diff options
Diffstat (limited to 'main/xen/xsa56.patch')
| -rw-r--r-- | main/xen/xsa56.patch | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/main/xen/xsa56.patch b/main/xen/xsa56.patch deleted file mode 100644 index 1368ac3514..0000000000 --- a/main/xen/xsa56.patch +++ /dev/null @@ -1,50 +0,0 @@ -libxc: limit cpu values when setting vcpu affinity - -When support for pinning more than 64 cpus was added, check for cpu -out-of-range values was removed. This can lead to subsequent -out-of-bounds cpumap array accesses in case the cpu number is higher -than the actual count. - -This patch returns the check. - -This is CVE-2013-2072 / XSA-56 - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> - -diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c -index e220f68..e611b24 100644 ---- a/tools/python/xen/lowlevel/xc/xc.c -+++ b/tools/python/xen/lowlevel/xc/xc.c -@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, - int vcpu = 0, i; - xc_cpumap_t cpumap; - PyObject *cpulist = NULL; -+ int nr_cpus; - - static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL }; - -@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, - &dom, &vcpu, &cpulist) ) - return NULL; - -+ nr_cpus = xc_get_max_cpus(self->xc_handle); -+ if ( nr_cpus == 0 ) -+ return pyxc_error_to_exception(self->xc_handle); -+ - cpumap = xc_cpumap_alloc(self->xc_handle); - if(cpumap == NULL) - return pyxc_error_to_exception(self->xc_handle); -@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, - for ( i = 0; i < PyList_Size(cpulist); i++ ) - { - long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i)); -+ if ( cpu < 0 || cpu >= nr_cpus ) -+ { -+ free(cpumap); -+ errno = EINVAL; -+ PyErr_SetFromErrno(xc_error_obj); -+ return NULL; -+ } - cpumap[cpu / 8] |= 1 << (cpu % 8); - } - } |