Xen project Mailing List

Re: [PATCH] Fix double-free on error condition in GnttabPermitForeignAccess()

From: Rafał Wojdyła <omeg@xxxxxxxxxxxxxxxxxxxxxx>

Date: Thu, 7 Mar 2024 11:06:52 +0100

Autocrypt: addr=omeg@xxxxxxxxxxxxxxxxxxxxxx; keydata= xsBNBFH+JQwBCAC0ym1Jtm5HM2p32Nw8NDNdkhwJR1For9txOKqeYMJWBTPzGJQG9HVHdYY/ PZNfzvJkl26q1CB7JbAXVq2rSt1hn7cc4qL4BIDackJ4SEAAYbSLK82pQYUHhj18nNzZgxnn DBHpppRUA76DhSRKxEOZ+7GQAHd6H8RA0zBW+5ut0iOmglia3sOlim2yqeBRj6XaRn3RGmT9 LXQu/UrJDY52LwJGE9on1wTvw+tN4QmCipFUk6YToVbkHiyDSnNN6aRqclH0vJBZquagQ/wn aOohowIyyzbY2+GJspKEPD3J9Ov5aKe/jN13WjBYwcy+NUG9SWT+VTIi6th43mh/L3dNABEB AAHNLVJhZmHFgiBXb2pkecWCYSA8b21lZ0BpbnZpc2libGV0aGluZ3NsYWIuY29tPsLAeQQT AQIAIwUCUkHE5wIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEIWi9rB2GrW7hasI AK5DFMRDqARqlOIncq0bDJbbPnScXozcVjrU2jHaA736d9eoXNixSxX+D1+4QGjgEIUJWaa6 yqGTlqgHdOMKWYoDpUsm56Utj16E/ln1hSxXxEeHL30Fyqfqfmi0mlJv4ijasfxqwoHSt+Yy cACIhm563cwCaAdaO++lrcF2O/g+KIUXo0uEx+n6c8M25gu2TC3Cxn1ZeWH+5y9rUB6ph6JV eVKAYBSdK4qDEpDwz124YcpBloh5S4Jt6pVBSbJodbP+LQyet3Gb3IMYzFa+M6SMO/6EQX8k Q0zv1axlFCFs/Wf19A+nh40fZRRL+Q/v3lY9/v7u2mY4jGvKYao+sKXOwE0EUf4lDAEIALD5 ungRVF1VnOKpNBS6xcpXw7jGX5Lh+r9fOZ9pSyqQRfD5t6yF3bjwgJBzfIJO2t/WhxlNTwZA Y3ZYA/+UBOyi9Y0axEp1L6bR42iC1tCt4kawpm+Lye4aRXdbKo/EBP6wSUiOqQ3+LLLmnaSj saAiYQWUZ3at1hOHrZZRIy3vk38rsheWURu6FQWc4VK2odEFtKD2gvw0s93Q6xbMahcWRP3M 1TWzBSlO4pbV64nXBJVtqDOOs/jQwYjkdotNWb70a2uYasPz+btS0YvW31m94zedXdKZnJN+ kP314z1q7Gv8CPfgRTqU3JonIkw69ylk2AGzeRv5oFVhRKgFlv0AEQEAAcLAXwQYAQIACQUC Uf4lDAIbDAAKCRCFovawdhq1u8wYB/9kZRnMX5gm0Yq7zdqu/K6o3EfAfYI/ZBOXSgYcb58s L1Jy+b3inq5PZQrLn7D9V5DFBBjKwthhKVK/eKCALqYuVvaiBmhHjE02xZoi1g7pvV2kj0z6 OFtF2IXO4vwtaHQhhIutVd+jjDmnSl0kYCBurOjVFmD2ZCTDQ5/JqEDU26V5i9Dwp9sImDm7 r3lBgLOKu5uWKoQRHbdxPN8FzoFfxDH+xZKubqGgvEvCsX1CjFRP7/kcGW5TrAb/rNEOG1Ik 25Qj7mjWFa6sv2jYvV1aIpCK8sKKTPeS0mRfhnqQDYqluBsOQIrSHSHbjCTkuIdSutzJyxpG xLY7n9TPT2ug

Cc: win-pv-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 07 Mar 2024 10:07:07 +0000

Feedback-id: i409c4082:Fastmail

List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

On 7 mar 2024 10:36, Owen Smith wrote:

Is there other cleanup needed in other fail cases?

Context->Grants, Context->KernelVa, Context->Mdl are allocated and pagescould need revoking access during the cleanup operation in a failure case.

Calling GnttabStopSharing() should do this, but its not called in thecase where GnttabPermitForeignAccess returns a failure code.


Owen

Good catch, the GnttabStopSharing() call should remain there to clean up

the contents of the context. I'll send the updated version.

On Thu, Mar 7, 2024 at 8:51 AM Rafał Wojdyła<omeg@xxxxxxxxxxxxxxxxxxxxxx <mailto:omeg@xxxxxxxxxxxxxxxxxxxxxx>> wrote:


    XENIFACE_GNTTAB_CONTEXT associated with the request was incorrectly
    freed
    by GnttabPermitForeignAccess() when a failure occured. The context
    is also
    freed by the parent function, IoctlGnttabPermitForeignAccess(),
    which led
    to a double-free and kernel heap corruption.

    Signed-off-by: Rafał Wojdyła <omeg@xxxxxxxxxxxxxxxxxxxxxx
    <mailto:omeg@xxxxxxxxxxxxxxxxxxxxxx>>
    ---
      src/xeniface/ioctl_gnttab.c | 7 -------
      1 file changed, 7 deletions(-)

    diff --git a/src/xeniface/ioctl_gnttab.c b/src/xeniface/ioctl_gnttab.c
    index 8ab2099..083c29d 100644
    --- a/src/xeniface/ioctl_gnttab.c
    +++ b/src/xeniface/ioctl_gnttab.c
    @@ -303,13 +303,6 @@ fail2:

      fail1:
          Error("Fail1\n");
    -    GnttabStopSharing(Fdo, Context, Page);
    -
    -    if (Context != NULL) {
    -        RtlZeroMemory(Context, sizeof(*Context));
    -        __FreePoolWithTag(Context, XENIFACE_POOL_TAG);
    -    }
    -
          return Status;
      }

--2.43.0.windows.1

-- Rafał Wojdyła Invisible Things Lab

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.