pkgsrc-ng/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
2014-08-11 13:27:10 +02:00


$NetBSD: patch-CVE-2013-4355_1,v 1.3 2014/03/28 16:07:08 drochner Exp $
http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
also fixes
http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html
(CVE-2013-4554)
also fixes
http://lists.xenproject.org/archives/html/xen-devel/2014-03/msg03177.html
(CVE-2014-2599)
--- xen/arch/x86/hvm/hvm.c.orig 2014-03-28 15:27:28.000000000 +0000
+++ xen/arch/x86/hvm/hvm.c 2014-03-28 15:27:36.000000000 +0000
@@ -1961,11 +1961,7 @@
rc = hvm_copy_from_guest_virt(
&tss, prev_tr.base, sizeof(tss), PFEC_page_present);
- if ( rc == HVMCOPY_bad_gva_to_gfn )
- goto out;
- if ( rc == HVMCOPY_gfn_paged_out )
- goto out;
- if ( rc == HVMCOPY_gfn_shared )
+ if ( rc != HVMCOPY_okay )
goto out;
eflags = regs->eflags;
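Review bot: The new `if ( rc != HVMCOPY_okay )` test after the `prev_tr.base` read has no comment saying why every non-okay result must bail out, so a later edit could narrow it back to a list of specific codes. I would add above it `/* Any failure may leave tss unfilled: never continue with its contents. */`, and the same reasoning applies to the identical check after the `tr.base` read in the next hunk, whose existing note only covers the shared-page optimisation. The code that consumes `tss` lies outside this hunk, so the exact exposure is inferred from the patch header (CVE-2013-4355) rather than from the visible lines.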
@@ -2010,13 +2006,11 @@
rc = hvm_copy_from_guest_virt(
&tss, tr.base, sizeof(tss), PFEC_page_present);
- if ( rc == HVMCOPY_bad_gva_to_gfn )
- goto out;
- if ( rc == HVMCOPY_gfn_paged_out )
- goto out;
- /* Note: this could be optimised, if the callee functions knew we want RO
- * access */
- if ( rc == HVMCOPY_gfn_shared )
+ /*
+ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
+ * functions knew we want RO access.
+ */
+ if ( rc != HVMCOPY_okay )
goto out;
@@ -2834,7 +2828,7 @@
case 4:
case 2:
hvm_get_segment_register(curr, x86_seg_ss, &sreg);
- if ( unlikely(sreg.attr.fields.dpl == 3) )
+ if ( unlikely(sreg.attr.fields.dpl) )
{
default:
regs->eax = -EPERM;
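Review bot: The test `unlikely(sreg.attr.fields.dpl)` relies on the implicit truthiness of a bit-field to mean "any ring other than 0", and nothing at the site records that rings 1 and 2 are now rejected on purpose. I would write it as `unlikely(sreg.attr.fields.dpl != 0)` and add `/* Hypercalls are accepted from ring 0 only (CVE-2013-4554). */` above the `if`. The `default:` label sits inside the braces, so every other switch value shares the `-EPERM` path, which is worth a word in that comment. The switch starts and ends outside the hunk.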
@@ -3746,7 +3740,7 @@
((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
goto param_fail5;
- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
+ for ( pfn = a.first_pfn; a.nr; ++pfn )
{
p2m_type_t t;
mfn_t mfn;
@@ -3759,6 +3753,17 @@
p2m_unlock(p2m);
if ( !success )
goto param_fail5;
+
+ /* Check for continuation if it's not the last interation. */
+ if ( --a.nr && hypercall_preempt_check() )
+ {
+ a.first_pfn = pfn + 1;
+ if ( copy_to_guest(arg, &a, 1) )
+ rc = -EFAULT;
+ else
+ rc = -EAGAIN;
+ goto param_fail5;
+ }
}
rc = 0;
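Review bot: Loop termination now depends on the `--a.nr` inside this added block, because the header in the previous hunk became `for ( pfn = a.first_pfn; a.nr; ++pfn )`. Any `continue` later added to the body would skip the decrement and spin in the hypervisor, so a one-line comment at the loop header pointing to the decrement would help. The added comment has a typo, `interation` for `iteration`. The continuation contract should be stated at the site, for example `/* Progress is written back to the guest's arg; the caller must re-issue on -EAGAIN. */`, since this non-failure exit goes through a label named `param_fail5`. Whether every caller of this operation retries on `-EAGAIN` is not visible here and should be confirmed, because one that does not would leave the range only partly updated.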