Andrew Cooper
2012-Nov-13 13:12 UTC
Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
Now this vulnerability has been publicly disclosed, here are 3 further related bugfixes which are not security problems themselves.
--
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Ian Jackson
2012-Nov-16 16:16 UTC
[PATCH] Re: Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes
Andrew Cooper writes ("Re: [Xen-devel] Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability - Further bugfixes"):
> Now this vulnerability has been publicly disclosed, here are 3 further
> related bugfixes which are not security problems themselves.
This seems to have been dropped. I have added [PATCH] to the Subject.
Ian.
> common/timers: Prevent guests timeouts which would overflow timer calculations
>
> None of these have security implications, but will cause the timers to
> expire instantly, rather than a long time into the future.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
> diff -r e0361d2401bb xen/common/domain.c
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -896,6 +896,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
> if ( copy_from_guest(&set, arg, 1) )
> return -EFAULT;
>
> + if ( set.timeout_abs_ns > STIME_MAX )
> + return -EINVAL;
> +
> if ( (set.flags & VCPU_SSHOTTMR_future) &&
> (set.timeout_abs_ns < NOW()) )
> return -ETIME;
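Review bot: The new `set.timeout_abs_ns > STIME_MAX` check in do_vcpu_op() has no comment saying why an absolute timeout above STIME_MAX is rejected, and it turns a call the guest could previously make into -EINVAL. Please add a one-line comment above the check (per the commit message, such a value overflows the timer calculation and the timer expires instantly), and mention the new -EINVAL return wherever this timer operation's guest interface is documented. Placing the check ahead of the VCPU_SSHOTTMR_future / NOW() comparison looks right, since that comparison also reads the unvalidated value.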
> diff -r e0361d2401bb xen/common/schedule.c
> --- a/xen/common/schedule.c
> +++ b/xen/common/schedule.c
> @@ -739,6 +739,9 @@ static long do_poll(struct sched_poll *s
> if ( sched_poll->nr_ports > 128 )
> return -EINVAL;
>
> + if ( sched_poll->timeout > STIME_MAX )
> + return -EINVAL;
> +
> if ( !guest_handle_okay(sched_poll->ports, sched_poll->nr_ports)
)
> return -EFAULT;
>
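Review bot: In do_poll(), `sched_poll->timeout > STIME_MAX` returns the same -EINVAL as the `nr_ports > 128` check just above it, so a guest cannot tell which argument was refused, and a guest that passes a very large timeout to mean "wait as long as possible" now gets an error instead of a sleep. Consider whether clamping the timeout to STIME_MAX would serve such callers better than rejecting it; if rejection is intended, say so in a comment and in the commit message, which currently only describes the old instant-expiry behaviour.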
> @@ -829,6 +832,9 @@ static long domain_watchdog(struct domai
> if ( id > NR_DOMAIN_WATCHDOG_TIMERS )
> return -EINVAL;
>
> + if ( SECONDS(timeout) > STIME_DELTA_MAX )
> + return -EINVAL;
> +
> spin_lock(&d->watchdog_lock);
>
> if ( id == 0 )
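Review bot: In domain_watchdog(), `SECONDS(timeout) > STIME_DELTA_MAX` scales the guest value before comparing it, so the check only holds if SECONDS(timeout) itself cannot wrap; the declaration of timeout is outside this hunk, so that is not evident here. Comparing in seconds instead, for example `timeout > STIME_DELTA_MAX / SECONDS(1)`, avoids relying on the width of the intermediate. A short comment on why this site bounds against STIME_DELTA_MAX while the other two hunks use STIME_MAX would also help.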
>