From patchwork Thu May 26 15:21:56 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Wei Liu <Wei.Liu2@citrix.com>
X-Patchwork-Id: 9137101
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	5D1AF6075C for <patchwork-xen-devel@patchwork.kernel.org>;
	Thu, 26 May 2016 15:24:09 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 51A4828098
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Thu, 26 May 2016 15:24:09 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 46715282F5; Thu, 26 May 2016 15:24:09 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id CF14328098
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Thu, 26 May 2016 15:24:08 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1b5x6v-0003sP-Sd; Thu, 26 May 2016 15:22:09 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <prvs=947cb6223=wei.liu2@citrix.com>)
	id 1b5x6t-0003rz-RS
	for xen-devel@lists.xenproject.org; Thu, 26 May 2016 15:22:07 +0000
Received: from [85.158.139.211] by server-12.bemta-5.messagelabs.com id
	31/A1-01945-F9417475; Thu, 26 May 2016 15:22:07 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprAIsWRWlGSWpSXmKPExsXitHSDve48Efd
	wg99dahbft0xmcmD0OPzhCksAYxRrZl5SfkUCa8brM/OZC7pFK44uvMrcwNgo0MXIySEh4C9x
	7Mo6NhCbTUBZ4mdnL5gtIqAn0XTgOWMXIxcHs8BCRonrn+6ydzFycAgLREr0dFmD1LAIqEp8f
	XWKHcTmFXCSmNhxiA1ippzE+eM/mUHKOQWcJaZ8CAQJCwmkS7ztXsgMYStIdEw/xgTRKihxcu
	YTFhCbWUBC4uCLF8wQY7glbp+eyjyBkW8WkrJZSMoWMDKtYtQoTi0qSy3SNTTVSyrKTM8oyU3
	MzNE1NDDVy00tLk5MT81JTCrWS87P3cQIDCkGINjB2LDd8xCjJAeTkiivuLhbuBBfUn5KZUZi
	cUZ8UWlOavEhRhkODiUJ3ksHgHKCRanpqRVpmTnA4IZJS3DwKInwigm7hwvxFhck5hZnpkOkT
	jEqSonzPhUCSgiAJDJK8+DaYBF1iVFWSpiXEegQIZ6C1KLczBJU+VeM4hyMSsK8RiDjeTLzSu
	CmvwJazAS02P+LM8jikkSElFQDY5Gv2Jx1emunPYu7MKtFRkbH5cuFFWGq4XPLFULvTplqsOb
	fhdB5bo7xr3sVT4h/tpDUMnxfHMN7ir94duFXXovnFzad3Cm1lbvY2G7/2kMBfb+4ONIdeNt4
	onbn6p5ear7jxRPrV5/El04TO/KVe05O7mr56O22E4QmZVxaax8515mfv3jTBCWW4oxEQy3mo
	uJEAMxBpyijAgAA
X-Env-Sender: prvs=947cb6223=wei.liu2@citrix.com
X-Msg-Ref: server-8.tower-206.messagelabs.com!1464276123!41588759!2
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor:
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 8.34; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 58646 invoked from network); 26 May 2016 15:22:06 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-8.tower-206.messagelabs.com with RC4-SHA encrypted SMTP;
	26 May 2016 15:22:06 -0000
X-IronPort-AV: E=Sophos;i="5.26,367,1459814400"; d="scan'208";a="363632837"
From: Wei Liu <wei.liu2@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Date: Thu, 26 May 2016 16:21:56 +0100
Message-ID: <1464276116-8412-2-git-send-email-wei.liu2@citrix.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1464276116-8412-1-git-send-email-wei.liu2@citrix.com>
References: <20160526151957.GX22076@citrix.com>
	<1464276116-8412-1-git-send-email-wei.liu2@citrix.com>
MIME-Version: 1.0
X-DLP: MIA2
Cc: Anthony PERARD <anthony.perard@citrix.com>, Wei Liu <wei.liu2@citrix.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>
Subject: [Xen-devel] [PATCH QEMU for-4.7] main loop: Big hammer to fix
	logfile disk DoS in Xen setups
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Ian Jackson <ian.jackson@eu.citrix.com>

Each time round the main loop, we now fstat stderr.  If it is too big,
we dup2 /dev/null onto it.  This is not a very pretty patch but it is
very simple, easy to see that it's correct, and has a low risk of
collateral damage.

The limit is 1Mby by default but can be adjusted by setting a new
environment variable.

This fixes CVE-2014-3672.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

Set the default to 0 so that it won't affect non-xen installation. The
limit will be set by Xen toolstack.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
---
 main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/main-loop.c b/main-loop.c
index 3997043..aa32f5b 100644
--- a/main-loop.c
+++ b/main-loop.c
@@ -164,6 +164,50 @@ int qemu_init_main_loop(Error **errp)
     return 0;
 }
 
+static void check_cve_2014_3672_xen(void)
+{
+    static unsigned long limit = ~0UL;
+    const int fd = 2;
+    struct stat stab;
+
+    if (limit == ~0UL) {
+        const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+        /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+        limit = s ? strtoul(s,0,0) : 0;
+    }
+    if (limit == 0)
+        return;
+
+    int r = fstat(fd, &stab);
+    if (r) {
+        perror("fstat stderr (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    if (!S_ISREG(stab.st_mode))
+        return;
+    if (stab.st_size <= limit)
+        return;
+
+    /* oh dear */
+    fprintf(stderr,"\r\n"
+            "Closing stderr due to CVE-2014-3672 limit. "
+            " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+            " or 0 for no limit.\n");
+    fflush(stderr);
+
+    int nfd = open("/dev/null", O_WRONLY);
+    if (nfd < 0) {
+        perror("open /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    r = dup2(nfd, fd);
+    if (r != fd) {
+        perror("dup2 /dev/null (for CVE-2014-3672 check)");
+        exit(-1);
+    }
+    close(nfd);
+}
+
 static int max_priority;
 
 #ifndef _WIN32
@@ -216,6 +260,8 @@ static int os_host_main_loop_wait(int64_t timeout)
     int ret;
     static int spin_counter;
 
+    check_cve_2014_3672_xen();
+
     glib_pollfds_fill(&timeout);
 
     /* If the I/O thread is very busy or we are incorrectly busy waiting in
@@ -407,6 +453,8 @@ static int os_host_main_loop_wait(int64_t timeout)
     fd_set rfds, wfds, xfds;
     int nfds;
 
+    check_cve_2014_3672_xen();
+
     /* XXX: need to suppress polling by better using win32 events */
     ret = 0;
     for (pe = first_polling_entry; pe != NULL; pe = pe->next) {