From xen-announce-bounces@lists.xen.org Wed Nov 02 16:38:17 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 02 Nov 2016 16:38:17 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c1yXN-00037f-8I; Wed, 02 Nov 2016 16:37:17 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c1yX6-00035F-Tx; Wed, 02 Nov 2016 16:37:01 +0000 Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id AF/8A-04344-B261A185; Wed, 02 Nov 2016 16:36:59 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrJIsWRWlGSWpSXmKPExsXitHSDva62mFS EwarVChazN7YxW3zfMpnJ4t2+v8wOzB6HP1xhCWCMYs3MS8qvSGDNOHHoBkvBROaKPydCGhhv MXUxcnJICPhLvH7xmA3EZhFQkeh5fZYFxGYTUJb42dkLFhcRyJFonLSZFcRmFlCUOHV7BjOIL QxUc+7UFLB6XgE9iUfntzJC2IISJ2c+YYGo15FYsPsT0BwOIFtaYvk/DpCwKNCqKxPesoPYQg IKEh3TjzGBlEgIcEv87bafwMg7C8mgWUgGzUIYtICReRWjRnFqUVlqka6RiV5SUWZ6RkluYma OrqGBqV5uanFxYnpqTmJSsV5yfu4mRmCA1TMwMO5gvDnZ7xCjJAeTkijv56eSEUJ8SfkplRmJ xRnxRaU5qcWHGGU4OJQkeCeJSEUICRalpqdWpGXmAEMdJi3BwaMkwsspCpTmLS5IzC3OTIdIn WI05niz6+UDJo53m989YBJiycvPS5US590HMkkApDSjNA9uECwGLzHKSgnzMjIwMAjxFKQW5W aWoMq/YhTnYFQS5j0LMoUnM68Ebt8roFOYgE4xT5IAOaUkESEl1cC4bZLuUye95N1RjOdOXNo 6fUHcpm7p66VSExXSkhZKas7+P/nFgTPSfJ8POtmrTOC+LJSnLxvfeyfjBe+hx/NXXt1mJBJw 7/mx5T8u2F/6dd0ltt1+wpqdpifubL11aeHdC8+mP2M/n3Jic+ryOZ6n2VmSQi/c8igyZzD+9 bP9xWaen/Jz/+3aWKnEUpyRaKjFXFScCABB4E5ivAIAAA== X-Env-Sender: prvs=107ac9648=wei.liu2@citrix.com X-Msg-Ref: server-7.tower-206.messagelabs.com!1478104617!68026760!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.0.13; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11294 invoked from network); 2 Nov 2016 16:36:59 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-7.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Nov 2016 16:36:59 -0000 X-IronPort-AV: E=Sophos;i="5.31,583,1473120000"; d="scan'208";a="396038107" Date: Wed, 2 Nov 2016 16:36:53 +0000 From: Wei Liu To: , , Message-ID: <20161102163653.GJ3543@citrix.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-DLP: MIA1 X-Mailman-Approved-At: Wed, 02 Nov 2016 16:37:15 +0000 Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8 RC5 X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" SGkgYWxsCgpYZW4gNC44IHJjNSBpcyB0YWdnZWQuIFlvdSBjYW4gY2hlY2sgdGhhdCBvdXQgZnJv bSB4ZW4uZ2l0OgoKICBnaXQ6Ly94ZW5iaXRzLnhlbi5vcmcveGVuLmdpdCA0LjguMC1yYzUKCkZv ciB5b3UgY29udmVuaWVuY2UsIHBsZWFzZSBmaW5kIHRhcmJhbGwgYW5kIHNpZ25hdHVyZSBhdDoK Cmh0dHBzOi8vZG93bmxvYWRzLnhlbnByb2plY3Qub3JnL3JlbGVhc2UveGVuLzQuOC4wLXJjNS8K ClBsZWFzZSBzZW5kIGJ1ZyByZXBvcnRzIGFuZCB0ZXN0IHJlcG9ydHMgdG8KeGVuLWRldmVsQGxp c3RzLnhlbnByb2plY3Qub3JnLiBXaGVuIHNlbmRpbmcgcmVwb3J0cywgcGxlYXNlIENDIHJlbGV2 YW50Cm1haW50YWluZXJzIGFuZCBtZSAod2VpLmxpdTJAY2l0cml4LmNvbSkuCgpUaGFua3MKV2Vp LgoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFu bm91bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xp c3RzLnhlbi5vcmcveGVuLWFubm91bmNl From xen-announce-bounces@lists.xen.org Wed Nov 02 16:38:17 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 02 Nov 2016 16:38:17 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c1yXN-00037f-8I; Wed, 02 Nov 2016 16:37:17 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c1yX6-00035F-Tx; Wed, 02 Nov 2016 16:37:01 +0000 Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id AF/8A-04344-B261A185; Wed, 02 Nov 2016 16:36:59 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrJIsWRWlGSWpSXmKPExsXitHSDva62mFS EwarVChazN7YxW3zfMpnJ4t2+v8wOzB6HP1xhCWCMYs3MS8qvSGDNOHHoBkvBROaKPydCGhhv MXUxcnJICPhLvH7xmA3EZhFQkeh5fZYFxGYTUJb42dkLFhcRyJFonLSZFcRmFlCUOHV7BjOIL QxUc+7UFLB6XgE9iUfntzJC2IISJ2c+YYGo15FYsPsT0BwOIFtaYvk/DpCwKNCqKxPesoPYQg IKEh3TjzGBlEgIcEv87bafwMg7C8mgWUgGzUIYtICReRWjRnFqUVlqka6RiV5SUWZ6RkluYma OrqGBqV5uanFxYnpqTmJSsV5yfu4mRmCA1TMwMO5gvDnZ7xCjJAeTkijv56eSEUJ8SfkplRmJ xRnxRaU5qcWHGGU4OJQkeCeJSEUICRalpqdWpGXmAEMdJi3BwaMkwsspCpTmLS5IzC3OTIdIn WI05niz6+UDJo53m989YBJiycvPS5US590HMkkApDSjNA9uECwGLzHKSgnzMjIwMAjxFKQW5W aWoMq/YhTnYFQS5j0LMoUnM68Ebt8roFOYgE4xT5IAOaUkESEl1cC4bZLuUye95N1RjOdOXNo 6fUHcpm7p66VSExXSkhZKas7+P/nFgTPSfJ8POtmrTOC+LJSnLxvfeyfjBe+hx/NXXt1mJBJw 7/mx5T8u2F/6dd0ltt1+wpqdpifubL11aeHdC8+mP2M/n3Jic+ryOZ6n2VmSQi/c8igyZzD+9 bP9xWaen/Jz/+3aWKnEUpyRaKjFXFScCABB4E5ivAIAAA== X-Env-Sender: prvs=107ac9648=wei.liu2@citrix.com X-Msg-Ref: server-7.tower-206.messagelabs.com!1478104617!68026760!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.0.13; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11294 invoked from network); 2 Nov 2016 16:36:59 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-7.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Nov 2016 16:36:59 -0000 X-IronPort-AV: E=Sophos;i="5.31,583,1473120000"; d="scan'208";a="396038107" Date: Wed, 2 Nov 2016 16:36:53 +0000 From: Wei Liu To: , , Message-ID: <20161102163653.GJ3543@citrix.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-DLP: MIA1 X-Mailman-Approved-At: Wed, 02 Nov 2016 16:37:15 +0000 Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8 RC5 X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" SGkgYWxsCgpYZW4gNC44IHJjNSBpcyB0YWdnZWQuIFlvdSBjYW4gY2hlY2sgdGhhdCBvdXQgZnJv bSB4ZW4uZ2l0OgoKICBnaXQ6Ly94ZW5iaXRzLnhlbi5vcmcveGVuLmdpdCA0LjguMC1yYzUKCkZv ciB5b3UgY29udmVuaWVuY2UsIHBsZWFzZSBmaW5kIHRhcmJhbGwgYW5kIHNpZ25hdHVyZSBhdDoK Cmh0dHBzOi8vZG93bmxvYWRzLnhlbnByb2plY3Qub3JnL3JlbGVhc2UveGVuLzQuOC4wLXJjNS8K ClBsZWFzZSBzZW5kIGJ1ZyByZXBvcnRzIGFuZCB0ZXN0IHJlcG9ydHMgdG8KeGVuLWRldmVsQGxp c3RzLnhlbnByb2plY3Qub3JnLiBXaGVuIHNlbmRpbmcgcmVwb3J0cywgcGxlYXNlIENDIHJlbGV2 YW50Cm1haW50YWluZXJzIGFuZCBtZSAod2VpLmxpdTJAY2l0cml4LmNvbSkuCgpUaGFua3MKV2Vp LgoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFu bm91bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xp c3RzLnhlbi5vcmcveGVuLWFubm91bmNl From xen-announce-bounces@lists.xen.org Mon Nov 07 16:08:27 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 07 Nov 2016 16:08:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3mRr-00089F-G6; Mon, 07 Nov 2016 16:07:03 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3lfF-0001iE-4K; Mon, 07 Nov 2016 15:16:49 +0000 Received: from [85.158.139.211] by server-2.bemta-5.messagelabs.com id 55/69-08512-0EA90285; Mon, 07 Nov 2016 15:16:48 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrIIsWRWlGSWpSXmKPExsXS6fjDS/f+LIU Igx0t5hazN7YxW3zfMpnJgcnj8IcrLAGMUayZeUn5FQmsGXc6rAueMFecmPWFuYFxGXMXIyeH kECeRGPHMVYQm1fATuLjhOOMILaEgKHE0/fX2UBsFgFViZNf54HF2QTUJdqebQerFwGym+fcB LI5OJgFDCTufjcBCQsLSEusuX2MESTMKyAo8XeHMEiYWUBL4uGvWywQtrbEsoWvmSE6pSWW/+ OYwMgzC6FhFpKGWUgaZiE0LGBkWcWoXpxaVJZapGuil1SUmZ5RkpuYmaNraGCql5taXJyYnpq TmFSsl5yfu4kRGFAMQLCD8Vaf8yFGSQ4mJVHeq7EKEUJ8SfkplRmJxRnxRaU5qcWHGGU4OJQk eA/OBMoJFqWmp1akZeYAQxsmLcHBoyTC+xAkzVtckJhbnJkOkTrFaMzxZtfLB0wc7za/e8Akx JKXn5cqJc67DqRUAKQ0ozQPbhAs5i4xykoJ8zICnSbEU5BalJtZgir/ilGcg1FJmHciyBSezL wSuH2vgE5hAjqlKgbslJJEhJRUA6NC7ypznb8frdfWnrHL3Dnx/Lc1n4+tXCkgs5jvaOiTAt3 PVZI5ohuFKv9Jm/8oLD2n/qDR190vdFL+b5s184IPympPdrTTz7vWel5rMnve5iezI5dfyNOc zXCoR1v63N8PM4JeHJVimWOyhq37dvdt91uXji5Tjjlz0/vAmftzJVnqP+47Js2nxFKckWiox VxUnAgAx5Uh5LQCAAA= X-Env-Sender: JBeulich@suse.com X-Msg-Ref: server-8.tower-206.messagelabs.com!1478531805!68798707!1 X-Originating-IP: [137.65.248.74] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.13; banners=-,-,- X-VirusChecked: Checked Received: (qmail 48711 invoked from network); 7 Nov 2016 15:16:47 -0000 Received: from prv-mh.provo.novell.com (HELO prv-mh.provo.novell.com) (137.65.248.74) by server-8.tower-206.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 7 Nov 2016 15:16:47 -0000 Received: from INET-PRV-MTA by prv-mh.provo.novell.com with Novell_GroupWise; Mon, 07 Nov 2016 08:16:45 -0700 Message-Id: <5820A8E9020000780011CBFC@prv-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 14.2.1 Date: Mon, 07 Nov 2016 08:16:41 -0700 From: "Jan Beulich" To: Mime-Version: 1.0 Content-Disposition: inline X-Mailman-Approved-At: Mon, 07 Nov 2016 16:07:02 +0000 Cc: xen-devel Subject: [Xen-announce] Xen 4.7.1 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" QWxsLAoKSSBhbSBwbGVhc2VkIHRvIGFubm91bmNlIHRoZSByZWxlYXNlIG9mIFhlbiA0LjcuMS4g VGhpcyBpcwphdmFpbGFibGUgaW1tZWRpYXRlbHkgZnJvbSBpdHMgZ2l0IHJlcG9zaXRvcnkKaHR0 cDovL3hlbmJpdHMueGVuLm9yZy9naXR3ZWIvP3A9eGVuLmdpdDthPXNob3J0bG9nO2g9cmVmcy9o ZWFkcy9zdGFibGUtNC43IAoodGFnIFJFTEVBU0UtNC43LjEpIG9yIGZyb20gdGhlIFhlblByb2pl Y3QgZG93bmxvYWQgcGFnZQpodHRwOi8vd3d3LnhlbnByb2plY3Qub3JnL2Rvd25sb2Fkcy94ZW4t YXJjaGl2ZXMveGVuLTQ3LXNlcmllcy94ZW4tNDcxLmh0bWwgCih3aGVyZSBhIGxpc3Qgb2YgY2hh bmdlcyBjYW4gYWxzbyBiZSBmb3VuZCkuCgpXZSByZWNvbW1lbmQgYWxsIHVzZXJzIG9mIHRoZSA0 Ljcgc3RhYmxlIHNlcmllcyB0byB1cGRhdGUgdG8gdGhpcwpmaXJzdCBwb2ludCByZWxlYXNlLgoK UmVnYXJkcywgSmFuCgoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX18KWGVuLWFubm91bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9y ZwpodHRwczovL2xpc3RzLnhlbi5vcmcveGVuLWFubm91bmNl From xen-announce-bounces@lists.xen.org Mon Nov 07 16:08:27 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 07 Nov 2016 16:08:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3mRr-00089Q-No; Mon, 07 Nov 2016 16:07:03 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3lfW-0001jU-1K; Mon, 07 Nov 2016 15:17:06 +0000 Received: from [193.109.254.147] by server-3.bemta-6.messagelabs.com id 39/04-18083-1FA90285; Mon, 07 Nov 2016 15:17:05 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrEIsWRWlGSWpSXmKPExsXS6fjDS/fDLIU Ig64WdYvZG9uYLb5vmczkwORx+MMVlgDGKNbMvKT8igTWjJ5deQVPmSsWb1zC2sC4nLmLkZND SCBPYk5nAwuIzStgJ7G5bQcTiC0hYCjx9P11NhCbRUBVYs+D92A2m4C6RNuz7awgtgiQ3TznJ pDNwcEsYCBx97sJSFhYQFri37QPbCBhXgFBib87hEHCzAJaEg9/3WKBsLUlli18zQzRKS2x/B /HBEaeWQgNs5A0zELSMAuhYQEjyypGjeLUorLUIl1jA72kosz0jJLcxMwcXUMDM73c1OLixPT UnMSkYr3k/NxNjMCQYgCCHYx/1wYeYpTkYFIS5b0aqxAhxJeUn1KZkVicEV9UmpNafIhRhoND SYJXeyZQTrAoNT21Ii0zBxjcMGkJDh4lEd5MkDRvcUFibnFmOkTqFKMxx5tdLx8wcbzb/O4Bk xBLXn5eqpQ4rwpIqQBIaUZpHtwgWNRdYpSVEuZlBDpNiKcgtSg3swRV/hWjOAejkjBvJMgUns y8Erh9r4BOYQI6pSoG7JSSRISUVAPjwpbEuYZngk0XOLDPSPwWGLnuXwmP3DeOZQcv+szZ4Hg rtb2zUWTG3CCH44dnSJVsensyy7r8c05Tb8Tbn7Kz+bYXTbztVz9D+efypQt1XJyibSQMnhht XXv6xf2t11dEnZnwNX6HG6vEvhq2rWtWM56zPy39dVqKZBOvYVl8ymnbys+qB19tUGIpzkg01 GIuKk4EAExA0Ay1AgAA X-Env-Sender: JBeulich@suse.com X-Msg-Ref: server-8.tower-27.messagelabs.com!1478531822!59955005!1 X-Originating-IP: [137.65.248.74] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.13; banners=-,-,- X-VirusChecked: Checked Received: (qmail 20683 invoked from network); 7 Nov 2016 15:17:04 -0000 Received: from prv-mh.provo.novell.com (HELO prv-mh.provo.novell.com) (137.65.248.74) by server-8.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 7 Nov 2016 15:17:04 -0000 Received: from INET-PRV-MTA by prv-mh.provo.novell.com with Novell_GroupWise; Mon, 07 Nov 2016 08:17:02 -0700 Message-Id: <5820A8F9020000780011CBFF@prv-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 14.2.1 Date: Mon, 07 Nov 2016 08:16:57 -0700 From: "Jan Beulich" To: Mime-Version: 1.0 Content-Disposition: inline X-Mailman-Approved-At: Mon, 07 Nov 2016 16:07:02 +0000 Cc: xen-devel Subject: [Xen-announce] Xen 4.6.4 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" QWxsLAoKSSBhbSBwbGVhc2VkIHRvIGFubm91bmNlIHRoZSByZWxlYXNlIG9mIFhlbiA0LjYuNC4g VGhpcyBpcwphdmFpbGFibGUgaW1tZWRpYXRlbHkgZnJvbSBpdHMgZ2l0IHJlcG9zaXRvcnkKaHR0 cDovL3hlbmJpdHMueGVuLm9yZy9naXR3ZWIvP3A9eGVuLmdpdDthPXNob3J0bG9nO2g9cmVmcy9o ZWFkcy9zdGFibGUtNC42IAoodGFnIFJFTEVBU0UtNC42LjQpIG9yIGZyb20gdGhlIFhlblByb2pl Y3QgZG93bmxvYWQgcGFnZQpodHRwOi8vd3d3LnhlbnByb2plY3Qub3JnL2Rvd25sb2Fkcy94ZW4t YXJjaGl2ZXMveGVuLTQ2LXNlcmllcy94ZW4tNDY0Lmh0bWwgCih3aGVyZSBhIGxpc3Qgb2YgY2hh bmdlcyBjYW4gYWxzbyBiZSBmb3VuZCkuCgpXZSByZWNvbW1lbmQgYWxsIHVzZXJzIG9mIHRoZSA0 LjYgc3RhYmxlIHNlcmllcyB0byB1cGRhdGUgdG8gdGhpcwpsYXRlc3QgcG9pbnQgcmVsZWFzZS4K ClJlZ2FyZHMsIEphbgoKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fClhlbi1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKWGVuLWFubm91bmNlQGxpc3RzLnhlbi5v cmcKaHR0cHM6Ly9saXN0cy54ZW4ub3JnL3hlbi1hbm5vdW5jZQ== From xen-announce-bounces@lists.xen.org Mon Nov 07 16:08:27 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 07 Nov 2016 16:08:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3mRr-00089F-G6; Mon, 07 Nov 2016 16:07:03 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3lfF-0001iE-4K; Mon, 07 Nov 2016 15:16:49 +0000 Received: from [85.158.139.211] by server-2.bemta-5.messagelabs.com id 55/69-08512-0EA90285; Mon, 07 Nov 2016 15:16:48 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrIIsWRWlGSWpSXmKPExsXS6fjDS/f+LIU Igx0t5hazN7YxW3zfMpnJgcnj8IcrLAGMUayZeUn5FQmsGXc6rAueMFecmPWFuYFxGXMXIyeH kECeRGPHMVYQm1fATuLjhOOMILaEgKHE0/fX2UBsFgFViZNf54HF2QTUJdqebQerFwGym+fcB LI5OJgFDCTufjcBCQsLSEusuX2MESTMKyAo8XeHMEiYWUBL4uGvWywQtrbEsoWvmSE6pSWW/+ OYwMgzC6FhFpKGWUgaZiE0LGBkWcWoXpxaVJZapGuil1SUmZ5RkpuYmaNraGCql5taXJyYnpq TmFSsl5yfu4kRGFAMQLCD8Vaf8yFGSQ4mJVHeq7EKEUJ8SfkplRmJxRnxRaU5qcWHGGU4OJQk eA/OBMoJFqWmp1akZeYAQxsmLcHBoyTC+xAkzVtckJhbnJkOkTrFaMzxZtfLB0wc7za/e8Akx JKXn5cqJc67DqRUAKQ0ozQPbhAs5i4xykoJ8zICnSbEU5BalJtZgir/ilGcg1FJmHciyBSezL wSuH2vgE5hAjqlKgbslJJEhJRUA6NC7ypznb8frdfWnrHL3Dnx/Lc1n4+tXCkgs5jvaOiTAt3 PVZI5ohuFKv9Jm/8oLD2n/qDR190vdFL+b5s184IPympPdrTTz7vWel5rMnve5iezI5dfyNOc zXCoR1v63N8PM4JeHJVimWOyhq37dvdt91uXji5Tjjlz0/vAmftzJVnqP+47Js2nxFKckWiox VxUnAgAx5Uh5LQCAAA= X-Env-Sender: JBeulich@suse.com X-Msg-Ref: server-8.tower-206.messagelabs.com!1478531805!68798707!1 X-Originating-IP: [137.65.248.74] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.13; banners=-,-,- X-VirusChecked: Checked Received: (qmail 48711 invoked from network); 7 Nov 2016 15:16:47 -0000 Received: from prv-mh.provo.novell.com (HELO prv-mh.provo.novell.com) (137.65.248.74) by server-8.tower-206.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 7 Nov 2016 15:16:47 -0000 Received: from INET-PRV-MTA by prv-mh.provo.novell.com with Novell_GroupWise; Mon, 07 Nov 2016 08:16:45 -0700 Message-Id: <5820A8E9020000780011CBFC@prv-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 14.2.1 Date: Mon, 07 Nov 2016 08:16:41 -0700 From: "Jan Beulich" To: Mime-Version: 1.0 Content-Disposition: inline X-Mailman-Approved-At: Mon, 07 Nov 2016 16:07:02 +0000 Cc: xen-devel Subject: [Xen-announce] Xen 4.7.1 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" QWxsLAoKSSBhbSBwbGVhc2VkIHRvIGFubm91bmNlIHRoZSByZWxlYXNlIG9mIFhlbiA0LjcuMS4g VGhpcyBpcwphdmFpbGFibGUgaW1tZWRpYXRlbHkgZnJvbSBpdHMgZ2l0IHJlcG9zaXRvcnkKaHR0 cDovL3hlbmJpdHMueGVuLm9yZy9naXR3ZWIvP3A9eGVuLmdpdDthPXNob3J0bG9nO2g9cmVmcy9o ZWFkcy9zdGFibGUtNC43IAoodGFnIFJFTEVBU0UtNC43LjEpIG9yIGZyb20gdGhlIFhlblByb2pl Y3QgZG93bmxvYWQgcGFnZQpodHRwOi8vd3d3LnhlbnByb2plY3Qub3JnL2Rvd25sb2Fkcy94ZW4t YXJjaGl2ZXMveGVuLTQ3LXNlcmllcy94ZW4tNDcxLmh0bWwgCih3aGVyZSBhIGxpc3Qgb2YgY2hh bmdlcyBjYW4gYWxzbyBiZSBmb3VuZCkuCgpXZSByZWNvbW1lbmQgYWxsIHVzZXJzIG9mIHRoZSA0 Ljcgc3RhYmxlIHNlcmllcyB0byB1cGRhdGUgdG8gdGhpcwpmaXJzdCBwb2ludCByZWxlYXNlLgoK UmVnYXJkcywgSmFuCgoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX18KWGVuLWFubm91bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9y ZwpodHRwczovL2xpc3RzLnhlbi5vcmcveGVuLWFubm91bmNl From xen-announce-bounces@lists.xen.org Mon Nov 07 16:08:27 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 07 Nov 2016 16:08:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3mRr-00089Q-No; Mon, 07 Nov 2016 16:07:03 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c3lfW-0001jU-1K; Mon, 07 Nov 2016 15:17:06 +0000 Received: from [193.109.254.147] by server-3.bemta-6.messagelabs.com id 39/04-18083-1FA90285; Mon, 07 Nov 2016 15:17:05 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrEIsWRWlGSWpSXmKPExsXS6fjDS/fDLIU Ig64WdYvZG9uYLb5vmczkwORx+MMVlgDGKNbMvKT8igTWjJ5deQVPmSsWb1zC2sC4nLmLkZND SCBPYk5nAwuIzStgJ7G5bQcTiC0hYCjx9P11NhCbRUBVYs+D92A2m4C6RNuz7awgtgiQ3TznJ pDNwcEsYCBx97sJSFhYQFri37QPbCBhXgFBib87hEHCzAJaEg9/3WKBsLUlli18zQzRKS2x/B /HBEaeWQgNs5A0zELSMAuhYQEjyypGjeLUorLUIl1jA72kosz0jJLcxMwcXUMDM73c1OLixPT UnMSkYr3k/NxNjMCQYgCCHYx/1wYeYpTkYFIS5b0aqxAhxJeUn1KZkVicEV9UmpNafIhRhoND SYJXeyZQTrAoNT21Ii0zBxjcMGkJDh4lEd5MkDRvcUFibnFmOkTqFKMxx5tdLx8wcbzb/O4Bk xBLXn5eqpQ4rwpIqQBIaUZpHtwgWNRdYpSVEuZlBDpNiKcgtSg3swRV/hWjOAejkjBvJMgUns y8Erh9r4BOYQI6pSoG7JSSRISUVAPjwpbEuYZngk0XOLDPSPwWGLnuXwmP3DeOZQcv+szZ4Hg rtb2zUWTG3CCH44dnSJVsensyy7r8c05Tb8Tbn7Kz+bYXTbztVz9D+efypQt1XJyibSQMnhht XXv6xf2t11dEnZnwNX6HG6vEvhq2rWtWM56zPy39dVqKZBOvYVl8ymnbys+qB19tUGIpzkg01 GIuKk4EAExA0Ay1AgAA X-Env-Sender: JBeulich@suse.com X-Msg-Ref: server-8.tower-27.messagelabs.com!1478531822!59955005!1 X-Originating-IP: [137.65.248.74] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.13; banners=-,-,- X-VirusChecked: Checked Received: (qmail 20683 invoked from network); 7 Nov 2016 15:17:04 -0000 Received: from prv-mh.provo.novell.com (HELO prv-mh.provo.novell.com) (137.65.248.74) by server-8.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 7 Nov 2016 15:17:04 -0000 Received: from INET-PRV-MTA by prv-mh.provo.novell.com with Novell_GroupWise; Mon, 07 Nov 2016 08:17:02 -0700 Message-Id: <5820A8F9020000780011CBFF@prv-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 14.2.1 Date: Mon, 07 Nov 2016 08:16:57 -0700 From: "Jan Beulich" To: Mime-Version: 1.0 Content-Disposition: inline X-Mailman-Approved-At: Mon, 07 Nov 2016 16:07:02 +0000 Cc: xen-devel Subject: [Xen-announce] Xen 4.6.4 released X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" QWxsLAoKSSBhbSBwbGVhc2VkIHRvIGFubm91bmNlIHRoZSByZWxlYXNlIG9mIFhlbiA0LjYuNC4g VGhpcyBpcwphdmFpbGFibGUgaW1tZWRpYXRlbHkgZnJvbSBpdHMgZ2l0IHJlcG9zaXRvcnkKaHR0 cDovL3hlbmJpdHMueGVuLm9yZy9naXR3ZWIvP3A9eGVuLmdpdDthPXNob3J0bG9nO2g9cmVmcy9o ZWFkcy9zdGFibGUtNC42IAoodGFnIFJFTEVBU0UtNC42LjQpIG9yIGZyb20gdGhlIFhlblByb2pl Y3QgZG93bmxvYWQgcGFnZQpodHRwOi8vd3d3LnhlbnByb2plY3Qub3JnL2Rvd25sb2Fkcy94ZW4t YXJjaGl2ZXMveGVuLTQ2LXNlcmllcy94ZW4tNDY0Lmh0bWwgCih3aGVyZSBhIGxpc3Qgb2YgY2hh bmdlcyBjYW4gYWxzbyBiZSBmb3VuZCkuCgpXZSByZWNvbW1lbmQgYWxsIHVzZXJzIG9mIHRoZSA0 LjYgc3RhYmxlIHNlcmllcyB0byB1cGRhdGUgdG8gdGhpcwpsYXRlc3QgcG9pbnQgcmVsZWFzZS4K ClJlZ2FyZHMsIEphbgoKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fClhlbi1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKWGVuLWFubm91bmNlQGxpc3RzLnhlbi5v cmcKaHR0cHM6Ly9saXN0cy54ZW4ub3JnL3hlbi1hbm5vdW5jZQ== From xen-announce-bounces@lists.xen.org Tue Nov 15 16:28:54 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 15 Nov 2016 16:28:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c6gaP-0006O0-27; Tue, 15 Nov 2016 16:27:53 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c6gZL-0006Bc-Ga; Tue, 15 Nov 2016 16:26:47 +0000 Received: from [85.158.139.211] by server-6.bemta-5.messagelabs.com id EA/A0-14841-6473B285; Tue, 15 Nov 2016 16:26:46 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrJIsWRWlGSWpSXmKPExsXitHSDva6ruXa EwfnnHBazN7YxW3zfMpnJ4t2+v8wOzB6HP1xhCWCMYs3MS8qvSGDNeLbkEnNBP3PF/2PnGBsY bzB1MXJySAj4S/xbPBvMZhFQlZj47ywriM0moCzxs7OXDcQWEciRaJy0GSzOLKAocer2DOYuR g4OYaCas//tQcK8AnoSH/ufs0PYghInZz5hgSjXkViw+xMbSDmzgLTE8n8cIGFRARWJKxPegp ULCShIdEw/xgRSIiHALfG3234CI+8sJINmIRk0C2HQAkbmVYwaxalFZalFuoYWeklFmekZJbm JmTm6hgamermpxcWJ6ak5iUnFesn5uZsYgQHGAAQ7GJu2ex5ilORgUhLlnaujHSHEl5SfUpmR WJwRX1Sak1p8iFGGg0NJgneRKVBOsCg1PbUiLTMHGOowaQkOHiUR3lsgad7igsTc4sx0iNQpR mOON7tePmDieLf53QMmIZa8/LxUKXHeXSClAiClGaV5cINgMXiJUVZKmJcR6DQhnoLUotzMEl T5V4ziHIxKwrxvQabwZOaVwO17BXQKE9Apu8w1QE4pSURISTUw7j4qE/bOIfFS0SMvq0dC144 s25maXvPELLNQ6fn9XdGvLqw/q2mlXKzOcGxvSbKnhqfClaSm+sYw3Rt5K99Js9Ucec3+qn7X T6adcT+1RN+vSii6KOhyab/rtQLz7Sd1lN/Itt0vyZpdtpf3cuB7X8FKzQZnRsE9J2PDvCV/n gzeHO6f/3qHEktxRqKhFnNRcSIAQr0E87wCAAA= X-Env-Sender: prvs=120190253=wei.liu2@citrix.com X-Msg-Ref: server-3.tower-206.messagelabs.com!1479227203!66812005!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 8562 invoked from network); 15 Nov 2016 16:26:44 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-3.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 15 Nov 2016 16:26:44 -0000 X-IronPort-AV: E=Sophos;i="5.31,495,1473120000"; d="scan'208";a="398314653" Date: Tue, 15 Nov 2016 16:26:41 +0000 From: Wei Liu To: , , Message-ID: <20161115162641.GA6301@citrix.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-DLP: MIA1 X-Mailman-Approved-At: Tue, 15 Nov 2016 16:27:51 +0000 Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8 RC6 X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" SGkgYWxsCgpYZW4gNC44IFJDNiBpcyB0YWdnZWQuIFlvdSBjYW4gY2hlY2sgaXQgb3V0IGZyb20g eGVuLmdpdDoKCiAgZ2l0Oi8veGVuYml0cy54ZW4ub3JnL3hlbi5naXQgNC44LjAtcmM2CgpGb3Ig eW91IGNvbnZlbmllbmNlLCBwbGVhc2UgZmluZCB0YXJiYWxsIGFuZCBzaWduYXR1cmUgYXQ6Cgpo dHRwczovL2Rvd25sb2Fkcy54ZW5wcm9qZWN0Lm9yZy9yZWxlYXNlL3hlbi80LjguMC1yYzYvCgpQ bGVhc2Ugc2VuZCBidWcgcmVwb3J0cyBhbmQgdGVzdCByZXBvcnRzIHRvCnhlbi1kZXZlbEBsaXN0 cy54ZW5wcm9qZWN0Lm9yZy4gV2hlbiBzZW5kaW5nIHJlcG9ydHMsIHBsZWFzZSBDQyByZWxldmFu dAptYWludGFpbmVycyBhbmQgbWUgKHdlaS5saXUyQGNpdHJpeC5jb20pLgoKVGhhbmtzCldlaS4K Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fClhlbi1hbm5v dW5jZSBtYWlsaW5nIGxpc3QKWGVuLWFubm91bmNlQGxpc3RzLnhlbi5vcmcKaHR0cHM6Ly9saXN0 cy54ZW4ub3JnL3hlbi1hbm5vdW5jZQ== From xen-announce-bounces@lists.xen.org Tue Nov 15 16:28:54 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 15 Nov 2016 16:28:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c6gaP-0006O0-27; Tue, 15 Nov 2016 16:27:53 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c6gZL-0006Bc-Ga; Tue, 15 Nov 2016 16:26:47 +0000 Received: from [85.158.139.211] by server-6.bemta-5.messagelabs.com id EA/A0-14841-6473B285; Tue, 15 Nov 2016 16:26:46 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrJIsWRWlGSWpSXmKPExsXitHSDva6ruXa EwfnnHBazN7YxW3zfMpnJ4t2+v8wOzB6HP1xhCWCMYs3MS8qvSGDNeLbkEnNBP3PF/2PnGBsY bzB1MXJySAj4S/xbPBvMZhFQlZj47ywriM0moCzxs7OXDcQWEciRaJy0GSzOLKAocer2DOYuR g4OYaCas//tQcK8AnoSH/ufs0PYghInZz5hgSjXkViw+xMbSDmzgLTE8n8cIGFRARWJKxPegp ULCShIdEw/xgRSIiHALfG3234CI+8sJINmIRk0C2HQAkbmVYwaxalFZalFuoYWeklFmekZJbm JmTm6hgamermpxcWJ6ak5iUnFesn5uZsYgQHGAAQ7GJu2ex5ilORgUhLlnaujHSHEl5SfUpmR WJwRX1Sak1p8iFGGg0NJgneRKVBOsCg1PbUiLTMHGOowaQkOHiUR3lsgad7igsTc4sx0iNQpR mOON7tePmDieLf53QMmIZa8/LxUKXHeXSClAiClGaV5cINgMXiJUVZKmJcR6DQhnoLUotzMEl T5V4ziHIxKwrxvQabwZOaVwO17BXQKE9Apu8w1QE4pSURISTUw7j4qE/bOIfFS0SMvq0dC144 s25maXvPELLNQ6fn9XdGvLqw/q2mlXKzOcGxvSbKnhqfClaSm+sYw3Rt5K99Js9Ucec3+qn7X T6adcT+1RN+vSii6KOhyab/rtQLz7Sd1lN/Itt0vyZpdtpf3cuB7X8FKzQZnRsE9J2PDvCV/n gzeHO6f/3qHEktxRqKhFnNRcSIAQr0E87wCAAA= X-Env-Sender: prvs=120190253=wei.liu2@citrix.com X-Msg-Ref: server-3.tower-206.messagelabs.com!1479227203!66812005!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 8562 invoked from network); 15 Nov 2016 16:26:44 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-3.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 15 Nov 2016 16:26:44 -0000 X-IronPort-AV: E=Sophos;i="5.31,495,1473120000"; d="scan'208";a="398314653" Date: Tue, 15 Nov 2016 16:26:41 +0000 From: Wei Liu To: , , Message-ID: <20161115162641.GA6301@citrix.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-DLP: MIA1 X-Mailman-Approved-At: Tue, 15 Nov 2016 16:27:51 +0000 Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8 RC6 X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" SGkgYWxsCgpYZW4gNC44IFJDNiBpcyB0YWdnZWQuIFlvdSBjYW4gY2hlY2sgaXQgb3V0IGZyb20g eGVuLmdpdDoKCiAgZ2l0Oi8veGVuYml0cy54ZW4ub3JnL3hlbi5naXQgNC44LjAtcmM2CgpGb3Ig eW91IGNvbnZlbmllbmNlLCBwbGVhc2UgZmluZCB0YXJiYWxsIGFuZCBzaWduYXR1cmUgYXQ6Cgpo dHRwczovL2Rvd25sb2Fkcy54ZW5wcm9qZWN0Lm9yZy9yZWxlYXNlL3hlbi80LjguMC1yYzYvCgpQ bGVhc2Ugc2VuZCBidWcgcmVwb3J0cyBhbmQgdGVzdCByZXBvcnRzIHRvCnhlbi1kZXZlbEBsaXN0 cy54ZW5wcm9qZWN0Lm9yZy4gV2hlbiBzZW5kaW5nIHJlcG9ydHMsIHBsZWFzZSBDQyByZWxldmFu dAptYWludGFpbmVycyBhbmQgbWUgKHdlaS5saXUyQGNpdHJpeC5jb20pLgoKVGhhbmtzCldlaS4K Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fClhlbi1hbm5v dW5jZSBtYWlsaW5nIGxpc3QKWGVuLWFubm91bmNlQGxpc3RzLnhlbi5vcmcKaHR0cHM6Ly9saXN0 cy54ZW4ub3JnL3hlbi1hbm5vdW5jZQ== From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mm-0008Fq-AD; Tue, 22 Nov 2016 12:02:52 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ml-0008DB-5H; Tue, 22 Nov 2016 12:02:51 +0000 Received: from [85.158.143.35] by server-7.bemta-6.messagelabs.com id FF/10-29519-AE334385; Tue, 22 Nov 2016 12:02:50 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprIKsWRWlGSWpSXmKPExsWS0XRdVfelsUm EwZlzWha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNeHdgKlPB5rSK0+1fWRsY DyR0MXJxCAmcY5RoWXafEcLZwCjx4vsKli5GTg5mAVeJG/s2s0HYihIX7jWAxXkFBCVOznwCZ ksIaErcebOKHcQWESiS2HnuJZjNJqAnMffsJCaIXh2Jl/tXg9nCAgUSUzd9Y4OYYyYxcf47Zh CbRUBV4tjOJYwTGHlmIVk9C8nqWUhWz2LkAIprSqzfpQ9hSkss/8cBUS0vsf3tHGaIcJnEyS3 2EGaxxMcndTDzpnQ/ZIew8yQeTOhmhLCzJV4vfMOErGYBI88qRo3i1KKy1CJdQwu9pKLM9IyS 3MTMHF1DAzO93NTi4sT01JzEpGK95PzcTYzAKGEAgh2MNzcGHGKU5GBSEuU9vNQoQogvKT+lM iOxOCO+qDQntfgQowwHh5IEr7yRSYSQYFFqempFWmYOMF5h0hIcPEoivFWGQGne4oLE3OLMdI jUKUZLjlsnnj9g4nj0+y2Q7Fj06QGTEEtefl6qlDhvMsg8AZCGjNI8uHGwlHKJUVZKmJcR6EA hnoLUotzMElT5V4ziHIxKwryFIFN4MvNK4La+AjqICeggyW/GIAeVJCKkpBoYza1uNL49XXuy Myq3qfq9kcDHDbd27e+4tyontK868HDwyT920dufuJrFRVitrIirivu84LnTFN9WyRLrt2wWS kU7fnd6uCq+4r6joXTs2+Gwifmnz77WvDZrcoy/qEvfK/Vjh/uYpjsuSYxovG/vvmzlm1Qbdv GDxtWGeRszbIWFxKyYoqyVWIozEg21mIuKEwGiVbTpJAMAAA== X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-7.tower-21.messagelabs.com!1479816168!44604965!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 13971 invoked from network); 22 Nov 2016 12:02:49 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-7.tower-21.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:49 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mY-0004qo-Nw; Tue, 22 Nov 2016 12:02:38 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mY-0008BI-Mf; Tue, 22 Nov 2016 12:02:38 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:38 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 196 (CVE-2016-9377, CVE-2016-9378) - x86 software interrupt injection mis-handled X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9377,CVE-2016-9378 / XSA-196 version 3 x86 software interrupt injection mis-handled UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= There are two closely-related bugs. When Xen emulates instructions which generate software interrupts it needs to perform a privilege check involving an IDT lookup. This check is sometimes erroneously conducted as if the IDT had the format for a 32-bit guest, when in fact it is in the 64-bit format. Xen will then read the wrong part of the IDT and interpret it in an unintended manner. (CVE-2016-9377) When Xen emulates instructions which generate software interrupts, and chooses to deliver the software interrupt, it may try to use the method intended for injecting exceptions. This is incorrect, and results in a guest crash. (CVE-2016-9378) These instructions are not ususally handled by the emulator. Exploiting the bug requires ability to force use of the emulator. IMPACT ====== An unprivileged guest user program may be able to crash the guest. VULNERABLE SYSTEMS ================== Xen versions 4.5 and newer are vulnerable. Older versions are not vulnerable. The vulnerability is only exposed on AMD hardware lacking the NRip feature. AMD hardware with the NRip feature, and all Intel hardware, is not vulnerable. Xen prints information about CPU features on boot. If you see this: (XEN) SVM: Supported advanced features: ... (XEN) - Next-RIP Saved on #VMEXIT then you are not vulnerable because you have an AMD CPU with NRip. If you see this: (XEN) VMX: Supported advanced features: then you are not vulnerable because you have an Intel CPU. The vulnerability is only exposed on HVM guests. ARM systems are NOT vulnerable. MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the attached patches resolves this issue. xsa196-000*.patch xen-unstable, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x $ sha256sum xsa196* c4122280f3786416231ae5f0660123446d29e9ac5cd3ffb92784ed36edeec8b7 xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch 25671c44c746d4d0e8f7e2b109926c013b440e0bf225156282052ec38536e347 xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDMVAAoJEIP+FMlX6CvZZ7MH/36KnwbAxmRHtUDIpQF/Syoh Lc8s6gNV1oOzcCpFgz+gSyIOMzp7KWieKQiVX1HbI0lnLYK/sRa77VNV/Y9bUt+Y y9b9QOZRDHoO92dZ4Ym/hzdtaNkdOQX/JAfy+E5pCGuqPtH/Jy5NuwVL8W7V8PNM QTHmvbgB4/Y2U6QqWpIP+S7oC0A9iuIf9eekd6ZTpqTadPFylTe2WX22mns1TEtN 3Z0NX737AjQLyUVnUoJ32sITCBk6tGutvvEmOc2Y+4eMrUvKSoafVy+5IZcTGwLp 3ke5sDNN1tOpzmqbXgWXBsVkpjWf2i0NW0dl5jh8/tN5FtrTuByd193dJGSKzEE= =IE45 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch" Content-Disposition: attachment; filename="xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2VtdWw6IENvcnJlY3QgdGhlIElEVCBlbnRyeSBj YWxjdWxhdGlvbiBpbiBpbmplY3Rfc3dpbnQoKQoKVGhlIGxvZ2ljLCBhcyBp bnRyb2R1Y2VkIGluIGMvcyAzNmViZjE0ZWJlICJ4ODYvZW11bGF0ZTogc3Vw cG9ydCBmb3IgZW11bGF0aW5nCnNvZnR3YXJlIGV2ZW50IGluamVjdGlvbiIg aXMgYnVnZ3kuICBUaGUgc2l6ZSBvZiBhbiBJRFQgZW50cnkgZGVwZW5kcyBv biBsb25nCm1vZGUgYmVpbmcgYWN0aXZlLCBub3QgdGhlIHdpZHRoIG9mIHRo ZSBjb2RlIHNlZ21lbnQgY3VycmVudGx5IGluIHVzZS4KCkluIHBhcnRpY3Vs YXIsIHRoaXMgbWVhbnMgdGhhdCBhIGNvbXBhdGliaWxpdHkgY29kZSBzZWdt ZW50IHdoaWNoIGhpdHMKZW11bGF0aW9uIGZvciBzb2Z0d2FyZSBldmVudCBp bmplY3Rpb24gd2lsbCBlbmQgdXAgdXNpbmcgYW4gaW5jb3JyZWN0IG9mZnNl dAppbiB0aGUgSURUIGZvciBEUEwvUHJlc2VuY2UgY2hlY2tpbmcuICBJbiBw cmFjdGljZSwgdGhpcyBvbmx5IG9jY3VycyBvbiBvbGQKQU1EIGhhcmR3YXJl IGxhY2tpbmcgTlJpcCBzdXBwb3J0OyBhbGwgbmV3ZXIgQU1EIGhhcmR3YXJl LCBhbmQgYWxsIEludGVsCmhhcmR3YXJlIGJ5cGFzcyB0aGlzIHBhdGggaW4g dGhlIGVtdWxhdG9yLgoKV2hpbGUgaGVyZSwgZml4IGEgbWlub3IgaXNzdWUg d2l0aCByZWFkaW5nIHRoZSBJRFQgZW50cnkuICBUaGUgcmV0dXJuIHZhbHVl CmZyb20gb3BzLT5yZWFkKCkgd2Fzbid0IGNoZWNrZWQsIGJ1dCBpbiByZWFs aXR5IHRoZSBvbmx5IGZhaWx1cmUgY2FzZSBpcyBpZiBhCnBhZ2VmYXVsdCBv Y2N1cnMuICBUaGlzIGlzIG5vdCBhIHJlYWxpc3RpYyBwcm9ibGVtIGFzIHRo ZSBrZXJuZWwgd2lsbCBhbG1vc3QKY2VydGFpbmx5IGNyYXNoIHdpdGggYSBk b3VibGUgZmF1bHQgaWYgdGhpcyBzZXR1cCBhY3R1YWxseSBvY2N1cmVkLgoK VGhpcyBpcyBwYXJ0IG9mIFhTQS0xOTYuCgpTaWduZWQtb2ZmLWJ5OiBBbmRy ZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpSZXZpZXdl ZC1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgotLS0KIHhl bi9hcmNoL3g4Ni94ODZfZW11bGF0ZS94ODZfZW11bGF0ZS5jIHwgMTUgKysr KysrKysrKystLS0tCiAxIGZpbGUgY2hhbmdlZCwgMTEgaW5zZXJ0aW9ucygr KSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS94ZW4vYXJjaC94ODYv eDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYyBiL3hlbi9hcmNoL3g4Ni94ODZf ZW11bGF0ZS94ODZfZW11bGF0ZS5jCmluZGV4IDdhNzA3ZGMuLmY3NGFhOGYg MTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni94ODZfZW11bGF0ZS94ODZfZW11 bGF0ZS5jCisrKyBiL3hlbi9hcmNoL3g4Ni94ODZfZW11bGF0ZS94ODZfZW11 bGF0ZS5jCkBAIC0xNjMwLDEwICsxNjMwLDE2IEBAIHN0YXRpYyBpbnQgaW5q ZWN0X3N3aW50KGVudW0geDg2X3N3aW50X3R5cGUgdHlwZSwKICAgICB7CiAg ICAgICAgIGlmICggIWluX3JlYWxtb2RlKGN0eHQsIG9wcykgKQogICAgICAg ICB7Ci0gICAgICAgICAgICB1bnNpZ25lZCBpbnQgaWR0ZV9zaXplID0gKGN0 eHQtPmFkZHJfc2l6ZSA9PSA2NCkgPyAxNiA6IDg7Ci0gICAgICAgICAgICB1 bnNpZ25lZCBpbnQgaWR0ZV9vZmZzZXQgPSB2ZWN0b3IgKiBpZHRlX3NpemU7 CisgICAgICAgICAgICB1bnNpZ25lZCBpbnQgaWR0ZV9zaXplLCBpZHRlX29m ZnNldDsKICAgICAgICAgICAgIHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyIGlk dHI7CiAgICAgICAgICAgICB1aW50MzJfdCBpZHRlX2N0bDsKKyAgICAgICAg ICAgIGludCBsbSA9IGluX2xvbmdtb2RlKGN0eHQsIG9wcyk7CisKKyAgICAg ICAgICAgIGlmICggbG0gPCAwICkKKyAgICAgICAgICAgICAgICByZXR1cm4g WDg2RU1VTF9VTkhBTkRMRUFCTEU7CisKKyAgICAgICAgICAgIGlkdGVfc2l6 ZSA9IGxtID8gMTYgOiA4OworICAgICAgICAgICAgaWR0ZV9vZmZzZXQgPSB2 ZWN0b3IgKiBpZHRlX3NpemU7CiAKICAgICAgICAgICAgIC8qIGljZWJwIHNl dHMgdGhlIEV4dGVybmFsIEV2ZW50IGJpdCBkZXNwaXRlIGJlaW5nIGFuIGlu c3RydWN0aW9uLiAqLwogICAgICAgICAgICAgZXJyb3JfY29kZSA9ICh2ZWN0 b3IgPDwgMykgfCBFQ09ERV9JRFQgfApAQCAtMTY2MSw4ICsxNjY3LDkgQEAg c3RhdGljIGludCBpbmplY3Rfc3dpbnQoZW51bSB4ODZfc3dpbnRfdHlwZSB0 eXBlLAogICAgICAgICAgICAgICogU2hvdWxkIHN0cmljdGx5IHNwZWFraW5n IHJlYWQgYWxsIDgvMTYgYnl0ZXMgb2YgYW4gZW50cnksCiAgICAgICAgICAg ICAgKiBidXQgd2UgY3VycmVudGx5IG9ubHkgY2FyZSBhYm91dCB0aGUgZHBs IGFuZCBwcmVzZW50IGJpdHMuCiAgICAgICAgICAgICAgKi8KLSAgICAgICAg ICAgIG9wcy0+cmVhZCh4ODZfc2VnX25vbmUsIGlkdHIuYmFzZSArIGlkdGVf b2Zmc2V0ICsgNCwKLSAgICAgICAgICAgICAgICAgICAgICAmaWR0ZV9jdGws IHNpemVvZihpZHRlX2N0bCksIGN0eHQpOworICAgICAgICAgICAgaWYgKCAo cmMgPSBvcHMtPnJlYWQoeDg2X3NlZ19ub25lLCBpZHRyLmJhc2UgKyBpZHRl X29mZnNldCArIDQsCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAmaWR0ZV9jdGwsIHNpemVvZihpZHRlX2N0bCksIGN0eHQpKSApCisgICAg ICAgICAgICAgICAgZ290byBkb25lOwogCiAgICAgICAgICAgICAvKiBJcyB0 aGlzIGVudHJ5IHByZXNlbnQ/ICovCiAgICAgICAgICAgICBpZiAoICEoaWR0 ZV9jdGwgJiAoMXUgPDwgMTUpKSApCg== --=separator Content-Type: application/octet-stream; name="xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch" Content-Disposition: attachment; filename="xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3N2bTogRml4IGluamVjdGlvbiBvZiBzb2Z0d2Fy ZSBpbnRlcnJ1cHRzCgpUaGUgbm9uLU5leHRSaXAgbG9naWMgaW4gYy9zIDM2 ZWJmMTRlYiAieDg2L2VtdWxhdGU6IHN1cHBvcnQgZm9yIGVtdWxhdGluZwpz b2Z0d2FyZSBldmVudCBpbmplY3Rpb24iIHdhcyBiYXNlZCBvbiBhbiBvbGRl ciB2ZXJzaW9uIG9mIHRoZSBBTUQgc29mdHdhcmUKbWFudWFsLiAgVGhlIG1h bnVhbCB3YXMgbGF0ZXIgY29ycmVjdGVkLCBmb2xsb3dpbmcgZmluZGluZ3Mg ZnJvbSB0aGF0IHNlcmllcy4KCkkgdG9vayB0aGUgb3JpZ2luYWwgd29yZGlu ZyBvZiAibm90IHN1cHBvcnRlZCB3aXRob3V0IE5leHRSSVAiIHRvIG1lYW4g dGhhdApYODZfRVZFTlRUWVBFX1NXX0lOVEVSUlVQVCB3YXMgbm90IGVsaWdp YmxlIGZvciB1c2UuICBJdCB0dXJucyBvdXQgdGhhdCB0aGlzCmlzIG5vdCB0 aGUgY2FzZSwgYW5kIHRoZSBuZXcgd29yZGluZyBpcyBjbGVhcmVyIG9uIHRo ZSBtYXR0ZXIuCgpEZXNwaXRlIHRlc3RpbmcgdGhlIG9yaWdpbmFsIHBhdGNo IHNlcmllcyBvbiBub24tTlJpcCBoYXJkd2FyZSwgdGhlCnN3aW50LWVtdWxh dGlvbiBYVEYgdGVzdCBjYXNlIGZvY3VzZXMgb24gdGhlIGRlYnVnIHZlY3Rv cnM7IGl0IG5ldmVyIGVuZGVkIHVwCmV4ZWN1dGluZyBhbiBgaW50ICRuYCBp bnN0cnVjdGlvbiBmb3IgYSB2ZWN0b3Igd2hpY2ggd2Fzbid0IGFsc28gYW4g ZXhjZXB0aW9uLgoKRHVyaW5nIGEgdm1lbnRyeSwgdGhlIHVzZSBvZiBYODZf RVZFTlRUWVBFX0hXX0VYQ0VQVElPTiBjb21lcyB3aXRoIGEgdmVjdG9yCmNo ZWNrIHRvIGVuc3VyZSB0aGF0IGl0IGlzIG9ubHkgdXNlZCB3aXRoIGV4Y2Vw dGlvbiB2ZWN0b3JzLiAgWGVuJ3MgdXNlIG9mClg4Nl9FVkVOVFRZUEVfSFdf RVhDRVBUSU9OIGZvciBgaW50ICRuYCBpbmplY3Rpb24gaGFzIGFsd2F5cyBi ZWVuIGJ1Z2d5IG9uIEFNRApoYXJkd2FyZS4KCkZpeCB0aGlzIGJ5IGFsd2F5 cyB1c2luZyBYODZfRVZFTlRUWVBFX1NXX0lOVEVSUlVQVC4KClByaW50IGFu ZCBkZWNvZGUgdGhlIGV2ZW50aW5qIGluZm9ybWF0aW9uIGluIHN2bV92bWNi X2R1bXAoKSwgYXMgaXQgaGFzCnNldmVyYWwgaW52YWxpZCBjb21iaW5hdGlv bnMgd2hpY2ggY2F1c2Ugdm1lbnRyeSBmYWlsdXJlcy4KClRoaXMgaXMgcGFy dCBvZiBYU0EtMTk2LgoKU2lnbmVkLW9mZi1ieTogQW5kcmV3IENvb3BlciA8 YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBC ZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KLS0tCiB4ZW4vYXJjaC94ODYv aHZtL3N2bS9zdm0uYyAgICAgIHwgMTMgKysrKystLS0tLS0tLQogeGVuL2Fy Y2gveDg2L2h2bS9zdm0vc3ZtZGVidWcuYyB8ICA0ICsrKysKIDIgZmlsZXMg Y2hhbmdlZCwgOSBpbnNlcnRpb25zKCspLCA4IGRlbGV0aW9ucygtKQoKZGlm ZiAtLWdpdCBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jIGIveGVuL2Fy Y2gveDg2L2h2bS9zdm0vc3ZtLmMKaW5kZXggNDM5MTc0NC4uNzZlZmMzZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gveDg2L2h2bS9zdm0vc3ZtLmMKKysrIGIv eGVuL2FyY2gveDg2L2h2bS9zdm0vc3ZtLmMKQEAgLTEyMzEsMTcgKzEyMzEs MTQgQEAgc3RhdGljIHZvaWQgc3ZtX2luamVjdF90cmFwKGNvbnN0IHN0cnVj dCBodm1fdHJhcCAqdHJhcCkKICAgICB7CiAgICAgY2FzZSBYODZfRVZFTlRU WVBFX1NXX0lOVEVSUlVQVDogLyogaW50ICRuICovCiAgICAgICAgIC8qCi0g ICAgICAgICAqIEluamVjdGlvbiB0eXBlIDQgKHNvZnR3YXJlIGludGVycnVw dCkgaXMgb25seSBzdXBwb3J0ZWQgd2l0aAotICAgICAgICAgKiBOZXh0UklQ IHN1cHBvcnQuICBXaXRob3V0IE5leHRSSVAsIHRoZSBlbXVsYXRvciB3aWxs IGhhdmUgcGVyZm9ybWVkCi0gICAgICAgICAqIERQTCBhbmQgcHJlc2VuY2Ug Y2hlY2tzIGZvciB1cy4KKyAgICAgICAgICogU29mdHdhcmUgaW50ZXJydXB0 cyAodHlwZSA0KSBjYW5ub3QgYmUgcHJvcGVybHkgaW5qZWN0ZWQgaWYgdGhl CisgICAgICAgICAqIHByb2Nlc3NvciBkb2Vzbid0IHN1cHBvcnQgTmV4dFJJ UC4gIFdpdGhvdXQgTmV4dFJJUCwgdGhlIGVtdWxhdG9yCisgICAgICAgICAq IHdpbGwgaGF2ZSBwZXJmb3JtZWQgRFBMIGFuZCBwcmVzZW5jZSBjaGVja3Mg Zm9yIHVzLCBhbmQgd2lsbCBoYXZlCisgICAgICAgICAqIG1vdmVkIGVpcCBm b3J3YXJkIGlmIGFwcHJvcHJpYXRlLgogICAgICAgICAgKi8KICAgICAgICAg aWYgKCBjcHVfaGFzX3N2bV9ucmlwcyApCi0gICAgICAgIHsKICAgICAgICAg ICAgIHZtY2ItPm5leHRyaXAgPSByZWdzLT5laXAgKyBfdHJhcC5pbnNuX2xl bjsKLSAgICAgICAgICAgIGV2ZW50LmZpZWxkcy50eXBlID0gWDg2X0VWRU5U VFlQRV9TV19JTlRFUlJVUFQ7Ci0gICAgICAgIH0KLSAgICAgICAgZWxzZQot ICAgICAgICAgICAgZXZlbnQuZmllbGRzLnR5cGUgPSBYODZfRVZFTlRUWVBF X0hXX0VYQ0VQVElPTjsKKyAgICAgICAgZXZlbnQuZmllbGRzLnR5cGUgPSBY ODZfRVZFTlRUWVBFX1NXX0lOVEVSUlVQVDsKICAgICAgICAgYnJlYWs7CiAK ICAgICBjYXNlIFg4Nl9FVkVOVFRZUEVfUFJJX1NXX0VYQ0VQVElPTjogLyog aWNlYnAgKi8KZGlmZiAtLWdpdCBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2 bWRlYnVnLmMgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm1kZWJ1Zy5jCmlu ZGV4IGRlZDVkMTkuLmY5M2RmZWQgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4 Ni9odm0vc3ZtL3N2bWRlYnVnLmMKKysrIGIveGVuL2FyY2gveDg2L2h2bS9z dm0vc3ZtZGVidWcuYwpAQCAtNDgsNiArNDgsMTAgQEAgdm9pZCBzdm1fdm1j Yl9kdW1wKGNvbnN0IGNoYXIgKmZyb20sIHN0cnVjdCB2bWNiX3N0cnVjdCAq dm1jYikKICAgICAgICAgICAgdm1jYi0+dGxiX2NvbnRyb2wsCiAgICAgICAg ICAgICh1bnNpZ25lZCBsb25nIGxvbmcpdm1jYi0+X3ZpbnRyLmJ5dGVzLAog ICAgICAgICAgICAodW5zaWduZWQgbG9uZyBsb25nKXZtY2ItPmludGVycnVw dF9zaGFkb3cpOworICAgIHByaW50aygiZXZlbnRpbmogJTAxNiJQUkl4NjQi LCB2YWxpZD8gJWQsIGVjPyAlZCwgdHlwZSAldSwgdmVjdG9yICUjeFxuIiwK KyAgICAgICAgICAgdm1jYi0+ZXZlbnRpbmouYnl0ZXMsIHZtY2ItPmV2ZW50 aW5qLmZpZWxkcy52LAorICAgICAgICAgICB2bWNiLT5ldmVudGluai5maWVs ZHMuZXYsIHZtY2ItPmV2ZW50aW5qLmZpZWxkcy50eXBlLAorICAgICAgICAg ICB2bWNiLT5ldmVudGluai5maWVsZHMudmVjdG9yKTsKICAgICBwcmludGso ImV4aXRjb2RlID0gJSNMeCBleGl0aW50aW5mbyA9ICUjTHhcbiIsCiAgICAg ICAgICAgICh1bnNpZ25lZCBsb25nIGxvbmcpdm1jYi0+ZXhpdGNvZGUsCiAg ICAgICAgICAgICh1bnNpZ25lZCBsb25nIGxvbmcpdm1jYi0+ZXhpdGludGlu Zm8uYnl0ZXMpOwo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mt-0008Pg-91; Tue, 22 Nov 2016 12:02:59 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ms-0008Ny-7j; Tue, 22 Nov 2016 12:02:58 +0000 Received: from [85.158.143.35] by server-9.bemta-6.messagelabs.com id 6D/71-28694-1F334385; Tue, 22 Nov 2016 12:02:57 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprDJsWRWlGSWpSXmKPExsWS0XRdVfeDsUm EwcpGLotbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBmPNi+j7ng6CrGitvvJrA0 MG5YxNjFyMUhJHCOUWLO1z1QzgZGibsr3rJ1MXJyMAu4StzYtxnKVpS4cK+BBcTmFRCUODnzC ZgtIaApcefNKnYQW0SgSGLnuZdgNpuAnsTcs5OYIHp1JF7uXw1mCwskSRyb1skEMcdMon/tI1 YQm0VAVWLnjzbWCYw8s5CsnoVk9Swkq2cxcgDFNSXW79KHMKUllv/jgKiWl9j+dg4zzJS+x5N ZIUqcJG5v0IEZOKX7ITtMSdPuXhaYkpWLk7ApWff5FCOE7STxvmMrEzY1nas3MMGMudBSianE UWL/1x9QrXYSve+a2LCpWfb6AVxNy9rZKFYtYJRYxahRnFpUllqka2ipl1SUmZ5RkpuYmaNra GCml5taXJyYnpqTmFSsl5yfu4kRmEYYgGAH449lAYcYJTmYlER5Dy81ihDiS8pPqcxILM6ILy rNSS0+xCjDwaEkwSsATEtCgkWp6akVaZk5wIQGk5bg4FES4Y0DSfMWFyTmFmemQ6ROMRpz3Dr x/AETx6Pfbx8wCbHk5eelSonzXjQCKhUAKc0ozYMbBEu0lxhlpYR5GYFOE+IpSC3KzSxBlX/F KM7BqCTMqwKykCczrwRu3yugU5iATpH8ZgxySkkiQkqqgXHVffWnIve+CB7q51l9IHpxRsyyg O9blJNiFWY9dnR/WpYm0t4Rfig01WPTjkWhC6+9efbeqvtx8InXand9bp3qmDp3t3TP+UgRqQ 2Ja5yW98jPfM+8bfX5whnPVK44vuuXkLMqNN8RKHHx59TMbIZ0/YW1iw7ertSQ4KvYNt3k+/I ztw5NmKepxFKckWioxVxUnAgALxxIAq8DAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-15.tower-21.messagelabs.com!1479816175!44448227!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 64487 invoked from network); 22 Nov 2016 12:02:55 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-15.tower-21.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:55 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mc-0004rB-IE; Tue, 22 Nov 2016 12:02:42 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mc-0008Ck-Ee; Tue, 22 Nov 2016 12:02:42 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:42 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 197 (CVE-2016-9381) - qemu incautious about shared ring processing X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9381 / XSA-197 version 3 qemu incautious about shared ring processing UPDATES IN VERSION 3 ==================== Added email header syntax to patches, for e.g. git-am. Public release. ISSUE DESCRIPTION ================= The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu. IMPACT ====== Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process. In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host. VULNERABLE SYSTEMS ================== All Xen versions with all flavors of qemu are affected. Only x86 HVM guests expose the vulnerability. x86 PV guests do not expose the vulnerability. ARM systems are not vulnerable. MITIGATION ========== Running only PV guests will avoid the vulnerability. Enabling stubdomains will mitigate this issue, by reducing the escalation to only those privileges accorded to the service domain. In a usual configuration, a service domain has only the privilege of the guest, so this eliminates the vulnerability. The vulnerability can be avoided if the guest kernel is controlled by the host rather than guest administrator, provided that further steps are taken to prevent the guest administrator from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. CREDITS ======= This issue was discovered by yanghongke of Huawei Security Test Team. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa197-qemuu.patch qemu-upstream xen-unstable, Xen 4.7.x xsa197-qemut.patch qemu-traditional xen-unstable, Xen 4.7.x, Xen 4.6.x xsa197-4.6-qemuu.patch qemu-upstream Xen 4.6.x xsa197-4.5-qemuu.patch qemu-upstream Xen 4.5.x xsa197-4.5-qemut.patch qemu-traditional Xen 4.5.x, Xen 4.4.x xsa197-4.4-qemuu.patch qemu-upstream Xen 4.4.x $ sha256sum xsa197* a7d63958e3d3afc21c0585ec4690886a3191f01127583b4a29766c45fe4dd611 xsa197-4.4-qemuu.patch 56d037b3eaa0c3f5a7c474ad5087d8a41c2769d0d8b39c8f64699215a33e17a6 xsa197-4.5-qemut.patch 902836f0e5c6c46193c06f7c133a3bdd59f902ee490b962857640a6cd73e4be7 xsa197-4.5-qemuu.patch 20a418606f5536ac4fb009f21548a28b1b32dfb08fc97a259c40240d37a2abe8 xsa197-4.6-qemuu.patch 266996b2b5ac65ded76af63b3d57d4972ab95522b517e7bc9c5ff554d8c2d5e0 xsa197-qemut.patch cd08b149c97b3f94dcda14b1f280dbb92911d93ffcd5dbcf5ee5ab2bebdc7878 xsa197-qemuu.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patch described above (or others which are substantially similar) and the PV guest mitigation are permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER deployment of the stubdomain mitigation described above is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because in that case the configuration change may be visible to the guest which could lead to the rediscovery of the vulnerability. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDNLAAoJEIP+FMlX6CvZTvUIALi45XVEJv4ZqNsB1kX3mXIF 5ocmSFCrSDDIcKEg2xQ49PKwqE/ZwMLhKuX0dFi/inidqx7FynYknziaR3svIeir ALTDP6Emsk/OB7T4epjGnuFW05RTfkQmwzEyY/XCAJVrJlkzKGh3WYVtwk+/PELT 3ab9dMEcziaUM+Ax3phJ4PHi315If2rLS4gNfqGO5jv/gnMyXk4DHQ8QZUHIGs4F 8tA/ATPaZxNK8OIwGEIz32PlLxwWHsQQz6JEAtvNwGDTNMDwlx3RzHSvjJSLOIKB Aap6qw4c9olK172LQbvBqvP09Eupi3YSevx3AD0gmqKVwj8ql/lNUSNBf9CSfPc= =SBVo -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa197-4.4-qemuu.patch" Content-Disposition: attachment; filename="xsa197-4.4-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1hbGwuYworKysgYi94ZW4tYWxsLmMK QEAgLTcwNSw2ICs3MDUsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiB7CiAgICAgdWludDMyX3QgaTsKIAorICAgIGlm IChyZXEtPnNpemUgPiBzaXplb2YodWludDMyX3QpKSB7CisgICAgICAgIGh3 X2Vycm9yKCJQSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAg IH0KKwogICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICAgICAgcmVx LT5kYXRhID0gZG9faW5wKHJlcS0+YWRkciwgcmVxLT5zaXplKTsKQEAgLTcz NCw2ICs3MzgsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21vdmUoaW9y ZXFfdCAqcmVxKQogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBpZiAocmVx LT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAgaHdfZXJy b3IoIk1NSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAgIH0K KwogICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICBpZiAo cmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAgICAgICAgICAgZm9yIChp ID0gMDsgaSA8IHJlcS0+Y291bnQ7IGkrKykgewpAQCAtODA5LDExICs4MTcs MTMgQEAgc3RhdGljIGludCBoYW5kbGVfYnVmZmVyZWRfaW9wYWdlKFhlbklP UwogICAgICAgICByZXEuZGYgPSAxOwogICAgICAgICByZXEudHlwZSA9IGJ1 Zl9yZXEtPnR5cGU7CiAgICAgICAgIHJlcS5kYXRhX2lzX3B0ciA9IDA7Cisg ICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgcXcgPSAocmVxLnNpemUgPT0g OCk7CiAgICAgICAgIGlmIChxdykgewogICAgICAgICAgICAgYnVmX3JlcSA9 ICZzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+YnVmX2lvcmVxWwogICAgICAg ICAgICAgICAgIChzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+cmVhZF9wb2lu dGVyICsgMSkgJSBJT1JFUV9CVUZGRVJfU0xPVF9OVU1dOwogICAgICAgICAg ICAgcmVxLmRhdGEgfD0gKCh1aW50NjRfdClidWZfcmVxLT5kYXRhKSA8PCAz MjsKKyAgICAgICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgfQogCiAgICAg ICAgIGhhbmRsZV9pb3JlcSgmcmVxKTsKQEAgLTg0NSw3ICs4NTUsMTEgQEAg c3RhdGljIHZvaWQgY3B1X2hhbmRsZV9pb3JlcSh2b2lkICpvcGFxdQogCiAg ICAgaGFuZGxlX2J1ZmZlcmVkX2lvcGFnZShzdGF0ZSk7CiAgICAgaWYgKHJl cSkgewotICAgICAgICBoYW5kbGVfaW9yZXEocmVxKTsKKyAgICAgICAgaW9y ZXFfdCBjb3B5ID0gKnJlcTsKKworICAgICAgICB4ZW5fcm1iKCk7CisgICAg ICAgIGhhbmRsZV9pb3JlcSgmY29weSk7CisgICAgICAgIHJlcS0+ZGF0YSA9 IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBTVEFU RV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYoc3Rk ZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGluIHNlcnZp Y2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-4.5-qemut.patch" Content-Disposition: attachment; filename="xsa197-4.5-qemut.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRy aXguY29tPgoKLS0tIGEvaTM4Ni1kbS9oZWxwZXIyLmMKKysrIGIvaTM4Ni1k bS9oZWxwZXIyLmMKQEAgLTM3NCw2ICszNzQsMTEgQEAgc3RhdGljIHZvaWQg Y3B1X2lvcmVxX3BpbyhDUFVTdGF0ZSAqZW52LAogewogICAgIHVpbnQzMl90 IGk7CiAKKyAgICBpZiAocmVxLT5zaXplID4gc2l6ZW9mKHVuc2lnbmVkIGxv bmcpKSB7CisgICAgICAgIGZwcmludGYoc3RkZXJyLCAiUElPOiBiYWQgc2l6 ZSAoJXUpXG4iLCByZXEtPnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAg ICB9CisKICAgICBpZiAocmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAg ICAgICBpZiAoIXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgICAgIHJl cS0+ZGF0YSA9IGRvX2lucChlbnYsIHJlcS0+YWRkciwgcmVxLT5zaXplKTsK QEAgLTQwMyw2ICs0MDgsMTEgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21v dmUoQ1BVU3RhdGUgKmVudgogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBp ZiAocmVxLT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAg ZnByaW50ZihzdGRlcnIsICJNTUlPOiBiYWQgc2l6ZSAoJXUpXG4iLCByZXEt PnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAgICB9CisKICAgICBpZiAo IXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgaWYgKHJlcS0+ZGlyID09 IElPUkVRX1JFQUQpIHsKICAgICAgICAgICAgIGZvciAoaSA9IDA7IGkgPCBy ZXEtPmNvdW50OyBpKyspIHsKQEAgLTUwNiwxMSArNTE2LDEzIEBAIHN0YXRp YyBpbnQgX19oYW5kbGVfYnVmZmVyZWRfaW9wYWdlKENQVVMKICAgICAgICAg cmVxLmRmID0gMTsKICAgICAgICAgcmVxLnR5cGUgPSBidWZfcmVxLT50eXBl OwogICAgICAgICByZXEuZGF0YV9pc19wdHIgPSAwOworICAgICAgICB4ZW5f cm1iKCk7CiAgICAgICAgIHF3ID0gKHJlcS5zaXplID09IDgpOwogICAgICAg ICBpZiAocXcpIHsKICAgICAgICAgICAgIGJ1Zl9yZXEgPSAmYnVmZmVyZWRf aW9fcGFnZS0+YnVmX2lvcmVxWwogICAgICAgICAgICAgICAgIChidWZmZXJl ZF9pb19wYWdlLT5yZWFkX3BvaW50ZXIrMSkgJSBJT1JFUV9CVUZGRVJfU0xP VF9OVU1dOwogICAgICAgICAgICAgcmVxLmRhdGEgfD0gKCh1aW50NjRfdCli dWZfcmVxLT5kYXRhKSA8PCAzMjsKKyAgICAgICAgICAgIHhlbl9ybWIoKTsK ICAgICAgICAgfQogCiAgICAgICAgIF9faGFuZGxlX2lvcmVxKGVudiwgJnJl cSk7CkBAIC01NDMsNyArNTU1LDExIEBAIHN0YXRpYyB2b2lkIGNwdV9oYW5k bGVfaW9yZXEodm9pZCAqb3BhcXUKIAogICAgIF9faGFuZGxlX2J1ZmZlcmVk X2lvcGFnZShlbnYpOwogICAgIGlmIChyZXEpIHsKLSAgICAgICAgX19oYW5k bGVfaW9yZXEoZW52LCByZXEpOworICAgICAgICBpb3JlcV90IGNvcHkgPSAq cmVxOworCisgICAgICAgIHhlbl9ybWIoKTsKKyAgICAgICAgX19oYW5kbGVf aW9yZXEoZW52LCAmY29weSk7CisgICAgICAgIHJlcS0+ZGF0YSA9IGNvcHku ZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBTVEFURV9JT1JF UV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYobG9nZmlsZSwg IkJhZG5lc3MgaW4gSS9PIHJlcXVlc3QgLi4uIG5vdCBpbiBzZXJ2aWNlPyE6 ICIK --=separator Content-Type: application/octet-stream; name="xsa197-4.5-qemuu.patch" Content-Disposition: attachment; filename="xsa197-4.5-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1odm0uYworKysgYi94ZW4taHZtLmMK QEAgLTcyMiw2ICs3MjIsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiB7CiAgICAgdWludDMyX3QgaTsKIAorICAgIGlm IChyZXEtPnNpemUgPiBzaXplb2YodWludDMyX3QpKSB7CisgICAgICAgIGh3 X2Vycm9yKCJQSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAg IH0KKwogICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICAgICAgcmVx LT5kYXRhID0gZG9faW5wKHJlcS0+YWRkciwgcmVxLT5zaXplKTsKQEAgLTc1 MSw2ICs3NTUsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21vdmUoaW9y ZXFfdCAqcmVxKQogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBpZiAocmVx LT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAgaHdfZXJy b3IoIk1NSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAgIH0K KwogICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICBpZiAo cmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAgICAgICAgICAgZm9yIChp ID0gMDsgaSA8IHJlcS0+Y291bnQ7IGkrKykgewpAQCAtODI2LDExICs4MzQs MTMgQEAgc3RhdGljIGludCBoYW5kbGVfYnVmZmVyZWRfaW9wYWdlKFhlbklP UwogICAgICAgICByZXEuZGYgPSAxOwogICAgICAgICByZXEudHlwZSA9IGJ1 Zl9yZXEtPnR5cGU7CiAgICAgICAgIHJlcS5kYXRhX2lzX3B0ciA9IDA7Cisg ICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgcXcgPSAocmVxLnNpemUgPT0g OCk7CiAgICAgICAgIGlmIChxdykgewogICAgICAgICAgICAgYnVmX3JlcSA9 ICZzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+YnVmX2lvcmVxWwogICAgICAg ICAgICAgICAgIChzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+cmVhZF9wb2lu dGVyICsgMSkgJSBJT1JFUV9CVUZGRVJfU0xPVF9OVU1dOwogICAgICAgICAg ICAgcmVxLmRhdGEgfD0gKCh1aW50NjRfdClidWZfcmVxLT5kYXRhKSA8PCAz MjsKKyAgICAgICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgfQogCiAgICAg ICAgIGhhbmRsZV9pb3JlcSgmcmVxKTsKQEAgLTg2Miw3ICs4NzIsMTEgQEAg c3RhdGljIHZvaWQgY3B1X2hhbmRsZV9pb3JlcSh2b2lkICpvcGFxdQogCiAg ICAgaGFuZGxlX2J1ZmZlcmVkX2lvcGFnZShzdGF0ZSk7CiAgICAgaWYgKHJl cSkgewotICAgICAgICBoYW5kbGVfaW9yZXEocmVxKTsKKyAgICAgICAgaW9y ZXFfdCBjb3B5ID0gKnJlcTsKKworICAgICAgICB4ZW5fcm1iKCk7CisgICAg ICAgIGhhbmRsZV9pb3JlcSgmY29weSk7CisgICAgICAgIHJlcS0+ZGF0YSA9 IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBTVEFU RV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYoc3Rk ZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGluIHNlcnZp Y2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-4.6-qemuu.patch" Content-Disposition: attachment; filename="xsa197-4.6-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1odm0uYworKysgYi94ZW4taHZtLmMK QEAgLTgxNyw2ICs4MTcsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiB7CiAgICAgdWludDMyX3QgaTsKIAorICAgIGlm IChyZXEtPnNpemUgPiBzaXplb2YodWludDMyX3QpKSB7CisgICAgICAgIGh3 X2Vycm9yKCJQSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAg IH0KKwogICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICAgICAgcmVx LT5kYXRhID0gZG9faW5wKHJlcS0+YWRkciwgcmVxLT5zaXplKTsKQEAgLTg0 Niw2ICs4NTAsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21vdmUoaW9y ZXFfdCAqcmVxKQogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBpZiAocmVx LT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAgaHdfZXJy b3IoIk1NSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAgIH0K KwogICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICBpZiAo cmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAgICAgICAgICAgZm9yIChp ID0gMDsgaSA8IHJlcS0+Y291bnQ7IGkrKykgewpAQCAtOTk5LDExICsxMDA3 LDEzIEBAIHN0YXRpYyBpbnQgaGFuZGxlX2J1ZmZlcmVkX2lvcGFnZShYZW5J T1MKICAgICAgICAgcmVxLmRmID0gMTsKICAgICAgICAgcmVxLnR5cGUgPSBi dWZfcmVxLT50eXBlOwogICAgICAgICByZXEuZGF0YV9pc19wdHIgPSAwOwor ICAgICAgICB4ZW5fcm1iKCk7CiAgICAgICAgIHF3ID0gKHJlcS5zaXplID09 IDgpOwogICAgICAgICBpZiAocXcpIHsKICAgICAgICAgICAgIGJ1Zl9yZXEg PSAmYnVmX3BhZ2UtPmJ1Zl9pb3JlcVsocmRwdHIgKyAxKSAlCiAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSU9SRVFfQlVG RkVSX1NMT1RfTlVNXTsKICAgICAgICAgICAgIHJlcS5kYXRhIHw9ICgodWlu dDY0X3QpYnVmX3JlcS0+ZGF0YSkgPDwgMzI7CisgICAgICAgICAgICB4ZW5f cm1iKCk7CiAgICAgICAgIH0KIAogICAgICAgICBoYW5kbGVfaW9yZXEoc3Rh dGUsICZyZXEpOwpAQCAtMTAzNCw3ICsxMDQ0LDExIEBAIHN0YXRpYyB2b2lk IGNwdV9oYW5kbGVfaW9yZXEodm9pZCAqb3BhcXUKIAogICAgIGhhbmRsZV9i dWZmZXJlZF9pb3BhZ2Uoc3RhdGUpOwogICAgIGlmIChyZXEpIHsKLSAgICAg ICAgaGFuZGxlX2lvcmVxKHN0YXRlLCByZXEpOworICAgICAgICBpb3JlcV90 IGNvcHkgPSAqcmVxOworCisgICAgICAgIHhlbl9ybWIoKTsKKyAgICAgICAg aGFuZGxlX2lvcmVxKHN0YXRlLCAmY29weSk7CisgICAgICAgIHJlcS0+ZGF0 YSA9IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBT VEFURV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYo c3RkZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGluIHNl cnZpY2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-qemut.patch" Content-Disposition: attachment; filename="xsa197-qemut.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRy aXguY29tPgoKLS0tIGEvaTM4Ni1kbS9oZWxwZXIyLmMKKysrIGIvaTM4Ni1k bS9oZWxwZXIyLmMKQEAgLTM3NSw2ICszNzUsMTEgQEAgc3RhdGljIHZvaWQg Y3B1X2lvcmVxX3BpbyhDUFVTdGF0ZSAqZW52LAogewogICAgIHVpbnQzMl90 IGk7CiAKKyAgICBpZiAocmVxLT5zaXplID4gc2l6ZW9mKHVuc2lnbmVkIGxv bmcpKSB7CisgICAgICAgIGZwcmludGYoc3RkZXJyLCAiUElPOiBiYWQgc2l6 ZSAoJXUpXG4iLCByZXEtPnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAg ICB9CisKICAgICBpZiAocmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAg ICAgICBpZiAoIXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgICAgIHJl cS0+ZGF0YSA9IGRvX2lucChlbnYsIHJlcS0+YWRkciwgcmVxLT5zaXplKTsK QEAgLTQwNCw2ICs0MDksMTEgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21v dmUoQ1BVU3RhdGUgKmVudgogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBp ZiAocmVxLT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAg ZnByaW50ZihzdGRlcnIsICJNTUlPOiBiYWQgc2l6ZSAoJXUpXG4iLCByZXEt PnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAgICB9CisKICAgICBpZiAo IXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgaWYgKHJlcS0+ZGlyID09 IElPUkVRX1JFQUQpIHsKICAgICAgICAgICAgIGZvciAoaSA9IDA7IGkgPCBy ZXEtPmNvdW50OyBpKyspIHsKQEAgLTUxNiwxMSArNTI2LDEzIEBAIHN0YXRp YyBpbnQgX19oYW5kbGVfYnVmZmVyZWRfaW9wYWdlKENQVVMKICAgICAgICAg cmVxLmRmID0gMTsKICAgICAgICAgcmVxLnR5cGUgPSBidWZfcmVxLT50eXBl OwogICAgICAgICByZXEuZGF0YV9pc19wdHIgPSAwOworICAgICAgICB4ZW5f cm1iKCk7CiAgICAgICAgIHF3ID0gKHJlcS5zaXplID09IDgpOwogICAgICAg ICBpZiAocXcpIHsKICAgICAgICAgICAgIGJ1Zl9yZXEgPSAmYnVmZmVyZWRf aW9fcGFnZS0+YnVmX2lvcmVxWyhyZHB0ciArIDEpICUKICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElPUkVR X0JVRkZFUl9TTE9UX05VTV07CiAgICAgICAgICAgICByZXEuZGF0YSB8PSAo KHVpbnQ2NF90KWJ1Zl9yZXEtPmRhdGEpIDw8IDMyOworICAgICAgICAgICAg eGVuX3JtYigpOwogICAgICAgICB9CiAKICAgICAgICAgX19oYW5kbGVfaW9y ZXEoZW52LCAmcmVxKTsKQEAgLTU1Miw3ICs1NjQsMTEgQEAgc3RhdGljIHZv aWQgY3B1X2hhbmRsZV9pb3JlcSh2b2lkICpvcGFxdQogCiAgICAgX19oYW5k bGVfYnVmZmVyZWRfaW9wYWdlKGVudik7CiAgICAgaWYgKHJlcSkgewotICAg ICAgICBfX2hhbmRsZV9pb3JlcShlbnYsIHJlcSk7CisgICAgICAgIGlvcmVx X3QgY29weSA9ICpyZXE7CisKKyAgICAgICAgeGVuX3JtYigpOworICAgICAg ICBfX2hhbmRsZV9pb3JlcShlbnYsICZjb3B5KTsKKyAgICAgICAgcmVxLT5k YXRhID0gY29weS5kYXRhOwogCiAgICAgICAgIGlmIChyZXEtPnN0YXRlICE9 IFNUQVRFX0lPUkVRX0lOUFJPQ0VTUykgewogICAgICAgICAgICAgZnByaW50 Zihsb2dmaWxlLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGlu IHNlcnZpY2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-qemuu.patch" Content-Disposition: attachment; filename="xsa197-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1odm0uYworKysgYi94ZW4taHZtLmMK QEAgLTgxMCw2ICs4MTAsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiAgICAgdHJhY2VfY3B1X2lvcmVxX3BpbyhyZXEs IHJlcS0+ZGlyLCByZXEtPmRmLCByZXEtPmRhdGFfaXNfcHRyLCByZXEtPmFk ZHIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgcmVxLT5kYXRhLCByZXEt PmNvdW50LCByZXEtPnNpemUpOwogCisgICAgaWYgKHJlcS0+c2l6ZSA+IHNp emVvZih1aW50MzJfdCkpIHsKKyAgICAgICAgaHdfZXJyb3IoIlBJTzogYmFk IHNpemUgKCV1KSIsIHJlcS0+c2l6ZSk7CisgICAgfQorCiAgICAgaWYgKHJl cS0+ZGlyID09IElPUkVRX1JFQUQpIHsKICAgICAgICAgaWYgKCFyZXEtPmRh dGFfaXNfcHRyKSB7CiAgICAgICAgICAgICByZXEtPmRhdGEgPSBkb19pbnAo cmVxLT5hZGRyLCByZXEtPnNpemUpOwpAQCAtODQ2LDYgKzg1MCwxMCBAQCBz dGF0aWMgdm9pZCBjcHVfaW9yZXFfbW92ZShpb3JlcV90ICpyZXEpCiAgICAg dHJhY2VfY3B1X2lvcmVxX21vdmUocmVxLCByZXEtPmRpciwgcmVxLT5kZiwg cmVxLT5kYXRhX2lzX3B0ciwgcmVxLT5hZGRyLAogICAgICAgICAgICAgICAg ICAgICAgICAgIHJlcS0+ZGF0YSwgcmVxLT5jb3VudCwgcmVxLT5zaXplKTsK IAorICAgIGlmIChyZXEtPnNpemUgPiBzaXplb2YocmVxLT5kYXRhKSkgewor ICAgICAgICBod19lcnJvcigiTU1JTzogYmFkIHNpemUgKCV1KSIsIHJlcS0+ c2l6ZSk7CisgICAgfQorCiAgICAgaWYgKCFyZXEtPmRhdGFfaXNfcHRyKSB7 CiAgICAgICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgICAgICBmb3IgKGkgPSAwOyBpIDwgcmVxLT5jb3VudDsgaSsrKSB7CkBA IC0xMDEwLDExICsxMDE4LDEzIEBAIHN0YXRpYyBpbnQgaGFuZGxlX2J1ZmZl cmVkX2lvcGFnZShYZW5JT1MKICAgICAgICAgcmVxLmRmID0gMTsKICAgICAg ICAgcmVxLnR5cGUgPSBidWZfcmVxLT50eXBlOwogICAgICAgICByZXEuZGF0 YV9pc19wdHIgPSAwOworICAgICAgICB4ZW5fcm1iKCk7CiAgICAgICAgIHF3 ID0gKHJlcS5zaXplID09IDgpOwogICAgICAgICBpZiAocXcpIHsKICAgICAg ICAgICAgIGJ1Zl9yZXEgPSAmYnVmX3BhZ2UtPmJ1Zl9pb3JlcVsocmRwdHIg KyAxKSAlCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgSU9SRVFfQlVGRkVSX1NMT1RfTlVNXTsKICAgICAgICAgICAgIHJl cS5kYXRhIHw9ICgodWludDY0X3QpYnVmX3JlcS0+ZGF0YSkgPDwgMzI7Cisg ICAgICAgICAgICB4ZW5fcm1iKCk7CiAgICAgICAgIH0KIAogICAgICAgICBo YW5kbGVfaW9yZXEoc3RhdGUsICZyZXEpOwpAQCAtMTA0NSw3ICsxMDU1LDEx IEBAIHN0YXRpYyB2b2lkIGNwdV9oYW5kbGVfaW9yZXEodm9pZCAqb3BhcXUK IAogICAgIGhhbmRsZV9idWZmZXJlZF9pb3BhZ2Uoc3RhdGUpOwogICAgIGlm IChyZXEpIHsKLSAgICAgICAgaGFuZGxlX2lvcmVxKHN0YXRlLCByZXEpOwor ICAgICAgICBpb3JlcV90IGNvcHkgPSAqcmVxOworCisgICAgICAgIHhlbl9y bWIoKTsKKyAgICAgICAgaGFuZGxlX2lvcmVxKHN0YXRlLCAmY29weSk7Cisg ICAgICAgIHJlcS0+ZGF0YSA9IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAo cmVxLT5zdGF0ZSAhPSBTVEFURV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAg ICAgICAgIGZwcmludGYoc3RkZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVz dCAuLi4gbm90IGluIHNlcnZpY2U/ITogIgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mu-0008Ta-Ol; Tue, 22 Nov 2016 12:03:00 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ms-0008O6-Tn; Tue, 22 Nov 2016 12:02:59 +0000 Received: from [85.158.139.211] by server-5.bemta-5.messagelabs.com id 40/37-02084-1F334385; Tue, 22 Nov 2016 12:02:57 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrJIsWRWlGSWpSXmKPExsWS0XRdVfeDsUm Ewf8mQ4tbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBmdLxvZCqYbF+xu/cmawPj O4suRi4OIYFzjBLHLu9ngXA2MEq07F3B1MXIycEs4CpxY99mNghbUeLCvQYWEJtXQFDi5MwnY LaEgKbEnTer2EFsEYEiiZ3nXoLZbAJ6EnPPToKaoyPxcv9qMFtYoFDi6olVjBBzzCSaL+0Fm8 MioCqxs7+PdQIjzywkq2chWT0LyepZjBxAcU2J9bv0IUxpieX/OCCq5SW2v53DDGFbS1yY3cs KYVtI3Pr0kBlm4pTuh+wLGDlXMWoUpxaVpRbpGhnpJRVlpmeU5CZm5ugaGpjq5aYWFyemp+Yk JhXrJefnbmIEBng9AwPjDsY97X6HGCU5mJREeQ8vNYoQ4kvKT6nMSCzOiC8qzUktPsQow8GhJ MG73MgkQkiwKDU9tSItMwcYazBpCQ4eJRHexyBp3uKCxNzizHSI1ClGY45bJ54/YOJ49PvtAy Yhlrz8vFQpcd6LIKUCIKUZpXlwg2Ap4BKjrJQwLyMDA4MQT0FqUW5mCar8K0ZxDkYlYd41IFN 4MvNK4Pa9AjqFCegUyW/GIKeUJCKkpBoYm5kUHt41/uCmefBkV8453Tt7GFQ/861obFs3yfC9 /C3X4imdjE+eSVcu0BFn/bvxyqM/Wxf0CodK+3c/UlEyCZ9m+jTey/RBbeUSt8zvmf4/p9QGT ztRtb9mh2jA3B1s1q2Cj+4lC83n2nOIQ33HMR6mtcfuqO/W+33r4BYhHfY5iRfYVI1OKrEUZy QaajEXFScCAF5SESn8AgAA X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-2.tower-206.messagelabs.com!1479816171!53082491!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 25368 invoked from network); 22 Nov 2016 12:02:53 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-2.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:53 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mf-0004re-Ud; Tue, 22 Nov 2016 12:02:45 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mf-0008E2-TQ; Tue, 22 Nov 2016 12:02:45 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:45 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 198 (CVE-2016-9379, CVE-2016-9380) - delimiter injection vulnerabilities in pygrub X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9379,CVE-2016-9380 / XSA-198 version 3 delimiter injection vulnerabilities in pygrub UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller. pygrub supports a number of output formats. When the S-expression output format is requested, putting string quotes and S-expressions in the bootloader configuration file can produce incorrect output. (CVE-2016-9379) When the nul-delimited output format is requested, nul bytes in the bootloader configuration file can produce an ambiguous or confusing output file, which is interpreted by libxl in a vulnerable way. (CVE-2016-9380) The existing bootloader config interpreters all read input in a line-based way from their bootloaders, and none of them support any kind of escaping. So the newline-delimited output format is safe. The attacker can use this to cause the toolstack to treat any file accessible to the toolstack as if it were the guest's initial ramdisk file. The file contents are provided to the guest kernel; also, normally, these files are deleted by the toolstack as the guest starts to boot; alternatively they may be deleted later. IMPACT ====== A malicious guest administrator can obtain the contents of sensitive host files (an information leak). Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, ability to remove certain files may be useable for privilege escalation. VULNERABLE SYSTEMS ================== Xen versions 2.0 and later are vulnerable. The vulnerability is only exposed to guests configured by the host administrator to boot using pygrub. In the xl and xm domain configuration file, this is typically achieved with bootloader="pygrub" On x86 this would typically apply only to PV domains. All systems using xl, libxl, or libvirt are vulnerable to pygrub-using guests. Systems using other (third-party) toolstacks may or may not be vulnerable, depending on whether pygrub is configured, and what pygrub output format they use. Please consult your toolstack provider. MITIGATION ========== Configuring guests not to use pygrub will avoid the vulnerability. For x86 PV guests currently using pygrub, booting the guest as HVM is often a practical option to avoid pygrub. CREDITS ======= This issue was discovered by Daniel Richman and Gábor Szarka of the Cambridge University Student-Run Computing Facility. RESOLUTION ========== Applying the attached patch resolves this issue. xsa198.patch All Xen versions (at least Xen 4.4 and later) $ sha256sum xsa198* 0e4533ad2157c03ab309bd12a54f5ff325f03edbe97f23c60a16a3f378c75eae xsa198.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patch described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. Deployment of the mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because switching away from the use of pygrub would reveal where the vulnerability lies. Deployment of mitigations is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDN4AAoJEIP+FMlX6CvZX8AH/1FL3pw4RbbuFd/b23Qmo25U F7qELx001C4C+uXtlxaIg6MT467pRphihSkLcLQ2vgIp57iVTXhufc4TVqhdADgp bL3h1zd7Ot4f+iA5RYlGIJ4is3I2A6lNvLwydi2PIGgmalSad5B3Ed0vrvRwfLKY qpsVm0LrM24aFX2IaygmmziQIQVeXSYpmKmVebOEAFL0uj9g8D3VhgWIMtZxW+9K A6c2NTrt01ZbsVRx2wTcRdRhEJLeFbBZOPS9RrbjJzbuFcAzsGR8m/pS4hJBhik/ 9MG4b7FBMYZTaBd4wcbbHM81py1KkcoreC2jL1qb1JMG7BQVP1USdz21rJ05DY8= =P2XT -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa198.patch" Content-Disposition: attachment; filename="xsa198.patch" Content-Transfer-Encoding: base64 RnJvbSA3MWEzODlhZTk0MGJjNTJiZjg5N2E2ZTViZWNkNzNmZDhlZGU5NGM1 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBJYW4gSmFja3NvbiA8 aWFuLmphY2tzb25AZXUuY2l0cml4LmNvbT4KRGF0ZTogVGh1LCAzIE5vdiAy MDE2IDE2OjM3OjQwICswMDAwClN1YmplY3Q6IFtQQVRDSF0gcHlncnViOiBQ cm9wZXJseSBxdW90ZSByZXN1bHRzLCB3aGVuIHJldHVybmluZyB0aGVtIHRv IHRoZQogY2FsbGVyOgoKKiBXaGVuIHRoZSBjYWxsZXIgd2FudHMgc2V4cHIg b3V0cHV0LCB1c2UgYHJlcHIoKScKICBUaGlzIGlzIHdoYXQgWGVuZCBleHBl Y3RzLgoKICBUaGUgcmV0dXJuZWQgUy1leHByZXNzaW9ucyBhcmUgbm93IGVz Y2FwZWQgYW5kIHF1b3RlZCBieSBQeXRob24sCiAgZ2VuZXJhbGx5IHVzaW5n ICcuLi4nLiAgUHJldmlvdXNseSBrZXJuZWwgYW5kIHJhbWRpc2sgd2VyZSB1 bnF1b3RlZAogIGFuZCBhcmdzIHdhcyBxdW90ZWQgd2l0aCAiLi4uIiBidXQg d2l0aG91dCBwcm9wZXIgZXNjYXBpbmcuICBUaGlzCiAgY2hhbmdlIG1heSBi cmVhayB0b29sc3RhY2tzIHdoaWNoIGRvIG5vdCBwcm9wZXJseSBkZXF1b3Rl IHRoZQogIHJldHVybmVkIFMtZXhwcmVzc2lvbnMuCgoqIFdoZW4gdGhlIGNh bGxlciB3YW50cyAic2ltcGxlIiBvdXRwdXQsIGNyYXNoIGlmIHRoZSBkZWxp bWl0ZXIgaXMKICBjb250YWluZWQgaW4gdGhlIHJldHVybmVkIHZhbHVlLgoK ICBXaXRoIC0tb3V0cHV0LWZvcm1hdD1zaW1wbGUgaXQgZG9lcyBub3Qgc2Vl bSBsaWtlIHRoaXMgY291bGQgZXZlcgogIGhhcHBlbiwgYmVjYXVzZSB0aGUg Ym9vdGxvYWRlciBjb25maWcgcGFyc2VycyBhbGwgdGFrZSBsaW5lLWJhc2Vk CiAgaW5wdXQgZnJvbSB0aGUgdmFyaW91cyBib290bG9hZGVyIGNvbmZpZyBm aWxlcy4KCiAgV2l0aCAtLW91dHB1dC1mb3JtYXQ9c2ltcGxlMCwgdGhpcyBj YW4gaGFwcGVuIGlmIHRoZSBib290bG9hZGVyCiAgY29uZmlnIGZpbGUgY29u dGFpbnMgbnVsIGJ5dGVzLgoKVGhpcyBpcyBYU0EtMTk4LgoKU2lnbmVkLW9m Zi1ieTogSWFuIEphY2tzb24gPElhbi5KYWNrc29uQGV1LmNpdHJpeC5jb20+ ClRlc3RlZC1ieTogSWFuIEphY2tzb24gPElhbi5KYWNrc29uQGV1LmNpdHJp eC5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29v cGVyM0BjaXRyaXguY29tPgotLS0KIHRvb2xzL3B5Z3J1Yi9zcmMvcHlncnVi IHwgOSArKysrKystLS0KIDEgZmlsZSBjaGFuZ2VkLCA2IGluc2VydGlvbnMo KyksIDMgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvcHlncnVi L3NyYy9weWdydWIgYi90b29scy9weWdydWIvc3JjL3B5Z3J1YgppbmRleCA0 MGY5NTg0Li5kZDBjOGY3IDEwMDc1NQotLS0gYS90b29scy9weWdydWIvc3Jj L3B5Z3J1YgorKysgYi90b29scy9weWdydWIvc3JjL3B5Z3J1YgpAQCAtNzIx LDE0ICs3MjEsMTcgQEAgZGVmIHNuaWZmX25ldHdhcmUoZnMsIGNmZyk6CiAg ICAgcmV0dXJuIGNmZwogCiBkZWYgZm9ybWF0X3N4cChrZXJuZWwsIHJhbWRp c2ssIGFyZ3MpOgotICAgIHMgPSAibGludXggKGtlcm5lbCAlcykiICUga2Vy bmVsCisgICAgcyA9ICJsaW51eCAoa2VybmVsICVzKSIgJSByZXByKGtlcm5l bCkKICAgICBpZiByYW1kaXNrOgotICAgICAgICBzICs9ICIocmFtZGlzayAl cykiICUgcmFtZGlzaworICAgICAgICBzICs9ICIocmFtZGlzayAlcykiICUg cmVwcihyYW1kaXNrKQogICAgIGlmIGFyZ3M6Ci0gICAgICAgIHMgKz0gIihh cmdzIFwiJXNcIikiICUgYXJncworICAgICAgICBzICs9ICIoYXJncyAlcyki ICUgcmVwcihhcmdzKQogICAgIHJldHVybiBzCiAgICAgICAgICAgICAgICAg CiBkZWYgZm9ybWF0X3NpbXBsZShrZXJuZWwsIHJhbWRpc2ssIGFyZ3MsIHNl cCk6CisgICAgZm9yIGNoZWNrIGluIChrZXJuZWwsIHJhbWRpc2ssIGFyZ3Mp OgorICAgICAgICBpZiBjaGVjayBpcyBub3QgTm9uZSBhbmQgc2VwIGluIGNo ZWNrOgorICAgICAgICAgICAgcmFpc2UgUnVudGltZUVycm9yLCAic2ltcGxl IGZvcm1hdCBjYW5ub3QgcmVwcmVzZW50IGRlbGltaXRlci1jb250YWluaW5n IHZhbHVlIgogICAgIHMgPSAoImtlcm5lbCAlcyIgJSBrZXJuZWwpICsgc2Vw CiAgICAgaWYgcmFtZGlzazoKICAgICAgICAgcyArPSAoInJhbWRpc2sgJXMi ICUgcmFtZGlzaykgKyBzZXAKLS0gCjIuMS40Cgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mU-00080O-7i; Tue, 22 Nov 2016 12:02:34 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mT-0007zm-Ii; Tue, 22 Nov 2016 12:02:33 +0000 Received: from [193.109.254.147] by server-9.bemta-6.messagelabs.com id 49/AF-28694-8D334385; Tue, 22 Nov 2016 12:02:32 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrIKsWRWlGSWpSXmKPExsWS0XRdVfe6sUm Ewcfb6ha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNmPGwnbVgd3XF/G0n2RoY b5d2MXJxCAmcY5Q4uvEaO4SzgVFi4aNtTF2MnBzMAq4SN/ZtZoOwFSUu3GtgAbF5BQQlTs58A mZLCGhK3Hmzih3EFhEokth57iWYzSagJzH37CSoOToSL/evBrOFBcolJp69xgoxx0xixeT1YP NZBFQlWq7OZJ/AyDMLyepZSFbPQrJ6FiMHUFxTYv0ufQhTWmL5Pw6IanmJ7W/nMEPY1hL7Vvy AmmIh8eP0B2aYiVO6H7JD2PYSZyZeZIGwbSQmNK7CqubC1H64mr1NN1iR1Sxg5F/FqFGcWlSW WqRrbKyXVJSZnlGSm5iZo2toYKaXm1pcnJiempOYVKyXnJ+7iREYcQxAsINx5/rAQ4ySHExKo ryHlxpFCPEl5adUZiQWZ8QXleakFh9ilOHgUJLgXW5kEiEkWJSanlqRlpkDjH2YtAQHj5IIRJ q3uCAxtzgzHSJ1itGY49aJ5w+YOB79fvuASYglLz8vVUqc9yJIqQBIaUZpHtwgWEq6xCgrJcz LCHSaEE9BalFuZgmq/CtGcQ5GJWFea5ApPJl5JXD7XgGdwgR0iuQ3Y5BTShIRUlINjH4bgk9m BWrb/meYZfFDII7fb++0+xLVz5tjpRuvhe9eKfXwd1GUsOqV7QZblY7MU3ee8uF/zBHtVKGYB 9sKskzutu0z9Ba2S1+26JlU/uwbBdc9/Mxb1bd83Xvv8JTd3FpqG+cZLri674dxrJvoxjdldx +lGOy79bOoY0/24kS5268E4tnVlyuxFGckGmoxFxUnAgCZ+whuRAMAAA== X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-16.tower-27.messagelabs.com!1479816150!72955157!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 24741 invoked from network); 22 Nov 2016 12:02:31 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-16.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:31 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mI-0004om-DB; Tue, 22 Nov 2016 12:02:22 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mI-00086a-9W; Tue, 22 Nov 2016 12:02:22 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:22 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 193 (CVE-2016-9385) - x86 segment base write emulation lacking canonical address checks X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9385 / XSA-193 version 3 x86 segment base write emulation lacking canonical address checks UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a #GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against #GP faults (having recovery code attached) was accidentally removed. IMPACT ====== A malicious guest administrator can crash the host, leading to a DoS. VULNERABLE SYSTEMS ================== Xen versions 4.4 and onwards are affected. Xen versions 4.3 and earlier are not affected. The vulnerability is only exposed to x86 PV guests. The vulnerability is NOT exposed to x86 HVM guests. ARM systems are NOT vulnerable. MITIGATION ========== Running only HVM guests will avoid this vulnerability. For PV guests the vulnerability can be avoided if the guest kernel is controlled by the host rather than guest administrator, provided that further steps are taken to prevent the guest administrator from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa193.patch xen-unstable xsa193-4.7.patch Xen 4.7.x, Xen 4.6.x xsa193-4.5.patch Xen 4.5.x, Xen 4.4.x $ sha256sum xsa193* 401df29b462a3430403a4f5bb36fd7824e692c9b5bac650e1a9d70bd440a55a1 xsa193.patch b3494b1fe5fefc0d032bd603340e364c880ec0d3ae3fb8aa3a773038e956f955 xsa193-4.5.patch f1b0092c585ebffe83d6ed7df94885ec5dfcb4227bdb33f421bad9febb8135a1 xsa193-4.7.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDK2AAoJEIP+FMlX6CvZswsIAI17sWqaGeP8GvtddxR08G2J 3Nb7Lnb/4cq8Hdc5XmUnX/zuDqobT5AGJEgKAuhRc9zs2TOv8FwcABc+/odKG6ak tcMAaLThMcKbB0b0ZYEkcrU+jaCDDVE3rYVGjKv0hHKZNRY/SmWOdl180xcHksXG pj5OQn6/+db6nqMlhyOcOyjM3w1/1AUe/O0EDsdUSNrY1mZi4/MjUXlDaJTZbDCc KW9XUeRSq66iZELawBaosViTenOm/R+8DJGiR8fmJlXx+gzpEywtsEUCrxeKlTDo tT68gwy0aHdlqKbIthkKr5qaT5FtKPyX0UpIXu7qtldbdEZG61iIlNOEG8tyPhU= =fjbt -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa193.patch" Content-Disposition: attachment; filename="xsa193.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvUFY6IHdyaXRlcyBvZiAlZnMgYW5kICVncyBiYXNlIE1TUnMgcmVx dWlyZSBjYW5vbmljYWwgYWRkcmVzc2VzCgpDb21taXQgYzQyNDk0YWNiMiAo Ing4NjogZml4IEZTL0dTIGJhc2UgaGFuZGxpbmcgd2hlbiB1c2luZyB0aGUK ZnNnc2Jhc2UgZmVhdHVyZSIpIHJlcGxhY2VkIHRoZSB1c2Ugb2Ygd3Jtc3Jf c2FmZSgpIG9uIHRoZXNlIHBhdGhzCndpdGhvdXQgcmVjb2duaXppbmcgdGhh dCB3cntmLGd9c2Jhc2UoKSB1c2UganVzdCB3cm1zcmwoKSBhbmQgdGhhdCB0 aGUKV1J7RixHfVNCQVNFIGluc3RydWN0aW9ucyBhbHNvIHJhaXNlICNHUCBm b3Igbm9uLWNhbm9uaWNhbCBpbnB1dC4KClNpbWlsYXJseSBhcmNoX3NldF9p bmZvX2d1ZXN0KCkgbmVlZHMgdG8gcHJldmVudCBub24tY2Fub25pY2FsCmFk ZHJlc3NlcyBmcm9tIGdldHRpbmcgc3RvcmVkIGludG8gc3RhdGUgbGF0ZXIg dG8gYmUgbG9hZGVkIGJ5IGNvbnRleHQKc3dpdGNoIGNvZGUuIEZvciBjb25z aXN0ZW5jeSBhbHNvIGNoZWNrIHN0YWNrIHBvaW50ZXJzIGFuZCBMRFQgYmFz ZS4KRFIwLi4zLCBvdG9oLCBhbHJlYWR5IGdldCBwcm9wZXJseSBjaGVja2Vk IGluIHNldF9kZWJ1Z3JlZygpIChhbGJlaXQKd2UgZGlzY2FyZCB0aGUgZXJy b3IgdGhlcmUpLgoKVGhlIFNIQURPV19HU19CQVNFIGNoZWNrIGlzbid0IHN0 cmljdGx5IG5lY2Vzc2FyeSwgYnV0IEkgdGhpbmsgd2UKYmV0dGVyIGF2b2lk IHRyeWluZyB0aGUgV1JNU1IgaWYgd2Uga25vdyBpdCdzIGdvaW5nIHRvIGZh aWwuCgpUaGlzIGlzIFhTQS0xOTMuCgpSZXBvcnRlZC1ieTogQW5kcmV3IENv b3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpSZXZpZXdlZC1i eTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4K Ci0tLSBhL3hlbi9hcmNoL3g4Ni9kb21haW4uYworKysgYi94ZW4vYXJjaC94 ODYvZG9tYWluLmMKQEAgLTg5Nyw3ICs4OTcsMTMgQEAgaW50IGFyY2hfc2V0 X2luZm9fZ3Vlc3QoCiAgICAgewogICAgICAgICBpZiAoICFjb21wYXQgKQog ICAgICAgICB7Ci0gICAgICAgICAgICBpZiAoICFpc19jYW5vbmljYWxfYWRk cmVzcyhjLm5hdC0+dXNlcl9yZWdzLmVpcCkgfHwKKyAgICAgICAgICAgIGlm ICggIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMubmF0LT51c2VyX3JlZ3Mucmlw KSB8fAorICAgICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3Mo Yy5uYXQtPnVzZXJfcmVncy5yc3ApIHx8CisgICAgICAgICAgICAgICAgICFp c19jYW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+a2VybmVsX3NwKSB8fAorICAg ICAgICAgICAgICAgICAoYy5uYXQtPmxkdF9lbnRzICYmICFpc19jYW5vbmlj YWxfYWRkcmVzcyhjLm5hdC0+bGR0X2Jhc2UpKSB8fAorICAgICAgICAgICAg ICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmZzX2Jhc2UpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhjLm5h dC0+Z3NfYmFzZV9rZXJuZWwpIHx8CisgICAgICAgICAgICAgICAgICFpc19j YW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+Z3NfYmFzZV91c2VyKSB8fAogICAg ICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmV2 ZW50X2NhbGxiYWNrX2VpcCkgfHwKICAgICAgICAgICAgICAgICAgIWlzX2Nh bm9uaWNhbF9hZGRyZXNzKGMubmF0LT5zeXNjYWxsX2NhbGxiYWNrX2VpcCkg fHwKICAgICAgICAgICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMu bmF0LT5mYWlsc2FmZV9jYWxsYmFja19laXApICkKLS0tIGEveGVuL2FyY2gv eDg2L3RyYXBzLmMKKysrIGIveGVuL2FyY2gveDg2L3RyYXBzLmMKQEAgLTI1 NjAsMjEgKzI1NjAsMjEgQEAgc3RhdGljIGludCBwcml2X29wX3dyaXRlX21z cih1bnNpZ25lZCBpbgogICAgICAgICBpbnQgcmM7CiAKICAgICBjYXNlIE1T Ul9GU19CQVNFOgotICAgICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihj dXJyZCkgKQorICAgICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJy ZCkgfHwgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKHZhbCkgKQogICAgICAgICAg ICAgYnJlYWs7CiAgICAgICAgIHdyZnNiYXNlKHZhbCk7CiAgICAgICAgIGN1 cnItPmFyY2gucHZfdmNwdS5mc19iYXNlID0gdmFsOwogICAgICAgICByZXR1 cm4gWDg2RU1VTF9PS0FZOwogCiAgICAgY2FzZSBNU1JfR1NfQkFTRToKLSAg ICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpICkKKyAgICAg ICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8ICFpc19jYW5v bmljYWxfYWRkcmVzcyh2YWwpICkKICAgICAgICAgICAgIGJyZWFrOwogICAg ICAgICB3cmdzYmFzZSh2YWwpOwogICAgICAgICBjdXJyLT5hcmNoLnB2X3Zj cHUuZ3NfYmFzZV9rZXJuZWwgPSB2YWw7CiAgICAgICAgIHJldHVybiBYODZF TVVMX09LQVk7CiAKICAgICBjYXNlIE1TUl9TSEFET1dfR1NfQkFTRToKLSAg ICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8CisgICAg ICAgIGlmICggaXNfcHZfMzJiaXRfZG9tYWluKGN1cnJkKSB8fCAhaXNfY2Fu b25pY2FsX2FkZHJlc3ModmFsKSB8fAogICAgICAgICAgICAgIHdybXNyX3Nh ZmUoTVNSX1NIQURPV19HU19CQVNFLCB2YWwpICkKICAgICAgICAgICAgIGJy ZWFrOwogICAgICAgICBjdXJyLT5hcmNoLnB2X3ZjcHUuZ3NfYmFzZV91c2Vy ID0gdmFsOwo= --=separator Content-Type: application/octet-stream; name="xsa193-4.5.patch" Content-Disposition: attachment; filename="xsa193-4.5.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvUFY6IHdyaXRlcyBvZiAlZnMgYW5kICVncyBiYXNlIE1TUnMgcmVx dWlyZSBjYW5vbmljYWwgYWRkcmVzc2VzCgpDb21taXQgYzQyNDk0YWNiMiAo Ing4NjogZml4IEZTL0dTIGJhc2UgaGFuZGxpbmcgd2hlbiB1c2luZyB0aGUK ZnNnc2Jhc2UgZmVhdHVyZSIpIHJlcGxhY2VkIHRoZSB1c2Ugb2Ygd3Jtc3Jf c2FmZSgpIG9uIHRoZXNlIHBhdGhzCndpdGhvdXQgcmVjb2duaXppbmcgdGhh dCB3cntmLGd9c2Jhc2UoKSB1c2UganVzdCB3cm1zcmwoKSBhbmQgdGhhdCB0 aGUKV1J7RixHfVNCQVNFIGluc3RydWN0aW9ucyBhbHNvIHJhaXNlICNHUCBm b3Igbm9uLWNhbm9uaWNhbCBpbnB1dC4KClNpbWlsYXJseSBhcmNoX3NldF9p bmZvX2d1ZXN0KCkgbmVlZHMgdG8gcHJldmVudCBub24tY2Fub25pY2FsCmFk ZHJlc3NlcyBmcm9tIGdldHRpbmcgc3RvcmVkIGludG8gc3RhdGUgbGF0ZXIg dG8gYmUgbG9hZGVkIGJ5IGNvbnRleHQKc3dpdGNoIGNvZGUuIEZvciBjb25z aXN0ZW5jeSBhbHNvIGNoZWNrIHN0YWNrIHBvaW50ZXJzIGFuZCBMRFQgYmFz ZS4KRFIwLi4zLCBvdG9oLCBhbHJlYWR5IGdldCBwcm9wZXJseSBjaGVja2Vk IGluIHNldF9kZWJ1Z3JlZygpIChhbGJlaXQKd2UgZGlzY2FyZCB0aGUgZXJy b3IgdGhlcmUpLgoKVGhlIFNIQURPV19HU19CQVNFIGNoZWNrIGlzbid0IHN0 cmljdGx5IG5lY2Vzc2FyeSwgYnV0IEkgdGhpbmsgd2UKYmV0dGVyIGF2b2lk IHRyeWluZyB0aGUgV1JNU1IgaWYgd2Uga25vdyBpdCdzIGdvaW5nIHRvIGZh aWwuCgpUaGlzIGlzIFhTQS0xOTMuCgpSZXBvcnRlZC1ieTogQW5kcmV3IENv b3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpSZXZpZXdlZC1i eTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4K Ci0tLSBhL3hlbi9hcmNoL3g4Ni9kb21haW4uYworKysgYi94ZW4vYXJjaC94 ODYvZG9tYWluLmMKQEAgLTc0MSw3ICs3NDEsMTMgQEAgaW50IGFyY2hfc2V0 X2luZm9fZ3Vlc3QoCiAgICAgewogICAgICAgICBpZiAoICFjb21wYXQgKQog ICAgICAgICB7Ci0gICAgICAgICAgICBpZiAoICFpc19jYW5vbmljYWxfYWRk cmVzcyhjLm5hdC0+dXNlcl9yZWdzLmVpcCkgfHwKKyAgICAgICAgICAgIGlm ICggIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMubmF0LT51c2VyX3JlZ3Mucmlw KSB8fAorICAgICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3Mo Yy5uYXQtPnVzZXJfcmVncy5yc3ApIHx8CisgICAgICAgICAgICAgICAgICFp c19jYW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+a2VybmVsX3NwKSB8fAorICAg ICAgICAgICAgICAgICAoYy5uYXQtPmxkdF9lbnRzICYmICFpc19jYW5vbmlj YWxfYWRkcmVzcyhjLm5hdC0+bGR0X2Jhc2UpKSB8fAorICAgICAgICAgICAg ICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmZzX2Jhc2UpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhjLm5h dC0+Z3NfYmFzZV9rZXJuZWwpIHx8CisgICAgICAgICAgICAgICAgICFpc19j YW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+Z3NfYmFzZV91c2VyKSB8fAogICAg ICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmV2 ZW50X2NhbGxiYWNrX2VpcCkgfHwKICAgICAgICAgICAgICAgICAgIWlzX2Nh bm9uaWNhbF9hZGRyZXNzKGMubmF0LT5zeXNjYWxsX2NhbGxiYWNrX2VpcCkg fHwKICAgICAgICAgICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMu bmF0LT5mYWlsc2FmZV9jYWxsYmFja19laXApICkKLS0tIGEveGVuL2FyY2gv eDg2L3RyYXBzLmMKKysrIGIveGVuL2FyY2gveDg2L3RyYXBzLmMKQEAgLTI0 MzksMTkgKzI0MzksMTkgQEAgc3RhdGljIGludCBlbXVsYXRlX3ByaXZpbGVn ZWRfb3Aoc3RydWN0CiAgICAgICAgIHN3aXRjaCAoICh1MzIpcmVncy0+ZWN4 ICkKICAgICAgICAgewogICAgICAgICBjYXNlIE1TUl9GU19CQVNFOgotICAg ICAgICAgICAgaWYgKCBpc19wdl8zMm9uNjRfdmNwdSh2KSApCisgICAgICAg ICAgICBpZiAoIGlzX3B2XzMyb242NF92Y3B1KHYpIHx8ICFpc19jYW5vbmlj YWxfYWRkcmVzcyhtc3JfY29udGVudCkgKQogICAgICAgICAgICAgICAgIGdv dG8gZmFpbDsKICAgICAgICAgICAgIHdyZnNiYXNlKG1zcl9jb250ZW50KTsK ICAgICAgICAgICAgIHYtPmFyY2gucHZfdmNwdS5mc19iYXNlID0gbXNyX2Nv bnRlbnQ7CiAgICAgICAgICAgICBicmVhazsKICAgICAgICAgY2FzZSBNU1Jf R1NfQkFTRToKLSAgICAgICAgICAgIGlmICggaXNfcHZfMzJvbjY0X3ZjcHUo dikgKQorICAgICAgICAgICAgaWYgKCBpc19wdl8zMm9uNjRfdmNwdSh2KSB8 fCAhaXNfY2Fub25pY2FsX2FkZHJlc3MobXNyX2NvbnRlbnQpICkKICAgICAg ICAgICAgICAgICBnb3RvIGZhaWw7CiAgICAgICAgICAgICB3cmdzYmFzZSht c3JfY29udGVudCk7CiAgICAgICAgICAgICB2LT5hcmNoLnB2X3ZjcHUuZ3Nf YmFzZV9rZXJuZWwgPSBtc3JfY29udGVudDsKICAgICAgICAgICAgIGJyZWFr OwogICAgICAgICBjYXNlIE1TUl9TSEFET1dfR1NfQkFTRToKLSAgICAgICAg ICAgIGlmICggaXNfcHZfMzJvbjY0X3ZjcHUodikgKQorICAgICAgICAgICAg aWYgKCBpc19wdl8zMm9uNjRfdmNwdSh2KSB8fCAhaXNfY2Fub25pY2FsX2Fk ZHJlc3MobXNyX2NvbnRlbnQpICkKICAgICAgICAgICAgICAgICBnb3RvIGZh aWw7CiAgICAgICAgICAgICBpZiAoIHdybXNyX3NhZmUoTVNSX1NIQURPV19H U19CQVNFLCBtc3JfY29udGVudCkgKQogICAgICAgICAgICAgICAgIGdvdG8g ZmFpbDsK --=separator Content-Type: application/octet-stream; name="xsa193-4.7.patch" Content-Disposition: attachment; filename="xsa193-4.7.