commit 1cf02b05b27c48775a25699e61b93b814b9ae042
Author: Ian Jackson <ian.jackson@eu.citrix.com>
AuthorDate: Thu May 26 16:21:56 2016 +0100
Commit: Anthony PERARD <anthony.perard@gmail.com>
CommitDate: Thu Dec 15 15:19:18 2022 +0000
main loop: Big hammer to fix logfile disk DoS in Xen setups
Each time round the main loop, we now fstat stderr. If it is too big,
we dup2 /dev/null onto it. This is not a very pretty patch but it is
very simple, easy to see that it's correct, and has a low risk of
collateral damage.
There is no limit by default but can be adjusted by setting a new
environment variable.
This fixes CVE-2014-3672.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Set the default to 0 so that it won't affect non-xen installation. The
limit will be set by Xen toolstack.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
(cherry picked from commit 44a072f0de0d57c95c2212bbce02888832b7b74f)
(cherry picked from commit 269381bb635692856aa8789a3f322e543e0c648d)
---
util/main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/util/main-loop.c b/util/main-loop.c
index 10fa74c6e3..7dfb95e3c5 100644
--- a/util/main-loop.c
+++ b/util/main-loop.c
@@ -186,6 +186,50 @@ int qemu_init_main_loop(Error **errp)
return 0;
}
+static void check_cve_2014_3672_xen(void)
+{
+ static unsigned long limit = ~0UL;
+ const int fd = 2;
+ struct stat stab;
+
+ if (limit == ~0UL) {
+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+ limit = s ? strtoul(s,0,0) : 0;
+ }
+ if (limit == 0)
+ return;
+
+ int r = fstat(fd, &stab);
+ if (r) {
+ perror("fstat stderr (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ if (!S_ISREG(stab.st_mode))
+ return;
+ if (stab.st_size <= limit)
+ return;
+
+ /* oh dear */
+ fprintf(stderr,"\r\n"
+ "Closing stderr due to CVE-2014-3672 limit. "
+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+ " or 0 for no limit.\n");
+ fflush(stderr);
+
+ int nfd = open("/dev/null", O_WRONLY);
+ if (nfd < 0) {
+ perror("open /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ r = dup2(nfd, fd);
+ if (r != fd) {
+ perror("dup2 /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ close(nfd);
+}
+
static void main_loop_update_params(EventLoopBase *base, Error **errp)
{
ERRP_GUARD();
@@ -307,6 +351,8 @@ static int os_host_main_loop_wait(int64_t timeout)
g_main_context_acquire(context);
+ check_cve_2014_3672_xen();
+
glib_pollfds_fill(&timeout);
qemu_mutex_unlock_iothread();
@@ -489,6 +535,8 @@ static int os_host_main_loop_wait(int64_t timeout)
g_main_context_acquire(context);
+ check_cve_2014_3672_xen();
+
/* XXX: need to suppress polling by better using win32 events */
ret = 0;
for (pe = first_polling_entry; pe != NULL; pe = pe->next) {
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master
Author: Ian Jackson <ian.jackson@eu.citrix.com>
AuthorDate: Thu May 26 16:21:56 2016 +0100
Commit: Anthony PERARD <anthony.perard@gmail.com>
CommitDate: Thu Dec 15 15:19:18 2022 +0000
main loop: Big hammer to fix logfile disk DoS in Xen setups
Each time round the main loop, we now fstat stderr. If it is too big,
we dup2 /dev/null onto it. This is not a very pretty patch but it is
very simple, easy to see that it's correct, and has a low risk of
collateral damage.
There is no limit by default but can be adjusted by setting a new
environment variable.
This fixes CVE-2014-3672.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Set the default to 0 so that it won't affect non-xen installation. The
limit will be set by Xen toolstack.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
(cherry picked from commit 44a072f0de0d57c95c2212bbce02888832b7b74f)
(cherry picked from commit 269381bb635692856aa8789a3f322e543e0c648d)
---
util/main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/util/main-loop.c b/util/main-loop.c
index 10fa74c6e3..7dfb95e3c5 100644
--- a/util/main-loop.c
+++ b/util/main-loop.c
@@ -186,6 +186,50 @@ int qemu_init_main_loop(Error **errp)
return 0;
}
+static void check_cve_2014_3672_xen(void)
+{
+ static unsigned long limit = ~0UL;
+ const int fd = 2;
+ struct stat stab;
+
+ if (limit == ~0UL) {
+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+ limit = s ? strtoul(s,0,0) : 0;
+ }
+ if (limit == 0)
+ return;
+
+ int r = fstat(fd, &stab);
+ if (r) {
+ perror("fstat stderr (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ if (!S_ISREG(stab.st_mode))
+ return;
+ if (stab.st_size <= limit)
+ return;
+
+ /* oh dear */
+ fprintf(stderr,"\r\n"
+ "Closing stderr due to CVE-2014-3672 limit. "
+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+ " or 0 for no limit.\n");
+ fflush(stderr);
+
+ int nfd = open("/dev/null", O_WRONLY);
+ if (nfd < 0) {
+ perror("open /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ r = dup2(nfd, fd);
+ if (r != fd) {
+ perror("dup2 /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ close(nfd);
+}
+
static void main_loop_update_params(EventLoopBase *base, Error **errp)
{
ERRP_GUARD();
@@ -307,6 +351,8 @@ static int os_host_main_loop_wait(int64_t timeout)
g_main_context_acquire(context);
+ check_cve_2014_3672_xen();
+
glib_pollfds_fill(&timeout);
qemu_mutex_unlock_iothread();
@@ -489,6 +535,8 @@ static int os_host_main_loop_wait(int64_t timeout)
g_main_context_acquire(context);
+ check_cve_2014_3672_xen();
+
/* XXX: need to suppress polling by better using win32 events */
ret = 0;
for (pe = first_polling_entry; pe != NULL; pe = pe->next) {
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master