authorAlexey Shvetsov <alexxy@gentoo.org>2011-09-21 11:14:59 +0000
committerAlexey Shvetsov <alexxy@gentoo.org>2011-09-21 11:14:59 +0000
commit53dc79db026b886b70d9998d30165ec40ccf6014 (patch)
tree2a9c1a73de17f202bf11694f21e3cb0544085b34 /app-emulation
parentFix underlink. Bug #379489 (diff)
[app-emulation/xen] Security patch from xen-4 backported for xen-3 by Ian Delaney aka idell4
Package-Manager: portage-2.2.0_alpha59/cvs/Linux x86_64
Diffstat (limited to 'app-emulation')
-rw-r--r--app-emulation/xen/ChangeLog8
-rw-r--r--app-emulation/xen/Manifest30
-rw-r--r--app-emulation/xen/files/xen-3.4.2-no-DMA.patch71
-rw-r--r--app-emulation/xen/xen-3.4.2-r2.ebuild111
4 files changed, 205 insertions, 15 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index 19bfacd00d43..26fd5bfb6af7 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for app-emulation/xen
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.80 2011/09/18 12:15:08 alexxy Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.81 2011/09/21 11:14:59 alexxy Exp $
+
+*xen-3.4.2-r2 (21 Sep 2011)
+
+ 21 Sep 2011; Alexey Shvetsov <alexxy@gentoo.org> +xen-3.4.2-r2.ebuild,
+ +files/xen-3.4.2-no-DMA.patch:
+ Security patch from xen-4 backported for xen-3 by Ian Delaney aka idell4
*xen-4.1.1-r2 (18 Sep 2011)
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index ef2e3367e8cf..06fa65255787 100644
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -3,28 +3,30 @@ Hash: SHA256
AUX xen-3.3.0-unexported-target-fix.patch 788 RMD160 4b30444c021479cbd3969493639533fc1e43e781 SHA1 9119f06b4a005c385ac27e085e2d96ccf9cd4dc9 SHA256 e46f5fbe4c579b84f895f0ac6e05589553a11305ca30e69405082d58abd9ee07
AUX xen-3.4.2-dump_registers-watchdog-fix.patch 533 RMD160 766249003d91cbec3b0014a8446e1a4d01cd847a SHA1 6306250671976c638f814a4958211af4bacb53b4 SHA256 17d18f268efd302085bdfa0673e2d9478e84206b6d060d0a63854441233a81c6
+AUX xen-3.4.2-no-DMA.patch 2708 RMD160 9aa83e21e8b07feca1f799f9efb4f9cd5728c6c6 SHA1 e55fa5a04203470af68452762f919b402854fce9 SHA256 87a3fe134b8d3c762d4d229986ccb77898a603a18974f453cfdf6ba9d68fe982
AUX xen-4.1.1-iommu_sec_fix.patch 2851 RMD160 4367178c10cdc1e752f3e9ffb70f42e6e7179242 SHA1 8487f85dbf81bf245deaccca5ff5b8f46e60d112 SHA256 3a0ab3cb5c18db91f4be457cbba36189a558da7b794e1a35795f4fed3d48a7c8
DIST xen-3.4.2.tar.gz 11187726 RMD160 2ef81df1f44356d60e04e21df2173ce5357d8509 SHA1 3cd2cafacd52bbac2e2da1cfd846ee6260b43455 SHA256 d17c33136041cc8da69214ccf527fc48637bee7a9ab4d68a88ec50e6a9d20b0b
DIST xen-4.1.1.tar.gz 10355625 RMD160 4b3c0641b0f098889f627662aa6b8fea00c5b636 SHA1 f1b5ef4b663c339faf9c77fc895327cfbcc9776c SHA256 246289227507466b5da8b2d0da84a5b0e68a392527b16cde38898d0348890f5b
EBUILD xen-3.4.2-r1.ebuild 3058 RMD160 19a8baa3dbf87f4c5d4e5019f88ae4dc5ccc32e6 SHA1 aed8b48c47b8f713dbc17d67fa2d21c838f7f071 SHA256 719917cfbf0605d4951415d9f53c49262d92ba8e8921a3835aefcd549dd275bb
+EBUILD xen-3.4.2-r2.ebuild 3134 RMD160 ece90071fa1eade372d7ec8c39d21ebcae407a19 SHA1 c7d70437fd36305200602eda3c41f42b6bd76e61 SHA256 8a16d8ee07c79f5f8bf0ceb584e717b25770aeff14c645c4abd73ef586db2901
EBUILD xen-4.1.1-r2.ebuild 3012 RMD160 7055789a3d10a477921485e1fd3a1500bca317a5 SHA1 7eab29e0157f06c46c530329b8acb4db53c3c061 SHA256 40fbd9ea0a51c0e72c7b53e5cbb85cdf9157687a1fdb3c6b34e29ad972b0c387
EBUILD xen-9999.ebuild 2929 RMD160 34b61aa566948357bed2bde59d06e38fdc21249c SHA1 5dfa8cebff2f2b9a10e40b888e151baf8afb804c SHA256 62f131e504a87ab2e05b1109325167ae9f6d9747ae90d89536d49734c7445f0e
-MISC ChangeLog 12833 RMD160 446a1d8cdd825f12e62b6119f3effea7a35513d6 SHA1 17f7c82dfea94d0fbce0abee46dbd35a4b317406 SHA256 ce714638aa70a3180c06ad02bdce7e3b0814c43ebabe55411e2a5fe9a768edf4
+MISC ChangeLog 13044 RMD160 414249645a0e0095178820063c0baa3cb36d00a0 SHA1 7315826966a1861803a774e10ec55d5add8bbb3c SHA256 4f8456682b58e74d352cb0eb87fbe32fbf640202e76f757ee67a88439cad6f1a
MISC metadata.xml 581 RMD160 d22ffb491d9dad33425b97add683dd6b8b9139e1 SHA1 649f65e9fd2ab25e32394c555a24fc0f6b59c37f SHA256 1cf2cc4bb5b5278ac75e74910607518ddd2bd6454f18325319ce1ac102fab535
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
-iQIcBAEBCAAGBQJOdeCdAAoJEOf+E+/4L5LmBGoP+gJzjte0I5pC0xd8qFwwe+UF
-SYOfe/pno7kmKM6cPCmLrISVxdpuAEngzndg7KMparoEW+7aon1k6MO69Mqd/aX/
-2s1gNyAhVrZLqJDESoslQPtSiN1g6EiM3PEBDgbrAEQFL5I74OH7cIctJ4yoVMkc
-9tDfIvS3M6mY0/ScaqlO9KDMMaotaKHPaPG07libIYdVzAx0B7GlaoK+52rOZnl+
-r6y+xJllwNh/ebdRm3RNTLQsYVrD9EgBDNjX9Of/Ct+Be1dtrAcp9LIArFWq4bZr
-kTJbkGLI5+NIWOOJ/OwpT2jtugjRhH3WDmE2u7IqdWHjUf5KxSypgMzOyVaPF+0D
-7jEMYlOoSucioTa72LAQg56ops0IRhuwIElWfV5fouDvJ/buRbrSrWv0LG1Y07fu
-6SZTXAPrgubwpIpbfl2WrkbL6AXuJmLQV+4fjB9BzC71VeMMGlNV+I52jWbVr9BT
-6NmMPL8b+9BA96KDuhxJp38wQtjde7ogDd04xnofmm+sjGt95pxjT83c3jIJO6Rp
-IpScDZe5uugRUSnEkDoFOoD8Q2O/ApdSS0U4gIfdAEIROrnsBKgjDoVNvyn3fvf9
-BXO3Uuw6rOh8ESFgK5Iys++Ti151Y3PTpH8FP04NlhELD9P36OdG8944X/nL9p9w
-86IpewGQSXzf3cXJz+p5
-=lrTB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+=1IgY
-----END PGP SIGNATURE-----
diff --git a/app-emulation/xen/files/xen-3.4.2-no-DMA.patch b/app-emulation/xen/files/xen-3.4.2-no-DMA.patch
new file mode 100644
index 000000000000..f04d9e26f9b2
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-no-DMA.patch
@@ -0,0 +1,71 @@
+# HG changeset patch
+# User Tim Deegan <Tim.Deegan@citrix.com>
+# Date 1313145221 -3600
+# Node ID 84e3706df07a1963e23cd3875d8603917657d462
+# Parent cb22fa57ff252893b6adb1481e09b1287eacd990
+Passthrough: disable bus-mastering on any card that causes an IOMMU fault.
+
+This stops the card from raising back-to-back faults and live-locking
+the CPU that handles them.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Acked-by: Wei Wang2 <wei.wang2@amd.com>
+Acked-by: Allen M Kay <allen.m.kay@intel.com>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c.orig Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/vtd/iommu.c Fri Aug 12 11:33:41 2011 +0100
+@@ -733,7 +733,7 @@
+ while (1)
+ {
+ u8 fault_reason;
+- u16 source_id;
++ u16 source_id, cword;
+ u32 data;
+ u64 guest_addr;
+ int type;
+@@ -766,6 +766,14 @@
+ iommu_page_fault_do_one(iommu, type, fault_reason,
+ source_id, guest_addr);
+
++ /* Tell the device to stop DMAing; we can't rely on the guest to
++ * control it for us. */
++ cword = pci_conf_read16(PCI_BUS(source_id), PCI_SLOT(source_id),
++ PCI_FUNC(source_id), PCI_COMMAND);
++ pci_conf_write16(PCI_BUS(source_id), PCI_SLOT(source_id),
++ PCI_FUNC(source_id), PCI_COMMAND,
++ cword & ~PCI_COMMAND_MASTER);
++
+ fault_index++;
+ if ( fault_index > cap_num_fault_regs(iommu->cap) )
+ fault_index = 0;
+
+--- a/xen/drivers/passthrough/amd/iommu_init.c.orig Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/amd/iommu_init.c Fri Aug 12 11:33:41 2011 +0100
+@@ -415,7 +415,7 @@
+
+ static void parse_event_log_entry(u32 entry[])
+ {
+- u16 domain_id, device_id;
++ u16 domain_id, device_id, bdf, cword;
+ u32 code;
+ u64 *addr;
+ char * event_str[] = {"ILLEGAL_DEV_TABLE_ENTRY",
+@@ -449,6 +449,18 @@
+ printk(XENLOG_ERR "AMD-Vi: "
+ "%s: domain = %d, device id = 0x%04x, fault address = 0x%"PRIx64"\n",
+ event_str[code-1], domain_id, device_id, *addr);
++
++ /* Tell the device to stop DMAing; we can't rely on the guest to
++ * control it for us. */
++ for ( bdf = 0; bdf < ivrs_bdf_entries; bdf++ )
++ if ( get_dma_requestor_id(bdf) == device_id )
++ {
++ cword = pci_conf_read16(PCI_BUS(bdf), PCI_SLOT(bdf),
++ PCI_FUNC(bdf), PCI_COMMAND);
++ pci_conf_write16(PCI_BUS(bdf), PCI_SLOT(bdf),
++ PCI_FUNC(bdf), PCI_COMMAND,
++ cword & ~PCI_COMMAND_MASTER);
++ }
+ }
+ }
+
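Review bot: Both `pci_conf_write16(..., PCI_COMMAND, cword & ~PCI_COMMAND_MASTER)` sites in the new patch (the VT-d fault loop and the AMD `parse_event_log_entry` loop) change the device's command register without emitting any log line, so an operator whose passthrough device stops responding after a fault has nothing in the hypervisor log tying the outage to this mitigation. The AMD branch prints the fault itself just above, and `iommu_page_fault_do_one()` presumably logs the VT-d fault, but neither reports that bus mastering was disabled for that BDF. A one-line `printk(XENLOG_WARNING "... disabling bus mastering for device 0x%04x after IOMMU fault\n", ...)` next to each write, keyed on `source_id` / `bdf`, would make the effect auditable. Whether the guest can later re-enable the master bit through config-space passthrough is not decided by this patch and is worth confirming against the toolstack in use. Both modified functions start and end outside the inner hunks.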
diff --git a/app-emulation/xen/xen-3.4.2-r2.ebuild b/app-emulation/xen/xen-3.4.2-r2.ebuild
new file mode 100644
index 000000000000..c170f73ec782
--- /dev/null
+++ b/app-emulation/xen/xen-3.4.2-r2.ebuild
@@ -0,0 +1,111 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-3.4.2-r2.ebuild,v 1.1 2011/09/21 11:14:59 alexxy Exp $
+
+inherit mount-boot flag-o-matic toolchain-funcs
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="debug custom-cflags pae acm flask xsm"
+
+RDEPEND="|| ( sys-boot/grub
+ sys-boot/grub-static )
+ >=sys-kernel/xen-sources-2.6.18"
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+pkg_setup() {
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ if use xsm ; then
+ export "XSM_ENABLE=y"
+ use acm && export "ACM_SECURITY=y"
+ if use flask ; then
+ ! use acm && export "FLASK_ENABLE=y"
+ use acm && ewarn "Both acm and flask XSM specified, defaulting to acm."
+ fi
+ elif use acm || use flask ; then
+ ewarn "acm and flask require USE=xsm to be set, dropping use flags"
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # Fix unexport $target in xen-setup
+ epatch "${FILESDIR}/"${PN}-3.3.0-unexported-target-fix.patch
+
+ # Fix crash in xen console
+ epatch "${FILESDIR}/"${P}-dump_registers-watchdog-fix.patch
+
+ # Security patches
+ epatch "${FILESDIR}/"${P}-no-DMA.patch || die
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \;
+ fi
+}
+
+src_compile() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" -C xen ${myopt} || die "compile failed"
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install || die "install failed"
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ if use pae; then
+ echo
+ ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+ fi
+}
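Review bot: The find invocation in src_unpack (`find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed …`) only runs sed on Config.mk: find's implied `-a` binds tighter than `-o`, so `-exec` attaches to the last `-name` only and Makefile/Rules.mk matches trigger no action, leaving the -O3/-march/-fomit-frame-pointer defaults in place under USE=custom-cflags. Group the tests: `find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) -exec sed \`. Separately, the new `epatch "${FILESDIR}/"${P}-no-DMA.patch || die` line is inconsistent with the two epatch calls above it, which rely on epatch failing the build itself; pick one form. The `# Security patches` comment would be more useful for later audits if it carried the upstream changeset id from the patch header (84e3706df07a…) or the Gentoo bug reference, e.g. `# Security patch backported from xen-4 (hg 84e3706df07a): disable bus mastering on IOMMU fault`.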