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvUFY6IHdyaXRlcyBvZiAlZnMgYW5kICVncyBiYXNlIE1TUnMgcmVx dWlyZSBjYW5vbmljYWwgYWRkcmVzc2VzCgpDb21taXQgYzQyNDk0YWNiMiAo Ing4NjogZml4IEZTL0dTIGJhc2UgaGFuZGxpbmcgd2hlbiB1c2luZyB0aGUK ZnNnc2Jhc2UgZmVhdHVyZSIpIHJlcGxhY2VkIHRoZSB1c2Ugb2Ygd3Jtc3Jf c2FmZSgpIG9uIHRoZXNlIHBhdGhzCndpdGhvdXQgcmVjb2duaXppbmcgdGhh dCB3cntmLGd9c2Jhc2UoKSB1c2UganVzdCB3cm1zcmwoKSBhbmQgdGhhdCB0 aGUKV1J7RixHfVNCQVNFIGluc3RydWN0aW9ucyBhbHNvIHJhaXNlICNHUCBm b3Igbm9uLWNhbm9uaWNhbCBpbnB1dC4KClNpbWlsYXJseSBhcmNoX3NldF9p bmZvX2d1ZXN0KCkgbmVlZHMgdG8gcHJldmVudCBub24tY2Fub25pY2FsCmFk ZHJlc3NlcyBmcm9tIGdldHRpbmcgc3RvcmVkIGludG8gc3RhdGUgbGF0ZXIg dG8gYmUgbG9hZGVkIGJ5IGNvbnRleHQKc3dpdGNoIGNvZGUuIEZvciBjb25z aXN0ZW5jeSBhbHNvIGNoZWNrIHN0YWNrIHBvaW50ZXJzIGFuZCBMRFQgYmFz ZS4KRFIwLi4zLCBvdG9oLCBhbHJlYWR5IGdldCBwcm9wZXJseSBjaGVja2Vk IGluIHNldF9kZWJ1Z3JlZygpIChhbGJlaXQKd2UgZGlzY2FyZCB0aGUgZXJy b3IgdGhlcmUpLgoKVGhlIFNIQURPV19HU19CQVNFIGNoZWNrIGlzbid0IHN0 cmljdGx5IG5lY2Vzc2FyeSwgYnV0IEkgdGhpbmsgd2UKYmV0dGVyIGF2b2lk IHRyeWluZyB0aGUgV1JNU1IgaWYgd2Uga25vdyBpdCdzIGdvaW5nIHRvIGZh aWwuCgpUaGlzIGlzIFhTQS0xOTMuCgpSZXBvcnRlZC1ieTogQW5kcmV3IENv b3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpSZXZpZXdlZC1i eTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4K Ci0tLSBhL3hlbi9hcmNoL3g4Ni9kb21haW4uYworKysgYi94ZW4vYXJjaC94 ODYvZG9tYWluLmMKQEAgLTg5MCw3ICs4OTAsMTMgQEAgaW50IGFyY2hfc2V0 X2luZm9fZ3Vlc3QoCiAgICAgewogICAgICAgICBpZiAoICFjb21wYXQgKQog ICAgICAgICB7Ci0gICAgICAgICAgICBpZiAoICFpc19jYW5vbmljYWxfYWRk cmVzcyhjLm5hdC0+dXNlcl9yZWdzLmVpcCkgfHwKKyAgICAgICAgICAgIGlm ICggIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMubmF0LT51c2VyX3JlZ3Mucmlw KSB8fAorICAgICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3Mo Yy5uYXQtPnVzZXJfcmVncy5yc3ApIHx8CisgICAgICAgICAgICAgICAgICFp c19jYW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+a2VybmVsX3NwKSB8fAorICAg ICAgICAgICAgICAgICAoYy5uYXQtPmxkdF9lbnRzICYmICFpc19jYW5vbmlj YWxfYWRkcmVzcyhjLm5hdC0+bGR0X2Jhc2UpKSB8fAorICAgICAgICAgICAg ICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmZzX2Jhc2UpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhjLm5h dC0+Z3NfYmFzZV9rZXJuZWwpIHx8CisgICAgICAgICAgICAgICAgICFpc19j YW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+Z3NfYmFzZV91c2VyKSB8fAogICAg ICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmV2 ZW50X2NhbGxiYWNrX2VpcCkgfHwKICAgICAgICAgICAgICAgICAgIWlzX2Nh bm9uaWNhbF9hZGRyZXNzKGMubmF0LT5zeXNjYWxsX2NhbGxiYWNrX2VpcCkg fHwKICAgICAgICAgICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMu bmF0LT5mYWlsc2FmZV9jYWxsYmFja19laXApICkKLS0tIGEveGVuL2FyY2gv eDg2L3RyYXBzLmMKKysrIGIveGVuL2FyY2gveDg2L3RyYXBzLmMKQEAgLTI3 MjMsMTkgKzI3MjMsMjIgQEAgc3RhdGljIGludCBlbXVsYXRlX3ByaXZpbGVn ZWRfb3Aoc3RydWN0CiAgICAgICAgIHN3aXRjaCAoIHJlZ3MtPl9lY3ggKQog ICAgICAgICB7CiAgICAgICAgIGNhc2UgTVNSX0ZTX0JBU0U6Ci0gICAgICAg ICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJyZCkgKQorICAgICAg ICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8CisgICAg ICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhtc3JfY29udGVu dCkgKQogICAgICAgICAgICAgICAgIGdvdG8gZmFpbDsKICAgICAgICAgICAg IHdyZnNiYXNlKG1zcl9jb250ZW50KTsKICAgICAgICAgICAgIHYtPmFyY2gu cHZfdmNwdS5mc19iYXNlID0gbXNyX2NvbnRlbnQ7CiAgICAgICAgICAgICBi cmVhazsKICAgICAgICAgY2FzZSBNU1JfR1NfQkFTRToKLSAgICAgICAgICAg IGlmICggaXNfcHZfMzJiaXRfZG9tYWluKGN1cnJkKSApCisgICAgICAgICAg ICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJyZCkgfHwKKyAgICAgICAg ICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKG1zcl9jb250ZW50KSAp CiAgICAgICAgICAgICAgICAgZ290byBmYWlsOwogICAgICAgICAgICAgd3Jn c2Jhc2UobXNyX2NvbnRlbnQpOwogICAgICAgICAgICAgdi0+YXJjaC5wdl92 Y3B1LmdzX2Jhc2Vfa2VybmVsID0gbXNyX2NvbnRlbnQ7CiAgICAgICAgICAg ICBicmVhazsKICAgICAgICAgY2FzZSBNU1JfU0hBRE9XX0dTX0JBU0U6Ci0g ICAgICAgICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJyZCkgKQor ICAgICAgICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhtc3Jf Y29udGVudCkgKQogICAgICAgICAgICAgICAgIGdvdG8gZmFpbDsKICAgICAg ICAgICAgIGlmICggd3Jtc3Jfc2FmZShNU1JfU0hBRE9XX0dTX0JBU0UsIG1z cl9jb250ZW50KSApCiAgICAgICAgICAgICAgICAgZ290byBmYWlsOwo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mM-0007va-B6; Tue, 22 Nov 2016 12:02:26 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mK-0007vG-KH; Tue, 22 Nov 2016 12:02:24 +0000 Received: from [193.109.254.147] by server-7.bemta-6.messagelabs.com id 97/FD-29519-FC334385; Tue, 22 Nov 2016 12:02:23 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuphleJIrShJLcpLzFFi42LJaLquqnve2CT C4HaFxa2brcwWSz4uZrFYdfUAqwOzx9Hdv5kCGKNYM/OS8isSWDOe3rzBXrDYv+LH1beMDYxz vLoYuTiEBM4xSry5+ZwdwtnAKLFix3+2LkZODmYBV4kb+zZD2YoSF+41sIDYvAKCEidnPgGzJ QQ0Je68WcUOYosIFEnsPPcSzGYT0JOYe3YSE0SvjsTL/avBbGGBOImTrbuYIOaYSax9tQCsnk VAVWLGnQssExh5ZiFZPQvJ6llIVs9i5ACKa0qs36UPYUpLLP/HAVEtL7H97RxmCNta4mP/bxY I20Li1KPJTDATp3Q/ZIew7SWWPHkNVW8jcf/mX3ZkNQsYeVYxahSnFpWlFukaGeklFWWmZ5Tk Jmbm6BoamOnlphYXJ6an5iQmFesl5+duYgTGCQMQ7GBcMz/wEKMkB5OSKO/hpUYRQnxJ+SmVG YnFGfFFpTmpxYcYZTg4lCR4lxuZRAgJFqWmp1akZeYAIxYmLcHBoyQCkeYtLkjMLc5Mh0idYj TmuHXi+QMmjke/3z5gEmLJy89LlRLnTQYpFQApzSjNgxsESySXGGWlhHkZgU4T4ilILcrNLEG Vf8UozsGoJMxbCDKFJzOvBG7fK6BTmIBOkfxmDHJKSSJCSqqBUb9Wo9GqXWgW04R8u+09YT7f znCyXWxVDHixpKfov5Pbkj/7hSS3hzPyffro1Hd/0ZXM3TuqfOI1MmJUHnRcNWZ9se+Rd6jSi X/3HYvikxLUFjQaicqXrH74KOdEZvRl4QsB52/vTQu21thq3rv+oI/z8WerfEI9P86uXuel28 Bjap9jEByixFKckWioxVxUnAgAuLoICR8DAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-3.tower-27.messagelabs.com!1479816141!73004021!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 65175 invoked from network); 22 Nov 2016 12:02:22 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-3.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:22 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99m9-0004oG-1Z; Tue, 22 Nov 2016 12:02:13 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99m8-00085A-U9; Tue, 22 Nov 2016 12:02:12 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:12 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 192 (CVE-2016-9382) - x86 task switch to VM86 mode mis-handled X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9382 / XSA-192 version 3 x86 task switch to VM86 mode mis-handled UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code. IMPACT ====== On SVM (AMD hardware): a malicious unprivileged guest process can escalate its privilege to that of the guest operating system. On both SVM and VMX (Intel hardware): a malicious unprivileged guest process can crash the guest. VULNERABLE SYSTEMS ================== Only 32-bit x86 HVM guests are vulnerable. Furthermore, only guest operating systems which actually make use of hardware task switching, and allow a new task to start in VM86 mode, are vulnerable. We are not aware of any such operating systems. The vulnerability is NOT exposed on any PV guests. The vulnerability is NOT exposed on any 64-bit guests, ARM systems are NOT vulnerable. Xen versions from 4.0 onwards are affected. Xen versions 3.4 and earlier are not affected. MITIGATION ========== For guests which are affected, the vulnerability could possibly be mitigated by disabling access to VM86 mode by unprivileged guest programs. Details would depend on the (so far hypothetical) vulnerable guest kernel. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa192.patch xen-unstable, Xen 4.7.x, Xen 4.6.x xsa192-4.5.patch Xen 4.5.x, Xen 4.4.x $ sha256sum xsa192* 687b0216eefd5ecef8a3135cc6f542cb3d9ff35e8e9696a157703e84656c35e8 xsa192.patch bb0c6622c6f5c5eb9a680020d865802069446830b4a170bcb82336f6c3b77f55 xsa192-4.5.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDJ9AAoJEIP+FMlX6CvZy5gIALU7weBZNJeQzBUMoQn6fAG/ KNP3Br3BDYHC/MMbyIAkkEyHTfsR1xFNAHHb2Tb/Wl7v081owV7JwO3bkf0FJ88w K8RXFeUbt1z5rAdt1B088CbZA4/KkGRBd32vicUIE7+9EnkgSOlLc8abjind+yQ9 2CtOHwDL0LVbjjGF6VdME9pooDZf2ZT1fHfClUbwPFsfTMKjUeJcfoVFqenifmYR wTYPtw6z+cCrjBlPyleglh/2uAc6ncTIQAC8Ee2dJyKv4wMqP60u97ANylnN3DpZ DTl+VUYdNsy78R9/xbqF7dT5gCeDV9y1rDoqHQwwtSGL/lvjU0ujbEtG7XS2/7M= =chON -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa192.patch" Content-Disposition: attachment; filename="xsa192.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvSFZNOiBkb24ndCBsb2FkIExEVFIgd2l0aCBWTTg2IG1vZGUgYXR0 cnMgZHVyaW5nIHRhc2sgc3dpdGNoCgpKdXN0IGxpa2UgVFIsIExEVFIgaXMg cHVyZWx5IGEgcHJvdGVjdGVkIG1vZGUgZmFjaWxpdHkgYW5kIGhlbmNlIG5l ZWRzCnRvIGJlIGxvYWRlZCBhY2NvcmRpbmdseS4gQWxzbyBtb3ZlIGl0cyBs b2FkaW5nIHRvIHdoZXJlIGl0CmFyY2hpdGVjdXJhbGx5IGJlbG9uZ3MuCgpU aGlzIGlzIFhTQS0xOTIuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpUZXN0ZWQtYnk6IEFuZHJl dyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+CgotLS0gYS94 ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0v aHZtLmMKQEAgLTI3MjgsMTcgKzI3MjgsMTYgQEAgc3RhdGljIHZvaWQgaHZt X3VubWFwX2VudHJ5KHZvaWQgKnApCiB9CiAKIHN0YXRpYyBpbnQgaHZtX2xv YWRfc2VnbWVudF9zZWxlY3RvcigKLSAgICBlbnVtIHg4Nl9zZWdtZW50IHNl ZywgdWludDE2X3Qgc2VsKQorICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLCB1 aW50MTZfdCBzZWwsIHVuc2lnbmVkIGludCBlZmxhZ3MpCiB7CiAgICAgc3Ry dWN0IHNlZ21lbnRfcmVnaXN0ZXIgZGVzY3RhYiwgY3MsIHNlZ3I7CiAgICAg c3RydWN0IGRlc2Nfc3RydWN0ICpwZGVzYywgZGVzYzsKICAgICB1OCBkcGws IHJwbCwgY3BsOwogICAgIGJvb2xfdCB3cml0YWJsZTsKICAgICBpbnQgZmF1 bHRfdHlwZSA9IFRSQVBfaW52YWxpZF90c3M7Ci0gICAgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MgPSBndWVzdF9jcHVfdXNlcl9yZWdzKCk7CiAgICAg c3RydWN0IHZjcHUgKnYgPSBjdXJyZW50OwogCi0gICAgaWYgKCByZWdzLT5l ZmxhZ3MgJiBYODZfRUZMQUdTX1ZNICkKKyAgICBpZiAoIGVmbGFncyAmIFg4 Nl9FRkxBR1NfVk0gKQogICAgIHsKICAgICAgICAgc2Vnci5zZWwgPSBzZWw7 CiAgICAgICAgIHNlZ3IuYmFzZSA9ICh1aW50MzJfdClzZWwgPDwgNDsKQEAg LTI5ODYsNiArMjk4NSw4IEBAIHZvaWQgaHZtX3Rhc2tfc3dpdGNoKAogICAg IGlmICggcmMgIT0gSFZNQ09QWV9va2F5ICkKICAgICAgICAgZ290byBvdXQ7 CiAKKyAgICBpZiAoIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3Nl Z19sZHRyLCB0c3MubGR0LCAwKSApCisgICAgICAgIGdvdG8gb3V0OwogCiAg ICAgaWYgKCBodm1fc2V0X2NyMyh0c3MuY3IzLCAxKSApCiAgICAgICAgIGdv dG8gb3V0OwpAQCAtMzAwOCwxMyArMzAwOSwxMiBAQCB2b2lkIGh2bV90YXNr X3N3aXRjaCgKICAgICB9CiAKICAgICBleG5fcmFpc2VkID0gMDsKLSAgICBp ZiAoIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19sZHRyLCB0 c3MubGR0KSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rv cih4ODZfc2VnX2VzLCB0c3MuZXMpIHx8Ci0gICAgICAgICBodm1fbG9hZF9z ZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfY3MsIHRzcy5jcykgfHwKLSAgICAg ICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19zcywgdHNz LnNzKSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4 ODZfc2VnX2RzLCB0c3MuZHMpIHx8Ci0gICAgICAgICBodm1fbG9hZF9zZWdt ZW50X3NlbGVjdG9yKHg4Nl9zZWdfZnMsIHRzcy5mcykgfHwKLSAgICAgICAg IGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19ncywgdHNzLmdz KSApCisgICAgaWYgKCBodm1fbG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9z ZWdfZXMsIHRzcy5lcywgdHNzLmVmbGFncykgfHwKKyAgICAgICAgIGh2bV9s b2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19jcywgdHNzLmNzLCB0c3Mu ZWZsYWdzKSB8fAorICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rv cih4ODZfc2VnX3NzLCB0c3Muc3MsIHRzcy5lZmxhZ3MpIHx8CisgICAgICAg ICBodm1fbG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfZHMsIHRzcy5k cywgdHNzLmVmbGFncykgfHwKKyAgICAgICAgIGh2bV9sb2FkX3NlZ21lbnRf c2VsZWN0b3IoeDg2X3NlZ19mcywgdHNzLmZzLCB0c3MuZWZsYWdzKSB8fAor ICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4ODZfc2VnX2dz LCB0c3MuZ3MsIHRzcy5lZmxhZ3MpICkKICAgICAgICAgZXhuX3JhaXNlZCA9 IDE7CiAKICAgICByYyA9IGh2bV9jb3B5X3RvX2d1ZXN0X3ZpcnQoCg== --=separator Content-Type: application/octet-stream; name="xsa192-4.5.patch" Content-Disposition: attachment; filename="xsa192-4.5.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvSFZNOiBkb24ndCBsb2FkIExEVFIgd2l0aCBWTTg2IG1vZGUgYXR0 cnMgZHVyaW5nIHRhc2sgc3dpdGNoCgpKdXN0IGxpa2UgVFIsIExEVFIgaXMg cHVyZWx5IGEgcHJvdGVjdGVkIG1vZGUgZmFjaWxpdHkgYW5kIGhlbmNlIG5l ZWRzCnRvIGJlIGxvYWRlZCBhY2NvcmRpbmdseS4gQWxzbyBtb3ZlIGl0cyBs b2FkaW5nIHRvIHdoZXJlIGl0CmFyY2hpdGVjdXJhbGx5IGJlbG9uZ3MuCgpU aGlzIGlzIFhTQS0xOTIuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpUZXN0ZWQtYnk6IEFuZHJl dyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+CgotLS0gYS94 ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0v aHZtLmMKQEAgLTM1NzcsMTYgKzM1NzcsMTUgQEAgc3RhdGljIHZvaWQgaHZt X3VubWFwX2VudHJ5KHZvaWQgKnApCiB9CiAKIHN0YXRpYyBpbnQgaHZtX2xv YWRfc2VnbWVudF9zZWxlY3RvcigKLSAgICBlbnVtIHg4Nl9zZWdtZW50IHNl ZywgdWludDE2X3Qgc2VsKQorICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLCB1 aW50MTZfdCBzZWwsIHVuc2lnbmVkIGludCBlZmxhZ3MpCiB7CiAgICAgc3Ry dWN0IHNlZ21lbnRfcmVnaXN0ZXIgZGVzY3RhYiwgY3MsIHNlZ3I7CiAgICAg c3RydWN0IGRlc2Nfc3RydWN0ICpwZGVzYywgZGVzYzsKICAgICB1OCBkcGws IHJwbCwgY3BsOwogICAgIGludCBmYXVsdF90eXBlID0gVFJBUF9pbnZhbGlk X3RzczsKLSAgICBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncyA9IGd1ZXN0 X2NwdV91c2VyX3JlZ3MoKTsKICAgICBzdHJ1Y3QgdmNwdSAqdiA9IGN1cnJl bnQ7CiAKLSAgICBpZiAoIHJlZ3MtPmVmbGFncyAmIFg4Nl9FRkxBR1NfVk0g KQorICAgIGlmICggZWZsYWdzICYgWDg2X0VGTEFHU19WTSApCiAgICAgewog ICAgICAgICBzZWdyLnNlbCA9IHNlbDsKICAgICAgICAgc2Vnci5iYXNlID0g KHVpbnQzMl90KXNlbCA8PCA0OwpAQCAtMzgyOSw2ICszODI4LDggQEAgdm9p ZCBodm1fdGFza19zd2l0Y2goCiAgICAgaWYgKCByYyAhPSBIVk1DT1BZX29r YXkgKQogICAgICAgICBnb3RvIG91dDsKIAorICAgIGlmICggaHZtX2xvYWRf c2VnbWVudF9zZWxlY3Rvcih4ODZfc2VnX2xkdHIsIHRzcy5sZHQsIDApICkK KyAgICAgICAgZ290byBvdXQ7CiAKICAgICBpZiAoIGh2bV9zZXRfY3IzKHRz cy5jcjMpICkKICAgICAgICAgZ290byBvdXQ7CkBAIC0zODUxLDEzICszODUy LDEyIEBAIHZvaWQgaHZtX3Rhc2tfc3dpdGNoKAogICAgIH0KIAogICAgIGV4 bl9yYWlzZWQgPSAwOwotICAgIGlmICggaHZtX2xvYWRfc2VnbWVudF9zZWxl Y3Rvcih4ODZfc2VnX2xkdHIsIHRzcy5sZHQpIHx8Ci0gICAgICAgICBodm1f bG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfZXMsIHRzcy5lcykgfHwK LSAgICAgICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19j cywgdHNzLmNzKSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxl Y3Rvcih4ODZfc2VnX3NzLCB0c3Muc3MpIHx8Ci0gICAgICAgICBodm1fbG9h ZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfZHMsIHRzcy5kcykgfHwKLSAg ICAgICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19mcywg dHNzLmZzKSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rv cih4ODZfc2VnX2dzLCB0c3MuZ3MpICkKKyAgICBpZiAoIGh2bV9sb2FkX3Nl Z21lbnRfc2VsZWN0b3IoeDg2X3NlZ19lcywgdHNzLmVzLCB0c3MuZWZsYWdz KSB8fAorICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4ODZf c2VnX2NzLCB0c3MuY3MsIHRzcy5lZmxhZ3MpIHx8CisgICAgICAgICBodm1f bG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfc3MsIHRzcy5zcywgdHNz LmVmbGFncykgfHwKKyAgICAgICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0 b3IoeDg2X3NlZ19kcywgdHNzLmRzLCB0c3MuZWZsYWdzKSB8fAorICAgICAg ICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4ODZfc2VnX2ZzLCB0c3Mu ZnMsIHRzcy5lZmxhZ3MpIHx8CisgICAgICAgICBodm1fbG9hZF9zZWdtZW50 X3NlbGVjdG9yKHg4Nl9zZWdfZ3MsIHRzcy5ncywgdHNzLmVmbGFncykgKQog ICAgICAgICBleG5fcmFpc2VkID0gMTsKIAogICAgIHJjID0gaHZtX2NvcHlf dG9fZ3Vlc3RfdmlydCgK --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ml-0008E1-Bz; Tue, 22 Nov 2016 12:02:51 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mj-0008C4-J9; Tue, 22 Nov 2016 12:02:49 +0000 Received: from [85.158.139.211] by server-15.bemta-5.messagelabs.com id 0A/19-13537-8E334385; Tue, 22 Nov 2016 12:02:48 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrKIsWRWlGSWpSXmKPExsWS0XRdVfe5sUm EwcyfBha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNOHYzraDVpOLtVPcGxmd6 XYxcHEIC5xglLh/4zgLhbGCU+H9yLlsXIycHs4CrxI19m6FsRYkL9xpYQGxeAUGJkzOfgNkSA poSd96sYgexRQSKJHaeewlmswnoScw9O4kJoldH4uX+1WC2sECaxJdVC5kh5phJrD++Dmw+i4 CqxJodl5kmMPLMQrJ6FpLVs5CsnsXIARTXlFi/Sx/ClJZY/o8DolpeYvvbOcwQtrXE+qfr2SB KLCQWzmaCGTil+yH7AkbOVYzqxalFZalFukZ6SUWZ6RkluYmZObqGBqZ6uanFxYnpqTmJScV6 yfm5mxiBgc0ABDsYv/9xOsQoycGkJMp7eKlRhBBfUn5KZUZicUZ8UWlOavEhRhkODiUJ3uVGJ hFCgkWp6akVaZk5wBiDSUtw8CiJ8D4GSfMWFyTmFmemQ6ROMRpz3Drx/AETx6Pfbx8wCbHk5e elSonzXgQpFQApzSjNgxsEi/1LjLJSwryMQKcJ8RSkFuVmlqDKv2IU52BUEuZ9ATKFJzOvBG7 fK6BTmIBOkfxmDHJKSSJCSqqB0XvNLffYrO77Ncu2FJSKd2qmHHmqcUjo6TejkkPVAYaumYrb blwMf91yxGI6Rz/jnKq3cXveXlDmZ6xP/f19c97fXXrWm2oVSh1l2n6bCq7edOGJtVHSv0JmG 0PpzPzFlTytzqGnZ70X+1BsuHyuwevduf43TgXutQhOe5t0f1re1e/e53pLlFiKMxINtZiLih MBji+MzvgCAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-6.tower-206.messagelabs.com!1479816166!71371063!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 39394 invoked from network); 22 Nov 2016 12:02:47 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-6.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:47 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mW-0004pc-11; Tue, 22 Nov 2016 12:02:36 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mV-00089H-W1; Tue, 22 Nov 2016 12:02:35 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:35 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 195 (CVE-2016-9383) - x86 64-bit bit test instruction emulation broken X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9383 / XSA-195 version 3 x86 64-bit bit test instruction emulation broken UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source. When Xen needs to emulate such an instruction, to efficiently handle the emulation, the memory address and register operand are recalculated internally to Xen. In this process, the high bits of an intermediate expression were discarded, leading to both the memory location and the register operand being wrong. The wrong memory location would have only a guest local effect (either access to an unintended location, or a fault delivered to the guest), whereas the wrong register value could lead to either a host crash or an unintended host memory access. IMPACT ====== A malicious guest can modify arbitrary memory, allowing for arbitrary code execution (and therefore privilege escalation affecting the whole host), a crash of the host (leading to a DoS), or information leaks. The vulnerability is sometimes exploitable by unprivileged guest user processes. VULNERABLE SYSTEMS ================== All Xen versions are affected. The vulnerability is only exposed to x86 guests running in 64-bit mode. On Xen 4.6 and earlier the vulnerability is exposed to all guest user processes, including unprivileged processes, in such guests. On Xen 4.7 and later, the vulnerability is exposed only to guest user processes granted a degree of privilege (such as direct hardware access) by the guest administrator; or, to all user processes when the when the VM has been explicitly configured with a non-default cpu vendor string (in xm/xl, this would be done with a `cpuid=' domain config option). The vulnerability is not exposed to 32-bit PV guests. ARM systems are not vulnerable. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by George Dunlap of Citrix, using American Fuzzy Lop v2.35b. RESOLUTION ========== Applying the attached patch resolves this issue. xsa195.patch xen-unstable, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x $ sha256sum xsa195* 6ab5f13b81e3bbf6096020f4c3beeffaff67a075cab67e033ba27d199b41cec1 xsa195.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDL4AAoJEIP+FMlX6CvZnzYH/RtmqS8kpqLKShvrQx5Ueh+M LaHBWJiU0z1m9FaF9RvEgfvWpUCcD/qyC4rLHmkwhkyS6aIToh2XVXzQyebIqw/7 CCDXaY8TkYlLPYRdNseX5X5blpu1EnqW5yQMJz6QkgDK+Qu4F1jDimSd5JffrFkJ WkpWwsoppNHwYyaENq59lg7R1WxNq0uSLxMPTnk/RpMmizKyU8gK7RrQWHJNoy6n l3vSTKx9sCDo+AgMQgbDMdpvv1l1It+QcRXXBrBp7qAdz+0H7VRkUFOnBUFMQQo3 OjmjStKxnE9E7Uh6+373xj2Z6Nts+wkD72vRHHg/1KTZ5FN5XnS2CvPDNuGZD50= =AtOu -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa195.patch" Content-Disposition: attachment; filename="xsa195.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODZlbXVsOiBmaXggaHVnZSBiaXQgb2Zmc2V0IGhhbmRsaW5nCgpXZSBt dXN0IG5ldmVyIGNob3Agb2ZmIHRoZSBoaWdoIDMyIGJpdHMuCgpUaGlzIGlz IFhTQS0xOTUuCgpSZXBvcnRlZC1ieTogR2VvcmdlIER1bmxhcCA8Z2Vvcmdl LmR1bmxhcEBjaXRyaXguY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGlj aCA8amJldWxpY2hAc3VzZS5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgoKLS0tIGEveGVuL2Fy Y2gveDg2L3g4Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMKKysrIGIveGVuL2Fy Y2gveDg2L3g4Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMKQEAgLTI1NDksNiAr MjU0OSwxMiBAQCB4ODZfZW11bGF0ZSgKICAgICAgICAgZWxzZQogICAgICAg ICB7CiAgICAgICAgICAgICAvKgorICAgICAgICAgICAgICogSW5zdHJ1Y3Rp b25zIHN1Y2ggYXMgYnQgY2FuIHJlZmVyZW5jZSBhbiBhcmJpdHJhcnkgb2Zm c2V0IGZyb20KKyAgICAgICAgICAgICAqIHRoZWlyIG1lbW9yeSBvcGVyYW5k LCBidXQgdGhlIGluc3RydWN0aW9uIGRvaW5nIHRoZSBhY3R1YWwKKyAgICAg ICAgICAgICAqIGVtdWxhdGlvbiBuZWVkcyB0aGUgYXBwcm9wcmlhdGUgb3Bf Ynl0ZXMgcmVhZCBmcm9tIG1lbW9yeS4KKyAgICAgICAgICAgICAqIEFkanVz dCBib3RoIHRoZSBzb3VyY2UgcmVnaXN0ZXIgYW5kIG1lbW9yeSBvcGVyYW5k IHRvIG1ha2UgYW4KKyAgICAgICAgICAgICAqIGVxdWl2YWxlbnQgaW5zdHJ1 Y3Rpb24uCisgICAgICAgICAgICAgKgogICAgICAgICAgICAgICogRUEgICAg ICAgKz0gQml0T2Zmc2V0IERJViBvcF9ieXRlcyo4CiAgICAgICAgICAgICAg KiBCaXRPZmZzZXQgPSBCaXRPZmZzZXQgTU9EIG9wX2J5dGVzKjgKICAgICAg ICAgICAgICAqIERJViB0cnVuY2F0ZXMgdG93YXJkcyBuZWdhdGl2ZSBpbmZp bml0eS4KQEAgLTI1NjAsMTQgKzI1NjYsMTUgQEAgeDg2X2VtdWxhdGUoCiAg ICAgICAgICAgICAgICAgc3JjLnZhbCA9IChpbnQzMl90KXNyYy52YWw7CiAg ICAgICAgICAgICBpZiAoIChsb25nKXNyYy52YWwgPCAwICkKICAgICAgICAg ICAgIHsKLSAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGJ5dGVfb2Zm c2V0OwotICAgICAgICAgICAgICAgIGJ5dGVfb2Zmc2V0ID0gb3BfYnl0ZXMg KyAoKCgtc3JjLnZhbC0xKSA+PiAzKSAmIH4ob3BfYnl0ZXMtMSkpOworICAg ICAgICAgICAgICAgIHVuc2lnbmVkIGxvbmcgYnl0ZV9vZmZzZXQgPQorICAg ICAgICAgICAgICAgICAgICBvcF9ieXRlcyArICgoKC1zcmMudmFsIC0gMSkg Pj4gMykgJiB+KG9wX2J5dGVzIC0gMUwpKTsKKwogICAgICAgICAgICAgICAg IGVhLm1lbS5vZmYgLT0gYnl0ZV9vZmZzZXQ7CiAgICAgICAgICAgICAgICAg c3JjLnZhbCA9IChieXRlX29mZnNldCA8PCAzKSArIHNyYy52YWw7CiAgICAg ICAgICAgICB9CiAgICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICB7Ci0g ICAgICAgICAgICAgICAgZWEubWVtLm9mZiArPSAoc3JjLnZhbCA+PiAzKSAm IH4ob3BfYnl0ZXMgLSAxKTsKKyAgICAgICAgICAgICAgICBlYS5tZW0ub2Zm ICs9IChzcmMudmFsID4+IDMpICYgfihvcF9ieXRlcyAtIDFMKTsKICAgICAg ICAgICAgICAgICBzcmMudmFsICY9IChvcF9ieXRlcyA8PCAzKSAtIDE7CiAg ICAgICAgICAgICB9CiAgICAgICAgIH0K --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mM-0007va-B6; Tue, 22 Nov 2016 12:02:26 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mK-0007vG-KH; Tue, 22 Nov 2016 12:02:24 +0000 Received: from [193.109.254.147] by server-7.bemta-6.messagelabs.com id 97/FD-29519-FC334385; Tue, 22 Nov 2016 12:02:23 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuphleJIrShJLcpLzFFi42LJaLquqnve2CT C4HaFxa2brcwWSz4uZrFYdfUAqwOzx9Hdv5kCGKNYM/OS8isSWDOe3rzBXrDYv+LH1beMDYxz vLoYuTiEBM4xSry5+ZwdwtnAKLFix3+2LkZODmYBV4kb+zZD2YoSF+41sIDYvAKCEidnPgGzJ QQ0Je68WcUOYosIFEnsPPcSzGYT0JOYe3YSE0SvjsTL/avBbGGBOImTrbuYIOaYSax9tQCsnk VAVWLGnQssExh5ZiFZPQvJ6llIVs9i5ACKa0qs36UPYUpLLP/HAVEtL7H97RxmCNta4mP/bxY I20Li1KPJTDATp3Q/ZIew7SWWPHkNVW8jcf/mX3ZkNQsYeVYxahSnFpWlFukaGeklFWWmZ5Tk Jmbm6BoamOnlphYXJ6an5iQmFesl5+duYgTGCQMQ7GBcMz/wEKMkB5OSKO/hpUYRQnxJ+SmVG YnFGfFFpTmpxYcYZTg4lCR4lxuZRAgJFqWmp1akZeYAIxYmLcHBoyQCkeYtLkjMLc5Mh0idYj TmuHXi+QMmjke/3z5gEmLJy89LlRLnTQYpFQApzSjNgxsESySXGGWlhHkZgU4T4ilILcrNLEG Vf8UozsGoJMxbCDKFJzOvBG7fK6BTmIBOkfxmDHJKSSJCSqqBUb9Wo9GqXWgW04R8u+09YT7f znCyXWxVDHixpKfov5Pbkj/7hSS3hzPyffro1Hd/0ZXM3TuqfOI1MmJUHnRcNWZ9se+Rd6jSi X/3HYvikxLUFjQaicqXrH74KOdEZvRl4QsB52/vTQu21thq3rv+oI/z8WerfEI9P86uXuel28 Bjap9jEByixFKckWioxVxUnAgAuLoICR8DAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-3.tower-27.messagelabs.com!1479816141!73004021!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 65175 invoked from network); 22 Nov 2016 12:02:22 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-3.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:22 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99m9-0004oG-1Z; Tue, 22 Nov 2016 12:02:13 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99m8-00085A-U9; Tue, 22 Nov 2016 12:02:12 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:12 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 192 (CVE-2016-9382) - x86 task switch to VM86 mode mis-handled X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9382 / XSA-192 version 3 x86 task switch to VM86 mode mis-handled UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code. IMPACT ====== On SVM (AMD hardware): a malicious unprivileged guest process can escalate its privilege to that of the guest operating system. On both SVM and VMX (Intel hardware): a malicious unprivileged guest process can crash the guest. VULNERABLE SYSTEMS ================== Only 32-bit x86 HVM guests are vulnerable. Furthermore, only guest operating systems which actually make use of hardware task switching, and allow a new task to start in VM86 mode, are vulnerable. We are not aware of any such operating systems. The vulnerability is NOT exposed on any PV guests. The vulnerability is NOT exposed on any 64-bit guests, ARM systems are NOT vulnerable. Xen versions from 4.0 onwards are affected. Xen versions 3.4 and earlier are not affected. MITIGATION ========== For guests which are affected, the vulnerability could possibly be mitigated by disabling access to VM86 mode by unprivileged guest programs. Details would depend on the (so far hypothetical) vulnerable guest kernel. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa192.patch xen-unstable, Xen 4.7.x, Xen 4.6.x xsa192-4.5.patch Xen 4.5.x, Xen 4.4.x $ sha256sum xsa192* 687b0216eefd5ecef8a3135cc6f542cb3d9ff35e8e9696a157703e84656c35e8 xsa192.patch bb0c6622c6f5c5eb9a680020d865802069446830b4a170bcb82336f6c3b77f55 xsa192-4.5.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDJ9AAoJEIP+FMlX6CvZy5gIALU7weBZNJeQzBUMoQn6fAG/ KNP3Br3BDYHC/MMbyIAkkEyHTfsR1xFNAHHb2Tb/Wl7v081owV7JwO3bkf0FJ88w K8RXFeUbt1z5rAdt1B088CbZA4/KkGRBd32vicUIE7+9EnkgSOlLc8abjind+yQ9 2CtOHwDL0LVbjjGF6VdME9pooDZf2ZT1fHfClUbwPFsfTMKjUeJcfoVFqenifmYR wTYPtw6z+cCrjBlPyleglh/2uAc6ncTIQAC8Ee2dJyKv4wMqP60u97ANylnN3DpZ DTl+VUYdNsy78R9/xbqF7dT5gCeDV9y1rDoqHQwwtSGL/lvjU0ujbEtG7XS2/7M= =chON -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa192.patch" Content-Disposition: attachment; filename="xsa192.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvSFZNOiBkb24ndCBsb2FkIExEVFIgd2l0aCBWTTg2IG1vZGUgYXR0 cnMgZHVyaW5nIHRhc2sgc3dpdGNoCgpKdXN0IGxpa2UgVFIsIExEVFIgaXMg cHVyZWx5IGEgcHJvdGVjdGVkIG1vZGUgZmFjaWxpdHkgYW5kIGhlbmNlIG5l ZWRzCnRvIGJlIGxvYWRlZCBhY2NvcmRpbmdseS4gQWxzbyBtb3ZlIGl0cyBs b2FkaW5nIHRvIHdoZXJlIGl0CmFyY2hpdGVjdXJhbGx5IGJlbG9uZ3MuCgpU aGlzIGlzIFhTQS0xOTIuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpUZXN0ZWQtYnk6IEFuZHJl dyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+CgotLS0gYS94 ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0v aHZtLmMKQEAgLTI3MjgsMTcgKzI3MjgsMTYgQEAgc3RhdGljIHZvaWQgaHZt X3VubWFwX2VudHJ5KHZvaWQgKnApCiB9CiAKIHN0YXRpYyBpbnQgaHZtX2xv YWRfc2VnbWVudF9zZWxlY3RvcigKLSAgICBlbnVtIHg4Nl9zZWdtZW50IHNl ZywgdWludDE2X3Qgc2VsKQorICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLCB1 aW50MTZfdCBzZWwsIHVuc2lnbmVkIGludCBlZmxhZ3MpCiB7CiAgICAgc3Ry dWN0IHNlZ21lbnRfcmVnaXN0ZXIgZGVzY3RhYiwgY3MsIHNlZ3I7CiAgICAg c3RydWN0IGRlc2Nfc3RydWN0ICpwZGVzYywgZGVzYzsKICAgICB1OCBkcGws IHJwbCwgY3BsOwogICAgIGJvb2xfdCB3cml0YWJsZTsKICAgICBpbnQgZmF1 bHRfdHlwZSA9IFRSQVBfaW52YWxpZF90c3M7Ci0gICAgc3RydWN0IGNwdV91 c2VyX3JlZ3MgKnJlZ3MgPSBndWVzdF9jcHVfdXNlcl9yZWdzKCk7CiAgICAg c3RydWN0IHZjcHUgKnYgPSBjdXJyZW50OwogCi0gICAgaWYgKCByZWdzLT5l ZmxhZ3MgJiBYODZfRUZMQUdTX1ZNICkKKyAgICBpZiAoIGVmbGFncyAmIFg4 Nl9FRkxBR1NfVk0gKQogICAgIHsKICAgICAgICAgc2Vnci5zZWwgPSBzZWw7 CiAgICAgICAgIHNlZ3IuYmFzZSA9ICh1aW50MzJfdClzZWwgPDwgNDsKQEAg LTI5ODYsNiArMjk4NSw4IEBAIHZvaWQgaHZtX3Rhc2tfc3dpdGNoKAogICAg IGlmICggcmMgIT0gSFZNQ09QWV9va2F5ICkKICAgICAgICAgZ290byBvdXQ7 CiAKKyAgICBpZiAoIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3Nl Z19sZHRyLCB0c3MubGR0LCAwKSApCisgICAgICAgIGdvdG8gb3V0OwogCiAg ICAgaWYgKCBodm1fc2V0X2NyMyh0c3MuY3IzLCAxKSApCiAgICAgICAgIGdv dG8gb3V0OwpAQCAtMzAwOCwxMyArMzAwOSwxMiBAQCB2b2lkIGh2bV90YXNr X3N3aXRjaCgKICAgICB9CiAKICAgICBleG5fcmFpc2VkID0gMDsKLSAgICBp ZiAoIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19sZHRyLCB0 c3MubGR0KSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rv cih4ODZfc2VnX2VzLCB0c3MuZXMpIHx8Ci0gICAgICAgICBodm1fbG9hZF9z ZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfY3MsIHRzcy5jcykgfHwKLSAgICAg ICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19zcywgdHNz LnNzKSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4 ODZfc2VnX2RzLCB0c3MuZHMpIHx8Ci0gICAgICAgICBodm1fbG9hZF9zZWdt ZW50X3NlbGVjdG9yKHg4Nl9zZWdfZnMsIHRzcy5mcykgfHwKLSAgICAgICAg IGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19ncywgdHNzLmdz KSApCisgICAgaWYgKCBodm1fbG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9z ZWdfZXMsIHRzcy5lcywgdHNzLmVmbGFncykgfHwKKyAgICAgICAgIGh2bV9s b2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19jcywgdHNzLmNzLCB0c3Mu ZWZsYWdzKSB8fAorICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rv cih4ODZfc2VnX3NzLCB0c3Muc3MsIHRzcy5lZmxhZ3MpIHx8CisgICAgICAg ICBodm1fbG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfZHMsIHRzcy5k cywgdHNzLmVmbGFncykgfHwKKyAgICAgICAgIGh2bV9sb2FkX3NlZ21lbnRf c2VsZWN0b3IoeDg2X3NlZ19mcywgdHNzLmZzLCB0c3MuZWZsYWdzKSB8fAor ICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4ODZfc2VnX2dz LCB0c3MuZ3MsIHRzcy5lZmxhZ3MpICkKICAgICAgICAgZXhuX3JhaXNlZCA9 IDE7CiAKICAgICByYyA9IGh2bV9jb3B5X3RvX2d1ZXN0X3ZpcnQoCg== --=separator Content-Type: application/octet-stream; name="xsa192-4.5.patch" Content-Disposition: attachment; filename="xsa192-4.5.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvSFZNOiBkb24ndCBsb2FkIExEVFIgd2l0aCBWTTg2IG1vZGUgYXR0 cnMgZHVyaW5nIHRhc2sgc3dpdGNoCgpKdXN0IGxpa2UgVFIsIExEVFIgaXMg cHVyZWx5IGEgcHJvdGVjdGVkIG1vZGUgZmFjaWxpdHkgYW5kIGhlbmNlIG5l ZWRzCnRvIGJlIGxvYWRlZCBhY2NvcmRpbmdseS4gQWxzbyBtb3ZlIGl0cyBs b2FkaW5nIHRvIHdoZXJlIGl0CmFyY2hpdGVjdXJhbGx5IGJlbG9uZ3MuCgpU aGlzIGlzIFhTQS0xOTIuCgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8 amJldWxpY2hAc3VzZS5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29vcGVy IDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpUZXN0ZWQtYnk6IEFuZHJl dyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5jb20+CgotLS0gYS94 ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9odm0v aHZtLmMKQEAgLTM1NzcsMTYgKzM1NzcsMTUgQEAgc3RhdGljIHZvaWQgaHZt X3VubWFwX2VudHJ5KHZvaWQgKnApCiB9CiAKIHN0YXRpYyBpbnQgaHZtX2xv YWRfc2VnbWVudF9zZWxlY3RvcigKLSAgICBlbnVtIHg4Nl9zZWdtZW50IHNl ZywgdWludDE2X3Qgc2VsKQorICAgIGVudW0geDg2X3NlZ21lbnQgc2VnLCB1 aW50MTZfdCBzZWwsIHVuc2lnbmVkIGludCBlZmxhZ3MpCiB7CiAgICAgc3Ry dWN0IHNlZ21lbnRfcmVnaXN0ZXIgZGVzY3RhYiwgY3MsIHNlZ3I7CiAgICAg c3RydWN0IGRlc2Nfc3RydWN0ICpwZGVzYywgZGVzYzsKICAgICB1OCBkcGws IHJwbCwgY3BsOwogICAgIGludCBmYXVsdF90eXBlID0gVFJBUF9pbnZhbGlk X3RzczsKLSAgICBzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncyA9IGd1ZXN0 X2NwdV91c2VyX3JlZ3MoKTsKICAgICBzdHJ1Y3QgdmNwdSAqdiA9IGN1cnJl bnQ7CiAKLSAgICBpZiAoIHJlZ3MtPmVmbGFncyAmIFg4Nl9FRkxBR1NfVk0g KQorICAgIGlmICggZWZsYWdzICYgWDg2X0VGTEFHU19WTSApCiAgICAgewog ICAgICAgICBzZWdyLnNlbCA9IHNlbDsKICAgICAgICAgc2Vnci5iYXNlID0g KHVpbnQzMl90KXNlbCA8PCA0OwpAQCAtMzgyOSw2ICszODI4LDggQEAgdm9p ZCBodm1fdGFza19zd2l0Y2goCiAgICAgaWYgKCByYyAhPSBIVk1DT1BZX29r YXkgKQogICAgICAgICBnb3RvIG91dDsKIAorICAgIGlmICggaHZtX2xvYWRf c2VnbWVudF9zZWxlY3Rvcih4ODZfc2VnX2xkdHIsIHRzcy5sZHQsIDApICkK KyAgICAgICAgZ290byBvdXQ7CiAKICAgICBpZiAoIGh2bV9zZXRfY3IzKHRz cy5jcjMpICkKICAgICAgICAgZ290byBvdXQ7CkBAIC0zODUxLDEzICszODUy LDEyIEBAIHZvaWQgaHZtX3Rhc2tfc3dpdGNoKAogICAgIH0KIAogICAgIGV4 bl9yYWlzZWQgPSAwOwotICAgIGlmICggaHZtX2xvYWRfc2VnbWVudF9zZWxl Y3Rvcih4ODZfc2VnX2xkdHIsIHRzcy5sZHQpIHx8Ci0gICAgICAgICBodm1f bG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfZXMsIHRzcy5lcykgfHwK LSAgICAgICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19j cywgdHNzLmNzKSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxl Y3Rvcih4ODZfc2VnX3NzLCB0c3Muc3MpIHx8Ci0gICAgICAgICBodm1fbG9h ZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfZHMsIHRzcy5kcykgfHwKLSAg ICAgICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0b3IoeDg2X3NlZ19mcywg dHNzLmZzKSB8fAotICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rv cih4ODZfc2VnX2dzLCB0c3MuZ3MpICkKKyAgICBpZiAoIGh2bV9sb2FkX3Nl Z21lbnRfc2VsZWN0b3IoeDg2X3NlZ19lcywgdHNzLmVzLCB0c3MuZWZsYWdz KSB8fAorICAgICAgICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4ODZf c2VnX2NzLCB0c3MuY3MsIHRzcy5lZmxhZ3MpIHx8CisgICAgICAgICBodm1f bG9hZF9zZWdtZW50X3NlbGVjdG9yKHg4Nl9zZWdfc3MsIHRzcy5zcywgdHNz LmVmbGFncykgfHwKKyAgICAgICAgIGh2bV9sb2FkX3NlZ21lbnRfc2VsZWN0 b3IoeDg2X3NlZ19kcywgdHNzLmRzLCB0c3MuZWZsYWdzKSB8fAorICAgICAg ICAgaHZtX2xvYWRfc2VnbWVudF9zZWxlY3Rvcih4ODZfc2VnX2ZzLCB0c3Mu ZnMsIHRzcy5lZmxhZ3MpIHx8CisgICAgICAgICBodm1fbG9hZF9zZWdtZW50 X3NlbGVjdG9yKHg4Nl9zZWdfZ3MsIHRzcy5ncywgdHNzLmVmbGFncykgKQog ICAgICAgICBleG5fcmFpc2VkID0gMTsKIAogICAgIHJjID0gaHZtX2NvcHlf dG9fZ3Vlc3RfdmlydCgK --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mu-0008Ta-Ol; Tue, 22 Nov 2016 12:03:00 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ms-0008O6-Tn; Tue, 22 Nov 2016 12:02:59 +0000 Received: from [85.158.139.211] by server-5.bemta-5.messagelabs.com id 40/37-02084-1F334385; Tue, 22 Nov 2016 12:02:57 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrJIsWRWlGSWpSXmKPExsWS0XRdVfeDsUm Ewf8mQ4tbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBmdLxvZCqYbF+xu/cmawPj O4suRi4OIYFzjBLHLu9ngXA2MEq07F3B1MXIycEs4CpxY99mNghbUeLCvQYWEJtXQFDi5MwnY LaEgKbEnTer2EFsEYEiiZ3nXoLZbAJ6EnPPToKaoyPxcv9qMFtYoFDi6olVjBBzzCSaL+0Fm8 MioCqxs7+PdQIjzywkq2chWT0LyepZjBxAcU2J9bv0IUxpieX/OCCq5SW2v53DDGFbS1yY3cs KYVtI3Pr0kBlm4pTuh+wLGDlXMWoUpxaVpRbpGhnpJRVlpmeU5CZm5ugaGpjq5aYWFyemp+Yk JhXrJefnbmIEBng9AwPjDsY97X6HGCU5mJREeQ8vNYoQ4kvKT6nMSCzOiC8qzUktPsQow8GhJ MG73MgkQkiwKDU9tSItMwcYazBpCQ4eJRHexyBp3uKCxNzizHSI1ClGY45bJ54/YOJ49PvtAy Yhlrz8vFQpcd6LIKUCIKUZpXlwg2Ap4BKjrJQwLyMDA4MQT0FqUW5mCar8K0ZxDkYlYd41IFN 4MvNK4Pa9AjqFCegUyW/GIKeUJCKkpBoYm5kUHt41/uCmefBkV8453Tt7GFQ/861obFs3yfC9 /C3X4imdjE+eSVcu0BFn/bvxyqM/Wxf0CodK+3c/UlEyCZ9m+jTey/RBbeUSt8zvmf4/p9QGT ztRtb9mh2jA3B1s1q2Cj+4lC83n2nOIQ33HMR6mtcfuqO/W+33r4BYhHfY5iRfYVI1OKrEUZy QaajEXFScCAF5SESn8AgAA X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-2.tower-206.messagelabs.com!1479816171!53082491!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 25368 invoked from network); 22 Nov 2016 12:02:53 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-2.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:53 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mf-0004re-Ud; Tue, 22 Nov 2016 12:02:45 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mf-0008E2-TQ; Tue, 22 Nov 2016 12:02:45 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:45 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 198 (CVE-2016-9379, CVE-2016-9380) - delimiter injection vulnerabilities in pygrub X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9379,CVE-2016-9380 / XSA-198 version 3 delimiter injection vulnerabilities in pygrub UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller. pygrub supports a number of output formats. When the S-expression output format is requested, putting string quotes and S-expressions in the bootloader configuration file can produce incorrect output. (CVE-2016-9379) When the nul-delimited output format is requested, nul bytes in the bootloader configuration file can produce an ambiguous or confusing output file, which is interpreted by libxl in a vulnerable way. (CVE-2016-9380) The existing bootloader config interpreters all read input in a line-based way from their bootloaders, and none of them support any kind of escaping. So the newline-delimited output format is safe. The attacker can use this to cause the toolstack to treat any file accessible to the toolstack as if it were the guest's initial ramdisk file. The file contents are provided to the guest kernel; also, normally, these files are deleted by the toolstack as the guest starts to boot; alternatively they may be deleted later. IMPACT ====== A malicious guest administrator can obtain the contents of sensitive host files (an information leak). Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, ability to remove certain files may be useable for privilege escalation. VULNERABLE SYSTEMS ================== Xen versions 2.0 and later are vulnerable. The vulnerability is only exposed to guests configured by the host administrator to boot using pygrub. In the xl and xm domain configuration file, this is typically achieved with bootloader="pygrub" On x86 this would typically apply only to PV domains. All systems using xl, libxl, or libvirt are vulnerable to pygrub-using guests. Systems using other (third-party) toolstacks may or may not be vulnerable, depending on whether pygrub is configured, and what pygrub output format they use. Please consult your toolstack provider. MITIGATION ========== Configuring guests not to use pygrub will avoid the vulnerability. For x86 PV guests currently using pygrub, booting the guest as HVM is often a practical option to avoid pygrub. CREDITS ======= This issue was discovered by Daniel Richman and Gábor Szarka of the Cambridge University Student-Run Computing Facility. RESOLUTION ========== Applying the attached patch resolves this issue. xsa198.patch All Xen versions (at least Xen 4.4 and later) $ sha256sum xsa198* 0e4533ad2157c03ab309bd12a54f5ff325f03edbe97f23c60a16a3f378c75eae xsa198.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patch described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. Deployment of the mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because switching away from the use of pygrub would reveal where the vulnerability lies. Deployment of mitigations is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDN4AAoJEIP+FMlX6CvZX8AH/1FL3pw4RbbuFd/b23Qmo25U F7qELx001C4C+uXtlxaIg6MT467pRphihSkLcLQ2vgIp57iVTXhufc4TVqhdADgp bL3h1zd7Ot4f+iA5RYlGIJ4is3I2A6lNvLwydi2PIGgmalSad5B3Ed0vrvRwfLKY qpsVm0LrM24aFX2IaygmmziQIQVeXSYpmKmVebOEAFL0uj9g8D3VhgWIMtZxW+9K A6c2NTrt01ZbsVRx2wTcRdRhEJLeFbBZOPS9RrbjJzbuFcAzsGR8m/pS4hJBhik/ 9MG4b7FBMYZTaBd4wcbbHM81py1KkcoreC2jL1qb1JMG7BQVP1USdz21rJ05DY8= =P2XT -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa198.patch" Content-Disposition: attachment; filename="xsa198.patch" Content-Transfer-Encoding: base64 RnJvbSA3MWEzODlhZTk0MGJjNTJiZjg5N2E2ZTViZWNkNzNmZDhlZGU5NGM1 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBJYW4gSmFja3NvbiA8 aWFuLmphY2tzb25AZXUuY2l0cml4LmNvbT4KRGF0ZTogVGh1LCAzIE5vdiAy MDE2IDE2OjM3OjQwICswMDAwClN1YmplY3Q6IFtQQVRDSF0gcHlncnViOiBQ cm9wZXJseSBxdW90ZSByZXN1bHRzLCB3aGVuIHJldHVybmluZyB0aGVtIHRv IHRoZQogY2FsbGVyOgoKKiBXaGVuIHRoZSBjYWxsZXIgd2FudHMgc2V4cHIg b3V0cHV0LCB1c2UgYHJlcHIoKScKICBUaGlzIGlzIHdoYXQgWGVuZCBleHBl Y3RzLgoKICBUaGUgcmV0dXJuZWQgUy1leHByZXNzaW9ucyBhcmUgbm93IGVz Y2FwZWQgYW5kIHF1b3RlZCBieSBQeXRob24sCiAgZ2VuZXJhbGx5IHVzaW5n ICcuLi4nLiAgUHJldmlvdXNseSBrZXJuZWwgYW5kIHJhbWRpc2sgd2VyZSB1 bnF1b3RlZAogIGFuZCBhcmdzIHdhcyBxdW90ZWQgd2l0aCAiLi4uIiBidXQg d2l0aG91dCBwcm9wZXIgZXNjYXBpbmcuICBUaGlzCiAgY2hhbmdlIG1heSBi cmVhayB0b29sc3RhY2tzIHdoaWNoIGRvIG5vdCBwcm9wZXJseSBkZXF1b3Rl IHRoZQogIHJldHVybmVkIFMtZXhwcmVzc2lvbnMuCgoqIFdoZW4gdGhlIGNh bGxlciB3YW50cyAic2ltcGxlIiBvdXRwdXQsIGNyYXNoIGlmIHRoZSBkZWxp bWl0ZXIgaXMKICBjb250YWluZWQgaW4gdGhlIHJldHVybmVkIHZhbHVlLgoK ICBXaXRoIC0tb3V0cHV0LWZvcm1hdD1zaW1wbGUgaXQgZG9lcyBub3Qgc2Vl bSBsaWtlIHRoaXMgY291bGQgZXZlcgogIGhhcHBlbiwgYmVjYXVzZSB0aGUg Ym9vdGxvYWRlciBjb25maWcgcGFyc2VycyBhbGwgdGFrZSBsaW5lLWJhc2Vk CiAgaW5wdXQgZnJvbSB0aGUgdmFyaW91cyBib290bG9hZGVyIGNvbmZpZyBm aWxlcy4KCiAgV2l0aCAtLW91dHB1dC1mb3JtYXQ9c2ltcGxlMCwgdGhpcyBj YW4gaGFwcGVuIGlmIHRoZSBib290bG9hZGVyCiAgY29uZmlnIGZpbGUgY29u dGFpbnMgbnVsIGJ5dGVzLgoKVGhpcyBpcyBYU0EtMTk4LgoKU2lnbmVkLW9m Zi1ieTogSWFuIEphY2tzb24gPElhbi5KYWNrc29uQGV1LmNpdHJpeC5jb20+ ClRlc3RlZC1ieTogSWFuIEphY2tzb24gPElhbi5KYWNrc29uQGV1LmNpdHJp eC5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29v cGVyM0BjaXRyaXguY29tPgotLS0KIHRvb2xzL3B5Z3J1Yi9zcmMvcHlncnVi IHwgOSArKysrKystLS0KIDEgZmlsZSBjaGFuZ2VkLCA2IGluc2VydGlvbnMo KyksIDMgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvcHlncnVi L3NyYy9weWdydWIgYi90b29scy9weWdydWIvc3JjL3B5Z3J1YgppbmRleCA0 MGY5NTg0Li5kZDBjOGY3IDEwMDc1NQotLS0gYS90b29scy9weWdydWIvc3Jj L3B5Z3J1YgorKysgYi90b29scy9weWdydWIvc3JjL3B5Z3J1YgpAQCAtNzIx LDE0ICs3MjEsMTcgQEAgZGVmIHNuaWZmX25ldHdhcmUoZnMsIGNmZyk6CiAg ICAgcmV0dXJuIGNmZwogCiBkZWYgZm9ybWF0X3N4cChrZXJuZWwsIHJhbWRp c2ssIGFyZ3MpOgotICAgIHMgPSAibGludXggKGtlcm5lbCAlcykiICUga2Vy bmVsCisgICAgcyA9ICJsaW51eCAoa2VybmVsICVzKSIgJSByZXByKGtlcm5l bCkKICAgICBpZiByYW1kaXNrOgotICAgICAgICBzICs9ICIocmFtZGlzayAl cykiICUgcmFtZGlzaworICAgICAgICBzICs9ICIocmFtZGlzayAlcykiICUg cmVwcihyYW1kaXNrKQogICAgIGlmIGFyZ3M6Ci0gICAgICAgIHMgKz0gIihh cmdzIFwiJXNcIikiICUgYXJncworICAgICAgICBzICs9ICIoYXJncyAlcyki ICUgcmVwcihhcmdzKQogICAgIHJldHVybiBzCiAgICAgICAgICAgICAgICAg CiBkZWYgZm9ybWF0X3NpbXBsZShrZXJuZWwsIHJhbWRpc2ssIGFyZ3MsIHNl cCk6CisgICAgZm9yIGNoZWNrIGluIChrZXJuZWwsIHJhbWRpc2ssIGFyZ3Mp OgorICAgICAgICBpZiBjaGVjayBpcyBub3QgTm9uZSBhbmQgc2VwIGluIGNo ZWNrOgorICAgICAgICAgICAgcmFpc2UgUnVudGltZUVycm9yLCAic2ltcGxl IGZvcm1hdCBjYW5ub3QgcmVwcmVzZW50IGRlbGltaXRlci1jb250YWluaW5n IHZhbHVlIgogICAgIHMgPSAoImtlcm5lbCAlcyIgJSBrZXJuZWwpICsgc2Vw CiAgICAgaWYgcmFtZGlzazoKICAgICAgICAgcyArPSAoInJhbWRpc2sgJXMi ICUgcmFtZGlzaykgKyBzZXAKLS0gCjIuMS40Cgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mm-0008Fq-AD; Tue, 22 Nov 2016 12:02:52 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ml-0008DB-5H; Tue, 22 Nov 2016 12:02:51 +0000 Received: from [85.158.143.35] by server-7.bemta-6.messagelabs.com id FF/10-29519-AE334385; Tue, 22 Nov 2016 12:02:50 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprIKsWRWlGSWpSXmKPExsWS0XRdVfelsUm EwZlzWha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNeHdgKlPB5rSK0+1fWRsY DyR0MXJxCAmcY5RoWXafEcLZwCjx4vsKli5GTg5mAVeJG/s2s0HYihIX7jWAxXkFBCVOznwCZ ksIaErcebOKHcQWESiS2HnuJZjNJqAnMffsJCaIXh2Jl/tXg9nCAgUSUzd9Y4OYYyYxcf47Zh CbRUBV4tjOJYwTGHlmIVk9C8nqWUhWz2LkAIprSqzfpQ9hSkss/8cBUS0vsf3tHGaIcJnEyS3 2EGaxxMcndTDzpnQ/ZIew8yQeTOhmhLCzJV4vfMOErGYBI88qRo3i1KKy1CJdQwu9pKLM9IyS 3MTMHF1DAzO93NTi4sT01JzEpGK95PzcTYzAKGEAgh2MNzcGHGKU5GBSEuU9vNQoQogvKT+lM iOxOCO+qDQntfgQowwHh5IEr7yRSYSQYFFqempFWmYOMF5h0hIcPEoivFWGQGne4oLE3OLMdI jUKUZLjlsnnj9g4nj0+y2Q7Fj06QGTEEtefl6qlDhvMsg8AZCGjNI8uHGwlHKJUVZKmJcR6EA hnoLUotzMElT5V4ziHIxKwryFIFN4MvNK4La+AjqICeggyW/GIAeVJCKkpBoYza1uNL49XXuy Myq3qfq9kcDHDbd27e+4tyontK868HDwyT920dufuJrFRVitrIirivu84LnTFN9WyRLrt2wWS kU7fnd6uCq+4r6joXTs2+Gwifmnz77WvDZrcoy/qEvfK/Vjh/uYpjsuSYxovG/vvmzlm1Qbdv GDxtWGeRszbIWFxKyYoqyVWIozEg21mIuKEwGiVbTpJAMAAA== X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-7.tower-21.messagelabs.com!1479816168!44604965!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 13971 invoked from network); 22 Nov 2016 12:02:49 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-7.tower-21.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:49 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mY-0004qo-Nw; Tue, 22 Nov 2016 12:02:38 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mY-0008BI-Mf; Tue, 22 Nov 2016 12:02:38 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:38 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 196 (CVE-2016-9377, CVE-2016-9378) - x86 software interrupt injection mis-handled X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9377,CVE-2016-9378 / XSA-196 version 3 x86 software interrupt injection mis-handled UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= There are two closely-related bugs. When Xen emulates instructions which generate software interrupts it needs to perform a privilege check involving an IDT lookup. This check is sometimes erroneously conducted as if the IDT had the format for a 32-bit guest, when in fact it is in the 64-bit format. Xen will then read the wrong part of the IDT and interpret it in an unintended manner. (CVE-2016-9377) When Xen emulates instructions which generate software interrupts, and chooses to deliver the software interrupt, it may try to use the method intended for injecting exceptions. This is incorrect, and results in a guest crash. (CVE-2016-9378) These instructions are not ususally handled by the emulator. Exploiting the bug requires ability to force use of the emulator. IMPACT ====== An unprivileged guest user program may be able to crash the guest. VULNERABLE SYSTEMS ================== Xen versions 4.5 and newer are vulnerable. Older versions are not vulnerable. The vulnerability is only exposed on AMD hardware lacking the NRip feature. AMD hardware with the NRip feature, and all Intel hardware, is not vulnerable. Xen prints information about CPU features on boot. If you see this: (XEN) SVM: Supported advanced features: ... (XEN) - Next-RIP Saved on #VMEXIT then you are not vulnerable because you have an AMD CPU with NRip. If you see this: (XEN) VMX: Supported advanced features: then you are not vulnerable because you have an Intel CPU. The vulnerability is only exposed on HVM guests. ARM systems are NOT vulnerable. MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the attached patches resolves this issue. xsa196-000*.patch xen-unstable, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x $ sha256sum xsa196* c4122280f3786416231ae5f0660123446d29e9ac5cd3ffb92784ed36edeec8b7 xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch 25671c44c746d4d0e8f7e2b109926c013b440e0bf225156282052ec38536e347 xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDMVAAoJEIP+FMlX6CvZZ7MH/36KnwbAxmRHtUDIpQF/Syoh Lc8s6gNV1oOzcCpFgz+gSyIOMzp7KWieKQiVX1HbI0lnLYK/sRa77VNV/Y9bUt+Y y9b9QOZRDHoO92dZ4Ym/hzdtaNkdOQX/JAfy+E5pCGuqPtH/Jy5NuwVL8W7V8PNM QTHmvbgB4/Y2U6QqWpIP+S7oC0A9iuIf9eekd6ZTpqTadPFylTe2WX22mns1TEtN 3Z0NX737AjQLyUVnUoJ32sITCBk6tGutvvEmOc2Y+4eMrUvKSoafVy+5IZcTGwLp 3ke5sDNN1tOpzmqbXgWXBsVkpjWf2i0NW0dl5jh8/tN5FtrTuByd193dJGSKzEE= =IE45 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch" Content-Disposition: attachment; filename="xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2VtdWw6IENvcnJlY3QgdGhlIElEVCBlbnRyeSBj YWxjdWxhdGlvbiBpbiBpbmplY3Rfc3dpbnQoKQoKVGhlIGxvZ2ljLCBhcyBp bnRyb2R1Y2VkIGluIGMvcyAzNmViZjE0ZWJlICJ4ODYvZW11bGF0ZTogc3Vw cG9ydCBmb3IgZW11bGF0aW5nCnNvZnR3YXJlIGV2ZW50IGluamVjdGlvbiIg aXMgYnVnZ3kuICBUaGUgc2l6ZSBvZiBhbiBJRFQgZW50cnkgZGVwZW5kcyBv biBsb25nCm1vZGUgYmVpbmcgYWN0aXZlLCBub3QgdGhlIHdpZHRoIG9mIHRo ZSBjb2RlIHNlZ21lbnQgY3VycmVudGx5IGluIHVzZS4KCkluIHBhcnRpY3Vs YXIsIHRoaXMgbWVhbnMgdGhhdCBhIGNvbXBhdGliaWxpdHkgY29kZSBzZWdt ZW50IHdoaWNoIGhpdHMKZW11bGF0aW9uIGZvciBzb2Z0d2FyZSBldmVudCBp bmplY3Rpb24gd2lsbCBlbmQgdXAgdXNpbmcgYW4gaW5jb3JyZWN0IG9mZnNl dAppbiB0aGUgSURUIGZvciBEUEwvUHJlc2VuY2UgY2hlY2tpbmcuICBJbiBw cmFjdGljZSwgdGhpcyBvbmx5IG9jY3VycyBvbiBvbGQKQU1EIGhhcmR3YXJl IGxhY2tpbmcgTlJpcCBzdXBwb3J0OyBhbGwgbmV3ZXIgQU1EIGhhcmR3YXJl LCBhbmQgYWxsIEludGVsCmhhcmR3YXJlIGJ5cGFzcyB0aGlzIHBhdGggaW4g dGhlIGVtdWxhdG9yLgoKV2hpbGUgaGVyZSwgZml4IGEgbWlub3IgaXNzdWUg d2l0aCByZWFkaW5nIHRoZSBJRFQgZW50cnkuICBUaGUgcmV0dXJuIHZhbHVl CmZyb20gb3BzLT5yZWFkKCkgd2Fzbid0IGNoZWNrZWQsIGJ1dCBpbiByZWFs aXR5IHRoZSBvbmx5IGZhaWx1cmUgY2FzZSBpcyBpZiBhCnBhZ2VmYXVsdCBv Y2N1cnMuICBUaGlzIGlzIG5vdCBhIHJlYWxpc3RpYyBwcm9ibGVtIGFzIHRo ZSBrZXJuZWwgd2lsbCBhbG1vc3QKY2VydGFpbmx5IGNyYXNoIHdpdGggYSBk b3VibGUgZmF1bHQgaWYgdGhpcyBzZXR1cCBhY3R1YWxseSBvY2N1cmVkLgoK VGhpcyBpcyBwYXJ0IG9mIFhTQS0xOTYuCgpTaWduZWQtb2ZmLWJ5OiBBbmRy ZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgpSZXZpZXdl ZC1ieTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgotLS0KIHhl bi9hcmNoL3g4Ni94ODZfZW11bGF0ZS94ODZfZW11bGF0ZS5jIHwgMTUgKysr KysrKysrKystLS0tCiAxIGZpbGUgY2hhbmdlZCwgMTEgaW5zZXJ0aW9ucygr KSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS94ZW4vYXJjaC94ODYv eDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYyBiL3hlbi9hcmNoL3g4Ni94ODZf ZW11bGF0ZS94ODZfZW11bGF0ZS5jCmluZGV4IDdhNzA3ZGMuLmY3NGFhOGYg MTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4Ni94ODZfZW11bGF0ZS94ODZfZW11 bGF0ZS5jCisrKyBiL3hlbi9hcmNoL3g4Ni94ODZfZW11bGF0ZS94ODZfZW11 bGF0ZS5jCkBAIC0xNjMwLDEwICsxNjMwLDE2IEBAIHN0YXRpYyBpbnQgaW5q ZWN0X3N3aW50KGVudW0geDg2X3N3aW50X3R5cGUgdHlwZSwKICAgICB7CiAg ICAgICAgIGlmICggIWluX3JlYWxtb2RlKGN0eHQsIG9wcykgKQogICAgICAg ICB7Ci0gICAgICAgICAgICB1bnNpZ25lZCBpbnQgaWR0ZV9zaXplID0gKGN0 eHQtPmFkZHJfc2l6ZSA9PSA2NCkgPyAxNiA6IDg7Ci0gICAgICAgICAgICB1 bnNpZ25lZCBpbnQgaWR0ZV9vZmZzZXQgPSB2ZWN0b3IgKiBpZHRlX3NpemU7 CisgICAgICAgICAgICB1bnNpZ25lZCBpbnQgaWR0ZV9zaXplLCBpZHRlX29m ZnNldDsKICAgICAgICAgICAgIHN0cnVjdCBzZWdtZW50X3JlZ2lzdGVyIGlk dHI7CiAgICAgICAgICAgICB1aW50MzJfdCBpZHRlX2N0bDsKKyAgICAgICAg ICAgIGludCBsbSA9IGluX2xvbmdtb2RlKGN0eHQsIG9wcyk7CisKKyAgICAg ICAgICAgIGlmICggbG0gPCAwICkKKyAgICAgICAgICAgICAgICByZXR1cm4g WDg2RU1VTF9VTkhBTkRMRUFCTEU7CisKKyAgICAgICAgICAgIGlkdGVfc2l6 ZSA9IGxtID8gMTYgOiA4OworICAgICAgICAgICAgaWR0ZV9vZmZzZXQgPSB2 ZWN0b3IgKiBpZHRlX3NpemU7CiAKICAgICAgICAgICAgIC8qIGljZWJwIHNl dHMgdGhlIEV4dGVybmFsIEV2ZW50IGJpdCBkZXNwaXRlIGJlaW5nIGFuIGlu c3RydWN0aW9uLiAqLwogICAgICAgICAgICAgZXJyb3JfY29kZSA9ICh2ZWN0 b3IgPDwgMykgfCBFQ09ERV9JRFQgfApAQCAtMTY2MSw4ICsxNjY3LDkgQEAg c3RhdGljIGludCBpbmplY3Rfc3dpbnQoZW51bSB4ODZfc3dpbnRfdHlwZSB0 eXBlLAogICAgICAgICAgICAgICogU2hvdWxkIHN0cmljdGx5IHNwZWFraW5n IHJlYWQgYWxsIDgvMTYgYnl0ZXMgb2YgYW4gZW50cnksCiAgICAgICAgICAg ICAgKiBidXQgd2UgY3VycmVudGx5IG9ubHkgY2FyZSBhYm91dCB0aGUgZHBs IGFuZCBwcmVzZW50IGJpdHMuCiAgICAgICAgICAgICAgKi8KLSAgICAgICAg ICAgIG9wcy0+cmVhZCh4ODZfc2VnX25vbmUsIGlkdHIuYmFzZSArIGlkdGVf b2Zmc2V0ICsgNCwKLSAgICAgICAgICAgICAgICAgICAgICAmaWR0ZV9jdGws IHNpemVvZihpZHRlX2N0bCksIGN0eHQpOworICAgICAgICAgICAgaWYgKCAo cmMgPSBvcHMtPnJlYWQoeDg2X3NlZ19ub25lLCBpZHRyLmJhc2UgKyBpZHRl X29mZnNldCArIDQsCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAmaWR0ZV9jdGwsIHNpemVvZihpZHRlX2N0bCksIGN0eHQpKSApCisgICAg ICAgICAgICAgICAgZ290byBkb25lOwogCiAgICAgICAgICAgICAvKiBJcyB0 aGlzIGVudHJ5IHByZXNlbnQ/ICovCiAgICAgICAgICAgICBpZiAoICEoaWR0 ZV9jdGwgJiAoMXUgPDwgMTUpKSApCg== --=separator Content-Type: application/octet-stream; name="xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch" Content-Disposition: attachment; filename="xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L3N2bTogRml4IGluamVjdGlvbiBvZiBzb2Z0d2Fy ZSBpbnRlcnJ1cHRzCgpUaGUgbm9uLU5leHRSaXAgbG9naWMgaW4gYy9zIDM2 ZWJmMTRlYiAieDg2L2VtdWxhdGU6IHN1cHBvcnQgZm9yIGVtdWxhdGluZwpz b2Z0d2FyZSBldmVudCBpbmplY3Rpb24iIHdhcyBiYXNlZCBvbiBhbiBvbGRl ciB2ZXJzaW9uIG9mIHRoZSBBTUQgc29mdHdhcmUKbWFudWFsLiAgVGhlIG1h bnVhbCB3YXMgbGF0ZXIgY29ycmVjdGVkLCBmb2xsb3dpbmcgZmluZGluZ3Mg ZnJvbSB0aGF0IHNlcmllcy4KCkkgdG9vayB0aGUgb3JpZ2luYWwgd29yZGlu ZyBvZiAibm90IHN1cHBvcnRlZCB3aXRob3V0IE5leHRSSVAiIHRvIG1lYW4g dGhhdApYODZfRVZFTlRUWVBFX1NXX0lOVEVSUlVQVCB3YXMgbm90IGVsaWdp YmxlIGZvciB1c2UuICBJdCB0dXJucyBvdXQgdGhhdCB0aGlzCmlzIG5vdCB0 aGUgY2FzZSwgYW5kIHRoZSBuZXcgd29yZGluZyBpcyBjbGVhcmVyIG9uIHRo ZSBtYXR0ZXIuCgpEZXNwaXRlIHRlc3RpbmcgdGhlIG9yaWdpbmFsIHBhdGNo IHNlcmllcyBvbiBub24tTlJpcCBoYXJkd2FyZSwgdGhlCnN3aW50LWVtdWxh dGlvbiBYVEYgdGVzdCBjYXNlIGZvY3VzZXMgb24gdGhlIGRlYnVnIHZlY3Rv cnM7IGl0IG5ldmVyIGVuZGVkIHVwCmV4ZWN1dGluZyBhbiBgaW50ICRuYCBp bnN0cnVjdGlvbiBmb3IgYSB2ZWN0b3Igd2hpY2ggd2Fzbid0IGFsc28gYW4g ZXhjZXB0aW9uLgoKRHVyaW5nIGEgdm1lbnRyeSwgdGhlIHVzZSBvZiBYODZf RVZFTlRUWVBFX0hXX0VYQ0VQVElPTiBjb21lcyB3aXRoIGEgdmVjdG9yCmNo ZWNrIHRvIGVuc3VyZSB0aGF0IGl0IGlzIG9ubHkgdXNlZCB3aXRoIGV4Y2Vw dGlvbiB2ZWN0b3JzLiAgWGVuJ3MgdXNlIG9mClg4Nl9FVkVOVFRZUEVfSFdf RVhDRVBUSU9OIGZvciBgaW50ICRuYCBpbmplY3Rpb24gaGFzIGFsd2F5cyBi ZWVuIGJ1Z2d5IG9uIEFNRApoYXJkd2FyZS4KCkZpeCB0aGlzIGJ5IGFsd2F5 cyB1c2luZyBYODZfRVZFTlRUWVBFX1NXX0lOVEVSUlVQVC4KClByaW50IGFu ZCBkZWNvZGUgdGhlIGV2ZW50aW5qIGluZm9ybWF0aW9uIGluIHN2bV92bWNi X2R1bXAoKSwgYXMgaXQgaGFzCnNldmVyYWwgaW52YWxpZCBjb21iaW5hdGlv bnMgd2hpY2ggY2F1c2Ugdm1lbnRyeSBmYWlsdXJlcy4KClRoaXMgaXMgcGFy dCBvZiBYU0EtMTk2LgoKU2lnbmVkLW9mZi1ieTogQW5kcmV3IENvb3BlciA8 YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KUmV2aWV3ZWQtYnk6IEphbiBC ZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KLS0tCiB4ZW4vYXJjaC94ODYv aHZtL3N2bS9zdm0uYyAgICAgIHwgMTMgKysrKystLS0tLS0tLQogeGVuL2Fy Y2gveDg2L2h2bS9zdm0vc3ZtZGVidWcuYyB8ICA0ICsrKysKIDIgZmlsZXMg Y2hhbmdlZCwgOSBpbnNlcnRpb25zKCspLCA4IGRlbGV0aW9ucygtKQoKZGlm ZiAtLWdpdCBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2bS5jIGIveGVuL2Fy Y2gveDg2L2h2bS9zdm0vc3ZtLmMKaW5kZXggNDM5MTc0NC4uNzZlZmMzZSAx MDA2NDQKLS0tIGEveGVuL2FyY2gveDg2L2h2bS9zdm0vc3ZtLmMKKysrIGIv eGVuL2FyY2gveDg2L2h2bS9zdm0vc3ZtLmMKQEAgLTEyMzEsMTcgKzEyMzEs MTQgQEAgc3RhdGljIHZvaWQgc3ZtX2luamVjdF90cmFwKGNvbnN0IHN0cnVj dCBodm1fdHJhcCAqdHJhcCkKICAgICB7CiAgICAgY2FzZSBYODZfRVZFTlRU WVBFX1NXX0lOVEVSUlVQVDogLyogaW50ICRuICovCiAgICAgICAgIC8qCi0g ICAgICAgICAqIEluamVjdGlvbiB0eXBlIDQgKHNvZnR3YXJlIGludGVycnVw dCkgaXMgb25seSBzdXBwb3J0ZWQgd2l0aAotICAgICAgICAgKiBOZXh0UklQ IHN1cHBvcnQuICBXaXRob3V0IE5leHRSSVAsIHRoZSBlbXVsYXRvciB3aWxs IGhhdmUgcGVyZm9ybWVkCi0gICAgICAgICAqIERQTCBhbmQgcHJlc2VuY2Ug Y2hlY2tzIGZvciB1cy4KKyAgICAgICAgICogU29mdHdhcmUgaW50ZXJydXB0 cyAodHlwZSA0KSBjYW5ub3QgYmUgcHJvcGVybHkgaW5qZWN0ZWQgaWYgdGhl CisgICAgICAgICAqIHByb2Nlc3NvciBkb2Vzbid0IHN1cHBvcnQgTmV4dFJJ UC4gIFdpdGhvdXQgTmV4dFJJUCwgdGhlIGVtdWxhdG9yCisgICAgICAgICAq IHdpbGwgaGF2ZSBwZXJmb3JtZWQgRFBMIGFuZCBwcmVzZW5jZSBjaGVja3Mg Zm9yIHVzLCBhbmQgd2lsbCBoYXZlCisgICAgICAgICAqIG1vdmVkIGVpcCBm b3J3YXJkIGlmIGFwcHJvcHJpYXRlLgogICAgICAgICAgKi8KICAgICAgICAg aWYgKCBjcHVfaGFzX3N2bV9ucmlwcyApCi0gICAgICAgIHsKICAgICAgICAg ICAgIHZtY2ItPm5leHRyaXAgPSByZWdzLT5laXAgKyBfdHJhcC5pbnNuX2xl bjsKLSAgICAgICAgICAgIGV2ZW50LmZpZWxkcy50eXBlID0gWDg2X0VWRU5U VFlQRV9TV19JTlRFUlJVUFQ7Ci0gICAgICAgIH0KLSAgICAgICAgZWxzZQot ICAgICAgICAgICAgZXZlbnQuZmllbGRzLnR5cGUgPSBYODZfRVZFTlRUWVBF X0hXX0VYQ0VQVElPTjsKKyAgICAgICAgZXZlbnQuZmllbGRzLnR5cGUgPSBY ODZfRVZFTlRUWVBFX1NXX0lOVEVSUlVQVDsKICAgICAgICAgYnJlYWs7CiAK ICAgICBjYXNlIFg4Nl9FVkVOVFRZUEVfUFJJX1NXX0VYQ0VQVElPTjogLyog aWNlYnAgKi8KZGlmZiAtLWdpdCBhL3hlbi9hcmNoL3g4Ni9odm0vc3ZtL3N2 bWRlYnVnLmMgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm1kZWJ1Zy5jCmlu ZGV4IGRlZDVkMTkuLmY5M2RmZWQgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4 Ni9odm0vc3ZtL3N2bWRlYnVnLmMKKysrIGIveGVuL2FyY2gveDg2L2h2bS9z dm0vc3ZtZGVidWcuYwpAQCAtNDgsNiArNDgsMTAgQEAgdm9pZCBzdm1fdm1j Yl9kdW1wKGNvbnN0IGNoYXIgKmZyb20sIHN0cnVjdCB2bWNiX3N0cnVjdCAq dm1jYikKICAgICAgICAgICAgdm1jYi0+dGxiX2NvbnRyb2wsCiAgICAgICAg ICAgICh1bnNpZ25lZCBsb25nIGxvbmcpdm1jYi0+X3ZpbnRyLmJ5dGVzLAog ICAgICAgICAgICAodW5zaWduZWQgbG9uZyBsb25nKXZtY2ItPmludGVycnVw dF9zaGFkb3cpOworICAgIHByaW50aygiZXZlbnRpbmogJTAxNiJQUkl4NjQi LCB2YWxpZD8gJWQsIGVjPyAlZCwgdHlwZSAldSwgdmVjdG9yICUjeFxuIiwK KyAgICAgICAgICAgdm1jYi0+ZXZlbnRpbmouYnl0ZXMsIHZtY2ItPmV2ZW50 aW5qLmZpZWxkcy52LAorICAgICAgICAgICB2bWNiLT5ldmVudGluai5maWVs ZHMuZXYsIHZtY2ItPmV2ZW50aW5qLmZpZWxkcy50eXBlLAorICAgICAgICAg ICB2bWNiLT5ldmVudGluai5maWVsZHMudmVjdG9yKTsKICAgICBwcmludGso ImV4aXRjb2RlID0gJSNMeCBleGl0aW50aW5mbyA9ICUjTHhcbiIsCiAgICAg ICAgICAgICh1bnNpZ25lZCBsb25nIGxvbmcpdm1jYi0+ZXhpdGNvZGUsCiAg ICAgICAgICAgICh1bnNpZ25lZCBsb25nIGxvbmcpdm1jYi0+ZXhpdGludGlu Zm8uYnl0ZXMpOwo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mR-0007xZ-3w; Tue, 22 Nov 2016 12:02:31 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mQ-0007wt-BZ; Tue, 22 Nov 2016 12:02:30 +0000 Received: from [85.158.137.68] by server-1.bemta-3.messagelabs.com id D2/8E-23231-5D334385; Tue, 22 Nov 2016 12:02:29 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnleJIrShJLcpLzFFi42LJaLquqnvG2CT C4N0eMYtbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBmTPo4g7Fg8zTGivWbe1ka GJ/2M3YxcnEICZxjlLi08DEzhLOBUaK9ey5TFyMnB7OAq8SNfZvZIGxFiQv3GlhAbF4BQYmTM 5+A2RICmhJ33qxiB7FFBIokdp57CWazCehJzD07CWqOjsTL/avBbGGBNIm9Uy6wQcwxk5h9/z 4ziM0ioCpxt30T0wRGnllIVs9CsnoWktWzGDmA4poS63fpQ5jSEsv/cUBUy0tsfzuHGcK2ljg ws5UVwraQOPD2MiPMxCndD9khbHuJhw9fQNXYSGydOY0dWc0CRp5VjBrFqUVlqUW6RgZ6SUWZ 6RkluYmZObqGBsZ6uanFxYnpqTmJScV6yfm5mxiB0VLPwMC4g7H5hN8hRkkOJiVR3sNLjSKE+ JLyUyozEosz4otKc1KLDzHKcHAoSfAuNzKJEBIsSk1PrUjLzAHGLUxagoNHSQQizVtckJhbnJ kOkTrFaMxx68TzB0wcj36/fcAkxJKXn5cqJc57EaRUAKQ0ozQPbhAsnVxilJUS5mVkYGAQ4il ILcrNLEGVf8UozsGoJMxbCDKFJzOvBG7fK6BTmIBOkfxmDHJKSSJCSqqBUefizGVX4sNmPDwX fL6t0WzThOrohVs2xYmfmnT4r2nuXks967ZL0+qfSu3v/2YnxsGok+gfohPhoc9+5d7OPx5st W7MUYnH12gfzdwlpiIq8vZY9ObrAVPn7ZV4VVL0SmtrXuEXxad/Px1ui0lYZ9st8cnc29LHUE fp02ZOviq9KlaHj/WHlViKMxINtZiLihMB1BQkLSIDAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-7.tower-31.messagelabs.com!1479816139!64721645!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 10942 invoked from network); 22 Nov 2016 12:02:20 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-7.tower-31.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:20 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99m1-0004nz-HE; Tue, 22 Nov 2016 12:02:05 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99m1-00083i-DF; Tue, 22 Nov 2016 12:02:05 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:05 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 191 (CVE-2016-9386) - x86 null segments not always treated as unusable X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9386 / XSA-191 version 3 x86 null segments not always treated as unusable UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses. The intended behaviour is as follows: The user data segment (%ds, %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special meaning for user segments, and there is no way of preventing access. However, in both 32-bit and 64-bit, a NULL LDT system segment is intended to prevent access. On Intel hardware, loading a NULL selector zeros the base as well as most attributes, but sets the limit field to its largest possible value. On AMD hardware, loading a NULL selector zeros the attributes, leaving the stale base and limit intact. Xen may erroneously permit the access using unexpected base/limit values. Ability to exploit this vulnerability on Intel is easy, but on AMD depends in a complicated way on how the guest kernel manages LDTs. IMPACT ====== An unprivileged guest user program may be able to elevate its privilege to that of the guest operating system. VULNERABLE SYSTEMS ================== The vulnerability is only exposed to HVM guests. ARM systems are NOT vulnerable. All versions of Xen are affected. However, we believe that the vulnerability cannot be exploited on Xen 4.7 by completely unprivileged guest processes, unless the VM has been explicitly configured with a non-default cpu vendor string (in xm/xl, this would be done with a `cpuid=' domain config option). MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa191.patch xen-unstable, Xen 4.7.x xsa191-4.6.patch Xen 4.6.x, Xen 4.5.x, Xen 4.4.x $ sha256sum xsa191* dca534cf4d3711ea8797846a18238ca16cc9e7a24a887300db22c3ba3d95c199 xsa191.patch d95a1f0dd5c45497ca56e2e1390fc688bf0a4a7a7fd10c65ae25b4bbb3353b69 xsa191-4.6.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDIWAAoJEIP+FMlX6CvZ4qQH/jlfd6BV63CSggCQVd0sB3a4 j7MgRZ8h0aFrCLl+0tj3QwsiW0TRDsKiTNy2xY1kxkLsQdIAeYjBddyYiJ2nbCr9 kCR2WLcWB3csf4So/85q8OMfsob7H+8PR/OsT3iY6Fo/5PzNy5wvWtU/+TRaoZIy t9OvybZ0HYhtvQ/YHv5njKZ3nyHo6MRwGpPOrzSn8UN7p+sr3DDGiuw9LNjtnepb dijO0c9artbWCjVkRlbe1w5514FH1vPleopGmXjTz/Wy5zNHWZL1RaVzh4N36ahP V1joPxt+C75iRArp6y0ncloyKjgx8pMfOzCcLp9VS6dwF3zwZ5rxxtFynlRjg94= =pUW4 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa191.patch" Content-Disposition: attachment; filename="xsa191.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2h2bTogRml4IHRoZSBoYW5kbGluZyBvZiBub24t cHJlc2VudCBzZWdtZW50cwoKSW4gMzJiaXQsIHRoZSBkYXRhIHNlZ21lbnRz IG1heSBiZSBOVUxMIHRvIGluZGljYXRlIHRoYXQgdGhlIHNlZ21lbnQgaXMK aW5lbGlnaWJsZSBmb3IgdXNlLiAgSW4gYm90aCAzMmJpdCBhbmQgNjRiaXQs IHRoZSBMRFQgc2VsZWN0b3IgbWF5IGJlIE5VTEwgdG8KaW5kaWNhdGUgdGhh dCB0aGUgZW50aXJlIExEVCBpcyBpbmVsaWdpYmxlIGZvciB1c2UuICBIb3dl dmVyLCBub3RoaW5nIGluIFhlbgphY3R1YWxseSBjaGVja3MgZm9yIHRoaXMg Y29uZGl0aW9uIHdoZW4gcGVyZm9ybWluZyBvdGhlciBzZWdtZW50YXRpb24K Y2hlY2tzLiAgKE5vdGUgaG93ZXZlciB0aGF0IGxpbWl0IGFuZCB3cml0ZWFi aWxpdHkgY2hlY2tzIGFyZSBjb3JyZWN0bHkKcGVyZm9ybWVkKS4KCk5laXRo ZXIgSW50ZWwgbm9yIEFNRCBzcGVjaWZ5IHRoZSBleGFjdCBiZWhhdmlvdXIg b2YgbG9hZGluZyBhIE5VTEwgc2VnbWVudC4KRXhwZXJpbWVudGFsbHksIEFN RCB6ZXJvZXMgYWxsIGF0dHJpYnV0ZXMgYnV0IGxlYXZlcyB0aGUgYmFzZSBh bmQgbGltaXQKdW5tb2RpZmllZC4gIEludGVsIHplcm9lcyB0aGUgYmFzZSwg c2V0cyB0aGUgbGltaXQgdG8gMHhmZmZmZmZmIGFuZCByZXNldHMgdGhlCmF0 dHJpYnV0ZXMgdG8ganVzdCAuRyBhbmQgLkQvQi4KClRoZSB1c2Ugb2YgdGhl IHNlZ21lbnQgaW5mb3JtYXRpb24gaW4gdGhlIFZNQ0IvVk1DUyBpcyBlcXVp dmFsZW50IHRvIGEgbmF0aXZlCnBpcGVsaW5lIGludGVyYWN0aW5nIHdpdGgg dGhlIHNlZ21lbnQgY2FjaGUuICBUaGUgcHJlc2VudCBiaXQgY2FuIHRoZXJl Zm9yZQpoYXZlIGEgc3VidGx5IGRpZmZlcmVudCBtZWFuaW5nLCBhbmQgaXQg aXMgbm93IGNvb2tlZCB0byB1bmlmb3JtbHkgaW5kaWNhdGUKd2hldGhlciB0 aGUgc2VnbWVudCBpcyB1c2FibGUgb3Igbm90LgoKR0RUUiBhbmQgSURUUiBk b24ndCBoYXZlIGFjY2VzcyByaWdodHMgbGlrZSB0aGUgb3RoZXIgc2VnbWVu dHMsIGJ1dCBmb3IKY29uc2lzdGVuY3ksIHRoZXkgYXJlIHRyZWF0ZWQgYXMg YmVpbmcgcHJlc2VudCBzbyBubyBzcGVjaWFsIGNhc2luZyBpcyBuZWVkZWQK ZWxzZXdoZXJlIGluIHRoZSBzZWdtZW50YXRpb24gbG9naWMuCgpBTUQgaGFy ZHdhcmUgZG9lcyBub3QgY29uc2lkZXIgdGhlIHByZXNlbnQgYml0IGZvciAl Y3MgYW5kICV0ciwgYW5kIHdpbGwKZnVuY3Rpb24gYXMgaWYgdGhleSB3ZXJl IHByZXNlbnQuICBUaGV5IGFyZSB0aGVyZWZvcmUgdW5jb25kaXRpb25hbGx5 IHNldCB0bwpwcmVzZW50IHdoZW4gcmVhZGluZyBpbmZvcm1hdGlvbiBmcm9t IHRoZSBWTUNCLCB0byBtYWludGFpbiB0aGUgbmV3IG1lYW5pbmcgb2YKdXNh YmlsaXR5LgoKSW50ZWwgaGFyZHdhcmUgaGFzIGEgc2VwYXJhdGUgdW51c2Fi bGUgYml0IGluIHRoZSBWTUNTIHNlZ21lbnQgYXR0cmlidXRlcy4KVGhpcyBi aXQgaXMgaW52ZXJ0ZWQgYW5kIHN0b3JlZCBpbiB0aGUgcHJlc2VudCBmaWVs ZCwgc28gdGhlIGh2bSBjb2RlIGNhbiB3b3JrCndpdGggYXJjaGl0ZWN0dXJh bGx5LWNvbW1vbiBzdGF0ZS4KClRoaXMgaXMgWFNBLTE5MS4KClNpZ25lZC1v ZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5j b20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5j b20+Ci0tLQogeGVuL2FyY2gveDg2L2h2bS9odm0uYyAgICAgICAgICAgICAg ICAgfCAgOCArKysrKysrKwogeGVuL2FyY2gveDg2L2h2bS9zdm0vc3ZtLmMg ICAgICAgICAgICAgfCAgNCArKysrCiB4ZW4vYXJjaC94ODYvaHZtL3ZteC92 bXguYyAgICAgICAgICAgICB8IDIwICsrKysrKysrKysrLS0tLS0tLS0tCiB4 ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYyB8ICA0ICsr KysKIDQgZmlsZXMgY2hhbmdlZCwgMjcgaW5zZXJ0aW9ucygrKSwgOSBkZWxl dGlvbnMoLSkKCmRpZmYgLS1naXQgYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5j IGIveGVuL2FyY2gveDg2L2h2bS9odm0uYwppbmRleCA3MDRmZDY0Li5kZWIx NzgzIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vaHZtLmMKQEAgLTI1MTIsNiArMjUxMiwxMCBA QCBib29sX3QgaHZtX3ZpcnR1YWxfdG9fbGluZWFyX2FkZHIoCiAgICAgICAg ICAqLwogICAgICAgICBhZGRyID0gKHVpbnQzMl90KShhZGRyICsgcmVnLT5i YXNlKTsKIAorICAgICAgICAvKiBTZWdtZW50IG5vdCB2YWxpZCBmb3IgdXNl IChjb29rZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAgICAgIGlmICggIXJl Zy0+YXR0ci5maWVsZHMucCApCisgICAgICAgICAgICBnb3RvIG91dDsKKwog ICAgICAgICBzd2l0Y2ggKCBhY2Nlc3NfdHlwZSApCiAgICAgICAgIHsKICAg ICAgICAgY2FzZSBodm1fYWNjZXNzX3JlYWQ6CkBAIC0yNzY3LDYgKzI3NzEs MTAgQEAgc3RhdGljIGludCBodm1fbG9hZF9zZWdtZW50X3NlbGVjdG9yKAog ICAgIGh2bV9nZXRfc2VnbWVudF9yZWdpc3RlcigKICAgICAgICAgdiwgKHNl bCAmIDQpID8geDg2X3NlZ19sZHRyIDogeDg2X3NlZ19nZHRyLCAmZGVzY3Rh Yik7CiAKKyAgICAvKiBTZWdtZW50IG5vdCB2YWxpZCBmb3IgdXNlIChjb29r ZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAgaWYgKCAhZGVzY3RhYi5hdHRy LmZpZWxkcy5wICkKKyAgICAgICAgZ290byBmYWlsOworCiAgICAgLyogQ2hl Y2sgYWdhaW5zdCBkZXNjcmlwdG9yIHRhYmxlIGxpbWl0LiAqLwogICAgIGlm ICggKChzZWwgJiAweGZmZjgpICsgNykgPiBkZXNjdGFiLmxpbWl0ICkKICAg ICAgICAgZ290byBmYWlsOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2h2 bS9zdm0vc3ZtLmMgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm0uYwppbmRl eCAxNjQyN2Y2Li40Y2JhNDA2IDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYv aHZtL3N2bS9zdm0uYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm0u YwpAQCAtNjI3LDYgKzYyNyw3IEBAIHN0YXRpYyB2b2lkIHN2bV9nZXRfc2Vn bWVudF9yZWdpc3RlcihzdHJ1Y3QgdmNwdSAqdiwgZW51bSB4ODZfc2VnbWVu dCBzZWcsCiAgICAgewogICAgIGNhc2UgeDg2X3NlZ19jczoKICAgICAgICAg bWVtY3B5KHJlZywgJnZtY2ItPmNzLCBzaXplb2YoKnJlZykpOworICAgICAg ICByZWctPmF0dHIuZmllbGRzLnAgPSAxOwogICAgICAgICByZWctPmF0dHIu ZmllbGRzLmcgPSByZWctPmxpbWl0ID4gMHhGRkZGRjsKICAgICAgICAgYnJl YWs7CiAgICAgY2FzZSB4ODZfc2VnX2RzOgpAQCAtNjYwLDEzICs2NjEsMTYg QEAgc3RhdGljIHZvaWQgc3ZtX2dldF9zZWdtZW50X3JlZ2lzdGVyKHN0cnVj dCB2Y3B1ICp2LCBlbnVtIHg4Nl9zZWdtZW50IHNlZywKICAgICBjYXNlIHg4 Nl9zZWdfdHI6CiAgICAgICAgIHN2bV9zeW5jX3ZtY2Iodik7CiAgICAgICAg IG1lbWNweShyZWcsICZ2bWNiLT50ciwgc2l6ZW9mKCpyZWcpKTsKKyAgICAg ICAgcmVnLT5hdHRyLmZpZWxkcy5wID0gMTsKICAgICAgICAgcmVnLT5hdHRy LmZpZWxkcy50eXBlIHw9IDB4MjsKICAgICAgICAgYnJlYWs7CiAgICAgY2Fz ZSB4ODZfc2VnX2dkdHI6CiAgICAgICAgIG1lbWNweShyZWcsICZ2bWNiLT5n ZHRyLCBzaXplb2YoKnJlZykpOworICAgICAgICByZWctPmF0dHIuYnl0ZXMg PSAweDgwOwogICAgICAgICBicmVhazsKICAgICBjYXNlIHg4Nl9zZWdfaWR0 cjoKICAgICAgICAgbWVtY3B5KHJlZywgJnZtY2ItPmlkdHIsIHNpemVvZigq cmVnKSk7CisgICAgICAgIHJlZy0+YXR0ci5ieXRlcyA9IDB4ODA7CiAgICAg ICAgIGJyZWFrOwogICAgIGNhc2UgeDg2X3NlZ19sZHRyOgogICAgICAgICBz dm1fc3luY192bWNiKHYpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2h2 bS92bXgvdm14LmMgYi94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXguYwppbmRl eCA5YThmNjk0Li5hNjUyYzUyIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYv aHZtL3ZteC92bXguYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXgu YwpAQCAtMTAzNSwxMCArMTAzNSwxMiBAQCB2b2lkIHZteF9nZXRfc2VnbWVu dF9yZWdpc3RlcihzdHJ1Y3QgdmNwdSAqdiwgZW51bSB4ODZfc2VnbWVudCBz ZWcsCiAgICAgcmVnLT5zZWwgPSBzZWw7CiAgICAgcmVnLT5saW1pdCA9IGxp bWl0OwogCi0gICAgcmVnLT5hdHRyLmJ5dGVzID0gKGF0dHIgJiAweGZmKSB8 ICgoYXR0ciA+PiA0KSAmIDB4ZjAwKTsKLSAgICAvKiBVbnVzYWJsZSBmbGFn IGlzIGZvbGRlZCBpbnRvIFByZXNlbnQgZmxhZy4gKi8KLSAgICBpZiAoIGF0 dHIgJiAoMXU8PDE2KSApCi0gICAgICAgIHJlZy0+YXR0ci5maWVsZHMucCA9 IDA7CisgICAgLyoKKyAgICAgKiBGb2xkIFZULXggcmVwcmVzZW50YXRpb24g aW50byBYZW4ncyByZXByZXNlbnRhdGlvbi4gIFRoZSBQcmVzZW50IGJpdCBp cworICAgICAqIHVuY29uZGl0aW9uYWxseSBzZXQgdG8gdGhlIGludmVyc2Ug b2YgdW51c2FibGUuCisgICAgICovCisgICAgcmVnLT5hdHRyLmJ5dGVzID0K KyAgICAgICAgKCEoYXR0ciAmICgxdSA8PCAxNikpIDw8IDcpIHwgKGF0dHIg JiAweDdmKSB8ICgoYXR0ciA+PiA0KSAmIDB4ZjAwKTsKIAogICAgIC8qIEFk anVzdCBmb3IgdmlydHVhbCA4MDg2IG1vZGUgKi8KICAgICBpZiAoIHYtPmFy Y2guaHZtX3ZteC52bXhfcmVhbG1vZGUgJiYgc2VnIDw9IHg4Nl9zZWdfdHIg CkBAIC0xMTE4LDExICsxMTIwLDExIEBAIHN0YXRpYyB2b2lkIHZteF9zZXRf c2VnbWVudF9yZWdpc3RlcihzdHJ1Y3QgdmNwdSAqdiwgZW51bSB4ODZfc2Vn bWVudCBzZWcsCiAgICAgICAgIH0KICAgICB9CiAKLSAgICBhdHRyID0gKChh dHRyICYgMHhmMDApIDw8IDQpIHwgKGF0dHIgJiAweGZmKTsKLQotICAgIC8q IE5vdC1wcmVzZW50IG11c3QgbWVhbiB1bnVzYWJsZS4gKi8KLSAgICBpZiAo ICFyZWctPmF0dHIuZmllbGRzLnAgKQotICAgICAgICBhdHRyIHw9ICgxdSA8 PCAxNik7CisgICAgLyoKKyAgICAgKiBVbmZvbGQgWGVuIHJlcHJlc2VudGF0 aW9uIGludG8gVlQteCByZXByZXNlbnRhdGlvbi4gIFRoZSB1bnVzYWJsZSBi aXQKKyAgICAgKiBpcyB1bmNvbmRpdGlvbmFsbHkgc2V0IHRvIHRoZSBpbnZl cnNlIG9mIHByZXNlbnQuCisgICAgICovCisgICAgYXR0ciA9ICghKGF0dHIg JiAoMXUgPDwgNykpIDw8IDE2KSB8ICgoYXR0ciAmIDB4ZjAwKSA8PCA0KSB8 IChhdHRyICYgMHhmZik7CiAKICAgICAvKiBWTVggaGFzIHN0cmljdCBjb25z aXN0ZW5jeSByZXF1aXJlbWVudCBmb3IgZmxhZyBHLiAqLwogICAgIGF0dHIg fD0gISEobGltaXQgPj4gMjApIDw8IDE1OwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gveDg2L3g4Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMgYi94ZW4vYXJjaC94 ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwppbmRleCA3YTcwN2RjLi43 Y2I2Zjk4IDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUv eDg2X2VtdWxhdGUuYworKysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUv eDg2X2VtdWxhdGUuYwpAQCAtMTM2Nyw2ICsxMzY3LDEwIEBAIHByb3Rtb2Rl X2xvYWRfc2VnKAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg JmRlc2N0YWIsIGN0eHQpKSApCiAgICAgICAgIHJldHVybiByYzsKIAorICAg IC8qIFNlZ21lbnQgbm90IHZhbGlkIGZvciB1c2UgKGNvb2tlZCBtZWFuaW5n IG9mIC5wKT8gKi8KKyAgICBpZiAoICFkZXNjdGFiLmF0dHIuZmllbGRzLnAg KQorICAgICAgICBnb3RvIHJhaXNlX2V4bjsKKwogICAgIC8qIENoZWNrIGFn YWluc3QgZGVzY3JpcHRvciB0YWJsZSBsaW1pdC4gKi8KICAgICBpZiAoICgo c2VsICYgMHhmZmY4KSArIDcpID4gZGVzY3RhYi5saW1pdCApCiAgICAgICAg IGdvdG8gcmFpc2VfZXhuOwo= --=separator Content-Type: application/octet-stream; name="xsa191-4.6.patch" Content-Disposition: attachment; filename="xsa191-4.6.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2h2bTogRml4IHRoZSBoYW5kbGluZyBvZiBub24t cHJlc2VudCBzZWdtZW50cwoKSW4gMzJiaXQsIHRoZSBkYXRhIHNlZ21lbnRz IG1heSBiZSBOVUxMIHRvIGluZGljYXRlIHRoYXQgdGhlIHNlZ21lbnQgaXMK aW5lbGlnaWJsZSBmb3IgdXNlLiAgSW4gYm90aCAzMmJpdCBhbmQgNjRiaXQs IHRoZSBMRFQgc2VsZWN0b3IgbWF5IGJlIE5VTEwgdG8KaW5kaWNhdGUgdGhh dCB0aGUgZW50aXJlIExEVCBpcyBpbmVsaWdpYmxlIGZvciB1c2UuICBIb3dl dmVyLCBub3RoaW5nIGluIFhlbgphY3R1YWxseSBjaGVja3MgZm9yIHRoaXMg Y29uZGl0aW9uIHdoZW4gcGVyZm9ybWluZyBvdGhlciBzZWdtZW50YXRpb24K Y2hlY2tzLiAgKE5vdGUgaG93ZXZlciB0aGF0IGxpbWl0IGFuZCB3cml0ZWFi aWxpdHkgY2hlY2tzIGFyZSBjb3JyZWN0bHkKcGVyZm9ybWVkKS4KCk5laXRo ZXIgSW50ZWwgbm9yIEFNRCBzcGVjaWZ5IHRoZSBleGFjdCBiZWhhdmlvdXIg b2YgbG9hZGluZyBhIE5VTEwgc2VnbWVudC4KRXhwZXJpbWVudGFsbHksIEFN RCB6ZXJvZXMgYWxsIGF0dHJpYnV0ZXMgYnV0IGxlYXZlcyB0aGUgYmFzZSBh bmQgbGltaXQKdW5tb2RpZmllZC4gIEludGVsIHplcm9lcyB0aGUgYmFzZSwg c2V0cyB0aGUgbGltaXQgdG8gMHhmZmZmZmZmIGFuZCByZXNldHMgdGhlCmF0 dHJpYnV0ZXMgdG8ganVzdCAuRyBhbmQgLkQvQi4KClRoZSB1c2Ugb2YgdGhl IHNlZ21lbnQgaW5mb3JtYXRpb24gaW4gdGhlIFZNQ0IvVk1DUyBpcyBlcXVp dmFsZW50IHRvIGEgbmF0aXZlCnBpcGVsaW5lIGludGVyYWN0aW5nIHdpdGgg dGhlIHNlZ21lbnQgY2FjaGUuICBUaGUgcHJlc2VudCBiaXQgY2FuIHRoZXJl Zm9yZQpoYXZlIGEgc3VidGx5IGRpZmZlcmVudCBtZWFuaW5nLCBhbmQgaXQg aXMgbm93IGNvb2tlZCB0byB1bmlmb3JtbHkgaW5kaWNhdGUKd2hldGhlciB0 aGUgc2VnbWVudCBpcyB1c2FibGUgb3Igbm90LgoKR0RUUiBhbmQgSURUUiBk b24ndCBoYXZlIGFjY2VzcyByaWdodHMgbGlrZSB0aGUgb3RoZXIgc2VnbWVu dHMsIGJ1dCBmb3IKY29uc2lzdGVuY3ksIHRoZXkgYXJlIHRyZWF0ZWQgYXMg YmVpbmcgcHJlc2VudCBzbyBubyBzcGVjaWFsIGNhc2luZyBpcyBuZWVkZWQK ZWxzZXdoZXJlIGluIHRoZSBzZWdtZW50YXRpb24gbG9naWMuCgpBTUQgaGFy ZHdhcmUgZG9lcyBub3QgY29uc2lkZXIgdGhlIHByZXNlbnQgYml0IGZvciAl Y3MgYW5kICV0ciwgYW5kIHdpbGwKZnVuY3Rpb24gYXMgaWYgdGhleSB3ZXJl IHByZXNlbnQuICBUaGV5IGFyZSB0aGVyZWZvcmUgdW5jb25kaXRpb25hbGx5 IHNldCB0bwpwcmVzZW50IHdoZW4gcmVhZGluZyBpbmZvcm1hdGlvbiBmcm9t IHRoZSBWTUNCLCB0byBtYWludGFpbiB0aGUgbmV3IG1lYW5pbmcgb2YKdXNh YmlsaXR5LgoKSW50ZWwgaGFyZHdhcmUgaGFzIGEgc2VwYXJhdGUgdW51c2Fi bGUgYml0IGluIHRoZSBWTUNTIHNlZ21lbnQgYXR0cmlidXRlcy4KVGhpcyBi aXQgaXMgaW52ZXJ0ZWQgYW5kIHN0b3JlZCBpbiB0aGUgcHJlc2VudCBmaWVs ZCwgc28gdGhlIGh2bSBjb2RlIGNhbiB3b3JrCndpdGggYXJjaGl0ZWN0dXJh bGx5LWNvbW1vbiBzdGF0ZS4KClRoaXMgaXMgWFNBLTE5MS4KClNpZ25lZC1v ZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5j b20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5j b20+CgotLS0gYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBiL3hlbi9h cmNoL3g4Ni9odm0vaHZtLmMKQEAgLTM2NjYsNiArMzY2NiwxMCBAQCBpbnQg aHZtX3ZpcnR1YWxfdG9fbGluZWFyX2FkZHIoCiAgICAgICAgICAqIENPTVBB VElCSUxJVFkgTU9ERTogQXBwbHkgc2VnbWVudCBjaGVja3MgYW5kIGFkZCBi YXNlLgogICAgICAgICAgKi8KIAorICAgICAgICAvKiBTZWdtZW50IG5vdCB2 YWxpZCBmb3IgdXNlIChjb29rZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAg ICAgIGlmICggIXJlZy0+YXR0ci5maWVsZHMucCApCisgICAgICAgICAgICBy ZXR1cm4gMDsKKwogICAgICAgICBzd2l0Y2ggKCBhY2Nlc3NfdHlwZSApCiAg ICAgICAgIHsKICAgICAgICAgY2FzZSBodm1fYWNjZXNzX3JlYWQ6CkBAIC0z ODcxLDYgKzM4NzUsMTAgQEAgc3RhdGljIGludCBodm1fbG9hZF9zZWdtZW50 X3NlbGVjdG9yKAogICAgIGh2bV9nZXRfc2VnbWVudF9yZWdpc3RlcigKICAg ICAgICAgdiwgKHNlbCAmIDQpID8geDg2X3NlZ19sZHRyIDogeDg2X3NlZ19n ZHRyLCAmZGVzY3RhYik7CiAKKyAgICAvKiBTZWdtZW50IG5vdCB2YWxpZCBm b3IgdXNlIChjb29rZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAgaWYgKCAh ZGVzY3RhYi5hdHRyLmZpZWxkcy5wICkKKyAgICAgICAgZ290byBmYWlsOwor CiAgICAgLyogQ2hlY2sgYWdhaW5zdCBkZXNjcmlwdG9yIHRhYmxlIGxpbWl0 LiAqLwogICAgIGlmICggKChzZWwgJiAweGZmZjgpICsgNykgPiBkZXNjdGFi LmxpbWl0ICkKICAgICAgICAgZ290byBmYWlsOwotLS0gYS94ZW4vYXJjaC94 ODYvaHZtL3N2bS9zdm0uYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9z dm0uYwpAQCAtNjIwLDYgKzYyMCw3IEBAIHN0YXRpYyB2b2lkIHN2bV9nZXRf c2VnbWVudF9yZWdpc3RlcihzdHIKICAgICB7CiAgICAgY2FzZSB4ODZfc2Vn X2NzOgogICAgICAgICBtZW1jcHkocmVnLCAmdm1jYi0+Y3MsIHNpemVvZigq cmVnKSk7CisgICAgICAgIHJlZy0+YXR0ci5maWVsZHMucCA9IDE7CiAgICAg ICAgIHJlZy0+YXR0ci5maWVsZHMuZyA9IHJlZy0+bGltaXQgPiAweEZGRkZG OwogICAgICAgICBicmVhazsKICAgICBjYXNlIHg4Nl9zZWdfZHM6CkBAIC02 NTMsMTMgKzY1NCwxNiBAQCBzdGF0aWMgdm9pZCBzdm1fZ2V0X3NlZ21lbnRf cmVnaXN0ZXIoc3RyCiAgICAgY2FzZSB4ODZfc2VnX3RyOgogICAgICAgICBz dm1fc3luY192bWNiKHYpOwogICAgICAgICBtZW1jcHkocmVnLCAmdm1jYi0+ dHIsIHNpemVvZigqcmVnKSk7CisgICAgICAgIHJlZy0+YXR0ci5maWVsZHMu cCA9IDE7CiAgICAgICAgIHJlZy0+YXR0ci5maWVsZHMudHlwZSB8PSAweDI7 CiAgICAgICAgIGJyZWFrOwogICAgIGNhc2UgeDg2X3NlZ19nZHRyOgogICAg ICAgICBtZW1jcHkocmVnLCAmdm1jYi0+Z2R0ciwgc2l6ZW9mKCpyZWcpKTsK KyAgICAgICAgcmVnLT5hdHRyLmJ5dGVzID0gMHg4MDsKICAgICAgICAgYnJl YWs7CiAgICAgY2FzZSB4ODZfc2VnX2lkdHI6CiAgICAgICAgIG1lbWNweShy ZWcsICZ2bWNiLT5pZHRyLCBzaXplb2YoKnJlZykpOworICAgICAgICByZWct PmF0dHIuYnl0ZXMgPSAweDgwOwogICAgICAgICBicmVhazsKICAgICBjYXNl IHg4Nl9zZWdfbGR0cjoKICAgICAgICAgc3ZtX3N5bmNfdm1jYih2KTsKLS0t IGEveGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gv eDg2L2h2bS92bXgvdm14LmMKQEAgLTg2NywxMCArODY3LDEyIEBAIHZvaWQg dm14X2dldF9zZWdtZW50X3JlZ2lzdGVyKHN0cnVjdCB2Y3AKICAgICByZWct PnNlbCA9IHNlbDsKICAgICByZWctPmxpbWl0ID0gbGltaXQ7CiAKLSAgICBy ZWctPmF0dHIuYnl0ZXMgPSAoYXR0ciAmIDB4ZmYpIHwgKChhdHRyID4+IDQp ICYgMHhmMDApOwotICAgIC8qIFVudXNhYmxlIGZsYWcgaXMgZm9sZGVkIGlu dG8gUHJlc2VudCBmbGFnLiAqLwotICAgIGlmICggYXR0ciAmICgxdTw8MTYp ICkKLSAgICAgICAgcmVnLT5hdHRyLmZpZWxkcy5wID0gMDsKKyAgICAvKgor ICAgICAqIEZvbGQgVlQteCByZXByZXNlbnRhdGlvbiBpbnRvIFhlbidzIHJl cHJlc2VudGF0aW9uLiAgVGhlIFByZXNlbnQgYml0IGlzCisgICAgICogdW5j b25kaXRpb25hbGx5IHNldCB0byB0aGUgaW52ZXJzZSBvZiB1bnVzYWJsZS4K KyAgICAgKi8KKyAgICByZWctPmF0dHIuYnl0ZXMgPQorICAgICAgICAoIShh dHRyICYgKDF1IDw8IDE2KSkgPDwgNykgfCAoYXR0ciAmIDB4N2YpIHwgKChh dHRyID4+IDQpICYgMHhmMDApOwogCiAgICAgLyogQWRqdXN0IGZvciB2aXJ0 dWFsIDgwODYgbW9kZSAqLwogICAgIGlmICggdi0+YXJjaC5odm1fdm14LnZt eF9yZWFsbW9kZSAmJiBzZWcgPD0geDg2X3NlZ190ciAKQEAgLTk1MCwxMSAr OTUyLDExIEBAIHN0YXRpYyB2b2lkIHZteF9zZXRfc2VnbWVudF9yZWdpc3Rl cihzdHIKICAgICAgICAgfQogICAgIH0KIAotICAgIGF0dHIgPSAoKGF0dHIg JiAweGYwMCkgPDwgNCkgfCAoYXR0ciAmIDB4ZmYpOwotCi0gICAgLyogTm90 LXByZXNlbnQgbXVzdCBtZWFuIHVudXNhYmxlLiAqLwotICAgIGlmICggIXJl Zy0+YXR0ci5maWVsZHMucCApCi0gICAgICAgIGF0dHIgfD0gKDF1IDw8IDE2 KTsKKyAgICAvKgorICAgICAqIFVuZm9sZCBYZW4gcmVwcmVzZW50YXRpb24g aW50byBWVC14IHJlcHJlc2VudGF0aW9uLiAgVGhlIHVudXNhYmxlIGJpdAor ICAgICAqIGlzIHVuY29uZGl0aW9uYWxseSBzZXQgdG8gdGhlIGludmVyc2Ug b2YgcHJlc2VudC4KKyAgICAgKi8KKyAgICBhdHRyID0gKCEoYXR0ciAmICgx dSA8PCA3KSkgPDwgMTYpIHwgKChhdHRyICYgMHhmMDApIDw8IDQpIHwgKGF0 dHIgJiAweGZmKTsKIAogICAgIC8qIFZNWCBoYXMgc3RyaWN0IGNvbnNpc3Rl bmN5IHJlcXVpcmVtZW50IGZvciBmbGFnIEcuICovCiAgICAgYXR0ciB8PSAh IShsaW1pdCA+PiAyMCkgPDwgMTU7Ci0tLSBhL3hlbi9hcmNoL3g4Ni94ODZf ZW11bGF0ZS94ODZfZW11bGF0ZS5jCisrKyBiL3hlbi9hcmNoL3g4Ni94ODZf ZW11bGF0ZS94ODZfZW11bGF0ZS5jCkBAIC0xMjA5LDYgKzEyMDksMTAgQEAg cHJvdG1vZGVfbG9hZF9zZWcoCiAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAmZGVzY3RhYiwgY3R4dCkpICkKICAgICAgICAgcmV0dXJuIHJj OwogCisgICAgLyogU2VnbWVudCBub3QgdmFsaWQgZm9yIHVzZSAoY29va2Vk IG1lYW5pbmcgb2YgLnApPyAqLworICAgIGlmICggIWRlc2N0YWIuYXR0ci5m aWVsZHMucCApCisgICAgICAgIGdvdG8gcmFpc2VfZXhuOworCiAgICAgLyog Q2hlY2sgYWdhaW5zdCBkZXNjcmlwdG9yIHRhYmxlIGxpbWl0LiAqLwogICAg IGlmICggKChzZWwgJiAweGZmZjgpICsgNykgPiBkZXNjdGFiLmxpbWl0ICkK ICAgICAgICAgZ290byByYWlzZV9leG47Cg== --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ml-0008E1-Bz; Tue, 22 Nov 2016 12:02:51 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mj-0008C4-J9; Tue, 22 Nov 2016 12:02:49 +0000 Received: from [85.158.139.211] by server-15.bemta-5.messagelabs.com id 0A/19-13537-8E334385; Tue, 22 Nov 2016 12:02:48 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrKIsWRWlGSWpSXmKPExsWS0XRdVfe5sUm EwcyfBha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNOHYzraDVpOLtVPcGxmd6 XYxcHEIC5xglLh/4zgLhbGCU+H9yLlsXIycHs4CrxI19m6FsRYkL9xpYQGxeAUGJkzOfgNkSA poSd96sYgexRQSKJHaeewlmswnoScw9O4kJoldH4uX+1WC2sECaxJdVC5kh5phJrD++Dmw+i4 CqxJodl5kmMPLMQrJ6FpLVs5CsnsXIARTXlFi/Sx/ClJZY/o8DolpeYvvbOcwQtrXE+qfr2SB KLCQWzmaCGTil+yH7AkbOVYzqxalFZalFukZ6SUWZ6RkluYmZObqGBqZ6uanFxYnpqTmJScV6 yfm5mxiBgc0ABDsYv/9xOsQoycGkJMp7eKlRhBBfUn5KZUZicUZ8UWlOavEhRhkODiUJ3uVGJ hFCgkWp6akVaZk5wBiDSUtw8CiJ8D4GSfMWFyTmFmemQ6ROMRpz3Drx/AETx6Pfbx8wCbHk5e elSonzXgQpFQApzSjNgxsEi/1LjLJSwryMQKcJ8RSkFuVmlqDKv2IU52BUEuZ9ATKFJzOvBG7 fK6BTmIBOkfxmDHJKSSJCSqqB0XvNLffYrO77Ncu2FJSKd2qmHHmqcUjo6TejkkPVAYaumYrb blwMf91yxGI6Rz/jnKq3cXveXlDmZ6xP/f19c97fXXrWm2oVSh1l2n6bCq7edOGJtVHSv0JmG 0PpzPzFlTytzqGnZ70X+1BsuHyuwevduf43TgXutQhOe5t0f1re1e/e53pLlFiKMxINtZiLih MBji+MzvgCAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-6.tower-206.messagelabs.com!1479816166!71371063!