[xen/f17] xend toolstack doesn't check bounds for VCPU affinity [XSA-56, CVE-2013-2072]

myoung myoung at fedoraproject.org
Fri May 17 21:28:40 UTC 2013


commit 9491b5b18748af384742c8904e080e64439f64e6
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Fri May 17 22:26:53 2013 +0100

    xend toolstack doesn't check bounds for VCPU affinity [XSA-56, CVE-2013-2072]

 xen.spec    |    8 +++++++-
 xsa56.patch |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index d92c63e..2f7ef73 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -81,6 +81,7 @@ Patch65: xsa45-4.1-06-unpin-preemptible.patch
 Patch66: xsa45-4.1-07-mm-error-paths-preemptible.patch
 Patch67: xsa49-4.1.patch
 Patch68: xen.pygrubtitlefix.patch
+Patch69: xsa56.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -248,6 +249,7 @@ manage Xen virtual machines.
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
+%patch69 -p1
 
 %patch100 -p1
 
@@ -706,6 +708,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri May 17 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.5-4
+- xend toolstack doesn't check bounds for VCPU affinity
+  [XSA-56, CVE-2013-2072] (#964241)
+
 * Wed May 15 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.5-3
 - xen-devel should require libuuid-devel (#962833)
 - pygrub menu items can include too much text (#958524)
diff --git a/xsa56.patch b/xsa56.patch
new file mode 100644
index 0000000..1368ac3
--- /dev/null
+++ b/xsa56.patch
@@ -0,0 +1,50 @@
+libxc: limit cpu values when setting vcpu affinity
+
+When support for pinning more than 64 cpus was added, check for cpu
+out-of-range values was removed. This can lead to subsequent
+out-of-bounds cpumap array accesses in case the cpu number is higher
+than the actual count.
+
+This patch returns the check.
+
+This is CVE-2013-2072 / XSA-56
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index e220f68..e611b24 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
++++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+     int vcpu = 0, i;
+     xc_cpumap_t cpumap;
+     PyObject *cpulist = NULL;
++    int nr_cpus;
+ 
+     static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+ 
+@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+                                       &dom, &vcpu, &cpulist) )
+         return NULL;
+ 
++    nr_cpus = xc_get_max_cpus(self->xc_handle);
++    if ( nr_cpus == 0 )
++        return pyxc_error_to_exception(self->xc_handle);
++
+     cpumap = xc_cpumap_alloc(self->xc_handle);
+     if(cpumap == NULL)
+         return pyxc_error_to_exception(self->xc_handle);
+@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+         for ( i = 0; i < PyList_Size(cpulist); i++ ) 
+         {
+             long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
++            if ( cpu < 0 || cpu >= nr_cpus )
++            {
++                free(cpumap);
++                errno = EINVAL;
++                PyErr_SetFromErrno(xc_error_obj);
++                return NULL;
++            }
+             cpumap[cpu / 8] |= 1 << (cpu % 8);
+         }
+     }
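Review bot: The added range check `cpu < 0 || cpu >= nr_cpus` in the cpulist loop also catches the -1 that `PyInt_AsLong` returns when a list item is not an integer, so a conversion failure is reported as EINVAL in place of the exception the conversion left pending. Testing `if ( cpu == -1 && PyErr_Occurred() ) { free(cpumap); return NULL; }` before the range check would keep the original error visible to the caller. The check is sound only if `xc_cpumap_alloc` sizes the map from the same CPU count that `xc_get_max_cpus` returns, which this hunk does not show. A one-line comment above the check such as `/* cpumap holds nr_cpus bits; reject any index outside it */` would record that invariant. The body of pyxc_vcpu_setaffinity starts and ends outside the hunks shown.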

