Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
xen.4698
xsa175-0005-libxl-Do-not-trust-frontend-for-dis...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa175-0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch of Package xen.4698
References: bsc#979620 CVE-2016-4962 XSA-175 From f02320d65226f722bf8eaaa6bf6e0148d633965a Mon Sep 17 00:00:00 2001 From: Ian Jackson <ian.jackson@eu.citrix.com> Date: Wed, 27 Apr 2016 16:08:49 +0100 Subject: [PATCH 05/12] libxl: Do not trust frontend for disk eject event Use the /libxl path for interpreting disk eject watch events: do not read the backend path out of the frontend. Instead, use the version in /libxl. That avoids us relying on the guest-modifiable $frontend/backend pointer. To implement this we store the path /libxl/$guest/device/vbd/$devid/backend in the evgen structure. This is part of XSA-175. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> --- tools/libxl/libxl.c | 28 ++++++++++++++++++++++------ tools/libxl/libxl_internal.h | 2 +- 2 files changed, 23 insertions(+), 7 deletions(-) Index: xen-4.4.4-testing/tools/libxl/libxl.c =================================================================== --- xen-4.4.4-testing.orig/tools/libxl/libxl.c +++ xen-4.4.4-testing/tools/libxl/libxl.c @@ -1148,9 +1148,10 @@ static void disk_eject_xswatch_callback( const char *wpath, const char *epath) { EGC_GC; libxl_evgen_disk_eject *evg = (void*)w; - char *backend; + const char *backend; char *value; char backend_type[BACKEND_STRING_SIZE+1]; + int rc; value = libxl__xs_read(gc, XBT_NULL, wpath); @@ -1166,9 +1167,16 @@ static void disk_eject_xswatch_callback( libxl_event *ev = NEW_EVENT(egc, DISK_EJECT, evg->domid, evg->user); libxl_device_disk *disk = &ev->u.disk_eject.disk; - backend = libxl__xs_read(gc, XBT_NULL, - libxl__sprintf(gc, "%.*s/backend", - (int)strlen(wpath)-6, wpath)); + rc = libxl__xs_read_checked(gc, XBT_NULL, evg->be_ptr_path, &backend); + if (rc) { + LIBXL__EVENT_DISASTER(egc, "xs_read failed reading be_ptr_path", + errno, LIBXL_EVENT_TYPE_DISK_EJECT); + return; + } + if (!backend) { + /* device has been removed, not simply ejected */ + return; + } sscanf(backend, "/local/domain/%d/backend/%" TOSTRING(BACKEND_STRING_SIZE) @@ -1217,11 +1225,18 @@ int libxl_evenable_disk_eject(libxl_ctx if (!domid) domid = guest_domid; - path = libxl__sprintf(gc, "%s/device/vbd/%d/eject", + int devid = libxl__device_disk_dev_number(vdev, NULL, NULL); + + path = GCSPRINTF("%s/device/vbd/%d/eject", libxl__xs_get_dompath(gc, domid), - libxl__device_disk_dev_number(vdev, NULL, NULL)); + devid); if (!path) { rc = ERROR_NOMEM; goto out; } + const char *libxl_path = GCSPRINTF("%s/device/vbd/%d", + libxl__xs_libxl_path(gc, domid), + devid); + evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path); + rc = libxl__ev_xswatch_register(gc, &evg->watch, disk_eject_xswatch_callback, path); if (rc) goto out; @@ -1248,6 +1263,7 @@ void libxl__evdisable_disk_eject(libxl__ libxl__ev_xswatch_deregister(gc, &evg->watch); free(evg->vdev); + free(evg->be_ptr_path); free(evg); CTX_UNLOCK; Index: xen-4.4.4-testing/tools/libxl/libxl_internal.h =================================================================== --- xen-4.4.4-testing.orig/tools/libxl/libxl_internal.h +++ xen-4.4.4-testing/tools/libxl/libxl_internal.h @@ -257,7 +257,7 @@ struct libxl__evgen_disk_eject { uint32_t domid; LIBXL_LIST_ENTRY(libxl_evgen_disk_eject) entry; libxl_ev_user user; - char *vdev; + char *vdev, *be_ptr_path; }; _hidden void libxl__evdisable_disk_eject(libxl__gc*, libxl_evgen_disk_eject*);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor