Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
xen.5854
xsa178-0007-libxl-Do-not-trust-backend-for-disk...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa178-0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch of Package xen.5854
References: bsc#979670 CVE-2016-4963 XSA-178 From 7f08021df653dbc44898c70eacff143363d8cc5d Mon Sep 17 00:00:00 2001 From: Ian Jackson <ian.jackson@eu.citrix.com> Date: Fri, 29 Apr 2016 18:29:45 +0100 Subject: [PATCH 07/21] libxl: Do not trust backend for disk; fix driver domain disks list Rework libxl__device_disk_from_xs_be (which takes a backend path) into to libxl__device_disk_from_xenstore (which takes a libxl path). libxl__device_disk_from_xenstore now finds the backend path itself, although it doesn't use it any more for most of its functions. We rename the variable from be_path to backend_path to make sure we didn't miss any cases. All the data collection is now done by reading from the copy in /libxl. libxl_device_disk_list and its helper libxl__append_disk_list (which used to be libxl__append_disk_list_of_type) need extensive rework, because they now need to specify the /libxl path rather than the backend path. To do that they enumerate disks by looking in the appropriate area in /libxl. Previously they scanned various of the backend directories in dom0 (which was broken for driver domains). It is no longer necessary to enumerate the various disk backends, because they all use the same paths in /devices. libxl__device_disk_from_xenstore will parse the type out of the backend path, for itself. (Indeed, it did so before - the now-gone type parameter to libxl__append_disk_list_of_type wasn't used other than to construct the directory to list.) Finally, remove a redundant store to pdisk->backend_domid in libxl__append_disk_list[_of_type]. Even before this commit, that store was not needed because libxl_device_disk_init (called by libxl__device_disk_from_xenstore) would zero it. Now it overwrites the correct backend domid with zero; so remove it. This is part of XSA-178. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> --- v2: Also fix up COLO reads, following rebase --- tools/libxl/libxl.c | 94 +++++++++++++++++++++++++++-------------------------- 1 file changed, 48 insertions(+), 46 deletions(-) Index: xen-4.4.4-testing/tools/libxl/libxl.c =================================================================== --- xen-4.4.4-testing.orig/tools/libxl/libxl.c +++ xen-4.4.4-testing/tools/libxl/libxl.c @@ -2287,8 +2287,8 @@ void libxl__device_disk_add(libxl__egc * device_disk_add(egc, domid, disk, aodev, NULL, NULL); } -static int libxl__device_disk_from_xs_be(libxl__gc *gc, - const char *be_path, +static int libxl__device_disk_from_xenstore(libxl__gc *gc, + const char *libxl_path, libxl_device_disk *disk) { libxl_ctx *ctx = libxl__gc_owner(gc); @@ -2298,15 +2298,27 @@ static int libxl__device_disk_from_xs_be libxl_device_disk_init(disk); - rc = sscanf(be_path, "/local/domain/%d/", &disk->backend_domid); + const char *backend_path; + rc = libxl__xs_read_checked(gc, XBT_NULL, + GCSPRINTF("%s/backend", libxl_path), + &backend_path); + if (rc) goto out; + + if (!backend_path) { + LOG(ERROR, "disk %s does not exist (no backend path", libxl_path); + rc = ERROR_FAIL; + goto out; + } + + rc = sscanf(backend_path, "/local/domain/%d/", &disk->backend_domid); if (rc != 1) { - LOG(ERROR, "Unable to fetch device backend domid from %s", be_path); + LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path); goto cleanup; } /* "params" may not be present; but everything else must be. */ tmp = xs_read(ctx->xsh, XBT_NULL, - libxl__sprintf(gc, "%s/params", be_path), &len); + GCSPRINTF("%s/params", libxl_path), &len); if (tmp && strchr(tmp, ':')) { disk->pdev_path = strdup(strchr(tmp, ':') + 1); free(tmp); @@ -2316,31 +2328,31 @@ static int libxl__device_disk_from_xs_be tmp = libxl__xs_read(gc, XBT_NULL, - libxl__sprintf(gc, "%s/type", be_path)); + GCSPRINTF("%s/type", libxl_path)); if (!tmp) { - LOG(ERROR, "Missing xenstore node %s/type", be_path); + LOG(ERROR, "Missing xenstore node %s/type", libxl_path); goto