[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.2] tools: xenstored: if the reply is too big then send E2BIG error



commit a2b1b99d74c7729b8346eeef23508be7e3d6fdca
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Tue Oct 29 15:45:53 2013 +0000
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Tue Oct 29 16:02:36 2013 +0000

    tools: xenstored: if the reply is too big then send E2BIG error
    
    This fixes the issue for both C and ocaml xenstored, however only the ocaml
    xenstored is vulnerable in its default configuration.
    
    Adding a new error appears to be safe, since bit libxenstore and the Linux
    driver at least treat an unknown error code as EINVAL.
    
    This is XSA-72 / CVE-2013-4416.
    
    Original ocaml patch by Jerome Maloberti <jerome.maloberti@xxxxxxxxxx>
    Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    Signed-off-by: Thomas Sanders <thomas.sanders@xxxxxxxxxx>
    (cherry picked from commit 8b2c441a1b53a43a38b3c517e28f239da3349872)
    (cherry picked from commit d88ac91ef2f0a93ea9359a8133405dbd78abc89b)
---
 tools/ocaml/xenstored/connection.ml |   11 ++++++++++-
 tools/xenstore/xenstored_core.c     |    5 +++++
 xen/include/public/io/xs_wire.h     |    3 ++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/tools/ocaml/xenstored/connection.ml 
b/tools/ocaml/xenstored/connection.ml
index 273fe4d..47695f8 100644
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -18,6 +18,8 @@ exception End_of_file
 
 open Stdext
 
+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
 type watch = {
        con: t;
        token: string;
@@ -112,8 +114,15 @@ let restrict con domid =
 let set_target con target_domid =
        con.perm <- Perms.Connection.set_target (get_perm con) 
~perms:[Perms.READ; Perms.WRITE] target_domid
 
+let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
+       | Xenbus.Xb.Xenmmap _ -> true
+       | _ -> false
+
 let send_reply con tid rid ty data =
-       Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
+       if (String.length data) > xenstore_payload_max && (is_backend_mmap con) 
then
+               Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid 
Xenbus.Xb.Op.Error "E2BIG\000")
+       else
+               Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
 
 let send_error con tid rid err = send_reply con tid rid Xenbus.Xb.Op.Error 
(err ^ "\000")
 let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index bd44645..07338b5 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -599,6 +599,11 @@ void send_reply(struct connection *conn, enum 
xsd_sockmsg_type type,
 {
        struct buffered_data *bdata;
 
+       if ( len > XENSTORE_PAYLOAD_MAX ) {
+               send_error(conn, E2BIG);
+               return;
+       }
+
        /* Message is a child of the connection context for auto-cleanup. */
        bdata = new_buffer(conn);
        bdata->buffer = talloc_array(bdata, char, len);
diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
index 7e454c4..70a048a 100644
--- a/xen/include/public/io/xs_wire.h
+++ b/xen/include/public/io/xs_wire.h
@@ -83,7 +83,8 @@ __attribute__((unused))
     XSD_ERROR(EROFS),
     XSD_ERROR(EBUSY),
     XSD_ERROR(EAGAIN),
-    XSD_ERROR(EISCONN)
+    XSD_ERROR(EISCONN),
+    XSD_ERROR(E2BIG)
 };
 #endif
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.2

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.