From: Xen.org security team
Subject: Xen Security Advisory 182 (CVE-2016-6258) - x86: Privilege escalation in PV guests
Date: Tue, 26 Jul 2016 12:04:00 +0000
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team"

            Xen Security Advisory CVE-2016-6258 / XSA-182
                              version 3

                x86: Privilege escalation in PV guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The PV pagetable code has fast-paths for making updates to
pre-existing pagetable entries, to skip expensive re-validation in
safe cases (e.g. clearing only Access/Dirty bits). The bits
considered safe were too broad, and not actually safe.

IMPACT
======

A malicious PV guest administrator can escalate their privilege to
that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to PV guests on x86 hardware.

The vulnerability is not exposed to x86 HVM guests, or ARM guests.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jérémie Boutoille of Quarkslab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa182.patch           xen-unstable, Xen 4.7.x
xsa182-4.6.patch       Xen 4.6.x
xsa182-4.5.patch       Xen 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa182*
303400b9a832a3c1d423cc2cc97c2f00482793722f9ef7dd246783a049ac2792  xsa182-unstable.patch
2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2  xsa182-4.5.patch
f10665acaf17dedd15c40bfeb832b188db1ab3e789d95cc3787575529a280813  xsa182-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
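
Added example (not part of the advisory and not Xen's code): a small C model of the design point in ISSUE DESCRIPTION, comparing a fast path keyed on a list of bits that must be unchanged with one keyed on an allow-list of bits that may change. The mask contents, function names and sample entries are assumptions constructed for illustration; only the x86 PTE bit positions are architectural.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86-64 page-table entry flag bits. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_PCD      (1ULL << 4)
#define PTE_ACCESSED (1ULL << 5)
#define PTE_DIRTY    (1ULL << 6)
#define PTE_ADDR     0x000FFFFFFFFFF000ULL  /* bits 12..51: frame address */

/*
 * Hypothetical "must match" list: the fast path is taken when none of
 * these bits differ, so every bit left off the list is implicitly
 * treated as safe. Constructed for illustration, not Xen's mask.
 */
#define MUST_MATCH_TOO_NARROW (PTE_ADDR | PTE_PRESENT)

/*
 * Hypothetical allow-list: only these bits may differ on the fast path.
 * Any bit not named here forces full re-validation (fails closed).
 */
#define MAY_CHANGE_ALLOWLIST (PTE_ACCESSED | PTE_DIRTY)

/* True when the update may skip re-validation under the must-match rule. */
static bool fastpath_must_match(uint64_t old_pte, uint64_t new_pte)
{
    return ((old_pte ^ new_pte) & MUST_MATCH_TOO_NARROW) == 0;
}

/* True when the update may skip re-validation under the allow-list rule. */
static bool fastpath_allowlist(uint64_t old_pte, uint64_t new_pte)
{
    return ((old_pte ^ new_pte) & ~MAY_CHANGE_ALLOWLIST) == 0;
}

struct update { const char *what; uint64_t old_pte, new_pte; };

/* Constructed sample updates to one pre-existing entry. */
static const struct update samples[] = {
    { "clear Accessed/Dirty",
      0x1000ULL | PTE_PRESENT | PTE_ACCESSED | PTE_DIRTY,
      0x1000ULL | PTE_PRESENT },
    { "set RW",
      0x1000ULL | PTE_PRESENT, 0x1000ULL | PTE_PRESENT | PTE_RW },
    { "set PCD (cacheability)",
      0x1000ULL | PTE_PRESENT, 0x1000ULL | PTE_PRESENT | PTE_PCD },
    { "change frame address",
      0x1000ULL | PTE_PRESENT, 0x2000ULL | PTE_PRESENT },
};

int main(void)
{
    /* Print, per update, whether each rule would skip re-validation. */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s must-match fast path: %-3s  allow-list fast path: %s\n",
               samples[i].what,
               fastpath_must_match(samples[i].old_pte, samples[i].new_pte) ? "yes" : "no",
               fastpath_allowlist(samples[i].old_pte, samples[i].new_pte) ? "yes" : "no");
    return 0;
}
```

With the allow-list form, a flag nobody thought about defaults to the slow, fully validated path rather than the fast one.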