nixpkgs/pkgs/applications/virtualization
Michał Pałka dd3dcceb23 xen: patch for XSAs: 206, 211, 212, 213, 214 and 215
XSA-206 Issue Description:

> xenstored supports transactions, such that if writes which would
> invalidate assumptions of a transaction occur, the entire transaction
> fails.  Typical response on a failed transaction is to simply retry
> the transaction until it succeeds.
>
> Unprivileged domains may issue writes to xenstore which conflict with
> transactions either of the toolstack or of backends such as the driver
> domain. Depending on the exact timing, repeated writes may cause
> transactions made by these entities to fail indefinitely.

More: https://xenbits.xen.org/xsa/advisory-206.html

XSA-211 Issue Description:

> When a graphics update command gets passed to the VGA emulator, there
> are 3 possible modes that can be used to update the display:
>
> * blank - Clears the display
> * text - Treats the display as showing text
> * graph - Treats the display as showing graphics
>
> After the display geometry gets changed (i.e., after the CIRRUS VGA
> emulation has resized the display), the VGA emulator will resize the
> console during the next update command. However, when a blank mode is
> also selected during an update, this resize doesn't happen. The resize
> will be properly handled during the next time a non-blank mode is
> selected during an update.
>
> However, other console components - such as the VNC emulation - will
> operate as though this resize had happened. When the display is
> resized to be larger than before, this can result in a heap overflow
> as console components will expect the display buffer to be larger than
> it is currently allocated.

More: https://xenbits.xen.org/xsa/advisory-211.html

XSA-212 Issue Description:

> The XSA-29 fix introduced an insufficient check on XENMEM_exchange
> input, allowing the caller to drive hypervisor memory accesses outside
> of the guest provided input/output arrays.

More: https://xenbits.xen.org/xsa/advisory-212.html

XSA-213 Issue Description:

> 64-bit PV guests typically use separate (root) page tables for their
> kernel and user modes.  Hypercalls are accessible to guest kernel
> context only, which certain hypercall handlers make assumptions on.
> The IRET hypercall (replacing the identically named CPU instruction)
> is used by guest kernels to transfer control from kernel mode to user
> mode.  If such an IRET hypercall is placed in the middle of a multicall
> batch, subsequent operations invoked by the same multicall batch may
> wrongly assume the guest to still be in kernel mode.  If one or more of
> these subsequent operations involve operations on page tables, they may
> be using the wrong root page table, confusing internal accounting.  As
> a result the guest may gain writable access to some of its page tables.

More: https://xenbits.xen.org/xsa/advisory-213.html

XSA-214 Issue Description:

> The GNTTABOP_transfer operation allows one guest to transfer a page to
> another guest.  The internal processing of this, however, does not
> include zapping the previous type of the page being transferred.  This
> makes it possible for a PV guest to transfer a page previously used as
> part of a segment descriptor table to another guest while retaining the
> "contains segment descriptors" property.
>
> If the destination guest is a PV one of different bitness, it may gain
> access to segment descriptors it is not normally allowed to have, like
> 64-bit code segments in a 32-bit PV guest.
>
> If the destination guest is a HVM one, that guest may freely alter the
> page contents and then hand the page back to the same or another PV
> guest.
>
> In either case, if the destination PV guest then inserts that page into
> one of its own descriptor tables, the page still having the designated
> type results in validation of its contents being skipped.

More: https://xenbits.xen.org/xsa/advisory-214.html

XSA-215 Issue Description:

> Under certain special conditions Xen reports an exception resulting
> from returning to guest mode not via ordinary exception entry points,
> but via a so-called failsafe callback.  This callback, unlike exception
> handlers, takes 4 extra arguments on the stack (the saved data
> selectors DS, ES, FS, and GS).  Prior to placing exception or failsafe
> callback frames on the guest kernel stack, Xen checks the linear
> address range to not overlap with hypervisor space.  The range spanned
> by that check was mistakenly not covering these extra 4 slots.

More: https://xenbits.xen.org/xsa/advisory-215.html
2017-06-09 13:09:01 +00:00
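To make the XSA-215 description concrete, the following is a small model written for this page of the range check the advisory describes; it is not Xen's source and not part of the nixpkgs commit. The hypervisor area bounds, the five-slot size of an ordinary exception frame, and the placement of the four selector slots (DS, ES, FS, GS) at the low end of a downward-growing frame are assumptions; only the "4 extra slots" figure comes from the advisory text. The buggy check sizes its window for an ordinary frame no matter which frame kind is being written, and `unchecked_positions()` counts the guest stack pointers for which that check passes while a check covering the whole frame fails.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the XSA-215 range check. The layout values below are assumptions
 * made for this illustration, not Xen's real constants: the hypervisor area
 * bounds, the size of an ordinary exception frame, and the placement of the
 * four extra selector slots at the low end of the frame (the stack grows
 * downward, so the slots written last sit at the lowest addresses).
 */
#define HV_AREA_START   0xFFFF800000000000ULL   /* assumed */
#define HV_AREA_END     0xFFFF880000000000ULL   /* assumed */
#define SLOT_BYTES      8                       /* one 64-bit stack slot */
#define EXC_SLOTS       5                       /* assumed ordinary frame size */
#define FAILSAFE_EXTRA  4                       /* DS, ES, FS, GS (advisory text) */

enum frame_kind { FRAME_EXCEPTION, FRAME_FAILSAFE };

static size_t frame_slots(enum frame_kind k)
{
    return EXC_SLOTS + (k == FRAME_FAILSAFE ? FAILSAFE_EXTRA : 0);
}

/* True if the byte range [lo, hi) intersects the hypervisor area. */
static bool overlaps_hypervisor(uint64_t lo, uint64_t hi)
{
    return lo < HV_AREA_END && hi > HV_AREA_START;
}

/*
 * Pre-fix behaviour as the advisory describes it: the checked range is
 * sized for an ordinary exception frame regardless of frame kind, so the
 * four selector slots of a failsafe frame fall below the checked window.
 */
bool frame_ok_buggy(uint64_t rsp, enum frame_kind k)
{
    (void)k;                                  /* kind ignored: the bug */
    uint64_t bytes = (uint64_t)EXC_SLOTS * SLOT_BYTES;
    if (rsp < bytes)
        return false;                         /* would wrap below 0 */
    return !overlaps_hypervisor(rsp - bytes, rsp);
}

/* Fixed behaviour: the checked range covers every slot that will be written. */
bool frame_ok_fixed(uint64_t rsp, enum frame_kind k)
{
    uint64_t bytes = (uint64_t)frame_slots(k) * SLOT_BYTES;
    if (rsp < bytes)
        return false;
    return !overlaps_hypervisor(rsp - bytes, rsp);
}

/*
 * Walk guest stack pointers one slot at a time across the top edge of the
 * hypervisor area and count positions the buggy check accepts but the fixed
 * check rejects. For a failsafe frame this is the number of unchecked slots
 * (4); for an ordinary exception frame it is 0.
 */
int unchecked_positions(enum frame_kind k)
{
    int n = 0;
    uint64_t span = (uint64_t)frame_slots(k) * SLOT_BYTES;
    for (uint64_t rsp = HV_AREA_END; rsp <= HV_AREA_END + span; rsp += SLOT_BYTES)
        if (frame_ok_buggy(rsp, k) && !frame_ok_fixed(rsp, k))
            n++;
    return n;
}

int main(void)
{
    /* A frame whose checked part sits just above the hypervisor area,
       while its selector slots would be written inside it. */
    uint64_t rsp = HV_AREA_END + EXC_SLOTS * SLOT_BYTES;
    printf("buggy check accepts failsafe frame at %#llx: %d\n",
           (unsigned long long)rsp, frame_ok_buggy(rsp, FRAME_FAILSAFE));
    printf("fixed check accepts failsafe frame at %#llx: %d\n",
           (unsigned long long)rsp, frame_ok_fixed(rsp, FRAME_FAILSAFE));
    printf("unchecked slot positions, failsafe:  %d\n", unchecked_positions(FRAME_FAILSAFE));
    printf("unchecked slot positions, exception: %d\n", unchecked_positions(FRAME_EXCEPTION));
    return 0;
}
```

The divergence shows up only at the low edge of the frame, because both checks share the same upper bound (`rsp`); the window the buggy check misses is exactly `FAILSAFE_EXTRA * SLOT_BYTES` bytes, which is why the count comes out at 4 for the failsafe kind and 0 for the ordinary one.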
8086tiny Small style fixups 2014-09-10 21:34:50 -03:00
aqemu aqemu: init at 0.9.2 2017-02-10 12:48:29 +01:00
bochs treewide: explicitly specify gtk and related package versions 2016-09-12 18:26:06 +03:00
cbfstool cbfstool: git-2015-07-09 -> 4.5 2016-10-22 21:07:33 +03:00
containerd containerd: use removeReferencesTo 2017-03-11 15:17:32 +01:00
docker docker-proxy: remove go references 2017-05-17 22:14:34 +01:00
docker-distribution docker-distribution: 2.5.1 -> 2.6.0 2017-04-04 21:01:27 -04:00
driver Virtualization: add XEN/KVM related drivers for Windows 2015-07-04 00:14:05 +02:00
ecs-agent ecs-agent: init at 1.14.0 2017-02-10 04:33:48 +00:00
lkl lkl: split outputs 2017-05-24 01:07:26 +02:00
open-vm-tools open-vm-tools: fixup build with glibc-2.25 2017-02-22 16:54:07 +01:00
openstack Python: replace requests2 with requests tree-wide 2017-05-07 12:56:09 +02:00
OVMF OVMF: fix build 2017-05-29 12:21:17 +02:00
qboot qboot: turn off stackprotector and pic hardening 2016-04-03 11:41:30 +00:00
qemu qemu: 2.8.1 -> 2.9.0 2017-04-23 14:20:48 +02:00
rancher-compose rancher-compose: set version during build 2016-10-22 14:40:30 +02:00
remotebox remotebox: 2.1 -> 2.2 2016-11-09 02:24:46 +01:00
rkt rkt: 1.25.0 -> 1.26.0 2017-05-25 18:13:54 -04:00
runc runc: use removeReferencesTo 2017-03-11 15:17:36 +01:00
seabios Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-03 13:34:44 +00:00
singularity singularity: init 2.2 2016-11-15 09:11:53 +11:00
spice-vdagent spice-vdagent: 0.16.0 -> 0.17.0 2016-09-26 08:20:04 -04:00
tini docker: 1.12.6 -> 1.13.0 2017-01-18 21:33:37 +01:00
virt-manager virtmanager: Fix python import error 2017-06-05 23:42:25 +09:00
virt-top virt-top: init at 1.0.8 (#21536) 2017-02-04 16:07:45 +01:00
virt-viewer libvirt packages: fix & clean up dependencies 2017-03-28 19:45:01 +02:00
virtinst virtinst: do not depend on glanceclient 2017-05-07 10:02:33 +02:00
virtualbox virtualbox: a more maintenance-free way of patching refs to dlopen()-affected dependencies 2017-03-28 01:32:11 +03:00
xen xen: patch for XSAs: 206, 211, 212, 213, 214 and 215 2017-06-09 13:09:01 +00:00
xhyve xhyve: update and fix to use our Hypervisor framework 2017-03-14 22:38:35 -04:00