[xen staging-4.13] tools/xenstore: add memory accounting for responses
commit 115156c416ad9a12d72d14f2df0c982ea1a254c4 Author: Juergen Gross <jgross@xxxxxxxx> AuthorDate: Tue Sep 13 07:35:09 2022 +0200 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Tue Nov 1 15:25:15 2022 +0000 tools/xenstore: add memory accounting for responses Add the memory accounting for queued responses. In case adding a watch event for a guest is causing the hard memory quota of that guest to be violated, the event is dropped. This will ensure that it is impossible to drive another guest past its memory quota by generating insane amounts of events for that guest. This is especially important for protecting driver domains from that attack vector. This is part of XSA-326 / CVE-2022-42315. Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx> (cherry picked from commit f6d00133643a524d2138c9e3f192bbde719050ba) --- tools/xenstore/xenstored_core.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c index 217096d91a..4f29439ad8 100644 --- a/tools/xenstore/xenstored_core.c +++ b/tools/xenstore/xenstored_core.c @@ -254,6 +254,8 @@ static void free_buffered_data(struct buffered_data *out, } } + domain_memory_add_nochk(conn->id, -out->hdr.msg.len - sizeof(out->hdr)); + if (out->hdr.msg.type == XS_WATCH_EVENT) { req = out->pend.req; if (req) { 
@@ -843,11 +845,14 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type, bdata->timeout_msec = 0; bdata->watch_event = false; - if (len <= DEFAULT_BUFFER_SIZE) + if (len <= DEFAULT_BUFFER_SIZE) { bdata->buffer = bdata->default_buffer; - else { + /* Don't check quota, path might be used for returning error. */ + domain_memory_add_nochk(conn->id, len + sizeof(bdata->hdr)); + } else { bdata->buffer = talloc_array(bdata, char, len); - if (!bdata->buffer) { + if (!bdata->buffer || + domain_memory_add_chk(conn->id, len + sizeof(bdata->hdr))) { send_error(conn, ENOMEM); return; } @@ -912,6 +917,11 @@ void send_event(struct buffered_data *req, struct connection *conn, } } + if (domain_memory_add_chk(conn->id, len + sizeof(bdata->hdr))) { + talloc_free(bdata); + return; + } + if (timeout_watch_event_msec && domain_is_unprivileged(conn)) { bdata->timeout_msec = get_now_msec() + timeout_watch_event_msec; if (!conn->timeout_msec) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.13
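Review bot: in the free_buffered_data() hunk, the release amount `-out->hdr.msg.len - sizeof(out->hdr)` subtracts a size_t, so the expression is evaluated as an unsigned value and only becomes a negative delta through conversion to the parameter type of domain_memory_add_nochk(), which is not visible in this patch. Negating the whole sum after casting to that signed type, for example `-(long)(out->hdr.msg.len + sizeof(out->hdr))` with the cast matching the real parameter type, would make the intent explicit and mirror the `len + sizeof(bdata->hdr)` charged in send_reply() and send_event().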
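Review bot: in the send_reply() hunk, the large-buffer error path returns via send_error(conn, ENOMEM) with no matching negative adjustment, so the accounting is only balanced if domain_memory_add_chk() leaves the counter unchanged when it fails. That contract is not visible here; a one-line comment at the call stating it would help, in the same way the small-buffer branch already explains why it uses the nochk variant. The same ENOMEM is also returned for both allocation failure and quota violation, so a log message on the quota branch would let an operator tell the two apart.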
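Review bot: in the send_event() hunk, a watch event that would exceed the quota is discarded with `talloc_free(bdata); return;` and nothing is recorded. Since the commit message describes this as the defence against another guest flooding the connection with events, a rate-limited log line or a per-domain drop counter at this point would make the condition detectable and make lost events in a driver domain diagnosable. The check also runs after bdata has been built, so if len is known earlier, testing the quota before the allocation would avoid that work for events that are going to be dropped.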