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 39394 invoked from network); 22 Nov 2016 12:02:47 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-6.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:47 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mW-0004pc-11; Tue, 22 Nov 2016 12:02:36 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mV-00089H-W1; Tue, 22 Nov 2016 12:02:35 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:35 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 195 (CVE-2016-9383) - x86 64-bit bit test instruction emulation broken X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9383 / XSA-195 version 3 x86 64-bit bit test instruction emulation broken UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source. When Xen needs to emulate such an instruction, to efficiently handle the emulation, the memory address and register operand are recalculated internally to Xen. In this process, the high bits of an intermediate expression were discarded, leading to both the memory location and the register operand being wrong. The wrong memory location would have only a guest local effect (either access to an unintended location, or a fault delivered to the guest), whereas the wrong register value could lead to either a host crash or an unintended host memory access. IMPACT ====== A malicious guest can modify arbitrary memory, allowing for arbitrary code execution (and therefore privilege escalation affecting the whole host), a crash of the host (leading to a DoS), or information leaks. The vulnerability is sometimes exploitable by unprivileged guest user processes. VULNERABLE SYSTEMS ================== All Xen versions are affected. The vulnerability is only exposed to x86 guests running in 64-bit mode. On Xen 4.6 and earlier the vulnerability is exposed to all guest user processes, including unprivileged processes, in such guests. On Xen 4.7 and later, the vulnerability is exposed only to guest user processes granted a degree of privilege (such as direct hardware access) by the guest administrator; or, to all user processes when the when the VM has been explicitly configured with a non-default cpu vendor string (in xm/xl, this would be done with a `cpuid=' domain config option). The vulnerability is not exposed to 32-bit PV guests. ARM systems are not vulnerable. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by George Dunlap of Citrix, using American Fuzzy Lop v2.35b. RESOLUTION ========== Applying the attached patch resolves this issue. xsa195.patch xen-unstable, Xen 4.7.x, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x $ sha256sum xsa195* 6ab5f13b81e3bbf6096020f4c3beeffaff67a075cab67e033ba27d199b41cec1 xsa195.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDL4AAoJEIP+FMlX6CvZnzYH/RtmqS8kpqLKShvrQx5Ueh+M LaHBWJiU0z1m9FaF9RvEgfvWpUCcD/qyC4rLHmkwhkyS6aIToh2XVXzQyebIqw/7 CCDXaY8TkYlLPYRdNseX5X5blpu1EnqW5yQMJz6QkgDK+Qu4F1jDimSd5JffrFkJ WkpWwsoppNHwYyaENq59lg7R1WxNq0uSLxMPTnk/RpMmizKyU8gK7RrQWHJNoy6n l3vSTKx9sCDo+AgMQgbDMdpvv1l1It+QcRXXBrBp7qAdz+0H7VRkUFOnBUFMQQo3 OjmjStKxnE9E7Uh6+373xj2Z6Nts+wkD72vRHHg/1KTZ5FN5XnS2CvPDNuGZD50= =AtOu -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa195.patch" Content-Disposition: attachment; filename="xsa195.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODZlbXVsOiBmaXggaHVnZSBiaXQgb2Zmc2V0IGhhbmRsaW5nCgpXZSBt dXN0IG5ldmVyIGNob3Agb2ZmIHRoZSBoaWdoIDMyIGJpdHMuCgpUaGlzIGlz IFhTQS0xOTUuCgpSZXBvcnRlZC1ieTogR2VvcmdlIER1bmxhcCA8Z2Vvcmdl LmR1bmxhcEBjaXRyaXguY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGlj aCA8amJldWxpY2hAc3VzZS5jb20+ClJldmlld2VkLWJ5OiBBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPgoKLS0tIGEveGVuL2Fy Y2gveDg2L3g4Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMKKysrIGIveGVuL2Fy Y2gveDg2L3g4Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMKQEAgLTI1NDksNiAr MjU0OSwxMiBAQCB4ODZfZW11bGF0ZSgKICAgICAgICAgZWxzZQogICAgICAg ICB7CiAgICAgICAgICAgICAvKgorICAgICAgICAgICAgICogSW5zdHJ1Y3Rp b25zIHN1Y2ggYXMgYnQgY2FuIHJlZmVyZW5jZSBhbiBhcmJpdHJhcnkgb2Zm c2V0IGZyb20KKyAgICAgICAgICAgICAqIHRoZWlyIG1lbW9yeSBvcGVyYW5k LCBidXQgdGhlIGluc3RydWN0aW9uIGRvaW5nIHRoZSBhY3R1YWwKKyAgICAg ICAgICAgICAqIGVtdWxhdGlvbiBuZWVkcyB0aGUgYXBwcm9wcmlhdGUgb3Bf Ynl0ZXMgcmVhZCBmcm9tIG1lbW9yeS4KKyAgICAgICAgICAgICAqIEFkanVz dCBib3RoIHRoZSBzb3VyY2UgcmVnaXN0ZXIgYW5kIG1lbW9yeSBvcGVyYW5k IHRvIG1ha2UgYW4KKyAgICAgICAgICAgICAqIGVxdWl2YWxlbnQgaW5zdHJ1 Y3Rpb24uCisgICAgICAgICAgICAgKgogICAgICAgICAgICAgICogRUEgICAg ICAgKz0gQml0T2Zmc2V0IERJViBvcF9ieXRlcyo4CiAgICAgICAgICAgICAg KiBCaXRPZmZzZXQgPSBCaXRPZmZzZXQgTU9EIG9wX2J5dGVzKjgKICAgICAg ICAgICAgICAqIERJViB0cnVuY2F0ZXMgdG93YXJkcyBuZWdhdGl2ZSBpbmZp bml0eS4KQEAgLTI1NjAsMTQgKzI1NjYsMTUgQEAgeDg2X2VtdWxhdGUoCiAg ICAgICAgICAgICAgICAgc3JjLnZhbCA9IChpbnQzMl90KXNyYy52YWw7CiAg ICAgICAgICAgICBpZiAoIChsb25nKXNyYy52YWwgPCAwICkKICAgICAgICAg ICAgIHsKLSAgICAgICAgICAgICAgICB1bnNpZ25lZCBsb25nIGJ5dGVfb2Zm c2V0OwotICAgICAgICAgICAgICAgIGJ5dGVfb2Zmc2V0ID0gb3BfYnl0ZXMg KyAoKCgtc3JjLnZhbC0xKSA+PiAzKSAmIH4ob3BfYnl0ZXMtMSkpOworICAg ICAgICAgICAgICAgIHVuc2lnbmVkIGxvbmcgYnl0ZV9vZmZzZXQgPQorICAg ICAgICAgICAgICAgICAgICBvcF9ieXRlcyArICgoKC1zcmMudmFsIC0gMSkg Pj4gMykgJiB+KG9wX2J5dGVzIC0gMUwpKTsKKwogICAgICAgICAgICAgICAg IGVhLm1lbS5vZmYgLT0gYnl0ZV9vZmZzZXQ7CiAgICAgICAgICAgICAgICAg c3JjLnZhbCA9IChieXRlX29mZnNldCA8PCAzKSArIHNyYy52YWw7CiAgICAg ICAgICAgICB9CiAgICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICB7Ci0g ICAgICAgICAgICAgICAgZWEubWVtLm9mZiArPSAoc3JjLnZhbCA+PiAzKSAm IH4ob3BfYnl0ZXMgLSAxKTsKKyAgICAgICAgICAgICAgICBlYS5tZW0ub2Zm ICs9IChzcmMudmFsID4+IDMpICYgfihvcF9ieXRlcyAtIDFMKTsKICAgICAg ICAgICAgICAgICBzcmMudmFsICY9IChvcF9ieXRlcyA8PCAzKSAtIDE7CiAg ICAgICAgICAgICB9CiAgICAgICAgIH0K --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mU-00080O-7i; Tue, 22 Nov 2016 12:02:34 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mT-0007zm-Ii; Tue, 22 Nov 2016 12:02:33 +0000 Received: from [193.109.254.147] by server-9.bemta-6.messagelabs.com id 49/AF-28694-8D334385; Tue, 22 Nov 2016 12:02:32 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrIKsWRWlGSWpSXmKPExsWS0XRdVfe6sUm Ewcfb6ha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNmPGwnbVgd3XF/G0n2RoY b5d2MXJxCAmcY5Q4uvEaO4SzgVFi4aNtTF2MnBzMAq4SN/ZtZoOwFSUu3GtgAbF5BQQlTs58A mZLCGhK3Hmzih3EFhEokth57iWYzSagJzH37CSoOToSL/evBrOFBcolJp69xgoxx0xixeT1YP NZBFQlWq7OZJ/AyDMLyepZSFbPQrJ6FiMHUFxTYv0ufQhTWmL5Pw6IanmJ7W/nMEPY1hL7Vvy AmmIh8eP0B2aYiVO6H7JD2PYSZyZeZIGwbSQmNK7CqubC1H64mr1NN1iR1Sxg5F/FqFGcWlSW WqRrbKyXVJSZnlGSm5iZo2toYKaXm1pcnJiempOYVKyXnJ+7iREYcQxAsINx5/rAQ4ySHExKo ryHlxpFCPEl5adUZiQWZ8QXleakFh9ilOHgUJLgXW5kEiEkWJSanlqRlpkDjH2YtAQHj5IIRJ q3uCAxtzgzHSJ1itGY49aJ5w+YOB79fvuASYglLz8vVUqc9yJIqQBIaUZpHtwgWEq6xCgrJcz LCHSaEE9BalFuZgmq/CtGcQ5GJWFea5ApPJl5JXD7XgGdwgR0iuQ3Y5BTShIRUlINjH4bgk9m BWrb/meYZfFDII7fb++0+xLVz5tjpRuvhe9eKfXwd1GUsOqV7QZblY7MU3ee8uF/zBHtVKGYB 9sKskzutu0z9Ba2S1+26JlU/uwbBdc9/Mxb1bd83Xvv8JTd3FpqG+cZLri674dxrJvoxjdldx +lGOy79bOoY0/24kS5268E4tnVlyuxFGckGmoxFxUnAgCZ+whuRAMAAA== X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-16.tower-27.messagelabs.com!1479816150!72955157!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 24741 invoked from network); 22 Nov 2016 12:02:31 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-16.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:31 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mI-0004om-DB; Tue, 22 Nov 2016 12:02:22 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mI-00086a-9W; Tue, 22 Nov 2016 12:02:22 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:22 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 193 (CVE-2016-9385) - x86 segment base write emulation lacking canonical address checks X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9385 / XSA-193 version 3 x86 segment base write emulation lacking canonical address checks UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a #GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against #GP faults (having recovery code attached) was accidentally removed. IMPACT ====== A malicious guest administrator can crash the host, leading to a DoS. VULNERABLE SYSTEMS ================== Xen versions 4.4 and onwards are affected. Xen versions 4.3 and earlier are not affected. The vulnerability is only exposed to x86 PV guests. The vulnerability is NOT exposed to x86 HVM guests. ARM systems are NOT vulnerable. MITIGATION ========== Running only HVM guests will avoid this vulnerability. For PV guests the vulnerability can be avoided if the guest kernel is controlled by the host rather than guest administrator, provided that further steps are taken to prevent the guest administrator from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa193.patch xen-unstable xsa193-4.7.patch Xen 4.7.x, Xen 4.6.x xsa193-4.5.patch Xen 4.5.x, Xen 4.4.x $ sha256sum xsa193* 401df29b462a3430403a4f5bb36fd7824e692c9b5bac650e1a9d70bd440a55a1 xsa193.patch b3494b1fe5fefc0d032bd603340e364c880ec0d3ae3fb8aa3a773038e956f955 xsa193-4.5.patch f1b0092c585ebffe83d6ed7df94885ec5dfcb4227bdb33f421bad9febb8135a1 xsa193-4.7.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDK2AAoJEIP+FMlX6CvZswsIAI17sWqaGeP8GvtddxR08G2J 3Nb7Lnb/4cq8Hdc5XmUnX/zuDqobT5AGJEgKAuhRc9zs2TOv8FwcABc+/odKG6ak tcMAaLThMcKbB0b0ZYEkcrU+jaCDDVE3rYVGjKv0hHKZNRY/SmWOdl180xcHksXG pj5OQn6/+db6nqMlhyOcOyjM3w1/1AUe/O0EDsdUSNrY1mZi4/MjUXlDaJTZbDCc KW9XUeRSq66iZELawBaosViTenOm/R+8DJGiR8fmJlXx+gzpEywtsEUCrxeKlTDo tT68gwy0aHdlqKbIthkKr5qaT5FtKPyX0UpIXu7qtldbdEZG61iIlNOEG8tyPhU= =fjbt -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa193.patch" Content-Disposition: attachment; filename="xsa193.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvUFY6IHdyaXRlcyBvZiAlZnMgYW5kICVncyBiYXNlIE1TUnMgcmVx dWlyZSBjYW5vbmljYWwgYWRkcmVzc2VzCgpDb21taXQgYzQyNDk0YWNiMiAo Ing4NjogZml4IEZTL0dTIGJhc2UgaGFuZGxpbmcgd2hlbiB1c2luZyB0aGUK ZnNnc2Jhc2UgZmVhdHVyZSIpIHJlcGxhY2VkIHRoZSB1c2Ugb2Ygd3Jtc3Jf c2FmZSgpIG9uIHRoZXNlIHBhdGhzCndpdGhvdXQgcmVjb2duaXppbmcgdGhh dCB3cntmLGd9c2Jhc2UoKSB1c2UganVzdCB3cm1zcmwoKSBhbmQgdGhhdCB0 aGUKV1J7RixHfVNCQVNFIGluc3RydWN0aW9ucyBhbHNvIHJhaXNlICNHUCBm b3Igbm9uLWNhbm9uaWNhbCBpbnB1dC4KClNpbWlsYXJseSBhcmNoX3NldF9p bmZvX2d1ZXN0KCkgbmVlZHMgdG8gcHJldmVudCBub24tY2Fub25pY2FsCmFk ZHJlc3NlcyBmcm9tIGdldHRpbmcgc3RvcmVkIGludG8gc3RhdGUgbGF0ZXIg dG8gYmUgbG9hZGVkIGJ5IGNvbnRleHQKc3dpdGNoIGNvZGUuIEZvciBjb25z aXN0ZW5jeSBhbHNvIGNoZWNrIHN0YWNrIHBvaW50ZXJzIGFuZCBMRFQgYmFz ZS4KRFIwLi4zLCBvdG9oLCBhbHJlYWR5IGdldCBwcm9wZXJseSBjaGVja2Vk IGluIHNldF9kZWJ1Z3JlZygpIChhbGJlaXQKd2UgZGlzY2FyZCB0aGUgZXJy b3IgdGhlcmUpLgoKVGhlIFNIQURPV19HU19CQVNFIGNoZWNrIGlzbid0IHN0 cmljdGx5IG5lY2Vzc2FyeSwgYnV0IEkgdGhpbmsgd2UKYmV0dGVyIGF2b2lk IHRyeWluZyB0aGUgV1JNU1IgaWYgd2Uga25vdyBpdCdzIGdvaW5nIHRvIGZh aWwuCgpUaGlzIGlzIFhTQS0xOTMuCgpSZXBvcnRlZC1ieTogQW5kcmV3IENv b3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpSZXZpZXdlZC1i eTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4K Ci0tLSBhL3hlbi9hcmNoL3g4Ni9kb21haW4uYworKysgYi94ZW4vYXJjaC94 ODYvZG9tYWluLmMKQEAgLTg5Nyw3ICs4OTcsMTMgQEAgaW50IGFyY2hfc2V0 X2luZm9fZ3Vlc3QoCiAgICAgewogICAgICAgICBpZiAoICFjb21wYXQgKQog ICAgICAgICB7Ci0gICAgICAgICAgICBpZiAoICFpc19jYW5vbmljYWxfYWRk cmVzcyhjLm5hdC0+dXNlcl9yZWdzLmVpcCkgfHwKKyAgICAgICAgICAgIGlm ICggIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMubmF0LT51c2VyX3JlZ3Mucmlw KSB8fAorICAgICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3Mo Yy5uYXQtPnVzZXJfcmVncy5yc3ApIHx8CisgICAgICAgICAgICAgICAgICFp c19jYW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+a2VybmVsX3NwKSB8fAorICAg ICAgICAgICAgICAgICAoYy5uYXQtPmxkdF9lbnRzICYmICFpc19jYW5vbmlj YWxfYWRkcmVzcyhjLm5hdC0+bGR0X2Jhc2UpKSB8fAorICAgICAgICAgICAg ICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmZzX2Jhc2UpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhjLm5h dC0+Z3NfYmFzZV9rZXJuZWwpIHx8CisgICAgICAgICAgICAgICAgICFpc19j YW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+Z3NfYmFzZV91c2VyKSB8fAogICAg ICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmV2 ZW50X2NhbGxiYWNrX2VpcCkgfHwKICAgICAgICAgICAgICAgICAgIWlzX2Nh bm9uaWNhbF9hZGRyZXNzKGMubmF0LT5zeXNjYWxsX2NhbGxiYWNrX2VpcCkg fHwKICAgICAgICAgICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMu bmF0LT5mYWlsc2FmZV9jYWxsYmFja19laXApICkKLS0tIGEveGVuL2FyY2gv eDg2L3RyYXBzLmMKKysrIGIveGVuL2FyY2gveDg2L3RyYXBzLmMKQEAgLTI1 NjAsMjEgKzI1NjAsMjEgQEAgc3RhdGljIGludCBwcml2X29wX3dyaXRlX21z cih1bnNpZ25lZCBpbgogICAgICAgICBpbnQgcmM7CiAKICAgICBjYXNlIE1T Ul9GU19CQVNFOgotICAgICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihj dXJyZCkgKQorICAgICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJy ZCkgfHwgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKHZhbCkgKQogICAgICAgICAg ICAgYnJlYWs7CiAgICAgICAgIHdyZnNiYXNlKHZhbCk7CiAgICAgICAgIGN1 cnItPmFyY2gucHZfdmNwdS5mc19iYXNlID0gdmFsOwogICAgICAgICByZXR1 cm4gWDg2RU1VTF9PS0FZOwogCiAgICAgY2FzZSBNU1JfR1NfQkFTRToKLSAg ICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpICkKKyAgICAg ICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8ICFpc19jYW5v bmljYWxfYWRkcmVzcyh2YWwpICkKICAgICAgICAgICAgIGJyZWFrOwogICAg ICAgICB3cmdzYmFzZSh2YWwpOwogICAgICAgICBjdXJyLT5hcmNoLnB2X3Zj cHUuZ3NfYmFzZV9rZXJuZWwgPSB2YWw7CiAgICAgICAgIHJldHVybiBYODZF TVVMX09LQVk7CiAKICAgICBjYXNlIE1TUl9TSEFET1dfR1NfQkFTRToKLSAg ICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8CisgICAg ICAgIGlmICggaXNfcHZfMzJiaXRfZG9tYWluKGN1cnJkKSB8fCAhaXNfY2Fu b25pY2FsX2FkZHJlc3ModmFsKSB8fAogICAgICAgICAgICAgIHdybXNyX3Nh ZmUoTVNSX1NIQURPV19HU19CQVNFLCB2YWwpICkKICAgICAgICAgICAgIGJy ZWFrOwogICAgICAgICBjdXJyLT5hcmNoLnB2X3ZjcHUuZ3NfYmFzZV91c2Vy ID0gdmFsOwo= --=separator Content-Type: application/octet-stream; name="xsa193-4.5.patch" Content-Disposition: attachment; filename="xsa193-4.5.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvUFY6IHdyaXRlcyBvZiAlZnMgYW5kICVncyBiYXNlIE1TUnMgcmVx dWlyZSBjYW5vbmljYWwgYWRkcmVzc2VzCgpDb21taXQgYzQyNDk0YWNiMiAo Ing4NjogZml4IEZTL0dTIGJhc2UgaGFuZGxpbmcgd2hlbiB1c2luZyB0aGUK ZnNnc2Jhc2UgZmVhdHVyZSIpIHJlcGxhY2VkIHRoZSB1c2Ugb2Ygd3Jtc3Jf c2FmZSgpIG9uIHRoZXNlIHBhdGhzCndpdGhvdXQgcmVjb2duaXppbmcgdGhh dCB3cntmLGd9c2Jhc2UoKSB1c2UganVzdCB3cm1zcmwoKSBhbmQgdGhhdCB0 aGUKV1J7RixHfVNCQVNFIGluc3RydWN0aW9ucyBhbHNvIHJhaXNlICNHUCBm b3Igbm9uLWNhbm9uaWNhbCBpbnB1dC4KClNpbWlsYXJseSBhcmNoX3NldF9p bmZvX2d1ZXN0KCkgbmVlZHMgdG8gcHJldmVudCBub24tY2Fub25pY2FsCmFk ZHJlc3NlcyBmcm9tIGdldHRpbmcgc3RvcmVkIGludG8gc3RhdGUgbGF0ZXIg dG8gYmUgbG9hZGVkIGJ5IGNvbnRleHQKc3dpdGNoIGNvZGUuIEZvciBjb25z aXN0ZW5jeSBhbHNvIGNoZWNrIHN0YWNrIHBvaW50ZXJzIGFuZCBMRFQgYmFz ZS4KRFIwLi4zLCBvdG9oLCBhbHJlYWR5IGdldCBwcm9wZXJseSBjaGVja2Vk IGluIHNldF9kZWJ1Z3JlZygpIChhbGJlaXQKd2UgZGlzY2FyZCB0aGUgZXJy b3IgdGhlcmUpLgoKVGhlIFNIQURPV19HU19CQVNFIGNoZWNrIGlzbid0IHN0 cmljdGx5IG5lY2Vzc2FyeSwgYnV0IEkgdGhpbmsgd2UKYmV0dGVyIGF2b2lk IHRyeWluZyB0aGUgV1JNU1IgaWYgd2Uga25vdyBpdCdzIGdvaW5nIHRvIGZh aWwuCgpUaGlzIGlzIFhTQS0xOTMuCgpSZXBvcnRlZC1ieTogQW5kcmV3IENv b3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpSZXZpZXdlZC1i eTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4K Ci0tLSBhL3hlbi9hcmNoL3g4Ni9kb21haW4uYworKysgYi94ZW4vYXJjaC94 ODYvZG9tYWluLmMKQEAgLTc0MSw3ICs3NDEsMTMgQEAgaW50IGFyY2hfc2V0 X2luZm9fZ3Vlc3QoCiAgICAgewogICAgICAgICBpZiAoICFjb21wYXQgKQog ICAgICAgICB7Ci0gICAgICAgICAgICBpZiAoICFpc19jYW5vbmljYWxfYWRk cmVzcyhjLm5hdC0+dXNlcl9yZWdzLmVpcCkgfHwKKyAgICAgICAgICAgIGlm ICggIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMubmF0LT51c2VyX3JlZ3Mucmlw KSB8fAorICAgICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3Mo Yy5uYXQtPnVzZXJfcmVncy5yc3ApIHx8CisgICAgICAgICAgICAgICAgICFp c19jYW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+a2VybmVsX3NwKSB8fAorICAg ICAgICAgICAgICAgICAoYy5uYXQtPmxkdF9lbnRzICYmICFpc19jYW5vbmlj YWxfYWRkcmVzcyhjLm5hdC0+bGR0X2Jhc2UpKSB8fAorICAgICAgICAgICAg ICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmZzX2Jhc2UpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhjLm5h dC0+Z3NfYmFzZV9rZXJuZWwpIHx8CisgICAgICAgICAgICAgICAgICFpc19j YW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+Z3NfYmFzZV91c2VyKSB8fAogICAg ICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmV2 ZW50X2NhbGxiYWNrX2VpcCkgfHwKICAgICAgICAgICAgICAgICAgIWlzX2Nh bm9uaWNhbF9hZGRyZXNzKGMubmF0LT5zeXNjYWxsX2NhbGxiYWNrX2VpcCkg fHwKICAgICAgICAgICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMu bmF0LT5mYWlsc2FmZV9jYWxsYmFja19laXApICkKLS0tIGEveGVuL2FyY2gv eDg2L3RyYXBzLmMKKysrIGIveGVuL2FyY2gveDg2L3RyYXBzLmMKQEAgLTI0 MzksMTkgKzI0MzksMTkgQEAgc3RhdGljIGludCBlbXVsYXRlX3ByaXZpbGVn ZWRfb3Aoc3RydWN0CiAgICAgICAgIHN3aXRjaCAoICh1MzIpcmVncy0+ZWN4 ICkKICAgICAgICAgewogICAgICAgICBjYXNlIE1TUl9GU19CQVNFOgotICAg ICAgICAgICAgaWYgKCBpc19wdl8zMm9uNjRfdmNwdSh2KSApCisgICAgICAg ICAgICBpZiAoIGlzX3B2XzMyb242NF92Y3B1KHYpIHx8ICFpc19jYW5vbmlj YWxfYWRkcmVzcyhtc3JfY29udGVudCkgKQogICAgICAgICAgICAgICAgIGdv dG8gZmFpbDsKICAgICAgICAgICAgIHdyZnNiYXNlKG1zcl9jb250ZW50KTsK ICAgICAgICAgICAgIHYtPmFyY2gucHZfdmNwdS5mc19iYXNlID0gbXNyX2Nv bnRlbnQ7CiAgICAgICAgICAgICBicmVhazsKICAgICAgICAgY2FzZSBNU1Jf R1NfQkFTRToKLSAgICAgICAgICAgIGlmICggaXNfcHZfMzJvbjY0X3ZjcHUo dikgKQorICAgICAgICAgICAgaWYgKCBpc19wdl8zMm9uNjRfdmNwdSh2KSB8 fCAhaXNfY2Fub25pY2FsX2FkZHJlc3MobXNyX2NvbnRlbnQpICkKICAgICAg ICAgICAgICAgICBnb3RvIGZhaWw7CiAgICAgICAgICAgICB3cmdzYmFzZSht c3JfY29udGVudCk7CiAgICAgICAgICAgICB2LT5hcmNoLnB2X3ZjcHUuZ3Nf YmFzZV9rZXJuZWwgPSBtc3JfY29udGVudDsKICAgICAgICAgICAgIGJyZWFr OwogICAgICAgICBjYXNlIE1TUl9TSEFET1dfR1NfQkFTRToKLSAgICAgICAg ICAgIGlmICggaXNfcHZfMzJvbjY0X3ZjcHUodikgKQorICAgICAgICAgICAg aWYgKCBpc19wdl8zMm9uNjRfdmNwdSh2KSB8fCAhaXNfY2Fub25pY2FsX2Fk ZHJlc3MobXNyX2NvbnRlbnQpICkKICAgICAgICAgICAgICAgICBnb3RvIGZh aWw7CiAgICAgICAgICAgICBpZiAoIHdybXNyX3NhZmUoTVNSX1NIQURPV19H U19CQVNFLCBtc3JfY29udGVudCkgKQogICAgICAgICAgICAgICAgIGdvdG8g ZmFpbDsK --=separator Content-Type: application/octet-stream; name="xsa193-4.7.patch" Content-Disposition: attachment; filename="xsa193-4.7.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ODYvUFY6IHdyaXRlcyBvZiAlZnMgYW5kICVncyBiYXNlIE1TUnMgcmVx dWlyZSBjYW5vbmljYWwgYWRkcmVzc2VzCgpDb21taXQgYzQyNDk0YWNiMiAo Ing4NjogZml4IEZTL0dTIGJhc2UgaGFuZGxpbmcgd2hlbiB1c2luZyB0aGUK ZnNnc2Jhc2UgZmVhdHVyZSIpIHJlcGxhY2VkIHRoZSB1c2Ugb2Ygd3Jtc3Jf c2FmZSgpIG9uIHRoZXNlIHBhdGhzCndpdGhvdXQgcmVjb2duaXppbmcgdGhh dCB3cntmLGd9c2Jhc2UoKSB1c2UganVzdCB3cm1zcmwoKSBhbmQgdGhhdCB0 aGUKV1J7RixHfVNCQVNFIGluc3RydWN0aW9ucyBhbHNvIHJhaXNlICNHUCBm b3Igbm9uLWNhbm9uaWNhbCBpbnB1dC4KClNpbWlsYXJseSBhcmNoX3NldF9p bmZvX2d1ZXN0KCkgbmVlZHMgdG8gcHJldmVudCBub24tY2Fub25pY2FsCmFk ZHJlc3NlcyBmcm9tIGdldHRpbmcgc3RvcmVkIGludG8gc3RhdGUgbGF0ZXIg dG8gYmUgbG9hZGVkIGJ5IGNvbnRleHQKc3dpdGNoIGNvZGUuIEZvciBjb25z aXN0ZW5jeSBhbHNvIGNoZWNrIHN0YWNrIHBvaW50ZXJzIGFuZCBMRFQgYmFz ZS4KRFIwLi4zLCBvdG9oLCBhbHJlYWR5IGdldCBwcm9wZXJseSBjaGVja2Vk IGluIHNldF9kZWJ1Z3JlZygpIChhbGJlaXQKd2UgZGlzY2FyZCB0aGUgZXJy b3IgdGhlcmUpLgoKVGhlIFNIQURPV19HU19CQVNFIGNoZWNrIGlzbid0IHN0 cmljdGx5IG5lY2Vzc2FyeSwgYnV0IEkgdGhpbmsgd2UKYmV0dGVyIGF2b2lk IHRyeWluZyB0aGUgV1JNU1IgaWYgd2Uga25vdyBpdCdzIGdvaW5nIHRvIGZh aWwuCgpUaGlzIGlzIFhTQS0xOTMuCgpSZXBvcnRlZC1ieTogQW5kcmV3IENv b3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4KU2lnbmVkLW9mZi1i eTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpSZXZpZXdlZC1i eTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNvbT4K Ci0tLSBhL3hlbi9hcmNoL3g4Ni9kb21haW4uYworKysgYi94ZW4vYXJjaC94 ODYvZG9tYWluLmMKQEAgLTg5MCw3ICs4OTAsMTMgQEAgaW50IGFyY2hfc2V0 X2luZm9fZ3Vlc3QoCiAgICAgewogICAgICAgICBpZiAoICFjb21wYXQgKQog ICAgICAgICB7Ci0gICAgICAgICAgICBpZiAoICFpc19jYW5vbmljYWxfYWRk cmVzcyhjLm5hdC0+dXNlcl9yZWdzLmVpcCkgfHwKKyAgICAgICAgICAgIGlm ICggIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMubmF0LT51c2VyX3JlZ3Mucmlw KSB8fAorICAgICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3Mo Yy5uYXQtPnVzZXJfcmVncy5yc3ApIHx8CisgICAgICAgICAgICAgICAgICFp c19jYW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+a2VybmVsX3NwKSB8fAorICAg ICAgICAgICAgICAgICAoYy5uYXQtPmxkdF9lbnRzICYmICFpc19jYW5vbmlj YWxfYWRkcmVzcyhjLm5hdC0+bGR0X2Jhc2UpKSB8fAorICAgICAgICAgICAg ICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmZzX2Jhc2UpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhjLm5h dC0+Z3NfYmFzZV9rZXJuZWwpIHx8CisgICAgICAgICAgICAgICAgICFpc19j YW5vbmljYWxfYWRkcmVzcyhjLm5hdC0+Z3NfYmFzZV91c2VyKSB8fAogICAg ICAgICAgICAgICAgICAhaXNfY2Fub25pY2FsX2FkZHJlc3MoYy5uYXQtPmV2 ZW50X2NhbGxiYWNrX2VpcCkgfHwKICAgICAgICAgICAgICAgICAgIWlzX2Nh bm9uaWNhbF9hZGRyZXNzKGMubmF0LT5zeXNjYWxsX2NhbGxiYWNrX2VpcCkg fHwKICAgICAgICAgICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKGMu bmF0LT5mYWlsc2FmZV9jYWxsYmFja19laXApICkKLS0tIGEveGVuL2FyY2gv eDg2L3RyYXBzLmMKKysrIGIveGVuL2FyY2gveDg2L3RyYXBzLmMKQEAgLTI3 MjMsMTkgKzI3MjMsMjIgQEAgc3RhdGljIGludCBlbXVsYXRlX3ByaXZpbGVn ZWRfb3Aoc3RydWN0CiAgICAgICAgIHN3aXRjaCAoIHJlZ3MtPl9lY3ggKQog ICAgICAgICB7CiAgICAgICAgIGNhc2UgTVNSX0ZTX0JBU0U6Ci0gICAgICAg ICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJyZCkgKQorICAgICAg ICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8CisgICAg ICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhtc3JfY29udGVu dCkgKQogICAgICAgICAgICAgICAgIGdvdG8gZmFpbDsKICAgICAgICAgICAg IHdyZnNiYXNlKG1zcl9jb250ZW50KTsKICAgICAgICAgICAgIHYtPmFyY2gu cHZfdmNwdS5mc19iYXNlID0gbXNyX2NvbnRlbnQ7CiAgICAgICAgICAgICBi cmVhazsKICAgICAgICAgY2FzZSBNU1JfR1NfQkFTRToKLSAgICAgICAgICAg IGlmICggaXNfcHZfMzJiaXRfZG9tYWluKGN1cnJkKSApCisgICAgICAgICAg ICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJyZCkgfHwKKyAgICAgICAg ICAgICAgICAgIWlzX2Nhbm9uaWNhbF9hZGRyZXNzKG1zcl9jb250ZW50KSAp CiAgICAgICAgICAgICAgICAgZ290byBmYWlsOwogICAgICAgICAgICAgd3Jn c2Jhc2UobXNyX2NvbnRlbnQpOwogICAgICAgICAgICAgdi0+YXJjaC5wdl92 Y3B1LmdzX2Jhc2Vfa2VybmVsID0gbXNyX2NvbnRlbnQ7CiAgICAgICAgICAg ICBicmVhazsKICAgICAgICAgY2FzZSBNU1JfU0hBRE9XX0dTX0JBU0U6Ci0g ICAgICAgICAgICBpZiAoIGlzX3B2XzMyYml0X2RvbWFpbihjdXJyZCkgKQor ICAgICAgICAgICAgaWYgKCBpc19wdl8zMmJpdF9kb21haW4oY3VycmQpIHx8 CisgICAgICAgICAgICAgICAgICFpc19jYW5vbmljYWxfYWRkcmVzcyhtc3Jf Y29udGVudCkgKQogICAgICAgICAgICAgICAgIGdvdG8gZmFpbDsKICAgICAg ICAgICAgIGlmICggd3Jtc3Jfc2FmZShNU1JfU0hBRE9XX0dTX0JBU0UsIG1z cl9jb250ZW50KSApCiAgICAgICAgICAgICAgICAgZ290byBmYWlsOwo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mt-0008Pg-91; Tue, 22 Nov 2016 12:02:59 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99ms-0008Ny-7j; Tue, 22 Nov 2016 12:02:58 +0000 Received: from [85.158.143.35] by server-9.bemta-6.messagelabs.com id 6D/71-28694-1F334385; Tue, 22 Nov 2016 12:02:57 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprDJsWRWlGSWpSXmKPExsWS0XRdVfeDsUm EwcpGLotbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBmPNi+j7ng6CrGitvvJrA0 MG5YxNjFyMUhJHCOUWLO1z1QzgZGibsr3rJ1MXJyMAu4StzYtxnKVpS4cK+BBcTmFRCUODnzC ZgtIaApcefNKnYQW0SgSGLnuZdgNpuAnsTcs5OYIHp1JF7uXw1mCwskSRyb1skEMcdMon/tI1 YQm0VAVWLnjzbWCYw8s5CsnoVk9Swkq2cxcgDFNSXW79KHMKUllv/jgKiWl9j+dg4zzJS+x5N ZIUqcJG5v0IEZOKX7ITtMSdPuXhaYkpWLk7ApWff5FCOE7STxvmMrEzY1nas3MMGMudBSianE UWL/1x9QrXYSve+a2LCpWfb6AVxNy9rZKFYtYJRYxahRnFpUllqka2ipl1SUmZ5RkpuYmaNra GCml5taXJyYnpqTmFSsl5yfu4kRmEYYgGAH449lAYcYJTmYlER5Dy81ihDiS8pPqcxILM6ILy rNSS0+xCjDwaEkwSsATEtCgkWp6akVaZk5wIQGk5bg4FES4Y0DSfMWFyTmFmemQ6ROMRpz3Dr x/AETx6Pfbx8wCbHk5eelSonzXjQCKhUAKc0ozYMbBEu0lxhlpYR5GYFOE+IpSC3KzSxBlX/F KM7BqCTMqwKykCczrwRu3yugU5iATpH8ZgxySkkiQkqqgXHVffWnIve+CB7q51l9IHpxRsyyg O9blJNiFWY9dnR/WpYm0t4Rfig01WPTjkWhC6+9efbeqvtx8InXand9bp3qmDp3t3TP+UgRqQ 2Ja5yW98jPfM+8bfX5whnPVK44vuuXkLMqNN8RKHHx59TMbIZ0/YW1iw7ertSQ4KvYNt3k+/I ztw5NmKepxFKckWioxVxUnAgALxxIAq8DAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-15.tower-21.messagelabs.com!1479816175!44448227!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 64487 invoked from network); 22 Nov 2016 12:02:55 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-15.tower-21.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:55 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mc-0004rB-IE; Tue, 22 Nov 2016 12:02:42 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mc-0008Ck-Ee; Tue, 22 Nov 2016 12:02:42 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:42 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 197 (CVE-2016-9381) - qemu incautious about shared ring processing X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9381 / XSA-197 version 3 qemu incautious about shared ring processing UPDATES IN VERSION 3 ==================== Added email header syntax to patches, for e.g. git-am. Public release. ISSUE DESCRIPTION ================= The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu. IMPACT ====== Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process. In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host. VULNERABLE SYSTEMS ================== All Xen versions with all flavors of qemu are affected. Only x86 HVM guests expose the vulnerability. x86 PV guests do not expose the vulnerability. ARM systems are not vulnerable. MITIGATION ========== Running only PV guests will avoid the vulnerability. Enabling stubdomains will mitigate this issue, by reducing the escalation to only those privileges accorded to the service domain. In a usual configuration, a service domain has only the privilege of the guest, so this eliminates the vulnerability. The vulnerability can be avoided if the guest kernel is controlled by the host rather than guest administrator, provided that further steps are taken to prevent the guest administrator from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. CREDITS ======= This issue was discovered by yanghongke of Huawei Security Test Team. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa197-qemuu.patch qemu-upstream xen-unstable, Xen 4.7.x xsa197-qemut.patch qemu-traditional xen-unstable, Xen 4.7.x, Xen 4.6.x xsa197-4.6-qemuu.patch qemu-upstream Xen 4.6.x xsa197-4.5-qemuu.patch qemu-upstream Xen 4.5.x xsa197-4.5-qemut.patch qemu-traditional Xen 4.5.x, Xen 4.4.x xsa197-4.4-qemuu.patch qemu-upstream Xen 4.4.x $ sha256sum xsa197* a7d63958e3d3afc21c0585ec4690886a3191f01127583b4a29766c45fe4dd611 xsa197-4.4-qemuu.patch 56d037b3eaa0c3f5a7c474ad5087d8a41c2769d0d8b39c8f64699215a33e17a6 xsa197-4.5-qemut.patch 902836f0e5c6c46193c06f7c133a3bdd59f902ee490b962857640a6cd73e4be7 xsa197-4.5-qemuu.patch 20a418606f5536ac4fb009f21548a28b1b32dfb08fc97a259c40240d37a2abe8 xsa197-4.6-qemuu.patch 266996b2b5ac65ded76af63b3d57d4972ab95522b517e7bc9c5ff554d8c2d5e0 xsa197-qemut.patch cd08b149c97b3f94dcda14b1f280dbb92911d93ffcd5dbcf5ee5ab2bebdc7878 xsa197-qemuu.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patch described above (or others which are substantially similar) and the PV guest mitigation are permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER deployment of the stubdomain mitigation described above is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because in that case the configuration change may be visible to the guest which could lead to the rediscovery of the vulnerability. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDNLAAoJEIP+FMlX6CvZTvUIALi45XVEJv4ZqNsB1kX3mXIF 5ocmSFCrSDDIcKEg2xQ49PKwqE/ZwMLhKuX0dFi/inidqx7FynYknziaR3svIeir ALTDP6Emsk/OB7T4epjGnuFW05RTfkQmwzEyY/XCAJVrJlkzKGh3WYVtwk+/PELT 3ab9dMEcziaUM+Ax3phJ4PHi315If2rLS4gNfqGO5jv/gnMyXk4DHQ8QZUHIGs4F 8tA/ATPaZxNK8OIwGEIz32PlLxwWHsQQz6JEAtvNwGDTNMDwlx3RzHSvjJSLOIKB Aap6qw4c9olK172LQbvBqvP09Eupi3YSevx3AD0gmqKVwj8ql/lNUSNBf9CSfPc= =SBVo -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa197-4.4-qemuu.patch" Content-Disposition: attachment; filename="xsa197-4.4-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1hbGwuYworKysgYi94ZW4tYWxsLmMK QEAgLTcwNSw2ICs3MDUsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiB7CiAgICAgdWludDMyX3QgaTsKIAorICAgIGlm IChyZXEtPnNpemUgPiBzaXplb2YodWludDMyX3QpKSB7CisgICAgICAgIGh3 X2Vycm9yKCJQSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAg IH0KKwogICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICAgICAgcmVx LT5kYXRhID0gZG9faW5wKHJlcS0+YWRkciwgcmVxLT5zaXplKTsKQEAgLTcz NCw2ICs3MzgsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21vdmUoaW9y ZXFfdCAqcmVxKQogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBpZiAocmVx LT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAgaHdfZXJy b3IoIk1NSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAgIH0K KwogICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICBpZiAo cmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAgICAgICAgICAgZm9yIChp ID0gMDsgaSA8IHJlcS0+Y291bnQ7IGkrKykgewpAQCAtODA5LDExICs4MTcs MTMgQEAgc3RhdGljIGludCBoYW5kbGVfYnVmZmVyZWRfaW9wYWdlKFhlbklP UwogICAgICAgICByZXEuZGYgPSAxOwogICAgICAgICByZXEudHlwZSA9IGJ1 Zl9yZXEtPnR5cGU7CiAgICAgICAgIHJlcS5kYXRhX2lzX3B0ciA9IDA7Cisg ICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgcXcgPSAocmVxLnNpemUgPT0g OCk7CiAgICAgICAgIGlmIChxdykgewogICAgICAgICAgICAgYnVmX3JlcSA9 ICZzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+YnVmX2lvcmVxWwogICAgICAg ICAgICAgICAgIChzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+cmVhZF9wb2lu dGVyICsgMSkgJSBJT1JFUV9CVUZGRVJfU0xPVF9OVU1dOwogICAgICAgICAg ICAgcmVxLmRhdGEgfD0gKCh1aW50NjRfdClidWZfcmVxLT5kYXRhKSA8PCAz MjsKKyAgICAgICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgfQogCiAgICAg ICAgIGhhbmRsZV9pb3JlcSgmcmVxKTsKQEAgLTg0NSw3ICs4NTUsMTEgQEAg c3RhdGljIHZvaWQgY3B1X2hhbmRsZV9pb3JlcSh2b2lkICpvcGFxdQogCiAg ICAgaGFuZGxlX2J1ZmZlcmVkX2lvcGFnZShzdGF0ZSk7CiAgICAgaWYgKHJl cSkgewotICAgICAgICBoYW5kbGVfaW9yZXEocmVxKTsKKyAgICAgICAgaW9y ZXFfdCBjb3B5ID0gKnJlcTsKKworICAgICAgICB4ZW5fcm1iKCk7CisgICAg ICAgIGhhbmRsZV9pb3JlcSgmY29weSk7CisgICAgICAgIHJlcS0+ZGF0YSA9 IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBTVEFU RV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYoc3Rk ZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGluIHNlcnZp Y2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-4.5-qemut.patch" Content-Disposition: attachment; filename="xsa197-4.5-qemut.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRy aXguY29tPgoKLS0tIGEvaTM4Ni1kbS9oZWxwZXIyLmMKKysrIGIvaTM4Ni1k bS9oZWxwZXIyLmMKQEAgLTM3NCw2ICszNzQsMTEgQEAgc3RhdGljIHZvaWQg Y3B1X2lvcmVxX3BpbyhDUFVTdGF0ZSAqZW52LAogewogICAgIHVpbnQzMl90 IGk7CiAKKyAgICBpZiAocmVxLT5zaXplID4gc2l6ZW9mKHVuc2lnbmVkIGxv bmcpKSB7CisgICAgICAgIGZwcmludGYoc3RkZXJyLCAiUElPOiBiYWQgc2l6 ZSAoJXUpXG4iLCByZXEtPnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAg ICB9CisKICAgICBpZiAocmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAg ICAgICBpZiAoIXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgICAgIHJl cS0+ZGF0YSA9IGRvX2lucChlbnYsIHJlcS0+YWRkciwgcmVxLT5zaXplKTsK QEAgLTQwMyw2ICs0MDgsMTEgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21v dmUoQ1BVU3RhdGUgKmVudgogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBp ZiAocmVxLT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAg ZnByaW50ZihzdGRlcnIsICJNTUlPOiBiYWQgc2l6ZSAoJXUpXG4iLCByZXEt PnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAgICB9CisKICAgICBpZiAo IXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgaWYgKHJlcS0+ZGlyID09 IElPUkVRX1JFQUQpIHsKICAgICAgICAgICAgIGZvciAoaSA9IDA7IGkgPCBy ZXEtPmNvdW50OyBpKyspIHsKQEAgLTUwNiwxMSArNTE2LDEzIEBAIHN0YXRp YyBpbnQgX19oYW5kbGVfYnVmZmVyZWRfaW9wYWdlKENQVVMKICAgICAgICAg cmVxLmRmID0gMTsKICAgICAgICAgcmVxLnR5cGUgPSBidWZfcmVxLT50eXBl OwogICAgICAgICByZXEuZGF0YV9pc19wdHIgPSAwOworICAgICAgICB4ZW5f cm1iKCk7CiAgICAgICAgIHF3ID0gKHJlcS5zaXplID09IDgpOwogICAgICAg ICBpZiAocXcpIHsKICAgICAgICAgICAgIGJ1Zl9yZXEgPSAmYnVmZmVyZWRf aW9fcGFnZS0+YnVmX2lvcmVxWwogICAgICAgICAgICAgICAgIChidWZmZXJl ZF9pb19wYWdlLT5yZWFkX3BvaW50ZXIrMSkgJSBJT1JFUV9CVUZGRVJfU0xP VF9OVU1dOwogICAgICAgICAgICAgcmVxLmRhdGEgfD0gKCh1aW50NjRfdCli dWZfcmVxLT5kYXRhKSA8PCAzMjsKKyAgICAgICAgICAgIHhlbl9ybWIoKTsK ICAgICAgICAgfQogCiAgICAgICAgIF9faGFuZGxlX2lvcmVxKGVudiwgJnJl cSk7CkBAIC01NDMsNyArNTU1LDExIEBAIHN0YXRpYyB2b2lkIGNwdV9oYW5k bGVfaW9yZXEodm9pZCAqb3BhcXUKIAogICAgIF9faGFuZGxlX2J1ZmZlcmVk X2lvcGFnZShlbnYpOwogICAgIGlmIChyZXEpIHsKLSAgICAgICAgX19oYW5k bGVfaW9yZXEoZW52LCByZXEpOworICAgICAgICBpb3JlcV90IGNvcHkgPSAq cmVxOworCisgICAgICAgIHhlbl9ybWIoKTsKKyAgICAgICAgX19oYW5kbGVf aW9yZXEoZW52LCAmY29weSk7CisgICAgICAgIHJlcS0+ZGF0YSA9IGNvcHku ZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBTVEFURV9JT1JF UV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYobG9nZmlsZSwg IkJhZG5lc3MgaW4gSS9PIHJlcXVlc3QgLi4uIG5vdCBpbiBzZXJ2aWNlPyE6 ICIK --=separator Content-Type: application/octet-stream; name="xsa197-4.5-qemuu.patch" Content-Disposition: attachment; filename="xsa197-4.5-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1odm0uYworKysgYi94ZW4taHZtLmMK QEAgLTcyMiw2ICs3MjIsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiB7CiAgICAgdWludDMyX3QgaTsKIAorICAgIGlm IChyZXEtPnNpemUgPiBzaXplb2YodWludDMyX3QpKSB7CisgICAgICAgIGh3 X2Vycm9yKCJQSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAg IH0KKwogICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICAgICAgcmVx LT5kYXRhID0gZG9faW5wKHJlcS0+YWRkciwgcmVxLT5zaXplKTsKQEAgLTc1 MSw2ICs3NTUsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21vdmUoaW9y ZXFfdCAqcmVxKQogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBpZiAocmVx LT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAgaHdfZXJy b3IoIk1NSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAgIH0K KwogICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICBpZiAo cmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAgICAgICAgICAgZm9yIChp ID0gMDsgaSA8IHJlcS0+Y291bnQ7IGkrKykgewpAQCAtODI2LDExICs4MzQs MTMgQEAgc3RhdGljIGludCBoYW5kbGVfYnVmZmVyZWRfaW9wYWdlKFhlbklP UwogICAgICAgICByZXEuZGYgPSAxOwogICAgICAgICByZXEudHlwZSA9IGJ1 Zl9yZXEtPnR5cGU7CiAgICAgICAgIHJlcS5kYXRhX2lzX3B0ciA9IDA7Cisg ICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgcXcgPSAocmVxLnNpemUgPT0g OCk7CiAgICAgICAgIGlmIChxdykgewogICAgICAgICAgICAgYnVmX3JlcSA9 ICZzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+YnVmX2lvcmVxWwogICAgICAg ICAgICAgICAgIChzdGF0ZS0+YnVmZmVyZWRfaW9fcGFnZS0+cmVhZF9wb2lu dGVyICsgMSkgJSBJT1JFUV9CVUZGRVJfU0xPVF9OVU1dOwogICAgICAgICAg ICAgcmVxLmRhdGEgfD0gKCh1aW50NjRfdClidWZfcmVxLT5kYXRhKSA8PCAz MjsKKyAgICAgICAgICAgIHhlbl9ybWIoKTsKICAgICAgICAgfQogCiAgICAg ICAgIGhhbmRsZV9pb3JlcSgmcmVxKTsKQEAgLTg2Miw3ICs4NzIsMTEgQEAg c3RhdGljIHZvaWQgY3B1X2hhbmRsZV9pb3JlcSh2b2lkICpvcGFxdQogCiAg ICAgaGFuZGxlX2J1ZmZlcmVkX2lvcGFnZShzdGF0ZSk7CiAgICAgaWYgKHJl cSkgewotICAgICAgICBoYW5kbGVfaW9yZXEocmVxKTsKKyAgICAgICAgaW9y ZXFfdCBjb3B5ID0gKnJlcTsKKworICAgICAgICB4ZW5fcm1iKCk7CisgICAg ICAgIGhhbmRsZV9pb3JlcSgmY29weSk7CisgICAgICAgIHJlcS0+ZGF0YSA9 IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBTVEFU RV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYoc3Rk ZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGluIHNlcnZp Y2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-4.6-qemuu.patch" Content-Disposition: attachment; filename="xsa197-4.6-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1odm0uYworKysgYi94ZW4taHZtLmMK QEAgLTgxNyw2ICs4MTcsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiB7CiAgICAgdWludDMyX3QgaTsKIAorICAgIGlm IChyZXEtPnNpemUgPiBzaXplb2YodWludDMyX3QpKSB7CisgICAgICAgIGh3 X2Vycm9yKCJQSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAg IH0KKwogICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICAgICAgcmVx LT5kYXRhID0gZG9faW5wKHJlcS0+YWRkciwgcmVxLT5zaXplKTsKQEAgLTg0 Niw2ICs4NTAsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21vdmUoaW9y ZXFfdCAqcmVxKQogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBpZiAocmVx LT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAgaHdfZXJy b3IoIk1NSU86IGJhZCBzaXplICgldSkiLCByZXEtPnNpemUpOworICAgIH0K KwogICAgIGlmICghcmVxLT5kYXRhX2lzX3B0cikgewogICAgICAgICBpZiAo cmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAgICAgICAgICAgZm9yIChp ID0gMDsgaSA8IHJlcS0+Y291bnQ7IGkrKykgewpAQCAtOTk5LDExICsxMDA3 LDEzIEBAIHN0YXRpYyBpbnQgaGFuZGxlX2J1ZmZlcmVkX2lvcGFnZShYZW5J T1MKICAgICAgICAgcmVxLmRmID0gMTsKICAgICAgICAgcmVxLnR5cGUgPSBi dWZfcmVxLT50eXBlOwogICAgICAgICByZXEuZGF0YV9pc19wdHIgPSAwOwor ICAgICAgICB4ZW5fcm1iKCk7CiAgICAgICAgIHF3ID0gKHJlcS5zaXplID09 IDgpOwogICAgICAgICBpZiAocXcpIHsKICAgICAgICAgICAgIGJ1Zl9yZXEg PSAmYnVmX3BhZ2UtPmJ1Zl9pb3JlcVsocmRwdHIgKyAxKSAlCiAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSU9SRVFfQlVG RkVSX1NMT1RfTlVNXTsKICAgICAgICAgICAgIHJlcS5kYXRhIHw9ICgodWlu dDY0X3QpYnVmX3JlcS0+ZGF0YSkgPDwgMzI7CisgICAgICAgICAgICB4ZW5f cm1iKCk7CiAgICAgICAgIH0KIAogICAgICAgICBoYW5kbGVfaW9yZXEoc3Rh dGUsICZyZXEpOwpAQCAtMTAzNCw3ICsxMDQ0LDExIEBAIHN0YXRpYyB2b2lk IGNwdV9oYW5kbGVfaW9yZXEodm9pZCAqb3BhcXUKIAogICAgIGhhbmRsZV9i dWZmZXJlZF9pb3BhZ2Uoc3RhdGUpOwogICAgIGlmIChyZXEpIHsKLSAgICAg ICAgaGFuZGxlX2lvcmVxKHN0YXRlLCByZXEpOworICAgICAgICBpb3JlcV90 IGNvcHkgPSAqcmVxOworCisgICAgICAgIHhlbl9ybWIoKTsKKyAgICAgICAg aGFuZGxlX2lvcmVxKHN0YXRlLCAmY29weSk7CisgICAgICAgIHJlcS0+ZGF0 YSA9IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAocmVxLT5zdGF0ZSAhPSBT VEFURV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAgICAgICAgIGZwcmludGYo c3RkZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGluIHNl cnZpY2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-qemut.patch" Content-Disposition: attachment; filename="xsa197-qemut.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRy aXguY29tPgoKLS0tIGEvaTM4Ni1kbS9oZWxwZXIyLmMKKysrIGIvaTM4Ni1k bS9oZWxwZXIyLmMKQEAgLTM3NSw2ICszNzUsMTEgQEAgc3RhdGljIHZvaWQg Y3B1X2lvcmVxX3BpbyhDUFVTdGF0ZSAqZW52LAogewogICAgIHVpbnQzMl90 IGk7CiAKKyAgICBpZiAocmVxLT5zaXplID4gc2l6ZW9mKHVuc2lnbmVkIGxv bmcpKSB7CisgICAgICAgIGZwcmludGYoc3RkZXJyLCAiUElPOiBiYWQgc2l6 ZSAoJXUpXG4iLCByZXEtPnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAg ICB9CisKICAgICBpZiAocmVxLT5kaXIgPT0gSU9SRVFfUkVBRCkgewogICAg ICAgICBpZiAoIXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgICAgIHJl cS0+ZGF0YSA9IGRvX2lucChlbnYsIHJlcS0+YWRkciwgcmVxLT5zaXplKTsK QEAgLTQwNCw2ICs0MDksMTEgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX21v dmUoQ1BVU3RhdGUgKmVudgogewogICAgIHVpbnQzMl90IGk7CiAKKyAgICBp ZiAocmVxLT5zaXplID4gc2l6ZW9mKHJlcS0+ZGF0YSkpIHsKKyAgICAgICAg ZnByaW50ZihzdGRlcnIsICJNTUlPOiBiYWQgc2l6ZSAoJXUpXG4iLCByZXEt PnNpemUpOworICAgICAgICBleGl0KC0xKTsKKyAgICB9CisKICAgICBpZiAo IXJlcS0+ZGF0YV9pc19wdHIpIHsKICAgICAgICAgaWYgKHJlcS0+ZGlyID09 IElPUkVRX1JFQUQpIHsKICAgICAgICAgICAgIGZvciAoaSA9IDA7IGkgPCBy ZXEtPmNvdW50OyBpKyspIHsKQEAgLTUxNiwxMSArNTI2LDEzIEBAIHN0YXRp YyBpbnQgX19oYW5kbGVfYnVmZmVyZWRfaW9wYWdlKENQVVMKICAgICAgICAg cmVxLmRmID0gMTsKICAgICAgICAgcmVxLnR5cGUgPSBidWZfcmVxLT50eXBl OwogICAgICAgICByZXEuZGF0YV9pc19wdHIgPSAwOworICAgICAgICB4ZW5f cm1iKCk7CiAgICAgICAgIHF3ID0gKHJlcS5zaXplID09IDgpOwogICAgICAg ICBpZiAocXcpIHsKICAgICAgICAgICAgIGJ1Zl9yZXEgPSAmYnVmZmVyZWRf aW9fcGFnZS0+YnVmX2lvcmVxWyhyZHB0ciArIDEpICUKICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElPUkVR X0JVRkZFUl9TTE9UX05VTV07CiAgICAgICAgICAgICByZXEuZGF0YSB8PSAo KHVpbnQ2NF90KWJ1Zl9yZXEtPmRhdGEpIDw8IDMyOworICAgICAgICAgICAg eGVuX3JtYigpOwogICAgICAgICB9CiAKICAgICAgICAgX19oYW5kbGVfaW9y ZXEoZW52LCAmcmVxKTsKQEAgLTU1Miw3ICs1NjQsMTEgQEAgc3RhdGljIHZv aWQgY3B1X2hhbmRsZV9pb3JlcSh2b2lkICpvcGFxdQogCiAgICAgX19oYW5k bGVfYnVmZmVyZWRfaW9wYWdlKGVudik7CiAgICAgaWYgKHJlcSkgewotICAg ICAgICBfX2hhbmRsZV9pb3JlcShlbnYsIHJlcSk7CisgICAgICAgIGlvcmVx X3QgY29weSA9ICpyZXE7CisKKyAgICAgICAgeGVuX3JtYigpOworICAgICAg ICBfX2hhbmRsZV9pb3JlcShlbnYsICZjb3B5KTsKKyAgICAgICAgcmVxLT5k YXRhID0gY29weS5kYXRhOwogCiAgICAgICAgIGlmIChyZXEtPnN0YXRlICE9 IFNUQVRFX0lPUkVRX0lOUFJPQ0VTUykgewogICAgICAgICAgICAgZnByaW50 Zihsb2dmaWxlLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVzdCAuLi4gbm90IGlu IHNlcnZpY2U/ITogIgo= --=separator Content-Type: application/octet-stream; name="xsa197-qemuu.patch" Content-Disposition: attachment; filename="xsa197-qemuu.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiB4ZW46IGZpeCBpb3JlcSBoYW5kbGluZwoKQXZvaWQgZG91YmxlIGZldGNo ZXMgYW5kIGJvdW5kcyBjaGVjayBzaXplIHRvIGF2b2lkIG92ZXJmbG93aW5n CmludGVybmFsIHZhcmlhYmxlcy4KClRoaXMgaXMgWFNBLTE5Ny4KClJlcG9y dGVkLWJ5OiB5YW5naG9uZ2tlIDx5YW5naG9uZ2tlQGh1YXdlaS5jb20+ClNp Z25lZC1vZmYtYnk6IEphbiBCZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4K UmV2aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlA a2VybmVsLm9yZz4KCi0tLSBhL3hlbi1odm0uYworKysgYi94ZW4taHZtLmMK QEAgLTgxMCw2ICs4MTAsMTAgQEAgc3RhdGljIHZvaWQgY3B1X2lvcmVxX3Bp byhpb3JlcV90ICpyZXEpCiAgICAgdHJhY2VfY3B1X2lvcmVxX3BpbyhyZXEs IHJlcS0+ZGlyLCByZXEtPmRmLCByZXEtPmRhdGFfaXNfcHRyLCByZXEtPmFk ZHIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgcmVxLT5kYXRhLCByZXEt PmNvdW50LCByZXEtPnNpemUpOwogCisgICAgaWYgKHJlcS0+c2l6ZSA+IHNp emVvZih1aW50MzJfdCkpIHsKKyAgICAgICAgaHdfZXJyb3IoIlBJTzogYmFk IHNpemUgKCV1KSIsIHJlcS0+c2l6ZSk7CisgICAgfQorCiAgICAgaWYgKHJl cS0+ZGlyID09IElPUkVRX1JFQUQpIHsKICAgICAgICAgaWYgKCFyZXEtPmRh dGFfaXNfcHRyKSB7CiAgICAgICAgICAgICByZXEtPmRhdGEgPSBkb19pbnAo cmVxLT5hZGRyLCByZXEtPnNpemUpOwpAQCAtODQ2LDYgKzg1MCwxMCBAQCBz dGF0aWMgdm9pZCBjcHVfaW9yZXFfbW92ZShpb3JlcV90ICpyZXEpCiAgICAg dHJhY2VfY3B1X2lvcmVxX21vdmUocmVxLCByZXEtPmRpciwgcmVxLT5kZiwg cmVxLT5kYXRhX2lzX3B0ciwgcmVxLT5hZGRyLAogICAgICAgICAgICAgICAg ICAgICAgICAgIHJlcS0+ZGF0YSwgcmVxLT5jb3VudCwgcmVxLT5zaXplKTsK IAorICAgIGlmIChyZXEtPnNpemUgPiBzaXplb2YocmVxLT5kYXRhKSkgewor ICAgICAgICBod19lcnJvcigiTU1JTzogYmFkIHNpemUgKCV1KSIsIHJlcS0+ c2l6ZSk7CisgICAgfQorCiAgICAgaWYgKCFyZXEtPmRhdGFfaXNfcHRyKSB7 CiAgICAgICAgIGlmIChyZXEtPmRpciA9PSBJT1JFUV9SRUFEKSB7CiAgICAg ICAgICAgICBmb3IgKGkgPSAwOyBpIDwgcmVxLT5jb3VudDsgaSsrKSB7CkBA IC0xMDEwLDExICsxMDE4LDEzIEBAIHN0YXRpYyBpbnQgaGFuZGxlX2J1ZmZl cmVkX2lvcGFnZShYZW5JT1MKICAgICAgICAgcmVxLmRmID0gMTsKICAgICAg ICAgcmVxLnR5cGUgPSBidWZfcmVxLT50eXBlOwogICAgICAgICByZXEuZGF0 YV9pc19wdHIgPSAwOworICAgICAgICB4ZW5fcm1iKCk7CiAgICAgICAgIHF3 ID0gKHJlcS5zaXplID09IDgpOwogICAgICAgICBpZiAocXcpIHsKICAgICAg ICAgICAgIGJ1Zl9yZXEgPSAmYnVmX3BhZ2UtPmJ1Zl9pb3JlcVsocmRwdHIg KyAxKSAlCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgSU9SRVFfQlVGRkVSX1NMT1RfTlVNXTsKICAgICAgICAgICAgIHJl cS5kYXRhIHw9ICgodWludDY0X3QpYnVmX3JlcS0+ZGF0YSkgPDwgMzI7Cisg ICAgICAgICAgICB4ZW5fcm1iKCk7CiAgICAgICAgIH0KIAogICAgICAgICBo YW5kbGVfaW9yZXEoc3RhdGUsICZyZXEpOwpAQCAtMTA0NSw3ICsxMDU1LDEx IEBAIHN0YXRpYyB2b2lkIGNwdV9oYW5kbGVfaW9yZXEodm9pZCAqb3BhcXUK IAogICAgIGhhbmRsZV9idWZmZXJlZF9pb3BhZ2Uoc3RhdGUpOwogICAgIGlm IChyZXEpIHsKLSAgICAgICAgaGFuZGxlX2lvcmVxKHN0YXRlLCByZXEpOwor ICAgICAgICBpb3JlcV90IGNvcHkgPSAqcmVxOworCisgICAgICAgIHhlbl9y bWIoKTsKKyAgICAgICAgaGFuZGxlX2lvcmVxKHN0YXRlLCAmY29weSk7Cisg ICAgICAgIHJlcS0+ZGF0YSA9IGNvcHkuZGF0YTsKIAogICAgICAgICBpZiAo cmVxLT5zdGF0ZSAhPSBTVEFURV9JT1JFUV9JTlBST0NFU1MpIHsKICAgICAg ICAgICAgIGZwcmludGYoc3RkZXJyLCAiQmFkbmVzcyBpbiBJL08gcmVxdWVz dCAuLi4gbm90IGluIHNlcnZpY2U/ITogIgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mf-00087i-5a; Tue, 22 Nov 2016 12:02:45 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99md-00086C-QQ; Tue, 22 Nov 2016 12:02:43 +0000 Received: from [85.158.139.211] by server-9.bemta-5.messagelabs.com id 33/59-01928-1E334385; Tue, 22 Nov 2016 12:02:41 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOIsWRWlGSWpSXmKPExsWS0XRdVfe+sUm EwdRLhha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDN2Lx2G2PB/LCKa4vusTcw ngvsYuTiEBI4xyjxcsNfRghnA6NEz96t7F2MnBzMAq4SN/ZtZoOwFSUu3GtgAbF5BQQlTs58A mZLCGhK3HmzCqxeRKBIYue5l2A2m4CexNyzk5ggenUkXu5fDWYLC2RJ/L6zAGqOmcSRXftZQW wWAVWJ2Vtmsk9g5JmFZPUsJKtnIVk9i5EDKK4psX6XPoQpLbH8HwdEtbzE9rdzmCFsa4l3Mx4 wQ5RYSJxZXAIzcEr3Q/YFjJyrGNWLU4vKUot0zfSSijLTM0pyEzNzdA0NTPVyU4uLE9NTcxKT ivWS83M3MQKDmwEIdjBObXA+xCjJwaQkynt4qVGEEF9SfkplRmJxRnxRaU5q8SFGGQ4OJQne5 UYmEUKCRanpqRVpmTnAOINJS3DwKInwPgZJ8xYXJOYWZ6ZDpE4xGnPcOvH8ARPHo99vHzAJse Tl56VKifNeBCkVACnNKM2DGwSL/0uMslLCvIxApwnxFKQW5WaWoMq/YhTnYFQS5l0DMoUnM68 Ebt8roFOYgE6R/GYMckpJIkJKqoFxq5Pc7va413d/CrluFyve//qjaPWBtpsFr477eWZorXzy T6i+o/bauquerpfC1nl63Z3a8Pr6lwLJ6lVzlkqvielsZYh74qXaJLIoNz26+vocv+sxsxPmn Y9/t/zhJpXbljtX7stfdi9Ovu7aJd/arqXzHnE4qE0+n3p0Z/+X2jzLlQeenLl7T4mlOCPRUI u5qDgRALV8gN76AgAA X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-3.tower-206.messagelabs.com!1479816158!67955773!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 26721 invoked from network); 22 Nov 2016 12:02:39 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-3.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:39 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mQ-0004p6-7y; Tue, 22 Nov 2016 12:02:30 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mQ-00087x-6f; Tue, 22 Nov 2016 12:02:30 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:30 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 194 (CVE-2016-9384) - guest 32-bit ELF symbol table load leaking host data X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9384 / XSA-194 version 3 guest 32-bit ELF symbol table load leaking host data UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load (kernel) symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused bytes were not properly cleared during symbol table loading. IMPACT ====== A malicious unprivileged guest may be able to obtain sensitive information from the host. The information leak is small and not under the control of the guest, so effectively exploiting this vulnerability is probably difficult. VULNERABLE SYSTEMS ================== Only Xen version 4.7 is affected. Xen versions 4.6 and earlier are not affected. The vulnerability is not exposed to x86 HVM guests, unless the host toolstack has configured to load the guest with a non-default loader, rather than hvmloader. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by Roger Pau Monné of Citrix. RESOLUTION ========== Applying the attached patch resolves this issue. xsa194.patch xen-unstable, Xen 4.7.x $ sha256sum xsa194* 4dad65417d9ff3c86e763d3c88cf8de79b58a9981d531f641ae0dd0dcedce911 xsa194.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDLYAAoJEIP+FMlX6CvZqAoH/39GSWwDpYnflz3TcFyQUViM j36XzzStWya71ewaXiguUbTHHg6mK47pK4EA/3zFwerczz/5yQzhlToitPkP/8WE 5Qbg9Wyg4STylzeKaiTvLzqUK6XSiJ4oKZwLsnU7tFPLcb6FBMm9t3bzg9NECaft /6zYj1SVCvoLJB/gtgbwrz2MCjVZQZ9Q2+mpirvu0ePQRD73M0cwfj1ncqjUkFd9 ZNdk14gmxOk1/wWAm/oD1QKUWmjpzByT5dbGcMV3OxGs1V2Px+o4c1u1t/agldr0 wC2LvCK9IED9JcBaH/M85TTAGR7GqfU8l9x3ep97GkrUpquX4OGFt7na28M1YUQ= =Gc8O -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa194.patch" Content-Disposition: attachment; filename="xsa194.patch" Content-Transfer-Encoding: base64 RnJvbSA3MTA5NmIwMTZmN2ZkNTRhNzJhZjczNTc2OTQ4Y2IyNWNmNDJlYmNi IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBSb2dlciBQYXUgTW9u bsOpIDxyb2dlci5wYXVAY2l0cml4LmNvbT5EYXRlOiBXZWQsIDIgTm92IDIw MTYgMTU6MDI6MDAgKzAwMDAKU3ViamVjdDogW1BBVENIXSBsaWJlbGY6IGZp eCBzdGFjayBtZW1vcnkgbGVhayB3aGVuIGxvYWRpbmcgMzIgYml0IHN5bWJv bAogdGFibGVzCgpUaGUgMzIgYml0IEVsZiBzdHJ1Y3RzIGFyZSBzbWFsbGVy IHRoYW4gdGhlIDY0IGJpdCBvbmVzLCB3aGljaCBtZWFucyB0aGF0CndoZW4g bG9hZGluZyB0aGVtIHRoZXJlJ3Mgc29tZSBwYWRkaW5nIGxlZnQgdW5pbml0 aWFsaXplZCBhdCB0aGUgZW5kIG9mIGVhY2gKc3RydWN0IChiZWNhdXNlIHRo ZSBzaXplIGluZGljYXRlZCBpbiBlX2Voc2l6ZSBhbmQgZV9zaGVudHNpemUg aXMKc21hbGxlciB0aGFuIHRoZSBzaXplIG9mIGVsZl9laGRyIGFuZCBlbGZf c2hkcikuCgpGaXggdGhpcyBieSBpbnRyb2R1Y2luZyBhIG5ldyBoZWxwZXIg dGhhdCBpcyB1c2VkIHRvIHNldApbY2FsbGVyX114ZGVzdF97YmFzZS9zaXpl fSBhbmQgdGhhdCB0YWtlcyBjYXJlIG9mIHBlcmZvcm1pbmcgdGhlIGFwcHJv cHJpYXRlCm1lbXNldCBvZiB0aGUgcmVnaW9uLiBUaGlzIG5ld2x5IGludHJv ZHVjZWQgaGVscGVyIGlzIHRoZW4gdXNlZCB0byBzZXQgYW5kCnVuc2V0IHhk ZXN0X3tiYXNlL3NpemV9IGluIGVsZl9sb2FkX2JzZHN5bXMuIE5vdyB0aGF0 IHRoZSBmdWxsIHN0cnVjdAppcyB6ZXJvZWQsIHRoZXJlJ3Mgbm8gbmVlZCB0 byBzcGVjaWZpY2FsbHkgemVybyB0aGUgdW5kZWZpbmVkIHNlY3Rpb24uCgpU aGlzIGlzIFhTQS0xOTQuCgpTdWdnZXN0ZWQtYnk6IElhbiBKYWNrc29uIDxp YW4uamFja3NvbkBldS5jaXRyaXguY29tPgoKQWxzbyByZW1vdmUgdGhlIG9w ZW4gY29kZWQgKGFuZCByZWR1bmRhbnQgd2l0aCB0aGUgZWFybGllcgplbGZf bWVtc2V0X3VuY2hlY2tlZCgpKSB1c2Ugb2YgY2FsbGVyX3hkZXN0XyogZnJv bSBlbGZfaW5pdCgpLgoKU2lnbmVkLW9mZi1ieTogUm9nZXIgUGF1IE1vbm7D qSA8cm9nZXIucGF1QGNpdHJpeC5jb20+ClNpZ25lZC1vZmYtYnk6IEphbiBC ZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KU2lnbmVkLW9mZi1ieTogSWFu IEphY2tzb24gPElhbi5KYWNrc29uQGV1LmNpdHJpeC5jb20+Ci0tLQogeGVu L2NvbW1vbi9saWJlbGYvbGliZWxmLWxvYWRlci5jIHwgMTQgKysrLS0tLS0t LS0tLS0KIHhlbi9jb21tb24vbGliZWxmL2xpYmVsZi10b29scy5jICB8IDEx ICsrKysrKysrKy0tCiB4ZW4vaW5jbHVkZS94ZW4vbGliZWxmLmggICAgICAg ICAgfCAxNSArKysrKysrKystLS0tLS0KIDMgZmlsZXMgY2hhbmdlZCwgMjEg aW5zZXJ0aW9ucygrKSwgMTkgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEv eGVuL2NvbW1vbi9saWJlbGYvbGliZWxmLWxvYWRlci5jIGIveGVuL2NvbW1v bi9saWJlbGYvbGliZWxmLWxvYWRlci5jCmluZGV4IDRkM2FlNGQuLmJjMWY4 N2IgMTAwNjQ0Ci0tLSBhL3hlbi9jb21tb24vbGliZWxmL2xpYmVsZi1sb2Fk ZXIuYworKysgYi94ZW4vY29tbW9uL2xpYmVsZi9saWJlbGYtbG9hZGVyLmMK QEAgLTQzLDggKzQzLDYgQEAgZWxmX2Vycm9yc3RhdHVzIGVsZl9pbml0KHN0 cnVjdCBlbGZfYmluYXJ5ICplbGYsIGNvbnN0IGNoYXIgKmltYWdlX2lucHV0 LCBzaXplX3QKICAgICBlbGYtPmVoZHIgPSBFTEZfTUFLRV9IQU5ETEUoZWxm X2VoZHIsIChlbGZfcHRydmFsKWltYWdlX2lucHV0KTsKICAgICBlbGYtPmNs YXNzID0gZWxmX3V2YWxfMzI2NChlbGYsIGVsZi0+ZWhkciwgZTMyLmVfaWRl bnRbRUlfQ0xBU1NdKTsKICAgICBlbGYtPmRhdGEgPSBlbGZfdXZhbF8zMjY0 KGVsZiwgZWxmLT5laGRyLCBlMzIuZV9pZGVudFtFSV9EQVRBXSk7Ci0gICAg ZWxmLT5jYWxsZXJfeGRlc3RfYmFzZSA9IE5VTEw7Ci0gICAgZWxmLT5jYWxs ZXJfeGRlc3Rfc2l6ZSA9IDA7CiAKICAgICAvKiBTYW5pdHkgY2hlY2sgcGhk ci4gKi8KICAgICBvZmZzZXQgPSBlbGZfdXZhbChlbGYsIGVsZi0+ZWhkciwg ZV9waG9mZikgKwpAQCAtMjg0LDkgKzI4Miw4IEBAIGRvIHsgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgXAogI2RlZmluZSBTWU1UQUJfSU5ERVggICAgMQogI2RlZmlu ZSBTVFJUQUJfSU5ERVggICAgMgogCi0gICAgLyogQWxsb3cgZWxmX21lbWNw eV9zYWZlIHRvIHdyaXRlIHRvIHN5bWJvbF9oZWFkZXIuICovCi0gICAgZWxm LT5jYWxsZXJfeGRlc3RfYmFzZSA9ICZoZWFkZXI7Ci0gICAgZWxmLT5jYWxs ZXJfeGRlc3Rfc2l6ZSA9IHNpemVvZihoZWFkZXIpOworICAgIC8qIEFsbG93 IGVsZl9tZW1jcHlfc2FmZSB0byB3cml0ZSB0byBoZWFkZXIuICovCisgICAg ZWxmX3NldF94ZGVzdChlbGYsICZoZWFkZXIsIHNpemVvZihoZWFkZXIpKTsK IAogICAgIC8qCiAgICAgICogQ2FsY3VsYXRlIHRoZSBwb3NpdGlvbiBvZiB0 aGUgdmFyaW91cyBlbGVtZW50cyBpbiBHVUVTVCBNRU1PUlkgU1BBQ0UuCkBA IC0zMTksMTEgKzMxNiw3IEBAIGRvIHsgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXAog ICAgIGVsZl9zdG9yZV9maWVsZF9iaXRuZXNzKGVsZiwgaGVhZGVyX2hhbmRs ZSwgZV9waGVudHNpemUsIDApOwogICAgIGVsZl9zdG9yZV9maWVsZF9iaXRu ZXNzKGVsZiwgaGVhZGVyX2hhbmRsZSwgZV9waG51bSwgMCk7CiAKLSAgICAv KiBaZXJvIHRoZSB1bmRlZmluZWQgc2VjdGlvbi4gKi8KLSAgICBzZWN0aW9u X2hhbmRsZSA9IEVMRl9NQUtFX0hBTkRMRShlbGZfc2hkciwKLSAgICAgICAg ICAgICAgICAgICAgIEVMRl9SRUFMUFRSMlBUUlZBTCgmaGVhZGVyLmVsZl9o ZWFkZXIuc2VjdGlvbltTSE5fVU5ERUZdKSk7CiAgICAgc2hkcl9zaXplID0g ZWxmX3V2YWwoZWxmLCBlbGYtPmVoZHIsIGVfc2hlbnRzaXplKTsKLSAgICBl bGZfbWVtc2V0X3NhZmUoZWxmLCBFTEZfSEFORExFX1BUUlZBTChzZWN0aW9u X2hhbmRsZSksIDAsIHNoZHJfc2l6ZSk7CiAKICAgICAvKgogICAgICAqIFRo ZSBzeW10YWIgc2VjdGlvbiBoZWFkZXIgaXMgZ29pbmcgdG8gcmVzaWRlIGlu IHNlY3Rpb25bU1lNVEFCX0lOREVYXSwKQEAgLTQwNCw4ICszOTcsNyBAQCBk byB7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIFwKICAgICB9CiAKICAgICAvKiBSZW1v dmUgcGVybWlzc2lvbnMgZnJvbSBlbGZfbWVtY3B5X3NhZmUuICovCi0gICAg ZWxmLT5jYWxsZXJfeGRlc3RfYmFzZSA9IE5VTEw7Ci0gICAgZWxmLT5jYWxs ZXJfeGRlc3Rfc2l6ZSA9IDA7CisgICAgZWxmX3NldF94ZGVzdChlbGYsIE5V TEwsIDApOwogCiAjdW5kZWYgU1lNVEFCX0lOREVYCiAjdW5kZWYgU1RSVEFC X0lOREVYCmRpZmYgLS1naXQgYS94ZW4vY29tbW9uL2xpYmVsZi9saWJlbGYt dG9vbHMuYyBiL3hlbi9jb21tb24vbGliZWxmL2xpYmVsZi10b29scy5jCmlu ZGV4IDVhNDc1N2IuLmU3M2U3MjkgMTAwNjQ0Ci0tLSBhL3hlbi9jb21tb24v bGliZWxmL2xpYmVsZi10b29scy5jCisrKyBiL3hlbi9jb21tb24vbGliZWxm L2xpYmVsZi10b29scy5jCkBAIC01OSw4ICs1OSw3IEBAIGJvb2wgZWxmX2Fj Y2Vzc19vayhzdHJ1Y3QgZWxmX2JpbmFyeSAqIGVsZiwKICAgICAgICAgcmV0 dXJuIDE7CiAgICAgaWYgKCBlbGZfcHRydmFsX2luX3JhbmdlKHB0cnZhbCwg c2l6ZSwgZWxmLT5kZXN0X2Jhc2UsIGVsZi0+ZGVzdF9zaXplKSApCiAgICAg ICAgIHJldHVybiAxOwotICAgIGlmICggZWxmX3B0cnZhbF9pbl9yYW5nZShw dHJ2YWwsIHNpemUsCi0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVs Zi0+Y2FsbGVyX3hkZXN0X2Jhc2UsIGVsZi0+Y2FsbGVyX3hkZXN0X3NpemUp ICkKKyAgICBpZiAoIGVsZl9wdHJ2YWxfaW5fcmFuZ2UocHRydmFsLCBzaXpl LCBlbGYtPnhkZXN0X2Jhc2UsIGVsZi0+eGRlc3Rfc2l6ZSkgKQogICAgICAg ICByZXR1cm4gMTsKICAgICBlbGZfbWFya19icm9rZW4oZWxmLCAib3V0IG9m IHJhbmdlIGFjY2VzcyIpOwogICAgIHJldHVybiAwOwpAQCAtMzczLDYgKzM3 MiwxNCBAQCBib29sIGVsZl9waGRyX2lzX2xvYWRhYmxlKHN0cnVjdCBlbGZf YmluYXJ5ICplbGYsIEVMRl9IQU5ETEVfREVDTChlbGZfcGhkcikgcGhkcgog ICAgIHJldHVybiAoKHBfdHlwZSA9PSBQVF9MT0FEKSAmJiAocF9mbGFncyAm IChQRl9SIHwgUEZfVyB8IFBGX1gpKSAhPSAwKTsKIH0KIAordm9pZCBlbGZf c2V0X3hkZXN0KHN0cnVjdCBlbGZfYmluYXJ5ICplbGYsIHZvaWQgKmFkZHIs IHVpbnQ2NF90IHNpemUpCit7CisgICAgZWxmLT54ZGVzdF9iYXNlID0gYWRk cjsKKyAgICBlbGYtPnhkZXN0X3NpemUgPSBzaXplOworICAgIGlmICggYWRk ciAhPSBOVUxMICkKKyAgICAgICAgZWxmX21lbXNldF9zYWZlKGVsZiwgRUxG X1JFQUxQVFIyUFRSVkFMKGFkZHIpLCAwLCBzaXplKTsKK30KKwogLyoKICAq IExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAtLWdpdCBhL3hl bi9pbmNsdWRlL3hlbi9saWJlbGYuaCBiL3hlbi9pbmNsdWRlL3hlbi9saWJl bGYuaAppbmRleCA5NWI1MzcwLi5jZjYyYmM3IDEwMDY0NAotLS0gYS94ZW4v aW5jbHVkZS94ZW4vbGliZWxmLmgKKysrIGIveGVuL2luY2x1ZGUveGVuL2xp YmVsZi5oCkBAIC0yMTAsMTMgKzIxMCwxMSBAQCBzdHJ1Y3QgZWxmX2JpbmFy eSB7CiAgICAgdWludDY0X3QgYnNkX3N5bXRhYl9wZW5kOwogCiAgICAgLyoK LSAgICAgKiBjYWxsZXIncyBvdGhlciBhY2NlcHRhYmxlIGRlc3RpbmF0aW9u Ci0gICAgICoKLSAgICAgKiBBZ2FpbiwgdGhlc2UgYXJlIHRydXN0ZWQgYW5k IG11c3QgYmUgdmFsaWQgKG9yIDApIHNvIGxvbmcKLSAgICAgKiBhcyB0aGUg c3RydWN0IGVsZl9iaW5hcnkgaXMgaW4gdXNlLgorICAgICAqIGNhbGxlcidz IG90aGVyIGFjY2VwdGFibGUgZGVzdGluYXRpb24uCisgICAgICogU2V0IGJ5 IGVsZl9zZXRfeGRlc3QuICBEbyBub3Qgc2V0IHRoZXNlIGRpcmVjdGx5Lgog ICAgICAqLwotICAgIHZvaWQgKmNhbGxlcl94ZGVzdF9iYXNlOwotICAgIHVp bnQ2NF90IGNhbGxlcl94ZGVzdF9zaXplOworICAgIHZvaWQgKnhkZXN0X2Jh c2U7CisgICAgdWludDY0X3QgeGRlc3Rfc2l6ZTsKIAogI2lmbmRlZiBfX1hF Tl9fCiAgICAgLyogbWlzYyAqLwpAQCAtNDk0LDUgKzQ5MiwxMCBAQCBzdGF0 aWMgaW5saW5lIHZvaWQgRUxGX0FEVkFOQ0VfREVTVChzdHJ1Y3QgZWxmX2Jp bmFyeSAqZWxmLCB1aW50NjRfdCBhbW91bnQpCiAgICAgfQogfQogCisvKiBT cGVjaWZ5IGEgKHNpbmdsZSkgYWRkaXRpb25hbCBkZXN0aW5hdGlvbiwgdG8g d2hpY2ggdGhlIGltYWdlIG1heQorICogY2F1c2Ugd3JpdGVzLiAgQXMgd2l0 aCBkZXN0X2Jhc2UgYW5kIGRlc3Rfc2l6ZSwgdGhlIHZhbHVlcyBwcm92aWRl ZAorICogYXJlIHRydXN0ZWQgYW5kIG11c3QgYmUgdmFsaWQgc28gbG9uZyBh cyB0aGUgc3RydWN0IGVsZl9iaW5hcnkKKyAqIGlzIGluIHVzZSBvciB1bnRp bCBlbGZfc2V0X3hkZXN0KCwwLDApIGlzIGNhbGxlZC4gKi8KK3ZvaWQgZWxm X3NldF94ZGVzdChzdHJ1Y3QgZWxmX2JpbmFyeSAqZWxmLCB2b2lkICphZGRy LCB1aW50NjRfdCBzaXplKTsKIAogI2VuZGlmIC8qIF9fWEVOX0xJQkVMRl9I X18gKi8KLS0gCjIuMS40Cgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mR-0007xZ-3w; Tue, 22 Nov 2016 12:02:31 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mQ-0007wt-BZ; Tue, 22 Nov 2016 12:02:30 +0000 Received: from [85.158.137.68] by server-1.bemta-3.messagelabs.com id D2/8E-23231-5D334385; Tue, 22 Nov 2016 12:02:29 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnleJIrShJLcpLzFFi42LJaLquqnvG2CT C4N0eMYtbN1uZLZZ8XMxiserqAVYHZo+ju38zBTBGsWbmJeVXJLBmTPo4g7Fg8zTGivWbe1ka GJ/2M3YxcnEICZxjlLi08DEzhLOBUaK9ey5TFyMnB7OAq8SNfZvZIGxFiQv3GlhAbF4BQYmTM 5+A2RICmhJ33qxiB7FFBIokdp57CWazCehJzD07CWqOjsTL/avBbGGBNIm9Uy6wQcwxk5h9/z 4ziM0ioCpxt30T0wRGnllIVs9CsnoWktWzGDmA4poS63fpQ5jSEsv/cUBUy0tsfzuHGcK2ljg ws5UVwraQOPD2MiPMxCndD9khbHuJhw9fQNXYSGydOY0dWc0CRp5VjBrFqUVlqUW6RgZ6SUWZ 6RkluYmZObqGBsZ6uanFxYnpqTmJScV6yfm5mxiB0VLPwMC4g7H5hN8hRkkOJiVR3sNLjSKE+ JLyUyozEosz4otKc1KLDzHKcHAoSfAuNzKJEBIsSk1PrUjLzAHGLUxagoNHSQQizVtckJhbnJ kOkTrFaMxx68TzB0wcj36/fcAkxJKXn5cqJc57EaRUAKQ0ozQPbhAsnVxilJUS5mVkYGAQ4il ILcrNLEGVf8UozsGoJMxbCDKFJzOvBG7fK6BTmIBOkfxmDHJKSSJCSqqBUefizGVX4sNmPDwX fL6t0WzThOrohVs2xYmfmnT4r2nuXks967ZL0+qfSu3v/2YnxsGok+gfohPhoc9+5d7OPx5st W7MUYnH12gfzdwlpiIq8vZY9ObrAVPn7ZV4VVL0SmtrXuEXxad/Px1ui0lYZ9st8cnc29LHUE fp02ZOviq9KlaHj/WHlViKMxINtZiLihMB1BQkLSIDAAA= X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-7.tower-31.messagelabs.com!1479816139!64721645!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 10942 invoked from network); 22 Nov 2016 12:02:20 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-7.tower-31.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:20 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99m1-0004nz-HE; Tue, 22 Nov 2016 12:02:05 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99m1-00083i-DF; Tue, 22 Nov 2016 12:02:05 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:05 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 191 (CVE-2016-9386) - x86 null segments not always treated as unusable X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9386 / XSA-191 version 3 x86 null segments not always treated as unusable UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses. The intended behaviour is as follows: The user data segment (%ds, %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special meaning for user segments, and there is no way of preventing access. However, in both 32-bit and 64-bit, a NULL LDT system segment is intended to prevent access. On Intel hardware, loading a NULL selector zeros the base as well as most attributes, but sets the limit field to its largest possible value. On AMD hardware, loading a NULL selector zeros the attributes, leaving the stale base and limit intact. Xen may erroneously permit the access using unexpected base/limit values. Ability to exploit this vulnerability on Intel is easy, but on AMD depends in a complicated way on how the guest kernel manages LDTs. IMPACT ====== An unprivileged guest user program may be able to elevate its privilege to that of the guest operating system. VULNERABLE SYSTEMS ================== The vulnerability is only exposed to HVM guests. ARM systems are NOT vulnerable. All versions of Xen are affected. However, we believe that the vulnerability cannot be exploited on Xen 4.7 by completely unprivileged guest processes, unless the VM has been explicitly configured with a non-default cpu vendor string (in xm/xl, this would be done with a `cpuid=' domain config option). MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa191.patch xen-unstable, Xen 4.7.x xsa191-4.6.patch Xen 4.6.x, Xen 4.5.x, Xen 4.4.x $ sha256sum xsa191* dca534cf4d3711ea8797846a18238ca16cc9e7a24a887300db22c3ba3d95c199 xsa191.patch d95a1f0dd5c45497ca56e2e1390fc688bf0a4a7a7fd10c65ae25b4bbb3353b69 xsa191-4.6.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDIWAAoJEIP+FMlX6CvZ4qQH/jlfd6BV63CSggCQVd0sB3a4 j7MgRZ8h0aFrCLl+0tj3QwsiW0TRDsKiTNy2xY1kxkLsQdIAeYjBddyYiJ2nbCr9 kCR2WLcWB3csf4So/85q8OMfsob7H+8PR/OsT3iY6Fo/5PzNy5wvWtU/+TRaoZIy t9OvybZ0HYhtvQ/YHv5njKZ3nyHo6MRwGpPOrzSn8UN7p+sr3DDGiuw9LNjtnepb dijO0c9artbWCjVkRlbe1w5514FH1vPleopGmXjTz/Wy5zNHWZL1RaVzh4N36ahP V1joPxt+C75iRArp6y0ncloyKjgx8pMfOzCcLp9VS6dwF3zwZ5rxxtFynlRjg94= =pUW4 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa191.patch" Content-Disposition: attachment; filename="xsa191.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2h2bTogRml4IHRoZSBoYW5kbGluZyBvZiBub24t cHJlc2VudCBzZWdtZW50cwoKSW4gMzJiaXQsIHRoZSBkYXRhIHNlZ21lbnRz IG1heSBiZSBOVUxMIHRvIGluZGljYXRlIHRoYXQgdGhlIHNlZ21lbnQgaXMK aW5lbGlnaWJsZSBmb3IgdXNlLiAgSW4gYm90aCAzMmJpdCBhbmQgNjRiaXQs IHRoZSBMRFQgc2VsZWN0b3IgbWF5IGJlIE5VTEwgdG8KaW5kaWNhdGUgdGhh dCB0aGUgZW50aXJlIExEVCBpcyBpbmVsaWdpYmxlIGZvciB1c2UuICBIb3dl dmVyLCBub3RoaW5nIGluIFhlbgphY3R1YWxseSBjaGVja3MgZm9yIHRoaXMg Y29uZGl0aW9uIHdoZW4gcGVyZm9ybWluZyBvdGhlciBzZWdtZW50YXRpb24K Y2hlY2tzLiAgKE5vdGUgaG93ZXZlciB0aGF0IGxpbWl0IGFuZCB3cml0ZWFi aWxpdHkgY2hlY2tzIGFyZSBjb3JyZWN0bHkKcGVyZm9ybWVkKS4KCk5laXRo ZXIgSW50ZWwgbm9yIEFNRCBzcGVjaWZ5IHRoZSBleGFjdCBiZWhhdmlvdXIg b2YgbG9hZGluZyBhIE5VTEwgc2VnbWVudC4KRXhwZXJpbWVudGFsbHksIEFN RCB6ZXJvZXMgYWxsIGF0dHJpYnV0ZXMgYnV0IGxlYXZlcyB0aGUgYmFzZSBh bmQgbGltaXQKdW5tb2RpZmllZC4gIEludGVsIHplcm9lcyB0aGUgYmFzZSwg c2V0cyB0aGUgbGltaXQgdG8gMHhmZmZmZmZmIGFuZCByZXNldHMgdGhlCmF0 dHJpYnV0ZXMgdG8ganVzdCAuRyBhbmQgLkQvQi4KClRoZSB1c2Ugb2YgdGhl IHNlZ21lbnQgaW5mb3JtYXRpb24gaW4gdGhlIFZNQ0IvVk1DUyBpcyBlcXVp dmFsZW50IHRvIGEgbmF0aXZlCnBpcGVsaW5lIGludGVyYWN0aW5nIHdpdGgg dGhlIHNlZ21lbnQgY2FjaGUuICBUaGUgcHJlc2VudCBiaXQgY2FuIHRoZXJl Zm9yZQpoYXZlIGEgc3VidGx5IGRpZmZlcmVudCBtZWFuaW5nLCBhbmQgaXQg aXMgbm93IGNvb2tlZCB0byB1bmlmb3JtbHkgaW5kaWNhdGUKd2hldGhlciB0 aGUgc2VnbWVudCBpcyB1c2FibGUgb3Igbm90LgoKR0RUUiBhbmQgSURUUiBk b24ndCBoYXZlIGFjY2VzcyByaWdodHMgbGlrZSB0aGUgb3RoZXIgc2VnbWVu dHMsIGJ1dCBmb3IKY29uc2lzdGVuY3ksIHRoZXkgYXJlIHRyZWF0ZWQgYXMg YmVpbmcgcHJlc2VudCBzbyBubyBzcGVjaWFsIGNhc2luZyBpcyBuZWVkZWQK ZWxzZXdoZXJlIGluIHRoZSBzZWdtZW50YXRpb24gbG9naWMuCgpBTUQgaGFy ZHdhcmUgZG9lcyBub3QgY29uc2lkZXIgdGhlIHByZXNlbnQgYml0IGZvciAl Y3MgYW5kICV0ciwgYW5kIHdpbGwKZnVuY3Rpb24gYXMgaWYgdGhleSB3ZXJl IHByZXNlbnQuICBUaGV5IGFyZSB0aGVyZWZvcmUgdW5jb25kaXRpb25hbGx5 IHNldCB0bwpwcmVzZW50IHdoZW4gcmVhZGluZyBpbmZvcm1hdGlvbiBmcm9t IHRoZSBWTUNCLCB0byBtYWludGFpbiB0aGUgbmV3IG1lYW5pbmcgb2YKdXNh YmlsaXR5LgoKSW50ZWwgaGFyZHdhcmUgaGFzIGEgc2VwYXJhdGUgdW51c2Fi bGUgYml0IGluIHRoZSBWTUNTIHNlZ21lbnQgYXR0cmlidXRlcy4KVGhpcyBi aXQgaXMgaW52ZXJ0ZWQgYW5kIHN0b3JlZCBpbiB0aGUgcHJlc2VudCBmaWVs ZCwgc28gdGhlIGh2bSBjb2RlIGNhbiB3b3JrCndpdGggYXJjaGl0ZWN0dXJh bGx5LWNvbW1vbiBzdGF0ZS4KClRoaXMgaXMgWFNBLTE5MS4KClNpZ25lZC1v ZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5j b20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5j b20+Ci0tLQogeGVuL2FyY2gveDg2L2h2bS9odm0uYyAgICAgICAgICAgICAg ICAgfCAgOCArKysrKysrKwogeGVuL2FyY2gveDg2L2h2bS9zdm0vc3ZtLmMg ICAgICAgICAgICAgfCAgNCArKysrCiB4ZW4vYXJjaC94ODYvaHZtL3ZteC92 bXguYyAgICAgICAgICAgICB8IDIwICsrKysrKysrKysrLS0tLS0tLS0tCiB4 ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYyB8ICA0ICsr KysKIDQgZmlsZXMgY2hhbmdlZCwgMjcgaW5zZXJ0aW9ucygrKSwgOSBkZWxl dGlvbnMoLSkKCmRpZmYgLS1naXQgYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5j IGIveGVuL2FyY2gveDg2L2h2bS9odm0uYwppbmRleCA3MDRmZDY0Li5kZWIx NzgzIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBi L3hlbi9hcmNoL3g4Ni9odm0vaHZtLmMKQEAgLTI1MTIsNiArMjUxMiwxMCBA QCBib29sX3QgaHZtX3ZpcnR1YWxfdG9fbGluZWFyX2FkZHIoCiAgICAgICAg ICAqLwogICAgICAgICBhZGRyID0gKHVpbnQzMl90KShhZGRyICsgcmVnLT5i YXNlKTsKIAorICAgICAgICAvKiBTZWdtZW50IG5vdCB2YWxpZCBmb3IgdXNl IChjb29rZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAgICAgIGlmICggIXJl Zy0+YXR0ci5maWVsZHMucCApCisgICAgICAgICAgICBnb3RvIG91dDsKKwog ICAgICAgICBzd2l0Y2ggKCBhY2Nlc3NfdHlwZSApCiAgICAgICAgIHsKICAg ICAgICAgY2FzZSBodm1fYWNjZXNzX3JlYWQ6CkBAIC0yNzY3LDYgKzI3NzEs MTAgQEAgc3RhdGljIGludCBodm1fbG9hZF9zZWdtZW50X3NlbGVjdG9yKAog ICAgIGh2bV9nZXRfc2VnbWVudF9yZWdpc3RlcigKICAgICAgICAgdiwgKHNl bCAmIDQpID8geDg2X3NlZ19sZHRyIDogeDg2X3NlZ19nZHRyLCAmZGVzY3Rh Yik7CiAKKyAgICAvKiBTZWdtZW50IG5vdCB2YWxpZCBmb3IgdXNlIChjb29r ZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAgaWYgKCAhZGVzY3RhYi5hdHRy LmZpZWxkcy5wICkKKyAgICAgICAgZ290byBmYWlsOworCiAgICAgLyogQ2hl Y2sgYWdhaW5zdCBkZXNjcmlwdG9yIHRhYmxlIGxpbWl0LiAqLwogICAgIGlm ICggKChzZWwgJiAweGZmZjgpICsgNykgPiBkZXNjdGFiLmxpbWl0ICkKICAg ICAgICAgZ290byBmYWlsOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2h2 bS9zdm0vc3ZtLmMgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm0uYwppbmRl eCAxNjQyN2Y2Li40Y2JhNDA2IDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYv aHZtL3N2bS9zdm0uYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9zdm0u YwpAQCAtNjI3LDYgKzYyNyw3IEBAIHN0YXRpYyB2b2lkIHN2bV9nZXRfc2Vn bWVudF9yZWdpc3RlcihzdHJ1Y3QgdmNwdSAqdiwgZW51bSB4ODZfc2VnbWVu dCBzZWcsCiAgICAgewogICAgIGNhc2UgeDg2X3NlZ19jczoKICAgICAgICAg bWVtY3B5KHJlZywgJnZtY2ItPmNzLCBzaXplb2YoKnJlZykpOworICAgICAg ICByZWctPmF0dHIuZmllbGRzLnAgPSAxOwogICAgICAgICByZWctPmF0dHIu ZmllbGRzLmcgPSByZWctPmxpbWl0ID4gMHhGRkZGRjsKICAgICAgICAgYnJl YWs7CiAgICAgY2FzZSB4ODZfc2VnX2RzOgpAQCAtNjYwLDEzICs2NjEsMTYg QEAgc3RhdGljIHZvaWQgc3ZtX2dldF9zZWdtZW50X3JlZ2lzdGVyKHN0cnVj dCB2Y3B1ICp2LCBlbnVtIHg4Nl9zZWdtZW50IHNlZywKICAgICBjYXNlIHg4 Nl9zZWdfdHI6CiAgICAgICAgIHN2bV9zeW5jX3ZtY2Iodik7CiAgICAgICAg IG1lbWNweShyZWcsICZ2bWNiLT50ciwgc2l6ZW9mKCpyZWcpKTsKKyAgICAg ICAgcmVnLT5hdHRyLmZpZWxkcy5wID0gMTsKICAgICAgICAgcmVnLT5hdHRy LmZpZWxkcy50eXBlIHw9IDB4MjsKICAgICAgICAgYnJlYWs7CiAgICAgY2Fz ZSB4ODZfc2VnX2dkdHI6CiAgICAgICAgIG1lbWNweShyZWcsICZ2bWNiLT5n ZHRyLCBzaXplb2YoKnJlZykpOworICAgICAgICByZWctPmF0dHIuYnl0ZXMg PSAweDgwOwogICAgICAgICBicmVhazsKICAgICBjYXNlIHg4Nl9zZWdfaWR0 cjoKICAgICAgICAgbWVtY3B5KHJlZywgJnZtY2ItPmlkdHIsIHNpemVvZigq cmVnKSk7CisgICAgICAgIHJlZy0+YXR0ci5ieXRlcyA9IDB4ODA7CiAgICAg ICAgIGJyZWFrOwogICAgIGNhc2UgeDg2X3NlZ19sZHRyOgogICAgICAgICBz dm1fc3luY192bWNiKHYpOwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2h2 bS92bXgvdm14LmMgYi94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXguYwppbmRl eCA5YThmNjk0Li5hNjUyYzUyIDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYv aHZtL3ZteC92bXguYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3ZteC92bXgu YwpAQCAtMTAzNSwxMCArMTAzNSwxMiBAQCB2b2lkIHZteF9nZXRfc2VnbWVu dF9yZWdpc3RlcihzdHJ1Y3QgdmNwdSAqdiwgZW51bSB4ODZfc2VnbWVudCBz ZWcsCiAgICAgcmVnLT5zZWwgPSBzZWw7CiAgICAgcmVnLT5saW1pdCA9IGxp bWl0OwogCi0gICAgcmVnLT5hdHRyLmJ5dGVzID0gKGF0dHIgJiAweGZmKSB8 ICgoYXR0ciA+PiA0KSAmIDB4ZjAwKTsKLSAgICAvKiBVbnVzYWJsZSBmbGFn IGlzIGZvbGRlZCBpbnRvIFByZXNlbnQgZmxhZy4gKi8KLSAgICBpZiAoIGF0 dHIgJiAoMXU8PDE2KSApCi0gICAgICAgIHJlZy0+YXR0ci5maWVsZHMucCA9 IDA7CisgICAgLyoKKyAgICAgKiBGb2xkIFZULXggcmVwcmVzZW50YXRpb24g aW50byBYZW4ncyByZXByZXNlbnRhdGlvbi4gIFRoZSBQcmVzZW50IGJpdCBp cworICAgICAqIHVuY29uZGl0aW9uYWxseSBzZXQgdG8gdGhlIGludmVyc2Ug b2YgdW51c2FibGUuCisgICAgICovCisgICAgcmVnLT5hdHRyLmJ5dGVzID0K KyAgICAgICAgKCEoYXR0ciAmICgxdSA8PCAxNikpIDw8IDcpIHwgKGF0dHIg JiAweDdmKSB8ICgoYXR0ciA+PiA0KSAmIDB4ZjAwKTsKIAogICAgIC8qIEFk anVzdCBmb3IgdmlydHVhbCA4MDg2IG1vZGUgKi8KICAgICBpZiAoIHYtPmFy Y2guaHZtX3ZteC52bXhfcmVhbG1vZGUgJiYgc2VnIDw9IHg4Nl9zZWdfdHIg CkBAIC0xMTE4LDExICsxMTIwLDExIEBAIHN0YXRpYyB2b2lkIHZteF9zZXRf c2VnbWVudF9yZWdpc3RlcihzdHJ1Y3QgdmNwdSAqdiwgZW51bSB4ODZfc2Vn bWVudCBzZWcsCiAgICAgICAgIH0KICAgICB9CiAKLSAgICBhdHRyID0gKChh dHRyICYgMHhmMDApIDw8IDQpIHwgKGF0dHIgJiAweGZmKTsKLQotICAgIC8q IE5vdC1wcmVzZW50IG11c3QgbWVhbiB1bnVzYWJsZS4gKi8KLSAgICBpZiAo ICFyZWctPmF0dHIuZmllbGRzLnAgKQotICAgICAgICBhdHRyIHw9ICgxdSA8 PCAxNik7CisgICAgLyoKKyAgICAgKiBVbmZvbGQgWGVuIHJlcHJlc2VudGF0 aW9uIGludG8gVlQteCByZXByZXNlbnRhdGlvbi4gIFRoZSB1bnVzYWJsZSBi aXQKKyAgICAgKiBpcyB1bmNvbmRpdGlvbmFsbHkgc2V0IHRvIHRoZSBpbnZl cnNlIG9mIHByZXNlbnQuCisgICAgICovCisgICAgYXR0ciA9ICghKGF0dHIg JiAoMXUgPDwgNykpIDw8IDE2KSB8ICgoYXR0ciAmIDB4ZjAwKSA8PCA0KSB8 IChhdHRyICYgMHhmZik7CiAKICAgICAvKiBWTVggaGFzIHN0cmljdCBjb25z aXN0ZW5jeSByZXF1aXJlbWVudCBmb3IgZmxhZyBHLiAqLwogICAgIGF0dHIg fD0gISEobGltaXQgPj4gMjApIDw8IDE1OwpkaWZmIC0tZ2l0IGEveGVuL2Fy Y2gveDg2L3g4Nl9lbXVsYXRlL3g4Nl9lbXVsYXRlLmMgYi94ZW4vYXJjaC94 ODYveDg2X2VtdWxhdGUveDg2X2VtdWxhdGUuYwppbmRleCA3YTcwN2RjLi43 Y2I2Zjk4IDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUv eDg2X2VtdWxhdGUuYworKysgYi94ZW4vYXJjaC94ODYveDg2X2VtdWxhdGUv eDg2X2VtdWxhdGUuYwpAQCAtMTM2Nyw2ICsxMzY3LDEwIEBAIHByb3Rtb2Rl X2xvYWRfc2VnKAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg JmRlc2N0YWIsIGN0eHQpKSApCiAgICAgICAgIHJldHVybiByYzsKIAorICAg IC8qIFNlZ21lbnQgbm90IHZhbGlkIGZvciB1c2UgKGNvb2tlZCBtZWFuaW5n IG9mIC5wKT8gKi8KKyAgICBpZiAoICFkZXNjdGFiLmF0dHIuZmllbGRzLnAg KQorICAgICAgICBnb3RvIHJhaXNlX2V4bjsKKwogICAgIC8qIENoZWNrIGFn YWluc3QgZGVzY3JpcHRvciB0YWJsZSBsaW1pdC4gKi8KICAgICBpZiAoICgo c2VsICYgMHhmZmY4KSArIDcpID4gZGVzY3RhYi5saW1pdCApCiAgICAgICAg IGdvdG8gcmFpc2VfZXhuOwo= --=separator Content-Type: application/octet-stream; name="xsa191-4.6.patch" Content-Disposition: attachment; filename="xsa191-4.6.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2h2bTogRml4IHRoZSBoYW5kbGluZyBvZiBub24t cHJlc2VudCBzZWdtZW50cwoKSW4gMzJiaXQsIHRoZSBkYXRhIHNlZ21lbnRz IG1heSBiZSBOVUxMIHRvIGluZGljYXRlIHRoYXQgdGhlIHNlZ21lbnQgaXMK aW5lbGlnaWJsZSBmb3IgdXNlLiAgSW4gYm90aCAzMmJpdCBhbmQgNjRiaXQs IHRoZSBMRFQgc2VsZWN0b3IgbWF5IGJlIE5VTEwgdG8KaW5kaWNhdGUgdGhh dCB0aGUgZW50aXJlIExEVCBpcyBpbmVsaWdpYmxlIGZvciB1c2UuICBIb3dl dmVyLCBub3RoaW5nIGluIFhlbgphY3R1YWxseSBjaGVja3MgZm9yIHRoaXMg Y29uZGl0aW9uIHdoZW4gcGVyZm9ybWluZyBvdGhlciBzZWdtZW50YXRpb24K Y2hlY2tzLiAgKE5vdGUgaG93ZXZlciB0aGF0IGxpbWl0IGFuZCB3cml0ZWFi aWxpdHkgY2hlY2tzIGFyZSBjb3JyZWN0bHkKcGVyZm9ybWVkKS4KCk5laXRo ZXIgSW50ZWwgbm9yIEFNRCBzcGVjaWZ5IHRoZSBleGFjdCBiZWhhdmlvdXIg b2YgbG9hZGluZyBhIE5VTEwgc2VnbWVudC4KRXhwZXJpbWVudGFsbHksIEFN RCB6ZXJvZXMgYWxsIGF0dHJpYnV0ZXMgYnV0IGxlYXZlcyB0aGUgYmFzZSBh bmQgbGltaXQKdW5tb2RpZmllZC4gIEludGVsIHplcm9lcyB0aGUgYmFzZSwg c2V0cyB0aGUgbGltaXQgdG8gMHhmZmZmZmZmIGFuZCByZXNldHMgdGhlCmF0 dHJpYnV0ZXMgdG8ganVzdCAuRyBhbmQgLkQvQi4KClRoZSB1c2Ugb2YgdGhl IHNlZ21lbnQgaW5mb3JtYXRpb24gaW4gdGhlIFZNQ0IvVk1DUyBpcyBlcXVp dmFsZW50IHRvIGEgbmF0aXZlCnBpcGVsaW5lIGludGVyYWN0aW5nIHdpdGgg dGhlIHNlZ21lbnQgY2FjaGUuICBUaGUgcHJlc2VudCBiaXQgY2FuIHRoZXJl Zm9yZQpoYXZlIGEgc3VidGx5IGRpZmZlcmVudCBtZWFuaW5nLCBhbmQgaXQg aXMgbm93IGNvb2tlZCB0byB1bmlmb3JtbHkgaW5kaWNhdGUKd2hldGhlciB0 aGUgc2VnbWVudCBpcyB1c2FibGUgb3Igbm90LgoKR0RUUiBhbmQgSURUUiBk b24ndCBoYXZlIGFjY2VzcyByaWdodHMgbGlrZSB0aGUgb3RoZXIgc2VnbWVu dHMsIGJ1dCBmb3IKY29uc2lzdGVuY3ksIHRoZXkgYXJlIHRyZWF0ZWQgYXMg YmVpbmcgcHJlc2VudCBzbyBubyBzcGVjaWFsIGNhc2luZyBpcyBuZWVkZWQK ZWxzZXdoZXJlIGluIHRoZSBzZWdtZW50YXRpb24gbG9naWMuCgpBTUQgaGFy ZHdhcmUgZG9lcyBub3QgY29uc2lkZXIgdGhlIHByZXNlbnQgYml0IGZvciAl Y3MgYW5kICV0ciwgYW5kIHdpbGwKZnVuY3Rpb24gYXMgaWYgdGhleSB3ZXJl IHByZXNlbnQuICBUaGV5IGFyZSB0aGVyZWZvcmUgdW5jb25kaXRpb25hbGx5 IHNldCB0bwpwcmVzZW50IHdoZW4gcmVhZGluZyBpbmZvcm1hdGlvbiBmcm9t IHRoZSBWTUNCLCB0byBtYWludGFpbiB0aGUgbmV3IG1lYW5pbmcgb2YKdXNh YmlsaXR5LgoKSW50ZWwgaGFyZHdhcmUgaGFzIGEgc2VwYXJhdGUgdW51c2Fi bGUgYml0IGluIHRoZSBWTUNTIHNlZ21lbnQgYXR0cmlidXRlcy4KVGhpcyBi aXQgaXMgaW52ZXJ0ZWQgYW5kIHN0b3JlZCBpbiB0aGUgcHJlc2VudCBmaWVs ZCwgc28gdGhlIGh2bSBjb2RlIGNhbiB3b3JrCndpdGggYXJjaGl0ZWN0dXJh bGx5LWNvbW1vbiBzdGF0ZS4KClRoaXMgaXMgWFNBLTE5MS4KClNpZ25lZC1v ZmYtYnk6IEFuZHJldyBDb29wZXIgPGFuZHJldy5jb29wZXIzQGNpdHJpeC5j b20+ClJldmlld2VkLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5j b20+CgotLS0gYS94ZW4vYXJjaC94ODYvaHZtL2h2bS5jCisrKyBiL3hlbi9h cmNoL3g4Ni9odm0vaHZtLmMKQEAgLTM2NjYsNiArMzY2NiwxMCBAQCBpbnQg aHZtX3ZpcnR1YWxfdG9fbGluZWFyX2FkZHIoCiAgICAgICAgICAqIENPTVBB VElCSUxJVFkgTU9ERTogQXBwbHkgc2VnbWVudCBjaGVja3MgYW5kIGFkZCBi YXNlLgogICAgICAgICAgKi8KIAorICAgICAgICAvKiBTZWdtZW50IG5vdCB2 YWxpZCBmb3IgdXNlIChjb29rZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAg ICAgIGlmICggIXJlZy0+YXR0ci5maWVsZHMucCApCisgICAgICAgICAgICBy ZXR1cm4gMDsKKwogICAgICAgICBzd2l0Y2ggKCBhY2Nlc3NfdHlwZSApCiAg ICAgICAgIHsKICAgICAgICAgY2FzZSBodm1fYWNjZXNzX3JlYWQ6CkBAIC0z ODcxLDYgKzM4NzUsMTAgQEAgc3RhdGljIGludCBodm1fbG9hZF9zZWdtZW50 X3NlbGVjdG9yKAogICAgIGh2bV9nZXRfc2VnbWVudF9yZWdpc3RlcigKICAg ICAgICAgdiwgKHNlbCAmIDQpID8geDg2X3NlZ19sZHRyIDogeDg2X3NlZ19n ZHRyLCAmZGVzY3RhYik7CiAKKyAgICAvKiBTZWdtZW50IG5vdCB2YWxpZCBm b3IgdXNlIChjb29rZWQgbWVhbmluZyBvZiAucCk/ICovCisgICAgaWYgKCAh ZGVzY3RhYi5hdHRyLmZpZWxkcy5wICkKKyAgICAgICAgZ290byBmYWlsOwor CiAgICAgLyogQ2hlY2sgYWdhaW5zdCBkZXNjcmlwdG9yIHRhYmxlIGxpbWl0 LiAqLwogICAgIGlmICggKChzZWwgJiAweGZmZjgpICsgNykgPiBkZXNjdGFi LmxpbWl0ICkKICAgICAgICAgZ290byBmYWlsOwotLS0gYS94ZW4vYXJjaC94 ODYvaHZtL3N2bS9zdm0uYworKysgYi94ZW4vYXJjaC94ODYvaHZtL3N2bS9z dm0uYwpAQCAtNjIwLDYgKzYyMCw3IEBAIHN0YXRpYyB2b2lkIHN2bV9nZXRf c2VnbWVudF9yZWdpc3RlcihzdHIKICAgICB7CiAgICAgY2FzZSB4ODZfc2Vn X2NzOgogICAgICAgICBtZW1jcHkocmVnLCAmdm1jYi0+Y3MsIHNpemVvZigq cmVnKSk7CisgICAgICAgIHJlZy0+YXR0ci5maWVsZHMucCA9IDE7CiAgICAg ICAgIHJlZy0+YXR0ci5maWVsZHMuZyA9IHJlZy0+bGltaXQgPiAweEZGRkZG OwogICAgICAgICBicmVhazsKICAgICBjYXNlIHg4Nl9zZWdfZHM6CkBAIC02 NTMsMTMgKzY1NCwxNiBAQCBzdGF0aWMgdm9pZCBzdm1fZ2V0X3NlZ21lbnRf cmVnaXN0ZXIoc3RyCiAgICAgY2FzZSB4ODZfc2VnX3RyOgogICAgICAgICBz dm1fc3luY192bWNiKHYpOwogICAgICAgICBtZW1jcHkocmVnLCAmdm1jYi0+ dHIsIHNpemVvZigqcmVnKSk7CisgICAgICAgIHJlZy0+YXR0ci5maWVsZHMu cCA9IDE7CiAgICAgICAgIHJlZy0+YXR0ci5maWVsZHMudHlwZSB8PSAweDI7 CiAgICAgICAgIGJyZWFrOwogICAgIGNhc2UgeDg2X3NlZ19nZHRyOgogICAg ICAgICBtZW1jcHkocmVnLCAmdm1jYi0+Z2R0ciwgc2l6ZW9mKCpyZWcpKTsK KyAgICAgICAgcmVnLT5hdHRyLmJ5dGVzID0gMHg4MDsKICAgICAgICAgYnJl YWs7CiAgICAgY2FzZSB4ODZfc2VnX2lkdHI6CiAgICAgICAgIG1lbWNweShy ZWcsICZ2bWNiLT5pZHRyLCBzaXplb2YoKnJlZykpOworICAgICAgICByZWct PmF0dHIuYnl0ZXMgPSAweDgwOwogICAgICAgICBicmVhazsKICAgICBjYXNl IHg4Nl9zZWdfbGR0cjoKICAgICAgICAgc3ZtX3N5bmNfdm1jYih2KTsKLS0t IGEveGVuL2FyY2gveDg2L2h2bS92bXgvdm14LmMKKysrIGIveGVuL2FyY2gv eDg2L2h2bS92bXgvdm14LmMKQEAgLTg2NywxMCArODY3LDEyIEBAIHZvaWQg dm14X2dldF9zZWdtZW50X3JlZ2lzdGVyKHN0cnVjdCB2Y3AKICAgICByZWct PnNlbCA9IHNlbDsKICAgICByZWctPmxpbWl0ID0gbGltaXQ7CiAKLSAgICBy ZWctPmF0dHIuYnl0ZXMgPSAoYXR0ciAmIDB4ZmYpIHwgKChhdHRyID4+IDQp ICYgMHhmMDApOwotICAgIC8qIFVudXNhYmxlIGZsYWcgaXMgZm9sZGVkIGlu dG8gUHJlc2VudCBmbGFnLiAqLwotICAgIGlmICggYXR0ciAmICgxdTw8MTYp ICkKLSAgICAgICAgcmVnLT5hdHRyLmZpZWxkcy5wID0gMDsKKyAgICAvKgor ICAgICAqIEZvbGQgVlQteCByZXByZXNlbnRhdGlvbiBpbnRvIFhlbidzIHJl cHJlc2VudGF0aW9uLiAgVGhlIFByZXNlbnQgYml0IGlzCisgICAgICogdW5j b25kaXRpb25hbGx5IHNldCB0byB0aGUgaW52ZXJzZSBvZiB1bnVzYWJsZS4K KyAgICAgKi8KKyAgICByZWctPmF0dHIuYnl0ZXMgPQorICAgICAgICAoIShh dHRyICYgKDF1IDw8IDE2KSkgPDwgNykgfCAoYXR0ciAmIDB4N2YpIHwgKChh dHRyID4+IDQpICYgMHhmMDApOwogCiAgICAgLyogQWRqdXN0IGZvciB2aXJ0 dWFsIDgwODYgbW9kZSAqLwogICAgIGlmICggdi0+YXJjaC5odm1fdm14LnZt eF9yZWFsbW9kZSAmJiBzZWcgPD0geDg2X3NlZ190ciAKQEAgLTk1MCwxMSAr OTUyLDExIEBAIHN0YXRpYyB2b2lkIHZteF9zZXRfc2VnbWVudF9yZWdpc3Rl cihzdHIKICAgICAgICAgfQogICAgIH0KIAotICAgIGF0dHIgPSAoKGF0dHIg JiAweGYwMCkgPDwgNCkgfCAoYXR0ciAmIDB4ZmYpOwotCi0gICAgLyogTm90 LXByZXNlbnQgbXVzdCBtZWFuIHVudXNhYmxlLiAqLwotICAgIGlmICggIXJl Zy0+YXR0ci5maWVsZHMucCApCi0gICAgICAgIGF0dHIgfD0gKDF1IDw8IDE2 KTsKKyAgICAvKgorICAgICAqIFVuZm9sZCBYZW4gcmVwcmVzZW50YXRpb24g aW50byBWVC14IHJlcHJlc2VudGF0aW9uLiAgVGhlIHVudXNhYmxlIGJpdAor ICAgICAqIGlzIHVuY29uZGl0aW9uYWxseSBzZXQgdG8gdGhlIGludmVyc2Ug b2YgcHJlc2VudC4KKyAgICAgKi8KKyAgICBhdHRyID0gKCEoYXR0ciAmICgx dSA8PCA3KSkgPDwgMTYpIHwgKChhdHRyICYgMHhmMDApIDw8IDQpIHwgKGF0 dHIgJiAweGZmKTsKIAogICAgIC8qIFZNWCBoYXMgc3RyaWN0IGNvbnNpc3Rl bmN5IHJlcXVpcmVtZW50IGZvciBmbGFnIEcuICovCiAgICAgYXR0ciB8PSAh IShsaW1pdCA+PiAyMCkgPDwgMTU7Ci0tLSBhL3hlbi9hcmNoL3g4Ni94ODZf ZW11bGF0ZS94ODZfZW11bGF0ZS5jCisrKyBiL3hlbi9hcmNoL3g4Ni94ODZf ZW11bGF0ZS94ODZfZW11bGF0ZS5jCkBAIC0xMjA5LDYgKzEyMDksMTAgQEAg cHJvdG1vZGVfbG9hZF9zZWcoCiAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAmZGVzY3RhYiwgY3R4dCkpICkKICAgICAgICAgcmV0dXJuIHJj OwogCisgICAgLyogU2VnbWVudCBub3QgdmFsaWQgZm9yIHVzZSAoY29va2Vk IG1lYW5pbmcgb2YgLnApPyAqLworICAgIGlmICggIWRlc2N0YWIuYXR0ci5m aWVsZHMucCApCisgICAgICAgIGdvdG8gcmFpc2VfZXhuOworCiAgICAgLyog Q2hlY2sgYWdhaW5zdCBkZXNjcmlwdG9yIHRhYmxlIGxpbWl0LiAqLwogICAg IGlmICggKChzZWwgJiAweGZmZjgpICsgNykgPiBkZXNjdGFiLmxpbWl0ICkK ICAgICAgICAgZ290byByYWlzZV9leG47Cg== --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 22 12:03:24 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 22 Nov 2016 12:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mf-00087i-5a; Tue, 22 Nov 2016 12:02:45 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99md-00086C-QQ; Tue, 22 Nov 2016 12:02:43 +0000 Received: from [85.158.139.211] by server-9.bemta-5.messagelabs.com id 33/59-01928-1E334385; Tue, 22 Nov 2016 12:02:41 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOIsWRWlGSWpSXmKPExsWS0XRdVfe+sUm EwdRLhha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDN2Lx2G2PB/LCKa4vusTcw ngvsYuTiEBI4xyjxcsNfRghnA6NEz96t7F2MnBzMAq4SN/ZtZoOwFSUu3GtgAbF5BQQlTs58A mZLCGhK3HmzCqxeRKBIYue5l2A2m4CexNyzk5ggenUkXu5fDWYLC2RJ/L6zAGqOmcSRXftZQW wWAVWJ2Vtmsk9g5JmFZPUsJKtnIVk9i5EDKK4psX6XPoQpLbH8HwdEtbzE9rdzmCFsa4l3Mx4 wQ5RYSJxZXAIzcEr3Q/YFjJyrGNWLU4vKUot0zfSSijLTM0pyEzNzdA0NTPVyU4uLE9NTcxKT ivWS83M3MQKDmwEIdjBObXA+xCjJwaQkynt4qVGEEF9SfkplRmJxRnxRaU5q8SFGGQ4OJQne5 UYmEUKCRanpqRVpmTnAOINJS3DwKInwPgZJ8xYXJOYWZ6ZDpE4xGnPcOvH8ARPHo99vHzAJse Tl56VKifNeBCkVACnNKM2DGwSL/0uMslLCvIxApwnxFKQW5WaWoMq/YhTnYFQS5l0DMoUnM68 Ebt8roFOYgE6R/GYMckpJIkJKqoFxq5Pc7va413d/CrluFyve//qjaPWBtpsFr477eWZorXzy T6i+o/bauquerpfC1nl63Z3a8Pr6lwLJ6lVzlkqvielsZYh74qXaJLIoNz26+vocv+sxsxPmn Y9/t/zhJpXbljtX7stfdi9Ovu7aJd/arqXzHnE4qE0+n3p0Z/+X2jzLlQeenLl7T4mlOCPRUI u5qDgRALV8gN76AgAA X-Env-Sender: andrewcoop@xenbits.xen.org X-Msg-Ref: server-3.tower-206.messagelabs.com!1479816158!67955773!