XSA-56

CVE-2013-2072


问题描述

http://xenbits.xen.org/xsa/advisory-56.html

Buffer overflow in xencontrol Python bindings affecting xend

The Python bindings for the xcvcpusetaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer overrun and corrupt memory.

buffer overflow


Patch描述

http://xenbits.xen.org/xsa/xsa56.patch

libxc: limit cpu values when setting vcpu affinity

When support for pinning more than 64 cpus was added, check for cpu out-of-range values was removed. This can lead to subsequent out-of-bounds cpumap array accesses in case the cpu number is higher than the actual count.

--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
     int vcpu = 0, i;
     xc_cpumap_t cpumap;
     PyObject *cpulist = NULL;
+    int nr_cpus;
 
     static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
 
@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
                                       &dom, &vcpu, &cpulist) )
         return NULL;
 
+    nr_cpus = xc_get_max_cpus(self->xc_handle);
+    if ( nr_cpus == 0 )
+        return pyxc_error_to_exception(self->xc_handle);
+
     cpumap = xc_cpumap_alloc(self->xc_handle);
     if(cpumap == NULL)
         return pyxc_error_to_exception(self->xc_handle);
@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
         for ( i = 0; i < PyList_Size(cpulist); i++ ) 
         {
             long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
+            if ( cpu < 0 || cpu >= nr_cpus )
+            {
+                free(cpumap);
+                errno = EINVAL;
+                PyErr_SetFromErrno(xc_error_obj);
+                return NULL;
+            }
             cpumap[cpu / 8] |= 1 << (cpu % 8);
         }
     }

Consequence

Exploiting this issue leads to memory corruption which may result in a DoS against the system by crashing the toolstack.

memory corruption, DoS