From patchwork Wed Jun 8 14:56:36 2016
X-Patchwork-Submitter: Ian Jackson
X-Patchwork-Id: 9164993
From: Ian Jackson
Date: Wed, 8 Jun 2016 15:56:36 +0100
Message-ID: <1465397796-652-1-git-send-email-ian.jackson@eu.citrix.com>
Cc: Wei Liu, Ian Jackson, security@xenproject.org, Jan Beulich
Subject: [Xen-devel] [PATCH] libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename

In "libxl: Do not trust backend for disk eject vdev" (c69871a2fb26 on
xen.git#staging) we changed libxl_evenable_disk_eject to read the
device vdev out of xenstore from the /libxl path, rather than the
backend path, and to read it during setup rather than on each event.

However, the patch has a mistake:

-    GCSPRINTF("%s/dev", backend), NULL);
+    GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
                   ^
Spot the extra "v".

This causes configured_vdev always to be NULL.

configured_vdev is passed to [libxl__]strdup.

In Xen 4.6 and later libxl__strdup is used and tolerates NULL.
evg->vdev is set to NULL. This propagates to the `vdev' field in the
generated event. This may or may not cause further trouble, depending
on the calling application. In our osstest test cases it does not
cause any trouble, so the bug goes undetected.

In Xen 4.5 and earlier, the strdup does not tolerate NULL, and libxl
crashes immediately. This has been detected by osstest as a
regression in Xen 4.5.

IMO this patch should be applied immediately to
  xen.git#staging-4.5 (to check that it fixes the osstest regression)
  xen.git#staging (to check that it does not break master)

Subject to passes, it should then be propagated to all supported
stable trees and also be mentioned in an update to XSA-178.

Signed-off-by: Ian Jackson CC: security@xenproject.org CC: Jan Beulich CC: Wei Liu Reviewed-by: Wei Liu --- tools/libxl/libxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c index 006b83f..7584966 100644 --- a/tools/libxl/libxl.c +++ b/tools/libxl/libxl.c @@ -1399,7 +1399,7 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid, const char *configured_vdev; rc = libxl__xs_read_checked(gc, XBT_NULL, - GCSPRINTF("%s/vdev", libxl_path), &configured_vdev); + GCSPRINTF("%s/dev", libxl_path), &configured_vdev); if (rc) goto out; evg->vdev = libxl__strdup(NOGC, configured_vdev);
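
Review bot: the lines after the corrected read still go straight from "if (rc) goto out;" to "evg->vdev = libxl__strdup(NOGC, configured_vdev);" with no check that configured_vdev is non-NULL. The commit message shows that a missing node leaves rc at 0 with configured_vdev NULL, and that the strdup in Xen 4.5 and earlier crashes on it, so a "dev" node that is absent for any other reason would hit the same path. Suggest an explicit check between those two lines, for example "if (!configured_vdev) { rc = ERROR_FAIL; goto out; }", plus a log line naming the path that was read, so a missing node fails the setup cleanly on every branch.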
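
The failure mode described in the commit message, as an added C model (not libxl code and not part of the patch): a "checked" read that treats a missing node as success with a NULL result, and a caller that turns that NULL into an error before copying. The names model_read_checked and model_setup_vdev and the sample nodes are hypothetical.

```c
/* Added illustration: a model of the lookup, not libxl code. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of the nodes under a disk's /libxl path. */
struct node { const char *key, *val; };
static const struct node sample_nodes[] = {
    { "backend", "/local/domain/0/backend/vbd/1/51712" },
    { "dev", "xvda" },
};

/* Model of a "checked" read: a missing node is NOT an error.
 * Returns 0 and sets *out to NULL when the key is absent. */
static int model_read_checked(const char *key, const char **out)
{
    *out = NULL;
    for (size_t i = 0; i < sizeof sample_nodes / sizeof sample_nodes[0]; i++)
        if (!strcmp(sample_nodes[i].key, key))
            *out = sample_nodes[i].val;
    return 0;
}

/* Hardened caller: rc == 0 alone does not prove the node existed, so
 * the NULL case becomes an error before the string is copied.
 * Returns 0 with a malloc'd copy in *vdev_out, or -1 if the node is absent. */
static int model_setup_vdev(const char *nodename, char **vdev_out)
{
    const char *configured_vdev;
    int rc = model_read_checked(nodename, &configured_vdev);

    *vdev_out = NULL;
    if (rc) return rc;
    if (!configured_vdev) return -1;   /* missing node: fail cleanly */
    size_t n = strlen(configured_vdev) + 1;
    *vdev_out = malloc(n);
    if (!*vdev_out) return -1;
    memcpy(*vdev_out, configured_vdev, n);
    return 0;
}

int main(void)
{
    char *v;
    int bad = model_setup_vdev("vdev", &v);   /* misspelt node name */
    int good = model_setup_vdev("dev", &v);   /* correct node name */
    free(v);
    return !(bad == -1 && good == 0);
}
```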