From xen-announce-bounces@lists.xen.org Thu Dec 01 17:45:44 2016
From: Ian Jackson <ian.jackson@eu.citrix.com>
To: <xen-devel@lists.xenproject.org>, <xen-anounce@lists.xenproject.org>,
 <xen-users@lists.xenproject.org>
Date: Thu, 1 Dec 2016 12:44:18 -0500
Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8 RC8

Hi.

Xen 4.8.0 RC8 is tagged.  You can check it out from xen.git, where
there is a signed tag:

  git://xenbits.xen.org/xen.git 4.8.0-rc8

For your convenience, please find tarball and signature at:

  https://downloads.xenproject.org/release/xen/4.8.0-rc8/

Please send bug reports and test reports to
xen-devel@lists.xenproject.org. When sending reports, please CC
relevant maintainers and the Release Manager, wei.liu2@citrix.com

Enjoy!

Ian.

From xen-announce-bounces@lists.xen.org Tue Dec 06 12:13:27 2016
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cEEbF-0001Jx-UJ@xenbits.xenproject.org>
Date: Tue, 06 Dec 2016 12:11:57 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 199 (CVE-2016-9637) - qemu
 ioport array overflow

            Xen Security Advisory CVE-2016-9637 / XSA-199
                              version 3

                      qemu ioport array overflow

UPDATES IN VERSION 3
====================

Clarify the IMPACT description, by escalating privilege to that of the
qemu process, not necessarily the host.

Public release.

ISSUE DESCRIPTION
=================

The code in qemu which implements ioport read/write looks up the
specified ioport address in a dispatch table.  The argument to the
dispatch function is a uint32_t, and is used without a range check,
even though the table has entries for only 2^16 ioports.

When qemu is used as a standalone emulator, ioport accesses are
generated only from cpu instructions emulated by qemu, and are
therefore necessarily 16-bit, so there is no vulnerability.

When qemu is used as a device model within Xen, io requests are
generated by the hypervisor and read by qemu from a shared ring.  The
entries in this ring use a common structure, including a 64-bit
address field, for various accesses, including ioport addresses.

Xen will write only 16-bit address ioport accesses.  However,
depending on the Xen and qemu version, the ring may be writeable by
the guest.  If so, the guest can generate out-of-range ioport
accesses, resulting in wild pointer accesses within qemu.


IMPACT
======

A malicious guest administrator can escalate their privilege to that
of the qemu process.


VULNERABLE SYSTEMS
==================

PV guests cannot exploit the vulnerability.

ARM systems are not vulnerable.

HVM domains run with QEMU stub domains cannot exploit the
vulnerability.  (A QEMU stub domain is used if xl's domain
configuration file contains "device_model_stubdomain_override=1".)

Guests using the modern "qemu-xen" device model, with a qemu version
of at least 1.6.0 (for example, as provided by the Xen Project in its
Xen 4.4.0 and later releases), cannot exploit the vulnerability.

x86 HVM guests, not configured with qemu stub domains, using a version
of qemu older than qemu upstream 1.6.0, can exploit the vulnerability.

x86 HVM guests using the traditional "qemu-xen-traditional", not
configured with qemu stub domains, can therefore exploit the
vulnerability.

In tabular form:

  Guest      Xen       QEMU    QEMU "traditional"            Status
  type       version   stub      and/or qemu version

  ARM        any       n/a     n/a         any               OK
  x86 PV     any       n/a     n/a         any               OK

  x86 HVM    any       yes     qemu-xen-traditional          OK

  x86 HVM    any       no      qemu-xen*   >= 1.6.0          OK
  x86 HVM    >= 4.4    no      qemu-xen*   Xen supplied      OK

  x86 HVM    any       no      qemu-xen*   < 1.6.0           Vulnerable
  x86 HVM    <= 4.3    no      qemu-xen*   Xen supplied      Vulnerable

  x86 HVM    any       no      qemu-xen-traditional          Vulnerable

[*] qemu-xen is the default when qemu stub domains are not in
    use, since Xen 4.3.


MITIGATION
==========

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.
In a usual configuration, a service domain has only the privilege of
the guest, so this eliminates the vulnerability.

Running HVM guests with the default upstream device model, in Xen 4.4
and later, will also avoid this vulnerability.


CREDITS
=======

This issue was discovered by yanghongke@huawei.com of the Huawei
Security Test Team.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa199-trad.patch      qemu-xen-traditional, all versions

$ sha256sum xsa199*
35c6a7d0d51c2347b46a9acf22e034ca328ca62b0ce4ad868a94c190b2e14d36  xsa199-trad.patch
$


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However deployment of the mitigations described above is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because in all cases the configuration change may be visible
to the guest which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
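
The range check that ISSUE DESCRIPTION says is missing, as an added C example; it is not part of the advisory, not the attached patch and not qemu's code. The structure layout, function names, status codes and the demo device at port 0x3f8 are constructed for illustration, and the example goes slightly beyond the advisory by copying the ring entry into private memory before validating it.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_IOPORTS 0x10000u   /* the dispatch table has 2^16 entries */

/* Constructed stand-in for a shared-ring entry: one structure serves several
 * access kinds, so the address field is 64 bits wide even for ioports. */
struct io_request {
    uint64_t addr;
    uint32_t size;     /* access width in bytes */
    uint8_t  is_pio;   /* 1 = ioport access */
};

enum io_status { IO_OK = 0, IO_NOT_PIO = -1, IO_BAD_SIZE = -2,
                 IO_BAD_RANGE = -3, IO_NO_HANDLER = -4 };

typedef uint32_t (*ioport_read_fn)(uint32_t port);
static ioport_read_fn read_table[MAX_IOPORTS];

/* The value an unchecked dispatcher would index with: the 64-bit field
 * narrowed to uint32_t. Returned for inspection only, never used as an index. */
static uint32_t unchecked_index(uint64_t addr)
{
    return (uint32_t)addr;
}

/* Copy the entry out of shared memory exactly once. Every check and the
 * dispatch itself then use the private copy, so a writer on the other side
 * of the ring cannot change a field between the check and the use. */
static struct io_request snapshot(const volatile struct io_request *shared)
{
    struct io_request req;
    req.addr = shared->addr;
    req.size = shared->size;
    req.is_pio = shared->is_pio;
    return req;
}

static int ioport_read_checked(const volatile struct io_request *shared,
                               uint32_t *out)
{
    struct io_request req = snapshot(shared);

    if (!req.is_pio)
        return IO_NOT_PIO;
    if (req.size != 1 && req.size != 2 && req.size != 4)
        return IO_BAD_SIZE;
    /* Range check on the full 64-bit value, before any narrowing. A check
     * made after a cast to uint32_t would accept 0x1000003f8 as port 0x3f8. */
    if (req.addr >= MAX_IOPORTS)
        return IO_BAD_RANGE;

    ioport_read_fn fn = read_table[(uint16_t)req.addr];
    if (fn == NULL)
        return IO_NO_HANDLER;
    *out = fn((uint32_t)req.addr);
    return IO_OK;
}

/* Constructed demo device registered at one port. */
static uint32_t demo_dev_read(uint32_t port)
{
    (void)port;
    return 0x5a;
}

static uint32_t last_value;   /* value returned by the last successful read */

/* Build a request as it might appear in the ring and run it through the
 * checked dispatcher; returns the io_status. */
static int try_read(uint64_t addr, uint32_t size)
{
    struct io_request ring_slot = { .addr = addr, .size = size, .is_pio = 1 };

    read_table[0x3f8] = demo_dev_read;
    return ioport_read_checked(&ring_slot, &last_value);
}

int main(void)
{
    /* Constructed sample addresses: in range, just past the table, and two
     * values that only a writable ring could contain. */
    const uint64_t samples[] = { 0x3f8, 0x10000, 0xdeadbeefULL, 0x1000003f8ULL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int status = try_read(samples[i], 1);
        printf("addr=0x%llx unchecked_index=0x%x in_table=%s status=%d\n",
               (unsigned long long)samples[i],
               (unsigned)unchecked_index(samples[i]),
               unchecked_index(samples[i]) < MAX_IOPORTS ? "yes" : "no",
               status);
    }
    return 0;
}
```
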

From xen-announce-bounces@lists.xen.org Wed Dec 07 10:34:01 2016
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cEZWj-0004yO-QN@xenbits.xenproject.org>
Date: Wed, 07 Dec 2016 10:32:41 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 201 (CVE-2016-9815,
 CVE-2016-9816, CVE-2016-9817,
 CVE-2016-9818) - ARM guests may induce host asynchronous abort

 Xen Security Advisory CVE-2016-9815,CVE-2016-9816,CVE-2016-9817,CVE-2016-9818 / XSA-201
                              version 2

             ARM guests may induce host asynchronous abort

UPDATES IN VERSION 2
====================

CVEs assigned.

ISSUE DESCRIPTION
=================

Depending on how the hardware and firmware have been integrated,
guest-triggered asynchronous aborts (SError on ARMv8) may be received
by the hypervisor.  The current action is to crash the host.

A guest might trigger an asynchronous abort when accessing memory
mapped hardware in a non-conventional way.  Even if device
pass-through has not been configured, the hypervisor may give the
guest access to memory mapped hardware in order to take advantage of
hardware virtualization.

The CVEs are as follows:
 xsa201-1.patch     CVE-2016-9815
 xsa201-2.patch     CVE-2016-9816
 xsa201-3-*.patch   CVE-2016-9817
 xsa201-4.patch     CVE-2016-9818

IMPACT
======

A malicious guest may be able to crash the host.

VULNERABLE SYSTEMS
==================

All Xen versions which support ARM are potentially affected.

Whether a particular ARM system is affected depends on technical
details of the hardware and/or firmware.

x86 systems are not affected.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
the guest administrator, running only kernels which do not expose MMIO to
userspace will prevent untrusted guest users from exploiting this issue.
However, untrusted guest administrators can still trigger it unless
further steps are taken to prevent them from loading code into the
kernel (e.g. by disabling loadable modules etc.) or from using other
mechanisms which allow them to run code at kernel privilege.

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly (and has been fixed already in KVM in
public trees).

CREDITS
=======

This issue was discovered by ARM engineering personnel.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa201-[1234].patch       Xen-unstable

xsa201-[12].patch         }
xsa201-3-4.7.patch        } Xen 4.7.x, Xen 4.6.x
xsa201-4.patch            }

$ sha256sum xsa201*
163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda  xsa201-1.patch
0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
4045e046473f069c51e5fd579f63563862aa497d945b183c768481ef11885744  xsa201-3.patch
a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76  xsa201-3-4.7.patch
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa201-1.patch"
Content-Disposition: attachment; filename="xsa201-1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa201-2.patch"
Content-Disposition: attachment; filename="xsa201-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa201-3.patch"
Content-Disposition: attachment; filename="xsa201-3.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa201-3-4.7.patch"
Content-Disposition: attachment; filename="xsa201-3-4.7.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa201-4.patch"
Content-Disposition: attachment; filename="xsa201-4.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
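
Added example, not part of the advisory or of the Xen project's tooling: a shell helper that picks the XSA-201 patch set the RESOLUTION section lists for a given Xen branch and checks each file against the advisory's SHA-256 values before it is applied. The patch file names and checksums are copied from the advisory above; the function names and the branch keywords ("unstable", "4.7", "4.6") are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify XSA-201 patches before applying them.
# Names and hashes come from the advisory; everything else is hypothetical.

# Checksums exactly as published in the advisory's "sha256sum xsa201*" listing.
xsa201_manifest() {
    cat <<'EOF'
163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda  xsa201-1.patch
0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
4045e046473f069c51e5fd579f63563862aa497d945b183c768481ef11885744  xsa201-3.patch
a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76  xsa201-3-4.7.patch
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
EOF
}

# Print the patch files for a branch, in application order.
# Returns 2 for a branch the advisory does not list.
xsa201_patchset() {
    case "$1" in
        unstable)
            echo "xsa201-1.patch xsa201-2.patch xsa201-3.patch xsa201-4.patch" ;;
        4.7|4.7.*|4.6|4.6.*)
            echo "xsa201-1.patch xsa201-2.patch xsa201-3-4.7.patch xsa201-4.patch" ;;
        *)
            return 2 ;;
    esac
}

# Print the SHA-256 of one file (sha256sum, or shasum where that is absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# Check every patch needed for BRANCH inside DIR.
# Returns 0 if all match, 1 if any file is missing or altered, 2 on bad branch.
xsa201_verify() {
    dir=$1
    branch=$2
    files=$(xsa201_patchset "$branch") || {
        echo "unknown branch: $branch" >&2
        return 2
    }
    rc=0
    for f in $files; do
        want=$(xsa201_manifest | awk -v f="$f" '$2 == f { print $1 }')
        if [ ! -f "$dir/$f" ]; then
            printf '%-8s %s\n' MISSING "$f"
            rc=1
            continue
        fi
        got=$(sha256_of "$dir/$f")
        if [ "$got" = "$want" ]; then
            printf '%-8s %s\n' OK "$f"
        else
            printf '%-8s %s\n' MISMATCH "$f"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh xsa201-verify.sh <patch-dir> <unstable|4.7|4.6>
if [ "$#" -eq 2 ]; then
    xsa201_verify "$1" "$2"
fi
```

A non-zero exit status means at least one patch must not be applied until a copy matching the advisory's checksum has been obtained.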


From xen-announce-bounces@lists.xen.org Wed Dec 07 15:08:06 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 07 Dec 2016 15:08:06 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cEdoL-0003cZ-C3; Wed, 07 Dec 2016 15:07:09 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <prvs=142852ecb=wei.liu2@citrix.com>)
 id 1cEdn5-0003XN-S4; Wed, 07 Dec 2016 15:05:51 +0000
Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id
 CD/DA-01948-F4528485; Wed, 07 Dec 2016 15:05:51 +0000
X-Env-Sender: prvs=142852ecb=wei.liu2@citrix.com
X-Msg-Ref: server-12.tower-206.messagelabs.com!1481123145!37929659!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
 VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,received_headers: No 
 Received headers
X-StarScan-Received: 
X-StarScan-Version: 9.0.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 56754 invoked from network); 7 Dec 2016 15:05:47 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
 by server-12.tower-206.messagelabs.com with RC4-SHA encrypted SMTP;
 7 Dec 2016 15:05:47 -0000
X-IronPort-AV: E=Sophos;i="5.33,310,1477958400"; d="scan'208";a="402318851"
Date: Wed, 7 Dec 2016 15:03:59 +0000
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-announce@lists.xenproject.org>, <xen-users@lists.xenproject.org>
Message-ID: <20161207150359.GI28069@citrix.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Mailman-Approved-At: Wed, 07 Dec 2016 15:07:07 +0000
Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8.0 is released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>


From xen-announce-bounces@lists.xen.org Wed Dec 07 15:08:06 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 07 Dec 2016 15:08:06 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cEdoL-0003cZ-C3; Wed, 07 Dec 2016 15:07:09 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <prvs=142852ecb=wei.liu2@citrix.com>)
 id 1cEdn5-0003XN-S4; Wed, 07 Dec 2016 15:05:51 +0000
Received: from [85.158.139.211] by server-3.bemta-5.messagelabs.com id
 CD/DA-01948-F4528485; Wed, 07 Dec 2016 15:05:51 +0000
X-Env-Sender: prvs=142852ecb=wei.liu2@citrix.com
X-Msg-Ref: server-12.tower-206.messagelabs.com!1481123145!37929659!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
 VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,received_headers: No 
 Received headers
X-StarScan-Received: 
X-StarScan-Version: 9.0.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 56754 invoked from network); 7 Dec 2016 15:05:47 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
 by server-12.tower-206.messagelabs.com with RC4-SHA encrypted SMTP;
 7 Dec 2016 15:05:47 -0000
X-IronPort-AV: E=Sophos;i="5.33,310,1477958400"; d="scan'208";a="402318851"
Date: Wed, 7 Dec 2016 15:03:59 +0000
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-announce@lists.xenproject.org>, <xen-users@lists.xenproject.org>
Message-ID: <20161207150359.GI28069@citrix.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Mailman-Approved-At: Wed, 07 Dec 2016 15:07:07 +0000
Subject: [Xen-announce] [ANNOUNCEMENT] Xen 4.8.0 is released
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

From xen-announce-bounces@lists.xen.org Tue Dec 13 13:09:27 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 13 Dec 2016 13:09:27 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cGmog-0007OV-FR; Tue, 13 Dec 2016 13:08:22 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cGmoe-0007O1-He; Tue, 13 Dec 2016 13:08:20 +0000
Received: from [193.109.254.147] by server-5.bemta-6.messagelabs.com id
 A0/0D-11476-4C2FF485; Tue, 13 Dec 2016 13:08:20 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-9.tower-27.messagelabs.com!1481634498!77229026!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4782 invoked from network); 13 Dec 2016 13:08:19 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-9.tower-27.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 13 Dec 2016 13:08:19 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cGmoP-0003xt-Mt; Tue, 13 Dec 2016 13:08:05 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cGmoP-00020v-Lw; Tue, 13 Dec 2016 13:08:05 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cGmoP-00020v-Lw@xenbits.xenproject.org>
Date: Tue, 13 Dec 2016 13:08:05 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 200 (CVE-2016-9932) - x86
 CMPXCHG8B emulation fails to ignore operand size override
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-9932 / XSA-200
                              version 3

     x86 CMPXCHG8B emulation fails to ignore operand size override

UPDATES IN VERSION 3
====================

CVE assigned.

Public release.

ISSUE DESCRIPTION
=================

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
size overrides; it only honors the REX.W override (making it
CMPXCHG16B).  So, the operand size is always 8 or 16.

When support for CMPXCHG16B emulation was added to the instruction
emulator, this restriction on the set of possible operand sizes was
relied on in some parts of the emulation; but a wrong, fully general,
operand size value was used for other parts of the emulation.

As a result, if a guest uses a supposedly-ignored operand size prefix,
a small amount of hypervisor stack data is leaked to the guests: a 96
bit leak to guests running in 64-bit mode; or, a 32 bit leak to other
guests.

IMPACT
======

A malicious unprivileged guest may be able to obtain sensitive
information from the host.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 through 4.7 are affected.  Xen master and Xen 4.8 as
well as Xen versions 3.2 and earlier are not affected.

Only x86 systems are affected.  ARM systems are not affected.

On Xen 4.6 and earlier the vulnerability is exposed to all HVM guest
user processes, including unprivileged processes.

On Xen 4.7, the vulnerability is exposed only to HVM guest user
processes granted a degree of privilege (such as direct hardware
access) by the guest administrator; or, to all user processes when the
VM has been explicitly configured with a non-default cpu vendor string
(in xm/xl, this would be done with a `cpuid=' domain config option).

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa200-4.7.patch       Xen 4.7.x
xsa200-4.6.patch       Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa200*
820e95e87b838de5eb4158a55c81cf205428f0ed17009dc8d45b2392cf9a0885  xsa200-4.6.patch
d7113b94f6ef1c2849aedfe33eace85b0713fa83639c8a533fb289aa73e818e8  xsa200-4.7.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYT/KgAAoJEIP+FMlX6CvZR6QH/0eEM2+9ixdfFAiyhFzn0TTq
mLgbKs4L0ALfPD2JVhkiLlB/thJ7RKXfPAsYVBQhNY+xb58OLykH4Clh0NuOY45W
wkWxHeunHAfsNo3FIaISr/uG/5fAnarPsfF+bNYpyWCuWLz4Ml+uuflnfL60PmoP
OGSPLEPKZ56r9lyaIALFVfkXgHkaquM/WXi+FdG23aArbT43cVHeGou8dUNbH/Jd
FpKdO3AhMT9i+ioPeicSIimxLOEBZnrCaB/7qOAzu7q3nlQ8X/1Q8a8TjjOtYtQA
/kOkvpexkQuRA98AI6018ajqU/D5VdFW+I2X0kmbTAxj1SyT12X25f9Wsc0PbdE=
=ERcI
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa200-4.6.patch"
Content-Disposition: attachment; filename="xsa200-4.6.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa200-4.7.patch"
Content-Disposition: attachment; filename="xsa200-4.7.patch"
Content-Transfer-Encoding: base64
--=separator--
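
The size mismatch described in XSA-200 above, as an added model that is not part of the advisory or of Xen's source: one part of the emulation derives the memory operand size from the general operand size, another trusts that it is 8 or 16. The struct, function names, buffer layout and the doubling of the general size are assumptions of this example, chosen so that the model reproduces the 96-bit and 32-bit figures the advisory states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for leftover stack bytes */

struct insn {          /* hypothetical decoded-prefix record */
    int long_mode;     /* guest is executing in 64-bit mode */
    int rex_w;         /* REX.W present (CMPXCHG16B) */
    int opsize_66;     /* legacy operand size override present */
};

/* Operand size as decoded for an ordinary instruction: 2, 4 or 8. */
static unsigned general_op_bytes(const struct insn *i)
{
    if (i->long_mode && i->rex_w)
        return 8;
    return i->opsize_66 ? 2 : 4;
}

/* Flawed: memory operand size derived from the fully general value. */
static unsigned flawed_mem_bytes(const struct insn *i)
{
    return 2 * general_op_bytes(i);
}

/* Corrected: the legacy override is ignored, only REX.W selects 16. */
static unsigned fixed_mem_bytes(const struct insn *i)
{
    return (i->long_mode && i->rex_w) ? 16 : 8;
}

typedef unsigned (*size_fn)(const struct insn *);

/*
 * Model of the "comparison failed" path: the current memory value is read
 * into a local buffer and handed back to the guest in rDX:rAX.
 * Returns how many bits of never-initialised buffer become guest-visible.
 */
static unsigned leaked_bits(const struct insn *i, size_fn mem_bytes)
{
    static const uint8_t guest_mem[16] = {0}; /* constructed guest operand */
    uint8_t old[16];
    unsigned n = mem_bytes(i);
    unsigned half_bytes, visible, half, b, stale = 0;

    memset(old, STALE, sizeof(old)); /* stand-in for uninitialised locals */
    memcpy(old, guest_mem, n);       /* only n bytes are actually read */

    /* This part trusts "size is 8 or 16": anything that is not 8 is
     * handled as 16, i.e. as two 64-bit halves. */
    half_bytes = (n == 8) ? 4 : 8;
    /* Outside 64-bit mode the guest observes only the low 32 bits of
     * each register. */
    visible = i->long_mode ? half_bytes : 4;

    for (half = 0; half < 2; half++)
        for (b = 0; b < visible; b++)
            if (old[half * half_bytes + b] == STALE)
                stale++;
    return stale * 8;
}

int main(void)
{
    static const struct { const char *name; struct insn i; } cases[] = {
        { "64-bit guest, 0x66 prefix", { 1, 0, 1 } },
        { "other guest,  0x66 prefix", { 0, 0, 1 } },
        { "64-bit guest, REX.W      ", { 1, 1, 0 } },
        { "other guest,  no prefix  ", { 0, 0, 0 } },
    };
    unsigned k;

    for (k = 0; k < sizeof(cases) / sizeof(cases[0]); k++)
        printf("%s  flawed: %3u bits  fixed: %u bits\n", cases[k].name,
               leaked_bits(&cases[k].i, flawed_mem_bytes),
               leaked_bits(&cases[k].i, fixed_mem_bytes));
    return 0;
}
```

The same check applies when reviewing any emulator path: every consumer of a size value has to agree on the set of values it can take, or buffers must be zeroed before partial reads.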


From xen-announce-bounces@lists.xen.org Mon Dec 19 15:39:22 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 19 Dec 2016 15:39:22 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJ011-0005uR-AI; Mon, 19 Dec 2016 15:38:15 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ010-0005uF-6y; Mon, 19 Dec 2016 15:38:14 +0000
Received: from [85.158.139.211] by server-15.bemta-5.messagelabs.com id
 D9/A0-06501-5EEF7585; Mon, 19 Dec 2016 15:38:13 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-206.messagelabs.com!1482161887!62261763!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27179 invoked from network); 19 Dec 2016 15:38:08 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-15.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 19 Dec 2016 15:38:08 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ00d-00030I-Ru; Mon, 19 Dec 2016 15:37:51 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ00d-0004mG-QD; Mon, 19 Dec 2016 15:37:51 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJ00d-0004mG-QD@xenbits.xenproject.org>
Date: Mon, 19 Dec 2016 15:37:51 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 204 - x86: Mishandling of
 SYSCALL singlestep during emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-204

        x86: Mishandling of SYSCALL singlestep during emulation

ISSUE DESCRIPTION
=================

The typical behaviour of singlestepping exceptions is determined at the
start of the instruction, with a #DB trap being raised at the end of the
instruction.

SYSCALL (and SYSRET, although we don't implement it) behave differently
because the typical behaviour allows userspace to escalate its
privilege.  (This difference in behaviour seems to be undocumented.)

Xen wrongly raised the exception based on the flags at the start of
the instruction.

IMPACT
======

Guest userspace which can invoke the instruction emulator can use this
flaw to escalate its privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

The vulnerability is only exposed to 64-bit x86 HVM guests.

On Xen 4.6 and earlier the vulnerability is exposed to all guest user
processes, including unprivileged processes, in such guests.

On Xen 4.7 and later, the vulnerability is exposed only to guest user
processes granted a degree of privilege (such as direct hardware access)
by the guest administrator; or, to all user processes when the VM has
been explicitly configured with a non-default cpu vendor string (in
xm/xl, this would be done with a `cpuid=' domain config option).

A 64-bit guest kernel which uses an IST for #DB handling will most likely
mitigate the issue, but will have a single unexpected #DB exception
frame to deal with.  This in practice means that Linux is not
vulnerable.

The vulnerability is not exposed to 32-bit HVM guests.  This is because
the emulation bug also matches real hardware behaviour, and a 32-bit
guest kernel using SYSCALL will already have to be using a Task Gate for
handling #DB to avoid being susceptible to an escalation of privilege.

The vulnerability is not exposed to PV guests.

ARM systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa204.patch           xen-unstable
xsa204-4.8.patch       Xen 4.8.x
xsa204-4.7.patch       Xen 4.7.x, Xen 4.6.x
xsa204-4.5.patch       Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa204*
251c33905f86d386cc07240041108ec0664e5e9dddb2b88685d9b4b8ca7fdc24  xsa204.patch
e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b  xsa204-4.5.patch
d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2  xsa204-4.7.patch
fa2a69682868104b6263655abbfc6b326f76deebdac3273b4b65da6673f5d977  xsa204-4.8.patch
$

NOTE REGARDING EMBARGO
======================

This issue was discussed publicly on qemu-devel before its impact was
realised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYV/5uAAoJEIP+FMlX6CvZnxgIAMXcpEN0qejTe50dAP/gSzzP
edi76o/LNGaQBdFRVLvIasRna2TZSXhBNbHPEcAQLPq6pTfQG/HiqdVtftaaaoaG
dvNhuDBdZaa1/fmhCV1P+t9vaipp3U3yK2s0eiSJLXp3nGqkgjSSmZloYY0bevDN
DJ0uZ7uWkvyN6Tkl6R/h3h9PsgIKPIQBIyBuT2zYPf/JAjBD27ZYX11F9JvVMmt3
JH/AbvJwUsaqNG3teLg+tioQPwHwkZCdxOhG+v2Y3CeqQ1bvNCb5emLtpXFO9h0w
kZNh88gT1mwbxDWbF3Ek/OhHbOHosfxi9kn8ib5Yu0P8xRmvYhQHMeQDa/rt9Y0=
=OVcU
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa204.patch"
Content-Disposition: attachment; filename="xsa204.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa204-4.5.patch"
Content-Disposition: attachment; filename="xsa204-4.5.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa204-4.7.patch"
Content-Disposition: attachment; filename="xsa204-4.7.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.8.patch"
Content-Disposition: attachment; filename="xsa204-4.8.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xen.org Mon Dec 19 15:39:22 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 19 Dec 2016 15:39:22 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJ011-0005uR-AI; Mon, 19 Dec 2016 15:38:15 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ010-0005uF-6y; Mon, 19 Dec 2016 15:38:14 +0000
Received: from [85.158.139.211] by server-15.bemta-5.messagelabs.com id
 D9/A0-06501-5EEF7585; Mon, 19 Dec 2016 15:38:13 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-206.messagelabs.com!1482161887!62261763!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27179 invoked from network); 19 Dec 2016 15:38:08 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-15.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 19 Dec 2016 15:38:08 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ00d-00030I-Ru; Mon, 19 Dec 2016 15:37:51 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ00d-0004mG-QD; Mon, 19 Dec 2016 15:37:51 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJ00d-0004mG-QD@xenbits.xenproject.org>
Date: Mon, 19 Dec 2016 15:37:51 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 204 - x86: Mishandling of
 SYSCALL singlestep during emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-204

        x86: Mishandling of SYSCALL singlestep during emulation

ISSUE DESCRIPTION
=================

The typical behaviour of singlestepping exceptions is determined at the
start of the instruction, with a #DB trap being raised at the end of the
instruction.

SYSCALL (and SYSRET, although we don't implement it) behave differently
because the typical behaviour allows userspace to escalate its
privilege.  (This difference in behaviour seems to be undocumented.)

Xen wrongly raised the exception based on the flags at the start of
the instruction.

IMPACT
======

Guest userspace which can invoke the instruction emulator can use this
flaw to escalate its privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

The vulnerability is only exposed to 64-bit x86 HVM guests.

On Xen 4.6 and earlier the vulnerability is exposed to all guest user
processes, including unprivileged processes, in such guests.

On Xen 4.7 and later, the vulnerability is exposed only to guest user
processes granted a degree of privilege (such as direct hardware access)
by the guest administrator; or, to all user processes when the VM has
been explicitly configured with a non-default cpu vendor string (in
xm/xl, this would be done with a `cpuid=' domain config option).

A 64-bit guest kernel which uses an IST for #DB handling will most likely
mitigate the issue, but will have a single unexpected #DB exception
frame to deal with.  This in practice means that Linux is not
vulnerable.

The vulnerability is not exposed to 32-bit HVM guests.  This is because
the emulation bug also matches real hardware behaviour, and a 32-bit
guest kernel using SYSCALL will already have to be using a Task Gate for
handling #DB to avoid being susceptible to an escalation of privilege.

The vulnerability is not exposed to PV guests.

ARM systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa204.patch           xen-unstable
xsa204-4.8.patch       Xen 4.8.x
xsa204-4.7.patch       Xen 4.7.x, Xen 4.6.x
xsa204-4.5.patch       Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa204*
251c33905f86d386cc07240041108ec0664e5e9dddb2b88685d9b4b8ca7fdc24  xsa204.patch
e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b  xsa204-4.5.patch
d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2  xsa204-4.7.patch
fa2a69682868104b6263655abbfc6b326f76deebdac3273b4b65da6673f5d977  xsa204-4.8.patch
$

NOTE REGARDING EMBARGO
======================

This issue was discussed publicly on qemu-devel before its impact was
realised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa204.patch"
Content-Disposition: attachment; filename="xsa204.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa204-4.5.patch"
Content-Disposition: attachment; filename="xsa204-4.5.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.7.patch"
Content-Disposition: attachment; filename="xsa204-4.7.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.8.patch"
Content-Disposition: attachment; filename="xsa204-4.8.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xen.org Mon Dec 19 17:06:08 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 19 Dec 2016 17:06:08 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJ1N2-0006BE-20; Mon, 19 Dec 2016 17:05:04 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ1N0-0006Av-E6; Mon, 19 Dec 2016 17:05:02 +0000
Received: from [85.158.139.211] by server-7.bemta-5.messagelabs.com id
 93/A9-29113-D3318585; Mon, 19 Dec 2016 17:05:01 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-206.messagelabs.com!1482167095!72618762!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 57212 invoked from network); 19 Dec 2016 17:04:56 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-3.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 19 Dec 2016 17:04:56 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ1Mm-0005yA-39; Mon, 19 Dec 2016 17:04:48 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ1Ml-0004sP-Vs; Mon, 19 Dec 2016 17:04:47 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJ1Ml-0004sP-Vs@xenbits.xenproject.org>
Date: Mon, 19 Dec 2016 17:04:47 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 204 (CVE-2016-10013) - x86:
 Mishandling of SYSCALL singlestep during emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-10013 / XSA-204
                              version 2

        x86: Mishandling of SYSCALL singlestep during emulation

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The typical behaviour of singlestepping exceptions is determined at the
start of the instruction, with a #DB trap being raised at the end of the
instruction.

SYSCALL (and SYSRET, although we don't implement it) behave differently
because the typical behaviour allows userspace to escalate its
privilege.  (This difference in behaviour seems to be undocumented.)

Xen wrongly raised the exception based on the flags at the start of
the instruction.

IMPACT
======

Guest userspace which can invoke the instruction emulator can use this
flaw to escalate its privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

The vulnerability is only exposed to 64-bit x86 HVM guests.

On Xen 4.6 and earlier the vulnerability is exposed to all guest user
processes, including unprivileged processes, in such guests.

On Xen 4.7 and later, the vulnerability is exposed only to guest user
processes granted a degree of privilege (such as direct hardware access)
by the guest administrator; or, to all user processes when the VM has
been explicitly configured with a non-default cpu vendor string (in
xm/xl, this would be done with a `cpuid=' domain config option).

A 64-bit guest kernel which uses an IST for #DB handling will most likely
mitigate the issue, but will have a single unexpected #DB exception
frame to deal with.  This in practice means that Linux is not
vulnerable.

The vulnerability is not exposed to 32-bit HVM guests.  This is because
the emulation bug also matches real hardware behaviour, and a 32-bit
guest kernel using SYSCALL will already have to be using a Task Gate for
handling #DB to avoid being susceptible to an escalation of privilege.

The vulnerability is not exposed to PV guests.

ARM systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa204.patch           xen-unstable
xsa204-4.8.patch       Xen 4.8.x
xsa204-4.7.patch       Xen 4.7.x, Xen 4.6.x
xsa204-4.5.patch       Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa204*
251c33905f86d386cc07240041108ec0664e5e9dddb2b88685d9b4b8ca7fdc24  xsa204.patch
e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b  xsa204-4.5.patch
d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2  xsa204-4.7.patch
fa2a69682868104b6263655abbfc6b326f76deebdac3273b4b65da6673f5d977  xsa204-4.8.patch
$

NOTE REGARDING EMBARGO
======================

This issue was discussed publicly on qemu-devel before its impact was
realised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa204.patch"
Content-Disposition: attachment; filename="xsa204.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.5.patch"
Content-Disposition: attachment; filename="xsa204-4.5.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa204-4.7.patch"
Content-Disposition: attachment; filename="xsa204-4.7.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.8.patch"
Content-Disposition: attachment; filename="xsa204-4.8.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
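
The single-step decision described under ISSUE DESCRIPTION in both versions of the advisory above, as a simplified C model added here for illustration. It is not Xen's emulator code and is not taken from the attached patches. The struct, the function names and the `corrected` switch are hypothetical; the only hardware behaviour assumed is that 64-bit SYSCALL saves RFLAGS in R11, clears the flag bits selected by the SYSCALL flag-mask MSR and enters CPL 0.

```c
/* Added illustration: a simplified model, not Xen's x86_emulate() code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_TF (UINT64_C(1) << 8)   /* RFLAGS.TF, the single-step trap flag */

enum insn_kind { INSN_ORDINARY, INSN_SYSCALL };

/* Only the state that matters for the single-step decision (assumed layout). */
struct vcpu_model {
    uint64_t rflags;
    uint64_t r11;      /* SYSCALL saves the caller's RFLAGS here */
    uint64_t sfmask;   /* SYSCALL flag-mask MSR (IA32_FMASK / SFMASK) */
    unsigned int cpl;  /* current privilege level: 3 = user, 0 = kernel */
};

struct retire_result {
    bool raise_db;     /* inject a single-step #DB after this instruction? */
    unsigned int cpl;  /* privilege level at which the #DB would be delivered */
};

/* 64-bit SYSCALL reduced to its flag and privilege effects. */
static void do_syscall(struct vcpu_model *v)
{
    v->r11 = v->rflags;
    v->rflags &= ~v->sfmask;   /* the guest kernel's requested flag masking */
    v->cpl = 0;
}

/*
 * Emulate one instruction and decide whether a single-step #DB follows it.
 * new_flags is the RFLAGS value an ordinary instruction leaves behind and is
 * ignored for SYSCALL. corrected == false models the behaviour the advisory
 * calls wrong (decision taken from the flags at instruction start);
 * corrected == true re-evaluates TF after SYSCALL has applied the mask.
 */
static struct retire_result emulate_one(struct vcpu_model *v,
                                        enum insn_kind kind,
                                        uint64_t new_flags, bool corrected)
{
    /* Typical rule: TF is sampled at the start of the instruction. */
    bool singlestep = (v->rflags & FLAG_TF) != 0;

    if (kind == INSN_SYSCALL) {
        do_syscall(v);
        if (corrected)
            singlestep = (v->rflags & FLAG_TF) != 0;
    } else {
        v->rflags = new_flags;
    }

    return (struct retire_result){ .raise_db = singlestep, .cpl = v->cpl };
}

/* Run one constructed scenario starting from user mode (CPL 3). */
static struct retire_result run_case(uint64_t start_flags, uint64_t sfmask,
                                     enum insn_kind kind, uint64_t new_flags,
                                     bool corrected)
{
    struct vcpu_model v = { .rflags = start_flags, .sfmask = sfmask, .cpl = 3 };
    return emulate_one(&v, kind, new_flags, corrected);
}

int main(void)
{
    /* Constructed input: TF set by user code, kernel masks TF on SYSCALL. */
    struct retire_result wrong = run_case(FLAG_TF, FLAG_TF, INSN_SYSCALL, 0, false);
    struct retire_result fixed = run_case(FLAG_TF, FLAG_TF, INSN_SYSCALL, 0, true);

    printf("start-of-instruction flags: #DB=%d at CPL %u\n",
           wrong.raise_db, wrong.cpl);
    printf("resulting flags:            #DB=%d at CPL %u\n",
           fixed.raise_db, fixed.cpl);
    return 0;
}
```

When the mask does not include TF, both variants raise the #DB, which corresponds to the advisory's remark that a 32-bit guest kernel cannot rely on masking and must already handle #DB through a Task Gate.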


From xen-announce-bounces@lists.xen.org Mon Dec 19 17:06:08 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 19 Dec 2016 17:06:08 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJ1N2-0006BE-20; Mon, 19 Dec 2016 17:05:04 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ1N0-0006Av-E6; Mon, 19 Dec 2016 17:05:02 +0000
Received: from [85.158.139.211] by server-7.bemta-5.messagelabs.com id
 93/A9-29113-D3318585; Mon, 19 Dec 2016 17:05:01 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-206.messagelabs.com!1482167095!72618762!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 57212 invoked from network); 19 Dec 2016 17:04:56 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-3.tower-206.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 19 Dec 2016 17:04:56 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ1Mm-0005yA-39; Mon, 19 Dec 2016 17:04:48 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJ1Ml-0004sP-Vs; Mon, 19 Dec 2016 17:04:47 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJ1Ml-0004sP-Vs@xenbits.xenproject.org>
Date: Mon, 19 Dec 2016 17:04:47 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 204 (CVE-2016-10013) - x86:
 Mishandling of SYSCALL singlestep during emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-10013 / XSA-204
                              version 2

        x86: Mishandling of SYSCALL singlestep during emulation

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The typical behaviour of singlestepping exceptions is determined at the
start of the instruction, with a #DB trap being raised at the end of the
instruction.

SYSCALL (and SYSRET, although we don't implement it) behave differently
because the typical behaviour allows userspace to escalate its
privilege.  (This difference in behaviour seems to be undocumented.)

Xen wrongly raised the exception based on the flags at the start of
the instruction.

IMPACT
======

Guest userspace which can invoke the instruction emulator can use this
flaw to escalate its privilege to that of the guest kernel.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

The vulnerability is only exposed to 64-bit x86 HVM guests.

On Xen 4.6 and earlier the vulnerability is exposed to all guest user
processes, including unprivileged processes, in such guests.

On Xen 4.7 and later, the vulnerability is exposed only to guest user
processes granted a degree of privilege (such as direct hardware access)
by the guest administrator; or, to all user processes when the VM has
been explicitly configured with a non-default cpu vendor string (in
xm/xl, this would be done with a `cpuid=' domain config option).

A 64-bit guest kernel which uses an IST for #DB handling will most likely
mitigate the issue, but will have a single unexpected #DB exception
frame to deal with.  This in practice means that Linux is not
vulnerable.

The vulnerability is not exposed to 32-bit HVM guests.  This is because
the emulation bug also matches real hardware behaviour, and a 32-bit
guest kernel using SYSCALL will already have to be using a Task Gate for
handling #DB to avoid being susceptible to an escalation of privilege.

The vulnerability is not exposed to PV guests.

ARM systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa204.patch           xen-unstable
xsa204-4.8.patch       Xen 4.8.x
xsa204-4.7.patch       Xen 4.7.x, Xen 4.6.x
xsa204-4.5.patch       Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa204*
251c33905f86d386cc07240041108ec0664e5e9dddb2b88685d9b4b8ca7fdc24  xsa204.patch
e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b  xsa204-4.5.patch
d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2  xsa204-4.7.patch
fa2a69682868104b6263655abbfc6b326f76deebdac3273b4b65da6673f5d977  xsa204-4.8.patch
$

NOTE REGARDING EMBARGO
======================

This issue was discussed publicly on qemu-devel before its impact was
realised.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa204.patch"
Content-Disposition: attachment; filename="xsa204.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.5.patch"
Content-Disposition: attachment; filename="xsa204-4.5.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.7.patch"
Content-Disposition: attachment; filename="xsa204-4.7.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa204-4.8.patch"
Content-Disposition: attachment; filename="xsa204-4.8.patch"
Content-Transfer-Encoding: base64

--=separator--


From xen-announce-bounces@lists.xen.org Wed Dec 21 12:02:40 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 21 Dec 2016 12:02:40 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJfaf-0003Y4-2J; Wed, 21 Dec 2016 12:01:49 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfad-0003XQ-Bf; Wed, 21 Dec 2016 12:01:47 +0000
Received: from [193.109.254.147] by server-9.bemta-6.messagelabs.com id
 B1/F4-27165-A2F6A585; Wed, 21 Dec 2016 12:01:46 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-27.messagelabs.com!1482321704!73028595!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 46055 invoked from network); 21 Dec 2016 12:01:45 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-5.tower-27.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 21 Dec 2016 12:01:45 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaM-0007HK-GS; Wed, 21 Dec 2016 12:01:30 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaM-0003vY-CB; Wed, 21 Dec 2016 12:01:30 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJfaM-0003vY-CB@xenbits.xenproject.org>
Date: Wed, 21 Dec 2016 12:01:30 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 202 (CVE-2016-10024) - x86 PV
 guests may be able to mask interrupts
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-10024 / XSA-202
                               version 3

             x86 PV guests may be able to mask interrupts

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Certain PV guest kernel operations (page table writes in particular)
need emulation, and use Xen's general x86 instruction emulator.  This
allows a malicious guest kernel which asynchronously modifies its
instruction stream to effect the clearing of EFLAGS.IF from the state
used to return to guest context.

IMPACT
======

A malicious guest kernel administrator can cause a host hang or
crash, resulting in a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 PV guests can exploit the vulnerability.

Neither ARM guests nor x86 HVM guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid the vulnerability.

For PV guests the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa202.patch           xen-unstable, Xen 4.8.x, Xen 4.7.x
xsa202-4.6.patch       Xen 4.6.x, Xen 4.5.x
xsa202-4.4.patch       Xen 4.4.x

$ sha256sum xsa202*
057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb  xsa202.patch
cd53dc8b761dc7eb60998ea2419c98af926aa62b4317dbef15f597f5554f9015  xsa202-4.4.patch
e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4  xsa202-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa202.patch"
Content-Disposition: attachment; filename="xsa202.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa202-4.4.patch"
Content-Disposition: attachment; filename="xsa202-4.4.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa202-4.6.patch"
Content-Disposition: attachment; filename="xsa202-4.6.patch"
Content-Transfer-Encoding: base64

--=separator--
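
The XSA-202 advisory above describes emulation that ends with EFLAGS.IF cleared in the state used to return to guest context. The C model below is an added example, not code from the advisory or from Xen: it shows one defensive layering in which emulator write-back may change only a whitelist of status bits and the exit path normalises the saved flags regardless. The function names, the writable mask and the sample values are assumptions; the bit positions are the architectural x86 ones.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural x86 EFLAGS/RFLAGS bits. */
#define FL_CF   0x00000001u
#define FL_PF   0x00000004u
#define FL_AF   0x00000010u
#define FL_ZF   0x00000040u
#define FL_SF   0x00000080u
#define FL_IF   0x00000200u
#define FL_DF   0x00000400u
#define FL_OF   0x00000800u
#define FL_IOPL 0x00003000u
#define FL_NT   0x00004000u
#define FL_VM   0x00020000u

/* Assumption for this model: an emulated instruction may only change the
 * arithmetic status flags and DF in the guest's saved flags. */
#define FL_EMUL_WRITABLE (FL_CF | FL_PF | FL_AF | FL_ZF | FL_SF | FL_DF | FL_OF)

/* Bits that must be zero, in this model, when returning to a PV guest. */
#define FL_EXIT_MUST_CLEAR (FL_IOPL | FL_NT | FL_VM)

/* Layer 1: accept only whitelisted bits from the emulator's result and keep
 * every other bit (IF included) from the pre-emulation state. */
uint64_t merge_emulated_flags(uint64_t before, uint64_t emulated)
{
    return (before & ~(uint64_t)FL_EMUL_WRITABLE) |
           (emulated & FL_EMUL_WRITABLE);
}

/* Layer 2: exit-path normalisation. Whatever earlier code did to the frame,
 * interrupts are enabled and the privileged mode bits are clear. */
uint64_t sanitise_exit_flags(uint64_t flags)
{
    flags &= ~(uint64_t)FL_EXIT_MUST_CLEAR;
    flags |= FL_IF;
    return flags;
}

/* Audit helper: returns the set of bits that break the exit invariant
 * (FL_IF is reported when it is missing). Zero means the frame is clean. */
uint64_t exit_flag_violations(uint64_t flags)
{
    uint64_t bad = flags & FL_EXIT_MUST_CLEAR;

    if (!(flags & FL_IF))
        bad |= FL_IF;
    return bad;
}

int main(void)
{
    uint64_t before   = 0x246; /* constructed: IF, ZF, PF set */
    uint64_t emulated = 0x047; /* constructed: result with IF cleared, CF set */
    uint64_t merged   = merge_emulated_flags(before, emulated);

    printf("merged     = %#llx\n", (unsigned long long)merged);
    printf("violations = %#llx\n",
           (unsigned long long)exit_flag_violations(emulated));
    printf("sanitised  = %#llx\n",
           (unsigned long long)sanitise_exit_flags(emulated));
    return 0;
}
```

Logging a non-zero `exit_flag_violations()` result before normalising gives operators a signal that a guest reached the exit path with an unexpected frame.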


From xen-announce-bounces@lists.xen.org Wed Dec 21 12:02:40 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 21 Dec 2016 12:02:40 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJfab-0003Wc-7p; Wed, 21 Dec 2016 12:01:45 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaa-0003W8-89; Wed, 21 Dec 2016 12:01:44 +0000
Received: from [85.158.137.68] by server-4.bemta-3.messagelabs.com id
 36/93-01392-72F6A585; Wed, 21 Dec 2016 12:01:43 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-31.messagelabs.com!1482321701!77236095!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 57620 invoked from network); 21 Dec 2016 12:01:41 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-3.tower-31.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 21 Dec 2016 12:01:41 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaO-0007HX-O5; Wed, 21 Dec 2016 12:01:32 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaO-00040Q-Jz; Wed, 21 Dec 2016 12:01:32 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJfaO-00040Q-Jz@xenbits.xenproject.org>
Date: Wed, 21 Dec 2016 12:01:32 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 203 (CVE-2016-10025) - x86:
 missing NULL pointer check in VMFUNC emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-10025 / XSA-203
                               version 3

          x86: missing NULL pointer check in VMFUNC emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When support for the Intel VMX VMFUNC leaf 0 was added, a new optional
function pointer hvmemul_vmfunc was added to the hvm_emulate_ops
table.  As is intended, that new function pointer is NULL on non-VMX
hardware, including AMD SVM hardware.  However at a call site, the
necessary NULL check was omitted before the indirect function call.

IMPACT
======

Malicious guests may cause a hypervisor crash, resulting in a Denial
of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and newer are vulnerable.  Xen versions 4.5 and earlier
are not vulnerable.

Only HVM guests can exploit the vulnerability.  PV guests cannot exploit
the vulnerability.

Only x86 systems using SVM (AMD virtualisation extensions) rather than
VMX (Intel virtualisation extensions) are vulnerable.  This applies to
HVM guests on AMD x86 CPUs.  Therefore AMD x86 hardware is vulnerable;
Intel hardware is not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only VMX capable hardware will also avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa203.patch           xen-unstable
xsa203-4.8.patch       Xen 4.8.x
xsa203-4.7.patch       Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa203*
9af7e862705987a60de1def81ed179931c3f683d05b05c2708cf16bb85d203c9  xsa203.patch
7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46  xsa203-4.7.patch
4218fcfff11ec4788462a3ea9dddecb25b9d9fb1beaad17ca0f723b07b6675e4  xsa203-4.8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa203.patch"
Content-Disposition: attachment; filename="xsa203.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa203-4.7.patch"
Content-Disposition: attachment; filename="xsa203-4.7.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa203-4.8.patch"
Content-Disposition: attachment; filename="xsa203-4.8.patch"
Content-Transfer-Encoding: base64



--=separator--
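
The XSA-203 advisory above describes an optional function pointer that is NULL on non-VMX hardware and a call site that omitted the NULL check. The C model below is an added example, not code from the advisory or from Xen: it puts the unchecked call beside a checked one and adds a registration-time audit of the hook table. All type, function and constant names are hypothetical, and the leaf handling is a simplified stand-in.

```c
#include <stddef.h>
#include <stdio.h>

/* Emulator status codes for this model (names are assumptions). */
enum emul_rc { EMUL_OKAY, EMUL_UNHANDLEABLE, EMUL_EXCEPTION };

struct regs { unsigned long rax, rcx; };

/* Per-vendor hook table. Every backend must set the mandatory hooks;
 * optional hooks stay NULL where the hardware lacks the feature. */
struct vendor_ops {
    const char *name;
    int (*inject_event)(int vector);        /* mandatory */
    int (*emulate_vmfunc)(struct regs *r);  /* optional */
};

#define MAX_VIEWS 10UL  /* constructed limit for the model */
#define VEC_UD    6     /* x86 invalid-opcode exception vector */

static int last_vector = -1;
static int model_inject(int vector) { last_vector = vector; return 0; }

/* VMX-like backend: leaf 0 with an in-range index succeeds. */
static int vmx_like_vmfunc(struct regs *r)
{
    if (r->rax != 0 || r->rcx >= MAX_VIEWS)
        return EMUL_EXCEPTION;
    return EMUL_OKAY;
}

static const struct vendor_ops vmx_like = { "vmx-like", model_inject, vmx_like_vmfunc };
static const struct vendor_ops svm_like = { "svm-like", model_inject, NULL };

/* Unchecked call site, the pattern the advisory describes: with svm_like
 * this calls through a NULL pointer. Shown for contrast, never called. */
int emulate_vmfunc_unchecked(const struct vendor_ops *ops, struct regs *r)
{
    return ops->emulate_vmfunc(r);
}

/* Checked call site: a missing optional hook becomes a status code. */
int emulate_vmfunc_checked(const struct vendor_ops *ops, struct regs *r)
{
    if (ops->emulate_vmfunc == NULL)
        return EMUL_UNHANDLEABLE;
    return ops->emulate_vmfunc(r);
}

/* Registration-time audit: -1 if the table or a mandatory hook is missing,
 * otherwise the number of optional hooks the backend left NULL. */
int audit_ops(const struct vendor_ops *ops)
{
    int missing_optional = 0;

    if (ops == NULL || ops->inject_event == NULL)
        return -1;
    if (ops->emulate_vmfunc == NULL)
        missing_optional++;
    return missing_optional;
}

/* In this model, any non-OKAY result is turned into #UD for the guest,
 * so the failure stays inside the guest instead of crashing the host. */
int handle_guest_vmfunc(const struct vendor_ops *ops, struct regs *r)
{
    int rc = emulate_vmfunc_checked(ops, r);

    if (rc != EMUL_OKAY)
        ops->inject_event(VEC_UD);
    return rc;
}

int main(void)
{
    struct regs r = { 0, 3 };  /* constructed request: leaf 0, index 3 */

    printf("%s: rc=%d, optional hooks missing=%d\n", vmx_like.name,
           handle_guest_vmfunc(&vmx_like, &r), audit_ops(&vmx_like));
    printf("%s: rc=%d, optional hooks missing=%d\n", svm_like.name,
           handle_guest_vmfunc(&svm_like, &r), audit_ops(&svm_like));
    return 0;
}
```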


From xen-announce-bounces@lists.xen.org Wed Dec 21 12:02:40 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 21 Dec 2016 12:02:40 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJfaf-0003Y4-2J; Wed, 21 Dec 2016 12:01:49 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfad-0003XQ-Bf; Wed, 21 Dec 2016 12:01:47 +0000
Received: from [193.109.254.147] by server-9.bemta-6.messagelabs.com id
 B1/F4-27165-A2F6A585; Wed, 21 Dec 2016 12:01:46 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-27.messagelabs.com!1482321704!73028595!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 46055 invoked from network); 21 Dec 2016 12:01:45 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-5.tower-27.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 21 Dec 2016 12:01:45 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaM-0007HK-GS; Wed, 21 Dec 2016 12:01:30 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaM-0003vY-CB; Wed, 21 Dec 2016 12:01:30 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJfaM-0003vY-CB@xenbits.xenproject.org>
Date: Wed, 21 Dec 2016 12:01:30 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 202 (CVE-2016-10024) - x86 PV
 guests may be able to mask interrupts
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-10024 / XSA-202
                               version 3

             x86 PV guests may be able to mask interrupts

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Certain PV guest kernel operations (page table writes in particular)
need emulation, and use Xen's general x86 instruction emulator.  This
allows a malicious guest kernel which asynchronously modifies its
instruction stream to effect the clearing of EFLAGS.IF from the state
used to return to guest context.

IMPACT
======

A malicious guest kernel administrator can cause a host hang or
crash, resulting in a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 PV guests can exploit the vulnerability.

Neither ARM guests nor x86 HVM guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid the vulnerability.

For PV guests the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa202.patch           xen-unstable, Xen 4.8.x, Xen 4.7.x
xsa202-4.6.patch       Xen 4.6.x, Xen 4.5.x
xsa202-4.4.patch       Xen 4.4.x

$ sha256sum xsa202*
057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb  xsa202.patch
cd53dc8b761dc7eb60998ea2419c98af926aa62b4317dbef15f597f5554f9015  xsa202-4.4.patch
e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4  xsa202-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa202.patch"
Content-Disposition: attachment; filename="xsa202.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa202-4.4.patch"
Content-Disposition: attachment; filename="xsa202-4.4.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa202-4.6.patch"
Content-Disposition: attachment; filename="xsa202-4.6.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xen.org Wed Dec 21 12:02:40 2016
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 21 Dec 2016 12:02:40 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1cJfab-0003Wc-7p; Wed, 21 Dec 2016 12:01:45 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaa-0003W8-89; Wed, 21 Dec 2016 12:01:44 +0000
Received: from [85.158.137.68] by server-4.bemta-3.messagelabs.com id
 36/93-01392-72F6A585; Wed, 21 Dec 2016 12:01:43 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-3.tower-31.messagelabs.com!1482321701!77236095!1
X-Originating-IP: [104.130.215.37]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 57620 invoked from network); 21 Dec 2016 12:01:41 -0000
Received: from mail.xenproject.org (HELO mail.xenproject.org) (104.130.215.37)
 by server-3.tower-31.messagelabs.com with AES128-GCM-SHA256
 encrypted SMTP; 21 Dec 2016 12:01:41 -0000
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaO-0007HX-O5; Wed, 21 Dec 2016 12:01:32 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1cJfaO-00040Q-Jz; Wed, 21 Dec 2016 12:01:32 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1cJfaO-00040Q-Jz@xenbits.xenproject.org>
Date: Wed, 21 Dec 2016 12:01:32 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 203 (CVE-2016-10025) - x86:
 missing NULL pointer check in VMFUNC emulation
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xen.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xen.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-10025 / XSA-203
                               version 3

          x86: missing NULL pointer check in VMFUNC emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When support for the Intel VMX VMFUNC leaf 0 was added, a new optional
function pointer hvmemul_vmfunc was added to the hvm_emulate_ops
table.  As is intended, that new function pointer is NULL on non-VMX
hardware, including AMD SVM hardware.  However at a call site, the
necessary NULL check was omitted before the indirect function call.

IMPACT
======

Malicious guests may cause a hypervisor crash, resulting in a Denial
of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and newer are vulnerable.  Xen versions 4.5 and earlier
are not vulnerable.

Only HVM guests can exploit the vulnerability.  PV guests cannot exploit
the vulnerability.

Only x86 systems using SVM (AMD virtualisation extensions) rather than
VMX (Intel virtualisation extensions) are vulnerable.  This applies to
HVM guests on AMD x86 CPUs.  Therefore AMD x86 hardware is vulnerable;
Intel hardware is not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only VMX capable hardware will also avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa203.patch           xen-unstable
xsa203-4.8.patch       Xen 4.8.x
xsa203-4.7.patch       Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa203*
9af7e862705987a60de1def81ed179931c3f683d05b05c2708cf16bb85d203c9  xsa203.patch
7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46  xsa203-4.7.patch
4218fcfff11ec4788462a3ea9dddecb25b9d9fb1beaad17ca0f723b07b6675e4  xsa203-4.8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa203.patch"
Content-Disposition: attachment; filename="xsa203.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa203-4.7.patch"
Content-Disposition: attachment; filename="xsa203-4.7.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa203-4.8.patch"
Content-Disposition: attachment; filename="xsa203-4.8.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
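
The missing-check pattern that XSA-203 describes, reduced to a stand-alone C model. This is an added example, not Xen source and not the attached patch; `vendor_ops`, `emulate_vmfunc_checked` and every other identifier in it are hypothetical, as is the policy of turning a failed emulation into a guest-visible fault.

```c
/* Added illustration of the XSA-203 bug class; not Xen source.
 * Every identifier below is hypothetical. */
#include <stddef.h>
#include <stdio.h>

enum emul_rc { EMUL_OKAY, EMUL_UNHANDLEABLE, EMUL_EXCEPTION };
enum guest_outcome { GUEST_RESUMES, GUEST_GETS_FAULT };

struct guest_regs { unsigned long rax, rcx; };

/* Per-vendor hook table. Optional hooks stay NULL where the hardware
 * has no such feature, so every call site must test them first. */
struct vendor_ops {
    const char *name;
    int (*emulate_vmfunc)(struct guest_regs *regs);   /* optional */
};

/* Backend that supports the feature: only leaf 0 is implemented. */
static int vmx_emulate_vmfunc(struct guest_regs *regs)
{
    return regs->rax == 0 ? EMUL_OKAY : EMUL_EXCEPTION;
}

static const struct vendor_ops vmx_ops = { "vmx", vmx_emulate_vmfunc };
static const struct vendor_ops svm_ops = { "svm", NULL };  /* hook absent */

/* The flawed shape: an indirect call with no check. With svm_ops this
 * jumps through a NULL pointer, which in a hypervisor takes the host down. */
static int emulate_vmfunc_unchecked(const struct vendor_ops *ops,
                                    struct guest_regs *regs)
{
    return ops->emulate_vmfunc(regs);
}

/* The corrected shape: an absent hook becomes an ordinary error code. */
static int emulate_vmfunc_checked(const struct vendor_ops *ops,
                                  struct guest_regs *regs)
{
    if (ops->emulate_vmfunc == NULL)
        return EMUL_UNHANDLEABLE;
    return ops->emulate_vmfunc(regs);
}

/* Caller policy in this model: any failure is delivered to the guest
 * that issued the instruction; the host keeps running. */
static enum guest_outcome handle_vmfunc(const struct vendor_ops *ops,
                                        struct guest_regs *regs)
{
    return emulate_vmfunc_checked(ops, regs) == EMUL_OKAY
           ? GUEST_RESUMES : GUEST_GETS_FAULT;
}

int main(void)
{
    struct guest_regs leaf0 = { 0, 0 }, leaf1 = { 1, 0 };

    /* The unchecked form is only safe where the hook is known to be set. */
    printf("vmx unchecked leaf0 -> %d\n", emulate_vmfunc_unchecked(&vmx_ops, &leaf0));
    printf("vmx checked leaf1   -> %d\n", emulate_vmfunc_checked(&vmx_ops, &leaf1));
    printf("svm checked leaf0   -> %d\n", emulate_vmfunc_checked(&svm_ops, &leaf0));
    printf("svm guest outcome   -> %d\n", handle_vmfunc(&svm_ops, &leaf0));
    return 0;
}
```

When reviewing a hook table of this kind, check every call site of each member that any backend leaves NULL, not only the one named in an advisory.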


