diff options
-rw-r--r-- | system/xen/dom0/config-5.15.139-xen.x86_64 (renamed from system/xen/dom0/config-5.15.94-xen.x86_64) | 29 | ||||
-rw-r--r-- | system/xen/dom0/kernel-xen.sh | 4 | ||||
-rw-r--r-- | system/xen/domU/domU.sh | 2 | ||||
-rw-r--r-- | system/xen/patches/edk2-ovmf-202105-werror.patch | 38 | ||||
-rw-r--r-- | system/xen/patches/edk2-ovmf-werror.diff | 34 | ||||
-rw-r--r-- | system/xen/patches/qemu-remove-password-option-for-spice.patch | 123 | ||||
-rw-r--r-- | system/xen/patches/symlinks_instead_of_hardlinks.diff | 21 | ||||
-rw-r--r-- | system/xen/xen.SlackBuild | 17 | ||||
-rw-r--r-- | system/xen/xen.info | 18 | ||||
-rw-r--r-- | system/xen/xsa/xsa437.patch | 110 |
10 files changed, 197 insertions, 199 deletions
diff --git a/system/xen/dom0/config-5.15.94-xen.x86_64 b/system/xen/dom0/config-5.15.139-xen.x86_64 index a84c93e24e4da..b5c74fb8ff28e 100644 --- a/system/xen/dom0/config-5.15.94-xen.x86_64 +++ b/system/xen/dom0/config-5.15.139-xen.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.15.94 Kernel Configuration +# Linux/x86 5.15.139 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y @@ -18,6 +18,7 @@ CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y CONFIG_CC_HAS_ASM_INLINE=y CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y +CONFIG_PAHOLE_VERSION=0 CONFIG_IRQ_WORK=y CONFIG_BUILDTIME_TABLE_SORT=y CONFIG_THREAD_INFO_IN_TASK=y @@ -442,7 +443,7 @@ CONFIG_I8K=m CONFIG_MICROCODE=y CONFIG_MICROCODE_INTEL=y CONFIG_MICROCODE_AMD=y -CONFIG_MICROCODE_OLD_INTERFACE=y +# CONFIG_MICROCODE_LATE_LOADING is not set CONFIG_X86_MSR=y CONFIG_X86_CPUID=y # CONFIG_X86_5LEVEL is not set @@ -525,6 +526,8 @@ CONFIG_RETHUNK=y CONFIG_CPU_UNRET_ENTRY=y CONFIG_CPU_IBPB_ENTRY=y CONFIG_CPU_IBRS_ENTRY=y +CONFIG_CPU_SRSO=y +# CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y @@ -756,6 +759,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_ARCH_WANTS_NO_INSTR=y @@ -1517,13 +1521,6 @@ CONFIG_IP6_NF_TARGET_NPT=m # end of IPv6: Netfilter Configuration CONFIG_NF_DEFRAG_IPV6=m - -# -# DECnet: Netfilter Configuration -# -# CONFIG_DECNET_NF_GRABULATOR is not set -# end of DECnet: Netfilter Configuration - CONFIG_NF_TABLES_BRIDGE=m CONFIG_NFT_BRIDGE_META=m CONFIG_NFT_BRIDGE_REJECT=m @@ -1627,8 +1624,6 @@ CONFIG_NET_DSA_TAG_XRS700X=m CONFIG_VLAN_8021Q=m CONFIG_VLAN_8021Q_GVRP=y CONFIG_VLAN_8021Q_MVRP=y -CONFIG_DECNET=m -# CONFIG_DECNET_ROUTER is not set CONFIG_LLC=m CONFIG_LLC2=m CONFIG_ATALK=m @@ -1703,14 +1698,11 @@ CONFIG_NET_SCH_ETS=m # CONFIG_NET_CLS=y CONFIG_NET_CLS_BASIC=m -CONFIG_NET_CLS_TCINDEX=m CONFIG_NET_CLS_ROUTE4=m CONFIG_NET_CLS_FW=m CONFIG_NET_CLS_U32=m # CONFIG_CLS_U32_PERF is not set CONFIG_CLS_U32_MARK=y -CONFIG_NET_CLS_RSVP=m -CONFIG_NET_CLS_RSVP6=m CONFIG_NET_CLS_FLOW=m CONFIG_NET_CLS_CGROUP=y CONFIG_NET_CLS_BPF=m @@ -2528,7 +2520,6 @@ CONFIG_BLK_DEV_CRYPTOLOOP=m CONFIG_BLK_DEV_DRBD=m # CONFIG_DRBD_FAULT_INJECTION is not set CONFIG_BLK_DEV_NBD=m -CONFIG_BLK_DEV_SX8=m CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=16384 @@ -8173,9 +8164,10 @@ CONFIG_AMILO_RFKILL=m CONFIG_FUJITSU_LAPTOP=m CONFIG_FUJITSU_TABLET=m CONFIG_GPD_POCKET_FAN=m +CONFIG_X86_PLATFORM_DRIVERS_HP=y CONFIG_HP_ACCEL=m -CONFIG_WIRELESS_HOTKEY=m CONFIG_HP_WMI=m +CONFIG_WIRELESS_HOTKEY=m CONFIG_IBM_RTL=m