
[xen stable-4.19] tools/xenstored: fix canonicalize() error testing



commit 7e16c850cd6c91a9490d528146a09d405e1ac0c3
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Thu Feb 12 08:29:38 2026 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Mar 17 12:08:41 2026 +0000

    tools/xenstored: fix canonicalize() error testing
    
    The setting of errno in canonicalize() is rather fragile and seems to
    be even wrong in one corner case: when the invalid path "/local/domain/"
    is passed, sscanf() will set errno to 0, resulting in canonicalize() to
    return NULL with errno being 0. This can result in triggering the
    assert(conn->in == NULL) in consider_message().
    
    Don't assume the initial setting of errno to "EINVAL" will stay valid
    in all cases and set it to EINVAL only when returning NULL due to an
    invalid path.
    
    This is XSA-481/CVE-2026-23555
    
    Reported-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Reviewed-by: Julien Grall <julien@xxxxxxx>
    (cherry picked from commit 4c61822b04aac089d1df9ab15ae3a3f6dfb4e305)
---
 tools/xenstored/core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c
index bada1ad9a2..64baec268b 100644
--- a/tools/xenstored/core.c
+++ b/tools/xenstored/core.c
@@ -1242,11 +1242,10 @@ const char *canonicalize(struct connection *conn, const 
void *ctx,
         * - illegal character in node
         * - starts with '@' but no special node allowed
         */
-       errno = EINVAL;
        if (!node ||
            !valid_chars(node) ||
            (node[0] == '@' && !allow_special))
-               return NULL;
+               goto inval;
 
        if (node[0] != '/' && node[0] != '@') {
                name = talloc_asprintf(ctx, "%s/%s", get_implicit_path(conn),
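Review bot: with the up-front `errno = EINVAL;` removed at the top of this hunk, every `return NULL` in the part of canonicalize() that lies between the two hunks (not shown here) now depends on setting errno itself or on reaching `inval`. The `talloc_asprintf()` call in the trailing context is the first one to check: its failure handling is outside the visible lines, and it should be confirmed that an allocation failure there neither returns with a stale errno nor gets routed to `inval` and reported as EINVAL. The comment block above the check lists the rejection cases but does not say where errno is set; a short line such as "errno is set at the inval label" would keep the contract visible at the point where the old assignment used to be.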
@@ -1274,6 +1273,8 @@ const char *canonicalize(struct connection *conn, const 
void *ctx,
        if (name != node)
                talloc_free(name);
 
+ inval:
+       errno = EINVAL;
        return NULL;
 }
 
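Review bot: the `inval:` label sits after `if (name != node) talloc_free(name);`, so the early `goto inval` from the first hunk skips that cleanup. That is fine for the visible jump, since it happens before `name` is assigned, but any `goto inval` added later from a point after the allocation would leak `name`. A one-line comment at the label saying it may only be targeted before `name` is allocated, or a second label placed above the `talloc_free()` for later failures, would guard against that. Setting `errno = EINVAL;` as the last statement before `return NULL;` is the right order, because the fall-through path runs `talloc_free()` first and the commit message notes that sscanf() can reset errno to 0. The diffstat shows only core.c changed; a regression test that passes the "/local/domain/" path named in the commit message and checks for a NULL return with errno == EINVAL would pin the behaviour.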
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.19



 

