[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.19] tools/libxs: Fix length check in xs_talkv()

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Mon, 25 Nov 2024 13:33:12 +0000
Delivery-date: Mon, 25 Nov 2024 13:33:14 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit dd2494735c3099f1d269af73104a8af497930908
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Mon Nov 25 11:53:18 2024 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Nov 25 11:53:18 2024 +0100

    tools/libxs: Fix length check in xs_talkv()
    
    If the sum of iov element lengths overflows, the XENSTORE_PAYLOAD_MAX can
    pass, after which we'll write 4G of data with a good-looking length field, 
and
    the remainder of the payload will be interpreted as subsequent commands.
    
    Check each iov element length for XENSTORE_PAYLOAD_MAX before accmulating 
it.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jason Andryuk <jason.andryuk@xxxxxxx>
    Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
    master commit: 42db2deb5e7617f0459b68cd73ab503938356186
    master date: 2024-07-23 15:11:27 +0100
---
 tools/libs/store/xs.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/tools/libs/store/xs.c b/tools/libs/store/xs.c
index 38a6ce3cf2..4c37de437b 100644
--- a/tools/libs/store/xs.c
+++ b/tools/libs/store/xs.c
@@ -576,21 +576,24 @@ static void *xs_talkv(struct xs_handle *h, 
xs_transaction_t t,
        struct xsd_sockmsg msg;
        void *ret = NULL;
        int saved_errno;
-       unsigned int i;
+       unsigned int i, msg_len;
        struct sigaction ignorepipe, oldact;
 
        msg.tx_id = t;
        msg.req_id = 0;
        msg.type = type;
-       msg.len = 0;
-       for (i = 0; i < num_vecs; i++)
-               msg.len += iovec[i].iov_len;
 
-       if (msg.len > XENSTORE_PAYLOAD_MAX) {
-               errno = E2BIG;
-               return 0;
+       /* Calculate the payload length by summing iovec elements */
+       for (i = 0, msg_len = 0; i < num_vecs; i++) {
+               if ((iovec[i].iov_len > XENSTORE_PAYLOAD_MAX) ||
+                   ((msg_len += iovec[i].iov_len) > XENSTORE_PAYLOAD_MAX)) {
+                       errno = E2BIG;
+                       return NULL;
+               }
        }
 
+       msg.len = msg_len;
+
        ignorepipe.sa_handler = SIG_IGN;
        sigemptyset(&ignorepipe.sa_mask);
        ignorepipe.sa_flags = 0;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.19

Prev by Date: [xen stable-4.19] tools/misc: xen-hvmcrash: Inject #DF instead of overwriting RIP
Next by Date: [xen stable-4.19] tools/libxs: Rework xs_talkv() to take xsd_sockmsg within the iovec
Previous by thread: [xen stable-4.19] tools/misc: xen-hvmcrash: Inject #DF instead of overwriting RIP
Next by thread: [xen stable-4.19] tools/libxs: Rework xs_talkv() to take xsd_sockmsg within the iovec
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.