# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1193128003 -3600
# Node ID b28ae5f00553ea053bd4e4576634d8ea49e77bc3
# Parent 118a21c66fd53a08d7191159e5b2888f8d9e4ad2
xenmon: Fix security vulnerability CVE-2007-3919.
The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.
The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).
This bug was reported, and the fix suggested, by Steve Kemp
<skx@xxxxxxxxxx>. Thanks!
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
tools/xenmon/xenbaked.c | 2 +-
tools/xenmon/xenmon.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenbaked.c
--- a/tools/xenmon/xenbaked.c Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenbaked.c Tue Oct 23 09:26:43 2007 +0100
@@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, s
return 0;
}
-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
void alloc_qos_data(int ncpu)
{
int i, n, pgsize, off=0;
diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenmon.py
--- a/tools/xenmon/xenmon.py Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenmon.py Tue Oct 23 09:26:43 2007 +0100
@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES +
struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
# location of mmaped file, hard coded right now
-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"
# format strings
TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
Home
xen.org, 