2llciB0byByZWFzb24gdGhh dCBubyBvdmVyZmxvdyBpcyBwb3NzaWJsZS4KClJlcG9ydGVkLWJ5OiBBbmRy ZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpTaWduZWQt b2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXgu Y29tPgpBY2tlZC1ieTogVGltIERlZWdhbiA8dGltQHhlbi5vcmc+CkFja2Vk LWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+Ci0tLQogeGVu L2FyY2gveDg2L2h2bS9lbXVsYXRlLmMgICAgICAgIHwgMTYgKysrKysrKysr KysrKysrKwogeGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21tb24uYyAgIHwg MjcgKysrKysrKysrKysrKystLS0tLS0tLS0tLS0tCiB4ZW4vYXJjaC94ODYv bW0vc2hhZG93L3ByaXZhdGUuaCAgfCAgMiAtLQogeGVuL2luY2x1ZGUvYXNt LXg4Ni9odm0vZW11bGF0ZS5oIHwgIDEgKwogNCBmaWxlcyBjaGFuZ2VkLCAz MSBpbnNlcnRpb25zKCspLCAxNSBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQg YS94ZW4vYXJjaC94ODYvaHZtL2VtdWxhdGUuYyBiL3hlbi9hcmNoL3g4Ni9o dm0vZW11bGF0ZS5jCmluZGV4IGM1NWFkN2IuLjBlYjdhNGQgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBiL3hlbi9hcmNo L3g4Ni9odm0vZW11bGF0ZS5jCkBAIC01MzUsNiArNTM1LDggQEAgc3RhdGlj IGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAgICpyZXBzID0g bWluX3QodW5zaWduZWQgbG9uZywgKnJlcHMsIG1heF9yZXBzKTsKIAogICAg IHJlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1lbXVsX2N0eHQp OworICAgIGlmICggSVNfRVJSKHJlZykgKQorICAgICAgICByZXR1cm4gLVBU Ul9FUlIocmVnKTsKIAogICAgIGlmICggKGh2bWVtdWxfY3R4dC0+Y3R4dC5y ZWdzLT5lZmxhZ3MgJiBYODZfRUZMQUdTX0RGKSAmJiAoKnJlcHMgPiAxKSAp CiAgICAgewpAQCAtMTQzMCw2ICsxNDMyLDEwIEBAIHN0YXRpYyBpbnQgaHZt ZW11bF9yZWFkX3NlZ21lbnQoCiAgICAgc3RydWN0IGh2bV9lbXVsYXRlX2N0 eHQgKmh2bWVtdWxfY3R4dCA9CiAgICAgICAgIGNvbnRhaW5lcl9vZihjdHh0 LCBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCwgY3R4dCk7CiAgICAgc3RydWN0 IHNlZ21lbnRfcmVnaXN0ZXIgKnNyZWcgPSBodm1lbXVsX2dldF9zZWdfcmVn KHNlZywgaHZtZW11bF9jdHh0KTsKKworICAgIGlmICggSVNfRVJSKHNyZWcp ICkKKyAgICAgICAgIHJldHVybiAtUFRSX0VSUihzcmVnKTsKKwogICAgIG1l bWNweShyZWcsIHNyZWcsIHNpemVvZihzdHJ1Y3Qgc2VnbWVudF9yZWdpc3Rl cikpOwogICAgIHJldHVybiBYODZFTVVMX09LQVk7CiB9CkBAIC0xNDQzLDYg KzE0NDksOSBAQCBzdGF0aWMgaW50IGh2bWVtdWxfd3JpdGVfc2VnbWVudCgK ICAgICAgICAgY29udGFpbmVyX29mKGN0eHQsIHN0cnVjdCBodm1fZW11bGF0 ZV9jdHh0LCBjdHh0KTsKICAgICBzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlciAq c3JlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1lbXVsX2N0eHQp OwogCisgICAgaWYgKCBJU19FUlIoc3JlZykgKQorICAgICAgICAgcmV0dXJu IC1QVFJfRVJSKHNyZWcpOworCiAgICAgbWVtY3B5KHNyZWcsIHJlZywgc2l6 ZW9mKHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyKSk7CiAgICAgX19zZXRfYml0 KHNlZywgJmh2bWVtdWxfY3R4dC0+c2VnX3JlZ19kaXJ0eSk7CiAKQEAgLTE5 OTUsMTAgKzIwMDQsMTcgQEAgdm9pZCBodm1fZW11bGF0ZV93cml0ZWJhY2so CiAgICAgfQogfQogCisvKgorICogQ2FsbGVycyB3aGljaCBwYXNzIGEga25v d24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24gdGhlIHJldHVy bgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNhbGxlcnMgbXVz dCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8KIHN0cnVjdCBz ZWdtZW50X3JlZ2lzdGVyICpodm1lbXVsX2dldF9zZWdfcmVnKAogICAgIGVu dW0geDg2X3NlZ21lbnQgc2VnLAogICAgIHN0cnVjdCBodm1fZW11bGF0ZV9j dHh0ICpodm1lbXVsX2N0eHQpCiB7CisgICAgaWYgKCBzZWcgPCAwIHx8IHNl ZyA+PSBBUlJBWV9TSVpFKGh2bWVtdWxfY3R4dC0+c2VnX3JlZykgKQorICAg ICAgICByZXR1cm4gRVJSX1BUUigtWDg2RU1VTF9VTkhBTkRMRUFCTEUpOwor CiAgICAgaWYgKCAhX190ZXN0X2FuZF9zZXRfYml0KHNlZywgJmh2bWVtdWxf Y3R4dC0+c2VnX3JlZ19hY2Nlc3NlZCkgKQogICAgICAgICBodm1fZ2V0X3Nl Z21lbnRfcmVnaXN0ZXIoY3VycmVudCwgc2VnLCAmaHZtZW11bF9jdHh0LT5z ZWdfcmVnW3NlZ10pOwogICAgIHJldHVybiAmaHZtZW11bF9jdHh0LT5zZWdf cmVnW3NlZ107CmRpZmYgLS1naXQgYS94ZW4vYXJjaC94ODYvbW0vc2hhZG93 L2NvbW1vbi5jIGIveGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21tb24uYwpp bmRleCBiNDBiZjcxLi45MWMxMTRkIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94 ODYvbW0vc2hhZG93L2NvbW1vbi5jCisrKyBiL3hlbi9hcmNoL3g4Ni9tbS9z aGFkb3cvY29tbW9uLmMKQEAgLTEyMywxMCArMTIzLDE5IEBAIF9faW5pdGNh bGwoc2hhZG93X2F1ZGl0X2tleV9pbml0KTsKIC8qIHg4NiBlbXVsYXRvciBz dXBwb3J0IGZvciB0aGUgc2hhZG93IGNvZGUKICAqLwogCi1zdHJ1Y3Qgc2Vn bWVudF9yZWdpc3RlciAqaHZtX2dldF9zZWdfcmVnKAorLyoKKyAqIENhbGxl cnMgd2hpY2ggcGFzcyBhIGtub3duIGluLXJhbmdlIHg4Nl9zZWdtZW50IGNh biByZWx5IG9uIHRoZSByZXR1cm4KKyAqIHBvaW50ZXIgYmVpbmcgdmFsaWQu ICBPdGhlciBjYWxsZXJzIG11c3QgZXhwbGljaXRseSBjaGVjayBmb3IgZXJy b3JzLgorICovCitzdGF0aWMgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKmh2 bV9nZXRfc2VnX3JlZygKICAgICBlbnVtIHg4Nl9zZWdtZW50IHNlZywgc3Ry dWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4dCkKIHsKLSAgICBzdHJ1Y3Qg c2VnbWVudF9yZWdpc3RlciAqc2VnX3JlZyA9ICZzaF9jdHh0LT5zZWdfcmVn W3NlZ107CisgICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNlZ19yZWc7 CisKKyAgICBpZiAoIHNlZyA8IDAgfHwgc2VnID49IEFSUkFZX1NJWkUoc2hf Y3R4dC0+c2VnX3JlZykgKQorICAgICAgICByZXR1cm4gRVJSX1BUUigtWDg2 RU1VTF9VTkhBTkRMRUFCTEUpOworCisgICAgc2VnX3JlZyA9ICZzaF9jdHh0 LT5zZWdfcmVnW3NlZ107CiAgICAgaWYgKCAhX190ZXN0X2FuZF9zZXRfYml0 KHNlZywgJnNoX2N0eHQtPnZhbGlkX3NlZ19yZWdzKSApCiAgICAgICAgIGh2 bV9nZXRfc2VnbWVudF9yZWdpc3RlcihjdXJyZW50LCBzZWcsIHNlZ19yZWcp OwogICAgIHJldHVybiBzZWdfcmVnOwpAQCAtMTQzLDE0ICsxNTIsOSBAQCBz dGF0aWMgaW50IGh2bV90cmFuc2xhdGVfbGluZWFyX2FkZHIoCiAgICAgY29u c3Qgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnJlZzsKICAgICBpbnQgb2th eTsKIAotICAgIC8qCi0gICAgICogQ2FuIGFycml2ZSBoZXJlIHdpdGggbm9u LXVzZXIgc2VnbWVudHMuICBIb3dldmVyLCBubyBzdWNoIGNpcnVjbXN0YW5j ZQotICAgICAqIGlzIHBhcnQgb2YgYSBsZWdpdGltYXRlIHBhZ2V0YWJsZSB1 cGRhdGUsIHNvIGZhaWwgdGhlIGVtdWxhdGlvbi4KLSAgICAgKi8KLSAgICBp ZiAoICFpc194ODZfdXNlcl9zZWdtZW50KHNlZykgKQotICAgICAgICByZXR1 cm4gWDg2RU1VTF9VTkhBTkRMRUFCTEU7Ci0KICAgICByZWcgPSBodm1fZ2V0 X3NlZ19yZWcoc2VnLCBzaF9jdHh0KTsKKyAgICBpZiAoIElTX0VSUihyZWcp ICkKKyAgICAgICAgcmV0dXJuIC1QVFJfRVJSKHJlZyk7CiAKICAgICBva2F5 ID0gaHZtX3ZpcnR1YWxfdG9fbGluZWFyX2FkZHIoCiAgICAgICAgIHNlZywg cmVnLCBvZmZzZXQsIGJ5dGVzLCBhY2Nlc3NfdHlwZSwgc2hfY3R4dC0+Y3R4 dC5hZGRyX3NpemUsIHBhZGRyKTsKQEAgLTI1Myw5ICsyNTcsNiBAQCBodm1f ZW11bGF0ZV93cml0ZShlbnVtIHg4Nl9zZWdtZW50IHNlZywKICAgICB1bnNp Z25lZCBsb25nIGFkZHI7CiAgICAgaW50IHJjOwogCi0gICAgaWYgKCAhaXNf eDg2X3VzZXJfc2VnbWVudChzZWcpICkKLSAgICAgICAgcmV0dXJuIFg4NkVN VUxfVU5IQU5ETEVBQkxFOwotCiAgICAgLyogSG93IG1hbnkgZW11bGF0aW9u cyBjb3VsZCB3ZSBzYXZlIGlmIHdlIHVuc2hhZG93ZWQgb24gc3RhY2sgd3Jp dGVzPyAqLwogICAgIGlmICggc2VnID09IHg4Nl9zZWdfc3MgKQogICAgICAg ICBwZXJmY19pbmNyKHNoYWRvd19mYXVsdF9lbXVsYXRlX3N0YWNrKTsKQEAg LTI4Myw3ICsyODQsNyBAQCBodm1fZW11bGF0ZV9jbXB4Y2hnKGVudW0geDg2 X3NlZ21lbnQgc2VnLAogICAgIHVuc2lnbmVkIGxvbmcgYWRkciwgb2xkLCBu ZXc7CiAgICAgaW50IHJjOwogCi0gICAgaWYgKCAhaXNfeDg2X3VzZXJfc2Vn bWVudChzZWcpIHx8IGJ5dGVzID4gc2l6ZW9mKGxvbmcpICkKKyAgICBpZiAo IGJ5dGVzID4gc2l6ZW9mKGxvbmcpICkKICAgICAgICAgcmV0dXJuIFg4NkVN VUxfVU5IQU5ETEVBQkxFOwogCiAgICAgcmMgPSBodm1fdHJhbnNsYXRlX2xp bmVhcl9hZGRyKApkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L21tL3NoYWRv dy9wcml2YXRlLmggYi94ZW4vYXJjaC94ODYvbW0vc2hhZG93L3ByaXZhdGUu aAppbmRleCA4MjQ3OTZmLi5mMGIwZWQ0IDEwMDY0NAotLS0gYS94ZW4vYXJj aC94ODYvbW0vc2hhZG93L3ByaXZhdGUuaAorKysgYi94ZW4vYXJjaC94ODYv bW0vc2hhZG93L3ByaXZhdGUuaApAQCAtNzQwLDggKzc0MCw2IEBAIGNvbnN0 IHN0cnVjdCB4ODZfZW11bGF0ZV9vcHMgKnNoYWRvd19pbml0X2VtdWxhdGlv bigKICAgICBzdHJ1Y3Qgc2hfZW11bGF0ZV9jdHh0ICpzaF9jdHh0LCBzdHJ1 Y3QgY3B1X3VzZXJfcmVncyAqcmVncyk7CiB2b2lkIHNoYWRvd19jb250aW51 ZV9lbXVsYXRpb24oCiAgICAgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hf Y3R4dCwgc3RydWN0IGNwdV91c2VyX3JlZ3MgKnJlZ3MpOwotc3RydWN0IHNl Z21lbnRfcmVnaXN0ZXIgKmh2bV9nZXRfc2VnX3JlZygKLSAgICBlbnVtIHg4 Nl9zZWdtZW50IHNlZywgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4 dCk7CiAKICNpZiAoU0hBRE9XX09QVElNSVpBVElPTlMgJiBTSE9QVF9WSVJU VUFMX1RMQikKIC8qKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKi8KZGlm ZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaCBi L3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaAppbmRleCAxNDJk MWI2Li4zYWFiY2JlIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20teDg2 L2h2bS9lbXVsYXRlLmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0v ZW11bGF0ZS5oCkBAIC0xMyw2ICsxMyw3IEBACiAjZGVmaW5lIF9fQVNNX1g4 Nl9IVk1fRU1VTEFURV9IX18KIAogI2luY2x1ZGUgPHhlbi9jb25maWcuaD4K KyNpbmNsdWRlIDx4ZW4vZXJyLmg+CiAjaW5jbHVkZSA8YXNtL2h2bS9odm0u aD4KICNpbmNsdWRlIDxhc20veDg2X2VtdWxhdGUuaD4KIAotLSAKMi4xLjQK Cg== --=separator Content-Type: application/octet-stream; name="xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Disposition: attachment; filename="xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3Nl cyB0byBlbXVsYXRpb24gY3R4dC0+c2VnX3JlZ1tdCgpIVk0gSEFQIGNvZGVw YXRocyBoYXZlIHNwYWNlIGZvciBhbGwgc2VnbWVudCByZWdpc3RlcnMgaW4g dGhlIHNlZ19yZWdbXQpjYWNoZSAod2l0aCB4ODZfc2VnX25vbmUgc3RpbGwg cmlza2luZyBhbiBhcnJheSBvdmVycnVuKSwgd2hpbGUgdGhlIHNoYWRvdwpj b2RlcGF0aHMgb25seSBoYXZlIHNwYWNlIGZvciB0aGUgdXNlciBzZWdtZW50 cy4KClJhbmdlIGNoZWNrIHRoZSBpbnB1dCBzZWdtZW50IG9mICpfZ2V0X3Nl Z19yZWcoKSBhZ2FpbnN0IHRoZSBzaXplIG9mIHRoZSBhcnJheQp1c2VkIHRv IGNhY2hlIHRoZSByZXN1bHRzLCB0byBhdm9pZCBvdmVycnVucyBpbiB0aGUg Y2FzZSB0aGF0IHRoZSBjYWxsZXJzCmRvbid0IGZpbHRlciB0aGVpciBpbnB1 dCBzdWl0YWJseS4KClN1YnN1bWUgdGhlIGlzX3g4Nl91c2VyX3NlZ21lbnQo c2VnKSBjaGVja3MgZnJvbSB0aGUgc2hhZG93IGNvZGUsIHdoaWNoIHdlcmUK YW4gaW5jb21wbGV0ZSBhdHRlbXB0IGF0IHJhbmdlIGNoZWNraW5nLCBhbmQg YXJlIG5vdyBzdXBlcmNlZWRlZC4gIE1ha2UKaHZtX2dldF9zZWdfcmVnKCkg c3RhdGljLCBhcyBpdCBpcyBub3QgdXNlZCBvdXRzaWRlIG9mIHNoYWRvdy9j b21tb24uYwoKTm8gZnVuY3Rpb25hbCBjaGFuZ2UsIGJ1dCBmYXIgZWFzaWVy IHRvIHJlYXNvbiB0aGF0IG5vIG92ZXJmbG93IGlzIHBvc3NpYmxlLgoKUmVw b3J0ZWQtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJp eC5jb20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5j b29wZXIzQGNpdHJpeC5jb20+CkFja2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1A eGVuLm9yZz4KQWNrZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNl LmNvbT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCkBAIC00MzYsNiArNDM2LDgg QEAgc3RhdGljIGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAg ICpyZXBzID0gbWluX3QodW5zaWduZWQgbG9uZywgKnJlcHMsIDQwOTYpOwog CiAgICAgcmVnID0gaHZtZW11bF9nZXRfc2VnX3JlZyhzZWcsIGh2bWVtdWxf Y3R4dCk7CisgICAgaWYgKCBJU19FUlIocmVnKSApCisgICAgICAgIHJldHVy biAtUFRSX0VSUihyZWcpOwogCiAgICAgaWYgKCAoaHZtZW11bF9jdHh0LT5j dHh0LnJlZ3MtPmVmbGFncyAmIFg4Nl9FRkxBR1NfREYpICYmICgqcmVwcyA+ IDEpICkKICAgICB7CkBAIC05MjYsNiArOTI4LDEwIEBAIHN0YXRpYyBpbnQg aHZtZW11bF9yZWFkX3NlZ21lbnQoCiAgICAgc3RydWN0IGh2bV9lbXVsYXRl X2N0eHQgKmh2bWVtdWxfY3R4dCA9CiAgICAgICAgIGNvbnRhaW5lcl9vZihj dHh0LCBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCwgY3R4dCk7CiAgICAgc3Ry dWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNyZWcgPSBodm1lbXVsX2dldF9zZWdf cmVnKHNlZywgaHZtZW11bF9jdHh0KTsKKworICAgIGlmICggSVNfRVJSKHNy ZWcpICkKKyAgICAgICAgIHJldHVybiAtUFRSX0VSUihzcmVnKTsKKwogICAg IG1lbWNweShyZWcsIHNyZWcsIHNpemVvZihzdHJ1Y3Qgc2VnbWVudF9yZWdp