[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename
commit 62b4d4769ca39fd5263da20d786a7b9a80a22d9a Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> AuthorDate: Wed Jun 8 15:42:19 2016 +0100 Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> CommitDate: Wed Jun 8 16:13:24 2016 +0100 libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename In "libxl: Do not trust backend for disk eject vdev" (c69871a2fb26 on xen.git#staging) we changed libxl_evenable_disk_eject to read the device vdev out of xenstore from the /libxl path, rather than the backend path, and to read it during setup rather than on each event. However, the patch has a mistake: - GCSPRINTF("%s/dev", backend), NULL); + GCSPRINTF("%s/vdev", libxl_path), &configured_vdev); ^ Spot the extra "v". This causes configured_vdev always to be NULL. configured_vdev is passed to [libxl__]strdup. In Xen 4.6 and later libxl__strdup is used and tolerates NULL. evg->vdev is set to NULL. This propagates to the `vdev' field in the generated event. This may or may not cause further trouble, depending on the calling application. In our osstest test cases it does not cause any trouble, so the bug goes undetected. In Xen 4.5 and earlier, the strdup does not tolerate NULL, and libxl crashes immediately. This has been detected by osstest as a regression in Xen 4.5. IMO this patch should be applied immediately to xen.git#staging-4.5 (to check that it fixes the osstest regression) xen.git#staging (to check that it does not break master Subject to passes, it should then be propagated to all supported stable trees and also be mentioned in an update to XSA-178. Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx> CC: security@xxxxxxxxxxxxxx CC: Jan Beulich <jbeulich@xxxxxxxx> CC: Wei Liu <wei.liu2@xxxxxxxxxx> (cherry picked from commit 27c5d7ff8cfdc2e15ff521b4912d69b782a269d7) --- tools/libxl/libxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c index 006b83f..7584966 100644 --- a/tools/libxl/libxl.c +++ b/tools/libxl/libxl.c @@ -1399,7 +1399,7 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid, const char *configured_vdev; rc = libxl__xs_read_checked(gc, XBT_NULL, - GCSPRINTF("%s/vdev", libxl_path), &configured_vdev); + GCSPRINTF("%s/dev", libxl_path), &configured_vdev); if (rc) goto out; evg->vdev = libxl__strdup(NOGC, configured_vdev); -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |