Description: VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
 The timer action for a vcpu periodic timer is to calculate the next
 expiry time, and to reinsert itself into the timer queue.  If the
 deadline ends up in the past, Xen never leaves __do_softirq().  The
 affected PCPU will stay in an infinite loop until Xen is killed by the
 watchdog (if enabled).
From: Andrew Cooper <andrew.cooper3@citrix.com>
Origin: upstream, commit:23406:701f5e3321c1
Id: CVE-2012-4535
---
diff -r 448ffa4bcf63 -r 701f5e3321c1 xen/common/domain.c
--- a/xen/common/domain.c	Wed Nov 14 10:44:09 2012 +0100
+++ b/xen/common/domain.c	Wed Nov 14 11:33:36 2012 +0000
@@ -873,6 +873,9 @@
         if ( set.period_ns < MILLISECS(1) )
             return -EINVAL;
 
+        if ( set.period_ns > STIME_DELTA_MAX )
+            return -EINVAL;
+
         v->periodic_period = set.period_ns;
         vcpu_force_reschedule(v);
 
diff -r 448ffa4bcf63 -r 701f5e3321c1 xen/include/xen/time.h
--- a/xen/include/xen/time.h	Wed Nov 14 10:44:09 2012 +0100
+++ b/xen/include/xen/time.h	Wed Nov 14 11:33:36 2012 +0000
@@ -53,6 +53,8 @@
 #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
 #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))
 #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1))
+/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */
+#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2))
 
 extern void update_vcpu_system_time(struct vcpu *v);
 extern void update_domain_wallclock_time(struct domain *d);
