libxc: limit cpu values when setting vcpu affinity
authorPetr Matousek <pmatouse@redhat.com>
Fri, 31 May 2013 10:28:18 +0000 (12:28 +0200)
committerJan Beulich <jbeulich@suse.com>
Fri, 31 May 2013 10:28:18 +0000 (12:28 +0200)
When support for pinning more than 64 cpus was added, the check for
out-of-range cpu values was removed. This can lead to subsequent
out-of-bounds cpumap array accesses if a cpu number is higher
than the actual count.

This patch restores the check.

This is CVE-2013-2072 / XSA-56

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
master commit: 41abbadef60e5fccdfd688579dd458f7f7887cf5
master date: 2013-05-29 15:49:22 +0100

tools/python/xen/lowlevel/xc/xc.c

index 2600b90060c905746b0c11646fd93ba092417170..1c4ac93ba78b797fafbcce1fe86a3a01508841c4 100644 (file)
@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
     int vcpu = 0, i;
     xc_cpumap_t cpumap;
     PyObject *cpulist = NULL;
+    int nr_cpus;
 
     static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
 
@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
                                       &dom, &vcpu, &cpulist) )
         return NULL;
 
+    nr_cpus = xc_get_max_cpus(self->xc_handle);
+    if ( nr_cpus == 0 )
+        return pyxc_error_to_exception(self->xc_handle);
+
     cpumap = xc_cpumap_alloc(self->xc_handle);
     if(cpumap == NULL)
         return pyxc_error_to_exception(self->xc_handle);
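Review bot: The failure test `if ( nr_cpus == 0 )` only catches a zero return from `xc_get_max_cpus()`. That function's definition is not on this page, so if it can ever signal failure with a negative value, execution would fall through to the allocation. The range check added in the loop would still reject every index in that case, so this is a robustness point rather than a memory-safety one, but `if ( nr_cpus <= 0 )` states the intent directly. A short comment such as `/* nr_cpus bounds every index written into cpumap below */` would also record why the value is fetched here. The function starts before and continues after this hunk.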
@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
         for ( i = 0; i < PyList_Size(cpulist); i++ ) 
         {
             long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
+            if ( cpu < 0 || cpu >= nr_cpus )
+            {
+                free(cpumap);
+                errno = EINVAL;
+                PyErr_SetFromErrno(xc_error_obj);
+                return NULL;
+            }
             cpumap[cpu / 8] |= 1 << (cpu % 8);
         }
     }
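Review bot: The new `cpu < 0` test also catches the -1 that `PyInt_AsLong()` returns when a list item is not an integer, and `PyErr_SetFromErrno(xc_error_obj)` then replaces the pending Python exception with a generic EINVAL. Checking the conversion first keeps the original error for the caller: `if ( cpu == -1 && PyErr_Occurred() ) { free(cpumap); return NULL; }`. Separately, the guard is only sound while `cpumap` holds at least `nr_cpus` bits. `xc_cpumap_alloc()` is not shown here, so once that is confirmed a comment such as `/* cpumap is sized from the same max-cpu count as nr_cpus */` would tie the two together. The enclosing `if` and the rest of the function lie outside this hunk.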