Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
xen.3680
CVE-2014-3672-qemuu-xsa180.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-3672-qemuu-xsa180.patch of Package xen.3680
References: bsc#981264 CVE-2014-3672 XSA-180 From f4ebdf08f3eaaf2026adeaee5b8e520b08bb5e11 Mon Sep 17 00:00:00 2001 From: Ian Jackson <ian.jackson@eu.citrix.com> Date: Thu, 19 May 2016 15:43:33 +0100 Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups Each time round the main loop, we now fstat stderr. If it is too big, we dup2 /dev/null onto it. This is not a very pretty patch but it is very simple, easy to see that it's correct, and has a low risk of collateral damage. The limit is 1Mby by default but can be adjusted by setting a new environment variable. This fixes CVE-2014-3672. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> --- v2: Make it actually compile. Fix a typo in the message. Move the check_cve_2014_3672_xen up in the file, so that we can: Call check_cve_2014_3672_xen in the other copy of the main loop (!) --- main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/main-loop.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/main-loop.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/main-loop.c @@ -149,6 +149,50 @@ int qemu_init_main_loop(void) return 0; } +static void check_cve_2014_3672_xen(void) +{ + static unsigned long limit = ~0UL; + const int fd = 2; + struct stat stab; + + if (limit == ~0UL) { + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); + /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ + limit = s ? strtoul(s,0,0) : 1*1024*1024; + } + if (limit == 0) + return; + + int r = fstat(fd, &stab); + if (r) { + perror("fstat stderr (for CVE-2014-3672 check)"); + exit(-1); + } + if (!S_ISREG(stab.st_mode)) + return; + if (stab.st_size <= limit) + return; + + /* oh dear */ + fprintf(stderr,"\r\n" + "Closing stderr due to CVE-2014-3672 limit. " + " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," + " or 0 for no limit.\n"); + fflush(stderr); + + int nfd = open("/dev/null", O_WRONLY); + if (nfd < 0) { + perror("open /dev/null (for CVE-2014-3672 check)"); + exit(-1); + } + r = dup2(nfd, fd); + if (r != fd) { + perror("dup2 /dev/null (for CVE-2014-3672 check)"); + exit(-1); + } + close(nfd); +} + static int max_priority; #ifndef _WIN32 @@ -196,6 +240,8 @@ static int os_host_main_loop_wait(uint32 int ret; static int spin_counter; + check_cve_2014_3672_xen(); + glib_pollfds_fill(&timeout); /* If the I/O thread is very busy or we are incorrectly busy waiting in @@ -386,6 +432,8 @@ static int os_host_main_loop_wait(uint32 fd_set rfds, wfds, xfds; int nfds; + check_cve_2014_3672_xen(); + /* XXX: need to suppress polling by better using win32 events */ ret = 0; for (pe = first_polling_entry; pe != NULL; pe = pe->next) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor