XSA-71

CVE-2013-4375


Problem description

http://xenbits.xen.org/xsa/advisory-71.html

qemu disk backend (qdisk) resource leak

The qdisk PV disk backend in the qemu-xen flavour of qemu (upstream qemu) can be influenced by a malicious frontend to leak mapped grant references.

Logic error (flag not marked): when mapping one of the request's grant references fails part-way through the loop, the error path calls ioreq_unmap without having set the ioreq's mapped flag, and ioreq_unmap treats an unmarked ioreq as holding nothing to release. The grants mapped before the failure are therefore never unmapped.


Patch description

http://xenbits.xen.org/xsa/xsa71-qemu-xen-4.2.patch

xen_disk: mark ioreq as mapped before unmapping in error case

The frontend user can force xen_disk to leak grant mappings, a per-backend-domain limited resource.

Fix by marking the ioreq as mapped before calling ioreq_unmap in this situation.

--- a/hw/xen_disk.c
+++ b/hw/xen_disk.c
@@ -299,6 +299,7 @@ static int ioreq_map(struct ioreq *ioreq)
                 xen_be_printf(&ioreq->blkdev->xendev, 0,
                               "can't map grant ref %d (%s, %d maps)\n",
                               ioreq->refs[i], strerror(errno), ioreq->blkdev->cnt_map);
+                ioreq->mapped = 1;
                 ioreq_unmap(ioreq);
                 return -1;
             }
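Review bot: setting ioreq->mapped = 1 at index i hands ioreq_unmap an ioreq whose entries from i onward were never mapped (page[i] itself is NULL at this point), so the fix is only correct if ioreq_unmap skips entries that hold no mapping and adjusts cnt_map only for the ones it actually releases; that precondition is not visible in this hunk and deserves a one-line comment above the assignment, e.g. `/* release the refs mapped so far; ioreq_unmap skips unmapped entries */`. The assignment also changes the meaning of `mapped` from "all segments mapped" to "has mappings to release", which is fine for this caller but worth noting where the flag is declared.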

Consequence

Mapped grant references are a limited per-backend-domain resource, so a malicious HVM guest that repeatedly submits block requests whose grants fail to map can exhaust the backend domain's supply. Once that happens, no further grants can be mapped for any domain served by that driver domain, which is a denial of service against all of them.

DoS
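To make the leak concrete, the following C model reproduces the shape of the error path described above (the unmarked ioreq in the problem description, the one-line fix in the patch description, and the exhaustion in the consequence). It is an added illustration, not code from qemu, Xen or the advisory: `stub_map`, `run_attack`, the `budget` field and the sample requests are constructed for this example, and the modelled `ioreq_unmap` assumes, as the patch relies on, that entries without a mapping are skipped.

```c
/* Added model of the XSA-71 error path; not qemu code. stub_map, run_attack,
 * budget and the request contents are constructed for the illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 11           /* segments per block request, as in blkif */

struct backend {
    int cnt_map;              /* mappings currently held (cf. blkdev->cnt_map) */
    int budget;               /* constructed stand-in for the per-domain grant limit */
};

struct ioreq {
    struct backend *be;
    int niov;
    int refs[MAX_SEGS];       /* grant refs chosen by the frontend */
    void *page[MAX_SEGS];     /* per-segment mapping, NULL if not mapped */
    int mapped;               /* the flag the XSA-71 fix sets early */
};

static char fake_pages[MAX_SEGS];

/* Stand-in for xc_gnttab_map_grant_ref: a negative ref models a bogus grant
 * from the frontend; the call also fails once the backend's budget is spent. */
static void *stub_map(struct backend *be, int ref, int idx)
{
    if (ref < 0 || be->cnt_map >= be->budget)
        return NULL;
    return &fake_pages[idx];
}

/* Shape of ioreq_unmap: an ioreq never marked as mapped is assumed to hold
 * nothing and is skipped (the guard the buggy error path runs into).
 * Assumption: segments with a NULL page were never mapped and are skipped. */
static void ioreq_unmap(struct ioreq *ioreq)
{
    if (ioreq->niov == 0 || ioreq->mapped == 0)
        return;
    for (int i = 0; i < ioreq->niov; i++) {
        if (ioreq->page[i] == NULL)
            continue;
        ioreq->page[i] = NULL;
        ioreq->be->cnt_map--;
    }
    ioreq->mapped = 0;
}

/* Per-segment map loop. fixed == false is the pre-XSA-71 error path,
 * fixed == true applies the one-line patch. */
static int ioreq_map(struct ioreq *ioreq, bool fixed)
{
    for (int i = 0; i < ioreq->niov; i++) {
        ioreq->page[i] = stub_map(ioreq->be, ioreq->refs[i], i);
        if (ioreq->page[i] == NULL) {
            if (fixed)
                ioreq->mapped = 1;        /* XSA-71: let ioreq_unmap do its job */
            ioreq_unmap(ioreq);           /* without the flag this is a no-op */
            return -1;
        }
        ioreq->be->cnt_map++;
    }
    ioreq->mapped = 1;
    return 0;
}

/* Constructed 4-segment request; a poisoned one has an unmappable last grant. */
static void build_request(struct ioreq *req, struct backend *be, bool poisoned)
{
    memset(req, 0, sizeof *req);
    req->be = be;
    req->niov = 4;
    for (int i = 0; i < req->niov; i++)
        req->refs[i] = 100 + i;
    if (poisoned)
        req->refs[req->niov - 1] = -1;
}

/* A malicious frontend submits `rounds` poisoned requests, then a well-behaved
 * frontend (the victim) submits one valid request and releases it.
 * Returns the mappings the backend still holds (0 means no leak) and reports
 * through *victim_ok whether the victim's request could be mapped at all. */
int run_attack(int rounds, bool fixed, bool *victim_ok)
{
    struct backend be = { .cnt_map = 0, .budget = 64 };
    struct ioreq req;

    for (int r = 0; r < rounds; r++) {
        build_request(&req, &be, true);
        ioreq_map(&req, fixed);           /* always fails; unpatched, leaks 3 */
    }

    build_request(&req, &be, false);
    *victim_ok = ioreq_map(&req, fixed) == 0;
    ioreq_unmap(&req);
    return be.cnt_map;
}

int main(void)
{
    bool ok;
    int leaked = run_attack(100, false, &ok);
    printf("unpatched: %d mappings held, victim %s\n", leaked, ok ? "served" : "denied");
    leaked = run_attack(100, true, &ok);
    printf("patched:   %d mappings held, victim %s\n", leaked, ok ? "served" : "denied");
    return 0;
}
```

Each poisoned request leaks the three grants mapped before the bad one, so on the unpatched path the backend's budget of 64 fills after a couple of dozen requests and the victim's perfectly valid request is refused; with the flag set before the unmap, every round returns to zero held mappings and the victim is served.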