Xen devel - Oct 2013 - xen-CVE-2013-1442-XSA-62.patch

I am confused.

http://xenbits.xen.org/xsa/advisory-62.html says 

"Applying the attached patch resolves this issue.

xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
"
        #Security patches
        epatch "${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch
\
                "${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch \
                "${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch \
                "${FILESDIR}"/${PN}-CVE-2013-4355-XSA-63.patch \
                "${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch \
                "${FILESDIR}"/${PN}-CVE-2013-1442-XSA-62.patch

in the ebuild yields

* Applying
  xen-4.2-2013-2076-XSA-52to54.patch ...
  [ ok ]
 * Applying
  xen-4.2-CVE-2013-1432-XSA-58.patch ...
  [ ok ]
 * Applying
  xen-CVE-2013-4355-XSA-63.patch ...
  [ ok ]
 * Applying
  xen-CVE-2013-4361-XSA-66.patch ...
  [ ok ]
 * Applying xen-CVE-2013-1442-XSA-62.patch ...

 * Failed Patch: xen-CVE-2013-1442-XSA-62.patch !
 *
   (
/home/testuser/cvsPortage/gentoo-x86/app-emulation/xen/files/xen-CVE-2013-1442-XSA-62.patch
   )
 * 
 * Include in your bugreport the contents of:
 * 
 *  
/mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.2-r2/temp/xen-CVE-2013-1442-XSA-62.patch.out

 * ERROR: app-emulation/xen-4.2.2-r2::gentoo failed (prepare phase):
 *   Failed Patch: xen-CVE-2013-1442-XSA-62.patch!

and int handle_xsetbv does not appear in 
xen-4.2.2/xen/arch/x86/xstate.c

Does it really apply to 4.2.x????

--  kind regards

Ian Delaney

On 02/10/13 17:47, IAN DELANEY wrote:
> I am confused.
>
> http://xenbits.xen.org/xsa/advisory-62.html says 
>
> "Applying the attached patch resolves this issue.
>
> xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
> "
>         #Security patches
>         epatch
"${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch \
>                
"${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch \
>                
"${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch \
>                 "${FILESDIR}"/${PN}-CVE-2013-4355-XSA-63.patch \
>                 "${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch \
>                 "${FILESDIR}"/${PN}-CVE-2013-1442-XSA-62.patch
>
> in the ebuild yields
>
> * Applying
>   xen-4.2-2013-2076-XSA-52to54.patch ...
>   [ ok ]
>  * Applying
>   xen-4.2-CVE-2013-1432-XSA-58.patch ...
>   [ ok ]
>  * Applying
>   xen-CVE-2013-4355-XSA-63.patch ...
>   [ ok ]
>  * Applying
>   xen-CVE-2013-4361-XSA-66.patch ...
>   [ ok ]
>  * Applying xen-CVE-2013-1442-XSA-62.patch ...
>
>  * Failed Patch: xen-CVE-2013-1442-XSA-62.patch !
>  *
>    (
/home/testuser/cvsPortage/gentoo-x86/app-emulation/xen/files/xen-CVE-2013-1442-XSA-62.patch
>    )
>  * 
>  * Include in your bugreport the contents of:
>  * 
>  *  
/mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.2-r2/temp/xen-CVE-2013-1442-XSA-62.patch.out
>
>  * ERROR: app-emulation/xen-4.2.2-r2::gentoo failed (prepare phase):
>  *   Failed Patch: xen-CVE-2013-1442-XSA-62.patch!
>
> and int handle_xsetbv does not appear in 
> xen-4.2.2/xen/arch/x86/xstate.c
>
> Does it really apply to 4.2.x????
>
> --  kind regards
>
> Ian Delaney
It applies to 4.2-stable/staging.  It does however have functional and
textural dependencies on several of the recent backports into that tree,
so if your base tree is not very up to date, you have some extra
backports to do.  (Which is a good thing really, as xsave was
functionally broken before)

