Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2018-04-27 16:00:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xen" Fri Apr 27 16:00:36 2018 rev:246 rq:601072 version:4.10.0_18 Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2018-03-30 12:00:43.480265750 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2018-04-27 16:00:39.633358022 +0200 @@ -1,0 +2,16 @@ +Mon Apr 16 14:03:24 MDT 2018 - carnold@suse.com + +- bsc#1089152 - VUL-0: xen: Information leak via crafted + user-supplied CDROM (XSA-258) + xsa258.patch +- bsc#1089635 - VUL-0: xen: x86: PV guest may crash Xen with XPTI + (XSA-259) + xsa259.patch + +------------------------------------------------------------------- +Wed Mar 28 08:28:59 UTC 2018 - ohering@suse.de + +- Preserve xen-syms from xen-dbg.gz to allow processing vmcores + with crash(1) (bsc#1087251) + +------------------------------------------------------------------- New: ---- xsa258.patch xsa259.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.bxKPP6/_old 2018-04-27 16:00:46.281114042 +0200 +++ /var/tmp/diff_new_pack.bxKPP6/_new 2018-04-27 16:00:46.289113748 +0200 @@ -126,7 +126,7 @@ BuildRequires: pesign-obs-integration %endif -Version: 4.10.0_16 +Version: 4.10.0_18 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 @@ -224,6 +224,8 @@ Patch61: 5a9eb890-x86-remove-CR-reads-from-exit-to-guest-path.patch Patch62: 5aa2b6b9-cpufreq-ondemand-CPU-offlining-race.patch Patch63: 5aaa9878-x86-vlapic-clear-TMR-bit-for-edge-triggered-intr.patch +Patch258: xsa258.patch +Patch259: xsa259.patch # Our platform specific patches Patch400: xen-destdir.patch Patch401: vif-bridge-no-iptables.patch @@ -477,6 +479,8 @@ %patch61 -p1 %patch62 -p1 %patch63 -p1 +%patch258 -p1 +%patch259 -p1 # Our platform specific patches %patch400 -p1 %patch401 -p1 @@ -815,6 +819,8 @@ find $RPM_BUILD_ROOT/boot -ls if [ -n "$1" ]; then ext="-$1" + mv $RPM_BUILD_ROOT/boot/xen-syms-${XEN_FULLVERSION} \ + $RPM_BUILD_ROOT/boot/xen-syms${ext}-${XEN_FULLVERSION} mv $RPM_BUILD_ROOT/boot/xen-${XEN_FULLVERSION}%{xen_install_suffix} \ $RPM_BUILD_ROOT/boot/xen${ext}-${XEN_FULLVERSION}%{xen_install_suffix} if test -d $RPM_BUILD_ROOT%{_libdir}/efi; then ++++++ libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch ++++++ --- /var/tmp/diff_new_pack.bxKPP6/_old 2018-04-27 16:00:47.845056643 +0200 +++ /var/tmp/diff_new_pack.bxKPP6/_new 2018-04-27 16:00:47.849056497 +0200 @@ -87,7 +87,7 @@ =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_dm.c +++ xen-4.10.0-testing/tools/libxl/libxl_dm.c -@@ -805,6 +805,19 @@ enum { +@@ -792,6 +792,19 @@ enum { LIBXL__COLO_SECONDARY, }; @@ -107,7 +107,7 @@ static char *qemu_disk_scsi_drive_string(libxl__gc *gc, const char *target_path, int unit, const char *format, const libxl_device_disk *disk, -@@ -818,8 +831,8 @@ static char *qemu_disk_scsi_drive_string +@@ -805,8 +818,8 @@ static char *qemu_disk_scsi_drive_string switch (colo_mode) { case LIBXL__COLO_NONE: drive = libxl__sprintf @@ -118,7 +118,7 @@ break; case LIBXL__COLO_PRIMARY: /* -@@ -832,13 +845,15 @@ static char *qemu_disk_scsi_drive_string +@@ -819,13 +832,15 @@ static char *qemu_disk_scsi_drive_string * vote-threshold=1 */ drive = GCSPRINTF( @@ -136,7 +136,7 @@ break; case LIBXL__COLO_SECONDARY: /* -@@ -852,7 +867,7 @@ static char *qemu_disk_scsi_drive_string +@@ -839,7 +854,7 @@ static char *qemu_disk_scsi_drive_string * file.backing.backing=exportname, */ drive = GCSPRINTF( @@ -145,7 +145,7 @@ "driver=replication," "mode=secondary," "top-id=top-colo," -@@ -861,7 +876,9 @@ static char *qemu_disk_scsi_drive_string +@@ -848,7 +863,9 @@ static char *qemu_disk_scsi_drive_string "file.backing.driver=qcow2," "file.backing.file.filename=%s," "file.backing.backing=%s", @@ -156,7 +156,7 @@ break; default: abort(); -@@ -883,8 +900,8 @@ static char *qemu_disk_ide_drive_string( +@@ -870,8 +887,8 @@ static char *qemu_disk_ide_drive_string( switch (colo_mode) { case LIBXL__COLO_NONE: drive = GCSPRINTF @@ -167,7 +167,7 @@ break; case LIBXL__COLO_PRIMARY: /* -@@ -897,13 +914,15 @@ static char *qemu_disk_ide_drive_string( +@@ -884,13 +901,15 @@ static char *qemu_disk_ide_drive_string( * vote-threshold=1 */ drive = GCSPRINTF( @@ -185,7 +185,7 @@ break; case LIBXL__COLO_SECONDARY: /* -@@ -917,7 +936,7 @@ static char *qemu_disk_ide_drive_string( +@@ -904,7 +923,7 @@ static char *qemu_disk_ide_drive_string( * file.backing.backing=exportname, */ drive = GCSPRINTF( @@ -194,7 +194,7 @@ "driver=replication," "mode=secondary," "top-id=top-colo," -@@ -926,7 +945,9 @@ static char *qemu_disk_ide_drive_string( +@@ -913,7 +932,9 @@ static char *qemu_disk_ide_drive_string( "file.backing.driver=qcow2," "file.backing.file.filename=%s," "file.backing.backing=%s", @@ -205,7 +205,7 @@ break; default: abort(); -@@ -1605,8 +1626,8 @@ static int libxl__build_device_model_arg +@@ -1592,8 +1613,8 @@ static int libxl__build_device_model_arg return ERROR_INVAL; } flexarray_vappend(dm_args, "-drive", ++++++ libxl.pvscsi.patch ++++++ --- /var/tmp/diff_new_pack.bxKPP6/_old 2018-04-27 16:00:47.865055910 +0200 +++ /var/tmp/diff_new_pack.bxKPP6/_new 2018-04-27 16:00:47.869055763 +0200 @@ -226,7 +226,7 @@ =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.10.0-testing/tools/libxl/libxl_internal.h -@@ -3579,6 +3579,7 @@ extern const struct libxl_device_type li +@@ -3580,6 +3580,7 @@ extern const struct libxl_device_type li extern const struct libxl_device_type libxl__disk_devtype; extern const struct libxl_device_type libxl__nic_devtype; extern const struct libxl_device_type libxl__vtpm_devtype; ++++++ libxl.set-migration-constraints-from-cmdline.patch ++++++ --- /var/tmp/diff_new_pack.bxKPP6/_old 2018-04-27 16:00:47.889055029 +0200 +++ /var/tmp/diff_new_pack.bxKPP6/_new 2018-04-27 16:00:47.889055029 +0200 @@ -395,7 +395,7 @@ =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.10.0-testing/tools/libxl/libxl_internal.h -@@ -3293,6 +3293,10 @@ struct libxl__domain_save_state { +@@ -3294,6 +3294,10 @@ struct libxl__domain_save_state { /* private */ int rc; int hvm; ++++++ xen.libxl.dmmd.patch ++++++ --- /var/tmp/diff_new_pack.bxKPP6/_old 2018-04-27 16:00:48.097047395 +0200 +++ /var/tmp/diff_new_pack.bxKPP6/_new 2018-04-27 16:00:48.097047395 +0200 @@ -49,7 +49,7 @@ =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_dm.c +++ xen-4.10.0-testing/tools/libxl/libxl_dm.c -@@ -956,6 +956,30 @@ static char *qemu_disk_ide_drive_string( +@@ -943,6 +943,30 @@ static char *qemu_disk_ide_drive_string( return drive; } @@ -80,7 +80,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, const char *dm, int guest_domid, const libxl_domain_config *guest_config, -@@ -1523,9 +1547,11 @@ static int libxl__build_device_model_arg +@@ -1510,9 +1534,11 @@ static int libxl__build_device_model_arg libxl__device_disk_dev_number(disks[i].vdev, &disk, &part); const char *format; char *drive; @@ -93,7 +93,7 @@ if (dev_number == -1) { LOGD(WARN, guest_domid, "unable to determine"" disk number for %s", disks[i].vdev); -@@ -1566,7 +1592,7 @@ static int libxl__build_device_model_arg +@@ -1553,7 +1579,7 @@ static int libxl__build_device_model_arg * the bootloader path. */ if (disks[i].backend == LIBXL_DISK_BACKEND_TAP) @@ -119,7 +119,7 @@ =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.10.0-testing/tools/libxl/libxl_internal.h -@@ -1758,6 +1758,10 @@ _hidden char *libxl__blktap_devpath(libx +@@ -1759,6 +1759,10 @@ _hidden char *libxl__blktap_devpath(libx */ _hidden int libxl__device_destroy_tapdisk(libxl__gc *gc, const char *params); ++++++ xen2libvirt.py ++++++ --- /var/tmp/diff_new_pack.bxKPP6/_old 2018-04-27 16:00:48.125046367 +0200 +++ /var/tmp/diff_new_pack.bxKPP6/_new 2018-04-27 16:00:48.125046367 +0200 @@ -52,7 +52,7 @@ isbinary = os.system('file -b ' + path + ' | grep text > /dev/null') if isbinary: - print(('Skipping %s (not a valid Xen configuration file)' % path)) + print('Skipping %s (not a valid Xen configuration file)' % path) return 'unknown' for line in config.splitlines(): @@ -62,14 +62,14 @@ # XML is not a supported conversion format break if line.startswith('(domain'): - print(('Found sexpr formatted file %s' % path)) + print('Found sexpr formatted file %s' % path) return 'sexpr' if '=' in line: - print(('Found xm formatted file %s' % path)) + print('Found xm formatted file %s' % path) return 'xm' break - print(('Skipping %s (not a valid Xen configuration file)' % path)) + print('Skipping %s (not a valid Xen configuration file)' % path) return 'unknown' @@ -131,7 +131,7 @@ print_verbose('Processing file %s' % abs_name) import_domain(conn, abs_name, args.format, args.convert_only) except IOError: - print(('Failed to open/read path %s' % path)) + print('Failed to open/read path %s' % path) sys.exit(1) else: import_domain(conn, args.path, args.format, args.convert_only) ++++++ xsa258.patch ++++++
From bf9ab0ec0b632739fe6366391e89a7d4dcf9993b Mon Sep 17 00:00:00 2001 From: Anthony PERARD <anthony.perard@citrix.com> Date: Thu, 8 Mar 2018 18:16:41 +0000 Subject: [PATCH] libxl: Specify format of inserted cdrom
Without this extra parameter on the QMP command, QEMU will guess the format of the new file. This is XSA-258. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> --- tools/libxl/libxl_device.c | 13 +++++++++++++ tools/libxl/libxl_dm.c | 17 ++--------------- tools/libxl/libxl_internal.h | 1 + tools/libxl/libxl_qmp.c | 2 ++ 4 files changed, 18 insertions(+), 15 deletions(-) Index: xen-4.10.0-testing/tools/libxl/libxl_device.c =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_device.c +++ xen-4.10.0-testing/tools/libxl/libxl_device.c @@ -430,6 +430,19 @@ char *libxl__device_disk_string_of_backe } } +const char *libxl__qemu_disk_format_string(libxl_disk_format format) +{ + switch (format) { + case LIBXL_DISK_FORMAT_QCOW: return "qcow"; + case LIBXL_DISK_FORMAT_QCOW2: return "qcow2"; + case LIBXL_DISK_FORMAT_VHD: return "vpc"; + case LIBXL_DISK_FORMAT_RAW: return "raw"; + case LIBXL_DISK_FORMAT_EMPTY: return NULL; + case LIBXL_DISK_FORMAT_QED: return "qed"; + default: return NULL; + } +} + int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor) { struct stat buf; Index: xen-4.10.0-testing/tools/libxl/libxl_dm.c =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_dm.c +++ xen-4.10.0-testing/tools/libxl/libxl_dm.c @@ -677,19 +677,6 @@ static int libxl__build_device_model_arg return 0; } -static const char *qemu_disk_format_string(libxl_disk_format format) -{ - switch (format) { - case LIBXL_DISK_FORMAT_QCOW: return "qcow"; - case LIBXL_DISK_FORMAT_QCOW2: return "qcow2"; - case LIBXL_DISK_FORMAT_VHD: return "vpc"; - case LIBXL_DISK_FORMAT_RAW: return "raw"; - case LIBXL_DISK_FORMAT_EMPTY: return NULL; - case LIBXL_DISK_FORMAT_QED: return "qed"; - default: return NULL; - } -} - static char *dm_spice_options(libxl__gc *gc, const libxl_spice_info *spice) { @@ -1516,9 +1503,9 @@ static int libxl__build_device_model_arg * always raw */ if (disks[i].backend == LIBXL_DISK_BACKEND_QDISK) - format = qemu_disk_format_string(disks[i].format); + format = libxl__qemu_disk_format_string(disks[i].format); else - format = qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW); + format = libxl__qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW); if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) { if (!disks[i].is_cdrom) { Index: xen-4.10.0-testing/tools/libxl/libxl_internal.h =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.10.0-testing/tools/libxl/libxl_internal.h @@ -1198,6 +1198,7 @@ _hidden int libxl__domain_pvcontrol_writ /* from xl_device */ _hidden char *libxl__device_disk_string_of_backend(libxl_disk_backend backend); _hidden char *libxl__device_disk_string_of_format(libxl_disk_format format); +_hidden const char *libxl__qemu_disk_format_string(libxl_disk_format format); _hidden int libxl__device_disk_set_backend(libxl__gc*, libxl_device_disk*); _hidden int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor); Index: xen-4.10.0-testing/tools/libxl/libxl_qmp.c =================================================================== --- xen-4.10.0-testing.orig/tools/libxl/libxl_qmp.c +++ xen-4.10.0-testing/tools/libxl/libxl_qmp.c @@ -982,6 +982,8 @@ int libxl__qmp_insert_cdrom(libxl__gc *g return qmp_run_command(gc, domid, "eject", args, NULL, NULL); } else { qmp_parameters_add_string(gc, &args, "target", disk->pdev_path); + qmp_parameters_add_string(gc, &args, "arg", + libxl__qemu_disk_format_string(disk->format)); return qmp_run_command(gc, domid, "change", args, NULL, NULL); } } ++++++ xsa259.patch ++++++ From: Jan Beulich <jbeulich@suse.com> Subject: x86: fix slow int80 path after XPTI additions For the int80 slow path to jump to handle_exception_saved, %r14 needs to be set up suitably for XPTI purposes. This is because of the difference in nature between the int80 path (which is synchronous WRT guest actions) and the exception path which is potentially asynchronous. This is XSA-259. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Index: xen-4.10.0-testing/xen/arch/x86/x86_64/entry.S =================================================================== --- xen-4.10.0-testing.orig/xen/arch/x86/x86_64/entry.S +++ xen-4.10.0-testing/xen/arch/x86/x86_64/entry.S @@ -372,6 +372,12 @@ int80_slow_path: movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) /* A GPF wouldn't have incremented the instruction pointer. */ subq $2,UREGS_rip(%rsp) + /* + * While we've cleared xen_cr3 above already, normal exception handling + * code has logic to restore the original value from %r15. Therefore we + * need to set up %r14 here, while %r15 is required to still be zero. + */ + GET_STACK_END(14) jmp handle_exception_saved /* create_bounce_frame & helpers don't need to be in .text.entry */