From: Juergen Gross
To: xen-devel@lists.xenproject.org
Cc: Juergen Gross, Wei Liu, Julien Grall, Anthony PERARD
Subject: [PATCH v2 2/2] tools/xenstore: fix get_spec_node()
Date: Sat, 22 Jul 2023 10:16:46 +0200
Message-Id: <20230722081646.4136-3-jgross@suse.com>
In-Reply-To: <20230722081646.4136-1-jgross@suse.com>

In case get_spec_node() is being called for a special node starting with '@' it won't set *canonical_name. This can result in a crash of xenstored due to dereferencing the uninitialized name in fire_watches().

This is no security issue as it requires either a privileged caller or ownership of the special node in question by an unprivileged caller (which is questionable, as this would make the owner privileged in some way).

Fixes: d6bb63924fc2 ("tools/xenstore: introduce dummy nodes for special watch paths")
Signed-off-by: Juergen Gross
Reviewed-by: Julien Grall

--- tools/xenstore/xenstored_core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_cor= e.c index 3d3c39bd70..749717ec25 100644 --- a/tools/xenstore/xenstored_core.c +++ b/tools/xenstore/xenstored_core.c
@@ -1253,8 +1253,11 @@ static struct node *get_spec_node(struct connection = *conn, const void *ctx, const char *name, const char **canonical_name, unsigned int perm) { - if (name[0] =3D=3D '@') + if (name[0] =3D=3D '@') { + if (canonical_name) + *canonical_name =3D name; return get_node(conn, ctx, name, perm); + } =20 return get_node_canonicalized(conn, ctx, name, canonical_name, perm); } --=20 2.35.3
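
Review bot: In the new '@' branch, `*canonical_name = name;` stores the caller's own `name` pointer rather than a copy, so the value handed back is only valid for as long as the caller's buffer is. It is worth confirming that every path that later consumes the canonical name (the commit message names fire_watches()) does so while `name` is still live, and saying so in a short comment above get_spec_node(). The assignment also happens before get_node() is called, so the out-parameter is set even when get_node() fails; documenting that the parameter is optional (the `if (canonical_name)` guard) and set on both outcomes for special nodes would make the contract explicit for future callers.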