~Andrew

Op woensdag 2 oktober 2013 17:59:05 schreef Andrew
Cooper:
> On 02/10/13 17:47, IAN DELANEY wrote:
> > I am confused.
> > 
> > http://xenbits.xen.org/xsa/advisory-62.html says
> > 
> > "Applying the attached patch resolves this issue.
> > 
> > xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
> > "
> > 
> >         #Security patches
> >         epatch
"${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch \
> >         
> >                
"${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch \
> >                
"${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch \
> >                
"${FILESDIR}"/${PN}-CVE-2013-4355-XSA-63.patch \
> >                
"${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch \
> >                
"${FILESDIR}"/${PN}-CVE-2013-1442-XSA-62.patch
> > 
> > in the ebuild yields
> > 
> > * Applying
> > 
> >   xen-4.2-2013-2076-XSA-52to54.patch ...
> >   [ ok ]
> >  
> >  * Applying
> >  
> >   xen-4.2-CVE-2013-1432-XSA-58.patch ...
> >   [ ok ]
> >  
> >  * Applying
> >  
> >   xen-CVE-2013-4355-XSA-63.patch ...
> >   [ ok ]
> >  
> >  * Applying
> >  
> >   xen-CVE-2013-4361-XSA-66.patch ...
> >   [ ok ]
> >  
> >  * Applying xen-CVE-2013-1442-XSA-62.patch ...
> >  
> >  * Failed Patch: xen-CVE-2013-1442-XSA-62.patch !
> >  *
> >  
> >    (
> >   
/home/testuser/cvsPortage/gentoo-x86/app-emulation/xen/files/xen-CVE-2
> >    013-1442-XSA-62.patch )
> >  
> >  *
> >  * Include in your bugreport the contents of:
> >  *
> >  *  
> > 
/mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.2-r2/temp/xen-CVE-2013-14
> >  42-XSA-62.patch.out
> >  
> >  * ERROR: app-emulation/xen-4.2.2-r2::gentoo failed (prepare phase):
> >  *   Failed Patch: xen-CVE-2013-1442-XSA-62.patch!
> > 
> > and int handle_xsetbv does not appear in
> > xen-4.2.2/xen/arch/x86/xstate.c
> > 
> > Does it really apply to 4.2.x????
> > 
> > --  kind regards
> > 
> > Ian Delaney
> 
> It applies to 4.2-stable/staging.  It does however have functional and
> textural dependencies on several of the recent backports into that tree,
> so if your base tree is not very up to date, you have some extra
> backports to do.  (Which is a good thing really, as xsave was
> functionally broken before)
I have the same issue, i have the released 4.2.1 in our stable Mageia 3 
release, and i keep this up2date with security releases, however, this is the 
only patch that fails to apply... skipping this patch makes all the others 
work, however, i now have a security issues since XSA 62 doesn''t
apply...

any idea?

On 02/10/13 19:39, AL13N wrote:
> Op woensdag 2 oktober 2013 17:59:05 schreef Andrew Cooper:
>> On 02/10/13 17:47, IAN DELANEY wrote:
>>> I am confused.
>>>
>>> http://xenbits.xen.org/xsa/advisory-62.html says
>>>
>>> "Applying the attached patch resolves this issue.
>>>
>>> xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
>>> "
>>>
>>>         #Security patches
>>>         epatch
"${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch \
>>>         
>>>                
"${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch \
>>>                
"${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch \
>>>                
"${FILESDIR}"/${PN}-CVE-2013-4355-XSA-63.patch \
>>>                
"${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch \
>>>                
"${FILESDIR}"/${PN}-CVE-2013-1442-XSA-62.patch
>>>
>>> in the ebuild yields
>>>
>>> * Applying
>>>
>>>   xen-4.2-2013-2076-XSA-52to54.patch ...
>>>   [ ok ]
>>>  
>>>  * Applying
>>>  
>>>   xen-4.2-CVE-2013-1432-XSA-58.patch ...
>>>   [ ok ]
>>>  
>>>  * Applying
>>>  
>>>   xen-CVE-2013-4355-XSA-63.patch ...
>>>   [ ok ]
>>>  
>>>  * Applying
>>>  
>>>   xen-CVE-2013-4361-XSA-66.patch ...
>>>   [ ok ]
>>>  
>>>  * Applying xen-CVE-2013-1442-XSA-62.patch ...
>>>  
>>>  * Failed Patch: xen-CVE-2013-1442-XSA-62.patch !
>>>  *
>>>  
>>>    (
>>>   
/home/testuser/cvsPortage/gentoo-x86/app-emulation/xen/files/xen-CVE-2
>>>    013-1442-XSA-62.patch )
>>>  
>>>  *
>>>  * Include in your bugreport the contents of:
>>>  *
>>>  *  
>>> 
/mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.2-r2/temp/xen-CVE-2013-14
>>>  42-XSA-62.patch.out
>>>  
>>>  * ERROR: app-emulation/xen-4.2.2-r2::gentoo failed (prepare
phase):
>>>  *   Failed Patch: xen-CVE-2013-1442-XSA-62.patch!
>>>
>>> and int handle_xsetbv does not appear in
>>> xen-4.2.2/xen/arch/x86/xstate.c
>>>
>>> Does it really apply to 4.2.x????
>>>
>>> --  kind regards
>>>
>>> Ian Delaney
>> It applies to 4.2-stable/staging.  It does however have functional and
>> textural dependencies on several of the recent backports into that
tree,
>> so if your base tree is not very up to date, you have some extra
>> backports to do.  (Which is a good thing really, as xsave was
>> functionally broken before)
> I have the same issue, i have the released 4.2.1 in our stable Mageia 3 
> release, and i keep this up2date with security releases, however, this is
the
> only patch that fails to apply... skipping this patch makes all the others 
> work, however, i now have a security issues since XSA 62 doesn''t
apply...
>
> any idea?
You have a few options

