You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
51 lines
1.7 KiB
51 lines
1.7 KiB
libxc: limit cpu values when setting vcpu affinity
|
|
|
|
When support for pinning more than 64 cpus was added, check for cpu
|
|
out-of-range values was removed. This can lead to subsequent
|
|
out-of-bounds cpumap array accesses in case the cpu number is higher
|
|
than the actual count.
|
|
|
|
This patch returns the check.
|
|
|
|
This is CVE-2013-2072 / XSA-56
|
|
|
|
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
|
|
|
diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
|
|
index e220f68..e611b24 100644
|
|
--- a/tools/python/xen/lowlevel/xc/xc.c
|
|
+++ b/tools/python/xen/lowlevel/xc/xc.c
|
|
@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
|
|
int vcpu = 0, i;
|
|
xc_cpumap_t cpumap;
|
|
PyObject *cpulist = NULL;
|
|
+ int nr_cpus;
|
|
|
|
static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
|
|
|
|
@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
|
|
&dom, &vcpu, &cpulist) )
|
|
return NULL;
|
|
|
|
+ nr_cpus = xc_get_max_cpus(self->xc_handle);
|
|
+ if ( nr_cpus == 0 )
|
|
+ return pyxc_error_to_exception(self->xc_handle);
|
|
+
|
|
cpumap = xc_cpumap_alloc(self->xc_handle);
|
|
if(cpumap == NULL)
|
|
return pyxc_error_to_exception(self->xc_handle);
|
|
@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
|
|
for ( i = 0; i < PyList_Size(cpulist); i++ )
|
|
{
|
|
long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
|
|
+ if ( cpu < 0 || cpu >= nr_cpus )
|
|
+ {
|
|
+ free(cpumap);
|
|
+ errno = EINVAL;
|
|
+ PyErr_SetFromErrno(xc_error_obj);
|
|
+ return NULL;
|
|
+ }
|
|
cpumap[cpu / 8] |= 1 << (cpu % 8);
|
|
}
|
|
}
|