diff --git a/qemu.CVE-2016-4439.patch b/qemu.CVE-2016-4439.patch new file mode 100644 index 0000000..61060d4 --- /dev/null +++ b/qemu.CVE-2016-4439.patch @@ -0,0 +1,44 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH 1/2] scsi: check command buffer length +before write(CVE-2016-4439) +*Date*: Thu, 19 May 2016 16:09:30 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. While +writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check +was missing to validate input length. Add check to avoid OOB write +access. + +Fixes CVE-2016-4439 +Reported-by: Li Qiang + +Signed-off-by: Prasad J Pandit +--- + hw/scsi/esp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c +index 8961be2..01497e6 100644 +--- a/tools/qemu-xen/hw/scsi/esp.c ++++ b/tools/qemu-xen/hw/scsi/esp.c +@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) + break; + case ESP_FIFO: + if (s->do_cmd) { +- s->cmdbuf[s->cmdlen++] = val & 0xff; ++ if (s->cmdlen < TI_BUFSZ) { ++ s->cmdbuf[s->cmdlen++] = val & 0xff; ++ } else { ++ trace_esp_error_fifo_overrun(); ++ } + } else if (s->ti_size == TI_BUFSZ - 1) { + trace_esp_error_fifo_overrun(); + } else { +-- +2.5.5 + diff --git a/qemu.CVE-2016-4441.patch b/qemu.CVE-2016-4441.patch new file mode 100644 index 0000000..7f8c1fa --- /dev/null +++ b/qemu.CVE-2016-4441.patch 
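Review bot: The new bound on the command path uses `s->cmdlen < TI_BUFSZ`, but the neighbouring data-FIFO guard left in context, `} else if (s->ti_size == TI_BUFSZ - 1) {`, is an equality test, so any state in which `ti_size` has already passed the bound would fall through to the write in the final `else` (whose body lies outside the hunk). Changing it to `} else if (s->ti_size >= TI_BUFSZ - 1) {` puts both guards in the same defensive form at no cost. The same pattern appears in the traditional backport, qemu.trad.CVE-2016-4439.patch, where the reporting call is `ESP_ERROR("fifo overrun\n")` instead of `trace_esp_error_fifo_overrun()`. The enclosing `esp_reg_write` switch starts and ends outside the hunk.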
@@ -0,0 +1,77 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH 2/2] scsi: check dma length before +reading scsi command(CVE-2016-4441) +*Date*: Thu, 19 May 2016 16:09:31 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. +Routine get_cmd() uses DMA to read scsi commands into this buffer. +Add check to validate DMA length against buffer size to avoid any +overrun. + +Fixes CVE-2016-4441 +Reported-by: Li Qiang + +Signed-off-by: Prasad J Pandit +--- + hw/scsi/esp.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c +index 01497e6..591c817 100644 +--- a/tools/qemu-xen/hw/scsi/esp.c ++++ b/tools/qemu-xen/hw/scsi/esp.c +@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) + } + } + +-static uint32_t get_cmd(ESPState *s, uint8_t *buf) ++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + { + uint32_t dmalen; + int target; +@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) + dmalen = s->rregs[ESP_TCLO]; + dmalen |= s->rregs[ESP_TCMID] << 8; + dmalen |= s->rregs[ESP_TCHI] << 16; ++ if (dmalen > buflen) { ++ return 0; ++ } + s->dma_memory_read(s->dma_opaque, buf, dmalen); + } else { + dmalen = s->ti_size; +@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) + s->dma_cb = handle_satn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) + do_cmd(s, buf); + } +@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) + s->dma_cb = handle_s_without_atn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) { + do_busid_cmd(s, buf, 0); + } +@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) 
+ s->dma_cb = handle_satn_stop; + return; + } +- s->cmdlen = get_cmd(s, s->cmdbuf); ++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); + if (s->cmdlen) { + trace_esp_handle_satn_stop(s->cmdlen); + s->do_cmd = 1; +-- +2.5.5 + diff --git a/qemu.CVE-2016-5105.patch b/qemu.CVE-2016-5105.patch new file mode 100644 index 0000000..47f0d16 --- /dev/null +++ b/qemu.CVE-2016-5105.patch @@ -0,0 +1,40 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH v2] scsi: megasas: initialise local +configuration data buffer +*Date*: Wed, 25 May 2016 17:41:44 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +When reading MegaRAID SAS controller configuration via MegaRAID +Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read +uses an uninitialised local data buffer. Initialise this buffer +to avoid stack information leakage. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Update as per + -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04402.html + +diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c +index dcbd3e1..bf642d4 100644 +--- a/tools/qemu-xen/hw/scsi/megasas.c ++++ b/tools/qemu-xen/hw/scsi/megasas.c +@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd) + + static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + { +- uint8_t data[4096]; ++ uint8_t data[4096] = { 0 }; + struct mfi_config_data *info; + int num_pd_disks = 0, array_offset, ld_offset; + BusChild *kid; +-- +2.5.5 + diff --git a/qemu.CVE-2016-5106.patch b/qemu.CVE-2016-5106.patch new file mode 100644 index 0000000..baca1f1 --- /dev/null +++ b/qemu.CVE-2016-5106.patch 
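Review bot: `get_cmd` now returns 0 when `dmalen > buflen` without recording anything, so an oversized transfer count programmed into TCLO/TCMID/TCHI is dropped silently, whereas the FIFO path in the same file reports the condition through `trace_esp_error_fifo_overrun()`; calling it before the `return 0;` keeps the two overrun paths equally visible in traces. The new parameter is `uint8_t buflen`, which fits the `sizeof(buf)` and `sizeof(s->cmdbuf)` values passed here but would silently truncate a buffer of 256 bytes or more if another caller were added — `size_t buflen` matches what `sizeof` yields. The traditional backport in qemu.trad.CVE-2016-4441.patch shares both points, with `ESP_ERROR("fifo overrun\n")` as its reporting macro. `get_cmd` and each of the three patched callers continue outside their hunks.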
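Review bot: This patch file carries only mailing-list headers (`*From*`, `*Subject*`, `*Date*` and an `Update as per -> https://lists.gnu.org/...` pointer) and no upstream commit id, unlike xsa180-qemut.patch and xsa180-qemuu.patch, which open with a `From <sha>` line, so a later rebase cannot check that this v2 posting is what QEMU eventually merged. A line such as `Upstream commit: <commit-id once merged>` (placeholder) above the `diff --git` header would give that reference; `patch -p1` ignores leading text. The same applies to qemu.CVE-2016-4439.patch, qemu.CVE-2016-4441.patch, qemu.CVE-2016-5106.patch and the two qemu.trad.* copies. The `uint8_t data[4096] = { 0 };` change itself is the expected fix for the uninitialised stack buffer.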
@@ -0,0 +1,37 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH 1/3] scsi: megasas: use appropriate +property buffer size +*Date*: Wed, 25 May 2016 16:01:29 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +When setting MegaRAID SAS controller properties via MegaRAID +Firmware Interface(MFI) commands, a user supplied size parameter +is used to set property value. Use appropriate size value to avoid +OOB access issues. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c +index a63a581..dcbd3e1 100644 +--- a/tools/qemu-xen/hw/scsi/megasas.c ++++ b/tools/qemu-xen/hw/scsi/megasas.c +@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg); ++ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +-- +2.5.5 + diff --git a/qemu.trad.CVE-2016-4439.patch b/qemu.trad.CVE-2016-4439.patch new file mode 100644 index 0000000..6816695 --- /dev/null +++ b/qemu.trad.CVE-2016-4439.patch 
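Review bot: After the change writes `dcmd_size` bytes, the following `trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);` still logs the guest-supplied `cmd->iov_size`, so a trace of this path shows the requested length rather than the length actually copied into `info`; tracing `dcmd_size` alongside it (which means extending the trace event's arguments) would let an operator correlate the two when a guest sends an oversized request. The guard that rejects undersized requests appears to be the `return MFI_STAT_INVALID_PARAMETER;` just above, but its condition lies outside the hunk, so whether `dcmd_size` is fixed at `sizeof(info)` cannot be confirmed from here. `megasas_dcmd_set_properties` starts outside the hunk.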
@@ -0,0 +1,44 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH 1/2] scsi: check command buffer length +before write(CVE-2016-4439) +*Date*: Thu, 19 May 2016 16:09:30 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. While +writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check +was missing to validate input length. Add check to avoid OOB write +access. + +Fixes CVE-2016-4439 +Reported-by: Li Qiang + +Signed-off-by: Prasad J Pandit +--- + hw/scsi/esp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/qemu-xen-traditional/hw/esp.c b/tools/qemu-xen-traditional/hw/esp.c +index 8961be2..01497e6 100644 +--- a/tools/qemu-xen-traditional/hw/esp.c ++++ b/tools/qemu-xen-traditional/hw/esp.c +@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) + break; + case ESP_FIFO: + if (s->do_cmd) { +- s->cmdbuf[s->cmdlen++] = val & 0xff; ++ if (s->cmdlen < TI_BUFSZ) { ++ s->cmdbuf[s->cmdlen++] = val & 0xff; ++ } else { ++ ESP_ERROR("fifo overrun\n"); ++ } + } else if (s->ti_size == TI_BUFSZ - 1) { + ESP_ERROR("fifo overrun\n"); + } else { +-- +2.5.5 + diff --git a/qemu.trad.CVE-2016-4441.patch b/qemu.trad.CVE-2016-4441.patch new file mode 100644 index 0000000..fab6a35 --- /dev/null +++ b/qemu.trad.CVE-2016-4441.patch 
@@ -0,0 +1,68 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH 2/2] scsi: check dma length before +reading scsi command(CVE-2016-4441) +*Date*: Thu, 19 May 2016 16:09:31 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. +Routine get_cmd() uses DMA to read scsi commands into this buffer. +Add check to validate DMA length against buffer size to avoid any +overrun. + +Fixes CVE-2016-4441 +Reported-by: Li Qiang + +Signed-off-by: Prasad J Pandit +--- + hw/scsi/esp.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/tools/qemu-xen-traditional/hw/esp.c b/tools/qemu-xen-traditional/hw/esp.c +index 01497e6..591c817 100644 +--- a/tools/qemu-xen-traditional/hw/esp.c ++++ b/tools/qemu-xen-traditional/hw/esp.c +@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) + } + } + +-static uint32_t get_cmd(ESPState *s, uint8_t *buf) ++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + { + uint32_t dmalen; + int target; +@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) + target = s->wregs[ESP_WBUSID] & BUSID_DID; + if (s->dma) { + dmalen = s->rregs[ESP_TCLO] | (s->rregs[ESP_TCMID] << 8); ++ if (dmalen > buflen) { ++ return 0; ++ } + s->dma_memory_read(s->dma_opaque, buf, dmalen); + } else { + dmalen = s->ti_size; +@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) + uint8_t buf[32]; + int len; + +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) + do_cmd(s, buf); + } +@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) + + static void handle_satn_stop(ESPState *s) + { +- s->cmdlen = get_cmd(s, s->cmdbuf); ++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); + if (s->cmdlen) { + DPRINTF("Set ATN & Stop: 
cmdlen %d\n", s->cmdlen); + s->do_cmd = 1; +-- +2.5.5 + diff --git a/xen.modules.tidy.patch b/xen.modules.tidy.patch deleted file mode 100644 index 35cf6f8..0000000 --- a/xen.modules.tidy.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- xen-4.6.1/tools/configure.orig 2016-05-14 19:41:52.823267045 +0100 -+++ xen-4.6.1/tools/configure 2016-05-14 19:54:54.847929632 +0100 -@@ -4125,15 +4125,8 @@ - xen-blkback - xen-netback - xen-pciback --evtchn --gntdev --netbk --blkbk --xen-scsibk --usbbk --pciback -+xen-scsiback - xen-acpi-processor --blktap2 - " - ;; - *) diff --git a/xen.spec b/xen.spec index acb38e4..8027f04 100644 --- a/xen.spec +++ b/xen.spec @@ -51,7 +51,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.6.1 -Release: 9%{?dist} +Release: 10%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -150,8 +150,15 @@ Patch108: xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch Patch109: xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch Patch110: xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch Patch111: xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch -Patch112: xen.modules.tidy.patch Patch113: xsa176.patch +Patch114: xsa180-qemut.patch +Patch115: xsa180-qemuu.patch +Patch116: qemu.CVE-2016-4439.patch +Patch117: qemu.trad.CVE-2016-4439.patch +Patch118: qemu.CVE-2016-4441.patch +Patch119: qemu.trad.CVE-2016-4441.patch +Patch120: qemu.CVE-2016-5106.patch +Patch121: qemu.CVE-2016-5105.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -403,8 +410,15 @@ manage Xen virtual machines. %patch109 -p1 %patch110 -p1 %patch111 -p1 -%patch112 -p1 %patch113 -p1 +%patch114 -p1 +%patch115 -p1 +%patch116 -p1 +%patch117 -p1 +%patch118 -p1 +%patch119 -p1 +%patch120 -p1 +%patch121 -p1 # stubdom sources cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom 
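Review bot: The diffstat in this patch's header, `hw/scsi/esp.c | 11 +++++++----` with `7 insertions(+), 4 deletions(-)`, and the `index 01497e6..591c817` line are copied from the qemu-xen variant, while the hunks actually present total 6 insertions and 3 deletions and contain no `handle_s_without_atn` hunk. `patch -p1` ignores both, so the backport applies, but the mismatch hides a real question: if the traditional esp.c still has a third `get_cmd` caller using the old two-argument form, the build fails rather than silently misbehaving, which is worth confirming in the qemu-xen-traditional tree. Regenerating the header from the backport itself (`diffstat` or `git diff --stat`) keeps the file honest. The same copied `index` line appears in qemu.trad.CVE-2016-4439.patch.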
@@ -426,7 +440,7 @@ mkdir -p dist/install/boot/efi/efi/fedora export XEN_VENDORVERSION="-%{release}" export CFLAGS="$RPM_OPT_FLAGS" make %{?_smp_mflags} %{?efi_flags} prefix=/usr dist-xen -./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-system-seabios=%{seabiosloc} --with-system-qemu=/usr/bin/qemu-system-i386 +./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-system-seabios=%{seabiosloc} --with-system-qemu=/usr/bin/qemu-system-i386 --with-linux-backend-modules="xen-evtchn xen-gntdev xen-gntalloc xen-blkback xen-netback xen-pciback xen-scsiback xen-acpi-processor" make %{?_smp_mflags} %{?ocaml_flags} prefix=/usr dist-tools make prefix=/usr dist-docs unset CFLAGS @@ -934,6 +948,18 @@ rm -rf %{buildroot} %endif %changelog +* Sat May 28 2016 Michael Young - 4.6.1-10 +- cleaner way to set kernel module load list +- Unrestricted qemu logging [XSA-180, CVE-2014-3672] (#1339125) +- Qemu: scsi: esp: OOB write while writing to 's->cmdbuf' in esp_reg_write + [CVE-2016-4439] (#1337502) +- Qemu: scsi: esp: OOB write while writing to 's->cmdbuf' in get_cmd + [CVE-2016-4441] (#1337505) +- Qemu: scsi: megasas: out-of-bounds write while setting controller properties + [CVE-2016-5106] (#1339578) +- Qemu: scsi: megasas: stack information leakage while reading configuration + [CVE-2016-5105] (#1339583) + * Tue May 17 2016 Michael Young - 4.6.1-9 - xen no longer crashes when built without -fno-tree-coalesce-vars - in systemd only try to load kernel modules that are in Fedora (#1291089) diff --git a/xsa180-qemut.patch b/xsa180-qemut.patch new file mode 100644 index 0000000..9903b64 --- /dev/null +++ b/xsa180-qemut.patch 
@@ -0,0 +1,88 @@ +From 7490dab5c1a01b1623e9d87bdc653cb4f963dd8a Mon Sep 17 00:00:00 2001 +From: Ian Jackson +Date: Thu, 19 May 2016 19:38:35 +0100 +Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups + +Each time round the main loop, we now fstat stderr. If it is too big, +we dup2 /dev/null onto it. This is not a very pretty patch but it is +very simple, easy to see that it's correct, and has a low risk of +collateral damage. + +The limit is 1Mby by default but can be adjusted by setting a new +environment variable. + +This fixes CVE-2014-3672. + +Signed-off-by: Ian Jackson +Tested-by: Ian Jackson +--- + vl.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) + +diff --git a/tools/qemu-xen-traditional/vl.c b/tools/qemu-xen-traditional/vl.c +index c864e7d..d7ef742 100644 +--- a/tools/qemu-xen-traditional/vl.c ++++ b/tools/qemu-xen-traditional/vl.c +@@ -3752,6 +3752,50 @@ static void host_main_loop_wait(int *timeout) + } + #endif + ++static void check_cve_2014_3672_xen(void) ++{ ++ static unsigned long limit = ~0UL; ++ const int fd = 2; ++ struct stat stab; ++ ++ if (limit == ~0UL) { ++ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); ++ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ ++ limit = s ? strtoul(s,0,0) : 1*1024*1024; ++ } ++ if (limit == 0) ++ return; ++ ++ int r = fstat(fd, &stab); ++ if (r) { ++ perror("fstat stderr (for CVE-2014-3672 check)"); ++ exit(-1); ++ } ++ if (!S_ISREG(stab.st_mode)) ++ return; ++ if (stab.st_size <= limit) ++ return; ++ ++ /* oh dear */ ++ fprintf(stderr,"\r\n" ++ "Closing stderr due to CVE-2014-3672 limit. 
" ++ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," ++ " or 0 for no limit.\n"); ++ fflush(stderr); ++ ++ int nfd = open("/dev/null", O_WRONLY); ++ if (nfd < 0) { ++ perror("open /dev/null (for CVE-2014-3672 check)"); ++ exit(-1); ++ } ++ r = dup2(nfd, fd); ++ if (r != fd) { ++ perror("dup2 /dev/null (for CVE-2014-3672 check)"); ++ exit(-1); ++ } ++ close(nfd); ++} ++ + void main_loop_wait(int timeout) + { + IOHandlerRecord *ioh; +@@ -3763,6 +3807,8 @@ void main_loop_wait(int timeout) + + host_main_loop_wait(&timeout); + ++ check_cve_2014_3672_xen(); ++ + /* poll any events */ + /* XXX: separate device handlers from system ones */ + nfds = -1; +-- +1.7.10.4 + diff --git a/xsa180-qemuu.patch b/xsa180-qemuu.patch new file mode 100644 index 0000000..cee4de5 --- /dev/null +++ b/xsa180-qemuu.patch 
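Review bot: `limit = s ? strtoul(s,0,0) : 1*1024*1024;` accepts whatever `XEN_QEMU_CONSOLE_LIMIT` contains without checking the conversion, and because `0` is documented on the line above as "no limit", a mistyped or non-numeric value (which `strtoul` converts to 0) silently switches the mitigation off. Parsing with an end pointer and `errno`, and falling back to the 1 MiB default when the string is not fully consumed or overflows, would fail closed; a value that converts to `ULONG_MAX` also collides with the `~0UL` "not yet parsed" sentinel and makes the `getenv` run on every pass of the loop. Minor: `stab.st_size <= limit` compares the signed `off_t` with an `unsigned long` (harmless for a non-negative size, but worth a cast), and `exit(-1)` yields status 255 where `exit(1)` is conventional. The same function body is added by xsa180-qemuu.patch and these points apply there too.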
@@ -0,0 +1,101 @@ +From f4ebdf08f3eaaf2026adeaee5b8e520b08bb5e11 Mon Sep 17 00:00:00 2001 +From: Ian Jackson +Date: Thu, 19 May 2016 15:43:33 +0100 +Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups + +Each time round the main loop, we now fstat stderr. If it is too big, +we dup2 /dev/null onto it. This is not a very pretty patch but it is +very simple, easy to see that it's correct, and has a low risk of +collateral damage. + +The limit is 1Mby by default but can be adjusted by setting a new +environment variable. + +This fixes CVE-2014-3672. + +Signed-off-by: Ian Jackson +Tested-by: Ian Jackson +--- +v2: Make it actually compile. Fix a typo in the message. + Move the check_cve_2014_3672_xen up in the file, so that we can: + Call check_cve_2014_3672_xen in the other copy of the main loop (!) +--- + main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/tools/qemu-xen/main-loop.c b/tools/qemu-xen/main-loop.c +index 3997043..4ac089e 100644 +--- a/tools/qemu-xen/main-loop.c ++++ b/tools/qemu-xen/main-loop.c +@@ -164,6 +164,50 @@ int qemu_init_main_loop(Error **errp) + return 0; + } + ++static void check_cve_2014_3672_xen(void) ++{ ++ static unsigned long limit = ~0UL; ++ const int fd = 2; ++ struct stat stab; ++ ++ if (limit == ~0UL) { ++ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); ++ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ ++ limit = s ? strtoul(s,0,0) : 1*1024*1024; ++ } ++ if (limit == 0) ++ return; ++ ++ int r = fstat(fd, &stab); ++ if (r) { ++ perror("fstat stderr (for CVE-2014-3672 check)"); ++ exit(-1); ++ } ++ if (!S_ISREG(stab.st_mode)) ++ return; ++ if (stab.st_size <= limit) ++ return; ++ ++ /* oh dear */ ++ fprintf(stderr,"\r\n" ++ "Closing stderr due to CVE-2014-3672 limit. 
" ++ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," ++ " or 0 for no limit.\n"); ++ fflush(stderr); ++ ++ int nfd = open("/dev/null", O_WRONLY); ++ if (nfd < 0) { ++ perror("open /dev/null (for CVE-2014-3672 check)"); ++ exit(-1); ++ } ++ r = dup2(nfd, fd); ++ if (r != fd) { ++ perror("dup2 /dev/null (for CVE-2014-3672 check)"); ++ exit(-1); ++ } ++ close(nfd); ++} ++ + static int max_priority; + + #ifndef _WIN32 +@@ -216,6 +260,8 @@ static int os_host_main_loop_wait(int64_t timeout) + int ret; + static int spin_counter; + ++ check_cve_2014_3672_xen(); ++ + glib_pollfds_fill(&timeout); + + /* If the I/O thread is very busy or we are incorrectly busy waiting in +@@ -407,6 +453,8 @@ static int os_host_main_loop_wait(int64_t timeout) + fd_set rfds, wfds, xfds; + int nfds; + ++ check_cve_2014_3672_xen(); ++ + /* XXX: need to suppress polling by better using win32 events */ + ret = 0; + for (pe = first_polling_entry; pe != NULL; pe = pe->next) { +-- +1.7.10.4 +
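Review bot: The second call site, in the hunk at `@@ -407,6 +453,8 @@`, is the `_WIN32` copy of `os_host_main_loop_wait` (the "win32 events" comment beneath it marks it), and the function itself is defined above `#ifndef _WIN32`, so it is compiled and executed there too; on that platform `open("/dev/null", O_WRONLY)` is unlikely to succeed, and once stderr is a regular file past the limit the failed open turns the log-size mitigation into an `exit(-1)` of the emulator. Presumably Xen builds never target win32, but if the intent is POSIX-only, wrapping the definition and both calls in `#ifndef _WIN32`, or giving the win32 copy a platform null device, makes that explicit. Both copies of `os_host_main_loop_wait` start and end outside their hunks.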