Add xen-4.2.1-r1 and patches

Package-Manager: portage-2.1.11.40
author: Ian Delaney <della5@iinet.com.au> 2013-02-12 21:30:39 +0800
committer: Ian Delaney <della5@iinet.com.au> 2013-02-12 21:30:39 +0800
commit: 354b9c76006432cc0b64b5b148bc420ae4dd666c (patch)
tree: c58cecc82fbff80646fea48da4585dfb6a5d47e4
parent: drop xen-pvgrub-4.2.0 (diff)
download: virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.tar.gz
virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.tar.bz2
virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.zip
6 files changed, 272 insertions, 0 deletions
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index e0a06e3..ddf30d9 100644
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -1 +1,2 @@
 DIST xen-4.2.0.tar.gz 15587687 SHA256 43f4a086e4e0330145a27b7ace8365c42b5afbc95cefadafe067be91bd3e5cfb SHA512 4fb56c79d722fb307bc657f16d02079c6636427e7650c4354193632d38d2d1db8e588f844ff0ca6e757c108ed639a528565ec9fc7c00bb4d5b6fbc9d122d8a70 WHIRLPOOL 369a109375864cb61920b56cf501522051d28513e738f0fd0e7b76244c3e08a8a0a6ff6cf245872d9bbd9c0f22c7da76c9cbc0f852bad6108ca25fd42dc677c0
+DIST xen-4.2.1.tar.gz 15593695 SHA256 fb8df5827ce3e2d2d3b078d9e5afde502beb5e7ab9442e51a94087061bd450c6 SHA512 fe27a965e2b34035bd025482eda9fc4d4e82523c929323fd30813367d5ffbe2fa1ed3d7d4479f2632e8b5625972448b7bd6a7768e8dc1dcd1b6747d281cc1a9e WHIRLPOOL 226bbed059541e804f1a44e721023ffbc04bae43000653b1d7d6a9bfec0d9efbf7a48b1b0a7ad3fcb8e34f8b91e1c620c2a8eddf97baad487e9db37d49a58f37
diff --git a/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch
new file mode 100644
index 0000000..20342ec
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2012-5634-XSA-33.patch
@@ -0,0 +1,18 @@
+VT-d: fix interrupt remapping source validation for devices behind legacy bridges 
+Using SVT_VERIFY_BUS here doesn't make sense; 
+
+native Linux also uses SVT_VERIFY_SID_SQ here instead. 
+This is XSA-33 / CVE-2012-5634. 
+Signed-off-by: Jan Beulich <jbeulich@suse.com> 
+
+--- xen/drivers/passthrough/vtd/intremap.c 
++++ xen/drivers/passthrough/vtd/intremap.c 
+@@ -466,7 +466,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
+                  set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, 
+                              (bus << 8) | pdev->bus);
+             else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+-                set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
++                set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
+                             PCI_BDF2(bus, devfn));
+         }
+         break; 
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch
new file mode 100644
index 0000000..f074fa6
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2013-0151-XSA-34_35.patch
@@ -0,0 +1,70 @@
+commit 66141b2e068fa39f28bdda6be05882e323663687
+Author: Michael Young 
+Date:   Tue Jan 22 22:22:10 2013 +0000
+
+    Security fix from nested virtualization CVE-2013-0151,
+    restore status option to xend which is used by libvirt
+#diff --git a/xsa34-4.2.patch b/xsa34-4.2.patch
+#new file mode 100644
+#index 0000000..f5328ef
+#--- /dev/null
+#+++ xsa34-4.2.patch
+#@@ -0,0 +1,30 @@
+#+x86_32: don't allow use of nested HVM
+#+
+#+There are (indirect) uses of map_domain_page() in the nested HVM code
+#+that are unsafe when not just using the 1:1 mapping.
+#+
+#+This is XSA-34 / CVE-2013-0151.
+#+
+#+Signed-off-by: Jan Beulich 
+#+
+#diff --git a/xsa35-4.2-with-xsa34.patch b/xsa35-4.2-with-xsa34.patch
+#new file mode 100644
+#index 0000000..28c6171
+#--- /dev/null
+#+++ xsa35-4.2-with-xsa34.patch
+#@@ -0,0 +1,24 @@
+#+xen: Do not allow guests to enable nested HVM on themselves
+#+
+#+There is no reason for this and doing so exposes a memory leak to
+#+guests. Only toolstacks need write access to this HVM param.
+#+
+#+This is XSA-35 / CVE-2013-0152.
+#+
+#+Signed-off-by: Ian Campbell 
+#+Acked-by: Jan Beulich 
+#+
+--- xen/arch/x86/hvm/hvm.c
++++ xen/arch/x86/hvm/hvm.c
+@@ -3858,6 +3858,11 @@
+                     rc = -EINVAL;
+                 break;
+             case HVM_PARAM_NESTEDHVM:
++                if ( !IS_PRIV(current->domain) )
++                {
++                    rc = -EPERM;
++                    break;
++                }
+                 if ( a.value > 1 )
+                     rc = -EINVAL;
+                 if ( !is_hvm_domain(d) )
+@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                     rc = -EINVAL;
+                 break;
+             case HVM_PARAM_NESTEDHVM:
++#ifdef __i386__
++                if ( a.value )
++                    rc = -EINVAL;
++#else
+                 if ( a.value > 1 )
+                     rc = -EINVAL;
+                 if ( !is_hvm_domain(d) )
+@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                     for_each_vcpu(d, v)
+                         if ( rc == 0 )
+                             rc = nestedhvm_vcpu_initialise(v);
++#endif
+                 break;
+             case HVM_PARAM_BUFIOREQ_EVTCHN:
+                 rc = -EINVAL;
diff --git a/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch
new file mode 100644
index 0000000..bb43acd
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-CVE-2013-0154-XSA-37.patch
@@ -0,0 +1,23 @@
+x86: fix assertion in get_page_type()
+
+c/s 22998:e9fab50d7b61 (and immediately following ones) made it
+possible that __get_page_type() returns other than -EINVAL, in
+particular -EBUSY. Consequently, the assertion in get_page_type()
+should check for only the return values we absolutely don't expect to
+see there.
