Xen project Mailing List

Re: [BUG] Potential double-free in Xen dt-overlay attach/remove error path

To: Nicola Vetrini <nicola.vetrini@xxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 10 Apr 2026 11:11:00 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=80cr0fbEyf+3LSpJr7OWb7Mu6O2vhzsw5TXapkzEWb0=; b=HZ7xBDGYTUUTmrU6LE1ILHEjryDJz0cgzHTMB65MzYF/p2xtJfowcG943mceGJzJ8prlnIiU+tHyXwmfq2toFHGOIQ3cbZiq+x2JjsIVQyugFTbdGz8mg2ZWyQgTvGRq3B0CS08cxtkVS9+NOs3G4dGWFMaYf5YAH4tfmqumgdA9q9izwVW/LRzqIkPDLxKyas1DoUyBLf/K6u5+Z+PD+sttHtAZdhQ1TaQmjRaGZfRsS+4bDBq/3NU1ODIDP0u0OBwYMFZ/xj45Tni+YPMj9IqhZ7ICfTbw20nHy6XS2TrvGuF3pC+DrEXONPZDGyFM8yRPW7ozqciEdlp3Cd6qtA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=yu5qYVQV8G2lMQbinL7tuNAwp8w+DwnYJCMXqkfKz9uDirJk8++RNl2x9ITRAgg/KLSvs0t6CdyCSFkqZps8Dnul7AUUpr3MUo80ps/XhxNcj604tGlnk7hAJLYmnIu92OhcQ9gE8d28ZiQo93DYvXgm+kom6pfueCCxmLWWXeBmxPl2hO+C1Wx3tme1WBOKZ6eSGeLNM64UVWTueuwSOFVTbWodchmYlp/Z4FtU72ztvW41hWQ9EEyQmIiZZnRIy0g39aCsJLSom1XSVAkhdWLHcylDsmDiK4cCXrNpQUhoal9F5R+cu2QJ+N/s4XetCcFUZ9ZoafWydhEs48mrnA==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>

Delivery-date: Fri, 10 Apr 2026 10:11:11 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 10/04/2026 11:06 am, Nicola Vetrini wrote: > On 2026-04-10 08:31, Jan Beulich wrote: >> On 09.04.2026 23:28, Gyujeong Jin wrote: >>> Hello Team, I was advised to report this issue in this way because >>> dt-overlay is currently experimental and not security supported. >>> >>> I would like to report a potential memory safety issue in Xen >>> related to >>> the Device Tree overlay handling logic. >>> ------------------------------ >>> Problem Description >>> >>> A double-free / use-after-free condition may occur in the dt-overlay >>> handling path when an overlay attachment fails and the same overlay is >>> later removed. >>> >>> The issue arises because rangeset objects are freed on the failure >>> path of >>> handle_attach_overlay_nodes(), but the corresponding pointers are not >>> cleared. Subsequently, handle_remove_overlay_nodes() may operate on >>> these >>> stale pointers, leading to a second free. >>> Affected Component >>> >>> - Xen ARM >>> - Device Tree overlay subsystem >>> - File: xen/common/device-tree/dt-overlay.c >>> >>> Relevant functions: >>> >>> - handle_attach_overlay_nodes() >>> - handle_remove_overlay_nodes() >>> >>> Impact >>> >>> This issue may lead to: >>> >>> - Double-free of rangeset structures >>> - Use-after-free when accessing stale pointers >>> - Potential hypervisor crash (DoS) >>> - Possible memory corruption depending on allocator behavior >>> >>> Given that this occurs in the hypervisor context, the impact could >>> extend >>> beyond a simple crash under certain conditions. >>> Root Cause >>> >>> The issue originates from inconsistent memory management between the >>> attach >>> failure path and the remove path. >>> >>> In handle_attach_overlay_nodes(), the failure path frees rangeset >>> objects: >>> >>> static long handle_attach_overlay_nodes(...) >>> { >>> ... >>> >>> if ( entry ) >>> { >>> rangeset_destroy(entry->irq_ranges); >>> rangeset_destroy(entry->iomem_ranges); >>> } >>> >>> return rc; >>> } >>> >>> However, the corresponding pointers (entry->irq_ranges and >>> entry->iomem_ranges) are not set to NULL afterward, leaving dangling >>> pointers in the entry structure. >> >> Further to this, am I overlooking any check preventing an already >> created >> pair of rangesets to be replaced by new ones, leaking the original pair? >> >> And then there's a Misra issue as well: dt_overlay_domctl() has >> unreachable >> code. Anything other than XEN_DOMCTL_DT_OVERLAY_ATTACH is excluded at >> the >> top, so the "else" body near the bottom is unreachable. (This in turn >> makes >> me wonder: How come there's no "detach"?) Yet then, that's probably >> pretty >> meaningless, as there look to be other issues (Misra and general >> robustness >> ones) as well. >> >> Jan > > Is it by any chance enabled in *-allcode analyses? I don't see such > reports for unreachable code on ARM64. > eclair-ARM64-allcode: ... EXTRA_XEN_CONFIG: | ... CONFIG_OVERLAY_DTB=y Seems to be, yes. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.