projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5b0919f) | patch
tools/ocaml: Ensure packet size is never negative
authorEdwin Török <edvin.torok@citrix.com>
Wed, 12 Oct 2022 18:13:05 +0000 (19:13 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Tue, 1 Nov 2022 14:07:24 +0000 (14:07 +0000)
commit635390415f4a9c0621330f0b40f8c7e914c4523f
treeb0c1349e550592137606f166b04ea9d55755affdtree | snapshot
parent5b0919f2c0e5060f6e0bc328f100abae0a9f07b8commit | diff
tools/ocaml: Ensure packet size is never negative

Integers in Ocaml have 63 or 31 bits of signed precision.

On 64-bit builds of Ocaml, this is fine because a C uint32_t always fits
within a 63-bit signed integer.

In 32-bit builds of Ocaml, this goes wrong.  The C uint32_t is truncated
first (loses the top bit), then has a unsigned/signed mismatch.

A "negative" value (i.e. a packet on the ring of between 1G and 2G in size)
will trigger an exception later in Bytes.make in xb.ml, and because the packet
is not removed from the ring, the exception re-triggers on every subsequent
query, creating a livelock.

Fix both the source of the exception in Xb, and as defence in depth, mark the
domain as bad for any Invalid_argument exceptions to avoid the risk of
livelock.

This is XSA-420 / CVE-2022-42324.

Signed-off-by: Edwin Török <edvin.torok@citrix.com>
Acked-by: Christian Lindig <christian.lindig@citrix.com>
(cherry picked from commit ae34df4d82636f4c82700b447ea2c93b9f82b3f3)
tools/ocaml/libs/xb/partial.ml diff | blob | history
tools/ocaml/xenstored/process.ml diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.