Overview

File xsa178-0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch of Package xen.3242

References: bsc#979670 CVE-2016-4963 XSA-178

From 5399ab94a9224b4a826fd5c6a1b8b258292d1efd Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 29 Apr 2016 19:13:17 +0100
Subject: [PATCH 09/21] libxl: Do not trust backend for cdrom insert

Use the /libxl path where appropriate.  Rename `path' variable to
`be_path' to make sure we caught all the occurrences.

Specifically, when checking that the device still exists, check the
`frontend' value in /libxl, rather than anything in the backend
directory.

This is part of XSA-178.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
---
 tools/libxl/libxl.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

Index: xen-4.5.3-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.3-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.3-testing/tools/libxl/libxl.c
@@ -2860,7 +2860,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     libxl_domain_config d_config;
     int rc, dm_ver;
     libxl__device device;
-    const char *path, *libxl_path;
+    const char *be_path, *libxl_path;
     char * tmp;
     libxl__domain_userdata_lock *lock = NULL;
     xs_transaction_t t = XBT_NULL;
@@ -2927,7 +2927,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     rc = libxl__device_from_disk(gc, domid, disk, &device);
     if (rc) goto out;
 
-    path = libxl__device_backend_path(gc, &device);
+    be_path = libxl__device_backend_path(gc, &device);
     libxl_path = libxl__device_libxl_path(gc, &device);
 
     insert = flexarray_make(gc, 4, 1);
@@ -2967,19 +2967,19 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     for (;;) {
         rc = libxl__xs_transaction_start(gc, &t);
         if (rc) goto out;
-        /* Sanity check: make sure the backend exists before writing here */
-        tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
+        /* Sanity check: make sure the device exists before writing here */
+        tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
         if (!tmp)
         {
             LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
-                       libxl__sprintf(gc, "%s/frontend", path));
+                GCSPRINTF("%s/frontend", libxl_path));
             rc = ERROR_FAIL;
             goto out;
         }
 
         char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count);
 
-        rc = libxl__xs_writev(gc, t, path, kvs);
+        rc = libxl__xs_writev(gc, t, be_path, kvs);
         if (rc) goto out;
 
         rc = libxl__xs_writev(gc, t, libxl_path, kvs);
@@ -3003,12 +3003,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
     for (;;) {
         rc = libxl__xs_transaction_start(gc, &t);
         if (rc) goto out;
-        /* Sanity check: make sure the backend exists before writing here */
-        tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
+        /* Sanity check: make sure the device exists before writing here */
+        tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
         if (!tmp)
         {
             LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
-                       libxl__sprintf(gc, "%s/frontend", path));
+                GCSPRINTF("%s/frontend", libxl_path));
             rc = ERROR_FAIL;
             goto out;
         }
@@ -3018,7 +3018,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, u
 
         char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count);
 
-        rc = libxl__xs_writev(gc, t, path, kvs);
+        rc = libxl__xs_writev(gc, t, be_path, kvs);
         if (rc) goto out;
 
         rc = libxl__xs_writev(gc, t, libxl_path, kvs);
openSUSE Build Service is sponsored by
Places