xen-devel.lists.xenproject.org archive mirror
* Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
       [not found] <E1TYG2A-0000z4-Uh@xenbits.xen.org>
@ 2012-11-13 13:12 ` Andrew Cooper
  2012-11-16 16:16   ` [PATCH] " Ian Jackson
  0 siblings, 1 reply; 2+ messages in thread
From: Andrew Cooper @ 2012-11-13 13:12 UTC (permalink / raw)
  To: xen-devel; +Cc: Keir Fraser, Jan Beulich

[-- Attachment #1: Type: text/plain, Size: 239 bytes --]

Now this vulnerability has been publicly disclosed, here are 3 further
related bugfixes which are not security problems themselves.

-- 
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com


[-- Attachment #2: validate-timers.patch --]
[-- Type: text/x-patch, Size: 1432 bytes --]

# HG changeset patch
# Parent e0361d2401bbfc454794ad477c4848e6134c5c31
common/timers: Prevent guests timeouts which would overflow timer calculations

None of these have security implications, but will cause the timers to
expire instantly, rather than a long time into the future.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff -r e0361d2401bb xen/common/domain.c
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -896,6 +896,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
         if ( copy_from_guest(&set, arg, 1) )
             return -EFAULT;
 
+        if ( set.timeout_abs_ns > STIME_MAX )
+            return -EINVAL;
+
         if ( (set.flags & VCPU_SSHOTTMR_future) &&
              (set.timeout_abs_ns < NOW()) )
             return -ETIME;
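
Review bot: the new `set.timeout_abs_ns > STIME_MAX` test in do_vcpu_op turns a request that was previously accepted into a hard -EINVAL, and the commit message does not mention this guest-visible change. By the message's own description, the old result was a timer that expired instantly, so a guest passing a very large value to mean "effectively never" used to keep running and will now get an error it may not handle. Consider clamping the value to STIME_MAX so the timer really is far in the future, or at least documenting the new error return for this op. A one-line comment stating that larger values overflow the timer calculations would also help, since nothing in the hunk says why STIME_MAX is the limit.
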
diff -r e0361d2401bb xen/common/schedule.c
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -739,6 +739,9 @@ static long do_poll(struct sched_poll *s
     if ( sched_poll->nr_ports > 128 )
         return -EINVAL;
 
+    if ( sched_poll->timeout > STIME_MAX )
+        return -EINVAL;
+
     if ( !guest_handle_okay(sched_poll->ports, sched_poll->nr_ports) )
         return -EFAULT;
 
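
Review bot: in do_poll the bound is STIME_MAX, while the domain_watchdog hunk in the same file uses STIME_DELTA_MAX, and neither the code nor the commit message says why the two limits differ. If `sched_poll->timeout` is an absolute time, like `timeout_abs_ns` in the do_vcpu_op hunk, a short comment saying so would justify the choice; if it is a relative interval, STIME_DELTA_MAX looks like the limit that was meant. As with the do_vcpu_op check, returning -EINVAL here is a new guest-visible failure and deserves a mention in the commit message.
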
@@ -829,6 +832,9 @@ static long domain_watchdog(struct domai
     if ( id > NR_DOMAIN_WATCHDOG_TIMERS )
         return -EINVAL;
 
+    if ( SECONDS(timeout) > STIME_DELTA_MAX )
+        return -EINVAL;
+
     spin_lock(&d->watchdog_lock);
 
     if ( id == 0 )
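
Review bot: in domain_watchdog the test is made on the already-converted value, `SECONDS(timeout) > STIME_DELTA_MAX`, so it is only sound if the conversion itself cannot wrap or go negative for any guest-supplied timeout. The definition of SECONDS() and the type of `timeout` are outside this hunk, so please confirm both: if the product can wrap, a large timeout would pass the test, and if the product can never exceed STIME_DELTA_MAX the test is dead code. Comparing the raw `timeout` against STIME_DELTA_MAX converted down to seconds would avoid depending on the multiplication at all.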

[-- Attachment #3: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel


* [PATCH] Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
  2012-11-13 13:12 ` Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes Andrew Cooper
@ 2012-11-16 16:16   ` Ian Jackson
  0 siblings, 0 replies; 2+ messages in thread
From: Ian Jackson @ 2012-11-16 16:16 UTC (permalink / raw)
  To: Andrew Cooper; +Cc: Keir Fraser, Jan Beulich, xen-devel

Andrew Cooper writes ("Re: [Xen-devel] Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes"):
> Now this vulnerability has been publicly disclosed, here are 3 further
> related bugfixes which are not security problems themselves.

This seems to have been dropped.  I have added [PATCH] to the Subject.

Ian.

> common/timers: Prevent guests timeouts which would overflow timer calculations
> 
> None of these have security implications, but will cause the timers to
> expire instantly, rather than a long time into the future.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> diff -r e0361d2401bb xen/common/domain.c
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -896,6 +896,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
>          if ( copy_from_guest(&set, arg, 1) )
>              return -EFAULT;
>  
> +        if ( set.timeout_abs_ns > STIME_MAX )
> +            return -EINVAL;
> +
>          if ( (set.flags & VCPU_SSHOTTMR_future) &&
>               (set.timeout_abs_ns < NOW()) )
>              return -ETIME;
> diff -r e0361d2401bb xen/common/schedule.c
> --- a/xen/common/schedule.c
> +++ b/xen/common/schedule.c
> @@ -739,6 +739,9 @@ static long do_poll(struct sched_poll *s
>      if ( sched_poll->nr_ports > 128 )
>          return -EINVAL;
>  
> +    if ( sched_poll->timeout > STIME_MAX )
> +        return -EINVAL;
> +
>      if ( !guest_handle_okay(sched_poll->ports, sched_poll->nr_ports) )
>          return -EFAULT;
>  
> @@ -829,6 +832,9 @@ static long domain_watchdog(struct domai
>      if ( id > NR_DOMAIN_WATCHDOG_TIMERS )
>          return -EINVAL;
>  
> +    if ( SECONDS(timeout) > STIME_DELTA_MAX )
> +        return -EINVAL;
> +
>      spin_lock(&d->watchdog_lock);
>  
>      if ( id == 0 )
> 