
[Xen-changelog] [xen-3.1-testing] Fix use-after-free in xenconsoled.



# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1193934959 0
# Node ID 039ff3dbba5fc79c98fb8c6025d0cc91624a1283
# Parent  27347d6d73a359aa8aece2ad10d9cc8b924b3990
Fix use-after-free in xenconsoled.

shutdown_domain() MUST NOT call cleanup_domain(), just flagging them
as dead is enough.  cleanup_domains() for dead domains is called by
the main loop in handle_io() in a safe way already.

shutdown_domain() calling cleanup_domain() too leads to struct domain
being accessed after freeing and to a double-free.

Fixed by simply dropping the cleanup_domain() call and by making the
functions called by the main loop in handle_io() ignore dead domains.

Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
xen-unstable changeset:   16289:2462265f09ae310d7c8e8b194ce9e01430cb9071
xen-unstable date:        Thu Nov 01 16:34:43 2007 +0000
---
 tools/console/daemon/io.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletion(-)

diff -r 27347d6d73a3 -r 039ff3dbba5f tools/console/daemon/io.c
--- a/tools/console/daemon/io.c Thu Nov 01 16:26:38 2007 +0000
+++ b/tools/console/daemon/io.c Thu Nov 01 16:35:59 2007 +0000
@@ -469,7 +469,6 @@ static void shutdown_domain(struct domai
        if (d->xce_handle != -1)
                xc_evtchn_close(d->xce_handle);
        d->xce_handle = -1;
-       cleanup_domain(d);
 }
 
 void enum_domains(void)
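
Review bot: with cleanup_domain(d) dropped from the end of shutdown_domain(), the guards added in the handlers only help if d->is_dead is set before this function returns, and that assignment is not visible in this hunk's context (the lines shown only close xce_handle and reset it to -1). Please confirm the flag is set on every path through shutdown_domain(), and consider a one-line comment here saying that freeing is deferred to the main loop in handle_io(), so the call is not reintroduced later.
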
@@ -515,6 +514,9 @@ static void handle_tty_read(struct domai
        struct xencons_interface *intf = dom->interface;
        XENCONS_RING_IDX prod;
 
+       if (dom->is_dead)
+               return;
+
        len = ring_free_bytes(dom);
        if (len == 0)
                return;
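
Review bot: the guard in handle_tty_read() is the first of three identical copies of "if (dom->is_dead) return;" added by this patch, so any handler added to the handle_io() loop later has to remember to repeat it. Skipping dead domains once in the loop that dispatches to these handlers would keep the check in one place. If the per-handler form is kept, a short comment on why a dead domain can still reach this function would help.
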
@@ -552,6 +554,9 @@ static void handle_tty_write(struct doma
 {
        ssize_t len;
 
+       if (dom->is_dead)
+               return;
+
        len = write(dom->tty_fd, dom->buffer.data + dom->buffer.consumed,
                    dom->buffer.size - dom->buffer.consumed);
        if (len < 1) {
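
Review bot: the early return in handle_tty_write() skips the write() of dom->buffer.data + dom->buffer.consumed, so any console output still buffered when the domain is flagged dead is dropped without notice. If the last output of a domain that is shutting down should reach the tty, the buffer needs to be flushed before is_dead takes effect. If dropping it is intended, say so in a comment next to the guard.
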
@@ -574,6 +579,9 @@ static void handle_ring_read(struct doma
 static void handle_ring_read(struct domain *dom)
 {
        evtchn_port_t port;
+
+       if (dom->is_dead)
+               return;
 
        if ((port = xc_evtchn_pending(dom->xce_handle)) == -1)
                return;
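
Review bot: in handle_ring_read() the guard is what keeps xc_evtchn_pending(dom->xce_handle) from being called with the -1 that shutdown_domain() stores in xce_handle, and that dependency is not documented. A comment stating it, or an explicit check for xce_handle == -1 alongside is_dead, would make the invariant visible. Minor style point: the blank line is added before the guard here but after it in the other two handlers.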

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

