Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
xen.5854
xsa175-0006-libxl-Do-not-trust-frontend-for-dis...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa175-0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch of Package xen.5854
References: bsc#979620 CVE-2016-4962 XSA-175 From d3e1c77a8ae7820e0906f324254b551995624ab5 Mon Sep 17 00:00:00 2001 From: Ian Jackson <ian.jackson@eu.citrix.com> Date: Fri, 29 Apr 2016 19:21:51 +0100 Subject: [PATCH 06/12] libxl: Do not trust frontend for disk in getinfo * Rename the frontend variable to `fe_path' to check we caught them all * Read the backend path from /libxl, rather than from the frontend * Parse the backend domid from the backend path, rather than reading it from the frontend (and add the appropriate error path and initialisation) This is part of XSA-175. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> --- tools/libxl/libxl.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) Index: xen-4.4.4-testing/tools/libxl/libxl.c =================================================================== --- xen-4.4.4-testing.orig/tools/libxl/libxl.c +++ xen-4.4.4-testing/tools/libxl/libxl.c @@ -2460,27 +2460,34 @@ int libxl_device_disk_getinfo(libxl_ctx libxl_device_disk *disk, libxl_diskinfo *diskinfo) { GC_INIT(ctx); - char *dompath, *diskpath; + char *dompath, *fe_path, *libxl_path; char *val; + int rc; + + diskinfo->backend = NULL; dompath = libxl__xs_get_dompath(gc, domid); diskinfo->devid = libxl__device_disk_dev_number(disk->vdev, NULL, NULL); /* tap devices entries in xenstore are written as vbd devices. */ - diskpath = libxl__sprintf(gc, "%s/device/vbd/%d", dompath, diskinfo->devid); + fe_path = GCSPRINTF("%s/device/vbd/%d", dompath, diskinfo->devid); + libxl_path = GCSPRINTF("%s/device/vbd/%d", + libxl__xs_libxl_path(gc, domid), diskinfo->devid); diskinfo->backend = xs_read(ctx->xsh, XBT_NULL, - libxl__sprintf(gc, "%s/backend", diskpath), NULL); + GCSPRINTF("%s/backend", libxl_path), NULL); if (!diskinfo->backend) { GC_FREE; return ERROR_FAIL; } - val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", diskpath)); - diskinfo->backend_id = val ? strtoul(val, NULL, 10) : -1; - val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", diskpath)); + rc = libxl__backendpath_parse_domid(gc, diskinfo->backend, + &diskinfo->backend_id); + if (rc) goto out; + + val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path)); diskinfo->state = val ? strtoul(val, NULL, 10) : -1; - val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", diskpath)); + val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/event-channel", fe_path)); diskinfo->evtch = val ? strtoul(val, NULL, 10) : -1; - val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/ring-ref", diskpath)); + val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path)); diskinfo->rref = val ? strtoul(val, NULL, 10) : -1; diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL, libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL); @@ -2489,6 +2496,10 @@ int libxl_device_disk_getinfo(libxl_ctx GC_FREE; return 0; + + out: + free(diskinfo->backend); + return rc; } int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor