|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.3] libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename
commit 899205dc8e02500716255e495a65c9f03763759a
Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Wed Jun 8 15:42:19 2016 +0100
Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Wed Jun 8 16:16:12 2016 +0100
libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename
In "libxl: Do not trust backend for disk eject vdev" (c69871a2fb26 on
xen.git#staging) we changed libxl_evenable_disk_eject to read the
device vdev out of xenstore from the /libxl path, rather than the
backend path, and to read it during setup rather than on each event.
However, the patch has a mistake:
- GCSPRINTF("%s/dev", backend), NULL);
+ GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
^
Spot the extra "v". This causes configured_vdev always to be NULL.
configured_vdev is passed to [libxl__]strdup.
In Xen 4.6 and later libxl__strdup is used and tolerates NULL.
evg->vdev is set to NULL. This propagates to the `vdev' field in the
generated event. This may or may not cause further trouble, depending
on the calling application. In our osstest test cases it does not
cause any trouble, so the bug goes undetected.
In Xen 4.5 and earlier, the strdup does not tolerate NULL, and libxl
crashes immediately. This has been detected by osstest as a
regression in Xen 4.5.
IMO this patch should be applied immediately to
xen.git#staging-4.5 (to check that it fixes the osstest regression)
xen.git#staging (to check that it does not break master
Subject to passes, it should then be propagated to all supported
stable trees and also be mentioned in an update to XSA-178.
Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: security@xxxxxxxxxxxxxx
CC: Jan Beulich <jbeulich@xxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
(cherry picked from commit 62b4d4769ca39fd5263da20d786a7b9a80a22d9a)
(cherry picked from commit 8b7a356409023f60f80e9f4b00bba16ad56cd77b)
(cherry picked from commit 6d272988fb3bdcc2578c5ee6d8a408628d1f0c0e)
(cherry picked from commit ec5925c72cfd7544b86fc6273937c9cc7e21e580)
---
tools/libxl/libxl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 69b009c..339cfc3 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -1227,7 +1227,7 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t
guest_domid,
const char *configured_vdev;
rc = libxl__xs_read_checked(gc, XBT_NULL,
- GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
+ GCSPRINTF("%s/dev", libxl_path), &configured_vdev);
if (rc) goto out;
evg->vdev = libxl__strdup(NOGC, configured_vdev);
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.3
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |