[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen-traditional stable-4.4] main loop: Big hammer to fix logfile disk DoS in Xen setups



commit 564f935e958bd102df822c978bd021673365dc78
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Thu May 19 19:38:35 2016 +0100
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Fri Jun 10 13:10:59 2016 +0100

    main loop: Big hammer to fix logfile disk DoS in Xen setups
    
    Each time round the main loop, we now fstat stderr.  If it is too big,
    we dup2 /dev/null onto it.  This is not a very pretty patch but it is
    very simple, easy to see that it's correct, and has a low risk of
    collateral damage.
    
    There is no limit by default but can be adjusted by setting a new
    environment variable.
    
    This is part of CVE-2014-3672.
    
    Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
    Tested-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
    
    Set the default to 0 so that it won't affect non-xen installation. The
    limit will be set by Xen toolstack.
    
    Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
    Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
    
    (ad-hoc cherry-pick from 44a072f0de0d57c95c2212bbce02888832b7b74f)
    Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
    (cherry picked from commit 6e20809727261599e8527c456eb078c0e89139a1)
    (cherry picked from commit 698d6d6f8d095edadb0c23612b552a89dd3eee4c)
    (cherry picked from commit 29b39dac29529b9989e4f597adb354f7879b6f63)
    (cherry picked from commit 28c21388c2a32259cff37fc578684f994dca8c9f)
---
 vl.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/vl.c b/vl.c
index d21c3aa..5f6db2f 100644
--- a/vl.c
+++ b/vl.c
@@ -3753,6 +3753,50 @@ static void host_main_loop_wait(int *timeout)
 }
 #endif
 
+static void check_cve_2014_3672_xen(void)
+{
+    static unsigned long limit = ~0UL;
+    const int fd = 2;
+    struct stat stab;
+
+    if (limit == ~0UL) {
+        const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+        /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+        limit = s ? strtoul(s,0,0) : 0;
+    }
+    if (limit == 0)
+        return;
+
+    int r = fstat(fd, &stab);
+    if (r) {
+        perror("fstat stderr (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    if (!S_ISREG(stab.st_mode))
+        return;
+    if (stab.st_size <= limit)
+        return;
+
+    /* oh dear */
+    fprintf(stderr,"\r\n"
+            "Closing stderr due to CVE-2014-3672 limit. "
+            " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+            " or 0 for no limit.\n");
+    fflush(stderr);
+
+    int nfd = open("/dev/null", O_WRONLY);
+    if (nfd < 0) {
+        perror("open /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    r = dup2(nfd, fd);
+    if (r != fd) {
+        perror("dup2 /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    close(nfd);
+}
+
 void main_loop_wait(int timeout)
 {
     IOHandlerRecord *ioh;
@@ -3764,6 +3808,8 @@ void main_loop_wait(int timeout)
 
     host_main_loop_wait(&timeout);
 
+    check_cve_2014_3672_xen();
+
     /* poll any events */
     /* XXX: separate device handlers from system ones */
     nfds = -1;
--
generated by git-patchbot for /home/xen/git/qemu-xen-traditional.git#stable-4.4

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.