[xen/f17] xend toolstack doesn't check bounds for VCPU affinity [XSA-56, CVE-2013-2072]
myoung
myoung at fedoraproject.org
Fri May 17 21:28:40 UTC 2013
commit 9491b5b18748af384742c8904e080e64439f64e6
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Fri May 17 22:26:53 2013 +0100
xend toolstack doesn't check bounds for VCPU affinity [XSA-56, CVE-2013-2072]
xen.spec | 8 +++++++-
xsa56.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+), 1 deletions(-)
---
diff --git a/xen.spec b/xen.spec
index d92c63e..2f7ef73 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.1.5
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -81,6 +81,7 @@ Patch65: xsa45-4.1-06-unpin-preemptible.patch
Patch66: xsa45-4.1-07-mm-error-paths-preemptible.patch
Patch67: xsa49-4.1.patch
Patch68: xen.pygrubtitlefix.patch
+Patch69: xsa56.patch
Patch100: xen-configure-xend.patch
@@ -248,6 +249,7 @@ manage Xen virtual machines.
%patch66 -p1
%patch67 -p1
%patch68 -p1
+%patch69 -p1
%patch100 -p1
@@ -706,6 +708,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Fri May 17 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.5-4
+- xend toolstack doesn't check bounds for VCPU affinity
+ [XSA-56, CVE-2013-2072] (#964241)
+
* Wed May 15 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.5-3
- xen-devel should require libuuid-devel (#962833)
- pygrub menu items can include too much text (#958524)
diff --git a/xsa56.patch b/xsa56.patch
new file mode 100644
index 0000000..1368ac3
--- /dev/null
+++ b/xsa56.patch
@@ -0,0 +1,50 @@
+libxc: limit cpu values when setting vcpu affinity
+
+When support for pinning more than 64 cpus was added, check for cpu
+out-of-range values was removed. This can lead to subsequent
+out-of-bounds cpumap array accesses in case the cpu number is higher
+than the actual count.
+
+This patch returns the check.
+
+This is CVE-2013-2072 / XSA-56
+
+Signed-off-by: Petr Matousek <pmatouse at redhat.com>
+
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index e220f68..e611b24 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
++++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+ int vcpu = 0, i;
+ xc_cpumap_t cpumap;
+ PyObject *cpulist = NULL;
++ int nr_cpus;
+
+ static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+
+@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+ &dom, &vcpu, &cpulist) )
+ return NULL;
+
++ nr_cpus = xc_get_max_cpus(self->xc_handle);
++ if ( nr_cpus == 0 )
++ return pyxc_error_to_exception(self->xc_handle);
++
+ cpumap = xc_cpumap_alloc(self->xc_handle);
+ if(cpumap == NULL)
+ return pyxc_error_to_exception(self->xc_handle);
+@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+ for ( i = 0; i < PyList_Size(cpulist); i++ )
+ {
+ long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
++ if ( cpu < 0 || cpu >= nr_cpus )
++ {
++ free(cpumap);
++ errno = EINVAL;
++ PyErr_SetFromErrno(xc_error_obj);
++ return NULL;
++ }
+ cpumap[cpu / 8] |= 1 << (cpu % 8);
+ }
+ }
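Review bot: The new check in the loop, `cpu >= nr_cpus`, protects the write to `cpumap[cpu / 8]` only if `xc_cpumap_alloc()` sizes the map for at least `nr_cpus` bits, and nothing in the visible lines ties the bound to the allocation. The allocator is outside this patch, so presumably it derives its size from the same `xc_get_max_cpus()` value; a comment above the check such as `/* cpumap holds nr_cpus bits (see xc_cpumap_alloc); reject anything outside it */` would record that invariant. Separately, `PyInt_AsLong()` returns -1 with a Python exception already set when a list element is not an integer, and the `cpu < 0` branch then replaces that exception with EINVAL. Testing `if ( cpu == -1 && PyErr_Occurred() ) { free(cpumap); return NULL; }` before the range check would keep the original type error for the caller. The body of `pyxc_vcpu_setaffinity` starts and ends outside the three inner hunks, so the handling of a non-list `cpumap` argument is not visible here.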