diff options
author | Petr Matousek <pmatouse@redhat.com> | 2013-05-31 12:24:18 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2013-05-31 12:24:18 +0200 |
commit | 34e2c78baa7eff6369595adc7e51e70a4a0c8727 (patch) | |
tree | 89486a9f330eb1751d1dc716a9ccf68c8d0b1806 /tools | |
parent | 857e2b43715ba86ee660924cfe1d772fa052c54d (diff) | |
download | xen-34e2c78baa7eff6369595adc7e51e70a4a0c8727.tar.gz xen-34e2c78baa7eff6369595adc7e51e70a4a0c8727.tar.bz2 xen-34e2c78baa7eff6369595adc7e51e70a4a0c8727.zip |
libxc: limit cpu values when setting vcpu affinity
When support for pinning more than 64 cpus was added, check for cpu
out-of-range values was removed. This can lead to subsequent
out-of-bounds cpumap array accesses in case the cpu number is higher
than the actual count.
This patch returns the check.
This is CVE-2013-2072 / XSA-56
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
master commit: 41abbadef60e5fccdfd688579dd458f7f7887cf5
master date: 2013-05-29 15:49:22 +0100
Diffstat (limited to 'tools')
-rw-r--r-- | tools/python/xen/lowlevel/xc/xc.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c index 7c89756af1..540de61608 100644 --- a/tools/python/xen/lowlevel/xc/xc.c +++ b/tools/python/xen/lowlevel/xc/xc.c @@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, int vcpu = 0, i; xc_cpumap_t cpumap; PyObject *cpulist = NULL; + int nr_cpus; static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL }; @@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, &dom, &vcpu, &cpulist) ) return NULL; + nr_cpus = xc_get_max_cpus(self->xc_handle); + if ( nr_cpus == 0 ) + return pyxc_error_to_exception(self->xc_handle); + cpumap = xc_cpumap_alloc(self->xc_handle); if(cpumap == NULL) return pyxc_error_to_exception(self->xc_handle); @@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self, for ( i = 0; i < PyList_Size(cpulist); i++ ) { long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i)); + if ( cpu < 0 || cpu >= nr_cpus ) + { + free(cpumap); + errno = EINVAL; + PyErr_SetFromErrno(xc_error_obj); + return NULL; + } cpumap[cpu / 8] |= 1 << (cpu % 8); } } |