
List:       xen-announce
Subject:    [Xen-announce] Xen Security Advisory 68 (CVE-2013-4369) - possible null dereference when parsing vif
From:       Xen.org security team <security () xen ! org>
Date:       2013-10-10 12:22:45
Message-ID: E1VUFGP-0002YX-VB () xenbits ! xen ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4369 / XSA-68
                               version 2

     possible null dereference when parsing vif ratelimiting info

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The libxlu library function xlu_vif_parse_rate does not properly
handle inputs which consist solely of the '@' character, leading to a
NULL pointer dereference.

IMPACT
======

A toolstack which allows untrusted users to specify an arbitrary
configuration for the VIF rate can be subjected to a DoS.

The only known user of this library is the xl toolstack which does not
have a central long running daemon and therefore the impact is limited
to crashing the process which is creating the domain, which exists
only to service a single domain.

VULNERABLE SYSTEMS
==================

The vulnerable code is present from Xen 4.2 onwards.

MITIGATION
==========

Disallowing untrusted users from specifying arbitrary VIF rate limits
will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue in all branches.

xsa68.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa68*.patch
64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32  xsa68.patch
$

["xsa68.patch" (application/octet-stream)]

libxl: fix vif rate parsing

strtok can return NULL here. We don't need to use strtok anyway, so just
use a simple strchr method.

Coverity-ID: 1055642

This is CVE-2013-4369 / XSA-68

Signed-off-by: Matthew Daley <mattjd@gmail.com>

Fix type. Add test case

Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>

diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse
index 0473182..02c6dba 100755
--- a/tools/libxl/check-xl-vif-parse
+++ b/tools/libxl/check-xl-vif-parse
@@ -206,4 +206,8 @@ expected </dev/null
 one $e rate=4294967295GB/s@5us
 one $e rate=4296MB/s@4294s
 
+# test include of single '@'
+expected </dev/null
+one $e rate=@
+
 complete
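Review bot: the new case in check-xl-vif-parse covers only `rate=@`, and its comment ("test include of single '@'") does not say what outcome is expected. The strchr-based split in libxlu_vif.c also changes how neighbouring inputs are handled, so cases for an empty rate followed by an interval (`rate=@5us`) and for a trailing separator (`rate=10MB/s@`) belong next to this one. Rewording the comment along the lines of "rate consisting solely of '@' must be rejected" would make the intent clear.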
diff --git a/tools/libxl/libxlu_vif.c b/tools/libxl/libxlu_vif.c
index 3b3de0f..0665e62 100644
--- a/tools/libxl/libxlu_vif.c
+++ b/tools/libxl/libxlu_vif.c
@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, const char *rate, libxl_device_nic *nic)
     uint64_t bytes_per_sec = 0;
     uint64_t bytes_per_interval = 0;
     uint32_t interval_usecs = 50000UL; /* Default to 50ms */
-    char *ratetok, *tmprate;
+    char *p, *tmprate;
     int rc = 0;
 
     tmprate = strdup(rate);
+    if (tmprate == NULL) {
+        rc = ENOMEM;
+        goto out;
+    }
+
+    p = strchr(tmprate, '@');
+    if (p != NULL)
+        *p++ = 0;
+
     if (!strcmp(tmprate,"")) {
         xlu__vif_err(cfg, "no rate specified", rate);
         rc = EINVAL;
         goto out;
     }
 
-    ratetok = strtok(tmprate, "@");
-    rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);
+    rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);
     if (rc) goto out;
 
-    ratetok = strtok(NULL, "@");
-    if (ratetok != NULL) {
-        rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);
+    if (p != NULL) {
+        rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);
         if (rc) goto out;
     }
 
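Review bot: in the `if (p != NULL)` branch, `p` can now point at an empty string (input such as `10MB/s@`) and is passed straight to vif_parse_rate_interval_usecs; with the removed strtok calls the second token would have been NULL for that input and the 50ms default kept. Either reject an empty interval explicitly before the call, or say in the commit message that the interval parser is relied on to handle it. The new `rc = ENOMEM; goto out;` path also reaches `out` with tmprate == NULL, so the cleanup at that label (not visible in this hunk) has to tolerate that.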


_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
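
The failure mode described in the advisory and the strchr-based split the patch switches to, side by side. This is an added example, not part of the advisory or the Xen source; `strtok_first`, `split_rate`, `RATE_MAX` and the sample strings are hypothetical names and constructed inputs.

```c
#include <stdio.h>
#include <string.h>

#define RATE_MAX 64 /* constructed buffer limit for this demo */

/* Pre-fix style: take the first strtok() token of `rate`.
 * Returns 0 when strtok() yields no token (NULL), which is the value the
 * old code passed on to the rate parser for an input of only '@'. */
int strtok_first(const char *rate, char *out, size_t outlen)
{
    char tmp[RATE_MAX];
    char *tok;

    snprintf(tmp, sizeof tmp, "%s", rate);
    tok = strtok(tmp, "@");
    if (tok != NULL)
        snprintf(out, outlen, "%s", tok);
    return tok != NULL;
}

/* Post-fix style: split in place at the first '@'.
 * *interval is NULL when there is no '@', otherwise the text after it
 * (possibly empty). Returns -1 when the rate part is empty, 0 otherwise. */
int split_rate(char *buf, char **interval)
{
    char *p = strchr(buf, '@');

    if (p != NULL)
        *p++ = '\0';
    *interval = p;
    return buf[0] == '\0' ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "10MB/s@50ms", "10MB/s", "@", "@5us", "10MB/s@" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char tok[RATE_MAX] = "", buf[RATE_MAX], *iv;
        int have = strtok_first(samples[i], tok, sizeof tok);
        int rc;

        snprintf(buf, sizeof buf, "%s", samples[i]);
        rc = split_rate(buf, &iv);
        printf("%-12s strtok first=%-7s strchr rc=%d rate=\"%s\" interval=%s\n",
               samples[i], have ? tok : "NULL", rc, buf, iv ? iv : "(none)");
    }
    return 0;
}
```

For `@5us`, strtok silently skips the leading delimiter and reports `5us` as the first token, so the old code would have parsed the interval as the rate; the strchr split reports an empty rate instead.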
