[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.14] tools/xenstore: add memory accounting for responses

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Wed, 02 Nov 2022 08:24:14 +0000
Delivery-date: Wed, 02 Nov 2022 08:24:15 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit cc289061d93786aa5bd504c91b583e1abb55bbb4
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Tue Sep 13 07:35:09 2022 +0200
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Nov 1 15:20:41 2022 +0000

    tools/xenstore: add memory accounting for responses
    
    Add the memory accounting for queued responses.
    
    In case adding a watch event for a guest is causing the hard memory
    quota of that guest to be violated, the event is dropped. This will
    ensure that it is impossible to drive another guest past its memory
    quota by generating insane amounts of events for that guest. This is
    especially important for protecting driver domains from that attack
    vector.
    
    This is part of XSA-326 / CVE-2022-42315.
    
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
    (cherry picked from commit f6d00133643a524d2138c9e3f192bbde719050ba)
---
 tools/xenstore/xenstored_core.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 9fd83ea025..4322d3cf63 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -257,6 +257,8 @@ static void free_buffered_data(struct buffered_data *out,
                }
        }
 
+       domain_memory_add_nochk(conn->id, -out->hdr.msg.len - sizeof(out->hdr));
+
        if (out->hdr.msg.type == XS_WATCH_EVENT) {
                req = out->pend.req;
                if (req) {
@@ -845,11 +847,14 @@ void send_reply(struct connection *conn, enum 
xsd_sockmsg_type type,
        bdata->timeout_msec = 0;
        bdata->watch_event = false;
 
-       if (len <= DEFAULT_BUFFER_SIZE)
+       if (len <= DEFAULT_BUFFER_SIZE) {
                bdata->buffer = bdata->default_buffer;
-       else {
+               /* Don't check quota, path might be used for returning error. */
+               domain_memory_add_nochk(conn->id, len + sizeof(bdata->hdr));
+       } else {
                bdata->buffer = talloc_array(bdata, char, len);
-               if (!bdata->buffer) {
+               if (!bdata->buffer ||
+                   domain_memory_add_chk(conn->id, len + sizeof(bdata->hdr))) {
                        send_error(conn, ENOMEM);
                        return;
                }
@@ -914,6 +919,11 @@ void send_event(struct buffered_data *req, struct 
connection *conn,
                }
        }
 
+       if (domain_memory_add_chk(conn->id, len + sizeof(bdata->hdr))) {
+               talloc_free(bdata);
+               return;
+       }
+
        if (timeout_watch_event_msec && domain_is_unprivileged(conn)) {
                bdata->timeout_msec = get_now_msec() + timeout_watch_event_msec;
                if (!conn->timeout_msec)
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.14

Prev by Date: [xen stable-4.14] tools/xenstore: add infrastructure to keep track of per domain memory usage
Next by Date: [xen stable-4.14] tools/xenstore: add memory accounting for watches
Previous by thread: [xen stable-4.14] tools/xenstore: add infrastructure to keep track of per domain memory usage
Next by thread: [xen stable-4.14] tools/xenstore: add memory accounting for watches
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.