File 5e876b0f-tools-xenstore-fix-a-use-after-free-problem-in-xenstored.patch of Package xen.27500
Subject: tools/xenstore: fix a use after free problem in xenstored From: Juergen Gross jgross@suse.com Fri Apr 3 13:03:40 2020 +0100 Date: Tue May 5 15:36:20 2020 +0100: Git: 93cc305d1f3e7c6949a8f4116446624fa2dbfdf4 Commit 562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object twice") introduced a potential use after free problem in domain_cleanup(): after calling talloc_unlink() for domain->conn domain->conn is set to NULL. The problem is that domain is registered as talloc child of domain->conn, so it might be freed by the talloc_unlink() call. With Xenstore being single threaded there are normally no concurrent memory allocations running and freeing a virtual memory area normally doesn't result in that area no longer being accessible. A problem could occur only in case either a signal received results in some memory allocation done in the signal handler (SIGHUP is a primary candidate leading to reopening the log file), or in case the talloc framework would do some internal memory allocation during freeing of the memory (which would lead to clobbering of the freed domain structure). Fixes: 562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object twice") Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Julien Grall <jgrall@amazon.com> (cherry picked from commit bb2a34fd740e9a26be9e2244f1a5b4cef439e5a8) (cherry picked from commit dc5176d0f9434e275e0be1df8d0518e243798beb) (cherry picked from commit a997ffe678e698ff2b4c89ae5a98661d12247fef) (cherry picked from commit 48e8564435aca590f1c292ab7bb1f3dbc6b75693) (cherry picked from commit 1e722e6971539eab4f484affd60490cbc8429951) --- xen-4.7.6-testing.orig/tools/xenstore/xenstored_domain.c +++ xen-4.7.6-testing/tools/xenstore/xenstored_domain.c @@ -240,6 +240,7 @@ static void domain_cleanup(void) { xc_dominfo_t dominfo; struct domain *domain; + struct connection *conn; int notify = 0; bool dom_valid; 
@@ -263,8 +264,10 @@ static void domain_cleanup(void) continue; } if (domain->conn) { - talloc_unlink(talloc_autofree_context(), domain->conn); + /* domain is a talloc child of domain->conn. */ + conn = domain->conn; domain->conn = NULL; + talloc_unlink(talloc_autofree_context(), conn); notify = 0; /* destroy_domain() fires the watch */ goto again; }
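Review bot: In the first hunk, `struct connection *conn;` is declared at function scope of domain_cleanup() although it is only assigned and used inside the `if (domain->conn)` block of the second hunk; declaring it inside that block would keep the temporary next to its single use and make it obvious that it never carries a value across loop iterations (`goto again` restarts the walk). Keeping it at the top is acceptable if that is the file's convention, but then a short comment on the declaration saying it only holds the connection pointer across the unlink would help the next reader.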
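Review bot: In the second hunk the ordering is now correct (save `domain->conn`, clear it, then `talloc_unlink(talloc_autofree_context(), conn)`), but the new comment `/* domain is a talloc child of domain->conn. */` states the relationship without stating the consequence; it should say explicitly that `domain` may be freed by the talloc_unlink() call and must not be dereferenced afterwards, since that invariant is the whole point of the reorder and nothing in the code enforces it. The lines that follow (`notify = 0;` and `goto again;`) are safe because neither touches `domain`, and the restart of the list walk is what avoids using the stale pointer, so it would be worth noting that any future statement added between the unlink and `goto again` must not use `domain`.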