[xen stable-4.18] tools/xenstored: fix canonicalize() error testing



commit 2c5f7fd78ba894c6a2fd3bfc2d164cc792db8f42
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Thu Feb 12 08:29:38 2026 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Mar 17 12:11:44 2026 +0000

    tools/xenstored: fix canonicalize() error testing
    
    The setting of errno in canonicalize() is rather fragile and seems to
    be even wrong in one corner case: when the invalid path "/local/domain/"
    is passed, sscanf() will set errno to 0, resulting in canonicalize()
    returning NULL with errno being 0. This can result in triggering the
    assert(conn->in == NULL) in consider_message().
    
    Don't assume the initial setting of errno to "EINVAL" will stay valid
    in all cases and set it to EINVAL only when returning NULL due to an
    invalid path.
    
    This is XSA-481/CVE-2026-23555
    
    Reported-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Reviewed-by: Julien Grall <julien@xxxxxxx>
    (cherry picked from commit 4c61822b04aac089d1df9ab15ae3a3f6dfb4e305)
---
 tools/xenstored/core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c
index dfe98e7bfc..e8a0e3830b 100644
--- a/tools/xenstored/core.c
+++ b/tools/xenstored/core.c
@@ -1262,11 +1262,10 @@ const char *canonicalize(struct connection *conn, const 
void *ctx,
         * - illegal character in node
         * - starts with '@' but no special node allowed
         */
-       errno = EINVAL;
        if (!node ||
            !valid_chars(node) ||
            (node[0] == '@' && !allow_special))
-               return NULL;
+               goto inval;
 
        if (node[0] != '/' && node[0] != '@') {
                name = talloc_asprintf(ctx, "%s/%s", get_implicit_path(conn),
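Review bot: with the unconditional `errno = EINVAL;` removed from the top of the function, every `return NULL` between this check and the new `inval:` label has to set errno itself. The `talloc_asprintf()` call at the end of this hunk is one such place, and its failure path lies outside the visible lines: please confirm it returns with ENOMEM set rather than depending on the old preset value, and that it does not fall through to `inval`, which would report an allocation failure as EINVAL.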
@@ -1294,6 +1293,8 @@ const char *canonicalize(struct connection *conn, const 
void *ctx,
        if (name != node)
                talloc_free(name);
 
+ inval:
+       errno = EINVAL;
        return NULL;
 }
 
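Review bot: the `inval:` label and the `errno = EINVAL;` after it carry no comment stating the contract they enforce, namely that a NULL return from canonicalize() always comes with a non-zero errno, which per the commit message is what keeps the assert(conn->in == NULL) in consider_message() from firing. A one-line comment at the label would make that dependency visible to the next person touching the exit path. Placing the assignment after `talloc_free(name)` is the right order, since it is the last statement before `return NULL` and nothing in between can overwrite it. A regression test sending the path "/local/domain/" named in the commit message would be worth adding alongside.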
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.18