[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename

On Wed, Jun 08, 2016 at 03:56:36PM +0100, Ian Jackson wrote:
> In "libxl: Do not trust backend for disk eject vdev" (c69871a2fb26 on
> xen.git#staging) we changed libxl_evenable_disk_eject to read the
> device vdev out of xenstore from the /libxl path, rather than the
> backend path, and to read it during setup rather than on each event.
> 
> However, the patch has a mistake:
>     -        GCSPRINTF("%s/dev", backend), NULL);
>     +        GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
>                            ^
> Spot the extra "v".  This causes configured_vdev always to be NULL.
> configured_vdev is passed to [libxl__]strdup.
> 
> In Xen 4.6 and later libxl__strdup is used and tolerates NULL.
> evg->vdev is set to NULL.  This propagates to the `vdev' field in the
> generated event.  This may or may not cause further trouble, depending
> on the calling application.  In our osstest test cases it does not
> cause any trouble, so the bug goes undetected.
> 
> In Xen 4.5 and earlier, the strdup does not tolerate NULL, and libxl
> crashes immediately.  This has been detected by osstest as a
> regression in Xen 4.5.
> 
> IMO this patch should be applied immediately to
>   xen.git#staging-4.5 (to check that it fixes the osstest regression)
>   xen.git#staging     (to check that it does not break master
> 
> Subject to passes, it should then be propagated to all supported
> stable trees and also be mentioned in an update to XSA-178.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
> CC: security@xxxxxxxxxxxxxx
> CC: Jan Beulich <jbeulich@xxxxxxxx>
> CC: Wei Liu <wei.liu2@xxxxxxxxxx>

Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>

> ---
>  tools/libxl/libxl.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
> index 006b83f..7584966 100644
> --- a/tools/libxl/libxl.c
> +++ b/tools/libxl/libxl.c
> @@ -1399,7 +1399,7 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t 
> guest_domid,
>  
>      const char *configured_vdev;
>      rc = libxl__xs_read_checked(gc, XBT_NULL,
> -            GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
> +            GCSPRINTF("%s/dev", libxl_path), &configured_vdev);
>      if (rc) goto out;
>  
>      evg->vdev = libxl__strdup(NOGC, configured_vdev);
> -- 
> 1.7.10.4
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.