c3RlcikpOwogICAgIHJldHVybiBYODZFTVVMX09LQVk7CiB9CkBAIC05Mzks NiArOTQ1LDkgQEAgc3RhdGljIGludCBodm1lbXVsX3dyaXRlX3NlZ21lbnQo CiAgICAgICAgIGNvbnRhaW5lcl9vZihjdHh0LCBzdHJ1Y3QgaHZtX2VtdWxh dGVfY3R4dCwgY3R4dCk7CiAgICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIg KnNyZWcgPSBodm1lbXVsX2dldF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0 KTsKIAorICAgIGlmICggSVNfRVJSKHNyZWcpICkKKyAgICAgICAgIHJldHVy biAtUFRSX0VSUihzcmVnKTsKKwogICAgIG1lbWNweShzcmVnLCByZWcsIHNp emVvZihzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlcikpOwogICAgIF9fc2V0X2Jp dChzZWcsICZodm1lbXVsX2N0eHQtPnNlZ19yZWdfZGlydHkpOwogCkBAIC0x MzAyLDEwICsxMzExLDE3IEBAIHZvaWQgaHZtX2VtdWxhdGVfd3JpdGViYWNr KAogICAgIH0KIH0KIAorLyoKKyAqIENhbGxlcnMgd2hpY2ggcGFzcyBhIGtu b3duIGluLXJhbmdlIHg4Nl9zZWdtZW50IGNhbiByZWx5IG9uIHRoZSByZXR1 cm4KKyAqIHBvaW50ZXIgYmVpbmcgdmFsaWQuICBPdGhlciBjYWxsZXJzIG11 c3QgZXhwbGljaXRseSBjaGVjayBmb3IgZXJyb3JzLgorICovCiBzdHJ1Y3Qg c2VnbWVudF9yZWdpc3RlciAqaHZtZW11bF9nZXRfc2VnX3JlZygKICAgICBl bnVtIHg4Nl9zZWdtZW50IHNlZywKICAgICBzdHJ1Y3QgaHZtX2VtdWxhdGVf Y3R4dCAqaHZtZW11bF9jdHh0KQogeworICAgIGlmICggc2VnIDwgMCB8fCBz ZWcgPj0gQVJSQVlfU0laRShodm1lbXVsX2N0eHQtPnNlZ19yZWcpICkKKyAg ICAgICAgcmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsK KwogICAgIGlmICggIV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZodm1lbXVs X2N0eHQtPnNlZ19yZWdfYWNjZXNzZWQpICkKICAgICAgICAgaHZtX2dldF9z ZWdtZW50X3JlZ2lzdGVyKGN1cnJlbnQsIHNlZywgJmh2bWVtdWxfY3R4dC0+ c2VnX3JlZ1tzZWddKTsKICAgICByZXR1cm4gJmh2bWVtdWxfY3R4dC0+c2Vn X3JlZ1tzZWddOwotLS0gYS94ZW4vYXJjaC94ODYvbW0vc2hhZG93L2NvbW1v bi5jCisrKyBiL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMKQEAg LTEyMCwxMCArMTIwLDE5IEBAIF9faW5pdGNhbGwoc2hhZG93X2F1ZGl0X2tl eV9pbml0KTsKIC8qIHg4NiBlbXVsYXRvciBzdXBwb3J0IGZvciB0aGUgc2hh ZG93IGNvZGUKICAqLwogCisvKgorICogQ2FsbGVycyB3aGljaCBwYXNzIGEg a25vd24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24gdGhlIHJl dHVybgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNhbGxlcnMg bXVzdCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8KIHN0cnVj dCBzZWdtZW50X3JlZ2lzdGVyICpodm1fZ2V0X3NlZ19yZWcoCiAgICAgZW51 bSB4ODZfc2VnbWVudCBzZWcsIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNo X2N0eHQpCiB7Ci0gICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNlZ19y ZWcgPSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOworICAgIHN0cnVjdCBzZWdt ZW50X3JlZ2lzdGVyICpzZWdfcmVnOworCisgICAgaWYgKCBzZWcgPCAwIHx8 IHNlZyA+PSBBUlJBWV9TSVpFKHNoX2N0eHQtPnNlZ19yZWcpICkKKyAgICAg ICAgcmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsKKwor ICAgIHNlZ19yZWcgPSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOwogICAgIGlm ICggIV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZzaF9jdHh0LT52YWxpZF9z ZWdfcmVncykgKQogICAgICAgICBodm1fZ2V0X3NlZ21lbnRfcmVnaXN0ZXIo Y3VycmVudCwgc2VnLCBzZWdfcmVnKTsKICAgICByZXR1cm4gc2VnX3JlZzsK QEAgLTE0MCwxNCArMTQ5LDkgQEAgc3RhdGljIGludCBodm1fdHJhbnNsYXRl X2xpbmVhcl9hZGRyKAogICAgIHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpy ZWc7CiAgICAgaW50IG9rYXk7CiAKLSAgICAvKgotICAgICAqIENhbiBhcnJp dmUgaGVyZSB3aXRoIG5vbi11c2VyIHNlZ21lbnRzLiAgSG93ZXZlciwgbm8g c3VjaCBjaXJ1Y21zdGFuY2UKLSAgICAgKiBpcyBwYXJ0IG9mIGEgbGVnaXRp bWF0ZSBwYWdldGFibGUgdXBkYXRlLCBzbyBmYWlsIHRoZSBlbXVsYXRpb24u Ci0gICAgICovCi0gICAgaWYgKCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcp ICkKLSAgICAgICAgcmV0dXJuIFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAg ICAgcmVnID0gaHZtX2dldF9zZWdfcmVnKHNlZywgc2hfY3R4dCk7CisgICAg aWYgKCBJU19FUlIocmVnKSApCisgICAgICAgIHJldHVybiAtUFRSX0VSUihy ZWcpOwogCiAgICAgb2theSA9IGh2bV92aXJ0dWFsX3RvX2xpbmVhcl9hZGRy KAogICAgICAgICBzZWcsIHJlZywgb2Zmc2V0LCBieXRlcywgYWNjZXNzX3R5 cGUsIHNoX2N0eHQtPmN0eHQuYWRkcl9zaXplLCBwYWRkcik7CkBAIC0yNDks OSArMjUzLDYgQEAgaHZtX2VtdWxhdGVfd3JpdGUoZW51bSB4ODZfc2VnbWVu dCBzZWcsCiAgICAgdW5zaWduZWQgbG9uZyBhZGRyOwogICAgIGludCByYzsK IAotICAgIGlmICggIWlzX3g4Nl91c2VyX3NlZ21lbnQoc2VnKSApCi0gICAg ICAgIHJldHVybiBYODZFTVVMX1VOSEFORExFQUJMRTsKLQogICAgIC8qIEhv dyBtYW55IGVtdWxhdGlvbnMgY291bGQgd2Ugc2F2ZSBpZiB3ZSB1bnNoYWRv d2VkIG9uIHN0YWNrIHdyaXRlcz8gKi8KICAgICBpZiAoIHNlZyA9PSB4ODZf c2VnX3NzICkKICAgICAgICAgcGVyZmNfaW5jcihzaGFkb3dfZmF1bHRfZW11 bGF0ZV9zdGFjayk7CkBAIC0yNzksOSArMjgwLDYgQEAgaHZtX2VtdWxhdGVf Y21weGNoZyhlbnVtIHg4Nl9zZWdtZW50IHNlZwogICAgIHVuc2lnbmVkIGxv bmcgYWRkciwgb2xkWzJdLCBuZXdbMl07CiAgICAgaW50IHJjOwogCi0gICAg aWYgKCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkKLSAgICAgICAgcmV0 dXJuIFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAgICAgcmMgPSBodm1fdHJh bnNsYXRlX2xpbmVhcl9hZGRyKAogICAgICAgICBzZWcsIG9mZnNldCwgYnl0 ZXMsIGh2bV9hY2Nlc3Nfd3JpdGUsIHNoX2N0eHQsICZhZGRyKTsKICAgICBp ZiAoIHJjICkKLS0tIGEveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vZW11bGF0 ZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaApA QCAtMTMsNiArMTMsNyBAQAogI2RlZmluZSBfX0FTTV9YODZfSFZNX0VNVUxB VEVfSF9fCiAKICNpbmNsdWRlIDx4ZW4vY29uZmlnLmg+CisjaW5jbHVkZSA8 eGVuL2Vyci5oPgogI2luY2x1ZGUgPGFzbS94ODZfZW11bGF0ZS5oPgogCiBz dHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCB7Cg== --=separator Content-Type: application/octet-stream; name="xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Disposition: attachment; filename="xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3Nl cyB0byBlbXVsYXRpb24gY3R4dC0+c2VnX3JlZ1tdCgpIVk0gSEFQIGNvZGVw YXRocyBoYXZlIHNwYWNlIGZvciBhbGwgc2VnbWVudCByZWdpc3RlcnMgaW4g dGhlIHNlZ19yZWdbXQpjYWNoZSAod2l0aCB4ODZfc2VnX25vbmUgc3RpbGwg cmlza2luZyBhbiBhcnJheSBvdmVycnVuKSwgd2hpbGUgdGhlIHNoYWRvdwpj b2RlcGF0aHMgb25seSBoYXZlIHNwYWNlIGZvciB0aGUgdXNlciBzZWdtZW50 cy4KClJhbmdlIGNoZWNrIHRoZSBpbnB1dCBzZWdtZW50IG9mICpfZ2V0X3Nl Z19yZWcoKSBhZ2FpbnN0IHRoZSBzaXplIG9mIHRoZSBhcnJheQp1c2VkIHRv IGNhY2hlIHRoZSByZXN1bHRzLCB0byBhdm9pZCBvdmVycnVucyBpbiB0aGUg Y2FzZSB0aGF0IHRoZSBjYWxsZXJzCmRvbid0IGZpbHRlciB0aGVpciBpbnB1 dCBzdWl0YWJseS4KClN1YnN1bWUgdGhlIGlzX3g4Nl91c2VyX3NlZ21lbnQo c2VnKSBjaGVja3MgZnJvbSB0aGUgc2hhZG93IGNvZGUsIHdoaWNoIHdlcmUK YW4gaW5jb21wbGV0ZSBhdHRlbXB0IGF0IHJhbmdlIGNoZWNraW5nLCBhbmQg YXJlIG5vdyBzdXBlcmNlZWRlZC4gIE1ha2UKaHZtX2dldF9zZWdfcmVnKCkg c3RhdGljLCBhcyBpdCBpcyBub3QgdXNlZCBvdXRzaWRlIG9mIHNoYWRvdy9j b21tb24uYwoKTm8gZnVuY3Rpb25hbCBjaGFuZ2UsIGJ1dCBmYXIgZWFzaWVy IHRvIHJlYXNvbiB0aGF0IG5vIG92ZXJmbG93IGlzIHBvc3NpYmxlLgoKUmVw b3J0ZWQtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJp eC5jb20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5j b29wZXIzQGNpdHJpeC5jb20+CkFja2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1A eGVuLm9yZz4KQWNrZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNl LmNvbT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCkBAIC01MjYsNiArNTI2LDgg QEAgc3RhdGljIGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAg ICAgICAgICAgICAgICAgICAgICAgICAgPyAxIDogNDA5Nik7CiAKICAgICBy ZWcgPSBodm1lbXVsX2dldF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0KTsK KyAgICBpZiAoIElTX0VSUihyZWcpICkKKyAgICAgICAgcmV0dXJuIC1QVFJf RVJSKHJlZyk7CiAKICAgICBpZiAoIChodm1lbXVsX2N0eHQtPmN0eHQucmVn cy0+ZWZsYWdzICYgWDg2X0VGTEFHU19ERikgJiYgKCpyZXBzID4gMSkgKQog ICAgIHsKQEAgLTEzNjAsNiArMTM2MiwxMCBAQCBzdGF0aWMgaW50IGh2bWVt dWxfcmVhZF9zZWdtZW50KAogICAgIHN0cnVjdCBodm1fZW11bGF0ZV9jdHh0 ICpodm1lbXVsX2N0eHQgPQogICAgICAgICBjb250YWluZXJfb2YoY3R4dCwg c3RydWN0IGh2bV9lbXVsYXRlX2N0eHQsIGN0eHQpOwogICAgIHN0cnVjdCBz ZWdtZW50X3JlZ2lzdGVyICpzcmVnID0gaHZtZW11bF9nZXRfc2VnX3JlZyhz ZWcsIGh2bWVtdWxfY3R4dCk7CisKKyAgICBpZiAoIElTX0VSUihzcmVnKSAp CisgICAgICAgICByZXR1cm4gLVBUUl9FUlIoc3JlZyk7CisKICAgICBtZW1j cHkocmVnLCBzcmVnLCBzaXplb2Yoc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIp KTsKICAgICByZXR1cm4gWDg2RU1VTF9PS0FZOwogfQpAQCAtMTM3Myw2ICsx Mzc5LDkgQEAgc3RhdGljIGludCBodm1lbXVsX3dyaXRlX3NlZ21lbnQoCiAg ICAgICAgIGNvbnRhaW5lcl9vZihjdHh0LCBzdHJ1Y3QgaHZtX2VtdWxhdGVf Y3R4dCwgY3R4dCk7CiAgICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNy ZWcgPSBodm1lbXVsX2dldF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0KTsK IAorICAgIGlmICggSVNfRVJSKHNyZWcpICkKKyAgICAgICAgIHJldHVybiAt UFRSX0VSUihzcmVnKTsKKwogICAgIG1lbWNweShzcmVnLCByZWcsIHNpemVv ZihzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlcikpOwogICAgIF9fc2V0X2JpdChz ZWcsICZodm1lbXVsX2N0eHQtPnNlZ19yZWdfZGlydHkpOwogCkBAIC0xOTEx LDEwICsxOTIwLDE3IEBAIHZvaWQgaHZtX2VtdWxhdGVfd3JpdGViYWNrKAog ICAgIH0KIH0KIAorLyoKKyAqIENhbGxlcnMgd2hpY2ggcGFzcyBhIGtub3du IGluLXJhbmdlIHg4Nl9zZWdtZW50IGNhbiByZWx5IG9uIHRoZSByZXR1cm4K KyAqIHBvaW50ZXIgYmVpbmcgdmFsaWQuICBPdGhlciBjYWxsZXJzIG11c3Qg ZXhwbGljaXRseSBjaGVjayBmb3IgZXJyb3JzLgorICovCiBzdHJ1Y3Qgc2Vn bWVudF9yZWdpc3RlciAqaHZtZW11bF9nZXRfc2VnX3JlZygKICAgICBlbnVt IHg4Nl9zZWdtZW50IHNlZywKICAgICBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4 dCAqaHZtZW11bF9jdHh0KQogeworICAgIGlmICggc2VnIDwgMCB8fCBzZWcg Pj0gQVJSQVlfU0laRShodm1lbXVsX2N0eHQtPnNlZ19yZWcpICkKKyAgICAg ICAgcmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsKKwog ICAgIGlmICggIV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZodm1lbXVsX2N0 eHQtPnNlZ19yZWdfYWNjZXNzZWQpICkKICAgICAgICAgaHZtX2dldF9zZWdt ZW50X3JlZ2lzdGVyKGN1cnJlbnQsIHNlZywgJmh2bWVtdWxfY3R4dC0+c2Vn X3JlZ1tzZWddKTsKICAgICByZXR1cm4gJmh2bWVtdWxfY3R4dC0+c2VnX3Jl Z1tzZWddOwotLS0gYS94ZW4vYXJjaC94ODYvbW0vc2hhZG93L2NvbW1vbi5j CisrKyBiL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMKQEAgLTEy NSwxMCArMTI1LDE5IEBAIF9faW5pdGNhbGwoc2hhZG93X2F1ZGl0X2tleV9p bml0KTsKIC8qIHg4NiBlbXVsYXRvciBzdXBwb3J0IGZvciB0aGUgc2hhZG93 IGNvZGUKICAqLwogCisvKgorICogQ2FsbGVycyB3aGljaCBwYXNzIGEga25v d24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24gdGhlIHJldHVy bgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNhbGxlcnMgbXVz dCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8KIHN0cnVjdCBz ZWdtZW50X3JlZ2lzdGVyICpodm1fZ2V0X3NlZ19yZWcoCiAgICAgZW51bSB4 ODZfc2VnbWVudCBzZWcsIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0 eHQpCiB7Ci0gICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNlZ19yZWcg PSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOworICAgIHN0cnVjdCBzZWdtZW50 X3JlZ2lzdGVyICpzZWdfcmVnOworCisgICAgaWYgKCBzZWcgPCAwIHx8IHNl ZyA+PSBBUlJBWV9TSVpFKHNoX2N0eHQtPnNlZ19yZWcpICkKKyAgICAgICAg cmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsKKworICAg IHNlZ19yZWcgPSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOwogICAgIGlmICgg IV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZzaF9jdHh0LT52YWxpZF9zZWdf cmVncykgKQogICAgICAgICBodm1fZ2V0X3NlZ21lbnRfcmVnaXN0ZXIoY3Vy cmVudCwgc2VnLCBzZWdfcmVnKTsKICAgICByZXR1cm4gc2VnX3JlZzsKQEAg LTE0NSwxNCArMTU0LDkgQEAgc3RhdGljIGludCBodm1fdHJhbnNsYXRlX2xp bmVhcl9hZGRyKAogICAgIHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpyZWc7 