From: Ian Jackson Date: Wed, 14 Nov 2012 11:30:34 +0000 (+0000) Subject: VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~7656 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks://%22Dat/%22http:/www.example.com/cgi/%22https:/%22bookmarks:/%22Dat?a=commitdiff_plain;h=dfa0cb6a14b3c835e643f56b620137b5aff3e1c1;p=xen.git VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability The timer action for a vcpu periodic timer is to calculate the next expiry time, and to reinsert itself into the timer queue. If the deadline ends up in the past, Xen never leaves __do_softirq(). The affected PCPU will stay in an infinite loop until Xen is killed by the watchdog (if enabled). This is a security problem, XSA-20 / CVE-2012-4535. Signed-off-by: Andrew Cooper Acked-by: Ian Campbell Committed-by: Ian Jackson --- diff --git a/xen/common/domain.c b/xen/common/domain.c index 0e3e36aa1b..12c8e24e09 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -903,6 +903,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg) if ( set.period_ns < MILLISECS(1) ) return -EINVAL; + if ( set.period_ns > STIME_DELTA_MAX ) + return -EINVAL; + v->periodic_period = set.period_ns; vcpu_force_reschedule(v); diff --git a/xen/include/xen/time.h b/xen/include/xen/time.h index 0b2eaade3a..4224962de2 100644 --- a/xen/include/xen/time.h +++ b/xen/include/xen/time.h @@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) +/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ +#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) extern void update_vcpu_system_time(struct vcpu *v); extern void update_domain_wallclock_time(struct domain *d);