From: Juergen Gross
To: xen-devel@lists.xenproject.org
Cc: Juergen Gross, Ian Jackson, Wei Liu, Paul Durrant, Julien Grall
Subject: [PATCH] tools/xenstore: rework path length check
Date: Tue, 15 Dec 2020 16:04:11 +0100
Message-Id: <20201215150411.9987-1-jgross@suse.com>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @suse.com)
Content-Type: text/plain; charset="utf-8"

The different fixed limits for absolute and relative path lengths of Xenstore nodes make it possible to create per-domain nodes via absolute paths which are not accessible using relative paths, as the two limits differ by 1024 characters.

Instead of these weird limits use only one limit, which applies to the relative path length of per-domain nodes and to the absolute path length of all other nodes. This means, the path length check is applied to the path after removing a possible start of "/local/domain//" with being a domain id.

There has been the request to be able to limit the path lengths even more, so an additional quota is added which can be applied to path lengths. It is XENSTORE_REL_PATH_MAX (2048) per default, but can be set to lower values. This is done via the new "-M" or "--path-max" option when invoking xenstored.

Signed-off-by: Juergen Gross
Reviewed-by: Paul Durrant
Acked-by: Julien Grall
Acked-by: Wei Liu
Reviewed-by: Andrew Cooper
---
This patch was originally thought to be part of XSA-323, but later it was decided not to include it, as in C Xenstored this is no security issue.

--- tools/xenstore/xenstored_core.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_cor= e.c index 746a1247b3..3082a36d3a 100644 --- a/tools/xenstore/xenstored_core.c +++ b/tools/xenstore/xenstored_core.c
@@ -102,6 +102,7 @@ int quota_nb_watch_per_domain =3D 128; int quota_max_entry_size =3D 2048; /* 2K */ int quota_max_transaction =3D 10; int quota_nb_perms_per_node =3D 5; +int quota_max_path_len =3D XENSTORE_REL_PATH_MAX; =20 void trace(const char *fmt, ...) { @@ -734,6 +735,9 @@ static bool valid_chars(const char *node) =20 bool is_valid_nodename(const char *node) { + int local_off =3D 0; + unsigned int domid; + /* Must start in /. */ if (!strstarts(node, "/")) return false; @@ -746,7 +750,10 @@ bool is_valid_nodename(const char *node) if (strstr(node, "//")) return false; =20 - if (strlen(node) > XENSTORE_ABS_PATH_MAX) + if (sscanf(node, "/local/domain/%5u/%n", &domid, &local_off) !=3D 1) + local_off =3D 0; + + if (strlen(node) > local_off + quota_max_path_len) return false; =20 return valid_chars(node); @@ -806,6 +813,8 @@ static struct node *get_node_canonicalized(struct conne= ction *conn, if (!canonical_name) canonical_name =3D &tmp_name; *canonical_name =3D canonicalize(conn, ctx, name); + if (!*canonical_name) + return NULL; return get_node(conn, ctx, *canonical_name, perm); } =20 @@ -1926,6 +1935,7 @@ static void usage(void) " -W, --watch-nb limit the number of watches per domain,\n" " -t, --transaction limit the number of transaction allowed per dom= ain,\n" " -A, --perm-nb limit the number of permissions per node,\n" +" -M, --path-max limit the allowed Xenstore node path length,\n" " -R, --no-recovery to request that no recovery should be attempted= when\n" " the store is corrupted (debug only),\n" " -I, --internal-db store database in memory, not on disk\n" @@ -1947,6 +1957,7 @@ static struct option options[] =3D { { "trace-file", 1, NULL, 'T' }, { "transaction", 1, NULL, 't' }, { "perm-nb", 1, NULL, 'A' }, + { "path-max", 1, NULL, 'M' }, { "no-recovery", 0, NULL, 'R' }, { "internal-db", 0, NULL, 'I' }, { "verbose", 0, NULL, 'V' }, 
@@ -1969,7 +1980,7 @@ int main(int argc, char *argv[]) int timeout; =20 =20 - while ((opt =3D getopt_long(argc, argv, "DE:F:HNPS:t:A:T:RVW:", options, + while ((opt =3D getopt_long(argc, argv, "DE:F:HNPS:t:A:M:T:RVW:", options, NULL)) !=3D -1) { switch (opt) { case 'D': @@ -2014,6 +2025,10 @@ int main(int argc, char *argv[]) case 'A': quota_nb_perms_per_node =3D strtol(optarg, NULL, 10); break; + quota_max_path_len =3D strtol(optarg, NULL, 10); + quota_max_path_len =3D min(XENSTORE_REL_PATH_MAX, + quota_max_path_len); + break; case 'e': dom0_event =3D strtol(optarg, NULL, 10); break; --=20 2.26.2
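
Review bot: in the is_valid_nodename() hunk, the new test `strlen(node) > local_off + quota_max_path_len` compares a size_t against the sum of two plain ints, so if quota_max_path_len is ever negative the sum is converted to a very large unsigned value and the length check can no longer reject anything. Since the quota is filled from strtol() with only an upper clamp, either declare it unsigned and validate it at option parsing, or check for a non-positive value here. A short comment would also help on the sscanf() line: it relies on local_off staying 0 when the trailing "/" after the domain id is missing (sscanf still returns 1 but never reaches %n), and %5u accepts any value up to 99999 with domid otherwise unused and unchecked.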
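
Review bot: the added `if (!*canonical_name) return NULL;` in the get_node_canonicalized() hunk is not covered by the commit message, which only talks about the path length limit and the new quota. Please add a sentence saying when canonicalize() yields NULL and why this path needs the check, and confirm that errno is set on this early return, since the hunk does not show it being set and callers receiving NULL from get_node() presumably look at it.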
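
Review bot: in the last main() hunk there is no `case 'M':` label in front of the added lines, so the two quota_max_path_len assignments sit directly after the `break;` of case 'A' and are unreachable; "-M" is accepted by the getopt string and the options[] table but never changes the quota. Add the label before `quota_max_path_len =3D strtol(optarg, NULL, 10);`. While there, the min() only enforces the upper bound: strtol() with a NULL endptr silently returns 0 for non-numeric input and passes negative numbers through, so a lower bound and an error exit for unparsable values would make the option safe to use.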