1 files changed, 50 insertions, 0 deletions

diff --git a/main/xen/xsa56.patch b/main/xen/xsa56.patch
new file mode 100644
index 0000000000..1368ac3514
--- /dev/null
+++ b/main/xen/xsa56.patch
@@ -0,0 +1,50 @@
+libxc: limit cpu values when setting vcpu affinity
+
+When support for pinning more than 64 cpus was added, check for cpu
+out-of-range values was removed. This can lead to subsequent
+out-of-bounds cpumap array accesses in case the cpu number is higher
+than the actual count.
+
+This patch returns the check.
+
+This is CVE-2013-2072 / XSA-56
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index e220f68..e611b24 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
++++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+     int vcpu = 0, i;
+     xc_cpumap_t cpumap;
+     PyObject *cpulist = NULL;
++    int nr_cpus;
+ 
+     static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+ 
+@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+                                       &dom, &vcpu, &cpulist) )
+         return NULL;
+ 
++    nr_cpus = xc_get_max_cpus(self->xc_handle);
++    if ( nr_cpus == 0 )
++        return pyxc_error_to_exception(self->xc_handle);
++
+     cpumap = xc_cpumap_alloc(self->xc_handle);
+     if(cpumap == NULL)
+         return pyxc_error_to_exception(self->xc_handle);
+@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+         for ( i = 0; i < PyList_Size(cpulist); i++ ) 
+         {
+             long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
++            if ( cpu < 0 || cpu >= nr_cpus )
++            {
++                free(cpumap);
++                errno = EINVAL;
++                PyErr_SetFromErrno(xc_error_obj);
++                return NULL;
++            }
+             cpumap[cpu / 8] |= 1 << (cpu % 8);
+         }
+     }