Commit 1652f88a authored by Henrik Riomar, committed by Milan P. Stanić

main/xen: fix XSA-324

This is CVE-2020-29484
parent 7fbdd0be
......@@ -202,6 +202,7 @@ options="!strip"
# - CVE-2020-29480 XSA-115
# - CVE-2020-29481 XSA-322
# - CVE-2020-29482 XSA-323
# - CVE-2020-29484 XSA-324
case "$CARCH" in
x86*)
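Review bot: nothing in the shown hunks bumps pkgrel, yet this commit adds a new patch to the build; confirm the bump is elsewhere in the commit so that an already-built xen package is rebuilt with the XSA-324 fix rather than being considered up to date. The new entry itself is consistent with the patch header below (XSA-324 is CVE-2020-29484) and follows the existing `# - CVE-... XSA-...` line format, so the secfixes list stays machine-readable.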
......@@ -291,6 +292,8 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xsa323.patch
xsa324.patch
xenstored.initd
xenstored.confd
xenconsoled.initd
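Review bot: the rendered view has lost the `+` marker on the `xsa324.patch` line, so it reads as if unchanged; the header (`-291,6 +292,8`) shows two lines were added here, so check that the second one (not visible in this rendering) is also intentional. Keeping `xsa324.patch` directly after `xsa323.patch` matches the order used in the sha512sums hunk, which is what keeps `abuild checksum` diffs readable on future XSA updates.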
......@@ -558,6 +561,7 @@ d0ec105a6538bbe6b11ffcbe0620e20f8bfbf4bd14be4f3167d58a7b81e5db7b4be978ba7ec38091
7dfef0e914dd69796d0f51ab62501fc1f554d3c8c13c4fa3b4647fecda1c73c074a7a25d0685293c92d085ce42f466cdc438b37a07d9c704026c0554a5dac9e6 xsa322-o.patch
301729f80fd4ea60f2d55a0da3122d97aad11e8fd49e4526e2ddcc37a61fe958a4054c3e6ca3442511f7f1ce33300d1e1b5f53272deb126832de03011c5f57a3 xsa322-4.14-c.patch
a8fd66720a73f8c5af413a47188bc73481ead8c9fcdf2d51accdaa5cbaeb211480d990fa93f0e8376a237031683bd050963a44ccb5737a73bb2a804be489a9a9 xsa323.patch
7cbb488c29d3772d01a40d261c9a1cee6363d99f0182b904153a4ab7a0cb369f8e2d20788acedc45852bbdd8882a74e54f4565775bfe8cae4cb58558823c1d0d xsa324.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
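Review bot: the new `xsa324.patch` checksum is 128 hex characters, so it is a well-formed sha512 entry, but a hand-pasted hash is easy to get wrong; regenerate it with `abuild checksum` against the file committed below and confirm that file is byte-identical to the patch published with the XSA-324 advisory (the advisory ships a signed patch, and verifying that signature before recording the checksum is what makes this line meaningful).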
......
From: Juergen Gross <jgross@suse.com>
Subject: tools/xenstore: drop watch event messages exceeding maximum size
By setting a watch with a very large tag it is possible to trick
xenstored to send watch event messages exceeding the maximum allowed
payload size. This might in turn lead to a crash of xenstored as the
resulting error can cause dereferencing a NULL pointer in case there
is no active request being handled by the guest the watch event is
being sent to.
Fix that by just dropping such watch events. Additionally modify the
error handling to test the pointer to be not NULL before dereferencing
it.
This is XSA-324.
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Julien Grall <jgrall@amazon.com>
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 33f95dcf3c..3d74dbbb40 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -674,6 +674,9 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
/* Replies reuse the request buffer, events need a new one. */
if (type != XS_WATCH_EVENT) {
bdata = conn->in;
+ /* Drop asynchronous responses, e.g. errors for watch events. */
+ if (!bdata)
+ return;
bdata->inhdr = true;
bdata->used = 0;
conn->in = NULL;
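Review bot: the early `return` on `!bdata` turns the NULL dereference into a silently dropped response, which is the intended behaviour for the error replies described in the patch description, but it applies to every non-`XS_WATCH_EVENT` call that reaches `send_reply` with `conn->in == NULL`, not only those errors. The placement is right (the watch-event branch allocates its own buffer and is not affected), and returning before `conn->in = NULL` is harmless since it is already NULL; consider emitting a trace line before the `return` so a dropped response is visible when debugging a guest that appears to get no answer.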
diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c
index 71c108ea99..9ff20690c0 100644
--- a/tools/xenstore/xenstored_watch.c
+++ b/tools/xenstore/xenstored_watch.c
@@ -92,6 +92,10 @@ static void add_event(struct connection *conn,
}
len = strlen(name) + 1 + strlen(watch->token) + 1;
+ /* Don't try to send over-long events. */
+ if (len > XENSTORE_PAYLOAD_MAX)
+ return;
+
data = talloc_array(ctx, char, len);
if (!data)
return;
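Review bot: the check uses `>`, so an event whose `name`, `token` and two terminators total exactly `XENSTORE_PAYLOAD_MAX` bytes is still sent, which matches the "exceeding" wording in the description; worth a comment since the off-by-one is easy to misread. Note also that `len` depends on `name`, which for a watch on a parent path can be any longer child path, so a bound on the token at registration time would not replace this per-event check; the two guards are complementary, and this one is the one that must stay. Dropping the event without notifying the guest is acceptable here because only the guest's own over-long token can trigger it.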