Re: Xen 4.4 updates - request for feedback
On 2018-10-24 11:24:28, Antoine Beaupré wrote:
> On 2018-10-23 14:03:37, Peter Dreuw wrote:
>> Hello, everyone,
>>
>> I prepared another set of fixes based on the current Xen package on jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>>
>> These fixes include
>>
>> CVE-2017-15595 / xsa 240
>> CVE-2017-15593 / xsa 242
>> CVE-2017-15592 / xsa 243
>> CVE-2017-16693 / xsa 244
>> CVE-2017-17044 / xsa 246
>> CVE-2017-17045 / xsa 247
>> CVE-2018-10472 / xsa 258
>> CVE-2018-10981 / xsa 262
>>
>> The testing packages are available here:
>>
>> https://share.credativ.com/~pdr/xen-test/
>
> I'll be reviewing those diffs shortly, thanks!
I've given that a shot and, unfortunately, the actual contents of the
patchset go over my head, so I cannot provide useful feedback on
those. When I worked on Xen/qemu before, I was content to just adapt the
upstream patches without auditing the fix itself, for what it's worth.
So I have reviewed the patches in that context and they generally seem
to reflect upstream's intention, for what that's worth.
The only issues I could find were whitespace and shouldn't affect
functionality.
(In XSA-240 [20c8d60a5c], a comment block present in the upstream patch
[0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch] is
missing. Purely cosmetic. Whitespace noise is introduced in 49721ad27a
which might make future merges needlessly harder. There's a similar
issue in XSA-247 [06d16d9c].)
Again, that's assuming that upstream patchsets backport logically into
4.4. Many XSAs have 4.5 patches (or in some cases 4.6) so it's not that
big of a leap.
Thanks for the hard work!
A.