From xen-announce-bounces@lists.xenproject.org Tue Mar 21 12:01:16 2023
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 428 v3 (CVE-2022-42333,CVE-2022-42334) -
 x86/HVM pinned cache attributes mis-handling
Message-Id: <E1peafT-0000E9-4J@xenbits.xenproject.org>
Date: Tue, 21 Mar 2023 12:00:43 +0000

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

     Xen Security Advisory CVE-2022-42333,CVE-2022-42334 / XSA-428
                               version 3

             x86/HVM pinned cache attributes mis-handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

To allow cachability control for HVM guests with passed through devices,
an interface exists to explicitly override defaults which would
otherwise be put in place.  While not exposed to the affected guests
themselves, the interface specifically exists for domains controlling
such guests.  This interface may therefore be used by not fully
privileged entities, e.g. qemu running deprivileged in Dom0 or qemu
running in a so-called stub domain.  With this exposure it is an issue
that
 - the number of such controlled regions was unbounded
   (CVE-2022-42333),
 - installation and removal of such regions was not properly serialized
   (CVE-2022-42334).
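
A simplified user-space model of the two flaws listed above, added here as an illustration; it is not Xen's code and is not taken from the attached patches. The names (`domain_model`, `region_add`, `region_remove`), the `MAX_REGIONS` value, the spinlock and the error codes are assumptions of this example.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_REGIONS 8            /* constructed cap; any fixed bound works */

struct region {
    uint64_t start, end;         /* inclusive frame range */
    uint32_t type;
    struct region *next;
};

struct domain_model {            /* hypothetical stand-in for per-guest state */
    atomic_flag lock;            /* serializes every list writer */
    struct region *head;
};

void dom_init(struct domain_model *d)
{
    atomic_flag_clear(&d->lock);
    d->head = NULL;
}

static void dom_lock(struct domain_model *d)
{
    while (atomic_flag_test_and_set_explicit(&d->lock, memory_order_acquire))
        ;                        /* spin until the flag was clear */
}

static void dom_unlock(struct domain_model *d)
{
    atomic_flag_clear_explicit(&d->lock, memory_order_release);
}

unsigned int region_count(struct domain_model *d)
{
    unsigned int nr = 0;
    dom_lock(d);
    for (struct region *r = d->head; r; r = r->next)
        nr++;
    dom_unlock(d);
    return nr;
}

/* Flawed shape: the caller decides how long the list gets, and two
 * concurrent callers can both read d->head before either writes it. */
int region_add_unbounded(struct domain_model *d, uint64_t s, uint64_t e,
                         uint32_t type)
{
    struct region *r = calloc(1, sizeof(*r));
    if (!r)
        return -ENOMEM;
    r->start = s; r->end = e; r->type = type;
    r->next = d->head;
    d->head = r;
    return 0;
}

/* Hardened shape: allocate before locking, then count, check the cap and
 * link the new node inside one critical section, so that check-then-insert
 * cannot interleave with another add or remove. */
int region_add(struct domain_model *d, uint64_t s, uint64_t e, uint32_t type)
{
    struct region *newr, *r;
    unsigned int nr = 0;
    int rc = 0;

    if (s > e)
        return -EINVAL;
    newr = calloc(1, sizeof(*newr));
    dom_lock(d);
    for (r = d->head; r; r = r->next, nr++)
        if (s <= r->end && r->start <= e) { rc = -EBUSY; break; }
    if (rc == 0 && nr >= MAX_REGIONS)
        rc = -ENOSPC;
    else if (rc == 0 && !newr)
        rc = -ENOMEM;
    if (rc == 0) {
        newr->start = s; newr->end = e; newr->type = type;
        newr->next = d->head;
        d->head = newr;
        newr = NULL;             /* ownership moved to the list */
    }
    dom_unlock(d);
    free(newr);                  /* no-op on success */
    return rc;
}

/* Removal takes the same lock as insertion. This model has no lockless
 * readers, so the node is freed immediately after unlinking. */
int region_remove(struct domain_model *d, uint64_t s, uint64_t e)
{
    struct region **pp, *victim = NULL;

    dom_lock(d);
    for (pp = &d->head; *pp; pp = &(*pp)->next)
        if ((*pp)->start == s && (*pp)->end == e) {
            victim = *pp;
            *pp = victim->next;
            break;
        }
    dom_unlock(d);
    if (!victim)
        return -ENOENT;
    free(victim);
    return 0;
}

int main(void)
{
    struct domain_model d;
    int rc = 0;

    dom_init(&d);
    for (unsigned int i = 0; rc == 0; i++)
        rc = region_add(&d, (uint64_t)i * 16, (uint64_t)i * 16 + 15, 1);
    printf("stopped at %u regions, rc=%d\n", region_count(&d), rc);
    return 0;
}
```
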

IMPACT
======

Entities controlling HVM guests can run the host out of resources or
stall execution of a physical CPU for effectively unbounded periods of
time, resulting in a Denial of Service (DoS) affecting the entire host.
Crashes, information leaks, or elevation of privilege cannot be ruled
out.

VULNERABLE SYSTEMS
==================

Xen versions 4.11 through 4.17 are vulnerable.  Older versions contain
the same functionality, but it is exposed there only via an interface
which is subject to XSA-77's constraints.

Only x86 systems are potentially vulnerable.  Arm systems are not
vulnerable.

Only entities controlling HVM guests can leverage the vulnerability.
These are device models running in either a stub domain or de-privileged
in Dom0.

MITIGATION
==========

Running only PV or PVH guests will avoid the vulnerability.

(Switching from a device model stub domain or a de-privileged device
model to a fully privileged Dom0 device model does NOT mitigate this
vulnerability.  Rather, it simply recategorises the vulnerability to
hostile management code, regarding it "as designed"; thus it merely
reclassifies these issues as "not a bug".  The security of a Xen system
using stub domains is still better than with a qemu-dm running as a Dom0
process.  Users and vendors of stub qemu dm systems should not change
their configuration to use a Dom0 qemu process.)

CREDITS
=======

Aspects of this issue were discovered by Andrew Cooper of XenServer and
Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa428-?.patch           xen-unstable
xsa428-4.17-?.patch      Xen 4.17.x
xsa428-4.16-?.patch      Xen 4.16.x - 4.14.x

$ sha256sum xsa428*
a7bd8d4c1e8579aeda47564efdc960cac92472387ba57d7f7a6d5d79470ebd6f  xsa428.meta
85a421d9123a56894124bed54731b8b6f2e86ad4e286871dee86efff519f4c68  xsa428-1.patch
3b691ca228592539a751ce5af69f31e09d9c477218d53af0602ac5f39f1e74d7  xsa428-2.patch
da60e01a17f9073c83098d187c07bad3a868a6b7f97dbc538cb5ea5698c51b39  xsa428-4.16-1.patch
27718a7a86fd57624cd8500df83eb42ff3499670bc807c6555686c25e7f7b01a  xsa428-4.16-2.patch
da60e01a17f9073c83098d187c07bad3a868a6b7f97dbc538cb5ea5698c51b39  xsa428-4.17-1.patch
20d3b66da8fe06d7e92992218e519f4f9746791d4ba5610d84a335f38a824fcb  xsa428-4.17-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa428.meta"
Content-Disposition: attachment; filename="xsa428.meta"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa428-1.patch"
Content-Disposition: attachment; filename="xsa428-1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa428-2.patch"
Content-Disposition: attachment; filename="xsa428-2.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa428-4.16-1.patch"
Content-Disposition: attachment; filename="xsa428-4.16-1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa428-4.16-2.patch"
Content-Disposition: attachment; filename="xsa428-4.16-2.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa428-4.17-1.patch"
Content-Disposition: attachment; filename="xsa428-4.17-1.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa428-4.17-2.patch"
Content-Disposition: attachment; filename="xsa428-4.17-2.patch"
Content-Transfer-Encoding: base64


--=separator--


From xen-announce-bounces@lists.xenproject.org Tue Mar 21 12:01:16 2023
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 21 Mar 2023 12:01:16 +0000
Received: from list by lists.xenproject.org with outflank-mailman.512395.792492 (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1peafm-0008W0-GP; Tue, 21 Mar 2023 12:01:02 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 512395.792492; Tue, 21 Mar 2023 12:01:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1peafm-0008UW-4B; Tue, 21 Mar 2023 12:01:02 +0000
Received: by outflank-mailman (input) for mailman id 512395;
 Tue, 21 Mar 2023 12:01:01 +0000
Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50]
 helo=se1-gles-flk1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=hojv=7N=xenbits.xen.org=andrewcoop@srs-se1.protection.inumbo.net>)
 id 1peafk-0006jQ-Vp
 for xen-announce@lists.xen.org; Tue, 21 Mar 2023 12:01:01 +0000
Received: from mail.xenproject.org (mail.xenproject.org [104.130.215.37])
 by se1-gles-flk1.inumbo.com (Halon) with ESMTPS
 id 08a9e9d1-c7e0-11ed-b464-930f4c7d94ae;
 Tue, 21 Mar 2023 13:00:56 +0100 (CET)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <andrewcoop@xenbits.xen.org>)
 id 1peafW-00032f-Vc; Tue, 21 Mar 2023 12:00:46 +0000
Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <andrewcoop@xenbits.xen.org>)
 id 1peafW-0000G3-UU; Tue, 21 Mar 2023 12:00:46 +0000
X-BeenThere: xen-announce@lists.xenproject.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>
X-Inumbo-ID: 08a9e9d1-c7e0-11ed-b464-930f4c7d94ae
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version:
	Content-Transfer-Encoding:Content-Type;
	bh=BNYP1Dv8uG/bHThSnhfkWPM3dVwF/6evTsYsRlnLLhM=; b=vvHTAhAUdf3ak/OfzwLNFEGKO5
	UJwMOHC8Ie34RPlIiUxyWPhJ8l0WCoAArCxlWmmP3gbNQ22fp1klqR+EX0ifTNWIlwtRQCfoWlrsc
	kcNA/FYi0eEzKA9quhRYI4JmxaZxAD7/pXDKj190x0Bu/ByYLK5OvoWFUnVfUpHcw2vw=;
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 429 v3 (CVE-2022-42331) - x86: speculative
 vulnerability in 32bit SYSCALL path
Message-Id: <E1peafW-0000G3-UU@xenbits.xenproject.org>
Date: Tue, 21 Mar 2023 12:00:46 +0000

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-42331 / XSA-429
                               version 3

          x86: speculative vulnerability in 32bit SYSCALL path

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Due to an oversight in the very original Spectre/Meltdown security work
(XSA-254), one entrypath performs its speculation-safety actions too
late.

In some configurations, there is an unprotected RET instruction which
can be attacked with a variety of speculative attacks.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Xen versions 4.5 through 4.17 are vulnerable.  Older versions are not
vulnerable.

Only x86 CPUs are potentially vulnerable.  CPUs of other architectures
are not vulnerable.

The problematic codepath is only reachable on x86 CPUs which follow
AMD's behaviour with respect to SYSCALL instructions from compatibility
mode segments.  This means that AMD and Hygon CPUs are potentially
vulnerable, whereas Intel CPUs are not.  Other vendors have not been
checked.

Only PV guests can leverage the vulnerability.

On Xen 4.16 and later, the vulnerability is only present if 32bit PV
guest support is compiled in - i.e. CONFIG_PV32=y.  On Xen 4.15 and
older, all supported build configurations are vulnerable.

The vulnerability is only present when booting on hardware that supports
SMEP or SMAP (Supervisor Mode Execution/Access Prevention).  This is
believed to be some Family 0x16 models, and all later CPUs.

MITIGATION
==========

Not running untrusted PV guests will avoid the issue.

CREDITS
=======

This issue was discovered by Andrew Cooper of XenServer.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa429.patch           xen-unstable - Xen 4.16
xsa429-4.15.patch      Xen 4.15 - Xen 4.14

$ sha256sum xsa429*
2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0  xsa429.meta
36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540  xsa429.patch
7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7  xsa429-4.15.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa429.meta"
Content-Disposition: attachment; filename="xsa429.meta"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa429.patch"
Content-Disposition: attachment; filename="xsa429.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa429-4.15.patch"
Content-Disposition: attachment; filename="xsa429-4.15.patch"
Content-Transfer-Encoding: base64


--=separator--
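
The `$ sha256sum xsa429*` transcript in the advisory above sits inside the PGP-signed text while the attachments do not, so the signed checksums are what tie a saved patch file to the advisory. The following added example (not part of the advisory or of any Xen Project tooling) parses that transcript layout from any XSA text and checks a directory of saved attachments against it; the function names and the `xsa000` sample files are constructed for illustration, and it assumes the advisory's signature has already been verified.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One line of sha256sum output: 64 hex digits, two spaces, a bare file name.
# Restricting the name to these characters rejects path components outright.
_SUM_LINE = re.compile(r"^([0-9a-f]{64})  ([A-Za-z0-9][A-Za-z0-9._-]*)$")


def parse_checksum_block(advisory_text):
    """Return {file name: sha256 hex} from the '$ sha256sum xsaNNN*' transcript."""
    sums, in_block, closed = {}, False, False
    for raw in advisory_text.splitlines():
        line = raw.rstrip()
        if not in_block:
            in_block = line.startswith("$ sha256sum ")
            continue
        if line == "$":  # the closing prompt ends the transcript
            closed = True
            break
        match = _SUM_LINE.match(line)
        if match is None:
            raise ValueError(f"unexpected line in checksum block: {line!r}")
        digest, name = match.groups()
        if name in sums:
            raise ValueError(f"duplicate entry for {name}")
        sums[name] = digest
    if not (closed and sums):
        raise ValueError("checksum block missing, empty or truncated")
    return sums


def sha256_file(path):
    """Hash a file in chunks so large patches need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_attachments(advisory_text, directory):
    """Return {file name: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    expected = parse_checksum_block(advisory_text)
    directory = Path(directory)
    report = {}
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            report[name] = "missing"
        elif sha256_file(path) == digest:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    # An xsa* file the signed text never mentions must not be applied either.
    for path in sorted(directory.glob("xsa*")):
        if path.name not in expected:
            report[path.name] = "unlisted"
    return report


def demo():
    """Run the check on constructed stand-in files, before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        files = {
            "xsa000.meta": b'{"XSA": 0}\n',              # constructed sample
            "xsa000.patch": b"--- a/file\n+++ b/file\n",  # constructed sample
        }
        for name, data in files.items():
            (tmp / name).write_bytes(data)
        lines = ["RESOLUTION", "==========", "", "$ sha256sum xsa000*"]
        lines += [f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in files.items()]
        lines.append("$")
        advisory = "\n".join(lines) + "\n"

        before = verify_attachments(advisory, tmp)
        # Simulate a patch altered after download and a stray extra file.
        (tmp / "xsa000.patch").write_bytes(b"--- a/file\n+++ b/file\n+extra\n")
        (tmp / "xsa000-extra.patch").write_bytes(b"x")
        after = verify_attachments(advisory, tmp)
        return before, after


if __name__ == "__main__":
    for stage, report in zip(("before", "after"), demo()):
        print(stage, report)
```

Anything other than `ok` for every listed file, or any `unlisted` entry, is a reason to stop before applying a patch.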


From xen-announce-bounces@lists.xenproject.org Tue Mar 21 12:01:16 2023
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 21 Mar 2023 12:01:16 +0000
Received: from list by lists.xenproject.org with outflank-mailman.512393.792473 (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1peafk-00082O-Fb; Tue, 21 Mar 2023 12:01:00 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 512393.792473; Tue, 21 Mar 2023 12:01:00 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1peafk-0007yR-67; Tue, 21 Mar 2023 12:01:00 +0000
Received: by outflank-mailman (input) for mailman id 512393;
 Tue, 21 Mar 2023 12:00:59 +0000
Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254]
 helo=se1-gles-sth1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=hojv=7N=xenbits.xen.org=andrewcoop@srs-se1.protection.inumbo.net>)
 id 1peafi-0006my-ML
 for xen-announce@lists.xen.org; Tue, 21 Mar 2023 12:00:58 +0000
Received: from mail.xenproject.org (mail.xenproject.org [104.130.215.37])
 by se1-gles-sth1.inumbo.com (Halon) with ESMTPS
 id 0520b88e-c7e0-11ed-87f5-c1b5be75604c;
 Tue, 21 Mar 2023 13:00:52 +0100 (CET)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <andrewcoop@xenbits.xen.org>)
 id 1peafP-00031n-MN; Tue, 21 Mar 2023 12:00:39 +0000
Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.92)
 (envelope-from <andrewcoop@xenbits.xen.org>)
 id 1peafP-0000Ca-Ko; Tue, 21 Mar 2023 12:00:39 +0000
X-BeenThere: xen-announce@lists.xenproject.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>
X-Inumbo-ID: 0520b88e-c7e0-11ed-87f5-c1b5be75604c
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org;
	s=20200302mail; h=Date:Message-Id:Subject:CC:From:To:MIME-Version:
	Content-Transfer-Encoding:Content-Type;
	bh=qJpzbqFfBV6lXHuKcxpZTx3thPo+2f4kK2BgZkQtjpE=; b=I1IpmoNQCS2vbtqtWazOam0O4u
	W6I4J6iEyJ3yrs10NSYc5F8ZMkzJIfvGrb1WeSalAg58mAXjiRs3SLNWKxFxRZvSoEtOtCbhle5aD
	Zx5YZpvMKH64xsSepMYpKEmMtjMupQiZnR59QEq4R+IJAaqcJX9HRZZlXA8vpofKkTko=;
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 427 v2 (CVE-2022-42332) - x86 shadow plus
 log-dirty mode use-after-free
Message-Id: <E1peafP-0000Ca-Ko@xenbits.xenproject.org>
Date: Tue, 21 Mar 2023 12:00:39 +0000

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-42332 / XSA-427
                               version 2

             x86 shadow plus log-dirty mode use-after-free

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

In environments where host-assisted address translation is necessary
but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests
in so-called shadow mode.  Shadow mode maintains a pool of memory used
for both shadow page tables as well as auxiliary data structures.  To
migrate or snapshot guests, Xen additionally runs them in so-called
log-dirty mode.  The data structures needed by the log-dirty tracking
are part of the aforementioned auxiliary data.

In order to keep error handling efforts within reasonable bounds, for
operations which may require memory allocations shadow mode logic
ensures up front that enough memory is available for the worst case
requirements.  Unfortunately, while page table memory is properly
accounted for on the code path requiring the potential establishing of
new shadows, demands by the log-dirty infrastructure were not taken into
consideration.  As a result, just established shadow page tables could
be freed again immediately, while other code is still accessing them on
the assumption that they would remain allocated.

IMPACT
======

Guests running in shadow mode and being subject to migration or
snapshotting may be able to cause Denial of Service and other problems,
including escalation of privilege.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  The vulnerability is limited to
migration and snapshotting of guests, and only to PV ones as well as
HVM or PVH ones run with shadow paging.

MITIGATION
==========

Not migrating or snapshotting guests will avoid the vulnerability.

Running only HVM or PVH guests and only in HAP (Hardware Assisted
Paging) mode will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa427.patch           xen-unstable - Xen 4.17.x
xsa427-4.16.patch      Xen 4.16.x
xsa427-4.15.patch      Xen 4.15.x
xsa427-4.14.patch      Xen 4.14.x

$ sha256sum xsa427*
5ebcdc495ba6f439e47be7e17dbb8fbdecf4de66d2fac560d460f6841bd3bef3  xsa427.meta
aa39316cbb81478c62b3d5c5aea7edfb6ade3bc5e6d0aa8c4677f9ea7bcc97a2  xsa427.patch
5ba679bc2170b0d9cd4c6ce139057e3287a6ee00434fa0e9a7a02441420030ff  xsa427-4.14.patch
410ee6be28412841ab5aba1131f7dd7b84b9983f6c93974605f196fd278562e1  xsa427-4.15.patch
76c1850eb9a274c1feb5a8645f61ecf394a0551278f4e40e123ec07ea307f101  xsa427-4.16.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa427.meta"
Content-Disposition: attachment; filename="xsa427.meta"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa427.patch"
Content-Disposition: attachment; filename="xsa427.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa427-4.14.patch"
Content-Disposition: attachment; filename="xsa427-4.14.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa427-4.15.patch"
Content-Disposition: attachment; filename="xsa427-4.15.patch"
Content-Transfer-Encoding: base64


--=separator
Content-Type: application/octet-stream; name="xsa427-4.16.patch"
Content-Disposition: attachment; filename="xsa427-4.16.patch"
Content-Transfer-Encoding: base64


--=separator--


