[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen stable-4.3] main loop: Big hammer to fix logfile disk DoS in Xen setups
commit 12e8fccf5b5460be7aecddc71d27eceaba6e1f15 Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> AuthorDate: Thu May 26 16:21:56 2016 +0100 Commit: Anthony PERARD <anthony.perard@xxxxxxxxxx> CommitDate: Fri Jun 10 12:16:15 2016 +0100 main loop: Big hammer to fix logfile disk DoS in Xen setups Each time round the main loop, we now fstat stderr. If it is too big, we dup2 /dev/null onto it. This is not a very pretty patch but it is very simple, easy to see that it's correct, and has a low risk of collateral damage. There is no limit by default but can be adjusted by setting a new environment variable. This fixes CVE-2014-3672. Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> Tested-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> Set the default to 0 so that it won't affect non-xen installation. The limit will be set by Xen toolstack. Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx> Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx> (cherry picked from commit 44a072f0de0d57c95c2212bbce02888832b7b74f) --- main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/main-loop.c b/main-loop.c index c87624e..1d46985 100644 --- a/main-loop.c +++ b/main-loop.c @@ -140,6 +140,50 @@ int qemu_init_main_loop(void) return 0; } +static void check_cve_2014_3672_xen(void) +{ + static unsigned long limit = ~0UL; + const int fd = 2; + struct stat stab; + + if (limit == ~0UL) { + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); + /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ + limit = s ? strtoul(s,0,0) : 0; + } + if (limit == 0) + return; + + int r = fstat(fd, &stab); + if (r) { + perror("fstat stderr (for CVE-2014-3672 check)"); + exit(-1); + } + if (!S_ISREG(stab.st_mode)) + return; + if (stab.st_size <= limit) + return; + + /* oh dear */ + fprintf(stderr,"\r\n" + "Closing stderr due to CVE-2014-3672 limit. " + " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," + " or 0 for no limit.\n"); + fflush(stderr); + + int nfd = open("/dev/null", O_WRONLY); + if (nfd < 0) { + perror("open /dev/null (for CVE-2014-3672 check)"); + exit(-1); + } + r = dup2(nfd, fd); + if (r != fd) { + perror("dup2 /dev/null (for CVE-2014-3672 check)"); + exit(-1); + } + close(nfd); +} + static fd_set rfds, wfds, xfds; static int nfds; static GPollFD poll_fds[1024 * 2]; /* this is probably overkill */ @@ -215,6 +259,8 @@ static int os_host_main_loop_wait(uint32_t timeout) struct timeval tv, *tvarg = NULL; int ret; + check_cve_2014_3672_xen(); + glib_select_fill(&nfds, &rfds, &wfds, &xfds, &timeout); if (timeout < UINT32_MAX) { @@ -336,6 +382,8 @@ static int os_host_main_loop_wait(uint32_t timeout) gint poll_timeout; static struct timeval tv0; + check_cve_2014_3672_xen(); + /* XXX: need to suppress polling by better using win32 events */ ret = 0; for (pe = first_polling_entry; pe != NULL; pe = pe->next) { -- generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.3 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |