[PATCH for-4.7] XSA-180 patches for 4.7

[PATCH for-4.7] XSA-180 patches for 4.7

[Wei Liu]

Two patches for XSA-180 for Xen 4.7 release.

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

[PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU

[Wei Liu]

XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We
explicitly set the limit in libxl for 4.7.

Introduce a function for setting the environment variable and call it in
the right places.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
 tools/libxl/libxl_dm.c | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 6bbc7c3..1412c29 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -365,6 +365,24 @@ int libxl__domain_device_construct_rdm(libxl__gc *gc,
     return ERROR_FAIL;
 }
 
+/* XSA-180 / CVE-2014-3672
+ *
+ * The QEMU shipped with Xen has a bodge. It checks for
+ * XEN_QEMU_CONSOLE_LIMIT to see how much data QEMU is allowed
+ * to write to stderr. We set that to 1MB if it is not set by
+ * system administrator.
+ */
+static void libxl__set_qemu_env_for_xsa_180(libxl__gc *gc,
+                                            flexarray_t *dm_envs)
+{
+    unsigned long limit = 0;
+    const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+
+    limit = s ? strtoul(s,0,0) : 1*1024*1024;
+    flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT",
+                          GCSPRINTF("%lu", limit));
+}
+
 const libxl_vnc_info *libxl__dm_vnc(const libxl_domain_config *guest_config)
 {
     const libxl_vnc_info *vnc = NULL;
@@ -415,6 +433,8 @@ static int libxl__build_device_model_args_old(libxl__gc *gc,
     dm_args = flexarray_make(gc, 16, 1);
     dm_envs = flexarray_make(gc, 16, 1);
 
+    libxl__set_qemu_env_for_xsa_180(gc, dm_envs);
+
     flexarray_vappend(dm_args, dm,
                       "-d", GCSPRINTF("%d", domid), NULL);
 
@@ -913,6 +933,8 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
     dm_args = flexarray_make(gc, 16, 1);
     dm_envs = flexarray_make(gc, 16, 1);
 
+    libxl__set_qemu_env_for_xsa_180(gc, dm_envs);
+
     flexarray_vappend(dm_args, dm,
                       "-xen-domid",
                       GCSPRINTF("%d", guest_domid), NULL);
@@ -2193,8 +2215,8 @@ static void device_model_spawn_outcome(libxl__egc *egc,
 void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
 {
     STATE_AO_GC(dmss->spawn.ao);
-    flexarray_t *dm_args;
-    char **args;
+    flexarray_t *dm_args, *dm_envs;
+    char **args, **envs;
     const char *dm;
     int logfile_w, null = -1, rc;
     uint32_t domid = dmss->guest_domid;
@@ -2203,6 +2225,8 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
     dm = qemu_xen_path(gc);
 
     dm_args = flexarray_make(gc, 15, 1);
+    dm_envs = flexarray_make(gc, 1, 1);
+
     flexarray_vappend(dm_args, dm, "-xen-domid",
                       GCSPRINTF("%d", domid), NULL);
     flexarray_append(dm_args, "-xen-attach");
@@ -2216,6 +2240,9 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
     flexarray_append(dm_args, NULL);
     args = (char **) flexarray_contents(dm_args);
 
+    libxl__set_qemu_env_for_xsa_180(gc, dm_envs);
+    envs = (char **) flexarray_contents(dm_envs);
+
     logfile_w = libxl__create_qemu_logfile(gc, GCSPRINTF("qdisk-%u", domid));
     if (logfile_w < 0) {
         rc = logfile_w;
@@ -2253,7 +2280,7 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
         goto out;
     if (!rc) { /* inner child */
         setsid();
-        libxl__exec(gc, null, logfile_w, logfile_w, dm, args, NULL);
+        libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs);
     }
 
     rc = 0;
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

[PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups

[Wei Liu]

From: Ian Jackson <ian.jackson@eu.citrix.com>

Each time round the main loop, we now fstat stderr.  If it is too big,
we dup2 /dev/null onto it.  This is not a very pretty patch but it is
very simple, easy to see that it's correct, and has a low risk of
collateral damage.

The limit is 1Mby by default but can be adjusted by setting a new
environment variable.

