Re: [PATCH v2] tools/xenstore: fix a use after free problem in xenstored
Hi Juergen,

On 03/04/2020 13:03, Juergen Gross wrote:
> Commit 562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object twice")
> introduced a potential use after free problem in domain_cleanup(): after
> calling talloc_unlink() for domain->conn, domain->conn is set to NULL. The
> problem is that domain is registered as talloc child of domain->conn, so it
> might be freed by the talloc_unlink() call.
>
> With Xenstore being single threaded there are normally no concurrent memory
> allocations running and freeing a virtual memory area normally doesn't result
> in that area no longer being accessible. A problem could occur only in case
> either a signal received results in some memory allocation done in the signal
> handler (SIGHUP is a primary candidate leading to reopening the log file), or
> in case the talloc framework would do some internal memory allocation during
> freeing of the memory (which would lead to clobbering of the freed domain
> structure).

Thank you for writing more context!

> Fixes: 562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object twice")
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>

Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>

Cheers,

--
Julien Grall