app-emulation/xen/files/xen-4-CVE-2012-4539-XSA-24.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

# HG changeset patch
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
# Date 1352893567 0
# Node ID 8ca6372315f826881f9de141ac1227ef962100cf
# Parent  159080b58dda9d19a5d3be42359e667bdb3e61ca
compat/gnttab: Prevent infinite loop in compat code

c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.

If the watchdog is enabled, Xen will die after the timeout.

This is a security problem, XSA-24 / CVE-2012-4539.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen-unstable changeset: 26151:b64a7d868f06
Backport-requested-by: security@xen.org
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff -r 159080b58dda -r 8ca6372315f8 xen/common/compat/grant_table.c
--- xen/common/compat/grant_table.c	Wed Nov 14 11:42:45 2012 +0000
+++ xen/common/compat/grant_table.c	Wed Nov 14 11:46:07 2012 +0000
@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
 #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
                     rc = -EFAULT;
+                else
+                    i = 1;
             }
             break;
         }