This fixes CVE-2014-3672.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

Set the default to 0 so that it won't affect non-xen installation. The
limit will be set by Xen toolstack.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
 main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/main-loop.c b/main-loop.c
index 3997043..aa32f5b 100644
--- a/main-loop.c
+++ b/main-loop.c
@@ -164,6 +164,50 @@ int qemu_init_main_loop(Error **errp)
     return 0;
 }
 
+static void check_cve_2014_3672_xen(void)
+{
+    static unsigned long limit = ~0UL;
+    const int fd = 2;
+    struct stat stab;
+
+    if (limit == ~0UL) {
+        const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+        /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+        limit = s ? strtoul(s,0,0) : 0;
+    }
+    if (limit == 0)
+        return;
+
+    int r = fstat(fd, &stab);
+    if (r) {
+        perror("fstat stderr (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    if (!S_ISREG(stab.st_mode))
+        return;
+    if (stab.st_size <= limit)
+        return;
+
+    /* oh dear */
+    fprintf(stderr,"\r\n"
+            "Closing stderr due to CVE-2014-3672 limit. "
+            " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+            " or 0 for no limit.\n");
+    fflush(stderr);
+
+    int nfd = open("/dev/null", O_WRONLY);
+    if (nfd < 0) {
+        perror("open /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    r = dup2(nfd, fd);
+    if (r != fd) {
+        perror("dup2 /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    close(nfd);
+}
+
 static int max_priority;
 
 #ifndef _WIN32
@@ -216,6 +260,8 @@ static int os_host_main_loop_wait(int64_t timeout)
     int ret;
     static int spin_counter;
 
+    check_cve_2014_3672_xen();
+
     glib_pollfds_fill(&timeout);
 
     /* If the I/O thread is very busy or we are incorrectly busy waiting in
@@ -407,6 +453,8 @@ static int os_host_main_loop_wait(int64_t timeout)
     fd_set rfds, wfds, xfds;
     int nfds;
 
+    check_cve_2014_3672_xen();
+
     /* XXX: need to suppress polling by better using win32 events */
     ret = 0;
     for (pe = first_polling_entry; pe != NULL; pe = pe->next) {
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups

[George Dunlap]

On Thu, May 26, 2016 at 4:21 PM, Wei Liu <wei.liu2@citrix.com> wrote:
> From: Ian Jackson <ian.jackson@eu.citrix.com>
>
> Each time round the main loop, we now fstat stderr.  If it is too big,
> we dup2 /dev/null onto it.  This is not a very pretty patch but it is
> very simple, easy to see that it's correct, and has a low risk of
> collateral damage.
>
> The limit is 1Mby by default but can be adjusted by setting a new
> environment variable.

There is no limit by default; a companion patch for libxl sets this to
1MiB.  This is so that this patch may be applied on a system qemu
which is shared between multiple use cases (including non-Xen cases).

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups

[Wei Liu]

On Thu, May 26, 2016 at 04:36:57PM +0100, George Dunlap wrote:
> On Thu, May 26, 2016 at 4:21 PM, Wei Liu <wei.liu2@citrix.com> wrote:
> > From: Ian Jackson <ian.jackson@eu.citrix.com>
> >
> > Each time round the main loop, we now fstat stderr.  If it is too big,
> > we dup2 /dev/null onto it.  This is not a very pretty patch but it is
> > very simple, easy to see that it's correct, and has a low risk of
> > collateral damage.
> >
> > The limit is 1Mby by default but can be adjusted by setting a new
> > environment variable.
> 
> There is no limit by default; a companion patch for libxl sets this to
> 1MiB.  This is so that this patch may be applied on a system qemu
> which is shared between multiple use cases (including non-Xen cases).
> 

I added a paragraph in that patch and have my S-o-B.

Did you miss that? Or do you mean I should rewrite the commit message
altogether?

Wei.

>  -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU

[Ian Jackson]

Wei Liu writes ("[PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU"):
> XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We
> explicitly set the limit in libxl for 4.7.
...
> +    unsigned long limit = 0;
> +    const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
> +
> +    limit = s ? strtoul(s,0,0) : 1*1024*1024;
> +    flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT",
> +                          GCSPRINTF("%lu", limit));

This is rather more complex than it needs to be.  What would be wrong
with
  if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return;
  flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576");
?

But I guess I don't object enough to care, so

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>


> +    flexarray_t *dm_args, *dm_envs;
> +    char **args, **envs;

All these parts are a bit of a palaver but I don't see a better way.
Thanks for doing this work!

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups

[Ian Jackson]

Wei Liu writes ("[PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups"):
> The limit is 1Mby by default but can be adjusted by setting a new
> environment variable.
> 
> This fixes CVE-2014-3672.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> 
> Set the default to 0 so that it won't affect non-xen installation. The
> limit will be set by Xen toolstack.

Maybe the commit message, earlier, could be adjusted ?  But otherwise

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU

[Wei Liu]

On Thu, May 26, 2016 at 04:41:53PM +0100, Ian Jackson wrote:
> Wei Liu writes ("[PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU"):
> > XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We
> > explicitly set the limit in libxl for 4.7.
> ...
> > +    unsigned long limit = 0;
> > +    const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
> > +
> > +    limit = s ? strtoul(s,0,0) : 1*1024*1024;
> > +    flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT",
> > +                          GCSPRINTF("%lu", limit));
> 
> This is rather more complex than it needs to be.  What would be wrong
> with
>   if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return;
>   flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576");
> ?
> 

Nice, this is simpler. I will use this version and keep your ack.

> But I guess I don't object enough to care, so
> 
> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
> 
> 
> > +    flexarray_t *dm_args, *dm_envs;
> > +    char **args, **envs;
> 
> All these parts are a bit of a palaver but I don't see a better way.
> Thanks for doing this work!
> 

YW.

Wei.

> Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU

[Wei Liu]

On Thu, May 26, 2016 at 04:47:59PM +0100, Wei Liu wrote:
> On Thu, May 26, 2016 at 04:41:53PM +0100, Ian Jackson wrote:
> > Wei Liu writes ("[PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU"):
> > > XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We
> > > explicitly set the limit in libxl for 4.7.
> > ...
> > > +    unsigned long limit = 0;
> > > +    const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
> > > +
> > > +    limit = s ? strtoul(s,0,0) : 1*1024*1024;
> > > +    flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT",
> > > +                          GCSPRINTF("%lu", limit));
> > 
> > This is rather more complex than it needs to be.  What would be wrong
> > with
> >   if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return;
> >   flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576");
> > ?
> > 
> 
> Nice, this is simpler. I will use this version and keep your ack.
> 

I will push this patch soon.

---8<---
From 1d915bc7805bde9fe90341e9bcea01bf50154d87 Mon Sep 17 00:00:00 2001
From: Wei Liu <wei.liu2@citrix.com>
Date: Thu, 26 May 2016 16:11:42 +0100
Subject: [PATCH] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU

XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We
explicitly set the limit in libxl for 4.7.

Introduce a function for setting the environment variable and call it in
the right places.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
 tools/libxl/libxl_dm.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 6bbc7c3..155a653 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -365,6 +365,20 @@ int libxl__domain_device_construct_rdm(libxl__gc *gc,
     return ERROR_FAIL;
 }
 
+/* XSA-180 / CVE-2014-3672
+ *
+ * The QEMU shipped with Xen has a bodge. It checks for
+ * XEN_QEMU_CONSOLE_LIMIT to see how much data QEMU is allowed
+ * to write to stderr. We set that to 1MB if it is not set by
+ * system administrator.
+ */
+static void libxl__set_qemu_env_for_xsa_180(libxl__gc *gc,
+                                            flexarray_t *dm_envs)
+{
+    if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return;
+    flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576");
+}
+
 const libxl_vnc_info *libxl__dm_vnc(const libxl_domain_config *guest_config)
 {
     const libxl_vnc_info *vnc = NULL;
@@ -415,6 +429,8 @@ static int libxl__build_device_model_args_old(libxl__gc *gc,
     dm_args = flexarray_make(gc, 16, 1);
     dm_envs = flexarray_make(gc, 16, 1);
 
+    libxl__set_qemu_env_for_xsa_180(gc, dm_envs);
+
     flexarray_vappend(dm_args, dm,
                       "-d", GCSPRINTF("%d", domid), NULL);
 
@@ -913,6 +929,8 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
     dm_args = flexarray_make(gc, 16, 1);
     dm_envs = flexarray_make(gc, 16, 1);
 
+    libxl__set_qemu_env_for_xsa_180(gc, dm_envs);
+
     flexarray_vappend(dm_args, dm,
                       "-xen-domid",
                       GCSPRINTF("%d", guest_domid), NULL);
@@ -2193,8 +2211,8 @@ static void device_model_spawn_outcome(libxl__egc *egc,
 void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
 {
     STATE_AO_GC(dmss->spawn.ao);
-    flexarray_t *dm_args;
-    char **args;
+    flexarray_t *dm_args, *dm_envs;
+    char **args, **envs;
     const char *dm;
     int logfile_w, null = -1, rc;
     uint32_t domid = dmss->guest_domid;
@@ -2203,6 +2221,8 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
     dm = qemu_xen_path(gc);
 
     dm_args = flexarray_make(gc, 15, 1);
+    dm_envs = flexarray_make(gc, 1, 1);
+
     flexarray_vappend(dm_args, dm, "-xen-domid",
                       GCSPRINTF("%d", domid), NULL);
     flexarray_append(dm_args, "-xen-attach");
@@ -2216,6 +2236,9 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
     flexarray_append(dm_args, NULL);
     args = (char **) flexarray_contents(dm_args);
 
+    libxl__set_qemu_env_for_xsa_180(gc, dm_envs);
+    envs = (char **) flexarray_contents(dm_envs);
+
     logfile_w = libxl__create_qemu_logfile(gc, GCSPRINTF("qdisk-%u", domid));
     if (logfile_w < 0) {
         rc = logfile_w;
@@ -2253,7 +2276,7 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss)
         goto out;
     if (!rc) { /* inner child */
         setsid();
-        libxl__exec(gc, null, logfile_w, logfile_w, dm, args, NULL);
+        libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs);
     }
 
     rc = 0;
-- 
2.1.4



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups

[Anthony PERARD]

