[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [patch] Fix use-after-free in xenconsoled.

To: Xen Development Mailing List <xen-devel@xxxxxxxxxxxxxxxxxxx>
From: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Date: Thu, 01 Nov 2007 14:59:58 +0100
Delivery-date: Thu, 01 Nov 2007 07:00:43 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

  Hi,

shutdown_domain() MUST NOT call cleanup_domain(), just flagging them as
dead is enough.  cleanup_domains() for dead domains is called by the
mainloop in handle_io() in a safe way already.

shutdown_domain() calling cleanup_domain() too leads struct domain being
accessed after freeing and to a double-free.

Fixed by simply dropping the cleanup_domain() call and by making the
functions called by the main loop in handle_io() ignore dead domains.

please apply,

  Gerd

Fix use-after-free in xenconsoled.

shutdown_domain() MUST NOT call cleanup_domain(), just flagging them as
dead is enough.  cleanup_domains() for dead domains is called by the main
loop in handle_io() in a safe way already.

shutdown_domain() calling cleanup_domain() too leads struct domain being
accessed after freeing and to a double-free.

Fixed by simply dropping the cleanup_domain() call and by making the
functions called by the main loop in handle_io() ignore dead domains.

Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
diff -r c0b0974fb055 tools/console/daemon/io.c
--- a/tools/console/daemon/io.c Fri May 18 16:59:32 2007 +0100
+++ b/tools/console/daemon/io.c Thu Nov 01 14:47:49 2007 +0100
@@ -467,7 +467,6 @@ static void shutdown_domain(struct domai
        if (d->xce_handle != -1)
                xc_evtchn_close(d->xce_handle);
        d->xce_handle = -1;
-       cleanup_domain(d);
 }
 
 void enum_domains(void)
@@ -513,6 +512,9 @@ static void handle_tty_read(struct domai
        struct xencons_interface *intf = dom->interface;
        XENCONS_RING_IDX prod;
 
+       if (dom->is_dead)
+               return;
+
        len = ring_free_bytes(dom);
        if (len == 0)
                return;
@@ -550,6 +552,9 @@ static void handle_tty_write(struct doma
 {
        ssize_t len;
 
+       if (dom->is_dead)
+               return;
+
        len = write(dom->tty_fd, dom->buffer.data + dom->buffer.consumed,
                    dom->buffer.size - dom->buffer.consumed);
        if (len < 1) {
@@ -572,6 +577,9 @@ static void handle_ring_read(struct doma
 static void handle_ring_read(struct domain *dom)
 {
        evtchn_port_t port;
+
+       if (dom->is_dead)
+               return;
 
        if ((port = xc_evtchn_pending(dom->xce_handle)) == -1)
                return;

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Prev by Date: [Xen-devel] Are drivers in Dom0 virtualized in any way
Next by Date: Re: Fwd: [Xen-devel] Inter-domain shared memory facility in Xen?
Previous by thread: [Xen-devel] Are drivers in Dom0 virtualized in any way
Next by thread: Re: [Xen-devel] [PATCH] Fix stdvga performance for 32bit ops
Index(es):
- Date
- Thread