CVS Commit History:


   2015-10-30 08:46:36 by Manuel Bouyer | Files touched by this commit (1)
Log message:
Add patch entries from previous security commit. Pointed out by
Takahiro Hayashi, thanks!
   2015-10-29 21:40:53 by Manuel Bouyer | Files touched by this commit (5)
Log message:
Add patches from Xen security advisory, fixing:
CVE-2015-7835 aka XSA-148
CVE-2015-7869 aka XSA-149 + XSA-151
CVE-2015-7970 aka XSA-150
CVE-2015-7971 aka XSA-152
Bump PKGREVISION
   2015-09-14 15:36:29 by Joerg Sonnenberger | Files touched by this commit (7)
Log message:
Avoid undefined behavior when left-shifting negative values.
   2015-06-23 19:45:34 by Manuel Bouyer | Files touched by this commit (19) | Package removed
Log message:
Upgrade xenkernel45 and xentools45 to 4.5.1.
Note that the patch for XSA135 for qemu-traditional, which was
not applied to the 4.5 branch before the release due to an oversight,
is applied here (xentools45/patches/patch-XSA135).

Selected entries from the release notes:
    a246727: cpupool: fix shutdown with cpupools with different schedulers [Dario Faggioli]
    5b2f480: libelf: fix elf_parse_bsdsyms call [Roger Pau Monné]
    8faef24: VT-d: extend quirks to newer desktop chipsets [Jan Beulich]
    24fcf17: x86/VPMU: add lost Intel processor [Alan Robinson]
    131889c: x86/crash: don't use set_fixmap() in the crash path [Andrew Cooper]
    8791a30: x86/apic: Disable the LAPIC later in smp_send_stop() [Andrew Cooper]
    fbd26f2: x86/pvh: disable posted interrupts [Roger Pau Monné]
    0d8cbca: libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap. [Konrad Rzeszutek Wilk]
    bf06e40: libxl: event handling: ao_inprogress does waits while reports outstanding [Ian Jackson]
    97051bd: libxl: event handling: Break out ao_work_outstanding [Ian Jackson]
    0bc9f98: x86/traps: loop in the correct direction in compat_iret() [Andrew Cooper]
    fcfbdb4: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling [Jan Beulich]
    09f76cb: cpupools: avoid crashing if shutting down with free CPUs [Dario Faggioli]
    f237ee4: cpupool: assigning a CPU to a pool can fail [Dario Faggioli]
    b986072: xen: common: Use unbounded array for symbols_offset. [Ian Campbell]
    5eac1be: x86/irq: limit the maximum number of domain PIRQs [Andrew Cooper]
    9c3d34d: x86: don't unconditionally touch the hvm_domain union during domain construction [Andrew Cooper]
    9d5b2b0: tools/xenconsoled: Increase file descriptor limit [Andrew Cooper]
    cfc4c43: ocaml/xenctrl: Fix stub_xc_readconsolering() [Andrew Cooper]
    032673c: ocaml/xenctrl: Make failwith_xc() thread safe [Andrew Cooper]
    c91ed88: ocaml/xenctrl: Check return values from hypercalls [Andrew Cooper]
    fa62913: libxl: Domain destroy: fork [Ian Jackson]
    c9b13f3: libxl: Domain destroy: unlock userdata earlier [Ian Jackson]
    0b19348: libxl: In domain death search, start search at first domid we want [Ian Jackson]
    ddfe333: x86: don't change affinity with interrupt unmasked [Jan Beulich]
    bf30232: x86: don't clear high 32 bits of RAX on sub-word guest I/O port reads [Jan Beulich]
    a824bf9: x86_emulate: fix EFLAGS setting of CMPXCHG emulation [Eugene Korenevsky]
    f653b7f: x86/hvm: implicitly disable an ioreq server when it is destroyed [Paul Durrant]
    8dbdcc3: x86/hvm: actually release ioreq server pages [Paul Durrant]
    56fe488: x86/hvm: fix the unknown nested vmexit reason 80000021 bug [Liang Li]
    4a52101: VT-d: improve fault info logging [Jan Beulich]
    5a7c042: x86/MSI: fix error handling [Jan Beulich]
    51d8325: LZ4 : fix the data abort issue [JeHyeon Yeon]
    0327c93: hvmloader: don't treat ROM BAR like other BARs [Jan Beulich]
    f2e08aa: domctl/sysctl: don't leak hypervisor stack to toolstacks [Andrew Cooper]
    3771b5a: arm64: fix fls() [Jan Beulich]
    9246d2e: domctl: don't allow a toolstack domain to call domain_pause() on itself [Andrew Cooper]
    f5bca81: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) [Konrad Rzeszutek Wilk]
    7fe1c1b: x86: don't apply reboot quirks if reboot set by user [Ross Lagerwall]
    969df12: Revert "cpupools: update domU's node-affinity on the cpupool_unassign_cpu() path" [Jan Beulich]
    483c6cd: honor MEMF_no_refcount in alloc_heap_pages() [Jan Beulich]
    6616c4d: tools: libxl: Explicitly disable graphics backends on qemu cmdline [Ian Campbell]
    d0b141e: x86/tboot: invalidate FIX_TBOOT_MAP_ADDRESS mapping after use [Jan Beulich]
    902998e: x86emul: fully ignore segment override for register-only operations [Jan Beulich]
    25c6ee8: pre-fill structures for certain HYPERVISOR_xen_version sub-ops [Aaron Adams]
    7ef0364: x86/HVM: return all ones on wrong-sized reads of system device I/O ports [Jan Beulich]
    3665563: tools/libxc: Don't leave scratch_pfn uninitialised if the domain has no memory [Andrew Cooper]
    75ac8cf: x86/nmi: fix shootdown of pcpus running in VMX non-root mode [Andrew Cooper]
    1e44c92: x86/hvm: explicitly mark ioreq server pages dirty [Paul Durrant]
    2bfef90: x86/hvm: wait for at least one ioreq server to be enabled [Paul Durrant]
    d976397: x86/VPMU: disable when NMI watchdog is on [Boris Ostrovsky]
    84f2484: libxc: introduce a per architecture scratch pfn for temporary grant mapping [Julien Grall]
    6302c61: Install libxlutil.h [Jim Fehlig]
    d8e78d6: bunzip2: off by one in get_next_block() [Dan Carpenter]
    8a855b3: docs/commandline: correct information for 'x2apic_phys' parameter [Andrew Cooper]
    3a777be: x86: vcpu_destroy_pagetables() must not return -EINTR [Konrad Rzeszutek Wilk]
    1acb3b6: handle XENMEM_get_vnumainfo in compat_memory_op [Wei Liu]
    4eec09f: x86: correctly check for sub-leaf zero of leaf 7 in pv_cpuid() [Jan Beulich]
    7788cbb: x86: don't expose XSAVES capability to PV guests [Jan Beulich]
    4cfc54b: xsm/evtchn: never pretend to have successfully created a Xen event channel [Andrew Cooper]
    2fdd521: common/memory: fix an XSM error path [Jan Beulich]
    ad83ad9: x86emul: tighten CLFLUSH emulation [Jan Beulich]
    1928318: dt-uart: use ':' as separator between path and options [Ian Campbell]
    9ae1853: libxl: Don't ignore error when we fail to give access to ioport/irq/iomem [Julien Grall]

In addition, this release also contains the following fixes to qemu-traditional:

    afaa35b: ... by default. Add a per-device "permissive" mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). [Jan Beulich]
    3cff7ad: Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. [Jan Beulich]
    ec61b93: The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). [Jan Beulich]
    37c77b8: xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). [Jan Beulich]
    2dc4059: This is just to avoid having to adjust that calculation later in multiple places. [Jan Beulich]
    29d9566: xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). [Jan Beulich]
    2e19270: There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write() is being retained in order to allow later patches to be less intrusive. [Jan Beulich]
    751d20d: Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). [Jan Beulich]
    51f3b5b: ... to avoid allowing the guest to cause the control domain's disk to fill. [Jan Beulich]
    7f99bb9: It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. [Jan Beulich]
    6fc82bf: The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. [Jan Beulich]
    e42b84c: fdc: force the fifo access to be in bounds of the allocated buffer [Petr Matousek]
    62e4158: xen: limit guest control of PCI command register [Jan Beulich]
    3499745: cirrus: fix an uninitialized variable [Jan Beulich]

This release also contains the security fixes for XSA-117 to XSA-136, with the
exception of XSA-124 which documents security risks of non-standard PCI device
functionality that cannot be addressed in software. It also includes an update
to XSA-98 and XSA-59.
   2015-06-05 19:15:04 by Pierre Pronchery | Files touched by this commit (3)
Log message:
Apply fixes from upstream for XSA-133

Privilege escalation via emulated floppy disk drive

The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.

A guest which has access to an emulated floppy device can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

All Xen systems running x86 HVM guests without stubdomains are
vulnerable to this depending on the specific guest configuration. The
default configuration is vulnerable.

Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.
Guests using a qemu-dm stubdomain to run the device model are only
vulnerable to takeover of that service domain.

Systems running only x86 PV guests are not vulnerable.
ARM systems are not vulnerable.
   2015-04-19 17:02:12 by S.P.Zeidler | Files touched by this commit (3)
Log message:
adding upstream's patch for
XSA-127 Certain domctl operations may be abused to lock up the host
   2015-04-19 15:13:21 by S.P.Zeidler | Files touched by this commit (24)
Log message:
apply fixes from upstream for
XSA-125 Long latency MMIO mapping operations are not preemptible
XSA-126 Unmediated PCI command register access in qemu
   2015-03-10 21:08:44 by S.P.Zeidler | Files touched by this commit (3)
Log message:
xsa123.patch from upstream:
x86emul: fully ignore segment override for register-only operations

For ModRM encoded instructions with register operands we must not
overwrite ea.mem.seg (if a - bogus in that case - segment override was
present) as it aliases with ea.reg.

This is CVE-2015-2151 / XSA-123.
   2015-03-05 15:21:31 by S.P.Zeidler | Files touched by this commit (4)
Log message:
Add patches for XSA-121 and XSA-122 from upstream.
   2015-02-04 21:52:16 by Joerg Sonnenberger | Files touched by this commit (3)
Log message:
Fix build with clang.
