File xsa421-01.patch of Package xen.30827

Overview Repositories Revisions Requests Users Attributes Meta

File xsa421-01.patch of Package xen.30827

From 246d8db540f08470c2f8789a8440173028c85b38 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Tue, 13 Sep 2022 07:35:13 +0200
Subject: tools/xenstore: fix deleting node in transaction

In case a node has been created in a transaction and it is later
deleted in the same transaction, the transaction will be terminated
with an error.

As this error is encountered only when handling the deleted node at
transaction finalization, the transaction will have been performed
partially and without updating the accounting information. This will
enable a malicious guest to create arbitrary number of nodes.

This is part of XSA-421 / CVE-2022-42325.

Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>

--- a/tools/xenstore/xenstored_transaction.c
+++ b/tools/xenstore/xenstored_transaction.c
@@ -424,7 +424,13 @@ static int finalize_transaction(struct c
 						   true);
 				talloc_free(data.dptr);
 			} else {
-				ret = do_tdb_delete(conn, &key, NULL);
+				/*
+				 * A node having been created and later deleted
+				 * in this transaction will have no generation
+				 * information stored.
+				 */
+				ret = (i->generation == NO_GENERATION)
+				      ? 0 : do_tdb_delete(conn, &key, NULL);
 			}
 			if (ret)
 				goto err;

Places

File xsa421-01.patch of Package xen.30827

Places