File xsa175-0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch of Package xen.4507
References: bsc#979620 CVE-2016-4962 XSA-175
From d3e1c77a8ae7820e0906f324254b551995624ab5 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 29 Apr 2016 19:21:51 +0100
Subject: [PATCH 06/12] libxl: Do not trust frontend for disk in getinfo
* Rename the frontend variable to `fe_path' to check we caught them all
* Read the backend path from /libxl, rather than from the frontend
* Parse the backend domid from the backend path, rather than reading it
from the frontend (and add the appropriate error path and initialisation)
This is part of XSA-175.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
---
tools/libxl/libxl.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
Index: xen-4.4.4-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.4.4-testing.orig/tools/libxl/libxl.c
+++ xen-4.4.4-testing/tools/libxl/libxl.c
@@ -2460,27 +2460,34 @@ int libxl_device_disk_getinfo(libxl_ctx
libxl_device_disk *disk, libxl_diskinfo *diskinfo)
{
GC_INIT(ctx);
- char *dompath, *diskpath;
+ char *dompath, *fe_path, *libxl_path;
char *val;
+ int rc;
+
+ diskinfo->backend = NULL;
dompath = libxl__xs_get_dompath(gc, domid);
diskinfo->devid = libxl__device_disk_dev_number(disk->vdev, NULL, NULL);
/* tap devices entries in xenstore are written as vbd devices. */
- diskpath = libxl__sprintf(gc, "%s/device/vbd/%d", dompath, diskinfo->devid);
+ fe_path = GCSPRINTF("%s/device/vbd/%d", dompath, diskinfo->devid);
+ libxl_path = GCSPRINTF("%s/device/vbd/%d",
+ libxl__xs_libxl_path(gc, domid), diskinfo->devid);
diskinfo->backend = xs_read(ctx->xsh, XBT_NULL,
- libxl__sprintf(gc, "%s/backend", diskpath), NULL);
+ GCSPRINTF("%s/backend", libxl_path), NULL);
if (!diskinfo->backend) {
GC_FREE;
return ERROR_FAIL;
}
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", diskpath));
- diskinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", diskpath));
+ rc = libxl__backendpath_parse_domid(gc, diskinfo->backend,
+ &diskinfo->backend_id);
+ if (rc) goto out;
+
+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
diskinfo->state = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", diskpath));
+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/event-channel", fe_path));
diskinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
- val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/ring-ref", diskpath));
+ val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
diskinfo->rref = val ? strtoul(val, NULL, 10) : -1;
diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL);
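Review bot: The `state`, `event-channel` and `ring-ref` reads that stay on `fe_path` still come from the guest's frontend directory and are converted with `strtoul(val, NULL, 10)`, so non-numeric or out-of-range text written there is reported to the caller without any error. The commit seems to keep these deliberately as informational fields, since only the backend path and backend domid move to the `/libxl` copy, but nothing in the code says so. A comment above the first of these reads would record the trust boundary, for example `/* fe_path is guest-writable: state, evtch and rref are informational only and must not drive toolstack decisions */`. The part of the function between this hunk and the next is not visible here, so how `diskinfo->frontend` and any later fields are consumed cannot be checked from the diff.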
@@ -2489,6 +2496,10 @@ int libxl_device_disk_getinfo(libxl_ctx
GC_FREE;
return 0;
+
+ out:
+ free(diskinfo->backend);
+ return rc;
}
int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
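Review bot: The new `out:` path returns without `GC_FREE`, unlike the other two exits of this function visible in the diff. The gc set up by `GC_INIT(ctx)` and the strings built with `GCSPRINTF` are therefore presumably not released when `libxl__backendpath_parse_domid` fails. The path also leaves `diskinfo->backend` pointing at freed memory, so a caller that disposes of the diskinfo after an error return would free it a second time. I would write the path as `free(diskinfo->backend); diskinfo->backend = NULL;` followed by `GC_FREE;` before `return rc;`.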