[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure
- To: Michal Orzel <michal.orzel@xxxxxxx>
- From: Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
- Date: Wed, 15 Apr 2026 20:48:53 +0900
- Arc-authentication-results: i=1; mx.google.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=fF0EDgYzvalXVplasDURxrz1JbxTcNnbbzGMmI0mBAw=; fh=55tUfj1WwP7DhKmsv27FhfRdeMgov7mEKJwUGhbYoYE=; b=WMKFdwMTqqa7AZKXDkdHR87vMke0rOrN8nOVXURzU1ttr4b6QDsB1+U28lEi/uUZhW Q0hR5OONG1TQSwGidv2qgdvI5iz6uZZDkc4h6W1Qi7T7/m4JWidFGpP/r3cuZeTZwtyy akDYctfkPMqO5Iq/u+8aqXJay3xI0DS7Dtjf1Wt4l/3zcBGrPcCaSHvTtUOjwbShTs6R AZZK/C38kNYJOQH1BRh6MSUjUNXJ4ohZi7obP9ghC/bjkPofhdSEh41emh1xisKYvfxR B+BlLq04HzT87BnJHWcRHnQ0GQUYUon34Z+IR5NK+XTl/cuZr9Z7s0zW7RD4lT6AV4r7 zZ9g==; darn=lists.xenproject.org
- Arc-seal: i=1; a=rsa-sha256; t=1776253745; cv=none; d=google.com; s=arc-20240605; b=hoX1EA4eaN1rbw6hAXbaL7aKN4xYv6vnfcObrAY8zOb0Zqs4kwLNJXsTzRgHWe8wkY a4SYQUKTHKWT7Q6KhMBuQieh0Tidoxm2qcCJJLkMdIff742NOMZxQoYiaNy71Zl9uE7i 84PxOmsFQ/meT6zhatBF1jcqk3WECkz7KsH/aJMDmrJZQSYw/FY5vT4oWygI70M+0ssA n4EfbRLq1TsyjGfPoLlzuDpGLB/y3hl/BBie33fkGOb9UM3AxQx9uzlLYOTkK1JNMtjf 3yUk+Zs3Ce7IdpJJD5c5CqDHd0poKq6djMyi/n+CKJEgJcCeNpquArY6KtqoITUSSS1P WmRA==
- Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20251104 header.d=gmail.com header.i="@gmail.com" header.h="Cc:To:Subject:Message-ID:Date:From:In-Reply-To:References:MIME-Version"
- Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>
- Delivery-date: Wed, 15 Apr 2026 11:49:14 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Thanks for your efforts.
I’ve seen some advisories that received cve here. Can I receive a cve for this report?
Thanks. handle_attach_overlay_nodes() destroys the IRQ and IOMEM rangesets on
failure but leaves the pointers dangling in the tracker entry. A
subsequent handle_remove_overlay_nodes() for the same overlay will call
rangeset_consume_ranges() on freed memory followed by a second
rangeset_destroy(), resulting in use-after-free and double-free.
NULL the pointers after rangeset_destroy() so that remove_nodes() and
handle_remove_overlay_nodes() skip the stale entries.
Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device attachment to domains")
Reported-by: Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
---
xen/common/device-tree/dt-overlay.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xen/common/device-tree/dt-overlay.c b/xen/common/device-tree/dt-overlay.c
index d184186c015e..6fa07dbf42a5 100644
--- a/xen/common/device-tree/dt-overlay.c
+++ b/xen/common/device-tree/dt-overlay.c
@@ -910,7 +910,9 @@ static long handle_attach_overlay_nodes(struct domain *d,
if ( entry )
{
rangeset_destroy(entry->irq_ranges);
+ entry->irq_ranges = NULL;
rangeset_destroy(entry->iomem_ranges);
+ entry->iomem_ranges = NULL;
}
return rc;
--
2.43.0
|
