[PATCH] tools/ocaml/libs: Fix memory/resource leaks with caml_alloc_custom()

Andrew Cooper posted 1 patch 1 year, 2 months ago
tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 6 ++++--
tools/ocaml/libs/xc/xenctrl_stubs.c           | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
[PATCH] tools/ocaml/libs: Fix memory/resource leaks with caml_alloc_custom()
Posted by Andrew Cooper 1 year, 2 months ago
All caml_alloc_*() functions can throw exceptions, and longjump out of
context.  If this happens, we leak the xch/xce handle.

Reorder the logic to allocate the OCaml object first.

Fixes: 8b3c06a3e545 ("tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free")
Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Christian Lindig <christian.lindig@citrix.com>
CC: David Scott <dave@recoil.org>
CC: Edwin Török <edwin.torok@cloud.com>
CC: Rob Hoes <Rob.Hoes@citrix.com>
---
 tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 6 ++++--
 tools/ocaml/libs/xc/xenctrl_stubs.c           | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
index 34dcfed30275..1980acf405a5 100644
--- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
@@ -63,6 +63,8 @@ CAMLprim value stub_eventchn_init(value cloexec)
 	if ( !Bool_val(cloexec) )
 		flags |= XENEVTCHN_NO_CLOEXEC;
 
+	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
+
 	caml_enter_blocking_section();
 	xce = xenevtchn_open(NULL, flags);
 	caml_leave_blocking_section();
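
Review bot: nothing at the new `result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);` line says why it has to sit above `xenevtchn_open()`. The reason is only in the commit message (the allocation can raise, and a raise after the open would leak the handle), so a later cleanup could move it back next to the store. A one-line comment above the allocation stating that it must precede the open would keep the ordering from regressing.
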
@@ -70,7 +72,6 @@ CAMLprim value stub_eventchn_init(value cloexec)
 	if (xce == NULL)
 		caml_failwith("open failed");
 
-	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
 	*(xenevtchn_handle **)Data_custom_val(result) = xce;
 
 	CAMLreturn(result);
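
Review bot: on the `xce == NULL` path, `caml_failwith("open failed")` now raises while result is already a live custom block whose payload has never been written, because `*(xenevtchn_handle **)Data_custom_val(result) = xce;` only runs on success. If xenevtchn_ops has a finalizer that closes the stored handle (not visible in this diff), it will later be called on an indeterminate pointer. Suggest storing NULL through Data_custom_val(result) immediately after the allocation and checking that the finalizer tolerates NULL. stub_eventchn_fdopen has the same shape with `caml_failwith("evtchn fdopen failed")`.
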
@@ -82,6 +83,8 @@ CAMLprim value stub_eventchn_fdopen(value fdval)
 	CAMLlocal1(result);
 	xenevtchn_handle *xce;
 
+	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
+
 	caml_enter_blocking_section();
 	xce = xenevtchn_fdopen(NULL, Int_val(fdval), 0);
 	caml_leave_blocking_section();
@@ -89,7 +92,6 @@ CAMLprim value stub_eventchn_fdopen(value fdval)
 	if (xce == NULL)
 		caml_failwith("evtchn fdopen failed");
 
-	result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
 	*(xenevtchn_handle **)Data_custom_val(result) = xce;
 
 	CAMLreturn(result);
diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
index f9006c662382..ed1cbafdb488 100644
--- a/tools/ocaml/libs/xc/xenctrl_stubs.c
+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
@@ -98,6 +98,8 @@ CAMLprim value stub_xc_interface_open(value unit)
 	CAMLlocal1(result);
 	xc_interface *xch;
 
+	result = caml_alloc_custom(&xenctrl_ops, sizeof(xch), 0, 1);
+
 	caml_enter_blocking_section();
 	xch = xc_interface_open(NULL, NULL, 0);
 	caml_leave_blocking_section();
@@ -105,7 +107,6 @@ CAMLprim value stub_xc_interface_open(value unit)
 	if ( !xch )
 		failwith_xc(xch);
 
-	result = caml_alloc_custom(&xenctrl_ops, sizeof(xch), 0, 1);
 	*(xc_interface **)Data_custom_val(result) = xch;
 
 	CAMLreturn(result);
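
Review bot: the `if ( !xch ) failwith_xc(xch);` path is now reached with result allocated but its `xc_interface *` slot still unset, so whatever finalizer xenctrl_ops carries (not shown here) would read an uninitialised pointer when the block is collected. Initialise the slot to NULL right after `caml_alloc_custom(&xenctrl_ops, sizeof(xch), 0, 1)`, before entering the blocking section, and confirm the finalizer handles a NULL handle.
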
-- 
2.11.0


Re: [PATCH] tools/ocaml/libs: Fix memory/resource leaks with caml_alloc_custom()
Posted by Christian Lindig 1 year, 2 months ago

> On 1 Feb 2023, at 13:29, Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> 
> All caml_alloc_*() functions can throw exceptions, and longjump out of
> context.  If this happens, we leak the xch/xce handle.
> 
> Reorder the logic to allocate the OCaml object first.
> 
> Fixes: 8b3c06a3e545 ("tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free")
> Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak")
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Christian Lindig <christian.lindig@citrix.com>
> CC: David Scott <dave@recoil.org>
> CC: Edwin Török <edwin.torok@cloud.com>
> CC: Rob Hoes <Rob.Hoes@citrix.com>
> ---
> tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 6 ++++--
> tools/ocaml/libs/xc/xenctrl_stubs.c           | 3 ++-
> 2 files changed, 6 insertions(+), 3 deletions(-)

Acked-by: Christian Lindig <christian.lindig@citrix.com>