[Xen-changelog] [xen master] libxl: Do not trust backend for disk eject vdev
commit c69871a2fb26de79a93b6291cc061e11d5764876 Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> AuthorDate: Fri Apr 29 16:23:35 2016 +0100 Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> CommitDate: Thu Jun 2 15:53:29 2016 +0100 libxl: Do not trust backend for disk eject vdev For disk eject, use configured vdev from /libxl, not backend. The backend directory is writeable by driver domains. This means that a malicious driver domain could cause libxl to see a wrong vdev, confusing the user or the toolstack. Use the vdev from the /libxl space, rather than the backend. For convenience, we read the vdev from the /libxl space into the evg during setup and copy it on each event, rather than reading it afresh each time (which would in any case involve generating or saving a copy of the relevant /libxl path). This is part of XSA-178. Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx> --- tools/libxl/libxl.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c index 944f848..ec70b20 100644 --- a/tools/libxl/libxl.c +++ b/tools/libxl/libxl.c @@ -1357,8 +1357,7 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w, disk->pdev_path = strdup(""); /* xxx fixme malloc failure */ disk->format = LIBXL_DISK_FORMAT_EMPTY; /* this value is returned to the user: do not free right away */ - disk->vdev = xs_read(CTX->xsh, XBT_NULL, - GCSPRINTF("%s/dev", backend), NULL); + disk->vdev = libxl__strdup(NOGC, evg->vdev); disk->removable = 1; disk->readwrite = 0; disk->is_cdrom = 1; @@ -1381,9 +1380,6 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid, evg->domid = guest_domid; LIBXL_LIST_INSERT_HEAD(&CTX->disk_eject_evgens, evg, entry); - evg->vdev = strdup(vdev); - if (!evg->vdev) { rc = ERROR_NOMEM; goto out; } - uint32_t domid = libxl_get_stubdom_id(ctx, guest_domid); if (!domid) 
@@ -1401,6 +1397,13 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid, devid); evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path); + const char *configured_vdev; + rc = libxl__xs_read_checked(gc, XBT_NULL, + GCSPRINTF("%s/vdev", libxl_path), &configured_vdev); + if (rc) goto out; + + evg->vdev = libxl__strdup(NOGC, configured_vdev); + rc = libxl__ev_xswatch_register(gc, &evg->watch, disk_eject_xswatch_callback, path); if (rc) goto out; -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
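Review bot: in the first hunk (@@ -1357, disk_eject_xswatch_callback), the context line `disk->pdev_path = strdup("");` still carries its "xxx fixme malloc failure" comment, while the new vdev line directly below it switches to `libxl__strdup(NOGC, evg->vdev)`. Consider converting pdev_path the same way, here or in a follow-up, so both strings returned to the user in this block are allocated consistently and the fixme can be dropped.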
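Review bot: in the second hunk (@@ -1381, libxl_evenable_disk_eject), evg is already on CTX->disk_eject_evgens via LIBXL_LIST_INSERT_HEAD, but with the strdup removed evg->vdev is no longer set at this point; it is assigned only after the later libxl__xs_read_checked call. Any `goto out` taken in between reaches the error path with evg->vdev unset, so please confirm that path tolerates it. Since the caller's vdev string is no longer what gets stored, the function's documentation should also state that the reported vdev is the configured one from /libxl.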
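Review bot: in the third hunk (@@ -1401), configured_vdev is handed to `libxl__strdup(NOGC, configured_vdev)` after checking only rc, with no check that the read actually produced a value. If the `%s/vdev` node under libxl_path is absent and the pointer comes back NULL, evg->vdev ends up without a usable string and the copy made in disk_eject_xswatch_callback inherits the problem. Suggest an explicit `if (!configured_vdev)` check that logs the path and fails with an error before the strdup.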