author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 07:56:07 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-20 09:20:03 +0000 |
commit | 13e7303be19a003b85e73795409e1bcb7bfa9666 (patch) | |
tree | 789cf9d5d2d7bebdeba5ac3b1af3d0500bd67d67 | |
parent | dd895219bdebd021153245cf40a0ba3c3da7e07c (diff) | |
main/xen: security fix (CVE-2013-2072)
ref #1900
fixes #1903
-rw-r--r-- | main/xen/APKBUILD | 4 | ||||
-rw-r--r-- | main/xen/xsa56.patch | 50 |
2 files changed, 53 insertions, 1 deletions
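--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.1.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 busybox-sed.patch
 xsa33-4.1.patch
 xsa41.patch
+xsa56.patch
 
 xenstored.initd
 xenstored.confd
@@ -125,6 +126,7 @@ fa06495a175571f4aa3b6cb88937953e librt.patch
 1bea3543ddc712330527b62fd9ff6520 busybox-sed.patch
 25ba4efc5eee29daa12855fbadce84f8 xsa33-4.1.patch
 ce56f00762139cd611dfc3332b7571cf xsa41.patch
+e70b9128ffc2175cea314a533a7d8457 xsa56.patch
 6e5739dad7e2bd1b625e55ddc6c782b7 xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
 ed262f15fb880badb53575539468646c xenconsoled.initd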
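Review bot: The new `xsa56.patch` entry in the checksum list is pinned only by a 32-hex-digit digest, which looks like MD5, and this is the file that carries the CVE-2013-2072 fix. MD5 does not resist deliberate collisions, so it catches accidental corruption but is weak as a tamper check; the same holds for the upstream tarball, which the second hunk header shows is fetched over plain `http://`. If the build tool in use accepts a stronger digest list, add one alongside, e.g. `sha512sums="<sha512-of-xsa56.patch>  xsa56.patch"` (placeholder value). The checksum list starts and ends outside this hunk.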
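--- /dev/null
+++ b/main/xen/xsa56.patch
@@ -0,0 +1,50 @@
+libxc: limit cpu values when setting vcpu affinity
+
+When support for pinning more than 64 cpus was added, check for cpu
+out-of-range values was removed. This can lead to subsequent
+out-of-bounds cpumap array accesses in case the cpu number is higher
+than the actual count.
+
+This patch returns the check.
+
+This is CVE-2013-2072 / XSA-56
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index e220f68..e611b24 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
++++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+int vcpu = 0, i;
+xc_cpumap_t cpumap;
+PyObject *cpulist = NULL;
++ int nr_cpus;
+
+static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+
+@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+&dom, &vcpu, &cpulist) )
+return NULL;
+
++ nr_cpus = xc_get_max_cpus(self->xc_handle);
++ if ( nr_cpus == 0 )
++ return pyxc_error_to_exception(self->xc_handle);
++
+cpumap = xc_cpumap_alloc(self->xc_handle);
+if(cpumap == NULL)
+return pyxc_error_to_exception(self->xc_handle);
+@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+for ( i = 0; i < PyList_Size(cpulist); i++ )
+{
+long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
++ if ( cpu < 0 || cpu >= nr_cpus )
++ {
++ free(cpumap);
++ errno = EINVAL;
++ PyErr_SetFromErrno(xc_error_obj);
++ return NULL;
++ }
+cpumap[cpu / 8] |= 1 << (cpu % 8);
+}
+}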
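Review bot: In the added range check inside the `for` loop, a list element that is not an integer makes `PyInt_AsLong()` return -1 with a Python exception already set, and the new `cpu < 0` branch then overwrites that exception with `EINVAL` through `PyErr_SetFromErrno()`. The out-of-bounds write is still blocked, which is the security-relevant part, but the caller loses the real cause; consider `if ( cpu == -1 && PyErr_Occurred() ) { free(cpumap); return NULL; }` ahead of the range test. The bound is only sound if `xc_cpumap_alloc()` sizes the map from the same CPU count that `xc_get_max_cpus()` returns, which is not visible here, so a one-line comment stating that invariant above the check would help, e.g. `/* cpumap holds nr_cpus bits; reject anything outside it */`. `pyxc_vcpu_setaffinity` starts and ends outside the quoted hunks.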