xen/5256be57-libxl-fix-vif-rate-parsing.patch

References: bnc#842512 CVE-2013-4369 XSA-68

# Commit c53702cee1d6f9f1b72f0cae0b412e21bcda8724
# Date 2013-10-10 15:48:55 +0100
# Author Ian Jackson <ian.jackson@eu.citrix.com>
# Committer Ian Jackson <Ian.Jackson@eu.citrix.com>
libxl: fix vif rate parsing

strtok can return NULL here. We don't need to use strtok anyway, so just
use a simple strchr method.

Coverity-ID: 1055642

This is CVE-2013-4369 / XSA-68

Signed-off-by: Matthew Daley <mattjd@gmail.com>

Fix type. Add test case

Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>

--- a/tools/libxl/check-xl-vif-parse
+++ b/tools/libxl/check-xl-vif-parse
@@ -206,4 +206,8 @@ expected </dev/null
 one $e rate=4294967295GB/s@5us
 one $e rate=4296MB/s@4294s
 
+# test include of single '@'
+expected </dev/null
+one $e rate=@
+
 complete
--- a/tools/libxl/libxlu_vif.c
+++ b/tools/libxl/libxlu_vif.c
@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, 
     uint64_t bytes_per_sec = 0;
     uint64_t bytes_per_interval = 0;
     uint32_t interval_usecs = 50000UL; /* Default to 50ms */
-    char *ratetok, *tmprate;
+    char *p, *tmprate;
     int rc = 0;
 
     tmprate = strdup(rate);
+    if (tmprate == NULL) {
+        rc = ENOMEM;
+        goto out;
+    }
+
+    p = strchr(tmprate, '@');
+    if (p != NULL)
+        *p++ = 0;
+
     if (!strcmp(tmprate,"")) {
         xlu__vif_err(cfg, "no rate specified", rate);
         rc = EINVAL;
         goto out;
     }
 
-    ratetok = strtok(tmprate, "@");
-    rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);
+    rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);
     if (rc) goto out;
 
-    ratetok = strtok(NULL, "@");
-    if (ratetok != NULL) {
-        rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);
+    if (p != NULL) {
+        rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);
         if (rc) goto out;
     }
- domUloader can no longer be used with the xl toolstack to boot sles10. Patch pygrub to get the kernel and initrd from the image. pygrub-boot-legacy-sles.patch - bnc#842515 - VUL-0: CVE-2013-4375: XSA-71: xen: qemu disk backend (qdisk) resource leak CVE-2013-4375-xsa71.patch - Upstream patches from Jan 52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch (Replaces CVE-2013-4355-xsa63.patch) 52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch (Replaces CVE-2013-4356-xsa64.patch) 52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch (Replaces CVE-2013-4361-xsa66.patch) 52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch 524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch 524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch 524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch 524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch 524e9dc0-xsm-forbid-PV-guest-console-reads.patch 5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch 5256be57-libxl-fix-vif-rate-parsing.patch 5256be84-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_vcpu_getaffinity.patch 5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch 5257a89a-x86-correct-LDT-checks.patch 5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch 5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch 525b95f4-scheduler-adjust-internal-locking-interface.patch 525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch 525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch 525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch - bnc#840196 - L3: MTU size on Dom0 gets reset when booting DomU OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=276 2013-10-24 21:00:35 +00:00			`References: bnc#842512 CVE-2013-4369 XSA-68`

			`# Commit c53702cee1d6f9f1b72f0cae0b412e21bcda8724`
			`# Date 2013-10-10 15:48:55 +0100`
			`# Author Ian Jackson <ian.jackson@eu.citrix.com>`
			`# Committer Ian Jackson <Ian.Jackson@eu.citrix.com>`
			`libxl: fix vif rate parsing`

			`strtok can return NULL here. We don't need to use strtok anyway, so just`
			`use a simple strchr method.`

			`Coverity-ID: 1055642`

			`This is CVE-2013-4369 / XSA-68`

			`Signed-off-by: Matthew Daley <mattjd@gmail.com>`

			`Fix type. Add test case`

			`Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>`

			`--- a/tools/libxl/check-xl-vif-parse`
			`+++ b/tools/libxl/check-xl-vif-parse`
			`@@ -206,4 +206,8 @@ expected </dev/null`
			`one $e rate=4294967295GB/s@5us`
			`one $e rate=4296MB/s@4294s`

			`+# test include of single '@'`
			`+expected </dev/null`
			`+one $e rate=@`
			`+`
			`complete`
			`--- a/tools/libxl/libxlu_vif.c`
			`+++ b/tools/libxl/libxlu_vif.c`
			`@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg,`
			`uint64_t bytes_per_sec = 0;`
			`uint64_t bytes_per_interval = 0;`
			`uint32_t interval_usecs = 50000UL; /* Default to 50ms */`
			`- char ratetok, tmprate;`
			`+ char p, tmprate;`
			`int rc = 0;`

			`tmprate = strdup(rate);`
			`+ if (tmprate == NULL) {`
			`+ rc = ENOMEM;`
			`+ goto out;`
			`+ }`
			`+`
			`+ p = strchr(tmprate, '@');`
			`+ if (p != NULL)`
			`+ *p++ = 0;`
			`+`
			`if (!strcmp(tmprate,"")) {`
			`xlu__vif_err(cfg, "no rate specified", rate);`
			`rc = EINVAL;`
			`goto out;`
			`}`

			`- ratetok = strtok(tmprate, "@");`
			`- rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);`
			`+ rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);`
			`if (rc) goto out;`

			`- ratetok = strtok(NULL, "@");`
			`- if (ratetok != NULL) {`
			`- rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);`
			`+ if (p != NULL) {`
			`+ rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);`
			`if (rc) goto out;`
			`}`