[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen staging] tools/xenstore: fix deleting node in transaction
commit 13ac37f1416cae88d97f7baf6cf2a827edb9a187 Author: Juergen Gross <jgross@xxxxxxxx> AuthorDate: Tue Sep 13 07:35:13 2022 +0200 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Tue Nov 1 13:05:44 2022 +0000 tools/xenstore: fix deleting node in transaction In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. This is part of XSA-421 / CVE-2022-42325. Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Tested-by: Julien Grall <jgrall@xxxxxxxxxx> Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx> --- tools/xenstore/xenstored_transaction.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c index 3e3eb47326..7ffe21bb52 100644 --- a/tools/xenstore/xenstored_transaction.c +++ b/tools/xenstore/xenstored_transaction.c @@ -418,7 +418,13 @@ static int finalize_transaction(struct connection *conn, true); talloc_free(data.dptr); } else { - ret = do_tdb_delete(conn, &key, NULL); + /* + * A node having been created and later deleted + * in this transaction will have no generation + * information stored. + */ + ret = (i->generation == NO_GENERATION) + ? 0 : do_tdb_delete(conn, &key, NULL); } if (ret) goto err; -- generated by git-patchbot for /home/xen/git/xen.git#staging
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |