
Re: [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure


  • To: "Gyujeong Jin" <wlsrbwjd7232@xxxxxxxxx>, "Michal Orzel" <michal.orzel@xxxxxxx>
  • From: "Teddy Astie" <teddy.astie@xxxxxxxxxx>
  • Date: Wed, 15 Apr 2026 11:56:22 +0000
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, "Bertrand Marquis" <bertrand.marquis@xxxxxxx>
  • Delivery-date: Wed, 15 Apr 2026 11:58:33 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Le 15/04/2026 à 13:51, Gyujeong Jin a écrit :
> Thanks for your efforts.
>
> I’ve seen some advisories that received CVEs here.
> https://xenbits.xen.org/xsa/ <https://xenbits.xen.org/xsa/>
>
> Can I receive a CVE for this report?
>
> Thanks.
>

Device-tree overlay is marked as "Experimental", hence it's not Security
supported so no XSA would be issued, even if it has security
implications for the feature.

I don't know regarding individual CVEs though.

> On Wed, 15 Apr 2026 at 20:37, Michal Orzel <michal.orzel@xxxxxxx> wrote:
>
>     handle_attach_overlay_nodes() destroys the IRQ and IOMEM rangesets on
>     failure but leaves the pointers dangling in the tracker entry. A
>     subsequent handle_remove_overlay_nodes() for the same overlay will call
>     rangeset_consume_ranges() on freed memory followed by a second
>     rangeset_destroy(), resulting in use-after-free and double-free.
>
>     NULL the pointers after rangeset_destroy() so that remove_nodes() and
>     handle_remove_overlay_nodes() skip the stale entries.
>
>     Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device
>     attachment to domains")
>     Reported-by: Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
>     Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
>     ---
>       xen/common/device-tree/dt-overlay.c | 2 ++
>       1 file changed, 2 insertions(+)
>
>     diff --git a/xen/common/device-tree/dt-overlay.c b/xen/common/
>     device-tree/dt-overlay.c
>     index d184186c015e..6fa07dbf42a5 100644
>     --- a/xen/common/device-tree/dt-overlay.c
>     +++ b/xen/common/device-tree/dt-overlay.c
>     @@ -910,7 +910,9 @@ static long handle_attach_overlay_nodes(struct
>     domain *d,
>           if ( entry )
>           {
>               rangeset_destroy(entry->irq_ranges);
>     +        entry->irq_ranges = NULL;
>               rangeset_destroy(entry->iomem_ranges);
>     +        entry->iomem_ranges = NULL;
>           }
>
>           return rc;
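Review bot: Nulling entry->irq_ranges and entry->iomem_ranges after each rangeset_destroy() in this error path is the right minimal fix, but its correctness depends on code outside the hunk: the commit message says remove_nodes() and handle_remove_overlay_nodes() "skip the stale entries", yet the diff does not show the NULL checks that make them skip. Since rangeset_consume_ranges() is the call that would otherwise walk freed memory, please confirm (or state in the commit message) that the NULL check precedes that call, and that the second rangeset_destroy() the message describes is also NULL-tolerant, so the tracker entry left behind with both rangesets NULL is genuinely inert. A follow-up worth considering is whether the entry should be unlinked from the tracker on this failure path at all; leaving a half-initialised entry in the list that every later caller must recognise and skip is more fragile than never exposing it.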
>     --
>     2.43.0
>

Teddy


--
Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech
