[xen stable-4.8] tools/xenstore: dont unlink connection object twice

patchbot
commit 4d7ccae75134a48e2e062f9f4f3587adb0df9496
Author:     Juergen Gross <[hidden email]>
AuthorDate: Tue Sep 12 15:07:10 2017 +0200
Commit:     Jan Beulich <[hidden email]>
CommitDate: Tue Sep 12 15:07:10 2017 +0200

    tools/xenstore: dont unlink connection object twice
   
    A connection object of a domain with associated stubdom has two
    parents: the domain and the stubdom. When cleaning up the list of
    active domains in domain_cleanup() make sure not to unlink the
    connection twice from the same domain. This could happen when the
    domain and its stubdom are being destroyed at the same time leading
    to the domain loop being entered twice.
   
    Additionally don't use talloc_free() in this case as it will remove
    a random parent link, leading eventually to a memory leak. Use
    talloc_unlink() instead specifying the context from which the
    connection object should be removed.
   
    This is CVE-2017-14317 / XSA-233.
   
    Reported-by: Eric Chanudet <[hidden email]>
    Signed-off-by: Juergen Gross <[hidden email]>
    Reviewed-by: Ian Jackson <[hidden email]>
    master commit: 562a1c0f7ef3fbf3c122c3dfa4f2ad9dd51da9fe
    master date: 2017-09-12 14:44:56 +0200
---
 tools/xenstore/xenstored_domain.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 18ac327..17a66be 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -221,10 +221,11 @@ static int destroy_domain(void *_domain)
 static void domain_cleanup(void)
 {
  xc_dominfo_t dominfo;
- struct domain *domain, *tmp;
+ struct domain *domain;
  int notify = 0;
 
- list_for_each_entry_safe(domain, tmp, &domains, list) {
+ again:
+ list_for_each_entry(domain, &domains, list) {
  if (xc_domain_getinfo(*xc_handle, domain->domid, 1,
       &dominfo) == 1 &&
     dominfo.domid == domain->domid) {
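Review bot: dropping list_for_each_entry_safe for list_for_each_entry plus an `again:` label is the right shape here, since the `_safe` variant only protects against removing the current element, not against the destructor behind talloc_unlink removing other domains from `domains` as well; restarting the scan from the head is the only way to keep iteration valid after an unlink. Two things worth noting in the hunk: the `again:` label sits at the top of the loop, so every restart re-runs `xc_domain_getinfo()` for every domain still on the list, which is quadratic in the number of domains cleaned up in one pass (harmless for the numbers xenstored deals with, but a comment saying the restart is deliberate would save the next reader from "fixing" it back to the `_safe` form), and the unused `*tmp` has been removed along with it, so the declaration change on `struct domain *domain;` is consistent with the new loop.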
@@ -236,8 +237,12 @@ static void domain_cleanup(void)
  if (!dominfo.dying)
  continue;
  }
- talloc_free(domain->conn);
- notify = 0; /* destroy_domain() fires the watch */
+ if (domain->conn) {
+ talloc_unlink(talloc_autofree_context(), domain->conn);
+ domain->conn = NULL;
+ notify = 0; /* destroy_domain() fires the watch */
+ goto again;
+ }
  }
 
  if (notify)
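Review bot: the `if (domain->conn)` guard together with `domain->conn = NULL` is what actually closes the double-unlink: once the connection has been detached from this domain, a second pass through the loop (which the `goto again` now guarantees) finds `conn == NULL` and skips it, and `talloc_unlink(talloc_autofree_context(), domain->conn)` removes only the reference held by that context, leaving the stubdom's parent link intact until the stubdom is cleaned up in turn, which is exactly the leak the commit message describes for `talloc_free()`. One point to tighten: the retained comment `notify = 0; /* destroy_domain() fires the watch */` is only accurate when this unlink drops the last reference; while the stubdom still holds its link, destroy_domain() has not run yet and the watch has not fired, so either the comment should say the watch fires when the final parent goes away, or the notify suppression should be conditional on that. Also, `goto again` is required, not optional, after the unlink: if this was the last reference, destroy_domain() has removed `domain` from `domains` and `domain` itself is freed, so continuing the current iteration would touch freed memory.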
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.8

_______________________________________________
Xen-changelog mailing list
[hidden email]
https://lists.xenproject.org/xen-changelog