From nobody Mon Feb 9 12:29:37 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1610751169; cv=none; d=zohomail.com; s=zohoarc; b=Mb0yTXYnxC6k4sCjF0u0gtSOs2zaoI2o+LufeK14BZowNP4Y66a5gmpXLeEpF2KKqKmRNiztaVwQtr+oOJpPn55H1jA1uNjrX7blmeX5JjmVK4rblbW4L0ng3qfBlCXjUSudfY4LyDVW8L3gCPdG4WD5sEXX3X3BOd1ighGTKiw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1610751169; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=P1kWT4LejG00vRtq8/nO3Dyp2zUg7zp6Cj7l4OWA8BQ=; b=mcgb4iVMpD/EjD9ol93P+PFQR65TU1TlgB9h56Ki/nKoNgtRg7LJceJ4rXov+m5IHXu2rsg88DxjKi4a8JVK/IgqpNtHABe+JX1v1/LTRseigiJYX4HzqNyrFx3dpQ6ny8r75xw9XctU0a7fLlzaywcLt86CfVJgdVM7//EFKn8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1610751169357736.2691311517355; Fri, 15 Jan 2021 14:52:49 -0800 (PST) Received: from list by lists.xenproject.org with outflank-mailman.68724.123104 (Exim 4.92) (envelope-from ) id 1l0XxK-0001cM-Cq; Fri, 15 Jan 2021 22:52:34 +0000 Received: by outflank-mailman (output) from mailman id 
68724.123104; Fri, 15 Jan 2021 22:52:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1l0XxK-0001cA-9Z; Fri, 15 Jan 2021 22:52:34 +0000 Received: by outflank-mailman (input) for mailman id 68724; Fri, 15 Jan 2021 22:52:33 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1l0XxI-0001Wj-Uw for xen-devel@lists.xenproject.org; Fri, 15 Jan 2021 22:52:32 +0000 Received: from esa2.hc3370-68.iphmx.com (unknown [216.71.145.153]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 1366477a-b333-4dbf-9fcb-4f25fa92549d; Fri, 15 Jan 2021 22:52:27 +0000 (UTC) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 1366477a-b333-4dbf-9fcb-4f25fa92549d DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1610751147; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=+OLxkWnJxNPmZrvNFRL0MUtN+MtApJbP2A5WxD+DnyM=; b=a+t0ffsA7VIZqI/z4eElpcbh9GUtyggG7NnL0k7xm597ZqSw+YL367pn s7LjtWfTDhjhBHz+6TCW/oNLpfwSAN0TW6NK4O1PNdpzredbDdKRavrai CQ+6kV8K7/fk2sTto3MDnI0Gs0aYAky+sct1cSAbrdMlPbAVbIDFCQ3bU 4=; Authentication-Results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none IronPort-SDR: V53lsOBJVkj3wb96l9yOL6SkECcF2upuHaHmTNxngYM3/flR16vvt099LsvoxFo/BD+Q+PFI7a TadbGOW8pJCyvIsyg0yvPsBZc8mA7RMmDKQBI366IIvLma9VvtzuB7tbZeqkxwwF550zwg7W1f 5O+iufqIUeysATXV7nVDbW2MIjrcyNEy2kef8/cgiQNasTj43U7Pu/n/yMMWONDPMJ7gEpVxDU 0wIg5zVr0nHClzSxJqSWOBuDyBwioKHtJP107nxlUD6TbQKDDPRhjlHm64nxl8cmwyE24fU/T7 2Ak= X-SBRS: 5.1 X-MesageID: 35263547 X-Ironport-Server: esa2.hc3370-68.iphmx.com 
X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.79,350,1602561600"; d="scan'208";a="35263547" 
From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= To: CC: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= , "Christian Lindig" , David Scott , "Ian Jackson" , Wei Liu Subject: [PATCH v2 1/2] tools/ocaml/xenstored: trim txhistory on xenbus reconnect Date: Fri, 15 Jan 2021 22:28:52 +0000 Message-ID: <08cd2d0b9af30f544ab63476b8f7d02d2f9c3fd8.1610748224.git.edvin.torok@citrix.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @citrix.com) There is a global history, containing transactions from the past 0.05s, which get trimmed whenever any transaction commits or aborts. Destroying a domain will cause xenopsd to perform some transactions deleting the tree, so that is fine. But I think that a domain can abuse the xenbus reconnect facility to cause a large history to be recorded - provided that no one does any transactions on the system in between, which may be difficult to achieve given squeezed's constant pinging. The theoretical situation is like this: - a domain starts a transaction, creates as large a tree as it can, commits it. Then repeatedly: - start a transaction, do nothing with it, start a transaction, delete part of the large tree, write some new unique data there, don't commit - cause a xenbus reconnect (I think this can be done by writing something to the ring). This causes all transactions/watches for the connection to be cleared, but NOT the history, there were no commits, so nobody trimmed the history, i.e. the history can contain transactions from more than just 0.05s - loop back and start more transactions, you can keep this up indefinitely without hitting quotas Now there is a periodic History.trim running every 0.05s, so I don't think you can do much damage with it. But let's be safe and trim the transaction history anyway on reconnect. 
Signed-off-by: Edwin T=C3=B6r=C3=B6k
---
Changed since V1: * post publicly now that the XSA is out (not a security issue)
---
 tools/ocaml/xenstored/connection.ml | 2 +-
 tools/ocaml/xenstored/history.ml | 4 ++++
 tools/ocaml/xenstored/process.ml | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/co= nnection.ml
index eb23c3af7a..1cf24beafd 100644
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -47,7 +47,7 @@ let mark_as_bad con =3D
=20
 let initial_next_tid =3D 1
=20
-let reconnect con =3D
+let do_reconnect con =3D
 Xenbus.Xb.reconnect con.xb;
 (* dom is the same *)
 Hashtbl.clear con.transactions;
diff --git a/tools/ocaml/xenstored/history.ml b/tools/ocaml/xenstored/histo= ry.ml
index f39565bff5..3899353da8 100644
--- a/tools/ocaml/xenstored/history.ml
+++ b/tools/ocaml/xenstored/history.ml
@@ -53,6 +53,10 @@ let end_transaction txn con tid commit =3D
 trim ~txn ();
 success
=20
+let reconnect con =3D
+ trim ();
+ Connection.do_reconnect con
+
 let push (x: history_record) =3D
 let dom =3D x.con.Connection.dom in
 match dom with
diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/proce= ss.ml
index dd50456ad5..da8e9cdb26 100644
--- a/tools/ocaml/xenstored/process.ml
+++ b/tools/ocaml/xenstored/process.ml
@@ -705,7 +705,7 @@ let do_input store cons doms con =3D
 Connection.do_input con
 with Xenbus.Xb.Reconnect ->
 info "%s requests a reconnect" (Connection.get_domstr con);
- Connection.reconnect con;
+ History.reconnect con;
 info "%s reconnection complete" (Connection.get_domstr con);
 false
 | Failure exp ->
@@ -744,7 +744,7 @@ let do_output _store _cons _doms con =3D
 ignore (Connection.do_output con)
 with Xenbus.Xb.Reconnect ->
 info "%s requests a reconnect" (Connection.get_domstr con);
- Connection.reconnect con;
+ History.reconnect con;
 info "%s reconnection complete" (Connection.get_domstr con)
 )
=20
--=20
2.29.2
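Review bot: The renamed `do_reconnect` in connection.ml has no comment telling callers to go through `History.reconnect`, so a later caller can still invoke it directly and skip the history trim. A comment above the definition would record the contract, for example `(* Do not call directly: use History.reconnect, which trims the transaction history before resetting the connection. *)`. The function body continues past the end of the hunk, so whatever else it resets is not visible here.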
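Review bot: In the new `History.reconnect`, `trim ()` runs before `Connection.do_reconnect con`, that is, before `Hashtbl.clear con.transactions` drops the reconnecting connection's open transactions. The body of `trim` is outside the hunk, so this is a question and not a finding: if `trim` decides which records to keep from the transactions that are still open, the history held by this connection's uncommitted transactions could survive the call and only be dropped by the next periodic trim. If that is the case, `Connection.do_reconnect con; trim ()` would address it; either way a short comment on `reconnect` should state why the order is correct, and why the wrapper lives in History rather than Connection.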