1) Unconditionally force xsave off.  It is at the very least buggy if
you are missing the patches causing your patch application problems.

2) Backport the xsave patches as well. 
http://xenbits.xen.org/gitweb/?p=xen.git;a=history;f=xen/arch/x86/xstate.c;hb=12b0ee04a16194f064d5b895a844fcdc6414bfc0
should give you a good idea of the patches. 
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0bda88abe18029c2bbe9dc5d07cc706bd775c9b7
is probably the main patch needed.

3) Rework the security patch yourself using
0bda88abe18029c2bbe9dc5d07cc706bd775c9b7 as a reference of where and how
to patch in arch/x86/traps.c


I highly recommend option 2.

~Andrew

Op woensdag 2 oktober 2013 19:53:06 schreef Andrew Cooper:
[...]
> You have a few options
> 
> 1) Unconditionally force xsave off.  It is at the very least buggy if
> you are missing the patches causing your patch application problems.
i can do this programmatorically, so that noone in Mageia 3 will be able to 
use it?

does this mean xsave has been buggy on the released 4.2.1 in any case?
> 2) Backport the xsave patches as well.
>
http://xenbits.xen.org/gitweb/?p=xen.git;a=history;f=xen/arch/x86/xstate.c;h
> b=12b0ee04a16194f064d5b895a844fcdc6414bfc0 should give you a good idea of
> the patches.
>
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0bda88abe18029c2bbe9
> dc5d07cc706bd775c9b7 is probably the main patch needed.
> 
> 3) Rework the security patch yourself using
> 0bda88abe18029c2bbe9dc5d07cc706bd775c9b7 as a reference of where and how
> to patch in arch/x86/traps.c
> 
> 
> I highly recommend option 2.
thanks for the quick assistance

On 02/10/13 20:12, AL13N wrote:
> Op woensdag 2 oktober 2013 19:53:06 schreef Andrew Cooper:
> [...]
>> You have a few options
>>
>> 1) Unconditionally force xsave off.  It is at the very least buggy if
>> you are missing the patches causing your patch application problems.
> i can do this programmatorically, so that noone in Mageia 3 will be able to
> use it?
>
> does this mean xsave has been buggy on the released 4.2.1 in any case?
Xsave support in Xen has been buggy on all releases, with the final
fixes only appearing very recently.  The upcoming 4.3.1 release is I
believe the first formal Xen release where xsave support is supposedly
fixed.

If you want to disable xsave, then you need to play with "use_xsave"
in
xen/arch/x86/cpu/common.c

However, if anyone has VMs using xsave, this change in a security update
will break the VM on live migrate.
>
>> 2) Backport the xsave patches as well.
>>
http://xenbits.xen.org/gitweb/?p=xen.git;a=history;f=xen/arch/x86/xstate.c;h
>> b=12b0ee04a16194f064d5b895a844fcdc6414bfc0 should give you a good idea
of
>> the patches.
>>
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0bda88abe18029c2bbe9
>> dc5d07cc706bd775c9b7 is probably the main patch needed.
>>
>> 3) Rework the security patch yourself using
>> 0bda88abe18029c2bbe9dc5d07cc706bd775c9b7 as a reference of where and
how
>> to patch in arch/x86/traps.c
>>
>>
>> I highly recommend option 2.
> thanks for the quick assistance
As I said, option 2 is the only reasonable solution to this problem
which wont cause regressions for users, and has a side effect of making
xsave actually work.

~Andrew