xen/CVE-2012-4539-xsa24.patch

References: CVE-2012-4539 XSA-24 bnc#786520

compat/gnttab: Prevent infinite loop in compat code

c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.

If the watchdog is enabled, Xen will die after the timeout.

This is a security problem, XSA-24 / CVE-2012-4539.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

Index: xen-4.2.0-testing/xen/common/compat/grant_table.c
===================================================================
--- xen-4.2.0-testing.orig/xen/common/compat/grant_table.c
+++ xen-4.2.0-testing/xen/common/compat/grant_table.c
@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
 #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
                     rc = -EFAULT;
+                else
+                    i = 1;
             }
             break;
         }
- bnc#777628 - guest "disappears" after live migration Updated block-dmmd script - fate#310510 - fix xenpaging restore changes to integrate paging into xm/xend xenpaging.autostart.patch xenpaging.doc.patch - bnc#787163 - VUL-0: CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - VUL-0: CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - VUL-0: CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - VUL-0: CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - VUL-0: CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - VUL-0: CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - VUL-0: CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=212 2012-11-19 13:58:33 +00:00			`References: CVE-2012-4539 XSA-24 bnc#786520`

			`compat/gnttab: Prevent infinite loop in compat code`

			`c/s 20281:95ea2052b41b, which introduces Grant Table version 2`
			`hypercalls introduces a vulnerability whereby the compat hypercall`
			`handler can fall into an infinite loop.`

			`If the watchdog is enabled, Xen will die after the timeout.`

			`This is a security problem, XSA-24 / CVE-2012-4539.`

			`Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Acked-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>`

			`Index: xen-4.2.0-testing/xen/common/compat/grant_table.c`
			`===================================================================`
			`--- xen-4.2.0-testing.orig/xen/common/compat/grant_table.c`
			`+++ xen-4.2.0-testing/xen/common/compat/grant_table.c`
			`@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c`
			`#undef XLAT_gnttab_get_status_frames_HNDL_frame_list`
			`if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )`
			`rc = -EFAULT;`
			`+ else`
			`+ i = 1;`
			`}`
			`break;`
			`}`