[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.13] tools/xenstore: fix deleting node in transaction



commit 30a293fba36b438d90b802132d70020e76086058
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Tue Sep 13 07:35:13 2022 +0200
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Nov 1 15:25:15 2022 +0000

    tools/xenstore: fix deleting node in transaction
    
    In case a node has been created in a transaction and it is later
    deleted in the same transaction, the transaction will be terminated
    with an error.
    
    As this error is encountered only when handling the deleted node at
    transaction finalization, the transaction will have been performed
    partially and without updating the accounting information. This will
    enable a malicious guest to create arbitrary number of nodes.
    
    This is part of XSA-421 / CVE-2022-42325.
    
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Tested-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
    (cherry picked from commit 13ac37f1416cae88d97f7baf6cf2a827edb9a187)
---
 tools/xenstore/xenstored_transaction.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/xenstore/xenstored_transaction.c 
b/tools/xenstore/xenstored_transaction.c
index cd592845e7..6297149986 100644
--- a/tools/xenstore/xenstored_transaction.c
+++ b/tools/xenstore/xenstored_transaction.c
@@ -424,7 +424,13 @@ static int finalize_transaction(struct connection *conn,
                                                   true);
                                talloc_free(data.dptr);
                        } else {
-                               ret = do_tdb_delete(conn, &key, NULL);
+                               /*
+                                * A node having been created and later deleted
+                                * in this transaction will have no generation
+                                * information stored.
+                                */
+                               ret = (i->generation == NO_GENERATION)
+                                     ? 0 : do_tdb_delete(conn, &key, NULL);
                        }
                        if (ret)
                                goto err;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.13



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.