Commit 9e709edc authored by Natanael Copa's avatar Natanael Copa
Browse files

main/xen: security fix (CVE-2013-2072)

ref #1900
fixes #1901
parent 5d522a99
......@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.2.1
pkgrel=10
pkgrel=11
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
......@@ -32,6 +32,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa48-4.2.patch
xsa44-4.2.patch
xsa46-4.2.patch
xsa56.patch
xenstored.initd
xenstored.confd
......@@ -160,6 +161,7 @@ c05bb12fc5b6aa64cd23f2ad623c539a xsa47-4.2-unstable.patch
b3e3a57d189a4f86c9766eaf3b5207f4 xsa48-4.2.patch
85239ba26395b05502ceee5eec968ea7 xsa44-4.2.patch
b955534323681fa461f86c69e4acec75 xsa46-4.2.patch
e70b9128ffc2175cea314a533a7d8457 xsa56.patch
95d8af17bf844d41a015ff32aae51ba1 xenstored.initd
b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
ed262f15fb880badb53575539468646c xenconsoled.initd
......@@ -188,6 +190,7 @@ c29b59492f9d7e3f74bfc41877a2c5cff70436d3738fd91066f396f969aab0a7 xsa47-4.2-unst
dc23077028584e71a08dd0dc9e81552c76744a5ce9d39df5958a95ae9cf3107b xsa48-4.2.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch
822da2303f1fc69648d7a29eb72fdda8e64baab3edc0e1548456d31e66ed1d7c xsa46-4.2.patch
a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d xsa56.patch
81d335946c81311c86e2f2112b773a568a5a530c0db9802b2fe559e71bb8b381 xenstored.initd
ea9171e71ab3d33061979bcf3bb737156192aa4b0be4d1234438ced75b6fdef3 xenstored.confd
93bea2eb90ea1b4628854c8141dd351bbd1fbc5959b12795447ea933ad025f01 xenconsoled.initd
......@@ -216,6 +219,7 @@ aac646828703eb1f4cf9a94a29eec4901c7fcc37e86e06f60530bee40259bd789d1749d844b341ae
31dd8c62d41cc0a01a79d9b24a5b793f5e2058230808d9c5364c6ff3477ab02f3258f1bbd761d97dc1b97ee120b41524b999eaac77f33b606496fc324b5fa2e4 xsa48-4.2.patch
cfcf8d1af07032bfd3ff9c7a76a8f7d8c6f8b3b084712a494c3ca7624d9a03cbb7cad723b5a1dbc2a99e18a7046c221fae743c8dc42ba09b463f02fd069254d9 xsa44-4.2.patch
35ed4d580d219e977ee1085c223563f51ccd9ce3675df2660d10d99c366a2fe2446269c98ac9dbf57c37de83340f4b0868d0eb3c5d898be4c0fc80357f6ed780 xsa46-4.2.patch
26a1c2cc92ddd4c1ab6712b0e41a0135d0e76a7fe3a14b651fb0235e352e5a24077414371acccb93058b7ce4d882b667386811170ba74570c53165837bcd983d xsa56.patch
792b062e8a16a2efd3cb4662d379d1500527f2a7ca9228d7831c2bd34f3b9141df949153ea05463a7758c3e3dd9a4182492ad5505fa38e298ecf8c99db77b4ee xenstored.initd
100cf4112f401f45c1e4e885a5074698c484b40521262f6268fad286498e95f4c51e746f0e94eb43a590bb8e813a397bb53801ccacebec9541020799d8d70514 xenstored.confd
12f981b2459c65d66e67ec0b32d0d19b95a029bc54c2a79138cfe488d3524a22e51860f755abfe25ddcdaf1b27f2ded59b6e350b9d5f8791193d00e2d3673137 xenconsoled.initd
......
libxc: limit cpu values when setting vcpu affinity
When support for pinning more than 64 cpus was added, check for cpu
out-of-range values was removed. This can lead to subsequent
out-of-bounds cpumap array accesses in case the cpu number is higher
than the actual count.
This patch returns the check.
This is CVE-2013-2072 / XSA-56
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
index e220f68..e611b24 100644
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
int vcpu = 0, i;
xc_cpumap_t cpumap;
PyObject *cpulist = NULL;
+ int nr_cpus;
static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
&dom, &vcpu, &cpulist) )
return NULL;
+ nr_cpus = xc_get_max_cpus(self->xc_handle);
+ if ( nr_cpus == 0 )
+ return pyxc_error_to_exception(self->xc_handle);
+
cpumap = xc_cpumap_alloc(self->xc_handle);
if(cpumap == NULL)
return pyxc_error_to_exception(self->xc_handle);
@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
for ( i = 0; i < PyList_Size(cpulist); i++ )
{
long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
+ if ( cpu < 0 || cpu >= nr_cpus )
+ {
+ free(cpumap);
+ errno = EINVAL;
+ PyErr_SetFromErrno(xc_error_obj);
+ return NULL;
+ }
cpumap[cpu / 8] |= 1 << (cpu % 8);
}
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment