[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[win-pv-devel] [PATCH 1/2] Avoid double-free hazard in XENBUS_CACHE

  • To: <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Paul Durrant <paul.durrant@xxxxxxxxxx>
  • Date: Fri, 31 May 2019 10:51:47 +0100
  • Authentication-results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=paul.durrant@xxxxxxxxxx; spf=Pass smtp.mailfrom=Paul.Durrant@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxxxxxxxxxxxxx
  • Cc: Paul Durrant <paul.durrant@xxxxxxxxxx>
  • Delivery-date: Fri, 31 May 2019 09:52:07 +0000
  • Ironport-sdr: V7a3N0treEJYIyGu102lSc/WzaIr3TLE9wXOuvP+f8Ya9bk0JksjQQKayK99ILQkpBcw156dH7 p6+gFtQmxeOzDp85x3RYEHT7r1njvi5Js3t3fT7tTf97rUGYCZlrt6cB+8gXTX+TynNpwdgxSw riMXsbkj6Gu6yGK389u9doy0YioUsqWH4Fg6/sml2LPTTg16WFw+HbsepB6g+P68alppbVoJW0 SltSvubek/I5zIVNVrXk77+Xv/joPjCX9yZ7+V5trlqZ4a7M0BO1w7IxdSrlw6shs/0n0fpPzF 1nM=
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>
Currently CachePut() calls CachePutObjectToSlab() without holding the cache
lock. This allows two concurrent calls to subsequently serialize on the lock
and both find Slab->Allocated == 0 (the second one actually testing freed
memory), leading to a double-free.

Moving the lock acquisition to before the call to CachePutObjectToSlab()
fixes this problem.

For consistency, this patch also makes it a requirement that
CachePutObjectToSlab() is called with the lock held, and adjusts
__CacheFlushMagazines() accordingly.

Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
 src/xenbus/cache.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/xenbus/cache.c b/src/xenbus/cache.c
index a0f4135..877b395 100644
--- a/src/xenbus/cache.c
+++ b/src/xenbus/cache.c
@@ -355,7 +355,7 @@ CacheGetObjectFromSlab(
     return (PVOID)&Slab->Buffer[Index * Cache->Size];
 }
 
-// May be called with or without lock held
+// Must be called with lock held
 static VOID
 CachePutObjectToSlab(
     IN  PXENBUS_CACHE_SLAB  Slab,
@@ -460,11 +460,11 @@ CachePut(
     Slab = (PXENBUS_CACHE_SLAB)PAGE_ALIGN(Object);
     ASSERT3U(Slab->Magic, ==, XENBUS_CACHE_SLAB_MAGIC);
 
-    CachePutObjectToSlab(Slab, Object);
-
     if (!Locked)
         __CacheAcquireLock(Cache);
 
+    CachePutObjectToSlab(Slab, Object);
+
     if (Slab->Allocated == 0) {
         CacheDestroySlab(Cache, Slab);
     } else {
@@ -554,8 +554,12 @@ __CacheFlushMagazines(
     IN  PXENBUS_CACHE   Cache
     )
 {
+    KIRQL               Irql;
     ULONG               Index;
 
+    KeRaiseIrql(DISPATCH_LEVEL, &Irql);
+    __CacheAcquireLock(Cache);
+
     for (Index = 0; Index < Cache->MagazineCount; Index++) {
         PXENBUS_CACHE_MAGAZINE  Magazine = &Cache->Magazine[Index];
         PVOID                   Object;
@@ -569,6 +573,9 @@ __CacheFlushMagazines(
             CachePutObjectToSlab(Slab, Object);
         }
     }
+
+    __CacheReleaseLock(Cache);
+    KeLowerIrql(Irql);
 }
 
 static NTSTATUS
-- 
2.5.3


_______________________________________________
win-pv-devel mailing list
win-pv-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/win-pv-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.