CONFIG_IDEAPAD_LAPTOP=m CONFIG_SENSORS_HDAPS=m @@ -8572,6 +8564,11 @@ CONFIG_XILINX_XADC=m # end of Analog to digital converters # +# Analog to digital and digital to analog converters +# +# end of Analog to digital and digital to analog converters + +# # Analog Front Ends # # end of Analog Front Ends diff --git a/system/xen/dom0/kernel-xen.sh b/system/xen/dom0/kernel-xen.sh index 17a79170b502c..0741ee7ce9216 100644 --- a/system/xen/dom0/kernel-xen.sh +++ b/system/xen/dom0/kernel-xen.sh @@ -5,8 +5,8 @@ # Written by Chris Abela <chris.abela@maltats.com>, 20100515 # Modified by Mario Preksavec <mario@slackware.hr> -KERNEL=${KERNEL:-5.15.94} -XEN=${XEN:-4.17.1} +KERNEL=${KERNEL:-5.15.139} +XEN=${XEN:-4.18.0} ROOTMOD=${ROOTMOD:-ext4} ROOTFS=${ROOTFS:-ext4} diff --git a/system/xen/domU/domU.sh b/system/xen/domU/domU.sh index 9df7b99008e72..4b167fc63a627 100644 --- a/system/xen/domU/domU.sh +++ b/system/xen/domU/domU.sh @@ -7,7 +7,7 @@ set -e -KERNEL=${KERNEL:-5.15.94} +KERNEL=${KERNEL:-5.15.139} # Build an image for the root file system and another for the swap # Default values : 8GB and 500MB resepectively. diff --git a/system/xen/patches/edk2-ovmf-202105-werror.patch b/system/xen/patches/edk2-ovmf-202105-werror.patch deleted file mode 100644 index db71faed77286..0000000000000 --- a/system/xen/patches/edk2-ovmf-202105-werror.patch +++ /dev/null @@ -1,38 +0,0 @@ -diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template -index 498696e..8a360f4 100755 ---- a/BaseTools/Conf/tools_def.template -+++ b/BaseTools/Conf/tools_def.template -@@ -1863,7 +1863,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink=$(DEBUG_DIR)/$(MODULE_N - *_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
- *_*_*_DTC_PATH = DEF(DTC_BIN)
-
--DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
-+DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Wno-array-bounds -include AutoGen.h -fno-common
- DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe
- DEFINE GCC_X64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-address -mno-stack-arg-probe
- DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie
-diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile -index 0df728f..49f9706 100644 ---- a/BaseTools/Source/C/Makefiles/header.makefile -+++ b/BaseTools/Source/C/Makefiles/header.makefile -@@ -82,17 +82,17 @@ BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS) -
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
-+BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall \
- -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
- else
- ifeq ($(CXX), llvm)
- BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
---fno-delete-null-pointer-checks -Wall -Werror \
-+-fno-delete-null-pointer-checks -Wall \
- -Wno-deprecated-declarations -Wno-self-assign \
- -Wno-unused-result -nostdlib -g
- else
- BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
---fno-delete-null-pointer-checks -Wall -Werror \
-+-fno-delete-null-pointer-checks -Wall \
- -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
- -Wno-unused-result -nostdlib -g
- endif
