1 files changed, 38 insertions, 0 deletions

diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch
new file mode 100644
index 0000000000..bedd318f65
--- /dev/null
+++ b/main/xen/xsa20.patch
@@ -0,0 +1,38 @@
+VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
+
+The timer action for a vcpu periodic timer is to calculate the next
+expiry time, and to reinsert itself into the timer queue.  If the
+deadline ends up in the past, Xen never leaves __do_softirq().  The
+affected PCPU will stay in an infinite loop until Xen is killed by the
+watchdog (if enabled).
+
+This is a security problem, XSA-20 / CVE-2012-4535.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+diff -r 478ba3f146df xen/common/domain.c
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
+         if ( set.period_ns < MILLISECS(1) )
+             return -EINVAL;
+ 
++        if ( set.period_ns > STIME_DELTA_MAX )
++            return -EINVAL;
++
+         v->periodic_period = set.period_ns;
+         vcpu_force_reschedule(v);
+ 
+diff -r 478ba3f146df xen/include/xen/time.h
+--- a/xen/include/xen/time.h
++++ b/xen/include/xen/time.h
+@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
+ #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
+ #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
+ #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
+ 
+ extern void update_vcpu_system_time(struct vcpu *v);
+ extern void update_domain_wallclock_time(struct domain *d);