From xen-announce-bounces@lists.xenproject.org Wed Jan 03 22:31:20 2018
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eWrXs-0007D0-Bg@xenbits.xenproject.org>
Date: Wed, 03 Jan 2018 22:30:00 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 - Information leak via
 side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-254

        Information leak via side effects of speculative execution

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use CPU resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an
attacker can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

SP1, "Bounds-check bypass": Poison the branch predictor, such that
operating system or hypervisor code is speculatively executed past
boundary and security checks.  This would allow an attacker to, for
instance, cause speculative code in the normal hypercall / emulation
path to execute with wild array indexes.

SP2, "Branch Target Injection": Poison the branch predictor.
Well-abstracted code often involves calling function pointers via
indirect branches; reading these function pointers may involve a
(slow) memory access, so the CPU attempts to guess where indirect
branches will lead.  Poisoning this enables an attacker to
speculatively branch to any code that exists in the hypervisor.

SP3, "Rogue Data Load": On some processors, certain pagetable
permission checks only happen when the instruction is retired;
effectively meaning that speculative execution is not subject to
pagetable permission checks.  On such processors, an attacker can
speculatively execute arbitrary code in userspace with, effectively,
the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/

Additional Xen-specific background:

64-bit Xen hypervisors on systems with less than 5TiB of RAM map all
of physical RAM, so code speculatively executed in a hypervisor
context can read all of system RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (HVM and PVH guests run in a separate
address space to the hypervisor.)  However, only 64-bit PV guests can
generate addresses large enough to point to hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, or SP2 on systems where SMEP (supervisor mode execute protection)
is enabled: an attacker is limited to windows of code after bound
checks of user-supplied indexes.  For SP2 without SMEP, or SP3, an
attacker can write arbitrary code to speculatively execute.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.

For SP3, only Intel processors are vulnerable. Furthermore, only
64-bit PV guests can exploit SP3 against Xen.  PVH and 32-bit PV
guests cannot exploit SP3.

We believe that ARM is affected, but unfortunately due to the
accelerated schedule, we haven't been able to get concrete input from
ARM.  We are asking ARM and will publish more information when it is
available.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.

For guests with legacy PV kernels which cannot be run in HVM mode, we
have developed a "shim" hypervisor that allows PV guests to run in PVH
mode.  Unfortunately, due to the accelerated schedule, this is not yet
ready to release.  We expect to have it ready for 4.10, as well as PVH
backports to 4.9 and 4.8, available over the next few days.

RESOLUTION
==========

There is no available resolution for SP1 or SP3.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.

When we have useful information we will send an update.

NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator--


From xen-announce-bounces@lists.xenproject.org Thu Jan 04 13:04:16 2018
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eX5AX-0003nj-R9@xenbits.xenproject.org>
Date: Thu, 04 Jan 2018 13:02:49 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 253 - x86: memory leak with
	MSR emulation

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-253
                              version 2

                  x86: memory leak with MSR emulation

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

In Xen 4.10, new infrastructure was introduced as part of an overhaul to
how MSR emulation happens for guests.  Unfortunately, one tracking
structure isn't freed when a vcpu is destroyed.

IMPACT
======

A memory allocation of 8 bytes is leaked each time a vcpu is destroyed.

A malicious guest may, by frequently rebooting over extended periods of
time, run the system out of memory, resulting in a Denial of Service
(DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.10 and later are affected.  Xen 4.9 and earlier are not
affected.

Only x86 systems are affected.  ARM systems are not.

All guest kinds can exploit this vulnerability.

MITIGATION
==========

Limiting the frequency with which a guest is able to reboot will
limit the memory leak.

Rebooting each host (after migrating its guests) periodically will
reclaim the leaked space.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa253.patch           Xen 4.10, xen-unstable

$ sha256sum xsa253*
bba1abb5e4368421de29385e37f8477bf3534d3ba3ff7e2aae9c9d3da53f1393  xsa253.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa253.patch"
Content-Disposition: attachment; filename="xsa253.patch"
Content-Transfer-Encoding: base64


--=separator--
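
A small model of the XSA-253 bug class (a per-vcpu allocation that the destroy path never frees), with the allocation-accounting check that catches it. This is an added example, not Xen code and not the attached patch; every struct and function name is hypothetical, and the 512-byte FPU area is a constructed size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for per-vcpu state; not Xen's real structures. */
struct msr_track { uint64_t flags; };           /* the 8-byte tracking structure */
_Static_assert(sizeof(struct msr_track) == 8, "models the 8-byte allocation");
struct fpu_area  { uint8_t regs[512]; };        /* constructed size */
struct vcpu      { struct fpu_area *fpu; struct msr_track *msr; };

/* Bytes currently allocated through the tracking wrappers below. */
static size_t live_bytes;

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_bytes += n;
    return p;
}

static void track_free(void *p, size_t n)
{
    if (p) {
        live_bytes -= n;
        free(p);
    }
}

static int vcpu_create(struct vcpu *v)
{
    v->fpu = track_alloc(sizeof(*v->fpu));
    v->msr = track_alloc(sizeof(*v->msr));
    if (!v->fpu || !v->msr) {
        track_free(v->fpu, sizeof(*v->fpu));
        track_free(v->msr, sizeof(*v->msr));
        v->fpu = NULL;
        v->msr = NULL;
        return -1;
    }
    return 0;
}

/* Before: the destroy path releases the FPU area but forgets the
 * MSR tracking structure, so 8 bytes stay allocated per vcpu. */
static void vcpu_destroy_leaky(struct vcpu *v)
{
    track_free(v->fpu, sizeof(*v->fpu));
    v->fpu = NULL;
}

/* After: every allocation made in vcpu_create() is released, and the
 * pointer is cleared so a repeated destroy cannot double free. */
static void vcpu_destroy_fixed(struct vcpu *v)
{
    track_free(v->fpu, sizeof(*v->fpu));
    v->fpu = NULL;
    track_free(v->msr, sizeof(*v->msr));
    v->msr = NULL;
}

/* Simulate a guest with `vcpus` vcpus rebooting `reboots` times and
 * return the bytes still allocated afterwards ((size_t)-1 on OOM). */
size_t leaked_after_reboots(unsigned reboots, unsigned vcpus, int fixed)
{
    size_t before = live_bytes;

    for (unsigned r = 0; r < reboots; r++) {
        for (unsigned i = 0; i < vcpus; i++) {
            struct vcpu v;
            if (vcpu_create(&v) != 0)
                return (size_t)-1;
            if (fixed)
                vcpu_destroy_fixed(&v);
            else
                vcpu_destroy_leaky(&v);
        }
    }
    return live_bytes - before;
}

int main(void)
{
    printf("leaky destroy: %zu bytes outstanding\n",
           leaked_after_reboots(1000, 4, 0));
    printf("fixed destroy: %zu bytes outstanding\n",
           leaked_after_reboots(1000, 4, 1));
    return 0;
}
```

The leak grows linearly with reboots times vcpus, which is why the advisory's rate-limiting mitigation slows it down but only a host reboot or the fix reclaims the memory.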


From xen-announce-bounces@lists.xenproject.org Fri Jan 05 18:46:27 2018
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eXWz5-00070v-TN@xenbits.xenproject.org>
Date: Fri, 05 Jan 2018 18:44:51 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 3

        Information leak via side effects of speculative execution

UPDATES IN VERSION 3
====================

Add information about ARM vulnerability.

Correct description of SP2 difficulty.

Mention that resolutions for SP1 and SP3 may be available in the
future.

Move description of the PV-in-PVH shim from Mitigation to Resolution.
(When available and deployed, it will eliminate the SP3
vulnerability.)

Add colloquial names and CVEs to the relevant paragraphs in Issue
Description.

Add a URL.

Say explicitly in Vulnerable Systems that HVM guests cannot exploit
SP3.

Clarify that SP1 and SP2 can be exploited against other victims
besides operating systems and hypervisors.

Grammar fixes.

Remove erroneous detail about when Xen direct maps the whole of
physical memory.

State in Description that Xen ARM guests run in a separate address
space.

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use CPU resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an
attacker can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (e.g., anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases
be limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.

RESOLUTION
==========

There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.

For guests with legacy PV kernels which cannot be run in HVM mode, we
have developed a "shim" hypervisor that allows PV guests to run in PVH
mode.  Unfortunately, due to the accelerated schedule, this is not yet
ready to release.  We expect to have it ready for 4.10, as well as PVH
backports to 4.9 and 4.8, available over the next few days.

When we have useful information we will send an update.

NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator--
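
The code shape that the "Bounds-check bypass" (SP1) paragraphs above describe, next to an index-masking hardening modeled on the Linux kernel's array_index_nospec(). This is an added C example, not part of the advisory and not Xen's own code or fix; the table, its size and all function names are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16UL                       /* constructed table size */
#define LONG_BITS (sizeof(long) * CHAR_BIT)

/* Constructed sample data standing in for a table that is indexed by a
 * guest-supplied value on a hypercall or emulation path. */
static const uint8_t table[TABLE_LEN] = {
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3
};

/* Before: architecturally correct.  The bounds check is a conditional
 * branch, though, so a mispredicted branch lets the load below execute
 * speculatively with an out-of-range idx ("wild array indexes"). */
int lookup_checked_only(unsigned long idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    *out = table[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < size, zero otherwise.
 * Relies on arithmetic right shift of a negative long (true for gcc
 * and clang) and on size <= LONG_MAX.  Production kernels write this in
 * inline assembly so the compiler cannot turn it back into a branch. */
static unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    return (unsigned long)(~(long)(idx | (size - 1UL - idx)) >> (LONG_BITS - 1));
}

/* Clamp idx into [0, size): in-range values pass through unchanged,
 * out-of-range values become 0.  The result depends on idx through data
 * flow only, so branch prediction has nothing to get wrong. */
unsigned long clamp_index(unsigned long idx, unsigned long size)
{
    return idx & index_mask_nospec(idx, size);
}

/* After: the architectural check stays for correctness, and the index is
 * clamped before use so even a mis-speculated path loads table[0]
 * instead of memory beyond the table. */
int lookup_hardened(unsigned long idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    idx = clamp_index(idx, TABLE_LEN);
    *out = table[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    unsigned long probes[] = { 0, 5, 15, 16, 1000, ~0UL };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int rc = lookup_hardened(probes[i], &v);
        printf("idx=%lu mask=%#lx clamped=%lu rc=%d\n",
               probes[i], index_mask_nospec(probes[i], TABLE_LEN),
               clamp_index(probes[i], TABLE_LEN), rc);
    }
    return 0;
}
```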


From xen-announce-bounces@lists.xenproject.org Sat Jan 06 15:26:24 2018
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eXqLJ-0008JW-6M@xenbits.xenproject.org>
Date: Sat, 06 Jan 2018 15:25:05 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 253 (CVE-2018-5244) - x86:
 memory leak with MSR emulation

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-5244 / XSA-253
                              version 3

                  x86: memory leak with MSR emulation

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

In Xen 4.10, new infrastructure was introduced as part of an overhaul to
how MSR emulation happens for guests.  Unfortunately, one tracking
structure isn't freed when a vcpu is destroyed.

IMPACT
======

A memory allocation of 8 bytes is leaked each time a vcpu is destroyed.

A malicious guest may, by frequently rebooting over extended periods of
time, run the system out of memory, resulting in a Denial of Service
(DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.10 and later are affected.  Xen 4.9 and earlier are not
affected.

Only x86 systems are affected.  ARM systems are not.

All guest kinds can exploit this vulnerability.

MITIGATION
==========

Limiting the frequency with which a guest is able to reboot will
limit the memory leak.

Rebooting each host (after migrating its guests) periodically will
reclaim the leaked space.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa253.patch           Xen 4.10, xen-unstable

$ sha256sum xsa253*
bba1abb5e4368421de29385e37f8477bf3534d3ba3ff7e2aae9c9d3da53f1393  xsa253.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa253.patch"
Content-Disposition: attachment; filename="xsa253.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
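
In the advisory mail above, the `$ sha256sum xsa253*` listing sits inside the PGP-signed text part, while the patch travels as a separate base64 MIME attachment, so comparing the two is what ties the attachment to the signed text. The following is an added example, not part of the advisory or of Xen Project tooling: it parses a saved advisory mail and checks every attachment against the listing. It assumes the signature on the text part is verified separately, and the `xsaNNN` sample message is constructed for the demonstration.

```python
import email
import hashlib
import re
from email.message import EmailMessage

# One line of `sha256sum` output: 64 hex digits, a space, ' ' or '*', file name.
SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S+)$")


def listed_sums(body: str) -> dict:
    """Return {filename: digest} from the `$ sha256sum ...` transcript in the text."""
    sums, inside = {}, False
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("$ sha256sum"):
            inside = True
        elif inside and line == "$":
            break  # the lone prompt closes the transcript
        elif inside:
            match = SUM_LINE.match(line)
            if match:
                sums[match.group(2)] = match.group(1)
    return sums


def check_advisory(raw: bytes) -> dict:
    """Map each listed or attached file name to ok / MISMATCH / missing / unlisted."""
    msg = email.message_from_bytes(raw)
    body, attached = None, {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64
        name = part.get_filename()
        if name:
            attached[name] = hashlib.sha256(payload).hexdigest()
        elif body is None and part.get_content_type() == "text/plain":
            # The first inline text part is the advisory itself; later ones
            # (such as the mailing-list footer) are ignored.
            body = payload.decode("utf-8", "replace")
    expected = listed_sums(body or "")
    result = {}
    for name, digest in expected.items():
        if name not in attached:
            result[name] = "missing"
        elif attached[name] == digest:
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    for name in attached:
        if name not in expected:
            result[name] = "unlisted"  # not covered by the signed text
    return result


def build_sample(attached_patch: bytes, listed_patch: bytes) -> bytes:
    """Constructed message shaped like an advisory mail (not real advisory data)."""
    digest = hashlib.sha256(listed_patch).hexdigest()
    msg = EmailMessage()
    msg["Subject"] = "Constructed advisory XSA-NNN"
    msg.set_content(
        "RESOLUTION\n==========\n\n"
        "$ sha256sum xsaNNN*\n"
        f"{digest}  xsaNNN.patch\n"
        f"{'0' * 64}  xsaNNN-4.8.patch\n"
        "$\n"
    )
    msg.add_attachment(attached_patch, maintype="application",
                       subtype="octet-stream", filename="xsaNNN.patch")
    return msg.as_bytes()


if __name__ == "__main__":
    patch = b"--- a/file.c\n+++ b/file.c\n"
    for label, raw in (("intact", build_sample(patch, patch)),
                       ("altered", build_sample(patch + b"extra\n", patch))):
        print(label, check_advisory(raw))
```

A result of `unlisted` or `MISMATCH` means the attachment is not the file the signed text describes and should not be applied.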


From xen-announce-bounces@lists.xenproject.org Sat Jan 06 16:16:59 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Sat, 06 Jan 2018 16:16:59 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1eXr8h-0001Dm-1a; Sat, 06 Jan 2018 16:16:07 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=aipy=eb=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1eXr8f-0001DU-KQ
 for xen-announce@lists.xen.org; Sat, 06 Jan 2018 16:16:05 +0000
X-Inumbo-ID: 273801db-f2fd-11e7-b0d7-9f685aff125f
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 273801db-f2fd-11e7-b0d7-9f685aff125f;
 Sat, 06 Jan 2018 16:17:55 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1eXr8R-0000SP-Da; Sat, 06 Jan 2018 16:15:51 +0000
Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <andrewcoop@xenbits.xen.org>)
 id 1eXr8R-0004f1-Ce; Sat, 06 Jan 2018 16:15:51 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eXr8R-0004f1-Ce@xenbits.xenproject.org>
Date: Sat, 06 Jan 2018 16:15:51 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 248 (CVE-2017-17566) - x86 PV
 guests may gain access to internally used pages
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-17566 / XSA-248
                              version 3

         x86 PV guests may gain access to internally used pages

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Memory management for PV guests builds on page ownership and page
attributes.  A domain can always map, at least r/o, pages of which it
is the owner.  Certain fields in the control structure of a page are
used for different purposes in the main PV memory management code and
in code handling shadow paging.

When a guest is running in shadow mode (which for PV guests is necessary
e.g. for live migration), certain auxiliary pages used by Xen internally
had their owner set to the guest itself.  When the PV guest maps such a
page, shadow code and PV memory management code will disagree on the
meaning of said multi-purpose fields, generally leading to a crash of
the hypervisor.

IMPACT
======

A malicious or buggy PV guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host, or cause hypervisor
memory corruption.  We cannot rule out a guest being able to escalate
its privilege.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are affected.  ARM systems are not vulnerable.

x86 HVM guests cannot exploit this vulnerability.

Only x86 PV guests can exploit this vulnerability, and only when being
run in shadow mode.  PV guests are typically run in shadow mode for live
migration, as well as for features like VM snapshot.

Note that save / restore does *not* use shadow mode, and so does not
expose this vulnerability.  Some downstreams also include a "non-live
migration" feature, which also does not use shadow mode (and thus does
not expose this vulnerability).

MITIGATION
==========

Running only HVM guests avoids the vulnerability.

Avoiding live migration of x86 PV guests also avoids the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa248.patch           xen-unstable, Xen 4.9.x
xsa248-4.8.patch       Xen 4.8.x, Xen 4.7.x, Xen 4.6.x
xsa248-4.5.patch       Xen 4.5.x

$ sha256sum xsa248*
f0ac5c5ff956118f52821e111c6e27416f788cea6e98cc54cb051c42b793357e  xsa248.meta
20bcfb1890d90bd74f52e45a1e8aa020a8991e3a0db37eecf53ce48b16e602bf  xsa248.patch
ec4227633df18f76fbd8cb12e367879470b63fb5236f10b2a971dccef9f83172  xsa248-4.5.patch
3bbd9fd92e5ffab1ddd7ff804bfbab09c1c654af3aa7f80f742f321da120b715  xsa248-4.8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa248.meta"
Content-Disposition: attachment; filename="xsa248.meta"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa248.patch"
Content-Disposition: attachment; filename="xsa248.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa248-4.5.patch"
Content-Disposition: attachment; filename="xsa248-4.5.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa248-4.8.patch"
Content-Disposition: attachment; filename="xsa248-4.8.patch"
Content-Transfer-Encoding: base64



--=separator--


From xen-announce-bounces@lists.xenproject.org Sat Jan 06 16:16:59 2018
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eXr8Y-0004iB-7j@xenbits.xenproject.org>
Date: Sat, 06 Jan 2018 16:15:58 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 250 (CVE-2017-17564) -
 improper x86 shadow mode refcount error handling

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-17564 / XSA-250
                              version 3

           improper x86 shadow mode refcount error handling

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Pages being used to run x86 guests in shadow mode are reference counted
to track their uses.  When another reference cannot be acquired, the
corresponding page table entry must not be inserted.  Due to incorrect
error handling, this constraint could be violated.

IMPACT
======

A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host, or cause hypervisor
memory corruption.  We cannot rule out a guest being able to escalate
its privilege.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

x86 systems are vulnerable.  ARM systems are not vulnerable.

Only guests run in shadow mode can exploit the vulnerability.

PV guests typically only run in shadow mode during live migration, as
well as for features like VM snapshot.

Note that save / restore does *not* use shadow mode, and so does not
expose this vulnerability.  Some downstreams also include a "non-live
migration" feature, which also does not use shadow mode (and thus does
not expose this vulnerability).

HVM guests run in shadow mode on hardware without HAP support, or when
HAP is disabled (globally or in the VM configuration file).  Live
migration does not affect an HVM guest's use of shadow mode.

MITIGATION
==========

For HVM guests explicitly configured to use shadow paging (e.g. via the
`hap=0' xl domain configuration file parameter), changing to HAP (e.g.
by setting `hap=1') will avoid exposing the vulnerability to those
guests.  HAP is the default (in upstream Xen), where the hardware
supports it; so this mitigation is only applicable if HAP has been
disabled by configuration.

For PV guests, avoiding their live migration avoids the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa250.patch           xen-unstable, Xen 4.9.x ... 4.6.x
xsa250-4.5.patch       Xen 4.5.x

$ sha256sum xsa250*
c15c1c3e64cfb7ab2e2c48970214aa8c3881deb7e11c498526554bb74535b601  xsa250.meta
adf4d8242dbddb4ec52fe1effc1f8b233d33d8d6a59c1bb677dcc6e2ed2bf711  xsa250.patch
d123a58308db606185c4e48dcf4a114ac29bb988ffc0eeb04ded213ec474e0f2  xsa250-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
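
The rule in the XSA-250 issue description, as an added Python toy model (not Xen code and not part of the advisory): an entry is installed only when a reference was acquired. The two flawed variants follow the mistakes named in the commit message of the attached xsa250.patch; `ShadowPage`, `Domain`, `MAX_REFS` and every function name here are hypothetical.

```python
"""Constructed toy model of the XSA-250 rule; none of this is Xen code."""

MAX_REFS = 3  # hypothetical, tiny cap so the "cannot acquire" path is reachable


class ShadowPage:
    def __init__(self, mfn):
        self.mfn = mfn
        self.refs = 0
        self.pinned = False
        self.freed = False


class Domain:
    def __init__(self):
        self.crashed = False
        self.table = {}        # slot -> ShadowPage, stands in for a shadow table
        self.toplevel = None   # stands in for the top-level shadow pointer


def get_ref(page):
    """Take a reference; fail once the counter cannot grow any further."""
    if page.refs >= MAX_REFS:
        return False
    page.refs += 1
    return True


def put_ref(page):
    """Drop a reference; the page is freed when the last one goes away."""
    page.refs -= 1
    if page.refs == 0:
        page.freed = True


def pin(page):
    """Independent bookkeeping step whose outcome says nothing about get_ref()."""
    page.pinned = True
    return True


def set_entry_flawed(dom, slot, page):
    ok = get_ref(page)
    ok |= pin(page)            # a successful pin hides the failed get_ref()
    if not ok:
        dom.crashed = True
        return False
    dom.table[slot] = page     # may be installed without a reference
    return True


def set_entry_fixed(dom, slot, page):
    if not get_ref(page):      # only the reference decides
        dom.crashed = True
        return False
    pin(page)                  # result deliberately ignored
    dom.table[slot] = page
    return True


def set_toplevel_flawed(dom, page):
    if not get_ref(page):
        dom.crashed = True     # the error is noticed ...
    dom.toplevel = page        # ... but the entry is installed anyway


def set_toplevel_fixed(dom, page):
    if get_ref(page):
        dom.toplevel = page
    else:
        dom.crashed = True
        dom.toplevel = None    # nothing is installed on failure


def run(set_entry, set_toplevel):
    """Install MAX_REFS + 1 entries and a top-level pointer, then tear down."""
    dom, page = Domain(), ShadowPage(mfn=0x1000)
    results = [set_entry(dom, slot, page) for slot in range(MAX_REFS + 1)]
    set_toplevel(dom, page)
    installed = len(dom.table) + int(dom.toplevel is not None)
    unaccounted = installed - page.refs      # entries with no reference behind them
    # Remove entries one by one, dropping the reference each one should hold.
    for slot in sorted(dom.table):
        if page.refs == 0:
            break
        del dom.table[slot]
        put_ref(page)
    # Anything still pointing at the page after it was freed is dangling.
    dangling = len(dom.table) + int(dom.toplevel is not None and page.freed)
    return {"results": results, "crashed": dom.crashed,
            "unaccounted": unaccounted, "dangling": dangling}


if __name__ == "__main__":
    print("flawed:", run(set_entry_flawed, set_toplevel_flawed))
    print("fixed: ", run(set_entry_fixed, set_toplevel_fixed))
```

In the flawed run the domain is marked crashed, yet two entries outlive the page's last reference; the fixed run refuses the fourth entry and leaves nothing dangling.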

--=separator
Content-Type: application/octet-stream; name="xsa250.meta"
Content-Disposition: attachment; filename="xsa250.meta"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa250.patch"
Content-Disposition: attachment; filename="xsa250.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa250-4.5.patch"
Content-Disposition: attachment; filename="xsa250-4.5.patch"
Content-Transfer-Encoding: base64



--=separator--


From xen-announce-bounces@lists.xenproject.org Sat Jan 06 16:16:59 2018
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eXr8b-0004ji-1y@xenbits.xenproject.org>
Date: Sat, 06 Jan 2018 16:16:01 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 251 (CVE-2017-17565) -
 improper bug check in x86 log-dirty handling

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-17565 / XSA-251
                              version 3

             improper bug check in x86 log-dirty handling

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Memory sharing, available to x86 HVM guests only, uses a special value
in the global machine to physical address translation table (M2P).  PV
guests have full control over M2P entries corresponding to pages they
own.  A bug check (specifically, an assertion that an M2P entry is not
the special "shared" indicator) was insufficiently qualified, and as a
consequence is triggerable by PV guests in log-dirty mode
(e.g. because of being live migrated).

IMPACT
======

A malicious or buggy PV guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and later are affected.  Xen versions 3.4 and earlier
are not affected.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

x86 HVM guests cannot exploit this vulnerability.

Only x86 PV guests can exploit this vulnerability, and only when being
run in shadow mode.  PV guests are typically run in shadow mode for live
migration, as well as for features like VM snapshot.

Note that save / restore does *not* use shadow mode, and so does not
expose this vulnerability.  Some downstreams also include a "non-live
migration" feature, which also does not use shadow mode (and thus does
not expose this vulnerability).

MITIGATION
==========

Running only HVM guests avoids the vulnerability.

Avoiding live migration of x86 PV guests also avoids the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa251.patch           xen-unstable, Xen 4.9.x
xsa251-4.8.patch       Xen 4.8.x, Xen 4.7.x, Xen 4.6.x
xsa251-4.5.patch       Xen 4.5.x

$ sha256sum xsa251*
152cf5c88c3e441af01cdf5749877cabb6ab961afee9f29ae3077e725b703aa2  xsa251.meta
0dfbcfe459f051abb571d3fbedbe9760a4c6cd540ab5d525627050e3eeb9234e  xsa251.patch
345a6e004e0d0d89c7fc8db55d48d68f53402a521bd1aa3cb4168043e1ae5673  xsa251-4.5.patch
f8cecf013a3628038e0a4566778852a560b25a1ce2f3872a989087ab2fc9a913  xsa251-4.8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa251.meta"
Content-Disposition: attachment; filename="xsa251.meta"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa251.patch"
Content-Disposition: attachment; filename="xsa251.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa251-4.5.patch"
Content-Disposition: attachment; filename="xsa251-4.5.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa251-4.8.patch"
Content-Disposition: attachment; filename="xsa251-4.8.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xenproject.org Sat Jan 06 16:21:19 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Sat, 06 Jan 2018 16:21:19 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1eXrCs-0003Em-Ib; Sat, 06 Jan 2018 16:20:26 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=aipy=eb=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1eXrCq-0003DQ-QU
 for xen-announce@lists.xen.org; Sat, 06 Jan 2018 16:20:24 +0000
X-Inumbo-ID: 290d6ab3-f2fd-11e7-b0d7-9f685aff125f
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 290d6ab3-f2fd-11e7-b0d7-9f685aff125f;
 Sat, 06 Jan 2018 16:17:58 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1eXr8V-0000Sf-Mn; Sat, 06 Jan 2018 16:15:55 +0000
Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <andrewcoop@xenbits.xen.org>)
 id 1eXr8V-0004gc-K0; Sat, 06 Jan 2018 16:15:55 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eXr8V-0004gc-K0@xenbits.xenproject.org>
Date: Sat, 06 Jan 2018 16:15:55 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 249 (CVE-2017-17563) - broken
 x86 shadow mode refcount overflow check
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-17563 / XSA-249
                              version 3

            broken x86 shadow mode refcount overflow check

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Pages being used to run x86 guests in shadow mode are reference counted
to track their uses.  Unfortunately the overflow check when trying to
obtain a new reference used a mask one bit wider than the reference
count actually is, rendering the entire check ineffective.

IMPACT
======

A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host, or cause hypervisor
memory corruption.  We cannot rule out a guest being able to escalate
its privilege.

VULNERABLE SYSTEMS
==================

Xen versions 4.1 and later are affected.  Xen versions 4.0 and earlier
are not affected.

x86 systems are vulnerable.  ARM systems are not vulnerable.

Only guests run in shadow mode can exploit the vulnerability.

PV guests typically only run in shadow mode during live migration, as
well as for features like VM snapshot.

Note that save / restore does *not* use shadow mode, and so does not
expose this vulnerability.  Some downstreams also include a "non-live
migration" feature, which also does not use shadow mode (and thus does
not expose this vulnerability).

HVM guests run in shadow mode on hardware without HAP support, or when
HAP is disabled (globally or in the VM configuration file).  Live
migration does not affect an HVM guest's use of shadow mode.

MITIGATION
==========

For HVM guests explicitly configured to use shadow paging (e.g. via the
`hap=0' xl domain configuration file parameter), changing to HAP (e.g.
by setting `hap=1') will avoid exposing the vulnerability to those
guests.  HAP is the default (in upstream Xen), where the hardware
supports it; so this mitigation is only applicable if HAP has been
disabled by configuration.

For PV guests, avoiding their live migration avoids the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa249.patch           xen-unstable, Xen 4.9.x ... 4.5.x

$ sha256sum xsa249*
38a4b8033d634e22939ad42b882c35e46482782619e3e03b968a2f6489e459c9  xsa249.meta
e99066b0171d4757c6a66e1223aabe01e990de2d0dc50416936e064e6e750d00  xsa249.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa249.meta"
Content-Disposition: attachment; filename="xsa249.meta"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa249.patch"
Content-Disposition: attachment; filename="xsa249.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
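
Added illustration for XSA-249 (not part of the advisory and not Xen code): the issue description above says the overflow check used a limit one bit wider than the reference count field. The C program below reproduces that class of bug next to a corrected check; the struct, the function names and the 4-bit field width are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed width, kept small so the wrap-around is reached quickly.
 * This is not Xen's value or Xen's data structure. */
#define REF_WIDTH 4u

struct page_meta {
    unsigned int flags : 3;
    unsigned int count : REF_WIDTH;   /* reference count bitfield */
};

/* Broken: the limit is one bit wider than the field.  The field holds at
 * most 2^W - 1, so nx is at most 2^W and can never reach 2^(W+1); the
 * check is dead code and the store below silently truncates 2^W to 0. */
static bool get_ref_broken(struct page_meta *p)
{
    unsigned int x = p->count;
    unsigned int nx = x + 1;

    if (nx >= (1u << (REF_WIDTH + 1)))
        return false;
    p->count = nx;
    return true;
}

/* Corrected: the limit is derived from the same constant as the field
 * width, so the two cannot drift apart. */
static bool get_ref_fixed(struct page_meta *p)
{
    unsigned int x = p->count;
    unsigned int nx = x + 1;

    if (nx >= (1u << REF_WIDTH))
        return false;
    p->count = nx;
    return true;
}

/* Drop one reference; returns true when the count reaches zero, i.e. the
 * point at which the object would be released. */
static bool put_ref(struct page_meta *p)
{
    p->count = p->count - 1;
    return p->count == 0;
}

struct outcome {
    unsigned int granted;        /* references handed out */
    unsigned int refused;        /* requests rejected by the overflow check */
    unsigned int final_count;    /* stored count after all requests */
    bool freed_with_holders;     /* one put hit zero while others still hold */
};

/* Request `attempts` references, then let a single holder drop its one. */
static struct outcome run_scenario(bool (*get_ref)(struct page_meta *),
                                   unsigned int attempts)
{
    struct page_meta p = { 0, 0 };
    struct outcome o = { 0, 0, 0, false };

    for (unsigned int i = 0; i < attempts; i++) {
        if (get_ref(&p))
            o.granted++;
        else
            o.refused++;
    }
    o.final_count = p.count;

    if (o.granted > 0 && put_ref(&p))
        o.freed_with_holders = (o.granted - 1) > 0;
    return o;
}

int main(void)
{
    /* 2^W + 1 requests: enough to wrap the field and take one more. */
    unsigned int attempts = (1u << REF_WIDTH) + 1;
    struct outcome b = run_scenario(get_ref_broken, attempts);
    struct outcome f = run_scenario(get_ref_fixed, attempts);

    printf("broken: granted=%u refused=%u count=%u freed_with_holders=%d\n",
           b.granted, b.refused, b.final_count, b.freed_with_holders);
    printf("fixed:  granted=%u refused=%u count=%u freed_with_holders=%d\n",
           f.granted, f.refused, f.final_count, f.freed_with_holders);
    return 0;
}
```

With the broken check every request succeeds and the stored count wraps, so a single release drives it to zero while other references are still outstanding; the corrected check refuses requests once the field is full.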


From xen-announce-bounces@lists.xenproject.org Thu Jan 11 20:10:22 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 11 Jan 2018 20:10:22 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1eZjAD-0004If-7H; Thu, 11 Jan 2018 20:09:25 +0000
Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=cumc=eg=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1eZjAB-0004IN-8g
 for xen-announce@lists.xen.org; Thu, 11 Jan 2018 20:09:23 +0000
X-Inumbo-ID: 1e4f4a54-f70b-11e7-b4a6-bc764e045a96
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS
 id 1e4f4a54-f70b-11e7-b4a6-bc764e045a96;
 Thu, 11 Jan 2018 21:07:59 +0100 (CET)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1eZj9z-00070P-UW; Thu, 11 Jan 2018 20:09:11 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1eZj9z-0007m9-Rz; Thu, 11 Jan 2018 20:09:11 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eZj9z-0007m9-Rz@xenbits.xenproject.org>
Date: Thu, 11 Jan 2018 20:09:11 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 4

        Information leak via side effects of speculative execution

UPDATES IN VERSION 4
====================

Added README for determining which shim to use, as well as
instructions for using "Vixen" (HVM shim) and the required
conversion script.

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use CPU resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an attacker
can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (eg, anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases
be limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.

RESOLUTION
==========

There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.

For guests with legacy PV kernels which cannot be run in HVM or PVH
mode directly, we have developed two "shim" hypervisors that allow PV
guests to run in HVM mode or PVH mode.  The HVM shim (codenamed
"Vixen") is available now.  We expect to have the PVH shim (codenamed
"Comet") available within a few days.  Please read README.which-shim
to determine which shim is suitable for you.

$ sha256sum xsa254*/*
2df6b811ec7a377a9cc717f7a8ed497f3a90928c21cba81182eb4a802e32ecd7  xsa254/README.vixen
bc04385fd3ec899e1b8c1c001b6169587a8a8b20d5d0d584ff749b7ed67d7e70  xsa254/README.which-shim
36e825118fa8fca30158e50607580ddf64f6c62e5c5127d87d0042fbe2ff37b2  xsa254/pvshim-converter.pl
$


NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa254/README.vixen"
Content-Disposition: attachment; filename="xsa254/README.vixen"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.which-shim"
Content-Disposition: attachment; filename="xsa254/README.which-shim"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/pvshim-converter.pl"
Content-Disposition: attachment; filename="xsa254/pvshim-converter.pl"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xenproject.org Fri Jan 12 12:17:22 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 12 Jan 2018 12:17:22 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1eZyFv-00034W-PO; Fri, 12 Jan 2018 12:16:19 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=dgpl=eh=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1eZyFu-000342-2z
 for xen-announce@lists.xen.org; Fri, 12 Jan 2018 12:16:18 +0000
X-Inumbo-ID: b0441b43-f792-11e7-b0d7-9f685aff125f
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id b0441b43-f792-11e7-b0d7-9f685aff125f;
 Fri, 12 Jan 2018 12:18:25 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1eZyFb-0003rU-Ua; Fri, 12 Jan 2018 12:15:59 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1eZyFb-0003RY-Ry; Fri, 12 Jan 2018 12:15:59 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1eZyFb-0003RY-Ry@xenbits.xenproject.org>
Date: Fri, 12 Jan 2018 12:15:59 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 5

        Information leak via side effects of speculative execution

UPDATES IN VERSION 5
====================

PV-in-PVH/HVM shim approach leaves *guest* vulnerable to Meltdown
attacks from its unprivileged users, even if the guest has KPTI
patches.  That is, guest userspace can use Meltdown to read all memory
in the same guest.

In Vixen shim sidecar creator script, look for qemu in some more
places, and provide a command line option to specify the
qemu-system-i386 to use in case the default doesn't find it.

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an attacker
can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (eg, anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases be
limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.
(Within-guest attacks are still possible unless the guest OS has also
been updated with an SP3 mitigation series such as KPTI/Kaiser.)

For guests with legacy PV kernels which cannot be run in HVM or PVH
mode directly, we have developed two "shim" hypervisors that allow PV
guests to run in HVM mode or PVH mode.  This prevents attacks on the
host, but it leaves the guest vulnerable to Meltdown attacks by its
own unprivileged processes, even if the guest OS has KPTI or similar
Meltdown mitigation.

The HVM shim (codenamed "Vixen") is available now.  We expect to have
the PVH shim (codenamed "Comet") available within a few days.  Please
read README.which-shim to determine which shim is suitable for you.

$ sha256sum xsa254*/*
2df6b811ec7a377a9cc717f7a8ed497f3a90928c21cba81182eb4a802e32ecd7  xsa254/README.vixen
4c30295513ad82debe04845248b5baac0b3d0c151b80fdca32f2df8b9aa0b541  xsa254/README.which-shim
6210615c1384e13da953452e6f47066f8837e2b2c7f671280902e32e96763b54  xsa254/pvshim-converter.pl
$

RESOLUTION
==========

There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.


NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
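
The sha256sum listing under MITIGATION can be checked mechanically against the attachments carried in the same message. The Python below is an added example, not part of the advisory or of the Xen project's code: it decodes every named MIME part, hashes it, and compares the result with the sha256sum lines found in the text part. The message it runs on, including the xsa000/ file names, is constructed, and it assumes the PGP signature over the text has already been verified separately, since the listing is only as trustworthy as that signature.

```python
import hashlib
import hmac
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# One line of `sha256sum` output: 64 hex digits, a space, a mode
# character (' ' for text, '*' for binary), then the file name.
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S.*)$")


def parse_manifest(text):
    """Collect {filename: digest} from sha256sum-style lines in text."""
    manifest = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.rstrip())
        if m:
            manifest[m.group(2)] = m.group(1)
    return manifest


def attachment_digests(msg):
    """Return {filename: sha256 hex digest} for every named MIME part."""
    digests = {}
    for part in msg.walk():
        name = part.get_filename()
        if name is None or part.is_multipart():
            continue
        # decode=True undoes the Content-Transfer-Encoding (base64 here)
        data = part.get_payload(decode=True) or b""
        digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def advisory_text(msg):
    """Return the first unnamed text/plain part (the advisory body)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            return part.get_content()
    return ""


def verify_attachments(raw_message):
    """Map each file name to ok / mismatch / missing / unlisted."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    listed = parse_manifest(advisory_text(msg))
    actual = attachment_digests(msg)
    status = {}
    for name, want in listed.items():
        got = actual.get(name)
        if got is None:
            status[name] = "missing"      # listed but not attached
        elif hmac.compare_digest(got, want):
            status[name] = "ok"
        else:
            status[name] = "mismatch"     # attachment differs from listing
    for name in actual:
        status.setdefault(name, "unlisted")  # attached but never listed
    return status


def build_sample_message():
    """Constructed message: one good, one altered, one absent, one extra."""
    readme = b"constructed README body\n"
    script = b"#!/usr/bin/perl -w\nprint qq(constructed script\\n);\n"
    listing = "\n".join(
        "%s  %s" % (hashlib.sha256(data).hexdigest(), name)
        for name, data in [
            ("xsa000/README.demo", readme),
            ("xsa000/convert-demo.pl", script),
            ("xsa000/README.gone", b"never attached\n"),
        ]
    )
    msg = EmailMessage()
    msg["Subject"] = "constructed advisory"
    msg.set_content("MITIGATION\n\n$ sha256sum xsa000/*\n" + listing + "\n$\n")
    for name, data in [
        ("xsa000/README.demo", readme),
        ("xsa000/convert-demo.pl", script + b"# altered in transit\n"),
        ("xsa000/extra.bin", b"\x00\x01"),
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, state in sorted(verify_attachments(build_sample_message()).items()):
        print("%-9s %s" % (state, name))
```

Anything other than "ok" for every listed file means the attachment should not be run, which matters most for an executable such as the converter script.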

--=separator
Content-Type: application/octet-stream; name="xsa254/README.vixen"
Content-Disposition: attachment; filename="xsa254/README.vixen"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.which-shim"
Content-Disposition: attachment; filename="xsa254/README.which-shim"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/pvshim-converter.pl"
Content-Disposition: attachment; filename="xsa254/pvshim-converter.pl"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--
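
The XSA-254 mails carry their README files and the converter script as base64 MIME attachments, and the PGP-signed advisory text lists the expected SHA-256 digests in `sha256sum` output format. The following is an added example, not part of the advisory or of any Xen project code: it checks every attachment of a raw message against that listing. The function names, the `xsa000/...` file names and the sample message are constructed for illustration.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# One line of `sha256sum` output: 64 hex digits, a space, ' ' or '*', the name.
_SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")


def parse_sha256sum_listing(text):
    """Return {file name: hex digest} for every sha256sum-style line in text."""
    expected = {}
    for line in text.splitlines():
        match = _SUM_LINE.match(line.strip())
        if match:
            expected[match.group(2)] = match.group(1)
    return expected


def verify_attachments(raw_message):
    """Compare each attachment's SHA-256 with the listing in the first text part.

    Returns {file name: "ok" | "mismatch" | "missing" | "unlisted"}.
    Payloads are hashed in memory; the attachment name (which may contain a
    directory, e.g. "xsa254/README.comet") is only ever used as a dict key,
    never as a path to write to.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    expected, actual = None, {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / QP
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or "(unnamed)"
            actual[name] = hashlib.sha256(payload).hexdigest()
        elif expected is None and part.get_content_type() == "text/plain":
            # First inline text part = advisory body; later ones (list footer)
            # are ignored.
            charset = part.get_content_charset() or "utf-8"
            expected = parse_sha256sum_listing(payload.decode(charset, "replace"))
    expected = expected or {}
    report = {}
    for name, digest in expected.items():
        if name not in actual:
            report[name] = "missing"      # listed in the body, not attached
        elif actual[name] == digest:
            report[name] = "ok"
        else:
            report[name] = "mismatch"     # attachment differs from the listing
    for name in actual:
        if name not in expected:
            report[name] = "unlisted"     # attached, but the body has no digest
    return report


def build_sample_message(tamper=False, drop=None):
    """Constructed sample: an advisory-shaped mail with two listed files
    and one attachment that the listing does not cover."""
    files = {
        "xsa000/README.example": b"constructed README text\n",
        "xsa000/tool.pl": b"#!/usr/bin/perl\nprint qq(constructed)\n",
    }
    listing = "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n"
        for name, data in sorted(files.items())
    )
    msg = EmailMessage()
    msg["Subject"] = "constructed advisory"
    msg.set_content("MITIGATION\n\n$ sha256sum xsa000*/*\n" + listing + "$\n")
    files["xsa000/extra.bin"] = b"not mentioned in the listing"
    for name, data in files.items():
        if name == drop:
            continue
        if tamper and name == "xsa000/tool.pl":
            data += b"# modified after the listing was written\n"
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("intact", build_sample_message()),
                       ("tampered", build_sample_message(tamper=True))):
        print(label)
        for name, status in sorted(verify_attachments(raw).items()):
            print(f"  {status:9} {name}")
```

The digest list is only as trustworthy as the signature over the text that contains it, so check the clearsigned body with `gpg --verify` before relying on an "ok" result.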


From xen-announce-bounces@lists.xenproject.org Fri Jan 12 17:37:51 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 12 Jan 2018 17:37:51 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1ea3G9-0000Hp-6y; Fri, 12 Jan 2018 17:36:53 +0000
Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=dgpl=eh=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1ea3G8-0000HW-RB
 for xen-announce@lists.xen.org; Fri, 12 Jan 2018 17:36:52 +0000
X-Inumbo-ID: f9c836d6-f7be-11e7-b4a6-bc764e045a96
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS
 id f9c836d6-f7be-11e7-b4a6-bc764e045a96;
 Fri, 12 Jan 2018 18:35:26 +0100 (CET)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1ea3Fo-0004gu-BD; Fri, 12 Jan 2018 17:36:32 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ea3Fo-0000JJ-8f; Fri, 12 Jan 2018 17:36:32 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1ea3Fo-0000JJ-8f@xenbits.xenproject.org>
Date: Fri, 12 Jan 2018 17:36:32 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 6

        Information leak via side effects of speculative execution

UPDATES IN VERSION 6
====================

PVH shim ("Comet") for 4.10 is available.

Mention within-guest attack in README.vixen as well as
README.which-shim.

Vixen shim converter script "exec"s qemu, avoiding stale qemu
processes (and, therefore, avoiding stale domains).

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an
attacker can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (eg, anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases
be limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.
(Within-guest attacks are still possible unless the guest OS has also
been updated with an SP3 mitigation series such as KPTI/Kaiser.)

For guests with legacy PV kernels which cannot be run in HVM or PVH
mode directly, we have developed two "shim" hypervisors that allow PV
guests to run in HVM mode or PVH mode.  This prevents attacks on the
host, but it leaves the guest vulnerable to Meltdown attacks by its
own unprivileged processes, even if the guest OS has KPTI or similar
Meltdown mitigation.

The HVM shim (codenamed "Vixen") is available now, as is the PVH shim
(codenamed "Comet") for Xen 4.10.  We expect to have Comet for 4.8 and
4.9 within a few days.  Please read README.which-shim to determine
which shim is suitable for you.

$ sha256sum xsa254*/*
f81c4624f8b188a2c33efa8687d3442bbd17c476e1a10761ef70c0aa99f6c659  xsa254/README.comet
1c594822dbd95998951203f6094bc77586d5720788de15897784d20bacb2ef08  xsa254/README.vixen
7e816160c1c1d1cd93ec3c3dd9753c8f3957fefe86b7aa967e9e77833828f849  xsa254/README.which-shim
1d2098ad3890a5be49444560406f8f271c716e9f80e7dfe11ff5c818277f33f8  xsa254/pvshim-converter.pl
$

RESOLUTION
==========

There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.


NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa254/README.comet"
Content-Disposition: attachment; filename="xsa254/README.comet"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.vixen"
Content-Disposition: attachment; filename="xsa254/README.vixen"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.which-shim"
Content-Disposition: attachment; filename="xsa254/README.which-shim"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/pvshim-converter.pl"
Content-Disposition: attachment; filename="xsa254/pvshim-converter.pl"
Content-Transfer-Encoding: base64


--=separator--


From xen-announce-bounces@lists.xenproject.org Fri Jan 12 17:48:03 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 12 Jan 2018 17:48:03 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1ea3Q7-0002G3-HK; Fri, 12 Jan 2018 17:47:11 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=dgpl=eh=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1ea3Q5-0002F1-3Z
 for xen-announce@lists.xen.org; Fri, 12 Jan 2018 17:47:09 +0000
X-Inumbo-ID: e98cf734-f7c0-11e7-b0d7-9f685aff125f
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id e98cf734-f7c0-11e7-b0d7-9f685aff125f;
 Fri, 12 Jan 2018 17:49:18 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1ea3Pq-00052n-To; Fri, 12 Jan 2018 17:46:54 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ea3Pq-0002Nf-RK; Fri, 12 Jan 2018 17:46:54 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1ea3Pq-0002Nf-RK@xenbits.xenproject.org>
Date: Fri, 12 Jan 2018 17:46:54 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 7

        Information leak via side effects of speculative execution

UPDATES IN VERSION 7
====================

PVH shim ("Comet") for 4.10 tag correction: please use tag
4.10.0-shim-comet-1.1.

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an
attacker can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (eg, anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases
be limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.
(Within-guest attacks are still possible unless the guest OS has also
been updated with an SP3 mitigation series such as KPTI/Kaiser.)

For guests with legacy PV kernels which cannot be run in HVM or PVH
mode directly, we have developed two "shim" hypervisors that allow PV
guests to run in HVM mode or PVH mode.  This prevents attacks on the
host, but it leaves the guest vulnerable to Meltdown attacks by its
own unprivileged processes, even if the guest OS has KPTI or similar
Meltdown mitigation.

The HVM shim (codenamed "Vixen") is available now, as is the PVH shim
(codenamed "Comet") for Xen 4.10.  We expect to have Comet for 4.8 and
4.9 within a few days.  Please read README.which-shim to determine
which shim is suitable for you.

$ sha256sum xsa254*/*
34749c1169c5c8a1c0f7457184998e17ae54d5b262984150286db74ac1a82d22  xsa254/README.comet
1c594822dbd95998951203f6094bc77586d5720788de15897784d20bacb2ef08  xsa254/README.vixen
7e816160c1c1d1cd93ec3c3dd9753c8f3957fefe86b7aa967e9e77833828f849  xsa254/README.which-shim
1d2098ad3890a5be49444560406f8f271c716e9f80e7dfe11ff5c818277f33f8  xsa254/pvshim-converter.pl
$
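
The hashes above sit inside the PGP-signed text, while the attachments are separate MIME parts with no signature of their own, so this manifest is what ties each attachment to the advisory. The following is an added example, not part of the advisory or of the Xen project's tooling: it parses the transcript block and checks a directory of decoded attachments against it. The function names and the temporary files in `demo()` are constructed for illustration, and the advisory's signature is assumed to have been verified separately.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path, PurePosixPath

# Manifest block copied verbatim from the advisory text.
ADVISORY_EXCERPT = """\
$ sha256sum xsa254*/*
34749c1169c5c8a1c0f7457184998e17ae54d5b262984150286db74ac1a82d22  xsa254/README.comet
1c594822dbd95998951203f6094bc77586d5720788de15897784d20bacb2ef08  xsa254/README.vixen
7e816160c1c1d1cd93ec3c3dd9753c8f3957fefe86b7aa967e9e77833828f849  xsa254/README.which-shim
1d2098ad3890a5be49444560406f8f271c716e9f80e7dfe11ff5c818277f33f8  xsa254/pvshim-converter.pl
$
"""

# sha256sum output: 64 hex digits, a space, a mode character (' ' or '*'), the name.
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")


def parse_manifest(text):
    """Return {relative_path: digest} for the lines between the
    '$ sha256sum' prompt and the closing '$' prompt."""
    manifest, inside = {}, False
    for line in text.splitlines():
        if line.startswith("$ sha256sum"):
            inside = True
            continue
        if not inside:
            continue
        if line.strip() == "$":
            break
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = match.groups()
        path = PurePosixPath(name)
        # A manifest entry must never point outside the download directory.
        if path.is_absolute() or ".." in path.parts:
            raise ValueError(f"unsafe path in manifest: {name!r}")
        if name in manifest:
            raise ValueError(f"duplicate manifest entry: {name!r}")
        manifest[name] = digest
    if not manifest:
        raise ValueError("no sha256sum block found")
    return manifest


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large attachments need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_tree(manifest, base_dir):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}."""
    base = Path(base_dir)
    report = {}
    for name, expected in manifest.items():
        path = base / name
        if not path.is_file():
            report[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected):
            report[name] = "OK"
        else:
            report[name] = "MISMATCH"
    # Flag files that sit beside the listed ones but are not covered by the
    # signed manifest: nothing vouches for them.
    for directory in {str(PurePosixPath(n).parent) for n in manifest}:
        dir_path = base / directory
        if dir_path.is_dir():
            for entry in sorted(dir_path.iterdir()):
                if entry.is_file():
                    rel = entry.relative_to(base).as_posix()
                    report.setdefault(rel, "UNLISTED")
    return report


def demo():
    """Constructed tree: one intact file, one altered, one absent, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        shim_dir = Path(tmp) / "xsa254"
        shim_dir.mkdir()
        intact = b"constructed sample content\n"
        (shim_dir / "README.vixen").write_bytes(intact)
        (shim_dir / "pvshim-converter.pl").write_bytes(b"altered in transit\n")
        (shim_dir / "extra.sh").write_bytes(b"not in the manifest\n")
        manifest = {  # constructed digests, not the advisory's
            "xsa254/README.vixen": hashlib.sha256(intact).hexdigest(),
            "xsa254/pvshim-converter.pl": hashlib.sha256(b"as published\n").hexdigest(),
            "xsa254/README.comet": hashlib.sha256(b"never saved\n").hexdigest(),
        }
        return verify_tree(manifest, tmp)


if __name__ == "__main__":
    for name, digest in parse_manifest(ADVISORY_EXCERPT).items():
        print(digest[:16], name)
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

To check real downloads, pass the saved advisory text to `parse_manifest()` and the directory containing `xsa254/` to `verify_tree()`; anything other than `OK` for every entry means the files should not be used.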

RESOLUTION
==========

There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.


NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa254/README.comet"
Content-Disposition: attachment; filename="xsa254/README.comet"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.vixen"
Content-Disposition: attachment; filename="xsa254/README.vixen"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.which-shim"
Content-Disposition: attachment; filename="xsa254/README.which-shim"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/pvshim-converter.pl"
Content-Disposition: attachment; filename="xsa254/pvshim-converter.pl"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xenproject.org Tue Jan 16 17:44:49 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 16 Jan 2018 17:44:49 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1ebVH5-0003Wf-Vv; Tue, 16 Jan 2018 17:43:51 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=fwfk=el=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1ebVH4-0003W0-GC
 for xen-announce@lists.xen.org; Tue, 16 Jan 2018 17:43:50 +0000
X-Inumbo-ID: 248f1630-fae5-11e7-b0d7-9f685aff125f
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 248f1630-fae5-11e7-b0d7-9f685aff125f;
 Tue, 16 Jan 2018 17:46:12 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1ebVGp-0005ww-0y; Tue, 16 Jan 2018 17:43:35 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ebVGo-0005UP-WF; Tue, 16 Jan 2018 17:43:35 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1ebVGo-0005UP-WF@xenbits.xenproject.org>
Date: Tue, 16 Jan 2018 17:43:34 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 8

        Information leak via side effects of speculative execution

UPDATES IN VERSION 8
====================

PVH shim ("Comet") is now available for Xen 4.8.

Fixes for two bugs in PVH shim "Comet": one relating to shim
initialisation, which can cause hangs during guest boot shortly after
host boot(!), and one to make qemu PV backends work in PVH mode.
Thanks to the respective contributors.

We are no longer inclined to port the "Comet" patches to Xen 4.9.  If
this causes you a problem please let us know by contacting us:
 To: security@xenproject.org; CC: xen-devel@lists.xenproject.org

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an attacker
can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (eg, anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases be
limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.
(Within-guest attacks are still possible unless the guest OS has also
been updated with an SP3 mitigation series such as KPTI/Kaiser.)

For guests with legacy PV kernels which cannot be run in HVM or PVH
mode directly, we have developed two "shim" hypervisors that allow PV
guests to run in HVM mode or PVH mode.  This prevents attacks on the
host, but it leaves the guest vulnerable to Meltdown attacks by its
own unprivileged processes, even if the guest OS has KPTI or similar
Meltdown mitigation.

The HVM shim (codenamed "Vixen") is available now, as is the PVH shim
(codenamed "Comet") for Xen 4.10 and Xen 4.8.   Please read
README.which-shim to determine which shim is suitable for you.

$ sha256sum xsa254*/*
2f830fede5d58d3d90fe942ec2d8c4ef65cd14c4d565f9a1b9817847662ebba1  xsa254/README.comet
1c594822dbd95998951203f6094bc77586d5720788de15897784d20bacb2ef08  xsa254/README.vixen
7e816160c1c1d1cd93ec3c3dd9753c8f3957fefe86b7aa967e9e77833828f849  xsa254/README.which-shim
1d2098ad3890a5be49444560406f8f271c716e9f80e7dfe11ff5c818277f33f8  xsa254/pvshim-converter.pl
$

RESOLUTION
==========

There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.


NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa254/README.comet"
Content-Disposition: attachment; filename="xsa254/README.comet"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.vixen"
Content-Disposition: attachment; filename="xsa254/README.vixen"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.which-shim"
Content-Disposition: attachment; filename="xsa254/README.which-shim"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/pvshim-converter.pl"
Content-Disposition: attachment; filename="xsa254/pvshim-converter.pl"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xenproject.org Wed Jan 17 17:14:26 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 17 Jan 2018 17:14:26 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1ebrHB-0003hj-3K; Wed, 17 Jan 2018 17:13:25 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=ixl7=em=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1ebrHA-0003h7-5p
 for xen-announce@lists.xen.org; Wed, 17 Jan 2018 17:13:24 +0000
X-Inumbo-ID: 102a629c-fbaa-11e7-b0d7-9f685aff125f
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 102a629c-fbaa-11e7-b0d7-9f685aff125f;
 Wed, 17 Jan 2018 17:15:49 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1ebrGm-0007Li-9H; Wed, 17 Jan 2018 17:13:00 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ebrGm-0003TG-2n; Wed, 17 Jan 2018 17:13:00 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1ebrGm-0003TG-2n@xenbits.xenproject.org>
Date: Wed, 17 Jan 2018 17:13:00 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 9

        Information leak via side effects of speculative execution

UPDATES IN VERSION 9
====================

"Stage 1" pagetable isolation (PTI) Meltdown fixes for Xen are
available.

"Comet" updates to shim code (4.10 branch):
 * Include >32vcpu workaround in shim branch so that all shim
   guests can boot without hypervisor changes.
 * Fix shim build on systems whose find(1) lacks -printf
 * Place shim trampoline at page 0x1 to avoid having 0 mapped
(4.8 "Comet" users are using the 4.10 shim and may want to update.)

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an attacker
can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (eg, anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases
be limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by page-table isolation ("PTI").
See Resolution below.

SP3 can be mitigated by running guests in HVM or PVH mode.
(Within-guest attacks are still possible unless the guest OS has also
been updated with an SP3 mitigation series such as KPTI/Kaiser.)

For guests with legacy PV kernels which cannot be run in HVM or PVH
mode directly, we have developed two "shim" hypervisors that allow PV
guests to run in HVM mode or PVH mode.  This prevents attacks on the
host, but it leaves the guest vulnerable to Meltdown attacks by its
own unprivileged processes, even if the guest OS has KPTI or similar
Meltdown mitigation.

The HVM shim (codenamed "Vixen") is available now, as is the PVH shim
(codenamed "Comet") for Xen 4.10 and Xen 4.8.   Please read
README.which-shim to determine which shim is suitable for you.


$ sha256sum xsa254*/*
1cba14ff83844d001d6c8a74afc3f764f49182cc7a06bb4463548450ac96cc2f  xsa254/README.comet
cddd78cd7a00df9fa254156993f0309cea825d600f5ad8b36243148cf686bc9b  xsa254/README.pti
3ef42381879befc84aa78b67d3a9b7b0cd862a2ffa445810466e90be6c6a5e86  xsa254/README.vixen
7e816160c1c1d1cd93ec3c3dd9753c8f3957fefe86b7aa967e9e77833828f849  xsa254/README.which-shim
1d2098ad3890a5be49444560406f8f271c716e9f80e7dfe11ff5c818277f33f8  xsa254/pvshim-converter.pl
$

RESOLUTION
==========

These are hardware bugs, so technically speaking they cannot be
properly fixed in software.  However, it is possible in many cases to
provide patches to software to work around the problems.


There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.


SP3 can be mitigated by page-table isolation ("PTI").

We have a "stage 1" implementation.  It allows 64-bit PV guests to be
run natively while restricting what can be accessed via SP3 to the Xen
stack of the current pcpu (which may contain remnants of information
from other guests, but should be much more difficult to attack
reliably).

Unfortunately these "stage 1" patches incur a non-negligible
performance overhead; about equivalent to the "PV shim" approaches
above.  Moving to plain HVM or PVH guests is recommended where
possible.  For more information on that, see below.

Patches for the "stage-1" PTI implementation are available in the Xen
staging-NN branches for each Xen revision.  See README.pti for
specific revisions.


NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
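
A triage sketch for the rule stated under VULNERABLE SYSTEMS and MITIGATION above (only 64-bit PV guests can exploit SP3 against Xen; HVM and PVH guests cannot; shimmed guests protect the host but not themselves). It is an added example, not part of the advisory or of Xen's tooling. It assumes xl domain configs using the `type`, `builder` and `pvshim` keys from xl.cfg(5); the sample configs are constructed, guest bitness cannot be read from the config, and a Vixen-converted guest shows up as plain HVM.

```python
import ast
import re

# Only these xl.cfg(5) keys matter for deciding the guest mode.
_ASSIGN = re.compile(r"^\s*(name|type|builder|pvshim)\s*=\s*(.+?)\s*$")

HOST_EXPOSED = "pv: can target Xen via SP3 if the guest is 64-bit"
HOST_SAFE = "hvm/pvh: cannot exploit SP3 against Xen"
SHIMMED = "pv-in-pvh shim: host protected, guest still exposed to its own processes"
UNKNOWN = "unrecognised guest type"


def parse_xl_config(text):
    """Extract the mode-related keys from an xl domain config as Python values."""
    cfg = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue  # comment, blank line, or a key we do not need
        try:
            # xl values are quoted strings, integers or lists; literal_eval
            # parses them without executing anything and ignores "# ..." tails.
            cfg[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            continue
    return cfg


def guest_mode(cfg):
    """'type' wins; otherwise builder='hvm' means HVM; otherwise the guest is PV."""
    if "type" in cfg:
        return str(cfg["type"]).lower()
    return "hvm" if str(cfg.get("builder", "")).lower() == "hvm" else "pv"


def triage(text):
    """Return (name, mode, verdict) for one guest config."""
    cfg = parse_xl_config(text)
    mode = guest_mode(cfg)
    if mode == "pv":
        verdict = HOST_EXPOSED
    elif mode == "pvh" and cfg.get("pvshim") in (1, "1", True):
        verdict = SHIMMED
    elif mode in ("hvm", "pvh"):
        verdict = HOST_SAFE
    else:
        verdict = UNKNOWN
    return cfg.get("name", "?"), mode, verdict


# Constructed sample configs (not taken from the advisory).
LEGACY_PV = '''
name = "legacy-db"
kernel = "/boot/vmlinuz-guest"
memory = 2048
builder = "generic"
'''

COMET_SHIM = '''
name = "legacy-db"
kernel = "/boot/vmlinuz-guest"
type = "pvh"   # converted to run under the PVH shim
pvshim = 1
'''

PLAIN_HVM = '''
name = "web"
builder = 'hvm'
'''

if __name__ == "__main__":
    for sample in (LEGACY_PV, COMET_SHIM, PLAIN_HVM):
        print("%-10s %-4s %s" % triage(sample))
```
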

--=separator
Content-Type: application/octet-stream; name="xsa254/README.comet"
Content-Disposition: attachment; filename="xsa254/README.comet"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.pti"
Content-Disposition: attachment; filename="xsa254/README.pti"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.vixen"
Content-Disposition: attachment; filename="xsa254/README.vixen"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.which-shim"
Content-Disposition: attachment; filename="xsa254/README.which-shim"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/pvshim-converter.pl"
Content-Disposition: attachment; filename="xsa254/pvshim-converter.pl"
Content-Transfer-Encoding: base64


--=separator--


From xen-announce-bounces@lists.xenproject.org Thu Jan 18 18:40:08 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 18 Jan 2018 18:40:08 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1ecF5d-0007x3-DB; Thu, 18 Jan 2018 18:39:05 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from
 <srs0=lfdo=en=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1ecF5c-0007wk-EI
 for xen-announce@lists.xen.org; Thu, 18 Jan 2018 18:39:04 +0000
X-Inumbo-ID: 34cf0fdd-fc7f-11e7-b0d7-9f685aff125f
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 34cf0fdd-fc7f-11e7-b0d7-9f685aff125f;
 Thu, 18 Jan 2018 18:41:33 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1ecF5F-0002Qa-AN; Thu, 18 Jan 2018 18:38:41 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.84_2)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1ecF5F-00031D-7Y; Thu, 18 Jan 2018 18:38:41 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1ecF5F-00031D-7Y@xenbits.xenproject.org>
Date: Thu, 18 Jan 2018 18:38:41 +0000
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: [Xen-announce] Xen Security Advisory 254 (CVE-2017-5753,
 CVE-2017-5715,
 CVE-2017-5754) - Information leak via side effects of speculative execution
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
                                 version 10

        Information leak via side effects of speculative execution

UPDATES IN VERSION 10
=====================

Provided summary table for the various Meltdown options.

Note that in XSA-254 v9's Updates section we said
  * Include >32vcpu workaround in shim branch ...
but this workaround is for guests with 32 or *fewer* vcpus; guests
with more will still need the L0 hypervisor patched and rebooted.

ISSUE DESCRIPTION
=================

Processors give the illusion of a sequence of instructions executed
one-by-one.  However, in order to most efficiently use cpu resources,
modern superscalar processors actually begin executing many
instructions in parallel.  In cases where instructions depend on the
result of previous instructions or checks which have not yet
completed, execution happens based on guesses about what the outcome
will be.  If the guess is correct, execution has been sped up.  If the
guess is incorrect, partially-executed instructions are cancelled and
architectural state changes (to registers, memory, and so on)
reverted; but the whole process is no slower than if no guess had been
made at all.  This is sometimes called "speculative execution".

Unfortunately, although architectural state is rolled back, there are
other side effects, such as changes to TLB or cache state, which are
not rolled back.  These side effects can subsequently be detected by
an attacker to determine information about what happened during the
speculative execution phase.  If an attacker can cause speculative
execution to access sensitive memory areas, they may be able to infer
what that sensitive memory contained.

Furthermore, these guesses can often be 'poisoned', such that an attacker
can cause logic to reliably 'guess' the way the attacker chooses.
This advisory discusses three ways to cause speculative execution to
access sensitive memory areas (named here according to the
discoverer's naming scheme):

"Bounds-check bypass" (aka SP1, "Variant 1", Spectre CVE-2017-5753):
Poison the branch predictor, such that victim code is speculatively
executed past boundary and security checks.  This would allow an
attacker to, for instance, cause speculative code in the normal
hypercall / emulation path to execute with wild array indexes.

"Branch Target Injection" (aka SP2, "Variant 2", Spectre CVE-2017-5715):
Poison the branch predictor.  Well-abstracted code often involves
calling function pointers via indirect branches; reading these
function pointers may involve a (slow) memory access, so the CPU
attempts to guess where indirect branches will lead.  Poisoning this
enables an attacker to speculatively branch to any code that is
executable by the victim (eg, anywhere in the hypervisor).

"Rogue Data Load" (aka SP3, "Variant 3", Meltdown, CVE-2017-5754):
On some processors, certain pagetable permission checks only happen
when the instruction is retired; effectively meaning that speculative
execution is not subject to pagetable permission checks.  On such
processors, an attacker can speculatively execute arbitrary code in
userspace with, effectively, the highest privilege level.

More information is available here:
  https://meltdownattack.com/
  https://spectreattack.com/
  https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Additional Xen-specific background:

Xen hypervisors on most systems map all of physical RAM, so code
speculatively executed in a hypervisor context can read all of system
RAM.

When running PV guests, the guest and the hypervisor share the address
space; guest kernels run in a lower privilege level, and Xen runs in
the highest privilege level.  (x86 HVM and PVH guests, and ARM guests,
run in a separate address space to the hypervisor.)  However, only
64-bit PV guests can generate addresses large enough to point to
hypervisor memory.

IMPACT
======

Xen guests may be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.  For
SP1, an attacker is limited to windows of code after bound checks of
user-supplied indexes.  For SP2, the attacker will in many cases
be limited to executing arbitrary pre-existing code inside of Xen.
For SP3 (and other cases for SP2), an attacker can write arbitrary
code to speculatively execute.

Additionally, in general, attacks within a guest (from guest user to
guest kernel) will be the same as on real hardware.  Consult your
operating system provider for more information.

NOTE ON TIMING
==============

This vulnerability was originally scheduled to be made public on 9
January.  It was accelerated at the request of the discloser due to
one of the issues being made public.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

For SP1 and SP2, both Intel and AMD are vulnerable.  Vulnerability of
ARM processors to SP1 and SP2 varies by model and manufacturer.  ARM
has information on affected models on the following website:
   https://developer.arm.com/support/security-update

For SP3, only Intel processors are vulnerable.  (The hypervisor cannot
be attacked using SP3 on any ARM processors, even those that are
listed as affected by SP3.)

Furthermore, only 64-bit PV guests can exploit SP3 against Xen.  PVH,
HVM, and 32-bit PV guests cannot exploit SP3.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by page-table isolation ("PTI").
See Resolution below.

SP3 can, alternatively, be mitigated by running guests in HVM or PVH
mode.  (Within-guest attacks are still possible unless the guest OS
has also been updated with an SP3 mitigation series such as
KPTI/Kaiser.)

For guests with legacy PV kernels which cannot be run in HVM or PVH
mode directly, we have developed two "shim" hypervisors that allow PV
guests to run in HVM mode or PVH mode.  This prevents attacks on the
host, but it leaves the guest vulnerable to Meltdown attacks by its
own unprivileged processes, even if the guest OS has KPTI or similar
Meltdown mitigation.

The HVM shim (codenamed "Vixen") is available now, as is the PVH shim
(codenamed "Comet") for Xen 4.10 and Xen 4.8.   Please read
README.which-shim to determine which shim is suitable for you.


RESOLUTION
==========

These are hardware bugs, so technically speaking they cannot be
properly fixed in software.  However, it is possible in many cases to
provide patches to software to work around the problems.


There is no available resolution for SP1.  A solution may be available
in the future.

We are working on patches which mitigate SP2 but these are not
currently available.  Given that the vulnerabilities are now public,
these will be developed and published in public, initially via
xen-devel.


SP3 can be mitigated by page-table isolation ("PTI").

We have a "stage 1" implementation.  It allows 64-bit PV guests to be
run natively while restricting what can be accessed via SP3 to the Xen
stack of the current pcpu (which may contain remnants of information
from other guests, but should be much more difficult to attack
reliably).

Unfortunately these "stage 1" patches incur a non-negligible
performance overhead; about equivalent to the "PV shim" approaches
above.  Moving to plain HVM or PVH guests is recommended where
possible.  For more information on that, see below.

Patches for the "stage-1" PTI implementation are available in the Xen
staging-NN branches for each Xen revision.  See README.pti for
specific revisions.


SP3 MITIGATION OPTIONS SUMMARY TABLE FOR 64-bit X86 PV GUESTS
=============================================================

Everything in this section applies to 64-bit PV x86 guests only.

             Xen PTI      Use PVH      Use HVM     PVH shim     HVM shim
             "stage 1"                             "Comet"      "Vixen"

How to use   README.pti  type="pvh"  type="hvm"  README.comet  README.vixen

Guest          All        Linux 4.11+  Most[4]     All         All
support                ?unikernels?[3]

Xen            4.6+      4.10+         All         4.10, 4.8   All
 versions                4.8-comet[1]

Testing       Limited    4.10: Good    Very good   Moderate    Very good
 status       Very new   4.8: Moderate

Performance    Fair        Excellent   Varies[4]   Fair        Fair

Hypervisor     Needed      No need     No need     No need     No need
  changes

SP3 guest   Substantially  Protected   Protected   Protected   Protected
 to host      protected

SP3 within    Protected    Guest       Guest       Vulnerable  Vulnerable
 guest                     patches     patches      [5]         [5]

SP3 from      Protected    n/a; vuln.  n/a; vuln.  n/a; vuln.  n/a; vuln.
 dom0 user                  [9]         [9]         [9]         [9]

Device model   No dm       No dm       Qemu        No dm       Qemu

Config change  None      type="pvh"  type="hvm"/  type="pvh"   Tool to rewrite
                                    builder="hvm"  pvshim=1    Needs "sidecar"

Within-guest   None       Should be    Disks+net   None        None
 changes?                  none        may change

Extra RAM use  V. slight   None       ~9Mb/guest >=~20Mb/guest >=~29Mb/guest

Migration      OK          OK          OK[4]       OK          Unsupported[2]
Guest mem adj  OK          OK          OK          Broken[2]   Unsupported[2]
vcpu hotplug   OK          OK          OK          OK          Unsupported[2]

Solution      Indefinite  Indefinite  Indefinite  Indefinite  Limited
 lifetime                                           [7]        [6]

[1] PVH is supported in Xen 4.8 only with the 4.8 "Comet" security
release branch.

[2] Some features in PVH/HVM shim guests are not inherently broken,
but buggy in the currently available versions.  These may be fixed in
future proper releases of the same feature.

[3] Most unikernels have Xen support based on a version of mini-os.
mini-os master can boot PVH.  But this is very recent.

[4] Some guests which have support for Xen PV fail to boot properly in
Xen HVM.  Some such guests can be made to boot HVM by disabling the
PV-on-HVM support entirely in the guest or in Xen; in that case the
guest may work but IO performance will be poor.  Some PV-supporting
guests can boot as HVM, with PV drivers, but fail when migrated.

[5] The Comet and Vixen shim hypervisors direct-map all of their
"physical" memory, and that direct-map can be accessed using Meltdown
by unprivileged processes in the guest.  So the guest is vulnerable to
within-guest Meltdown attacks and the guest operating system cannot
protect itself.

[6] "Vixen" HVM shim is not expected to be incorporated in future Xen
stable releases.  At some point, support for it will be withdrawn.
However, HVM shim functionality may be available in a future Xen 4.10
stable point release and would then probably be useable with the
existing conversion script provided in this advisory.

[7] The lifetime of the special Comet branches is limited, but we will
not desupport them until some time after the same functionality is in
appropriate Xen stable point releases.

[8] The 64-bit x86 PV guest ABI precludes a guest from mapping its
kernel and userspace in the same address space.  So these guests are
inherently immune to within-guest Meltdown attacks, without
within-guest patching.  (This applies to 64-bit x86 PV guests only.)

[9] It is not possible to run dom0 as HVM.  dom0 PVH is a planned
enhancement which is not yet available even in preview form.


ATTACHMENTS
===========

$ sha256sum xsa254*/*
1cba14ff83844d001d6c8a74afc3f764f49182cc7a06bb4463548450ac96cc2f  xsa254/README.comet
cddd78cd7a00df9fa254156993f0309cea825d600f5ad8b36243148cf686bc9b  xsa254/README.pti
3ef42381879befc84aa78b67d3a9b7b0cd862a2ffa445810466e90be6c6a5e86  xsa254/README.vixen
7e816160c1c1d1cd93ec3c3dd9753c8f3957fefe86b7aa967e9e77833828f849  xsa254/README.which-shim
1d2098ad3890a5be49444560406f8f271c716e9f80e7dfe11ff5c818277f33f8  xsa254/pvshim-converter.pl
$


NOTE ON LACK OF EMBARGO
=======================

The timetable and process were set by the discloser.

After the intensive initial response period for these vulnerabilities
is over, we will prepare and publish a full timeline, as we have done
in a handful of other cases of significant public interest where we
saw opportunities for process improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa254/README.comet"
Content-Disposition: attachment; filename="xsa254/README.comet"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.pti"
Content-Disposition: attachment; filename="xsa254/README.pti"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.vixen"
Content-Disposition: attachment; filename="xsa254/README.vixen"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/README.which-shim"
Content-Disposition: attachment; filename="xsa254/README.which-shim"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa254/pvshim-converter.pl"
Content-Disposition: attachment; filename="xsa254/pvshim-converter.pl"
Content-Transfer-Encoding: base64



--=separator--


From xen-announce-bounces@lists.xenproject.org Wed Jan 24 16:34:12 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 24 Jan 2018 16:34:12 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1eeNyf-0004rO-0D; Wed, 24 Jan 2018 16:32:45 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.84_2)
 (envelope-from <srs0=5p9l=et=suse.com=jbeulich@srs-us1.protection.inumbo.net>)
 id 1eeKY1-0007xH-Fv
 for xen-announce@lists.xenproject.org; Wed, 24 Jan 2018 12:53:01 +0000
X-Inumbo-ID: 82422a42-0105-11e8-b9b1-635ca7ef6cff
Received: from prv-mh.provo.novell.com (unknown [137.65.248.74])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 82422a42-0105-11e8-b9b1-635ca7ef6cff;
 Wed, 24 Jan 2018 12:53:01 +0000 (UTC)
Received: from INET-PRV-MTA by prv-mh.provo.novell.com
 with Novell_GroupWise; Wed, 24 Jan 2018 05:52:53 -0700
Message-Id: <5A688FB402000078001A1F1C@prv-mh.provo.novell.com>
X-Mailer: Novell GroupWise Internet Agent 18.0.0 
Date: Wed, 24 Jan 2018 05:52:52 -0700
From: "Jan Beulich" <JBeulich@suse.com>
To: <xen-announce@lists.xenproject.org>
Mime-Version: 1.0
Content-Disposition: inline
X-Mailman-Approved-At: Wed, 24 Jan 2018 16:32:43 +0000
Cc: xen-devel <xen-devel@lists.xenproject.org>
Subject: [Xen-announce] Xen 4.8.3 released
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

All,

I am pleased to announce the release of Xen 4.8.3. This is
available immediately from its git repository
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.8
(tag RELEASE-4.8.3) or from the XenProject download page
http://www.xenproject.org/downloads/xen-archives/xen-project-48-series/xen-483.html
(where a list of changes can also be found).

We recommend all users of the 4.8 stable series to update to this
latest point release.

Regards, Jan