On Thu, May 26, 2016 at 04:21:56PM +0100, Wei Liu wrote:
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> 
> Each time round the main loop, we now fstat stderr.  If it is too big,
> we dup2 /dev/null onto it.  This is not a very pretty patch but it is
> very simple, easy to see that it's correct, and has a low risk of
> collateral damage.
> 
> The limit is 1Mby by default but can be adjusted by setting a new
> environment variable.
> 
> This fixes CVE-2014-3672.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> 
> Set the default to 0 so that it won't affect non-xen installation. The
> limit will be set by Xen toolstack.
> 
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>

Beside the confusing commit message and the call in the WIN32 specific
mainloop, the patch look good. So,

Acked-by: Anthony PERARD <anthony.perard@citrix.com>

> ---
>  main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 48 insertions(+)
> 
> diff --git a/main-loop.c b/main-loop.c
> index 3997043..aa32f5b 100644
> --- a/main-loop.c
> +++ b/main-loop.c
> @@ -164,6 +164,50 @@ int qemu_init_main_loop(Error **errp)
>      return 0;
>  }
>  
> +static void check_cve_2014_3672_xen(void)
> +{
> +    static unsigned long limit = ~0UL;
> +    const int fd = 2;
> +    struct stat stab;
> +
> +    if (limit == ~0UL) {
> +        const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
> +        /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
> +        limit = s ? strtoul(s,0,0) : 0;
> +    }
> +    if (limit == 0)
> +        return;
> +
> +    int r = fstat(fd, &stab);
> +    if (r) {
> +        perror("fstat stderr (for CVE-2014-3672 check)");
> +        exit(-1);
> +    }
> +    if (!S_ISREG(stab.st_mode))
> +        return;
> +    if (stab.st_size <= limit)
> +        return;
> +
> +    /* oh dear */
> +    fprintf(stderr,"\r\n"
> +            "Closing stderr due to CVE-2014-3672 limit. "
> +            " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
> +            " or 0 for no limit.\n");
> +    fflush(stderr);
> +
> +    int nfd = open("/dev/null", O_WRONLY);
> +    if (nfd < 0) {
> +        perror("open /dev/null (for CVE-2014-3672 check)");
> +        exit(-1);
> +    }
> +    r = dup2(nfd, fd);
> +    if (r != fd) {
> +        perror("dup2 /dev/null (for CVE-2014-3672 check)");
> +        exit(-1);
> +    }
> +    close(nfd);
> +}
> +
>  static int max_priority;
>  
>  #ifndef _WIN32
> @@ -216,6 +260,8 @@ static int os_host_main_loop_wait(int64_t timeout)
>      int ret;
>      static int spin_counter;
>  
> +    check_cve_2014_3672_xen();
> +
>      glib_pollfds_fill(&timeout);
>  
>      /* If the I/O thread is very busy or we are incorrectly busy waiting in
> @@ -407,6 +453,8 @@ static int os_host_main_loop_wait(int64_t timeout)
>      fd_set rfds, wfds, xfds;
>      int nfds;
>  
> +    check_cve_2014_3672_xen();
> +

That's the call within an #ifdef _WIN32.

>      /* XXX: need to suppress polling by better using win32 events */
>      ret = 0;
>      for (pe = first_polling_entry; pe != NULL; pe = pe->next) {

-- 
Anthony PERARD

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups

[Anthony PERARD]

On Thu, May 26, 2016 at 05:10:52PM +0100, Anthony PERARD wrote:
> On Thu, May 26, 2016 at 04:21:56PM +0100, Wei Liu wrote:
> > From: Ian Jackson <ian.jackson@eu.citrix.com>
> > 
> > Each time round the main loop, we now fstat stderr.  If it is too big,
> > we dup2 /dev/null onto it.  This is not a very pretty patch but it is
> > very simple, easy to see that it's correct, and has a low risk of
> > collateral damage.
> > 
> > The limit is 1Mby by default but can be adjusted by setting a new
> > environment variable.
> > 
> > This fixes CVE-2014-3672.
> > 
> > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> > Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> > 
> > Set the default to 0 so that it won't affect non-xen installation. The
> > limit will be set by Xen toolstack.
> > 
> > Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> 
> Beside the confusing commit message and the call in the WIN32 specific
> mainloop, the patch look good. So,
> 
> Acked-by: Anthony PERARD <anthony.perard@citrix.com>

I have ajusted the commit message with
`s/The limit is 1Mby/There is no limit/` and going to push to staging.

-- 
Anthony PERARD

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel