diff --git a/patches.rpmify/makefile-after_link.patch b/patches.rpmify/makefile-after_link.patch index ab738c6..9ad4744 100644 --- a/patches.rpmify/makefile-after_link.patch +++ b/patches.rpmify/makefile-after_link.patch @@ -70,8 +70,8 @@ index 6cc9478..94fb536 100644 # actual build commands quiet_cmd_vdso32ld = VDSO32L $@ -- cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ -+ cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ \ +- cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ ++ cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ \ + $(if $(AFTER_LINK),; $(AFTER_LINK)) quiet_cmd_vdso32as = VDSO32A $@ cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $< @@ -84,8 +84,8 @@ index 2d54c18..a0e3e9d 100644 # actual build commands quiet_cmd_vdso64ld = VDSO64L $@ -- cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ -+ cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ \ +- cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ ++ cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ \ + $(if $(AFTER_LINK),; $(AFTER_LINK)) quiet_cmd_vdso64as = VDSO64A $@ cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $< diff --git a/patches.xen/xsa270.patch b/patches.xen/xsa270.patch deleted file mode 100644 index 93b0655..0000000 --- a/patches.xen/xsa270.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Jan Beulich -Subject: xen-netback: fix input validation in xenvif_set_hash_mapping() - -Both len and off are frontend specified values, so we need to make -sure there's no overflow when adding the two for the bounds check. We -also want to avoid undefined behavior and hence use off to index into -->hash.mapping[] only after bounds checking. This at the same time -allows to take care of not applying off twice for the bounds checking -against vif->num_queues. - -It is also insufficient to bounds check copy_op.len, as this is len -truncated to 16 bits. - -This is XSA-270. - -Signed-off-by: Jan Beulich -Reviewed-by: Paul Durrant -Tested-by: Paul Durrant - ---- a/drivers/net/xen-netback/hash.c -+++ b/drivers/net/xen-netback/hash.c -@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct - u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, - u32 off) - { -- u32 *mapping = &vif->hash.mapping[off]; -+ u32 *mapping = vif->hash.mapping; - struct gnttab_copy copy_op = { - .source.u.ref = gref, - .source.domid = vif->domid, -- .dest.u.gmfn = virt_to_gfn(mapping), - .dest.domid = DOMID_SELF, -- .dest.offset = xen_offset_in_page(mapping), -- .len = len * sizeof(u32), -+ .len = len * sizeof(*mapping), - .flags = GNTCOPY_source_gref - }; - -- if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE) -+ if ((off + len < off) || (off + len > vif->hash.size) || -+ len > XEN_PAGE_SIZE / sizeof(*mapping)) - return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; - -+ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off); -+ copy_op.dest.offset = xen_offset_in_page(mapping + off); -+ - while (len-- != 0) - if (mapping[off++] >= vif->num_queues) - return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; diff --git a/series.conf b/series.conf index 5dfb2c1..400d801 100644 --- a/series.conf +++ b/series.conf @@ -18,7 +18,6 @@ patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to- patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch -patches.xen/xsa270.patch # MSI-X enabled device passthrough fix (#1734) patches.xen/pci_op-cleanup.patch diff --git a/version b/version index 0cababa..78dcd95 100644 --- a/version +++ b/version @@ -1 +1 @@ -4.14.74 +4.14.103