[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Fri, 16 Nov 2012 16:16:17 +0000
Cc: Keir Fraser <keir@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxx
Delivery-date: Fri, 16 Nov 2012 16:16:34 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Andrew Cooper writes ("Re: [Xen-devel] Xen Security Advisory 20 (CVE-2012-4535) 
- Timer overflow DoS vulnerability - Further bugfixes"):
> Now this vulnerability has been publicly disclosed, here are 3 further
> related bugfixes which are not security problems themselves.

This seems to have been dropped.  I have added [PATCH] to the Subject.

Ian.

> common/timers: Prevent guests timeouts which would overflow timer calculations
> 
> None of these have security implications, but will cause the timers to
> expire instantly, rather than a long time into the future.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> 
> diff -r e0361d2401bb xen/common/domain.c
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -896,6 +896,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
>          if ( copy_from_guest(&set, arg, 1) )
>              return -EFAULT;
>  
> +        if ( set.timeout_abs_ns > STIME_MAX )
> +            return -EINVAL;
> +
>          if ( (set.flags & VCPU_SSHOTTMR_future) &&
>               (set.timeout_abs_ns < NOW()) )
>              return -ETIME;
> diff -r e0361d2401bb xen/common/schedule.c
> --- a/xen/common/schedule.c
> +++ b/xen/common/schedule.c
> @@ -739,6 +739,9 @@ static long do_poll(struct sched_poll *s
>      if ( sched_poll->nr_ports > 128 )
>          return -EINVAL;
>  
> +    if ( sched_poll->timeout > STIME_MAX )
> +        return -EINVAL;
> +
>      if ( !guest_handle_okay(sched_poll->ports, sched_poll->nr_ports) )
>          return -EFAULT;
>  
> @@ -829,6 +832,9 @@ static long domain_watchdog(struct domai
>      if ( id > NR_DOMAIN_WATCHDOG_TIMERS )
>          return -EINVAL;
>  
> +    if ( SECONDS(timeout) > STIME_DELTA_MAX )
> +        return -EINVAL;
> +
>      spin_lock(&d->watchdog_lock);
>  
>      if ( id == 0 )
> 
> ----------------------------------------------------------------------
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability
  - From: Xen . org security team
- Re: [Xen-devel] Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH 09/14] xen: events: Remove redundant check on unsigned variable
Next by Date: Re: [Xen-devel] [PATCH] qemu-stubdom: prevent useless medium change
Previous by thread: Re: [Xen-devel] Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
Next by thread: [Xen-devel] Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.