From: Andrew Cooper
Subject: Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
Date: Tue, 13 Nov 2012 13:12:55 +0000
Message-ID: <50A24757.30402@citrix.com>
To: xen-devel@lists.xen.org
Cc: Keir Fraser, Jan Beulich
List-Id: xen-devel@lists.xenproject.org

Now that this vulnerability has been publicly disclosed, here are 3 further related bugfixes which are not security problems themselves.

-- 
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com

[Attachment: validate-timers.patch]

# HG changeset patch
# Parent e0361d2401bbfc454794ad477c4848e6134c5c31
common/timers: Prevent guest timeouts which would overflow timer calculations

None of these have security implications, but will cause the timers to expire instantly, rather than a long time into the future.

Signed-off-by: Andrew Cooper

diff -r e0361d2401bb xen/common/domain.c
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -896,6 +896,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN if ( copy_from_guest(&set, arg, 1) ) return -EFAULT; + if ( set.timeout_abs_ns > STIME_MAX ) return -EINVAL; + if ( (set.flags & VCPU_SSHOTTMR_future) && (set.timeout_abs_ns < NOW()) ) return -ETIME;
diff -r e0361d2401bb xen/common/schedule.c
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -739,6 +739,9 @@ static long do_poll(struct sched_poll *s if ( sched_poll->nr_ports > 128 ) return -EINVAL; + if ( sched_poll->timeout > STIME_MAX ) return -EINVAL; + if ( !guest_handle_okay(sched_poll->ports, sched_poll->nr_ports) ) return -EFAULT;
@@ -829,6 +832,9 @@ static long domain_watchdog(struct domai if ( id > NR_DOMAIN_WATCHDOG_TIMERS ) return -EINVAL; + if ( SECONDS(timeout) > STIME_DELTA_MAX ) return -EINVAL; + spin_lock(&d->watchdog_lock); if ( id == 0 )
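Review bot: the new `set.timeout_abs_ns > STIME_MAX` check in the do_vcpu_op hunk (xen/common/domain.c) turns a deadline that was previously accepted into an -EINVAL failure, but nothing in the patch updates the public description of VCPUOP_set_singleshot_timer, which today only documents the -ETIME case shown in the context lines; please add the new -EINVAL return there. Putting the bound check ahead of the `VCPU_SSHOTTMR_future` comparison against `NOW()` is the right order, since timeout_abs_ns is a uint64_t in the public ABI and the check guarantees it fits in the signed s_time_t range before that mixed-sign `set.timeout_abs_ns < NOW()` comparison is made; a one-line comment above the `+` line saying so would save the next reader working that out.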
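Review bot: in the do_poll hunk (xen/common/schedule.c) the `sched_poll->timeout > STIME_MAX` check is placed between the nr_ports check and `guest_handle_okay()`, which is fine for ordering, but the commit message says out-of-range values "will cause the timers to expire instantly" while this hunk makes SCHEDOP_poll fail outright instead; that is a guest-visible ABI change and should be called out in the commit message and in the public sched.h description of the timeout field (a zero timeout is unaffected by the new check). This is also the second of three call sites that each repeat the same bound; consider clamping or rejecting once inside set_timer() rather than at every caller, so a fourth caller cannot forget the check.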
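Review bot: the `SECONDS(timeout) > STIME_DELTA_MAX` check in the domain_watchdog hunk (xen/common/schedule.c) cannot fire as written: `timeout` is the uint32_t from struct sched_watchdog, so SECONDS(timeout) is at most UINT32_MAX * 1e9, about 4.29e18 ns, while STIME_DELTA_MAX is 2^62 - 1, about 4.61e18 ns, and the multiplication inside SECONDS() cannot overflow s_time_t either. Either drop the hunk, or if the intent is to bound the `NOW() + SECONDS(timeout)` passed to set_timer() further down, check that sum against STIME_MAX (or have set_timer() clamp) rather than the delta alone. Checking before `spin_lock(&d->watchdog_lock)` is correct, since the test depends only on the argument.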