main/xen: security fix (CVE-2013-2072)

ref #1900 fixes #1903
author: Natanael Copa <ncopa@alpinelinux.org> 2013-05-20 07:56:07 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-05-20 09:20:03 +0000
commit: 13e7303be19a003b85e73795409e1bcb7bfa9666 (patch)
tree: 789cf9d5d2d7bebdeba5ac3b1af3d0500bd67d67
parent: dd895219bdebd021153245cf40a0ba3c3da7e07c (diff)
download: alpine_aports-13e7303be19a003b85e73795409e1bcb7bfa9666.tar.bz2
alpine_aports-13e7303be19a003b85e73795409e1bcb7bfa9666.tar.xz
alpine_aports-13e7303be19a003b85e73795409e1bcb7bfa9666.zip
2 files changed, 53 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index dbeee605ce..04510e4196 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.1.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
        busybox-sed.patch
        xsa33-4.1.patch
        xsa41.patch
+        xsa56.patch
        xenstored.initd
        xenstored.confd
@@ -125,6 +126,7 @@ fa06495a175571f4aa3b6cb88937953e  librt.patch
 1bea3543ddc712330527b62fd9ff6520  busybox-sed.patch
 25ba4efc5eee29daa12855fbadce84f8  xsa33-4.1.patch
 ce56f00762139cd611dfc3332b7571cf  xsa41.patch
+e70b9128ffc2175cea314a533a7d8457  xsa56.patch
 6e5739dad7e2bd1b625e55ddc6c782b7  xenstored.initd
 b017ccdd5e1c27bbf1513e3569d4ff07  xenstored.confd
 ed262f15fb880badb53575539468646c  xenconsoled.initd
diff --git a/main/xen/xsa56.patch b/main/xen/xsa56.patch
new file mode 100644
index 0000000000..1368ac3514
--- /dev/null
+++ b/main/xen/xsa56.patch
@@ -0,0 +1,50 @@
+libxc: limit cpu values when setting vcpu affinity
+When support for pinning more than 64 cpus was added, check for cpu
+out-of-range values was removed. This can lead to subsequent
+out-of-bounds cpumap array accesses in case the cpu number is higher
+than the actual count.
+This patch returns the check.
+This is CVE-2013-2072 / XSA-56
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index e220f68..e611b24 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+     int vcpu = 0, i;
+     xc_cpumap_t cpumap;
+     PyObject *cpulist = NULL;
+    int nr_cpus;
+ 
+     static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+ 
+@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+                                       &dom, &vcpu, &cpulist) )
+         return NULL;
+ 
+    nr_cpus = xc_get_max_cpus(self->xc_handle);
+    if ( nr_cpus == 0 )
+        return pyxc_error_to_exception(self->xc_handle);
+
+     cpumap = xc_cpumap_alloc(self->xc_handle);
+     if(cpumap == NULL)
+         return pyxc_error_to_exception(self->xc_handle);
+@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+         for ( i = 0; i < PyList_Size(cpulist); i++ ) 
+         {
+             long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
+            if ( cpu < 0 || cpu >= nr_cpus )
+            {
+                free(cpumap);
+                errno = EINVAL;
+                PyErr_SetFromErrno(xc_error_obj);
+                return NULL;
+            }
+             cpumap[cpu / 8] |= 1 << (cpu % 8);
+         }
+     }
author	Natanael Copa <ncopa@alpinelinux.org>	2013-05-20 07:56:07 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-05-20 09:20:03 +0000
commit	13e7303be19a003b85e73795409e1bcb7bfa9666 (patch)
tree	789cf9d5d2d7bebdeba5ac3b1af3d0500bd67d67
parent	dd895219bdebd021153245cf40a0ba3c3da7e07c (diff)
download	alpine_aports-13e7303be19a003b85e73795409e1bcb7bfa9666.tar.bz2 alpine_aports-13e7303be19a003b85e73795409e1bcb7bfa9666.tar.xz alpine_aports-13e7303be19a003b85e73795409e1bcb7bfa9666.zip

