blob: bedd318f658cef27f663c4c559a671794714b412 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
The timer action for a vcpu periodic timer is to calculate the next
expiry time, and to reinsert itself into the timer queue. If the
deadline ends up in the past, Xen never leaves __do_softirq(). The
affected PCPU will stay in an infinite loop until Xen is killed by the
watchdog (if enabled).
This is a security problem, XSA-20 / CVE-2012-4535.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
diff -r 478ba3f146df xen/common/domain.c
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
if ( set.period_ns < MILLISECS(1) )
return -EINVAL;
+ if ( set.period_ns > STIME_DELTA_MAX )
+ return -EINVAL;
+
v->periodic_period = set.period_ns;
vcpu_force_reschedule(v);
diff -r 478ba3f146df xen/include/xen/time.h
--- a/xen/include/xen/time.h
+++ b/xen/include/xen/time.h
@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
#define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
#define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
#define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
extern void update_vcpu_system_time(struct vcpu *v);
extern void update_domain_wallclock_time(struct domain *d);
|
