File xsa175-0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch of Package xen.4507
References: bsc#979620 CVE-2016-4962 XSA-175 From c277f046e8d5c8413d6436685dbda75c5626d577 Mon Sep 17 00:00:00 2001 From: Ian Jackson <ian.jackson@eu.citrix.com> Date: Tue, 3 May 2016 15:58:32 +0100 Subject: [PATCH 07/12] libxl: Do not trust frontend for vtpm list libxl_device_vtpm_list needs to enumerate and identify devices without trusting frontend-controlled data. So * Use the /libxl path to enumerate vtpms. * Use the /libxl path to find the corresponding backends. * Parse the backend path to find the backend domid. This is part of XSA-175. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> --- tools/libxl/libxl.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) Index: xen-4.4.4-testing/tools/libxl/libxl.c =================================================================== --- xen-4.4.4-testing.orig/tools/libxl/libxl.c +++ xen-4.4.4-testing/tools/libxl/libxl.c @@ -1890,14 +1890,15 @@ libxl_device_vtpm *libxl_device_vtpm_lis GC_INIT(ctx); libxl_device_vtpm* vtpms = NULL; - char* fe_path = NULL; + char *libxl_path; char** dir = NULL; unsigned int ndirs = 0; + int rc; *num = 0; - fe_path = libxl__sprintf(gc, "%s/device/vtpm", libxl__xs_get_dompath(gc, domid)); - dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &ndirs); + libxl_path = GCSPRINTF("%s/device/vtpm", libxl__xs_libxl_path(gc, domid)); + dir = libxl__xs_directory(gc, XBT_NULL, libxl_path, &ndirs); if (dir && ndirs) { vtpms = malloc(sizeof(*vtpms) * ndirs); libxl_device_vtpm* vtpm; 
@@ -1906,16 +1907,15 @@ libxl_device_vtpm *libxl_device_vtpm_lis char* tmp; const char* be_path = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/%s/backend", - fe_path, *dir)); + libxl_path, *dir)); libxl_device_vtpm_init(vtpm); vtpm->devid = atoi(*dir); - tmp = libxl__xs_read(gc, XBT_NULL, - GCSPRINTF("%s/%s/backend-id", - fe_path, *dir)); - vtpm->backend_domid = atoi(tmp); + rc = libxl__backendpath_parse_domid(gc, be_path, + &vtpm->backend_domid); + if (rc) return NULL; tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path)); if (tmp) {
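Review bot: the new `libxl_path` assignment in the first hunk (@@ -1890,14 +1890,15 @@) carries no comment saying why enumeration goes through the /libxl tree rather than the domain's own dompath; that reasoning exists only in the commit message. A short comment above `libxl_path = GCSPRINTF("%s/device/vtpm", libxl__xs_libxl_path(gc, domid));` stating that frontend-controlled data must not be used to enumerate or identify devices would keep a later cleanup from switching the path back.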
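Review bot: the early exit `if (rc) return NULL;` in the second hunk (@@ -1906,16 +1907,15 @@) returns without releasing the `vtpms` array that the first hunk's context shows being allocated with malloc, and without undoing `GC_INIT(ctx)`. It also leaves `*num` at 0, so the caller cannot tell a parse failure from an empty list. In addition, `be_path` comes straight from `libxl__xs_read` and is handed to `libxl__backendpath_parse_domid` with no NULL check, although the `if (tmp)` test a few lines later shows that such reads are expected to be able to fail. Suggest checking `be_path` first and routing both failures through a single cleanup path that frees `vtpms` and the gc before returning NULL.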