nixpkgs/pkgs
Graham Christensen cc4919da89
xen: patch for XSAs: 197, 199, 207, 208, 209

XSA-197 Issue Description:

> The compiler can emit optimizations in qemu which can lead to double
> fetch vulnerabilities.  Specifically data on the rings shared
> between qemu and the hypervisor (which the guest under control can
> obtain mappings of) can be fetched twice (during which time the
> guest can alter the contents) possibly leading to arbitrary code
> execution in qemu.

More: https://xenbits.xen.org/xsa/advisory-197.html

XSA-199 Issue Description:

> The code in qemu which implements ioport read/write looks up the
> specified ioport address in a dispatch table.  The argument to the
> dispatch function is a uint32_t, and is used without a range check,
> even though the table has entries for only 2^16 ioports.
>
> When qemu is used as a standalone emulator, ioport accesses are
> generated only from cpu instructions emulated by qemu, and are
> therefore necessarily 16-bit, so there is no vulnerability.
>
> When qemu is used as a device model within Xen, io requests are
> generated by the hypervisor and read by qemu from a shared ring.  The
> entries in this ring use a common structure, including a 64-bit
> address field, for various accesses, including ioport addresses.
>
> Xen will write only 16-bit address ioport accesses.  However,
> depending on the Xen and qemu version, the ring may be writeable by
> the guest.  If so, the guest can generate out-of-range ioport
> accesses, resulting in wild pointer accesses within qemu.

More: https://xenbits.xen.org/xsa/advisory-199.html

XSA-207 Issue Description:

> Certain internal state is set up, during domain construction, in
> preparation for possible pass-through device assignment.  On ARM and
> AMD V-i hardware this setup includes memory allocation.  On guest
> teardown, cleanup was erroneously only performed when the guest
> actually had a pass-through device assigned.

More: https://xenbits.xen.org/xsa/advisory-207.html

XSA-209 Issue Description:

> When doing bitblt copy backwards, qemu should negate the blit width.
> This avoids an oob access before the start of video memory.

More: https://xenbits.xen.org/xsa/advisory-208.html

XSA-208 Issue Description:

> In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
> cirrus_bitblt_cputovideo fails to check whether the specified memory
> region is safe.

More: https://xenbits.xen.org/xsa/advisory-209.html
2017-02-22 08:00:45 -05:00
..
applications xen: patch for XSAs: 197, 199, 207, 208, 209 2017-02-22 08:00:45 -05:00
build-support Grrr 2017-02-21 15:26:14 +01:00
common-updater maintainers: Add script to patch version/sha256 in .nix files 2017-02-19 16:51:17 +02:00
data stix-two: init at 2.0.0 2017-02-20 23:55:55 +01:00
desktops qlipper: 2016-09-26 -> 5.0.0 2017-02-19 11:52:26 -03:00
development Merge pull request #23071 from takikawa/add-ndpi-1.8 2017-02-22 10:46:19 +01:00
games scummvm: 1.8.0 -> 1.9.0 2017-02-17 23:46:53 +01:00
misc vim_configurable: Add packPath option to vimrcConfig (#22776) 2017-02-22 01:06:34 +01:00
os-specific Merge pull request #22822 from Mic92/iputils 2017-02-22 00:37:13 +01:00
servers Merge pull request #22822 from Mic92/iputils 2017-02-22 00:37:13 +01:00
shells oh-my-zsh: 2017-01-15 -> 2017-02-20 2017-02-21 19:07:59 -05:00
stdenv Merge pull request #22387 from Ericson2314/cross-3-platforms 2017-02-05 17:41:31 -05:00
test
tools bins: fix permissions issue regenerating albums 2017-02-21 06:37:07 +01:00
top-level Merge pull request #23071 from takikawa/add-ndpi-1.8 2017-02-22 10:46:19 +01:00