author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 07:56:07 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 09:20:03 +0000 |
commit | 13e7303be19a003b85e73795409e1bcb7bfa9666 (patch) | |
tree | 789cf9d5d2d7bebdeba5ac3b1af3d0500bd67d67 | |
parent | dd895219bdebd021153245cf40a0ba3c3da7e07c (diff) | |
main/xen: security fix (CVE-2013-2072)
-rw-r--r-- | main/xen/APKBUILD | 4 | ||||
-rw-r--r-- | main/xen/xsa56.patch | 50 |
2 files changed, 53 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index dbeee605c..04510e419 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.1.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 busybox-sed.patch
 xsa33-4.1.patch
 xsa41.patch
+ xsa56.patch
 xenstored.initd
 xenstored.confd
@@ -125,6 +126,7 @@ fa06495a175571f4aa3b6cb88937953e librt.patch
 1bea3543ddc712330527b62fd9ff6520 busybox-sed.patch
 25ba4efc5eee29daa12855fbadce84f8 xsa33-4.1.patch
 ce56f00762139cd611dfc3332b7571cf xsa41.patch
+e70b9128ffc2175cea314a533a7d8457 xsa56.patch
 6e5739dad7e2bd1b625e55ddc6c782b7 xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
 ed262f15fb880badb53575539468646c xenconsoled.initd
diff --git a/main/xen/xsa56.patch b/main/xen/xsa56.patch
new file mode 100644
index 000000000..1368ac351
--- /dev/null
+++ b/main/xen/xsa56.patch
@@ -0,0 +1,50 @@
+libxc: limit cpu values when setting vcpu affinity
+
+When support for pinning more than 64 cpus was added, check for cpu
+out-of-range values was removed. This can lead to subsequent
+out-of-bounds cpumap array accesses in case the cpu number is higher
+than the actual count.
+
+This patch returns the check.
+
+This is CVE-2013-2072 / XSA-56
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index e220f68..e611b24 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
++++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+ int vcpu = 0, i;
+ xc_cpumap_t cpumap;
+ PyObject *cpulist = NULL;
++ int nr_cpus;
+
+ static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+
+@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+ &dom, &vcpu, &cpulist) )
+ return NULL;
+
++ nr_cpus = xc_get_max_cpus(self->xc_handle);
++ if ( nr_cpus == 0 )
++ return pyxc_error_to_exception(self->xc_handle);
++
+ cpumap = xc_cpumap_alloc(self->xc_handle);
+ if(cpumap == NULL)
+ return pyxc_error_to_exception(self->xc_handle);
+@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+ for ( i = 0; i < PyList_Size(cpulist); i++ )
+ {
+ long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
++ if ( cpu < 0 || cpu >= nr_cpus )
++ {
++ free(cpumap);
++ errno = EINVAL;
++ PyErr_SetFromErrno(xc_error_obj);
++ return NULL;
++ }
+ cpumap[cpu / 8] |= 1 << (cpu % 8);
+ }
+ }
 |
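Review bot: In the third hunk of the embedded xc.c patch, a list element that is not an integer makes `PyInt_AsLong` return -1 with a Python exception already set, and the new `cpu < 0` branch then replaces that exception with EINVAL through `PyErr_SetFromErrno`. Consider testing for the conversion failure first, `if ( cpu == -1 && PyErr_Occurred() ) { free(cpumap); return NULL; }`, so callers see the type error instead of a generic errno. The range check is only sound if `nr_cpus` is the same count that `xc_cpumap_alloc` sizes the map from, which is not visible here; a comment such as `/* bound must match the cpu count xc_cpumap_alloc() allocates for */` above the check would record that dependency. The body of pyxc_vcpu_setaffinity starts and ends outside these hunks.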