From 511cc6f46df22e581ad8ccc4451173b795e3d116 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Oct 29 2013 18:47:58 +0000
Subject: ocaml xenstored mishandles oversized message replies

---

diff --git a/xen.spec b/xen.spec
index 9938660..13de2ea 100644
--- a/xen.spec
+++ b/xen.spec
@@ -46,7 +46,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.3.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -107,6 +107,7 @@ Patch27: xsa68.patch
 Patch28: xsa69.patch
 Patch29: xsa70.patch
 Patch30: xsa71-qemu-xen-unstable.patch
+Patch31: xsa72.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -296,6 +297,7 @@ manage Xen virtual machines.
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
+%patch31 -p1
 
 %patch100 -p1
 
@@ -828,6 +830,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Tue Oct 29 2013 Michael Young - 4.3.0-10
+- ocaml xenstored mishandles oversized message replies
+  [XSA-72, CVE-2013-4416] (#1024450)
+
 * Thu Oct 24 2013 Michael Young - 4.3.0-9
 - systemd changes to allow oxenstored to be used instead of xenstored
   (#1022640)
diff --git a/xsa72.patch b/xsa72.patch
new file mode 100644
index 0000000..f170b4e
--- /dev/null
+++ b/xsa72.patch
@@ -0,0 +1,74 @@
+tools: xenstored: if the reply is too big then send E2BIG error
+
+This fixes the issue for both C and ocaml xenstored, however only the ocaml
+xenstored is vulnerable in its default configuration.
+
+Adding a new error appears to be safe, since bit libxenstore and the Linux
+driver at least treat an unknown error code as EINVAL.
+
+This is XSA-72
+
+Original ocaml patch by Jerome Maloberti
+Signed-off-by: Ian Campbell
+Signed-off-by: Thomas Sanders
+
+diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/connection.ml
+index 273fe4d..47695f8 100644
+--- a/tools/ocaml/xenstored/connection.ml
++++ b/tools/ocaml/xenstored/connection.ml
+@@ -18,6 +18,8 @@ exception End_of_file
+ 
+ open Stdext
+ 
++let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
++
+ type watch = {
+ con: t;
+ token: string;
+@@ -112,8 +114,15 @@ let restrict con domid =
+ let set_target con target_domid =
+ con.perm <- Perms.Connection.set_target (get_perm con) ~perms:[Perms.READ; Perms.WRITE] target_domid
+ 
++let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
++ | Xenbus.Xb.Xenmmap _ -> true
++ | _ -> false
++
+ let send_reply con tid rid ty data =
+- Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
++ if (String.length data) > xenstore_payload_max && (is_backend_mmap con) then
++ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid Xenbus.Xb.Op.Error "E2BIG\000")
++ else
++ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
+ 
+ let send_error con tid rid err = send_reply con tid rid Xenbus.Xb.Op.Error (err ^ "\000")
+ let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"
+diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
+index 0f8ba64..ccfdaa3 100644
+--- a/tools/xenstore/xenstored_core.c
++++ b/tools/xenstore/xenstored_core.c
+@@ -629,6 +629,11 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
+ {
+ struct buffered_data *bdata;
+ 
++ if ( len > XENSTORE_PAYLOAD_MAX ) {
++ send_error(conn, E2BIG);
++ return;
++ }
++
+ /* Message is a child of the connection context for auto-cleanup. */
+ bdata = new_buffer(conn);
+ bdata->buffer = talloc_array(bdata, char, len);
+diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
+index 99d24e3..585f0c8 100644
+--- a/xen/include/public/io/xs_wire.h
++++ b/xen/include/public/io/xs_wire.h
+@@ -83,7 +83,8 @@ __attribute__((unused))
+ XSD_ERROR(EROFS),
+ XSD_ERROR(EBUSY),
+ XSD_ERROR(EAGAIN),
+- XSD_ERROR(EISCONN)
++ XSD_ERROR(EISCONN),
++ XSD_ERROR(E2BIG)
+ };
+ #endif
+
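Review bot: The OCaml `send_reply` only substitutes the E2BIG error when `is_backend_mmap con` holds, so a socket-backed connection still gets the full oversized reply queued, whereas the C `send_reply` in the same patch rejects any `len > XENSTORE_PAYLOAD_MAX` regardless of transport; the two daemons now answer the same request differently for socket clients. If leaving socket connections unbounded is deliberate (the description's remark that only the ocaml xenstored is vulnerable in its default configuration suggests the fixed-size shared ring is the concern, but the code does not say so), a comment at the guard would stop the next reader from "fixing" it: `(* Only the shared-ring (mmap) transport has a fixed-size buffer; socket clients may receive replies larger than xenstore_payload_max. *)`. Otherwise drop the `is_backend_mmap con` conjunct so both implementations enforce the wire limit uniformly. `xenstore_payload_max = 4096` also duplicates XENSTORE_PAYLOAD_MAX by hand, so the two can drift silently if the header ever changes; a `(* must match XENSTORE_PAYLOAD_MAX *)` note next to the existing path reference would make the coupling explicit. The C `send_reply` body continues past the end of its hunk.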