diff --git a/system/xen/patches/edk2-ovmf-werror.diff b/system/xen/patches/edk2-ovmf-werror.diff new file mode 100644 index 0000000000000..49915c25c9498 --- /dev/null +++ b/system/xen/patches/edk2-ovmf-werror.diff @@ -0,0 +1,34 @@ +--- xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Conf/tools_def.template.ORIG 2023-05-24 14:59:54.000000000 +0200 ++++ xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Conf/tools_def.template 2023-12-05 03:34:17.395390728 +0100 +@@ -739,7 +739,7 @@ + *_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
+ *_*_*_DTC_PATH = DEF(DTC_BIN)
+
+-DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
++DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Wno-array-bounds -include AutoGen.h -fno-common
+ DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie
+ DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -fno-plt -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections
+ DEFINE GCC_ARM_CC_XIPFLAGS = -mno-unaligned-access
+--- xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/Makefiles/header.makefile.ORIG 2023-05-24 14:59:54.000000000 +0200 ++++ xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/Makefiles/header.makefile 2023-12-05 03:36:03.531794147 +0100 +@@ -89,17 +89,17 @@ +
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
++CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall \
+ -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
+ else
+ ifneq ($(CLANG),)
+ CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+--fno-delete-null-pointer-checks -Wall -Werror \
++-fno-delete-null-pointer-checks -Wall \
+ -Wno-deprecated-declarations -Wno-self-assign \
+ -Wno-unused-result -nostdlib -g
+ else
+ CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+--fno-delete-null-pointer-checks -Wall -Werror \
++-fno-delete-null-pointer-checks -Wall \
+ -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
+ -Wno-unused-result -nostdlib -g
+ endif
diff --git a/system/xen/patches/qemu-remove-password-option-for-spice.patch b/system/xen/patches/qemu-remove-password-option-for-spice.patch new file mode 100644 index 0000000000000..210d9d99f3309 --- /dev/null +++ b/system/xen/patches/qemu-remove-password-option-for-spice.patch @@ -0,0 +1,123 @@ +From 36debafddd788066be10b33c5f11b984a08e5c85 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Thu, 1 Dec 2022 04:22:11 -0500 +Subject: [PATCH] ui: remove deprecated 'password' option for SPICE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This has been replaced by the 'password-secret' option, +which references a 'secret' object instance. + +Reviewed-by: Fabiano Rosas <farosas@suse.de> +Reviewed-by: Markus Armbruster <armbru@redhat.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> +--- + docs/about/deprecated.rst | 8 -------- + docs/about/removed-features.rst | 7 +++++++ + qemu-options.hx | 9 +-------- + ui/spice-core.c | 15 --------------- + 4 files changed, 8 insertions(+), 31 deletions(-) + +diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst +index d31ffa86d40..2827b0c0beb 100644 +--- a/docs/about/deprecated.rst ++++ b/docs/about/deprecated.rst +@@ -66,14 +66,6 @@ and will cause a warning. + The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on`` + rather than ``delay=off``. + +-``-spice password=string`` (since 6.0) +-'''''''''''''''''''''''''''''''''''''' +- +-This option is insecure because the SPICE password remains visible in +-the process listing. This is replaced by the new ``password-secret`` +-option which lets the password be securely provided on the command +-line using a ``secret`` object instance. +- + ``-smp`` ("parameter=0" SMP configurations) (since 6.2) + ''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst +index 4a84e6174fe..e901637ce5f 100644 +--- a/docs/about/removed-features.rst ++++ b/docs/about/removed-features.rst +@@ -428,6 +428,13 @@ respectively. The actual backend names should be used instead. + Use ``-drive if=pflash`` to configure the OTP device of the sifive_u + RISC-V machine instead. + ++``-spice password=string`` (removed in 8.0) ++''''''''''''''''''''''''''''''''''''''''''' ++ ++This option was insecure because the SPICE password remained visible in ++the process listing. This was replaced by the new ``password-secret`` ++option which lets the password be securely provided on the command ++line using a ``secret`` object instance. + + QEMU Machine Protocol (QMP) commands + ------------------------------------ +diff --git a/qemu-options.hx b/qemu-options.hx +index e79ff4d8fb9..cafd8be8eda 100644 +--- a/qemu-options.hx ++++ b/qemu-options.hx +@@ -2135,7 +2135,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice, + " [,tls-channel=[main|display|cursor|inputs|record|playback]]\n" + " [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n" + " [,sasl=on|off][,disable-ticketing=on|off]\n" +- " [,password=<string>][,password-secret=<secret-id>]\n" ++ " [,password-secret=<secret-id>]\n" + " [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n" + " [,jpeg-wan-compression=[auto|never|always]]\n" + " [,zlib-glz-wan-compression=[auto|never|always]]\n" +@@ -2161,13 +2161,6 @@ SRST + ``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off`` + Force using the specified IP version. + +- ``password=<string>`` +- Set the password you need to authenticate. +- +- This option is deprecated and insecure because it leaves the +- password visible in the process listing. Use ``password-secret`` +- instead. +- + ``password-secret=<secret-id>`` + Set the ID of the ``secret`` object containing the password + you need to authenticate. +diff --git a/ui/spice-core.c b/ui/spice-core.c +index 72f8f1681c6..76f7c2bc3d1 100644 +--- a/ui/spice-core.c ++++ b/ui/spice-core.c +@@ -412,9 +412,6 @@ static QemuOptsList qemu_spice_opts = { + .name = "unix", + .type = QEMU_OPT_BOOL, + #endif +- },{ +- .name = "password", +- .type = QEMU_OPT_STRING, + },{ + .name = "password-secret", + .type = QEMU_OPT_STRING, +@@ -666,20 +663,8 @@ static void qemu_spice_init(void) + } + passwordSecret = qemu_opt_get(opts, "password-secret"); + if (passwordSecret) { +- if (qemu_opt_get(opts, "password")) { +- error_report("'password' option is mutually exclusive with " +- "'password-secret'"); +- exit(1); +- } + password = qcrypto_secret_lookup_as_utf8(passwordSecret, + &error_fatal); +- } else { +- str = qemu_opt_get(opts, "password"); +- if (str) { +- warn_report("'password' option is deprecated and insecure, " +- "use 'password-secret' instead"); +- password = g_strdup(str); +- } + } + + if (tls_port) { +-- +GitLab + diff --git a/system/xen/patches/symlinks_instead_of_hardlinks.diff b/system/xen/patches/symlinks_instead_of_hardlinks.diff index d7cbfb6544716..c4a38e3bc0f9c 