[qemu-xen master] main loop: Big hammer to fix logfile disk DoS in Xen setups

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[qemu-xen master] main loop: Big hammer to fix logfile disk DoS in Xen setups

patchbot
commit 269381bb635692856aa8789a3f322e543e0c648d
Author:     Ian Jackson <[hidden email]>
AuthorDate: Thu May 26 16:21:56 2016 +0100
Commit:     Anthony PERARD <[hidden email]>
CommitDate: Wed Aug 2 16:01:41 2017 +0100

    main loop: Big hammer to fix logfile disk DoS in Xen setups
   
    Each time round the main loop, we now fstat stderr.  If it is too big,
    we dup2 /dev/null onto it.  This is not a very pretty patch but it is
    very simple, easy to see that it's correct, and has a low risk of
    collateral damage.
   
    There is no limit by default but can be adjusted by setting a new
    environment variable.
   
    This fixes CVE-2014-3672.
   
    Signed-off-by: Ian Jackson <[hidden email]>
    Tested-by: Ian Jackson <[hidden email]>
   
    Set the default to 0 so that it won't affect non-xen installation. The
    limit will be set by Xen toolstack.
   
    Signed-off-by: Wei Liu <[hidden email]>
    Acked-by: Ian Jackson <[hidden email]>
    Acked-by: Anthony PERARD <[hidden email]>
    (cherry picked from commit 44a072f0de0d57c95c2212bbce02888832b7b74f)
---
 util/main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/util/main-loop.c b/util/main-loop.c
index 19cad6b..a51cade 100644
--- a/util/main-loop.c
+++ b/util/main-loop.c
@@ -169,6 +169,50 @@ int qemu_init_main_loop(Error **errp)
     return 0;
 }
 
+static void check_cve_2014_3672_xen(void)
+{
+    static unsigned long limit = ~0UL;
+    const int fd = 2;
+    struct stat stab;
+
+    if (limit == ~0UL) {
+        const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+        /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+        limit = s ? strtoul(s,0,0) : 0;
+    }
+    if (limit == 0)
+        return;
+
+    int r = fstat(fd, &stab);
+    if (r) {
+        perror("fstat stderr (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    if (!S_ISREG(stab.st_mode))
+        return;
+    if (stab.st_size <= limit)
+        return;
+
+    /* oh dear */
+    fprintf(stderr,"\r\n"
+            "Closing stderr due to CVE-2014-3672 limit. "
+            " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+            " or 0 for no limit.\n");
+    fflush(stderr);
+
+    int nfd = open("/dev/null", O_WRONLY);
+    if (nfd < 0) {
+        perror("open /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    r = dup2(nfd, fd);
+    if (r != fd) {
+        perror("dup2 /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    close(nfd);
+}
+
 static int max_priority;
 
 #ifndef _WIN32
@@ -224,6 +268,8 @@ static int os_host_main_loop_wait(int64_t timeout)
 
     g_main_context_acquire(context);
 
+    check_cve_2014_3672_xen();
+
     glib_pollfds_fill(&timeout);
 
     /* If the I/O thread is very busy or we are incorrectly busy waiting in
@@ -420,6 +466,8 @@ static int os_host_main_loop_wait(int64_t timeout)
 
     g_main_context_acquire(context);
 
+    check_cve_2014_3672_xen();
+
     /* XXX: need to suppress polling by better using win32 events */
     ret = 0;
     for (pe = first_polling_entry; pe != NULL; pe = pe->next) {
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master

_______________________________________________
Xen-changelog mailing list
[hidden email]
https://lists.xenproject.org/xen-changelog
Loading...