From 86d019205b87aa53a739d2c8a25de56335949091 Mon Sep 17 00:00:00 2001 From: Keir Fraser Date: Tue, 23 Oct 2007 09:26:43 +0100 Subject: xenmon: Fix security vulnerability CVE-2007-3919. The xenbaked daemon and xenmon utility communicate via a mmap'ed shared file. Since this file is located in /tmp, unprivileged users can cause arbitrary files to be truncated by creating a symlink from the well-known /tmp filename to e.g., /etc/passwd. The fix is to place the shared file in a directory to which only root should have access (in this case /var/run/). This bug was reported, and the fix suggested, by Steve Kemp . Thanks! Signed-off-by: Keir Fraser --- tools/xenmon/xenbaked.c | 2 +- tools/xenmon/xenmon.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'tools/xenmon') diff --git a/tools/xenmon/xenbaked.c b/tools/xenmon/xenbaked.c index afca2f2168..5d5d0d4e43 100644 --- a/tools/xenmon/xenbaked.c +++ b/tools/xenmon/xenbaked.c @@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, struct argp_state *state) return 0; } -#define SHARED_MEM_FILE "/tmp/xenq-shm" +#define SHARED_MEM_FILE "/var/run/xenq-shm" void alloc_qos_data(int ncpu) { int i, n, pgsize, off=0; diff --git a/tools/xenmon/xenmon.py b/tools/xenmon/xenmon.py index 01b96fecad..6a76d56ab7 100644 --- a/tools/xenmon/xenmon.py +++ b/tools/xenmon/xenmon.py @@ -46,7 +46,7 @@ ST_QDATA = "%dQ" % (6*NDOMAINS + 4) QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i") # location of mmaped file, hard coded right now -SHM_FILE = "/tmp/xenq-shm" +SHM_FILE = "/var/run/xenq-shm" # format strings TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%" -- cgit v1.2.3