[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.3] libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename



commit 899205dc8e02500716255e495a65c9f03763759a
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Wed Jun 8 15:42:19 2016 +0100
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Wed Jun 8 16:16:12 2016 +0100

    libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename
    
    In "libxl: Do not trust backend for disk eject vdev" (c69871a2fb26 on
    xen.git#staging) we changed libxl_evenable_disk_eject to read the
    device vdev out of xenstore from the /libxl path, rather than the
    backend path, and to read it during setup rather than on each event.
    
    However, the patch has a mistake:
        -        GCSPRINTF("%s/dev", backend), NULL);
        +        GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
                               ^
    Spot the extra "v".  This causes configured_vdev always to be NULL.
    configured_vdev is passed to [libxl__]strdup.
    
    In Xen 4.6 and later libxl__strdup is used and tolerates NULL.
    evg->vdev is set to NULL.  This propagates to the `vdev' field in the
    generated event.  This may or may not cause further trouble, depending
    on the calling application.  In our osstest test cases it does not
    cause any trouble, so the bug goes undetected.
    
    In Xen 4.5 and earlier, the strdup does not tolerate NULL, and libxl
    crashes immediately.  This has been detected by osstest as a
    regression in Xen 4.5.
    
    IMO this patch should be applied immediately to
      xen.git#staging-4.5 (to check that it fixes the osstest regression)
      xen.git#staging     (to check that it does not break master
    
    Subject to passes, it should then be propagated to all supported
    stable trees and also be mentioned in an update to XSA-178.
    
    Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
    Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    CC: security@xxxxxxxxxxxxxx
    CC: Jan Beulich <jbeulich@xxxxxxxx>
    CC: Wei Liu <wei.liu2@xxxxxxxxxx>
    (cherry picked from commit 62b4d4769ca39fd5263da20d786a7b9a80a22d9a)
    (cherry picked from commit 8b7a356409023f60f80e9f4b00bba16ad56cd77b)
    (cherry picked from commit 6d272988fb3bdcc2578c5ee6d8a408628d1f0c0e)
    (cherry picked from commit ec5925c72cfd7544b86fc6273937c9cc7e21e580)
---
 tools/libxl/libxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index 69b009c..339cfc3 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -1227,7 +1227,7 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t 
guest_domid,
 
     const char *configured_vdev;
     rc = libxl__xs_read_checked(gc, XBT_NULL,
-            GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
+            GCSPRINTF("%s/dev", libxl_path), &configured_vdev);
     if (rc) goto out;
 
     evg->vdev = libxl__strdup(NOGC, configured_vdev);
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.3

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.