Diffstat (limited to 'main/xen/xsa20.patch')
-rw-r--r-- | main/xen/xsa20.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/main/xen/xsa20.patch b/main/xen/xsa20.patch
new file mode 100644
index 000000000..bedd318f6
--- /dev/null
+++ b/main/xen/xsa20.patch
@@ -0,0 +1,38 @@
+VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
+
+The timer action for a vcpu periodic timer is to calculate the next
+expiry time, and to reinsert itself into the timer queue. If the
+deadline ends up in the past, Xen never leaves __do_softirq(). The
+affected PCPU will stay in an infinite loop until Xen is killed by the
+watchdog (if enabled).
+
+This is a security problem, XSA-20 / CVE-2012-4535.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+diff -r 478ba3f146df xen/common/domain.c
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
+ if ( set.period_ns < MILLISECS(1) )
+ return -EINVAL;
+
++ if ( set.period_ns > STIME_DELTA_MAX )
++ return -EINVAL;
++
+ v->periodic_period = set.period_ns;
+ vcpu_force_reschedule(v);
+
+diff -r 478ba3f146df xen/include/xen/time.h
+--- a/xen/include/xen/time.h
++++ b/xen/include/xen/time.h
+@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
+ #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))
+ #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))
+ #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
++/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
++#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
+
+ extern void update_vcpu_system_time(struct vcpu *v);
+ extern void update_domain_wallclock_time(struct domain *d); |
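Review bot: The comment added above `STIME_DELTA_MAX` in xen/include/xen/time.h overstates the safety margin: the constant is 2^62-1 ns, so `NOW() + delta` stays at or below `STIME_MAX` only while NOW() is under about 2^62 ns, which is roughly 146 years of uptime rather than 200. I would reword it to `/* Chosen so (NOW() + delta) won't overflow unless uptime exceeds ~146 years (2^62 ns) */`. The new `set.period_ns > STIME_DELTA_MAX` check bounds only the assignment visible here; do_vcpu_op starts and continues outside the hunk, so whether any other writer of `v->periodic_period` is bounded the same way cannot be confirmed from this page. Because the diffstat is limited to this one file, also confirm that the package's build recipe lists xsa20.patch, otherwise the fix is shipped but never applied.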