tools: xenstored: if the reply is too big then send E2BIG error

This fixes the issue for both C and ocaml xenstored, however only the ocaml
xenstored is vulnerable in its default configuration.

Adding a new error appears to be safe, since bit libxenstore and the Linux
driver at least treat an unknown error code as EINVAL.

This is XSA-72 / CVE-2013-4416.

Original ocaml patch by Jerome Maloberti <jerome.maloberti@citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Thomas Sanders <thomas.sanders@citrix.com>
master commit: 8b2c441a1b53a43a38b3c517e28f239da3349872
master date: 2013-10-29 15:45:53 +0000

diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/connection.ml
index c15595b4dae5060e2678cd40e592d63d4beb295f..6506dea31c9c0e9e9087bb5c2b3ac785f7641029 100644 (file)
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -18,6 +18,8 @@ exception End_of_file
 
 open Stdext
 
+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
+
 type watch = {
        con: t;
        token: string;
@@ -112,8 +114,15 @@ let restrict con domid =
 let set_target con target_domid =
        con.perm <- Perms.Connection.set_target (get_perm con) ~perms:[Perms.READ; Perms.WRITE] target_domid
 
+let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
+       | Xenbus.Xb.Xenmmap _ -> true
+       | _ -> false
+
 let send_reply con tid rid ty data =
-       Xb.queue con.xb (Xb.Packet.create tid rid ty data)
+       if (String.length data) > xenstore_payload_max && (is_backend_mmap con) then
+               Xb.queue con.xb (Xb.Packet.create tid rid Xb.Op.Error "E2BIG\000")
+       else
+               Xb.queue con.xb (Xb.Packet.create tid rid ty data)
 
 let send_error con tid rid err = send_reply con tid rid Xb.Op.Error (err ^ "\000")
 let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 1749740482458704737a0b3a5d81275d62eec1c0..0707ef6d071279a7e82573f4b868475f0201f963 100644 (file)
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -600,6 +600,11 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
 {
        struct buffered_data *bdata;
 
+       if ( len > XENSTORE_PAYLOAD_MAX ) {
+               send_error(conn, E2BIG);
+               return;
+       }
+
        /* Message is a child of the connection context for auto-cleanup. */
        bdata = new_buffer(conn);
        bdata->buffer = talloc_array(bdata, char, len);

diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
index e1debceb63bf950a157a8a8c9125aed6936775bf..f10ccd07705c614486a2a89d07134398b66ba4a1 100644 (file)
--- a/xen/include/public/io/xs_wire.h
+++ b/xen/include/public/io/xs_wire.h
@@ -82,7 +82,8 @@ __attribute__((unused))
     XSD_ERROR(EROFS),
     XSD_ERROR(EBUSY),
     XSD_ERROR(EAGAIN),
-    XSD_ERROR(EISCONN)
+    XSD_ERROR(EISCONN),
+    XSD_ERROR(E2BIG)
 };
 #endif