diff options
Diffstat (limited to 'main/xen/xsa56.patch')
-rw-r--r-- | main/xen/xsa56.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/main/xen/xsa56.patch b/main/xen/xsa56.patch new file mode 100644 index 0000000000..1368ac3514 --- /dev/null +++ b/main/xen/xsa56.patch @@ -0,0 +1,50 @@ +libxc: limit cpu values when setting vcpu affinity + +When support for pinning more than 64 cpus was added, check for cpu +out-of-range values was removed. This can lead to subsequent +out-of-bounds cpumap array accesses in case the cpu number is higher +than the actual count. + +This patch returns the check. + +This is CVE-2013-2072 / XSA-56 + +Signed-off-by: Petr Matousek <pmatouse@redhat.com> + +diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c +index e220f68..e611b24 100644 +--- a/tools/python/xen/lowlevel/xc/xc.c ++++ b/tools/python/xen/lowlevel/xc/xc.c +@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, + int vcpu = 0, i; + xc_cpumap_t cpumap; + PyObject *cpulist = NULL; ++ int nr_cpus; + + static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL }; + +@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, + &dom, &vcpu, &cpulist) ) + return NULL; + ++ nr_cpus = xc_get_max_cpus(self->xc_handle); ++ if ( nr_cpus == 0 ) ++ return pyxc_error_to_exception(self->xc_handle); ++ + cpumap = xc_cpumap_alloc(self->xc_handle); + if(cpumap == NULL) + return pyxc_error_to_exception(self->xc_handle); +@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, + for ( i = 0; i < PyList_Size(cpulist); i++ ) + { + long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i)); ++ if ( cpu < 0 || cpu >= nr_cpus ) ++ { ++ free(cpumap); ++ errno = EINVAL; ++ PyErr_SetFromErrno(xc_error_obj); ++ return NULL; ++ } + cpumap[cpu / 8] |= 1 << (cpu % 8); + } + } |