Merge pull request #26867 from michalpalka/xen-security-2017.06-new

xen: patch for XSAs: 216, 217, 218, 219, 220, 221, 222, and 224
2017-06-28 22:43:46 -04:00 · 2017-06-28 22:43:46 -04:00 · 4cc729644e
commit 4cc729644e
parent eb052edd6f 80e0cda7ff
3 changed files with 81 additions and 0 deletions
--- a/pkgs/applications/virtualization/xen/4.5.nix
+++ b/pkgs/applications/virtualization/xen/4.5.nix
@ -71,6 +71,10 @@ callPackage (import ./generic.nix (rec {
          name = "211-qemuu-4.6";
          sha256 = "1g090xs8ca8676vyi78b99z5yjdliw6mxkr521b8kimhf8crx4yg";
        })
+        (xsaPatch {
+          name = "216-qemuu-4.5";
+          sha256 = "0nh5akbal93czia1gh1pzvwq7gc4zwiyr1hbyk1m6wwdmqv6ph61";
+        })
      ];
      meta.description = "Xen's fork of upstream Qemu";
    };
@ -342,6 +346,62 @@ callPackage (import ./generic.nix (rec {
        name = "215";
        sha256 = "0sv8ccc5xp09f1w1gj5a9n3mlsdsh96sdb1n560vh31f4kkd61xs";
      })
+      (xsaPatch {
+        name = "217-4.5";
+        sha256 = "067pgsfrb9py2dhm1pk9g8f6fs40vyfrcxhj8c12vzamb6svzmn4";
+      })
+      (xsaPatch {
+        name = "218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures";
+        sha256 = "00y6j3yjxw0igpldsavikmhlxw711k2jsj1qx0s05w2k608gadkq";
+      })
+      (xsaPatch {
+        name = "218-4.5/0002-gnttab-fix-unmap-pin-accounting-race";
+        sha256 = "0qbbfnnjlpdcd29mzmacfmi859k92c213l91q7w1rg2k6pzx928k";
+      })
+      (xsaPatch {
+        name = "218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry";
+        sha256 = "1cndzvyhf41mk4my6vh3bk9jvh2y4gpmqdhvl9zhxhmppszslqkc";
+      })
+      (xsaPatch {
+        name = "218-4.5/0004-gnttab-correct-maptrack-table-accesses";
+        sha256 = "02zpb0ffigijacqvyyjylwx3qpgibwslrka7mbxwnclf4s9c03a2";
+      })
+      (xsaPatch {
+        name = "219-4.5";
+        sha256 = "003msr5vhsc66scmdpgn0lp3p01g4zfw5vj86y5lw9ajkbaywdsm";
+      })
+      (xsaPatch {
+        name = "220-4.5";
+        sha256 = "1dj9nn6lzxlipjb3nb7b9m4337fl6yn2bd7ap1lqrjn8h9zkk1pp";
+      })
+      (xsaPatch {
+        name = "221";
+        sha256 = "1mcr1nqgxyjrkywdg7qhlfwgz7vj2if1dhic425vgd41p9cdgl26";
+      })
+      (xsaPatch {
+        name = "222-1-4.6";
+        sha256 = "1g4dqm5qx4wqlv1520jpfiscph95vllcp4gqp1rdfailk8xi0mcf";
+      })
+      (xsaPatch {
+        name = "222-2-4.5";
+        sha256 = "1hw8rhc7q4v309f4w11gxfsn5x1pirvxkg7s4kr711fnmvp9hkzd";
+      })
+      (xsaPatch {
+        name = "224-4.5/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap";
+        sha256 = "1aislj66ss4cb3v2bh12mrqsyrf288d4h54rj94jjq7h1hnycw7h";
+      })
+      (xsaPatch {
+        name = "224-4.5/0002-gnttab-never-create-host-mapping-unless-asked-to";
+        sha256 = "1j6fgm1ccb07gg0mi5qmdr0vqwwc3n12z433g1jrija2gbk1x8aq";
+      })
+      (xsaPatch {
+        name = "224-4.5/0003-gnttab-correct-logic-to-get-page-references-during-m";
+        sha256 = "166kmicwx280fjqjvgigbmhabjksa0hhvqx5h4v6kjlcjpmxqy08";
+      })
+      (xsaPatch {
+        name = "224-4.5/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth";
+        sha256 = "1skc0yj1zsn8xgyq1y57bdc0scvvlmd0ynrjwwf1zkias1wlilav";
+      })
    ];

  # Fix build on Glibc 2.24.
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@ -156,4 +156,21 @@ rec {
        sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2";
      };
    };
+
+  # https://xenbits.xen.org/xsa/advisory-216.html
+  xen_XSA_216 =
+    { name = "xen_XSA-216";
+      patch = fetchpatch {
+        url = "https://xenbits.xen.org/xsa/xsa216-linux-4.11.patch";
+        sha256 = "14h017n6qwnraw5bv72q9xkg2w7xvx290505kny5zfwx891xahs8";
+      };
+    };
+
+  xen_XSA_216_4-4 =
+    { name = "xen_XSA-216-4.4";
+      patch = fetchpatch {
+        url = "https://xenbits.xen.org/xsa/xsa216-linux-4.4.patch";
+        sha256 = "1lv50wpr4lr49i4vp04vl778wcs9xn1jm51hp91h87jr0g3pbvi2";
+      };
+    };
 }
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -11926,6 +11926,7 @@ with pkgs;
      [ kernelPatches.bridge_stp_helper
        kernelPatches.p9_fixes
        kernelPatches.cpu-cgroup-v2."4.4"
+        kernelPatches.xen_XSA_216_4-4
      ]
      ++ lib.optionals ((platform.kernelArch or null) == "mips")
      [ kernelPatches.mips_fpureg_emu
@ -11940,6 +11941,7 @@ with pkgs;
        kernelPatches.p9_fixes
        kernelPatches.cpu-cgroup-v2."4.9"
        kernelPatches.modinst_arg_list_too_long
+        kernelPatches.xen_XSA_216
      ]
      ++ lib.optionals ((platform.kernelArch or null) == "mips")
      [ kernelPatches.mips_fpureg_emu
@ -11956,6 +11958,7 @@ with pkgs;
        # when adding a new linux version
        kernelPatches.cpu-cgroup-v2."4.11"
        kernelPatches.modinst_arg_list_too_long
+        kernelPatches.xen_XSA_216
      ]
      ++ lib.optionals ((platform.kernelArch or null) == "mips")
      [ kernelPatches.mips_fpureg_emu
@ -11969,6 +11972,7 @@ with pkgs;
      kernelPatches.bridge_stp_helper
      kernelPatches.p9_fixes
      kernelPatches.modinst_arg_list_too_long
+      kernelPatches.xen_XSA_216
    ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [
      kernelPatches.mips_fpureg_emu
      kernelPatches.mips_fpu_sigill