From xen-announce-bounces@lists.xenproject.org Tue Aug 14 17:17:27 2018
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1fpcvX-0005fq-35@xenbits.xenproject.org>
Date: Tue, 14 Aug 2018 17:16:15 +0000
Subject: [Xen-announce] Xen Security Advisory 273 v1 (CVE-2018-3620, CVE-2018-3646) - L1 Terminal Fault speculative side channel

     Xen Security Advisory CVE-2018-3620, CVE-2018-3646 / XSA-273

               L1 Terminal Fault speculative side channel

ISSUE DESCRIPTION
=================

In x86 nomenclature, a Terminal Fault is a pagetable walk which aborts
due to the page being not present (e.g. paged out to disk), or because
of reserved bits being set.

Architecturally, such a memory access will result in a page fault
exception, but some processors will speculatively compute the physical
address and issue an L1D lookup.  If data resides in the L1D cache, it
may be forwarded to dependent instructions, and may be leaked via a side
channel.

Furthermore:
  * SGX protections are not applied
  * EPT guest to host translations are not applied
  * SMM protections are not applied

This issue is split into multiple CVEs depending on circumstance.  The
CVEs which apply to Xen are:
  * CVE-2018-3620 - Operating Systems and SMM
  * CVE-2018-3646 - Hypervisors

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

IMPACT
======

An attacker can potentially read arbitrary host RAM.  This includes data
belonging to Xen, data belonging to other guests, and data belonging to
different security contexts within the same guest.

An attacker could be a guest kernel (which can manipulate the pagetables
directly), or could be guest userspace either directly (e.g. with
mprotect() or similar system call) or indirectly (by gaming the guest
kernel's paging subsystem).

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable.  ARM processors are not known to be
affected.

Only Intel Core based processors (from at least Merom onwards) are
potentially affected.  Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.

x86 PV guests fall into the CVE-2018-3620 (OS and SMM) category.  x86
HVM and PVH guests fall into the CVE-2018-3646 (Hypervisors) category.

MITIGATION
==========

This issue can be mitigated with a combination of software and firmware
changes.

Switching guests to being HVM with shadow paging enabled (hap=0 in
xl.cfg) is believed to mitigate the vulnerability on systems which don't
have terabytes of RAM.  However the performance impact of shadow paging
in combination with in-guest Meltdown mitigations (KPTI, KVAS, etc)
will most likely make this option prohibitive to use.

RESOLUTION
==========

New microcode, and possibly a new firmware image is required to prevent
SMM data from being leaked with this vulnerability.  Consult your
hardware vendor.

Software updates to Xen (details below) are required to prevent guests
from being able to leak data belonging to Xen or to other guests in the
system.

Guest kernel software updates are required to prevent guest userspace
from being able to leak data belonging to the kernel or other processes
within the same guest.  Consult your OS vendors.

1) For PV guests (which fall into the CVE-2018-3620 - OS/SMM case),
   leakage of data from Xen or other guests can be prevented entirely
   with software changes in Xen.

   If the PV guest tries to write an L1TF-vulnerable PTE (for current
   kernels, very likely when paging data out to disk), shadow paging is
   activated and forced upon the guest.  Alternatively, if shadow paging
   is compiled out, the guest is crashed instead.

   Shadowing comes with a workload-dependent performance hit to the
   guest.  Once the guest kernel software updates have been applied, a
   well behaved guest will not write vulnerable PTEs, and will therefore
   avoid the performance penalty (or crash) entirely.

   This behaviour is active by default for guests on affected hardware
   (controlled by `pv-l1tf=`), but is disabled by default for dom0.
   Dom0's exemption is because of instabilities when being shadowed,
   which are under investigation, but dom0 kernel updates should still
   be taken to mitigate the userspace aspect.

2) For HVM and PVH guests running with Hardware Assisted Paging (which fall
   into the CVE-2018-3646 - Hypervisors case), leakage of data from Xen or
   other guests can only be prevented entirely by disabling
   SMT/Hyper-threading (if available and active in the BIOS), and by using the
   L1D_FLUSH feature (available in the new microcode) on every VMEntry.

   On affected hardware, L1D_FLUSH is enabled by default (controlled by
   `spec-ctrl=[no-]l1d-flush`), subject to microcode availability.

   However, SMT/Hyper-threading is not disabled by default, because Xen does
   not have enough information to choose an appropriate default.  Safety can
   be arranged in a number of ways by the toolstack, including with finer
   granularity than simply on or off.

   Therefore, users are expected to perform a risk assessment of their
   deployment, and explicitly choose a default (`smt=<bool>`).  See the RISK
   ASSESSMENT section below.  Xen will issue a warning at boot on vulnerable
   hardware when no explicit smt choice has been set.

There are ongoing experimentation and development efforts to find lower
overhead mitigations for the HVM case.


We are not supplying separate patches because the changes have many
complicated prerequisites.  To get the fixes, it is necessary to
update to the latest applicable Xen staging-XX branch.

The relevant git commit object ids are as follows:

d757c29ffe2e31b15397e43cd58da88b6318b654 staging-4.11
13e85a6dbc1eeda4f95c0d3afcd205579eab5909 staging-4.10
14f90aaef8d441cbdece5b74829e85e767fb196c staging-4.9
d95b5bb31e6d4361e356f0ff0853b6bb172a8b6a staging-4.8
9b8375a272ad02d8d0c229b3e3e7989e852734d8 staging-4.7
e1b03b03b199bd206c81286b4f51b6a681123eda staging-4.6
aa67b97ed34279c43a43d9ca46727b5746caa92e staging          # xen-unstable

In each case the tip commit is "xl.conf: Add global affinity masks".


RISK ASSESSMENT OF SMT/HYPER-THREADING
======================================

1) If hyper-threading is unavailable, or already disabled in the BIOS, no
   further action is necessary.

2) If you are using exclusively PV or HVM Shadow guests, hyper-threading has
   no impact on security, and is safe to remain enabled.

3) If an HVM guest kernel is trusted (i.e. under host admin control), and has
   been updated to include the OS vendor mitigations, then it is probably safe
   to be scheduled with hyper-threading active.

4) If an HVM guest kernel is untrusted (i.e. not under host admin control), it
   is probably not safe to be scheduled with hyper-threading active.

FINER GRAINED SMT/HYPER-THREADING CONTROL WITH TOOLSTACK SETTINGS
=================================================================

New options (vm.cpumask, vm.hvm.cpumask and vm.pv.cpumask) have been
added in the xl/libxl toolstack to provide global control over CPU
hard affinity settings.  The global masks are applied when a guest is
created or when a vcpu is pinned.

Sketch of how to use the new options:
  1. Livepatch the hypervisor.
  2. Identify all sibling threads and partition them with the new
     options in xl.conf.
  3. For each DomU, run `xl vcpu-pin $DOM all all`, which should
     cause the global masks to be applied to all vcpus of a DomU.
  4. Verify the required affinity has taken effect by running
     `xl vcpu-list`.

The default behaviour of xl is to always apply global masks unless
`--ignore-global-affinity-masks` is specified.  Please refer to
xl.conf(5) for details.
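As an added example (not from the advisory or the xl toolstack), the Python below sketches steps 2 and 4 above: it derives sibling groups from a constructed topology table laid out like the cpu_topology section of `xl info -n`, emits one possible xl.conf partition (untrusted HVM guests get one thread of each dedicated core with the sibling left in no mask, PV guests get whole cores, in line with the risk assessment above), and checks a pair of masks for sibling sharing. The CPULIST syntax ("0-3,8,^1") and the table layout are assumptions.

```python
"""Sibling-aware global affinity masks for xl.conf (XSA-273 SMT partitioning).

Added example, not part of the advisory or of the Xen toolstack. Assumptions:
- the topology text is a constructed sample laid out like the cpu_topology
  table of `xl info -n` (cpu: core socket node);
- xl.conf cpumask values use the xl CPULIST syntax ("0-3,8,^1"), quoted.
"""
import re

# Constructed sample: one socket, four cores, two threads per core, siblings adjacent.
SAMPLE_TOPOLOGY = """\
cpu_topology           :
cpu:    core    socket     node
  0:       0        0        0
  1:       0        0        0
  2:       1        0        0
  3:       1        0        0
  4:       2        0        0
  5:       2        0        0
  6:       3        0        0
  7:       3        0        0
"""

_ROW = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_topology(text):
    """Return {cpu: (socket, core)} from the table; header lines are skipped."""
    topo = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            cpu, core, socket, _node = map(int, m.groups())
            topo[cpu] = (socket, core)
    return topo


def sibling_groups(topo):
    """Group logical CPUs that share a physical core, ordered by lowest CPU."""
    by_core = {}
    for cpu, key in topo.items():
        by_core.setdefault(key, []).append(cpu)
    return sorted((sorted(cpus) for cpus in by_core.values()), key=lambda g: g[0])


def to_cpulist(cpus):
    """Compress a CPU set into CPULIST form, e.g. [0,1,2,3,8] -> "0-3,8"."""
    cpus = sorted(set(cpus))
    parts, i = [], 0
    while i < len(cpus):
        j = i
        while j + 1 < len(cpus) and cpus[j + 1] == cpus[j] + 1:
            j += 1
        parts.append(str(cpus[i]) if i == j else f"{cpus[i]}-{cpus[j]}")
        i = j + 1
    return ",".join(parts)


def parse_cpulist(spec):
    """Expand a CPULIST ("0-3,8,^1") into a set of CPUs; ^ items are excluded."""
    keep, drop = set(), set()
    for item in filter(None, spec.split(",")):
        target = drop if item.startswith("^") else keep
        item = item.lstrip("^")
        lo, _, hi = item.partition("-")
        target.update(range(int(lo), int(hi or lo) + 1))
    return keep - drop


def partition_masks(topo, hvm_core_count):
    """Split cores: the first hvm_core_count cores serve HVM guests on one thread
    each (their sibling threads appear in no mask, so nothing else shares the
    core); the remaining cores serve PV guests with both threads."""
    groups = sibling_groups(topo)
    hvm_groups, pv_groups = groups[:hvm_core_count], groups[hvm_core_count:]
    hvm = [g[0] for g in hvm_groups]
    pv = [cpu for g in pv_groups for cpu in g]
    return {"vm.hvm.cpumask": to_cpulist(hvm), "vm.pv.cpumask": to_cpulist(pv)}


def xl_conf_lines(masks):
    """Render the masks as xl.conf assignments."""
    return [f'{key}="{value}"' for key, value in masks.items()]


def partition_violations(topo, hvm_spec, pv_spec):
    """Verification step: (cpu_a, cpu_b) pairs that defeat the partition, i.e.
    two HVM CPUs on one core, or an HVM CPU sharing a core with a PV CPU."""
    hvm, pv = parse_cpulist(hvm_spec), parse_cpulist(pv_spec)
    bad = []
    for group in sibling_groups(topo):
        h = [c for c in group if c in hvm]
        p = [c for c in group if c in pv]
        if len(h) > 1:
            bad.append(tuple(h[:2]))
        bad.extend((a, b) for a in h for b in p)
    return bad


if __name__ == "__main__":
    topo = parse_topology(SAMPLE_TOPOLOGY)
    masks = partition_masks(topo, hvm_core_count=2)
    print("\n".join(xl_conf_lines(masks)))
    print("violations:", partition_violations(topo, masks["vm.hvm.cpumask"], masks["vm.pv.cpumask"]))
    # A tempting but unsafe choice: giving HVM guests both threads of a core.
    print("violations:", partition_violations(topo, "0-3", "4-7"))
```

Dom0's own vcpu pinning is not covered by these guest masks and has to be read from `xl vcpu-list` separately.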

NOTE CONCERNING CVE-2018-3615
=============================

CVE-2018-3615 covers the interaction of L1TF and Intel SGX.  Xen has
no support for enclaves in any currently released version, so no Xen
systems are affected.

NOTE REGARDING LACK OF EMBARGO
==============================

Despite an attempt to organise predisclosure, the discoverers ultimately
did not authorise a predisclosure.

From xen-announce-bounces@lists.xenproject.org Tue Aug 14 17:18:42 2018
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1fpcx4-00075z-B7@xenbits.xenproject.org>
Date: Tue, 14 Aug 2018 17:17:50 +0000
Subject: [Xen-announce] Xen Security Advisory 268 v2 - Use of v2 grant tables may cause crash on ARM

                    Xen Security Advisory XSA-268
                              version 2

             Use of v2 grant tables may cause crash on ARM

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

ARM never properly implemented grant table v2, either in the
hypervisor or in Linux.

Unfortunately, an ARM guest can still request v2 grant tables; they
will simply not be properly set up, resulting in subsequent
grant-related hypercalls hitting BUG() checks.

IMPACT
======

An unprivileged guest can cause a BUG() check in the hypervisor,
resulting in a denial-of-service.

VULNERABLE SYSTEMS
==================

Only ARM systems are vulnerable.  All supported versions of Xen are
vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by 王磊 of Samsung.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue by
preventing a guest from switching to grant v2.

xsa268.patch           xen-unstable
xsa268-4.11.patch      Xen 4.11.0
xsa268-4.10-?.patch    Xen 4.10.x
xsa268-4.9-?.patch     Xen 4.9.x, Xen 4.8.x
xsa268-4.7-?.patch     Xen 4.7.x
xsa268-4.6-?.patch     Xen 4.6.x


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


From xen-announce-bounces@lists.xenproject.org Tue Aug 14 17:18:42 2018
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1fpcxD-00079t-UA@xenbits.xenproject.org>
Date: Tue, 14 Aug 2018 17:17:59 +0000
Subject: [Xen-announce] Xen Security Advisory 270 v2 - Linux netback driver OOB access in hash handling

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-270
                              version 2

           Linux netback driver OOB access in hash handling

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Linux's netback driver allows frontends to control mapping of requests
to request queues.  When processing a request to set or change this
mapping, some input validation was missing or flawed.
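As an added illustration (constructed for this archive, not the driver's code and not part of the advisory), the following C models the two shapes of the request-window check described in the attached xsa270.patch commit message: a u32 off + len sum that can wrap, and a copy length compared only after truncation to the 16-bit grant-copy length field, beside the corrected check that rejects the wrap and bounds len in entries before multiplying. The struct vif_hash, MAPPING_ENTRIES, the status codes and the sample table are assumptions of this example, not the driver's definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the netback hash-mapping state: the struct, sizes
 * and sample data are this example's, not the kernel's struct xenvif. */
#define XEN_PAGE_SIZE   4096u
#define MAPPING_ENTRIES 64u     /* constructed table size */

struct vif_hash {
    uint32_t size;              /* valid entries in mapping[] */
    uint32_t num_queues;        /* every mapping entry must be < num_queues */
    uint32_t mapping[MAPPING_ENTRIES];
};

enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1 };

/* Pre-fix shape: off + len is a u32 sum that can wrap, and the copy length
 * is compared after truncation to the 16-bit gnttab_copy length field. */
static int check_window_old(const struct vif_hash *h, uint32_t len, uint32_t off)
{
    uint16_t copy_len = (uint16_t)(len * sizeof(uint32_t));   /* truncated */
    if ((off + len > h->size) || (uint32_t)copy_len > XEN_PAGE_SIZE)
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Post-fix shape: reject u32 wrap-around explicitly and bound len in
 * entries before multiplying, so no truncated product is ever compared. */
static int check_window_new(const struct vif_hash *h, uint32_t len, uint32_t off)
{
    if ((off + len < off) || (off + len > h->size) ||
        len > XEN_PAGE_SIZE / sizeof(uint32_t))
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Index mapping[] with off only once the window is known to be in bounds,
 * then reject any queue index in the window that is out of range. */
static int set_hash_mapping(const struct vif_hash *h, uint32_t len, uint32_t off)
{
    int rc = check_window_new(h, len, off);
    if (rc != STATUS_SUCCESS)
        return rc;
    for (uint32_t i = 0; i < len; i++)
        if (h->mapping[off + i] >= h->num_queues)
            return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Constructed sample state: 64 valid entries, 4 queues, and entry 3 holding
 * an out-of-range queue index. */
static const struct vif_hash SAMPLE = {
    .size = MAPPING_ENTRIES,
    .num_queues = 4,
    .mapping = { [3] = 9 },
};

int main(void)
{
    /* A len/off pair whose u32 sum wraps to zero: the old check accepts it,
     * the new check rejects it. */
    printf("old check, wrapping window: %d\n",
           check_window_old(&SAMPLE, 0x10000u, 0xFFFF0000u));
    printf("new check, wrapping window: %d\n",
           check_window_new(&SAMPLE, 0x10000u, 0xFFFF0000u));
    printf("in-bounds window containing a bad queue index: %d\n",
           set_hash_mapping(&SAMPLE, 4u, 0u));
    return 0;
}
```

The wrapping pair passes the old check twice over: the sum wraps to 0, which is below h->size, and len * 4 truncated to 16 bits is 0, which is below the page size. The corrected check needs no knowledge of the field width because it compares len in entries against the page's capacity before any multiplication happens.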

IMPACT
======

A malicious or buggy frontend may cause the (usually privileged)
backend to make out-of-bounds memory accesses, potentially resulting
in one or more of privilege escalation, Denial of Service (DoS), or
information leaks.

VULNERABLE SYSTEMS
==================

Linux kernel versions from 4.7 onwards are affected.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Felix Wilhelm of Google Project Zero.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa270.patch           Linux 4.7 ... 4.17

$ sha256sum xsa270*
392868c37c1fe0d16c36086208fd0fc045c1baf8ab9b207995bce72681cb8c54  xsa270.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbcw6uAAoJEIP+FMlX6CvZjxgH/iUkqOm+3T+Mr51itOmeOThy
J10GbMvqyI8kb7oTVsfHRTMU/zCm01FSCb94B9WXxrKyr3J2RCWygZpS5D5+ujkK
w8Ec3tqfRiJ6wXm+SUh+cFeiJBc4BUbTrSgc6VdtNqXO+uGB65CGVqFXTOZfSGMH
AJKXQYOYe0gLtGU+H1TrCut6IC5RQKkdbI+gCEgahgc9HnPJnOrJZYoDaXsYCt1l
gFPkd1UcVvtGbn+SUjNpXJlpWH8dY2tPeueqgu9LicGZ8jZkGI8FMCfOQ0g9dFMz
t0Q8op8N3UAVXsPws+WvbGMuZ9mF71y9y8JUZYKRdg2iLND3CRO+asaMfN+3LSk=
=gqkS
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa270.patch"
Content-Disposition: attachment; filename="xsa270.patch"
Content-Transfer-Encoding: 7bit

From: Jan Beulich <jbeulich@suse.com>
Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()

Both len and off are frontend specified values, so we need to make
sure there's no overflow when adding the two for the bounds check. We
also want to avoid undefined behavior and hence use off to index into
->hash.mapping[] only after bounds checking. This at the same time
allows to take care of not applying off twice for the bounds checking
against vif->num_queues.

It is also insufficient to bounds check copy_op.len, as this is len
truncated to 16 bits.

This is XSA-270.

Reported-by: Felix Wilhelm <fwilhelm@google.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Tested-by: Paul Durrant <paul.durrant@citrix.com>
---
The bounds checking against vif->num_queues also occurs too early afaict
(it should be done after the grant copy). I have patches ready as public
follow-ups for both this and the (at least latent) issue of the mapping
array crossing a page boundary.

--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct
 u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
 			    u32 off)
 {
-	u32 *mapping = &vif->hash.mapping[off];
+	u32 *mapping = vif->hash.mapping;
 	struct gnttab_copy copy_op = {
 		.source.u.ref = gref,
 		.source.domid = vif->domid,
-		.dest.u.gmfn = virt_to_gfn(mapping),
 		.dest.domid = DOMID_SELF,
-		.dest.offset = xen_offset_in_page(mapping),
-		.len = len * sizeof(u32),
+		.len = len * sizeof(*mapping),
 		.flags = GNTCOPY_source_gref
 	};
 
-	if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
+	if ((off + len < off) || (off + len > vif->hash.size) ||
+	    len > XEN_PAGE_SIZE / sizeof(*mapping))
 		return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
 
+	copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
+	copy_op.dest.offset = xen_offset_in_page(mapping + off);
+
 	while (len-- != 0)
 		if (mapping[off++] >= vif->num_queues)
 			return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
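Review bot: the queue-index validation in the trailing `while (len-- != 0) if (mapping[off++] >= vif->num_queues)` loop still runs before the grant copy is issued, so it inspects whatever mapping[] already held rather than the values the frontend is supplying; the commit message concedes this ("also occurs too early") and defers it to a follow-up, but this patch on its own does not guarantee the newly copied indices are range-checked, and the advisory or the patch header should say so or the follow-up should be folded in. Also, `len > XEN_PAGE_SIZE / sizeof(*mapping)` bounds the copy length but not `xen_offset_in_page(mapping + off)` plus that length, so a window that starts late in the page can still straddle a page boundary, the "latent" issue the message mentions; a check of destination offset plus length against XEN_PAGE_SIZE would close it.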

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6
Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1hbm5vdW5jZQ==

--=separator--


From xen-announce-bounces@lists.xenproject.org Tue Aug 14 17:18:42 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 14 Aug 2018 17:18:42 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1fpcxT-0000Lc-4O; Tue, 14 Aug 2018 17:18:15 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=l9n0=k5=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1fpcxR-0000JK-QH
 for xen-announce@lists.xen.org; Tue, 14 Aug 2018 17:18:13 +0000
X-Inumbo-ID: 196f59b0-9fe6-11e8-a6a9-d7ebe60f679a
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 196f59b0-9fe6-11e8-a6a9-d7ebe60f679a;
 Tue, 14 Aug 2018 17:18:45 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1fpcxH-0000q1-Bi; Tue, 14 Aug 2018 17:18:03 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.89)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1fpcxH-0007Gh-9J; Tue, 14 Aug 2018 17:18:03 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1fpcxH-0007Gh-9J@xenbits.xenproject.org>
Date: Tue, 14 Aug 2018 17:18:03 +0000
Subject: [Xen-announce] Xen Security Advisory 271 v2 (CVE-2018-14007) - XAPI
 HTTP directory traversal
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Cc: "Xen.org security team" <security-team-members@xen.org>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-14007 / XSA-271
                               version 2

                     XAPI HTTP directory traversal

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

XAPI has an unauthenticated HTTP endpoint update/ which exports the
contents of /var/update for other hosts to use.

However, the resolution of . and .. in paths is performed before URL
unquoting.  This allows an attacker to traverse out of the web root.
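As an added illustration (constructed for this archive, not XAPI's code and not part of the advisory), the following C models a file-export handler that maps a request path onto a directory, contrasting the vulnerable order the advisory describes (resolve dot segments, then URL-unquote) with the safe order (unquote, then resolve). EXPORT_ROOT, the buffer sizes, the function names and the sample requests are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an HTTP file-export handler; not XAPI's code.  The
 * root, buffer sizes and sample requests are assumptions of this example. */
#define EXPORT_ROOT  "/var/update"
#define MAX_SEGMENTS 32

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes; malformed escapes and an encoded NUL are rejected. */
static bool url_unquote(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char c = in[i];
        if (c == '%') {
            int hi = hexval(in[i + 1]);
            int lo = hi < 0 ? -1 : hexval(in[i + 2]);
            if (lo < 0) return false;
            c = (char)(hi * 16 + lo);
            i += 2;
        }
        if (c == '\0' || o + 1 >= outlen) return false;
        out[o++] = c;
    }
    out[o] = '\0';
    return true;
}

/* Resolve "." and ".." lexically; a ".." with nothing left to pop is an
 * attempt to climb above the root and is rejected outright. */
static bool resolve_dots(const char *in, char *out, size_t outlen)
{
    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS], n = 0, o = 0;

    for (const char *p = in; *p != '\0';) {
        while (*p == '/') p++;
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return false;       /* would escape the root */
            n--;
            continue;
        }
        if (n == MAX_SEGMENTS) return false;
        seg[n] = start;
        seglen[n++] = len;
    }
    for (size_t i = 0; i < n; i++) {
        if (o + seglen[i] + 2 > outlen) return false;
        out[o++] = '/';
        memcpy(out + o, seg[i], seglen[i]);
        o += seglen[i];
    }
    if (o == 0) out[o++] = '/';             /* callers pass outlen >= 2 */
    out[o] = '\0';
    return true;
}

/* True if a resolved path still carries a ".." segment, i.e. escapes root. */
static bool escapes_root(const char *path)
{
    size_t n = strlen(path);
    return strstr(path, "/../") != NULL || (n >= 3 && strcmp(path + n - 3, "/..") == 0);
}

static char last_path[512];   /* the on-disk path the handler would open */

/* 1: request maps to a file under EXPORT_ROOT; 0: rejected; -1: the
 * resolved path escapes the root, which only the vulnerable order permits. */
static int map_request(const char *request, bool unquote_first)
{
    char a[256], b[256];
    bool ok = unquote_first
        ? url_unquote(request, a, sizeof a) && resolve_dots(a, b, sizeof b)
        : resolve_dots(request, a, sizeof a) && url_unquote(a, b, sizeof b);
    if (!ok) return 0;
    snprintf(last_path, sizeof last_path, "%s%s", EXPORT_ROOT, b);
    return escapes_root(b) ? -1 : 1;
}

int main(void)
{
    /* Constructed requests: a plain file, and dot segments hidden behind
     * percent-encoding, which only the unquote-first order recognises. */
    const char *plain = "/packages/update.iso";
    const char *encoded = "/%2e%2e/%2e%2e/etc/xensource/ptoken";
    printf("plain, resolve then unquote:   %d %s\n", map_request(plain, false), last_path);
    printf("encoded, resolve then unquote: %d %s\n", map_request(encoded, false), last_path);
    printf("encoded, unquote then resolve: %d\n", map_request(encoded, true));
    return 0;
}
```

In the vulnerable order the dot resolver never sees a ".." segment, because the percent-encoded form is opaque to it, and the unquoting that follows reintroduces ".." into a path that is then joined onto the export root. Decoding first removes that gap; the resolver then rejects the request outright, and the same check also refuses malformed escapes and encoded NUL bytes rather than letting them reach the filesystem layer.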

IMPACT
======

An unauthenticated user with access to the management network can read
arbitrary files from the dom0 filesystem.  This includes the pool secret
/etc/xensource/ptoken which grants the attacker full administrator
access.

VULNERABLE SYSTEMS
==================

All versions of XAPI since v1.13.0 are vulnerable.

If the directory /var/update doesn't exist, the vulnerability is not
exposed.

MITIGATION
==========

In the recommended configuration, the management network is isolated and
isn't reachable from untrusted hosts, or by general network traffic.

CREDITS
=======

This issue was discovered by Ronald Volgers of Computest
https://www.computest.nl/en/

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa271-xapi.patch

$ sha256sum xsa271*
ffefb71cd328e0ee5654c135bf9b08f48abedd013f1c68d5589132e2a03a01f8  xsa271-xapi.patch
$

REGENERATION OF POOL SECRET
===========================

There are no known exploits in the wild.  If there is a risk that
credentials could have been stolen, they should be reset.

Most credentials can be reset via normal administrative means, but the
pool secret doesn't have any mechanism to reset.  The following
instructions should be used:

 1) On all pool members, stop Xapi:
    # service xapi stop

 2) On the pool master:
    # rm /etc/xensource/ptoken
    # /opt/xensource/libexec/genptoken -f -o /etc/xensource/ptoken

 3) Copy /etc/xensource/ptoken to all pool slaves

 4) On the pool master, restart the toolstack:
    # xe-toolstack-restart

 5) On all pool slaves, restart the toolstack:
    # xe-toolstack-restart

Once the pool secret has been regenerated, the root password can be
changed with:
    # xe user-password-change

Furthermore, consideration should be given to other credentials, such as
(but not limited to) SSL keys, storage SAN/iSCSI/NFS details, and
secrets contained within VM disks, snapshots, etc.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbcw6vAAoJEIP+FMlX6CvZx6cH/0qaq4PDDHSrIONP7v35ZYWe
nZEoA+IWk0u35t4MwSRA8qcXZ9m+d7icHdE0c5Jwdh2sBOSFKzoehCuZOFXVpYTv
SHdr/J3ilZRN1KV7Zo/agZJFYClV5QxR118PnVYFqsAHVGjxh6RzazyBNPUTkoIa
qw/FBQwsib4Wkj5/RPympYscxetzAUoYiFeVtTgtqknXlt3UbXqzwg/lXTrMZwtG
nBSjFEW+EURlkKR0HF85mtFBmqA1I3xsKgJDaob5KWl+HmlIj0SY9knQ2le3lgxn
7zXiPSwOARg2E+vl3GB1Xd1fgcRGykBtjVWPX9uAgdb/C7qx6DN2PYEdyz1xZtI=
=5lIm
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa271-xapi.patch"
Content-Disposition: attachment; filename="xsa271-xapi.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6
Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1hbm5vdW5jZQ==

--=separator--


From xen-announce-bounces@lists.xenproject.org Tue Aug 14 17:18:42 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 14 Aug 2018 17:18:42 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1fpcxJ-0000BJ-L5; Tue, 14 Aug 2018 17:18:05 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=l9n0=k5=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1fpcxH-00009v-Rw
 for xen-announce@lists.xen.org; Tue, 14 Aug 2018 17:18:03 +0000
X-Inumbo-ID: 13490877-9fe6-11e8-a6a9-d7ebe60f679a
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 13490877-9fe6-11e8-a6a9-d7ebe60f679a;
 Tue, 14 Aug 2018 17:18:35 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1fpcxA-0000ot-37; Tue, 14 Aug 2018 17:17:56 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.89)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1fpcxA-00078C-0X; Tue, 14 Aug 2018 17:17:56 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1fpcxA-00078C-0X@xenbits.xenproject.org>
Date: Tue, 14 Aug 2018 17:17:56 +0000
Subject: [Xen-announce] Xen Security Advisory 269 v2 - x86: Incorrect
 MSR_DEBUGCTL handling lets guests enable BTS
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Cc: "Xen.org security team" <security-team-members@xen.org>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-269
                              version 2

      x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The DEBUGCTL MSR contains several debugging features, some of which virtualise
cleanly, but some do not.  In particular, Branch Trace Store is not
virtualised by the processor, and software has to be careful to configure it
suitably so as not to lock up the core.  As a result, it must only be
available to fully trusted guests.

Unfortunately, in the case that vPMU is disabled, all value checking was
skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes.

IMPACT
======

A malicious or buggy guest administrator can lock up the entire host, causing
a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and later are vulnerable.

Only systems using Intel CPUs are affected. ARM and AMD systems are
unaffected.

Only x86 HVM or PVH guests can exploit the vulnerability.  x86 PV guests
cannot exploit the vulnerability.

MITIGATION
==========

Running only x86 PV guests avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa269.patch           xen-unstable
xsa269-4.11.patch      Xen 4.11
xsa269-4.10.patch      4.10, 4.9
xsa269-4.8.patch       Xen 4.8, 4.7, 4.6

$ sha256sum xsa269*
4733d09bb63523744ca2ee172e2fade0c39082c15d9a746144f279cf1359b723  xsa269.meta
5a5fe36f1f876a5029493e7fa191436fd021929aaba2d820636df17f4ed20113  xsa269.patch
ea11cef818050bca13d4eb89294627c97e4cdb830124f679e77d37a44a370286  xsa269-4.8.patch
45ba1823530f329dd73088b77098e686b32f5daac0bc5177b2afea09f8c3593a  xsa269-4.10.patch
e0ca060311fb9ba3247e2fe65bca4806a131644f8894fd08be374904904b1944  xsa269-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbcw6sAAoJEIP+FMlX6CvZNaQIAIPnev8ld7Rt9Gaty0mymCq8
WkKMRcqqSTbmHCgFvsWPPoji9yqQZR5QMkb+q7voE7PvzqH5sTAP6i8tHtsPjZNS
jmron4grWnhoNMpM+jywIFjWyy0MT1WIDehP0GqzLIBgLODg1TIfGN1HMxBIxj5P
yC9BRiGLNkIclOKknh0Yo2fj04XX38rETpeT7J3kbfRw8wzx5sTRgoIwwkkfoqjj
GbcKSDmJmcm8OpCdl5xnMxdOxBv50p91j3VyBfOXzPeHw3sFzjURDSZgG16V5NY7
mrDzaHiRCFwdhN+k43zpyn8+A2JRI1dTz0yqGzJctyuCgFkkt4HEYLDafpeyEyg=
=CK+x
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa269.meta"
Content-Disposition: attachment; filename="xsa269.meta"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa269.patch"
Content-Disposition: attachment; filename="xsa269.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa269-4.8.patch"
Content-Disposition: attachment; filename="xsa269-4.8.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa269-4.10.patch"
Content-Disposition: attachment; filename="xsa269-4.10.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa269-4.11.patch"
Content-Disposition: attachment; filename="xsa269-4.11.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6
Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1hbm5vdW5jZQ==

--=separator--


From xen-announce-bounces@lists.xenproject.org Tue Aug 14 17:20:50 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 14 Aug 2018 17:20:50 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1fpcyv-0001Wj-5x; Tue, 14 Aug 2018 17:19:45 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=l9n0=k5=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1fpcyt-0001Vk-U7
 for xen-announce@lists.xen.org; Tue, 14 Aug 2018 17:19:43 +0000
X-Inumbo-ID: 4f5315f1-9fe6-11e8-a6a9-d7ebe60f679a
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 4f5315f1-9fe6-11e8-a6a9-d7ebe60f679a;
 Tue, 14 Aug 2018 17:20:15 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1fpcyl-0000ud-G5; Tue, 14 Aug 2018 17:19:35 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.89)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1fpcyl-0001qx-Dd; Tue, 14 Aug 2018 17:19:35 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1fpcyl-0001qx-Dd@xenbits.xenproject.org>
Date: Tue, 14 Aug 2018 17:19:35 +0000
Subject: [Xen-announce] Xen Security Advisory 272 v2 - oxenstored does not
 apply quota-maxentity
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Cc: "Xen.org security team" <security-team-members@xen.org>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-272
                              version 2

               oxenstored does not apply quota-maxentity

UPDATES IN VERSION 2
====================

Amend patch to reference XSA-272 in the commit message.

Public release.

ISSUE DESCRIPTION
=================

The logic in oxenstored for handling writes depended on the order of
evaluation of expressions making up a tuple.

As indicated in section 7.7.3 "Operations on data structures" of the
OCaml manual:

  http://caml.inria.fr/pub/docs/manual-ocaml/expr.html

the order of evaluation of subexpressions is not specified.  In
practice, different implementations behave differently.

IMPACT
======

oxenstored may not enforce the configured quota-maxentity.

This allows a malicious or buggy guest to write as many xenstore entries
as it wishes, causing unbounded memory usage in oxenstored.  This can
lead to a system-wide DoS.

VULNERABLE SYSTEMS
==================

Xen 4.1 and later are potentially vulnerable.

Only systems using the OCaml xenstored implementation are potentially
vulnerable.  Systems using the C xenstored implementation are not
vulnerable.

Whether the compiled oxenstored binary is vulnerable depends on which
compiler was used.  OCaml can be compiled either as bytecode (with
ocamlc) or as a native binary (with ocamlopt).

The following OCaml program demonstrates the issue, and identifies
whether the resulting oxenstored binary will skip the quota enforcement.

  $ cat order.ml
  let check () =
    let flag = ref false in
    let update _ = flag := true; () in
    List.iter update [1;2;3], !flag

  let main () =
    let _, flag = check () in
    if flag then
      print_endline "This code is not vulnerable!"
    else
      print_endline "This code is vulnerable!"

  let () = main ()

  $ ocamlc order.ml -o order.bytecode
  $ ./order.bytecode
  This code is vulnerable!
  $ ocamlopt order.ml -o order.native
  $ ./order.native
  This code is not vulnerable!

To confirm whether an OCaml binary is bytecode or native, use file.

  $ file order.bytecode
  order.bytecode: a /usr/bin/ocamlrun script executable (binary data)
  $ file order.native
  order.native: ELF 64-bit LSB executable, ...

NOTE: These results are applicable to OCaml 4.01.0-5 as distributed in
Debian Jessie.  These results are not representative of other versions
of OCaml, or of other OS distributions.

MITIGATION
==========

There are no mitigations available.

CREDITS
=======

This issue was discovered by Christian Lindig of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa272.patch           All versions of Xen

$ sha256sum xsa272*
0da953ca48d0cf0688ecff6a074304a9d2217871809a76ef26b9addeb66ecb3e  xsa272.meta
6e0359d89bf65794f16d39198cc90f5c3137bce4eb850e54625ab00e2c568c2c  xsa272.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbcw8fAAoJEIP+FMlX6CvZ1VYIALce26h9Sf0P0joLd/fhUwf4
JcCIaTWvHsy0ucJgpi7i+SCMa7Iz60CriK6dSYlwIuPvka8XU5MDmZ56gbENApDZ
ibWMwvyCrgb0BH3VIwJZfk7eaKM7OwKeEnnIrIWaVGsT2StwoZOHgdLRLCTSFJ/K
iss3ALSzZ8z7/WqEkBE3JeJ7skrh5nmNp428fJXWYhOyYbqkqyggn6XzBQg/EzGD
vabxz4CdYCr1ox7sq42Q/UFeLoWB6CKCLgRgqOGyCrm7K324ymBzRXtXpPUrLEaq
ugR27W/zr09e8N/fOhH4dBNCzkktuqclwrfMlFr1WUfiltSDmVwNZkURkvVGeu0=
=TPZD
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa272.meta"
Content-Disposition: attachment; filename="xsa272.meta"
Content-Transfer-Encoding: base64

--=separator
Content-Type: application/octet-stream; name="xsa272.patch"
Content-Disposition: attachment; filename="xsa272.patch"
Content-Transfer-Encoding: base64

--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6
Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1hbm5vdW5jZQ==

--=separator--


From xen-announce-bounces@lists.xenproject.org Wed Aug 15 16:11:15 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 15 Aug 2018 16:11:15 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1fpyN1-0004lH-LS; Wed, 15 Aug 2018 16:10:03 +0000
Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=cnoq=k6=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1fpyMz-0004Yl-2v
 for xen-announce@lists.xen.org; Wed, 15 Aug 2018 16:10:01 +0000
X-Inumbo-ID: 815cce64-a0a5-11e8-a8a5-bc764e045a96
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS
 id 815cce64-a0a5-11e8-a8a5-bc764e045a96;
 Wed, 15 Aug 2018 18:08:53 +0200 (CEST)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1fpyMq-0006x8-2H; Wed, 15 Aug 2018 16:09:52 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.89)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1fpyMp-0006mM-Vn; Wed, 15 Aug 2018 16:09:51 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1fpyMp-0006mM-Vn@xenbits.xenproject.org>
Date: Wed, 15 Aug 2018 16:09:51 +0000
Subject: [Xen-announce] Xen Security Advisory 274 v3 (CVE-2018-14678) -
 Linux: Uninitialized state in x86 PV failsafe callback path
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Cc: "Xen.org security team" <security-team-members@xen.org>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-14678 / XSA-274
                               version 3

      Linux: Uninitialized state in x86 PV failsafe callback path

UPDATES IN VERSION 3
====================

Fix spelling in CREDITS.

ISSUE DESCRIPTION
=================

Linux has a `failsafe` callback, invoked by Xen under certain
conditions.  Normally in this failsafe callback, error_entry is paired
with error_exit; and error_entry uses %ebx to communicate to
error_exit whether to use the user or kernel return path.

Unfortunately, on 64-bit PV Xen on x86, error_exit is called without
error_entry being called first, leaving %ebx with an invalid value.

IMPACT
======

A rogue user-space program could crash a guest kernel.  Privilege
escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Only 64-bit x86 PV Linux systems are vulnerable.

All versions of Linux are vulnerable.

MITIGATION
==========

Switching to HVM or PVH guests will mitigate this issue.

CREDITS
=======

This issue was discovered by M. Vefa Bicakci, and recognized as a
security issue by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

NB this patch has not been accepted into Linux upstream yet.  An
updated advisory will be sent if the fix as upstreamed looks
significantly different.

xsa274-linux-4.17.patch           Linux 4.17

$ sha256sum xsa274*
0c30cb13d1d573f446c8cb8d4824ffad8ef9149a7589a19ef9bcc83c07bddcf5  xsa274-linux-4.17.patch
$

NOTE ON THE LACK OF EMBARGO
===========================

The patch for this issue was published on linux-kernel without being
first reported to the XenProject Security Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbdFA5AAoJEIP+FMlX6CvZWQQIAIxMK2w6CsH2aNQRDiDrgcBc
2FkBbroS5I1XHEhWVyO19aPhp1R3mYNU+pTUUFOevQuKvTP0nuZ0csgk5LUj9UP7
EE/3vM3jkAfmIIuXCAegOcznnEl6Wi9aMKGVXcxMkRu9qjKStGr4We5qvmdPncUj
DkTdD6VbmM/Q665b0jU4j2aZPDMsH63qrsbz1rsnPAlYUi1R+yKw56Q5UdRJK17j
Jc74v+elyqOkFq7QwH1usfnko+DQziLyLqEBQOztTSps2qYM+VwHLAZkhxNyuLsu
2x9/1D8XoZ+BHvVsVe50QmoNcJViMMunnHNhWYHmtXLYFErwUOt48N1vl+3xFpo=
=k4Ak
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa274-linux-4.17.patch"
Content-Disposition: attachment; filename="xsa274-linux-4.17.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6
Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1hbm5vdW5jZQ==

--=separator--


From xen-announce-bounces@lists.xenproject.org Mon Aug 20 09:48:32 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 20 Aug 2018 09:48:32 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1frgmq-0002v3-Ap; Mon, 20 Aug 2018 09:47:48 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=spvk=ld=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1frgmo-0002uS-O2
 for xen-announce@lists.xen.org; Mon, 20 Aug 2018 09:47:46 +0000
X-Inumbo-ID: 2d044e0b-a45e-11e8-a6a9-d7ebe60f679a
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 2d044e0b-a45e-11e8-a6a9-d7ebe60f679a;
 Mon, 20 Aug 2018 09:48:22 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1frgmg-0002MB-Vu; Mon, 20 Aug 2018 09:47:38 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.89)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1frgmg-0003fy-TP; Mon, 20 Aug 2018 09:47:38 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1frgmg-0003fy-TP@xenbits.xenproject.org>
Date: Mon, 20 Aug 2018 09:47:38 +0000
Subject: [Xen-announce] Xen Security Advisory 268 v3 (CVE-2018-15469) - Use
 of v2 grant tables may cause crash on ARM
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Cc: "Xen.org security team" <security-team-members@xen.org>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-15469 / XSA-268
                              version 3

             Use of v2 grant tables may cause crash on ARM

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

ARM never properly implemented grant table v2, either in the
hypervisor or in Linux.

Unfortunately, an ARM guest can still request v2 grant tables; they
will simply not be properly set up, resulting in subsequent
grant-related hypercalls hitting BUG() checks.

IMPACT
======

An unprivileged guest can cause a BUG() check in the hypervisor,
resulting in a denial-of-service.

VULNERABLE SYSTEMS
==================

Only ARM systems are vulnerable.  All supported versions of Xen are
vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by 王磊 of Samsung.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue by
preventing a guest from switching to grant v2.

xsa268.patch           xen-unstable
xsa268-4.11.patch      Xen 4.11.0
xsa268-4.10-?.patch    Xen 4.10.x
xsa268-4.9-?.patch     Xen 4.9.x, Xen 4.8.x
xsa268-4.7-?.patch     Xen 4.7.x
xsa268-4.6-?.patch     Xen 4.6.x

$ sha256sum xsa268*
f336b45676e73f8b102e5dddf78af2d1d288f9a254142a8a8e9949db55e1cc3b  xsa268.meta
ca5f69cb8cfb74fae44a0f39f80ec9ae4d269c4895f36311b50d191be97bbcf0  xsa268.patch
93a68a5b23aedc6adf0aae23303dc8eb2c02dc40a5e1d7eb0a1b497cd66da209  xsa268-4.6-1.patch
5b74afd13d96779a72dc34ba7c63a1735cd267fb9bb643f735ac69b0e6ff54d5  xsa268-4.6-2.patch
820e1018f76ef2828b1cbb33e2966b99f6934a80ab55f11749ff847d375d1b02  xsa268-4.7-1.patch
233f7e69e5fb931d2e5cf03f4407f38ff960c039c9eced957df13d3cc37fa6b1  xsa268-4.7-2.patch
4a0c705f0266185b32daf313e686abc340e2fbb1a1644647500fc405bc180913  xsa268-4.9-1.patch
ce16eaab94cd1e64f9c9127b64da7ebb6a7758eb540fecc3bbcc2dbfbcc4d7e2  xsa268-4.9-2.patch
f413d41fadefe0e275c8bff16a2061bb325f3900b7ccf214a9e97fabf3ee1a89  xsa268-4.10-1.patch
531654f82908c1aa7b0fcea818c82c4b53d4750a697db3353cc05e9e91e5d639  xsa268-4.10-2.patch
baeb6b2c28a9cbe929c9cf34398780002fffe12b928df4d1e5951c0a5b51336a  xsa268-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbeo4HAAoJEIP+FMlX6CvZxYMH/R1pB/0Qh+eYJevI0XZCh0TX
TlzPkzvTkif3JUfYtms1rVeXdAUoOaZPrMpzZYFWthOHhHR6Y8tiBWxiRGWuEf0a
OaAYTebIQN4U69AUXGaXdA1p1Nnix5guOgljM1EHD3LGEBtadzdYdFfpKrEv1F7L
f8fwLULljcfwHKI7Yv/CwGdRAt2YrtIFqry916yc0RHk2nQpLvX8V+8YXWla8zGR
1Vkin0WoR31qkcakJGXO8jXD1Wpn4J+2lAyMpAiPpN7d8F7/cEOj7huRuTkYFQha
/sTUc5Dy3kniLptJF+2//dLOjwKQKSKd3c8LJjc8IGPCwfpNpVmLaCiB/93AcWk=
=yh+i
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa268.meta"
Content-Disposition: attachment; filename="xsa268.meta"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268.patch"
Content-Disposition: attachment; filename="xsa268.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.6-1.patch"
Content-Disposition: attachment; filename="xsa268-4.6-1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.6-2.patch"
Content-Disposition: attachment; filename="xsa268-4.6-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.7-1.patch"
Content-Disposition: attachment; filename="xsa268-4.7-1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.7-2.patch"
Content-Disposition: attachment; filename="xsa268-4.7-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.9-1.patch"
Content-Disposition: attachment; filename="xsa268-4.9-1.patch"
Content-Transfer-Encoding: base64

RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv
bT4KU3ViamVjdDogY29tbW9uL2dudHRhYjogSW50cm9kdWNlIGNvbW1hbmQg
bGluZSBmZWF0dXJlIGNvbnRyb2xzCgpUaGlzIHBhdGNoIHdhcyBvcmlnaW5h
bGx5IHJlbGVhc2VkIGFzIHBhcnQgb2YgWFNBLTIyNi4gIEl0IHJldGFpbnMg
dGhlIHNhbWUKY29tbWFuZCBsaW5lIHN5bnRheCAoYXMgdmFyaW91cyBkb3du
c3RyZWFtcyBhcmUgbWl0aWdhdGluZyBYU0EtMjI2IHVzaW5nIHRoaXMKbWVj
aGFuaXNtKSBidXQgdGhlIGRlZmF1bHRzIGhhdmUgYmVlbiB1cGRhdGVkIGR1
ZSB0byB0aGUgcmV2aXNlZCBYU0EtMjI2CnBhdGNoZWQsIGFmdGVyIHdoaWNo
IHRyYW5zaXRpdmUgZ3JhbnRzIGFyZSBiZWxpZXZlZCB0byBmdW5jdGlvbmlu
Zwpwcm9wZXJseS4KClJlcG9ydGVkLWJ5OiDnjovno4ogPGxlaTE5LndhbmdA
c2Ftc3VuZy5jb20+ClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDb29wZXIgPGFu
ZHJldy5jb29wZXIzQGNpdHJpeC5jb20+ClJldmlld2VkLWJ5OiBKYW4gQmV1
bGljaCA8amJldWxpY2hAc3VzZS5jb20+CgotLS0gYS9kb2NzL21pc2MveGVu
LWNvbW1hbmQtbGluZS5tYXJrZG93bgorKysgYi9kb2NzL21pc2MveGVuLWNv
bW1hbmQtbGluZS5tYXJrZG93bgpAQCAtODcyLDYgKzg3MiwxOSBAQCBDb250
cm9scyBFUFQgcmVsYXRlZCBmZWF0dXJlcy4KIAogU3BlY2lmeSB3aGljaCBj
b25zb2xlIGdkYnN0dWIgc2hvdWxkIHVzZS4gU2VlICoqY29uc29sZSoqLgog
CisjIyMgZ250dGFiCis+IGA9IExpc3Qgb2YgWyBtYXgtdmVyOjxpbnRlZ2Vy
PiwgdHJhbnNpdGl2ZT08Ym9vbD4gXWAKKworPiBEZWZhdWx0OiBgZ250dGFi
PW1heC12ZXI6Mix0cmFuc2l0aXZlYAorCitDb250cm9sIHZhcmlvdXMgYXNw
ZWN0cyBvZiB0aGUgZ3JhbnQgdGFibGUgYmVoYXZpb3VyIGF2YWlsYWJsZSB0
byBndWVzdHMuCisKKyogYG1heC12ZXJgIFNlbGVjdCB0aGUgbWF4aW11bSBn
cmFudCB0YWJsZSB2ZXJzaW9uIHRvIG9mZmVyIHRvIGd1ZXN0cy4gIFZhbGlk
Cit2ZXJzaW9uIGFyZSAxIGFuZCAyLgorKiBgdHJhbnNpdGl2ZWAgUGVybWl0
IG9yIGRpc2FsbG93IHRoZSB1c2Ugb2YgdHJhbnNpdGl2ZSBncmFudHMuICBO
b3RlIHRoYXQgdGhlCit1c2Ugb2YgZ3JhbnQgdGFibGUgdjIgd2l0aG91dCB0
cmFuc2l0aXZlIGdyYW50cyBpcyBhbiBBQkkgYnJlYWthZ2UgZnJvbSB0aGUK
K2d1ZXN0cyBwb2ludCBvZiB2aWV3LgorCiAjIyMgZ250dGFiXF9tYXhcX2Zy
YW1lcwogPiBgPSA8aW50ZWdlcj5gCiAKLS0tIGEveGVuL2NvbW1vbi9ncmFu
dF90YWJsZS5jCisrKyBiL3hlbi9jb21tb24vZ3JhbnRfdGFibGUuYwpAQCAt
NjIsNiArNjIsNDEgQEAgaW50ZWdlcl9wYXJhbSgiZ250dGFiX21heF9mcmFt
ZXMiLCBtYXhfZwogc3RhdGljIHVuc2lnbmVkIGludCBfX3JlYWRfbW9zdGx5
IG1heF9tYXB0cmFja19mcmFtZXM7CiBpbnRlZ2VyX3BhcmFtKCJnbnR0YWJf
bWF4X21hcHRyYWNrX2ZyYW1lcyIsIG1heF9tYXB0cmFja19mcmFtZXMpOwog
CitzdGF0aWMgdW5zaWduZWQgaW50IF9fcmVhZF9tb3N0bHkgb3B0X2dudHRh
Yl9tYXhfdmVyc2lvbiA9IDI7CitzdGF0aWMgYm9vbCBfX3JlYWRfbW9zdGx5
IG9wdF90cmFuc2l0aXZlX2dyYW50cyA9IHRydWU7CisKK3N0YXRpYyBpbnQg
X19pbml0IHBhcnNlX2dudHRhYihjb25zdCBjaGFyICpzKQoreworICAgIGNv
bnN0IGNoYXIgKnNzLCAqZTsKKyAgICBpbnQgdmFsLCByYyA9IDA7CisKKyAg
ICBkbyB7CisgICAgICAgIHNzID0gc3RyY2hyKHMsICcsJyk7CisgICAgICAg
IGlmICggIXNzICkKKyAgICAgICAgICAgIHNzID0gc3RyY2hyKHMsICdcMCcp
OworCisgICAgICAgIGlmICggIXN0cm5jbXAocywgIm1heC12ZXI6IiwgOCkg
fHwKKyAgICAgICAgICAgICAhc3RybmNtcChzLCAibWF4X3ZlcjoiLCA4KSAp
IC8qIEFsaWFzIGZvciBvcmlnaW5hbCBYU0EtMjI2IHBhdGNoICovCisgICAg
ICAgIHsKKyAgICAgICAgICAgIGxvbmcgdmVyID0gc2ltcGxlX3N0cnRvbChz
ICsgOCwgJmUsIDEwKTsKKworICAgICAgICAgICAgaWYgKCBlID09IHNzICYm
IHZlciA+PSAxICYmIHZlciA8PSAyICkKKyAgICAgICAgICAgICAgICBvcHRf
Z250dGFiX21heF92ZXJzaW9uID0gdmVyOworICAgICAgICAgICAgZWxzZQor
ICAgICAgICAgICAgICAgIHJjID0gLUVJTlZBTDsKKyAgICAgICAgfQorICAg
ICAgICBlbHNlIGlmICggKHZhbCA9IHBhcnNlX2Jvb2xlYW4oInRyYW5zaXRp
dmUiLCBzLCBzcykpID49IDAgKQorICAgICAgICAgICAgb3B0X3RyYW5zaXRp
dmVfZ3JhbnRzID0gdmFsOworICAgICAgICBlbHNlCisgICAgICAgICAgICBy
YyA9IC1FSU5WQUw7CisKKyAgICAgICAgcyA9IHNzICsgMTsKKyAgICB9IHdo
aWxlICggKnNzICk7CisKKyAgICByZXR1cm4gcmM7Cit9CitjdXN0b21fcGFy
YW0oImdudHRhYiIsIHBhcnNlX2dudHRhYik7CisKIC8qCiAgKiBOb3RlIHRo
YXQgdGhlIHRocmVlIHZhbHVlcyBiZWxvdyBhcmUgZWZmZWN0aXZlbHkgcGFy
dCBvZiB0aGUgQUJJLCBldmVuIGlmCiAgKiB3ZSBkb24ndCBuZWVkIHRvIG1h
a2UgdGhlbSBhIGZvcm1hbCBwYXJ0IG9mIGl0OiBBIGd1ZXN0IHN1c3BlbmRl
ZCBmb3IKQEAgLTI1MzgsNyArMjU3Myw4IEBAIHN0YXRpYyBpbnQgZ250dGFi
X2NvcHlfY2xhaW1fYnVmKGNvbnN0IHMKICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgY3VycmVudC0+ZG9tYWluLT5kb21haW5faWQs
CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJ1Zi0+
cmVhZF9vbmx5LAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAmYnVmLT5mcmFtZSwgJmJ1Zi0+cGFnZSwKLSAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgJmJ1Zi0+cHRyLm9mZnNldCwgJmJ1
Zi0+bGVuLCAxKTsKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgJmJ1Zi0+cHRyLm9mZnNldCwgJmJ1Zi0+bGVuLAorICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvcHRfdHJhbnNpdGl2ZV9n
cmFudHMpOwogICAgICAgICBpZiAoIHJjICE9IEdOVFNUX29rYXkgKQogICAg
ICAgICAgICAgZ290byBvdXQ7CiAgICAgICAgIGJ1Zi0+cHRyLnUucmVmID0g
cHRyLT51LnJlZjsKQEAgLTI3MzksNiArMjc3NSwxMCBAQCBnbnR0YWJfc2V0
X3ZlcnNpb24oWEVOX0dVRVNUX0hBTkRMRV9QQVJBCiAgICAgaWYgKCBvcC52
ZXJzaW9uICE9IDEgJiYgb3AudmVyc2lvbiAhPSAyICkKICAgICAgICAgZ290
byBvdXQ7CiAKKyAgICByZXMgPSAtRU5PU1lTOworICAgIGlmICggb3AudmVy
c2lvbiA9PSAyICYmIG9wdF9nbnR0YWJfbWF4X3ZlcnNpb24gPT0gMSApCisg
ICAgICAgIGdvdG8gb3V0OyAvKiBCZWhhdmUgYXMgYmVmb3JlIHNldF92ZXJz
aW9uIHdhcyBpbnRyb2R1Y2VkLiAqLworCiAgICAgcmVzID0gMDsKICAgICBp
ZiAoIGd0LT5ndF92ZXJzaW9uID09IG9wLnZlcnNpb24gKQogICAgICAgICBn
b3RvIG91dDsK

--=separator
Content-Type: application/octet-stream; name="xsa268-4.9-2.patch"
Content-Disposition: attachment; filename="xsa268-4.9-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.10-1.patch"
Content-Disposition: attachment; filename="xsa268-4.10-1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.10-2.patch"
Content-Disposition: attachment; filename="xsa268-4.10-2.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa268-4.11.patch"
Content-Disposition: attachment; filename="xsa268-4.11.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6
Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1hbm5vdW5jZQ==

--=separator--

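The XSA-268 resolution above says the patches work "by preventing a guest from switching to grant v2"; the attached xsa268-4.9-1.patch documents a `gnttab=max-ver:<1|2>,transitive=<bool>` command line option and adds a check to the set_version hypercall that refuses v2 when the host caps guests at v1. The following is an added userspace model of that option and that gate, written for this page; it is not code from the Xen tree. It mirrors the parser's shape (comma-separated elements, `max_ver:` accepted as an alias) but uses the C standard library in place of the hypervisor's `simple_strtol()`/`parse_boolean()`, and its boolean parser is a simplified stand-in that only understands `name`, `no-name`, `name=1` and `name=0`. All function and type names are this example's own.

```c
/*
 * Added example, not Xen code: a userspace model of the "gnttab=" option
 * introduced by the XSA-268 patches and of the version gate they add to
 * GNTTABOP_set_version.  Names here are the example's own.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct gnttab_opts {
    unsigned int max_version;   /* highest grant table version offered */
    bool transitive;            /* transitive grants permitted? */
};

/* Matches the patch's documented default: "gnttab=max-ver:2,transitive". */
static const struct gnttab_opts gnttab_defaults = { 2, true };

/* Simplified boolean element parser (stand-in for Xen's parse_boolean()):
 * "name" -> 1, "no-name" -> 0, "name=1" -> 1, "name=0" -> 0, else -1. */
static int parse_bool_opt(const char *name, const char *s, const char *e)
{
    size_t nlen = strlen(name);
    size_t slen = (size_t)(e - s);

    if ( slen == nlen && !strncmp(s, name, nlen) )
        return 1;
    if ( slen == nlen + 3 && !strncmp(s, "no-", 3) && !strncmp(s + 3, name, nlen) )
        return 0;
    if ( slen == nlen + 2 && !strncmp(s, name, nlen) && s[nlen] == '=' )
        return s[nlen + 1] == '1' ? 1 : s[nlen + 1] == '0' ? 0 : -1;
    return -1;
}

/* Parse the value of "gnttab=".  Returns 0, or -EINVAL if any element is
 * malformed; like the patch, valid elements before a bad one still apply. */
int parse_gnttab_opts(const char *s, struct gnttab_opts *opts)
{
    const char *ss;
    int rc = 0;

    do {
        ss = strchr(s, ',');
        if ( !ss )
            ss = s + strlen(s);             /* last element */

        if ( !strncmp(s, "max-ver:", 8) || !strncmp(s, "max_ver:", 8) )
        {
            char *e;
            long ver = strtol(s + 8, &e, 10);

            /* The number must run exactly up to the element's end. */
            if ( e == ss && ver >= 1 && ver <= 2 )
                opts->max_version = (unsigned int)ver;
            else
                rc = -EINVAL;
        }
        else
        {
            int val = parse_bool_opt("transitive", s, ss);

            if ( val >= 0 )
                opts->transitive = val;
            else
                rc = -EINVAL;
        }

        s = ss + 1;
    } while ( *ss );

    return rc;
}

/* Model of the gate the patch adds to set_version: a v2 request while the
 * host caps guests at v1 gets -ENOSYS, i.e. the hypercall behaves as if
 * set_version did not exist, so the never-finished v2 paths are not entered. */
int gnttab_set_version_allowed(const struct gnttab_opts *opts, unsigned int requested)
{
    if ( requested != 1 && requested != 2 )
        return -EINVAL;
    if ( requested == 2 && opts->max_version == 1 )
        return -ENOSYS;
    return 0;
}

/* Convenience: apply a "gnttab=" value on top of the defaults, then ask
 * whether a guest may select `requested`; a parse error is returned as-is. */
int gnttab_check(const char *value, unsigned int requested)
{
    struct gnttab_opts o = gnttab_defaults;
    int rc = parse_gnttab_opts(value, &o);

    return rc ? rc : gnttab_set_version_allowed(&o, requested);
}

int main(void)
{
    printf("default, guest asks v2:        %d\n", gnttab_check("max-ver:2,transitive", 2));
    printf("max-ver:1, guest asks v2:      %d (-ENOSYS)\n", gnttab_check("max-ver:1", 2));
    printf("max-ver:1, guest asks v1:      %d\n", gnttab_check("max-ver:1,no-transitive", 1));
    printf("max-ver:3 is rejected:         %d (-EINVAL)\n", gnttab_check("max-ver:3", 2));
    return 0;
}
```

On a host that must keep running an unpatched-but-mitigated configuration this is the knob an administrator would reach for: capping guests at v1 removes the request path the advisory describes, and the parser's strictness (a bad `max-ver:` value is an error rather than silently ignored) is what keeps a typo from re-enabling v2.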

From xen-announce-bounces@lists.xenproject.org Mon Aug 20 09:48:32 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 20 Aug 2018 09:48:32 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1frgn4-00038Q-S7; Mon, 20 Aug 2018 09:48:02 +0000
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=spvk=ld=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1frgn3-00037O-Li
 for xen-announce@lists.xen.org; Mon, 20 Aug 2018 09:48:01 +0000
X-Inumbo-ID: 30a53772-a45e-11e8-a6a9-d7ebe60f679a
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS
 id 30a53772-a45e-11e8-a6a9-d7ebe60f679a;
 Mon, 20 Aug 2018 09:48:28 +0000 (UTC)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1frgmo-0002Mx-EC; Mon, 20 Aug 2018 09:47:46 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.89)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1frgmo-0003i7-Bf; Mon, 20 Aug 2018 09:47:46 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1frgmo-0003i7-Bf@xenbits.xenproject.org>
Date: Mon, 20 Aug 2018 09:47:46 +0000
Subject: [Xen-announce] Xen Security Advisory 270 v3 (CVE-2018-15471) -
 Linux netback driver OOB access in hash handling
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Cc: "Xen.org security team" <security-team-members@xen.org>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-15471 / XSA-270
                              version 3

           Linux netback driver OOB access in hash handling

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Linux's netback driver allows frontends to control mapping of requests
to request queues.  When processing a request to set or change this
mapping, some input validation was missing or flawed.

IMPACT
======

A malicious or buggy frontend may cause the (usually privileged)
backend to make out-of-bounds memory accesses, potentially resulting
in one or more of privilege escalation, Denial of Service (DoS), or
information leaks.

VULNERABLE SYSTEMS
==================

Linux kernel versions from 4.7 onwards are affected.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Felix Wilhelm of Google Project Zero.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa270.patch           Linux 4.7 ... 4.17

$ sha256sum xsa270*
392868c37c1fe0d16c36086208fd0fc045c1baf8ab9b207995bce72681cb8c54  xsa270.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbeo4MAAoJEIP+FMlX6CvZOpsH/34RpIZaTTVsZWCVyNotieFf
yLfCqu+9bbRVNEqYDq6NViFrj9I6WwvLpp8s7HZheJvdXlyIO1cYCen4QX8VSPqI
VaRD7Jcu99drK1hy/t80AbicS+t9qvew97SzjG+MIIJZK7dnxG/Q0nbHLCg0zdCg
5G+pOTl17DK+4eM7Z1duo2BK1sxCms6I/YJVFfkGjC99vXKYAj2GAWGxVbiEwDWT
4jvf3R3w5athJNR4Lf6FxDz6MzvHaYNFQKikc0AMaTcO5HubumGXQQn5JQelAAno
O6ujB25kF1j29A2PwYvBSxBDTD4uWQeWiv9kWML1YmzsQv1cy6Un0vwXtNhhb6s=
=SC+y
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa270.patch"
Content-Disposition: attachment; filename="xsa270.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWFubm91
bmNlIG1haWxpbmcgbGlzdApYZW4tYW5ub3VuY2VAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6
Ly9saXN0cy54ZW5wcm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1hbm5vdW5jZQ==

--=separator--

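XSA-270 above describes a backend that lets the frontend set or change the mapping of requests to request queues, with some input validation missing or flawed. The following added example is a constructed model of what complete validation of such an update looks like; it is not the netback driver's code, and the table size, structure and function names are this example's own assumptions. The frontend-controlled window (`off`, `len`) is range-checked in a form that cannot be defeated by integer wraparound, every queue index is bounded against the number of queues that actually exist, and the live table is only replaced once the whole batch has passed, so a rejected request leaves the previous mapping intact.

```c
/*
 * Added example, not the Linux netback driver's code: a constructed model
 * of validating a frontend-supplied request-to-queue mapping update.
 * HASH_MAPPING_SIZE, struct backend and the function names are assumptions
 * made for this example.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_MAPPING_SIZE 128u   /* assumed size of the backend's table */

struct backend {
    uint32_t num_queues;                     /* queues that really exist */
    uint32_t mapping[HASH_MAPPING_SIZE];     /* hash bucket -> queue index */
};

/*
 * Validate and apply a mapping update.  `entries` (len items) comes from
 * the frontend and is untrusted: the window is checked without computing
 * off + len (which could wrap), and each queue index is bounded before the
 * live table is touched.  Returns 0 or a negative errno.
 */
int set_hash_mapping(struct backend *be, uint32_t off, uint32_t len,
                     const uint32_t *entries)
{
    uint32_t staged[HASH_MAPPING_SIZE];
    uint32_t i;

    /* Equivalent to off + len <= SIZE, but immune to wraparound of the sum. */
    if ( len > HASH_MAPPING_SIZE || off > HASH_MAPPING_SIZE - len )
        return -EINVAL;

    memcpy(staged, be->mapping, sizeof(staged));
    for ( i = 0; i < len; i++ )
    {
        if ( entries[i] >= be->num_queues )
            return -EINVAL;         /* would later index a queue that does not exist */
        staged[off + i] = entries[i];
    }

    memcpy(be->mapping, staged, sizeof(staged));   /* commit only now */
    return 0;
}

/* Queue lookup for a packet hash.  The table contents are in range by
 * construction; the bucket index is still reduced into the table. */
uint32_t queue_for_hash(const struct backend *be, uint32_t hash)
{
    return be->mapping[hash % HASH_MAPPING_SIZE];
}

/* Fresh backend with n queues and every bucket mapped to queue 0. */
void backend_init(struct backend *be, uint32_t n)
{
    memset(be, 0, sizeof(*be));
    be->num_queues = n;
}

/* Scenario: a valid window at buckets 4..7 is applied; bucket 5 -> queue 1. */
int scenario_valid(void)
{
    struct backend be;
    const uint32_t ent[4] = { 0, 1, 1, 0 };   /* constructed frontend data */

    backend_init(&be, 2);
    if ( set_hash_mapping(&be, 4, 4, ent) != 0 )
        return -1;
    return (int)queue_for_hash(&be, 5);
}

/* Scenario: off chosen so that off + len wraps to 0; must be refused. */
int scenario_overflow(void)
{
    struct backend be;
    const uint32_t ent[1] = { 0 };

    backend_init(&be, 2);
    return set_hash_mapping(&be, UINT32_MAX, 1, ent);
}

/* Scenario: a bad queue index in the middle of a batch rejects the whole
 * batch, so the earlier (valid) entry is not applied either. */
int scenario_bad_queue(void)
{
    struct backend be;
    const uint32_t ent[3] = { 1, 7, 0 };      /* 7 >= num_queues (2) */

    backend_init(&be, 2);
    if ( set_hash_mapping(&be, 0, 3, ent) != -EINVAL )
        return -1;
    return (int)queue_for_hash(&be, 0);       /* still 0, not 1 */
}

int main(void)
{
    printf("valid update, bucket 5 -> queue %d\n", scenario_valid());
    printf("wrapping window rejected: %d (-EINVAL)\n", scenario_overflow());
    printf("bad queue index, bucket 0 stays at queue %d\n", scenario_bad_queue());
    return 0;
}
```

The staging copy is the detail worth keeping: validating entries one by one while writing them straight into the live table would leave a half-applied mapping behind a rejected request, which is the kind of inconsistent state a later lookup trips over.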

From xen-announce-bounces@lists.xenproject.org Mon Aug 20 09:48:32 2018
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 20 Aug 2018 09:48:32 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.89)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1frgml-0002rq-7J; Mon, 20 Aug 2018 09:47:43 +0000
Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=spvk=ld=xenproject.org=aliasfile-bounces@srs-us1.protection.inumbo.net>)
 id 1frgmj-0002rO-NE
 for xen-announce@lists.xen.org; Mon, 20 Aug 2018 09:47:41 +0000
X-Inumbo-ID: e7350224-a45d-11e8-a8a5-bc764e045a96
Received: from mail.xenproject.org (unknown [104.130.215.37])
 by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS
 id e7350224-a45d-11e8-a8a5-bc764e045a96;
 Mon, 20 Aug 2018 11:46:25 +0200 (CEST)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.89)
 (envelope-from <aliasfile-bounces@xenproject.org>)
 id 1frgmZ-0002Lq-32; Mon, 20 Aug 2018 09:47:31 +0000
Received: from iwj by xenbits.xenproject.org with local (Exim 4.89)
 (envelope-from <iwj@xenbits.xen.org>)
 id 1frgmY-0003e7-W2; Mon, 20 Aug 2018 09:47:30 +0000
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1frgmY-0003e7-W2@xenbits.xenproject.org>
Date: Mon, 20 Aug 2018 09:47:30 +0000
Subject: [Xen-announce] Xen Security Advisory 269 v3 (CVE-2018-15468) - x86:
 Incorrect MSR_DEBUGCTL handling lets guests enable BTS
X-BeenThere: xen-announce@lists.xenproject.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Cc: "Xen.org security team" <security-team-members@xen.org>
Errors-To: xen-announce-bounces@lists.xenproject.org
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-15468 / XSA-269
                              version 3

      x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The DEBUGCTL MSR contains several debugging features, some of which virtualise
cleanly, but some do not.  In particular, Branch Trace Store is not
virtualised by the processor, and software has to be careful to configure it
suitably so as not to lock up the core.  As a result, it must only be available
to fully trusted guests.

Unfortunately, in the case that vPMU is disabled, all value checking was
skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes.

IMPACT
======

A malicious or buggy guest administrator can lock up the entire host, causing
a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and later are vulnerable.

Only systems using Intel CPUs are affected. ARM and AMD systems are
unaffected.

Only x86 HVM or PVH guests can exploit the vulnerability.  x86 PV guests
cannot exploit the vulnerability.

MITIGATION
==========

Running only x86 PV guests avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa269.patch           xen-unstable
xsa269-4.11.patch      Xen 4.11
xsa269-4.10.patch      4.10, 4.9
xsa269-4.8.patch       Xen 4.8, 4.7, 4.6

$ sha256sum xsa269*
4733d09bb63523744ca2ee172e2fade0c39082c15d9a746144f279cf1359b723  xsa269.meta
5a5fe36f1f876a5029493e7fa191436fd021929aaba2d820636df17f4ed20113  xsa269.patch
ea11cef818050bca13d4eb89294627c97e4cdb830124f679e77d37a44a370286  xsa269-4.8.patch
45ba1823530f329dd73088b77098e686b32f5daac0bc5177b2afea09f8c3593a  xsa269-4.10.patch
e0ca060311fb9ba3247e2fe65bca4806a131644f8894fd08be374904904b1944  xsa269-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbeo4KAAoJEIP+FMlX6CvZfakIAJRgw9LWW7fnr0WX11dt/Rm1
GgBxMWS7DrnBPBjE7GqhtqgFyvIVHBnWEEj1WW1WvHWIV/XIbV8GKOi6ecfF5p3o
vK/a/8S0qOSOtOPZZJkZGuZn6pNd9V0Ynx296Hn6DKildBBEkGSXoWo67ViaxrP2
iPzhYukDRYlqjF5pYfPr7Zek+RodtB+rxJEKMpDDIW8aeA3hnsOZNXAmr5n+Q465
rNojqJDV5Zwuli+L0SVzmtkY6dbeXyhMWn3zAj8a5Pq+/VkK3PdcEBVNADLXbh3a
lnDmjwsY9ZX64HhXbamFMV1Wykhbjb+Jprj6CJjuz4wcGArKW+lsTV86p8Q5Kzk=
=uYjg
-----END PGP SIGNATURE-----

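The XSA-269 description above says that with vPMU disabled "all value checking was skipped", so a guest could write any MSR_DEBUGCTL value, including enabling Branch Trace Store. The following added example, written for this page and not Xen's code, models the shape of a correct write intercept: one function owns the decision, builds the mask of bits this guest may set, and rejects anything outside it, with no early-exit path that bypasses the check. The bit positions are the architectural IA32_DEBUGCTL layout; the policy inputs (whether vPMU is on and whether BTS has been granted to a trusted guest) are modelled as plain booleans, and the struct and function names are this example's own.

```c
/*
 * Added example, not Xen code: a model of reserved-bit checking for guest
 * writes to MSR_DEBUGCTL in which the check cannot be skipped.  Names of
 * the policy struct and functions are assumptions made for this example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural IA32_DEBUGCTL bit positions. */
#define DEBUGCTL_LBR          (1ull << 0)
#define DEBUGCTL_BTF          (1ull << 1)
#define DEBUGCTL_TR           (1ull << 6)
#define DEBUGCTL_BTS          (1ull << 7)
#define DEBUGCTL_BTINT        (1ull << 8)
#define DEBUGCTL_BTS_OFF_OS   (1ull << 9)
#define DEBUGCTL_BTS_OFF_USR  (1ull << 10)

struct guest_policy {
    bool vpmu_enabled;   /* vPMU configured for this guest */
    bool bts_allowed;    /* BTS explicitly granted to a fully trusted guest */
    bool cpu_has_dscpl;  /* CPU supports the BTS_OFF_OS/USR qualifiers */
};

/* Mask of DEBUGCTL bits this guest may set.  The vulnerable code left the
 * write path early when vPMU was off and never reached any check; here the
 * mask is always computed, and vPMU state can only widen it. */
uint64_t debugctl_supported(const struct guest_policy *p)
{
    uint64_t supported = DEBUGCTL_LBR | DEBUGCTL_BTF;

    if ( p->vpmu_enabled && p->bts_allowed )
    {
        supported |= DEBUGCTL_TR | DEBUGCTL_BTS | DEBUGCTL_BTINT;
        if ( p->cpu_has_dscpl )
            supported |= DEBUGCTL_BTS_OFF_OS | DEBUGCTL_BTS_OFF_USR;
    }
    return supported;
}

/* The write intercept: 0 if the value may reach the real MSR, -EINVAL
 * (a hypervisor would inject #GP) if any bit outside the mask is set.
 * Every bit is accounted for in one place, so nothing slips through. */
int debugctl_wrmsr_check(const struct guest_policy *p, uint64_t value)
{
    return (value & ~debugctl_supported(p)) ? -EINVAL : 0;
}

/* Two canned policies (constructed for the demo): an ordinary guest with
 * vPMU off, and a fully trusted guest that has been granted BTS. */
int untrusted_guest_write(uint64_t value)
{
    const struct guest_policy p = { false, false, true };
    return debugctl_wrmsr_check(&p, value);
}

int trusted_guest_write(uint64_t value)
{
    const struct guest_policy p = { true, true, true };
    return debugctl_wrmsr_check(&p, value);
}

int main(void)
{
    printf("untrusted guest, LBR:       %d\n", untrusted_guest_write(DEBUGCTL_LBR));
    printf("untrusted guest, BTS:       %d (-EINVAL)\n", untrusted_guest_write(DEBUGCTL_BTS));
    printf("untrusted guest, bit 63:    %d (-EINVAL)\n", untrusted_guest_write(1ull << 63));
    printf("trusted guest, BTS|TR:      %d\n", trusted_guest_write(DEBUGCTL_BTS | DEBUGCTL_TR));
    printf("trusted guest, reserved 20: %d (-EINVAL)\n", trusted_guest_write(1ull << 20));
    return 0;
}
```

The design point matches the advisory's framing: a feature the processor does not virtualise, and which can hang the core if misconfigured, must be gated by a check that runs on every write, not only on the configurations where the debugging feature happens to be in use.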
--=separator
Content-Type: application/octet-stream; name="xsa269.meta"
Content-Disposition: attachment; filename="xsa269.meta"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa269.patch"
Content-Disposition: attachment; filename="xsa269.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa269-4.8.patch"
Content-Disposition: attachment; filename="xsa269-4.8.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa269-4.10.patch"
Content-Disposition: attachment; filename="xsa269-4.10.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa269-4.11.patch"
Content-Disposition: attachment; filename="xsa269-4.11.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


From xen-announce-bounces@lists.xenproject.org Mon Aug 20 09:51:43 2018
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Message-Id: <E1frgmk-0003h1-Hq@xenbits.xenproject.org>
Date: Mon, 20 Aug 2018 09:47:42 +0000
Subject: [Xen-announce] Xen Security Advisory 272 v3 (CVE-2018-15470) -
 oxenstored does not apply quota-maxentity

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-15470 / XSA-272
                              version 3

               oxenstored does not apply quota-maxentity

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The logic in oxenstored for handling writes depended on the order of
evaluation of expressions making up a tuple.

As indicated in section 7.7.3 "Operations on data structures" of the
OCaml manual:

  http://caml.inria.fr/pub/docs/manual-ocaml/expr.html

the order of evaluation of subexpressions is not specified.  In
practice, different implementations behave differently.

IMPACT
======

oxenstored may not enforce the configured quota-maxentity.

This allows a malicious or buggy guest to write as many xenstore entries
as it wishes, causing unbounded memory usage in oxenstored.  This can
lead to a system-wide DoS.

VULNERABLE SYSTEMS
==================

Xen 4.1 and later are potentially vulnerable.

Only systems using the OCaml xenstored implementation are potentially
vulnerable.  Systems using the C xenstored implementation are not
vulnerable.

Whether the compiled oxenstored binary is vulnerable depends on which
compiler was used.  OCaml can be compiled either as bytecode (with
ocamlc) or as a native binary (with ocamlopt).

The following OCaml program demonstrates the issue, and identifies
whether the resulting oxenstored binary will skip the quota enforcement.

  $ cat order.ml
  let check () =
    let flag = ref false in
    let update _ = flag := true; () in
    List.iter update [1;2;3], !flag

  let main () =
    let _, flag = check () in
    if flag then
    print_endline "This code is not vulnerable!"
    else
    print_endline "This code is vulnerable!"

  let () = main ()

  $ ocamlc order.ml -o order.bytecode
  $ ./order.bytecode
  This code is vulnerable!
  $ ocamlopt order.ml -o order.native
  $ ./order.native
  This code is not vulnerable!

To confirm whether an OCaml binary is bytecode or native, use the file(1) utility.

  $ file order.bytecode
  order.bytecode: a /usr/bin/ocamlrun script executable (binary data)
  $ file order.native
  order.native: ELF 64-bit LSB executable, ...

NOTE: These results are applicable to OCaml 4.01.0-5 as distributed in
Debian Jessie.  These results are not representative of other versions
of OCaml, or of other OS distributions.
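As an added illustration (constructed for this advisory text, not code from
oxenstored), the same tuple-ordering hazard applied to a quota-checked write,
next to the sequenced form that does not depend on evaluation order.  The names
quota_maxentity, store, write_tuple, write_sequenced and fill are made up here.

```ocaml
(* Constructed illustration of the XSA-272 pattern; not oxenstored's code.
   The "store" is reduced to a single mutable entry count. *)

let quota_maxentity = 3            (* constructed quota value *)

type store = { mutable entries : int }

(* Vulnerable shape: the side-effecting write and the quota check are
   components of one tuple.  The OCaml manual leaves the evaluation order
   of tuple components unspecified, so `exceeded` may be computed from the
   count either before or after the increment, depending on the compiler. *)
let write_tuple st =
  let (), exceeded =
    (st.entries <- st.entries + 1), st.entries > quota_maxentity
  in
  if exceeded then (st.entries <- st.entries - 1; false) else true

(* Hardened shape: the write and the check are sequenced with `;` and
   `let ... in`, so the check always sees the post-write count on every
   compiler.  This is the property the fix needs, not a specific order. *)
let write_sequenced st =
  st.entries <- st.entries + 1;
  let exceeded = st.entries > quota_maxentity in
  if exceeded then (st.entries <- st.entries - 1; false) else true

(* Issue n writes against a fresh store with the given write function and
   return how many entries the store ended up holding. *)
let fill write n =
  let st = { entries = 0 } in
  let rec go i = if i < n then (ignore (write st); go (i + 1)) in
  go 0;
  st.entries

let () =
  Printf.printf "quota %d: tuple version holds %d, sequenced version holds %d\n"
    quota_maxentity (fill write_tuple 10) (fill write_sequenced 10)
```

A stale read in the tuple version lets writes past the quota through; the
sequenced version never holds more than quota_maxentity entries regardless of
whether it is built with ocamlc or ocamlopt.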

MITIGATION
==========

There are no mitigations available.

CREDITS
=======

This issue was discovered by Christian Lindig of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa272.patch           All versions of Xen

$ sha256sum xsa272*
0da953ca48d0cf0688ecff6a074304a9d2217871809a76ef26b9addeb66ecb3e  xsa272.meta
6e0359d89bf65794f16d39198cc90f5c3137bce4eb850e54625ab00e2c568c2c  xsa272.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa272.meta"
Content-Disposition: attachment; filename="xsa272.meta"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa272.patch"
Content-Disposition: attachment; filename="xsa272.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--=separator--


