From patchwork Fri Oct 27 16:32:15 2017
X-Patchwork-Submitter: "Wieczorkiewicz, Pawel"
X-Patchwork-Id: 10030325
From: Pawel Wieczorkiewicz
To:
Date: Fri, 27 Oct 2017 16:32:15 +0000
Message-ID: <1509121935-41889-1-git-send-email-wipawel@amazon.de>
Cc: jgross@suse.com, wei.liu2@citrix.com, julien.grall@linaro.org, ian.jackson@eu.citrix.com, mpohlack@amazon.de, Pawel Wieczorkiewicz, doebel@amazon.de
Subject: [Xen-devel] [PATCH] tools/xenstored: Check number of strings passed to do_control()
List-Id: Xen developer discussion

It is possible to send a zero-string message body to xenstore's XS_CONTROL handling function. Then the number of strings is used for an array allocation. This leads to a crash in strcmp() in a CONTROL sub-command invocation loop.

The output of xs_count_string() should be verified and all 0 or negative values should be rejected with an EINVAL. At least the sub-command name must be specified.

The xenstore crash can only be triggered from within dom0 (there is a check in do_control() rejecting all non-dom0 requests with an EACCES).

Testing: reproduced with the following command:

    python -c 'print 16*"\x00"' | nc -U $XENSTORED_RUNDIR/socket

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Martin Pohlack
Acked-by: Ian Jackson
Reviewed-by: Juergen Gross
Acked-by: Wei Liu
---
 tools/xenstore/xenstored_control.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index 7c14911..e4b8aa9 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -184,6 +184,8 @@ int do_control(struct connection *conn, struct buffered_data *in) return EACCES; num = xs_count_strings(in->buffer, in->used); + if (num < 1) + return EINVAL; vec = talloc_array(in, char *, num); if (!vec) return ENOMEM;
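Review bot: the new `num < 1` check is placed at the right point in do_control(), directly after `num = xs_count_strings(in->buffer, in->used);` and before `vec = talloc_array(in, char *, num);`, so a zero-string body is rejected before a zero-length vector is allocated and later indexed at vec[0] by the sub-command lookup the commit message describes; writing it as `< 1` rather than `== 0` also covers the negative case the commit message mentions, whatever type `num` has. A one-line comment above the check saying that at least the sub-command name is required would make this EINVAL self-explanatory to the next reader of the function, and the commit message's `xs_count_string()` should be aligned with the `xs_count_strings()` call actually made in the hunk.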
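To make the failure mode and the fix concrete, here is an added C example that is not xenstored's own code: a counter for the NUL-separated strings of an XS_CONTROL body and a dispatcher shaped like do_control() that applies the patch's `num < 1` check before allocating and indexing the string vector. The names `count_strings`, `control_dispatch`, `cmd_check` and the `cmds` table are assumptions for illustration; the patch's zero-string body corresponds to `len == 0` here.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Count the NUL-terminated strings packed in buf[0..len): the XS_CONTROL body
 * layout, sub-command name first. An empty body yields 0. Constructed to
 * mirror xenstore's counter, but bounded with memchr(). */
unsigned int count_strings(const char *buf, unsigned int len)
{
	unsigned int num = 0;
	const char *p = buf, *end = buf + len;
	while (p < end) {
		const char *nul = memchr(p, '\0', end - p);
		num++;
		p = nul ? nul + 1 : end;   /* an unterminated tail counts as one string */
	}
	return num;
}

/* Hypothetical sub-command handler and command table (assumed names). */
static int cmd_check(char **args, unsigned int nargs) { (void)args; (void)nargs; return 0; }
static const struct { const char *name; int (*func)(char **, unsigned int); } cmds[] = {
	{ "check", cmd_check },
};

/* Dispatcher shaped like do_control(): returns 0 or an errno value. */
int control_dispatch(const char *body, unsigned int len)
{
	unsigned int num, i;
	const char *p;
	char **vec;
	int ret = EINVAL;
	num = count_strings(body, len);
	/* The patch's check: with num == 0 the vector below would be empty and the
	 * vec[0] lookup would read past it (the strcmp() crash). */
	if (num < 1)
		return EINVAL;
	if (body[len - 1] != '\0')        /* added so strlen() below stays in bounds */
		return EINVAL;
	vec = calloc(num, sizeof(*vec));
	if (!vec)
		return ENOMEM;
	for (p = body, i = 0; i < num; i++, p += strlen(p) + 1)
		vec[i] = (char *)p;           /* slot i points at string i */
	for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++)
		if (strcmp(vec[0], cmds[i].name) == 0) {
			ret = cmds[i].func(vec + 1, num - 1);
			break;
		}
	free(vec);
	return ret;
}
```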