From: Juergen Gross
To: xen-devel@lists.xenproject.org
Cc: Juergen Gross , Ian Jackson , Wei Liu
Subject: [PATCH v2] tools/xenstore: fix a use after free problem in xenstored
Date: Fri, 3 Apr 2020 14:03:40 +0200
Message-Id: <20200403120340.13406-1-jgross@suse.com>

Commit 562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object twice")
introduced a potential use after free problem in domain_cleanup(): after
calling talloc_unlink() for domain->conn, domain->conn is set to NULL. The
problem is that domain is registered as talloc child of domain->conn, so it
might be freed by the talloc_unlink() call.

With Xenstore being single threaded there are normally no concurrent memory
allocations running and freeing a virtual memory area normally doesn't result
in that area no longer being accessible. A problem could occur only in case
either a signal received results in some memory allocation done in the signal
handler (SIGHUP is a primary candidate leading to reopening the log file), or
in case the talloc framework would do some internal memory allocation during
freeing of the memory (which would lead to clobbering of the freed domain
structure).

Fixes: 562a1c0f7ef3fb ("tools/xenstore: dont unlink connection object twice")
Signed-off-by: Juergen Gross
Reviewed-by: Julien Grall
---
 tools/xenstore/xenstored_domain.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index baddaba5df..5858185211 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -214,6 +214,7 @@ static void domain_cleanup(void) { xc_dominfo_t dominfo; struct domain *domain; + struct connection *conn; int notify =3D 0; =20 again: @@ -230,8 +231,10 @@ static void domain_cleanup(void) continue; } if (domain->conn) { - talloc_unlink(talloc_autofree_context(), domain->conn); + /* domain is a talloc child of domain->conn. */ + conn =3D domain->conn; domain->conn =3D NULL; + talloc_unlink(talloc_autofree_context(), conn); notify =3D 0; /* destroy_domain() fires the watch */ goto again; } --=20 2.16.4
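Review bot: in the first hunk, the new `struct connection *conn;` is declared at function scope in domain_cleanup() but is only used inside the `if (domain->conn)` block of the second hunk; declaring it at the top of that block would keep its lifetime next to its single use. Style only, the logic is fine.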
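Review bot: in the second hunk the new comment `/* domain is a talloc child of domain->conn. */` states the relationship but not the rule that follows from it, which is that `domain` must not be dereferenced after `talloc_unlink(talloc_autofree_context(), conn);` because that call may free it; the hunk is correct only because the remaining statements, `notify = 0;` and `goto again;`, do not touch `domain`. Suggest extending the comment to make that explicit, e.g. `/* domain is a talloc child of domain->conn: the unlink below may free domain, so it must not be used afterwards. */`, so a later edit to this block does not reintroduce the use after free.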
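The ordering bug described in the commit message, shown as an added example that is not part of the patch or of Xen's code. It models the talloc parent/child relationship with a tiny stand-in allocator (`halloc`, `hfree`, `is_live`, `run_scenario` are all hypothetical names, and "unlink" is simplified to an unconditional free, ignoring talloc's reference counting): a domain object is allocated as a child of its connection object, and the two cleanup functions apply the pre-patch and post-patch orderings. Released objects are quarantined rather than returned to malloc, so the liveness check stands in for what AddressSanitizer would report without the example itself performing an invalid access.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_OBJS 16

/* Header shared by every hierarchical object (a stand-in for a talloc
   context, not libtalloc's real layout). */
struct hobj {
    struct hobj *parent;
    struct hobj *child;    /* first child */
    struct hobj *sibling;  /* next child of the same parent */
    bool live;
};

/* Every object ever allocated is recorded here so liveness can be checked
   without touching released memory.  Released objects are only marked dead
   (quarantined), never handed back to malloc, which keeps this demonstration
   free of undefined behaviour. */
static struct hobj *registry[MAX_OBJS];
static int nregistry;

static void *halloc(struct hobj *parent, size_t size)
{
    struct hobj *o = calloc(1, size);
    if (!o || nregistry == MAX_OBJS)
        abort();
    o->parent = parent;
    o->live = true;
    if (parent) {
        o->sibling = parent->child;
        parent->child = o;
    }
    registry[nregistry++] = o;
    return o;
}

/* talloc semantics in miniature: freeing a context frees all its children. */
static void hfree(struct hobj *o)
{
    for (struct hobj *c = o->child; c; c = c->sibling)
        hfree(c);
    o->child = NULL;
    o->live = false;
}

static bool is_live(const void *p)
{
    for (int i = 0; i < nregistry; i++)
        if (registry[i] == p)
            return registry[i]->live;
    return false;
}

static void registry_reset(void)
{
    for (int i = 0; i < nregistry; i++)
        free(registry[i]);
    nregistry = 0;
}

struct connection { struct hobj h; int id; };
/* The domain is allocated as a child of its connection, the relationship the
   commit message describes (hypothetical field layout). */
struct domain { struct hobj h; struct connection *conn; unsigned int domid; };

/* Ordering before the patch: unlink the connection, then clear the field.
   Because domain is a child of conn, the unlink has already released domain,
   so the store would land in freed memory. */
static bool cleanup_unfixed(struct domain *domain)
{
    hfree(&domain->conn->h);
    if (!is_live(domain))
        return false;   /* use-after-free detected; refuse to perform the store */
    domain->conn = NULL;
    return true;
}

/* Ordering after the patch: copy the pointer, clear the field while domain is
   still live, then unlink the connection and never touch domain again. */
static bool cleanup_fixed(struct domain *domain)
{
    struct connection *conn = domain->conn;
    if (!is_live(domain))
        return false;
    domain->conn = NULL;
    hfree(&conn->h);
    return true;
}

/* Build one connection with one domain hanging off it and run a cleanup.
   Returns true only if every store hit live memory and both objects are
   released afterwards. */
static bool run_scenario(bool fixed)
{
    registry_reset();
    struct connection *conn = halloc(NULL, sizeof(*conn));
    conn->id = 1;                                   /* constructed sample data */
    struct domain *domain = halloc(&conn->h, sizeof(*domain));
    domain->conn = conn;
    domain->domid = 7;
    bool ok = fixed ? cleanup_fixed(domain) : cleanup_unfixed(domain);
    return ok && !is_live(domain) && !is_live(conn);
}

int main(void)
{
    printf("pre-patch ordering safe:  %s\n", run_scenario(false) ? "yes" : "no");
    printf("post-patch ordering safe: %s\n", run_scenario(true) ? "yes" : "no");
    registry_reset();
    return 0;
}
```

Both orderings leave the domain released at the end; the only difference is whether the field was written before or after its memory went away, which is exactly why the bug is silent in a single-threaded process unless something reuses the freed block in between.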