1 files changed, 26 insertions, 0 deletions

diff --git a/main/xen/xsa24.patch b/main/xen/xsa24.patch
new file mode 100644
index 000000000..e46f513a7
--- /dev/null
+++ b/main/xen/xsa24.patch
@@ -0,0 +1,26 @@
+compat/gnttab: Prevent infinite loop in compat code
+
+c/s 20281:95ea2052b41b, which introduces Grant Table version 2
+hypercalls introduces a vulnerability whereby the compat hypercall
+handler can fall into an infinite loop.
+
+If the watchdog is enabled, Xen will die after the timeout.
+
+This is a security problem, XSA-24 / CVE-2012-4539.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r bac883cf805a xen/common/compat/grant_table.c
+--- a/xen/common/compat/grant_table.c
++++ b/xen/common/compat/grant_table.c
+@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
+ #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
+                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
+                     rc = -EFAULT;
++                else
++                    i = 1;
+             }
+             break;
+         }