From: Andrew Cooper <andrew.cooper3@citrix.com>
To: xen-devel@lists.xen.org
Cc: Keir Fraser <keir@xen.org>, Jan Beulich <jbeulich@suse.com>
Subject: Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
Date: Tue, 13 Nov 2012 13:12:55 +0000
Message-ID: <50A24757.30402@citrix.com>
In-Reply-To: <E1TYG2A-0000z4-Uh@xenbits.xen.org>
[-- Attachment #1: Type: text/plain, Size: 239 bytes --]
Now this vulnerability has been publicly disclosed, here are 3 further
related bugfixes which are not security problems themselves.
--
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com
[-- Attachment #2: validate-timers.patch --]
[-- Type: text/x-patch, Size: 1432 bytes --]
# HG changeset patch
# Parent e0361d2401bbfc454794ad477c4848e6134c5c31
common/timers: Prevent guest timeouts which would overflow timer calculations
None of these have security implications, but will cause the timers to
expire instantly, rather than a long time into the future.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
diff -r e0361d2401bb xen/common/domain.c
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -896,6 +896,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
if ( copy_from_guest(&set, arg, 1) )
return -EFAULT;
+ if ( set.timeout_abs_ns > STIME_MAX )
+ return -EINVAL;
+
if ( (set.flags & VCPU_SSHOTTMR_future) &&
(set.timeout_abs_ns < NOW()) )
return -ETIME;
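Review bot: The new `set.timeout_abs_ns > STIME_MAX` test in do_vcpu_op() turns values that were previously accepted into -EINVAL, which is a guest-visible change in behaviour and is not documented anywhere in this hunk. A guest that passes a very large absolute time to mean "effectively never" would now get an error instead of a timer. Consider whether clamping to STIME_MAX is the safer choice than rejecting, and either way add a one-line comment above the check saying why STIME_MAX is the bound and note the new error return in the interface description for this operation. The placement ahead of the VCPU_SSHOTTMR_future comparison is right, since that comparison against NOW() is one of the calculations the out-of-range value would upset.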
diff -r e0361d2401bb xen/common/schedule.c
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -739,6 +739,9 @@ static long do_poll(struct sched_poll *s
if ( sched_poll->nr_ports > 128 )
return -EINVAL;
+ if ( sched_poll->timeout > STIME_MAX )
+ return -EINVAL;
+
if ( !guest_handle_okay(sched_poll->ports, sched_poll->nr_ports) )
return -EFAULT;
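Review bot: The `sched_poll->timeout > STIME_MAX` check in do_poll() is the same range test as the one added in domain.c, written out a second time with no comment. A small shared helper or macro for "guest-supplied absolute time fits in the signed system time type" would keep the two call sites from drifting apart and gives one place to document the bound. As with the other site, -EINVAL is a new failure mode for callers that pass an oversized value to mean an unbounded wait, so the commit message should say whether any existing guests are known to do that.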
@@ -829,6 +832,9 @@ static long domain_watchdog(struct domai
if ( id > NR_DOMAIN_WATCHDOG_TIMERS )
return -EINVAL;
+ if ( SECONDS(timeout) > STIME_DELTA_MAX )
+ return -EINVAL;
+
spin_lock(&d->watchdog_lock);
if ( id == 0 )
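Review bot: In domain_watchdog(), `SECONDS(timeout) > STIME_DELTA_MAX` scales the guest value before comparing it, so the guard is only sound if that scaling cannot itself wrap for the type of `timeout`, and neither the type nor the macro is visible in this hunk. If wrapping is possible, compare the unscaled `timeout` against the limit divided down to seconds instead. This site also uses STIME_DELTA_MAX where the other two checks in the patch use STIME_MAX; a short comment explaining that this is a relative interval rather than an absolute time would make the difference clearly intentional.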