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 26721 invoked from network); 22 Nov 2016 12:02:39 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-3.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 22 Nov 2016 12:02:39 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c99mQ-0004p6-7y; Tue, 22 Nov 2016 12:02:30 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1c99mQ-00087x-6f; Tue, 22 Nov 2016 12:02:30 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 22 Nov 2016 12:02:30 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 194 (CVE-2016-9384) - guest 32-bit ELF symbol table load leaking host data X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-9384 / XSA-194 version 3 guest 32-bit ELF symbol table load leaking host data UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load (kernel) symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused bytes were not properly cleared during symbol table loading. IMPACT ====== A malicious unprivileged guest may be able to obtain sensitive information from the host. The information leak is small and not under the control of the guest, so effectively exploiting this vulnerability is probably difficult. VULNERABLE SYSTEMS ================== Only Xen version 4.7 is affected. Xen versions 4.6 and earlier are not affected. The vulnerability is not exposed to x86 HVM guests, unless the host toolstack has configured to load the guest with a non-default loader, rather than hvmloader. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by Roger Pau Monné of Citrix. RESOLUTION ========== Applying the attached patch resolves this issue. xsa194.patch xen-unstable, Xen 4.7.x $ sha256sum xsa194* 4dad65417d9ff3c86e763d3c88cf8de79b58a9981d531f641ae0dd0dcedce911 xsa194.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYNDLYAAoJEIP+FMlX6CvZqAoH/39GSWwDpYnflz3TcFyQUViM j36XzzStWya71ewaXiguUbTHHg6mK47pK4EA/3zFwerczz/5yQzhlToitPkP/8WE 5Qbg9Wyg4STylzeKaiTvLzqUK6XSiJ4oKZwLsnU7tFPLcb6FBMm9t3bzg9NECaft /6zYj1SVCvoLJB/gtgbwrz2MCjVZQZ9Q2+mpirvu0ePQRD73M0cwfj1ncqjUkFd9 ZNdk14gmxOk1/wWAm/oD1QKUWmjpzByT5dbGcMV3OxGs1V2Px+o4c1u1t/agldr0 wC2LvCK9IED9JcBaH/M85TTAGR7GqfU8l9x3ep97GkrUpquX4OGFt7na28M1YUQ= =Gc8O -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa194.patch" Content-Disposition: attachment; filename="xsa194.patch" Content-Transfer-Encoding: base64 RnJvbSA3MTA5NmIwMTZmN2ZkNTRhNzJhZjczNTc2OTQ4Y2IyNWNmNDJlYmNi IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBSb2dlciBQYXUgTW9u bsOpIDxyb2dlci5wYXVAY2l0cml4LmNvbT5EYXRlOiBXZWQsIDIgTm92IDIw MTYgMTU6MDI6MDAgKzAwMDAKU3ViamVjdDogW1BBVENIXSBsaWJlbGY6IGZp eCBzdGFjayBtZW1vcnkgbGVhayB3aGVuIGxvYWRpbmcgMzIgYml0IHN5bWJv bAogdGFibGVzCgpUaGUgMzIgYml0IEVsZiBzdHJ1Y3RzIGFyZSBzbWFsbGVy IHRoYW4gdGhlIDY0IGJpdCBvbmVzLCB3aGljaCBtZWFucyB0aGF0CndoZW4g bG9hZGluZyB0aGVtIHRoZXJlJ3Mgc29tZSBwYWRkaW5nIGxlZnQgdW5pbml0 aWFsaXplZCBhdCB0aGUgZW5kIG9mIGVhY2gKc3RydWN0IChiZWNhdXNlIHRo ZSBzaXplIGluZGljYXRlZCBpbiBlX2Voc2l6ZSBhbmQgZV9zaGVudHNpemUg aXMKc21hbGxlciB0aGFuIHRoZSBzaXplIG9mIGVsZl9laGRyIGFuZCBlbGZf c2hkcikuCgpGaXggdGhpcyBieSBpbnRyb2R1Y2luZyBhIG5ldyBoZWxwZXIg dGhhdCBpcyB1c2VkIHRvIHNldApbY2FsbGVyX114ZGVzdF97YmFzZS9zaXpl fSBhbmQgdGhhdCB0YWtlcyBjYXJlIG9mIHBlcmZvcm1pbmcgdGhlIGFwcHJv cHJpYXRlCm1lbXNldCBvZiB0aGUgcmVnaW9uLiBUaGlzIG5ld2x5IGludHJv ZHVjZWQgaGVscGVyIGlzIHRoZW4gdXNlZCB0byBzZXQgYW5kCnVuc2V0IHhk ZXN0X3tiYXNlL3NpemV9IGluIGVsZl9sb2FkX2JzZHN5bXMuIE5vdyB0aGF0 IHRoZSBmdWxsIHN0cnVjdAppcyB6ZXJvZWQsIHRoZXJlJ3Mgbm8gbmVlZCB0 byBzcGVjaWZpY2FsbHkgemVybyB0aGUgdW5kZWZpbmVkIHNlY3Rpb24uCgpU aGlzIGlzIFhTQS0xOTQuCgpTdWdnZXN0ZWQtYnk6IElhbiBKYWNrc29uIDxp YW4uamFja3NvbkBldS5jaXRyaXguY29tPgoKQWxzbyByZW1vdmUgdGhlIG9w ZW4gY29kZWQgKGFuZCByZWR1bmRhbnQgd2l0aCB0aGUgZWFybGllcgplbGZf bWVtc2V0X3VuY2hlY2tlZCgpKSB1c2Ugb2YgY2FsbGVyX3hkZXN0XyogZnJv bSBlbGZfaW5pdCgpLgoKU2lnbmVkLW9mZi1ieTogUm9nZXIgUGF1IE1vbm7D qSA8cm9nZXIucGF1QGNpdHJpeC5jb20+ClNpZ25lZC1vZmYtYnk6IEphbiBC ZXVsaWNoIDxqYmV1bGljaEBzdXNlLmNvbT4KU2lnbmVkLW9mZi1ieTogSWFu IEphY2tzb24gPElhbi5KYWNrc29uQGV1LmNpdHJpeC5jb20+Ci0tLQogeGVu L2NvbW1vbi9saWJlbGYvbGliZWxmLWxvYWRlci5jIHwgMTQgKysrLS0tLS0t LS0tLS0KIHhlbi9jb21tb24vbGliZWxmL2xpYmVsZi10b29scy5jICB8IDEx ICsrKysrKysrKy0tCiB4ZW4vaW5jbHVkZS94ZW4vbGliZWxmLmggICAgICAg ICAgfCAxNSArKysrKysrKystLS0tLS0KIDMgZmlsZXMgY2hhbmdlZCwgMjEg aW5zZXJ0aW9ucygrKSwgMTkgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEv eGVuL2NvbW1vbi9saWJlbGYvbGliZWxmLWxvYWRlci5jIGIveGVuL2NvbW1v bi9saWJlbGYvbGliZWxmLWxvYWRlci5jCmluZGV4IDRkM2FlNGQuLmJjMWY4 N2IgMTAwNjQ0Ci0tLSBhL3hlbi9jb21tb24vbGliZWxmL2xpYmVsZi1sb2Fk ZXIuYworKysgYi94ZW4vY29tbW9uL2xpYmVsZi9saWJlbGYtbG9hZGVyLmMK QEAgLTQzLDggKzQzLDYgQEAgZWxmX2Vycm9yc3RhdHVzIGVsZl9pbml0KHN0 cnVjdCBlbGZfYmluYXJ5ICplbGYsIGNvbnN0IGNoYXIgKmltYWdlX2lucHV0 LCBzaXplX3QKICAgICBlbGYtPmVoZHIgPSBFTEZfTUFLRV9IQU5ETEUoZWxm X2VoZHIsIChlbGZfcHRydmFsKWltYWdlX2lucHV0KTsKICAgICBlbGYtPmNs YXNzID0gZWxmX3V2YWxfMzI2NChlbGYsIGVsZi0+ZWhkciwgZTMyLmVfaWRl bnRbRUlfQ0xBU1NdKTsKICAgICBlbGYtPmRhdGEgPSBlbGZfdXZhbF8zMjY0 KGVsZiwgZWxmLT5laGRyLCBlMzIuZV9pZGVudFtFSV9EQVRBXSk7Ci0gICAg ZWxmLT5jYWxsZXJfeGRlc3RfYmFzZSA9IE5VTEw7Ci0gICAgZWxmLT5jYWxs ZXJfeGRlc3Rfc2l6ZSA9IDA7CiAKICAgICAvKiBTYW5pdHkgY2hlY2sgcGhk ci4gKi8KICAgICBvZmZzZXQgPSBlbGZfdXZhbChlbGYsIGVsZi0+ZWhkciwg ZV9waG9mZikgKwpAQCAtMjg0LDkgKzI4Miw4IEBAIGRvIHsgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgXAogI2RlZmluZSBTWU1UQUJfSU5ERVggICAgMQogI2RlZmlu ZSBTVFJUQUJfSU5ERVggICAgMgogCi0gICAgLyogQWxsb3cgZWxmX21lbWNw eV9zYWZlIHRvIHdyaXRlIHRvIHN5bWJvbF9oZWFkZXIuICovCi0gICAgZWxm LT5jYWxsZXJfeGRlc3RfYmFzZSA9ICZoZWFkZXI7Ci0gICAgZWxmLT5jYWxs ZXJfeGRlc3Rfc2l6ZSA9IHNpemVvZihoZWFkZXIpOworICAgIC8qIEFsbG93 IGVsZl9tZW1jcHlfc2FmZSB0byB3cml0ZSB0byBoZWFkZXIuICovCisgICAg ZWxmX3NldF94ZGVzdChlbGYsICZoZWFkZXIsIHNpemVvZihoZWFkZXIpKTsK IAogICAgIC8qCiAgICAgICogQ2FsY3VsYXRlIHRoZSBwb3NpdGlvbiBvZiB0 aGUgdmFyaW91cyBlbGVtZW50cyBpbiBHVUVTVCBNRU1PUlkgU1BBQ0UuCkBA IC0zMTksMTEgKzMxNiw3IEBAIGRvIHsgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXAog ICAgIGVsZl9zdG9yZV9maWVsZF9iaXRuZXNzKGVsZiwgaGVhZGVyX2hhbmRs ZSwgZV9waGVudHNpemUsIDApOwogICAgIGVsZl9zdG9yZV9maWVsZF9iaXRu ZXNzKGVsZiwgaGVhZGVyX2hhbmRsZSwgZV9waG51bSwgMCk7CiAKLSAgICAv KiBaZXJvIHRoZSB1bmRlZmluZWQgc2VjdGlvbi4gKi8KLSAgICBzZWN0aW9u X2hhbmRsZSA9IEVMRl9NQUtFX0hBTkRMRShlbGZfc2hkciwKLSAgICAgICAg ICAgICAgICAgICAgIEVMRl9SRUFMUFRSMlBUUlZBTCgmaGVhZGVyLmVsZl9o ZWFkZXIuc2VjdGlvbltTSE5fVU5ERUZdKSk7CiAgICAgc2hkcl9zaXplID0g ZWxmX3V2YWwoZWxmLCBlbGYtPmVoZHIsIGVfc2hlbnRzaXplKTsKLSAgICBl bGZfbWVtc2V0X3NhZmUoZWxmLCBFTEZfSEFORExFX1BUUlZBTChzZWN0aW9u X2hhbmRsZSksIDAsIHNoZHJfc2l6ZSk7CiAKICAgICAvKgogICAgICAqIFRo ZSBzeW10YWIgc2VjdGlvbiBoZWFkZXIgaXMgZ29pbmcgdG8gcmVzaWRlIGlu IHNlY3Rpb25bU1lNVEFCX0lOREVYXSwKQEAgLTQwNCw4ICszOTcsNyBAQCBk byB7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIFwKICAgICB9CiAKICAgICAvKiBSZW1v dmUgcGVybWlzc2lvbnMgZnJvbSBlbGZfbWVtY3B5X3NhZmUuICovCi0gICAg ZWxmLT5jYWxsZXJfeGRlc3RfYmFzZSA9IE5VTEw7Ci0gICAgZWxmLT5jYWxs ZXJfeGRlc3Rfc2l6ZSA9IDA7CisgICAgZWxmX3NldF94ZGVzdChlbGYsIE5V TEwsIDApOwogCiAjdW5kZWYgU1lNVEFCX0lOREVYCiAjdW5kZWYgU1RSVEFC X0lOREVYCmRpZmYgLS1naXQgYS94ZW4vY29tbW9uL2xpYmVsZi9saWJlbGYt dG9vbHMuYyBiL3hlbi9jb21tb24vbGliZWxmL2xpYmVsZi10b29scy5jCmlu ZGV4IDVhNDc1N2IuLmU3M2U3MjkgMTAwNjQ0Ci0tLSBhL3hlbi9jb21tb24v bGliZWxmL2xpYmVsZi10b29scy5jCisrKyBiL3hlbi9jb21tb24vbGliZWxm L2xpYmVsZi10b29scy5jCkBAIC01OSw4ICs1OSw3IEBAIGJvb2wgZWxmX2Fj Y2Vzc19vayhzdHJ1Y3QgZWxmX2JpbmFyeSAqIGVsZiwKICAgICAgICAgcmV0 dXJuIDE7CiAgICAgaWYgKCBlbGZfcHRydmFsX2luX3JhbmdlKHB0cnZhbCwg c2l6ZSwgZWxmLT5kZXN0X2Jhc2UsIGVsZi0+ZGVzdF9zaXplKSApCiAgICAg ICAgIHJldHVybiAxOwotICAgIGlmICggZWxmX3B0cnZhbF9pbl9yYW5nZShw dHJ2YWwsIHNpemUsCi0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVs Zi0+Y2FsbGVyX3hkZXN0X2Jhc2UsIGVsZi0+Y2FsbGVyX3hkZXN0X3NpemUp ICkKKyAgICBpZiAoIGVsZl9wdHJ2YWxfaW5fcmFuZ2UocHRydmFsLCBzaXpl LCBlbGYtPnhkZXN0X2Jhc2UsIGVsZi0+eGRlc3Rfc2l6ZSkgKQogICAgICAg ICByZXR1cm4gMTsKICAgICBlbGZfbWFya19icm9rZW4oZWxmLCAib3V0IG9m IHJhbmdlIGFjY2VzcyIpOwogICAgIHJldHVybiAwOwpAQCAtMzczLDYgKzM3 MiwxNCBAQCBib29sIGVsZl9waGRyX2lzX2xvYWRhYmxlKHN0cnVjdCBlbGZf YmluYXJ5ICplbGYsIEVMRl9IQU5ETEVfREVDTChlbGZfcGhkcikgcGhkcgog ICAgIHJldHVybiAoKHBfdHlwZSA9PSBQVF9MT0FEKSAmJiAocF9mbGFncyAm IChQRl9SIHwgUEZfVyB8IFBGX1gpKSAhPSAwKTsKIH0KIAordm9pZCBlbGZf c2V0X3hkZXN0KHN0cnVjdCBlbGZfYmluYXJ5ICplbGYsIHZvaWQgKmFkZHIs IHVpbnQ2NF90IHNpemUpCit7CisgICAgZWxmLT54ZGVzdF9iYXNlID0gYWRk cjsKKyAgICBlbGYtPnhkZXN0X3NpemUgPSBzaXplOworICAgIGlmICggYWRk ciAhPSBOVUxMICkKKyAgICAgICAgZWxmX21lbXNldF9zYWZlKGVsZiwgRUxG X1JFQUxQVFIyUFRSVkFMKGFkZHIpLCAwLCBzaXplKTsKK30KKwogLyoKICAq IExvY2FsIHZhcmlhYmxlczoKICAqIG1vZGU6IEMKZGlmZiAtLWdpdCBhL3hl bi9pbmNsdWRlL3hlbi9saWJlbGYuaCBiL3hlbi9pbmNsdWRlL3hlbi9saWJl bGYuaAppbmRleCA5NWI1MzcwLi5jZjYyYmM3IDEwMDY0NAotLS0gYS94ZW4v aW5jbHVkZS94ZW4vbGliZWxmLmgKKysrIGIveGVuL2luY2x1ZGUveGVuL2xp YmVsZi5oCkBAIC0yMTAsMTMgKzIxMCwxMSBAQCBzdHJ1Y3QgZWxmX2JpbmFy eSB7CiAgICAgdWludDY0X3QgYnNkX3N5bXRhYl9wZW5kOwogCiAgICAgLyoK LSAgICAgKiBjYWxsZXIncyBvdGhlciBhY2NlcHRhYmxlIGRlc3RpbmF0aW9u Ci0gICAgICoKLSAgICAgKiBBZ2FpbiwgdGhlc2UgYXJlIHRydXN0ZWQgYW5k IG11c3QgYmUgdmFsaWQgKG9yIDApIHNvIGxvbmcKLSAgICAgKiBhcyB0aGUg c3RydWN0IGVsZl9iaW5hcnkgaXMgaW4gdXNlLgorICAgICAqIGNhbGxlcidz IG90aGVyIGFjY2VwdGFibGUgZGVzdGluYXRpb24uCisgICAgICogU2V0IGJ5 IGVsZl9zZXRfeGRlc3QuICBEbyBub3Qgc2V0IHRoZXNlIGRpcmVjdGx5Lgog ICAgICAqLwotICAgIHZvaWQgKmNhbGxlcl94ZGVzdF9iYXNlOwotICAgIHVp bnQ2NF90IGNhbGxlcl94ZGVzdF9zaXplOworICAgIHZvaWQgKnhkZXN0X2Jh c2U7CisgICAgdWludDY0X3QgeGRlc3Rfc2l6ZTsKIAogI2lmbmRlZiBfX1hF Tl9fCiAgICAgLyogbWlzYyAqLwpAQCAtNDk0LDUgKzQ5MiwxMCBAQCBzdGF0 aWMgaW5saW5lIHZvaWQgRUxGX0FEVkFOQ0VfREVTVChzdHJ1Y3QgZWxmX2Jp bmFyeSAqZWxmLCB1aW50NjRfdCBhbW91bnQpCiAgICAgfQogfQogCisvKiBT cGVjaWZ5IGEgKHNpbmdsZSkgYWRkaXRpb25hbCBkZXN0aW5hdGlvbiwgdG8g d2hpY2ggdGhlIGltYWdlIG1heQorICogY2F1c2Ugd3JpdGVzLiAgQXMgd2l0 aCBkZXN0X2Jhc2UgYW5kIGRlc3Rfc2l6ZSwgdGhlIHZhbHVlcyBwcm92aWRl ZAorICogYXJlIHRydXN0ZWQgYW5kIG11c3QgYmUgdmFsaWQgc28gbG9uZyBh cyB0aGUgc3RydWN0IGVsZl9iaW5hcnkKKyAqIGlzIGluIHVzZSBvciB1bnRp bCBlbGZfc2V0X3hkZXN0KCwwLDApIGlzIGNhbGxlZC4gKi8KK3ZvaWQgZWxm X3NldF94ZGVzdChzdHJ1Y3QgZWxmX2JpbmFyeSAqZWxmLCB2b2lkICphZGRy LCB1aW50NjRfdCBzaXplKTsKIAogI2VuZGlmIC8qIF9fWEVOX0xJQkVMRl9I X18gKi8KLS0gCjIuMS40Cgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 29 14:49:42 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 29 Nov 2016 14:49:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBjhy-0005UF-E5; Tue, 29 Nov 2016 14:48:34 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBjhx-0005Tt-E6; Tue, 29 Nov 2016 14:48:33 +0000 Received: from [85.158.137.68] by server-6.bemta-3.messagelabs.com id 4A/F6-25811-0459D385; Tue, 29 Nov 2016 14:48:32 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJKsWRWlGSWpSXmKPExsWS0XRdVdd+qm2 EwYqVSha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNOPtuClvBzKuMFY8O/mdu YDxxjrGLkYtDSOA4o8SeB6vZIJxFjBKb999i7WLk5GAWcJW4sW8zG4StKHHhXgMLiM0rIChxc uYTMFtCQFPizptV7CC2iECRxM5zL8FsNgE9iblnJzFB9OpIvNy/GswWFgiW+LfpFNQcM4lP03 6A2SwCqhITNm5lmsDIMwvJ6llIVs9CsnoWIwdQXFNi/S59CFNaYvk/DohqeYntb+cwQ4RtJc6 t1YcIW0nc/N7MBDNwSvdDdgjbVuLRtyuMMDV/n25nRlUDMeb+N2GYkvbne1kwjXGU6HlxBSpu J7Fh4zJmbFYtOb+WBWbOyffPGZHVLGAUXcWoUZxaVJZapGtsoJdUlJmeUZKbmJmja2hgrJebW lycmJ6ak5hUrJecn7uJEZgA6hkYGHcwdp7wO8QoycGkJMo73c0mQogvKT+lMiOxOCO+qDQntf gQowwHh5IE74/JthFCgkWp6akVaZk5wFQEk5bg4FES4TWcApTmLS5IzC3OTIdInWI05rh14vk DJo5Hv98+YBJiycvPS5US53UGKRUAKc0ozYMbBEuRlxhlpYR5GRkYGIR4ClKLcjNLUOVfMYpz MCoJQ0zhycwrgdv3CugUJqBT3r62BjmlJBEhJdXAmLr6sfHRw9L1by5Vbnz/xVLsn/IRR4Ea5 /Ubs1W8P8WyBc6boOW8jkVshmTogwNeNv9DmfSclmx0dP0Q/e/6nPxWvVaDh/tfrlSSat8kfi B2Kqfe7Gumj1V7vjf8LQ8U2tV2MfsJR83rdQLBUXG2e8+VeWg8z5n4uNjeU+JOVE/o9XkxjHJ blViKMxINtZiLihMBAQKId4wDAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-14.tower-31.messagelabs.com!1480430910!73527183!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 63073 invoked from network); 29 Nov 2016 14:48:31 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-14.tower-31.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 29 Nov 2016 14:48:31 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBjhk-0008WM-GG; Tue, 29 Nov 2016 14:48:20 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1cBjhk-0000Fg-Ct; Tue, 29 Nov 2016 14:48:20 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 29 Nov 2016 14:48:20 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 201 - ARM guests may induce host asynchronous abort X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-201 ARM guests may induce host asynchronous abort ISSUE DESCRIPTION ================= Depending on how the hardware and firmware have been integrated, guest-triggered asynchronous aborts (SError on ARMv8) may be received by the hypervisor. The current action is to crash the host. A guest might trigger an asynchronous abort when accessing memory mapped hardware in a non-conventional way. Even if device pass-through has not been configured, the hypervisor may give the guest access to memory mapped hardware in order to take advantage of hardware virtualization. IMPACT ====== A malicious guest may be able to crash the host. VULNERABLE SYSTEMS ================== All Xen versions which support ARM are potentially affected. Whether a particular ARM systems is affected depends on technical details of the hardware and/or firmware. x86 systems are not affected. MITIGATION ========== On systems where the guest kernel is controlled by the host rather than guest administrator, running only kernels which do not expose MMIO to userspace will prevent untrusted guest users from exploiting this issue. However untrusted guest administrators can still trigger it unless further steps are taken to prevent them from loading code into the kernel (e.g by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. NOTE REGARDING LACK OF EMBARGO ============================== The issue was discussed publicly (and has been fixed already in KVM in public trees). CREDITS ======= This issue was discovered by ARM engineering personnel. RESOLUTION ========== Applying the appropriate set of attached patched resolves this issue. xsa201-[1234].patch Xen-unstable xsa201-[12].patch } xsa201-3-4.7.patch } Xen 4.7.x, Xen 4.6.x xsa201-4.patch } $ sha256sum xsa201* ffdefdaa67748df7fccbc82011202724c622ca432cd121853ecab45ff4657406 xsa201-1.patch 0665eb575b056f98d5330ef23f497b2b3de1a15319e2012005890a17df32a7ed xsa201-2.patch 4486d5efb59c1f1fff04a3cb697f948d5bf680e2a1c0d76cd44382ad8fa9095e xsa201-3.patch ca82c82acd51bf3cb8114d1843519c28e3df26243bd45eb712ff10ba11061b93 xsa201-3-4.7.patch 1de6ddb4b5b46ae390ec4587e588c00a706f4a68365d379db7ad54234f770d48 xsa201-4.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYPZSoAAoJEIP+FMlX6CvZ2zoH/ivzE70xsLHYJUxveoBiFuiU KHFzF0X63G681FjLyU4SY2GkH5K9YutJ1uaakp+peD96fQqCXBHxWUMPAfblnd7t YueMYuFqcz3mE2ypJjBh/fdI8a4UrKHHg3z6Hw6X91p+SRmPsnt9v7OzytoYOiE4 fDeaATwl1LxB+Z/yJETlo/JMgwrtuYZ9EZM9gIzxdOVw+QbQyEYHmuIyni8BNRvZ +biRRQo37K5+jLY3f/RoXKcpqnHqjKOOmfjkxJJAsxqpdTSw5fRJqSZE4G5oUVs2 AAvSKhLObFahMlPqtoNXSC6lG5Gbd3e/h+6N2N/96TXs6Wr+d0VuC+lkYUjwcJk= =KEYF -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa201-1.patch" Content-Disposition: attachment; filename="xsa201-1.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTY0OiBoYW5kbGUgZ3Vlc3QtZ2VuZXJhdGVkIEVMMSBhc3luY2hyb25vdXMg YWJvcnQKCkluIGN1cnJlbnQgY29kZSwgd2hlbiB0aGUgaHlwZXJ2aXNvciBy ZWNlaXZlcyBhbiBhc3luY2hyb25vdXMgYWJvcnQKZnJvbSBhIGd1ZXN0LCB0 aGUgaHlwZXJ2aXNvciB3aWxsIGRvIHBhbmljLCB0aGUgaG9zdCB3aWxsIGJl IGRvd24uCldlIGhhdmUgdG8gcHJldmVudCBzdWNoIHNlY3VyaXR5IGlzc3Vl LCBzbywgaW4gdGhpcyBwYXRjaCB3ZSBjcmFzaAp0aGUgZ3Vlc3QsIHdoZW4g dGhlIGh5cGVydmlzb3IgcmVjZWl2ZXMgYW4gYXN5bmNocm9ub3VzIGFib3J0 IGZyb20KdGhlIGd1ZXN0LgoKVGhpcyBpcyBwYXJ0IG9mIFhTQS0yMDEuCgpT aWduZWQtb2ZmLWJ5OiBXZWkgQ2hlbiA8V2VpLkNoZW5AYXJtLmNvbT4KUmV2 aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlAa2Vy bmVsLm9yZz4KUmV2aWV3ZWQtYnk6IFN0ZXZlIENhcHBlciA8c3RldmUuY2Fw cGVyQGFybS5jb20+ClJldmlld2VkLWJ5OiBKdWxpZW4gR3JhbGwgPEp1bGll bi5HcmFsbEBhcm0uY29tPgoKLS0tIGEveGVuL2FyY2gvYXJtL2FybTY0L2Vu dHJ5LlMKKysrIGIveGVuL2FyY2gvYXJtL2FybTY0L2VudHJ5LlMKQEAgLTIw NCw5ICsyMDQsMTIgQEAgZ3Vlc3RfZmlxX2ludmFsaWQ6CiAgICAgICAgIGVu dHJ5ICAgaHlwPTAsIGNvbXBhdD0wCiAgICAgICAgIGludmFsaWQgQkFEX0ZJ UQoKLWd1ZXN0X2Vycm9yX2ludmFsaWQ6CitndWVzdF9lcnJvcjoKICAgICAg ICAgZW50cnkgICBoeXA9MCwgY29tcGF0PTAKLSAgICAgICAgaW52YWxpZCBC QURfRVJST1IKKyAgICAgICAgbXNyICAgICBkYWlmY2xyLCAjMgorICAgICAg ICBtb3YgICAgIHgwLCBzcAorICAgICAgICBibCAgICAgIGRvX3RyYXBfZ3Vl c3RfZXJyb3IKKyAgICAgICAgZXhpdCAgICBoeXA9MCwgY29tcGF0PTAKCiBn dWVzdF9zeW5jX2NvbXBhdDoKICAgICAgICAgZW50cnkgICBoeXA9MCwgY29t cGF0PTEKQEAgLTIyNSw5ICsyMjgsMTIgQEAgZ3Vlc3RfZmlxX2ludmFsaWRf Y29tcGF0OgogICAgICAgICBlbnRyeSAgIGh5cD0wLCBjb21wYXQ9MQogICAg ICAgICBpbnZhbGlkIEJBRF9GSVEKCi1ndWVzdF9lcnJvcl9pbnZhbGlkX2Nv bXBhdDoKK2d1ZXN0X2Vycm9yX2NvbXBhdDoKICAgICAgICAgZW50cnkgICBo eXA9MCwgY29tcGF0PTEKLSAgICAgICAgaW52YWxpZCBCQURfRVJST1IKKyAg ICAgICAgbXNyICAgICBkYWlmY2xyLCAjMgorICAgICAgICBtb3YgICAgIHgw LCBzcAorICAgICAgICBibCAgICAgIGRvX3RyYXBfZ3Vlc3RfZXJyb3IKKyAg ICAgICAgZXhpdCAgICBoeXA9MCwgY29tcGF0PTEKCiBFTlRSWShyZXR1cm5f dG9fbmV3X3ZjcHUzMikKICAgICAgICAgZXhpdCAgICBoeXA9MCwgY29tcGF0 PTEKQEAgLTI4NiwxMiArMjkyLDEyIEBAIEVOVFJZKGh5cF90cmFwc192ZWN0 b3IpCiAgICAgICAgIHZlbnRyeSAgZ3Vlc3Rfc3luYyAgICAgICAgICAgICAg ICAgICAgICAvLyBTeW5jaHJvbm91cyA2NC1iaXQgRUwwL0VMMQogICAgICAg ICB2ZW50cnkgIGd1ZXN0X2lycSAgICAgICAgICAgICAgICAgICAgICAgLy8g SVJRIDY0LWJpdCBFTDAvRUwxCiAgICAgICAgIHZlbnRyeSAgZ3Vlc3RfZmlx X2ludmFsaWQgICAgICAgICAgICAgICAvLyBGSVEgNjQtYml0IEVMMC9FTDEK LSAgICAgICAgdmVudHJ5ICBndWVzdF9lcnJvcl9pbnZhbGlkICAgICAgICAg ICAgIC8vIEVycm9yIDY0LWJpdCBFTDAvRUwxCisgICAgICAgIHZlbnRyeSAg Z3Vlc3RfZXJyb3IgICAgICAgICAgICAgICAgICAgICAvLyBFcnJvciA2NC1i aXQgRUwwL0VMMQoKICAgICAgICAgdmVudHJ5ICBndWVzdF9zeW5jX2NvbXBh dCAgICAgICAgICAgICAgIC8vIFN5bmNocm9ub3VzIDMyLWJpdCBFTDAvRUwx CiAgICAgICAgIHZlbnRyeSAgZ3Vlc3RfaXJxX2NvbXBhdCAgICAgICAgICAg ICAgICAvLyBJUlEgMzItYml0IEVMMC9FTDEKICAgICAgICAgdmVudHJ5ICBn dWVzdF9maXFfaW52YWxpZF9jb21wYXQgICAgICAgIC8vIEZJUSAzMi1iaXQg RUwwL0VMMQotICAgICAgICB2ZW50cnkgIGd1ZXN0X2Vycm9yX2ludmFsaWRf Y29tcGF0ICAgICAgLy8gRXJyb3IgMzItYml0IEVMMC9FTDEKKyAgICAgICAg dmVudHJ5ICBndWVzdF9lcnJvcl9jb21wYXQgICAgICAgICAgICAgIC8vIEVy cm9yIDMyLWJpdCBFTDAvRUwxCgogLyoKICAqIHN0cnVjdCB2Y3B1ICpfX2Nv bnRleHRfc3dpdGNoKHN0cnVjdCB2Y3B1ICpwcmV2LCBzdHJ1Y3QgdmNwdSAq bmV4dCkKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTI3MjMsNiArMjcyMywyMSBAQCBhc21saW5r YWdlIHZvaWQgZG9fdHJhcF9oeXBlcnZpc29yKHN0cnVjdCBjcHVfdXNlcl9y ZWdzICpyZWdzKQogICAgIH0KIH0KCithc21saW5rYWdlIHZvaWQgZG9fdHJh cF9ndWVzdF9lcnJvcihzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKK3sK KyAgICBlbnRlcl9oeXBlcnZpc29yX2hlYWQocmVncyk7CisKKyAgICAvKgor ICAgICAqIEN1cnJlbnRseSwgdG8gZW5zdXJlIGh5cGVydmlzb3Igc2FmZXR5 LCB3aGVuIHdlIHJlY2VpdmVkIGEKKyAgICAgKiBndWVzdC1nZW5lcmF0ZWQg dlNlcnJvci92QWJvcnQsIHdlIGp1c3QgY3Jhc2ggdGhlIGd1ZXN0IHRvIHBy b3RlY3QKKyAgICAgKiB0aGUgaHlwZXJ2aXNvci4gSW4gZnV0dXJlIHdlIGNh biBiZXR0ZXIgaGFuZGxlIHRoaXMgYnkgaW5qZWN0aW5nCisgICAgICogYSB2 U2Vycm9yL3ZBYm9ydCB0byB0aGUgZ3Vlc3QuCisgICAgICovCisgICAgZ2Rw cmludGsoWEVOTE9HX1dBUk5JTkcsICJHdWVzdChEb20tJXUpIHdpbGwgYmUg Y3Jhc2hlZCBieSB2U0Vycm9yXG4iLAorICAgICAgICAgICAgIGN1cnJlbnQt PmRvbWFpbi0+ZG9tYWluX2lkKTsKKyAgICBkb21haW5fY3Jhc2hfc3luY2hy b25vdXMoKTsKK30KKwogYXNtbGlua2FnZSB2b2lkIGRvX3RyYXBfaXJxKHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGVudGVyX2h5cGVy dmlzb3JfaGVhZChyZWdzKTsK --=separator Content-Type: application/octet-stream; name="xsa201-2.patch" Content-Disposition: attachment; filename="xsa201-2.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTY0OiBoYW5kbGUgYXN5bmMgYWJvcnRzIGRlbGl2ZXJlZCB3aGlsZSBhdCBF TDIKCklmIEVMMSBnZW5lcmF0ZXMgYW4gYXN5bmNocm9ub3VzIGFib3J0IGFu ZCB0aGVuIHRyYXBzIGludG8gRUwyCihieSBIVkMgb3IgSVJRKSBiZWZvcmUg dGhlIGFib3J0IGhhcyBiZWVuIGRlbGl2ZXJlZCwgdGhlIGh5cGVydmlzb3IK Y291bGQgbm90IGNhdGNoIGl0LCBiZWNhdXNlIHRoZSBQU1RBVEUuQSBiaXQg aXMgbWFza2VkIGFsbCB0aGUgdGltZQppbiBoeXBlcnZpc29yLiBTbyB0aGlz IGFzeW5jaHJvbm91cyBhYm9ydCBtYXkgYmUgc2xpcHBlZCB0byBuZXh0CnJ1 bm5pbmcgZ3Vlc3Qgd2l0aCBQU1RBVEUuQSBiaXQgdW5tYXNrZWQuCgpJbiBv cmRlciB0byBhdm9pZCB0aGlzLCBpdCBpcyBuZWNlc3NhcnkgdG8gdGFrZSB0 aGUgYWJvcnQgYXQgRUwyLCBieQpjbGVhcmluZyB0aGUgUFNUQVRFLkEgYml0 LiBJbiB0aGlzIHBhdGNoLCB3ZSB1bm1hc2sgdGhlIFBTVEFURS5BIGJpdAp0 byBvcGVuIGEgd2luZG93IHRvIGNhdGNoIGd1ZXN0LWdlbmVyYXRlZCBhc3lu Y2hyb25vdXMgYWJvcnQgaW4gYWxsCkVMMSAtPiBFTDIgc3dpY2ggcGF0aHMu IElmIHdlIGNhdGNoZWQgc3VjaCBhc3luY2hyb25vdXMgYWJvcnQgaW4KY2hl Y2tpbmcgd2luZG93LCB0aGUgaHlwX2Vycm9yIGV4Y2VwdGlvbiB3aWxsIGJl IHRyaWdnZXJlZCBhbmQgdGhlCmFib3J0IHNvdXJjZSBndWVzdCB3aWxsIGJl IGNyYXNoZWQuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4KClNpZ25lZC1v ZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpSZXZpZXdlZC1i eTogSnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAYXJtLmNvbT4KCi0tLSBh L3hlbi9hcmNoL2FybS9hcm02NC9lbnRyeS5TCisrKyBiL3hlbi9hcmNoL2Fy bS9hcm02NC9lbnRyeS5TCkBAIC0xNzMsNiArMTczLDQzIEBAIGh5cF9lcnJv cl9pbnZhbGlkOgogICAgICAgICBlbnRyeSAgIGh5cD0xCiAgICAgICAgIGlu dmFsaWQgQkFEX0VSUk9SCgoraHlwX2Vycm9yOgorICAgICAgICAvKgorICAg ICAgICAgKiBPbmx5IHR3byBwb3NzaWJpbGl0aWVzOgorICAgICAgICAgKiAx KSBFaXRoZXIgd2UgY29tZSBmcm9tIHRoZSBleGl0IHBhdGgsIGhhdmluZyBq dXN0IHVubWFza2VkCisgICAgICAgICAqICAgIFBTVEFURS5BOiBjaGFuZ2Ug dGhlIHJldHVybiBjb2RlIHRvIGFuIEVMMiBmYXVsdCwgYW5kCisgICAgICAg ICAqICAgIGNhcnJ5IG9uLCBhcyB3ZSdyZSBhbHJlYWR5IGluIGEgc2FuZSBz dGF0ZSB0byBoYW5kbGUgaXQuCisgICAgICAgICAqIDIpIE9yIHdlIGNvbWUg ZnJvbSBhbnl3aGVyZSBlbHNlLCBhbmQgdGhhdCdzIGEgYnVnOiB3ZSBwYW5p Yy4KKyAgICAgICAgICovCisgICAgICAgIGVudHJ5ICAgaHlwPTEKKyAgICAg ICAgbXNyICAgICBkYWlmY2xyLCAjMgorCisgICAgICAgIC8qCisgICAgICAg ICAqIFRoZSBFTFJfRUwyIG1heSBiZSBtb2RpZmllZCBieSBhbiBpbnRlcnJ1 cHQsIHNvIHdlIGhhdmUgdG8gdXNlIHRoZQorICAgICAgICAgKiBzYXZlZCB2 YWx1ZSBpbiBjcHVfdXNlcl9yZWdzIHRvIGNoZWNrIHdoZXRoZXIgd2UgY29t ZSBmcm9tIDEpIG9yCisgICAgICAgICAqIG5vdC4KKyAgICAgICAgICovCisg ICAgICAgIGxkciAgICAgeDAsIFtzcCwgI1VSRUdTX1BDXQorICAgICAgICBh ZHIgICAgIHgxLCBhYm9ydF9ndWVzdF9leGl0X3N0YXJ0CisgICAgICAgIGNt cCAgICAgeDAsIHgxCisgICAgICAgIGFkciAgICAgeDEsIGFib3J0X2d1ZXN0 X2V4aXRfZW5kCisgICAgICAgIGNjbXAgICAgeDAsIHgxLCAjNCwgbmUKKyAg ICAgICAgbW92ICAgICB4MCwgc3AKKyAgICAgICAgbW92ICAgICB4MSwgI0JB RF9FUlJPUgorCisgICAgICAgIC8qCisgICAgICAgICAqIE5vdCBlcXVhbCwg dGhlIGV4Y2VwdGlvbiBjb21lIGZyb20gMikuIEl0J3MgYSBidWcsIHdlIGhh dmUgdG8KKyAgICAgICAgICogcGFuaWMgdGhlIGh5cGVydmlzb3IuCisgICAg ICAgICAqLworICAgICAgICBiLm5lICAgIGRvX2JhZF9tb2RlCisKKyAgICAg ICAgLyoKKyAgICAgICAgICogT3RoZXJ3aXNlLCB0aGUgZXhjZXB0aW9uIGNv bWUgZnJvbSAxKS4gSXQgaGFwcGVuZWQgYmVjYXVzZSBvZgorICAgICAgICAg KiB0aGUgZ3Vlc3QuIENyYXNoIHRoaXMgZ3Vlc3QuCisgICAgICAgICAqLwor ICAgICAgICBibCAgICAgIGRvX3RyYXBfZ3Vlc3RfZXJyb3IKKyAgICAgICAg ZXhpdCAgICBoeXA9MQorCiAvKiBUcmFwcyB0YWtlbiBpbiBDdXJyZW50IEVM IHdpdGggU1BfRUx4ICovCiBoeXBfc3luYzoKICAgICAgICAgZW50cnkgICBo eXA9MQpAQCAtMTg5LDE1ICsyMjYsMjkgQEAgaHlwX2lycToKCiBndWVzdF9z eW5jOgogICAgICAgICBlbnRyeSAgIGh5cD0wLCBjb21wYXQ9MAorICAgICAg ICBibCAgICAgIGNoZWNrX3BlbmRpbmdfdnNlcnJvcgorICAgICAgICAvKgor ICAgICAgICAgKiBJZiB4MCBpcyBOb24temVybywgYSB2U0Vycm9yIHRvb2sg cGxhY2UsIHRoZSBpbml0aWFsIGV4Y2VwdGlvbgorICAgICAgICAgKiBkb2Vz bid0IGhhdmUgYW55IHNpZ25pZmljYW5jZSB0byBiZSBoYW5kbGVkLiBFeGl0 IEFTQVAKKyAgICAgICAgICovCisgICAgICAgIGNibnogICAgeDAsIDFmCiAg ICAgICAgIG1zciAgICAgZGFpZmNsciwgIzIKICAgICAgICAgbW92ICAgICB4 MCwgc3AKICAgICAgICAgYmwgICAgICBkb190cmFwX2h5cGVydmlzb3IKKzE6 CiAgICAgICAgIGV4aXQgICAgaHlwPTAsIGNvbXBhdD0wCgogZ3Vlc3RfaXJx OgogICAgICAgICBlbnRyeSAgIGh5cD0wLCBjb21wYXQ9MAorICAgICAgICBi bCAgICAgIGNoZWNrX3BlbmRpbmdfdnNlcnJvcgorICAgICAgICAvKgorICAg ICAgICAgKiBJZiB4MCBpcyBOb24temVybywgYSB2U0Vycm9yIHRvb2sgcGxh Y2UsIHRoZSBpbml0aWFsIGV4Y2VwdGlvbgorICAgICAgICAgKiBkb2Vzbid0 IGhhdmUgYW55IHNpZ25pZmljYW5jZSB0byBiZSBoYW5kbGVkLiBFeGl0IEFT QVAKKyAgICAgICAgICovCisgICAgICAgIGNibnogICAgeDAsIDFmCiAgICAg ICAgIG1vdiAgICAgeDAsIHNwCiAgICAgICAgIGJsICAgICAgZG9fdHJhcF9p cnEKKzE6CiAgICAgICAgIGV4aXQgICAgaHlwPTAsIGNvbXBhdD0wCgogZ3Vl c3RfZmlxX2ludmFsaWQ6CkBAIC0yMTMsMTUgKzI2NCwyOSBAQCBndWVzdF9l cnJvcjoKCiBndWVzdF9zeW5jX2NvbXBhdDoKICAgICAgICAgZW50cnkgICBo eXA9MCwgY29tcGF0PTEKKyAgICAgICAgYmwgICAgICBjaGVja19wZW5kaW5n X3ZzZXJyb3IKKyAgICAgICAgLyoKKyAgICAgICAgICogSWYgeDAgaXMgTm9u LXplcm8sIGEgdlNFcnJvciB0b29rIHBsYWNlLCB0aGUgaW5pdGlhbCBleGNl cHRpb24KKyAgICAgICAgICogZG9lc24ndCBoYXZlIGFueSBzaWduaWZpY2Fu Y2UgdG8gYmUgaGFuZGxlZC4gRXhpdCBBU0FQCisgICAgICAgICAqLworICAg ICAgICBjYm56ICAgIHgwLCAxZgogICAgICAgICBtc3IgICAgIGRhaWZjbHIs ICMyCiAgICAgICAgIG1vdiAgICAgeDAsIHNwCiAgICAgICAgIGJsICAgICAg ZG9fdHJhcF9oeXBlcnZpc29yCisxOgogICAgICAgICBleGl0ICAgIGh5cD0w LCBjb21wYXQ9MQoKIGd1ZXN0X2lycV9jb21wYXQ6CiAgICAgICAgIGVudHJ5 ICAgaHlwPTAsIGNvbXBhdD0xCisgICAgICAgIGJsICAgICAgY2hlY2tfcGVu ZGluZ192c2Vycm9yCisgICAgICAgIC8qCisgICAgICAgICAqIElmIHgwIGlz IE5vbi16ZXJvLCBhIHZTRXJyb3IgdG9vayBwbGFjZSwgdGhlIGluaXRpYWwg ZXhjZXB0aW9uCisgICAgICAgICAqIGRvZXNuJ3QgaGF2ZSBhbnkgc2lnbmlm aWNhbmNlIHRvIGJlIGhhbmRsZWQuIEV4aXQgQVNBUAorICAgICAgICAgKi8K KyAgICAgICAgY2JueiAgICB4MCwgMWYKICAgICAgICAgbW92ICAgICB4MCwg c3AKICAgICAgICAgYmwgICAgICBkb190cmFwX2lycQorMToKICAgICAgICAg ZXhpdCAgICBoeXA9MCwgY29tcGF0PTEKCiBndWVzdF9maXFfaW52YWxpZF9j b21wYXQ6CkBAIC0yNzAsNiArMzM1LDYyIEBAIHJldHVybl9mcm9tX3RyYXA6 CiAgICAgICAgIGVyZXQKCiAvKgorICogVGhpcyBmdW5jdGlvbiBpcyB1c2Vk IHRvIGNoZWNrIHBlbmRpbmcgdmlydHVhbCBTRXJyb3IgaW4gdGhlIGdhcCBv ZgorICogRUwxIC0+IEVMMiB3b3JsZCBzd2l0Y2guCisgKiBUaGUgeDAgcmVn aXN0ZXIgd2lsbCBiZSB1c2VkIHRvIGluZGljYXRlIHRoZSByZXN1bHRzIG9m IGRldGVjdGlvbi4KKyAqIHgwIC0tIE5vbi16ZXJvIGluZGljYXRlcyBhIHBl bmRpbmcgdmlydHVhbCBTRXJyb3IgdG9vayBwbGFjZS4KKyAqIHgwIC0tIFpl cm8gaW5kaWNhdGVzIG5vIHBlbmRpbmcgdmlydHVhbCBTRXJyb3IgdG9vayBw bGFjZS4KKyAqLworY2hlY2tfcGVuZGluZ192c2Vycm9yOgorICAgICAgICAv KgorICAgICAgICAgKiBTYXZlIGVscl9lbDIgdG8gY2hlY2sgd2hldGhlciB0 aGUgcGVuZGluZyBTRXJyb3IgZXhjZXB0aW9uIHRha2VzCisgICAgICAgICAq IHBsYWNlIHdoaWxlIHdlIGFyZSBkb2luZyB0aGlzIHN5bmMgZXhjZXB0aW9u LgorICAgICAgICAgKi8KKyAgICAgICAgbXJzICAgICB4MCwgZWxyX2VsMgor CisgICAgICAgIC8qIFN5bmNocm9uaXplIGFnYWluc3QgaW4tZmxpZ2h0IGxk L3N0ICovCisgICAgICAgIGRzYiAgICAgc3kKKworICAgICAgICAvKgorICAg ICAgICAgKiBVbm1hc2sgUFNUQVRFIGFzeW5jaHJvbm91cyBhYm9ydCBiaXQu IElmIHRoZXJlIGlzIGEgcGVuZGluZworICAgICAgICAgKiBTRXJyb3IsIHRo ZSBFTDIgZXJyb3IgZXhjZXB0aW9uIHdpbGwgaGFwcGVuIGFmdGVyIFBTVEFU RS5BCisgICAgICAgICAqIGlzIGNsZWFyZWQuCisgICAgICAgICAqLworICAg ICAgICBtc3IgICAgIGRhaWZjbHIsICM0CisKKyAgICAgICAgLyoKKyAgICAg ICAgICogVGhpcyBpcyBvdXIgc2luZ2xlIGluc3RydWN0aW9uIGV4Y2VwdGlv biB3aW5kb3cuIEEgcGVuZGluZworICAgICAgICAgKiBTRXJyb3IgaXMgZ3Vh cmFudGVlZCB0byBvY2N1ciBhdCB0aGUgZWFybGllc3Qgd2hlbiB3ZSB1bm1h c2sKKyAgICAgICAgICogaXQsIGFuZCBhdCB0aGUgbGF0ZXN0IGp1c3QgYWZ0 ZXIgdGhlIElTQi4KKyAgICAgICAgICoKKyAgICAgICAgICogSWYgYSBwZW5k aW5nIFNFcnJvciBvY2N1cnMsIHRoZSBwcm9ncmFtIHdpbGwganVtcCB0byBF TDIgZXJyb3IKKyAgICAgICAgICogZXhjZXB0aW9uIGhhbmRsZXIsIGFuZCB0 aGUgZWxyX2VsMiB3aWxsIGJlIHNldCB0bworICAgICAgICAgKiBhYm9ydF9n dWVzdF9leGl0X3N0YXJ0IG9yIGFib3J0X2d1ZXN0X2V4aXRfZW5kLgorICAg ICAgICAgKi8KK2Fib3J0X2d1ZXN0X2V4aXRfc3RhcnQ6CisKKyAgICAgICAg aXNiCisKK2Fib3J0X2d1ZXN0X2V4aXRfZW5kOgorICAgICAgICAvKiBNYXNr IFBTVEFURSBhc3luY2hyb25vdXMgYWJvcnQgYml0LCBjbG9zZSB0aGUgY2hl Y2tpbmcgd2luZG93LiAqLworICAgICAgICBtc3IgICAgIGRhaWZzZXQsICM0 CisKKyAgICAgICAgLyoKKyAgICAgICAgICogQ29tcGFyZSBlbHJfZWwyIGFu ZCB0aGUgc2F2ZWQgdmFsdWUgdG8gY2hlY2sgd2hldGhlciB3ZSBhcmUKKyAg ICAgICAgICogcmV0dXJuaW5nIGZyb20gYSB2YWxpZCBleGNlcHRpb24gY2F1 c2VkIGJ5IHBlbmRpbmcgU0Vycm9yLgorICAgICAgICAgKi8KKyAgICAgICAg bXJzICAgICB4MSwgZWxyX2VsMgorICAgICAgICBjbXAgICAgIHgwLCB4MQor CisgICAgICAgIC8qCisgICAgICAgICAqIE5vdCBlcXVhbCwgdGhlIHBlbmRp bmcgU0Vycm9yIGV4Y2VwdGlvbiB0b29rIHBsYWNlLCBzZXQKKyAgICAgICAg ICogeDAgdG8gbm9uLXplcm8uCisgICAgICAgICAqLworICAgICAgICBjc2V0 ICAgIHgwLCBuZQorCisgICAgICAgIHJldAorCisvKgogICogRXhjZXB0aW9u IHZlY3RvcnMuCiAgKi8KICAgICAgICAgLm1hY3JvICB2ZW50cnkgIGxhYmVs CkBAIC0yODcsNyArNDA4LDcgQEAgRU5UUlkoaHlwX3RyYXBzX3ZlY3RvcikK ICAgICAgICAgdmVudHJ5ICBoeXBfc3luYyAgICAgICAgICAgICAgICAgICAg ICAgIC8vIFN5bmNocm9ub3VzIEVMMmgKICAgICAgICAgdmVudHJ5ICBoeXBf aXJxICAgICAgICAgICAgICAgICAgICAgICAgIC8vIElSUSBFTDJoCiAgICAg ICAgIHZlbnRyeSAgaHlwX2ZpcV9pbnZhbGlkICAgICAgICAgICAgICAgICAv LyBGSVEgRUwyaAotICAgICAgICB2ZW50cnkgIGh5cF9lcnJvcl9pbnZhbGlk ICAgICAgICAgICAgICAgLy8gRXJyb3IgRUwyaAorICAgICAgICB2ZW50cnkg IGh5cF9lcnJvciAgICAgICAgICAgICAgICAgICAgICAgLy8gRXJyb3IgRUwy aAoKICAgICAgICAgdmVudHJ5ICBndWVzdF9zeW5jICAgICAgICAgICAgICAg ICAgICAgIC8vIFN5bmNocm9ub3VzIDY0LWJpdCBFTDAvRUwxCiAgICAgICAg IHZlbnRyeSAgZ3Vlc3RfaXJxICAgICAgICAgICAgICAgICAgICAgICAvLyBJ UlEgNjQtYml0IEVMMC9FTDEK --=separator Content-Type: application/octet-stream; name="xsa201-3.patch" Content-Disposition: attachment; filename="xsa201-3.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTogY3Jhc2ggdGhlIGd1ZXN0IHdoZW4gaXQgdHJhcHMgb24gZXh0ZXJuYWwg YWJvcnQKCklmIHdlIHNwb3QgYSBkYXRhIG9yIHByZWZldGNoIGFib3J0IGJl YXJpbmcgdGhlIEVTUl9FTDIuRUEgYml0IHNldCwgd2UKa25vdyB0aGF0IHRo aXMgaXMgYW4gZXh0ZXJuYWwgYWJvcnQsIGFuZCB0aGF0IHNob3VsZCBjcmFz aCB0aGUgZ3Vlc3QuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4KClNpZ25l ZC1vZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpSZXZpZXdl ZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzc3RhYmVsbGluaUBrZXJuZWwu b3JnPgpSZXZpZXdlZC1ieTogU3RldmUgQ2FwcGVyIDxzdGV2ZS5jYXBwZXJA YXJtLmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBHcmFsbCA8SnVsaWVuLkdy YWxsQGFybS5jb20+CgotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtMjQwOSw2ICsyNDA5LDE1IEBA IHN0YXRpYyB2b2lkIGRvX3RyYXBfaW5zdHJfYWJvcnRfZ3Vlc3Qoc3RydWN0 IGNwdV91c2VyX3JlZ3MgKnJlZ3MsCiAgICAgcGFkZHJfdCBncGE7CiAgICAg bWZuX3QgbWZuOwoKKyAgICAvKgorICAgICAqIElmIHRoaXMgYml0IGhhcyBi ZWVuIHNldCwgaXQgbWVhbnMgdGhhdCB0aGlzIGluc3RydWN0aW9uIGFib3J0 IGlzIGNhdXNlZAorICAgICAqIGJ5IGEgZ3Vlc3QgZXh0ZXJuYWwgYWJvcnQu IEN1cnJlbnRseSB3ZSBjcmFzaCB0aGUgZ3Vlc3QgdG8gcHJvdGVjdCB0aGUK KyAgICAgKiBoeXBlcnZpc29yLiBJbiBmdXR1cmUgb25lIGNhbiBiZXR0ZXIg aGFuZGxlIHRoaXMgYnkgaW5qZWN0aW5nIGEgdmlydHVhbAorICAgICAqIGFi b3J0IHRvIHRoZSBndWVzdC4KKyAgICAgKi8KKyAgICBpZiAoIGhzci5pYWJ0 LmVhdCApCisgICAgICAgIGRvbWFpbl9jcmFzaF9zeW5jaHJvbm91cygpOwor CiAgICAgaWYgKCBocGZhcl9pc192YWxpZChoc3IuaWFidC5zMXB0dywgZnNj KSApCiAgICAgICAgIGdwYSA9IGdldF9mYXVsdGluZ19pcGEoZ3ZhKTsKICAg ICBlbHNlCkBAIC0yNTAzLDYgKzI1MTIsMTUgQEAgc3RhdGljIHZvaWQgZG9f dHJhcF9kYXRhX2Fib3J0X2d1ZXN0KHN0cnVjdCBjcHVfdXNlcl9yZWdzICpy ZWdzLAogICAgIHVpbnQ4X3QgZnNjID0gaHNyLmRhYnQuZGZzYyAmIH5GU0Nf TExfTUFTSzsKICAgICBtZm5fdCBtZm47CgorICAgIC8qCisgICAgICogSWYg dGhpcyBiaXQgaGFzIGJlZW4gc2V0LCBpdCBtZWFucyB0aGF0IHRoaXMgZGF0 YSBhYm9ydCBpcyBjYXVzZWQKKyAgICAgKiBieSBhIGd1ZXN0IGV4dGVybmFs IGFib3J0LiBDdXJyZW50bHkgd2UgY3Jhc2ggdGhlIGd1ZXN0IHRvIHByb3Rl Y3QgdGhlCisgICAgICogaHlwZXJ2aXNvci4gSW4gZnV0dXJlIG9uZSBjYW4g YmV0dGVyIGhhbmRsZSB0aGlzIGJ5IGluamVjdGluZyBhIHZpcnR1YWwKKyAg ICAgKiBhYm9ydCB0byB0aGUgZ3Vlc3QuCisgICAgICovCisgICAgaWYgKCBk YWJ0LmVhdCApCisgICAgICAgIGRvbWFpbl9jcmFzaF9zeW5jaHJvbm91cygp OworCiAgICAgaW5mby5kYWJ0ID0gZGFidDsKICNpZmRlZiBDT05GSUdfQVJN XzMyCiAgICAgaW5mby5ndmEgPSBSRUFEX0NQMzIoSERGQVIpOwo= --=separator Content-Type: application/octet-stream; name="xsa201-3-4.7.patch" Content-Disposition: attachment; filename="xsa201-3-4.7.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTogY3Jhc2ggdGhlIGd1ZXN0IHdoZW4gaXQgdHJhcHMgb24gZXh0ZXJuYWwg YWJvcnQKCklmIHdlIHNwb3QgYSBkYXRhIG9yIHByZWZldGNoIGFib3J0IGJl YXJpbmcgdGhlIEVTUl9FTDIuRUEgYml0IHNldCwgd2UKa25vdyB0aGF0IHRo aXMgaXMgYW4gZXh0ZXJuYWwgYWJvcnQsIGFuZCB0aGF0IHNob3VsZCBjcmFz aCB0aGUgZ3Vlc3QuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4KClNpZ25l ZC1vZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpSZXZpZXdl ZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzc3RhYmVsbGluaUBrZXJuZWwu b3JnPgpSZXZpZXdlZC1ieTogU3RldmUgQ2FwcGVyIDxzdGV2ZS5jYXBwZXJA YXJtLmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBHcmFsbCA8SnVsaWVuLkdy YWxsQGFybS5jb20+CgotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtMjM4Myw2ICsyMzgzLDE1IEBA IHN0YXRpYyB2b2lkIGRvX3RyYXBfaW5zdHJfYWJvcnRfZ3Vlc3Qoc3RydWN0 IGNwdV91c2VyX3JlZ3MgKnJlZ3MsCiAgICAgaW50IHJjOwogICAgIHJlZ2lz dGVyX3QgZ3ZhID0gUkVBRF9TWVNSRUcoRkFSX0VMMik7CiAKKyAgICAvKgor ICAgICAqIElmIHRoaXMgYml0IGhhcyBiZWVuIHNldCwgaXQgbWVhbnMgdGhh dCB0aGlzIGluc3RydWN0aW9uIGFib3J0IGlzIGNhdXNlZAorICAgICAqIGJ5 IGEgZ3Vlc3QgZXh0ZXJuYWwgYWJvcnQuIEN1cnJlbnRseSB3ZSBjcmFzaCB0 aGUgZ3Vlc3QgdG8gcHJvdGVjdCB0aGUKKyAgICAgKiBoeXBlcnZpc29yLiBJ biBmdXR1cmUgb25lIGNhbiBiZXR0ZXIgaGFuZGxlIHRoaXMgYnkgaW5qZWN0 aW5nIGEgdmlydHVhbAorICAgICAqIGFib3J0IHRvIHRoZSBndWVzdC4KKyAg ICAgKi8KKyAgICBpZiAoIGhzci5pYWJ0LmVhdCApCisgICAgICAgIGRvbWFp bl9jcmFzaF9zeW5jaHJvbm91cygpOworCiAgICAgc3dpdGNoICggaHNyLmlh YnQuaWZzYyAmIDB4M2YgKQogICAgIHsKICAgICBjYXNlIEZTQ19GTFRfUEVS TSAuLi4gRlNDX0ZMVF9QRVJNICsgMzoKQEAgLTI0MzcsNiArMjQ0NiwxNSBA QCBzdGF0aWMgdm9pZCBkb190cmFwX2RhdGFfYWJvcnRfZ3Vlc3Qoc3RydWN0 IGNwdV91c2VyX3JlZ3MgKnJlZ3MsCiAgICAgICAgIHJldHVybjsKICAgICB9 CiAKKyAgICAvKgorICAgICAqIElmIHRoaXMgYml0IGhhcyBiZWVuIHNldCwg aXQgbWVhbnMgdGhhdCB0aGlzIGRhdGEgYWJvcnQgaXMgY2F1c2VkCisgICAg ICogYnkgYSBndWVzdCBleHRlcm5hbCBhYm9ydC4gQ3VycmVudGx5IHdlIGNy YXNoIHRoZSBndWVzdCB0byBwcm90ZWN0IHRoZQorICAgICAqIGh5cGVydmlz b3IuIEluIGZ1dHVyZSBvbmUgY2FuIGJldHRlciBoYW5kbGUgdGhpcyBieSBp bmplY3RpbmcgYSB2aXJ0dWFsCisgICAgICogYWJvcnQgdG8gdGhlIGd1ZXN0 LgorICAgICAqLworICAgIGlmICggZGFidC5lYXQgKQorICAgICAgICBkb21h aW5fY3Jhc2hfc3luY2hyb25vdXMoKTsKKwogICAgIGluZm8uZGFidCA9IGRh YnQ7CiAjaWZkZWYgQ09ORklHX0FSTV8zMgogICAgIGluZm8uZ3ZhID0gUkVB RF9DUDMyKEhERkFSKTsK --=separator Content-Type: application/octet-stream; name="xsa201-4.patch" Content-Disposition: attachment; filename="xsa201-4.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTMyOiBoYW5kbGUgYXN5bmMgYWJvcnRzIGRlbGl2ZXJlZCB3aGlsZSBhdCBI WVAKCklmIGd1ZXN0IGdlbmVyYXRlcyBhbiBhc3luY2hyb25vdXMgYWJvcnQg YW5kIHRoZW4gdHJhcHMgaW50byBIWVAKKGJ5IEhWQyBvciBJUlEpIGJlZm9y ZSB0aGUgYWJvcnQgaGFzIGJlZW4gZGVsaXZlcmVkLCB0aGUgaHlwZXJ2aXNv cgpjb3VsZCBub3QgY2F0Y2ggaXQsIGJlY2F1c2UgdGhlIFBTVEFURS5BIGJp dCBpcyBtYXNrZWQgYWxsIHRoZSB0aW1lCmluIGh5cGVydmlzb3IuIFNvIHRo aXMgYXN5bmNocm9ub3VzIGFib3J0IG1heSBiZSBzbGlwcGVkIHRvIG5leHQK cnVubmluZyBndWVzdCB3aXRoIFBTVEFURS5BIGJpdCB1bm1hc2tlZC4KCklu IG9yZGVyIHRvIGF2b2lkIHRoaXMsIGl0IGlzIG5lY2Vzc2FyeSB0byB0YWtl IHRoZSBhYm9ydCBhdCBIWVAsIGJ5CmNsZWFyaW5nIHRoZSBQU1RBVEUuQSBi aXQuIEluIHRoaXMgcGF0Y2gsIHdlIHVubWFzayB0aGUgUFNUQVRFLkEgYml0 CnRvIG9wZW4gYSB3aW5kb3cgdG8gY2F0Y2ggZ3Vlc3QtZ2VuZXJhdGVkIGFz eW5jaHJvbm91cyBhYm9ydCBpbiBhbGwKR3Vlc3QgLT4gSFlQIHN3aXRjaCBw YXRocy4gSWYgd2UgY2F1Z2h0IHN1Y2ggYXN5bmNocm9ub3VzIGFib3J0IGlu CmNoZWNraW5nIHdpbmRvdywgdGhlIEhZUCBkYXRhIGFib3J0IGV4Y2VwdGlv biB3aWxsIGJlIHRyaWdnZXJlZCBhbmQKdGhlIGFib3J0IHNvdXJjZSBndWVz dCB3aWxsIGJlIGNyYXNoZWQuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4K ClNpZ25lZC1vZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpS ZXZpZXdlZC1ieTogSnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAYXJtLmNv bT4KCi0tLSBhL3hlbi9hcmNoL2FybS9hcm0zMi9lbnRyeS5TCisrKyBiL3hl bi9hcmNoL2FybS9hcm0zMi9lbnRyeS5TCkBAIC00Miw2ICs0Miw2MSBAQCBz YXZlX2d1ZXN0X3JlZ3M6CiAgICAgICAgIFNBVkVfQkFOS0VEKGZpcSkKICAg ICAgICAgU0FWRV9PTkVfQkFOS0VEKFI4X2ZpcSk7IFNBVkVfT05FX0JBTktF RChSOV9maXEpOyBTQVZFX09ORV9CQU5LRUQoUjEwX2ZpcSkKICAgICAgICAg U0FWRV9PTkVfQkFOS0VEKFIxMV9maXEpOyBTQVZFX09ORV9CQU5LRUQoUjEy X2ZpcSk7CisgICAgICAgIC8qCisgICAgICAgICAqIFN0YXJ0IHRvIGNoZWNr IHBlbmRpbmcgdmlydHVhbCBhYm9ydCBpbiB0aGUgZ2FwIG9mIEd1ZXN0IC0+ IEhZUAorICAgICAgICAgKiB3b3JsZCBzd2l0Y2guCisgICAgICAgICAqCisg ICAgICAgICAqIFNhdmUgRUxSX2h5cCB0byBjaGVjayB3aGV0aGVyIHRoZSBw ZW5kaW5nIHZpcnR1YWwgYWJvcnQgZXhjZXB0aW9uCisgICAgICAgICAqIHRh a2VzIHBsYWNlIHdoaWxlIHdlIGFyZSBkb2luZyB0aGlzIHRyYXAgZXhjZXB0 aW9uLgorICAgICAgICAgKi8KKyAgICAgICAgbXJzIHIxLCBFTFJfaHlwCisK KyAgICAgICAgLyoKKyAgICAgICAgICogRm9yY2UgbG9hZHMgYW5kIHN0b3Jl cyB0byBjb21wbGV0ZSBiZWZvcmUgdW5tYXNraW5nIGFzeW5jaHJvbm91cwor ICAgICAgICAgKiBhYm9ydHMgYW5kIGZvcmNpbmcgdGhlIGRlbGl2ZXJ5IG9m IHRoZSBleGNlcHRpb24uCisgICAgICAgICAqLworICAgICAgICBkc2Igc3kK KworICAgICAgICAvKgorICAgICAgICAgKiBVbm1hc2sgYXN5bmNocm9ub3Vz IGFib3J0IGJpdC4gSWYgdGhlcmUgaXMgYSBwZW5kaW5nIGFzeW5jaHJvbm91 cworICAgICAgICAgKiBhYm9ydCwgdGhlIGRhdGFfYWJvcnQgZXhjZXB0aW9u IHdpbGwgaGFwcGVuIGFmdGVyIEEgYml0IGlzIGNsZWFyZWQuCisgICAgICAg ICAqLworICAgICAgICBjcHNpZSBhCisKKyAgICAgICAgLyoKKyAgICAgICAg ICogVGhpcyBpcyBvdXIgc2luZ2xlIGluc3RydWN0aW9uIGV4Y2VwdGlvbiB3 aW5kb3cuIEEgcGVuZGluZworICAgICAgICAgKiBhc3luY2hyb25vdXMgYWJv cnQgaXMgZ3VhcmFudGVlZCB0byBvY2N1ciBhdCB0aGUgZWFybGllc3Qgd2hl biB3ZQorICAgICAgICAgKiB1bm1hc2sgaXQsIGFuZCBhdCB0aGUgbGF0ZXN0 IGp1c3QgYWZ0ZXIgdGhlIElTQi4KKyAgICAgICAgICoKKyAgICAgICAgICog SWYgYSBwZW5kaW5nIGFib3J0IG9jY3VycywgdGhlIHByb2dyYW0gd2lsbCBq dW1wIHRvIGRhdGFfYWJvcnQKKyAgICAgICAgICogZXhjZXB0aW9uIGhhbmRs ZXIsIGFuZCB0aGUgRUxSX2h5cCB3aWxsIGJlIHNldCB0bworICAgICAgICAg KiBhYm9ydF9ndWVzdF9leGl0X3N0YXJ0IG9yIGFib3J0X2d1ZXN0X2V4aXRf ZW5kLgorICAgICAgICAgKi8KKyAgICAgICAgLmdsb2JhbCBhYm9ydF9ndWVz dF9leGl0X3N0YXJ0CithYm9ydF9ndWVzdF9leGl0X3N0YXJ0OgorCisgICAg ICAgIGlzYgorCisgICAgICAgIC5nbG9iYWwgYWJvcnRfZ3Vlc3RfZXhpdF9l bmQKK2Fib3J0X2d1ZXN0X2V4aXRfZW5kOgorICAgICAgICAvKiBNYXNrIENQ U1IgYXN5bmNocm9ub3VzIGFib3J0IGJpdCwgY2xvc2UgdGhlIGNoZWNraW5n IHdpbmRvdy4gKi8KKyAgICAgICAgY3BzaWQgYQorCisgICAgICAgIC8qCisg ICAgICAgICAqIENvbXBhcmUgRUxSX2h5cCBhbmQgdGhlIHNhdmVkIHZhbHVl IHRvIGNoZWNrIHdoZXRoZXIgd2UgYXJlCisgICAgICAgICAqIHJldHVybmlu ZyBmcm9tIGEgdmFsaWQgZXhjZXB0aW9uIGNhdXNlZCBieSBwZW5kaW5nIHZp cnR1YWwKKyAgICAgICAgICogYWJvcnQuCisgICAgICAgICAqLworICAgICAg ICBtcnMgcjIsIEVMUl9oeXAKKyAgICAgICAgY21wIHIxLCByMgorCisgICAg ICAgIC8qCisgICAgICAgICAqIE5vdCBlcXVhbCwgdGhlIHBlbmRpbmcgdmly dHVhbCBhYm9ydCBleGNlcHRpb24gdG9vayBwbGFjZSwgdGhlCisgICAgICAg ICAqIGluaXRpYWwgZXhjZXB0aW9uIGRvZXMgbm90IGhhdmUgYW55IHNpZ25p ZmljYW5jZSB0byBiZSBoYW5kbGVkLgorICAgICAgICAgKiBFeGl0IEFTQVAu CisgICAgICAgICAqLworICAgICAgICBibmUgcmV0dXJuX2Zyb21fdHJhcAor CiAgICAgICAgIG1vdiBwYywgbHIKCiAjZGVmaW5lIERFRklORV9UUkFQX0VO VFJZKHRyYXApICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICBcCi0tLSBhL3hlbi9hcmNoL2FybS9hcm0zMi90cmFwcy5jCisrKyBi L3hlbi9hcmNoL2FybS9hcm0zMi90cmFwcy5jCkBAIC02Myw3ICs2MywxMCBA QCBhc21saW5rYWdlIHZvaWQgZG9fdHJhcF9wcmVmZXRjaF9hYm9ydChzdHJ1 Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKCiBhc21saW5rYWdlIHZvaWQgZG9f dHJhcF9kYXRhX2Fib3J0KHN0cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQog ewotICAgIGRvX3VuZXhwZWN0ZWRfdHJhcCgiRGF0YSBBYm9ydCIsIHJlZ3Mp OworICAgIGlmICggVkFCT1JUX0dFTl9CWV9HVUVTVChyZWdzKSApCisgICAg ICAgIGRvX3RyYXBfZ3Vlc3RfZXJyb3IocmVncyk7CisgICAgZWxzZQorICAg ICAgICBkb191bmV4cGVjdGVkX3RyYXAoIkRhdGEgQWJvcnQiLCByZWdzKTsK IH0KCiAvKgotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Byb2Nl c3Nvci5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcHJvY2Vz c29yLmgKQEAgLTU1LDYgKzU1LDE3IEBAIHN0cnVjdCBjcHVfdXNlcl9yZWdz CgogICAgIHVpbnQzMl90IHBhZDE7IC8qIERvdWJsZXdvcmQtYWxpZ24gdGhl IHVzZXIgaGFsZiBvZiB0aGUgZnJhbWUgKi8KIH07CisKKy8qIEZ1bmN0aW9u cyBmb3IgcGVuZGluZyB2aXJ0dWFsIGFib3J0IGNoZWNraW5nIHdpbmRvdy4g Ki8KK3ZvaWQgYWJvcnRfZ3Vlc3RfZXhpdF9zdGFydCh2b2lkKTsKK3ZvaWQg YWJvcnRfZ3Vlc3RfZXhpdF9lbmQodm9pZCk7CisKKyNkZWZpbmUgVkFCT1JU X0dFTl9CWV9HVUVTVChyKSAgXAorKCBcCisgICAgKCAodW5zaWduZWQgbG9u ZylhYm9ydF9ndWVzdF9leGl0X3N0YXJ0ID09IChyKS0+cGMgKSB8fCBcCisg ICAgKCAodW5zaWduZWQgbG9uZylhYm9ydF9ndWVzdF9leGl0X2VuZCA9PSAo ciktPnBjICkgXAorKQorCiAjZW5kaWYKCiAvKiBMYXlvdXQgYXMgdXNlZCBp biBhc3NlbWJseSwgd2l0aCBzcmMvZGVzdCByZWdpc3RlcnMgbWl4ZWQgaW4g Ki8KLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wcm9jZXNzb3IuaAorKysg Yi94ZW4vaW5jbHVkZS9hc20tYXJtL3Byb2Nlc3Nvci5oCkBAIC02OTAsNiAr NjkwLDggQEAgdm9pZCB2Y3B1X3JlZ3NfdXNlcl90b19oeXAoc3RydWN0IHZj cHUgKnZjcHUsCiBpbnQgY2FsbF9zbWMocmVnaXN0ZXJfdCBmdW5jdGlvbl9p ZCwgcmVnaXN0ZXJfdCBhcmcwLCByZWdpc3Rlcl90IGFyZzEsCiAgICAgICAg ICAgICAgcmVnaXN0ZXJfdCBhcmcyKTsKCit2b2lkIGRvX3RyYXBfZ3Vlc3Rf ZXJyb3Ioc3RydWN0IGNwdV91c2VyX3JlZ3MgKnJlZ3MpOworCiAjZW5kaWYg LyogX19BU1NFTUJMWV9fICovCiAjZW5kaWYgLyogX19BU01fQVJNX1BST0NF U1NPUl9IICovCiAvKgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 29 14:49:42 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 29 Nov 2016 14:49:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBjhy-0005UF-E5; Tue, 29 Nov 2016 14:48:34 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBjhx-0005Tt-E6; Tue, 29 Nov 2016 14:48:33 +0000 Received: from [85.158.137.68] by server-6.bemta-3.messagelabs.com id 4A/F6-25811-0459D385; Tue, 29 Nov 2016 14:48:32 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJKsWRWlGSWpSXmKPExsWS0XRdVdd+qm2 EwYqVSha3brYyWyz5uJjFYtXVA6wOzB5Hd/9mCmCMYs3MS8qvSGDNOPtuClvBzKuMFY8O/mdu YDxxjrGLkYtDSOA4o8SeB6vZIJxFjBKb999i7WLk5GAWcJW4sW8zG4StKHHhXgMLiM0rIChxc uYTMFtCQFPizptV7CC2iECRxM5zL8FsNgE9iblnJzFB9OpIvNy/GswWFgiW+LfpFNQcM4lP03 6A2SwCqhITNm5lmsDIMwvJ6llIVs9CsnoWIwdQXFNi/S59CFNaYvk/DohqeYntb+cwQ4RtJc6 t1YcIW0nc/N7MBDNwSvdDdgjbVuLRtyuMMDV/n25nRlUDMeb+N2GYkvbne1kwjXGU6HlxBSpu J7Fh4zJmbFYtOb+WBWbOyffPGZHVLGAUXcWoUZxaVJZapGtsoJdUlJmeUZKbmJmja2hgrJebW lycmJ6ak5hUrJecn7uJEZgA6hkYGHcwdp7wO8QoycGkJMo73c0mQogvKT+lMiOxOCO+qDQntf gQowwHh5IE74/JthFCgkWp6akVaZk5wFQEk5bg4FES4TWcApTmLS5IzC3OTIdInWI05rh14vk DJo5Hv98+YBJiycvPS5US53UGKRUAKc0ozYMbBEuRlxhlpYR5GRkYGIR4ClKLcjNLUOVfMYpz MCoJQ0zhycwrgdv3CugUJqBT3r62BjmlJBEhJdXAmLr6sfHRw9L1by5Vbnz/xVLsn/IRR4Ea5 /Ubs1W8P8WyBc6boOW8jkVshmTogwNeNv9DmfSclmx0dP0Q/e/6nPxWvVaDh/tfrlSSat8kfi B2Kqfe7Gumj1V7vjf8LQ8U2tV2MfsJR83rdQLBUXG2e8+VeWg8z5n4uNjeU+JOVE/o9XkxjHJ blViKMxINtZiLihMBAQKId4wDAAA= X-Env-Sender: iwj@xenbits.xen.org X-Msg-Ref: server-14.tower-31.messagelabs.com!1480430910!73527183!1 X-Originating-IP: [104.130.215.37] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 63073 invoked from network); 29 Nov 2016 14:48:31 -0000 Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37) by server-14.tower-31.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 29 Nov 2016 14:48:31 -0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBjhk-0008WM-GG; Tue, 29 Nov 2016 14:48:20 +0000 Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2) (envelope-from ) id 1cBjhk-0000Fg-Ct; Tue, 29 Nov 2016 14:48:20 +0000 Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team Message-Id: Date: Tue, 29 Nov 2016 14:48:20 +0000 Cc: "Xen.org security team" Subject: [Xen-announce] Xen Security Advisory 201 - ARM guests may induce host asynchronous abort X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-201 ARM guests may induce host asynchronous abort ISSUE DESCRIPTION ================= Depending on how the hardware and firmware have been integrated, guest-triggered asynchronous aborts (SError on ARMv8) may be received by the hypervisor. The current action is to crash the host. A guest might trigger an asynchronous abort when accessing memory mapped hardware in a non-conventional way. Even if device pass-through has not been configured, the hypervisor may give the guest access to memory mapped hardware in order to take advantage of hardware virtualization. IMPACT ====== A malicious guest may be able to crash the host. VULNERABLE SYSTEMS ================== All Xen versions which support ARM are potentially affected. Whether a particular ARM systems is affected depends on technical details of the hardware and/or firmware. x86 systems are not affected. MITIGATION ========== On systems where the guest kernel is controlled by the host rather than guest administrator, running only kernels which do not expose MMIO to userspace will prevent untrusted guest users from exploiting this issue. However untrusted guest administrators can still trigger it unless further steps are taken to prevent them from loading code into the kernel (e.g by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. NOTE REGARDING LACK OF EMBARGO ============================== The issue was discussed publicly (and has been fixed already in KVM in public trees). CREDITS ======= This issue was discovered by ARM engineering personnel. RESOLUTION ========== Applying the appropriate set of attached patched resolves this issue. xsa201-[1234].patch Xen-unstable xsa201-[12].patch } xsa201-3-4.7.patch } Xen 4.7.x, Xen 4.6.x xsa201-4.patch } $ sha256sum xsa201* ffdefdaa67748df7fccbc82011202724c622ca432cd121853ecab45ff4657406 xsa201-1.patch 0665eb575b056f98d5330ef23f497b2b3de1a15319e2012005890a17df32a7ed xsa201-2.patch 4486d5efb59c1f1fff04a3cb697f948d5bf680e2a1c0d76cd44382ad8fa9095e xsa201-3.patch ca82c82acd51bf3cb8114d1843519c28e3df26243bd45eb712ff10ba11061b93 xsa201-3-4.7.patch 1de6ddb4b5b46ae390ec4587e588c00a706f4a68365d379db7ad54234f770d48 xsa201-4.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYPZSoAAoJEIP+FMlX6CvZ2zoH/ivzE70xsLHYJUxveoBiFuiU KHFzF0X63G681FjLyU4SY2GkH5K9YutJ1uaakp+peD96fQqCXBHxWUMPAfblnd7t YueMYuFqcz3mE2ypJjBh/fdI8a4UrKHHg3z6Hw6X91p+SRmPsnt9v7OzytoYOiE4 fDeaATwl1LxB+Z/yJETlo/JMgwrtuYZ9EZM9gIzxdOVw+QbQyEYHmuIyni8BNRvZ +biRRQo37K5+jLY3f/RoXKcpqnHqjKOOmfjkxJJAsxqpdTSw5fRJqSZE4G5oUVs2 AAvSKhLObFahMlPqtoNXSC6lG5Gbd3e/h+6N2N/96TXs6Wr+d0VuC+lkYUjwcJk= =KEYF -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa201-1.patch" Content-Disposition: attachment; filename="xsa201-1.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTY0OiBoYW5kbGUgZ3Vlc3QtZ2VuZXJhdGVkIEVMMSBhc3luY2hyb25vdXMg YWJvcnQKCkluIGN1cnJlbnQgY29kZSwgd2hlbiB0aGUgaHlwZXJ2aXNvciBy ZWNlaXZlcyBhbiBhc3luY2hyb25vdXMgYWJvcnQKZnJvbSBhIGd1ZXN0LCB0 aGUgaHlwZXJ2aXNvciB3aWxsIGRvIHBhbmljLCB0aGUgaG9zdCB3aWxsIGJl IGRvd24uCldlIGhhdmUgdG8gcHJldmVudCBzdWNoIHNlY3VyaXR5IGlzc3Vl LCBzbywgaW4gdGhpcyBwYXRjaCB3ZSBjcmFzaAp0aGUgZ3Vlc3QsIHdoZW4g dGhlIGh5cGVydmlzb3IgcmVjZWl2ZXMgYW4gYXN5bmNocm9ub3VzIGFib3J0 IGZyb20KdGhlIGd1ZXN0LgoKVGhpcyBpcyBwYXJ0IG9mIFhTQS0yMDEuCgpT aWduZWQtb2ZmLWJ5OiBXZWkgQ2hlbiA8V2VpLkNoZW5AYXJtLmNvbT4KUmV2 aWV3ZWQtYnk6IFN0ZWZhbm8gU3RhYmVsbGluaSA8c3N0YWJlbGxpbmlAa2Vy bmVsLm9yZz4KUmV2aWV3ZWQtYnk6IFN0ZXZlIENhcHBlciA8c3RldmUuY2Fw cGVyQGFybS5jb20+ClJldmlld2VkLWJ5OiBKdWxpZW4gR3JhbGwgPEp1bGll bi5HcmFsbEBhcm0uY29tPgoKLS0tIGEveGVuL2FyY2gvYXJtL2FybTY0L2Vu dHJ5LlMKKysrIGIveGVuL2FyY2gvYXJtL2FybTY0L2VudHJ5LlMKQEAgLTIw NCw5ICsyMDQsMTIgQEAgZ3Vlc3RfZmlxX2ludmFsaWQ6CiAgICAgICAgIGVu dHJ5ICAgaHlwPTAsIGNvbXBhdD0wCiAgICAgICAgIGludmFsaWQgQkFEX0ZJ UQoKLWd1ZXN0X2Vycm9yX2ludmFsaWQ6CitndWVzdF9lcnJvcjoKICAgICAg ICAgZW50cnkgICBoeXA9MCwgY29tcGF0PTAKLSAgICAgICAgaW52YWxpZCBC QURfRVJST1IKKyAgICAgICAgbXNyICAgICBkYWlmY2xyLCAjMgorICAgICAg ICBtb3YgICAgIHgwLCBzcAorICAgICAgICBibCAgICAgIGRvX3RyYXBfZ3Vl c3RfZXJyb3IKKyAgICAgICAgZXhpdCAgICBoeXA9MCwgY29tcGF0PTAKCiBn dWVzdF9zeW5jX2NvbXBhdDoKICAgICAgICAgZW50cnkgICBoeXA9MCwgY29t cGF0PTEKQEAgLTIyNSw5ICsyMjgsMTIgQEAgZ3Vlc3RfZmlxX2ludmFsaWRf Y29tcGF0OgogICAgICAgICBlbnRyeSAgIGh5cD0wLCBjb21wYXQ9MQogICAg ICAgICBpbnZhbGlkIEJBRF9GSVEKCi1ndWVzdF9lcnJvcl9pbnZhbGlkX2Nv bXBhdDoKK2d1ZXN0X2Vycm9yX2NvbXBhdDoKICAgICAgICAgZW50cnkgICBo eXA9MCwgY29tcGF0PTEKLSAgICAgICAgaW52YWxpZCBCQURfRVJST1IKKyAg ICAgICAgbXNyICAgICBkYWlmY2xyLCAjMgorICAgICAgICBtb3YgICAgIHgw LCBzcAorICAgICAgICBibCAgICAgIGRvX3RyYXBfZ3Vlc3RfZXJyb3IKKyAg ICAgICAgZXhpdCAgICBoeXA9MCwgY29tcGF0PTEKCiBFTlRSWShyZXR1cm5f dG9fbmV3X3ZjcHUzMikKICAgICAgICAgZXhpdCAgICBoeXA9MCwgY29tcGF0 PTEKQEAgLTI4NiwxMiArMjkyLDEyIEBAIEVOVFJZKGh5cF90cmFwc192ZWN0 b3IpCiAgICAgICAgIHZlbnRyeSAgZ3Vlc3Rfc3luYyAgICAgICAgICAgICAg ICAgICAgICAvLyBTeW5jaHJvbm91cyA2NC1iaXQgRUwwL0VMMQogICAgICAg ICB2ZW50cnkgIGd1ZXN0X2lycSAgICAgICAgICAgICAgICAgICAgICAgLy8g SVJRIDY0LWJpdCBFTDAvRUwxCiAgICAgICAgIHZlbnRyeSAgZ3Vlc3RfZmlx X2ludmFsaWQgICAgICAgICAgICAgICAvLyBGSVEgNjQtYml0IEVMMC9FTDEK LSAgICAgICAgdmVudHJ5ICBndWVzdF9lcnJvcl9pbnZhbGlkICAgICAgICAg ICAgIC8vIEVycm9yIDY0LWJpdCBFTDAvRUwxCisgICAgICAgIHZlbnRyeSAg Z3Vlc3RfZXJyb3IgICAgICAgICAgICAgICAgICAgICAvLyBFcnJvciA2NC1i aXQgRUwwL0VMMQoKICAgICAgICAgdmVudHJ5ICBndWVzdF9zeW5jX2NvbXBh dCAgICAgICAgICAgICAgIC8vIFN5bmNocm9ub3VzIDMyLWJpdCBFTDAvRUwx CiAgICAgICAgIHZlbnRyeSAgZ3Vlc3RfaXJxX2NvbXBhdCAgICAgICAgICAg ICAgICAvLyBJUlEgMzItYml0IEVMMC9FTDEKICAgICAgICAgdmVudHJ5ICBn dWVzdF9maXFfaW52YWxpZF9jb21wYXQgICAgICAgIC8vIEZJUSAzMi1iaXQg RUwwL0VMMQotICAgICAgICB2ZW50cnkgIGd1ZXN0X2Vycm9yX2ludmFsaWRf Y29tcGF0ICAgICAgLy8gRXJyb3IgMzItYml0IEVMMC9FTDEKKyAgICAgICAg dmVudHJ5ICBndWVzdF9lcnJvcl9jb21wYXQgICAgICAgICAgICAgIC8vIEVy cm9yIDMyLWJpdCBFTDAvRUwxCgogLyoKICAqIHN0cnVjdCB2Y3B1ICpfX2Nv bnRleHRfc3dpdGNoKHN0cnVjdCB2Y3B1ICpwcmV2LCBzdHJ1Y3QgdmNwdSAq bmV4dCkKLS0tIGEveGVuL2FyY2gvYXJtL3RyYXBzLmMKKysrIGIveGVuL2Fy Y2gvYXJtL3RyYXBzLmMKQEAgLTI3MjMsNiArMjcyMywyMSBAQCBhc21saW5r YWdlIHZvaWQgZG9fdHJhcF9oeXBlcnZpc29yKHN0cnVjdCBjcHVfdXNlcl9y ZWdzICpyZWdzKQogICAgIH0KIH0KCithc21saW5rYWdlIHZvaWQgZG9fdHJh cF9ndWVzdF9lcnJvcihzdHJ1Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKK3sK KyAgICBlbnRlcl9oeXBlcnZpc29yX2hlYWQocmVncyk7CisKKyAgICAvKgor ICAgICAqIEN1cnJlbnRseSwgdG8gZW5zdXJlIGh5cGVydmlzb3Igc2FmZXR5 LCB3aGVuIHdlIHJlY2VpdmVkIGEKKyAgICAgKiBndWVzdC1nZW5lcmF0ZWQg dlNlcnJvci92QWJvcnQsIHdlIGp1c3QgY3Jhc2ggdGhlIGd1ZXN0IHRvIHBy b3RlY3QKKyAgICAgKiB0aGUgaHlwZXJ2aXNvci4gSW4gZnV0dXJlIHdlIGNh biBiZXR0ZXIgaGFuZGxlIHRoaXMgYnkgaW5qZWN0aW5nCisgICAgICogYSB2 U2Vycm9yL3ZBYm9ydCB0byB0aGUgZ3Vlc3QuCisgICAgICovCisgICAgZ2Rw cmludGsoWEVOTE9HX1dBUk5JTkcsICJHdWVzdChEb20tJXUpIHdpbGwgYmUg Y3Jhc2hlZCBieSB2U0Vycm9yXG4iLAorICAgICAgICAgICAgIGN1cnJlbnQt PmRvbWFpbi0+ZG9tYWluX2lkKTsKKyAgICBkb21haW5fY3Jhc2hfc3luY2hy b25vdXMoKTsKK30KKwogYXNtbGlua2FnZSB2b2lkIGRvX3RyYXBfaXJxKHN0 cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQogewogICAgIGVudGVyX2h5cGVy dmlzb3JfaGVhZChyZWdzKTsK --=separator Content-Type: application/octet-stream; name="xsa201-2.patch" Content-Disposition: attachment; filename="xsa201-2.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTY0OiBoYW5kbGUgYXN5bmMgYWJvcnRzIGRlbGl2ZXJlZCB3aGlsZSBhdCBF TDIKCklmIEVMMSBnZW5lcmF0ZXMgYW4gYXN5bmNocm9ub3VzIGFib3J0IGFu ZCB0aGVuIHRyYXBzIGludG8gRUwyCihieSBIVkMgb3IgSVJRKSBiZWZvcmUg dGhlIGFib3J0IGhhcyBiZWVuIGRlbGl2ZXJlZCwgdGhlIGh5cGVydmlzb3IK Y291bGQgbm90IGNhdGNoIGl0LCBiZWNhdXNlIHRoZSBQU1RBVEUuQSBiaXQg aXMgbWFza2VkIGFsbCB0aGUgdGltZQppbiBoeXBlcnZpc29yLiBTbyB0aGlz IGFzeW5jaHJvbm91cyBhYm9ydCBtYXkgYmUgc2xpcHBlZCB0byBuZXh0CnJ1 bm5pbmcgZ3Vlc3Qgd2l0aCBQU1RBVEUuQSBiaXQgdW5tYXNrZWQuCgpJbiBv cmRlciB0byBhdm9pZCB0aGlzLCBpdCBpcyBuZWNlc3NhcnkgdG8gdGFrZSB0 aGUgYWJvcnQgYXQgRUwyLCBieQpjbGVhcmluZyB0aGUgUFNUQVRFLkEgYml0 LiBJbiB0aGlzIHBhdGNoLCB3ZSB1bm1hc2sgdGhlIFBTVEFURS5BIGJpdAp0 byBvcGVuIGEgd2luZG93IHRvIGNhdGNoIGd1ZXN0LWdlbmVyYXRlZCBhc3lu Y2hyb25vdXMgYWJvcnQgaW4gYWxsCkVMMSAtPiBFTDIgc3dpY2ggcGF0aHMu IElmIHdlIGNhdGNoZWQgc3VjaCBhc3luY2hyb25vdXMgYWJvcnQgaW4KY2hl Y2tpbmcgd2luZG93LCB0aGUgaHlwX2Vycm9yIGV4Y2VwdGlvbiB3aWxsIGJl IHRyaWdnZXJlZCBhbmQgdGhlCmFib3J0IHNvdXJjZSBndWVzdCB3aWxsIGJl IGNyYXNoZWQuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4KClNpZ25lZC1v ZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpSZXZpZXdlZC1i eTogSnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAYXJtLmNvbT4KCi0tLSBh L3hlbi9hcmNoL2FybS9hcm02NC9lbnRyeS5TCisrKyBiL3hlbi9hcmNoL2Fy bS9hcm02NC9lbnRyeS5TCkBAIC0xNzMsNiArMTczLDQzIEBAIGh5cF9lcnJv cl9pbnZhbGlkOgogICAgICAgICBlbnRyeSAgIGh5cD0xCiAgICAgICAgIGlu dmFsaWQgQkFEX0VSUk9SCgoraHlwX2Vycm9yOgorICAgICAgICAvKgorICAg ICAgICAgKiBPbmx5IHR3byBwb3NzaWJpbGl0aWVzOgorICAgICAgICAgKiAx KSBFaXRoZXIgd2UgY29tZSBmcm9tIHRoZSBleGl0IHBhdGgsIGhhdmluZyBq dXN0IHVubWFza2VkCisgICAgICAgICAqICAgIFBTVEFURS5BOiBjaGFuZ2Ug dGhlIHJldHVybiBjb2RlIHRvIGFuIEVMMiBmYXVsdCwgYW5kCisgICAgICAg ICAqICAgIGNhcnJ5IG9uLCBhcyB3ZSdyZSBhbHJlYWR5IGluIGEgc2FuZSBz dGF0ZSB0byBoYW5kbGUgaXQuCisgICAgICAgICAqIDIpIE9yIHdlIGNvbWUg ZnJvbSBhbnl3aGVyZSBlbHNlLCBhbmQgdGhhdCdzIGEgYnVnOiB3ZSBwYW5p Yy4KKyAgICAgICAgICovCisgICAgICAgIGVudHJ5ICAgaHlwPTEKKyAgICAg ICAgbXNyICAgICBkYWlmY2xyLCAjMgorCisgICAgICAgIC8qCisgICAgICAg ICAqIFRoZSBFTFJfRUwyIG1heSBiZSBtb2RpZmllZCBieSBhbiBpbnRlcnJ1 cHQsIHNvIHdlIGhhdmUgdG8gdXNlIHRoZQorICAgICAgICAgKiBzYXZlZCB2 YWx1ZSBpbiBjcHVfdXNlcl9yZWdzIHRvIGNoZWNrIHdoZXRoZXIgd2UgY29t ZSBmcm9tIDEpIG9yCisgICAgICAgICAqIG5vdC4KKyAgICAgICAgICovCisg ICAgICAgIGxkciAgICAgeDAsIFtzcCwgI1VSRUdTX1BDXQorICAgICAgICBh ZHIgICAgIHgxLCBhYm9ydF9ndWVzdF9leGl0X3N0YXJ0CisgICAgICAgIGNt cCAgICAgeDAsIHgxCisgICAgICAgIGFkciAgICAgeDEsIGFib3J0X2d1ZXN0 X2V4aXRfZW5kCisgICAgICAgIGNjbXAgICAgeDAsIHgxLCAjNCwgbmUKKyAg ICAgICAgbW92ICAgICB4MCwgc3AKKyAgICAgICAgbW92ICAgICB4MSwgI0JB RF9FUlJPUgorCisgICAgICAgIC8qCisgICAgICAgICAqIE5vdCBlcXVhbCwg dGhlIGV4Y2VwdGlvbiBjb21lIGZyb20gMikuIEl0J3MgYSBidWcsIHdlIGhh dmUgdG8KKyAgICAgICAgICogcGFuaWMgdGhlIGh5cGVydmlzb3IuCisgICAg ICAgICAqLworICAgICAgICBiLm5lICAgIGRvX2JhZF9tb2RlCisKKyAgICAg ICAgLyoKKyAgICAgICAgICogT3RoZXJ3aXNlLCB0aGUgZXhjZXB0aW9uIGNv bWUgZnJvbSAxKS4gSXQgaGFwcGVuZWQgYmVjYXVzZSBvZgorICAgICAgICAg KiB0aGUgZ3Vlc3QuIENyYXNoIHRoaXMgZ3Vlc3QuCisgICAgICAgICAqLwor ICAgICAgICBibCAgICAgIGRvX3RyYXBfZ3Vlc3RfZXJyb3IKKyAgICAgICAg ZXhpdCAgICBoeXA9MQorCiAvKiBUcmFwcyB0YWtlbiBpbiBDdXJyZW50IEVM IHdpdGggU1BfRUx4ICovCiBoeXBfc3luYzoKICAgICAgICAgZW50cnkgICBo eXA9MQpAQCAtMTg5LDE1ICsyMjYsMjkgQEAgaHlwX2lycToKCiBndWVzdF9z eW5jOgogICAgICAgICBlbnRyeSAgIGh5cD0wLCBjb21wYXQ9MAorICAgICAg ICBibCAgICAgIGNoZWNrX3BlbmRpbmdfdnNlcnJvcgorICAgICAgICAvKgor ICAgICAgICAgKiBJZiB4MCBpcyBOb24temVybywgYSB2U0Vycm9yIHRvb2sg cGxhY2UsIHRoZSBpbml0aWFsIGV4Y2VwdGlvbgorICAgICAgICAgKiBkb2Vz bid0IGhhdmUgYW55IHNpZ25pZmljYW5jZSB0byBiZSBoYW5kbGVkLiBFeGl0 IEFTQVAKKyAgICAgICAgICovCisgICAgICAgIGNibnogICAgeDAsIDFmCiAg ICAgICAgIG1zciAgICAgZGFpZmNsciwgIzIKICAgICAgICAgbW92ICAgICB4 MCwgc3AKICAgICAgICAgYmwgICAgICBkb190cmFwX2h5cGVydmlzb3IKKzE6 CiAgICAgICAgIGV4aXQgICAgaHlwPTAsIGNvbXBhdD0wCgogZ3Vlc3RfaXJx OgogICAgICAgICBlbnRyeSAgIGh5cD0wLCBjb21wYXQ9MAorICAgICAgICBi bCAgICAgIGNoZWNrX3BlbmRpbmdfdnNlcnJvcgorICAgICAgICAvKgorICAg ICAgICAgKiBJZiB4MCBpcyBOb24temVybywgYSB2U0Vycm9yIHRvb2sgcGxh Y2UsIHRoZSBpbml0aWFsIGV4Y2VwdGlvbgorICAgICAgICAgKiBkb2Vzbid0 IGhhdmUgYW55IHNpZ25pZmljYW5jZSB0byBiZSBoYW5kbGVkLiBFeGl0IEFT QVAKKyAgICAgICAgICovCisgICAgICAgIGNibnogICAgeDAsIDFmCiAgICAg ICAgIG1vdiAgICAgeDAsIHNwCiAgICAgICAgIGJsICAgICAgZG9fdHJhcF9p cnEKKzE6CiAgICAgICAgIGV4aXQgICAgaHlwPTAsIGNvbXBhdD0wCgogZ3Vl c3RfZmlxX2ludmFsaWQ6CkBAIC0yMTMsMTUgKzI2NCwyOSBAQCBndWVzdF9l cnJvcjoKCiBndWVzdF9zeW5jX2NvbXBhdDoKICAgICAgICAgZW50cnkgICBo eXA9MCwgY29tcGF0PTEKKyAgICAgICAgYmwgICAgICBjaGVja19wZW5kaW5n X3ZzZXJyb3IKKyAgICAgICAgLyoKKyAgICAgICAgICogSWYgeDAgaXMgTm9u LXplcm8sIGEgdlNFcnJvciB0b29rIHBsYWNlLCB0aGUgaW5pdGlhbCBleGNl cHRpb24KKyAgICAgICAgICogZG9lc24ndCBoYXZlIGFueSBzaWduaWZpY2Fu Y2UgdG8gYmUgaGFuZGxlZC4gRXhpdCBBU0FQCisgICAgICAgICAqLworICAg ICAgICBjYm56ICAgIHgwLCAxZgogICAgICAgICBtc3IgICAgIGRhaWZjbHIs ICMyCiAgICAgICAgIG1vdiAgICAgeDAsIHNwCiAgICAgICAgIGJsICAgICAg ZG9fdHJhcF9oeXBlcnZpc29yCisxOgogICAgICAgICBleGl0ICAgIGh5cD0w LCBjb21wYXQ9MQoKIGd1ZXN0X2lycV9jb21wYXQ6CiAgICAgICAgIGVudHJ5 ICAgaHlwPTAsIGNvbXBhdD0xCisgICAgICAgIGJsICAgICAgY2hlY2tfcGVu ZGluZ192c2Vycm9yCisgICAgICAgIC8qCisgICAgICAgICAqIElmIHgwIGlz IE5vbi16ZXJvLCBhIHZTRXJyb3IgdG9vayBwbGFjZSwgdGhlIGluaXRpYWwg ZXhjZXB0aW9uCisgICAgICAgICAqIGRvZXNuJ3QgaGF2ZSBhbnkgc2lnbmlm aWNhbmNlIHRvIGJlIGhhbmRsZWQuIEV4aXQgQVNBUAorICAgICAgICAgKi8K KyAgICAgICAgY2JueiAgICB4MCwgMWYKICAgICAgICAgbW92ICAgICB4MCwg c3AKICAgICAgICAgYmwgICAgICBkb190cmFwX2lycQorMToKICAgICAgICAg ZXhpdCAgICBoeXA9MCwgY29tcGF0PTEKCiBndWVzdF9maXFfaW52YWxpZF9j b21wYXQ6CkBAIC0yNzAsNiArMzM1LDYyIEBAIHJldHVybl9mcm9tX3RyYXA6 CiAgICAgICAgIGVyZXQKCiAvKgorICogVGhpcyBmdW5jdGlvbiBpcyB1c2Vk IHRvIGNoZWNrIHBlbmRpbmcgdmlydHVhbCBTRXJyb3IgaW4gdGhlIGdhcCBv ZgorICogRUwxIC0+IEVMMiB3b3JsZCBzd2l0Y2guCisgKiBUaGUgeDAgcmVn aXN0ZXIgd2lsbCBiZSB1c2VkIHRvIGluZGljYXRlIHRoZSByZXN1bHRzIG9m IGRldGVjdGlvbi4KKyAqIHgwIC0tIE5vbi16ZXJvIGluZGljYXRlcyBhIHBl bmRpbmcgdmlydHVhbCBTRXJyb3IgdG9vayBwbGFjZS4KKyAqIHgwIC0tIFpl cm8gaW5kaWNhdGVzIG5vIHBlbmRpbmcgdmlydHVhbCBTRXJyb3IgdG9vayBw bGFjZS4KKyAqLworY2hlY2tfcGVuZGluZ192c2Vycm9yOgorICAgICAgICAv KgorICAgICAgICAgKiBTYXZlIGVscl9lbDIgdG8gY2hlY2sgd2hldGhlciB0 aGUgcGVuZGluZyBTRXJyb3IgZXhjZXB0aW9uIHRha2VzCisgICAgICAgICAq IHBsYWNlIHdoaWxlIHdlIGFyZSBkb2luZyB0aGlzIHN5bmMgZXhjZXB0aW9u LgorICAgICAgICAgKi8KKyAgICAgICAgbXJzICAgICB4MCwgZWxyX2VsMgor CisgICAgICAgIC8qIFN5bmNocm9uaXplIGFnYWluc3QgaW4tZmxpZ2h0IGxk L3N0ICovCisgICAgICAgIGRzYiAgICAgc3kKKworICAgICAgICAvKgorICAg ICAgICAgKiBVbm1hc2sgUFNUQVRFIGFzeW5jaHJvbm91cyBhYm9ydCBiaXQu IElmIHRoZXJlIGlzIGEgcGVuZGluZworICAgICAgICAgKiBTRXJyb3IsIHRo ZSBFTDIgZXJyb3IgZXhjZXB0aW9uIHdpbGwgaGFwcGVuIGFmdGVyIFBTVEFU RS5BCisgICAgICAgICAqIGlzIGNsZWFyZWQuCisgICAgICAgICAqLworICAg ICAgICBtc3IgICAgIGRhaWZjbHIsICM0CisKKyAgICAgICAgLyoKKyAgICAg ICAgICogVGhpcyBpcyBvdXIgc2luZ2xlIGluc3RydWN0aW9uIGV4Y2VwdGlv biB3aW5kb3cuIEEgcGVuZGluZworICAgICAgICAgKiBTRXJyb3IgaXMgZ3Vh cmFudGVlZCB0byBvY2N1ciBhdCB0aGUgZWFybGllc3Qgd2hlbiB3ZSB1bm1h c2sKKyAgICAgICAgICogaXQsIGFuZCBhdCB0aGUgbGF0ZXN0IGp1c3QgYWZ0 ZXIgdGhlIElTQi4KKyAgICAgICAgICoKKyAgICAgICAgICogSWYgYSBwZW5k aW5nIFNFcnJvciBvY2N1cnMsIHRoZSBwcm9ncmFtIHdpbGwganVtcCB0byBF TDIgZXJyb3IKKyAgICAgICAgICogZXhjZXB0aW9uIGhhbmRsZXIsIGFuZCB0 aGUgZWxyX2VsMiB3aWxsIGJlIHNldCB0bworICAgICAgICAgKiBhYm9ydF9n dWVzdF9leGl0X3N0YXJ0IG9yIGFib3J0X2d1ZXN0X2V4aXRfZW5kLgorICAg ICAgICAgKi8KK2Fib3J0X2d1ZXN0X2V4aXRfc3RhcnQ6CisKKyAgICAgICAg aXNiCisKK2Fib3J0X2d1ZXN0X2V4aXRfZW5kOgorICAgICAgICAvKiBNYXNr IFBTVEFURSBhc3luY2hyb25vdXMgYWJvcnQgYml0LCBjbG9zZSB0aGUgY2hl Y2tpbmcgd2luZG93LiAqLworICAgICAgICBtc3IgICAgIGRhaWZzZXQsICM0 CisKKyAgICAgICAgLyoKKyAgICAgICAgICogQ29tcGFyZSBlbHJfZWwyIGFu ZCB0aGUgc2F2ZWQgdmFsdWUgdG8gY2hlY2sgd2hldGhlciB3ZSBhcmUKKyAg ICAgICAgICogcmV0dXJuaW5nIGZyb20gYSB2YWxpZCBleGNlcHRpb24gY2F1 c2VkIGJ5IHBlbmRpbmcgU0Vycm9yLgorICAgICAgICAgKi8KKyAgICAgICAg bXJzICAgICB4MSwgZWxyX2VsMgorICAgICAgICBjbXAgICAgIHgwLCB4MQor CisgICAgICAgIC8qCisgICAgICAgICAqIE5vdCBlcXVhbCwgdGhlIHBlbmRp bmcgU0Vycm9yIGV4Y2VwdGlvbiB0b29rIHBsYWNlLCBzZXQKKyAgICAgICAg ICogeDAgdG8gbm9uLXplcm8uCisgICAgICAgICAqLworICAgICAgICBjc2V0 ICAgIHgwLCBuZQorCisgICAgICAgIHJldAorCisvKgogICogRXhjZXB0aW9u IHZlY3RvcnMuCiAgKi8KICAgICAgICAgLm1hY3JvICB2ZW50cnkgIGxhYmVs CkBAIC0yODcsNyArNDA4LDcgQEAgRU5UUlkoaHlwX3RyYXBzX3ZlY3RvcikK ICAgICAgICAgdmVudHJ5ICBoeXBfc3luYyAgICAgICAgICAgICAgICAgICAg ICAgIC8vIFN5bmNocm9ub3VzIEVMMmgKICAgICAgICAgdmVudHJ5ICBoeXBf aXJxICAgICAgICAgICAgICAgICAgICAgICAgIC8vIElSUSBFTDJoCiAgICAg ICAgIHZlbnRyeSAgaHlwX2ZpcV9pbnZhbGlkICAgICAgICAgICAgICAgICAv LyBGSVEgRUwyaAotICAgICAgICB2ZW50cnkgIGh5cF9lcnJvcl9pbnZhbGlk ICAgICAgICAgICAgICAgLy8gRXJyb3IgRUwyaAorICAgICAgICB2ZW50cnkg IGh5cF9lcnJvciAgICAgICAgICAgICAgICAgICAgICAgLy8gRXJyb3IgRUwy aAoKICAgICAgICAgdmVudHJ5ICBndWVzdF9zeW5jICAgICAgICAgICAgICAg ICAgICAgIC8vIFN5bmNocm9ub3VzIDY0LWJpdCBFTDAvRUwxCiAgICAgICAg IHZlbnRyeSAgZ3Vlc3RfaXJxICAgICAgICAgICAgICAgICAgICAgICAvLyBJ UlEgNjQtYml0IEVMMC9FTDEK --=separator Content-Type: application/octet-stream; name="xsa201-3.patch" Content-Disposition: attachment; filename="xsa201-3.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTogY3Jhc2ggdGhlIGd1ZXN0IHdoZW4gaXQgdHJhcHMgb24gZXh0ZXJuYWwg YWJvcnQKCklmIHdlIHNwb3QgYSBkYXRhIG9yIHByZWZldGNoIGFib3J0IGJl YXJpbmcgdGhlIEVTUl9FTDIuRUEgYml0IHNldCwgd2UKa25vdyB0aGF0IHRo aXMgaXMgYW4gZXh0ZXJuYWwgYWJvcnQsIGFuZCB0aGF0IHNob3VsZCBjcmFz aCB0aGUgZ3Vlc3QuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4KClNpZ25l ZC1vZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpSZXZpZXdl ZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzc3RhYmVsbGluaUBrZXJuZWwu b3JnPgpSZXZpZXdlZC1ieTogU3RldmUgQ2FwcGVyIDxzdGV2ZS5jYXBwZXJA YXJtLmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBHcmFsbCA8SnVsaWVuLkdy YWxsQGFybS5jb20+CgotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtMjQwOSw2ICsyNDA5LDE1IEBA IHN0YXRpYyB2b2lkIGRvX3RyYXBfaW5zdHJfYWJvcnRfZ3Vlc3Qoc3RydWN0 IGNwdV91c2VyX3JlZ3MgKnJlZ3MsCiAgICAgcGFkZHJfdCBncGE7CiAgICAg bWZuX3QgbWZuOwoKKyAgICAvKgorICAgICAqIElmIHRoaXMgYml0IGhhcyBi ZWVuIHNldCwgaXQgbWVhbnMgdGhhdCB0aGlzIGluc3RydWN0aW9uIGFib3J0 IGlzIGNhdXNlZAorICAgICAqIGJ5IGEgZ3Vlc3QgZXh0ZXJuYWwgYWJvcnQu IEN1cnJlbnRseSB3ZSBjcmFzaCB0aGUgZ3Vlc3QgdG8gcHJvdGVjdCB0aGUK KyAgICAgKiBoeXBlcnZpc29yLiBJbiBmdXR1cmUgb25lIGNhbiBiZXR0ZXIg aGFuZGxlIHRoaXMgYnkgaW5qZWN0aW5nIGEgdmlydHVhbAorICAgICAqIGFi b3J0IHRvIHRoZSBndWVzdC4KKyAgICAgKi8KKyAgICBpZiAoIGhzci5pYWJ0 LmVhdCApCisgICAgICAgIGRvbWFpbl9jcmFzaF9zeW5jaHJvbm91cygpOwor CiAgICAgaWYgKCBocGZhcl9pc192YWxpZChoc3IuaWFidC5zMXB0dywgZnNj KSApCiAgICAgICAgIGdwYSA9IGdldF9mYXVsdGluZ19pcGEoZ3ZhKTsKICAg ICBlbHNlCkBAIC0yNTAzLDYgKzI1MTIsMTUgQEAgc3RhdGljIHZvaWQgZG9f dHJhcF9kYXRhX2Fib3J0X2d1ZXN0KHN0cnVjdCBjcHVfdXNlcl9yZWdzICpy ZWdzLAogICAgIHVpbnQ4X3QgZnNjID0gaHNyLmRhYnQuZGZzYyAmIH5GU0Nf TExfTUFTSzsKICAgICBtZm5fdCBtZm47CgorICAgIC8qCisgICAgICogSWYg dGhpcyBiaXQgaGFzIGJlZW4gc2V0LCBpdCBtZWFucyB0aGF0IHRoaXMgZGF0 YSBhYm9ydCBpcyBjYXVzZWQKKyAgICAgKiBieSBhIGd1ZXN0IGV4dGVybmFs IGFib3J0LiBDdXJyZW50bHkgd2UgY3Jhc2ggdGhlIGd1ZXN0IHRvIHByb3Rl Y3QgdGhlCisgICAgICogaHlwZXJ2aXNvci4gSW4gZnV0dXJlIG9uZSBjYW4g YmV0dGVyIGhhbmRsZSB0aGlzIGJ5IGluamVjdGluZyBhIHZpcnR1YWwKKyAg ICAgKiBhYm9ydCB0byB0aGUgZ3Vlc3QuCisgICAgICovCisgICAgaWYgKCBk YWJ0LmVhdCApCisgICAgICAgIGRvbWFpbl9jcmFzaF9zeW5jaHJvbm91cygp OworCiAgICAgaW5mby5kYWJ0ID0gZGFidDsKICNpZmRlZiBDT05GSUdfQVJN XzMyCiAgICAgaW5mby5ndmEgPSBSRUFEX0NQMzIoSERGQVIpOwo= --=separator Content-Type: application/octet-stream; name="xsa201-3-4.7.patch" Content-Disposition: attachment; filename="xsa201-3-4.7.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTogY3Jhc2ggdGhlIGd1ZXN0IHdoZW4gaXQgdHJhcHMgb24gZXh0ZXJuYWwg YWJvcnQKCklmIHdlIHNwb3QgYSBkYXRhIG9yIHByZWZldGNoIGFib3J0IGJl YXJpbmcgdGhlIEVTUl9FTDIuRUEgYml0IHNldCwgd2UKa25vdyB0aGF0IHRo aXMgaXMgYW4gZXh0ZXJuYWwgYWJvcnQsIGFuZCB0aGF0IHNob3VsZCBjcmFz aCB0aGUgZ3Vlc3QuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4KClNpZ25l ZC1vZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpSZXZpZXdl ZC1ieTogU3RlZmFubyBTdGFiZWxsaW5pIDxzc3RhYmVsbGluaUBrZXJuZWwu b3JnPgpSZXZpZXdlZC1ieTogU3RldmUgQ2FwcGVyIDxzdGV2ZS5jYXBwZXJA YXJtLmNvbT4KUmV2aWV3ZWQtYnk6IEp1bGllbiBHcmFsbCA8SnVsaWVuLkdy YWxsQGFybS5jb20+CgotLS0gYS94ZW4vYXJjaC9hcm0vdHJhcHMuYworKysg Yi94ZW4vYXJjaC9hcm0vdHJhcHMuYwpAQCAtMjM4Myw2ICsyMzgzLDE1IEBA IHN0YXRpYyB2b2lkIGRvX3RyYXBfaW5zdHJfYWJvcnRfZ3Vlc3Qoc3RydWN0 IGNwdV91c2VyX3JlZ3MgKnJlZ3MsCiAgICAgaW50IHJjOwogICAgIHJlZ2lz dGVyX3QgZ3ZhID0gUkVBRF9TWVNSRUcoRkFSX0VMMik7CiAKKyAgICAvKgor ICAgICAqIElmIHRoaXMgYml0IGhhcyBiZWVuIHNldCwgaXQgbWVhbnMgdGhh dCB0aGlzIGluc3RydWN0aW9uIGFib3J0IGlzIGNhdXNlZAorICAgICAqIGJ5 IGEgZ3Vlc3QgZXh0ZXJuYWwgYWJvcnQuIEN1cnJlbnRseSB3ZSBjcmFzaCB0 aGUgZ3Vlc3QgdG8gcHJvdGVjdCB0aGUKKyAgICAgKiBoeXBlcnZpc29yLiBJ biBmdXR1cmUgb25lIGNhbiBiZXR0ZXIgaGFuZGxlIHRoaXMgYnkgaW5qZWN0 aW5nIGEgdmlydHVhbAorICAgICAqIGFib3J0IHRvIHRoZSBndWVzdC4KKyAg ICAgKi8KKyAgICBpZiAoIGhzci5pYWJ0LmVhdCApCisgICAgICAgIGRvbWFp bl9jcmFzaF9zeW5jaHJvbm91cygpOworCiAgICAgc3dpdGNoICggaHNyLmlh YnQuaWZzYyAmIDB4M2YgKQogICAgIHsKICAgICBjYXNlIEZTQ19GTFRfUEVS TSAuLi4gRlNDX0ZMVF9QRVJNICsgMzoKQEAgLTI0MzcsNiArMjQ0NiwxNSBA QCBzdGF0aWMgdm9pZCBkb190cmFwX2RhdGFfYWJvcnRfZ3Vlc3Qoc3RydWN0 IGNwdV91c2VyX3JlZ3MgKnJlZ3MsCiAgICAgICAgIHJldHVybjsKICAgICB9 CiAKKyAgICAvKgorICAgICAqIElmIHRoaXMgYml0IGhhcyBiZWVuIHNldCwg aXQgbWVhbnMgdGhhdCB0aGlzIGRhdGEgYWJvcnQgaXMgY2F1c2VkCisgICAg ICogYnkgYSBndWVzdCBleHRlcm5hbCBhYm9ydC4gQ3VycmVudGx5IHdlIGNy YXNoIHRoZSBndWVzdCB0byBwcm90ZWN0IHRoZQorICAgICAqIGh5cGVydmlz b3IuIEluIGZ1dHVyZSBvbmUgY2FuIGJldHRlciBoYW5kbGUgdGhpcyBieSBp bmplY3RpbmcgYSB2aXJ0dWFsCisgICAgICogYWJvcnQgdG8gdGhlIGd1ZXN0 LgorICAgICAqLworICAgIGlmICggZGFidC5lYXQgKQorICAgICAgICBkb21h aW5fY3Jhc2hfc3luY2hyb25vdXMoKTsKKwogICAgIGluZm8uZGFidCA9IGRh YnQ7CiAjaWZkZWYgQ09ORklHX0FSTV8zMgogICAgIGluZm8uZ3ZhID0gUkVB RF9DUDMyKEhERkFSKTsK --=separator Content-Type: application/octet-stream; name="xsa201-4.patch" Content-Disposition: attachment; filename="xsa201-4.patch" Content-Transfer-Encoding: base64 RnJvbTogV2VpIENoZW4gPFdlaS5DaGVuQGFybS5jb20+ClN1YmplY3Q6IGFy bTMyOiBoYW5kbGUgYXN5bmMgYWJvcnRzIGRlbGl2ZXJlZCB3aGlsZSBhdCBI WVAKCklmIGd1ZXN0IGdlbmVyYXRlcyBhbiBhc3luY2hyb25vdXMgYWJvcnQg YW5kIHRoZW4gdHJhcHMgaW50byBIWVAKKGJ5IEhWQyBvciBJUlEpIGJlZm9y ZSB0aGUgYWJvcnQgaGFzIGJlZW4gZGVsaXZlcmVkLCB0aGUgaHlwZXJ2aXNv cgpjb3VsZCBub3QgY2F0Y2ggaXQsIGJlY2F1c2UgdGhlIFBTVEFURS5BIGJp dCBpcyBtYXNrZWQgYWxsIHRoZSB0aW1lCmluIGh5cGVydmlzb3IuIFNvIHRo aXMgYXN5bmNocm9ub3VzIGFib3J0IG1heSBiZSBzbGlwcGVkIHRvIG5leHQK cnVubmluZyBndWVzdCB3aXRoIFBTVEFURS5BIGJpdCB1bm1hc2tlZC4KCklu IG9yZGVyIHRvIGF2b2lkIHRoaXMsIGl0IGlzIG5lY2Vzc2FyeSB0byB0YWtl IHRoZSBhYm9ydCBhdCBIWVAsIGJ5CmNsZWFyaW5nIHRoZSBQU1RBVEUuQSBi aXQuIEluIHRoaXMgcGF0Y2gsIHdlIHVubWFzayB0aGUgUFNUQVRFLkEgYml0 CnRvIG9wZW4gYSB3aW5kb3cgdG8gY2F0Y2ggZ3Vlc3QtZ2VuZXJhdGVkIGFz eW5jaHJvbm91cyBhYm9ydCBpbiBhbGwKR3Vlc3QgLT4gSFlQIHN3aXRjaCBw YXRocy4gSWYgd2UgY2F1Z2h0IHN1Y2ggYXN5bmNocm9ub3VzIGFib3J0IGlu CmNoZWNraW5nIHdpbmRvdywgdGhlIEhZUCBkYXRhIGFib3J0IGV4Y2VwdGlv biB3aWxsIGJlIHRyaWdnZXJlZCBhbmQKdGhlIGFib3J0IHNvdXJjZSBndWVz dCB3aWxsIGJlIGNyYXNoZWQuCgpUaGlzIGlzIHBhcnQgb2YgWFNBLTIwMS4K ClNpZ25lZC1vZmYtYnk6IFdlaSBDaGVuIDxXZWkuQ2hlbkBhcm0uY29tPgpS ZXZpZXdlZC1ieTogSnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAYXJtLmNv bT4KCi0tLSBhL3hlbi9hcmNoL2FybS9hcm0zMi9lbnRyeS5TCisrKyBiL3hl bi9hcmNoL2FybS9hcm0zMi9lbnRyeS5TCkBAIC00Miw2ICs0Miw2MSBAQCBz YXZlX2d1ZXN0X3JlZ3M6CiAgICAgICAgIFNBVkVfQkFOS0VEKGZpcSkKICAg ICAgICAgU0FWRV9PTkVfQkFOS0VEKFI4X2ZpcSk7IFNBVkVfT05FX0JBTktF RChSOV9maXEpOyBTQVZFX09ORV9CQU5LRUQoUjEwX2ZpcSkKICAgICAgICAg U0FWRV9PTkVfQkFOS0VEKFIxMV9maXEpOyBTQVZFX09ORV9CQU5LRUQoUjEy X2ZpcSk7CisgICAgICAgIC8qCisgICAgICAgICAqIFN0YXJ0IHRvIGNoZWNr IHBlbmRpbmcgdmlydHVhbCBhYm9ydCBpbiB0aGUgZ2FwIG9mIEd1ZXN0IC0+ IEhZUAorICAgICAgICAgKiB3b3JsZCBzd2l0Y2guCisgICAgICAgICAqCisg ICAgICAgICAqIFNhdmUgRUxSX2h5cCB0byBjaGVjayB3aGV0aGVyIHRoZSBw ZW5kaW5nIHZpcnR1YWwgYWJvcnQgZXhjZXB0aW9uCisgICAgICAgICAqIHRh a2VzIHBsYWNlIHdoaWxlIHdlIGFyZSBkb2luZyB0aGlzIHRyYXAgZXhjZXB0 aW9uLgorICAgICAgICAgKi8KKyAgICAgICAgbXJzIHIxLCBFTFJfaHlwCisK KyAgICAgICAgLyoKKyAgICAgICAgICogRm9yY2UgbG9hZHMgYW5kIHN0b3Jl cyB0byBjb21wbGV0ZSBiZWZvcmUgdW5tYXNraW5nIGFzeW5jaHJvbm91cwor ICAgICAgICAgKiBhYm9ydHMgYW5kIGZvcmNpbmcgdGhlIGRlbGl2ZXJ5IG9m IHRoZSBleGNlcHRpb24uCisgICAgICAgICAqLworICAgICAgICBkc2Igc3kK KworICAgICAgICAvKgorICAgICAgICAgKiBVbm1hc2sgYXN5bmNocm9ub3Vz IGFib3J0IGJpdC4gSWYgdGhlcmUgaXMgYSBwZW5kaW5nIGFzeW5jaHJvbm91 cworICAgICAgICAgKiBhYm9ydCwgdGhlIGRhdGFfYWJvcnQgZXhjZXB0aW9u IHdpbGwgaGFwcGVuIGFmdGVyIEEgYml0IGlzIGNsZWFyZWQuCisgICAgICAg ICAqLworICAgICAgICBjcHNpZSBhCisKKyAgICAgICAgLyoKKyAgICAgICAg ICogVGhpcyBpcyBvdXIgc2luZ2xlIGluc3RydWN0aW9uIGV4Y2VwdGlvbiB3 aW5kb3cuIEEgcGVuZGluZworICAgICAgICAgKiBhc3luY2hyb25vdXMgYWJv cnQgaXMgZ3VhcmFudGVlZCB0byBvY2N1ciBhdCB0aGUgZWFybGllc3Qgd2hl biB3ZQorICAgICAgICAgKiB1bm1hc2sgaXQsIGFuZCBhdCB0aGUgbGF0ZXN0 IGp1c3QgYWZ0ZXIgdGhlIElTQi4KKyAgICAgICAgICoKKyAgICAgICAgICog SWYgYSBwZW5kaW5nIGFib3J0IG9jY3VycywgdGhlIHByb2dyYW0gd2lsbCBq dW1wIHRvIGRhdGFfYWJvcnQKKyAgICAgICAgICogZXhjZXB0aW9uIGhhbmRs ZXIsIGFuZCB0aGUgRUxSX2h5cCB3aWxsIGJlIHNldCB0bworICAgICAgICAg KiBhYm9ydF9ndWVzdF9leGl0X3N0YXJ0IG9yIGFib3J0X2d1ZXN0X2V4aXRf ZW5kLgorICAgICAgICAgKi8KKyAgICAgICAgLmdsb2JhbCBhYm9ydF9ndWVz dF9leGl0X3N0YXJ0CithYm9ydF9ndWVzdF9leGl0X3N0YXJ0OgorCisgICAg ICAgIGlzYgorCisgICAgICAgIC5nbG9iYWwgYWJvcnRfZ3Vlc3RfZXhpdF9l bmQKK2Fib3J0X2d1ZXN0X2V4aXRfZW5kOgorICAgICAgICAvKiBNYXNrIENQ U1IgYXN5bmNocm9ub3VzIGFib3J0IGJpdCwgY2xvc2UgdGhlIGNoZWNraW5n IHdpbmRvdy4gKi8KKyAgICAgICAgY3BzaWQgYQorCisgICAgICAgIC8qCisg ICAgICAgICAqIENvbXBhcmUgRUxSX2h5cCBhbmQgdGhlIHNhdmVkIHZhbHVl IHRvIGNoZWNrIHdoZXRoZXIgd2UgYXJlCisgICAgICAgICAqIHJldHVybmlu ZyBmcm9tIGEgdmFsaWQgZXhjZXB0aW9uIGNhdXNlZCBieSBwZW5kaW5nIHZp cnR1YWwKKyAgICAgICAgICogYWJvcnQuCisgICAgICAgICAqLworICAgICAg ICBtcnMgcjIsIEVMUl9oeXAKKyAgICAgICAgY21wIHIxLCByMgorCisgICAg ICAgIC8qCisgICAgICAgICAqIE5vdCBlcXVhbCwgdGhlIHBlbmRpbmcgdmly dHVhbCBhYm9ydCBleGNlcHRpb24gdG9vayBwbGFjZSwgdGhlCisgICAgICAg ICAqIGluaXRpYWwgZXhjZXB0aW9uIGRvZXMgbm90IGhhdmUgYW55IHNpZ25p ZmljYW5jZSB0byBiZSBoYW5kbGVkLgorICAgICAgICAgKiBFeGl0IEFTQVAu CisgICAgICAgICAqLworICAgICAgICBibmUgcmV0dXJuX2Zyb21fdHJhcAor CiAgICAgICAgIG1vdiBwYywgbHIKCiAjZGVmaW5lIERFRklORV9UUkFQX0VO VFJZKHRyYXApICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICBcCi0tLSBhL3hlbi9hcmNoL2FybS9hcm0zMi90cmFwcy5jCisrKyBi L3hlbi9hcmNoL2FybS9hcm0zMi90cmFwcy5jCkBAIC02Myw3ICs2MywxMCBA QCBhc21saW5rYWdlIHZvaWQgZG9fdHJhcF9wcmVmZXRjaF9hYm9ydChzdHJ1 Y3QgY3B1X3VzZXJfcmVncyAqcmVncykKCiBhc21saW5rYWdlIHZvaWQgZG9f dHJhcF9kYXRhX2Fib3J0KHN0cnVjdCBjcHVfdXNlcl9yZWdzICpyZWdzKQog ewotICAgIGRvX3VuZXhwZWN0ZWRfdHJhcCgiRGF0YSBBYm9ydCIsIHJlZ3Mp OworICAgIGlmICggVkFCT1JUX0dFTl9CWV9HVUVTVChyZWdzKSApCisgICAg ICAgIGRvX3RyYXBfZ3Vlc3RfZXJyb3IocmVncyk7CisgICAgZWxzZQorICAg ICAgICBkb191bmV4cGVjdGVkX3RyYXAoIkRhdGEgQWJvcnQiLCByZWdzKTsK IH0KCiAvKgotLS0gYS94ZW4vaW5jbHVkZS9hc20tYXJtL2FybTMyL3Byb2Nl c3Nvci5oCisrKyBiL3hlbi9pbmNsdWRlL2FzbS1hcm0vYXJtMzIvcHJvY2Vz c29yLmgKQEAgLTU1LDYgKzU1LDE3IEBAIHN0cnVjdCBjcHVfdXNlcl9yZWdz CgogICAgIHVpbnQzMl90IHBhZDE7IC8qIERvdWJsZXdvcmQtYWxpZ24gdGhl IHVzZXIgaGFsZiBvZiB0aGUgZnJhbWUgKi8KIH07CisKKy8qIEZ1bmN0aW9u cyBmb3IgcGVuZGluZyB2aXJ0dWFsIGFib3J0IGNoZWNraW5nIHdpbmRvdy4g Ki8KK3ZvaWQgYWJvcnRfZ3Vlc3RfZXhpdF9zdGFydCh2b2lkKTsKK3ZvaWQg YWJvcnRfZ3Vlc3RfZXhpdF9lbmQodm9pZCk7CisKKyNkZWZpbmUgVkFCT1JU X0dFTl9CWV9HVUVTVChyKSAgXAorKCBcCisgICAgKCAodW5zaWduZWQgbG9u ZylhYm9ydF9ndWVzdF9leGl0X3N0YXJ0ID09IChyKS0+cGMgKSB8fCBcCisg ICAgKCAodW5zaWduZWQgbG9uZylhYm9ydF9ndWVzdF9leGl0X2VuZCA9PSAo ciktPnBjICkgXAorKQorCiAjZW5kaWYKCiAvKiBMYXlvdXQgYXMgdXNlZCBp biBhc3NlbWJseSwgd2l0aCBzcmMvZGVzdCByZWdpc3RlcnMgbWl4ZWQgaW4g Ki8KLS0tIGEveGVuL2luY2x1ZGUvYXNtLWFybS9wcm9jZXNzb3IuaAorKysg Yi94ZW4vaW5jbHVkZS9hc20tYXJtL3Byb2Nlc3Nvci5oCkBAIC02OTAsNiAr NjkwLDggQEAgdm9pZCB2Y3B1X3JlZ3NfdXNlcl90b19oeXAoc3RydWN0IHZj cHUgKnZjcHUsCiBpbnQgY2FsbF9zbWMocmVnaXN0ZXJfdCBmdW5jdGlvbl9p ZCwgcmVnaXN0ZXJfdCBhcmcwLCByZWdpc3Rlcl90IGFyZzEsCiAgICAgICAg ICAgICAgcmVnaXN0ZXJfdCBhcmcyKTsKCit2b2lkIGRvX3RyYXBfZ3Vlc3Rf ZXJyb3Ioc3RydWN0IGNwdV91c2VyX3JlZ3MgKnJlZ3MpOworCiAjZW5kaWYg LyogX19BU1NFTUJMWV9fICovCiAjZW5kaWYgLyogX19BU01fQVJNX1BST0NF U1NPUl9IICovCiAvKgo= --=separator Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91 bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVuLm9yZwpodHRwczovL2xpc3Rz Lnhlbi5vcmcveGVuLWFubm91bmNl --=separator-- From xen-announce-bounces@lists.xen.org Tue Nov 29 17:16:21 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 29 Nov 2016 17:16:21 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBm06-0004xK-Jd; Tue, 29 Nov 2016 17:15:26 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBlzi-0004tv-VY; Tue, 29 Nov 2016 17:15:03 +0000 Received: from [193.109.254.147] by server-6.bemta-6.messagelabs.com id EB/DE-28843-697BD385; Tue, 29 Nov 2016 17:15:02 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHIsWRWlGSWpSXmKPExsXitHRDpO7U7bY RBpM+alvM3tjGbPF9y2Qmi3f7/jI7MHsc/nCFJYAxijUzLym/IoE148vay6wF/cwV9+48YWpg vMHUxcjJISHgL/F+Th8ziM0ioCqx6s96NhCbTUBZ4mdnL5gtIpAj0ThpMyuIzSygKHHq9gyge g4OYaCaG8fEQMK8AvoSby88ZIGwBSVOznzCAlGuI7Fg9yc2kHJmAWmJ5f84QMKiAioSVya8ZQ exhQQUJDqmH2OawMgzC0n3LCTdsxC6FzAyr2LUKE4tKkst0jWy0EsqykzPKMlNzMzRNTQw08t NLS5OTE/NSUwq1kvOz93ECAwlBiDYwXh+beAhRkkOJiVR3uluNhFCfEn5KZUZicUZ8UWlOanF hxhlODiUJHj5t9lGCAkWpaanVqRl5gCDGiYtwcGjJMLbvxUozVtckJhbnJkOkTrFaMzxZtfLB 0wc7za/e8AkxJKXn5cqJc5bDDJJAKQ0ozQPbhAs2i4xykoJ8zICnSbEU5BalJtZgir/ilGcg1 FJmHcSyBSezLwSuH2vgE5hAjrl7WtrkFNKEhFSUg2MMrcXB93WzfKwc9m6oMa6cNWRzLdKxZs sd1rrei1S5GQrfyCWyVfdfXvDD9/YL3NnnLl258P+ZV+ZN7xzVbD69vsSj8TJWxtvyHmxB/Co lD3STy9ImnuNNWGldpDXPnXJqw8mNuzWLit99Hvu+5Pc/F+39LbXTzY59N3qWnwo29X9X19ez Ml7pcRSnJFoqMVcVJwIAMh43OGxAgAA X-Env-Sender: prvs=134d4c8fe=wei.liu2@citrix.com X-Msg-Ref: server-12.tower-27.messagelabs.com!1480439700!73225420!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n,received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 13341 invoked from network); 29 Nov 2016 17:15:01 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-12.tower-27.messagelabs.com with RC4-SHA encrypted SMTP; 29 Nov 2016 17:15:01 -0000 X-IronPort-AV: E=Sophos;i="5.31,717,1473120000"; d="scan'208";a="391975303" Date: Tue, 29 Nov 2016 17:14:58 +0000 From: Wei Liu To: , , Message-ID: <20161129171458.GW11640@citrix.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-Mailman-Approved-At: Tue, 29 Nov 2016 17:15:25 +0000 Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8 RC7 X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" SGkgYWxsCgpYZW4gNC44IFJDNyBpcyB0YWdnZWQuIFlvdSBjYW4gY2hlY2sgaXQgb3V0IGZyb20g eGVuLmdpdDoKCiAgZ2l0Oi8veGVuYml0cy54ZW4ub3JnL3hlbi5naXQgNC44LjAtcmM3CgpGb3Ig eW91IGNvbnZlbmllbmNlLCBwbGVhc2UgZmluZCB0YXJiYWxsIGFuZCBzaWduYXR1cmUgYXQ6Cgpo dHRwczovL2Rvd25sb2Fkcy54ZW5wcm9qZWN0Lm9yZy9yZWxlYXNlL3hlbi80LjguMC1yYzcvCgpQ bGVhc2Ugc2VuZCBidWcgcmVwb3J0cyBhbmQgdGVzdCByZXBvcnRzIHRvCnhlbi1kZXZlbEBsaXN0 cy54ZW5wcm9qZWN0Lm9yZy4gV2hlbiBzZW5kaW5nIHJlcG9ydHMsIHBsZWFzZSBDQyByZWxldmFu dAptYWludGFpbmVycyBhbmQgbWUgKHdlaS5saXUyQGNpdHJpeC5jb20pLgoKVGhhbmtzCldlaS4K Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fClhlbi1hbm5v dW5jZSBtYWlsaW5nIGxpc3QKWGVuLWFubm91bmNlQGxpc3RzLnhlbi5vcmcKaHR0cHM6Ly9saXN0 cy54ZW4ub3JnL3hlbi1hbm5vdW5jZQ== From xen-announce-bounces@lists.xen.org Tue Nov 29 17:16:21 2016 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 29 Nov 2016 17:16:21 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBm06-0004xK-Jd; Tue, 29 Nov 2016 17:15:26 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cBlzi-0004tv-VY; Tue, 29 Nov 2016 17:15:03 +0000 Received: from [193.109.254.147] by server-6.bemta-6.messagelabs.com id EB/DE-28843-697BD385; Tue, 29 Nov 2016 17:15:02 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHIsWRWlGSWpSXmKPExsXitHRDpO7U7bY RBpM+alvM3tjGbPF9y2Qmi3f7/jI7MHsc/nCFJYAxijUzLym/IoE148vay6wF/cwV9+48YWpg vMHUxcjJISHgL/F+Th8ziM0ioCqx6s96NhCbTUBZ4mdnL5gtIpAj0ThpMyuIzSygKHHq9gyge g4OYaCaG8fEQMK8AvoSby88ZIGwBSVOznzCAlGuI7Fg9yc2kHJmAWmJ5f84QMKiAioSVya8ZQ exhQQUJDqmH2OawMgzC0n3LCTdsxC6FzAyr2LUKE4tKkst0jWy0EsqykzPKMlNzMzRNTQw08t NLS5OTE/NSUwq1kvOz93ECAwlBiDYwXh+beAhRkkOJiVR3uluNhFCfEn5KZUZicUZ8UWlOanF hxhlODiUJHj5t9lGCAkWpaanVqRl5gCDGiYtwcGjJMLbvxUozVtckJhbnJkOkTrFaMzxZtfLB 0wc7za/e8AkxJKXn5cqJc5bDDJJAKQ0ozQPbhAs2i4xykoJ8zICnSbEU5BalJtZgir/ilGcg1 FJmHcSyBSezLwSuH2vgE5hAjrl7WtrkFNKEhFSUg2MMrcXB93WzfKwc9m6oMa6cNWRzLdKxZs sd1rrei1S5GQrfyCWyVfdfXvDD9/YL3NnnLl258P+ZV+ZN7xzVbD69vsSj8TJWxtvyHmxB/Co lD3STy9ImnuNNWGldpDXPnXJqw8mNuzWLit99Hvu+5Pc/F+39LbXTzY59N3qWnwo29X9X19ez Ml7pcRSnJFoqMVcVJwIAMh43OGxAgAA X-Env-Sender: prvs=134d4c8fe=wei.liu2@citrix.com X-Msg-Ref: server-12.tower-27.messagelabs.com!1480439700!73225420!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n,received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.0.16; banners=-,-,- X-VirusChecked: Checked Received: (qmail 13341 invoked from network); 29 Nov 2016 17:15:01 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-12.tower-27.messagelabs.com with RC4-SHA encrypted SMTP; 29 Nov 2016 17:15:01 -0000 X-IronPort-AV: E=Sophos;i="5.31,717,1473120000"; d="scan'208";a="391975303" Date: Tue, 29 Nov 2016 17:14:58 +0000 From: Wei Liu To: , , Message-ID: <20161129171458.GW11640@citrix.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-Mailman-Approved-At: Tue, 29 Nov 2016 17:15:25 +0000 Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8 RC7 X-BeenThere: xen-announce@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-announce-bounces@lists.xen.org Sender: "Xen-announce" SGkgYWxsCgpYZW4gNC44IFJDNyBpcyB0YWdnZWQuIFlvdSBjYW4gY2hlY2sgaXQgb3V0IGZyb20g eGVuLmdpdDoKCiAgZ2l0Oi8veGVuYml0cy54ZW4ub3JnL3hlbi5naXQgNC44LjAtcmM3CgpGb3Ig eW91IGNvbnZlbmllbmNlLCBwbGVhc2UgZmluZCB0YXJiYWxsIGFuZCBzaWduYXR1cmUgYXQ6Cgpo dHRwczovL2Rvd25sb2Fkcy54ZW5wcm9qZWN0Lm9yZy9yZWxlYXNlL3hlbi80LjguMC1yYzcvCgpQ bGVhc2Ugc2VuZCBidWcgcmVwb3J0cyBhbmQgdGVzdCByZXBvcnRzIHRvCnhlbi1kZXZlbEBsaXN0 cy54ZW5wcm9qZWN0Lm9yZy4gV2hlbiBzZW5kaW5nIHJlcG9ydHMsIHBsZWFzZSBDQyByZWxldmFu dAptYWludGFpbmVycyBhbmQgbWUgKHdlaS5saXUyQGNpdHJpeC5jb20pLgoKVGhhbmtzCldlaS4K Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fClhlbi1hbm5v dW5jZSBtYWlsaW5nIGxpc3QKWGVuLWFubm91bmNlQGxpc3RzLnhlbi5vcmcKaHR0cHM6Ly9saXN0 cy54ZW4ub3JnL3hlbi1hbm5vdW5jZQ==