+
+This is XSA-37 / CVE-2013-0154.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/arch/x86/mm.c
++++ xen/arch/x86/mm.c
+@@ -2586,7 +2586,7 @@ int get_page_type(struct page_info *page
+     int rc = __get_page_type(page, type, 0);
+     if ( likely(rc == 0) )
+         return 1;
+-    ASSERT(rc == -EINVAL);
++    ASSERT(rc != -EINTR && rc != -EAGAIN);
+     return 0;
+ }
+
diff --git a/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
new file mode 100644
index 0000000..c0dbd20
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-fix_dotconfig-gcc.patch
@@ -0,0 +1,37 @@
+# Fix gcc-4.6
+diff -ur xen-4.2.0.orig/extras/mini-os/minios.mk xen-4.2.0/extras/mini-os/minios.mk
+--- extras/mini-os/minios.mk	2012-09-17 18:21:17.000000000 +0800
++++ extras/mini-os/minios.mk	2012-12-05 14:01:10.653260260 +0800
+@@ -6,7 +6,7 @@
+ 
+ # Define some default flags.
+ # NB. '-Wcast-qual' is nasty, so I omitted it.
+-DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls
++DEF_CFLAGS += -fno-builtin -Wall -Wredundant-decls -Wno-format -Wno-redundant-decls
+ DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,)
+ DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline)
+ DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline
+diff -ur xen-4.2.0.orig/tools/libxc/Makefile xen-4.2.0/tools/libxc/Makefile
+--- tools/libxc/Makefile       2012-09-17 18:21:18.000000000 +0800
++++ tools/libxc/Makefile       2012-12-05 14:01:10.653260260 +0800
+@@ -73,7 +73,7 @@
+
+ -include $(XEN_TARGET_ARCH)/Makefile
+
+-CFLAGS   += -Werror -Wmissing-prototypes
++CFLAGS   += -Wmissing-prototypes
+ CFLAGS   += -I. $(CFLAGS_xeninclude)
+
+ # Needed for posix_fadvise64() in xc_linux.c
+# Drop .config
+diff -ur xen-4.2.0.orig/Config.mk xen-4.2.0/Config.mk
+--- Config.mk	2012-09-17 18:23:12.000000000 +0800
++++ Config.mk	2012-12-05 14:01:10.641260261 +0800
+@@ -7,7 +7,6 @@
+ # fallback for older make
+ realpath = $(wildcard $(foreach file,$(1),$(shell cd -P $(dir $(file)) && echo "$$PWD/$(notdir $(file))")))
+ 
+--include $(XEN_ROOT)/.config
+ 
+ # A debug build of Xen and tools?
+ debug ?= n
diff --git a/app-emulation/xen/xen-4.2.1-r1.ebuild b/app-emulation/xen/xen-4.2.1-r1.ebuild
new file mode 100644
index 0000000..b3d3a88
--- /dev/null
+++ b/app-emulation/xen/xen-4.2.1-r1.ebuild
@@ -0,0 +1,123 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.1-r1.ebuild,v 1.2 2013/01/31 15:43:53 idella4 Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_6,2_7} )
+
+if [[ $PV == *9999 ]]; then
+	KEYWORDS=""
+	REPO="xen-unstable.hg"
+	EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+	S="${WORKDIR}/${REPO}"
+	live_eclass="mercurial"
+else
+	KEYWORDS="~amd64 ~x86"
+	SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-single-r1 toolchain-funcs ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug flask pae xsm"
+
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="
+	flask? ( xsm )
+	"
+
+pkg_setup() {
+	python-single-r1_pkg_setup
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use x86 && use amd64; then
+			die "Confusion! Both x86 and amd64 are set in your use flags!"
+		elif use x86; then
+			export XEN_TARGET_ARCH="x86_32"
+		elif use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use flask ; then
+		export "XSM_ENABLE=y"
+		export "FLASK_ENABLE=y"
+	elif use xsm ; then
+		export "XSM_ENABLE=y"
+	fi
+}
+
+src_prepare() {
+	# Drop .config and fix gcc-4.6
+	epatch  "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch
+
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \; || die "failed to re-set custom-cflags"
+	fi
+
+	# not strictly necessary to fix this
+	sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+	#Security patches
+	epatch "${FILESDIR}"/${PN}-4-CVE-2012-5634-XSA-33.patch \
+                "${FILESDIR}"/${PN}-4-CVE-2013-0151-XSA-34_35.patch \
+                "${FILESDIR}"/${PN}-4-CVE-2013-0154-XSA-37.patch
+}
+
+src_configure() {
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+	fi
+}
+
+src_compile() {
+	# Send raw LDFLAGS so that --as-needed works
+	emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)"  -C xen ${myopt}
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	if use pae; then
+		echo
+		ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+	fi
+}
author	Ian Delaney <della5@iinet.com.au>	2013-02-12 21:30:39 +0800
committer	Ian Delaney <della5@iinet.com.au>	2013-02-12 21:30:39 +0800
commit	354b9c76006432cc0b64b5b148bc420ae4dd666c (patch)
tree	c58cecc82fbff80646fea48da4585dfb6a5d47e4
parent	drop xen-pvgrub-4.2.0 (diff)
download	virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.tar.gz virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.tar.bz2 virtualization-354b9c76006432cc0b64b5b148bc420ae4dd666c.zip