
Re: [PATCH 1/2] ioctl_store: Add missing path validity checks


  • To: Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>, "win-pv-devel@xxxxxxxxxxxxxxxxxxxx" <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Owen Smith <owen.smith@xxxxxxxxxx>
  • Date: Thu, 25 Jun 2026 13:48:56 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ckZl9XHh03srUDJaj94tGjaeBZ4NpCjUufMnJ6UkVvg=; b=DmKMu7/nFN/hz1g/D6ipprTyJwVatAosROZgqCiYVFlxmsKDYRzYGFK8B3IcktzMGKJGfJySUY3V+Vg6lvC4AnUTPvR15trWbnt1re+RBl8aFTLjt8z+A3TehWBTAJGVfxVXgW+qKN4bb7sAjEXYeTn5GgyMepNflnf6cZYN2YjBLkdSdfo9NMDf9tz2aWU+y0wnbNx50Ga9VAZ/QE+YX1CYqiK1h1rHSFqsst633kVRnvC/18ibkhnEiY4yykhr24ntNrC7uyJx4roFOFNt/Dd/NOUagk/duP3bfVCrlBtMPq2VUsfeXoDp5X2cc7baF1gQ5KXo5MJxucmUUH3LlA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=zOaBcVQNMNZ/98PWkBN2Ei0Z4B9waXQHxtkPQPIPhKkxtHkKOl2ZsBDKjO/d5jciT6J7FLGfy0cvWK2zQKOJJIfM6Z4rIhLgsrpcL0HxD64cJQwcq9HhZ3dtr4Oru8FqnAbDRH7G0ipT9DeFMGddu+lYgWoPo9yb9Rbnmvt8F+n1TyBjQbarWyjagH2rVd/B2xeARQUqjxc400d9C+7hHt42WaQSR7yzbyd//7h/L6AKs3u/93AiKlzJeca6Izoxp4QEB2dBoa4urtg/bg0/6MscA7BiZar/FwBDx3pUG7lS1UJV5WZbkq6h6F+Urp98Hd+gyeuVxMjlf3PaGswIPQ==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck"
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Delivery-date: Thu, 25 Jun 2026 13:49:22 +0000
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>
  • Msip_labels:
  • Thread-index: AQHdBH4TjgJt4UT2IUmbuFHReY6YILZPSaad
  • Thread-topic: [PATCH 1/2] ioctl_store: Add missing path validity checks

Reviewed-by: Owen Smith <owen.smith@xxxxxxxxxx>

________________________________________
From: win-pv-devel <win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx> on behalf of Tu 
Dinh <ngoc-tu.dinh@xxxxxxxxxx>
Sent: 25 June 2026 9:38 AM
To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Cc: Tu Dinh
Subject: [PATCH 1/2] ioctl_store: Add missing path validity checks

The path was not checked for validity in IoctlStoreSetPermissions and
IoctlStoreAddWatch.

Signed-off-by: Tu Dinh <ngoc-tu.dinh@xxxxxxxxxx>
---
 src/xeniface/ioctl_store.c | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/src/xeniface/ioctl_store.c b/src/xeniface/ioctl_store.c
index 266eb73..2ac96af 100644
--- a/src/xeniface/ioctl_store.c
+++ b/src/xeniface/ioctl_store.c
@@ -416,6 +416,10 @@ IoctlStoreSetPermissions(
         goto fail5;

     Path[In->PathLength - 1] = 0;
+    status = STATUS_INVALID_PARAMETER;
+    if (!__IsValidStr(Path, In->PathLength))
+        goto fail6;
+
     Trace("> Path '%s', NumberPermissions %lu\n", Path, In->NumberPermissions);

     for (Index = 0; Index < In->NumberPermissions; Index++) {
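Review bot: In IoctlStoreSetPermissions the added `__IsValidStr(Path, In->PathLength)` runs after `Path[In->PathLength - 1] = 0;`, so it always sees a terminated buffer: a caller path that lacked its terminator has its last byte overwritten and is then judged as the shortened string, rather than being refused for the missing terminator. If that is the intended contract, say so with a comment above the check, e.g. `// Path is force-terminated above; a path without a NUL is validated as truncated, not refused`. The write at `In->PathLength - 1` also depends on a non-zero length being enforced before the hunk starts, which is not visible here. The same ordering appears in the IoctlStoreAddWatch hunk at `@@ -526,11 +533,14 @@`.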
@@ -434,12 +438,15 @@ IoctlStoreSetPermissions(
                           In->NumberPermissions);

     if (!NT_SUCCESS(status))
-        goto fail6;
+        goto fail7;

     __FreePermissions(Permissions);
     __FreeCapturedBuffer(Path);
     return status;

+fail7:
+    Error("Fail7\n");
+
 fail6:
     Error("Fail6\n");
     __FreeCapturedBuffer(Path);
@@ -526,11 +533,14 @@ IoctlStoreAddWatch(
         goto fail3;

     Path[In->PathLength - 1] = 0;
+    status = STATUS_INVALID_PARAMETER;
+    if (!__IsValidStr(Path, In->PathLength))
+        goto fail4;

     status = STATUS_NO_MEMORY;
     Context = __AllocatePoolWithTag(NonPagedPool, 
sizeof(XENIFACE_STORE_CONTEXT), XENIFACE_POOL_TAG);
     if (Context == NULL)
-        goto fail4;
+        goto fail5;

     RtlZeroMemory(Context, sizeof(XENIFACE_STORE_CONTEXT));

@@ -543,7 +553,7 @@ IoctlStoreAddWatch(
                                        &Context->Event,
                                        NULL);
     if (!NT_SUCCESS(status))
-        goto fail5;
+        goto fail6;

     Trace("> Path '%s', Event %p, FO %p\n", Path, In->Event, FileObject);

@@ -551,7 +561,7 @@ IoctlStoreAddWatch(

     status = ThreadCreate(StoreWatch, Context, &Context->Thread);
     if (!NT_SUCCESS(status))
-        goto fail6;
+        goto fail7;

     status = XENBUS_STORE(WatchAdd,
                           &Fdo->StoreInterface,
@@ -561,7 +571,7 @@ IoctlStoreAddWatch(
                           &Context->Watch);

     if (!NT_SUCCESS(status))
-        goto fail7;
+        goto fail8;

     ExInterlockedInsertTailList(&Fdo->StoreWatchList, &Context->Entry, 
&Fdo->StoreWatchLock);

@@ -572,21 +582,24 @@ IoctlStoreAddWatch(

     return status;

-fail7:
+fail8:
     __FreeCapturedBuffer(Context->Path);

-    Error("Fail7\n");
+    Error("Fail8\n");
     ThreadAlert(Context->Thread);
     ThreadJoin(Context->Thread);

+fail7:
+    Error("Fail7\n");
+    ObDereferenceObject(Context->Event);
+
 fail6:
     Error("Fail6\n");
-    ObDereferenceObject(Context->Event);
+    RtlZeroMemory(Context, sizeof(XENIFACE_STORE_CONTEXT));
+    __FreePoolWithTag(Context, XENIFACE_POOL_TAG);

 fail5:
     Error("Fail5\n");
-    RtlZeroMemory(Context, sizeof(XENIFACE_STORE_CONTEXT));
-    __FreePoolWithTag(Context, XENIFACE_POOL_TAG);

 fail4:
     Error("Fail4\n");
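Review bot: After the renumbering, `fail5:` in IoctlStoreAddWatch holds only its `Error("Fail5\n")` call, which reads like a dropped cleanup step; it is reached when the Context allocation fails, where there is no Context to release. A one-line comment such as `// Context allocation failed: nothing to undo here` would keep a later editor from adding a free to it. The new `goto fail4` for an invalid path relies on fail4 releasing the captured Path, and fail4's body continues outside the hunk, so that is worth confirming, together with `fail8` freeing `Context->Path` before it falls through to the same label.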
--
2.54.0.windows.1



--
Ngoc Tu Dinh | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech



 

