[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] tools/xenstored: Prevent a buffer overflow in dump_state_node_perms()

On 06.05.21 18:12, Julien Grall wrote:
From: Julien Grall <jgrall@xxxxxxxxxx>

ASAN reported one issue when Live Updating Xenstored:

==873==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc194f53e0 
at pc 0x555c6b323292 bp 0x7ffc194f5340 sp 0x7ffc194f5338
WRITE of size 1 at 0x7ffc194f53e0 thread T0
     #0 0x555c6b323291 in dump_state_node_perms 
     #1 0x555c6b32746e in dump_state_special_node 
     #2 0x555c6b32a702 in dump_state_special_nodes 
     #3 0x555c6b32ddb3 in lu_dump_state 
     #4 0x555c6b32e380 in do_lu_start xen/tools/xenstore/xenstored_control.c:660
     #5 0x555c6b31b461 in call_delayed xen/tools/xenstore/xenstored_core.c:278
     #6 0x555c6b32275e in main xen/tools/xenstore/xenstored_core.c:2357
     #7 0x7f95eecf3d09 in __libc_start_main ../csu/libc-start.c:308
     #8 0x555c6b3197e9 in _start (/usr/local/sbin/xenstored+0xc7e9)

Address 0x7ffc194f53e0 is located in stack of thread T0 at offset 80 in frame
     #0 0x555c6b32713e in dump_state_special_node 

   This frame has 2 object(s):
     [32, 40) 'head' (line 1233)
     [64, 80) 'sn' (line 1234) <== Memory access at offset 80 overflows this 

This is happening because the callers are passing a pointer to a variable
allocated on the stack. However, the field perms is a dynamic array, so
Xenstored will end up to read outside of the variable.

Rework the code so the permissions are written one by one in the fd.

Fixes: ed6eebf17d2c ("tools/xenstore: dump the xenstore state for live update")
Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>

Reviewed-by: Juergen Gross <jgross@xxxxxxxx>


Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: application/pgp-keys

Attachment: OpenPGP_signature
Description: OpenPGP digital signature



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.