[Xen-changelog] [xen stable-4.7] tools/xenstore: dont unlink connection object twice
commit 3331050a1ac28a7c60f6542469c239f74584b3dc Author: Juergen Gross <jgross@xxxxxxxx> AuthorDate: Tue Sep 12 15:10:44 2017 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Sep 12 15:10:44 2017 +0200 tools/xenstore: dont unlink connection object twice A connection object of a domain with associated stubdom has two parents: the domain and the stubdom. When cleaning up the list of active domains in domain_cleanup() make sure not to unlink the connection twice from the same domain. This could happen when the domain and its stubdom are being destroyed at the same time leading to the domain loop being entered twice. Additionally don't use talloc_free() in this case as it will remove a random parent link, leading eventually to a memory leak. Use talloc_unlink() instead specifying the context from which the connection object should be removed. This is CVE-2017-14317 / XSA-233. Reported-by: Eric Chanudet <chanudete@xxxxxxxxxxxx> Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Reviewed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> master commit: 562a1c0f7ef3fbf3c122c3dfa4f2ad9dd51da9fe master date: 2017-09-12 14:44:56 +0200 --- tools/xenstore/xenstored_domain.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c index 318276c..132de3f 100644 --- a/tools/xenstore/xenstored_domain.c +++ b/tools/xenstore/xenstored_domain.c @@ -221,10 +221,11 @@ static int destroy_domain(void *_domain) static void domain_cleanup(void) { xc_dominfo_t dominfo; - struct domain *domain, *tmp; + struct domain *domain; int notify = 0; - list_for_each_entry_safe(domain, tmp, &domains, list) { + again: + list_for_each_entry(domain, &domains, list) { if (xc_domain_getinfo(*xc_handle, domain->domid, 1, &dominfo) == 1 && dominfo.domid == domain->domid) { 
@@ -236,8 +237,12 @@ static void domain_cleanup(void) if (!dominfo.dying) continue; } - talloc_free(domain->conn); - notify = 0; /* destroy_domain() fires the watch */ + if (domain->conn) { + talloc_unlink(talloc_autofree_context(), domain->conn); + domain->conn = NULL; + notify = 0; /* destroy_domain() fires the watch */ + goto again; + } } if (notify) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.7 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
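Review bot: The `again:` label added at the top of the loop in domain_cleanup(), together with the switch from list_for_each_entry_safe() to list_for_each_entry(), has no comment explaining why the walk must restart from the list head. Neither the code nor the commit message states it directly. If the reason is that unlinking one connection can take more than one entry off `domains` (the domain and its stubdom), so that a saved next pointer can no longer be trusted, a one-line comment above `again:` saying so would keep a later cleanup from reverting to the _safe iterator.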
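Review bot: In the second hunk the return value of talloc_unlink() is ignored and `domain->conn = NULL;` runs unconditionally, so a failed unlink would silently drop the pointer this loop holds to the connection. Consider checking the result and logging a failure before clearing the pointer. Separately, `goto again` restarts the walk after every unlinked connection, so the cleanup rescans the list once per dying domain; if that cost is accepted, say so in the comment next to the `goto`.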