100644 --- a/system/xen/patches/symlinks_instead_of_hardlinks.diff +++ b/system/xen/patches/symlinks_instead_of_hardlinks.diff @@ -1,15 +1,15 @@ ---- xen-4.15.0/tools/xenstore/Makefile.orig 2021-04-06 19:14:18.000000000 +0200 -+++ xen-4.15.0/tools/xenstore/Makefile 2021-04-09 20:43:12.613910598 +0200 -@@ -76,7 +76,7 @@ - $(AR) cr $@ $^ +--- xen-4.18.0/tools/xs-clients/Makefile.ORIG 2023-11-16 22:44:21.000000000 +0100 ++++ xen-4.18.0/tools/xs-clients/Makefile 2023-12-05 03:01:05.801759446 +0100 +@@ -29,7 +29,7 @@ + clients: xenstore $(CLIENTS) xenstore-control $(CLIENTS): xenstore - ln -f xenstore $@ + ln -sf xenstore $@ xenstore: xenstore_client.o - $(CC) $< $(LDFLAGS) $(LDLIBS_libxenstore) $(LDLIBS_libxentoolcore) $(SOCKET_LIBS) -o $@ $(APPEND_LDFLAGS) -@@ -117,7 +117,7 @@ + $(CC) $(LDFLAGS) $^ $(LDLIBS) -o $@ $(APPEND_LDFLAGS) +@@ -54,7 +54,7 @@ $(INSTALL_PROG) xenstore-control $(DESTDIR)$(bindir) $(INSTALL_PROG) xenstore $(DESTDIR)$(bindir) set -e ; for c in $(CLIENTS) ; do \ @@ -18,12 +18,3 @@ done .PHONY: uninstall -@@ -144,7 +144,7 @@ - $(INSTALL_DIR) $(DESTDIR)$(bindir) - $(INSTALL_PROG) xenstore $(DESTDIR)$(bindir) - set -e ; for c in $(CLIENTS) ; do \ -- ln -f $(DESTDIR)$(bindir)/xenstore $(DESTDIR)$(bindir)/$${c} ; \ -+ ln -sf xenstore $(DESTDIR)$(bindir)/$${c} ; \ - done - - -include $(DEPS_INCLUDE) diff --git a/system/xen/xen.SlackBuild b/system/xen/xen.SlackBuild index 4bee50e1e26b8..5f3f380186f6a 100644 --- a/system/xen/xen.SlackBuild +++ b/system/xen/xen.SlackBuild @@ -25,14 +25,14 @@ cd $(dirname $0) ; CWD=$(pwd) PRGNAM=xen -VERSION=${VERSION:-4.17.2} +VERSION=${VERSION:-4.18.0} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} PKGTYPE=${PKGTYPE:-tgz} -SEABIOS=${SEABIOS:-1.16.0} -OVMF=${OVMF:-20210824_7b4a99be8a} -IPXE=${IPXE:-3c040ad387099483102708bb1839110bc788cefb} +SEABIOS=${SEABIOS:-1.16.2} +OVMF=${OVMF:-20230524_ba91d0292e} +IPXE=${IPXE:-1d1cf74a5e58811822bee4b3da3cff7282fcdfca} if [ -z "$ARCH" ]; then case "$( uname -m )" in @@ -169,19 +169,20 @@ patch -p1 <$CWD/patches/stubdom_zlib_disable_man_install.diff # Fix glibc-2.27 build if [ "$(ldd --version | awk '{print $NF; exit}')" = "2.27" ]; then - ( cd tools/qemu-xen && patch -p1 <$CWD/patches/glibc-memfd_fix_configure_test.patch ) + tools/qemu-xen && patch -d tools/qemu-xen -p1 <$CWD/patches/glibc-memfd_fix_configure_test.patch fi # Fix ovmf firmware build -( cd tools/firmware/ovmf-dir-remote && \ - patch -p1 <$CWD/patches/edk2-ovmf-202105-werror.patch -) +patch -p1 <$CWD/patches/edk2-ovmf-werror.diff # Fix binutils-2.36 build if [ "$(objcopy --version | awk '{print $NF; exit}' | cut -d- -f1)" = "2.36" ]; then patch -p1 <$CWD/patches/qemu-xen-no-pie.diff fi +# Revert QEMU password removal for spice +patch -d tools/qemu-xen -p1 -R <$CWD/patches/qemu-remove-password-option-for-spice.patch + CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ diff --git a/system/xen/xen.info b/system/xen/xen.info index e1a3760f26096..83847ec03174d 100644 --- a/system/xen/xen.info +++ b/system/xen/xen.info @@ -1,10 +1,10 @@ PRGNAM="xen" -VERSION="4.17.2" +VERSION="4.18.0" HOMEPAGE="http://www.xenproject.org/" DOWNLOAD="UNSUPPORTED" MD5SUM="" -DOWNLOAD_x86_64="http://mirror.slackware.hr/sources/xen/xen-4.17.2.tar.gz \ - http://mirror.slackware.hr/sources/xen-extfiles/ipxe-git-3c040ad387099483102708bb1839110bc788cefb.tar.gz \ +DOWNLOAD_x86_64="http://mirror.slackware.hr/sources/xen/xen-4.18.0.tar.gz \ + http://mirror.slackware.hr/sources/xen-extfiles/ipxe-git-1d1cf74a5e58811822bee4b3da3cff7282fcdfca.tar.gz \ http://mirror.slackware.hr/sources/xen-extfiles/lwip-1.3.0.tar.gz \ http://mirror.slackware.hr/sources/xen-extfiles/zlib-1.2.3.tar.gz \ http://mirror.slackware.hr/sources/xen-extfiles/newlib-1.16.0.tar.gz \ @@ -13,10 +13,10 @@ DOWNLOAD_x86_64="http://mirror.slackware.hr/sources/xen/xen-4.17.2.tar.gz \ http://mirror.slackware.hr/sources/xen-extfiles/polarssl-1.1.4-gpl.tgz \ http://mirror.slackware.hr/sources/xen-extfiles/gmp-4.3.2.tar.bz2 \ http://mirror.slackware.hr/sources/xen-extfiles/tpm_emulator-0.7.4.tar.gz \ - http://mirror.slackware.hr/sources/xen-seabios/seabios-1.16.0.tar.gz \ - http://mirror.slackware.hr/sources/xen-ovmf/xen-ovmf-20210824_7b4a99be8a.tar.bz2" -MD5SUM_x86_64="f344056c4566ac1627db46ea92588c3a \ - 23ba00d5e2c5b4343d12665af73e1cb5 \ + http://mirror.slackware.hr/sources/xen-seabios/seabios-1.16.2.tar.gz \ + http://mirror.slackware.hr/sources/xen-ovmf/xen-ovmf-20230524_ba91d0292e.tar.bz2" +MD5SUM_x86_64="c564d641a8638cfd43a0a810ebce2179 \ + 0d0dc7451b47f2c7a2992bbec20bf4d0 \ 36cc57650cffda9a0269493be2a169bb \ debc62758716a169df9f62e6ab2bc634 \ bf8f1f9e3ca83d732c00a79a6ef29bc4 \ @@ -25,8 +25,8 @@ MD5SUM_x86_64="f344056c4566ac1627db46ea92588c3a \ 7b72caf22b01464ee7d6165f2fd85f44 \ dd60683d7057917e34630b4a787932e8 \ e26becb8a6a2b6695f6b3e8097593db8 \ - 1411e7647ef93424fe88fea5d0ef9a82 \ - 322d42a3378394b5486acc1564651a4f" + ef52bf37a78e78a082688a244300ab86 \ + 00968782d77aa244952c8236c299c45b" REQUIRES="acpica yajl" MAINTAINER="Mario Preksavec" EMAIL="mario at slackware dot hr" diff --git a/system/xen/xsa/xsa437.patch b/system/xen/xsa/xsa437.patch deleted file mode 100644 index 18c9f8fc103c9..0000000000000 --- a/system/xen/xsa/xsa437.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 7fac5971340a13ca9458195305bcfe14df2e52d2 Mon Sep 17 00:00:00 2001 -From: Stefano Stabellini <stefano.stabellini@amd.com> -Date: Thu, 17 Aug 2023 13:41:35 +0100 -Subject: [PATCH] xen/arm: page: Handle cache flush of an element at the top of - the address space - -The region that needs to be cleaned/invalidated may be at the top -of the address space. This means that 'end' (i.e. 'p + size') will -be 0 and therefore nothing will be cleaned/invalidated as the check -in the loop will always be false. - -On Arm64, we only support we only support up to 48-bit Virtual -address space. So this is not a concern there. However, for 32-bit, -the mapcache is using the last 2GB of the address space. Therefore -we may not clean/invalidate properly some pages. This could lead -to memory corruption or data leakage (the scrubbed value may -still sit in the cache when the guest could read directly the memory -and therefore read the old content). - -Rework invalidate_dcache_va_range(), clean_dcache_va_range(), -clean_and_invalidate_dcache_va_range() to handle a cache flush -with an element at the top of the address space. - -This is CVE-2023-34321 / XSA-437. - -Reported-by: Julien Grall <jgrall@amazon.com> -Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com> -Signed-off-by: Julien Grall <jgrall@amazon.com> -Acked-by: Bertrand Marquis <bertrand.marquis@arm.com> - ---- - xen/arch/arm/include/asm/page.h | 33 ++++++++++++++++++++------------- - 1 file changed, 20 insertions(+), 13 deletions(-) - -diff --git a/xen/arch/arm/include/asm/page.h b/xen/arch/arm/include/asm/page.h -index e7cd62190c7f..d7fe770a5e49 100644 ---- a/xen/arch/arm/include/asm/page.h -+++ b/xen/arch/arm/include/asm/page.h -@@ -160,26 +160,25 @@ static inline size_t read_dcache_line_bytes(void) - - static inline int invalidate_dcache_va_range(const void *p, unsigned long size) - { -- const void *end = p + size; - size_t cacheline_mask = dcache_line_bytes - 1; - - dsb(sy); /* So the CPU issues all writes to the range */ - - if ( (uintptr_t)p & cacheline_mask ) - { -+ size -= dcache_line_bytes - ((uintptr_t)p & cacheline_mask); - p = (void *)((uintptr_t)p & ~cacheline_mask); - asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p)); - p += dcache_line_bytes; - } -- if ( (uintptr_t)end & cacheline_mask ) -- { -- end = (void *)((uintptr_t)end & ~cacheline_mask); -- asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (end)); -- } - -- for ( ; p < end; p += dcache_line_bytes ) -+ for ( ; size >= dcache_line_bytes; -+ p += dcache_line_bytes, size -= dcache_line_bytes ) - asm volatile (__invalidate_dcache_one(0) : : "r" (p)); - -+ if ( size > 0 ) -+ asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p)); -+ - dsb(sy); /* So we know the flushes happen before continuing */ - - return 0; -@@ -187,10 +186,14 @@ static inline int invalidate_dcache_va_range(const void *p, unsigned long size) - - static inline int clean_dcache_va_range(const void *p, unsigned long size) - { -- const void *end = p + size; -+ size_t cacheline_mask = dcache_line_bytes - 1; -+ - dsb(sy); /* So the CPU issues all writes to the range */ -- p = (void *)((uintptr_t)p & ~(dcache_line_bytes - 1)); -- for ( ; p < end; p += dcache_line_bytes ) -+ size += (uintptr_t)p & cacheline_mask; -+ size = (size + cacheline_mask) & ~cacheline_mask; -+ p = (void *)((uintptr_t)p & ~cacheline_mask); -+ for ( ; size >= dcache_line_bytes; -+ p += dcache_line_bytes, size -= dcache_line_bytes ) - asm volatile (__clean_dcache_one(0) : : "r" (p)); - dsb(sy); /* So we know the flushes happen before continuing */ - /* ARM callers assume that dcache_* functions cannot fail. */ -@@ -200,10 +203,14 @@ static inline int clean_dcache_va_range(const void *p, unsigned long size) - static inline int clean_and_invalidate_dcache_va_range - (const void *p, unsigned long size) - { -- const void *end = p + size; -+ size_t cacheline_mask = dcache_line_bytes - 1; -+ - dsb(sy); /* So the CPU issues all writes to the range */ -- p = (void *)((uintptr_t)p & ~(dcache_line_bytes - 1)); -- for ( ; p < end; p += dcache_line_bytes ) -+ size += (uintptr_t)p & cacheline_mask; -+ size = (size + cacheline_mask) & ~cacheline_mask; -+ p = (void *)((uintptr_t)p & ~cacheline_mask); -+ for ( ; size >= dcache_line_bytes; -+ p += dcache_line_bytes, size -= dcache_line_bytes ) - asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p)); - dsb(sy); /* So we know the flushes happen before continuing */ - /* ARM callers assume that dcache_* functions cannot fail. */ --- -2.40.1 - |