Andrew Cooper
2012-Nov-13 13:12 UTC
Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
Now this vulnerability has been publicly disclosed, here are 3 further related bugfixes which are not security problems themselves. -- Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer T: +44 (0)1223 225 900, http://www.citrix.com _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Ian Jackson
2012-Nov-16 16:16 UTC
[PATCH] Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
Andrew Cooper writes ("Re: [Xen-devel] Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes"):> Now this vulnerability has been publicly disclosed, here are 3 further > related bugfixes which are not security problems themselves.This seems to have been dropped. I have added [PATCH] to the Subject. Ian.> common/timers: Prevent guests timeouts which would overflow timer calculations > > None of these have security implications, but will cause the timers to > expire instantly, rather than a long time into the future. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> > > diff -r e0361d2401bb xen/common/domain.c > --- a/xen/common/domain.c > +++ b/xen/common/domain.c > @@ -896,6 +896,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN > if ( copy_from_guest(&set, arg, 1) ) > return -EFAULT; > > + if ( set.timeout_abs_ns > STIME_MAX ) > + return -EINVAL; > + > if ( (set.flags & VCPU_SSHOTTMR_future) && > (set.timeout_abs_ns < NOW()) ) > return -ETIME; > diff -r e0361d2401bb xen/common/schedule.c > --- a/xen/common/schedule.c > +++ b/xen/common/schedule.c > @@ -739,6 +739,9 @@ static long do_poll(struct sched_poll *s > if ( sched_poll->nr_ports > 128 ) > return -EINVAL; > > + if ( sched_poll->timeout > STIME_MAX ) > + return -EINVAL; > + > if ( !guest_handle_okay(sched_poll->ports, sched_poll->nr_ports) ) > return -EFAULT; > > @@ -829,6 +832,9 @@ static long domain_watchdog(struct domai > if ( id > NR_DOMAIN_WATCHDOG_TIMERS ) > return -EINVAL; > > + if ( SECONDS(timeout) > STIME_DELTA_MAX ) > + return -EINVAL; > + > spin_lock(&d->watchdog_lock); > > if ( id == 0 ) > > ---------------------------------------------------------------------- > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel