From: Julien Grall <jgrall@amazon.com>
In case of failure in do_lu_start(), XenStored will first free lu_start
and then try to dereference it.
This will result to a NULL dereference as the destruction callback will
set lu_start to NULL.
The crash can be avoided by freeing lu_start *after* the reply has been
set.
Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update")
Signed-off-by: Julien Grall <jgrall@amazon.com>
---
This is a bug fix candidate for 4.15. The easiest way to trigger it is
to have a XTF test that starts a transaction but never terminates it.
In this case, live-updating would fail and trigger a crash.
---
tools/xenstore/xenstored_control.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index 653890f2d9e0..766b2438396a 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -657,9 +657,8 @@ static bool do_lu_start(struct delayed_request *req)
/* We will reach this point only in case of failure. */
out:
- talloc_free(lu_status);
-
send_reply(lu_status->conn, XS_CONTROL, ret, strlen(ret) + 1);
+ talloc_free(lu_status);
return true;
}
--
2.17.1
Julien Grall writes ("[PATCH for-4.15] tools/xenstored: Avoid dereferencing a NULL pointer if LiveUpdate is failing"): > From: Julien Grall <jgrall@amazon.com> > > In case of failure in do_lu_start(), XenStored will first free lu_start > and then try to dereference it. > > This will result to a NULL dereference as the destruction callback will > set lu_start to NULL. > > The crash can be avoided by freeing lu_start *after* the reply has been > set. > > Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update") > Signed-off-by: Julien Grall <jgrall@amazon.com> Release-Acked-by: Ian Jackson <iwj@xenproject.org>
On 26.02.21 19:26, Julien Grall wrote: > From: Julien Grall <jgrall@amazon.com> > > In case of failure in do_lu_start(), XenStored will first free lu_start > and then try to dereference it. > > This will result to a NULL dereference as the destruction callback will > set lu_start to NULL. > > The crash can be avoided by freeing lu_start *after* the reply has been > set. > > Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for doing the live update") > Signed-off-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Juergen Gross <jgross@suse.com> Juergen
Hi Juergen, On 01/03/2021 19:19, Jürgen Groß wrote: > On 26.02.21 19:26, Julien Grall wrote: >> From: Julien Grall <jgrall@amazon.com> >> >> In case of failure in do_lu_start(), XenStored will first free lu_start >> and then try to dereference it. >> >> This will result to a NULL dereference as the destruction callback will >> set lu_start to NULL. >> >> The crash can be avoided by freeing lu_start *after* the reply has been >> set. >> >> Fixes: af216a99fb4a ("tools/xenstore: add the basic framework for >> doing the live update") >> Signed-off-by: Julien Grall <jgrall@amazon.com> > > Reviewed-by: Juergen Gross <jgross@suse.com> Thanks! I have committed the patch. Cheers, -- Julien Grall
© 2016 - 2024 Red Hat, Inc.