cleanup; } libxl_string_to_backend(ctx, tmp, &(disk->backend)); disk->vdev = xs_read(ctx->xsh, XBT_NULL, - libxl__sprintf(gc, "%s/dev", be_path), &len); + GCSPRINTF("%s/dev", libxl_path), &len); if (!disk->vdev) { - LOG(ERROR, "Missing xenstore node %s/dev", be_path); + LOG(ERROR, "Missing xenstore node %s/dev", libxl_path); goto cleanup; } tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf - (gc, "%s/removable", be_path)); + (gc, "%s/removable", libxl_path)); if (!tmp) { - LOG(ERROR, "Missing xenstore node %s/removable", be_path); + LOG(ERROR, "Missing xenstore node %s/removable", libxl_path); goto cleanup; } disk->removable = atoi(tmp); - tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", be_path)); + tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/mode", libxl_path)); if (!tmp) { - LOG(ERROR, "Missing xenstore node %s/mode", be_path); + LOG(ERROR, "Missing xenstore node %s/mode", libxl_path); goto cleanup; } if (!strcmp(tmp, "w")) @@ -2349,9 +2361,9 @@ static int libxl__device_disk_from_xs_be disk->readwrite = 0; tmp = libxl__xs_read(gc, XBT_NULL, - libxl__sprintf(gc, "%s/device-type", be_path)); + libxl__sprintf(gc, "%s/device-type", libxl_path)); if (!tmp) { - LOG(ERROR, "Missing xenstore node %s/device-type", be_path); + LOG(ERROR, "Missing xenstore node %s/device-type", libxl_path); goto cleanup; } disk->is_cdrom = !strcmp(tmp, "cdrom"); @@ -2360,15 +2372,17 @@ static int libxl__device_disk_from_xs_be return 0; cleanup: + rc = ERROR_FAIL; + out: libxl_device_disk_dispose(disk); - return ERROR_FAIL; + return rc; } int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid, const char *vdev, libxl_device_disk *disk) { GC_INIT(ctx); - char *dompath, *path; + char *dom_xl_path, *libxl_path; int devid = libxl__device_disk_dev_number(vdev, NULL, NULL); int rc = ERROR_FAIL; @@ -2377,39 +2391,34 @@ int libxl_vdev_to_device_disk(libxl_ctx libxl_device_disk_init(disk); - dompath = libxl__xs_get_dompath(gc, domid); - if (!dompath) { + dom_xl_path = libxl__xs_libxl_path(gc, domid); + if (!dom_xl_path) { goto out; } - path = libxl__xs_read(gc, XBT_NULL, - libxl__sprintf(gc, "%s/device/vbd/%d/backend", - dompath, devid)); - if (!path) - goto out; + libxl_path = GCSPRINTF("%s/device/vbd/%d", dom_xl_path, devid); - rc = libxl__device_disk_from_xs_be(gc, path, disk); + rc = libxl__device_disk_from_xenstore(gc, libxl_path, disk); out: GC_FREE; return rc; } -static int libxl__append_disk_list_of_type(libxl__gc *gc, +static int libxl__append_disk_list(libxl__gc *gc, uint32_t domid, - const char *type, libxl_device_disk **disks, int *ndisks) { - char *be_path = NULL; + char *libxl_dir_path = NULL; char **dir = NULL; unsigned int n = 0; libxl_device_disk *pdisk = NULL, *pdisk_end = NULL; int rc=0; int initial_disks = *ndisks; - be_path = libxl__sprintf(gc, "%s/backend/%s/%d", - libxl__xs_get_dompath(gc, 0), type, domid); - dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n); + libxl_dir_path = GCSPRINTF("%s/device/vbd", + libxl__xs_libxl_path(gc, domid)); + dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n); if (dir && n) { libxl_device_disk *tmp; tmp = realloc(*disks, sizeof (libxl_device_disk) * (*ndisks + n)); @@ -2420,10 +2429,9 @@ static int libxl__append_disk_list_of_ty pdisk_end = *disks + initial_disks + n; for (; pdisk < pdisk_end; pdisk++, dir++) { const char *p; - p = libxl__sprintf(gc, "%s/%s", be_path, *dir); - if ((rc=libxl__device_disk_from_xs_be(gc, p, pdisk))) + p = GCSPRINTF("%s/%s", libxl_dir_path, *dir); + if ((rc=libxl__device_disk_from_xenstore(gc, p, pdisk))) goto out; - pdisk->backend_domid = 0; *ndisks += 1; } } @@ -2439,13 +2447,7 @@ libxl_device_disk *libxl_device_disk_lis *num = 0; - rc = libxl__append_disk_list_of_type(gc, domid, "vbd", &disks, num); - if (rc) goto out_err; - - rc = libxl__append_disk_list_of_type(gc, domid, "tap", &disks, num); - if (rc) goto out_err; - - rc = libxl__append_disk_list_of_type(gc, domid, "qdisk", &disks, num); + rc = libxl__append_disk_list(gc, domid, &disks, num); if (rc) goto out_err; GC_FREE;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor