File xsa175-0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch of Package xen.7673
References: bsc#979620 CVE-2016-4962 XSA-175
From d36cdc6238506f65ca9ce2bb008c61e45dbcb9d0 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Tue, 3 May 2016 16:00:20 +0100
Subject: [PATCH 08/12] libxl: Do not trust frontend for vtpm in getinfo
libxl_device_vtpm_getinfo needs to examine devices without trusting
frontend-controlled data. So:
* Use /libxl to find the backend path.
* Parse the backend path to find the backend domid, rather than
reading it from the frontend.
This is part of XSA-175.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
---
tools/libxl/libxl.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
Index: xen-4.4.4-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.4.4-testing.orig/tools/libxl/libxl.c
+++ xen-4.4.4-testing/tools/libxl/libxl.c
@@ -1939,7 +1939,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx
libxl_vtpminfo *vtpminfo)
{
GC_INIT(ctx);
- char *dompath, *vtpmpath;
+ char *libxl_path, *dompath, *vtpmpath;
char *val;
int rc = 0;
@@ -1948,8 +1948,10 @@ int libxl_device_vtpm_getinfo(libxl_ctx
vtpminfo->devid = vtpm->devid;
vtpmpath = GCSPRINTF("%s/device/vtpm/%d", dompath, vtpminfo->devid);
+ libxl_path = GCSPRINTF("%s/device/vtpm/%d",
+ libxl__xs_libxl_path(gc, domid), vtpminfo->devid);
vtpminfo->backend = xs_read(ctx->xsh, XBT_NULL,
- GCSPRINTF("%s/backend", vtpmpath), NULL);
+ GCSPRINTF("%s/backend", libxl_path), NULL);
if (!vtpminfo->backend) {
goto err;
}
@@ -1957,9 +1959,9 @@ int libxl_device_vtpm_getinfo(libxl_ctx
goto err;
}
- val = libxl__xs_read(gc, XBT_NULL,
- GCSPRINTF("%s/backend-id", vtpmpath));
- vtpminfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
+ rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
+ &vtpminfo->backend_id);
+ if (rc) goto exit;
val = libxl__xs_read(gc, XBT_NULL,
GCSPRINTF("%s/state", vtpmpath));
