Patches fail - why ?


Patches fail - why ?

Jan Vejvalka
Hi *,

- I downloaded Xen 4.10.1 source from
  https://xenproject.org/downloads/xen-archives/xen-project-410-series/xen-4101/371-xen-4101/file.html
- downloaded xsa-263 patches from
  http://xenbits.xen.org/xsa/xsa263-4.10/*.patch
- try to patch the source with patch --verbose -p1
- get rejects, e.g.

(...)
|Subject: [PATCH] x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once
(...)
Hunk #1 succeeded at 81.
Hunk #2 succeeded at 121 (offset -1 lines).
Hunk #3 FAILED at 133.
Hunk #4 succeeded at 178 (offset -37 lines).
Hunk #5 succeeded at 210 (offset -37 lines).
Hunk #6 succeeded at 295 (offset -37 lines).

What is it that I am doing wrong ?

Thanks,

Jan

_______________________________________________
Xen-users mailing list
[hidden email]
https://lists.xenproject.org/mailman/listinfo/xen-users

Re: Patches fail - why ?

Mark Pryor
Hello,

take the patches from git, stable-4.10
$git checkout stable-4.10
$git log --oneline RELEASE-4.10.1..c2b84e7cc4dca

that commit is the last of the XSA-263 patchset, but note that none of the XSA-263 patches identify as an XSA in their description.

I believe that command will give 35 lines. Then you can use `git format-patch` to export all.

PryMar56



On Sunday, June 3, 2018, 11:29:06 PM PDT, Jan Vejvalka <[hidden email]> wrote:

Re: Patches fail - why ?

Jan Vejvalka
Thank you, Mark -

- my question, however, remains: what do I do/assume wrong when I'm
getting errors applying the official (?) patch set (XSA-263) on the
official (?) source package (4.10.1).

Thanks, Jan


On 04.06.2018 18:29, Mark Pryor wrote:

Re: Patches fail - why ?

George Dunlap
On Tue, Jun 5, 2018 at 8:20 AM, Jan Vejvalka
<[hidden email]> wrote:
> Thank you, Mark -
>
> - my question, however, remains: what do I do/assume wrong when I'm
> getting errors applying the official (?) patch set (XSA-263) on the
> official (?) source package (4.10.1).

Because the official patch isn't aimed at being applied on top of the
tarball; it's aimed at being applied to the staging branch, to make
sure that 4.10.2 is fixed properly.

Fundamentally there are many different "pseudo-branches" to which a
patch might or might not apply:
1. The plain 4.10.1 release tarball
2. The 4.10.1 release tarball + all previous XSAs
3. The 4.10.1 release tarball + all previous XSAs + some set of fixes
backported from the staging branch
4. The staging-4.10 branch, which will eventually become 4.10.2

In this case, it sounds like you're doing #1; I *think* if you do #2
then the patch will apply in this case. But in the general case, a
patch may only apply to one of those branches.

A patch for #4 will always have to be done no matter what; so no
matter how many patches per release we generate, we'll always have to
prepare that one.

Every time a patch is ported it takes extra effort for the security
team -- we already release 6 versions of the security patch (4.6 -
4.10 + master).  If we created separate patches for #2 (and #1),
then every single XSA patch would require 18 versions; and many XSAs
contain several patches.  That's just not sustainable.

I see where you're coming from -- I also maintain the CentOS packages
and have to deal with the delta between the published patch and my
package as well.  It's a difficult issue that we're still wrestling
with.

 -George


Re: Patches fail - why ?

George Dunlap
On Tue, Jun 5, 2018 at 10:54 AM, George Dunlap <[hidden email]> wrote:

> On Tue, Jun 5, 2018 at 8:20 AM, Jan Vejvalka
> <[hidden email]> wrote:
>> Thank you, Mark -
>>
>> - my question, however, remains: what do I do/assume wrong when I'm
>> getting errors applying the official (?) patch set (XSA-263) on the
>> official (?) source package (4.10.1).
>
> Because the official patch isn't aimed at being applied on top of the
> tarball; it's aimed at being applied to the staging branch, to make
> sure that 4.10.2 is fixed properly.

BTW, along with the "official" patch comes an "official" json file
telling you exactly where we applied the patch.  If you look at
xsa263.meta, inside 'Recipes', you'll see this stanza:

    "4.10": {
      "Recipes": {
        "xen": {
          "StableRef": "a0355180b660b149f8054b9facdd9cac8ec86a95",
          "Prereqs": [],
          "Patches": [
            "xsa263-4.10/*.patch"
          ]
        }
      }
    },

This means that for 4.10, take xen.git commit hash
a0355180b660b149f8054b9facdd9cac8ec86a95 (which is from the stable
branch around the time of the public release), and run "git am
xsa263-4.10/*.patch" to get an up-to-date tree.

 -George

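George's recipe (check out the StableRef commit, then `git am` the patch glob) can be read mechanically from the .meta file. What follows is an added example, not code from this thread or from the Xen project's own tooling: it parses a constructed excerpt modelled on the xsa263.meta stanza quoted above (the "4.10" values are the ones quoted; the "4.9" entry, its all-zero StableRef and the "xsaNNN" prerequisite are placeholders added only to exercise the Prereqs path), derives the command sequence the recipe describes, and checks whether a tree's HEAD is really the StableRef the recipe was written against, which an unpacked release tarball never is.

```python
"""Read an XSA .meta recipe and derive the apply sequence it describes.

Added example, not from the thread or the Xen project.  SAMPLE_META is a
constructed excerpt modelled on the quoted xsa263.meta stanza: the "4.10"
recipe copies the quoted values, the "4.9" entry is a placeholder sample
(zero StableRef, "xsaNNN" prerequisite) present only to exercise Prereqs.
"""
import json

SAMPLE_META = r'''{
  "Recipes": {
    "4.10": {
      "Recipes": {
        "xen": {
          "StableRef": "a0355180b660b149f8054b9facdd9cac8ec86a95",
          "Prereqs": [],
          "Patches": ["xsa263-4.10/*.patch"]
        }
      }
    },
    "4.9": {
      "Recipes": {
        "xen": {
          "StableRef": "0000000000000000000000000000000000000000",
          "Prereqs": ["xsaNNN"],
          "Patches": ["xsa263-4.9/*.patch"]
        }
      }
    }
  }
}'''


def load_recipe(meta_text, version, tree="xen"):
    """Return the recipe for one release branch and one source tree.

    Raises KeyError when the .meta has no recipe for that version/tree,
    i.e. the advisory publishes no patch for it.
    """
    meta = json.loads(meta_text)
    recipe = meta["Recipes"][version]["Recipes"][tree]
    return {
        "version": version,
        "tree": tree,
        "stable_ref": recipe["StableRef"],
        "prereqs": list(recipe.get("Prereqs", [])),
        "patches": list(recipe.get("Patches", [])),
    }


def head_matches_stable_ref(head_sha, recipe):
    """True when a tree's HEAD is the commit the recipe was written against.

    Accepts an abbreviated hash of at least 12 hex digits.  A release
    tarball carries no git metadata, so there is nothing to match: that is
    the situation the thread runs into.
    """
    head_sha = head_sha.strip().lower()
    if len(head_sha) < 12 or any(c not in "0123456789abcdef" for c in head_sha):
        return False
    return recipe["stable_ref"].startswith(head_sha)


def plan_commands(recipe, branch_prefix="xsa263"):
    """Command strings reproducing what the recipe describes: start a branch
    at StableRef, satisfy Prereqs, then `git am` each patch glob."""
    cmds = ["git checkout -b %s-%s %s"
            % (branch_prefix, recipe["version"], recipe["stable_ref"])]
    for xsa in recipe["prereqs"]:
        # A prerequisite is another advisory with its own .meta; its patches
        # must already be in the tree before these will apply cleanly.
        cmds.append("# apply %s for %s first (see %s.meta)"
                    % (xsa, recipe["version"], xsa))
    for pattern in recipe["patches"]:
        cmds.append("git am %s" % pattern)
    return cmds


if __name__ == "__main__":
    r = load_recipe(SAMPLE_META, "4.10")
    print("\n".join(plan_commands(r)))
```

Run stand-alone it prints the two commands for 4.10. The HEAD check is the test a packager wants before `git am`: feed it `git rev-parse HEAD` from the tree in hand, and a mismatch means the tree is one of the other pseudo-branches George lists, so rejected hunks are expected rather than a sign of a corrupt download.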

Re: Patches fail - why ?

Jan Vejvalka
Thank you, George -

> Because the official patch isn't aimed at being applied on top of the
> tarball; it's aimed at being applied to the staging branch, to make
> sure that 4.10.2 is fixed properly.

Does it mean that patches are published against a not-yet-released
release ?

> Fundamentally there are many different "pseudo-branches" to which a
> patch might or might not apply:
> 1. The plain 4.10.1 release tarball
> 2. The 4.10.1 release tarball + all previous XSAs
> 3. The 4.10.1 release tarball + all previous XSAs + some set of fixes
> backported from the staging branch
> 4. The staging-4.10 branch, which will eventually become 4.10.2
>
> In this case, it sounds like you're doing #1; I *think* if you do #2
> then the patch will apply in this case. But in the general case, a
> patch may only apply to one of those branches.

I'm doing #2, as this makes most sense to me.

> A patch for #4 will always have to be done no matter what; so no
> matter how many patches per release we generate, we'll always have to
> prepare that one.

That's clear.

> Every time a patch is ported it takes extra effort for the security
> team -- we already release 6 versions of the security patch (4.6 -
> 4.10 + master).  If we created separate patches for #2 (and #1),
> then every single XSA patch would require 18 versions; and many XSAs
> contain several patches.  That's just not sustainable.

I can see the trouble (I think).
On the other hand, I can't see the point in separate (out of git)
publishing of XSA patches other than #2 (vs. the stable, officially
patched release): #1 is out of consideration, #4 is in the git anyway
and #3 implies that the stable branch is never frozen by a release
(and always has to be taken from git - therefore the patches can stay
there as well, perhaps with some alert that a new version of the stable
branch has to be built for security reasons).
What is it that I miss ?

> I see where you're coming from -- I also maintain the CentOS packages
> and have to deal with the delta between the published patch and my
> package as well.  It's a difficult issue that we're still wrestling
> with.

No - I don't maintain anything, I want to rely on the official source
package. That's why I am asking.

Thanks again,

Jan