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index dbeee605ce..04510e4196 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
3	# Maintainer: William Pitcock <nenolod@dereferenced.org>	3	# Maintainer: William Pitcock <nenolod@dereferenced.org>
4	pkgname=xen	4	pkgname=xen
5	pkgver=4.1.4	5	pkgver=4.1.4
6	pkgrel=2	6	pkgrel=3
7	pkgdesc="Xen hypervisor"	7	pkgdesc="Xen hypervisor"
8	url="http://www.xen.org/"	8	url="http://www.xen.org/"
9	arch="x86 x86_64"	9	arch="x86 x86_64"
@@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
24	busybox-sed.patch	24	busybox-sed.patch
25	xsa33-4.1.patch	25	xsa33-4.1.patch
26	xsa41.patch	26	xsa41.patch
		27	xsa56.patch
27		28
28	xenstored.initd	29	xenstored.initd
29	xenstored.confd	30	xenstored.confd
@@ -125,6 +126,7 @@ fa06495a175571f4aa3b6cb88937953e librt.patch
125	1bea3543ddc712330527b62fd9ff6520 busybox-sed.patch	126	1bea3543ddc712330527b62fd9ff6520 busybox-sed.patch
126	25ba4efc5eee29daa12855fbadce84f8 xsa33-4.1.patch	127	25ba4efc5eee29daa12855fbadce84f8 xsa33-4.1.patch
127	ce56f00762139cd611dfc3332b7571cf xsa41.patch	128	ce56f00762139cd611dfc3332b7571cf xsa41.patch
		129	e70b9128ffc2175cea314a533a7d8457 xsa56.patch
128	6e5739dad7e2bd1b625e55ddc6c782b7 xenstored.initd	130	6e5739dad7e2bd1b625e55ddc6c782b7 xenstored.initd
129	b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd	131	b017ccdd5e1c27bbf1513e3569d4ff07 xenstored.confd
130	ed262f15fb880badb53575539468646c xenconsoled.initd	132	ed262f15fb880badb53575539468646c xenconsoled.initd


diff --git a/main/xen/xsa56.patch b/main/xen/xsa56.patch new file mode 100644 index 0000000000..1368ac3514 --- /dev/null +++ b/main/xen/xsa56.patch
@@ -0,0 +1,50 @@
		1	libxc: limit cpu values when setting vcpu affinity
		2
		3	When support for pinning more than 64 cpus was added, check for cpu
		4	out-of-range values was removed. This can lead to subsequent
		5	out-of-bounds cpumap array accesses in case the cpu number is higher
		6	than the actual count.
		7
		8	This patch returns the check.
		9
		10	This is CVE-2013-2072 / XSA-56
		11
		12	Signed-off-by: Petr Matousek <pmatouse@redhat.com>
		13
		14	diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
		15	index e220f68..e611b24 100644
		16	--- a/tools/python/xen/lowlevel/xc/xc.c
		17	+++ b/tools/python/xen/lowlevel/xc/xc.c
		18	@@ -228,6 +228,7 @@ static PyObject pyxc_vcpu_setaffinity(XcObject self,
		19	int vcpu = 0, i;
		20	xc_cpumap_t cpumap;
		21	PyObject *cpulist = NULL;
		22	+ int nr_cpus;
		23
		24	static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
		25
		26	@@ -235,6 +236,10 @@ static PyObject pyxc_vcpu_setaffinity(XcObject self,
		27	&dom, &vcpu, &cpulist) )
		28	return NULL;
		29
		30	+ nr_cpus = xc_get_max_cpus(self->xc_handle);
		31	+ if ( nr_cpus == 0 )
		32	+ return pyxc_error_to_exception(self->xc_handle);
		33	+
		34	cpumap = xc_cpumap_alloc(self->xc_handle);
		35	if(cpumap == NULL)
		36	return pyxc_error_to_exception(self->xc_handle);
		37	@@ -244,6 +249,13 @@ static PyObject pyxc_vcpu_setaffinity(XcObject self,
		38	for ( i = 0; i < PyList_Size(cpulist); i++ )
		39	{
		40	long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
		41	+ if ( cpu < 0 \|\| cpu >= nr_cpus )
		42	+ {
		43	+ free(cpumap);
		44	+ errno = EINVAL;
		45	+ PyErr_SetFromErrno(xc_error_obj);
		46	+ return NULL;
		47	+ }
		48	cpumap[cpu / 8] \|= 1 << (cpu % 8);
		49	}
		50	}