CVE-2013-2072
http://xenbits.xen.org/xsa/advisory-56.html
Buffer overflow in xencontrol Python bindings affecting xend
The Python bindings for the xcvcpusetaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer overrun and corrupt memory.
buffer overflow
http://xenbits.xen.org/xsa/xsa56.patch
libxc: limit cpu values when setting vcpu affinity
When support for pinning more than 64 cpus was added, check for cpu out-of-range values was removed. This can lead to subsequent out-of-bounds cpumap array accesses in case the cpu number is higher than the actual count.
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
int vcpu = 0, i;
xc_cpumap_t cpumap;
PyObject *cpulist = NULL;
+ int nr_cpus;
static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
&dom, &vcpu, &cpulist) )
return NULL;
+ nr_cpus = xc_get_max_cpus(self->xc_handle);
+ if ( nr_cpus == 0 )
+ return pyxc_error_to_exception(self->xc_handle);
+
cpumap = xc_cpumap_alloc(self->xc_handle);
if(cpumap == NULL)
return pyxc_error_to_exception(self->xc_handle);
@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
for ( i = 0; i < PyList_Size(cpulist); i++ )
{
long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
+ if ( cpu < 0 || cpu >= nr_cpus )
+ {
+ free(cpumap);
+ errno = EINVAL;
+ PyErr_SetFromErrno(xc_error_obj);
+ return NULL;
+ }
cpumap[cpu / 8] |= 1 << (cpu % 8);
}
}Exploiting this issue leads to memory corruption which may result in a DoS against the system by crashing the toolstack.
memory corruption, DoS