- bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging
(XSA-180) CVE-2014-3672-qemut-xsa180.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=433
This commit is contained in:
parent
10a6644014
commit
1fed24fd43
87
CVE-2014-3672-qemut-xsa180.patch
Normal file
87
CVE-2014-3672-qemut-xsa180.patch
Normal file
@ -0,0 +1,87 @@
|
||||
References: bsc#981264 CVE-2014-3672 XSA-180
|
||||
|
||||
From 7490dab5c1a01b1623e9d87bdc653cb4f963dd8a Mon Sep 17 00:00:00 2001
|
||||
From: Ian Jackson <ian.jackson@eu.citrix.com>
|
||||
Date: Thu, 19 May 2016 19:38:35 +0100
|
||||
Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups
|
||||
|
||||
Each time round the main loop, we now fstat stderr. If it is too big,
|
||||
we dup2 /dev/null onto it. This is not a very pretty patch but it is
|
||||
very simple, easy to see that it's correct, and has a low risk of
|
||||
collateral damage.
|
||||
|
||||
The limit is 1Mby by default but can be adjusted by setting a new
|
||||
environment variable.
|
||||
|
||||
This fixes CVE-2014-3672.
|
||||
|
||||
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
||||
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
||||
---
|
||||
vl.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 46 insertions(+)
|
||||
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
===================================================================
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
@@ -3752,6 +3752,50 @@ static void host_main_loop_wait(int *tim
|
||||
}
|
||||
#endif
|
||||
|
||||
+static void check_cve_2014_3672_xen(void)
|
||||
+{
|
||||
+ static unsigned long limit = ~0UL;
|
||||
+ const int fd = 2;
|
||||
+ struct stat stab;
|
||||
+
|
||||
+ if (limit == ~0UL) {
|
||||
+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
|
||||
+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
|
||||
+ limit = s ? strtoul(s,0,0) : 1*1024*1024;
|
||||
+ }
|
||||
+ if (limit == 0)
|
||||
+ return;
|
||||
+
|
||||
+ int r = fstat(fd, &stab);
|
||||
+ if (r) {
|
||||
+ perror("fstat stderr (for CVE-2014-3672 check)");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ if (!S_ISREG(stab.st_mode))
|
||||
+ return;
|
||||
+ if (stab.st_size <= limit)
|
||||
+ return;
|
||||
+
|
||||
+ /* oh dear */
|
||||
+ fprintf(stderr,"\r\n"
|
||||
+ "Closing stderr due to CVE-2014-3672 limit. "
|
||||
+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
|
||||
+ " or 0 for no limit.\n");
|
||||
+ fflush(stderr);
|
||||
+
|
||||
+ int nfd = open("/dev/null", O_WRONLY);
|
||||
+ if (nfd < 0) {
|
||||
+ perror("open /dev/null (for CVE-2014-3672 check)");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ r = dup2(nfd, fd);
|
||||
+ if (r != fd) {
|
||||
+ perror("dup2 /dev/null (for CVE-2014-3672 check)");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ close(nfd);
|
||||
+}
|
||||
+
|
||||
void main_loop_wait(int timeout)
|
||||
{
|
||||
IOHandlerRecord *ioh;
|
||||
@@ -3763,6 +3807,8 @@ void main_loop_wait(int timeout)
|
||||
|
||||
host_main_loop_wait(&timeout);
|
||||
|
||||
+ check_cve_2014_3672_xen();
|
||||
+
|
||||
/* poll any events */
|
||||
/* XXX: separate device handlers from system ones */
|
||||
nfds = -1;
|
@ -1,7 +1,7 @@
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
|
||||
===================================================================
|
||||
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
|
||||
@@ -1,6 +1,8 @@
|
||||
#ifndef QEMU_XEN_H
|
||||
#define QEMU_XEN_H
|
||||
@ -20,11 +20,11 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
|
||||
int xenstore_parse_disable_pf_config(void);
|
||||
int xenstore_fd(void);
|
||||
void xenstore_process_event(void *opaque);
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
===================================================================
|
||||
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
@@ -5861,9 +5861,9 @@ int main(int argc, char **argv, char **e
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
@@ -5907,9 +5907,9 @@ int main(int argc, char **argv, char **e
|
||||
if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s)))
|
||||
fprintf(stderr,"Can not read our own domid: %s\n", msg);
|
||||
else
|
||||
@ -36,10 +36,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
#endif /* CONFIG_STUBDOM */
|
||||
}
|
||||
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
|
||||
===================================================================
|
||||
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
|
||||
@@ -445,7 +445,7 @@ void xenstore_init(void)
|
||||
}
|
||||
}
|
||||
|
@ -10,10 +10,10 @@ everything that was raised about the previous version ...
|
||||
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
|
||||
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
|
||||
===================================================================
|
||||
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
|
||||
@@ -580,6 +580,10 @@ OBJS += e1000.o
|
||||
# Serial mouse
|
||||
OBJS += msmouse.o
|
||||
@ -25,10 +25,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
|
||||
ifeq ($(TARGET_BASE_ARCH), i386)
|
||||
# Hardware support
|
||||
ifdef CONFIG_AUDIO
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
|
||||
===================================================================
|
||||
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
|
||||
@@ -41,6 +41,7 @@
|
||||
#include "virtio-balloon.h"
|
||||
#include "virtio-console.h"
|
||||
@ -46,10 +46,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
|
||||
for(i = 0; i < nb_nics; i++) {
|
||||
NICInfo *nd = &nd_table[i];
|
||||
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
|
||||
@@ -0,0 +1,136 @@
|
||||
+/*
|
||||
+ * Virtual hardware watchdog.
|
||||
@ -187,10 +187,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
|
||||
+ wdt_ib700_init();
|
||||
+ wdt_i6300esb_init();
|
||||
+}
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
|
||||
@@ -0,0 +1,65 @@
|
||||
+/*
|
||||
+ * Virtual hardware watchdog.
|
||||
@ -257,10 +257,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
|
||||
+extern void register_watchdogs(void);
|
||||
+
|
||||
+#endif /* QEMU_WATCHDOG_H */
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
|
||||
@@ -0,0 +1,470 @@
|
||||
+/*
|
||||
+ * Virtual hardware watchdog.
|
||||
@ -732,10 +732,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
|
||||
+{
|
||||
+ watchdog_add_model(&model);
|
||||
+}
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
|
||||
@@ -0,0 +1,112 @@
|
||||
+/*
|
||||
+ * Virtual hardware watchdog.
|
||||
@ -849,10 +849,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
|
||||
+ watchdog_add_model(&model);
|
||||
+ timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL);
|
||||
+}
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
|
||||
===================================================================
|
||||
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include "hw/pcmcia.h"
|
||||
#include "hw/pc.h"
|
||||
@ -884,10 +884,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
|
||||
{ "cpu_set", "is", do_cpu_set_nr,
|
||||
"cpu [online|offline]", "change cpu state" },
|
||||
{ NULL, NULL, },
|
||||
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
===================================================================
|
||||
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include "hw/isa.h"
|
||||
#include "hw/baum.h"
|
||||
@ -905,7 +905,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
const char *option_rom[MAX_OPTION_ROMS];
|
||||
int nb_option_roms;
|
||||
int semihosting_enabled = 0;
|
||||
@@ -4176,6 +4179,10 @@ static void help(int exitcode)
|
||||
@@ -4222,6 +4225,10 @@ static void help(int exitcode)
|
||||
"-startdate select initial date of the clock\n"
|
||||
"-icount [N|auto]\n"
|
||||
" enable virtual instruction counter with 2^N clock ticks per instruction\n"
|
||||
@ -916,7 +916,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
"-echr chr set terminal escape character instead of ctrl-a\n"
|
||||
"-virtioconsole c\n"
|
||||
" set virtio console\n"
|
||||
@@ -4323,6 +4330,8 @@ enum {
|
||||
@@ -4369,6 +4376,8 @@ enum {
|
||||
QEMU_OPTION_localtime,
|
||||
QEMU_OPTION_startdate,
|
||||
QEMU_OPTION_icount,
|
||||
@ -925,7 +925,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
QEMU_OPTION_echr,
|
||||
QEMU_OPTION_virtiocon,
|
||||
QEMU_OPTION_show_cursor,
|
||||
@@ -4449,6 +4458,8 @@ static const QEMUOption qemu_options[] =
|
||||
@@ -4495,6 +4504,8 @@ static const QEMUOption qemu_options[] =
|
||||
{ "localtime", 0, QEMU_OPTION_localtime },
|
||||
{ "startdate", HAS_ARG, QEMU_OPTION_startdate },
|
||||
{ "icount", HAS_ARG, QEMU_OPTION_icount },
|
||||
@ -934,7 +934,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
{ "echr", HAS_ARG, QEMU_OPTION_echr },
|
||||
{ "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon },
|
||||
{ "show-cursor", 0, QEMU_OPTION_show_cursor },
|
||||
@@ -4950,6 +4961,8 @@ int main(int argc, char **argv, char **e
|
||||
@@ -4996,6 +5007,8 @@ int main(int argc, char **argv, char **e
|
||||
tb_size = 0;
|
||||
autostart= 1;
|
||||
|
||||
@ -943,7 +943,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
|
||||
optind = 1;
|
||||
for(;;) {
|
||||
if (optind >= argc)
|
||||
@@ -5324,6 +5337,17 @@ int main(int argc, char **argv, char **e
|
||||
@@ -5370,6 +5383,17 @@ int main(int argc, char **argv, char **e
|
||||
serial_devices[serial_device_index] = optarg;
|
||||
serial_device_index++;
|
||||
break;
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon May 23 15:24:35 MDT 2016 - carnold@suse.com
|
||||
|
||||
- bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging
|
||||
(XSA-180)
|
||||
CVE-2014-3672-qemut-xsa180.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 19 10:46:53 MDT 2016 - carnold@suse.com
|
||||
|
||||
|
2
xen.spec
2
xen.spec
@ -230,6 +230,7 @@ Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.
|
||||
Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
|
||||
Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
|
||||
Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
|
||||
Patch279: CVE-2014-3672-qemut-xsa180.patch
|
||||
# qemu-traditional patches that are not upstream
|
||||
Patch350: blktap.patch
|
||||
Patch351: cdrom-removable.patch
|
||||
@ -548,6 +549,7 @@ Authors:
|
||||
%patch276 -p1
|
||||
%patch277 -p1
|
||||
%patch278 -p1
|
||||
%patch279 -p1
|
||||
# Qemu traditional
|
||||
%patch350 -p1
|
||||
%patch351 -p1
|
||||
|
Loading…
Reference in New Issue
Block a user