[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename



commit 62b4d4769ca39fd5263da20d786a7b9a80a22d9a
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Wed Jun 8 15:42:19 2016 +0100
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Wed Jun 8 16:13:24 2016 +0100

    libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename
    
    In "libxl: Do not trust backend for disk eject vdev" (c69871a2fb26 on
    xen.git#staging) we changed libxl_evenable_disk_eject to read the
    device vdev out of xenstore from the /libxl path, rather than the
    backend path, and to read it during setup rather than on each event.
    
    However, the patch has a mistake:
        -        GCSPRINTF("%s/dev", backend), NULL);
        +        GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
                               ^
    Spot the extra "v".  This causes configured_vdev always to be NULL.
    configured_vdev is passed to [libxl__]strdup.
    
    In Xen 4.6 and later libxl__strdup is used and tolerates NULL.
    evg->vdev is set to NULL.  This propagates to the `vdev' field in the
    generated event.  This may or may not cause further trouble, depending
    on the calling application.  In our osstest test cases it does not
    cause any trouble, so the bug goes undetected.
    
    In Xen 4.5 and earlier, the strdup does not tolerate NULL, and libxl
    crashes immediately.  This has been detected by osstest as a
    regression in Xen 4.5.
    
    IMO this patch should be applied immediately to
      xen.git#staging-4.5 (to check that it fixes the osstest regression)
      xen.git#staging     (to check that it does not break master
    
    Subject to passes, it should then be propagated to all supported
    stable trees and also be mentioned in an update to XSA-178.
    
    Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
    Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    CC: security@xxxxxxxxxxxxxx
    CC: Jan Beulich <jbeulich@xxxxxxxx>
    CC: Wei Liu <wei.liu2@xxxxxxxxxx>
    (cherry picked from commit 27c5d7ff8cfdc2e15ff521b4912d69b782a269d7)
---
 tools/libxl/libxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 006b83f..7584966 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -1399,7 +1399,7 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t 
guest_domid,
 
     const char *configured_vdev;
     rc = libxl__xs_read_checked(gc, XBT_NULL,
-            GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
+            GCSPRINTF("%s/dev", libxl_path), &configured_vdev);
     if (rc) goto out;
 
     evg->vdev = libxl__strdup(NOGC, configured_vdev);
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.