[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BUG] Potential double-free in Xen dt-overlay attach/remove error path

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>
  • Date: Fri, 10 Apr 2026 12:06:46 +0200
  • Arc-authentication-results: i=1; bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Arc-message-signature: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; c=relaxed/relaxed; t=1775815607; h=MIME-Version:Date:From:To:Cc:Subject:In-Reply-To:References: Message-ID:X-Sender:Organization:Content-Type: Content-Transfer-Encoding; bh=AthjxD6bIMJJOd71BX/xR7xA5ig717DgsSmNBAcifVk=; b=p6/i966JC5eohSNNJHNMFqvLHODPP0jTYVQ2tMzma/LuQHu3yT3TONHOe+FMD5GqNS2I DycIguteQVprseFuqRXk/7o+JFEWkCZSry+CZu2vdU+8/VHRrIgZQnKWHWohY59EWv9rv FnsjN3Xi8irTxVeLctxsbMB5Apppflv4QwpsmjzN1BjbyFuVWctVY48dlwYbBDEli1AE9 ufSWhHN8Iq38NX7LUMJTi4N0dT//s4fMnAQ5cdqGfKm2HDbIXxTmnxQhrWinml9/GSEKo dn/kHsqNIIdiY2dg4ZJjGv91WVF6mUGEhJ4ui5aGzhiyzZTYJIvEyc3ATBKYKoXykn120 y4kE7imA9xSm7BfHEu4cFUewSVWBGlPnQS/o3/bEJc9la2ueRnKsNOCw6xQCUziwIQFDV jCKQvA20GE4ccrZPg75HV98ba6Oav5Rpjp1gKkj9dFyzFxhRjxU34TyNdfiPCDuuJ1MyF FLambikrRCFlik5WYeSdYY23MF/m2v7+IpGoFAgn6fFzUM0GbmzXkhpKBUntwmA4tXvOB 5FRt2evvljrLp0SwuPUVzRytfpgPPX92FO+8i1zKj/33zE4ZKZfVygl7xsoyRCRNBzsHR 6SIlTCaxeE9LrblsYESUmkiX6jdHiR+e/zZenwqpN98KTO3AAb2wKN4Ybj1wL24=
  • Arc-seal: i=1; d=bugseng.com; s=openarc; a=rsa-sha256; cv=none; t=1775815607; b=MjdY4/JVIuAW9N36xCD3YXm3JotM3V+RfEQt+4MziYEvN3e07ypH3uL2PS6tRREgPlrh eFgNSqpj0cFZszk/EYt3w+spZnkqYb0xtfH4bYb8Al6KRLp0iDn9/G6mgli7yYdyv7Xlx 9n8VMNGEkH/66VjLita3reZoMxBeSUX/ee72S0qQpcayF7QSx+yUBmzqBmEoRwEv4qUsT F9hVA/Ckp6O2BDKpCq15pnPFqc6aNIYCoW77+t34/diJIn7ls71oezMVWks24x/r6L+nE zHfqxZReahftdzo/7YmKBOStHNPBwxH2zm6bKgQ3Pk6WgCgdEBilPocP+7fG9eXiDE3uc f7oGk50b/4p+wvrYevGaQh5MVoS3Vvz6fBUULWsoq40Bn/DXsysE52a+dsqf52huG3f9Q emMM9isp+9Y2uDeeJfYZsF9tvmJSW9xajTXZw/m02EBpsJSY5b5QYZm5kNd2WC5UHEaQx +Wb9Wg+d3Kche3Ig0TRbdpsELuO6JR1DuDDzRAat5NIU5BjUbtVHF2y1ap/P1xyeDFGNG g+wHznknrWKFQ1eMLsRhsaYYYB9SqClBmHRqIO/KNhjUye0SiQ1f8cHOAMStNcKzssRdY lNFpNAzcKujryKs4TxupYSl7dwwcYdzpz48RKGdBpiQ+AZbHyc7Idztyk0XTEZI=
  • Authentication-results: eu.smtp.expurgate.cloud; none
  • Authentication-results: bugseng.com; arc=none smtp.remote-ip=162.55.131.47
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Fri, 10 Apr 2026 10:06:55 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 2026-04-10 08:31, Jan Beulich wrote:

On 09.04.2026 23:28, Gyujeong Jin wrote:

Hello Team, I was advised to report this issue in this way because
dt-overlay is currently experimental and not security supported.
I would like to report a potential memory safety issue in Xen related to 
the Device Tree overlay handling logic.
------------------------------
Problem Description

A double-free / use-after-free condition may occur in the dt-overlay
handling path when an overlay attachment fails and the same overlay is
later removed.
The issue arises because rangeset objects are freed on the failure path of 
handle_attach_overlay_nodes(), but the corresponding pointers are not
cleared. Subsequently, handle_remove_overlay_nodes() may operate on these 
stale pointers, leading to a second free.
Affected Component

   - Xen ARM
   - Device Tree overlay subsystem
   - File: xen/common/device-tree/dt-overlay.c

Relevant functions:

   - handle_attach_overlay_nodes()
   - handle_remove_overlay_nodes()

Impact

This issue may lead to:

   - Double-free of rangeset structures
   - Use-after-free when accessing stale pointers
   - Potential hypervisor crash (DoS)
   - Possible memory corruption depending on allocator behavior
Given that this occurs in the hypervisor context, the impact could extend 
beyond a simple crash under certain conditions.
Root Cause
The issue originates from inconsistent memory management between the attach 
failure path and the remove path.
In handle_attach_overlay_nodes(), the failure path frees rangeset objects: 

static long handle_attach_overlay_nodes(...)
{
    ...

    if ( entry )
    {
        rangeset_destroy(entry->irq_ranges);
        rangeset_destroy(entry->iomem_ranges);
    }

    return rc;
}

However, the corresponding pointers (entry->irq_ranges and
entry->iomem_ranges) are not set to NULL afterward, leaving dangling
pointers in the entry structure.
Further to this, am I overlooking any check preventing an already created pair of rangesets to be replaced by new ones, leaking the original pair?
And then there's a Misra issue as well: dt_overlay_domctl() has unreachable code. Anything other than XEN_DOMCTL_DT_OVERLAY_ATTACH is excluded at the top, so the "else" body near the bottom is unreachable. (This in turn makes me wonder: How come there's no "detach"?) Yet then, that's probably pretty meaningless, as there look to be other issues (Misra and general robustness 
ones) as well.

Jan
Is it by any chance enabled in *-allcode analyses? I don't see such reports for unreachable code on ARM64. 

--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.