tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing

[PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing

Posted by Julien Grall 4 years, 11 months ago

From: Julien Grall <jgrall@amazon.com>

In case of failure in do_lu_start(), XenStored will first free lu_start
and then try to dereference it.

This will result to a NULL dereference as the destruction callback will
set lu_start to NULL.

The crash can be avoided by freeing lu_start *after* the reply has been
set.

Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
Signed-off-by: Julien Grall <jgrall@amazon.com>

---

This is a bug fix candidate for 4.15. The easiest way to trigger it is
to have a XTF test that starts a transaction but never terminates it.

In this case, live-updating would fail and trigger a crash.
---
 tools/xenstore/xenstored_control.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index 653890f2d9e0..766b2438396a 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -657,9 +657,8 @@ static bool do_lu_start(struct delayed_request *req)
 
 	/* We will reach this point only in case of failure. */
  out:
-	talloc_free(lu_status);
-
 	send_reply(lu_status->conn, XS_CONTROL, ret, strlen(ret) + 1);
+	talloc_free(lu_status);
 
 	return true;
 }
-- 
2.17.1

Re: [PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing

Posted by Ian Jackson 4 years, 11 months ago

Julien Grall writes ("[PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing"):
> From: Julien Grall <jgrall@amazon.com>
> 
> In case of failure in do_lu_start(), XenStored will first free lu_start
> and then try to dereference it.
> 
> This will result to a NULL dereference as the destruction callback will
> set lu_start to NULL.
> 
> The crash can be avoided by freeing lu_start *after* the reply has been
> set.
> 
> Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
> Signed-off-by: Julien Grall <jgrall@amazon.com>

Release-Acked-by: Ian Jackson <iwj@xenproject.org>

Re: [PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing

Posted by Jürgen Groß 4 years, 11 months ago

On 26.02.21 19:26, Julien Grall wrote:
> From: Julien Grall <jgrall@amazon.com>
> 
> In case of failure in do_lu_start(), XenStored will first free lu_start
> and then try to dereference it.
> 
> This will result to a NULL dereference as the destruction callback will
> set lu_start to NULL.
> 
> The crash can be avoided by freeing lu_start *after* the reply has been
> set.
> 
> Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
> Signed-off-by: Julien Grall <jgrall@amazon.com>

Reviewed-by: Juergen Gross <jgross@suse.com>


Juergen

Re: [PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing

Posted by Julien Grall 4 years, 11 months ago

Hi Juergen,

On 01/03/2021 19:19, Jürgen Groß wrote:
> On 26.02.21 19:26, Julien Grall wrote:
>> From: Julien Grall <jgrall@amazon.com>
>>
>> In case of failure in do_lu_start(), XenStored will first free lu_start
>> and then try to dereference it.
>>
>> This will result to a NULL dereference as the destruction callback will
>> set lu_start to NULL.
>>
>> The crash can be avoided by freeing lu_start *after* the reply has been
>> set.
>>
>> Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for 
>> doing the live update")
>> Signed-off-by: Julien Grall <jgrall@amazon.com>
> 
> Reviewed-by: Juergen Gross <jgross@suse.com>

Thanks! I have committed the patch.

Cheers,

-- 
Julien Grall