Supported Xen Project 4.5 series

Xen Project 4.5.0

Release Information

The Xen Project 4.5 release incorporates many new features and improvements to existing features.

Documentation

For Xen Project 4.5 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.5 check out the Xen Project 4.5 Acknowledgements.

Xen Project 4.5.1

We are pleased to announce the release of Xen 4.5.1. This is available immediately from its git repository

http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.5 (tag RELEASE-4.5.1) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 6e865a4: README: update to say Xen 4.5, not Xen 4.5.0 [Ian Jackson]
  • 0b1b9d1: update Xen version to 4.5.1 [Jan Beulich]
  • a246727: cpupool: fix shutdown with cpupools with different schedulers [Dario Faggioli]
  • 5b2f480: libelf: fix elf_parse_bsdsyms call [Roger Pau Monné]
  • 8faef24: VT-d: extend quirks to newer desktop chipsets [Jan Beulich]
  • e254b19: EFI: support default attributes to map Runtime service areas with none given [Konrad Rzeszutek Wilk]
  • cbf41e0: EFI/early: add /mapbs to map EfiBootServices{Code,Data} [Konrad Rzeszutek Wilk]
  • 37bca10: x86/EFI: fix EFI_MEMORY_WP handling [Jan Beulich]
  • 6971bb6: efi: avoid calling boot services after ExitBootServices() [Ross Lagerwall]
  • 24fcf17: x86/VPMU: add lost Intel processor [Alan Robinson]
  • 131889c: x86/crash: don't use set_fixmap() in the crash path [Andrew Cooper]
  • 8791a30: x86/apic: Disable the LAPIC later in smp_send_stop() [Andrew Cooper]
  • b0dca51: efi: fix allocation problems if ExitBootServices() fails [Ross Lagerwall]
  • 6fb3483: x86: don't crash when mapping a page using EFI runtime page tables [Ross Lagerwall]
  • fbd26f2: x86/pvh: disable posted interrupts [Roger Pau Monné]
  • d963f64: tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125 [Andrew Cooper]
  • 0d8cbca: libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap. [Konrad Rzeszutek Wilk]
  • bf06e40: libxl: event handling: ao_inprogress does waits while reports outstanding [Ian Jackson]
  • 97051bd: libxl: event handling: Break out ao_work_outstanding [Ian Jackson]
  • 0bc9f98: x86/traps: loop in the correct direction in compat_iret() [Andrew Cooper]
  • fcfbdb4: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling [Jan Beulich]
  • 0f4362b: update Xen version to 4.5.1-rc2 [Jan Beulich]
  • 09f76cb: cpupools: avoid crashing if shutting down with free CPUs [Dario Faggioli]
  • f237ee4: cpupool: assigning a CPU to a pool can fail [Dario Faggioli]
  • b986072: xen: common: Use unbounded array for symbols_offset. [Ian Campbell]
  • 5eac1be: x86/irq: limit the maximum number of domain PIRQs [Andrew Cooper]
  • 9c3d34d: x86: don't unconditionally touch the hvm_domain union during domain construction [Andrew Cooper]
  • 5ca0609: x86/EFI: keep EFI runtime services top level page tables up-to-date [Jan Beulich]
  • 9d5b2b0: tools/xenconsoled: Increase file descriptor limit [Andrew Cooper]
  • a984d86: tools/hotplug: systemd: Don't ever kill xenstored [Ross Lagerwall]
  • cfc4c43: ocaml/xenctrl: Fix stub_xc_readconsolering() [Andrew Cooper]
  • 032673c: ocaml/xenctrl: Make failwith_xc() thread safe [Andrew Cooper]
  • c91ed88: ocaml/xenctrl: Check return values from hypercalls [Andrew Cooper]
  • fa62913: libxl: Domain destroy: fork [Ian Jackson]
  • c9b13f3: libxl: Domain destroy: unlock userdata earlier [Ian Jackson]
  • 0b19348: libxl: In domain death search, start search at first domid we want [Ian Jackson]
  • ddfe333: x86: don't change affinity with interrupt unmasked [Jan Beulich]
  • bf30232: x86: don't clear high 32 bits of RAX on sub-word guest I/O port reads [Jan Beulich]
  • a824bf9: x86_emulate: fix EFLAGS setting of CMPXCHG emulation [Eugene Korenevsky]
  • f653b7f: x86/hvm: implicitly disable an ioreq server when it is destroyed [Paul Durrant]
  • 8dbdcc3: x86/hvm: actually release ioreq server pages [Paul Durrant]
  • d072510: x86/efi: reserve SMBIOS table region when EFI booting [Ross Lagerwall]
  • 0c4e0ef: update Xen version to 4.5.1-rc1 [Jan Beulich]
  • d419061: Config.mk: Fix QEMU_TAG and QEMU_TRADITIONAL_REVISION handling [Ian Jackson]
  • 56fe488: x86/hvm: fix the unknown nested vmexit reason 80000021 bug [Liang Li]
  • 4a69292: x86_emulate: split the {reg,mem} union in struct operand [Tim Deegan]
  • 4a52101: VT-d: improve fault info logging [Jan Beulich]
  • 5a7c042: x86/MSI: fix error handling [Jan Beulich]
  • 51d8325: LZ4 : fix the data abort issue [JeHyeon Yeon]
  • 0327c93: hvmloader: don't treat ROM BAR like other BARs [Jan Beulich]
  • f2e08aa: domctl/sysctl: don't leak hypervisor stack to toolstacks [Andrew Cooper]
  • 0b754fb: xen/arm: Call context_saved() with interrupts enabled during context switch [denys drozdov]
  • ad727c0: xen/arm: Blacklist the memory mapped timer (armv7-timer-mem) [Julien Grall]
  • fe6bc7d: xen: arm: Factor out psr_mode_is_user [Ian Campbell]
  • 3771b5a: arm64: fix fls() [Jan Beulich]
  • 1dcdf90: xen: arm: correctly handle continuations for 64-bit guests [Ian Campbell]
  • 01148e9: xen: arm32: reduce default size of the xenheap [Ian Campbell]
  • f5d255d: xen/arm: vgic-v2: Take the lock when writing into GICD_CTLR [Julien Grall]
  • 6f05077: xen/arm: vgic-v2: GICD_I{S, C}PENDR* are only word-accessible [Julien Grall]
  • 009d14d: xen/arm: vgic-v2: Correctly handle RAZ/WI registers [Julien Grall]
  • 6498c5f: xen/arm: vgic-v2: Correctly set GICD_TYPER.CPUNumber [Julien Grall]
  • fd50553: xen/arm: vgic-v3: Correctly set GICD_TYPER.CPUNumber [Julien Grall]
  • b66d8c3: xen/arm: vgic-v3: Correctly set GICD_TYPER.IDbits [Julien Grall]
  • f7cfc16: xen/arm: vgic: Rename nr_lines into nr_spis [Julien Grall]
  • 9246d2e: domctl: don't allow a toolstack domain to call domain_pause() on itself [Andrew Cooper]
  • f5bca81: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) [Konrad Rzeszutek Wilk]
  • 7fe1c1b: x86: don't apply reboot quirks if reboot set by user [Ross Lagerwall]
  • 969df12: Revert "cpupools: update domU's node-affinity on the cpupool_unassign_cpu() path" [Jan Beulich]
  • 89bdb85: x86/EFI: allow reboot= overrides when running under EFI [Konrad Rzeszutek Wilk]
  • 68e434b: EFI: fix getting EFI variable list on some systems [Ross Lagerwall]
  • b738650: VT-d: print_vtd_entries() should cope with superpages [Jan Beulich]
  • 5bbd39d: complete conversion set_bit() -> __cpumask_set_cpu() by 4aaca0e9cd [Jan Beulich]
  • 483c6cd: honor MEMF_no_refcount in alloc_heap_pages() [Jan Beulich]
  • e76209d: xen: arm: correct arm64 version of gva_to_ma_par [Ian Campbell]
  • 6616c4d: tools: libxl: Explicitly disable graphics backends on qemu cmdline [Ian Campbell]
  • d0b141e: x86/tboot: invalidate FIX_TBOOT_MAP_ADDRESS mapping after use [Jan Beulich]
  • 902998e: x86emul: fully ignore segment override for register-only operations [Jan Beulich]
  • 25c6ee8: pre-fill structures for certain HYPERVISOR_xen_version sub-ops [Aaron Adams]
  • 7ef0364: x86/HVM: return all ones on wrong-sized reads of system device I/O ports [Jan Beulich]
  • 3665563: tools/libxc: Don't leave scratch_pfn uninitialised if the domain has no memory [Andrew Cooper]
  • 75ac8cf: x86/nmi: fix shootdown of pcpus running in VMX non-root mode [Andrew Cooper]
  • ad6b254: x86/traps: export the exception_table[] function pointer table to C [Andrew Cooper]
  • 1e44c92: x86/hvm: explicitly mark ioreq server pages dirty [Paul Durrant]
  • 2bfef90: x86/hvm: wait for at least one ioreq server to be enabled [Paul Durrant]
  • d976397: x86/VPMU: disable when NMI watchdog is on [Boris Ostrovsky]
  • 1e753b6: xen/arm: vgic-v2: Don't crash the hypervisor if the SGI target mode is invalid [Julien Grall]
  • 2035943: tools/configure: detect $host_vendor of rumprun, not just rumpxen [Ian Jackson]
  • 9fd6292: rump kernels: use new platform macro [Wei Liu]
  • 84f2484: libxc: introduce a per architecture scratch pfn for temporary grant mapping [Julien Grall]
  • 6302c61: Install libxlutil.h [Jim Fehlig]
  • d8e78d6: bunzip2: off by one in get_next_block() [Dan Carpenter]
  • 8a855b3: docs/commandline: correct information for 'x2apic_phys' parameter [Andrew Cooper]
  • 3a777be: x86: vcpu_destroy_pagetables() must not return -EINTR [Konrad Rzeszutek Wilk]
  • 1acb3b6: handle XENMEM_get_vnumainfo in compat_memory_op [Wei Liu]
  • 4eec09f: x86: correctly check for sub-leaf zero of leaf 7 in pv_cpuid() [Jan Beulich]
  • 7788cbb: x86: don't expose XSAVES capability to PV guests [Jan Beulich]
  • 4cfc54b: xsm/evtchn: never pretend to have successfully created a Xen event channel [Andrew Cooper]
  • 2fdd521: common/memory: fix an XSM error path [Jan Beulich]
  • ad83ad9: x86emul: tighten CLFLUSH emulation [Jan Beulich]
  • 896437d: xen/arm: vgic-v2: message in the emulation code should be rate-limited [Julien Grall]
  • 38a7be8: xen/arm: vgic-v3: message in the emulation code should be rate-limited [Julien Grall]
  • c93aa9b: xen/arm: Manage pl011 uart TX interrupt correctly [Vijaya Kumar K]
  • 1928318: dt-uart: use ':' as separator between path and options [Ian Campbell]
  • 3367ca8: bump __XEN_LATEST_INTERFACE_VERSION__ [Jan Beulich]
  • 70f5abd: update Xen version to 4.5.1-pre [Jan Beulich]
  • 9ae1853: libxl: Don't ignore error when we fail to give access to ioport/irq/iomem [Julien Grall]

In addition, this release also contains the following fixes to qemu-traditional:

  • afaa35b: ... by default. Add a per-device "permissive" mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). [Jan Beulich]
  • 3cff7ad: Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. [Jan Beulich]
  • ec61b93: The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). [Jan Beulich]
  • 37c77b8: xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). [Jan Beulich]
  • 2dc4059: This is just to avoid having to adjust that calculation later in multiple places. [Jan Beulich]
  • 29d9566: xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). [Jan Beulich]
  • 2e19270: There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write() is being retained in order to allow later patches to be less intrusive. [Jan Beulich]
  • 751d20d: Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). [Jan Beulich]
  • 51f3b5b: ... to avoid allowing the guest to cause the control domain's disk to fill. [Jan Beulich]
  • 7f99bb9: It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. [Jan Beulich]
  • 6fc82bf: The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. [Jan Beulich]
  • e42b84c: fdc: force the fifo access to be in bounds of the allocated buffer [Petr Matousek]
  • 62e4158: xen: limit guest control of PCI command register [Jan Beulich]
  • 3499745: cirrus: fix an uninitialized variable [Jan Beulich]

This release also contains the security fixes for XSA-117 to XSA-136, with the exception of XSA-124, which documents security risks of non-standard PCI device functionality that cannot be addressed in software. It also includes an update to XSA-98 and XSA-59.

For CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) we are told that the workaround is now completely implemented for server CPUs/chipsets (thanks to newer CPUs/chipsets addressing the underlying hardware issue). For all desktop and mobile CPUs/chipsets which are currently known to be affected by XSA-59 the necessary workaround has been implemented. However, we expect to extend the workaround for upcoming hardware variants where the underlying hardware issue is not yet addressed.

Note that the fix for the qemu portion of XSA-135 has not been applied to qemu-traditional due to an oversight. The fix has been applied to qemu upstream; for qemu-traditional it is also available at http://xenbits.xen.org/gitweb/?p=qemu-xen-4.5-testing.git;a=shortlog (commits bb42407 & 9f94419).

See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.5 stable series to update to this first point release.

Xen Project 4.5.2

We are pleased to announce the release of Xen 4.5.2. This is available immediately from its git repository

http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.5 (tag RELEASE-4.5.2) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • e0a36c0: update Xen version to 4.5.2 [Jan Beulich]
  • 423d2cd: libxl: adjust PoD target by memory fudge, too [Ian Jackson]
  • d3063bb: x86: rate-limit logging in do_xen{oprof,pmu}_op() [Jan Beulich]
  • 8dbbba7: xenoprof: free domain's vcpu array [Jan Beulich]
  • 0b12f70: x86/PoD: Eager sweep for zeroed pages [Andrew Cooper]
  • fd4d3cf: free domain's vcpu array [Jan Beulich]
  • d2fa0ee: x86: guard against undue super page PTE creation [Jan Beulich]
  • b6ee626: arm: handle races between relinquish_memory and free_domheap_pages [Ian Campbell]
  • 659e934: arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP. [Ian Campbell]
  • 41dd3b8: arm: Support hypercall_create_continuation for multicall [Julien Grall]
  • 47db4b0: Revert "libxl: use correct command line for arm guests." [Ian Jackson]
  • a5d0480: tools/libxc: arm: Check the index before accessing the bank [Julien Grall]
  • 9befcd3: libxl: use correct command line for arm guests. [Ian Campbell]
  • 53c11b0: x86/NUMA: fix SRAT table processor entry parsing and consumption [Jan Beulich]
  • 0368463: x86: hide MWAITX from PV domains [Jan Beulich]
  • a262a89: VT-d: don't suppress invalidation address write when it is zero [Jan Beulich]
  • 80e9f56: docs: xl.cfg: permissive option is not PV only. [Ian Campbell]
  • 5461ad2: tools: libxl: allow permissive qemu-upstream pci passthrough. [Ian Campbell]
  • db0f474: x86/p2m-pt: tighten conditions of IOMMU mapping updates [Jan Beulich]
  • 2b58d7b: credit1: fix tickling when it happens from a remote pCPU [Dario Faggioli]
  • 887da2b: x86/p2m-pt: ignore pt-share flag for shadow mode guests [Jan Beulich]
  • e4e18ec: x86/p2m-pt: delay freeing of intermediate page tables [Jan Beulich]
  • dde2414: x86/EPT: tighten conditions of IOMMU mapping updates [Jan Beulich]
  • b6e40c9: vt-d: fix IM bit mask and unmask of Fault Event Control Register [Quan Xu]
  • d3d476f: xen/xsm: Make p->policyvers be a local variable (ver) to shut up GCC 5.1.1 warnings. [Konrad Rzeszutek Wilk]
  • 0297baf: xen/arm: vgic-v2: Map the GIC virtual CPU interface with the correct size [Julien Grall]
  • 9b147f9: xen/arm: vgic: Correctly emulate write when byte is used [Julien Grall]
  • f72ab69: xen: arm: bootfdt: Avoid reading off the front of *_cells array [Ian Campbell]
  • c562986: xen: arm: always omit guest user stack in vcpu_show_execution_state [Ian Campbell]
  • 12cc60d: xen: arm: handle accesses to CNTP_CVAL_EL0 [Ian Campbell]
  • 2b0d371: xen: arm: correctly handle vtimer traps from userspace [Ian Campbell]
  • 9bed918: x86/sysctl: don't clobber memory if NCAPINTS > ARRAY_SIZE(pi->hw_cap) [Andrew Cooper]
  • bda02ca: x86/MSI: fail if no hardware support [Jan Beulich]
  • 33562a4: x86/p2m: fix mismatched unlock [Jan Beulich]
  • fe84222: x86/hvm: fix saved pmtimer and hpet values [Kouya Shimura]
  • bfa874d: efi: introduce efi_arch_flush_dcache_area [Stefano Stabellini]
  • 0619913: libxl: handle read-only drives with qemu-xen [Stefano Stabellini]
  • bbbd29a: libxl: Increase device model startup timeout to 1min. [Anthony PERARD]
  • ffb4e63: xl: correct handling of extra_config in main_cpupoolcreate [Wei Liu]
  • 2049db3: QEMU_TAG update [Ian Jackson]
  • 0b6e02b: x86/NUMA: make init_node_heap() respect Xen heap limit [Jan Beulich]
  • ef372ac: x86/NUMA: don't account hotplug regions [Jan Beulich]
  • 8bdfe14: x86/NUMA: fix setup_node() [Jan Beulich]
  • 8933ed4: IOMMU: skip domains without page tables when dumping [Jan Beulich]
  • d461923: x86/IO-APIC: don't create pIRQ mapping from masked RTE [Jan Beulich]
  • 5b71988: x86, amd_ucode: skip microcode updates for final levels [Aravind Gopalakrishnan]
  • fabd2cf: mm: populate_physmap: validate correctly the gfn for direct mapped domain [Julien Grall]
  • 9e6379e: x86/mm: Make {hap, shadow}_teardown() preemptible [Anshul Makkar]
  • 12afed3: x86/gdt: Drop write-only, xalloc()'d array from set_gdt() [Andrew Cooper]
  • ef89dc8: xen/arm: mm: Do not dump the p2m when mapping a foreign gfn [Julien Grall]
  • 7f7642f: libxl: poll: Avoid fd deregistration race POLLNVAL crash [Ian Jackson]
  • 9f6f513: libxl: poll: Use poller_get and poller_put for poller_app [Ian Jackson]
  • 8c40913: libxl: poll: Make libxl__poller_get have only one success return path [Ian Jackson]
  • 9a4c625: tools: libxl: Handle failure to create qemu dm logfile [Ian Campbell]
  • 6040b3a: xl: Sane handling of extra config file arguments [Ian Jackson]
  • 7ac1a26: QEMU_TAG update [Ian Jackson]
  • 07249f4: Config.mk: update in-tree OVMF changeset [Wei Liu]
  • 666b80f: dmar: device scope mem leak fix [Elena Ufimtseva]
  • aa885a0: make rangeset_report_ranges() report all ranges [Jan Beulich]
  • cf423e9: xen: earlycpio: Pull in latest linux earlycpio.[ch] [Ian Campbell]
  • 8c16642: x86/hvmloader: avoid data corruption with xenstore reads/writes [Andrew Cooper]
  • 7b1a3be: credit1: properly deal with pCPUs not in any cpupool [Dario Faggioli]
  • de8b550: x86 / cpupool: clear the proper cpu_valid bit on pCPU teardown [Dario Faggioli]
  • 4b0782f: x86/p2m-ept: don't unmap the EPT pagetable while it is still in use [Andrew Cooper]
  • 96289ee: nested EPT: fix the handling of nested EPT [Liang Li]
  • 36a7c54: x86/traps: avoid using current too early on boot [Andrew Cooper]
  • d906add: x86: avoid tripping watchdog when constructing dom0 [Ross Lagerwall]
  • 4ef8635: x86/EFI: adjust EFI_MEMORY_WP handling for spec version 2.5 [Jan Beulich]
  • b30aee4: kexec: add more pages to v1 environment [Jan Beulich]
  • b92d571: x86/debugger: use copy_to/from_guest() in dbg_rw_guest_mem() [Andrew Cooper]
  • 3e7e487: passthrough/amd: avoid reading an uninitialized variable [Tim Deegan]
  • c4d7b91: x86/traps: identify the vcpu in context when dumping registers [Andrew Cooper]
  • e3bd3ce: QEMU_TAG update [Ian Jackson]
  • 031ab7f: update Xen version to 4.5.2-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • dfe880e: vnc: limit client_cut_text msg payload size [Peter Lieven]
  • 327319a: ide: Clear DRQ after handling all expected accesses [Kevin Wolf]
  • 8ded5f4: ide: Check array bounds before writing to io_buffer (CVE-2015-5154) [Kevin Wolf]
  • 9f94419: pcnet: force the buffer access to be in bounds during tx [Petr Matousek]
  • bb42407: pcnet: fix Negative array index read [Gonglei]

This release also contains the security fixes for XSA-137, XSA-138, and XSA-141 to XSA-153. XSA-139 and XSA-140 only apply to QEMU Upstream and are fixed from versions 2.3.1 and 2.4.0 of QEMU. The qemu portion of XSA-135 has also been applied to qemu-traditional.

See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.5 stable series to update to this latest point release.

Hardware-related Security Risks:

For CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) we are told that the workaround is now completely implemented for server CPUs/chipsets (thanks to newer CPUs/chipsets addressing the underlying hardware issue). For all desktop and mobile CPUs/chipsets which are currently known to be affected by XSA-59 the necessary workaround has been implemented. However, we expect to extend the workaround for upcoming hardware variants where the underlying hardware issue is not yet addressed.

XSA-124 documents security risks of non-standard PCI device functionality that cannot be addressed in software.

Xen Project 4.5.3

We are pleased to announce the release of Xen 4.5.3. This is available immediately from its git repository

http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.5 (tag RELEASE-4.5.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 619ea5d: update Xen version to 4.5.3 [Jan Beulich]
  • 3f802a5: vmx: restore debug registers when injecting #DB traps [Ross Lagerwall]
  • a8f23b3: x86: don't flush the whole cache when changing cachability [David Vrabel]
  • 1fac32b: libvchan: Read prod/cons only once. [Konrad Rzeszutek Wilk]
  • d165c49: x86emul: limit-check branch targets [Jan Beulich]
  • 9ab5f84: x86/hvm: print register state upon triple fault [Andrew Cooper]
  • 4368db0: x86emul: fix rIP handling [Jan Beulich]
  • a48c1d3: xen/arm: vgic-v2: Implement correctly ITARGETSR0 - ITARGETSR7 read-only [Julien Grall]
  • 86060f8: xen/arm: vgic-v2: Report the correct GICC size to the guest [Julien Grall]
  • 812406c: tools: pygrub: if partition table is empty, try treating as a whole disk [Ian Campbell]
  • fe71162: x86: fix unintended fallthrough case from XSA-154 [Andrew Cooper]
  • d4e0fcb: xen/arm64: Make sure we get all debug output [Dirk Behme]
  • 820311c: hvmloader: fix scratch_alloc to avoid overlaps [Anthony PERARD]
  • 1d69621: x86/nHVM: avoid NULL deref during INVLPG intercept handling [Jan Beulich]
  • 836dc18: credit: recalculate per-cpupool credits when updating timeslice [Juergen Gross]
  • 3fa5fb5: credit: update timeslice under lock [Juergen Gross]
  • 0baa073: x86/vmx: don't clobber exception_bitmap when entering/leaving emulated real mode [Andrew Cooper]
  • a7f6bcb: x86/mce: fix misleading indentation in init_nonfatal_mce_checker() [Ian Campbell]
  • 677eb6e: x86: fix (and simplify) MTRR overlap checking [Jan Beulich]
  • e7fa1af: x86/mmuext: tighten TLB flush address checks [Jan Beulich]
  • 30b0e11: x86/VMX: sanitize rIP before re-entering guest [Jan Beulich]
  • 96b4955: x86: enforce consistent cachability of MMIO mappings [Jan Beulich]
  • 7afddd3: docs: correct descriptions of gnttab_max_{, maptrack}_frames [Ian Campbell]
  • 5a1acb6: x86/vmx: Fix injection of #DB traps following XSA-156 [Andrew Cooper]
  • 934e86f: x86/VMX: prevent INVVPID failure due to non-canonical guest address [Jan Beulich]
  • 642943d: x86/mm: PV superpage handling lacks sanity checks [Jan Beulich]
  • a34fbcf: tools/ocaml/xb: Correct calculations of data/space the ring [Andrew Cooper]
  • d603cb9: oxenstored: Quota.merge: don't assume domain already exists [Jonathan Davies]
  • ee576d7: Config.mk: update OVMF changeset [Wei Liu]
  • 845e8c1: blktap: Fix two 'maybe uninitialized' variables [Dario Faggioli]
  • 7b2ce45: QEMU_TAG update [Ian Jackson]
  • 172797e: QEMU_TAG update [Ian Jackson]
  • 880c29f: x86/HVM: avoid reading ioreq state more than once [Jan Beulich]
  • b45e534: x86: don't leak ST(n)/XMMn values to domains first using them [Jan Beulich]
  • 4c11414: x86/time: fix domain type check in tsc_set_info() [Haozhong Zhang]
  • d11d0df: VT-d: drop unneeded Ivybridge quirk workaround [Jan Beulich]
  • 74b7f46: evtchn: don't reuse ports that are still "busy" [David Vrabel]
  • 4c8859e: x86/ept: remove unnecessary sync after resolving misconfigured entries [David Vrabel]
  • 7c56b09: x86/boot: check for not allowed sections before linking [Daniel Kiper]
  • fea50c0: x86/vPMU: document as unsupported [Jan Beulich]
  • 413d59f: sched: fix locking for insert_vcpu() in credit1 and RTDS [Dario Faggioli]
  • ec70614: VMX: fix/adjust trap injection [Jan Beulich]
  • f44b542: x86/HVM: don't inject #DB with error code [Jan Beulich]
  • 96aaf7e: x86/vmx: improvements to vmentry failure handling [Andrew Cooper]
  • 92bea0a: x86/PoD: Make p2m_pod_empty_cache() restartable [Andrew Cooper]
  • a84cecd: memory: fix XSA-158 fix [Jan Beulich]
  • b248662: QEMU_TAG update [Ian Jackson]
  • 42f4d98: libxl: Fix bootloader-related virtual memory leak on pv build failure [Ian Jackson]
  • 746534f: memory: fix XENMEM_exchange error handling [Jan Beulich]
  • e0d4509: memory: split and tighten maximum order permitted in memops [Jan Beulich]
  • 0cabed0: Config: Switch to unified qemu trees. [Ian Campbell]
  • f299bd4: update Xen version to 4.5.3-pre [Jan Beulich]
  • 6d8233d: x86/HVM: always intercept #AC and #DB [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • f5bf3ed: MSI-X: avoid array overrun upon MSI-X table writes [Jan Beulich]
  • f9eb995: blkif: Avoid double access to src->nr_segments [Stefano Stabellini]
  • 12cbf57: xenfb: avoid reading twice the same fields from the shared page [Stefano Stabellini]
  • 3159615: net: pcnet: add check to validate receive data size(CVE-2015-7504) [Ian Jackson]

This release also contains changes to qemu-upstream, whose changelog we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check http://xenbits.xen.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.5.2 and qemu-xen-4.5.3).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes:

XSA      Xen       qemu-traditional   qemu-upstream
XSA-154  Applied   N/A                N/A
XSA-155  Applied   Applied            Applied
XSA-156  Applied   N/A                N/A
XSA-157  N/A (XSA applies to Linux only)
XSA-158  Applied   N/A                N/A
XSA-159  Applied   N/A                N/A
XSA-160  Applied   N/A                N/A
XSA-161  N/A (XSA withdrawn)
XSA-162  N/A       Applied            Applied
XSA-163  Applied   N/A                N/A
XSA-164  N/A       Applied            N/A (applies to qemu-traditional only)
XSA-165  Applied   N/A                N/A
XSA-166  Applied   N/A                N/A
XSA-167  Applied   N/A                N/A
XSA-168  Applied   N/A                N/A
XSA-169  N/A (XSA applies to Xen 4.6 only)
XSA-170  Applied   N/A                N/A

See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.5 stable series to update to this latest point release.

Xen Project 4.5.4 (not released)

Note regarding 4.5.4: An issue was found late in the release process of 4.5.4, after one of the affected trees was mistakenly tagged with a wrong signed git tag. We therefore decided to skip version 4.5.4 and bump up the version number to 4.5.5.

Xen Project 4.5.5

We are pleased to announce the release of Xen 4.5.5. This is available immediately from its git repository

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.5 (tag RELEASE-4.5.5) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • e4ae4b0: update Xen version to 4.5.5 [Jan Beulich]
  • 22857ab: update Xen version to 4.5.4 [Jan Beulich]
  • c18dfbb: Revert "x86/hvm: Perform a user instruction fetch for a FEP in userspace" [Jan Beulich]
  • 9edce7c: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[] [Andrew Cooper]
  • 9555949: x86/hvm: Perform a user instruction fetch for a FEP in userspace [Andrew Cooper]
  • 57e7172: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary [Andrew Cooper]
  • 11c0462: VMX: correct feature checks for MPX [Jan Beulich]
  • 433ebca: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] [Andrew Cooper]
  • bc9f72b: x86/emulate: Correct boundary interactions of emulated instructions [Andrew Cooper]
  • ec88876: x86/32on64: don't allow recursive page tables from L3 [Jan Beulich]
  • d50078b: memory: fix compat handling of XENMEM_access_op [Jan Beulich]
  • 42ea059: credit1: fix a race when picking initial pCPU for a vCPU [Dario Faggioli]
  • 9e06b02: x86/32on64: misc adjustments to call gate emulation [Jan Beulich]
  • e824aae: xen: Remove buggy initial placement algorithm [George Dunlap]
  • 2e56416: xen: Have schedulers revise initial placement [George Dunlap]
  • cda8e7e: sched: better handle (not) inserting idle vCPUs in runqueues [Dario Faggioli]
  • 462f714: xen/physmap: Do not permit a guest to populate PoD pages for itself [Andrew Cooper]
  • de1d9ea: page-alloc/x86: don't restrict DMA heap to node 0 [Jan Beulich]
  • 2ad058e: libxl: return any serial tty path in libxl_console_get_tty [Bob Liu]
  • 50a4501: tools/libxc: Properly increment ApicIdCoreSize field on AMD [Boris Ostrovsky]
  • 8ca7cf8: libxenvchan: Change license of header from Lesser GPL v2.1 to BSD [Konrad Rzeszutek Wilk]
  • 9eb11dc: xl: correct xl cpupool-numa-split with vcpu limited dom0 [Juergen Gross]
  • e86a6fb: configure: Fix when no libsystemd compat lib are available [Anthony PERARD]
  • 08313b4: Revert "xen: Have schedulers revise initial placement" [Jan Beulich]
  • 0fc8aab: Revert "xen: Remove buggy initial placement algorithm" [Jan Beulich]
  • c18c145: x86/mmcfg: Fix initalisation of variables in pci_mmcfg_nvidia_mcp55() [Andrew Cooper]
  • 505ad3a: xen: Remove buggy initial placement algorithm [George Dunlap]
  • c421378: xen: Have schedulers revise initial placement [George Dunlap]
  • b1f4e86: nested vmx: Validate host VMX MSRs before accessing them [Euan Harris]
  • cfcdeea: serial: fix incorrect length of strncmp for dtuart [Jiandi An]
  • c4c0312: x86/entry: Avoid SMAP violation in compat_create_bounce_frame() [Andrew Cooper]
  • 467f77d: x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath [Andrew Cooper]
  • eadd663: QEMU_UPSTREAM_REVISION update [Ian Jackson]
  • 818d58d: public: typo: use ' as apostrophe in grant_table.h [Dario Faggioli]
  • 071d2e3: QEMU_TAG update [Ian Jackson]
  • 44a703d: libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU [Wei Liu]
  • 6d27298: libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename [Ian Jackson]
  • 6338746: QEMU_TAG update [Ian Jackson]
  • df9c5c4: libxl: keep PoD target adjustment by memory fudge after reload_domain_config() [Vitaly Kuznetsov]
  • d8ac67e: libxl: Document ~/serial/ correctly [Ian Jackson]
  • 509ae90: libxl: Cleanup: use libxl__backendpath_parse_domid in libxl__device_disk_from_xs_be [Ian Jackson]
  • 3675172: libxl: Cleanup: Have libxl__alloc_vdev use /libxl [Ian Jackson]
  • 8df6d98: libxl: Do not trust backend in channel list [Ian Jackson]
  • 1a75ae1: libxl: Do not trust backend for nic in list [Ian Jackson]
  • 6925b22: libxl: Do not trust backend for nic in devid_to_device [Ian Jackson]
  • 517d1d8: libxl: Do not trust backend in nic getinfo [Ian Jackson]
  • 31be4b9: libxl: Have READ_LIBXLDEV use libxl_path rather than be_path [Ian Jackson]
  • bbbe635: libxl: Rename READ_BACKEND to READ_LIBXLDEV [Ian Jackson]
  • 382ed2f: libxl: Rename libxl__device_{nic,channel}_from_xs_be to _from_xenstore [Ian Jackson]
  • c9b8314: libxl: Do not trust backend for channel in getinfo [Ian Jackson]
  • 3a3c8b2: libxl: Do not trust backend for cdrom insert [Ian Jackson]
  • 2614f9a: libxl: Do not trust backend for disk in getinfo [Ian Jackson]
  • a81a94d: libxl: Do not trust backend for disk; fix driver domain disks list [Ian Jackson]
  • c7e9c4b: libxl: Do not trust backend for disk eject vdev [Ian Jackson]
  • 2388be0: libxl: cdrom eject and insert: write to /libxl [Ian Jackson]
  • 2cd66e8: libxl: Do not trust backend for vtpm in getinfo (uuid) [Ian Jackson]
  • eaf75a3: libxl: Do not trust backend for vtpm in getinfo (except uuid) [Ian Jackson]
  • 840a49a: libxl: Do not trust backend in libxl__device_exists [Ian Jackson]
  • 27874bc: libxl: Make copy of every xs backend in /libxl in _generic_add [Ian Jackson]
  • 6265a6f: libxl: Do not trust frontend for channel in getinfo [Ian Jackson]
  • e08efef: libxl: Do not trust frontend for channel in list [Ian Jackson]
  • 1c44339: libxl: Do not trust frontend for nic in getinfo [Ian Jackson]
  • a848f24: libxl: Do not trust frontend for nic in libxl_devid_to_device_nic [Ian Jackson]
  • ec5591d: libxl: Do not trust frontend for vtpm in getinfo [Ian Jackson]
  • cc0376e: libxl: Do not trust frontend for vtpm list [Ian Jackson]
  • f9d0a2c: libxl: Do not trust frontend for disk in getinfo [Ian Jackson]
  • f058444: libxl: Do not trust frontend for disk eject event [Ian Jackson]
  • 24f5f12: libxl: Do not trust frontend in libxl__device_nextid [Ian Jackson]
  • 16cb1fb: libxl: Do not trust frontend in libxl__devices_destroy [Ian Jackson]
  • 2aef428: libxl: Provide libxl__backendpath_parse_domid [Ian Jackson]
  • 2978e1a: libxl: Record backend/frontend paths in /libxl/$DOMID [Ian Jackson]
  • 8c4b403: xen/arm: Don't free p2m->root in p2m_teardown() before it has been allocated [Andrew Cooper]
  • 524a93d: sched: avoid races on time values read from NOW() [Dario Faggioli]
  • 8549385: x86emul: suppress writeback upon unsuccessful MMX/SSE/AVX insn emulation [Jan Beulich]
  • b1c94bd: xen/nested_p2m: Don't walk EPT tables with a regular PT walker [Andrew Cooper]
  • 644aa81: x86/PoD: skip eager reclaim when possible [Jan Beulich]
  • e5fa482: IOMMU/x86: per-domain control structure is not HVM-specific [Jan Beulich]
  • 8d1e559: x86: use optimal NOPs to fill the SMEP/SMAP placeholders [Jan Beulich]
  • f332597: x86: suppress SMEP and SMAP while running 32-bit PV guest code [Jan Beulich]
  • c790220: x86: move cached CR4 value to struct cpu_info [Jan Beulich]
  • 49fe83a: x86/alternatives: correct near branch check [Jan Beulich]
  • a67e0f1: x86/P2M: consolidate handling of types not requiring a valid MFN [Jan Beulich]
  • ffda547: xen/arm: p2m: Release the p2m lock before undoing the mappings [Julien Grall]
  • d4d3739: xen/arm: p2m: apply_p2m_changes: Do not undo more than necessary [Julien Grall]
  • facf156: libxl: fix old style declarations [Wei Liu]
  • 62e8902: x86/mm: fully honor PS bits in guest page table walks [Jan Beulich]
  • 4065709: xen/arm64: ensure that the correct SP is used for exceptions [Kyle J. Temkin]
  • d19f941: arm: Fix asynchronous aborts (SError exceptions) due to bogus PTEs [Vikram Sethi]
  • c0bb033: xen/arm: Force broadcast of TLB and instruction cache maintenance instructions [Julien Grall]
  • 1334fa9: Update QEMU_UPSTREAM_REVISION [Ian Jackson]
  • 478ad3f: QEMU_TAG update [Ian Jackson]
  • 2c438f8: QEMU_TAG update [Ian Jackson]
  • 2bc9bd9: libxc: fix usage of uninitialized variable [Roger Pau Monne]
  • 350eb39: libxl: handle error from libxl__need_xenpv_qemu() correctly [Juergen Gross]
  • 065b134: x86/shadow: account for ioreq server pages before complaining about not found mapping [Jan Beulich]
  • f9cc40e: x86/time: fix gtime_to_gtsc for vtsc=1 PV guests [Jan Beulich]
  • becb125a: unmodified_drivers: enable use of register_oldmem_pfn_is_ram() API [Mike Meyer]
  • 0aabc28: x86/HVM: fix forwarding of internally cached requests [Jan Beulich]
  • 12acca5: x86/fpu: improve check for XSAVE* not writing FIP/FDP fields [David Vrabel]
  • 9945f62: x86/hvm: add HVM_PARAM_X87_FIP_WIDTH [David Vrabel]
  • 38eee32: x86/fpu: add a per-domain field to set the width of FIP/FDP [David Vrabel]
  • c70ab64: x86: limit GFNs to 32 bits for shadowed superpages. [Tim Deegan]
  • 1f92bdb: x86: fix information leak on AMD CPUs [Jan Beulich]
  • 7eb2fae: update Xen version to 4.5.4-pre [Jan Beulich]
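
The long libxl "Do not trust backend" / "Do not trust frontend" series above, together with "Record backend/frontend paths in /libxl/$DOMID" and "Provide libxl__backendpath_parse_domid", changes where the toolstack learns a device's backend from: the frontend directory is writable by the guest and the backend directory by the (possibly unprivileged) driver domain, so neither can be used to decide which domain a device belongs to. The following added example, written for this page and not libxl code, models xenstore as a dictionary and contrasts the two lookups; the path layout it assumes is the standard PV device convention, and the snapshot, function names and device numbers are constructed.

```python
"""Resolve a PV device's backend domain from the toolstack-private /libxl
record instead of from guest- or backend-writable xenstore nodes.
Constructed example for illustration; not libxl code."""
import re
from typing import Dict

# Assumed xenstore layout (standard PV device convention):
#   frontend dir: /local/domain/<frontdomid>/device/<type>/<devid>          (guest-writable)
#   backend dir:  /local/domain/<backdomid>/backend/<type>/<frontdomid>/<devid>  (backend-domain-writable)
#   libxl record: /libxl/<frontdomid>/device/<type>/<devid>/{frontend,backend}  (dom0 toolstack only)
_BACKEND_PATH = re.compile(r"^/local/domain/(\d+)/backend/([^/]+)/(\d+)/(\d+)$")


def backendpath_parse_domid(path: str) -> int:
    """Recover the backend domid from a backend path; reject anything else."""
    m = _BACKEND_PATH.match(path)
    if m is None:
        raise ValueError(f"not a backend path: {path!r}")
    return int(m.group(1))


def frontend_claimed_backend_domid(xs: Dict[str, str], domid: int,
                                   devtype: str, devid: int) -> int:
    """Pre-fix pattern: take 'backend' from the guest's own frontend directory.
    The guest can rewrite this node, so the result is attacker-controlled."""
    be = xs[f"/local/domain/{domid}/device/{devtype}/{devid}/backend"]
    return backendpath_parse_domid(be)


def trusted_backend_domid(xs: Dict[str, str], domid: int,
                          devtype: str, devid: int) -> int:
    """Post-fix pattern: take the path the toolstack recorded under /libxl
    when the device was added. Only dom0's toolstack writes there."""
    be = xs[f"/libxl/{domid}/device/{devtype}/{devid}/backend"]
    return backendpath_parse_domid(be)


# Constructed snapshot: domain 5 has a vbd whose real backend lives in dom0,
# but the guest has overwritten its frontend 'backend' node to point at itself.
SAMPLE_XS: Dict[str, str] = {
    "/libxl/5/device/vbd/51712/frontend": "/local/domain/5/device/vbd/51712",
    "/libxl/5/device/vbd/51712/backend": "/local/domain/0/backend/vbd/5/51712",
    "/local/domain/5/device/vbd/51712/backend": "/local/domain/5/backend/vbd/5/51712",
    "/local/domain/0/backend/vbd/5/51712/state": "4",
}

if __name__ == "__main__":
    print(frontend_claimed_backend_domid(SAMPLE_XS, 5, "vbd", 51712))  # 5: guest-controlled
    print(trusted_backend_domid(SAMPLE_XS, 5, "vbd", 51712))           # 0: from /libxl
```

A toolstack that used the first lookup would treat domain 5 as the backend of its own disk and, for example, remove or act on paths in the wrong domain; the second lookup returns dom0 regardless of what the guest wrote, which is the point of copying every backend path into /libxl at device-add time.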

In addition, this release also contains the following fixes to qemu-traditional:

  • 28c2138: main loop: Big hammer to fix logfile disk DoS in Xen setups [Ian Jackson]
  • e11b0e3: Fix build with newer version of GNUTLS [Wei Liu]
  • f1cfdc3: rtl8139: check TCP Data Offset field [Stefan Hajnoczi]
  • ebb3779: rtl8139: skip offload on short TCP header [Stefan Hajnoczi]
  • dbc7093: rtl8139: check IP Total Length field [Stefan Hajnoczi]
  • a9e97f6: rtl8139: check IP Header Length field [Stefan Hajnoczi]
  • 354c70a: rtl8139: skip offload on short Ethernet/IP header [Stefan Hajnoczi]
  • e10db6a: rtl8139: drop tautologous if (ip) {...} statement [Stefan Hajnoczi]
  • 6a9ffb9: rtl8139: avoid nested ifs in IP header parsing [Stefan Hajnoczi]
  • 6fe8ced: vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). [Gerd Hoffmann]
  • 4cdbfab: vga: update vga register setup on vbe changes [Gerd Hoffmann]
  • ee152b7: vga: factor out vga register setup [Gerd Hoffmann]
  • 3040124: vga: add vbe_enabled() helper [Gerd Hoffmann]
  • 0c035e0: vga: fix banked access bounds checking (CVE-2016-3710) [Gerd Hoffmann]
  • 6e39ebb: CVE-2014-3615: vbe: rework sanity checks [Andrew Cooper]
  • f37beb1: CVE-2014-7815: vnc: sanitize bits_per_pixel from the client [Andrew Cooper]
  • 1c7a501: CVE-2014-8106: cirrus: fix blit region check [Andrew Cooper]
  • cb6319f: usb-linux.c: fix buffer overflow [Jim Paris]

This release also contains changes to qemu-upstream, whose changelog we do not list here because it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release. You can, however, review them at https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.5.3 and qemu-xen-4.5.5).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA      Xen       qemu-traditional   qemu-upstream
XSA-171  N/A (XSA applies to Linux only)
XSA-172  Applied   N/A                N/A
XSA-173  Applied   N/A                N/A
XSA-174  N/A (XSA applies to Linux only)
XSA-175  Applied   N/A                N/A
XSA-176  Applied   N/A                N/A
XSA-177  N/A (unused XSA number)
XSA-178  Applied   N/A                N/A
XSA-179  N/A       Applied            Applied
XSA-180  N/A       Applied            Applied [1]
XSA-181  Applied   N/A                N/A
XSA-182  Applied   N/A                N/A
XSA-183  Applied   N/A                N/A
XSA-184  N/A       Not applied [2]    Applied
XSA-185  Applied   N/A                N/A
XSA-186  Applied   N/A                N/A
XSA-187  Applied   N/A                N/A
XSA-188  N/A (Xen 4.5 not vulnerable)

[1] Applied only to qemu-xen.git, which is shipped with this release. The fix is not in git.qemu.org/qemu.git.
[2] Not applied to qemu-traditional due to an oversight. The XSA is a minor issue that does not affect default configurations.


See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.5 stable series to update to this latest point release.