[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] libxl: Do not trust backend for disk eject vdev



commit c69871a2fb26de79a93b6291cc061e11d5764876
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Fri Apr 29 16:23:35 2016 +0100
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Thu Jun 2 15:53:29 2016 +0100

    libxl: Do not trust backend for disk eject vdev
    
    For disk eject, use configured vdev from /libxl, not backend.
    
    The backend directory is writeable by driver domains.  This means that
    a malicious driver domain could cause libxl to see a wrong vdev,
    confusing the user or the toolstack.
    
    Use the vdev from the /libxl space, rather than the backend.
    
    For convenience, we read the vdev from the /libxl space into the evg
    during setup and copy it on each event, rather than reading it afresh
    each time (which would in any case involve generating or saving a copy
    of the relevant /libxl path).
    
    This is part of XSA-178.
    
    Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
    Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
---
 tools/libxl/libxl.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 944f848..ec70b20 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -1357,8 +1357,7 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, 
libxl__ev_xswatch *w,
     disk->pdev_path = strdup(""); /* xxx fixme malloc failure */
     disk->format = LIBXL_DISK_FORMAT_EMPTY;
     /* this value is returned to the user: do not free right away */
-    disk->vdev = xs_read(CTX->xsh, XBT_NULL,
-                         GCSPRINTF("%s/dev", backend), NULL);
+    disk->vdev = libxl__strdup(NOGC, evg->vdev);
     disk->removable = 1;
     disk->readwrite = 0;
     disk->is_cdrom = 1;
@@ -1381,9 +1380,6 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t 
guest_domid,
     evg->domid = guest_domid;
     LIBXL_LIST_INSERT_HEAD(&CTX->disk_eject_evgens, evg, entry);
 
-    evg->vdev = strdup(vdev);
-    if (!evg->vdev) { rc = ERROR_NOMEM; goto out; }
-
     uint32_t domid = libxl_get_stubdom_id(ctx, guest_domid);
 
     if (!domid)
@@ -1401,6 +1397,13 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t 
guest_domid,
                                  devid);
     evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path);
 
+    const char *configured_vdev;
+    rc = libxl__xs_read_checked(gc, XBT_NULL,
+            GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
+    if (rc) goto out;
+
+    evg->vdev = libxl__strdup(NOGC, configured_vdev);
+
     rc = libxl__ev_xswatch_register(gc, &evg->watch,
                                     disk_eject_xswatch_callback, path);
     if (rc) goto out;
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.