[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.16] tools/xenstore: don't let remove_child_entry() call corrupt()



commit 32ff913afed898e6aef61626a58dc0bf5c6309ef
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Tue Sep 13 07:35:11 2022 +0200
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Nov 1 14:07:24 2022 +0000

    tools/xenstore: don't let remove_child_entry() call corrupt()
    
    In case of write_node() returning an error, remove_child_entry() will
    call corrupt() today. This could result in an endless recursion, as
    remove_child_entry() is called by corrupt(), too:
    
    corrupt()
      check_store()
        check_store_()
          remove_child_entry()
    
    Fix that by letting remove_child_entry() return an error instead and
    let the caller decide what to do.
    
    This is part of XSA-418 / CVE-2022-42321.
    
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
    (cherry picked from commit 0c00c51f3bc8206c7f9cf87d014650157bee2bf4)
---
 tools/xenstore/xenstored_core.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 3907c35643..f433a45dc2 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -1608,15 +1608,15 @@ static void memdel(void *mem, unsigned off, unsigned 
len, unsigned total)
        memmove(mem + off, mem + off + len, total - off - len);
 }
 
-static void remove_child_entry(struct connection *conn, struct node *node,
-                              size_t offset)
+static int remove_child_entry(struct connection *conn, struct node *node,
+                             size_t offset)
 {
        size_t childlen = strlen(node->children + offset);
 
        memdel(node->children, offset, childlen + 1, node->childlen);
        node->childlen -= childlen + 1;
-       if (write_node(conn, node, true))
-               corrupt(conn, "Can't update parent node '%s'", node->name);
+
+       return write_node(conn, node, true);
 }
 
 static void delete_child(struct connection *conn,
@@ -1626,7 +1626,9 @@ static void delete_child(struct connection *conn,
 
        for (i = 0; i < node->childlen; i += strlen(node->children+i) + 1) {
                if (streq(node->children+i, childname)) {
-                       remove_child_entry(conn, node, i);
+                       if (remove_child_entry(conn, node, i))
+                               corrupt(conn, "Can't update parent node '%s'",
+                                       node->name);
                        return;
                }
        }
@@ -2325,6 +2327,17 @@ int remember_string(struct hashtable *hash, const char 
*str)
        return hashtable_insert(hash, k, (void *)1);
 }
 
+static int rm_child_entry(struct node *node, size_t off, size_t len)
+{
+       if (!recovery)
+               return off;
+
+       if (remove_child_entry(NULL, node, off))
+               log("check_store: child entry could not be removed from '%s'",
+                   node->name);
+
+       return off - len - 1;
+}
 
 /**
  * A node has a children field that names the children of the node, separated
@@ -2377,12 +2390,7 @@ static int check_store_(const char *name, struct 
hashtable *reachable)
                                if (hashtable_search(children, childname)) {
                                        log("check_store: '%s' is duplicated!",
                                            childname);
-
-                                       if (recovery) {
-                                               remove_child_entry(NULL, node,
-                                                                  i);
-                                               i -= childlen + 1;
-                                       }
+                                       i = rm_child_entry(node, i, childlen);
                                }
                                else {
                                        if (!remember_string(children,
@@ -2399,11 +2407,7 @@ static int check_store_(const char *name, struct 
hashtable *reachable)
                        } else if (errno != ENOMEM) {
                                log("check_store: No child '%s' found!\n",
                                    childname);
-
-                               if (recovery) {
-                                       remove_child_entry(NULL, node, i);
-                                       i -= childlen + 1;
-                               }
+                               i = rm_child_entry(node, i, childlen);
                        } else {
                                log("check_store: ENOMEM");
                                ret = ENOMEM;
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.16



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.