CiAgICAgaW50IG9rYXk7CiAKLSAgICAvKgotICAgICAqIENhbiBhcnJpdmUg aGVyZSB3aXRoIG5vbi11c2VyIHNlZ21lbnRzLiAgSG93ZXZlciwgbm8gc3Vj aCBjaXJ1Y21zdGFuY2UKLSAgICAgKiBpcyBwYXJ0IG9mIGEgbGVnaXRpbWF0 ZSBwYWdldGFibGUgdXBkYXRlLCBzbyBmYWlsIHRoZSBlbXVsYXRpb24uCi0g ICAgICovCi0gICAgaWYgKCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkK LSAgICAgICAgcmV0dXJuIFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAgICAg cmVnID0gaHZtX2dldF9zZWdfcmVnKHNlZywgc2hfY3R4dCk7CisgICAgaWYg KCBJU19FUlIocmVnKSApCisgICAgICAgIHJldHVybiAtUFRSX0VSUihyZWcp OwogCiAgICAgb2theSA9IGh2bV92aXJ0dWFsX3RvX2xpbmVhcl9hZGRyKAog ICAgICAgICBzZWcsIHJlZywgb2Zmc2V0LCBieXRlcywgYWNjZXNzX3R5cGUs IHNoX2N0eHQtPmN0eHQuYWRkcl9zaXplLCBwYWRkcik7CkBAIC0yNTQsOSAr MjU4LDYgQEAgaHZtX2VtdWxhdGVfd3JpdGUoZW51bSB4ODZfc2VnbWVudCBz ZWcsCiAgICAgdW5zaWduZWQgbG9uZyBhZGRyOwogICAgIGludCByYzsKIAot ICAgIGlmICggIWlzX3g4Nl91c2VyX3NlZ21lbnQoc2VnKSApCi0gICAgICAg IHJldHVybiBYODZFTVVMX1VOSEFORExFQUJMRTsKLQogICAgIC8qIEhvdyBt YW55IGVtdWxhdGlvbnMgY291bGQgd2Ugc2F2ZSBpZiB3ZSB1bnNoYWRvd2Vk IG9uIHN0YWNrIHdyaXRlcz8gKi8KICAgICBpZiAoIHNlZyA9PSB4ODZfc2Vn X3NzICkKICAgICAgICAgcGVyZmNfaW5jcihzaGFkb3dfZmF1bHRfZW11bGF0 ZV9zdGFjayk7CkBAIC0yODQsOSArMjg1LDYgQEAgaHZtX2VtdWxhdGVfY21w eGNoZyhlbnVtIHg4Nl9zZWdtZW50IHNlZwogICAgIHVuc2lnbmVkIGxvbmcg YWRkciwgb2xkWzJdLCBuZXdbMl07CiAgICAgaW50IHJjOwogCi0gICAgaWYg KCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkKLSAgICAgICAgcmV0dXJu IFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAgICAgcmMgPSBodm1fdHJhbnNs YXRlX2xpbmVhcl9hZGRyKAogICAgICAgICBzZWcsIG9mZnNldCwgYnl0ZXMs IGh2bV9hY2Nlc3Nfd3JpdGUsIHNoX2N0eHQsICZhZGRyKTsKICAgICBpZiAo IHJjICkKLS0tIGEveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vZW11bGF0ZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaApAQCAt MTMsNiArMTMsNyBAQAogI2RlZmluZSBfX0FTTV9YODZfSFZNX0VNVUxBVEVf SF9fCiAKICNpbmNsdWRlIDx4ZW4vY29uZmlnLmg+CisjaW5jbHVkZSA8eGVu L2Vyci5oPgogI2luY2x1ZGUgPGFzbS9odm0vaHZtLmg+CiAjaW5jbHVkZSA8 YXNtL3g4Nl9lbXVsYXRlLmg+CiAK --=separator Content-Type: application/octet-stream; name="xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch" Content-Disposition: attachment; filename="xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NoYWRvdzogQXZvaWQgb3ZlcmZsb3dpbmcgc2hf Y3R4dC0+c2VnX3JlZ1tdCgpodm1fZ2V0X3NlZ19yZWcoKSBkb2VzIG5vdCBw ZXJmb3JtIGEgcmFuZ2UgY2hlY2sgb24gaXRzIGlucHV0IHNlZ21lbnQsIGNh bGxzCmh2bV9nZXRfc2VnbWVudF9yZWdpc3RlcigpIGFuZCB3cml0ZXMgc3Ry YWlnaHQgaW50byBzaF9jdHh0LT5zZWdfcmVnW10uCgp4ODZfc2VnX25vbmUg aXMgb3V0c2lkZSB0aGUgYm91bmRzIG9mIHNoX2N0eHQtPnNlZ19yZWdbXSwg YW5kIHdpbGwgaGl0IGEgQlVHKCkKaW4ge3ZteCxzdm19X2dldF9zZWdtZW50 X3JlZ2lzdGVyKCkuCgpIVk0gZ3Vlc3RzIHJ1bm5pbmcgd2l0aCBzaGFkb3cg cGFnaW5nIGNhbiBlbmQgdXAgcGVyZm9ybWluZyBhIHZpcnR1YWwgdG8KbGlu ZWFyIHRyYW5zbGF0aW9uIHdpdGggeDg2X3NlZ19ub25lLiAgVGhpcyBpcyB1 c2VkIGZvciBhZGRyZXNzZXMgd2hpY2ggYXJlCmFscmVhZHkgbGluZWFyLiAg SG93ZXZlciwgbm9uZSBvZiB0aGlzIGlzIGEgbGVnaXRpbWF0ZSBwYWdldGFi bGUgdXBkYXRlLCBzbwpmYWlsIHRoZSBlbXVsYXRpb24gaW4gc3VjaCBhIGNh c2UuCgpUaGlzIGlzIFhTQS0xODcKClJlcG9ydGVkLWJ5OiBBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpTaWduZWQtb2ZmLWJ5 OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpS ZXZpZXdlZC1ieTogVGltIERlZWdhbiA8dGltQHhlbi5vcmc+CgotLS0gYS94 ZW4vYXJjaC94ODYvbW0vc2hhZG93L2NvbW1vbi5jCisrKyBiL3hlbi9hcmNo L3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMKQEAgLTE0MCw5ICsxNDAsMTggQEAg c3RhdGljIGludCBodm1fdHJhbnNsYXRlX2xpbmVhcl9hZGRyKAogICAgIHN0 cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0eHQsCiAgICAgdW5zaWduZWQg bG9uZyAqcGFkZHIpCiB7Ci0gICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIg KnJlZyA9IGh2bV9nZXRfc2VnX3JlZyhzZWcsIHNoX2N0eHQpOworICAgIHN0 cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpyZWc7CiAgICAgaW50IG9rYXk7CiAK KyAgICAvKgorICAgICAqIENhbiBhcnJpdmUgaGVyZSB3aXRoIG5vbi11c2Vy IHNlZ21lbnRzLiAgSG93ZXZlciwgbm8gc3VjaCBjaXJ1Y21zdGFuY2UKKyAg ICAgKiBpcyBwYXJ0IG9mIGEgbGVnaXRpbWF0ZSBwYWdldGFibGUgdXBkYXRl LCBzbyBmYWlsIHRoZSBlbXVsYXRpb24uCisgICAgICovCisgICAgaWYgKCAh aXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkKKyAgICAgICAgcmV0dXJuIFg4 NkVNVUxfVU5IQU5ETEVBQkxFOworCisgICAgcmVnID0gaHZtX2dldF9zZWdf cmVnKHNlZywgc2hfY3R4dCk7CisKICAgICBva2F5ID0gaHZtX3ZpcnR1YWxf dG9fbGluZWFyX2FkZHIoCiAgICAgICAgIHNlZywgcmVnLCBvZmZzZXQsIGJ5 dGVzLCBhY2Nlc3NfdHlwZSwgc2hfY3R4dC0+Y3R4dC5hZGRyX3NpemUsIHBh ZGRyKTsKIAo= --=separator Content-Type: application/octet-stream; name="xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Disposition: attachment; filename="xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3Nl cyB0byBlbXVsYXRpb24gY3R4dC0+c2VnX3JlZ1tdCgpIVk0gSEFQIGNvZGVw YXRocyBoYXZlIHNwYWNlIGZvciBhbGwgc2VnbWVudCByZWdpc3RlcnMgaW4g dGhlIHNlZ19yZWdbXQpjYWNoZSAod2l0aCB4ODZfc2VnX25vbmUgc3RpbGwg cmlza2luZyBhbiBhcnJheSBvdmVycnVuKSwgd2hpbGUgdGhlIHNoYWRvdwpj b2RlcGF0aHMgb25seSBoYXZlIHNwYWNlIGZvciB0aGUgdXNlciBzZWdtZW50 cy4KClJhbmdlIGNoZWNrIHRoZSBpbnB1dCBzZWdtZW50IG9mICpfZ2V0X3Nl Z19yZWcoKSBhZ2FpbnN0IHRoZSBzaXplIG9mIHRoZSBhcnJheQp1c2VkIHRv IGNhY2hlIHRoZSByZXN1bHRzLCB0byBhdm9pZCBvdmVycnVucyBpbiB0aGUg Y2FzZSB0aGF0IHRoZSBjYWxsZXJzCmRvbid0IGZpbHRlciB0aGVpciBpbnB1 dCBzdWl0YWJseS4KClN1YnN1bWUgdGhlIGlzX3g4Nl91c2VyX3NlZ21lbnQo c2VnKSBjaGVja3MgZnJvbSB0aGUgc2hhZG93IGNvZGUsIHdoaWNoIHdlcmUK YW4gaW5jb21wbGV0ZSBhdHRlbXB0IGF0IHJhbmdlIGNoZWNraW5nLCBhbmQg YXJlIG5vdyBzdXBlcmNlZWRlZC4gIE1ha2UKaHZtX2dldF9zZWdfcmVnKCkg c3RhdGljLCBhcyBpdCBpcyBub3QgdXNlZCBvdXRzaWRlIG9mIHNoYWRvdy9j b21tb24uYwoKTm8gZnVuY3Rpb25hbCBjaGFuZ2UsIGJ1dCBmYXIgZWFzaWVy IHRvIHJlYXNvbiB0aGF0IG5vIG92ZXJmbG93IGlzIHBvc3NpYmxlLgoKUmVw b3J0ZWQtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJp eC5jb20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5j b29wZXIzQGNpdHJpeC5jb20+CkFja2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1A eGVuLm9yZz4KQWNrZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNl LmNvbT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCkBAIC01MzQsNiArNTM0LDgg QEAgc3RhdGljIGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAg ICpyZXBzID0gbWluX3QodW5zaWduZWQgbG9uZywgKnJlcHMsIG1heF9yZXBz KTsKIAogICAgIHJlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1l bXVsX2N0eHQpOworICAgIGlmICggSVNfRVJSKHJlZykgKQorICAgICAgICBy ZXR1cm4gLVBUUl9FUlIocmVnKTsKIAogICAgIGlmICggKGh2bWVtdWxfY3R4 dC0+Y3R4dC5yZWdzLT5lZmxhZ3MgJiBYODZfRUZMQUdTX0RGKSAmJiAoKnJl cHMgPiAxKSApCiAgICAgewpAQCAtMTM2OSw2ICsxMzcxLDEwIEBAIHN0YXRp YyBpbnQgaHZtZW11bF9yZWFkX3NlZ21lbnQoCiAgICAgc3RydWN0IGh2bV9l bXVsYXRlX2N0eHQgKmh2bWVtdWxfY3R4dCA9CiAgICAgICAgIGNvbnRhaW5l cl9vZihjdHh0LCBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCwgY3R4dCk7CiAg ICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNyZWcgPSBodm1lbXVsX2dl dF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0KTsKKworICAgIGlmICggSVNf RVJSKHNyZWcpICkKKyAgICAgICAgIHJldHVybiAtUFRSX0VSUihzcmVnKTsK KwogICAgIG1lbWNweShyZWcsIHNyZWcsIHNpemVvZihzdHJ1Y3Qgc2VnbWVu dF9yZWdpc3RlcikpOwogICAgIHJldHVybiBYODZFTVVMX09LQVk7CiB9CkBA IC0xMzgyLDYgKzEzODgsOSBAQCBzdGF0aWMgaW50IGh2bWVtdWxfd3JpdGVf c2VnbWVudCgKICAgICAgICAgY29udGFpbmVyX29mKGN0eHQsIHN0cnVjdCBo dm1fZW11bGF0ZV9jdHh0LCBjdHh0KTsKICAgICBzdHJ1Y3Qgc2VnbWVudF9y ZWdpc3RlciAqc3JlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1l bXVsX2N0eHQpOwogCisgICAgaWYgKCBJU19FUlIoc3JlZykgKQorICAgICAg ICAgcmV0dXJuIC1QVFJfRVJSKHNyZWcpOworCiAgICAgbWVtY3B5KHNyZWcs IHJlZywgc2l6ZW9mKHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyKSk7CiAgICAg X19zZXRfYml0KHNlZywgJmh2bWVtdWxfY3R4dC0+c2VnX3JlZ19kaXJ0eSk7 CiAKQEAgLTE5MzQsMTAgKzE5NDMsMTcgQEAgdm9pZCBodm1fZW11bGF0ZV93 cml0ZWJhY2soCiAgICAgfQogfQogCisvKgorICogQ2FsbGVycyB3aGljaCBw YXNzIGEga25vd24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24g dGhlIHJldHVybgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNh bGxlcnMgbXVzdCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8K IHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpodm1lbXVsX2dldF9zZWdfcmVn KAogICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLAogICAgIHN0cnVjdCBodm1f ZW11bGF0ZV9jdHh0ICpodm1lbXVsX2N0eHQpCiB7CisgICAgaWYgKCBzZWcg PCAwIHx8IHNlZyA+PSBBUlJBWV9TSVpFKGh2bWVtdWxfY3R4dC0+c2VnX3Jl ZykgKQorICAgICAgICByZXR1cm4gRVJSX1BUUigtWDg2RU1VTF9VTkhBTkRM RUFCTEUpOworCiAgICAgaWYgKCAhX190ZXN0X2FuZF9zZXRfYml0KHNlZywg Jmh2bWVtdWxfY3R4dC0+c2VnX3JlZ19hY2Nlc3NlZCkgKQogICAgICAgICBo dm1fZ2V0X3NlZ21lbnRfcmVnaXN0ZXIoY3VycmVudCwgc2VnLCAmaHZtZW11 bF9jdHh0LT5zZWdfcmVnW3NlZ10pOwogICAgIHJldHVybiAmaHZtZW11bF9j dHh0LT5zZWdfcmVnW3NlZ107Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9zaGFk b3cvY29tbW9uLmMKKysrIGIveGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21t b24uYwpAQCAtMTIzLDEwICsxMjMsMTkgQEAgX19pbml0Y2FsbChzaGFkb3df YXVkaXRfa2V5X2luaXQpOwogLyogeDg2IGVtdWxhdG9yIHN1cHBvcnQgZm9y IHRoZSBzaGFkb3cgY29kZQogICovCiAKLXN0cnVjdCBzZWdtZW50X3JlZ2lz dGVyICpodm1fZ2V0X3NlZ19yZWcoCisvKgorICogQ2FsbGVycyB3aGljaCBw YXNzIGEga25vd24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24g dGhlIHJldHVybgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNh bGxlcnMgbXVzdCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8K K3N0YXRpYyBzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlciAqaHZtX2dldF9zZWdf cmVnKAogICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLCBzdHJ1Y3Qgc2hfZW11 bGF0ZV9jdHh0ICpzaF9jdHh0KQogewotICAgIHN0cnVjdCBzZWdtZW50X3Jl Z2lzdGVyICpzZWdfcmVnID0gJnNoX2N0eHQtPnNlZ19yZWdbc2VnXTsKKyAg ICBzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlciAqc2VnX3JlZzsKKworICAgIGlm ICggc2VnIDwgMCB8fCBzZWcgPj0gQVJSQVlfU0laRShzaF9jdHh0LT5zZWdf cmVnKSApCisgICAgICAgIHJldHVybiBFUlJfUFRSKC1YODZFTVVMX1VOSEFO RExFQUJMRSk7CisKKyAgICBzZWdfcmVnID0gJnNoX2N0eHQtPnNlZ19yZWdb c2VnXTsKICAgICBpZiAoICFfX3Rlc3RfYW5kX3NldF9iaXQoc2VnLCAmc2hf Y3R4dC0+dmFsaWRfc2VnX3JlZ3MpICkKICAgICAgICAgaHZtX2dldF9zZWdt ZW50X3JlZ2lzdGVyKGN1cnJlbnQsIHNlZywgc2VnX3JlZyk7CiAgICAgcmV0 dXJuIHNlZ19yZWc7CkBAIC0xNDMsMTQgKzE1Miw5IEBAIHN0YXRpYyBpbnQg aHZtX3RyYW5zbGF0ZV9saW5lYXJfYWRkcigKICAgICBzdHJ1Y3Qgc2VnbWVu dF9yZWdpc3RlciAqcmVnOwogICAgIGludCBva2F5OwogCi0gICAgLyoKLSAg ICAgKiBDYW4gYXJyaXZlIGhlcmUgd2l0aCBub24tdXNlciBzZWdtZW50cy4g IEhvd2V2ZXIsIG5vIHN1Y2ggY2lydWNtc3RhbmNlCi0gICAgICogaXMgcGFy dCBvZiBhIGxlZ2l0aW1hdGUgcGFnZXRhYmxlIHVwZGF0ZSwgc28gZmFpbCB0 aGUgZW11bGF0aW9uLgotICAgICAqLwotICAgIGlmICggIWlzX3g4Nl91c2Vy X3NlZ21lbnQoc2VnKSApCi0gICAgICAgIHJldHVybiBYODZFTVVMX1VOSEFO RExFQUJMRTsKLQogICAgIHJlZyA9IGh2bV9nZXRfc2VnX3JlZyhzZWcsIHNo X2N0eHQpOworICAgIGlmICggSVNfRVJSKHJlZykgKQorICAgICAgICByZXR1 cm4gLVBUUl9FUlIocmVnKTsKIAogICAgIG9rYXkgPSBodm1fdmlydHVhbF90 b19saW5lYXJfYWRkcigKICAgICAgICAgc2VnLCByZWcsIG9mZnNldCwgYnl0 ZXMsIGFjY2Vzc190eXBlLCBzaF9jdHh0LT5jdHh0LmFkZHJfc2l6ZSwgcGFk ZHIpOwpAQCAtMjUzLDkgKzI1Nyw2IEBAIGh2bV9lbXVsYXRlX3dyaXRlKGVu dW0geDg2X3NlZ21lbnQgc2VnLAogICAgIHVuc2lnbmVkIGxvbmcgYWRkcjsK ICAgICBpbnQgcmM7CiAKLSAgICBpZiAoICFpc194ODZfdXNlcl9zZWdtZW50 KHNlZykgKQotICAgICAgICByZXR1cm4gWDg2RU1VTF9VTkhBTkRMRUFCTEU7 Ci0KICAgICAvKiBIb3cgbWFueSBlbXVsYXRpb25zIGNvdWxkIHdlIHNhdmUg aWYgd2UgdW5zaGFkb3dlZCBvbiBzdGFjayB3cml0ZXM/ICovCiAgICAgaWYg KCBzZWcgPT0geDg2X3NlZ19zcyApCiAgICAgICAgIHBlcmZjX2luY3Ioc2hh ZG93X2ZhdWx0X2VtdWxhdGVfc3RhY2spOwpAQCAtMjgzLDcgKzI4NCw3IEBA IGh2bV9lbXVsYXRlX2NtcHhjaGcoZW51bSB4ODZfc2VnbWVudCBzZWcKICAg ICB1bnNpZ25lZCBsb25nIGFkZHIsIG9sZCwgbmV3OwogICAgIGludCByYzsK IAotICAgIGlmICggIWlzX3g4Nl91c2VyX3NlZ21lbnQoc2VnKSB8fCBieXRl cyA+IHNpemVvZihsb25nKSApCisgICAgaWYgKCBieXRlcyA+IHNpemVvZihs b25nKSApCiAgICAgICAgIHJldHVybiBYODZFTVVMX1VOSEFORExFQUJMRTsK IAogICAgIHJjID0gaHZtX3RyYW5zbGF0ZV9saW5lYXJfYWRkcigKLS0tIGEv eGVuL2FyY2gveDg2L21tL3NoYWRvdy9wcml2YXRlLmgKKysrIGIveGVuL2Fy Y2gveDg2L21tL3NoYWRvdy9wcml2YXRlLmgKQEAgLTc0MCw4ICs3NDAsNiBA QCBjb25zdCBzdHJ1Y3QgeDg2X2VtdWxhdGVfb3BzICpzaGFkb3dfaW5pCiAg ICAgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4dCwgc3RydWN0IGNw dV91c2VyX3JlZ3MgKnJlZ3MpOwogdm9pZCBzaGFkb3dfY29udGludWVfZW11 bGF0aW9uKAogICAgIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0eHQs IHN0cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKTsKLXN0cnVjdCBzZWdtZW50 X3JlZ2lzdGVyICpodm1fZ2V0X3NlZ19yZWcoCi0gICAgZW51bSB4ODZfc2Vn bWVudCBzZWcsIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0eHQpOwog CiAjaWYgKFNIQURPV19PUFRJTUlaQVRJT05TICYgU0hPUFRfVklSVFVBTF9U TEIpCiAvKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiovCi0tLSBhL3hl bi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaAorKysgYi94ZW4vaW5j bHVkZS9hc20teDg2L2h2bS9lbXVsYXRlLmgKQEAgLTEzLDYgKzEzLDcgQEAK ICNkZWZpbmUgX19BU01fWDg2X0hWTV9FTVVMQVRFX0hfXwogCiAjaW5jbHVk ZSA8eGVuL2NvbmZpZy5oPgorI2luY2x1ZGUgPHhlbi9lcnIuaD4KICNpbmNs dWRlIDxhc20vaHZtL2h2bS5oPgogI2luY2x1ZGUgPGFzbS94ODZfZW11bGF0 ZS5oPgogCg== --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Thu Sep 08 12:06:21 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 08 Sep 2016 12:06:21 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy4u-00017C-Mm; Thu, 08 Sep 2016 12:05:12 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy4s-00016U-Dj; Thu, 08 Sep 2016 12:05:10 +0000 Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id F7/86-01957-5F351D75; Thu, 08 Sep 2016 12:05:09 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLJsWRWlGSWpSXmKPExsWS0XRdVfdL8MV wg0PH5C1u3WxltljycTGLxaqrB1gdmD2O7v7NFMAYxZqZl5RfkcCa8fHZMbaCtaeZKro/vGdt YNy7n6mLkYtDSOA4o0TDjZ1sEM4iRomba1pYuhg5OZgFXCVu7NvMBmErSly41wAW5xUQlDg58 wmYLSGgKXHnzSp2EFtEoEhi57mXYDabgJ7E3LOTmCB6dSRe7l8NZgsLxEqcWj2FFWKOmcTWk1 /BbBYBVYlZG46zTWDkmYVk9Swkq2chWT2LkQMorimxfpc+hCktsfwfB0S1vMT2t3OYIew8iSd XOqDsbInOjUtYYSZO6X7IDmGXSSy+vJcNYkyxxMQHoZhKKiR+H3nGBGGXSjy4/JURm5oL7VuY YWr2nj/NhqkmT2LK73lw5+xpnYrVnOYPx1hg5rQuPMiMrGYBo8QqRvXi1KKy1CJdM72kosz0j JLcxMwcXUMDU73c1OLixPTUnMSkYr3k/NxNjMBEwgAEOxinNjgfYpTkYFIS5fUpvhAuxJeUn1 KZkVicEV9UmpNafIhRhoNDSYK3P+hiuJBgUWp6akVaZg4wpcGkJTh4lER4PUDSvMUFibnFmek QqVOMxhxLpl9by8Sx6Obj/UxCLHn5ealS4rxbQUoFQEozSvPgBsFS7SVGWSlhXkag04R4ClKL cjNLUOVfMYpzMCoJ824CmcKTmVcCt+8V0ClMQKcInToPckpJIkJKqoGRYfXWqTdEtVYU83kYW HfePr47pbXS6dtXM99JZ45zPp7rvmJatHV6Ubrdudzr7wJELFd838SoJJ//U1x8qfTuXvGK3d faXk+6bzZTWtdgf6GVaZ2/9AnpZc58oUHLpSVCiufNz7+9NfORbMhF3Sllx3dWWMgVvv05yTR qUej7sKy1miuzTc4rsRRnJBpqMRcVJwIASr2oT7ADAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-2.tower-206.messagelabs.com!1473336307!42485637!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 44657 invoked from network); 8 Sep 2016 12:05:08 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-2.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 8 Sep 2016 12:05:08 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bhy4i-0003TQ-IT; Thu, 08 Sep 2016 12:05:00 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1bhy4i-0001oa-Fi; Thu, 08 Sep 2016 12:05:00 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Thu, 08 Sep 2016 12:05:00 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 187 (CVE-2016-7094) - x86 HVM: Overflow of sh_ctxt->seg_reg[] X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-7094 / XSA-187 version 3 x86 HVM: Overflow of sh_ctxt->seg_reg[] UPDATES IN VERSION 3 ==================== Fix the backports xsa187-4.6-0002-*.patch and xsa187-4.4-0002-*.patch. In v1 and v2 these did not compile in debug builds. (Debug builds should not be used in production.) Public release. ISSUE DESCRIPTION ================= x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. IMPACT ====== A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. The vulnerability is only exposed to HVM guests on x86 hardware, which are configured to run with shadow paging. The vulnerability is not exposed to x86 PV guests, x86 HVM guests running with hardware assisted paging, or ARM guests. x86 HVM guests run in HAP mode by default on modern CPUs. To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this: (XEN) General information for domain 2: (XEN) refcnt=1 dying=2 pause_count=2 (XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400 (XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000 (XEN) paging assistance: hap refcounts translate external ^^^ The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. On hardware which supports Hardware Assisted Paging, configuring the guests to not run with shadow paging will avoid this vulnerability. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the first patch will resolve this issue. The second patch provides additional assurance that the vulnerability is truly eliminated and that there are no related problems. If hotpatching, applying only the first patch is recommended since the second patch is awkward for hotpatching. If deploying new builds, applying both patches is recommended. Xen version First patch Second patch xen-unstable: xsa187-0001-*.patch xsa187-0002-*.patch Xen 4.7.x: xsa187-4.7-0001-*.patch xsa187-4.7-0002-*.patch Xen 4.6.x: xsa187-4.7-0001-*.patch xsa187-4.6-0002-*.patch Xen 4.5.x: xsa187-4.7-0001-*.patch xsa187-4.6-0002-*.patch Xen 4.4.x: xsa187-4.7-0001-*.patch xsa187-4.4-0002-*.patch $ sha256sum xsa187* 65205ee195699d65884af04083ffb86c6ddbc96cbca3141c87f6b2d671de45a3 xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch f90e6d13385fb9219e1e26e3a148d1670aefc7130e0639415d08bbb6a1d9efee xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch 727b18ae83001f7ea04613aa7199ada3e6a84939aa44516f7c426e609d383b2a xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch 36b22d6a168be39f31a1c1304f708269a2a10fe5105f7da4a06877d6059f1cd6 xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the "reconfigure to use HAP" MITIGATION is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the mitigation result in guest-visible changes. Deployment of this mitigation is permitted only AFTER the embargo ends. Deployment of the PATCHES described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX0VPlAAoJEIP+FMlX6CvZeIQIALJEH1stiHZLs2Kc8AKTTbUh ZM3pGSUYC9AFMpn3ovuXgOJjYfX1YY89nAOKlDKuiPaaUz01mmqWXGBDBmqZ1IU0 9BjPfnnMYoqeHcrjz0+KajSO6kf/iepUdUx1IiduA48k/7VUvqU8P/s/UiutXerF YvHcc+a6lLIPPcXjWW6ftSEagGHUmB+qcHh4aptxVq/xEdIQysAGtUU7MMG9ihsN VY3MN6aQiIFRr56ICZJ7K+s9Rw+xWfOVXj8FZAoq2mDPns6pQT0obyCrIbfQcywA 6GMXWXVf4vSR/dgQm8xD95/3gFPd1IfuwxjOvHkfJlqxxCfa8JT6oVsQfZskhhs= =/Mbl -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch" Content-Disposition: attachment; filename="xsa187-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch" Content-Transfer-Encoding: base64 RnJvbSA1ZWI3YmRjMTU5OGY4ZmRkNmQ1M2VjOGU1NGVlNWFjODk0MTkyZTI1 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDEgSnVs IDIwMTYgMDE6MDI6MDQgKzAxMDAKU3ViamVjdDogW1BBVENIIDEvMl0geDg2 L3NoYWRvdzogQXZvaWQgb3ZlcmZsb3dpbmcgc2hfY3R4dC0+c2VnX3JlZ1td Cgpodm1fZ2V0X3NlZ19yZWcoKSBkb2VzIG5vdCBwZXJmb3JtIGEgcmFuZ2Ug Y2hlY2sgb24gaXRzIGlucHV0IHNlZ21lbnQsIGNhbGxzCmh2bV9nZXRfc2Vn bWVudF9yZWdpc3RlcigpIGFuZCB3cml0ZXMgc3RyYWlnaHQgaW50byBzaF9j dHh0LT5zZWdfcmVnW10uCgp4ODZfc2VnX25vbmUgaXMgb3V0c2lkZSB0aGUg Ym91bmRzIG9mIHNoX2N0eHQtPnNlZ19yZWdbXSwgYW5kIHdpbGwgaGl0IGEg QlVHKCkKaW4ge3ZteCxzdm19X2dldF9zZWdtZW50X3JlZ2lzdGVyKCkuCgpI Vk0gZ3Vlc3RzIHJ1bm5pbmcgd2l0aCBzaGFkb3cgcGFnaW5nIGNhbiBlbmQg dXAgcGVyZm9ybWluZyBhIHZpcnR1YWwgdG8KbGluZWFyIHRyYW5zbGF0aW9u IHdpdGggeDg2X3NlZ19ub25lLiAgVGhpcyBpcyB1c2VkIGZvciBhZGRyZXNz ZXMgd2hpY2ggYXJlCmFscmVhZHkgbGluZWFyLiAgSG93ZXZlciwgbm9uZSBv ZiB0aGlzIGlzIGEgbGVnaXRpbWF0ZSBwYWdldGFibGUgdXBkYXRlLCBzbwpm YWlsIHRoZSBlbXVsYXRpb24gaW4gc3VjaCBhIGNhc2UuCgpUaGlzIGlzIFhT QS0xODcKClJlcG9ydGVkLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29v cGVyM0BjaXRyaXguY29tPgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpSZXZpZXdlZC1ieTogVGlt IERlZWdhbiA8dGltQHhlbi5vcmc+Ci0tLQogeGVuL2FyY2gveDg2L21tL3No YWRvdy9jb21tb24uYyB8IDExICsrKysrKysrKystCiAxIGZpbGUgY2hhbmdl ZCwgMTAgaW5zZXJ0aW9ucygrKSwgMSBkZWxldGlvbigtKQoKZGlmZiAtLWdp dCBhL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMgYi94ZW4vYXJj aC94ODYvbW0vc2hhZG93L2NvbW1vbi5jCmluZGV4IGMyMjM2MmYuLmI0MGJm NzEgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9u LmMKKysrIGIveGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21tb24uYwpAQCAt MTQwLDkgKzE0MCwxOCBAQCBzdGF0aWMgaW50IGh2bV90cmFuc2xhdGVfbGlu ZWFyX2FkZHIoCiAgICAgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4 dCwKICAgICB1bnNpZ25lZCBsb25nICpwYWRkcikKIHsKLSAgICBzdHJ1Y3Qg c2VnbWVudF9yZWdpc3RlciAqcmVnID0gaHZtX2dldF9zZWdfcmVnKHNlZywg c2hfY3R4dCk7CisgICAgY29uc3Qgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIg KnJlZzsKICAgICBpbnQgb2theTsKIAorICAgIC8qCisgICAgICogQ2FuIGFy cml2ZSBoZXJlIHdpdGggbm9uLXVzZXIgc2VnbWVudHMuICBIb3dldmVyLCBu byBzdWNoIGNpcnVjbXN0YW5jZQorICAgICAqIGlzIHBhcnQgb2YgYSBsZWdp dGltYXRlIHBhZ2V0YWJsZSB1cGRhdGUsIHNvIGZhaWwgdGhlIGVtdWxhdGlv bi4KKyAgICAgKi8KKyAgICBpZiAoICFpc194ODZfdXNlcl9zZWdtZW50KHNl ZykgKQorICAgICAgICByZXR1cm4gWDg2RU1VTF9VTkhBTkRMRUFCTEU7CisK KyAgICByZWcgPSBodm1fZ2V0X3NlZ19yZWcoc2VnLCBzaF9jdHh0KTsKKwog ICAgIG9rYXkgPSBodm1fdmlydHVhbF90b19saW5lYXJfYWRkcigKICAgICAg ICAgc2VnLCByZWcsIG9mZnNldCwgYnl0ZXMsIGFjY2Vzc190eXBlLCBzaF9j dHh0LT5jdHh0LmFkZHJfc2l6ZSwgcGFkZHIpOwogCi0tIAoyLjEuNAoK --=separator Content-Type: application/octet-stream; name="xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch" Content-Disposition: attachment; filename="xsa187-0002-x86-segment-Bounds-check-accesses-to-emulation-ctxt-.patch" Content-Transfer-Encoding: base64 RnJvbSBkZGY5YjFiZjI2YTFhNDQyYjYxZjI5YTE3MzQzNzQ1ZDZkZGRiNGRl IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDEgSnVs IDIwMTYgMDE6MDI6MDQgKzAxMDAKU3ViamVjdDogW1BBVENIIDIvMl0geDg2 L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3NlcyB0byBlbXVsYXRpb24K IGN0eHQtPnNlZ19yZWdbXQoKSFZNIEhBUCBjb2RlcGF0aHMgaGF2ZSBzcGFj ZSBmb3IgYWxsIHNlZ21lbnQgcmVnaXN0ZXJzIGluIHRoZSBzZWdfcmVnW10K Y2FjaGUgKHdpdGggeDg2X3NlZ19ub25lIHN0aWxsIHJpc2tpbmcgYW4gYXJy YXkgb3ZlcnJ1biksIHdoaWxlIHRoZSBzaGFkb3cKY29kZXBhdGhzIG9ubHkg aGF2ZSBzcGFjZSBmb3IgdGhlIHVzZXIgc2VnbWVudHMuCgpSYW5nZSBjaGVj ayB0aGUgaW5wdXQgc2VnbWVudCBvZiAqX2dldF9zZWdfcmVnKCkgYWdhaW5z dCB0aGUgc2l6ZSBvZiB0aGUgYXJyYXkKdXNlZCB0byBjYWNoZSB0aGUgcmVz dWx0cywgdG8gYXZvaWQgb3ZlcnJ1bnMgaW4gdGhlIGNhc2UgdGhhdCB0aGUg Y2FsbGVycwpkb24ndCBmaWx0ZXIgdGhlaXIgaW5wdXQgc3VpdGFibHkuCgpT dWJzdW1lIHRoZSBpc194ODZfdXNlcl9zZWdtZW50KHNlZykgY2hlY2tzIGZy b20gdGhlIHNoYWRvdyBjb2RlLCB3aGljaCB3ZXJlCmFuIGluY29tcGxldGUg YXR0ZW1wdCBhdCByYW5nZSBjaGVja2luZywgYW5kIGFyZSBub3cgc3VwZXJj ZWVkZWQuICBNYWtlCmh2bV9nZXRfc2VnX3JlZygpIHN0YXRpYywgYXMgaXQg aXMgbm90IHVzZWQgb3V0c2lkZSBvZiBzaGFkb3cvY29tbW9uLmMKCk5vIGZ1 bmN0aW9uYWwgY2hhbmdlLCBidXQgZmFyIGVhc2llciB0byByZWFzb24gdGhh dCBubyBvdmVyZmxvdyBpcyBwb3NzaWJsZS4KClJlcG9ydGVkLWJ5OiBBbmRy ZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpTaWduZWQt b2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXgu Y29tPgpBY2tlZC1ieTogVGltIERlZWdhbiA8dGltQHhlbi5vcmc+CkFja2Vk LWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+Ci0tLQogeGVu L2FyY2gveDg2L2h2bS9lbXVsYXRlLmMgICAgICAgIHwgMTYgKysrKysrKysr KysrKysrKwogeGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21tb24uYyAgIHwg MjcgKysrKysrKysrKysrKystLS0tLS0tLS0tLS0tCiB4ZW4vYXJjaC94ODYv bW0vc2hhZG93L3ByaXZhdGUuaCAgfCAgMiAtLQogeGVuL2luY2x1ZGUvYXNt LXg4Ni9odm0vZW11bGF0ZS5oIHwgIDEgKwogNCBmaWxlcyBjaGFuZ2VkLCAz MSBpbnNlcnRpb25zKCspLCAxNSBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQg YS94ZW4vYXJjaC94ODYvaHZtL2VtdWxhdGUuYyBiL3hlbi9hcmNoL3g4Ni9o dm0vZW11bGF0ZS5jCmluZGV4IGM1NWFkN2IuLjBlYjdhNGQgMTAwNjQ0Ci0t LSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBiL3hlbi9hcmNo L3g4Ni9odm0vZW11bGF0ZS5jCkBAIC01MzUsNiArNTM1LDggQEAgc3RhdGlj IGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAgICpyZXBzID0g bWluX3QodW5zaWduZWQgbG9uZywgKnJlcHMsIG1heF9yZXBzKTsKIAogICAg IHJlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1lbXVsX2N0eHQp OworICAgIGlmICggSVNfRVJSKHJlZykgKQorICAgICAgICByZXR1cm4gLVBU Ul9FUlIocmVnKTsKIAogICAgIGlmICggKGh2bWVtdWxfY3R4dC0+Y3R4dC5y ZWdzLT5lZmxhZ3MgJiBYODZfRUZMQUdTX0RGKSAmJiAoKnJlcHMgPiAxKSAp CiAgICAgewpAQCAtMTQzMCw2ICsxNDMyLDEwIEBAIHN0YXRpYyBpbnQgaHZt ZW11bF9yZWFkX3NlZ21lbnQoCiAgICAgc3RydWN0IGh2bV9lbXVsYXRlX2N0 eHQgKmh2bWVtdWxfY3R4dCA9CiAgICAgICAgIGNvbnRhaW5lcl9vZihjdHh0 LCBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCwgY3R4dCk7CiAgICAgc3RydWN0 IHNlZ21lbnRfcmVnaXN0ZXIgKnNyZWcgPSBodm1lbXVsX2dldF9zZWdfcmVn KHNlZywgaHZtZW11bF9jdHh0KTsKKworICAgIGlmICggSVNfRVJSKHNyZWcp ICkKKyAgICAgICAgIHJldHVybiAtUFRSX0VSUihzcmVnKTsKKwogICAgIG1l bWNweShyZWcsIHNyZWcsIHNpemVvZihzdHJ1Y3Qgc2VnbWVudF9yZWdpc3Rl cikpOwogICAgIHJldHVybiBYODZFTVVMX09LQVk7CiB9CkBAIC0xNDQzLDYg KzE0NDksOSBAQCBzdGF0aWMgaW50IGh2bWVtdWxfd3JpdGVfc2VnbWVudCgK ICAgICAgICAgY29udGFpbmVyX29mKGN0eHQsIHN0cnVjdCBodm1fZW11bGF0 ZV9jdHh0LCBjdHh0KTsKICAgICBzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlciAq c3JlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1lbXVsX2N0eHQp OwogCisgICAgaWYgKCBJU19FUlIoc3JlZykgKQorICAgICAgICAgcmV0dXJu IC1QVFJfRVJSKHNyZWcpOworCiAgICAgbWVtY3B5KHNyZWcsIHJlZywgc2l6 ZW9mKHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyKSk7CiAgICAgX19zZXRfYml0 KHNlZywgJmh2bWVtdWxfY3R4dC0+c2VnX3JlZ19kaXJ0eSk7CiAKQEAgLTE5 OTUsMTAgKzIwMDQsMTcgQEAgdm9pZCBodm1fZW11bGF0ZV93cml0ZWJhY2so CiAgICAgfQogfQogCisvKgorICogQ2FsbGVycyB3aGljaCBwYXNzIGEga25v d24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24gdGhlIHJldHVy bgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNhbGxlcnMgbXVz dCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8KIHN0cnVjdCBz ZWdtZW50X3JlZ2lzdGVyICpodm1lbXVsX2dldF9zZWdfcmVnKAogICAgIGVu dW0geDg2X3NlZ21lbnQgc2VnLAogICAgIHN0cnVjdCBodm1fZW11bGF0ZV9j dHh0ICpodm1lbXVsX2N0eHQpCiB7CisgICAgaWYgKCBzZWcgPCAwIHx8IHNl ZyA+PSBBUlJBWV9TSVpFKGh2bWVtdWxfY3R4dC0+c2VnX3JlZykgKQorICAg ICAgICByZXR1cm4gRVJSX1BUUigtWDg2RU1VTF9VTkhBTkRMRUFCTEUpOwor CiAgICAgaWYgKCAhX190ZXN0X2FuZF9zZXRfYml0KHNlZywgJmh2bWVtdWxf Y3R4dC0+c2VnX3JlZ19hY2Nlc3NlZCkgKQogICAgICAgICBodm1fZ2V0X3Nl Z21lbnRfcmVnaXN0ZXIoY3VycmVudCwgc2VnLCAmaHZtZW11bF9jdHh0LT5z ZWdfcmVnW3NlZ10pOwogICAgIHJldHVybiAmaHZtZW11bF9jdHh0LT5zZWdf cmVnW3NlZ107CmRpZmYgLS1naXQgYS94ZW4vYXJjaC94ODYvbW0vc2hhZG93 L2NvbW1vbi5jIGIveGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21tb24uYwpp bmRleCBiNDBiZjcxLi45MWMxMTRkIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94 ODYvbW0vc2hhZG93L2NvbW1vbi5jCisrKyBiL3hlbi9hcmNoL3g4Ni9tbS9z aGFkb3cvY29tbW9uLmMKQEAgLTEyMywxMCArMTIzLDE5IEBAIF9faW5pdGNh bGwoc2hhZG93X2F1ZGl0X2tleV9pbml0KTsKIC8qIHg4NiBlbXVsYXRvciBz dXBwb3J0IGZvciB0aGUgc2hhZG93IGNvZGUKICAqLwogCi1zdHJ1Y3Qgc2Vn bWVudF9yZWdpc3RlciAqaHZtX2dldF9zZWdfcmVnKAorLyoKKyAqIENhbGxl cnMgd2hpY2ggcGFzcyBhIGtub3duIGluLXJhbmdlIHg4Nl9zZWdtZW50IGNh biByZWx5IG9uIHRoZSByZXR1cm4KKyAqIHBvaW50ZXIgYmVpbmcgdmFsaWQu ICBPdGhlciBjYWxsZXJzIG11c3QgZXhwbGljaXRseSBjaGVjayBmb3IgZXJy b3JzLgorICovCitzdGF0aWMgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKmh2 bV9nZXRfc2VnX3JlZygKICAgICBlbnVtIHg4Nl9zZWdtZW50IHNlZywgc3Ry dWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4dCkKIHsKLSAgICBzdHJ1Y3Qg c2VnbWVudF9yZWdpc3RlciAqc2VnX3JlZyA9ICZzaF9jdHh0LT5zZWdfcmVn W3NlZ107CisgICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNlZ19yZWc7 CisKKyAgICBpZiAoIHNlZyA8IDAgfHwgc2VnID49IEFSUkFZX1NJWkUoc2hf Y3R4dC0+c2VnX3JlZykgKQorICAgICAgICByZXR1cm4gRVJSX1BUUigtWDg2 RU1VTF9VTkhBTkRMRUFCTEUpOworCisgICAgc2VnX3JlZyA9ICZzaF9jdHh0 LT5zZWdfcmVnW3NlZ107CiAgICAgaWYgKCAhX190ZXN0X2FuZF9zZXRfYml0 KHNlZywgJnNoX2N0eHQtPnZhbGlkX3NlZ19yZWdzKSApCiAgICAgICAgIGh2 bV9nZXRfc2VnbWVudF9yZWdpc3RlcihjdXJyZW50LCBzZWcsIHNlZ19yZWcp OwogICAgIHJldHVybiBzZWdfcmVnOwpAQCAtMTQzLDE0ICsxNTIsOSBAQCBz dGF0aWMgaW50IGh2bV90cmFuc2xhdGVfbGluZWFyX2FkZHIoCiAgICAgY29u c3Qgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnJlZzsKICAgICBpbnQgb2th eTsKIAotICAgIC8qCi0gICAgICogQ2FuIGFycml2ZSBoZXJlIHdpdGggbm9u LXVzZXIgc2VnbWVudHMuICBIb3dldmVyLCBubyBzdWNoIGNpcnVjbXN0YW5j ZQotICAgICAqIGlzIHBhcnQgb2YgYSBsZWdpdGltYXRlIHBhZ2V0YWJsZSB1 cGRhdGUsIHNvIGZhaWwgdGhlIGVtdWxhdGlvbi4KLSAgICAgKi8KLSAgICBp ZiAoICFpc194ODZfdXNlcl9zZWdtZW50KHNlZykgKQotICAgICAgICByZXR1 cm4gWDg2RU1VTF9VTkhBTkRMRUFCTEU7Ci0KICAgICByZWcgPSBodm1fZ2V0 X3NlZ19yZWcoc2VnLCBzaF9jdHh0KTsKKyAgICBpZiAoIElTX0VSUihyZWcp ICkKKyAgICAgICAgcmV0dXJuIC1QVFJfRVJSKHJlZyk7CiAKICAgICBva2F5 ID0gaHZtX3ZpcnR1YWxfdG9fbGluZWFyX2FkZHIoCiAgICAgICAgIHNlZywg cmVnLCBvZmZzZXQsIGJ5dGVzLCBhY2Nlc3NfdHlwZSwgc2hfY3R4dC0+Y3R4 dC5hZGRyX3NpemUsIHBhZGRyKTsKQEAgLTI1Myw5ICsyNTcsNiBAQCBodm1f ZW11bGF0ZV93cml0ZShlbnVtIHg4Nl9zZWdtZW50IHNlZywKICAgICB1bnNp Z25lZCBsb25nIGFkZHI7CiAgICAgaW50IHJjOwogCi0gICAgaWYgKCAhaXNf eDg2X3VzZXJfc2VnbWVudChzZWcpICkKLSAgICAgICAgcmV0dXJuIFg4NkVN VUxfVU5IQU5ETEVBQkxFOwotCiAgICAgLyogSG93IG1hbnkgZW11bGF0aW9u cyBjb3VsZCB3ZSBzYXZlIGlmIHdlIHVuc2hhZG93ZWQgb24gc3RhY2sgd3Jp dGVzPyAqLwogICAgIGlmICggc2VnID09IHg4Nl9zZWdfc3MgKQogICAgICAg ICBwZXJmY19pbmNyKHNoYWRvd19mYXVsdF9lbXVsYXRlX3N0YWNrKTsKQEAg LTI4Myw3ICsyODQsNyBAQCBodm1fZW11bGF0ZV9jbXB4Y2hnKGVudW0geDg2 X3NlZ21lbnQgc2VnLAogICAgIHVuc2lnbmVkIGxvbmcgYWRkciwgb2xkLCBu ZXc7CiAgICAgaW50IHJjOwogCi0gICAgaWYgKCAhaXNfeDg2X3VzZXJfc2Vn bWVudChzZWcpIHx8IGJ5dGVzID4gc2l6ZW9mKGxvbmcpICkKKyAgICBpZiAo IGJ5dGVzID4gc2l6ZW9mKGxvbmcpICkKICAgICAgICAgcmV0dXJuIFg4NkVN VUxfVU5IQU5ETEVBQkxFOwogCiAgICAgcmMgPSBodm1fdHJhbnNsYXRlX2xp bmVhcl9hZGRyKApkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L21tL3NoYWRv dy9wcml2YXRlLmggYi94ZW4vYXJjaC94ODYvbW0vc2hhZG93L3ByaXZhdGUu aAppbmRleCA4MjQ3OTZmLi5mMGIwZWQ0IDEwMDY0NAotLS0gYS94ZW4vYXJj aC94ODYvbW0vc2hhZG93L3ByaXZhdGUuaAorKysgYi94ZW4vYXJjaC94ODYv bW0vc2hhZG93L3ByaXZhdGUuaApAQCAtNzQwLDggKzc0MCw2IEBAIGNvbnN0 IHN0cnVjdCB4ODZfZW11bGF0ZV9vcHMgKnNoYWRvd19pbml0X2VtdWxhdGlv bigKICAgICBzdHJ1Y3Qgc2hfZW11bGF0ZV9jdHh0ICpzaF9jdHh0LCBzdHJ1 Y3QgY3B1X3VzZXJfcmVncyAqcmVncyk7CiB2b2lkIHNoYWRvd19jb250aW51 ZV9lbXVsYXRpb24oCiAgICAgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hf Y3R4dCwgc3RydWN0IGNwdV91c2VyX3JlZ3MgKnJlZ3MpOwotc3RydWN0IHNl Z21lbnRfcmVnaXN0ZXIgKmh2bV9nZXRfc2VnX3JlZygKLSAgICBlbnVtIHg4 Nl9zZWdtZW50IHNlZywgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4 dCk7CiAKICNpZiAoU0hBRE9XX09QVElNSVpBVElPTlMgJiBTSE9QVF9WSVJU VUFMX1RMQikKIC8qKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKi8KZGlm ZiAtLWdpdCBhL3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaCBi L3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaAppbmRleCAxNDJk MWI2Li4zYWFiY2JlIDEwMDY0NAotLS0gYS94ZW4vaW5jbHVkZS9hc20teDg2 L2h2bS9lbXVsYXRlLmgKKysrIGIveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0v ZW11bGF0ZS5oCkBAIC0xMyw2ICsxMyw3IEBACiAjZGVmaW5lIF9fQVNNX1g4 Nl9IVk1fRU1VTEFURV9IX18KIAogI2luY2x1ZGUgPHhlbi9jb25maWcuaD4K KyNpbmNsdWRlIDx4ZW4vZXJyLmg+CiAjaW5jbHVkZSA8YXNtL2h2bS9odm0u aD4KICNpbmNsdWRlIDxhc20veDg2X2VtdWxhdGUuaD4KIAotLSAKMi4xLjQK Cg== --=separator Content-Type: application/octet-stream; name="xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Disposition: attachment; filename="xsa187-4.4-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3Nl cyB0byBlbXVsYXRpb24gY3R4dC0+c2VnX3JlZ1tdCgpIVk0gSEFQIGNvZGVw YXRocyBoYXZlIHNwYWNlIGZvciBhbGwgc2VnbWVudCByZWdpc3RlcnMgaW4g dGhlIHNlZ19yZWdbXQpjYWNoZSAod2l0aCB4ODZfc2VnX25vbmUgc3RpbGwg cmlza2luZyBhbiBhcnJheSBvdmVycnVuKSwgd2hpbGUgdGhlIHNoYWRvdwpj b2RlcGF0aHMgb25seSBoYXZlIHNwYWNlIGZvciB0aGUgdXNlciBzZWdtZW50 cy4KClJhbmdlIGNoZWNrIHRoZSBpbnB1dCBzZWdtZW50IG9mICpfZ2V0X3Nl Z19yZWcoKSBhZ2FpbnN0IHRoZSBzaXplIG9mIHRoZSBhcnJheQp1c2VkIHRv IGNhY2hlIHRoZSByZXN1bHRzLCB0byBhdm9pZCBvdmVycnVucyBpbiB0aGUg Y2FzZSB0aGF0IHRoZSBjYWxsZXJzCmRvbid0IGZpbHRlciB0aGVpciBpbnB1 dCBzdWl0YWJseS4KClN1YnN1bWUgdGhlIGlzX3g4Nl91c2VyX3NlZ21lbnQo c2VnKSBjaGVja3MgZnJvbSB0aGUgc2hhZG93IGNvZGUsIHdoaWNoIHdlcmUK YW4gaW5jb21wbGV0ZSBhdHRlbXB0IGF0IHJhbmdlIGNoZWNraW5nLCBhbmQg YXJlIG5vdyBzdXBlcmNlZWRlZC4gIE1ha2UKaHZtX2dldF9zZWdfcmVnKCkg c3RhdGljLCBhcyBpdCBpcyBub3QgdXNlZCBvdXRzaWRlIG9mIHNoYWRvdy9j b21tb24uYwoKTm8gZnVuY3Rpb25hbCBjaGFuZ2UsIGJ1dCBmYXIgZWFzaWVy IHRvIHJlYXNvbiB0aGF0IG5vIG92ZXJmbG93IGlzIHBvc3NpYmxlLgoKUmVw b3J0ZWQtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJp eC5jb20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5j b29wZXIzQGNpdHJpeC5jb20+CkFja2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1A eGVuLm9yZz4KQWNrZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNl LmNvbT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCkBAIC00MzYsNiArNDM2LDgg QEAgc3RhdGljIGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAg ICpyZXBzID0gbWluX3QodW5zaWduZWQgbG9uZywgKnJlcHMsIDQwOTYpOwog CiAgICAgcmVnID0gaHZtZW11bF9nZXRfc2VnX3JlZyhzZWcsIGh2bWVtdWxf Y3R4dCk7CisgICAgaWYgKCBJU19FUlIocmVnKSApCisgICAgICAgIHJldHVy biAtUFRSX0VSUihyZWcpOwogCiAgICAgaWYgKCAoaHZtZW11bF9jdHh0LT5j dHh0LnJlZ3MtPmVmbGFncyAmIFg4Nl9FRkxBR1NfREYpICYmICgqcmVwcyA+ IDEpICkKICAgICB7CkBAIC05MjYsNiArOTI4LDEwIEBAIHN0YXRpYyBpbnQg aHZtZW11bF9yZWFkX3NlZ21lbnQoCiAgICAgc3RydWN0IGh2bV9lbXVsYXRl X2N0eHQgKmh2bWVtdWxfY3R4dCA9CiAgICAgICAgIGNvbnRhaW5lcl9vZihj dHh0LCBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCwgY3R4dCk7CiAgICAgc3Ry dWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNyZWcgPSBodm1lbXVsX2dldF9zZWdf cmVnKHNlZywgaHZtZW11bF9jdHh0KTsKKworICAgIGlmICggSVNfRVJSKHNy ZWcpICkKKyAgICAgICAgIHJldHVybiAtUFRSX0VSUihzcmVnKTsKKwogICAg IG1lbWNweShyZWcsIHNyZWcsIHNpemVvZihzdHJ1Y3Qgc2VnbWVudF9yZWdp c3RlcikpOwogICAgIHJldHVybiBYODZFTVVMX09LQVk7CiB9CkBAIC05Mzks NiArOTQ1LDkgQEAgc3RhdGljIGludCBodm1lbXVsX3dyaXRlX3NlZ21lbnQo CiAgICAgICAgIGNvbnRhaW5lcl9vZihjdHh0LCBzdHJ1Y3QgaHZtX2VtdWxh dGVfY3R4dCwgY3R4dCk7CiAgICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIg KnNyZWcgPSBodm1lbXVsX2dldF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0 KTsKIAorICAgIGlmICggSVNfRVJSKHNyZWcpICkKKyAgICAgICAgIHJldHVy biAtUFRSX0VSUihzcmVnKTsKKwogICAgIG1lbWNweShzcmVnLCByZWcsIHNp emVvZihzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlcikpOwogICAgIF9fc2V0X2Jp dChzZWcsICZodm1lbXVsX2N0eHQtPnNlZ19yZWdfZGlydHkpOwogCkBAIC0x MzAyLDEwICsxMzExLDE3IEBAIHZvaWQgaHZtX2VtdWxhdGVfd3JpdGViYWNr KAogICAgIH0KIH0KIAorLyoKKyAqIENhbGxlcnMgd2hpY2ggcGFzcyBhIGtu b3duIGluLXJhbmdlIHg4Nl9zZWdtZW50IGNhbiByZWx5IG9uIHRoZSByZXR1 cm4KKyAqIHBvaW50ZXIgYmVpbmcgdmFsaWQuICBPdGhlciBjYWxsZXJzIG11 c3QgZXhwbGljaXRseSBjaGVjayBmb3IgZXJyb3JzLgorICovCiBzdHJ1Y3Qg c2VnbWVudF9yZWdpc3RlciAqaHZtZW11bF9nZXRfc2VnX3JlZygKICAgICBl bnVtIHg4Nl9zZWdtZW50IHNlZywKICAgICBzdHJ1Y3QgaHZtX2VtdWxhdGVf Y3R4dCAqaHZtZW11bF9jdHh0KQogeworICAgIGlmICggc2VnIDwgMCB8fCBz ZWcgPj0gQVJSQVlfU0laRShodm1lbXVsX2N0eHQtPnNlZ19yZWcpICkKKyAg ICAgICAgcmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsK KwogICAgIGlmICggIV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZodm1lbXVs X2N0eHQtPnNlZ19yZWdfYWNjZXNzZWQpICkKICAgICAgICAgaHZtX2dldF9z ZWdtZW50X3JlZ2lzdGVyKGN1cnJlbnQsIHNlZywgJmh2bWVtdWxfY3R4dC0+ c2VnX3JlZ1tzZWddKTsKICAgICByZXR1cm4gJmh2bWVtdWxfY3R4dC0+c2Vn X3JlZ1tzZWddOwotLS0gYS94ZW4vYXJjaC94ODYvbW0vc2hhZG93L2NvbW1v bi5jCisrKyBiL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMKQEAg LTEyMCwxMCArMTIwLDE5IEBAIF9faW5pdGNhbGwoc2hhZG93X2F1ZGl0X2tl eV9pbml0KTsKIC8qIHg4NiBlbXVsYXRvciBzdXBwb3J0IGZvciB0aGUgc2hh ZG93IGNvZGUKICAqLwogCisvKgorICogQ2FsbGVycyB3aGljaCBwYXNzIGEg a25vd24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24gdGhlIHJl dHVybgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNhbGxlcnMg bXVzdCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8KIHN0cnVj dCBzZWdtZW50X3JlZ2lzdGVyICpodm1fZ2V0X3NlZ19yZWcoCiAgICAgZW51 bSB4ODZfc2VnbWVudCBzZWcsIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNo X2N0eHQpCiB7Ci0gICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNlZ19y ZWcgPSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOworICAgIHN0cnVjdCBzZWdt ZW50X3JlZ2lzdGVyICpzZWdfcmVnOworCisgICAgaWYgKCBzZWcgPCAwIHx8 IHNlZyA+PSBBUlJBWV9TSVpFKHNoX2N0eHQtPnNlZ19yZWcpICkKKyAgICAg ICAgcmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsKKwor ICAgIHNlZ19yZWcgPSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOwogICAgIGlm ICggIV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZzaF9jdHh0LT52YWxpZF9z ZWdfcmVncykgKQogICAgICAgICBodm1fZ2V0X3NlZ21lbnRfcmVnaXN0ZXIo Y3VycmVudCwgc2VnLCBzZWdfcmVnKTsKICAgICByZXR1cm4gc2VnX3JlZzsK QEAgLTE0MCwxNCArMTQ5LDkgQEAgc3RhdGljIGludCBodm1fdHJhbnNsYXRl X2xpbmVhcl9hZGRyKAogICAgIHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpy ZWc7CiAgICAgaW50IG9rYXk7CiAKLSAgICAvKgotICAgICAqIENhbiBhcnJp dmUgaGVyZSB3aXRoIG5vbi11c2VyIHNlZ21lbnRzLiAgSG93ZXZlciwgbm8g c3VjaCBjaXJ1Y21zdGFuY2UKLSAgICAgKiBpcyBwYXJ0IG9mIGEgbGVnaXRp bWF0ZSBwYWdldGFibGUgdXBkYXRlLCBzbyBmYWlsIHRoZSBlbXVsYXRpb24u Ci0gICAgICovCi0gICAgaWYgKCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcp ICkKLSAgICAgICAgcmV0dXJuIFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAg ICAgcmVnID0gaHZtX2dldF9zZWdfcmVnKHNlZywgc2hfY3R4dCk7CisgICAg aWYgKCBJU19FUlIocmVnKSApCisgICAgICAgIHJldHVybiAtUFRSX0VSUihy ZWcpOwogCiAgICAgb2theSA9IGh2bV92aXJ0dWFsX3RvX2xpbmVhcl9hZGRy KAogICAgICAgICBzZWcsIHJlZywgb2Zmc2V0LCBieXRlcywgYWNjZXNzX3R5 cGUsIHNoX2N0eHQtPmN0eHQuYWRkcl9zaXplLCBwYWRkcik7CkBAIC0yNDks OSArMjUzLDYgQEAgaHZtX2VtdWxhdGVfd3JpdGUoZW51bSB4ODZfc2VnbWVu dCBzZWcsCiAgICAgdW5zaWduZWQgbG9uZyBhZGRyOwogICAgIGludCByYzsK IAotICAgIGlmICggIWlzX3g4Nl91c2VyX3NlZ21lbnQoc2VnKSApCi0gICAg ICAgIHJldHVybiBYODZFTVVMX1VOSEFORExFQUJMRTsKLQogICAgIC8qIEhv dyBtYW55IGVtdWxhdGlvbnMgY291bGQgd2Ugc2F2ZSBpZiB3ZSB1bnNoYWRv d2VkIG9uIHN0YWNrIHdyaXRlcz8gKi8KICAgICBpZiAoIHNlZyA9PSB4ODZf c2VnX3NzICkKICAgICAgICAgcGVyZmNfaW5jcihzaGFkb3dfZmF1bHRfZW11 bGF0ZV9zdGFjayk7CkBAIC0yNzksOSArMjgwLDYgQEAgaHZtX2VtdWxhdGVf Y21weGNoZyhlbnVtIHg4Nl9zZWdtZW50IHNlZwogICAgIHVuc2lnbmVkIGxv bmcgYWRkciwgb2xkWzJdLCBuZXdbMl07CiAgICAgaW50IHJjOwogCi0gICAg aWYgKCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkKLSAgICAgICAgcmV0 dXJuIFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAgICAgcmMgPSBodm1fdHJh bnNsYXRlX2xpbmVhcl9hZGRyKAogICAgICAgICBzZWcsIG9mZnNldCwgYnl0 ZXMsIGh2bV9hY2Nlc3Nfd3JpdGUsIHNoX2N0eHQsICZhZGRyKTsKICAgICBp ZiAoIHJjICkKLS0tIGEveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vZW11bGF0 ZS5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaApA QCAtMTMsNiArMTMsNyBAQAogI2RlZmluZSBfX0FTTV9YODZfSFZNX0VNVUxB VEVfSF9fCiAKICNpbmNsdWRlIDx4ZW4vY29uZmlnLmg+CisjaW5jbHVkZSA8 eGVuL2Vyci5oPgogI2luY2x1ZGUgPGFzbS94ODZfZW11bGF0ZS5oPgogCiBz dHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCB7Cg== --=separator Content-Type: application/octet-stream; name="xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Disposition: attachment; filename="xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3Nl cyB0byBlbXVsYXRpb24gY3R4dC0+c2VnX3JlZ1tdCgpIVk0gSEFQIGNvZGVw YXRocyBoYXZlIHNwYWNlIGZvciBhbGwgc2VnbWVudCByZWdpc3RlcnMgaW4g dGhlIHNlZ19yZWdbXQpjYWNoZSAod2l0aCB4ODZfc2VnX25vbmUgc3RpbGwg cmlza2luZyBhbiBhcnJheSBvdmVycnVuKSwgd2hpbGUgdGhlIHNoYWRvdwpj b2RlcGF0aHMgb25seSBoYXZlIHNwYWNlIGZvciB0aGUgdXNlciBzZWdtZW50 cy4KClJhbmdlIGNoZWNrIHRoZSBpbnB1dCBzZWdtZW50IG9mICpfZ2V0X3Nl Z19yZWcoKSBhZ2FpbnN0IHRoZSBzaXplIG9mIHRoZSBhcnJheQp1c2VkIHRv IGNhY2hlIHRoZSByZXN1bHRzLCB0byBhdm9pZCBvdmVycnVucyBpbiB0aGUg Y2FzZSB0aGF0IHRoZSBjYWxsZXJzCmRvbid0IGZpbHRlciB0aGVpciBpbnB1 dCBzdWl0YWJseS4KClN1YnN1bWUgdGhlIGlzX3g4Nl91c2VyX3NlZ21lbnQo c2VnKSBjaGVja3MgZnJvbSB0aGUgc2hhZG93IGNvZGUsIHdoaWNoIHdlcmUK YW4gaW5jb21wbGV0ZSBhdHRlbXB0IGF0IHJhbmdlIGNoZWNraW5nLCBhbmQg YXJlIG5vdyBzdXBlcmNlZWRlZC4gIE1ha2UKaHZtX2dldF9zZWdfcmVnKCkg c3RhdGljLCBhcyBpdCBpcyBub3QgdXNlZCBvdXRzaWRlIG9mIHNoYWRvdy9j b21tb24uYwoKTm8gZnVuY3Rpb25hbCBjaGFuZ2UsIGJ1dCBmYXIgZWFzaWVy IHRvIHJlYXNvbiB0aGF0IG5vIG92ZXJmbG93IGlzIHBvc3NpYmxlLgoKUmVw b3J0ZWQtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJp eC5jb20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5j b29wZXIzQGNpdHJpeC5jb20+CkFja2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1A eGVuLm9yZz4KQWNrZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNl LmNvbT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCkBAIC01MjYsNiArNTI2LDgg QEAgc3RhdGljIGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAg ICAgICAgICAgICAgICAgICAgICAgICAgPyAxIDogNDA5Nik7CiAKICAgICBy ZWcgPSBodm1lbXVsX2dldF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0KTsK KyAgICBpZiAoIElTX0VSUihyZWcpICkKKyAgICAgICAgcmV0dXJuIC1QVFJf RVJSKHJlZyk7CiAKICAgICBpZiAoIChodm1lbXVsX2N0eHQtPmN0eHQucmVn cy0+ZWZsYWdzICYgWDg2X0VGTEFHU19ERikgJiYgKCpyZXBzID4gMSkgKQog ICAgIHsKQEAgLTEzNjAsNiArMTM2MiwxMCBAQCBzdGF0aWMgaW50IGh2bWVt dWxfcmVhZF9zZWdtZW50KAogICAgIHN0cnVjdCBodm1fZW11bGF0ZV9jdHh0 ICpodm1lbXVsX2N0eHQgPQogICAgICAgICBjb250YWluZXJfb2YoY3R4dCwg c3RydWN0IGh2bV9lbXVsYXRlX2N0eHQsIGN0eHQpOwogICAgIHN0cnVjdCBz ZWdtZW50X3JlZ2lzdGVyICpzcmVnID0gaHZtZW11bF9nZXRfc2VnX3JlZyhz ZWcsIGh2bWVtdWxfY3R4dCk7CisKKyAgICBpZiAoIElTX0VSUihzcmVnKSAp CisgICAgICAgICByZXR1cm4gLVBUUl9FUlIoc3JlZyk7CisKICAgICBtZW1j cHkocmVnLCBzcmVnLCBzaXplb2Yoc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIp KTsKICAgICByZXR1cm4gWDg2RU1VTF9PS0FZOwogfQpAQCAtMTM3Myw2ICsx Mzc5LDkgQEAgc3RhdGljIGludCBodm1lbXVsX3dyaXRlX3NlZ21lbnQoCiAg ICAgICAgIGNvbnRhaW5lcl9vZihjdHh0LCBzdHJ1Y3QgaHZtX2VtdWxhdGVf Y3R4dCwgY3R4dCk7CiAgICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNy ZWcgPSBodm1lbXVsX2dldF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0KTsK IAorICAgIGlmICggSVNfRVJSKHNyZWcpICkKKyAgICAgICAgIHJldHVybiAt UFRSX0VSUihzcmVnKTsKKwogICAgIG1lbWNweShzcmVnLCByZWcsIHNpemVv ZihzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlcikpOwogICAgIF9fc2V0X2JpdChz ZWcsICZodm1lbXVsX2N0eHQtPnNlZ19yZWdfZGlydHkpOwogCkBAIC0xOTEx LDEwICsxOTIwLDE3IEBAIHZvaWQgaHZtX2VtdWxhdGVfd3JpdGViYWNrKAog ICAgIH0KIH0KIAorLyoKKyAqIENhbGxlcnMgd2hpY2ggcGFzcyBhIGtub3du IGluLXJhbmdlIHg4Nl9zZWdtZW50IGNhbiByZWx5IG9uIHRoZSByZXR1cm4K KyAqIHBvaW50ZXIgYmVpbmcgdmFsaWQuICBPdGhlciBjYWxsZXJzIG11c3Qg ZXhwbGljaXRseSBjaGVjayBmb3IgZXJyb3JzLgorICovCiBzdHJ1Y3Qgc2Vn bWVudF9yZWdpc3RlciAqaHZtZW11bF9nZXRfc2VnX3JlZygKICAgICBlbnVt IHg4Nl9zZWdtZW50IHNlZywKICAgICBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4 dCAqaHZtZW11bF9jdHh0KQogeworICAgIGlmICggc2VnIDwgMCB8fCBzZWcg Pj0gQVJSQVlfU0laRShodm1lbXVsX2N0eHQtPnNlZ19yZWcpICkKKyAgICAg ICAgcmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsKKwog ICAgIGlmICggIV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZodm1lbXVsX2N0 eHQtPnNlZ19yZWdfYWNjZXNzZWQpICkKICAgICAgICAgaHZtX2dldF9zZWdt ZW50X3JlZ2lzdGVyKGN1cnJlbnQsIHNlZywgJmh2bWVtdWxfY3R4dC0+c2Vn X3JlZ1tzZWddKTsKICAgICByZXR1cm4gJmh2bWVtdWxfY3R4dC0+c2VnX3Jl Z1tzZWddOwotLS0gYS94ZW4vYXJjaC94ODYvbW0vc2hhZG93L2NvbW1vbi5j CisrKyBiL3hlbi9hcmNoL3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMKQEAgLTEy NSwxMCArMTI1LDE5IEBAIF9faW5pdGNhbGwoc2hhZG93X2F1ZGl0X2tleV9p bml0KTsKIC8qIHg4NiBlbXVsYXRvciBzdXBwb3J0IGZvciB0aGUgc2hhZG93 IGNvZGUKICAqLwogCisvKgorICogQ2FsbGVycyB3aGljaCBwYXNzIGEga25v d24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24gdGhlIHJldHVy bgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNhbGxlcnMgbXVz dCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8KIHN0cnVjdCBz ZWdtZW50X3JlZ2lzdGVyICpodm1fZ2V0X3NlZ19yZWcoCiAgICAgZW51bSB4 ODZfc2VnbWVudCBzZWcsIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0 eHQpCiB7Ci0gICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNlZ19yZWcg PSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOworICAgIHN0cnVjdCBzZWdtZW50 X3JlZ2lzdGVyICpzZWdfcmVnOworCisgICAgaWYgKCBzZWcgPCAwIHx8IHNl ZyA+PSBBUlJBWV9TSVpFKHNoX2N0eHQtPnNlZ19yZWcpICkKKyAgICAgICAg cmV0dXJuIEVSUl9QVFIoLVg4NkVNVUxfVU5IQU5ETEVBQkxFKTsKKworICAg IHNlZ19yZWcgPSAmc2hfY3R4dC0+c2VnX3JlZ1tzZWddOwogICAgIGlmICgg IV9fdGVzdF9hbmRfc2V0X2JpdChzZWcsICZzaF9jdHh0LT52YWxpZF9zZWdf cmVncykgKQogICAgICAgICBodm1fZ2V0X3NlZ21lbnRfcmVnaXN0ZXIoY3Vy cmVudCwgc2VnLCBzZWdfcmVnKTsKICAgICByZXR1cm4gc2VnX3JlZzsKQEAg LTE0NSwxNCArMTU0LDkgQEAgc3RhdGljIGludCBodm1fdHJhbnNsYXRlX2xp bmVhcl9hZGRyKAogICAgIHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpyZWc7 CiAgICAgaW50IG9rYXk7CiAKLSAgICAvKgotICAgICAqIENhbiBhcnJpdmUg aGVyZSB3aXRoIG5vbi11c2VyIHNlZ21lbnRzLiAgSG93ZXZlciwgbm8gc3Vj aCBjaXJ1Y21zdGFuY2UKLSAgICAgKiBpcyBwYXJ0IG9mIGEgbGVnaXRpbWF0 ZSBwYWdldGFibGUgdXBkYXRlLCBzbyBmYWlsIHRoZSBlbXVsYXRpb24uCi0g ICAgICovCi0gICAgaWYgKCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkK LSAgICAgICAgcmV0dXJuIFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAgICAg cmVnID0gaHZtX2dldF9zZWdfcmVnKHNlZywgc2hfY3R4dCk7CisgICAgaWYg KCBJU19FUlIocmVnKSApCisgICAgICAgIHJldHVybiAtUFRSX0VSUihyZWcp OwogCiAgICAgb2theSA9IGh2bV92aXJ0dWFsX3RvX2xpbmVhcl9hZGRyKAog ICAgICAgICBzZWcsIHJlZywgb2Zmc2V0LCBieXRlcywgYWNjZXNzX3R5cGUs IHNoX2N0eHQtPmN0eHQuYWRkcl9zaXplLCBwYWRkcik7CkBAIC0yNTQsOSAr MjU4LDYgQEAgaHZtX2VtdWxhdGVfd3JpdGUoZW51bSB4ODZfc2VnbWVudCBz ZWcsCiAgICAgdW5zaWduZWQgbG9uZyBhZGRyOwogICAgIGludCByYzsKIAot ICAgIGlmICggIWlzX3g4Nl91c2VyX3NlZ21lbnQoc2VnKSApCi0gICAgICAg IHJldHVybiBYODZFTVVMX1VOSEFORExFQUJMRTsKLQogICAgIC8qIEhvdyBt YW55IGVtdWxhdGlvbnMgY291bGQgd2Ugc2F2ZSBpZiB3ZSB1bnNoYWRvd2Vk IG9uIHN0YWNrIHdyaXRlcz8gKi8KICAgICBpZiAoIHNlZyA9PSB4ODZfc2Vn X3NzICkKICAgICAgICAgcGVyZmNfaW5jcihzaGFkb3dfZmF1bHRfZW11bGF0 ZV9zdGFjayk7CkBAIC0yODQsOSArMjg1LDYgQEAgaHZtX2VtdWxhdGVfY21w eGNoZyhlbnVtIHg4Nl9zZWdtZW50IHNlZwogICAgIHVuc2lnbmVkIGxvbmcg YWRkciwgb2xkWzJdLCBuZXdbMl07CiAgICAgaW50IHJjOwogCi0gICAgaWYg KCAhaXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkKLSAgICAgICAgcmV0dXJu IFg4NkVNVUxfVU5IQU5ETEVBQkxFOwotCiAgICAgcmMgPSBodm1fdHJhbnNs YXRlX2xpbmVhcl9hZGRyKAogICAgICAgICBzZWcsIG9mZnNldCwgYnl0ZXMs IGh2bV9hY2Nlc3Nfd3JpdGUsIHNoX2N0eHQsICZhZGRyKTsKICAgICBpZiAo IHJjICkKLS0tIGEveGVuL2luY2x1ZGUvYXNtLXg4Ni9odm0vZW11bGF0ZS5o CisrKyBiL3hlbi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaApAQCAt MTMsNiArMTMsNyBAQAogI2RlZmluZSBfX0FTTV9YODZfSFZNX0VNVUxBVEVf SF9fCiAKICNpbmNsdWRlIDx4ZW4vY29uZmlnLmg+CisjaW5jbHVkZSA8eGVu L2Vyci5oPgogI2luY2x1ZGUgPGFzbS9odm0vaHZtLmg+CiAjaW5jbHVkZSA8 YXNtL3g4Nl9lbXVsYXRlLmg+CiAK --=separator Content-Type: application/octet-stream; name="xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch" Content-Disposition: attachment; filename="xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NoYWRvdzogQXZvaWQgb3ZlcmZsb3dpbmcgc2hf Y3R4dC0+c2VnX3JlZ1tdCgpodm1fZ2V0X3NlZ19yZWcoKSBkb2VzIG5vdCBw ZXJmb3JtIGEgcmFuZ2UgY2hlY2sgb24gaXRzIGlucHV0IHNlZ21lbnQsIGNh bGxzCmh2bV9nZXRfc2VnbWVudF9yZWdpc3RlcigpIGFuZCB3cml0ZXMgc3Ry YWlnaHQgaW50byBzaF9jdHh0LT5zZWdfcmVnW10uCgp4ODZfc2VnX25vbmUg aXMgb3V0c2lkZSB0aGUgYm91bmRzIG9mIHNoX2N0eHQtPnNlZ19yZWdbXSwg YW5kIHdpbGwgaGl0IGEgQlVHKCkKaW4ge3ZteCxzdm19X2dldF9zZWdtZW50 X3JlZ2lzdGVyKCkuCgpIVk0gZ3Vlc3RzIHJ1bm5pbmcgd2l0aCBzaGFkb3cg cGFnaW5nIGNhbiBlbmQgdXAgcGVyZm9ybWluZyBhIHZpcnR1YWwgdG8KbGlu ZWFyIHRyYW5zbGF0aW9uIHdpdGggeDg2X3NlZ19ub25lLiAgVGhpcyBpcyB1 c2VkIGZvciBhZGRyZXNzZXMgd2hpY2ggYXJlCmFscmVhZHkgbGluZWFyLiAg SG93ZXZlciwgbm9uZSBvZiB0aGlzIGlzIGEgbGVnaXRpbWF0ZSBwYWdldGFi bGUgdXBkYXRlLCBzbwpmYWlsIHRoZSBlbXVsYXRpb24gaW4gc3VjaCBhIGNh c2UuCgpUaGlzIGlzIFhTQS0xODcKClJlcG9ydGVkLWJ5OiBBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpTaWduZWQtb2ZmLWJ5 OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpS ZXZpZXdlZC1ieTogVGltIERlZWdhbiA8dGltQHhlbi5vcmc+CgotLS0gYS94 ZW4vYXJjaC94ODYvbW0vc2hhZG93L2NvbW1vbi5jCisrKyBiL3hlbi9hcmNo L3g4Ni9tbS9zaGFkb3cvY29tbW9uLmMKQEAgLTE0MCw5ICsxNDAsMTggQEAg c3RhdGljIGludCBodm1fdHJhbnNsYXRlX2xpbmVhcl9hZGRyKAogICAgIHN0 cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0eHQsCiAgICAgdW5zaWduZWQg bG9uZyAqcGFkZHIpCiB7Ci0gICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIg KnJlZyA9IGh2bV9nZXRfc2VnX3JlZyhzZWcsIHNoX2N0eHQpOworICAgIHN0 cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpyZWc7CiAgICAgaW50IG9rYXk7CiAK KyAgICAvKgorICAgICAqIENhbiBhcnJpdmUgaGVyZSB3aXRoIG5vbi11c2Vy IHNlZ21lbnRzLiAgSG93ZXZlciwgbm8gc3VjaCBjaXJ1Y21zdGFuY2UKKyAg ICAgKiBpcyBwYXJ0IG9mIGEgbGVnaXRpbWF0ZSBwYWdldGFibGUgdXBkYXRl LCBzbyBmYWlsIHRoZSBlbXVsYXRpb24uCisgICAgICovCisgICAgaWYgKCAh aXNfeDg2X3VzZXJfc2VnbWVudChzZWcpICkKKyAgICAgICAgcmV0dXJuIFg4 NkVNVUxfVU5IQU5ETEVBQkxFOworCisgICAgcmVnID0gaHZtX2dldF9zZWdf cmVnKHNlZywgc2hfY3R4dCk7CisKICAgICBva2F5ID0gaHZtX3ZpcnR1YWxf dG9fbGluZWFyX2FkZHIoCiAgICAgICAgIHNlZywgcmVnLCBvZmZzZXQsIGJ5 dGVzLCBhY2Nlc3NfdHlwZSwgc2hfY3R4dC0+Y3R4dC5hZGRyX3NpemUsIHBh ZGRyKTsKIAo= --=separator Content-Type: application/octet-stream; name="xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Disposition: attachment; filename="xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3NlZ21lbnQ6IEJvdW5kcyBjaGVjayBhY2Nlc3Nl cyB0byBlbXVsYXRpb24gY3R4dC0+c2VnX3JlZ1tdCgpIVk0gSEFQIGNvZGVw YXRocyBoYXZlIHNwYWNlIGZvciBhbGwgc2VnbWVudCByZWdpc3RlcnMgaW4g dGhlIHNlZ19yZWdbXQpjYWNoZSAod2l0aCB4ODZfc2VnX25vbmUgc3RpbGwg cmlza2luZyBhbiBhcnJheSBvdmVycnVuKSwgd2hpbGUgdGhlIHNoYWRvdwpj b2RlcGF0aHMgb25seSBoYXZlIHNwYWNlIGZvciB0aGUgdXNlciBzZWdtZW50 cy4KClJhbmdlIGNoZWNrIHRoZSBpbnB1dCBzZWdtZW50IG9mICpfZ2V0X3Nl Z19yZWcoKSBhZ2FpbnN0IHRoZSBzaXplIG9mIHRoZSBhcnJheQp1c2VkIHRv IGNhY2hlIHRoZSByZXN1bHRzLCB0byBhdm9pZCBvdmVycnVucyBpbiB0aGUg Y2FzZSB0aGF0IHRoZSBjYWxsZXJzCmRvbid0IGZpbHRlciB0aGVpciBpbnB1 dCBzdWl0YWJseS4KClN1YnN1bWUgdGhlIGlzX3g4Nl91c2VyX3NlZ21lbnQo c2VnKSBjaGVja3MgZnJvbSB0aGUgc2hhZG93IGNvZGUsIHdoaWNoIHdlcmUK YW4gaW5jb21wbGV0ZSBhdHRlbXB0IGF0IHJhbmdlIGNoZWNraW5nLCBhbmQg YXJlIG5vdyBzdXBlcmNlZWRlZC4gIE1ha2UKaHZtX2dldF9zZWdfcmVnKCkg c3RhdGljLCBhcyBpdCBpcyBub3QgdXNlZCBvdXRzaWRlIG9mIHNoYWRvdy9j b21tb24uYwoKTm8gZnVuY3Rpb25hbCBjaGFuZ2UsIGJ1dCBmYXIgZWFzaWVy IHRvIHJlYXNvbiB0aGF0IG5vIG92ZXJmbG93IGlzIHBvc3NpYmxlLgoKUmVw b3J0ZWQtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJp eC5jb20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5j b29wZXIzQGNpdHJpeC5jb20+CkFja2VkLWJ5OiBUaW0gRGVlZ2FuIDx0aW1A eGVuLm9yZz4KQWNrZWQtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNl LmNvbT4KCi0tLSBhL3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vZW11bGF0ZS5jCkBAIC01MzQsNiArNTM0LDgg QEAgc3RhdGljIGludCBodm1lbXVsX3ZpcnR1YWxfdG9fbGluZWFyKAogICAg ICpyZXBzID0gbWluX3QodW5zaWduZWQgbG9uZywgKnJlcHMsIG1heF9yZXBz KTsKIAogICAgIHJlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1l bXVsX2N0eHQpOworICAgIGlmICggSVNfRVJSKHJlZykgKQorICAgICAgICBy ZXR1cm4gLVBUUl9FUlIocmVnKTsKIAogICAgIGlmICggKGh2bWVtdWxfY3R4 dC0+Y3R4dC5yZWdzLT5lZmxhZ3MgJiBYODZfRUZMQUdTX0RGKSAmJiAoKnJl cHMgPiAxKSApCiAgICAgewpAQCAtMTM2OSw2ICsxMzcxLDEwIEBAIHN0YXRp YyBpbnQgaHZtZW11bF9yZWFkX3NlZ21lbnQoCiAgICAgc3RydWN0IGh2bV9l bXVsYXRlX2N0eHQgKmh2bWVtdWxfY3R4dCA9CiAgICAgICAgIGNvbnRhaW5l cl9vZihjdHh0LCBzdHJ1Y3QgaHZtX2VtdWxhdGVfY3R4dCwgY3R4dCk7CiAg ICAgc3RydWN0IHNlZ21lbnRfcmVnaXN0ZXIgKnNyZWcgPSBodm1lbXVsX2dl dF9zZWdfcmVnKHNlZywgaHZtZW11bF9jdHh0KTsKKworICAgIGlmICggSVNf RVJSKHNyZWcpICkKKyAgICAgICAgIHJldHVybiAtUFRSX0VSUihzcmVnKTsK KwogICAgIG1lbWNweShyZWcsIHNyZWcsIHNpemVvZihzdHJ1Y3Qgc2VnbWVu dF9yZWdpc3RlcikpOwogICAgIHJldHVybiBYODZFTVVMX09LQVk7CiB9CkBA IC0xMzgyLDYgKzEzODgsOSBAQCBzdGF0aWMgaW50IGh2bWVtdWxfd3JpdGVf c2VnbWVudCgKICAgICAgICAgY29udGFpbmVyX29mKGN0eHQsIHN0cnVjdCBo dm1fZW11bGF0ZV9jdHh0LCBjdHh0KTsKICAgICBzdHJ1Y3Qgc2VnbWVudF9y ZWdpc3RlciAqc3JlZyA9IGh2bWVtdWxfZ2V0X3NlZ19yZWcoc2VnLCBodm1l bXVsX2N0eHQpOwogCisgICAgaWYgKCBJU19FUlIoc3JlZykgKQorICAgICAg ICAgcmV0dXJuIC1QVFJfRVJSKHNyZWcpOworCiAgICAgbWVtY3B5KHNyZWcs IHJlZywgc2l6ZW9mKHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyKSk7CiAgICAg X19zZXRfYml0KHNlZywgJmh2bWVtdWxfY3R4dC0+c2VnX3JlZ19kaXJ0eSk7 CiAKQEAgLTE5MzQsMTAgKzE5NDMsMTcgQEAgdm9pZCBodm1fZW11bGF0ZV93 cml0ZWJhY2soCiAgICAgfQogfQogCisvKgorICogQ2FsbGVycyB3aGljaCBw YXNzIGEga25vd24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24g dGhlIHJldHVybgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNh bGxlcnMgbXVzdCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8K IHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyICpodm1lbXVsX2dldF9zZWdfcmVn KAogICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLAogICAgIHN0cnVjdCBodm1f ZW11bGF0ZV9jdHh0ICpodm1lbXVsX2N0eHQpCiB7CisgICAgaWYgKCBzZWcg PCAwIHx8IHNlZyA+PSBBUlJBWV9TSVpFKGh2bWVtdWxfY3R4dC0+c2VnX3Jl ZykgKQorICAgICAgICByZXR1cm4gRVJSX1BUUigtWDg2RU1VTF9VTkhBTkRM RUFCTEUpOworCiAgICAgaWYgKCAhX190ZXN0X2FuZF9zZXRfYml0KHNlZywg Jmh2bWVtdWxfY3R4dC0+c2VnX3JlZ19hY2Nlc3NlZCkgKQogICAgICAgICBo dm1fZ2V0X3NlZ21lbnRfcmVnaXN0ZXIoY3VycmVudCwgc2VnLCAmaHZtZW11 bF9jdHh0LT5zZWdfcmVnW3NlZ10pOwogICAgIHJldHVybiAmaHZtZW11bF9j dHh0LT5zZWdfcmVnW3NlZ107Ci0tLSBhL3hlbi9hcmNoL3g4Ni9tbS9zaGFk b3cvY29tbW9uLmMKKysrIGIveGVuL2FyY2gveDg2L21tL3NoYWRvdy9jb21t b24uYwpAQCAtMTIzLDEwICsxMjMsMTkgQEAgX19pbml0Y2FsbChzaGFkb3df YXVkaXRfa2V5X2luaXQpOwogLyogeDg2IGVtdWxhdG9yIHN1cHBvcnQgZm9y IHRoZSBzaGFkb3cgY29kZQogICovCiAKLXN0cnVjdCBzZWdtZW50X3JlZ2lz dGVyICpodm1fZ2V0X3NlZ19yZWcoCisvKgorICogQ2FsbGVycyB3aGljaCBw YXNzIGEga25vd24gaW4tcmFuZ2UgeDg2X3NlZ21lbnQgY2FuIHJlbHkgb24g dGhlIHJldHVybgorICogcG9pbnRlciBiZWluZyB2YWxpZC4gIE90aGVyIGNh bGxlcnMgbXVzdCBleHBsaWNpdGx5IGNoZWNrIGZvciBlcnJvcnMuCisgKi8K K3N0YXRpYyBzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlciAqaHZtX2dldF9zZWdf cmVnKAogICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLCBzdHJ1Y3Qgc2hfZW11 bGF0ZV9jdHh0ICpzaF9jdHh0KQogewotICAgIHN0cnVjdCBzZWdtZW50X3Jl Z2lzdGVyICpzZWdfcmVnID0gJnNoX2N0eHQtPnNlZ19yZWdbc2VnXTsKKyAg ICBzdHJ1Y3Qgc2VnbWVudF9yZWdpc3RlciAqc2VnX3JlZzsKKworICAgIGlm ICggc2VnIDwgMCB8fCBzZWcgPj0gQVJSQVlfU0laRShzaF9jdHh0LT5zZWdf cmVnKSApCisgICAgICAgIHJldHVybiBFUlJfUFRSKC1YODZFTVVMX1VOSEFO RExFQUJMRSk7CisKKyAgICBzZWdfcmVnID0gJnNoX2N0eHQtPnNlZ19yZWdb c2VnXTsKICAgICBpZiAoICFfX3Rlc3RfYW5kX3NldF9iaXQoc2VnLCAmc2hf Y3R4dC0+dmFsaWRfc2VnX3JlZ3MpICkKICAgICAgICAgaHZtX2dldF9zZWdt ZW50X3JlZ2lzdGVyKGN1cnJlbnQsIHNlZywgc2VnX3JlZyk7CiAgICAgcmV0 dXJuIHNlZ19yZWc7CkBAIC0xNDMsMTQgKzE1Miw5IEBAIHN0YXRpYyBpbnQg aHZtX3RyYW5zbGF0ZV9saW5lYXJfYWRkcigKICAgICBzdHJ1Y3Qgc2VnbWVu dF9yZWdpc3RlciAqcmVnOwogICAgIGludCBva2F5OwogCi0gICAgLyoKLSAg ICAgKiBDYW4gYXJyaXZlIGhlcmUgd2l0aCBub24tdXNlciBzZWdtZW50cy4g IEhvd2V2ZXIsIG5vIHN1Y2ggY2lydWNtc3RhbmNlCi0gICAgICogaXMgcGFy dCBvZiBhIGxlZ2l0aW1hdGUgcGFnZXRhYmxlIHVwZGF0ZSwgc28gZmFpbCB0 aGUgZW11bGF0aW9uLgotICAgICAqLwotICAgIGlmICggIWlzX3g4Nl91c2Vy X3NlZ21lbnQoc2VnKSApCi0gICAgICAgIHJldHVybiBYODZFTVVMX1VOSEFO RExFQUJMRTsKLQogICAgIHJlZyA9IGh2bV9nZXRfc2VnX3JlZyhzZWcsIHNo X2N0eHQpOworICAgIGlmICggSVNfRVJSKHJlZykgKQorICAgICAgICByZXR1 cm4gLVBUUl9FUlIocmVnKTsKIAogICAgIG9rYXkgPSBodm1fdmlydHVhbF90 b19saW5lYXJfYWRkcigKICAgICAgICAgc2VnLCByZWcsIG9mZnNldCwgYnl0 ZXMsIGFjY2Vzc190eXBlLCBzaF9jdHh0LT5jdHh0LmFkZHJfc2l6ZSwgcGFk ZHIpOwpAQCAtMjUzLDkgKzI1Nyw2IEBAIGh2bV9lbXVsYXRlX3dyaXRlKGVu dW0geDg2X3NlZ21lbnQgc2VnLAogICAgIHVuc2lnbmVkIGxvbmcgYWRkcjsK ICAgICBpbnQgcmM7CiAKLSAgICBpZiAoICFpc194ODZfdXNlcl9zZWdtZW50 KHNlZykgKQotICAgICAgICByZXR1cm4gWDg2RU1VTF9VTkhBTkRMRUFCTEU7 Ci0KICAgICAvKiBIb3cgbWFueSBlbXVsYXRpb25zIGNvdWxkIHdlIHNhdmUg aWYgd2UgdW5zaGFkb3dlZCBvbiBzdGFjayB3cml0ZXM/ICovCiAgICAgaWYg KCBzZWcgPT0geDg2X3NlZ19zcyApCiAgICAgICAgIHBlcmZjX2luY3Ioc2hh ZG93X2ZhdWx0X2VtdWxhdGVfc3RhY2spOwpAQCAtMjgzLDcgKzI4NCw3IEBA IGh2bV9lbXVsYXRlX2NtcHhjaGcoZW51bSB4ODZfc2VnbWVudCBzZWcKICAg ICB1bnNpZ25lZCBsb25nIGFkZHIsIG9sZCwgbmV3OwogICAgIGludCByYzsK IAotICAgIGlmICggIWlzX3g4Nl91c2VyX3NlZ21lbnQoc2VnKSB8fCBieXRl cyA+IHNpemVvZihsb25nKSApCisgICAgaWYgKCBieXRlcyA+IHNpemVvZihs b25nKSApCiAgICAgICAgIHJldHVybiBYODZFTVVMX1VOSEFORExFQUJMRTsK IAogICAgIHJjID0gaHZtX3RyYW5zbGF0ZV9saW5lYXJfYWRkcigKLS0tIGEv eGVuL2FyY2gveDg2L21tL3NoYWRvdy9wcml2YXRlLmgKKysrIGIveGVuL2Fy Y2gveDg2L21tL3NoYWRvdy9wcml2YXRlLmgKQEAgLTc0MCw4ICs3NDAsNiBA QCBjb25zdCBzdHJ1Y3QgeDg2X2VtdWxhdGVfb3BzICpzaGFkb3dfaW5pCiAg ICAgc3RydWN0IHNoX2VtdWxhdGVfY3R4dCAqc2hfY3R4dCwgc3RydWN0IGNw dV91c2VyX3JlZ3MgKnJlZ3MpOwogdm9pZCBzaGFkb3dfY29udGludWVfZW11 bGF0aW9uKAogICAgIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0eHQs IHN0cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKTsKLXN0cnVjdCBzZWdtZW50 X3JlZ2lzdGVyICpodm1fZ2V0X3NlZ19yZWcoCi0gICAgZW51bSB4ODZfc2Vn bWVudCBzZWcsIHN0cnVjdCBzaF9lbXVsYXRlX2N0eHQgKnNoX2N0eHQpOwog CiAjaWYgKFNIQURPV19PUFRJTUlaQVRJT05TICYgU0hPUFRfVklSVFVBTF9U TEIpCiAvKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiovCi0tLSBhL3hl bi9pbmNsdWRlL2FzbS14ODYvaHZtL2VtdWxhdGUuaAorKysgYi94ZW4vaW5j bHVkZS9hc20teDg2L2h2bS9lbXVsYXRlLmgKQEAgLTEzLDYgKzEzLDcgQEAK ICNkZWZpbmUgX19BU01fWDg2X0hWTV9FTVVMQVRFX0hfXwogCiAjaW5jbHVk ZSA8eGVuL2NvbmZpZy5oPgorI2luY2x1ZGUgPHhlbi9lcnIuaD4KICNpbmNs dWRlIDxhc20vaHZtL2h2bS5oPgogI2luY2x1ZGUgPGFzbS94ODZfZW11bGF0 ZS5oPgogCg== --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Wed Sep 21 15:30:22 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 21 Sep 2016 15:30:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bmjSW-0000vX-FP; Wed, 21 Sep 2016 15:29:16 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bmdbx-00013Y-E2; Wed, 21 Sep 2016 09:14:37 +0000 Received: from [85.158.137.68] by server-4.bemta-3.messagelabs.com id 15/D9-15788-C7F42E75; Wed, 21 Sep 2016 09:14:36 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrBIsWRWlGSWpSXmKPExsXS6fjDS7fa/1G 4wdU2M4vZG9uYLb5vmczkwORx+MMVlgDGKNbMvKT8igTWjP1f5rIWXGSruPZ4HVsD4xXWLkYO DiGBPIkPvSVdjJwcvAJ2EqvuXGYGsSUEDCWevr/OBmKzCKhKTHrSwQhiswmoS7Q9284KYosA2 c1zboKNYRYwkLj73QQkLCwgLXH/wxWgMVxA05cxSlzd1MQCUsMrICjxd4cwSA2zgJbEw1+3WC BsbYllC18zQ4yRllj+j2MCI+8shIZZSBpmIWmYhdCwgJFlFaN6cWpRWWqRrqFeUlFmekZJbmJ mjq6hgbFebmpxcWJ6ak5iUrFecn7uJkZgqDEAwQ7G5R+dDjFKcjApifI+d3wULsSXlJ9SmZFY nBFfVJqTWnyIUYaDQ0mCN8IPKCdYlJqeWpGWmQMMepi0BAePkgjvRpA0b3FBYm5xZjpE6hSjL seCH7fXMgmx5OXnpUqJ83aCFAmAFGWU5sGNgEXgJUZZKWFeRqCjhHgKUotyM0tQ5V8xinMwKg nzloBM4cnMK4Hb9AroCCagI7b8fAByREkiQkqqgXGOm/wq/fX7P9w/zGBeOaGanaVi4sKzKro aavo6zXe/MnodPSqSmTnzns8HVZ2pyyeJtd/du/xj5XemHJunS4K1dzbYKy878jDEbqq3p1mB 6b2kzOc8NvvTZ7LvF9Bbcshnn1ThXouJ/+s3f5wTpH0wZb2I17v3F1UORVxXTk63y20yCI05v ESJpTgj0VCLuag4EQAb0+7NuwIAAA== X-Env-Sender: JBeulich@suse.com X-Msg-Ref: server-9.tower-31.messagelabs.com!1474449273!14403406!1 X-Originating-IP: [137.65.248.74] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 57243 invoked from network); 21 Sep 2016 09:14:35 -0000 Received: from prv-mh.provo.novell.com (HELO prv-mh.provo.novell.com) (137.65.248.74) by server-9.tower-31.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 21 Sep 2016 09:14:35 -0000 Received: from INET-PRV-MTA by prv-mh.provo.novell.com with Novell_GroupWise; Wed, 21 Sep 2016 03:14:33 -0600 Message-Id: <57E26B970200007800110EA1@prv-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 14.2.1 Date: Wed, 21 Sep 2016 03:14:31 -0600 From: "Jan Beulich" To: References: <57E026CF020000780011037F@prv-mh.provo.novell.com> <57E2673E0200007800110E69@prv-mh.provo.novell.com> <57E26B970200007800110EA1@prv-mh.provo.novell.com> Mime-Version: 1.0 Content-Disposition: inline X-Mailman-Approved-At: Wed, 21 Sep 2016 15:29:15 +0000 Cc: xen-devel Subject: [Xen-announce] Xen 4.5.5 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" QWxsLAoKSSBhbSBwbGVhc2VkIHRvIGFubm91bmNlIHRoZSByZWxlYXNlIG9mIFhlbiA0LjUuNS4g VGhpcyBpcwphdmFpbGFibGUgaW1tZWRpYXRlbHkgZnJvbSBpdHMgZ2l0IHJlcG9zaXRvcnkKaHR0 cHM6Ly94ZW5iaXRzLnhlbi5vcmcvZ2l0d2ViLz9wPXhlbi5naXQ7YT1zaG9ydGxvZztoPXJlZnMv aGVhZHMvc3RhYmxlLTQuNSAKKHRhZyBSRUxFQVNFLTQuNS41KSBvciBmcm9tIHRoZSBYZW5Qcm9q ZWN0IGRvd25sb2FkIHBhZ2UKaHR0cHM6Ly93d3cueGVucHJvamVjdC5vcmcvZG93bmxvYWRzL3hl bi1hcmNoaXZlcy94ZW4tNDUtc2VyaWVzL3hlbi00NTUuaHRtbCAKKHdoZXJlIGEgbGlzdCBvZiBj aGFuZ2VzIGNhbiBhbHNvIGJlIGZvdW5kKS4KCk5vdGUgdGhhdCB0aGlzIGlzIHRoZSBsYXN0IFhl blByb2plY3QgY29vcmRpbmF0ZWQgcmVsZWFzZSBvZiB0aGUgNC41CnN0YWJsZSBzZXJpZXMuIFRo ZSB0cmVlIHdpbGwgYmUgc3dpdGNoZWQgdG8gc2VjdXJpdHkgb25seSBtYWludGVuYW5jZQptb2Rl IGFmdGVyIHRoaXMgcmVsZWFzZS4KCldlIHJlY29tbWVuZCBhbGwgdXNlcnMgb2YgdGhlIDQuNSBz dGFibGUgc2VyaWVzIHRvIHVwZGF0ZSB0byB0aGlzCmxhc3QgcG9pbnQgcmVsZWFzZS4KCk5vdGUg cmVnYXJkaW5nIDQuNS40OiBBbiBpc3N1ZSB3YXMgZm91bmQgbGF0ZSBpbiB0aGUgcmVsZWFzZSBw cm9jZXNzLAphZnRlciB0aGUgdmFyaW91cyB0cmVlcyB3ZXJlIGFscmVhZHkgdGFnZ2VkIChpbiBm YWN0LCBvbmUgb2YgdGhvc2UKdGFncyB3YXMgd3JvbmcpLiBXZSB0aGVyZWZvcmUgZGVjaWRlZCB0 byBza2lwIHZlcnNpb24gNC41LjQuCgpSZWdhcmRzLCBKYW4KCgpfX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fXwpYZW4tYW5ub3VuY2UgbWFpbGluZyBsaXN0Clhl bi1hbm5vdW5jZUBsaXN0cy54ZW4ub3JnCmh0dHBzOi8vbGlzdHMueGVuLm9yZy94ZW4tYW5ub3Vu Y2U= From xen-announce-bounces@lists.xen.org Wed Sep 21 15:30:22 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 21 Sep 2016 15:30:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bmjSW-0000vX-FP; Wed, 21 Sep 2016 15:29:16 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bmdbx-00013Y-E2; Wed, 21 Sep 2016 09:14:37 +0000 Received: from [85.158.137.68] by server-4.bemta-3.messagelabs.com id 15/D9-15788-C7F42E75; Wed, 21 Sep 2016 09:14:36 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrBIsWRWlGSWpSXmKPExsXS6fjDS7fa/1G 4wdU2M4vZG9uYLb5vmczkwORx+MMVlgDGKNbMvKT8igTWjP1f5rIWXGSruPZ4HVsD4xXWLkYO DiGBPIkPvSVdjJwcvAJ2EqvuXGYGsSUEDCWevr/OBmKzCKhKTHrSwQhiswmoS7Q9284KYosA2 c1zboKNYRYwkLj73QQkLCwgLXH/wxWgMVxA05cxSlzd1MQCUsMrICjxd4cwSA2zgJbEw1+3WC BsbYllC18zQ4yRllj+j2MCI+8shIZZSBpmIWmYhdCwgJFlFaN6cWpRWWqRrqFeUlFmekZJbmJ mjq6hgbFebmpxcWJ6ak5iUrFecn7uJkZgqDEAwQ7G5R+dDjFKcjApifI+d3wULsSXlJ9SmZFY nBFfVJqTWnyIUYaDQ0mCN8IPKCdYlJqeWpGWmQMMepi0BAePkgjvRpA0b3FBYm5xZjpE6hSjL seCH7fXMgmx5OXnpUqJ83aCFAmAFGWU5sGNgEXgJUZZKWFeRqCjhHgKUotyM0tQ5V8xinMwKg nzloBM4cnMK4Hb9AroCCagI7b8fAByREkiQkqqgXGOm/wq/fX7P9w/zGBeOaGanaVi4sKzKro aavo6zXe/MnodPSqSmTnzns8HVZ2pyyeJtd/du/xj5XemHJunS4K1dzbYKy878jDEbqq3p1mB 6b2kzOc8NvvTZ7LvF9Bbcshnn1ThXouJ/+s3f5wTpH0wZb2I17v3F1UORVxXTk63y20yCI05v ESJpTgj0VCLuag4EQAb0+7NuwIAAA== X-Env-Sender: JBeulich@suse.com X-Msg-Ref: server-9.tower-31.messagelabs.com!1474449273!14403406!1 X-Originating-IP: [137.65.248.74] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 8.84; banners=-,-,- X-VirusChecked: Checked Received: (qmail 57243 invoked from network); 21 Sep 2016 09:14:35 -0000 Received: from prv-mh.provo.novell.com (HELO prv-mh.provo.novell.com) (137.65.248.74) by server-9.tower-31.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 21 Sep 2016 09:14:35 -0000 Received: from INET-PRV-MTA by prv-mh.provo.novell.com with Novell_GroupWise; Wed, 21 Sep 2016 03:14:33 -0600 Message-Id: <57E26B970200007800110EA1@prv-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 14.2.1 Date: Wed, 21 Sep 2016 03:14:31 -0600 From: "Jan Beulich" To: References: <57E026CF020000780011037F@prv-mh.provo.novell.com> <57E2673E0200007800110E69@prv-mh.provo.novell.com> <57E26B970200007800110EA1@prv-mh.provo.novell.com> Mime-Version: 1.0 Content-Disposition: inline X-Mailman-Approved-At: Wed, 21 Sep 2016 15:29:15 +0000 Cc: xen-devel Subject: [Xen-announce] Xen 4.5.5 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" QWxsLAoKSSBhbSBwbGVhc2VkIHRvIGFubm91bmNlIHRoZSByZWxlYXNlIG9mIFhlbiA0LjUuNS4g VGhpcyBpcwphdmFpbGFibGUgaW1tZWRpYXRlbHkgZnJvbSBpdHMgZ2l0IHJlcG9zaXRvcnkKaHR0 cHM6Ly94ZW5iaXRzLnhlbi5vcmcvZ2l0d2ViLz9wPXhlbi5naXQ7YT1zaG9ydGxvZztoPXJlZnMv aGVhZHMvc3RhYmxlLTQuNSAKKHRhZyBSRUxFQVNFLTQuNS41KSBvciBmcm9tIHRoZSBYZW5Qcm9q ZWN0IGRvd25sb2FkIHBhZ2UKaHR0cHM6Ly93d3cueGVucHJvamVjdC5vcmcvZG93bmxvYWRzL3hl bi1hcmNoaXZlcy94ZW4tNDUtc2VyaWVzL3hlbi00NTUuaHRtbCAKKHdoZXJlIGEgbGlzdCBvZiBj aGFuZ2VzIGNhbiBhbHNvIGJlIGZvdW5kKS4KCk5vdGUgdGhhdCB0aGlzIGlzIHRoZSBsYXN0IFhl blByb2plY3QgY29vcmRpbmF0ZWQgcmVsZWFzZSBvZiB0aGUgNC41CnN0YWJsZSBzZXJpZXMuIFRo ZSB0cmVlIHdpbGwgYmUgc3dpdGNoZWQgdG8gc2VjdXJpdHkgb25seSBtYWludGVuYW5jZQptb2Rl IGFmdGVyIHRoaXMgcmVsZWFzZS4KCldlIHJlY29tbWVuZCBhbGwgdXNlcnMgb2YgdGhlIDQuNSBz dGFibGUgc2VyaWVzIHRvIHVwZGF0ZSB0byB0aGlzCmxhc3QgcG9pbnQgcmVsZWFzZS4KCk5vdGUg cmVnYXJkaW5nIDQuNS40OiBBbiBpc3N1ZSB3YXMgZm91bmQgbGF0ZSBpbiB0aGUgcmVsZWFzZSBw cm9jZXNzLAphZnRlciB0aGUgdmFyaW91cyB0cmVlcyB3ZXJlIGFscmVhZHkgdGFnZ2VkIChpbiBm YWN0LCBvbmUgb2YgdGhvc2UKdGFncyB3YXMgd3JvbmcpLiBXZSB0aGVyZWZvcmUgZGVjaWRlZCB0 byBza2lwIHZlcnNpb24gNC41LjQuCgpSZWdhcmRzLCBKYW4KCgpfX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fXwpYZW4tYW5ub3VuY2UgbWFpbGluZyBsaXN0Clhl bi1hbm5vdW5jZUBsaXN0cy54ZW4ub3JnCmh0dHBzOi8vbGlzdHMueGVuLm9yZy94ZW4tYW5ub3Vu Y2U=