xen/CVE-2012-4535-xsa20.patch

References: CVE-2012-4535 XSA-20 bnc#786516

VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability

The timer action for a vcpu periodic timer is to calculate the next
expiry time, and to reinsert itself into the timer queue.  If the
deadline ends up in the past, Xen never leaves __do_softirq().  The
affected PCPU will stay in an infinite loop until Xen is killed by the
watchdog (if enabled).

This is a security problem, XSA-20 / CVE-2012-4535.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

Index: xen-4.2.0-testing/xen/common/domain.c
===================================================================
--- xen-4.2.0-testing.orig/xen/common/domain.c
+++ xen-4.2.0-testing/xen/common/domain.c
@@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
         if ( set.period_ns < MILLISECS(1) )
             return -EINVAL;
 
+        if ( set.period_ns > STIME_DELTA_MAX )
+            return -EINVAL;
+
         v->periodic_period = set.period_ns;
         vcpu_force_reschedule(v);
 
Index: xen-4.2.0-testing/xen/include/xen/time.h
===================================================================
--- xen-4.2.0-testing.orig/xen/include/xen/time.h
+++ xen-4.2.0-testing/xen/include/xen/time.h
@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
 #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
 #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
 #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
 
 extern void update_vcpu_system_time(struct vcpu *v);
 extern void update_domain_wallclock_time(struct domain *d);
- bnc#777628 - guest "disappears" after live migration Updated block-dmmd script - fate#310510 - fix xenpaging restore changes to integrate paging into xm/xend xenpaging.autostart.patch xenpaging.doc.patch - bnc#787163 - VUL-0: CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - VUL-0: CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - VUL-0: CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - VUL-0: CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - VUL-0: CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - VUL-0: CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - VUL-0: CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=212 2012-11-19 13:58:33 +00:00			`References: CVE-2012-4535 XSA-20 bnc#786516`

			`VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability`

			`The timer action for a vcpu periodic timer is to calculate the next`
			`expiry time, and to reinsert itself into the timer queue. If the`
			`deadline ends up in the past, Xen never leaves __do_softirq(). The`
			`affected PCPU will stay in an infinite loop until Xen is killed by the`
			`watchdog (if enabled).`

			`This is a security problem, XSA-20 / CVE-2012-4535.`

			`Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Acked-by: Ian Campbell <ian.campbell@citrix.com>`

			`Index: xen-4.2.0-testing/xen/common/domain.c`
			`===================================================================`
			`--- xen-4.2.0-testing.orig/xen/common/domain.c`
			`+++ xen-4.2.0-testing/xen/common/domain.c`
			`@@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN`
			`if ( set.period_ns < MILLISECS(1) )`
			`return -EINVAL;`

			`+ if ( set.period_ns > STIME_DELTA_MAX )`
			`+ return -EINVAL;`
			`+`
			`v->periodic_period = set.period_ns;`
			`vcpu_force_reschedule(v);`

			`Index: xen-4.2.0-testing/xen/include/xen/time.h`
			`===================================================================`
			`--- xen-4.2.0-testing.orig/xen/include/xen/time.h`
			`+++ xen-4.2.0-testing/xen/include/xen/time.h`
			`@@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);`
			`#define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL))`
			`#define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL))`
			`#define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))`
			`+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */`
			`+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))`

			`extern void update_vcpu_system_time(struct vcpu *v);`
			`extern void update_domain_wallclock_time(struct domain *d);`